From 3bca3da47e616d2abe3ba747d77d7e6c7aba9fb0 Mon Sep 17 00:00:00 2001 From: talshapir Date: Sun, 5 Apr 2026 12:45:35 +0300 Subject: [PATCH 01/26] Refactor and add a new field to the action ai metadata - product categories --- .../email_utilities/actions/AnalyzeHeaders.py | 46 +-- .../ai/{categories.py => ai_categories.py} | 11 + .../integrations/action/ai/metadata.py | 4 +- .../action/ai/product_categories.py | 316 ++++++++++++++++++ .../integrations/action/metadata.py | 51 ++- .../src/mp/describe/integration/__init__.py | 0 .../test_core/test_data_models/utils.py | 2 +- 7 files changed, 380 insertions(+), 50 deletions(-) rename packages/mp/src/mp/core/data_models/integrations/action/ai/{categories.py => ai_categories.py} (92%) create mode 100644 packages/mp/src/mp/core/data_models/integrations/action/ai/product_categories.py create mode 100644 packages/mp/src/mp/describe/integration/__init__.py diff --git a/content/response_integrations/power_ups/email_utilities/actions/AnalyzeHeaders.py b/content/response_integrations/power_ups/email_utilities/actions/AnalyzeHeaders.py index b36a581ec..165a274a8 100644 --- a/content/response_integrations/power_ups/email_utilities/actions/AnalyzeHeaders.py +++ b/content/response_integrations/power_ups/email_utilities/actions/AnalyzeHeaders.py @@ -201,9 +201,7 @@ def parseHops(received): raise if "date" not in parsed_route: continue - hop_info["time"] = ( - parsed_route["date"].astimezone(datetime.UTC).replace(tzinfo=None) - ) + hop_info["time"] = parsed_route["date"].astimezone(datetime.UTC).replace(tzinfo=None) hop_info["blacklisted"] = False if "from" in parsed_route: for f in parsed_route["from"]: @@ -219,14 +217,12 @@ def parseHops(received): response = DbIpCity.get(f, api_key="free") hop_info["from_geo"] = json.loads(response.to_json()) except Exception as expe: - template = ( - "An exception of type {0} occurred. Arguments:\n{1!r}" - ) + template = "An exception of type {0} occurred. Arguments:\n{1!r}" message = template.format(type(expe).__name__, expe.args) denylist["blacklisted"] = ip_check.blacklisted denylist["detected_by"] = ip_check.detected_by.copy() - denylist["categories"] = ip_check.categories.copy() + denylist["categories"] = ip_check.ai_categories.copy() hop_info["blacklist_info"].append(denylist) except ValueError: try: @@ -244,19 +240,15 @@ def parseHops(received): hop_info["from_geo"] = json.loads(response.to_json()) hop_info["from_ip_whois"] = ip_whois except Exception as exp: - template = ( - "An exception of type {0} occurred. Arguments:\n{1!r}" - ) + template = "An exception of type {0} occurred. Arguments:\n{1!r}" message = template.format(type(exp).__name__, exp.args) denylist["blacklisted"] = domain_check.blacklisted denylist["detected_by"] = domain_check.detected_by.copy() - denylist["categories"] = domain_check.categories.copy() + denylist["categories"] = domain_check.ai_categories.copy() hop_info["blacklist_info"].append(denylist) except Exception as e: - template = ( - "An exception of type {0} occurred. Arguments:\n{1!r}" - ) + template = "An exception of type {0} occurred. Arguments:\n{1!r}" message = template.format(type(e).__name__, e.args) logger(message) except Exception as ex: @@ -290,9 +282,7 @@ def parseHops(received): response = DbIpCity.get(resolved_ip, api_key="free") hop_info["by_geo"] = json.loads(response.to_json()) except Exception as expl: - template = ( - "An exception of type {0} occurred. Arguments:\n{1!r}" - ) + template = "An exception of type {0} occurred. Arguments:\n{1!r}" message = template.format(type(expl).__name__, expl.args) except Exception as exp: template = "An exception of type {0} occurred. Arguments:\n{1!r}" @@ -303,9 +293,7 @@ def parseHops(received): else: hop_info["with"] = "" if previous_hop: - hop_info["delay"] = ( - parsed_route["date"] - previous_hop["date"] - ).total_seconds() + hop_info["delay"] = (parsed_route["date"] - previous_hop["date"]).total_seconds() else: hop_info["delay"] = "*" previous_hop = hop_info @@ -400,11 +388,9 @@ def buildResult(header, siemplify): if "by" in fromserver: result["SourceServer"] = fromserver["by"][0] try: - result["SourceServerIP"] = ( - EmailUtilitiesManager.Resolver().query( - result["SourceServer"], - )[0][2] - ) + result["SourceServerIP"] = EmailUtilitiesManager.Resolver().query( + result["SourceServer"], + )[0][2] except: pass continue @@ -433,13 +419,11 @@ def main(siemplify): print_value=False, ) - status = EXECUTION_STATE_COMPLETED # used to flag back to siemplify system, the action final status - output_message = ( - "output message :" # human readable message, showed in UI as the action result - ) - result_value = ( - None # Set a simple result value, used for playbook if\else and placeholders. + status = ( + EXECUTION_STATE_COMPLETED # used to flag back to siemplify system, the action final status ) + output_message = "output message :" # human readable message, showed in UI as the action result + result_value = None # Set a simple result value, used for playbook if\else and placeholders. h = json.loads(headers_json) headers_res = buildResult(h, siemplify) diff --git a/packages/mp/src/mp/core/data_models/integrations/action/ai/categories.py b/packages/mp/src/mp/core/data_models/integrations/action/ai/ai_categories.py similarity index 92% rename from packages/mp/src/mp/core/data_models/integrations/action/ai/categories.py rename to packages/mp/src/mp/core/data_models/integrations/action/ai/ai_categories.py index f96dbc783..95d28d42a 100644 --- a/packages/mp/src/mp/core/data_models/integrations/action/ai/categories.py +++ b/packages/mp/src/mp/core/data_models/integrations/action/ai/ai_categories.py @@ -18,6 +18,8 @@ from pydantic import BaseModel, Field +from mp.core.data_models.abc import RepresentableEnum + class AiCategories(BaseModel): enrichment: Annotated[ @@ -88,3 +90,12 @@ def is_enrichment_action(action): ) ), ] + + +class ActionAiCategory(RepresentableEnum): + ENRICHMENT = "Enrichment" + + +AI_CATEGORY_TO_DEF_AI_CATEGORY: dict[str, ActionAiCategory] = { + "enrichment": ActionAiCategory.ENRICHMENT, +} diff --git a/packages/mp/src/mp/core/data_models/integrations/action/ai/metadata.py b/packages/mp/src/mp/core/data_models/integrations/action/ai/metadata.py index 25deac8dc..90117e9de 100644 --- a/packages/mp/src/mp/core/data_models/integrations/action/ai/metadata.py +++ b/packages/mp/src/mp/core/data_models/integrations/action/ai/metadata.py @@ -18,9 +18,10 @@ from pydantic import BaseModel, Field +from .ai_categories import AiCategories # noqa: TC001 from .capabilities import ActionCapabilities # noqa: TC001 -from .categories import AiCategories # noqa: TC001 from .entity_usage import EntityUsage # noqa: TC001 +from .product_categories import ActionProductCategories # noqa: TC001 class ActionAiMetadata(BaseModel): @@ -78,3 +79,4 @@ class ActionAiMetadata(BaseModel): ), ), ] + product_categories: ActionProductCategories diff --git a/packages/mp/src/mp/core/data_models/integrations/action/ai/product_categories.py b/packages/mp/src/mp/core/data_models/integrations/action/ai/product_categories.py new file mode 100644 index 000000000..dd9bb8687 --- /dev/null +++ b/packages/mp/src/mp/core/data_models/integrations/action/ai/product_categories.py @@ -0,0 +1,316 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import annotations + +from typing import Annotated + +from pydantic import BaseModel, Field + +from mp.core.data_models.abc import RepresentableEnum + + +class ActionProductCategories(BaseModel): + enrich_ioc: Annotated[ + bool, + Field( + title="Enrich IOC (hash, filename, IP, domain, URL, CVE, Threat Actor, Campaign)", + description=( + "Returns reputation, prevalence, and threat intelligence" + " (e.g., malware family, attribution) for the indicator." + ), + ), + ] = False + enrich_asset: Annotated[ + bool, + Field( + title="Enrich Asset (hostname, user or internal resource)", + description=( + "Returns contextual metadata (e.g., OS version, owner, department, MAC address)" + " for a user or resource." + ), + ), + ] = False + update_alert: Annotated[ + bool, + Field( + title="Update Alert", + description=( + "Changes the status, severity, or assignee of the alert within the SecOps platform." + ), + ), + ] = False + add_alert_comment: Annotated[ + bool, + Field( + title="Add Alert Comment", + description=( + "Appends analyst notes or automated log entries to the alert's activity timeline." + ), + ), + ] = False + create_ticket: Annotated[ + bool, + Field( + title="Create Ticket", + description=( + "Generates a new record in an external ITSM (e.g., Jira, ServiceNow) and returns" + " the Ticket ID." + ), + ), + ] = False + update_ticket: Annotated[ + bool, + Field( + title="Update Ticket", + description=( + "Synchronizes status, priority, or field changes from SecOps to the external" + " ticketing system." + ), + ), + ] = False + add_ioc_to_blocklist: Annotated[ + bool, + Field( + title="Add IOC To Blocklist", + description=( + "Updates security controls (Firewall, EDR, Proxy) to prevent any future interaction" + " with the IOC." + ), + ), + ] = False + remove_ioc_from_blocklist: Annotated[ + bool, + Field( + title="Remove IOC From Blocklist", + description=( + "Restores connectivity or execution rights for an indicator by removing it from" + " restricted lists." + ), + ), + ] = False + add_ioc_to_allowlist: Annotated[ + bool, + Field( + title="Add IOC To Allowlist", + description=( + 'Marks an indicator as "known good" to prevent future security alerts or false' + " positives." + ), + ), + ] = False + remove_ioc_from_allowlist: Annotated[ + bool, + Field( + title="Remove IOC From Allowlist", + description=( + "Re-enables standard security monitoring and blocking for a previously trusted" + " indicator." + ), + ), + ] = False + disable_identity: Annotated[ + bool, + Field( + title="Disable Identity (User, Account)", + description=( + "Revokes active sessions and prevents a user or service account from authenticating" + " to the network." + ), + ), + ] = False + enable_identity: Annotated[ + bool, + Field( + title="Enable Identity (User, Account)", + description=( + "Restores authentication capabilities and system access for a previously disabled" + " account." + ), + ), + ] = False + contain_host: Annotated[ + bool, + Field( + title="Contain Host", + description=( + "Isolates an endpoint from the network via EDR, allowing communication only with" + " the management console." + ), + ), + ] = False + uncontain_host: Annotated[ + bool, + Field( + title="Uncontain Host", + description=( + "Removes network isolation and restores the endpoint's full communication" + " capabilities." + ), + ), + ] = False + reset_identity_password: Annotated[ + bool, + Field( + title="Reset Identity Password (User, Account)", + description=( + "Invalidates the current credentials and triggers a password change or temporary" + " password generation." + ), + ), + ] = False + update_identity: Annotated[ + bool, + Field( + title="Update Identity (User, Account)", + description=( + "Modifies account metadata, such as group memberships, permissions, or contact" + " information." + ), + ), + ] = False + search_events: Annotated[ + bool, + Field( + title="Search Events", + description=( + "Returns a collection of historical logs or telemetry data matching specific search" + " parameters." + ), + ), + ] = False + execute_command_on_the_host: Annotated[ + bool, + Field( + title="Execute Command on the Host", + description=( + "Runs a script or system command on a remote endpoint and returns the standard" + " output (STDOUT)." + ), + ), + ] = False + download_file: Annotated[ + bool, + Field( + title="Download File", + description=( + "Retrieves a specific file from a remote host for local forensic analysis" + " or sandboxing." + ), + ), + ] = False + send_email: Annotated[ + bool, + Field( + title="Send Email", + description=( + "Dispatches an outbound email notification or response to specified recipients." + ), + ), + ] = False + search_email: Annotated[ + bool, + Field( + title="Search Email", + description=( + "Identifies and lists emails across the mail server based on criteria like sender," + " subject, or attachment." + ), + ), + ] = False + delete_email: Annotated[ + bool, + Field( + title="Delete Email", + description=( + "Removes a specific email or thread from one or more user mailboxes" + " (Purge/Withdraw)." + ), + ), + ] = False + update_email: Annotated[ + bool, + Field( + title="Update Email", + description=( + "Modifies the state of an email, such as moving it to quarantine, marking as read," + " or applying labels." + ), + ), + ] = False + submit_file: Annotated[ + bool, + Field( + title="Submit File", + description=( + "Uploads a file or sample to a sandbox or analysis engine" + " (e.g., VirusTotal, Joe Sandbox) and returns a behavior report or threat score." + ), + ), + ] = False + + +class ActionProductCategory(RepresentableEnum): + ENRICH_IOC = "Enrich IOC (Indicator of Compromise)" + ENRICH_ASSET = "Enrich Asset" + UPDATE_ALERT = "Update Alert" + ADD_ALERT_COMMENT = "Add Alert Comment" + CREATE_TICKET = "Create Ticket" + UPDATE_TICKET = "Update Ticket" + ADD_IOC_TO_BLOCKLIST = "Add IOC to Blocklist" + REMOVE_IOC_FROM_BLOCKLIST = "Remove IOC from Blocklist" + ADD_IOC_TO_ALLOWLIST = "Add IOC to Allowlist" + REMOVE_IOC_FROM_ALLOWLIST = "Remove IOC from Allowlist" + DISABLE_IDENTITY = "Disable Identity (User, Account)" + ENABLE_IDENTITY = "Enable Identity (User, Account)" + CONTAIN_HOST = "Contain Host" + UNCONTAIN_HOST = "Uncontain Host" + RESET_IDENTITY_PASSWORD = "Reset Identity Password (User, Account)" # noqa: S105 + UPDATE_IDENTITY = "Update Identity (User, Account)" + SEARCH_EVENTS = "Search Events" + EXECUTE_COMMAND_ON_THE_HOST = "Execute Command on the Host" + DOWNLOAD_FILE = "Download File" + SEND_EMAIL = "Send Email" + SEARCH_EMAIL = "Search Email" + DELETE_EMAIL = "Delete Email" + UPDATE_EMAIL = "Update Email" + SUBMIT_FILE = "Submit File" + + +PRODUCT_CATEGORY_TO_DEF_PRODUCT_CATEGORY: dict[str, ActionProductCategory] = { + "enrich_ioc": ActionProductCategory.ENRICH_IOC, + "enrich_asset": ActionProductCategory.ENRICH_ASSET, + "update_alert": ActionProductCategory.UPDATE_ALERT, + "add_alert_comment": ActionProductCategory.ADD_ALERT_COMMENT, + "create_ticket": ActionProductCategory.CREATE_TICKET, + "update_ticket": ActionProductCategory.UPDATE_TICKET, + "add_ioc_to_blocklist": ActionProductCategory.ADD_IOC_TO_BLOCKLIST, + "remove_ioc_from_blocklist": ActionProductCategory.REMOVE_IOC_FROM_BLOCKLIST, + "add_ioc_to_allowlist": ActionProductCategory.ADD_IOC_TO_ALLOWLIST, + "remove_ioc_from_allowlist": ActionProductCategory.REMOVE_IOC_FROM_ALLOWLIST, + "disable_identity": ActionProductCategory.DISABLE_IDENTITY, + "enable_identity": ActionProductCategory.ENABLE_IDENTITY, + "contain_host": ActionProductCategory.CONTAIN_HOST, + "uncontain_host": ActionProductCategory.UNCONTAIN_HOST, + "reset_identity_password": ActionProductCategory.RESET_IDENTITY_PASSWORD, + "update_identity": ActionProductCategory.UPDATE_IDENTITY, + "search_events": ActionProductCategory.SEARCH_EVENTS, + "execute_command_on_the_host": ActionProductCategory.EXECUTE_COMMAND_ON_THE_HOST, + "download_file": ActionProductCategory.DOWNLOAD_FILE, + "send_email": ActionProductCategory.SEND_EMAIL, + "search_email": ActionProductCategory.SEARCH_EMAIL, + "delete_email": ActionProductCategory.DELETE_EMAIL, + "update_email": ActionProductCategory.UPDATE_EMAIL, + "submit_file": ActionProductCategory.SUBMIT_FILE, +} diff --git a/packages/mp/src/mp/core/data_models/integrations/action/metadata.py b/packages/mp/src/mp/core/data_models/integrations/action/metadata.py index 6a15215c9..80afe18ae 100644 --- a/packages/mp/src/mp/core/data_models/integrations/action/metadata.py +++ b/packages/mp/src/mp/core/data_models/integrations/action/metadata.py @@ -26,8 +26,13 @@ import mp.core.utils import mp.core.validators from mp.core import exclusions -from mp.core.data_models.abc import ComponentMetadata, RepresentableEnum +from mp.core.data_models.abc import ComponentMetadata +from mp.core.data_models.integrations.action.ai.product_categories import ( + PRODUCT_CATEGORY_TO_DEF_PRODUCT_CATEGORY, + ActionProductCategory, +) +from .ai.ai_categories import AI_CATEGORY_TO_DEF_AI_CATEGORY, ActionAiCategory from .ai.entity_types import EntityType from .ai.metadata import ActionAiMetadata from .dynamic_results_metadata import ( @@ -44,18 +49,16 @@ if TYPE_CHECKING: from mp.core.custom_types import JsonString + DEFAULT_SCRIPT_RESULT_NAME: str = "is_success" DEFAULT_SIMULATION_DATA: str = '{"Entities": []}' class AiFields(NamedTuple): description: str | None - categories: list[ActionAiCategories] + ai_categories: list[ActionAiCategory] entity_types: list[EntityType] - - -class ActionAiCategories(RepresentableEnum): - ENRICHMENT = "Enrichment" + action_categories: list[ActionProductCategory] class BuiltActionMetadata(TypedDict): @@ -76,6 +79,7 @@ class BuiltActionMetadata(TypedDict): AIDescription: str | None AICategories: NotRequired[list[str] | None] EntityTypes: NotRequired[list[str] | None] + ActionCategories: NotRequired[list[str] | None] class NonBuiltActionMetadata(TypedDict): @@ -96,6 +100,7 @@ class NonBuiltActionMetadata(TypedDict): ai_description: NotRequired[str | None] ai_categories: NotRequired[list[str]] entity_types: NotRequired[list[str]] + action_categories: NotRequired[list[str]] class ActionMetadata(ComponentMetadata[BuiltActionMetadata, NonBuiltActionMetadata]): @@ -138,8 +143,9 @@ class ActionMetadata(ComponentMetadata[BuiltActionMetadata, NonBuiltActionMetada pydantic.Field(ge=mp.core.constants.MINIMUM_SCRIPT_VERSION), ] ai_description: str | None - ai_categories: list[ActionAiCategories] + ai_categories: list[ActionAiCategory] entity_types: list[EntityType] + action_categories: list[ActionProductCategory] @classmethod def from_built_path(cls, path: Path) -> list[Self]: @@ -189,8 +195,9 @@ def from_non_built_path(cls, path: Path) -> list[Self]: ai_fields: AiFields = _get_ai_fields(action_metadata_json["name"], path) action_metadata_json["ai_description"] = ai_fields.description - action_metadata_json["ai_categories"] = [c.value for c in ai_fields.categories] + action_metadata_json["ai_categories"] = [c.value for c in ai_fields.ai_categories] action_metadata_json["entity_types"] = [t.value for t in ai_fields.entity_types] + action_metadata_json["action_categories"] = [t.value for t in ai_fields.entity_types] metadata_object: Self = cls.from_non_built(p.stem, action_metadata_json) metadata_objects.append(metadata_object) @@ -232,8 +239,11 @@ def _from_built(cls, file_name: str, built: BuiltActionMetadata) -> Self: default_result_value=built.get("DefaultResultValue"), version=version, ai_description=built.get("AIDescription"), - ai_categories=[ActionAiCategories(c) for c in built.get("AICategories") or []], + ai_categories=[ActionAiCategory(c) for c in built.get("AICategories") or []], entity_types=[EntityType(e) for e in built.get("EntityTypes") or []], + action_categories=[ + ActionProductCategory(c) for c in (built.get("ActionCategories") or []) + ], ) @classmethod @@ -271,8 +281,11 @@ def _from_non_built(cls, file_name: str, non_built: NonBuiltActionMetadata) -> A default_result_value=non_built.get("default_result_value"), version=non_built.get("version", mp.core.constants.MINIMUM_SCRIPT_VERSION), ai_description=non_built.get("ai_description"), - ai_categories=[ActionAiCategories(c) for c in non_built.get("ai_categories") or []], + ai_categories=[ActionAiCategory(c) for c in non_built.get("ai_categories") or []], entity_types=[EntityType(e) for e in non_built.get("entity_types") or []], + action_categories=[ + ActionProductCategory(c) for c in (non_built.get("action_categories") or []) + ], ) def to_built(self) -> BuiltActionMetadata: @@ -375,13 +388,12 @@ def _load_json_examples( return loaded_drms -AI_CATEGORY_TO_DEF_AI_CATEGORY: dict[str, ActionAiCategories] = { - "enrichment": ActionAiCategories.ENRICHMENT, -} - - def _get_ai_fields(action_name: str, integration_path: Path) -> AiFields: - empty_results: AiFields = AiFields(description=None, categories=[], entity_types=[]) + empty_results: AiFields = AiFields( + description=None, ai_categories=[], entity_types=[], action_categories=[] + ) + if not integration_path.exists(): + return empty_results actions_desc: Path = ( integration_path / mp.core.constants.RESOURCES_DIR @@ -399,10 +411,15 @@ def _get_ai_fields(action_name: str, integration_path: Path) -> AiFields: ai_meta: ActionAiMetadata = ActionAiMetadata.model_validate(action_content) return AiFields( description=ai_meta.ai_description, - categories=[ + ai_categories=[ AI_CATEGORY_TO_DEF_AI_CATEGORY[category] for category, is_true in ai_meta.categories.model_dump().items() if is_true ], entity_types=ai_meta.entity_usage.entity_types, + action_categories=[ + PRODUCT_CATEGORY_TO_DEF_PRODUCT_CATEGORY[category] + for category, is_true in ai_meta.product_categories.model_dump().items() + if is_true + ], ) diff --git a/packages/mp/src/mp/describe/integration/__init__.py b/packages/mp/src/mp/describe/integration/__init__.py new file mode 100644 index 000000000..e69de29bb diff --git a/packages/mp/tests/test_mp/test_core/test_data_models/utils.py b/packages/mp/tests/test_mp/test_core/test_data_models/utils.py index 53d433e0d..eeeb32bd7 100644 --- a/packages/mp/tests/test_mp/test_core/test_data_models/utils.py +++ b/packages/mp/tests/test_mp/test_core/test_data_models/utils.py @@ -110,7 +110,7 @@ def st_valid_non_built_param_type(param_type: type[Enum]) -> SearchStrategy[dict return st.sampled_from(param_type).map(lambda e: e.to_string()) -def st_valid_built_param_type(param_type: type[Enum]) -> SearchStrategy[dict[str, Any]]: +def st_valid_built_param_type(param_type: type[Enum]) -> SearchStrategy[Any | str]: return st.sampled_from(param_type).flatmap(lambda e: st.sampled_from([e.value, str(e.value)])) From 392455a211046b35c0aff070eec264b9697217b3 Mon Sep 17 00:00:00 2001 From: talshapir Date: Sun, 5 Apr 2026 12:45:46 +0300 Subject: [PATCH 02/26] Update mp version and dependencies --- packages/mp/pyproject.toml | 10 +- packages/mp/uv.lock | 228 ++++++++++++++++++------------------- 2 files changed, 119 insertions(+), 119 deletions(-) diff --git a/packages/mp/pyproject.toml b/packages/mp/pyproject.toml index 2cdb9c85b..0e43e5cd0 100644 --- a/packages/mp/pyproject.toml +++ b/packages/mp/pyproject.toml @@ -1,6 +1,6 @@ [project] name = "mp" -version = "1.28.21" +version = "1.29.0" description = "General Purpose CLI tool for Google SecOps Marketplace" readme = "README.md" authors = [ @@ -35,7 +35,7 @@ dependencies = [ "pydantic>=2.11.7", "pyyaml>=6.0.2", "rich>=14.0.0", - "ruff>=0.15.0", + "ruff>=0.15.9", "defusedxml>=0.7.1", "toml>=0.10.2", "typer>=0.16.0", @@ -44,9 +44,9 @@ dependencies = [ "jinja2>=3.1.6", "deepdiff>=8.6.1", "platformdirs>=4.5.0", - "ty>=0.0.15", + "ty>=0.0.28", "ruamel-yaml == 0.17.40", - "google-genai>=1.59.0", + "google-genai>=1.70.0", "tenacity>=9.1.2", "anyio>=4.12.1", "toon-format", @@ -66,7 +66,7 @@ mp = "mp.main:main" wmp = "mp.main:main" [build-system] -requires = ["uv_build>=0.10.0"] +requires = ["uv_build>=0.11.3,<0.12"] build-backend = "uv_build" [project.urls] diff --git a/packages/mp/uv.lock b/packages/mp/uv.lock index 6d1a82b41..8a70cc677 100644 --- a/packages/mp/uv.lock +++ b/packages/mp/uv.lock @@ -68,39 +68,39 @@ wheels = [ [[package]] name = "charset-normalizer" -version = "3.4.6" -source = { registry = "https://pypi.org/simple" } -sdist = { url = "https://files.pythonhosted.org/packages/7b/60/e3bec1881450851b087e301bedc3daa9377a4d45f1c26aa90b0b235e38aa/charset_normalizer-3.4.6.tar.gz", hash = "sha256:1ae6b62897110aa7c79ea2f5dd38d1abca6db663687c0b1ad9aed6f6bae3d9d6", size = 143363, upload-time = "2026-03-15T18:53:25.478Z" } -wheels = [ - { url = "https://files.pythonhosted.org/packages/62/28/ff6f234e628a2de61c458be2779cb182bc03f6eec12200d4a525bbfc9741/charset_normalizer-3.4.6-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:82060f995ab5003a2d6e0f4ad29065b7672b6593c8c63559beefe5b443242c3e", size = 293582, upload-time = "2026-03-15T18:50:25.454Z" }, - { url = "https://files.pythonhosted.org/packages/1c/b7/b1a117e5385cbdb3205f6055403c2a2a220c5ea80b8716c324eaf75c5c95/charset_normalizer-3.4.6-cp311-cp311-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:60c74963d8350241a79cb8feea80e54d518f72c26db618862a8f53e5023deaf9", size = 197240, upload-time = "2026-03-15T18:50:27.196Z" }, - { url = "https://files.pythonhosted.org/packages/a1/5f/2574f0f09f3c3bc1b2f992e20bce6546cb1f17e111c5be07308dc5427956/charset_normalizer-3.4.6-cp311-cp311-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:f6e4333fb15c83f7d1482a76d45a0818897b3d33f00efd215528ff7c51b8e35d", size = 217363, upload-time = "2026-03-15T18:50:28.601Z" }, - { url = "https://files.pythonhosted.org/packages/4a/d1/0ae20ad77bc949ddd39b51bf383b6ca932f2916074c95cad34ae465ab71f/charset_normalizer-3.4.6-cp311-cp311-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:bc72863f4d9aba2e8fd9085e63548a324ba706d2ea2c83b260da08a59b9482de", size = 212994, upload-time = "2026-03-15T18:50:30.102Z" }, - { url = "https://files.pythonhosted.org/packages/60/ac/3233d262a310c1b12633536a07cde5ddd16985e6e7e238e9f3f9423d8eb9/charset_normalizer-3.4.6-cp311-cp311-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:9cc4fc6c196d6a8b76629a70ddfcd4635a6898756e2d9cac5565cf0654605d73", size = 204697, upload-time = "2026-03-15T18:50:31.654Z" }, - { url = "https://files.pythonhosted.org/packages/25/3c/8a18fc411f085b82303cfb7154eed5bd49c77035eb7608d049468b53f87c/charset_normalizer-3.4.6-cp311-cp311-manylinux_2_31_armv7l.whl", hash = "sha256:0c173ce3a681f309f31b87125fecec7a5d1347261ea11ebbb856fa6006b23c8c", size = 191673, upload-time = "2026-03-15T18:50:33.433Z" }, - { url = "https://files.pythonhosted.org/packages/ff/a7/11cfe61d6c5c5c7438d6ba40919d0306ed83c9ab957f3d4da2277ff67836/charset_normalizer-3.4.6-cp311-cp311-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:c907cdc8109f6c619e6254212e794d6548373cc40e1ec75e6e3823d9135d29cc", size = 201120, upload-time = "2026-03-15T18:50:35.105Z" }, - { url = "https://files.pythonhosted.org/packages/b5/10/cf491fa1abd47c02f69687046b896c950b92b6cd7337a27e6548adbec8e4/charset_normalizer-3.4.6-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:404a1e552cf5b675a87f0651f8b79f5f1e6fd100ee88dc612f89aa16abd4486f", size = 200911, upload-time = "2026-03-15T18:50:36.819Z" }, - { url = "https://files.pythonhosted.org/packages/28/70/039796160b48b18ed466fde0af84c1b090c4e288fae26cd674ad04a2d703/charset_normalizer-3.4.6-cp311-cp311-musllinux_1_2_armv7l.whl", hash = "sha256:e3c701e954abf6fc03a49f7c579cc80c2c6cc52525340ca3186c41d3f33482ef", size = 192516, upload-time = "2026-03-15T18:50:38.228Z" }, - { url = "https://files.pythonhosted.org/packages/ff/34/c56f3223393d6ff3124b9e78f7de738047c2d6bc40a4f16ac0c9d7a1cb3c/charset_normalizer-3.4.6-cp311-cp311-musllinux_1_2_ppc64le.whl", hash = "sha256:7a6967aaf043bceabab5412ed6bd6bd26603dae84d5cb75bf8d9a74a4959d398", size = 218795, upload-time = "2026-03-15T18:50:39.664Z" }, - { url = "https://files.pythonhosted.org/packages/e8/3b/ce2d4f86c5282191a041fdc5a4ce18f1c6bd40a5bd1f74cf8625f08d51c1/charset_normalizer-3.4.6-cp311-cp311-musllinux_1_2_riscv64.whl", hash = "sha256:5feb91325bbceade6afab43eb3b508c63ee53579fe896c77137ded51c6b6958e", size = 201833, upload-time = "2026-03-15T18:50:41.552Z" }, - { url = "https://files.pythonhosted.org/packages/3b/9b/b6a9f76b0fd7c5b5ec58b228ff7e85095370282150f0bd50b3126f5506d6/charset_normalizer-3.4.6-cp311-cp311-musllinux_1_2_s390x.whl", hash = "sha256:f820f24b09e3e779fe84c3c456cb4108a7aa639b0d1f02c28046e11bfcd088ed", size = 213920, upload-time = "2026-03-15T18:50:43.33Z" }, - { url = "https://files.pythonhosted.org/packages/ae/98/7bc23513a33d8172365ed30ee3a3b3fe1ece14a395e5fc94129541fc6003/charset_normalizer-3.4.6-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:b35b200d6a71b9839a46b9b7fff66b6638bb52fc9658aa58796b0326595d3021", size = 206951, upload-time = "2026-03-15T18:50:44.789Z" }, - { url = "https://files.pythonhosted.org/packages/32/73/c0b86f3d1458468e11aec870e6b3feac931facbe105a894b552b0e518e79/charset_normalizer-3.4.6-cp311-cp311-win32.whl", hash = "sha256:9ca4c0b502ab399ef89248a2c84c54954f77a070f28e546a85e91da627d1301e", size = 143703, upload-time = "2026-03-15T18:50:46.103Z" }, - { url = "https://files.pythonhosted.org/packages/c6/e3/76f2facfe8eddee0bbd38d2594e709033338eae44ebf1738bcefe0a06185/charset_normalizer-3.4.6-cp311-cp311-win_amd64.whl", hash = "sha256:a9e68c9d88823b274cf1e72f28cb5dc89c990edf430b0bfd3e2fb0785bfeabf4", size = 153857, upload-time = "2026-03-15T18:50:47.563Z" }, - { url = "https://files.pythonhosted.org/packages/e2/dc/9abe19c9b27e6cd3636036b9d1b387b78c40dedbf0b47f9366737684b4b0/charset_normalizer-3.4.6-cp311-cp311-win_arm64.whl", hash = "sha256:97d0235baafca5f2b09cf332cc275f021e694e8362c6bb9c96fc9a0eb74fc316", size = 142751, upload-time = "2026-03-15T18:50:49.234Z" }, - { url = "https://files.pythonhosted.org/packages/2a/68/687187c7e26cb24ccbd88e5069f5ef00eba804d36dde11d99aad0838ab45/charset_normalizer-3.4.6-py3-none-any.whl", hash = "sha256:947cf925bc916d90adba35a64c82aace04fa39b46b52d4630ece166655905a69", size = 61455, upload-time = "2026-03-15T18:53:23.833Z" }, +version = "3.4.7" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/e7/a1/67fe25fac3c7642725500a3f6cfe5821ad557c3abb11c9d20d12c7008d3e/charset_normalizer-3.4.7.tar.gz", hash = "sha256:ae89db9e5f98a11a4bf50407d4363e7b09b31e55bc117b4f7d80aab97ba009e5", size = 144271, upload-time = "2026-04-02T09:28:39.342Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/c2/d7/b5b7020a0565c2e9fa8c09f4b5fa6232feb326b8c20081ccded47ea368fd/charset_normalizer-3.4.7-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:7641bb8895e77f921102f72833904dcd9901df5d6d72a2ab8f31d04b7e51e4e7", size = 309705, upload-time = "2026-04-02T09:26:02.191Z" }, + { url = "https://files.pythonhosted.org/packages/5a/53/58c29116c340e5456724ecd2fff4196d236b98f3da97b404bc5e51ac3493/charset_normalizer-3.4.7-cp311-cp311-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:202389074300232baeb53ae2569a60901f7efadd4245cf3a3bf0617d60b439d7", size = 206419, upload-time = "2026-04-02T09:26:03.583Z" }, + { url = "https://files.pythonhosted.org/packages/b2/02/e8146dc6591a37a00e5144c63f29fb7c97a734ea8a111190783c0e60ab63/charset_normalizer-3.4.7-cp311-cp311-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:30b8d1d8c52a48c2c5690e152c169b673487a2a58de1ec7393196753063fcd5e", size = 227901, upload-time = "2026-04-02T09:26:04.738Z" }, + { url = "https://files.pythonhosted.org/packages/fb/73/77486c4cd58f1267bf17db420e930c9afa1b3be3fe8c8b8ebbebc9624359/charset_normalizer-3.4.7-cp311-cp311-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:532bc9bf33a68613fd7d65e4b1c71a6a38d7d42604ecf239c77392e9b4e8998c", size = 222742, upload-time = "2026-04-02T09:26:06.36Z" }, + { url = "https://files.pythonhosted.org/packages/a1/fa/f74eb381a7d94ded44739e9d94de18dc5edc9c17fb8c11f0a6890696c0a9/charset_normalizer-3.4.7-cp311-cp311-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:2fe249cb4651fd12605b7288b24751d8bfd46d35f12a20b1ba33dea122e690df", size = 214061, upload-time = "2026-04-02T09:26:08.347Z" }, + { url = "https://files.pythonhosted.org/packages/dc/92/42bd3cefcf7687253fb86694b45f37b733c97f59af3724f356fa92b8c344/charset_normalizer-3.4.7-cp311-cp311-manylinux_2_31_armv7l.whl", hash = "sha256:65bcd23054beab4d166035cabbc868a09c1a49d1efe458fe8e4361215df40265", size = 199239, upload-time = "2026-04-02T09:26:09.823Z" }, + { url = "https://files.pythonhosted.org/packages/4c/3d/069e7184e2aa3b3cddc700e3dd267413dc259854adc3380421c805c6a17d/charset_normalizer-3.4.7-cp311-cp311-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:08e721811161356f97b4059a9ba7bafb23ea5ee2255402c42881c214e173c6b4", size = 210173, upload-time = "2026-04-02T09:26:10.953Z" }, + { url = "https://files.pythonhosted.org/packages/62/51/9d56feb5f2e7074c46f93e0ebdbe61f0848ee246e2f0d89f8e20b89ebb8f/charset_normalizer-3.4.7-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:e060d01aec0a910bdccb8be71faf34e7799ce36950f8294c8bf612cba65a2c9e", size = 209841, upload-time = "2026-04-02T09:26:12.142Z" }, + { url = "https://files.pythonhosted.org/packages/d2/59/893d8f99cc4c837dda1fe2f1139079703deb9f321aabcb032355de13b6c7/charset_normalizer-3.4.7-cp311-cp311-musllinux_1_2_armv7l.whl", hash = "sha256:38c0109396c4cfc574d502df99742a45c72c08eff0a36158b6f04000043dbf38", size = 200304, upload-time = "2026-04-02T09:26:13.711Z" }, + { url = "https://files.pythonhosted.org/packages/7d/1d/ee6f3be3464247578d1ed5c46de545ccc3d3ff933695395c402c21fa6b77/charset_normalizer-3.4.7-cp311-cp311-musllinux_1_2_ppc64le.whl", hash = "sha256:1c2a768fdd44ee4a9339a9b0b130049139b8ce3c01d2ce09f67f5a68048d477c", size = 229455, upload-time = "2026-04-02T09:26:14.941Z" }, + { url = "https://files.pythonhosted.org/packages/54/bb/8fb0a946296ea96a488928bdce8ef99023998c48e4713af533e9bb98ef07/charset_normalizer-3.4.7-cp311-cp311-musllinux_1_2_riscv64.whl", hash = "sha256:1a87ca9d5df6fe460483d9a5bbf2b18f620cbed41b432e2bddb686228282d10b", size = 210036, upload-time = "2026-04-02T09:26:16.478Z" }, + { url = "https://files.pythonhosted.org/packages/9a/bc/015b2387f913749f82afd4fcba07846d05b6d784dd16123cb66860e0237d/charset_normalizer-3.4.7-cp311-cp311-musllinux_1_2_s390x.whl", hash = "sha256:d635aab80466bc95771bb78d5370e74d36d1fe31467b6b29b8b57b2a3cd7d22c", size = 224739, upload-time = "2026-04-02T09:26:17.751Z" }, + { url = "https://files.pythonhosted.org/packages/17/ab/63133691f56baae417493cba6b7c641571a2130eb7bceba6773367ab9ec5/charset_normalizer-3.4.7-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:ae196f021b5e7c78e918242d217db021ed2a6ace2bc6ae94c0fc596221c7f58d", size = 216277, upload-time = "2026-04-02T09:26:18.981Z" }, + { url = "https://files.pythonhosted.org/packages/06/6d/3be70e827977f20db77c12a97e6a9f973631a45b8d186c084527e53e77a4/charset_normalizer-3.4.7-cp311-cp311-win32.whl", hash = "sha256:adb2597b428735679446b46c8badf467b4ca5f5056aae4d51a19f9570301b1ad", size = 147819, upload-time = "2026-04-02T09:26:20.295Z" }, + { url = "https://files.pythonhosted.org/packages/20/d9/5f67790f06b735d7c7637171bbfd89882ad67201891b7275e51116ed8207/charset_normalizer-3.4.7-cp311-cp311-win_amd64.whl", hash = "sha256:8e385e4267ab76874ae30db04c627faaaf0b509e1ccc11a95b3fc3e83f855c00", size = 159281, upload-time = "2026-04-02T09:26:21.74Z" }, + { url = "https://files.pythonhosted.org/packages/ca/83/6413f36c5a34afead88ce6f66684d943d91f233d76dd083798f9602b75ae/charset_normalizer-3.4.7-cp311-cp311-win_arm64.whl", hash = "sha256:d4a48e5b3c2a489fae013b7589308a40146ee081f6f509e047e0e096084ceca1", size = 147843, upload-time = "2026-04-02T09:26:22.901Z" }, + { url = "https://files.pythonhosted.org/packages/db/8f/61959034484a4a7c527811f4721e75d02d653a35afb0b6054474d8185d4c/charset_normalizer-3.4.7-py3-none-any.whl", hash = "sha256:3dce51d0f5e7951f8bb4900c257dad282f49190fdbebecd4ba99bcc41fef404d", size = 61958, upload-time = "2026-04-02T09:28:37.794Z" }, ] [[package]] name = "click" -version = "8.3.1" +version = "8.3.2" source = { registry = "https://pypi.org/simple" } dependencies = [ { name = "colorama", marker = "sys_platform == 'win32'" }, ] -sdist = { url = "https://files.pythonhosted.org/packages/3d/fa/656b739db8587d7b5dfa22e22ed02566950fbfbcdc20311993483657a5c0/click-8.3.1.tar.gz", hash = "sha256:12ff4785d337a1bb490bb7e9c2b1ee5da3112e94a8622f26a6c77f5d2fc6842a", size = 295065, upload-time = "2025-11-15T20:45:42.706Z" } +sdist = { url = "https://files.pythonhosted.org/packages/57/75/31212c6bf2503fdf920d87fee5d7a86a2e3bcf444984126f13d8e4016804/click-8.3.2.tar.gz", hash = "sha256:14162b8b3b3550a7d479eafa77dfd3c38d9dc8951f6f69c78913a8f9a7540fd5", size = 302856, upload-time = "2026-04-03T19:14:45.118Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/98/78/01c019cdb5d6498122777c1a43056ebb3ebfeef2076d9d026bfe15583b2b/click-8.3.1-py3-none-any.whl", hash = "sha256:981153a64e25f12d547d3426c367a4857371575ee7ad18df2a6183ab0545b2a6", size = 108274, upload-time = "2025-11-15T20:45:41.139Z" }, + { url = "https://files.pythonhosted.org/packages/e4/20/71885d8b97d4f3dde17b1fdb92dbd4908b00541c5a3379787137285f602e/click-8.3.2-py3-none-any.whl", hash = "sha256:1924d2c27c5653561cd2cae4548d1406039cb79b858b747cfea24924bbc1616d", size = 108379, upload-time = "2026-04-03T19:14:43.505Z" }, ] [[package]] @@ -245,7 +245,7 @@ requests = [ [[package]] name = "google-genai" -version = "1.69.0" +version = "1.70.0" source = { registry = "https://pypi.org/simple" } dependencies = [ { name = "anyio" }, @@ -259,9 +259,9 @@ dependencies = [ { name = "typing-extensions" }, { name = "websockets" }, ] -sdist = { url = "https://files.pythonhosted.org/packages/00/5e/c0a5e6ff60d18d3f19819a9b1fbd6a1ef2162d025696d8660550739168dc/google_genai-1.69.0.tar.gz", hash = "sha256:5f1a6a478e0c5851506a3d337534bab27b3c33120e27bf9174507ea79dfb8673", size = 519538, upload-time = "2026-03-28T15:33:27.308Z" } +sdist = { url = "https://files.pythonhosted.org/packages/74/dd/28e4682904b183acbfad3fe6409f13a42f69bb8eab6e882d3bcbea1dde01/google_genai-1.70.0.tar.gz", hash = "sha256:36b67b0fc6f319e08d1f1efd808b790107b1809c8743a05d55dfcf9d9fad7719", size = 519550, upload-time = "2026-04-01T10:52:46.487Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/42/58/ef0586019f54b2ebb36deed7608ccb5efe1377564d2aaea6b1e295d1fadc/google_genai-1.69.0-py3-none-any.whl", hash = "sha256:252e714d724aba74949647b9de511a6a6f7804b3b317ab39ddee9cc2f001cacc", size = 760551, upload-time = "2026-03-28T15:33:24.957Z" }, + { url = "https://files.pythonhosted.org/packages/36/a3/d4564c8a9beaf6a3cef8d70fa6354318572cebfee65db4f01af0d41f45ba/google_genai-1.70.0-py3-none-any.whl", hash = "sha256:b74c24549d8b4208f4c736fd11857374788e1ffffc725de45d706e35c97fceee", size = 760584, upload-time = "2026-04-01T10:52:44.349Z" }, ] [[package]] @@ -404,7 +404,7 @@ wheels = [ [[package]] name = "mp" -version = "1.28.21" +version = "1.29.0" source = { editable = "." } dependencies = [ { name = "anyio" }, @@ -444,7 +444,7 @@ requires-dist = [ { name = "anyio", specifier = ">=4.12.1" }, { name = "deepdiff", specifier = ">=8.6.1" }, { name = "defusedxml", specifier = ">=0.7.1" }, - { name = "google-genai", specifier = ">=1.59.0" }, + { name = "google-genai", specifier = ">=1.70.0" }, { name = "jinja2", specifier = ">=3.1.6" }, { name = "libcst", specifier = ">=1.8.2" }, { name = "packaging", specifier = ">=26.0" }, @@ -456,11 +456,11 @@ requires-dist = [ { name = "requests", specifier = ">=2.32.4" }, { name = "rich", specifier = ">=14.0.0" }, { name = "ruamel-yaml", specifier = "==0.17.40" }, - { name = "ruff", specifier = ">=0.15.0" }, + { name = "ruff", specifier = ">=0.15.9" }, { name = "tenacity", specifier = ">=9.1.2" }, { name = "toml", specifier = ">=0.10.2" }, { name = "toon-format", git = "https://github.com/toon-format/toon-python.git" }, - { name = "ty", specifier = ">=0.0.15" }, + { name = "ty", specifier = ">=0.0.28" }, { name = "typer", specifier = ">=0.16.0" }, { name = "uv", specifier = ">=0.7.13" }, ] @@ -493,28 +493,28 @@ wheels = [ [[package]] name = "pillow" -version = "12.1.1" -source = { registry = "https://pypi.org/simple" } -sdist = { url = "https://files.pythonhosted.org/packages/1f/42/5c74462b4fd957fcd7b13b04fb3205ff8349236ea74c7c375766d6c82288/pillow-12.1.1.tar.gz", hash = "sha256:9ad8fa5937ab05218e2b6a4cff30295ad35afd2f83ac592e68c0d871bb0fdbc4", size = 46980264, upload-time = "2026-02-11T04:23:07.146Z" } -wheels = [ - { url = "https://files.pythonhosted.org/packages/2b/46/5da1ec4a5171ee7bf1a0efa064aba70ba3d6e0788ce3f5acd1375d23c8c0/pillow-12.1.1-cp311-cp311-macosx_10_10_x86_64.whl", hash = "sha256:e879bb6cd5c73848ef3b2b48b8af9ff08c5b71ecda8048b7dd22d8a33f60be32", size = 5304084, upload-time = "2026-02-11T04:20:27.501Z" }, - { url = "https://files.pythonhosted.org/packages/78/93/a29e9bc02d1cf557a834da780ceccd54e02421627200696fcf805ebdc3fb/pillow-12.1.1-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:365b10bb9417dd4498c0e3b128018c4a624dc11c7b97d8cc54effe3b096f4c38", size = 4657866, upload-time = "2026-02-11T04:20:29.827Z" }, - { url = "https://files.pythonhosted.org/packages/13/84/583a4558d492a179d31e4aae32eadce94b9acf49c0337c4ce0b70e0a01f2/pillow-12.1.1-cp311-cp311-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:d4ce8e329c93845720cd2014659ca67eac35f6433fd3050393d85f3ecef0dad5", size = 6232148, upload-time = "2026-02-11T04:20:31.329Z" }, - { url = "https://files.pythonhosted.org/packages/d5/e2/53c43334bbbb2d3b938978532fbda8e62bb6e0b23a26ce8592f36bcc4987/pillow-12.1.1-cp311-cp311-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:fc354a04072b765eccf2204f588a7a532c9511e8b9c7f900e1b64e3e33487090", size = 8038007, upload-time = "2026-02-11T04:20:34.225Z" }, - { url = "https://files.pythonhosted.org/packages/b8/a6/3d0e79c8a9d58150dd98e199d7c1c56861027f3829a3a60b3c2784190180/pillow-12.1.1-cp311-cp311-manylinux_2_27_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:7e7976bf1910a8116b523b9f9f58bf410f3e8aa330cd9a2bb2953f9266ab49af", size = 6345418, upload-time = "2026-02-11T04:20:35.858Z" }, - { url = "https://files.pythonhosted.org/packages/a2/c8/46dfeac5825e600579157eea177be43e2f7ff4a99da9d0d0a49533509ac5/pillow-12.1.1-cp311-cp311-manylinux_2_27_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:597bd9c8419bc7c6af5604e55847789b69123bbe25d65cc6ad3012b4f3c98d8b", size = 7034590, upload-time = "2026-02-11T04:20:37.91Z" }, - { url = "https://files.pythonhosted.org/packages/af/bf/e6f65d3db8a8bbfeaf9e13cc0417813f6319863a73de934f14b2229ada18/pillow-12.1.1-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:2c1fc0f2ca5f96a3c8407e41cca26a16e46b21060fe6d5b099d2cb01412222f5", size = 6458655, upload-time = "2026-02-11T04:20:39.496Z" }, - { url = "https://files.pythonhosted.org/packages/f9/c2/66091f3f34a25894ca129362e510b956ef26f8fb67a0e6417bc5744e56f1/pillow-12.1.1-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:578510d88c6229d735855e1f278aa305270438d36a05031dfaae5067cc8eb04d", size = 7159286, upload-time = "2026-02-11T04:20:41.139Z" }, - { url = "https://files.pythonhosted.org/packages/7b/5a/24bc8eb526a22f957d0cec6243146744966d40857e3d8deb68f7902ca6c1/pillow-12.1.1-cp311-cp311-win32.whl", hash = "sha256:7311c0a0dcadb89b36b7025dfd8326ecfa36964e29913074d47382706e516a7c", size = 6328663, upload-time = "2026-02-11T04:20:43.184Z" }, - { url = "https://files.pythonhosted.org/packages/31/03/bef822e4f2d8f9d7448c133d0a18185d3cce3e70472774fffefe8b0ed562/pillow-12.1.1-cp311-cp311-win_amd64.whl", hash = "sha256:fbfa2a7c10cc2623f412753cddf391c7f971c52ca40a3f65dc5039b2939e8563", size = 7031448, upload-time = "2026-02-11T04:20:44.696Z" }, - { url = "https://files.pythonhosted.org/packages/49/70/f76296f53610bd17b2e7d31728b8b7825e3ac3b5b3688b51f52eab7c0818/pillow-12.1.1-cp311-cp311-win_arm64.whl", hash = "sha256:b81b5e3511211631b3f672a595e3221252c90af017e399056d0faabb9538aa80", size = 2453651, upload-time = "2026-02-11T04:20:46.243Z" }, - { url = "https://files.pythonhosted.org/packages/56/11/5d43209aa4cb58e0cc80127956ff1796a68b928e6324bbf06ef4db34367b/pillow-12.1.1-pp311-pypy311_pp73-macosx_10_15_x86_64.whl", hash = "sha256:600fd103672b925fe62ed08e0d874ea34d692474df6f4bf7ebe148b30f89f39f", size = 5228606, upload-time = "2026-02-11T04:22:52.106Z" }, - { url = "https://files.pythonhosted.org/packages/5f/d5/3b005b4e4fda6698b371fa6c21b097d4707585d7db99e98d9b0b87ac612a/pillow-12.1.1-pp311-pypy311_pp73-macosx_11_0_arm64.whl", hash = "sha256:665e1b916b043cef294bc54d47bf02d87e13f769bc4bc5fa225a24b3a6c5aca9", size = 4622321, upload-time = "2026-02-11T04:22:53.827Z" }, - { url = "https://files.pythonhosted.org/packages/df/36/ed3ea2d594356fd8037e5a01f6156c74bc8d92dbb0fa60746cc96cabb6e8/pillow-12.1.1-pp311-pypy311_pp73-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:495c302af3aad1ca67420ddd5c7bd480c8867ad173528767d906428057a11f0e", size = 5247579, upload-time = "2026-02-11T04:22:56.094Z" }, - { url = "https://files.pythonhosted.org/packages/54/9a/9cc3e029683cf6d20ae5085da0dafc63148e3252c2f13328e553aaa13cfb/pillow-12.1.1-pp311-pypy311_pp73-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:8fd420ef0c52c88b5a035a0886f367748c72147b2b8f384c9d12656678dfdfa9", size = 6989094, upload-time = "2026-02-11T04:22:58.288Z" }, - { url = "https://files.pythonhosted.org/packages/00/98/fc53ab36da80b88df0967896b6c4b4cd948a0dc5aa40a754266aa3ae48b3/pillow-12.1.1-pp311-pypy311_pp73-manylinux_2_27_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:f975aa7ef9684ce7e2c18a3aa8f8e2106ce1e46b94ab713d156b2898811651d3", size = 5313850, upload-time = "2026-02-11T04:23:00.554Z" }, - { url = "https://files.pythonhosted.org/packages/30/02/00fa585abfd9fe9d73e5f6e554dc36cc2b842898cbfc46d70353dae227f8/pillow-12.1.1-pp311-pypy311_pp73-manylinux_2_27_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:8089c852a56c2966cf18835db62d9b34fef7ba74c726ad943928d494fa7f4735", size = 5963343, upload-time = "2026-02-11T04:23:02.934Z" }, - { url = "https://files.pythonhosted.org/packages/f2/26/c56ce33ca856e358d27fda9676c055395abddb82c35ac0f593877ed4562e/pillow-12.1.1-pp311-pypy311_pp73-win_amd64.whl", hash = "sha256:cb9bb857b2d057c6dfc72ac5f3b44836924ba15721882ef103cecb40d002d80e", size = 7029880, upload-time = "2026-02-11T04:23:04.783Z" }, +version = "12.2.0" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/8c/21/c2bcdd5906101a30244eaffc1b6e6ce71a31bd0742a01eb89e660ebfac2d/pillow-12.2.0.tar.gz", hash = "sha256:a830b1a40919539d07806aa58e1b114df53ddd43213d9c8b75847eee6c0182b5", size = 46987819, upload-time = "2026-04-01T14:46:17.687Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/68/e1/748f5663efe6edcfc4e74b2b93edfb9b8b99b67f21a854c3ae416500a2d9/pillow-12.2.0-cp311-cp311-macosx_10_10_x86_64.whl", hash = "sha256:8be29e59487a79f173507c30ddf57e733a357f67881430449bb32614075a40ab", size = 5354347, upload-time = "2026-04-01T14:42:44.255Z" }, + { url = "https://files.pythonhosted.org/packages/47/a1/d5ff69e747374c33a3b53b9f98cca7889fce1fd03d79cdc4e1bccc6c5a87/pillow-12.2.0-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:71cde9a1e1551df7d34a25462fc60325e8a11a82cc2e2f54578e5e9a1e153d65", size = 4695873, upload-time = "2026-04-01T14:42:46.452Z" }, + { url = "https://files.pythonhosted.org/packages/df/21/e3fbdf54408a973c7f7f89a23b2cb97a7ef30c61ab4142af31eee6aebc88/pillow-12.2.0-cp311-cp311-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:f490f9368b6fc026f021db16d7ec2fbf7d89e2edb42e8ec09d2c60505f5729c7", size = 6280168, upload-time = "2026-04-01T14:42:49.228Z" }, + { url = "https://files.pythonhosted.org/packages/d3/f1/00b7278c7dd52b17ad4329153748f87b6756ec195ff786c2bdf12518337d/pillow-12.2.0-cp311-cp311-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:8bd7903a5f2a4545f6fd5935c90058b89d30045568985a71c79f5fd6edf9b91e", size = 8088188, upload-time = "2026-04-01T14:42:51.735Z" }, + { url = "https://files.pythonhosted.org/packages/ad/cf/220a5994ef1b10e70e85748b75649d77d506499352be135a4989c957b701/pillow-12.2.0-cp311-cp311-manylinux_2_27_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:3997232e10d2920a68d25191392e3a4487d8183039e1c74c2297f00ed1c50705", size = 6394401, upload-time = "2026-04-01T14:42:54.343Z" }, + { url = "https://files.pythonhosted.org/packages/e9/bd/e51a61b1054f09437acfbc2ff9106c30d1eb76bc1453d428399946781253/pillow-12.2.0-cp311-cp311-manylinux_2_27_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:e74473c875d78b8e9d5da2a70f7099549f9eb37ded4e2f6a463e60125bccd176", size = 7079655, upload-time = "2026-04-01T14:42:56.954Z" }, + { url = "https://files.pythonhosted.org/packages/6b/3d/45132c57d5fb4b5744567c3817026480ac7fc3ce5d4c47902bc0e7f6f853/pillow-12.2.0-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:56a3f9c60a13133a98ecff6197af34d7824de9b7b38c3654861a725c970c197b", size = 6503105, upload-time = "2026-04-01T14:42:59.847Z" }, + { url = "https://files.pythonhosted.org/packages/7d/2e/9df2fc1e82097b1df3dce58dc43286aa01068e918c07574711fcc53e6fb4/pillow-12.2.0-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:90e6f81de50ad6b534cab6e5aef77ff6e37722b2f5d908686f4a5c9eba17a909", size = 7203402, upload-time = "2026-04-01T14:43:02.664Z" }, + { url = "https://files.pythonhosted.org/packages/bd/2e/2941e42858ebb67e50ae741473de81c2984e6eff7b397017623c676e2e8d/pillow-12.2.0-cp311-cp311-win32.whl", hash = "sha256:8c984051042858021a54926eb597d6ee3012393ce9c181814115df4c60b9a808", size = 6378149, upload-time = "2026-04-01T14:43:05.274Z" }, + { url = "https://files.pythonhosted.org/packages/69/42/836b6f3cd7f3e5fa10a1f1a5420447c17966044c8fbf589cc0452d5502db/pillow-12.2.0-cp311-cp311-win_amd64.whl", hash = "sha256:6e6b2a0c538fc200b38ff9eb6628228b77908c319a005815f2dde585a0664b60", size = 7082626, upload-time = "2026-04-01T14:43:08.557Z" }, + { url = "https://files.pythonhosted.org/packages/c2/88/549194b5d6f1f494b485e493edc6693c0a16f4ada488e5bd974ed1f42fad/pillow-12.2.0-cp311-cp311-win_arm64.whl", hash = "sha256:9a8a34cc89c67a65ea7437ce257cea81a9dad65b29805f3ecee8c8fe8ff25ffe", size = 2463531, upload-time = "2026-04-01T14:43:10.743Z" }, + { url = "https://files.pythonhosted.org/packages/4e/b7/2437044fb910f499610356d1352e3423753c98e34f915252aafecc64889f/pillow-12.2.0-pp311-pypy311_pp73-macosx_10_15_x86_64.whl", hash = "sha256:0538bd5e05efec03ae613fd89c4ce0368ecd2ba239cc25b9f9be7ed426b0af1f", size = 5273969, upload-time = "2026-04-01T14:45:55.538Z" }, + { url = "https://files.pythonhosted.org/packages/f6/f4/8316e31de11b780f4ac08ef3654a75555e624a98db1056ecb2122d008d5a/pillow-12.2.0-pp311-pypy311_pp73-macosx_11_0_arm64.whl", hash = "sha256:394167b21da716608eac917c60aa9b969421b5dcbbe02ae7f013e7b85811c69d", size = 4659674, upload-time = "2026-04-01T14:45:58.093Z" }, + { url = "https://files.pythonhosted.org/packages/d4/37/664fca7201f8bb2aa1d20e2c3d5564a62e6ae5111741966c8319ca802361/pillow-12.2.0-pp311-pypy311_pp73-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:5d04bfa02cc2d23b497d1e90a0f927070043f6cbf303e738300532379a4b4e0f", size = 5288479, upload-time = "2026-04-01T14:46:01.141Z" }, + { url = "https://files.pythonhosted.org/packages/49/62/5b0ed78fce87346be7a5cfcfaaad91f6a1f98c26f86bdbafa2066c647ef6/pillow-12.2.0-pp311-pypy311_pp73-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:0c838a5125cee37e68edec915651521191cef1e6aa336b855f495766e77a366e", size = 7032230, upload-time = "2026-04-01T14:46:03.874Z" }, + { url = "https://files.pythonhosted.org/packages/c3/28/ec0fc38107fc32536908034e990c47914c57cd7c5a3ece4d8d8f7ffd7e27/pillow-12.2.0-pp311-pypy311_pp73-manylinux_2_27_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:4a6c9fa44005fa37a91ebfc95d081e8079757d2e904b27103f4f5fa6f0bf78c0", size = 5355404, upload-time = "2026-04-01T14:46:06.33Z" }, + { url = "https://files.pythonhosted.org/packages/5e/8b/51b0eddcfa2180d60e41f06bd6d0a62202b20b59c68f5a132e615b75aecf/pillow-12.2.0-pp311-pypy311_pp73-manylinux_2_27_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:25373b66e0dd5905ed63fa3cae13c82fbddf3079f2c8bf15c6fb6a35586324c1", size = 6002215, upload-time = "2026-04-01T14:46:08.83Z" }, + { url = "https://files.pythonhosted.org/packages/bc/60/5382c03e1970de634027cee8e1b7d39776b778b81812aaf45b694dfe9e28/pillow-12.2.0-pp311-pypy311_pp73-win_amd64.whl", hash = "sha256:bfa9c230d2fe991bed5318a5f119bd6780cda2915cca595393649fc118ab895e", size = 7080946, upload-time = "2026-04-01T14:46:11.734Z" }, ] [[package]] @@ -755,27 +755,27 @@ wheels = [ [[package]] name = "ruff" -version = "0.15.8" -source = { registry = "https://pypi.org/simple" } -sdist = { url = "https://files.pythonhosted.org/packages/14/b0/73cf7550861e2b4824950b8b52eebdcc5adc792a00c514406556c5b80817/ruff-0.15.8.tar.gz", hash = "sha256:995f11f63597ee362130d1d5a327a87cb6f3f5eae3094c620bcc632329a4d26e", size = 4610921, upload-time = "2026-03-26T18:39:38.675Z" } -wheels = [ - { url = "https://files.pythonhosted.org/packages/4a/92/c445b0cd6da6e7ae51e954939cb69f97e008dbe750cfca89b8cedc081be7/ruff-0.15.8-py3-none-linux_armv6l.whl", hash = "sha256:cbe05adeba76d58162762d6b239c9056f1a15a55bd4b346cfd21e26cd6ad7bc7", size = 10527394, upload-time = "2026-03-26T18:39:41.566Z" }, - { url = "https://files.pythonhosted.org/packages/eb/92/f1c662784d149ad1414cae450b082cf736430c12ca78367f20f5ed569d65/ruff-0.15.8-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:d3e3d0b6ba8dca1b7ef9ab80a28e840a20070c4b62e56d675c24f366ef330570", size = 10905693, upload-time = "2026-03-26T18:39:30.364Z" }, - { url = "https://files.pythonhosted.org/packages/ca/f2/7a631a8af6d88bcef997eb1bf87cc3da158294c57044aafd3e17030613de/ruff-0.15.8-py3-none-macosx_11_0_arm64.whl", hash = "sha256:6ee3ae5c65a42f273f126686353f2e08ff29927b7b7e203b711514370d500de3", size = 10323044, upload-time = "2026-03-26T18:39:33.37Z" }, - { url = "https://files.pythonhosted.org/packages/67/18/1bf38e20914a05e72ef3b9569b1d5c70a7ef26cd188d69e9ca8ef588d5bf/ruff-0.15.8-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:fdce027ada77baa448077ccc6ebb2fa9c3c62fd110d8659d601cf2f475858d94", size = 10629135, upload-time = "2026-03-26T18:39:44.142Z" }, - { url = "https://files.pythonhosted.org/packages/d2/e9/138c150ff9af60556121623d41aba18b7b57d95ac032e177b6a53789d279/ruff-0.15.8-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:12e617fc01a95e5821648a6df341d80456bd627bfab8a829f7cfc26a14a4b4a3", size = 10348041, upload-time = "2026-03-26T18:39:52.178Z" }, - { url = "https://files.pythonhosted.org/packages/02/f1/5bfb9298d9c323f842c5ddeb85f1f10ef51516ac7a34ba446c9347d898df/ruff-0.15.8-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:432701303b26416d22ba696c39f2c6f12499b89093b61360abc34bcc9bf07762", size = 11121987, upload-time = "2026-03-26T18:39:55.195Z" }, - { url = "https://files.pythonhosted.org/packages/10/11/6da2e538704e753c04e8d86b1fc55712fdbdcc266af1a1ece7a51fff0d10/ruff-0.15.8-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:d910ae974b7a06a33a057cb87d2a10792a3b2b3b35e33d2699fdf63ec8f6b17a", size = 11951057, upload-time = "2026-03-26T18:39:19.18Z" }, - { url = "https://files.pythonhosted.org/packages/83/f0/c9208c5fd5101bf87002fed774ff25a96eea313d305f1e5d5744698dc314/ruff-0.15.8-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:2033f963c43949d51e6fdccd3946633c6b37c484f5f98c3035f49c27395a8ab8", size = 11464613, upload-time = "2026-03-26T18:40:06.301Z" }, - { url = "https://files.pythonhosted.org/packages/f8/22/d7f2fabdba4fae9f3b570e5605d5eb4500dcb7b770d3217dca4428484b17/ruff-0.15.8-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:0f29b989a55572fb885b77464cf24af05500806ab4edf9a0fd8977f9759d85b1", size = 11257557, upload-time = "2026-03-26T18:39:57.972Z" }, - { url = "https://files.pythonhosted.org/packages/71/8c/382a9620038cf6906446b23ce8632ab8c0811b8f9d3e764f58bedd0c9a6f/ruff-0.15.8-py3-none-manylinux_2_31_riscv64.whl", hash = "sha256:ac51d486bf457cdc985a412fb1801b2dfd1bd8838372fc55de64b1510eff4bec", size = 11169440, upload-time = "2026-03-26T18:39:22.205Z" }, - { url = "https://files.pythonhosted.org/packages/4d/0d/0994c802a7eaaf99380085e4e40c845f8e32a562e20a38ec06174b52ef24/ruff-0.15.8-py3-none-musllinux_1_2_aarch64.whl", hash = "sha256:c9861eb959edab053c10ad62c278835ee69ca527b6dcd72b47d5c1e5648964f6", size = 10605963, upload-time = "2026-03-26T18:39:46.682Z" }, - { url = "https://files.pythonhosted.org/packages/19/aa/d624b86f5b0aad7cef6bbf9cd47a6a02dfdc4f72c92a337d724e39c9d14b/ruff-0.15.8-py3-none-musllinux_1_2_armv7l.whl", hash = "sha256:8d9a5b8ea13f26ae90838afc33f91b547e61b794865374f114f349e9036835fb", size = 10357484, upload-time = "2026-03-26T18:39:49.176Z" }, - { url = "https://files.pythonhosted.org/packages/35/c3/e0b7835d23001f7d999f3895c6b569927c4d39912286897f625736e1fd04/ruff-0.15.8-py3-none-musllinux_1_2_i686.whl", hash = "sha256:c2a33a529fb3cbc23a7124b5c6ff121e4d6228029cba374777bd7649cc8598b8", size = 10830426, upload-time = "2026-03-26T18:40:03.702Z" }, - { url = "https://files.pythonhosted.org/packages/f0/51/ab20b322f637b369383adc341d761eaaa0f0203d6b9a7421cd6e783d81b9/ruff-0.15.8-py3-none-musllinux_1_2_x86_64.whl", hash = "sha256:75e5cd06b1cf3f47a3996cfc999226b19aa92e7cce682dcd62f80d7035f98f49", size = 11345125, upload-time = "2026-03-26T18:39:27.799Z" }, - { url = "https://files.pythonhosted.org/packages/37/e6/90b2b33419f59d0f2c4c8a48a4b74b460709a557e8e0064cf33ad894f983/ruff-0.15.8-py3-none-win32.whl", hash = "sha256:bc1f0a51254ba21767bfa9a8b5013ca8149dcf38092e6a9eb704d876de94dc34", size = 10571959, upload-time = "2026-03-26T18:39:36.117Z" }, - { url = "https://files.pythonhosted.org/packages/1f/a2/ef467cb77099062317154c63f234b8a7baf7cb690b99af760c5b68b9ee7f/ruff-0.15.8-py3-none-win_amd64.whl", hash = "sha256:04f79eff02a72db209d47d665ba7ebcad609d8918a134f86cb13dd132159fc89", size = 11743893, upload-time = "2026-03-26T18:39:25.01Z" }, - { url = "https://files.pythonhosted.org/packages/15/e2/77be4fff062fa78d9b2a4dea85d14785dac5f1d0c1fb58ed52331f0ebe28/ruff-0.15.8-py3-none-win_arm64.whl", hash = "sha256:cf891fa8e3bb430c0e7fac93851a5978fc99c8fa2c053b57b118972866f8e5f2", size = 11048175, upload-time = "2026-03-26T18:40:01.06Z" }, +version = "0.15.9" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/e6/97/e9f1ca355108ef7194e38c812ef40ba98c7208f47b13ad78d023caa583da/ruff-0.15.9.tar.gz", hash = "sha256:29cbb1255a9797903f6dde5ba0188c707907ff44a9006eb273b5a17bfa0739a2", size = 4617361, upload-time = "2026-04-02T18:17:20.829Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/0b/1f/9cdfd0ac4b9d1e5a6cf09bedabdf0b56306ab5e333c85c87281273e7b041/ruff-0.15.9-py3-none-linux_armv6l.whl", hash = "sha256:6efbe303983441c51975c243e26dff328aca11f94b70992f35b093c2e71801e1", size = 10511206, upload-time = "2026-04-02T18:16:41.574Z" }, + { url = "https://files.pythonhosted.org/packages/3d/f6/32bfe3e9c136b35f02e489778d94384118bb80fd92c6d92e7ccd97db12ce/ruff-0.15.9-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:4965bac6ac9ea86772f4e23587746f0b7a395eccabb823eb8bfacc3fa06069f7", size = 10923307, upload-time = "2026-04-02T18:17:08.645Z" }, + { url = "https://files.pythonhosted.org/packages/ca/25/de55f52ab5535d12e7aaba1de37a84be6179fb20bddcbe71ec091b4a3243/ruff-0.15.9-py3-none-macosx_11_0_arm64.whl", hash = "sha256:eaf05aad70ca5b5a0a4b0e080df3a6b699803916d88f006efd1f5b46302daab8", size = 10316722, upload-time = "2026-04-02T18:16:44.206Z" }, + { url = "https://files.pythonhosted.org/packages/48/11/690d75f3fd6278fe55fff7c9eb429c92d207e14b25d1cae4064a32677029/ruff-0.15.9-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:9439a342adb8725f32f92732e2bafb6d5246bd7a5021101166b223d312e8fc59", size = 10623674, upload-time = "2026-04-02T18:16:50.951Z" }, + { url = "https://files.pythonhosted.org/packages/bd/ec/176f6987be248fc5404199255522f57af1b4a5a1b57727e942479fec98ad/ruff-0.15.9-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:9c5e6faf9d97c8edc43877c3f406f47446fc48c40e1442d58cfcdaba2acea745", size = 10351516, upload-time = "2026-04-02T18:16:57.206Z" }, + { url = "https://files.pythonhosted.org/packages/b2/fc/51cffbd2b3f240accc380171d51446a32aa2ea43a40d4a45ada67368fbd2/ruff-0.15.9-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:7b34a9766aeec27a222373d0b055722900fbc0582b24f39661aa96f3fe6ad901", size = 11150202, upload-time = "2026-04-02T18:17:06.452Z" }, + { url = "https://files.pythonhosted.org/packages/d6/d4/25292a6dfc125f6b6528fe6af31f5e996e19bf73ca8e3ce6eb7fa5b95885/ruff-0.15.9-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:89dd695bc72ae76ff484ae54b7e8b0f6b50f49046e198355e44ea656e521fef9", size = 11988891, upload-time = "2026-04-02T18:17:18.575Z" }, + { url = "https://files.pythonhosted.org/packages/13/e1/1eebcb885c10e19f969dcb93d8413dfee8172578709d7ee933640f5e7147/ruff-0.15.9-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:ce187224ef1de1bd225bc9a152ac7102a6171107f026e81f317e4257052916d5", size = 11480576, upload-time = "2026-04-02T18:16:52.986Z" }, + { url = "https://files.pythonhosted.org/packages/ff/6b/a1548ac378a78332a4c3dcf4a134c2475a36d2a22ddfa272acd574140b50/ruff-0.15.9-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:2b0c7c341f68adb01c488c3b7d4b49aa8ea97409eae6462d860a79cf55f431b6", size = 11254525, upload-time = "2026-04-02T18:17:02.041Z" }, + { url = "https://files.pythonhosted.org/packages/42/aa/4bb3af8e61acd9b1281db2ab77e8b2c3c5e5599bf2a29d4a942f1c62b8d6/ruff-0.15.9-py3-none-manylinux_2_31_riscv64.whl", hash = "sha256:55cc15eee27dc0eebdfcb0d185a6153420efbedc15eb1d38fe5e685657b0f840", size = 11204072, upload-time = "2026-04-02T18:17:13.581Z" }, + { url = "https://files.pythonhosted.org/packages/69/48/d550dc2aa6e423ea0bcc1d0ff0699325ffe8a811e2dba156bd80750b86dc/ruff-0.15.9-py3-none-musllinux_1_2_aarch64.whl", hash = "sha256:a6537f6eed5cda688c81073d46ffdfb962a5f29ecb6f7e770b2dc920598997ed", size = 10594998, upload-time = "2026-04-02T18:16:46.369Z" }, + { url = "https://files.pythonhosted.org/packages/63/47/321167e17f5344ed5ec6b0aa2cff64efef5f9e985af8f5622cfa6536043f/ruff-0.15.9-py3-none-musllinux_1_2_armv7l.whl", hash = "sha256:6d3fcbca7388b066139c523bda744c822258ebdcfbba7d24410c3f454cc9af71", size = 10359769, upload-time = "2026-04-02T18:17:10.994Z" }, + { url = "https://files.pythonhosted.org/packages/67/5e/074f00b9785d1d2c6f8c22a21e023d0c2c1817838cfca4c8243200a1fa87/ruff-0.15.9-py3-none-musllinux_1_2_i686.whl", hash = "sha256:058d8e99e1bfe79d8a0def0b481c56059ee6716214f7e425d8e737e412d69677", size = 10850236, upload-time = "2026-04-02T18:16:48.749Z" }, + { url = "https://files.pythonhosted.org/packages/76/37/804c4135a2a2caf042925d30d5f68181bdbd4461fd0d7739da28305df593/ruff-0.15.9-py3-none-musllinux_1_2_x86_64.whl", hash = "sha256:8e1ddb11dbd61d5983fa2d7d6370ef3eb210951e443cace19594c01c72abab4c", size = 11358343, upload-time = "2026-04-02T18:16:55.068Z" }, + { url = "https://files.pythonhosted.org/packages/88/3d/1364fcde8656962782aa9ea93c92d98682b1ecec2f184e625a965ad3b4a6/ruff-0.15.9-py3-none-win32.whl", hash = "sha256:bde6ff36eaf72b700f32b7196088970bf8fdb2b917b7accd8c371bfc0fd573ec", size = 10583382, upload-time = "2026-04-02T18:17:04.261Z" }, + { url = "https://files.pythonhosted.org/packages/4c/56/5c7084299bd2cacaa07ae63a91c6f4ba66edc08bf28f356b24f6b717c799/ruff-0.15.9-py3-none-win_amd64.whl", hash = "sha256:45a70921b80e1c10cf0b734ef09421f71b5aa11d27404edc89d7e8a69505e43d", size = 11744969, upload-time = "2026-04-02T18:16:59.611Z" }, + { url = "https://files.pythonhosted.org/packages/03/36/76704c4f312257d6dbaae3c959add2a622f63fcca9d864659ce6d8d97d3d/ruff-0.15.9-py3-none-win_arm64.whl", hash = "sha256:0694e601c028fd97dc5c6ee244675bc241aeefced7ef80cd9c6935a871078f53", size = 11005870, upload-time = "2026-04-02T18:17:15.773Z" }, ] [[package]] @@ -848,26 +848,26 @@ source = { git = "https://github.com/toon-format/toon-python.git#90861444e5bf7d6 [[package]] name = "ty" -version = "0.0.26" +version = "0.0.28" source = { registry = "https://pypi.org/simple" } -sdist = { url = "https://files.pythonhosted.org/packages/18/94/4879b81f8681117ccaf31544579304f6dc2ddcc0c67f872afb35869643a2/ty-0.0.26.tar.gz", hash = "sha256:0496b62405d62de7b954d6d677dc1cc5d3046197215d7a0a7fef37745d7b6d29", size = 5393643, upload-time = "2026-03-26T16:27:11.067Z" } +sdist = { url = "https://files.pythonhosted.org/packages/19/c2/a60543fb172ac7adaa3ae43b8db1d0dcd70aa67df254b70bf42f852a24f6/ty-0.0.28.tar.gz", hash = "sha256:1fbde7bc5d154d6f047b570d95665954fa83b75a0dce50d88cf081b40a27ea32", size = 5447781, upload-time = "2026-04-02T21:34:33.556Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/83/24/99fe33ecd7e16d23c53b0d4244778c6d1b6eb1663b091236dcba22882d67/ty-0.0.26-py3-none-linux_armv6l.whl", hash = "sha256:35beaa56cf59725fd59ab35d8445bbd40b97fe76db39b052b1fcb31f9bf8adf7", size = 10521856, upload-time = "2026-03-26T16:27:06.335Z" }, - { url = "https://files.pythonhosted.org/packages/55/97/1b5e939e2ff69b9bb279ab680bfa8f677d886309a1ac8d9588fd6ce58146/ty-0.0.26-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:487a0be58ab0eb02e31ba71eb6953812a0f88e50633469b0c0ce3fb795fe0fa1", size = 10320958, upload-time = "2026-03-26T16:27:13.849Z" }, - { url = "https://files.pythonhosted.org/packages/71/25/37081461e13d38a190e5646948d7bc42084f7bd1c6b44f12550be3923e7e/ty-0.0.26-py3-none-macosx_11_0_arm64.whl", hash = "sha256:a01b7de5693379646d423b68f119719a1338a20017ba48a93eefaff1ee56f97b", size = 9799905, upload-time = "2026-03-26T16:26:55.805Z" }, - { url = "https://files.pythonhosted.org/packages/a1/1c/295d8f55a7b0e037dfc3a5ec4bdda3ab3cbca6f492f725bf269f96a4d841/ty-0.0.26-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:628c3ee869d113dd2bd249925662fd39d9d0305a6cb38f640ddaa7436b74a1ef", size = 10317507, upload-time = "2026-03-26T16:27:31.887Z" }, - { url = "https://files.pythonhosted.org/packages/1d/62/48b3875c5d2f48fe017468d4bbdde1164c76a8184374f1d5e6162cf7d9b8/ty-0.0.26-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:63d04f35f5370cbc91c0b9675dc83e0c53678125a7b629c9c95769e86f123e65", size = 10319821, upload-time = "2026-03-26T16:27:29.647Z" }, - { url = "https://files.pythonhosted.org/packages/ff/28/cfb2d495046d5bf42d532325cea7412fa1189912d549dbfae417a24fd794/ty-0.0.26-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:4a53c4e6f6a91927f8b90e584a4b12bcde05b0c1870ddff8d17462168ad7947a", size = 10831757, upload-time = "2026-03-26T16:27:37.441Z" }, - { url = "https://files.pythonhosted.org/packages/26/bf/dbc3e42f448a2d862651de070b4108028c543ca18cab096b38d7de449915/ty-0.0.26-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:caf2ced0e58d898d5e3ba5cb843e0ebd377c8a461464748586049afbd9321f51", size = 11369556, upload-time = "2026-03-26T16:26:58.655Z" }, - { url = "https://files.pythonhosted.org/packages/92/4c/6d2f8f34bc6d502ab778c9345a4a936a72ae113de11329c1764bb1f204f6/ty-0.0.26-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:384807bbcb7d7ce9b97ee5aaa6417a8ae03ccfb426c52b08018ca62cf60f5430", size = 11085679, upload-time = "2026-03-26T16:27:21.746Z" }, - { url = "https://files.pythonhosted.org/packages/cc/f4/f3f61c203bc980dd9bba0ba7ed3c6e81ddfd36b286330f9487c2c7d041aa/ty-0.0.26-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:8a2c766a94d79b4f82995d41229702caf2d76e5c440ec7e543d05c70e98bf8ab", size = 10900581, upload-time = "2026-03-26T16:27:24.39Z" }, - { url = "https://files.pythonhosted.org/packages/3d/fd/3ca1b4e4bdd129829e9ce78677e0f8e0f1038a7702dccecfa52f037c6046/ty-0.0.26-py3-none-musllinux_1_2_aarch64.whl", hash = "sha256:f41ac45a0f8e3e8e181508d863a0a62156341db0f624ffd004b97ee550a9de80", size = 10294401, upload-time = "2026-03-26T16:27:03.999Z" }, - { url = "https://files.pythonhosted.org/packages/de/20/4ee3d8c3f90e008843795c765cb8bb245f188c23e5e5cc612c7697406fba/ty-0.0.26-py3-none-musllinux_1_2_armv7l.whl", hash = "sha256:73eb8327a34d529438dfe4db46796946c4e825167cbee434dc148569892e435f", size = 10351469, upload-time = "2026-03-26T16:27:19.003Z" }, - { url = "https://files.pythonhosted.org/packages/3d/b1/9fb154ade65906d4148f0b999c4a8257c2a34253cb72e15d84c1f04a064e/ty-0.0.26-py3-none-musllinux_1_2_i686.whl", hash = "sha256:4bb53a79259516535a1b55f613ba1619e9c666854946474ca8418c35a5c4fd60", size = 10529488, upload-time = "2026-03-26T16:27:01.378Z" }, - { url = "https://files.pythonhosted.org/packages/a5/70/9b02b03b1862e27b64143db65946d68b138160a5b6bfea193bee0b8bbc34/ty-0.0.26-py3-none-musllinux_1_2_x86_64.whl", hash = "sha256:2f0e75edc1aeb1b4b84af516c7891f631254a4ca3dcd15e848fa1e061e1fe9da", size = 10999015, upload-time = "2026-03-26T16:27:34.636Z" }, - { url = "https://files.pythonhosted.org/packages/21/16/0a56b8667296e2989b9d48095472d98ebf57a0006c71f2a101bbc62a142d/ty-0.0.26-py3-none-win32.whl", hash = "sha256:943c998c5523ed6b519c899c0c39b26b4c751a9759e460fb964765a44cde226f", size = 9912378, upload-time = "2026-03-26T16:27:08.999Z" }, - { url = "https://files.pythonhosted.org/packages/60/c2/fef0d4bba9cd89a82d725b3b1a66efb1b36629ecf0fb1d8e916cb75b8829/ty-0.0.26-py3-none-win_amd64.whl", hash = "sha256:19c856d343efeb1ecad8ee220848f5d2c424daf7b2feda357763ad3036e2172f", size = 10863737, upload-time = "2026-03-26T16:27:27.06Z" }, - { url = "https://files.pythonhosted.org/packages/4d/05/888ebcb3c4d3b6b72d5d3241fddd299142caa3c516e6d26a9cd887dfed3b/ty-0.0.26-py3-none-win_arm64.whl", hash = "sha256:2cde58ccffa046db1223dc28f3e7d4f2c7da8267e97cc5cd186af6fe85f1758a", size = 10285408, upload-time = "2026-03-26T16:27:16.432Z" }, + { url = "https://files.pythonhosted.org/packages/fe/15/c2aa3d4633e6153a2e300d7dd0ebdedf904a60241d1922566f31c5f7f211/ty-0.0.28-py3-none-linux_armv6l.whl", hash = "sha256:6dbfb27524195ab1715163d7be065cc45037509fe529d9763aff6732c919f0d8", size = 10556282, upload-time = "2026-04-02T21:35:04.165Z" }, + { url = "https://files.pythonhosted.org/packages/60/9c/f6183838df89e9692235a71a69a9d4e0f12481bbdf1883f47010075793b0/ty-0.0.28-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:8c72a899ba94f7438bd07e897a84b36526b385aaf01d6f3eb6504e869232b3a6", size = 10425770, upload-time = "2026-04-02T21:34:49.144Z" }, + { url = "https://files.pythonhosted.org/packages/68/82/e9208383412f8a320537ef4c44a768d2cb6c1330d9ab33087f0b932ccd1b/ty-0.0.28-py3-none-macosx_11_0_arm64.whl", hash = "sha256:eef67f9cdfd31677bde801b611741dde779271ec6f471f818c7c6eccf515237f", size = 9899999, upload-time = "2026-04-02T21:34:40.297Z" }, + { url = "https://files.pythonhosted.org/packages/4d/26/0442f49589ba393fbd3b50751f8bb82137b036bc509762884f7b21c511d1/ty-0.0.28-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:70e7b98a91d8245641be1e4b55af8bc9b1ae82ec189794d35e14e546f1e15e66", size = 10400725, upload-time = "2026-04-02T21:34:42.779Z" }, + { url = "https://files.pythonhosted.org/packages/57/d9/64128f1a7ceba72e49f35dd562533f44d4c56d0cf62efb21692377819dbc/ty-0.0.28-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:9bd83d4ad9f99078b830aabb47792fac6dc39368bb0f72f3cc14607173ed6e25", size = 10387410, upload-time = "2026-04-02T21:34:46.889Z" }, + { url = "https://files.pythonhosted.org/packages/cc/52/498b6bdd1d0a985fd14ce83c31186f3b838ad79efdf68ce928f441a6962b/ty-0.0.28-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:0172984fc2fcd3e47ccd5da69f36f632cddc410f9a093144a05ad07d67cf06ed", size = 10880982, upload-time = "2026-04-02T21:34:53.687Z" }, + { url = "https://files.pythonhosted.org/packages/f4/c8/fefd616f38a250b28f62ba73728cb6061715f03df0a610dce558a0fdfc0a/ty-0.0.28-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:e0bbf47d2bea82a09cab2ca4f48922d6c16a36608447acdc64163cd19beb28d3", size = 11459056, upload-time = "2026-04-02T21:34:31.642Z" }, + { url = "https://files.pythonhosted.org/packages/16/15/9e18d763a5ef9c6a69396876586589fd5e0fd0acba35fae8a9a169680f48/ty-0.0.28-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:1774c9a0fb071607e3bdfa0ce8365488ac46809fc04ad1706562a8709a023247", size = 11156341, upload-time = "2026-04-02T21:35:01.824Z" }, + { url = "https://files.pythonhosted.org/packages/89/29/8ac0281fc44c3297f0e58699ebf993c13621e32a0fab1025439d3ea8a2f1/ty-0.0.28-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:f2849d6d212af78175430e8cc51a962a53851458182eb44a981b0e3981163177", size = 11006089, upload-time = "2026-04-02T21:34:38.111Z" }, + { url = "https://files.pythonhosted.org/packages/dd/de/5b5fdbe3bdb5c6f4918b33f1c55cd975b3d606057089a822439d5151bf93/ty-0.0.28-py3-none-musllinux_1_2_aarch64.whl", hash = "sha256:3c576c15b867b3913c4a1d9be30ade4682303e24a576d2cc99bfd8f25ae838e9", size = 10367739, upload-time = "2026-04-02T21:34:57.679Z" }, + { url = "https://files.pythonhosted.org/packages/80/82/abdfb27ab988e6bd09502a4573f64a7e72db3e83acd7886af54448703c97/ty-0.0.28-py3-none-musllinux_1_2_armv7l.whl", hash = "sha256:2e5f13d10b3436bee3ea35851e5af400123f6693bfae48294ddfbbf553fa51ef", size = 10399528, upload-time = "2026-04-02T21:34:51.398Z" }, + { url = "https://files.pythonhosted.org/packages/ba/74/3ccbe468e8480ba53f83a1e52481d3e11756415f0ca1297fb2da65e29612/ty-0.0.28-py3-none-musllinux_1_2_i686.whl", hash = "sha256:759db467e399faedc7d5f1ca4b383dd8ecc71d7d79b2ca6ea6db4ac8e643378a", size = 10586771, upload-time = "2026-04-02T21:34:35.912Z" }, + { url = "https://files.pythonhosted.org/packages/ee/79/545c76dcef0c3f89fb733ec46118aed2a700e79d4e22cb142e3b5a80286c/ty-0.0.28-py3-none-musllinux_1_2_x86_64.whl", hash = "sha256:0cd44e3c857951cbf3f8647722ca87475614fac8ac0371eb1f200a942315a2c2", size = 11110550, upload-time = "2026-04-02T21:34:55.65Z" }, + { url = "https://files.pythonhosted.org/packages/2c/e4/e3c6f71c95a2cbabd7d88fd698b00b8af48e39aa10e0b10b839410fc3c6d/ty-0.0.28-py3-none-win32.whl", hash = "sha256:88e2c784ec5e0e2fb01b137d92fd595cdc27b98a553f4bb34b8bf138bac1be1e", size = 9985411, upload-time = "2026-04-02T21:34:44.763Z" }, + { url = "https://files.pythonhosted.org/packages/8c/e5/79dbab4856d3d15e5173314ff1846be65d58b31de6efe62ef1c25c663b32/ty-0.0.28-py3-none-win_amd64.whl", hash = "sha256:faaffbef127cb67560ad6dbc6a8f8845a4033b818bcc78ad7af923e02df199db", size = 10986548, upload-time = "2026-04-02T21:34:59.886Z" }, + { url = "https://files.pythonhosted.org/packages/01/b2/cc987aaf5babacc55caf0aeb751c83401e86e05e22ce82dace5a7e7e5354/ty-0.0.28-py3-none-win_arm64.whl", hash = "sha256:34a18ea09ee09612fb6555deccf1eed810e6f770b61a41243b494bcb7f624a1c", size = 10388573, upload-time = "2026-04-02T21:34:29.219Z" }, ] [[package]] @@ -917,28 +917,28 @@ wheels = [ [[package]] name = "uv" -version = "0.11.2" -source = { registry = "https://pypi.org/simple" } -sdist = { url = "https://files.pythonhosted.org/packages/ba/9e/65dfeeafe5644a2e0bdd9dfdd4bdc37c87b06067fdff4596eeba0bc0f2f5/uv-0.11.2.tar.gz", hash = "sha256:ef226af1d814466df45dc8a746c5220a951643d0832296a00c30ac3db95a3a4c", size = 4010086, upload-time = "2026-03-26T21:22:13.185Z" } -wheels = [ - { url = "https://files.pythonhosted.org/packages/29/6f/6469561a85b81d690ad63eac1135ce4d4f8269cb4fc92da20ff7efa5fa4f/uv-0.11.2-py3-none-linux_armv6l.whl", hash = "sha256:f27ca998085eb8dc095ff9d7568aa08d9ce7c0d2b74bd525da5cd2e5b7367b71", size = 23387567, upload-time = "2026-03-26T21:22:02.49Z" }, - { url = "https://files.pythonhosted.org/packages/27/2a/313b5de76e52cc75e38fd3e5f1644d6b16d4d4bdb9aaff8508ec955255ed/uv-0.11.2-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:00054a0041c25b3ec3d0f4f6221d3cbfda32e70f7d1c60bee36f1a9736f47b68", size = 22819340, upload-time = "2026-03-26T21:22:42.942Z" }, - { url = "https://files.pythonhosted.org/packages/3a/74/64ea01a48383748f0e1087e617fab0d88176f506fc47e3a18fb936a22a3d/uv-0.11.2-py3-none-macosx_11_0_arm64.whl", hash = "sha256:89972042233c90adf8b8150ec164444a4df41938739e5736773ac00870840887", size = 21425465, upload-time = "2026-03-26T21:22:05.232Z" }, - { url = "https://files.pythonhosted.org/packages/b6/85/d9d71a940e90d1ec130483a02d25711010609c613d245abd48ff14fdfd1d/uv-0.11.2-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.musllinux_1_1_aarch64.whl", hash = "sha256:e1f98621b3ffd5dd40bec12bd716e67aec552a7978c7753b709206d7a0e4f93f", size = 23140501, upload-time = "2026-03-26T21:22:31.896Z" }, - { url = "https://files.pythonhosted.org/packages/59/4d/c25126473337acf071b0d572ff94fb6444364641b3d311568028349c964d/uv-0.11.2-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.musllinux_1_1_armv7l.whl", hash = "sha256:66925ceb0e76826b5280937a93e31f0b093c9edfafbb52db7936595b1ef205b8", size = 23003445, upload-time = "2026-03-26T21:22:15.371Z" }, - { url = "https://files.pythonhosted.org/packages/5b/3e/1ef69d9fc88e04037ffebd5c41f70dadeb73021033ced57b2e186b23ac7c/uv-0.11.2-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:a10911b6a555d31beb835653cedc0bc491b656e964d30be8eb9186f1fe0ef88c", size = 22989489, upload-time = "2026-03-26T21:22:26.226Z" }, - { url = "https://files.pythonhosted.org/packages/a0/04/0398b4a5be0f3dd07be80d31275754338ae8857f78309b9776ab854d0a85/uv-0.11.2-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:2b8fa0a2ddc69c9ed373d72144b950ac2af81e3d95047c2d02564a8a03be538c", size = 24603289, upload-time = "2026-03-26T21:22:45.967Z" }, - { url = "https://files.pythonhosted.org/packages/e6/79/0388bbb629db283a883e4412d5f54cf62ec4b9f7bb6631781fbbb49c0792/uv-0.11.2-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:fbbd6e6e682b7f0bbdfff3348e580ea0fa58a07741e54cc8641b919bdf6f9128", size = 25218467, upload-time = "2026-03-26T21:22:20.701Z" }, - { url = "https://files.pythonhosted.org/packages/25/5c/725442191dee62e5b906576ed0ff432a1f2e3b38994c81e16156574e97ab/uv-0.11.2-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:8f9f3ac825561edec6494588d6aed7d3f4a08618b167eb256b4a9027b13304a6", size = 24418929, upload-time = "2026-03-26T21:22:23.446Z" }, - { url = "https://files.pythonhosted.org/packages/9f/6e/f49ca8ad037919e5d44a2070af3d369792be3419c594cfb92f4404ab7832/uv-0.11.2-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:be4bb136bbc8840ede58663e8ba5a9bbf3b5376f7f933f915df28d4078bb9095", size = 24586892, upload-time = "2026-03-26T21:22:18.044Z" }, - { url = "https://files.pythonhosted.org/packages/83/08/aff0a8098ac5946d195e67bf091d494f34c1009ea6e163d0c23e241527e1/uv-0.11.2-py3-none-manylinux_2_28_aarch64.whl", hash = "sha256:fea7efc97f9fcfb345e588c71fa56250c0db8c2bfd8d4e2cd4d21e1308c4e6ac", size = 23232598, upload-time = "2026-03-26T21:22:51.865Z" }, - { url = "https://files.pythonhosted.org/packages/1c/43/eced218d15f8ed58fbb081f0b826e4f016b501b50ec317ab6c331b60c15c/uv-0.11.2-py3-none-manylinux_2_31_riscv64.musllinux_1_1_riscv64.whl", hash = "sha256:b5529572ea7150311f5a17b5d09ef19781c2484932e14eed44a0c038f93ef722", size = 23998818, upload-time = "2026-03-26T21:22:49.097Z" }, - { url = "https://files.pythonhosted.org/packages/62/96/da68d159ba3f49a516796273463288b53d675675c5a0df71c14301ec4323/uv-0.11.2-py3-none-manylinux_2_31_riscv64.whl", hash = "sha256:0919096889e26d0edcbc731e95c4a4d1f47ef881fb46970cbf0800bf17d4840e", size = 24047673, upload-time = "2026-03-26T21:22:37.6Z" }, - { url = "https://files.pythonhosted.org/packages/62/be/db2400f4699717b4f34e036e7a1c54bc1f89c7c5b3303abc8d8a00664071/uv-0.11.2-py3-none-musllinux_1_1_i686.whl", hash = "sha256:7a05747eecca4534c284dbab213526468092317e8f6aec7a6c9f89ce3d1248d3", size = 23733334, upload-time = "2026-03-26T21:22:40.247Z" }, - { url = "https://files.pythonhosted.org/packages/29/27/4045960075f4898a44f092625e9f08ee8af4229be7df6ad487d58aa7d51e/uv-0.11.2-py3-none-musllinux_1_1_x86_64.whl", hash = "sha256:00cbf1829e158b053b0bdc675d9f9c13700b29be90a9bad966cc9b586c01265b", size = 24790898, upload-time = "2026-03-26T21:22:07.812Z" }, - { url = "https://files.pythonhosted.org/packages/e4/9d/7470f39bf72683f1908e7ba70f5379f14e4984c8e6a65f7563f3dfb19f13/uv-0.11.2-py3-none-win32.whl", hash = "sha256:a1b8a39b17cf9e3183a35a44dffa103c91c412f003569a210883ffb537c2c65d", size = 22516649, upload-time = "2026-03-26T21:22:34.806Z" }, - { url = "https://files.pythonhosted.org/packages/f6/a3/c88fa454a7c07785ce63e96b6c1c7b24b5abcb3a6afbc6ad8b29b9bc1a1d/uv-0.11.2-py3-none-win_amd64.whl", hash = "sha256:d4dbcecf6daca8605f46fba232f49e9b49d06ebe3b9cba5e59e608c5be03890e", size = 24989876, upload-time = "2026-03-26T21:22:28.917Z" }, - { url = "https://files.pythonhosted.org/packages/a2/50/fae409a028d87db02ffbf3a3b5ac39980fbeb3d9a0356f49943722b2cabb/uv-0.11.2-py3-none-win_arm64.whl", hash = "sha256:e5b8570e88af5073ce5aa5df4866484e69035a6e66caab8a5c51a988a989a467", size = 23450736, upload-time = "2026-03-26T21:22:10.838Z" }, +version = "0.11.3" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/88/ed/f11c558e8d2e02fba6057dacd9e92a71557359a80bd5355452310b89f40f/uv-0.11.3.tar.gz", hash = "sha256:6a6fcaf1fec28bbbdf0dfc5a0a6e34be4cea08c6287334b08c24cf187300f20d", size = 4027684, upload-time = "2026-04-01T21:47:22.096Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/cb/93/4f04c49fd6046a18293de341d795ded3b9cbd95db261d687e26db0f11d1e/uv-0.11.3-py3-none-linux_armv6l.whl", hash = "sha256:deb533e780e8181e0859c68c84f546620072cd1bd827b38058cb86ebfba9bb7d", size = 23337334, upload-time = "2026-04-01T21:46:47.545Z" }, + { url = "https://files.pythonhosted.org/packages/7a/4b/c44fd3fbc80ac2f81e2ad025d235c820aac95b228076da85be3f5d509781/uv-0.11.3-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:d2b3b0fa1693880ca354755c216ae1c65dd938a4f1a24374d0c3f4b9538e0ee6", size = 22940169, upload-time = "2026-04-01T21:47:32.72Z" }, + { url = "https://files.pythonhosted.org/packages/ba/c7/7d01be259a47d42fa9e80adcb7a829d81e7c376aa8fa1b714f31d7dfc226/uv-0.11.3-py3-none-macosx_11_0_arm64.whl", hash = "sha256:71f5d0b9e73daa5d8a7e2db3fa2e22a4537d24bb4fe78130db797280280d4edc", size = 21473579, upload-time = "2026-04-01T21:47:25.063Z" }, + { url = "https://files.pythonhosted.org/packages/9a/71/fffcd890290a4639a3799cf3f3e87947c10d1b0de19eba3cf837cb418dd8/uv-0.11.3-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.musllinux_1_1_aarch64.whl", hash = "sha256:55ba578752f29a3f2b22879b22a162edad1454e3216f3ca4694fdbd4093a6822", size = 23132691, upload-time = "2026-04-01T21:47:44.587Z" }, + { url = "https://files.pythonhosted.org/packages/d1/7b/1ac9e1f753a19b6252434f0bbe96efdcc335cd74677f4c6f431a7c916114/uv-0.11.3-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.musllinux_1_1_armv7l.whl", hash = "sha256:3b1fe09d5e1d8e19459cd28d7825a3b66ef147b98328345bad6e17b87c4fea48", size = 22955764, upload-time = "2026-04-01T21:46:51.721Z" }, + { url = "https://files.pythonhosted.org/packages/ff/51/1a6010a681a3c3e0a8ec99737ba2d0452194dc372a5349a9267873261c02/uv-0.11.3-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:088165b9eed981d2c2a58566cc75dd052d613e47c65e2416842d07308f793a6f", size = 22966245, upload-time = "2026-04-01T21:47:07.403Z" }, + { url = "https://files.pythonhosted.org/packages/38/74/1a1b0712daead7e85f56d620afe96fe166a04b615524c14027b4edd39b82/uv-0.11.3-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:ef0ae8ee2988928092616401ec7f473612b8e9589fe1567452c45dbc56840f85", size = 24623370, upload-time = "2026-04-01T21:47:03.59Z" }, + { url = "https://files.pythonhosted.org/packages/b6/62/5c3aa5e7bd2744810e50ad72a5951386ec84a513e109b1b5cb7ec442f3b6/uv-0.11.3-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:6708827ecb846d00c5512a7e4dc751c2e27b92e9bd55a0be390561ac68930c32", size = 25142735, upload-time = "2026-04-01T21:46:55.756Z" }, + { url = "https://files.pythonhosted.org/packages/88/ab/6266a04980e0877af5518762adfe23a0c1ab0b801ae3099a2e7b74e34411/uv-0.11.3-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:8df030ea7563e99c09854e1bc82ab743dfa2d0ba18976e6861979cb40d04dba7", size = 24512083, upload-time = "2026-04-01T21:46:43.531Z" }, + { url = "https://files.pythonhosted.org/packages/4e/be/7c66d350f833eb437f9aa0875655cc05e07b441e3f4a770f8bced56133f7/uv-0.11.3-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:0fde893b5ab9f6997fe357138e794bac09d144328052519fbbe2e6f72145e457", size = 24589293, upload-time = "2026-04-01T21:47:11.379Z" }, + { url = "https://files.pythonhosted.org/packages/18/4f/22ada41564a8c8c36653fc86f89faae4c54a4cdd5817bda53764a3eb352d/uv-0.11.3-py3-none-manylinux_2_28_aarch64.whl", hash = "sha256:45006bcd9e8718248a23ab81448a5beb46a72a9dd508e3212d6f3b8c63aeb88a", size = 23214854, upload-time = "2026-04-01T21:46:59.491Z" }, + { url = "https://files.pythonhosted.org/packages/aa/18/8669840657fea9fd668739dec89643afe1061c023c1488228b02f79a2399/uv-0.11.3-py3-none-manylinux_2_31_riscv64.musllinux_1_1_riscv64.whl", hash = "sha256:089b9d338a64463956b6fee456f03f73c9a916479bdb29009600781dc1e1d2a7", size = 23914434, upload-time = "2026-04-01T21:47:29.164Z" }, + { url = "https://files.pythonhosted.org/packages/08/0d/c59f24b3a1ae5f377aa6fd9653562a0968ea6be946fe35761871a0072919/uv-0.11.3-py3-none-manylinux_2_31_riscv64.whl", hash = "sha256:3ff461335888336467402cc5cb792c911df95dd0b52e369182cfa4c902bb21f4", size = 23971481, upload-time = "2026-04-01T21:47:48.551Z" }, + { url = "https://files.pythonhosted.org/packages/66/7d/f83ed79921310ef216ed6d73fcd3822dff4b66749054fb97e09b7bd5901e/uv-0.11.3-py3-none-musllinux_1_1_i686.whl", hash = "sha256:a62e29277efd39c35caf4a0fe739c4ebeb14d4ce4f02271f3f74271d608061ff", size = 23784797, upload-time = "2026-04-01T21:47:40.588Z" }, + { url = "https://files.pythonhosted.org/packages/35/19/3ff3539c44ca7dc2aa87b021d4a153ba6a72866daa19bf91c289e4318f95/uv-0.11.3-py3-none-musllinux_1_1_x86_64.whl", hash = "sha256:ebccdcdebd2b288925f0f7c18c39705dc783175952eacaf94912b01d3b381b86", size = 24794606, upload-time = "2026-04-01T21:47:36.814Z" }, + { url = "https://files.pythonhosted.org/packages/79/e5/e676454bb7cc5dcf5c4637ed3ef0ff97309d84a149b832a4dea53f04c0ab/uv-0.11.3-py3-none-win32.whl", hash = "sha256:794aae3bab141eafbe37c51dc5dd0139658a755a6fa9cc74d2dbd7c71dcc4826", size = 22573432, upload-time = "2026-04-01T21:47:15.143Z" }, + { url = "https://files.pythonhosted.org/packages/ff/a0/95d22d524bd3b4708043d65035f02fc9656e5fb6e0aaef73510313b1641b/uv-0.11.3-py3-none-win_amd64.whl", hash = "sha256:68fda574f2e5e7536a2b747dcea88329a71aad7222317e8f4717d0af8f99fbd4", size = 24969508, upload-time = "2026-04-01T21:47:19.515Z" }, + { url = "https://files.pythonhosted.org/packages/f8/6d/3f0b90a06e8c4594e11f813651756d6896de6dd4461f554fd7e4984a1c4f/uv-0.11.3-py3-none-win_arm64.whl", hash = "sha256:92ffc4d521ab2c4738ef05d8ef26f2750e26d31f3ad5611cdfefc52445be9ace", size = 23488911, upload-time = "2026-04-01T21:47:52.427Z" }, ] [[package]] From 37f03ab93b36ffe8deea7cc0b9b9df9ad101f304 Mon Sep 17 00:00:00 2001 From: talshapir Date: Sun, 5 Apr 2026 13:42:09 +0300 Subject: [PATCH 03/26] Update action product categories descriptions --- .../integrations/action/ai/metadata.py | 11 ++- .../action/ai/product_categories.py | 84 ++++++++++++------- .../integrations/action/metadata.py | 29 ++++--- 3 files changed, 82 insertions(+), 42 deletions(-) diff --git a/packages/mp/src/mp/core/data_models/integrations/action/ai/metadata.py b/packages/mp/src/mp/core/data_models/integrations/action/ai/metadata.py index 90117e9de..d896edac4 100644 --- a/packages/mp/src/mp/core/data_models/integrations/action/ai/metadata.py +++ b/packages/mp/src/mp/core/data_models/integrations/action/ai/metadata.py @@ -79,4 +79,13 @@ class ActionAiMetadata(BaseModel): ), ), ] - product_categories: ActionProductCategories + product_categories: Annotated[ + ActionProductCategories, + Field( + description=( + "Categories that describe the action's capabilities in its security product." + " It shows the category and explains the expected outcome of such" + " action." + ) + ), + ] diff --git a/packages/mp/src/mp/core/data_models/integrations/action/ai/product_categories.py b/packages/mp/src/mp/core/data_models/integrations/action/ai/product_categories.py index dd9bb8687..d8cfca923 100644 --- a/packages/mp/src/mp/core/data_models/integrations/action/ai/product_categories.py +++ b/packages/mp/src/mp/core/data_models/integrations/action/ai/product_categories.py @@ -14,12 +14,11 @@ from __future__ import annotations +import enum from typing import Annotated from pydantic import BaseModel, Field -from mp.core.data_models.abc import RepresentableEnum - class ActionProductCategories(BaseModel): enrich_ioc: Annotated[ @@ -27,7 +26,8 @@ class ActionProductCategories(BaseModel): Field( title="Enrich IOC (hash, filename, IP, domain, URL, CVE, Threat Actor, Campaign)", description=( - "Returns reputation, prevalence, and threat intelligence" + "Expected Outcome:" + " Returns reputation, prevalence, and threat intelligence" " (e.g., malware family, attribution) for the indicator." ), ), @@ -37,7 +37,8 @@ class ActionProductCategories(BaseModel): Field( title="Enrich Asset (hostname, user or internal resource)", description=( - "Returns contextual metadata (e.g., OS version, owner, department, MAC address)" + "Expected Outcome:" + " Returns contextual metadata (e.g., OS version, owner, department, MAC address)" " for a user or resource." ), ), @@ -47,7 +48,9 @@ class ActionProductCategories(BaseModel): Field( title="Update Alert", description=( - "Changes the status, severity, or assignee of the alert within the SecOps platform." + "Expected Outcome:" + " Changes the status, severity, or assignee of the alert within the SecOps" + " platform." ), ), ] = False @@ -56,7 +59,8 @@ class ActionProductCategories(BaseModel): Field( title="Add Alert Comment", description=( - "Appends analyst notes or automated log entries to the alert's activity timeline." + "Expected Outcome:" + " Appends analyst notes or automated log entries to the alert's activity timeline." ), ), ] = False @@ -65,7 +69,8 @@ class ActionProductCategories(BaseModel): Field( title="Create Ticket", description=( - "Generates a new record in an external ITSM (e.g., Jira, ServiceNow) and returns" + "Expected Outcome:" + " Generates a new record in an external ITSM (e.g., Jira, ServiceNow) and returns" " the Ticket ID." ), ), @@ -75,7 +80,8 @@ class ActionProductCategories(BaseModel): Field( title="Update Ticket", description=( - "Synchronizes status, priority, or field changes from SecOps to the external" + "Expected Outcome:" + " Synchronizes status, priority, or field changes from SecOps to the external" " ticketing system." ), ), @@ -85,8 +91,9 @@ class ActionProductCategories(BaseModel): Field( title="Add IOC To Blocklist", description=( - "Updates security controls (Firewall, EDR, Proxy) to prevent any future interaction" - " with the IOC." + "Expected Outcome:" + " Updates security controls (Firewall, EDR, Proxy) to prevent any future" + " interaction with the IOC." ), ), ] = False @@ -95,7 +102,8 @@ class ActionProductCategories(BaseModel): Field( title="Remove IOC From Blocklist", description=( - "Restores connectivity or execution rights for an indicator by removing it from" + "Expected Outcome:" + " Restores connectivity or execution rights for an indicator by removing it from" " restricted lists." ), ), @@ -105,7 +113,8 @@ class ActionProductCategories(BaseModel): Field( title="Add IOC To Allowlist", description=( - 'Marks an indicator as "known good" to prevent future security alerts or false' + "Expected Outcome:" + ' Marks an indicator as "known good" to prevent future security alerts or false' " positives." ), ), @@ -115,7 +124,8 @@ class ActionProductCategories(BaseModel): Field( title="Remove IOC From Allowlist", description=( - "Re-enables standard security monitoring and blocking for a previously trusted" + "Expected Outcome:" + " Re-enables standard security monitoring and blocking for a previously trusted" " indicator." ), ), @@ -125,8 +135,9 @@ class ActionProductCategories(BaseModel): Field( title="Disable Identity (User, Account)", description=( - "Revokes active sessions and prevents a user or service account from authenticating" - " to the network." + "Expected Outcome:" + " Revokes active sessions and prevents a user or service account from" + " authenticating to the network." ), ), ] = False @@ -135,7 +146,8 @@ class ActionProductCategories(BaseModel): Field( title="Enable Identity (User, Account)", description=( - "Restores authentication capabilities and system access for a previously disabled" + "Expected Outcome:" + " Restores authentication capabilities and system access for a previously disabled" " account." ), ), @@ -145,7 +157,8 @@ class ActionProductCategories(BaseModel): Field( title="Contain Host", description=( - "Isolates an endpoint from the network via EDR, allowing communication only with" + "Expected Outcome:" + " Isolates an endpoint from the network via EDR, allowing communication only with" " the management console." ), ), @@ -155,7 +168,8 @@ class ActionProductCategories(BaseModel): Field( title="Uncontain Host", description=( - "Removes network isolation and restores the endpoint's full communication" + "Expected Outcome:" + " Removes network isolation and restores the endpoint's full communication" " capabilities." ), ), @@ -165,7 +179,8 @@ class ActionProductCategories(BaseModel): Field( title="Reset Identity Password (User, Account)", description=( - "Invalidates the current credentials and triggers a password change or temporary" + "Expected Outcome:" + " Invalidates the current credentials and triggers a password change or temporary" " password generation." ), ), @@ -175,7 +190,8 @@ class ActionProductCategories(BaseModel): Field( title="Update Identity (User, Account)", description=( - "Modifies account metadata, such as group memberships, permissions, or contact" + "Expected Outcome:" + " Modifies account metadata, such as group memberships, permissions, or contact" " information." ), ), @@ -185,8 +201,9 @@ class ActionProductCategories(BaseModel): Field( title="Search Events", description=( - "Returns a collection of historical logs or telemetry data matching specific search" - " parameters." + "Expected Outcome:" + " Returns a collection of historical logs or telemetry data matching specific" + " search parameters." ), ), ] = False @@ -195,7 +212,8 @@ class ActionProductCategories(BaseModel): Field( title="Execute Command on the Host", description=( - "Runs a script or system command on a remote endpoint and returns the standard" + "Expected Outcome:" + " Runs a script or system command on a remote endpoint and returns the standard" " output (STDOUT)." ), ), @@ -205,7 +223,8 @@ class ActionProductCategories(BaseModel): Field( title="Download File", description=( - "Retrieves a specific file from a remote host for local forensic analysis" + "Expected Outcome:" + " Retrieves a specific file from a remote host for local forensic analysis" " or sandboxing." ), ), @@ -215,7 +234,8 @@ class ActionProductCategories(BaseModel): Field( title="Send Email", description=( - "Dispatches an outbound email notification or response to specified recipients." + "Expected Outcome:" + " Dispatches an outbound email notification or response to specified recipients." ), ), ] = False @@ -224,7 +244,8 @@ class ActionProductCategories(BaseModel): Field( title="Search Email", description=( - "Identifies and lists emails across the mail server based on criteria like sender," + "Expected Outcome:" + " Identifies and lists emails across the mail server based on criteria like sender," " subject, or attachment." ), ), @@ -234,7 +255,8 @@ class ActionProductCategories(BaseModel): Field( title="Delete Email", description=( - "Removes a specific email or thread from one or more user mailboxes" + "Expected Outcome:" + " Removes a specific email or thread from one or more user mailboxes" " (Purge/Withdraw)." ), ), @@ -244,7 +266,8 @@ class ActionProductCategories(BaseModel): Field( title="Update Email", description=( - "Modifies the state of an email, such as moving it to quarantine, marking as read," + "Expected Outcome:" + " Modifies the state of an email, such as moving it to quarantine, marking as read," " or applying labels." ), ), @@ -254,14 +277,15 @@ class ActionProductCategories(BaseModel): Field( title="Submit File", description=( - "Uploads a file or sample to a sandbox or analysis engine" + "Expected Outcome:" + " Uploads a file or sample to a sandbox or analysis engine" " (e.g., VirusTotal, Joe Sandbox) and returns a behavior report or threat score." ), ), ] = False -class ActionProductCategory(RepresentableEnum): +class ActionProductCategory(enum.StrEnum): ENRICH_IOC = "Enrich IOC (Indicator of Compromise)" ENRICH_ASSET = "Enrich Asset" UPDATE_ALERT = "Update Alert" diff --git a/packages/mp/src/mp/core/data_models/integrations/action/metadata.py b/packages/mp/src/mp/core/data_models/integrations/action/metadata.py index 80afe18ae..16952582f 100644 --- a/packages/mp/src/mp/core/data_models/integrations/action/metadata.py +++ b/packages/mp/src/mp/core/data_models/integrations/action/metadata.py @@ -18,7 +18,6 @@ from typing import Annotated, Any, NamedTuple, NotRequired, Self, TypedDict, cast import pydantic -import yaml from PIL.GifImagePlugin import TYPE_CHECKING import mp.core.constants @@ -58,7 +57,7 @@ class AiFields(NamedTuple): description: str | None ai_categories: list[ActionAiCategory] entity_types: list[EntityType] - action_categories: list[ActionProductCategory] + product_categories: list[ActionProductCategory] class BuiltActionMetadata(TypedDict): @@ -79,7 +78,7 @@ class BuiltActionMetadata(TypedDict): AIDescription: str | None AICategories: NotRequired[list[str] | None] EntityTypes: NotRequired[list[str] | None] - ActionCategories: NotRequired[list[str] | None] + ActionProductCategories: NotRequired[list[str] | None] class NonBuiltActionMetadata(TypedDict): @@ -100,7 +99,7 @@ class NonBuiltActionMetadata(TypedDict): ai_description: NotRequired[str | None] ai_categories: NotRequired[list[str]] entity_types: NotRequired[list[str]] - action_categories: NotRequired[list[str]] + action_product_categories: NotRequired[list[str]] class ActionMetadata(ComponentMetadata[BuiltActionMetadata, NonBuiltActionMetadata]): @@ -194,10 +193,7 @@ def from_non_built_path(cls, path: Path) -> list[Self]: action_metadata_json["dynamic_results_metadata"] = drms_with_json_contents ai_fields: AiFields = _get_ai_fields(action_metadata_json["name"], path) - action_metadata_json["ai_description"] = ai_fields.description - action_metadata_json["ai_categories"] = [c.value for c in ai_fields.ai_categories] - action_metadata_json["entity_types"] = [t.value for t in ai_fields.entity_types] - action_metadata_json["action_categories"] = [t.value for t in ai_fields.entity_types] + _update_non_built_with_ai_fields(action_metadata_json, ai_fields) metadata_object: Self = cls.from_non_built(p.stem, action_metadata_json) metadata_objects.append(metadata_object) @@ -313,6 +309,7 @@ def to_built(self) -> BuiltActionMetadata: AIDescription=self.ai_description, AICategories=[c.value for c in self.ai_categories] or None, EntityTypes=[e.value for e in self.entity_types] or None, + ActionProductCategories=[c.value for c in self.action_categories] or None, ) mp.core.utils.remove_none_entries_from_mapping(built) return built @@ -390,10 +387,11 @@ def _load_json_examples( def _get_ai_fields(action_name: str, integration_path: Path) -> AiFields: empty_results: AiFields = AiFields( - description=None, ai_categories=[], entity_types=[], action_categories=[] + description=None, ai_categories=[], entity_types=[], product_categories=[] ) if not integration_path.exists(): return empty_results + actions_desc: Path = ( integration_path / mp.core.constants.RESOURCES_DIR @@ -403,7 +401,7 @@ def _get_ai_fields(action_name: str, integration_path: Path) -> AiFields: if not actions_desc.exists(): return empty_results - content: dict[str, Any] = yaml.safe_load(actions_desc.read_text(encoding="utf-8")) + content: dict[str, Any] = mp.core.file_utils.load_yaml_file(actions_desc) action_content: dict[str, Any] | None = content.get(action_name) if action_content is None: return empty_results @@ -417,9 +415,18 @@ def _get_ai_fields(action_name: str, integration_path: Path) -> AiFields: if is_true ], entity_types=ai_meta.entity_usage.entity_types, - action_categories=[ + product_categories=[ PRODUCT_CATEGORY_TO_DEF_PRODUCT_CATEGORY[category] for category, is_true in ai_meta.product_categories.model_dump().items() if is_true ], ) + + +def _update_non_built_with_ai_fields( + non_built: NonBuiltActionMetadata, ai_fields: AiFields +) -> None: + non_built["ai_description"] = ai_fields.description + non_built["ai_categories"] = [c.value for c in ai_fields.ai_categories] + non_built["entity_types"] = [t.value for t in ai_fields.entity_types] + non_built["action_product_categories"] = [c.value for c in ai_fields.product_categories] From 29b8616605baf0e9a29781e3d6e7239d91086252 Mon Sep 17 00:00:00 2001 From: talshapir Date: Sun, 5 Apr 2026 14:39:56 +0300 Subject: [PATCH 04/26] mp improvements --- packages/mp/src/mp/core/data_models/abc.py | 71 +++++++------------ .../file_utils/integrations/file_utils.py | 25 ++++++- 2 files changed, 47 insertions(+), 49 deletions(-) diff --git a/packages/mp/src/mp/core/data_models/abc.py b/packages/mp/src/mp/core/data_models/abc.py index 1f2794bb2..cee9f6124 100644 --- a/packages/mp/src/mp/core/data_models/abc.py +++ b/packages/mp/src/mp/core/data_models/abc.py @@ -16,13 +16,15 @@ import abc import enum -import json from collections.abc import Mapping from typing import TYPE_CHECKING, Any, Generic, Self, TypeVar import pydantic import yaml +import mp.core.file_utils +from mp.core.utils.common.utils import trim_values + if TYPE_CHECKING: from pathlib import Path @@ -123,8 +125,6 @@ def from_built(cls, built: _BT) -> T_Buildable: ValueError: when the built object failed to be loaded """ - from mp.core.utils.common.utils import trim_values # noqa: PLC0415 - try: metadata: T_Buildable = cls._from_built(built) except (KeyError, ValueError) as e: @@ -147,8 +147,6 @@ def from_non_built(cls, non_built: _NBT) -> T_Buildable: ValueError: when the non-built object failed to be loaded """ - from mp.core.utils.common.utils import trim_values # noqa: PLC0415 - try: metadata: T_Buildable = cls._from_non_built(non_built) except (KeyError, ValueError) as e: @@ -222,8 +220,6 @@ def from_built(cls, file_name: str, built: _BT) -> T_BuildableComponent: ValueError: when the built object failed to be loaded """ - from mp.core.utils.common.utils import trim_values # noqa: PLC0415 - try: metadata: T_BuildableComponent = cls._from_built(file_name, built) except (KeyError, ValueError) as e: @@ -247,8 +243,6 @@ def from_non_built(cls, file_name: str, non_built: _NBT) -> T_BuildableComponent ValueError: when the non-built object failed to be loaded """ - from mp.core.utils.common.utils import trim_values # noqa: PLC0415 - try: metadata: T_BuildableComponent = cls._from_non_built(file_name, non_built) except (KeyError, ValueError) as e: @@ -306,15 +300,12 @@ def _from_built_path(cls, metadata_path: Path) -> T_SingularComponentMetadata: ValueError: when the built JSON failed to be loaded """ - from mp.core.utils.common.utils import trim_values # noqa: PLC0415 - - built_content: str = metadata_path.read_text(encoding="utf-8") try: - metadata_json: _BT = json.loads(built_content) + metadata_json: _BT = mp.core.file_utils.load_json_file(metadata_path) built: T_SingularComponentMetadata = cls.from_built(metadata_path.stem, metadata_json) - except (ValueError, json.JSONDecodeError) as e: - msg: str = f"Failed to load json from {metadata_path}\n{built_content}" - raise ValueError(trim_values(msg)) from e + except ValueError as e: + msg: str = f"Failed to load json from {metadata_path}" + raise ValueError(msg) from e else: return built @@ -332,15 +323,12 @@ def _from_non_built_path(cls, metadata_path: Path) -> T_SingularComponentMetadat ValueError: when the non-built YAML failed to be loaded """ - from mp.core.utils.common.utils import trim_values # noqa: PLC0415 - - non_built_content: str = metadata_path.read_text(encoding="utf-8") try: - metadata_json: _NBT = yaml.safe_load(non_built_content) + metadata_json: _NBT = mp.core.file_utils.load_yaml_file(metadata_path) non_built: Self = cls.from_non_built(metadata_path.stem, metadata_json) - except (ValueError, yaml.YAMLError) as e: - msg: str = f"Failed to load yaml from {metadata_path}\n{non_built_content}" - raise ValueError(trim_values(msg)) from e + except ValueError as e: + msg: str = f"Failed to load yaml from {metadata_path}" + raise ValueError(msg) from e else: return non_built @@ -393,15 +381,12 @@ def _from_built_path(cls, metadata_path: Path) -> T_ComponentMetadata: ValueError: when the built JSON failed to be loaded """ - from mp.core.utils.common.utils import trim_values # noqa: PLC0415 - - built_content: str = metadata_path.read_text(encoding="utf-8") try: - metadata_json: _BT = json.loads(built_content) + metadata_json: _BT = mp.core.file_utils.load_json_file(metadata_path) built: T_ComponentMetadata = cls.from_built(metadata_path.stem, metadata_json) - except (ValueError, json.JSONDecodeError) as e: - msg: str = f"Failed to load json from {metadata_path}\n{built_content}" - raise ValueError(trim_values(msg)) from e + except ValueError as e: + msg: str = f"Failed to load json from {metadata_path}" + raise ValueError(msg) from e else: return built @@ -419,15 +404,12 @@ def _from_non_built_path(cls, metadata_path: Path) -> T_ComponentMetadata: ValueError: when the non-built YAML failed to be loaded """ - from mp.core.utils.common.utils import trim_values # noqa: PLC0415 - - non_built_content: str = metadata_path.read_text(encoding="utf-8") try: - metadata_json: _NBT = yaml.safe_load(non_built_content) + metadata_json: _NBT = mp.core.file_utils.load_yaml_file(metadata_path) non_built: Self = cls.from_non_built(metadata_path.stem, metadata_json) - except (ValueError, yaml.YAMLError) as e: - msg: str = f"Failed to load yaml from {metadata_path}\n{non_built_content}" - raise ValueError(trim_values(msg)) from e + except ValueError as e: + msg: str = f"Failed to load yaml from {metadata_path}" + raise ValueError(msg) from e else: return non_built @@ -481,15 +463,12 @@ def _from_built_path(cls, meta_path: Path) -> list[T_SequentialMetadata]: ValueError: when the built JSON failed to be loaded """ - from mp.core.utils.common.utils import trim_values # noqa: PLC0415 - - built: str = meta_path.read_text(encoding="utf-8") try: - content: list[_BT] = json.loads(built) + content: list[_BT] = mp.core.file_utils.load_json_file(meta_path) results: list[T_SequentialMetadata] = [cls.from_built(c) for c in content] - except (ValueError, json.JSONDecodeError) as e: - msg: str = f"Failed to load json from {meta_path}\n{built}" - raise ValueError(trim_values(msg)) from e + except ValueError as e: + msg: str = f"Failed to load json from {meta_path}" + raise ValueError(msg) from e else: return results @@ -521,13 +500,11 @@ def from_non_built_str(cls, raw_text: str) -> list[T_SequentialMetadata]: ValueError: when the built JSON failed to be loaded """ - from mp.core.utils.common.utils import trim_values # noqa: PLC0415 - try: content: list[_NBT] = yaml.safe_load(raw_text) results: list[T_SequentialMetadata] = [cls.from_non_built(c) for c in content] except (ValueError, yaml.YAMLError) as e: msg: str = "Failed to load yaml." - raise ValueError(trim_values(msg)) from e + raise ValueError(msg) from e else: return results diff --git a/packages/mp/src/mp/core/file_utils/integrations/file_utils.py b/packages/mp/src/mp/core/file_utils/integrations/file_utils.py index 1228ea1bb..906fc686b 100644 --- a/packages/mp/src/mp/core/file_utils/integrations/file_utils.py +++ b/packages/mp/src/mp/core/file_utils/integrations/file_utils.py @@ -459,7 +459,7 @@ def write_str_to_json_file(json_path: Path, json_content: JsonString) -> None: json.dump(json_content, f_json, indent=4) -def load_yaml_file(path: Path) -> dict[str, Any]: +def load_yaml_file(path: Path) -> Any: # noqa: ANN401 """Read a file and loads its content as YAML. Returns: @@ -470,7 +470,7 @@ def load_yaml_file(path: Path) -> dict[str, Any]: """ try: - content = path.read_text(encoding="utf-8") + content: str = path.read_text(encoding="utf-8") return yaml.safe_load(content) except yaml.YAMLError as e: msg = f"Failed to load or parse YAML from file: {path}" @@ -478,3 +478,24 @@ def load_yaml_file(path: Path) -> dict[str, Any]: except FileNotFoundError as e: msg = f"File {path} does not exist" raise ValueError(msg) from e + + +def load_json_file(path: Path) -> Any: # noqa: ANN401 + """Read a file and loads its content as JSON. + + Returns: + The decoded JSON content of the JSON file if it exists. + + Raises: + ValueError: If the file doesn't exist or is an invalid JSON. + + """ + try: + content: str = path.read_text(encoding="utf-8") + return json.loads(content) + except json.JSONDecodeError as e: + msg = f"Failed to load or parse JSON from file: {path}" + raise ValueError(msg) from e + except FileNotFoundError as e: + msg = f"File {path} does not exist" + raise ValueError(msg) from e From cacde3b0a39ef6b050c6304b2207b1f11d79b3d0 Mon Sep 17 00:00:00 2001 From: talshapir Date: Sun, 5 Apr 2026 14:40:20 +0300 Subject: [PATCH 05/26] Add new field for integrations - product categories --- packages/mp/src/mp/core/constants.py | 1 + .../integration_meta/ai/__init__.py | 13 ++ .../integration_meta/ai/metadata.py | 34 +++ .../integration_meta/ai/product_categories.py | 201 ++++++++++++++++++ .../integrations/integration_meta/metadata.py | 85 ++++++-- .../src/mp/describe/integration/__init__.py | 13 ++ 6 files changed, 330 insertions(+), 17 deletions(-) create mode 100644 packages/mp/src/mp/core/data_models/integrations/integration_meta/ai/__init__.py create mode 100644 packages/mp/src/mp/core/data_models/integrations/integration_meta/ai/metadata.py create mode 100644 packages/mp/src/mp/core/data_models/integrations/integration_meta/ai/product_categories.py diff --git a/packages/mp/src/mp/core/constants.py b/packages/mp/src/mp/core/constants.py index 3e270f47e..e2864ec0b 100644 --- a/packages/mp/src/mp/core/constants.py +++ b/packages/mp/src/mp/core/constants.py @@ -84,6 +84,7 @@ AI_DIR: str = "ai" ACTIONS_AI_DESCRIPTION_FILE: str = "actions_ai_description.yaml" +INTEGRATIONS_AI_DESCRIPTION_FILE: str = "integrations_ai_description.yaml" ACTIONS_META_SUFFIX: str = ".actiondef" CONNECTORS_META_SUFFIX: str = ".connectordef" diff --git a/packages/mp/src/mp/core/data_models/integrations/integration_meta/ai/__init__.py b/packages/mp/src/mp/core/data_models/integrations/integration_meta/ai/__init__.py new file mode 100644 index 000000000..0a2669d7a --- /dev/null +++ b/packages/mp/src/mp/core/data_models/integrations/integration_meta/ai/__init__.py @@ -0,0 +1,13 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. diff --git a/packages/mp/src/mp/core/data_models/integrations/integration_meta/ai/metadata.py b/packages/mp/src/mp/core/data_models/integrations/integration_meta/ai/metadata.py new file mode 100644 index 000000000..a9618f656 --- /dev/null +++ b/packages/mp/src/mp/core/data_models/integrations/integration_meta/ai/metadata.py @@ -0,0 +1,34 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import annotations + +from typing import Annotated + +from pydantic import BaseModel, Field + +from .product_categories import IntegrationProductCategories # noqa: TC001 + + +class IntegrationAiMetadata(BaseModel): + product_categories: Annotated[ + IntegrationProductCategories, + Field( + description=( + "Categories that describe the integration's capabilities as a security product." + " It shows the category and explains when to use it and the expected outcome" + " of the usage." + ) + ), + ] diff --git a/packages/mp/src/mp/core/data_models/integrations/integration_meta/ai/product_categories.py b/packages/mp/src/mp/core/data_models/integrations/integration_meta/ai/product_categories.py new file mode 100644 index 000000000..dab3b8f71 --- /dev/null +++ b/packages/mp/src/mp/core/data_models/integrations/integration_meta/ai/product_categories.py @@ -0,0 +1,201 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import annotations + +import enum +from typing import Annotated + +from pydantic import BaseModel, Field + + +class IntegrationProductCategories(BaseModel): + siem: Annotated[ + bool, + Field( + title="SIEM", + description=( + "When to Use:" + " Use when you need to find the activity related to Assets," + " Users or see if an IOC has been seen globally across your logs in the last 90" + " days." + " Expected Outcome:" + " Returns a timeline of activity, lists all internal assets that touched an IOC," + " and identifies source of the suspicious activity" + ), + ), + ] + edr: Annotated[ + bool, + Field( + title="EDR", + description=( + "When to Use:" + " Use when the investigation involves a specific host (workstation/server) and you" + " need to see deep process-level activity." + " Expected Outcome:" + " Returns the process tree (Parent/Child), retrieves suspicious files for analysis," + " or contains the host by isolating it from the network." + ), + ), + ] + network_security: Annotated[ + bool, + Field( + title="Network Security", + description=( + "When to Use:" + " Use when an internal asset is communicating with a known malicious external IP or" + " to verify if a web-based attack was blocked." + " Expected Outcome:" + " Returns firewall/WAF permit/deny logs and allows the agent to block malicious" + " IPs/URLs at the gateway." + ), + ), + ] + threat_intelligence: Annotated[ + bool, + Field( + title="Threat Intelligence", + description=( + "When to Use:" + " Use as the first step of enrichment for any external indicator (IP, Hash, URL) to" + " determine its reputation." + " Expected Outcome:" + " Returns risk scores, malware family names, and historical 'last seen' data to" + " confirm if an alert is a True Positive." + ), + ), + ] + email_security: Annotated[ + bool, + Field( + title="Email Security", + description=( + "When to Use:" + " Use when the alert involves a phishing report, a suspicious attachment, or a link" + " delivered via email." + " Expected Outcome:" + " Returns a list of all affected users who received the same email and allows the" + " agent to manage emails in all inboxes." + ), + ), + ] + iam_and_identity_management: Annotated[ + bool, + Field( + title="IAM & Identity Management", + description=( + "When to Use:" + ' Use when a user account is showing suspicious behavior ("Impossible Travel,"' + " credential stuffing, or unauthorized privilege escalation) and you want to manage" + " identity." + " Expected Outcome:" + " Returns user or identity group/privilege levels and allows the agent to suspend" + " accounts, force password resets, reset service accounts." + ), + ), + ] + cloud_security: Annotated[ + bool, + Field( + title="Cloud Security", + description=( + "When to Use: Use for alerts involving cloud-native resources GCP/AWS/Azure." + " Expected Outcome:" + " Returns resource configuration states, findings and identifies rogue cloud" + " instances or API keys." + ), + ), + ] + itsm: Annotated[ + bool, + Field( + title="ITSM", + description=( + "When to Use: Use to document the investigation, assign tasks to other teams." + " Expected Outcome:" + " Creates/updates tickets, assigns tasks to specific departments." + ), + ), + ] + vulnerability_management: Annotated[ + bool, + Field( + title="Vulnerability Management", + description=( + "When to Use:" + " Use to verify if a targeted asset is actually susceptible to the exploit seen in" + " the alert." + " Expected Outcome:" + " Returns CVE information and a list of missing patches on the target host to" + " determine if the attack had a high probability of success." + ), + ), + ] + asset_inventory: Annotated[ + bool, + Field( + title="Asset Inventory", + description=( + "When to Use:" + " Use when you want to get more information about an internal asset." + " Expected Outcome:" + " Returns the asset owner, department, business criticality, and whether the device" + " is managed by IT." + ), + ), + ] + collaboration: Annotated[ + bool, + Field( + title="Collaboration", + description=( + "When to Use: " + 'Use when an automated action requires a "Human-in-the-Loop" approval or when the' + " SOC needs to be notified of a critical find." + " Expected Outcome:" + " Sends interactive alerts to Slack/Teams for manual approval and notifies" + " stakeholders of critical findings." + ), + ), + ] + + +class IntegrationProductCategory(enum.StrEnum): + SIEM = "SIEM" + EDR = "EDR" + NETWORK_SECURITY = "Network Security" + THREAT_INTELLIGENCE = "Threat Intelligence" + EMAIL_SECURITY = "Email Security" + IAM_AND_IDENTITY_MANAGEMENT = "IAM & Identity Management" + CLOUD_SECURITY = "Cloud Security" + ITSM = "ITSM" + VULNERABILITY_MANAGEMENT = "Vulnerability Management" + ASSET_INVENTORY = "Asset Inventory" + COLLABORATION = "Collaboration" + + +PRODUCT_CATEGORY_TO_DEF_PRODUCT_CATEGORY: dict[str, IntegrationProductCategory] = { + "siem": IntegrationProductCategory.SIEM, + "edr": IntegrationProductCategory.EDR, + "threat_intelligence": IntegrationProductCategory.THREAT_INTELLIGENCE, + "email_security": IntegrationProductCategory.EMAIL_SECURITY, + "iam_and_identity_management": IntegrationProductCategory.IAM_AND_IDENTITY_MANAGEMENT, + "cloud_security": IntegrationProductCategory.CLOUD_SECURITY, + "itsm": IntegrationProductCategory.ITSM, + "vulnerability_management": IntegrationProductCategory.VULNERABILITY_MANAGEMENT, + "asset_inventory": IntegrationProductCategory.ASSET_INVENTORY, + "collaboration": IntegrationProductCategory.COLLABORATION, +} diff --git a/packages/mp/src/mp/core/data_models/integrations/integration_meta/metadata.py b/packages/mp/src/mp/core/data_models/integrations/integration_meta/metadata.py index d5380db09..a76a8c590 100644 --- a/packages/mp/src/mp/core/data_models/integrations/integration_meta/metadata.py +++ b/packages/mp/src/mp/core/data_models/integrations/integration_meta/metadata.py @@ -17,16 +17,20 @@ import base64 import json import pathlib -from typing import TYPE_CHECKING, Annotated, NotRequired, Self, TypedDict +from typing import TYPE_CHECKING, Annotated, Any, NamedTuple, NotRequired, Self, TypedDict, cast import pydantic -import yaml import mp.core.constants import mp.core.file_utils import mp.core.utils from mp.core import exclusions from mp.core.data_models.abc import RepresentableEnum, SingularComponentMetadata +from mp.core.data_models.integrations.integration_meta.ai.metadata import IntegrationAiMetadata +from mp.core.data_models.integrations.integration_meta.ai.product_categories import ( + PRODUCT_CATEGORY_TO_DEF_PRODUCT_CATEGORY, + IntegrationProductCategory, +) from .feature_tags import BuiltFeatureTags, FeatureTags, NonBuiltFeatureTags from .parameter import BuiltIntegrationParameter, IntegrationParameter, NonBuiltIntegrationParameter @@ -37,6 +41,10 @@ MINIMUM_SYSTEM_VERSION: float = 5.3 +class AiFields(NamedTuple): + product_categories: list[IntegrationProductCategory] + + class PythonVersion(RepresentableEnum): PY_3_11 = 3 @@ -108,6 +116,7 @@ class BuiltIntegrationMetadata(TypedDict): IsCustom: bool IsPowerUp: bool IsCertified: bool + ProductCategories: NotRequired[list[str] | None] class NonBuiltIntegrationMetadata(TypedDict): @@ -126,6 +135,7 @@ class NonBuiltIntegrationMetadata(TypedDict): is_custom: NotRequired[bool] is_available_for_community: NotRequired[bool] is_powerup: NotRequired[bool] + product_categories: NotRequired[list[str] | None] class IntegrationMetadata( @@ -171,6 +181,7 @@ class IntegrationMetadata( pydantic.PositiveFloat, pydantic.Field(ge=MINIMUM_SYSTEM_VERSION), ] = MINIMUM_SYSTEM_VERSION + product_categories: list[IntegrationProductCategory] @classmethod def from_built_path(cls, path: Path) -> Self: @@ -207,24 +218,23 @@ def from_non_built_path(cls, path: Path) -> Self: path: the path to the integration's "non-built" version Returns: - An IntegrationMetadata object - - Raises: - ValueError: when the "non-built" is failed to be loaded + An IntegrationMetadata object\ """ metadata_path: Path = path / mp.core.constants.DEFINITION_FILE - built: str = metadata_path.read_text(encoding="utf-8") - try: - metadata_content: NonBuiltIntegrationMetadata = yaml.safe_load(built) - _read_image_files(metadata_content, path) - metadata: Self = cls.from_non_built(metadata_path.name, metadata_content) - metadata.is_certified = mp.core.file_utils.is_certified_integration(path) - except (ValueError, json.JSONDecodeError) as e: - msg: str = f"Failed to load json from {metadata_path}\n{built}" - raise ValueError(mp.core.utils.trim_values(msg)) from e - else: - return metadata + metadata_content: NonBuiltIntegrationMetadata = cast( + "NonBuiltIntegrationMetadata", + cast("object", mp.core.file_utils.load_yaml_file(metadata_path)), + ) + _read_image_files(metadata_content, path) + + ai_fields: AiFields = _get_ai_fields(path) + _update_non_built_with_ai_fields(metadata_content, ai_fields) + + metadata: Self = cls.from_non_built(metadata_path.name, metadata_content) + metadata.is_certified = mp.core.file_utils.is_certified_integration(path) + + return metadata @classmethod def _from_built(cls, _: str, built: BuiltIntegrationMetadata) -> Self: # ty:ignore[invalid-method-override] @@ -257,6 +267,10 @@ def _from_built(cls, _: str, built: BuiltIntegrationMetadata) -> Self: # ty:ign is_custom=built.get("IsCustom", False), is_available_for_community=built.get("IsAvailableForCommunity", True), is_powerup=built.get("IsPowerUp", False), + product_categories=[ + IntegrationProductCategory(category) + for category in built.get("ProductCategories") or [] + ], ) @classmethod @@ -286,6 +300,9 @@ def _from_non_built(cls, _: str, non_built: NonBuiltIntegrationMetadata) -> Self True, ), is_powerup=non_built.get("is_powerup", False), + product_categories=[ + IntegrationProductCategory(c) for c in non_built.get("product_categories") or [] + ], ) def to_built(self) -> BuiltIntegrationMetadata: @@ -383,3 +400,37 @@ def _read_image_files(metadata_content: NonBuiltIntegrationMetadata, path: Path) if svg_path_str := metadata_content.get("svg_logo_path"): full_path = path / svg_path_str metadata_content["svg_logo_path"] = mp.core.file_utils.svg_path_to_text(full_path) + + +def _get_ai_fields(integration_path: Path) -> AiFields: + empty_results: AiFields = AiFields(product_categories=[]) + if not integration_path.exists(): + return empty_results + + integration_desc: Path = ( + integration_path + / mp.core.constants.RESOURCES_DIR + / mp.core.constants.AI_DIR + / mp.core.constants.INTEGRATIONS_AI_DESCRIPTION_FILE + ) + if not integration_desc.exists(): + return empty_results + + integration_content: dict[str, Any] = mp.core.file_utils.load_yaml_file(integration_desc) + if integration_content is None: + return empty_results + + ai_meta: IntegrationAiMetadata = IntegrationAiMetadata.model_validate(integration_content) + return AiFields( + product_categories=[ + PRODUCT_CATEGORY_TO_DEF_PRODUCT_CATEGORY[category] + for category, is_true in ai_meta.product_categories.model_dump().items() + if is_true + ], + ) + + +def _update_non_built_with_ai_fields( + non_built: NonBuiltIntegrationMetadata, ai_fields: AiFields +) -> None: + non_built["product_categories"] = [c.value for c in ai_fields.product_categories] diff --git a/packages/mp/src/mp/describe/integration/__init__.py b/packages/mp/src/mp/describe/integration/__init__.py index e69de29bb..0a2669d7a 100644 --- a/packages/mp/src/mp/describe/integration/__init__.py +++ b/packages/mp/src/mp/describe/integration/__init__.py @@ -0,0 +1,13 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. From 7a620e22bfb29636ae89f6e56e1cedbe0bc948b7 Mon Sep 17 00:00:00 2001 From: talshapir Date: Sun, 5 Apr 2026 14:54:03 +0300 Subject: [PATCH 06/26] mp fixes --- packages/mp/src/mp/core/data_models/abc.py | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/packages/mp/src/mp/core/data_models/abc.py b/packages/mp/src/mp/core/data_models/abc.py index cee9f6124..96bc9cdb3 100644 --- a/packages/mp/src/mp/core/data_models/abc.py +++ b/packages/mp/src/mp/core/data_models/abc.py @@ -23,7 +23,6 @@ import yaml import mp.core.file_utils -from mp.core.utils.common.utils import trim_values if TYPE_CHECKING: from pathlib import Path @@ -125,6 +124,8 @@ def from_built(cls, built: _BT) -> T_Buildable: ValueError: when the built object failed to be loaded """ + from mp.core.utils.common.utils import trim_values # noqa: PLC0415 + try: metadata: T_Buildable = cls._from_built(built) except (KeyError, ValueError) as e: @@ -147,6 +148,8 @@ def from_non_built(cls, non_built: _NBT) -> T_Buildable: ValueError: when the non-built object failed to be loaded """ + from mp.core.utils.common.utils import trim_values # noqa: PLC0415 + try: metadata: T_Buildable = cls._from_non_built(non_built) except (KeyError, ValueError) as e: @@ -220,6 +223,8 @@ def from_built(cls, file_name: str, built: _BT) -> T_BuildableComponent: ValueError: when the built object failed to be loaded """ + from mp.core.utils.common.utils import trim_values # noqa: PLC0415 + try: metadata: T_BuildableComponent = cls._from_built(file_name, built) except (KeyError, ValueError) as e: @@ -243,6 +248,8 @@ def from_non_built(cls, file_name: str, non_built: _NBT) -> T_BuildableComponent ValueError: when the non-built object failed to be loaded """ + from mp.core.utils.common.utils import trim_values # noqa: PLC0415 + try: metadata: T_BuildableComponent = cls._from_non_built(file_name, non_built) except (KeyError, ValueError) as e: From 6c837b73f20f281463bfe8efbef6aac7dc15155b Mon Sep 17 00:00:00 2001 From: talshapir Date: Sun, 5 Apr 2026 15:28:50 +0300 Subject: [PATCH 07/26] fix tests --- .../restructure/integrations/deconstruct.py | 25 +++++++++++++++++++ packages/mp/src/mp/core/unix.py | 12 ++++++--- 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/packages/mp/src/mp/build_project/restructure/integrations/deconstruct.py b/packages/mp/src/mp/build_project/restructure/integrations/deconstruct.py index 3c5c5170f..45ff76034 100644 --- a/packages/mp/src/mp/build_project/restructure/integrations/deconstruct.py +++ b/packages/mp/src/mp/build_project/restructure/integrations/deconstruct.py @@ -46,6 +46,11 @@ from mp.core.data_models.integrations.action.metadata import ActionMetadata from mp.core.data_models.integrations.action_widget.metadata import ActionWidgetMetadata from mp.core.data_models.integrations.connector.metadata import ConnectorMetadata +from mp.core.data_models.integrations.integration_meta.ai.metadata import IntegrationAiMetadata +from mp.core.data_models.integrations.integration_meta.ai.product_categories import ( + PRODUCT_CATEGORY_TO_DEF_PRODUCT_CATEGORY, + IntegrationProductCategories, +) from mp.core.data_models.integrations.integration_meta.metadata import ( IntegrationMetadata, PythonVersion, @@ -169,6 +174,26 @@ def _create_resource_files(self) -> None: self._create_png_image(resources_dir) self._create_svg_logo(resources_dir) + self._create_ai_description_file(resources_dir) + + def _create_ai_description_file(self, resources_dir: Path) -> None: + ai_dir: Path = resources_dir / mp.core.constants.AI_DIR + ai_dir.mkdir(exist_ok=True, parents=True) + + categories_dict: dict[str, bool] = { + category: ( + PRODUCT_CATEGORY_TO_DEF_PRODUCT_CATEGORY[category] + in self.integration.metadata.product_categories + ) + for category in PRODUCT_CATEGORY_TO_DEF_PRODUCT_CATEGORY + } + + ai_meta = IntegrationAiMetadata( + product_categories=IntegrationProductCategories(**categories_dict) + ) + + ai_file: Path = ai_dir / mp.core.constants.INTEGRATIONS_AI_DESCRIPTION_FILE + mp.core.file_utils.write_yaml_to_file(ai_meta.model_dump(), ai_file) def _create_png_image(self, resources_dir: Path) -> None: if self.integration.metadata.image_base64: diff --git a/packages/mp/src/mp/core/unix.py b/packages/mp/src/mp/core/unix.py index 41c962610..166939b91 100644 --- a/packages/mp/src/mp/core/unix.py +++ b/packages/mp/src/mp/core/unix.py @@ -72,6 +72,8 @@ def compile_core_integration_dependencies(project_path: Path, requirements_path: "--no-dev", "--python", python_version, + "--default-index", + "https://pypi.org/simple", ] runtime_config: list[str] = _get_runtime_config() command.extend(runtime_config) @@ -175,6 +177,8 @@ def download_wheels_from_requirements( "cp", "--platform", "none-any", + "--index-url", + "https://pypi.org/simple", ] runtime_config: list[str] = _get_runtime_config() command.extend(runtime_config) @@ -218,6 +222,8 @@ def add_dependencies_to_toml( "add", "--python", python_version, + "--default-index", + "https://pypi.org/simple", ] runtime_config: list[str] = _get_runtime_config() base_command.extend(runtime_config) @@ -238,10 +244,6 @@ def _add_regular_dependencies_to_toml( return deps_command: list[str] = base_command.copy() deps_command.extend(deps_to_add) - deps_command.extend([ - "--default-index", - "https://pypi.org/simple", - ]) try: sp.run(deps_command, cwd=project_path, check=True, text=True) # noqa: S603 @@ -545,6 +547,8 @@ def check_lock_file(project_path: Path) -> None: str(project_path), "--python", python_version, + "--default-index", + "https://pypi.org/simple", ] runtime_config: list[str] = _get_runtime_config() From b41fe47f150bf29b63a59cfbaf1ba1e0c8ace571 Mon Sep 17 00:00:00 2001 From: talshapir Date: Sun, 5 Apr 2026 15:52:03 +0300 Subject: [PATCH 08/26] Add mp describe integration command --- .../integration_meta/ai/product_categories.py | 1 + .../mp/src/mp/describe/action/describe.py | 435 ++--------------- .../mp/src/mp/describe/action/describe_all.py | 188 +------- .../prompt_constructors/prompt_constructor.py | 21 +- .../{action/utils => common}/__init__.py | 0 .../mp/src/mp/describe/common/describe.py | 454 ++++++++++++++++++ .../mp/src/mp/describe/common/describe_all.py | 194 ++++++++ .../common/prompt_constructors/__init__.py | 13 + .../prompt_constructors/prompt_constructor.py | 68 +++ .../src/mp/describe/common/prompts/system.md | 30 ++ .../src/mp/describe/common/utils/__init__.py | 13 + .../describe/{action => common}/utils/llm.py | 13 +- .../{action => common}/utils/paths.py | 18 +- .../src/mp/describe/integration/__init__.py | 2 +- .../src/mp/describe/integration/describe.py | 124 +++++ .../mp/describe/integration/describe_all.py | 46 ++ .../prompt_constructors/__init__.py | 13 + .../prompt_constructors/integration.py | 83 ++++ .../mp/describe/integration/prompts/task.md | 24 + .../src/mp/describe/integration/typer_app.py | 113 +++++ packages/mp/src/mp/describe/typer_app.py | 2 + .../ai/integrations_ai_description.yaml | 12 + .../mp/tests/test_mp/test_path_discovery.py | 93 ++++ 23 files changed, 1366 insertions(+), 594 deletions(-) rename packages/mp/src/mp/describe/{action/utils => common}/__init__.py (100%) create mode 100644 packages/mp/src/mp/describe/common/describe.py create mode 100644 packages/mp/src/mp/describe/common/describe_all.py create mode 100644 packages/mp/src/mp/describe/common/prompt_constructors/__init__.py create mode 100644 packages/mp/src/mp/describe/common/prompt_constructors/prompt_constructor.py create mode 100644 packages/mp/src/mp/describe/common/prompts/system.md create mode 100644 packages/mp/src/mp/describe/common/utils/__init__.py rename packages/mp/src/mp/describe/{action => common}/utils/llm.py (84%) rename packages/mp/src/mp/describe/{action => common}/utils/paths.py (86%) create mode 100644 packages/mp/src/mp/describe/integration/describe.py create mode 100644 packages/mp/src/mp/describe/integration/describe_all.py create mode 100644 packages/mp/src/mp/describe/integration/prompt_constructors/__init__.py create mode 100644 packages/mp/src/mp/describe/integration/prompt_constructors/integration.py create mode 100644 packages/mp/src/mp/describe/integration/prompts/task.md create mode 100644 packages/mp/src/mp/describe/integration/typer_app.py create mode 100644 packages/mp/tests/test_mp/mock_content_hub/response_integrations/third_party/mock_integration/resources/ai/integrations_ai_description.yaml create mode 100644 packages/mp/tests/test_mp/test_path_discovery.py diff --git a/packages/mp/src/mp/core/data_models/integrations/integration_meta/ai/product_categories.py b/packages/mp/src/mp/core/data_models/integrations/integration_meta/ai/product_categories.py index dab3b8f71..ceb50f6ce 100644 --- a/packages/mp/src/mp/core/data_models/integrations/integration_meta/ai/product_categories.py +++ b/packages/mp/src/mp/core/data_models/integrations/integration_meta/ai/product_categories.py @@ -190,6 +190,7 @@ class IntegrationProductCategory(enum.StrEnum): PRODUCT_CATEGORY_TO_DEF_PRODUCT_CATEGORY: dict[str, IntegrationProductCategory] = { "siem": IntegrationProductCategory.SIEM, "edr": IntegrationProductCategory.EDR, + "network_security": IntegrationProductCategory.NETWORK_SECURITY, "threat_intelligence": IntegrationProductCategory.THREAT_INTELLIGENCE, "email_security": IntegrationProductCategory.EMAIL_SECURITY, "iam_and_identity_management": IntegrationProductCategory.IAM_AND_IDENTITY_MANAGEMENT, diff --git a/packages/mp/src/mp/describe/action/describe.py b/packages/mp/src/mp/describe/action/describe.py index d1ae46edc..3662a340e 100644 --- a/packages/mp/src/mp/describe/action/describe.py +++ b/packages/mp/src/mp/describe/action/describe.py @@ -14,29 +14,23 @@ from __future__ import annotations -import asyncio -import contextlib import json import logging -from typing import TYPE_CHECKING, Any, NamedTuple, TypeAlias +from typing import TYPE_CHECKING, Any, NamedTuple -import anyio import yaml -from rich.progress import TaskID, track from mp.core import constants from mp.core.data_models.integrations.action.ai.metadata import ActionAiMetadata -from mp.core.utils import folded_string_representer +from mp.describe.common.describe import DescribeBase, IntegrationStatus from .prompt_constructors.built import BuiltPromptConstructor from .prompt_constructors.source import SourcePromptConstructor -from .utils import llm, paths if TYPE_CHECKING: import pathlib - from collections.abc import AsyncIterator, Callable - from rich.progress import Progress + import anyio from mp.core.data_models.integrations.action.metadata import ( BuiltActionMetadata, @@ -44,23 +38,6 @@ ) logger: logging.Logger = logging.getLogger(__name__) -_PromptConstructor: TypeAlias = BuiltPromptConstructor | SourcePromptConstructor - - -class IntegrationStatus(NamedTuple): - is_built: bool - out_path: anyio.Path - - -class ActionDescriptionResult(NamedTuple): - action_name: str - metadata: ActionAiMetadata | None - - -class RichParams(NamedTuple): - on_action_done: Callable[[], None] | None = None - progress: Progress | None = None - task_id: TaskID | None = None class DescriptionParams(NamedTuple): @@ -71,65 +48,7 @@ class DescriptionParams(NamedTuple): status: IntegrationStatus -def _merge_results(metadata: dict[str, Any], results: list[ActionDescriptionResult]) -> None: - for result in results: - if result.metadata is not None: - metadata[result.action_name] = result.metadata.model_dump(mode="json") - - -def _create_notifier(rich_params: RichParams) -> Callable[[], None]: - """Create a notifier function to handle progress and callbacks. - - Args: - rich_params: Progress and callback parameters. - - Returns: - Callable[[], None]: A function that advances progress and calls the callback. - - """ - - def notify() -> None: - if rich_params.on_action_done: - rich_params.on_action_done() - if rich_params.progress and rich_params.task_id: - rich_params.progress.advance(rich_params.task_id) - - return notify - - -def _map_bulk_results_to_actions( - actions: list[str], - valid_indices: list[int], - results: list[ActionAiMetadata | str], -) -> list[ActionDescriptionResult]: - """Map Gemini results back to action names. - - Args: - actions: Original list of action names. - valid_indices: Indices of actions that had valid prompts. - results: Results from Gemini for those valid prompts. - - Returns: - list[ActionDescriptionResult]: Mapped results. - - """ - final_results: list[ActionDescriptionResult] = [ - ActionDescriptionResult(action_name=a, metadata=None) for a in actions - ] - for i, result in zip(valid_indices, results, strict=False): - action_name: str = actions[i] - - if isinstance(result, ActionAiMetadata) and action_name.casefold() == "Ping".casefold(): - result.categories.enrichment = False - - final_results[i] = ActionDescriptionResult( - action_name, result if isinstance(result, ActionAiMetadata) else None - ) - - return final_results - - -class DescribeAction: +class DescribeAction(DescribeBase[ActionAiMetadata]): def __init__( self, integration: str, @@ -139,272 +58,40 @@ def __init__( dst: pathlib.Path | None = None, override: bool = False, ) -> None: - self.integration_name: str = integration - self.src: pathlib.Path | None = src - self.integration: anyio.Path = paths.get_integration_path(integration, src=src) - self.actions: set[str] = actions - self.override: bool = override - self.dst: pathlib.Path | None = dst - + super().__init__(integration, actions, src=src, dst=dst, override=override) self._action_name_to_file_stem: dict[str, str] = {} - async def describe_actions( - self, - sem: asyncio.Semaphore | None = None, - on_action_done: Callable[[], None] | None = None, - progress: Progress | None = None, - ) -> None: - """Describe actions in a given integration. + @property + def metadata_file_name(self) -> str: + """Get the name of the metadata file.""" + return constants.ACTIONS_AI_DESCRIPTION_FILE - Args: - sem: Optional semaphore to limit concurrent Gemini requests. - on_action_done: An optional callback is called when an action is finished. - progress: An optional Progress object to use for progress reporting. + @property + def resource_type_name(self) -> str: + """Get the resource type name.""" + return "action" - """ - metadata, status = await asyncio.gather( - self._load_metadata(), self._get_integration_status() - ) - - actions_to_process: set[str] = await self._prepare_actions(status, metadata) - if not actions_to_process: - if not self.actions: - await self._save_metadata(metadata) - else: - logger.info( - "All actions in %s already have descriptions. Skipping.", self.integration_name - ) - return - - if len(actions_to_process) == 1: - logger.info( - "Describing action %s for %s", - next(iter(actions_to_process)), - self.integration_name, - ) - else: - logger.info( - "Describing %d actions for %s", - len(actions_to_process), - self.integration_name, - ) - - results: list[ActionDescriptionResult] = await self._execute_descriptions( - actions_to_process, status, sem, on_action_done, progress - ) + @property + def response_schema(self) -> type[ActionAiMetadata]: + """Get the response schema.""" + return ActionAiMetadata - _merge_results(metadata, results) - await self._save_metadata(metadata) + async def describe_actions(self, **kwargs: Any) -> None: # noqa: ANN401 + """Describe actions (compatibility method).""" + # Compatibility method + await self.describe(**kwargs) async def get_actions_count(self) -> int: - """Get the number of actions in the integration. + """Get actions' count (compatibility method). Returns: int: The number of actions. """ - status, metadata = await asyncio.gather( - self._get_integration_status(), self._load_metadata() - ) - actions: set[str] = await self._prepare_actions(status, metadata) - return len(actions) - - async def _prepare_actions( - self, status: IntegrationStatus, metadata: dict[str, Any] - ) -> set[str]: - if not self.actions: - self.actions = await self._get_all_actions(status) - - if not self.override: - actions_to_process = {action for action in self.actions if action not in metadata} - skipped_count: int = len(self.actions) - len(actions_to_process) - if skipped_count > 0: - if skipped_count == 1: - logger.info( - "Skipping 1 action that already has a description in %s", - self.integration_name, - ) - else: - logger.info( - "Skipping %d actions that already have a description in %s", - skipped_count, - self.integration_name, - ) - return actions_to_process + # Compatibility method + return await self.get_resources_count() - return self.actions - - async def _execute_descriptions( - self, - actions: set[str], - status: IntegrationStatus, - sem: asyncio.Semaphore | None = None, - on_action_done: Callable[[], None] | None = None, - progress: Progress | None = None, - ) -> list[ActionDescriptionResult]: - action_list = list(actions) - bulks = [ - action_list[i : i + llm.DESCRIBE_BULK_SIZE] - for i in range(0, len(action_list), llm.DESCRIBE_BULK_SIZE) - ] - - if len(actions) == 1: - description = f"Describing action {next(iter(actions))} for {self.integration_name}..." - else: - description = f"Describing actions for {self.integration_name}..." - - results: list[ActionDescriptionResult] = [] - - if progress: - task_id = progress.add_task(description, total=len(actions)) - rich_params = RichParams(on_action_done, progress, task_id) - tasks: list[asyncio.Task] = [ - asyncio.create_task(self._process_bulk_actions(bulk, status, sem, rich_params)) - for bulk in bulks - ] - for coro in asyncio.as_completed(tasks): - results.extend(await coro) - - progress.remove_task(task_id) - - else: - rich_params = RichParams(on_action_done) - tasks: list[asyncio.Task] = [ - asyncio.create_task(self._process_bulk_actions(bulk, status, sem, rich_params)) - for bulk in bulks - ] - results.extend([ - res - for bulk_res in track( - asyncio.as_completed(tasks), - description=description, - total=len(bulks), - ) - for res in await bulk_res - ]) - - return results - - async def _process_bulk_actions( - self, - actions: list[str], - status: IntegrationStatus, - sem: asyncio.Semaphore | None = None, - rich_params: RichParams | None = None, - ) -> list[ActionDescriptionResult]: - if rich_params is None: - rich_params = RichParams() - - notify_done: Callable[[], None] = _create_notifier(rich_params) - try: - async with _maybe_use_semaphore(sem): - return await self._describe_actions_bulk_with_error_handling( - actions, status, notify_done - ) - - except Exception: - logger.exception("Failed to process bulk of actions: %s", actions) - for _ in actions: - notify_done() - - return [ActionDescriptionResult(a, None) for a in actions] - - async def _describe_actions_bulk_with_error_handling( - self, - actions: list[str], - status: IntegrationStatus, - notify_done: Callable[[], None], - ) -> list[ActionDescriptionResult]: - try: - results: list[ActionDescriptionResult] = await self.describe_actions_bulk( - actions, status - ) - except Exception: - logger.exception("Failed to describe actions bulk %s", actions) - results: list[ActionDescriptionResult] = [ - ActionDescriptionResult(a, None) for a in actions - ] - - for _ in actions: - notify_done() - - return results - - async def describe_actions_bulk( - self, - actions: list[str], - status: IntegrationStatus, - ) -> list[ActionDescriptionResult]: - """Describe multiple actions of a given integration in bulk. - - Args: - actions: The names of the actions to describe. - status: The status of the integration. - - Returns: - list[ActionDescriptionResult]: The AI-generated metadata for the actions. - - """ - prompts: list[str] = await self._construct_prompts(actions, status) - - valid_indices: list[int] = [i for i, p in enumerate(prompts) if p] - valid_prompts: list[str] = [prompts[i] for i in valid_indices] - - if not valid_prompts: - return [ActionDescriptionResult(a, None) for a in actions] - - results: list[ActionAiMetadata | str] = await llm.call_gemini_bulk(valid_prompts) - return _map_bulk_results_to_actions(actions, valid_indices, results) - - async def _construct_prompts(self, actions: list[str], status: IntegrationStatus) -> list[str]: - """Construct prompts for a list of actions. - - Args: - actions: Names of actions. - status: Integration status. - - Returns: - list[str]: List of constructed prompts. - - """ - prompts: list[str] = [] - for action_name in actions: - if action_name not in self._action_name_to_file_stem: - # Fallback: assume the file stem is the action name (legacy support) - self._action_name_to_file_stem[action_name] = action_name - - params = DescriptionParams( - integration=self.integration, - integration_name=self.integration_name, - action_name=action_name, - action_file_name=self._action_name_to_file_stem[action_name], - status=status, - ) - constructor: _PromptConstructor = _create_prompt_constructor(params) - prompt: str = await constructor.construct() - if not prompt: - logger.warning("Could not construct prompt for action %s", action_name) - prompts.append("") - else: - prompts.append(prompt) - return prompts - - async def _get_integration_status(self) -> IntegrationStatus: - out_path: anyio.Path = paths.get_out_path(self.integration_name, src=self.src) - is_built: bool = await out_path.exists() - - # If it's not built in the out directory, check if the integration itself is built - if not is_built: - def_file: anyio.Path = self.integration / constants.INTEGRATION_DEF_FILE.format( - self.integration_name - ) - if await def_file.exists(): - is_built = True - out_path = self.integration - - return IntegrationStatus(is_built=is_built, out_path=out_path) - - async def _get_all_actions(self, status: IntegrationStatus) -> set[str]: + async def _get_all_resources(self, status: IntegrationStatus) -> set[str]: actions: set[str] = set() if status.is_built: await self._get_all_built_actions(status.out_path, actions) @@ -438,48 +125,28 @@ async def _get_all_non_built_actions(self, actions: set[str]) -> None: except (yaml.YAMLError, KeyError): logger.warning("Failed to parse non-built action metadata %s", file.name) - async def _load_metadata(self) -> dict[str, Any]: - resource_ai_dir: anyio.Path = self.integration / constants.RESOURCES_DIR / constants.AI_DIR - metadata_file: anyio.Path = resource_ai_dir / constants.ACTIONS_AI_DESCRIPTION_FILE - metadata: dict[str, Any] = {} - - if await metadata_file.exists(): - content: str = await metadata_file.read_text() - with contextlib.suppress(yaml.YAMLError): - metadata = yaml.safe_load(content) or {} - - if self.dst: - dst_file: anyio.Path = anyio.Path(self.dst) / constants.ACTIONS_AI_DESCRIPTION_FILE - if await dst_file.exists(): - content: str = await dst_file.read_text() - with contextlib.suppress(yaml.YAMLError): - dst_metadata = yaml.safe_load(content) or {} - - metadata.update(dst_metadata) - - return metadata - - async def _save_metadata(self, metadata: dict[str, Any]) -> None: - if self.dst: - save_dir: anyio.Path = anyio.Path(self.dst) - else: - save_dir: anyio.Path = self.integration / constants.RESOURCES_DIR / constants.AI_DIR - - await save_dir.mkdir(parents=True, exist_ok=True) - metadata_file: anyio.Path = save_dir / constants.ACTIONS_AI_DESCRIPTION_FILE - yaml.add_representer(str, folded_string_representer, Dumper=yaml.SafeDumper) - await metadata_file.write_text(yaml.safe_dump(metadata)) + async def _construct_prompts( + self, resources: list[str], status: IntegrationStatus + ) -> list[str]: + prompts: list[str] = [] + for action_name in resources: + params = DescriptionParams( + self.integration, + self.integration_name, + action_name, + self._action_name_to_file_stem.get(action_name, action_name), + status, + ) + constructor: BuiltPromptConstructor | SourcePromptConstructor = ( + _create_prompt_constructor(params) + ) + prompts.append(await constructor.construct()) + return prompts def _create_prompt_constructor( params: DescriptionParams, ) -> BuiltPromptConstructor | SourcePromptConstructor: - """Create the object. - - Returns: - PromptConstructor: The constructed object. - - """ if params.status.is_built: return BuiltPromptConstructor( params.integration, @@ -495,21 +162,3 @@ def _create_prompt_constructor( params.action_file_name, params.status.out_path, ) - - -@contextlib.asynccontextmanager -async def _maybe_use_semaphore(sem: asyncio.Semaphore | None) -> AsyncIterator[None]: - """Use a context manager that optionally uses semaphore. - - Args: - sem: The semaphore to use, or None. - - Yields: - None: When the semaphore is acquired or if no semaphore is provided. - - """ - if sem: - async with sem: - yield - else: - yield diff --git a/packages/mp/src/mp/describe/action/describe_all.py b/packages/mp/src/mp/describe/action/describe_all.py index 6a9bc25ff..83f936fd8 100644 --- a/packages/mp/src/mp/describe/action/describe_all.py +++ b/packages/mp/src/mp/describe/action/describe_all.py @@ -14,202 +14,34 @@ from __future__ import annotations -import asyncio -import collections -import logging -from asyncio import Task -from typing import TYPE_CHECKING, NamedTuple +from typing import TYPE_CHECKING -from rich.progress import ( - BarColumn, - Progress, - SpinnerColumn, - TaskID, - TextColumn, - TimeRemainingColumn, +from mp.describe.common.describe_all import ( + MarketplaceOrchestratorBase, + get_all_integrations_paths, ) -import mp.core.config -from mp.core.custom_types import RepositoryType -from mp.core.file_utils import get_integration_base_folders_paths -from mp.describe.action.describe import DescribeAction +from .describe import DescribeAction if TYPE_CHECKING: from pathlib import Path -logger: logging.Logger = logging.getLogger(__name__) -MAX_ACTIVE_INTEGRATIONS: int = 3 -MAX_ACTIVE_TASKS: int = 3 - - -class IntegrationTask(NamedTuple): - task: asyncio.Task[None] - integration_name: str - initial_action_count: int - - async def describe_all_actions( src: Path | None = None, dst: Path | None = None, *, override: bool = False ) -> None: """Describe all actions in all integrations in the marketplace.""" - integrations_paths: list[Path] = _get_all_integrations_paths(src=src) + integrations_paths: list[Path] = get_all_integrations_paths(src=src) orchestrator = _MarketplaceOrchestrator(src, integrations_paths, dst=dst, override=override) await orchestrator.run() -class _MarketplaceOrchestrator: - def __init__( - self, - src: Path | None, - integrations_paths: list[Path], - *, - dst: Path | None = None, - override: bool = False, - ) -> None: - self.src: Path | None = src - self.dst: Path | None = dst - self.integrations_paths: list[Path] = integrations_paths - self.concurrency: int = mp.core.config.get_gemini_concurrency() - self.action_sem: asyncio.Semaphore = asyncio.Semaphore(self.concurrency) - self.max_active_integrations: int = max(MAX_ACTIVE_INTEGRATIONS, self.concurrency) - self.override: bool = override - - self.pending_paths: collections.deque[Path] = collections.deque(integrations_paths) - self.active_tasks: set[IntegrationTask] = set() - self.actions_in_flight: int = 0 - - def _on_action_done(self) -> None: - self.actions_in_flight -= 1 - - def _can_start_more(self) -> bool: - """Check if we have capacity and space in UI to start new integrations. - - Returns: - bool: True if we can start more integrations, False otherwise. - - """ - # We want to have at least 'concurrency' actions in flight (or queued), - # But we also want to limit the number of integrations to keep the UI clean. - return bool( - self.pending_paths - and ( - self.actions_in_flight < self.concurrency - or len(self.active_tasks) < MAX_ACTIVE_TASKS - ) - and len(self.active_tasks) < self.max_active_integrations - ) - - async def _start_next_integration(self, progress: Progress) -> None: - """Start describing the next integration in the queue.""" - path: Path = self.pending_paths.popleft() - da: DescribeAction = DescribeAction( - integration=path.name, +class _MarketplaceOrchestrator(MarketplaceOrchestratorBase): + def _create_describer(self, integration_name: str) -> DescribeAction: + return DescribeAction( + integration=integration_name, actions=set(), src=self.src, dst=self.dst, override=self.override, ) - - # Pre-discover action count to decide if we should start more - count: int = await da.get_actions_count() - self.actions_in_flight += count - - task: Task[None] = asyncio.create_task( - da.describe_actions( - sem=self.action_sem, on_action_done=self._on_action_done, progress=progress - ) - ) - self.active_tasks.add( - IntegrationTask( - task=task, - integration_name=path.name, - initial_action_count=count, - ) - ) - - async def _wait_for_tasks(self) -> set[IntegrationTask]: - """Wait for at least one active task to complete and return done tasks. - - Returns: - set[IntegrationTask]: Set of completed tasks. - - """ - if not self.active_tasks: - return set() - - done_tasks, pending_tasks = await asyncio.wait( - {it.task for it in self.active_tasks}, return_when=asyncio.FIRST_COMPLETED - ) - - done_integration_tasks: set[IntegrationTask] = { - it for it in self.active_tasks if it.task in done_tasks - } - self.active_tasks: set[IntegrationTask] = { - it for it in self.active_tasks if it.task in pending_tasks - } - - return done_integration_tasks - - async def run(self) -> None: - """Run the orchestration loop.""" - with Progress( - SpinnerColumn(), - TextColumn("[progress.description]{task.description}"), - BarColumn(), - TextColumn("[progress.percentage]{task.percentage:>3.0f}%"), - TimeRemainingColumn(), - ) as progress: - main_task: TaskID = progress.add_task( - description="Describing integrations...", - total=len(self.integrations_paths), - ) - - while self.pending_paths or self.active_tasks: - while self._can_start_more(): - await self._start_next_integration(progress) - - if not self.active_tasks: - break - - done_integration_tasks: set[IntegrationTask] = await self._wait_for_tasks() - await _process_completed_tasks(done_integration_tasks, progress, main_task) - - -async def _process_completed_tasks( - done_integration_tasks: set[IntegrationTask], - progress: Progress, - main_task: TaskID, -) -> None: - """Process results and exceptions for completed tasks.""" - for it in done_integration_tasks: - progress.advance(main_task) - try: - await it.task - except Exception: - logger.exception( - "Failed to describe integration %s", - it.integration_name, - ) - - -def _get_all_integrations_paths(src: Path | None = None) -> list[Path]: - if src: - return ( - [p for p in src.iterdir() if p.is_dir() and not p.name.startswith(".")] - if src.exists() - else [] - ) - - paths: list[Path] = [] - base_paths: list[Path] = [] - for repo_type in [RepositoryType.COMMERCIAL, RepositoryType.THIRD_PARTY]: - base_paths.extend(get_integration_base_folders_paths(repo_type.value)) - - for base_path in base_paths: - if not base_path.exists(): - continue - - paths.extend([p for p in base_path.iterdir() if p.is_dir() and not p.name.startswith(".")]) - - return paths diff --git a/packages/mp/src/mp/describe/action/prompt_constructors/prompt_constructor.py b/packages/mp/src/mp/describe/action/prompt_constructors/prompt_constructor.py index 51dbead71..95af5e044 100644 --- a/packages/mp/src/mp/describe/action/prompt_constructors/prompt_constructor.py +++ b/packages/mp/src/mp/describe/action/prompt_constructors/prompt_constructor.py @@ -19,14 +19,15 @@ import anyio +from mp.describe.common.prompt_constructors.prompt_constructor import ( + PromptConstructor as BasePromptConstructor, +) -class PromptConstructor(abc.ABC): + +class PromptConstructor(BasePromptConstructor, abc.ABC): __slots__: tuple[str, ...] = ( "action_file_name", "action_name", - "integration", - "integration_name", - "out_path", ) def __init__( @@ -37,18 +38,16 @@ def __init__( action_file_name: str, out_path: anyio.Path, ) -> None: - self.integration: anyio.Path = integration - self.integration_name: str = integration_name + super().__init__(integration, integration_name, out_path) self.action_name: str = action_name self.action_file_name: str = action_file_name - self.out_path: anyio.Path = out_path - @property - async def task_prompt(self) -> Template: + @staticmethod + async def get_task_prompt() -> Template: """Get the task prompt. Returns: - str: The task prompt. + Template: The task prompt. """ prompt_file: anyio.Path = anyio.Path(__file__).parent.parent / "prompts" / "task.md" @@ -56,7 +55,7 @@ async def task_prompt(self) -> Template: @abc.abstractmethod async def construct(self) -> str: - """Construct a prompt for generating action descriptions. + """Construct a prompt for generating AI descriptions. Returns: str: The constructed prompt. diff --git a/packages/mp/src/mp/describe/action/utils/__init__.py b/packages/mp/src/mp/describe/common/__init__.py similarity index 100% rename from packages/mp/src/mp/describe/action/utils/__init__.py rename to packages/mp/src/mp/describe/common/__init__.py diff --git a/packages/mp/src/mp/describe/common/describe.py b/packages/mp/src/mp/describe/common/describe.py new file mode 100644 index 000000000..789b82c2c --- /dev/null +++ b/packages/mp/src/mp/describe/common/describe.py @@ -0,0 +1,454 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import annotations + +import abc +import asyncio +import contextlib +import logging +from typing import TYPE_CHECKING, Any, Generic, NamedTuple, TypeVar + +import anyio +import yaml +from pydantic import BaseModel +from rich.progress import TaskID, track + +from mp.core import constants +from mp.core.utils import folded_string_representer + +from .utils import llm, paths + +if TYPE_CHECKING: + import pathlib + from collections.abc import AsyncIterator, Callable + + from rich.progress import Progress + +logger: logging.Logger = logging.getLogger(__name__) + +T_Metadata = TypeVar("T_Metadata", bound=BaseModel) + + +class IntegrationStatus(NamedTuple): + is_built: bool + out_path: anyio.Path + + +class DescriptionResult(NamedTuple): + name: str + metadata: BaseModel | None + + +class RichParams(NamedTuple): + on_done: Callable[[], None] | None = None + progress: Progress | None = None + task_id: TaskID | None = None + + +def _merge_results(metadata: dict[str, Any], results: list[DescriptionResult]) -> None: + for result in results: + if result.metadata is not None: + metadata[result.name] = result.metadata.model_dump(mode="json") + + +def _create_notifier(rich_params: RichParams) -> Callable[[], None]: + """Create a notifier function to handle progress and callbacks. + + Args: + rich_params: Progress and callback parameters. + + Returns: + Callable[[], None]: A function that advances progress and calls the callback. + + """ + + def notify() -> None: + if rich_params.on_done: + rich_params.on_done() + if rich_params.progress and rich_params.task_id: + rich_params.progress.advance(rich_params.task_id) + + return notify + + +@contextlib.asynccontextmanager +async def _maybe_use_semaphore(sem: asyncio.Semaphore | None) -> AsyncIterator[None]: + """Context manager to optionally use a semaphore. + + Args: + sem: The semaphore to use, or None. + + Yields: + None + + """ + if sem: + async with sem: + yield + else: + yield + + +class DescribeBase(abc.ABC, Generic[T_Metadata]): + def __init__( + self, + integration_name: str, + resource_names: set[str], + *, + src: pathlib.Path | None = None, + dst: pathlib.Path | None = None, + override: bool = False, + ) -> None: + self.integration_name: str = integration_name + self.src: pathlib.Path | None = src + self.integration: anyio.Path = paths.get_integration_path(integration_name, src=src) + self.resource_names: set[str] = resource_names + self.override: bool = override + self.dst: pathlib.Path | None = dst + + @property + @abc.abstractmethod + def metadata_file_name(self) -> str: + """The name of the metadata file.""" + raise NotImplementedError + + @property + @abc.abstractmethod + def resource_type_name(self) -> str: + """The name of the resource type (e.g., 'action', 'integration').""" + raise NotImplementedError + + @property + @abc.abstractmethod + def response_schema(self) -> type[T_Metadata]: + """The schema for the LLM response.""" + raise NotImplementedError + + @abc.abstractmethod + async def _get_all_resources(self, status: IntegrationStatus) -> set[str]: + """Get all resources of the given type in the integration.""" + raise NotImplementedError + + @abc.abstractmethod + async def _construct_prompts( + self, resources: list[str], status: IntegrationStatus + ) -> list[str]: + """Construct prompts for the given resources.""" + raise NotImplementedError + + async def describe( + self, + sem: asyncio.Semaphore | None = None, + on_done: Callable[[], None] | None = None, + progress: Progress | None = None, + ) -> None: + """Describe resources in a given integration. + + Args: + sem: Optional semaphore to limit concurrent Gemini requests. + on_done: An optional callback is called when a resource is finished. + progress: An optional Progress object to use for progress reporting. + + """ + metadata, status = await asyncio.gather( + self._load_metadata(), self._get_integration_status() + ) + + resources_to_process: set[str] = await self._prepare_resources(status, metadata) + if not resources_to_process: + if not self.resource_names: + await self._save_metadata(metadata) + else: + logger.info( + "All %ss in %s already have descriptions. Skipping.", + self.resource_type_name, + self.integration_name, + ) + return + + if len(resources_to_process) == 1: + logger.info( + "Describing %s %s for %s", + self.resource_type_name, + next(iter(resources_to_process)), + self.integration_name, + ) + else: + logger.info( + "Describing %d %ss for %s", + len(resources_to_process), + self.resource_type_name, + self.integration_name, + ) + + results: list[DescriptionResult] = await self._execute_descriptions( + resources_to_process, status, sem, on_done, progress + ) + + _merge_results(metadata, results) + await self._save_metadata(metadata) + + async def get_resources_count(self) -> int: + """Get the number of resources in the integration. + + Returns: + int: The number of resources. + + """ + status, metadata = await asyncio.gather( + self._get_integration_status(), self._load_metadata() + ) + resources: set[str] = await self._prepare_resources(status, metadata) + return len(resources) + + async def _prepare_resources( + self, status: IntegrationStatus, metadata: dict[str, Any] + ) -> set[str]: + if not self.resource_names: + self.resource_names = await self._get_all_resources(status) + + if not self.override: + resources_to_process: set[str] = { + res for res in self.resource_names if res not in metadata + } + skipped_count: int = len(self.resource_names) - len(resources_to_process) + if skipped_count > 0: + if skipped_count == 1: + logger.info( + "Skipping 1 %s that already has a description in %s", + self.resource_type_name, + self.integration_name, + ) + else: + logger.info( + "Skipping %d %ss that already have a description in %s", + skipped_count, + self.resource_type_name, + self.integration_name, + ) + return resources_to_process + + return self.resource_names + + async def _execute_descriptions( + self, + resources: set[str], + status: IntegrationStatus, + sem: asyncio.Semaphore | None = None, + on_done: Callable[[], None] | None = None, + progress: Progress | None = None, + ) -> list[DescriptionResult]: + resource_list = list(resources) + bulks = [ + resource_list[i : i + llm.DESCRIBE_BULK_SIZE] + for i in range(0, len(resource_list), llm.DESCRIBE_BULK_SIZE) + ] + + if len(resources) == 1: + description = ( + f"Describing {self.resource_type_name} {next(iter(resources))} for" + f" {self.integration_name}..." + ) + else: + description = f"Describing {self.resource_type_name}s for {self.integration_name}..." + + results: list[DescriptionResult] = [] + + if progress: + task_id: TaskID = progress.add_task(description, total=len(resources)) + rich_params = RichParams(on_done, progress, task_id) + tasks: list[asyncio.Task] = [ + asyncio.create_task(self._process_bulk_resources(bulk, status, sem, rich_params)) + for bulk in bulks + ] + for coro in asyncio.as_completed(tasks): + results.extend(await coro) + + progress.remove_task(task_id) + + else: + rich_params = RichParams(on_done) + tasks: list[asyncio.Task] = [ + asyncio.create_task(self._process_bulk_resources(bulk, status, sem, rich_params)) + for bulk in bulks + ] + results.extend([ + res + for bulk_res in track( + asyncio.as_completed(tasks), + description=description, + total=len(bulks), + ) + for res in await bulk_res + ]) + + return results + + async def _process_bulk_resources( + self, + resources: list[str], + status: IntegrationStatus, + sem: asyncio.Semaphore | None = None, + rich_params: RichParams | None = None, + ) -> list[DescriptionResult]: + if rich_params is None: + rich_params = RichParams() + + notify_done: Callable[[], None] = _create_notifier(rich_params) + try: + async with _maybe_use_semaphore(sem): + return await self._describe_resources_bulk_with_error_handling( + resources, status, notify_done + ) + + except Exception: + logger.exception( + "Failed to process bulk of %ss: %s", self.resource_type_name, resources + ) + for _ in resources: + notify_done() + + return [DescriptionResult(a, None) for a in resources] + + async def _describe_resources_bulk_with_error_handling( + self, + resources: list[str], + status: IntegrationStatus, + notify_done: Callable[[], None], + ) -> list[DescriptionResult]: + try: + results: list[DescriptionResult] = await self.describe_bulk(resources, status) + except Exception: + logger.exception("Failed to describe %ss bulk %s", self.resource_type_name, resources) + results: list[DescriptionResult] = [DescriptionResult(a, None) for a in resources] + + for _ in resources: + notify_done() + + return results + + async def describe_bulk( + self, + resources: list[str], + status: IntegrationStatus, + ) -> list[DescriptionResult]: + """Describe multiple resources of a given integration in bulk. + + Args: + resources: The names of the resources to describe. + status: The status of the integration. + + Returns: + list[DescriptionResult]: The descriptions of the resources. + + """ + prompts: list[str] = await self._construct_prompts(resources, status) + valid_indices: list[int] = [i for i, prompt in enumerate(prompts) if prompt] + + valid_prompts: list[str] = [prompts[i] for i in valid_indices] + if not valid_prompts: + return [DescriptionResult(a, None) for a in resources] + + llm_results: list[T_Metadata | str] = await llm.call_gemini_bulk( + valid_prompts, self.response_schema + ) + + return self._map_bulk_results_to_resources(resources, valid_indices, llm_results) + + def _map_bulk_results_to_resources( + self, + resources: list[str], + valid_indices: list[int], + results: list[T_Metadata | str], + ) -> list[DescriptionResult]: + """Map Gemini results back to resource names. + + Args: + resources: Original list of resource names. + valid_indices: Indices of resources that had valid prompts. + results: Results from Gemini for those valid prompts. + + Returns: + list[DescriptionResult]: The mapped results. + + """ + final_results: list[DescriptionResult] = [DescriptionResult(a, None) for a in resources] + + for i, result in zip(valid_indices, results, strict=True): + resource_name: str = resources[i] + if isinstance(result, str): + logger.error( + "Failed to describe %s %s: %s", self.resource_type_name, resource_name, result + ) + continue + + # Special case for Ping action as in DescribeAction + if ( + self.resource_type_name == "action" + and resource_name.casefold() == "Ping".casefold() + and hasattr(result, "categories") + ): + result.categories.enrichment = False + + final_results[i] = DescriptionResult(resource_name, result) + + return final_results + + async def _get_integration_status(self) -> IntegrationStatus: + out_path: anyio.Path = paths.get_out_path(self.integration_name, src=self.src) + is_built: bool = await out_path.exists() + + # If it's not built in the out directory, check if the integration itself is built + if not is_built: + def_file: anyio.Path = self.integration / constants.INTEGRATION_DEF_FILE.format( + self.integration_name + ) + if await def_file.exists(): + is_built = True + out_path = self.integration + + return IntegrationStatus(is_built=is_built, out_path=out_path) + + async def _load_metadata(self) -> dict[str, Any]: + resource_ai_dir: anyio.Path = self.integration / constants.RESOURCES_DIR / constants.AI_DIR + metadata_file: anyio.Path = resource_ai_dir / self.metadata_file_name + metadata: dict[str, Any] = {} + + if await metadata_file.exists(): + content: str = await metadata_file.read_text() + with contextlib.suppress(yaml.YAMLError): + metadata = yaml.safe_load(content) or {} + + if self.dst: + dst_file: anyio.Path = anyio.Path(self.dst) / self.metadata_file_name + if await dst_file.exists(): + content: str = await dst_file.read_text() + with contextlib.suppress(yaml.YAMLError): + dst_metadata = yaml.safe_load(content) or {} + + metadata.update(dst_metadata) + + return metadata + + async def _save_metadata(self, metadata: dict[str, Any]) -> None: + if self.dst: + save_dir: anyio.Path = anyio.Path(self.dst) + else: + save_dir: anyio.Path = self.integration / constants.RESOURCES_DIR / constants.AI_DIR + + await save_dir.mkdir(parents=True, exist_ok=True) + metadata_file: anyio.Path = save_dir / self.metadata_file_name + yaml.add_representer(str, folded_string_representer, Dumper=yaml.SafeDumper) + await metadata_file.write_text(yaml.safe_dump(metadata)) diff --git a/packages/mp/src/mp/describe/common/describe_all.py b/packages/mp/src/mp/describe/common/describe_all.py new file mode 100644 index 000000000..cb0228312 --- /dev/null +++ b/packages/mp/src/mp/describe/common/describe_all.py @@ -0,0 +1,194 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import annotations + +import abc +import asyncio +import collections +import logging +from typing import TYPE_CHECKING, NamedTuple + +from rich.progress import ( + BarColumn, + Progress, + SpinnerColumn, + TaskID, + TextColumn, + TimeRemainingColumn, +) + +import mp.core.config +from mp.core.custom_types import RepositoryType +from mp.core.file_utils import get_integration_base_folders_paths, get_integrations_from_paths + +if TYPE_CHECKING: + from pathlib import Path + + from .describe import DescribeBase + +logger: logging.Logger = logging.getLogger(__name__) +MAX_ACTIVE_INTEGRATIONS: int = 3 +MAX_ACTIVE_TASKS: int = 3 + + +class IntegrationTask(NamedTuple): + task: asyncio.Task[None] + integration_name: str + initial_resource_count: int + + +class MarketplaceOrchestratorBase(abc.ABC): + def __init__( + self, + src: Path | None, + integrations_paths: list[Path], + *, + dst: Path | None = None, + override: bool = False, + ) -> None: + self.src: Path | None = src + self.dst: Path | None = dst + self.integrations_paths: list[Path] = integrations_paths + self.concurrency: int = mp.core.config.get_gemini_concurrency() + self.sem: asyncio.Semaphore = asyncio.Semaphore(self.concurrency) + self.max_active_integrations: int = max(MAX_ACTIVE_INTEGRATIONS, self.concurrency) + self.override: bool = override + + self.pending_paths: collections.deque[Path] = collections.deque(integrations_paths) + self.active_tasks: set[IntegrationTask] = set() + self.resources_in_flight: int = 0 + + def _on_resource_done(self) -> None: + self.resources_in_flight -= 1 + + def _can_start_more(self) -> bool: + """Check if we have capacity and space in UI to start new integrations. + + Returns: + bool: True if we can start more integrations, False otherwise. + + """ + return bool( + self.pending_paths + and ( + self.resources_in_flight < self.concurrency + or len(self.active_tasks) < MAX_ACTIVE_TASKS + ) + and len(self.active_tasks) < self.max_active_integrations + ) + + @abc.abstractmethod + def _create_describer(self, integration_name: str) -> DescribeBase: + """Create a describer for the given integration.""" + raise NotImplementedError + + async def _start_next_integration(self, progress: Progress) -> None: + """Start describing the next integration in the queue.""" + path: Path = self.pending_paths.popleft() + describer: DescribeBase = self._create_describer(path.name) + + # Pre-discover resource count to decide if we should start more + count: int = await describer.get_resources_count() + self.resources_in_flight += count + + task: asyncio.Task[None] = asyncio.create_task( + describer.describe(sem=self.sem, on_done=self._on_resource_done, progress=progress) + ) + self.active_tasks.add( + IntegrationTask( + task=task, + integration_name=path.name, + initial_resource_count=count, + ) + ) + + async def _wait_for_tasks(self) -> set[IntegrationTask]: + """Wait for at least one active task to complete and return done tasks. + + Returns: + set[IntegrationTask]: Set of completed tasks. + + """ + if not self.active_tasks: + return set() + + done_tasks, pending_tasks = await asyncio.wait( + {it.task for it in self.active_tasks}, return_when=asyncio.FIRST_COMPLETED + ) + + done_integration_tasks: set[IntegrationTask] = { + it for it in self.active_tasks if it.task in done_tasks + } + self.active_tasks: set[IntegrationTask] = { + it for it in self.active_tasks if it.task in pending_tasks + } + + return done_integration_tasks + + async def run(self) -> None: + """Run the orchestration loop.""" + with Progress( + SpinnerColumn(), + TextColumn("[progress.description]{task.description}"), + BarColumn(), + TextColumn("[progress.percentage]{task.percentage:>3.0f}%"), + TimeRemainingColumn(), + ) as progress: + main_task: TaskID = progress.add_task( + description="Describing integrations...", + total=len(self.integrations_paths), + ) + + while self.pending_paths or self.active_tasks: + while self._can_start_more(): + await self._start_next_integration(progress) + + if not self.active_tasks: + break + + done_integration_tasks: set[IntegrationTask] = await self._wait_for_tasks() + for it in done_integration_tasks: + progress.advance(main_task) + try: + await it.task + except Exception: + logger.exception( + "Failed to describe integration %s", + it.integration_name, + ) + + +def get_all_integrations_paths(src: Path | None = None) -> list[Path]: + """Get all integrations paths from the marketplace or a custom source. + + Args: + src: Optional custom source path. + + Returns: + list[Path]: The paths to the integrations. + + """ + if src: + return sorted(get_integrations_from_paths(src)) if src.exists() else [] + + base_paths: list[Path] = [] + for repo_type in [ + RepositoryType.COMMERCIAL, + RepositoryType.THIRD_PARTY, + RepositoryType.CUSTOM, + ]: + base_paths.extend(get_integration_base_folders_paths(repo_type.value)) + + return sorted(get_integrations_from_paths(*base_paths)) diff --git a/packages/mp/src/mp/describe/common/prompt_constructors/__init__.py b/packages/mp/src/mp/describe/common/prompt_constructors/__init__.py new file mode 100644 index 000000000..58d482ea3 --- /dev/null +++ b/packages/mp/src/mp/describe/common/prompt_constructors/__init__.py @@ -0,0 +1,13 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. diff --git a/packages/mp/src/mp/describe/common/prompt_constructors/prompt_constructor.py b/packages/mp/src/mp/describe/common/prompt_constructors/prompt_constructor.py new file mode 100644 index 000000000..45afe38fb --- /dev/null +++ b/packages/mp/src/mp/describe/common/prompt_constructors/prompt_constructor.py @@ -0,0 +1,68 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import annotations + +import abc +from typing import TYPE_CHECKING + +if TYPE_CHECKING: + from string import Template + + import anyio + + +class PromptConstructor(abc.ABC): + __slots__: tuple[str, ...] = ( + "integration", + "integration_name", + "out_path", + ) + + def __init__( + self, + integration: anyio.Path, + integration_name: str, + out_path: anyio.Path, + ) -> None: + self.integration: anyio.Path = integration + self.integration_name: str = integration_name + self.out_path: anyio.Path = out_path + + @staticmethod + @abc.abstractmethod + async def get_task_prompt() -> Template: + """Get the task prompt. + + Returns: + Template: The task prompt. + + """ + raise NotImplementedError + + @abc.abstractmethod + async def construct(self) -> str: + """Construct a prompt for generating AI descriptions. + + Returns: + str: The constructed prompt. + + """ + raise NotImplementedError + + @property + async def task_prompt(self) -> Template: + """Get the task prompt (compatibility property).""" + # Compatibility property + return await self.get_task_prompt() diff --git a/packages/mp/src/mp/describe/common/prompts/system.md b/packages/mp/src/mp/describe/common/prompts/system.md new file mode 100644 index 000000000..57bfceec9 --- /dev/null +++ b/packages/mp/src/mp/describe/common/prompts/system.md @@ -0,0 +1,30 @@ +**Role:** +You are a Technical Architect and expert in Security Orchestration, Automation, and Response (SOAR) integrations. Your specific expertise lies in analyzing Google SecOps (Chronicle) integration code written in Python. + +**Objective:** +Your goal is to analyze integration code (Python) and its configuration (JSON) to produce a structured JSON capability summary. This summary helps autonomous agents understand the purpose, capabilities, and side effects of the code. + +**Resource Usage Strategy:** +You will be provided with Python code, JSON configurations, and access to library documentation. Use them as follows: + +1. **Python Script (`.py`):** Use this to determine the *logic + flow*, identifying which external API calls are made and what SDK methods (e.g., + `SiemplifyAction`, `TIPCommon`) are utilized. +2. **Configuration File (`.json`):** Use this to identify input parameters, default values, and the + *Entity Scopes* (e.g., IP, HASH) the action supports. +3. **SDK/Library Docs: + ** Use provided documentation links to interpret specific method calls (e.g., distinguishing between + `add_entity_insight` vs `add_result_json` vs `update_entities`). + +**Analysis Guidelines:** + +1. **Primary Purpose (Description):** Write a concise but detailed paragraph explaining + *what* the code does. Focus on the business value (e.g., "Enriches reputation," "Blocks traffic," "Parses email"). Mention specific external services interacting with and specific data points retrieved. +2. **Capability Flags:** You must accurately determine boolean flags (e.g., `fetches_data`, + `can_mutate_external_data`). + * *Enrichment* implies fetching data without changing the external system state. + * *Mutation* implies changing state (e.g., blocking an IP, resetting a password). + * *Internal Mutation* refers to changing the SOAR case data (entities, case wall, insights). + +**Output Format:** +Return **strictly** a valid JSON object matching the provided schema. Do not include Markdown code blocks or conversational text. diff --git a/packages/mp/src/mp/describe/common/utils/__init__.py b/packages/mp/src/mp/describe/common/utils/__init__.py new file mode 100644 index 000000000..58d482ea3 --- /dev/null +++ b/packages/mp/src/mp/describe/common/utils/__init__.py @@ -0,0 +1,13 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. diff --git a/packages/mp/src/mp/describe/action/utils/llm.py b/packages/mp/src/mp/describe/common/utils/llm.py similarity index 84% rename from packages/mp/src/mp/describe/action/utils/llm.py rename to packages/mp/src/mp/describe/common/utils/llm.py index b715c23a7..f3a92152b 100644 --- a/packages/mp/src/mp/describe/action/utils/llm.py +++ b/packages/mp/src/mp/describe/common/utils/llm.py @@ -18,8 +18,8 @@ from typing import TYPE_CHECKING, TypeVar import anyio +from pydantic import BaseModel -from mp.core.data_models.integrations.action.ai.metadata import ActionAiMetadata from mp.core.llm.gemini import Gemini, GeminiConfig if TYPE_CHECKING: @@ -31,23 +31,26 @@ GEMINI_TEMPERATURE: float = 0.1 DESCRIBE_BULK_SIZE: int = 4 -T_Schema = TypeVar("T_Schema") +T_Schema = TypeVar("T_Schema", bound=BaseModel) -async def call_gemini_bulk(prompts: list[str]) -> list[ActionAiMetadata | str]: +async def call_gemini_bulk( + prompts: list[str], response_json_schema: type[T_Schema] +) -> list[T_Schema | str]: """Call Gemini to describe multiple prompts in bulk. Args: prompts: The prompts to send. + response_json_schema: The schema for the response. Returns: - list[ActionAiMetadata | str]: The responses from Gemini. + list[T_Schema | str]: The responses from Gemini. """ async with create_llm_session() as gemini: return await gemini.send_bulk_messages( prompts, - response_json_schema=ActionAiMetadata, + response_json_schema=response_json_schema, ) diff --git a/packages/mp/src/mp/describe/action/utils/paths.py b/packages/mp/src/mp/describe/common/utils/paths.py similarity index 86% rename from packages/mp/src/mp/describe/action/utils/paths.py rename to packages/mp/src/mp/describe/common/utils/paths.py index d3efa5194..e1364a5e3 100644 --- a/packages/mp/src/mp/describe/action/utils/paths.py +++ b/packages/mp/src/mp/describe/common/utils/paths.py @@ -15,7 +15,7 @@ from __future__ import annotations import logging -from typing import TYPE_CHECKING +import pathlib import anyio import typer @@ -24,11 +24,9 @@ from mp.core.file_utils import ( create_or_get_out_integrations_dir, get_integration_base_folders_paths, + is_integration, ) -if TYPE_CHECKING: - import pathlib - logger: logging.Logger = logging.getLogger(__name__) @@ -57,12 +55,20 @@ def _get_source_integration_path(name: str, src: pathlib.Path) -> anyio.Path: def _get_marketplace_integration_path(name: str) -> anyio.Path: + # First, check if name is a direct path to an integration + if (p := pathlib.Path(name)).exists() and is_integration(p): + return anyio.Path(p) + base_paths: list[pathlib.Path] = [] - for repo_type in [RepositoryType.COMMERCIAL, RepositoryType.THIRD_PARTY]: + for repo_type in [ + RepositoryType.COMMERCIAL, + RepositoryType.THIRD_PARTY, + RepositoryType.CUSTOM, + ]: base_paths.extend(get_integration_base_folders_paths(repo_type.value)) for path in base_paths: - if (p := path / name).exists(): + if (p := path / name).exists() and is_integration(p): return anyio.Path(p) logger.error("Integration '%s' not found in marketplace", name) diff --git a/packages/mp/src/mp/describe/integration/__init__.py b/packages/mp/src/mp/describe/integration/__init__.py index 0a2669d7a..58d482ea3 100644 --- a/packages/mp/src/mp/describe/integration/__init__.py +++ b/packages/mp/src/mp/describe/integration/__init__.py @@ -1,4 +1,4 @@ -# Copyright 2025 Google LLC +# Copyright 2026 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/packages/mp/src/mp/describe/integration/describe.py b/packages/mp/src/mp/describe/integration/describe.py new file mode 100644 index 000000000..ebcf5af06 --- /dev/null +++ b/packages/mp/src/mp/describe/integration/describe.py @@ -0,0 +1,124 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import annotations + +import contextlib +import logging +from typing import TYPE_CHECKING, Any + +import anyio +import yaml + +from mp.core import constants +from mp.core.data_models.integrations.integration_meta.ai.metadata import IntegrationAiMetadata +from mp.core.utils import folded_string_representer +from mp.describe.common.describe import DescribeBase, IntegrationStatus + +from .prompt_constructors.integration import IntegrationPromptConstructor + +if TYPE_CHECKING: + import pathlib + + +logger: logging.Logger = logging.getLogger(__name__) + + +class DescribeIntegration(DescribeBase[IntegrationAiMetadata]): + def __init__( + self, + integration: str, + *, + src: pathlib.Path | None = None, + dst: pathlib.Path | None = None, + override: bool = False, + ) -> None: + super().__init__(integration, {integration}, src=src, dst=dst, override=override) + + @property + def metadata_file_name(self) -> str: + """Get the name of the metadata file.""" + return constants.INTEGRATIONS_AI_DESCRIPTION_FILE + + @property + def resource_type_name(self) -> str: + """Get the resource type name.""" + return "integration" + + @property + def response_schema(self) -> type[IntegrationAiMetadata]: + """Get the response schema.""" + return IntegrationAiMetadata + + async def _get_all_resources(self, status: IntegrationStatus) -> set[str]: + """Get all resources (only the integration itself). + + Args: + status: The status of the integration. + + Returns: + set[str]: The set of resource names. + + """ + del status # Unused + # There's only one integration to describe per integration folder. + return {self.integration_name} + + async def _construct_prompts( + self, resources: list[str], status: IntegrationStatus + ) -> list[str]: + # resources will be [self.integration_name] + prompts: list[str] = [] + for integration_name in resources: + constructor = IntegrationPromptConstructor( + self.integration, integration_name, status.out_path + ) + prompts.append(await constructor.construct()) + return prompts + + async def _load_metadata(self) -> dict[str, Any]: + resource_ai_dir: anyio.Path = self.integration / constants.RESOURCES_DIR / constants.AI_DIR + metadata_file: anyio.Path = resource_ai_dir / self.metadata_file_name + metadata: dict[str, Any] = {} + + if await metadata_file.exists(): + content: str = await metadata_file.read_text() + with contextlib.suppress(yaml.YAMLError): + # For integrations, the file is NOT keyed by integration name + if raw_metadata := yaml.safe_load(content) or {}: + metadata: dict[str, Any] = {self.integration_name: raw_metadata} + + if self.dst: + dst_file: anyio.Path = anyio.Path(self.dst) / self.metadata_file_name + if await dst_file.exists(): + content: str = await dst_file.read_text() + with contextlib.suppress(yaml.YAMLError): + if dst_raw_metadata := yaml.safe_load(content) or {}: + metadata.update({self.integration_name: dst_raw_metadata}) + + return metadata + + async def _save_metadata(self, metadata: dict[str, Any]) -> None: + if self.dst: + save_dir: anyio.Path = anyio.Path(self.dst) + else: + save_dir: anyio.Path = self.integration / constants.RESOURCES_DIR / constants.AI_DIR + + await save_dir.mkdir(parents=True, exist_ok=True) + metadata_file: anyio.Path = save_dir / self.metadata_file_name + yaml.add_representer(str, folded_string_representer, Dumper=yaml.SafeDumper) + + # For integrations, we don't want to key it by integration name in the file + if (integration_metadata := metadata.get(self.integration_name)) is not None: + await metadata_file.write_text(yaml.safe_dump(integration_metadata)) diff --git a/packages/mp/src/mp/describe/integration/describe_all.py b/packages/mp/src/mp/describe/integration/describe_all.py new file mode 100644 index 000000000..db75b1f3e --- /dev/null +++ b/packages/mp/src/mp/describe/integration/describe_all.py @@ -0,0 +1,46 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import annotations + +from typing import TYPE_CHECKING + +from mp.describe.common.describe_all import ( + MarketplaceOrchestratorBase, + get_all_integrations_paths, +) + +from .describe import DescribeIntegration + +if TYPE_CHECKING: + from pathlib import Path + + +async def describe_all_integrations( + src: Path | None = None, dst: Path | None = None, *, override: bool = False +) -> None: + """Describe all integrations in the marketplace.""" + integrations_paths: list[Path] = get_all_integrations_paths(src=src) + orchestrator = _MarketplaceOrchestrator(src, integrations_paths, dst=dst, override=override) + await orchestrator.run() + + +class _MarketplaceOrchestrator(MarketplaceOrchestratorBase): + def _create_describer(self, integration_name: str) -> DescribeIntegration: + return DescribeIntegration( + integration=integration_name, + src=self.src, + dst=self.dst, + override=self.override, + ) diff --git a/packages/mp/src/mp/describe/integration/prompt_constructors/__init__.py b/packages/mp/src/mp/describe/integration/prompt_constructors/__init__.py new file mode 100644 index 000000000..58d482ea3 --- /dev/null +++ b/packages/mp/src/mp/describe/integration/prompt_constructors/__init__.py @@ -0,0 +1,13 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. diff --git a/packages/mp/src/mp/describe/integration/prompt_constructors/integration.py b/packages/mp/src/mp/describe/integration/prompt_constructors/integration.py new file mode 100644 index 000000000..994aedd09 --- /dev/null +++ b/packages/mp/src/mp/describe/integration/prompt_constructors/integration.py @@ -0,0 +1,83 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import annotations + +import logging +from string import Template +from typing import TYPE_CHECKING + +import anyio +import yaml + +from mp.core import constants +from mp.describe.common.prompt_constructors.prompt_constructor import PromptConstructor + +if TYPE_CHECKING: + from mp.core.data_models.integrations.integration_meta.metadata import ( + NonBuiltIntegrationMetadata, + ) + +logger: logging.Logger = logging.getLogger(__name__) + + +class IntegrationPromptConstructor(PromptConstructor): + @staticmethod + async def get_task_prompt() -> Template: + """Get the task prompt. + + Returns: + Template: The task prompt. + + """ + prompt_file: anyio.Path = anyio.Path(__file__).parent.parent / "prompts" / "task.md" + return Template(await prompt_file.read_text(encoding="utf-8")) + + async def construct(self) -> str: + """Construct the prompt for integrations. + + Returns: + str: The constructed prompt. + + """ + template: Template = await self.get_task_prompt() + return template.safe_substitute({ + "integration_name": self.integration_name, + "integration_description": await self._get_integration_description(), + "actions_ai_descriptions": await self._get_actions_ai_descriptions(), + }) + + async def _get_integration_description(self) -> str: + # We need to read the integration description from its metadata file. + # It's usually in integration_name.yaml or integration_name.json + # But we can try to find it. + integration_def: anyio.Path = self.integration / constants.INTEGRATION_DEF_FILE.format( + self.integration_name + ) + if await integration_def.exists(): + content: str = await integration_def.read_text(encoding="utf-8") + try: + data: NonBuiltIntegrationMetadata = yaml.safe_load(content) + return data.get("description", "N/A") + except yaml.YAMLError: + logger.warning("Failed to parse integration metadata %s", integration_def) + + return "N/A" + + async def _get_actions_ai_descriptions(self) -> str: + ai_dir: anyio.Path = self.integration / constants.RESOURCES_DIR / constants.AI_DIR + actions_ai_file: anyio.Path = ai_dir / constants.ACTIONS_AI_DESCRIPTION_FILE + if await actions_ai_file.exists(): + return await actions_ai_file.read_text(encoding="utf-8") + return "N/A" diff --git a/packages/mp/src/mp/describe/integration/prompts/task.md b/packages/mp/src/mp/describe/integration/prompts/task.md new file mode 100644 index 000000000..b7bfab9d7 --- /dev/null +++ b/packages/mp/src/mp/describe/integration/prompts/task.md @@ -0,0 +1,24 @@ +**Input Data:** +I have provided the following information for a Google SecOps integration: + +1. `Integration Name`: The name of the integration. +2. `Integration Description`: The original description of the integration. +3. `Actions AI Descriptions`: A collection of AI-generated descriptions for all actions in this integration. + +**Instructions:** +Analyze the provided information and determine the product categories that best describe the integration's capabilities. + +**Current Task Input:** + +Integration Name: ${integration_name} +Integration Description: ${integration_description} + +Actions AI Descriptions: +${actions_ai_descriptions} + +**Final Instructions:** +Based on the input data, return an IntegrationAiMetadata object containing the product categories. +A category should be marked as true if the integration has capabilities that match its "When to Use" and "Expected Outcome" descriptions. +Many integrations will have multiple categories. +If no categories match, all should be false. +Provide your response in JSON format matching the IntegrationAiMetadata schema. diff --git a/packages/mp/src/mp/describe/integration/typer_app.py b/packages/mp/src/mp/describe/integration/typer_app.py new file mode 100644 index 000000000..c3930dbc2 --- /dev/null +++ b/packages/mp/src/mp/describe/integration/typer_app.py @@ -0,0 +1,113 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import annotations + +import asyncio +import pathlib # noqa: TC003 +from typing import Annotated + +import rich +import typer + +import mp.core.config + +from .describe import DescribeIntegration +from .describe_all import describe_all_integrations + +app = typer.Typer(help="Commands for describing integrations") + + +@app.command( + name="integration", + help="Describe integrations using Gemini.", + epilog=( + "Examples:\n\n" + " $ mp describe integration -i aws_ec2\n\n" + " $ mp describe integration --all\n\n" + " $ mp describe integration --all --src ./custom_folder\n\n" + ), + no_args_is_help=True, +) +def describe( # noqa: PLR0913 + integration: Annotated[str | None, typer.Argument(help="Integration name")] = None, + *, + all_marketplace: Annotated[ + bool, + typer.Option( + "-a", + "--all", + help="Describe all integrations in the marketplace", + ), + ] = False, + src: Annotated[ + pathlib.Path | None, + typer.Option(help="Customize source folder to describe from."), + ] = None, + dst: Annotated[ + pathlib.Path | None, + typer.Option(help="Customize destination folder to save the AI descriptions."), + ] = None, + quiet: Annotated[ + bool, + typer.Option( + "--quiet", + "-q", + help="Log less on runtime.", + ), + ] = False, + verbose: Annotated[ + bool, + typer.Option( + "--verbose", + "-v", + help="Log more on runtime.", + ), + ] = False, + override: Annotated[ + bool, + typer.Option( + "--override", + help="Rewrite integrations that already have their description.", + ), + ] = False, +) -> None: + """Describe integrations. + + Args: + integration: The name of the integration. + all_marketplace: Whether to describe all integrations in the marketplace. + src: Customize the source folder to describe from. + dst: Customize destination folder to save the AI descriptions. + quiet: Quiet log options. + verbose: Verbose log options. + override: Whether to rewrite existing descriptions. + + Raises: + typer.Exit: If neither --integration nor --all is specified. + + """ + run_params: mp.core.config.RuntimeParams = mp.core.config.RuntimeParams(quiet, verbose) + run_params.set_in_config() + + if integration: + sem: asyncio.Semaphore = asyncio.Semaphore(mp.core.config.get_gemini_concurrency()) + asyncio.run( + DescribeIntegration(integration, src=src, dst=dst, override=override).describe(sem=sem) + ) + elif all_marketplace: + asyncio.run(describe_all_integrations(src=src, dst=dst, override=override)) + else: + rich.print("[red]Please specify either --integration or --all[/red]") + raise typer.Exit(code=1) diff --git a/packages/mp/src/mp/describe/typer_app.py b/packages/mp/src/mp/describe/typer_app.py index 70e256dda..83545fa35 100644 --- a/packages/mp/src/mp/describe/typer_app.py +++ b/packages/mp/src/mp/describe/typer_app.py @@ -16,7 +16,9 @@ import typer from .action.typer_app import app as action_app +from .integration.typer_app import app as integration_app app: typer.Typer = typer.Typer(help="Commands for creating description for content using Gemini") app.add_typer(action_app) +app.add_typer(integration_app) diff --git a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/third_party/mock_integration/resources/ai/integrations_ai_description.yaml b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/third_party/mock_integration/resources/ai/integrations_ai_description.yaml new file mode 100644 index 000000000..b927e7b41 --- /dev/null +++ b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/third_party/mock_integration/resources/ai/integrations_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: true + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/packages/mp/tests/test_mp/test_path_discovery.py b/packages/mp/tests/test_mp/test_path_discovery.py new file mode 100644 index 000000000..2462d355f --- /dev/null +++ b/packages/mp/tests/test_mp/test_path_discovery.py @@ -0,0 +1,93 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import annotations + +import pathlib +from typing import TYPE_CHECKING + +import pytest + +from mp.describe.common.describe_all import get_all_integrations_paths +from mp.describe.common.utils import paths + +if TYPE_CHECKING: + from _pytest.monkeypatch import MonkeyPatch + + +@pytest.fixture +def mock_integration(tmp_path: pathlib.Path) -> pathlib.Path: + integration_path = tmp_path / "mock_integration" + integration_path.mkdir() + (integration_path / "pyproject.toml").write_text("[project]\nname = 'Mock Integration'") + return integration_path + + +def test_get_integration_path_by_direct_path(mock_integration: pathlib.Path) -> None: + # Test that we can find an integration by its direct path + path = paths.get_integration_path(str(mock_integration)) + assert pathlib.Path(str(path)) == mock_integration + + +def test_get_integration_path_by_relative_path( + mock_integration: pathlib.Path, monkeypatch: MonkeyPatch +) -> None: + # Test that we can find an integration by its relative path from CWD + monkeypatch.chdir(mock_integration.parent) + path = paths.get_integration_path("mock_integration") + assert pathlib.Path(str(path)).resolve() == mock_integration.resolve() + + +def test_get_integration_path_custom_repo(tmp_path: pathlib.Path, monkeypatch: MonkeyPatch) -> None: + # Test discovery in custom repo + marketplace = tmp_path / "marketplace" + content = marketplace / "content" / "response_integrations" + custom = content / "custom" + custom.mkdir(parents=True) + + integration = custom / "custom_int" + integration.mkdir() + (integration / "pyproject.toml").write_text("[project]\nname = 'Custom Int'") + + # Configure mp to use this marketplace + monkeypatch.setattr("mp.core.config.get_marketplace_path", lambda: marketplace) + + path = paths.get_integration_path("custom_int") + assert pathlib.Path(str(path)).resolve() == integration.resolve() + + +def test_get_all_integrations_paths_custom_repo( + tmp_path: pathlib.Path, monkeypatch: MonkeyPatch +) -> None: + # Test bulk discovery in custom repo + marketplace = tmp_path / "marketplace" + content = marketplace / "content" / "response_integrations" + custom = content / "custom" + custom.mkdir(parents=True) + + int1 = custom / "int1" + int1.mkdir() + (int1 / "pyproject.toml").write_text("[project]\nname = 'Int 1'") + + int2 = custom / "int2" + int2.mkdir() + (int2 / "pyproject.toml").write_text("[project]\nname = 'Int 2'") + + # Configure mp to use this marketplace + monkeypatch.setattr("mp.core.config.get_marketplace_path", lambda: marketplace) + + all_paths = get_all_integrations_paths() + assert len(all_paths) == 2 + assert int1.resolve() in [p.resolve() for p in all_paths] + assert int2.resolve() in [p.resolve() for p in all_paths] From 68125e4e8bb81ff0a8ca28b7406e547bfda6eb8e Mon Sep 17 00:00:00 2001 From: talshapir Date: Sun, 5 Apr 2026 16:31:50 +0300 Subject: [PATCH 09/26] Add mp describe integration command --- packages/mp/src/mp/config/typer_app.py | 17 ++++- packages/mp/src/mp/core/llm/gemini.py | 6 +- .../prompt_constructors/integration.py | 70 +++++++++++++++---- 3 files changed, 75 insertions(+), 18 deletions(-) diff --git a/packages/mp/src/mp/config/typer_app.py b/packages/mp/src/mp/config/typer_app.py index 483e10d49..286a74c51 100644 --- a/packages/mp/src/mp/config/typer_app.py +++ b/packages/mp/src/mp/config/typer_app.py @@ -14,6 +14,7 @@ from __future__ import annotations +import os import pathlib from typing import Annotated @@ -93,13 +94,25 @@ def config( n: int = mp.core.config.get_processes_number() c: int = mp.core.config.get_gemini_concurrency() k: str | None = mp.core.config.get_gemini_api_key() + env_k: str | None = os.environ.get("GEMINI_API_KEY") + + display_k: str = "N/A" if k: - k = f"{k[:4]}{'*' * (len(k) - 4)}" + display_k = f"{k[:4]}{'*' * (len(k) - 4)} (from config)" + if env_k and k != env_k: + display_k += ( + f"\n[yellow]Warning: GEMINI_API_KEY environment variable is also set " + f"({env_k[:4]}{'*' * (len(env_k) - 4)}), but the configuration above " + "takes priority.[/yellow]" + ) + elif env_k: + display_k = f"{env_k[:4]}{'*' * (len(env_k) - 4)} (from GEMINI_API_KEY env var)" + rich.print( f"Marketplace path: {p}\n" f"Number of processes: {n}\n" f"Gemini concurrency: {c}\n" - f"API Key: {k}" + f"API Key: {display_k}" ) diff --git a/packages/mp/src/mp/core/llm/gemini.py b/packages/mp/src/mp/core/llm/gemini.py index e41eb5e7e..c7e48e240 100644 --- a/packages/mp/src/mp/core/llm/gemini.py +++ b/packages/mp/src/mp/core/llm/gemini.py @@ -95,13 +95,13 @@ def api_key(self) -> str: ApiKeyNotFoundError: If the API key is not found. """ + if mp_api_key := mp.core.config.get_gemini_api_key(): + return mp_api_key + gemini_api_key: str | None = os.environ.get("GEMINI_API_KEY") if gemini_api_key: return gemini_api_key - if mp_api_key := mp.core.config.get_gemini_api_key(): - return mp_api_key - msg: str = ( "Could not find a saved Gemini API key in the configuration. " "Please configure it using 'mp config --gemini-api-key ' or" diff --git a/packages/mp/src/mp/describe/integration/prompt_constructors/integration.py b/packages/mp/src/mp/describe/integration/prompt_constructors/integration.py index 994aedd09..f1ae07eed 100644 --- a/packages/mp/src/mp/describe/integration/prompt_constructors/integration.py +++ b/packages/mp/src/mp/describe/integration/prompt_constructors/integration.py @@ -14,9 +14,10 @@ from __future__ import annotations +import contextlib import logging from string import Template -from typing import TYPE_CHECKING +from typing import TYPE_CHECKING, Any import anyio import yaml @@ -59,21 +60,64 @@ async def construct(self) -> str: }) async def _get_integration_description(self) -> str: - # We need to read the integration description from its metadata file. - # It's usually in integration_name.yaml or integration_name.json - # But we can try to find it. + # Try to find the description in various metadata files. + # Order: .def file (built), definition.yaml (source), pyproject.toml (source) + + # 1. Check for built integration metadata (.def file) + if desc := await self._get_description_from_def(): + return desc + + # 2. Check for source integration metadata (definition.yaml) + if desc := await self._get_description_from_definition(): + return desc + + # 3. Check for pyproject.toml (standard PEP 621) + if desc := await self._get_description_from_pyproject(): + return desc + + return "N/A" + + async def _get_description_from_def(self) -> str | None: integration_def: anyio.Path = self.integration / constants.INTEGRATION_DEF_FILE.format( self.integration_name ) - if await integration_def.exists(): - content: str = await integration_def.read_text(encoding="utf-8") - try: - data: NonBuiltIntegrationMetadata = yaml.safe_load(content) - return data.get("description", "N/A") - except yaml.YAMLError: - logger.warning("Failed to parse integration metadata %s", integration_def) - - return "N/A" + if not await integration_def.exists(): + return None + + content: str = await integration_def.read_text(encoding="utf-8") + with contextlib.suppress(yaml.YAMLError): + data: NonBuiltIntegrationMetadata = yaml.safe_load(content) + return data.get("description") + + logger.warning("Failed to parse integration metadata %s", integration_def) + return None + + async def _get_description_from_definition(self) -> str | None: + definition_file: anyio.Path = self.integration / constants.DEFINITION_FILE + if not await definition_file.exists(): + return None + + content: str = await definition_file.read_text(encoding="utf-8") + with contextlib.suppress(yaml.YAMLError): + data: NonBuiltIntegrationMetadata = yaml.safe_load(content) + return data.get("description") + + logger.warning("Failed to parse definition file %s", definition_file) + return None + + async def _get_description_from_pyproject(self) -> str | None: + pyproject_file: anyio.Path = self.integration / constants.PROJECT_FILE + if not await pyproject_file.exists(): + return None + + content: str = await pyproject_file.read_text(encoding="utf-8") + with contextlib.suppress(yaml.YAMLError): + data: dict[str, Any] = yaml.safe_load(content) + if project_data := data.get("project"): + return project_data.get("description") + + logger.warning("Failed to parse pyproject file %s", pyproject_file) + return None async def _get_actions_ai_descriptions(self) -> str: ai_dir: anyio.Path = self.integration / constants.RESOURCES_DIR / constants.AI_DIR From cbff3408a7a7950109c59b2b99a394c52d89e106 Mon Sep 17 00:00:00 2001 From: talshapir Date: Sun, 5 Apr 2026 17:23:09 +0300 Subject: [PATCH 10/26] add mp describe connector and job commands to enhance the integration description. Add a general describe command that describes all the content of an integration --- packages/mp/docs/commands/describe.md | 94 ++++++++--- .../restructure/integrations/deconstruct.py | 7 + .../restructure/integrations/metadata.py | 16 +- packages/mp/src/mp/core/constants.py | 10 +- .../integrations/connector/ai/__init__.py | 13 ++ .../integrations/connector/ai/metadata.py | 39 +++++ .../data_models/integrations/integration.py | 27 +++- .../integrations/job/ai/__init__.py | 13 ++ .../integrations/job/ai/metadata.py | 39 +++++ .../file_utils/integrations/file_utils.py | 51 ++++++ packages/mp/src/mp/describe/__init__.py | 12 +- .../src/mp/describe/action/prompts/system.md | 30 ---- .../mp/src/mp/describe/action/typer_app.py | 1 + packages/mp/src/mp/describe/all_content.py | 62 ++++++++ .../mp/src/mp/describe/common/describe.py | 16 +- .../mp/src/mp/describe/common/describe_all.py | 16 +- .../common/prompt_constructors/resource.py | 65 ++++++++ .../src/mp/describe/common/prompts/system.md | 24 ++- .../mp/src/mp/describe/common/utils/paths.py | 27 +--- .../mp/src/mp/describe/connector/__init__.py | 13 ++ .../mp/src/mp/describe/connector/describe.py | 144 +++++++++++++++++ .../src/mp/describe/connector/describe_all.py | 47 ++++++ .../connector/prompt_constructors/__init__.py | 13 ++ .../connector/prompt_constructors/built.py | 84 ++++++++++ .../prompt_constructors/connector.py | 37 +++++ .../connector/prompt_constructors/source.py | 84 ++++++++++ .../src/mp/describe/connector/prompts/task.md | 61 ++++++++ .../mp/src/mp/describe/connector/typer_app.py | 127 +++++++++++++++ .../src/mp/describe/integration/describe.py | 14 +- .../prompt_constructors/integration.py | 21 ++- .../mp/describe/integration/prompts/task.md | 9 ++ .../src/mp/describe/integration/typer_app.py | 22 +-- packages/mp/src/mp/describe/job/__init__.py | 13 ++ packages/mp/src/mp/describe/job/describe.py | 144 +++++++++++++++++ .../mp/src/mp/describe/job/describe_all.py | 47 ++++++ .../job/prompt_constructors/__init__.py | 13 ++ .../describe/job/prompt_constructors/built.py | 84 ++++++++++ .../describe/job/prompt_constructors/job.py | 37 +++++ .../job/prompt_constructors/source.py | 84 ++++++++++ .../mp/src/mp/describe/job/prompts/task.md | 61 ++++++++ packages/mp/src/mp/describe/job/typer_app.py | 127 +++++++++++++++ packages/mp/src/mp/describe/typer_app.py | 61 ++++++++ .../resources/ai/actions_ai_description.yaml | 13 ++ .../ai/connectors_ai_description.yaml | 10 ++ .../ai/integration_ai_description.yaml | 12 ++ .../resources/ai/jobs_ai_description.yaml | 10 ++ .../resources/ai/actions_ai_description.yaml | 13 ++ .../ai/connectors_ai_description.yaml | 10 ++ .../ai/integration_ai_description.yaml | 12 ++ .../resources/ai/jobs_ai_description.yaml | 10 ++ .../resources/ai/actions_ai_description.yaml | 13 ++ .../ai/connectors_ai_description.yaml | 10 ++ ...n.yaml => integration_ai_description.yaml} | 0 .../resources/ai/jobs_ai_description.yaml | 10 ++ packages/mp/tests/test_mp/test_all_content.py | 109 +++++++++++++ .../test_integrations_file_utils.py | 1 + .../mp/tests/test_mp/test_describe_cli.py | 106 +++++++++++++ .../tests/test_mp/test_describe_resources.py | 148 ++++++++++++++++++ .../test_utils/test_minor_version_bump.py | 16 +- 59 files changed, 2288 insertions(+), 124 deletions(-) create mode 100644 packages/mp/src/mp/core/data_models/integrations/connector/ai/__init__.py create mode 100644 packages/mp/src/mp/core/data_models/integrations/connector/ai/metadata.py create mode 100644 packages/mp/src/mp/core/data_models/integrations/job/ai/__init__.py create mode 100644 packages/mp/src/mp/core/data_models/integrations/job/ai/metadata.py delete mode 100644 packages/mp/src/mp/describe/action/prompts/system.md create mode 100644 packages/mp/src/mp/describe/all_content.py create mode 100644 packages/mp/src/mp/describe/common/prompt_constructors/resource.py create mode 100644 packages/mp/src/mp/describe/connector/__init__.py create mode 100644 packages/mp/src/mp/describe/connector/describe.py create mode 100644 packages/mp/src/mp/describe/connector/describe_all.py create mode 100644 packages/mp/src/mp/describe/connector/prompt_constructors/__init__.py create mode 100644 packages/mp/src/mp/describe/connector/prompt_constructors/built.py create mode 100644 packages/mp/src/mp/describe/connector/prompt_constructors/connector.py create mode 100644 packages/mp/src/mp/describe/connector/prompt_constructors/source.py create mode 100644 packages/mp/src/mp/describe/connector/prompts/task.md create mode 100644 packages/mp/src/mp/describe/connector/typer_app.py create mode 100644 packages/mp/src/mp/describe/job/__init__.py create mode 100644 packages/mp/src/mp/describe/job/describe.py create mode 100644 packages/mp/src/mp/describe/job/describe_all.py create mode 100644 packages/mp/src/mp/describe/job/prompt_constructors/__init__.py create mode 100644 packages/mp/src/mp/describe/job/prompt_constructors/built.py create mode 100644 packages/mp/src/mp/describe/job/prompt_constructors/job.py create mode 100644 packages/mp/src/mp/describe/job/prompt_constructors/source.py create mode 100644 packages/mp/src/mp/describe/job/prompts/task.md create mode 100644 packages/mp/src/mp/describe/job/typer_app.py create mode 100644 packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/resources/ai/actions_ai_description.yaml create mode 100644 packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/resources/ai/connectors_ai_description.yaml create mode 100644 packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/resources/ai/integration_ai_description.yaml create mode 100644 packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/resources/ai/jobs_ai_description.yaml create mode 100644 packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/resources/ai/actions_ai_description.yaml create mode 100644 packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/resources/ai/connectors_ai_description.yaml create mode 100644 packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/resources/ai/integration_ai_description.yaml create mode 100644 packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/resources/ai/jobs_ai_description.yaml create mode 100644 packages/mp/tests/test_mp/mock_content_hub/response_integrations/third_party/mock_integration/resources/ai/actions_ai_description.yaml create mode 100644 packages/mp/tests/test_mp/mock_content_hub/response_integrations/third_party/mock_integration/resources/ai/connectors_ai_description.yaml rename packages/mp/tests/test_mp/mock_content_hub/response_integrations/third_party/mock_integration/resources/ai/{integrations_ai_description.yaml => integration_ai_description.yaml} (100%) create mode 100644 packages/mp/tests/test_mp/mock_content_hub/response_integrations/third_party/mock_integration/resources/ai/jobs_ai_description.yaml create mode 100644 packages/mp/tests/test_mp/test_all_content.py create mode 100644 packages/mp/tests/test_mp/test_describe_cli.py create mode 100644 packages/mp/tests/test_mp/test_describe_resources.py diff --git a/packages/mp/docs/commands/describe.md b/packages/mp/docs/commands/describe.md index bd1d064d6..471e64f63 100644 --- a/packages/mp/docs/commands/describe.md +++ b/packages/mp/docs/commands/describe.md @@ -1,46 +1,92 @@ -# `mp describe action` +# `mp describe` -Generate AI-based descriptions for integration actions using Gemini. This command analyzes action scripts and metadata to create detailed documentation and capabilities summaries. +Commands for creating AI-based descriptions for marketplace content using Gemini. This set of commands analyzes Python scripts and metadata to create detailed documentation and capabilities summaries. -## Usage +## `mp describe action` + +Generate AI-based descriptions for integration actions. + +### Usage ```bash mp describe action [ACTIONS]... [OPTIONS] ``` -## Arguments +### Options -* `ACTIONS`: Optional list of specific action names to describe. If omitted and a specific integration is targeted, all actions in that integration will be described. +| Option | Shorthand | Description | Type | Default | +|:----------------|:----------|:---------------------------------------------------------------------------------------------|:-------|:--------| +| `--integration` | `-i` | The name of the integration containing the actions. | `str` | `None` | +| `--all` | `-a` | Describe all integrations in the marketplace, or all actions if an integration is specified. | `bool` | `False` | +| `--override` | | Rewrite actions that already have a description. | `bool` | `False` | -## Options +## `mp describe connector` -| Option | Shorthand | Description | Type | Default | -| :--- | :--- | :--- | :--- | :--- | -| `--integration` | `-i` | The name of the integration containing the actions. | `str` | `None` | -| `--all` | `-a` | Describe all integrations in the marketplace, or all actions if an integration is specified. | `bool` | `False` | -| `--src` | | Customize source folder to describe from. | `Path` | `None` | -| `--override` | | Rewrite actions that already have a description. | `bool` | `False` | -| `--quiet` | `-q` | Log less on runtime. | `bool` | `False` | -| `--verbose` | `-v` | Log more on runtime. | `bool` | `False` | +Generate AI-based descriptions for integration connectors. -## Examples +### Usage -### Describe specific actions in an integration ```bash -mp describe action ping get_logs --integration aws_ec2 +mp describe connector [CONNECTORS]... [OPTIONS] ``` -### Describe all actions in a specific integration +### Options + +| Option | Shorthand | Description | Type | Default | +|:----------------|:----------|:-----------------------------------------------------------------------------------------------|:-------|:--------| +| `--integration` | `-i` | The name of the integration to describe connectors for. | `str` | `None` | +| `--all` | `-a` | Describe all integrations in the marketplace, or all connectors if an integration is specified | `bool` | `False` | +| `--override` | `-o` | Rewrite connectors that already have a description. | `bool` | `False` | + +## `mp describe job` + +Generate AI-based descriptions for integration jobs. + +### Usage + ```bash -mp describe action --integration aws_ec2 --all +mp describe job [JOBS]... [OPTIONS] ``` -### Describe all actions in the entire marketplace +### Options + +| Option | Shorthand | Description | Type | Default | +|:----------------|:----------|:------------------------------------------------------------------------------------------|:-------|:--------| +| `--integration` | `-i` | The name of the integration to describe jobs for. | `str` | `None` | +| `--all` | `-a` | Describe all integrations in the marketplace, or all jobs if an integration is specified. | `bool` | `False` | +| `--override` | `-o` | Rewrite jobs that already have a description. | `bool` | `False` | + +## `mp describe integration` + +Determine product categories for an integration based on its actions, connectors, and jobs descriptions. + +### Usage + ```bash -mp describe action --all +mp describe integration [INTEGRATIONS]... [OPTIONS] ``` -### Describe all actions in a custom source directory +### Options + +| Option | Shorthand | Description | Type | Default | +|:-------------|:----------|:------------------------------------------------------|:-------|:--------| +| `--all` | `-a` | Describe all integrations in the marketplace. | `bool` | `False` | +| `--override` | `-o` | Rewrite integrations that already have a description. | `bool` | `False` | + +## `mp describe all-content` + +Describe all content (actions, connectors, jobs, and the integration) for a given integration. + +### Usage + ```bash -mp describe action --all --src ./custom_integrations -``` \ No newline at end of file +mp describe all-content [INTEGRATION] [OPTIONS] +``` + +### Options + +| Option | Shorthand | Description | Type | Default | +|:-------------|:----------|:-----------------------------------------------------|:-------|:--------| +| `--override` | `-o` | Rewrite content that already have their description. | `bool` | `False` | +| `--quiet` | `-q` | Log less on runtime. | `bool` | `False` | +| `--verbose` | `-v` | Log more on runtime. | `bool` | `False` | \ No newline at end of file diff --git a/packages/mp/src/mp/build_project/restructure/integrations/deconstruct.py b/packages/mp/src/mp/build_project/restructure/integrations/deconstruct.py index 45ff76034..e0125f5d2 100644 --- a/packages/mp/src/mp/build_project/restructure/integrations/deconstruct.py +++ b/packages/mp/src/mp/build_project/restructure/integrations/deconstruct.py @@ -180,6 +180,13 @@ def _create_ai_description_file(self, resources_dir: Path) -> None: ai_dir: Path = resources_dir / mp.core.constants.AI_DIR ai_dir.mkdir(exist_ok=True, parents=True) + for file_name, content in self.integration.ai_metadata.items(): + if file_name == mp.core.constants.INTEGRATIONS_AI_DESCRIPTION_FILE: + continue + + ai_file: Path = ai_dir / file_name + mp.core.file_utils.write_yaml_to_file(content, ai_file) + categories_dict: dict[str, bool] = { category: ( PRODUCT_CATEGORY_TO_DEF_PRODUCT_CATEGORY[category] diff --git a/packages/mp/src/mp/build_project/restructure/integrations/metadata.py b/packages/mp/src/mp/build_project/restructure/integrations/metadata.py index 519d1f034..d04ded14f 100644 --- a/packages/mp/src/mp/build_project/restructure/integrations/metadata.py +++ b/packages/mp/src/mp/build_project/restructure/integrations/metadata.py @@ -26,7 +26,9 @@ import dataclasses import json import operator -from typing import TYPE_CHECKING +from typing import TYPE_CHECKING, Any + +import yaml import mp.core.constants @@ -62,6 +64,18 @@ def restructure(self) -> None: self._restructure_widget_metadata() self._restructure_custom_families() self._restructure_mapping_rules() + self._restructure_ai_metadata() + + def _restructure_ai_metadata(self) -> None: + ai_metadata: Mapping[str, Any] = self.metadata["ai_metadata"] + if not ai_metadata: + return + + ai_path: Path = self.out_path / "resources" / mp.core.constants.AI_DIR + ai_path.mkdir(parents=True, exist_ok=True) + for file_name, content in ai_metadata.items(): + metadata_file: Path = ai_path / file_name + metadata_file.write_text(yaml.dump(content, sort_keys=True), encoding="utf-8") def _restructure_integration_metadata(self) -> None: metadata: BuiltIntegrationMetadata = self.metadata["metadata"] diff --git a/packages/mp/src/mp/core/constants.py b/packages/mp/src/mp/core/constants.py index e2864ec0b..0cf8f6349 100644 --- a/packages/mp/src/mp/core/constants.py +++ b/packages/mp/src/mp/core/constants.py @@ -84,7 +84,15 @@ AI_DIR: str = "ai" ACTIONS_AI_DESCRIPTION_FILE: str = "actions_ai_description.yaml" -INTEGRATIONS_AI_DESCRIPTION_FILE: str = "integrations_ai_description.yaml" +CONNECTORS_AI_DESCRIPTION_FILE: str = "connectors_ai_description.yaml" +JOBS_AI_DESCRIPTION_FILE: str = "jobs_ai_description.yaml" +INTEGRATIONS_AI_DESCRIPTION_FILE: str = "integration_ai_description.yaml" +AI_DESCRIPTION_FILES: tuple[str, ...] = ( + ACTIONS_AI_DESCRIPTION_FILE, + CONNECTORS_AI_DESCRIPTION_FILE, + JOBS_AI_DESCRIPTION_FILE, + INTEGRATIONS_AI_DESCRIPTION_FILE, +) ACTIONS_META_SUFFIX: str = ".actiondef" CONNECTORS_META_SUFFIX: str = ".connectordef" diff --git a/packages/mp/src/mp/core/data_models/integrations/connector/ai/__init__.py b/packages/mp/src/mp/core/data_models/integrations/connector/ai/__init__.py new file mode 100644 index 000000000..58d482ea3 --- /dev/null +++ b/packages/mp/src/mp/core/data_models/integrations/connector/ai/__init__.py @@ -0,0 +1,13 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. diff --git a/packages/mp/src/mp/core/data_models/integrations/connector/ai/metadata.py b/packages/mp/src/mp/core/data_models/integrations/connector/ai/metadata.py new file mode 100644 index 000000000..85945ac36 --- /dev/null +++ b/packages/mp/src/mp/core/data_models/integrations/connector/ai/metadata.py @@ -0,0 +1,39 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import annotations + +from typing import Annotated + +from pydantic import BaseModel, Field + + +class ConnectorAiMetadata(BaseModel): + ai_description: Annotated[ + str, + Field( + description=( + "Detailed description that will be used by LLMs to understand what the connector" + " does. This should be a concise yet informative summary of the connector's" + " purpose, what kind of data it pulls, and the expected outcome." + " Use markdown formatting for clarity, as this is a description for LLMs." + " Please add a description of the data ingestion flow in numbered or bulleted" + " points. In addition, create a table that describes the configuration" + " parameters. How to use them, what is the expected type of value," + " whether the parameter is mandatory or not, and describe what each of them" + " does. Overall the description should be divided into 3-4 sections," + " General description, Parameters description, and Flow description." + ), + ), + ] diff --git a/packages/mp/src/mp/core/data_models/integrations/integration.py b/packages/mp/src/mp/core/data_models/integrations/integration.py index df632cea6..61c9c57a9 100644 --- a/packages/mp/src/mp/core/data_models/integrations/integration.py +++ b/packages/mp/src/mp/core/data_models/integrations/integration.py @@ -17,7 +17,9 @@ import dataclasses import itertools import tomllib -from typing import TYPE_CHECKING, Self, TypedDict +from typing import TYPE_CHECKING, Any, Self, TypedDict + +import yaml import mp.core.constants import mp.core.file_utils @@ -63,6 +65,7 @@ class BuiltIntegration(TypedDict): connectors: Mapping[ConnectorName, BuiltConnectorMetadata] jobs: Mapping[JobName, BuiltJobMetadata] widgets: Mapping[WidgetName, BuiltActionWidgetMetadata] + ai_metadata: Mapping[str, Any] class NonBuiltIntegration(TypedDict): @@ -75,6 +78,7 @@ class NonBuiltIntegration(TypedDict): connectors: Mapping[ConnectorName, NonBuiltConnectorMetadata] jobs: Mapping[JobName, NonBuiltJobMetadata] widgets: Mapping[WidgetName, NonBuiltActionWidgetMetadata] + ai_metadata: Mapping[str, Any] class FullDetailsReleaseNoteJson(TypedDict): @@ -117,6 +121,7 @@ class Integration: connectors_metadata: Mapping[ConnectorName, ConnectorMetadata] jobs_metadata: Mapping[JobName, JobMetadata] widgets_metadata: Mapping[WidgetName, ActionWidgetMetadata] + ai_metadata: Mapping[str, Any] @classmethod def from_built_path(cls, path: Path) -> Self: @@ -139,6 +144,14 @@ def from_built_path(cls, path: Path) -> Self: if python_version_file.exists(): python_version = python_version_file.read_text(encoding="utf-8") + ai_metadata: dict[str, Any] = {} + ai_dir: Path = path / "resources" / mp.core.constants.AI_DIR + if ai_dir.exists(): + for ai_file in mp.core.constants.AI_DESCRIPTION_FILES: + ai_path: Path = ai_dir / ai_file + if ai_path.exists(): + ai_metadata[ai_file] = yaml.safe_load(ai_path.read_text(encoding="utf-8")) + return cls( python_version=python_version, identifier=integration_meta.identifier, @@ -155,6 +168,7 @@ def from_built_path(cls, path: Path) -> Self: widgets_metadata={ w.file_name: w for w in ActionWidgetMetadata.from_built_path(path) }, + ai_metadata=ai_metadata, ) except ValueError as e: msg: str = f"Failed to load integration {path.name}" @@ -188,6 +202,14 @@ def from_non_built_path(cls, path: Path) -> Self: if python_version_file.exists(): python_version = python_version_file.read_text(encoding="utf-8") + ai_metadata: dict[str, Any] = {} + ai_dir: Path = path / "resources" / mp.core.constants.AI_DIR + if ai_dir.exists(): + for ai_file in mp.core.constants.AI_DESCRIPTION_FILES: + ai_path: Path = ai_dir / ai_file + if ai_path.exists(): + ai_metadata[ai_file] = yaml.safe_load(ai_path.read_text(encoding="utf-8")) + return cls( python_version=python_version, identifier=integration_meta.identifier, @@ -204,6 +226,7 @@ def from_non_built_path(cls, path: Path) -> Self: widgets_metadata={ w.file_name: w for w in ActionWidgetMetadata.from_non_built_path(path) }, + ai_metadata=ai_metadata, ) except (KeyError, ValueError, tomllib.TOMLDecodeError) as e: @@ -229,6 +252,7 @@ def to_built(self) -> BuiltIntegration: }, jobs={name: metadata.to_built() for name, metadata in self.jobs_metadata.items()}, widgets={name: metadata.to_built() for name, metadata in self.widgets_metadata.items()}, + ai_metadata=self.ai_metadata, ) def to_non_built(self) -> NonBuiltIntegration: @@ -254,6 +278,7 @@ def to_non_built(self) -> NonBuiltIntegration: widgets={ name: metadata.to_non_built() for name, metadata in self.widgets_metadata.items() }, + ai_metadata=self.ai_metadata, ) def to_built_full_details(self) -> BuiltFullDetails: diff --git a/packages/mp/src/mp/core/data_models/integrations/job/ai/__init__.py b/packages/mp/src/mp/core/data_models/integrations/job/ai/__init__.py new file mode 100644 index 000000000..58d482ea3 --- /dev/null +++ b/packages/mp/src/mp/core/data_models/integrations/job/ai/__init__.py @@ -0,0 +1,13 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. diff --git a/packages/mp/src/mp/core/data_models/integrations/job/ai/metadata.py b/packages/mp/src/mp/core/data_models/integrations/job/ai/metadata.py new file mode 100644 index 000000000..b2cbb0f6c --- /dev/null +++ b/packages/mp/src/mp/core/data_models/integrations/job/ai/metadata.py @@ -0,0 +1,39 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import annotations + +from typing import Annotated + +from pydantic import BaseModel, Field + + +class JobAiMetadata(BaseModel): + ai_description: Annotated[ + str, + Field( + description=( + "Detailed description that will be used by LLMs to understand what the job" + " does. This should be a concise yet informative summary of the job's" + " purpose, and the expected outcome." + " Use markdown formatting for clarity, as this is a description for LLMs." + " Please add a description of the flow of the job in numbered or bulleted" + " points. In addition, create a table that describes the configuration" + " parameters. How to use them, what is the expected type of value," + " whether the parameter is mandatory or not, and describe what each of them" + " does. Overall the description should be divided into 3-4 sections," + " General description, Parameters description, and Flow description." + ), + ), + ] diff --git a/packages/mp/src/mp/core/file_utils/integrations/file_utils.py b/packages/mp/src/mp/core/file_utils/integrations/file_utils.py index 906fc686b..a9c344cdb 100644 --- a/packages/mp/src/mp/core/file_utils/integrations/file_utils.py +++ b/packages/mp/src/mp/core/file_utils/integrations/file_utils.py @@ -22,6 +22,7 @@ import base64 import dataclasses import json +import pathlib from typing import TYPE_CHECKING, Any import yaml @@ -74,6 +75,7 @@ def get_integration_base_folders_paths(integrations_classification: str) -> list third_party = base_path / constants.THIRD_PARTY_REPO_NAME return mp.core.file_utils.common.create_dirs_if_not_exists( + third_party, base_path / constants.POWERUPS_DIR_NAME, third_party / constants.COMMUNITY_DIR_NAME, third_party / constants.PARTNER_DIR_NAME, @@ -132,6 +134,55 @@ def create_or_get_out_integrations_dir() -> Path: ) +def get_marketplace_integration_base_paths() -> list[Path]: + """Get all integration base paths across all relevant repository types. + + Returns: + list[Path]: All integration base directories. + + """ + base_paths: list[Path] = [] + for repo_type_name in [ + constants.COMMERCIAL_REPO_NAME, + constants.THIRD_PARTY_REPO_NAME, + constants.CUSTOM_REPO_NAME, + ]: + base_paths.extend(get_integration_base_folders_paths(repo_type_name)) + + return base_paths + + +def get_marketplace_integration_path(name: str) -> Path | None: + """Find the path to an integration in the marketplace. + + Args: + name: The name or path of the integration. + + Returns: + Path | None: The path to the integration if found, None otherwise. + + """ + p = pathlib.Path(name) + if p.exists() and is_integration(p): + return p + + for base_path in get_marketplace_integration_base_paths(): + if (p := base_path / name).exists() and is_integration(p): + return p + + return None + + +def get_all_marketplace_integrations_paths() -> list[Path]: + """Get all integration paths from the marketplace. + + Returns: + list[Path]: All integration paths found in the marketplace. + + """ + return sorted(get_integrations_from_paths(*get_marketplace_integration_base_paths())) + + def discover_core_modules(path: Path) -> list[ManagerName]: """Discover core/manager modules in an integration. diff --git a/packages/mp/src/mp/describe/__init__.py b/packages/mp/src/mp/describe/__init__.py index 513030846..76294486c 100644 --- a/packages/mp/src/mp/describe/__init__.py +++ b/packages/mp/src/mp/describe/__init__.py @@ -12,7 +12,15 @@ # See the License for the specific language governing permissions and # limitations under the License. -from . import action +from . import action, connector, integration, job +from .all_content import describe_all_content from .typer_app import app -__all__: list[str] = ["action", "app"] +__all__: list[str] = [ + "action", + "app", + "connector", + "describe_all_content", + "integration", + "job", +] diff --git a/packages/mp/src/mp/describe/action/prompts/system.md b/packages/mp/src/mp/describe/action/prompts/system.md deleted file mode 100644 index 57bfceec9..000000000 --- a/packages/mp/src/mp/describe/action/prompts/system.md +++ /dev/null @@ -1,30 +0,0 @@ -**Role:** -You are a Technical Architect and expert in Security Orchestration, Automation, and Response (SOAR) integrations. Your specific expertise lies in analyzing Google SecOps (Chronicle) integration code written in Python. - -**Objective:** -Your goal is to analyze integration code (Python) and its configuration (JSON) to produce a structured JSON capability summary. This summary helps autonomous agents understand the purpose, capabilities, and side effects of the code. - -**Resource Usage Strategy:** -You will be provided with Python code, JSON configurations, and access to library documentation. Use them as follows: - -1. **Python Script (`.py`):** Use this to determine the *logic - flow*, identifying which external API calls are made and what SDK methods (e.g., - `SiemplifyAction`, `TIPCommon`) are utilized. -2. **Configuration File (`.json`):** Use this to identify input parameters, default values, and the - *Entity Scopes* (e.g., IP, HASH) the action supports. -3. **SDK/Library Docs: - ** Use provided documentation links to interpret specific method calls (e.g., distinguishing between - `add_entity_insight` vs `add_result_json` vs `update_entities`). - -**Analysis Guidelines:** - -1. **Primary Purpose (Description):** Write a concise but detailed paragraph explaining - *what* the code does. Focus on the business value (e.g., "Enriches reputation," "Blocks traffic," "Parses email"). Mention specific external services interacting with and specific data points retrieved. -2. **Capability Flags:** You must accurately determine boolean flags (e.g., `fetches_data`, - `can_mutate_external_data`). - * *Enrichment* implies fetching data without changing the external system state. - * *Mutation* implies changing state (e.g., blocking an IP, resetting a password). - * *Internal Mutation* refers to changing the SOAR case data (entities, case wall, insights). - -**Output Format:** -Return **strictly** a valid JSON object matching the provided schema. Do not include Markdown code blocks or conversational text. diff --git a/packages/mp/src/mp/describe/action/typer_app.py b/packages/mp/src/mp/describe/action/typer_app.py index 83afd79eb..ec69e3193 100644 --- a/packages/mp/src/mp/describe/action/typer_app.py +++ b/packages/mp/src/mp/describe/action/typer_app.py @@ -86,6 +86,7 @@ def describe( # noqa: PLR0913 bool, typer.Option( "--override", + "-o", help="Rewrite actions that already have their description.", ), ] = False, diff --git a/packages/mp/src/mp/describe/all_content.py b/packages/mp/src/mp/describe/all_content.py new file mode 100644 index 000000000..fda55bba9 --- /dev/null +++ b/packages/mp/src/mp/describe/all_content.py @@ -0,0 +1,62 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import annotations + +import asyncio +from typing import TYPE_CHECKING + +import mp.core.config +from mp.describe.action.describe import DescribeAction +from mp.describe.connector.describe import DescribeConnector +from mp.describe.integration.describe import DescribeIntegration +from mp.describe.job.describe import DescribeJob + +if TYPE_CHECKING: + import pathlib + + +async def describe_all_content( + integration: str, + *, + src: pathlib.Path | None = None, + dst: pathlib.Path | None = None, + override: bool = False, +) -> None: + """Describe all content in an integration. + + Describes actions, connectors, jobs, and the integration itself. + + Args: + integration: The name of the integration. + src: Customize the source folder to describe from. + dst: Customize destination folder to save the AI descriptions. + override: Whether to rewrite existing descriptions. + + """ + sem = asyncio.Semaphore(mp.core.config.get_gemini_concurrency()) + + # 1. Describe actions + await DescribeAction(integration, set(), src=src, dst=dst, override=override).describe(sem=sem) + + # 2. Describe connectors + await DescribeConnector(integration, set(), src=src, dst=dst, override=override).describe( + sem=sem + ) + + # 3. Describe jobs + await DescribeJob(integration, set(), src=src, dst=dst, override=override).describe(sem=sem) + + # 4. Describe integration (last because it depends on previous results) + await DescribeIntegration(integration, src=src, dst=dst, override=override).describe(sem=sem) diff --git a/packages/mp/src/mp/describe/common/describe.py b/packages/mp/src/mp/describe/common/describe.py index 789b82c2c..dabde79f7 100644 --- a/packages/mp/src/mp/describe/common/describe.py +++ b/packages/mp/src/mp/describe/common/describe.py @@ -219,6 +219,14 @@ async def _prepare_resources( if not self.resource_names: self.resource_names = await self._get_all_resources(status) + # Prune metadata for resources that no longer exist + # Only for non-integration types which use resource names as keys + if self.resource_type_name != "integration": + metadata_keys = list(metadata.keys()) + for key in metadata_keys: + if key not in self.resource_names: + del metadata[key] + if not self.override: resources_to_process: set[str] = { res for res in self.resource_names if res not in metadata @@ -448,7 +456,13 @@ async def _save_metadata(self, metadata: dict[str, Any]) -> None: else: save_dir: anyio.Path = self.integration / constants.RESOURCES_DIR / constants.AI_DIR - await save_dir.mkdir(parents=True, exist_ok=True) metadata_file: anyio.Path = save_dir / self.metadata_file_name + + if not metadata: + if await metadata_file.exists(): + await metadata_file.unlink() + return + + await save_dir.mkdir(parents=True, exist_ok=True) yaml.add_representer(str, folded_string_representer, Dumper=yaml.SafeDumper) await metadata_file.write_text(yaml.safe_dump(metadata)) diff --git a/packages/mp/src/mp/describe/common/describe_all.py b/packages/mp/src/mp/describe/common/describe_all.py index cb0228312..b9060b90e 100644 --- a/packages/mp/src/mp/describe/common/describe_all.py +++ b/packages/mp/src/mp/describe/common/describe_all.py @@ -30,8 +30,10 @@ ) import mp.core.config -from mp.core.custom_types import RepositoryType -from mp.core.file_utils import get_integration_base_folders_paths, get_integrations_from_paths +from mp.core.file_utils import ( + get_all_marketplace_integrations_paths, + get_integrations_from_paths, +) if TYPE_CHECKING: from pathlib import Path @@ -183,12 +185,4 @@ def get_all_integrations_paths(src: Path | None = None) -> list[Path]: if src: return sorted(get_integrations_from_paths(src)) if src.exists() else [] - base_paths: list[Path] = [] - for repo_type in [ - RepositoryType.COMMERCIAL, - RepositoryType.THIRD_PARTY, - RepositoryType.CUSTOM, - ]: - base_paths.extend(get_integration_base_folders_paths(repo_type.value)) - - return sorted(get_integrations_from_paths(*base_paths)) + return get_all_marketplace_integrations_paths() diff --git a/packages/mp/src/mp/describe/common/prompt_constructors/resource.py b/packages/mp/src/mp/describe/common/prompt_constructors/resource.py new file mode 100644 index 000000000..2f2cae200 --- /dev/null +++ b/packages/mp/src/mp/describe/common/prompt_constructors/resource.py @@ -0,0 +1,65 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import annotations + +import abc +from typing import TYPE_CHECKING + +from .prompt_constructor import PromptConstructor as BasePromptConstructor + +if TYPE_CHECKING: + from string import Template + + import anyio + + +class ResourcePromptConstructor(BasePromptConstructor, abc.ABC): + __slots__: tuple[str, ...] = ( + "resource_file_name", + "resource_name", + ) + + def __init__( + self, + integration: anyio.Path, + integration_name: str, + resource_name: str, + resource_file_name: str, + out_path: anyio.Path, + ) -> None: + super().__init__(integration, integration_name, out_path) + self.resource_name: str = resource_name + self.resource_file_name: str = resource_file_name + + @staticmethod + @abc.abstractmethod + async def get_task_prompt() -> Template: + """Get the task prompt. + + Returns: + Template: The task prompt. + + """ + raise NotImplementedError + + @abc.abstractmethod + async def construct(self) -> str: + """Construct a prompt for generating AI descriptions. + + Returns: + str: The constructed prompt. + + """ + raise NotImplementedError diff --git a/packages/mp/src/mp/describe/common/prompts/system.md b/packages/mp/src/mp/describe/common/prompts/system.md index 57bfceec9..50f6a4d4f 100644 --- a/packages/mp/src/mp/describe/common/prompts/system.md +++ b/packages/mp/src/mp/describe/common/prompts/system.md @@ -1,27 +1,21 @@ **Role:** -You are a Technical Architect and expert in Security Orchestration, Automation, and Response (SOAR) integrations. Your specific expertise lies in analyzing Google SecOps (Chronicle) integration code written in Python. +You are a Technical Architect and expert in Security Orchestration, Automation, and Response (SOAR) integrations. Your specific expertise lies in analyzing Google SecOps (Chronicle) integrations, including their actions, connectors, jobs, and overall metadata. **Objective:** -Your goal is to analyze integration code (Python) and its configuration (JSON) to produce a structured JSON capability summary. This summary helps autonomous agents understand the purpose, capabilities, and side effects of the code. +Your goal is to analyze integration components (Python code, configurations, or previously generated AI metadata) to produce structured JSON summaries or classifications. These summaries help autonomous agents and users understand the purpose, capabilities, and side effects of the integration resources. **Resource Usage Strategy:** -You will be provided with Python code, JSON configurations, and access to library documentation. Use them as follows: +Depending on the task, you will be provided with various inputs: -1. **Python Script (`.py`):** Use this to determine the *logic - flow*, identifying which external API calls are made and what SDK methods (e.g., - `SiemplifyAction`, `TIPCommon`) are utilized. -2. **Configuration File (`.json`):** Use this to identify input parameters, default values, and the - *Entity Scopes* (e.g., IP, HASH) the action supports. -3. **SDK/Library Docs: - ** Use provided documentation links to interpret specific method calls (e.g., distinguishing between - `add_entity_insight` vs `add_result_json` vs `update_entities`). +1. **Python Script (`.py`):** Use this to determine the *logic flow*, identifying which external API calls are made and what SDK methods (e.g., `SiemplifyAction`, `TIPCommon`) are utilized. +2. **Configuration File (`.json` or `.yaml`):** Use this to identify input parameters, default values, and the *Entity Scopes* (e.g., IP, HASH) or other settings the resource supports. +3. **AI Descriptions:** Use previously generated AI summaries to perform higher-level classifications or cross-resource analysis. +4. **SDK/Library Docs:** Use provided documentation links to interpret specific method calls (e.g., distinguishing between `add_entity_insight` vs `add_result_json` vs `update_entities`). **Analysis Guidelines:** -1. **Primary Purpose (Description):** Write a concise but detailed paragraph explaining - *what* the code does. Focus on the business value (e.g., "Enriches reputation," "Blocks traffic," "Parses email"). Mention specific external services interacting with and specific data points retrieved. -2. **Capability Flags:** You must accurately determine boolean flags (e.g., `fetches_data`, - `can_mutate_external_data`). +1. **Primary Purpose (Description):** Write a concise but detailed paragraph explaining *what* the component does. Focus on the business value (e.g., "Enriches reputation," "Blocks traffic," "Parses email"). Mention specific external services interacted with and specific data points retrieved. +2. **Technical Accuracy:** You must accurately determine capability flags and classifications based strictly on the provided data and task instructions. * *Enrichment* implies fetching data without changing the external system state. * *Mutation* implies changing state (e.g., blocking an IP, resetting a password). * *Internal Mutation* refers to changing the SOAR case data (entities, case wall, insights). diff --git a/packages/mp/src/mp/describe/common/utils/paths.py b/packages/mp/src/mp/describe/common/utils/paths.py index e1364a5e3..9153c794e 100644 --- a/packages/mp/src/mp/describe/common/utils/paths.py +++ b/packages/mp/src/mp/describe/common/utils/paths.py @@ -15,16 +15,17 @@ from __future__ import annotations import logging -import pathlib +from typing import TYPE_CHECKING + +if TYPE_CHECKING: + import pathlib import anyio import typer -from mp.core.custom_types import RepositoryType from mp.core.file_utils import ( create_or_get_out_integrations_dir, - get_integration_base_folders_paths, - is_integration, + get_marketplace_integration_path, ) logger: logging.Logger = logging.getLogger(__name__) @@ -55,21 +56,9 @@ def _get_source_integration_path(name: str, src: pathlib.Path) -> anyio.Path: def _get_marketplace_integration_path(name: str) -> anyio.Path: - # First, check if name is a direct path to an integration - if (p := pathlib.Path(name)).exists() and is_integration(p): - return anyio.Path(p) - - base_paths: list[pathlib.Path] = [] - for repo_type in [ - RepositoryType.COMMERCIAL, - RepositoryType.THIRD_PARTY, - RepositoryType.CUSTOM, - ]: - base_paths.extend(get_integration_base_folders_paths(repo_type.value)) - - for path in base_paths: - if (p := path / name).exists() and is_integration(p): - return anyio.Path(p) + path = get_marketplace_integration_path(name) + if path: + return anyio.Path(path) logger.error("Integration '%s' not found in marketplace", name) raise typer.Exit(1) diff --git a/packages/mp/src/mp/describe/connector/__init__.py b/packages/mp/src/mp/describe/connector/__init__.py new file mode 100644 index 000000000..58d482ea3 --- /dev/null +++ b/packages/mp/src/mp/describe/connector/__init__.py @@ -0,0 +1,13 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. diff --git a/packages/mp/src/mp/describe/connector/describe.py b/packages/mp/src/mp/describe/connector/describe.py new file mode 100644 index 000000000..02c67999e --- /dev/null +++ b/packages/mp/src/mp/describe/connector/describe.py @@ -0,0 +1,144 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import annotations + +import json +import logging +from typing import TYPE_CHECKING, NamedTuple + +import yaml + +from mp.core import constants +from mp.core.data_models.integrations.connector.ai.metadata import ConnectorAiMetadata +from mp.describe.common.describe import DescribeBase, IntegrationStatus + +from .prompt_constructors.built import BuiltPromptConstructor +from .prompt_constructors.source import SourcePromptConstructor + +if TYPE_CHECKING: + import pathlib + + import anyio + +logger: logging.Logger = logging.getLogger(__name__) + + +class DescriptionParams(NamedTuple): + integration: anyio.Path + integration_name: str + connector_name: str + connector_file_name: str + status: IntegrationStatus + + +class DescribeConnector(DescribeBase[ConnectorAiMetadata]): + def __init__( + self, + integration: str, + connectors: set[str], + *, + src: pathlib.Path | None = None, + dst: pathlib.Path | None = None, + override: bool = False, + ) -> None: + super().__init__(integration, connectors, src=src, dst=dst, override=override) + self._connector_name_to_file_stem: dict[str, str] = {} + + @property + def metadata_file_name(self) -> str: + """Get the name of the metadata file.""" + return constants.CONNECTORS_AI_DESCRIPTION_FILE + + @property + def resource_type_name(self) -> str: + """Get the resource type name.""" + return "connector" + + @property + def response_schema(self) -> type[ConnectorAiMetadata]: + """Get the response schema.""" + return ConnectorAiMetadata + + async def _get_all_resources(self, status: IntegrationStatus) -> set[str]: + connectors: set[str] = set() + if status.is_built: + await self._get_all_built_connectors(status.out_path, connectors) + else: + await self._get_all_non_built_connectors(connectors) + return connectors + + async def _get_all_built_connectors(self, out_path: anyio.Path, connectors: set[str]) -> None: + path: anyio.Path = out_path / constants.OUT_CONNECTORS_META_DIR + if await path.exists(): + async for file in path.glob(f"*{constants.CONNECTORS_META_SUFFIX}"): + content: str = await file.read_text(encoding="utf-8") + try: + data: dict = json.loads(content) + name: str = data["Name"] + self._connector_name_to_file_stem[name] = file.stem + connectors.add(name) + except (json.JSONDecodeError, KeyError): + logger.warning("Failed to parse built connector metadata %s", file.name) + + async def _get_all_non_built_connectors(self, connectors: set[str]) -> None: + path: anyio.Path = self.integration / constants.CONNECTORS_DIR + if await path.exists(): + async for file in path.glob(f"*{constants.YAML_SUFFIX}"): + content: str = await file.read_text(encoding="utf-8") + try: + data: dict = yaml.safe_load(content) + name: str = data["name"] + self._connector_name_to_file_stem[name] = file.stem + connectors.add(name) + except (yaml.YAMLError, KeyError): + logger.warning("Failed to parse non-built connector metadata %s", file.name) + + async def _construct_prompts( + self, resources: list[str], status: IntegrationStatus + ) -> list[str]: + prompts: list[str] = [] + for connector_name in resources: + params = DescriptionParams( + self.integration, + self.integration_name, + connector_name, + self._connector_name_to_file_stem.get(connector_name, connector_name), + status, + ) + constructor: BuiltPromptConstructor | SourcePromptConstructor = ( + _create_prompt_constructor(params) + ) + prompts.append(await constructor.construct()) + return prompts + + +def _create_prompt_constructor( + params: DescriptionParams, +) -> BuiltPromptConstructor | SourcePromptConstructor: + if params.status.is_built: + return BuiltPromptConstructor( + params.integration, + params.integration_name, + params.connector_name, + params.connector_file_name, + params.status.out_path, + ) + return SourcePromptConstructor( + params.integration, + params.integration_name, + params.connector_name, + params.connector_file_name, + params.status.out_path, + ) diff --git a/packages/mp/src/mp/describe/connector/describe_all.py b/packages/mp/src/mp/describe/connector/describe_all.py new file mode 100644 index 000000000..7788b809a --- /dev/null +++ b/packages/mp/src/mp/describe/connector/describe_all.py @@ -0,0 +1,47 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import annotations + +from typing import TYPE_CHECKING + +from mp.describe.common.describe_all import ( + MarketplaceOrchestratorBase, + get_all_integrations_paths, +) + +from .describe import DescribeConnector + +if TYPE_CHECKING: + from pathlib import Path + + +async def describe_all_connectors( + src: Path | None = None, dst: Path | None = None, *, override: bool = False +) -> None: + """Describe all connectors in all integrations in the marketplace.""" + integrations_paths: list[Path] = get_all_integrations_paths(src=src) + orchestrator = _MarketplaceOrchestrator(src, integrations_paths, dst=dst, override=override) + await orchestrator.run() + + +class _MarketplaceOrchestrator(MarketplaceOrchestratorBase): + def _create_describer(self, integration_name: str) -> DescribeConnector: + return DescribeConnector( + integration=integration_name, + connectors=set(), + src=self.src, + dst=self.dst, + override=self.override, + ) diff --git a/packages/mp/src/mp/describe/connector/prompt_constructors/__init__.py b/packages/mp/src/mp/describe/connector/prompt_constructors/__init__.py new file mode 100644 index 000000000..58d482ea3 --- /dev/null +++ b/packages/mp/src/mp/describe/connector/prompt_constructors/__init__.py @@ -0,0 +1,13 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. diff --git a/packages/mp/src/mp/describe/connector/prompt_constructors/built.py b/packages/mp/src/mp/describe/connector/prompt_constructors/built.py new file mode 100644 index 000000000..d69c82452 --- /dev/null +++ b/packages/mp/src/mp/describe/connector/prompt_constructors/built.py @@ -0,0 +1,84 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import annotations + +import io +from typing import TYPE_CHECKING + +from mp.core import constants + +from .connector import ConnectorPromptConstructor + +if TYPE_CHECKING: + from string import Template + + import anyio + +DEFAULT_FILE_CONTENT: str = "N/A" + + +class BuiltPromptConstructor(ConnectorPromptConstructor): + __slots__: tuple[str, ...] = () + + async def construct(self) -> str: + """Construct the prompt for built connectors. + + Returns: + str: The constructed prompt. + + """ + manager_names, manager_content = await self._get_managers_names_and_content() + template: Template = await self.task_prompt + return template.safe_substitute({ + "json_file_name": f"{self.resource_file_name}.json", + "json_file_content": await self._get_built_connector_def_content(), + "python_file_name": f"{self.resource_file_name}.py", + "python_file_content": await self._get_built_connector_content(), + "manager_file_names": manager_names or DEFAULT_FILE_CONTENT, + "manager_files_content": manager_content or DEFAULT_FILE_CONTENT, + }) + + async def _get_managers_names_and_content(self) -> tuple[str, str]: + names: list[str] = [] + content: io.StringIO = io.StringIO() + managers_dir: anyio.Path = self.out_path / constants.OUT_MANAGERS_SCRIPTS_DIR + if await managers_dir.exists(): + async for core_file in managers_dir.glob("*.py"): + names.append(core_file.name) + content.write("```python\n") + content.write(await core_file.read_text(encoding="utf-8")) + content.write("\n```\n\n") + + return ", ".join(names), content.getvalue() + + async def _get_built_connector_def_content(self) -> str: + connector_def: anyio.Path = ( + self.out_path + / constants.OUT_CONNECTORS_META_DIR + / f"{self.resource_file_name}{constants.CONNECTORS_META_SUFFIX}" + ) + if await connector_def.exists(): + return await connector_def.read_text(encoding="utf-8") + + return DEFAULT_FILE_CONTENT + + async def _get_built_connector_content(self) -> str: + connector_script: anyio.Path = ( + self.out_path / constants.OUT_CONNECTOR_SCRIPTS_DIR / f"{self.resource_file_name}.py" + ) + if await connector_script.exists(): + return await connector_script.read_text(encoding="utf-8") + + return DEFAULT_FILE_CONTENT diff --git a/packages/mp/src/mp/describe/connector/prompt_constructors/connector.py b/packages/mp/src/mp/describe/connector/prompt_constructors/connector.py new file mode 100644 index 000000000..3d54b7124 --- /dev/null +++ b/packages/mp/src/mp/describe/connector/prompt_constructors/connector.py @@ -0,0 +1,37 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import annotations + +from abc import ABC +from string import Template + +import anyio + +from mp.describe.common.prompt_constructors.resource import ResourcePromptConstructor + + +class ConnectorPromptConstructor(ResourcePromptConstructor, ABC): + __slots__: tuple[str, ...] = () + + @staticmethod + async def get_task_prompt() -> Template: + """Get the task prompt. + + Returns: + Template: The task prompt. + + """ + prompt_file: anyio.Path = anyio.Path(__file__).parent.parent / "prompts" / "task.md" + return Template(await prompt_file.read_text(encoding="utf-8")) diff --git a/packages/mp/src/mp/describe/connector/prompt_constructors/source.py b/packages/mp/src/mp/describe/connector/prompt_constructors/source.py new file mode 100644 index 000000000..970f70652 --- /dev/null +++ b/packages/mp/src/mp/describe/connector/prompt_constructors/source.py @@ -0,0 +1,84 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import annotations + +import io +from typing import TYPE_CHECKING + +from mp.core import constants + +from .connector import ConnectorPromptConstructor + +if TYPE_CHECKING: + from string import Template + + import anyio + +DEFAULT_FILE_CONTENT: str = "N/A" + + +class SourcePromptConstructor(ConnectorPromptConstructor): + __slots__: tuple[str, ...] = () + + async def construct(self) -> str: + """Construct the prompt for non-built connectors. + + Returns: + str: The constructed prompt. + + """ + core_names, core_content = await self._get_core_modules_names_and_content() + template: Template = await self.task_prompt + return template.safe_substitute({ + "json_file_name": f"{self.resource_file_name}.yaml", + "json_file_content": await self._get_non_built_connector_def_content(), + "python_file_name": f"{self.resource_file_name}.py", + "python_file_content": await self._get_non_built_connector_content(), + "manager_file_names": core_names or DEFAULT_FILE_CONTENT, + "manager_files_content": core_content or DEFAULT_FILE_CONTENT, + }) + + async def _get_core_modules_names_and_content(self) -> tuple[str, str]: + names: list[str] = [] + content: io.StringIO = io.StringIO() + core_dir: anyio.Path = self.integration / constants.CORE_SCRIPTS_DIR + if await core_dir.exists(): + async for core_file in core_dir.glob("*.py"): + names.append(core_file.name) + content.write("```python\n") + content.write(await core_file.read_text(encoding="utf-8")) + content.write("\n```\n\n") + + return ", ".join(names), content.getvalue() + + async def _get_non_built_connector_def_content(self) -> str: + connector_yaml: anyio.Path = ( + self.integration + / constants.CONNECTORS_DIR + / f"{self.resource_file_name}{constants.YAML_SUFFIX}" + ) + if await connector_yaml.exists(): + return await connector_yaml.read_text(encoding="utf-8") + + return DEFAULT_FILE_CONTENT + + async def _get_non_built_connector_content(self) -> str: + connector_script: anyio.Path = ( + self.integration / constants.CONNECTORS_DIR / f"{self.resource_file_name}.py" + ) + if await connector_script.exists(): + return await connector_script.read_text(encoding="utf-8") + + return DEFAULT_FILE_CONTENT diff --git a/packages/mp/src/mp/describe/connector/prompts/task.md b/packages/mp/src/mp/describe/connector/prompts/task.md new file mode 100644 index 000000000..b380d13a0 --- /dev/null +++ b/packages/mp/src/mp/describe/connector/prompts/task.md @@ -0,0 +1,61 @@ +**Input Data:** +I have provided the following files for a Google SecOps connector: + +1. `Script Code`: The Python logic. +2. `Script Settings`: The JSON/YAML metadata containing parameters and configuration. + +**Reference Documentation:** + +* **SOAR SDK:** https://github.com/chronicle/soar-sdk/tree/main/src/soar_sdk +* **TIPCommon:** https://github.com/chronicle/content-hub/tree/main/packages/tipcommon/TIPCommon +* **SOAR SDK Docs:** + * https://docs.cloud.google.com/chronicle/docs/soar/reference/siemplify-connectors-module + +**Instructions:** + +1. **Analyze the Description:** Synthesize the `Script Code` logic and `Script Settings` description to create a detailed AI description. + * *Style:* Active voice. Concise yet informative. + * *Content:* Explain the connector's purpose, what kind of data it pulls (e.g., alerts, logs, events), and from which external service. + * *Sections:* + * **General description**: A high-level overview of the connector's purpose and the service it integrates with. + * **Parameters description**: A markdown table describing the configuration parameters (name, expected type, mandatory status, and description). + * **Flow description**: A numbered or bulleted list describing the data ingestion flow (how it connects, what it fetches, how it filters, and how it creates cases/alerts in SOAR). + +2. **Format the Output:** The result must be a JSON object with a single field `ai_description` containing the markdown-formatted description. + +**Example Output:** + +```json +{ + "ai_description": "### General Description\nThis connector fetches alerts from VirusTotal and creates cases in Google SecOps. It allows monitoring for malicious activity seen globally.\n\n### Parameters Description\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| API Key | String | Yes | Your VirusTotal API key. |\n| Threshold | Integer | No | Minimum score to fetch. |\n\n### Flow Description\n1. Connects to VirusTotal API using the provided API Key.\n2. Queries for recent alerts matching the configured threshold.\n3. Maps each alert to a Google SecOps case format.\n4. Ingests cases into the system." +} +``` + +**Current Task Input:** + +— START OF FILE ${json_file_name}— + +``` +${json_file_content} +``` + +— END OF FILE ${json_file_name}— + +— START OF FILE ${python_file_name}— + +```python +${python_file_content} +``` + +— END OF FILE ${python_file_name}— + +— START OF FILE ${manager_file_names}— +${manager_files_content} +— END OF FILE ${manager_file_names}— + +**Final Instructions:** +Based strictly on the provided "Current Task Input": + +1. Analyze the code flow and settings. +2. Construct the AI Description. +3. Ensure valid JSON syntax. diff --git a/packages/mp/src/mp/describe/connector/typer_app.py b/packages/mp/src/mp/describe/connector/typer_app.py new file mode 100644 index 000000000..615028e89 --- /dev/null +++ b/packages/mp/src/mp/describe/connector/typer_app.py @@ -0,0 +1,127 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import annotations + +import asyncio +import pathlib # noqa: TC003 +from typing import Annotated + +import rich +import typer + +import mp.core.config + +from .describe import DescribeConnector +from .describe_all import describe_all_connectors + +app = typer.Typer(help="Describe connectors in the marketplace.") + + +@app.command() +def connector( # noqa: PLR0913 + connectors: Annotated[list[str] | None, typer.Argument(help="Connector names")] = None, + integration: Annotated[ + str | None, typer.Option("-i", "--integration", help="Integration name") + ] = None, + *, + all_marketplace: Annotated[ + bool, + typer.Option( + "-a", + "--all", + help=( + "Describe all integrations in the marketplace, or all connectors if an" + " integration is specified" + ), + ), + ] = False, + src: Annotated[ + pathlib.Path | None, + typer.Option( + help="The path to the marketplace. If not provided, the configured path will be used." + ), + ] = None, + dst: Annotated[ + pathlib.Path | None, + typer.Option( + help=( + "The path to save the descriptions to. If not provided, they will be" + " saved in the marketplace." + ) + ), + ] = None, + override: Annotated[ + bool, + typer.Option( + "--override", + "-o", + help="Whether to override existing descriptions.", + ), + ] = False, + quiet: Annotated[ + bool, + typer.Option( + "--quiet", + "-q", + help="Log less on runtime.", + ), + ] = False, + verbose: Annotated[ + bool, + typer.Option( + "--verbose", + "-v", + help="Log more on runtime.", + ), + ] = False, +) -> None: + """Describe connectors in a given integration. + + Args: + connectors: The names of the connectors to describe. + integration: The name of the integration to describe connectors for. + all_marketplace: Whether to describe all integrations or all connectors for the integration. + src: The path to the marketplace. + dst: The path to save the descriptions to. + override: Whether to override existing descriptions. + quiet: Log less on runtime. + verbose: Log more on runtime. + + Raises: + typer.Exit: If neither --integration nor --all is specified. + + """ + run_params: mp.core.config.RuntimeParams = mp.core.config.RuntimeParams(quiet, verbose) + run_params.set_in_config() + + sem = asyncio.Semaphore(mp.core.config.get_gemini_concurrency()) + if integration: + target_connector_file_names: set[str] = set(connectors) if connectors else set() + if all_marketplace: + target_connector_file_names = set() + + describer = DescribeConnector( + integration, + target_connector_file_names, + src=src, + dst=dst, + override=override, + ) + asyncio.run(describer.describe(sem=sem)) + elif all_marketplace: + asyncio.run(describe_all_connectors(src=src, dst=dst, override=override)) + else: + rich.print("[red]Please specify either --integration or --all[/red]") + raise typer.Exit(code=1) diff --git a/packages/mp/src/mp/describe/integration/describe.py b/packages/mp/src/mp/describe/integration/describe.py index ebcf5af06..fccfb6732 100644 --- a/packages/mp/src/mp/describe/integration/describe.py +++ b/packages/mp/src/mp/describe/integration/describe.py @@ -115,10 +115,16 @@ async def _save_metadata(self, metadata: dict[str, Any]) -> None: else: save_dir: anyio.Path = self.integration / constants.RESOURCES_DIR / constants.AI_DIR - await save_dir.mkdir(parents=True, exist_ok=True) metadata_file: anyio.Path = save_dir / self.metadata_file_name - yaml.add_representer(str, folded_string_representer, Dumper=yaml.SafeDumper) # For integrations, we don't want to key it by integration name in the file - if (integration_metadata := metadata.get(self.integration_name)) is not None: - await metadata_file.write_text(yaml.safe_dump(integration_metadata)) + integration_metadata = metadata.get(self.integration_name) + + if not integration_metadata: + if await metadata_file.exists(): + await metadata_file.unlink() + return + + await save_dir.mkdir(parents=True, exist_ok=True) + yaml.add_representer(str, folded_string_representer, Dumper=yaml.SafeDumper) + await metadata_file.write_text(yaml.safe_dump(integration_metadata)) diff --git a/packages/mp/src/mp/describe/integration/prompt_constructors/integration.py b/packages/mp/src/mp/describe/integration/prompt_constructors/integration.py index f1ae07eed..eab2c587c 100644 --- a/packages/mp/src/mp/describe/integration/prompt_constructors/integration.py +++ b/packages/mp/src/mp/describe/integration/prompt_constructors/integration.py @@ -16,6 +16,7 @@ import contextlib import logging +import tomllib from string import Template from typing import TYPE_CHECKING, Any @@ -57,6 +58,8 @@ async def construct(self) -> str: "integration_name": self.integration_name, "integration_description": await self._get_integration_description(), "actions_ai_descriptions": await self._get_actions_ai_descriptions(), + "connectors_ai_descriptions": await self._get_connectors_ai_descriptions(), + "jobs_ai_descriptions": await self._get_jobs_ai_descriptions(), }) async def _get_integration_description(self) -> str: @@ -111,8 +114,8 @@ async def _get_description_from_pyproject(self) -> str | None: return None content: str = await pyproject_file.read_text(encoding="utf-8") - with contextlib.suppress(yaml.YAMLError): - data: dict[str, Any] = yaml.safe_load(content) + with contextlib.suppress(Exception): + data: dict[str, Any] = tomllib.loads(content) if project_data := data.get("project"): return project_data.get("description") @@ -125,3 +128,17 @@ async def _get_actions_ai_descriptions(self) -> str: if await actions_ai_file.exists(): return await actions_ai_file.read_text(encoding="utf-8") return "N/A" + + async def _get_connectors_ai_descriptions(self) -> str: + ai_dir: anyio.Path = self.integration / constants.RESOURCES_DIR / constants.AI_DIR + connectors_ai_file: anyio.Path = ai_dir / constants.CONNECTORS_AI_DESCRIPTION_FILE + if await connectors_ai_file.exists(): + return await connectors_ai_file.read_text(encoding="utf-8") + return "N/A" + + async def _get_jobs_ai_descriptions(self) -> str: + ai_dir: anyio.Path = self.integration / constants.RESOURCES_DIR / constants.AI_DIR + jobs_ai_file: anyio.Path = ai_dir / constants.JOBS_AI_DESCRIPTION_FILE + if await jobs_ai_file.exists(): + return await jobs_ai_file.read_text(encoding="utf-8") + return "N/A" diff --git a/packages/mp/src/mp/describe/integration/prompts/task.md b/packages/mp/src/mp/describe/integration/prompts/task.md index b7bfab9d7..e5dd29f8d 100644 --- a/packages/mp/src/mp/describe/integration/prompts/task.md +++ b/packages/mp/src/mp/describe/integration/prompts/task.md @@ -4,9 +4,12 @@ I have provided the following information for a Google SecOps integration: 1. `Integration Name`: The name of the integration. 2. `Integration Description`: The original description of the integration. 3. `Actions AI Descriptions`: A collection of AI-generated descriptions for all actions in this integration. +4. `Connectors AI Descriptions`: A collection of AI-generated descriptions for all connectors in this integration. +5. `Jobs AI Descriptions`: A collection of AI-generated descriptions for all jobs in this integration. **Instructions:** Analyze the provided information and determine the product categories that best describe the integration's capabilities. +Connectors are especially important for determining if the integration is a SIEM or EDR, as they handle the data ingestion. **Current Task Input:** @@ -16,6 +19,12 @@ Integration Description: ${integration_description} Actions AI Descriptions: ${actions_ai_descriptions} +Connectors AI Descriptions: +${connectors_ai_descriptions} + +Jobs AI Descriptions: +${jobs_ai_descriptions} + **Final Instructions:** Based on the input data, return an IntegrationAiMetadata object containing the product categories. A category should be marked as true if the integration has capabilities that match its "When to Use" and "Expected Outcome" descriptions. diff --git a/packages/mp/src/mp/describe/integration/typer_app.py b/packages/mp/src/mp/describe/integration/typer_app.py index c3930dbc2..33c901508 100644 --- a/packages/mp/src/mp/describe/integration/typer_app.py +++ b/packages/mp/src/mp/describe/integration/typer_app.py @@ -34,14 +34,14 @@ help="Describe integrations using Gemini.", epilog=( "Examples:\n\n" - " $ mp describe integration -i aws_ec2\n\n" + " $ mp describe integration aws_ec2\n\n" " $ mp describe integration --all\n\n" " $ mp describe integration --all --src ./custom_folder\n\n" ), no_args_is_help=True, ) def describe( # noqa: PLR0913 - integration: Annotated[str | None, typer.Argument(help="Integration name")] = None, + integrations: Annotated[list[str] | None, typer.Argument(help="Integration names")] = None, *, all_marketplace: Annotated[ bool, @@ -79,6 +79,7 @@ def describe( # noqa: PLR0913 bool, typer.Option( "--override", + "-o", help="Rewrite integrations that already have their description.", ), ] = False, @@ -86,7 +87,7 @@ def describe( # noqa: PLR0913 """Describe integrations. Args: - integration: The name of the integration. + integrations: The names of the integrations. all_marketplace: Whether to describe all integrations in the marketplace. src: Customize the source folder to describe from. dst: Customize destination folder to save the AI descriptions. @@ -95,19 +96,22 @@ def describe( # noqa: PLR0913 override: Whether to rewrite existing descriptions. Raises: - typer.Exit: If neither --integration nor --all is specified. + typer.Exit: If neither integrations nor --all is specified. """ run_params: mp.core.config.RuntimeParams = mp.core.config.RuntimeParams(quiet, verbose) run_params.set_in_config() - if integration: + if integrations: sem: asyncio.Semaphore = asyncio.Semaphore(mp.core.config.get_gemini_concurrency()) - asyncio.run( - DescribeIntegration(integration, src=src, dst=dst, override=override).describe(sem=sem) - ) + for integration in integrations: + asyncio.run( + DescribeIntegration(integration, src=src, dst=dst, override=override).describe( + sem=sem + ) + ) elif all_marketplace: asyncio.run(describe_all_integrations(src=src, dst=dst, override=override)) else: - rich.print("[red]Please specify either --integration or --all[/red]") + rich.print("[red]Please specify either integrations or --all[/red]") raise typer.Exit(code=1) diff --git a/packages/mp/src/mp/describe/job/__init__.py b/packages/mp/src/mp/describe/job/__init__.py new file mode 100644 index 000000000..58d482ea3 --- /dev/null +++ b/packages/mp/src/mp/describe/job/__init__.py @@ -0,0 +1,13 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. diff --git a/packages/mp/src/mp/describe/job/describe.py b/packages/mp/src/mp/describe/job/describe.py new file mode 100644 index 000000000..d287bef30 --- /dev/null +++ b/packages/mp/src/mp/describe/job/describe.py @@ -0,0 +1,144 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import annotations + +import json +import logging +from typing import TYPE_CHECKING, NamedTuple + +import yaml + +from mp.core import constants +from mp.core.data_models.integrations.job.ai.metadata import JobAiMetadata +from mp.describe.common.describe import DescribeBase, IntegrationStatus + +from .prompt_constructors.built import BuiltPromptConstructor +from .prompt_constructors.source import SourcePromptConstructor + +if TYPE_CHECKING: + import pathlib + + import anyio + +logger: logging.Logger = logging.getLogger(__name__) + + +class DescriptionParams(NamedTuple): + integration: anyio.Path + integration_name: str + job_name: str + job_file_name: str + status: IntegrationStatus + + +class DescribeJob(DescribeBase[JobAiMetadata]): + def __init__( + self, + integration: str, + jobs: set[str], + *, + src: pathlib.Path | None = None, + dst: pathlib.Path | None = None, + override: bool = False, + ) -> None: + super().__init__(integration, jobs, src=src, dst=dst, override=override) + self._job_name_to_file_stem: dict[str, str] = {} + + @property + def metadata_file_name(self) -> str: + """Get the name of the metadata file.""" + return constants.JOBS_AI_DESCRIPTION_FILE + + @property + def resource_type_name(self) -> str: + """Get the resource type name.""" + return "job" + + @property + def response_schema(self) -> type[JobAiMetadata]: + """Get the response schema.""" + return JobAiMetadata + + async def _get_all_resources(self, status: IntegrationStatus) -> set[str]: + jobs: set[str] = set() + if status.is_built: + await self._get_all_built_jobs(status.out_path, jobs) + else: + await self._get_all_non_built_jobs(jobs) + return jobs + + async def _get_all_built_jobs(self, out_path: anyio.Path, jobs: set[str]) -> None: + path: anyio.Path = out_path / constants.OUT_JOBS_META_DIR + if await path.exists(): + async for file in path.glob(f"*{constants.JOBS_META_SUFFIX}"): + content: str = await file.read_text(encoding="utf-8") + try: + data: dict = json.loads(content) + name: str = data["Name"] + self._job_name_to_file_stem[name] = file.stem + jobs.add(name) + except (json.JSONDecodeError, KeyError): + logger.warning("Failed to parse built job metadata %s", file.name) + + async def _get_all_non_built_jobs(self, jobs: set[str]) -> None: + path: anyio.Path = self.integration / constants.JOBS_DIR + if await path.exists(): + async for file in path.glob(f"*{constants.YAML_SUFFIX}"): + content: str = await file.read_text(encoding="utf-8") + try: + data: dict = yaml.safe_load(content) + name: str = data["name"] + self._job_name_to_file_stem[name] = file.stem + jobs.add(name) + except (yaml.YAMLError, KeyError): + logger.warning("Failed to parse non-built job metadata %s", file.name) + + async def _construct_prompts( + self, resources: list[str], status: IntegrationStatus + ) -> list[str]: + prompts: list[str] = [] + for job_name in resources: + params = DescriptionParams( + self.integration, + self.integration_name, + job_name, + self._job_name_to_file_stem.get(job_name, job_name), + status, + ) + constructor: BuiltPromptConstructor | SourcePromptConstructor = ( + _create_prompt_constructor(params) + ) + prompts.append(await constructor.construct()) + return prompts + + +def _create_prompt_constructor( + params: DescriptionParams, +) -> BuiltPromptConstructor | SourcePromptConstructor: + if params.status.is_built: + return BuiltPromptConstructor( + params.integration, + params.integration_name, + params.job_name, + params.job_file_name, + params.status.out_path, + ) + return SourcePromptConstructor( + params.integration, + params.integration_name, + params.job_name, + params.job_file_name, + params.status.out_path, + ) diff --git a/packages/mp/src/mp/describe/job/describe_all.py b/packages/mp/src/mp/describe/job/describe_all.py new file mode 100644 index 000000000..c6571fb4c --- /dev/null +++ b/packages/mp/src/mp/describe/job/describe_all.py @@ -0,0 +1,47 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import annotations + +from typing import TYPE_CHECKING + +from mp.describe.common.describe_all import ( + MarketplaceOrchestratorBase, + get_all_integrations_paths, +) + +from .describe import DescribeJob + +if TYPE_CHECKING: + from pathlib import Path + + +async def describe_all_jobs( + src: Path | None = None, dst: Path | None = None, *, override: bool = False +) -> None: + """Describe all jobs in all integrations in the marketplace.""" + integrations_paths: list[Path] = get_all_integrations_paths(src=src) + orchestrator = _MarketplaceOrchestrator(src, integrations_paths, dst=dst, override=override) + await orchestrator.run() + + +class _MarketplaceOrchestrator(MarketplaceOrchestratorBase): + def _create_describer(self, integration_name: str) -> DescribeJob: + return DescribeJob( + integration=integration_name, + jobs=set(), + src=self.src, + dst=self.dst, + override=self.override, + ) diff --git a/packages/mp/src/mp/describe/job/prompt_constructors/__init__.py b/packages/mp/src/mp/describe/job/prompt_constructors/__init__.py new file mode 100644 index 000000000..58d482ea3 --- /dev/null +++ b/packages/mp/src/mp/describe/job/prompt_constructors/__init__.py @@ -0,0 +1,13 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. diff --git a/packages/mp/src/mp/describe/job/prompt_constructors/built.py b/packages/mp/src/mp/describe/job/prompt_constructors/built.py new file mode 100644 index 000000000..6008811d2 --- /dev/null +++ b/packages/mp/src/mp/describe/job/prompt_constructors/built.py @@ -0,0 +1,84 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import annotations + +import io +from typing import TYPE_CHECKING + +from mp.core import constants + +from .job import JobPromptConstructor + +if TYPE_CHECKING: + from string import Template + + import anyio + +DEFAULT_FILE_CONTENT: str = "N/A" + + +class BuiltPromptConstructor(JobPromptConstructor): + __slots__: tuple[str, ...] = () + + async def construct(self) -> str: + """Construct the prompt for built jobs. + + Returns: + str: The constructed prompt. + + """ + manager_names, manager_content = await self._get_managers_names_and_content() + template: Template = await self.task_prompt + return template.safe_substitute({ + "json_file_name": f"{self.resource_file_name}.json", + "json_file_content": await self._get_built_job_def_content(), + "python_file_name": f"{self.resource_file_name}.py", + "python_file_content": await self._get_built_job_content(), + "manager_file_names": manager_names or DEFAULT_FILE_CONTENT, + "manager_files_content": manager_content or DEFAULT_FILE_CONTENT, + }) + + async def _get_managers_names_and_content(self) -> tuple[str, str]: + names: list[str] = [] + content: io.StringIO = io.StringIO() + managers_dir: anyio.Path = self.out_path / constants.OUT_MANAGERS_SCRIPTS_DIR + if await managers_dir.exists(): + async for core_file in managers_dir.glob("*.py"): + names.append(core_file.name) + content.write("```python\n") + content.write(await core_file.read_text(encoding="utf-8")) + content.write("\n```\n\n") + + return ", ".join(names), content.getvalue() + + async def _get_built_job_def_content(self) -> str: + job_def: anyio.Path = ( + self.out_path + / constants.OUT_JOBS_META_DIR + / f"{self.resource_file_name}{constants.JOBS_META_SUFFIX}" + ) + if await job_def.exists(): + return await job_def.read_text(encoding="utf-8") + + return DEFAULT_FILE_CONTENT + + async def _get_built_job_content(self) -> str: + job_script: anyio.Path = ( + self.out_path / constants.OUT_JOB_SCRIPTS_DIR / f"{self.resource_file_name}.py" + ) + if await job_script.exists(): + return await job_script.read_text(encoding="utf-8") + + return DEFAULT_FILE_CONTENT diff --git a/packages/mp/src/mp/describe/job/prompt_constructors/job.py b/packages/mp/src/mp/describe/job/prompt_constructors/job.py new file mode 100644 index 000000000..7c260d12c --- /dev/null +++ b/packages/mp/src/mp/describe/job/prompt_constructors/job.py @@ -0,0 +1,37 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import annotations + +from abc import ABC +from string import Template + +import anyio + +from mp.describe.common.prompt_constructors.resource import ResourcePromptConstructor + + +class JobPromptConstructor(ResourcePromptConstructor, ABC): + __slots__: tuple[str, ...] = () + + @staticmethod + async def get_task_prompt() -> Template: + """Get the task prompt. + + Returns: + Template: The task prompt. + + """ + prompt_file: anyio.Path = anyio.Path(__file__).parent.parent / "prompts" / "task.md" + return Template(await prompt_file.read_text(encoding="utf-8")) diff --git a/packages/mp/src/mp/describe/job/prompt_constructors/source.py b/packages/mp/src/mp/describe/job/prompt_constructors/source.py new file mode 100644 index 000000000..4e9cc07f7 --- /dev/null +++ b/packages/mp/src/mp/describe/job/prompt_constructors/source.py @@ -0,0 +1,84 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import annotations + +import io +from typing import TYPE_CHECKING + +from mp.core import constants + +from .job import JobPromptConstructor + +if TYPE_CHECKING: + from string import Template + + import anyio + +DEFAULT_FILE_CONTENT: str = "N/A" + + +class SourcePromptConstructor(JobPromptConstructor): + __slots__: tuple[str, ...] = () + + async def construct(self) -> str: + """Construct the prompt for non-built jobs. + + Returns: + str: The constructed prompt. + + """ + core_names, core_content = await self._get_core_modules_names_and_content() + template: Template = await self.task_prompt + return template.safe_substitute({ + "json_file_name": f"{self.resource_file_name}.yaml", + "json_file_content": await self._get_non_built_job_def_content(), + "python_file_name": f"{self.resource_file_name}.py", + "python_file_content": await self._get_non_built_job_content(), + "manager_file_names": core_names or DEFAULT_FILE_CONTENT, + "manager_files_content": core_content or DEFAULT_FILE_CONTENT, + }) + + async def _get_core_modules_names_and_content(self) -> tuple[str, str]: + names: list[str] = [] + content: io.StringIO = io.StringIO() + core_dir: anyio.Path = self.integration / constants.CORE_SCRIPTS_DIR + if await core_dir.exists(): + async for core_file in core_dir.glob("*.py"): + names.append(core_file.name) + content.write("```python\n") + content.write(await core_file.read_text(encoding="utf-8")) + content.write("\n```\n\n") + + return ", ".join(names), content.getvalue() + + async def _get_non_built_job_def_content(self) -> str: + job_yaml: anyio.Path = ( + self.integration + / constants.JOBS_DIR + / f"{self.resource_file_name}{constants.YAML_SUFFIX}" + ) + if await job_yaml.exists(): + return await job_yaml.read_text(encoding="utf-8") + + return DEFAULT_FILE_CONTENT + + async def _get_non_built_job_content(self) -> str: + job_script: anyio.Path = ( + self.integration / constants.JOBS_DIR / f"{self.resource_file_name}.py" + ) + if await job_script.exists(): + return await job_script.read_text(encoding="utf-8") + + return DEFAULT_FILE_CONTENT diff --git a/packages/mp/src/mp/describe/job/prompts/task.md b/packages/mp/src/mp/describe/job/prompts/task.md new file mode 100644 index 000000000..a419723cd --- /dev/null +++ b/packages/mp/src/mp/describe/job/prompts/task.md @@ -0,0 +1,61 @@ +**Input Data:** +I have provided the following files for a Google SecOps job: + +1. `Script Code`: The Python logic. +2. `Script Settings`: The JSON/YAML metadata containing parameters and configuration. + +**Reference Documentation:** + +* **SOAR SDK:** https://github.com/chronicle/soar-sdk/tree/main/src/soar_sdk +* **TIPCommon:** https://github.com/chronicle/content-hub/tree/main/packages/tipcommon/TIPCommon +* **SOAR SDK Docs:** + * https://docs.cloud.google.com/chronicle/docs/soar/reference/siemplify-job-module + +**Instructions:** + +1. **Analyze the Description:** Synthesize the `Script Code` logic and `Script Settings` description to create a detailed AI description. + * *Style:* Active voice. Concise yet informative. + * *Content:* Explain the job's purpose, what it does (e.g., maintenance, enrichment, synchronization), and how it interacts with external services or SOAR data. + * *Sections:* + * **General description**: A high-level overview of the job's purpose. + * **Parameters description**: A markdown table describing the configuration parameters (name, expected type, mandatory status, and description). + * **Flow description**: A numbered or bulleted list describing the job's execution flow. + +2. **Format the Output:** The result must be a JSON object with a single field `ai_description` containing the markdown-formatted description. + +**Example Output:** + +```json +{ + "ai_description": "### General Description\nThis job synchronizes assets from an external CMDB to Google SecOps. It ensures that asset information is kept up to date for investigations.\n\n### Parameters Description\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| CMDB URL | String | Yes | The URL of the CMDB service. |\n| Sync Interval | Integer | No | Minutes between sync runs. |\n\n### Flow Description\n1. Queries the external CMDB for assets modified since the last run.\n2. Compares fetched assets with existing assets in SOAR.\n3. Updates or creates asset records in SOAR accordingly." +} +``` + +**Current Task Input:** + +— START OF FILE ${json_file_name}— + +``` +${json_file_content} +``` + +— END OF FILE ${json_file_name}— + +— START OF FILE ${python_file_name}— + +```python +${python_file_content} +``` + +— END OF FILE ${python_file_name}— + +— START OF FILE ${manager_file_names}— +${manager_files_content} +— END OF FILE ${manager_file_names}— + +**Final Instructions:** +Based strictly on the provided "Current Task Input": + +1. Analyze the code flow and settings. +2. Construct the AI Description. +3. Ensure valid JSON syntax. diff --git a/packages/mp/src/mp/describe/job/typer_app.py b/packages/mp/src/mp/describe/job/typer_app.py new file mode 100644 index 000000000..9cd420eea --- /dev/null +++ b/packages/mp/src/mp/describe/job/typer_app.py @@ -0,0 +1,127 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import annotations + +import asyncio +import pathlib # noqa: TC003 +from typing import Annotated + +import rich +import typer + +import mp.core.config + +from .describe import DescribeJob +from .describe_all import describe_all_jobs + +app = typer.Typer(help="Describe jobs in the marketplace.") + + +@app.command() +def job( # noqa: PLR0913 + jobs: Annotated[list[str] | None, typer.Argument(help="Job names")] = None, + integration: Annotated[ + str | None, typer.Option("-i", "--integration", help="Integration name") + ] = None, + *, + all_marketplace: Annotated[ + bool, + typer.Option( + "-a", + "--all", + help=( + "Describe all integrations in the marketplace, or all jobs if an" + " integration is specified" + ), + ), + ] = False, + src: Annotated[ + pathlib.Path | None, + typer.Option( + help="The path to the marketplace. If not provided, the configured path will be used." + ), + ] = None, + dst: Annotated[ + pathlib.Path | None, + typer.Option( + help=( + "The path to save the descriptions to. If not provided, they will be" + " saved in the marketplace." + ) + ), + ] = None, + override: Annotated[ + bool, + typer.Option( + "--override", + "-o", + help="Whether to override existing descriptions.", + ), + ] = False, + quiet: Annotated[ + bool, + typer.Option( + "--quiet", + "-q", + help="Log less on runtime.", + ), + ] = False, + verbose: Annotated[ + bool, + typer.Option( + "--verbose", + "-v", + help="Log more on runtime.", + ), + ] = False, +) -> None: + """Describe jobs in a given integration. + + Args: + jobs: The names of the jobs to describe. + integration: The name of the integration to describe jobs for. + all_marketplace: Whether to describe all integrations or all jobs for the integration. + src: The path to the marketplace. + dst: The path to save the descriptions to. + override: Whether to override existing descriptions. + quiet: Log less on runtime. + verbose: Log more on runtime. + + Raises: + typer.Exit: If neither --integration nor --all is specified. + + """ + run_params: mp.core.config.RuntimeParams = mp.core.config.RuntimeParams(quiet, verbose) + run_params.set_in_config() + + sem = asyncio.Semaphore(mp.core.config.get_gemini_concurrency()) + if integration: + target_job_file_names: set[str] = set(jobs) if jobs else set() + if all_marketplace: + target_job_file_names = set() + + describer = DescribeJob( + integration, + target_job_file_names, + src=src, + dst=dst, + override=override, + ) + asyncio.run(describer.describe(sem=sem)) + elif all_marketplace: + asyncio.run(describe_all_jobs(src=src, dst=dst, override=override)) + else: + rich.print("[red]Please specify either --integration or --all[/red]") + raise typer.Exit(code=1) diff --git a/packages/mp/src/mp/describe/typer_app.py b/packages/mp/src/mp/describe/typer_app.py index 83545fa35..6143b5828 100644 --- a/packages/mp/src/mp/describe/typer_app.py +++ b/packages/mp/src/mp/describe/typer_app.py @@ -13,12 +13,73 @@ # limitations under the License. from __future__ import annotations +import asyncio +import pathlib # noqa: TC003 +from typing import Annotated + import typer +import mp.core.config + from .action.typer_app import app as action_app +from .all_content import describe_all_content +from .connector.typer_app import app as connector_app from .integration.typer_app import app as integration_app +from .job.typer_app import app as job_app app: typer.Typer = typer.Typer(help="Commands for creating description for content using Gemini") app.add_typer(action_app) +app.add_typer(connector_app) app.add_typer(integration_app) +app.add_typer(job_app) + + +@app.command( + name="all-content", + help=( + "Describe all content (actions, connectors, jobs, and the integration) for a given" + " integration." + ), +) +def all_content( # noqa: PLR0913 + integration: Annotated[str, typer.Argument(help="Integration name")], + *, + src: Annotated[ + pathlib.Path | None, + typer.Option(help="Customize source folder to describe from."), + ] = None, + dst: Annotated[ + pathlib.Path | None, + typer.Option(help="Customize destination folder to save the AI descriptions."), + ] = None, + quiet: Annotated[ + bool, + typer.Option( + "--quiet", + "-q", + help="Log less on runtime.", + ), + ] = False, + verbose: Annotated[ + bool, + typer.Option( + "--verbose", + "-v", + help="Log more on runtime.", + ), + ] = False, + override: Annotated[ + bool, + typer.Option( + "--override", + "-o", + help="Rewrite content that already have their description.", + ), + ] = False, +) -> None: + """Describe all content in an integration.""" + run_params: mp.core.config.RuntimeParams = mp.core.config.RuntimeParams(quiet, verbose) + run_params.set_in_config() + + asyncio.run(describe_all_content(integration, src=src, dst=dst, override=override)) diff --git a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/resources/ai/actions_ai_description.yaml b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/resources/ai/actions_ai_description.yaml new file mode 100644 index 000000000..6ece67598 --- /dev/null +++ b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/resources/ai/actions_ai_description.yaml @@ -0,0 +1,13 @@ +ping: + ai_description: Mock AI description for ping action + capabilities: + enrichment: false + internal_mutation: false + mutation: false + categories: + enrichment: false + entity_usage: + created_entities: [] + used_entities: [] + product_categories: + siem: true diff --git a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/resources/ai/connectors_ai_description.yaml b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/resources/ai/connectors_ai_description.yaml new file mode 100644 index 000000000..5fa100127 --- /dev/null +++ b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/resources/ai/connectors_ai_description.yaml @@ -0,0 +1,10 @@ +connector: + ai_description: Mock AI description for connector + capabilities: + enrichment: true + internal_mutation: false + mutation: false + categories: + enrichment: true + product_categories: + siem: true diff --git a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/resources/ai/integration_ai_description.yaml b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..466738966 --- /dev/null +++ b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + siem: true + threat_intelligence: false + vulnerability_management: false diff --git a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/resources/ai/jobs_ai_description.yaml b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/resources/ai/jobs_ai_description.yaml new file mode 100644 index 000000000..eab7f2b08 --- /dev/null +++ b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/resources/ai/jobs_ai_description.yaml @@ -0,0 +1,10 @@ +job: + ai_description: Mock AI description for job + capabilities: + enrichment: false + internal_mutation: false + mutation: false + categories: + enrichment: false + product_categories: + siem: true diff --git a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/resources/ai/actions_ai_description.yaml b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/resources/ai/actions_ai_description.yaml new file mode 100644 index 000000000..6ece67598 --- /dev/null +++ b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/resources/ai/actions_ai_description.yaml @@ -0,0 +1,13 @@ +ping: + ai_description: Mock AI description for ping action + capabilities: + enrichment: false + internal_mutation: false + mutation: false + categories: + enrichment: false + entity_usage: + created_entities: [] + used_entities: [] + product_categories: + siem: true diff --git a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/resources/ai/connectors_ai_description.yaml b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/resources/ai/connectors_ai_description.yaml new file mode 100644 index 000000000..5fa100127 --- /dev/null +++ b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/resources/ai/connectors_ai_description.yaml @@ -0,0 +1,10 @@ +connector: + ai_description: Mock AI description for connector + capabilities: + enrichment: true + internal_mutation: false + mutation: false + categories: + enrichment: true + product_categories: + siem: true diff --git a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/resources/ai/integration_ai_description.yaml b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..466738966 --- /dev/null +++ b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + siem: true + threat_intelligence: false + vulnerability_management: false diff --git a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/resources/ai/jobs_ai_description.yaml b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/resources/ai/jobs_ai_description.yaml new file mode 100644 index 000000000..eab7f2b08 --- /dev/null +++ b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/resources/ai/jobs_ai_description.yaml @@ -0,0 +1,10 @@ +job: + ai_description: Mock AI description for job + capabilities: + enrichment: false + internal_mutation: false + mutation: false + categories: + enrichment: false + product_categories: + siem: true diff --git a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/third_party/mock_integration/resources/ai/actions_ai_description.yaml b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/third_party/mock_integration/resources/ai/actions_ai_description.yaml new file mode 100644 index 000000000..6ece67598 --- /dev/null +++ b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/third_party/mock_integration/resources/ai/actions_ai_description.yaml @@ -0,0 +1,13 @@ +ping: + ai_description: Mock AI description for ping action + capabilities: + enrichment: false + internal_mutation: false + mutation: false + categories: + enrichment: false + entity_usage: + created_entities: [] + used_entities: [] + product_categories: + siem: true diff --git a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/third_party/mock_integration/resources/ai/connectors_ai_description.yaml b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/third_party/mock_integration/resources/ai/connectors_ai_description.yaml new file mode 100644 index 000000000..5fa100127 --- /dev/null +++ b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/third_party/mock_integration/resources/ai/connectors_ai_description.yaml @@ -0,0 +1,10 @@ +connector: + ai_description: Mock AI description for connector + capabilities: + enrichment: true + internal_mutation: false + mutation: false + categories: + enrichment: true + product_categories: + siem: true diff --git a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/third_party/mock_integration/resources/ai/integrations_ai_description.yaml b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/third_party/mock_integration/resources/ai/integration_ai_description.yaml similarity index 100% rename from packages/mp/tests/test_mp/mock_content_hub/response_integrations/third_party/mock_integration/resources/ai/integrations_ai_description.yaml rename to packages/mp/tests/test_mp/mock_content_hub/response_integrations/third_party/mock_integration/resources/ai/integration_ai_description.yaml diff --git a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/third_party/mock_integration/resources/ai/jobs_ai_description.yaml b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/third_party/mock_integration/resources/ai/jobs_ai_description.yaml new file mode 100644 index 000000000..eab7f2b08 --- /dev/null +++ b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/third_party/mock_integration/resources/ai/jobs_ai_description.yaml @@ -0,0 +1,10 @@ +job: + ai_description: Mock AI description for job + capabilities: + enrichment: false + internal_mutation: false + mutation: false + categories: + enrichment: false + product_categories: + siem: true diff --git a/packages/mp/tests/test_mp/test_all_content.py b/packages/mp/tests/test_mp/test_all_content.py new file mode 100644 index 000000000..f1534ec1d --- /dev/null +++ b/packages/mp/tests/test_mp/test_all_content.py @@ -0,0 +1,109 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import annotations + +from typing import TYPE_CHECKING +from unittest import mock + +import pytest +import yaml + +from mp.core import constants +from mp.describe.all_content import describe_all_content + +if TYPE_CHECKING: + from pathlib import Path + + +@pytest.fixture +def mock_integration_full(tmp_path: Path) -> Path: + integration_path = tmp_path / "mock_integration" + integration_path.mkdir() + + # Create actions + actions_dir = integration_path / constants.ACTIONS_DIR + actions_dir.mkdir() + (actions_dir / "test_action.yaml").write_text( + yaml.safe_dump({"name": "Test Action", "description": "A test action"}), + encoding="utf-8", + ) + (actions_dir / "test_action.py").write_text("def action(): pass", encoding="utf-8") + + # Create connectors + connectors_dir = integration_path / constants.CONNECTORS_DIR + connectors_dir.mkdir() + (connectors_dir / "test_connector.yaml").write_text( + yaml.safe_dump({"name": "Test Connector", "description": "A test connector"}), + encoding="utf-8", + ) + (connectors_dir / "test_connector.py").write_text("class Connector: pass", encoding="utf-8") + + # Create jobs + jobs_dir = integration_path / constants.JOBS_DIR + jobs_dir.mkdir() + (jobs_dir / "test_job.yaml").write_text( + yaml.safe_dump({"name": "Test Job", "description": "A test job"}), encoding="utf-8" + ) + (jobs_dir / "test_job.py").write_text("class Job: pass", encoding="utf-8") + + # Create definition.yaml + (integration_path / constants.DEFINITION_FILE).write_text( + yaml.safe_dump({"description": "Mock integration description"}), encoding="utf-8" + ) + + return integration_path + + +@pytest.mark.anyio +async def test_describe_all_content(mock_integration_full: Path) -> None: + # We need to mock call_gemini_bulk to return appropriate objects for each call. + # DescribeAction, DescribeConnector, DescribeJob, and finally DescribeIntegration. + + action_response = mock.Mock() + action_response.model_dump.return_value = {"ai_description": "Action AI"} + + connector_response = mock.Mock() + connector_response.model_dump.return_value = {"ai_description": "Connector AI"} + + job_response = mock.Mock() + job_response.model_dump.return_value = {"ai_description": "Job AI"} + + integration_response = mock.Mock() + # IntegrationAiMetadata (just some categories) + integration_response.model_dump.return_value = {"endpoint_security": True} + + responses = [ + [action_response], + [connector_response], + [job_response], + [integration_response], + ] + + with mock.patch("mp.describe.common.utils.llm.call_gemini_bulk", side_effect=responses): + await describe_all_content( + integration="mock_integration", + src=mock_integration_full.parent, + ) + + # Check if all files were created + ai_dir = mock_integration_full / constants.RESOURCES_DIR / constants.AI_DIR + assert (ai_dir / constants.ACTIONS_AI_DESCRIPTION_FILE).exists() + assert (ai_dir / constants.CONNECTORS_AI_DESCRIPTION_FILE).exists() + assert (ai_dir / constants.JOBS_AI_DESCRIPTION_FILE).exists() + assert (ai_dir / constants.INTEGRATIONS_AI_DESCRIPTION_FILE).exists() + + # Verify integration AI description + content = yaml.safe_load((ai_dir / constants.INTEGRATIONS_AI_DESCRIPTION_FILE).read_text()) + assert content["endpoint_security"] is True diff --git a/packages/mp/tests/test_mp/test_core/test_file_utils/test_integrations_file_utils.py b/packages/mp/tests/test_mp/test_core/test_file_utils/test_integrations_file_utils.py index 2ac321db1..08fae8ea4 100644 --- a/packages/mp/tests/test_mp/test_core/test_file_utils/test_integrations_file_utils.py +++ b/packages/mp/tests/test_mp/test_core/test_file_utils/test_integrations_file_utils.py @@ -135,6 +135,7 @@ def test_get_integration_base_folders_paths(tmp_path: Path) -> None: third_party = tmp_path / mp.core.constants.THIRD_PARTY_REPO_NAME expected_third_party_paths = [ + third_party, tmp_path / mp.core.constants.POWERUPS_DIR_NAME, third_party / mp.core.constants.COMMUNITY_DIR_NAME, third_party / mp.core.constants.PARTNER_DIR_NAME, diff --git a/packages/mp/tests/test_mp/test_describe_cli.py b/packages/mp/tests/test_mp/test_describe_cli.py new file mode 100644 index 000000000..17bb49bdf --- /dev/null +++ b/packages/mp/tests/test_mp/test_describe_cli.py @@ -0,0 +1,106 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import annotations + +from typing import TYPE_CHECKING +from unittest import mock + +import pytest +from typer.testing import CliRunner + +from mp.describe.typer_app import app + +if TYPE_CHECKING: + from collections.abc import Generator + +runner = CliRunner() + + +@pytest.fixture +def mock_describe_action() -> Generator[mock.MagicMock, None, None]: + with mock.patch("mp.describe.action.typer_app.DescribeAction") as mock_class: + mock_class.return_value.describe_actions = mock.AsyncMock() + yield mock_class + + +@pytest.fixture +def mock_describe_connector() -> Generator[mock.MagicMock, None, None]: + with mock.patch("mp.describe.connector.typer_app.DescribeConnector") as mock_class: + mock_class.return_value.describe = mock.AsyncMock() + yield mock_class + + +@pytest.fixture +def mock_describe_job() -> Generator[mock.MagicMock, None, None]: + with mock.patch("mp.describe.job.typer_app.DescribeJob") as mock_class: + mock_class.return_value.describe = mock.AsyncMock() + yield mock_class + + +@pytest.fixture +def mock_describe_integration() -> Generator[mock.MagicMock, None, None]: + with mock.patch("mp.describe.integration.typer_app.DescribeIntegration") as mock_class: + mock_class.return_value.describe = mock.AsyncMock() + yield mock_class + + +def test_describe_action_cli(mock_describe_action: mock.MagicMock) -> None: + # mp describe action [ACTIONS]... -i INTEGRATION + result = runner.invoke(app, ["action", "ping", "get_logs", "-i", "aws_ec2"]) + assert result.exit_code == 0 + mock_describe_action.assert_called_once() + args, _ = mock_describe_action.call_args + assert args[0] == "aws_ec2" + assert args[1] == {"ping", "get_logs"} + + +def test_describe_connector_cli(mock_describe_connector: mock.MagicMock) -> None: + # mp describe connector [CONNECTORS]... -i INTEGRATION + result = runner.invoke(app, ["connector", "my_conn", "-i", "my_int"]) + assert result.exit_code == 0 + mock_describe_connector.assert_called_once() + args, _ = mock_describe_connector.call_args + assert args[0] == "my_int" + assert args[1] == {"my_conn"} + + +def test_describe_job_cli(mock_describe_job: mock.MagicMock) -> None: + # mp describe job [JOBS]... -i INTEGRATION + result = runner.invoke(app, ["job", "my_job", "-i", "my_int"]) + assert result.exit_code == 0 + mock_describe_job.assert_called_once() + args, _ = mock_describe_job.call_args + assert args[0] == "my_int" + assert args[1] == {"my_job"} + + +def test_describe_integration_cli(mock_describe_integration: mock.MagicMock) -> None: + # mp describe integration [INTEGRATIONS]... + result = runner.invoke(app, ["integration", "int1", "int2"]) + assert result.exit_code == 0 + assert mock_describe_integration.call_count == 2 + # Check first call + args, _ = mock_describe_integration.call_args_list[0] + assert args[0] == "int1" + # Check second call + args, _ = mock_describe_integration.call_args_list[1] + assert args[0] == "int2" + + +def test_all_content_cli() -> None: + with mock.patch("mp.describe.typer_app.describe_all_content") as mock_all: + result = runner.invoke(app, ["all-content", "my_int"]) + assert result.exit_code == 0 + mock_all.assert_called_once_with("my_int", src=None, dst=None, override=False) diff --git a/packages/mp/tests/test_mp/test_describe_resources.py b/packages/mp/tests/test_mp/test_describe_resources.py new file mode 100644 index 000000000..20ea6bf83 --- /dev/null +++ b/packages/mp/tests/test_mp/test_describe_resources.py @@ -0,0 +1,148 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import annotations + +from typing import TYPE_CHECKING +from unittest import mock + +import pytest +import yaml + +from mp.core import constants +from mp.describe.connector.describe import DescribeConnector +from mp.describe.integration.describe import DescribeIntegration +from mp.describe.job.describe import DescribeJob + +if TYPE_CHECKING: + from pathlib import Path + + +@pytest.fixture +def mock_integration_path(tmp_path: Path) -> Path: + integration_path = tmp_path / "mock_integration" + integration_path.mkdir() + + # Create connectors dir + connectors_dir = integration_path / constants.CONNECTORS_DIR + connectors_dir.mkdir() + (connectors_dir / "test_connector.yaml").write_text( + yaml.safe_dump({"name": "Test Connector", "description": "A test connector"}), + encoding="utf-8", + ) + (connectors_dir / "test_connector.py").write_text("class TestConnector: pass", encoding="utf-8") + + # Create jobs dir + jobs_dir = integration_path / constants.JOBS_DIR + jobs_dir.mkdir() + (jobs_dir / "test_job.yaml").write_text( + yaml.safe_dump({"name": "Test Job", "description": "A test job"}), encoding="utf-8" + ) + (jobs_dir / "test_job.py").write_text("class TestJob: pass", encoding="utf-8") + + return integration_path + + +@pytest.mark.anyio +async def test_describe_connector(mock_integration_path: Path) -> None: + describer = DescribeConnector( + integration="mock_integration", + connectors={"Test Connector"}, + src=mock_integration_path.parent, + ) + + mock_response = mock.Mock() + mock_response.ai_description = "AI-generated connector description" + mock_response.model_dump.return_value = {"ai_description": "AI-generated connector description"} + + with mock.patch("mp.describe.common.utils.llm.call_gemini_bulk", return_value=[mock_response]): + await describer.describe() + + # Verify output file + ai_dir = mock_integration_path / constants.RESOURCES_DIR / constants.AI_DIR + output_file = ai_dir / constants.CONNECTORS_AI_DESCRIPTION_FILE + assert output_file.exists() + + content = yaml.safe_load(output_file.read_text(encoding="utf-8")) + assert "Test Connector" in content + assert content["Test Connector"]["ai_description"] == "AI-generated connector description" + + +@pytest.mark.anyio +async def test_describe_job(mock_integration_path: Path) -> None: + describer = DescribeJob( + integration="mock_integration", jobs={"Test Job"}, src=mock_integration_path.parent + ) + + mock_response = mock.Mock() + mock_response.ai_description = "AI-generated job description" + mock_response.model_dump.return_value = {"ai_description": "AI-generated job description"} + + with mock.patch("mp.describe.common.utils.llm.call_gemini_bulk", return_value=[mock_response]): + await describer.describe() + + # Verify output file + ai_dir = mock_integration_path / constants.RESOURCES_DIR / constants.AI_DIR + output_file = ai_dir / constants.JOBS_AI_DESCRIPTION_FILE + assert output_file.exists() + + content = yaml.safe_load(output_file.read_text(encoding="utf-8")) + assert "Test Job" in content + assert content["Test Job"]["ai_description"] == "AI-generated job description" + + +@pytest.mark.anyio +async def test_describe_integration(mock_integration_path: Path) -> None: + # 1. Create AI description files for context + ai_dir = mock_integration_path / constants.RESOURCES_DIR / constants.AI_DIR + ai_dir.mkdir(parents=True, exist_ok=True) + (ai_dir / constants.ACTIONS_AI_DESCRIPTION_FILE).write_text( + yaml.safe_dump({"test_action": {"description": "Action description"}}), + encoding="utf-8", + ) + (ai_dir / constants.CONNECTORS_AI_DESCRIPTION_FILE).write_text( + yaml.safe_dump({"test_connector": {"description": "Connector description"}}), + encoding="utf-8", + ) + (ai_dir / constants.JOBS_AI_DESCRIPTION_FILE).write_text( + yaml.safe_dump({"test_job": {"description": "Job description"}}), encoding="utf-8" + ) + + # 2. Add description to definition.yaml + (mock_integration_path / constants.DEFINITION_FILE).write_text( + yaml.safe_dump({"name": "mock_integration", "description": "integration_description"}), + encoding="utf-8", + ) + + describer = DescribeIntegration( + integration="mock_integration", + src=mock_integration_path.parent, + ) + + mock_response = mock.Mock() + mock_response.model_dump.return_value = { + "product_categories": ["SIEM"], + "summary": "Integration summary", + } + + with mock.patch("mp.describe.common.utils.llm.call_gemini_bulk", return_value=[mock_response]): + await describer.describe() + + # 3. Verify output file + output_file = ai_dir / constants.INTEGRATIONS_AI_DESCRIPTION_FILE + assert output_file.exists() + + content = yaml.safe_load(output_file.read_text(encoding="utf-8")) + assert content["product_categories"] == ["SIEM"] + assert content["summary"] == "Integration summary" diff --git a/packages/mp/tests/test_mp/test_dev_env/test_utils/test_minor_version_bump.py b/packages/mp/tests/test_mp/test_dev_env/test_utils/test_minor_version_bump.py index 30f9f62bb..3e23aa89d 100644 --- a/packages/mp/tests/test_mp/test_dev_env/test_utils/test_minor_version_bump.py +++ b/packages/mp/tests/test_mp/test_dev_env/test_utils/test_minor_version_bump.py @@ -30,7 +30,9 @@ from collections.abc import Iterator from pathlib import Path -INTEGRATIONS_CACHE_FOLDER_PATH: Path = get_marketplace_path() / ".integrations_cache" + +def get_integrations_cache_folder_path() -> Path: + return get_marketplace_path() / ".integrations_cache" @pytest.fixture @@ -70,7 +72,7 @@ def sandbox( shutil.move(built_dst / "Integration-mock_integration.def", def_path) version_cache_path: Path = ( - INTEGRATIONS_CACHE_FOLDER_PATH / integration_name / "version_cache.yaml" + get_integrations_cache_folder_path() / integration_name / "version_cache.yaml" ) try: @@ -82,14 +84,14 @@ def sandbox( "TMP_ROOT": tmp_path, } finally: - shutil.rmtree(INTEGRATIONS_CACHE_FOLDER_PATH / integration_name, ignore_errors=True) + shutil.rmtree(get_integrations_cache_folder_path() / integration_name, ignore_errors=True) class TestMinorVersionBump: def test_run_first_time_success(self, sandbox: dict[str, Path]) -> None: minor_version_bump(sandbox["BUILT"], sandbox["NON_BUILT"], sandbox["BUILT"].name) - assert INTEGRATIONS_CACHE_FOLDER_PATH.exists() + assert get_integrations_cache_folder_path().exists() assert sandbox["VERSION_CACHE"].exists() assert _load_cached_version(sandbox["VERSION_CACHE"]) == 2.2 assert _load_built_version(sandbox["DEF_FILE"]) == 2.2 @@ -166,8 +168,14 @@ def test_def_file_missing_raises_error_fail(self, sandbox: dict[str, Path]) -> N def _load_cached_version(version_cache_path: Path) -> float: + if not version_cache_path.exists(): + pytest.fail(f"Version cache file not found: {version_cache_path}") + with version_cache_path.open("r", encoding="utf-8") as f: versions_cache = yaml.safe_load(f) + if not versions_cache or "version" not in versions_cache: + pytest.fail(f"Version key not found in cache: {versions_cache}") + return versions_cache["version"] From 36e6044d19a538b83905cadacbb3b484770d5489 Mon Sep 17 00:00:00 2001 From: talshapir Date: Sun, 5 Apr 2026 17:23:09 +0300 Subject: [PATCH 11/26] add mp describe connector and job commands to enhance the integration description. Add a general describe command that describes all the content of an integration --- packages/mp/docs/commands/describe.md | 5 +- .../integrations/action/ai/metadata.py | 6 +- .../integrations/action/metadata.py | 39 +++++--- .../data_models/integrations/integration.py | 26 +++--- .../file_utils/integrations/file_utils.py | 29 +++--- packages/mp/src/mp/describe/all_content.py | 2 +- .../mp/src/mp/describe/common/describe.py | 15 ++-- .../mp/src/mp/describe/common/describe_all.py | 30 +++++-- .../mp/src/mp/describe/common/utils/paths.py | 90 ++++++++++++++++--- .../src/mp/describe/integration/describe.py | 11 ++- .../mp/describe/integration/describe_all.py | 31 +++++-- .../prompt_constructors/integration.py | 38 +++++--- .../src/mp/describe/integration/typer_app.py | 13 ++- packages/mp/src/mp/describe/typer_app.py | 32 +++++-- packages/mp/tests/test_mp/test_all_content.py | 53 +++++++++++ .../mp/tests/test_mp/test_describe_cli.py | 37 ++++++-- .../test_mp/test_describe_integration.py | 73 +++++++++++++++ 17 files changed, 419 insertions(+), 111 deletions(-) create mode 100644 packages/mp/tests/test_mp/test_describe_integration.py diff --git a/packages/mp/docs/commands/describe.md b/packages/mp/docs/commands/describe.md index 471e64f63..934545a5d 100644 --- a/packages/mp/docs/commands/describe.md +++ b/packages/mp/docs/commands/describe.md @@ -75,18 +75,19 @@ mp describe integration [INTEGRATIONS]... [OPTIONS] ## `mp describe all-content` -Describe all content (actions, connectors, jobs, and the integration) for a given integration. +Describe all content (actions, connectors, jobs, and the integration) for integrations. ### Usage ```bash -mp describe all-content [INTEGRATION] [OPTIONS] +mp describe all-content [INTEGRATIONS]... [OPTIONS] ``` ### Options | Option | Shorthand | Description | Type | Default | |:-------------|:----------|:-----------------------------------------------------|:-------|:--------| +| `--all` | `-a` | Describe all content for all integrations. | `bool` | `False` | | `--override` | `-o` | Rewrite content that already have their description. | `bool` | `False` | | `--quiet` | `-q` | Log less on runtime. | `bool` | `False` | | `--verbose` | `-v` | Log more on runtime. | `bool` | `False` | \ No newline at end of file diff --git a/packages/mp/src/mp/core/data_models/integrations/action/ai/metadata.py b/packages/mp/src/mp/core/data_models/integrations/action/ai/metadata.py index d896edac4..6dcede570 100644 --- a/packages/mp/src/mp/core/data_models/integrations/action/ai/metadata.py +++ b/packages/mp/src/mp/core/data_models/integrations/action/ai/metadata.py @@ -58,7 +58,7 @@ class ActionAiMetadata(BaseModel): description=( "Fields that describe how the action operates. Determine these fields based on the" "metadata json and the code itself." - ) + ), ), ] categories: Annotated[ @@ -67,7 +67,7 @@ class ActionAiMetadata(BaseModel): description=( "Categories that describe the action's capabilities." " These tags are inferred based on the fields." - ) + ), ), ] entity_usage: Annotated[ @@ -86,6 +86,6 @@ class ActionAiMetadata(BaseModel): "Categories that describe the action's capabilities in its security product." " It shows the category and explains the expected outcome of such" " action." - ) + ), ), ] diff --git a/packages/mp/src/mp/core/data_models/integrations/action/metadata.py b/packages/mp/src/mp/core/data_models/integrations/action/metadata.py index 16952582f..8c191fd0e 100644 --- a/packages/mp/src/mp/core/data_models/integrations/action/metadata.py +++ b/packages/mp/src/mp/core/data_models/integrations/action/metadata.py @@ -392,12 +392,21 @@ def _get_ai_fields(action_name: str, integration_path: Path) -> AiFields: if not integration_path.exists(): return empty_results + # 1. Check in resources/ai/ (new standard) actions_desc: Path = ( integration_path / mp.core.constants.RESOURCES_DIR / mp.core.constants.AI_DIR / mp.core.constants.ACTIONS_AI_DESCRIPTION_FILE ) + if not actions_desc.exists(): + # 2. Check in resources/ (fallback) + actions_desc = ( + integration_path + / mp.core.constants.RESOURCES_DIR + / mp.core.constants.ACTIONS_AI_DESCRIPTION_FILE + ) + if not actions_desc.exists(): return empty_results @@ -409,17 +418,25 @@ def _get_ai_fields(action_name: str, integration_path: Path) -> AiFields: ai_meta: ActionAiMetadata = ActionAiMetadata.model_validate(action_content) return AiFields( description=ai_meta.ai_description, - ai_categories=[ - AI_CATEGORY_TO_DEF_AI_CATEGORY[category] - for category, is_true in ai_meta.categories.model_dump().items() - if is_true - ], - entity_types=ai_meta.entity_usage.entity_types, - product_categories=[ - PRODUCT_CATEGORY_TO_DEF_PRODUCT_CATEGORY[category] - for category, is_true in ai_meta.product_categories.model_dump().items() - if is_true - ], + ai_categories=( + [ + AI_CATEGORY_TO_DEF_AI_CATEGORY[category] + for category, is_true in ai_meta.categories.model_dump().items() + if is_true + ] + if ai_meta.categories + else [] + ), + entity_types=ai_meta.entity_usage.entity_types if ai_meta.entity_usage else [], + product_categories=( + [ + PRODUCT_CATEGORY_TO_DEF_PRODUCT_CATEGORY[category] + for category, is_true in ai_meta.product_categories.model_dump().items() + if is_true + ] + if ai_meta.product_categories + else [] + ), ) diff --git a/packages/mp/src/mp/core/data_models/integrations/integration.py b/packages/mp/src/mp/core/data_models/integrations/integration.py index 61c9c57a9..d0da9b89f 100644 --- a/packages/mp/src/mp/core/data_models/integrations/integration.py +++ b/packages/mp/src/mp/core/data_models/integrations/integration.py @@ -146,11 +146,14 @@ def from_built_path(cls, path: Path) -> Self: ai_metadata: dict[str, Any] = {} ai_dir: Path = path / "resources" / mp.core.constants.AI_DIR - if ai_dir.exists(): - for ai_file in mp.core.constants.AI_DESCRIPTION_FILES: - ai_path: Path = ai_dir / ai_file - if ai_path.exists(): - ai_metadata[ai_file] = yaml.safe_load(ai_path.read_text(encoding="utf-8")) + for ai_file in mp.core.constants.AI_DESCRIPTION_FILES: + ai_path: Path = ai_dir / ai_file + if not ai_path.exists(): + # Fallback to resources/ + ai_path = path / "resources" / ai_file + + if ai_path.exists(): + ai_metadata[ai_file] = yaml.safe_load(ai_path.read_text(encoding="utf-8")) return cls( python_version=python_version, @@ -204,11 +207,14 @@ def from_non_built_path(cls, path: Path) -> Self: ai_metadata: dict[str, Any] = {} ai_dir: Path = path / "resources" / mp.core.constants.AI_DIR - if ai_dir.exists(): - for ai_file in mp.core.constants.AI_DESCRIPTION_FILES: - ai_path: Path = ai_dir / ai_file - if ai_path.exists(): - ai_metadata[ai_file] = yaml.safe_load(ai_path.read_text(encoding="utf-8")) + for ai_file in mp.core.constants.AI_DESCRIPTION_FILES: + ai_path: Path = ai_dir / ai_file + if not ai_path.exists(): + # Fallback to resources/ + ai_path = path / "resources" / ai_file + + if ai_path.exists(): + ai_metadata[ai_file] = yaml.safe_load(ai_path.read_text(encoding="utf-8")) return cls( python_version=python_version, diff --git a/packages/mp/src/mp/core/file_utils/integrations/file_utils.py b/packages/mp/src/mp/core/file_utils/integrations/file_utils.py index a9c344cdb..804c75561 100644 --- a/packages/mp/src/mp/core/file_utils/integrations/file_utils.py +++ b/packages/mp/src/mp/core/file_utils/integrations/file_utils.py @@ -20,6 +20,7 @@ from __future__ import annotations import base64 +import contextlib import dataclasses import json import pathlib @@ -228,8 +229,9 @@ def get_integrations_from_paths(*paths: Path) -> set[Path]: continue for dir_ in path.iterdir(): - if is_integration(dir_): - integrations.add(dir_) + with contextlib.suppress(Exception): + if is_integration(dir_): + integrations.add(dir_) return integrations @@ -258,8 +260,7 @@ def is_integration(path: Path) -> bool: validator.validate_integration_components_parity() pyproject_toml: Path = path / constants.PROJECT_FILE - def_: Path = path / constants.INTEGRATION_DEF_FILE.format(path.name) - return pyproject_toml.exists() or def_.exists() + return pyproject_toml.exists() or _has_def_file(path) def replace_file_content(file: Path, replace_fn: Callable[[str], str]) -> None: @@ -284,9 +285,7 @@ def is_built(integration: Path) -> bool: """ pyproject: Path = integration / constants.PROJECT_FILE - def_file: Path = integration / constants.INTEGRATION_DEF_FILE.format(integration.name) - definition_file: Path = integration / constants.DEFINITION_FILE - return not pyproject.exists() and def_file.exists() and not definition_file.exists() + return not pyproject.exists() and _has_def_file(integration) def is_half_built(integration: Path) -> bool: @@ -297,8 +296,7 @@ def is_half_built(integration: Path) -> bool: """ pyproject: Path = integration / constants.PROJECT_FILE - def_file: Path = integration / constants.INTEGRATION_DEF_FILE.format(integration.name) - return pyproject.exists() and def_file.exists() + return pyproject.exists() and _has_def_file(integration) def is_non_built_integration(integration: Path) -> bool: @@ -309,9 +307,18 @@ def is_non_built_integration(integration: Path) -> bool: """ pyproject: Path = integration / constants.PROJECT_FILE - def_file: Path = integration / constants.INTEGRATION_DEF_FILE.format(integration.name) definition_file: Path = integration / constants.DEFINITION_FILE - return pyproject.exists() and definition_file.exists() and not def_file.exists() + return pyproject.exists() and definition_file.exists() and not _has_def_file(integration) + + +def _has_def_file(path: Path) -> bool: + """Check if the path contains an Integration-*.def file. + + Returns: + True if it has a def file, False otherwise. + + """ + return any(path.glob("Integration-*.def")) def write_yaml_to_file(content: Mapping[str, Any] | Sequence[Any], path: Path) -> None: diff --git a/packages/mp/src/mp/describe/all_content.py b/packages/mp/src/mp/describe/all_content.py index fda55bba9..87bc2a2a5 100644 --- a/packages/mp/src/mp/describe/all_content.py +++ b/packages/mp/src/mp/describe/all_content.py @@ -41,7 +41,7 @@ async def describe_all_content( Args: integration: The name of the integration. src: Customize the source folder to describe from. - dst: Customize destination folder to save the AI descriptions. + dst: Customize the destination folder to save the AI descriptions. override: Whether to rewrite existing descriptions. """ diff --git a/packages/mp/src/mp/describe/common/describe.py b/packages/mp/src/mp/describe/common/describe.py index dabde79f7..d87c16d8e 100644 --- a/packages/mp/src/mp/describe/common/describe.py +++ b/packages/mp/src/mp/describe/common/describe.py @@ -222,8 +222,7 @@ async def _prepare_resources( # Prune metadata for resources that no longer exist # Only for non-integration types which use resource names as keys if self.resource_type_name != "integration": - metadata_keys = list(metadata.keys()) - for key in metadata_keys: + for key in list(metadata.keys()): if key not in self.resource_names: del metadata[key] @@ -420,20 +419,22 @@ async def _get_integration_status(self) -> IntegrationStatus: # If it's not built in the out directory, check if the integration itself is built if not is_built: - def_file: anyio.Path = self.integration / constants.INTEGRATION_DEF_FILE.format( - self.integration_name - ) - if await def_file.exists(): + # Look for any .def file in the integration directory + async for _f in self.integration.glob("Integration-*.def"): is_built = True out_path = self.integration + break return IntegrationStatus(is_built=is_built, out_path=out_path) async def _load_metadata(self) -> dict[str, Any]: resource_ai_dir: anyio.Path = self.integration / constants.RESOURCES_DIR / constants.AI_DIR metadata_file: anyio.Path = resource_ai_dir / self.metadata_file_name - metadata: dict[str, Any] = {} + if not await metadata_file.exists(): + # Fallback to resources/ + metadata_file = self.integration / constants.RESOURCES_DIR / self.metadata_file_name + metadata: dict[str, Any] = {} if await metadata_file.exists(): content: str = await metadata_file.read_text() with contextlib.suppress(yaml.YAMLError): diff --git a/packages/mp/src/mp/describe/common/describe_all.py b/packages/mp/src/mp/describe/common/describe_all.py index b9060b90e..e751cf47c 100644 --- a/packages/mp/src/mp/describe/common/describe_all.py +++ b/packages/mp/src/mp/describe/common/describe_all.py @@ -18,7 +18,7 @@ import asyncio import collections import logging -from typing import TYPE_CHECKING, NamedTuple +from typing import TYPE_CHECKING, NamedTuple, Protocol from rich.progress import ( BarColumn, @@ -36,9 +36,26 @@ ) if TYPE_CHECKING: + from collections.abc import Callable from pathlib import Path - from .describe import DescribeBase + +class Describer(Protocol): + """Protocol for describer classes.""" + + async def get_resources_count(self) -> int: + """Get the number of resources to describe.""" + ... + + async def describe( + self, + sem: asyncio.Semaphore | None = None, + on_done: Callable[[], None] | None = None, + progress: Progress | None = None, + ) -> None: + """Describe resources.""" + ... + logger: logging.Logger = logging.getLogger(__name__) MAX_ACTIVE_INTEGRATIONS: int = 3 @@ -92,14 +109,14 @@ def _can_start_more(self) -> bool: ) @abc.abstractmethod - def _create_describer(self, integration_name: str) -> DescribeBase: + def _create_describer(self, integration_name: str) -> Describer: """Create a describer for the given integration.""" raise NotImplementedError async def _start_next_integration(self, progress: Progress) -> None: """Start describing the next integration in the queue.""" path: Path = self.pending_paths.popleft() - describer: DescribeBase = self._create_describer(path.name) + describer: Describer = self._create_describer(path.name) # Pre-discover resource count to decide if we should start more count: int = await describer.get_resources_count() @@ -166,10 +183,7 @@ async def run(self) -> None: try: await it.task except Exception: - logger.exception( - "Failed to describe integration %s", - it.integration_name, - ) + logger.exception("Failed to describe integration %s", it.integration_name) def get_all_integrations_paths(src: Path | None = None) -> list[Path]: diff --git a/packages/mp/src/mp/describe/common/utils/paths.py b/packages/mp/src/mp/describe/common/utils/paths.py index 9153c794e..ed9ceb5b4 100644 --- a/packages/mp/src/mp/describe/common/utils/paths.py +++ b/packages/mp/src/mp/describe/common/utils/paths.py @@ -14,18 +14,21 @@ from __future__ import annotations +import contextlib import logging -from typing import TYPE_CHECKING - -if TYPE_CHECKING: - import pathlib +import pathlib +import tomllib +from typing import Any import anyio import typer +import yaml +from mp.core import constants from mp.core.file_utils import ( create_or_get_out_integrations_dir, get_marketplace_integration_path, + is_built, ) logger: logging.Logger = logging.getLogger(__name__) @@ -42,22 +45,21 @@ def get_integration_path(name: str, *, src: pathlib.Path | None = None) -> anyio anyio.Path: The path to the integration. """ - if src: - return _get_source_integration_path(name, src) - return _get_marketplace_integration_path(name) + return ( + _get_source_integration_path(name, src) if src else _get_marketplace_integration_path(name) + ) def _get_source_integration_path(name: str, src: pathlib.Path) -> anyio.Path: - path = src / name - if path.exists(): + if (path := src / name).exists(): return anyio.Path(path) + logger.error("Integration '%s' not found in source '%s'", name, src) raise typer.Exit(1) def _get_marketplace_integration_path(name: str) -> anyio.Path: - path = get_marketplace_integration_path(name) - if path: + if (path := get_marketplace_integration_path(name)) is not None: return anyio.Path(path) logger.error("Integration '%s' not found in marketplace", name) @@ -75,7 +77,67 @@ def get_out_path(integration_name: str, src: pathlib.Path | None = None) -> anyi anyio.Path: The output path. """ - base_out: anyio.Path = anyio.Path(create_or_get_out_integrations_dir()) + base_out: pathlib.Path = create_or_get_out_integrations_dir() if src: - return base_out / src.name / integration_name - return base_out / integration_name + return anyio.Path(base_out / src.name / integration_name) + + identifier: str = _resolve_integration_identifier(integration_name) + + for identifier_to_try in (identifier, integration_name): + if (path := _find_built_integration_in_repos(base_out, identifier_to_try)) is not None: + return path + + if (path := base_out / identifier).exists() and is_built(path): + return anyio.Path(path) + + return anyio.Path(base_out / integration_name) + + +def _resolve_integration_identifier(integration_name: str) -> str: + with contextlib.suppress(Exception): + if source_p := get_marketplace_integration_path(integration_name): + source_path = pathlib.Path(source_p) + return _get_identifier_from_source(source_path) + return integration_name + + +def _find_built_integration_in_repos(base_out: pathlib.Path, identifier: str) -> anyio.Path | None: + for repo_type in ( + constants.COMMERCIAL_REPO_NAME, + constants.THIRD_PARTY_REPO_NAME, + constants.CUSTOM_REPO_NAME, + ): + if (path := base_out / repo_type / identifier).exists() and is_built(path): + return anyio.Path(path) + + return None + + +def _get_identifier_from_source(source_path: pathlib.Path) -> str: + if identifier := _get_identifier_from_definition(source_path): + return identifier + + if identifier := _get_identifier_from_pyproject(source_path): + return identifier + + return source_path.name + + +def _get_identifier_from_definition(source_path: pathlib.Path) -> str | None: + if (definition_file := source_path / constants.DEFINITION_FILE).exists(): + with definition_file.open("r", encoding="utf-8") as f: + data: dict[str, Any] = yaml.safe_load(f) + if data and (identifier := data.get("identifier")): + return identifier + + return None + + +def _get_identifier_from_pyproject(source_path: pathlib.Path) -> str | None: + if (pyproject_file := source_path / constants.PROJECT_FILE).exists(): + with pyproject_file.open("rb") as f: + data: dict[str, Any] = tomllib.load(f) + if (project := data.get("project")) and (identifier := project.get("name")): + return identifier + + return None diff --git a/packages/mp/src/mp/describe/integration/describe.py b/packages/mp/src/mp/describe/integration/describe.py index fccfb6732..e373d3c27 100644 --- a/packages/mp/src/mp/describe/integration/describe.py +++ b/packages/mp/src/mp/describe/integration/describe.py @@ -85,13 +85,17 @@ async def _construct_prompts( self.integration, integration_name, status.out_path ) prompts.append(await constructor.construct()) + return prompts async def _load_metadata(self) -> dict[str, Any]: resource_ai_dir: anyio.Path = self.integration / constants.RESOURCES_DIR / constants.AI_DIR metadata_file: anyio.Path = resource_ai_dir / self.metadata_file_name - metadata: dict[str, Any] = {} + if not await metadata_file.exists(): + # Fallback to resources/ + metadata_file = self.integration / constants.RESOURCES_DIR / self.metadata_file_name + metadata: dict[str, Any] = {} if await metadata_file.exists(): content: str = await metadata_file.read_text() with contextlib.suppress(yaml.YAMLError): @@ -118,11 +122,10 @@ async def _save_metadata(self, metadata: dict[str, Any]) -> None: metadata_file: anyio.Path = save_dir / self.metadata_file_name # For integrations, we don't want to key it by integration name in the file - integration_metadata = metadata.get(self.integration_name) - - if not integration_metadata: + if not (integration_metadata := metadata.get(self.integration_name)): if await metadata_file.exists(): await metadata_file.unlink() + return await save_dir.mkdir(parents=True, exist_ok=True) diff --git a/packages/mp/src/mp/describe/integration/describe_all.py b/packages/mp/src/mp/describe/integration/describe_all.py index db75b1f3e..b36ee68cc 100644 --- a/packages/mp/src/mp/describe/integration/describe_all.py +++ b/packages/mp/src/mp/describe/integration/describe_all.py @@ -14,24 +14,41 @@ from __future__ import annotations -from typing import TYPE_CHECKING +from pathlib import Path from mp.describe.common.describe_all import ( MarketplaceOrchestratorBase, get_all_integrations_paths, ) +from mp.describe.common.utils.paths import get_integration_path from .describe import DescribeIntegration -if TYPE_CHECKING: - from pathlib import Path - async def describe_all_integrations( - src: Path | None = None, dst: Path | None = None, *, override: bool = False + src: Path | None = None, + dst: Path | None = None, + *, + override: bool = False, + integrations: list[str] | None = None, ) -> None: - """Describe all integrations in the marketplace.""" - integrations_paths: list[Path] = get_all_integrations_paths(src=src) + """Describe all integrations in the marketplace or specific ones. + + Args: + src: Optional custom source path. + dst: Optional custom destination path. + override: Whether to rewrite existing descriptions. + integrations: Optional list of integration names to describe. + + """ + integrations_paths: list[Path] + if integrations: + integrations_paths = [ + Path(str(get_integration_path(name, src=src))) for name in integrations + ] + else: + integrations_paths = get_all_integrations_paths(src=src) + orchestrator = _MarketplaceOrchestrator(src, integrations_paths, dst=dst, override=override) await orchestrator.run() diff --git a/packages/mp/src/mp/describe/integration/prompt_constructors/integration.py b/packages/mp/src/mp/describe/integration/prompt_constructors/integration.py index eab2c587c..133c7a496 100644 --- a/packages/mp/src/mp/describe/integration/prompt_constructors/integration.py +++ b/packages/mp/src/mp/describe/integration/prompt_constructors/integration.py @@ -81,18 +81,14 @@ async def _get_integration_description(self) -> str: return "N/A" async def _get_description_from_def(self) -> str | None: - integration_def: anyio.Path = self.integration / constants.INTEGRATION_DEF_FILE.format( - self.integration_name - ) - if not await integration_def.exists(): - return None - - content: str = await integration_def.read_text(encoding="utf-8") - with contextlib.suppress(yaml.YAMLError): - data: NonBuiltIntegrationMetadata = yaml.safe_load(content) - return data.get("description") + # Search for any .def file in the root + async for def_file in self.integration.glob("Integration-*.def"): + content: str = await def_file.read_text(encoding="utf-8") + with contextlib.suppress(yaml.YAMLError): + data: NonBuiltIntegrationMetadata = yaml.safe_load(content) + if data and "description" in data: + return data["description"] - logger.warning("Failed to parse integration metadata %s", integration_def) return None async def _get_description_from_definition(self) -> str | None: @@ -125,6 +121,12 @@ async def _get_description_from_pyproject(self) -> str | None: async def _get_actions_ai_descriptions(self) -> str: ai_dir: anyio.Path = self.integration / constants.RESOURCES_DIR / constants.AI_DIR actions_ai_file: anyio.Path = ai_dir / constants.ACTIONS_AI_DESCRIPTION_FILE + if not await actions_ai_file.exists(): + # Fallback to resources/ + actions_ai_file = ( + self.integration / constants.RESOURCES_DIR / constants.ACTIONS_AI_DESCRIPTION_FILE + ) + if await actions_ai_file.exists(): return await actions_ai_file.read_text(encoding="utf-8") return "N/A" @@ -132,6 +134,14 @@ async def _get_actions_ai_descriptions(self) -> str: async def _get_connectors_ai_descriptions(self) -> str: ai_dir: anyio.Path = self.integration / constants.RESOURCES_DIR / constants.AI_DIR connectors_ai_file: anyio.Path = ai_dir / constants.CONNECTORS_AI_DESCRIPTION_FILE + if not await connectors_ai_file.exists(): + # Fallback to resources/ + connectors_ai_file = ( + self.integration + / constants.RESOURCES_DIR + / constants.CONNECTORS_AI_DESCRIPTION_FILE + ) + if await connectors_ai_file.exists(): return await connectors_ai_file.read_text(encoding="utf-8") return "N/A" @@ -139,6 +149,12 @@ async def _get_connectors_ai_descriptions(self) -> str: async def _get_jobs_ai_descriptions(self) -> str: ai_dir: anyio.Path = self.integration / constants.RESOURCES_DIR / constants.AI_DIR jobs_ai_file: anyio.Path = ai_dir / constants.JOBS_AI_DESCRIPTION_FILE + if not await jobs_ai_file.exists(): + # Fallback to resources/ + jobs_ai_file = ( + self.integration / constants.RESOURCES_DIR / constants.JOBS_AI_DESCRIPTION_FILE + ) + if await jobs_ai_file.exists(): return await jobs_ai_file.read_text(encoding="utf-8") return "N/A" diff --git a/packages/mp/src/mp/describe/integration/typer_app.py b/packages/mp/src/mp/describe/integration/typer_app.py index 33c901508..f5e8c902d 100644 --- a/packages/mp/src/mp/describe/integration/typer_app.py +++ b/packages/mp/src/mp/describe/integration/typer_app.py @@ -23,7 +23,6 @@ import mp.core.config -from .describe import DescribeIntegration from .describe_all import describe_all_integrations app = typer.Typer(help="Commands for describing integrations") @@ -102,14 +101,12 @@ def describe( # noqa: PLR0913 run_params: mp.core.config.RuntimeParams = mp.core.config.RuntimeParams(quiet, verbose) run_params.set_in_config() - if integrations: - sem: asyncio.Semaphore = asyncio.Semaphore(mp.core.config.get_gemini_concurrency()) - for integration in integrations: - asyncio.run( - DescribeIntegration(integration, src=src, dst=dst, override=override).describe( - sem=sem - ) + if integrations and not all_marketplace: + asyncio.run( + describe_all_integrations( + src=src, dst=dst, override=override, integrations=integrations ) + ) elif all_marketplace: asyncio.run(describe_all_integrations(src=src, dst=dst, override=override)) else: diff --git a/packages/mp/src/mp/describe/typer_app.py b/packages/mp/src/mp/describe/typer_app.py index 6143b5828..1f803c80c 100644 --- a/packages/mp/src/mp/describe/typer_app.py +++ b/packages/mp/src/mp/describe/typer_app.py @@ -17,6 +17,7 @@ import pathlib # noqa: TC003 from typing import Annotated +import rich import typer import mp.core.config @@ -38,13 +39,21 @@ @app.command( name="all-content", help=( - "Describe all content (actions, connectors, jobs, and the integration) for a given" - " integration." + "Describe all content (actions, connectors, jobs, and the integration) for integrations." ), + no_args_is_help=True, ) def all_content( # noqa: PLR0913 - integration: Annotated[str, typer.Argument(help="Integration name")], + integrations: Annotated[list[str] | None, typer.Argument(help="Integration names")] = None, *, + all_marketplace: Annotated[ + bool, + typer.Option( + "-a", + "--all", + help="Describe all content for all integrations in the marketplace", + ), + ] = False, src: Annotated[ pathlib.Path | None, typer.Option(help="Customize source folder to describe from."), @@ -78,8 +87,21 @@ def all_content( # noqa: PLR0913 ), ] = False, ) -> None: - """Describe all content in an integration.""" + """Describe all content in integrations. + + Raises: + typer.Exit: If neither integrations nor --all is specified. + + """ run_params: mp.core.config.RuntimeParams = mp.core.config.RuntimeParams(quiet, verbose) run_params.set_in_config() - asyncio.run(describe_all_content(integration, src=src, dst=dst, override=override)) + if integrations and not all_marketplace: + asyncio.run( + describe_all_content(src=src, dst=dst, override=override, integrations=integrations) + ) + elif all_marketplace: + asyncio.run(describe_all_content(src=src, dst=dst, override=override)) + else: + rich.print("[red]Please specify either an integration or --all[/red]") + raise typer.Exit(code=1) diff --git a/packages/mp/tests/test_mp/test_all_content.py b/packages/mp/tests/test_mp/test_all_content.py index f1534ec1d..99e420170 100644 --- a/packages/mp/tests/test_mp/test_all_content.py +++ b/packages/mp/tests/test_mp/test_all_content.py @@ -63,6 +63,29 @@ def mock_integration_full(tmp_path: Path) -> Path: yaml.safe_dump({"description": "Mock integration description"}), encoding="utf-8" ) + # Create pyproject.toml + (integration_path / constants.PROJECT_FILE).write_text( + '[project]\nname = "mock_integration"\n', encoding="utf-8" + ) + + return integration_path + + +@pytest.fixture +def mock_integration_another(tmp_path: Path) -> Path: + integration_path = tmp_path / "another_integration" + integration_path.mkdir() + + # Only integration definition + (integration_path / constants.DEFINITION_FILE).write_text( + yaml.safe_dump({"description": "Another integration"}), encoding="utf-8" + ) + + # Create pyproject.toml + (integration_path / constants.PROJECT_FILE).write_text( + '[project]\nname = "another_integration"\n', encoding="utf-8" + ) + return integration_path @@ -107,3 +130,33 @@ async def test_describe_all_content(mock_integration_full: Path) -> None: # Verify integration AI description content = yaml.safe_load((ai_dir / constants.INTEGRATIONS_AI_DESCRIPTION_FILE).read_text()) assert content["endpoint_security"] is True + + +@pytest.mark.anyio +async def test_describe_all_all_content( + mock_integration_full: Path, mock_integration_another: Path +) -> None: + # Mock LLM response to avoid API calls + integration_response = mock.Mock() + integration_response.model_dump.return_value = {"endpoint_security": True} + + with mock.patch( + "mp.describe.common.utils.llm.call_gemini_bulk", return_value=[integration_response] + ): + await describe_all_all_content( + src=mock_integration_full.parent, + ) + + # Verify both were processed + assert ( + mock_integration_full + / constants.RESOURCES_DIR + / constants.AI_DIR + / constants.INTEGRATIONS_AI_DESCRIPTION_FILE + ).exists() + assert ( + mock_integration_another + / constants.RESOURCES_DIR + / constants.AI_DIR + / constants.INTEGRATIONS_AI_DESCRIPTION_FILE + ).exists() diff --git a/packages/mp/tests/test_mp/test_describe_cli.py b/packages/mp/tests/test_mp/test_describe_cli.py index 17bb49bdf..bc58e467b 100644 --- a/packages/mp/tests/test_mp/test_describe_cli.py +++ b/packages/mp/tests/test_mp/test_describe_cli.py @@ -56,6 +56,13 @@ def mock_describe_integration() -> Generator[mock.MagicMock, None, None]: yield mock_class +@pytest.fixture +def mock_describe_all_integrations() -> Generator[mock.MagicMock, None, None]: + with mock.patch("mp.describe.integration.typer_app.describe_all_integrations") as mock_func: + mock_func.return_value = mock.AsyncMock() + yield mock_func + + def test_describe_action_cli(mock_describe_action: mock.MagicMock) -> None: # mp describe action [ACTIONS]... -i INTEGRATION result = runner.invoke(app, ["action", "ping", "get_logs", "-i", "aws_ec2"]) @@ -86,21 +93,33 @@ def test_describe_job_cli(mock_describe_job: mock.MagicMock) -> None: assert args[1] == {"my_job"} -def test_describe_integration_cli(mock_describe_integration: mock.MagicMock) -> None: +def test_describe_integration_cli(mock_describe_all_integrations: mock.MagicMock) -> None: # mp describe integration [INTEGRATIONS]... result = runner.invoke(app, ["integration", "int1", "int2"]) assert result.exit_code == 0 - assert mock_describe_integration.call_count == 2 - # Check first call - args, _ = mock_describe_integration.call_args_list[0] - assert args[0] == "int1" - # Check second call - args, _ = mock_describe_integration.call_args_list[1] - assert args[0] == "int2" + mock_describe_all_integrations.assert_called_once_with( + src=None, dst=None, override=False, integrations=["int1", "int2"] + ) + + +def test_describe_integration_all_cli(mock_describe_all_integrations: mock.MagicMock) -> None: + # mp describe integration --all + result = runner.invoke(app, ["integration", "--all"]) + assert result.exit_code == 0 + mock_describe_all_integrations.assert_called_once_with(src=None, dst=None, override=False) def test_all_content_cli() -> None: with mock.patch("mp.describe.typer_app.describe_all_content") as mock_all: result = runner.invoke(app, ["all-content", "my_int"]) assert result.exit_code == 0 - mock_all.assert_called_once_with("my_int", src=None, dst=None, override=False) + mock_all.assert_called_once_with( + src=None, dst=None, override=False, integrations=["my_int"] + ) + + +def test_all_content_all_cli() -> None: + with mock.patch("mp.describe.typer_app.describe_all_content") as mock_all: + result = runner.invoke(app, ["all-content", "--all"]) + assert result.exit_code == 0 + mock_all.assert_called_once_with(src=None, dst=None, override=False) diff --git a/packages/mp/tests/test_mp/test_describe_integration.py b/packages/mp/tests/test_mp/test_describe_integration.py new file mode 100644 index 000000000..642fa70a7 --- /dev/null +++ b/packages/mp/tests/test_mp/test_describe_integration.py @@ -0,0 +1,73 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import annotations + +from unittest.mock import AsyncMock, patch + +from typer.testing import CliRunner + +from mp.core.data_models.integrations.integration_meta.ai.metadata import IntegrationAiMetadata +from mp.core.data_models.integrations.integration_meta.ai.product_categories import ( + IntegrationProductCategories, +) +from mp.describe.integration.typer_app import app + +runner = CliRunner() + + +def test_describe_integration_command(non_built_integration): + integration_name = "mock_integration" + + # Create AI_DIR if it doesn't exist to avoid issues, + # though the code should handle it. + + with patch( + "mp.describe.common.utils.llm.call_gemini_bulk", new_callable=AsyncMock + ) as mock_bulk: + mock_bulk.return_value = [ + IntegrationAiMetadata( + product_categories=IntegrationProductCategories( + siem=False, + edr=False, + network_security=True, + threat_intelligence=False, + email_security=False, + iam_and_identity_management=False, + cloud_security=False, + itsm=False, + vulnerability_management=False, + asset_inventory=False, + collaboration=False, + ) + ) + ] + + # We need to mock get_integration_path to return the non_built_integration path + with patch("mp.describe.common.utils.paths.get_integration_path") as mock_get_path: + import anyio + + mock_get_path.return_value = anyio.Path(non_built_integration) + + # Run the command + result = runner.invoke(app, ["-i", integration_name]) + + assert result.exit_code == 0 + mock_bulk.assert_called_once() + + # Check if the file was created + ai_file = ( + non_built_integration / "RESOURCES" / "AI" / "integrations_ai_description.yaml" + ) + assert ai_file.exists() From 17d29f3b44834f41ea2bcb6a6831372cdb81ca83 Mon Sep 17 00:00:00 2001 From: talshapir Date: Mon, 6 Apr 2026 10:49:54 +0300 Subject: [PATCH 12/26] update all actions_ai_description.yaml files and add all job, connector and integration files --- .../resources/ai/actions_ai_description.yaml | 478 ++- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 258 +- .../ai/integration_ai_description.yaml | 12 + .../resources/actions_ai_description.yaml | 431 -- .../resources/ai/actions_ai_description.yaml | 492 ++- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 327 +- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 460 ++- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 783 ++-- .../ai/integration_ai_description.yaml | 12 + .../resources/actions_ai_description.yaml | 345 -- .../resources/ai/actions_ai_description.yaml | 400 +- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 277 +- .../ai/integration_ai_description.yaml | 12 + .../resources/actions_ai_description.yaml | 194 - .../resources/ai/actions_ai_description.yaml | 242 +- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 259 +- .../ai/connectors_ai_description.yaml | 78 + .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 1 - .../ai/connectors_ai_description.yaml | 129 + .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 548 ++- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 903 +++-- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 1142 ++++-- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 1322 +++--- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 82 +- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/jobs_ai_description.yaml | 962 +++++ .../resources/ai/actions_ai_description.yaml | 396 +- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 349 +- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 459 ++- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 383 +- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 3598 ++++++++++------- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/jobs_ai_description.yaml | 94 + .../resources/ai/actions_ai_description.yaml | 186 +- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 817 ++-- .../ai/connectors_ai_description.yaml | 35 + .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 1159 ++++-- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 678 ++-- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 955 +++-- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 229 +- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 719 ++-- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 73 +- .../ai/connectors_ai_description.yaml | 67 + .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 1970 ++++++--- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 103 +- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 163 +- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 93 +- .../ai/connectors_ai_description.yaml | 73 + .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 66 +- .../ai/connectors_ai_description.yaml | 64 + .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 553 ++- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 161 +- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 72 +- .../ai/connectors_ai_description.yaml | 61 + .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 736 ++-- .../ai/connectors_ai_description.yaml | 73 + .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 164 +- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 315 +- .../ai/connectors_ai_description.yaml | 62 + .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 240 +- .../ai/connectors_ai_description.yaml | 37 + .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 433 +- .../ai/connectors_ai_description.yaml | 70 + .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 149 +- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 403 +- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 756 ++-- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 122 +- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 1366 ++++--- .../ai/connectors_ai_description.yaml | 70 + .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 208 +- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 1 - .../resources/ai/actions_ai_description.yaml | 570 ++- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 227 +- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 635 +-- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 1 - .../ai/connectors_ai_description.yaml | 58 + .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 361 +- .../ai/connectors_ai_description.yaml | 78 + .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 71 +- .../ai/connectors_ai_description.yaml | 78 + .../ai/integration_ai_description.yaml | 12 + .../resources/ai/jobs_ai_description.yaml | 47 + .../resources/ai/actions_ai_description.yaml | 390 +- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 640 ++- .../ai/connectors_ai_description.yaml | 73 + .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 149 +- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 850 ++-- .../ai/connectors_ai_description.yaml | 55 + .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 75 +- .../ai/connectors_ai_description.yaml | 60 + .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 224 +- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 173 +- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 459 ++- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 381 +- .../ai/connectors_ai_description.yaml | 58 + .../ai/integration_ai_description.yaml | 12 + .../resources/ai/jobs_ai_description.yaml | 52 + .../resources/ai/actions_ai_description.yaml | 184 +- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 626 +++ .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 152 +- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 324 +- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 1467 ++++--- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 1016 +++-- .../ai/connectors_ai_description.yaml | 30 + .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 689 ++-- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 2499 ++++++++---- .../ai/connectors_ai_description.yaml | 49 + .../ai/integration_ai_description.yaml | 12 + .../resources/ai/jobs_ai_description.yaml | 36 + .../resources/ai/actions_ai_description.yaml | 2247 ++++++---- .../ai/connectors_ai_description.yaml | 82 + .../ai/integration_ai_description.yaml | 12 + .../resources/ai/jobs_ai_description.yaml | 32 + .../resources/ai/actions_ai_description.yaml | 651 ++- .../ai/connectors_ai_description.yaml | 70 + .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 352 +- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 210 +- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 367 +- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 494 ++- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 1041 ++--- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 86 +- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/jobs_ai_description.yaml | 33 + .../resources/ai/actions_ai_description.yaml | 197 +- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 629 ++- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 345 +- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 407 ++ .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 169 +- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 933 +++-- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 664 +-- .../ai/connectors_ai_description.yaml | 129 + .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 586 +-- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 531 +-- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 581 +++ .../ai/connectors_ai_description.yaml | 35 + .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 513 ++- .../ai/connectors_ai_description.yaml | 150 + .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 275 +- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 1859 ++++++--- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 2420 ++++++----- .../ai/connectors_ai_description.yaml | 130 + .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 225 +- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 1225 +++--- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 449 +- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 81 +- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/jobs_ai_description.yaml | 59 + .../resources/ai/actions_ai_description.yaml | 704 ++-- .../ai/connectors_ai_description.yaml | 91 + .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 1632 +++++--- .../ai/connectors_ai_description.yaml | 230 ++ .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 1020 +++-- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 2597 +++++++----- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 913 +++-- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 298 +- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 386 +- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 159 +- .../ai/connectors_ai_description.yaml | 34 + .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 333 +- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 478 ++- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 476 ++- .../ai/integration_ai_description.yaml | 12 + 258 files changed, 46385 insertions(+), 24250 deletions(-) create mode 100644 content/response_integrations/google/cyber_x/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/google/juniper_vsrx/resources/ai/integration_ai_description.yaml delete mode 100644 content/response_integrations/google/mc_afee_nsm/resources/actions_ai_description.yaml create mode 100644 content/response_integrations/google/mc_afee_nsm/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/google/micro_focus_itsma/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/google/mobile_iron/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/google/portnox/resources/ai/integration_ai_description.yaml delete mode 100644 content/response_integrations/google/reversinglabs_a1000/resources/actions_ai_description.yaml create mode 100644 content/response_integrations/google/reversinglabs_a1000/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/google/stealthwatch_v610/resources/ai/integration_ai_description.yaml delete mode 100644 content/response_integrations/google/symantec_content_analysis/resources/actions_ai_description.yaml create mode 100644 content/response_integrations/google/symantec_content_analysis/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/google/symantec_icdx/resources/ai/connectors_ai_description.yaml create mode 100644 content/response_integrations/google/symantec_icdx/resources/ai/integration_ai_description.yaml delete mode 100644 content/response_integrations/power_ups/connectors/resources/ai/actions_ai_description.yaml create mode 100644 content/response_integrations/power_ups/connectors/resources/ai/connectors_ai_description.yaml create mode 100644 content/response_integrations/power_ups/connectors/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/power_ups/email_utilities/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/power_ups/enrichment/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/power_ups/file_utilities/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/power_ups/functions/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/power_ups/git_sync/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/power_ups/git_sync/resources/ai/jobs_ai_description.yaml create mode 100644 content/response_integrations/power_ups/image_utilities/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/power_ups/insights/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/power_ups/lists/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/power_ups/template_engine/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/power_ups/tools/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/power_ups/tools/resources/ai/jobs_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/abuse_ipdb/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/air_table/resources/ai/connectors_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/air_table/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/arcanna_ai/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/asana/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/aws_ec2/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/azure_devops/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/bandura_cyber/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/be_secure/resources/ai/connectors_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/be_secure/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/bitdefender_gravity_zone/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/chronicle_support_tools/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/country_flags/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/cybersixgill_actionable_alerts/resources/ai/connectors_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/cybersixgill_actionable_alerts/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/cybersixgill_darkfeed/resources/ai/connectors_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/cybersixgill_darkfeed/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/cybersixgill_darkfeed_enrichment/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/cybersixgill_dve_enrichment/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/cybersixgill_dve_feed/resources/ai/connectors_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/cybersixgill_dve_feed/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/data_dog/resources/ai/connectors_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/data_dog/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/docker_hub/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/duo/resources/ai/connectors_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/duo/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/eclectic_iq/resources/ai/connectors_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/eclectic_iq/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/flashpoint/resources/ai/connectors_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/flashpoint/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/full_contact/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/google_docs/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/google_drive/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/google_safe_browsing/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/google_sheets/resources/ai/connectors_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/google_sheets/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/goqr/resources/ai/integration_ai_description.yaml delete mode 100644 content/response_integrations/third_party/community/grey_noise/resources/ai/actions_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/hibob/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/imgbb/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/ipqs_fraud_and_risk_scoring/resources/ai/integration_ai_description.yaml delete mode 100644 content/response_integrations/third_party/community/lacework/resources/ai/actions_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/lacework/resources/ai/connectors_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/lacework/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/logzio/resources/ai/connectors_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/logzio/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/luminar_iocs_and_leaked_credentials/resources/ai/connectors_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/luminar_iocs_and_leaked_credentials/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/luminar_iocs_and_leaked_credentials/resources/ai/jobs_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/marketo/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/microsoft_graph_security_tools/resources/ai/connectors_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/microsoft_graph_security_tools/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/nucleon_cyber/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/pager_duty/resources/ai/connectors_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/pager_duty/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/perimeter_x/resources/ai/connectors_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/perimeter_x/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/philips_hue/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/phish_tank/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/pulsedive/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/sample_integration/resources/ai/connectors_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/sample_integration/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/sample_integration/resources/ai/jobs_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/send_grid/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/signal_sciences/resources/ai/actions_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/signal_sciences/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/spell_checker/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/superna_zero_trust/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/team_cymru_scout/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/telegram/resources/ai/connectors_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/telegram/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/vanilla_forums/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/vectra_qux/resources/ai/connectors_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/vectra_qux/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/vectra_qux/resources/ai/jobs_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/vectra_rux/resources/ai/connectors_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/vectra_rux/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/vectra_rux/resources/ai/jobs_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/vorlon/resources/ai/connectors_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/vorlon/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/webhook/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/whois_xml_api/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/workflow_tools/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/community/zoom/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/partner/anyrun_sandbox/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/partner/anyrun_ti_feeds/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/partner/anyrun_ti_feeds/resources/ai/jobs_ai_description.yaml create mode 100644 content/response_integrations/third_party/partner/anyrun_ti_lookup/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/partner/censys/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/partner/clarotyxdome/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/partner/cyjax_threat_intelligence/resources/ai/actions_ai_description.yaml create mode 100644 content/response_integrations/third_party/partner/cyjax_threat_intelligence/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/partner/cylusone/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/partner/cyware_intel_exchange/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/partner/darktrace/resources/ai/connectors_ai_description.yaml create mode 100644 content/response_integrations/third_party/partner/darktrace/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/partner/domain_tools/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/partner/doppel_vision/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/partner/grey_noise/resources/ai/actions_ai_description.yaml create mode 100644 content/response_integrations/third_party/partner/grey_noise/resources/ai/connectors_ai_description.yaml create mode 100644 content/response_integrations/third_party/partner/grey_noise/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/partner/group_ib_ti/resources/ai/connectors_ai_description.yaml create mode 100644 content/response_integrations/third_party/partner/group_ib_ti/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/partner/houdin_io/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/partner/infoblox_nios/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/partner/infoblox_threat_defense_with_ddi/resources/ai/connectors_ai_description.yaml create mode 100644 content/response_integrations/third_party/partner/infoblox_threat_defense_with_ddi/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/partner/ip_info/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/partner/jamf/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/partner/netappransomwareresilience/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/partner/netenrich_connect/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/partner/netenrich_connect/resources/ai/jobs_ai_description.yaml create mode 100644 content/response_integrations/third_party/partner/orca_security/resources/ai/connectors_ai_description.yaml create mode 100644 content/response_integrations/third_party/partner/orca_security/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/partner/recorded_future_intelligence/resources/ai/connectors_ai_description.yaml create mode 100644 content/response_integrations/third_party/partner/recorded_future_intelligence/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/partner/rubrik_security_cloud/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/partner/silentpush/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/partner/silverfort/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/partner/spycloud/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/partner/stairwell/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/partner/thinkst_canary/resources/ai/connectors_ai_description.yaml create mode 100644 content/response_integrations/third_party/partner/thinkst_canary/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/partner/torq/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/partner/wiz/resources/ai/integration_ai_description.yaml create mode 100644 content/response_integrations/third_party/partner/xm_cyber/resources/ai/integration_ai_description.yaml diff --git a/content/response_integrations/google/cyber_x/resources/ai/actions_ai_description.yaml b/content/response_integrations/google/cyber_x/resources/ai/actions_ai_description.yaml index e4fdba9c6..fdab5e5d9 100644 --- a/content/response_integrations/google/cyber_x/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/google/cyber_x/resources/ai/actions_ai_description.yaml @@ -1,54 +1,20 @@ -# Copyright 2026 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - Enrich Endpoints: - ai_description: >- - ### General Description - - Enriches **Hostname** and **IP Address** entities with comprehensive device information - retrieved from the CyberX platform. This action helps security analysts gain visibility - into OT/IoT devices by providing context such as device type, vendor, and operating - system directly within the Google SecOps environment. - - - ### Parameters Description - - There are no parameters for this action. - - - ### Additional Notes - - The action enriches entities by adding custom properties prefixed with `CX_` and - attaching a detailed data table to each successfully matched entity. - - - ### Flow Description - - 1. **Initialization**: Establishes a connection to the CyberX API using the integration's - configuration (API Root and Access Token). - - 2. **Entity Filtering**: Identifies all Hostname and IP Address entities within - the current alert context. - - 3. **Data Retrieval**: For each entity, it queries the CyberX API to find matching - device records based on the IP address or hostname. - - 4. **Enrichment**: - - Updates the entity's `additional_properties` with the flattened device data. - - Adds a formatted data table to the entity for quick reference in the UI. - 5. **Reporting**: Summarizes the enrichment results and logs any errors encountered - during the process. + ai_description: "Enriches Hostname and Address entities using CyberX. This action\ + \ retrieves detailed device information from the CyberX platform to provide context\ + \ about endpoints within the network. \n\n### Flow Description:\n1. **Authentication**:\ + \ Initializes the CyberX manager using the API Root and Access Token provided\ + \ in the integration configuration.\n2. **Entity Filtering**: Identifies all Address\ + \ (IP) and Hostname entities within the current scope.\n3. **Data Retrieval**:\ + \ For each identified entity, the action queries the CyberX API to find a matching\ + \ device record. \n4. **Enrichment**: If a device is found, the action adds a\ + \ data table to the entity containing the raw device information and updates the\ + \ entity's additional properties with the retrieved data, prefixed with 'CX_'.\n\ + \n### Parameters Description:\n| Parameter Name | Description | Type | Mandatory\ + \ | \n| :--- | :--- | :--- | :--- |\n| None | This action does not have any specific\ + \ input parameters; it relies on the integration's global configuration. | N/A\ + \ | N/A |\n\n### Additional Notes:\n* This action performs a lookup against all\ + \ devices known to the CyberX instance. If a large number of devices exist, performance\ + \ may be impacted by the underlying API call to fetch all devices." capabilities: can_create_case_comments: false can_create_insight: false @@ -59,8 +25,8 @@ Enrich Endpoints: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action updates entity additional properties with enriched device information - from CyberX and adds an entity data table to the entity's view. + Updates entity additional properties with device metadata retrieved from CyberX + and adds entity data tables. categories: enrichment: true entity_usage: @@ -80,25 +46,49 @@ Enrich Endpoints: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Alerts: ai_description: "### General Description\nThe **Get Alerts** action retrieves a\ - \ comprehensive list of all security alerts detected by the CyberX XSense platform.\ - \ This action is primarily used for visibility and reporting, allowing security\ - \ analysts to pull the current state of alerts from the CyberX environment into\ - \ Google SecOps for further review or documentation.\n\n### Parameters Description\n\ - There are no input parameters for this action.\n\n### Additional Notes\nThis action\ - \ does not operate on specific entities; it performs a global fetch of all alerts\ - \ available in the CyberX system. The results are presented both as a formatted\ - \ data table and as a raw JSON object.\n\n### Flow Description\n1. **Initialization**:\ - \ The action initializes the CyberX manager using the API Root, Access Token,\ - \ and SSL verification settings from the integration configuration.\n2. **API\ - \ Request**: It executes a GET request to the CyberX `/api/v1/alerts` endpoint\ - \ to retrieve the list of alerts.\n3. **Data Processing**: \n - If alerts are\ - \ retrieved, the action flattens the dictionary objects and constructs a CSV-formatted\ - \ data table titled \"Result ALerts\".\n - It calculates the total count of\ - \ alerts found for the output message.\n4. **Output**: The action returns the\ - \ count of alerts in the execution summary and provides the full list of alerts\ - \ in JSON format for use in downstream playbook steps." + \ comprehensive list of all security alerts currently detected by the CyberX XSense\ + \ platform. This action provides visibility into external security events by pulling\ + \ them into the Google SecOps environment for analysis and reporting.\n\n### Parameters\ + \ Description\nThere are no input parameters for this action. It utilizes the\ + \ global integration configuration (API Root and Access Token) to authenticate\ + \ and communicate with the CyberX API.\n\n### Flow Description\n1. **Initialization**:\ + \ The action initializes the CyberX manager using the provided API credentials\ + \ and SSL settings.\n2. **Data Retrieval**: It executes a GET request to the `/api/v1/alerts`\ + \ endpoint to fetch the full list of alerts from the CyberX instance.\n3. **Data\ + \ Processing**: If alerts are found, the action flattens the JSON response and\ + \ formats it into a CSV-compatible structure.\n4. **Output Generation**: \n \ + \ * A data table titled 'Result Alerts' is added to the action results for display\ + \ in the SOAR UI.\n * The raw JSON data of all alerts is returned as the script\ + \ result.\n * An output message is generated stating the total number of alerts\ + \ retrieved.\n\n### Additional Notes\nThis is a global retrieval action and does\ + \ not operate on specific entities within a case." capabilities: can_create_case_comments: false can_create_insight: false @@ -126,46 +116,52 @@ Get Alerts: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Connections for Endpoint: - ai_description: >- - ### General Description - - Retrieves a list of network connections for specific endpoints (IP addresses or - Hostnames) from the CyberX platform. This action helps security analysts understand - the network activity and communication patterns of a device by fetching its connection - history and displaying it directly within the Google SecOps entity context. - - - ### Parameters - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | N/A | N/A | N/A | This action does not require any input parameters. | - - - ### Additional Notes - - * The action requires a valid API Root and Access Token configured in the CyberX - integration settings. - - * It supports both IP Address (ADDRESS) and Hostname (HOSTNAME) entity types. - - - ### Flow Description - - 1. **Entity Filtering**: The action identifies all target entities in the current - context that are either IP Addresses or Hostnames. - - 2. **Device Identification**: For each identified entity, the action queries the - CyberX API to find the corresponding internal Device ID based on the IP or Hostname. - - 3. **Connection Retrieval**: Once the Device ID is obtained, the action fetches - the list of network connections associated with that device from CyberX. - - 4. **Data Enrichment**: The retrieved connection data is flattened and attached - as a data table to the respective entity in Google SecOps for easy review. + ai_description: "The **Get Connections for Endpoint** action retrieves a comprehensive\ + \ list of network connections associated with specific devices from the CyberX\ + \ platform. It supports both IP Address (ADDRESS) and Hostname (HOSTNAME) entities.\ + \ This action is primarily used for visibility and forensic investigation, allowing\ + \ analysts to see which other assets or external addresses a device has communicated\ + \ with. The retrieved data is presented as a table attached to the entity within\ + \ the case.\n\n### Parameters Description\n\n| Parameter | Type | Mandatory |\ + \ Description |\n| :--- | :--- | :--- | :--- |\n| N/A | N/A | N/A | This action\ + \ does not have any input parameters. |\n\n### Additional Notes\n\n* The action\ + \ first resolves the entity to a CyberX Device ID before fetching connection data.\ + \ \n* If a device is not found in CyberX for a given entity, an error will be\ + \ logged for that specific entity, but the action will continue to process others.\n\ + \n### Flow Description\n\n1. **Entity Filtering:** The action identifies all `ADDRESS`\ + \ and `HOSTNAME` entities in the current context.\n2. **Device Resolution:** For\ + \ each entity, it queries the CyberX API to find the internal `device_id` by matching\ + \ the IP address or hostname.\n3. **Connection Retrieval:** Using the resolved\ + \ `device_id`, it fetches all recorded network connections from the CyberX `/api/v1/devices/{device_id}/connections`\ + \ endpoint.\n4. **Data Presentation:** The retrieved connection data is flattened\ + \ and added as an Entity Table to the respective entity in the Google SecOps case\ + \ for analyst review." capabilities: can_create_case_comments: false can_create_insight: false @@ -176,10 +172,10 @@ Get Connections for Endpoint: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Adds a data table to the entity in Google SecOps containing the network connection - information retrieved from CyberX. + The action adds a data table to the entity within the Google SecOps platform + to display connection information retrieved from CyberX. categories: - enrichment: true + enrichment: false entity_usage: entity_types: - ADDRESS @@ -197,49 +193,66 @@ Get Connections for Endpoint: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Device Vulnerability Report: ai_description: >- ### General Description The **Get Device Vulnerability Report** action retrieves detailed vulnerability - information for specific endpoints from the CyberX platform. It allows security - analysts to see the security posture and known vulnerabilities of devices identified - as IP addresses or Hostnames within a case, providing critical context for incident - response and risk assessment. + information for specific endpoints (Hostnames or IP Addresses) from the CyberX + platform. This action provides security analysts with immediate context regarding + the security posture and known weaknesses of devices involved in an alert, helping + to prioritize response efforts based on the risk level of the affected assets. ### Parameters Description - There are no user-configurable parameters for this action. It relies on the global - CyberX integration configuration, specifically the **API Root**, **Access Token**, - and **Verify SSL** settings. + There are no additional parameters for this action. ### Flow Description - 1. **Authentication**: The action initializes a connection to the CyberX API using - the configured credentials. - - 2. **Entity Filtering**: It identifies and filters the target entities in the - current SOAR context, focusing exclusively on `ADDRESS` (IP) and `HOSTNAME` types. - - 3. **Data Retrieval**: The action performs a single GET request to the CyberX - `/api/v1/reports/vulnerabilities/devices` endpoint to fetch the master list of - all device vulnerability reports. + 1. **Entity Filtering**: The action identifies all `HOSTNAME` and `ADDRESS` (IP) + entities within the current case scope. - 4. **Matching Logic**: It iterates through the filtered entities and attempts - to match each one against the retrieved reports. Matching is performed by IP address - for `ADDRESS` entities and by device name for `HOSTNAME` entities. + 2. **Data Retrieval**: It performs a single API call to fetch the complete list + of device vulnerability reports from the CyberX platform. - 5. **Enrichment**: For every matching device found, the action flattens the vulnerability - data and attaches it as a structured data table to the corresponding entity within - the Google SecOps platform. - - - ### Additional Notes + 3. **Matching Logic**: + * For **IP Address** entities, the action iterates through the reports to + find a match within the `ipAddresses` field. + * For **Hostname** entities, the action searches for a match against the `name` + field of the reports. + 4. **Enrichment**: If a matching report is found, the vulnerability data is flattened + and attached to the specific entity as an **Entity Table** within the Google SecOps + interface. - If no matching reports are found for the provided entities, the action will complete - successfully but will report that no vulnerability data was found. + 5. **Reporting**: The action concludes by summarizing which entities were successfully + enriched and reporting any errors encountered during the process. capabilities: can_create_case_comments: false can_create_insight: false @@ -250,8 +263,8 @@ Get Device Vulnerability Report: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Adds a vulnerability report data table to the identified entities within the - Google SecOps case. + Adds a vulnerability report table to the entity's data within the Google SecOps + case to provide contextual enrichment. categories: enrichment: true entity_usage: @@ -271,24 +284,75 @@ Get Device Vulnerability Report: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Events: - ai_description: "### General Description\nThe **Get Events** action retrieves a\ - \ comprehensive list of events currently recorded in the CyberX event log. This\ - \ utility action is designed to provide visibility into system-level activities\ - \ and security events monitored by the CyberX platform, allowing analysts to review\ - \ historical or recent event data within the Google SecOps environment.\n\n###\ - \ Parameters Description\nThere are no parameters for this action.\n\n### Additional\ - \ Notes\nThis action does not require or process any entities. It performs a global\ - \ fetch of events from the CyberX instance.\n\n### Flow Description\n1. **Authentication**:\ - \ The action initializes the CyberX manager using the API Root, Access Token,\ - \ and SSL verification settings provided in the integration configuration.\n2.\ - \ **API Request**: It performs a GET request to the CyberX `/api/v1/events` endpoint\ - \ to retrieve the event log.\n3. **Data Transformation**: The retrieved list of\ - \ event objects is processed and flattened to ensure compatibility with tabular\ - \ displays.\n4. **Result Presentation**: \n * If events are found, they are\ - \ formatted into a CSV-style data table titled 'Result Events' and attached to\ - \ the action results.\n * The raw JSON response is returned as the script output.\n\ - \ * A summary message indicates the total number of events found." + ai_description: >- + ### General Description + + The **Get Events** action retrieves a comprehensive list of events reported to + the CyberX event log. This action is designed to provide visibility into system + activities and historical logs within the CyberX platform, facilitating auditing + and monitoring workflows. + + + ### Parameters Description + + | Parameter Name | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | N/A | N/A | N/A | This action does not require any input parameters. | + + + ### Additional Notes + + - This action is a global fetch operation and does not target specific entities + within a case. + + - The retrieved events are automatically flattened and presented in a data table + for easier analysis. + + + ### Flow Description + + 1. **Connection**: The action establishes a connection to the CyberX API using + the configured API Root and Access Token. + + 2. **Data Retrieval**: It performs a GET request to the `/api/v1/events` endpoint + to fetch all available event logs. + + 3. **Data Transformation**: The resulting event data is processed and flattened + using utility functions to ensure compatibility with tabular displays. + + 4. **Reporting**: If events are found, they are added to a data table titled 'Result + Events'. + + 5. **Completion**: The action concludes by providing a summary message of the + number of events found and returning the raw JSON data. capabilities: can_create_case_comments: false can_create_insight: false @@ -316,59 +380,68 @@ Get Events: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: ai_description: >- ### General Description The **Ping** action is a diagnostic tool used to verify the connectivity between - Google SecOps and the CyberX platform. It ensures that the integration is correctly - configured and that the service is reachable using the provided credentials. + Google SecOps and the CyberX instance. It ensures that the provided API Root and + Access Token are valid and that the network path is open by attempting a basic + data retrieval operation. ### Parameters Description - This action does not have any direct action parameters. It relies on the global - integration configuration: - - - | Parameter Name | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | + There are no parameters for this action. - | API Root | String | Yes | The base URL of the CyberX instance (e.g., `https://cyberx-server.com`). - | - | Access Token | String | Yes | The API token used to authenticate requests to - the CyberX API. | + ### Additional Notes - | Verify SSL | Boolean | No | Determines whether to verify the SSL certificate - of the CyberX server. Defaults to `false`. | + This action is typically used during the initial setup of the CyberX integration + or for troubleshooting communication issues. It performs a read-only operation + and does not impact any data within CyberX or Google SecOps. ### Flow Description - 1. **Configuration Retrieval:** The action fetches the API Root, Access Token, - and SSL verification settings from the CyberX integration configuration. - - 2. **Manager Initialization:** It initializes the `CyberXManager` with the retrieved - settings. - - 3. **Connectivity Test:** The action executes the `get_all_devices` method, which - performs a `GET` request to the `/api/v1/devices` endpoint. + 1. **Configuration Retrieval**: The action retrieves the API Root, Access Token, + and SSL verification settings from the integration configuration. - 4. **Result Handling:** If the API call is successful, the action concludes with - a success status and a "Connection established" message. If the call fails (e.g., - due to invalid credentials or network issues), an exception is raised, indicating - a connection failure. + 2. **Manager Initialization**: It initializes the `CyberXManager` with the retrieved + credentials. + 3. **Connectivity Test**: The action calls the `get_all_devices` method, which + sends a GET request to the `/api/v1/devices` endpoint of the CyberX API. - ### Additional Notes - - - This action does not process any entities and is strictly used for system health - checks. + 4. **Validation**: If the API responds with a success status code, the connection + is considered established. - - As per standard SOAR practices, this action is excluded from being categorized - as an enrichment action despite fetching data. + 5. **Completion**: The action ends with a success message 'Connection established.' capabilities: can_create_case_comments: false can_create_insight: false @@ -396,3 +469,28 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/google/cyber_x/resources/ai/integration_ai_description.yaml b/content/response_integrations/google/cyber_x/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..18fead5ae --- /dev/null +++ b/content/response_integrations/google/cyber_x/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: true + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: true + siem: true + threat_intelligence: false + vulnerability_management: true diff --git a/content/response_integrations/google/juniper_vsrx/resources/ai/actions_ai_description.yaml b/content/response_integrations/google/juniper_vsrx/resources/ai/actions_ai_description.yaml index dcfd1d06c..ea00e32d9 100644 --- a/content/response_integrations/google/juniper_vsrx/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/google/juniper_vsrx/resources/ai/actions_ai_description.yaml @@ -1,67 +1,50 @@ -# Copyright 2026 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - Add IP To Address Set: ai_description: >- - ### General Description + Adds IP address entities to a specified address set on a Juniper VSRX device. + This action allows for the organization of network addresses into sets, which + can then be used in security policies. It supports adding addresses to either + a global address book or a specific security zone's address book. - This action adds IP address entities to a specified address set on a Juniper VSRX - device. It is primarily used for network access control or blacklisting by grouping - IP addresses into manageable sets within the firewall's security configuration. + ### Flow Description: - ### Parameters Description + 1. **Configuration Retrieval:** Fetches connection details (Address, Port, Username, + Password) for the Juniper VSRX device. - | Parameter | Type | Mandatory | Description | + 2. **Parameter Extraction:** Retrieves the target 'Address Set Name' and the optional + 'Zone Name' from the action parameters. - | :--- | :--- | :--- | :--- | + 3. **Entity Filtering:** Identifies all IP Address entities within the current + context. - | Address Set Name | String | Yes | The name of the target address set on the - Juniper VSRX where the IP addresses will be added. | + 4. **Address Record Creation:** For each identified IP, it creates a unique address + record on the Juniper device. - | Zone Name | String | No | The specific security zone where the address set and - address records should be created. If left empty, the action defaults to using - the global address book. | + 5. **Address Set Update:** Adds the newly created address record to the specified + address set. + 6. **Commit Changes:** Executes a configuration commit on the Juniper VSRX to + persist the changes. - ### Flow Description - - 1. **Initialization**: Establishes a connection to the Juniper VSRX device using - the provided integration credentials. - 2. **Entity Filtering**: Identifies all `ADDRESS` entities within the current - Google SecOps context. + ### Parameters Description: - 3. **Configuration Loading**: For each identified IP address, the action generates - and loads configuration commands to create a unique address record and associate - it with the specified `Address Set Name`. If a `Zone Name` is provided, these - records are scoped to that specific security zone. + | Parameter Name | Type | Mandatory | Description | - 4. **Commitment**: Executes a configuration commit on the Juniper VSRX device - to apply the changes permanently. + | :--- | :--- | :--- | :--- | - 5. **Cleanup**: Closes the session with the device and reports the success or - failure for each processed entity. + | Address Set Name | string | True | The name of the address set where the IP + addresses should be added. | + | Zone Name | string | False | The name of the security zone. If provided, the + address record and set update will be scoped to this specific zone; otherwise, + the global address book is used. | - ### Additional Notes - - This action performs a state-changing operation on the external firewall by - modifying its configuration. + ### Additional Notes: - - If the address record already exists, the behavior depends on the Juniper device's - handling of duplicate 'set' commands (typically idempotent). + - This action performs a configuration commit on the device, which may affect + other pending changes on the Juniper VSRX if not managed carefully. capabilities: can_create_case_comments: false can_create_insight: false @@ -70,7 +53,7 @@ Add IP To Address Set: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates new address records and modifies address set memberships on the Juniper + Creates new address records and modifies address set configurations on the Juniper VSRX device, followed by a configuration commit to apply the changes. fetches_data: false internal_data_mutation_explanation: null @@ -92,51 +75,71 @@ Add IP To Address Set: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: true + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: ai_description: >- ### General Description - The **Ping** action is a diagnostic utility used to verify the connectivity between - Google SecOps and a **Juniper VSRX** instance. Its primary purpose is to validate - that the provided configuration details (Address, Port, Username, and Password) - are correct and that the network path to the device is open. + The **Ping** action is a utility designed to verify the connectivity between the + Google SecOps environment and the Juniper VSRX device. It ensures that the provided + configuration parameters (Address, Port, Username, and Password) are correct and + that the device is reachable over the network. ### Parameters Description - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | + There are no input parameters for this action. It relies entirely on the integration's + global configuration settings. - | N/A | N/A | N/A | This action does not require any input parameters as it uses - the global integration configuration. | - - - ### Additional Notes - - This action is a standard health check and does not interact with any security - entities or alert data. + ### Flow Description - - It is recommended to run this action immediately after configuring the Juniper - VSRX integration to ensure the setup is functional. + 1. **Configuration Retrieval**: The action fetches the connection details (Address, + Port, Username, Password) from the integration's configuration. + 2. **Manager Initialization**: It initializes the `JuniperVSRXManager` using the + retrieved credentials. - ### Flow Description + 3. **Connectivity Probe**: The action calls the `ping` method, which uses the + `probe()` function from the underlying Junos library to check if the device is + responsive. - 1. **Retrieve Configuration**: The action fetches the connection parameters (Address, - Port, Username, and Password) from the integration's shared configuration. + 4. **Session Termination**: The connection session is closed to ensure no resources + are left hanging. - 2. **Initialize Manager**: It creates an instance of the `JuniperVSRXManager` - to handle the communication logic. + 5. **Result Reporting**: The action returns a success message ('Connection Established.') + and a boolean `True` if the probe succeeds, or a failure message ('Connection + Failed.') and `False` otherwise. - 3. **Connectivity Probe**: The action executes a `probe()` call to the Juniper - device to test the network connection and authentication. - 4. **Session Cleanup**: The connection session is explicitly closed to release - resources. + ### Additional Notes - 5. **Final Status**: The action reports whether the connection was successfully - established or if it failed. + This action does not interact with any entities or modify any data. It is strictly + used for health checks and troubleshooting integration connectivity. capabilities: can_create_case_comments: false can_create_insight: false @@ -164,47 +167,77 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Remove IP From Address Set: ai_description: >- - Removes IP address entities from a specified address set on a Juniper VSRX device. - This action interacts with the Juniper Junos OS to identify the internal record - name associated with an IP address and then deletes that record from the target - address set and, optionally, a specific security zone. Finally, it commits the - configuration changes to the device to ensure the removal is persistent. + Removes IP Address entities from a specified address set on a Juniper VSRX device. + This action is typically used to reverse a previous blocking or containment action + by removing the IP from a restricted address group. - ### Parameters + ### Flow Description - | Parameter Name | Type | Mandatory | Description | + 1. **Parameter Retrieval:** The action extracts the 'Address Set Name' and the + optional 'Zone Name' from the input parameters. - | :--- | :--- | :--- | :--- | + 2. **Entity Filtering:** It identifies all entities of type 'ADDRESS' within the + current scope. - | Address Set Name | String | Yes | The name of the address set from which the - IP address should be removed. | + 3. **Record Identification:** For each IP address, it queries the Juniper VSRX + device to find the specific internal record name associated with that IP. - | Zone Name | String | No | The name of the security zone where the address set - is located. If not provided, the action defaults to the global address book. | + 4. **Configuration Staging:** It loads deletion commands into the device's configuration + buffer to remove the address record and its association with the specified address + set. + 5. **Commit Changes:** It executes a commit operation to apply the configuration + changes permanently to the Juniper VSRX device. - ### Flow Description - 1. **Initialization**: Connects to the Juniper VSRX device using provided credentials - and retrieves the action parameters. + ### Parameters Description + + | Parameter Name | Type | Mandatory | Description | - 2. **Entity Filtering**: Identifies all 'ADDRESS' entities within the current - scope. + | :--- | :--- | :--- | :--- | - 3. **Record Identification**: For each IP entity, it queries the device's configuration - to find the specific internal record name mapped to that IP. + | Address Set Name | String | True | The name of the address set (group) from + which the IP address should be removed. | - 4. **Staging Deletion**: Issues commands to delete the address record and its - association with the specified address set (and zone, if provided). + | Zone Name | String | False | The specific security zone where the address set + is located. If omitted, the action targets the global address book. | + + + ### Additional Notes - 5. **Commitment**: Executes a configuration commit on the Juniper VSRX device - to apply the changes. + * This action requires the Juniper VSRX integration to be configured with valid + administrative credentials and network access. - 6. **Cleanup**: Closes the device session and reports the success or failure for - each processed entity. + * The action performs a configuration commit, which may affect other pending changes + on the device if not managed carefully. capabilities: can_create_case_comments: false can_create_insight: false @@ -213,8 +246,8 @@ Remove IP From Address Set: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Removes address records and address-set associations from the Juniper VSRX configuration - and performs a commit operation to apply the changes. + Removes address records and address set memberships from the Juniper VSRX configuration + and commits the changes. fetches_data: true internal_data_mutation_explanation: null categories: @@ -235,3 +268,28 @@ Remove IP From Address Set: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: true + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/google/juniper_vsrx/resources/ai/integration_ai_description.yaml b/content/response_integrations/google/juniper_vsrx/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..b927e7b41 --- /dev/null +++ b/content/response_integrations/google/juniper_vsrx/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: true + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/google/mc_afee_nsm/resources/actions_ai_description.yaml b/content/response_integrations/google/mc_afee_nsm/resources/actions_ai_description.yaml deleted file mode 100644 index 91b5b3057..000000000 --- a/content/response_integrations/google/mc_afee_nsm/resources/actions_ai_description.yaml +++ /dev/null @@ -1,431 +0,0 @@ -# Copyright 2026 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -Block IP: - ai_description: >- - ### General Description - - Blocks IP Address entities in McAfee Network Security Manager (NSM). This action - automates the process of blacklisting malicious IPs by managing firewall rule - objects and policies within the NSM environment. It ensures that the block is - enforced by deploying configuration changes to the relevant sensors. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | None | N/A | N/A | This action does not have any action-specific parameters. - It relies on the integration's configuration (API Root, Credentials, Domain ID, - Policy Name, and Sensor List). | - - - ### Additional Notes - - - The action specifically looks for a policy defined in the integration configuration - ('Siemplify Policy Name'). - - - It manages rule objects with a prefix 'Siemplify_Block' and adheres to NSM limits - (10 addresses per object, 10 objects per rule). - - - A 'Deploy Changes' command is issued to all sensors listed in the configuration - to make the block effective immediately. - - - ### Flow Description - - 1. **Authentication**: Establishes a session with the McAfee NSM API using provided - credentials. - - 2. **Entity Filtering**: Identifies all IP Address (ADDRESS) entities provided - in the action scope. - - 3. **Block Verification**: For each IP, it queries NSM to check if the address - is already blocked within the target policy. - - 4. **Policy Modification**: If the IP is not blocked, it searches for an existing - Siemplify rule object with available capacity. If an available object is found, - it updates it with the new IP. If no object is available, it creates a new rule - object and adds it to the firewall policy. - - 5. **Deployment**: Triggers a configuration push to all sensors specified in the - 'Sensors Names List Comma Separated' configuration. - - 6. **Cleanup**: Logs out of the NSM session and returns the execution status. - capabilities: - can_create_case_comments: false - can_create_insight: false - can_modify_alert_data: false - can_mutate_external_data: true - can_mutate_internal_data: false - can_update_entities: false - external_data_mutation_explanation: >- - Creates or updates firewall rule objects in McAfee NSM and updates the firewall - policy to block the specified IP addresses. It also triggers a configuration - push (deploy changes) to the sensors. - fetches_data: true - internal_data_mutation_explanation: null - categories: - enrichment: false - entity_usage: - entity_types: - - ADDRESS - filters_by_additional_properties: false - filters_by_alert_identifier: false - filters_by_case_identifier: false - filters_by_creation_time: false - filters_by_entity_type: true - filters_by_identifier: false - filters_by_is_artifact: false - filters_by_is_enriched: false - filters_by_is_internal: false - filters_by_is_pivot: false - filters_by_is_suspicious: false - filters_by_is_vulnerable: false - filters_by_modification_time: false -Get Alert Info Data: - ai_description: >- - ### General Description - - Retrieves detailed information for a specific alert from McAfee Network Security - Manager (NSM). This action is used to fetch the full context of an alert, including - signature details, attacker/target information, and malware metadata, which can - be used for further investigation or automated decision-making within a playbook. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Alert ID | String | Yes | The unique identifier of the alert in McAfee NSM. - | - - | Sensor Name | String | Yes | The name of the sensor that generated the alert. - This is required to locate the alert within the NSM architecture. | - - - ### Additional Notes - - This action does not run on entities. It requires a specific Alert ID and Sensor - Name as input parameters. The retrieved data is returned as a JSON object and - displayed in a formatted data table within the case wall. - - - ### Flow Description - - 1. **Initialization**: The action initializes the McAfee NSM manager using the - integration's configuration (API Root, credentials, and domain information). - - 2. **Parameter Retrieval**: The action extracts the `Alert ID` and `Sensor Name` - provided by the user or playbook. - - 3. **Sensor Resolution**: The manager resolves the provided `Sensor Name` to its - internal `Sensor ID` by querying the NSM API. - - 4. **Data Retrieval**: A GET request is sent to the NSM API to fetch the detailed - alert information using the `Alert ID` and the resolved `Sensor ID`. - - 5. **Output Generation**: If data is found, it is added to the action's results - as a raw JSON object and a formatted data table. The action then concludes with - a success message. - capabilities: - can_create_case_comments: false - can_create_insight: false - can_modify_alert_data: false - can_mutate_external_data: false - can_mutate_internal_data: false - can_update_entities: false - external_data_mutation_explanation: null - fetches_data: true - internal_data_mutation_explanation: null - categories: - enrichment: false - entity_usage: - entity_types: [] - filters_by_additional_properties: false - filters_by_alert_identifier: false - filters_by_case_identifier: false - filters_by_creation_time: false - filters_by_entity_type: false - filters_by_identifier: false - filters_by_is_artifact: false - filters_by_is_enriched: false - filters_by_is_internal: false - filters_by_is_pivot: false - filters_by_is_suspicious: false - filters_by_is_vulnerable: false - filters_by_modification_time: false -Is IP Blocked: - ai_description: >- - ### General Description - - The **Is IP Blocked** action checks whether specific IP Address entities are currently - blocked within the McAfee Network Security Manager (NSM). It queries the NSM to - see if the IP is part of a rule object associated with the configured Siemplify - firewall policy. This is primarily used for verifying the current enforcement - state of an IP before or after containment actions. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | N/A | N/A | N/A | This action does not take any input parameters. | - - - ### Additional Notes - - This action relies on the integration's global configuration, specifically the - 'Siemplify Policy Name' and 'Domain ID', to determine which firewall rules to - inspect. It only checks for blocks within the policy managed by the SOAR. - - - ### Flow Description - - 1. **Initialization**: Connects to the McAfee NSM API using the integration's - global configuration credentials. - - 2. **Entity Filtering**: Identifies all `ADDRESS` entities within the current - case scope. - - 3. **Status Check**: For each IP address, it queries the NSM to find rule objects - containing that IP that are also members of the designated Siemplify firewall - policy. - - 4. **Categorization**: Groups entities into 'Blocked' and 'Unblocked' lists based - on the API response. - - 5. **Cleanup**: Logs out of the NSM session to ensure security. - - 6. **Completion**: Returns a summary message and a boolean result (True if at - least one IP is blocked). - capabilities: - can_create_case_comments: false - can_create_insight: false - can_modify_alert_data: false - can_mutate_external_data: false - can_mutate_internal_data: false - can_update_entities: false - external_data_mutation_explanation: null - fetches_data: true - internal_data_mutation_explanation: null - categories: - enrichment: true - entity_usage: - entity_types: - - ADDRESS - filters_by_additional_properties: false - filters_by_alert_identifier: false - filters_by_case_identifier: false - filters_by_creation_time: false - filters_by_entity_type: true - filters_by_identifier: false - filters_by_is_artifact: false - filters_by_is_enriched: false - filters_by_is_internal: false - filters_by_is_pivot: false - filters_by_is_suspicious: false - filters_by_is_vulnerable: false - filters_by_modification_time: false -Ping: - ai_description: >- - Tests connectivity to the McAfee Network Security Manager (NSM) instance. This - action validates the provided credentials and network reachability by attempting - to establish an API session and immediately terminating it. - - - ### Parameters - - There are no parameters for this action. - - - ### Flow Description - - 1. **Configuration Retrieval**: The action fetches the integration configuration, - including API Root, credentials, and Domain ID. - - 2. **Authentication**: The `NsmManager` is initialized, which automatically attempts - to authenticate with the NSM API to retrieve a session token via a GET request - to the session endpoint. - - 3. **Session Termination**: The action explicitly calls the `logout` method to - close the established session using a DELETE request. - - 4. **Result Reporting**: If the authentication and logout cycle completes without - error, the action reports a successful connection. - capabilities: - can_create_case_comments: false - can_create_insight: false - can_modify_alert_data: false - can_mutate_external_data: false - can_mutate_internal_data: false - can_update_entities: false - external_data_mutation_explanation: null - fetches_data: false - internal_data_mutation_explanation: null - categories: - enrichment: false - entity_usage: - entity_types: [] - filters_by_additional_properties: false - filters_by_alert_identifier: false - filters_by_case_identifier: false - filters_by_creation_time: false - filters_by_entity_type: false - filters_by_identifier: false - filters_by_is_artifact: false - filters_by_is_enriched: false - filters_by_is_internal: false - filters_by_is_pivot: false - filters_by_is_suspicious: false - filters_by_is_vulnerable: false - filters_by_modification_time: false -Quarantine IP: - ai_description: >- - ### General Description - - Quarantines specific IP address entities on McAfee Network Security Manager (NSM) - sensors. This action is used for containment by isolating a potentially malicious - host from the network. The quarantine is applied with a duration of 'Until Explicitly - Released', meaning the isolation persists until a manual or automated release - action is triggered. - - - ### Parameters Description - - | Parameter Name | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | No Action Parameters | N/A | N/A | This action does not require specific input - parameters. It relies on the integration's global configuration for sensor lists - and credentials. | - - - ### Additional Notes - - * This action requires the **Sensors Names List Comma Separated** to be correctly - configured in the McAfee NSM integration settings. The action will attempt to - apply the quarantine on every sensor listed in that configuration. - - * The quarantine duration is hardcoded to `UNTIL_EXPLICITLY_RELEASED`. - - - ### Flow Description - - 1. **Initialization**: Connects to the McAfee NSM instance using credentials and - domain information from the integration configuration. - - 2. **Entity Filtering**: Identifies all `ADDRESS` (IP) entities provided in the - current context. - - 3. **Sensor Resolution**: For each configured sensor name, the action retrieves - the corresponding internal Sensor ID from NSM. - - 4. **Quarantine Execution**: Sends a POST request to the NSM API for each IP entity - on every resolved sensor to initiate the quarantine process. - - 5. **Result Tracking**: Tracks which IP addresses were successfully quarantined - across the sensors. - - 6. **Completion**: Logs out of the NSM session and returns a summary message of - the quarantined identifiers. - capabilities: - can_create_case_comments: false - can_create_insight: false - can_modify_alert_data: false - can_mutate_external_data: true - can_mutate_internal_data: false - can_update_entities: false - external_data_mutation_explanation: >- - Quarantines the specified IP address on the configured McAfee NSM sensors, which - changes the network access state for that host in the external system. - fetches_data: false - internal_data_mutation_explanation: null - categories: - enrichment: false - entity_usage: - entity_types: - - ADDRESS - filters_by_additional_properties: false - filters_by_alert_identifier: false - filters_by_case_identifier: false - filters_by_creation_time: false - filters_by_entity_type: true - filters_by_identifier: false - filters_by_is_artifact: false - filters_by_is_enriched: false - filters_by_is_internal: false - filters_by_is_pivot: false - filters_by_is_suspicious: false - filters_by_is_vulnerable: false - filters_by_modification_time: false -Unblock IP: - ai_description: "### General Description\nUnblocks specific IP address entities\ - \ within McAfee Network Security Manager (NSM). This action identifies the firewall\ - \ rule objects associated with the target IP addresses, removes the IPs from those\ - \ rules (or deletes the rule object if it contains only that IP), and then triggers\ - \ a configuration deployment to the relevant sensors to apply the changes.\n\n\ - ### Parameters Description\nThere are no parameters for this action.\n\n### Additional\ - \ Notes\n* This action requires a pre-configured 'Siemplify Policy Name' and a\ - \ list of 'Sensors' in the integration settings to know where to apply the unblocking\ - \ logic.\n* The action performs a 'Deploy Changes' operation at the end of the\ - \ process to ensure the firewall updates are active on the physical or virtual\ - \ sensors.\n\n### Flow Description\n1. **Initialization**: Connects to the McAfee\ - \ NSM API using provided credentials and configuration.\n2. **Entity Filtering**:\ - \ Identifies all `ADDRESS` entities within the current action scope.\n3. **Rule\ - \ Identification**: For each IP address, it searches for the corresponding rule\ - \ object within the specified Siemplify policy in NSM.\n4. **IP Removal**: \n\ - \ * If the rule object contains multiple IPs, it removes only the target IP.\n\ - \ * If the rule object contains only the target IP, it removes the rule object\ - \ from the policy and deletes the object entirely.\n5. **Deployment**: Triggers\ - \ a configuration update (`deploy_changes`) for all sensors defined in the integration\ - \ configuration to finalize the unblocking.\n6. **Cleanup**: Logs out of the NSM\ - \ session and reports the list of successfully unblocked entities." - capabilities: - can_create_case_comments: false - can_create_insight: false - can_modify_alert_data: false - can_mutate_external_data: true - can_mutate_internal_data: false - can_update_entities: false - external_data_mutation_explanation: >- - Removes IP addresses from firewall rule objects, deletes empty rule objects, - and updates sensor configurations to deploy changes in McAfee NSM. - fetches_data: true - internal_data_mutation_explanation: null - categories: - enrichment: false - entity_usage: - entity_types: - - ADDRESS - filters_by_additional_properties: false - filters_by_alert_identifier: false - filters_by_case_identifier: false - filters_by_creation_time: false - filters_by_entity_type: true - filters_by_identifier: false - filters_by_is_artifact: false - filters_by_is_enriched: false - filters_by_is_internal: false - filters_by_is_pivot: false - filters_by_is_suspicious: false - filters_by_is_vulnerable: false - filters_by_modification_time: false diff --git a/content/response_integrations/google/mc_afee_nsm/resources/ai/actions_ai_description.yaml b/content/response_integrations/google/mc_afee_nsm/resources/ai/actions_ai_description.yaml index 91b5b3057..113c074b5 100644 --- a/content/response_integrations/google/mc_afee_nsm/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/google/mc_afee_nsm/resources/ai/actions_ai_description.yaml @@ -1,70 +1,49 @@ -# Copyright 2026 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - Block IP: ai_description: >- - ### General Description + Blocks IP address entities in McAfee Network Security Manager (NSM). The action + interacts with the NSM API to manage firewall rule objects and policies. It checks + if an IP is already blocked; if not, it either appends the IP to an existing 'Siemplify' + rule object or creates a new one if capacity is reached. Finally, it pushes the + configuration changes to the specified sensors to enforce the block. - Blocks IP Address entities in McAfee Network Security Manager (NSM). This action - automates the process of blacklisting malicious IPs by managing firewall rule - objects and policies within the NSM environment. It ensures that the block is - enforced by deploying configuration changes to the relevant sensors. + ### Flow Description: - ### Parameters Description + 1. **Authentication:** Establishes a session with McAfee NSM using provided credentials + and retrieves a session token. - | Parameter | Type | Mandatory | Description | + 2. **Entity Filtering:** Identifies all IP Address entities (ADDRESS) within the + action scope. - | :--- | :--- | :--- | :--- | - - | None | N/A | N/A | This action does not have any action-specific parameters. - It relies on the integration's configuration (API Root, Credentials, Domain ID, - Policy Name, and Sensor List). | - - - ### Additional Notes + 3. **Block Logic:** For each IP, the action checks if it is already part of the + configured firewall policy. If not, it attempts to find a rule object with available + space (max 10 IPs). If no space is available, it creates a new rule object and + attaches it to the policy. - - The action specifically looks for a policy defined in the integration configuration - ('Siemplify Policy Name'). + 4. **Deployment:** Triggers a configuration push ('deploy changes') to the list + of sensors defined in the integration settings to ensure the new rules are active. - - It manages rule objects with a prefix 'Siemplify_Block' and adheres to NSM limits - (10 addresses per object, 10 objects per rule). + 5. **Cleanup:** Logs out of the NSM session. - - A 'Deploy Changes' command is issued to all sensors listed in the configuration - to make the block effective immediately. + ### Parameters Description: - ### Flow Description + | Parameter Name | Type | Mandatory | Description | - 1. **Authentication**: Establishes a session with the McAfee NSM API using provided - credentials. + | :--- | :--- | :--- | :--- | - 2. **Entity Filtering**: Identifies all IP Address (ADDRESS) entities provided - in the action scope. + | None | N/A | N/A | This action does not take direct input parameters; it relies + on the integration's global configuration (API Root, Credentials, Policy Name, + and Sensor List). | - 3. **Block Verification**: For each IP, it queries NSM to check if the address - is already blocked within the target policy. - 4. **Policy Modification**: If the IP is not blocked, it searches for an existing - Siemplify rule object with available capacity. If an available object is found, - it updates it with the new IP. If no object is available, it creates a new rule - object and adds it to the firewall policy. + ### Additional Notes: - 5. **Deployment**: Triggers a configuration push to all sensors specified in the - 'Sensors Names List Comma Separated' configuration. + * The action is designed to work with a dedicated firewall policy name specified + in the integration configuration. - 6. **Cleanup**: Logs out of the NSM session and returns the execution status. + * It manages rule objects with a specific prefix ('Siemplify_Block') to avoid + interfering with manual configurations. capabilities: can_create_case_comments: false can_create_insight: false @@ -73,9 +52,8 @@ Block IP: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates or updates firewall rule objects in McAfee NSM and updates the firewall - policy to block the specified IP addresses. It also triggers a configuration - push (deploy changes) to the sensors. + Creates or updates rule objects in McAfee NSM, modifies firewall policies to + include these objects, and triggers a configuration update on network sensors. fetches_data: true internal_data_mutation_explanation: null categories: @@ -96,63 +74,86 @@ Block IP: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: true + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Alert Info Data: ai_description: >- ### General Description Retrieves detailed information for a specific alert from McAfee Network Security - Manager (NSM). This action is used to fetch the full context of an alert, including - signature details, attacker/target information, and malware metadata, which can - be used for further investigation or automated decision-making within a playbook. + Manager (NSM) using the Alert ID and Sensor Name. This action is useful for analysts + who need to fetch the full context of an alert recorded in NSM to assist in investigation + and response within Google SecOps. ### Parameters Description + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Alert ID | String | Yes | The unique identifier of the alert in McAfee NSM. + | Alert ID | string | Yes | The unique identifier of the alert in McAfee NSM. | - | Sensor Name | String | Yes | The name of the sensor that generated the alert. - This is required to locate the alert within the NSM architecture. | + | Sensor Name | string | Yes | The name of the sensor that generated the alert. + | - ### Additional Notes + ### Flow Description - This action does not run on entities. It requires a specific Alert ID and Sensor - Name as input parameters. The retrieved data is returned as a JSON object and - displayed in a formatted data table within the case wall. + 1. **Initialize Connection**: Establishes a session with the McAfee NSM manager + using provided credentials. + 2. **Resolve Sensor ID**: Looks up the internal Sensor ID corresponding to the + provided `Sensor Name`. - ### Flow Description + 3. **Fetch Alert Data**: Executes a GET request to the NSM API to retrieve the + full alert details using the `Alert ID` and the resolved `Sensor ID`. - 1. **Initialization**: The action initializes the McAfee NSM manager using the - integration's configuration (API Root, credentials, and domain information). + 4. **Process Results**: If data is found, it is formatted as a JSON table and + added to the case. The raw JSON data is also attached to the action result. - 2. **Parameter Retrieval**: The action extracts the `Alert ID` and `Sensor Name` - provided by the user or playbook. - 3. **Sensor Resolution**: The manager resolves the provided `Sensor Name` to its - internal `Sensor ID` by querying the NSM API. - - 4. **Data Retrieval**: A GET request is sent to the NSM API to fetch the detailed - alert information using the `Alert ID` and the resolved `Sensor ID`. + ### Additional Notes - 5. **Output Generation**: If data is found, it is added to the action's results - as a raw JSON object and a formatted data table. The action then concludes with - a success message. + This action does not iterate over or process Google SecOps entities; it operates + strictly based on the provided string parameters. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: false + can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: null + internal_data_mutation_explanation: >- + Adds a JSON table containing alert details to the case and populates the action + result with the alert data. categories: enrichment: false entity_usage: @@ -170,52 +171,70 @@ Get Alert Info Data: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Is IP Blocked: ai_description: >- ### General Description - The **Is IP Blocked** action checks whether specific IP Address entities are currently - blocked within the McAfee Network Security Manager (NSM). It queries the NSM to - see if the IP is part of a rule object associated with the configured Siemplify - firewall policy. This is primarily used for verifying the current enforcement - state of an IP before or after containment actions. + The **Is IP Blocked** action verifies if specific IP Address entities are currently + blocked within the McAfee Network Security Manager (NSM). It checks if the IP + is part of a Siemplify-managed rule object associated with the configured firewall + policy. This action is useful for validating containment status during an investigation. ### Parameters Description - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | N/A | N/A | N/A | This action does not take any input parameters. | - - - ### Additional Notes - - This action relies on the integration's global configuration, specifically the - 'Siemplify Policy Name' and 'Domain ID', to determine which firewall rules to - inspect. It only checks for blocks within the policy managed by the SOAR. + This action does not require any input parameters. It uses the global integration + configuration to connect to the McAfee NSM instance. ### Flow Description - 1. **Initialization**: Connects to the McAfee NSM API using the integration's - global configuration credentials. + 1. **Authentication**: Connects to the McAfee NSM API and establishes a session. - 2. **Entity Filtering**: Identifies all `ADDRESS` entities within the current - case scope. + 2. **Entity Identification**: Filters the case entities to identify all `ADDRESS` + (IP) types. - 3. **Status Check**: For each IP address, it queries the NSM to find rule objects - containing that IP that are also members of the designated Siemplify firewall - policy. + 3. **Block Verification**: For each IP entity, the action queries the NSM to find + rule objects that: + * Start with the prefix `Siemplify_Block`. + * Contain the specific IP address. + * Are actively linked to the firewall policy defined in the integration settings. + 4. **Categorization**: Groups the entities into 'Blocked' and 'Unblocked' lists + based on the API response. - 4. **Categorization**: Groups entities into 'Blocked' and 'Unblocked' lists based - on the API response. + 5. **Completion**: Returns a summary message and a boolean result (`True` if at + least one IP is blocked, `False` otherwise). - 5. **Cleanup**: Logs out of the NSM session to ensure security. - 6. **Completion**: Returns a summary message and a boolean result (True if at - least one IP is blocked). + ### Additional Notes + + This action is strictly diagnostic and does not perform any changes to the firewall + configuration or the entities within Google SecOps. capabilities: can_create_case_comments: false can_create_insight: false @@ -244,32 +263,50 @@ Is IP Blocked: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: - ai_description: >- - Tests connectivity to the McAfee Network Security Manager (NSM) instance. This - action validates the provided credentials and network reachability by attempting - to establish an API session and immediately terminating it. - - - ### Parameters - - There are no parameters for this action. - - - ### Flow Description - - 1. **Configuration Retrieval**: The action fetches the integration configuration, - including API Root, credentials, and Domain ID. - - 2. **Authentication**: The `NsmManager` is initialized, which automatically attempts - to authenticate with the NSM API to retrieve a session token via a GET request - to the session endpoint. - - 3. **Session Termination**: The action explicitly calls the `logout` method to - close the established session using a DELETE request. - - 4. **Result Reporting**: If the authentication and logout cycle completes without - error, the action reports a successful connection. + ai_description: "### General Description\nThe **Ping** action is a diagnostic utility\ + \ designed to verify the connectivity between Google SecOps and the McAfee Network\ + \ Security Manager (NSM) instance. Its primary purpose is to ensure that the integration's\ + \ configuration parameters\u2014such as the API Root, credentials, and Domain\ + \ ID\u2014are correct and that the NSM service is reachable over the network.\n\ + \n### Parameters Description\nThis action does not require any additional input\ + \ parameters. It relies entirely on the global integration configuration.\n\n\ + ### Flow Description\n1. **Configuration Retrieval**: The action fetches the integration's\ + \ configuration, including the API Root, Username, Password, and Domain ID.\n\ + 2. **Authentication**: It initializes the `NsmManager`, which triggers a login\ + \ request to the NSM `session` endpoint to obtain an authentication token.\n3.\ + \ **Session Termination**: Immediately after a successful login, the action calls\ + \ the `logout` method to close the session on the NSM server.\n4. **Result Reporting**:\ + \ If the login and logout sequence completes without exceptions, the action ends\ + \ with a success message: \"Connection Established.\"\n\n### Additional Notes\n\ + * This action is strictly for connectivity testing and does not perform any security\ + \ operations or data retrieval.\n* As per standard conventions, this action is\ + \ not classified as an enrichment action." capabilities: can_create_case_comments: false can_create_insight: false @@ -297,56 +334,56 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Quarantine IP: ai_description: >- ### General Description - Quarantines specific IP address entities on McAfee Network Security Manager (NSM) - sensors. This action is used for containment by isolating a potentially malicious - host from the network. The quarantine is applied with a duration of 'Until Explicitly - Released', meaning the isolation persists until a manual or automated release - action is triggered. - - - ### Parameters Description - - | Parameter Name | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | No Action Parameters | N/A | N/A | This action does not require specific input - parameters. It relies on the integration's global configuration for sensor lists - and credentials. | - - - ### Additional Notes - - * This action requires the **Sensors Names List Comma Separated** to be correctly - configured in the McAfee NSM integration settings. The action will attempt to - apply the quarantine on every sensor listed in that configuration. - - * The quarantine duration is hardcoded to `UNTIL_EXPLICITLY_RELEASED`. - - - ### Flow Description - - 1. **Initialization**: Connects to the McAfee NSM instance using credentials and - domain information from the integration configuration. - - 2. **Entity Filtering**: Identifies all `ADDRESS` (IP) entities provided in the - current context. - - 3. **Sensor Resolution**: For each configured sensor name, the action retrieves - the corresponding internal Sensor ID from NSM. - - 4. **Quarantine Execution**: Sends a POST request to the NSM API for each IP entity - on every resolved sensor to initiate the quarantine process. - - 5. **Result Tracking**: Tracks which IP addresses were successfully quarantined - across the sensors. - - 6. **Completion**: Logs out of the NSM session and returns a summary message of - the quarantined identifiers. + The **Quarantine IP** action is designed to isolate specific IP addresses across + one or more McAfee Network Security Manager (NSM) sensors. By communicating with + the NSM API, the action triggers a quarantine command that restricts the network + activity of the target host. This is a critical containment capability used during + security incidents to prevent lateral movement or data exfiltration from compromised + internal assets.\n\n### Parameters Description\n| Parameter | Type | Mandatory + | Description |\n| :--- | :--- | :--- | :--- |\n| None | N/A | N/A | This action + does not have any action-specific parameters. It uses the global integration configuration + for connection details and sensor selection. |\n\n### Additional Notes\n* The + quarantine duration is fixed to **'until released'**, meaning the isolation will + remain in effect until a manual release is performed or a corresponding release + action is executed.\n* The action specifically targets the sensors listed in the + integration's `Sensors Names List Comma Separated` configuration field.\n\n### + Flow Description\n1. **Establish Session**: The action authenticates with the + McAfee NSM API using the provided credentials.\n2. **Resolve Sensors**: It retrieves + the list of sensors from the integration configuration and fetches their corresponding + internal IDs from the NSM manager.\n3. **Filter Entities**: The action scans the + case for **IP Address** entities.\n4. **Execute Quarantine**: For each valid IP + address, it sends a POST request to the NSM API to quarantine the host on every + identified sensor.\n5. **Cleanup**: The action terminates the NSM session.\n6. + **Finalize**: It returns a success message listing the quarantined IP addresses. capabilities: can_create_case_comments: false can_create_insight: false @@ -355,8 +392,8 @@ Quarantine IP: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Quarantines the specified IP address on the configured McAfee NSM sensors, which - changes the network access state for that host in the external system. + Quarantines the specified IP address on the configured McAfee NSM sensors, changing + the network access state for that host. fetches_data: false internal_data_mutation_explanation: null categories: @@ -377,28 +414,52 @@ Quarantine IP: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: true + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Unblock IP: - ai_description: "### General Description\nUnblocks specific IP address entities\ - \ within McAfee Network Security Manager (NSM). This action identifies the firewall\ - \ rule objects associated with the target IP addresses, removes the IPs from those\ - \ rules (or deletes the rule object if it contains only that IP), and then triggers\ - \ a configuration deployment to the relevant sensors to apply the changes.\n\n\ - ### Parameters Description\nThere are no parameters for this action.\n\n### Additional\ - \ Notes\n* This action requires a pre-configured 'Siemplify Policy Name' and a\ - \ list of 'Sensors' in the integration settings to know where to apply the unblocking\ - \ logic.\n* The action performs a 'Deploy Changes' operation at the end of the\ - \ process to ensure the firewall updates are active on the physical or virtual\ - \ sensors.\n\n### Flow Description\n1. **Initialization**: Connects to the McAfee\ - \ NSM API using provided credentials and configuration.\n2. **Entity Filtering**:\ - \ Identifies all `ADDRESS` entities within the current action scope.\n3. **Rule\ - \ Identification**: For each IP address, it searches for the corresponding rule\ - \ object within the specified Siemplify policy in NSM.\n4. **IP Removal**: \n\ - \ * If the rule object contains multiple IPs, it removes only the target IP.\n\ - \ * If the rule object contains only the target IP, it removes the rule object\ - \ from the policy and deletes the object entirely.\n5. **Deployment**: Triggers\ - \ a configuration update (`deploy_changes`) for all sensors defined in the integration\ - \ configuration to finalize the unblocking.\n6. **Cleanup**: Logs out of the NSM\ - \ session and reports the list of successfully unblocked entities." + ai_description: "Unblocks IP address entities in McAfee Network Security Manager\ + \ (NSM). This action identifies the firewall rule objects associated with the\ + \ target IP addresses within a specific policy, removes the IP entries, and then\ + \ triggers a configuration deployment to the managed sensors to enforce the changes.\ + \ \n\n### Flow Description:\n1. **Initialization**: Connects to the McAfee NSM\ + \ instance using provided credentials and configuration (API Root, Domain ID,\ + \ Policy Name, and Sensor List).\n2. **Entity Filtering**: Identifies all IP Address\ + \ entities within the current context.\n3. **IP Release**: For each identified\ + \ IP, the action searches for the corresponding rule object in the NSM policy.\ + \ If found, it either removes the IP from the rule object or deletes the rule\ + \ object entirely if it contains no other addresses.\n4. **Deployment**: After\ + \ processing all entities, it initiates a 'Deploy Changes' command to push the\ + \ updated firewall configuration to the specified sensors.\n5. **Cleanup**: Logs\ + \ out of the NSM session.\n\n### Parameters Description:\n| Parameter Name | Description\ + \ | Type | Mandatory | \n| --- | --- | --- | --- |\n| None | This action does\ + \ not have any specific action parameters; it relies on the integration's global\ + \ configuration. | N/A | No |\n\n### Additional Notes:\n- This action requires\ + \ a pre-configured 'Siemplify Policy Name' and a list of 'Sensors Names' in the\ + \ integration settings to function correctly.\n- The action performs a state change\ + \ on the external firewall system." capabilities: can_create_case_comments: false can_create_insight: false @@ -407,9 +468,9 @@ Unblock IP: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Removes IP addresses from firewall rule objects, deletes empty rule objects, - and updates sensor configurations to deploy changes in McAfee NSM. - fetches_data: true + Removes IP addresses from firewall rule objects and policies in McAfee NSM and + deploys these configuration changes to the network sensors. + fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false @@ -429,3 +490,28 @@ Unblock IP: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: true + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/google/mc_afee_nsm/resources/ai/integration_ai_description.yaml b/content/response_integrations/google/mc_afee_nsm/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..b927e7b41 --- /dev/null +++ b/content/response_integrations/google/mc_afee_nsm/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: true + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/google/micro_focus_itsma/resources/ai/actions_ai_description.yaml b/content/response_integrations/google/micro_focus_itsma/resources/ai/actions_ai_description.yaml index fb1935406..9911d383b 100644 --- a/content/response_integrations/google/micro_focus_itsma/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/google/micro_focus_itsma/resources/ai/actions_ai_description.yaml @@ -1,63 +1,56 @@ -# Copyright 2026 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - Create Incident: ai_description: >- - Creates a new incident in Micro Focus ITSMA. This action allows users to programmatically - generate incident tickets by providing key details such as the display label, - description, impact scope, urgency, and service ID. It interacts with the Micro - Focus ITSMA API via a POST request to create the record and returns the unique - incident ID upon success. + Creates a new incident in MicroFocus ITSMA. This action allows users to programmatically + generate incident records by providing key details such as the display label, + description, impact scope, urgency, and service category. It interacts with the + MicroFocus ITSMA API via a POST request and returns the unique identifier of the + newly created incident. - ### Parameters + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Initialization**: The action initializes the MicroFocus ITSMA manager using + the provided integration configuration (API Root, Credentials, Tenant ID, etc.). - | :--- | :--- | :--- | :--- | + 2. **Parameter Extraction**: It retrieves the mandatory input parameters: Display + Label, Description, Impact Scope, Urgency, and Service ID. - | Display Label | String | True | The display label or title of the incident. - | + 3. **API Interaction**: The action sends a POST request to the MicroFocus ITSMA + 'ces' endpoint with a payload containing the incident properties and external + system metadata. - | Description | String | True | The detailed description of the incident. | + 4. **Result Handling**: If successful, the action extracts the Incident ID from + the API response and returns it as the script result. - | Impact Scope | String | True | The impact scope of the incident (e.g., 'MultipleUsers'). - | - | Urgency | String | True | The urgency of the incident (e.g., 'SevereDisruption'). + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Display Label | string | True | The summary or title of the incident to be created. | - | Service ID | String | True | The ID of the category or service the incident - is registered for. | + | Description | string | True | A detailed description of the incident. | + | Impact Scope | string | True | The scope of the impact (e.g., MultipleUsers, + SingleUser). | - ### Flow Description + | Urgency | string | True | The urgency level of the incident (e.g., SevereDisruption). + | - 1. **Initialization**: Retrieve configuration and initialize the Micro Focus ITSMA - manager with API credentials and tenant information. + | Service ID | string | True | The ID representing the category or service the + incident is registered for. | - 2. **Parameter Extraction**: Extract incident details (Display Label, Description, - Impact Scope, Urgency, and Service ID) from the action parameters. - 3. **API Interaction**: Construct and send a POST request to the Micro Focus ITSMA - 'ces' endpoint with the incident payload. + ### Additional Notes - 4. **Response Processing**: Parse the API response to extract the unique ID of - the newly created incident. + - This action does not operate on entities; it relies entirely on the provided + input parameters. - 5. **Completion**: Return the incident ID and a success message to the Google - SecOps platform. + - The 'External System' and 'External ID' used in the payload are derived from + the integration's configuration settings. capabilities: can_create_case_comments: false can_create_insight: false @@ -66,7 +59,7 @@ Create Incident: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new incident record in the Micro Focus ITSMA platform. + Creates a new incident record in the MicroFocus ITSMA platform. fetches_data: false internal_data_mutation_explanation: null categories: @@ -86,38 +79,68 @@ Create Incident: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: true + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: ai_description: >- ### General Description - Tests the connectivity between Google SecOps and the Micro Focus ITSMA instance. - This action is used to verify that the integration configuration parameters, such - as API Root, Username, Password, and Tenant ID, are correctly configured and that - the external system is reachable. + The **Ping** action is a diagnostic tool designed to verify the connectivity between + the Google SecOps platform and the MicroFocus ITSMA instance. Its primary purpose + is to ensure that the integration configuration (such as API credentials and network + access) is correct and that the remote service is reachable. - ### Parameters + ### Parameters Description There are no parameters for this action. - ### Flow Description + ### Additional Notes - 1. **Configuration Retrieval**: The action retrieves the integration's global - configuration settings, including the API Root, credentials, and Tenant ID. + This action is typically used during the initial setup of the integration or for + troubleshooting connectivity issues. It does not interact with any entities or + modify any data. - 2. **Manager Initialization**: Initializes the `MicroFocusITSMAManager` using - the retrieved configuration. - 3. **Authentication Check**: Executes the `get_token` method, which sends a POST - request to the Micro Focus ITSMA authentication endpoint to retrieve a session - token. + ### Flow Description - 4. **Connection Validation**: Evaluates whether a token was successfully returned - by the external service. + 1. **Configuration Retrieval**: The action starts by fetching the integration's + configuration settings, including the API Root, Username, Password, and Tenant + ID. - 5. **Action Completion**: Reports 'Connection Established' if the token retrieval - was successful, or 'Connection Failed' otherwise. + 2. **Manager Initialization**: It initializes the `MicroFocusITSMAManager` with + the retrieved settings. + + 3. **Authentication Attempt**: The action calls the `get_token` method, which + performs a POST request to the MicroFocus ITSMA authentication endpoint. + + 4. **Result Evaluation**: If the authentication is successful and a token is returned, + the action reports a successful connection. Otherwise, it reports a connection + failure. capabilities: can_create_case_comments: false can_create_insight: false @@ -126,7 +149,7 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false @@ -145,62 +168,88 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Update Incident: ai_description: >- - Updates an existing incident in MicroFocus ITSMA. This action allows users to - modify specific attributes of a ticket, such as its title, description, impact, - urgency, and associated service ID. It interacts with the ITSMA API via a POST - request to apply the changes to the specified incident ID. + ### General Description + Updates an existing incident in MicroFocus ITSMA. This action allows for the modification + of various incident attributes such as the display label, description, impact + scope, urgency, and service ID based on the provided Incident ID. - ### Parameters + + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Incident ID | String | Yes | The unique identifier of the incident to be updated. + | Incident ID | string | True | The unique identifier of the incident to be updated. | - | Display Label | String | No | The updated display label (title) of the incident. + | Display Label | string | False | The updated display label (title) of the incident. | - | Description | String | No | The updated description text for the incident. | + | Description | string | False | The updated detailed description of the incident. + | - | Impact Scope | String | No | The updated impact score/scope of the incident. + | Impact Scope | string | False | The updated impact score/scope of the incident. | - | Urgency | String | No | The updated urgency level of the incident. | + | Urgency | string | False | The updated urgency level of the incident. | - | Service ID | String | No | The updated ID of the category or service associated + | Service ID | string | False | The updated ID of the category or service associated with the incident. | ### Additional Notes - - At least one optional parameter should be provided alongside the mandatory 'Incident - ID' for the action to perform a meaningful update. - - - The action uses the 'External System' and 'External ID' configured in the integration - settings to identify the source of the update. + At least one optional parameter (Display Label, Description, Impact Scope, Urgency, + or Service ID) should be provided alongside the mandatory Incident ID for the + update to have an effect. ### Flow Description - 1. **Authentication**: Connects to the MicroFocus ITSMA instance using the provided - credentials and Tenant ID to obtain a session token. + 1. **Initialization**: The action initializes the MicroFocus ITSMA manager using + the provided integration configuration (API Root, Credentials, Tenant ID, etc.). - 2. **Parameter Retrieval**: Collects the mandatory Incident ID and any optional - update fields (Display Label, Description, etc.) from the action input. + 2. **Parameter Retrieval**: The action retrieves the Incident ID and the optional + update fields from the user input. - 3. **Payload Construction**: Builds a JSON payload containing the incident ID - and the specific properties that need to be updated. + 3. **API Interaction**: The action calls the `update_incident` method in the manager, + which constructs a JSON payload and sends a POST request to the MicroFocus ITSMA + API. - 4. **API Interaction**: Sends a POST request to the ITSMA 'ces' endpoint to apply - the updates. + 4. **Result Processing**: If the API call is successful, the action identifies + which parameters were updated and constructs a success message. - 5. **Result Handling**: Validates the API response and returns a success message - listing the parameters that were successfully updated. + 5. **Completion**: The action ends, returning the success status and the summary + message to the Google SecOps platform. capabilities: can_create_case_comments: false can_create_insight: false @@ -209,9 +258,8 @@ Update Incident: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the properties of an existing incident record in the MicroFocus ITSMA - platform, including fields like Display Label, Description, Impact Scope, Urgency, - and Service ID. + Updates the properties (e.g., description, urgency, impact) of an existing incident + record within the MicroFocus ITSMA platform. fetches_data: false internal_data_mutation_explanation: null categories: @@ -231,45 +279,67 @@ Update Incident: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: true Update Incident External Status: ai_description: >- - ### General Description + Updates the external status of a specific incident in Micro Focus ITSMA. This + action allows analysts to synchronize the status of an incident between Google + SecOps and the Micro Focus ITSMA platform by providing the incident's unique identifier + and the desired status value. - Updates the external status of a specific incident within the Micro Focus ITSMA - platform. This action is designed to synchronize incident states between Google - SecOps and the external ITSM system by modifying the 'ExternalStatus' property - of a target ticket. + ### Flow Description - ### Parameters Description - - | Parameter | Description | Type | Mandatory | + 1. **Initialization**: The action initializes the Micro Focus ITSMA manager using + the provided integration configuration (API Root, credentials, Tenant ID, etc.). - | :--- | :--- | :--- | :--- | + 2. **Parameter Retrieval**: It retrieves the mandatory 'Incident ID' and 'Status' + parameters from the action input. - | Incident ID | The unique identifier of the incident in Micro Focus ITSMA that - needs to be updated. | String | Yes | + 3. **API Interaction**: The action constructs a payload containing the incident + ID and the new external status, then sends a POST request to the Micro Focus ITSMA + API endpoint. - | Status | The new external status value to be assigned to the incident (e.g., - 'Pending Vendor', 'Resolved'). | String | Yes | + 4. **Outcome Reporting**: Based on the API response, the action returns a success + message indicating the incident was updated or a failure message if no ticket + was modified. - ### Flow Description + ### Parameters Description - 1. **Initialization**: The action initializes the Micro Focus ITSMA manager using - the integration's configuration settings, including API Root, credentials, and - Tenant ID. + | Parameter Name | Type | Mandatory | Description | - 2. **Parameter Retrieval**: It retrieves the `Incident ID` and the target `Status` - from the action's input parameters. + | :--- | :--- | :--- | :--- | - 3. **API Request**: The action constructs a payload targeting the specific incident - ID and updates its external status properties. It then sends a POST request to - the Micro Focus ITSMA 'ces' (Common Entity Service) endpoint. + | Incident ID | string | True | The unique identifier of the incident in Micro + Focus ITSMA that needs to be updated. | - 4. **Completion**: Upon a successful response from the API, the action returns - a success message confirming the status change. If the update fails or no ticket - is found, it reports the failure accordingly. + | Status | string | True | The new external status value to be applied to the + incident. | capabilities: can_create_case_comments: false can_create_insight: false @@ -278,8 +348,8 @@ Update Incident External Status: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the 'ExternalStatus' property of a specific incident in the Micro Focus - ITSMA system via a POST request to the entity service endpoint. + Updates the 'ExternalStatus' property of an incident record within the Micro + Focus ITSMA platform via a POST request. fetches_data: false internal_data_mutation_explanation: null categories: @@ -299,3 +369,28 @@ Update Incident External Status: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: true diff --git a/content/response_integrations/google/micro_focus_itsma/resources/ai/integration_ai_description.yaml b/content/response_integrations/google/micro_focus_itsma/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..faf1e267b --- /dev/null +++ b/content/response_integrations/google/micro_focus_itsma/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: true + network_security: false + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/google/mobile_iron/resources/ai/actions_ai_description.yaml b/content/response_integrations/google/mobile_iron/resources/ai/actions_ai_description.yaml index 156dcf62a..cb2931433 100644 --- a/content/response_integrations/google/mobile_iron/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/google/mobile_iron/resources/ai/actions_ai_description.yaml @@ -1,25 +1,12 @@ -# Copyright 2026 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - Fetch System Information: ai_description: >- ### General Description - The **Fetch System Information** action retrieves detailed device metadata from - MobileIron for a given IP address. It is primarily used to gain visibility into - the state, ownership, and configuration of mobile devices or endpoints managed - by MobileIron. + The **Fetch System Information** action retrieves detailed technical and ownership + metadata for mobile devices managed by MobileIron, using the device's IP address + as the primary identifier. This action is primarily used for asset enrichment + during investigations to correlate network activity with specific managed devices + and users. ### Parameters Description @@ -28,45 +15,49 @@ Fetch System Information: | :--- | :--- | :--- | :--- | - | Fields To Fetch | String | No | A comma-separated list of specific MobileIron - fields to retrieve (e.g., `ios.DeviceName,user.email_address`). If left empty, - the action fetches a comprehensive default set of fields including OS version, - battery level, and compliance status. | + | **Fields To Fetch** | String | No | A comma-separated list of specific MobileIron + fields to retrieve (e.g., `ios.DeviceName,user.display_name,user.email_address`). + If left empty, the action retrieves a comprehensive set of default fields including + OS version, IMEI, and compliance status. | - ### Flow Description + ### Additional Notes - 1. **Entity Filtering**: The action identifies all `ADDRESS` entities within the - current context. + - The action specifically targets **ADDRESS** (IP Address) entities. - 2. **API Query**: For each IP address, it queries the MobileIron API (`/api/v2/devices`) - using a filter for the `common.ip_address` field. + - If multiple devices are associated with the same IP (though rare in managed + environments), the action typically returns the first match found in the MobileIron + registry. - 3. **Data Extraction**: It extracts the device information, applying the field - filters specified in the "Fields To Fetch" parameter. + - The results are presented as an entity-linked data table within the Google SecOps + case wall. - 4. **Enrichment**: The retrieved data is flattened and attached to the entity - as a data table for analyst review. + ### Flow Description - ### Additional Notes + 1. **Entity Filtering:** The action identifies all IP Address entities within + the current context. - - This action requires the MobileIron integration to be configured with valid - API credentials and Root URL. + 2. **API Query:** For each IP address, it queries the MobileIron API (`api/v2/devices`) + using a search filter for the `common.ip_address` field. - - If multiple devices share the same IP, the action retrieves the first match. + 3. **Data Retrieval:** It requests either the user-specified fields or a predefined + set of default system and user attributes. + + 4. **Internal Enrichment:** The retrieved device information is flattened and + attached to the corresponding entity as a data table for analyst review. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false can_mutate_internal_data: true - can_update_entities: true + can_update_entities: false external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Adds a data table to the IP address entity containing system information retrieved - from MobileIron. + The action adds a data table to the entity within the Google SecOps platform + containing the retrieved device information. categories: enrichment: true entity_usage: @@ -85,52 +76,65 @@ Fetch System Information: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Fetch System Information By UUID: ai_description: >- - ### General Description - - The **Fetch System Information By UUID** action retrieves detailed system and - hardware information for a specific mobile device managed by MobileIron. It uses - the device's unique identifier (UUID) to query the MobileIron API and returns - a comprehensive set of data points, including battery levels, OS versions, compliance - status, and network identifiers. + Fetches detailed system information for a specific mobile device using its Unique + Universal Identifier (UUID) via the MobileIron API. This action is used to retrieve + technical metadata about a device, such as OS version, model, and ownership details, + which is then presented in a structured data table within the case. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Device UUID | String | Yes | The unique identifier (UUID) of the target mobile - device in the MobileIron system. | - - - ### Additional Notes - - * This action does not automatically iterate over entities in the Google SecOps - case. It relies strictly on the provided `Device UUID` parameter. - - * The action is useful for deep-dive investigations into a specific mobile asset - once its UUID has been identified by other discovery actions. + | Device UUID | string | Yes | The unique identifier (UUID) of the target device + in the MobileIron system. | ### Flow Description - 1. **Initialization**: The action initializes the MobileIron manager using the - integration's configuration settings (API Root, credentials, and SSL preferences). + 1. **Parameter Extraction:** The action retrieves the mandatory `Device UUID` + from the user input. - 2. **Parameter Retrieval**: It extracts the `Device UUID` from the action input - parameters. + 2. **API Initialization:** It initializes the MobileIron manager using the integration's + configuration settings (API Root, credentials, etc.). - 3. **Data Retrieval**: The action calls the MobileIron API's device details endpoint - specifically for the provided UUID. + 3. **Data Retrieval:** The action performs a GET request to the MobileIron API + endpoint `api/v2/devices/{device_uuid}/details` to fetch the system information. - 4. **Data Processing**: If information is found, the manager reformats the raw - key-value pairs into a structured dictionary. + 4. **Data Transformation:** If data is found, the raw response is processed and + rearranged into a key-value format suitable for display. - 5. **Output**: The processed system information is added to the action results - as a data table, and the action completes successfully. + 5. **Output Generation:** The formatted data is added to the action's results + as an entity table, and the action completes successfully. capabilities: can_create_case_comments: false can_create_insight: false @@ -142,7 +146,7 @@ Fetch System Information By UUID: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: entity_types: [] filters_by_additional_properties: false @@ -158,14 +162,39 @@ Fetch System Information By UUID: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false List Devices: ai_description: >- ### General Description Retrieves a comprehensive list of all devices managed within the MobileIron system. - This action is primarily used for administrative overview and asset discovery, - allowing users to specify exactly which data points (fields) should be returned - for each device. + This action provides visibility into the mobile asset inventory, allowing analysts + to see device metadata, ownership, and compliance status. The results are presented + as a data table within the case and as a raw JSON object for further processing. ### Parameters Description @@ -174,34 +203,34 @@ List Devices: | :--- | :--- | :--- | :--- | - | Fields To Fetch | String | No | A comma-separated string of specific device - fields to retrieve (e.g., `ios.DeviceName,user.display_name,user.email_address`). - If left empty, the integration uses a predefined set of default fields including - hardware identifiers, status, and user information. | + | Fields To Fetch | String | No | A comma-separated list of specific device attributes + to retrieve (e.g., `ios.DeviceName,user.display_name,user.email_address`). If + left empty, the action retrieves a default set of common fields including UUID, + IMEI, IP address, and OS version. | - ### Additional Notes + ### Flow Description - - This action does not target specific entities in the case; it performs a global - fetch of devices from the MobileIron instance. + 1. **Initialization**: The action initializes the MobileIron manager using the + integration's configuration settings (API Root, Credentials, SSL settings). - - The results are presented both as a formatted data table for human review and - as a raw JSON object for downstream automation. + 2. **Parameter Processing**: It retrieves the optional 'Fields To Fetch' parameter + to define the scope of data returned for each device. + 3. **API Request**: The action executes a GET request to the MobileIron `/api/v2/devices` + endpoint. - ### Flow Description + 4. **Data Transformation**: The retrieved device list is flattened into a simplified + structure and converted into a CSV format. - 1. **Authentication**: Connects to the MobileIron API using the configured API - Root, Username, and Password. + 5. **Result Reporting**: The action adds a data table named 'Devices' to the SOAR + case and returns the full device list as a JSON result. - 2. **Data Retrieval**: Executes a GET request to the `/api/v2/devices` endpoint, - passing the `Fields To Fetch` parameter to filter the returned attributes. - 3. **Data Processing**: Flattens the resulting JSON structures into a tabular - format. + ### Additional Notes - 4. **Output Generation**: Constructs a CSV-formatted data table named "Devices" - and attaches it to the action results in Google SecOps. + This action does not target specific entities within the case; it fetches the + global list of devices from the MobileIron environment. capabilities: can_create_case_comments: false can_create_insight: false @@ -212,8 +241,8 @@ List Devices: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action adds a data table named 'Devices' to the action results, which is - stored within the Google SecOps case data. + Adds a data table containing the list of retrieved devices to the Google SecOps + case. categories: enrichment: false entity_usage: @@ -231,69 +260,61 @@ List Devices: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: ai_description: >- ### General Description The **Ping** action is a diagnostic tool used to verify the connectivity between - Google SecOps and a MobileIron instance. It ensures that the provided credentials - (Username and Password) and the API Root URL are correct and that the MobileIron - service is reachable over the network. + Google SecOps and the MobileIron instance. It ensures that the provided configuration + parameters (API Root, Credentials, etc.) are correct and that the MobileIron API + is reachable. ### Parameters Description - This action does not have any input parameters. It relies entirely on the integration's - configuration settings: - - - | Parameter Name | Description | Type | Mandatory | Notes | - - | :--- | :--- | :--- | :--- | :--- | - - | API Root | The base URL of the MobileIron instance. | String | Yes | Used to - construct the API endpoint. | - - | Username | The API username for authentication. | String | Yes | Used for Basic - Auth. | - - | Password | The API password for authentication. | String | Yes | Used for Basic - Auth. | - - | Admin Device ID | The device space ID of the administrator. | Integer | No | - Defaults to 1 if not provided. | - - | Cloud Instance | Whether the instance is a cloud-based MobileIron instance. - | Boolean | No | If true, appends 'rest/' to the API root. | - - | Verify SSL | Whether to verify the SSL certificate of the connection. | Boolean - | No | Defaults to false. | - - - ### Additional Notes - - - This action is typically used during the initial setup of the integration or - for troubleshooting communication issues. - - - It performs a simple GET request to the `api/V2/ping` endpoint. + There are no parameters for this action. ### Flow Description - 1. **Configuration Retrieval:** The action fetches the integration configuration, - including the API Root, credentials, and connection settings. + 1. **Configuration Retrieval**: The action retrieves the integration configuration, + including the API Root, Username, Password, and SSL settings. - 2. **Manager Initialization:** It initializes the `MobileIronManager` with the - retrieved settings, handling URL formatting for cloud or on-premise instances. + 2. **Manager Initialization**: It initializes the `MobileIronManager` with the + retrieved settings. - 3. **Connectivity Test:** The action calls the `ping()` method of the manager, - which sends a GET request to the MobileIron ping API. + 3. **Connectivity Test**: The action calls the `ping` method in the manager, which + sends a GET request to the MobileIron ping endpoint (`api/V2/ping`). - 4. **Response Validation:** The manager validates the HTTP response. If the status - code is successful, it returns `True`. + 4. **Validation**: It validates the HTTP response from the server. - 5. **Final Result:** The action ends by providing a success message ("Connection - Established.") or a failure message based on the API response. + 5. **Final Result**: If the request is successful, it returns a 'Connection Established' + message; otherwise, it reports a failure. capabilities: can_create_case_comments: false can_create_insight: false @@ -321,42 +342,73 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Unlock Device: ai_description: >- ### General Description - Unlocks a mobile device managed by MobileIron using its IP address. This action - is primarily used to restore user access to a device after a security lock has - been applied or as part of a remediation workflow. + The **Unlock Device** action allows analysts to remotely unlock a mobile device + managed by MobileIron using its IP address. This action is primarily used during + incident response to restore access to a device or to facilitate forensic investigation + on a locked endpoint. - ### Parameters + ### Parameters Description - There are no specific action parameters required for this action. It relies on - the global integration configuration (API Root, Username, Password, etc.) and - the IP address entities provided in the context. + | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Flow Description + | N/A | N/A | N/A | This action does not have any input parameters. It relies + on the IP address entities provided in the context and the integration's global + configuration. | - 1. **Entity Filtering**: The action identifies all IP Address (ADDRESS) entities - within the current alert or case context. - 2. **Device Resolution**: For each identified IP address, the action queries the - MobileIron API to find a matching device and retrieve its unique identifier (UUID). + ### Additional Notes - 3. **Unlock Command**: Once the UUID is obtained, the action sends a POST request - to the MobileIron 'action' endpoint with the `UNLOCK_DEVICE_ONLY` command type. + This action requires the MobileIron integration to be properly configured with + an API Root, Username, Password, and Admin Device ID. It specifically targets + entities of type **ADDRESS** (IP Address). - 4. **Execution Reporting**: The action logs the outcome of the unlock attempt - for each entity and provides a summary message to the user. + ### Flow Description - ### Additional Notes + 1. **Entity Filtering**: The action identifies all entities of type `ADDRESS` + within the current SOAR context. + + 2. **Device Identification**: For each identified IP address, the action queries + the MobileIron API to find the corresponding unique Device UUID. + + 3. **Unlock Command**: Once the UUID is retrieved, the action sends a POST request + to the MobileIron `Action` endpoint with the `UNLOCK_DEVICE_ONLY` command to trigger + the physical unlocking of the device. - This action requires the MobileIron 'Cloud Instance' and 'Admin Device ID' settings - to be correctly configured in the integration parameters to resolve device information - accurately. + 4. **Result Reporting**: The action logs the outcome of the operation and reports + whether the unlock command was successfully dispatched for the processed entities. capabilities: can_create_case_comments: false can_create_insight: false @@ -365,8 +417,8 @@ Unlock Device: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Sends a POST request to the MobileIron API to trigger a remote 'Unlock' command - on the physical mobile device associated with the target IP address. + Sends a POST request to the MobileIron API to execute the 'UNLOCK_DEVICE_ONLY' + action, which changes the lock state of the physical mobile device. fetches_data: true internal_data_mutation_explanation: null categories: @@ -387,44 +439,61 @@ Unlock Device: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: true + update_alert: false + update_email: false + update_identity: false + update_ticket: false Unlock Device by UUID: ai_description: >- - ### General Description - - Unlocks a mobile device managed by MobileIron using its unique Universal Unique - Identifier (UUID). This action is designed to remotely trigger an unlock command - on a specific device, facilitating administrative access or troubleshooting for - managed mobile assets. + Unlocks a mobile device managed by MobileIron using its unique identifier (UUID). + This action sends a command to the MobileIron server to remove the lock screen + or restriction on the specified device, allowing the user to regain access. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Device UUID | String | Yes | The unique identifier (UUID) of the target device - to be unlocked. This value is used to target the specific device in the MobileIron - inventory. | + | Device UUID | String | Yes | The unique identifier (UUID) of the target mobile + device to be unlocked. | ### Flow Description - 1. **Initialization**: The action initializes the MobileIron manager using the - integration's configuration settings (API Root, Credentials, etc.). - - 2. **Parameter Extraction**: The action retrieves the mandatory `Device UUID` - from the input parameters. + 1. **Initialization**: Retrieves connection settings (API Root, Credentials, SSL + settings) from the MobileIron integration configuration. - 3. **Validation**: It checks if the `Device UUID` is provided; if not, it raises - an exception. + 2. **Parameter Extraction**: Retrieves the mandatory `Device UUID` from the action + input. - 4. **API Interaction**: The action calls the `unlock_device_by_uuid` method in - the manager, which sends a POST request to the MobileIron API (`api/v2/devices/action`) - with the `actionType` set to `UNLOCK_DEVICE_ONLY`. + 3. **Execution**: Calls the MobileIron API's action endpoint with the `UNLOCK_DEVICE_ONLY` + command specifically for the provided UUID. - 5. **Completion**: Upon a successful API response, the action concludes with a - success message indicating the unlock command was sent for the specified UUID. + 4. **Completion**: Validates the API response and terminates the action with a + success message if the command was successfully issued. capabilities: can_create_case_comments: false can_create_insight: false @@ -433,8 +502,8 @@ Unlock Device by UUID: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Triggers a remote 'UNLOCK_DEVICE_ONLY' command on the target mobile device via - the MobileIron platform, changing the device's lock state. + Sends a command to the MobileIron platform to unlock a physical mobile device, + which changes the device's security state from locked to unlocked. fetches_data: false internal_data_mutation_explanation: null categories: @@ -454,3 +523,28 @@ Unlock Device by UUID: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/google/mobile_iron/resources/ai/integration_ai_description.yaml b/content/response_integrations/google/mobile_iron/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..b88dc4ab4 --- /dev/null +++ b/content/response_integrations/google/mobile_iron/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: true + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/google/portnox/resources/ai/actions_ai_description.yaml b/content/response_integrations/google/portnox/resources/ai/actions_ai_description.yaml index fc922a76d..c7be1d448 100644 --- a/content/response_integrations/google/portnox/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/google/portnox/resources/ai/actions_ai_description.yaml @@ -1,39 +1,45 @@ -# Copyright 2026 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - Enrich Device: - ai_description: "### General Description\nEnriches IP Address and MacAddress entities\ - \ with comprehensive device information retrieved from Portnox. This action helps\ - \ analysts gain visibility into device details such as security status, location,\ - \ and history directly within the Google SecOps platform by mapping Portnox device\ - \ data to entity attributes.\n\n### Parameters Description\nThere are no parameters\ - \ for this action.\n\n### Flow Description\n1. **Initialization**: The action\ - \ establishes a connection to the Portnox API using the integration's configuration\ - \ (API Root, Username, Password, and SSL verification settings).\n2. **Entity\ - \ Processing**: The action iterates through the target entities provided in the\ - \ context.\n3. **Device Search**: \n - For **IP Address** entities, it searches\ - \ Portnox for a device matching the IP.\n - For **MacAddress** entities, it\ - \ searches Portnox for a device matching the MAC address.\n4. **Data Transformation**:\ - \ If a device is found, the action flattens the resulting JSON data and adds a\ - \ 'Portnox' prefix to all keys to ensure clear data provenance.\n5. **Internal\ - \ Enrichment**: The action updates the entity's `additional_properties` with the\ - \ flattened device data and sets the `is_enriched` flag to `True`.\n6. **Final\ - \ Update**: The action commits the enriched data back to Google SecOps using the\ - \ `update_entities` method and provides a summary message of the enriched entities.\n\ - \n### Additional Notes\n- While the action uses a `POST` request to the `/devices`\ - \ endpoint for searching, this is a read-only query operation and does not modify\ - \ the state of the device in Portnox." + ai_description: >- + ### General Description + + Enriches IP Address and MAC Address entities with comprehensive device metadata + from Portnox. This action queries the Portnox API to retrieve details such as + security status, location, and hardware information for the specified network + identifiers. The retrieved data is then mapped to the entity's additional properties + within Google SecOps, providing analysts with immediate context regarding the + device's posture and identity. + + + ### Parameters Description + + There are no parameters for this action. + + + ### Additional Notes + + - The action uses a POST request to the `/devices` endpoint for searching, but + this is a read-only query operation and does not modify data in Portnox. + + - If multiple devices match a search query, the action selects the first result + returned by the API. + + + ### Flow Description + + 1. **Authentication**: Connects to the Portnox API using the configured API Root, + Username, and Password. + + 2. **Entity Filtering**: Identifies supported entities (IP Addresses and MAC Addresses) + from the target entities list. + + 3. **Data Retrieval**: For each supported entity, it executes a search query in + Portnox using the entity's identifier (IP or MAC address). + + 4. **Data Transformation**: If a device is found, the resulting JSON object is + flattened and prefixed with 'Portnox' to ensure clear attribution in the SOAR. + + 5. **Internal Update**: Updates the entity's additional properties with the enriched + data and marks the entity as 'enriched' within Google SecOps. capabilities: can_create_case_comments: false can_create_insight: false @@ -44,8 +50,8 @@ Enrich Device: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates the 'additional_properties' of the entities with device information - retrieved from Portnox and sets the 'is_enriched' flag to true. + Updates entity additional properties with Portnox device information and sets + the is_enriched flag to true. categories: enrichment: true entity_usage: @@ -65,14 +71,39 @@ Enrich Device: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Device History: ai_description: >- ### General Description - Retrieves historical authentication and connection data for devices associated - with IP or MAC address entities from Portnox. This action is used to understand - the historical context of a device's activity within the network over a specified - period. + The **Get Device History** action retrieves historical activity logs for network + devices managed by Portnox NAC. It allows analysts to see the connection and authentication + history of specific endpoints within a defined timeframe, providing context for + investigations involving potentially compromised or unauthorized devices. ### Parameters Description @@ -81,33 +112,36 @@ Get Device History: | :--- | :--- | :--- | :--- | - | Days Backwards | Integer | Yes | Specifies how many days into the past the action - should look to retrieve device history. Defaults to 1. | + | Days Backwards | String | Yes | Specifies the number of days prior to the current + time to fetch history for. For example, entering "1" retrieves history from the + last 24 hours. | - ### Flow Description + ### Additional Notes - 1. **Initialization**: Connects to the Portnox API using provided credentials. + - This action supports **IP Address** and **MAC Address** entities. - 2. **Timeframe Calculation**: Determines the start and end timestamps based on - the 'Days Backwards' parameter. + - The results are presented as a CSV-formatted table attached to the entity. - 3. **Device Lookup**: For each IP (ADDRESS) or MAC address entity, it searches - Portnox to find the corresponding internal device ID. - 4. **History Retrieval**: Fetches the detailed history for the identified device - within the calculated timeframe. + ### Flow Description - 5. **Data Presentation**: Converts the history data into a CSV format and attaches - it as a table to the specific entity in Google SecOps. + 1. **Time Range Calculation:** The action calculates the start and end timestamps + based on the `Days Backwards` parameter and the current UTC time. - 6. **Entity Update**: Marks the entities as updated/enriched in the system. + 2. **Entity Identification:** It filters the target entities to find IP Addresses + and MAC Addresses. + 3. **Device Search:** For each valid entity, it queries Portnox to find the internal + `deviceId` using a POST request to the search endpoint. - ### Additional Notes + 4. **History Retrieval:** Using the `deviceId`, it fetches the device's history + logs for the calculated time range via a GET request. + + 5. **Data Presentation:** If history is found, it is converted to a CSV format + and added as an entity-specific data table in Google SecOps. - - If no device is found for an entity, or no history exists for the timeframe, - the action will skip that entity and report the results at the end. + 6. **Entity Update:** The action updates the entities to indicate successful enrichment. capabilities: can_create_case_comments: false can_create_insight: false @@ -115,11 +149,11 @@ Get Device History: can_mutate_external_data: false can_mutate_internal_data: true can_update_entities: true - external_data_mutation_explanation: 'null' + external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity fields and adds a device history table to the entity in Google - SecOps. + The action updates the entities in Google SecOps to reflect that enrichment + (device history) was performed and adds data tables to the entities. categories: enrichment: true entity_usage: @@ -139,41 +173,75 @@ Get Device History: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Device Locations: ai_description: >- ### General Description - This action retrieves physical or network location information for devices associated - with IP Address or MAC Address entities from the Portnox NAC platform. It is used - to identify where a specific device is connected within the network infrastructure, - providing visibility into the device's current or last known location. + The **Get Device Locations** action retrieves physical or logical location information + for devices associated with IP Address or MAC Address entities from the Portnox + NAC platform. It helps analysts understand where a specific device is connected + within the network infrastructure by providing details such as switch names, ports, + or site locations. - ### Parameters + ### Parameters Description - There are no parameters for this action. + There are no user-configurable parameters for this action. It relies on the integration's + global configuration (API Root, Username, Password) and the entities present in + the current context. ### Flow Description - 1. **Entity Filtering**: The action iterates through the target entities in the - current context, specifically looking for entities of type `ADDRESS` (IP) or `MacAddress`. + 1. **Entity Identification**: The action iterates through the target entities + in the case, specifically looking for `ADDRESS` (IP) and `MACADDRESS` types. - 2. **Device Search**: For each supported entity, the action queries Portnox to - find a matching device record using the IP address or MAC address as the search - key. + 2. **Device Search**: For each supported entity, it queries Portnox to find a + matching device record using the IP or MAC address as the search key. - 3. **Location Retrieval**: If a device is found, the action uses the internal - Portnox device ID to fetch all associated location records. + 3. **Location Retrieval**: If a device is found, the action retrieves its current + location data from the Portnox API. - 4. **Data Sanitization**: The retrieved location data is processed to remove internal - technical details (like `portIds`) to ensure the output is clean and readable. + 4. **Data Sanitization**: The retrieved location data is cleaned by removing internal + or irrelevant fields (e.g., `portIds`). - 5. **Result Attachment**: The location data is formatted into a CSV table and - attached directly to the entity as an 'Entity Table' in the Google SecOps UI. + 5. **Enrichment**: The location details are formatted into a CSV table and attached + to the entity within Google SecOps. The entity is then updated to reflect the + enrichment. - 6. **Entity Update**: Successfully enriched entities are updated within the system - to reflect the new information. + + ### Additional Notes + + - This action is strictly read-only regarding the Portnox system; it does not + change device status or network access policies. + + - If no device is found for a specific entity, that entity is skipped without + failing the entire action. capabilities: can_create_case_comments: false can_create_insight: false @@ -184,8 +252,8 @@ Get Device Locations: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action updates entities in Google SecOps to mark them as enriched and attaches - a data table containing the retrieved location information to the entity's profile. + The action updates entity attributes and attaches data tables containing location + information to the entities within the Google SecOps case. categories: enrichment: true entity_usage: @@ -205,20 +273,45 @@ Get Device Locations: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Installed Applications: ai_description: >- ### General Description - The **Get Installed Applications** action retrieves a comprehensive list of all - software applications installed on a specific device managed by Portnox. This - action provides visibility into the software inventory of endpoints, which is - essential for security audits and compliance monitoring. It supports both IP Address - and MAC Address entities. + This action retrieves a comprehensive list of all installed applications on a + specific device by interfacing with Portnox. It is designed to provide security + analysts with visibility into the software inventory of endpoints identified by + their IP Address or MAC Address. The retrieved data is presented as a CSV table + attached to the entity within the Google SecOps platform. - ### Parameters + ### Parameters Description - | Parameter Name | Type | Mandatory | Description | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | @@ -227,42 +320,48 @@ Get Installed Applications: ### Additional Notes - - The action identifies devices in Portnox using either their IP Address or MAC - Address. + - The action relies on the Portnox integration configuration (API Root, Username, + Password) to authenticate. - - The retrieved application list is attached to the entity as a data table in - CSV format. + - It specifically targets entities of type **ADDRESS** (IP) and **MacAddress**. + + - If multiple devices match a search criterion in Portnox, the action processes + the first match returned by the API. ### Flow Description - 1. **Authentication**: Establishes a connection to the Portnox API using the configured - credentials. + 1. **Initialization**: The action initializes the Portnox manager using the provided + integration credentials. + + 2. **Entity Filtering**: It iterates through the target entities in the current + context, filtering for IP Addresses and MAC Addresses. - 2. **Entity Filtering**: Iterates through the target entities, focusing on IP - Address and MAC Address types. + 3. **Device Search**: For each valid entity, it performs a search in Portnox (using + the IP or MAC Address as the key) to find the unique device ID. - 3. **Device Search**: Queries Portnox to find a device record matching the entity's - identifier. + 4. **Data Retrieval**: Once a device is identified, the action calls the Portnox + API to fetch the list of installed applications associated with that device ID. - 4. **Inventory Retrieval**: If a match is found, the action fetches the list of - installed applications for that device. + 5. **Data Formatting**: The list of applications is converted into a CSV format. - 5. **Data Enrichment**: Formats the application list as a CSV and attaches it - to the entity as a data table. + 6. **Internal Update**: The CSV data is added as an entity-specific table in the + SOAR, and the entities are updated to reflect the enrichment process. - 6. **Entity Update**: Updates the entities within the Google SecOps case to include - the new information. + 7. **Completion**: The action concludes by providing a summary message of which + entities were successfully enriched. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: false + can_mutate_internal_data: true can_update_entities: true external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: null + internal_data_mutation_explanation: >- + The action updates entities in Google SecOps and adds data tables to them containing + the list of installed applications retrieved from Portnox. categories: enrichment: true entity_usage: @@ -282,53 +381,62 @@ Get Installed Applications: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Open Ports: ai_description: >- - ### General Description - - The **Get Open Ports** action retrieves a comprehensive list of open network ports - for a specific device managed by Portnox. It supports both IP Address and MAC - Address entities. By querying the Portnox NAC (Network Access Control) system, - security analysts can gain visibility into the services exposed on a device, which - is crucial for vulnerability assessment and incident response. - + Retrieves a list of all open ports for a specific device from the Portnox NAC + platform. This action supports IP Address and MAC Address entities. It first searches + for the device within Portnox to obtain its internal ID and then fetches the current + open port details. The results are presented as an entity-specific data table + within the case. - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | - - | N/A | N/A | N/A | This action does not require any input parameters. | - - - ### Additional Notes - - - The action uses the device's IP or MAC address to first locate the device ID - within Portnox before fetching the port details. - - - Results are presented as a CSV-formatted table attached to the entity. + ### Flow Description + 1. **Initialization**: Connects to the Portnox API using the provided credentials + and configuration. - ### Flow Description + 2. **Device Search**: For each IP Address or MAC Address entity, the action queries + Portnox to find a matching device record. - 1. **Initialization**: The action connects to the Portnox API using the configured - credentials and SSL settings. + 3. **Port Retrieval**: If a device is found, the action requests the list of open + ports associated with that device's ID. - 2. **Entity Filtering**: It identifies all `ADDRESS` (IP) and `MacAddress` entities - within the current context. + 4. **Data Presentation**: Converts the retrieved port data into a CSV format and + attaches it as an entity table to the specific entity in the case. - 3. **Device Lookup**: For each valid entity, it performs a search in Portnox to - retrieve the internal `deviceId`. + 5. **Entity Update**: Marks the entities as enriched and updates their status + within the Google SecOps platform. - 4. **Port Retrieval**: Using the `deviceId`, it fetches the list of open ports - from the Portnox details endpoint. - 5. **Enrichment**: If ports are found, it generates a CSV table and attaches it - to the entity in the SOAR UI. + ### Parameters Description - 6. **Final Update**: The action updates the entities in the case to reflect the - new information and provides a summary message. + There are no additional parameters for this action; it relies on the target entities + (IP Address or MAC Address) and the integration's global configuration. capabilities: can_create_case_comments: false can_create_insight: false @@ -339,8 +447,8 @@ Get Open Ports: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action updates entity records and attaches data tables to entities within - the Google SecOps platform. + The action updates the entities within the case to reflect that enrichment data + (open ports) has been successfully retrieved and attached. categories: enrichment: true entity_usage: @@ -360,50 +468,65 @@ Get Open Ports: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Services: ai_description: >- ### General Description - The **Get Services** action retrieves a list of all services running on a specific - device by querying the Portnox NAC platform. It supports both IP Address and MAC - Address entities. The results are attached to the entity as a data table for easy - review within the case. + Retrieves a list of all services running on a device associated with an IP Address + or MAC Address entity via Portnox. This action helps analysts understand the software + footprint and active services on a network asset by fetching real-time service + data from the Portnox NAC solution. ### Parameters Description - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | None | N/A | N/A | This action does not require any input parameters beyond - the entities themselves. | - - - ### Additional Notes - - This action is primarily used for host enrichment during an investigation to understand - the software profile of a connected device. + There are no parameters for this action. ### Flow Description - 1. **Connect to Portnox**: Initializes the connection using integration configuration. - - 2. **Identify Entities**: Iterates through the target entities, specifically looking - for IP Addresses and MAC Addresses. + 1. **Identify Entities**: The action iterates through the target entities in the + current context, specifically looking for IP Address (`ADDRESS`) and MAC Address + (`MacAddress`) types. - 3. **Search Device**: For each entity, it performs a search in Portnox to find - the corresponding device record. + 2. **Device Search**: For each valid entity, it queries the Portnox API to find + a matching device record using the IP or MAC address as the search key. - 4. **Fetch Services**: If a device is found, it retrieves the list of services - associated with that device. + 3. **Service Retrieval**: If a device is successfully identified, the action makes + a follow-up request to Portnox to retrieve the full list of services associated + with that specific device ID. - 5. **Enrich SOAR**: Converts the service list into a CSV format and adds it as - a data table to the entity. + 4. **Data Presentation**: The retrieved service list is converted into a CSV format + and attached to the entity as an 'Entity Table' for easy review within the Google + SecOps interface. - 6. **Update Entities**: Updates the entities in the SOAR to reflect the new enrichment - data. + 5. **Entity Update**: The action updates the entities in the platform to reflect + that enrichment has occurred. capabilities: can_create_case_comments: false can_create_insight: false @@ -414,8 +537,8 @@ Get Services: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Adds a data table containing service information to the entity and updates the - entity's status in the SOAR. + Updates the entity's enrichment status and attaches a data table containing + the list of services to the entity's profile. categories: enrichment: true entity_usage: @@ -435,58 +558,71 @@ Get Services: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get User History: ai_description: >- ### General Description - This action retrieves the user authentication history for specific devices from - Portnox. It targets entities of type IP Address or MAC Address, searches for the - corresponding device in the Portnox system, and fetches a detailed log of users - who have authenticated on that device. The results are presented as a CSV-formatted - data table attached to the entity within Google SecOps. + Retrieves the user authentication history for specific device entities from Portnox. + This action allows analysts to see which users have authenticated to a device + (identified by IP or MAC address) over time, providing critical context for investigations + involving shared assets or compromised credentials. ### Parameters Description - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | None | N/A | N/A | This action does not require any input parameters beyond - the integration configuration. | + There are no parameters for this action. ### Additional Notes - * The action relies on the integration's global configuration for API credentials - and connectivity. - - * If multiple devices match a search criteria in Portnox, the action defaults - to the first device returned by the API. + This action performs a two-step process: first, it searches for the device in + Portnox to obtain a internal device ID, and then it fetches the user history associated + with that ID. The results are attached directly to the entity as a data table. ### Flow Description - 1. **Initialization**: The action establishes a connection to the Portnox API - using the configured API Root, Username, and Password. - - 2. **Entity Filtering**: It iterates through the target entities, specifically - looking for `ADDRESS` (IP) and `MacAddress` types. + 1. **Identify Entities**: The action filters the target entities to find those + of type `ADDRESS` (IP) or `MacAddress`. - 3. **Device Search**: For each supported entity, it queries Portnox to find a - matching device ID based on the IP or MAC address. + 2. **Device Search**: For each valid entity, it queries the Portnox API to find + a matching device record. - 4. **History Retrieval**: If a device is found, the action calls the Portnox API - to fetch the `userHistory` for that specific device ID. + 3. **Fetch History**: If a device is found, the action retrieves its user authentication + history using the Portnox device ID. - 5. **Data Transformation**: The retrieved JSON history data is converted into - a CSV format. + 4. **Data Formatting**: The retrieved history is converted into a CSV format. - 6. **Internal Enrichment**: The CSV data is added as an entity-specific data table - in Google SecOps, and the entity is marked as updated. + 5. **Enrichment**: The CSV data is attached to the entity as a data table named + "[Identifier] - User History". - 7. **Completion**: The action returns a summary message listing all entities for - which authentication history was successfully retrieved. + 6. **Update**: The action updates the entities in Google SecOps to save the newly + attached data tables. capabilities: can_create_case_comments: false can_create_insight: false @@ -497,8 +633,8 @@ Get User History: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action updates entities in Google SecOps and attaches a data table containing - the retrieved authentication history to the entity's context. + Updates entities in Google SecOps and attaches data tables containing user authentication + history to the enriched entities. categories: enrichment: true entity_usage: @@ -518,44 +654,63 @@ Get User History: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: ai_description: >- ### General Description - Tests the connectivity between Google SecOps and the Portnox instance. This action - verifies that the provided credentials (Username, Password) and the API Root URL - are correct and that the service is reachable. It serves as a health check to - ensure the integration is properly configured and functional. + The **Ping** action is a diagnostic tool designed to verify the connectivity between + Google SecOps and the Portnox instance. It validates the integration configuration + by attempting to authenticate with the provided credentials (API Root, Username, + and Password) and checking the server's responsiveness. ### Parameters Description - There are no parameters for this action. - - - ### Additional Notes - - This action is typically used during the initial setup of the integration or for - troubleshooting connection issues. It does not interact with any entities or modify - any data. + There are no input parameters for this action. It relies entirely on the integration's + global configuration settings. ### Flow Description - 1. **Configuration Retrieval**: The action retrieves the API Root, Username, Password, - and SSL verification settings from the integration configuration. + 1. **Configuration Retrieval**: The action retrieves the API Root, Username, + Password, and SSL verification settings from the Portnox integration configuration. - 2. **Manager Initialization**: A `PortnoxManager` instance is initialized with - the retrieved configuration. + 2. **Manager Initialization**: It initializes the `PortnoxManager` with the retrieved + settings. - 3. **Connectivity Test**: The action calls the `test_conectivity` method, which - performs a GET request to the `/auth/user` endpoint of the Portnox API. + 3. **Connectivity Test**: The action calls the `test_connectivity` method, which + executes a GET request to the `/auth/user` endpoint of the Portnox API. - 4. **Response Validation**: The manager validates the API response to ensure successful - authentication and connectivity. + 4. **Response Validation**: The manager validates the HTTP response. If the request + is successful (HTTP 200), the connection is considered established. - 5. **Action Completion**: If the connection is successful, the action ends with - a success message and a result value of `true`. + 5. **Completion**: The action ends with a success message 'Connection Established' + and a result value of 'true'. capabilities: can_create_case_comments: false can_create_insight: false @@ -583,19 +738,44 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Revalidate Device: ai_description: >- ### General Description - Revalidates a device's policy within the Portnox Network Access Control (NAC) - system. This action is used to force a security posture check or policy re-evaluation - for a specific device managed by Portnox, ensuring it complies with current network - security requirements. + The **Revalidate Device** action triggers a policy revalidation for a specific + device within the Portnox Network Access Control (NAC) system. This is typically + used to force a device to undergo a fresh security posture check or authentication + cycle to ensure it complies with current network policies. ### Parameters Description - | Parameter | Type | Mandatory | Description | + | Parameter | Expected Type | Mandatory | Description | | :--- | :--- | :--- | :--- | @@ -603,28 +783,29 @@ Revalidate Device: needs to be revalidated. | - ### Additional Notes + ### Flow Description - This action does not run on SecOps entities automatically; it requires a specific - `DeviceId` provided as an input parameter. The action includes a polling mechanism - that waits for the external system to confirm the revalidation is complete before - finishing. + 1. **Initialization**: The action connects to the Portnox API using the provided + credentials and configuration. + 2. **Trigger Revalidation**: It sends a POST request to the Portnox endpoint to + initiate the revalidation process for the specified `DeviceId`. - ### Flow Description + 3. **Status Polling**: The action enters a polling loop, calling the device information + endpoint to monitor the `securityStatus` of the device. - 1. **Initialization**: Retrieves Portnox API credentials and the `DeviceId` from - the action parameters. + 4. **Completion**: It waits until the device status reaches 'AuthorizationPassed' + or a timeout occurs. Once the status is confirmed, the action completes with a + success message. - 2. **Trigger Revalidation**: Sends a POST request to the Portnox API to initiate - the revalidation process for the specified device. - 3. **Status Polling**: Enters a loop that periodically fetches the device's information - from Portnox to monitor its `securityStatus`. + ### Additional Notes + + - This action does not run on SOAR entities; it requires a specific `DeviceId` + provided as a parameter. - 4. **Completion**: The action concludes successfully once the device status changes - to 'AuthorizationPassed'. If the status does not update within the timeout period, - an error is raised. + - The action includes a built-in waiting mechanism to ensure the revalidation + process finishes before the action returns a result. capabilities: can_create_case_comments: false can_create_insight: false @@ -633,8 +814,8 @@ Revalidate Device: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Triggers a device policy revalidation process in Portnox NAC, which initiates - a state change/security check on the target device. + Triggers a device policy revalidation action on the Portnox NAC system, which + forces the device to undergo a new authentication or compliance check. fetches_data: true internal_data_mutation_explanation: null categories: @@ -654,41 +835,75 @@ Revalidate Device: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Revalidate Device By Address: ai_description: >- ### General Description - The **Revalidate Device By Address** action triggers a revalidation of the authentication - policy for devices connected to the Portnox NAC (Network Access Control) system. - It identifies devices using their IP address or MAC address and forces the system - to re-evaluate their security posture or authorization status. This is typically - used to ensure a device still complies with network policies after a change in - its behavior or environment. + The **Revalidate Device By Address** action forces a re-evaluation of the network + access control (NAC) policy for specific devices within the Portnox environment. + This action is used to ensure that a device is compliant with current organizational + security policies by triggering a fresh authentication and validation cycle. It + supports both IP address and MAC address entities. ### Parameters Description - There are no action-specific parameters for this action. It relies on the global - Portnox integration configuration (API Root, Username, Password, and SSL verification). + There are no parameters for this action. It operates directly on the entities + provided in the context. ### Flow Description - 1. **Entity Filtering**: The action iterates through the target entities in the - current scope, specifically looking for `ADDRESS` (IP) and `MacAddress` types. + 1. **Entity Identification**: The action iterates through the target entities, + specifically looking for `ADDRESS` (IP) and `MacAddress` types. - 2. **Device Search**: For each valid entity, it queries the Portnox API to find - a matching device record using the identifier. + 2. **Device Search**: For each identified entity, it queries the Portnox API to + find the corresponding device record using the IP or MAC address. - 3. **Trigger Revalidation**: If a device is found, the action sends a POST request - to Portnox to initiate the revalidation process for that specific device ID. + 3. **Trigger Revalidation**: If a matching device is found, the action sends a + request to Portnox to initiate a revalidation of that device's authentication + policy. + + 4. **Status Polling**: The action enters a wait state, polling the Portnox API + to monitor the device's security status until the revalidation process is confirmed + as complete (e.g., status becomes 'AuthorizationPassed'). + + 5. **Final Reporting**: The action concludes by listing all entities for which + the device revalidation was successfully triggered and verified. + + + ### Additional Notes - 4. **Status Polling**: The action then waits for the revalidation to complete - by polling the device's security status until it reaches the 'AuthorizationPassed' - state or times out. + - If no device is found for a given entity, that entity is skipped without affecting + the overall action execution. - 5. **Reporting**: Finally, it provides a summary message listing all entities - whose associated devices were successfully revalidated. + - The action includes a built-in timeout mechanism during the polling phase to + prevent the script from running indefinitely if the NAC system does not respond. capabilities: can_create_case_comments: false can_create_insight: false @@ -697,9 +912,8 @@ Revalidate Device By Address: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Triggers a revalidation action in Portnox NAC, which forces a device to undergo - authentication and authorization checks again, potentially changing its access - status on the network. + Triggers a revalidation of the authentication policy for the device in Portnox + NAC, which initiates a state change in the network access control system. fetches_data: true internal_data_mutation_explanation: null categories: @@ -721,3 +935,28 @@ Revalidate Device By Address: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/google/portnox/resources/ai/integration_ai_description.yaml b/content/response_integrations/google/portnox/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..4839c93dd --- /dev/null +++ b/content/response_integrations/google/portnox/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: true + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + siem: true + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/google/reversinglabs_a1000/resources/actions_ai_description.yaml b/content/response_integrations/google/reversinglabs_a1000/resources/actions_ai_description.yaml deleted file mode 100644 index 88240d4cf..000000000 --- a/content/response_integrations/google/reversinglabs_a1000/resources/actions_ai_description.yaml +++ /dev/null @@ -1,345 +0,0 @@ -# Copyright 2026 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -Delete Sample: - ai_description: >- - ### General Description - - The **Delete Sample** action allows security analysts to remove specific file - samples from a Reversinglabs A1000 appliance. This operation is destructive, as - it deletes the sample file itself along with all related metadata and extracted - data associated with that file hash on the appliance. - - - ### Parameters Description - - There are no user-configurable parameters for this action. It operates directly - on the entities provided in the context. - - - ### Flow Description - - 1. **Authentication**: The action initializes a connection to the Reversinglabs - A1000 appliance using the API Root, Username, and Password provided in the integration - configuration. - - 2. **Entity Filtering**: The script iterates through the target entities in the - current scope and identifies those of type `FILEHASH`. - - 3. **Deletion Request**: For each identified file hash, the action sends a `DELETE` - request to the A1000 API endpoint (`/api/samples/{hash}/`). - - 4. **Result Tracking**: The action monitors the API response. If the status code - is 200, the hash is added to a list of successfully deleted items. - - 5. **Final Output**: The action concludes by providing a summary message of the - deleted hashes and sets the action's result value to `True` if at least one deletion - was successful, or `False` otherwise. - - - ### Additional Notes - - * This action is irreversible. Once a sample is deleted from the A1000 appliance, - its analysis data cannot be recovered unless the file is re-uploaded. - - * The action converts all hash identifiers to lowercase before sending the request - to ensure compatibility with the A1000 API. - capabilities: - can_create_case_comments: false - can_create_insight: false - can_modify_alert_data: false - can_mutate_external_data: true - can_mutate_internal_data: false - can_update_entities: false - external_data_mutation_explanation: >- - Deletes file samples, extracted data, and associated metadata from the Reversinglabs - A1000 appliance via a DELETE API request. - fetches_data: false - internal_data_mutation_explanation: null - categories: - enrichment: false - entity_usage: - entity_types: - - FILEHASH - filters_by_additional_properties: false - filters_by_alert_identifier: false - filters_by_case_identifier: false - filters_by_creation_time: false - filters_by_entity_type: true - filters_by_identifier: false - filters_by_is_artifact: false - filters_by_is_enriched: false - filters_by_is_internal: false - filters_by_is_pivot: false - filters_by_is_suspicious: false - filters_by_is_vulnerable: false - filters_by_modification_time: false -Get Report: - ai_description: >- - ### General Description - - The **Get Report** action retrieves a comprehensive classification summary and - detailed analysis for file samples from a ReversingLabs A1000 Malware Analysis - appliance using their hash values. This action is designed to enrich file hash - entities with threat intelligence, providing critical data points such as threat - status, malware names, threat levels, and trust factors. - - - ### Parameters Description - - There are no parameters for this action. - - - ### Flow Description - - 1. **Entity Filtering**: The action iterates through all entities in the current - context and filters for those of type `FILEHASH`. - - 2. **API Authentication**: It initializes the ReversingLabs A1000 client using - the integration's configured API Root, Username, and Password to obtain an authorization - token. - - 3. **Data Retrieval**: The action sends a batch request to the A1000 `/api/samples/list/` - endpoint, passing the collected hash values and requesting specific fields including - `threat_status`, `threat_level`, `threat_name`, and `trust_factor`. - - 4. **Result Processing**: For each hash that returns a report, the action flattens - the dictionary and generates a dedicated data table on the case wall for that - specific hash. - - 5. **Output**: The action concludes by attaching the complete raw JSON response - to the execution results, allowing for further automated analysis or logic in - the playbook. - - - ### Additional Notes - - This action is strictly read-only regarding the external ReversingLabs system. - It queries existing reports and does not trigger new file uploads or analysis - tasks. - capabilities: - can_create_case_comments: false - can_create_insight: false - can_modify_alert_data: false - can_mutate_external_data: false - can_mutate_internal_data: true - can_update_entities: false - external_data_mutation_explanation: null - fetches_data: true - internal_data_mutation_explanation: >- - The action adds detailed classification data tables to the case wall for each - processed file hash and attaches the raw JSON results to the action output. - categories: - enrichment: true - entity_usage: - entity_types: - - FILEHASH - filters_by_additional_properties: false - filters_by_alert_identifier: false - filters_by_case_identifier: false - filters_by_creation_time: false - filters_by_entity_type: true - filters_by_identifier: false - filters_by_is_artifact: false - filters_by_is_enriched: false - filters_by_is_internal: false - filters_by_is_pivot: false - filters_by_is_suspicious: false - filters_by_is_vulnerable: false - filters_by_modification_time: false -Get Scan Status: - ai_description: "### General Description\nThe **Get Scan Status** action retrieves\ - \ the current processing status for a list of file hash entities from the ReversingLabs\ - \ A1000 Malware Analysis Appliance. This action is primarily used to check if\ - \ a previously submitted sample has finished analysis or to verify if the system\ - \ already has a record of the hash.\n\n### Parameters Description\nThere are no\ - \ parameters for this action.\n\n### Additional Notes\n* This action specifically\ - \ targets **FILEHASH** entities.\n* Although the underlying API call uses a POST\ - \ method, it is a read-only operation intended for batch status retrieval and\ - \ does not modify the state of the A1000 system.\n\n### Flow Description\n1. **Entity\ - \ Filtering:** The action identifies all `FILEHASH` entities within the current\ - \ alert context.\n2. **Data Collection:** It extracts the identifiers (hashes)\ - \ of these entities and converts them to lowercase for consistency.\n3. **API\ - \ Query:** The action sends a batch request to the ReversingLabs A1000 `api/samples/status/`\ - \ endpoint to fetch the processing status for all collected hashes.\n4. **Result\ - \ Processing:** \n * If statuses are found, it generates a mapping of hashes\ - \ to their respective statuses (e.g., 'processed').\n * It creates a data table\ - \ named \"Scan Status:\" to display these results in the case wall.\n * It\ - \ attaches the raw status data as a JSON result for use in downstream playbook\ - \ logic.\n5. **Completion:** The action concludes with a success message if data\ - \ was retrieved, or a failure message if the status could not be obtained." - capabilities: - can_create_case_comments: false - can_create_insight: false - can_modify_alert_data: false - can_mutate_external_data: false - can_mutate_internal_data: false - can_update_entities: false - external_data_mutation_explanation: null - fetches_data: true - internal_data_mutation_explanation: null - categories: - enrichment: true - entity_usage: - entity_types: - - FILEHASH - filters_by_additional_properties: false - filters_by_alert_identifier: false - filters_by_case_identifier: false - filters_by_creation_time: false - filters_by_entity_type: true - filters_by_identifier: false - filters_by_is_artifact: false - filters_by_is_enriched: false - filters_by_is_internal: false - filters_by_is_pivot: false - filters_by_is_suspicious: false - filters_by_is_vulnerable: false - filters_by_modification_time: false -Ping: - ai_description: >- - ### General Description - - The **Ping** action is a diagnostic tool used to verify the connectivity between - Google SecOps and the Reversinglabs A1000 Malware Analysis Appliance. Its primary - purpose is to ensure that the integration configuration (API Root, Username, and - Password) is valid and that the external service is reachable and responding to - requests. - - - ### Parameters Description - - There are no input parameters for this action. - - - ### Additional Notes - - This action performs a functional test by attempting to retrieve the processing - status of a hardcoded test hash. It does not interact with any entities present - in the current case or alert. - - - ### Flow Description - - 1. **Configuration Retrieval**: The action extracts the API Root, Username, and - Password from the integration's shared configuration. - - 2. **Authentication**: It initializes the A1000 client, which performs a POST - request to the `/api-token-auth/` endpoint to obtain an authorization token. - - 3. **Connectivity Validation**: The action calls the `test_connectivity` method, - which sends a POST request to the `/api/samples/status/` endpoint using a predefined - test hash. - - 4. **Completion**: If the API responds successfully, the action concludes with - a success message and a boolean result indicating connectivity. - capabilities: - can_create_case_comments: false - can_create_insight: false - can_modify_alert_data: false - can_mutate_external_data: false - can_mutate_internal_data: false - can_update_entities: false - external_data_mutation_explanation: null - fetches_data: false - internal_data_mutation_explanation: null - categories: - enrichment: false - entity_usage: - entity_types: [] - filters_by_additional_properties: false - filters_by_alert_identifier: false - filters_by_case_identifier: false - filters_by_creation_time: false - filters_by_entity_type: false - filters_by_identifier: false - filters_by_is_artifact: false - filters_by_is_enriched: false - filters_by_is_internal: false - filters_by_is_pivot: false - filters_by_is_suspicious: false - filters_by_is_vulnerable: false - filters_by_modification_time: false -Upload File: - ai_description: >- - ### General Description - - Uploads a file from a specified local path to the ReversingLabs A1000 appliance - for automated malware analysis. This action is used to submit samples that are - not yet present in the A1000 environment to retrieve detailed threat intelligence, - including classification, threat level, and trust factors. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | File Path | String | Yes | The full local path to the file on the system where - the agent is running that should be uploaded for analysis. | - - - ### Flow Description - - 1. **Authentication**: Connects to the ReversingLabs A1000 appliance using the - configured API credentials. - - 2. **File Upload**: Submits the file located at the provided 'File Path' to the - A1000 `/api/uploads/` endpoint. - - 3. **Processing Wait**: Enters a polling loop, checking the processing status - of the uploaded file's SHA1 hash until the status is marked as 'processed'. - - 4. **Report Retrieval**: Fetches the summary classification report for the file - once processing is complete. - - 5. **Data Output**: Formats the analysis results into a data table ('File Details:') - and attaches the full JSON response to the action results. - - - ### Additional Notes - - This action does not run on SecOps entities; it requires a direct file path as - input. It is a synchronous action that will wait (block) until the A1000 appliance - finishes analyzing the file. - capabilities: - can_create_case_comments: false - can_create_insight: false - can_modify_alert_data: false - can_mutate_external_data: true - can_mutate_internal_data: false - can_update_entities: false - external_data_mutation_explanation: >- - Uploads a new file sample to the ReversingLabs A1000 appliance, which creates - a new analysis record in the external system. - fetches_data: true - internal_data_mutation_explanation: null - categories: - enrichment: false - entity_usage: - entity_types: [] - filters_by_additional_properties: false - filters_by_alert_identifier: false - filters_by_case_identifier: false - filters_by_creation_time: false - filters_by_entity_type: false - filters_by_identifier: false - filters_by_is_artifact: false - filters_by_is_enriched: false - filters_by_is_internal: false - filters_by_is_pivot: false - filters_by_is_suspicious: false - filters_by_is_vulnerable: false - filters_by_modification_time: false diff --git a/content/response_integrations/google/reversinglabs_a1000/resources/ai/actions_ai_description.yaml b/content/response_integrations/google/reversinglabs_a1000/resources/ai/actions_ai_description.yaml index 88240d4cf..7da6b4b1d 100644 --- a/content/response_integrations/google/reversinglabs_a1000/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/google/reversinglabs_a1000/resources/ai/actions_ai_description.yaml @@ -1,60 +1,34 @@ -# Copyright 2026 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - Delete Sample: ai_description: >- ### General Description - The **Delete Sample** action allows security analysts to remove specific file - samples from a Reversinglabs A1000 appliance. This operation is destructive, as - it deletes the sample file itself along with all related metadata and extracted - data associated with that file hash on the appliance. + The **Delete Sample** action allows analysts to remove specific file samples and + all their associated metadata from a ReversingLabs A1000 appliance. This action + is primarily used for data management, privacy compliance, or clearing out unwanted + analysis data from the appliance. ### Parameters Description - There are no user-configurable parameters for this action. It operates directly - on the entities provided in the context. + There are no user-configurable parameters for this action. It automatically processes + all `FILEHASH` entities identified in the current context. ### Flow Description - 1. **Authentication**: The action initializes a connection to the Reversinglabs + 1. **Authentication**: The action establishes a connection to the ReversingLabs A1000 appliance using the API Root, Username, and Password provided in the integration configuration. - 2. **Entity Filtering**: The script iterates through the target entities in the - current scope and identifies those of type `FILEHASH`. + 2. **Entity Identification**: The script iterates through the target entities + in the SOAR case, specifically filtering for those of type `FILEHASH`. - 3. **Deletion Request**: For each identified file hash, the action sends a `DELETE` + 3. **Deletion Execution**: For each identified file hash, the action sends a `DELETE` request to the A1000 API endpoint (`/api/samples/{hash}/`). - 4. **Result Tracking**: The action monitors the API response. If the status code - is 200, the hash is added to a list of successfully deleted items. - - 5. **Final Output**: The action concludes by providing a summary message of the - deleted hashes and sets the action's result value to `True` if at least one deletion - was successful, or `False` otherwise. - - - ### Additional Notes - - * This action is irreversible. Once a sample is deleted from the A1000 appliance, - its analysis data cannot be recovered unless the file is re-uploaded. - - * The action converts all hash identifiers to lowercase before sending the request - to ensure compatibility with the A1000 API. + 4. **Status Reporting**: The action tracks successful deletions (based on HTTP + 200 responses) and returns a summary message listing the hashes that were successfully + removed from the appliance. capabilities: can_create_case_comments: false can_create_insight: false @@ -63,8 +37,8 @@ Delete Sample: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Deletes file samples, extracted data, and associated metadata from the Reversinglabs - A1000 appliance via a DELETE API request. + Deletes file samples and their associated metadata from the ReversingLabs A1000 + appliance using the HTTP DELETE method. fetches_data: false internal_data_mutation_explanation: null categories: @@ -85,49 +59,51 @@ Delete Sample: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Report: - ai_description: >- - ### General Description - - The **Get Report** action retrieves a comprehensive classification summary and - detailed analysis for file samples from a ReversingLabs A1000 Malware Analysis - appliance using their hash values. This action is designed to enrich file hash - entities with threat intelligence, providing critical data points such as threat - status, malware names, threat levels, and trust factors. - - - ### Parameters Description - - There are no parameters for this action. - - - ### Flow Description - - 1. **Entity Filtering**: The action iterates through all entities in the current - context and filters for those of type `FILEHASH`. - - 2. **API Authentication**: It initializes the ReversingLabs A1000 client using - the integration's configured API Root, Username, and Password to obtain an authorization - token. - - 3. **Data Retrieval**: The action sends a batch request to the A1000 `/api/samples/list/` - endpoint, passing the collected hash values and requesting specific fields including - `threat_status`, `threat_level`, `threat_name`, and `trust_factor`. - - 4. **Result Processing**: For each hash that returns a report, the action flattens - the dictionary and generates a dedicated data table on the case wall for that - specific hash. - - 5. **Output**: The action concludes by attaching the complete raw JSON response - to the execution results, allowing for further automated analysis or logic in - the playbook. - - - ### Additional Notes - - This action is strictly read-only regarding the external ReversingLabs system. - It queries existing reports and does not trigger new file uploads or analysis - tasks. + ai_description: "### General Description\nThe **Get Report** action retrieves summary\ + \ classification reports and detailed analysis metadata for file hashes from the\ + \ ReversingLabs A1000 Malware Analysis Appliance. This action is used to enrich\ + \ file-related indicators by providing threat levels, status (e.g., malicious,\ + \ suspicious, known), and specific threat names identified by ReversingLabs.\n\ + \n### Parameters Description\n| Parameter | Type | Mandatory | Description |\n\ + | :--- | :--- | :--- | :--- |\n| None | N/A | N/A | This action does not require\ + \ any input parameters; it automatically processes all `FILEHASH` entities in\ + \ the scope. |\n\n### Additional Notes\n* This action performs a bulk lookup for\ + \ all identified hashes in a single API call.\n* It does not submit new files\ + \ for analysis; it only retrieves existing reports.\n* Results are presented as\ + \ data tables attached to the case for each hash.\n\n### Flow Description\n1.\ + \ **Entity Identification**: The action scans the current context for entities\ + \ of type `FILEHASH`.\n2. **Data Retrieval**: It sends a list of these hashes\ + \ to the ReversingLabs A1000 `api/samples/list/` endpoint.\n3. **Context Enrichment**:\ + \ For every hash found, the action extracts key fields including `threat_status`,\ + \ `threat_level`, `threat_name`, and `trust_factor`.\n4. **Output Generation**:\ + \ \n * A data table is created for each hash and attached to the case.\n \ + \ * The full response is provided as a JSON result for further playbook processing." capabilities: can_create_case_comments: false can_create_insight: false @@ -138,8 +114,7 @@ Get Report: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action adds detailed classification data tables to the case wall for each - processed file hash and attaches the raw JSON results to the action output. + Adds data tables to the case containing the analysis results for each file hash. categories: enrichment: true entity_usage: @@ -158,39 +133,85 @@ Get Report: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Scan Status: - ai_description: "### General Description\nThe **Get Scan Status** action retrieves\ - \ the current processing status for a list of file hash entities from the ReversingLabs\ - \ A1000 Malware Analysis Appliance. This action is primarily used to check if\ - \ a previously submitted sample has finished analysis or to verify if the system\ - \ already has a record of the hash.\n\n### Parameters Description\nThere are no\ - \ parameters for this action.\n\n### Additional Notes\n* This action specifically\ - \ targets **FILEHASH** entities.\n* Although the underlying API call uses a POST\ - \ method, it is a read-only operation intended for batch status retrieval and\ - \ does not modify the state of the A1000 system.\n\n### Flow Description\n1. **Entity\ - \ Filtering:** The action identifies all `FILEHASH` entities within the current\ - \ alert context.\n2. **Data Collection:** It extracts the identifiers (hashes)\ - \ of these entities and converts them to lowercase for consistency.\n3. **API\ - \ Query:** The action sends a batch request to the ReversingLabs A1000 `api/samples/status/`\ - \ endpoint to fetch the processing status for all collected hashes.\n4. **Result\ - \ Processing:** \n * If statuses are found, it generates a mapping of hashes\ - \ to their respective statuses (e.g., 'processed').\n * It creates a data table\ - \ named \"Scan Status:\" to display these results in the case wall.\n * It\ - \ attaches the raw status data as a JSON result for use in downstream playbook\ - \ logic.\n5. **Completion:** The action concludes with a success message if data\ - \ was retrieved, or a failure message if the status could not be obtained." + ai_description: >- + Retrieves the processing status of file hash entities from the ReversingLabs A1000 + Malware Analysis platform. This action allows analysts to check if submitted samples + have finished analysis or are still being processed. + + + ### Flow Description: + + 1. **Entity Collection**: The action identifies all `FILEHASH` entities within + the current scope. + + 2. **Status Query**: It sends a bulk request to the ReversingLabs A1000 API using + the collected hash values to retrieve their current processing status. + + 3. **Data Processing**: The response is parsed to map each hash to its specific + status (e.g., 'processed', 'uploading', 'analyzing'). + + 4. **Output Generation**: The action generates a data table named 'Scan Status:' + for the case wall and provides a JSON result containing the status mapping for + downstream playbook logic. + + + ### Parameters Description: + + | Parameter Name | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | None | N/A | N/A | This action does not require any input parameters beyond + the entities in the context. | + + + ### Additional Notes: + + * This action uses a POST request to the `/api/samples/status/` endpoint to perform + a bulk lookup of hash statuses. + + * If no status information is returned for the provided hashes, the action will + complete with a failure status. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: false + can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: null + internal_data_mutation_explanation: >- + Adds a data table named 'Scan Status:' to the Google SecOps case containing + the processing status of the analyzed file hashes. categories: - enrichment: true + enrichment: false entity_usage: entity_types: - FILEHASH @@ -207,43 +228,70 @@ Get Scan Status: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: ai_description: >- ### General Description The **Ping** action is a diagnostic tool used to verify the connectivity between - Google SecOps and the Reversinglabs A1000 Malware Analysis Appliance. Its primary - purpose is to ensure that the integration configuration (API Root, Username, and - Password) is valid and that the external service is reachable and responding to - requests. + the Google SecOps platform and the **ReversingLabs A1000 Malware Analysis Appliance**. + It ensures that the integration is correctly configured and that the provided + credentials (Username and Password) have the necessary permissions to interact + with the A1000 API. ### Parameters Description - There are no input parameters for this action. + There are no parameters for this action. - ### Additional Notes + ### Flow Description - This action performs a functional test by attempting to retrieve the processing - status of a hardcoded test hash. It does not interact with any entities present - in the current case or alert. + 1. **Configuration Retrieval**: The action starts by fetching the integration's + configuration, including the API Root, Username, and Password. + 2. **Client Initialization**: It initializes the `A1000MalwareAnalysisClient` + using the retrieved configuration. - ### Flow Description + 3. **Authentication**: The client attempts to authenticate with the A1000 server + to obtain an authorization token. + + 4. **Connectivity Test**: The action performs a status check for a predefined + test hash (`526e57077b938b3c3dbce56f8aaaa7be`) to confirm the API is responsive + and the token is valid. - 1. **Configuration Retrieval**: The action extracts the API Root, Username, and - Password from the integration's shared configuration. + 5. **Completion**: If all steps succeed, the action returns a 'Connected Successfully' + message. - 2. **Authentication**: It initializes the A1000 client, which performs a POST - request to the `/api-token-auth/` endpoint to obtain an authorization token. - 3. **Connectivity Validation**: The action calls the `test_connectivity` method, - which sends a POST request to the `/api/samples/status/` endpoint using a predefined - test hash. + ### Additional Notes - 4. **Completion**: If the API responds successfully, the action concludes with - a success message and a boolean result indicating connectivity. + This action does not process any entities or modify any data within the SecOps + platform or the external A1000 system. capabilities: can_create_case_comments: false can_create_insight: false @@ -271,61 +319,90 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Upload File: ai_description: >- ### General Description - Uploads a file from a specified local path to the ReversingLabs A1000 appliance - for automated malware analysis. This action is used to submit samples that are - not yet present in the A1000 environment to retrieve detailed threat intelligence, - including classification, threat level, and trust factors. + Uploads a file to the ReversingLabs A1000 appliance for automated malware analysis. + This action is designed to submit a local file to the A1000 system, monitor its + processing status until completion, and then retrieve a comprehensive analysis + report. The report includes critical security metadata such as threat levels, + status, and classification details. ### Parameters Description - | Parameter | Type | Mandatory | Description | + | Parameter Name | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | File Path | String | Yes | The full local path to the file on the system where - the agent is running that should be uploaded for analysis. | + | File Path | string | True | The absolute path to the file on the local system + that needs to be uploaded for analysis. | ### Flow Description - 1. **Authentication**: Connects to the ReversingLabs A1000 appliance using the - configured API credentials. + 1. **Authentication**: The action authenticates with the ReversingLabs A1000 appliance + using the configured API credentials. 2. **File Upload**: Submits the file located at the provided 'File Path' to the A1000 `/api/uploads/` endpoint. - 3. **Processing Wait**: Enters a polling loop, checking the processing status - of the uploaded file's SHA1 hash until the status is marked as 'processed'. + 3. **Status Polling**: Enters a polling loop, checking the processing status of + the file's SHA1 hash until the appliance marks it as 'processed'. - 4. **Report Retrieval**: Fetches the summary classification report for the file - once processing is complete. + 4. **Report Retrieval**: Once processing is finished, the action fetches the summary + classification report for the file. - 5. **Data Output**: Formats the analysis results into a data table ('File Details:') - and attaches the full JSON response to the action results. + 5. **Data Output**: The retrieved report is flattened and presented as a data + table named 'File Details:' and also attached as a raw JSON result for further + playbook processing. ### Additional Notes - This action does not run on SecOps entities; it requires a direct file path as - input. It is a synchronous action that will wait (block) until the A1000 appliance - finishes analyzing the file. + This action is synchronous and will wait (block) until the A1000 appliance has + finished analyzing the file. Ensure that the environment where the action runs + has read access to the specified file path. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: true - can_mutate_internal_data: false + can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: >- - Uploads a new file sample to the ReversingLabs A1000 appliance, which creates - a new analysis record in the external system. + Uploads a file to the ReversingLabs A1000 appliance, creating a new analysis + record in the external system. fetches_data: true - internal_data_mutation_explanation: null + internal_data_mutation_explanation: >- + Adds a data table named 'File Details:' to the action results within the Google + SecOps case. categories: enrichment: false entity_usage: @@ -343,3 +420,28 @@ Upload File: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: true + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/google/reversinglabs_a1000/resources/ai/integration_ai_description.yaml b/content/response_integrations/google/reversinglabs_a1000/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..2e831240c --- /dev/null +++ b/content/response_integrations/google/reversinglabs_a1000/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + siem: false + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/google/stealthwatch_v610/resources/ai/actions_ai_description.yaml b/content/response_integrations/google/stealthwatch_v610/resources/ai/actions_ai_description.yaml index 03a2809e7..5248817ff 100644 --- a/content/response_integrations/google/stealthwatch_v610/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/google/stealthwatch_v610/resources/ai/actions_ai_description.yaml @@ -1,33 +1,25 @@ -# Copyright 2026 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - Ping: - ai_description: "### General Description\nThe **Ping** action is a diagnostic tool\ - \ used to verify the connectivity between Google SecOps and the Cisco Stealthwatch\ - \ (v6.10) instance. It ensures that the provided integration parameters\u2014\ - such as the API Root, Username, and Password\u2014are correct and that the Stealthwatch\ - \ server is reachable over the network.\n\n### Parameters\nThere are no user-input\ - \ parameters for this action. It relies entirely on the integration's global configuration\ - \ settings.\n\n### Flow Description\n1. **Configuration Retrieval**: The action\ - \ fetches the 'Api Root', 'Username', and 'Password' from the StealthwatchV6-10\ - \ integration settings.\n2. **Authentication**: The action initializes the `StealthwatchManager`,\ - \ which performs a POST request to the `/token/v2/authenticate` endpoint to obtain\ - \ a JWT cookie.\n3. **Connectivity Test**: The manager executes the `test_connectivity`\ - \ method, which performs a GET request to the `/sw-reporting/v1/tenants` endpoint\ - \ to retrieve available domains.\n4. **Result Reporting**: If the authentication\ - \ and domain retrieval are successful, the action returns a 'Connected Successfully'\ - \ message and a boolean `True` result." + ai_description: "### General Description\nThe **Ping** action is a utility designed\ + \ to verify the connectivity between the Google SecOps platform and the Cisco\ + \ Stealthwatch (v6.10) instance. Its primary purpose is to ensure that the integration's\ + \ configuration parameters\u2014specifically the API Root, Username, and Password\u2014\ + are correct and that the Stealthwatch server is reachable and responding to requests.\n\ + \n### Parameters Description\nThis action does not require any input parameters.\ + \ It relies entirely on the integration's global configuration settings.\n\n###\ + \ Additional Notes\n* The action performs a live authentication check by requesting\ + \ a JWT token from the Stealthwatch server.\n* It further validates the connection\ + \ by attempting to retrieve a list of available domains (tenants) from the system.\n\ + * If any step in the authentication or domain retrieval fails, the action will\ + \ report a failure, indicating a configuration or network issue.\n\n### Flow Description\n\ + 1. **Configuration Retrieval:** The action fetches the 'Api Root', 'Username',\ + \ and 'Password' from the StealthwatchV6-10 integration settings.\n2. **Manager\ + \ Initialization:** It initializes the `StealthwatchManager`, which triggers an\ + \ authentication request (`POST /token/v2/authenticate`) to obtain a session cookie/JWT.\n\ + 3. **Connectivity Test:** The action calls the `test_connectivity` method, which\ + \ executes a `GET` request to the `/sw-reporting/v1/tenants` endpoint to verify\ + \ that the authenticated session can successfully read data.\n4. **Result Reporting:**\ + \ If the requests are successful, the action concludes with a 'Connected Successfully'\ + \ message and returns a boolean `True` status." capabilities: can_create_case_comments: false can_create_insight: false @@ -36,7 +28,7 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false @@ -55,64 +47,90 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Search Events: ai_description: >- ### General Description - This action retrieves security events for specific IP address entities from Cisco - Stealthwatch (v6.10) within a user-defined timeframe. It is designed to provide - security analysts with visibility into the network behavior of a host by identifying - events where the host acted as either a source or a destination. The results are - presented as both raw JSON data and formatted entity tables for easy review within - the Google SecOps platform. + Retrieves security events for IP address entities from Cisco Stealthwatch within + a specified hourly timeframe. This action is useful for identifying malicious + or suspicious network activity associated with a host by searching for events + where the host is either the source or the target. ### Parameters Description - | Parameter | Type | Mandatory | Description | + | Parameter | Expected Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Timeframe | Integer | Yes | Specifies the lookback period in hours from the - current time to search for security events. | + | Timeframe | String | True | The number of hours back from the current time to + search for security events. | - ### Flow Description + ### Additional Notes + + - The action automatically identifies the correct Stealthwatch Domain ID for each + IP address before performing the search. - 1. **Time Calculation**: The action calculates the start and end timestamps for - the search based on the current UTC time and the provided `Timeframe` parameter. + - Results are attached to the case as both raw JSON and formatted entity-level + data tables. - 2. **Entity Filtering**: It iterates through the target entities and processes - only those of type `ADDRESS` (IP addresses). - 3. **Domain Identification**: For each IP address, the action queries the Stealthwatch - API to determine the `domain_id` associated with that host. + ### Flow Description + + 1. **Time Calculation**: Calculates the search start and end times based on the + provided `Timeframe` parameter and the current UTC time. + + 2. **Domain Identification**: For each IP address entity, the action queries Stealthwatch + to find the associated Domain ID. - 4. **Search Initiation**: If a domain is found, the action initiates two separate - asynchronous search queries: one for events where the IP is the source and another - where it is the destination. + 3. **Event Search**: Initiates two asynchronous search queries per entity: one + for events where the IP is the source and another where it is the destination. - 5. **Result Retrieval**: The action polls the Stealthwatch API for the completion - of these search jobs and retrieves the resulting event data. + 4. **Result Polling**: Polls the Stealthwatch API until the search jobs are completed. - 6. **Data Attachment**: The retrieved events are attached to the entity in the - SOAR interface as a JSON object and a formatted CSV table containing security - event details. + 5. **Data Retrieval**: Fetches the search results for both queries. - 7. **Final Status**: The action concludes by reporting which entities had security - events found or if no events were discovered. + 6. **Data Attachment**: Flattens the event data and attaches it to the case as + a JSON result and an entity data table titled 'Security Event Details'. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: false + can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: null + internal_data_mutation_explanation: >- + Adds security event details as entity tables and JSON results to the case. categories: - enrichment: true + enrichment: false entity_usage: entity_types: - ADDRESS @@ -129,46 +147,102 @@ Search Events: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Search Flows: - ai_description: "### General Description\nThe **Search Flows** action retrieves\ - \ network flow records from Cisco Stealthwatch (Secure Network Analytics) for\ - \ specific IP address entities. It identifies flows where the target entity acts\ - \ as either the source or the destination within a user-defined timeframe. This\ - \ action is primarily used for network forensics and visibility, allowing analysts\ - \ to see which internal or external hosts an IP has been communicating with.\n\ - \n### Parameters Description\n| Parameter | Type | Mandatory | Description |\n\ - | :--- | :--- | :--- | :--- |\n| **Timeframe** | Integer | Yes | The number of\ - \ hours to look back from the current time (e.g., 3) to define the search window.\ - \ |\n| **Limit** | Integer | Yes | The maximum number of flow records to retrieve\ - \ for each search (source and destination). |\n\n### Flow Description\n1. **Initialization**:\ - \ The action retrieves the integration configuration (API Root, credentials) and\ - \ the user-provided parameters: `Timeframe` and `Limit`.\n2. **Time Calculation**:\ - \ It calculates the `start_time` and `end_time` in ISO format based on the current\ - \ UTC time and the `Timeframe` parameter.\n3. **Domain Identification**: For each\ - \ IP address entity, the action queries the Stealthwatch API to find the `domain_id`\ - \ associated with that specific IP.\n4. **Flow Searching**: For each valid domain\ - \ found, the action initiates two separate asynchronous search queries:\n *\ - \ A search for flows where the entity is the **source IP**.\n * A search for\ - \ flows where the entity is the **destination IP**.\n5. **Data Retrieval**: The\ - \ action polls the Stealthwatch API for the status of the search jobs. Once completed,\ - \ it retrieves the flow results up to the specified `Limit`.\n6. **Enrichment\ - \ and Output**: \n * The raw flow data is attached to the action results as\ - \ a JSON object.\n * A flattened CSV table of the flows is created and attached\ - \ as an **Entity Table** for the specific IP address.\n7. **Completion**: The\ - \ action concludes by listing the entities for which flows were successfully identified\ - \ and retrieved." + ai_description: >- + ### General Description + + The **Search Flows** action retrieves network flow data from Cisco Stealthwatch + (v6.10+) for specific IP Address entities. It allows security analysts to investigate + network traffic patterns by searching for flows where the target entity acts as + either the source or the destination within a defined historical window. This + provides critical context for understanding lateral movement, data exfiltration, + or communication with known malicious infrastructure. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | **Timeframe** | String | Yes | The number of hours to look back from the current + time (e.g., '3' for the last 3 hours). | + + | **Limit** | String | Yes | The maximum number of flow records to return for + each search (source and destination). | + + + ### Flow Description + + 1. **Initialization**: The action retrieves integration credentials (API Root, + Username, Password) and input parameters (`Timeframe`, `Limit`). + + 2. **Time Calculation**: It calculates the search window's start and end timestamps + based on the provided `Timeframe` relative to the current UTC time. + + 3. **Domain Resolution**: For each IP Address entity in the scope, the action + queries Stealthwatch to identify the corresponding `domain_id` required for reporting. + + 4. **Source Search**: It initiates a flow search query where the entity is the + source IP. + + 5. **Destination Search**: It initiates a flow search query where the entity is + the destination IP. + + 6. **Data Retrieval**: The action polls the Stealthwatch API for the completion + of both search jobs and fetches the resulting flow records. + + 7. **Output Generation**: It aggregates the results, flattens the data for CSV/Table + display, and attaches the findings to the action results as both raw JSON and + entity-specific tables for visualization in the Google SecOps UI. + + + ### Additional Notes + + - This action performs two separate searches per entity (Source and Destination) + and combines the results into a single output. + + - If the action cannot resolve a domain ID for a specific IP address, that entity + will be skipped. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: false + can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: null + internal_data_mutation_explanation: >- + The action populates entity tables with network flow data, which modifies the + internal data associated with the entities in the Google SecOps case. categories: - enrichment: true + enrichment: false entity_usage: entity_types: - ADDRESS @@ -185,3 +259,28 @@ Search Flows: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/google/stealthwatch_v610/resources/ai/integration_ai_description.yaml b/content/response_integrations/google/stealthwatch_v610/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..a67fd6077 --- /dev/null +++ b/content/response_integrations/google/stealthwatch_v610/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: true + siem: true + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/google/symantec_content_analysis/resources/actions_ai_description.yaml b/content/response_integrations/google/symantec_content_analysis/resources/actions_ai_description.yaml deleted file mode 100644 index 831374b51..000000000 --- a/content/response_integrations/google/symantec_content_analysis/resources/actions_ai_description.yaml +++ /dev/null @@ -1,194 +0,0 @@ -# Copyright 2026 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -Get Hash Report: - ai_description: >- - ### General Description - - Enriches File Hash entities by retrieving sample reports from Symantec Content - Analysis. This action supports both MD5 and SHA256 hash types, providing detailed - sample information in a tabular format and updating the entity's metadata within - Google SecOps. - - - ### Parameters - - There are no specific action parameters for this action. It relies on the global - integration configuration (API Root, API Key, and Verify SSL). - - - ### Flow Description - - 1. **Entity Filtering**: The action identifies all `FILEHASH` entities within - the current context. - - 2. **Hash Validation**: For each entity, it validates the hash type based on string - length (32 characters for MD5, 64 characters for SHA256). - - 3. **Data Retrieval**: It performs a GET request to the Symantec Content Analysis - API to fetch sample data associated with the specific hash. - - 4. **Data Attachment**: If a report is found, the action converts the results - into a CSV format and attaches it as an entity table. - - 5. **Internal Enrichment**: The raw JSON response is mapped to the entity's 'additional_properties' - field. - - 6. **Entity Update**: Finally, the action updates the entities in the case to - persist the enriched data. - capabilities: - can_create_case_comments: false - can_create_insight: false - can_modify_alert_data: false - can_mutate_external_data: false - can_mutate_internal_data: true - can_update_entities: true - external_data_mutation_explanation: null - fetches_data: true - internal_data_mutation_explanation: >- - Updates entity additional properties with the retrieved hash report and adds - a data table to the entity in the SOAR. - categories: - enrichment: true - entity_usage: - entity_types: - - FILEHASH - filters_by_additional_properties: false - filters_by_alert_identifier: false - filters_by_case_identifier: false - filters_by_creation_time: false - filters_by_entity_type: true - filters_by_identifier: false - filters_by_is_artifact: false - filters_by_is_enriched: false - filters_by_is_internal: false - filters_by_is_pivot: false - filters_by_is_suspicious: false - filters_by_is_vulnerable: false - filters_by_modification_time: false -Ping: - ai_description: >- - ### General Description - - The Ping action is a diagnostic tool designed to verify the connectivity between - Google SecOps and the Symantec Content Analysis server. It ensures that the provided - API Root and API Key are valid and that the network path is open. - - - ### Parameters Description - - There are no action-specific parameters for this action. It relies entirely on - the integration's global configuration (API Root, API Key, and Verify SSL). - - - ### Additional Notes - - - This action is typically used during the initial setup or troubleshooting of - the Symantec Content Analysis integration. - - - According to standard SOAR practices, Ping actions are not categorized as enrichment - actions. - - - ### Flow Description - - 1. **Configuration Retrieval**: The action fetches the integration's global settings, - including the API Root, API Key, and SSL verification preference. - - 2. **Manager Initialization**: It initializes the `SymantecContentAnalysisManager` - with the retrieved credentials. - - 3. **Connectivity Test**: The manager executes a `GET` request to the `rapi/pattern_groups` - endpoint of the Symantec Content Analysis API. - - 4. **Validation**: The action validates the HTTP response. If the status code - indicates success, it confirms the connection. - - 5. **Result Reporting**: The action outputs 'Connection Established' on success - or 'Connection Failed' if an error occurs. - capabilities: - can_create_case_comments: false - can_create_insight: false - can_modify_alert_data: false - can_mutate_external_data: false - can_mutate_internal_data: false - can_update_entities: false - external_data_mutation_explanation: null - fetches_data: true - internal_data_mutation_explanation: null - categories: - enrichment: false - entity_usage: - entity_types: [] - filters_by_additional_properties: false - filters_by_alert_identifier: false - filters_by_case_identifier: false - filters_by_creation_time: false - filters_by_entity_type: false - filters_by_identifier: false - filters_by_is_artifact: false - filters_by_is_enriched: false - filters_by_is_internal: false - filters_by_is_pivot: false - filters_by_is_suspicious: false - filters_by_is_vulnerable: false - filters_by_modification_time: false -Submit File: - ai_description: "### General Description\nThis action uploads a file from a specified\ - \ local path to Symantec Content Analysis for security scanning and reputation\ - \ analysis. It is used to determine if a file is malicious or suspicious by leveraging\ - \ Symantec's analysis engine. The action retrieves a reputation score and provides\ - \ immediate feedback within the case.\n\n### Parameters Description\n| Parameter\ - \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| File Path\ - \ | String | Yes | The full local path to the file that should be uploaded and\ - \ scanned. |\n\n### Flow Description\n1. **Configuration Retrieval**: The action\ - \ initializes the Symantec Content Analysis manager using the provided API Root\ - \ and API Key.\n2. **File Submission**: It reads the file from the provided `File\ - \ Path` and performs a POST request to the Symantec `rapi/cas/scan` endpoint.\n\ - 3. **Score Extraction**: The action waits for the scan results (with a 5-minute\ - \ timeout) and extracts the `file_reputation_score` from the API response.\n4.\ - \ **Insight Creation**: \n * If the score is between 2 and 6, a 'File Found\ - \ as Suspicious' insight is created.\n * If the score is between 7 and 10,\ - \ a 'File Found as Malicious' insight is created.\n5. **Completion**: The action\ - \ ends by returning the reputation score and a summary message to the Google SecOps\ - \ workbench." - capabilities: - can_create_case_comments: false - can_create_insight: true - can_modify_alert_data: false - can_mutate_external_data: false - can_mutate_internal_data: true - can_update_entities: false - external_data_mutation_explanation: null - fetches_data: true - internal_data_mutation_explanation: >- - Creates case insights in Google SecOps based on the reputation score returned - by the Symantec Content Analysis scan. - categories: - enrichment: true - entity_usage: - entity_types: [] - filters_by_additional_properties: false - filters_by_alert_identifier: false - filters_by_case_identifier: false - filters_by_creation_time: false - filters_by_entity_type: false - filters_by_identifier: false - filters_by_is_artifact: false - filters_by_is_enriched: false - filters_by_is_internal: false - filters_by_is_pivot: false - filters_by_is_suspicious: false - filters_by_is_vulnerable: false - filters_by_modification_time: false diff --git a/content/response_integrations/google/symantec_content_analysis/resources/ai/actions_ai_description.yaml b/content/response_integrations/google/symantec_content_analysis/resources/ai/actions_ai_description.yaml index 831374b51..a547c636e 100644 --- a/content/response_integrations/google/symantec_content_analysis/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/google/symantec_content_analysis/resources/ai/actions_ai_description.yaml @@ -1,52 +1,50 @@ -# Copyright 2026 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - Get Hash Report: ai_description: >- - ### General Description + Enriches File Hash entities (MD5 and SHA256) by retrieving sample reports from + Symantec Content Analysis. This action queries the Symantec API to find basic + sample information associated with a specific file hash and provides the results + as both entity attributes and a data table within the case. + + + ### Parameters Description + + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | None | N/A | N/A | This action does not have any specific input parameters beyond + the target entities. | + - Enriches File Hash entities by retrieving sample reports from Symantec Content - Analysis. This action supports both MD5 and SHA256 hash types, providing detailed - sample information in a tabular format and updating the entity's metadata within - Google SecOps. + ### Additional Notes - ### Parameters + * The action automatically distinguishes between MD5 (32 characters) and SHA256 + (64 characters) hashes to use the appropriate API endpoint. - There are no specific action parameters for this action. It relies on the global - integration configuration (API Root, API Key, and Verify SSL). + * If a hash is neither 32 nor 64 characters long, an error will be logged for + that specific entity. ### Flow Description - 1. **Entity Filtering**: The action identifies all `FILEHASH` entities within - the current context. - 2. **Hash Validation**: For each entity, it validates the hash type based on string - length (32 characters for MD5, 64 characters for SHA256). + 1. **Filter Entities:** The action identifies all File Hash entities within the + current context. - 3. **Data Retrieval**: It performs a GET request to the Symantec Content Analysis - API to fetch sample data associated with the specific hash. + 2. **API Query:** For each identified hash, it determines the hash type (MD5 + or SHA256) and sends a GET request to the Symantec Content Analysis API to retrieve + sample data. - 4. **Data Attachment**: If a report is found, the action converts the results - into a CSV format and attaches it as an entity table. + 3. **Data Processing:** If a report is found, the action flattens the JSON response + and adds it to the entity's additional properties. - 5. **Internal Enrichment**: The raw JSON response is mapped to the entity's 'additional_properties' - field. + 4. **UI Enhancement:** A CSV-formatted table containing the report details is + attached to the entity in the Google SecOps interface. - 6. **Entity Update**: Finally, the action updates the entities in the case to - persist the enriched data. + 5. **Update:** The action updates the entities in the platform to persist the + enriched data. capabilities: can_create_case_comments: false can_create_insight: false @@ -57,8 +55,8 @@ Get Hash Report: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with the retrieved hash report and adds - a data table to the entity in the SOAR. + Updates entity additional properties with flattened report data and adds a data + table to the entity's record in the case. categories: enrichment: true entity_usage: @@ -77,46 +75,79 @@ Get Hash Report: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: ai_description: >- ### General Description - The Ping action is a diagnostic tool designed to verify the connectivity between - Google SecOps and the Symantec Content Analysis server. It ensures that the provided - API Root and API Key are valid and that the network path is open. + The **Ping** action is a diagnostic utility designed to verify the connectivity + between Google SecOps and the Symantec Content Analysis server. Its primary purpose + is to ensure that the integration's configuration parameters (API Root and API + Key) are correct and that the server is reachable over the network. ### Parameters Description - There are no action-specific parameters for this action. It relies entirely on - the integration's global configuration (API Root, API Key, and Verify SSL). + | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | + + | API Root | String | Yes | The base URL of the Symantec Content Analysis server + (configured in the integration settings). | + + | API Key | String | Yes | The API token used for authentication (configured in + the integration settings). | + + | Verify SSL | Boolean | Yes | Determines whether to validate the SSL certificate + of the target server (configured in the integration settings). | - ### Additional Notes - - This action is typically used during the initial setup or troubleshooting of - the Symantec Content Analysis integration. + ### Additional Notes - - According to standard SOAR practices, Ping actions are not categorized as enrichment - actions. + This action does not accept any input parameters directly and does not process + any entities. It relies entirely on the integration's global configuration. ### Flow Description - 1. **Configuration Retrieval**: The action fetches the integration's global settings, - including the API Root, API Key, and SSL verification preference. + 1. **Initialization**: The action retrieves the integration configuration, including + the API Root, API Key, and SSL verification preference. - 2. **Manager Initialization**: It initializes the `SymantecContentAnalysisManager` - with the retrieved credentials. + 2. **Manager Setup**: It initializes the `SymantecContentAnalysisManager` with + the provided credentials. - 3. **Connectivity Test**: The manager executes a `GET` request to the `rapi/pattern_groups` - endpoint of the Symantec Content Analysis API. + 3. **API Call**: The action executes a `GET` request to the `rapi/pattern_groups` + endpoint on the Symantec Content Analysis server. - 4. **Validation**: The action validates the HTTP response. If the status code - indicates success, it confirms the connection. + 4. **Validation**: It validates the HTTP response status. If the request is successful + (2xx status code), the connectivity is confirmed. - 5. **Result Reporting**: The action outputs 'Connection Established' on success - or 'Connection Failed' if an error occurs. + 5. **Final Output**: The action returns a success message ('Connection Established') + or a failure message ('Connection Failed') based on the API response. capabilities: can_create_case_comments: false can_create_insight: false @@ -144,39 +175,67 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Submit File: - ai_description: "### General Description\nThis action uploads a file from a specified\ - \ local path to Symantec Content Analysis for security scanning and reputation\ - \ analysis. It is used to determine if a file is malicious or suspicious by leveraging\ - \ Symantec's analysis engine. The action retrieves a reputation score and provides\ - \ immediate feedback within the case.\n\n### Parameters Description\n| Parameter\ - \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| File Path\ - \ | String | Yes | The full local path to the file that should be uploaded and\ - \ scanned. |\n\n### Flow Description\n1. **Configuration Retrieval**: The action\ - \ initializes the Symantec Content Analysis manager using the provided API Root\ - \ and API Key.\n2. **File Submission**: It reads the file from the provided `File\ - \ Path` and performs a POST request to the Symantec `rapi/cas/scan` endpoint.\n\ - 3. **Score Extraction**: The action waits for the scan results (with a 5-minute\ - \ timeout) and extracts the `file_reputation_score` from the API response.\n4.\ - \ **Insight Creation**: \n * If the score is between 2 and 6, a 'File Found\ - \ as Suspicious' insight is created.\n * If the score is between 7 and 10,\ - \ a 'File Found as Malicious' insight is created.\n5. **Completion**: The action\ - \ ends by returning the reputation score and a summary message to the Google SecOps\ - \ workbench." + ai_description: "Submits a file to Symantec Content Analysis for scanning and analysis.\ + \ This action uploads a file from a specified local path to the Symantec service,\ + \ retrieves the resulting reputation score, and generates case insights based\ + \ on the severity of the findings.\n\n### Flow Description\n1. **Configuration\ + \ Retrieval:** The action initializes the Symantec Content Analysis manager using\ + \ the provided API Root and API Key.\n2. **File Submission:** It reads the file\ + \ from the provided 'File Path' and performs a POST request to the Symantec Content\ + \ Analysis API to initiate a scan.\n3. **Score Parsing:** The action extracts\ + \ the file reputation score from the API response.\n4. **Insight Generation:**\ + \ \n * If the score is between 2 and 6, it creates a 'File Found as Suspicious'\ + \ insight.\n * If the score is between 7 and 10, it creates a 'File Found as\ + \ Malicious' insight.\n5. **Completion:** The action concludes by returning the\ + \ reputation score and a summary message.\n\n### Parameters Description\n| Parameter\ + \ Name | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| File\ + \ Path | string | True | The local file system path of the file to be uploaded\ + \ and scanned. |\n\n### Additional Notes\n* This action does not process SecOps\ + \ entities; it operates strictly on the file path provided in the parameters.\n\ + * The action includes a timeout mechanism (defaulting to 5 minutes) for the file\ + \ submission process." capabilities: can_create_case_comments: false can_create_insight: true can_modify_alert_data: false - can_mutate_external_data: false + can_mutate_external_data: true can_mutate_internal_data: true can_update_entities: false - external_data_mutation_explanation: null + external_data_mutation_explanation: >- + Submits a file to the Symantec Content Analysis service for scanning, which + creates a new analysis record in the external system. fetches_data: true internal_data_mutation_explanation: >- - Creates case insights in Google SecOps based on the reputation score returned - by the Symantec Content Analysis scan. + Creates case insights within Google SecOps based on the reputation score returned + by the external service. categories: - enrichment: true + enrichment: false entity_usage: entity_types: [] filters_by_additional_properties: false @@ -192,3 +251,28 @@ Submit File: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: true + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/google/symantec_content_analysis/resources/ai/integration_ai_description.yaml b/content/response_integrations/google/symantec_content_analysis/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..2e831240c --- /dev/null +++ b/content/response_integrations/google/symantec_content_analysis/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + siem: false + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/google/symantec_icdx/resources/ai/actions_ai_description.yaml b/content/response_integrations/google/symantec_icdx/resources/ai/actions_ai_description.yaml index 83e63c58c..2bd24bd8d 100644 --- a/content/response_integrations/google/symantec_icdx/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/google/symantec_icdx/resources/ai/actions_ai_description.yaml @@ -1,36 +1,52 @@ -# Copyright 2026 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - Get Event: - ai_description: "### General Description\nThis action retrieves detailed information\ - \ for a specific event from Symantec ICDX using its unique identifier (UUID).\ - \ It is primarily used to gather granular event data that may not be present in\ - \ the initial alert, allowing analysts to perform deeper investigations into specific\ - \ activities recorded by Symantec ICDX.\n\n### Parameters Description\n| Parameter\ - \ | Description | Type | Mandatory |\n| :--- | :--- | :--- | :--- |\n| Event UUID\ - \ | The unique identifier (UUID) of the event to be retrieved from the Symantec\ - \ ICDX archives. | String | Yes |\n\n### Flow Description\n1. **Initialization**:\ - \ The action initializes the Symantec ICDX manager using the provided API Root\ - \ and API Token from the integration configuration.\n2. **Parameter Retrieval**:\ - \ The `Event UUID` is extracted from the action parameters.\n3. **API Request**:\ - \ The action sends a POST request to the Symantec ICDX search endpoint with a\ - \ specific request type (`id: 0`) designed for direct event retrieval by UUID.\n\ - 4. **Data Processing**: \n * If the event is found, the raw JSON response is\ - \ attached to the action results.\n * A flattened version of the event data\ - \ is created and added as a data table for visibility in the SOAR interface.\n\ - 5. **Completion**: The action concludes with a success message if the event was\ - \ found, or a failure message if the UUID did not match any records." + ai_description: >- + ### General Description + + The **Get Event** action retrieves detailed information for a specific event from + Symantec ICDX using its unique identifier (UUID). This action is primarily used + for deep-dive investigations where a specific event ID is already known, allowing + analysts to pull the full raw data and structured fields associated with that + event from the ICDX archives. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | **Event UUID** | string | Yes | The unique universal identifier (UUID) of the + event to be retrieved from Symantec ICDX. | + + + ### Additional Notes + + * This action does not process entities automatically; it requires a manual input + of the Event UUID. + + * The results are presented both as a raw JSON object and a flattened data table + for easier viewing within the case wall. + + + ### Flow Description + + 1. **Configuration Retrieval:** The action starts by fetching the Symantec ICDX + integration settings, including the API Root, API Token, and SSL verification + preferences. + + 2. **Parameter Extraction:** It retrieves the `Event UUID` provided by the user + or a previous playbook step. + + 3. **API Interaction:** The action calls the Symantec ICDX Manager to perform + a POST request to the search endpoint (`/r3_epmp_i/dx/archives/search`) with a + request type ID of `0` (specific to 'get event' requests). + + 4. **Data Processing:** If an event is found, the action flattens the dictionary + data for display. + + 5. **Output Generation:** The action populates the JSON result and creates a data + table named after the UUID. If no event is found, it terminates with a 'Not found' + message. capabilities: can_create_case_comments: false can_create_insight: false @@ -58,14 +74,40 @@ Get Event: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Events Minutes Back: ai_description: >- ### General Description - This action retrieves security events from Symantec ICDX based on a specific search - query and a relative time window (minutes back from the current time). It is primarily - used for log searching and event retrieval to gather historical context within - a SOAR workflow. + The **Get Events Minutes Back** action retrieves historical event data from Symantec + ICDX based on a user-defined query and a relative time window (minutes back from + the current time). This action is primarily used for log searching and event correlation + within a specific timeframe, allowing analysts to pull raw event data directly + into the Google SecOps case for further investigation. ### Parameters Description @@ -74,56 +116,63 @@ Get Events Minutes Back: | :--- | :--- | :--- | :--- | - | Query | String | Yes | The search query string to be executed against the Symantec - ICDX archives. | + | **Query** | string | Yes | The search query string used to filter events in + Symantec ICDX (e.g., filtering by specific IP, user, or event type). | - | Limit | Integer | No | The maximum number of events to retrieve. Defaults to - 10 if not specified. | + | **Limit** | string | No | The maximum number of events to retrieve. Defaults + to 10 if not specified. | - | Minutes Back | Integer | No | The number of minutes to look back from the current - time for the search window. Defaults to 60 if not specified. | + | **Minutes Back** | string | No | The number of minutes to look back from the + current time to define the start of the search window. Defaults to 60 minutes. + | - | Fields | String | No | A comma-separated list of specific event fields to include - in the results. If left empty, all default fields are returned. | + | **Fields** | string | No | A comma-separated list of specific event fields to + return (e.g., 'uuid,type,device_ip'). If left empty, all default fields are returned. + | - ### Flow Description + ### Additional Notes - 1. **Authentication**: The action initializes a connection to the Symantec ICDX - API using the provided API Root and Token. + - This action does not run on specific entities; it performs a global search based + on the provided query. - 2. **Time Calculation**: It calculates the start time for the search by subtracting - the 'Minutes Back' value from the current UTC time, converted to milliseconds. + - The action handles API pagination automatically to ensure the requested limit + of events is reached if available. - 3. **Search Execution**: It sends a POST request to the ICDX search endpoint with - the query, start time, and limit. If specific fields are provided, they are included - in the request payload. + - Results are presented both as a raw JSON object and a flattened data table for + easier viewing in the SOAR interface. - 4. **Pagination**: If the initial response indicates more results are available - (via a 'next' UUID), the action automatically paginates through the results to - fulfill the request. - 5. **Data Processing**: The retrieved events are flattened and formatted. + ### Flow Description - 6. **Output**: The action populates the 'JsonResult' with the raw event data and - creates a data table in the SOAR case containing the flattened event details. + 1. **Time Calculation:** The action calculates the start timestamp by subtracting + the 'Minutes Back' value from the current UTC time. + 2. **API Request Construction:** It builds a search payload containing the query, + start time, and limit. If specific fields are requested, they are added to the + payload. - ### Additional Notes + 3. **Data Retrieval:** The action executes a POST request to the Symantec ICDX + search endpoint. - This action does not run on specific entities (like IPs or Hostnames). It performs - a general search based on the 'Query' parameter. If no events are found, the action - completes successfully with a message indicating no results. + 4. **Pagination:** If the initial response indicates more results are available + (via a 'next' UUID), the action paginates through the results until the limit + is met or all events are retrieved. + + 5. **Output Generation:** The retrieved events are added to the action results + as a JSON object and converted into a flattened data table for the case wall. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: false + can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: null + internal_data_mutation_explanation: >- + The action adds a data table to the action results in Google SecOps containing + the flattened event data retrieved from Symantec ICDX. categories: enrichment: false entity_usage: @@ -141,36 +190,61 @@ Get Events Minutes Back: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: ai_description: >- ### General Description - Tests the connectivity to the Symantec ICDX (Integrated Cyber Defense Exchange) - platform to ensure that the provided credentials and API endpoint are valid and - reachable. This action is primarily used for troubleshooting and verifying the - integration setup. + The **Ping** action is a diagnostic utility designed to verify the connectivity + between Google SecOps and the Symantec ICDX (Integrated Cyber Defense Exchange) + platform. It validates the integration's configuration, including the API Root, + API Token, and SSL settings, by performing a test API call. ### Parameters Description - There are no parameters for this action. + This action does not require any input parameters. ### Flow Description - 1. **Initialization**: The action initializes the `SymantecICDXManager` using - the integration's configuration parameters, including the API Root, API Token, - and SSL verification settings. + 1. **Configuration Retrieval**: The action fetches the integration's global configuration, + including the `Api Root`, `Api Token`, and `Verify SSL` settings. - 2. **Connectivity Test**: It calls the `test_connectivity` method, which attempts - to retrieve a specific hardcoded event UUID from the ICDX archives to verify API - access. + 2. **Manager Initialization**: It initializes the `SymantecICDXManager` using + the retrieved credentials. - 3. **Validation**: The manager validates the HTTP response from the Symantec ICDX - API. + 3. **Connectivity Test**: The action executes the `test_connectivity` method, + which attempts to retrieve a specific event by a hardcoded UUID from the Symantec + ICDX search endpoint. - 4. **Completion**: If the API call is successful, the action concludes with a - "Connection Established" status. + 4. **Result Reporting**: If the API call is successful, the action concludes with + a success status and the message 'Connection Established'. If the connection fails, + an exception is raised. capabilities: can_create_case_comments: false can_create_insight: false @@ -179,7 +253,7 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false @@ -198,3 +272,28 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/google/symantec_icdx/resources/ai/connectors_ai_description.yaml b/content/response_integrations/google/symantec_icdx/resources/ai/connectors_ai_description.yaml new file mode 100644 index 000000000..b69f1e9e4 --- /dev/null +++ b/content/response_integrations/google/symantec_icdx/resources/ai/connectors_ai_description.yaml @@ -0,0 +1,78 @@ +SymantecICDX query Connector: + ai_description: >- + ### General Description + + The SymantecICDX Query Connector enables Google SecOps to ingest security events + from Symantec Integrated Cyber Defense Exchange (ICDX). By utilizing custom search + queries, the connector fetches specific event data, transforms it into a standardized + format, and creates cases for further investigation. This integration allows security + teams to centralize Symantec security telemetry and automate incident response + workflows. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | DeviceProductField | String | Yes | The field name in the source data used to + determine the device product (default: device_product). | + + | EventClassId | String | No | The field name used to determine the event name + or sub-type (default: name). | + + | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the + python process running the current script. | + + | Api Root | String | Yes | The base URL of the Symantec ICDX API instance. | + + | Api Token | Password | Yes | The API token used for Basic authentication. | + + | Verify SSL | Boolean | Yes | If set to true, the connector will verify the SSL + certificate of the API endpoint. | + + | Search Query | String | Yes | The ICDX query string used to filter and retrieve + specific events. | + + | Events Limit | Integer | Yes | The maximum number of events to pull in a single + execution cycle. | + + | Max Days Backwards | Integer | Yes | The number of days to look back for events + during the initial run. | + + | Proxy Server Address | String | No | The address of the proxy server if one + is required for the connection. | + + | Proxy Username | String | No | The username for proxy authentication. | + + | Proxy Password | Password | No | The password for proxy authentication. | + + + ### Flow Description + + 1. **Connection Establishment**: The connector initializes a session with the + Symantec ICDX API using the provided API Root and Token. + + 2. **Timestamp Calculation**: It determines the search start time by checking + the last saved timestamp. If no timestamp exists, it uses the 'Max Days Backwards' + parameter. + + 3. **Event Retrieval**: A search request is sent to the ICDX `/archives/search` + endpoint using the configured 'Search Query' and 'Events Limit'. + + 4. **Pagination Handling**: If the API response indicates more data is available + via a 'next' token, the connector automatically paginates to retrieve the full + set of results. + + 5. **Deduplication**: The connector maintains a local cache of processed event + UUIDs. It filters out any events that have already been ingested within the last + 72 hours. + + 6. **Case Mapping**: Each unique event is mapped to a Google SecOps CaseInfo object. + The 'message' field is typically used for the alert name, and the 'uuid' serves + as the unique identifier. + + 7. **Ingestion**: The connector performs an overflow check for each alert and + then ingests the valid cases into Google SecOps, updating the execution timestamp + and ID cache upon completion. diff --git a/content/response_integrations/google/symantec_icdx/resources/ai/integration_ai_description.yaml b/content/response_integrations/google/symantec_icdx/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..466738966 --- /dev/null +++ b/content/response_integrations/google/symantec_icdx/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + siem: true + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/power_ups/connectors/resources/ai/actions_ai_description.yaml b/content/response_integrations/power_ups/connectors/resources/ai/actions_ai_description.yaml deleted file mode 100644 index 0967ef424..000000000 --- a/content/response_integrations/power_ups/connectors/resources/ai/actions_ai_description.yaml +++ /dev/null @@ -1 +0,0 @@ -{} diff --git a/content/response_integrations/power_ups/connectors/resources/ai/connectors_ai_description.yaml b/content/response_integrations/power_ups/connectors/resources/ai/connectors_ai_description.yaml new file mode 100644 index 000000000..eaad22e84 --- /dev/null +++ b/content/response_integrations/power_ups/connectors/resources/ai/connectors_ai_description.yaml @@ -0,0 +1,129 @@ +Cron Scheduled Connector: + ai_description: >- + ### General Description + + The **Cron Scheduled Connector** is a utility integration designed to generate + synthetic alerts within Google SecOps based on a user-defined schedule. Unlike + traditional connectors that fetch data from external security products, this connector + creates internal alerts using a Cron expression. It is primarily used to trigger + periodic playbooks for tasks such as system health checks, automated reporting, + or recurring maintenance workflows. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Alert fields | String | Yes | A JSON-formatted string (e.g., `{"key": "value"}`) + containing custom data to be included in the alert extensions. | + + | Alert name | String | Yes | The display name for the generated alert. | + + | Alert type | String | No | The category or rule generator for the alert. Defaults + to "Scheduled Alert" if not provided. | + + | Cron Expression | String | No | A standard Cron expression (e.g., `*/5 * * * + *`) that defines the schedule for alert creation. | + + | DeviceProductField | String | Yes | The field name used to identify the device + product in the event mapping. | + + | EventClassId | String | Yes | The field name used to identify the event class + or sub-type. | + + | Product name | String | No | The product name associated with the generated + alert. | + + | PythonProcessTimeout | String | Yes | The maximum execution time (in seconds) + allowed for the connector script. | + + + ### Flow Description + + 1. **Initialization**: The connector retrieves the configuration parameters, including + the alert metadata and the Cron expression. + + 2. **Schedule Validation**: The script uses the `cronex` library to compare the + current system time against the provided Cron expression. + + 3. **Condition Check**: If the current time matches the Cron schedule (or if no + schedule is provided), the connector proceeds to alert generation. + + 4. **Data Parsing**: The `Alert fields` JSON string is parsed into a dictionary + to be used as alert extensions. + + 5. **Case Creation**: A `CaseInfo` object is instantiated with a unique UUID. + The script populates the case with the configured Alert Name, Product, Type, and + a default priority of "Medium" (60). + + 6. **Event Generation**: A single synthetic event is created containing the start + time and product details, which is then attached to the case. + + 7. **Ingestion**: The completed case is returned to Google SecOps, where it triggers + playbooks matching the alert's properties. +Scheduled Connector: + ai_description: >- + ### General Description + + This connector is designed to programmatically trigger playbooks within Google + SecOps by creating synthetic alerts. It allows users to define specific alert + metadata, such as product name, alert type, and custom fields, which are then + ingested as a new case. This is particularly useful for testing playbook logic, + simulating specific threat scenarios, or creating scheduled tasks that require + a case-based trigger. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Alert fields | String | Yes | A JSON-formatted string containing key-value pairs + (e.g., `{"key": "value"}`) to be added as extensions to the alert. | + + | Alert name | String | Yes | The name assigned to the created alert and case. + | + + | Alert type | String | No | The type of alert, which maps to the `rule_generator` + field in the case. Defaults to "Scheduled Alert" if not provided. | + + | DeviceProductField | String | Yes | The field name used to determine the device + product (metadata requirement). | + + | EventClassId | String | Yes | The field name used to determine the event name + or sub-type (metadata requirement). | + + | Product name | String | No | The product name associated with the alert, used + for playbook routing. | + + | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the + python process running the current script. | + + + ### Flow Description + + 1. **Parameter Extraction**: The connector retrieves configuration parameters, + including the alert name, product name, alert type, and custom fields from the + connector settings. + + 2. **Data Parsing**: It parses the `Alert fields` JSON string into a dictionary + to be used for case extensions. + + 3. **Identity Generation**: A unique UUID is generated to serve as the `ticket_id`, + `display_id`, and `source_grouping_identifier` for the new case. + + 4. **Case Construction**: A `CaseInfo` object is created and populated with the + provided metadata. The priority is hardcoded to 60 (Medium), and the vendor is + set to "Siemplify". + + 5. **Extension Mapping**: All key-value pairs provided in the `Alert fields` parameter + are added to the case's extensions. + + 6. **Event Creation**: A single event is generated containing the start/end time, + name, and product details, and is attached to the case. + + 7. **Ingestion**: The constructed case is returned to the Google SecOps platform, + where it triggers playbooks based on the defined product and alert criteria. diff --git a/content/response_integrations/power_ups/connectors/resources/ai/integration_ai_description.yaml b/content/response_integrations/power_ups/connectors/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..faf1e267b --- /dev/null +++ b/content/response_integrations/power_ups/connectors/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: true + network_security: false + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/power_ups/email_utilities/resources/ai/actions_ai_description.yaml b/content/response_integrations/power_ups/email_utilities/resources/ai/actions_ai_description.yaml index 45af87633..56098d1be 100644 --- a/content/response_integrations/power_ups/email_utilities/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/power_ups/email_utilities/resources/ai/actions_ai_description.yaml @@ -1,60 +1,64 @@ Analyze EML Headers: ai_description: >- - Analyzes email headers provided either as a base64-encoded EML file or a JSON-formatted - list of headers. The action performs a security-focused heuristic analysis to - identify potential spoofing, misconfigurations, or suspicious patterns. It evaluates - routing information from 'Received' headers and compares key fields such as 'Return-Path', - 'From', and 'Reply-To' to detect mismatches. Additionally, it checks for the presence - of specific headers like 'X-Distribution' and 'Bcc', and validates the 'Message-ID' - format. The results include a detailed JSON breakdown of extracted headers and - a formatted HTML summary of security recommendations and matched rules. + Analyzes email headers extracted from either a base64-encoded EML file or a JSON-formatted + list of headers. The action performs a security-focused analysis to identify potential + spoofing, misconfigurations, or suspicious routing information. - ### Parameters Description + ### General Description + + This action serves as a forensic utility for email analysis. It parses the provided + header data to extract key metadata, including the full list of headers, domains, + and IP addresses found in the 'Received' chain. It then applies a set of heuristic + rules to flag anomalies such as mismatched 'From' and 'Return-Path' addresses, + the presence of BCC headers in received mail, or missing Message-IDs. The results + are provided as both a structured JSON object and a formatted HTML table for easy + review within the SOAR interface. + + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | | Base64 EML | String | No | The base64-encoded content of an EML file. If provided, - the action will parse this file to extract headers. | + the action will decode and parse the headers from this file. | - | Header List | String | No | A JSON-formatted string representing a list of email - headers. Used if a full EML file is not available. | + | Header List | String | No | A JSON-formatted list of headers (e.g., `[["Header-Name", + "Value"], ...]`). This is used if the EML file is not available. | ### Additional Notes - - Either 'Base64 EML' or 'Header List' must be configured for the action to run; - if both are missing, the action will fail. + * **Input Requirement:** Either 'Base64 EML' or 'Header List' must be configured + for the action to execute successfully. If both are provided, 'Base64 EML' takes + precedence. - - The action handles duplicate header keys by appending a numeric suffix (e.g., - 'Received_2'). + * **Heuristic Scoring:** The action assigns scores to various anomalies (e.g., + mismatched headers) to help analysts prioritize suspicious emails. ### Flow Description - 1. **Input Retrieval**: The action checks for the 'Base64 EML' or 'Header List' - parameters. - - 2. **Header Extraction**: If an EML is provided, it is decoded and parsed using - standard email libraries. If a header list is provided, it is parsed from JSON. + 1. **Input Retrieval:** The action checks for the 'Base64 EML' parameter. If present, + it decodes the base64 string and parses the email structure to extract headers. + If absent, it attempts to parse the 'Header List' JSON. - 3. **Normalization**: Headers are organized into a dictionary, and duplicate keys - are handled to ensure all data is captured. + 2. **Header Normalization:** It iterates through the extracted headers, creating + a dictionary and handling duplicate header keys by appending an index (e.g., `Received_2`). - 4. **Routing Analysis**: The action extracts domains and IP addresses from 'Received' - headers to map the email's path. + 3. **Routing Extraction:** It uses regular expressions to extract domains and + IP addresses from all 'Received' headers to map the email's path. - 5. **Heuristic Security Checks**: The code runs several checks: - - Compares 'Return-Path' against 'From' and 'X-Original-Sender'. - - Compares 'Reply-To' against 'From'. - - Validates 'X-Authenticated-User' against the 'From' address. - - Checks for suspicious headers (e.g., 'X-Distribution', 'X-UIDL', 'Bcc'). - - Inspects 'Message-ID' for anomalies. - 6. **Result Generation**: Scores are calculated based on matched rules, and the - findings are outputted as both raw JSON and a formatted HTML table. + 4. **Security Analysis:** The action runs a series of checks: + * Compares 'Return-Path' against 'From' and 'X-Original-Sender'. + * Compares 'Reply-To' against 'From'. + * Checks for suspicious headers like 'X-Distribution', 'Bcc', or 'X-UIDL'. + * Validates the 'Message-ID' for common anomalies. + * Checks 'X-Authenticated-User' against the 'From' address. + 5. **Output Generation:** It compiles the analysis into a JSON result and generates + an HTML table containing the security recommendations and the full header list. capabilities: can_create_case_comments: false can_create_insight: false @@ -82,54 +86,86 @@ Analyze EML Headers: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Analyze Headers: ai_description: >- - Analyzes email headers provided in JSON format to perform a comprehensive security - audit of an email's origin and routing path. The action validates authentication - records (SPF, DMARC, DKIM, ARC), traces the relay hops, and enriches the data - with threat intelligence. + Analyze Headers is a comprehensive email forensics action that evaluates the authenticity + and routing path of an email based on its headers. It performs deep validation + of security protocols and enriches relay information with external threat intelligence. - ### Parameters + ### General Description + + This action takes a JSON object representing email headers and performs a multi-stage + analysis. It validates core email authentication mechanisms (SPF, DMARC, DKIM, + and ARC) to detect spoofing or tampering. Additionally, it parses the 'Received' + headers to reconstruct the email's journey across mail servers (hops). Each identified + relay server is checked against multiple Real-time Blocklists (RBLs) and enriched + with geographic location and Whois (RDAP) data to identify suspicious origins + or infrastructure. + + + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Headers JSON | String | Yes | A JSON object containing the email headers to - be analyzed. This is typically extracted from an email parsing action. | + | Headers JSON | String | Yes | A JSON-formatted string containing the email headers + to be analyzed. This is typically the output of a previous email parsing step. + | - ### Flow Description + ### Additional Notes + + - This action does not operate on SecOps entities directly; it processes the data + provided in the `Headers JSON` parameter. - 1. **Input Extraction:** Retrieves the `Headers JSON` parameter and parses it - into a Python dictionary. + - The action requires outbound connectivity to perform DNS lookups, RBL checks, + and access geo-location/Whois APIs. - 2. **Metadata Extraction:** Identifies core email attributes such as the sender, - recipient, subject, and message ID. - 3. **Domain Security Validation:** Performs DNS queries to check the sender domain's - SPF, DMARC, MX, and DNSSec records using the `checkdmarc` library. + ### Flow Description - 4. **Signature Verification:** Validates DKIM and ARC (Authenticated Receive Chain) - signatures to ensure the email has not been tampered with during transit. + 1. **Input Parsing:** Extracts the email headers from the provided JSON parameter. - 5. **Relay Path Analysis (Hops):** Iterates through the 'Received' headers in - reverse order to reconstruct the email's journey. + 2. **Authentication Validation:** Uses DNS queries to verify SPF, DMARC, and MX + records for the sender's domain. It also cryptographically verifies DKIM and ARC + signatures. - 6. **Threat Intelligence Enrichment:** For each relay server identified in the - hops: - * Checks the IP or domain against multiple Real-time Block Lists (RBLs) - using `pydnsbl` to identify known malicious senders. - * Performs RDAP/WHOIS lookups via `IPWhois` to determine ownership information. - * Retrieves geographic location data (City, Country, Coordinates) using - the `DbIpCity` service. - 7. **Timing Analysis:** Calculates the delay (in seconds) between each relay hop - to identify potential anomalies in delivery time. + 3. **Hop Analysis:** Parses the 'Received' headers to identify every mail server + involved in the delivery chain. - 8. **Result Aggregation:** Consolidates all authentication results, blacklist - statuses, and enrichment data into a structured JSON object for use in subsequent - playbook steps. + 4. **Enrichment:** For each identified IP or hostname in the relay path: + - Queries RBLs to check for blacklisting. + - Performs Whois/RDAP lookups to identify the owner/ASN. + - Retrieves geographic coordinates and city/country information. + 5. **Result Aggregation:** Compiles all authentication results, hop details, and + enrichment data into a single structured JSON object returned to the platform. capabilities: can_create_case_comments: false can_create_insight: false @@ -141,7 +177,7 @@ Analyze Headers: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: entity_types: [] filters_by_additional_properties: false @@ -157,74 +193,89 @@ Analyze Headers: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Parse Base64 Email: ai_description: >- - ### General Description - - Parses EML and MSG email files provided as a Base64 encoded string. This action - is a comprehensive utility designed to extract structured data from email blobs, - including headers, body content, and attachments. It automatically identifies - and extracts Indicators of Compromise (IOCs) such as URLs, domains, IP addresses, - and email addresses from the email's headers and body. The action supports recursive - parsing, meaning it will also parse emails that are attached within the primary - email file. - - - ### Parameters Description - + Parses EML and MSG email files provided as Base64 strings to extract comprehensive + metadata, content, and indicators. This action is designed to assist in phishing + analysis by breaking down complex email structures into machine-readable formats + for use in playbooks. - | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + ### Flow Description: - | EML/MSG Base64 String | Content | Yes | The Base64 encoded string representing - the EML or MSG file to be parsed. | + 1. **Input Decoding:** Decodes the provided Base64 string into raw bytes. - | Stop Transport At Header | String | No | A specific header field name. If provided, - the action will stop processing transport/hop headers once this field is encountered. - | + 2. **Format Identification:** Determines if the file is an OLE-based MSG file + or a standard EML file. - | Blacklisted Headers | String | No | A comma-separated list of header names to - be excluded from the final output. | + 3. **Header Parsing:** Extracts email headers (To, From, Subject, etc.) and processes + the 'Received' transport chain, respecting the 'Stop Transport' and 'Blacklist' + configurations. - | Use Blacklist As Whitelist | Boolean | No | If set to `true`, the headers provided - in the 'Blacklisted Headers' parameter will be treated as an allowlist (only those - headers will be included). Default is `false`. | + 4. **Body Extraction:** Retrieves plain text and HTML bodies, then performs extraction + to identify URLs, Domains, IP addresses, and Email addresses using regex and URI + extraction tools. + 5. **Attachment Processing:** Identifies and hashes attachments. If attachments + are themselves emails (nested), it recursively parses them to extract their internal + content. - ### Additional Notes + 6. **Output Generation:** Consolidates all extracted data into a structured JSON + object, including 'observed' indicators and 'received' routing information. - - This action is a local processing utility; it does not make external API calls - to threat intelligence services. - - It handles both standard EML formats and Microsoft Outlook MSG (OLE) formats. + ### Parameters Description: - - The action returns a detailed JSON object containing the parsed structure, which - is ideal for automated analysis in playbooks. + | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Flow Description + | EML/MSG Base64 String | Content | Yes | The Base64 encoded content of the email + file (EML or MSG) to be parsed. | - 1. **Decode Input:** Decodes the provided Base64 string into raw binary data. + | Stop Transport At Header | String | No | A specific header name (e.g., 'Received') + where the transport chain parsing should stop. | - 2. **Format Detection:** Identifies whether the binary data represents an OLE-based - MSG file or a standard EML file. + | Blacklisted Headers | String | No | A comma-separated list of headers to be + excluded from the response. | - 3. **Header Extraction:** Parses email headers (To, From, Subject, Date, etc.), - applying any blacklist or whitelist filters provided in the parameters. + | Use Blacklist As Whitelist | Boolean | No | If set to 'true', the 'Blacklisted + Headers' parameter acts as an allowlist, and only those headers will be returned. + | - 4. **Body Parsing:** Extracts the email body in both plain text and HTML formats. - If HTML is present, it is rendered to plain text for IOC extraction. - 5. **IOC Extraction:** Scans the headers and body content for IP addresses, URLs, - domains, and email addresses using specialized regex and extraction libraries. + ### Additional Notes: - 6. **Attachment Processing:** Iterates through all attachments, extracting metadata - (filename, size, hashes). If an attachment is another email (EML/MSG), it is parsed - recursively. + - This action is a local utility and does not perform external reputation checks + (e.g., VirusTotal) on the extracted indicators. - 7. **Result Generation:** Aggregates all extracted data into a single structured - JSON object and attaches it to the action's output. + - It handles recursive parsing of attached emails, providing a deep view of the + email's structure. capabilities: can_create_case_comments: false can_create_insight: false @@ -252,79 +303,89 @@ Parse Base64 Email: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Parse Case Wall Email: ai_description: >- Parses EML or MSG email files attached to the Google SecOps case wall to extract - headers, body content, and nested attachments. This action automates the decomposition - of email files into structured data, facilitating the identification of indicators - and the creation of related entities within the case context. + headers, body content, and nested attachments. This action automates the ingestion + of email evidence by identifying the original email file, decoding its structure, + and optionally creating SOAR entities for further investigation. - ### Parameters Description - - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Create Entities | Boolean | No | When enabled (default: true), the action creates - User entities for the 'To' and 'From' headers and an Email Subject entity for - the 'Subject' field. | - - | Exclude Entities Regex | String | No | A regular expression used to prevent - the creation of specific entities that match the pattern. | + ### Flow Description - | Original EML Only | Boolean | No | If enabled (default: true), the action will - only extract attachments from the original EML file. | + 1. **Attachment Retrieval:** Searches the case or alert wall for supported email + files (.eml or .msg), prioritizing the original email attachment. - | Create Observed Entities | DDL | No | Determines which indicator types (URLs, - Emails, IPs, Hashes) to extract from the email body. Options include 'All', specific - types, or 'None'. | + 2. **Email Parsing:** Decodes the email file to extract metadata (To, From, Subject, + Date), body text (Plain Text and HTML), and any embedded attachments. - | Save Attachments to Case Wall | Boolean | No | When enabled (default: true), - any attachments found within the parsed email are extracted and saved back to - the case wall. | + 3. **Entity Creation:** Based on configuration, creates entities for the sender, + recipients, and subject line. It also performs recursive parsing of nested emails. - | Fang Entities | Boolean | No | If enabled (default: true), defanged indicators - (e.g., `example[.]com`) are converted back to their fanged versions (e.g., `example.com`) - during extraction. | + 4. **IOC Extraction:** Scans the email body and headers for observed indicators + (URLs, IPs, Hashes, Emails) and creates corresponding entities in the case. - | Custom Entity Regexes | Code | No | A JSON object containing custom regular - expressions to parse specific entity types from the email body and subject. | + 5. **Attachment Processing:** Extracts files from the email and saves them back + to the case wall, while creating FILENAME and FILEHASH entities linked to the + email subject. + 6. **Data Enrichment:** Updates created entities with additional properties such + as file hashes, attachment IDs, and source file references. - ### Additional Notes - - This action does not require specific input entities to run; it operates on - the attachments associated with the current case or alert. + ### Parameters Description - - Extracted attachments are linked to their corresponding `FILENAME` entities - in the case by updating the entity's `attachment_id` property. + | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Flow Description + | Create Entities | Boolean | No | If true, creates User entities for 'To'/'From' + headers and an Email Subject entity. | - 1. **Attachment Identification:** The action scans the case wall and alert wall - for supported email file formats (.eml, .msg). + | Exclude Entities Regex | String | No | A regular expression used to skip the + creation of specific entities that match the pattern. | - 2. **Email Parsing:** It utilizes the `EmailManager` to parse the identified file, - extracting metadata (Subject, From, To, Date), body content (Text/HTML), and nested - attachments. + | Original EML Only | Boolean | No | If true, the action will only extract attachments + from the top-level EML file, ignoring nested ones. | - 3. **Indicator Extraction:** The action identifies URLs, IPs, Emails, and Hashes - within the email body and headers based on the `Create Observed Entities` and - `Custom Entity Regexes` settings. + | Create Observed Entities | DDL | No | Specifies which types of indicators (URLs, + Emails, IPs, Hashes) found in the body should be converted into entities. | - 4. **Entity Creation:** If configured, it creates new entities in the SOAR case - for the email participants, subject, and discovered indicators, establishing directional - relationships between them. + | Save Attachments to Case Wall | Boolean | No | If true, saves all files extracted + from the email back to the SOAR case wall as new attachments. | - 5. **Attachment Processing:** If `Save Attachments to Case Wall` is true, nested - files are uploaded to the case. The action also updates existing `FILENAME` entities - in the alert with the new attachment IDs. + | Fang Entities | Boolean | No | If true, automatically 'fangs' defanged indicators + (e.g., converting `example[.]com` to `example.com`) and decodes URL protection + services like Proofpoint or Safelinks. | - 6. **Result Output:** The complete parsed email structure is returned as a JSON - object for use in downstream playbook tasks. + | Custom Entity Regexes | Code | No | A JSON object containing custom regular + expressions to identify and extract specific entity types from the email body + and subject. | capabilities: can_create_case_comments: false can_create_insight: false @@ -333,11 +394,12 @@ Parse Case Wall Email: can_mutate_internal_data: true can_update_entities: true external_data_mutation_explanation: null - fetches_data: false + fetches_data: true internal_data_mutation_explanation: >- - Creates new entities (User, Email Subject, IP, URL, etc.) based on email content, - adds extracted email attachments to the case wall, and updates existing entity - attributes with attachment metadata. + The action saves extracted email attachments back to the Google SecOps case + wall, creates new entities (Users, Email Subjects, URLs, IPs, etc.) within the + case, and updates entity attributes with metadata such as file hashes and attachment + IDs. categories: enrichment: false entity_usage: @@ -355,62 +417,73 @@ Parse Case Wall Email: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Parse EML Base64 Blob: ai_description: >- - ### General Description + Decodes a base64-encoded string and parses it as an EML (Email) file to extract + structured metadata and content. This action is primarily used to analyze email + files that are passed as raw data, such as those retrieved from attachments or + external databases. It extracts standard headers, body content, and recursively + processes nested EML attachments. - The **Parse EML Base64 Blob** action is a utility designed to decode a base64-encoded - string and parse its contents as an EML (Email) file. This action is used to extract - structured information from raw email data, including headers, metadata, and body - content. It is particularly useful in workflows where email files are passed as - encoded strings, allowing for automated analysis of sender information, recipient - lists, and message bodies without requiring external services. + ### Parameters - ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Base64 EML Blob** | String | Yes | The base64-encoded string of the EML file - to be parsed. | - - - ### Additional Notes - - - This action performs local parsing and does not interact with external APIs - or Google SecOps entities. - - - It supports recursive parsing of nested EML attachments found within the primary - blob. - - - The output is provided as a JSON result containing detailed metadata and content - for each parsed email object. + | Base64 EML Blob | String | Yes | The base64 encoded string representing the + content of the EML file to be parsed. | ### Flow Description - 1. **Input Retrieval:** The action retrieves the base64-encoded EML blob from - the input parameters. - 2. **Decoding:** The blob is decoded from base64 into a UTF-8 string. + 1. **Input Retrieval**: The action retrieves the base64-encoded string from the + `Base64 EML Blob` parameter. - 3. **EML Parsing:** The decoded string is parsed into an email message object - using standard libraries. + 2. **Decoding**: It decodes the base64 string into a raw UTF-8 string representing + the EML file content. - 4. **Metadata Extraction:** The action extracts key headers such as 'From', 'To', - 'CC', 'BCC', 'Subject', and 'Date'. + 3. **Metadata Extraction**: The action parses the EML headers to extract the sender, + primary recipients (To), carbon copy recipients (CC), blind carbon copy recipients + (BCC), subject, and the date of the email. - 5. **Content Extraction:** It retrieves the plain text and HTML bodies of the - email, along with a count of the email parts. + 4. **Content Extraction**: It extracts the plain text and HTML versions of the + email body. - 6. **Recursive Attachment Processing:** The action iterates through the email - payload to find nested multipart sections that represent attached EML files. If - found, these are also decoded and parsed. + 5. **Nested EML Parsing**: The action iterates through the email's multipart components. + If it identifies a nested EML file (often found as an attachment), it recursively + extracts the metadata and content for that nested message. - 7. **Result Output:** The extracted data for the main email and any nested emails - is returned as a structured JSON array. + 6. **Result Generation**: All extracted data is compiled into a structured JSON + object and returned as the action's result. capabilities: can_create_case_comments: false can_create_insight: false @@ -438,13 +511,39 @@ Parse EML Base64 Blob: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: ai_description: >- ### General Description - Verifies the connectivity between Google SecOps and the Email Utilities integration. - This action serves as a basic health check to ensure that the integration is correctly - configured and reachable within the environment. + Checks connectivity to the Email Utilities integration. This action is used to + verify that the integration is correctly configured and can communicate with the + Google SecOps environment. It serves as a health check to ensure the integration's + environment and dependencies are properly loaded. ### Parameters Description @@ -452,21 +551,15 @@ Ping: There are no parameters for this action. - ### Additional Notes - - This is a standard 'Ping' action used for troubleshooting and configuration validation. - It does not perform any data processing, external API calls, or entity enrichment. - - ### Flow Description - 1. **Initialization**: The action initializes the Siemplify SDK environment. + 1. **Initialization**: The action initializes the Siemplify action module. - 2. **Connectivity Check**: The script executes a simple completion command to - confirm the execution environment is functional. + 2. **Connectivity Verification**: The action performs a basic internal check to + confirm the script can execute within the SOAR environment. - 3. **Completion**: Returns a success message 'Siemplify is connected' to the SOAR - interface. + 3. **Completion**: The action terminates with a success message 'Siemplify is + connected' and a boolean status of True. capabilities: can_create_case_comments: false can_create_insight: false @@ -494,3 +587,28 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/power_ups/email_utilities/resources/ai/integration_ai_description.yaml b/content/response_integrations/power_ups/email_utilities/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..29179c290 --- /dev/null +++ b/content/response_integrations/power_ups/email_utilities/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: true + iam_and_identity_management: false + itsm: false + network_security: false + siem: false + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/power_ups/enrichment/resources/ai/actions_ai_description.yaml b/content/response_integrations/power_ups/enrichment/resources/ai/actions_ai_description.yaml index 50ae811f7..076a43e1f 100644 --- a/content/response_integrations/power_ups/enrichment/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/power_ups/enrichment/resources/ai/actions_ai_description.yaml @@ -1,67 +1,63 @@ Enrich Entities from List with Field: ai_description: >- - ### General Description + Enriches a specific list of entities within a Google SecOps case by adding a user-defined + field and value to their additional properties. This action is useful for bulk-tagging + or manually adding context to entities that match a specific type and identifier. - The **Enrich Entities from List with Field** action is designed to bulk-update - entities within a Google SecOps case by adding a custom field and value to their - metadata. This action is particularly useful for tagging or labeling a specific - subset of entities (e.g., marking a list of IP addresses as 'Known Malicious' - or 'Executive Owned') based on a provided list of identifiers. + ### Parameters Description - ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **List of Entities** | String | Yes | A delimited string containing the identifiers - of the entities to be enriched (e.g., '192.168.1.1, 192.168.1.2'). | + | List of Entities | string | Yes | A delimited list of entity identifiers (e.g., + IP addresses, hostnames) to be enriched. | - | **Entity Type** | String | Yes | The specific type of entities to target (e.g., - ADDRESS, HOSTNAME, USERUNIQNAME). Only entities matching this type will be processed. - | + | Entity Type | string | Yes | The specific type of entity to target (e.g., ADDRESS, + USERUNIQNAME, HOSTNAME). | - | **Entity Delimiter** | String | Yes | The character used to separate the identifiers - in the 'List of Entities' parameter (e.g., a comma, semicolon, or pipe). | + | Entity Delimiter | string | Yes | The character used to separate the identifiers + in the 'List of Entities' parameter (e.g., a comma or semicolon). | - | **Enrichment Field** | String | Yes | The name of the property/key to be added - to the entity's 'additional_properties'. | + | Enrichment Field | string | Yes | The name of the custom field to be added to + the entity's 'additional_properties'. | - | **Enrichment Value** | String | Yes | The value to be assigned to the specified + | Enrichment Value | string | Yes | The value to be assigned to the specified 'Enrichment Field'. | - ### Flow Description + ### Additional Notes - 1. **Initialization:** The action retrieves the input parameters, including the - list of entities, the target entity type, the delimiter, and the enrichment key-value - pair. + - This action does not call external APIs; it only processes data provided in + the parameters and applies it to entities already present in the SecOps case. - 2. **Parsing:** The 'List of Entities' string is split into individual identifiers - using the provided delimiter, and whitespace is trimmed from each entry. + - Matching is case-insensitive for entity identifiers. - 3. **Entity Retrieval:** The action fetches all entities associated with the alerts - in the current Google SecOps case. - 4. **Matching Logic:** It iterates through the parsed list of identifiers and - attempts to find matching entities in the case. A match is confirmed if the entity's - identifier (case-insensitive) and entity type both align with the input parameters. + ### Flow Description - 5. **Data Mutation:** For every matched entity, the action updates its `additional_properties` - dictionary by inserting the 'Enrichment Field' as the key and the 'Enrichment - Value' as the value. + 1. **Parameter Parsing**: The action retrieves the list of entities, the target + entity type, the delimiter, and the key-value pair for enrichment from the input + parameters. - 6. **Commitment:** The action calls the SDK's `update_entities` method to save - the changes back to the Google SecOps platform and returns the count of successfully - enriched entities. + 2. **List Processing**: It splits the 'List of Entities' string into individual + identifiers using the provided delimiter and strips whitespace. + 3. **Entity Retrieval**: It fetches all entities associated with the alerts in + the current case. - ### Additional Notes + 4. **Matching Logic**: It iterates through the target identifiers and searches + for matching entities in the case that share both the same identifier (case-insensitive) + and the specified entity type. - This action performs internal data manipulation only and does not interact with - any external APIs or services. It is strictly used for organizing and enriching - data already present within the SOAR environment. + 5. **Internal Mutation**: For every matched entity, it adds or updates the specified + 'Enrichment Field' in the entity's `additional_properties` dictionary with the + 'Enrichment Value'. + + 6. **Update**: The action commits the changes to the entities within the Google + SecOps platform and returns the count of successfully enriched entities. capabilities: can_create_case_comments: false can_create_insight: false @@ -73,7 +69,7 @@ Enrich Entities from List with Field: fetches_data: false internal_data_mutation_explanation: >- Updates the 'additional_properties' attribute of matched entities within the - Google SecOps case with a user-specified field and value. + Google SecOps case with a user-defined field and value. categories: enrichment: false entity_usage: @@ -126,54 +122,87 @@ Enrich Entities from List with Field: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Enrich Entity From Event Field: ai_description: >- - ### General Description - - This action extracts specific data fields from the first security event of an - alert and maps them to the entities within that alert. It is designed to enrich - entity profiles with contextual information already present in the event logs, - such as custom metadata or specific identifiers that were not automatically mapped - during ingestion. + Enriches target entities by extracting specific field values from the alert's + first security event and mapping them to the entities' additional properties. + This utility action allows for the dynamic propagation of event-level metadata + (such as custom logs or specific telemetry fields) directly onto the entity objects + within the SOAR platform, making that data available for subsequent playbook steps + or analyst review. ### Parameters Description + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Fields to enrich | String | Yes | A comma-separated list of field names (e.g., - 'src_port, device_id') to extract from the event's additional properties and add - to the entities. | + | Fields to enrich | string | True | A comma-separated list of field names found + within the security event's additional properties. These values will be copied + to the target entities. | - ### Additional Notes + ### Flow Description - - The action performs a case-insensitive search for the specified fields within - the event's `additional_properties`. - - Only the first security event (`security_events[0]`) associated with the alert - is used as the data source. + 1. **Parameter Parsing:** The action parses the comma-separated string provided + in the 'Fields to enrich' parameter into a list of field names. + 2. **Event Retrieval:** It accesses the first security event (`security_events[0]`) + associated with the current alert. - ### Flow Description + 3. **Data Normalization:** It creates a case-insensitive map of the event's additional + properties to ensure field matching is robust. + + 4. **Entity Iteration:** The action iterates through all entities currently in + the playbook scope (target entities). + + 5. **Field Mapping:** For each entity, it checks if the requested fields exist + in the event data. If a match is found, the entity's 'additional_properties' attribute + is updated with the value from the event. + + 6. **Internal Update:** The action commits the changes to the entities within + Google SecOps using the `update_entities` method. + + 7. **Result Reporting:** It returns a JSON summary of the enriched fields for + each affected entity. - 1. **Initialization**: Retrieves the comma-separated list of field names from - the action parameters. - 2. **Data Retrieval**: Accesses the first security event of the current alert - and converts its additional properties into a case-insensitive dictionary. + ### Additional Notes - 3. **Entity Processing**: Iterates through all target entities in the current - scope. - 4. **Field Mapping**: For each entity, it checks if the requested fields exist - in the event data. If found, the field and its value are added to the entity's - `additional_properties`. + * This action only processes the **first** security event attached to an alert. + If an alert contains multiple events with different data, only the first one is + considered. - 5. **Update**: Updates all modified entities in Google SecOps and outputs the - enriched data as a JSON result. + * The field matching is case-insensitive. capabilities: can_create_case_comments: false can_create_insight: false @@ -184,8 +213,8 @@ Enrich Entity From Event Field: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates the 'additional_properties' of entities within the Google SecOps case - using data extracted from the alert's security events. + Updates the 'additional_properties' attribute of target entities with data retrieved + from the alert's security event. categories: enrichment: true entity_usage: @@ -238,15 +267,41 @@ Enrich Entity From Event Field: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Enrich Entity From JSON: ai_description: >- ### General Description - The **Enrich Entity From JSON** action is a utility designed to update entity - attributes within Google SecOps using data provided in a JSON format. It allows - users to map external data (passed as a parameter) to existing entities by matching - identifiers. This is particularly useful for manual enrichment or when data is - retrieved in a previous step of a playbook and needs to be associated with entities. + Enriches entities within a Google SecOps case by mapping data from a provided + JSON string to existing entities. This utility action allows for the enrichment + of entities using static data or data generated in previous playbook steps without + requiring external API calls. It matches entities based on a configurable identifier + path within the JSON, flattens the associated data, and updates the entity's additional + properties (attributes). ### Parameters Description @@ -255,58 +310,59 @@ Enrich Entity From JSON: | :--- | :--- | :--- | :--- | - | **Enrichment JSON** | String | Yes | A JSON-formatted list of objects containing + | Enrichment JSON | String | Yes | A JSON-formatted list of objects containing the enrichment data. | - | **Identifier KeyPath** | String | Yes | The path within the JSON objects to - the field that matches the entity's identifier (e.g., `EntityResult.id`). Supports - multiple paths separated by newlines. | + | Identifier KeyPath | String | Yes | The dot-separated (or custom separator) + path to the field in the JSON that matches the entity's identifier. | - | **Separator** | String | Yes | The character used to separate keys in the `Identifier - KeyPath` (default is `.`). | + | Separator | String | Yes | The character used to delimit keys in the Identifier + KeyPath (default is '.'). | - | **PrefixForEnrichment** | String | No | An optional prefix to prepend to the - keys of the added enrichment data. | + | PrefixForEnrichment | String | No | An optional string to prefix to the keys + of the enriched data fields. | - | **Enrichment JSONPath** | String | No | An optional JSONPath expression to extract - specific subsets of data from the matching JSON object. | + | Enrichment JSONPath | String | No | An optional JSONPath expression to extract + a specific portion of the JSON object for enrichment. | - ### Additional Notes + ### Flow Description - - The action flattens nested JSON structures into a flat key-value format before - adding them to the entity's `additional_properties`. + 1. **Initialization**: The action retrieves the JSON data and configuration parameters + from the input. - - If multiple key paths are provided in `Identifier KeyPath`, the action will - check them sequentially. + 2. **Parsing**: The `Enrichment JSON` string is parsed into a Python list of dictionaries. - - This action does not perform external API calls; it processes data already present - in the playbook context. + 3. **Entity Iteration**: The action iterates through all entities currently targeted + in the playbook scope. + 4. **Matching**: For each entity, it searches the provided JSON list for an entry + where the value at the specified `Identifier KeyPath` matches the entity's identifier. - ### Flow Description + 5. **Data Extraction**: If a match is found, it extracts the relevant data. If + `Enrichment JSONPath` is provided, it filters the object using that expression; + otherwise, it uses the entire JSON object. - 1. **Data Parsing**: The action parses the `Enrichment JSON` input into a list - of dictionaries. + 6. **Transformation**: The extracted data is flattened into a single-level dictionary + to ensure compatibility with entity fields. - 2. **Entity Iteration**: It iterates through all target entities in the current - context. + 7. **Prefixing**: If a `PrefixForEnrichment` is provided, it is prepended to all + keys in the flattened dictionary. - 3. **Identifier Matching**: For each entity, it searches the JSON list for a record - where the value at `Identifier KeyPath` matches the entity's identifier. + 8. **Enrichment**: The entity's `additional_properties` are updated with the processed + data. - 4. **Data Extraction**: - - If `Enrichment JSONPath` is provided, it extracts the specific data matching - the path. - - Otherwise, it uses the entire matching JSON object. - 5. **Flattening and Prefixing**: The extracted data is flattened into a single-level - dictionary. If a `PrefixForEnrichment` is defined, it is applied to all keys. + 9. **Completion**: The action updates the entities in the Google SecOps platform + and returns the total count of successfully enriched entities. - 6. **Entity Update**: The entity's `additional_properties` are updated with the - processed data. - 7. **Finalization**: The action updates the entities in the system and returns - the count of successfully enriched entities. + ### Additional Notes + + - This action does not perform external network requests; it processes data provided + strictly as an input parameter. + + - The `Identifier KeyPath` supports nested keys using the defined separator (e.g., + 'user.details.id'). capabilities: can_create_case_comments: false can_create_insight: false @@ -317,8 +373,8 @@ Enrich Entity From JSON: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Updates the 'additional_properties' field of entities within the Google SecOps - case based on the provided JSON data. + Updates the 'additional_properties' (enrichment attributes) of entities within + the Google SecOps case based on the provided JSON data. categories: enrichment: false entity_usage: @@ -371,52 +427,77 @@ Enrich Entity From JSON: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Enrich Entity With Field: ai_description: >- ### General Description - This action allows users to manually enrich entities within a Google SecOps case - by adding custom key-value pairs to their 'additional_properties' attribute. It - is primarily used to inject static data or context into entities that may not - be available through automated enrichment sources. + This action allows users to enrich entities within a Google SecOps case by adding + custom key-value pairs to their additional properties. It is a utility action + used to attach static or calculated metadata to entities for better context or + for use in downstream playbook logic. ### Parameters Description - | Parameter Name | Type | Mandatory | Description | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Fields to enrich | string | Yes | A JSON-formatted string representing a list - of objects. Each object must contain `entity_field_name` (the key) and `entity_field_value` - (the value) to be added to the entities. Example: `[{"entity_field_name": "Department", - "entity_field_value": "Finance"}]`. | + | Fields to enrich | String (JSON) | Yes | A JSON-formatted list of objects, where + each object contains `entity_field_name` and `entity_field_value`. These pairs + will be added to the entity's additional properties. | - ### Additional Notes + ### Flow Description - - This action does not interact with any external APIs; it only processes the - data provided in the input parameters. + 1. **Parse Input:** The action retrieves the `Fields to enrich` parameter and + parses the JSON string into a list of field definitions. - - The action updates all entities currently in the scope of the action execution. + 2. **Iterate Entities:** It loops through all entities currently in the action's + scope (`target_entities`). + 3. **Apply Properties:** For each entity, it iterates through the provided field + list and assigns the values to the entity's `additional_properties` dictionary. - ### Flow Description + 4. **Update Platform:** The action calls the `update_entities` method to save + the changes back to the Google SecOps platform. - 1. **Parse Input:** The action retrieves the `Fields to enrich` parameter and - parses the JSON string into a Python list of dictionaries. + 5. **Output Results:** It attaches the enrichment data as a JSON result for each + processed entity and concludes the execution. - 2. **Iterate Entities:** It iterates through all `target_entities` provided in - the current context. - 3. **Apply Enrichment:** For each entity, it loops through the list of key-value - pairs and adds them to the entity's `additional_properties` dictionary. + ### Additional Notes - 4. **Update Internal State:** The action calls the SDK's `update_entities` method - to persist the changes within Google SecOps. + - The input must be a valid JSON array of objects. For example: `[{"entity_field_name": + "Department", "entity_field_value": "Finance"}]`. - 5. **Report Results:** It adds a JSON result for each updated entity and concludes - the execution with a summary message indicating the number of enriched entities. + - This action does not communicate with external APIs; it processes data provided + directly in the parameters. capabilities: can_create_case_comments: false can_create_insight: false @@ -427,8 +508,8 @@ Enrich Entity With Field: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - The action updates the 'additional_properties' attribute of entities within - the Google SecOps case based on the provided input parameters. + The action modifies the 'additional_properties' attribute of entities within + the Google SecOps case to include the provided key-value pairs. categories: enrichment: false entity_usage: @@ -481,60 +562,80 @@ Enrich Entity With Field: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Enrich Entity from Explorer Attributes: ai_description: >- - ### General Description - - Enriches entities within a case by retrieving historical attribute data from the - Google SecOps Entity Explorer. This action allows analysts to automatically populate - entity properties with previously discovered information, ensuring consistency - and providing immediate context without manual lookups. + Enriches entities with historical data retrieved from the Google SecOps Entity + Explorer. This action allows users to synchronize previously discovered entity + attributes into the current case context, ensuring that existing knowledge about + an entity is readily available for analysis. - ### Parameters + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Parameter Extraction:** The action identifies which fields to process based + on the `Field Name` and `Use Field Name as Whitelist` parameters. - | :--- | :--- | :--- | :--- | + 2. **Data Retrieval:** For each target entity, the action calls the internal SOAR + API to fetch historical records from the Entity Explorer. - | Field Name | string | No | A comma-separated list of specific field names to - retrieve from the Entity Explorer. If left empty, all available fields (except - system fields) will be processed. | + 3. **Field Filtering:** The retrieved data is filtered to exclude system-protected + fields (like 'Environment' or 'IsInternalAsset') and to match the user-defined + whitelist or denylist. - | Use Field Name as Whitelist | boolean | No | Determines how the 'Field Name' - parameter is applied. If 'true' (default), only the specified fields are added - to the entity. If 'false', the specified fields are excluded (denylist), and all - other available fields are added. | + 4. **Entity Update:** The action maps the retrieved values to the entity's attributes + or `additional_properties` dictionary. + 5. **Persistence:** The updated entity objects are committed back to the Google + SecOps platform, and a summary of the changes is provided in the action results. - ### Additional Notes - - The action automatically filters out internal system fields (e.g., 'IsSuspicious', - 'Environment', 'Type') to prevent accidental overwriting of core platform data. + ### Parameters Description - - If a field already exists as a standard attribute on the entity object, it is - updated directly; otherwise, it is added to the entity's 'additional_properties' - dictionary. + | Parameter Name | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Flow Description + | Field Name | string | No | A comma-separated list of specific fields to retrieve + from the Entity Explorer. If left empty, all available fields will be processed. + | - 1. **Initialization**: The action retrieves the configuration parameters, specifically - the list of fields and the allowlist/denylist toggle. + | Use Field Name as Whitelist | boolean | No | If set to `true` (default), only + the fields listed in 'Field Name' will be added to the entity. If `false`, the + list acts as a denylist, and all fields *except* those listed will be added. | - 2. **Data Retrieval**: For every entity targeted in the current scope, the action - calls the internal SecOps API to fetch historical data stored in the Entity Explorer. - 3. **Filtering**: The retrieved fields are filtered based on the 'Field Name' - and 'Use Field Name as Whitelist' logic. System-protected fields are explicitly - excluded from the update list. + ### Additional Notes - 4. **Entity Update**: The action maps the filtered data to the entity object. - It attempts to set attributes directly if they exist or appends them to the 'additional_properties' - metadata. + - This action interacts with internal Google SecOps data stores rather than external + third-party APIs. - 5. **Commit**: The updated entity objects are sent back to the Google SecOps platform - to persist the changes, and a summary of the updated properties is logged. + - System fields are automatically protected and will not be overwritten by this + action to maintain data integrity. capabilities: can_create_case_comments: false can_create_insight: false @@ -545,8 +646,8 @@ Enrich Entity from Explorer Attributes: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity attributes and additional properties within the Google SecOps - platform using historical data retrieved from the Entity Explorer. + Updates entity attributes and additional properties with historical data retrieved + from the internal Entity Explorer. categories: enrichment: true entity_usage: @@ -599,45 +700,76 @@ Enrich Entity from Explorer Attributes: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Enrich FileName Entity with Path: ai_description: >- ### General Description - This action parses file path strings from entity identifiers to extract and enrich - entities with specific file-related metadata, including the directory path, the - full filename, and the file extension. It is designed to work with both Windows - and Unix-style path conventions. + This action enriches entities by parsing their identifiers as file paths. It extracts + the directory path, the full file name, and the file extension, then attaches + this metadata back to the entity. It is designed to handle both Windows-style + (e.g., `C:\path\to\file.exe`) and Unix-style (e.g., `/path/to/file.sh`) paths + using regex and standard path manipulation libraries. ### Parameters Description - No parameters are required for this action. + There are no parameters for this action. ### Additional Notes - This action does not interact with external APIs or services. It performs local - string manipulation on the entity's identifier to derive its components. If an - identifier cannot be parsed as a valid path (e.g., it does not contain a directory - component), the entity will not be enriched. + * The action automatically detects the path format (Windows vs. Unix) based on + the presence of a drive letter (e.g., `C:\`). + + * If an entity identifier cannot be parsed as a valid path, the action will skip + that entity and log a failure message for it. + + * The extracted data is stored in the entity's `additional_properties` and also + returned as a JSON result. ### Flow Description - 1. **Iterate Entities**: The action retrieves all target entities from the current + 1. **Entity Retrieval**: The action retrieves all target entities from the current context. - 2. **Path Analysis**: For each entity, it examines the identifier to detect the - path format (Windows vs. Unix). + 2. **Path Parsing**: For each entity, the script checks if the identifier matches + a Windows path pattern. It then uses the appropriate library (`ntpath` for Windows, + `os.path` for others) to split the identifier into a directory path and a filename. - 3. **Extraction**: It utilizes path-parsing libraries to split the identifier - into `file_path`, `file_name`, and `file_extension`. + 3. **Extension Extraction**: The filename is further processed to extract the + file extension. - 4. **Internal Mutation**: If parsing is successful, it updates the entity's `additional_properties` - with the extracted values. + 4. **Internal Mutation**: If parsing is successful, the `file_name`, `file_path`, + and `file_extension` are added to the entity's `additional_properties`. - 5. **Update and Report**: It updates the entities within Google SecOps and returns - a JSON result mapping identifiers to their parsed details. + 5. **Update and Result**: The action updates the entities within Google SecOps + and attaches a JSON object containing the parsed details for all processed entities. capabilities: can_create_case_comments: false can_create_insight: false @@ -646,12 +778,12 @@ Enrich FileName Entity with Path: can_mutate_internal_data: true can_update_entities: true external_data_mutation_explanation: null - fetches_data: false + fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with parsed file path, name, and extension - metadata derived from the entity identifier. + Updates the 'additional_properties' attribute of the entities with parsed file + path, name, and extension metadata. categories: - enrichment: false + enrichment: true entity_usage: entity_types: - ADDRESS @@ -702,30 +834,80 @@ Enrich FileName Entity with Path: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Enrich Source and Destinations: - ai_description: "### General Description\nThis action enriches entities within a\ - \ Google SecOps alert by identifying their roles as network sources or destinations.\ - \ It retrieves contextual data from the Chronicle Investigator API to determine\ - \ which identifiers are associated with source and destination activities and\ - \ then updates the corresponding entities in the SOAR with specific flags.\n\n\ - ### Parameters\nThere are no user-configurable parameters for this action. It\ - \ automatically processes entities based on the context of the current alert.\n\ - \n### Additional Notes\n- This action specifically targets entities associated\ - \ with the current alert being processed.\n- It relies on the `get_investigator_data`\ - \ method to fetch the underlying security event details from Google SecOps.\n\ - - The enrichment is internal to the SOAR, adding `isSource` or `isDest` attributes\ - \ to the entity's additional properties.\n\n### Flow Description\n1. **Fetch Alert\ - \ Context**: The action calls the Chronicle Investigator API to retrieve the full\ - \ JSON representation of the current alert.\n2. **Identify Roles**: It parses\ - \ the alert data (specifically looking at `securityEventCards` or field groups)\ - \ to extract lists of identifiers categorized as 'sources' and 'destinations'.\n\ - 3. **Match Entities**: The action iterates through all entities associated with\ - \ the current alert.\n4. **Apply Enrichment**: \n - If an entity's identifier\ - \ matches a 'source' from the API data, the property `isSource: true` is added\ - \ to the entity.\n - If an entity's identifier matches a 'destination' from\ - \ the API data, the property `isDest: true` is added to the entity.\n5. **Update\ - \ SOAR**: The modified entities are updated within the Google SecOps platform\ - \ to reflect these new attributes." + ai_description: >- + ### General Description + + This action enriches entities within a Google SecOps alert by identifying and + tagging their roles as either a 'source' or a 'destination' based on the underlying + alert metadata. It retrieves detailed investigator data from the SOAR API, parses + the security event cards or field groups to extract source and destination identifiers, + and then updates the corresponding entities in the case with specific flags. + + + ### Parameters Description + + There are no user-configurable parameters for this action. It operates automatically + based on the context of the current alert. + + + ### Additional Notes + + - The action specifically looks for 'ADDRESS' (IP) and 'HOSTNAME' entities, although + the matching logic is based on the entity identifier string. + + - It uses the `get_investigator_data` utility to fetch the full alert context + from the SOAR platform. + + - Entity properties are updated with `isSource: true` or `isDest: true` which + can be used in subsequent playbook logic or for analyst visibility. + + + ### Flow Description + + 1. **Fetch Alert Data**: The action calls the SOAR API to retrieve comprehensive + investigator data for the current alert. + + 2. **Identify Roles**: It parses the retrieved alert data (checking both `securityEventCards` + and standard field groups) to compile lists of identifiers designated as sources + and destinations. + + 3. **Match Entities**: The action iterates through all entities associated with + the current alert. + + 4. **Tag Entities**: For each entity, it checks if the identifier matches any + of the discovered sources or destinations (case-insensitive). + + 5. **Update Properties**: If a match is found, the entity's `additional_properties` + are updated with the respective role flag. + + 6. **Commit Changes**: The action performs a bulk update of all modified entities + back to the Google SecOps case. capabilities: can_create_case_comments: false can_create_insight: false @@ -736,49 +918,16 @@ Enrich Source and Destinations: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with 'isSource' or 'isDest' flags based - on the alert context retrieved from the investigator API. + Updates the 'additional_properties' of entities within the case to mark them + as 'isSource' or 'isDest' based on alert metadata. categories: enrichment: true entity_usage: entity_types: - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME filters_by_additional_properties: false - filters_by_alert_identifier: true + filters_by_alert_identifier: false filters_by_case_identifier: false filters_by_creation_time: false filters_by_entity_type: false @@ -790,40 +939,71 @@ Enrich Source and Destinations: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Mark Entity as Suspicious: ai_description: >- ### General Description - Marks all entities within the current scope as suspicious. This is an internal - utility action used to flag entities for further investigation or to trigger specific - playbooks based on the suspicious status within Google SecOps. + This action marks all entities within the current scope as suspicious in Google + SecOps. It is a utility action designed to flag entities for further investigation + or to influence the logic of subsequent playbook steps based on the entity's suspicious + status. ### Parameters Description - There are no parameters for this action. + | Parameter | Description | Type | Mandatory | + + | :--- | :--- | :--- | :--- | + + | N/A | This action does not require any input parameters. | N/A | N/A | ### Additional Notes - This action does not interact with any external services. It only modifies the - internal state of entities within Google SecOps. It processes all entities in - the scope regardless of their type. + - This action does not interact with any external APIs or services. + + - It applies the 'suspicious' flag to every entity provided in the action's scope, + regardless of their original state or type. ### Flow Description - 1. **Retrieve Entities**: The action accesses the list of target entities in the - current scope. + 1. **Identify Entities**: The action retrieves the list of target entities from + the current Google SecOps scope. - 2. **Flag Entities**: It iterates through every entity and sets its `is_suspicious` + 2. **Flag Entities**: It iterates through each entity and sets the `is_suspicious` attribute to `True`. - 3. **Update Platform**: The action sends the updated entity objects back to Google - SecOps to persist the changes. + 3. **Update Internal State**: The action calls the internal SDK to update the + entity records within the platform. - 4. **Finalize**: It reports the total number of entities successfully marked as - suspicious and completes the execution. + 4. **Finalize**: The action concludes by returning a success message and the total + count of entities that were updated. capabilities: can_create_case_comments: false can_create_insight: false @@ -834,7 +1014,7 @@ Mark Entity as Suspicious: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Updates the 'is_suspicious' attribute of entities within the Google SecOps case + Updates the 'is_suspicious' attribute of entities within the Google SecOps platform to True. categories: enrichment: false @@ -888,14 +1068,39 @@ Mark Entity as Suspicious: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: ai_description: >- ### General Description - The **Ping** action is a diagnostic utility designed to verify the connectivity - between the Google SecOps (Chronicle) environment and the integration's execution - context. It serves as a health check to ensure that the integration is correctly - configured and reachable within the SOAR platform. + This action is a simple connectivity test designed to verify the communication + between the Google SecOps (Chronicle) platform and the Enrichment integration. + It serves as a health check to ensure that the integration is correctly configured + and reachable. ### Parameters Description @@ -903,20 +1108,20 @@ Ping: There are no parameters for this action. - ### Flow Description + ### Additional Notes - 1. **Initialization**: The action initializes the Siemplify action module to establish - a session. + This action does not interact with any external APIs or process any entity data. + It is strictly used for verifying integration connectivity. - 2. **Connectivity Confirmation**: The action immediately terminates with a success - status and a message indicating that the connection is active ('Siemplify is connected'). + ### Flow Description - ### Additional Notes + 1. **Initialization**: The action initializes the SiemplifyAction module to establish + the execution context. - This action does not perform any data retrieval from external sources, nor does - it interact with or modify any entity data or case information. It is strictly - used for configuration validation. + 2. **Connectivity Check**: The action immediately concludes by returning a success + message ('Siemplify is connected') to the platform, confirming the integration + is functional. capabilities: can_create_case_comments: false can_create_insight: false @@ -944,66 +1149,55 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Whois: ai_description: >- - ### General Description - - The **Whois** action queries WHOIS and RDAP servers to retrieve registration and - ownership information for various entity types, including IP Addresses, Domains, - URLs, and Email addresses. It provides critical context regarding domain age, - registrar details, and geographic location for IP addresses to assist in threat - analysis. - - - ### Parameters - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Create Entities | boolean | No | If set to `true`, the action extracts the root - domain from URLs or Email addresses and creates a new, linked DOMAIN entity within - the case. Default is `true`. | - - | Domain Age Threshold | string | No | A threshold in days. If a domain's age - is less than this value, the entity is marked as suspicious. A value of 0 or empty - disables this check. | - - - ### Flow Description - - 1. **Entity Identification**: The action iterates through all target entities - in the current context. - - 2. **IP Enrichment**: For `ADDRESS` entities, it performs an RDAP lookup and a - geographic lookup (via DB-IP) to identify the owner, ASN, and physical location. - - 3. **Domain/URL/Email Processing**: For other entities, it extracts the registered - domain using the `tldextract` library. - - 4. **WHOIS Query**: It performs a WHOIS lookup for the extracted domain to retrieve - creation dates, expiration dates, and registrar information. - - 5. **Entity Creation**: If the `Create Entities` parameter is enabled and a new - domain is identified (e.g., extracted from a URL or Email), a new `DOMAIN` entity - is created and linked to the source entity. - - 6. **Risk Assessment**: The action calculates the domain age in days. If the age - is below the user-defined `Domain Age Threshold`, the entity's `is_suspicious` - attribute is set to `true`. - - 7. **Data Update**: All retrieved information is flattened and added to the entities' - additional properties with a `WHOIS` prefix. The entities are then marked as enriched - and updated in the system. - - - ### Additional Notes - - - This action requires outbound network access to WHOIS/RDAP servers and the DB-IP - API. - - - The `Domain Age Threshold` parameter is processed as an integer; ensure numeric - values are provided. + ### General Description\nEnriches entities by querying WHOIS and RDAP servers + for registration information. It supports IP addresses, domains, URLs, and email + addresses. The action retrieves data such as creation dates, registrar details, + and geographic location for IPs.\n\n### Parameters Description\n| Parameter | + Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Create Entities + | boolean | False | If set to true, the action will create and link new DOMAIN + entities to URL and Email/User entities. |\n| Domain Age Threshold | string | + False | Domains whose age (in days) is less than this value will be marked as + suspicious. Set to 0 to disable. |\n\n### Flow Description\n1. **Parameter Extraction**: + Retrieves the 'Create Entities' flag and 'Domain Age Threshold'.\n2. **Entity + Processing**: Iterates through target entities.\n3. **IP Enrichment**: For ADDRESS + entities, performs an RDAP lookup and fetches geographic data (city, region, country, + lat/long) from DB-IP.\n4. **Domain/URL/Email Enrichment**: Extracts the registered + domain and performs a WHOIS lookup to retrieve registration dates and registrar + info.\n5. **Entity Creation**: If 'Create Entities' is enabled and the input is + a URL or Email, a new DOMAIN entity is created and linked to the original entity.\n6. + **Risk Assessment**: Calculates domain age in days. If the age is below the threshold, + the entity is marked as suspicious.\n7. **Internal Update**: Updates the entities + in Google SecOps with the retrieved WHOIS/RDAP data in additional properties and + sets the 'is_enriched' flag.\n\n### Additional Notes\n- This action uses the `whois_alt` + and `ipwhois` libraries.\n- Geographic lookups for IPs are performed using the + DB-IP free API. capabilities: can_create_case_comments: false can_create_insight: false @@ -1014,10 +1208,8 @@ Whois: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action creates new DOMAIN entities and establishes relationships between - them and the original entities. It also updates existing entities by setting - 'is_suspicious' based on domain age, marking them as 'is_enriched', and adding - WHOIS/Geo-location data to their additional properties. + Creates new DOMAIN entities in the case and updates existing entities' suspicious + status and additional properties. categories: enrichment: false entity_usage: @@ -1039,3 +1231,28 @@ Whois: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/power_ups/enrichment/resources/ai/integration_ai_description.yaml b/content/response_integrations/power_ups/enrichment/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..b962d2eb6 --- /dev/null +++ b/content/response_integrations/power_ups/enrichment/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: true + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + siem: false + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/power_ups/file_utilities/resources/ai/actions_ai_description.yaml b/content/response_integrations/power_ups/file_utilities/resources/ai/actions_ai_description.yaml index de6d5520a..5d709fc01 100644 --- a/content/response_integrations/power_ups/file_utilities/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/power_ups/file_utilities/resources/ai/actions_ai_description.yaml @@ -1,56 +1,58 @@ Add Attachment: ai_description: >- - ### General Description + Adds a file attachment to the case wall of the current Google SecOps case. This + action allows analysts or automated playbooks to upload evidence, reports, or + logs directly to the case timeline for better documentation and visibility. - The **Add Attachment** action allows users to upload and attach files directly - to the case wall within Google SecOps. This utility is designed to facilitate - evidence preservation and documentation by allowing users to provide file content - in Base64 format, which is then stored as a formal attachment within the context - of the current case. + ### Flow Description - ### Parameters + 1. **Parameter Extraction:** The action retrieves the attachment's name, file + type, Base64-encoded content, description, and favorite status from the input + parameters. - | Parameter | Type | Mandatory | Description | + 2. **Context Identification:** It identifies the current case using the `siemplify.case.identifier`. - | :--- | :--- | :--- | :--- | + 3. **Attachment Construction:** A `CaseWallAttachment` data model is created using + the provided inputs. - | Name | string | Yes | The name of the attachment file as it will appear on the - case wall. | + 4. **Internal API Call:** The action invokes the `save_attachment_to_case_wall` + method to upload the file to the Google SecOps platform. - | IsFavorite | boolean | No | If set to `true`, the attachment will be marked - as a favorite or important item in the case wall. Defaults to `false`. | + 5. **Result Processing:** Upon success, the action parses the API response into + a structured JSON format containing metadata about the new attachment (e.g., attachment + ID, creation time) and completes the execution. - | Base64 Blob | string | Yes | The actual content of the file, encoded in Base64 - format. | - | Type | string | Yes | The file extension or type (e.g., .txt, .pdf, .png). | + ### Parameters Description - | Description | string | Yes | A descriptive note providing context or details - about the attachment. | + | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Flow Description + | Name | String | True | The name/filename of the attachment to be displayed on + the case wall. | - 1. **Input Retrieval**: The action extracts the file name, Base64-encoded content, - file type, and description from the user-provided parameters. + | IsFavorite | Boolean | False | If set to true, marks the attachment as a 'favorite' + or important item in the case wall. Defaults to false. | - 2. **Data Modeling**: It initializes a `CaseWallAttachment` object, associating - the file data with the current case's unique identifier. + | Base64 Blob | String | True | The actual content of the file, encoded in Base64 + format. | - 3. **Internal API Interaction**: The action calls the internal Google SecOps API - (via `save_attachment_to_case_wall`) to upload the file content and metadata to - the case wall. + | Type | String | True | The file extension or type (e.g., .txt, .pdf, .png). + | - 4. **Response Handling**: It processes the response from the internal API, transforms - it into a structured JSON result containing attachment metadata (like `evidenceId` - and `creationTime`), and marks the action as successfully completed. + | Description | String | True | A descriptive note explaining the context or purpose + of the attachment. | ### Additional Notes - This action is a local utility and does not communicate with external third-party - services. It strictly modifies internal case data by adding attachments. + - This action does not interact with external systems; it only modifies data within + the Google SecOps environment. + + - The attachment is linked to the case level, not a specific alert within the + case. capabilities: can_create_case_comments: false can_create_insight: false @@ -61,7 +63,8 @@ Add Attachment: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Adds a file attachment to the case wall of the current Google SecOps case. + Adds a new file attachment to the case wall of the current Google SecOps case, + modifying the case's stored evidence and timeline. categories: enrichment: false entity_usage: @@ -79,59 +82,71 @@ Add Attachment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Add Entity to File: ai_description: >- - ### General Description - - The **Add Entity to File** action appends the unique identifiers of target entities - to a local text file stored on the SOAR runner. This utility is primarily used - for state management, such as tracking which entities have already been processed - or creating simple local blocklists/allowlists within a playbook's lifecycle. - It ensures that each entity identifier is only recorded once in the specified - file. + Adds the identifier of target entities to a local text file stored on the Google + SecOps runner. This action is primarily used for maintaining local state, deduplication, + or sharing data between different playbook executions via the filesystem. It ensures + that each entity identifier is only added once to the specified file. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Filename** | String | Yes | The name of the file (e.g., `processed_entities.txt`) - where the entity identifiers will be stored. Files are stored in the `/tmp/` directory - of the runner. | + | Filename | string | Yes | The name of the file to write the entities to. The + file is stored in the `/tmp/` directory on the execution environment. | ### Flow Description 1. **Initialization**: The action retrieves the `Filename` parameter and constructs - the full file path in the `/tmp/` directory. + the full file path using a predefined `/tmp/` prefix. 2. **File Locking**: It utilizes a file-locking mechanism (`EntityFileManager`) - to ensure thread-safe operations, preventing concurrent actions from corrupting - the file. - - 3. **Deduplication Check**: The action reads the existing contents of the file - and compares them against the identifiers of the `target_entities` provided in - the current context. - - 4. **Update**: If an entity identifier is not already present in the file, it - is appended to the list. - - 5. **Persistence**: The updated list of identifiers is written back to the file, - and the file lock is released. - - 6. **Result Reporting**: The action provides an output message detailing which - entities were added and which were already present. If any entity was already - in the file, the action's result value is set to `False`. + to ensure thread-safe access, preventing concurrent actions from corrupting the + file. + 3. **Entity Processing**: The action iterates through all `target_entities` provided + in the current context. - ### Additional Notes + 4. **Deduplication Check**: For each entity, it checks if the identifier already + exists within the file's content. - - This action operates strictly on the local file system of the execution environment - and does not interact with external APIs. + 5. **File Update**: If the identifier is not present, it is appended to the list + and subsequently written back to the file. If it already exists, the action logs + the occurrence and marks the final result as `False` (indicating not all entities + were newly added). - - It does not modify Google SecOps case, alert, or entity metadata. + 6. **Completion**: The action releases the file lock and returns a summary of + added versus existing entities. capabilities: can_create_case_comments: false can_create_insight: false @@ -194,58 +209,81 @@ Add Entity to File: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Count Files: ai_description: >- ### General Description + The **Count Files** action is a utility designed to count the number of files within a specified directory on the local filesystem. It allows users to filter files by a specific extension and optionally perform a recursive search through - subdirectories. This is particularly useful for automated workflows that need - to verify the presence or volume of specific file types (e.g., logs, temporary - files, or artifacts) as part of an investigation or maintenance task. + subdirectories. ### Parameters Description + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Folder** | String | Yes | The absolute or relative directory path where the - file count should be performed. | + | **Folder** | String | Yes | The absolute or relative folder path from which + you would like to count the files. | - | **File Extension** | String | No | A glob-style pattern to filter files (e.g., + | **File Extension** | String | No | The file extension pattern to match (e.g., `*.txt`, `*.log`). If not provided, it defaults to `*.*` (all files). | | **Is Recursive** | Boolean | No | If set to `true`, the action will search for - files in the specified folder and all its subfolders. Defaults to `false`. | + files in the specified folder and all its subfolders. Default is `false`. | - ### Additional Notes + ### Flow Description - - The action uses the Python `glob` library to resolve file paths. - - If the provided `Folder` path does not exist or is inaccessible, the action - will return a count of 0 or may fail depending on environment permissions. + 1. **Parameter Extraction:** The action retrieves the `Folder`, `File Extension`, + and `Is Recursive` values from the input. - - This action does not interact with SecOps entities (IPs, Hostnames, etc.) and - operates strictly on the filesystem path provided. + 2. **Path Construction:** It determines the file extension pattern, defaulting + to `*.*` if none is provided, and constructs the full search path by joining the + folder and extension. + 3. **File Discovery:** The action uses the `glob` module to find all matching + files, applying the recursion flag. - ### Flow Description + 4. **Counting and Output:** It calculates the total number of matching files and + returns this count as the action result. - 1. **Parameter Extraction:** The action retrieves the `Folder`, `File Extension`, - and `Is Recursive` flag from the input parameters. - 2. **Pattern Construction:** If no file extension is provided, it defaults to - `*.*`. It then combines the folder path and the extension into a full search pattern. + ### Additional Notes - 3. **File Discovery:** The action uses the `glob.glob` method with the specified - recursion flag to find all matching file paths. - 4. **Counting and Completion:** It calculates the length of the resulting list - of files and returns this integer as the final result to the SOAR platform. + There are no entities required for this action. It operates directly on the filesystem + path provided in the parameters. capabilities: can_create_case_comments: false can_create_insight: false @@ -254,7 +292,7 @@ Count Files: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false @@ -273,34 +311,88 @@ Count Files: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Create Archive: - ai_description: "### General Description\nThis action creates compressed archive\ - \ files from a specified list of files or a directory located on the Google SecOps\ - \ server. It supports multiple archive formats including ZIP and various TAR configurations.\ - \ The resulting archive is stored in a predefined local directory on the server,\ - \ and the action returns the full path to the created file.\n\n### Parameters\ - \ Description\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- |\ - \ :--- | :--- |\n| Archive Type | Dropdown | Yes | The compression format to use.\ - \ Supported values: `zip`, `tar` (uncompressed), `gztar` (gzip), `bztar` (bzip2),\ - \ and `xztar` (xz). |\n| Archive Base Name | String | Yes | The name of the archive\ - \ file to be created (do not include the file extension). |\n| Archive Input |\ - \ String | Yes | A comma-separated list of absolute file paths or a single absolute\ - \ directory path to be included in the archive. |\n\n### Additional Notes\n- The\ - \ action operates on the local filesystem of the Google SecOps (Siemplify) server.\ - \ \n- The output directory is hardcoded to `/opt/siemplify/siemplify_server/Scripting/FileUtilities/Archives`.\ - \ If this directory does not exist, the action attempts to create it.\n- If a\ - \ list of files is provided, the action creates a temporary directory to stage\ - \ the files before archiving.\n\n### Flow Description\n1. **Parameter Extraction**:\ - \ Retrieves the archive type, base name, and input paths from the action configuration.\n\ - 2. **Directory Validation**: Checks for the existence of the destination directory\ - \ on the server and creates it if necessary.\n3. **Input Processing**: \n -\ - \ If the input is a directory, it prepares to archive the directory directly.\n\ - \ - If the input is a list of files, it copies them to a temporary system directory.\n\ - 4. **Archive Creation**: Uses the Python `shutil` library to generate the archive\ - \ file in the specified format.\n5. **Cleanup**: If a temporary directory was\ - \ used for individual files, it is deleted after the archive is created.\n6. **Completion**:\ - \ Returns the path of the generated archive and provides a JSON result indicating\ - \ success." + ai_description: >- + ### General Description + + The **Create Archive** action is a utility designed to package files or directories + into a single compressed archive file on the Google SecOps server. It supports + multiple formats including ZIP and various TAR configurations (uncompressed, gzip, + bzip2, xz). This action is primarily used for organizing forensic evidence, consolidating + logs, or preparing data for export. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | **Archive Type** | DDL | Yes | Specifies the compression format. Supported values: + `zip`, `tar`, `gztar` (gzip), `bztar` (bzip2), `xztar` (xz). | + + | **Archive Base Name** | String | Yes | The name of the archive file to be created, + excluding the file extension. | + + | **Archive Input** | String | Yes | The source for the archive. This can be a + single directory path or a comma-separated list of individual file paths. | + + + ### Flow Description + + 1. **Initialization:** The action extracts the user-provided parameters: archive + type, base name, and input source. + + 2. **Directory Validation:** It checks for the existence of the default destination + directory (`/opt/siemplify/siemplify_server/Scripting/FileUtilities/Archives`) + and creates it if it does not exist. + + 3. **Input Handling:** + - If the input is a directory, the action targets that directory for archiving. + - If the input is a list of files, it creates a temporary directory, copies + the specified files into it, and targets that temporary directory. + 4. **Compression:** The action uses the `shutil.make_archive` utility to create + the archive file in the specified format at the destination path. + + 5. **Cleanup:** If a temporary directory was created for individual files, it + is deleted after the archive is successfully generated. + + 6. **Completion:** The action returns the full path of the created archive file + and updates the action result with success metadata. + + + ### Additional Notes + + - This action performs operations on the local filesystem of the Google SecOps + execution environment. + + - Ensure that the paths provided in 'Archive Input' are accessible by the SecOps + service account. capabilities: can_create_case_comments: false can_create_insight: false @@ -311,8 +403,8 @@ Create Archive: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - The action creates new archive files and potentially new directories within - the Google SecOps server's local filesystem at /opt/siemplify/siemplify_server/Scripting/FileUtilities/Archives. + Creates a new archive file on the local filesystem of the Google SecOps server + in the /opt/siemplify/siemplify_server/Scripting/FileUtilities/Archives directory. categories: enrichment: false entity_usage: @@ -330,68 +422,88 @@ Create Archive: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Create Hash From Base64: ai_description: >- - ### General Description - - This action converts Base64 encoded strings into cryptographic hashes. It is a - utility tool used to generate file-like identifiers (MD5, SHA1, SHA256, etc.) - from encoded data provided as input. This is particularly useful for processing - file content extracted from emails or other sources where the raw data is available - in Base64 format. + Generates cryptographic hashes for one or more Base64 encoded strings. This utility + action is designed to transform data blobs or file contents provided in Base64 + format into standard hash identifiers, which can then be used for reputation lookups + or file identification. It supports a wide variety of hashing algorithms including + MD5, SHA1, SHA256, and SHA512. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Input Parsing:** The action retrieves the Base64 encoded strings and optional + names from the parameters, splitting them into lists based on the provided separators. - | :--- | :--- | :--- | :--- | + 2. **Decoding:** Each string is decoded from Base64 into its original byte representation. - | Base64 | Content | Yes | One or more Base64 encoded strings to be hashed, separated - by the 'Base64 Separator'. | + 3. **Hashing:** The action dynamically selects the specified hashing algorithm + from the Python `hashlib` library and computes the hex digest of the decoded bytes. - | Hash Algorythm | DDL | Yes | The cryptographic hashing algorithm to apply (e.g., - md5, sha1, sha256, sha512). | + 4. **Result Compilation:** A result object is created for each input, optionally + including the original Base64 string and the provided name. - | Names | String | No | A list of names (e.g., filenames) corresponding to the - Base64 strings, separated by the 'Names Separator'. | + 5. **Output:** The final list of hashes and metadata is returned as a JSON result. - | Names Separator | String | Yes | The character used to split the 'Names' parameter - (default is ','). | - | Include Base64 | Boolean | No | If true, the original Base64 string will be - included in the JSON output. | + ### Parameters Description - | Base64 Separator | String | Yes | The character used to split the 'Base64' parameter - (default is ','). | + | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Flow Description + | Base64 | Content | Yes | One or more Base64 encoded strings to be hashed. Multiple + strings should be separated by the 'Base64 Separator'. | - 1. **Input Parsing**: The action retrieves the `Base64` input and splits it into - a list using the `Base64 Separator`. If the `Names` parameter is provided, it - is also split using the `Names Separator`. + | Hash Algorythm | DDL | Yes | The cryptographic hash function to apply (e.g., + sha256, md5, sha1). | - 2. **Decoding**: Each string in the `Base64` list is decoded from Base64 into - raw bytes using the Python `base64` library. + | Names | String | No | A list of names (e.g., filenames) corresponding to the + Base64 strings. Must have the same count as the Base64 strings if provided. | - 3. **Hashing**: The specified `Hash Algorythm` is dynamically invoked from the - `hashlib` library and applied to the decoded bytes to generate a hexadecimal digest. + | Names Separator | String | Yes | The character used to separate the list of + names (default is a comma). | - 4. **Result Construction**: A dictionary is created for each item containing the - generated hash, the algorithm used, and the associated name (if provided). If - `Include Base64` is set to true, the original encoded string is also included - in the dictionary. + | Include Base64 | Boolean | No | If set to true, the original Base64 input string + will be included in the output JSON. | - 5. **Output**: The resulting list of dictionaries is added to the action's JSON - results and the script result. + | Base64 Separator | String | Yes | The character used to separate the input Base64 + strings (default is a comma). | ### Additional Notes - If the `Names` parameter is provided, it should ideally contain the same number - of items as the `Base64` parameter to ensure correct one-to-one mapping in the - output. + - This action does not interact with external APIs; all computations are performed + locally using standard libraries. + + - If the 'Names' parameter is used, ensure the number of names matches the number + of Base64 strings to avoid alignment issues in the output. capabilities: can_create_case_comments: false can_create_insight: false @@ -419,15 +531,40 @@ Create Hash From Base64: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Decode Base64: ai_description: >- ### General Description - The **Decode Base64** action is a utility designed to convert Base64-encoded strings - back into their original text format. It allows users to specify the character - encoding (UTF-8 or ASCII) to ensure the decoded content is interpreted correctly. - This is particularly useful for decoding data found in logs, email headers, or - payloads that are often obfuscated or transmitted in Base64 format. + The **Decode Base64** action is a utility designed to transform Base64-encoded + strings back into human-readable text. It is primarily used within playbooks to + process data that has been encoded for transport or storage, such as email attachments, + log snippets, or API responses. The action supports multiple character encodings + to ensure the resulting string is correctly interpreted. ### Parameters Description @@ -436,35 +573,35 @@ Decode Base64: | :--- | :--- | :--- | :--- | - | Base64 Input | String | Yes | The Base64 encoded string that needs to be decoded. - | + | **Base64 Input** | string | Yes | The Base64 encoded string that needs to be + decoded. | - | Encoding | DDL | Yes | The character encoding to use for the decoded string. - Options include **UTF-8** and **ASCII**. | + | **Encoding** | ddl | Yes | The character encoding to apply to the decoded bytes. + Options include `UTF-8` and `ASCII`. | - ### Additional Notes + ### Flow Description - - This action does not interact with external APIs; it performs the decoding logic - locally within the execution environment. + 1. **Parameter Retrieval**: The action extracts the `Base64 Input` string and + the selected `Encoding` from the user configuration. - - If the input string is not a valid Base64 sequence or the encoding fails, the - action will return a failure status. + 2. **Decoding**: The input string is decoded from Base64 format into raw bytes + using Python's standard `base64` library. + 3. **String Conversion**: The raw bytes are converted into a string using the + specified encoding (e.g., UTF-8). - ### Flow Description + 4. **Result Generation**: The decoded string is packaged into a JSON object (`{"decoded_content": + "..."}`) and returned as the action's result for use in subsequent playbook steps. - 1. **Parameter Extraction**: The action retrieves the `Base64 Input` string and - the selected `Encoding` from the user input. - 2. **Decoding**: It uses the standard Base64 library to decode the input string - into a byte object. + ### Additional Notes - 3. **String Conversion**: The byte object is converted into a string using the - specified encoding (UTF-8 or ASCII). + - This action does not interact with external APIs or modify any SOAR entities; + it is a pure data transformation utility. - 4. **Result Output**: The decoded string is packaged into a JSON object and returned - as the action's result. + - If the input is not a valid Base64 string or the encoding fails, the action + will return a failure status. capabilities: can_create_case_comments: false can_create_insight: false @@ -492,55 +629,70 @@ Decode Base64: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Extract Archive: ai_description: >- - ### General Description - - The **Extract Archive** action is a utility designed to decompress archive files - located on the local filesystem of the Google SecOps server. It supports multiple - formats including ZIP, TAR, GZTAR, BZTAR, and XTAR. The action is primarily used - to prepare files for further analysis by expanding their contents into a structured - directory and providing a detailed map of the extracted files. + Extracts one or more archive files (ZIP, TAR, GZTAR, BZTAR, XTAR) to a designated + directory on the local SOAR server. This utility action is used to unpack compressed + data for further processing or analysis within a playbook. It returns a structured + JSON response containing the directory tree and paths of all extracted files. ### Parameters Description + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Archive** | String | Yes | A comma-separated list of absolute file paths to - the archives that need to be extracted. Example: `/tmp/data.zip, /tmp/logs.tar.gz`. + | Archive | String | Yes | The full path of the archive(s) to be extracted. Supports + comma-separated values for bulk extraction. Example: `/opt/siemplify/siemplify_server/Scripting/FileUtilities/file.zip` | ### Flow Description - 1. **Input Parsing**: The action retrieves the `Archive` parameter and splits - it into a list of individual file paths. - - 2. **Directory Preparation**: For each archive path provided, the action creates - a specific destination directory within the predefined path `/opt/siemplify/siemplify_server/Scripting/FileUtilities/Extract` - based on the archive's name. - 3. **Extraction**: It uses the Python `shutil` library to unpack the archive contents - into the newly created destination directory. - - 4. **Structure Mapping**: The action recursively traverses the extracted directory - to build a hierarchical dictionary (JSON) representing the file structure, including - file names, types, extensions, and full paths. - - 5. **Result Compilation**: It aggregates the success status, folder location, - and file lists for all processed archives into a single JSON result and provides - an output message summarizing the operation. + 1. **Input Parsing:** The action retrieves the `Archive` parameter and splits + it into a list of individual file paths. + 2. **Directory Preparation:** For each archive, it determines a unique output + directory path within the `/opt/siemplify/siemplify_server/Scripting/FileUtilities/Extract` + root. It creates the directory if it does not already exist. - ### Additional Notes + 3. **Extraction:** It utilizes the `shutil.unpack_archive` method to extract the + contents of the archive into the prepared directory. - - This action performs operations on the local filesystem of the SOAR execution - environment. + 4. **Metadata Generation:** The action recursively scans the extracted folder + to generate a JSON representation of the file hierarchy, including file names, + extensions, and full paths. - - It does not interact with external APIs or modify case entities directly. + 5. **Result Reporting:** It compiles the extraction results (success/failure) + and file metadata into a JSON object and ends the action with a summary message. capabilities: can_create_case_comments: false can_create_insight: false @@ -551,8 +703,8 @@ Extract Archive: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Creates directories and extracts files onto the local filesystem of the Google - SecOps server environment. + Creates directories and writes extracted files to the local filesystem of the + SOAR server at /opt/siemplify/siemplify_server/Scripting/FileUtilities/Extract. categories: enrichment: false entity_usage: @@ -570,78 +722,64 @@ Extract Archive: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Extract Zip Files: - ai_description: >- - ### General Description - - This action extracts files from ZIP archives associated with `FILENAME` entities - within a Google SecOps case. It is designed to handle password-protected archives - through either a provided list of passwords or a brute-force approach. The action - can automatically enrich the case by adding the extracted files back to the case - wall and creating new entities for the extracted files and their corresponding - hashes. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Include Data In JSON Result | boolean | No | If set to `true`, the base64 encoded - content of the extracted files will be included in the action's JSON output. Default - is `false`. | - - | Create Entities | boolean | No | If set to `true`, the action will create new - `FILENAME` and `FILEHASH` entities for every file extracted from the archive. - Default is `true`. | - - | Zip File Password | string | No | A string containing one or more passwords - used to attempt extraction of protected ZIP files. | - - | BruteForce Password | boolean | No | If set to `true`, the action will attempt - to brute-force the ZIP password using a built-in wordlist if the provided passwords - fail. Default is `false`. | - - | Add to Case Wall | boolean | No | If set to `true`, the extracted files will - be uploaded as new attachments to the case wall. Default is `true`. | - - | Zip Password List Delimiter | string | Yes | The character used to separate - multiple passwords provided in the 'Zip File Password' parameter (e.g., a comma). - | - - - ### Additional Notes - - * The action specifically targets `FILENAME` entities that possess an `attachment_id` - attribute in their additional properties. This ID is required to retrieve the - file from the SOAR's internal storage. - - * When creating entities, the action also generates relationships between the - extracted files and the original ZIP archive or the relevant email subject. - - - ### Flow Description - - 1. **Identification**: The action iterates through all `FILENAME` entities in - the current context, looking for those with an `attachment_id`. - - 2. **Retrieval**: For each valid entity, it downloads the associated file content - from the Google SecOps attachment service. - - 3. **Extraction**: It verifies if the file is a valid ZIP archive and attempts - to extract its contents. If the ZIP is encrypted, it uses the provided passwords - (split by the delimiter) and/or performs a brute-force attack if enabled. - - 4. **Internal Mutation (Case Wall)**: If 'Add to Case Wall' is enabled, each extracted - file is uploaded back to the case as a new attachment. - - 5. **Internal Mutation (Entities)**: If 'Create Entities' is enabled, the action - creates new `FILENAME` entities for the extracted files and `FILEHASH` entities - for their MD5 hashes, establishing parent-child relationships where applicable. - - 6. **Output**: The action returns a JSON summary of the extracted files, including - metadata like size, MIME type, and hashes (MD5, SHA1, SHA256, SHA512). + ai_description: "Extracts files from ZIP archives associated with FILENAME entities\ + \ in Google SecOps. This action is designed to handle both standard and password-protected\ + \ ZIP files, offering the ability to provide a list of passwords or attempt a\ + \ brute-force attack using a built-in wordlist. \n\n### Flow Description:\n1.\ + \ **Entity Filtering:** The action identifies `FILENAME` entities within the case\ + \ that possess an `attachment_id` attribute in their additional properties.\n\ + 2. **Data Retrieval:** For each valid entity, it retrieves the corresponding ZIP\ + \ file content from the Google SecOps Case Wall.\n3. **Extraction:** It attempts\ + \ to extract the contents of the ZIP archive. If the archive is encrypted, it\ + \ uses the provided passwords (delimited by a user-defined character) or performs\ + \ a brute-force search.\n4. **Internal Mutation (Optional):** \n * If configured,\ + \ it uploads the extracted files back to the Case Wall as new attachments.\n \ + \ * If configured, it creates new `FILENAME` and `FILEHASH` entities for the\ + \ extracted files, automatically linking them to the parent ZIP file.\n5. **Output:**\ + \ The action returns a JSON result containing metadata (and optionally base64\ + \ data) for all extracted files.\n\n### Parameters Description:\n| Parameter Name\ + \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Include\ + \ Data In JSON Result | boolean | No | If true, the base64 encoded content of\ + \ the extracted files is included in the action's JSON output. Default is false.\ + \ |\n| Create Entities | boolean | No | If true, the action creates new `FILENAME`\ + \ and `FILEHASH` entities for every file found inside the ZIP. Default is true.\ + \ |\n| Zip File Password | string | No | A single password or a list of passwords\ + \ used to attempt extraction of protected ZIPs. |\n| BruteForce Password | boolean\ + \ | No | If true, the action attempts to brute-force the ZIP password using a\ + \ predefined wordlist if the provided passwords fail. Default is false. |\n| Add\ + \ to Case Wall | boolean | No | If true, each extracted file is uploaded as an\ + \ individual attachment to the Case Wall. Default is true. |\n| Zip Password List\ + \ Delimiter | string | Yes | The character used to separate multiple passwords\ + \ in the 'Zip File Password' parameter (e.g., a comma). |\n\n### Additional Notes:\n\ + * This action requires the `FILENAME` entity to have an `attachment_id` property,\ + \ which is typically populated when a file is ingested or added to the case via\ + \ other integrations." capabilities: can_create_case_comments: false can_create_insight: false @@ -652,8 +790,8 @@ Extract Zip Files: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action adds extracted files as new attachments to the case wall and creates - new FILENAME and FILEHASH entities within the Google SecOps case environment. + The action adds extracted files as new attachments to the Case Wall and creates + new FILENAME and FILEHASH entities within the Google SecOps case. categories: enrichment: false entity_usage: @@ -672,47 +810,53 @@ Extract Zip Files: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Attachment: ai_description: >- - ### General Description - - This action retrieves file attachments from the Google SecOps case wall or alert - wall and provides them as Base64-encoded strings. It is primarily used to programmatically - access files uploaded to a case for further processing in a playbook, such as - sending them to a sandbox or a malware analysis tool. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Attachment Scope | DDL | Yes | Determines the scope of the search. If set to - 'Alert', the action only retrieves attachments associated with the current alert. - If set to 'Case', it retrieves all attachments associated with the entire case. - | - - - ### Flow Description - - 1. **Scope Identification**: The action reads the 'Attachment Scope' parameter - to decide whether to filter by the specific alert or the whole case. - - 2. **Metadata Retrieval**: It fetches the metadata for all items on the case wall - using the case identifier. - - 3. **Filtering**: The action filters the wall items to identify those of type - 'attachment' (type 4). If the scope is 'Alert', it further filters items to match - the current alert's unique identifier. - - 4. **Content Extraction**: For each identified attachment, the action calls the - internal SOAR API to retrieve the raw binary content. - - 5. **Encoding**: The binary content is encoded into a Base64 string. - - 6. **Result Compilation**: The action appends the Base64 blob to the attachment - metadata and returns the complete list as a JSON result. + ### General Description\nThe **Get Attachment** action retrieves file attachments + stored on the Google SecOps Case Wall or Alert Wall. It is primarily used to programmatically + access files (such as PCAPs, emails, or logs) that have been uploaded to a case, + converting them into Base64 strings for use in subsequent playbook steps.\n\n### + Parameters Description\n| Parameter | Type | Mandatory | Description |\n| :--- + | :--- | :--- | :--- |\n| **Attachment Scope** | DDL | Yes | Specifies the source + of the attachments. Options are `Case` (retrieves all attachments in the case) + or `Alert` (retrieves only attachments associated with the current alert). |\n\n### + Flow Description\n1. **Parameter Retrieval:** The action identifies the requested + scope (Case or Alert).\n2. **Metadata Fetching:** It retrieves the metadata for + all items on the Case Wall.\n3. **Filtering:** The logic filters the wall items + to identify those of type `4` (File Attachments). If the scope is set to `Alert`, + it further filters the list to only include files linked to the specific `alertIdentifier` + of the current alert.\n4. **Content Retrieval:** For each identified attachment, + the action calls the internal API to download the raw file content using its `evidenceId`.\n5. + **Encoding:** The binary file content is encoded into a Base64 string.\n6. **Output + Generation:** The action returns a JSON array containing the original metadata + appended with the `base64_blob` for each file.\n\n### Additional Notes\n- This + action does not interact with external systems; it only interacts with the Google + SecOps internal database.\n- The result is a JSON list of attachment objects. capabilities: can_create_case_comments: false can_create_insight: false @@ -724,7 +868,7 @@ Get Attachment: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: true + enrichment: false entity_usage: entity_types: [] filters_by_additional_properties: false @@ -740,15 +884,40 @@ Get Attachment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: true + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Files as Base64: ai_description: >- ### General Description - The **Get Files as Base64** action is a utility designed to read local files from - the system where the Google SecOps runner is executing and convert their content - into Base64-encoded strings. This action is primarily used to prepare file data - for transmission to external APIs, inclusion in reports, or further processing - within a playbook where binary data is not supported. + Converts local files stored on the Google SecOps (Chronicle) server into Base64 + encoded strings. This utility action is primarily used to prepare file data for + subsequent playbook steps, such as uploading files to sandboxes, sending attachments + via email, or submitting samples to threat intelligence platforms that require + Base64 input. ### Parameters Description @@ -757,42 +926,40 @@ Get Files as Base64: | :--- | :--- | :--- | :--- | - | **File Paths** | String | Yes | A comma-delimited list of absolute file paths - to be processed (e.g., `/tmp/logs/audit.log, /home/user/evidence.bin`). | - - - ### Additional Notes - - - The action includes specialized logic to handle filenames that may contain commas - by recursively checking for the existence of path segments on the local filesystem. - - - If a file cannot be read or does not exist, the action will log an error and - fail the execution. + | File Paths | String | Yes | A comma-delimited list of absolute or relative file + paths to be processed. The action includes logic to handle filenames that may + contain commas by verifying path existence. | ### Flow Description - 1. **Input Parsing**: The action retrieves the `File Paths` parameter and splits - it into individual path strings. + 1. **Input Parsing:** The action retrieves the `File Paths` string and splits + it into a list of potential file locations. + + 2. **Path Validation:** It utilizes a helper function to verify which paths exist + on the local filesystem, correctly identifying files even if their names contain + commas. - 2. **Path Resolution**: It utilizes a helper function to correctly identify file - boundaries, ensuring that paths containing commas are correctly interpreted if - they exist on the disk. + 3. **File Processing:** For each identified file, the action: + * Extracts the directory path, filename, and extension. + * Opens the file in binary read mode. + * Encodes the raw binary content into a Base64 string. + 4. **Data Aggregation:** Metadata (path, name, extension) and the Base64 string + are stored in a structured format. - 3. **File Access**: The action iterates through the resolved file paths and attempts - to open each file in binary read mode (`rb`). + 5. **Output:** The action returns a JSON object containing the list of processed + filenames and their corresponding Base64 data, and provides a summary message + of the converted files. - 4. **Encoding**: The raw binary content of each file is encoded into a Base64 - string using the UTF-8 character set. - 5. **Metadata Extraction**: For each file, the action extracts the directory path, - filename, and file extension. + ### Additional Notes - 6. **Result Construction**: All encoded data and associated metadata are compiled - into a JSON object. + * This action operates on the local filesystem of the execution environment. Ensure + that the files intended for conversion have been previously downloaded or placed + in a reachable directory (e.g., the `/downloads` folder). - 7. **Output**: The final JSON result is returned to the SOAR platform, and the - action completes with a summary of the converted files. + * The action does not interact with SecOps entities directly; it relies entirely + on the provided file path parameters. capabilities: can_create_case_comments: false can_create_insight: false @@ -801,7 +968,7 @@ Get Files as Base64: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: false + fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false @@ -820,21 +987,62 @@ Get Files as Base64: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: ai_description: >- - ### General Description\nVerifies the connectivity and functional status of the - **File Utilities** integration within Google SecOps. This action serves as a diagnostic - heartbeat to ensure that the integration environment is properly configured and - capable of executing tasks.\n\n### Parameters\nThis action does not require any - input parameters.\n\n| Parameter | Type | Mandatory | Description |\n| :--- | - :--- | :--- | :--- |\n| None | N/A | N/A | This action has no parameters. |\n\n### - Flow Description\n1. **Initialization**: The action initializes the Siemplify - SDK context.\n2. **Connectivity Check**: It performs a basic internal check to - confirm the action runner can execute the script logic.\n3. **Completion**: The - action concludes by returning a success message ("Siemplify is connected") to - the case wall.\n\n### Additional Notes\nThere are no external API dependencies - for this specific action as it serves as a heartbeat check for the integration - framework itself. + ### General Description + + The **Ping** action is a diagnostic utility designed to verify the connectivity + and operational status of the File Utilities integration within the Google SecOps + environment. It serves as a simple health check to ensure that the integration + is correctly installed and that the execution environment is responsive. + + + ### Parameters Description + + There are no parameters for this action. + + + ### Additional Notes + + This action does not perform any data retrieval, external API calls, or modifications + to the SOAR case. It is intended solely for troubleshooting and initial setup + verification. + + + ### Flow Description + + 1. **Initialization**: The action initializes the Siemplify API context. + + 2. **Connectivity Confirmation**: The script executes a simple termination command + without calling any external services. + + 3. **Completion**: The action returns a success message 'Siemplify is connected' + to the user interface. capabilities: can_create_case_comments: false can_create_insight: false @@ -862,27 +1070,79 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Remove Entity from File: ai_description: >- - ### General Description\nRemoves the identifiers of target entities from a specified - local file. This utility action is primarily used for managing local state, exclusion - lists, or temporary data stores within the SOAR environment's local filesystem.\n\n### - Parameters Description\n| Parameter | Type | Mandatory | Description |\n| :--- - | :--- | :--- | :--- |\n| Filename | string | Yes | The name of the file (located - in the /tmp/ directory) from which the entity identifiers will be removed. |\n\n### - Flow Description\n1. **Initialization**: The action extracts the `Filename` parameter - and constructs the full path within the `/tmp/` directory.\n2. **File Locking**: - It opens the file using a locking mechanism to ensure exclusive access and prevent - data corruption from concurrent processes.\n3. **Entity Processing**: The action - iterates through all entities provided in the current context (`target_entities`).\n4. - **Removal Logic**: For each entity, it checks if the identifier exists in the - file's content. If found, the identifier is removed from the internal list.\n5. - **Persistence**: The updated list of identifiers is written back to the file, - and the lock is released.\n6. **Result Evaluation**: If any entity identifier - was not found in the file, the action's final result is set to `False`. Otherwise, - it returns `True`.\n\n### Additional Notes\n- The action operates strictly on - the local filesystem of the SOAR runner.\n- It returns a failure status if at - least one entity was missing from the file, even if others were successfully removed. + Removes entity identifiers from a specified local file. This utility action is + designed to manage local state or watchlists stored on the SOAR runner's file + system. It iterates through all entities in the current scope and attempts to + delete their identifiers from the target file. + + + ### Flow Description + + 1. **Parameter Extraction:** Retrieves the `Filename` parameter provided by the + user. + + 2. **File Path Construction:** Combines the base directory (`/tmp/`) with the + provided filename to determine the target file's location. + + 3. **File Locking and Reading:** Utilizes the `EntityFileManager` to acquire a + file lock (preventing concurrent access issues) and reads the existing identifiers + from the file into memory. + + 4. **Entity Processing:** Iterates through every target entity in the SOAR case. + For each entity, it checks if the identifier exists in the loaded list. + + 5. **Removal Logic:** If an identifier is found, it is removed from the list. + If an identifier is not found, the action logs the absence and flags the final + result as `False` (indicating not all entities were successfully removed/found). + + 6. **Persistence:** Upon completion of the loop, the updated list of identifiers + is written back to the file, and the file lock is released. + + + ### Parameters Description + + | Parameter | Description | Type | Mandatory | + + | :--- | :--- | :--- | :--- | + + | Filename | The name of the file (located in `/tmp/`) from which the entity identifiers + should be removed. | String | Yes | + + + ### Additional Notes + + - The action will return a `False` result value if any of the target entities + are not found within the specified file. + + - The file operations are performed locally on the system where the Google SecOps + agent/runner is executing. capabilities: can_create_case_comments: false can_create_insight: false @@ -945,15 +1205,41 @@ Remove Entity from File: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Save Base64 to File: ai_description: >- ### General Description - The **Save Base64 to File** action converts base64-encoded strings into physical - files and saves them to the local filesystem of the Google SecOps runner (either - on the main server or a remote agent). This utility is primarily used to stage - file content received via logs or API responses for subsequent analysis or processing - steps within a playbook. + The **Save Base64 to File** action is a utility designed to convert base64-encoded + strings into physical files stored on the Google SecOps (Chronicle) runner's local + file system (either the Playbook server or a Remote Agent). This action is particularly + useful for reconstructing file attachments, images, or logs that have been passed + through a playbook as encoded text. It supports bulk processing via comma-separated + lists for both inputs and filenames. ### Parameters Description @@ -962,46 +1248,39 @@ Save Base64 to File: | :--- | :--- | :--- | :--- | - | **Base64 Input** | String | Yes | A comma-separated list of base64 encoded strings + | **Base64 Input** | String | Yes | A comma-separated list of base64-encoded strings to be converted into files. | | **Filename** | String | Yes | A comma-separated list of filenames corresponding to the base64 inputs. | - | **File Extension** | String | No | An optional comma-separated list of file - extensions (e.g., 'txt', '.png') to append to the filenames. | - - - ### Additional Notes - - - This action is a utility and does not interact with SOAR entities or external - APIs. - - - If the number of provided **File Extensions** is less than the number of **Filenames**, - the action automatically applies the last extension in the list to all remaining - files. - - - Filenames are sanitized to remove invalid characters before saving. + | **File Extension** | String | No | An optional comma-separated list of extensions + (e.g., 'png', '.txt') to append to the filenames. If fewer extensions are provided + than filenames, the last extension in the list is applied to all remaining files. + | ### Flow Description - 1. **Parameter Parsing**: The action splits the `Base64 Input`, `Filename`, and - `File Extension` parameters into lists based on comma separators. + 1. **Input Parsing:** The action retrieves the `Base64 Input`, `Filename`, and + `File Extension` parameters, splitting them into lists based on comma delimiters. + + 2. **Environment Detection:** It determines the appropriate storage path (`downloads` + folder) based on whether the action is running on a remote agent or the local + server. - 2. **Directory Preparation**: It identifies the target download folder on the - runner's filesystem and ensures the directory exists. + 3. **Directory Preparation:** The action ensures the target directory exists, + creating it if necessary. - 3. **Extension Alignment**: If extensions are provided, the action ensures the - extension list matches the length of the filename list by repeating the last provided - extension as needed. + 4. **File Processing:** It iterates through the provided lists, decoding each + base64 string and writing the resulting binary data to a file with the specified + name and extension. - 4. **Decoding and Writing**: The action iterates through the inputs, decodes each - base64 string into binary data, and writes it to the calculated file path on the - disk. + 5. **Result Compilation:** Metadata for each created file (name, path, and extension) + is collected into a JSON result object. - 5. **Result Compilation**: It generates a JSON result containing the filename, - full path, and extension for every file successfully created. + 6. **Completion:** The action ends by returning a success message containing the + paths of all saved files. capabilities: can_create_case_comments: false can_create_insight: false @@ -1029,3 +1308,28 @@ Save Base64 to File: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/power_ups/file_utilities/resources/ai/integration_ai_description.yaml b/content/response_integrations/power_ups/file_utilities/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..0801c7556 --- /dev/null +++ b/content/response_integrations/power_ups/file_utilities/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/power_ups/functions/resources/ai/actions_ai_description.yaml b/content/response_integrations/power_ups/functions/resources/ai/actions_ai_description.yaml index 420a27c5a..b0a3ec3e1 100644 --- a/content/response_integrations/power_ups/functions/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/power_ups/functions/resources/ai/actions_ai_description.yaml @@ -1,64 +1,32 @@ Calculate Timestamp: ai_description: >- - Calculates one or more new timestamps by applying specified time offsets (deltas) - to a baseline starting point. This utility action is part of the 'Functions' integration - and is used to generate relative time ranges or specific points in time for use - in subsequent playbook steps. - - - ### Parameters - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Input Type | Dropdown | No | Defines the baseline time source. Options: 'Current - Time' (default), 'Alert Creation Time', 'Case Creation Time', or 'Custom Timestamp'. - | - - | Custom Timestamp | String | No | The specific date/time string to use as a baseline. - **Mandatory** if 'Input Type' is set to 'Custom Timestamp'. | - - | Custom Timestamp Format | String | No | The strftime-style format of the 'Custom - Timestamp'. Defaults to ISO 8601 (%Y-%m-%dT%H:%M:%S%z). If empty, the action attempts - to parse as epoch. | - - | Timestamp Delta | String | No | A comma-separated list of offsets to apply. - Format: [operator][value][unit]. Units: m (months), d (days), H (hours), M (minutes), - S (seconds). Example: '+1d, -30M'. | - - | Output Timestamp Format | String | No | The desired format for the resulting - timestamps. Use 'epoch' for Unix timestamps or strftime-style strings. Defaults - to ISO 8601. | - - - ### Additional Notes - - - If 'Input Type' is 'Custom Timestamp', the 'Custom Timestamp' parameter must - be populated. - - - If 'Output Timestamp Format' is set to 'epoch', the result will be an integer - representing seconds since the Unix epoch. - - - ### Flow Description - - 1. **Baseline Identification**: The action determines the starting timestamp based - on the 'Input Type' (e.g., fetching the current system time or the creation time - of the active alert/case). - - 2. **Parsing**: If a custom timestamp is provided, it is parsed using the specified - format or identified as an epoch value. - - 3. **Delta Calculation**: The action iterates through the 'Timestamp Delta' list, - applying each offset (addition or subtraction) to the baseline time using the - `arrow` library. - - 4. **Formatting**: The original baseline and all calculated offsets are formatted - according to the 'Output Timestamp Format'. - - 5. **Output**: The results are returned as a JSON object containing the 'original_timestamp' - and a dictionary of 'calculated_timestamps'. + ### General Description\nUse the 'Calculate Timestamp' action to find a new point + in time by moving forward or backward from a starting time. This utility action + is useful for playbook logic that requires time-based windows, such as searching + for logs within a specific range relative to an alert's creation.\n\n### Parameters + Description\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- + | :--- |\n| Input Type | DDL | No | The starting point for the calculation. Options: + Current Time, Alert Creation Time, Case Creation Time, Custom Timestamp. Default + is Current Time. |\n| Custom Timestamp | String | No | The specific date and time + value used as the starting point when 'Input Type' is set to 'Custom Timestamp'. + |\n| Custom Timestamp Format | String | No | The format of the 'Custom Timestamp'. + If not provided, the action attempts to parse as epoch time. |\n| Timestamp Delta + | String | No | A comma-separated list of time offsets (e.g., +30M, -1H). Supported + units: m (months), d (days), H (hours), M (minutes), S (seconds). |\n| Output + Timestamp Format | String | No | The desired structure for the resulting calculated + timestamp. Defaults to epoch time. |\n\n### Additional Notes\n- If 'Input Type' + is set to 'Custom Timestamp', the 'Custom Timestamp' parameter must be provided.\n- + The 'Timestamp Delta' parameter requires an operator (+ or -) and a unit.\n\n### + Flow Description\n1. **Parameter Extraction**: The action retrieves the input + type, custom timestamp details, and the desired time offsets.\n2. **Base Time + Determination**: It identifies the starting timestamp based on the 'Input Type' + (e.g., the current system time or the creation time of the alert/case).\n3. **Offset + Calculation**: It parses the 'Timestamp Delta' string and applies each specified + offset (addition or subtraction) to the base timestamp using the Arrow library.\n4. + **Formatting**: The original and all calculated timestamps are formatted according + to the 'Output Timestamp Format'.\n5. **Result Output**: The action returns a + JSON object containing the original timestamp and a dictionary of the calculated + results. capabilities: can_create_case_comments: false can_create_insight: false @@ -86,34 +54,66 @@ Calculate Timestamp: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Convert Time Format: - ai_description: "### General Description\nThis action converts a datetime value\ - \ from one format to another using the `arrow` library. It is a utility function\ - \ designed to normalize time data within a playbook, allowing for format conversion,\ - \ timezone adjustments, and time shifting (adding or subtracting seconds).\n\n\ - ### Parameters Description\n| Parameter | Type | Mandatory | Description |\n|\ - \ :--- | :--- | :--- | :--- |\n| Input | string | Yes | The input datetime value\ - \ to be converted. If left empty, the current time is used. Supports epoch timestamps\ - \ (10 or 13 digits). |\n| From Format | string | Yes | The `strftime` format of\ - \ the input string (e.g., `%Y-%m-%d %H:%M:%S`). Special handling is included for\ - \ 'UTC' or 'GMT' suffixes. |\n| To Format | string | Yes | The desired output\ - \ format using Arrow tokens (e.g., `YYYY/MM/DD`). |\n| Time Delta In Seconds |\ - \ string | Yes | A shift value in seconds to move the time forward (positive)\ - \ or backward (negative). Default is 0. |\n| Timezone | string | No | The target\ - \ timezone for the output (e.g., 'UTC', 'US/Eastern'). |\n\n### Additional Notes\n\ - - If the `Input` parameter is a 10-digit or 13-digit number, the action treats\ - \ it as a Unix timestamp (seconds or milliseconds respectively) regardless of\ - \ the `From Format` provided.\n- The action handles 'UTC' and 'GMT' offsets directly\ - \ if they are appended to the `From Format` string.\n\n### Flow Description\n\ - 1. **Parameter Extraction**: Retrieves the input string, source format, target\ - \ format, time delta, and timezone from the action parameters.\n2. **Time Parsing**:\ - \ \n - If no input is provided, it defaults to the current time.\n - If\ - \ the input is numeric, it parses it as a Unix timestamp.\n - Otherwise, it\ - \ attempts to parse the string using the provided `From Format`.\n3. **Time Manipulation**:\ - \ Applies the `Time Delta In Seconds` to shift the time and converts the object\ - \ to the specified `Timezone` if provided.\n4. **Formatting**: Converts the resulting\ - \ datetime object into the string format defined by `To Format`.\n5. **Output**:\ - \ Returns the formatted string as the action result." + ai_description: "### General Description\nThe **Convert Time Format** action is\ + \ a utility function designed to transform datetime values from one format to\ + \ another. It allows for flexible parsing of input strings (including Unix timestamps),\ + \ applying time offsets (shifts), and converting the result to a specific timezone.\ + \ This is primarily used within playbooks to normalize time data received from\ + \ various security tools into a consistent format for downstream processing or\ + \ reporting.\n\n### Parameters Description\n| Parameter | Type | Mandatory | Description\ + \ |\n| :--- | :--- | :--- | :--- |\n| **Input** | string | Yes | The input datetime\ + \ value to be converted. Can be a formatted string or a Unix timestamp (10 or\ + \ 13 digits). If left empty, the current time is used. |\n| **From Format** |\ + \ string | Yes | The `strftime` format of the input string (e.g., `%Y-%m-%d %H:%M:%S`).\ + \ If the input is a numeric timestamp, this may be bypassed by the logic. |\n\ + | **To Format** | string | Yes | The desired output format using [Arrow tokens](https://arrow.readthedocs.io/en/stable/#supported-tokens)\ + \ (e.g., `YYYY/MM/DD HH:mm:ss`). |\n| **Time Delta In Seconds** | string | Yes\ + \ | A numeric value (positive or negative) representing the number of seconds\ + \ to shift the time. Default is \"0\". |\n| **Timezone** | string | No | The target\ + \ timezone for the output (e.g., `UTC`, `US/Eastern`). If omitted, the timezone\ + \ of the parsed input is maintained. |\n\n### Flow Description\n1. **Parameter\ + \ Extraction:** The action retrieves the input string, source format, target format,\ + \ time delta, and target timezone from the environment.\n2. **Special Suffix\ + \ Handling:** It checks if the `From Format` ends with \"UTC\" or \"GMT\" and\ + \ adjusts the time delta accordingly if those strings are present in the input.\n\ + 3. **Parsing:** \n * If the input is empty, it defaults to the current system\ + \ time.\n * If the input is a 10-digit (seconds) or 13-digit (milliseconds)\ + \ number, it parses it as a Unix timestamp.\n * Otherwise, it attempts to\ + \ parse the string using the provided `From Format` via the `Arrow` library.\n\ + 4. **Time Shifting:** The parsed time is shifted by the specified `Time Delta\ + \ In Seconds`.\n5. **Timezone Conversion:** If a `Timezone` is provided, the\ + \ datetime object is converted to that specific zone.\n6. **Formatting and Output:**\ + \ The final datetime object is formatted according to the `To Format` and returned\ + \ as the action result.\n\n### Additional Notes\n* This action does not interact\ + \ with external APIs; it is a local processing utility.\n* The action is robust\ + \ enough to attempt parsing even if the provided `From Format` is slightly mismatched,\ + \ provided the input looks like a standard timestamp." capabilities: can_create_case_comments: false can_create_insight: false @@ -141,37 +141,90 @@ Convert Time Format: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Create Thumbnail: - ai_description: "### General Description\nThe **Create Thumbnail** action is a utility\ - \ function designed to generate a resized version (thumbnail) of an image provided\ - \ in Base64 format. This action is primarily used for data transformation within\ - \ a playbook, allowing users to standardize image sizes for reporting or display\ - \ purposes without interacting with external APIs.\n\n### Parameters Description\n\ - | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ - | **Base64 Image** | String | No | The Base64 encoded string of the image to be\ - \ resized. This parameter is used if the image is provided directly rather than\ - \ through a JSON structure. |\n| **Thumbnail Size** | String | Yes | A comma-separated\ - \ string representing the target width and height in pixels (e.g., \"250,250\"\ - ). |\n| **Input JSON** | String | No | A JSON-formatted string (typically an array\ - \ of objects) containing image data. If provided, the action will iterate through\ - \ the JSON to find images. |\n| **Image Key Path** | String | No | A dot-notation\ - \ path (e.g., \"data.content.image\") used to locate the Base64 image string within\ - \ the objects provided in the `Input JSON`. |\n\n### Additional Notes\n- The action\ - \ requires either the **Base64 Image** or the **Input JSON** parameter to be populated\ - \ to function correctly.\n- The output thumbnail is always returned in PNG format,\ - \ encoded as a Base64 string.\n- This action does not interact with the Google\ - \ SecOps entity model directly; it processes data passed through parameters.\n\ - \n### Flow Description\n1. **Initialization**: The action extracts the target\ - \ dimensions from the `Thumbnail Size` parameter and identifies the source of\ - \ the image data.\n2. **Data Extraction**: \n - If `Input JSON` is provided,\ - \ the action parses the JSON and uses the `Image Key Path` to recursively find\ - \ the Base64 image strings for each entry.\n - If `Input JSON` is not provided,\ - \ it uses the single string from the `Base64 Image` parameter.\n3. **Image Processing**:\ - \ For each identified image, the action decodes the Base64 string, utilizes the\ - \ PIL (Pillow) library to resize the image to the specified dimensions, and saves\ - \ the result as a PNG.\n4. **Encoding**: The resized PNG image is re-encoded into\ - \ a Base64 string.\n5. **Result Generation**: The action compiles the processed\ - \ thumbnails into a JSON result object and completes the execution." + ai_description: >- + ### General Description + + The **Create Thumbnail** action is a utility function designed to generate a resized, + Base64-encoded thumbnail from an existing Base64 image string. This action is + used to optimize image data for display within the SOAR interface or to reduce + the size of image payloads before passing them to other systems or playbooks. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | **Base64 Image** | String | No | The raw Base64 string of the image to be resized. + This is used if `Input JSON` is not provided. | + + | **Thumbnail Size** | String | Yes | Comma-separated pixel dimensions (e.g., + "250,250") for the output thumbnail. | + + | **Input JSON** | String | No | A JSON-formatted string containing image data. + If provided, the action can process multiple images defined within the JSON structure. + | + + | **Image Key Path** | String | No | The dot-separated path (e.g., `data.image_base64`) + used to locate the image field within the `Input JSON`. | + + + ### Additional Notes + + - To execute successfully, the action requires either a direct image string via + the **Base64 Image** parameter or a valid **Input JSON** accompanied by an **Image + Key Path**. + + - The action performs all processing locally using the PIL (Pillow) library and + does not communicate with external APIs. + + + ### Flow Description + + 1. **Parameter Extraction**: The action retrieves the input image data (either + as a direct string or within a JSON object), the target dimensions, and the key + path configuration. + + 2. **Data Parsing**: If **Input JSON** is provided, the action parses the JSON + and uses the **Image Key Path** to extract the Base64 image string(s) from the + provided data structure. + + 3. **Image Processing**: The action decodes the Base64 string into raw bytes and + utilizes the PIL library to open and resize the image to the specified **Thumbnail + Size**. + + 4. **Encoding**: The resized image is saved in PNG format and re-encoded into + a Base64 string. + + 5. **Output Generation**: The resulting Base64 thumbnail is returned as a JSON + result, which can be used in subsequent playbook steps. capabilities: can_create_case_comments: false can_create_insight: false @@ -199,53 +252,70 @@ Create Thumbnail: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Defang Text: ai_description: >- ### General Description - This action defangs a provided text string by modifying potentially dangerous - indicators such as URLs, IP addresses, and email addresses. Defanging is a security - practice used to prevent accidental clicking or automatic resolution of malicious - links by rendering them non-functional while remaining human-readable. + The **Defang Text** action is a utility designed to sanitize potentially malicious + or active indicators within a text string. It 'defangs' URLs, IP addresses, and + email addresses by modifying their syntax (e.g., changing `http` to `hxxp` or + `.` to `[.]`), making them non-clickable and preventing accidental execution or + navigation by analysts. ### Parameters Description - | Parameter | Type | Mandatory | Description | + | Parameter | Description | Type | Mandatory | Notes | - | :--- | :--- | :--- | :--- | + | :--- | :--- | :--- | :--- | :--- | - | Input | string | No | The raw text string that needs to be defanged. If the - input is empty or not provided, the action will return an empty string. | + | Input | The raw text string that needs to be defanged. | String | No | If left + empty, the action returns an empty result. | ### Flow Description - 1. **Extraction**: The action retrieves the `Input` string from the action parameters. - - 2. **Validation**: If the input text is empty, the action sets the output message - to "Input text is empty" and returns an empty result. - - 3. **URL Defanging**: Identifies HTTP/HTTPS URLs and replaces `http` with `hxxp` - and replaces dots in the domain with `[.]` (e.g., `http://example.com` becomes - `hxxp://example[.]com`). - - 4. **IP Defanging**: Identifies IPv4 addresses and replaces the dots with `[.]` - (e.g., `1.1.1.1` becomes `1[.]1[.]1[.]1`). + 1. **Parameter Extraction:** The action retrieves the `Input` string provided + by the user. - 5. **Email Defanging**: Identifies email addresses and replaces the `@` symbol - with `[at]` and dots in the domain with `[.]` (e.g., `user@example.com` becomes - `user[at]example[.]com`). + 2. **Empty Check:** If the input is null or empty, the action terminates and returns + an empty result. - 6. **Result**: The final modified string is returned in the `converted_text` JSON - result field. + 3. **URL Defanging:** Identifies `http` or `https` links and replaces the protocol + with `hxxp/hxxps` and escapes dots in the domain name using `[.]`. + 4. **IP Defanging:** Identifies IPv4 addresses and replaces all dots with `[.]`. - ### Additional Notes + 5. **Email Defanging:** Identifies email addresses, replaces the `@` symbol with + `[at]`, and escapes dots in the domain portion. - This is a utility action that performs local text transformation. It does not - interact with external APIs, does not require network connectivity, and does not - modify any internal SOAR objects like entities or case comments. + 6. **Result Output:** The final defanged string is returned in the `JsonResult` + under the key `converted_text`. capabilities: can_create_case_comments: false can_create_insight: false @@ -273,15 +343,40 @@ Defang Text: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Detect Hash Type: ai_description: >- ### General Description - The **Detect Hash Type** action identifies the most likely hash algorithm (MD5, - SHA-1, SHA-256, or SHA-512) for provided strings or `FILEHASH` entities. It uses - the `hashid` library to perform local identification without external API calls. - This utility is primarily used to categorize hash values for downstream logic - in playbooks. + The **Detect Hash Type** action identifies the most likely cryptographic hash + algorithm for a given set of strings or `FILEHASH` entities. It supports detection + for **MD5**, **SHA-1**, **SHA-256**, and **SHA-512**. This utility is primarily + used to normalize data or determine which subsequent enrichment actions are appropriate + based on the hash format. ### Parameters Description @@ -291,40 +386,40 @@ Detect Hash Type: | :--- | :--- | :--- | :--- | | **Hashes** | String | No | A comma-separated list of hash strings to identify. - If provided, the action will identify the types for these specific strings in - addition to any entities in the case scope. | + If provided, these strings will be processed and included in the output alongside + any entities in the scope. | ### Flow Description - 1. **Parameter Parsing**: The action retrieves the `Hashes` parameter and splits - it into individual strings if provided. + 1. **Input Parsing**: The action retrieves the `Hashes` parameter and splits it + into a list of individual strings. - 2. **Manual Identification**: For each string in the `Hashes` parameter, the action - uses the `hashid` library to detect the algorithm. It checks if the detected type - is within the supported set (MD5, SHA-1, SHA-256, SHA-512). + 2. **Manual Hash Identification**: For each string provided in the parameter, + the action uses the `hashid` library to determine the most likely algorithm (MD5, + SHA-1, SHA-256, or SHA-512). - 3. **Entity Filtering**: The action iterates through all entities in the current - case scope, specifically targeting those with the type `FILEHASH`. + 3. **Entity Processing**: The action iterates through all `FILEHASH` entities + associated with the current context. 4. **Entity Identification**: For each `FILEHASH` entity, the action identifies - the hash type using the same logic as the manual identification. + the hash type based on the entity's identifier. - 5. **Internal Enrichment**: The action updates the `additional_properties` of - the `FILEHASH` entities with a new key `HashType` containing the detected algorithm - name. + 5. **Internal Enrichment**: The detected hash type is added to the entity's `additional_properties` + attribute. - 6. **Result Reporting**: The action compiles all identified hash types (from both - parameters and entities) into a JSON result and provides a summary message. + 6. **Result Compilation**: The action updates the entities within Google SecOps + and returns a JSON object containing the mapping of all processed hashes to their + detected types. ### Additional Notes - - If a hash cannot be identified or does not match the supported types, the `HashType` - is set to `UNDETECTED`. + - If a hash type cannot be determined or does not match the supported types, it + is labeled as `UNDETECTED`. - - This action is entirely local and does not require network connectivity to external - threat intelligence services. + - This action performs local identification using a library and does not make + external API calls. capabilities: can_create_case_comments: false can_create_insight: false @@ -335,8 +430,8 @@ Detect Hash Type: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - The action updates the 'additional_properties' attribute of FILEHASH entities - to include the detected hash algorithm type. + Updates the 'additional_properties' attribute of FILEHASH entities with the + detected hash type. categories: enrichment: false entity_usage: @@ -355,14 +450,39 @@ Detect Hash Type: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Detect IP Type: ai_description: >- ### General Description - The **Detect IP Type** action is a utility designed to identify whether an IP - address is in IPv4 or IPv6 format. It processes both manually provided IP addresses - and existing IP Address entities within a case, enriching the entities with the - detected type. + The **Detect IP Type** action identifies whether a given IP address follows the + IPv4 or IPv6 protocol. It uses regular expression matching to categorize addresses + and enriches existing IP Address entities within the Google SecOps environment + by adding an `IPType` field to their additional properties. ### Parameters Description @@ -371,38 +491,38 @@ Detect IP Type: | :--- | :--- | :--- | :--- | - | IP Addresses | String | No | A comma-separated list of IP addresses to evaluate. - If provided, these addresses are processed alongside case entities. | + | IP Addresses | String | No | A comma-separated list of IP addresses to be analyzed. + If provided, these will be processed in addition to any entities in the case. + | - ### Additional Notes + ### Flow Description - - This action uses local regular expression matching and does not require connectivity - to external threat intelligence services. + 1. **Input Retrieval**: The action retrieves the optional `IP Addresses` parameter. - - If an address does not conform to standard IPv4 or IPv6 formats, it is categorized - as 'UNDETECTED'. + 2. **Manual IP Processing**: If the parameter is provided, it splits the string + and uses regex to classify each address as `IPV4`, `IPV6`, or `UNDETECTED`. + 3. **Entity Processing**: The action iterates through the `target_entities` in + the current context, specifically looking for entities of type `ADDRESS`. - ### Flow Description + 4. **Classification**: For each identified entity, it applies the same regex logic + to the entity's identifier. - 1. **Input Retrieval**: The action fetches the 'IP Addresses' parameter and splits - it into a list if it contains values. + 5. **Internal Enrichment**: It updates the `additional_properties` of the entities + with the detected `IPType`. - 2. **Manual IP Processing**: Each IP address from the parameter is checked against - IPv4 and IPv6 regex patterns. The results are stored for the final output. + 6. **Result Reporting**: The action compiles all results into a JSON object and + updates the entities in the SecOps platform. - 3. **Entity Filtering**: The action iterates through the case's `target_entities` - and identifies those with the type `ADDRESS`. - 4. **Type Detection**: For each identified entity, the action applies regex patterns - to its identifier to determine the IP version. + ### Additional Notes - 5. **Internal Enrichment**: The detected type is added to the entity's `additional_properties` - dictionary under the key `IPType`. + - This action does not perform external lookups; all detection is done locally + via regex. - 6. **State Update**: The action updates the modified entities within Google SecOps - and returns a comprehensive JSON result containing all detected types. + - If an address does not match either IPv4 or IPv6 patterns, it is labeled as + `UNDETECTED`. capabilities: can_create_case_comments: false can_create_insight: false @@ -413,9 +533,8 @@ Detect IP Type: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - The action updates the 'additional_properties' attribute of ADDRESS entities - to include the detected IP type (IPv4 or IPv6) and persists these changes in - Google SecOps using the update_entities method. + Updates the 'additional_properties' attribute of ADDRESS entities with the detected + IP type. categories: enrichment: false entity_usage: @@ -434,15 +553,46 @@ Detect IP Type: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Extract IOCs: ai_description: >- + Extracts Indicators of Compromise (IOCs) including domains, IPv4/IPv6 addresses, + URLs, and email addresses from a provided input string. This utility action is + designed to parse unstructured text to identify potential security indicators + for further analysis or automation. + + ### General Description - The **Extract IOCs** action is a utility designed to parse a provided text string - and identify common Indicators of Compromise (IOCs). It specifically identifies - and extracts URLs, domains, IPv4/IPv6 addresses, and email addresses from unstructured - text. This action is typically used to process data from sources like email bodies, - log entries, or threat reports to isolate actionable security identifiers. + This action takes a raw string as input and applies various extraction techniques + (regular expressions and specialized libraries) to identify common IOC types. + It handles URL cleaning, domain derivation from URLs, and IP address validation. + The results are returned as a structured JSON object containing lists for each + IOC category. ### Parameters Description @@ -451,41 +601,38 @@ Extract IOCs: | :--- | :--- | :--- | :--- | - | Input String | String | Yes | The raw text string from which the action will - attempt to extract IOCs. | + | Input String | String | Yes | The raw text content from which the action will + attempt to extract domains, IPs, URLs, and emails. | - ### Additional Notes + ### Flow Description - - This action performs local parsing using regular expressions and specialized - libraries (`URLExtract`, `tld`) and does not interact with external APIs. + 1. **Parameter Extraction**: The action retrieves the `Input String` provided + by the user. - - It includes logic to filter out common false positives in URLs (e.g., specific - file extensions like .js, .css, .png) and validates IP addresses to ensure they - are syntactically correct. + 2. **URL Extraction**: Uses the `urlextract` library to find URLs within the text, + filtering out invalid formats and standalone IP addresses. - - By default, it includes internal/private IP addresses in the extraction results. + 3. **Domain Extraction**: Processes the discovered URLs to extract the Effective + Fully Qualified Domain Name (eFLD) using the `tld` library. + 4. **IP Extraction**: Uses regular expressions to find potential IPv4 and IPv6 + addresses, then validates them using the `ipaddress` module to ensure they are + legitimate network addresses. - ### Flow Description + 5. **Email Extraction**: Applies a comprehensive regular expression to identify + email addresses within the string. - 1. **Input Retrieval**: The action retrieves the `Input String` provided as a - parameter. + 6. **Result Aggregation**: Consolidates all identified indicators into a JSON + object and generates a human-readable summary message for the action output. - 2. **URL Extraction**: Uses the `URLExtract` library to identify potential URLs, - cleaning them of noise and validating their structure. - 3. **Domain Extraction**: For every valid URL identified, the action extracts - the First Level Domain (FLD) using the `tld` library. - - 4. **IP Extraction**: Scans the text for IPv4 and IPv6 patterns, validating them - using the `ipaddress` module to ensure they are valid network addresses. + ### Additional Notes - 5. **Email Extraction**: Uses a regular expression to identify and extract email - addresses from the text. + - This action does not perform external lookups or reputation checks; it is strictly + a parsing utility. - 6. **Result Compilation**: Aggregates all identified IOCs into a structured JSON - object and generates a summary message for the action output. + - Internal/Private IP addresses are included in the extraction results by default. capabilities: can_create_case_comments: false can_create_insight: false @@ -513,51 +660,74 @@ Extract IOCs: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false IP to Integer: ai_description: >- ### General Description - This action is a utility function designed to convert IPv4 addresses into their - corresponding integer (long) format. It is primarily used for data normalization - or when interacting with systems that require IP addresses in numeric form rather - than string format. + This utility action converts one or more IPv4 addresses into their corresponding + integer (long) format. It is primarily used for data normalization or when integrating + with systems that require IP addresses in numerical format rather than dot-decimal + notation. ### Parameters Description - | Parameter | Type | Mandatory | Description | + | Parameter Name | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | IP Addresses | string | Yes | A comma-separated list of IPv4 addresses (e.g., - "192.168.1.1, 10.0.0.1") to be converted into integers. | + | IP Addresses | String | Yes | A comma-separated list of IPv4 addresses to be + converted into integers. | - ### Additional Notes - - - This action does not interact with any external APIs or services. + ### Flow Description - - It does not process or modify Google SecOps entities; it operates strictly on - the provided input parameter string. + 1. **Input Retrieval:** The action retrieves the comma-separated string of IP + addresses from the `IP Addresses` parameter. - - The conversion uses network byte order (big-endian). + 2. **Parsing:** The string is split by commas and stripped of whitespace to create + a list of individual IP strings. + 3. **Conversion:** For each IP address, the action uses the `socket` and `struct` + libraries to convert the address into a 32-bit packed binary format and then unpacks + it as a long integer. - ### Flow Description + 4. **Result Compilation:** The results are stored in a JSON object (mapping the + original IP to the integer) and a comma-separated string of the resulting integers. - 1. **Input Parsing**: The action retrieves the `IP Addresses` parameter and splits - the string by commas, removing any leading or trailing whitespace. + 5. **Output:** The action returns the JSON result and the string result to the + Google SecOps platform. - 2. **Conversion**: For each IP address in the list, the script uses the `socket` - and `struct` libraries to convert the string representation into a 32-bit unsigned - integer. - 3. **Result Compilation**: The results are stored in a JSON dictionary mapping - the original IP to the integer, and also joined into a comma-separated string - for the main result value. + ### Additional Notes - 4. **Output**: The action returns the converted values and provides a summary - message in the execution log. + This action performs local calculations and does not interact with any external + APIs or Google SecOps entities. capabilities: can_create_case_comments: false can_create_insight: false @@ -585,44 +755,77 @@ IP to Integer: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Math Arithmetic: ai_description: >- - Performs basic arithmetic operations on two provided numeric arguments. This action - is designed to facilitate mathematical calculations within playbooks, supporting + ### General Description + + Performs basic arithmetic operations on two provided numeric arguments. This utility + action allows for mathematical calculations within a playbook flow, supporting addition, subtraction, multiplication, division, and modulo operations. - ### Parameters + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Function | ddl | Yes | The mathematical operation to perform. Options include: - Plus (addition), Sub (subtraction), Multi (multiplication), Div (division), and - Mod (modulo). | + | Function | DDL | Yes | The arithmetic operation to perform. Options include: + **Plus** (Addition), **Sub** (Subtraction), **Multi** (Multiplication), **Div** + (Division), and **Mod** (Modulo). | + + | Arg 1 | String | Yes | The first numeric value (integer or float) for the calculation. + | + + | Arg 2 | String | Yes | The second numeric value (integer or float) for the calculation. + | + - | Arg 1 | string | Yes | The first numeric value (integer or float) to be used - in the calculation. | + ### Additional Notes - | Arg 2 | string | Yes | The second numeric value (integer or float) to be used - in the calculation. | + This action is a local utility and does not interact with any external APIs or + Google SecOps entities. It processes the input parameters and returns the result + as a script output. ### Flow Description - 1. **Input Retrieval**: The action retrieves the selected mathematical function - and the two input arguments from the configuration. + 1. **Retrieve Parameters**: The action fetches the selected `Function` and the + two input arguments (`Arg 1` and `Arg 2`) from the configuration. - 2. **Type Conversion**: It attempts to parse the string inputs for 'Arg 1' and - 'Arg 2' into numeric types, prioritizing integers and falling back to floats if - necessary. + 2. **Data Parsing**: The input strings are parsed into numeric types (integers + or floats). - 3. **Execution**: The script executes the logic corresponding to the selected - function (e.g., adding the numbers if 'Plus' is selected). + 3. **Calculation**: Based on the selected `Function`, the action performs the + corresponding mathematical operation. - 4. **Completion**: The calculated result is returned as the action's output value, - accompanied by a status message describing the operation performed. + 4. **Output**: The action concludes by returning the calculated result and a formatted + message (e.g., "10 + 5 = 15") to the SOAR platform. capabilities: can_create_case_comments: false can_create_insight: false @@ -650,54 +853,59 @@ Math Arithmetic: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Math Functions: - ai_description: >- - ### General Description - - The **Math Functions** action provides a suite of built-in Python mathematical - operations to process numeric data within a playbook. It allows users to perform - calculations, formatting, and transformations on a list of numbers provided as - a comma-separated string. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **Function** | DDL | Yes | The mathematical operation to execute. Supported - options: `Max` (largest item), `Min` (smallest item), `Round` (rounds numbers), - `Sort` (sorts numbers), `Sum` (totals the items), `Float` (converts to floating - point), `Hex` (converts to hexadecimal), `Int` (converts to integer), `Abs` (absolute - value), and `Display` (adds comma separators). | - - | **Numbers** | String | Yes | A comma-separated list of numbers (e.g., "13.5, - -90, 566") to be processed by the selected function. | - - - ### Flow Description - - 1. **Input Parsing**: The action retrieves the `Numbers` string and splits it - by commas. It attempts to parse each element into a float or integer. - - 2. **Function Execution**: Based on the selected `Function` parameter, the action - applies the corresponding Python logic (e.g., `abs()`, `max()`, `sum()`, or string - formatting for `Display`). - - 3. **Result Generation**: The processed numbers are stored in a list. If the `Hex` - function is chosen, the action specifically filters for integer-compatible values. - - 4. **Output**: The action returns the result as a JSON array and sets the script - result value to the processed data (or a single value if only one result exists). - - - ### Additional Notes - - - This action does not interact with SecOps entities; it operates strictly on - the provided input parameters. - - - The `Hex` function requires integer inputs to function correctly. + ai_description: "### General Description\nThe **Math Functions** action provides\ + \ a suite of built-in Python mathematical operations that can be applied to a\ + \ list of numbers provided as a comma-separated string. This utility action is\ + \ designed for data transformation and calculation within a playbook, allowing\ + \ users to perform operations like finding the maximum value, summing a list,\ + \ or converting numbers to different formats (e.g., Hexadecimal or Integer) without\ + \ writing custom code.\n\n### Parameters Description\n| Parameter | Type | Mandatory\ + \ | Description |\n| :--- | :--- | :--- | :--- |\n| **Function** | DDL | Yes |\ + \ The specific mathematical operation to perform. Options include: `Max`, `Min`,\ + \ `Round`, `Sort`, `Sum`, `Float`, `Hex`, `Int`, `Abs`, and `Display`. |\n| **Numbers**\ + \ | String | Yes | A comma-separated list of numbers (e.g., \"10, 20.5, -5\")\ + \ to be processed by the selected function. |\n\n### Flow Description\n1. **Input\ + \ Retrieval:** The action retrieves the comma-separated string of numbers and\ + \ the selected function name from the action parameters.\n2. **Parsing:** The\ + \ input string is split by commas, and each element is parsed into either a float\ + \ or an integer. \n3. **Execution:** The action executes the logic corresponding\ + \ to the selected `Function`:\n * **Abs/Float/Int/Round:** Iterates through\ + \ the list and applies the transformation to each number.\n * **Display:**\ + \ Formats numbers with commas for better readability (e.g., 1000 becomes 1,000).\n\ + \ * **Hex:** Converts integer values to their hexadecimal representation.\n\ + \ * **Max/Min/Sum:** Calculates a single aggregate value from the entire list.\n\ + \ * **Sort:** Returns the list of numbers sorted in ascending order.\n4. **Output:**\ + \ The processed results are added to the action's JSON output and the final script\ + \ result is returned to the SOAR platform.\n\n### Additional Notes\n* This action\ + \ does not interact with external APIs or SecOps entities; it operates strictly\ + \ on the input provided in the parameters.\n* If the `Hex` function is selected,\ + \ the action specifically attempts to parse inputs as integers." capabilities: can_create_case_comments: false can_create_insight: false @@ -725,13 +933,38 @@ Math Functions: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: ai_description: >- ### General Description - Verifies the connectivity and availability of the Functions integration within - the Google SecOps environment. This action serves as a basic health check to ensure - that the integration is correctly configured and can execute scripts. + Verifies the connectivity and availability of the integration within the Google + SecOps environment. This action serves as a basic health check to ensure that + the integration is correctly installed and the SOAR platform can execute its scripts. ### Parameters Description @@ -741,16 +974,16 @@ Ping: ### Additional Notes - This action is a standard utility used primarily for troubleshooting or initial - setup verification. It does not interact with external APIs or modify any data. + This action does not interact with any external APIs or modify any data. It is + purely for connectivity verification. ### Flow Description - 1. **Initialization**: The action initializes the Siemplify SDK context. + 1. **Initialization**: The action initializes the Siemplify SDK environment. - 2. **Execution**: The action immediately concludes by returning a success message - ('Siemplify is connected') to the Google SecOps platform. + 2. **Connectivity Check**: The action immediately concludes, returning a success + message to confirm that the execution environment is functional. capabilities: can_create_case_comments: false can_create_insight: false @@ -778,14 +1011,40 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Run JSONPath Query: ai_description: >- ### General Description - The **Run JSONPath Query** action is a utility designed to parse a JSON string - and extract specific values based on a provided JSONPath expression. It leverages - the `jsonpath-ng` library to navigate complex JSON structures, making it highly - useful for data transformation and extraction within playbooks. + The **Run JSONPath Query** action allows users to execute JSONPath expressions + against a provided JSON string to extract specific values or subsets of data. + This is a utility action used for data parsing and transformation within playbooks, + enabling analysts to isolate relevant information from complex JSON payloads returned + by other integrations. ### Parameters Description @@ -794,37 +1053,34 @@ Run JSONPath Query: | :--- | :--- | :--- | :--- | - | **Json** | Code/String | Yes | The raw JSON string that you want to query. | + | Json | code | Yes | The raw JSON string that the query will be executed against. + | - | **JSONPath Expression** | String | Yes | The JSONPath expression used to locate - and extract data from the input JSON. | + | JSONPath Expression | string | Yes | The JSONPath syntax used to navigate and + filter the JSON structure (e.g., `$.store.book[*].author`). | ### Flow Description - 1. **Parameter Extraction**: The action retrieves the input JSON string and the - JSONPath expression from the action parameters. + 1. **Parameter Extraction:** The action retrieves the input JSON string and the + JSONPath expression from the user-defined parameters. - 2. **JSON Parsing**: The input string is converted into a Python dictionary or - list structure. + 2. **JSON Parsing:** The input string is converted into a structured JSON object. - 3. **Expression Evaluation**: The JSONPath expression is parsed and applied against - the JSON data. + 3. **Expression Parsing:** The JSONPath expression is parsed using the `jsonpath-ng` + library. - 4. **Result Compilation**: All matching values found by the expression are collected - into a list under the key `matches`. + 4. **Query Execution:** The parsed expression is applied to the JSON object to + find all matching elements. - 5. **Output**: The resulting JSON object containing the matches is returned to - the SOAR platform for use in subsequent playbook steps. + 5. **Result Compilation:** All matching values are collected into a list and returned + as a JSON result under the `matches` key. ### Additional Notes - - This action is a pure data processing function and does not interact with external - APIs or Google SecOps entities. - - - If the input JSON is malformed or the JSONPath expression is invalid, the action - will fail with an error. + This action is a local utility and does not interact with any external APIs or + modify any Google SecOps entities or case data. capabilities: can_create_case_comments: false can_create_insight: false @@ -852,15 +1108,40 @@ Run JSONPath Query: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false SanitizeHTML: ai_description: >- ### General Description The **SanitizeHTML** action is a utility designed to clean and sanitize HTML fragments. - It uses the `bleach` library to parse HTML according to the HTML5 standard, stripping - or escaping tags, attributes, and CSS styles that are not explicitly permitted. - This is primarily used to prevent Cross-Site Scripting (XSS) or to clean up malformed - HTML data retrieved from external sources. + It uses the HTML5 parsing algorithm to ensure that the output is safe and well-formed. + This is particularly useful for processing potentially malicious or malformed + HTML content from emails or web logs before displaying it or using it in other + processes. ### Parameters Description @@ -869,45 +1150,44 @@ SanitizeHTML: | :--- | :--- | :--- | :--- | - | **Input HTML** | String | Yes | The HTML fragment that needs to be sanitized. - | + | **Input HTML** | String | Yes | The HTML fragment that will be sanitized. | | **Tags** | String | No | A comma-separated list of allowed HTML tags. Tags not in this list will be escaped or stripped. Default includes common safe tags like - `a`, `p`, `div`, etc. | + `a`, `b`, `p`, `div`, etc. | - | **Attributes** | String | No | A comma-separated list of allowed HTML attributes. - | + | **Attributes** | String | No | A comma-separated list of allowed attributes + (e.g., `href`, `src`). | | **Styles** | String | No | A comma-separated list of allowed CSS properties - (e.g., `color`, `background-color`). | + (e.g., `color`, `font-size`) if the `style` attribute is permitted. | - | **Allow All Attributes** | Boolean | No | If set to `True`, the action will - allow all attributes on the permitted tags. | + | **Allow All Attributes** | Boolean | No | If set to `True`, all attributes will + be allowed for the permitted tags. Default is `False`. | - ### Additional Notes + ### Flow Description - - If no `Tags` are provided, the action uses a default set of safe tags defined - in the integration. + 1. **Parameter Extraction**: The action retrieves the input HTML and the configuration + for allowed tags, attributes, and styles. - - The action logic also checks for `Allow All Tags` and `Allow All Styles` parameters - in the code, though they may not be exposed in all configuration versions. + 2. **Sanitization Configuration**: Based on the provided parameters, the action + configures the `bleach` sanitization engine. It handles various combinations of + allowed tags, attributes, and CSS properties. + 3. **Processing**: The input HTML is parsed and sanitized according to the defined + rules. Misnested or unclosed tags are corrected. - ### Flow Description + 4. **Output**: The sanitized HTML string is returned as the action result. - 1. **Parameter Extraction**: The action retrieves the input HTML and the configuration - for allowed tags, attributes, and styles from the action parameters. - 2. **Sanitization Configuration**: It parses the comma-separated strings into - lists and initializes a CSS sanitizer if specific styles are allowed. + ### Additional Notes - 3. **Processing**: It applies the `bleach.clean` method to the input HTML, filtering - it against the defined allow-lists for tags, attributes, and CSS properties. + - The action code contains logic for `Allow All Tags` and `Allow All Styles`, + but these parameters are not defined in the standard configuration. - 4. **Completion**: The sanitized HTML string is returned as the action's result - value, and a success message is logged. + - If no specific tags or attributes are provided, the action defaults to a safe + set of standard HTML tags. capabilities: can_create_case_comments: false can_create_insight: false @@ -935,14 +1215,40 @@ SanitizeHTML: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false String Functions: ai_description: >- ### General Description - This action provides a suite of Python-based string manipulation utilities designed - to transform, analyze, or format strings within a playbook. It allows users to - perform common operations like case conversion, regex matching, and base64 encoding/decoding - on a provided input string without requiring custom script blocks. + This action provides a suite of Python-based string manipulation utilities for + use within playbooks. It allows analysts to transform, format, and validate text + data without writing custom code. Supported operations include case conversion, + whitespace trimming, regex-based searching and replacement, base64 encoding/decoding, + and string splitting. ### Parameters Description @@ -951,50 +1257,54 @@ String Functions: | :--- | :--- | :--- | :--- | - | Input | String | Yes | The source string to be processed. | + | Input | string | Yes | The source text string to be processed. | - | Function | DDL | Yes | The specific string operation to apply. Options include: - Lower, Upper, Count, Find, IsAlpha, IsDigit, Replace, Strip, Title, Regex Replace, - JSON Serialize, Regex, Split, DecodeBase64, EncodeBase64, and RemoveNewLines. - | + | Function | ddl | Yes | The specific operation to perform. Options include: `Lower`, + `Upper`, `Count`, `Find`, `IsAlpha`, `IsDigit`, `Replace`, `Strip`, `Title`, `Regex + Replace`, `JSON Serialize`, `Regex`, `Split`, `DecodeBase64`, `EncodeBase64`, + `RemoveNewLines`. | - | Param 1 | String | No | The first contextual argument required by some functions - (e.g., the substring to count, the regex pattern, or the delimiter for splitting). - | + | Param 1 | string | No | The primary argument for the selected function (e.g., + the search pattern for `Find`, the regex pattern for `Regex`, or the encoding + type for `EncodeBase64`). | - | Param 2 | String | No | The second contextual argument required by some functions - (e.g., the replacement string for 'Replace' or the join character for 'Regex'). - | + | Param 2 | string | No | The secondary argument for the selected function (e.g., + the replacement string for `Replace` or the join delimiter for `Regex`). | ### Additional Notes - - The placeholder `_SPACE_` can be used in `Param 1` and `Param 2` for the 'Replace' - and 'Regex Replace' functions; it will be automatically converted to a literal - space character before processing. + - **Placeholders:** For `Replace` and `Regex Replace` functions, the string `_SPACE_` + can be used in `Param 1` or `Param 2` to represent a literal space character. - - For 'DecodeBase64' and 'EncodeBase64', `Param 1` defaults to 'UTF-8' if not - specified or if it doesn't match 'UTF-8' or 'ASCII'. + - **Base64 Encoding:** `DecodeBase64` and `EncodeBase64` default to `UTF-8` if + `Param 1` is not explicitly set to `UTF-8` or `ASCII`. - - The 'Split' function will default to a comma (`,`) delimiter if `Param 1` is - not provided. + - **Split Output:** When using the `Split` function, the resulting list is also + provided as a JSON result (`JsonResult`) for easier downstream processing. ### Flow Description - 1. **Parameter Retrieval**: The action fetches the `Input` string, the selected - `Function`, and any optional arguments (`Param 1`, `Param 2`). - - 2. **Placeholder Normalization**: For replacement-based functions, it substitutes - the `_SPACE_` placeholder with actual space characters. - - 3. **Logic Execution**: The action executes the specific Python string method - or library function (e.g., `re`, `base64`, `json`) corresponding to the user's - selection. - - 4. **Result Output**: The transformed string or boolean result is returned to - the SOAR platform. For the 'Split' function, the resulting list is also attached - as a JSON result. + 1. **Initialization:** The action retrieves the `Input` string and the selected + `Function` from the parameters. + + 2. **Argument Preparation:** It fetches optional `Param 1` and `Param 2` values + required by specific functions. + + 3. **Execution:** The action executes the corresponding Python logic based on + the `Function` parameter: + - **Basic Transforms:** Performs `lower()`, `upper()`, `strip()`, or `title()` + on the input. + - **Search/Count:** Uses `count()` or `find()` to locate substrings. + - **Validation:** Checks string properties using `isalpha()` or `isdigit()`. + - **Replacement:** Performs standard or regex-based replacements, handling + the `_SPACE_` placeholder. + - **Encoding/Serialization:** Handles Base64 operations or JSON serialization. + - **Regex/Split:** Extracts matches using regex or splits the string into + a list based on a delimiter. + 4. **Completion:** The transformed string is returned as the `ScriptResult`, and + an informative message is generated for the action output. capabilities: can_create_case_comments: false can_create_insight: false @@ -1022,35 +1332,85 @@ String Functions: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Time Duration Calculator: - ai_description: "### General Description\nThe **Time Duration Calculator** is a\ - \ utility action designed to calculate the precise time difference between two\ - \ date-time inputs. It supports various input formats and can dynamically use\ - \ the current system time as one of the comparison points. The action outputs\ - \ the duration in a human-readable format (years, days, hours, minutes, seconds)\ - \ and provides the total duration in seconds as the primary result value.\n\n\ - ### Parameters Description\n| Parameter Name | Type | Mandatory | Description\ - \ |\n| :--- | :--- | :--- | :--- |\n| Input DateTime 1 | String | Yes | The first\ - \ datetime value to compare. Supports specific date strings or the keyword \"\ - now\" for the current UTC time. |\n| Input DateTime 1 Format | String | Yes |\ - \ The `strftime` format used to parse Input DateTime 1 (e.g., `%Y-%m-%dT%H:%M:%S%z`).\ - \ |\n| Input DateTime 2 | String | Yes | The second datetime value to compare.\ - \ Supports specific date strings or the keyword \"now\" for the current UTC time.\ - \ |\n| Input DateTime 2 Format | String | Yes | The `strftime` format used to\ - \ parse Input DateTime 2 (e.g., `%Y-%m-%dT%H:%M:%S%z`). |\n\n### Additional Notes\n\ - - If a provided datetime string does not include timezone information, the action\ - \ automatically localizes it to UTC to ensure accurate calculations.\n- The action\ - \ is purely mathematical and does not interact with external APIs or modify SecOps\ - \ entities.\n\n### Flow Description\n1. **Parameter Extraction:** The action retrieves\ - \ the two input datetime strings and their corresponding format strings from the\ - \ environment.\n2. **Datetime Parsing:** \n - If an input is set to \"now\"\ - , the current UTC time is captured.\n - Otherwise, the string is parsed using\ - \ the provided `strftime` format.\n - Timezone awareness is checked; if the\ - \ object is naive, it is localized to UTC.\n3. **Duration Calculation:** The action\ - \ calculates the delta between the two datetime objects.\n4. **Data Breakdown:**\ - \ The total delta is decomposed into years, days, hours, minutes, and seconds.\n\ - 5. **Output Generation:** The action populates a JSON result with the breakdown\ - \ and sets the total seconds as the main script result." + ai_description: >- + ### General Description + + Calculates the elapsed time or difference between two date-time values. This utility + action is useful for determining the duration of an event, the age of an alert, + or the time between two specific log entries within a playbook. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Input DateTime 1 | String | Yes | The first input datetime value. Supports strftime + format or "now" for the current time. | + + | Input DateTime 1 Format | String | Yes | The strftime format (e.g., `%Y-%m-%dT%H:%M:%S%z`) + used to parse Input DateTime 1. | + + | Input DateTime 2 | String | Yes | The second input datetime value. Supports + strftime format or "now" for the current time. | + + | Input DateTime 2 Format | String | Yes | The strftime format used to parse Input + DateTime 2. | + + + ### Flow Description + + 1. **Parameter Extraction**: Retrieves the two date-time strings and their respective + formats from the action parameters. + + 2. **Date Parsing**: Converts the input strings into timezone-aware Python datetime + objects. If "now" is provided, the current UTC time is used. If a string is provided + without timezone info, it is localized to UTC. + + 3. **Duration Calculation**: Calculates the difference between the two datetime + objects. + + 4. **Formatting**: Breaks down the total duration into years, days, hours, minutes, + and seconds. + + 5. **Output Generation**: Returns a JSON object containing the breakdown and a + human-readable summary string. The action's main result value is set to the total + number of seconds. + + + ### Additional Notes + + - This action does not interact with external APIs or SecOps entities. + + - Ensure the format strings match the input date-time strings exactly to avoid + parsing errors. capabilities: can_create_case_comments: false can_create_insight: false @@ -1078,40 +1438,69 @@ Time Duration Calculator: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false XMLtoJson: ai_description: >- - ### General Description + The XMLtoJson action is a utility function designed to convert XML-formatted strings + into JSON objects. This is particularly useful in automation playbooks when interacting + with legacy systems or APIs that return data in XML format, allowing subsequent + actions to easily access and manipulate the data using JSON keys. - The **XMLtoJson** action is a utility function designed to convert XML-formatted - strings into JSON objects. This is particularly useful for parsing responses from - legacy systems or APIs that return data in XML format, allowing subsequent playbook - steps to easily access the data using JSON path notation. + ### Flow Description - ### Parameters Description + 1. **Parameter Extraction**: The action retrieves the `xml` string provided by + the user or a previous playbook step. - | Parameter | Type | Mandatory | Description | + 2. **Parsing**: It utilizes the `xmltodict` library to parse the XML string into + a Python dictionary. - | :--- | :--- | :--- | :--- | + 3. **Result Output**: The resulting dictionary is attached to the action's execution + results as a JSON object, making it available for downstream playbook tasks. - | **xml** | String | Yes | The XML formatted string that needs to be converted - to JSON. | + 4. **Error Handling**: If the XML is malformed or parsing fails, the action catches + the exception, marks the execution as failed, and provides the error message in + the output. - ### Flow Description + ### Parameters Description - 1. **Parameter Extraction**: The action retrieves the XML string provided in the - `xml` input parameter. + | Parameter Name | Expected Type | Mandatory | Description | - 2. **Parsing**: It utilizes the `xmltodict` library to parse the XML string into - a structured Python dictionary. + | :--- | :--- | :--- | :--- | + + | xml | string | Yes | The raw XML string that needs to be converted into JSON + format. | - 3. **Result Attachment**: The resulting dictionary is added to the action's execution - results as a JSON object via `add_result_json`. - 4. **Completion**: The action concludes by returning the JSON data and a success - status. If the XML is malformed and cannot be parsed, the action flags an execution - failure and returns the error message. + ### Additional Notes + + - This action does not interact with any external APIs or Google SecOps entities; + it is a pure data transformation utility. capabilities: can_create_case_comments: false can_create_insight: false @@ -1139,3 +1528,28 @@ XMLtoJson: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/power_ups/functions/resources/ai/integration_ai_description.yaml b/content/response_integrations/power_ups/functions/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..0801c7556 --- /dev/null +++ b/content/response_integrations/power_ups/functions/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/power_ups/git_sync/resources/ai/actions_ai_description.yaml b/content/response_integrations/power_ups/git_sync/resources/ai/actions_ai_description.yaml index 2204aaf73..a5d849560 100644 --- a/content/response_integrations/power_ups/git_sync/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/power_ups/git_sync/resources/ai/actions_ai_description.yaml @@ -1,40 +1,49 @@ Ping: ai_description: >- - ### General Description + Tests the connectivity and configuration for the GitSync integration. This action + verifies that the Google SecOps environment can successfully communicate with + both the internal Chronicle SOAR API and the external Git repository using the + provided credentials and settings. - The **Ping** action is a diagnostic tool used to verify the connectivity and configuration - of the GitSync integration. It ensures that the Google SecOps environment can - successfully communicate with both the internal Chronicle SOAR API and the external - Git repository (via SSH or HTTPS) using the provided credentials and settings. + ### Flow Description: - ### Parameters Description + 1. **Parameter Extraction:** Retrieves integration configuration parameters including + Repository URL, Branch, Git credentials, and SOAR API credentials. - This action does not have any action-specific input parameters. It utilizes the - global integration configuration parameters, such as the Repository URL, Branch, - Git Credentials, and SOAR API credentials, to perform its connectivity tests. + 2. **Validation:** Validates the 'Commit Author' format using a regular expression + to ensure it follows the 'Name ' pattern. + 3. **SOAR Connectivity Test:** Attempts to connect to the Chronicle SOAR API and + retrieves the system version to verify the 'SOAR Username' and 'SOAR Password'. - ### Flow Description + 4. **Git Connectivity & Fingerprint Verification:** If a 'Git Server Fingerprint' + is provided, the action connects to the Git server to verify the host key fingerprint + (supporting SHA256 and MD5) and ensures the repository is accessible. - 1. **Configuration Loading**: The action retrieves integration-level settings, - including repository details, authentication tokens, and SSL verification preferences. + 5. **Result Reporting:** Returns 'True' if all connectivity tests pass; otherwise, + it raises an exception with details about the failure. - 2. **Author Format Validation**: It validates the `Commit Author` string against - a specific regex pattern (`Name `) to ensure future commits - will be valid. - 3. **SOAR API Connectivity Test**: It attempts to connect to the Chronicle SOAR - API and retrieve the current system version. A failure here indicates incorrect - SOAR credentials or network issues. + ### Parameters Description: - 4. **Git Repository Connectivity Test**: If a `Git Server Fingerprint` is provided, - the action connects to the remote Git server to verify the SSH host key and attempts - to fetch the repository's head tree. This verifies both the network path and the - Git credentials (SSH key or Token). + | Parameter Name | Expected Type | Mandatory | Description | - 5. **Final Status**: If all checks pass, the action completes successfully, confirming - the integration is ready for use. + | :--- | :--- | :--- | :--- | + + | None | N/A | N/A | This action does not take any input parameters; it relies + entirely on the Integration Configuration settings. | + + + ### Additional Notes: + + - This action is primarily used for troubleshooting and initial setup verification. + + - It supports both SSH (via private keys) and HTTP/HTTPS (via passwords or tokens) + for Git authentication. + + - Fingerprint verification is optional but recommended for SSH connections to + prevent Man-in-the-Middle (MitM) attacks. capabilities: can_create_case_comments: false can_create_insight: false @@ -62,3 +71,28 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/power_ups/git_sync/resources/ai/integration_ai_description.yaml b/content/response_integrations/power_ups/git_sync/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..0801c7556 --- /dev/null +++ b/content/response_integrations/power_ups/git_sync/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/power_ups/git_sync/resources/ai/jobs_ai_description.yaml b/content/response_integrations/power_ups/git_sync/resources/ai/jobs_ai_description.yaml new file mode 100644 index 000000000..712a87d8b --- /dev/null +++ b/content/response_integrations/power_ups/git_sync/resources/ai/jobs_ai_description.yaml @@ -0,0 +1,962 @@ +Pull Connector: + ai_description: >- + ### General Description + + The **Pull Connector** job is a maintenance and synchronization utility within + the **GitSync** integration. Its primary purpose is to retrieve a specific connector's + configuration from a Git repository and install or update it within the Google + SecOps (Chronicle) SOAR platform. This ensures that connector settings, including + environment-specific configurations and integration versions, are kept in sync + with a version-controlled source of truth. Additionally, the job can optionally + pull and install associated dependencies such as Visual Families and Ontology + Mappings to ensure the connector is fully operational upon import. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Repo URL | String | No | Optional parameter to override the Git repository URL + configured in the integration instance. | + + | Branch | String | No | Optional parameter to override the Git branch configured + in the integration instance. | + + | Git Server Fingerprint | String | No | Optional parameter to override the SSH + server fingerprint (SHA256 or MD5) for secure Git connections. | + + | Connector Name | String | Yes | The exact name of the connector to be pulled + from the repository. | + + | Include Visual Families | Boolean | No | If set to `true`, the job will identify + and install custom visual families associated with the connector's mappings. | + + | Include Mappings | Boolean | No | If set to `true`, the job will install the + ontology mapping rules (event-to-visual-family associations) for the connector's + integration. | + + + ### Flow Description + + 1. **Initialization**: The job initializes the `GitSyncManager` using the provided + repository URL, branch, and credentials. It extracts the target connector name + and dependency flags. + + 2. **Repository Retrieval**: It connects to the Git repository and searches for + the connector's JSON configuration file within the `Connectors/` directory. + + 3. **Connector Installation**: If the connector is found, the job installs or + updates the connector instance in the SOAR platform. It also checks if the installed + integration version matches the connector's requirements, flagging updates if + necessary. + + 4. **Dependency Analysis**: If either `Include Visual Families` or `Include Mappings` + is enabled, the job retrieves the mapping definitions associated with the connector's + parent integration from the repository. + + 5. **Visual Family Sync**: If `Include Visual Families` is active, the job identifies + visual families referenced in the mappings that are not yet present in the SOAR + platform and installs them. + + 6. **Mapping Sync**: If `Include Mappings` is active, the job installs the ontology + records and rules, ensuring events are correctly mapped to the appropriate visual + families. + + 7. **Completion**: The job logs the success of the installation and terminates + the script. +Pull Content: + ai_description: "### General Description\nThis job is a core component of the GitSync\ + \ integration, designed to synchronize security operations content from a Git\ + \ repository into the Google SecOps (Chronicle) SOAR platform. It facilitates\ + \ 'Configuration as Code' by allowing administrators to deploy, update, and manage\ + \ various SOAR resources\u2014including playbooks, integrations, connectors, and\ + \ environment settings\u2014directly from a version-controlled repository. The\ + \ job ensures that the local SOAR environment matches the state defined in Git,\ + \ supporting automated deployment pipelines and environment consistency.\n\n###\ + \ Parameters Description\n| Parameter | Type | Mandatory | Description |\n| :---\ + \ | :--- | :--- | :--- |\n| Repo URL | String | No | Optional parameter to override\ + \ the repository URL configured in the integration instance. |\n| Branch | String\ + \ | No | Optional parameter to override the target Git branch. |\n| Git Server\ + \ Fingerprint | String | No | Optional parameter to override the SSH fingerprint\ + \ for server verification. |\n| Integrations | Boolean | Yes | If true, pulls\ + \ and installs custom integrations and custom code from the repository. |\n| Playbooks\ + \ | Boolean | Yes | If true, pulls and updates playbooks and blocks based on their\ + \ names. |\n| Jobs | Boolean | Yes | If true, pulls and installs job definitions.\ + \ |\n| Connectors | Boolean | Yes | If true, pulls and installs connector instances.\ + \ |\n| Integration Instances | Boolean | Yes | If true, synchronizes integration\ + \ instances across environments. Note: Passwords may be overwritten. |\n| Visual\ + \ Families | Boolean | Yes | If true, synchronizes custom visual families for\ + \ the ontology. |\n| Mappings | Boolean | Yes | If true, synchronizes event-to-ontology\ + \ mapping rules. |\n| Environments | Boolean | Yes | If true, creates or updates\ + \ environment records. |\n| Dynamic Parameters | Boolean | Yes | If true, synchronizes\ + \ environment-specific dynamic parameters. |\n| Logo | Boolean | Yes | If true,\ + \ pulls and updates the custom company logo. |\n| Case Tags | Boolean | Yes |\ + \ If true, synchronizes case tag definitions. |\n| Case Stages | Boolean | Yes\ + \ | If true, synchronizes case stage definitions. |\n| Case Title Settings | Boolean\ + \ | Yes | If true, synchronizes settings for automatic case titling. |\n| Case\ + \ Close Reasons | Boolean | Yes | If true, synchronizes custom root causes and\ + \ close reasons. |\n| Networks | Boolean | Yes | If true, synchronizes network\ + \ CIDR and metadata definitions. |\n| Domains | Boolean | Yes | If true, synchronizes\ + \ domain alias records. |\n| Custom Lists | Boolean | Yes | If true, synchronizes\ + \ tracking/custom lists. |\n| Email Templates | Boolean | Yes | If true, synchronizes\ + \ email templates used in playbooks. |\n| Blacklists | Boolean | Yes | If true,\ + \ synchronizes blocklist/denylist records. |\n| SLA Records | Boolean | Yes |\ + \ If true, synchronizes SLA definition records. |\n| Simulated Cases | Boolean\ + \ | Yes | If true, pulls and imports simulated cases for testing. |\n\n### Flow\ + \ Description\n1. **Initialization**: The job initializes the `GitSyncManager`,\ + \ which clones or pulls the specified Git repository and branch to a temporary\ + \ local directory.\n2. **Parameter Extraction**: It extracts all feature flags\ + \ (boolean parameters) to determine which specific content types should be synchronized\ + \ during the run.\n3. **Environment Setup**: The job first processes foundational\ + \ settings, including Environment Dynamic Parameters and Environment records,\ + \ ensuring the target infrastructure is ready.\n4. **Core Content Installation**:\ + \ It iterates through logic-heavy components, installing or updating Integrations,\ + \ Connectors, Jobs, and Playbooks. For playbooks, it handles dependency ordering\ + \ (installing blocks before playbooks).\n5. **Ontology and Mapping**: The job\ + \ synchronizes Visual Families and Mappings to ensure data is correctly visualized\ + \ and parsed within the platform.\n6. **Platform Configuration**: It updates administrative\ + \ settings such as Case Tags, Stages, Close Reasons, Title Settings, and SLA Records.\n\ + 7. **Data and Assets**: The job synchronizes operational data including Networks,\ + \ Domains, Custom Lists, Email Templates, Blacklists, and the company Logo.\n\ + 8. **Validation and Cleanup**: Throughout the process, the job uses an ID validator\ + \ to match Git resources with existing SOAR resources by name, ensuring updates\ + \ occur rather than duplicate creations. Finally, it cleans up temporary files\ + \ and closes the Git connection." +Pull Custom Family: + ai_description: >- + ### General Description + + The **Pull Custom Family** job is part of the **GitSync** integration. Its primary + purpose is to import or update a specific Visual Family configuration from a Git + repository into the Google SecOps (Chronicle) SOAR platform. This job enables + teams to maintain their ontology and visualization settings as code, ensuring + consistency across different environments by pulling version-controlled family + definitions (including rules and icons) directly from a repository. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Repo URL | String | No | Optional parameter to override the repository URL defined + in the integration instance settings. | + + | Branch | String | No | Optional parameter to override the Git branch defined + in the integration instance settings. | + + | Git Server Fingerprint | String | No | Optional parameter to override the SSH + server fingerprint for host verification. | + + | Family Name | String | Yes | The exact name of the visual family to be retrieved + from the repository and imported into the platform. | + + + ### Flow Description + + 1. **Parameter Extraction**: The job retrieves the mandatory `Family Name` and + optional Git configuration overrides from the job settings. + + 2. **Git Initialization**: It initializes the `GitSyncManager`, which clones or + pulls the latest changes from the specified Git repository to a temporary working + directory. + + 3. **Content Retrieval**: The job searches the repository's internal structure + (specifically under the `Ontology/VisualFamilies/` path) for a JSON definition + matching the provided `Family Name`. + + 4. **Platform Update**: If the family definition is found, the job sends the raw + configuration data to the Google SecOps API using the `AddOrUpdateVisualFamily` + endpoint. + + 5. **Completion**: The job logs whether the family was successfully updated or + if it could not be found in the repository, then cleans up temporary resources. +Pull Integration: + ai_description: >- + ### General Description + + This job automates the synchronization of integrations from a Git repository to + the Google SecOps (Chronicle) SOAR platform. It allows administrators to pull + specific integrations defined in a whitelist, ensuring that custom code, actions, + connectors, and jobs are updated or installed directly from version control. The + job supports both custom integrations (imported as full packages) and commercial + integrations (where specific custom components are updated). + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Install Whitelist | String | Yes | A comma-separated list of integration identifiers + (e.g., "VirusTotal, ServiceNow") to be pulled and installed from the Git repository. + | + + | Repo URL | String | No | Optional parameter to override the repository URL configured + in the GitSync integration instance. | + + | Branch | String | No | Optional parameter to override the Git branch configured + in the GitSync integration instance. | + + | Git Server Fingerprint | String | No | Optional parameter to override the SSH + server fingerprint (SHA256 or MD5) for host verification. | + + + ### Flow Description + + 1. **Initialization**: The job parses the `Install Whitelist` to identify which + integrations need to be processed. + + 2. **Git Connection**: It establishes a connection to the Git repository using + the provided overrides or the default integration instance settings (URL, Branch, + Credentials). + + 3. **Repository Sync**: The job clones or pulls the latest state of the repository + into a temporary working directory. + + 4. **Integration Retrieval**: For each integration in the whitelist, the job searches + the repository's `Integrations/` directory for the corresponding definition and + source files. + + 5. **Installation Logic**: + * **Custom Integrations**: If the integration is marked as custom, the job + packages the files into a ZIP and imports them into the SOAR platform using the + `ImportPackage` API. + * **Commercial Integrations**: If the integration is commercial, the job ensures + it is installed (attempting to install from the Marketplace if missing) and then + iterates through custom Actions, Jobs, Connectors, and Managers to update their + logic in the IDE. + 6. **Completion**: The job logs the installation status for each item and cleans + up the temporary working directory. +Pull Jobs: + ai_description: >- + ### General Description + + The **Pull Jobs** job is a maintenance utility within the **GitSync** integration + designed to synchronize job definitions from a Git repository to the Google SecOps + (Chronicle) environment. It allows administrators to manage SOAR jobs as code, + ensuring that automation scripts and their configurations are version-controlled + and consistently deployed across different environments. The job fetches job metadata + from the repository and performs an "upsert" (update or insert) operation in the + local SOAR instance. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Job Whitelist | String | Yes | A comma-separated list of job names to pull from + the Git repository. Only jobs specified in this list will be processed. | + + | Repo URL | String | No | Optional parameter to override the repository URL configured + in the integration instance. | + + | Branch | String | No | Optional parameter to override the Git branch configured + in the integration instance. | + + | Git Server Fingerprint | String | No | Optional parameter to override the SSH + server fingerprint (SHA256 or MD5) for host verification. | + + + ### Flow Description + + 1. **Parameter Extraction**: The job parses the `Job Whitelist` to identify which + specific jobs need to be imported. + + 2. **Git Initialization**: It initializes the `GitSyncManager`, which clones or + pulls the latest changes from the configured Git repository into a temporary working + directory. + + 3. **Content Retrieval**: For each job name in the whitelist, the job searches + the repository's `Jobs/` directory for the corresponding JSON definition file. + + 4. **Dependency Validation**: It verifies that the integration associated with + the job is already installed in the SOAR environment. + + 5. **ID Resolution**: The job attempts to resolve the `jobDefinitionId` by querying + the IDE cards and checks if the job already exists locally to determine if an + update or a new creation is required. + + 6. **Installation**: It calls the SOAR API to save or update the job configuration + based on the data retrieved from Git. + + 7. **Completion**: The job logs the success or failure of each individual job + import and cleans up temporary resources. +Pull Mappings: + ai_description: "### General Description\nThe **Pull Mappings** job is a maintenance\ + \ and synchronization component of the **GitSync** integration. Its primary purpose\ + \ is to import and apply ontology mappings\u2014specifically event-to-visual-family\ + \ associations and mapping rules\u2014from a remote Git repository into the Google\ + \ SecOps (Chronicle) platform. This enables security teams to manage their event\ + \ categorization and visualization logic using version control, ensuring consistency\ + \ across different environments.\n\n### Parameters Description\n| Parameter |\ + \ Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Repo URL\ + \ | String | No | Optional parameter to override the Git repository URL configured\ + \ in the integration instance. |\n| Branch | String | No | Optional parameter\ + \ to override the Git branch used for pulling content. |\n| Git Server Fingerprint\ + \ | String | No | Optional parameter to override the SSH fingerprint for Git server\ + \ verification. |\n| Source | String | Yes | The integration identifier or vendor\ + \ name (e.g., 'MicrosoftSentinel'). The job pulls all mappings associated with\ + \ this specific source from the repository. |\n\n### Flow Description\n1. **Parameter\ + \ Extraction**: The job retrieves the `Source` parameter and optional Git configuration\ + \ overrides.\n2. **Git Synchronization**: It initializes the `GitSyncManager`,\ + \ which clones or pulls the latest changes from the specified Git repository to\ + \ a temporary local directory.\n3. **Content Retrieval**: The job utilizes the\ + \ `GitContentManager` to locate mapping files within the repository's structure,\ + \ specifically looking for `{Source}_Records.json` and `{Source}_Rules.json` under\ + \ the `Ontology/Mappings` path.\n4. **Rule Installation**: It parses the retrieved\ + \ mapping rules (family and system fields) and updates the Google SecOps ontology\ + \ via the API.\n5. **Visual Family Association**: The job iterates through the\ + \ mapping records and updates the platform's configuration to link specific products\ + \ and event names to their designated Visual Families.\n6. **Cleanup**: The temporary\ + \ working directory is cleaned up, and the script execution ends." +Pull Playbook: + ai_description: >- + ### General Description + + The **Pull Playbook** job is designed to synchronize specific playbooks and blocks + from a Git repository into the Google SecOps (Chronicle) environment. As part + of the **GitSync** integration, it enables teams to maintain playbooks in version + control and deploy them programmatically. The job allows for targeted synchronization + via a whitelist and can automatically resolve dependencies by pulling any blocks + referenced within the selected playbooks. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Repo URL | String | No | Overrides the repository URL defined in the integration + instance settings. | + + | Branch | String | No | Overrides the Git branch defined in the integration instance + settings. | + + | Git Server Fingerprint | String | No | Overrides the SSH server fingerprint + used for host verification. | + + | Playbook Whitelist | String | Yes | A comma-separated list of playbook names + to pull from the repository. | + + | Include Playbook Blocks | Boolean | Yes | If True, the job identifies and pulls + all blocks used by the playbooks in the whitelist to ensure full functionality. + | + + + ### Flow Description + + 1. **Environment Setup**: The job initializes the `GitSyncManager`, which handles + the connection to the Git provider and manages a temporary local clone of the + repository. + + 2. **Target Identification**: It parses the `Playbook Whitelist` to create a list + of specific playbooks to be imported. + + 3. **Content Fetching**: The job retrieves the JSON definitions for each specified + playbook from the repository's `Playbooks` directory. + + 4. **Dependency Analysis**: If `Include Playbook Blocks` is enabled, the job scans + the retrieved playbooks for any 'Block' type steps and fetches those block definitions + from the repository as well. + + 5. **Workflow Installation**: The collected playbooks and blocks are passed to + the `WorkflowInstaller`, which performs the following sub-tasks: + * **Environment Validation**: Ensures the target environments assigned to + the playbooks exist in the local SOAR instance. + * **Instance Mapping**: Automatically maps integration instances within playbook + steps to available instances in the local environment (supporting both static + and dynamic/AutomaticEnvironment modes). + * **Conflict Resolution**: Compares modification timestamps against a local + cache to determine if an update is required and warns if local changes are about + to be overwritten. + * **ID Synchronization**: Matches identifiers for existing playbooks to maintain + consistency or generates new UUIDs for new content. + 6. **Persistence**: The finalized playbook and block definitions are saved to + the Google SecOps platform, and the local modification cache is updated. +Pull Simulated Cases: + ai_description: >- + ### General Description + + This job imports specific simulated cases from a Git repository into the Google + SecOps platform. It enables security teams to maintain attack simulation content + in version control and synchronize it with their SOAR environment for consistent + testing and validation of detection and response capabilities. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Simulated Cases | String | Yes | A comma-separated list of simulated case names + to pull from the repository. | + + | Repo URL | String | No | Optional parameter to override the repository URL found + in the GitSync integration instance. | + + | Branch | String | No | Optional parameter to override the branch name found + in the GitSync integration instance. | + + | Git Server Fingerprint | String | No | Optional parameter to override the SSH + server fingerprint found in the GitSync integration instance. | + + + ### Flow Description + + 1. **Parameter Extraction**: The job parses the comma-separated list of simulated + case names provided in the job configuration. + + 2. **GitSync Initialization**: It initializes the GitSync manager, which clones + or pulls the latest changes from the specified Git repository and branch. + + 3. **Content Retrieval**: For each specified case name, the job searches the repository's + `SimulatedCases/` directory for the corresponding `.case` file. + + 4. **Import Execution**: The job reads the JSON content of the case file and uses + the Google SecOps API to import the simulated case into the platform. + + 5. **Logging**: Success or failure for each individual case import is logged to + the job output. +Push Connectors: + ai_description: >- + ### General Description + + This job exports specific connectors and their associated metadata from Google + SecOps to a Git repository. It enables version control for connector configurations + and scripts, allowing teams to maintain a history of changes and synchronize connector + settings across different environments. Beyond the connector itself, the job can + optionally include related ontology mappings and visual families to ensure a complete + export of the integration's logic. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Commit | String | Yes | The commit message to describe the changes in the Git + repository. | + + | Connectors | String | Yes | A comma-separated list of connector display names + to be pushed to the repository. | + + | Branch | String | No | Optional parameter to override the Git branch specified + in the integration instance. | + + | Git Server Fingerprint | String | No | Optional parameter to override the SSH + fingerprint for the Git server. | + + | Repo URL | String | No | Optional parameter to override the repository URL found + in the integration instance. | + + | Commit Author | String | No | Optional parameter to override the commit author + (format: `Name `). | + + | Include Visual Families | Boolean | No | If set to `true`, the job will also + export related visual families used by the connector's alerts. | + + | Include Mappings | Boolean | No | If set to `true`, the job will also export + related ontology mappings used by the connector's alerts. | + + | Readme Addon | String | No | Optional markdown text to append to the end of + the README file for all connectors pushed during this run. | + + + ### Flow Description + + 1. **Initialization**: The job extracts the provided parameters and initializes + the `GitSyncManager`, which handles the connection to the Git repository and local + workspace management. + + 2. **Connector Retrieval**: Fetches all installed connectors from the Google SecOps + platform and filters them based on the names provided in the `Connectors` parameter. + + 3. **Metadata Preparation**: For each matching connector, the job prepares the + connector's JSON definition and script. If a `Readme Addon` is provided, it updates + the GitSync metadata to include this text in the connector's documentation. + + 4. **Dependency Analysis**: If `Include Mappings` or `Include Visual Families` + is enabled, the job identifies the integration associated with the connector and + retrieves the corresponding ontology records and mapping rules. + + 5. **Asset Staging**: The job stages the connector files, and optionally the mapping + and visual family files, into the local repository structure. + + 6. **Commit and Push**: Finally, the job creates a Git commit with the specified + message and author, then pushes the changes to the remote repository branch. +Push Content: + ai_description: >- + ### General Description + + This job automates the process of exporting and synchronizing Google SecOps (Chronicle) + content and configurations to a remote Git repository. It serves as a version + control and backup mechanism, allowing administrators to push playbooks, integrations, + connectors, jobs, and various system settings (such as mappings, environments, + and case tags) to a centralized repository. The job supports granular control + over which content types are included and provides options for handling sensitive + data like passwords during the export process. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Commit | String | Yes | The commit message to be used for the Git push operation. + | + + | Repo URL | String | No | Optional override for the Git repository URL defined + in the integration instance. | + + | Branch | String | No | Optional override for the target Git branch. | + + | Git Server Fingerprint | String | No | Optional override for the SSH fingerprint + used to verify the Git server. | + + | Commit Author | String | No | Optional override for the commit author (Format: + Name ). | + + | Commit Passwords | Boolean | Yes | If true, includes passwords/secrets in the + exported integration instance settings. **Warning: Use with caution.** | + + | Integrations | Boolean | Yes | Whether to push all custom and commercial integrations. + | + + | Playbooks | Boolean | Yes | Whether to push all playbooks and blocks. | + + | Jobs | Boolean | Yes | Whether to push all defined maintenance and enrichment + jobs. | + + | Connectors | Boolean | Yes | Whether to push all configured connector instances. + | + + | Integration Instances | Boolean | Yes | Whether to push integration instance + configurations and settings. | + + | Visual Families | Boolean | Yes | Whether to push ontology visual family definitions. + | + + | Mappings | Boolean | Yes | Whether to push ontology mapping records and rules. + | + + | Environments | Boolean | Yes | Whether to push environment definitions. | + + | Dynamic Parameters | Boolean | Yes | Whether to push environment-specific dynamic + parameters. | + + | Logo | Boolean | Yes | Whether to push the platform's custom logo settings. + | + + | Case Tags | Boolean | Yes | Whether to push case tag definitions. | + + | Case Stages | Boolean | Yes | Whether to push case stage definitions. | + + | Case Title Settings | Boolean | Yes | Whether to push case title formatting + settings. | + + | Case Close Reasons | Boolean | Yes | Whether to push case closure reasons and + root causes. | + + | Networks | Boolean | Yes | Whether to push network range definitions. | + + | Domains | Boolean | Yes | Whether to push domain alias records. | + + | Custom Lists | Boolean | Yes | Whether to push custom tracking lists. | + + | Email Templates | Boolean | Yes | Whether to push email communication templates. + | + + | Blacklists | Boolean | Yes | Whether to push blocklist/denylist records. | + + | SLA Records | Boolean | Yes | Whether to push Service Level Agreement definitions. + | + + | Simulated Cases | Boolean | Yes | Whether to push simulated case data for testing. + | + + + ### Flow Description + + 1. **Initialization**: The job initializes the `GitSyncManager`, which clones + or pulls the latest changes from the specified Git repository and branch. + + 2. **Parameter Extraction**: It extracts the commit message and all boolean flags + to determine which content categories should be processed. + + 3. **Content Collection**: For each enabled category, the job queries the Google + SecOps API to retrieve the relevant data: + * **Integrations/Playbooks**: Exports packages and definitions, updating internal + references (like instance names) to ensure portability. + * **Settings**: Collects system-wide configurations like Networks, Domains, + SLA records, and Case Tags. + * **Secrets Handling**: If `Commit Passwords` is enabled, it attempts to retrieve + and include sensitive configuration values for integration instances. + 4. **Git Staging**: The collected content is transformed into structured JSON + or YAML files and staged within the local Git tree managed by the job. + + 5. **Documentation Generation**: Automatically generates or updates `README.md` + files for integrations, playbooks, and the repository root to provide human-readable + summaries of the exported content. + + 6. **Commit and Push**: Finalizes the process by committing the staged changes + with the provided message and pushing them to the remote Git server. +Push Custom Family: + ai_description: >- + ### General Description + + This job exports specific Visual Families (ontology definitions) from Google SecOps + to a Git repository. It enables version control, backup, and portability of custom + visualization rules, entity relations, and icons by staging the family's data + model, image, and documentation in a structured repository format. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Commit | String | Yes | The commit message to describe the changes in the Git + repository. | + + | Repo URL | String | No | Optional parameter to override the repository URL defined + in the integration instance. | + + | Branch | String | No | Optional parameter to override the target Git branch + defined in the integration instance. | + + | Git Server Fingerprint | String | No | Optional parameter to override the SSH + server fingerprint (SHA256 or MD5) for host verification. | + + | Commit Author | String | No | Optional parameter to override the commit author. + Must follow the format: `Name `. | + + | Family Name | String | Yes | A comma-separated list of Visual Family names to + be pushed to the repository. | + + | Readme Addon | String | No | Markdown text to append to the end of the README.md + file for all custom families pushed during this run. | + + + ### Flow Description + + 1. **Initialization**: The job initializes the GitSync manager, which clones or + pulls the target repository to a temporary working directory. + + 2. **Parameter Parsing**: It extracts the list of Visual Family names to export + and any optional overrides for Git configuration. + + 3. **Data Retrieval**: The job fetches all custom Visual Families from the Google + SecOps environment and filters them based on the provided names. + + 4. **Metadata Update**: If a `Readme Addon` is provided, the job updates the `GitSync.json` + metadata file to include the additional documentation for the selected families. + + 5. **Staging**: For each matching family, the job retrieves the full data model + (including rules and the base64-encoded icon) and stages the corresponding JSON, + PNG, and README files in the local repository tree. + + 6. **Synchronization**: Finally, the job performs a Git commit with the specified + message and pushes the changes to the remote repository branch. +Push Integration: + ai_description: >- + ### General Description + + This job automates the process of exporting and pushing specific integrations + from Google SecOps to a Git repository. It enables version control and backup + of SOAR content by synchronizing local integration definitions, scripts, and resources + with a remote Git server. The job allows for selective synchronization via a whitelist + and supports the addition of custom markdown content to the README files of the + pushed integrations. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Commit | String | Yes | The commit message to be used for the Git operation. + | + + | Push Whitelist | String | Yes | A comma-separated list of integration identifiers + (e.g., 'VirusTotal, ServiceNow') to be pushed to the repository. | + + | Repo URL | String | No | Optional parameter to override the repository URL configured + in the GitSync integration instance. | + + | Branch | String | No | Optional parameter to override the target branch name + configured in the GitSync integration instance. | + + | Git Server Fingerprint | String | No | Optional SSH fingerprint (SHA256 or MD5) + used to verify the identity of the Git server. | + + | Commit Author | String | No | Optional parameter to override the commit author + (format: 'Name '). | + + | Readme Addon | String | No | Markdown text that will be appended to the end + of the README file for every integration pushed during this execution. | + + + ### Flow Description + + 1. **Parameter Extraction**: The job retrieves the commit message, the list of + integrations to push (whitelist), and any optional overrides or README additions. + + 2. **Manager Initialization**: Initializes the `GitSyncManager`, which handles + the connection to the Git repository and the Google SecOps API. + + 3. **Integration Filtering**: Fetches all available integration 'IDE cards' from + the platform and filters them to include only those specified in the `Push Whitelist`. + + 4. **Package Export**: For each identified integration, the job exports the full + integration package (including definitions, Python scripts, and resources) as + a byte stream. + + 5. **Metadata Enhancement**: If a `Readme Addon` is provided, the job updates + the `GitSync.json` metadata file to include the custom markdown for the specific + integration. + + 6. **Staging**: The job prepares the file structure for the repository, overwriting + the existing integration folders with the newly exported content. + + 7. **Commit and Push**: Finally, the job creates a Git commit with the provided + message and pushes the changes to the configured remote branch. +Push Job: + ai_description: >- + ### General Description + + This job exports specific Google SecOps (Chronicle) jobs to a Git repository for + version control and backup. It allows users to select a subset of jobs via a whitelist, + optionally append custom documentation to their README files, and synchronize + the job configurations (including parameters and run intervals) to a remote Git + server. The job also maintains a central README file in the repository to provide + an overview of all exported jobs. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Commit | String | Yes | The commit message to be used for the Git push operation. + | + + | Repo URL | String | No | Optional parameter to override the repository URL configured + in the integration instance. | + + | Branch | String | No | Optional parameter to override the Git branch configured + in the integration instance. | + + | Git Server Fingerprint | String | No | Optional parameter to override the SSH + fingerprint used for Git server verification. | + + | Commit Author | String | No | Optional parameter to override the commit author + (Format: Name ). | + + | Job Whitelist | String | Yes | A comma-separated list of job names to be pushed + to the repository. | + + | Readme Addon | String | No | Markdown text to append to the end of the README + file for all jobs pushed during this run. | + + + ### Flow Description + + 1. **Initialization**: The job initializes the `GitSyncManager`, which sets up + a temporary local workspace and establishes a connection to the Git repository + using the provided credentials and configuration. + + 2. **Job Retrieval**: It fetches all installed jobs from the Google SecOps platform + via the internal API. + + 3. **Filtering**: The job filters the retrieved list based on the `Job Whitelist` + parameter, while automatically excluding internal system monitor jobs and the + GitSync integration itself. + + 4. **Metadata Update**: If a `Readme Addon` is provided, it updates the `GitSync.json` + metadata file to include the custom documentation for the selected jobs. + + 5. **Staging**: For each whitelisted job, the configuration is converted to a + JSON format and staged in the local Git repository structure under the `Jobs/` + directory. + + 6. **Documentation Generation**: The job generates or updates individual README + files for the exported jobs and updates the root README file for the Jobs section + to reflect the current state of the repository. + + 7. **Commit and Push**: Finally, the job commits the changes with the specified + commit message and pushes the updates to the remote Git repository. +Push Mappings: + ai_description: "### General Description\nThis job exports ontology mapping configurations\u2014\ + including records and rules\u2014from Google SecOps to a Git repository. It is\ + \ designed to facilitate version control and synchronization of how events are\ + \ mapped to entities and visual families for a specific source integration. By\ + \ automating the export of these mappings, teams can maintain a 'configuration\ + \ as code' approach for their SOAR environment.\n\n### Parameters Description\n\ + | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ + | Commit | String | Yes | The message to be used for the Git commit. |\n| Source\ + \ | String | Yes | The name of the source integration (e.g., 'Active Directory',\ + \ 'CrowdStrike') whose mappings should be exported. |\n| Repo URL | String | No\ + \ | Optional override for the Git repository URL defined in the integration instance.\ + \ |\n| Branch | String | No | Optional override for the target Git branch. |\n\ + | Git Server Fingerprint | String | No | Optional override for the SSH server\ + \ fingerprint used for host verification. |\n| Commit Author | String | No | Optional\ + \ override for the commit author. Must follow the format: `Name `.\ + \ |\n| Readme Addon | String | No | Markdown text to append to the end of the\ + \ generated README file for the exported mappings. |\n\n### Flow Description\n\ + 1. **Initialization**: The job extracts configuration parameters and initializes\ + \ the `GitSyncManager` to handle repository operations and API communication.\n\ + 2. **Data Retrieval**: It fetches all ontology status records from the Google\ + \ SecOps platform.\n3. **Filtering**: The job filters the retrieved records to\ + \ include only those associated with the specified `Source` integration.\n4. **Rule\ + \ Collection**: For each matching record, it retrieves the corresponding mapping\ + \ rules (both family and system fields) from the platform.\n5. **Data Sanitization**:\ + \ It cleans the records by removing `exampleEventFields` to ensure the exported\ + \ files remain focused on configuration rather than specific event data.\n6. **Metadata\ + \ Update**: If a `Readme Addon` is provided, the job updates the `GitSync.json`\ + \ metadata file to include the additional markdown content.\n7. **Staging**: The\ + \ job prepares the mapping data (JSON files for records and rules) and generates\ + \ a README file, staging them within the local repository structure.\n8. **Push**:\ + \ Finally, it commits the changes using the provided commit message and author\ + \ details, then pushes the update to the remote Git repository." +Push Playbook: + ai_description: >- + ### General Description + + This job exports playbooks and playbook blocks from Google SecOps to a Git repository. + It allows for granular control over which content is synchronized by using whitelists + for specific playbooks or entire folders (categories). A key feature of this job + is its ability to maintain portability; it automatically converts internal integration + instance identifiers within playbook steps into their corresponding display names, + ensuring that exported playbooks can be successfully imported into different environments. + It also handles dependencies by optionally including all blocks referenced by + the selected playbooks. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Branch | String | No | The Git branch to push the content to. If not provided, + the branch defined in the integration instance is used. | + + | Commit | String | Yes | The commit message to be used for the Git push operation. + | + + | Repo URL | String | No | The URL of the target Git repository. If not provided, + the URL defined in the integration instance is used. | + + | Git Server Fingerprint | String | No | The SSH fingerprint of the Git server + for verification. Overrides the integration instance setting if provided. | + + | Commit Author | String | No | The author of the commit, formatted as `Name `. + Overrides the integration instance setting if provided. | + + | Folders Whitelist | String | No | A comma-separated list of playbook categories + (folders) to export. | + + | Playbook Whitelist | String | No | A comma-separated list of specific playbook + names to export. | + + | Readme Addon | String | No | Markdown text to be appended to the end of the + `README.md` file for every playbook exported during this run. | + + | Include Playbook Blocks | Boolean | Yes | If set to `true`, the job will automatically + identify and export all playbook blocks referenced by the selected playbooks. + | + + + ### Flow Description + + 1. **Initialization**: Extracts job parameters and validates that at least one + whitelist (Folders or Playbooks) has been provided. + + 2. **Git Setup**: Initializes the Git manager, clones or pulls the target repository, + and checks out the specified branch. + + 3. **Content Filtering**: Retrieves all playbooks from the SOAR environment and + filters them based on the `Playbook Whitelist` and `Folders Whitelist` parameters. + + 4. **Playbook Processing**: For each matching playbook, the job: + * Appends the `Readme Addon` to the playbook metadata if specified. + * Fetches the full playbook definition. + * Updates step parameters (like `IntegrationInstance`) from internal UUIDs + to display names to ensure the playbook remains portable across different SOAR + instances. + * Stages the playbook JSON and generated README files in the local Git repository + structure. + 5. **Block Processing**: If `Include Playbook Blocks` is enabled, the job identifies + all blocks used within the processed playbooks, retrieves their definitions, updates + their instance names, and stages them for export. + + 6. **Finalization**: Generates an updated root README for the Playbooks directory, + commits all staged changes with the provided commit message, and pushes the updates + to the remote Git repository. +Push Simulated Cases: + ai_description: >- + ### General Description + + This job exports specific simulated cases from the Google SecOps platform to a + Git repository. It enables version control and sharing of simulated attack scenarios + by allowing users to select cases by name and push them to a configured Git branch. + This is particularly useful for maintaining a library of attack simulations across + different environments. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Commit | String | Yes | The commit message to be used for the Git push operation. + | + + | Repo URL | String | No | Optional parameter to override the repository URL configured + in the integration instance. | + + | Branch | String | No | Optional parameter to override the target branch configured + in the integration instance. | + + | Git Server Fingerprint | String | No | Optional parameter to override the SSH + fingerprint for the Git server. | + + | Commit Author | String | No | Optional parameter to override the commit author + (e.g., "Name "). | + + | Simulated Cases | String | Yes | A comma-separated list of simulated case names + to be exported to the repository. | + + + ### Flow Description + + 1. **Parameter Extraction**: The job retrieves the commit message and the list + of simulated case names provided by the user. + + 2. **Initialization**: It initializes the `GitSyncManager`, which sets up the + connection to the Git repository and the Google SecOps API. + + 3. **Case Retrieval**: The job fetches all available custom simulated cases from + the Google SecOps platform. + + 4. **Filtering and Staging**: It iterates through the platform's cases, matching + them against the user-provided list. For each match, it exports the case data + and stages it as a `.case` file in the repository's `SimulatedCases/` directory. + + 5. **Commit and Push**: Finally, it performs a Git commit with the specified message + and pushes the staged files to the remote repository. diff --git a/content/response_integrations/power_ups/image_utilities/resources/ai/actions_ai_description.yaml b/content/response_integrations/power_ups/image_utilities/resources/ai/actions_ai_description.yaml index 78b470c6a..41b5961f0 100644 --- a/content/response_integrations/power_ups/image_utilities/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/power_ups/image_utilities/resources/ai/actions_ai_description.yaml @@ -1,53 +1,63 @@ Convert File: ai_description: >- - Converts files between PNG and PDF formats on a Remote Agent. This action allows - for the transformation of image and document formats directly on the filesystem - where the Remote Agent is deployed. It is particularly useful for workflows that - require file format standardization before further processing, such as OCR or - report generation. + ### General Description + + The **Convert File** action is a utility designed to transform files between **PNG** + and **PDF** formats. This action is executed locally on a **Remote Agent**, allowing + for secure file processing within the customer's environment. It is particularly + useful for standardizing image formats for reporting, documentation, or further + forensic analysis. - ### Parameters + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Input File Format | DDL | Yes | The original format of the file to be converted. - Supported values: PDF, PNG. | + | **Input File Format** | DDL | Yes | The original format of the file to be converted. + Supported values: `PNG`, `PDF`. | - | Input File Path | String | Yes | The absolute path to the source file on the - Remote Agent's filesystem. | + | **Input File Path** | String | Yes | The absolute path to the source file on + the Remote Agent's filesystem. | - | Output File Format | DDL | Yes | The desired format for the resulting file. - Supported values: PNG, PDF. | + | **Output File Format** | DDL | Yes | The desired format after the conversion + process. Supported values: `PNG`, `PDF`. | - ### Flow Description + ### Additional Notes - 1. **Environment Validation**: Checks if the action is running on a Remote Agent; - if not, it raises an error. + - **Remote Agent Required**: This action can only be executed on a Remote Agent. - 2. **Parameter Validation**: Verifies that the input file exists at the specified - path and ensures the input and output formats are not the same. + - **Format Mismatch**: The `Input File Format` and `Output File Format` must be + different; otherwise, the action will fail. - 3. **File Conversion**: - - **PDF to PNG**: Uses the `pdf2image` library (requiring `pdftoppm`) to convert - the first page of the PDF into a PNG image. - - **PNG to PDF**: Uses the `PIL` (Pillow) library to convert the PNG image - into a PDF document. - 4. **Result Generation**: Saves the converted file to a temporary directory with - a timestamped filename and returns the new file path and format in the action's - JSON results. + - **Dependencies**: PDF to PNG conversion requires `poppler-utils` (specifically + the `pdftoppm` utility) to be installed on the Remote Agent. PNG to PDF conversion + uses the `Pillow` library. + - **PDF Conversion Scope**: When converting from PDF to PNG, the action currently + extracts and saves only the first page of the PDF document. - ### Additional Notes - - This action requires a Remote Agent to function as it interacts with the local - filesystem. + ### Flow Description + + 1. **Environment Validation**: The action first verifies that it is running on + a Remote Agent. - - For PDF to PNG conversion, the `poppler-utils` package (specifically `pdftoppm`) - must be installed on the Remote Agent host. + 2. **Parameter Validation**: It checks if the input file exists at the specified + path and ensures that the input and output formats are not identical. + + 3. **Output Path Generation**: A unique output filename is generated in the system's + temporary directory, incorporating the original filename and a timestamp. + + 4. **File Conversion**: + - **PDF to PNG**: Uses the `pdf2image` library to render the first page of + the PDF as a PNG image. + - **PNG to PDF**: Uses the `Pillow` library to convert the image to RGB mode + and save it as a PDF file. + 5. **Result Reporting**: Upon success, the action returns the path to the converted + file and the output format in the JSON results. capabilities: can_create_case_comments: false can_create_insight: false @@ -75,53 +85,57 @@ Convert File: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false OCR Image: - ai_description: >- - Extracts text from image files using Optical Character Recognition (OCR). This - action leverages the Tesseract OCR engine to process images provided either as - a Base64 encoded string or via a local file path on a Remote Agent. - - - ### Parameters - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Base64 Encoded Image | String | No | The base64 encoded string of the image - file. If provided, this is processed first. | - - | File Path | String | No | The path to the image file on the Remote Agent's file - system. | - - - ### Additional Notes - - - Either **Base64 Encoded Image** or **File Path** must be configured for the - action to run. - - - This action **must** be executed on a Remote Agent. - - - The Remote Agent must have the `tesseract-ocr` package installed (e.g., via - `apt-get install -y tesseract-ocr`). - - - ### Flow Description - - 1. **Environment Validation**: Verifies that the action is executing on a Remote - Agent. - - 2. **Parameter Extraction**: Retrieves the image data (Base64) or the file path - from the action configuration. - - 3. **Image Preparation**: If a Base64 string is provided, it is decoded and written - to a temporary PNG file. Otherwise, the provided file path is used. - - 4. **OCR Processing**: Invokes the `pytesseract` library to perform OCR on the - image file and extract text content. - - 5. **Result Output**: Trims the extracted text and returns it within the `extracted_text` - field of the JSON result. + ai_description: "### General Description\nThe **OCR Image** action performs Optical\ + \ Character Recognition (OCR) on an image to extract text content. This utility\ + \ is designed to process visual data\u2014such as screenshots of logs, error messages,\ + \ or phishing content\u2014and convert it into machine-readable text for use in\ + \ downstream playbook logic.\n\n### Parameters Description\n| Parameter | Type\ + \ | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Base64 Encoded\ + \ Image | String | No | The base64 encoded string of the image file. If provided,\ + \ this parameter takes precedence over the 'File Path'. |\n| File Path | String\ + \ | No | The local file system path to the image file. This is used if no Base64\ + \ string is provided. |\n\n### Additional Notes\n- **Execution Environment:**\ + \ This action **must** be executed on a **Remote Agent**.\n- **System Dependencies:**\ + \ The Remote Agent's environment must have the `tesseract-ocr` package installed\ + \ (e.g., via `apt-get install -y tesseract-ocr`).\n- **Input Logic:** At least\ + \ one of the two parameters ('Base64 Encoded Image' or 'File Path') must be provided\ + \ for the action to run. If both are provided, the Base64 string is processed.\n\ + \n### Flow Description\n1. **Environment Verification:** The action checks if\ + \ it is running on a Remote Agent; if not, it raises an error.\n2. **Parameter\ + \ Extraction:** Retrieves the Base64 string or the file path from the input.\n\ + 3. **Input Validation:** Ensures that at least one valid input source is available.\n\ + 4. **Image Processing:** \n - If a Base64 string is provided, it is decoded\ + \ and saved to a temporary file.\n - If only a file path is provided, the action\ + \ targets that specific path.\n5. **OCR Extraction:** The action uses the Tesseract\ + \ OCR engine (via the `pytesseract` library) to analyze the image and extract\ + \ text.\n6. **Result Delivery:** The extracted text is cleaned (stripped of leading/trailing\ + \ whitespace) and returned as a JSON result." capabilities: can_create_case_comments: false can_create_insight: false @@ -149,48 +163,53 @@ OCR Image: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: - ai_description: >- - ### General Description - - Tests the connectivity and environment readiness for the Image Utilities integration. - This action specifically validates that the execution environment is a Google - SecOps Remote Agent and checks for the presence of critical local dependencies: - the Tesseract OCR engine and Playwright browser binaries (Chromium). It is used - to ensure that the system is correctly configured to perform image processing - and web content rasterization tasks. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | N/A | N/A | N/A | This action does not require any input parameters. | - - - ### Additional Notes - - This action must be executed on a Remote Agent. If dependencies are missing, the - action provides specific shell commands in the error message to help administrators - resolve the issues within the container environment. - - - ### Flow Description - - 1. **Environment Validation**: Verifies that the action is running on a Remote - Agent by checking the environment context. - - 2. **Tesseract Verification**: Attempts to retrieve the Tesseract version using - the `pytesseract` library to confirm the OCR engine is installed and accessible. - - 3. **Playwright Verification**: Attempts to launch a headless Chromium instance - using the Playwright library to confirm browser binaries and system dependencies - are correctly installed. - - 4. **Result Reporting**: Returns a success message if all checks pass, or raises - an informative error with installation instructions if dependencies are missing. + ai_description: "### General Description\nThe **Ping** action is a diagnostic tool\ + \ designed to verify the connectivity and environment readiness for the **Image\ + \ Utilities** integration. Its primary purpose is to ensure that the Google SecOps\ + \ Remote Agent is correctly configured and that all necessary local dependencies\u2014\ + specifically **Tesseract OCR** and **Playwright (Chromium)**\u2014are installed\ + \ and functional. This action is typically used during initial setup or troubleshooting\ + \ to confirm that the environment can support image processing and web content\ + \ rasterization tasks.\n\n### Parameters Description\n| Parameter | Type | Mandatory\ + \ | Description |\n| :--- | :--- | :--- | :--- |\n| N/A | N/A | N/A | This action\ + \ does not require any input parameters. |\n\n### Flow Description\n1. **Remote\ + \ Agent Validation**: The action first checks if it is being executed on a Remote\ + \ Agent. If not, it raises a `RemoteAgentRequiredError`.\n2. **Tesseract OCR Verification**:\ + \ It attempts to retrieve the version of the Tesseract OCR engine using the `pytesseract`\ + \ library. If Tesseract is missing, it provides detailed instructions on how to\ + \ install it within the container.\n3. **Playwright/Chromium Verification**: It\ + \ uses the Playwright library to attempt to launch a headless Chromium browser\ + \ instance. If the browser binaries or dependencies are missing, it raises an\ + \ error with specific installation and permission commands for the user to follow.\n\ + \n### Additional Notes\n- This action does not interact with any external APIs;\ + \ it performs local system checks on the Remote Agent container.\n- It is a prerequisite\ + \ for other actions in this integration, such as 'OCR Image' or 'Rasterize Content'." capabilities: can_create_case_comments: false can_create_insight: false @@ -218,84 +237,111 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Rasterize Content: ai_description: >- - The Rasterize Content action converts vector or complex content, such as URLs, - raw HTML, or Email bodies, into fixed bitmap image formats (PNG) or PDF documents. - This action is particularly useful for capturing visual evidence of phishing sites, - rendered emails, or web-based reports directly into a security case. It utilizes - a headless Chromium browser (via Playwright) to ensure accurate rendering of dynamic - content. + ### General Description + The **Rasterize Content** action converts vector or complex content (URLs, HTML, + or Email bodies) into fixed bitmap image formats (PNG) or document formats (PDF). + This action utilizes a headless Chromium browser (via Playwright) to render the + content exactly as it would appear to a user, making it ideal for capturing visual + evidence of phishing sites, suspicious emails, or dynamic web pages. **Note:** + This action requires execution on a **Remote Agent** with the necessary browser + binaries installed. - ### Parameters Description + ### Parameters Description - | Parameter | Type | Mandatory | Default | Description | + | Parameter | Description | Type | Mandatory | Default Value | | :--- | :--- | :--- | :--- | :--- | - | Input Type | DDL | Yes | HTML | Specifies the format of the input: 'URL' (fetches - a webpage), 'HTML' (renders raw HTML), or 'Email' (renders email content). | + | **Input Type** | The type of content to be processed. Options: `URL`, `HTML`, + `Email`. | DDL | Yes | HTML | - | URLs or Body | String | Yes | N/A | The actual content to process. Provide a - comma-separated list for URLs, or the full text/HTML body for other types. | + | **URLs or Body** | The actual content to rasterize. Provide a comma-separated + list for URLs, or the full body for HTML/Email. | String | Yes | - | - | Output Type | DDL | No | PNG | The desired output format: 'PNG', 'PDF', or 'Both'. - | + | **Output Type** | The desired output format. Options: `PNG`, `PDF`, `Both`. + | DDL | No | PNG | - | Export Method | DDL | No | Case Attachment | Determines where to save the result: - 'Case Attachment' (adds to the SOAR case), 'File Path' (returns the local path), - or 'Both'. | + | **Export Method** | How to handle the generated files. Options: `Case Attachment`, + `File Path`, `Both`. | DDL | No | Case Attachment | - | Width | String | Yes | 1920 | The browser viewport width in pixels. | + | **Width** | The browser viewport width in pixels. | String | Yes | 1920 | - | Height | String | Yes | 1080 | The browser viewport height in pixels (ignored - if 'Full Screen' is enabled). | + | **Height** | The browser viewport height in pixels. | String | Yes | 1080 | - | Full Screen | Boolean | Yes | False | If true, the action captures the entire - scrollable height of the content rather than just the viewport. | + | **Full Screen** | If true, the action calculates the full scroll height of the + page and captures the entire content. | Boolean | Yes | False | - | Timeout | String | No | 120 | Maximum time in seconds to wait for the page to - render. | + | **Timeout** | Maximum time (seconds) to wait for rendering. Max: 120. | String + | No | 120 | - | Wait For | DDL | No | NETWORK_IDLE | The browser state to reach before capturing: - 'LOAD', 'DOM_CONTENT_LOADED', 'NETWORK_IDLE', or 'COMMIT'. | + | **Wait For** | The browser state to reach before capturing. Options: `LOAD`, + `DOM_CONTENT_LOADED`, `NETWORK_IDLE`, `COMMIT`. | DDL | No | NETWORK_IDLE | - | Wait for Selector | String | No | N/A | A CSS selector that must become visible - on the page before the capture occurs. | + | **Wait for Selector** | A CSS selector to wait for (e.g., `#content-loaded`) + before capturing. | String | No | - | ### Additional Notes - - **Remote Agent Required:** This action must run on a Remote Agent because it - requires specific browser binaries (Playwright/Chromium) not present in the default - cloud environment. + - **Remote Agent Requirement:** This action will fail if not run on a Remote Agent. + The agent must have Playwright and Chromium dependencies installed. + + - **Full Screen Logic:** When `Full Screen` is enabled, the `Height` parameter + is ignored as the action dynamically adjusts the viewport to match the document's + scroll height. - - **Environment Setup:** Ensure Playwright and Chromium dependencies are installed - on the Remote Agent as described in the action's error messages if execution fails. + - **Exporting:** If `Case Attachment` is selected, files are uploaded to the SOAR + case and then deleted from the agent's local storage. If `File Path` is selected, + the local path on the agent is returned in the JSON results. ### Flow Description 1. **Validation:** The action verifies it is running on a Remote Agent and validates - all input parameters. + all input parameters (DDL values, numeric ranges). - 2. **Input Preparation:** Depending on the 'Input Type', it either parses a list - of URLs or wraps HTML/Email content into a renderable format. + 2. **Initialization:** Launches a headless Chromium browser instance using Playwright. - 3. **Browser Initialization:** Launches a headless Chromium instance using Playwright - with the specified viewport dimensions. + 3. **Content Loading:** Depending on the `Input Type`, the browser either navigates + to the provided URLs or sets the page content using the provided HTML/Email body. - 4. **Content Rendering:** Navigates to the URL or loads the HTML content, waiting - for the specified 'Wait For' state and/or the 'Wait for Selector' to appear. + 4. **Rendering Wait:** The browser waits for the specified `Wait For` state and, + if provided, the `Wait for Selector` to become visible. 5. **Capture:** Generates a PNG screenshot and/or a PDF document based on the - 'Output Type'. If 'Full Screen' is active, it calculates the full page height - before capturing. + `Output Type`. If `Full Screen` is active, it captures the entire page length. - 6. **Export:** Attaches the generated files to the Google SecOps case and/or provides - the file paths in the action's JSON results. + 6. **Export:** Processes the generated files according to the `Export Method`, + either attaching them to the case, returning the file paths, or both. capabilities: can_create_case_comments: false can_create_insight: false @@ -306,8 +352,7 @@ Rasterize Content: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action adds the generated PNG or PDF files as attachments to the current - Google SecOps case. + Adds the generated PNG or PDF files as attachments to the Google SecOps case. categories: enrichment: false entity_usage: @@ -325,3 +370,28 @@ Rasterize Content: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/power_ups/image_utilities/resources/ai/integration_ai_description.yaml b/content/response_integrations/power_ups/image_utilities/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..0801c7556 --- /dev/null +++ b/content/response_integrations/power_ups/image_utilities/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/power_ups/insights/resources/ai/actions_ai_description.yaml b/content/response_integrations/power_ups/insights/resources/ai/actions_ai_description.yaml index 24b0af2c1..5bf7691fb 100644 --- a/content/response_integrations/power_ups/insights/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/power_ups/insights/resources/ai/actions_ai_description.yaml @@ -2,55 +2,54 @@ Create Entity Insight From Enrichment: ai_description: >- ### General Description - This action generates entity insights within Google SecOps by populating a template - message with data retrieved from an entity's enrichment fields (`additional_properties`). - It is primarily used to surface specific details from previous enrichment steps - (such as Active Directory attributes or Threat Intelligence scores) directly onto - the entity's insight panel for better visibility during investigation. + The **Create Entity Insight From Enrichment** action is a utility designed to + transform raw enrichment data stored within an entity's `additional_properties` + into a human-readable insight. It uses a templating system to inject specific + data points into a formatted message, which is then posted to the entity's insight + wall in Google SecOps. This allows analysts to see summarized results from previous + enrichment steps directly on the entity. - ### Parameters + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Message | string | Yes | A template string containing placeholders in curly - braces (e.g., `{AD_DisplayName}`). These placeholders must match keys found in - the entity's `additional_properties` dictionary. | + | Message | String | Yes | A template string containing placeholders in curly + braces (e.g., `{AD_DisplayName}`). These placeholders must correspond to keys + found in the entity's `additional_properties`. | - | Triggered By | string | No | The name of the integration or source to be displayed - as the creator of the insight. Defaults to "Siemplify". | + | Triggered By | String | No | Specifies the integration name to be displayed + as the source of the insight. Defaults to "Siemplify". | ### Flow Description - 1. **Parameter Retrieval**: The action retrieves the template `Message` and the - `Triggered By` source name from the action configuration. + 1. **Parameter Retrieval:** The action fetches the template `Message` and the + `Triggered By` source name from the action parameters. - 2. **Entity Iteration**: The script iterates through all target entities in the - current scope. + 2. **Entity Iteration:** The action loops through all entities provided in the + current context (target entities). - 3. **Template Parsing**: For each entity, the `parse_raw_message` utility is called. - This utility maps the placeholders defined in the `Message` parameter to the corresponding - values stored in the entity's `additional_properties` attribute. + 3. **Template Parsing:** For each entity, the action uses the `ToolsCommon` library + to parse the `Message` string, replacing placeholders with corresponding values + found in the entity's `additional_properties` dictionary. - 4. **Insight Creation**: If the message is successfully populated with data, the - action creates an entity insight using the `add_entity_insight` method, attributing - it to the specified trigger source. + 4. **Insight Creation:** If the message is successfully constructed (i.e., placeholders + are resolved), the action calls the SOAR API to add an entity insight to that + specific entity. - 5. **Final Reporting**: The action completes by providing a summary of all entities - that successfully received an insight. + 5. **Reporting:** The action concludes by providing a summary message listing + all entities that successfully received an insight. ### Additional Notes - - This action is dependent on data being present in the `additional_properties` - of the entity. This typically requires a preceding enrichment action (e.g., "Active - Directory Get User Details") to have run in the playbook. - - - If the template parsing results in a valid message, the insight is added; otherwise, - the entity is skipped. + This action is highly dependent on the presence of specific keys within the `additional_properties` + of the entities. If a placeholder key is missing or the `additional_properties` + are empty, the message parsing might fail or return an empty string, preventing + the insight from being created for that specific entity. capabilities: can_create_case_comments: false can_create_insight: true @@ -61,8 +60,8 @@ Create Entity Insight From Enrichment: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Creates entity insights within the Google SecOps case based on provided templates - and existing entity enrichment data. + Creates entity insights within the Google SecOps platform based on provided + templates and entity properties. categories: enrichment: false entity_usage: @@ -102,7 +101,7 @@ Create Entity Insight From Enrichment: - DestinationURL - USB - USERUNIQNAME - filters_by_additional_properties: false + filters_by_additional_properties: true filters_by_alert_identifier: false filters_by_case_identifier: false filters_by_creation_time: false @@ -115,15 +114,46 @@ Create Entity Insight From Enrichment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Create Entity Insight From JSON: ai_description: >- + Creates an entity insight within Google SecOps by processing a provided JSON string + and mapping its data to entities in the current case. This action is a utility + designed to transform raw JSON data (often passed from a previous playbook step) + into human-readable insights associated with specific entities. + + ### General Description - The **Create Entity Insight From JSON** action allows users to generate custom - entity insights within Google SecOps by processing a provided JSON string. This - utility action is designed to map data from a JSON object (often produced by a - previous playbook step) to specific entities in a case, formatting that data into - a readable insight message. + The action takes a JSON array, identifies specific objects within that array that + match entities in the case (based on a configurable identifier path), and then + formats a message using placeholders to create an insight. This is particularly + useful for displaying complex data structures or external tool outputs directly + on the entity's insight panel. ### Parameters Description @@ -132,48 +162,47 @@ Create Entity Insight From JSON: | :--- | :--- | :--- | :--- | - | **JSON** | String | Yes | The raw JSON string containing the data to be used - for the insight. | + | JSON | string | True | A JSON-formatted string (usually an array of objects) + containing the data to be processed. | - | **Identifier KeyPath** | String | Yes | The dot-notation path (e.g., `user.email` - or `id`) within the JSON object that corresponds to the entity's identifier for - matching. | + | Identifier KeyPath | string | True | The dot-notation path (e.g., `user.email` + or `id`) within the JSON objects used to match the data to a SecOps entity's identifier. + | - | **Message** | String | Yes | A template for the insight message. Use curly braces - `{}` to reference keys in the JSON (e.g., `{status}`). Supports pipes for transformations - like `| count()`, `| to_str()`, or `| join()`. | + | Message | string | True | A template string for the insight. Use curly braces + `{}` to reference keys from the JSON (e.g., `User {name} has role {role}`). Supports + pipe functions like `default()`, `count()`, and `join()`. | - | **Triggered By** | String | No | Specifies the integration name to be associated - with the insight. Defaults to 'Siemplify'. | + | Triggered By | string | False | The name of the integration or source to be + displayed as the creator of the insight. Defaults to 'Siemplify'. | ### Flow Description - 1. **JSON Parsing**: The action parses the input `JSON` parameter into a structured - object. + 1. **JSON Parsing**: The action parses the input `JSON` string into a Python list + of dictionaries. - 2. **Entity Matching**: The action iterates through all entities in the current - Google SecOps case. For each entity, it searches the provided JSON data for a - record where the value at the specified `Identifier KeyPath` matches the entity's - identifier (case-insensitive). + 2. **Entity Iteration**: It iterates through all `target_entities` available in + the current scope. - 3. **Message Templating**: If a match is found, the action extracts the relevant - data from the JSON and populates the `Message` template. It resolves placeholders - and applies any specified pipe functions (e.g., `count` to get list length, `join` - to concatenate arrays). + 3. **Data Matching**: For each entity, it searches the JSON list for an object + where the value at `Identifier KeyPath` matches the entity's identifier (case-insensitive). - 4. **Insight Creation**: The final formatted message is added as an entity insight - to the matching entity in the case, attributed to the integration specified in - `Triggered By`. + 4. **Message Formatting**: If a match is found, the action uses the `Message` + template and the matched JSON object to resolve placeholders and apply any specified + pipe functions (e.g., formatting lists or providing default values). + + 5. **Insight Creation**: The formatted message is added as an entity insight to + the specific entity in the Google SecOps case. ### Additional Notes - - The `Identifier KeyPath` supports nested objects using dot notation (e.g., `data.user.id`). + - The `Identifier KeyPath` supports nested keys using dot notation (e.g., `metadata.system_info.id`). - - The `Message` parameter supports advanced formatting via the `ToolsCommon` library, - allowing for default values and complex data transformations within the insight - text. + - The `Message` parameter supports advanced formatting via pipes, such as `{results|count()}` + to show the number of items in a list or `{tags|join( )}` to concatenate array + elements. capabilities: can_create_case_comments: false can_create_insight: true @@ -184,8 +213,8 @@ Create Entity Insight From JSON: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Creates entity insights within the Google SecOps case based on the provided - JSON data. + Creates an entity insight within the Google SecOps case to provide additional + context for analysts. categories: enrichment: false entity_usage: @@ -230,7 +259,7 @@ Create Entity Insight From JSON: filters_by_case_identifier: false filters_by_creation_time: false filters_by_entity_type: false - filters_by_identifier: false + filters_by_identifier: true filters_by_is_artifact: false filters_by_is_enriched: false filters_by_is_internal: false @@ -238,14 +267,41 @@ Create Entity Insight From JSON: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false "Create Entity Insight From Multiple JSONs": ai_description: >- ### General Description - This action creates formatted Entity Insights within Google SecOps by parsing - multiple JSON strings provided as input. It is primarily used to transform raw - JSON data (often retrieved from previous enrichment steps in a playbook) into - human-readable tables or lists associated with specific entities in the case. + The **Create Entity Insight From Multiple JSONs** action is a utility designed + to transform raw JSON data into structured, human-readable Entity Insights within + Google SecOps. It allows analysts to pass up to five different JSON datasets and + define specific extraction paths to pull relevant information for each entity + present in the case. This is particularly useful for visualizing data retrieved + in previous playbook steps that was not automatically formatted into insights. ### Parameters Description @@ -254,61 +310,47 @@ Create Entity Insight From JSON: | :--- | :--- | :--- | :--- | - | JSON1 - JSON5 | String | No | JSON strings containing lists of objects. Each - object must include an "Entity" key (matching the entity identifier) and an "EntityResult" - key (containing the data to parse). | + | **JSON1 - JSON5** | String | No | The raw JSON strings to be parsed. These should + contain data mapped to entity identifiers. | - | Fields1 - Fields5 | String | No | Extraction logic for the corresponding JSON. - Format: `Label:path.to.key`. Multiple entries are separated by the 'Placeholder - Separator'. Supports advanced pipes like `count()`, `to_str()`, and `join()`. - | + | **Fields1 - Fields5** | String | No | The extraction logic for the corresponding + JSON. Uses the format `Label:{path.to.key}`. Multiple fields can be separated + by the Placeholder Separator. | - | Title1 - Title5 | String | No | The title used for the insight section created - from the corresponding JSON/Fields pair. Note: A title must be provided for a - JSON/Fields set to be processed. | + | **Title1 - Title5** | String | No | The title used for the specific section + of the entity insight. | - | Placeholder Separator | String | No | The character used to separate multiple - field definitions in the 'Fields' parameters. Default is a comma (`,`). | + | **Placeholder Separator** | String | No | The character used to separate field + definitions in the 'Fields' parameters (default is `,`). | - ### Additional Notes - - - The action expects the input JSON to be a list of dictionaries. - - - Each dictionary must have an "Entity" key that matches the identifier of an - entity in the current scope. - - - The "EntityResult" key should contain the actual data structure you wish to - extract values from. - - - If a field definition does not contain a colon (`:`), the value is added as - a plain string rather than a table row. + ### Flow Description + 1. **Data Collection:** The action retrieves up to five sets of JSON data, field + extraction strings, and titles from the action parameters. - ### Flow Description + 2. **Entity Iteration:** The action iterates through all entities currently associated + with the SecOps case. - 1. **Initialization**: The action reads up to five sets of JSON data, field mappings, - and titles from the parameters. + 3. **Data Extraction:** For each entity, the action searches the provided JSON + strings for a matching `Entity` identifier within the JSON structure. - 2. **Field Parsing**: It splits the 'Fields' strings into individual mapping instructions - based on the 'Placeholder Separator'. + 4. **Field Parsing:** If a match is found, it parses the specified fields using + the provided paths, supporting nested JSON structures and basic transformation + pipes (like `count` or `to_str`). - 3. **Entity Iteration**: The script loops through every entity currently active - in the playbook scope. + 5. **Insight Creation:** The extracted data is formatted into an HTML table and + attached as an Insight to the specific entity, using the provided title as the + trigger/header. - 4. **Data Matching**: For each entity, it searches the provided JSON arrays for - an entry where the "Entity" field matches the entity's identifier. - 5. **Extraction**: If a match is found, it uses the 'Fields' logic to extract - specific values from the "EntityResult" object, supporting nested paths and transformation - pipes (e.g., counting list items or joining arrays). + ### Additional Notes - 6. **Formatting**: Extracted data is formatted into HTML tables (for labeled fields) - or text blocks. + - This action is a data transformation utility and does not interact with external + APIs. - 7. **Insight Creation**: The action calls the SOAR API to attach the formatted - message as an Insight to the entity, using the provided 'Title' as the trigger - source. + - The JSON input is expected to follow a structure where entity identifiers are + mapped to results (e.g., `[{"Entity": "1.1.1.1", "EntityResult": {...}}]`). capabilities: can_create_case_comments: false can_create_insight: true @@ -319,8 +361,8 @@ Create Entity Insight From JSON: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Creates entity insights within the Google SecOps case based on the provided - JSON data. + The action creates Entity Insights within the Google SecOps case based on the + provided JSON data and field extraction logic. categories: enrichment: false entity_usage: @@ -373,14 +415,39 @@ Create Entity Insight From JSON: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: ai_description: >- ### General Description - The **Ping** action is a diagnostic utility designed to verify the connectivity - between Google SecOps and the Insights integration. It serves as a basic health - check to ensure that the integration environment is correctly configured and that - the action runner can execute scripts within the context of the integration. + The **Ping** action is a connectivity test designed to verify the communication + between the Google SecOps (Chronicle) platform and the Insights integration. It + serves as a diagnostic tool to ensure that the integration is correctly configured + and that the execution environment is responsive. ### Parameters Description @@ -388,23 +455,22 @@ Ping: There are no parameters for this action. - ### Additional Notes + ### Flow Description - This action does not interact with any external APIs or internal data structures. - It is strictly used for connectivity testing. + 1. **Initialization**: The action initializes the Siemplify SDK to establish a + context for the execution. + 2. **Connectivity Check**: The action performs a simple internal check to confirm + the script can execute within the environment. - ### Flow Description + 3. **Completion**: The action terminates immediately, returning a success status + and the message "Siemplify is connected". - 1. **Initialization**: The action initializes the `SiemplifyAction` module to - establish the execution context. - 2. **Connectivity Check**: The script executes a simple termination command without - performing any external network requests. + ### Additional Notes - 3. **Completion**: The action concludes by returning a success message ('Siemplify - is connected') to the Google SecOps workbench, indicating that the integration - is functional. + This action does not interact with any external APIs or modify any data within + the SecOps platform. It is strictly used for health checks. capabilities: can_create_case_comments: false can_create_insight: false @@ -432,3 +498,28 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/power_ups/insights/resources/ai/integration_ai_description.yaml b/content/response_integrations/power_ups/insights/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..0801c7556 --- /dev/null +++ b/content/response_integrations/power_ups/insights/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/power_ups/lists/resources/ai/actions_ai_description.yaml b/content/response_integrations/power_ups/lists/resources/ai/actions_ai_description.yaml index d31c3e785..63921ffb3 100644 --- a/content/response_integrations/power_ups/lists/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/power_ups/lists/resources/ai/actions_ai_description.yaml @@ -2,9 +2,10 @@ Add String to Custom List: ai_description: >- ### General Description - Adds a user-defined string to a specific Google SecOps custom list category. This - action is primarily used for managing internal platform lists, such as allowlists, - blocklists, or watchlists, by programmatically inserting new entries. + The **Add String to Custom List** action allows users to programmatically add + a specific string to a designated Custom List category within Google SecOps. This + is a utility action used for managing internal lists such as allowlists, blocklists, + or watchlists directly from a playbook without requiring manual entry in the UI. ### Parameters Description @@ -13,32 +14,34 @@ Add String to Custom List: | :--- | :--- | :--- | :--- | - | ListItem | String | Yes | The specific string value to be added to the custom + | **ListItem** | string | Yes | The specific string value to be added to the custom list. | - | Category | String | Yes | The name of the custom list category where the string - will be stored. | + | **Category** | string | Yes | The name of the custom list category where the + string should be added (e.g., "WhiteList"). | - ### Flow Description + ### Additional Notes - 1. **Parameter Extraction**: The action retrieves the `ListItem` (the string to - add) and the `Category` (the target list) from the input parameters. + This action does not operate on entities within the current context; it uses the + provided string parameter. It modifies internal Google SecOps data (Custom Lists) + but does not interact with external systems. There are no entity-based filters + applied. - 2. **Object Preparation**: It creates a `CustomList` data object containing the - input string, the target category, and the current environment context. - 3. **Internal Mutation**: The action calls the internal SDK method `add_entities_to_custom_list` - to update the specified Google SecOps custom list with the new string. + ### Flow Description - 4. **Finalization**: The action concludes by providing a success message confirming - the addition of the item to the category. + 1. **Parameter Retrieval**: The action extracts the `ListItem` (the string to + add) and the `Category` (the target list) from the input parameters. + 2. **Object Creation**: It constructs a `CustomList` object using the provided + string, category, and the current environment context. - ### Additional Notes + 3. **List Update**: It calls the internal SDK method `add_entities_to_custom_list` + to add the constructed item to the specified custom list in Google SecOps. - This action does not interact with external APIs; it only modifies internal Google - SecOps data structures. + 4. **Completion**: The action returns a success message indicating the string + has been added to the category and terminates with a completed status. capabilities: can_create_case_comments: false can_create_insight: false @@ -49,7 +52,7 @@ Add String to Custom List: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Adds a string entry to an internal Google SecOps custom list category. + Adds a string to a specified Custom List category within Google SecOps. categories: enrichment: false entity_usage: @@ -67,57 +70,79 @@ Add String to Custom List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Is String In Custom List: ai_description: >- - ### General Description - - This action checks if a specific set of strings exists within a designated Google - SecOps Custom List category. It is primarily used for whitelist/blacklist validation - or verifying if specific identifiers (like IPs, domains, or usernames) are already - known to the system within a specific context. + Checks if a specific set of strings exists within a designated Google SecOps Custom + List category. This action is primarily used for whitelist or blacklist validation + by comparing user-provided identifiers against internal lists stored within the + platform. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Parse Input:** The action retrieves the `IdentifierList` and `Category` parameters. + It attempts to parse the `IdentifierList` as a JSON array; if that fails, it treats + it as a comma-separated string. - | :--- | :--- | :--- | :--- | + 2. **Iterate Identifiers:** For each string in the list, the action creates a + `CustomList` object associated with the specified category and the current environment. - | **IdentifierList** | String | Yes | A list of strings to compare against the - custom list. This can be provided as a comma-separated string (e.g., `1.2.3.4,google.com`) - or a valid JSON array. | + 3. **Query Custom Lists:** It uses the internal SDK method `any_entity_in_custom_list` + to check if the identifier exists in the specified category. - | **Category** | String | Yes | The name of the Custom List category (e.g., `WhiteList`, - `BlackList`) to search within for the current environment. | + 4. **Aggregate Results:** The action tracks which identifiers were found and maintains + a total count of matches. + 5. **Finalize:** It outputs a JSON mapping of each identifier to its presence + status (true/false) and returns the total count of found items as the result value. - ### Additional Notes - - The action handles both comma-separated strings and JSON-formatted arrays for - the `IdentifierList` parameter. + ### Parameters Description - - It performs the check specifically for the environment associated with the current - execution context. + | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Flow Description + | IdentifierList | string | Yes | A list of strings to compare against the custom + list. Can be a JSON-formatted list (e.g., `["1.1.1.1", "google.com"]`) or a comma-separated + string (e.g., `1.1.1.1,google.com`). | - 1. **Parameter Retrieval**: The action extracts the `Category` and `IdentifierList` - from the input parameters. + | Category | string | Yes | The name of the Custom List category to search within + (e.g., 'WhiteList', 'BlackList'). | - 2. **Parsing**: It attempts to parse the `IdentifierList` as JSON; if that fails, - it splits the string by commas and trims whitespace from each entry. - 3. **Custom List Lookup**: For each identifier in the list, the action creates - a `CustomList` object and uses the SOAR SDK method `any_entity_in_custom_list` - to verify its existence in the specified category. + ### Additional Notes - 4. **Result Aggregation**: It builds a JSON object mapping each identifier to - a boolean value (`true` if found, `false` otherwise) and maintains a counter of - total matches found. + - This action does not interact with the entities currently present in the alert; + it only processes the strings provided in the `IdentifierList` parameter. - 5. **Completion**: The action outputs the total count of found items as the result - value and attaches the detailed mapping as a JSON result. + - The search is environment-aware, meaning it only checks lists associated with + the environment in which the action is running. capabilities: can_create_case_comments: false can_create_insight: false @@ -129,7 +154,7 @@ Is String In Custom List: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: entity_types: [] filters_by_additional_properties: false @@ -145,13 +170,39 @@ Is String In Custom List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: ai_description: >- ### General Description - Verifies the connectivity between the Google SecOps (Chronicle) platform and the - integration environment. This action serves as a basic health check to ensure - that the integration is correctly configured and reachable. + The **Ping** action is a diagnostic utility designed to verify the connectivity + between the Google SecOps platform and the Lists integration environment. It serves + as a health check to ensure that the integration is correctly configured and that + the execution environment can successfully initialize the integration's components. ### Parameters Description @@ -161,19 +212,18 @@ Ping: ### Additional Notes - This is a standard 'Ping' action used for troubleshooting and configuration validation. - It does not interact with any external APIs or internal data stores. + This action does not interact with any external APIs or internal data stores. + It is strictly used for connectivity testing. ### Flow Description - 1. **Initialization**: The action initializes the Siemplify SDK to establish a - session. + 1. **Initialization**: The action initializes the Siemplify API object. - 2. **Connectivity Check**: The script executes a simple completion command to - confirm the environment is responsive. + 2. **Connectivity Check**: The script executes a simple completion command. - 3. **Termination**: The action ends with a success message: 'Siemplify is connected'. + 3. **Result Reporting**: The action terminates with a success message ('Siemplify + is connected') to indicate that the integration logic is reachable and functional. capabilities: can_create_case_comments: false can_create_insight: false @@ -201,52 +251,51 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Remove String from Custom List: ai_description: >- - ### General Description - - The **Remove String from Custom List** action is designed to delete a specific - string entry from an internal Google SecOps custom list. This is typically used - for managing allowlists, blocklists, or other reference datasets within the SOAR - platform. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **Category** | String | Yes | The name of the custom list category (e.g., 'WhiteList') - from which the item should be removed. | - - | **ListItem** | String | Yes | The specific string value to be removed from the - custom list. | - - - ### Additional Notes - - - This action operates on internal Google SecOps data (Custom Lists) and does - not interact with external APIs. - - - **Note**: The parameter description for 'ListItem' in the configuration metadata - incorrectly mentions 'adding' the string, but the action logic and name confirm - it performs a removal. - - - ### Flow Description - - 1. **Parameter Retrieval**: The action extracts the 'Category' and 'ListItem' - values from the user input. - - 2. **Object Construction**: It creates a 'CustomList' object using the provided - string, category, and the current environment context. - - 3. **Removal Execution**: It invokes the 'remove_entities_from_custom_list' method - to delete the entry from the internal database. - - 4. **Completion**: The action returns a success status and an output message confirming - the removal. + ### General Description\n\nThe **Remove String from Custom List** action allows + users to programmatically delete a specific string entry from an existing Google + SecOps custom list. This is typically used to manage internal allowlists, blocklists, + or watchlists by removing indicators that are no longer relevant.\n\n### Parameters + Description\n\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- | + :--- | :--- |\n| **Category** | String | Yes | The name of the custom list category + (e.g., \"WhiteList\") from which the item will be removed. |\n| **ListItem** | + String | Yes | The specific string value to be removed from the custom list. |\n\n### + Flow Description\n\n1. **Parameter Extraction**: The action retrieves the target + custom list category and the specific string to be removed from the input parameters.\n2. + **Object Preparation**: It creates a `CustomList` object containing the string + and category information.\n3. **Removal Execution**: The action calls the internal + SDK method `remove_entities_from_custom_list` to perform the deletion within the + SecOps platform.\n4. **Finalization**: The action returns a success message confirming + the removal or a failure message if an error occurs.\n\n### Additional Notes\n\n- + This action operates on internal Google SecOps custom lists and does not affect + external security controls directly.\n- Ensure the `Category` name matches the + existing list name exactly. capabilities: can_create_case_comments: false can_create_insight: false @@ -257,7 +306,7 @@ Remove String from Custom List: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Removes a string entry from a Google SecOps internal custom list. + Removes a string entry from a Google SecOps custom list. categories: enrichment: false entity_usage: @@ -275,15 +324,40 @@ Remove String from Custom List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Search Custom Lists: ai_description: >- ### General Description - Searches for specific strings within Google SecOps Custom Lists. This action allows - users to query internal tracking lists for specific identifiers or categories, - providing a way to programmatically access and filter custom list data within - a playbook. It is primarily used to check if certain values exist within managed - lists or to retrieve the contents of specific list categories. + This action searches for a specific string within the records of Google SecOps + Custom Lists. It allows users to filter the search by specific categories or perform + a global search across all custom lists. If no search string or categories are + provided, the action retrieves all available custom list records. The results + are returned as a JSON object containing the matching records. ### Parameters Description @@ -292,44 +366,44 @@ Search Custom Lists: | :--- | :--- | :--- | :--- | - | String to Search | String | No | The specific string to look for within the - `entityIdentifier` field of the custom list records. This performs a substring - match. | + | String to Search | String | No | The specific substring to look for within the + `entityIdentifier` field of the custom list records. If omitted, all records in + the specified categories (or all categories) are returned. | - | Categories | String | No | A comma-separated list of custom list names (categories) - to restrict the search to. | + | Categories | String | No | A comma-separated list of custom list categories + to restrict the search to. If omitted, the action searches across all available + custom lists. | - ### Additional Notes + ### Flow Description - - If no `Categories` are provided, the action retrieves records from all available - custom lists. + 1. **Parameter Extraction:** The action retrieves the `String to Search` and `Categories` + from the input. - - If no `String to Search` is provided, the action returns all records within - the specified categories (or all records if no categories are specified). + 2. **Data Retrieval:** It calls the internal SOAR API to fetch custom list records, + optionally filtered by the provided categories. - - The action returns a boolean result indicating if any matches were found and - provides the matching records in JSON format. + 3. **Category Filtering:** If categories were provided, the action ensures only + records belonging to those categories are processed. + 4. **String Matching:** If a search string is provided, the action iterates through + the records and identifies those where the `entityIdentifier` contains the search + string (case-sensitive). - ### Flow Description + 5. **Result Compilation:** Matching records are collected into a list. - 1. **Parameter Extraction**: The action retrieves the `Categories` and `String - to Search` parameters from the input configuration. + 6. **Output:** The list of matching records is attached to the action results + as a JSON object, and the action completes with a summary message indicating the + number of matches found. - 2. **Data Retrieval**: It utilizes the internal SOAR API (`get_traking_list_record`) - to fetch records from the custom lists based on the provided categories. - 3. **Category Filtering**: If specific categories were requested, the action ensures - the results are filtered to only include records belonging to those categories. + ### Additional Notes - 4. **String Matching**: If a search string is provided, the action iterates through - the retrieved records and filters for those where the `entityIdentifier` contains - the search string. + - This action interacts with internal Google SecOps data (Custom Lists) and does + not communicate with external third-party services. - 5. **Result Output**: The final set of matching records is added to the action's - JSON result. The action completes with a success message indicating the number - of records found. + - If no records match the criteria, the action will complete successfully but + indicate that no matching records were found. capabilities: can_create_case_comments: false can_create_insight: false @@ -357,58 +431,78 @@ Search Custom Lists: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Search Environment Custom Lists: ai_description: >- - ### General Description + Searches for a specified string within the records of the environment's custom + lists in Google SecOps. This action allows users to filter results by specific + categories and search for matches within the entity identifiers of the list records. + If no parameters are provided, the action returns all available custom list records. - The **Search Environment Custom Lists** action allows users to query and filter - records stored within the Google SecOps environment's custom lists. It is a utility - action designed to find specific entries (such as indicators, usernames, or identifiers) - across various list categories. If no search criteria are provided, the action - retrieves all available records from the environment. + ### Flow Description: - ### Parameters Description + 1. **Parameter Extraction**: The action retrieves the 'Categories' and 'String + to Search' parameters from the input. - | Parameter | Description | Type | Mandatory | + 2. **Data Retrieval**: It calls the internal SOAR API to fetch custom list records + filtered by the provided categories and string. - | :--- | :--- | :--- | :--- | + 3. **Category Filtering**: If categories are specified, the action filters the + retrieved records to include only those belonging to the specified categories. - | **String to Search** | The specific text string to look for within the `entityIdentifier` - field of the custom list records. | String | No | - - | **Categories** | A comma-separated list of categories (e.g., "Suspicious IPs, - VIP Users") to narrow the search scope to specific lists. | String | No | + 4. **String Matching**: If a search string is provided, the action iterates through + the records and identifies those where the 'entityIdentifier' contains the search + string. + 5. **Result Output**: The matching records are added to the action's JSON results, + and a summary message indicating the number of matches found is returned. - ### Additional Notes - - If both parameters are left empty, the action will return all records from all - custom lists in the environment. + ### Parameters Description: - - The search logic is case-sensitive or case-insensitive depending on the underlying - API implementation, but typically matches the string within the `entityIdentifier` - field. + | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Flow Description + | String to Search | String | No | The specific string to look for within the + 'entityIdentifier' field of the custom list records. | - 1. **Parameter Extraction**: The action extracts the `Categories` and `String - to Search` parameters provided by the user. + | Categories | String | No | A comma-separated list of categories used to filter + which custom lists are searched. | - 2. **Data Retrieval**: It fetches custom list records from the internal Google - SecOps database using the `get_traking_list_records_filtered` helper method. - 3. **Category Filtering**: If the `Categories` parameter is provided, the action - filters the retrieved records to include only those belonging to the specified - categories. + ### Additional Notes: - 4. **String Matching**: If a `String to Search` is provided, the action filters - the records further, keeping only those where the search string is contained within - the `entityIdentifier` attribute. + - If both parameters are left empty, the action will attempt to return all records + from all custom lists in the environment. - 5. **Result Finalization**: The matching records are added to the action's JSON - results, and the action completes with a summary of the number of matches found. + - This action interacts with internal Google SecOps data and does not communicate + with external third-party services. capabilities: can_create_case_comments: false can_create_insight: false @@ -436,3 +530,28 @@ Search Environment Custom Lists: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/power_ups/lists/resources/ai/integration_ai_description.yaml b/content/response_integrations/power_ups/lists/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..2e831240c --- /dev/null +++ b/content/response_integrations/power_ups/lists/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + siem: false + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/power_ups/template_engine/resources/ai/actions_ai_description.yaml b/content/response_integrations/power_ups/template_engine/resources/ai/actions_ai_description.yaml index 785f4f049..95bdbcd2a 100644 --- a/content/response_integrations/power_ups/template_engine/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/power_ups/template_engine/resources/ai/actions_ai_description.yaml @@ -2,12 +2,13 @@ Entity Insight: ai_description: >- ### General Description - This action transforms a provided JSON object into human-readable entity insights - using a Jinja2 template. It is designed to take raw data (typically from a previous - integration action) and format it into a structured, analyst-friendly layout within - the Google SecOps case. It supports a wide range of custom Jinja filters for data - manipulation, such as date formatting, regex operations, and converting JSON to - HTML tables. + The **Entity Insight** action is a powerful utility within the Template Engine + integration designed to transform raw JSON data into human-readable insights using + Jinja2 templates. It allows analysts to take complex data structures (typically + from previous enrichment steps) and format them into structured HTML or text insights + that are then attached directly to entities within Google SecOps. This action + is highly customizable, supporting a wide array of custom Jinja filters for data + manipulation, table generation, and regex operations. ### Parameters Description @@ -16,72 +17,71 @@ Entity Insight: | :--- | :--- | :--- | :--- | - | **JSON Object** | content | Yes | The raw JSON object containing the data to - be rendered. It must contain a list of entries where each entry specifies an 'Entity' - and its 'EntityResult'. | + | **JSON Object** | JSON Object | Yes | The raw JSON data (in EntityResult format) + that will be used as the context for the Jinja2 template. | - | **Template** | email_content | Yes | The Jinja2 template used to format the - data. This can be a simple string or a complex HTML template. | + | **Template** | Template | No | The Jinja2 template used to render the insight. + This can be an HTML template or plain text. | - | **Triggered By** | string | Yes | The name of the integration or process that - triggered the insight, which will be displayed in the insight header. | + | **Triggered By** | String | Yes | Specifies the name of the integration that + will be credited as the source of the created entity insight. | - | **Remove BRs** | boolean | No | If set to `true`, the action will strip all - `
` tags from the rendered template output. Default is `false`. | + | **Remove BRs** | Boolean | No | If set to `true`, the action will strip all + `
` tags from the final rendered template. Default is `false`. | - | **Create Insight** | boolean | No | If set to `true`, the action will generate - an Entity Insight in the SOAR platform. Default is `true`. | + | **Create Insight** | Boolean | No | Determines whether the action should actually + create an Entity Insight in the UI. Default is `true`. | - ### Flow Description + ### Additional Notes - 1. **Parameter Extraction**: The action retrieves the input JSON, the Jinja2 template, - and configuration flags (Remove BRs, Create Insight). + - The action automatically excludes entities of type 'ALERT' from processing. - 2. **Environment Setup**: It initializes a Jinja2 environment and loads a comprehensive - set of filters from `JinjaFilters` and `CustomFilters` (if available). + - It supports advanced Jinja filters such as `json2tbl` (converts JSON to HTML + tables), `regex_match`, `filter_datetime`, and `dedup_list_of_dicts`. - 3. **Entity Processing**: It iterates through the target entities in the current - context, excluding any entities that are internally flagged as 'ALERT' types via - their additional properties. + - The input JSON is expected to be a list of objects where each object contains + an "Entity" identifier and an "EntityResult" payload. - 4. **Data Matching**: For each valid entity, the action searches the input JSON - for a matching 'Entity' identifier. - 5. **Template Rendering**: If a match is found, the action combines the entity's - properties with the result data and renders the Jinja2 template. + ### Flow Description - 6. **Result Attachment**: The rendered output is attached to the entity as a JSON - result. If 'Create Insight' is enabled, it also creates a formal Entity Insight. + 1. **Parameter Extraction:** The action retrieves the input JSON, the Jinja2 template, + and configuration flags (Remove BRs, Create Insight). + 2. **Environment Setup:** It initializes a Jinja2 environment and loads a comprehensive + suite of custom filters for data formatting and transformation. - ### Additional Notes + 3. **Entity Filtering:** The action iterates through the target entities in the + case, filtering out any entities identified as 'ALERT' types via their additional + properties. - - **Mandatory Discrepancy**: While the integration metadata (YAML) lists the 'Template' - parameter as optional, the underlying Python code treats it as mandatory (`is_mandatory=True`). - Users should ensure a template is provided to avoid execution errors. + 4. **Data Mapping:** For each valid entity, the action searches the provided **JSON + Object** for an entry matching the entity's identifier. - - **Entity Result Format**: The input JSON is expected to be a list of dictionaries, - each containing an 'Entity' key (matching the entity identifier) and an 'EntityResult' - key (containing the data to render). + 5. **Template Rendering:** If a match is found, the action combines the entity's + metadata with the specific JSON result and renders the Jinja2 template. + + 6. **Internal Mutation:** The rendered output is attached to the entity as a JSON + result. If **Create Insight** is enabled, the action also generates a formal Entity + Insight visible in the Google SecOps case wall. capabilities: can_create_case_comments: false can_create_insight: true can_modify_alert_data: false can_mutate_external_data: false can_mutate_internal_data: true - can_update_entities: false + can_update_entities: true external_data_mutation_explanation: null - fetches_data: false + fetches_data: true internal_data_mutation_explanation: >- - Creates entity insights and attaches JSON results to entities within the Google - SecOps case. + The action creates entity insights and updates entity JSON results within the + Google SecOps platform based on the provided template and data. categories: - enrichment: false + enrichment: true entity_usage: entity_types: - ADDRESS - - ALERT - APPLICATION - CHILDHASH - CHILDPROCESS @@ -128,33 +128,67 @@ Entity Insight: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: ai_description: >- ### General Description - Verifies the connectivity between Google SecOps and the TemplateEngine integration. - This action is a standard health check used to confirm that the integration environment - is correctly configured and that the SOAR platform can successfully execute scripts - within this integration context. + The **Ping** action is a diagnostic utility designed to verify the connectivity + and operational status of the **TemplateEngine** integration within Google SecOps. + Its primary purpose is to confirm that the SOAR platform can successfully communicate + with the integration and execute its logic. It returns a simple success message + upon completion. ### Parameters Description - There are no parameters for this action. + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | None | N/A | N/A | This action does not require any input parameters. | ### Additional Notes - This action does not interact with any external APIs or internal case data; it - simply returns a success status to indicate the integration is 'Up'. + - This action is a standard health check and does not perform any data retrieval + or state changes. + + - It does not interact with external APIs or process SecOps entities. ### Flow Description - 1. The action initializes the Siemplify API object. + 1. **Initialization**: The action initializes the Siemplify action module. - 2. The action immediately concludes by calling the end method with a success message - 'Siemplify is connected' and a result value of True. + 2. **Status Verification**: The script confirms the execution environment is active. + + 3. **Completion**: The action terminates with a success status and the message + "Siemplify is connected". capabilities: can_create_case_comments: false can_create_insight: false @@ -182,72 +216,95 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Render Template: ai_description: >- - ### General Description - - This action renders a Jinja2 template using a provided JSON object as the data - source. It is designed to transform raw data into formatted strings or HTML, which - can then be used in subsequent playbook steps, such as sending emails or creating - reports. The action supports custom Jinja filters for advanced data manipulation, - including JSON-to-HTML table conversion, regex operations, and date formatting. + Renders a Jinja2 template using provided JSON data and optionally current case + data (entities and events). This utility action is designed to format complex + data into human-readable HTML or text, which can then be used for reporting, email + notifications, or case wall logs. It includes a variety of built-in filters for + data manipulation, such as converting JSON to HTML tables, regex operations, and + date formatting. ### Parameters Description + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **JSON Object** | JSON Object | No | The raw JSON object or list that will be - used as the context for the Jinja template. This data is accessible via the `input_json` - variable within the template. Defaults to `{}`. | + | JSON Object | JSON Object | No | The raw JSON object that will be used as the + primary data source (`input_json`) for the Jinja template. Defaults to an empty + object `{}`. | - | **Jinja** | Code | No | The Jinja2 template code to be rendered. If provided, - this value takes precedence over the 'Template' parameter. | + | Jinja | Code | No | The Jinja2 template code to be rendered. If provided, this + value overrides the 'Template' parameter. | - | **Include Case Data** | Boolean | No | If enabled, the action injects current - alert events and target entities into the template context under `input_json['SiemplifyEvents']` - and `input_json['SiemplifyEntities']`. | + | Include Case Data | Boolean | No | When enabled (true), the action automatically + injects the current alert's security events and target entities into the template + context under `input_json['SiemplifyEvents']` and `input_json['SiemplifyEntities']`. + | - | **Template** | Email Content | No | A pre-defined Jinja2 template (e.g., from - Environment Settings). This is used only if the 'Jinja' parameter is empty. | + | Template | Email Content | No | The Jinja2 template to be rendered. This can + be a pre-defined HTML template from the environment settings or a custom string. + | ### Additional Notes - - Either the **Jinja** or **Template** parameter should be configured for the - action to produce meaningful output. - - - The action includes a robust set of built-in filters such as `json2tbl` (converts - JSON to HTML tables), `regex_match`, `filter_datetime`, and `to_nice_json`. + - Either the 'Jinja' or 'Template' parameter should be provided for the action + to produce a meaningful result. If both are provided, 'Jinja' takes precedence. - - If the **JSON Object** is a list, the action will iterate through the list and - append the rendered output for each item into a single result string. + - The action supports custom filters defined in the `JinjaFilters` and `CustomFilters` + modules, allowing for advanced transformations like `json2tbl`, `regex_replace`, + and `epochTimeToHuman`. ### Flow Description - 1. **Initialization**: The action extracts the input parameters and parses the - provided **JSON Object**. + 1. **Initialization**: The action extracts the input parameters and initializes + the Jinja2 environment. - 2. **Context Preparation**: If **Include Case Data** is true, the action retrieves - security events (additional properties) and target entities from the current SecOps - alert context and merges them into the input data. + 2. **Data Collection**: It retrieves security events and target entities from + the current Siemplify alert context. - 3. **Environment Setup**: A Jinja2 environment is initialized with auto-escaping - enabled. It loads standard filters from `JinjaFilters.py` and attempts to load - any user-defined filters from `CustomFilters.py`. + 3. **Context Preparation**: The input JSON string is parsed. If 'Include Case + Data' is enabled, the collected events and entities are merged into the data context. - 4. **Template Selection**: The action determines which template to use, prioritizing - the raw **Jinja** code block over the **Template** selection. + 4. **Filter Loading**: Standard and custom Jinja filters are loaded into the environment + to enable advanced template logic. - 5. **Rendering**: The template is rendered using the prepared JSON context. If - the input is a list, it renders the template for each element and concatenates - the results. + 5. **Rendering**: The action renders the template (from 'Jinja' or 'Template') + using the prepared data context. It supports both single dictionary inputs and + lists of dictionaries (rendering the template once for each item in the list). - 6. **Output**: The final rendered string is saved to the action's JSON result - under the key `html_output` and returned as the main result value. + 6. **Output**: The rendered string is saved to the action's JSON results under + the key `html_output` and returned as the script result. capabilities: can_create_case_comments: false can_create_insight: false @@ -297,11 +354,11 @@ Render Template: - DestinationURL - USB - USERUNIQNAME - filters_by_additional_properties: true + filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false filters_by_creation_time: false - filters_by_entity_type: false + filters_by_entity_type: true filters_by_identifier: false filters_by_is_artifact: false filters_by_is_enriched: false @@ -310,78 +367,89 @@ Render Template: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Render Template from Array: ai_description: >- - ### General Description - - The **Render Template from Array** action is a utility designed to process a list - of data objects and transform them into a formatted string using the Jinja2 templating - engine. It is particularly useful for generating HTML reports, summaries, or formatted - logs from arrays of data produced by previous playbook steps. The action iterates - through each item in a provided JSON array, applies a user-defined Jinja template - to that item, and then joins the resulting strings together with a specified separator. - - - ### Parameters Description + Renders a Jinja2 template for each item in a provided JSON array. This utility + action is designed to transform lists of data into formatted strings, such as + HTML tables, comma-separated lists, or custom text blocks, which can then be used + in emails, reports, or other playbook actions. - | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + ### Flow Description - | **Array input** | Content | No | A JSON-formatted string representing an array - of objects. If a single object is provided, it will be treated as a single-item - array. Default is `[]`. | + 1. **Input Parsing**: The action parses the 'Array input' parameter as a JSON + object. If the input is a single dictionary instead of a list, it is automatically + wrapped into a single-element list. - | **Jinja** | Code | No | The Jinja2 template code used to render each item in - the array. Within the template, the current item is accessible via the `row` variable - or directly by its keys. Default is a simple template showing `row.name`. | + 2. **Environment Setup**: Initializes a Jinja2 environment, loading standard extensions + and a comprehensive set of custom filters (e.g., `json2tbl`, `regex_match`, `filter_datetime`, + `epochTimeToHuman`). - | **join** | String | No | The character or string used to join the rendered output - of each array item (e.g., a comma, a newline, or an HTML break tag). Default is - a comma. | + 3. **Template Rendering**: Iterates through each item in the array. For each item, + it renders the provided 'Jinja' template code. The current item is accessible + within the template using the `row` variable or directly via its keys. - | **prefix** | String | No | A string to be prepended to the final aggregated - output. | + 4. **Aggregation**: Collects all rendered strings into a list and joins them using + the specified 'join' character. - | **suffix** | String | No | A string to be appended to the final aggregated output. - | + 5. **Final Formatting**: Prepends the 'prefix' and appends the 'suffix' to the + joined string to produce the final output. - ### Additional Notes + ### Parameters Description - - The action includes a robust set of custom Jinja filters (e.g., `json2tbl`, - `regex_match`, `filter_datetime`, `epochTimeToHuman`) to assist in complex data - formatting. + | Parameter | Type | Mandatory | Description | - - If the `Array input` is not a valid JSON list, the action attempts to treat - it as a single JSON object and wraps it in a list automatically. + | :--- | :--- | :--- | :--- | - - The output is provided both as a simple result value and as a JSON object containing - `html_output`. + | **Array input** | content | No | A JSON array (list of objects) typically passed + from the output of a previous action. Defaults to an empty list. | + | **Jinja** | code | No | The Jinja2 template string to be applied to each item + in the array. Use `{{ row.key_name }}` to access data. | - ### Flow Description + | **join** | string | No | The character or string used to join the rendered output + of each array item (e.g., a newline `\n` or a comma `,`). | - 1. **Initialization**: The action extracts the input parameters, including the - JSON array, the Jinja template, and formatting options (join, prefix, suffix). + | **prefix** | string | No | A static string to be added at the very beginning + of the final rendered output. | - 2. **JSON Parsing**: The `Array input` string is parsed into a Python list. If - parsing fails, the action terminates with an error. + | **suffix** | string | No | A static string to be added at the very end of the + final rendered output. | - 3. **Environment Setup**: A Jinja2 environment is initialized, and a comprehensive - suite of custom filters (for regex, date parsing, and HTML table conversion) is - loaded into the environment. - 4. **Template Rendering**: The action loops through each element in the input - list. For each element, it renders the provided Jinja template, passing the element - as the context. + ### Additional Notes - 5. **Aggregation**: All rendered strings are joined using the `join` parameter. - The `prefix` and `suffix` are then added to the start and end of the resulting - string. + - This action includes specialized filters like `json2tbl` which can convert JSON + data directly into HTML tables, making it highly effective for creating dynamic + email content. - 6. **Completion**: The final formatted string is returned as the action result - and stored in the `html_output` JSON field. + - If the 'Array input' is not valid JSON, the action will fail. capabilities: can_create_case_comments: false can_create_insight: false @@ -409,3 +477,28 @@ Render Template from Array: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/power_ups/template_engine/resources/ai/integration_ai_description.yaml b/content/response_integrations/power_ups/template_engine/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..0801c7556 --- /dev/null +++ b/content/response_integrations/power_ups/template_engine/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/power_ups/tools/resources/ai/actions_ai_description.yaml b/content/response_integrations/power_ups/tools/resources/ai/actions_ai_description.yaml index 835e0d859..606fc4c69 100644 --- a/content/response_integrations/power_ups/tools/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/power_ups/tools/resources/ai/actions_ai_description.yaml @@ -1,62 +1,56 @@ Add Alert Scoring Information: ai_description: >- - ### General Description - This action adds an entry to an internal alert scoring database stored within - the alert's context properties. It is designed to aggregate multiple security - checks into a single, weighted alert score and severity level. The scoring logic - follows a specific ratio: 5 Low = 1 Medium, 3 Medium = 1 High, and 2 High = 1 - Critical. This allows for a granular yet consolidated view of risk within a single - alert. + the alert's context properties. It calculates a cumulative risk score for the + alert based on a weighted ratio system: 5 Low severities equal 1 Medium, 3 Mediums + equal 1 High, and 2 Highs equal 1 Critical. The action updates the alert's overall + score and severity level based on these calculations. ### Parameters Description + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Name** | string | Yes | The name of the specific check being performed (e.g., - 'Malicious URL Check'). | + | Name | string | Yes | The name of the specific check or rule being performed + on the alert. | - | **Description** | string | Yes | A detailed description of the check and its - findings. | + | Description | string | Yes | A detailed description of the check being performed. + | - | **Severity** | ddl | Yes | The severity of this specific check. Options: Informational, - Low, Medium, High, Critical. | + | Severity | ddl | Yes | The severity assigned to this specific check. Options: + Informational, Low, Medium, High, Critical. | - | **Category** | string | Yes | The category used to group related checks (e.g., - 'Phishing', 'Malware'). | + | Category | string | Yes | The category of the check (e.g., 'Malware', 'Phishing'). + Scores are grouped by category. | - | **Source** | string | No | The specific part of the alert the score was derived - from, such as 'Files', 'Email', or 'User'. | + | Source | string | No | Optional. The specific part of the alert the score was + derived from, such as 'Files', 'Email', or 'User'. | ### Flow Description - 1. **Data Retrieval**: The action retrieves existing scoring information from - the alert's context property `ALERT_SCORE_INFO`. - 2. **Score Processing**: It parses the existing JSON data and appends the new - score entry to the specified category. If the category does not exist, a new one - is created. + 1. **Extract Parameters:** The action retrieves the check name, description, category, + severity, and optional source from the input. - 3. **Weighted Calculation**: The action recalculates the score for each category - and the overall alert using a weighted ratio logic (e.g., multiple lower-severity - findings can escalate the overall alert severity). + 2. **Retrieve Existing Data:** It fetches the current scoring information (`ALERT_SCORE_INFO`) + from the alert's context properties. If none exists, it initializes an empty list. - 4. **Context Update**: It updates three alert context properties: `ALERT_SCORE_INFO` - (the full JSON audit trail), `ALERT_SCORE` (the numeric aggregate score), and - `ALERT_SEVERITY` (the string representation of the aggregate score). + 3. **Update Scoring Information:** It appends the new score entry to the appropriate + category. If the category doesn't exist, it creates a new one. - 5. **Result Output**: The action returns the updated scoring structure as a JSON - result and sets the final action output to the calculated alert severity. + 4. **Calculate Scores:** It recalculates the score for each category and the overall + alert score using the defined ratio logic (e.g., 5 Low = 1 Medium). + 5. **Persist Data:** The action updates the alert context properties: `ALERT_SCORE_INFO` + (the full JSON list of scores), `ALERT_SCORE` (the numeric risk level), and `ALERT_SEVERITY` + (the string representation of the risk level). - ### Additional Notes - - This action does not interact with external APIs; it functions entirely within - the Google SecOps environment to manage alert-level metadata. + 6. **Output Results:** It returns a JSON representation of the updated scoring + structure and sets the action's final result to the new alert severity. capabilities: can_create_case_comments: false can_create_insight: false @@ -67,8 +61,8 @@ Add Alert Scoring Information: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - The action updates alert context properties (ALERT_SCORE_INFO, ALERT_SCORE, - and ALERT_SEVERITY) to store and aggregate risk scoring data within the alert. + Updates alert context properties (ALERT_SCORE_INFO, ALERT_SCORE, ALERT_SEVERITY) + to track and calculate the overall risk score of the alert. categories: enrichment: false entity_usage: @@ -86,14 +80,39 @@ Add Alert Scoring Information: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: true + update_email: false + update_identity: false + update_ticket: false Add Comment to Entity Log: ai_description: >- ### General Description - The **Add Comment to Entity Log** action allows users to programmatically add - comments to the internal logs of specific entities within Google SecOps. This - is useful for auditing, providing context for future investigations, or documenting - automated findings directly on the entity's record in the Entity Explorer. + The **Add Comment to Entity Log** action allows users to programmatically append + comments to the internal logs of entities within the Google SecOps environment. + This is primarily used for maintaining an audit trail or providing additional + context for specific entities during an investigation. ### Parameters Description @@ -102,34 +121,33 @@ Add Comment to Entity Log: | :--- | :--- | :--- | :--- | - | **User** | User | Yes | The username or identifier of the person or system account - that will be credited as the author of the comment. Defaults to `@Administrator`. - | + | **User** | User | Yes | The username or identifier of the person or system creating + the comment. | - | **Comment** | Content | Yes | The actual text content that will be appended - to the entity's log. | + | **Comment** | Content | Yes | The actual text content of the comment to be added + to the entity log. | ### Flow Description 1. **Parameter Extraction**: The action retrieves the `User` and `Comment` values - from the input configuration. + from the input parameters. - 2. **Entity Iteration**: The script iterates through all entities currently in - the action's scope (`target_entities`). + 2. **Entity Iteration**: The action identifies all entities currently in the scope + of the playbook or manual execution. - 3. **Internal API Call**: For each entity, it invokes the `add_comment_to_entity` - helper function, which sends a request to the Google SecOps internal API to attach - the comment to the entity's log in the specified environment. + 3. **Internal API Call**: For each entity, the action invokes an internal SOAR + API method (`add_comment_to_entity`) to record the comment against that specific + entity's log. - 4. **Result Reporting**: The action compiles a summary message detailing which - entities received the comment and completes the execution. + 4. **Completion**: The action generates a summary message listing the entities + that were updated and concludes the execution. ### Additional Notes - This action does not modify the entity's attributes (like reputation or tags) - but rather adds a historical log entry visible in the Entity Explorer. + This action does not interact with external systems; it only modifies internal + metadata associated with entities in the SecOps platform. capabilities: can_create_case_comments: false can_create_insight: false @@ -140,8 +158,7 @@ Add Comment to Entity Log: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Adds a comment to the entity log for each entity in scope within the Google - SecOps platform. + Adds a comment to the internal entity log for each entity in scope. categories: enrichment: false entity_usage: @@ -194,35 +211,58 @@ Add Comment to Entity Log: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Add Or Update Alert Additional Data: ai_description: "### General Description\nThis action allows for the dynamic addition\ - \ or updating of information within the 'Additional Data' field of a Google SecOps\ - \ alert. It is designed to act as a temporary or persistent storage mechanism\ - \ for data collected during a playbook's execution, enabling subsequent actions\ - \ to access this accumulated context. The action supports structured JSON (dictionaries\ - \ and lists) as well as plain text.\n\n### Parameters Description\n| Parameter\ - \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Json Fields\ - \ | string | Yes | The data to be added to the alert. This can be a raw string,\ - \ a JSON-formatted dictionary, or a JSON-formatted list. If a dictionary is provided,\ - \ it is merged into the existing 'dict' key. If a list is provided, it is appended\ - \ to the 'list' key. Any other input is stored in the 'data' key. |\n\n### Additional\ - \ Notes\n- The action automatically initializes a structured schema within the\ - \ alert's additional data if it doesn't exist, containing 'dict', 'list', and\ - \ 'data' keys.\n- If the input string is not valid JSON, it will be treated as\ - \ a standard string and stored in the 'data' field.\n\n### Flow Description\n\ - 1. **Input Parsing**: The action retrieves the 'Json Fields' parameter and attempts\ - \ to parse it as a JSON object (dictionary or list). If parsing fails, it treats\ - \ the input as a raw string.\n2. **Data Retrieval**: It fetches the current alert's\ - \ existing 'additional_data' content.\n3. **Structure Normalization**: If the\ - \ existing data is empty or lacks the standard keys ('dict', 'list', 'data'),\ - \ the action initializes them to ensure a consistent data structure.\n4. **Data\ - \ Merging**: \n - If the input is a **List**, it extends the existing list\ - \ in the alert data.\n - If the input is a **Dictionary**, it updates the existing\ - \ dictionary in the alert data with the new key-value pairs.\n - If the input\ - \ is a **String**, it overwrites the 'data' field with the new value.\n5. **Internal\ - \ Update**: The action calls the Google SecOps API to update the alert's metadata\ - \ with the newly merged JSON structure.\n6. **Output**: The final accumulated\ - \ data is returned as a JSON result for use in the playbook." + \ or modification of metadata stored within an alert's `additional_data` field\ + \ in Google SecOps. It is designed to facilitate state management and data persistence\ + \ across different stages of a playbook by allowing users to store structured\ + \ JSON or plain text directly on the alert object.\n\n### Parameters Description\n\ + | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ + | Json Fields | string | Yes | The data to be added or updated. This can be a\ + \ JSON-formatted string (representing a Dictionary or List) or plain text. If\ + \ a JSON dictionary is provided, it updates the existing dictionary; if a list\ + \ is provided, it appends to the existing list; otherwise, it populates a general\ + \ 'data' field. |\n\n### Additional Notes\n- The action maintains a specific internal\ + \ structure within the alert's additional data, categorizing inputs into `list`,\ + \ `dict`, or `data` keys to prevent data loss during updates.\n- If the `Json\ + \ Fields` parameter contains invalid JSON, the action will treat the entire input\ + \ as a raw string.\n\n### Flow Description\n1. **Input Retrieval**: The action\ + \ retrieves the value from the `Json Fields` parameter.\n2. **Data Parsing**:\ + \ It attempts to parse the input string into a JSON object (dictionary or list).\ + \ If parsing fails, the input is treated as a standard string.\n3. **Context Retrieval**:\ + \ The action fetches the current alert's existing `additional_data` from Google\ + \ SecOps.\n4. **Merging Logic**: \n - If the input is a **list**, it is appended\ + \ to the existing list in the alert data.\n - If the input is a **dictionary**,\ + \ it updates the existing dictionary in the alert data.\n - If the input is\ + \ a **string**, it overwrites the 'data' field in the alert data.\n5. **Internal\ + \ Update**: The action calls the Google SecOps API to update the alert's `additional_data`\ + \ with the newly merged structure.\n6. **Result Output**: The final accumulated\ + \ data is returned as a JSON result and the action completes." capabilities: can_create_case_comments: false can_create_insight: false @@ -234,7 +274,7 @@ Add Or Update Alert Additional Data: fetches_data: false internal_data_mutation_explanation: >- Updates the 'additional_data' field of the current alert within Google SecOps - to store or update contextual information. + to store or modify metadata. categories: enrichment: false entity_usage: @@ -252,32 +292,55 @@ Add Or Update Alert Additional Data: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: true + update_email: false + update_identity: false + update_ticket: false Append to Context Value: - ai_description: "### General Description\nAppends a specified string value to an\ - \ existing context property or creates a new context property if the key does\ - \ not already exist. This action is designed to facilitate data accumulation across\ - \ playbook steps by storing values in a structured format using a delimiter. It\ - \ supports three distinct scopes: Alert, Case, and Global.\n\n### Parameters Description\n\ - | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ - | **Scope** | DDL | Yes | Determines the storage scope for the context property.\ - \ Options are 'Alert' (specific to the current alert), 'Case' (shared across the\ - \ entire case), or 'Global' (shared across the environment). Default is 'Alert'.\ - \ |\n| **Key** | String | Yes | The unique identifier/name of the context property\ - \ to be updated or created. |\n| **Value** | String | Yes | The string value to\ - \ append to the existing property or to set as the initial value. |\n| **Delimiter**\ - \ | String | Yes | The character or string used to separate the existing value\ - \ from the new value when appending. Default is a comma (','). |\n\n### Flow Description\n\ - 1. **Parameter Extraction:** The action retrieves the `Scope`, `Key`, `Value`,\ - \ and `Delimiter` from the input configuration.\n2. **Context Retrieval:** Based\ - \ on the selected `Scope`, the action attempts to fetch the current value of the\ - \ specified `Key` from the internal Google SecOps context storage.\n3. **Value\ - \ Processing:** \n * If the key already contains data, the action concatenates\ - \ the existing value, the provided delimiter, and the new value.\n * If the\ - \ key is empty or does not exist, the action initializes it with the provided\ - \ value.\n4. **Context Update:** The updated string is saved back into the corresponding\ - \ context scope (Alert, Case, or Global).\n5. **Completion:** The action returns\ - \ a success message indicating whether the value was appended to an existing key\ - \ or a new key was created." + ai_description: "Appends a specified string value to an existing context property\ + \ or creates a new context property if the key does not exist. This action allows\ + \ for the aggregation of data within the scope of an Alert, a Case, or Globally\ + \ across the environment. It is primarily used for maintaining state or collecting\ + \ multiple values (like a list of IDs or names) during playbook execution.\n\n\ + ### Parameters\n| Parameter | Type | Mandatory | Description |\n| :--- | :---\ + \ | :--- | :--- |\n| Scope | ddl | Yes | The level at which the context property\ + \ exists. Options are 'Alert', 'Case', or 'Global'. |\n| Key | string | Yes |\ + \ The unique identifier (name) of the context property to modify or create. |\n\ + | Value | string | Yes | The string value to be appended to the existing property.\ + \ |\n| Delimiter | string | Yes | The character or string used to separate the\ + \ existing value from the new value (e.g., a comma or semicolon). Default is ','.\ + \ |\n\n### Flow Description\n1. **Parameter Extraction:** The action retrieves\ + \ the 'Scope', 'Key', 'Value', and 'Delimiter' from the input parameters.\n2.\ + \ **Context Retrieval:** Based on the selected 'Scope', the action attempts to\ + \ fetch the current value of the context property associated with the provided\ + \ 'Key'.\n3. **Value Concatenation:** \n * If the property already exists,\ + \ the action appends the new 'Value' to the existing string, separated by the\ + \ 'Delimiter'.\n * If the property does not exist, the action initializes the\ + \ property with the provided 'Value'.\n4. **Context Update:** The action saves\ + \ the updated (or new) value back to the specified context scope (Alert, Case,\ + \ or Global).\n5. **Completion:** The action returns a success message and the\ + \ final concatenated string as the result." capabilities: can_create_case_comments: false can_create_insight: false @@ -288,8 +351,8 @@ Append to Context Value: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Updates or creates context properties within the Alert, Case, or Global scopes - of the Google SecOps environment. + Updates or creates context properties within the Google SecOps platform at the + Alert, Case, or Global scope. categories: enrichment: false entity_usage: @@ -307,24 +370,72 @@ Append to Context Value: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: true + update_email: false + update_identity: false + update_ticket: false Assign Case to User: ai_description: >- - ### General Description This action assigns a specific user to a case within Google - SecOps. It is primarily used for workflow orchestration to ensure that cases are - routed to the correct analysts or administrators for investigation. ### Parameters - Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- - | :--- | | Case Id | String | Yes | The unique identifier of the case that needs - to be assigned. | | Assign To | String | Yes | The username or identifier of the - user to whom the case will be assigned (e.g., '@Admin'). | | Alert Id | String - | Yes | The unique identifier of the alert associated with the case. | ### Additional - Notes - This action performs an internal state change within the Google SecOps - SOAR platform by updating the case ownership. - It does not interact with external - third-party APIs. ### Flow Description 1. Parameter Extraction: The action retrieves - the Case Id, Assign To user, and Alert Id from the input parameters. 2. API Call: - It utilizes the assign_case_to_user utility from the TIPCommon library to communicate - with the internal SOAR API. 3. Assignment: The internal API updates the case record - to reflect the new assignee. 4. Completion: The action logs the result and terminates - successfully. + ### General Description + + This action assigns a specific user to a case within Google SecOps. It is primarily + used for workflow automation to ensure that cases are routed to the correct analyst + or administrator for investigation. + + + ### Parameters Description + + | Parameter Name | Description | Type | Mandatory | Additional Notes | + + | :--- | :--- | :--- | :--- | :--- | + + | Case Id | The unique identifier of the case to which the user will be assigned. + | String | Yes | | + + | Assign To | The username or identifier of the user who will be assigned to the + case. | String | Yes | Default value is '@Admin'. | + + | Alert Id | The unique identifier of the alert associated with the case. | String + | Yes | | + + + ### Flow Description + + 1. **Parameter Extraction**: The action retrieves the `Case Id`, `Assign To` (target + user), and `Alert Id` from the input parameters. + + 2. **API Interaction**: It calls the internal SOAR API function `assign_case_to_user` + using the provided identifiers. + + 3. **Execution Completion**: The action logs the result of the assignment operation + and terminates with a success status. + + + ### Additional Notes + + This action performs an internal state change within the Google SecOps platform + and does not interact with external third-party integrations. capabilities: can_create_case_comments: false can_create_insight: false @@ -335,7 +446,8 @@ Assign Case to User: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Updates the assignee/owner of a case within the Google SecOps SOAR platform. + Updates the assignee field of a case and its associated alert within the Google + SecOps platform. categories: enrichment: false entity_usage: @@ -353,50 +465,71 @@ Assign Case to User: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: true + update_email: false + update_identity: false + update_ticket: false Attach Playbook to Alert: ai_description: >- - ### General Description + Attaches one or more playbooks or blocks to a specific alert within a Google SecOps + case. This action allows for automated workflow triggering by dynamically linking + playbooks based on provided names. It supports handling multiple playbooks via + a comma-separated list and includes logic to prevent or allow duplicate attachments + based on user configuration. - This action attaches one or more playbooks (or blocks) to a specific alert within - Google SecOps. It is primarily used to dynamically trigger additional automated - workflows based on the logic or findings of a parent playbook. The action can - handle multiple playbook names provided as a comma-separated list and includes - logic to prevent or allow duplicate attachments. - - ### Parameters Description + ### Parameters | Parameter Name | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Playbook Name | String | Yes | A comma-separated list of the names of the playbooks - or blocks that should be attached to the alert. | + | Playbook Name | String | True | A comma-separated list of playbook names that + should be attached to the alert. | - | Allow Duplicates | Boolean | No | If set to `true` (default), the action will - attach the playbook even if it is already attached to the alert. If `false`, it - will skip playbooks that are already present. | + | Allow Duplicates | Boolean | False | If set to `true` (default), the action + will attach the playbook even if it is already attached to the alert. If `false`, + it will skip playbooks that are already present. | ### Flow Description - 1. **Parameter Extraction**: The action retrieves the list of playbook names and - the duplicate attachment policy from the input parameters. + 1. **Fetch Existing Workflows:** The action identifies the current alert and retrieves + a list of all playbooks currently attached to it using the `get_workflow_instance_card` + API. - 2. **Fetch Existing Workflows**: It identifies the current alert and calls the - internal API to retrieve a list of playbooks already attached to that specific - alert. + 2. **Parse Input:** The `Playbook Name` string is split by commas and cleaned + of whitespace to create a list of target playbooks. - 3. **Validation and Filtering**: The action iterates through the requested playbook - names. If `Allow Duplicates` is disabled, it checks the requested names against - the list of already attached playbooks. + 3. **Duplicate Check:** If `Allow Duplicates` is disabled, the action compares + the target list against the already attached playbooks. - 4. **Attachment**: For each valid playbook name, it invokes the `attach_workflow_to_case` - method to link the playbook to the alert context. + 4. **Attachment Execution:** For each valid playbook name, the action calls the + internal SDK method `attach_workflow_to_case` to link the playbook to the alert. - 5. **Reporting**: The action compiles a summary message indicating which playbooks - were successfully attached, which were skipped as duplicates, and which failed - (e.g., due to spelling errors). + 5. **Reporting:** The action aggregates the results, providing a summary of successfully + attached playbooks, skipped duplicates, and any failures (e.g., due to misspellings). capabilities: can_create_case_comments: false can_create_insight: false @@ -407,8 +540,8 @@ Attach Playbook to Alert: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action attaches playbooks to an alert, which modifies the alert's workflow - state and execution history within Google SecOps. + Attaches new workflow instances (playbooks) to an existing alert within the + Google SecOps platform, changing the state of the case. categories: enrichment: false entity_usage: @@ -426,41 +559,71 @@ Attach Playbook to Alert: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: true + update_email: false + update_identity: false + update_ticket: false Attach Playbook to All Case Alerts: ai_description: >- - ### General Description + Attaches a specified playbook (workflow) to all alerts associated with the current + case in Google SecOps. This action is designed to standardize the response process + by ensuring that every alert within a case is governed by the same automated logic. - The **Attach Playbook to All Case Alerts** action is designed to programmatically - assign a specific playbook to every alert associated with a case in Google SecOps. - This is particularly useful for ensuring that all alerts within a single investigation - follow a consistent automated response or investigation workflow. + ### Flow Description: - ### Parameters Description + 1. **Parameter Retrieval:** The action retrieves the 'Playbook Name' provided + by the user. - | Parameter | Type | Mandatory | Description | + 2. **Alert Iteration:** It iterates through every alert currently linked to the + active case. - | :--- | :--- | :--- | :--- | + 3. **Playbook Attachment:** For each alert, it invokes the internal system method + to attach the specified playbook using the case ID and alert identifier. - | **Playbook Name** | String | Yes | The exact name of the playbook that should - be attached to all alerts in the current case. | + 4. **Outcome Reporting:** The action tracks the success of the attachment and + returns a summary message indicating whether the playbook was successfully applied + to the alerts. - ### Flow Description + ### Parameters Description: - 1. **Input Retrieval**: The action retrieves the `Playbook Name` from the user-defined - parameters. + | Parameter Name | Description | Type | Mandatory | + + | :--- | :--- | :--- | :--- | - 2. **Alert Iteration**: The script accesses the current case object and iterates - through every alert linked to that case. + | Playbook Name | The exact name of the playbook/workflow that should be attached + to all alerts in the case. | String | Yes | - 3. **Workflow Attachment**: For each alert, the action calls the internal SOAR - API (`attach_workflow_to_case`) to link the specified playbook to the alert's - unique identifier. - 4. **Status Reporting**: The action evaluates the success of the attachment process - and returns a final message to the case wall indicating whether the playbook was - successfully attached to the alerts. + ### Additional Notes: + + - This action modifies the state of alerts within the Google SecOps platform by + assigning workflows to them. + + - It does not interact with external third-party APIs; it performs internal orchestration + within the SOAR environment. capabilities: can_create_case_comments: false can_create_insight: false @@ -471,8 +634,8 @@ Attach Playbook to All Case Alerts: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Attaches a playbook to all alerts within the current case, which modifies the - workflow and automation state of the alerts inside Google SecOps. + Attaches a specified playbook (workflow) to all alerts within the current case, + changing the automation state of those alerts. categories: enrichment: false entity_usage: @@ -490,32 +653,52 @@ Attach Playbook to All Case Alerts: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: true + update_email: false + update_identity: false + update_ticket: false Buffer: - ai_description: >- - ### General Description\n\nThe **Buffer** action is a utility tool within the - Tools integration designed to facilitate data handling and flow control within - playbooks. Its primary purpose is to receive a JSON string and a result value - as inputs and 'buffer' them into the action's output. This is particularly useful - for converting string-based JSON data into a structured format that subsequent - playbook actions can easily consume, or for explicitly setting the result value - of a step to control playbook logic flow.\n\n### Parameters Description\n\n| Parameter - | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| **JSON** - | String | No | A JSON-formatted string. If provided, the action attempts to parse - this string and include the resulting object in the action's JSON results. |\n| - **ResultValue** | String | No | A string value that will be returned as the primary - result of the action. This is often used for conditional branching in playbooks. - |\n\n### Flow Description\n\n1. **Parameter Retrieval:** The action starts by - retrieving the `JSON` and `ResultValue` inputs from the playbook context.\n2. - **JSON Parsing:** If the `JSON` parameter is populated, the script attempts to - deserialize the string into a structured JSON object using `json.loads()`.\n3. - **Result Attachment:** \n * If parsing is successful, the structured data is - added to the action's result JSON using `add_result_json` and `add_json` (under - the key 'Json').\n * If parsing fails, an error message is appended to the - final output message.\n4. **Action Completion:** The action concludes by calling - `siemplify.end()` with a status message and the provided `ResultValue`.\n\n### - Additional Notes\n\n* This action does not interact with any external APIs or - modify any SecOps entities.\n* It serves strictly as a data transformation and - flow control utility. + ai_description: "### General Description\nThe **Buffer** action is a utility tool\ + \ designed to receive a JSON string and return it as a structured JSON object\ + \ within the Google SecOps platform. This is primarily used in playbooks to transform\ + \ string-based data into a format that can be easily accessed and parsed by subsequent\ + \ actions. It also allows for setting a custom script result value.\n\n### Parameters\ + \ Description\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- |\ + \ :--- | :--- |\n| ResultValue | String | No | The value that will be returned\ + \ as the primary script result of the action. |\n| JSON | String | No | A string\ + \ representing a JSON object. If provided, the action attempts to parse this string\ + \ and return it as structured JSON data. |\n\n### Flow Description\n1. **Parameter\ + \ Retrieval**: The action retrieves the `JSON` and `ResultValue` inputs from the\ + \ environment.\n2. **JSON Parsing**: If the `JSON` parameter is provided, the\ + \ script attempts to deserialize the string using `json.loads()`.\n3. **Data Attachment**:\ + \ \n * If parsing is successful, the resulting object is added to the action's\ + \ result JSON and also stored under the key 'Json'.\n * If parsing fails, an\ + \ error message is appended to the output message.\n4. **Completion**: The action\ + \ terminates, returning the `ResultValue` as the script result and providing a\ + \ status message indicating whether the input values were successfully processed.\n\ + \n### Additional Notes\n* This action does not interact with external APIs or\ + \ modify entities; it is strictly a data manipulation utility." capabilities: can_create_case_comments: false can_create_insight: false @@ -543,55 +726,53 @@ Buffer: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Change Case Name: - ai_description: >- - ### General Description - - This action changes the title (name) of a case within Google SecOps. It is primarily - used for case management and organization, allowing playbooks to dynamically rename - cases based on specific logic or findings. The action can be configured to execute - conditionally based on whether the current alert is the first alert in the case. - - - ### Parameters Description - - | Parameter Name | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | New Name | String | No | The new title to be assigned to the case. | - - | Only If First Alert | Boolean | No | If set to `True`, the action will only - rename the case if it is being executed in the context of the chronologically - first alert (based on detection time) within that case. Default is `False`. | - - - ### Additional Notes - - - If `Only If First Alert` is enabled and the action is triggered by a subsequent - alert, the case name will remain unchanged. - - - While `New Name` is marked as not mandatory in the configuration, the action - logic expects a value to perform the rename operation. - - - ### Flow Description - - 1. **Initialization**: The action starts by retrieving the `New Name` and `Only - If First Alert` parameters. - - 2. **Alert Sorting**: It retrieves all alerts associated with the current case - and sorts them by their `detected_time` to identify the chronological order. - - 3. **Condition Check**: If `Only If First Alert` is `True`, the action compares - the identifier of the current alert with the identifier of the first alert in - the sorted list. - - 4. **Execution**: If the condition is met (or if the condition check is disabled), - the action calls the internal SOAR API `rename_case` to update the case title. - - 5. **Completion**: The action concludes by providing an output message indicating - whether the name was changed or if it was skipped due to the 'First Alert' constraint. + ai_description: "### General Description\nThis action changes the title (name) of\ + \ the current case within Google SecOps. It is primarily used for case management\ + \ and organization, allowing playbooks to dynamically rename cases based on logic\ + \ or specific alert attributes. \n\n### Parameters Description\n| Parameter |\ + \ Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| New Name\ + \ | String | No | The new title to be assigned to the case. |\n| Only If First\ + \ Alert | Boolean | No | If set to `True`, the action will only rename the case\ + \ if the current alert being processed is the chronologically first alert (based\ + \ on detection time) associated with the case. Defaults to `False`. |\n\n### Additional\ + \ Notes\n- If the `Only If First Alert` condition is not met, the action will\ + \ complete successfully but will not modify the case name.\n- This action interacts\ + \ with the internal Google SecOps API to perform the update.\n\n### Flow Description\n\ + 1. **Sort Alerts:** The action retrieves all alerts associated with the current\ + \ case and sorts them by their `detected_time` to identify the chronological order.\n\ + 2. **Condition Check:** It evaluates the `Only If First Alert` parameter. If `True`,\ + \ it compares the identifier of the current alert with the identifier of the first\ + \ alert in the sorted list.\n3. **Rename Case:** If the condition is met (or if\ + \ the parameter is `False`), the action calls the `rename_case` utility to update\ + \ the case title using the provided `New Name`.\n4. **Finalize:** The action returns\ + \ a success message indicating whether the title was changed or skipped based\ + \ on the alert order logic." capabilities: can_create_case_comments: false can_create_insight: false @@ -602,8 +783,8 @@ Change Case Name: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Updates the case title (name) within the Google SecOps platform using the internal - SOAR API. + This action modifies the 'title' attribute of the Case object within Google + SecOps. categories: enrichment: false entity_usage: @@ -621,72 +802,98 @@ Change Case Name: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Check Entities Fields In Text: ai_description: >- - ### General Description + This action allows for searching specific fields within each entity in the scope + (or multiple fields using regex) and comparing them with one or more values provided + in a text input. The action uses regular expressions to identify fields, extract + values from those fields, and process the search data. A match is identified if + the processed value from the entity enrichment matches any of the processed values + in the search data. - This utility action allows for the comparison of specific entity fields against - a provided text block using regular expressions. It is designed to identify matches - between threat intelligence or enrichment data already associated with entities - and external text data (such as email bodies, logs, or event descriptions). The - action can optionally tag entities that meet the match criteria with a custom - property. + ### Flow Description: - ### Parameters Description + 1. **Parameter Parsing:** The action parses the `FieldsInput` and `SearchInData` + JSON strings to determine which entity fields to inspect and what data to search + against. - | Parameter | Type | Mandatory | Description | + 2. **Field Identification:** For each entity in the scope, the action scans its + `additional_properties`. It identifies fields either by an exact `FieldName` or + by matching keys against a `RegexForFieldName`. - | :--- | :--- | :--- | :--- | + 3. **Value Extraction:** Once a field is identified, the action retrieves its + value. If `RegexForFieldValue` is provided, it applies the regex to the value + to extract specific sub-strings. - | SearchInData | string | True | A JSON array of objects containing the text to - search in and an optional regex to pre-process that text. Format: `[{"Data": "text", - "RegEx": "pattern"}]`. | + 4. **Search Data Preparation:** The action processes the `SearchInData` by applying + the provided `RegEx` to the `Data` strings to isolate the target search strings. - | FieldsInput | string | True | A JSON array of objects defining which entity - fields to extract and compare. Supports direct field names or regex patterns for - field names and values. Format: `[{"FieldName": "name", "RegexForFieldName": "pattern", - "RegexForFieldValue": "pattern"}]`. | + 5. **Comparison Logic:** The action compares the extracted entity values against + the prepared search strings. This comparison respects the `IsCaseSensitive` toggle. - | ShouldEnrichEntity | string | False | If provided, this string will be used - as a key in the entity's additional properties, set to `True` if a match is found. - | + 6. **Internal Mutation (Optional):** If a match is found and `ShouldEnrichEntity` + is configured, the action updates the entity's `additional_properties` by adding + the specified key with a value of `True`. - | IsCaseSensitive | boolean | False | Determines if the string comparison between - the entity field and the search data should be case-sensitive. Default is `false`. - | + 7. **Results Reporting:** The action compiles a detailed JSON result mapping entity + identifiers to their match results and returns the count of successful matches. - ### Additional Notes + ### Parameters Description: - - The action primarily interacts with the `additional_properties` attribute of - entities. + | Parameter | Type | Mandatory | Description | - - If `ShouldEnrichEntity` is configured, the action will perform an internal mutation - by updating the entity's properties in Google SecOps. + | :--- | :--- | :--- | :--- | + | SearchInData | String (JSON) | Yes | A JSON array of objects: `[{"Data": "...", + "RegEx": "..."}]`. Defines the text blocks to search in and the regex to apply + to them. | - ### Flow Description + | FieldsInput | String (JSON) | Yes | A JSON array of objects: `[{"FieldName": + "...", "RegexForFieldName": "...", "RegexForFieldValue": "..."}]`. Defines which + entity properties to check and how to extract values. | - 1. **Initialization**: Parses the input JSON parameters (`FieldsInput` and `SearchInData`) - and matching configurations. + | ShouldEnrichEntity | String | No | If provided, this string is used as a key + in the entity's additional properties. If a match is found, this key is set to + `True`. | - 2. **Data Extraction**: Iterates through all entities in the current scope. For - each entity, it extracts values from `additional_properties` based on the provided - `FieldName` or `RegexForFieldName`. If `RegexForFieldValue` is provided, it further - filters the extracted value. + | IsCaseSensitive | Boolean | No | If set to `True`, the string comparison between + entity values and search data will be case-sensitive. Defaults to `False`. | - 3. **Search Preparation**: Processes the `SearchInData` by applying the specified - regex to the raw text strings to isolate the relevant content for comparison. - 4. **Comparison**: Performs a substring match check between the extracted entity - values and the processed search strings, respecting the `IsCaseSensitive` flag. + ### Additional Notes: - 5. **Internal Update**: If a match is found and `ShouldEnrichEntity` is set, the - action adds the specified key to the entity's properties. + - This action is primarily a logic and utility tool for cross-referencing entity + metadata with external text or event data within a playbook. - 6. **Finalization**: Updates the entities in the system, attaches a detailed JSON - result of all matches, and returns the count of successfully matched entities. + - The action relies heavily on the `additional_properties` attribute of entities, + which is typically populated by previous enrichment actions. capabilities: can_create_case_comments: false can_create_insight: false @@ -697,8 +904,8 @@ Check Entities Fields In Text: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Updates entity additional properties with a match flag if the 'ShouldEnrichEntity' - parameter is provided and a match is found. + The action can update entity additional properties with a custom match flag + if the 'ShouldEnrichEntity' parameter is provided. categories: enrichment: false entity_usage: @@ -738,7 +945,7 @@ Check Entities Fields In Text: - DestinationURL - USB - USERUNIQNAME - filters_by_additional_properties: false + filters_by_additional_properties: true filters_by_alert_identifier: false filters_by_case_identifier: false filters_by_creation_time: false @@ -751,28 +958,52 @@ Check Entities Fields In Text: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Check List Subset: - ai_description: "### General Description\nThe **Check List Subset** action is a\ - \ utility tool designed to compare two lists and determine if one (the 'Subset')\ - \ is entirely contained within the other (the 'Original'). This is particularly\ - \ useful in playbook logic for validating if a set of observed values matches\ - \ a predefined whitelist or a collection of expected attributes.\n\n### Parameters\ - \ Description\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- |\ - \ :--- | :--- |\n| **Original** | String | Yes | The master list of items to check\ - \ against. This can be provided as a JSON-formatted list (e.g., `[\"a\", \"b\"\ - ]`) or a comma-separated string (e.g., `a, b`). |\n| **Subset** | String | Yes\ - \ | The list of items to verify. This can be provided as a JSON-formatted list\ - \ or a comma-separated string. |\n\n### Flow Description\n1. **Parameter Extraction**:\ - \ The action retrieves the `Original` and `Subset` strings from the input parameters.\n\ - 2. **Data Parsing**: It attempts to parse each input as a JSON list. If JSON parsing\ - \ fails, it falls back to splitting the string by commas, stripping whitespace,\ - \ and converting numeric strings to integers.\n3. **Subset Validation**: The action\ - \ converts both lists into sets and performs a subset comparison (`subset <= original`).\n\ - 4. **Result Generation**: \n * If the subset condition is met, it returns a\ - \ success message.\n * If items in the 'Subset' are missing from the 'Original',\ - \ it identifies the specific missing items and includes them in the output message.\n\ - 5. **Action Completion**: The action ends by returning a boolean result (`True`\ - \ for subset match, `False` otherwise) and the descriptive message." + ai_description: "Checks if all elements of a 'Subset' list are present within an\ + \ 'Original' list. This utility action is designed for logic branching within\ + \ playbooks, allowing analysts to verify if a specific set of values (e.g., a\ + \ list of detected hashes) is entirely contained within a reference list (e.g.,\ + \ a known allowlist or a previous search result).\n\n### Parameters Description\n\ + \n| Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :---\ + \ |\n| Original | String | Yes | The master list to check against. Can be provided\ + \ as a JSON-formatted list (e.g., `[\"a\", \"b\"]`) or a comma-separated string\ + \ (e.g., `a, b`). |\n| Subset | String | Yes | The list of items to verify. Can\ + \ be provided as a JSON-formatted list or a comma-separated string. |\n\n### Flow\ + \ Description\n\n1. **Parameter Extraction:** The action retrieves the `Original`\ + \ and `Subset` strings from the action parameters.\n2. **Data Parsing:** It attempts\ + \ to parse each input as a JSON list. If JSON parsing fails, it falls back to\ + \ splitting the string by commas, stripping whitespace, and converting numeric\ + \ strings to integers.\n3. **Set Comparison:** Both parsed lists are converted\ + \ into Python sets. The action then performs a subset comparison (`subset <= original`).\n\ + 4. **Result Reporting:** \n * If the subset condition is met, the action\ + \ returns `true` with a success message.\n * If the subset condition is not\ + \ met, the action returns `false` and provides a message listing the specific\ + \ items found in the subset that were missing from the original list." capabilities: can_create_case_comments: false can_create_insight: false @@ -800,92 +1031,116 @@ Check List Subset: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Convert Into Simulated Case: - ai_description: "### General Description\nConverts alert data into a format suitable\ - \ for the Google SecOps Case Simulator. This action extracts raw event data from\ - \ an entity's additional properties, transforms it into a standardized case JSON\ - \ structure, and provides options to either push the case directly to the simulator\ - \ or save it as a file attachment on the case wall for manual import.\n\n### Parameters\ - \ Description\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- |\ - \ :--- | :--- |\n| Push to Simulated Cases | boolean | No | If set to `true`,\ - \ the action will automatically import the generated case JSON into the Google\ - \ SecOps Simulator via the SOAR API. |\n| Save JSON as Case Wall File | boolean\ - \ | No | If set to `true`, the action will attach the generated JSON as a `.case`\ - \ file to the case wall for manual download. |\n| Override Alert Name | string\ - \ | No | Allows the user to specify a custom name for the simulated case, overriding\ - \ the default name derived from the source data. |\n| Full path name | boolean\ - \ | No | If set to `true`, the action constructs the case name using the format:\ - \ `SourceSystemName_DeviceProduct_Name`. |\n\n### Additional Notes\n* The action\ - \ specifically targets the **first entity** of the current alert and expects it\ - \ to contain a `SourceFileContent` property within its `additional_properties`\ - \ attribute. If this property is missing or contains invalid JSON, the action\ - \ will fail.\n* This action is primarily used for testing and simulation purposes\ - \ within the Google SecOps platform.\n\n### Flow Description\n1. **Initialization**:\ - \ The action initializes the Siemplify context and extracts the user-provided\ - \ parameters for simulation, file storage, and naming conventions.\n2. **Data\ - \ Retrieval**: It accesses the first entity of the current alert and retrieves\ - \ the `SourceFileContent` string from its `additional_properties`.\n3. **Data\ - \ Transformation**: The action parses the JSON content and normalizes event fields,\ - \ specifically ensuring that `DeviceEventClassId` and `Name` are correctly mapped\ - \ within the event list.\n4. **Naming Logic**: It determines the final name of\ - \ the case based on whether `Full path name` is enabled or if an `Override Alert\ - \ Name` has been provided.\n5. **Simulation and Storage**: \n * If `Push to\ - \ Simulated Cases` is enabled, it calls the internal SOAR API to import the case\ - \ into the simulator.\n * If `Save JSON as Case Wall File` is enabled, it base64-encodes\ - \ the JSON and adds it as an attachment to the case wall.\n6. **Finalization**:\ - \ The action outputs the processed JSON as a result and completes the execution\ - \ with a status message." + ai_description: >- + ### General Description + + This action converts alert data into a format compatible with the Google SecOps + Simulator. It specifically retrieves raw alert content stored within an entity's + additional properties (the `SourceFileContent` attribute), normalizes event-level + fields such as class IDs and names, and prepares the data for simulation. The + action can either push the resulting case directly to the SecOps Simulator or + save it as a downloadable `.case` file on the Case Wall. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Push to Simulated Cases | Boolean | No | If set to `true`, the action will push + the generated case JSON to the SecOps Simulator using the `import_simulator_custom_case` + method. Default is `false`. | + + | Save JSON as Case Wall File | Boolean | No | If set to `true`, the action will + encode the case JSON and attach it as a downloadable `.case` file to the Case + Wall. Default is `true`. | + + | Override Alert Name | String | No | Allows the user to manually specify a name + for the generated case, overriding any automated naming logic. | + + | Full path name | Boolean | No | If set to `true`, the action constructs the + case name using a combination of the `SourceSystemName`, `DeviceProduct`, and + the original alert name. Default is `false`. | + + + ### Additional Notes + + * This action requires the first entity of the current alert to have a property + named `SourceFileContent` containing the JSON representation of the alert data. + If this property is missing, the action will log an error and terminate. + + * The action performs internal normalization on the `Events` list within the JSON, + ensuring `DeviceEventClassId` and `Name` fields are correctly populated in the + raw data fields. + + + ### Flow Description + + 1. **Parameter Extraction:** The action retrieves the configuration for pushing + to the simulator, saving to the case wall, and naming overrides. + + 2. **Data Retrieval:** It accesses the first entity associated with the current + alert and extracts the JSON string from the `SourceFileContent` additional property. + + 3. **Data Normalization:** It iterates through the events in the extracted data, + mapping `DeviceEventClassId` or `deviceEventClassId` to the raw data fields to + ensure consistency. + + 4. **Naming Logic:** It determines the final name of the case based on the `Full + path name` or `Override Alert Name` parameters. + + 5. **Simulator Integration:** If `Push to Simulated Cases` is enabled, it calls + the simulator API to import the custom case. + + 6. **Case Wall Attachment:** If `Save JSON as Case Wall File` is enabled, it base64-encodes + the JSON and adds it as an attachment to the case wall. + + 7. **Completion:** The action returns the final JSON structure as the script result + and completes the execution. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false - can_mutate_external_data: false + can_mutate_external_data: true can_mutate_internal_data: true can_update_entities: false - external_data_mutation_explanation: null + external_data_mutation_explanation: >- + Pushes case definition data to the Google SecOps Simulator API to create or + update simulated cases. fetches_data: false internal_data_mutation_explanation: >- - Adds a .case file attachment to the case wall and imports a custom case into - the Google SecOps Simulator. + Adds a .case file attachment to the Case Wall of the current alert. categories: enrichment: false entity_usage: - entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -899,15 +1154,40 @@ Convert Into Simulated Case: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Create Entities with Separator: ai_description: >- ### General Description The **Create Entities with Separator** action allows users to dynamically create - multiple entities and attach them to a specific alert within Google SecOps. It - takes a delimited string of identifiers, splits them based on a user-defined separator, - and creates new entities of a specified type. Additionally, it can populate the - created entities with custom enrichment data provided in JSON format. + and add multiple entities to a Google SecOps alert. It takes a string of identifiers, + splits them using a configurable separator, and injects them into the case context. + This is particularly useful for processing bulk data from logs or external systems + that need to be represented as formal entities within the SOAR platform. ### Parameters Description @@ -916,59 +1196,54 @@ Create Entities with Separator: | :--- | :--- | :--- | :--- | - | Entities Identifiers | String | Yes | A string containing one or more entity - identifiers to be created, separated by the defined separator. | + | **Entities Identifiers** | String | Yes | A string containing one or more entity + identifiers (e.g., IP addresses, hostnames) to be added to the alert. | - | Entity Type | Entity Type | Yes | The Google SecOps entity type to assign to - the new entities (e.g., HOSTNAME, USERNAME, ADDRESS). | + | **Entity Type** | EntityType | Yes | The specific Siemplify entity type to assign + to the created entities (e.g., ADDRESS, HOSTNAME, USERNAME). | - | Is Internal | Boolean | No | If set to true, the created entities will be marked - as part of the internal network. Defaults to false. | + | **Is Internal** | Boolean | No | If set to `true`, the created entities will + be marked as internal to the network. Default is `false`. | - | Entities Separator | String | Yes | The character used to split the 'Entities - Identifiers' string. Defaults to a comma (','). | + | **Entities Separator** | String | Yes | The character used to split the `Entities + Identifiers` string. Default is a comma (`,`). | - | Enrichment JSON | Code | No | A JSON object containing key-value pairs to be - added to the entity's 'additional_properties'. | + | **Enrichment JSON** | Code | No | A JSON object containing additional data to + be attached to the entities as enrichment. | - | PrefixForEnrichment | String | No | An optional prefix to be added to the keys - of the enrichment data before it is attached to the entity. | + | **PrefixForEnrichment** | String | No | An optional prefix to prepend to the + keys in the `Enrichment JSON` data. | ### Additional Notes - - If the 'Entity Type' is set to **ADDRESS**, the action will perform a validation + - If the **Entity Type** is set to `ADDRESS`, the action performs a validation check to ensure the identifier is a valid IP address before creation. - - The action checks for existing entities in the alert to avoid creating duplicates. - If an entity with the same identifier already exists, the creation for that specific - identifier will be skipped. + - The action checks for existing entities within the alert to prevent the creation + of duplicates. - - All identifiers are converted to uppercase during processing. + - If **Enrichment JSON** is provided, the action will populate the `additional_properties` + of the newly created entities. ### Flow Description - 1. **Parameter Parsing:** The action retrieves the input identifiers, the separator, - the target entity type, and any optional enrichment JSON. - - 2. **Splitting:** The 'Entities Identifiers' string is split into a list using - the provided 'Entities Separator'. + 1. **Input Parsing:** The action retrieves the list of identifiers and splits + them based on the provided **Entities Separator**. - 3. **Duplicate Check:** The action fetches all existing entities currently associated - with the alert and compares their identifiers (case-insensitive) against the new - list. + 2. **Enrichment Preparation:** If **Enrichment JSON** is provided, it parses the + JSON and applies the **PrefixForEnrichment** if specified. - 4. **Validation:** If the target type is 'ADDRESS', each identifier is validated - as a valid IP address using the `ipaddress` library. + 3. **Duplicate Check:** It retrieves all existing entities currently associated + with the alert to ensure no duplicate identifiers are processed. - 5. **Entity Creation:** For each unique and valid identifier, the action calls - `add_entity_to_case` to create the entity, setting its type, internal status, - and populating its 'additional_properties' with the parsed (and optionally prefixed) - enrichment JSON. - - 6. **Reporting:** The action tracks successful creations, enrichments, and failures, - returning a JSON summary and a status message to the SOAR interface. + 4. **Validation & Creation:** For each unique identifier: + - If the type is `ADDRESS`, it validates the IP format. + - It calls the internal SDK to add the entity to the case with the specified + metadata (internal status, enrichment data, etc.). + 5. **Reporting:** The action returns a JSON summary of created, enriched, and + failed entities, and provides a status message to the case wall. capabilities: can_create_case_comments: false can_create_insight: false @@ -979,54 +1254,18 @@ Create Entities with Separator: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - This action creates new entity objects within the Google SecOps case and alert. - It also populates the 'additional_properties' field of these entities with data - provided in the 'Enrichment JSON' parameter. + Creates new entities within the Google SecOps case and populates their attributes + and enrichment fields. categories: enrichment: false entity_usage: - entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false filters_by_creation_time: false filters_by_entity_type: false - filters_by_identifier: true + filters_by_identifier: false filters_by_is_artifact: false filters_by_is_enriched: false filters_by_is_internal: false @@ -1034,84 +1273,86 @@ Create Entities with Separator: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: true + update_email: false + update_identity: false + update_ticket: false Create Entity Relationships: ai_description: >- - ### General Description + Creates relationships between entities within a Google SecOps case. This action + allows users to define connections between a set of 'Entity Identifiers' and 'Target + Entities' already present in the alert. If the specified 'Entity Identifiers' + do not exist in the system, the action will create them automatically. It supports + three types of relationships: Source, Destination, and Linked. Additionally, users + can provide a JSON object to enrich the newly created or linked entities with + custom attributes. - Creates relationships between specified entities and existing entities within - a Google SecOps case. This action can create new entities if they do not already - exist and link them to target entities based on type or specific identifiers. - It supports defining the relationship as a Source, Destination, or a general Link. - Additionally, it can enrich the created or linked entities with custom attributes - provided via a JSON object. **Note: This action supports Siemplify version 5.6 - or higher.** + ### Flow Description: - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Entity Identifier(s) | String | Yes | A list of entity identifiers to be created - or used for the relationship. Multiple values should be separated by the 'Separator - Character'. | - - | Entity Identifier(s) Type | EntityType | Yes | The Siemplify entity type (e.g., - HOSTNAME, ADDRESS, USERUNIQNAME) for the identifiers provided in 'Entity Identifier(s)'. - | - - | Connect As | DDL | Yes | Defines the nature of the relationship. Options are - 'Source' (directional), 'Destination' (directional), or 'Linked' (non-directional). - | - - | Target Entity Type | EntityType | Yes | The type of existing entities in the - alert to which the new entities will be linked. | + 1. **Parameter Extraction:** The action parses the input identifiers, entity types, + relationship direction (Connect As), and optional enrichment JSON. - | Target Entity Identifier(s) | String | No | A list of specific identifiers for - existing entities of the 'Target Entity Type'. If left empty, the action will - link the new entities to all existing entities of the specified 'Target Entity - Type' found in the alert. | + 2. **Target Identification:** It scans the current alert to find existing entities + that match the 'Target Entity Type' and, if provided, the 'Target Entity Identifier(s)'. - | Enrichment JSON | String | No | An optional JSON object containing key-value - pairs to be added to the 'additional_properties' of the entities involved. | + 3. **Entity Creation & Linking:** For each provided identifier, the action uses + the internal SOAR API to create the entity (if missing) and establish the relationship + to the identified target entities. - | Separator Character | String | No | The character used to separate lists in - the identifier parameters. Defaults to a comma (`,`). | + 4. **Enrichment:** If an 'Enrichment JSON' is provided, the action reloads the + case data, identifies the relevant entities, and updates their additional properties + with the provided key-value pairs. - ### Flow Description + ### Parameters Description: - 1. **Parameter Extraction:** The action retrieves all input parameters and parses - the identifier lists using the specified separator. - - 2. **Relationship Configuration:** It determines the relationship direction and - primary link status based on the 'Connect As' selection. + | Parameter Name | Type | Mandatory | Description | - 3. **Target Identification:** It scans all entities within the current alert to - find matches for the 'Target Entity Type' and, if provided, the 'Target Entity - Identifier(s)'. + | :--- | :--- | :--- | :--- | - 4. **Entity Creation and Linking:** For each identifier in the 'Entity Identifier(s)' - list, it calls the SOAR API to ensure the entity exists and establishes the relationship - with the identified target entities. + | Entity Identifier(s) | String | Yes | A comma-separated list of entity values + to create or link. | - 5. **Enrichment:** If an 'Enrichment JSON' is provided, the action reloads the - case data, identifies the relevant entities, updates their additional properties, - and saves the changes back to the system. + | Entity Identifier(s) Type | Entity Type | Yes | The Siemplify entity type for + the identifiers provided (e.g., USERUNIQNAME, HOSTNAME). | + | Connect As | DDL | Yes | Defines the relationship direction: 'Source', 'Destination', + or 'Linked'. | - ### Additional Notes + | Target Entity Type | Entity Type | Yes | The type of existing entities in the + alert to which the new entities should be linked. | - - **Siemplify Version:** This action is compatible only with Siemplify version - 5.6 and above. + | Target Entity Identifier(s) | String | No | A comma-separated list of specific + existing entity values to link to. If empty, links to all entities of the 'Target + Entity Type'. | - - **Targeting Logic:** If 'Target Entity Identifier(s)' is not provided, the action - will attempt to link the new entities to *all* entities of the specified 'Target - Entity Type' found in the alert. + | Enrichment JSON | String | No | A JSON object containing key/value pairs to + add as attributes to the entities. | - - **Execution Delay:** The action includes a 3-second pause before applying enrichment - to ensure the platform has finished processing the entity creation and linking. + | Separator Character | String | No | The character used to split the identifier + lists. Defaults to a comma. | capabilities: can_create_case_comments: false can_create_insight: false @@ -1122,9 +1363,9 @@ Create Entity Relationships: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Creates new entities and establishes relationships (Source, Destination, or - Linked) between entities within the Google SecOps case. It also updates entity - attributes (additional_properties) if an Enrichment JSON is provided. + Creates new entities and establishes relationships between entities within the + Google SecOps case. It also updates entity attributes if enrichment JSON is + provided. categories: enrichment: false entity_usage: @@ -1142,57 +1383,55 @@ Create Entity Relationships: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Create Siemplify Task: - ai_description: >- - This action creates and assigns a new task to a specific user or role within the - context of the current Google SecOps case. It is used to manage manual workflows - or follow-up actions by setting clear instructions and deadlines. - - - ### Parameters - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Assign To | User | Yes | The user or role the task will be assigned to. | - - | Task Content | Content | Yes | The detailed instructions or content of the task. - | - - | SLA (in minutes) | String | No | The amount of time (in minutes) the assigned - user/role has to respond. Default is 480. | - - | Task Title | String | No | The title of the task (Supported in versions 6.0.0.0 - and higher). | - - | Due Date | String | No | Specific deadline for the task in ISO8601 format. If - provided, this takes priority over the SLA parameter. | - - - ### Additional Notes - - - Either the "Due Date" or the "SLA (in minutes)" parameter must be configured - for the action to execute successfully. - - - ### Flow Description - - 1. **Parameter Extraction:** The action retrieves the assignee, task content, - title, and deadline parameters (SLA or Due Date). - - 2. **Validation:** It verifies that at least one deadline mechanism (SLA or Due - Date) is provided. - - 3. **Deadline Calculation:** The action calculates the task's expiration time - in epoch milliseconds. If a Due Date is provided, it parses the ISO8601 string; - otherwise, it adds the SLA minutes to the current system time. - - 4. **Version Compatibility Check:** The script checks the Google SecOps system - version to determine whether to use the v5 or v6 API for task creation. - - 5. **Task Creation:** The action calls the internal SOAR API to create the task - and link it to the current case ID. + ai_description: "### General Description\nAssigns a new task to a specific user\ + \ or role within the current Google SecOps case. This action is used to manage\ + \ manual workflows, analyst assignments, or follow-up actions directly within\ + \ the platform's case management system.\n\n### Parameters Description\n\n| Parameter\ + \ | Description | Type | Mandatory |\n| :--- | :--- | :--- | :--- |\n| Assign\ + \ To | The user or the role the task will be assigned to. | User | Yes |\n| Task\ + \ Content | The detailed instructions or content of the task. | Content | Yes\ + \ |\n| SLA (in minutes) | The amount of time (in minutes) the assigned user/role\ + \ has to respond to the task. Default is 480. | String | No |\n| Task Title |\ + \ The title of the task. Supports Siemplify versions 6.0.0.0 and higher. | String\ + \ | No |\n| Due Date | Specific due date for the task in ISO8601 format. | String\ + \ | No |\n\n### Additional Notes\n* Either the **Due Date** or the **SLA (in minutes)**\ + \ parameter must be configured for the action to run. \n* If both **Due Date**\ + \ and **SLA (in minutes)** are provided, the **Due Date** parameter takes priority.\n\ + \n### Flow Description\n1. **Extract Parameters:** Retrieves the assignee, task\ + \ content, SLA, title, and due date from the action configuration.\n2. **Validate\ + \ Inputs:** Ensures that at least one deadline parameter (either Due Date or SLA)\ + \ is provided.\n3. **Compute Deadline:** Calculates the task's expiration time\ + \ in epoch milliseconds. If a Due Date is provided, it is parsed; otherwise, the\ + \ SLA duration is added to the current system time.\n4. **Version Check:** Identifies\ + \ the Google SecOps (Siemplify) system version to determine the correct API method\ + \ for task creation.\n5. **Create Task:** Calls the internal SOAR API to create\ + \ and assign the task within the context of the active case." capabilities: can_create_case_comments: false can_create_insight: false @@ -1203,7 +1442,8 @@ Create Siemplify Task: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Creates a new task record associated with the current case in Google SecOps. + Creates a new task within the Google SecOps case, assigning it to a specific + user or role with a defined deadline. categories: enrichment: false entity_usage: @@ -1221,62 +1461,84 @@ Create Siemplify Task: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false DNS Lookup: ai_description: >- - Performs DNS lookups for IP Address and Hostname entities using specified DNS - servers. This action allows analysts to retrieve various DNS record types (such - as A, MX, TXT, or PTR) to verify domain configurations or identify associated - hostnames for IP addresses. + ### General Description + The **DNS Lookup** action performs DNS queries against specified DNS servers for + **Address** (IP) and **Hostname** entities. It allows analysts to retrieve various + DNS record types to identify domain associations, mail servers, or reverse lookup + information. - ### Parameters Description + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | DNS Servers | String | Yes | A single IP address or a comma-separated list of - DNS server IP addresses (e.g., '1.1.1.1, 8.8.8.8') to be used for the queries. - | - - | Data Type | DDL | Yes | The specific DNS record type to query (e.g., A, AAAA, - MX, TXT, ANY). **Note:** This parameter only applies to Hostname entities; IP - Address entities always perform a PTR (reverse) lookup. | + | **DNS Servers** | String | Yes | A comma-separated list of DNS server IP addresses + to query (e.g., `8.8.8.8, 1.1.1.1`). | + | **Data Type** | DDL | Yes | The specific DNS record type to query for Hostname + entities. Defaults to `ANY`. Supported types include `A`, `AAAA`, `MX`, `TXT`, + `CNAME`, etc. | - ### Flow Description + ### Additional Notes - 1. **Initialization**: The action parses the provided comma-separated list of - DNS servers and retrieves the requested DNS record type from the parameters. + - For **Address** entities, the action automatically performs a reverse DNS lookup + to find **PTR** records. - 2. **Entity Iteration**: The action iterates through all target entities in the - current context. + - For **Hostname** entities, the action performs a query based on the selected + **Data Type**. - 3. **IP Address Processing**: For each IP Address entity, the action performs - a reverse DNS lookup (PTR record) against every DNS server in the list. + - If multiple DNS servers are provided, the action will attempt to query each + one for every entity. - 4. **Hostname Processing**: For each Hostname entity, the action constructs a - DNS query for the specified 'Data Type' and sends it to every DNS server in the - list via UDP. - 5. **Data Collection**: The action captures successful responses, including the - record type, the returned data, and the specific DNS server that provided the - response. + ### Flow Description - 6. **Finalization**: All gathered DNS information is aggregated into a JSON result. - The action completes with a success status if at least one record was found. + 1. **Initialization**: Retrieves the list of DNS servers and the target record + type from the action parameters. + 2. **Entity Processing**: Iterates through the entities in the current context. - ### Additional Notes + 3. **Reverse Lookup (IPs)**: For each `ADDRESS` entity, it attempts to resolve + the reverse DNS name (PTR record) using the provided DNS servers. + 4. **Forward Lookup (Hostnames)**: For each `HOSTNAME` entity, it constructs a + DNS query for the specified `Data Type` and sends it to the DNS servers via UDP. - - If multiple DNS servers are provided, the action will attempt to query each - one for every applicable entity. + 5. **Result Aggregation**: Collects all successful DNS responses, including the + record type, response data, and the server that provided the answer. - - The action does not modify the entities themselves but provides the lookup results - as raw JSON for downstream playbook tasks. + 6. **Output**: Returns the collected data as a JSON result and completes the action. capabilities: can_create_case_comments: false can_create_insight: false @@ -1306,60 +1568,95 @@ DNS Lookup: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Delay Playbook: ai_description: >- ### General Description - This action pauses the execution of a playbook for a specified duration. It is - designed to introduce a delay in the workflow, allowing for external processes - to complete or for a specific amount of time to pass before the next playbook - step is executed. The action is asynchronous, meaning it will yield execution - and check back periodically until the target time is reached. + The **Delay Playbook** action is a utility tool designed to pause the execution + of a playbook for a specified duration. It leverages the asynchronous execution + capabilities of the Google SecOps SOAR platform to wait for a calculated amount + of time before allowing the workflow to proceed to the next step. This is particularly + useful for scenarios requiring a cooling-off period, waiting for external processes + to complete, or throttling automated responses. ### Parameters Description - | Parameter | Type | Mandatory | Default | Description | + | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | :--- | + | :--- | :--- | :--- | :--- | - | Seconds | string | Yes | 0 | The number of seconds to delay the playbook. | + | **Seconds** | string | Yes | The number of seconds to add to the delay. Defaults + to "0". | - | Minutes | string | Yes | 1 | The number of minutes to delay the playbook. | + | **Minutes** | string | Yes | The number of minutes to add to the delay. Defaults + to "1". | - | Hours | string | Yes | 0 | The number of hours to delay the playbook. | + | **Hours** | string | Yes | The number of hours to add to the delay. Defaults + to "0". | - | Days | string | Yes | 0 | The number of days to delay the playbook. | + | **Days** | string | Yes | The number of days to add to the delay. Defaults to + "0". | ### Additional Notes - - The total delay time is the sum of all provided time parameters (Days + Hours - + Minutes + Seconds). + * This action is **asynchronous**. It does not block the execution engine but + rather schedules itself to be checked periodically until the time condition is + met. - - If all parameters are set to 0, the action will complete immediately. + * The total delay time is the sum of all provided parameters (Days + Hours + Minutes + + Seconds). + + * If all parameters are set to "0", the action will complete immediately. ### Flow Description 1. **Initialization**: The action retrieves the delay values from the input parameters. - 2. **Target Calculation**: It calculates a target UTC timestamp by adding the - specified delay (days, hours, minutes, and seconds) to the current UTC time. + 2. **Target Calculation**: It calculates a `target_date` by adding the specified + days, hours, minutes, and seconds to the current UTC time. - 3. **Initial Check**: If the calculated target time is less than or equal to the - current time, the action completes immediately with a success status. + 3. **Immediate Completion Check**: If the calculated `target_date` is in the past + or equal to the current time, the action completes immediately with a success + status. - 4. **Async State**: If the target time is in the future, the action sets its execution - state to 'In Progress' and stores the target timestamp in the action's persistent - state (additional_data). + 4. **Asynchronous Wait**: If the `target_date` is in the future, the action enters + an `IN_PROGRESS` state and stores the target timestamp in the `additional_data` + field. - 5. **Polling/Wait Phase**: In subsequent execution cycles (the 'wait' phase), - the action retrieves the stored target timestamp from the previous run. + 5. **Periodic Re-evaluation**: The SOAR framework periodically invokes the `wait` + logic. The script parses the stored timestamp and compares it against the current + UTC time. - 6. **Completion**: The action compares the current time against the stored target - timestamp. Once the current time meets or exceeds the target, the action transitions - to the 'Completed' state, allowing the playbook to proceed. + 6. **Finalization**: Once the current time meets or exceeds the `target_date`, + the action transitions to a `COMPLETED` state, allowing the playbook to continue. capabilities: can_create_case_comments: false can_create_insight: false @@ -1380,56 +1677,61 @@ Delay Playbook: filters_by_creation_time: false filters_by_entity_type: false filters_by_identifier: false - filters_by_is_artifact: false - filters_by_is_enriched: false - filters_by_is_internal: false - filters_by_is_pivot: false - filters_by_is_suspicious: false - filters_by_is_vulnerable: false - filters_by_modification_time: false -Delay Playbook Synchronous: - ai_description: >- - ### General Description - - The **Delay Playbook Synchronous** action is a utility designed to pause the execution - of a playbook for a short, specified duration. This is typically used to allow - external systems time to process previous requests or to manage API rate limits. - Because this action runs synchronously, it is strictly limited to a maximum delay - of 30 seconds to ensure playbook stability. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **Seconds** | String | Yes | The duration of the delay in seconds. The value - must be a positive integer between 0 and 30. | - - - ### Additional Notes - - - This action is intended for short-term pauses. If a delay longer than 30 seconds - is required, the "Delay Playbook V2" action should be used instead. - - - The action validates the input range; if the provided value is outside the 0-30 - second window, the action will fail validation. - - - ### Flow Description - - 1. **Parameter Extraction:** The action retrieves the `Seconds` value from the - playbook configuration. - - 2. **Validation:** It verifies that the input is a valid positive integer and - does not exceed the 30-second limit defined in the integration constants. - - 3. **Execution:** The action calculates a target end time and enters a synchronous - sleep loop, pausing execution until the specified time has elapsed. - - 4. **Output:** Upon completion, the action provides a success message confirming - the delay duration and the exact timestamp when execution resumed. + filters_by_is_artifact: false + filters_by_is_enriched: false + filters_by_is_internal: false + filters_by_is_pivot: false + filters_by_is_suspicious: false + filters_by_is_vulnerable: false + filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false +Delay Playbook Synchronous: + ai_description: "Pauses the execution of a playbook synchronously for a specified\ + \ duration of up to 30 seconds. This utility action is designed for short, immediate\ + \ delays within a playbook flow where a brief wait is required before proceeding\ + \ to the next step. It operates by calculating a target end time and entering\ + \ a sleep loop until that time is reached.\n\n### Parameters Description\n\n|\ + \ Parameter | Description | Type | Mandatory | Notes |\n| :--- | :--- | :--- |\ + \ :--- | :--- |\n| Seconds | The number of seconds to pause the playbook execution.\ + \ | String | Yes | Must be a positive integer between 0 and 30. |\n\n### Additional\ + \ Notes\n\n* **Synchronous Execution:** This action blocks the execution thread\ + \ for the duration of the delay. \n* **Time Limit:** The maximum allowed delay\ + \ is 30 seconds. For delays longer than 30 seconds, it is recommended to use the\ + \ \"Delay Playbook V2\" action, which handles longer durations more efficiently.\n\ + * **No Entity Interaction:** This action does not interact with or require any\ + \ entities to function.\n\n### Flow Description\n\n1. **Parameter Extraction:**\ + \ The action retrieves the `Seconds` value provided by the user.\n2. **Validation:**\ + \ It validates that the input is a positive number and falls within the supported\ + \ range of 0 to 30 seconds.\n3. **Target Calculation:** The action calculates\ + \ the exact timestamp when the delay should conclude.\n4. **Sleep Loop:** It\ + \ enters a loop that pauses execution in small increments (up to 1 second) until\ + \ the current time meets or exceeds the target timestamp.\n5. **Completion:**\ + \ Once the delay is finished, the action returns a success message indicating\ + \ the configured delay was reached." capabilities: can_create_case_comments: false can_create_insight: false @@ -1457,36 +1759,64 @@ Delay Playbook Synchronous: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Delay Playbook V2: - ai_description: "### General Description\nThis action pauses the execution of a\ - \ playbook for a specified duration or until a specific time defined by a cron\ - \ expression. It is an asynchronous action that allows for precise control over\ - \ playbook timing, useful for waiting for external processes to complete or scheduling\ - \ tasks for specific windows.\n\n### Parameters Description\n| Parameter | Type\ - \ | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Seconds | string\ - \ | No | The number of seconds to delay the playbook. Default is 0. |\n| Minutes\ - \ | string | No | The number of minutes to delay the playbook. Default is 1. |\n\ - | Hours | string | No | The number of hours to delay the playbook. Default is\ - \ 0. |\n| Days | string | No | The number of days to delay the playbook. Default\ - \ is 0. |\n| Cron Expression | string | No | A standard cron expression (e.g.,\ - \ `0 12 * * *`) used to determine the next execution time. If provided, this parameter\ - \ takes precedence over the relative time parameters (Seconds, Minutes, etc.).\ - \ |\n\n### Additional Notes\n- This action is asynchronous (`is_async: true`).\ - \ It will put the playbook step into an 'In Progress' state until the calculated\ - \ time is reached.\n- If both relative time parameters and a Cron Expression are\ - \ provided, the Cron Expression is prioritized.\n\n### Flow Description\n1. **Initialization**:\ - \ The action retrieves the time parameters or the cron expression from the input.\n\ - 2. **Target Calculation**: \n - If a **Cron Expression** is provided, the action\ - \ calculates the next occurrence of that expression relative to the current time.\n\ - \ - If no cron expression is provided, the action calculates a **Target Date**\ - \ by adding the specified Seconds, Minutes, Hours, and Days to the current UTC\ - \ time.\n3. **Execution Check**: The action compares the current time with the\ - \ calculated target time.\n4. **State Management**:\n - If the target time\ - \ has **not** been reached, the action returns an `INPROGRESS` state and stores\ - \ the target timestamp in the action's internal state (`additional_data`).\n \ - \ - The SOAR platform will periodically re-invoke the action's `wait` logic.\n\ - \ - Once the current time meets or exceeds the target timestamp, the action\ - \ returns a `COMPLETED` state, allowing the playbook to proceed." + ai_description: "### General Description\nThe **Delay Playbook V2** action is a\ + \ utility designed to pause the execution of a playbook for a specified duration\ + \ or until a specific time condition is met. It supports both relative time delays\ + \ (seconds, minutes, hours, days) and absolute scheduling using Cron expressions.\ + \ This is an asynchronous action, meaning it will put the playbook into a waiting\ + \ state without consuming active execution resources until the timer expires.\n\ + \n### Parameters Description\n| Parameter | Type | Mandatory | Description |\n\ + | :--- | :--- | :--- | :--- |\n| Seconds | string | No | The amount of seconds\ + \ to delay the playbook. Defaults to \"0\". |\n| Minutes | string | No | The amount\ + \ of minutes to delay the playbook. Defaults to \"1\". |\n| Hours | string | No\ + \ | The amount of hours to delay the playbook. Defaults to \"0\". |\n| Days |\ + \ string | No | The amount of days to delay the playbook. Defaults to \"0\". |\n\ + | Cron Expression | string | No | A standard cron expression (e.g., `0 12 * *\ + \ *`). If provided, this takes precedence over the relative time parameters and\ + \ determines the next occurrence when the playbook should resume. |\n\n### Additional\ + \ Notes\n- If the **Cron Expression** is provided, the relative time parameters\ + \ (Seconds, Minutes, etc.) are ignored.\n- If no parameters are provided, the\ + \ action defaults to a 1-minute delay.\n- Because this is an asynchronous action,\ + \ the SOAR platform will periodically re-evaluate the condition until the target\ + \ time is reached.\n\n### Flow Description\n1. **Initialization**: The action\ + \ retrieves the delay parameters or the Cron expression from the input.\n2. **Target\ + \ Calculation**: \n - If a **Cron Expression** is present, the action calculates\ + \ the next valid timestamp based on the current UTC time.\n - If relative parameters\ + \ are used, the action calculates a target date by adding the specified seconds,\ + \ minutes, hours, and days to the current UTC time.\n3. **Execution Check**: The\ + \ action compares the calculated target time with the current time.\n4. **State\ + \ Management**: \n - If the target time has already passed or is reached, the\ + \ action returns a `COMPLETED` status, allowing the playbook to continue.\n \ + \ - If the target time is in the future, the action returns an `IN_PROGRESS`\ + \ status and stores the target timestamp in the `additional_data` field.\n5. **Async\ + \ Wait**: The SOAR framework's `wait` mechanism periodically triggers the script\ + \ to check if the current time has finally met or exceeded the stored target timestamp." capabilities: can_create_case_comments: false can_create_insight: false @@ -1514,56 +1844,81 @@ Delay Playbook V2: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Extract URL Domain: ai_description: >- - ### General Description - - Extracts the domain or subdomain from entity identifiers or a provided list of - URLs. This action is a utility tool that parses strings to identify valid domain - structures using the `tldextract` library. It can process all entities in the - current context or a specific list of URLs provided as a parameter. + Extracts domain information from entity identifiers and user-provided URL strings. + This utility action parses strings to identify the registered domain and suffix, + with an optional toggle to include subdomains. For entities, it enriches the object + by adding the extracted domain to a specific custom field ('siemplifytools_extracted_domain'), + facilitating downstream playbooks that require domain-level logic regardless of + the original entity type (e.g., URL, Hostname, or even Email). ### Parameters Description + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Separator | string | Yes | The character or string used to split the values - provided in the `URLs` parameter. Default is a comma (`,`). | + | Separator | String | Yes | The character(s) used to separate multiple URLs in + the 'URLs' parameter (default is a comma). | - | URLs | string | No | A list of URLs or strings to process manually. If provided, - the action will extract domains from these strings in addition to any entities - in scope. | + | URLs | String | No | A list of URLs to process manually, separated by the defined + 'Separator'. | - | Extract subdomain | boolean | No | If set to `true`, the action will include - the subdomain in the result (e.g., `sub.example.com`). If `false`, it only extracts - the root domain and suffix (e.g., `example.com`). | + | Extract subdomain | Boolean | No | If set to True, the action will include the + subdomain (e.g., 'sub' in 'sub.example.com') in the result. | ### Flow Description - 1. **Initialization**: The action retrieves the `URLs`, `Separator`, and `Extract - subdomain` parameters. - 2. **Parameter Processing**: If the `URLs` parameter is populated, the string - is split by the `Separator`. Each resulting string is parsed to extract the domain. - Results are stored in the action's JSON output. + 1. **Parameter Extraction:** The action retrieves the list of URLs (if provided), + the separator, and the subdomain extraction preference from the action parameters. - 3. **Entity Processing**: The action iterates through all entities in the current - scope (`target_entities`). + 2. **Manual URL Processing:** If the 'URLs' parameter is populated, the action + splits the string using the provided separator and extracts domains for each item, + adding the results to the JSON output. - 4. **Domain Extraction**: For each entity, the identifier is parsed. If a valid - domain is found, it is added to the entity's `additional_properties` under the - key `siemplifytools_extracted_domain`. + 3. **Entity Iteration:** The action iterates through all entities currently in + the scope of the playbook step. - 5. **Internal Update**: The action updates the entities within Google SecOps to - persist the new `siemplifytools_extracted_domain` field. + 4. **Domain Extraction:** For each entity, it attempts to parse the identifier + to find a valid domain and suffix using the `tldextract` library logic. - 6. **Final Output**: The action returns a JSON result containing the mapping of - identifiers to extracted domains and provides a summary message of successful - and failed extractions. + 5. **Internal Enrichment:** For every entity where a domain is successfully parsed, + the action updates the entity's `additional_properties` with the key `siemplifytools_extracted_domain` + containing the result. + + 6. **Finalization:** The action updates the modified entities within Google SecOps, + attaches a comprehensive JSON result mapping identifiers to their extracted domains + (or errors), and returns a summary message of the operation. capabilities: can_create_case_comments: false can_create_insight: false @@ -1572,12 +1927,12 @@ Extract URL Domain: can_mutate_internal_data: true can_update_entities: true external_data_mutation_explanation: null - fetches_data: false + fetches_data: true internal_data_mutation_explanation: >- - Updates the 'siemplifytools_extracted_domain' field within the 'additional_properties' - of processed entities. + Updates the 'siemplifytools_extracted_domain' attribute in the additional properties + of the processed entities. categories: - enrichment: false + enrichment: true entity_usage: entity_types: - ADDRESS @@ -1628,37 +1983,51 @@ Extract URL Domain: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Find First Alert: - ai_description: >- - ### General Description - - This action identifies whether the current alert is the chronologically first - alert within its parent case. It is primarily used for playbook logic to ensure - specific tasks are only executed once per case, specifically on the initial triggering - alert. - - - ### Parameters Description - - There are no parameters for this action. - - - ### Flow Description - - 1. **Retrieve Case Alerts**: The action accesses the full list of alerts associated - with the current case. - - 2. **Sort Chronologically**: It sorts the alerts based on their `creation_time` - to determine the true sequence of events. - - 3. **Identify Earliest Alert**: The action identifies the alert with the earliest - timestamp (index 0 after sorting). - - 4. **Comparison**: It compares the unique identifier of the current alert against - the identifier of the earliest alert. - - 5. **Result Output**: If the current alert is the first, it returns the alert's - identifier. If not, it returns the string "false". + ai_description: "### General Description\nThe **Find First Alert** action is a utility\ + \ designed to identify the chronologically earliest alert within a specific Google\ + \ SecOps case. It compares the current alert being processed by the playbook against\ + \ the entire list of alerts in the case to determine if the current alert is the\ + \ 'root' or first alert. This is particularly useful for logic branching in playbooks\ + \ where certain actions should only be performed once per case (on the first alert).\n\ + \n### Parameters Description\nThere are no parameters for this action.\n\n###\ + \ Flow Description\n1. **Retrieve Alerts**: The action accesses the `alerts` collection\ + \ from the current case context.\n2. **Sort Chronologically**: It sorts all alerts\ + \ in the case based on their `creation_time` attribute in ascending order.\n3.\ + \ **Identify First Alert**: The alert at the first index (index 0) of the sorted\ + \ list is identified as the first alert.\n4. **Comparison**: The action compares\ + \ the unique identifier of the `current_alert` with the identifier of the identified\ + \ first alert.\n5. **Output Result**: \n * If they match, it returns the identifier\ + \ of the alert and a message stating it is the first alert.\n * If they do\ + \ not match, it returns the string `\"false\"` and a message stating it is not\ + \ the first alert.\n\n### Additional Notes\nThis action does not interact with\ + \ external APIs or modify any data; it performs internal logic based on existing\ + \ case metadata." capabilities: can_create_case_comments: false can_create_insight: false @@ -1686,71 +2055,88 @@ Find First Alert: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Case Data: ai_description: >- ### General Description - The **Get Case Data** action retrieves comprehensive information for a specific - case within Google SecOps and returns it as a structured JSON object. This data - includes comments, entity information, insights, playbooks, alert details, and - events. It is primarily used as a utility to gather context for playbook logic - or to export case details to external systems. + The **Get Case Data** action retrieves comprehensive information associated with + a specific case in Google SecOps and returns it as a structured JSON object. This + data includes case comments, entity details, insights, playbook execution metadata, + alert information, and events. It is designed to provide playbooks with a full + context of a case for logic branching or data passing to external systems. ### Parameters Description - | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Case Id** | String | No | The unique identifier of the case to query. If left - empty, the action defaults to the current case ID where the playbook is executing. - | + | **Case Id** | String | No | The unique identifier of the case to query. If not + provided, the action defaults to the current case ID. | - | **Fields to Return** | String | No | A comma-separated list of specific JSON - fields to include in the output. If omitted, the entire case data object is returned. - Supports nested paths (e.g., `alerts.0.events`) using the specified delimiter. - | + | **Fields to Return** | String | No | A comma-separated list of specific fields + to include in the output. Supports nested keys (e.g., `alerts.0.name`). If empty, + all available case data is returned. | | **Nested Keys Delimiter** | String | No | The character used to separate levels - in nested field paths within the 'Fields to Return' parameter. Defaults to a dot - (`.`). This cannot be a comma (`,`). | + in a nested key path. Defaults to `.`. Note: This cannot be a comma (`,`). | - ### Flow Description - - 1. **Initialization:** The action extracts the Case ID, requested fields, and - the nested key delimiter from the input parameters. + ### Additional Notes - 2. **Validation:** It verifies that the 'Nested Keys Delimiter' is not a comma - to avoid conflicts with the field list parsing. + - The action will fail if the `Nested Keys Delimiter` is configured as a comma, + as this conflicts with the list parsing of the `Fields to Return` parameter. - 3. **Case Data Retrieval:** The action calls the internal SOAR API to fetch the - full overview of the case, including metadata and alert cards. + - If specific fields are requested but none are found in the case data, the action + will return a failure status. - 4. **Data Transformation:** The retrieved data is converted to JSON, and the `alertCards` - field is renamed to `alerts` for consistency. + - The action automatically handles the retrieval and decoding of insight content + blobs stored within the platform. - 5. **Filtering:** If specific fields were requested, the action traverses the - JSON structure and extracts only the relevant data points. - 6. **Insight Enrichment:** The action identifies all insights associated with - the case. For insights that reference external data blobs, it performs additional - internal API calls to retrieve, Base64-decode, and parse the content into the - final JSON structure. + ### Flow Description - 7. **Final Output:** The aggregated data is returned as a JSON result for use - in subsequent playbook steps. + 1. **Parameter Extraction**: Retrieves the Case ID, field filters, and delimiter + settings from the action configuration. + 2. **Case Data Retrieval**: Fetches the full case overview details from the internal + SOAR API, including expanded tags and alert cards. - ### Additional Notes + 3. **Data Filtering**: If `Fields to Return` is specified, the action traverses + the case JSON structure to extract only the requested data points. - - This action is strictly read-only; it does not modify any data within Google - SecOps or external systems. + 4. **Insight Processing**: Retrieves all insights for the case. For insights that + reference external content blobs, the action performs additional API calls to + fetch, decode (Base64), and parse the JSON content. - - If 'Fields to Return' is provided but none of the specified fields exist in - the case data, the action will result in a failure. + 5. **Result Aggregation**: Combines the filtered case data and processed insights + into a single JSON object and attaches it to the script results. capabilities: can_create_case_comments: false can_create_insight: false @@ -1762,7 +2148,7 @@ Get Case Data: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: true + enrichment: false entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1778,53 +2164,76 @@ Get Case Data: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Case SLA: ai_description: >- ### General Description The **Get Case SLA** action retrieves the Service Level Agreement (SLA) and Critical SLA expiration times for the current case within Google SecOps. It provides these - timestamps in both Unix format and a human-readable string format based on a user-defined - pattern. This action is primarily used for tracking deadlines and timing within - playbooks. + timestamps in both Unix format and a customizable human-readable date-time format. + This is primarily used for playbook logic that needs to calculate remaining time + or log SLA deadlines. ### Parameters Description - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | + | Parameter | Type | Mandatory | Default | Description | - | **DateTime Format** | String | Yes | Specifies the format for the human-readable - SLA expiration times (e.g., `%Y-%m-%d %H:%M:%S`). | + | :--- | :--- | :--- | :--- | :--- | + | DateTime Format | String | Yes | `%Y-%m-%d %H:%M:%S` | The format in which the + SLA expiration times will be presented. Uses standard Python `strftime` syntax. + | - ### Additional Notes - - This action retrieves data from the internal Google SecOps API and does not - interact with external third-party services. + ### Flow Description - - It does not modify the case or any entities; it only returns the SLA information - as action results. + 1. **Parameter Extraction**: The action retrieves the `DateTime Format` from the + input parameters. + 2. **Data Retrieval**: It calls the internal Google SecOps API (`get_case_overview_details`) + to fetch the metadata for the current case. - ### Flow Description + 3. **SLA Extraction**: The logic extracts the `slaExpirationTime` and `criticalExpirationTime` + from the case or stage SLA data. - 1. **Parameter Extraction**: The action retrieves the `DateTime Format` parameter - from the input, defaulting to `%Y-%m-%d %H:%M:%S` if not provided. + 4. **Formatting**: The Unix timestamps are converted into the specified human-readable + format. - 2. **Data Retrieval**: It fetches the case overview details from the internal - Google SecOps API using the current case identifier. + 5. **Output**: The action returns a JSON object containing both the raw Unix timestamps + and the formatted strings, and sets the action output message with the formatted + values. - 3. **SLA Extraction**: The logic identifies the expiration timestamps for both - the standard SLA and the critical SLA from the retrieved case data, checking both - case-level and stage-level fields. - 4. **Formatting**: It converts the Unix timestamps into formatted strings using - the provided date-time pattern. + ### Additional Notes - 5. **Output**: The action returns a JSON object containing the Unix and formatted - timestamps and sets the action output message with the results. + - If no SLA is set for the case, the action will fail with a specific error message + indicating that the SLA was not set. capabilities: can_create_case_comments: false can_create_insight: false @@ -1852,53 +2261,78 @@ Get Case SLA: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Certificate Details: ai_description: >- ### General Description - The **Get Certificate Details** action retrieves and analyzes the SSL/TLS certificate - for a specified URL. It provides critical security information such as the certificate's - validity, issuer, and expiration status, helping analysts verify the trust and - integrity of a remote host. + Retrieves and analyzes the SSL/TLS certificate for a specified URL. This action + connects to the target host over port 443, performs a TLS handshake, and extracts + detailed certificate metadata including validity dates, issuer information, and + Subject Alternative Names (SAN). It is primarily used for verifying certificate + status, checking for expiration, and identifying self-signed certificates during + investigations. ### Parameters Description - | Parameter | Description | Type | Mandatory | Notes | - | :--- | :--- | :--- | :--- | :--- | + | Parameter | Description | Type | Mandatory | + + | :--- | :--- | :--- | :--- | | Url to check | The hostname or URL from which to retrieve the SSL certificate. - | String | Yes | Defaults to `expired.badssl.com`. | + The action will attempt to connect to this host on port 443. | String | Yes | ### Flow Description - 1. **Input Extraction**: Retrieves the target URL from the action parameters. - - 2. **Connection**: Establishes a network connection to the target host on port - 443 using a default SSL context (TLS v1.2 minimum). - - 3. **Certificate Retrieval**: Fetches the peer certificate in binary (DER) format. - - 4. **Parsing**: Uses the `cryptography` library to parse the X.509 certificate. - - 5. **Data Extraction**: Extracts the Common Name (CN), Subject Alternative Names - (SAN), and Issuer information. + 1. **Parameter Extraction:** The action retrieves the target URL from the input + parameters. - 6. **Analysis**: Calculates the number of days until expiration and determines - if the certificate is expired or self-signed. + 2. **Connection Establishment:** It creates a network socket and attempts to connect + to the specified hostname on port 443. - 7. **Output**: Returns a structured JSON object containing all extracted and calculated - certificate details. + 3. **SSL Handshake:** A default SSL context (requiring at least TLS 1.2) is used + to wrap the socket and perform a handshake to retrieve the server's certificate + in binary (DER) format. + 4. **Certificate Parsing:** The `cryptography` library parses the binary certificate + into a structured object. - ### Additional Notes + 5. **Metadata Extraction:** The action extracts the Common Name (CN), Subject + Alternative Names (SAN), and Issuer information. - - This action does not process entities from the Google SecOps environment; it - operates solely on the provided URL parameter. + 6. **Validation Logic:** It calculates the number of days until expiration, determines + if the certificate is currently expired, and checks if it is self-signed (where + the Subject matches the Issuer). - - It uses port 443 by default for the connection. + 7. **Result Output:** The collected data is formatted into a JSON object and returned + as the action result. capabilities: can_create_case_comments: false can_create_insight: false @@ -1926,15 +2360,41 @@ Get Certificate Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Context Value: ai_description: >- ### General Description - The **Get Context Value** action retrieves a specific value associated with a - key from a defined context scope (Alert, Case, or Global) within Google SecOps. - This utility is essential for playbooks to access data that was previously stored - during the execution flow, enabling dynamic decision-making based on historical - or shared context. + The **Get Context Value** action is a utility designed to retrieve specific data + points (values) stored within the Google SecOps platform's context. It allows + playbooks to access variables that were previously saved at different levels of + granularity: the specific alert, the overall case, or a global system-wide scope. + This is particularly useful for passing data between different playbook steps + or maintaining state across multiple alerts. ### Parameters Description @@ -1943,38 +2403,43 @@ Get Context Value: | :--- | :--- | :--- | :--- | - | **Scope** | DDL | Yes | Specifies the context level to search. Options: 'Alert' - (current alert context), 'Case' (current case context), or 'Global' (system-wide + | **Scope** | DDL | Yes | Specifies the context level to search. Options are `Alert` + (current alert context), `Case` (entire case context), or `Global` (system-wide context). | - | **Key** | String | Yes | The unique identifier for the property value to be - retrieved. | + | **Key** | String | Yes | The unique identifier (name) of the property/value + you wish to retrieve. | ### Flow Description - 1. **Parameter Extraction**: Retrieves the 'Scope' and 'Key' values provided by - the user. - - 2. **Context Selection**: Determines the appropriate SDK method to call based - on the 'Scope' (Alert, Case, or Global). - - 3. **Data Retrieval**: Queries the internal SecOps database for the value associated - with the provided 'Key'. + 1. **Parameter Extraction**: The action identifies the target `Key` and the desired + `Scope` from the input parameters. - 4. **Data Sanitization**: If a value is found, it strips any surrounding double - quotes to ensure the output is clean. + 2. **Context Query**: Depending on the selected `Scope`, the action performs one + of the following: + * **Alert**: Calls the internal method to retrieve a property from the current + alert's context. + * **Case**: Calls the internal method to retrieve a property from the current + case's context. + * **Global**: Queries the global context store using the reserved "GLOBAL" + identifier. + 3. **Data Sanitization**: If a value is successfully retrieved, the action strips + any surrounding double quotes to ensure the raw string value is returned to the + playbook. - 5. **Completion**: Returns the found value as the action's result and provides - a status message indicating success or failure. + 4. **Result Reporting**: The retrieved value is set as the action's result. If + the key is found, a success message is generated; otherwise, it reports that the + value was not found for the specified key and scope. ### Additional Notes - - If the key does not exist in the specified scope, the action will complete with - a 'Not found' message. + * This action is strictly read-only and does not modify any context values or + external systems. - - This action is read-only and does not modify any data. + * If the key does not exist in the specified scope, the action will return an + empty result value and a 'Not found' message. capabilities: can_create_case_comments: false can_create_insight: false @@ -2002,37 +2467,69 @@ Get Context Value: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Current Time: ai_description: >- - Returns the current system date and time formatted according to a user-provided + ### General Description + + Returns the current system date and time formatted according to a user-specified string. This utility action is primarily used within playbooks to generate timestamps - for logging, reporting, or for use in subsequent logic steps that require a specific - time format. + for logging, naming conventions, or time-based logic. - ### Parameters + ### Parameters Description - | Parameter | Type | Mandatory | Description | + | Parameter Name | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Datetime Format | string | Yes | The strftime-compatible format string used - to format the current date and time (e.g., '%d/%m/%Y %H:%M'). | + | Datetime Format | string | Yes | The desired format for the output date and + time. Uses standard Python `strftime` format codes (e.g., `%d/%m/%Y %H:%M`). | - ### Flow + ### Flow Description - 1. **Parameter Extraction**: The action retrieves the 'Datetime Format' string + 1. **Parameter Extraction**: The action retrieves the `Datetime Format` string from the input parameters. - 2. **Time Retrieval**: The current system date and time are captured using the - Python datetime library. + 2. **Time Retrieval**: The script captures the current local system time using + the `datetime.now()` method. 3. **Formatting**: The captured time is converted into a string based on the provided - 'Datetime Format'. + format code. - 4. **Completion**: The formatted time string is returned as the action's result - value, and the execution state is set to completed. + 4. **Output**: The formatted time string is returned as the action's result value + and printed to the execution log. + + + ### Additional Notes + + This action does not interact with any external APIs or SecOps entities. It is + a local utility function. capabilities: can_create_case_comments: false can_create_insight: false @@ -2060,46 +2557,67 @@ Get Current Time: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Email Templates: ai_description: >- - ### General Description - - The **Get Email Templates** action retrieves a list of available email templates - from the Google SecOps (Chronicle) SOAR platform. This utility action allows playbooks - to programmatically access template metadata, which is often used to dynamically - select templates for automated email communications. + Retrieves a list of email templates from the Google SecOps (Chronicle) SOAR platform. + This action allows users to fetch either HTML-formatted templates or standard + text templates stored within the system. It is primarily used as a utility to + dynamically select templates for subsequent email-sending actions within a playbook. ### Parameters Description - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - | **Template Type** | DDL | Yes | Specifies the category of templates to retrieve. - Users can choose between `HTML` (for rich-text formatted templates) or `Standard` - (for basic or legacy templates). | + | Parameter | Type | Mandatory | Default | Description | + | :--- | :--- | :--- | :--- | :--- | - ### Flow Description + | Template Type | ddl | Yes | Standard | Specifies the type of email templates + to retrieve. Options are 'HTML' (for rich-text templates) or 'Standard' (for plain-text + templates). | - 1. **Parameter Extraction**: The action retrieves the `Template Type` parameter - provided by the user. - 2. **Data Retrieval**: It calls the internal SOAR API to fetch all email templates - defined in the system. + ### Flow Description - 3. **Filtering**: The script iterates through the retrieved templates and filters - them based on the selected type (HTML vs. Standard) using internal type identifiers. - 4. **Output**: The filtered list of templates is returned as a JSON object and - a human-readable summary is provided in the action result. + 1. **Parameter Extraction**: The action retrieves the 'Template Type' input provided + by the user. + 2. **Data Retrieval**: It calls the internal SOAR API to fetch all available email + templates configured in the environment. - ### Additional Notes + 3. **Filtering**: The action iterates through the retrieved templates and filters + them based on the 'Template Type' parameter. It maps internal type identifiers + (e.g., 1 or 'HtmlFormat' for HTML; 0 or 'Template' for Standard) to the user's + selection. - This action is a read-only utility. It does not interact with external services - or modify any internal case or entity data. + 4. **Output Generation**: The filtered list of templates is formatted into a JSON + object and returned as the action result. capabilities: can_create_case_comments: false can_create_insight: false @@ -2127,11 +2645,36 @@ Get Email Templates: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Integration Instances: ai_description: >- Retrieves a list of all installed integration instances for the current environment - and the global environment. This action is useful for programmatically identifying - which integrations are configured and active within the Google SecOps SOAR platform. + and the global scope. This action is useful for identifying available tools and + their configurations within the SOAR platform. ### Parameters @@ -2139,22 +2682,18 @@ Get Integration Instances: There are no parameters for this action. - ### Flow Description - - 1. **Initialize Action**: Sets up the Siemplify action context and identifies - the script name. + ### Flow - 2. **Define Search Scope**: Prepares a search list containing the current environment - identifier and a wildcard ('*') to include global instances. + 1. **Identify Scopes:** The action identifies the current environment and the + global scope ('*'). - 3. **Fetch Integrations**: Iterates through the search scope and calls the internal - SOAR API to retrieve metadata for all installed integration instances. + 2. **Fetch Integrations:** It queries the internal SOAR API to retrieve all installed + integration instances for the identified scopes. - 4. **Process Results**: Aggregates the retrieved integration objects and converts - them into a JSON-compatible format. + 3. **Aggregate Results:** The retrieved integration data is converted to JSON + format and aggregated into a single list. - 5. **Output Data**: Returns the final list of integration instances as a JSON - result and completes the action. + 4. **Output:** The final list of integration instances is returned as a JSON result. capabilities: can_create_case_comments: false can_create_insight: false @@ -2182,47 +2721,68 @@ Get Integration Instances: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Original Alert Json: ai_description: >- ### General Description - The **Get Original Alert Json** action is a utility designed to extract and expose - the raw JSON data of the original alert. This is particularly useful for playbooks - that need to access specific fields from the source event that were not automatically - mapped to entities or alert properties during the ingestion process. + The **Get Original Alert Json** action retrieves the raw JSON data of the original + alert from the `SourceFileContent` property of the first entity associated with + the alert. This is a utility action designed to expose the full, unmapped context + of an alert, allowing playbooks to access specific data points that were not captured + during the initial ingestion and mapping process. ### Parameters Description - There are no parameters for this action. + This action does not require any input parameters. ### Additional Notes - - This action specifically retrieves data from the `SourceFileContent` key within - the `additional_properties` of the first entity associated with the alert. + * The action relies on the convention that the raw alert content is stored in + the `additional_properties` of the first entity under the key `SourceFileContent`. - - The output is provided as a JSON result, making the raw alert data programmatically - accessible for subsequent playbook steps. + * If the entity list is empty or the specific key is missing, the action will + encounter a runtime error. ### Flow Description - 1. **Initialization**: The action initializes the Siemplify environment and prepares - to access alert data. + 1. **Access Alert Entities**: The action retrieves the entities associated with + the current alert context. - 2. **Entity Selection**: It targets the first entity (`index 0`) in the current - alert's entity list. + 2. **Extract Raw Data**: It targets the first entity in the list and extracts + the string value from the `SourceFileContent` attribute within its `additional_properties`. - 3. **Data Retrieval**: It accesses the `SourceFileContent` attribute from that - entity's `additional_properties` dictionary, which contains the raw alert string. + 3. **Parse JSON**: The extracted string is parsed into a structured JSON object. - 4. **Parsing**: The retrieved string is parsed from a JSON-formatted string into - a Python dictionary (JSON object). - - 5. **Output**: The resulting JSON object is added to the action's result JSON - and the execution concludes, providing the data in the technical details of the - action run. + 4. **Output Results**: The parsed JSON is added to the action's result JSON and + returned as the primary output for use in subsequent playbook steps. capabilities: can_create_case_comments: false can_create_insight: false @@ -2236,42 +2796,7 @@ Get Original Alert Json: categories: enrichment: false entity_usage: - entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2285,45 +2810,50 @@ Get Original Alert Json: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Siemplify Users: ai_description: >- - ### General Description - - Retrieves a comprehensive list of all users configured within the Google SecOps - (formerly Siemplify) environment. This utility action is primarily used for auditing - system access or identifying specific user accounts to be used in downstream playbook - logic. - - - ### Parameters Description - - | Parameter Name | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Hide Disabled Users | Boolean | No | Determines whether to exclude inactive - user accounts from the results. Defaults to `true`. | - - - ### Flow Description - - 1. **Configuration**: The action retrieves the `Hide Disabled Users` parameter - to set the filtering scope. - - 2. **Data Retrieval**: It calls the internal SOAR API to fetch user details, including - account status and metadata. - - 3. **Data Transformation**: The raw user objects are processed and converted into - a structured JSON format. - - 4. **Completion**: The action outputs the list of users to the `JsonResult` and - terminates with a success message. - - - ### Additional Notes - - This action does not process or interact with case entities (e.g., IP addresses, - Hostnames). It provides global system-level information. + ### General Description\nRetrieves a comprehensive list of all users configured + within the Google SecOps (Siemplify) system. This action is primarily used for + administrative, auditing, or playbook logic purposes, such as identifying available + analysts or verifying user roles within a workflow.\n\n### Flow Description\n1. + **Parameter Extraction**: The action reads the 'Hide Disabled Users' boolean parameter + to determine the scope of the user query.\n2. **API Interaction**: It invokes + the internal SOAR API method 'get_siemplify_user_details' with a default page + size of 1000 to fetch user metadata.\n3. **Data Processing**: The retrieved user + objects are converted into a structured JSON format.\n4. **Result Delivery**: + The list of users is attached to the action's JSON results, and the action completes + with a success message.\n\n### Parameters Description\n| Parameter Name | Type + | Mandatory | Description | Expected Value |\n| :--- | :--- | :--- | :--- | :--- + |\n| Hide Disabled Users | Boolean | No | If set to 'true' (default), the action + filters out users who are currently marked as disabled in the system. | True/False + |\n\n### Additional Notes\n- This action does not require or process any entities + from the current case scope.\n- It returns a maximum of 1000 users in a single + execution. capabilities: can_create_case_comments: false can_create_insight: false @@ -2351,29 +2881,56 @@ Get Siemplify Users: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Lock Playbook: - ai_description: "Pauses the execution of the current playbook until all playbooks\ - \ associated with the chronologically preceding alert in the same case have finished.\ - \ This action is used to enforce sequential processing of alerts within a single\ - \ case, ensuring that automation logic for one alert does not overlap with or\ - \ precede the completion of a previous alert's logic.\n\n### Parameters\n| Parameter\ - \ Name | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| None\ - \ | N/A | N/A | This action does not take any input parameters. |\n\n### Additional\ - \ Notes\n- This action is asynchronous (`is_async: true`), allowing it to remain\ - \ in an 'In Progress' state until the dependency is met.\n- It relies on the `creation_time`\ - \ of alerts within a case to determine the execution order.\n\n### Flow Description\n\ - 1. **Alert Retrieval:** Fetches all alerts associated with the current case and\ - \ sorts them by their creation timestamp.\n2. **Position Identification:** Determines\ - \ the index of the current alert within the sorted list.\n3. **First Alert Check:**\ - \ If the current alert is the first one in the case (index 0), the action completes\ - \ immediately to allow the playbook to proceed.\n4. **Dependency Check:** If the\ - \ current alert is not the first, the action identifies the immediately preceding\ - \ alert and queries the SOAR API for the status of its workflow instances.\n5.\ - \ **State Management:** \n - If any playbooks for the previous alert are still\ - \ running (not in a 'Completed' state), the action returns an 'In Progress' status,\ - \ effectively locking the current playbook.\n - Once all playbooks for the\ - \ previous alert are confirmed as 'Completed', the action returns a 'Completed'\ - \ status, releasing the lock and allowing the current playbook to continue." + ai_description: "### General Description\nThis action is a synchronization utility\ + \ designed to manage the execution flow of playbooks within a case. It pauses\ + \ the current playbook's execution until all playbooks associated with the chronologically\ + \ preceding alert in the same case have successfully completed. This ensures that\ + \ alerts are processed in a strict sequential order based on their creation time,\ + \ preventing race conditions or out-of-order processing logic.\n\n### Parameters\ + \ Description\nThere are no parameters for this action.\n\n### Additional Notes\n\ + - This action is marked as asynchronous (`is_async: true`), allowing it to remain\ + \ in an 'In Progress' state while waiting for previous playbooks to finish without\ + \ consuming active execution slots.\n- If the current alert is the first alert\ + \ in the case, the action completes immediately, allowing the playbook to proceed.\n\ + \n### Flow Description\n1. **Alert Retrieval:** Fetches all alerts associated\ + \ with the current case and sorts them by their creation timestamp.\n2. **Current\ + \ Alert Identification:** Locates the current alert within the sorted list to\ + \ determine its sequence.\n3. **Sequence Check:** \n - If the current alert\ + \ is the first in the sequence (index 0), the action completes successfully.\n\ + \ - If there is a previous alert, the action identifies its unique identifier.\n\ + 4. **Status Verification:** Calls the internal SOAR API to retrieve the status\ + \ of all workflow (playbook) instances associated with the previous alert.\n5.\ + \ **Locking Logic:** \n - If any playbooks for the previous alert are not in\ + \ a 'Completed' state, the action sets its status to 'In Progress', effectively\ + \ pausing the current playbook.\n - If all playbooks for the previous alert\ + \ are completed, the action sets its status to 'Completed', releasing the lock\ + \ and allowing the current playbook to continue." capabilities: can_create_case_comments: false can_create_insight: false @@ -2401,58 +2958,68 @@ Lock Playbook: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Look-A-Like Domains: ai_description: >- ### General Description - Identifies potential typosquatting or look-alike domain attacks by comparing DOMAIN - entities in a case against a list of authorized internal domains defined for the - environment. It uses the Levenshtein edit distance algorithm to determine similarity - and flag suspicious entities. + The **Look-A-Like Domains** action identifies potential typosquatting or phishing + attempts by comparing domain entities within a case against a list of authorized + or internal domains configured for the specific environment. It uses the Levenshtein + distance algorithm to detect subtle variations in domain names that might indicate + malicious intent. ### Parameters Description - | Parameter Name | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | None | N/A | No | This action does not have any user-configurable parameters. - | - - - ### Additional Notes - - - The action relies on the 'Internal Domains' configuration within the Google - SecOps platform. - - - It specifically targets entities of type 'DOMAIN'. - - - A domain is flagged if the edit distance is between 1 and 3 (inclusive). + There are no user-configurable parameters for this action. ### Flow Description - 1. **Fetch Internal Domains**: Retrieves the list of internal domains from the - Google SecOps environment via the SOAR API. + 1. **Fetch Environment Domains:** The action retrieves a list of internal or authorized + domains associated with the current environment from the Google SecOps platform + using internal API calls. - 2. **Filter by Environment**: Filters the retrieved list to match the current - environment context. + 2. **Entity Filtering:** It identifies all entities of type `DOMAIN` within the + current case context. - 3. **Iterate Entities**: Processes each entity in the case that is identified - as a 'DOMAIN'. + 3. **Similarity Analysis:** For each domain entity, it calculates the edit distance + against the list of environment domains using the `nltk.edit_distance` method. - 4. **Calculate Similarity**: Computes the edit distance between the entity identifier - and each internal domain using the NLTK library. + 4. **Threshold Evaluation:** If the edit distance is between 1 and 3 (inclusive), + the domain is considered a 'look-alike'. - 5. **Flag Look-Alikes**: If a match is found with an edit distance between 1 and - 3, the entity is marked as suspicious. + 5. **Enrichment and Flagging:** Entities identified as look-alikes are marked + as suspicious (`is_suspicious = True`) and enriched with the matching domain name + in their `additional_properties` field. - 6. **Enrich Entity**: Adds the matching internal domain to the entity's additional - properties under the key 'look_a_like_domain'. - - 7. **Update Case**: Commits the entity updates back to the case and provides a - JSON result of the matches. + 6. **Result Reporting:** The action updates the entities in the platform and provides + a JSON result mapping each entity to its identified look-alike domains. capabilities: can_create_case_comments: false can_create_insight: false @@ -2463,8 +3030,8 @@ Look-A-Like Domains: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates DOMAIN entities by setting the 'is_suspicious' flag to true and adding - the 'look_a_like_domain' property to the entity's additional properties. + Updates domain entities by marking them as suspicious and adding the 'look_a_like_domain' + property to their metadata. categories: enrichment: true entity_usage: @@ -2483,15 +3050,39 @@ Look-A-Like Domains: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Normalize Entity Enrichment: ai_description: >- ### General Description - The **Normalize Entity Enrichment** action is a utility designed to standardize - the naming of enrichment data stored within an entity's `additional_properties`. - It allows users to map existing, potentially inconsistent field names (e.g., from - different threat intelligence providers) to a unified schema within the Google - SecOps SOAR environment. + Normalizes entity enrichment data by mapping existing fields in an entity's `additional_properties` + to new, standardized keys. This action is primarily used to maintain data consistency + across different enrichment sources within a playbook by renaming or aliasing + internal entity attributes. ### Parameters Description @@ -2500,38 +3091,44 @@ Normalize Entity Enrichment: | :--- | :--- | :--- | :--- | - | **Normalization Data** | string | Yes | A JSON-formatted string containing a - list of mapping objects. Each object must include `entitiy_field_name` (the current - key in the entity's additional properties) and `new_name` (the target normalized - key name). | + | Normalization Data | String | Yes | A JSON string representing a list of mapping + objects. Each object must contain `entitiy_field_name` (the source key currently + in `additional_properties`) and `new_name` (the target key to be created). | - ### Flow Description + ### Additional Notes + + * The action expects a valid JSON array of objects as input for the `Normalization + Data` parameter. - 1. **Input Parsing**: The action retrieves the `Normalization Data` parameter - and parses it from a JSON string into a Python list of dictionaries. + * If a source field specified in the mapping is not found on an entity, the target + field will be created with an empty string value (unless the target key already + exists). - 2. **Entity Iteration**: The script iterates through all `target_entities` currently - in the action's scope. + * This action does not remove the original fields; it creates or updates the new + keys with the values from the source fields. - 3. **Property Mapping**: For each entity, it checks if the specified `entitiy_field_name` - exists within the entity's `additional_properties` dictionary. - 4. **Value Assignment**: If the source key is found, its value is copied to a - new key defined by `new_name`. If the source key is missing, the action initializes - the `new_name` key with an empty string (provided the key does not already exist). + ### Flow Description - 5. **Internal Update**: The action collects all processed entities and uses the - `update_entities` method to commit the changes back to the SOAR case. + 1. **Retrieve Configuration:** The action fetches the `Normalization Data` JSON + string from the input parameters. + 2. **Parse Mappings:** The JSON string is parsed into a list of source-to-target + mapping pairs. - ### Additional Notes + 3. **Iterate Entities:** The action iterates through all entities currently in + the playbook scope (`target_entities`). - - This action does not delete or replace the original keys; it creates new keys - with the mapped names, effectively duplicating the data under a normalized header. + 4. **Apply Normalization:** For each entity, it checks the `additional_properties` + for the presence of the source fields defined in the mappings. - - If the `new_name` already exists on the entity, it will be overwritten by the - value from `entitiy_field_name` if that source field is present. + 5. **Update Properties:** If a source field is found, its value is assigned to + the new field name. If not found, and the new field name doesn't exist, it initializes + the new field with an empty string. + + 6. **Persist Changes:** The action updates the entities within the Google SecOps + platform to save the modified `additional_properties`. capabilities: can_create_case_comments: false can_create_insight: false @@ -2542,8 +3139,8 @@ Normalize Entity Enrichment: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - The action updates the 'additional_properties' dictionary of entities within - the Google SecOps case to normalize field names based on user-provided mapping. + Updates entity additional properties by mapping existing fields to new normalized + field names based on the provided JSON configuration. categories: enrichment: false entity_usage: @@ -2596,13 +3193,39 @@ Normalize Entity Enrichment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: ai_description: >- ### General Description - Verifies the connectivity and availability of the Google SecOps (Chronicle) SOAR - environment. This action serves as a basic health check to ensure that the integration - is correctly configured and that the platform can successfully execute scripts. + The **Ping** action is a diagnostic utility designed to verify the connectivity + and operational status of the Tools integration within Google SecOps. Its primary + purpose is to confirm that the integration environment is reachable and that the + SOAR agent can successfully execute scripts associated with this integration. ### Parameters Description @@ -2612,17 +3235,19 @@ Ping: ### Additional Notes - This action does not interact with any external services or process any entity - data. It is strictly used for connectivity testing within the SOAR environment. + This action is a standard health check and does not perform any data retrieval + from external services, nor does it modify any internal or external records. ### Flow Description - 1. **Initialization**: The action initializes the Siemplify SOAR SDK context. + 1. **Initialization**: The action initializes the Siemplify SDK to establish a + context for the execution. + + 2. **Connectivity Confirmation**: The script immediately prepares a success signal. - 2. **Connectivity Check**: It immediately concludes the execution with a success - message, 'Siemplify is connected', confirming that the script execution environment - is functional. + 3. **Execution Completion**: The action terminates with the message "Siemplify + is connected" and returns a boolean success status. capabilities: can_create_case_comments: false can_create_insight: false @@ -2650,60 +3275,55 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Re-Attach Playbook: - ai_description: >- - ### General Description - - The **Re-Attach Playbook** action is designed to reset and restart a specific - playbook within a Google SecOps case. It performs a deep reset by manually removing - the playbook's execution state and result data from the underlying orchestration - databases before re-attaching the playbook to the case. This is particularly useful - for troubleshooting failed playbooks or re-running logic after environmental configurations - have been updated. - - - ### Parameters Description - - | Parameter Name | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Playbook Name | playbook_name | Yes | The exact name of the playbook that will - be removed from the case and re-attached. Once re-attached, it will trigger a - new execution. | - - - ### Additional Notes - - * **Prerequisite:** This action requires the **PostgreSQL** integration to be - installed and configured. Specifically, an instance named `Siemplify` must be - configured in the Shared Environment, pointing to the SOAR's internal orchestration - and system databases. - - * This action interacts directly with the database layer to ensure all traces - of the previous playbook run (including action results) are cleared before the - restart. - - - ### Flow Description - - 1. **Configuration Retrieval:** The action identifies the PostgreSQL integration - instance named 'Siemplify' to obtain database credentials (server, username, password). - - 2. **Database Connection:** It establishes connections to two internal databases: - `siemplify_orchestration_db` and `siemplify_system_db`. - - 3. **State Identification:** It queries the `WorkflowInstances` table to find - all active or completed instances of the specified playbook associated with the - current Case ID. - - 4. **Cleanup:** For each found instance, it deletes the workflow record from the - orchestration database and removes all associated action results from the system - database. - - 5. **Re-attachment:** Finally, it uses the SOAR API to re-attach the playbook - to the specific alert group within the case, which triggers the playbook to run - again automatically. + ai_description: "Re-attaches a specified playbook to a case, effectively resetting\ + \ its execution state and allowing it to run again from the beginning. This action\ + \ is primarily used for troubleshooting or re-triggering automation that may have\ + \ failed or needs to be executed again with updated context.\n\n### Parameters\ + \ Description\n\n| Parameter Name | Type | Mandatory | Description |\n| :--- |\ + \ :--- | :--- | :--- |\n| Playbook Name | playbook_name | Yes | The exact name\ + \ of the playbook that will be removed from the case and then re-attached to trigger\ + \ a fresh execution. |\n\n### Flow Description\n\n1. **Configuration Retrieval:**\ + \ The action identifies and retrieves connection details for the 'PostgreSQL'\ + \ integration instance named 'Siemplify'.\n2. **Database Connection:** It establishes\ + \ connections to two internal databases: `siemplify_orchestration_db` (for workflow\ + \ state) and `siemplify_system_db` (for action results).\n3. **State Identification:**\ + \ The action queries the databases to find all existing instances and results\ + \ associated with the specified playbook name and the current Case ID.\n4. **Cleanup:**\ + \ It executes SQL DELETE commands to remove the identified workflow instances\ + \ and their corresponding action results, clearing the previous execution history\ + \ for that playbook in the context of the case.\n5. **Re-attachment:** Finally,\ + \ it utilizes the SOAR API to programmatically attach the playbook back to the\ + \ case (specifically to the relevant alerts), which triggers the playbook to start\ + \ running again automatically.\n\n### Additional Notes\n\n* This action requires\ + \ the **PostgreSQL** integration to be installed and configured with an instance\ + \ named **Siemplify** pointing to the SOAR's backend database. \n* This action\ + \ does not process entities; it operates at the Case and Playbook management level." capabilities: can_create_case_comments: false can_create_insight: false @@ -2712,13 +3332,12 @@ Re-Attach Playbook: can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: >- - Executes SQL DELETE commands on the PostgreSQL databases (siemplify_orchestration_db - and siemplify_system_db) to remove records from the 'WorkflowInstances' and - 'ActionResults' tables. + Executes DELETE queries on the PostgreSQL databases (siemplify_orchestration_db + and siemplify_system_db) to remove existing workflow instances and action results. fetches_data: true internal_data_mutation_explanation: >- - Uses the SOAR API to re-attach a playbook to a case, which modifies the case - state and initiates a new automated workflow execution. + Uses the SOAR API to attach a playbook to the case, which modifies the case's + active playbook list and triggers new automation execution. categories: enrichment: false entity_usage: @@ -2736,64 +3355,90 @@ Re-Attach Playbook: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Search Text: ai_description: >- ### General Description - Searches for a specific string or a list of regular expressions within a provided - text block. This utility action is used to validate the presence of specific patterns - or keywords in data extracted from previous playbook steps or alert fields. It - returns a boolean result indicating whether a match was found and provides detailed - match information in JSON format. + The **Search Text** action is a utility designed to identify specific strings + or patterns within a provided block of text. It allows users to perform simple + string matching or complex regular expression searches, making it highly versatile + for parsing logs, emails, or any other textual data within a playbook. - ### Parameters + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Text | String | Yes | The source text that will be searched. | + | **Text** | String | Yes | The source text that will be searched. | - | Search For | String | No | The specific string to search for within the Text. - | + | **Search For** | String | No | The specific literal string to search for within + the input text. | - | Search For Regex | String | No | A comma-separated list of regular expressions - to search for. Regexes should be wrapped in double quotes. | + | **Search For Regex** | String | No | A comma-separated list of regular expressions + to search for. Patterns should be wrapped in double quotes (e.g., "[0-9]+"). | - | Case Sensitive | Boolean | No | If true, the search will be case-sensitive. - Default is false. | + | **Case Sensitive** | Boolean | No | If set to `true`, the search will distinguish + between uppercase and lowercase letters. Default is `false`. | ### Additional Notes - * At least one of the parameters **Search For** or **Search For Regex** must be - provided for the action to execute successfully. If both are empty, the action - will fail. + - At least one of the parameters **Search For** or **Search For Regex** must be + configured for the action to execute successfully. + + - If multiple regexes are provided, the action will return `true` if any of the + patterns match. - * The action supports multiline searching for regex patterns. + - The action supports multiline searching for regex patterns. + + - The action strips double quotes from the regex patterns before execution. ### Flow Description - 1. **Parameter Extraction**: Retrieves the input text, search string, regex list, - and case sensitivity setting from the action parameters. + 1. **Input Extraction**: The action retrieves the input text, search string, regex + list, and case sensitivity setting. - 2. **Validation**: Checks if at least one search method (string or regex) is defined. - If both are missing, the action status is set to failed. + 2. **Validation**: It checks if either a search string or a regex pattern has + been provided. If both are empty, the action fails. - 3. **String Search**: If the **Search For** parameter is provided, the action - performs a substring check on the input text, respecting the case sensitivity - flag. If a match is found, the result is set to true. + 3. **String Matching**: If a literal search string is provided, the action checks + for its presence in the text, applying case sensitivity if requested. - 4. **Regex Search**: If the **Search For Regex** parameter is provided, the action - splits the input into a list of patterns, strips quotes, and iterates through - them. It attempts to find a match using Python's regex engine with multiline support. - If any pattern matches, the result is set to true. + 4. **Regex Matching**: If regex patterns are provided, the action iterates through + each pattern, stripping surrounding quotes and performing a multiline search against + the input text. - 5. **Result Aggregation**: The action adds a JSON object containing the list of - successful matches to the execution results and terminates with the final match - status. + 5. **Result Aggregation**: If any match is found (string or regex), the `match_found` + result is set to `true`. Detailed match information, including the search pattern + and the input text, is added to the JSON result. capabilities: can_create_case_comments: false can_create_insight: false @@ -2821,27 +3466,79 @@ Search Text: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Set Context Value: - ai_description: "### General Description\nThe **Set Context Value** action allows\ - \ users to store and manage data dynamically within a Google SecOps playbook by\ - \ setting key-value pairs in a specific context scope. This is primarily used\ - \ to pass information between different steps of a playbook or to maintain state\ - \ across different alerts and cases.\n\n### Parameters Description\n| Parameter\ - \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| **Key**\ - \ | String | Yes | The name of the property/key to be set in the context. |\n\ - | **Value** | String | Yes | The value to be assigned to the specified key. |\n\ - | **Scope** | DDL | Yes | Determines the visibility and persistence of the data.\ - \ Options are:
1. **Alert**: Data is accessible only within the current alert.
2.\ - \ **Case**: Data is accessible across all alerts within the current case.
3.\ - \ **Global**: Data is accessible globally across the environment. |\n\n### Flow\ - \ Description\n1. **Parameter Extraction**: The action retrieves the `Scope`,\ - \ `Key`, and `Value` from the input parameters.\n2. **Scope Determination**: The\ - \ logic checks the selected `Scope` value.\n3. **Context Update**: \n * If\ - \ **Alert**, it uses the SDK to set a property specific to the alert context.\n\ - \ * If **Case**, it uses the SDK to set a property specific to the case context.\n\ - \ * If **Global**, it uses a specialized helper to set a property in the global\ - \ system context.\n4. **Completion**: The action returns a success message indicating\ - \ which field was updated in which scope." + ai_description: >- + ### General Description + + The **Set Context Value** action allows users to store information as key-value + pairs within specific scopes of the Google SecOps platform. This is a utility + action primarily used for data persistence and sharing information between different + stages of a playbook or across different playbooks. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | **Key** | string | Yes | The name of the context property to be created or updated. + | + + | **Value** | string | Yes | The value to be assigned to the specified key. | + + | **Scope** | ddl | Yes | Defines the visibility and lifecycle of the context + value. Options are: `Alert` (specific to the current alert), `Case` (shared across + all alerts in the case), or `Global` (accessible across the entire environment). + | + + + ### Flow Description + + 1. **Parameter Extraction:** The action retrieves the `Key`, `Value`, and `Scope` + from the input parameters. + + 2. **Scope Determination:** The logic checks the selected `Scope` value. + + 3. **Context Update:** Depending on the scope, the action calls the relevant SDK + method: + - If `Alert`, it updates the property for the specific alert context. + - If `Case`, it updates the property for the entire case context. + - If `Global`, it updates a global context property using a predefined identifier. + 4. **Completion:** The action returns a success message indicating the field, + value, and scope updated. + + + ### Additional Notes + + - This action does not interact with external APIs. + + - It is purely an internal state management tool for the SOAR platform. capabilities: can_create_case_comments: false can_create_insight: false @@ -2852,8 +3549,9 @@ Set Context Value: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - The action modifies internal context properties (metadata) associated with an - Alert, Case, or the Global environment within Google SecOps. + Sets or updates context properties (key-value pairs) at the Alert, Case, or + Global level within the Google SecOps platform to maintain state or share data + between playbook steps. categories: enrichment: false entity_usage: @@ -2871,57 +3569,77 @@ Set Context Value: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: true + update_email: false + update_identity: false + update_ticket: false Spell Check String: ai_description: >- - ### General Description + The **Spell Check String** action analyzes a provided text string for spelling + errors. It utilizes a spell-checking library to identify misspelled words, suggest + corrections, and calculate an overall accuracy score for the input text. - The **Spell Check String** action is a utility designed to analyze the spelling - of a provided text string. It identifies misspelled words, suggests corrections, - calculates an overall accuracy percentage, and generates a version of the input - string with all identified errors corrected. This is useful for cleaning up automated - logs, user-submitted tickets, or alert descriptions before further processing. + ### Parameters - ### Parameters Description - - | Parameter | Type | Mandatory | Description | + | Parameter | Description | Type | Mandatory | | :--- | :--- | :--- | :--- | - | **String** | String | Yes | The input text that will be analyzed for spelling - errors. | + | String | The input text string that will be checked for spelling errors. | String + | Yes | ### Flow Description - 1. **Input Extraction**: The action retrieves the mandatory `String` parameter - provided by the user or playbook. + 1. **Input Extraction:** The action retrieves the input string from the `String` + parameter. - 2. **Preprocessing**: It removes punctuation from the input string using regular - expressions and splits the text into individual words. + 2. **Preprocessing:** It removes punctuation from the string using regular expressions + and splits the text into individual words. - 3. **Spelling Analysis**: Using a spell-checking library, the action identifies - words that are not recognized in the dictionary. + 3. **Spelling Analysis:** The action identifies misspelled words by comparing + them against a dictionary using the `spellchecker` library. - 4. **Correction Generation**: For every misspelled word, the action attempts to - find the most likely correction. It then performs a case-sensitive replacement - of the misspelled word in the original string to create a 'corrected' version. + 4. **Correction Generation:** For each misspelled word, the action attempts to + find the most likely correction and builds a 'corrected' version of the original + string. - 5. **Metrics Calculation**: The action calculates the total word count, the number - of misspelled words, and an accuracy percentage (ratio of correct words to total - words). + 5. **Metrics Calculation:** It calculates the total word count, the number of + misspelled words, and an accuracy percentage. - 6. **Output**: The results are returned as a JSON object containing the detailed - breakdown and a summary message indicating the accuracy percentage. + 6. **Result Output:** The action returns the accuracy percentage as the main result + and provides a detailed JSON object containing the original string, corrected + string, and a list of specific errors found. ### Additional Notes - - If the input string is empty, the action returns an accuracy of 0% and a message - stating 'No input to test.' + - If the input string is empty, the action returns an accuracy of 0 and a message + indicating no input was provided. - - The action uses word boundaries (`\b`) for replacements to ensure that sub-strings - within larger words are not accidentally modified. + - This action is a local utility and does not communicate with external APIs. capabilities: can_create_case_comments: false can_create_insight: false @@ -2949,57 +3667,80 @@ Spell Check String: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Unflatten JSON: ai_description: >- - ### General Description - - Unflattens a flattened JSON object or a list of flattened JSON objects into a - nested structure. This action is particularly useful for transforming data from - systems that provide flat key-value pairs (e.g., `user_id`, `user_name`) into - a hierarchical JSON format required by other integrations or playbooks. + Unflattens a JSON object or a list of JSON objects by converting delimited keys + into nested structures. This utility action is designed to restore the original + hierarchy of data that has been flattened (e.g., for CSV export or simplified + storage) back into its native nested format. - ### Parameters Description + ### Flow Description: - | Parameter | Type | Mandatory | Description | + 1. **Parameter Extraction:** The action retrieves the mandatory `JSON Object` + string and the optional `Delimiter` from the input parameters. - | :--- | :--- | :--- | :--- | + 2. **JSON Parsing:** The input string is converted into a Python data structure + (dictionary or list). - | **JSON Object** | String | Yes | The JSON string (object or list) that needs - to be unflattened. | + 3. **Unflattening Logic:** The action recursively processes the data. For each + key in a dictionary, it splits the key name into tokens using the provided delimiter. + If no delimiter is specified, it uses a regular expression to split by any non-alphanumeric + character (excluding underscores). - | **Delimiter** | String | No | The character used to separate keys for nesting - (e.g., `_` or `.`). If left empty, the action will split keys by any non-alphanumeric - character (excluding underscores) using a word-boundary regex. | + 4. **Structure Reconstruction:** It reconstructs the nested hierarchy. If a token + is identified as a digit, the action creates a list at that level; otherwise, + it creates a dictionary. + 5. **Result Output:** The final nested JSON structure is attached to the action + results for use in subsequent playbook steps. - ### Additional Notes - - If the input JSON is a list, the action will iterate through and unflatten each - item in the list. + ### Parameters Description: - - If a key token is a digit, the action will attempt to create a list at that - level of the hierarchy. + | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Flow Description + | JSON Object | string | Yes | The flattened JSON string that needs to be converted + back to a nested format. | - 1. **Initialization**: The action retrieves the input JSON string and the optional - delimiter from the parameters. + | Delimiter | string | No | The character used to separate nested keys (e.g., + '.', '_'). If left empty, the action separates keys by every value that is not + a letter, number, or underscore. | - 2. **Parsing**: The input string is parsed into a Python dictionary or list using - the standard JSON library. - 3. **Unflattening Logic**: The action iterates through the keys of the object. - For each key, it splits the string into tokens based on the provided delimiter - or regex. + ### Additional Notes: - 4. **Structure Reconstruction**: It recursively builds a nested dictionary or - list structure by traversing the tokens. If a token represents an index (digit), - it initializes a list; otherwise, it initializes a dictionary. + - The action handles both individual JSON objects and lists of objects. - 5. **Output**: The final nested JSON structure is returned as the action's JSON - result. + - If the provided `JSON Object` is not a valid JSON string, the action will return + a failure status with a specific error message regarding the JSON structure. capabilities: can_create_case_comments: false can_create_insight: false @@ -3027,52 +3768,81 @@ Unflatten JSON: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Update Alert Score: ai_description: >- ### General Description The **Update Alert Score** action is a utility designed to dynamically modify - the numerical score associated with an alert in Google SecOps. This is typically - used within playbooks to adjust the priority or risk level of an alert based on - logic-driven findings (e.g., increasing the score if a file is found to be malicious - or decreasing it if an IP is internal). + the numerical score associated with an alert within the Google SecOps platform. + This is typically used in playbooks to adjust the perceived risk or priority of + an alert based on findings from previous steps. It retrieves the current score + from the alert's context, applies an increment or decrement based on user input, + and saves the updated value back to the alert context. ### Parameters Description + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Input** | String | Yes | The integer value to increment or decrement the alert - score by. For example, '10' increases the score, while '-5' decreases it. | + | **Input** | String | Yes | The integer value to increment (e.g., "10") or decrement + (e.g., "-5") the current alert score by. Defaults to "0". | ### Additional Notes - - The action interacts with the internal alert context property `ALERT_SCORE`. + - This action specifically targets the internal alert context property named `ALERT_SCORE`. - - If no current score exists, the action defaults the starting score to 0. + - If the `ALERT_SCORE` property does not exist in the current context, it defaults + to 0 before applying the input value. - - The input must be a string representation of an integer. + - The input is treated as an integer; providing non-numeric strings will cause + the action to fail. ### Flow Description - 1. **Extract Input:** The action retrieves the `Input` value provided by the user - or playbook. - - 2. **Retrieve Current Score:** It fetches the current value of the `ALERT_SCORE` + 1. **Retrieve Current Score:** The action fetches the current value of the `ALERT_SCORE` property from the alert's context. - 3. **Calculate New Score:** It converts both the current score and the input value - to integers and calculates the sum. + 2. **Parameter Extraction:** It extracts the `Input` value provided in the action + configuration. + + 3. **Calculation:** It converts both the current score and the input value to + integers and calculates the sum. - 4. **Update Context:** The action saves the newly calculated score back to the - alert's `ALERT_SCORE` context property. + 4. **Update Context:** The new calculated score is converted back to a string + and saved to the `ALERT_SCORE` property in the alert context. - 5. **Finalize:** The action completes, returning the new score as the result value - and displaying a success message. + 5. **Completion:** The action ends, returning the new score as the result value + and providing a status message. capabilities: can_create_case_comments: false can_create_insight: false @@ -3083,8 +3853,8 @@ Update Alert Score: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Updates the 'ALERT_SCORE' context property of the current alert by adding or - subtracting the provided input value. + Updates the 'ALERT_SCORE' property within the alert's context, which is used + to track and manage the risk level of the alert inside Google SecOps. categories: enrichment: false entity_usage: @@ -3102,37 +3872,67 @@ Update Alert Score: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: true + update_email: false + update_identity: false + update_ticket: false Update Case Description: ai_description: >- - ### General Description + Updates the description of the current case in Google SecOps. This action allows + analysts or automated playbooks to programmatically change the high-level summary + of a case to reflect new findings or status updates. - Updates the description of the current case in Google SecOps. This action is used - to dynamically modify the high-level summary or context of a case based on information - gathered during a playbook execution or manual investigation. + ### Flow Description - ### Parameters Description + 1. **Parameter Retrieval**: The action retrieves the provided 'Case Description' + string from the input parameters. - | Parameter | Type | Mandatory | Description | + 2. **Context Identification**: It identifies the unique identifier (Case ID) of + the case currently being processed. - | :--- | :--- | :--- | :--- | + 3. **API Execution**: It utilizes the internal SOAR API (`change_case_description`) + to submit the update request to the Google SecOps platform. - | Case Description | String | Yes | The new text that will be assigned as the - description for the current case. | + 4. **Completion**: The action concludes by providing a success message confirming + the new description has been applied. - ### Flow Description + ### Parameters Description - 1. **Parameter Extraction:** The action retrieves the 'Case Description' string - from the input parameters. + | Parameter Name | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Case Description | String | Yes | The new text that will replace the existing + description of the case. | - 2. **Context Identification:** It identifies the unique ID of the case currently - being processed. - 3. **Internal API Call:** It utilizes the internal SOAR API (`change_case_description`) - to update the case's metadata with the new description. + ### Additional Notes - 4. **Completion:** The action returns a success message confirming the update. + - This action modifies internal case metadata and does not interact with external + third-party integrations. capabilities: can_create_case_comments: false can_create_insight: false @@ -3143,7 +3943,7 @@ Update Case Description: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Updates the description field of the current case within Google SecOps. + Updates the description field of the current case within the Google SecOps platform. categories: enrichment: false entity_usage: @@ -3161,26 +3961,53 @@ Update Case Description: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Wait for Playbook to Complete: - ai_description: "### General Description\nThis action synchronizes playbook execution\ - \ by pausing the current playbook until another specified playbook or block, running\ - \ on the same alert, reaches a terminal state. It is primarily used to manage\ - \ dependencies between parallel processes within the same security alert context.\n\ - \n### Parameters Description\n| Parameter | Type | Mandatory | Description |\n\ - | :--- | :--- | :--- | :--- |\n| Playbook Name | String | Yes | The exact name\ - \ of the playbook or block that the current execution should wait for. |\n\n###\ - \ Flow Description\n1. **Initialization**: The action retrieves the target playbook\ - \ name from the input parameters.\n2. **Status Retrieval**: It queries the Google\ - \ SecOps API to fetch the status of all workflow instances associated with the\ - \ current alert group.\n3. **Status Evaluation**: \n * If the target playbook\ - \ is in a terminal state (**Completed**, **Failed**, or **Terminated**), the action\ - \ completes successfully, allowing the current playbook to proceed.\n * If\ - \ the target playbook is still active (**In Progress**, **Pending in Queue**,\ - \ or **Pending for User**), the action sets its own state to 'In Progress'. Because\ - \ the action is asynchronous, it will periodically re-evaluate until the condition\ - \ is met.\n * If the target playbook is not found, the action completes to\ - \ avoid a permanent deadlock.\n4. **Completion**: Once the target playbook finishes,\ - \ the 'lock' is released and the current playbook continues its next steps." + ai_description: "### General Description\nThis action pauses the execution of the\ + \ current playbook until a specified target playbook or block, running within\ + \ the context of the same alert, reaches a terminal state (Completed, Failed,\ + \ or Terminated). It is primarily used for synchronization when multiple playbooks\ + \ are triggered for a single alert and one depends on the results or completion\ + \ of another.\n\n### Parameters Description\n\n| Parameter | Description | Type\ + \ | Mandatory |\n| :--- | :--- | :--- | :--- |\n| Playbook Name | The exact name\ + \ of the playbook or block that this action should wait for. | String | Yes |\n\ + \n### Additional Notes\n- This is an **asynchronous** action. It will periodically\ + \ check the status of the target playbook and remain in an 'In Progress' state\ + \ until the target finishes.\n- If the specified playbook is not found associated\ + \ with the alert, the action will complete immediately to avoid deadlocks.\n\n\ + ### Flow Description\n1. **Retrieve Parameter**: The action identifies the target\ + \ playbook name from the input.\n2. **Fetch Workflow Status**: It queries the\ + \ Google SecOps API to retrieve the status of all workflow instances linked to\ + \ the current alert group.\n3. **Status Evaluation**: \n - If the target playbook's\ + \ status is `Completed`, `Failed`, or `Terminated`, the action finishes successfully.\n\ + \ - If the target playbook's status is `In Progress`, `Pending in Queue`, or\ + \ `Pending for User`, the action sets its state to `In Progress` to wait for the\ + \ next check cycle.\n - If the target playbook is not found, the action completes\ + \ with a message indicating it was not found." capabilities: can_create_case_comments: false can_create_insight: false @@ -3208,3 +4035,28 @@ Wait for Playbook to Complete: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/power_ups/tools/resources/ai/integration_ai_description.yaml b/content/response_integrations/power_ups/tools/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..4788aca80 --- /dev/null +++ b/content/response_integrations/power_ups/tools/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: true + network_security: false + siem: false + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/power_ups/tools/resources/ai/jobs_ai_description.yaml b/content/response_integrations/power_ups/tools/resources/ai/jobs_ai_description.yaml new file mode 100644 index 000000000..d465dd0e6 --- /dev/null +++ b/content/response_integrations/power_ups/tools/resources/ai/jobs_ai_description.yaml @@ -0,0 +1,94 @@ +Close Cases Based On Search: + ai_description: >- + ### General Description + + This job automates the bulk closure of cases within Google SecOps based on specific + search criteria. It is designed for maintenance and cleanup tasks, allowing users + to programmatically identify and close multiple cases that match a defined search + query. The job ensures that only open cases are targeted and applies a consistent + closure reason, root cause, and comment to all affected records. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Search Payload | String | No | A JSON-formatted string representing the search + criteria. This should match the payload used in the 'CaseSearchEverything' API + call. | + + | Close Comment | String | Yes | The text comment to be added to the case wall + of all closed cases. | + + | Close Reason | Integer | Yes | The numeric identifier for the closure reason + (e.g., 0 for Malicious, 1 for Not Malicious). | + + | Root Cause | String | Yes | The specific root cause category to assign to the + cases, corresponding to values in Settings -> Case Data -> Case Close Root Cause. + | + + + ### Flow Description + + 1. **Initialize Search**: The job retrieves the `Search Payload` from the configuration + and explicitly sets the `isCaseClosed` filter to `False` to ensure only active + cases are processed. + + 2. **Execute Search**: It calls the `search_cases_by_everything` API to find all + cases matching the provided JSON criteria. + + 3. **Identify Cases**: The job extracts the unique Case IDs from the search results. + + 4. **Bulk Closure**: If matching cases are found, it executes the `execute_bulk_close_case` + command, passing the collected Case IDs along with the user-defined `Close Reason`, + `Root Cause`, and `Close Comment`. + + 5. **Logging**: The job logs the specific Case IDs that were affected and provides + a final count of the successfully closed cases. +Tag Untouched Cases: + ai_description: >- + ### General Description + + This job automates the identification and flagging of stagnant incidents within + Google SecOps. It monitors all open cases and identifies those that have not been + modified within a user-defined timeframe (in hours). Once identified, the job + applies specific administrative tags to these cases, enabling SOC managers and + analysts to easily filter and prioritize cases that require immediate attention + or review. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Tags | String | Yes | A comma-separated list of tags to apply to the cases that + meet the inactivity criteria (e.g., "Open Case Review, Stale"). | + + | Unmodified Time | Integer | Yes | The threshold of inactivity in hours. Any + open case not updated within this many hours will be tagged. | + + + ### Flow Description + + 1. **Parameter Retrieval**: The job fetches the `Unmodified Time` threshold and + the list of `Tags` from the configuration. + + 2. **Time Calculation**: It calculates a cutoff timestamp by subtracting the specified + number of hours from the current system time. + + 3. **Case Filtering**: The job queries the platform for all cases currently in + an "OPEN" status that have a "Last Modified" timestamp older than the calculated + cutoff. + + 4. **Tag Parsing**: The comma-separated string of tags is parsed into an array, + removing any leading or trailing whitespace from individual tags. + + 5. **Tag Application**: For every case identified in the filtering step, the job + iterates through the tag list and applies each tag to the case. + + 6. **Logging**: The job logs the IDs of the affected cases and provides a summary + of the total number of cases updated. diff --git a/content/response_integrations/third_party/community/abuse_ipdb/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/abuse_ipdb/resources/ai/actions_ai_description.yaml index 14d8de464..ab1e4a5c0 100644 --- a/content/response_integrations/third_party/community/abuse_ipdb/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/abuse_ipdb/resources/ai/actions_ai_description.yaml @@ -1,10 +1,10 @@ Check IP Reputation: ai_description: >- - Checks the reputation of IP address entities using the AbuseIPDB API. This action - retrieves detailed threat intelligence, including abuse confidence scores, country - information, ISP details, and recent report history. It enriches the entities - within Google SecOps by adding these details as attributes and can automatically - mark entities as suspicious if they exceed a user-defined confidence threshold. + Enriches IP Address entities by retrieving reputation data from AbuseIPDB. This + action checks if an IP address has been reported for malicious activity, providing + details such as the abuse confidence score, ISP, domain, and country. It allows + for filtering out internal addresses to conserve API quota and can automatically + mark entities as suspicious based on a configurable threshold. ### Parameters @@ -13,41 +13,50 @@ Check IP Reputation: | :--- | :--- | :--- | :--- | - | Exclude Internal Addresses | Boolean | No | If set to `true` (default), the - action will skip any IP addresses marked as internal to save API quota. | + | Exclude Internal Addresses | boolean | No | If set to true, the action will + skip any address entities marked as internal in Google SecOps. Default is true. + | - | Suspicious Threshold | String | Yes | An abuse confidence score (0-100). If - the IP's score is equal to or higher than this value, the entity is marked as - suspicious in the platform. Set to 0 to disable this logic. | + | Suspicious Threshold | string | Yes | An abuse confidence score (0-100) equal + to or above this value will mark the entity as suspicious. Set to 0 to disable + this logic. | - | Create Insight | Boolean | No | If `true` (default), creates a formatted insight - on the entity containing key reputation data. | + | Create Insight | boolean | No | If true, creates a detailed insight on the entity's + case wall containing the reputation report summary. Default is true. | - | Max Age in Days | String | Yes | Specifies the time range (in days) for which - AbuseIPDB should check for reports. Default is 90. | + | Max Age in Days | string | Yes | Specifies the timeframe (in days) for the reputation + report (e.g., check reports from the last 90 days). | + + + ### Additional Notes + + - The action specifically targets `ADDRESS` entities. + + - Data retrieved from AbuseIPDB is mapped to the entity's additional properties + with the prefix `AbuseIPDB_`. ### Flow Description - 1. **Filter Entities:** The action identifies all `ADDRESS` entities in the current - scope. If `Exclude Internal Addresses` is enabled, it filters out entities where - `is_internal` is true. + 1. **Filter Entities:** Identifies all `ADDRESS` entities in the current scope. + If `Exclude Internal Addresses` is enabled, it filters out entities where `is_internal` + is true. - 2. **API Query:** For each valid IP, the action sends a GET request to the AbuseIPDB - `/check` endpoint, passing the IP and the `Max Age in Days` parameter. + 2. **API Request:** For each valid IP, it queries the AbuseIPDB API using the + provided API key and the `Max Age in Days` parameter. - 3. **Data Enrichment:** The retrieved data (e.g., ISP, Domain, Country, Confidence - Score) is mapped to the entity's additional properties with the prefix `AbuseIPDB_`. + 3. **Data Mapping:** Parses the API response and populates the entity's additional + properties (e.g., `AbuseIPDB_isp`, `AbuseIPDB_abuseConfidenceScore`). - 4. **Suspicious Evaluation:** The action compares the `abuseConfidenceScore` against - the `Suspicious Threshold`. If the threshold is met, the entity's `is_suspicious` - flag is set to true. + 4. **Suspicious Evaluation:** Compares the retrieved `abuseConfidenceScore` against + the `Suspicious Threshold`. If the score meets or exceeds the threshold, the entity + is marked as suspicious. - 5. **Insight Generation:** If enabled, a detailed HTML insight is created for - the entity, summarizing the reputation findings. + 5. **Insight Creation:** If `Create Insight` is enabled, a formatted HTML insight + is added to the entity in the SecOps case. - 6. **Update:** The action updates the entities in the Google SecOps case and returns - the raw JSON data for further use in the playbook. + 6. **Update Entities:** Updates the entities in the Google SecOps platform with + the new enrichment data and status. capabilities: can_create_case_comments: false can_create_insight: true @@ -58,8 +67,8 @@ Check IP Reputation: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity attributes with reputation data, sets the suspicious status based - on the confidence score, and creates case insights. + Updates entity attributes with reputation data, sets the suspicious status of + entities, and creates case insights. categories: enrichment: true entity_usage: @@ -78,25 +87,83 @@ Check IP Reputation: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: ai_description: >- - ### General Description Tests the connectivity to the AbuseIPDB service to verify - that the provided API key and configuration are valid. This action is typically - used during the initial setup or troubleshooting of the integration. ### Parameters - Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- - | :--- | | Api Key | String | Yes | The API key required to authenticate with - the AbuseIPDB API. This is an integration configuration parameter. | | Verify - SSL | Boolean | No | If enabled, the action will verify the SSL certificate of - the AbuseIPDB API endpoint. This is an integration configuration parameter. Default - is False. | ### Flow Description 1. **Initialization**: The action retrieves the - API Key and SSL verification preference from the integration settings. 2. **Connectivity - Test**: It attempts to query the AbuseIPDB 'check' endpoint using a dummy IP address - (1.1.1.1). 3. **Validation**: The response is checked for success. If the API - key is invalid, a specific error is caught and reported. 4. **Completion**: The - action returns 'true' and a success message if the connection is established, - or 'false' with an error message if the connection fails. ### Additional Notes - There are no action-specific parameters; it relies entirely on the integration's - configuration. This action does not process or affect any entities in the environment. + ### General Description + + The Ping action is a utility designed to verify the connectivity between Google + SecOps and the AbuseIPDB API. It ensures that the provided API key is valid and + that the network path to the service is open. This is typically used during the + initial setup or troubleshooting of the integration. + + + ### Parameters Description + + This action does not have any action-specific parameters. It relies solely on + the integration's global configuration parameters: + + + | Parameter Name | Expected Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Api Key | String | Yes | The API key used to authenticate requests to AbuseIPDB. + | + + | Verify SSL | Boolean | No | If enabled, the action will verify the SSL certificate + of the AbuseIPDB API endpoint. Defaults to False. | + + + ### Additional Notes + + * The action performs a test lookup for a dummy IP address (1.1.1.1) to validate + the API response. + + * If the API key is invalid, the action will return a failure state with a specific + error message regarding forbidden access. + + + ### Flow Description + + 1. **Initialization**: The action retrieves the global configuration (API Key + and SSL verification settings). + + 2. **Connectivity Test**: The action calls the AbuseIPDB manager to perform a + `test_connectivity` operation. + + 3. **API Request**: The manager executes a GET request to the AbuseIPDB 'check' + endpoint using a hardcoded dummy IP (1.1.1.1). + + 4. **Validation**: The response is checked for HTTP errors (e.g., 403 Forbidden + for invalid keys or 204 for rate limits). + + 5. **Outcome**: If the request is successful, the action returns 'true'. If an + exception occurs or the key is invalid, it returns 'false' and logs the error. capabilities: can_create_case_comments: false can_create_insight: false @@ -124,3 +191,28 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/community/abuse_ipdb/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/abuse_ipdb/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..2e831240c --- /dev/null +++ b/content/response_integrations/third_party/community/abuse_ipdb/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + siem: false + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/air_table/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/air_table/resources/ai/actions_ai_description.yaml index 77aa731fb..6173e0a0c 100644 --- a/content/response_integrations/third_party/community/air_table/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/air_table/resources/ai/actions_ai_description.yaml @@ -1,66 +1,32 @@ AddOrUpdate: - ai_description: >- - ### General Description - - This action allows users to synchronize data with an Airtable table by either - adding new records or updating existing ones. It is designed to handle batch operations - provided via a JSON-formatted string. The action searches for existing records - based on a user-defined unique field; if a match is found, the record is updated - with the new data; if no match is found, a new record is created. - - - ### Parameters Description - - | Parameter | Description | Type | Mandatory | Notes | - - | :--- | :--- | :--- | :--- | :--- | - - | **Base id** | The unique identifier for the Airtable base where the table resides. - | String | Yes | Found in the Airtable API documentation for the specific base. - | - - | **Table name** | The name of the table within the specified base to perform - operations on. | String | Yes | Must match the table name in Airtable exactly. - | - - | **Field name** | The name of the field (column) used to identify existing records - for updates. | String | Yes | This field acts as the unique key for the 'search' - logic. | - - | **Json fields** | A JSON-formatted string representing a list of record objects - to be processed. | String | Yes | Expected format is a list of dictionaries, e.g., - `[{"Email": "test@example.com", "Status": "Active"}]`. | - - - ### Additional Notes - - - The action expects the `Json fields` parameter to be a valid JSON array of objects. - - - If multiple records in Airtable match the `Field name` value, all matching records - will be updated with the provided data. - - - ### Flow Description - - 1. **Initialization**: The action retrieves the Airtable API key from the integration - configuration and extracts the Base ID, Table Name, Field Name, and JSON data - from the action parameters. - - 2. **Data Parsing**: The `Json fields` string is parsed into a Python list of - dictionaries. - - 3. **Search and Match**: For each dictionary in the list, the action performs - a search in the specified Airtable table where the column defined by `Field name` - matches the value provided in the input data. - - 4. **Update Logic**: If the search returns one or more existing records, the action - iterates through them and updates each record using the provided data. - - 5. **Insert Logic**: If no records are found during the search, the action inserts - a new record into the table using the provided data. - - 6. **Completion**: The action concludes by providing a summary message indicating - the total number of records inserted and updated. + ai_description: "### General Description\nThe **AddOrUpdate** action allows users\ + \ to synchronize data with an Airtable table by either inserting new records or\ + \ updating existing ones. It acts as an 'upsert' operation, ensuring that the\ + \ target table reflects the provided data without creating duplicates based on\ + \ a specific identifier field.\n\n### Parameters Description\n| Parameter | Description\ + \ | Type | Mandatory | \n| :--- | :--- | :--- | :--- |\n| **Base id** | The unique\ + \ identifier for the Airtable base where the table resides. | string | Yes |\n\ + | **Table name** | The name of the specific table within the Airtable base to\ + \ perform operations on. | string | Yes |\n| **Field name** | The name of the\ + \ field used to check for existing records (e.g., 'Email' or 'ID'). This field\ + \ is used in the search query. | string | Yes |\n| **Json fields** | A JSON-formatted\ + \ string (list of objects) containing the data to be added or updated. Each object\ + \ should contain the keys corresponding to Airtable columns. | string | Yes |\n\ + \n### Additional Notes\n- The action expects the `Json fields` parameter to be\ + \ a valid JSON array of objects. \n- The `Field name` provided must exist in the\ + \ Airtable table and should ideally contain unique values for the search logic\ + \ to work correctly.\n\n### Flow Description\n1. **Initialization**: The action\ + \ retrieves the Airtable API key from the integration configuration and extracts\ + \ the Base ID, Table Name, Field Name, and JSON data from the parameters.\n2.\ + \ **Data Parsing**: The `Json fields` string is parsed into a Python list of dictionaries.\n\ + 3. **Search and Upsert Logic**: For each item in the provided list:\n - The\ + \ action searches the Airtable table for records where the specified `Field name`\ + \ matches the value in the current item.\n - **Update**: If one or more matching\ + \ records are found, the action updates those records with the data provided in\ + \ the item.\n - **Insert**: If no matching records are found, the action inserts\ + \ a new record into the table.\n4. **Completion**: The action calculates the total\ + \ number of inserted and updated records and returns a summary message to the\ + \ Google SecOps platform." capabilities: can_create_case_comments: false can_create_insight: false @@ -69,7 +35,7 @@ AddOrUpdate: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - The action performs 'update' and 'insert' operations on the target Airtable + The action performs 'update' and 'insert' operations on the specified Airtable table, modifying the state of the external database. fetches_data: true internal_data_mutation_explanation: null @@ -90,54 +56,83 @@ AddOrUpdate: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Create: ai_description: >- - ### General Description + The 'Create' action allows users to programmatically add new records to a specific + table within an Airtable base. It is designed to handle bulk creation by accepting + a JSON-formatted list of records. This action is useful for logging SOAR activities, + tracking incident metadata, or synchronizing data between Google SecOps and Airtable. - The **Create** action allows users to programmatically insert new records into - a specific table within an AirTable base. It is designed to handle bulk operations - by accepting a JSON array of field-value pairs, making it suitable for logging, - tracking, or synchronizing data from Google SecOps to AirTable. + ### Flow Description - ### Parameters Description + 1. **Configuration Extraction:** The action retrieves the Airtable API key from + the integration configuration and the Base ID, Table Name, and JSON fields from + the action parameters. - | Parameter | Type | Mandatory | Description | + 2. **Data Parsing:** It parses the provided 'Json fields' string into a list of + Python dictionaries, where each dictionary represents a single record to be created. - | :--- | :--- | :--- | :--- | + 3. **Record Insertion:** The action iterates through the list of records and uses + the Airtable SDK to insert each one into the specified table. - | **Base id** | string | Yes | The unique identifier for the AirTable base (database). - This can be found in the URL of the AirTable API page for the specific base. | + 4. **Result Compilation:** It collects the unique IDs and field data of the successfully + created records. - | **Table name** | string | Yes | The name of the specific table within the base - where the records should be inserted. | + 5. **Finalization:** The action outputs the created records as a JSON result and + provides a summary message indicating the total number of records added. - | **Json fields** | content | Yes | A JSON-formatted array of objects. Each object - represents a single row to be created, with keys matching the AirTable column - names and values matching the desired cell content. | + ### Parameters Description - ### Flow Description + | Parameter Name | Type | Mandatory | Description | - 1. **Configuration Retrieval**: The action extracts the AirTable API key from - the integration settings and the Base ID, Table Name, and JSON fields from the - action parameters. + | :--- | :--- | :--- | :--- | - 2. **Connection Initialization**: It initializes the AirTable client using the - provided credentials and base/table identifiers. + | Base id | string | True | The unique identifier for the Airtable base (database). + This can be found in the Airtable API documentation URL for that specific base. + | - 3. **Data Parsing**: The action parses the `Json fields` string into a list of - Python dictionaries. + | Table name | string | True | The name of the table within the base where the + records should be inserted. | - 4. **Record Creation**: It iterates through each dictionary in the list and performs - an `insert` operation into the target AirTable table. + | Json fields | content | True | A JSON-formatted array of objects. Each object + represents a row to be created, with keys matching the Airtable field names and + values representing the data for those fields. | - 5. **Result Compilation**: The action collects the unique IDs and field data of - the successfully created records. - 6. **Finalization**: It outputs a summary message indicating the number of records - added and attaches the full JSON response of the created records to the action - results. + ### Additional Notes + + - This action does not interact with Google SecOps entities; it operates purely + on the data provided in the 'Json fields' parameter. + + - Ensure that the field names in the JSON input exactly match the column names + in the target Airtable table to avoid insertion errors. capabilities: can_create_case_comments: false can_create_insight: false @@ -146,7 +141,7 @@ Create: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - This action creates new records (rows) in a specified AirTable table. + Creates new records (rows) in the specified Airtable base and table. fetches_data: false internal_data_mutation_explanation: null categories: @@ -166,67 +161,90 @@ Create: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Delete: ai_description: >- ### General Description - The **Delete** action allows users to remove records from a specific Airtable - table based on a matching field value. It searches for records where a designated - column (field) contains a specific value and deletes the resulting records up - to a defined limit. + The **Delete** action allows users to remove specific records from an Airtable + table based on a search match. It identifies records by comparing a provided value + against a specific field (column) and deletes all matching records up to a defined + limit. This is useful for automated data cleanup or removing specific entries + from a tracking base during incident response. ### Parameters Description - | Parameter | Description | Type | Mandatory | Notes | - - | :--- | :--- | :--- | :--- | :--- | + | Parameter | Type | Mandatory | Description | - | **Field value** | The specific value to search for within the designated field. - | String | Yes | Records containing this value will be targeted for deletion. - | + | :--- | :--- | :--- | :--- | - | **Field name** | The name of the column (field) in the Airtable table to search. - | String | Yes | This identifies which column to check for the 'Field value'. + | **Base id** | string | Yes | The unique identifier for the Airtable base (database). + This can be found in the URL of the Airtable API documentation for that base. | - | **Table name** | The name of the table within the Airtable base. | String | - Yes | Specifies the target table for the operation. | + | **Table name** | string | Yes | The name of the specific table within the base + where the records are stored. | - | **Base id** | The unique identifier for the Airtable base (database). | String - | Yes | Found in the Airtable API documentation URL for the specific base. | + | **Field name** | string | Yes | The name of the column/field to search within + to find records for deletion. | - | **Max records** | The maximum number of records to be deleted in a single execution. - | String | Yes | Default is 100. This limits the scope of the deletion to prevent - accidental mass data loss. | + | **Field value** | string | Yes | The specific value to match in the 'Field name' + column. Any record containing this value in the specified field will be targeted. + | + | **Max records** | string | Yes | The maximum number of matching records to delete + in a single execution. Defaults to 100 if not specified or invalid. | - ### Additional Notes - * **Warning:** This action performs a destructive operation by deleting entire - records (rows) from Airtable, not just clearing specific cell values. + ### Flow Description - * The action first performs a search to identify record IDs and then iterates - through those IDs to execute the deletion. + 1. **Configuration Retrieval**: The action extracts the API key from the integration + settings and the Base ID, Table Name, and search criteria from the action parameters. + 2. **Search Phase**: It performs a search in the specified Airtable table for + records where the 'Field name' matches the 'Field value'. - ### Flow Description + 3. **Deletion Phase**: The action iterates through the list of found records (limited + by the 'Max records' parameter) and sends a delete request for each unique record + ID. - 1. **Configuration Extraction:** Retrieves the Airtable API key from the integration - settings and the Base ID, Table Name, and search criteria from the action parameters. + 4. **Finalization**: The action calculates the total number of deleted records + and returns a success message to the SecOps platform. - 2. **Search Phase:** Connects to the Airtable API and searches the specified - table for records where the `Field name` matches the `Field value`, limited by - the `Max records` parameter. - 3. **Deletion Phase:** Iterates through the list of matching records retrieved - in the search phase. + ### Additional Notes - 4. **Execution:** For each matching record, it calls the Airtable delete method - using the unique record ID. + - **Data Loss Warning**: This action performs a permanent deletion of data in + the external Airtable system. Ensure that the search criteria (Field name and + Field value) are precise to avoid unintended data loss. - 5. **Reporting:** Returns a summary message to the Google SecOps platform indicating - the total number of records successfully deleted. + - **Rate Limiting**: Large values for 'Max records' may be subject to Airtable + API rate limits. capabilities: can_create_case_comments: false can_create_insight: false @@ -235,8 +253,8 @@ Delete: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - The action deletes records from an Airtable table based on search criteria provided - in the parameters. + The action deletes records from the specified Airtable table based on the search + results matching the provided field name and value. fetches_data: true internal_data_mutation_explanation: null categories: @@ -256,13 +274,39 @@ Delete: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Delete All Records: ai_description: >- ### General Description - Deletes all records from a specified table within an Airtable base. This action - is useful for clearing out temporary data or resetting a table's state as part - of an automated workflow. + The **Delete All Records** action is designed to purge all data from a specific + table within an Airtable base. This is a destructive action used for data cleanup + or resetting a table's state. It works by first retrieving all record identifiers + from the target table and then executing a batch deletion process. ### Parameters Description @@ -271,38 +315,40 @@ Delete All Records: | :--- | :--- | :--- | :--- | :--- | - | Base Id | The unique identifier for the Airtable base (database). This can be - found in the Airtable API documentation for the specific base. | string | Yes - | Required to locate the correct database. | + | **Base Id** | The unique identifier for the Airtable base (database). This can + be found in the Airtable API documentation URL for the specific base. | String + | Yes | Required to locate the correct database. | - | Table name | The name of the table within the specified base from which all - records will be deleted. | string | Yes | Required to target the specific data - set. | + | **Table name** | The name of the table within the specified base where all records + should be deleted. | String | Yes | Required to target the specific data set. + | ### Additional Notes - **Warning:** This is a destructive action. It retrieves all record IDs currently - in the table and performs a batch delete. Ensure the correct Base ID and Table - Name are provided to avoid accidental data loss. + - **Destructive Action**: This action permanently removes all records from the + specified table. Use with caution. + - **API Limits**: The action adjusts the Airtable API limit internally to handle + batch deletions efficiently. - ### Flow Description + - **No Entities**: This action does not run on specific SOAR entities; it operates + globally on the specified Airtable table. - 1. **Authentication:** The action retrieves the Airtable API key from the integration - configuration. - 2. **Data Retrieval:** It connects to the specified Airtable base and table to - fetch all existing records. + ### Flow Description + + 1. **Configuration Extraction**: The action retrieves the Airtable API key from + the integration configuration and the Base ID and Table Name from the action parameters. - 3. **ID Extraction:** The action iterates through the retrieved records to collect - their unique identifiers. + 2. **Data Retrieval**: It connects to the specified Airtable table and fetches + all existing records to collect their unique record IDs. - 4. **Batch Deletion:** It uses the collected IDs to perform a batch delete operation, - removing all records from the table. + 3. **Batch Deletion**: The action uses the collected IDs to perform a batch delete + operation, effectively clearing the table. - 5. **Reporting:** The action concludes by reporting the total number of records - successfully deleted. + 4. **Reporting**: Finally, it calculates the total number of deleted records and + returns a success message to the Google SecOps platform. capabilities: can_create_case_comments: false can_create_insight: false @@ -311,8 +357,8 @@ Delete All Records: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - The action performs a batch delete operation on the specified Airtable table, - permanently removing all records found within it. + The action performs a batch delete operation in Airtable, permanently removing + all records from the specified table. fetches_data: true internal_data_mutation_explanation: null categories: @@ -332,59 +378,95 @@ Delete All Records: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Enrich Entities From Table: ai_description: >- Enriches entities by searching for matching records within a specified Airtable - table. This action allows users to map entity identifiers or specific entity properties - to columns in Airtable to retrieve supplemental context. + table. This action allows users to map external data stored in Airtable (such + as asset owners, threat intelligence, or contact information) directly onto SecOps + entities. It searches a specific column in Airtable using either the entity's + identifier or a custom property as the search key. When a match is found, the + record's fields are flattened, prefixed, and added to the entity's additional + properties. - ### Parameters + ### Parameters Description + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Base id | String | Yes | The unique identifier for the Airtable base (database). - | + | Enrichment Prefix | string | No | A prefix (default: 'AT_') added to the keys + of the data retrieved from Airtable before adding them to the entity. | - | Table name | String | Yes | The name of the table within the base to search. - | + | Max records | string | No | The maximum number of records to retrieve from Airtable + for the search query (default: 100). | - | Field name | String | Yes | The specific column name in the Airtable table to - match against. | + | Base id | string | Yes | The unique identifier for the Airtable Base (database). + | - | Enrichment Prefix | String | No | A prefix added to the keys of the retrieved - data when stored in entity properties (default: 'AT_'). | + | Table name | string | Yes | The name of the table within the Airtable Base to + search. | - | Max records | String | No | The maximum number of records to consider for the - search (default: '100'). | + | Field name | string | Yes | The name of the column (field) in Airtable to match + against the entity value. | - | Entity Field | String | No | The entity property to use for the search. If not - provided, the entity's identifier is used. | + | Entity Field | string | No | The specific entity property to use for the search. + If left blank, the action uses the Entity Identifier. | ### Flow Description - 1. **Initialization**: The action retrieves the Airtable API key from the integration - configuration and extracts the user-provided parameters (Base ID, Table Name, - Field Name, etc.). - 2. **Entity Processing**: For each target entity, the action determines the search - value. It uses either a specific property defined in 'Entity Field' or the entity's - identifier. + 1. **Initialization:** Retrieves Airtable API credentials and action parameters + (Base ID, Table Name, Field Name, etc.). + + 2. **Entity Processing:** Iterates through all target entities in the current + context. + + 3. **Search Key Determination:** For each entity, identifies the search value. + It uses the value from the property specified in 'Entity Field' if provided; otherwise, + it defaults to the entity's identifier. - 3. **Airtable Query**: It performs a search in the specified Airtable table, matching - the 'Field name' column against the search value. It also attempts a case-insensitive - (lowercase) search if the initial search yields no results. + 4. **Airtable Query:** Executes a search in the specified Airtable table where + the 'Field name' matches the search key. It performs a case-sensitive search first, + followed by a case-insensitive search if no results are found. - 4. **Data Enrichment**: If a matching record is found, the action flattens the - record's data structure and updates the entity's additional properties with this - data, applying the specified prefix. + 5. **Data Transformation:** If a record is found, the action takes the first + result, flattens any nested JSON structures, and applies the configured 'Enrichment + Prefix' to the keys. - 5. **Finalization**: The action updates all successfully enriched entities in - Google SecOps and provides a summary of the results, including any errors encountered - during the process. + 6. **Internal Mutation:** Updates the entity's 'additional_properties' with the + processed Airtable data. + + 7. **Finalization:** Updates all successful entities in the SecOps platform and + outputs a summary message along with raw JSON results for the enriched entities + and any errors encountered. capabilities: can_create_case_comments: false can_create_insight: false @@ -395,7 +477,7 @@ Enrich Entities From Table: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with flattened data retrieved from Airtable + Updates the 'additional_properties' of entities with data retrieved from Airtable records. categories: enrichment: true @@ -449,65 +531,95 @@ Enrich Entities From Table: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get All Records: ai_description: >- ### General Description - The **Get All Records** action retrieves a specified number of records from a - designated table within an Airtable base. It allows for sorting the results based - on a specific column in either ascending or descending order. This action is primarily - used for data retrieval and synchronization tasks between Airtable and Google - SecOps. + The **Get All Records** action retrieves a collection of records from a specified + table within an Airtable base. It is designed to fetch bulk data, allowing users + to limit the number of returned records and apply sorting based on a specific + column and direction. This action is primarily used for data retrieval and synchronization + tasks where external Airtable data needs to be brought into the Google SecOps + environment for analysis or reporting. ### Parameters Description + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Base Id** | string | Yes | The unique ID of the Airtable base (database). - Found in the API documentation URL for the base. | + | **Base Id** | string | Yes | The unique identifier for the Airtable base (database). + This can be found in the Airtable API documentation for the specific base. | - | **Table name** | string | Yes | The name of the specific table within the base - from which to fetch records. | + | **Table name** | string | Yes | The name of the table within the specified base + from which to retrieve records. | | **Max Records** | string | Yes | The maximum number of rows/records to be retrieved - by the action. | + in a single execution. | - | **Sort by** | string | No | The name of the column to use for sorting the retrieved - records. | + | **Sort by** | string | No | The name of the column (field) to use for sorting + the results. If left empty, no specific sorting is applied. | - | **Sort Direction** | ddl | Yes | Specifies whether the records should be sorted - in 'Ascending' or 'Descending' order. | + | **Sort Direction** | ddl | Yes | Specifies the order of the sorted records. + Options are `Descending` or `Ascending`. Defaults to `Descending`. | ### Additional Notes - - This action does not operate on SecOps entities; it is a utility action for - database interaction. + - This action does not operate on specific entities within a case; it performs + a global fetch based on the provided parameters. - - If **Sort by** is not provided, the records will be returned in the default - order provided by the Airtable API. + - The results are returned as a JSON array containing the record objects from + Airtable. ### Flow Description - 1. **Configuration Extraction**: The action retrieves the Airtable API key from - the integration configuration and the user-provided parameters (Base ID, Table - Name, Max Records, Sort By, and Sort Direction). + 1. **Configuration Extraction:** The action retrieves the Airtable API key from + the integration configuration. - 2. **Client Initialization**: An Airtable client is initialized using the provided + 2. **Parameter Parsing:** It extracts the Base ID, Table Name, record limit, + and sorting preferences from the action parameters. + + 3. **Client Initialization:** An Airtable client is initialized using the provided Base ID, Table Name, and API Key. - 3. **Sort Logic**: The action maps the user-friendly 'Ascending/Descending' input - to the API-required 'asc/desc' values. + 4. **Data Retrieval:** The action calls the Airtable API to fetch records. If + a 'Sort by' column is provided, it applies the specified sorting logic; otherwise, + it fetches records up to the 'Max Records' limit. - 4. **Data Retrieval**: The action calls the Airtable API to fetch the records, - applying the limit and sorting criteria if specified. + 5. **Result Processing:** The retrieved records are counted and formatted into + JSON. - 5. **Result Processing**: The retrieved records are counted and formatted into - a JSON result, which is then attached to the action output in Google SecOps. + 6. **Output:** The action attaches the raw JSON results to the action output + and provides a summary message indicating the number of records successfully fetched. capabilities: can_create_case_comments: false can_create_insight: false @@ -535,51 +647,65 @@ Get All Records: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: ai_description: >- ### General Description - The **Ping** action is designed to verify the connectivity between Google SecOps - and the AirTable service. It ensures that the provided credentials and configuration - details (API Key, Base ID, and Table Name) are valid and that the service is reachable. + The **Ping** action is a diagnostic tool designed to verify the connectivity between + Google SecOps and the AirTable service. It ensures that the provided credentials + (API Key, Base ID, and Table Name) are valid and that the network path to the + AirTable API is open. ### Parameters Description - | Parameter Name | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Api key | String | Yes | The API key used to authenticate with the AirTable - API. This is extracted from the integration configuration. | - - | Base id | String | Yes | The unique identifier for the AirTable base. This is - extracted from the integration configuration. | - - | Table name | String | Yes | The name of the specific table within the base to - test connectivity against. This is extracted from the integration configuration. - | + There are no parameters for this action. ### Additional Notes - This action does not process any entities and is strictly used for health checks - of the integration configuration. It does not accept any action-specific input - parameters. + This action is typically used during the initial setup of the AirTable integration + or for troubleshooting connectivity issues. It performs a read-only operation + by attempting to fetch a single record from the configured table. ### Flow Description - 1. **Configuration Extraction**: The action retrieves the API Key, Base ID, and - Table Name from the integration's configuration settings. + 1. **Configuration Extraction:** The action retrieves the `Api key`, `Base id`, + and `Table name` from the integration's configuration settings. - 2. **Client Initialization**: An AirTable client is initialized using the retrieved + 2. **Client Initialization:** It initializes the AirTable client using the extracted credentials. - 3. **Connectivity Test**: The action attempts to fetch a single record from the - specified table using the `get_all` method with `maxRecords=1`. + 3. **Connectivity Test:** The action executes a request to fetch a maximum of + one record (`maxRecords=1`) from the specified AirTable base and table. - 4. **Result Reporting**: If the request is successful, the action concludes with + 4. **Result Reporting:** If the request is successful, the action concludes with a success message indicating that AirTable is connected. capabilities: can_create_case_comments: false @@ -608,30 +734,84 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Search: ai_description: >- - ### General Description The **Search** action allows users to query an Airtable - base for specific records. It searches a designated table and column (field) for - a matching value and retrieves the corresponding row data. This is useful for - looking up asset information, user details, or threat intelligence stored within - Airtable. ### Parameters Description | Parameter | Type | Mandatory | Description - | | :--- | :--- | :--- | :--- | | **Base id** | string | Yes | The unique identifier - for the Airtable base (found in the API URL). | | **Table name** | string | Yes - | The name of the table within the base where the search will be performed. | - | **Field name** | string | Yes | The name of the column to search in. | | **Field - value** | string | Yes | The specific value to search for within the specified - field. | | **Max records** | string | No | The maximum number of records to return - (default is 100). | ### Flow Description 1. **Initialization**: The action retrieves - the Airtable API key from the integration configuration and extracts the search - parameters (Base ID, Table Name, Field Name, Field Value, and Max Records) from - the input. 2. **Client Setup**: An Airtable client is initialized using the provided - Base ID and API Key. 3. **Execution**: The action performs a search query against - the specified table, filtering by the provided field name and value. 4. **Output**: - The matching records are returned as a JSON object, and a summary message indicates - the number of records found. ### Additional Notes - This action does not process - SOAR entities; it operates strictly based on the provided input parameters. - - The Max records parameter is converted to an integer; if an invalid value is provided, - the script logic defaults to 5. + ### General Description + + The **Search** action allows users to query an Airtable base for specific records. + It searches a designated column (field) for a specific value within a chosen table. + This is useful for retrieving structured data stored in Airtable to provide context + during an investigation. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | **Base id** | string | Yes | The unique identifier for the Airtable base (found + in the API URL). | + + | **Table name** | string | Yes | The name of the table within the base to search. + | + + | **Field name** | string | Yes | The name of the column/field to perform the + search on. | + + | **Field value** | string | Yes | The specific value to look for in the defined + field. | + + | **Max records** | string | No | The maximum number of records to return (default + is 100). | + + + ### Flow Description + + 1. **Initialization**: The action retrieves the API key from the integration configuration + and the search parameters from the action input. + + 2. **Connection**: It establishes a connection to the specified Airtable base + and table using the Airtable SDK. + + 3. **Execution**: It performs a search query using the provided field name and + value, respecting the maximum records limit. + + 4. **Output**: The results are returned as a JSON object, and a summary message + indicates how many records were matched. + + + ### Additional Notes + + - This action is read-only and does not modify any data in Airtable. + + - It does not automatically process entities from the SecOps case; all search + criteria must be provided via parameters. capabilities: can_create_case_comments: false can_create_insight: false @@ -659,66 +839,88 @@ Search: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Update: ai_description: >- ### General Description - Updates specific records in an Airtable table based on a search criterion. This - action allows for bulk updates of records that share a common field value, enabling - automated data management within Airtable bases. + The **Update** action allows users to modify existing records within an Airtable + table. It functions by searching for records that match a specific criteria (field + name and value) and then applying updates to those records based on a provided + JSON object. This is useful for synchronizing data between Google SecOps and Airtable + or for updating status fields in a tracking table. - ### Parameters + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Base id | string | Yes | The unique identifier for the Airtable base, found - in the API URL. | + | **Base id** | string | Yes | The unique identifier for the Airtable base. | - | Table name | string | Yes | The name of the table within the base where the - update will occur. | + | **Table name** | string | Yes | The name of the specific table to update. | - | Field name | string | Yes | The name of the column used to filter/search for - records to be updated. | + | **Field name** | string | Yes | The column name used to filter which records + should be updated. | - | Field value | string | Yes | The specific value to search for in the 'Field - name' column. | + | **Field value** | string | Yes | The value to look for in the specified `Field + name`. | - | Json fields | content | Yes | A JSON-formatted string representing a dictionary - of field names and the new values to be applied (e.g., `{"Status": "Closed", "Priority": - "Low"}`). | + | **Json fields** | content | Yes | A JSON string representing the fields and + their new values (e.g., `{"Status": "Resolved"}`). | - | Max records | string | Yes | The maximum number of records that the action will - attempt to search for and update in a single execution. | + | **Max records** | string | Yes | Limits the number of records that will be updated + in a single execution. | ### Flow Description - 1. **Initialization**: The action extracts the API key from the integration configuration + 1. **Initialization**: Retrieves the API key from the integration configuration and parameters from the action input. - 2. **Search**: It connects to the specified Airtable base and table to search - for records where the `Field name` matches the `Field value`. + 2. **Validation**: Parses the `Json fields` parameter into a dictionary and converts + `Max records` to an integer. - 3. **Limit**: The search result is limited by the `Max records` parameter to prevent - accidental bulk changes beyond the intended scope. + 3. **Search**: Queries the specified Airtable base and table for records where + the `Field name` matches the `Field value`. - 4. **Update**: The action iterates through each record found in the search results - and performs an update operation using the key-value pairs provided in the `Json - fields` parameter. + 4. **Update**: Iterates through the retrieved records (up to the `Max records` + limit) and updates each one with the data provided in `Json fields`. - 5. **Completion**: It returns a summary message indicating the total number of - records that were successfully updated. + 5. **Completion**: Returns a success message indicating the total number of records + updated. ### Additional Notes - - The `Json fields` parameter must be a valid JSON object string. + - Ensure the `Json fields` parameter is a valid JSON string. - - The action performs a search-then-update flow; if no records match the search - criteria, no updates will be performed. + - The action will only update records that are found during the search phase. capabilities: can_create_case_comments: false can_create_insight: false @@ -727,8 +929,8 @@ Update: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates existing records in an Airtable table with new values provided in the - 'Json fields' parameter. + Updates existing records in an Airtable table with new field values based on + a search query. fetches_data: true internal_data_mutation_explanation: null categories: @@ -748,3 +950,28 @@ Update: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/community/air_table/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/air_table/resources/ai/connectors_ai_description.yaml new file mode 100644 index 000000000..624425975 --- /dev/null +++ b/content/response_integrations/third_party/community/air_table/resources/ai/connectors_ai_description.yaml @@ -0,0 +1,35 @@ +AirTable Connector: + ai_description: "### General Description\nThe AirTable Connector enables the ingestion\ + \ of records from Airtable tables into Google SecOps as alerts and cases. This\ + \ integration allows security teams to treat Airtable as a data source for tracking\ + \ incidents, assets, or logs, facilitating automated response workflows based\ + \ on spreadsheet-style data.\n\n### Parameters Description\n| Parameter | Type\ + \ | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Api key | Password\ + \ | Yes | Your Airtable API Key, found in your account overview. |\n| Base id\ + \ | String | Yes | The unique ID for the Airtable base (database), found in the\ + \ API documentation URL for that base. |\n| Table name | String | Yes | The name\ + \ of the specific table within the base to fetch records from. |\n| Alert type\ + \ | String | Yes | Determines the Alert Type (Rule Generator) for the ingested\ + \ cases. |\n| Max records | String | Yes | The maximum number of rows to fetch\ + \ from the table per execution. |\n| Alert name field | String | No | The Airtable\ + \ column name used to populate the Alert name. |\n| Alert name prefix | String\ + \ | No | A string to prepend to the Alert name for better identification. |\n\ + | Field name | String | No | The column name to use for filtering records. |\n\ + | Field value | String | No | The specific value(s) to search for in the 'Field\ + \ name' column (supports comma-separated values). |\n| DeviceProductField | String\ + \ | Yes | The field name used to determine the device product (defaults to 'AirTable'\ + \ in logic). |\n| EventClassId | String | Yes | The field name used to determine\ + \ the event name or sub-type. |\n| PythonProcessTimeout | String | Yes | The timeout\ + \ limit (in seconds) for the connector execution. |\n\n### Flow Description\n\ + 1. **Authentication**: Connects to the Airtable API using the provided API Key\ + \ and targets the specified Base ID.\n2. **Data Retrieval**: \n * If a `Field\ + \ name` and `Field value` are provided, the connector searches for records where\ + \ that column matches the specified values (handling comma-separated lists).\n\ + \ * If no filter is provided, it fetches all available records from the specified\ + \ `Table name` up to the `Max records` limit.\n3. **Mapping**: Iterates through\ + \ each retrieved record and maps Airtable columns to Google SecOps case extensions.\ + \ Spaces in column names are replaced with underscores.\n4. **Case Creation**:\ + \ Generates a `CaseInfo` object for each record, setting the alert name based\ + \ on the `Alert name field` and applying the `Alert type`.\n5. **Ingestion**:\ + \ Packages the cases and events, then sends them to the Google SecOps platform\ + \ for processing." diff --git a/content/response_integrations/third_party/community/air_table/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/air_table/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..6880e92b2 --- /dev/null +++ b/content/response_integrations/third_party/community/air_table/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: true + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: true + network_security: false + siem: false + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/arcanna_ai/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/arcanna_ai/resources/ai/actions_ai_description.yaml index 33e46e9af..8f5b0f0a2 100644 --- a/content/response_integrations/third_party/community/arcanna_ai/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/arcanna_ai/resources/ai/actions_ai_description.yaml @@ -2,49 +2,49 @@ Export full event: ai_description: >- ### General Description - The **Export full event** action retrieves the complete data structure of a specific - event processed by Arcanna.ai. This action is primarily used to gather the full - context and raw data of an event that has been analyzed by an Arcanna AI job, - making the detailed results available for further processing or investigation - within the SOAR platform. + The **Export full event** action retrieves the complete data associated with a + specific event from a designated Arcanna.ai job. This is primarily used for deep-dive + analysis or forensic review of events processed by the Arcanna.ai engine, allowing + analysts to see the full raw and processed context of a decision. - ### Parameters + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Job ID** | String | Yes | The unique identifier of the Arcanna job associated - with the event. Note: The code converts this value to an integer internally. | + | **Job ID** | string | Yes | The unique identifier of the Arcanna job where the + event is located. The action converts this to an integer internally. | - | **Event ID** | String | Yes | The unique identifier of the specific event to - be exported from Arcanna. | + | **Event ID** | string | Yes | The unique identifier of the specific event to + be exported. | ### Flow Description - 1. **Configuration Extraction**: The action retrieves the Arcanna base URL, API - Key, and SSL verification settings from the integration's global configuration. + 1. **Configuration Extraction:** The action retrieves the Arcanna URL, API Key, + and SSL verification settings from the integration configuration. - 2. **Input Parsing**: It extracts the `Job ID` and `Event ID` from the action - parameters. + 2. **Parameter Retrieval:** It extracts the `Job ID` and `Event ID` provided by + the user. - 3. **API Request**: The action initializes the Arcanna client and performs a GET - request to the `/api/v1/events/{job_id}/{event_id}/export` endpoint. + 3. **API Interaction:** The action initializes the `ArcannaClient` and performs + a GET request to the `/api/v1/events/{job_id}/{event_id}/export` endpoint. - 4. **Result Processing**: The retrieved JSON response, containing the full event - details, is added to the action's result JSON. + 4. **Data Processing:** The full event data returned by the API is captured as + a JSON object. - 5. **Completion**: The action terminates, providing the exported data as the primary - output. + 5. **Result Output:** The retrieved JSON is attached to the action results for + use in subsequent playbook steps or for analyst review. ### Additional Notes - This action does not iterate over or process SOAR entities (such as IP addresses - or Hostnames). It relies entirely on the specific IDs provided in the parameters - to fetch data. + - This action does not operate on SOAR entities; it requires specific IDs as input + parameters. + + - The output is provided as a raw JSON result (`JsonResult`). capabilities: can_create_case_comments: false can_create_insight: false @@ -56,7 +56,7 @@ Export full event: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: true + enrichment: false entity_usage: entity_types: [] filters_by_additional_properties: false @@ -72,24 +72,69 @@ Export full event: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get AI Job by name: ai_description: >- - ### General Description\nRetrieves detailed information about a specific AI job - from the ArcannaAI platform using the job's name. This action allows users to - programmatically fetch job configurations and metadata, which can be used in subsequent - playbook steps.\n\n### Parameters Description\n| Parameter | Type | Mandatory - | Description |\n| :--- | :--- | :--- | :--- |\n| Job name | String | Yes | The - name of the AI job for which details should be retrieved. |\n\n### Flow Description\n1. - **Configuration Retrieval**: The action fetches the ArcannaAI URL, API Key, and - SSL verification settings from the integration's configuration.\n2. **Input Validation**: - The action extracts the mandatory `Job name` parameter provided by the user.\n3. - **API Request**: The action uses the `ArcannaClient` to send a POST request to - the `/api/v1/jobs/get_by_name` endpoint, passing the job name in the request body.\n4. - **Response Handling**: The action receives the job details in JSON format from - ArcannaAI.\n5. **Output Generation**: The retrieved JSON data is added to the - action's results, and the action completes successfully.\n\n### Additional Notes\nThis - action does not operate on entities. It is a standalone lookup action based on - the provided job name. + Retrieves detailed information about a specific AI job from the Arcanna.ai platform + using its name. This action is primarily used as a utility to fetch job metadata, + such as job IDs or configuration details, which can then be used in subsequent + workflow steps. + + + ### Flow Description: + + 1. **Configuration Retrieval:** The action starts by extracting the Arcanna URL, + API Key, and SSL verification settings from the integration's global configuration. + + 2. **Parameter Extraction:** It retrieves the mandatory 'Job name' provided by + the user. + + 3. **API Request:** The action initializes the Arcanna client and sends a request + to the `/api/v1/jobs/get_by_name` endpoint to search for the specified job. + + 4. **Result Handling:** If the job is found, the full JSON response containing + the job's details is added to the action's results. If the request fails, an error + is logged and the action is marked as failed. + + + ### Parameters Description: + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Job name | String | Yes | The specific name of the AI job in Arcanna for which + you want to retrieve details. | + + + ### Additional Notes: + + - This action does not process or filter SecOps entities (like IPs or Hostnames); + it is a management utility for the Arcanna.ai integration. capabilities: can_create_case_comments: false can_create_insight: false @@ -117,48 +162,75 @@ Get AI Job by name: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get AI Job decision set: ai_description: >- - ### General Description + Retrieves the set of possible decisions (labels) associated with a specific AI + job in Arcanna.ai. This action is used to identify the classification categories + that the AI model can assign to events processed by the specified job. The results + are returned as a JSON object containing the decision set metadata. - The **Get AI Job decision set** action retrieves the collection of possible decisions - (labels) associated with a specific job in Arcanna.ai. This action is primarily - used to understand the classification schema or the set of outcomes an AI job - is configured to produce, which is essential for interpreting AI-driven analysis - results. + ### Parameters - ### Parameters Description + | Parameter | Description | Type | Mandatory | Notes | - | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | :--- | - | :--- | :--- | :--- | :--- | + | Job ID | The unique identifier for the Arcanna AI job for which the decision + set should be fetched. | String | Yes | This value is converted to an integer + internally. | - | Job ID | String | Yes | The unique identifier of the Arcanna.ai job for which - the decision set (labels) should be retrieved. | + ### Additional Notes - ### Flow Description + - This action does not interact with SecOps entities; it retrieves configuration + data directly from the Arcanna.ai platform based on the provided Job ID. - 1. **Configuration Retrieval**: The action extracts the Arcanna.ai base URL, API - Key, and SSL verification settings from the integration's global configuration. + - Ensure the API Key provided in the integration settings has the necessary permissions + to view job details. - 2. **Parameter Extraction**: The mandatory `Job ID` is retrieved from the action's - input parameters and converted to an integer. - 3. **API Request**: The action initializes the `ArcannaClient` and performs a - GET request to the `/api/v1/jobs/{job_id}/labels` endpoint to fetch the decision - set. + ### Flow Description - 4. **Result Handling**: The retrieved JSON response containing the labels is added - to the action's execution results, and the action completes successfully. + 1. **Configuration Extraction**: Retrieves the Arcanna URL, API Key, and SSL verification + settings from the integration configuration. + 2. **Parameter Extraction**: Retrieves the mandatory `Job ID` from the action + parameters. - ### Additional Notes + 3. **Client Initialization**: Initializes the `ArcannaClient` with the provided + credentials and connection settings. - - This action does not process or filter entities from the SecOps environment. + 4. **API Request**: Executes a GET request to the `/api/v1/jobs/{job_id}/labels` + endpoint to fetch the decision set. - - It is a utility action focused on metadata retrieval from the Arcanna.ai platform. + 5. **Result Processing**: Adds the retrieved JSON response to the action results + and completes the execution. capabilities: can_create_case_comments: false can_create_insight: false @@ -186,50 +258,77 @@ Get AI Job decision set: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get AI Job decision set by job name: ai_description: >- ### General Description - Retrieves the decision set (labels) for a specific AI job identified by its name - from the Arcanna.ai platform. This action is used to fetch the possible classification - outcomes or labels associated with a particular AI model configuration, allowing - users to understand the decision space of the job. + Retrieves the decision set (available labels) for a specific AI job in Arcanna.ai + based on the job's name. This action allows users to programmatically identify + the possible classification outcomes configured for a particular job, which is + essential for downstream logic that processes AI decisions. - ### Parameters + ### Parameters Description + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Job name | String | Yes | The unique name of the AI job for which the decision - set (labels) should be retrieved. | + | Job name | String | Yes | The unique name of the Arcanna.ai job for which the + decision set (labels) should be retrieved. | ### Flow Description - 1. **Configuration Extraction**: The action retrieves the Arcanna URL, API Key, - and SSL verification settings from the integration's global configuration. + 1. **Configuration Extraction**: Retrieves the Arcanna URL, API Key, and SSL verification + settings from the integration configuration. + + 2. **Parameter Extraction**: Retrieves the target 'Job name' from the action parameters. - 2. **Parameter Extraction**: The action extracts the mandatory `Job name` provided - by the user. + 3. **API Interaction**: Initializes the Arcanna client and performs a POST request + to the `/api/v1/jobs/get_by_name/labels` endpoint with the job name to fetch the + associated labels. - 3. **API Interaction**: It initializes the Arcanna client and performs a POST - request to the `/api/v1/jobs/get_by_name/labels` endpoint, passing the job name - in the request body to identify the target job. + 4. **Result Processing**: Captures the JSON response containing the decision set + and attaches it to the action's execution results using `add_result_json`. - 4. **Result Processing**: The retrieved decision set (JSON) is captured and added - to the action's execution results for use in subsequent playbook steps. + 5. **Completion**: Finalizes the action with a success or failure status based + on the API response. ### Additional Notes - - This action does not operate on SOAR entities (IPs, Hosts, etc.); it is a system-level - query based on a job name string. + - This action does not operate on SOAR entities; it is a utility action for job + metadata retrieval. - - Note: The provided script contains a potential configuration mapping error where - it attempts to extract the 'SSL Verification' value using the key 'Api Key' from - the configuration block. + - Although the underlying API call uses a POST method, it is a read-only operation + used to fetch data by name and does not modify the state of the AI job. capabilities: can_create_case_comments: false can_create_insight: false @@ -257,65 +356,59 @@ Get AI Job decision set by job name: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Arcanna decision: - ai_description: >- - ### General Description - - Retrieves the AI decision for a specific event from Arcanna.ai. This action is - designed to poll the Arcanna API to fetch the inference results for an event that - has been previously submitted. It uses a configurable retry mechanism to wait - for the decision if it is still in a pending state. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Job Id | string | Yes | The unique identifier of the Arcanna Job associated - with the event. | - - | Event Id | string | Yes | The unique identifier of the specific event for which - the decision is being requested. | - - | Retry count | string | Yes | The maximum number of times the action will poll - the API if the decision is still 'pending_inference'. Default is 20. | - - | Seconds per retry | string | Yes | The duration (in seconds) to wait between - each polling attempt. Default is 5. | - - - ### Additional Notes - - This action does not operate on SecOps entities. It relies entirely on the provided - `Job Id` and `Event Id` parameters to identify the data to retrieve. The action - will fail if the decision is not available within the total retry window (Retry - count * Seconds per retry) or if the API returns an error status. - - - ### Flow Description - - 1. **Initialization**: Extracts the Arcanna integration configuration (URL, API - Key, SSL) and the action parameters. - - 2. **Client Setup**: Initializes the Arcanna API client. - - 3. **Polling Loop**: Enters a loop that continues for the specified `Retry count`. - - 4. **Status Check**: Calls the Arcanna API to get the status of the event using - the `Job Id` and `Event Id`. - - 5. **Decision Handling**: - * If the status is `OK`, the decision data is retrieved, added to the action's - JSON results, and the action completes successfully. - * If the status is `pending_inference`, the action waits for the specified - `Seconds per retry` and then attempts the next poll. - * If the status is `ERROR`, the action logs the error and terminates with - a failure state. - 6. **Timeout**: If the loop finishes without receiving an `OK` or `ERROR` status, - the action fails, notifying the user that the decision could not be retrieved - within the configured window. + ai_description: "### General Description\nRetrieves an AI-driven decision from Arcanna.ai\ + \ for a specific event. This action is used to poll the Arcanna API to obtain\ + \ the inference result (decision) associated with a previously submitted event.\ + \ It is particularly useful in automated workflows where a decision from an AI\ + \ model is required to determine the next steps in an investigation.\n\n### Parameters\ + \ Description\n| Parameter | Description | Type | Mandatory | \n| :--- | :---\ + \ | :--- | :--- |\n| Job Id | The unique identifier of the Arcanna Job associated\ + \ with the event. | string | Yes |\n| Event Id | The unique identifier of the\ + \ specific event for which the decision is being requested. | string | Yes |\n\ + | Retry count | The maximum number of times the action will poll the Arcanna API\ + \ if the decision is still pending. | string | Yes |\n| Seconds per retry | The\ + \ duration (in seconds) to wait between each polling attempt. | string | Yes |\n\ + \n### Additional Notes\n- The action uses a polling mechanism because AI inference\ + \ may not be instantaneous. \n- If the `Retry count` is exhausted and the decision\ + \ is still pending, the action will return a failure state.\n- This action does\ + \ not process SecOps entities; it relies entirely on the provided Job and Event\ + \ IDs.\n\n### Flow Description\n1. **Initialization**: Extracts the Arcanna URL\ + \ and API Key from the integration configuration and the Job/Event IDs from the\ + \ action parameters.\n2. **Retry Loop**: Enters a loop based on the `Retry count`\ + \ and `Seconds per retry` settings.\n3. **API Request**: Calls the Arcanna `get_event_status`\ + \ endpoint for the specified Job and Event.\n4. **Status Evaluation**:\n -\ + \ If the status is **OK**: The decision data is retrieved, added to the action\ + \ results, and the process completes successfully.\n - If the status is **pending_inference**:\ + \ The script logs that the decision is pending, waits for the specified interval,\ + \ and retries.\n - If the status is **ERROR**: The action logs the error and\ + \ terminates with a failure state.\n5. **Timeout**: If the loop finishes without\ + \ receiving an 'OK' or 'ERROR' status, the action fails due to a timeout." capabilities: can_create_case_comments: false can_create_insight: false @@ -343,50 +436,74 @@ Get Arcanna decision: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Jobs: ai_description: >- ### General Description - The **Get Jobs** action retrieves a comprehensive list of all available jobs configured - within the Arcanna.AI platform. This utility action is primarily used to discover - job identifiers and names, which are necessary for configuring other actions within - the Arcanna.AI integration, such as sending events or triggering model training. + This action retrieves a list of all available jobs from the Arcanna.AI platform. + It is primarily used as a utility to discover job IDs or names required for other + Arcanna.AI actions, such as sending cases or getting decisions. The action fetches + the job metadata and saves the raw JSON response into the action's results. ### Parameters Description - There are no action-specific parameters for this action. It utilizes the global - integration configuration for connectivity: + | Parameter Name | Type | Mandatory | Description | - * **Url**: The base URL of the Arcanna.AI instance. + | :--- | :--- | :--- | :--- | - * **Api Key**: The API key used for authentication. + | None | N/A | N/A | This action does not require any input parameters. It relies + solely on the integration's global configuration (URL and API Key). | - * **SSL Verification**: Boolean flag to enable or disable SSL certificate validation. + ### Additional Notes - ### Flow Description + - This action does not interact with any entities in the current case. - 1. **Configuration Extraction**: The action retrieves the connection details (URL, - API Key, and SSL settings) from the integration's configuration block. + - The results are provided in a raw JSON format, which can be used by subsequent + playbook steps to iterate over job configurations. - 2. **Client Initialization**: An Arcanna API client is initialized using the retrieved - credentials. - 3. **API Request**: The action executes a GET request to the `/api/v1/jobs` endpoint - to fetch the list of jobs. + ### Flow Description - 4. **Result Processing**: The retrieved JSON response is parsed and added to the - action's result output. + 1. **Configuration Extraction**: The action retrieves the Arcanna.AI URL, API + Key, and SSL verification settings from the integration's configuration. - 5. **Completion**: The action terminates, providing the job list in the execution - summary and as a JSON result for downstream playbook tasks. + 2. **Client Initialization**: An Arcanna.AI API client is initialized using the + extracted credentials. + 3. **API Request**: The action sends a GET request to the `/api/v1/jobs` endpoint + of the Arcanna.AI service. - ### Additional Notes + 4. **Data Processing**: The service returns a JSON list of available jobs. - This action does not interact with or require any entities (IPs, Hosts, etc.) - to function. It is a global data retrieval task. + 5. **Result Output**: The retrieved JSON data is attached to the action's result + and the execution is marked as completed. capabilities: can_create_case_comments: false can_create_insight: false @@ -414,47 +531,71 @@ Get Jobs: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: ai_description: >- ### General Description - Tests the connectivity between Google SecOps and the Arcanna.ai instance by performing - a health check. This action ensures that the provided URL and API Key are valid - and that the service is reachable. + Tests the connectivity between Google SecOps and the Arcanna.ai instance. This + action is used to verify that the provided API key and URL are correct and that + the network allows communication with the Arcanna.ai health endpoint. ### Parameters Description - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Url | String | Yes | The base URL of the Arcanna.ai instance. | - - | Api Key | String | Yes | The API key used for authentication with the Arcanna.ai - API. | - - | SSL Verification | Boolean | Yes | If set to true, the action will verify the - SSL certificate of the Arcanna.ai server. | + This action does not have any input parameters. It relies solely on the integration's + global configuration (URL, API Key, and SSL Verification settings). ### Additional Notes - This is a standard connectivity test (Ping) action and does not process any entities. + - The action performs a simple GET request to the `/api/v1/health` endpoint of + the Arcanna.ai API. + + - If the connection is successful, the action returns the health status JSON from + the server. ### Flow Description - 1. **Extract Configuration:** Retrieves the Arcanna URL, API Key, and SSL verification + 1. **Configuration Extraction**: Retrieves the Arcanna URL, API Key, and SSL verification settings from the integration configuration. - 2. **Initialize Client:** Sets up the Arcanna API client with the provided credentials. + 2. **Client Initialization**: Initializes the Arcanna API client with the provided + credentials. + + 3. **Connectivity Test**: Executes a GET request to the health check endpoint + (`/api/v1/health`). - 3. **Health Check:** Executes a GET request to the `/api/v1/health` endpoint of - the Arcanna service. + 4. **Result Processing**: Captures the API response and adds it to the action's + result JSON. - 4. **Process Result:** Captures the JSON response from the health check and reports - the execution status (Success/Failure). + 5. **Completion**: Reports whether the connection was successful or failed based + on the HTTP response status. capabilities: can_create_case_comments: false can_create_insight: false @@ -482,60 +623,82 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Send Active Alert from Case to Arcanna: ai_description: >- - ### General Description + Sends the currently active alert from a Google SecOps case to Arcanna.ai for AI-assisted + analysis. This action retrieves the full alert payload from the case context and + transmits it to a specific Arcanna job. It allows for mapping a specific field + from the alert to serve as the unique identifier within the Arcanna platform. - Sends the currently active alert from a Google SecOps case to Arcanna.ai for processing. - This action allows users to forward specific alert data to Arcanna's AI engine - for decision-making or further analysis based on a configured Job ID. + ### Flow Description - ### Parameters Description + 1. **Configuration Retrieval:** Extracts the Arcanna API key, base URL, and SSL + settings from the integration configuration. - | Parameter | Type | Mandatory | Description | + 2. **Parameter Extraction:** Retrieves the target Arcanna Job ID and identifier + mapping settings from the action parameters. - | :--- | :--- | :--- | :--- | + 3. **Case Context Fetching:** Accesses the full case data and identifies the specific + alert currently being processed in the playbook. - | **Job ID** | String | Yes | The ID of the Arcanna.ai job that will receive and - process the alert. Note: The action converts this value to an integer internally. - | + 4. **Alert Matching:** Iterates through the case's cyber alerts to find the payload + matching the current alert's identifier. - | **Alert identifier field** | String | No | The specific field in the alert JSON - to use as the identifier. Defaults to "identifier". | + 5. **Data Transmission:** Sends the raw alert payload to the Arcanna API via a + POST request, optionally including a custom event ID if configured. - | **Use Alert ID as ID in Arcanna** | Boolean | No | If set to `True`, the action - uses the value from the "Alert identifier field" as the ID in Arcanna. If `False`, - Arcanna generates a new unique ID. | + ### Parameters Description - ### Additional Notes + | Parameter Name | Type | Mandatory | Description | - If **Use Alert ID as ID in Arcanna** is enabled, the **Alert identifier field** - should be correctly configured to point to a valid field in the alert payload - (using dot notation if necessary) to ensure the identifier is correctly mapped - in Arcanna.ai. + | :--- | :--- | :--- | :--- | + | Job ID | string | Yes | The specific Job ID in Arcanna.ai that should receive + and process the alert data. | - ### Flow Description - - 1. **Initialization**: Extracts integration configuration (URL, API Key, SSL Verification) - and action parameters. + | Alert identifier field | string | No | The JSON path within the alert payload + (e.g., "identifier") to be used as the unique ID in Arcanna. Defaults to "identifier". + | - 2. **Context Retrieval**: Fetches the full case details and identifies the currently - active alert in the SOAR context. + | Use Alert ID as ID in Arcanna | boolean | Yes | If set to True, the action will + use the value found in the 'Alert identifier field' as the event ID in Arcanna. + If False, Arcanna generates a new unique ID. | - 3. **Alert Matching**: Iterates through the alerts in the case to find the one - matching the active alert's identifier. - 4. **ID Resolution**: If configured to use an existing ID, it extracts the value - from the specified alert field using a dot-notation helper. + ### Additional Notes - 5. **External Transmission**: Sends the raw alert payload to the Arcanna.ai API - via a POST request to the events endpoint. + - This action operates at the Alert level within a Case. It specifically targets + the 'current alert' context of the playbook execution. - 6. **Result Handling**: Captures the API response and attaches it to the action - results as JSON. + - The 'Job ID' is expected to be a numeric string that the script converts to + an integer. capabilities: can_create_case_comments: false can_create_insight: false @@ -544,8 +707,8 @@ Send Active Alert from Case to Arcanna: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Sends alert data to Arcanna.ai, creating a new event record for analysis within - the specified Job ID. + Creates a new event or alert record in the Arcanna.ai platform for processing + and analysis. fetches_data: false internal_data_mutation_explanation: null categories: @@ -565,54 +728,82 @@ Send Active Alert from Case to Arcanna: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Send Analyst Feedback to Arcanna: ai_description: >- ### General Description - This action sends analyst feedback for a specific event to the Arcanna.ai platform. - It is used to provide human-validated labels or feedback on AI-processed events, - which is essential for model training and refinement within the Arcanna ecosystem. - The action interacts with the Arcanna API via a PUT request to update the feedback - status of a specific event associated with a job. + The **Send Analyst Feedback to Arcanna** action allows an analyst to submit feedback + or labels for a specific event processed by Arcanna.ai. This feedback is used + by the Arcanna platform to refine its AI models and improve future decision-making + accuracy. - ### Parameters + ### Parameters Description - | Parameter Name | Description | Type | Mandatory | Default Value | + | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | :--- | + | :--- | :--- | :--- | :--- | - | Event Id | The unique identifier of the event in Arcanna for which feedback - is being provided. | string | Yes | N/A | + | **Event Id** | String | Yes | The unique identifier of the event in Arcanna + for which feedback is being provided. | - | Username | The name of the analyst providing the feedback. This is used for - auditing and tracking within Arcanna. | user | Yes | Admin | + | **Username** | User | Yes | The name or identifier of the analyst providing + the feedback. | - | Job Id | The unique identifier of the Arcanna job that the event belongs to. - | string | Yes | N/A | + | **Job Id** | String | Yes | The unique identifier of the Arcanna job associated + with the event. | - | Analyst Feedback | The specific feedback or label (e.g., a decision or classification) - that the analyst wants to assign to the event. | string | Yes | N/A | + | **Analyst Feedback** | String | Yes | The specific feedback or label (e.g., + 'True Positive', 'False Positive') to be assigned to the event. | ### Flow Description - 1. **Configuration Extraction**: The action retrieves the Arcanna URL, API Key, - and SSL verification settings from the integration configuration. + 1. **Parameter Extraction**: The action retrieves the Arcanna API credentials + (URL, API Key) from the integration configuration and the specific event details + (Event ID, Job ID, Username, Feedback) from the action parameters. - 2. **Parameter Retrieval**: It extracts the `Job Id`, `Event Id`, `Username`, - and `Analyst Feedback` from the action parameters. + 2. **Client Initialization**: An Arcanna API client is initialized with the provided + connection details and SSL verification settings. - 3. **Client Initialization**: An `ArcannaClient` is initialized using the provided - connection details. + 3. **Feedback Submission**: The action performs a `PUT` request to the Arcanna + endpoint (`/api/v1/events/{job_id}/{event_id}/feedback`) containing the analyst's + username and the feedback string. - 4. **API Interaction**: The action calls the `send_feedback` method, which performs - a PUT request to the Arcanna endpoint `/api/v1/events/{job_id}/{event_id}/feedback` - with the analyst's feedback and username. + 4. **Result Processing**: The response from the Arcanna API is captured and attached + to the action's execution results as a JSON object for further use in the playbook. - 5. **Result Processing**: The response from the Arcanna API is captured and added - to the action's JSON results. If successful, the action completes with a success - status; otherwise, it logs the error and fails. + + ### Additional Notes + + This action does not operate on SecOps entities; it requires specific IDs provided + as parameters. It is primarily used for model training and feedback loops within + the Arcanna.ai ecosystem. capabilities: can_create_case_comments: false can_create_insight: false @@ -621,8 +812,8 @@ Send Analyst Feedback to Arcanna: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - The action performs a PUT request to the Arcanna API to update the feedback/label - associated with a specific event in an Arcanna job. + Updates the feedback label for a specific event in the Arcanna.ai platform using + a PUT request. fetches_data: false internal_data_mutation_explanation: null categories: @@ -642,14 +833,39 @@ Send Analyst Feedback to Arcanna: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Send Case to Arcanna: ai_description: >- ### General Description - Sends a Google SecOps case, including its metadata and associated entities, to - Arcanna.ai for analysis or processing. This action allows for the seamless transfer - of case context to Arcanna's AI engine to facilitate automated decision-making - or further investigation. + The **Send Case to Arcanna** action exports the complete data of a Google SecOps + case, including its associated entities, to the Arcanna.ai platform. This integration + allows for external AI-driven analysis and decision-making by submitting case + details to a specific Arcanna job. ### Parameters Description @@ -658,40 +874,46 @@ Send Case to Arcanna: | :--- | :--- | :--- | :--- | - | **Job ID** | String | Yes | The specific Arcanna job ID used for sending the - event to Arcanna.ai. | + | Job ID | String | Yes | The unique identifier of the Arcanna job that will receive + and process the case data. | - | **Case identifier field** | String | No | The field within the Google SecOps - case JSON that will be used as the ID in Arcanna.ai. Default is "identifier". - | + | Case identifier field | String | No | The JSON path in the case object (e.g., + `identifier`) to be used as the event ID in Arcanna. | - | **Use case ID as ID in Arcanna** | Boolean | No | If set to `True`, Arcanna - uses the value found in the "Case identifier field" as the event ID. If `False`, - Arcanna generates a new unique ID. | + | Use case ID as ID in Arcanna | Boolean | No | If set to `True`, the action uses + the value from the 'Case identifier field' as the ID in Arcanna. If `False`, Arcanna + generates a new unique ID. | ### Flow Description - 1. **Configuration Retrieval**: The action fetches the Arcanna URL, API Key, and - SSL settings from the integration configuration. + 1. **Initialization**: The action initializes the Arcanna API client using the + provided URL and API Key from the integration configuration. + + 2. **Data Retrieval**: It fetches the full case object and the list of entities + currently in the context. - 2. **Parameter Extraction**: It retrieves the Job ID, the target case identifier - field, and the ID usage preference from the action parameters. + 3. **Payload Construction**: The case data is prepared as the primary payload, + with the entity list appended to it. - 3. **Data Gathering**: The action retrieves the complete case details and the - list of target entities from the current Google SecOps context. + 4. **ID Mapping**: If configured, it extracts a specific field from the case to + serve as the external event ID. - 4. **Payload Construction**: It combines the case data and entities into a single - JSON payload. + 5. **Submission**: The action sends the payload to Arcanna.ai via a POST request + associated with the specified Job ID. - 5. **ID Resolution**: If configured to use an existing ID, it extracts the specified - field value from the case data using a dot-notation path. + 6. **Result Handling**: The API response from Arcanna is returned and added to + the action's JSON results. - 6. **API Interaction**: The action sends the payload to the Arcanna `/api/v1/events/` - endpoint via a POST request. - 7. **Result Handling**: The response from Arcanna is captured and added to the - action's JSON results. + ### Additional Notes + + * This action performs an external mutation by creating a new record (event) in + the Arcanna.ai system. + + * Note: The script contains a technical quirk where it attempts to extract the + 'Api Key' from the 'SSL Verification' configuration block for SSL verification + settings. capabilities: can_create_case_comments: false can_create_insight: false @@ -700,9 +922,9 @@ Send Case to Arcanna: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new event record in Arcanna.ai containing the case details and entity - information. - fetches_data: true + Creates a new event record in Arcanna.ai by sending the case data via a POST + request. + fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false @@ -721,66 +943,78 @@ Send Case to Arcanna: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: true + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Send JSON Document to Arcanna: ai_description: >- - ### General Description - - The **Send JSON Document to Arcanna** action enables the ingestion of custom JSON - data into the Arcanna.ai platform. It is designed to send a raw JSON payload to - a specific Arcanna Job ID, allowing for external processing, AI analysis, or decision-making - based on the provided data. This action is highly flexible as it allows users - to define the document structure and optionally specify a unique identifier from - within the JSON content. - + Sends a JSON document to Arcanna.ai for ingestion and analysis. This action allows + users to provide a raw JSON payload, specify a Job ID, and optionally define a + unique identifier from within the JSON structure to be used as the event ID in + Arcanna. This is useful for integrating custom data sources or specific event + logs into the Arcanna AI workflow. - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + ### Flow Description - | **Job ID** | String | Yes | The unique ID of the Arcanna.ai job that will receive - and process the document. | + 1. **JSON Parsing:** The action parses the provided 'JSON Document' string into + a JSON object. - | **Identifier field** | String | No | A dot-notation path (e.g., 'id' or 'metadata.uuid') - used to extract a specific value from the JSON document to serve as the document's - ID in Arcanna. | + 2. **ID Extraction (Optional):** If 'Use document ID as ID in Arcanna' is enabled, + the action uses the 'Identifier field' (supporting dot notation) to extract a + specific value from the JSON to serve as the event's unique ID. - | **Use document ID as ID in Arcanna** | Boolean | Yes | If set to `True`, the - action uses the value found in the 'Identifier field' as the document ID. If `False`, - Arcanna generates a new unique ID. | + 3. **API Interaction:** The action sends a POST request to the Arcanna API's events + endpoint, including the Job ID and the raw JSON body. - | **JSON Document** | Code/String | Yes | The JSON object to be sent to Arcanna.ai. - Note: The root of the document must be a JSON object (dictionary), not a list. - | + 4. **Result Handling:** The response from Arcanna is captured and added to the + action's execution results. - ### Additional Notes + ### Parameters Description - - The action validates that the input is a valid JSON object. If a list is provided - at the root level, the action will fail. + | Parameter | Type | Mandatory | Description | - - If 'Use document ID as ID in Arcanna' is enabled but the 'Identifier field' - is not provided or the path is not found in the JSON, the document will be sent - without a specific ID override. + | :--- | :--- | :--- | :--- | + | Job ID | string | Yes | The specific Arcanna.ai Job ID that will process the + ingested document. | - ### Flow Description + | Identifier field | string | No | The path (e.g., 'id' or 'metadata.uuid') to + the field in the JSON document that should be used as the unique identifier. | - 1. **Parameter Extraction**: The action retrieves the Arcanna API credentials - and the user-provided parameters (Job ID, JSON Document, etc.). + | Use document ID as ID in Arcanna | boolean | Yes | If true, the value found + in the 'Identifier field' is used as the ID in Arcanna. If false, Arcanna generates + a new ID. | - 2. **JSON Parsing**: The 'JSON Document' string is parsed into a Python dictionary. - The action verifies that the root element is a dictionary. + | JSON Document | code | Yes | The actual JSON data to be sent to Arcanna. | - 3. **ID Resolution**: If configured to use an existing ID, the action traverses - the JSON structure using the 'Identifier field' path to extract the ID value. - 4. **Data Ingestion**: The action performs a POST request to the Arcanna.ai API - (`/api/v1/events/`), passing the Job ID and the JSON payload. + ### Additional Notes - 5. **Result Processing**: The response from Arcanna.ai is captured and added to - the action's JSON results for downstream use in the playbook. + * The root of the JSON document must be an object, not a list. capabilities: can_create_case_comments: false can_create_insight: false @@ -789,9 +1023,9 @@ Send JSON Document to Arcanna: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new event or document record in the Arcanna.ai platform via a POST - request. - fetches_data: false + Creates a new event record in the Arcanna.ai platform for the specified Job + ID. + fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false @@ -810,60 +1044,90 @@ Send JSON Document to Arcanna: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Send event to Arcanna: ai_description: >- - Sends case or alert data from Google SecOps to Arcanna.ai for AI-driven analysis - and decision-making. This action acts as a bridge, exporting security event data - to a specific Arcanna AI job to leverage its machine learning capabilities. + ### General Description + The **Send event to Arcanna** action exports security event data from Google SecOps + to the Arcanna.ai platform. This allows for external AI-assisted analysis, triage, + and decision-making. The action can be configured to send either the entire case + context or specific alert details to a designated Arcanna job. - ### Flow Description: - 1. **Configuration Extraction:** Retrieves the Arcanna URL and API Key from the - integration settings, along with action-specific parameters like Job ID and Username. + ### Parameters Description - 2. **Data Retrieval:** Fetches the full case details from Google SecOps. + | Parameter | Type | Mandatory | Description | - 3. **Payload Preparation:** Depending on the 'Send individual alerts from case' - parameter, the action either isolates the current alert or packages the entire - case (including target entities) as the payload. + | :--- | :--- | :--- | :--- | - 4. **Identifier Mapping:** If an 'Event ID mapping field' is provided, the action - uses dot-notation to extract a specific value from the data to serve as the external - reference ID in Arcanna. + | **Job ID** | String | Yes | The specific Job ID in Arcanna.ai that will process + the incoming event. | - 5. **API Interaction:** Performs a POST request to the Arcanna API to submit the - event data to the designated Job ID. + | **Username** | User | Yes | The username of the analyst or system account performing + the action, used for auditing within Arcanna. | - 6. **Result Handling:** Captures the API response and attaches it as a JSON result - to the action output. + | **Event ID mapping field** | String | No | A dot-notation path (e.g., `alert.id` + or `external_id`) used to extract a specific value from the case/alert to serve + as the reference ID in Arcanna. | + | **Send individual alerts from case** | Boolean | No | If set to `true`, the + action only sends the current alert context. If `false` (default), the entire + case object is sent. | - ### Parameters Description: - | Parameter | Type | Mandatory | Description | + ### Flow Description - | :--- | :--- | :--- | :--- | + 1. **Initialization**: Retrieves integration configuration (URL, API Key) and + action parameters (Job ID, Username, Mapping Field). - | Job ID | String | Yes | The unique identifier of the Arcanna.ai job that will - process the sent event. | + 2. **Data Retrieval**: Fetches the full case details from the Google SecOps platform. - | Username | User | Yes | The username registered in Arcanna for audit and tracking - purposes. | + 3. **Payload Construction**: + - If `Send individual alerts from case` is true: Filters the case's alerts + to find the one matching the current alert identifier. + - If false: Prepares the entire case object, including target entities, as + the payload. + 4. **ID Mapping**: If an `Event ID mapping field` is provided, it parses the JSON + structure of the case or alert to find the specified reference ID. - | Event ID mapping field | String | No | A dot-notation path (e.g., `alert.id` - or `case.id`) used to extract a specific field from the payload to be used as - the Event ID in Arcanna. | + 5. **API Interaction**: Sends a POST request to the Arcanna.ai `/api/v1/events/` + endpoint with the constructed payload and Job ID. - | Send individual alerts from case | Boolean | No | If set to `true`, only the - alert currently being processed is sent. If `false` (default), the entire case - data is sent. | + 6. **Completion**: Captures the Arcanna response and attaches it as a JSON result + to the action. - ### Additional Notes: + ### Additional Notes - - This action is primarily used for exporting data to Arcanna.ai for further analysis - rather than retrieving enrichment data for SecOps entities. + - This action does not modify any data within Google SecOps; it is strictly an + outbound data integration. + + - Ensure the `Job ID` exists in your Arcanna.ai instance before running the action. capabilities: can_create_case_comments: false can_create_insight: false @@ -872,8 +1136,8 @@ Send event to Arcanna: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new event or updates an existing one within the Arcanna.ai platform - by sending raw case/alert data via a POST request. + Creates new event records in the Arcanna.ai platform via POST requests for AI + analysis. fetches_data: false internal_data_mutation_explanation: null categories: @@ -893,14 +1157,38 @@ Send event to Arcanna: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Trigger AI Model training: ai_description: >- ### General Description - Triggers the AI model training process for a specific job within the ArcannaAI - platform. This action is typically used after providing feedback or adding new - data to a job to ensure the underlying AI model is updated and refined based on - the latest information. + Triggers the training process for a specific AI model associated with a Job ID + in the Arcanna.ai platform. This action is typically used to initiate model updates + or retraining cycles based on collected feedback or new datasets. ### Parameters Description @@ -909,38 +1197,34 @@ Trigger AI Model training: | :--- | :--- | :--- | :--- | - | Job ID | String | Yes | The unique identifier of the Arcanna job for which the - AI model training should be initiated. The value is internally converted to an - integer. | + | Job ID | string | Yes | The unique identifier for the Arcanna job where the + AI model training will be triggered. | - | Username | User | Yes | The username of the person or system account triggering - the training, used for audit logging within ArcannaAI. | + | Username | user | Yes | The username of the analyst or system account triggering + the training, used for audit logging within Arcanna.ai. | ### Additional Notes - - This action performs a state-changing operation in ArcannaAI by initiating a - background training task. - - - It does not interact with or require any Google SecOps entities to run. + This action does not operate on SecOps entities (IPs, Hosts, etc.). It is a direct + API command to the Arcanna.ai management interface. Ensure the Job ID provided + exists and is accessible by the configured API key. ### Flow Description - 1. **Configuration Extraction**: Retrieves the Arcanna URL, API Key, and SSL verification - settings from the integration configuration. - - 2. **Parameter Retrieval**: Extracts the `Job ID` and `Username` from the action + 1. **Parameter Extraction:** Retrieves the Arcanna URL, API Key, and SSL settings + from the integration configuration, and the Job ID and Username from the action parameters. - 3. **Client Initialization**: Initializes the `ArcannaClient` with the provided - credentials and connection settings. + 2. **Client Initialization:** Establishes a connection to the Arcanna.ai API using + the provided credentials. - 4. **API Request**: Sends a POST request to the ArcannaAI `/train` endpoint for - the specified Job ID. + 3. **Trigger Training:** Executes a POST request to the Arcanna training endpoint + (`/api/v1/jobs/{job_id}/train`) including the username for auditing. - 5. **Result Handling**: Captures the API response, adds it to the action's JSON - results, and reports the execution status (Completed or Failed). + 4. **Result Processing:** Captures the API response, which typically includes + the status of the training request, and attaches it to the action's JSON results. capabilities: can_create_case_comments: false can_create_insight: false @@ -949,9 +1233,9 @@ Trigger AI Model training: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Initiates a model training process on the ArcannaAI server for a specific job - ID. - fetches_data: false + Triggers a model training process on the Arcanna.ai server, which initiates + a computational job and changes the state of the AI model lifecycle. + fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false @@ -970,46 +1254,74 @@ Trigger AI Model training: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Update alert priority: ai_description: >- - ### General Description - Updates the priority level of the current alert within Google SecOps. This action - is typically used to dynamically adjust alert severity based on external analysis - or decision logic (e.g., from an AI model like Arcanna.ai). + allows analysts or automated workflows to dynamically adjust alert severity based + on logic or external decision-making tools (like Arcanna.ai). It validates the + input against a set of allowed priority levels and ensures the platform version + supports the update operation. - ### Parameters Description + ### Flow Description: - | Parameter | Type | Mandatory | Description | + 1. **Parameter Extraction:** Retrieves the 'Priority' value from the action parameters. - | :--- | :--- | :--- | :--- | + 2. **Validation:** Checks if the provided priority is one of the allowed values: + 'Informative', 'Low', 'Medium', 'High', or 'Critical'. - | Priority | string | Yes | The new priority level to assign to the alert. Must - be one of the following: `Informative`, `Low`, `Medium`, `High`, or `Critical`. - | + 3. **Version Check:** Verifies that the Google SecOps (Siemplify) version is 5.6 + or higher, as earlier versions do not support this SDK method. + 4. **Internal API Call:** Constructs a request to the internal SOAR SDK endpoint + (`/external/v1/sdk/UpdateAlertPriority`) containing the Case ID, Alert Identifier, + Alert Name, and the new Priority. - ### Additional Notes + 5. **Execution:** Executes a POST request to update the alert state within the + platform. - - This action requires Google SecOps (Siemplify) version 5.6 or higher to function. - - The action interacts with the internal SOAR API to perform the update. + ### Parameters Description: + | Parameter | Type | Mandatory | Description | - ### Flow Description + | :--- | :--- | :--- | :--- | - 1. **Validation**: The action retrieves the current alert identifier and validates - that the provided `Priority` parameter matches one of the five allowed values. + | Priority | String | Yes | The new priority level to assign to the alert. Must + be one of: 'Informative', 'Low', 'Medium', 'High', 'Critical'. | - 2. **Version Check**: It checks the system version to ensure compatibility (version - 5.6+). - 3. **Internal API Call**: It constructs a request containing the Case ID, Alert - Identifier, Alert Name, and the new Priority. + ### Additional Notes: + + - This action modifies internal platform metadata (Alert Priority) rather than + external system data. - 4. **Execution**: It sends a POST request to the internal Google SecOps endpoint - `/external/v1/sdk/UpdateAlertPriority` to commit the change. + - It requires the action to be running within the context of an active alert. capabilities: can_create_case_comments: false can_create_insight: false @@ -1020,8 +1332,8 @@ Update alert priority: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Updates the priority level of the current alert within the Google SecOps platform - via an internal API call. + Updates the priority field of the current alert within the Google SecOps platform + via an internal SDK API call. categories: enrichment: false entity_usage: @@ -1039,3 +1351,28 @@ Update alert priority: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: true + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/community/arcanna_ai/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/arcanna_ai/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..2e831240c --- /dev/null +++ b/content/response_integrations/third_party/community/arcanna_ai/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + siem: false + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/asana/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/asana/resources/ai/actions_ai_description.yaml index fea6bec9e..ee04c9a9d 100644 --- a/content/response_integrations/third_party/community/asana/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/asana/resources/ai/actions_ai_description.yaml @@ -1,42 +1,46 @@ Add User To Workspace: ai_description: >- - ### General Description - This action adds a user to a specific Asana workspace using their email address. - It is used to manage workspace membership programmatically within the Asana platform. + It first resolves the workspace name to a workspace ID and then performs a POST + request to the Asana API to associate the user with that workspace. - ### Parameters Description + ### Flow Description: - | Parameter Name | Type | Mandatory | Description | + 1. **Parameter Extraction:** The action retrieves the 'Workspace Name' and 'User's + Email' from the action parameters. - | :--- | :--- | :--- | :--- | + 2. **Workspace ID Retrieval:** It calls the Asana API to list all workspaces and + searches for the one matching the provided name to obtain its unique identifier + (GID). - | Workspace Name | string | Yes | The name of the Asana workspace to which you - want to add the user. Note: This field is case-sensitive. | + 3. **User Addition:** It sends a POST request to the Asana endpoint `/workspaces/{workspace_id}/addUser`, + passing the user's email in the request body. - | User's Email | string | Yes | The email address of the user you want to add - to the workspace. | + 4. **Result Processing:** The action captures the API response, adds it as a JSON + result to the SOAR case, and provides a success or failure message based on the + response data. - ### Flow Description + ### Parameters Description: - 1. **Configuration Extraction**: The action retrieves the Asana API token and - base URL from the integration configuration. + | Parameter Name | Description | Type | Mandatory | Default Value | - 2. **Parameter Extraction**: The action extracts the target workspace name and - the user's email from the action parameters. + | :--- | :--- | :--- | :--- | :--- | - 3. **Workspace Identification**: It calls the Asana API to list all workspaces - and finds the unique identifier (GID) for the workspace matching the provided - name. + | Workspace Name | The name of the Asana workspace to which the user will be added. + Note: This is case-sensitive. | String | Yes | Your Workspace Name | - 4. **User Addition**: It sends a POST request to the Asana API endpoint `/workspaces/{workspace_id}/addUser` - with the user's email. + | User's Email | The email address of the user to be added to the workspace. | + String | Yes | email@gmail.com | - 5. **Result Processing**: The action captures the API response, adds it as a JSON - result to the SOAR case, and provides a success or failure message based on the - outcome. + + ### Additional Notes: + + - This action does not process entities from the SOAR case; it relies entirely + on the provided input parameters. + + - The workspace name must match exactly (including case) as it appears in Asana. capabilities: can_create_case_comments: false can_create_insight: false @@ -45,8 +49,8 @@ Add User To Workspace: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - This action adds a user to an Asana workspace, which changes the membership - state of that workspace in the external Asana system. + Adds a user to an Asana workspace, which modifies the membership state of that + workspace in the external Asana system. fetches_data: true internal_data_mutation_explanation: null categories: @@ -66,64 +70,79 @@ Add User To Workspace: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: true + update_ticket: false Create Task: ai_description: >- - ### General Description - - Creates a new task within a specific project in Asana. This action allows users - to automate task management and tracking directly from Google SecOps by generating - tasks with specific subjects, descriptions, assignees, and due dates. + Creates a new task within a specified Asana project. This action allows users + to programmatically generate tasks, assign them to specific users, and set due + dates and descriptions directly from Google SecOps. - ### Parameters Description + ### Flow Description: - | Parameter | Type | Mandatory | Description | + 1. **Project Identification:** The action retrieves the unique identifier (GID) + for the project using the provided 'Project Name'. - | :--- | :--- | :--- | :--- | + 2. **User Identification (Optional):** If an 'Assignee' is specified, the action + fetches the corresponding user's GID based on their email or identifier. - | Task Subject | String | Yes | The title or subject line of the new task to be - created. | + 3. **Task Creation:** A POST request is sent to Asana to create the task with + the provided subject, description, assignee, and due date. - | Assignee | String | No | The user to whom the task will be assigned. Note: This - is case-sensitive and typically expects the user's email or unique identifier. - | + 4. **Result Handling:** Upon success, the action provides a direct permalink to + the new Asana task and attaches the full JSON response. - | Due Date | String | No | The deadline for the task, which must be provided in - the format YYYY-MM-DD. | - | Description | String | Yes | The detailed content or notes for the new task. - | - - | Project Name | String | Yes | The name of the Asana project where the task will - be assigned. Note: This is case-sensitive. | + ### Parameters Description: + | Parameter | Type | Mandatory | Description | - ### Additional Notes + | :--- | :--- | :--- | :--- | - - Either the project name must exist exactly as provided (case-sensitive) for - the action to successfully retrieve the project ID. + | Task Subject | string | true | The title/subject of the new Asana task. | - - If the Assignee parameter is provided, the action will attempt to resolve the - user's email to a unique Asana GID. + | Assignee | string | false | The email or identifier of the user to assign the + task to (case-sensitive). | + | Due Date | string | false | The deadline for the task in YYYY-MM-DD format. + | - ### Flow Description + | Description | string | true | Detailed notes or description for the task. | - 1. **Configuration Retrieval**: The action extracts the Asana API Token and Base - URL from the integration configuration. + | Project Name | string | true | The exact name of the Asana project where the + task will be created. | - 2. **Project ID Resolution**: It queries the Asana API to find the unique project - ID corresponding to the provided `Project Name`. - 3. **User ID Resolution (Optional)**: If an `Assignee` is specified, the action - fetches the unique user ID for that individual. + ### Additional Notes: - 4. **Task Creation**: The action sends a POST request to the Asana `/tasks` endpoint, - including the subject, description, project ID, and optional assignee/due date. + - The 'Project Name' and 'Assignee' fields are case-sensitive. - 5. **Output Generation**: Upon successful creation, the action adds a direct link - to the new task in the SOAR interface and provides the full JSON response for - downstream use. + - If the project name is not found, the action will fail to retrieve a project + ID and the task creation will not proceed. capabilities: can_create_case_comments: false can_create_insight: false @@ -132,7 +151,7 @@ Create Task: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new task record in the specified Asana project via a POST request. + Creates a new task in the Asana platform via a POST request to the /tasks endpoint. fetches_data: true internal_data_mutation_explanation: null categories: @@ -152,50 +171,54 @@ Create Task: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: true + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Task: - ai_description: >- - ### General Description - - The **Get Task** action retrieves comprehensive details for a specific task in - Asana using its unique Task ID. This action allows analysts to pull context about - work items directly into Google SecOps for investigation or tracking purposes. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **Task ID** | String | Yes | The unique identifier for the Asana task, typically - found in the task's URL (e.g., `https://app.asana.com/0/project_id/task_id`). - | - - - ### Additional Notes - - - This action does not process or filter SecOps entities; it is a standalone data - retrieval task based on the provided ID. - - - The action provides a direct link to the Asana task in the SecOps interface - for quick access. - - - ### Flow Description - - 1. **Configuration Extraction**: Retrieves the API Token and Base URL from the - Asana integration configuration. - - 2. **Parameter Retrieval**: Extracts the `Task ID` from the action parameters. - - 3. **API Interaction**: Initializes the Asana Manager and performs a GET request - to the `/tasks/{task_id}` endpoint. - - 4. **Result Processing**: If the task is found, it extracts the task name, due - date, and permalink. - - 5. **Output**: Adds a link to the task and the full JSON response to the action - results, then terminates with a success message. + ai_description: "### General Description\nThe **Get Task** action retrieves detailed\ + \ information for a specific task in Asana using its unique Task ID. This action\ + \ allows analysts to pull external project management context into the Google\ + \ SecOps platform, facilitating better visibility into task statuses, due dates,\ + \ and descriptions associated with security incidents.\n\n### Parameters Description\n\ + | Parameter | Description | Type | Mandatory |\n| :--- | :--- | :--- | :--- |\n\ + | **Task ID** | The unique identifier of the Asana task. This ID can be found\ + \ in the task's URL (e.g., `https://app.asana.com/0/{project_id}/{task_id}`).\ + \ | String | Yes |\n\n### Flow Description\n1. **Configuration Extraction:** The\ + \ action retrieves the Asana API Token and Base URL from the integration's configuration\ + \ settings.\n2. **Parameter Retrieval:** The mandatory `Task ID` is extracted\ + \ from the action's input parameters.\n3. **API Interaction:** The action initializes\ + \ the `AsanaManager` and executes a GET request to the Asana API to fetch the\ + \ specific task's metadata.\n4. **Result Processing:** \n * If the task is\ + \ found, the action generates a clickable link in the SOAR UI containing the task\ + \ name and its due date.\n * The complete task details are attached to the\ + \ action results as a JSON object.\n5. **Completion:** The action concludes with\ + \ a success message if the task data was successfully retrieved, or a failure\ + \ message if the task was not found.\n\n### Additional Notes\nThis action is a\ + \ retrieval-only utility and does not interact with or process SecOps entities\ + \ (such as IPs, Hostnames, or Users) from the case context. It relies entirely\ + \ on the provided `Task ID` parameter." capabilities: can_create_case_comments: false can_create_insight: false @@ -207,7 +230,7 @@ Get Task: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: true + enrichment: false entity_usage: entity_types: [] filters_by_additional_properties: false @@ -223,14 +246,39 @@ Get Task: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false List My Tasks: ai_description: >- ### General Description - The **List My Tasks** action retrieves a list of tasks associated with a specific - user within a designated Asana workspace. It allows analysts to view task details, - including names, due dates, and direct links to the tasks in Asana. This action - is useful for tracking user activity or verifying task statuses during an investigation. + Lists all tasks associated with a specific user within a designated Asana workspace. + This action allows analysts to retrieve task details, including names, due dates, + and permalinks, filtered by their completion status. It is primarily used for + visibility into user workloads or tracking project-related tasks during an investigation. ### Parameters Description @@ -239,47 +287,47 @@ List My Tasks: | :--- | :--- | :--- | :--- | - | **User's Email** | String | Yes | The email address of the Asana user whose - tasks you want to retrieve. | + | User's Email | String | Yes | The email address of the Asana user whose tasks + you want to retrieve. | - | **Workspace Name** | String | Yes | The exact name of the Asana workspace. Note: - This is case-sensitive. | + | Workspace Name | String | Yes | The case-sensitive name of the Asana workspace + to search within. | - | **Completed Status** | Boolean | No | If checked (True), the action retrieves - only tasks that have been marked as completed. If unchecked (False), it retrieves - only incomplete tasks. | + | Completed Status | Boolean | No | If set to `true`, the action retrieves only + tasks marked as completed. If `false` (default), it retrieves only incomplete + tasks. | - ### Flow Description + ### Additional Notes - 1. **Authentication**: The action initializes the Asana manager using the configured - Personal Access Token and Base URL. + This action does not run on entities; it relies entirely on the provided input + parameters to query the Asana API. It performs multiple sequential API calls to + resolve human-readable names (Email, Workspace Name) into Asana Global Identifiers + (GIDs) before fetching task data. - 2. **User Identification**: It retrieves the unique Asana User ID (GID) associated - with the provided email address. - 3. **Workspace Identification**: It retrieves the unique Workspace ID (GID) by - matching the provided workspace name. + ### Flow Description - 4. **Task List Retrieval**: It fetches the specific 'User Task List' ID for the - identified user within the specified workspace. + 1. **Authentication**: Initializes the Asana manager using the configured Personal + Access Token and Base URL. - 5. **Task Enumeration**: It retrieves the list of tasks contained within that - user's task list. + 2. **User Resolution**: Calls the Asana API to retrieve the unique `GID` for the + user based on the provided `User's Email`. - 6. **Detail Fetching & Filtering**: For each task in the list, the action fetches - full task details and filters them based on the **Completed Status** parameter. + 3. **Workspace Resolution**: Retrieves all workspaces for the authenticated user + and matches the `Workspace Name` to find the corresponding `Workspace GID`. - 7. **Output**: Filtered tasks are added to the JSON result, and direct URLs to - the tasks are added as links in the action output. + 4. **Task List Retrieval**: Fetches the specific `User Task List ID` associated + with the identified User and Workspace. + 5. **Task Fetching**: Retrieves the list of tasks from the user's task list. - ### Additional Notes + 6. **Detail Enrichment & Filtering**: For each task found, the action fetches + full task details to check the `completed` attribute against the `Completed Status` + parameter. - - This action does not iterate over entities in the case; it relies entirely on - the provided input parameters. - - - The `Workspace Name` must be an exact match to the name in Asana. + 7. **Output Generation**: Adds the filtered task details to the JSON result and + generates clickable permalinks for each task in the Google SecOps UI. capabilities: can_create_case_comments: false can_create_insight: false @@ -307,63 +355,84 @@ List My Tasks: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false List Project Tasks: ai_description: >- - ### General Description - - The **List Project Tasks** action retrieves all tasks associated with a specific - project in Asana. It is designed to provide visibility into project progress by - fetching task details and filtering them based on their completion status. The - action outputs a detailed JSON result for each task and provides direct links - to the tasks in the Asana web interface for quick access. + Lists all tasks associated with a specific project in Asana. This action allows + users to retrieve task details, including names and due dates, and provides direct + links to the tasks within the Asana platform. It supports filtering tasks based + on their completion status. ### Parameters Description + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Project Name** | String | Yes | The name of the Asana project from which you - want to fetch tasks. The action resolves this name to a project ID internally. - | + | Project Name | String | Yes | The name of the project from which you would like + to fetch all the tasks. | - | **Completed Status** | Boolean | No | Determines which tasks to retrieve. If - set to `true`, only completed tasks are returned. If set to `false` (default), - only incomplete tasks are returned. | + | Completed Status | Boolean | No | If set to true, the action retrieves only + tasks that are marked as completed. If false, it retrieves only incomplete tasks. + | ### Flow Description - 1. **Initialization**: The action extracts the Asana API token and base URL from - the integration configuration and the project name and completion status from - the action parameters. - 2. **Project Identification**: It calls the Asana API to find the unique project - ID associated with the provided **Project Name**. + 1. **Authentication**: The action retrieves the API token and base URL from the + integration configuration. - 3. **Task Listing**: It retrieves a list of all task identifiers associated with - that project ID. + 2. **Project Identification**: It calls the Asana API to find the unique ID associated + with the provided 'Project Name'. - 4. **Detail Retrieval & Filtering**: For each task identifier, the action fetches - full task details (including completion status, name, due date, and permalink). - It then filters these tasks to match the user-specified **Completed Status**. + 3. **Task Retrieval**: It fetches a list of all tasks belonging to the identified + project. - 5. **Result Compilation**: Matching tasks are added to the final JSON result. - For each matching task, a direct link containing the task name and due date is - added to the SOAR interface. + 4. **Detail Enrichment**: For each task found, the action performs a follow-up + request to get full task details (e.g., completion status, due date, permalink). - 6. **Completion**: The action ends by providing a summary message and the collected - task data. + 5. **Filtering**: The action filters the detailed task list based on the 'Completed + Status' parameter. + + 6. **Output Generation**: It populates the action results with a JSON object + containing task details and adds clickable links for each task to the SOAR interface. ### Additional Notes - - This action does not process SOAR entities (such as IP addresses or Hostnames); - it operates strictly based on the provided project name string. - - If the specified project name cannot be found or contains no tasks matching - the filter, the action will return a failure status. + * This action does not run on entities; it operates based on the provided project + name parameter. + + * The 'Completed Status' parameter is a boolean toggle; ensure it is set correctly + to see the desired subset of tasks. capabilities: can_create_case_comments: false can_create_insight: false @@ -391,49 +460,60 @@ List Project Tasks: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: ai_description: >- ### General Description - The **Ping** action is a utility designed to verify the connectivity between Google - SecOps and the Asana service. It ensures that the integration is correctly configured - with a valid Personal Access Token (PAT) and that the specified Base URL is reachable. - This action is typically used during the initial setup or for troubleshooting - communication issues. - - - ### Parameters Description - - There are no action-specific parameters for this action. It utilizes the global - integration configuration parameters: - - * **Token**: The Personal Access Token used for authentication. - - * **Base URL**: The API endpoint URL for Asana. - - - ### Additional Notes - - As per standard SOAR practices, Ping actions are used solely for health checks - and do not process entities or modify data within the case or the external system. + The **Ping** action is a diagnostic tool used to verify the connectivity between + Google SecOps and the Asana instance. It ensures that the provided API Token and + Base URL are correct and that the service is reachable. ### Flow Description - 1. **Configuration Extraction**: The action retrieves the 'Token' and 'Base URL' - from the Asana integration settings. + 1. **Configuration Retrieval**: The action extracts the 'Token' and 'Base URL' + from the integration's configuration settings. - 2. **Manager Initialization**: An instance of the `AsanaManager` is created using - the retrieved credentials. + 2. **Manager Initialization**: It initializes the `AsanaManager` with the retrieved + credentials. 3. **Connectivity Test**: The action calls the `test_connectivity` method, which performs a GET request to the Asana `/users/me` endpoint. - 4. **Response Validation**: The code checks if the API call was successful and - returned a valid JSON response. + 4. **Result Handling**: If the API returns a successful response, the action concludes + with a success message. If the request fails or returns an error, it reports a + connection failure. + - 5. **Result Reporting**: If the connection is successful, it returns a positive - status and a success message; otherwise, it reports a failure. + ### Parameters Description + + There are no action-specific parameters for this action. It relies entirely on + the integration's global configuration (Token and Base URL). capabilities: can_create_case_comments: false can_create_insight: false @@ -461,50 +541,77 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Remove User From Workspace: ai_description: >- - ### General Description - Removes a specific user from an Asana workspace using their email address. This - action is useful for offboarding users or managing workspace access programmatically - through Google SecOps. + action first resolves the workspace name to a unique workspace ID and then performs + a removal operation via the Asana API. - ### Parameters Description + ### Flow Description: - | Parameter | Description | Type | Mandatory | + 1. **Configuration Retrieval**: Extracts the Asana API token and base URL from + the integration settings. - | :--- | :--- | :--- | :--- | + 2. **Parameter Extraction**: Retrieves the target workspace name and the email + address of the user to be removed from the action parameters. - | Workspace Name | The name of the Asana workspace from which the user should - be removed. Note: This value is case-sensitive. | String | Yes | + 3. **Workspace Resolution**: Calls the Asana API to list all workspaces and identifies + the specific `workspace_id` matching the provided name (case-sensitive). - | User's Email | The email address of the user to be removed from the workspace. - | String | Yes | + 4. **User Removal**: Sends a POST request to the Asana `/workspaces/{workspace_id}/removeUser` + endpoint with the user's email. + 5. **Result Handling**: Validates the API response to confirm if the user was + successfully removed and provides a status message to the Google SecOps case. - ### Flow Description - 1. **Configuration Extraction**: Retrieves the Asana API Token and Base URL from - the integration settings. + ### Parameters Description: - 2. **Parameter Retrieval**: Extracts the target Workspace Name and the User's - Email from the action inputs. - 3. **Workspace Identification**: Calls the Asana API to list workspaces and identifies - the unique Workspace ID corresponding to the provided name. + | Parameter Name | Type | Mandatory | Description | - 4. **User Removal**: Sends a POST request to the Asana `/removeUser` endpoint - for the identified workspace, passing the user's email in the request body. + | :--- | :--- | :--- | :--- | - 5. **Result Handling**: Validates the API response. If the user is successfully - removed, it returns a success message; otherwise, it reports a failure. + | Workspace Name | String | Yes | The exact name of the Asana workspace from which + the user should be removed. Note: This is case-sensitive. | + | User's Email | String | Yes | The email address of the Asana user to be removed + from the workspace. | - ### Additional Notes - This action does not run on entities; it relies entirely on the provided string - parameters for the workspace name and user email. + ### Additional Notes: + + - This action does not run on entities; it uses the provided email address parameter + directly. + + - If the workspace name is not found or the API call fails, the action will return + a failure status. capabilities: can_create_case_comments: false can_create_insight: false @@ -513,8 +620,8 @@ Remove User From Workspace: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Removes a user's access and membership from a specific Asana workspace by sending - a POST request to the Asana API. + Removes a user's access and membership from a specific Asana workspace by making + a POST request to the /removeUser endpoint. fetches_data: true internal_data_mutation_explanation: null categories: @@ -534,61 +641,83 @@ Remove User From Workspace: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: true + update_ticket: false Update Task: ai_description: >- - ### General Description + Updates an existing task in Asana with new details such as the assignee, due date, + and description. The action first resolves the provided assignee email to a unique + Asana user ID and then submits a PUT request to the Asana API to modify the specified + task. - Updates an existing task in Asana by modifying its assignee, due date, or description. - This action is useful for programmatically managing task lifecycles and ensuring - task metadata is kept up-to-date based on security orchestration workflows. + ### Flow Description: - ### Parameters Description + 1. **Credential Retrieval:** Extracts the Asana API Token and Base URL from the + integration configuration. - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | + 2. **Parameter Extraction:** Retrieves the Task ID, Assignee email, Due Date, + and Description from the action parameters. - | **Task ID** | String | Yes | The unique identifier of the Asana task to be updated. - This can be found in the task's URL. | + 3. **User Resolution:** Calls the Asana API to convert the provided assignee email + into a GID (Global Identifier). - | **Due Date** | String | No | The new due date for the task in `YYYY-MM-DD` format. - | + 4. **Task Update:** Executes a PUT request to the Asana `/tasks/{task_id}` endpoint + with the updated fields. - | **Description** | String | No | The new description or notes for the task. | + 5. **Result Processing:** Returns the updated task metadata as a JSON result and + provides a success message. - | **Assignee** | String | No | The email address of the user to whom the task - should be reassigned. Note that this is case-sensitive and will be resolved to - a user ID internally. | + ### Parameters Description: - ### Additional Notes + | Parameter | Type | Mandatory | Description | - - The **Assignee** parameter requires a valid email address that exists within - the Asana workspace. The action will attempt to resolve this email to a GID (Global - ID) before updating the task. + | :--- | :--- | :--- | :--- | - - If optional parameters like **Due Date**, **Description**, or **Assignee** are - left blank, the action will still proceed, but those specific fields may be overwritten - with null or empty values depending on the API's behavior. + | Task ID | string | True | The unique identifier of the task, found in the Asana + URL. | + | Due Date | string | False | The new deadline for the task in YYYY-MM-DD format. + | - ### Flow Description + | Description | string | False | The updated notes or description for the task. + | - 1. **Configuration Extraction**: Retrieves the Asana API Token and Base URL from - the integration settings. + | Assignee | string | False | The email address of the user to whom the task should + be re-assigned. Note: This is case-sensitive. | - 2. **Parameter Retrieval**: Extracts the Task ID and the optional update fields - (Assignee, Due Date, Description) from the action input. - 3. **User Resolution**: If an Assignee email is provided, the action calls the - Asana API to retrieve the corresponding User GID. + ### Additional Notes: - 4. **Task Update**: Executes a PUT request to the Asana API endpoint for the specific - Task ID, updating the assignee, due date, and notes. + - If the Assignee parameter is provided, the action will attempt to resolve the + email to a user ID. If the email is not found, the action may fail depending on + the API response. - 5. **Result Processing**: Captures the API response, adds the updated task data - as a JSON result to the action, and returns a success message. + - This action modifies data in an external system (Asana). capabilities: can_create_case_comments: false can_create_insight: false @@ -597,8 +726,8 @@ Update Task: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the properties (assignee, due date, and description) of an existing - task in the Asana platform via a PUT request. + Updates task attributes including assignee, due date, and description in the + Asana project management platform via a PUT request. fetches_data: true internal_data_mutation_explanation: null categories: @@ -618,3 +747,28 @@ Update Task: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: true diff --git a/content/response_integrations/third_party/community/asana/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/asana/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..6896a3667 --- /dev/null +++ b/content/response_integrations/third_party/community/asana/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: true + edr: false + email_security: false + iam_and_identity_management: false + itsm: true + network_security: false + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/aws_ec2/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/aws_ec2/resources/ai/actions_ai_description.yaml index 7159b452f..ce26c1254 100644 --- a/content/response_integrations/third_party/community/aws_ec2/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/aws_ec2/resources/ai/actions_ai_description.yaml @@ -1,25 +1,50 @@ Authorize Security Group Egress: - ai_description: "### General Description\nThis action adds or updates outbound (egress)\ - \ IP permissions for a specific AWS EC2 Security Group within a VPC. It allows\ - \ administrators to programmatically define network traffic rules, such as allowed\ - \ protocols, port ranges, and destination IP ranges (CIDR), directly from Google\ - \ SecOps.\n\n### Parameters Description\n| Parameter | Description | Type | Mandatory\ - \ |\n| :--- | :--- | :--- | :--- |\n| Group ID | The unique identifier of the\ - \ security group (e.g., sg-1a2b3c4d) where the outbound rules will be applied.\ - \ | String | Yes |\n| IP Permissions | A JSON-formatted string defining the egress\ - \ rules. This includes fields like `FromPort`, `ToPort`, `IpProtocol`, and `IpRanges`\ - \ (containing `CidrIp`). | Code | Yes |\n\n### Additional Notes\n- The `IP Permissions`\ - \ parameter must be a valid JSON array or object as expected by the Boto3 EC2\ - \ client. \n- This action performs a state-changing operation in the AWS environment.\n\ - \n### Flow Description\n1. **Credential Retrieval**: Extracts AWS Access Key,\ - \ Secret Key, and Default Region from the integration configuration.\n2. **Parameter\ - \ Extraction**: Retrieves the target Security Group ID and the JSON-formatted\ - \ IP permissions from the action input.\n3. **JSON Parsing**: Converts the `IP\ - \ Permissions` string into a structured Python dictionary/list.\n4. **AWS API\ - \ Interaction**: Uses the `EC2Manager` to call the AWS `authorize_security_group_egress`\ - \ API with the provided parameters.\n5. **Result Processing**: Captures the API\ - \ response, logs the outcome, and attaches the raw JSON result to the action output\ - \ for use in subsequent playbook steps." + ai_description: >- + Adds or updates outbound (egress) IP permissions for a specific AWS VPC Security + Group. This action allows administrators to programmatically define network traffic + rules that permit traffic leaving a security group based on protocol, port range, + and destination IP ranges (CIDR blocks). + + + ### Flow Description: + + 1. **Credential Extraction:** Retrieves AWS Access Key, Secret Key, and Default + Region from the integration configuration. + + 2. **Parameter Parsing:** Extracts the target Security Group ID and the IP permissions + defined in a JSON format. + + 3. **Data Transformation:** Converts the IP permissions JSON string into a Python + list of dictionaries required by the AWS SDK. + + 4. **AWS API Interaction:** Calls the `authorize_security_group_egress` method + via the Boto3 EC2 client to apply the rules to the specified security group. + + 5. **Result Handling:** Logs the outcome and attaches the raw AWS response to + the action results in Google SecOps. + + + ### Parameters Description: + + | Parameter Name | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Group ID | string | Yes | The unique identifier (e.g., sg-1a2b3c4d) of the security + group where outbound rules will be added. | + + | IP Permissions | code | Yes | A JSON-formatted string defining the egress rules. + It must include `IpProtocol`, and optionally `FromPort`, `ToPort`, and `IpRanges` + (with `CidrIp`). | + + + ### Additional Notes: + + - This action specifically targets **egress** (outbound) rules. For inbound rules, + use the 'Authorize Security Group Ingress' action. + + - The `IP Permissions` parameter must be a valid JSON array or object representing + the rule structure expected by the AWS EC2 API. capabilities: can_create_case_comments: false can_create_insight: false @@ -28,8 +53,8 @@ Authorize Security Group Egress: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - This action modifies the configuration of an AWS EC2 Security Group by adding - or updating egress (outbound) firewall rules. + This action modifies the configuration of an AWS Security Group by adding or + updating outbound (egress) firewall rules. fetches_data: false internal_data_mutation_explanation: null categories: @@ -49,56 +74,75 @@ Authorize Security Group Egress: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Authorize Security Group Ingress: ai_description: >- - ### General Description - - The **Authorize Security Group Ingress** action adds or updates inbound (ingress) - IP permissions for a specific AWS Security Group within a VPC. This action is - used to programmatically modify network access rules, allowing traffic from specified - IP ranges, protocols, and ports to reach AWS resources associated with the security - group. + Adds or updates inbound (ingress) IP permissions for a specific AWS EC2 security + group within a VPC. This action allows administrators to programmatically define + firewall rules, specifying protocols, port ranges, and source IP ranges (CIDR). + It interacts directly with the AWS EC2 service to apply these changes. - ### Parameters Description - - | Parameter | Type | Mandatory | Description | + ### Flow Description: - | :--- | :--- | :--- | :--- | + 1. **Credential Retrieval:** Extracts AWS Access Key, Secret Key, and Default + Region from the integration configuration. - | **Group ID** | String | No | The unique identifier of the AWS Security Group - (e.g., `sg-1a2b3c4d`) to which the inbound rules will be added. | + 2. **Parameter Extraction:** Retrieves the target Security Group ID and the IP + permissions defined in JSON format from the action parameters. - | **IP Permissions** | Code (JSON) | No | A JSON-formatted string defining the - ingress rule. It typically includes `IpProtocol` (e.g., 'tcp'), `FromPort`, `ToPort`, - and `IpRanges` (containing `CidrIp`). | + 3. **Data Parsing:** Converts the IP permissions JSON string into a structured + dictionary for the AWS SDK. + 4. **AWS API Call:** Executes the `authorize_security_group_ingress` command via + the Boto3 library to update the security group rules. - ### Flow Description + 5. **Result Processing:** Captures the AWS response, logs the outcome, and returns + the result JSON to the Google SecOps platform. - 1. **Credential Retrieval:** The action extracts AWS Access Key ID, Secret Access - Key, and Default Region from the integration configuration. - 2. **Parameter Extraction:** It retrieves the target `Group ID` and the `IP Permissions` - JSON string from the action parameters. + ### Parameters Description: - 3. **Data Parsing:** The `IP Permissions` string is parsed from JSON into a dictionary - format required by the AWS SDK. + | Parameter | Type | Mandatory | Description | - 4. **AWS API Call:** The action utilizes the `EC2Manager` to invoke the `authorize_security_group_ingress` - method, which communicates with the AWS EC2 service to apply the new rules. + | :--- | :--- | :--- | :--- | - 5. **Result Processing:** The response from AWS is captured and attached as a - JSON result. The action concludes with a success message if the rules were applied - successfully, or an error message if the operation failed. + | Group ID | String | No | The unique identifier of the security group (e.g., + sg-1a2b3c4d) to which the rules will be added. | + | IP Permissions | Code | No | A JSON-formatted string defining the ingress rules, + including `IpProtocol`, `FromPort`, `ToPort`, and `IpRanges`. | - ### Additional Notes - - This action performs a state-changing operation in the external AWS environment. + ### Additional Notes: - - Although parameters are marked as non-mandatory in the configuration, the action - logic expects valid values to successfully execute the AWS API call. + * This action performs a state change in the AWS environment by modifying network + security policies. While parameters are marked as not mandatory in the configuration, + they are logically required for the action to perform a meaningful update. capabilities: can_create_case_comments: false can_create_insight: false @@ -107,9 +151,9 @@ Authorize Security Group Ingress: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Adds or updates inbound (ingress) firewall rules in an AWS Security Group, modifying - the network access control list for associated VPC resources. - fetches_data: false + Adds or updates inbound IP permissions (ingress rules) for a specific AWS EC2 + security group, changing the network access control state in the AWS environment. + fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false @@ -128,57 +172,86 @@ Authorize Security Group Ingress: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: true + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Create Instance: ai_description: >- - ### General Description + Creates new Amazon EC2 instances based on a specified Amazon Machine Image (AMI). + This action allows for the automated provisioning of virtual servers in the AWS + environment, supporting configurations for instance types, counts, and security + group assignments. It operates asynchronously, meaning it will poll the AWS API + until the requested instances transition from a 'pending' state to a 'running' + state before completing. - Creates one or more Amazon EC2 instances based on a specified Amazon Machine Image - (AMI). This action is designed to be asynchronous, polling the AWS environment - until the instances transition from a 'pending' state to a 'running' state. + ### Flow Description: - ### Parameters Description + 1. **Initialization:** The action retrieves AWS connection details (Access Key, + Secret Key, Region) from the integration configuration and instance specifications + (AMI ID, Type, Counts, Security Groups) from the action parameters. - | Parameter | Type | Mandatory | Description | + 2. **Instance Creation (First Run):** It calls the AWS EC2 service to run new + instances. If the instances are immediately 'running', it collects their details. + If they are 'pending', it stores their IDs and enters an 'In Progress' state. - | :--- | :--- | :--- | :--- | + 3. **Status Polling (Subsequent Runs):** In follow-up executions, the action checks + the current state of the pending instances using the 'describe_instances' method. - | Image ID | String | No | The AMI ID used to create the instance (e.g., `ami-12345`). - | + 4. **Completion:** Once all requested instances have reached the 'running' state, + the action returns the full JSON metadata for the created resources and marks + the execution as completed. - | Instance Type | String | No | The hardware configuration for the instance (e.g., - `m1.small`). Defaults to `m1.small` if not provided. | - | Max Count | String | Yes | The maximum number of instances to launch. | + ### Parameters Description: - | Min Count | String | Yes | The minimum number of instances to launch. | + | Parameter Name | Type | Mandatory | Description | - | Security Group ID | String | No | Comma-separated list of Security Group IDs - to associate with the instances. | + | :--- | :--- | :--- | :--- | + | Image ID | string | No | The AMI ID used to create the new instance (e.g., ami-12345). + Defaults to a placeholder if not provided. | - ### Flow Description + | Instance Type | string | No | The hardware specification for the instance (e.g., + m1.small). Defaults to m1.small if not provided. | - 1. **Initialization**: The action extracts AWS credentials and region from the - integration configuration and parameters from the action settings. + | Max Count | string | Yes | The maximum number of instances to create. | - 2. **Instance Creation (First Run)**: It calls the AWS EC2 `run_instances` API - to initiate the creation of the specified number of instances. + | Min Count | string | Yes | The minimum number of instances to create. | - 3. **State Check**: If the created instances are in a `pending` state, the action - saves the instance IDs and sets the execution status to `IN_PROGRESS`. + | Security Group ID | string | No | A comma-separated list of Security Group IDs + to assign to the instances (e.g., sg-12345, sg-6789). | - 4. **Polling (Subsequent Runs)**: The action periodically checks the status of - the pending instances using the `describe_instances` API. - 5. **Completion**: Once all instances reach the `running` state, the action completes - and returns the full JSON details of the created instances. + ### Additional Notes: + - This action does not process SecOps entities; it relies entirely on user-provided + parameters. - ### Additional Notes - - This action requires the AWS EC2 integration to be configured with valid Access - Key ID, Secret Access Key, and Default Region. + - The action will remain in an 'In Progress' state until AWS reports that all + instances are fully running. capabilities: can_create_case_comments: false can_create_insight: false @@ -187,8 +260,7 @@ Create Instance: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates new EC2 instances in the AWS environment based on the provided AMI and - configuration. + Creates new EC2 instances and associated resources within the AWS environment. fetches_data: true internal_data_mutation_explanation: null categories: @@ -208,57 +280,77 @@ Create Instance: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Create Tags: ai_description: >- - ### General Description - - This action creates or overwrites tags for specified AWS EC2 resources, such as - instances, volumes, or security groups. It allows users to programmatically manage - metadata for their AWS infrastructure directly from Google SecOps by providing - a list of resource IDs and a JSON-formatted set of tags. + Creates or overwrites tags for specified AWS EC2 resources, such as instances, + volumes, or security groups. This action allows for the organization and categorization + of AWS assets directly from Google SecOps by applying key-value pairs to the target + resource identifiers. - ### Parameters Description - - | Parameter | Description | Type | Mandatory | + ### Flow Description: - | :--- | :--- | :--- | :--- | + 1. **Configuration Extraction:** Retrieves AWS credentials (Access Key ID, Secret + Access Key) and the default region from the integration settings. - | Resources ID | A comma-separated list of AWS resource IDs (e.g., i-1234567890abcdef0) - that you want to tag. | String | Yes | + 2. **Parameter Parsing:** Extracts the list of Resource IDs (comma-separated) + and the JSON-formatted tags from the action parameters. - | Tags | A JSON-formatted string defining the tags to be applied. It must follow - the structure: `{"tags": [{"Key": "key1", "Value": "value1"}]}`. | Code | Yes - | + 3. **Tag Preparation:** Converts the provided tags JSON into a list of tag objects + compatible with the AWS SDK. + 4. **Execution:** Iterates through each provided Resource ID and calls the AWS + EC2 `create_tags` API to apply the specified tags. - ### Additional Notes + 5. **Result Reporting:** Tracks which resources were successfully tagged and which + failed, providing a detailed JSON result and an output message for the analyst. - - This action is case-sensitive regarding tag keys and values. - - If a tag key already exists on a resource, its value will be overwritten by - the new value provided in this action. + ### Parameters Description: - - Each resource can have a maximum of 50 tags. + | Parameter Name | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Flow Description + | Resources ID | string | Yes | A comma-separated list of AWS resource identifiers + (e.g., i-1234567890abcdef0) that you want to tag. | - 1. **Parameter Extraction**: The action retrieves AWS credentials (Access Key, - Secret Key, Region) from the integration configuration and the target Resource - IDs and Tags from the action parameters. + | Tags | code | Yes | A JSON object containing the tags to be created. Expected + format: `{"tags": [{"Key": "key1", "Value": "value1"}]}`. Note that keys are case-sensitive. + | - 2. **Data Parsing**: The `Tags` parameter is parsed from a JSON string into a - Python list, and the `Resources ID` string is split into individual identifiers. - 3. **AWS Interaction**: For each provided Resource ID, the action calls the AWS - EC2 `create_tags` API via the `EC2Manager` to apply the specified tag set. + ### Additional Notes: - 4. **Result Logging**: The action tracks which resources were successfully tagged - and which encountered errors. + - This action uses the Boto3 `create_tags` method. If a tag with the same key + already exists on a resource, its value will be overwritten. - 5. **Final Output**: Success and failure details are added to the action's JSON - results, and a summary message is displayed in the SOAR interface. + - Each resource can have a maximum of 50 tags. capabilities: can_create_case_comments: false can_create_insight: false @@ -267,8 +359,8 @@ Create Tags: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - This action adds or overwrites tags on AWS EC2 resources, which modifies the - metadata state of those resources in the AWS environment. + Adds or overwrites tags (key-value pairs) on specified AWS EC2 resources using + the AWS API. fetches_data: false internal_data_mutation_explanation: null categories: @@ -288,54 +380,84 @@ Create Tags: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Delete Instance: ai_description: >- ### General Description - Deletes (terminates) specific Amazon EC2 instances within a specified AWS region. - This action is used to permanently remove virtual server instances from an AWS - environment. It supports processing multiple instances in a single execution and - handles the asynchronous nature of AWS instance termination. + The **Delete Instance** action terminates one or more specified Amazon EC2 instances + within a designated AWS region. This is a destructive operation that permanently + removes the instances from the AWS environment. - ### Parameters + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Instance Ids | Content | Yes | A comma-separated list of EC2 instance IDs to - be deleted (e.g., `i-1234567890abcdef0, i-0987654321fedcba0`). | + | **Instance Ids** | String | Yes | A comma-separated list of AWS EC2 instance + identifiers (e.g., `i-1234567890abcdef0, i-0fedcba9876543210`) to be deleted. + | - ### Flow Description + ### Additional Notes - 1. **Credential Extraction**: Retrieves AWS Access Key ID, Secret Access Key, - and Default Region from the integration configuration. + - Terminated instances remain visible in the AWS console for approximately one + hour after deletion. - 2. **Input Parsing**: Extracts the `Instance Ids` parameter and splits the comma-separated - string into a list of individual identifiers. + - The action returns the total count of instances successfully moved to a 'terminated' + or 'shutting-down' state. - 3. **Instance Termination**: Iterates through the list of instance IDs and calls - the AWS EC2 `terminate_instances` API for each. + - This action is marked as asynchronous and can track the progress of the termination + process. - 4. **State Verification**: Evaluates the `CurrentState` returned by AWS. If an - instance is in the `shutting-down` state, the action status is set to `IN_PROGRESS` - (async). If the state is `terminated`, the instance is logged as successfully - deleted. - 5. **Result Reporting**: Adds the raw API response for each successfully terminated - instance to the JSON results and returns the total count of deleted instances - as the final result value. + ### Flow Description + 1. **Configuration Extraction:** Retrieves AWS credentials (Access Key ID, Secret + Access Key) and the default region from the integration settings. - ### Additional Notes + 2. **Parameter Parsing:** Extracts the `Instance Ids` string and splits it into + a list of individual identifiers, stripping any extra whitespace. - - Deleted instances remain visible in the AWS console for approximately one hour - after termination. + 3. **AWS Interaction:** For each instance ID, the action calls the AWS EC2 `terminate_instances` + API via the `EC2Manager`. - - The action will log an error for any instance that cannot be transitioned to - a terminated state from its current state. + 4. **State Verification:** Evaluates the `CurrentState` returned by the AWS API + for each instance: + - If the state is `terminated`, it is logged as a success. + - If the state is `shutting-down`, the action status is set to `IN_PROGRESS` + to reflect the ongoing transition. + - If the instance is in a state that cannot be deleted, an exception is raised + for that specific instance. + 5. **Result Reporting:** Aggregates the results, provides a summary message to + the case wall, and returns the count of deleted instances along with detailed + JSON data for each processed instance. capabilities: can_create_case_comments: false can_create_insight: false @@ -344,8 +466,8 @@ Delete Instance: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Terminates (deletes) EC2 instances in the target AWS account and region, which - is a permanent state change for those resources. + Terminates (deletes) specified EC2 instances in the AWS environment, which is + a permanent state change. fetches_data: false internal_data_mutation_explanation: null categories: @@ -365,62 +487,94 @@ Delete Instance: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Find Instance: ai_description: >- ### General Description - This action fetches detailed information about specific AWS EC2 instances or searches - for instances based on provided filters. It is primarily used for visibility and - data gathering regarding the state and configuration of virtual machines within - an AWS environment. + The **Find Instance** action retrieves detailed information about one or more + Amazon EC2 instances from an AWS environment. It allows users to query specific + instances by their unique IDs or to search for instances based on custom filters + such as instance type, state, or tags. This action is primarily used for asset + enrichment, providing visibility into the configuration and status of cloud resources. - ### Parameters + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Instance Ids | String | No | A comma-separated list of AWS Instance IDs (e.g., - i-1234567890abcdef0). If provided, the action fetches details for these specific - instances. | + | **Instance Ids** | String | No | A comma-separated list of AWS Instance IDs + to fetch (e.g., `i-1234567890abcdef0`). If provided, the action fetches details + for these specific instances. | - | Filters | Content (JSON) | No | A JSON-formatted string defining filters to - apply to the search (e.g., `{"Name": "instance-type", "Values": ["t2.micro"]}`). - | + | **Filters** | Content (JSON) | No | A JSON object defining filters for the search. + Default is `{"Name": "instance-type", "Values": ["t2.micro"]}`. This is used when + specific IDs are not provided or to further narrow the search. | - | Max Results | String | No | The maximum number of instances to return in the - result set, ranging from 5 to 1000. | + | **Max Results** | String | No | The maximum number of results to return in a + single call, ranging from 5 to 1000. Defaults to 1000 if not specified. | - ### Flow Description - - 1. **Parameter Extraction:** The action retrieves AWS credentials (Access Key, - Secret Key, Region) and the user-provided parameters (Instance IDs, Filters, Max - Results). + ### Additional Notes - 2. **Manager Initialization:** An EC2 Manager is initialized to handle communication - with the AWS API using the Boto3 library. + - If neither **Instance Ids** nor **Filters** are specified, the action will attempt + to fetch information for all instances in the configured region, up to the limit + defined by **Max Results**. - 3. **Data Retrieval:** - - If **Instance Ids** are provided: The action iterates through the list and - calls the `describe_instances` API for each ID individually. - - If **Instance Ids** are NOT provided: The action performs a single `describe_instances` - call using the provided **Filters** and **Max Results**. - 4. **Result Processing:** The action collects the metadata for all found instances - and formats it into a JSON object. + - The **Filters** parameter must be a valid JSON object following the AWS Boto3 + `describe_instances` filter syntax. - 5. **Completion:** The action outputs the JSON result and a summary message indicating - which instances were successfully retrieved. + - This action does not run on SecOps entities; it relies entirely on the provided + input parameters. - ### Additional Notes - - - If neither **Instance Ids** nor **Filters** are specified, the action will attempt - to return information for all instances in the configured region (subject to the - **Max Results** limit). + ### Flow Description - - This action is read-only and does not modify any AWS resources. + 1. **Configuration Retrieval:** The action retrieves AWS credentials (Access Key + ID, Secret Access Key) and the Default Region from the integration's configuration. + + 2. **Parameter Parsing:** It extracts the provided **Instance Ids**, **Filters**, + and **Max Results** from the action input. If **Filters** are provided, they are + parsed from a JSON string into a list. + + 3. **Instance Lookup:** + - **Specific IDs:** If **Instance Ids** are provided, the action iterates + through each ID and calls the AWS `describe_instances` API to fetch specific details + for each. + - **Bulk/Filtered Query:** If no **Instance Ids** are provided, the action + performs a single bulk query using the provided **Filters** and **Max Results**. + 4. **Result Processing:** The retrieved instance metadata is aggregated into a + JSON result object. The action tracks which instances were successfully found + and which (if any) failed to be retrieved. + + 5. **Output:** The action returns the aggregated JSON data to the SOAR platform + and provides a summary message indicating the success or failure of the operation. capabilities: can_create_case_comments: false can_create_insight: false @@ -432,7 +586,7 @@ Find Instance: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: entity_types: [] filters_by_additional_properties: false @@ -448,25 +602,53 @@ Find Instance: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: ai_description: "### General Description\nThe **Ping** action is designed to verify\ - \ the connectivity between Google SecOps and the Amazon Web Services (AWS) EC2\ - \ environment. It serves as a diagnostic tool to ensure that the provided credentials\ - \ (Access Key ID and Secret Access Key) and the specified region are correct and\ - \ that the system can successfully communicate with the AWS API.\n\n### Parameters\ - \ Description\nThis action does not require any input parameters from the user\ - \ at runtime. It relies entirely on the integration's configuration parameters:\n\ + \ the connectivity between the Google SecOps platform and the Amazon Web Services\ + \ (AWS) EC2 environment. It serves as a diagnostic tool to ensure that the provided\ + \ credentials (Access Key ID and Secret Access Key) are valid and that the integration\ + \ can successfully communicate with the AWS API within the specified region.\n\ + \n### Parameters Description\nThis action does not require any additional input\ + \ parameters. It relies entirely on the global integration configuration parameters:\n\ * **Access Key ID**: The AWS access key used for authentication.\n* **Secret Access\ \ Key**: The AWS secret key used for authentication.\n* **Default Region**: The\ \ AWS region to which the connectivity test is directed.\n\n### Flow Description\n\ 1. **Configuration Extraction**: The action retrieves the AWS credentials and\ - \ region from the integration settings.\n2. **Manager Initialization**: An instance\ - \ of the `EC2Manager` is created using the extracted configuration.\n3. **Connectivity\ - \ Test**: The action calls the `test_connectivity` method, which executes the\ - \ AWS `describe_regions` API call.\n4. **Result Handling**: \n * If the API\ - \ call is successful, the action returns a success message (\"Connected successfully\"\ - ) and a `True` status.\n * If the API call fails, it returns a failure message\ - \ (\"The Connection failed\") and a `False` status." + \ region settings from the integration's configuration.\n2. **Manager Initialization**:\ + \ An instance of the `EC2Manager` is created using the extracted credentials.\n\ + 3. **Connectivity Test**: The action calls the `test_connectivity` method, which\ + \ executes the AWS `describe_regions` API call.\n4. **Result Evaluation**: \n\ + \ * If the API call returns a valid response, the action concludes with a success\ + \ message (\"Connected successfully\").\n * If the API call fails or returns\ + \ no data, the action concludes with a failure message (\"The Connection failed\"\ + ).\n\n### Additional Notes\nThis action is typically used during the initial setup\ + \ of the AWS EC2 integration or for troubleshooting credential/network issues.\ + \ It does not interact with or modify any specific EC2 instances or SecOps entities." capabilities: can_create_case_comments: false can_create_insight: false @@ -494,52 +676,81 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Revoke Security Group Egress: ai_description: >- - ### General Description + Revokes outbound (egress) IP permissions from a specific AWS EC2 Security Group + within a VPC. This action is used to tighten security posture by removing existing + rules that allow traffic to leave the network based on specific protocols, ports, + and CIDR ranges. It interacts directly with the AWS EC2 API to modify the security + group configuration. - Revokes specified outbound (egress) IP permissions from a specific AWS EC2 Security - Group within a VPC. This action is used to tighten network security by removing - existing rules that allow traffic to leave the environment. + ### Flow Description: - ### Parameters Description + 1. **Configuration Extraction:** Retrieves AWS credentials (Access Key ID, Secret + Access Key) and the default region from the integration settings. - | Parameter | Type | Mandatory | Description | + 2. **Parameter Parsing:** Extracts the target Security Group ID and the IP permissions + JSON string from the action parameters. - | :--- | :--- | :--- | :--- | + 3. **Data Transformation:** Converts the IP permissions JSON string into a structured + dictionary required by the AWS SDK (Boto3). - | Group ID | String | No | The unique identifier of the security group (e.g., - sg-1a2b3c4d) from which permissions will be revoked. | + 4. **AWS API Interaction:** Executes the `revoke_security_group_egress` command + via the EC2 Manager to remove the specified rules. - | IP Permissions | Code (JSON) | No | A JSON-formatted object defining the protocol, - port range, and CIDR blocks to be removed. Example: `{"FromPort": 80, "IpProtocol": - "tcp", "IpRanges": [{"CidrIp": "1.1.1.1/16"}], "ToPort": 80}`. | + 5. **Result Reporting:** Logs the outcome, provides the raw JSON response from + AWS, and sets the action status to success or failure. - ### Additional Notes + ### Parameters Description: - - While parameters are marked as non-mandatory in the configuration, providing - both the `Group ID` and valid `IP Permissions` is required for the action to successfully - execute the revocation logic. + | Parameter Name | Type | Mandatory | Description | - - This action interacts directly with the AWS EC2 API and requires appropriate - IAM permissions (`ec2:RevokeSecurityGroupEgress`). + | :--- | :--- | :--- | :--- | + | Group ID | String | No | The unique identifier of the security group (e.g., + `sg-1a2b3c4d`) from which permissions will be revoked. While marked as not mandatory + in metadata, it is required for the API call to succeed. | - ### Flow Description + | IP Permissions | Code | No | A JSON-formatted string defining the rules to revoke. + Must include `IpProtocol`, `FromPort`, `ToPort`, and `IpRanges` (with `CidrIp`). + Example: `{"FromPort": 80, "IpProtocol": "tcp", "IpRanges": [{"CidrIp": "1.1.1.1/16"}], + "ToPort": 80}`. | - 1. **Configuration Extraction**: Retrieves AWS credentials (Access Key ID, Secret - Access Key) and the default region from the integration settings. - 2. **Parameter Parsing**: Extracts the target Security Group ID and the IP permissions - JSON string, converting the latter into a Python dictionary. + ### Additional Notes: - 3. **API Interaction**: Utilizes the `EC2Manager` to call the AWS Boto3 `revoke_security_group_egress` - method. + - This action specifically targets **egress** (outbound) rules. To revoke ingress + (inbound) rules, a different action should be used. - 4. **Result Processing**: Captures the API response, logs the outcome, and provides - the raw JSON result to the SOAR platform. + - If the specified rule does not exist in the security group, the AWS API may + return an error which will be captured in the action logs. capabilities: can_create_case_comments: false can_create_insight: false @@ -548,8 +759,8 @@ Revoke Security Group Egress: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Removes egress (outbound) firewall rules from an AWS EC2 Security Group, modifying - the network security configuration of the VPC. + Removes outbound firewall rules (egress permissions) from an AWS EC2 Security + Group, changing the network access control configuration in the AWS environment. fetches_data: false internal_data_mutation_explanation: null categories: @@ -569,14 +780,39 @@ Revoke Security Group Egress: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: true + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Revoke Security Group ingress: ai_description: >- ### General Description - This action revokes specific inbound (ingress) IP permissions from a designated - AWS EC2 Security Group within a VPC. It is primarily used for containment or security - posture management by removing existing rules that allow network traffic based - on protocol, port ranges, and CIDR blocks. + The **Revoke Security Group ingress** action removes specific inbound (ingress) + IP permissions from an existing AWS EC2 Security Group within a Virtual Private + Cloud (VPC). This action is primarily used for containment and security hardening + by programmatically withdrawing previously granted network access rules. ### Parameters Description @@ -585,42 +821,42 @@ Revoke Security Group ingress: | :--- | :--- | :--- | :--- | - | Group ID | string | No | The unique identifier of the security group (e.g., - `sg-1a2b3c4d`) from which you want to revoke inbound permissions. | - - | IP Permissions | code | No | A JSON-formatted string defining the specific IP - permissions to be removed. It should include keys like `FromPort`, `ToPort`, `IpProtocol`, - and `IpRanges`. | + | **Group ID** | String | No | The unique identifier of the AWS Security Group + (e.g., `sg-1a2b3c4d`) from which you want to revoke inbound permissions. | + | **IP Permissions** | Code (JSON) | No | A JSON-formatted string defining the + specific IP rules to be removed. It includes fields like `FromPort`, `ToPort`, + `IpProtocol`, and `IpRanges`. | - ### Additional Notes - - This action interacts directly with the AWS EC2 API using the `boto3` library. + ### Flow Description - - While the parameters are marked as not mandatory in the configuration, the action - logic requires both a valid `Group ID` and `IP Permissions` JSON to successfully - execute the revocation request to AWS. + 1. **Configuration Extraction:** The action retrieves AWS credentials (Access + Key ID, Secret Access Key) and the default region from the integration settings. + 2. **Parameter Parsing:** It extracts the target Security Group ID and the IP + permissions JSON string. The JSON string is converted into a Python dictionary + for processing. - ### Flow Description + 3. **AWS Interaction:** The action uses the `EC2Manager` (via the Boto3 SDK) to + call the `revoke_security_group_ingress` API on the specified AWS account and + region. - 1. **Configuration Extraction**: The action retrieves AWS credentials (Access - Key ID, Secret Access Key) and the default region from the integration settings. + 4. **Result Handling:** If the revocation is successful, the action returns the + raw response from AWS as a JSON result and sets the action status to success. + If an error occurs (e.g., invalid permissions or group ID), it logs the error + and returns a failure status. - 2. **Parameter Parsing**: It extracts the `Group ID` and the `IP Permissions` - string from the action input. The `IP Permissions` string is parsed from JSON - into a Python dictionary. - 3. **Manager Initialization**: An instance of the `EC2Manager` is created using - the provided AWS credentials and region. + ### Additional Notes - 4. **Revocation Execution**: The action calls the `revoke_security_group_ingress` - method in the manager, which sends a request to the AWS EC2 service to remove - the specified rules. + * **Mandatory Fields:** While the metadata marks parameters as not mandatory, + the action logic requires both a valid `Group ID` and correctly formatted `IP + Permissions` JSON to execute successfully. If these are missing or malformed, + the action will fail. - 5. **Result Handling**: If successful, the API response is added to the action's - JSON results, and the action completes with a success message. If an error occurs - during the API call, it is logged, and the action reports a failure. + * **JSON Format:** The `IP Permissions` parameter must strictly follow the AWS + Boto3 structure for `IpPermissions` objects. capabilities: can_create_case_comments: false can_create_insight: false @@ -629,9 +865,9 @@ Revoke Security Group ingress: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - This action modifies the configuration of an AWS EC2 Security Group by removing - (revoking) existing ingress rules, which changes the allowed network traffic - state in the AWS environment. + This action modifies the configuration of an AWS Security Group by removing + inbound firewall rules, which changes the network access control state in the + AWS environment. fetches_data: false internal_data_mutation_explanation: null categories: @@ -651,27 +887,75 @@ Revoke Security Group ingress: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: true + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Start Instance: - ai_description: "### General Description\nStarts one or more specified AWS EC2 instances.\ - \ This action is used to transition stopped instances into a running state. It\ - \ supports asynchronous execution, meaning if an instance is in a 'pending' state,\ - \ the action will remain 'In Progress' until the operation completes or times\ - \ out.\n\n### Parameters Description\n| Parameter | Type | Mandatory | Description\ - \ |\n| :--- | :--- | :--- | :--- |\n| **Instance Ids** | Content (String) | Yes\ - \ | A comma-separated list of AWS EC2 instance identifiers to be started (e.g.,\ - \ `i-1234567890abcdef0, i-0987654321fedcba0`). |\n\n### Flow Description\n1. **Configuration\ - \ Extraction**: Retrieves AWS credentials (Access Key ID, Secret Access Key) and\ - \ the default region from the integration settings.\n2. **Parameter Parsing**:\ - \ Extracts the `Instance Ids` string and converts it into a list of individual\ - \ identifiers.\n3. **AWS Interaction**: For each instance ID, the action calls\ - \ the AWS EC2 `start_instances` API via the `EC2Manager`.\n4. **State Verification**:\ - \ \n * If the instance state is returned as `running`, it is marked as successfully\ - \ started.\n * If the instance state is `pending`, the action status is set\ - \ to `IN_PROGRESS` to allow for asynchronous tracking.\n * If the instance\ - \ is in an incompatible state or an error occurs, the failure is logged.\n5. **Result\ - \ Reporting**: Returns the total count of successfully started instances as the\ - \ result value and provides a detailed JSON object containing the API responses\ - \ for each instance." + ai_description: >- + ### General Description + + Starts one or more specified AWS EC2 instances. This action is used to programmatically + resume instances that are currently in a stopped state. It provides real-time + feedback on the transition state (pending/running) and returns the count of successfully + started instances. + + + ### Parameters Description + + | Parameter | Description | Type | Mandatory | + + | :--- | :--- | :--- | :--- | + + | Instance Ids | The instance IDs which you want to start (comma separated). For + example: instance_id1, instance_id2. | String | Yes | + + + ### Additional Notes + + - This action is asynchronous. If an instance is in a 'pending' state, the action + will return an 'In Progress' status to allow for state transition. + + - The result value represents the total count of instances successfully moved + to a 'running' state during the execution. + + + ### Flow Description + + 1. Extract configuration parameters (Access Key, Secret Key, Region). + + 2. Extract the 'Instance Ids' action parameter and split it into a list. + + 3. Initialize the EC2Manager. + + 4. Iterate through each Instance ID and attempt to start it using the AWS SDK. + + 5. Evaluate the response: if the state is 'pending', mark the action as 'In Progress'; + if 'running', mark as success. + + 6. Aggregate results, including a count of started instances and detailed JSON + output. capabilities: can_create_case_comments: false can_create_insight: false @@ -680,7 +964,8 @@ Start Instance: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Changes the operational state of AWS EC2 instances from stopped to started/running. + Starts stopped EC2 instances in the AWS environment, changing their state from + 'stopped' to 'pending' or 'running'. fetches_data: true internal_data_mutation_explanation: null categories: @@ -700,51 +985,72 @@ Start Instance: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Stop Instance: ai_description: >- - ### General Description - - Stops one or more specified AWS EC2 instances. This action interacts with the + Stops one or more specified Amazon EC2 instances. This action interacts with the AWS EC2 service to transition instances from a running state to a stopped state. - It supports stopping multiple instances simultaneously and provides an option - to force the shutdown. Because instance shutdown can take time, the action is - designed to run asynchronously, tracking the state until the instances are confirmed - as stopping or stopped. + It supports stopping multiple instances simultaneously via a comma-separated list + and provides an option to force the shutdown. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Instance Ids | String | Yes | A comma-separated list of AWS EC2 instance identifiers - (e.g., `i-0123456789abcdef0, i-0abcdef1234567890`) to be stopped. | + | Instance Ids | String | Yes | Comma-separated list of AWS EC2 instance IDs to + be stopped (e.g., i-0123456789abcdef0). | - | Force Instance To Stop | Boolean | No | If set to `true`, forces the instance - to stop immediately without flushing file system caches or metadata. Default is - `false`. | + | Force Instance To Stop | Boolean | No | If set to true, the instance is forced + to stop without waiting for file system caches or metadata to be processed. Default + is false. | ### Flow Description - 1. **Initialization**: Retrieves AWS credentials (Access Key, Secret Key) and - the default region from the integration configuration. + 1. **Credential Retrieval**: Extracts AWS Access Key, Secret Key, and Region from + the integration configuration. - 2. **Parameter Parsing**: Extracts the list of instance IDs from the action parameters - and splits them into individual identifiers. + 2. **Input Parsing**: Parses the provided string of Instance IDs into a list. - 3. **Execution**: Iterates through each instance ID and calls the AWS EC2 `stop_instances` - API via the `EC2Manager`. + 3. **API Execution**: Iterates through the list and calls the AWS `stop_instances` + API for each identifier. + + 4. **State Verification**: Checks the current state of each instance returned + by the API. + + 5. **Status Handling**: If instances are in the 'stopping' state, the action sets + its status to 'In Progress' for asynchronous tracking. If 'stopped', it marks + them as successful. - 4. **State Monitoring**: Evaluates the response for each instance: - * If the state is `stopping`, the instance is added to a tracking list, and - the action status is set to `IN_PROGRESS` to allow for asynchronous completion. - * If the state is `stopped`, the instance is marked as successfully stopped. - * If the instance is in an incompatible state or an error occurs, an exception - is logged for that specific instance. - 5. **Result Reporting**: Returns the total count of successfully stopped instances - as the result value and provides detailed JSON data for each processed instance. + 6. **Result Reporting**: Returns the total count of stopped instances and detailed + JSON response data for each successful operation. capabilities: can_create_case_comments: false can_create_insight: false @@ -753,8 +1059,8 @@ Stop Instance: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Changes the operational state of AWS EC2 instances from 'running' to 'stopping' - or 'stopped'. + Stops the specified EC2 instances in the AWS environment, changing their operational + state from running to stopped. fetches_data: true internal_data_mutation_explanation: null categories: @@ -774,3 +1080,28 @@ Stop Instance: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: true + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/community/aws_ec2/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/aws_ec2/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..f8132bd8e --- /dev/null +++ b/content/response_integrations/third_party/community/aws_ec2/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: true + cloud_security: true + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: true + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/azure_devops/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/azure_devops/resources/ai/actions_ai_description.yaml index 8428bc2df..929df117a 100644 --- a/content/response_integrations/third_party/community/azure_devops/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/azure_devops/resources/ai/actions_ai_description.yaml @@ -1,46 +1,21 @@ Ping: ai_description: >- - ### General Description - - Tests the connectivity to the Azure DevOps instance using the provided configuration - parameters. This action is primarily used to verify that the Personal Access Token, - Organization, and Base URL are correctly configured and that the Google SecOps - environment can reach the Azure DevOps API. - - - ### Parameters Description - - | Parameter | Description | Type | Mandatory | - - | :--- | :--- | :--- | :--- | - - | N/A | This action does not have any input parameters. It relies solely on the - integration's configuration parameters (Personal Access Token, Organization, and - Base URL). | N/A | N/A | - - - ### Additional Notes - - * This is a standard 'Ping' action used for integration health checks. - - * It uses the `azure-devops` Python library to interact with the API. - - - ### Flow Description - - 1. **Configuration Retrieval**: The action extracts the `Personal Access Token`, - `Organization`, and `Base URL` from the integration settings. - - 2. **Authentication**: It sets up Basic Authentication using the provided token. - - 3. **Connection Initialization**: It establishes a connection to the Azure DevOps - service URL (constructed as `Base URL/Organization`). - - 4. **Connectivity Test**: It attempts to retrieve the list of projects using the - `get_projects()` method to verify the API connection. - - 5. **Result Reporting**: Based on the success or failure of the API call, it returns - a boolean result and a status message to the SOAR platform. + ### General Description\nTests the connectivity between Google SecOps and the + Azure DevOps instance. This action verifies that the provided credentials and + configuration are valid by attempting to retrieve a list of projects from the + specified organization.\n\n### Parameters Description\nThere are no action parameters + for this action. It relies on the integration's configuration parameters (Personal + Access Token, Organization, and Base URL).\n\n### Flow Description\n1. **Parameter + Extraction**: Retrieves the Personal Access Token, Organization name, and Base + URL from the integration configuration.\n2. **Authentication**: Initializes a + basic authentication object using the Personal Access Token.\n3. **Connection + Establishment**: Creates a connection to the Azure DevOps service using the provided + Base URL and Organization.\n4. **Connectivity Test**: Calls the `get_projects` + method from the core client to verify that the connection is functional and the + credentials have sufficient permissions.\n5. **Result Reporting**: Returns a success + status if the projects are retrieved successfully; otherwise, it reports a connection + failure with the error details.\n\n### Additional Notes\nThis action does not + interact with or process any entities within the case. capabilities: can_create_case_comments: false can_create_insight: false @@ -49,7 +24,7 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: false + fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false @@ -68,14 +43,39 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Trigger Azure Build: ai_description: >- ### General Description - Triggers an Azure DevOps build pipeline for a specific build definition ID and - monitors its progress until completion. This action is designed to automate CI/CD - workflows or infrastructure-as-code tasks directly from Google SecOps by interacting - with the Azure DevOps REST API. + Triggers an Azure DevOps pipeline (build) for a specified definition ID and monitors + its progress until completion. This action is useful for automating CI/CD workflows, + such as deploying infrastructure or running automated tests as part of an incident + response playbook. ### Parameters Description @@ -84,43 +84,37 @@ Trigger Azure Build: | :--- | :--- | :--- | :--- | - | Build Definition Id | String | Yes | The unique identifier for the build definition - (pipeline) in Azure DevOps that you want to trigger. | + | Build Definition Id | string | Yes | The unique identifier (ID) of the build + definition/pipeline you want to trigger in Azure DevOps. | - | Build Variables | Code (JSON) | Yes | A JSON-formatted string containing the - variables to be passed to the build pipeline. For example: `{"ENV": "production", - "VERSION": "1.0.1"}`. | + | Build Variables | code | Yes | A JSON-formatted string containing the variables + to pass to the pipeline (e.g., `{"ENV": "production"}`). | - ### Additional Notes - - - This action is asynchronous. It will trigger the build and then periodically - poll Azure DevOps to check the status of the job until it reaches a terminal state - (Succeeded, Failed, or Canceled). + ### Flow Description - - The integration must be configured with a valid Organization, Project, and Personal - Access Token (PAT) with sufficient permissions to trigger and view builds. + 1. **Initialization**: The action retrieves integration configuration (Organization, + Project, PAT, Base URL) and action parameters. + 2. **Trigger Build**: It sends a POST request to the Azure DevOps Builds API to + initiate a new build for the provided `Build Definition Id` using the specified + `Build Variables`. - ### Flow Description + 3. **Async Monitoring**: The action captures the `build_id` from the response + and enters an asynchronous state (`IN_PROGRESS`). - 1. **Initialization**: The action retrieves integration configuration (Base URL, - Organization, Project, PAT) and action parameters (Build Definition ID, Build - Variables). + 4. **Status Polling**: The `query_job` function periodically polls the Azure DevOps + API using the `build_id` to check the current status and result of the build. - 2. **Trigger Build**: It sends a POST request to the Azure DevOps API (`_apis/build/builds`) - to initiate the pipeline execution. + 5. **Completion**: The action finishes with a `COMPLETED` status if the build + succeeds or partially succeeds, and a `FAILED` status if the build fails or is + canceled. - 3. **Capture Build ID**: Upon a successful trigger, it extracts the `build_id` - from the response and transitions to an 'In Progress' state. - 4. **Status Polling (Async)**: The `query_job` function periodically sends GET - requests to the Azure DevOps API to monitor the `status` and `result` of the specific - `build_id`. + ### Additional Notes - 5. **Completion**: The action concludes with a 'Completed' status if the build - result is `succeeded` or `partiallySucceeded`. It returns a 'Failed' status if - the build fails, is canceled, or encounters an error. + This action is asynchronous and will wait for the external build process to finish + before returning a final result to the Google SecOps playbook. capabilities: can_create_case_comments: false can_create_insight: false @@ -129,7 +123,7 @@ Trigger Azure Build: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Triggers a new build pipeline execution in the Azure DevOps environment. + Triggers a new build execution (pipeline run) in the Azure DevOps environment. fetches_data: true internal_data_mutation_explanation: null categories: @@ -149,27 +143,51 @@ Trigger Azure Build: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Wait Until Web Resource Is Up: - ai_description: "### General Description\nThis action is a utility designed to monitor\ - \ the availability of a specific web resource. It performs an HTTP GET request\ - \ to a provided URL and checks if the resource is accessible (returning a successful\ - \ status code). Because the action is marked as asynchronous, it is typically\ - \ used in playbooks to pause execution until a specific service or endpoint becomes\ - \ reachable.\n\n### Parameters Description\n| Parameter Name | Type | Mandatory\ - \ | Description |\n| :--- | :--- | :--- | :--- |\n| URL | String | Yes | The full\ - \ URL of the web resource to check for availability. |\n\n### Additional Notes\n\ - - This action does not interact with Google SecOps entities.\n- It is an asynchronous\ - \ action; if the web resource is down, the action returns an 'In Progress' state,\ - \ allowing the SOAR platform to retry the check until the resource is up or a\ - \ timeout is reached.\n\n### Flow Description\n1. **Parameter Extraction**: The\ - \ action retrieves the mandatory `URL` parameter from the input.\n2. **Connectivity\ - \ Check**: It performs an HTTP GET request to the specified URL with a 5-second\ - \ timeout.\n3. **Status Evaluation**: \n - If the request is successful (status\ - \ code < 400), the resource is considered 'up'.\n - If the request fails or\ - \ an exception occurs, the resource is considered 'down'.\n4. **Execution Control**:\ - \ \n - If 'up', the action finishes with a `COMPLETED` state.\n - If 'down',\ - \ the action finishes with an `IN_PROGRESS` state, signaling the platform to retry\ - \ later." + ai_description: "### General Description\nThis action monitors the availability\ + \ of a specific web resource by its URL. It functions as an asynchronous task,\ + \ meaning it will repeatedly check the status of the provided URL until it returns\ + \ a successful HTTP response (status code less than 400). This is typically used\ + \ in playbooks to ensure a service, API, or endpoint is fully operational before\ + \ proceeding to subsequent automation steps.\n\n### Parameters Description\n|\ + \ Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ + | URL | String | Yes | The full URL of the web resource to monitor (e.g., `https://dev.azure.com/organization`).\ + \ |\n\n### Flow Description\n1. **Parameter Extraction**: The action retrieves\ + \ the target `URL` from the input parameters.\n2. **Connectivity Check**: It performs\ + \ an HTTP GET request to the specified URL with a 5-second timeout.\n3. **Status\ + \ Evaluation**: The action evaluates the response. If the HTTP status code is\ + \ successful (less than 400), the resource is considered 'up'.\n4. **Execution\ + \ State Management**: \n * If the resource is 'up', the action state is set\ + \ to `COMPLETED`.\n * If the resource is 'down' or the request fails, the action\ + \ state is set to `IN_PROGRESS`. In an asynchronous context, this triggers the\ + \ SOAR platform to retry the action after a delay.\n\n### Additional Notes\nThis\ + \ action is a utility for flow control and does not modify any data within Azure\ + \ DevOps or the Google SecOps platform. It relies on basic HTTP reachability." capabilities: can_create_case_comments: false can_create_insight: false @@ -197,3 +215,28 @@ Wait Until Web Resource Is Up: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/community/azure_devops/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/azure_devops/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..9e2bf295d --- /dev/null +++ b/content/response_integrations/third_party/community/azure_devops/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: true + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/bandura_cyber/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/bandura_cyber/resources/ai/actions_ai_description.yaml index 4785952fa..f1c734b05 100644 --- a/content/response_integrations/third_party/community/bandura_cyber/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/bandura_cyber/resources/ai/actions_ai_description.yaml @@ -1,49 +1,46 @@ Add Domain to Allowed Lists: ai_description: >- - ### General Description + Adds a domain extracted from a URL entity to a specified Allowed List in Bandura + Cyber. This action is used to whitelist domains, ensuring they are not blocked + by Bandura's security policies. - The **Add Domain to Allowed Lists** action allows users to add the domain component - of URL entities to a specific Allowed List within the Bandura Cyber platform. - This is typically used to whitelist known-safe domains to prevent them from being - blocked by security policies. - - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **List Name** | String | Yes | The exact name of the Allowed List in Bandura - where the domain should be added. Note: This is case-sensitive. | + | List Name | string | Yes | The name of the Allowed List in Bandura Cyber where + the domain should be added. This value is case-sensitive. | - | **Description** | String | No | A custom description to associate with the domain - entry in the list. | + | Description | string | No | A descriptive note to associate with the allowed + domain entry. | - | **Expiration Date** | String | No | The date and time when the domain should - be automatically removed from the list (e.g., `2020-01-01T12:00:00.000+00:00`). - | + | Expiration Date | string | No | The date and time when the domain should be + automatically removed from the list (e.g., 2020-01-01T12:00:00.000+00:00). | ### Flow Description - 1. **Initialization**: The action retrieves connection details (API Root, credentials) - and user-provided parameters (List Name, Description, Expiration Date). + 1. **Parameter Extraction:** The action retrieves the target list name, description, + and expiration date from the user input. - 2. **Entity Filtering**: It identifies all URL entities within the current context. + 2. **Entity Filtering:** It identifies all URL entities within the current alert + scope. - 3. **Domain Extraction**: For each URL, the script parses the string to extract - the network location (domain). + 3. **Domain Extraction:** For each URL entity, the action parses the URL to extract + the domain (netloc). - 4. **List Identification**: It queries the Bandura API to find the unique identifier - (UUID) for the provided `List Name`. + 4. **List Identification:** It queries Bandura Cyber to find the unique identifier + (UUID) of the Allowed List matching the provided 'List Name'. - 5. **External Mutation**: It sends a POST request to the Bandura Cyber API to - create a new entry in the specified Allowed List containing the domain, description, - and expiration date. + 5. **External Mutation:** The action sends a POST request to Bandura Cyber to + add the extracted domain to the identified Allowed List, including the optional + description and expiration date. - 6. **Result Reporting**: The action collects the API responses and provides a - summary of which domains were successfully added to the list. + 6. **Result Reporting:** The action returns a JSON result containing the details + of the added entries and updates the action output message. capabilities: can_create_case_comments: false can_create_insight: false @@ -52,7 +49,7 @@ Add Domain to Allowed Lists: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Adds a domain entry to a specified Allowed List in the Bandura Cyber platform + Adds a domain entry to a specific Allowed List within the Bandura Cyber platform via a POST request. fetches_data: true internal_data_mutation_explanation: null @@ -74,12 +71,37 @@ Add Domain to Allowed Lists: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: true + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Add Domain to Denied Lists: ai_description: >- - Adds URL entities to a specified Denied List in Bandura Cyber. This action is - primarily used for containment by blocking malicious or suspicious domains at - the network level. It extracts the domain (netloc) from the URL entity and pushes - it to the external Bandura Cyber platform. + Adds URL entities to a specified Domain Denied List in Bandura Cyber. This action + extracts the domain (network location) from the URL entity and registers it in + the external Bandura Cyber system to block or monitor traffic. It supports optional + descriptions and expiration dates for the entries. ### Parameters @@ -88,47 +110,36 @@ Add Domain to Denied Lists: | :--- | :--- | :--- | :--- | - | List Name | string | Yes | The name of the Denied List where the domain should + | List Name | string | Yes | The name of the Denied List where the domain will be added. Note: This value is case-sensitive. | - | Description | string | No | A descriptive note to be attached to the entry in - the denied list. | + | Description | string | No | A descriptive note to associate with the domain + entry in the denied list. | - | Expiration Date | string | No | The date and time when the entity should be - automatically removed from the list. Expected format: `YYYY-MM-DDTHH:MM:SS.mmm+00:00`. - | + | Expiration Date | string | No | The date and time when the domain should be + automatically removed from the list (e.g., 2020-01-01T12:00:00.000+00:00). | ### Flow Description - 1. **Authentication**: The action authenticates with the Bandura Cyber API using - the configured Username and Password to retrieve an access token. - - 2. **Entity Selection**: It filters the target entities to identify those of type - URL. - - 3. **Domain Parsing**: For each identified URL, the action extracts the domain - component (netloc) using standard URL parsing logic. + 1. **Authentication**: Connects to the Bandura Cyber API using provided credentials + (Username, Password, API Root). - 4. **List Lookup**: It queries the Bandura Cyber platform to find the internal - UUID associated with the provided 'List Name'. + 2. **Entity Filtering**: Identifies all URL entities within the current SecOps + context. - 5. **External Mutation**: The action performs a POST request to the Bandura Cyber - API to add the domain to the specified denied list, including the optional description - and expiration date if provided. + 3. **Domain Extraction**: For each URL, it parses the string to extract the 'netloc' + (the domain portion). - 6. **Result Processing**: It captures the API response for each entity and returns - a summary of the entities successfully added to the list. + 4. **List Resolution**: Queries the Bandura Cyber system to find the unique identifier + (UUID) for the denied list specified in the 'List Name' parameter. + 5. **External Update**: Sends a POST request to Bandura Cyber to add the extracted + domain to the identified denied list, including the description and expiration + date if provided. - ### Additional Notes - - - The action specifically targets the domain portion of a URL. If a full path - is included in the URL entity, only the root domain/subdomain will be blocked - in Bandura Cyber. - - - If the specified 'List Name' does not exist in the Bandura Cyber environment, - the action will fail to add the entities. + 6. **Reporting**: Returns a JSON result of the operation and updates the action + output message with the list of successfully added domains. capabilities: can_create_case_comments: false can_create_insight: false @@ -137,9 +148,9 @@ Add Domain to Denied Lists: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Adds domain entries to a specified denied list within the Bandura Cyber platform - via a POST request to the /denied-lists/domain/{uuid}/entries endpoint. - fetches_data: false + Adds a domain entry to a specified denied list in Bandura Cyber, which modifies + the security policy configuration of the external system. + fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false @@ -159,12 +170,38 @@ Add Domain to Denied Lists: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: true + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Add IP to Allowed Lists: ai_description: >- - Adds IP address entities to a specified IPv4 Allowed List in Bandura Cyber. This - action allows for automated whitelisting of IP addresses by adding them to existing - manual lists within the Bandura GMC platform. It supports specifying network masks, - descriptions, and expiration dates for each entry. + Adds IP Address entities to a specific IPv4 Allowed List in Bandura Cyber. This + action allows analysts to whitelist specific IP addresses to prevent them from + being blocked by Bandura security controls. It supports defining a network mask + (maskbit), an optional description for the entry, and an expiration date for temporary + whitelisting. ### Parameters @@ -173,36 +210,35 @@ Add IP to Allowed Lists: | :--- | :--- | :--- | :--- | - | List Name | String | Yes | The case-sensitive name of the Allowed List where - the IP will be added. | + | List Name | string | Yes | The exact name (case-sensitive) of the Allowed List + in Bandura Cyber where the IP should be added. | - | Description | String | No | A description to associate with the allowed list - entry. | + | Description | string | No | A descriptive note to associate with the IP entry + in the allowed list. | - | Maskbit | Integer | No | The network mask for the IP address (default is 32). - | + | Maskbit | string | No | The CIDR mask bit for the IP range (e.g., '32' for a + single host). Defaults to '32'. | - | Expiration Date | String | No | The date and time when the entry should be automatically - removed (Format: YYYY-MM-DDTHH:MM:SS.mmm+00:00). | + | Expiration Date | string | No | The date and time when the IP should be automatically + removed from the list (Format: YYYY-MM-DDTHH:MM:SS.SSS+00:00). | ### Flow Description - 1. **Authentication**: Connects to the Bandura Cyber API using the provided credentials - to obtain an access token. + 1. **Authentication**: The action authenticates with Bandura Cyber using the provided + credentials to obtain an access token. - 2. **List Identification**: Retrieves the unique identifier (UUID) for the specified - 'List Name' by querying the Bandura Cyber allowed lists. + 2. **List Identification**: It searches for the specified 'List Name' to retrieve + its unique identifier (UUID). - 3. **Entity Processing**: Filters the target entities to identify all IP Address - (ADDRESS) entities. + 3. **Entity Processing**: For each IP Address entity in the current context, it + sends a request to Bandura Cyber to add the IP to the identified list. - 4. **External Mutation**: For each identified IP, sends a POST request to Bandura - Cyber to add the address to the identified Allowed List using the provided mask, - description, and expiration date. + 4. **Configuration**: The request includes the IP address, the specified maskbit, + the description, and the expiration date if provided. - 5. **Result Reporting**: Aggregates the API responses and provides a summary of - the entities successfully added to the list. + 5. **Result Reporting**: The action collects the response for each entity and + provides a summary of which IPs were successfully added to the allowed list. capabilities: can_create_case_comments: false can_create_insight: false @@ -211,8 +247,8 @@ Add IP to Allowed Lists: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Adds IP addresses to a specified allowed list in the Bandura Cyber platform, - which modifies the active security policy of the external system. + Adds IP addresses to the 'Allowed List' configuration within the Bandura Cyber + platform, which modifies the active security policy of the external system. fetches_data: true internal_data_mutation_explanation: null categories: @@ -233,14 +269,37 @@ Add IP to Allowed Lists: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: true + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Add IP to Denied Lists: ai_description: >- - ### General Description - Adds IP Address entities to a specified Denied List in Bandura Cyber. This action - allows security teams to dynamically block malicious or suspicious IP addresses - by adding them to existing blocklists within the Bandura platform. It supports - specifying CIDR masks, descriptions, and expiration dates for each entry. + is used to block or restrict network traffic from specific IP addresses by including + them in managed security lists. The action allows for specifying the network mask, + an entry description, and an optional expiration date for the block. ### Parameters @@ -249,36 +308,36 @@ Add IP to Denied Lists: | :--- | :--- | :--- | :--- | - | List Name | String | Yes | The exact name of the Denied List to which the IP - will be added. Note: This value is case-sensitive. | + | List Name | string | Yes | The name of the Denied List where the IP will be + added. Note: This value is case-sensitive. | - | Description | String | No | A comment or description to be associated with the - IP entry in the Bandura list. | + | Description | string | No | A descriptive note to associate with the IP entry + in the denied list. | - | Maskbit | Integer | No | Defines the network mask for the IP address. Defaults - to 32 (single host). | + | Maskbit | string | No | Defines the range of IP addresses (CIDR mask) to add. + Defaults to '32' for a single host. | - | Expiration Date | String | No | The timestamp for when the IP should be removed - from the list. Expected format: `2020-01-01T12:00:00.000+00:00`. | + | Expiration Date | string | No | The date and time when the entity should be + automatically removed from the list (e.g., 2020-01-01T12:00:00.000+00:00). | ### Flow Description - 1. **Authentication**: The action authenticates with the Bandura Cyber API using - the configured credentials to obtain an access token. + 1. **Initialization**: The action retrieves the Bandura Cyber connection details + and the user-provided parameters (List Name, Maskbit, etc.). - 2. **Entity Filtering**: It identifies all entities of type `ADDRESS` (IP addresses) - within the current scope. + 2. **List Identification**: It queries the Bandura Cyber API to find the unique + identifier (UUID) for the Denied List matching the provided 'List Name'. - 3. **List Lookup**: For each IP, the action queries the Bandura API to find the - unique identifier (UUID) of the Denied List provided in the 'List Name' parameter. + 3. **Entity Processing**: It iterates through all IP Address entities associated + with the current alert/case. - 4. **Addition**: It sends a POST request to the Bandura API to add the IP address - to the identified Denied List, including the provided mask, description, and expiration - date. + 4. **External Mutation**: For each IP entity, it sends a POST request to the Bandura + Cyber API to add the IP address to the identified Denied List with the specified + configuration. - 5. **Result Processing**: The action collects the API responses and reports which - entities were successfully added to the list. + 5. **Reporting**: The action collects the API responses and provides a summary + of which entities were successfully added to the list. capabilities: can_create_case_comments: false can_create_insight: false @@ -287,8 +346,9 @@ Add IP to Denied Lists: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Adds IP addresses to a specified Denied List in the Bandura Cyber platform, - which modifies the active blocklist configuration. + Adds the specified IP address entity to a designated Denied List in Bandura + Cyber, which modifies the active security policy and blocking rules of the external + system. fetches_data: true internal_data_mutation_explanation: null categories: @@ -309,29 +369,52 @@ Add IP to Denied Lists: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: true + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Allowed Domain Lists: - ai_description: "### General Description\nThis action retrieves information about\ - \ Allowed Domain Lists from the Bandura Cyber platform. It allows users to fetch\ - \ either all available allowed domain lists or a specific list by providing its\ - \ name. The retrieved data is presented as a data table and attached as a JSON\ - \ file to the case for further analysis.\n\n### Parameters Description\n| Parameter\ - \ Name | Description | Type | Mandatory | Notes |\n| :--- | :--- | :--- | :---\ - \ | :--- |\n| List Name | The specific name of the allowed domain list to retrieve.\ - \ This parameter is case-sensitive. | String | No | If left empty, the action\ - \ will retrieve all available allowed domain lists. |\n\n### Additional Notes\n\ - - This action does not operate on specific entities (like IPs or Domains) within\ - \ the case; instead, it queries the global configuration of the Bandura Cyber\ - \ instance.\n- The action requires valid API credentials (Username and Password)\ - \ configured in the integration settings.\n\n### Flow Description\n1. **Authentication**:\ - \ The action starts by authenticating with the Bandura Cyber GMC API using the\ - \ provided credentials to obtain an access token.\n2. **Data Retrieval**: It calls\ - \ the Bandura Cyber API to fetch the allowed domain lists.\n3. **Filtering**:\ - \ If a `List Name` was provided as an input, the action filters the API response\ - \ to find the specific list matching that name.\n4. **Output Generation**: \n\ - \ - It creates a data table named 'Bandura Allowed Domain Lists' containing\ - \ the list details.\n - It attaches the raw JSON response as a file named 'allowed_domain_lists.txt'\ - \ to the case.\n5. **Cleanup**: The action logs out of the Bandura Cyber session\ - \ and terminates." + ai_description: "Retrieves information about Allowed Domain Lists from the Bandura\ + \ Cyber platform. This action allows users to fetch a comprehensive list of all\ + \ allowed domain configurations or filter for a specific list by its name. The\ + \ retrieved data is presented as a data table within the Google SecOps case and\ + \ also attached as a raw JSON file for further analysis.\n\n### Parameters\n|\ + \ Parameter Name | Description | Type | Mandatory | Notes |\n| :--- | :--- | :---\ + \ | :--- | :--- |\n| List Name | The specific name of the allowed domain list\ + \ to retrieve. This field is case-sensitive. | String | No | If omitted, the action\ + \ retrieves all available allowed domain lists. |\n\n### Flow Description\n1.\ + \ **Authentication**: The action establishes a session with the Bandura Cyber\ + \ API using the provided credentials (Username and Password).\n2. **Data Retrieval**:\ + \ It calls the Bandura Cyber API to fetch allowed domain list data. If a `List\ + \ Name` is provided, the results are filtered to match that specific name.\n3.\ + \ **Output Generation**: \n * The raw JSON response is added as an attachment\ + \ named `allowed_domain_lists.txt`.\n * A data table named `Bandura Allowed\ + \ Domain Lists` is created to display the list details in the UI.\n * The\ + \ results are also stored in the action's JSON result object.\n4. **Session Termination**:\ + \ The action explicitly logs out of the Bandura Cyber platform to close the session.\n\ + 5. **Completion**: The action concludes with a success message if lists are found,\ + \ or a failure message if no matching lists exist." capabilities: can_create_case_comments: false can_create_insight: false @@ -359,33 +442,68 @@ Get Allowed Domain Lists: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Allowed IP Lists: - ai_description: "### General Description\nRetrieves information about Allowed IPv4\ - \ Lists from the Bandura Cyber platform. This action allows users to fetch metadata\ - \ for all available allowed IP lists or filter for a specific list by its name.\ - \ The retrieved data, which typically includes list names, UUIDs, and configurations,\ - \ is presented as a data table and attached as a JSON file to the case for further\ - \ analysis.\n\n### Parameters Description\n\n| Parameter | Type | Mandatory |\ - \ Description |\n| :--- | :--- | :--- | :--- |\n| List Name | String | No | The\ - \ specific name of the Allowed IPv4 List to retrieve. Note: This parameter is\ - \ case-sensitive. If left empty, the action retrieves all available allowed IP\ - \ lists associated with the account. |\n\n### Additional Notes\n- This action\ - \ focuses on retrieving the list definitions/metadata. It does not retrieve the\ - \ individual IP entries contained within those lists.\n- The action requires valid\ - \ API credentials (Username and Password) configured in the integration settings.\n\ - \n### Flow Description\n1. **Initialization**: The action initializes the Bandura\ - \ Cyber manager using the provided API Root, Username, and Password.\n2. **Authentication**:\ - \ It performs a login request to the Bandura Cyber GMC API to obtain an access\ - \ token.\n3. **Data Retrieval**: The action calls the `show_allowed_ip_list` method,\ - \ which sends a GET request to the Bandura Cyber API to fetch the allowed IPv4\ - \ lists.\n4. **Filtering**: If a `List Name` is provided as an input, the action\ - \ filters the API response to return only the list that matches the specified\ - \ name.\n5. **Output Generation**: \n - The raw JSON results are added as an\ - \ attachment named `allowed_ip_lists.txt`.\n - A data table named `Bandura\ - \ Allowed IP Lists` is created to display the results in the SOAR interface.\n\ - \ - The results are also saved as the action's JSON result.\n6. **Cleanup**:\ - \ The action logs out of the Bandura Cyber session to ensure security and ends\ - \ the execution with a summary message." + ai_description: >- + Retrieves information about Allowed IPv4 Lists from the Bandura Cyber platform. + This action allows analysts to view all configured allowed IP lists or filter + for a specific list by name. The retrieved data includes list metadata such as + UUIDs, names, and descriptions, which are presented as a data table and a JSON + attachment within the case for further analysis. + + + ### Parameters + + | Parameter Name | Description | Type | Mandatory | Notes | + + | --- | --- | --- | --- | --- | + + | List Name | The specific name of the list to retrieve. This field is case-sensitive. + | String | No | If omitted, the action retrieves all available Allowed IPv4 Lists. + | + + + ### Flow Description + + 1. **Authentication**: The action authenticates with the Bandura Cyber API using + the provided credentials to obtain an access token. + + 2. **Data Retrieval**: It requests the collection of Allowed IPv4 Lists from the + Bandura Cyber management console. + + 3. **Filtering**: If a `List Name` is provided, the action filters the retrieved + collection to find the specific list matching the name. + + 4. **Output Generation**: The results are processed into three formats: a raw + JSON result, a CSV-formatted data table, and a text file attachment containing + the full JSON response. + + 5. **Session Termination**: The action explicitly logs out of the Bandura Cyber + session to ensure security and resource management. capabilities: can_create_case_comments: false can_create_insight: false @@ -413,27 +531,73 @@ Get Allowed IP Lists: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Denied Domain Lists: - ai_description: "### General Description\nThe **Get Denied Domain Lists** action\ - \ retrieves information about denied domain lists from the Bandura Cyber platform.\ - \ It allows users to view all available denied domain lists or filter for a specific\ - \ list by name. The retrieved data is presented as a data table and a JSON attachment\ - \ within the Google SecOps case wall for further analysis.\n\n### Parameters Description\n\ - | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ - | List Name | String | No | The specific name of the denied domain list to retrieve.\ - \ This parameter is case-sensitive. If left empty, the action retrieves all available\ - \ denied domain lists. |\n\n### Flow Description\n1. **Authentication**: The action\ - \ authenticates with the Bandura Cyber GMC API using the provided Username and\ - \ Password to obtain an access token.\n2. **Data Retrieval**: It performs a GET\ - \ request to the Bandura Cyber API to fetch the denied domain lists associated\ - \ with the account.\n3. **Filtering**: If the `List Name` parameter is provided,\ - \ the action filters the API response to find the specific list matching that\ - \ name.\n4. **Output Generation**: \n - The action attaches the raw JSON results\ - \ as a file named `denied_domain_lists.txt` to the case.\n - It constructs\ - \ and adds a data table named \"Bandura Denied Domain Lists\" to the case wall.\n\ - \ - It populates the action's JSON result with the retrieved data.\n5. **Session\ - \ Termination**: The action explicitly logs out of the Bandura Cyber platform\ - \ to invalidate the session token." + ai_description: >- + Retrieves information about denied domain lists from the Bandura Cyber platform. + This action allows users to fetch all available denied domain lists or filter + for a specific list by name. The retrieved data is presented as a data table within + the case and also provided as a raw JSON attachment for detailed analysis. + + + ### Flow Description + + 1. **Authentication:** The action authenticates with the Bandura Cyber API using + the provided credentials to obtain an access token. + + 2. **Data Retrieval:** It sends a GET request to the Bandura Cyber endpoint to + fetch the denied domain lists. + + 3. **Filtering:** If a 'List Name' parameter is provided, the action filters the + retrieved lists to find an exact, case-sensitive match. + + 4. **Output Generation:** The results are processed to create a data table and + a text file attachment containing the raw JSON data. + + 5. **Cleanup:** The action performs a logout to terminate the API session. + + + ### Parameters Description + + | Parameter Name | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | List Name | String | No | The specific name of the denied domain list to retrieve. + This value is case-sensitive. If omitted, all denied domain lists are returned. + | + + + ### Additional Notes + + - This action does not operate on specific entities within the case; it performs + a global lookup of configuration data from Bandura Cyber. + + - The action will fail if the provided credentials or API Root are incorrect. capabilities: can_create_case_comments: false can_create_insight: false @@ -444,8 +608,8 @@ Get Denied Domain Lists: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action adds a data table and a file attachment to the case wall containing - the retrieved denied domain list information. + The action adds a data table and a file attachment to the Google SecOps case + to display the retrieved domain list information. categories: enrichment: false entity_usage: @@ -463,44 +627,74 @@ Get Denied Domain Lists: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Denied IP Lists: ai_description: >- - ### General Description - Retrieves denied IPv4 lists from the Bandura Cyber platform. This action allows - users to fetch details about specific denied IP lists or all available lists associated - with the account to understand which IP ranges are currently being blocked. + users to fetch all denied IP lists or filter for a specific list by name. The + retrieved data is then presented within Google SecOps as a data table, a JSON + result, and a file attachment for further analysis. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Authentication:** Connects to the Bandura Cyber API using provided credentials + (Username and Password) to obtain an access token. - | :--- | :--- | :--- | :--- | + 2. **Data Retrieval:** Calls the Bandura Cyber API to fetch the denied IPv4 lists. + If a 'List Name' is provided, the results are filtered to match that specific + list. - | List Name | String | No | The name of the specific denied IP list to retrieve. - This parameter is case-sensitive. If not provided, the action retrieves all denied - IP lists. | + 3. **Session Termination:** Logs out of the Bandura Cyber session to ensure security + and resource management. + 4. **Output Generation:** If lists are found, the action attaches the raw JSON + as a file, constructs a CSV-formatted data table, and sets the action's JSON result. + If no lists are found, it reports the absence of data. - ### Flow Description - 1. **Authentication**: Connects to the Bandura Cyber API using the configured - credentials (Username and Password) to obtain an access token. + ### Parameters Description - 2. **Data Retrieval**: Calls the Bandura Cyber API to fetch denied IPv4 lists. + | Parameter Name | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | List Name | string | No | The specific name of the denied IP list to retrieve. + This field is case-sensitive. If left empty, all denied IP lists will be returned. + | - 3. **Filtering**: If a `List Name` is provided, the action filters the retrieved - lists to match the specified name. - 4. **Internal Updates**: Adds the raw JSON results as a file attachment named - `denied_ip_lists.txt` and creates a data table named `Bandura Denied IP Lists` - on the case wall for immediate visibility. + ### Additional Notes - 5. **Cleanup**: Logs out of the Bandura Cyber session to ensure security. + - This action does not operate on specific entities within a case; it performs + a global retrieval of list data from the Bandura Cyber platform. - 6. **Completion**: Returns a success message and the JSON results to the SOAR - platform. + - The action requires valid API Root, Username, and Password configuration to + function. capabilities: can_create_case_comments: false can_create_insight: false @@ -511,8 +705,8 @@ Get Denied IP Lists: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action adds a data table to the case wall and attaches a text file containing - the raw JSON results to the case. + The action adds a data table and a file attachment to the Google SecOps case + containing the retrieved denied IP list information. categories: enrichment: false entity_usage: @@ -530,60 +724,74 @@ Get Denied IP Lists: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: ai_description: >- - ### General Description - - The **Ping** action is a diagnostic tool designed to verify the connectivity and - authentication configuration between Google SecOps and the Bandura Cyber platform. - Its primary purpose is to ensure that the integration can successfully communicate - with the Bandura Cyber API using the provided credentials. - + Tests connectivity to the Bandura Cyber platform. This action validates the integration + configuration by attempting to authenticate with the provided credentials and + then logging out. It ensures that the API Root, Username, and Password are correct + and that the network connection is functional. - ### Parameters Description - | Parameter | Type | Mandatory | Description | + ### Flow Description - | :--- | :--- | :--- | :--- | + 1. **Initialization**: The action retrieves the integration configuration parameters, + including API Root, Username, Password, and SSL verification settings. - | **API Root** | String | Yes | The base URL for the Bandura Cyber API instance - (e.g., https://gmc.banduracyber.com/api/v2/). | + 2. **Authentication**: It instantiates the `BanduraCyberManager`, which automatically + attempts to log in to the Bandura Cyber API to obtain an access token via a POST + request. - | **Username** | String | Yes | The username used for authenticating with the - Bandura Cyber service. | + 3. **Session Termination**: The action calls the `logout` method to close the + session immediately after testing the connection. - | **Password** | String | Yes | The password used for authenticating with the - Bandura Cyber service. | + 4. **Result Validation**: It checks if an access token was successfully generated. + If so, it reports a successful connection; otherwise, it reports a failure. - | **Verify SSL** | Boolean | No | Determines whether to verify the SSL certificate - of the API endpoint. Defaults to `False`. | + ### Parameters Description - ### Additional Notes + | Parameter | Type | Mandatory | Description | - This action is a global utility and does not operate on specific entities (IPs, - Domains, etc.). It uses the integration's configuration parameters to perform - a test login and logout sequence. + | :--- | :--- | :--- | :--- | + | API Root | String | Yes | The base URL of the Bandura Cyber API instance. | - ### Flow Description + | Username | String | Yes | The username used for API authentication. | - 1. **Parameter Extraction**: The action retrieves the API Root, Username, Password, - and SSL verification settings from the integration configuration. + | Password | String | Yes | The password used for API authentication. | - 2. **Manager Initialization**: It initializes the `BanduraCyberManager`, which - automatically attempts a login (`POST /auth/login`) to the Bandura Cyber API to - retrieve an access token. + | Verify SSL | Boolean | No | If enabled, the action will verify the SSL certificate + of the API endpoint. Defaults to False. | - 3. **Session Termination**: The action immediately calls the `logout` method (`POST - /auth/logout`) to invalidate the session and clean up resources. - 4. **Connectivity Check**: It evaluates whether an access token was successfully - obtained during the initialization phase. + ### Additional Notes - 5. **Final Result**: If a token was retrieved, the action returns a success message - ("Connection Established"); otherwise, it returns a failure message ("Connection - Failed"). + * This action does not process any entities and is purely for diagnostic purposes. capabilities: can_create_case_comments: false can_create_insight: false @@ -611,3 +819,28 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/community/bandura_cyber/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/bandura_cyber/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..b927e7b41 --- /dev/null +++ b/content/response_integrations/third_party/community/bandura_cyber/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: true + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/be_secure/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/be_secure/resources/ai/actions_ai_description.yaml index 5475e6954..dc01bbdf7 100644 --- a/content/response_integrations/third_party/community/be_secure/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/be_secure/resources/ai/actions_ai_description.yaml @@ -2,41 +2,47 @@ Ping: ai_description: >- ### General Description - This action is designed to verify the connectivity between Google SecOps and the - beSECURE instance. It serves as a health check to ensure that the provided configuration - (URL and API Key) is valid and that the beSECURE API is reachable and responding - correctly. + The **Ping** action is designed to verify the connectivity and authentication + between Google SecOps and the beSECURE (Beyond Security) platform. It performs + a test API call to retrieve network information, ensuring that the provided URL + and API Key are valid and that the network path is open. ### Parameters Description There are no input parameters for this action. It relies entirely on the integration's - global configuration settings (URL, API Key, and SSL verification). + global configuration (URL, API Key, and SSL verification settings). - ### Flow Description + ### Additional Notes - 1. **Configuration Retrieval**: The action starts by fetching the integration's - configuration, including the API Key, URL, and SSL verification preference. + - This action is primarily used for troubleshooting and initial setup validation. - 2. **Data Sanitization**: The API Key is cleaned of any non-alphanumeric characters - (excluding hyphens) to ensure a valid request format. + - It specifically attempts to call the `returnnetworks` action on the beSECURE + API. - 3. **Connectivity Test**: The action performs a GET request to the beSECURE `/json.cgi` - endpoint. It specifically requests a list of networks (`action=returnnetworks`) - with a search limit and a recent scan time filter to validate that the API can - process administrative queries. + - The API Key is automatically sanitized to remove non-alphanumeric characters + (except hyphens) before the request is made. - 4. **Response Validation**: The script checks the JSON response for any error - keys. If the request is successful and no errors are returned, the action completes - with a success status. If an error is detected or the request fails, the action - reports a failure. + ### Flow Description - ### Additional Notes + 1. **Configuration Retrieval**: The action fetches the integration's global settings, + including the API Key, Base URL, and SSL verification preference. + + 2. **URL Formatting**: It ensures the URL is prefixed with the correct protocol + (HTTP/HTTPS). + + 3. **API Key Sanitization**: It cleans the API Key using a regular expression + to ensure only valid characters are sent. + + 4. **Connectivity Test**: It executes a GET request to the beSECURE `/json.cgi` + endpoint with hardcoded parameters (`primary="admin"`, `secondary="networks"`, + `action="returnnetworks"`) to simulate a data retrieval task. - This is a standard 'Ping' action used primarily for troubleshooting integration - setup and verifying credentials. + 5. **Validation**: The action checks the JSON response for an "error" key. If + an error is found or the request fails, the action reports a failure. Otherwise, + it returns a successful execution state. capabilities: can_create_case_comments: false can_create_insight: false @@ -64,3 +70,28 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/community/be_secure/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/be_secure/resources/ai/connectors_ai_description.yaml new file mode 100644 index 000000000..bbd1359e6 --- /dev/null +++ b/content/response_integrations/third_party/community/be_secure/resources/ai/connectors_ai_description.yaml @@ -0,0 +1,67 @@ +Pull reports: + ai_description: >- + ### General Description + + This connector integrates with Beyond Security's **beSECURE**, a Vulnerability + Assessment and Management solution. It automatically pulls vulnerability scan + reports and ingests them into Google SecOps as alerts and events. The connector + identifies vulnerable hosts, assesses their risk levels, and provides detailed + information about the vulnerabilities found during network scans. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | URL | String | Yes | The base URL of the beSECURE instance (e.g., `https://besecure.company.com`). + | + + | API Key | Password | Yes | The API Key used to authenticate requests to the + beSECURE API. | + + | Check Every X Minutes | String | Yes | The time interval (in minutes) to look + back for completed scans. | + + | Verify SSL Certificate? | Boolean | No | If set to true, the connector will + verify the SSL certificate of the beSECURE server. | + + | DeviceProductField | String | Yes | The field name used to determine the device + product in the ingested data. | + + | EventClassId | String | No | The field name used to determine the event name + or sub-type. | + + | PythonProcessTimeout | String | Yes | The maximum time (in seconds) allowed + for the connector script to run. | + + + ### Flow Description + + 1. **Connection**: The connector establishes a connection to the beSECURE API + using the provided URL and API Key. + + 2. **Scan Discovery**: It queries for network scans that have finished within + the specified lookback window (defined by the 'Check Every X Minutes' parameter). + + 3. **Deduplication**: The connector maintains a local state file (`previous_scans.json`) + to track processed scan IDs and scan numbers, ensuring that the same report is + not ingested multiple times. + + 4. **Report Retrieval**: For each new scan identified, the connector fetches the + full vulnerability report in JSON format. + + 5. **Vulnerability Filtering**: It parses the report and filters for vulnerable + hosts that have a `RiskFactor` of 1 or higher. + + 6. **Alert Mapping**: Each vulnerability is mapped to a Google SecOps alert. The + priority is determined by the `RiskFactor` (1 maps to Low, 4 to Medium, and 8 + to High). + + 7. **Event Creation**: Detailed event data is generated for each vulnerability, + including the Host ID, Destination Address, Port, Protocol, and the specific Test + Category/ID. + + 8. **Ingestion**: The mapped alerts and events are packaged and sent to Google + SecOps for case creation and alert creation. diff --git a/content/response_integrations/third_party/community/be_secure/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/be_secure/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..dda0f4c70 --- /dev/null +++ b/content/response_integrations/third_party/community/be_secure/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + siem: false + threat_intelligence: false + vulnerability_management: true diff --git a/content/response_integrations/third_party/community/bitdefender_gravity_zone/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/bitdefender_gravity_zone/resources/ai/actions_ai_description.yaml index 6a61bb207..efcfd4add 100644 --- a/content/response_integrations/third_party/community/bitdefender_gravity_zone/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/bitdefender_gravity_zone/resources/ai/actions_ai_description.yaml @@ -1,25 +1,43 @@ Blocklist - Add Hashes: - ai_description: "### General Description\nThe **Blocklist - Add Hashes** action\ - \ allows users to programmatically add file hashes to the Bitdefender GravityZone\ - \ blocklist. This is a containment action used to prevent specific malicious files\ - \ from executing across the environment managed by Bitdefender. It supports both\ - \ MD5 and SHA256 hash formats.\n\n### Parameters Description\n| Parameter | Type\ - \ | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| **Hash List**\ - \ | String | Yes | A comma-separated list of SHA256 or MD5 hashes to be blocked.\ - \ |\n| **Source Info** | String | Yes | A description or reason for blocking these\ - \ hashes (e.g., 'Determined to be malicious'). |\n\n### Flow Description\n1. **Configuration\ - \ Extraction**: The action retrieves the Bitdefender API Key, Access URL, and\ - \ SSL verification settings from the integration configuration.\n2. **Input Parsing**:\ - \ It extracts the `Hash List` and `Source Info` provided as action parameters.\n\ - 3. **Hash Categorization**: The logic splits the comma-separated string and uses\ - \ regular expressions to categorize each hash as either MD5 or SHA256.\n4. **API\ - \ Interaction**: \n - If SHA256 hashes are identified, it sends a request to\ - \ the Bitdefender `addToBlocklist` endpoint with the appropriate type identifier.\n\ - \ - If MD5 hashes are identified, it sends a separate request to the same endpoint\ - \ with the MD5 type identifier.\n5. **Validation**: If any hashes in the list\ - \ do not conform to MD5 or SHA256 formats, the action raises an error and stops\ - \ execution.\n6. **Result Reporting**: Upon successful API calls, the action returns\ - \ a JSON result containing the lists of hashes that were successfully submitted." + ai_description: >- + Adds one or more file hashes to the Bitdefender GravityZone blocklist. This action + allows security teams to proactively block malicious files across their managed + endpoints by providing a list of MD5 or SHA256 hashes. The action validates the + hash format, categorizes them by type, and submits them to the GravityZone Control + Center with associated source information for context. + + + ### Parameters Description + + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Hash List | string | True | A comma-separated list of SHA256 or MD5 hashes to + be added to the blocklist. | + + | Source Info | string | True | A description or context for the hashes (e.g., + 'Determined to be malicious' or 'IOC from threat report'). | + + + ### Flow Description + + + 1. **Initialization**: Connects to the Bitdefender GravityZone Control Center + using the provided API Key and Access URL. + + 2. **Parsing**: Splits the provided 'Hash List' string into individual hash values. + + 3. **Validation and Categorization**: Iterates through the hashes, using regex + to identify whether each is an MD5 or SHA256 hash. Any unsupported hash formats + will cause the action to fail. + + 4. **Submission**: Sends separate API requests to the Bitdefender GravityZone + 'addToBlocklist' endpoint for the collected SHA256 hashes and MD5 hashes. + + 5. **Completion**: Returns a JSON result containing the lists of successfully + processed hashes categorized by type. capabilities: can_create_case_comments: false can_create_insight: false @@ -28,8 +46,9 @@ Blocklist - Add Hashes: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Adds file hashes to the Bitdefender GravityZone blocklist, which modifies the - security policy and prevention state of the external Bitdefender environment. + Adds file hashes to the Bitdefender GravityZone blocklist, which changes the + security policy state in the external system to prevent the execution of those + files. fetches_data: false internal_data_mutation_explanation: null categories: @@ -49,14 +68,41 @@ Blocklist - Add Hashes: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: true + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Blocklist - List Items: ai_description: >- ### General Description - This action retrieves a comprehensive list of all file hashes (MD5 and SHA256) - currently stored in the Bitdefender GravityZone blocklist. It is primarily used - for auditing blocked items or verifying the current state of the environment's - hash-based prevention rules. + This action retrieves a comprehensive list of all file hashes (such as MD5 and + SHA256) currently stored in the Bitdefender GravityZone blocklist. It is primarily + used for auditing existing security controls, verifying blocked indicators, or + synchronizing threat intelligence across multiple security platforms. The action + interacts with the Bitdefender GravityZone Incidents API and handles pagination + automatically to ensure the entire blocklist is captured. ### Parameters Description @@ -65,42 +111,44 @@ Blocklist - List Items: | :--- | :--- | :--- | :--- | - | Use JSON Filter | String | No | Intended for filtering results, though not currently - utilized by the underlying API call logic in this specific action. | + | Use JSON Filter | String | No | A flag or configuration string used to determine + if the results should be filtered using JSON logic. Note: The current implementation + fetches the full list. | - | Filter | String | No | Intended for filtering results, though not currently - utilized by the underlying API call logic in this specific action. | + | Filter | String | No | Specific criteria used to filter the blocklist items + retrieved from the server. | - | Parent ID | String | No | Intended to scope the request to a specific parent - container, though not currently utilized by the underlying API call logic in this - specific action. | + | Parent ID | String | No | The unique identifier of a parent group or container + to narrow down the scope of the blocklist. | - | Endpoints | String | No | Intended to scope the request to specific endpoints, - though not currently utilized by the underlying API call logic in this specific - action. | + | Endpoints | String | No | Specifies the endpoint scope (e.g., 'Managed', 'Unmanaged') + to consider when listing blocklist items. | - ### Additional Notes + ### Flow Description - While the action extracts several parameters (Filter, Parent ID, etc.) from the - UI, the current implementation of the `blocklist_hashes_list` method in the Bitdefender - manager retrieves the entire blocklist without applying these specific filters - to the API request. + 1. **Authentication**: The action initializes a connection to the Bitdefender + GravityZone Control Center using the provided API Key and Access URL. + 2. **Request Initiation**: It calls the `getBlocklistItems` method via a POST + request to the Incidents API endpoint. - ### Flow Description + 3. **Pagination Handling**: The action checks for multiple pages of results. If + more than one page exists, it iteratively fetches all subsequent pages to compile + a complete list of hashes. + + 4. **Data Output**: The final compiled list of blocklist objects is returned as + a JSON result and made available for subsequent playbook steps. - 1. **Authentication**: Establishes a connection to the Bitdefender GravityZone - Control Center using the provided API Key and Access URL. - 2. **Data Retrieval**: Executes the `getBlocklistItems` JSON-RPC method against - the Incidents API endpoint. + ### Additional Notes - 3. **Pagination**: Automatically handles paginated responses from the API to ensure - all blocked items are collected into a single list. + * This action does not require or process specific entities from the SOAR case; + it performs a global retrieval of the blocklist configuration. - 4. **Output**: Consolidates the retrieved items and returns them as a JSON object - in the action's results for further processing in the playbook. + * Although parameters like 'Filter' and 'Parent ID' are extracted, the underlying + manager method for listing blocklist items currently requests the full set of + items from the API. capabilities: can_create_case_comments: false can_create_insight: false @@ -128,43 +176,71 @@ Blocklist - List Items: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Blocklist - Remove Item: ai_description: >- - ### General Description + Removes a specific hash entry from the Bitdefender GravityZone blocklist using + its unique Hash ID. This action is used to manage and clean up the blocklist by + targeting specific items previously added to the security environment's restricted + list. - Removes a specific hash entry from the Bitdefender GravityZone blocklist. This - action is used to manage the blocklist by deleting entries identified by their - unique internal ID, effectively unblocking the associated file hash in the Bitdefender - environment. + ### Flow Description - ### Parameters Description + 1. **Authentication**: Connects to the Bitdefender GravityZone Control Center + using the provided API Key and Access URL. - | Parameter Name | Description | Type | Mandatory | + 2. **Parameter Extraction**: Retrieves the mandatory `Hash ID` from the action + parameters. - | :--- | :--- | :--- | :--- | + 3. **API Execution**: Calls the `removeFromBlocklist` method via the Bitdefender + API, passing the specific Hash ID. - | Hash ID | The unique internal identifier of the item in the Bitdefender blocklist - to be deleted (e.g., a UUID). | String | Yes | + 4. **Result Handling**: Evaluates the API response to determine if the removal + was successful and reports the final status to the SOAR platform. - ### Flow Description + ### Parameters Description - 1. **Authentication**: Establishes a connection to the Bitdefender GravityZone - Control Center using the provided API Key and Access URL. + | Parameter | Description | Type | Mandatory | - 2. **Request Execution**: Sends a JSON-RPC request to the Bitdefender API using - the `removeFromBlocklist` method, passing the `Hash ID` as the target identifier. + | :--- | :--- | :--- | :--- | - 3. **Result Handling**: Evaluates the API response. If the operation is successful, - the action completes with a success status; otherwise, it reports a failure. + | Hash ID | The unique identifier (UUID) of the item in the Bitdefender Blocklist + that needs to be deleted. | String | Yes | ### Additional Notes - Note that the `Hash ID` refers to the internal ID assigned by Bitdefender to the - blocklist entry, not the MD5 or SHA256 hash value itself. To find this ID, one - might typically use a 'List Blocklist' action first. + * This action does not process entities from the case; it operates strictly on + the provided `Hash ID` parameter. + + * The Hash ID is typically obtained from a previous 'List Blocklist' action or + external Bitdefender logs. capabilities: can_create_case_comments: false can_create_insight: false @@ -173,8 +249,8 @@ Blocklist - Remove Item: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Removes a hash entry from the Bitdefender GravityZone blocklist, which changes - the security policy state in the external Bitdefender system. + Removes a specific hash entry from the Bitdefender GravityZone blocklist, effectively + changing the security policy state in the external system. fetches_data: false internal_data_mutation_explanation: null categories: @@ -194,15 +270,40 @@ Blocklist - Remove Item: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: true + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Create Scan Task: ai_description: >- ### General Description - Creates a scan task in Bitdefender GravityZone for specified target endpoints - or containers. This action allows security teams to initiate various types of - scans (Quick, Full, Memory, or Custom) on demand to identify potential threats - on managed systems. Note: While the internal metadata description mentions isolation, - the actual implementation and API calls are strictly for creating scan tasks. + This action creates and initiates a scan task in Bitdefender GravityZone for specified + target IDs. It allows security teams to remotely trigger various types of scans + (Quick, Full, Memory, or Custom) on endpoints or containers to identify potential + threats. For custom scans, users can further define the scan depth and specific + file paths to be analyzed. ### Parameters Description @@ -211,46 +312,50 @@ Create Scan Task: | :--- | :--- | :--- | :--- | - | Target IDs | String | Yes | A comma-separated list of IDs for the targets (endpoints - or containers) to be scanned. | + | Target IDs | String | Yes | A comma-separated list of IDs representing the endpoints + or containers to be scanned. | - | Scan Type | DDL | Yes | The type of scan to perform. Available options: Quick - (1), Full (2), Memory (3), Custom (4). | + | Scan Type | DDL | Yes | The type of scan to perform. Options include: Quick, + Full, Memory, or Custom. | - | Task Name | String | No | A custom name for the scan task. If not provided, - the name is automatically generated by Bitdefender. | + | Task Name | String | No | An optional name for the scan task. If not provided, + Bitdefender will automatically generate a name. | - | Custom Scan - Depth | DDL | No | The scanning intensity for 'Custom' scans. - Options: Aggressive (1), Normal (2), Permissive (3). Defaults to Normal. | + | Custom Scan - Depth | DDL | No | Specifies the scan intensity for 'Custom' scan + types. Options: Aggressive, Normal, or Permissive. Defaults to Normal. | | Custom Scan - Paths | String | No | A comma-separated list of target paths to - be scanned. This is only used when the Scan Type is set to 'Custom'. Defaults - to LocalDrives. | + be scanned. This is only utilized when the Scan Type is set to 'Custom'. | ### Additional Notes - * The 'Custom Scan' parameters (Depth and Paths) are only processed by the Bitdefender - API when the 'Scan Type' is explicitly set to 'Custom'. + * **Discrepancy Note:** While the metadata description in the configuration + file mentions isolating endpoints, the actual implementation logic and API calls + are strictly for creating scan tasks. - * This action does not automatically process SOAR entities; it requires the manual - input of Target IDs. + * **Custom Scan Logic:** The 'Custom Scan - Depth' and 'Custom Scan - Paths' + parameters are only processed by the Bitdefender API when the 'Scan Type' is set + to 'Custom'. ### Flow Description - 1. **Authentication**: Connects to the Bitdefender GravityZone Control Center - using the API Key and Access URL provided in the integration configuration. + 1. **Configuration Extraction:** Retrieves the API Key, Access URL, and SSL verification + settings from the integration configuration. + + 2. **Parameter Extraction:** Collects the target IDs, scan type, task name, and + custom scan settings from the action inputs. - 2. **Parameter Mapping**: Converts the user-selected scan type and depth strings - into the specific integer values required by the Bitdefender JSON-RPC API. + 3. **Manager Initialization:** Initializes the Bitdefender GravityZone Manager + using the provided credentials. - 3. **Task Creation**: Sends a `createScanTask` POST request to the Bitdefender - network endpoint with the target IDs and scan configuration. + 4. **Task Creation:** Sends a POST request to the Bitdefender API's `createScanTask` + method with the mapped scan parameters and target IDs. - 4. **Status Reporting**: Evaluates the API response and terminates the action - with a success or failure message based on whether the task was successfully created - in Bitdefender. + 5. **Result Handling:** Evaluates the API response and ends the action with a + success or failure status based on whether the task was successfully created in + the external system. capabilities: can_create_case_comments: false can_create_insight: false @@ -259,8 +364,8 @@ Create Scan Task: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new scan task (job) in the Bitdefender GravityZone Control Center - for the specified target IDs. + Creates a new scan task record and initiates a scanning process on remote endpoints + within the Bitdefender GravityZone environment. fetches_data: false internal_data_mutation_explanation: null categories: @@ -280,65 +385,84 @@ Create Scan Task: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: true + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Create Scan Task by MAC Address: ai_description: >- - ### General Description - - This action generates a scan task for managed endpoints within Bitdefender GravityZone, - identified by their MAC addresses. It allows security analysts to trigger various - types of scans (Quick, Full, Memory, or Custom) directly from Google SecOps to - remediate or investigate potential threats on specific network interfaces. + Generates a scan task for managed endpoints in Bitdefender GravityZone identified + by their MAC addresses. This action allows security administrators to remotely + trigger various types of scans (Quick, Full, Memory, or Custom) on specific devices + to identify potential threats. It supports scanning up to 100 MAC addresses in + a single execution and allows for detailed configuration when performing custom + scans, including scan depth and specific file paths. ### Parameters Description + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | | MAC Addresses | String | Yes | A comma-separated list of MAC addresses for the - endpoints to be scanned. A maximum of 100 MAC addresses can be processed in a - single request. | + endpoints to be scanned. Maximum of 100 addresses allowed. | - | Scan Type | DDL | Yes | The category of scan to perform. Options include: Quick, - Full, Memory, or Custom. | + | Scan Type | DDL | Yes | The type of scan to perform. Options: Quick, Full, Memory, + Custom. | | Task Name | String | No | A custom name for the scan task. If omitted, Bitdefender will automatically generate a name. | - | Custom Scan - Depth | DDL | No | Specifies the scanning intensity (Aggressive, - Normal, Permissive). This is only applicable when 'Scan Type' is set to 'Custom'. - | - - | Custom Scan - Paths | String | No | A comma-separated list of specific file - system paths to scan. This is only applicable when 'Scan Type' is set to 'Custom'. - | + | Custom Scan - Depth | DDL | No | The scanning intensity. Options: Aggressive, + Normal, Permissive. Only applicable if 'Scan Type' is set to 'Custom'. | + | Custom Scan - Paths | String | No | A comma-separated list of target file paths + to be scanned. Only applicable if 'Scan Type' is set to 'Custom'. | - ### Additional Notes - - This action does not utilize Google SecOps entities (e.g., MAC entities in the - case). Instead, it relies entirely on the MAC addresses provided in the input - parameter. + ### Flow Description - - There is a known discrepancy between the parameter name in the configuration - (`MAC Addresses`) and the identifier used in the script logic (`Target IDs`), - which may require alignment for successful execution. + 1. **Configuration Extraction:** Retrieves the Bitdefender API Key, Access URL, + and SSL verification settings from the integration configuration. - ### Flow Description + 2. **Parameter Parsing:** Extracts the target MAC addresses, scan type, task name, + and custom scan settings from the action input. - 1. **Configuration Extraction:** The action retrieves integration credentials - (API Key, Access URL) and user-provided scan parameters. + 3. **Manager Initialization:** Establishes a connection to the Bitdefender GravityZone + Control Center using the provided credentials. - 2. **Manager Initialization:** It establishes a connection to the Bitdefender - GravityZone Control Center using the provided API Key. + 4. **Validation:** Checks if the number of MAC addresses provided exceeds the + limit of 100. - 3. **Task Creation:** The action calls the `createScanTaskByMac` API method, passing - the list of MAC addresses and the specified scan configuration (type, depth, paths). + 5. **Task Creation:** Sends a JSON-RPC request to the Bitdefender API (method: + `createScanTaskByMac`) with the mapped scan parameters and target identifiers. - 4. **Status Reporting:** The action evaluates the API response and returns a success - or failure status to the Google SecOps platform. + 6. **Result Handling:** Reports whether the scan task was successfully created + in the external system. capabilities: can_create_case_comments: false can_create_insight: false @@ -347,8 +471,8 @@ Create Scan Task by MAC Address: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new scan task in the Bitdefender GravityZone Control Center for the - specified endpoints. + Creates a new scan task in the Bitdefender GravityZone environment, which triggers + an active security operation on the target endpoints. fetches_data: false internal_data_mutation_explanation: null categories: @@ -368,15 +492,40 @@ Create Scan Task by MAC Address: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: true + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Custom Groups List: ai_description: >- ### General Description - The **Get Custom Groups List** action retrieves a list of child groups nested - under a specific parent group within the Bitdefender GravityZone environment. - This action is primarily used for organizational discovery, allowing users to - identify group hierarchies and retrieve specific Group IDs required for other - management tasks. + The **Get Custom Groups List** action retrieves a list of child groups associated + with a specific parent group within Bitdefender GravityZone. This utility is designed + to help analysts navigate the organizational structure of managed endpoints. If + no `Parent ID` is provided, the action defaults to returning the root-level groups, + specifically 'Computers and Groups' and 'Deleted'. ### Parameters Description @@ -386,25 +535,29 @@ Get Custom Groups List: | :--- | :--- | :--- | :--- | | **Parent ID** | String | No | The unique identifier of the parent group for - which child groups should be listed. If this parameter is left empty (null), the - action defaults to returning the top-level 'Computers and Groups' and 'Deleted' + which child groups should be listed. If left empty, the action retrieves the top-level groups. | ### Flow Description - 1. **Authentication**: The action connects to the Bitdefender GravityZone Control - Center using the API Key, Access URL, and SSL verification settings defined in - the integration configuration. + 1. **Authentication**: Establishes a connection to the Bitdefender GravityZone + Control Center using the provided API Key and Access URL. - 2. **API Request**: It executes the `getCustomGroupsList` method via the Bitdefender - API, passing the optional `Parent ID` to filter the results. + 2. **Request**: Executes the `getCustomGroupsList` JSON-RPC method via a POST + request to the Network API endpoint. - 3. **Data Validation**: The response is validated to ensure a successful connection - and valid data retrieval from the external system. + 3. **Processing**: Passes the `Parent ID` (if provided) to filter the results + to a specific branch of the group tree. + + 4. **Output**: Returns the resulting list of groups and their metadata in a JSON + format for use in subsequent playbook steps. + + + ### Additional Notes - 4. **Output Generation**: The retrieved list of groups and their metadata is processed - and returned as a JSON result for use in subsequent playbook logic. + - This action does not operate on specific SOAR entities; it is a utility for + querying the Bitdefender environment structure. capabilities: can_create_case_comments: false can_create_insight: false @@ -432,15 +585,40 @@ Get Custom Groups List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Endpoints List: ai_description: >- ### General Description Retrieves a comprehensive list of endpoints from the Bitdefender GravityZone Control - Center. This action allows users to search and filter endpoints based on management - status, security roles, network location, and specific identifiers like MAC addresses - or SSIDs. It is primarily used for asset discovery and inventory verification - within the security environment. + Center. This action allows analysts to query the network inventory and filter + results based on management status, specific roles (like Relays or Exchange servers), + and identifiers such as MAC addresses or SSIDs. It is primarily used for asset + discovery and visibility within the Bitdefender environment. ### Parameters Description @@ -449,62 +627,63 @@ Get Endpoints List: | :--- | :--- | :--- | :--- | - | **Endpoints** | DDL | Yes | Determines whether to return 'Managed', 'Unmanaged', - or 'All' endpoints. | + | **Endpoints** | DDL | Yes | Determines whether to return 'All', 'Managed', or + 'Unmanaged' endpoints. | - | **Parent ID** | String | No | The ID of the target company or group. If omitted, - returns endpoints under Computers and Groups. | + | **Parent ID** | String | No | The ID of the target company or group to narrow + the search scope. | - | **Filter - Managed with BEST** | Boolean | No | If true, filters for endpoints - with the Bitdefender Endpoint Security Tools (BEST) agent installed. | - - | **Filter - Managed Exchange Servers** | Boolean | No | If true, filters for - protected Exchange servers. | + | **Filter - SSID** | String | No | Filters endpoints by their Active Directory + Security Identifier (SID). | - | **Filter - Managed Relays** | Boolean | No | If true, filters for endpoints - acting as Relays. | + | **Filter - Depth - All Items Recursively** | Boolean | No | If true, searches + all endpoints recursively within the company's network inventory. | - | **Filter - Security Servers** | Boolean | No | If true, filters for Security - Servers. | + | **Filter - Security Servers** | Boolean | No | Filters the list to include only + Security Servers. | - | **Filter - Depth - All Items Recursively** | Boolean | No | If true, searches - all endpoints recursively within the network inventory. | + | **Filter - Managed Relays** | Boolean | No | Filters the list to include only + endpoints with the Relay role. | - | **Filter - SSID** | String | No | Filters endpoints by their Active Directory - SID. | + | **Filter - Managed Exchange Servers** | Boolean | No | Filters the list to include + only protected Exchange servers. | - | **Filter - MAC Addresses** | String | No | A comma-separated list of MAC addresses - to filter the results. | + | **Filter - Managed with BEST** | Boolean | No | Filters for endpoints that have + the Bitdefender Endpoint Security Tools (BEST) agent installed. | | **Filter - Name** | String | No | Filters items by name. Requires a minimum of three characters. | + | **Filter - MAC Addresses** | String | No | A comma-separated list of MAC addresses + to filter the endpoints. | + ### Additional Notes - - The **Filter - Name** parameter has a strict requirement: if provided, the string - must be at least 3 characters long, otherwise the action will fail with an error. + - The **Filter - Name** parameter requires at least 3 characters to be processed + by the Bitdefender API; otherwise, the action will raise an error. - - This action does not operate on specific entities within a case; it performs - a global or scoped query against the Bitdefender environment. + - This action does not operate on specific SOAR entities but rather performs a + global query against the Bitdefender inventory. ### Flow Description - 1. **Configuration Extraction**: Retrieves API credentials (API Key, Access URL) - and SSL verification settings. + 1. **Initialization**: Extracts integration configuration (API Key, URL) and action + parameters (filters). - 2. **Parameter Parsing**: Collects all filtering criteria from the action input, - including the mandatory 'Endpoints' selection. + 2. **Connection**: Establishes a session with the Bitdefender GravityZone API + using Basic Authentication. - 3. **Manager Initialization**: Establishes a connection to the Bitdefender GravityZone - API using the provided credentials. + 3. **Request Construction**: Builds a JSON-RPC request for the `getEndpointsList` + method, applying all provided filters. - 4. **Data Retrieval**: Executes a paginated JSON-RPC request (`getEndpointsList`) - to the Bitdefender Network API endpoint. + 4. **Data Retrieval**: Executes the request. If the results span multiple pages, + the action automatically iterates through all pages to collect the full list of + endpoints. - 5. **Result Processing**: Aggregates all items from paginated responses and returns - the final list as a JSON object for use in subsequent playbook steps. + 5. **Output**: Returns the aggregated list of endpoints as a JSON object and completes + the execution. capabilities: can_create_case_comments: false can_create_insight: false @@ -532,14 +711,40 @@ Get Endpoints List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Hourly Usage for EC2 Instances: ai_description: >- ### General Description - Retrieves hourly usage statistics for Amazon EC2 instance categories (such as - micro, medium, etc.) from Bitdefender GravityZone for a specified month. This - action is primarily used for monitoring and reporting on cloud infrastructure - usage managed within the GravityZone environment. + The **Get Hourly Usage for EC2 Instances** action retrieves detailed hourly usage + statistics for Amazon EC2 instance categories (such as micro, medium, etc.) from + the Bitdefender GravityZone Control Center. This action is primarily used for + auditing and monitoring license consumption or operational usage of AWS resources + managed through Bitdefender for a specific month. ### Parameters Description @@ -549,32 +754,28 @@ Get Hourly Usage for EC2 Instances: | :--- | :--- | :--- | :--- | | Target Month | String | Yes | The month for which the usage data is retrieved. - The value must be provided in the format `mm/yyyy` (e.g., 01/2020). If not specified, - the integration logic typically defaults to the current month. | + The value must be provided in the `mm/yyyy` format (e.g., 05/2023). | - ### Additional Notes - - This action does not operate on specific entities (like IP addresses or Hostnames) - within a case. Instead, it performs a global query against the Bitdefender GravityZone - API to fetch account-level or integration-level usage data. + ### Flow Description + 1. **Connection**: The action initializes a connection to the Bitdefender GravityZone + Control Center using the configured API Key and Access URL. - ### Flow Description + 2. **Request**: It sends a JSON-RPC request using the `getHourlyUsageForAmazonEC2Instances` + method, passing the `Target Month` as a parameter. - 1. **Configuration Extraction**: Retrieves the API Key, Access URL, and SSL verification - settings from the integration configuration. + 3. **Processing**: The action receives the hourly usage data from the external + system. - 2. **Parameter Parsing**: Extracts the `Target Month` provided by the user. + 4. **Output**: The retrieved data is added to the action's JSON results, making + it available for subsequent playbook tasks. - 3. **API Connection**: Initializes the Bitdefender GravityZone Manager and establishes - a connection to the Control Center. - 4. **Data Retrieval**: Calls the `getHourlyUsageForAmazonEC2Instances` API method - to fetch the usage data for the specified month. + ### Additional Notes - 5. **Result Processing**: Returns the retrieved usage data as a JSON object and - completes the action execution. + - This action does not require or process any SecOps entities (IPs, Hostnames, + etc.); it performs a global lookup based on the provided month parameter. capabilities: can_create_case_comments: false can_create_insight: false @@ -602,22 +803,73 @@ Get Hourly Usage for EC2 Instances: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Managed Endpoint Details: - ai_description: "Retrieves detailed information about a specific managed endpoint\ - \ from Bitdefender GravityZone. This action provides comprehensive data including\ - \ endpoint identification, security agent details, and the operational status\ - \ of various protection modules. \n\n### Parameters\n| Parameter | Type | Mandatory\ - \ | Description |\n| :--- | :--- | :--- | :--- |\n| Endpoint ID | string | Yes\ - \ | The unique identifier of the endpoint for which details are being requested.\ - \ |\n\n### Flow Description\n1. **Configuration Extraction:** Retrieves the API\ - \ Key, Access URL, and SSL verification settings from the integration configuration.\n\ - 2. **Parameter Extraction:** Retrieves the mandatory `Endpoint ID` from the action\ - \ parameters.\n3. **API Connection:** Establishes a connection to the Bitdefender\ - \ GravityZone Control Center using the provided credentials.\n4. **Data Retrieval:**\ - \ Executes the `getManagedEndpointDetails` method via the Bitdefender API to fetch\ - \ the endpoint's metadata and module status.\n5. **Result Processing:** Returns\ - \ the retrieved endpoint data as a JSON object for use in subsequent playbook\ - \ steps." + ai_description: >- + ### General Description + + The **Get Managed Endpoint Details** action retrieves comprehensive metadata and + status information for a specific endpoint managed within Bitdefender GravityZone. + It is primarily used to gain visibility into an asset's security posture, including + agent details and the operational status of various protection modules (e.g., + Antimalware, Firewall, Content Control). + + + ### Parameters + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Endpoint ID | String | Yes | The unique identifier of the endpoint in Bitdefender + GravityZone for which details are requested. | + + + ### Flow Description + + 1. **Initialization**: The action extracts the necessary API credentials (API + Key, Access URL) and the target `Endpoint ID` from the action parameters. + + 2. **Connection**: It establishes a secure connection to the Bitdefender GravityZone + JSON-RPC API using the provided credentials. + + 3. **Data Retrieval**: The action executes the `getManagedEndpointDetails` method + to fetch the endpoint's configuration, security agent details, and module status. + + 4. **Result Processing**: The retrieved data is attached to the action's results + as a JSON object, making it available for subsequent playbook logic. + + + ### Additional Notes + + This action does not automatically iterate over entities in the SecOps case; it + requires a specific `Endpoint ID` provided as an input parameter. If you need + to run this for entities in a case, you must first obtain their Bitdefender IDs + (e.g., via a search action) and pass them to this action. capabilities: can_create_case_comments: false can_create_insight: false @@ -629,7 +881,7 @@ Get Managed Endpoint Details: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: true + enrichment: false entity_usage: entity_types: [] filters_by_additional_properties: false @@ -645,90 +897,116 @@ Get Managed Endpoint Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Network Inventory Items: ai_description: >- - ### General Description - Retrieves a list of network inventory items from Bitdefender GravityZone. This - action allows users to search for and list various network objects such as endpoints, - virtual machines, security servers, and custom groups managed within the GravityZone - environment. It provides extensive filtering capabilities to narrow down results - based on management status, roles (e.g., Relay, Exchange), or specific identifiers - like MAC addresses and SSIDs. + action allows users to query the Bitdefender environment for various asset types, + including computers, virtual machines, Amazon EC2 instances, and security servers. + It supports complex filtering by name (partial match), MAC addresses, and SSIDs. + The results are returned as a JSON array, providing detailed metadata about the + discovered assets. ### Parameters Description + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Filter - Name | String | No | Filters items by name. Supports partial matching. - Requires a minimum of 3 characters. | + | Filter - Name | String | No | Filters items by name. Requires a minimum of 3 + characters. Supports partial matching and wildcards (*). | - | Filter - MAC Addresses | String | No | A comma-separated list of MAC addresses + | Filter - MAC Addresses | String | No | Comma-separated list of MAC addresses to filter endpoints. | | Filter - SSID | String | No | The Active Directory SID of the endpoint used for filtering. | - | Filter - Depth - All Items Recursively | Boolean | No | If set to true, the - action searches all endpoints recursively within the network hierarchy. | + | Filter - Depth - All Items Recursively | Boolean | No | If set to true, filters + all endpoints recursively within the Network Inventory. Default is false. | - | Filter - Security Servers | Boolean | No | Filters the results to include only - Security Servers. | + | Filter - Security Servers | Boolean | No | If set to true, filters for Security + Servers. Default is false. | - | Filter - Managed Relays | Boolean | No | Filters the results to include only - endpoints with the Relay role. | + | Filter - Managed Relays | Boolean | No | If set to true, filters for endpoints + with the Relay role. Default is false. | - | Filter - Managed Exchange Servers | Boolean | No | Filters the results to include - only protected Exchange servers. | + | Filter - Managed Exchange Servers | Boolean | No | If set to true, filters for + protected Exchange servers. Default is false. | - | Filter - Managed with BEST | Boolean | No | Filters for endpoints that have - the Bitdefender Endpoint Security Tools (BEST) agent installed. | + | Filter - Managed with BEST | Boolean | No | If set to true, filters for endpoints + with the BEST security agent installed. Default is false. | - | Filter - Virtual Machines | Boolean | No | Filters the results to include only - virtual machines. | + | Filter - Virtual Machines | Boolean | No | If set to true, filters for virtual + machines. Default is false. | - | Filter - Computers | Boolean | No | Filters the results to include only physical - computers. | + | Filter - Computers | Boolean | No | If set to true, filters for physical computers. + Default is false. | - | Filter - EC2 Instances | Boolean | No | Filters the results to include only - Amazon EC2 instances. | + | Filter - EC2 Instances | Boolean | No | If set to true, filters for Amazon EC2 + instances. Default is false. | - | Filter - Groups | Boolean | No | Filters the results to include only custom - groups of endpoints. | + | Filter - Groups | Boolean | No | If set to true, filters for custom groups of + endpoints. Default is false. | - | Parent ID | String | No | The ID of the container or group for which the network - items will be returned. | + | Parent ID | String | No | The ID of the container for which the network items + will be returned. | ### Additional Notes - - The `Filter - Name` parameter must be at least 3 characters long if provided; - otherwise, the action will raise an error. + - The 'Filter - Name' parameter must be at least 3 characters long if provided; + otherwise, the action will fail. - Some filters may be ignored by the Bitdefender API if the corresponding license - is not active in the GravityZone environment. + is not active in the target environment. ### Flow Description - 1. **Connection**: The action initializes a connection to the Bitdefender GravityZone - Control Center using the configured API Key and Access URL. + 1. **Configuration Extraction:** Retrieves the API Key, Access URL, and SSL verification + settings from the integration configuration. + + 2. **Parameter Parsing:** Extracts all 13 optional filter parameters and the Parent + ID from the action input. - 2. **Parameter Processing**: It extracts all optional filter parameters and the - Parent ID from the action input. + 3. **Manager Initialization:** Initializes the Bitdefender GravityZone Manager + using the provided credentials. - 3. **API Query**: It executes a paginated request to the `getNetworkInventoryItems` - endpoint. The manager handles the JSON-RPC communication and iterates through - all result pages to compile a complete list. + 4. **API Request:** Executes a paginated POST request to the Bitdefender JSON-RPC + endpoint (`getNetworkInventoryItems`) with the constructed filter object. - 4. **Result Handling**: The retrieved inventory data is attached to the action - as a JSON result. + 5. **Data Aggregation:** The manager handles pagination automatically, collecting + all matching inventory items into a single list. - 5. **Completion**: The action concludes by reporting a success status and providing - the collected inventory items. + 6. **Result Output:** Adds the retrieved inventory data to the action's JSON result + and completes the execution. capabilities: can_create_case_comments: false can_create_insight: false @@ -756,54 +1034,75 @@ Get Network Inventory Items: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Scan Tasks List: ai_description: >- - ### General Description + Retrieves a list of scan tasks from Bitdefender GravityZone Control Center. This + action allows users to monitor the status of scanning operations across the environment + by filtering for specific task names or statuses. It is primarily used for auditing + and tracking the progress of on-demand or scheduled scans. - Retrieves a list of scan tasks from the Bitdefender GravityZone Control Center. - This action allows security analysts to monitor the status and progress of scanning - operations across the environment by filtering results based on task status and - name. + ### Flow Description: - ### Parameters Description + 1. **Authentication:** Establishes a connection to the Bitdefender GravityZone + API using the provided credentials (API Key) and Access URL. - | Parameter | Type | Mandatory | Description | + 2. **Data Retrieval:** Executes the `getScanTasksList` method via the manager, + applying filters for task name and status. - | :--- | :--- | :--- | :--- | + 3. **Pagination Handling:** Automatically iterates through paginated results provided + by the Bitdefender API to compile a complete list of matching scan tasks. - | Task Status | DDL | Yes | Filters tasks by their current state. Options include - 'All', 'Pending', 'In-progress', and 'Finished'. | + 4. **Output:** Returns the compiled list of tasks as a JSON object for use in + subsequent playbook steps. - | Task Name | String | No | Filters tasks by name. If an asterisk (*) is used - at the beginning, it searches for the keyword anywhere in the name; otherwise, - it returns results where the name starts with the keyword. | + ### Parameters Description: - ### Flow Description + | Parameter | Type | Mandatory | Description | - 1. **Authentication**: Establishes a connection to the Bitdefender GravityZone - API using the configured API Key and Access URL. + | :--- | :--- | :--- | :--- | - 2. **Parameter Extraction**: Retrieves the filtering criteria (Task Status and - Task Name) provided by the user. + | **Task Status** | DDL | Yes | Filters the list by task state. Supported values: + 'All', 'Pending', 'In-progress', 'Finished'. | - 3. **API Request**: Executes the `getScanTasksList` method via the Bitdefender - manager. The manager handles the JSON-RPC request and maps the status strings - to their corresponding numerical identifiers (e.g., 'Pending' to 1). + | **Task Name** | String | No | Filters tasks by name. Use an asterisk (*) in + front to search for the keyword anywhere in the name; otherwise, it matches the + start of the string. | - 4. **Pagination Handling**: Automatically iterates through paginated results from - the API to compile a complete list of matching scan tasks. - 5. **Output**: Returns the compiled list of tasks as a JSON result and sets the - action execution state to completed. + ### Additional Notes: + * This action does not interact with SOAR entities; it performs a global search + for scan tasks within the Bitdefender environment. - ### Additional Notes - - This action is a read-only utility and does not interact with specific entities - in the Google SecOps environment. It is used for broad visibility into the scanning - infrastructure. + * The action uses the JSON-RPC 2.0 protocol to communicate with the GravityZone + API. capabilities: can_create_case_comments: false can_create_insight: false @@ -831,40 +1130,75 @@ Get Scan Tasks List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Isolate Endpoint: ai_description: >- ### General Description - This action creates a task in Bitdefender GravityZone to isolate a specified endpoint. - It is primarily used as a containment measure during incident response to restrict - the network connectivity of a potentially compromised machine, preventing lateral - movement or data exfiltration. + The **Isolate Endpoint** action is designed to programmatically isolate a specific + host within the Bitdefender GravityZone environment. By creating an isolation + task, the action effectively severs the network connectivity of a compromised + or suspicious endpoint, preventing lateral movement or data exfiltration while + still allowing communication with the GravityZone management console for remediation. ### Parameters Description - | Parameter Name | Description | Type | Mandatory | Notes | + | Parameter | Description | Type | Mandatory | - | :--- | :--- | :--- | :--- | :--- | + | :--- | :--- | :--- | :--- | | Endpoint ID | The unique identifier of the endpoint in Bitdefender GravityZone - that needs to be isolated. | String | True | This ID is used to target the specific - machine for the isolation task. | + that needs to be isolated. | String | Yes | ### Flow Description - 1. **Authentication**: The action connects to the Bitdefender GravityZone Control - Center using the provided API Key and Access URL. + 1. **Authentication**: The action initializes a connection to the Bitdefender + GravityZone Control Center using the configured API Key and Access URL. + + 2. **Parameter Extraction**: It retrieves the `Endpoint ID` provided by the user + or playbook. + + 3. **Task Creation**: The action calls the `createIsolateEndpointTask` method + via the Bitdefender JSON-RPC API. + + 4. **Execution Status**: It evaluates the API response to determine if the isolation + task was successfully created. - 2. **Task Creation**: It sends a request to the Bitdefender API (`createIsolateEndpointTask`) - using the specified `Endpoint ID`. + 5. **Completion**: The action concludes by reporting a success or failure status + to the Google SecOps workbench. - 3. **Execution Status**: The action monitors the API response to determine if - the isolation task was successfully created. - 4. **Completion**: It returns a success or failure status to the Google SecOps - platform based on the API's response. + ### Additional Notes + + This action requires the Bitdefender GravityZone incident response module to be + active for the target endpoint. It does not automatically update the entity status + within Google SecOps; it only triggers the external isolation task. capabilities: can_create_case_comments: false can_create_insight: false @@ -873,8 +1207,9 @@ Isolate Endpoint: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates an isolation task in Bitdefender GravityZone which changes the network - state of the target endpoint to restricted/isolated. + This action creates an isolation task in Bitdefender GravityZone, which changes + the network state of the target endpoint to 'Isolated', restricting its network + communication. fetches_data: false internal_data_mutation_explanation: null categories: @@ -894,27 +1229,53 @@ Isolate Endpoint: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: true + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: - ai_description: >- - ### General Description The Ping action is used to verify the connectivity between - Google SecOps and the Bitdefender GravityZone Control Center. It ensures that - the provided API Key and Access URL are valid and that the network connection - is functional. ### Parameters Description | Parameter Name | Type | Mandatory - | Description | | :--- | :--- | :--- | :--- | | API Key | String | Yes | The API - key used for authenticating with the Bitdefender GravityZone API. This is an integration-level - configuration. | | Access URL | String | Yes | The base URL of the Bitdefender - GravityZone instance (e.g., https://cloud.gravityzone.bitdefender.com). This is - an integration-level configuration. | | Verify SSL | Boolean | Yes | Determines - whether to verify the SSL certificate of the Bitdefender GravityZone server. This - is an integration-level configuration. | ### Additional Notes This action does - not take any action-specific parameters. It relies entirely on the integration's - configuration. ### Flow Description 1. Initialization: The action extracts the - API Key, Access URL, and SSL verification setting from the integration configuration. - 2. API Request: It initializes the Bitdefender GravityZone Manager and calls the - getApiKeyDetails method. 3. Validation: The manager sends a POST request to the - GravityZone JSON-RPC endpoint. 4. Result: If the API returns valid key details, - the action completes successfully with a true result. If an error occurs or no - details are returned, it fails with a false result. + ai_description: "### General Description\nThe **Ping** action is a diagnostic tool\ + \ used to verify the connectivity between Google SecOps and the Bitdefender GravityZone\ + \ Control Center. Its primary purpose is to ensure that the integration's configuration\ + \ parameters\u2014specifically the API Key and Access URL\u2014are correct and\ + \ that the network path is open. It performs a lightweight API call to retrieve\ + \ the details of the provided API key to confirm authorization.\n\n### Parameters\ + \ Description\nThis action does not have any action-specific parameters. It relies\ + \ entirely on the global integration configuration:\n* **API Key**: The credential\ + \ used to authenticate with Bitdefender GravityZone.\n* **Access URL**: The base\ + \ URL for the Bitdefender GravityZone API instance.\n* **Verify SSL**: A boolean\ + \ flag determining whether to validate the SSL certificate of the target server.\n\ + \n### Flow Description\n1. **Initialization**: The action initializes the SOAR\ + \ SDK and retrieves the global integration settings (API Key, Access URL, and\ + \ SSL verification preference).\n2. **Manager Setup**: It instantiates the `BitdefenderGravityZoneManager`\ + \ using the provided credentials.\n3. **Connectivity Test**: The action calls\ + \ the `getApiKeyDetails` method via the manager. This triggers a POST request\ + \ to the `GENERAL_URL` endpoint of the Bitdefender API.\n4. **Validation**: The\ + \ script checks if the API response is successful and contains valid key details.\ + \ If the response is empty or an error occurs (e.g., 401 Unauthorized), the action\ + \ fails.\n5. **Completion**: If the API call succeeds, the action returns a \"\ + Connection Established\" message and sets the result value to `true`." capabilities: can_create_case_comments: false can_create_insight: false @@ -942,49 +1303,73 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Policies - Get Details: ai_description: >- - ### General Description + Retrieves comprehensive information for a specific security policy in Bitdefender + GravityZone using its unique identifier. This action allows analysts to fetch + detailed configuration data, which is useful for auditing policy settings, verifying + compliance, or making automated decisions in playbooks based on policy attributes. + The retrieved data is returned as a structured JSON object. - Retrieves comprehensive information about a specific security policy from Bitdefender - GravityZone. This action allows security analysts to inspect the detailed settings - of a policy, including its rules, modules, and configurations, by providing the - unique Policy ID. It is primarily used for auditing policy configurations or verifying - the security posture applied to specific groups or endpoints. + ### Flow Description - ### Parameters Description + 1. **Extract Parameters**: Retrieves the API credentials (API Key, Access URL) + and the mandatory 'Policy ID' from the action configuration. - | Parameter | Type | Mandatory | Description | + 2. **Initialize Connection**: Establishes a secure connection to the Bitdefender + GravityZone Control Center. - | :--- | :--- | :--- | :--- | - - | Policy ID | String | Yes | The unique identifier of the security policy to be - queried. This ID is typically obtained from the 'Policies - List' action or the - Bitdefender console. | + 3. **Fetch Policy Details**: Executes the `getPolicyDetails` JSON-RPC method to + retrieve the full metadata and configuration settings for the specified policy. + 4. **Output Results**: Processes the API response and adds the policy details + to the action's JSON results for use in subsequent playbook steps. - ### Additional Notes - - This action does not operate on entities (IPs, Hosts, etc.) but rather on a - specific Policy ID provided as an input parameter. + ### Parameters Description - - The output is a JSON object containing the full policy specification. + | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Flow Description + | Policy ID | String | Yes | The unique identifier of the security policy to be + queried. This ID can be obtained from the Bitdefender console or via the 'Policies + - List' action. | - 1. **Initialization**: Extracts integration settings (API Key, Access URL, SSL - verification) and the target `Policy ID` from the action parameters. - 2. **Connection**: Establishes a connection to the Bitdefender GravityZone Control - Center via the `BitdefenderGravityZoneManager`. + ### Additional Notes - 3. **Data Retrieval**: Executes the `getPolicyDetails` API call to fetch the policy's - metadata and configuration details. + - This action does not process entities from the SecOps case; it relies entirely + on the manually provided 'Policy ID' parameter. - 4. **Result Processing**: Formats the API response and attaches it to the action's - JSON results, marking the execution as completed. + - The output is a raw JSON representation of the policy as returned by the Bitdefender + API. capabilities: can_create_case_comments: false can_create_insight: false @@ -1012,44 +1397,71 @@ Policies - Get Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Policies - List All: ai_description: >- - ### General Description + Retrieves a comprehensive list of all available security policies from the Bitdefender + GravityZone Control Center. This action is useful for auditing existing security + configurations or identifying specific policy IDs for use in other automation + tasks. - This action retrieves a comprehensive list of all available security policies - configured within the Bitdefender GravityZone Control Center. It is primarily - used for administrative auditing, policy management, or as a helper step in playbooks - to identify which policies can be applied to endpoints. + ### Flow Description: - ### Parameters Description + 1. **Authentication**: Establishes a connection to the Bitdefender GravityZone + API using the provided API Key and Access URL. - There are no input parameters for this action. It relies solely on the integration's - global configuration (API Key and Access URL). + 2. **Data Retrieval**: Executes the `getPoliciesList` JSON-RPC method to fetch + policy information. + 3. **Pagination Handling**: Automatically iterates through multiple pages of results + if the number of policies exceeds the single-page limit, ensuring a complete list + is retrieved. - ### Additional Notes + 4. **Result Processing**: Aggregates all policy items and returns them as a structured + JSON object in the action's results. - * This action does not target specific entities; it performs a global fetch of - policy data from the Bitdefender environment. - * The action automatically handles API pagination to ensure all policies are retrieved - if the list exceeds a single page. + ### Parameters Description: + | Parameter Name | Description | Type | Mandatory | Notes | - ### Flow Description + | :--- | :--- | :--- | :--- | :--- | + + | None | This action does not require any input parameters. | N/A | No | The action + relies solely on the integration's configuration (API Key, Access URL). | - 1. **Authentication**: The action initializes a connection to the Bitdefender - GravityZone API using the provided API Key and Access URL. - 2. **Data Retrieval**: It calls the `getPoliciesList` method via the JSON-RPC - interface. + ### Additional Notes: - 3. **Pagination Handling**: The manager logic checks for multiple pages of results - and iteratively fetches all policy items. + - This is a read-only action and does not modify any settings within Bitdefender + GravityZone. - 4. **Result Processing**: The complete list of policies is formatted and attached - to the action's JSON result for use in subsequent playbook steps. + - The output includes metadata for each policy, such as its name and unique identifier. capabilities: can_create_case_comments: false can_create_insight: false @@ -1077,14 +1489,39 @@ Policies - List All: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Quarantine - Add File: ai_description: >- ### General Description - This action creates a new task in Bitdefender GravityZone to add a specific file - to quarantine on designated endpoints. It is primarily used for containment by - isolating potentially malicious files based on their absolute file path on the - target system. + Creates a new task in Bitdefender GravityZone to add a specific file to quarantine + on one or more target endpoints. This action is primarily used for remediation + and incident response to isolate potentially malicious files found on disk across + managed endpoints. ### Parameters Description @@ -1093,34 +1530,37 @@ Quarantine - Add File: | :--- | :--- | :--- | :--- | - | File Path | String | Yes | The absolute file path on the target disk (e.g., - 'C:\\Users\\Public\\malicious.exe'). Max 4096 characters. | + | File Path | string | True | The absolute file path on disk to be quarantined. + This can be at most 4096 characters and must follow the format suitable for the + target's operating system (e.g., C:\Users\Public\malicious.exe). | - | Endpoint IDs | String | Yes | A comma-separated list of target endpoint IDs. - Supports up to 100 targets per request. | + | Endpoint IDs | string | True | A comma-separated list of the target endpoint + IDs where the quarantine task should be executed. Max 100 targets per action. + | - ### Additional Notes + ### Flow Description - - Only endpoints with an active EDR Sensor module are considered valid targets - for this action. + 1. **Connection**: The action establishes a connection to the Bitdefender GravityZone + Control Center using the configured API Key and Access URL. - - The file path format must be suitable for the target's operating system. + 2. **Parameter Extraction**: It retrieves the target file path and the list of + endpoint IDs from the action parameters. + 3. **Task Creation**: It calls the Bitdefender API (`createAddFileToQuarantineTask`) + to initiate a quarantine operation for the specified file path on the provided + list of endpoints. - ### Flow Description + 4. **Execution Status**: The action monitors the API response and marks the execution + as completed with a success or failure message based on whether the task was successfully + created in the Bitdefender console. - 1. **Authentication**: Connects to the Bitdefender GravityZone Control Center - using the configured API Key and Access URL. - - 2. **Parameter Extraction**: Retrieves the target endpoint IDs and the specific - file path from the action inputs. - 3. **Task Creation**: Sends a JSON-RPC request to the Bitdefender API using the - `createAddFileToQuarantineTask` method. + ### Additional Notes - 4. **Result Handling**: Evaluates the API response to determine if the task was - successfully created and updates the action status accordingly. + Only endpoints that have the EDR Sensor module active are considered valid targets + for this action. If an endpoint does not meet this requirement, the task creation + for that specific ID may fail or be ignored by the Bitdefender platform. capabilities: can_create_case_comments: false can_create_insight: false @@ -1129,8 +1569,10 @@ Quarantine - Add File: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a task in Bitdefender GravityZone to move a file from its original location - to quarantine on the target endpoints. + Creates a new quarantine task in Bitdefender GravityZone, which instructs the + EDR sensors on the target endpoints to move the specified file to a secure quarantine + location, effectively changing the state of the file system on those remote + hosts. fetches_data: false internal_data_mutation_explanation: null categories: @@ -1150,43 +1592,97 @@ Quarantine - Add File: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Quarantine - Get Items List: - ai_description: "### General Description\nRetrieves a list of quarantined items\ - \ from Bitdefender GravityZone. This action allows security analysts to search\ - \ for and list files or Microsoft Exchange objects that have been moved to quarantine\ - \ across the network or on specific endpoints. It supports various filtering options\ - \ to narrow down results based on threat names, timeframes, and specific endpoint\ - \ identifiers.\n\n### Parameters Description\n| Parameter | Type | Mandatory |\ - \ Description |\n| :--- | :--- | :--- | :--- |\n| Service | DDL | Yes | Determines\ - \ the source of the quarantined items. Options are 'Computers' (for Computers\ - \ and Virtual Machines) or 'Exchange' (for Security for Exchange). |\n| Filter\ - \ - Threat Name | String | No | Filters the list by the name of the detected threat.\ - \ Supports partial matching. |\n| Filter - Start Date | String | No | Filters\ - \ for items quarantined after this specific date. Must be in ISO 8601 format.\ - \ |\n| Filter - End Date | String | No | Filters for items quarantined before\ - \ this specific date. Must be in ISO 8601 format. |\n| Filter - File Path | String\ - \ | No | Filters by the file path where the item originated. Supports partial\ - \ matching and wildcards (e.g., using '*' as a suffix). Only available for the\ - \ 'Computers' service. |\n| Filter - IP Address | String | No | Filters by the\ - \ IP address of the source endpoint. Only available for the 'Computers' service.\ - \ |\n| Filter - Action Status | DDL | No | Filters items by their current status\ - \ (None, Pending Save, Saved). Note: 'Pending Save' is only applicable to the\ - \ Exchange service. |\n| Endpoint ID | String | No | The unique identifier of\ - \ a specific computer. If provided, only items from that computer are returned;\ - \ otherwise, the search covers the entire network. |\n\n### Additional Notes\n\ - - The filter fields **Threat Name**, **File Path**, and **IP Address** support\ - \ partial matching. \n- For the **File Path** filter, you can use an asterisk\ - \ (*) to perform suffix matching (e.g., `*myfile.exe`).\n- The Exchange service\ - \ filters require a valid license for 'Security for Exchange'.\n\n### Flow Description\n\ - 1. **Parameter Extraction**: The action retrieves the integration configuration\ - \ (API Key, URL) and all user-defined filter parameters.\n2. **Manager Initialization**:\ - \ Initializes the Bitdefender GravityZone Manager to handle API communication.\n\ - 3. **API Request**: Sends a JSON-RPC request (`getQuarantineItemsList`) to the\ - \ Bitdefender Control Center, targeting the specified service (Computers or Exchange).\n\ - 4. **Pagination Handling**: The action automatically handles paginated responses\ - \ from the API to ensure all matching quarantined items are retrieved.\n5. **Result\ - \ Processing**: The collected list of quarantined items is formatted and returned\ - \ as a JSON result for use in subsequent playbook steps." + ai_description: >- + ### General Description + + The **Quarantine - Get Items List** action retrieves a comprehensive list of items + currently held in quarantine within the Bitdefender GravityZone environment. This + includes both malicious files found on endpoints and suspicious Microsoft Exchange + objects. The action allows for granular filtering to locate specific threats or + items across the network or on a per-endpoint basis. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | **Service** | DDL | Yes | Specifies the service to query: `Computers` (for files + on VMs/workstations) or `Exchange` (for mail objects). | + + | **Filter - Threat Name** | String | No | Filters results by the name of the + detected threat. Supports partial matching. | + + | **Filter - Start Date** | String | No | Filters for items quarantined after + this date (ISO 8601 format). | + + | **Filter - End Date** | String | No | Filters for items quarantined before this + date (ISO 8601 format). | + + | **Filter - File Path** | String | No | Filters by the file's location. Supports + partial matching and wildcards (e.g., `C:\temp` or `*myfile.exe`). Only for `Computers` + service. | + + | **Filter - IP Address** | String | No | Filters by the IP address of the source + endpoint. Supports partial matching. Only for `Computers` service. | + + | **Filter - Action Status** | DDL | No | Filters by the current status of the + item (e.g., `Saved`, `Pending Save`). | + + | **Endpoint ID** | String | No | Restricts the search to a specific computer + ID. If omitted, the action searches the entire network. | + + + ### Flow Description + + 1. **Authentication**: Connects to the Bitdefender GravityZone Control Center + using the provided API Key and Access URL. + + 2. **Parameter Extraction**: Retrieves user-defined filters and service selection + from the action parameters. + + 3. **API Request**: Executes a paginated request to the `getQuarantineItemsList` + endpoint, targeting the specific service sub-path (e.g., `/computers` or `/exchange`). + + 4. **Data Aggregation**: Iterates through all available pages of results to ensure + a complete list of quarantined items is collected. + + 5. **Output**: Returns the aggregated list of items as a JSON object for use in + subsequent playbook steps. + + + ### Additional Notes + + - Partial matching is supported for Threat Name, File Path, and IP Address. + + - The `Exchange` service filters require a valid license for Security for Exchange. capabilities: can_create_case_comments: false can_create_insight: false @@ -1198,7 +1694,7 @@ Quarantine - Get Items List: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1214,52 +1710,76 @@ Quarantine - Get Items List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Quarantine - Remove Items: ai_description: >- - ### General Description + Removes items from the Bitdefender GravityZone quarantine by creating a removal + task in the Control Center. This action allows analysts to permanently delete + quarantined items associated with either endpoint computers/virtual machines or + the Security for Exchange service. - This action creates a new task in Bitdefender GravityZone to remove specific items - from quarantine. It allows security analysts to permanently delete quarantined - files or emails that have been identified as malicious or are no longer needed - for investigation. + ### Flow Description: - ### Parameters Description - - | Parameter | Type | Mandatory | Description | + 1. **Authentication:** Connects to the Bitdefender GravityZone API using the configured + API Key and Access URL. - | :--- | :--- | :--- | :--- | + 2. **Parameter Extraction:** Retrieves the target service type (Computers or Exchange) + and the list of Quarantine Item IDs from the action parameters. - | Service | DDL | Yes | Specifies the target service for the removal task. Options - are 'Computers' (for Computers and Virtual Machines) or 'Exchange' (for Security - for Exchange). | + 3. **Task Initiation:** Sends a JSON-RPC request to the Bitdefender API using + the `createRemoveQuarantineItemTask` method, passing the list of IDs to the service-specific + endpoint. - | Quarantine Item IDs | String | Yes | A comma-separated list of unique identifiers - for the items to be removed from quarantine. A maximum of 100 items can be processed - in a single request. | + 4. **Result Handling:** Processes the API response to determine if the task creation + was successful and terminates the action with a corresponding status message. - ### Additional Notes + ### Parameters Description: - - The action interacts with the Bitdefender GravityZone Control Center via JSON-RPC. + | Parameter | Type | Mandatory | Description | - - The 'Service' parameter determines the specific API endpoint used for the removal - request. + | :--- | :--- | :--- | :--- | + | Service | DDL | Yes | Determines the service context for the removal. Options + are 'Computers' (for endpoints and VMs) or 'Exchange' (for mail security). | - ### Flow Description + | Quarantine Item IDs | String | Yes | A comma-separated list of unique identifiers + for the quarantine items to be removed. A maximum of 100 items can be processed + in a single request. | - 1. **Authentication**: The action connects to the Bitdefender GravityZone Control - Center using the configured API Key and Access URL. - 2. **Parameter Extraction**: It retrieves the target service type and the list - of quarantine item IDs from the action parameters. + ### Additional Notes: - 3. **Task Creation**: The action sends a `createRemoveQuarantineItemTask` request - to the Bitdefender API, targeting the specified service (Computers or Exchange). + * This action triggers a background task in Bitdefender GravityZone. The actual + removal of items happens asynchronously on the target endpoints or mail servers. - 4. **Execution Status**: It evaluates the API response to determine if the task - was successfully created and reports the final status back to Google SecOps. + * Removing items from quarantine is a permanent action and cannot be reversed + through this integration. capabilities: can_create_case_comments: false can_create_insight: false @@ -1269,7 +1789,8 @@ Quarantine - Remove Items: can_update_entities: false external_data_mutation_explanation: >- Creates a task in Bitdefender GravityZone to permanently remove specified items - from the quarantine, effectively deleting them from the external system. + from the quarantine, which results in the deletion of those files or mail items + from the external system. fetches_data: false internal_data_mutation_explanation: null categories: @@ -1289,64 +1810,77 @@ Quarantine - Remove Items: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: true + update_identity: false + update_ticket: false Quarantine - Restore Exchange Items: ai_description: >- - ### General Description + Restores quarantined items on Microsoft Exchange Servers via Bitdefender GravityZone. + This action initiates a task in the GravityZone Control Center to move specific + items from the quarantine back to their original location in the user's mailbox. + It requires Exchange credentials and the specific IDs of the items to be restored. - This action creates a new task in Bitdefender GravityZone to restore specific - items from the quarantine for Exchange Servers. It is designed to move items previously - identified as threats or suspicious back to their original location within the - Exchange environment. - - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Quarantine Item IDs** | String | Yes | A comma-separated list of unique identifiers - for the items to be restored. Note: The maximum number of items that can be processed - in a single request is 100. | + | Quarantine Item IDs | string | Yes | A comma-separated list of the unique identifiers + for the items to be restored from quarantine (maximum 100 items). | - | **Username** | String | Yes | The username of a Microsoft Exchange user, which - must include the domain name (e.g., domain\user). | + | Username | string | Yes | The username of the Microsoft Exchange user, including + the domain name (e.g., domain\user). | - | **Password** | Password | Yes | The password associated with the provided Exchange + | Password | password | Yes | The password associated with the provided Exchange username. | - | **Email** | String | No | The email address of the Exchange user. This is required + | Email | string | No | The email address of the Exchange user. This is required if the email address differs from the username. | - | **EWS URL** | String | No | The Exchange Web Services (EWS) URL. This should - be provided if Exchange Autodiscovery is not functioning in the environment. | - - - ### Additional Notes - - - This action does not automatically process entities from the Google SecOps case; - it relies entirely on the provided action parameters. - - - The action interacts with the Bitdefender GravityZone API via a POST request - to initiate a restoration task. + | EWS URL | string | No | The Exchange Web Services (EWS) URL. Use this if Exchange + Autodiscovery is not functioning or available. | ### Flow Description - 1. **Configuration Extraction:** The action retrieves the API Key, Access URL, - and SSL verification settings from the integration configuration. + 1. **Configuration Extraction:** The action retrieves the Bitdefender API key, + Access URL, and SSL verification settings from the integration configuration. - 2. **Parameter Extraction:** It extracts the specific item IDs and Exchange credentials - provided by the user. + 2. **Parameter Retrieval:** It extracts the mandatory item IDs, Exchange credentials, + and optional connection details (Email, EWS URL) from the action input. - 3. **Manager Initialization:** It initializes the Bitdefender GravityZone Manager - to establish a connection to the Control Center. + 3. **Manager Initialization:** Initializes the Bitdefender GravityZone Manager + to handle API communication. - 4. **Task Creation:** It calls the `createRestoreQuarantineExchangeItemTask` method, - sending the item IDs and credentials to the Bitdefender API. + 4. **Task Creation:** Calls the `createRestoreQuarantineExchangeItemTask` API + endpoint, passing the item IDs and Exchange authentication details. - 5. **Result Reporting:** The action checks the API response and reports whether - the restoration task was successfully created or if the operation failed. + 5. **Result Handling:** Reports whether the restoration task was successfully + created in the Bitdefender Control Center. capabilities: can_create_case_comments: false can_create_insight: false @@ -1355,9 +1889,9 @@ Quarantine - Restore Exchange Items: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - This action creates a task in Bitdefender GravityZone to restore items from - the Exchange quarantine, which changes the state of the quarantined items in - the external Exchange environment. + Creates a task in Bitdefender GravityZone to restore items from the Exchange + quarantine, which changes the state of those items in the external Exchange + environment. fetches_data: false internal_data_mutation_explanation: null categories: @@ -1377,57 +1911,87 @@ Quarantine - Restore Exchange Items: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: true + update_identity: false + update_ticket: false Quarantine - Restore Items: ai_description: >- - ### General Description + Restores items from the Bitdefender GravityZone quarantine. This action creates + a task in the Bitdefender Control Center to move quarantined files back to their + original location or a specified alternative path. It supports both 'Computers' + and 'Exchange' services and allows for the optional creation of policy exclusions + to prevent the restored files from being flagged in future scans. - The **Quarantine - Restore Items** action allows users to restore files or items - previously quarantined by Bitdefender GravityZone. It creates a restoration task - in the GravityZone Control Center for specific items identified by their IDs. - This action is useful for recovering false positives or restoring files for forensic - analysis. + ### Flow Description - ### Parameters Description + 1. **Authentication**: Connects to the Bitdefender GravityZone API using the configured + API Key and Access URL. - | Parameter | Type | Mandatory | Description | + 2. **Parameter Extraction**: Retrieves the list of Quarantine Item IDs, the target + service type, the optional restoration path, and the exclusion preference. - | :--- | :--- | :--- | :--- | + 3. **Task Creation**: Sends a request to the Bitdefender API to initiate a `createRestoreQuarantineItemTask` + for the specified IDs. - | **Quarantine Item IDs** | String | Yes | A comma-separated list of unique identifiers - for the items to be restored from quarantine. Maximum of 100 items per request. - | + 4. **Execution**: The external system processes the restoration task asynchronously. - | **Service** | DDL | Yes | Specifies the service context: 'Computers' for endpoint - files or 'Exchange' for email-related items. | + 5. **Completion**: Returns a success or failure status based on whether the task + creation request was accepted by Bitdefender. - | **Location to Restore** | String | No | The absolute file path where items should - be restored. If left empty, the original location is used. | - | **Add Exclusion in Policy** | Boolean | No | If set to true, the restored items - will be added as exclusions in the current policy to prevent them from being quarantined - again in future scans. | + ### Parameters Description + | Parameter Name | Type | Mandatory | Description | - ### Flow Description + | :--- | :--- | :--- | :--- | - 1. **Authentication**: Connects to the Bitdefender GravityZone API using the provided - API Key and Access URL. + | Quarantine Item IDs | string | Yes | A comma-separated list of unique identifiers + for the items to be restored from quarantine. Maximum of 100 items per request. + | - 2. **Parameter Extraction**: Retrieves the list of item IDs, the target service, - and optional restoration settings (location and exclusions) from the action parameters. + | Service | ddl | Yes | Specifies the Bitdefender service context. Options are + 'Computers' (for endpoints/VMs) or 'Exchange' (for mail security). | - 3. **Task Creation**: Sends a POST request to the Bitdefender API to initiate - a `createRestoreQuarantineItemTask` for the specified service. + | Location to Restore | string | No | The absolute file system path where the + items should be restored. If left empty, the items are restored to their original + location. | - 4. **Completion**: Returns a success status if the task was successfully created - in the external system, or a failure status if the API request failed. + | Add Exclusion in Policy | boolean | No | If set to true, the restored files + will be added to a policy exclusion list to prevent them from being quarantined + again in future scans. | ### Additional Notes - This action does not process Google SecOps entities; it relies entirely on the - provided Quarantine Item IDs. + - This action does not run on SecOps entities; it requires manual input of Quarantine + Item IDs, which are typically retrieved from a previous 'Quarantine - List Items' + action or external logs. + + - Exclusions created via the 'Add Exclusion in Policy' parameter do not apply + to items assigned the 'Default Policy'. capabilities: can_create_case_comments: false can_create_insight: false @@ -1436,9 +2000,9 @@ Quarantine - Restore Items: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a task in Bitdefender GravityZone to restore specific items from quarantine - to their original or a specified location and optionally adds scan exclusions - to the security policy. + Creates a task in Bitdefender GravityZone to restore files from quarantine to + the host's file system and can optionally modify security policies by adding + file exclusions. fetches_data: false internal_data_mutation_explanation: null categories: @@ -1458,52 +2022,70 @@ Quarantine - Restore Items: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Reports - Get Download Links: ai_description: >- ### General Description - Retrieves download links for a specific report from Bitdefender GravityZone. This - action is used to obtain the necessary URLs to download generated reports, whether - they are instant (available for less than 24 hours) or scheduled (stored in the - GravityZone database). + This action retrieves download links and availability information for a specific + report within Bitdefender GravityZone. It allows users to obtain the necessary + URLs to download report files, distinguishing between instant reports (available + for less than 24 hours) and scheduled reports (stored in the GravityZone database). ### Parameters Description - | Parameter | Description | Type | Mandatory | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Report ID | The unique identifier of the report for which you want to retrieve - download links. | String | Yes | + | Report ID | String | Yes | The unique identifier of the report to fetch download + links for. | - ### Additional Notes - - - Instant reports are temporary and typically expire within 24 hours of creation. - - - Scheduled reports are persistent and saved within the Bitdefender database. - - - This action requires a valid API Key and Access URL configured in the integration - settings. + ### Flow Description + 1. **Authentication**: The action initializes a connection to the Bitdefender + GravityZone Control Center using the provided API Key and Access URL. - ### Flow Description + 2. **Request**: It sends a request to the `getDownloadLinks` endpoint of the Reports + API, passing the specified `Report ID`. - 1. **Configuration Extraction**: The action retrieves the API Key, Access URL, - and SSL verification settings from the integration configuration. + 3. **Data Retrieval**: The action receives an object containing metadata about + the report's availability and the specific download links. - 2. **Parameter Extraction**: The action extracts the mandatory `Report ID` provided - by the user. + 4. **Output**: The retrieved report data is added to the action's JSON results + for use in subsequent playbook steps. - 3. **Manager Initialization**: It initializes the `BitdefenderGravityZoneManager` - to handle communication with the Control Center. - 4. **API Request**: The action calls the `getDownloadLinks` method via the Bitdefender - JSON-RPC API using the provided Report ID. + ### Additional Notes - 5. **Result Processing**: The retrieved download link information is added to - the action's JSON results, and the execution is marked as completed. + This action does not process entities; it operates solely based on the provided + `Report ID` parameter. capabilities: can_create_case_comments: false can_create_insight: false @@ -1515,7 +2097,7 @@ Reports - Get Download Links: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: true + enrichment: false entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1531,14 +2113,40 @@ Reports - Get Download Links: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Reports - List All: ai_description: >- ### General Description - Retrieves a list of scheduled reports from the Bitdefender GravityZone Control - Center. This action allows users to query and filter reports based on their name - or specific type, providing visibility into the reporting configuration and history - within the Bitdefender environment. + Lists all scheduled reports from Bitdefender GravityZone. This action allows users + to retrieve a comprehensive list of reports, optionally filtered by name or type. + It interacts with the Bitdefender JSON-RPC API to fetch report metadata, including + report IDs and configurations, which can be used for further reporting or automation + tasks. ### Parameters Description @@ -1547,38 +2155,39 @@ Reports - List All: | :--- | :--- | :--- | :--- | - | Report Name | String | No | Filters the list to only include reports with a - specific name. | + | Report Name | String | No | The specific name of the report to search for. | - | Report Type | DDL | No | Filters the list by a specific report category, such - as 'Malware Status', 'Firewall Activity', or 'Network Incidents'. | + | Report Type | DDL | No | The category of the report (e.g., 'Malware Status', + 'Firewall Activity'). | - ### Additional Notes + ### Flow Description - - This action does not require any entities to run; it performs a global query - against the Bitdefender API. + 1. **Configuration Extraction**: The action retrieves the API Key, Access URL, + and SSL verification settings from the integration configuration. - - If no parameters are provided, the action will attempt to retrieve all available - scheduled reports. + 2. **Parameter Extraction**: It extracts the optional `Report Name` and `Report + Type` filters provided by the user. + 3. **API Connection**: Initializes the `BitdefenderGravityZoneManager` to establish + a connection with the GravityZone Control Center. - ### Flow Description + 4. **Data Retrieval**: Calls the `getReportsList` method. If a `Report Type` is + provided, it maps the display name to the corresponding internal integer ID. - 1. **Authentication**: The action establishes a connection to the Bitdefender - GravityZone API using the configured API Key and Access URL. + 5. **Pagination Handling**: The manager handles paginated responses from the API + to ensure all matching report records are collected. - 2. **Parameter Extraction**: It retrieves the optional 'Report Name' and 'Report - Type' filters from the action configuration. + 6. **Result Output**: The final list of reports is attached to the action result + as a JSON object for use in subsequent playbook steps. - 3. **Type Mapping**: If a 'Report Type' is specified, the action maps the human-readable - string to the internal integer ID required by the Bitdefender API. - 4. **Data Retrieval**: The action executes a paginated request to the Bitdefender - `getReportsList` endpoint. + ### Additional Notes + + - If no filters are provided, the action returns all available scheduled reports. - 5. **Output**: The collected list of reports is returned as a JSON result, making - the data available for downstream playbook logic. + - The `Report Type` parameter uses a predefined list of supported Bitdefender + report categories. capabilities: can_create_case_comments: false can_create_insight: false @@ -1606,48 +2215,58 @@ Reports - List All: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Restore Isolated Endpoint: ai_description: >- - ### General Description - - Restores a specified endpoint from network isolation within the Bitdefender GravityZone - environment. This action is used to reverse a previous isolation command, allowing - the endpoint to resume normal network communications. + Restores a specified endpoint from network isolation using Bitdefender GravityZone. + This action triggers a task in the GravityZone Control Center to reconnect the + endpoint to the network, reversing a previous isolation command. - ### Parameters Description + ### Parameters | Parameter | Description | Type | Mandatory | - | :--- | :--- | :--- | :--- | + | --- | --- | --- | --- | | Endpoint ID | The unique identifier of the endpoint to be restored from isolation. - | String | True | - - - ### Additional Notes - - This action does not process entities from the Google SecOps scope; it relies - solely on the provided 'Endpoint ID' parameter to identify the target system in - Bitdefender GravityZone. + | String | Yes | ### Flow Description - 1. **Configuration Extraction**: Retrieves the API Key, Access URL, and SSL verification - settings from the integration configuration. - - 2. **Parameter Extraction**: Retrieves the mandatory 'Endpoint ID' from the action - parameters. - - 3. **Manager Initialization**: Establishes a connection to the Bitdefender GravityZone - Control Center using the provided credentials. + 1. **Authentication**: Establishes a connection to the Bitdefender GravityZone + Control Center using the provided API Key and Access URL. - 4. **Task Creation**: Executes the `createRestoreEndpointFromIsolationTask` API - method to trigger the restoration process for the specified endpoint. + 2. **Task Creation**: Sends a JSON-RPC request to the Incidents API to create + a `createRestoreEndpointFromIsolationTask` for the specified Endpoint ID. - 5. **Result Reporting**: Evaluates the API response and returns a success or failure - status to the Google SecOps workbench. + 3. **Execution Status**: Evaluates the response from the manager and returns a + success or failure status to the SOAR platform. capabilities: can_create_case_comments: false can_create_insight: false @@ -1656,8 +2275,8 @@ Restore Isolated Endpoint: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a task in Bitdefender GravityZone to restore an endpoint from isolation, - which changes the network connectivity state of the target machine. + Creates a task in Bitdefender GravityZone to restore a previously isolated endpoint, + changing its network connectivity status from isolated to active. fetches_data: false internal_data_mutation_explanation: null categories: @@ -1677,46 +2296,68 @@ Restore Isolated Endpoint: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: true + update_alert: false + update_email: false + update_identity: false + update_ticket: false Set Endpoint Label: ai_description: >- - ### General Description - Sets or resets a label for a specific endpoint in Bitdefender GravityZone. This - action allows administrators to organize or tag endpoints within the Bitdefender - Control Center by applying a string label (up to 64 characters) to a target endpoint - identified by its ID. + action allows analysts to tag endpoints with custom metadata (up to 64 characters) + for better organization or tracking within the GravityZone Control Center. If + an empty string is provided as the label, any existing label on the endpoint will + be cleared. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Label | string | Yes | A string representing the label to be applied. The maximum - allowed length is 64 characters. To reset/remove a previously set label, provide - an empty string. | + | Endpoint ID | string | Yes | The unique identifier of the endpoint in Bitdefender + GravityZone. | - | Endpoint ID | string | Yes | The unique identifier of the endpoint for which - the label will be set. | + | Label | string | Yes | The string representing the label to be set (max 64 characters). + Enter an empty string to reset/clear the label. | ### Flow Description - 1. **Configuration Extraction**: Retrieves the API Key, Access URL, and SSL verification - settings from the integration configuration. - - 2. **Parameter Extraction**: Retrieves the target `Endpoint ID` and the desired - `Label` from the action parameters. + 1. **Parameter Extraction:** The action retrieves the API credentials from the + integration configuration and the target Endpoint ID and Label from the action + parameters. - 3. **Manager Initialization**: Connects to the Bitdefender GravityZone Control - Center using the provided credentials. + 2. **Manager Initialization:** It initializes the Bitdefender GravityZone Manager + using the provided API Key and Access URL. - 4. **API Execution**: Calls the `setEndpointLabel` method via the Bitdefender - API, passing the endpoint ID and the label string. + 3. **API Interaction:** The action calls the `setEndpointLabel` method via a POST + request to the Bitdefender JSON-RPC API. - 5. **Result Handling**: Evaluates the API response and terminates the action with - a success or failure status based on whether the label was successfully applied. + 4. **Result Handling:** It evaluates the API response to determine if the label + was successfully applied and terminates the action with a corresponding success + or failure message. capabilities: can_create_case_comments: false can_create_insight: false @@ -1725,7 +2366,7 @@ Set Endpoint Label: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the label attribute of a specific endpoint in the Bitdefender GravityZone + Updates the label attribute of a specific endpoint within the Bitdefender GravityZone Control Center. fetches_data: false internal_data_mutation_explanation: null @@ -1746,3 +2387,28 @@ Set Endpoint Label: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/community/bitdefender_gravity_zone/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/bitdefender_gravity_zone/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..cf49db887 --- /dev/null +++ b/content/response_integrations/third_party/community/bitdefender_gravity_zone/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: true + cloud_security: false + collaboration: false + edr: true + email_security: true + iam_and_identity_management: false + itsm: false + network_security: false + siem: false + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/chronicle_support_tools/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/chronicle_support_tools/resources/ai/actions_ai_description.yaml index eb999a1a9..c44b2832f 100644 --- a/content/response_integrations/third_party/community/chronicle_support_tools/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/chronicle_support_tools/resources/ai/actions_ai_description.yaml @@ -1,26 +1,60 @@ Gather Remote Agent Datapoints: ai_description: >- - ### General Description\n\nGathers comprehensive diagnostic data and logs from - a Remote Agent to assist in troubleshooting integration and connector issues. - It retrieves system performance metrics, agent status, and parses log files for - error patterns.\n\n### Parameters Description\n\n| Parameter | Type | Mandatory - | Description |\n| :--- | :--- | :--- | :--- |\n| IntegrationName | String | Yes - | The name of the integration for which logs and data should be collected. |\n| - ConnectorName | String | No | The specific connector name to target for log collection. - If provided, the action will attempt to locate and parse the specific connector - runner logs. |\n\n### Flow Description\n\n1. **Configuration Extraction**: Retrieves - the target Integration and Connector names from the action parameters.\n2. **Agent - Status Collection**: Reads and parses `agent_status.json` to identify installed - integration versions and general agent health, while masking sensitive information - like IP and MAC addresses.\n3. **System Load Analysis**: Executes system commands - (`lscpu`, `uptime`, `free`) to capture CPU, memory, and uptime statistics.\n4. - **Environment & File Audit**: Captures environment variables (excluding secrets) - and performs a directory listing of the agent's working directory.\n5. **Log Parsing**: - Scans the main agent log (`agent.log`) and specific connector logs (`connectors_runner.log`) - for error-level entries, capturing the most recent occurrences for analysis.\n\n### - Additional Notes\n\nThis action is a diagnostic tool. All collected information - is written to the action's execution logs (LOGGER) rather than being returned - as structured case data or insights. + ### General Description + + + Gathers comprehensive diagnostic data and remote agent datapoints for troubleshooting + purposes. This action collects system-level performance metrics, agent status + configurations, environment variables, and parses local log files for errors related + to specific integrations and connectors. It is primarily used by support teams + to identify issues within the Google SecOps Remote Agent environment. + + + ### Parameters Description + + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | IntegrationName | string | Yes | The name of the integration for which you want + to analyze agent data. | + + | ConnectorName | string | No | The name of the specific connector to retrieve + logs for. | + + + ### Flow Description + + + 1. **Configuration Extraction**: The action retrieves the `IntegrationName` and + `ConnectorName` from the input parameters. + + 2. **Agent Status Retrieval**: It reads the `agent_status.json` file to collect + information about installed integrations, their versions, and the current SSL + version. + + 3. **System Load Collection**: It executes system commands to gather CPU info + (`lscpu`), system uptime, and memory usage (`free -h`). + + 4. **Environment and File Audit**: It collects environment variables (filtering + out sensitive data like keys and tokens) and lists the contents of the agent's + directory. + + 5. **Log Analysis**: It parses the main agent log and specific connector logs + (if a connector name is provided) to identify and capture the most recent error + messages. + + 6. **Logging**: All collected diagnostic information is written to the action's + execution log for analysis. + + + ### Additional Notes + + + This action is intended for debugging and support scenarios. It does not modify + any system settings or case data; it only performs read-only diagnostic operations + on the host where the Remote Agent is installed. capabilities: can_create_case_comments: false can_create_insight: false @@ -32,7 +66,7 @@ Gather Remote Agent Datapoints: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: entity_types: [] filters_by_additional_properties: false @@ -48,3 +82,28 @@ Gather Remote Agent Datapoints: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: true + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/community/chronicle_support_tools/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/chronicle_support_tools/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..0801c7556 --- /dev/null +++ b/content/response_integrations/third_party/community/chronicle_support_tools/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/country_flags/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/country_flags/resources/ai/actions_ai_description.yaml index f9a853e74..01cc67c73 100644 --- a/content/response_integrations/third_party/community/country_flags/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/country_flags/resources/ai/actions_ai_description.yaml @@ -2,25 +2,62 @@ Get Country Flag: ai_description: >- ### General Description - The **Get Country Flag** action retrieves a base64-encoded image of a country's - flag from the `countryflags.io` service. This utility is used to provide visual - context for countries associated with entities or provided as direct input. The - action maintains a local cache to optimize performance and reduce API calls.\n\n### - Parameters Description\n| Parameter | Type | Mandatory | Description |\n| :--- - | :--- | :--- | :--- |\n| Country Code Two Digit | string | No | A 2-letter ISO - country code (e.g., 'us', 'fr') to fetch the flag for. |\n| Country Code From - Entity Field | string | No | A comma-separated list of field names to look for - in an entity's `additional_properties` (e.g., 'country', 'location'). |\n\n### - Additional Notes\n- The action uses a local `flags.json` file in the run folder - for caching.\n- If no country code is found and no parameter is provided, the - action completes without fetching data.\n\n### Flow Description\n1. **Load Cache**: - Attempts to read existing flag data from a local JSON file.\n2. **Identify Country - Codes**: Checks the `Country Code Two Digit` parameter and iterates through entities - to find codes in specified `additional_properties` fields.\n3. **Fetch Missing - Flags**: For any code not in the cache, it performs a GET request to the external - flag service.\n4. **Process and Encode**: Converts the image content to a base64 - string.\n5. **Update and Output**: Updates the local cache file and adds the base64 - strings to the action's JSON result. + The **Get Country Flag** action retrieves a country's flag image in Base64 format. + It is designed to provide visual context for geographic data by converting 2-digit + ISO country codes (e.g., 'US', 'FR') into encoded image strings. The action can + process country codes provided manually as a parameter or dynamically extracted + from the `additional_properties` of entities within a case. It utilizes an external + service (`countryflags.io`) to fetch flags and maintains a local cache file (`flags.json`) + to optimize performance and reduce redundant API calls. + + + ### Parameters Description + + | Parameter Name | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | **Country Code Two Digit** | String | No | A manual 2-digit ISO country code + (e.g., 'us', 'gb') to fetch a flag for. | + + | **Country Code From Entity Field** | String | No | A comma-separated list of + field names to look for in the `additional_properties` of entities. If found, + the value of that field is used as the country code. | + + + ### Additional Notes + + - If neither parameter is provided, the action will not perform any lookups. + + - The action maintains a local cache file named `flags.json` in the execution + folder to store previously fetched flags. + + - The results are returned as a JSON object mapping the identifier (entity or + country code) to the Base64 string. + + + ### Flow Description + + 1. **Initialization**: The action initializes and attempts to load the `flags.json` + cache file from the local execution environment. + + 2. **Parameter Retrieval**: It retrieves the manual `Country Code Two Digit` and + the list of entity fields to check from `Country Code From Entity Field`. + + 3. **Entity Processing**: For each entity in the case, the action checks if any + of the specified fields exist in the entity's `additional_properties`. If a country + code is found, it proceeds to fetch the flag. + + 4. **Flag Retrieval**: For each identified country code (from entities or manual + input), the action checks the local cache. If the flag is missing, it performs + a GET request to `https://www.countryflags.io/`, encodes the resulting image to + Base64, and updates the cache. + + 5. **Cache Update**: If new flags were fetched, the action overwrites the local + `flags.json` file with the updated data. + + 6. **Output**: The action attaches the Base64 flag data to the action's JSON results + and completes the execution. capabilities: can_create_case_comments: false can_create_insight: false @@ -32,7 +69,7 @@ Get Country Flag: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: true + enrichment: false entity_usage: entity_types: - ADDRESS @@ -83,13 +120,38 @@ Get Country Flag: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: ai_description: >- ### General Description - The **Ping** action is designed to verify connectivity between Google SecOps and - the Country Flags service. It performs a test request to ensure that the integration - can successfully reach the external API and retrieve data. + Tests connectivity to the Country Flags service by attempting to retrieve the + flag for a hardcoded country code ('us'). This action is primarily used to verify + that the integration is correctly configured and can reach the external API. ### Parameters Description @@ -99,30 +161,28 @@ Ping: ### Additional Notes - This action uses a hardcoded country code ("us") to perform the connectivity test. - It also utilizes a local cache file (`flags.json`) within the execution environment - to store previously retrieved flag data. Note that while the action fetches data, - it is named 'Ping' and therefore is not categorized as an enrichment action per - standard guidelines. + This is a standard 'Ping' action. It utilizes a local cache file (`flags.json`) + to store retrieved flag data in base64 format to optimize subsequent requests. + It does not process any entities from the case. ### Flow Description - 1. **Initialize**: The script initializes the Siemplify action and attempts to - load existing flag data from a local cache file named `flags.json` in the run - folder. + 1. **Initialize Action**: Sets up the Siemplify action context and identifies + the script as 'GetCountryFlag'. - 2. **Cache Check**: It checks if the flag for the hardcoded country code "us" - is already present in the loaded cache. + 2. **Load Cache**: Attempts to read the `flags.json` file from the execution folder + to retrieve previously cached flags. If the file is missing or invalid, it initializes + an empty cache. - 3. **API Request**: If the flag is not found in the cache, it sends a GET request - to the Country Flags API (`https://www.countryflags.io/us/flat/64.png`). + 3. **Connectivity Test**: Uses a hardcoded country code ('us') to check for a + flag. - 4. **Data Processing**: The retrieved image content is encoded into a base64 string - and added to the local cache object. + 4. **External Request**: If the flag for 'us' is not in the cache, it performs + a GET request to the Country Flags API (https://www.countryflags.io/us/flat/64.png). - 5. **Completion**: The action concludes with a success status if the flag data - is successfully obtained (either from the cache or the external API). + 5. **Finalize**: Returns a success status if the flag data is retrieved or found + in the cache; otherwise, it terminates with a failure state. capabilities: can_create_case_comments: false can_create_insight: false @@ -150,3 +210,28 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/community/country_flags/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/country_flags/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..0801c7556 --- /dev/null +++ b/content/response_integrations/third_party/community/country_flags/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/cybersixgill_actionable_alerts/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/cybersixgill_actionable_alerts/resources/ai/actions_ai_description.yaml index 2912cfc33..b04afcc67 100644 --- a/content/response_integrations/third_party/community/cybersixgill_actionable_alerts/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/cybersixgill_actionable_alerts/resources/ai/actions_ai_description.yaml @@ -1,49 +1,25 @@ Ping: - ai_description: >- - ### General Description - - The **Ping** action is a connectivity test designed to verify the communication - between Google SecOps and the Cybersixgill API. Its primary purpose is to ensure - that the provided credentials (Client ID and Client Secret) are valid and that - the network configuration allows for a successful connection to the Cybersixgill - service. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Client Id | password | Yes | The unique identifier for the Cybersixgill API - client. | - - | Client Secret | password | Yes | The secret key associated with the Client ID - used for authentication. | - - - ### Flow Description - - 1. **Parameter Extraction**: The action retrieves the `Client Id` and `Client - Secret` from the integration configuration. - - 2. **Manager Initialization**: It initializes the `SixgillEnrichManager` using - the provided credentials. - - 3. **Authentication Test**: The manager attempts to create a `SixgillBaseClient` - and calls the `get_access_token` method to verify connectivity. - - 4. **Result Reporting**: If an access token is successfully retrieved, the action - returns a success message. If an exception occurs or the token cannot be retrieved, - it returns a failure message with the error details. - - - ### Additional Notes - - - This action does not interact with any entities or modify any data within Google - SecOps or Cybersixgill. - - - It is strictly used for configuration validation. + ai_description: "### General Description\nThe **Ping** action is a diagnostic utility\ + \ designed to verify the connectivity and authentication configuration between\ + \ Google SecOps and the Cybersixgill platform. It ensures that the provided credentials\ + \ (Client ID and Client Secret) are valid and that the environment can successfully\ + \ communicate with the Cybersixgill API.\n\n### Parameters Description\n| Parameter\ + \ Name | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Client\ + \ Id | password | Yes | The unique client identifier provided by Cybersixgill\ + \ for API access. |\n| Client Secret | password | Yes | The secret key associated\ + \ with the Client ID used for authentication. |\n\n### Flow Description\n1. **Parameter\ + \ Extraction:** The action retrieves the `Client Id` and `Client Secret` from\ + \ the integration configuration.\n2. **Client Initialization:** It initializes\ + \ the `SixgillEnrichManager` using the extracted credentials.\n3. **Authentication\ + \ Check:** The manager attempts to create a Cybersixgill client and perform a\ + \ handshake by requesting an access token via the `get_access_token` method.\n\ + 4. **Result Reporting:** \n * If the token is successfully retrieved, the action\ + \ returns a success status and a confirmation message.\n * If the authentication\ + \ fails or a connection error occurs, the action catches the exception and returns\ + \ a failure status with the error details.\n\n### Additional Notes\n* This action\ + \ does not process any entities and is strictly used for configuration validation.\n\ + * As a 'Ping' type action, it is excluded from enrichment classifications regardless\ + \ of its data-fetching behavior." capabilities: can_create_case_comments: false can_create_insight: false @@ -52,7 +28,7 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: false + fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false @@ -71,3 +47,28 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/community/cybersixgill_actionable_alerts/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/cybersixgill_actionable_alerts/resources/ai/connectors_ai_description.yaml new file mode 100644 index 000000000..dabdf918e --- /dev/null +++ b/content/response_integrations/third_party/community/cybersixgill_actionable_alerts/resources/ai/connectors_ai_description.yaml @@ -0,0 +1,73 @@ +Cybersixgill Actionable Alerts: + ai_description: >- + ### General Description + + The Cybersixgill Actionable Alerts connector integrates Google SecOps with the + Cybersixgill platform to ingest high-fidelity threat intelligence alerts. This + connector monitors the deep and dark web for threats specifically targeting an + organization, providing detailed context such as threat assessments, recommendations, + and CVE-related data to enable proactive security responses. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Client Id | Password | Yes | The Client ID used for authenticating with the + Cybersixgill API. | + + | Client Secret | Password | Yes | The Client Secret used for authenticating with + the Cybersixgill API. | + + | Alerts Limit | Integer | Yes | The maximum number of alerts to retrieve in a + single execution cycle. | + + | Organization id | String | No | Optional filter to fetch alerts for a specific + Cybersixgill Organization ID. | + + | Threat Level | String | No | Optional filter to retrieve alerts matching a specific + threat level (e.g., 'imminent'). | + + | Threat Type | String | No | Optional comma-separated list of threat types to + filter the results. | + + | DeviceProductField | String | Yes | The field name used to identify the device + product in Google SecOps. | + + | EventClassId | String | Yes | The field name used to identify the event name + or sub-type in Google SecOps. | + + | PythonProcessTimeout | String | Yes | The maximum time (in seconds) allowed + for the connector script to run. | + + + ### Flow Description + + 1. **Authentication**: The connector establishes a connection to the Cybersixgill + API using the provided Client ID and Client Secret. + + 2. **Time Range Determination**: It calculates the time window for fetching alerts + by checking the last saved timestamp. On the first run, it defaults to a 30-day + lookback period. + + 3. **Alert Retrieval**: The connector queries the Cybersixgill Actionable Alerts + bulk API, applying configured filters for limit, threat level, threat type, and + organization ID. + + 4. **Detailed Enrichment**: For each retrieved alert, the connector performs a + secondary call to fetch full alert details, including descriptions, asset attributes, + and recommendations. + + 5. **CVE & Sub-Alert Processing**: If the alert contains vulnerability data, it + extracts CVE IDs, CVSS scores, and DVE scores. It also parses any associated sub-alerts + into a formatted HTML table for better visibility. + + 6. **Case Creation**: The processed data is mapped to the Google SecOps AlertInfo + model. Alerts marked as 'imminent' are assigned Critical priority, while others + are assigned High priority. + + 7. **Ingestion & Checkpointing**: The alerts are ingested into Google SecOps, + and the timestamp of the most recent alert is saved to ensure subsequent runs + only fetch new data. diff --git a/content/response_integrations/third_party/community/cybersixgill_actionable_alerts/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/cybersixgill_actionable_alerts/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..ac8e64b44 --- /dev/null +++ b/content/response_integrations/third_party/community/cybersixgill_actionable_alerts/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + siem: false + threat_intelligence: true + vulnerability_management: true diff --git a/content/response_integrations/third_party/community/cybersixgill_darkfeed/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/cybersixgill_darkfeed/resources/ai/actions_ai_description.yaml index e25b1bf71..500b9bd3c 100644 --- a/content/response_integrations/third_party/community/cybersixgill_darkfeed/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/cybersixgill_darkfeed/resources/ai/actions_ai_description.yaml @@ -2,37 +2,38 @@ Ping: ai_description: >- ### General Description - Verifies connectivity to the Cybersixgill Darkfeed API. This action is used to - validate that the provided credentials (Client ID and Client Secret) are correct - and that the Google SecOps environment can successfully communicate with the Cybersixgill - service. + The **Ping** action is designed to verify the connectivity between Google SecOps + and the Cybersixgill Darkfeed service. It serves as a diagnostic tool to ensure + that the integration's configuration parameters, specifically the Client ID and + Client Secret, are correct and that the SecOps environment can successfully authenticate + with the Cybersixgill API. - ### Parameters Description + ### Flow Description - There are no parameters for this action. + 1. **Configuration Extraction**: The action retrieves the `Client Id` and `Client + Secret` from the integration's global configuration. + 2. **Manager Initialization**: It initializes the `SixgillEnrichManager` using + the extracted credentials. - ### Additional Notes + 3. **Authentication Check**: The manager attempts to create a Sixgill client and + perform a handshake by requesting an access token from the Cybersixgill API. - This action is a standard connectivity test and does not process any entities - or modify any data. + 4. **Execution Completion**: If the access token is successfully retrieved, the + action returns a success message and a boolean `True` result. If the authentication + fails or a network error occurs, the action raises an error and reports the failure. - ### Flow Description + ### Parameters Description - 1. **Configuration Extraction**: The action retrieves the `Client Id` and `Client - Secret` from the integration's configuration settings. + This action does not require any input parameters. - 2. **Client Initialization**: It initializes the `SixgillEnrichManager` with the - retrieved credentials. - 3. **Authentication Check**: The manager attempts to create a Sixgill client and - requests an access token via the `get_access_token` method. + ### Additional Notes - 4. **Result Reporting**: If the token is successfully retrieved, the action completes - with a success message. If an error occurs during the process, an exception is - raised, indicating a connection failure. + As per standard SOAR practices, this action is used to validate the health of + the integration connector and does not process any entities or modify any data. capabilities: can_create_case_comments: false can_create_insight: false @@ -41,7 +42,7 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: false + fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false @@ -60,3 +61,28 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/community/cybersixgill_darkfeed/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/cybersixgill_darkfeed/resources/ai/connectors_ai_description.yaml new file mode 100644 index 000000000..ea8c965f3 --- /dev/null +++ b/content/response_integrations/third_party/community/cybersixgill_darkfeed/resources/ai/connectors_ai_description.yaml @@ -0,0 +1,64 @@ +Cybersixgill - Darkfeed Connector: + ai_description: >- + ### General Description + + The Cybersixgill Darkfeed connector integrates Google SecOps with Cybersixgill's + automated feed of malicious indicators of compromise (IOCs). It fetches real-time + data from the deep and dark web, including domains, URLs, hashes, and IP addresses. + This connector allows security teams to preemptively ingest actionable threat + intelligence into the SOAR platform for automated blocking and investigation. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the + python process running the current script. | + + | EventClassId | String | Yes | The field name used to determine the event name + (sub-type). Default is 'Cybersixgill Darkfeed '. | + + | DeviceProductField | String | Yes | The field name used to determine the device + product. Default is 'Cybersixgill Darkfeed '. | + + | Client Secret | Password | Yes | The Secret Key provided by Cybersixgill for + API authentication. | + + | Client Id | String | Yes | The Client ID provided by Cybersixgill for API authentication. + | + + | Alerts Limit | Integer | Yes | The maximum number of indicators/alerts to be + ingested into the platform per execution cycle. | + + + ### Flow Description + + 1. **Authentication**: The connector establishes a connection with the Cybersixgill + API using the provided Client ID and Client Secret. + + 2. **Data Retrieval**: It queries the Cybersixgill Darkfeed stream to retrieve + a bundle of indicators, limited by the 'Alerts Limit' parameter. + + 3. **Filtering**: The script filters the retrieved objects to identify valid indicators + and excludes any that have been marked as 'revoked'. + + 4. **IOC Extraction**: It parses the STIX-formatted patterns within the indicators + using regular expressions to extract specific IOC values, such as MD5/SHA hashes, + URLs, domains, and IPv4 addresses. + + 5. **Metadata Enrichment**: Each event is enriched with Cybersixgill-specific + metadata, including actor information, feed source, confidence levels, severity, + and external references (such as VirusTotal positive rates or MITRE ATT&CK tactics). + + 6. **Alert Creation**: The connector maps the processed indicator data into Google + SecOps AlertInfo objects, assigning a default priority of 'Medium' (60). + + 7. **Checkpointing**: It calls the `commit_indicators` method to acknowledge the + processed data, ensuring that the same indicators are not ingested multiple times + in subsequent runs. + + 8. **Ingestion**: The final list of alerts is returned to the Google SecOps platform + for case creation. diff --git a/content/response_integrations/third_party/community/cybersixgill_darkfeed/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/cybersixgill_darkfeed/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..2e831240c --- /dev/null +++ b/content/response_integrations/third_party/community/cybersixgill_darkfeed/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + siem: false + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/cybersixgill_darkfeed_enrichment/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/cybersixgill_darkfeed_enrichment/resources/ai/actions_ai_description.yaml index 3da7a9b58..55654fcd7 100644 --- a/content/response_integrations/third_party/community/cybersixgill_darkfeed_enrichment/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/cybersixgill_darkfeed_enrichment/resources/ai/actions_ai_description.yaml @@ -1,56 +1,53 @@ Enrich Actor: ai_description: >- - ### General Description + Enriches Threat Actor entities using Cybersixgill Darkfeed intelligence to provide + a comprehensive view of their underground activity. The action retrieves IOCs + shared by the actor in the last 90 days, identifies their areas of activity, choice + of targets, and techniques used. It updates the entity's metadata within Google + SecOps, marks it as suspicious, and generates detailed insights including links + to the Cybersixgill portal, VirusTotal, and MITRE ATT&CK frameworks. - Enriches **Threat Actor** entities using Cybersixgill Darkfeed intelligence. This - action retrieves comprehensive data regarding a threat actor's activities in the - underground, including IOCs shared within the last 90 days, their primary areas - of activity, preferred targets, and utilized techniques. The retrieved data is - used to update entity attributes, provide detailed insights, and populate data - tables within the case. + ### Flow Description: - ### Parameters Description + 1. **Configuration Extraction:** Retrieves the Client ID and Client Secret from + the integration configuration. - | Parameter | Type | Mandatory | Description | + 2. **Entity Filtering:** Identifies and processes only Threat Actor entities from + the current context. - | :--- | :--- | :--- | :--- | + 3. **Data Retrieval:** Queries the Cybersixgill API to fetch enrichment data specific + to the threat actor's identifier. - | Client Id | String | Yes | The API Client ID used to authenticate with the Cybersixgill - service. | - - | Client Secret | String | Yes | The API Client Secret used to authenticate with - the Cybersixgill service. | + 4. **Entity Enrichment:** Updates the entity's internal state by setting `is_enriched` + and `is_suspicious` to true, and populates `additional_properties` with detailed + intelligence (e.g., feed name, source, post titles, confidence, and severity). + 5. **Insight Generation:** Creates a case insight containing a summary of the + actor's activity and adds data tables for structured visualization. - ### Flow Description + 6. **Link Association:** Adds external links to the entity for direct access to + the Cybersixgill portal and related threat intelligence sources. - 1. **Authentication**: Extracts the Client ID and Client Secret from the integration - configuration to initialize the Cybersixgill manager. - 2. **Entity Filtering**: Identifies all entities of type `THREATACTOR` within - the current alert context. + ### Parameters Description: - 3. **Data Retrieval**: Queries the Cybersixgill API for each identified threat - actor to fetch enrichment data and associated indicators. + | Parameter Name | Type | Mandatory | Description | - 4. **Entity Enrichment**: Updates the entity's status to `is_enriched` and `is_suspicious`. - It also populates the entity's `additional_properties` with metadata such as description, - feed name, source, actor details, confidence, and severity. + | :--- | :--- | :--- | :--- | - 5. **Insight Generation**: Creates a detailed case insight for each actor, summarizing - the intelligence found. + | Client Id | String | Yes | The API Client ID used to authenticate with Cybersixgill + services. | - 6. **Data Visualization**: Adds a data table to the entity containing structured - records of the actor's activity and provides external links to the Cybersixgill - portal and other sources like VirusTotal or MITRE ATT&CK. + | Client Secret | String | Yes | The API Client Secret used to authenticate with + Cybersixgill services. | - ### Additional Notes + ### Additional Notes: This action specifically targets the `THREATACTOR` entity type. While the underlying - processor supports other types, this specific action script restricts processing - to threat actors only. + processor supports other types, this specific implementation is scoped to actors + to provide deep underground context. capabilities: can_create_case_comments: false can_create_insight: true @@ -61,9 +58,9 @@ Enrich Actor: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action updates entity attributes (is_enriched, is_suspicious), populates - additional properties with threat intelligence, creates case insights, and adds - data tables and external links to the entities. + Updates entity attributes (is_enriched, is_suspicious, additional_properties), + creates case insights, adds entity tables, and associates external links with + entities. categories: enrichment: true entity_usage: @@ -82,58 +79,79 @@ Enrich Actor: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Enrich Domain: ai_description: >- - ### General Description - - Enriches Hostname (Domain) entities using Cybersixgill Darkfeed threat intelligence. + Enriches Domain (Hostname) entities using Cybersixgill Darkfeed threat intelligence. This action identifies if a domain is associated with compromised sites or is - for sale on the dark web, providing critical context for security investigations. - It retrieves detailed threat indicators, including feed names, actors, severity, - and confidence scores, and maps them to the entity's profile in Google SecOps. + being sold on the dark web. It retrieves detailed metadata including feed names, + actors, post titles, and external references to VirusTotal and MITRE ATT&CK. The + action updates the entity's suspicious status, adds enrichment attributes, and + generates detailed case insights and data tables for analyst review. - ### Parameters Description + ### Flow Description: - | Parameter | Type | Mandatory | Description | + 1. **Credential Extraction:** Retrieves the Client ID and Client Secret from the + integration configuration. - | :--- | :--- | :--- | :--- | + 2. **Entity Filtering:** Identifies all Hostname entities within the current context. - | Client Id | String | Yes | The Client ID for the Cybersixgill API, configured - at the integration level. | + 3. **Intelligence Retrieval:** Queries the Cybersixgill API for each domain to + find matches in dark web feeds. - | Client Secret | String | Yes | The Client Secret for the Cybersixgill API, configured - at the integration level. | + 4. **Entity Enrichment:** Updates the entity's internal state (marking it as enriched + and suspicious) and populates additional properties with Sixgill metadata. + 5. **Insight Generation:** Creates a detailed case insight containing a summary + of the threat intelligence and adds a data table to the entity for structured + viewing. - ### Additional Notes + 6. **External Linking:** Adds links to the Cybersixgill portal and other external + references (like VirusTotal) to the entity. - There are no action-specific parameters; the action relies on integration-level - configuration. It automatically marks entities as suspicious and enriched if threat - data is found. It also parses STIX patterns to identify related file hashes (MD5, - SHA-1, SHA-256) and integrates external references from VirusTotal and MITRE ATT&CK - where available. + ### Parameters Description: - ### Flow Description + | Parameter Name | Type | Mandatory | Description | - 1. **Credential Retrieval**: Extracts the Client ID and Client Secret from the - integration configuration. + | :--- | :--- | :--- | :--- | + + | Client Id | String | Yes | The API Client ID used to authenticate with Cybersixgill + services. | + + | Client Secret | String | Yes | The API Client Secret used to authenticate with + Cybersixgill services. | - 2. **Entity Filtering**: Identifies Hostname entities from the target entities - list. - 3. **API Query**: Queries the Cybersixgill Darkfeed API for each identified Hostname - to retrieve enrichment indicators. + ### Additional Notes: - 4. **Data Processing**: If enrichment data is found, the action: - * Marks the entity as 'Enriched' and 'Suspicious'. - * Updates the entity's additional properties with threat details such as Feed - Name, Source, Actor, Severity, and Confidence. - * Parses STIX patterns within the results to find and map related file hashes. - 5. **Output Generation**: Creates a detailed case insight and an entity table - containing the full threat context. It also adds external links to the Cybersixgill - portal and relevant third-party sources like VirusTotal or MITRE ATT&CK. + This action specifically targets Hostname entities. While the underlying processor + supports other types, this specific action script restricts processing to Hostnames. capabilities: can_create_case_comments: false can_create_insight: true @@ -144,8 +162,8 @@ Enrich Domain: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity attributes (is_enriched, is_suspicious, additional_properties) - and creates case insights, entity tables, and entity links within Google SecOps. + Updates entity attributes including 'is_enriched', 'is_suspicious', and 'additional_properties'. + It also creates case insights and entity data tables. categories: enrichment: true entity_usage: @@ -164,57 +182,54 @@ Enrich Domain: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Enrich Hash: - ai_description: >- - ### General Description - - Enriches File Hash entities using Cybersixgill Darkfeed threat intelligence. This - action proactively analyzes and investigates malware hashes as they emerge on - the dark web, providing context even for malware undetected by traditional antivirus - vendors. It retrieves comprehensive metadata, including actor information, severity, - confidence scores, and cross-references with VirusTotal and MITRE ATT&CK. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Client Id | String | Yes | The API Client ID for Cybersixgill authentication. - | - - | Client Secret | String | Yes | The API Client Secret for Cybersixgill authentication. - | - - - ### Additional Notes - - This action specifically targets `FILEHASH` entities. It automatically marks enriched - entities as suspicious if threat data is found in the Cybersixgill database. - - - ### Flow Description - - 1. **Authentication**: Initializes the Cybersixgill manager using the provided - Client ID and Secret. - - 2. **Entity Identification**: Filters the target entities to identify all `FILEHASH` - objects. - - 3. **Threat Intelligence Query**: For each hash, it queries the Cybersixgill Darkfeed - API for matching indicators. - - 4. **Internal Data Mutation**: If a match is found, the action updates the entity's - `is_enriched` and `is_suspicious` flags and populates its `additional_properties` - with detailed threat metadata. - - 5. **Insight Generation**: Creates a detailed Case Insight summarizing the findings, - including feed names, actor details, and severity. - - 6. **Contextual Enrichment**: Adds a data table to the entity, attaches raw JSON - results, and provides external links to the Cybersixgill Portal, VirusTotal, and - MITRE ATT&CK documentation. + ai_description: "Enriches File Hash entities using Cybersixgill Darkfeed intelligence.\ + \ This action proactively investigates malware hashes by searching for them on\ + \ the dark web, providing context even for malware undetected by traditional antivirus\ + \ vendors. It retrieves comprehensive threat intelligence, including actor attribution,\ + \ malware family details, and cross-references with VirusTotal and MITRE ATT&CK\ + \ frameworks.\n\n### Flow Description:\n1. **Credential Retrieval:** Extracts\ + \ the Cybersixgill Client ID and Client Secret from the integration configuration.\n\ + 2. **Entity Filtering:** Identifies all File Hash entities within the current\ + \ context.\n3. **Data Retrieval:** Queries the Cybersixgill Darkfeed API for each\ + \ hash to retrieve enrichment data.\n4. **Internal Enrichment:** Updates the entities\ + \ in Google SecOps by marking them as enriched and suspicious, and populates additional\ + \ properties with metadata such as feed names, confidence scores, and severity.\n\ + 5. **Insight Generation:** Creates detailed case insights and data tables containing\ + \ technical details, VirusTotal positive rates, and MITRE ATT&CK tactics/techniques.\n\ + 6. **Link Association:** Adds external links to the entities, pointing to the\ + \ Cybersixgill Portal, VirusTotal, and MITRE documentation.\n\n### Parameters\ + \ Description:\n| Parameter Name | Type | Mandatory | Description |\n| :--- |\ + \ :--- | :--- | :--- |\n| None | N/A | No | This action does not require any manual\ + \ input parameters; it operates directly on the entities present in the case.\ + \ |\n\n### Additional Notes:\n* This action specifically targets `FILEHASH` entities.\ + \ \n* It automatically marks enriched entities as 'Suspicious' within the platform\ + \ if data is found in the Cybersixgill feed." capabilities: can_create_case_comments: false can_create_insight: true @@ -225,8 +240,8 @@ Enrich Hash: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action updates entity attributes (is_enriched, is_suspicious, additional_properties) - and creates case insights based on the retrieved threat intelligence from Cybersixgill. + Updates entity attributes including 'is_enriched', 'is_suspicious', and 'additional_properties'. + It also creates case insights and data tables. categories: enrichment: true entity_usage: @@ -245,31 +260,87 @@ Enrich Hash: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Enrich IP: - ai_description: "### General Description\nEnriches IP Address entities using Cybersixgill\ - \ Darkfeed threat intelligence. This action identifies malicious IP addresses\ - \ associated with Command and Control (C&C) servers, botnets, DDoS attacks, proxy\ - \ anonymization, and compromised RDP addresses. It provides deep context by retrieving\ - \ feed names, actor information, confidence scores, and severity levels, while\ - \ also integrating external references from VirusTotal and MITRE ATT&CK.\n\n###\ - \ Parameters Description\n| Parameter Name | Type | Mandatory | Description |\n\ - | :--- | :--- | :--- | :--- |\n| Client Id | String | Yes | The Client ID for\ - \ authenticating with the Cybersixgill API. |\n| Client Secret | String | Yes\ - \ | The Client Secret for authenticating with the Cybersixgill API. |\n\n### Flow\ - \ Description\n1. **Authentication**: Initializes the Cybersixgill manager using\ - \ the provided Client ID and Client Secret.\n2. **Entity Filtering**: Identifies\ - \ all IP Address entities within the current context.\n3. **Data Retrieval**:\ - \ Queries the Cybersixgill Darkfeed API for each IP address to retrieve threat\ - \ indicators and metadata.\n4. **Internal Enrichment**: \n * Marks the entity\ - \ as 'Enriched' and 'Suspicious'.\n * Populates entity attributes with detailed\ - \ metadata (e.g., Feed Name, Actor, Confidence, Severity).\n * Parses STIX\ - \ patterns to identify related file hashes (MD5, SHA-1, SHA-256).\n5. **Reporting**:\ - \ \n * Creates a detailed Case Insight for each entity containing the threat\ - \ analysis.\n * Adds a data table to the entity with structured enrichment\ - \ results.\n * Attaches external links to the entity for the Cybersixgill Portal,\ - \ VirusTotal, and MITRE ATT&CK documentation.\n6. **Finalization**: Updates the\ - \ entities in the Google SecOps platform and returns a summary of processed, missing,\ - \ or failed entities." + ai_description: >- + ### General Description + + Enriches IP Address entities using Cybersixgill Darkfeed threat intelligence. + This action identifies if an IP is associated with malicious activities such as + Command and Control (C&C) servers, botnets, DDoS attacks, or compromised RDP addresses. + It retrieves detailed metadata including feed names, actors, confidence scores, + and severity levels. The action automatically marks the entity as suspicious and + enriched in Google SecOps, adds a detailed case insight, attaches a data table + with the findings, and provides direct links to the Cybersixgill portal and external + references like VirusTotal or MITRE ATT&CK. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | None | N/A | N/A | This action does not have any action-specific parameters. + It relies on the integration's configuration for authentication. | + + + ### Additional Notes + + - The action uses the **Client Id** and **Client Secret** configured at the integration + level for authentication. + + - Entities found in the Cybersixgill Darkfeed are automatically marked as **Suspicious** + and **Enriched**. + + - The action specifically targets **IP Address** entities. + + + ### Flow Description + + 1. **Authentication**: The action retrieves the Client ID and Client Secret from + the integration configuration to authenticate with the Cybersixgill API. + + 2. **Entity Filtering**: It identifies all IP Address entities within the current + context. + + 3. **Data Retrieval**: For each IP, it queries the Cybersixgill Darkfeed to find + matching threat indicators. + + 4. **Entity Enrichment**: If data is found, the entity is marked as 'Suspicious' + and 'Enriched'. Additional properties (e.g., Sixgill Feedname, Actor, Confidence) + are added to the entity's metadata. + + 5. **Insight Generation**: A comprehensive case insight is created, summarizing + the threat intelligence. + + 6. **Result Visualization**: A data table is attached to the entity for easy review, + and external links (e.g., to the Cybersixgill Portal or VirusTotal) are added + to the entity's links section. capabilities: can_create_case_comments: false can_create_insight: true @@ -280,9 +351,9 @@ Enrich IP: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity attributes (is_enriched, is_suspicious, additional_properties), - creates case insights, adds entity tables, and adds entity links within Google - SecOps. + The action updates entity attributes (is_suspicious, is_enriched, additional_properties), + creates case insights, adds entity links, and attaches data tables to entities + within Google SecOps. categories: enrichment: true entity_usage: @@ -301,15 +372,40 @@ Enrich IP: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Enrich URL: ai_description: >- ### General Description Enriches URL entities using Cybersixgill Darkfeed threat intelligence. This action - identifies, investigates, and retrieves context for URLs that have been shared - or hosted on underground file-sharing and paste sites. It provides deep visibility - into the dark web context of a URL, including associated actors, feed sources, - and severity levels. + identifies and investigates malware-related URLs shared on underground file-sharing + and paste sites. It provides detailed context such as feed names, actors, confidence + scores, and severity levels to help analysts assess the risk associated with specific + URLs. ### Parameters Description @@ -318,43 +414,34 @@ Enrich URL: | :--- | :--- | :--- | :--- | - | Client Id | String | Yes | The Client ID for authenticating with the Cybersixgill - API. | - - | Client Secret | String | Yes | The Client Secret for authenticating with the - Cybersixgill API. | + | None | N/A | N/A | This action does not have any input parameters. | ### Additional Notes - * This action automatically marks enriched entities as **suspicious** and **enriched** - within the Google SecOps environment if data is found. - - * It integrates external references from VirusTotal and MITRE ATT&CK when available - in the Cybersixgill data. + This action requires valid Cybersixgill API credentials (Client Id and Client + Secret) to be configured in the integration settings. It automatically marks enriched + entities as suspicious and enriched within the Google SecOps platform. ### Flow Description - 1. **Configuration Extraction:** Retrieves the Cybersixgill API credentials from - the integration settings. + 1. **Authentication**: Extracts Cybersixgill credentials from the integration + configuration. - 2. **Entity Filtering:** Identifies all URL entities within the current alert - context. + 2. **Entity Filtering**: Identifies URL entities within the current case context. - 3. **Threat Intelligence Retrieval:** For each URL, it queries the Cybersixgill - Darkfeed API to find matches in underground sources. + 3. **Data Retrieval**: Queries the Cybersixgill Darkfeed API for each identified + URL to retrieve relevant threat intelligence. - 4. **Entity Enrichment:** If data is found, it updates the entity's additional - properties with metadata such as the Sixgill Feed Name, Source, Actor, Confidence, - and Severity. + 4. **Entity Enrichment**: Updates the URL entities with enriched metadata, including + descriptions, feed names, actors, confidence, and severity. - 5. **Insight Generation:** Creates a detailed Case Insight containing a summary - of the threat intelligence and external references. + 5. **Internal State Update**: Marks the entities as suspicious and enriched, and + updates their additional properties. - 6. **Data Visualization:** Adds a data table to the entity and attaches external - links (e.g., to the Cybersixgill Portal, VirusTotal, or MITRE ATT&CK) for further - investigation. + 6. **Insight Generation**: Creates case insights, data tables, and external links + (to the Cybersixgill portal, VirusTotal, or Mitre Attack) for analyst review. capabilities: can_create_case_comments: false can_create_insight: true @@ -365,9 +452,8 @@ Enrich URL: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity attributes with Cybersixgill threat intelligence, marks entities - as suspicious and enriched, adds data tables, creates case insights, and attaches - external links for further investigation. + Updates entity attributes (additional properties), marks entities as suspicious + and enriched, creates case insights, and adds entity tables and links. categories: enrichment: true entity_usage: @@ -386,53 +472,59 @@ Enrich URL: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: ai_description: >- - ### General Description - - The **Ping** action is a diagnostic utility designed to verify the connectivity - between the Google SecOps platform and the Cybersixgill Darkfeed Enrichment service. - Its primary purpose is to ensure that the provided API credentials (Client ID - and Client Secret) are valid and that the network path to the Cybersixgill API - is open. - - - ### Parameters Description + The Ping action is designed to verify the connectivity between the Google SecOps + platform and the Cybersixgill Darkfeed Enrichment service. It ensures that the + provided API credentials (Client ID and Client Secret) are valid and that the + network path to the service is open. - This action does not require any user-provided input parameters at runtime. It - relies entirely on the integration's global configuration settings. + ### Flow Description - | Parameter Name | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | None | N/A | N/A | This action uses no runtime parameters. | - - - ### Additional Notes - - - This action uses a hardcoded IP address (8.8.8.8) to perform a test enrichment - query to validate the API connection. - - - It is typically used during the initial setup of the integration or for troubleshooting - communication issues. + 1. **Configuration Extraction:** The action retrieves the 'Client Id' and 'Client + Secret' from the integration's configuration settings. + 2. **Manager Initialization:** It initializes the `SixgillEnrichManager` and `SixgillActionResultProcessor` + using the extracted credentials. - ### Flow Description + 3. **Connectivity Test:** The action executes the `test_connectivity` method, + which attempts to perform a sample IOC enrichment request for a hardcoded IP address + (8.8.8.8) to confirm the API is responsive. - 1. **Credential Retrieval**: The action extracts the `Client Id` and `Client Secret` - from the integration's configuration parameters. + 4. **Result Reporting:** Based on the success or failure of the API call, the + action returns a completion status and a descriptive message to the SOAR workbench. - 2. **Manager Initialization**: It initializes the `SixgillEnrichManager` and the - `SixgillActionResultProcessor` using the retrieved credentials. - 3. **Connectivity Test**: The processor attempts to create a Cybersixgill client - and executes a test enrichment call for the IP `8.8.8.8`. + ### Parameters Description - 4. **Status Reporting**: If the API call is successful, the action returns a success - message. If an exception occurs (e.g., authentication failure or network timeout), - it logs the error and returns a failure status. + There are no action-specific parameters for this action. It relies entirely on + the integration's global configuration parameters (Client Id and Client Secret). capabilities: can_create_case_comments: false can_create_insight: false @@ -460,3 +552,28 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/community/cybersixgill_darkfeed_enrichment/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/cybersixgill_darkfeed_enrichment/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..2e831240c --- /dev/null +++ b/content/response_integrations/third_party/community/cybersixgill_darkfeed_enrichment/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + siem: false + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/cybersixgill_dve_enrichment/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/cybersixgill_dve_enrichment/resources/ai/actions_ai_description.yaml index b1721c2ad..103b2d357 100644 --- a/content/response_integrations/third_party/community/cybersixgill_dve_enrichment/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/cybersixgill_dve_enrichment/resources/ai/actions_ai_description.yaml @@ -1,46 +1,27 @@ Enrich CVE: - ai_description: >- - ### General Description - - Enriches CVE entities using Cybersixgill's Dynamic Vulnerability Exploit (DVE) - Score. This action provides deep visibility into vulnerabilities by retrieving - real-time threat intelligence from the deep and dark web, including DVE scores, - trending status, and proof-of-concept (POC) details. It helps security teams prioritize - critical vulnerabilities based on actual exploitation risk rather than static - scores alone. - - - ### Parameters - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Client Id | String | Yes | The Client ID for Cybersixgill API authentication. - | - - | Client Secret | String | Yes | The Client Secret for Cybersixgill API authentication. - | - - - ### Flow Description - - 1. **Authentication:** Retrieves API credentials (Client ID and Secret) from the - integration configuration. - - 2. **Entity Filtering:** Identifies CVE entities within the current context. - - 3. **Data Retrieval:** Queries the Cybersixgill API for each CVE to fetch DVE - scores and associated metadata (NVD links, CVSS scores, exploitability probability). - - 4. **Internal Enrichment:** Updates the entity's additional properties with the - retrieved data and marks the entity as enriched. - - 5. **Insight Generation:** Creates a detailed case insight for each CVE containing - a summary of the threat intelligence. - - 6. **Data Visualization:** Adds a structured data table to the entity results - for easy review of vulnerability details. + ai_description: "Enriches CVE entities using Cybersixgill's Dynamic Vulnerability\ + \ Exploit (DVE) Score and threat intelligence. This action retrieves deep and\ + \ dark web context for vulnerabilities, including exploit probability, trending\ + \ status, and NVD metadata. It enhances the security analyst's ability to prioritize\ + \ vulnerabilities by providing real-time risk scores and technical details directly\ + \ within the case.\n\n### Flow Description:\n1. **Credential Retrieval:** Extracts\ + \ the Cybersixgill Client ID and Client Secret from the integration configuration.\n\ + 2. **Entity Filtering:** Iterates through the target entities in the current context,\ + \ specifically identifying those of type `CVE`.\n3. **External Query:** For each\ + \ CVE, it queries the Cybersixgill API to fetch the DVE score and associated STIX-based\ + \ threat intelligence.\n4. **Internal Enrichment:** \n * Updates the entity's\ + \ additional properties with Cybersixgill-prefixed attributes.\n * Marks the\ + \ entity as enriched within the SOAR platform.\n5. **Reporting:** \n * Generates\ + \ a detailed Case Insight containing descriptions, scores, and NVD links.\n \ + \ * Adds a structured data table to the entity for quick reference of CVSS scores\ + \ and exploitability metrics.\n * Attaches the raw JSON response to the action\ + \ results.\n\n### Parameters Description:\n| Parameter Name | Type | Mandatory\ + \ | Description |\n| :--- | :--- | :--- | :--- |\n| None | N/A | N/A | This action\ + \ does not require any runtime parameters; it uses the integration's global configuration\ + \ and the entities present in the case. |\n\n### Additional Notes:\n* This action\ + \ specifically targets `CVE` entity types. Other entity types will be logged as\ + \ invalid and skipped.\n* The enrichment includes both Cybersixgill proprietary\ + \ scores (DVE) and standard NVD (National Vulnerability Database) data." capabilities: can_create_case_comments: false can_create_insight: true @@ -51,8 +32,8 @@ Enrich CVE: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity properties with Cybersixgill DVE scores and metadata, and creates - case insights for the enriched CVEs. + The action updates entity properties, sets the 'is_enriched' flag, and creates + case insights and data tables within the SOAR platform. categories: enrichment: true entity_usage: @@ -71,43 +52,70 @@ Enrich CVE: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: ai_description: >- ### General Description - The Ping action is a diagnostic utility designed to verify the connectivity between - Google SecOps and the Cybersixgill DVE Enrichment service. Its primary purpose - is to ensure that the provided API credentials (Client ID and Client Secret) are - valid and that the network path to the Cybersixgill API is open. + The **Ping** action is a diagnostic utility designed to verify the connectivity + between the Google SecOps platform and the Cybersixgill API. Its primary purpose + is to ensure that the integration's configuration parameters, specifically the + Client ID and Client Secret, are valid and that the environment can successfully + establish a network connection to the Cybersixgill service. ### Parameters Description - There are no input parameters for this action. It relies entirely on the global - integration configuration for authentication. + This action does not require any input parameters. It utilizes the global integration + configuration to perform the connectivity test. - ### Additional Notes + ### Flow Description - This action is typically used during the initial setup of the integration or for - troubleshooting authentication issues. It does not process entities or modify - any data within the SOAR or the external system. + 1. **Configuration Retrieval**: The action extracts the `Client Id` and `Client + Secret` from the integration's configuration settings. + 2. **Manager Initialization**: It initializes the `SixgillEnrichManager` using + the extracted credentials. - ### Flow Description + 3. **Connectivity Verification**: The manager attempts to authenticate with the + Cybersixgill API by requesting an access token. This step validates both the credentials + and the network reachability. - 1. **Configuration Extraction**: The action retrieves the 'Client Id' and 'Client - Secret' from the integration's global settings. + 4. **Execution Completion**: The action concludes by returning a success message + and a boolean `True` if the connection is established, or a failure message and + `False` if an error occurs during the authentication process. - 2. **Manager Initialization**: It initializes the `SixgillEnrichManager` with - the extracted credentials. - 3. **Connectivity Test**: The manager attempts to obtain an access token from - the Cybersixgill API using the `SixgillBaseClient`. + ### Additional Notes - 4. **Result Reporting**: If the token is successfully retrieved, the action returns - a success status. If an exception occurs (e.g., invalid credentials or network - timeout), it returns a failure status with the error details. + As a standard connectivity test, this action does not interact with entities, + fetch contextual threat intelligence, or modify any data within Google SecOps + or Cybersixgill. capabilities: can_create_case_comments: false can_create_insight: false @@ -135,3 +143,28 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/community/cybersixgill_dve_enrichment/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/cybersixgill_dve_enrichment/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..ac8e64b44 --- /dev/null +++ b/content/response_integrations/third_party/community/cybersixgill_dve_enrichment/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + siem: false + threat_intelligence: true + vulnerability_management: true diff --git a/content/response_integrations/third_party/community/cybersixgill_dve_feed/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/cybersixgill_dve_feed/resources/ai/actions_ai_description.yaml index 9c4d9a81c..d7a17cbb9 100644 --- a/content/response_integrations/third_party/community/cybersixgill_dve_feed/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/cybersixgill_dve_feed/resources/ai/actions_ai_description.yaml @@ -2,53 +2,38 @@ Ping: ai_description: >- ### General Description - The **Ping** action is a diagnostic tool designed to verify the connectivity and - authentication configuration between Google SecOps and the Cybersixgill platform. - Its primary purpose is to ensure that the provided API credentials (Client ID - and Client Secret) are valid and that the SecOps environment can successfully - communicate with the Cybersixgill API. + The **Ping** action is a diagnostic utility designed to verify the connectivity + between the Google SecOps platform and the Cybersixgill API. Its primary purpose + is to validate that the configured credentials (Client ID and Client Secret) are + correct and that the Cybersixgill service is accessible from the environment. ### Parameters Description - | Parameter Name | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **Client Id** | String | Yes | The unique identifier for the Cybersixgill API - account, configured at the integration level. | - - | **Client Secret** | String | Yes | The secret key associated with the Cybersixgill - API account, configured at the integration level. | - - - *Note: This action does not have specific runtime parameters; it relies entirely - on the integration's global configuration.* + There are no user-input parameters for this action. It relies entirely on the + integration's global configuration settings. ### Additional Notes - - This action is typically used during the initial setup of the Cybersixgill integration - or for troubleshooting connection issues. - - - It does not process any entities or modify any data within Google SecOps or - Cybersixgill. + This action is a standard connectivity check and does not process any entities + or modify any data within Google SecOps or Cybersixgill. ### Flow Description - 1. **Configuration Extraction:** The action retrieves the `Client Id` and `Client - Secret` from the integration's configuration settings. + 1. **Configuration Retrieval**: The action extracts the `Client Id` and `Client + Secret` from the Cybersixgill integration settings. - 2. **Manager Initialization:** It initializes the `SixgillEnrichManager` using + 2. **Manager Initialization**: It initializes the `SixgillEnrichManager` using the extracted credentials. - 3. **Connectivity Test:** The manager attempts to create a `SixgillBaseClient` - and requests an access token from the Cybersixgill authentication endpoint. + 3. **Authentication Check**: The manager attempts to establish a connection by + requesting an access token from the Cybersixgill API using the `SixgillBaseClient`. - 4. **Result Reporting:** If an access token is successfully retrieved, the action - returns a success status and message. If the authentication fails or a network - error occurs, an exception is raised, and the action reports a failure. + 4. **Execution Completion**: If the access token is successfully retrieved, the + action returns a success status and message. If the connection fails, it raises + a `SixgillManagerError`. capabilities: can_create_case_comments: false can_create_insight: false @@ -76,3 +61,28 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/community/cybersixgill_dve_feed/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/cybersixgill_dve_feed/resources/ai/connectors_ai_description.yaml new file mode 100644 index 000000000..54ea9a8e5 --- /dev/null +++ b/content/response_integrations/third_party/community/cybersixgill_dve_feed/resources/ai/connectors_ai_description.yaml @@ -0,0 +1,61 @@ +Cybersixgill - DVE Connector: + ai_description: >- + ### General Description + + The Cybersixgill DVE Connector integrates with the Cybersixgill Dynamic Vulnerability + Exploit (DVE) feed to ingest vulnerability-related threat intelligence into Google + SecOps. It focuses on CVEs, providing real-time context on threat actor intent + and the probability of exploitation. This allows security teams to prioritize + vulnerabilities based on dynamic risk scores and dark web intelligence rather + than static severity metrics. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Client Id | String | Yes | The Client ID for authenticating with the Cybersixgill + API. | + + | Client Secret | Password | Yes | The Secret Key for authenticating with the + Cybersixgill API. | + + | Alerts Limit | Integer | Yes | The maximum number of vulnerability alerts to + ingest in a single execution cycle. | + + | EventClassId | String | Yes | The field name used to determine the event name/sub-type. + Default is 'Cybersixgill DVE Feed'. | + + | DeviceProductField | String | Yes | The field name used to determine the device + product. Default is 'Cybersixgill DVE Feed'. | + + | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the + python process running the current script. | + + + ### Flow Description + + 1. **Authentication**: The connector authenticates with the Cybersixgill API using + the provided Client ID and Client Secret. + + 2. **Data Retrieval**: It establishes a connection to the Cybersixgill DVE Feed + stream using a dedicated channel ID. + + 3. **Fetching Indicators**: The connector fetches a bundle of vulnerability indicators + (CVEs) from the feed, limited by the 'Alerts Limit' parameter. + + 4. **Filtering**: The script filters the retrieved objects to ensure only valid + indicators are processed for alert creation. + + 5. **Mapping**: Each vulnerability record is mapped to a Google SecOps Alert. + This includes enriching the alert with specific DVE metadata such as current scores, + highest historical scores, exploitation status, and NVD (National Vulnerability + Database) details like CVSS v2/v3 scores and vectors. + + 6. **Ingestion**: The mapped alerts and their associated events are ingested into + the platform to create cases. + + 7. **Checkpointing**: The connector commits the processed indicators back to the + Cybersixgill API to ensure that the same data is not re-ingested in future runs. diff --git a/content/response_integrations/third_party/community/cybersixgill_dve_feed/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/cybersixgill_dve_feed/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..ac8e64b44 --- /dev/null +++ b/content/response_integrations/third_party/community/cybersixgill_dve_feed/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + siem: false + threat_intelligence: true + vulnerability_management: true diff --git a/content/response_integrations/third_party/community/data_dog/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/data_dog/resources/ai/actions_ai_description.yaml index 956084b4c..0769fb17e 100644 --- a/content/response_integrations/third_party/community/data_dog/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/data_dog/resources/ai/actions_ai_description.yaml @@ -1,50 +1,48 @@ Get Beautiful Metric: ai_description: >- - ### General Description + Analyzes a provided set of metric timeseries points from DataDog to generate statistical + summaries. This action does not fetch data directly from the DataDog API; instead, + it processes a JSON-formatted series object provided as an input parameter. It + calculates the sum, average, minimum, and maximum values for the metric data points + within the specified time range and returns these statistics along with metadata + such as the unit and aggregation method. - The **Get Beautiful Metric** action is a data processing utility designed to analyze - and summarize DataDog metric timeseries data. Instead of fetching data directly - from the DataDog API, this action takes a JSON-formatted series of data points - as input and performs statistical calculations to provide a clear overview of - the metric's behavior over a specific time range. + ### Flow Description - ### Parameters Description + 1. **Parameter Extraction:** Retrieves the DataDog API/APP keys from the integration + configuration and the `Series` JSON object from the action parameters. - | Parameter | Type | Mandatory | Description | + 2. **Data Parsing:** Parses the `Series` input to extract the `pointlist` (the + actual metric values), `start` time, and `end` time. - | :--- | :--- | :--- | :--- | - - | **Series** | Code (JSON) | Yes | A JSON string containing the DataDog timeseries - data. It must include a `pointlist` (list of [timestamp, value] pairs), `start` - and `end` timestamps, and metadata like `unit` and `aggr`. | + 3. **Statistical Calculation:** Iterates through the `pointlist` to compute the + sum, average, minimum, and maximum of the raw metric values. + 4. **Result Construction:** Packages the calculated statistics, the original timeseries + points, and metadata (unit, aggregation, expression) into a structured JSON result. - ### Flow Description + 5. **Completion:** Ends the action by providing the JSON result to the SOAR platform. - 1. **Input Parsing**: The action extracts the `Series` parameter and parses it - from a JSON string into a Python dictionary. - 2. **Validation**: It verifies the presence of the `pointlist` key to ensure the - input is valid for analysis. + ### Parameters Description - 3. **Statistical Analysis**: The script iterates through the `pointlist`, extracting - the raw metric values. It then calculates the **Sum**, **Average**, **Minimum**, - and **Maximum** values for the dataset. + | Parameter | Type | Mandatory | Description | - 4. **Result Construction**: It compiles these statistics along with the original - metadata (unit, aggregation type, time range, and expression) into a structured - JSON object. + | :--- | :--- | :--- | :--- | - 5. **Output**: The final analysis is attached to the action's JSON results for - use in subsequent playbook steps. + | Series | code | True | A JSON string representing the DataDog metric series. + It must contain a `pointlist` key (a list of [timestamp, value] pairs) and metadata + like `start`, `end`, `unit`, and `aggr`. | ### Additional Notes - * This action does not make external API calls. It processes data provided in - the `Series` parameter, which is typically output by a preceding DataDog "Get - Metrics" or "Query Metrics" action. + * This action is primarily a utility for data transformation and analysis of metrics + already retrieved by other actions or processes. + + * If the `Series` parameter is missing the `pointlist` key, the action will log + an error and return an empty result. capabilities: can_create_case_comments: false can_create_insight: false @@ -72,22 +70,51 @@ Get Beautiful Metric: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Event Details: - ai_description: "### General Description\nRetrieves detailed information about a\ - \ specific event from DataDog using its unique Event ID. This action allows users\ - \ to fetch the full context of a DataDog event, including its message, tags, priority,\ - \ and metadata, by querying the DataDog API directly.\n\n### Parameters Description\n\ - | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ - | Event ID | string | Yes | The unique identifier of the DataDog event you want\ - \ to retrieve. |\n\n### Flow Description\n1. **Authentication**: The action extracts\ - \ the API Key and APP Key from the integration configuration to authenticate with\ - \ DataDog.\n2. **Input Retrieval**: The action retrieves the `Event ID` provided\ - \ as an input parameter.\n3. **Data Retrieval**: It calls the DataDog API's GET\ - \ events endpoint (`/api/v1/events/{event_id}`) via the `DataDogManager`.\n4.\ - \ **Result Handling**: \n * If the event details are successfully retrieved,\ - \ the data is added to the action's JSON result, and the action completes with\ - \ a success status.\n * If the event cannot be found or the API call fails,\ - \ the action completes with a failure status and an appropriate log message." + ai_description: "### General Description\nThe **Get Event Details** action retrieves\ + \ comprehensive information for a specific event from DataDog using its unique\ + \ Event ID. This action is primarily used to fetch the full context of an event,\ + \ including its message, tags, priority, and metadata, which can then be used\ + \ for further analysis or decision-making within a playbook.\n\n### Parameters\ + \ Description\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- |\ + \ :--- | :--- |\n| Event ID | String | Yes | The unique identifier of the DataDog\ + \ event to be retrieved. |\n\n### Flow Description\n1. **Configuration Extraction:**\ + \ The action retrieves the API Key and APP Key from the DataDog integration configuration.\n\ + 2. **Parameter Retrieval:** The action extracts the `Event ID` provided by the\ + \ user or playbook.\n3. **API Interaction:** The action initializes the `DataDogManager`\ + \ and calls the `get_event_details` method, which performs a GET request to the\ + \ DataDog API endpoint: `https://api.datadoghq.com/api/v1/events/{event_id}`.\n\ + 4. **Result Processing:** \n * If the event is found, the action logs a success\ + \ message and attaches the event details as a JSON result.\n * If the event\ + \ is not found or the API call fails, the action logs a failure message.\n5. **Completion:**\ + \ The action terminates, returning the success status and the retrieved data.\n\ + \n### Additional Notes\nThis action does not iterate over or modify SOAR entities.\ + \ It operates strictly on the provided `Event ID` parameter." capabilities: can_create_case_comments: false can_create_insight: false @@ -99,7 +126,7 @@ Get Event Details: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: entity_types: [] filters_by_additional_properties: false @@ -115,63 +142,90 @@ Get Event Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Events: ai_description: >- - ### General Description + Retrieves event data from DataDog based on specific search criteria. This action + allows analysts to query the DataDog Events API to fetch logs and event details + within a specified time range, filtered by sources, tags, and priority levels. + The results are returned as a JSON object for further analysis within the SOAR + platform. - This action retrieves event logs from DataDog based on a specified time range - and filtering criteria. It is designed to fetch historical or real-time event - data from various sources within the DataDog environment, allowing analysts to - review triggered monitors, alerts, or other system events directly within Google - SecOps. + ### Flow Description: - ### Parameters Description + 1. **Authentication**: Extracts the API Key and APP Key from the integration configuration + to authenticate with the DataDog API. + + 2. **Parameter Extraction**: Retrieves user-defined parameters including the event + sources, start/end times (in Unix format), priority filters, tags, and aggregation + preferences. + + 3. **API Request**: Initializes the DataDog manager and executes a GET request + to the `/api/v1/events` endpoint with the provided filters. + + 4. **Result Processing**: Captures the returned event list. If events are found, + they are added to the action's JSON results and the action completes successfully. + If no events match the criteria, it reports a successful execution with an empty + result set. + + + ### Parameters Description: | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Sources | String | Yes | Specifies the sources to retrieve events from (e.g., - 'alert' to see events from triggered monitors). | + | Sources | String | Yes | The specific sources to retrieve events from (e.g., + 'alert', 'monitor'). | - | Start Time | String | Yes | The start time for the event search in Unix timestamp - format. | + | Start Time | String | Yes | The start of the time range for event retrieval + in Unixtime format. | - | End Time | String | Yes | The end time for the event search in Unix timestamp + | End Time | String | Yes | The end of the time range for event retrieval in Unixtime format. | | Priority | DDL | No | Filters events by priority level. Options include 'all', 'normal', or 'low'. Default is 'all'. | - | Tags | String | No | A comma-separated list of tags to filter the events by - scope (e.g., 'monitor'). | + | Tags | String | No | A comma-separated list of tags to filter the events (e.g., + 'env:prod'). | | Unaggregated | Boolean | No | If set to 'true', retrieves the full list of events. If 'false', retrieves an aggregated list. | - ### Additional Notes - - This action does not operate on specific entities within the case; instead, it - performs a global search based on the provided time and filter parameters. The - results are returned as a JSON array. - - - ### Flow Description - - 1. **Configuration Extraction:** The action retrieves the API Key and APP Key - from the DataDog integration settings. + ### Additional Notes: - 2. **Parameter Processing:** It extracts the search filters including time range - (Start/End), sources, priority, tags, and aggregation preference. + - This action does not operate on specific entities within the case; it performs + a global search based on the provided time and filter parameters. - 3. **API Interaction:** The action uses the `DataDogManager` to perform a GET - request to the DataDog `/api/v1/events` endpoint with the specified query parameters. - - 4. **Result Handling:** If events are successfully retrieved, they are attached - to the action's JSON results. The action then concludes with a status message - indicating whether data was found. + - Ensure that the Start Time and End Time are provided in valid Unix timestamp + format (seconds). capabilities: can_create_case_comments: false can_create_insight: false @@ -199,14 +253,38 @@ Get Events: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Logs: ai_description: >- ### General Description Retrieves Kubernetes logs from DataDog for specific namespaces within a defined - time range. This action allows security analysts to gather log data for troubleshooting - or investigation purposes directly from DataDog's log management system. The results - are returned as a JSON object containing the log entries for each requested namespace. + time range. This action is useful for forensic investigations or monitoring specific + application environments by pulling log data directly into the SOAR platform. ### Parameters Description @@ -215,44 +293,34 @@ Get Logs: | :--- | :--- | :--- | :--- | - | Namespace | String | Yes | A comma-separated list of Kubernetes namespaces to - retrieve logs for (e.g., 'name_space1, name_space2'). | + | Namespace | String | Yes | Comma-separated list of Kubernetes namespaces to + fetch logs for. | - | Start Time | String | Yes | The start time for the log retrieval in ISO 8601 - format (e.g., '2020-02-02T02:02:02Z'). | + | Start Time | String | Yes | The start time (ISO-8601) for the log search. | - | End Time | String | Yes | The end time for the log retrieval in ISO 8601 format - (e.g., '2020-02-02T02:02:02Z'). | + | End Time | String | Yes | The end time (ISO-8601) for the log search. | - ### Additional Notes + ### Flow Description - - The action uses the DataDog Logs API (`/api/v1/logs-queries/list`) via a POST - request to perform the query. + 1. The action retrieves the DataDog API and App keys from the integration configuration. - - Multiple namespaces can be queried in a single execution by providing them as - a comma-separated string. + 2. It extracts the Namespace, Start Time, and End Time from the action parameters. + 3. The Namespace string is split into a list of individual namespaces. - ### Flow Description + 4. For each namespace, the action calls the DataDog API to retrieve logs matching + the kube_namespace query within the specified time window. - 1. **Configuration Extraction**: The action retrieves the DataDog API Key and - APP Key from the integration's global configuration. + 5. Successfully retrieved logs are aggregated into a JSON result. - 2. **Parameter Parsing**: It extracts the target namespaces, start time, and end - time from the action parameters. The namespace string is split into a list for - processing. + 6. The action completes, providing the logs as a JSON output and a summary message. - 3. **Data Retrieval**: For each namespace provided, the action calls the DataDog - manager to fetch logs filtered by the `kube_namespace` tag and the specified time - range. - 4. **Result Aggregation**: The action checks if logs were returned for each namespace. - If logs exist, they are added to a cumulative JSON result object. + ### Additional Notes - 5. **Completion**: The action concludes by providing a summary message of which - namespaces were successfully queried and attaches the aggregated log data to the - action's JSON result. + This action does not process SOAR entities; it relies entirely on the provided + Namespace parameter. capabilities: can_create_case_comments: false can_create_insight: false @@ -280,55 +348,56 @@ Get Logs: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Metric Snapshot Graph: - ai_description: >- - ### General Description - - This action retrieves a metric snapshot graph from DataDog based on a specific - metric query and a defined time range. It is primarily used for visual investigation - and monitoring, allowing analysts to see historical metric data directly within - the Google SecOps platform. The action generates a snapshot URL which is then - provided as a clickable link in the case. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Query | String | Yes | The DataDog metric query to visualize. For example: `avg:aws.rds.cpuutilization{cloud_env:production}by{dbinstanceidentifier}`. - | - - | Start Time | String | Yes | The start time for the snapshot graph in Unix timestamp - format (e.g., `1400000470`). | - - | End Time | String | Yes | The end time for the snapshot graph in Unix timestamp - format (e.g., `1610557457`). | - - - ### Flow Description - - 1. **Configuration Extraction**: The action retrieves the DataDog API Key and - APP Key from the integration configuration. - - 2. **Parameter Retrieval**: It extracts the user-provided metric query, start - time, and end time. - - 3. **API Interaction**: The action uses the `DataDogManager` to send a GET request - to the DataDog API's `/api/v1/graph/snapshot` endpoint. - - 4. **Result Processing**: If a snapshot is successfully generated, the action - extracts the `snapshot_url` from the response. - - 5. **Output Generation**: The snapshot URL is added as a link to the SOAR case, - and the full JSON response is attached as a result for further use in playbooks. - - - ### Additional Notes - - This action does not process entities; it operates solely on the provided query - string and time parameters. + ai_description: "### General Description\nThe **Get Metric Snapshot Graph** action\ + \ retrieves a URL for a metric snapshot graph from Datadog based on a specific\ + \ metric query and time range. This action is designed to provide visual context\ + \ for telemetry data (such as CPU, memory, or custom application metrics) directly\ + \ within the Google SecOps platform, aiding in incident investigation and performance\ + \ monitoring.\n\n### Parameters Description\n| Parameter | Type | Mandatory |\ + \ Description |\n| :--- | :--- | :--- | :--- |\n| Query | String | Yes | The Datadog\ + \ metric query to visualize. For example: `avg:aws.rds.cpuutilization{cloud_env:production}by{dbinstanceidentifier}`.\ + \ |\n| Start Time | String | Yes | The start time for the metric snapshot graph,\ + \ provided as a Unix timestamp (seconds). |\n| End Time | String | Yes | The end\ + \ time for the metric snapshot graph, provided as a Unix timestamp (seconds).\ + \ |\n\n### Flow Description\n1. **Authentication:** The action initializes the\ + \ Datadog manager using the API Key and APP Key from the integration configuration.\n\ + 2. **Input Processing:** It extracts the user-defined metric query and the specified\ + \ time window (Start and End times).\n3. **Data Retrieval:** The action calls\ + \ the Datadog API endpoint `/api/v1/graph/snapshot` to generate a snapshot graph\ + \ for the provided query.\n4. **Output Generation:** \n * If a snapshot is\ + \ successfully generated, the action retrieves the `snapshot_url`.\n * It adds\ + \ a clickable link to the SOAR case titled 'The graph snapshot URL'.\n * It\ + \ attaches the full JSON response from Datadog to the action results for further\ + \ analysis.\n\n### Additional Notes\n* This action does not operate on specific\ + \ entities (like IPs or Hostnames) but rather on a global metric query.\n* Ensure\ + \ that the time range provided is valid and that the query follows Datadog's query\ + \ syntax." capabilities: can_create_case_comments: false can_create_insight: false @@ -356,54 +425,77 @@ Get Metric Snapshot Graph: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Metric Timeseries Points: ai_description: >- + Retrieves metric timeseries points from DataDog based on a specific query and + time range. This action allows users to fetch historical performance data or telemetry + for analysis within Google SecOps. + + ### General Description - Retrieves timeseries data points for a specific metric query from Datadog within - a defined time range. This action allows analysts to fetch granular monitoring - data directly into a case for investigation, performance analysis, or anomaly - detection. + This action interacts with the DataDog API to retrieve timeseries data points + for a provided metric query. It is primarily used for monitoring, troubleshooting, + and incident investigation by pulling specific metric trends over a defined period. - ### Parameters + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Query | string | Yes | The Datadog metric query to execute. Example: `avg:aws.rds.dbload{dbinstanceidentifier:db}by{dbinstanceidentifier}`. + | Query | string | Yes | The DataDog metric query to execute (e.g., `avg:system.cpu.idle{host:host0}`). | | Start Time | string | Yes | The start time of the timeseries points in Unix - timestamp format (e.g., 1400000470). | + timestamp format (e.g., `1400000470`). | | End Time | string | Yes | The end time of the timeseries points in Unix timestamp - format (e.g., 1610557457). | + format (e.g., `1610557457`). | ### Flow Description - 1. **Initialization**: The action extracts the Datadog API Key and APP Key from - the integration configuration. - - 2. **Input Retrieval**: It captures the user-provided metric query and the start/end - Unix timestamps. + 1. **Configuration Extraction**: Retrieves the DataDog API Key and APP Key from + the integration settings. - 3. **API Execution**: The action calls the Datadog `v1/query` endpoint via the - `DataDogManager` to fetch the requested timeseries data. + 2. **Parameter Parsing**: Extracts the user-provided metric query, start time, + and end time. - 4. **Validation**: It verifies if the API response status is "ok" and checks if - any data series were returned. + 3. **API Request**: Executes a GET request to the DataDog `/api/v1/query` endpoint + with the specified parameters. - 5. **Output**: The raw JSON response from Datadog is attached to the action results, - and a success message is generated if data points were found. + 4. **Validation**: Checks if the API response status is 'ok' and if any data series + were returned. - - ### Additional Notes - - This action is a utility query tool and does not automatically map data to specific - entities in the Google SecOps environment. + 5. **Result Processing**: Logs the outcome and attaches the raw timeseries data + to the action's JSON results for use in subsequent playbook steps. capabilities: can_create_case_comments: false can_create_insight: false @@ -431,63 +523,85 @@ Get Metric Timeseries Points: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Pod Metric: ai_description: >- - ### General Description + Retrieves performance metrics and process information for Kubernetes Pods from + DataDog. This action fetches CPU utilization, memory usage percentages, and a + list of active processes associated with specific Pod names within a defined time + range. The data is retrieved via DataDog's timeseries and processes APIs and returned + as a structured JSON object. - The **Get Pod Metric** action retrieves performance data and process information - for one or more Kubernetes Pods from DataDog. It specifically fetches CPU utilization, - memory usage percentages, and a list of active processes associated with the specified - pods within a defined time range. This action is useful for troubleshooting performance - issues or investigating suspicious activity within a Kubernetes environment. + ### Flow Description - ### Parameters + 1. **Authentication**: Initializes the DataDog manager using the provided API + and APP keys from the integration configuration. - | Parameter | Type | Mandatory | Description | + 2. **Parameter Extraction**: Retrieves the list of Pod names, start time, and + end time from the action parameters. + + 3. **Metric Retrieval**: For each Pod provided in the comma-separated list: + * Queries the DataDog Timeseries API for average CPU system total metrics + (`kubernetes.cpu.system.total`). + * Queries the DataDog Timeseries API for average memory usage percentage metrics + (`kubernetes.memory.usage_pct`). + * Queries the DataDog Processes API for all processes tagged with the specific + `pod_name`. + 4. **Data Aggregation**: Consolidates the CPU, memory, and process data into a + single JSON result mapped by Pod name. + + 5. **Output**: Returns the aggregated JSON data and provides a status message + indicating which metrics were successfully fetched. + + + ### Parameters Description + + | Parameter Name | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Pod Name | String | Yes | A comma-separated list of Kubernetes Pod names to - retrieve metrics for. | + | Pod Name | string | Yes | A comma-separated list of Kubernetes Pod names (or + namespaces as per the UI description) to retrieve metrics for. | - | Start Time | String | Yes | The start time for the metric query in Unix timestamp + | Start Time | string | Yes | The start time of the metric window in Unix timestamp format (e.g., 1507040000). | - | End Time | String | Yes | The end time for the metric query in Unix timestamp + | End Time | string | Yes | The end time of the metric window in Unix timestamp format (e.g., 1610557457). | ### Additional Notes - This action does not automatically iterate over Google SecOps entities. It relies - entirely on the pod names provided in the `Pod Name` parameter. If multiple pod - names are provided, the action will iterate through each and aggregate the results - into a single JSON output. + * The action does not interact with SecOps entities; it relies entirely on the + string input provided in the 'Pod Name' parameter. - - ### Flow Description - - 1. **Initialization**: The action extracts the DataDog API Key and APP Key from - the integration configuration. - - 2. **Parameter Parsing**: It retrieves the `Pod Name`, `Start Time`, and `End - Time` from the action parameters. The `Pod Name` string is split by commas into - a list of individual pod identifiers. - - 3. **Data Retrieval**: For each pod in the list, the action performs three distinct - queries to DataDog: - * **CPU Metrics**: Fetches the average CPU system total for the pod. - * **Memory Metrics**: Fetches the average memory usage percentage for the - pod. - * **Process Information**: Retrieves a list of active processes tagged with - the specific `pod_name`. - 4. **Result Aggregation**: The retrieved metrics and process data for each pod - are stored in a structured dictionary. - - 5. **Final Output**: The action adds the aggregated data as a JSON result to the - action execution and provides a summary message indicating which metrics were - successfully retrieved. + * The time range must be provided in Unix timestamp format for the DataDog API + to process the query correctly. capabilities: can_create_case_comments: false can_create_insight: false @@ -499,7 +613,7 @@ Get Pod Metric: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: entity_types: [] filters_by_additional_properties: false @@ -515,15 +629,41 @@ Get Pod Metric: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get RDS Metric: ai_description: >- ### General Description - Retrieves AWS RDS performance metrics from DataDog for specific database instances. - This action fetches time-series data for CPU utilization, freeable memory, and - free storage space within a user-defined time range. It is designed to provide - visibility into the health and resource consumption of RDS databases directly - within the SOAR platform. + The **Get RDS Metric** action retrieves performance metrics for Amazon RDS (Relational + Database Service) instances from Datadog. It specifically fetches data regarding + CPU utilization, freeable memory, and free storage space for a given set of database + instance identifiers within a specified time range. This action is useful for + monitoring database health and resource consumption during incident investigation + or performance auditing. ### Parameters Description @@ -533,37 +673,46 @@ Get RDS Metric: | :--- | :--- | :--- | :--- | | Database Instance Identifier | String | Yes | A comma-separated list of AWS - RDS database instance identifiers (e.g., 'db-1, db-2') to query metrics for. | + RDS database instance identifiers (e.g., `db-instance-1, db-instance-2`) to query + metrics for. | - | Start Time | String | Yes | The start of the metric query period in Unix timestamp - format (e.g., '1507040000'). | + | Start Time | String | Yes | The start of the time window for the metrics in + Unix timestamp format (e.g., `1507040000`). | - | End Time | String | Yes | The end of the metric query period in Unix timestamp - format (e.g., '1610557457'). | + | End Time | String | Yes | The end of the time window for the metrics in Unix + timestamp format (e.g., `1610557457`). | ### Flow Description - 1. **Parameter Extraction**: The action extracts the DataDog API and APP keys - from the integration configuration and the database identifiers and time range + 1. **Initialization**: The action extracts the Datadog API and APP keys from the + integration configuration and retrieves the database identifiers and time range from the action parameters. - 2. **Identifier Parsing**: The provided string of database identifiers is split + 2. **Input Parsing**: The comma-separated string of database identifiers is split into a list for individual processing. - 3. **Metric Retrieval**: For each database identifier, the action performs three - distinct API calls to DataDog: - * Fetches CPU utilization metrics (`aws.rds.cpuutilization`). - * Fetches freeable memory metrics (`aws.rds.freeable_memory`). - * Fetches free storage space metrics (`aws.rds.free_storage_space`). - 4. **Data Validation**: The action verifies that the API responses have a status - of 'ok' and contain actual time-series data points. + 3. **Metric Retrieval**: For each database identifier, the action makes three + separate API calls to Datadog to retrieve: + * **CPU Utilization**: Average CPU usage percentage. + * **Freeable Memory**: The amount of available RAM. + * **Free Storage Space**: The amount of available disk space. + 4. **Data Aggregation**: The retrieved metrics are validated (checking for an + "ok" status and existing data series) and aggregated into a structured dictionary. - 5. **Result Aggregation**: Successful metrics are aggregated into a JSON result - object, while identifiers that returned no data are tracked separately. + 5. **Result Reporting**: The action identifies which database identifiers were + successfully queried and which were not. The final results are attached as a JSON + object to the action execution, and the action completes with a success message + if at least one metric was found. + + + ### Additional Notes - 6. **Final Output**: The action returns the aggregated JSON data and a summary - message indicating success or failure for the requested identifiers. + * The action uses the Datadog `/api/v1/query` endpoint to perform time-series + queries. + + * If a specific metric (e.g., CPU) is missing for an identifier but others (e.g., + Memory) are present, the action will still report success for that identifier. capabilities: can_create_case_comments: false can_create_insight: false @@ -575,7 +724,7 @@ Get RDS Metric: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: entity_types: [] filters_by_additional_properties: false @@ -591,41 +740,49 @@ Get RDS Metric: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: - ai_description: >- - ### General Description - - The **Ping** action is a diagnostic tool designed to verify the connectivity between - Google SecOps and the DataDog platform. It ensures that the provided API Key and - Application Key are valid and that the network path to the DataDog API is open. - - - ### Parameters - - There are no action-specific parameters for this task. It relies entirely on the - integration's global configuration parameters: - - * **API Key**: The secret key used to authenticate requests to DataDog. - - * **APP Key**: The application key used to identify the specific application making - the request. - - - ### Flow Description - - 1. **Configuration Extraction**: The action retrieves the `API Key` and `APP Key` - from the DataDog integration settings. - - 2. **Manager Initialization**: It initializes the `DataDogManager` with the retrieved - credentials. - - 3. **Connectivity Test**: The action calls the DataDog `/api/v1/validate` endpoint - via a GET request. - - 4. **Validation**: It checks the response for a `valid: True` status. - - 5. **Result Reporting**: If valid, it returns a success message; otherwise, it - reports a connection failure. + ai_description: "### General Description\nThe **Ping** action is a diagnostic tool\ + \ used to verify the connectivity between the Google SecOps platform and the DataDog\ + \ service. It ensures that the provided API Key and Application Key (APP Key)\ + \ are valid and that the DataDog API is reachable from the environment.\n\n###\ + \ Parameters Description\nThere are no input parameters for this action. It relies\ + \ entirely on the integration's global configuration (API Key and APP Key).\n\n\ + ### Flow Description\n1. **Configuration Extraction**: The action retrieves the\ + \ `API Key` and `APP Key` from the DataDog integration settings.\n2. **Manager\ + \ Initialization**: It initializes the `DataDogManager` with the extracted credentials.\n\ + 3. **Connectivity Test**: The action calls the `test_connectivity` method, which\ + \ sends a GET request to the DataDog validation endpoint (`/api/v1/validate`).\n\ + 4. **Result Evaluation**: \n * If the API returns a valid response, the action\ + \ concludes with a success message: \"Connected successfully\".\n * If the\ + \ API returns an invalid response or an error occurs, the action concludes with\ + \ a failure message: \"The Connection failed\".\n\n### Additional Notes\nThis\ + \ action does not process any entities and is strictly used for system health\ + \ and configuration validation." capabilities: can_create_case_comments: false can_create_insight: false @@ -653,3 +810,28 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/community/data_dog/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/data_dog/resources/ai/connectors_ai_description.yaml new file mode 100644 index 000000000..d2c9184d1 --- /dev/null +++ b/content/response_integrations/third_party/community/data_dog/resources/ai/connectors_ai_description.yaml @@ -0,0 +1,73 @@ +DataDog Connector: + ai_description: >- + ### General Description + + The DataDog Connector enables the ingestion of events and alerts from DataDog + into Google SecOps. It specifically monitors for triggered alerts (errors and + warnings) from DataDog monitors, allowing security teams to centralize monitoring + data and respond to infrastructure or application issues within the SOAR platform. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | API Key | Password | Yes | The API Key for authenticating with DataDog. | + + | APP Key | Password | Yes | The Application Key for authenticating with DataDog. + | + + | Base URL | String | Yes | The base URL for the DataDog API (e.g., `https://api.datadoghq.com`). + | + + | DeviceProductField | String | Yes | The field name used to determine the device + product in the ingested data. | + + | EventClassId | String | Yes | The field name used to determine the event name + or sub-type. | + + | Max Days Back | Integer | Yes | The maximum number of days to look back for + events during the initial run. | + + | Priority | String | No | Filter events by priority (e.g., 'low', 'normal', or + 'all'). | + + | PythonProcessTimeout | String | Yes | The timeout limit in seconds for the script + execution. | + + | Sources | String | Yes | The sources to retrieve events from (e.g., 'alert'). + | + + | Tags | String | No | A comma-separated list of tags to filter monitors (e.g., + 'monitor'). | + + | Unaggregated | Boolean | No | If true, retrieves the full list of events; if + false, retrieves aggregated events. | + + + ### Flow Description + + 1. **Authentication**: Connects to the DataDog API using the provided API Key + and APP Key. + + 2. **Timestamp Check**: Retrieves the last successful execution timestamp or calculates + the start time based on the "Max Days Back" parameter. + + 3. **Event Retrieval**: Queries DataDog for events occurring between the last + run and the current time, filtered by sources, tags, and priority. + + 4. **Filtering**: Filters the retrieved events to include only those with an alert + type of 'error' or 'warning'. + + 5. **Detail Enrichment**: For each relevant event, the connector fetches full + event details. If an event contains "children" events, each child is processed + as an individual alert. + + 6. **Data Mapping**: Maps DataDog event data (monitor name, metrics, tags, and + timestamps) to the Google SecOps AlertInfo model, including flattening nested + JSON structures and extracting product names from metrics. + + 7. **Ingestion**: Ingests the formatted alerts into Google SecOps and updates + the execution timestamp for the next cycle. diff --git a/content/response_integrations/third_party/community/data_dog/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/data_dog/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..e044f2bbd --- /dev/null +++ b/content/response_integrations/third_party/community/data_dog/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: true + collaboration: false + edr: true + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + siem: true + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/docker_hub/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/docker_hub/resources/ai/actions_ai_description.yaml index 203b61c45..d8b7c1497 100644 --- a/content/response_integrations/third_party/community/docker_hub/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/docker_hub/resources/ai/actions_ai_description.yaml @@ -1,19 +1,38 @@ Invite User: - ai_description: "Invites a user to a specific team within a Docker Hub organization\ - \ using their email address. This action facilitates user management by automating\ - \ the invitation process to organizational groups.\n\n### Parameters\n| Parameter\ - \ | Description | Type | Mandatory | \n| --- | --- | --- | --- |\n| Organization\ - \ | The name of the Docker Hub organization where the team resides. | string |\ - \ Yes |\n| Team | The specific team name within the organization to which the\ - \ user will be invited. | string | Yes |\n| Email | The email address of the user\ - \ to receive the invitation. | string | Yes |\n\n### Flow Description\n1. **Authentication**:\ - \ The action authenticates with the Docker Hub API using the credentials (Username\ - \ and Password) provided in the integration configuration.\n2. **Parameter Retrieval**:\ - \ It extracts the Organization, Team, and Email values from the action parameters.\n\ - 3. **API Request**: It executes a POST request to the Docker Hub endpoint `orgs/{org}/groups/{team}/members`\ - \ with the user's email.\n4. **Outcome Reporting**: The action returns a success\ - \ status if the invitation is sent successfully or logs the error if the request\ - \ fails." + ai_description: >- + Invites a user to a specific team within a Docker Hub organization using their + email address. This action facilitates access management by programmatically adding + members to organizational groups. + + + ### Flow Description: + + 1. **Authentication**: Initializes the Docker Hub manager using the provided username + and password from the integration configuration. + + 2. **Parameter Retrieval**: Extracts the target Organization, Team, and user Email + from the action parameters. + + 3. **Invitation Request**: Sends a POST request to the Docker Hub API endpoint + for the specified organization and team, including the user's email in the payload. + + 4. **Completion**: Returns a success message if the invitation is successfully + sent or logs the error if the request fails. + + + ### Parameters Description: + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Team | String | Yes | The name of the team within the Docker Hub organization + to which the user will be invited. | + + | Organization | String | Yes | The name of the Docker Hub organization that owns + the team. | + + | Email | String | Yes | The email address of the user to be invited. | capabilities: can_create_case_comments: false can_create_insight: false @@ -22,8 +41,9 @@ Invite User: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new user invitation record within the specified Docker Hub organization - and team. + Sends a POST request to Docker Hub to create a new user invitation for a specific + team and organization, which changes the state of the organization's membership + list. fetches_data: false internal_data_mutation_explanation: null categories: @@ -43,47 +63,50 @@ Invite User: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: true + update_ticket: false Ping: - ai_description: >- - ### General Description - - The Ping action is designed to verify the connectivity between Google SecOps and - the Docker Hub instance. It ensures that the provided credentials (Username and - Password) are valid and that the environment can successfully communicate with - the Docker Hub API. - - - ### Parameters Description - - There are no parameters for this action. It relies entirely on the integration's - global configuration for authentication. - - - ### Additional Notes - - - This action is a standard connectivity test and does not process any entities - or modify any data. - - - Although the metadata description mentions inviting users, the actual implementation - code performs a connectivity check via the `test_connectivity` method. - - - ### Flow Description - - 1. **Initialization**: The action initializes the Siemplify SDK and sets the script - name. - - 2. **Configuration Retrieval**: It fetches the Username and Password from the - Docker Hub integration configuration. - - 3. **Authentication**: It instantiates the Docker Hub manager, which triggers - a login process (POST request) to obtain a JWT authentication token. - - 4. **Connectivity Test**: It calls the `test_connectivity` method, which performs - a GET request to the `_catalog` endpoint of the Docker Hub API. - - 5. **Completion**: If the request is successful, the action terminates with a - success status. + ai_description: "### General Description\nThe **Ping** action is a diagnostic utility\ + \ designed to verify the connectivity between Google SecOps and the Docker Hub\ + \ API. Its primary purpose is to validate that the integration's configuration\u2014\ + specifically the Username and Password\u2014is correct and that the system can\ + \ successfully authenticate and communicate with Docker Hub.\n\n### Parameters\ + \ Description\nThere are no parameters for this action.\n\n### Additional Notes\n\ + While the metadata description in the configuration file mentions inviting users,\ + \ the actual implementation of this specific action is strictly a connectivity\ + \ test. It is typically used during integration setup or for troubleshooting communication\ + \ issues.\n\n### Flow Description\n1. **Credential Retrieval**: The action retrieves\ + \ the configured Username and Password from the Docker Hub integration settings.\n\ + 2. **Authentication**: It initializes the Docker Hub manager, which triggers an\ + \ authentication flow by sending a POST request to the Docker Hub login endpoint\ + \ to retrieve a JWT token.\n3. **API Validation**: The action calls the `test_connectivity`\ + \ method, which performs a GET request to the `_catalog` endpoint to ensure the\ + \ API is responsive and the token is valid.\n4. **Status Reporting**: If the API\ + \ call succeeds without error, the action terminates with a success status, confirming\ + \ the integration is functional." capabilities: can_create_case_comments: false can_create_insight: false @@ -92,7 +115,7 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: false + fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false @@ -111,3 +134,28 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/community/docker_hub/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/docker_hub/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..6c27508d3 --- /dev/null +++ b/content/response_integrations/third_party/community/docker_hub/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: true + itsm: false + network_security: false + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/duo/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/duo/resources/ai/actions_ai_description.yaml index 8370e257a..2fadf47c0 100644 --- a/content/response_integrations/third_party/community/duo/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/duo/resources/ai/actions_ai_description.yaml @@ -1,52 +1,57 @@ Get Authentication Logs for User: ai_description: >- - ### General Description + Retrieves user profile information and authentication history from Duo Security + for a specific username. This action queries the Duo Admin API to fetch logs over + a specified lookback period and performs a frequency analysis on successful authentication + attempts. It identifies common access patterns such as IP addresses, operating + systems, and devices that meet a user-defined 'Authentication Threshold'. - This action retrieves user profile information and authentication logs from DUO - MFA for a specific username. It is designed to provide visibility into a user's - authentication patterns over a specified period (defaulting to 1 day). The action - also performs a frequency analysis on successful authentication sources (IP addresses, - states, operating systems, applications, devices, and factors) and filters them - based on a user-defined threshold to identify 'known' or 'safe' sources. + ### Flow Description: - ### Parameters Description + 1. **Authentication**: Connects to the Duo Admin API using the configured API + Hostname, Secret Key, and Integration Key. - | Parameter | Type | Mandatory | Description | + 2. **User Lookup**: Searches for the Duo `user_id` corresponding to the provided + `Username` parameter. - | :--- | :--- | :--- | :--- | + 3. **Log Retrieval**: Fetches authentication logs for the identified user within + the timeframe defined by the `Number Days Back` parameter. - | Authentication Threshold | string | Yes | The minimum number of successful authentications - required for an authentication source (e.g., an IP or device) to be included in - the summary lists. Default is 2. | + 4. **Pattern Analysis**: Iterates through successful authentication logs to count + occurrences of access IPs, geographic states, OS versions, applications, and hardware + devices. - | Number Days Back | string | Yes | The number of days prior to the current time - to retrieve logs for. Default is 1. | + 5. **Threshold Filtering**: Filters the aggregated counts, retaining only those + sources that meet or exceed the `Authentication Threshold` value. - | Username | string | No | The DUO username for which to retrieve data. | + 6. **Output Generation**: Returns a JSON object containing the user's Duo profile, + raw authentication logs, and the filtered frequency statistics. - ### Flow Description + ### Parameters Description: - 1. **Authentication**: Connects to the DUO Admin API using the configured Hostname, - Integration Key, and Secret Key. + | Parameter | Type | Mandatory | Description | - 2. **User Identification**: Queries DUO to find the `user_id` associated with - the provided `Username` parameter. + | :--- | :--- | :--- | :--- | - 3. **Log Retrieval**: Fetches all authentication logs for that user within the - time window defined by `Number Days Back`. + | Authentication Threshold | String | Yes | The minimum number of successful authentications + required for a source (e.g., IP, device) to be included in the summary results. + Default is 2. | + + | Number Days Back | String | Yes | The number of days prior to the current time + to search for authentication logs. Default is 1. | + + | Username | String | No | The Duo username for which to retrieve data. | - 4. **Data Processing**: Iterates through the logs to identify successful authentications. - 5. **Frequency Analysis**: Counts occurrences of specific metadata fields (IP, - OS, Location, Device, etc.) for successful logins. + ### Additional Notes: - 6. **Filtering**: Removes entries from the frequency counts that do not meet the - `Authentication Threshold`. + - This action does not process entities from the Google SecOps case; it relies + entirely on the `Username` parameter. - 7. **Output**: Returns a comprehensive JSON object containing the user's profile, - raw logs, and the filtered frequency analysis. + - If the `Username` is not found in Duo or not provided, the action will report + that no username was provided. capabilities: can_create_case_comments: false can_create_insight: false @@ -74,53 +79,73 @@ Get Authentication Logs for User: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Trust Monitor Events: ai_description: >- ### General Description - Retrieves Trust Monitor events from DUO Security for a specified lookback period. - This action interacts with the DUO Admin API to fetch security events that help - monitor trust assessments and potential security anomalies within the DUO environment. - It is primarily used for data gathering and auditing purposes. + This action retrieves Trust Monitor events from DUO Security for a specified lookback + period. It is designed to provide visibility into security events and anomalies + detected by DUO's Trust Monitor feature, allowing analysts to review historical + event data within Google SecOps. ### Parameters Description - | Parameter Name | Type | Mandatory | Description | + | Parameter Name | Expected Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Number Days Back | String | Yes | The number of days prior to the current time - to retrieve events from. The value is converted to an integer and used to calculate - the start timestamp for the API request. Default is '1'. | - + | Number Days Back | String/Number | Yes | The number of days prior to the current + time from which to start fetching events. Defaults to '1'. | - ### Additional Notes - - This action requires valid DUO Admin API credentials (API Hostname, Admin Secret - Key, and Admin Integration Key) to be configured in the integration settings. + ### Flow Description - - The action does not process specific entities; it performs a global fetch of - events based on the time range provided. + 1. **Configuration Extraction**: The action retrieves the DUO API Hostname, Admin + Secret Key, and Admin Integration Key from the integration settings. + 2. **Parameter Processing**: It extracts the 'Number Days Back' parameter and + calculates the start (mintime) and end (maxtime) timestamps in milliseconds. - ### Flow Description + 3. **API Interaction**: Using the DUO Python SDK (`duo_client`), the action authenticates + to the Admin API and calls the `get_trust_monitor_events_by_offset` method. - 1. **Configuration Retrieval**: The action extracts the DUO API Hostname, Admin - Secret Key, and Admin Integration Key from the integration's provider configuration. + 4. **Data Output**: The retrieved events are formatted into a JSON object and + added to the action's execution results for use in subsequent playbook steps. - 2. **Time Calculation**: It calculates the start and end timestamps in milliseconds. - The start timestamp is determined by subtracting the specified number of days - (converted from the `Number Days Back` parameter) from the current time. - 3. **API Initialization**: Initializes the DUO Admin API client using the provided - credentials. + ### Additional Notes - 4. **Data Retrieval**: Calls the DUO SDK method `get_trust_monitor_events_by_offset` - using the calculated time range to fetch Trust Monitor events. + - This action does not process specific entities; it performs a global fetch of + events based on the time range provided. - 5. **Result Processing**: Formats the retrieved events into a JSON structure and - attaches them to the action's result object for use in subsequent playbook steps. + - Ensure the DUO Admin API keys have the necessary permissions to access Trust + Monitor data. capabilities: can_create_case_comments: false can_create_insight: false @@ -148,43 +173,52 @@ Get Trust Monitor Events: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Users by Name: - ai_description: >- - ### General Description - - Retrieves detailed user information from DUO MFA using the Admin API based on - a specific username. This action is designed to fetch user-specific metadata, - including user IDs, authentication details, and device data, providing visibility - into a user's status within the DUO ecosystem. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Username | String | Yes | The specific username to query in the DUO Admin API - to retrieve associated data. | - - - ### Flow Description - - 1. **Configuration Extraction**: Retrieves the DUO API Hostname, Admin Secret - Key, and Admin Integration Key from the integration's configuration settings. - - 2. **Parameter Extraction**: Retrieves the target `Username` provided as an action - input. - - 3. **API Initialization**: Initializes the DUO Admin API client using the extracted - credentials. - - 4. **Data Retrieval**: Calls the `get_users_by_name` endpoint to fetch all records - associated with the provided username. - - 5. **Result Processing**: Iterates through the returned data to identify the `user_id` - and aggregates the full response into a structured JSON result for use in subsequent - playbook steps. + ai_description: "### General Description\nThis action queries the DUO Admin API\ + \ to retrieve detailed information about a specific user based on a provided username.\ + \ It is designed to fetch contextual data such as user IDs, authentication history,\ + \ and associated device information from the DUO MFA platform. This information\ + \ is typically used for investigation and identity verification during security\ + \ incidents.\n\n### Parameters Description\n| Parameter Name | Type | Mandatory\ + \ | Description | \n| :--- | :--- | :--- | :--- |\n| Username | string | Yes |\ + \ The specific DUO username for which to retrieve account and device data. |\n\ + \n### Flow Description\n1. **Configuration Extraction**: The action retrieves\ + \ the DUO API Hostname, Admin Secret Key, and Admin Integration Key from the integration's\ + \ configuration settings.\n2. **Parameter Extraction**: The action extracts the\ + \ `Username` provided by the user or playbook.\n3. **API Initialization**: It\ + \ initializes the DUO Admin API client using the provided credentials and hostname.\n\ + 4. **Data Retrieval**: The action calls the `get_users_by_name` method from the\ + \ DUO SDK to fetch all data associated with the specified username.\n5. **Result\ + \ Processing**: It extracts the `user_id` from the response and packages the full\ + \ user data into a structured JSON format.\n6. **Output**: The results are added\ + \ to the action's JSON output for use in subsequent playbook steps.\n\n### Additional\ + \ Notes\nThis action does not automatically iterate over entities in a case; it\ + \ relies strictly on the `Username` parameter provided in the action configuration." capabilities: can_create_case_comments: false can_create_insight: false @@ -212,36 +246,50 @@ Get Users by Name: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: - ai_description: >- - ### General Description - - Verifies the connectivity and credentials for the DUO Auth API. This action uses - the DUO Python SDK to call the `/check` endpoint, ensuring that the provided API - Hostname, Secret Key, and Integration Key are valid and that the request signature - is generated correctly. - - - ### Parameters - - There are no input parameters for this action. It relies entirely on the integration's - configuration settings (API Hostname, Auth Secret Key, and Auth Integration Key). - - - ### Flow Description - - 1. **Configuration Extraction**: Retrieves the `API Hostname`, `Auth Secret Key`, - and `Auth Integration Key` from the DUO integration settings. - - 2. **Client Initialization**: Initializes the DUO Auth API client using the retrieved - credentials. - - 3. **Connectivity Check**: Executes the `check()` method against the DUO API to - verify the integration setup. - - 4. **Result Handling**: If the check is successful, it returns a confirmation - message. If an exception occurs, it reports a failure with the specific error - details. + ai_description: "### General Description\nThe **Ping** action is a diagnostic utility\ + \ designed to verify the connectivity and authentication configuration between\ + \ Google SecOps and the DUO Auth API. It validates that the integration's global\ + \ settings\u2014specifically the API Hostname, Auth Integration Key, and Auth\ + \ Secret Key\u2014are correct and that the environment can successfully generate\ + \ the required request signatures to communicate with DUO.\n\n### Parameters Description\n\ + There are no parameters for this action.\n\n### Additional Notes\nThis action\ + \ is primarily used for health checks and troubleshooting. It does not process\ + \ any entities or modify any data within Google SecOps or DUO.\n\n### Flow Description\n\ + 1. **Configuration Retrieval:** The action extracts the `API Hostname`, `Auth\ + \ Secret Key`, and `Auth Integration Key` from the DUO integration configuration.\n\ + 2. **Client Initialization:** It initializes the DUO Python SDK `Auth` client\ + \ using the extracted credentials.\n3. **Validation Call:** The action executes\ + \ the `/check` endpoint via the SDK to verify the validity of the keys and the\ + \ connectivity to the host.\n4. **Execution Outcome:** If the API call succeeds,\ + \ the action completes with a success message. If an exception occurs (e.g., authentication\ + \ failure or network error), the action catches the error and reports a failure\ + \ status." capabilities: can_create_case_comments: false can_create_insight: false @@ -269,3 +317,28 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/community/duo/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/duo/resources/ai/connectors_ai_description.yaml new file mode 100644 index 000000000..aded74594 --- /dev/null +++ b/content/response_integrations/third_party/community/duo/resources/ai/connectors_ai_description.yaml @@ -0,0 +1,62 @@ +DUO - Trust Monitor Connector: + ai_description: >- + ### General Description + + The DUO Trust Monitor Connector integrates with the Cisco Duo Admin API to ingest + Trust Monitor events into Google SecOps. Duo Trust Monitor uses machine learning + to identify anomalous authentication patterns and potential security risks. This + connector automates the retrieval of these security events, transforming them + into actionable cases for security analysts to investigate within the SOAR platform. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the + python process running the current script. | + + | EventClassId | String | Yes | The field name used to determine the event name + (sub-type). Default is 'event_name'. | + + | DeviceProductField | String | Yes | The field name used to determine the device + product. Default is 'device_product'. | + + | Days Back | Integer | Yes | The maximum number of days back to retrieve data + from. | + + | API Hostname | String | Yes | API hostname for your Duo tenant (e.g., api-XXXXXXXX.duosecurity.com). + | + + | Admin Secret Key | Password | Yes | DUO Admin API Secret Key used for authentication. + | + + | Admin Integration Key | Password | Yes | DUO Admin API Integration Key used + for authentication. | + + + ### Flow Description + + 1. **Initialization**: The connector retrieves configuration parameters, including + API credentials, the Duo hostname, and the lookback window defined by 'Days Back'. + + 2. **Time Range Calculation**: It calculates the start and end timestamps for + the query based on the current time and the configured 'Days Back' value. + + 3. **API Connection**: The connector establishes a connection to the Duo Admin + API using the provided Integration Key and Secret Key. + + 4. **Data Retrieval**: It queries the Duo Trust Monitor endpoint to fetch all + security events that occurred within the calculated time range. + + 5. **Data Transformation**: For each event found, the connector flattens the nested + JSON data structure to ensure all metadata is accessible within the SOAR environment. + + 6. **Case Creation**: The connector maps the Duo event data (using the transaction + ID as a unique identifier) to the Google SecOps CaseInfo model, setting a default + priority of Medium (60). + + 7. **Ingestion**: The processed alerts are packaged and ingested into Google SecOps + as new cases. diff --git a/content/response_integrations/third_party/community/duo/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/duo/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..9236ddeae --- /dev/null +++ b/content/response_integrations/third_party/community/duo/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: true + itsm: false + network_security: false + siem: true + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/eclectic_iq/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/eclectic_iq/resources/ai/actions_ai_description.yaml index df7c29bf1..a96af87a1 100644 --- a/content/response_integrations/third_party/community/eclectic_iq/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/eclectic_iq/resources/ai/actions_ai_description.yaml @@ -2,39 +2,37 @@ Enrich Entities: ai_description: >- ### General Description - Enriches entities by querying the EclecticIQ Threat Intelligence Platform. This - action retrieves comprehensive context for entities, including observable details, - associated threat entities, confidence levels (maliciousness), and source information. - It enhances the visibility of potential threats within the Google SecOps environment - by attaching external intelligence directly to the entities. + Enriches multiple entity types using the EclecticIQ threat intelligence platform. + This action retrieves detailed context, including observable types, confidence + scores (maliciousness), and related entity information such as titles, descriptions, + tags, and sources. The retrieved data is used to update the entity's profile within + Google SecOps, providing analysts with immediate threat context. - ### Parameters + ### Parameters Description There are no parameters for this action. ### Flow Description - 1. **Initialization**: The action initializes the EclecticIQ manager using the - URL and API token retrieved from the integration configuration. - - 2. **Data Retrieval**: It performs a bulk lookup for all target entities to find - matching observables in the EclecticIQ database. + 1. **Initialization**: Connects to the EclecticIQ API using the configured URL + and API Token. - 3. **Context Enrichment**: For identified observables, it fetches related entity - data and resolves source identifiers to human-readable names. + 2. **Data Retrieval**: Fetches observable information for all target entities + in the current scope from the EclecticIQ platform. - 4. **Entity Update**: It flattens the retrieved intelligence data, applies an - 'EIQ' prefix, and updates the `additional_properties` of the SecOps entities. - It also marks the entities as enriched (`is_enriched = True`). + 3. **Contextual Enrichment**: Retrieves related entity data from EclecticIQ for + the identified observables to provide broader threat context. - 5. **UI Enhancement**: It adds direct links to the EclecticIQ platform and populates - data tables for each entity to provide a detailed view of the findings within - the case wall. - - 6. **Completion**: The action returns the count of enriched entities and lists - any entities that were not found in EclecticIQ in the output message. + 4. **Data Processing**: + * Generates a JSON result containing the full enrichment payload. + * Creates platform links for each enriched entity, allowing analysts to pivot + directly to the EclecticIQ UI. + * Constructs CSV tables for each entity detailing related threat intelligence + and sources. + 5. **Entity Update**: Updates the Google SecOps entities with the retrieved metadata + (prefixed with 'EIQ') and marks them as enriched. capabilities: can_create_case_comments: false can_create_insight: false @@ -45,8 +43,8 @@ Enrich Entities: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with threat intelligence data from EclecticIQ - and sets the 'is_enriched' flag to true. + Updates entity additional properties with threat intelligence data and sets + the 'is_enriched' flag to true. categories: enrichment: true entity_usage: @@ -99,24 +97,51 @@ Enrich Entities: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: - ai_description: "### General Description\nThe Ping action is a utility designed\ - \ to verify the connectivity between Google SecOps and the EclecticIQ platform.\ - \ It ensures that the provided configuration parameters, such as the URL and API\ - \ Token, are correct and that the network path is open.\n\n### Parameters\nThis\ - \ action does not require any input parameters.\n\n### Flow Description\n1. **Configuration\ - \ Retrieval**: The action starts by fetching the integration's global configuration,\ - \ including the EclecticIQ URL, API Token, and SSL verification settings.\n2.\ - \ **Manager Initialization**: It initializes the `EclecticIQManager` with the\ - \ retrieved credentials.\n3. **Connectivity Test**: The manager executes the `test_connectivity`\ - \ method, which performs a GET request to the `/api/v2/sources` endpoint of the\ - \ EclecticIQ API.\n4. **Result Handling**: \n * If the API call is successful\ - \ (returns a 200 OK status), the action completes with a success message.\n \ - \ * If an exception occurs (e.g., authentication failure, timeout, or invalid\ - \ URL), the action catches the error, logs the details, and returns a failure\ - \ status.\n\n### Additional Notes\nThis action is primarily used during the initial\ - \ setup of the integration or for troubleshooting communication issues. It does\ - \ not process any entities or modify any data." + ai_description: "### General Description\nThe **Ping** action is a diagnostic tool\ + \ used to verify the connectivity between the Google SecOps platform and the EclecticIQ\ + \ instance. It ensures that the provided configuration parameters, such as the\ + \ URL and API Token, are correct and that the network path is open.\n\n### Parameters\ + \ Description\nThis action does not require any input parameters. It relies solely\ + \ on the integration's global configuration settings (EclecticIQ URL, API Token,\ + \ and Verify SSL).\n\n### Flow Description\n1. **Initialization**: The action\ + \ initializes the Siemplify context and retrieves the global integration configuration.\n\ + 2. **Manager Setup**: It instantiates the `EclecticIQManager` using the configured\ + \ URL, API Token, and SSL verification setting.\n3. **Connectivity Test**: The\ + \ action calls the `test_connectivity` method, which performs a GET request to\ + \ the EclecticIQ `/api/v2/sources` endpoint.\n4. **Result Handling**: \n *\ + \ If the request is successful, the action completes with a success status and\ + \ a confirmation message.\n * If an exception occurs (e.g., authentication\ + \ failure, network timeout), the action fails and provides the error details in\ + \ the output message.\n\n### Additional Notes\n- This action is typically used\ + \ during the initial setup of the integration or for troubleshooting communication\ + \ issues.\n- It does not process any entities or modify any data within EclecticIQ\ + \ or Google SecOps." capabilities: can_create_case_comments: false can_create_insight: false @@ -144,65 +169,85 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Send Entities to EclecticIQ: ai_description: >- - ### General Description + Sends entities from a Google SecOps case to the EclecticIQ Intelligence Center. + This action allows analysts to export case context and associated entities as + sightings or indicators within EclecticIQ, facilitating threat intelligence sharing + and external tracking. By default, the action creates a sighting for each supported + entity found in the case. If configured, it can also create an indicator object. + The action utilizes case metadata such as title, description, priority, and status + to provide context for the created objects in EclecticIQ. - This action sends entities from a Google SecOps case to the EclecticIQ Intelligence - Center. Its primary purpose is to record sightings of specific entities within - the threat intelligence platform. By default, the action creates 'sighting' objects - in EclecticIQ, but it can be configured to also create 'indicator' objects. This - integration helps in synchronizing local security findings with a centralized - threat intelligence management system. + ### Flow Description: - ### Parameters Description - - | Parameter | Type | Mandatory | Description | + 1. **Parameter Extraction:** Retrieves the EclecticIQ configuration (URL, API + Token) and action parameters (Group Name, Create Indicator flag). - | :--- | :--- | :--- | :--- | + 2. **Source Identification:** Queries the EclecticIQ API to find the internal + source ID associated with the provided 'Group Name'. - | **Group Name** | string | Yes | The name of the EclecticIQ Intelligence Center - Group (e.g., 'Testing Group') where the entities will be created. | + 3. **Entity Mapping:** Iterates through the target entities in the SecOps case + and maps them to EclecticIQ extract types (e.g., IP to ipv4, Domain to domain). - | **Create Indicator** | boolean | No | If set to `true`, the action creates both - a sighting and an indicator in EclecticIQ. If `false` (default), only a sighting - is created. | + 4. **Data Construction:** Builds a sighting object (and optionally an indicator + object) containing the case metadata and the list of entity extracts. + 5. **External Creation:** Sends a PUT request to the EclecticIQ API to create + the entities within the platform. - ### Flow Description + 6. **Internal Updates:** Adds a comment to the SecOps case confirming the action's + success and provides a direct platform link to the created data in the action + results. - 1. **Initialization**: The action retrieves the EclecticIQ URL, API Token, and - SSL verification settings from the integration configuration, along with the user-provided - 'Group Name' and 'Create Indicator' flag. - 2. **Group Identification**: It queries the EclecticIQ API to find the internal - source ID associated with the provided 'Group Name'. + ### Parameters Description: - 3. **Data Preparation**: The action constructs a detailed description for the - EclecticIQ objects using metadata from the current SecOps case (e.g., Title, Priority, - Status, Sla Expiration). + | Parameter | Type | Mandatory | Description | - 4. **Entity Mapping**: It iterates through the target entities in the case, filtering - for supported types (IPs, Hostnames, Hashes, URLs, etc.) and mapping them to EclecticIQ - observable types. + | :--- | :--- | :--- | :--- | - 5. **External Creation**: A PUT request is sent to the EclecticIQ `/api/v2/entities` - endpoint to create the sighting (and optionally the indicator) containing the - mapped entities. + | Group Name | string | Yes | The name of the EclecticIQ Intelligence Center Group + (e.g., 'Testing Group') where the sightings/indicators will be created. | - 6. **Internal Updates**: Upon success, the action adds a comment to the SecOps - case wall and attaches a direct platform link to the newly created EclecticIQ - entity. + | Create Indicator | boolean | No | If set to 'true', the action creates both + a sighting and an indicator in EclecticIQ. If 'false' (default), only a sighting + is created. | - ### Additional Notes + ### Additional Notes: - - The action only processes entities that match the internal `ENTITY_MAP` (e.g., - ADDRESS, HOSTNAME, FILEHASH, etc.). Entities not in this map are ignored. + - The action supports a wide range of entity types including IP addresses, hostnames, + file hashes, domains, and CVEs. - - The action uses UUID v5 (namespace X500) based on the case identifier to generate - consistent IDs for the created EclecticIQ objects. + - Case metadata is formatted as HTML within the EclecticIQ description field to + maintain readability. capabilities: can_create_case_comments: true can_create_insight: false @@ -211,12 +256,12 @@ Send Entities to EclecticIQ: can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: >- - Creates new sighting and/or indicator entities in the EclecticIQ Intelligence - Center platform via a PUT request. - fetches_data: false + Creates new sighting and indicator records within the EclecticIQ Intelligence + Center platform via PUT requests. + fetches_data: true internal_data_mutation_explanation: >- - Adds a case comment to the case wall and creates an entity link pointing to - the EclecticIQ platform. + Adds a comment to the Google SecOps case to log the successful export of entities + to EclecticIQ. categories: enrichment: false entity_usage: @@ -252,3 +297,28 @@ Send Entities to EclecticIQ: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: true + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/community/eclectic_iq/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/eclectic_iq/resources/ai/connectors_ai_description.yaml new file mode 100644 index 000000000..3a54dfb86 --- /dev/null +++ b/content/response_integrations/third_party/community/eclectic_iq/resources/ai/connectors_ai_description.yaml @@ -0,0 +1,37 @@ +EclecticIQ - Feed Connector: + ai_description: "### General Description\nThis connector integrates with the EclecticIQ\ + \ Intelligence Center to ingest threat intelligence data into Google SecOps. It\ + \ specifically targets \"Outgoing Feeds\" configured within EclecticIQ, downloading\ + \ content blocks (typically in CSV format) and converting the contained observables\ + \ and entities into structured alerts and events. This enables security teams\ + \ to automate the ingestion of curated intelligence for correlation and incident\ + \ response.\n\n### Parameters Description\n| Parameter | Type | Mandatory | Description\ + \ |\n| :--- | :--- | :--- | :--- |\n| API Token | Password | Yes | The API token\ + \ used to authenticate with the EclecticIQ Intelligence Center API. |\n| EclecticIQ\ + \ URL | String | Yes | The base URL of the EclecticIQ instance (e.g., https://eclecticiq.local).\ + \ |\n| Outgoing Feed ID | String | Yes | The specific ID of the Outgoing Feed\ + \ from which the connector will fetch entities. |\n| DeviceProductField | String\ + \ | Yes | The field name used to determine the device product in the ingested\ + \ data (Default: EclecticIQ). |\n| EventClassId | String | Yes | The field name\ + \ used to determine the event name or sub-type (Default: Threat Intelligence).\ + \ |\n| PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for\ + \ the python process running the current script. |\n| Verify SSL | Boolean | No\ + \ | If enabled, the connector will verify the SSL certificate of the EclecticIQ\ + \ server. |\n\n### Flow Description\n1. **Authentication**: The connector establishes\ + \ a secure session with the EclecticIQ Intelligence Center using the provided\ + \ API Token and URL.\n2. **Feed Validation**: It verifies that the configured\ + \ `Outgoing Feed ID` is valid and accessible on the platform.\n3. **Content Discovery**:\ + \ The connector queries for available content blocks associated with the specified\ + \ outgoing feed.\n4. **Checkpointing**: It retrieves the ID of the last successfully\ + \ processed content block from the internal database to ensure only new data is\ + \ ingested.\n5. **Data Retrieval and Parsing**: For every new content block identified,\ + \ the connector downloads the data (CSV format) and parses it into individual\ + \ records.\n6. **Alert Transformation**: Each record is mapped to a Google SecOps\ + \ Alert object, utilizing fields like `entity.title` for the alert name and `entity.id`\ + \ for the unique identifier.\n7. **Event Mapping**: Detailed attributes from the\ + \ EclecticIQ record\u2014including observable values, types, descriptions, confidence\ + \ levels, and source names\u2014are mapped into a SOAR event attached to the alert.\n\ + 8. **Ingestion**: The generated alerts and events are ingested into Google SecOps\ + \ for case creation.\n9. **State Update**: Upon successful processing, the connector\ + \ updates the checkpoint with the latest content block ID to prevent duplicate\ + \ ingestion in subsequent runs." diff --git a/content/response_integrations/third_party/community/eclectic_iq/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/eclectic_iq/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..2e831240c --- /dev/null +++ b/content/response_integrations/third_party/community/eclectic_iq/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + siem: false + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/flashpoint/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/flashpoint/resources/ai/actions_ai_description.yaml index fb9e68e68..d3e4c6b01 100644 --- a/content/response_integrations/third_party/community/flashpoint/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/flashpoint/resources/ai/actions_ai_description.yaml @@ -2,52 +2,52 @@ Custom Query: ai_description: >- ### General Description - This action executes a custom search query against the Flashpoint API. It allows - users to define complex search criteria in JSON format and specify the target - API endpoint, providing flexibility to interact with various Flashpoint search - capabilities beyond standard enrichment actions. + Executes a custom search query against the Flashpoint API. This action provides + the flexibility to perform advanced searches by allowing users to specify both + the query parameters in JSON format and the specific API endpoint path. It is + primarily used to retrieve tailored threat intelligence data, such as forum posts, + carding information, or exploit discussions, directly into the Google SecOps platform. ### Parameters Description - | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + | Parameter | Description | Type | Mandatory | Notes | - | Query Content | Code (JSON) | Yes | A JSON-formatted string containing the search - parameters. This typically includes keys like `query`, `limit`, `start_date`, - `end_date`, and `search_tags`. | + | :--- | :--- | :--- | :--- | :--- | - | New Query URL | String | Yes | The API endpoint path to append to the Flashpoint - base URL (e.g., `/all/search` or `/indicators/attribute`). | + | Query Content | A JSON-formatted string containing the search parameters. | + Code | Yes | Expected to contain keys like `query`, `limit`, `start_date`, `end_date`, + `search_tags`, and `sort_timestamp`. | + | New Query URL | The specific API endpoint path to target. | String | Yes | This + path is appended to the base Flashpoint API URL (e.g., `/all/search` or `/indicators/attribute`). + | - ### Flow Description - 1. **Initialization**: The action retrieves the Flashpoint API Key from the integration - configuration and the `Query Content` and `New Query URL` from the action parameters. + ### Additional Notes - 2. **Manager Setup**: An instance of the `FlashpointManager` is created to handle - the HTTP session and authentication. + - The action uses a POST request to send the query parameters to the Flashpoint + API. - 3. **Request Execution**: The action parses the `Query Content` JSON string into - a Python dictionary and sends a POST request to the constructed URL (Base API - + New Query URL). + - The results are returned as a raw JSON object and attached to the action's execution + results. - 4. **Result Processing**: The JSON response from Flashpoint is retrieved and added - to the action's result JSON. - 5. **Completion**: The action concludes by reporting whether the query was successful - or if an error occurred during the API interaction. + ### Flow Description + 1. **Initialization**: Extracts the Flashpoint API Key from the integration configuration. - ### Additional Notes + 2. **Parameter Extraction**: Retrieves the `Query Content` (JSON string) and the + `New Query URL` from the action input. - - This action does not automatically iterate over entities in the Google SecOps - case; it is a standalone query tool. + 3. **API Request**: Uses the `FlashpointManager` to send a POST request to the + constructed URL (Base API + New Query URL) with the parsed JSON query parameters. - - The `Query Content` must be a valid JSON string, otherwise the action will fail - during the parsing stage. + 4. **Result Processing**: Receives the JSON response from Flashpoint. + + 5. **Output**: Adds the raw JSON response to the action results and completes + the execution with a success message. capabilities: can_create_case_comments: false can_create_insight: false @@ -75,54 +75,58 @@ Custom Query: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false IOC_Enrichment: - ai_description: >- - ### General Description - - The **IOC Enrichment** action retrieves threat intelligence for entities from - the Flashpoint platform. It queries the Flashpoint Indicator Attribute API to - find matches for entity identifiers (such as IPs, Domains, or Hashes) and enriches - the Google SecOps entities with the retrieved metadata. This action helps analysts - quickly identify known malicious indicators by pulling context directly into the - case. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Limit | String | No | The maximum number of result objects to return from Flashpoint - for each entity. Default is "100". | - - - ### Flow Description - - 1. **Initialization**: Retrieves the Flashpoint API key from the integration configuration - and the result limit from the action parameters. - - 2. **API Query**: For each target entity in the case, the action sends a GET request - to the Flashpoint `/indicators/attribute` endpoint using the entity's identifier - as the query string. - - 3. **Data Processing**: If a report is found for an entity, the action: - * Flattens the nested JSON response from Flashpoint. - * Adds a `FlashPoint` prefix to the flattened keys to avoid attribute collisions. - * Updates the entity's `additional_properties` with the enriched data. - * Marks the entity as `enriched` and `suspicious` within the SOAR environment. - 4. **Insight Generation**: Creates a SOAR entity insight for each matched entity, - explicitly marking it as suspicious based on Flashpoint data. - - 5. **Finalization**: Aggregates all retrieved reports into a single JSON result - and provides a summary message listing any entities that were not found in the - Flashpoint database. - - - ### Additional Notes - - * This action is strictly for enrichment; it does not perform any blocking or - state-changing operations in Flashpoint. + ai_description: "Enriches entities using Flashpoint's indicator attribute intelligence.\ + \ This action queries the Flashpoint API to retrieve threat intelligence and contextual\ + \ data for various indicators. It automatically updates the entity's profile within\ + \ Google SecOps with the retrieved information, marks the entity as enriched and\ + \ suspicious, and generates an insight for the analyst.\n\n### Flow Description\n\ + 1. **Initialization**: The action initializes the Flashpoint manager using the\ + \ provided API key from the integration configuration.\n2. **Parameter Extraction**:\ + \ It retrieves the 'Limit' parameter to determine the maximum number of results\ + \ to fetch for each entity.\n3. **Entity Iteration**: The action iterates through\ + \ all target entities provided in the context.\n4. **External Query**: For each\ + \ entity, it calls the Flashpoint `/indicators/attribute` endpoint using the entity's\ + \ identifier.\n5. **Data Processing**: If a report is found, the action flattens\ + \ the JSON response and adds a 'FlashPoint' prefix to the keys.\n6. **Internal\ + \ Mutation**: \n * Updates the entity's `additional_properties` with the\ + \ flattened data.\n * Sets the entity's `is_enriched` status to `True`.\n\ + \ * Sets the entity's `is_suspicious` status to `True`.\n * Creates\ + \ an entity insight titled 'Flashpoint - [identifier] marked as suspicious'.\n\ + 7. **Completion**: Aggregates the results and provides a summary message of which\ + \ entities were enriched or not found.\n\n### Parameters Description\n| Parameter\ + \ | Type | Mandatory | Default | Description |\n| :--- | :--- | :--- | :--- |\ + \ :--- |\n| Limit | string | No | 100 | The maximum number of result objects to\ + \ return from the Flashpoint API for each entity. |\n\n### Additional Notes\n\ + * This action automatically marks any entity found in Flashpoint as 'suspicious'\ + \ regardless of the specific score or content of the report.\n* The action processes\ + \ all entity types without specific filtering, making it a versatile enrichment\ + \ tool for any indicator supported by Flashpoint." capabilities: can_create_case_comments: false can_create_insight: true @@ -133,8 +137,8 @@ IOC_Enrichment: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action updates entity additional properties with enriched data from Flashpoint, - marks entities as enriched and suspicious, and creates entity insights. + Updates entity additional properties with enrichment data, marks entities as + enriched and suspicious, and creates entity insights. categories: enrichment: true entity_usage: @@ -187,15 +191,40 @@ IOC_Enrichment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Indicators Custom Query: ai_description: >- ### General Description - This action executes a custom search query against the Flashpoint Indicators API - to retrieve specific threat intelligence data, such as events and attributes. - It allows users to perform granular searches using keywords, tags, and time-based - filters to gather indicators of compromise (IOCs) directly from Flashpoint's intelligence - database. + Executes a custom query against the Flashpoint API to retrieve specific indicators, + events, or attributes. This action allows for granular searching using keywords, + tags, date ranges, and specific indicator types (simple, event, or attribute). + It is designed to fetch threat intelligence data based on user-defined criteria + rather than enriching specific entities within a case. ### Parameters Description @@ -204,55 +233,54 @@ Indicators Custom Query: | :--- | :--- | :--- | :--- | - | Sort By Time | ddl | No | Determines the chronological order of the results - (Ascending or Descending). | + | Indicator Type | ddl | Yes | Defines the scope of the search: 'simple' (simplified + list), 'event' (groupings of IOCs), or 'attribute' (individual IOCs). | + + | Query | string | No | The specific search query string to execute against the + Flashpoint database. | - | Entity Types | string | No | A comma-separated list of MISP-style entity types - to retrieve (e.g., 'url,domain,ip-src'). | + | Search Tags | string | No | Comma-separated keywords (e.g., malware, ransomware) + to filter the results. | | Limit | string | No | The maximum number of result objects to return (default is 10). | - | Start Date | string | No | Filters for indicators created after this specific - ISO 8601 date/time. | + | Start Date | string | No | Retrieves values created after this specified date + (e.g., 2020-02-26T14:49:07Z). | - | End Date | string | No | Filters for indicators created before this specific - ISO 8601 date/time. | + | End Date | string | No | Retrieves values created before this specified date + (e.g., 2020-02-25T14:49:07Z). | - | Search Tags | string | No | A comma-separated list of keywords or tags to filter - the search (e.g., 'malware,ransomware'). | + | Entity Types | string | No | Comma-separated MISP-style entity types to retrieve + data for (e.g., url, domain, ip-src). | - | Query | string | No | The specific search query string to execute. | - - | Indicator Type | ddl | Yes | Specifies the level of indicator data to retrieve: - 'simple' (simplified list), 'attribute' (specific IOCs), or 'event' (grouped IOCs). - | + | Sort By Time | ddl | No | Presents the data in 'Ascending' or 'Descending' order + based on the timestamp. | - ### Flow Description + ### Additional Notes - 1. **Configuration Extraction:** The action retrieves the Flashpoint API Key from - the integration settings and all user-defined search parameters. + The 'Indicator Type' parameter is critical as it determines the specific API endpoint + used for the query. While most parameters are optional, providing a 'Query' or + 'Search Tags' is recommended to narrow down results effectively. - 2. **Client Initialization:** An instance of the FlashpointManager is created - to handle API communication. - 3. **API Request:** The action calls the `indicators_custom_query` method, which - constructs a GET request to the Flashpoint `/indicators/{type}` endpoint using - the provided filters (limit, dates, tags, query, and sorting). + ### Flow Description - 4. **Result Processing:** If the query returns data, the raw JSON response is - attached to the action's results in Google SecOps. + 1. **Configuration Retrieval**: Extracts the API Key from the integration settings. - 5. **Completion:** The action concludes with a success message if data is found, - or a notification if no matching indicators were identified. + 2. **Parameter Extraction**: Collects all user-provided search filters, including + the mandatory Indicator Type. + 3. **Manager Initialization**: Initializes the Flashpoint Manager with the provided + credentials. - ### Additional Notes + 4. **API Execution**: Sends a GET request to the Flashpoint Indicators API endpoint + corresponding to the selected Indicator Type, applying all provided filters as + query parameters. - This action is a standalone search utility and does not automatically iterate - over or enrich entities currently present in a Google SecOps case. It is intended - for manual or automated threat hunting and intelligence gathering. + 5. **Result Processing**: If data is found, it is formatted and added to the action's + JSON results for use in subsequent playbook steps. capabilities: can_create_case_comments: false can_create_insight: false @@ -280,49 +308,64 @@ Indicators Custom Query: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: ai_description: >- - ### General Description - - The **Ping** action is a diagnostic tool used to verify the connectivity between - Google SecOps and the Flashpoint platform. Its primary purpose is to ensure that - the integration's API credentials are valid and that the Flashpoint API is reachable - over the network. - + Tests the connectivity between Google SecOps and the Flashpoint API to ensure + that the provided credentials and network configurations are valid. This action + performs a sample search query to verify that the API is reachable and responding + as expected. - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + ### Parameters - | N/A | N/A | N/A | This action does not require any input parameters. | + | Parameter Name | Description | Type | Mandatory | Notes | + | :--- | :--- | :--- | :--- | :--- | - ### Additional Notes - - This action is a standard connectivity check. It does not process any entities - or modify any data within Google SecOps or Flashpoint. It is typically executed - during the initial configuration of the integration or for troubleshooting purposes. + | None | This action does not require any input parameters. | N/A | N/A | N/A + | ### Flow Description - 1. **Configuration Retrieval**: The action extracts the API Key from the integration's - global configuration. + 1. **Configuration Extraction**: Retrieves the API Key from the integration's + shared configuration. - 2. **Manager Initialization**: It initializes the `FlashpointManager` with the - provided API Key. + 2. **Manager Initialization**: Initializes the Flashpoint API manager with the + provided credentials. - 3. **Connectivity Test**: The action invokes the `test_connectivity` method, which - performs a sample GET request to the Flashpoint `/all/search` endpoint using a - hardcoded query. + 3. **Connectivity Test**: Executes a GET request to the Flashpoint search endpoint + using a predefined query. - 4. **Validation**: The logic checks if the API returns a successful response and - valid JSON data. + 4. **Response Validation**: Checks if the API returns a valid JSON response. - 5. **Final Status**: If the request succeeds, the action ends with a success message; - if the request fails or returns an error, it reports a connection failure. + 5. **Finalization**: Reports a successful connection or failure based on the API + response. capabilities: can_create_case_comments: false can_create_insight: false @@ -350,15 +393,41 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Run Query: ai_description: >- ### General Description - Executes a custom search query against the Flashpoint platform to retrieve threat - intelligence data. This action allows users to perform complex searches using - Flashpoint's query syntax, filtering by tags, date ranges, and sorting preferences. - It is designed as a standalone search utility rather than an entity-specific enrichment - tool. + The **Run Query** action executes custom search queries against the Flashpoint + platform to retrieve threat intelligence, forum posts, or indicators. It allows + analysts to perform broad searches across Flashpoint's datasets using specific + query syntax, filtering by tags, date ranges, and sorting preferences. The results + are returned as a raw JSON object, providing flexible data retrieval for complex + investigations. ### Parameters Description @@ -367,41 +436,44 @@ Run Query: | :--- | :--- | :--- | :--- | - | Query | String | Yes | The search query content using Flashpoint syntax (e.g., - `+basetypes:+indicator`). | + | **Query** | String | Yes | The search query content using Flashpoint syntax + (e.g., `+basetypes:+indicator`). | - | Results count limit | String | No | The maximum number of results to return - (default is 100). | + | **Results count limit** | String | No | The maximum number of results to return. + Defaults to 100. | - | Sort By | String | No | Specifies the fields and order for sorting results (e.g., - `posted_at:desc,title:asc`). | + | **Sort By** | String | No | Specifies the fields and order for sorting results + (e.g., `posted_at:desc,title:asc`). | - | Tags | String | No | A comma-separated list of tags to filter the search results. - | + | **Tags** | String | No | A comma-separated list of tags to filter the search + results (e.g., `+tag_1, +tag_2`). | - | Date Range | String | No | The time range for the search (e.g., `[now-1y TO - now]`). | + | **Date Range** | String | No | The timeframe for the search (e.g., `[now-1y + TO now]`). | - ### Flow Description + ### Additional Notes - 1. **Parameter Extraction**: The action retrieves the query string, result limit, - date range, sorting criteria, and tags from the action parameters. + This action does not process specific entities from the Google SecOps case; it + is a standalone search utility. The output is provided as a JSON result for use + in subsequent playbook steps. - 2. **Manager Initialization**: Initializes the `FlashpointManager` using the API - Key provided in the integration configuration. - 3. **Query Execution**: Executes the custom query against the Flashpoint API using - the provided parameters. + ### Flow Description - 4. **Result Processing**: Receives the query response and attaches the raw JSON - data to the action's results in Google SecOps for use in downstream playbook steps. + 1. **Initialization:** The action initializes the Flashpoint manager using the + provided API Key from the integration configuration. + 2. **Parameter Extraction:** It retrieves the query string, result limit, date + range, sorting criteria, and tags from the action parameters. - ### Additional Notes + 3. **API Execution:** The action calls the Flashpoint API to execute the custom + query with the specified filters. + + 4. **Data Capture:** The raw JSON response from Flashpoint is captured. - This action does not iterate over or modify entities within a case. It returns - a broad set of data based on the query provided. + 5. **Completion:** The action attaches the JSON results to the execution context + and finishes with a success message. capabilities: can_create_case_comments: false can_create_insight: false @@ -429,3 +501,28 @@ Run Query: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/community/flashpoint/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/flashpoint/resources/ai/connectors_ai_description.yaml new file mode 100644 index 000000000..4e51bfadd --- /dev/null +++ b/content/response_integrations/third_party/community/flashpoint/resources/ai/connectors_ai_description.yaml @@ -0,0 +1,70 @@ +"Flashpoint - Compromised Credential Connector": + ai_description: >- + ### General Description + + The Flashpoint Compromised Credential Connector integrates with the Flashpoint + platform to monitor and ingest alerts related to compromised credentials. It specifically + targets 'credential-sighting' events, which occur when employee credentials are + detected as being used or exposed on the web. This connector allows security teams + to proactively respond to potential account takeovers by automatically creating + cases in Google SecOps for every detected sighting. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | API Key | Password | Yes | The API key used to authenticate with the Flashpoint + API. | + + | DeviceProductField | String | Yes | The field name in the source data used to + determine the device product (defaults to 'Flashpoint'). | + + | EventClassId | String | No | The field name used to determine the event name + or sub-type. | + + | Limit | Integer | Yes | The maximum number of events to retrieve in a single + execution cycle. | + + | Max Days Back | Integer | No | The maximum number of days to look back for data + during the first run or if the saved timestamp is invalid. | + + | Proxy Server Address | String | No | The address of the proxy server to use + for outgoing requests. | + + | Proxy Username | String | No | The username for proxy authentication. | + + | Proxy Password | Password | No | The password for proxy authentication. | + + | PythonProcessTimeout | String | Yes | The timeout limit in seconds for the connector's + execution. | + + + ### Flow Description + + 1. **Authentication**: The connector establishes a session with the Flashpoint + API using the provided API Key. + + 2. **Timestamp Retrieval**: It fetches the last saved timestamp to determine the + starting point for the search. If no timestamp is found, it calculates a starting + point based on the 'Max Days Back' parameter. + + 3. **Search Query**: The connector executes a search against the Flashpoint `/all/search` + endpoint, filtering for `basetypes:(credential-sighting)` within the calculated + time range. + + 4. **Data Flattening**: Each result (hit) from the API is processed and flattened + into a single-level dictionary to ensure all metadata is captured within the event. + + 5. **Case Mapping**: The connector maps the Flashpoint data to the Google SecOps + CaseInfo model, assigning a default priority of 60 and using the sighting's indexed + time as the event time. + + 6. **Overflow Validation**: It checks each alert against the system's overflow + rules to prevent duplicate or excessive ingestion. + + 7. **Ingestion and Checkpointing**: Valid cases are ingested into Google SecOps, + and the timestamp of the most recent sighting is saved to ensure the next iteration + picks up where the last one finished. diff --git a/content/response_integrations/third_party/community/flashpoint/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/flashpoint/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..2e831240c --- /dev/null +++ b/content/response_integrations/third_party/community/flashpoint/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + siem: false + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/full_contact/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/full_contact/resources/ai/actions_ai_description.yaml index 155cdd194..824ebdeaf 100644 --- a/content/response_integrations/third_party/community/full_contact/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/full_contact/resources/ai/actions_ai_description.yaml @@ -2,56 +2,57 @@ Enrich Entities: ai_description: >- ### General Description - Enriches **USER** entities (email addresses) using the Full Contact API. This - action retrieves comprehensive data about both the individual (e.g., job title, - gender, LinkedIn profile) and the organization associated with their email domain - (e.g., company name, industry, employee count, location). It enhances the context - of a case by populating entity properties with external identity and firmographic - intelligence. + Enriches User entities with detailed person and company information using the + Full Contact API. This action takes the email address from a User entity, extracts + the domain, and queries Full Contact to retrieve professional and organizational + metadata. The retrieved data is then mapped to the entity's additional properties + within Google SecOps, providing analysts with deeper context about the individuals + and organizations involved in an alert. ### Parameters Description - There are no parameters for this action. + There are no action-specific parameters for this action. It relies on the 'API + Key' configured in the integration settings. ### Additional Notes - * The action requires a valid Full Contact API Key to be configured in the integration - settings. + * This action specifically targets entities of type **USER**. - * It specifically targets entities of type **USER** (interpreted as email addresses). + * It performs two types of enrichment: Person enrichment (using the full email) + and Company enrichment (using the email domain). - * It handles the asynchronous nature of the Full Contact API by polling when a - `202 Accepted` status is received during domain enrichment. + * The action handles HTTP 202 (Accepted) responses from Full Contact by polling + until the data is ready. ### Flow Description - 1. **Configuration Retrieval**: Fetches the API Key from the 'Full Contact' integration + 1. **Configuration Retrieval:** Fetches the Full Contact API Key from the integration configuration. - 2. **Entity Filtering**: Iterates through the target entities and selects those - identified as `USER` types. + 2. **Entity Filtering:** Iterates through the target entities and identifies those + of type `USER`. - 3. **Domain Extraction**: Parses the email address of the user entity to extract - the domain name. + 3. **Data Extraction:** For each User entity, extracts the full email address + and the domain part of the email. - 4. **Company Enrichment**: Queries the Full Contact `company.enrich` endpoint - using the extracted domain. It includes logic to retry if the API returns a 202 - status. + 4. **Company Enrichment:** Queries the Full Contact `company.enrich` endpoint + using the extracted domain to get details like company name, size, industry, and + location. - 5. **Person Enrichment**: Queries the Full Contact `person.enrich` endpoint using - the user's email address. + 5. **Person Enrichment:** Queries the Full Contact `person.enrich` endpoint using + the email address to get details like gender, job title, and LinkedIn profile. - 6. **Data Mapping**: Maps the retrieved JSON data (Company Name, Industry, Founded - Year, Employees, Website, Location, Gender, Title, LinkedIn) to a local dictionary. + 6. **Internal Mutation:** Maps the retrieved data points to the entity's `additional_properties` + (e.g., `FullContact_CompanyName`, `FullContact_Person_Linkedin`). - 7. **Internal Update**: Updates the `additional_properties` of the entity within - Google SecOps with the enriched data. + 7. **Entity Update:** Updates the entities in Google SecOps with the new enriched + attributes. - 8. **Finalization**: Updates the entities in the case and returns a JSON result - containing the enrichment details for all processed entities. + 8. **Result Reporting:** Returns a JSON result containing the raw enrichment data + for each successfully enriched entity. capabilities: can_create_case_comments: false can_create_insight: false @@ -62,8 +63,8 @@ Enrich Entities: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates the 'additional_properties' field of USER entities with data retrieved - from Full Contact. + Updates the 'additional_properties' attribute of User entities with enriched + data retrieved from Full Contact. categories: enrichment: true entity_usage: @@ -82,42 +83,69 @@ Enrich Entities: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: ai_description: >- ### General Description The **Ping** action is designed to verify the connectivity between Google SecOps - and the Full Contact service. Its primary purpose is to ensure that the integration's - API Key is correctly configured and that the environment can successfully communicate - with the Full Contact API endpoints. + and the Full Contact API. Its primary purpose is to ensure that the integration's + configuration, specifically the API Key, is correct and that the service is reachable. ### Parameters Description - There are no user-facing parameters for this action. It relies entirely on the - 'API Key' provided in the integration's configuration settings. + There are no parameters for this action. - ### Flow Description + ### Additional Notes - 1. **Configuration Retrieval**: The action fetches the 'API Key' from the Full - Contact integration configuration. + This action performs a test enrichment request using a hardcoded domain ('google.com') + against the Full Contact Company Enrichment API. It is used as a diagnostic tool + rather than a functional enrichment step for case entities. - 2. **API Connection Attempt**: It initializes a connection to the Full Contact - API and performs a test request to the company enrichment endpoint (`https://api.fullcontact.com/v3/company.enrich`) - using the hardcoded domain 'google.com'. - 3. **Validation**: The action checks the response from the API. If a 401 Unauthorized - status is returned, it raises an exception to notify the user of invalid credentials. + ### Flow Description - 4. **Result Reporting**: If the request is successful, the action returns a success - message and a boolean result of `True`. + 1. **Retrieve Configuration:** The action fetches the 'API Key' from the Full + Contact integration settings. + 2. **Initialize Manager:** It sets up the `FullContactManager` with the provided + credentials. - ### Additional Notes + 3. **Execute Test Request:** The action sends a POST request to the `https://api.fullcontact.com/v3/company.enrich` + endpoint for the domain 'google.com'. + + 4. **Error Handling:** It specifically monitors for a 401 Unauthorized status + code. If detected, it raises an exception to notify the user of an authentication + failure. - This action does not interact with or process any entities within a case. It is - a diagnostic tool used for integration setup and troubleshooting. + 5. **Finalize:** If the request completes without authentication errors, the action + returns a success status. capabilities: can_create_case_comments: false can_create_insight: false @@ -145,3 +173,28 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/community/full_contact/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/full_contact/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..b88dc4ab4 --- /dev/null +++ b/content/response_integrations/third_party/community/full_contact/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: true + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/google_docs/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/google_docs/resources/ai/actions_ai_description.yaml index 271666f70..cbb0b92cc 100644 --- a/content/response_integrations/third_party/community/google_docs/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/google_docs/resources/ai/actions_ai_description.yaml @@ -3,54 +3,53 @@ Create Content: ### General Description The **Create Content** action allows users to programmatically insert text into - a specific Google Document. It is designed to automate document updates by taking - a structured JSON input that defines the text to be added and the specific character - offsets (indices) where the text should be placed. + an existing Google Document. It is designed to automate the documentation process + by placing specific strings of text at designated character offsets (indices) + within the document body. This is particularly useful for appending automated + report summaries, logs, or status updates to a centralized document. ### Parameters Description - | Parameter | Description | Type | Mandatory | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Document Id | The unique identifier of the Google Document. This can be extracted - from the document's URL (e.g., https://docs.google.com/document/d/**{DocumentId}**/). - | String | Yes | + | **Document Id** | String | True | The unique identifier of the Google Document, + found in the URL (e.g., `https://docs.google.com/document/d/{DocumentId}/`). | - | Json | A JSON-formatted string containing an array of items to insert. Each - item must include an `index` (the character position) and `text` (the content - to insert). | Code/String | Yes | + | **Json** | Code | True | A JSON-formatted string containing an array of items. + Each item must include an `index` (integer) representing the character position + and `text` (string) representing the content to insert. | ### Flow Description - 1. **Parameter Extraction:** The action retrieves the Google service account credentials - from the integration configuration and the `Document Id` and `Json` payload from - the action parameters. + 1. **Configuration Extraction:** The action retrieves the service account credentials + from the integration settings. - 2. **JSON Parsing:** The provided JSON string is parsed to extract the list of - insertion items. + 2. **Parameter Parsing:** It extracts the target `Document Id` and the `Json` + payload containing the content updates. - 3. **Request Construction:** For each item in the input, the action constructs - a Google Docs `insertText` request object, mapping the text to the specified location - index. + 3. **Request Construction:** The action parses the input JSON and iterates through + the items to build a list of `insertText` requests compatible with the Google + Docs API. - 4. **API Execution:** The action initializes the `GoogleDocsManager` and sends - a `batchUpdate` request to the Google Docs API for the specified document. + 4. **API Execution:** It utilizes the `GoogleDocsManager` to send a `batchUpdate` + request to the Google Docs service. - 5. **Result Handling:** The response from the Google Docs API is attached as a - JSON result, and the action completes with a success message. + 5. **Result Handling:** The response from the Google Docs API (confirming the + updates) is attached as a JSON result in the SOAR platform, and the action completes + with a success message. ### Additional Notes - - The `index` values in the JSON input are zero-based character offsets. Providing - an index that exceeds the document's current length or falls within certain protected - structures may cause the API to return an error. + - The `index` parameter in the JSON input is zero-based. Ensure the index exists + within the document's current character range to avoid API errors. - - This action requires a service account with appropriate permissions (Drive/Docs - scopes) to modify the target document. + - This action requires the `https://www.googleapis.com/auth/drive.file` scope + to be authorized for the service account. capabilities: can_create_case_comments: false can_create_insight: false @@ -61,7 +60,7 @@ Create Content: external_data_mutation_explanation: >- This action modifies the content of an existing Google Document by inserting text at specified indices using the Google Docs API batchUpdate method. - fetches_data: false + fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false @@ -80,54 +79,81 @@ Create Content: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Create Document: ai_description: >- - Creates a new Google Document and configures sharing permissions for specified - users. This action automates the document creation process within Google Workspace, - allowing for immediate collaboration by assigning roles such as Owner, Writer, - or Reader to a list of email addresses. + ### General Description + Creates a new Google Document and manages its initial sharing permissions. This + action is useful for automated reporting, incident documentation, or collaborative + evidence gathering during an investigation. - ### Flow Description: - 1. **Authentication**: Initializes the Google Docs and Drive API clients using - the provided service account credentials. + ### Parameters Description - 2. **Document Creation**: Sends a request to the Google Docs API to create a blank - document with the user-defined title. + | Parameter | Type | Mandatory | Description | - 3. **Permission Assignment**: Parses the semicolon-separated list of email addresses - and, for each email, calls the Google Drive API to grant the specified access - role (Owner, Writer, or Reader). + | :--- | :--- | :--- | :--- | - 4. **Metadata Retrieval**: Fetches the full metadata of the created file from - Google Drive to confirm successful creation and configuration. + | Title | string | Yes | The document title of the document you would like to + create. Default is 'New Document'. | - 5. **Output**: Returns the document metadata as a JSON result and provides the - Document ID as the action's output value. + | Role | ddl | Yes | The permission level to grant to the specified emails. Options: + 'owner' (full control), 'writer' (can comment/edit), 'reader' (view only). | + | Emails | string | Yes | Semicolon-separated list of email addresses (e.g., 'user1@company.com;user2@company.com') + to grant access to the document. | - ### Parameters Description: - | Parameter | Type | Mandatory | Description | + ### Additional Notes - | :--- | :--- | :--- | :--- | + - The action requires a valid Service Account JSON with 'https://www.googleapis.com/auth/drive.file' + scope configured in the integration settings. - | Title | String | Yes | The title of the document to be created. Default is 'New - Document'. | + - Notifications are not sent to the users when permissions are added. - | Role | DDL | Yes | The access level granted to the specified emails. Options: - 'owner' (full control), 'writer' (can edit/comment), 'reader' (view only). | - | Emails | String | Yes | A semicolon-separated list of email addresses (e.g., - 'user1@example.com;user2@example.com') that will receive the specified permissions. - | + ### Flow Description + + 1. **Parameter Extraction**: Retrieves the document title, the desired access + role, and the list of email addresses from the action input. + + 2. **Document Creation**: Uses the Google Docs API to create a new, empty document + with the specified title. + 3. **Permission Assignment**: Parses the semicolon-separated email list and iterates + through each email, using the Google Drive API to create user-specific permissions + based on the selected role. - ### Additional Notes: + 4. **Metadata Retrieval**: Fetches the complete metadata of the newly created + file from Google Drive. - * This action requires a service account with the 'https://www.googleapis.com/auth/drive.file' - scope enabled. + 5. **Result Reporting**: Returns the document metadata (including the Document + ID) to the SOAR platform and sets the Document ID as the action's result value. capabilities: can_create_case_comments: false can_create_insight: false @@ -137,7 +163,7 @@ Create Document: can_update_entities: false external_data_mutation_explanation: >- Creates a new document in Google Docs and modifies file permissions in Google - Drive to share the document with specified email addresses. + Drive for the specified email addresses. fetches_data: true internal_data_mutation_explanation: null categories: @@ -157,50 +183,75 @@ Create Document: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: ai_description: >- ### General Description - The **Ping** action is a diagnostic tool used to verify the connectivity between - Google SecOps and the Google Docs/Drive API. Its primary purpose is to validate - that the provided service account credentials are correct and that the integration - can successfully communicate with Google's services. + + The **Ping** action is designed to verify the connectivity between Google SecOps + and the Google Docs and Google Drive APIs. It ensures that the provided service + account credentials are valid and that the integration has the necessary permissions + to communicate with the Google Cloud environment. ### Parameters Description - | Parameter Name | Type | Mandatory | Description | + + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Credentials Json | String | Yes | This is an integration-level configuration - parameter. It requires the full JSON content of a Google Service Account key to - authenticate requests. | + | None | N/A | N/A | This action does not have any input parameters. It relies + on the 'Credentials Json' provided in the integration configuration. | - ### Additional Notes + ### Flow Description - - This action does not require or process any entities from the Google SecOps - environment. - - It is a read-only operation used strictly for testing the API handshake. + 1. **Credential Extraction**: The action retrieves the service account JSON from + the integration's global configuration. + 2. **Service Initialization**: It initializes the Google Docs and Google Drive + API clients using the provided credentials and the required scopes. - ### Flow Description + 3. **Connectivity Test**: It executes a lightweight 'list' request to the Google + Drive API to verify that the connection is active and authorized. + + 4. **Result Reporting**: If the API call is successful, the action concludes with + a success message. If any step fails (e.g., invalid JSON or authentication error), + an exception is raised. - 1. **Credential Retrieval**: The action extracts the `Credentials Json` from the - integration's global configuration. - 2. **Service Initialization**: It initializes the `GoogleDocsManager`, which parses - the JSON credentials and builds the authorized Google Drive and Google Docs service - clients. + ### Additional Notes - 3. **API Verification**: The action executes a `test_connectivity` call, which - performs a `list` operation on the Google Drive API to verify that the service - account has active access. - 4. **Status Reporting**: If the API call succeeds, the action returns a success - message indicating a functional connection. + This action is strictly for diagnostic purposes and does not perform any data + enrichment or modification in either Google SecOps or the Google Docs environment. capabilities: can_create_case_comments: false can_create_insight: false @@ -209,7 +260,7 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: false + fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false @@ -228,13 +279,41 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Remove Content: ai_description: >- ### General Description - Removes specific content from a Google Document using its unique ID and a JSON-formatted - list of index ranges. This action is primarily used for automated document editing, - such as removing sensitive information or cleaning up generated reports. + The **Remove Content** action allows users to programmatically delete specific + sections of text or elements within a Google Document. By providing the document's + unique ID and a JSON-formatted list of character offsets (start and end indices), + the action executes a batch update to modify the document's body. This is particularly + useful for automated redaction, cleaning up template placeholders, or removing + sensitive information from shared documents. ### Parameters Description @@ -243,30 +322,41 @@ Remove Content: | :--- | :--- | :--- | :--- | - | **Document Id** | String | Yes | The unique identifier of the Google Document. - This can be found in the document's URL (e.g., `https://docs.google.com/document/d/{DocumentId}/`). - | + | **Document Id** | String | Yes | The unique identifier of the Google Document, + found in the URL (e.g., `https://docs.google.com/document/d/{DocumentId}/`). | - | **Json** | Code (JSON) | Yes | A JSON object containing an array of items. Each - item must include `start_index` and `end_index` to define the range of characters - to be deleted. | + | **Json** | Code | Yes | A JSON object containing an array of items. Each item + must specify a `start_index` and `end_index` representing the character range + to be removed. | ### Flow Description - 1. **Initialization**: Retrieves the Google Docs service credentials from the - integration configuration. + 1. **Configuration Extraction:** The action retrieves the Google service account + credentials from the integration settings. + + 2. **Parameter Parsing:** It extracts the `Document Id` and the `Json` payload + containing the deletion ranges. + + 3. **Request Construction:** The action iterates through the provided JSON items + and builds a list of `deleteContentRange` requests compatible with the Google + Docs API. + + 4. **API Execution:** It initializes the `GoogleDocsManager` and sends a `batchUpdate` + request to the Google Docs service. + + 5. **Result Handling:** The response from the Google API (detailing the update + status) is attached to the action results, and the action completes with a success + message. - 2. **Input Parsing**: Extracts the `Document Id` and the `Json` payload containing - the deletion ranges. - 3. **Request Construction**: Iterates through the provided JSON items to build - a list of `deleteContentRange` requests compatible with the Google Docs API. + ### Additional Notes - 4. **Execution**: Sends a `batchUpdate` request to the Google Docs API for the - specified document. + - The `start_index` and `end_index` are zero-based offsets based on the UTF-16 + code units of the document's body content. - 5. **Completion**: Returns the API response and logs the success of the operation. + - Ensure the service account has sufficient permissions (Editor access) to modify + the target document. capabilities: can_create_case_comments: false can_create_insight: false @@ -275,9 +365,9 @@ Remove Content: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Deletes content ranges within a Google Document via the Google Docs API batchUpdate - method. - fetches_data: false + This action modifies the content of a Google Document by deleting text or elements + within specified character ranges using the Google Docs API batchUpdate method. + fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false @@ -296,14 +386,40 @@ Remove Content: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Replace Content: ai_description: >- ### General Description - Replaces specific text strings within a Google Document using the Google Docs - API. This action allows for bulk find-and-replace operations based on a provided - JSON configuration, making it ideal for automating document updates, template - filling, or report generation. + The **Replace Content** action allows users to programmatically search and replace + text within a specific Google Document. It is designed to handle multiple replacement + pairs in a single execution by processing a JSON-formatted input. This is particularly + useful for automating document templating, updating reports, or sanitizing sensitive + information across Google Docs. ### Parameters Description @@ -312,31 +428,43 @@ Replace Content: | :--- | :--- | :--- | :--- | - | Document Id | string | Yes | The unique identifier of the Google Document. This - can be found in the document's URL (e.g., https://docs.google.com/document/d/**{DocumentId}**/). + | **Document Id** | string | True | The unique identifier of the Google Document. + This can be extracted from the document's URL (e.g., `https://docs.google.com/document/d/{DocumentId}/`). | - | Json | code | Yes | A JSON-formatted string containing the replacement rules. - It must include an `items` array where each object specifies `text_to_search`, - `text_to_replace`, and `match_case` (a string value of "true" or "false"). | + | **Json** | code | True | A JSON object containing an array of replacement items. + Each item must include `text_to_search`, `text_to_replace`, and `match_case` (a + string "true" or "false"). | ### Flow Description - 1. **Initialization**: The action retrieves the Google service account credentials - from the integration configuration and extracts the Document ID and replacement - JSON from the action parameters. + 1. **Parameter Extraction:** The action retrieves the Google Docs credentials + from the integration configuration and the Document ID and JSON payload from the + action parameters. + + 2. **JSON Parsing:** The provided JSON string is parsed to extract the list of + search and replace instructions. + + 3. **Request Construction:** For each item in the input list, the action constructs + a `replaceAllText` request compatible with the Google Docs API, specifying the + search string, the replacement string, and whether to match the case. + + 4. **API Execution:** The action uses the `GoogleDocsManager` to send a `batchUpdate` + request to the Google Docs API for the specified Document ID. + + 5. **Result Handling:** The API response (detailing the results of the batch update) + is attached to the action's JSON results, and the action completes with a success + message. - 2. **Request Preparation**: It parses the input JSON string and iterates through - the items to construct a list of `replaceAllText` requests. Each request defines - the search string, the replacement string, and whether the search should be case-sensitive. - 3. **API Execution**: The action initializes the `GoogleDocsManager` and executes - a `batchUpdate` call to the Google Docs API with the constructed requests for - the specified Document ID. + ### Additional Notes + + - The `Json` parameter must follow a specific schema: `{"items": [{"text_to_search": + "...", "text_to_replace": "...", "match_case": "true/false"}]}`. - 4. **Completion**: The API response is captured and added to the action's JSON - results, and the action concludes with a success message. + - This action requires a service account with appropriate permissions (specifically + `https://www.googleapis.com/auth/drive.file`) to modify the target document. capabilities: can_create_case_comments: false can_create_insight: false @@ -345,8 +473,8 @@ Replace Content: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Modifies the content of a Google Document by performing a batch update to replace - specified text strings. + The action modifies the content of an external Google Document by replacing + text strings using the Google Docs API batchUpdate method. fetches_data: false internal_data_mutation_explanation: null categories: @@ -366,3 +494,28 @@ Replace Content: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/community/google_docs/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/google_docs/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..a4b23e02c --- /dev/null +++ b/content/response_integrations/third_party/community/google_docs/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: true + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/google_drive/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/google_drive/resources/ai/actions_ai_description.yaml index 1d770e3b6..93b7b32b3 100644 --- a/content/response_integrations/third_party/community/google_drive/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/google_drive/resources/ai/actions_ai_description.yaml @@ -3,8 +3,10 @@ Add Permission: ### General Description Adds permissions for a specific file stored in Google Drive to one or more users. - This action allows administrators to programmatically manage access control by - assigning roles such as Owner, Writer, or Reader to specific email addresses. + This action allows administrators or automated workflows to programmatically manage + access control by granting roles such as 'Owner', 'Writer', or 'Reader' to specified + email addresses. It is particularly useful for sharing forensic evidence, reports, + or documentation during an incident response process. ### Parameters Description @@ -13,34 +15,49 @@ Add Permission: | :--- | :--- | :--- | :--- | - | **File Id** | String | Yes | The unique ID of the file in Google Drive. This - can be found in the file's URL. | + | File Id | String | Yes | The unique identifier of the file in Google Drive. + This can be found in the file's URL (e.g., the string after '/file/d/'). | + + | Role | DDL | Yes | The level of access to grant. Options include: **owner** + (full control), **writer** (can edit and comment), and **reader** (view only). + | + + | Emails | String | Yes | A semicolon-separated list of email addresses (e.g., + `user1@company.com;user2@company.com`) to which the permissions will be granted. + | + + | Should send notification | Boolean | No | If set to `true`, Google Drive will + send an automated email notification to the users informing them that access has + been granted. Defaults to `true`. | - | **Role** | DDL | Yes | The level of access to grant. Options include: `owner` - (full control), `writer` (can edit and comment), and `reader` (view only). | - | **Emails** | String | Yes | Semicolon-separated list of email addresses to which - permissions will be granted (e.g., `user1@example.com;user2@example.com`). | + ### Additional Notes + + - This action does not operate on SecOps entities (IPs, Hosts, etc.); it relies + entirely on the provided `File Id` and `Emails` parameters. - | **Should send notification** | Boolean | No | If set to true, Google Drive will - send an email notification to the users about the granted permission. | + - Granting the 'Owner' role may have significant security implications and should + be used cautiously. ### Flow Description - 1. **Initialization**: The action extracts the Google Drive service account credentials - from the integration configuration and the specific file ID, role, and email list - from the action parameters. + 1. **Initialization**: The action extracts the Google Drive credentials from the + integration configuration and the specific file and user details from the action + parameters. + + 2. **Email Parsing**: The provided `Emails` string is split by semicolons into + individual email addresses. - 2. **Parsing**: The semicolon-separated string of email addresses is split into - a list of individual emails. + 3. **Permission Insertion**: For each email address, the action calls the Google + Drive API's `permissions.create` method, applying the selected `Role` and `File + Id`. - 3. **API Interaction**: For each email address in the list, the action calls the - Google Drive API's permissions endpoint to create a new permission entry with - the specified role and notification settings. + 4. **Notification**: If enabled, the Google Drive service dispatches notification + emails to the recipients during the permission creation process. - 4. **Completion**: The action returns a success message confirming that the permissions - were granted for the specified file. + 5. **Completion**: The action concludes by providing a summary message of the + granted permissions and returns the `File Id` as the script result. capabilities: can_create_case_comments: false can_create_insight: false @@ -49,8 +66,8 @@ Add Permission: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Adds new permission entries to Google Drive files, which modifies the access - control list (ACL) of the resource in the external Google Drive system. + Creates new permission records in Google Drive, granting specific users access + to a file. fetches_data: false internal_data_mutation_explanation: null categories: @@ -70,14 +87,39 @@ Add Permission: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Delete File: ai_description: >- ### General Description - The **Delete File** action permanently removes a specific file from Google Drive - using its unique File ID. This action is typically used in response to security - incidents where a malicious or sensitive file needs to be purged from the cloud - environment to prevent further access or distribution. + The **Delete File** action permanently deletes a specific file from Google Drive + using its unique File ID. This action is destructive and bypasses the trash/recycle + bin, making it useful for automated remediation where malicious or sensitive files + must be immediately removed from the environment. ### Parameters Description @@ -87,33 +129,34 @@ Delete File: | :--- | :--- | :--- | :--- | | **File Id** | String | Yes | The unique identifier of the file to be deleted. - This ID is found in the file's URL (e.g., `https://drive.google.com/drive/u/0/folders/{file-id}`). - | + This ID can typically be found in the file's sharing URL (e.g., the string following + `/file/d/` or within the folder URL). | - ### Additional Notes + ### Flow Description - * **Permanent Deletion**: This action performs a permanent deletion, meaning - the file skips the Google Drive trash/bin and cannot be easily recovered. + 1. **Configuration Extraction**: The action retrieves the Google Drive service + account credentials from the integration configuration. - * **No Entity Context**: This action does not automatically process entities - from the alert; it requires the specific File ID to be provided manually or via - a previous playbook step. + 2. **Parameter Retrieval**: The action extracts the `File Id` provided by the + user or playbook. + 3. **Manager Initialization**: A connection to the Google Drive API (v3) is established + using the provided credentials. - ### Flow Description + 4. **Execution**: The action calls the Google Drive API's `delete` method for + the specified `File Id`. + + 5. **Completion**: Upon successful deletion, the action returns a success message + and the deleted File ID as the script result. - 1. **Credential Setup**: The action extracts the service account credentials - from the integration configuration to authenticate with the Google Drive API. - 2. **Input Validation**: It retrieves the mandatory `File Id` parameter provided - in the action configuration. + ### Additional Notes - 3. **API Execution**: The action utilizes the `GoogleDriveManager` to call the - Google Drive API's delete method for the specified file identifier. + * **Warning**: This action performs a permanent deletion. The file will not be + moved to the 'Trash' and cannot be easily recovered through standard user interfaces. - 4. **Finalization**: Upon successful execution, the action returns a confirmation - message stating that the file was successfully deleted. + * This action does not run on entities; it requires a specific File ID as input. capabilities: can_create_case_comments: false can_create_insight: false @@ -122,8 +165,8 @@ Delete File: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Permanently deletes a file from the external Google Drive storage, bypassing - the trash folder. + Permanently deletes a file from the target Google Drive account, bypassing the + trash folder. fetches_data: false internal_data_mutation_explanation: null categories: @@ -143,28 +186,68 @@ Delete File: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Download File To Base64: - ai_description: "### General Description\nThe **Download File To Base64** action\ - \ retrieves a file from Google Drive using its unique File ID and converts the\ - \ file's content into a Base64-encoded string. This is particularly useful for\ - \ automated workflows that need to process file contents (e.g., for malware analysis,\ - \ attachment forwarding, or document parsing) without requiring local file system\ - \ storage. It supports both standard binary files and Google Workspace documents\ - \ (Docs, Sheets, Slides) by automatically converting them to standard formats\ - \ (DOCX, XLSX, PPTX) during the download process.\n\n### Parameters Description\n\ - | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ - | **File Id** | String | Yes | The unique identifier of the file in Google Drive.\ - \ This ID can be found in the file's sharing URL (e.g., `https://drive.google.com/file/d/{file-id}/view`).\ - \ |\n\n### Flow Description\n1. **Initialization**: The action initializes the\ - \ Google Drive manager using the provided service account credentials.\n2. **Metadata\ - \ Retrieval**: It fetches the metadata for the specified `File Id` to determine\ - \ the file name and MIME type.\n3. **Download Logic**: \n * If the file\ - \ is a Google Workspace document (Doc, Sheet, or Slide), the action uses the `export`\ - \ method to convert it into a Microsoft Office format (DOCX, XLSX, or PPTX).\n\ - \ * If the file is a standard binary file, it uses the direct `get_media`\ - \ download method.\n4. **Encoding**: The downloaded binary stream is converted\ - \ into a Base64 string.\n5. **Output**: The action returns a JSON object containing\ - \ the file name, MIME type, size (for binary files), and the Base64-encoded content." + ai_description: >- + ### General Description + + Downloads a file from Google Drive and converts its content into a Base64 string. + This action is designed to retrieve documents, spreadsheets, or binary files using + their unique File ID and provide the content in a format suitable for further + automated processing within the SOAR platform. + + + ### Parameters + + | Parameter | Description | Type | Mandatory | + + | :--- | :--- | :--- | :--- | + + | File Id | The unique identifier of the file in Google Drive, typically found + in the file's URL. | String | Yes | + + + ### Flow Description + + 1. The action initializes the Google Drive manager using provided service account + credentials. + + 2. It retrieves the metadata for the specified File ID to determine the file name + and MIME type. + + 3. If the file is a Google Workspace document (e.g., Doc, Sheet, Slide), it is + exported to a standard Office format (e.g., .docx, .xlsx, .pptx). + + 4. The file content is downloaded as a binary stream from the Google Drive API. + + 5. The binary stream is encoded into a Base64 string. + + 6. The resulting Base64 string and file metadata are returned as a JSON object + for use in subsequent playbook steps. capabilities: can_create_case_comments: false can_create_insight: false @@ -192,59 +275,91 @@ Download File To Base64: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: true + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Download File To Path: ai_description: >- + Downloads a file from Google Drive to a specified local directory on the execution + environment. This action is useful for retrieving evidence or documents for further + processing within a playbook. + + ### General Description - Downloads a file stored in Google Drive to a specific local path on the system - where the action is executed. This action is designed to retrieve files for local - processing, analysis, or storage within a workflow. It supports both standard - binary files and Google Workspace documents (Docs, Sheets, Slides) by automatically - converting them to standard formats (docx, xlsx, pptx) during the download process. + This action interacts with the Google Drive API to retrieve a file's content and + metadata. It supports both standard binary files and Google Workspace documents + (Docs, Sheets, Slides), which are automatically converted to Microsoft Office + formats (docx, xlsx, pptx) during the download process. The file is saved to a + local path on the system running the action. ### Parameters Description - | Parameter | Type | Mandatory | Description | + | Parameter Name | Type | Mandatory | Default Value | Description | - | :--- | :--- | :--- | :--- | + | :--- | :--- | :--- | :--- | :--- | - | File Id | String | Yes | The unique identifier of the file in Google Drive. - This can be extracted from the file's sharing URL. | + | File Id | String | Yes | N/A | The unique identifier of the file in Google Drive. + This can be found in the file's sharing URL. | - | Folder Path | String | Yes | The local directory path on the runner where the - file should be saved. | + | Folder Path | String | No | /temp | The local directory path on the runner where + the file will be saved. | ### Additional Notes - - **Parameter Discrepancy**: While the configuration metadata indicates that 'Folder - Path' is optional with a default value of `/temp`, the Python implementation explicitly - marks it as mandatory during extraction. Users should ensure this value is provided. + - If the file is a Google Doc, it will be exported as a `.docx` file. - - **File Conversion**: Google-native files are exported to OpenXML formats (e.g., - Google Docs to .docx) to ensure they can be opened locally. + - If the file is a Google Sheet, it will be exported as an `.xlsx` file. + + - If the file is a Google Slide, it will be exported as a `.pptx` file. + + - Ensure the execution environment has the necessary write permissions for the + specified `Folder Path`. ### Flow Description - 1. **Initialization**: Authenticates with the Google Drive API using the provided - service account credentials. + 1. **Initialization**: Extracts the Google Drive credentials from the integration + configuration and the `File Id` and `Folder Path` from the action parameters. - 2. **Metadata Fetching**: Retrieves the file's metadata from Google Drive to identify - its name and MIME type. + 2. **Metadata Retrieval**: Connects to Google Drive to fetch the file's metadata, + including its name and MIME type. - 3. **Type Determination**: Checks if the file is a Google Workspace document. - If so, it selects the appropriate export format (docx, pptx, or xlsx). + 3. **Format Handling**: Determines if the file is a native Google Workspace document + and selects the appropriate export format if necessary. - 4. **Data Retrieval**: Downloads the file content. It uses `export_media` for - Google Workspace files and `get_media` for standard binary files. + 4. **Content Download**: Downloads the file content as a binary stream using the + Google Drive API. - 5. **File Writing**: Saves the binary stream to the specified local `Folder Path` - using the original file name (and appropriate extension if converted). + 5. **Local Storage**: Writes the binary stream to the specified local path on + the filesystem. - 6. **Result Reporting**: Returns a JSON object containing the file name, type, - and the final local path where the file was saved. + 6. **Completion**: Returns a JSON result containing the file name, type, and the + final saved path. capabilities: can_create_case_comments: false can_create_insight: false @@ -272,49 +387,67 @@ Download File To Path: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: true + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get File Metadata: ai_description: >- - ### General Description - Retrieves comprehensive metadata for a specific file stored in Google Drive. This - action allows users to fetch detailed information about a file, including its - name, MIME type, size, creation/modification times, and ownership details, using - the unique Google Drive File ID. + action uses the Google Drive API to fetch all available properties of a file, + such as its name, MIME type, size, creation time, and permissions, based on a + provided File ID. ### Parameters - | Parameter | Type | Mandatory | Description | + | Parameter | Description | Type | Mandatory | | :--- | :--- | :--- | :--- | - | File Id | String | Yes | The unique identifier of the file, which can be found - in the file's URL (e.g., `https://drive.google.com/file/d/{file-id}/view`). | - - - ### Additional Notes - - This action does not process or filter Google SecOps entities. It operates strictly - on the provided `File Id` parameter. It is a read-only operation and does not - modify any data in Google Drive. + | File Id | The unique identifier of the file, which can be found in the file's + URL (e.g., https://drive.google.com/drive/u/0/folders/{file-id}). | String | Yes + | ### Flow Description - 1. **Credential Retrieval**: Extracts the Google service account credentials from - the integration configuration. + 1. **Configuration Extraction:** The action retrieves the necessary service account + credentials from the integration configuration. - 2. **Parameter Extraction**: Retrieves the mandatory `File Id` provided by the + 2. **Parameter Retrieval:** The action extracts the `File Id` provided by the user. - 3. **API Connection**: Initializes the Google Drive API client using the provided - credentials. + 3. **API Interaction:** The `GoogleDriveManager` initializes a connection to the + Google Drive API and executes a `get` request for the specified file ID, requesting + all available metadata fields (`fields="*"`). - 4. **Metadata Retrieval**: Executes a GET request to the Google Drive API to fetch - all available metadata fields for the specified file. + 4. **Result Processing:** The retrieved metadata is attached to the action's execution + results as a JSON object. - 5. **Output Generation**: Adds the retrieved metadata to the action's JSON results - and completes the action with a success message. + 5. **Completion:** The action concludes by returning a success message and the + file's ID as the primary output value. capabilities: can_create_case_comments: false can_create_insight: false @@ -326,7 +459,7 @@ Get File Metadata: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: true + enrichment: false entity_usage: entity_types: [] filters_by_additional_properties: false @@ -342,50 +475,80 @@ Get File Metadata: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Permission List: ai_description: >- ### General Description - The **Permission List** action retrieves a comprehensive list of permissions associated - with a specific file stored in Google Drive. This is useful for auditing access, - identifying over-privileged users, or verifying sharing settings during a security - investigation. + Retrieves a comprehensive list of users and their associated permissions for a + specific file stored in Google Drive. This action is useful for auditing access, + identifying over-privileged files, or verifying sharing settings during an investigation. - ### Parameters + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | File Id | String | Yes | The unique identifier of the file. This can be found - in the file's URL (e.g., `https://drive.google.com/file/d/{file-id}/view`). | + | File Id | String | Yes | The unique identifier for the file. This ID can be + found in the file's URL (e.g., in `https://drive.google.com/drive/u/0/folders/{file-id}`). + | - ### Flow Description + ### Additional Notes - 1. **Configuration Extraction**: The action retrieves the service account credentials - from the integration configuration. + - This action requires a valid Service Account JSON with the necessary Google + Drive API scopes (`drive.metadata`, `drive.file`, or `drive`). - 2. **Input Validation**: It extracts the mandatory `File Id` provided by the user - as an action parameter. + - The action returns the raw JSON list of permissions provided by the Google Drive + API, which includes details like the user's email, role (e.g., owner, writer, + reader), and permission ID. - 3. **API Interaction**: The action connects to the Google Drive API using the - `GoogleDriveManager` and calls the permissions list endpoint for the specified - file. - 4. **Data Processing**: It counts the number of permission entries returned by - the API. + ### Flow Description - 5. **Result Delivery**: The full list of permissions is attached as a JSON result - (`JsonResult`), and the action completes with a summary message indicating the - total count of permissions found. + 1. **Configuration Extraction**: Retrieves the Google Drive credentials from the + integration settings. + 2. **Parameter Extraction**: Retrieves the mandatory `File Id` from the action + input. - ### Additional Notes + 3. **Manager Initialization**: Initializes the `GoogleDriveManager` using the + provided credentials. + + 4. **API Interaction**: Calls the Google Drive API's `permissions().list()` method + for the specified `File Id` to fetch all permission entries. - This action does not interact with Google SecOps entities automatically; it requires - the manual input of a File ID. There are no parameters that depend on each other. + 5. **Result Processing**: Counts the number of permissions retrieved and attaches + the full JSON response to the action results. + + 6. **Completion**: Ends the action with a summary message indicating how many + permissions were found. capabilities: can_create_case_comments: false can_create_insight: false @@ -413,36 +576,69 @@ Permission List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: ai_description: >- ### General Description The **Ping** action is a diagnostic utility designed to verify the connectivity between Google SecOps and the Google Drive service. Its primary purpose is to - ensure that the integration's configuration, specifically the service account - credentials, is valid and that the Google Drive API is reachable. + ensure that the integration is correctly configured and that the provided service + account credentials have the necessary permissions to interact with the Google + Drive API. - ### Parameters + ### Parameters Description + + There are no action-specific parameters for this action. It utilizes the **Credentials + Json** provided in the integration's shared configuration settings. + + + ### Additional Notes + + - This action does not process or interact with any entities. - This action does not require any input parameters. It utilizes the **Credentials - Json** provided in the integration's global configuration to authenticate. + - It is typically used during the initial setup of the Google Drive integration + or for troubleshooting connectivity issues. ### Flow Description - 1. **Authentication**: The action extracts the service account credentials from - the integration settings and initializes the Google Drive API client using the - `drive:v3` discovery service. + 1. **Configuration Extraction:** The action retrieves the service account credentials + from the integration's configuration. - 2. **API Verification**: It executes a test call to the Google Drive API by attempting - to list files with the `mimeType='image/jpeg'` filter. This specific call is used - as a lightweight check to confirm read permissions and network connectivity. + 2. **Manager Initialization:** It initializes the Google Drive API client using + the provided credentials and required scopes. - 3. **Execution Completion**: If the API call succeeds, the action returns a success - message ('Connected successfully') and sets the execution state to completed. - If the credentials are invalid or the service is unreachable, the action will - fail with an error. + 3. **Connectivity Test:** The action executes a `list` request on the files resource + to confirm the API is reachable and the credentials are valid. + + 4. **Result Reporting:** If the request completes successfully, the action ends + with a success message. capabilities: can_create_case_comments: false can_create_insight: false @@ -470,38 +666,63 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Remove Permission: ai_description: >- ### General Description The **Remove Permission** action is designed to revoke a specific user or group's - access to a file stored in Google Drive. By providing the unique identifiers for - both the file and the permission, security teams can programmatically restrict - access as part of an incident response or data loss prevention (DLP) workflow. + access to a file stored in Google Drive. By providing the unique File ID and the + specific Permission ID, security analysts can programmatically restrict access + to sensitive documents during an incident response or audit process. ### Parameters Description - | Parameter Name | Type | Mandatory | Description | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **File Id** | String | Yes | The unique identifier of the Google Drive file. + | **File Id** | string | Yes | The unique identifier of the Google Drive file. This can be found in the file's URL (e.g., `https://drive.google.com/drive/u/0/folders/{file-id}`). | - | **Permission Id** | String | Yes | The unique identifier for the specific permission - to be removed. This ID is typically retrieved using a 'List Permissions' action. + | **Permission Id** | string | Yes | The unique identifier for the specific permission + entry to be removed. This ID can be retrieved using the 'List Permissions' action. | ### Additional Notes - - This action requires valid Google Drive API credentials with sufficient scopes - (`drive` or `drive.file`) to modify permissions. + - This action performs a permanent deletion of the permission entry from the file's + Access Control List (ACL). - - Removing a permission is a permanent action on the external system and cannot - be undone through this specific action (a new permission would need to be created). + - To identify which `Permission Id` corresponds to which user, it is recommended + to run the **List Permissions** action first. ### Flow Description @@ -510,17 +731,16 @@ Remove Permission: account credentials from the integration settings. 2. **Parameter Retrieval:** It extracts the `File Id` and `Permission Id` provided - by the user or playbook. + by the user. 3. **Manager Initialization:** The `GoogleDriveManager` is initialized using the - credentials to establish a connection with the Google Drive API. + provided credentials to establish a connection with the Google Drive API (v3). - 4. **Execution:** The action calls the `remove_permission` method, which sends - a DELETE request to the Google Drive permissions endpoint for the specified file - and permission ID. + 4. **Permission Deletion:** The action calls the Google Drive API's `permissions().delete` + method to remove the specified permission from the target file. - 5. **Finalization:** Upon successful deletion, the action returns a success message - and terminates. + 5. **Execution Completion:** Upon success, the action returns a confirmation message + to the Google SecOps workbench. capabilities: can_create_case_comments: false can_create_insight: false @@ -529,8 +749,8 @@ Remove Permission: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - This action deletes a permission record associated with a file in Google Drive, - effectively changing the access control list (ACL) of the external resource. + This action deletes a permission entry from a file's Access Control List (ACL) + in Google Drive, effectively changing who can access the resource. fetches_data: false internal_data_mutation_explanation: null categories: @@ -550,12 +770,37 @@ Remove Permission: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Upload File From Base64: ai_description: >- ### General Description - This action uploads a file to Google Drive using a Base64 encoded string. It allows - users to specify a file name, provide the file content in Base64 format, and optionally + Uploads a file to Google Drive using a Base64 encoded string. This action allows + users to programmatically save file content to a Google Drive account and optionally share the uploaded file with specific email addresses by granting them 'writer' permissions. @@ -567,45 +812,40 @@ Upload File From Base64: | :--- | :--- | :--- | :--- | | File Name | String | Yes | The name of the file to be created in Google Drive - (e.g., 'report.pdf'). | + (e.g., 'report.txt'). | - | Share with emails | String | Yes | A semicolon-separated list of email addresses - (e.g., 'user1@example.com;user2@example.com') to grant 'writer' access to the - file. | + | Base64 String | String | Yes | The Base64 encoded content of the file to be + uploaded. | - | Base64 String | String | Yes | The content of the file encoded as a Base64 string. + | Share with emails | String | Yes | A semicolon-separated list of email addresses + (e.g., 'user1@gmail.com;user2@gmail.com') to grant 'writer' access to the file. | - ### Flow Description - - 1. **Configuration Extraction**: The action retrieves the Google Drive service - account credentials from the integration settings. - - 2. **Parameter Retrieval**: It extracts the file name, Base64 content, and the - list of emails to share with from the action inputs. + ### Additional Notes - 3. **Data Decoding**: The Base64 string is decoded into a binary stream for processing. + The action uses the Google Drive API v3. The MIME type of the file is automatically + determined based on the file extension provided in the 'File Name' parameter. + If no extension is provided, it defaults to 'application/octet-stream'. - 4. **File Upload**: The action interacts with the Google Drive API to create a - new file with the provided name and content. The MIME type is automatically determined - based on the file extension. - 5. **Permission Management**: If email addresses are provided, the action iterates - through each email and grants 'writer' permissions to the newly created file ID. + ### Flow Description - 6. **Result Reporting**: The action returns the metadata of the created file (including - the unique Google Drive File ID) and completes the execution. + 1. **Configuration Retrieval**: The action retrieves the Google Drive service + account credentials from the integration configuration. + 2. **Parameter Extraction**: It extracts the file name, Base64 content, and the + list of emails to share with from the action parameters. - ### Additional Notes + 3. **File Upload**: The Base64 string is decoded into a binary stream and uploaded + to Google Drive using the `files.create` method. - - The action uses the 'writer' role when sharing files, allowing recipients to - edit the document. + 4. **Permission Assignment**: If email addresses are provided, the action iterates + through the list and grants 'writer' permissions to each email for the newly created + file using the `permissions.create` method. - - If the 'Share with emails' parameter is empty or contains invalid emails, the - file upload will still proceed, but the sharing step may be skipped or fail for - specific entries. + 5. **Result Reporting**: The action returns the metadata of the created file, + including its unique Google Drive ID, and marks the execution as completed. capabilities: can_create_case_comments: false can_create_insight: false @@ -614,8 +854,8 @@ Upload File From Base64: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - This action creates a new file in the user's Google Drive and modifies file - permissions to grant access to specified email addresses. + Creates a new file in Google Drive and assigns 'writer' permissions to specified + email addresses. fetches_data: false internal_data_mutation_explanation: null categories: @@ -635,15 +875,37 @@ Upload File From Base64: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Upload File From Path: ai_description: >- - ### General Description - - The **Upload File From Path** action enables the automated uploading of files - from a local system path to a Google Drive account. This action is particularly - useful for archiving reports, logs, or evidence collected during an investigation. - Beyond simple uploading, it allows for immediate collaboration by sharing the - uploaded file with specified email addresses. + Uploads a file from a specified local path to Google Drive. This action is designed + to move files, such as forensic artifacts or reports, from the local SOAR environment + to cloud storage. It also supports automated sharing by granting 'writer' permissions + to a list of specified email addresses. ### Parameters @@ -652,37 +914,26 @@ Upload File From Path: | :--- | :--- | :--- | :--- | - | **File Path** | String | Yes | The absolute local path of the file to be uploaded - (e.g., `/tmp/evidence.zip`). | - - | **Share with emails** | String | Yes | A semicolon-separated list of email addresses - to grant 'writer' permissions to the uploaded file (e.g., `analyst@company.com;manager@company.com`). - | - + | File Path | String | Yes | The local path of the file to be uploaded to Google + Drive (e.g., `/tmp/report.pdf`). | - ### Additional Notes - - - The action requires a valid Google Service Account JSON configuration to interact - with the Google Drive API. - - - Although the parameter 'Share with emails' is marked as mandatory in the configuration, - the script logic handles the sharing process iteratively for each email provided. + | Share with emails | String | Yes | A semicolon-separated list of email addresses + to grant 'writer' access to the uploaded file. | - ### Flow Description + ### Flow - 1. **Initialization**: The action extracts the Google Drive credentials and the - user-provided file path and email list. + 1. **Setup**: Initializes the Google Drive manager using the provided service + account credentials. - 2. **File Upload**: The `GoogleDriveManager` reads the file from the local path - and performs a multipart upload to Google Drive using the file's original name. + 2. **Upload**: Reads the file from the local `File Path` and uploads it to Google + Drive using the file's original name. - 3. **Permission Assignment**: If email addresses are provided, the action iterates - through the list and calls the Google Drive Permissions API to grant 'writer' - access to each recipient. + 3. **Permissions**: Parses the `Share with emails` string and, for each email + address, creates a 'writer' permission for the uploaded file. - 4. **Result Reporting**: The action returns the Google Drive File ID and the complete - JSON metadata of the created file object. + 4. **Output**: Returns the full metadata of the created file, including the unique + File ID, and sets the File ID as the action's result value. capabilities: can_create_case_comments: false can_create_insight: false @@ -691,8 +942,8 @@ Upload File From Path: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - This action creates a new file resource in Google Drive and modifies the file's - permissions by adding new 'writer' roles for the specified email addresses. + Creates a new file object in the target Google Drive account and modifies the + file's Access Control List (ACL) by adding new permissions for specified users. fetches_data: false internal_data_mutation_explanation: null categories: @@ -712,3 +963,28 @@ Upload File From Path: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/community/google_drive/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/google_drive/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..9e2bf295d --- /dev/null +++ b/content/response_integrations/third_party/community/google_drive/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: true + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/google_safe_browsing/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/google_safe_browsing/resources/ai/actions_ai_description.yaml index c6f8d8d62..8b6a42bf6 100644 --- a/content/response_integrations/third_party/community/google_safe_browsing/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/google_safe_browsing/resources/ai/actions_ai_description.yaml @@ -2,10 +2,10 @@ Lookup: ai_description: >- ### General Description - The **Lookup** action checks a specific URL against the Google Safe Browsing database - to determine if it is safe for browsing or potentially malicious (e.g., hosting - malware or phishing). It provides a direct way to verify the reputation of a URL - without necessarily linking it to a specific entity in the current case. + The **Lookup** action allows users to check a specific URL against the Google + Safe Browsing database to determine if it is considered safe or malicious. This + is a utility action that performs a real-time reputation check based on a provided + input parameter. ### Parameters Description @@ -14,32 +14,34 @@ Lookup: | :--- | :--- | :--- | :--- | - | **Url** | String | Yes | The specific URL to be checked in Google Safe Browsing. - Defaults to a Google malware testing URL if not provided. | + | Url | String | Yes | The specific URL to be checked in Google Safe Browsing. + Defaults to a malware testing URL if not provided. | ### Flow Description - 1. **Configuration Retrieval**: The action retrieves the API Key from the integration - configuration and the target URL from the action parameters. + 1. **Configuration Retrieval**: The action retrieves the API Key from the integration's + configuration settings. - 2. **API Interaction**: It initializes the SafeBrowsing manager and performs a - lookup for the provided URL. + 2. **Parameter Extraction**: The action extracts the target URL from the action + parameters. - 3. **Data Processing**: The raw JSON response from the API is added to the action - results for downstream use. + 3. **API Interaction**: It initializes the `SafeBrowsing` manager and performs + a lookup for the specified URL. - 4. **Status Evaluation**: The action parses the response to determine if the URL - is flagged as malicious. + 4. **Result Processing**: The raw API response is captured and added to the action's + JSON results. - 5. **Completion**: The action ends with a status message and a boolean result - indicating the maliciousness of the URL. + 5. **Completion**: The action evaluates the 'malicious' flag in the response and + terminates with a message indicating whether the URL was found to be malicious + or safe. ### Additional Notes - This action does not automatically process entities from the case; it relies strictly - on the URL provided in the input parameter. + This action does not iterate over entities within a Google SecOps case. It operates + strictly on the URL provided in the 'Url' parameter. If you wish to check entities, + you must map the entity identifier to this parameter in a playbook. capabilities: can_create_case_comments: false can_create_insight: false @@ -67,40 +69,67 @@ Lookup: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: ai_description: >- ### General Description - Tests the connectivity between Google SecOps and the Google Safe Browsing service. - This action is primarily used to verify that the provided API Key is valid and - that the environment can reach the Google Safe Browsing API endpoints. + The **Ping** action is designed to verify the connectivity between Google SecOps + and the Google Safe Browsing API. It serves as a diagnostic tool to ensure that + the integration's API key is valid and that the environment can successfully communicate + with Google's services. ### Parameters Description - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | None | N/A | N/A | This action has no input parameters. | + There are no action-specific parameters for this action. It utilizes the global + integration configuration for authentication. ### Flow Description - 1. **Configuration Extraction**: Retrieves the 'Api Key' from the integration's - global configuration. + 1. **Configuration Retrieval**: The action extracts the 'Api Key' from the integration's + global settings. + + 2. **Service Initialization**: It initializes the Google Safe Browsing client + library with the provided credentials. - 2. **Connectivity Test**: Initializes the Safe Browsing client and performs a - lookup for a hardcoded test URL (`http://malware.testing.google.test/testing/malware/`). + 3. **Connectivity Check**: The action executes a lookup request for a standard + Google test URL (`http://malware.testing.google.test/testing/malware/`) to validate + the API connection. - 3. **Result Reporting**: If the API call is successful, the action concludes with - a success message. + 4. **Result Reporting**: If the API call returns without error, the action reports + a successful connection. ### Additional Notes - This action does not process any entities from the case; it uses a static test - URL to validate the connection. + This action does not process any entities or modify any data; it is strictly for + configuration validation. capabilities: can_create_case_comments: false can_create_insight: false @@ -128,3 +157,28 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/community/google_safe_browsing/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/google_safe_browsing/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..2e831240c --- /dev/null +++ b/content/response_integrations/third_party/community/google_safe_browsing/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + siem: false + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/google_sheets/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/google_sheets/resources/ai/actions_ai_description.yaml index 0d3ab72ae..664309f36 100644 --- a/content/response_integrations/third_party/community/google_sheets/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/google_sheets/resources/ai/actions_ai_description.yaml @@ -2,50 +2,52 @@ Add Permission: ai_description: >- ### General Description - This action adds permissions to a specific Google Sheet for one or more users. - It allows administrators to programmatically manage access levels (Owner, Writer, - Reader) for spreadsheets stored in Google Drive. + The **Add Permission** action allows analysts to programmatically grant access + to a specific Google Spreadsheet. It supports adding multiple users at once and + assigning specific roles such as Owner, Writer, or Reader. This is useful for + sharing reports, logs, or investigation trackers stored in Google Sheets with + relevant stakeholders. ### Parameters Description - | Parameter Name | Type | Mandatory | Description | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Sheet Id | string | Yes | The unique identifier of the spreadsheet, found in - the URL (e.g., `https://docs.google.com/spreadsheets/d/{SheetId}/edit`). | + | **Sheet Id** | String | Yes | The unique identifier of the spreadsheet, found + in the URL (e.g., `https://docs.google.com/spreadsheets/d/{SheetId}/edit`). | - | Role | ddl | Yes | The permission level to grant. Options include: **Owner** - (full control), **Writer** (can edit/comment), and **Reader** (view only). | + | **Role** | DDL | Yes | The access level to grant: `Owner` (full control), `Writer` + (can edit/comment), or `Reader` (view only). | - | Emails | string | Yes | A semicolon-separated list of email addresses (e.g., - `user1@gmail.com;user2@gmail.com`) to which the permissions will be applied. | + | **Emails** | String | Yes | A semicolon-separated list of email addresses (e.g., + `user1@example.com;user2@example.com`) to receive the permissions. | ### Flow Description - 1. **Configuration Extraction**: The action retrieves the Google service account - credentials from the integration configuration. + 1. **Configuration Extraction**: Retrieves the service account credentials from + the integration settings. - 2. **Parameter Parsing**: It extracts the target Sheet ID, the desired role, and + 2. **Parameter Parsing**: Extracts the target Sheet ID, the desired role, and the list of email addresses from the action input. - 3. **Client Initialization**: A Google Sheets client is initialized using the - provided service account JSON. + 3. **Client Initialization**: Authenticates with Google APIs using the provided + credentials. - 4. **Permission Insertion**: The action iterates through the provided emails and - calls the Google Drive API to insert the specified permission role for each user - on the target spreadsheet. + 4. **Permission Insertion**: Executes the request to add the specified users to + the spreadsheet's access control list with the chosen role. - 5. **Result Reporting**: The action concludes by returning a success message if - the permissions were granted or an error message if the operation failed. + 5. **Completion**: Reports the success or failure of the operation to the SOAR + case. ### Additional Notes - This action does not process entities from the case; it relies entirely on the - manually provided parameters. + - Ensure the service account used in the integration has sufficient permissions + to manage the target spreadsheet (e.g., it should be an Owner or have Editor access + if adding others). capabilities: can_create_case_comments: false can_create_insight: false @@ -75,18 +77,44 @@ Add Permission: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Add Row: ai_description: >- ### General Description - Adds a new row of data to a specified Google Sheets spreadsheet. This action is - useful for logging information, exporting alert data, or maintaining external - tracking sheets directly from a playbook. + The **Add Row** action allows users to programmatically append or insert a new + row of data into a specific Google Sheets spreadsheet. This is useful for logging + alert data, tracking incident response progress, or maintaining external audit + trails directly from a Google SecOps playbook. ### Parameters Description - | Parameter Name | Type | Mandatory | Description | + | Parameter Name | Expected Type | Mandatory | Description | | :--- | :--- | :--- | :--- | @@ -94,42 +122,47 @@ Add Row: in the URL: `https://docs.google.com/spreadsheets/d/{Sheet-Id}/edit`. | | **Worksheet Name** | String | No | The name of the specific tab (worksheet) - within the spreadsheet. Defaults to the first sheet (Sheet1) if not provided. - Note: This is case-sensitive. | + within the spreadsheet. Defaults to the first sheet (usually "Sheet1") if not + provided. Note: This is case-sensitive. | | **Row Index** | String | No | The one-based index where the row should be inserted. - If omitted, the behavior depends on the underlying API (typically appends or inserts - at the top). | + If omitted, the row is typically appended or inserted at the default position + defined by the API (usually the top). | - | **Values** | String | Yes | A comma-separated list of values to be placed into - the cells of the new row (e.g., "val1,val2,val3"). | + | **Values** | String | Yes | A comma-separated list of values to be placed in + the cells of the new row (e.g., "Value1,Value2,Value3"). | ### Additional Notes - - The action requires a service account with appropriate permissions (configured - in the integration settings) to access the target spreadsheet. + - The action requires valid Service Account credentials (JSON format) configured + in the integration settings to authenticate with the Google Sheets API. - - The `Values` parameter is parsed by splitting the string at every comma. + - The `Row Index` must be a valid integer string if provided. ### Flow Description - 1. **Initialization**: Extracts the service account credentials from the integration - configuration and the spreadsheet details from the action parameters. + 1. **Initialization**: The action extracts the Google Sheets credentials from + the integration configuration and the user-provided parameters (Sheet ID, Worksheet + Name, Row Index, and Values). - 2. **Data Parsing**: Converts the comma-separated `Values` string into a list + 2. **Data Parsing**: The comma-separated `Values` string is split into a list of individual cell values. - 3. **Connection**: Authenticates with Google APIs and opens the spreadsheet using - the provided `Sheet Id`. + 3. **Connection**: The action uses the `GoogleSheetFactory` to authenticate and + open the spreadsheet identified by the `Sheet Id`. + + 4. **Worksheet Selection**: It selects the worksheet by name if provided; otherwise, + it defaults to the first worksheet in the file. - 4. **Worksheet Selection**: Targets the specific worksheet by name; if no name - is provided, it defaults to the first worksheet in the file. + 5. **Row Insertion**: The action calls the Google Sheets API to insert the row + at the specified `Row Index`. If no index is provided, it inserts the row at the + default position. - 5. **Row Insertion**: Executes the `insert_row` command on the Google Sheets API, - placing the parsed values at the specified `Row Index` (or the default position - if the index is not provided). + 6. **Completion**: The action returns a success status if the row is added successfully, + or a failure status if an error occurs (e.g., invalid Sheet ID or permissions + issues). capabilities: can_create_case_comments: false can_create_insight: false @@ -138,7 +171,8 @@ Add Row: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Adds a new row of data to a specified Google Sheet worksheet. + This action adds a new row of data to an external Google Sheets spreadsheet, + modifying the content of the file. fetches_data: false internal_data_mutation_explanation: null categories: @@ -158,37 +192,99 @@ Add Row: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Add or Update Rows: - ai_description: "### General Description\nThe **Add or Update Rows** action allows\ - \ users to manage records in a Google Sheet dynamically. It provides a mechanism\ - \ to synchronize data by searching for an existing entry based on a specific column\ - \ value. If the entry exists, the action updates the row; otherwise, it appends\ - \ a new row. This is particularly useful for maintaining logs, asset lists, or\ - \ tracking statuses within a spreadsheet.\n\n### Parameters Description\n| Parameter\ - \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| **Column\ - \ Number** | String | Yes | The column index (e.g., \"1\") where the action will\ - \ look for the search value. |\n| **Start Column** | String | Yes | The starting\ - \ column identifier (e.g., \"A\") for the update/append operation. |\n| **End\ - \ Column** | String | Yes | The ending column identifier (e.g., \"C\") for the\ - \ update/append operation. |\n| **Field Name** | String | Yes | The key within\ - \ the provided JSON objects used to find the search value. |\n| **Json** | Code\ - \ | Yes | A JSON array of objects. Each object represents a row to be processed.\ - \ |\n| **Sheet Id** | String | Yes | The unique ID of the spreadsheet (found in\ - \ the URL). |\n| **Worksheet Name** | String | No | The name of the specific sheet\ - \ tab. Defaults to the first sheet if not provided. |\n\n### Flow Description\n\ - 1. **Initialization**: The action extracts credentials and parameters, then connects\ - \ to the Google Sheets API via the `GoogleSheetFactory`.\n2. **Worksheet Selection**:\ - \ It opens the spreadsheet by ID and selects the specified worksheet (or the first\ - \ one by default).\n3. **Data Processing**: It iterates through each object in\ - \ the provided JSON array.\n4. **Search**: For each object, it retrieves the value\ - \ associated with the `Field Name` and searches for it in the specified `Column\ - \ Number` using the `find` method.\n5. **Update/Append**: \n * If the value\ - \ is found, it calculates the target range and updates the existing row with the\ - \ new values.\n * If the value is not found, it appends the values as a new\ - \ row at the bottom of the sheet.\n6. **Completion**: The action returns the count\ - \ of processed rows and the specific ranges updated.\n\n### Additional Notes\n\ - * The `Json` parameter must be a valid JSON array of objects.\n* Ensure the service\ - \ account has the necessary permissions (Editor access) to the spreadsheet." + ai_description: >- + ### General Description + + Adds or updates rows in a Google Spreadsheet based on a search key. This action + allows for dynamic data management within a spreadsheet, enabling users to either + update existing records if a match is found or append new records if no match + exists. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Column Number | String | Yes | The column index (e.g., '1') used to search for + the value of the 'Field Name'. | + + | Start Column | String | Yes | The starting column for the update or add operation. + | + + | End Column | String | Yes | The ending column for the update or add operation. + | + + | Field Name | String | Yes | The key in the input JSON whose value is used for + searching in the spreadsheet. | + + | Json | Code | Yes | A JSON array of objects representing the rows to be added + or updated. | + + | Sheet Id | String | Yes | The unique identifier of the Google Spreadsheet, found + in the URL. | + + | Worksheet Name | String | No | The name of the specific worksheet tab. Defaults + to 'Sheet1' if not provided. | + + + ### Flow Description + + 1. The action authenticates with the Google Sheets API using the provided credentials. + + 2. It opens the spreadsheet identified by the 'Sheet Id' and selects the specified + worksheet. + + 3. It parses the 'Json' input into a list of row data. + + 4. For each row, it searches the specified 'Column Number' for the value associated + with the 'Field Name'. + + 5. If a match is found, it updates the existing row within the range defined by + 'Start Column' and 'End Column'. + + 6. If no match is found, it appends the row data as a new entry at the end of + the worksheet. + + 7. The action concludes by reporting the number of rows processed and the updated + ranges. + + + ### Additional Notes + + - The 'Json' parameter must be a valid JSON array of objects. + + - Column indices are 1-based (e.g., '1' for column A). + + - The action requires appropriate permissions for the service account on the target + spreadsheet. capabilities: can_create_case_comments: false can_create_insight: false @@ -197,8 +293,7 @@ Add or Update Rows: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates existing rows or appends new rows in the specified Google Sheet based - on the provided JSON data. + Updates existing rows or appends new rows in the specified Google Spreadsheet. fetches_data: true internal_data_mutation_explanation: null categories: @@ -218,54 +313,84 @@ Add or Update Rows: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Create Sheet: ai_description: >- ### General Description - The **Create Sheet** action enables the automated creation of a new Google Spreadsheet - within a Google Drive account. This action is primarily used to generate external - reports, logs, or collaborative documents during the lifecycle of an investigation. - It also supports sharing the newly created spreadsheet with specific users by - granting them 'writer' permissions. + This action creates a new Google Spreadsheet within the connected Google Sheets + account. It allows users to specify a name for the new sheet and optionally share + it with a list of email addresses, granting them 'writer' permissions. This is + useful for automated reporting, data collection, or collaborative incident tracking. ### Parameters Description - | Parameter | Type | Mandatory | Description | + | Parameter Name | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Sheet Name** | String | Yes | The name assigned to the new Google Spreadsheet - file. | + | Sheet Name | string | Yes | The name of the new spreadsheet to be created. | - | **Share with emails** | String | No | A semicolon-separated list of email addresses - (e.g., 'user1@gmail.com;user2@gmail.com') to grant 'writer' access to the spreadsheet. - | + | Share with emails | string | No | A semicolon-separated list of email addresses + (e.g., `user1@example.com;user2@example.com`) to grant 'writer' access to the + newly created sheet. | ### Flow Description - 1. **Authentication**: The action authenticates with the Google Sheets and Google - Drive APIs using the provided service account credentials. + 1. **Configuration Extraction**: The action retrieves the Google service account + credentials from the integration configuration. - 2. **Resource Creation**: It creates a new Google Spreadsheet file with the name - provided in the 'Sheet Name' parameter. + 2. **Parameter Parsing**: It extracts the desired sheet name and the optional + list of emails to share the sheet with. + + 3. **Client Initialization**: A Google Sheets client is initialized using the + provided service account credentials. - 3. **Access Control**: If email addresses are provided in the 'Share with emails' - parameter, the action iterates through the list and updates the spreadsheet's - permissions to grant 'writer' access to each user. + 4. **Spreadsheet Creation**: The action calls the Google Sheets API to create + a new spreadsheet with the specified name. - 4. **Output**: The action returns the unique Spreadsheet ID as the result value - upon successful creation. + 5. **Permission Management**: If email addresses were provided, the action iterates + through each email and updates the spreadsheet's permissions to grant 'writer' + (editor) access to those users. + + 6. **Completion**: The action returns the unique ID of the newly created spreadsheet + and a success message. ### Additional Notes - - This action creates a new Spreadsheet file, not just a tab within an existing - file. + - The service account used must have sufficient permissions to create files in + Google Drive and manage sharing permissions. - - If the 'Share with emails' parameter is left empty, the spreadsheet remains - private to the service account owner. + - If the sharing step fails for any specific email, the entire action may report + a failure depending on the exception handling, though the sheet itself might have + already been created. capabilities: can_create_case_comments: false can_create_insight: false @@ -274,8 +399,8 @@ Create Sheet: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new Google Spreadsheet file in Google Drive and modifies its permissions - to share it with specified email addresses. + Creates a new spreadsheet resource in Google Sheets and modifies sharing permissions + (ACLs) for that resource. fetches_data: false internal_data_mutation_explanation: null categories: @@ -295,58 +420,85 @@ Create Sheet: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Delete Rows: ai_description: >- ### General Description - The **Delete Rows** action allows users to remove a specific range of rows from - a Google Sheets worksheet. This is useful for cleaning up logs, removing processed - data, or managing spreadsheet-based databases directly from Google SecOps. + Deletes a specified range of rows from a Google Sheets worksheet. This action + is useful for cleaning up logs, removing processed data, or managing spreadsheet-based + databases directly from a SOAR workflow. ### Parameters Description - | Parameter Name | Description | Type | Mandatory | Notes | + | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | :--- | + | :--- | :--- | :--- | :--- | + + | Sheet Id | string | Yes | The unique identifier of the spreadsheet, found in + the URL: `https://docs.google.com/spreadsheets/d/{SheetId}/edit`. | - | **Sheet Id** | The unique identifier of the spreadsheet, found in the URL: `https://docs.google.com/spreadsheets/d/{SheetId}/edit`. - | String | Yes | Required to locate the file. | + | Worksheet Name | string | No | The name of the specific tab/worksheet. Defaults + to the first sheet (Sheet1) if not provided. Note: This is case-sensitive. | - | **Worksheet Name** | The name of the specific tab (e.g., "Sheet1"). | String - | No | If not provided, the action defaults to the first worksheet in the file. + | From Row | string | Yes | The starting row number for the deletion range (inclusive). | - | **From Row** | The starting row number for the deletion range. | String | Yes - | Must be a valid integer. | - - | **To Row** | The ending row number for the deletion range. | String | Yes | - Must be a valid integer. | + | To Row | string | Yes | The ending row number for the deletion range (inclusive). + | ### Additional Notes - - This action does not process or require any entities from the case. + - The action requires valid Google Service Account credentials with appropriate + permissions (Spreadsheets and Drive scopes) configured in the integration settings. - - The row indices are 1-based (the first row is 1). + - Row numbers are 1-indexed. ### Flow Description - 1. **Authentication**: The action retrieves service account credentials from the - integration configuration. + 1. **Configuration Extraction:** Retrieves the Google Service Account credentials + from the integration configuration. - 2. **Spreadsheet Access**: It connects to the Google Sheets API and opens the - spreadsheet identified by the `Sheet Id`. + 2. **Parameter Parsing:** Extracts the Sheet ID, Worksheet Name, and the row range + (From/To) from the action input. - 3. **Worksheet Selection**: It selects the worksheet specified by the `Worksheet - Name` or defaults to the first sheet if the parameter is empty. + 3. **Authentication:** Initializes a connection to the Google Sheets API using + the provided credentials. - 4. **Row Deletion**: It executes a command to delete all rows within the range - defined by `From Row` and `To Row`. + 4. **Worksheet Selection:** Opens the spreadsheet by ID and selects the specified + worksheet (or the first one by default). - 5. **Completion**: Returns a success message if the rows were deleted or an error - message if the operation failed. + 5. **Execution:** Executes the row deletion command for the specified range. + + 6. **Completion:** Returns a success message if the rows are deleted or an error + message if the operation fails. capabilities: can_create_case_comments: false can_create_insight: false @@ -355,8 +507,8 @@ Delete Rows: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Deletes a range of rows from a specified Google Sheet worksheet, permanently - altering the external document. + Deletes rows from a Google Sheets worksheet, permanently removing data from + the external spreadsheet. fetches_data: false internal_data_mutation_explanation: null categories: @@ -376,47 +528,77 @@ Delete Rows: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Delete Sheet: ai_description: >- ### General Description - Deletes a specific Google Spreadsheet from Google Drive using its unique Spreadsheet - ID. This action is intended for automated cleanup of spreadsheets generated during - investigation or for data management tasks. + The **Delete Sheet** action allows users to permanently remove a specific Google + Spreadsheet from their Google Drive/Sheets environment using its unique Spreadsheet + ID. This action is useful for cleaning up temporary reports, removing sensitive + data after processing, or managing automated spreadsheet lifecycles within a SOAR + workflow. ### Parameters Description - | Name | Type | Mandatory | Description | + | Parameter | Description | Expected Type | Mandatory | | :--- | :--- | :--- | :--- | - | Sheet Id | String | Yes | The unique identifier of the spreadsheet, found in - the URL: `https://docs.google.com/spreadsheets/d/{Sheet_Id}/edit`. | + | **Sheet Id** | The unique identifier for the spreadsheet. This can be found + in the URL of the sheet: `https://docs.google.com/spreadsheets/d/{Sheet_Id}/edit`. + | String | Yes | - ### Flow Description + ### Additional Notes - 1. **Setup**: The action retrieves the necessary Google service account credentials - from the integration configuration. + * **Irreversible Action:** Deleting a sheet is a destructive operation. Ensure + the correct ID is provided, as the action does not typically move the file to + the 'Trash' but performs a direct deletion via the API. - 2. **Input**: It captures the `Sheet Id` from the action input parameters. + * **Permissions:** The service account used in the integration configuration + must have sufficient permissions (Editor/Owner) to delete the target spreadsheet. - 3. **Authentication**: Initializes a connection to the Google Sheets API using - the provided service account credentials. - 4. **Deletion**: Executes the deletion request for the specified spreadsheet ID - via the Google Sheets client. + ### Flow Description - 5. **Completion**: Provides a status message indicating whether the deletion was - successful or if an error occurred. + 1. **Initialization:** The action retrieves the Google Sheets credentials from + the integration configuration and the target **Sheet Id** from the action parameters. + 2. **Authentication:** It initializes a connection to the Google Sheets API using + the provided service account credentials. - ### Additional Notes + 3. **Execution:** The action calls the `del_spreadsheet` method on the Google + Sheets client, passing the provided **Sheet Id**. - Ensure the service account has the appropriate 'Drive' and 'Spreadsheets' API - scopes enabled and has permission to delete the target file. This action permanently - removes the spreadsheet. + 4. **Completion:** If the deletion is successful, the action returns a success + message. If an error occurs (e.g., invalid ID, insufficient permissions), the + action fails and provides the error details. capabilities: can_create_case_comments: false can_create_insight: false @@ -425,7 +607,8 @@ Delete Sheet: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Permanently deletes a Google Spreadsheet from the user's Google Drive account. + This action deletes a spreadsheet file from the external Google Sheets/Google + Drive service. fetches_data: false internal_data_mutation_explanation: null categories: @@ -445,57 +628,87 @@ Delete Sheet: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get All: ai_description: >- ### General Description - Retrieves all rows from a specified Google Sheet worksheet and returns them as - a JSON array of objects. This action is designed to ingest tabular data from Google - Sheets into a Google SecOps playbook for further processing, such as lookups or - data manipulation. It uses service account credentials to authenticate and access - the spreadsheet. + The **Get All** action retrieves all data records from a specified Google Sheets + worksheet. It allows users to ingest tabular data from a spreadsheet into a Google + SecOps playbook for further analysis, lookups, or automation logic. The action + returns the data as a JSON array of objects, where each object represents a row + with keys corresponding to the column headers. - ### Parameters + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | | Sheet Id | String | Yes | The unique identifier of the spreadsheet, found in - the URL: `https://docs.google.com/spreadsheets/d/{Sheet-Id}/edit`. | + the URL (e.g., `https://docs.google.com/spreadsheets/d/{Sheet-Id}/edit`). | - | Worksheet Name | String | No | The name of the specific tab to retrieve data - from. If not provided, the action defaults to the first worksheet (Sheet1). Note: - This is case-sensitive. | + | Worksheet Name | String | No | The name of the specific tab (worksheet) to retrieve + data from. If left blank, the action defaults to the first worksheet in the spreadsheet + (usually "Sheet1"). Note: This value is case-sensitive. | - ### Flow Description + ### Additional Notes - 1. **Authentication**: The action initializes a connection to Google Sheets using - the provided Service Account credentials from the integration configuration. + - The action requires a valid **Credentials Json** to be configured in the integration + settings. - 2. **Spreadsheet Access**: It opens the spreadsheet identified by the `Sheet Id` - parameter. + - The service account associated with the credentials must have at least "Viewer" + permissions on the target spreadsheet. - 3. **Worksheet Selection**: It selects the worksheet based on the `Worksheet Name` - parameter. If the parameter is empty, it defaults to the first sheet in the workbook. + - If the worksheet name provided does not exist, the action will fail. - 4. **Data Retrieval**: It fetches all records from the worksheet using the `get_all_records()` - method, which converts rows into a list of dictionaries where the keys are the - column headers. - 5. **Output**: The retrieved data is attached to the action result as a JSON object - for use in subsequent playbook steps. + ### Flow Description + 1. **Configuration Retrieval:** The action extracts the service account credentials + from the integration configuration. - ### Additional Notes + 2. **Parameter Extraction:** It retrieves the `Sheet Id` and the optional `Worksheet + Name` from the action parameters. + + 3. **API Connection:** Initializes a connection to the Google Sheets API using + the `gspread` library. - - The Service Account must have at least "Viewer" permissions on the target spreadsheet - to successfully retrieve data. + 4. **Spreadsheet Access:** Opens the spreadsheet using the provided `Sheet Id`. - - The action assumes the first row of the worksheet contains headers used as keys - in the resulting JSON. + 5. **Worksheet Selection:** Selects the worksheet specified by the user or defaults + to the first worksheet if no name is provided. + + 6. **Data Fetching:** Executes a request to retrieve all records from the worksheet. + + 7. **Result Output:** Adds the retrieved records to the action's JSON result and + completes the execution with a success message. capabilities: can_create_case_comments: false can_create_insight: false @@ -523,57 +736,79 @@ Get All: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Range: ai_description: >- - ### General Description + Retrieves values from a specified range within a Google Sheets spreadsheet. This + action is designed to fetch data such as lookup tables, reference lists, or configuration + data stored in a spreadsheet for use within a playbook logic flow. - Retrieves the values for a specified range within a Google Spreadsheet. This action - is designed to pull data from a spreadsheet into the Google SecOps platform, enabling - playbooks to use external spreadsheet data for lookups, configuration, or reporting. + ### Flow Description: - ### Parameters Description - - | Parameter | Type | Mandatory | Description | + 1. **Authentication**: Initializes the Google Sheets API client using the provided + service account credentials from the integration configuration. - | :--- | :--- | :--- | :--- | + 2. **Spreadsheet Access**: Connects to the specific spreadsheet using the provided + `Sheet Id`. - | Sheet Id | string | Yes | The unique identifier of the spreadsheet, which can - be found in the spreadsheet URL: `https://docs.google.com/spreadsheets/d/{SheetId}/edit`. - | + 3. **Worksheet Selection**: Selects the target worksheet (tab). If a `Worksheet + Name` is provided, it selects that specific tab; otherwise, it defaults to the + first worksheet in the file. - | Worksheet Name | string | No | The name of the specific worksheet (tab) to query. - If not provided, the action defaults to the first worksheet (Sheet1). Note: this - is case-sensitive. | + 4. **Data Extraction**: Retrieves the values from the cells defined by the `Range` + parameter using A1 notation. - | Range | string | Yes | The range of cells to retrieve using A1 notation (e.g., - 'A1:B10' or 'Sheet1!A:C'). | + 5. **Result Processing**: Returns the fetched data as a JSON object and completes + the action with a success message. - ### Additional Notes + ### Parameters Description: - - The action requires valid service account credentials (Credentials Json) to - be configured in the integration settings. + | Parameter Name | Type | Mandatory | Description | - - The 'Range' parameter must follow the standard Google Sheets A1 notation. + | :--- | :--- | :--- | :--- | + | Sheet Id | String | Yes | The unique identifier of the spreadsheet, found in + the URL: `https://docs.google.com/spreadsheets/d/{SheetId}/edit`. | - ### Flow Description + | Worksheet Name | String | No | The name of the worksheet tab. Note that this + is case-sensitive. If left blank, the action defaults to the first tab. | - 1. **Authentication**: Initializes the Google Sheets client using the provided - service account credentials. + | Range | String | Yes | The cell range to extract using A1 notation (e.g., "A1:C10" + or "Sheet1!A1:B5"). | - 2. **Spreadsheet Access**: Opens the target spreadsheet using the provided 'Sheet - Id'. - 3. **Worksheet Selection**: Selects the specified 'Worksheet Name' or defaults - to the first sheet in the spreadsheet. + ### Additional Notes: - 4. **Data Retrieval**: Executes a batch get request to fetch the values for the - specified 'Range'. + - This action is read-only and does not modify the contents of the Google Sheet. - 5. **Output**: Returns the retrieved cell values as a JSON object and completes - the action with a success message. + - Ensure the service account associated with the credentials has at least 'Viewer' + access to the spreadsheet. capabilities: can_create_case_comments: false can_create_insight: false @@ -601,59 +836,84 @@ Get Range: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Row: ai_description: >- ### General Description - Retrieves the values of a single row from a Google Sheets spreadsheet. This action - is designed to fetch data from a specific row based on its index, allowing playbooks - to ingest external tabular data for decision-making or logging purposes. + The **Get Row** action retrieves all values from a specific row within a Google + Sheets spreadsheet. This is useful for fetching contextual data, configuration + settings, or lookup information stored in a spreadsheet format. The action returns + the row data as a JSON array of values. - ### Parameters + ### Parameters Description - | Parameter | Type | Mandatory | Description | + | Parameter Name | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Sheet Id | String | Yes | The unique identifier of the spreadsheet, which can - be found in the spreadsheet's URL (the string between '/d/' and '/edit'). | - - | Worksheet Name | String | No | The name of the specific worksheet (tab) to query. - If not provided, the action defaults to the first worksheet in the spreadsheet. + | **Sheet Id** | String | Yes | The unique identifier of the spreadsheet, found + in the spreadsheet's URL (e.g., `https://docs.google.com/spreadsheets/d//edit`). | - | Row Number | String | Yes | The one-based index of the row to retrieve (e.g., - '1' for the header row or first row of data). | + | **Worksheet Name** | String | No | The name of the specific worksheet (tab) + to retrieve the row from. If not provided, the action defaults to the first worksheet + (`sheet1`). | + | **Row Number** | String | Yes | The one-based index of the row to retrieve (e.g., + '1' for the first row). | - ### Additional Notes - - The action requires valid Google Service Account credentials configured in the - integration settings. + ### Additional Notes - - The service account must have at least 'Viewer' permissions on the target spreadsheet. + - The action uses service account credentials configured in the integration settings + to access the Google Sheets API. - - The `Row Number` parameter is one-based, following standard spreadsheet indexing. + - The row number is one-based, meaning the first row is 1, the second is 2, and + so on. ### Flow Description - 1. **Authentication**: The action authenticates with the Google Sheets API using - the service account credentials provided in the integration configuration. + 1. **Authentication**: The action initializes a connection to Google Sheets using + the provided service account credentials. - 2. **Spreadsheet Connection**: It opens the spreadsheet identified by the `Sheet - Id`. + 2. **Spreadsheet Access**: It opens the spreadsheet identified by the **Sheet + Id**. - 3. **Worksheet Selection**: It identifies the target worksheet. If a `Worksheet - Name` is specified, it selects that sheet; otherwise, it defaults to the first - sheet (`sheet1`). + 3. **Worksheet Selection**: If a **Worksheet Name** is provided, it selects that + specific tab; otherwise, it defaults to the first tab in the spreadsheet. - 4. **Data Extraction**: It retrieves all cell values for the row specified by - the `Row Number`. + 4. **Data Retrieval**: The action fetches all values for the specified **Row Number** + using the `row_values` method. - 5. **Result Output**: The extracted row values are returned as a JSON array in - the action's result object. + 5. **Output**: The retrieved values are added to the action's JSON results and + the execution completes successfully. capabilities: can_create_case_comments: false can_create_insight: false @@ -665,7 +925,7 @@ Get Row: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: entity_types: [] filters_by_additional_properties: false @@ -681,55 +941,79 @@ Get Row: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Import CSV: ai_description: >- ### General Description - Imports the content of a CSV file into a specific Google Spreadsheet. This action - is designed to populate a spreadsheet with external data. **Warning:** This operation - is destructive; it replaces all content in the first worksheet of the target spreadsheet - and removes all other existing worksheets. + The **Import CSV** action allows users to upload the contents of a local CSV file + directly into a Google Spreadsheet. This action is primarily used for reporting + or data synchronization tasks. **Warning:** This action is destructive to the + target spreadsheet; it replaces all content in the first worksheet with the CSV + data and deletes all other worksheets within that spreadsheet. ### Parameters Description - | Parameter Name | Type | Mandatory | Description | + | Parameter Name | Description | Type | Mandatory | Notes | - | :--- | :--- | :--- | :--- | + | :--- | :--- | :--- | :--- | :--- | - | Sheet Id | string | Yes | The unique identifier of the Google Spreadsheet, which - can be extracted from the spreadsheet's URL (e.g., the string between '/d/' and - '/edit'). | + | Sheet Id | The unique identifier for the Google Spreadsheet, found in the URL + (e.g., `https://docs.google.com/spreadsheets/d/{SheetId}/edit`). | String | Yes + | The service account must have editor access to this sheet. | - | CSV Path | string | Yes | The absolute or relative path on the local file system - where the CSV file to be imported is located. | + | CSV Path | The local file system path where the CSV file to be imported is located. + | String | Yes | Ensure the SOAR runner has read permissions for this path. | ### Additional Notes - - The integration must be configured with valid Google Service Account credentials - that have 'Editor' access to the target spreadsheet. + - This action uses the `gspread` library to perform a bulk import of CSV data. - - Because this action deletes other worksheets, it should be used with caution - on spreadsheets containing multiple tabs of data. + - Because this action deletes other worksheets and overwrites the first one, it + should be used with caution on spreadsheets containing existing important data. ### Flow Description - 1. **Authentication:** The action initializes a connection to the Google Sheets - API using the provided Service Account credentials. - - 2. **File Retrieval:** It reads the raw text content from the CSV file specified - in the `CSV Path` parameter. + 1. **Configuration Extraction:** The action retrieves the Google Service Account + credentials from the integration settings and the `Sheet Id` and `CSV Path` from + the action parameters. - 3. **Spreadsheet Access:** It verifies access to the spreadsheet using the `Sheet - Id`. + 2. **File Access:** The script reads the raw text content of the CSV file located + at the provided `CSV Path`. - 4. **Data Import:** It calls the Google Sheets API to import the CSV data. This - process overwrites the first sheet and deletes all other worksheets in the file. + 3. **Authentication:** A connection is established with the Google Sheets API + using the provided service account credentials. - 5. **Completion:** The action returns the Spreadsheet ID and a success message - upon completion. + 4. **Data Import:** The action calls the Google Sheets API to import the CSV content + into the specified spreadsheet. This process automatically clears the first worksheet, + populates it with the new data, and removes any additional worksheets in the file. capabilities: can_create_case_comments: false can_create_insight: false @@ -738,8 +1022,8 @@ Import CSV: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - This action overwrites the content of the first worksheet in a Google Spreadsheet - and deletes all other worksheets within that spreadsheet file. + This action overwrites the content of the first worksheet in the target Google + Spreadsheet and deletes all other worksheets in that file. fetches_data: false internal_data_mutation_explanation: null categories: @@ -759,48 +1043,75 @@ Import CSV: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: ai_description: >- ### General Description - Tests connectivity with Google Sheets by verifying the validity of the provided - service account credentials. The action attempts to create a temporary spreadsheet - and then immediately deletes it to ensure that the integration has both read and - write permissions to the Google Drive and Google Sheets APIs. + The **Ping** action is designed to verify the connectivity and authentication + between Google SecOps and the Google Sheets API. It ensures that the provided + service account credentials have the necessary permissions to perform basic operations, + such as creating and deleting spreadsheets. ### Parameters Description - | Parameter Name | Type | Mandatory | Description | + There are no action-specific parameters for this action. It relies entirely on + the integration's configuration parameters (specifically the 'Credentials Json'). - | :--- | :--- | :--- | :--- | - | Credentials Json | String | Yes | The JSON content of the Google Service Account - key file used for authentication. This is typically retrieved from the integration's - configuration settings. | + ### Additional Notes + * This action requires the 'Credentials Json' to be correctly configured in the + Google Sheets integration settings. - ### Flow Description + * The action performs a 'smoke test' by creating a temporary file and then removing + it. This confirms that the service account has both write and delete permissions + in the target environment. - 1. **Authentication**: Initializes a Google Sheets client using the provided Service - Account JSON credentials. - 2. **Creation Test**: Generates a unique spreadsheet name using a UUID and attempts - to create a new spreadsheet in the associated Google account. + ### Flow Description - 3. **Cleanup**: Immediately deletes the newly created spreadsheet using its unique - identifier to leave the environment clean. + 1. **Credential Extraction**: The action retrieves the 'Credentials Json' from + the integration's configuration. - 4. **Status Reporting**: If both the creation and deletion succeed, the action - returns a success message. If any step fails (e.g., invalid credentials or insufficient - permissions), it catches the exception and reports the failure. + 2. **Client Initialization**: It initializes a Google Sheets client using the + provided service account information and the required OAuth scopes (Spreadsheets + and Drive). + 3. **Connectivity Test (Create)**: The action attempts to create a new spreadsheet + with a unique name (e.g., 'Test-' followed by a random UUID). - ### Additional Notes + 4. **Cleanup (Delete)**: Immediately after creation, the action attempts to delete + the temporary spreadsheet using its ID. - This action is a standard 'Ping' utility used to validate the setup of the Google - Sheets integration. It requires the service account to have scopes for both `https://www.googleapis.com/auth/spreadsheets` - and `https://www.googleapis.com/auth/drive`. + 5. **Result Reporting**: If both the creation and deletion are successful, the + action returns a 'Connected successfully' message. If any step fails, it captures + the error and reports a failure. capabilities: can_create_case_comments: false can_create_insight: false @@ -809,9 +1120,8 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - The action creates a temporary spreadsheet and then deletes it to verify that - the credentials have the necessary permissions to perform write and delete operations - in Google Sheets and Google Drive. + The action creates a temporary spreadsheet in Google Drive and then deletes + it to verify that the credentials have sufficient permissions. fetches_data: false internal_data_mutation_explanation: null categories: @@ -831,66 +1141,86 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Search Row: ai_description: >- ### General Description - The **Search Row** action identifies and retrieves a specific row from a Google - Spreadsheet based on a provided search value. It is designed to act as a lookup - utility, allowing playbooks to fetch contextual data stored in spreadsheets, such - as asset owners, contact lists, or whitelist entries. The action returns the row - index and the full content of the row as a JSON array. + The **Search Row** action allows users to find a specific row within a Google + Spreadsheet based on a search value. It is primarily used to retrieve data associated + with a specific identifier or record stored in a sheet, returning the entire row's + content as a JSON object and the row index as the result value. ### Parameters Description - | Parameter | Type | Mandatory | Description | + | Parameter Name | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Sheet Id** | String | Yes | The unique identifier of the spreadsheet, which - can be extracted from the URL: `https://docs.google.com/spreadsheets/d/{SheetId}/edit`. + | **Sheet Id** | String | Yes | The unique identifier of the spreadsheet, found + in the URL: `https://docs.google.com/spreadsheets/d/{SheetId}/edit`. | + + | **Worksheet Name** | String | No | The name of the specific tab/worksheet to + search. Defaults to the first sheet (Sheet1) if not provided. Note: This is case-sensitive. | - | **Worksheet Name** | String | No | The name of the specific tab (worksheet) - to search within. If not provided, the action defaults to the first worksheet - (Sheet1). | + | **Column Number** | String | Yes | The column index (starting from 1) where + the search should be performed. | - | **Column Number** | String | Yes | The column index where the search is intended - to be performed. **Note:** The current implementation searches the entire worksheet - for the value, but uses this parameter for reporting in the output message. | + | **Search value** | String | Yes | The specific string or value to look for within + the specified column. | - | **Search value** | String | Yes | The string or value to search for within the - spreadsheet. | + ### Additional Notes - ### Flow Description + - The action uses the `gspread` library to interact with the Google Sheets API. - 1. **Authentication**: The action initializes a connection to the Google Sheets - API using service account credentials provided in the integration configuration. + - If the value is not found, the action will return a failure status. - 2. **Spreadsheet Access**: It opens the target spreadsheet using the provided - `Sheet Id`. + - The action returns the full content of the row where the first match is found. - 3. **Worksheet Selection**: It selects the specified worksheet by name or defaults - to the first available sheet. - 4. **Search Execution**: The action performs a search across the worksheet to - find the first cell containing the `Search value`. + ### Flow Description - 5. **Data Extraction**: Upon finding a match, it retrieves the row index and all - values contained within that specific row. + 1. **Authentication**: The action initializes a connection to Google Sheets using + provided Service Account credentials. - 6. **Result Processing**: The row data is added to the action's JSON results, - and the row number is returned as the primary result value. + 2. **Spreadsheet Access**: It opens the spreadsheet using the `Sheet Id` and selects + the target worksheet (either by name or the default first sheet). + 3. **Search Execution**: It performs a search for the `Search value` within the + worksheet. - ### Additional Notes + 4. **Data Retrieval**: If a match is found, it retrieves the values for the entire + row containing that cell. - * The search is case-sensitive and will return the first match found in the sheet. - - * If the value is not found, the action will return a failure status with a 'CellNotFound' - message. + 5. **Output**: The row data is added to the action's JSON results, and the row + number is returned as the main output value. capabilities: can_create_case_comments: false can_create_insight: false @@ -918,68 +1248,90 @@ Search Row: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Search Rows: ai_description: >- ### General Description - The **Search Rows** action allows users to search for specific values within a - designated column of a Google Sheets spreadsheet. It identifies all rows where - the search value exists in the specified column and returns the row numbers as - a list. This is useful for lookups, data validation, or retrieving record identifiers - from a centralized spreadsheet. + The **Search Rows** action enables users to locate specific rows within a Google + Sheet by searching for a value in a designated column. This action is primarily + used for data retrieval and lookups, allowing playbooks to query spreadsheets + for contextual information such as asset owners, contact details, or allowlisted + indicators. ### Parameters Description - | Parameter Name | Type | Mandatory | Description | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Sheet Id** | string | Yes | The unique identifier of the spreadsheet, found - in the URL: `https://docs.google.com/spreadsheets/d/{SheetId}/edit`. | - - | **Worksheet Name** | string | No | The name of the specific tab/worksheet to - search. If not provided, the action defaults to the first worksheet (Sheet1). + | **Sheet Id** | String | Yes | The unique identifier of the spreadsheet, which + can be extracted from the URL: `https://docs.google.com/spreadsheets/d/{SheetId}/edit`. | - | **Column Number** | string | Yes | The numerical index of the column to search - within (e.g., "1" for Column A). | + | **Worksheet Name** | String | No | The name of the specific tab (worksheet) + to search. If left blank, the action defaults to the first sheet (Sheet1). Note: + This is case-sensitive. | - | **Search value** | string | Yes | The specific string or value to search for - within the specified column. | + | **Column Number** | String | Yes | The numerical index of the column to search + within (e.g., '1' for column A). | + | **Search value** | String | Yes | The specific text or value to search for within + the specified column. | - ### Additional Notes - - The search is performed using the `findall` method, which identifies all occurrences - of the value in the sheet, but the action specifically filters these results to - only include matches found in the user-defined **Column Number**. + ### Flow Description - - The action returns the total count of matching rows as the main result value - and a list of row numbers in the JSON result. + 1. **Authentication**: The action initializes a connection to Google Sheets using + the provided Service Account credentials. + 2. **Worksheet Selection**: It opens the spreadsheet via the `Sheet Id` and selects + the target worksheet based on the `Worksheet Name` parameter. - ### Flow Description + 3. **Search Execution**: The action performs a global search for the `Search value` + across the entire worksheet. - 1. **Initialization**: The action extracts the Google Sheets credentials from - the integration configuration and the search parameters (Sheet ID, Worksheet Name, - Column Number, and Search Value) from the action input. + 4. **Column Filtering**: It iterates through the search results and filters for + matches that specifically occur within the provided `Column Number`. - 2. **Connection**: It establishes a connection to the Google Sheets API using - a service account. + 5. **Data Extraction**: For every valid match, the action retrieves the row number + and the full list of values for that row. - 3. **Worksheet Selection**: It opens the spreadsheet by ID and selects the specified - worksheet (or the first one by default). + 6. **Result Reporting**: The action returns the total count of found rows, the + list of row numbers, and the content of the matching rows as JSON output. - 4. **Search Execution**: It searches the entire worksheet for the provided value. - 5. **Filtering**: It iterates through the search results and keeps only those - where the cell's column index matches the provided **Column Number**. + ### Additional Notes - 6. **Data Retrieval**: It collects the row numbers of the matching cells. + - If the search value is not found in the specified column, the action will return + a failure status. - 7. **Completion**: The action outputs the list of row numbers and the total count - of rows found. + - This action does not modify the spreadsheet; it is strictly read-only. capabilities: can_create_case_comments: false can_create_insight: false @@ -1007,57 +1359,83 @@ Search Rows: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Update Cell: ai_description: >- - ### General Description + Updates a specific cell within a Google Sheets spreadsheet. This action allows + for direct modification of spreadsheet data by specifying the spreadsheet ID, + the worksheet name, the target cell (in A1 notation), and the new value to be + inserted. - Updates a specific cell in a Google Sheets spreadsheet with a provided value. - This action is useful for logging, tracking status, or updating external records - directly from a playbook. + ### Flow Description: - ### Parameters Description + 1. **Credential Retrieval:** Extracts the service account credentials from the + integration configuration. - | Parameter Name | Type | Mandatory | Description | + 2. **Parameter Extraction:** Retrieves the Sheet ID, Worksheet Name, Cell coordinates, + and the Value to be updated from the action parameters. - | :--- | :--- | :--- | :--- | + 3. **Connection Establishment:** Uses the Google Sheets API to authenticate and + open the specified spreadsheet. - | Sheet Id | string | Yes | The unique identifier of the spreadsheet, found in - the URL: `https://docs.google.com/spreadsheets/d/{SheetId}/edit`. | + 4. **Worksheet Selection:** Identifies the target worksheet. If no worksheet name + is provided, it defaults to the first sheet in the workbook. - | Worksheet Name | string | No | The name of the specific tab (worksheet) to update. - If not provided, the action defaults to the first sheet (Sheet1). Note: This is - case-sensitive. | + 5. **Cell Update:** Executes the update command to change the value of the specified + cell. - | Cell | string | Yes | The A1 notation of the cell to update (e.g., 'A1', 'B12'). - | - | Value | string | Yes | The data/value to be written into the specified cell. - | + ### Parameters Description: + | Parameter Name | Type | Mandatory | Description | - ### Additional Notes + | :--- | :--- | :--- | :--- | - This action requires a service account with appropriate permissions to access - and edit the target spreadsheet. If the 'Worksheet Name' is not found, the action - will fail. + | Sheet Id | String | Yes | The unique identifier of the spreadsheet, found in + the URL (e.g., `https://docs.google.com/spreadsheets/d/{SheetId}/edit`). | + | Worksheet Name | String | No | The name of the specific tab/worksheet to update. + Case-sensitive. Defaults to the first sheet if left empty. | - ### Flow Description + | Cell | String | Yes | The cell address in A1 notation (e.g., 'A1', 'B10') that + you wish to update. | - 1. **Authentication**: The action initializes a connection to Google Sheets using - the provided service account credentials. + | Value | String | Yes | The new content or value to be written into the specified + cell. | - 2. **Spreadsheet Access**: It opens the spreadsheet identified by the 'Sheet Id'. - 3. **Worksheet Selection**: It selects the worksheet specified by 'Worksheet Name' - or defaults to the first worksheet if the parameter is empty. + ### Additional Notes: - 4. **Cell Update**: It executes an update command to write the 'Value' into the - designated 'Cell'. + - This action does not process or filter entities from the Google SecOps case; + it operates strictly based on the provided parameters. - 5. **Completion**: Returns a success message if the update is successful or an - error message if the operation fails. + - Ensure the service account associated with the provided credentials has 'Editor' + permissions on the target spreadsheet. capabilities: can_create_case_comments: false can_create_insight: false @@ -1066,8 +1444,8 @@ Update Cell: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the content of a specific cell within a Google Sheets spreadsheet, modifying - the external document's state. + Updates the content of a specific cell within a Google Sheets spreadsheet via + the Google Sheets API. fetches_data: false internal_data_mutation_explanation: null categories: @@ -1087,60 +1465,87 @@ Update Cell: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Update Row: ai_description: >- - ### General Description - - Updates a specific row in a Google Sheet with a provided set of values. This action - is useful for logging data, updating status trackers, or maintaining external - records directly from a SOAR playbook. + Updates a specific row in a Google Sheets spreadsheet with a provided list of + values. This action allows for the modification of existing data within a worksheet + by specifying the row index and a comma-separated string of values that will be + mapped to columns sequentially starting from the first column. - ### Parameters Description + ### Parameters | Parameter Name | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Sheet Id | String | Yes | The unique identifier of the spreadsheet, found in - the URL: `https://docs.google.com/spreadsheets/d/{Sheet-Id}/edit`. | + | Sheet Id | string | Yes | The unique identifier of the spreadsheet, found in + the URL: `https://docs.google.com/spreadsheets/d/{SheetId}/edit`. | - | Worksheet Name | String | No | The name of the specific tab (worksheet) to update. - If not provided, the action defaults to the first worksheet (Sheet1). | + | Worksheet Name | string | No | The name of the specific tab (worksheet) to update. + If not provided, the action defaults to the first sheet ('Sheet1'). Note: This + is case-sensitive. | - | Row Number | String | Yes | The numerical index of the row to be updated (e.g., - "1", "5"). | + | Row Number | string | Yes | The numerical index of the row to be updated (e.g., + '1', '2'). | - | Values | String | Yes | A comma-separated list of values to be written into - the row (e.g., "val1,val2,val3"). Each value will be placed in a sequential column - starting from Column A. | + | Values | string | Yes | A comma-separated list of values (e.g., 'val1,val2,val3') + to be written into the row. | ### Additional Notes - * This action does not process or require any SOAR entities. + - The action overwrites existing data in the specified row starting from Column + A (Column 1). - * The `Values` parameter is parsed by splitting the string at each comma. Ensure - your data does not contain unexpected commas unless they are intended as column - delimiters. + - The `Values` parameter is split by commas; ensure that values containing commas + are handled according to the logic or that the input string is formatted correctly. ### Flow Description - 1. **Authentication**: The action initializes a connection to Google Sheets using - the provided Service Account credentials. + 1. **Initialization**: Extracts the service account credentials from the integration + configuration and the spreadsheet details from the action parameters. - 2. **Spreadsheet Access**: It opens the spreadsheet identified by the `Sheet Id`. + 2. **Connection**: Authenticates with the Google Sheets API and opens the spreadsheet + using the provided `Sheet Id`. - 3. **Worksheet Selection**: It selects the worksheet specified by `Worksheet Name` - or defaults to the first available sheet. + 3. **Worksheet Selection**: Selects the target worksheet based on the `Worksheet + Name` parameter or defaults to the first available sheet. - 4. **Data Parsing**: The `Values` string is split into a list of individual cell + 4. **Data Processing**: Splits the `Values` string into a list of individual cell values. - 5. **Row Update**: The action iterates through the list of values, updating each - cell in the specified `Row Number` sequentially, starting from the first column - (Column 1). + 5. **Execution**: Iterates through the list of values and updates each cell in + the specified `Row Number`, incrementing the column index for each value. + + 6. **Completion**: Returns a success message if the row is updated or an error + message if the operation fails. capabilities: can_create_case_comments: false can_create_insight: false @@ -1149,7 +1554,7 @@ Update Row: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates cell values within a specified row of a Google Sheet. + Updates cell values within a specific row of an external Google Sheets spreadsheet. fetches_data: false internal_data_mutation_explanation: null categories: @@ -1169,56 +1574,90 @@ Update Row: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Update Rows: ai_description: >- ### General Description - Updates specific rows in a Google Spreadsheet with provided values. This action - allows for bulk updates of multiple rows by specifying row indices and a sequence - of values to be inserted starting from the first column of each specified row. + The **Update Rows** action allows users to modify specific rows within a Google + Spreadsheet. It is designed to take a list of row numbers and a set of values, + then sequentially update the cells in those rows starting from the first column. + This is useful for logging, tracking status changes, or updating shared records + directly from a SOAR workflow. ### Parameters Description - | Parameter | Type | Mandatory | Description | + | Parameter Name | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Row Number** | String | Yes | Comma-separated list of row numbers to update - (e.g., '1,2,5'). | + | **Row Number** | String | Yes | A comma-separated list of row indices (e.g., + "1,2,5") that you want to update in the sheet. | - | **Values** | Content | Yes | Comma-separated list of values to be written into - the cells (e.g., 'ValueA,ValueB'). | + | **Values** | Content | Yes | A comma-separated list of values (e.g., "Value1,Value2") + to be placed in the columns of the specified rows. The first value goes to Column + A, the second to Column B, and so on. | - | **Sheet Id** | String | Yes | The unique ID of the spreadsheet found in the - URL. | + | **Sheet Id** | String | Yes | The unique identifier of the spreadsheet, found + in the URL: `https://docs.google.com/spreadsheets/d/{SheetId}/edit`. | - | **Worksheet Name** | String | No | The name of the worksheet tab. Defaults to - the first sheet (Sheet1) if not provided. | + | **Worksheet Name** | String | No | The name of the specific tab (worksheet) + to update. If left blank, the action defaults to the first worksheet (Sheet1). + | - ### Flow Description + ### Additional Notes + + - The action uses service account credentials configured in the integration settings + to authenticate with the Google Sheets API. - 1. **Authentication**: Connects to the Google Sheets service using the provided - service account credentials. + - Ensure the service account has 'Editor' permissions on the target spreadsheet. - 2. **Spreadsheet Access**: Opens the spreadsheet identified by the `Sheet Id`. + - Column updates always start from Column 1 (Column A). - 3. **Worksheet Selection**: Targets the specified `Worksheet Name` or defaults - to the first available sheet. - 4. **Data Processing**: Parses the input row numbers and values from comma-separated - strings. + ### Flow Description - 5. **Cell Update**: Iterates through each specified row and updates columns sequentially - starting from column 1 with the provided values. + 1. **Initialization**: The action extracts the Google Sheets credentials from + the integration configuration and the row/value details from the action parameters. + 2. **Connection**: It establishes a connection to the Google Sheets API using + the provided service account JSON. - ### Additional Notes + 3. **Targeting**: It opens the spreadsheet identified by the `Sheet Id` and selects + the specified `Worksheet Name` (or the first sheet by default). - - The action overwrites existing data in the specified cells. + 4. **Execution**: It iterates through each provided row number. For every row, + it iterates through the list of values and updates the corresponding cells (Row + X, Column 1; Row X, Column 2, etc.). - - Column indexing starts at 1 for each row updated. + 5. **Completion**: If all updates are successful, the action returns a success + message; otherwise, it catches and reports the specific error encountered. capabilities: can_create_case_comments: false can_create_insight: false @@ -1227,8 +1666,8 @@ Update Rows: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates cell values in a Google Spreadsheet by overwriting them with provided - input. + Updates cell values within a Google Spreadsheet by writing new data to specified + rows and columns. fetches_data: false internal_data_mutation_explanation: null categories: @@ -1248,3 +1687,28 @@ Update Rows: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/community/google_sheets/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/google_sheets/resources/ai/connectors_ai_description.yaml new file mode 100644 index 000000000..421f213b9 --- /dev/null +++ b/content/response_integrations/third_party/community/google_sheets/resources/ai/connectors_ai_description.yaml @@ -0,0 +1,70 @@ +Sheet Connector: + ai_description: >- + ### General Description + + The Sheet Connector allows Google SecOps to ingest data directly from Google Sheets. + It treats each row in a specified worksheet as a potential security event, converting + them into alerts and cases. This is particularly useful for ingesting manually + maintained watchlists, tracking logs, or simple automation triggers stored in + a spreadsheet format. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Alert Name Column Index | Integer | Yes | The zero-based index of the column + to be used as the Alert Name. | + + | Credentials Json | String | Yes | The JSON content of a Google Service Account + key with access to the sheet. | + + | DeviceProductField | String | Yes | The field name used to determine the device + product in the SOAR. | + + | EventClassId | String | Yes | The field name used to determine the event name + or sub-type. | + + | Filter Alert Column Index | Integer | No | The index of a column used to filter + which rows should be ingested. | + + | Filter Alert Column Value | String | No | The specific value required in the + filter column for a row to be processed. | + + | Product | String | Yes | The product name assigned to the ingested alerts. | + + | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the + connector execution. | + + | Sheet Id | String | Yes | The unique ID of the Google Sheet (found in the URL). + | + + | Worksheet Name | String | Yes | The name of the specific tab/worksheet to pull + data from (e.g., Sheet1). | + + + ### Flow Description + + 1. **Authentication**: The connector authenticates with the Google Sheets API + using the provided Service Account JSON credentials. + + 2. **Sheet Access**: It opens the spreadsheet identified by the Sheet Id and selects + the specified Worksheet Name. + + 3. **Data Retrieval**: The connector fetches all values from the worksheet, identifying + the first row as the header for field mapping. + + 4. **Filtering**: For each row (starting from the second row), it checks if a + filter is configured. If the value in the Filter Alert Column Index does not match + the Filter Alert Column Value, the row is skipped. + + 5. **Alert Creation**: For valid rows, it generates a unique Alert ID and sets + the Alert Name based on the configured column index. + + 6. **Event Mapping**: Each cell in the row is mapped to an event field using the + header names retrieved in step 3. + + 7. **Ingestion**: The constructed alerts, containing the row data as events, are + returned to Google SecOps for case creation. diff --git a/content/response_integrations/third_party/community/google_sheets/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/google_sheets/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..7b58b8805 --- /dev/null +++ b/content/response_integrations/third_party/community/google_sheets/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: true + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: true + network_security: false + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/goqr/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/goqr/resources/ai/actions_ai_description.yaml index a75a38db9..0bba17ebb 100644 --- a/content/response_integrations/third_party/community/goqr/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/goqr/resources/ai/actions_ai_description.yaml @@ -3,11 +3,10 @@ Generate QR Code: ### General Description The **Generate QR Code** action creates a QR code image from a provided string - of data, such as a URL, text, or identifier. This utility action is designed to - facilitate the visual representation of data within a case, allowing analysts - to generate codes for physical tracking, mobile access, or documentation purposes. - It interacts with the GOQR API to render the image based on customizable parameters - like size, color, and error correction levels. + of data, such as a URL or text. This utility action is useful for generating visual + representations of data that can be scanned by mobile devices or other QR readers. + The resulting image is automatically attached to the case wall in Google SecOps + and provided as a base64-encoded string in the action's output. ### Parameters Description @@ -20,50 +19,46 @@ Generate QR Code: the QR code. | | **Size** | String | No | 200x200 | The dimensions of the generated image in - pixels (e.g., 300x300). Maximum value is 1000x1000. | + pixels (e.g., 300x300). Max 1000x1000. | - | **Image Format** | DDL | No | png | The file format for the output image. Options: - png, jpg, gif, svg. | + | **Image Format** | DDL | No | png | The file format for the output image (png, + jpg, gif, svg). | - | **Error Correction** | DDL | No | Low | The level of data redundancy (Low, Medium, - Quartile, High). Higher levels increase damage resistance but result in a more - complex image. | + | **Error Correction** | DDL | No | Low | Level of data redundancy (Low, Medium, + Quartile, High). | - | **Margin** | String | No | 1 | The width of the blank border (quiet zone) around - the QR code in pixels. | + | **Margin** | String | No | 1 | Width of the blank border around the QR code + in pixels. | - | **Foreground Color** | String | No | 0-0-0 | The color of the QR code modules - in R-G-B format (e.g., 255-0-0 for red). | + | **Foreground Color** | String | No | 0-0-0 | Color of the QR code modules in + R-G-B format. | - | **Background Color** | String | No | 255-255-255 | The color of the image background + | **Background Color** | String | No | 255-255-255 | Color of the image background in R-G-B format. | - ### Additional Notes + ### Flow Description - * This action **does not run on entities**. It is a standalone utility that processes - the provided 'Content' parameter. + 1. **Parameter Extraction**: The action retrieves the input string and optional + formatting parameters (size, colors, etc.). - * The generated image is automatically attached to the case wall for immediate - viewing. + 2. **API Request**: It sends a request to the GOQR API to generate the QR code + based on the provided configuration. + 3. **File Handling**: The received image bytes are saved as a temporary file. - ### Flow Description + 4. **Case Integration**: The temporary file is uploaded as an attachment to the + current Google SecOps case. - 1. **Parameter Extraction:** The action retrieves the content to be encoded and - optional styling parameters (size, format, colors) from the user input. + 5. **Result Generation**: The action returns a JSON object containing the base64-encoded + image and metadata, and cleans up temporary files. - 2. **API Interaction:** It sends a request to the GOQR service to generate the - QR code image bytes based on the specified configuration. - 3. **File Management:** The received image bytes are saved as a temporary file - with a sanitized name derived from the content. + ### Additional Notes - 4. **Internal Mutation:** The action attaches the generated image file to the - Google SecOps case wall. + - This action does not process or require Google SecOps entities. - 5. **Result Finalization:** It returns a JSON object containing the base64-encoded - image blob and the metadata used for generation, marking the action as successful. + - The generated QR code is visible on the Case Wall as an attachment. capabilities: can_create_case_comments: false can_create_insight: false @@ -92,40 +87,65 @@ Generate QR Code: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: ai_description: >- ### General Description - The **Ping** action is a diagnostic utility designed to verify the connectivity - between Google SecOps and the QR Server API. Its primary purpose is to ensure - that the integration's configuration (such as the API Root and SSL settings) is - correct and that the external service is reachable. + The **Ping** action is a diagnostic tool used to verify the connectivity between + the Google SecOps platform and the GOQR (QR Server) API. Its primary purpose is + to ensure that the integration's configuration (such as the API Root and SSL settings) + is correct and that the external service is reachable. ### Parameters Description - There are no parameters for this action. + This action does not require any input parameters. - ### Additional Notes + ### Flow Description - This action is a standard connectivity test and does not process any entities - or alert data. It is typically used during the initial setup of the GOQR integration - or for troubleshooting network issues. + 1. **Initialization**: The action initializes the GOQR API client using the global + integration configuration (API Root and Verify SSL). + 2. **Connectivity Test**: It executes a lightweight API call to the QR Server's + `create-qr-code` endpoint using a static 'PingCheck' data string. - ### Flow Description + 3. **Validation**: The action checks the response from the server. If the server + responds successfully, the action concludes that the connection is established. - 1. **Client Initialization**: The action initializes the GOQR API client using - the global integration configuration parameters, specifically the API Root and - Verify SSL settings. + 4. **Output**: A success message is returned if the connection is valid; otherwise, + an error message is generated to assist in troubleshooting. - 2. **Connectivity Check**: It executes a request to the QR Server's ping endpoint - (defined as a small QR code generation request) to validate the communication - path. - 3. **Status Reporting**: The action returns a success message if the API responds - correctly, or an error message if the connection fails. + ### Additional Notes + + - This action is typically used during the initial setup of the integration or + for troubleshooting communication issues. capabilities: can_create_case_comments: false can_create_insight: false @@ -134,7 +154,7 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: false + fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false @@ -153,14 +173,39 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Scan QR Code: ai_description: >- ### General Description - The **Scan QR Code** action extracts and reads data from a QR code image provided - as a Base64-encoded string. It utilizes the GOQR API to decode the image and retrieve - the embedded information, making it useful for analyzing suspicious QR codes found - in digital artifacts. + The **Scan QR Code** action extracts and decodes data from a QR code image provided + as a Base64-encoded string. This utility is primarily used to programmatically + retrieve the URL or text content embedded within QR codes found in attachments + or screenshots during security investigations. ### Parameters Description @@ -169,33 +214,35 @@ Scan QR Code: | :--- | :--- | :--- | :--- | :--- | - | **QR Image Base64 Blob** | The Base64-encoded string representing the QR code - image file. | String | Yes | N/A | + | QR Image Base64 Blob | The Base64-encoded string representing the QR code image + file to be scanned. | String | Yes | N/A | ### Flow Description - 1. **Parameter Extraction**: The action retrieves the Base64-encoded image string + 1. **Parameter Extraction:** The action retrieves the Base64-encoded image string from the input parameters. - 2. **Decoding**: The Base64 string is decoded into raw image bytes. + 2. **Base64 Decoding:** The string is decoded into raw image bytes. If decoding + fails, an error is raised. - 3. **API Interaction**: The image bytes are sent to the GOQR API's read endpoint - (`v1/read-qr-code/`). + 3. **API Interaction:** The image bytes are sent to the GOQR API's `read-qr-code` + endpoint. - 4. **Result Parsing**: The action parses the API response into structured data - models, extracting the decoded text from the QR code symbols. + 4. **Result Processing:** The action parses the API response, extracting the decoded + data from the QR symbols. - 5. **Output**: The decoded information is returned as a JSON result, and the action - status is set to success. + 5. **Output Generation:** The decoded content is saved into the action's JSON + results, and the action completes successfully if data is found. ### Additional Notes - - This action does not process entities from the SecOps environment; it operates - solely on the provided Base64 input. + * The action expects a valid Base64 string. Ensure that any headers (like `data:image/png;base64,`) + are stripped if necessary. - - Ensure the Base64 string is valid to avoid decoding errors. + * If the image contains no recognizable QR code or the API fails to decode it, + the action will result in a failure. capabilities: can_create_case_comments: false can_create_insight: false @@ -223,3 +270,28 @@ Scan QR Code: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/community/goqr/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/goqr/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..0801c7556 --- /dev/null +++ b/content/response_integrations/third_party/community/goqr/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/grey_noise/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/grey_noise/resources/ai/actions_ai_description.yaml deleted file mode 100644 index 0967ef424..000000000 --- a/content/response_integrations/third_party/community/grey_noise/resources/ai/actions_ai_description.yaml +++ /dev/null @@ -1 +0,0 @@ -{} diff --git a/content/response_integrations/third_party/community/hibob/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/hibob/resources/ai/actions_ai_description.yaml index e26ba2d4e..cc5b29919 100644 --- a/content/response_integrations/third_party/community/hibob/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/hibob/resources/ai/actions_ai_description.yaml @@ -1,54 +1,41 @@ Enrich Entities: ai_description: >- - ### General Description - - Enriches USER entities with detailed profile information from the Hibob HR platform. - This action retrieves employee data such as department, role, and contact details, - flattens the response, and maps it directly to the entity's additional properties - within Google SecOps to provide security analysts with organizational context. + Enriches USER entities with detailed profile information from the Hibob HRIS platform. + This action retrieves comprehensive employee data, flattens the hierarchical structure, + and maps it directly to the entity's additional properties within Google SecOps. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Get User Image | Boolean | No | A toggle to determine if user avatar/image data - should be processed during the enrichment flow. | - - - ### Additional Notes - - - The action specifically targets entities of type `USER`. - - - All retrieved data is prefixed with 'Hibob' when added to the entity's additional - properties to ensure clear data lineage and prevent field collisions. - - - The action uses the entity's identifier (typically an email or employee ID) - to query the Hibob API. + | Get User Image | Boolean | No | If enabled, the action logic is prepared to + handle user avatar retrieval (though the primary flow focuses on profile metadata). + | ### Flow Description - 1. **Configuration Retrieval:** The action initializes by fetching the Hibob API - token from the integration settings. + 1. **Initialization**: Retrieves the Hibob API token from the integration configuration + and initializes the Hibob Manager. - 2. **Entity Filtering:** It iterates through the list of target entities and filters - for those with the type `USER`. + 2. **Entity Filtering**: Iterates through the target entities and identifies those + of type `USER`. - 3. **External API Request:** For each valid user entity, it calls the Hibob `/v1/people/` - endpoint using the entity's identifier. + 3. **Data Retrieval**: For each identified user, it queries the Hibob API (`/v1/people/{identifier}`) + using the entity's identifier (email or ID). - 4. **Data Transformation:** The resulting JSON profile is flattened into a single-level - dictionary using a recursive utility and prefixed with 'Hibob'. + 4. **Data Transformation**: Flattens the resulting JSON response to ensure all + nested attributes are accessible and prefixes all keys with 'Hibob' for clear + attribution. - 5. **Internal Enrichment:** The entity's `additional_properties` are updated with - the flattened data, and the `is_enriched` flag is set to `True`. + 5. **Internal Update**: Updates the entity's `additional_properties` with the + flattened data and sets the `is_enriched` flag to true. - 6. **Update and Finalize:** The action updates the modified entities in the Google - SecOps environment and returns a summary of the enriched users along with the - raw JSON data. + 6. **Finalization**: Commits the updated entity profiles to the case and returns + a full JSON result of the retrieved data. capabilities: can_create_case_comments: false can_create_insight: false @@ -59,8 +46,8 @@ Enrich Entities: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates the 'additional_properties' attribute of USER entities with flattened - Hibob profile data and sets the 'is_enriched' flag to true. + Updates entity additional properties with flattened Hibob user metadata and + sets the 'is_enriched' flag on processed entities. categories: enrichment: true entity_usage: @@ -79,16 +66,37 @@ Enrich Entities: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get User Image: ai_description: >- - ### General Description - - - The **Get User Image** action retrieves the profile image (avatar) for a specific - employee from the Hibob HR platform. By providing an employee's email address, - the action identifies the user within Hibob and retrieves their profile picture, - providing it as both a Base64-encoded string and raw data in the action's JSON - results. + Retrieves the profile image for a specific employee from the Hibob platform. The + action uses an email address to identify the user, fetches their unique employee + ID, and then retrieves the associated avatar data. The resulting image is processed + and returned as a Base64-encoded string and a raw URL string within the JSON results. ### Parameters @@ -98,41 +106,24 @@ Get User Image: | :--- | :--- | :--- | :--- | - | Employee's Email | String | Yes | The email address of the employee whose profile - image is to be retrieved. | + | Employee's Email | string | True | The email address of the employee whose profile + photo you want to retrieve. | ### Flow Description - 1. **Extract Input:** The action retrieves the `Employee's Email` from the input - parameters. - - 2. **Lookup User:** It queries the Hibob API (`/v1/people/{email}`) to find the - employee and obtain their internal unique identifier (`id`). + 1. **Identify User:** The action calls the Hibob API to retrieve employee details + based on the provided email address to obtain the internal employee ID. - 3. **Fetch Image:** Using the internal identifier, it makes a request to the Hibob - avatar endpoint (`/v1/avatars/{id}`) to download the image content. + 2. **Fetch Image:** Using the employee ID, the action makes a request to the Hibob + avatar endpoint to retrieve the binary image content. - 4. **Process Data:** The binary image content is encoded into a Base64 string - for easy use in subsequent playbook steps. + 3. **Process Data:** The binary image data is encoded into a Base64 string for + easy use in downstream tasks or UI components. - 5. **Finalize:** The action populates the JSON result with the Base64 string and - the image data, then completes with a success message. - - - ### Additional Notes - - - * **Entity Support:** This action does not run on entities. It uses the email - address provided in the parameters. - - * **Parameter Typo:** Note that while the internal parameter description in the - metadata mentions 'uploading', the actual function of this action is to retrieve/download - the image. - - * **Data Handling:** The action returns the image in the `JsonResult` under the - keys `imageBase64` and `imageUrl`. + 4. **Output Results:** The action populates a JSON result containing the Base64 + string, the image URL/content, and a boolean indicating if the user exists. capabilities: can_create_case_comments: false can_create_insight: false @@ -160,25 +151,63 @@ Get User Image: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: - ai_description: "### General Description\nThe **Ping** action is a diagnostic tool\ - \ used to verify the connectivity between Google SecOps and the Hibob platform.\ - \ It ensures that the provided API credentials (API Token) are valid and that\ - \ the Hibob API service is reachable.\n\n### Parameters Description\nThere are\ - \ no input parameters for this action. It relies solely on the integration's global\ - \ configuration (API Token).\n\n### Additional Notes\n- This action is typically\ - \ used during the initial setup of the integration or for troubleshooting connection\ - \ issues.\n- It performs a simple GET request to the Hibob `/api/user` endpoint\ - \ to validate authentication.\n\n### Flow Description\n1. **Configuration Retrieval**:\ - \ The action retrieves the API Token from the Hibob integration settings.\n2.\ - \ **Manager Initialization**: It initializes the `HibobManager` with the API root\ - \ URL and the retrieved token.\n3. **Connectivity Test**: It calls the `test_connectivity`\ - \ method, which sends a GET request to the Hibob API.\n4. **Response Validation**:\ - \ \n - If the response is successful (HTTP 200) and contains valid JSON, the\ - \ connection is considered successful.\n - If the response returns a 401 (Unauthorized)\ - \ or 404 (Not Found), an exception is raised with a specific error message.\n\ - 5. **Final Result**: The action ends by returning a boolean value (`True` for\ - \ success, `False` for failure) and a descriptive output message to the SOAR interface." + ai_description: >- + ### General Description + + The Ping action is designed to verify the connectivity between the Google SecOps + platform and the Hibob service. It ensures that the provided API credentials (API + Token) are valid and that the Hibob API endpoint is reachable. This is typically + used as a health check for the integration. + + + ### Parameters Description + + There are no parameters for this action. + + + ### Flow Description + + 1. **Initialization**: The action initializes the Siemplify context and retrieves + the integration configuration, specifically the API Token. + + 2. **Manager Setup**: An instance of the HibobManager is created using the hardcoded + API root (`https://api.hibob.com`) and the retrieved API Token. + + 3. **Connectivity Test**: The action calls the `test_connectivity` method, which + performs a GET request to the `/api/user` endpoint. + + 4. **Validation**: The manager checks for successful HTTP status codes. It specifically + handles 401 (Unauthorized) and 404 (Not Found) errors to provide descriptive exceptions. + + 5. **Output**: If the request is successful and returns valid JSON, the action + concludes with a 'Connected successfully' message. Otherwise, it reports a connection + failure. capabilities: can_create_case_comments: false can_create_insight: false @@ -206,14 +235,39 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Revoke Access: ai_description: >- ### General Description - Revokes an employee's access to the Hibob platform using their email address. - This action is primarily used during offboarding or security incidents to ensure - a user can no longer log into the Hibob system by transitioning their status to - 'uninvited'. + The **Revoke Access** action disables a specific employee's access to the Hibob + platform using their email address. This action is primarily used for offboarding + or responding to security incidents by ensuring a user can no longer authenticate + to the Hibob HRIS system. ### Parameters Description @@ -222,31 +276,32 @@ Revoke Access: | :--- | :--- | :--- | :--- | - | Employee's Email | The email address of the employee whose access needs to be - revoked in Hibob. | String | Yes | + | Employee's Email | The email address of the employee whose access you want to + revoke in Hibob. | String | Yes | ### Flow Description - 1. **Fetch Details**: The action first retrieves the employee's internal Hibob - ID and current status using the provided email address. + 1. **Retrieve User Details:** The action calls the Hibob API to fetch the employee's + internal identifier and current invitation state based on the provided email address. - 2. **Existence Check**: It verifies if the employee exists in the Hibob database. - If not, the action terminates with a failure message. + 2. **Validate Existence:** If the employee is not found in Hibob, the action returns + a message stating the user does not exist. - 3. **Status Validation**: It checks the employee's current 'state'. If the employee - is already in an 'uninvited' state, the action informs the user that access was - already revoked. + 3. **Check Current Status:** The action checks if the employee's status is already + set to 'uninvited'. If so, it concludes that access was already revoked. - 4. **Revocation**: If the employee is active, the action sends a POST request - to the Hibob API to revoke access (uninvite) for that specific employee ID. + 4. **Execute Revocation:** If the employee is active, the action sends a POST + request to the Hibob `/uninvite` endpoint to revoke the user's access. + + 5. **Report Result:** The action returns a JSON result indicating whether the + user existed and if the revocation was successfully performed. ### Additional Notes - This action does not operate on Google SecOps entities (like ADDRESS or USER). - It relies entirely on the 'Employee's Email' input parameter provided by the user - or playbook. + This action operates independently of Google SecOps entities and relies entirely + on the manually provided email parameter. capabilities: can_create_case_comments: false can_create_insight: false @@ -255,9 +310,9 @@ Revoke Access: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - The action performs a POST request to the Hibob API endpoint '/v1/employees/{employee_identifier}/uninvite', - which changes the employee's status to 'uninvited' and revokes their access - to the platform. + The action sends a POST request to the Hibob API's uninvite endpoint, which + changes the employee's account state to 'uninvited', effectively disabling their + access to the platform. fetches_data: true internal_data_mutation_explanation: null categories: @@ -277,47 +332,57 @@ Revoke Access: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: true + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Search User: - ai_description: >- - ### General Description - - Searches for a specific user's details in the Hibob HR platform using their email - address. This action is used to verify the existence of an employee and retrieve - their profile information from the Hibob system. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Employee's Email | String | Yes | The email address of the employee to search - for in Hibob. | - - - ### Flow Description - - 1. **Configuration**: Retrieves the API Token and Root URL from the integration - settings. - - 2. **Input Extraction**: Extracts the target email address from the action parameters. - - 3. **API Request**: Calls the Hibob API GET `/v1/people/{email}` endpoint via - the HibobManager. - - 4. **Processing**: If the user is found, the profile data is captured and formatted - into a JSON result. - - 5. **Output**: Returns a boolean success status and populates the JSON result - with the user's details for use in subsequent playbook steps. - - - ### Additional Notes - - This action does not iterate over entities in the SecOps case; it performs a lookup - based strictly on the provided parameter. If the user is not found, the action - returns a failure status. + ai_description: "### General Description\nThe **Search User** action allows analysts\ + \ to verify the existence of a specific employee within the Hibob HR platform\ + \ and retrieve their detailed profile information. By providing an email address,\ + \ the action queries the Hibob API to fetch comprehensive metadata about the user,\ + \ such as their role, department, and contact details. This is particularly useful\ + \ for identity verification during security investigations or for enriching playbook\ + \ context with organizational data.\n\n### Parameters Description\n| Parameter\ + \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| **Employee's\ + \ Email** | String | Yes | The email address of the employee to search for in\ + \ Hibob. This serves as the unique identifier for the lookup. |\n\n### Flow Description\n\ + 1. **Initialization**: The action initializes the Hibob Manager using the provided\ + \ API Token and the base URL (https://api.hibob.com).\n2. **Parameter Extraction**:\ + \ It retrieves the target email address from the action's input parameters.\n\ + 3. **API Request**: The action performs a GET request to the Hibob `/v1/people/{employee_identifier}`\ + \ endpoint using the provided email.\n4. **Response Handling**: \n * If the\ + \ user is found (HTTP 200), the action parses the JSON response containing the\ + \ employee's details.\n * If the user is not found (HTTP 404), the action identifies\ + \ that the user does not exist.\n5. **Result Output**: The retrieved user data\ + \ is added to the action's JSON results, and the action completes with a success\ + \ or failure message based on whether the user was located.\n\n### Additional\ + \ Notes\n* This action does not iterate over entities in the Google SecOps case;\ + \ it relies strictly on the manual input provided in the 'Employee's Email' parameter.\n\ + * While the code contains comments suggesting entity enrichment, the current implementation\ + \ only returns data via JSON results and does not update entity attributes or\ + \ create insights." capabilities: can_create_case_comments: false can_create_insight: false @@ -329,7 +394,7 @@ Search User: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: entity_types: [] filters_by_additional_properties: false @@ -345,32 +410,78 @@ Search User: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Send Invitation: - ai_description: "### General Description\nThis action sends an invitation to an\ - \ employee to join the Hibob system. It is used to invite new employees for their\ - \ first login or to re-invite existing users who have been previously disabled.\ - \ The action ensures the user exists and is not already invited before triggering\ - \ the invitation process using a specified onboarding wizard.\n\n### Parameters\ - \ Description\n| Parameter Name | Type | Mandatory | Description |\n| :--- | :---\ - \ | :--- | :--- |\n| Employee's Email | string | true | The email address of the\ - \ employee to whom the invitation will be sent. |\n| Welcome Wizard Name | string\ - \ | true | The specific name of the 'Welcome Wizard' configured in Hibob (Settings\ - \ -> Flows). This value is case-sensitive (e.g., 'Welcome!'). |\n\n### Flow Description\n\ - 1. **Configuration Retrieval:** The action initializes the Hibob manager using\ - \ the provided API token and root URL.\n2. **Employee Lookup:** It retrieves the\ - \ employee's details from Hibob using the provided email address.\n3. **Validation:**\ - \ \n - If the employee does not exist, the action stops and reports that the\ - \ user was not found.\n - If the employee exists but has already been invited\ - \ (state is 'invited'), the action stops to prevent duplicate invitations.\n4.\ - \ **Wizard Identification:** If the employee is eligible, the action fetches all\ - \ available onboarding wizards from Hibob and matches the provided 'Welcome Wizard\ - \ Name' to find the corresponding ID.\n5. **Send Invitation:** The action performs\ - \ a POST request to the Hibob API to send the invitation to the employee using\ - \ the identified wizard ID.\n6. **Result Reporting:** The action returns a JSON\ - \ result indicating whether the employee exists and if the invitation was successfully\ - \ sent.\n\n### Additional Notes\n- This action does not process entities from\ - \ the Google SecOps environment; it relies entirely on the provided action parameters.\n\ - - The 'Welcome Wizard Name' must exactly match the name defined in the Hibob UI." + ai_description: >- + Sends a login invitation to an employee in the Hibob system. This action is primarily + used to invite new employees to log in for the first time or to re-invite users + who were previously disabled. It validates the employee's existence and current + invitation status before proceeding. + + + ### Flow Description: + + 1. **Retrieve Employee Details:** The action fetches the employee's profile from + Hibob using the provided email address to obtain their unique internal ID and + current invitation state. + + 2. **Status Validation:** It checks if the employee is already in an 'invited' + state. If so, the action stops to prevent redundant invitations. + + 3. **Wizard Identification:** If the employee is eligible for an invitation, the + action retrieves a list of all available onboarding wizards (flows) from Hibob. + + 4. **Match Wizard:** It searches the list for a wizard matching the 'Welcome Wizard + Name' parameter to find the corresponding Wizard ID. + + 5. **Send Invitation:** Finally, it executes a POST request to the Hibob API to + send the invitation using the identified Employee ID and Wizard ID. + + + ### Parameters Description: + + | Parameter Name | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Employee's Email | string | True | The email address of the employee to whom + the invitation will be sent. | + + | Welcome Wizard Name | string | True | The exact name of the onboarding wizard/flow + configured in Hibob (e.g., "Welcome!"). This field is case-sensitive. | + + + ### Additional Notes: + + - This action does not run on SecOps entities; it uses the email address provided + in the action parameters. + + - The 'Welcome Wizard Name' must match exactly as defined in Hibob (Settings -> + Flows). capabilities: can_create_case_comments: false can_create_insight: false @@ -379,9 +490,8 @@ Send Invitation: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - The action performs a POST request to the Hibob API to create an invitation - for an employee, which changes the user's state in the external system and triggers - an automated email. + Sends an invitation email to the employee and updates their invitation status + within the Hibob platform via a POST request. fetches_data: true internal_data_mutation_explanation: null categories: @@ -401,50 +511,79 @@ Send Invitation: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: true + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Upload User Image: ai_description: >- ### General Description - This action uploads a profile image (avatar) to a specific employee's profile - in the Hibob platform using a provided image URL. It first resolves the employee's - unique identifier based on their email address and then performs an update to - their avatar record. + This action allows for the programmatic updating of an employee's profile picture + in the Hibob HR platform. It takes an employee's email address and a URL pointing + to an image, resolves the email to a Hibob internal employee ID, and then updates + the user's avatar. ### Parameters Description - | Parameter Name | Description | Type | Mandatory | Notes | + | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | :--- | + | :--- | :--- | :--- | :--- | - | Employee's Email | The email address of the employee whose image you want to - upload. | string | True | Used to fetch the internal Hibob ID. | + | Employee's Email | string | Yes | The email address of the employee whose image + you want to update. This is used to look up the employee's internal ID. | - | Url Image | The public URL of the image to be set as the employee's avatar. - | string | True | Must be a valid, accessible URL. | + | Url Image | string | Yes | The direct URL of the image to be set as the employee's + new profile picture. | - ### Additional Notes + ### Flow Description - - This action does not operate on Google SecOps entities (e.g., IP, Hostname). - It relies entirely on the provided email and URL parameters. + 1. **Configuration Retrieval:** The action retrieves the Hibob API token and root + URL from the integration settings. - - If the user is not found in Hibob, the action will fail with a descriptive message. + 2. **Employee Lookup:** It calls the Hibob API to fetch the details of the employee + associated with the provided email address. + 3. **ID Extraction:** If the employee is found, the action extracts their unique + internal identifier (ID). - ### Flow Description + 4. **Image Upload:** The action sends a PUT request to the Hibob avatar endpoint + for that specific employee ID, providing the new image URL. - 1. **Fetch Employee ID**: The action calls the Hibob API to retrieve details for - the provided email address to obtain the internal `employee_identifier`. + 5. **Result Handling:** The action checks the response from Hibob. If the upload + is successful, it returns a success message; otherwise, it reports a failure (e.g., + if the user was not found or the upload failed). - 2. **Validate User**: If the user does not exist, the action terminates with a - failure message. - 3. **Upload Image**: If the user is found, the action sends a `PUT` request to - the Hibob avatars endpoint with the provided image URL. + ### Additional Notes + + - This action requires a valid API token with permissions to read employee data + and update avatars. - 4. **Finalize**: The action returns a success message if the image is uploaded - or a failure message if the API returns an error (e.g., 404). + - The image URL must be accessible by the Hibob service. capabilities: can_create_case_comments: false can_create_insight: false @@ -453,8 +592,8 @@ Upload User Image: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the employee's profile picture (avatar) in the Hibob system by sending - a PUT request to the avatars endpoint. + The action performs a PUT request to the Hibob '/v1/avatars/{employee_identifier}' + endpoint to update the profile image of a specific employee. fetches_data: true internal_data_mutation_explanation: null categories: @@ -474,3 +613,28 @@ Upload User Image: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: true + update_ticket: false diff --git a/content/response_integrations/third_party/community/hibob/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/hibob/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..0b062e038 --- /dev/null +++ b/content/response_integrations/third_party/community/hibob/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: true + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: true + itsm: false + network_security: false + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/imgbb/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/imgbb/resources/ai/actions_ai_description.yaml index 63405cf71..863918d07 100644 --- a/content/response_integrations/third_party/community/imgbb/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/imgbb/resources/ai/actions_ai_description.yaml @@ -1,39 +1,19 @@ Ping: - ai_description: >- - ### General Description - - The **Ping** action is a diagnostic utility used to verify the connectivity between - Google SecOps and the Imgbb API. Its primary purpose is to ensure that the integration - is correctly configured and that the system can successfully authenticate and - communicate with the external service. - - - ### Parameters Description - - This action does not require any input parameters. It utilizes the global integration - configuration, specifically the **API Key**, to perform the connectivity test. - - - ### Additional Notes - - Unlike a standard network ping, this action performs a functional test by attempting - to upload a small, hardcoded sample image to the Imgbb service. This confirms - that the API key has the necessary permissions to perform uploads. - - - ### Flow Description - - 1. **Configuration Retrieval**: The script retrieves the `API Key` from the Imgbb - integration configuration. - - 2. **Endpoint Construction**: It targets the Imgbb upload API endpoint (`https://api.imgbb.com/1/upload`). - - 3. **Sample Upload**: The action sends a POST request containing a hardcoded base64-encoded - sample image. - - 4. **Response Validation**: The script evaluates the HTTP response. If the request - is successful (status code 200), it reports a successful connection. If the request - fails, an exception is raised, indicating a configuration or connectivity issue. + ai_description: "Verifies connectivity to the Imgbb service by performing a test\ + \ image upload. This action is used to ensure that the integration configuration,\ + \ specifically the API Key, is valid and that the Imgbb API is reachable from\ + \ the Google SecOps environment.\n\n### Flow Description:\n1. **Configuration\ + \ Retrieval:** The action retrieves the 'API Key' from the Imgbb integration settings.\n\ + 2. **Request Construction:** It prepares a POST request to the Imgbb upload API\ + \ endpoint (`https://api.imgbb.com/1/upload`).\n3. **Connectivity Test:** The\ + \ action sends a sample base64-encoded image as a payload to the API.\n4. **Validation:**\ + \ It checks the HTTP response status. If the request is successful (status code\ + \ 200), it confirms connectivity.\n5. **Completion:** The action returns a success\ + \ message and a boolean result to the playbook.\n\n### Parameters Description:\n\ + | Parameter Name | Description | Type | Mandatory | \n| :--- | :--- | :--- | :---\ + \ |\n| None | This action does not require any input parameters. | N/A | N/A |\n\ + \n### Additional Notes:\n* This action is a standard 'Ping' utility used primarily\ + \ for health checks and troubleshooting integration connectivity." capabilities: can_create_case_comments: false can_create_insight: false @@ -43,7 +23,7 @@ Ping: can_update_entities: false external_data_mutation_explanation: >- The action performs a POST request to the Imgbb upload endpoint, which results - in a sample image being uploaded to the external service to verify connectivity. + in a temporary image being uploaded to the service to verify the API key's validity. fetches_data: false internal_data_mutation_explanation: null categories: @@ -63,52 +43,76 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Upload Image From Base64: ai_description: >- ### General Description - Uploads a base64-encoded image to the Imgbb hosting service and retrieves a public - URL for the image. This action is primarily used as a utility to host images (such - as screenshots or evidence) externally and provide a direct link within the SOAR - case. + This action uploads a base64-encoded image to the Imgbb hosting service. It is + primarily used to convert local image data into a publicly or semi-publicly accessible + URL, which can then be used in subsequent workflow steps such as sending emails, + updating tickets, or adding comments with visual evidence. ### Parameters Description - | Parameter | Description | Type | Mandatory | + | Parameter Name | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Image in base64 | The base64 string representation of the image to be uploaded - to Imgbb. | String | Yes | + | Image in base64 | String | Yes | The base64-encoded string representing the + image file you wish to upload to Imgbb. | - ### Flow Description + ### Additional Notes - 1. **Configuration Retrieval**: Fetches the API Key and SSL verification settings - from the Imgbb integration configuration. + * The action automatically sets an expiration for the uploaded image (defaulted + in the code to 600 seconds/10 minutes via the API URL). - 2. **Parameter Extraction**: Retrieves the mandatory base64 image string from - the action parameters. + * The resulting URL is provided both as a clickable link in the action results + and within the JSON output. - 3. **API Interaction**: Sends a POST request to the Imgbb API (`https://api.imgbb.com/1/upload`) - containing the image data. The request includes a default expiration of 600 seconds - (10 minutes) for the uploaded image. - 4. **Response Processing**: Parses the JSON response from Imgbb to extract the - generated image URL. + ### Flow Description - 5. **Output Generation**: Adds the resulting image URL as a clickable link to - the action result and includes the full response data in the JSON result block. + 1. **Configuration Retrieval:** The action fetches the API Key and SSL verification + settings from the Imgbb integration configuration. + 2. **Parameter Extraction:** It extracts the base64 image string provided by the + user. - ### Additional Notes + 3. **External API Call:** It performs a POST request to the Imgbb API (`/1/upload`) + containing the image data. - * The uploaded image is set to expire automatically after 10 minutes as per the - API endpoint configuration in the script. + 4. **Response Processing:** The action parses the JSON response from Imgbb to + retrieve the unique URL of the uploaded image. - * This action does not process or iterate over SecOps entities; it operates solely - on the provided base64 string parameter. + 5. **Result Reporting:** It adds the image URL as a link to the action results, + populates the JSON result object, and concludes the action with a success message. capabilities: can_create_case_comments: false can_create_insight: false @@ -117,8 +121,8 @@ Upload Image From Base64: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Uploads a base64 encoded image to the Imgbb service, creating a new hosted image - resource on their servers. + Uploads image data to the Imgbb service, creating a new hosted image resource + on their servers. fetches_data: false internal_data_mutation_explanation: null categories: @@ -138,15 +142,40 @@ Upload Image From Base64: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: true + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Upload Image From File Path: ai_description: >- ### General Description - The **Upload Image From File Path** action enables the uploading of a local image - file to the Imgbb hosting service. Its primary purpose is to take a file stored - on the local system, upload it to a cloud-based hosting provider, and retrieve - a public URL for the image. This is particularly useful for sharing screenshots - or visual evidence captured during an investigation. + The **Upload Image From File Path** action allows users to upload a local image + file from the Google SecOps environment to the Imgbb hosting service. This action + is primarily used to convert local image files (such as screenshots or forensic + captures) into publicly or internally accessible URLs for easier sharing and documentation + within a case. ### Parameters Description @@ -155,36 +184,39 @@ Upload Image From File Path: | :--- | :--- | :--- | :--- | - | Image File Path | String | Yes | The full system path to the image file that - needs to be uploaded to Imgbb. | + | Image File Path | String | Yes | The full local directory path to the image + file that needs to be uploaded. | ### Flow Description - 1. **Setup**: Retrieves the Imgbb API Key and SSL verification preferences from - the integration configuration. + 1. **Configuration Retrieval:** The action fetches the API Key and SSL verification + settings from the Imgbb integration configuration. + + 2. **File Reading:** It opens the file specified in the `Image File Path` parameter + in binary mode. - 2. **File Encoding**: Reads the image file from the specified local path and converts - the binary data into a Base64-encoded string. + 3. **Encoding:** The binary content of the image is encoded into a Base64 string + to meet the requirements of the Imgbb API. - 3. **External Upload**: Executes a POST request to the Imgbb API (`https://api.imgbb.com/1/upload`) - with the Base64 data. The upload is configured with a 600-second (10-minute) expiration. + 4. **API Request:** The action sends a POST request to the Imgbb upload endpoint + (`https://api.imgbb.com/1/upload`) with the Base64 image data. Note: The request + includes a hardcoded expiration of 600 seconds (10 minutes). - 4. **Data Extraction**: Parses the JSON response from Imgbb to extract the direct - URL of the uploaded image. + 5. **Response Handling:** It parses the JSON response from Imgbb to extract the + generated image URL. - 5. **Result Reporting**: Adds the image URL as a clickable link in the Google - SecOps interface and provides the URL in the action's JSON result for use in subsequent - playbook steps. + 6. **Result Reporting:** The action adds the image URL to the JSON results and + creates a clickable link in the SOAR interface for the analyst. ### Additional Notes - - The action requires the Google SecOps runner to have filesystem access to the - provided path. + - This action does not interact with or filter SecOps entities (IPs, Hostnames, + etc.). - - The uploaded image is temporary and will expire after 10 minutes as per the - hardcoded API parameter. + - The uploaded image is temporary and will expire after 10 minutes based on the + API call parameters. capabilities: can_create_case_comments: false can_create_insight: false @@ -194,7 +226,7 @@ Upload Image From File Path: can_update_entities: false external_data_mutation_explanation: >- Uploads an image file to the Imgbb service, creating a new hosted image resource - on their platform. + on their servers. fetches_data: false internal_data_mutation_explanation: null categories: @@ -214,3 +246,28 @@ Upload Image From File Path: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/community/imgbb/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/imgbb/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..0801c7556 --- /dev/null +++ b/content/response_integrations/third_party/community/imgbb/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/ipqs_fraud_and_risk_scoring/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/ipqs_fraud_and_risk_scoring/resources/ai/actions_ai_description.yaml index 468654f0c..9f28131e7 100644 --- a/content/response_integrations/third_party/community/ipqs_fraud_and_risk_scoring/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/ipqs_fraud_and_risk_scoring/resources/ai/actions_ai_description.yaml @@ -1,28 +1,46 @@ Enrich Domain: - ai_description: "### General Description\nEnriches Hostname entities using the IPQualityScore\ - \ (IPQS) service to detect malicious URLs, phishing links, and malware. This action\ - \ leverages machine learning models to provide real-time risk scoring, domain\ - \ age analysis, and reputation checks for domains and links.\n\n### Parameters\ - \ Description\n\n| Parameter | Type | Mandatory | Description |\n| :--- | :---\ - \ | :--- | :--- |\n| Strictness | DDL | Yes | Determines the intensity of the\ - \ scan. Options are '0', '1', or '2'. Higher strictness levels provide more thorough\ - \ checks but may increase the false-positive rate. |\n| Fast | Boolean | No |\ - \ When enabled (true), the API performs lighter analysis to provide faster response\ - \ times. Defaults to false. |\n\n### Flow Description\n1. **Parameter Extraction:**\ - \ Retrieves the API Key from the integration configuration and the 'Strictness'\ - \ and 'Fast' settings from the action parameters.\n2. **Entity Filtering:** Identifies\ - \ all Hostname entities within the current context.\n3. **External API Interaction:**\ - \ For each Hostname, the action sends a POST request to the IPQS URL API endpoint,\ - \ passing the strictness and speed preferences.\n4. **Risk Evaluation:** Analyzes\ - \ the API response to determine a risk verdict (e.g., CLEAN, SUSPICIOUS, HIGH\ - \ RISK, CRITICAL) based on malware/phishing flags and the numerical risk score.\n\ - 5. **Internal Data Enrichment:** \n * Updates the entity's additional properties\ - \ with detailed metadata (e.g., domain rank, DNS validity, domain age).\n *\ - \ Sets the entity's 'is_suspicious' attribute if the risk score exceeds defined\ - \ thresholds.\n * Creates a Case Insight summarizing the IPQS verdict.\n\ - \ * Adds a detailed data table to the entity in the SOAR interface.\n6. **Result\ - \ Reporting:** Returns a JSON object containing the full enrichment data for all\ - \ processed entities." + ai_description: >- + Enriches Hostname entities using the IPQualityScore (IPQS) service to detect suspicious + URLs, phishing links, and malware in real-time. The action utilizes machine learning + models to provide risk scores and identify domain attributes such as parking status, + spam scores, and domain age. + + + ### Flow Description + + 1. **Parameter Extraction:** Retrieves the API Key from the integration configuration + and the 'Strictness' and 'Fast' parameters from the action settings. + + 2. **Entity Filtering:** Identifies Hostname entities within the current context. + + 3. **External API Query:** For each Hostname, it sends a request to the IPQS URL + API endpoint with the specified strictness and speed settings. + + 4. **Risk Scoring:** Processes the API response to calculate a risk verdict (e.g., + Clean, Suspicious, High Risk) based on malware, phishing, and risk score indicators. + + 5. **Internal Updates:** Updates the entity's additional properties with enriched + metadata, sets the 'is_enriched' flag, updates the 'is_suspicious' status if applicable, + and generates a detailed Case Insight and data table. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Strictness | DDL | Yes | Determines the scan's intensity (0, 1, or 2). Higher + levels increase detection but may raise false positives. | + + | Fast | Boolean | No | If enabled, the API performs lighter checks to provide + faster response times. | + + + ### Additional Notes + + - This action specifically targets Hostname entities. While the underlying manager + supports other types, this specific action logic restricts processing to Hostnames. capabilities: can_create_case_comments: false can_create_insight: true @@ -33,8 +51,8 @@ Enrich Domain: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity attributes with IPQS reputation data, modifies the 'is_suspicious' - and 'is_enriched' flags, and creates case insights. + Updates entity additional properties with IPQS metadata, modifies entity suspicious/enriched + flags, and creates case insights with risk scoring details. categories: enrichment: true entity_usage: @@ -53,77 +71,61 @@ Enrich Domain: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Enrich Email: - ai_description: >- - ### General Description - - The **Enrich Email** action provides real-time email address reputation scoring - and validation using the IPQualityScore (IPQS) API. It performs a variety of checks, - including syntax validation, DNS verification, and SMTP checks to determine if - an email inbox exists and is active. Additionally, it identifies if an email address - is associated with recent abuse, fraud, or disposable mail services, providing - a comprehensive risk assessment for security investigations. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **Abuse Strictness** | DDL | Yes | Sets the strictness level (0, 1, or 2) for - machine learning pattern recognition of abusive email addresses. Higher levels - are more aggressive in flagging potential threats. | - - | **Fast** | Boolean | No | If enabled, the API skips the SMTP check with the - mail service provider, which significantly increases the speed of the action but - may reduce validation depth. | - - | **Timeout in seconds** | String | No | Specifies the maximum number of seconds - to wait for a reply from a mail service provider. The default value is 7 seconds. - | - - | **Suggest Domain** | Boolean | No | If enabled, the action checks if the email - domain has a typo and suggests a correction to a popular mail service (e.g., correcting - 'gmial.com' to 'gmail.com'). | - - - ### Flow Description - - 1. **Initialization**: The action extracts the API key from the integration configuration - and retrieves the user-defined parameters (Abuse Strictness, Fast mode, Timeout, - and Domain Suggestion). - - 2. **Entity Filtering**: The action iterates through the case entities, specifically - targeting `USER` entities that match a standard email address format via regular - expression. - - 3. **API Interaction**: For each valid email entity, a POST request is sent to - the IPQS Email Validation API with the configured parameters. - - 4. **Risk Scoring**: The action processes the API response to determine a risk - verdict (e.g., CLEAN, LOW RISK, HIGH RISK, DISPOSABLE, or INVALID) based on the - fraud score and validation flags. - - 5. **Internal Enrichment**: - * **Entity Attributes**: Updates the entity's additional properties with detailed - IPQS data (e.g., deliverability, domain age, leak status). - * **Suspicious Status**: Marks the entity as suspicious if the risk assessment - exceeds internal thresholds. - * **Insights**: Generates a Case Insight summarizing the IPQS verdict and - key risk indicators. - * **Data Tables**: Adds a detailed enrichment table to the entity for quick - reference in the SOAR UI. - 6. **Finalization**: Updates the entities within Google SecOps and returns a structured - JSON result of the enrichment data. - - - ### Additional Notes - - - This action is strictly for enrichment and does not modify any data in the IPQualityScore - platform. - - - The action specifically maps `USER` entities to email validation logic. + ai_description: "Enriches Email address entities (represented as User entities)\ + \ using the IPQualityScore (IPQS) Fraud and Risk Scoring API. This action provides\ + \ real-time email validation, reputation scoring, and risk assessment by performing\ + \ syntax checks, DNS verification, and SMTP checks to determine if an inbox exists\ + \ and is active. It identifies disposable email services, honeypots, and addresses\ + \ associated with recent abuse or fraudulent behavior.\n\n### Flow Description:\n\ + 1. **Parameter Extraction:** Retrieves the API key from the integration configuration\ + \ and action parameters including Abuse Strictness, Fast mode, Timeout, and Domain\ + \ Suggestion.\n2. **Entity Filtering:** Identifies User entities within the case\ + \ that match a standard email address format using regex.\n3. **External API Interaction:**\ + \ Sends a POST request to the IPQS Email Validation API for each valid email address.\n\ + 4. **Risk Scoring:** Evaluates the API response (fraud score, disposable status,\ + \ validity) to assign a risk verdict (e.g., CLEAN, LOW RISK, HIGH RISK, INVALID).\n\ + 5. **Internal Data Enrichment:** \n * Updates the entity's `additional_properties`\ + \ with detailed IPQS metadata.\n * Sets the entity's `is_enriched` flag to\ + \ true.\n * Sets the `is_suspicious` flag if the risk score exceeds defined\ + \ thresholds.\n6. **Reporting:** Generates a detailed data table and a Case Insight\ + \ within Google SecOps for analyst review.\n\n### Parameters Description:\n| Parameter\ + \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Abuse Strictness\ + \ | DDL | Yes | Sets the strictness level (0, 1, or 2) for machine learning pattern\ + \ recognition of abusive email addresses. |\n| Fast | Boolean | No | If enabled,\ + \ skips the SMTP check with the mail provider to increase API speed. |\n| Timeout\ + \ in seconds | String | No | Maximum seconds to wait for a reply from the mail\ + \ service provider (default is 7). |\n| Suggest Domain | Boolean | No | If enabled,\ + \ checks if the email domain has a typo and suggests corrections for popular mail\ + \ services. |\n\n### Additional Notes:\n* This action specifically targets `USER`\ + \ entities that contain valid email strings.\n* The `is_suspicious` flag is automatically\ + \ triggered if the email is identified as disposable, invalid, or has a high fraud\ + \ score." capabilities: can_create_case_comments: false can_create_insight: true @@ -134,8 +136,9 @@ Enrich Email: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity attributes with IPQS reputation data, sets the entity's suspicious - flag based on risk scores, and creates case insights summarizing the findings. + Updates entity attributes with IPQS reputation data, modifies the suspicious + status of entities based on risk scores, and creates case insights and data + tables. categories: enrichment: true entity_usage: @@ -154,41 +157,98 @@ Enrich Email: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Enrich IP: - ai_description: "### General Description\nEnriches IP Address entities using the\ - \ IPQualityScore (IPQS) Fraud and Risk Scoring service. This action performs real-time\ - \ lookups to determine the risk level of an IP address, identifying if it is associated\ - \ with proxies, VPNs, TOR nodes, or malicious activity. It retrieves over 20 data\ - \ points, including geolocation, ISP, connection type, and a fraud score, to help\ - \ analysts classify the reputation and risk of network traffic.\n\n### Parameters\ - \ Description\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- |\ - \ :--- | :--- |\n| Strictness | DDL | Yes | Sets the depth/strictness of the query\ - \ (0, 1, or 2). Higher values increase processing time and potential false-positive\ - \ rates. |\n| User Agent | String | No | Optional browser user agent string to\ - \ help identify bots or invalid browsers. |\n| User Language | String | No | Optional\ - \ language header to assist in fraud score evaluation. |\n| Fast | Boolean | No\ - \ | If enabled, bypasses certain forensic checks to speed up processing. |\n|\ - \ Mobile | Boolean | No | If enabled, treats the lookup as a mobile device. |\n\ - | Allow Public Access Points | Boolean | No | Bypasses checks for education, research,\ - \ and corporate connections. |\n| Lighter Penalties | Boolean | No | Skips certain\ - \ denylists to reduce false positives for sensitive audiences. |\n\n### Flow Description\n\ - 1. **Initialization**: Extracts the API Key from the integration configuration\ - \ and retrieves action parameters (Strictness, User Agent, etc.).\n2. **Entity\ - \ Filtering**: Identifies all IP Address entities within the current context.\n\ - 3. **API Interaction**: For each IP Address, sends a POST request to the IPQS\ - \ API with the specified parameters.\n4. **Data Processing**: Parses the API response\ - \ to extract fraud scores, geolocation data (Country, City, Zip), ISP information,\ - \ and proxy/VPN status.\n5. **Risk Assessment**: Calculates a risk verdict (CLEAN,\ - \ SUSPICIOUS, MEDIUM, HIGH, or CRITICAL) based on the returned fraud score.\n\ - 6. **Internal Updates**: \n * Updates the entity's additional properties with\ - \ the prefix 'IPQualityScore'.\n * Marks the entity as 'enriched'.\n * Sets\ - \ the 'is_suspicious' flag if the fraud score meets the threshold (>= 60).\n \ - \ * Adds a detailed data table to the entity.\n * Creates a Case Insight\ - \ containing the IPQS verdict.\n7. **Completion**: Returns a summary message of\ - \ processed, failed, or skipped entities.\n\n### Additional Notes\nThis action\ - \ is strictly for IP Address enrichment. While the underlying manager supports\ - \ other types, this specific action logic is hardcoded to process only ADDRESS\ - \ entities." + ai_description: >- + Enriches IP Address entities using the IPQualityScore (IPQS) API to perform real-time + fraud and risk scoring. The action retrieves comprehensive threat intelligence, + including fraud scores, proxy/VPN/TOR detection, ISP information, and geolocation + data. Based on the retrieved fraud score, the action automatically flags entities + as suspicious and generates detailed case insights for analysts. + + + ### Flow Description + + 1. **Parameter Extraction:** Retrieves the API key from the integration configuration + and extracts action parameters including strictness levels and optional forensic + flags (Fast, Mobile, etc.). + + 2. **Entity Filtering:** Identifies all IP Address entities within the current + context. + + 3. **External API Interaction:** For each IP address, it sends a POST request + to the IPQS API with the configured forensic parameters and user-agent/language + headers if provided. + + 4. **Risk Evaluation:** Processes the API response to calculate a risk verdict + (Clean, Suspicious, Moderate, High, or Critical) based on the returned fraud score. + + 5. **Internal Data Enrichment:** Updates the entity's additional properties with + IPQS metadata, marks the entity as enriched, and sets the 'is_suspicious' flag + if the risk threshold is met. + + 6. **Insight Generation:** Creates a case insight containing the IPQS verdict + and adds a detailed data table to the entity. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Strictness | DDL | Yes | Sets the depth of the query (0, 1, or 2). Higher values + provide more in-depth analysis but may increase false positives. | + + | User Language | String | No | Optional user language header to help evaluate + fraud scores based on regional context. | + + | User Agent | String | No | Optional browser user-agent string to detect bots + or invalid browsers. | + + | Fast | Boolean | No | If enabled, skips certain time-consuming forensic checks + to speed up processing. | + + | Mobile | Boolean | No | If enabled, treats the lookup specifically as a mobile + device connection. | + + | Allow Public Access Points | Boolean | No | Bypasses checks for known public + access points like schools or corporate connections. | + + | Lighter Penalties | Boolean | No | Skips specific denylists to reduce false + positives for sensitive audiences. | + + + ### Additional Notes + + - The action specifically targets `ADDRESS` entities. While the underlying manager + supports other types, this specific action logic is restricted to IP addresses. + + - The 'is_suspicious' flag is triggered if the fraud score is 60 or higher. capabilities: can_create_case_comments: false can_create_insight: true @@ -199,8 +259,8 @@ Enrich IP: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action updates entity attributes with enrichment data, sets the suspicious - status based on fraud scores, and creates case insights. + Updates entity additional properties with IPQS metadata, sets the 'is_enriched' + and 'is_suspicious' flags, and creates case insights. categories: enrichment: true entity_usage: @@ -219,32 +279,74 @@ Enrich IP: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Enrich Phone: - ai_description: "### General Description\nEnriches Phone Number entities using the\ - \ IPQualityScore (IPQS) API. This action validates phone numbers globally, retrieves\ - \ carrier and line type details (e.g., VOIP, prepaid, mobile), and performs risk\ - \ analysis to detect fraudulent, inactive, or disposable numbers. It helps security\ - \ analysts identify numbers associated with abusive behavior or virtual services.\n\ - \n### Parameters Description\n| Parameter | Type | Mandatory | Description |\n\ - | :--- | :--- | :--- | :--- |\n| **Strictness** | DDL | Yes | Determines the depth\ - \ of the reputation check. Higher values (0, 1, 2) increase strictness, which\ - \ may lead to higher detection rates but also potential false positives. |\n|\ - \ **Country(For multiple countries, provide comma-separated values)** | String\ - \ | No | An optional comma-separated list of ISO country codes suspected to be\ - \ associated with the phone number to improve validation accuracy. |\n\n### Flow\ - \ Description\n1. **Configuration Extraction:** Retrieves the API Key from the\ - \ integration configuration and the 'Strictness' and 'Country' parameters from\ - \ the action input.\n2. **Entity Filtering:** Identifies all `PHONENUMBER` entities\ - \ within the current context.\n3. **External API Query:** For each phone number,\ - \ it sends a POST request to the IPQS Phone Validation API including the strictness\ - \ level and optional country hints.\n4. **Risk Scoring:** Evaluates the API response\ - \ (fraud score, active status, and validity) to determine a risk verdict (e.g.,\ - \ CLEAN, SUSPICIOUS, HIGH RISK).\n5. **Internal Data Mutation:** \n * Updates\ - \ the entity's `additional_properties` with detailed enrichment data (carrier,\ - \ line type, region, etc.).\n * Marks the entity as `is_enriched`.\n * Sets\ - \ the `is_suspicious` flag if the risk score exceeds defined thresholds.\n6. **Reporting:**\ - \ Adds a detailed data table to the entity, creates a Case Insight with the IPQS\ - \ verdict, and attaches the raw JSON result to the action output." + ai_description: >- + Enriches Phone Number entities using the IPQualityScore (IPQS) API to verify authenticity + and assess reputation. This action retrieves detailed metadata including carrier + information, line type (e.g., mobile, VOIP), and geographic data while performing + risk analysis to detect fraudulent or disposable numbers. + + + ### Parameters + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Strictness | DDL | Yes | Sets the depth of the reputation check (0, 1, or 2). + Higher levels are more restrictive but may increase false positives. | + + | Country(For multiple countries, provide comma-separated values) | String | No + | Optional comma-separated list of ISO country codes suspected to be associated + with the phone number to improve validation accuracy. | + + + ### Flow Description + + 1. **Initialization**: Retrieves the API key from the integration configuration + and extracts the 'Strictness' and 'Country' parameters from the action input. + + 2. **Entity Filtering**: Identifies all Phone Number entities within the current + context. + + 3. **External API Interaction**: For each phone number, it sends a POST request + to the IPQS Phone Validation API endpoint with the configured strictness and country + settings. + + 4. **Risk Scoring**: Analyzes the API response (Fraud Score, validity, and active + status) to determine a risk verdict (e.g., Clean, Suspicious, High Risk). + + 5. **Internal Enrichment**: Updates the entity in Google SecOps by adding enrichment + attributes (prefixed with 'IPQualityScore'), marking the entity as enriched, and + potentially flagging it as suspicious based on the risk score. + + 6. **Reporting**: Generates a detailed entity data table and creates a Case Insight + containing the IPQS risk verdict. capabilities: can_create_case_comments: false can_create_insight: true @@ -255,8 +357,8 @@ Enrich Phone: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity attributes with phone reputation data, sets the suspicious status - based on fraud scores, and creates case insights for analyst review. + Updates entity attributes with enrichment data, sets the suspicious flag based + on risk scores, and creates case insights. categories: enrichment: true entity_usage: @@ -275,35 +377,76 @@ Enrich Phone: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Enrich URL: - ai_description: "### General Description\nThis action enriches URL entities using\ - \ the IPQualityScore (IPQS) Fraud and Risk Scoring service. It performs real-time\ - \ scans of links and domains using machine learning models to detect phishing,\ - \ malware, viruses, and parked domains. The action provides detailed intelligence\ - \ including risk scores, domain age, and reputation checks to help analysts identify\ - \ malicious infrastructure.\n\n### Parameters Description\n| Parameter | Type\ - \ | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Strictness | DDL\ - \ | Yes | Determines the intensity of the scan. Options are '0', '1', or '2'.\ - \ Higher strictness levels perform more aggressive checks but may result in a\ - \ higher false-positive rate. |\n| Fast | Boolean | No | When enabled, the API\ - \ uses lighter analysis to provide faster response times. Default is false. |\n\ - \n### Flow Description\n1. **Configuration Retrieval**: The action extracts the\ - \ API Key from the integration settings and the 'Strictness' and 'Fast' parameters\ - \ from the action input.\n2. **Entity Filtering**: It identifies all URL entities\ - \ within the current alert or case scope.\n3. **External API Interaction**: For\ - \ each URL, it sends a POST request to the IPQS URL API endpoint, passing the\ - \ URL identifier and the configured strictness/speed parameters.\n4. **Risk Analysis**:\ - \ The action parses the IPQS response, extracting data points such as `risk_score`,\ - \ `malware`, `phishing`, and `domain_age`.\n5. **Verdict Calculation**: It applies\ - \ a scoring logic to determine a risk verdict (e.g., CLEAN, LOW RISK, HIGH RISK,\ - \ CRITICAL) based on the returned risk score and threat flags.\n6. **Internal\ - \ Data Mutation**: \n * **Entity Enrichment**: Updates the entity's additional\ - \ properties with IPQS metadata (prefixed with 'IPQualityScore').\n * **Suspicious\ - \ Flag**: Marks the entity as suspicious if the risk analysis indicates a threat.\n\ - \ * **Insights**: Creates a detailed Case Insight containing the IPQS verdict\ - \ and analysis summary.\n * **Data Tables**: Adds a formatted data table\ - \ to the entity containing comprehensive URL intelligence.\n7. **Completion**:\ - \ Returns a summary message indicating which entities were successfully enriched." + ai_description: >- + ### General Description + + Enriches URL entities using the IPQualityScore (IPQS) API to detect malicious + links, phishing attempts, and malware. This action performs real-time scanning + using machine learning models to provide risk scores and detailed domain intelligence, + such as domain age and parking status. It updates the entity's suspicious status + in Google SecOps based on the retrieved risk metrics and generates detailed insights + and data tables for further investigation. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Strictness | DDL | Yes | Determines the intensity of the scan (0, 1, or 2). + Higher levels increase detection accuracy but may raise the false-positive rate. + | + + | Fast | Boolean | No | If enabled, the API provides quicker response times by + using lighter checks and analysis. | + + + ### Flow Description + + 1. **Initialization**: Retrieves the API key from the integration configuration + and the Strictness and Fast parameters from the action settings. + + 2. **Entity Filtering**: Identifies URL entities within the current case context. + + 3. **API Query**: For each URL, sends a request to the IPQS URL API endpoint with + the specified strictness and speed settings. + + 4. **Data Analysis**: Parses the API response for risk scores, malware/phishing + flags, and domain metadata (e.g., domain rank, DNS validity, category). + + 5. **Internal Mutation**: Updates the URL entity's attributes with enrichment + data and marks it as suspicious if the risk score or threat flags exceed defined + thresholds. + + 6. **Reporting**: Creates a case insight summarizing the verdict and adds a detailed + data table and raw JSON result to the case for analyst review. capabilities: can_create_case_comments: false can_create_insight: true @@ -314,8 +457,8 @@ Enrich URL: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with IPQS enrichment data, modifies the - 'is_suspicious' flag based on risk scores, and creates detailed case insights. + Updates entity attributes with enrichment data, sets suspicious status, and + creates case insights. categories: enrichment: true entity_usage: @@ -334,47 +477,52 @@ Enrich URL: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: - ai_description: >- - ### General Description - - Tests the connectivity to the IPQualityScore (IPQS) server to ensure the integration - is correctly configured and the API key is valid. This action performs a health - check by attempting a sample query against the IPQS API. - - - ### Parameters Description - - | Parameter Name | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | API Key | String | Yes | The API key used for authentication with the IPQualityScore - service. This is retrieved from the integration's configuration settings. | - - - ### Flow Description - - 1. **Configuration Extraction**: Retrieves the API Key from the integration's - global configuration. - - 2. **Test Preparation**: Sets up a dummy request using a standard support email - address to verify API responsiveness. - - 3. **API Interaction**: Sends a POST request to the IPQS email validation endpoint. - - 4. **Response Validation**: Analyzes the JSON response from the server to check - the 'success' status. - - 5. **Result Reporting**: Returns a success message if the connection is established. - If the connection fails or the API key is invalid, it returns a failure status - along with the error message provided by the service. - - - ### Additional Notes - - This action does not process any entities and is strictly used for diagnostic - purposes to verify the integration's communication with the external service. + ai_description: "### General Description\nThe **Ping** action is a diagnostic utility\ + \ used to verify the connectivity between the Google SecOps platform and the IPQualityScore\ + \ (IPQS) API. It ensures that the integration is correctly configured, the network\ + \ path is open, and the provided API Key is valid and active.\n\n### Parameters\ + \ Description\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- |\ + \ :--- | :--- |\n| N/A | N/A | N/A | This action does not have any input parameters.\ + \ It relies on the 'API Key' defined in the integration's shared configuration.\ + \ |\n\n### Flow Description\n1. **Configuration Extraction**: The action retrieves\ + \ the 'API Key' from the integration's global settings.\n2. **Test Payload Preparation**:\ + \ It prepares a sample request using a hardcoded support email address (`support@ipqualityscore.com`)\ + \ to test the API's response.\n3. **API Connectivity Check**: The action sends\ + \ a POST request to the IPQS email validation endpoint via the `IPQSManager`.\n\ + 4. **Response Analysis**: It evaluates the JSON response from the service, specifically\ + \ checking the 'success' boolean flag.\n5. **Execution Outcome**: \n * If the\ + \ API responds with a success status, the action returns a 'Successfully Connected'\ + \ message.\n * If the connection fails or the API returns an error (e.g., invalid\ + \ key), the action fails and reports the specific error message provided by the\ + \ service.\n\n### Additional Notes\n- This action does not process, filter, or\ + \ enrich any entities within a Google SecOps case.\n- It is strictly intended\ + \ for health checks and troubleshooting integration connectivity." capabilities: can_create_case_comments: false can_create_insight: false @@ -402,3 +550,28 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/community/ipqs_fraud_and_risk_scoring/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/ipqs_fraud_and_risk_scoring/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..2e831240c --- /dev/null +++ b/content/response_integrations/third_party/community/ipqs_fraud_and_risk_scoring/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + siem: false + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/lacework/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/lacework/resources/ai/actions_ai_description.yaml deleted file mode 100644 index 0967ef424..000000000 --- a/content/response_integrations/third_party/community/lacework/resources/ai/actions_ai_description.yaml +++ /dev/null @@ -1 +0,0 @@ -{} diff --git a/content/response_integrations/third_party/community/lacework/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/lacework/resources/ai/connectors_ai_description.yaml new file mode 100644 index 000000000..879195ebe --- /dev/null +++ b/content/response_integrations/third_party/community/lacework/resources/ai/connectors_ai_description.yaml @@ -0,0 +1,58 @@ +Lacework Connector: + ai_description: >- + ### General Description + + The Lacework Connector integrates with the Lacework Events API to ingest security + events into Google SecOps. It allows security teams to monitor cloud security + posture, container activity, and compliance violations by automatically fetching + and converting Lacework events into actionable cases. The connector supports severity-based + filtering to ensure only relevant security incidents are processed. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | accountName | String | Yes | The Lacework account URL (e.g., [youraccount].lacework.net). + | + + | keyId | String | Yes | The Lacework API Access Key ID. | + + | secret | Password | Yes | The Lacework API Secret Key. | + + | severity_threshold | String | Yes | The maximum severity level to ingest (1-Critical, + 2-High, 3-Medium, 4-Low, 5-Info). Events with a numerical value higher than this + threshold are ignored. | + + | DeviceProductField | String | Yes | The field name used to determine the device + product (Default: device_product). | + + | EventClassId | String | Yes | The field name used to determine the event name/sub-type + (Default: event_name). | + + | PythonProcessTimeout | String | Yes | The timeout limit in seconds for the connector + execution (Default: 30). | + + + ### Flow Description + + 1. **Authentication**: The connector uses the provided `keyId` and `secret` to + request a temporary bearer token from the Lacework Access Token API. + + 2. **Event Discovery**: It queries the `GetEventsForDateRange` endpoint to retrieve + a list of events generated within the last hour. + + 3. **Severity Filtering**: For each event found, the connector compares its severity + against the `severity_threshold`. Only events meeting the threshold (e.g., severity + 1, 2, or 3 if the threshold is 3) are processed further. + + 4. **Detail Enrichment**: For every event passing the filter, the connector makes + a secondary call to `GetEventDetails` to fetch the full metadata and context of + the alert. + + 5. **Mapping and Ingestion**: The connector maps Lacework event fields (such as + `EVENT_TYPE`, `EVENT_MODEL`, and `START_TIME`) to the Google SecOps AlertInfo + model, converts the severity to the platform's priority scale, and ingests the + data as a new alert. diff --git a/content/response_integrations/third_party/community/lacework/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/lacework/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..b16aaa23c --- /dev/null +++ b/content/response_integrations/third_party/community/lacework/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: true + collaboration: false + edr: false + email_security: false + iam_and_identity_management: true + itsm: false + network_security: false + siem: true + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/logzio/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/logzio/resources/ai/actions_ai_description.yaml index b2fd94bf7..fa1eb44d4 100644 --- a/content/response_integrations/third_party/community/logzio/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/logzio/resources/ai/actions_ai_description.yaml @@ -2,52 +2,58 @@ Ping: ai_description: >- ### General Description - Validates connectivity to Logz.io by testing the provided Security and Operations - API tokens. This action ensures that the integration can successfully communicate - with the Logz.io API and that the credentials provided in the configuration are - valid. + The **Ping** action is designed to test and validate the connectivity between + Google SecOps and the Logz.io platform. It verifies the validity of both the Security + and Operations API tokens by making a request to the Logz.io `whoami` endpoint. + This ensures that the integration is correctly configured and that the provided + credentials have the necessary permissions to interact with the Logz.io API. ### Parameters Description - | Parameter | Type | Mandatory | Description | + | Parameter Name | Expected Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | `logzio_security_token` | String | Yes | The API token for the Logz.io Security - account. | + | **logzio_security_token** | String | Yes | The API token associated with your + Logz.io Security account. | - | `logzio_operations_token` | String | Yes | The API token for the Logz.io Operations - account. | + | **logzio_operations_token** | String | Yes | The API token associated with your + Logz.io Operations account. | - | `logzio_region` | String | No | The Logz.io region (e.g., 'us', 'eu'). If left - empty or set to 'us', the default base URL is used. | + | **logzio_region** | String | No | The geographic region where your Logz.io account + is hosted (e.g., 'us', 'eu', 'uk'). Defaults to 'us' if left empty. | - | `logzio_custom_endpoint` | String | No | A custom URL for the Logz.io API. If - provided, it overrides the regional URL logic. | + | **logzio_custom_endpoint** | String | No | A custom URL for the Logz.io API. + If provided, this overrides the region-based URL construction. | - ### Flow Description + ### Additional Notes + + - This action does not process any entities from the case; it relies entirely + on the integration's configuration parameters. - 1. **Parameter Extraction**: Retrieves the security token, operations token, region, - and custom endpoint from the integration configuration. + - The action performs a `GET` request to the `v1/account-management/whoami` endpoint + for both tokens provided. - 2. **Token Validation**: Checks that both tokens are non-empty strings. - 3. **Endpoint Construction**: Determines the target API URL using the provided - region or custom endpoint, appending the `whoami` suffix. + ### Flow Description - 4. **Connectivity Test**: Executes GET requests to the Logz.io `whoami` endpoint - for both the Operations and Security tokens. + 1. **Parameter Extraction:** The action retrieves the Security token, Operations + token, region, and optional custom endpoint from the integration configuration. - 5. **Result Verification**: Confirms that both API calls return a 200 OK status - code and logs the associated account names. + 2. **Token Validation:** It performs a basic check to ensure the tokens are non-empty + strings. + 3. **Endpoint Construction:** It determines the correct API URL based on the provided + region or custom endpoint. - ### Additional Notes + 4. **Connectivity Test:** It sends a `GET` request to the Logz.io API for the + Security token and then for the Operations token. - This action is primarily used for troubleshooting and initial setup verification. - It does not process any entities or modify any data. + 5. **Response Verification:** If both requests return a `200 OK` status code, + the action logs the account names and completes successfully. If any request fails, + the action reports a failure. capabilities: can_create_case_comments: false can_create_insight: false @@ -75,29 +81,88 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false json-adapter: ai_description: >- - General Description: The Json Adapter action is a utility designed to transform - raw JSON log data, specifically formatted for Logz.io, into a standardized JSON - structure compatible with Google SecOps playbooks. It extracts specific fields - from a list of log results and maps them to a consistent entityType and entityIdentifier - format, facilitating easier downstream processing and entity mapping. Parameters - Description: 1. fields_to_search (String, Mandatory): A comma-separated list of - keys (e.g., src_ip, dest_ip, user_name) to search for within each log entry in - the provided JSON. 2. raw_json (String, Mandatory): The raw JSON data to be processed. - The expected structure is an object containing a results key, which holds an array - of log objects. Flow Description: 1. Parameter Extraction: The action retrieves - the list of target fields and the raw JSON input. 2. Parsing: It converts the - fields_to_search string into a list and parses the raw_json string into a Python - dictionary. 3. Data Iteration: The script iterates through each log entry found - in the results array of the input JSON. 4. Field Mapping: For each log entry, - it checks if any of the specified search fields exist. If a match is found, it - creates a mapping: entityType (the field name) and entityIdentifier (the field - value). 5. Result Aggregation: All identified mappings are collected into a final - results object. 6. Output: If at least one field was successfully mapped, the - action returns the structured JSON and completes successfully. Additional Notes: - This action is strictly a data transformation utility and does not interact with - external APIs or modify existing entities within the SOAR environment directly. + ### General Description + + The **json-adapter** action is a utility designed to transform raw JSON log data + from Logz.io into a standardized format compatible with Google SecOps (Chronicle) + playbooks. It specifically looks for a 'results' array within the input JSON and + extracts specified fields, mapping them to a consistent structure of 'entityType' + and 'entityIdentifier'. This allows downstream playbook actions to easily consume + data that might otherwise have varying schemas. + + + ### Parameters Description + + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | **fields_to_search** | String | Yes | A comma-separated list of keys (fields) + to look for within each object in the JSON 'results' array. | + + | **raw_json** | String | Yes | The raw JSON string containing the data to be + processed. The script expects a top-level 'results' key containing a list of objects. + | + + + ### Flow Description + + 1. **Parameter Extraction**: The action retrieves the `fields_to_search` and `raw_json` + strings from the action parameters. + + 2. **Data Parsing**: It parses the `raw_json` into a Python dictionary and splits + the `fields_to_search` into a list of individual field names. + + 3. **Search Logic**: The script iterates through every object found in the `results` + list of the input JSON. + + 4. **Field Mapping**: For each object, it checks if any of the requested fields + exist. If a field is found, it creates a new dictionary mapping the field name + to `entityType` and the field's value to `entityIdentifier`. + + 5. **Result Aggregation**: All identified mappings are collected into a final + output list. + + 6. **Output Generation**: If at least one field was successfully found and mapped, + the action returns the formatted JSON and completes successfully. If no fields + are found, the action is marked as failed. + + + ### Additional Notes + + - This action is strictly a data transformation utility and does not interact + with external APIs or modify SecOps entities directly. + + - The input JSON must contain a key named `results` which holds an array of objects + for the script to process correctly. capabilities: can_create_case_comments: false can_create_insight: false @@ -125,62 +190,79 @@ json-adapter: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false logzio-get-logs-by-event-id: ai_description: >- - ### General Description - - This action fetches the logs that triggered a specific security event from Logz.io. - It retrieves the logs in JSON format and provides them as a paginated list. The - action is designed to help investigators see the raw data behind a security alert - by querying the Logz.io Security API using a unique event identifier. + Fetches the logs that triggered a specific security event in Logz.io and returns + them as a paginated JSON list. This action is used to investigate the underlying + data of a security alert by retrieving the raw logs associated with a unique event + identifier. - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | + ### Flow Description - | alert_event_id | string | Yes | The unique GUID of the security event in your - Logz.io security account. This ID is used to filter and retrieve the specific - logs associated with the event. | + 1. **Configuration Extraction:** Retrieves the Logz.io API token, region, and + optional custom endpoint from the integration settings. - | page_size | string | No | Controls the number of results per page. Valid inputs - are between 1 and 1000. If an invalid value is provided, it defaults to 25. | + 2. **Endpoint Construction:** Determines the correct API URL based on the provided + region or custom endpoint. + 3. **Initial Fetch:** Executes a POST request to the Logz.io search API using + the provided `alert_event_id` to retrieve the first page of logs. - ### Additional Notes + 4. **Pagination Handling:** If the total number of logs exceeds the initial page + size, the action uses a thread pool to concurrently fetch all remaining pages. - - The action automatically handles pagination to ensure all logs associated with - the event ID are collected, even if they span multiple pages. + 5. **Data Aggregation:** Combines all retrieved logs into a single JSON structure. - - The action uses a ThreadPoolExecutor to fetch multiple pages concurrently for - better performance. + 6. **Insight Creation:** Generates case insights within Google SecOps containing + the log data for immediate analyst visibility. - - Retrieved logs are added to the case as insights for immediate visibility. + ### Parameters Description - ### Flow Description + | Parameter Name | Type | Mandatory | Description | - 1. **Configuration Extraction:** The action retrieves the Logz.io API token, region, - and optional custom endpoint from the integration configuration. + | :--- | :--- | :--- | :--- | - 2. **Endpoint Construction:** It determines the correct API URL based on the provided - region or custom endpoint. + | alert_event_id | String | Yes | The unique GUID of the security event in the + Logz.io security account that you want to investigate. | - 3. **Initial API Call:** It sends a POST request to the Logz.io search logs endpoint - using the `alert_event_id` and the specified `page_size`. + | page_size | String | No | Controls the number of results per page. Valid inputs + are 1 to 1000. Defaults to 25. | - 4. **Pagination Handling:** If the total number of available logs exceeds the - initial page, the action calculates the remaining pages and fetches them concurrently. - 5. **Data Processing:** All collected logs are aggregated into a single JSON structure. + ### Additional Notes - 6. **Insight Creation:** The action creates case insights within Google SecOps, - containing the retrieved log data. + - The action automatically handles pagination to ensure all logs associated with + the event ID are retrieved, up to the limits of the Logz.io API. - 7. **Completion:** The action returns the aggregated JSON results and a success - message indicating the number of logs retrieved. + - If more than 3 logs are returned, they are grouped into a single insight; otherwise, + individual insights are created for each log. capabilities: can_create_case_comments: false can_create_insight: true @@ -192,7 +274,7 @@ logzio-get-logs-by-event-id: fetches_data: true internal_data_mutation_explanation: >- The action creates case insights within Google SecOps to display the retrieved - logs. + log data. categories: enrichment: true entity_usage: @@ -210,65 +292,83 @@ logzio-get-logs-by-event-id: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false logzio-search-logs: ai_description: >- - ### General Description - Searches logs in a Logz.io operations account using Lucene syntax. This action - allows users to retrieve specific log data within a defined time range, providing - raw log results for further analysis within the SOAR platform. + allows users to retrieve historical log data within a specified time range and + limit the number of results returned. The retrieved logs are provided as a JSON + object for further analysis within the playbook. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | | query | string | No | A search query written in valid Lucene syntax. Defaults - to '*' (wildcard) if not provided. | + to '*' (all logs) if not provided. | - | size | string | No | The number of log results to retrieve per query. It is - limited to a maximum of 1000 logs. If an invalid value is provided, it defaults - to 1000. | + | size | string | No | Number of log results per query. Limited to a maximum of + 1000 logs. | - | from_time | string | Yes | The earliest time to search. It accepts Unix timestamps, - relative time (e.g., '1 hour ago'), or specific date formats. | + | from_time | string | Yes | Earliest time to search. Supports Unix timestamps, + relative time (e.g., '5 minutes ago'), or specific date formats. | - | to_time | string | No | The latest time to search. This should be left empty - if a relative time is used for the 'from_time' parameter. | + | to_time | string | No | Latest time to search. If left empty, the search extends + to the current time. | - ### Additional Notes - - - The action requires a valid Logz.io API token and region (or custom endpoint) - to be configured in the integration settings. + ### Flow Description - - Time parsing is handled by the `dateparser` library, supporting a wide range - of natural language and technical time formats. + 1. **Configuration Extraction:** Retrieves the Logz.io API token, region, and + optional custom endpoint from the integration settings. + 2. **Parameter Validation:** Validates the 'size' parameter to ensure it falls + within the 1-1000 range and parses the 'from_time' and 'to_time' into Unix timestamps + using the `dateparser` library. - ### Flow Description + 3. **Request Construction:** Builds a JSON request body containing the Lucene + query, size limit, and time range filters. - 1. **Configuration Extraction:** The action retrieves the Logz.io API token, region, - and optional custom endpoint from the integration configuration. + 4. **API Interaction:** Sends a POST request to the Logz.io Search API endpoint. - 2. **Parameter Processing:** It extracts the search query, validates the result - size (clamping it between 1 and 1000), and parses the 'from' and 'to' time parameters - into Unix timestamps. + 5. **Data Processing:** Parses the API response, extracts the log source data + from the hits, and attaches the results to the action output as a JSON object. - 3. **Request Construction:** A JSON request body is constructed following the - Logz.io Search API schema, including the Lucene query and the timestamp range - filters. - 4. **API Interaction:** The action performs a POST request to the Logz.io search - endpoint (`v1/search`). + ### Additional Notes - 5. **Data Parsing:** Upon a successful response (HTTP 200), the action iterates - through the hits and extracts the `_source` data for each log entry. + - The action uses a POST request to the `/v1/search` endpoint, but this is strictly + for querying data and does not modify any external state. - 6. **Result Delivery:** The collected logs are formatted into a JSON object and - added to the action's result, and the action completes successfully. + - If no logs match the query, the action completes successfully with an informative + message. capabilities: can_create_case_comments: false can_create_insight: false @@ -296,3 +396,28 @@ logzio-search-logs: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/community/logzio/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/logzio/resources/ai/connectors_ai_description.yaml new file mode 100644 index 000000000..2d0cd9ffa --- /dev/null +++ b/content/response_integrations/third_party/community/logzio/resources/ai/connectors_ai_description.yaml @@ -0,0 +1,78 @@ +LOGZIO fetch-security-events: + ai_description: >- + ### General Description + + The Logz.io connector fetches security rule events from a Logz.io security account + and ingests them as cases into Google SecOps. It provides a seamless integration + for monitoring security alerts generated within Logz.io, supporting multi-region + environments and custom API endpoints. The connector allows for granular filtering + based on rule names and severities, ensuring that only relevant security incidents + are escalated for investigation. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | logzio_token | Password | Yes | API token for your Logz.io security account. + | + + | from_date | String | Yes | Earliest time to search on the first run. Supports + Unix timestamps, relative time (e.g., '1 day ago'), or ISO 8601 format. | + + | logzio_region | String | No | 2-letter region code for your Logz.io account + (e.g., 'us', 'eu', 'wa'). Defaults to 'us'. | + + | logzio_custom_endpoint | String | No | Optional custom URL for the Logz.io API. + If provided, it overrides the region setting. | + + | search_term | String | No | Filter to fetch only events where the rule name + matches this string. | + + | severities | String | No | A comma-delimited list of severities to fetch: INFO, + LOW, MEDIUM, HIGH, SEVERE. | + + | page_size | Integer | No | Controls the number of results per API page. Valid + range is 1 to 1000 (Default: 25). | + + | DeviceProductField | String | Yes | The field name used to determine the device + product in the SOAR (Default: 'device_product'). | + + | EventClassId | String | Yes | The field name used to determine the event name/sub-type + (Default: 'event_name'). | + + | PythonProcessTimeout | String | Yes | The timeout limit in seconds for the connector + execution process. | + + + ### Flow Description + + 1. **Timestamp Management**: The connector retrieves the last successful execution + timestamp. If it's the first run, it uses the `from_date` parameter. The search + window ends at the current time minus 3 minutes to account for data ingestion + latency in Logz.io. + + 2. **Endpoint Configuration**: It determines the correct API endpoint using either + the `logzio_custom_endpoint` or by constructing a regional URL based on the `logzio_region` + parameter. + + 3. **Data Fetching**: The connector queries the Logz.io `v2/security/rules/events/search` + API. It applies filters for the time range, search terms, and specified severities. + + 4. **Concurrent Pagination**: If the result set exceeds the page size, the connector + utilizes a thread pool to concurrently fetch all remaining pages of event data + to optimize performance. + + 5. **Alert Mapping**: Each retrieved Logz.io event is transformed into a Google + SecOps `AlertInfo` object. This includes mapping Logz.io severities to SOAR priorities + and extracting metadata such as tags, hits, and 'group by' fields into the event + context. + + 6. **Case Creation**: The mapped alerts are returned to Google SecOps to be created + as cases. + + 7. **Checkpointing**: The connector saves the timestamp of the most recent event + (or one hour ago, whichever is later) to ensure the next execution starts from + where the previous one finished. diff --git a/content/response_integrations/third_party/community/logzio/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/logzio/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..466738966 --- /dev/null +++ b/content/response_integrations/third_party/community/logzio/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + siem: true + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/luminar_iocs_and_leaked_credentials/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/luminar_iocs_and_leaked_credentials/resources/ai/actions_ai_description.yaml index a87d40307..6d8df1730 100644 --- a/content/response_integrations/third_party/community/luminar_iocs_and_leaked_credentials/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/luminar_iocs_and_leaked_credentials/resources/ai/actions_ai_description.yaml @@ -1,31 +1,25 @@ Ping: ai_description: "### General Description\nThe **Ping** action is a diagnostic utility\ - \ used to verify the connectivity between Google SecOps and the Luminar API. Its\ - \ primary purpose is to validate that the integration's configuration parameters\u2014\ - specifically the API credentials and the base URL\u2014are correct and that the\ - \ external service is reachable.\n\n### Parameters Description\n| Parameter Name\ - \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Luminar\ - \ API Client ID | String | Yes | The Client ID used for OAuth2 authentication\ - \ with the Luminar service. |\n| Luminar API Client Secret | String | Yes | The\ - \ Client Secret used for OAuth2 authentication with the Luminar service. |\n|\ - \ Luminar API Account ID | String | Yes | The specific Account ID (Realm) used\ - \ to construct the API endpoint path. |\n| Luminar Base URL | String | Yes | The\ - \ base URL of the Luminar API instance. |\n\n### Additional Notes\nThis action\ - \ does not have any action-specific parameters; it relies entirely on the integration's\ - \ global configuration. It does not process entities, fetch threat intelligence\ - \ data for alerts, or modify any internal or external records. It is strictly\ - \ a connectivity test.\n\n### Flow Description\n1. **Configuration Extraction**:\ - \ The script retrieves the Client ID, Client Secret, Account ID, and Base URL\ - \ from the integration's configuration settings.\n2. **Manager Initialization**:\ - \ It initializes the `LuminarManager` with the retrieved credentials.\n3. **Connectivity\ - \ Test**: The action invokes the `test_connectivity` method, which sends an HTTP\ - \ POST request to the Luminar token endpoint (`/externalApi/realm/{account_id}/token`)\ - \ using the provided credentials.\n4. **Response Evaluation**: The script evaluates\ - \ the HTTP response. If the response is successful (HTTP 200 OK), the connection\ - \ is confirmed. If the response indicates an authentication error (401, 403) or\ - \ other failures, the action reports a connection error.\n5. **Execution Completion**:\ - \ The action terminates, providing a status message and a boolean result indicating\ - \ whether the connection was successful." + \ designed to verify the connectivity between Google SecOps and the **Luminar\ + \ IOCs and Leaked Credentials** platform. Its primary purpose is to validate that\ + \ the integration's configuration parameters\u2014specifically the API Client\ + \ ID, Client Secret, Account ID, and Base URL\u2014are correct and that the external\ + \ service is reachable.\n\n### Parameters Description\nThere are no action-specific\ + \ parameters for this action. It utilizes the global integration configuration\ + \ settings.\n\n### Additional Notes\n* This action does not process entities or\ + \ modify any data within Google SecOps or the Luminar platform.\n* It is strictly\ + \ used for testing the authentication handshake and network connectivity.\n\n\ + ### Flow Description\n1. **Configuration Retrieval:** The action extracts the\ + \ `Luminar API Client ID`, `Luminar API Client Secret`, `Luminar API Account ID`,\ + \ and `Luminar Base URL` from the integration's configuration settings.\n2. **Manager\ + \ Initialization:** It initializes the `LuminarManager` using the extracted credentials\ + \ and URL.\n3. **Connectivity Test:** The action calls the `test_connectivity`\ + \ method, which sends a POST request to the Luminar authentication endpoint (`/externalApi/realm/{account_id}/token`)\ + \ to request an OAuth2 access token.\n4. **Response Evaluation:** The action evaluates\ + \ the HTTP response. A successful response (200 OK) confirms valid credentials\ + \ and connectivity, while error codes (e.g., 401, 403) indicate authentication\ + \ or configuration issues.\n5. **Execution Completion:** The action terminates\ + \ by reporting the connection status and a descriptive message to the SOAR platform." capabilities: can_create_case_comments: false can_create_insight: false @@ -53,3 +47,28 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/community/luminar_iocs_and_leaked_credentials/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/luminar_iocs_and_leaked_credentials/resources/ai/connectors_ai_description.yaml new file mode 100644 index 000000000..aef5d7b7f --- /dev/null +++ b/content/response_integrations/third_party/community/luminar_iocs_and_leaked_credentials/resources/ai/connectors_ai_description.yaml @@ -0,0 +1,78 @@ +"Luminar IOCs and Leaked Credentials Connector": + ai_description: >- + ### General Description + + The Luminar IOCs and Leaked Credentials connector integrates Google SecOps with + Cognyte's Luminar platform. It fetches cyber threat intelligence data, specifically + Indicators of Compromise (IOCs) and Leaked Credentials, formatted as STIX objects. + The connector identifies malicious activity related to malware families and compromised + user accounts, transforming this data into actionable alerts and cases within + the SOAR platform. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | DeviceProductField | String | Yes | The field name used to determine the device + product (default: device_product). | + + | EventClassId | String | Yes | The field name used to determine the event name/sub-type + (default: event_type). | + + | Luminar API Account ID | Password | Yes | The unique Account ID for the Luminar + API. | + + | Luminar API Client ID | Password | Yes | The Client ID used for API authentication. + | + + | Luminar API Client Secret | Password | Yes | The Client Secret used for API + authentication. | + + | Luminar Base URL | String | Yes | The base URL of the Luminar instance (e.g., + https://demo.cyberluminar.com). | + + | Proxy Password | Password | No | Password for the proxy server if required. + | + + | Proxy Port | Integer | No | Port number for the proxy server. | + + | Proxy Server Address | String | No | The network address of the proxy server. + | + + | Proxy Username | String | No | Username for the proxy server. | + + | PythonProcessTimeout | String | Yes | The maximum execution time allowed for + the connector script in seconds. | + + | Verify SSL | Boolean | No | If enabled, the connector will verify the SSL certificate + of the Luminar server. | + + + ### Flow Description + + 1. **Authentication**: The connector establishes a connection to the Luminar API + using the provided Account ID, Client ID, and Client Secret to retrieve an OAuth2 + access token. + + 2. **Data Ingestion**: It queries the `/externalApi/stix` endpoint using a persistent + timestamp to fetch new STIX-formatted objects since the last execution. + + 3. **Object Processing**: The connector parses the STIX bundle, identifying specific + object types including `malware`, `incident`, `indicator`, and `relationship`. + + 4. **Categorization & Enrichment**: + * **Malware IOCs**: Maps indicators (IPs, Hashes, Domains, URLs) to their + respective malware families based on STIX relationships. + * **Leaked Credentials**: Associates compromised user accounts with specific + security incidents. + * **Expiring IOCs**: Filters and groups indicators that are nearing their + expiration date. + 5. **Alert Generation**: Events are aggregated into alerts (limited to 500 events + per alert to optimize performance). Each alert is assigned a priority and mapped + to the Google SecOps data model. + + 6. **State Management**: Upon successful ingestion, the connector updates the + internal timestamp to ensure subsequent runs only process new intelligence data. diff --git a/content/response_integrations/third_party/community/luminar_iocs_and_leaked_credentials/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/luminar_iocs_and_leaked_credentials/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..4fe442a77 --- /dev/null +++ b/content/response_integrations/third_party/community/luminar_iocs_and_leaked_credentials/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: true + itsm: false + network_security: false + siem: false + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/luminar_iocs_and_leaked_credentials/resources/ai/jobs_ai_description.yaml b/content/response_integrations/third_party/community/luminar_iocs_and_leaked_credentials/resources/ai/jobs_ai_description.yaml new file mode 100644 index 000000000..fb92c7a3b --- /dev/null +++ b/content/response_integrations/third_party/community/luminar_iocs_and_leaked_credentials/resources/ai/jobs_ai_description.yaml @@ -0,0 +1,47 @@ +Luminar IOC and Leaked Credentials Job: + ai_description: >- + ### General Description + + This job performs automated maintenance for cases generated by the Luminar integration + within Google SecOps. It identifies open cases titled "Luminar IOCs" and evaluates + whether the indicators associated with those cases have reached their expiration + date. If an indicator is found to be expired, the job automatically assigns the + case to the configured user and closes it with a maintenance reason, ensuring + the case queue remains relevant and free of outdated intelligence. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Siemplify Username | String | Yes | The username used to authenticate with the + Google SecOps internal API to perform case search, assignment, and closure. | + + | Siemplify Password | Password | Yes | The password for the specified Siemplify + Username. | + + + ### Flow Description + + 1. **Authentication**: The job authenticates against the Google SecOps API using + the provided credentials to retrieve a bearer token for subsequent requests. + + 2. **Case Search**: It searches for all currently open cases that match the specific + title "Luminar IOCs". + + 3. **Detail Retrieval**: For each matching case, the job fetches the full case + details to access specific alert fields. + + 4. **Expiration Check**: It extracts the expiration date from the security event + card fields within the case data. + + 5. **Date Comparison**: The job compares the extracted expiration date against + the current system time. + + 6. **Case Assignment**: If the expiration date is in the past, the job performs + a bulk assignment of the case to the provided username. + + 7. **Case Closure**: Finally, the job executes a bulk close action on the expired + cases, marking them with the reason "Maintenance" and the comment "Expired IOCs". diff --git a/content/response_integrations/third_party/community/marketo/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/marketo/resources/ai/actions_ai_description.yaml index b97e831c4..dc413b00c 100644 --- a/content/response_integrations/third_party/community/marketo/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/marketo/resources/ai/actions_ai_description.yaml @@ -2,9 +2,9 @@ Create lead: ai_description: >- ### General Description - Creates a new lead in Marketo using provided user details. This action allows - for the programmatic addition of individuals to the Marketo database directly - from a SOAR workflow, facilitating marketing automation and lead management processes. + Creates a new lead in Marketo using provided user details. This action is used + to programmatically register a new contact within the Marketo marketing automation + platform by providing their email, name, and country information. ### Parameters Description @@ -13,7 +13,8 @@ Create lead: | :--- | :--- | :--- | :--- | - | Email | String | Yes | The email address of the new lead to be created. | + | Email | String | Yes | The email address of the new lead you want to create. + This is used as the primary lookup field. | | First Name | String | Yes | The first name of the new lead. | @@ -22,24 +23,34 @@ Create lead: | Country | String | Yes | The country of the new lead. | + ### Additional Notes + + This action uses the `createOnly` method, meaning it will attempt to create a + new record and will not update an existing one if the email already exists in + Marketo. The action requires valid Marketo API credentials (Client ID, Client + Secret, and Munchkin ID) to be configured in the integration settings. + + ### Flow Description - 1. **Initialization**: The action retrieves Marketo integration credentials (Client - ID, Client Secret, and Munchkin ID) and the specific lead details from the action - parameters. + 1. **Parameter Extraction**: The action retrieves the Marketo API credentials + from the integration configuration and the lead details (Email, First Name, Last + Name, Country) from the action parameters. - 2. **API Connection**: It establishes a connection to the Marketo API using the - `MarketoClient`. + 2. **Client Initialization**: Initializes the MarketoClient using the provided + Munchkin ID and credentials. - 3. **Lead Creation**: The action executes a `create_update_leads` call with the - `createOnly` action flag, ensuring that it only attempts to create a new lead - rather than updating an existing one, using the email as the lookup field. + 3. **Data Preparation**: Formats the input data into a structure compatible with + the Marketo API. - 4. **Response Handling**: It parses the API response to check for success or specific - failure reasons (such as the lead already existing). + 4. **API Execution**: Calls the Marketo API's `create_update_leads` method with + the `createOnly` action flag. - 5. **Finalization**: The action outputs the raw JSON result from Marketo and provides - a human-readable summary, including the new Lead ID upon success. + 5. **Response Handling**: Parses the API response to check for success or specific + error reasons. + + 6. **Finalization**: Returns a success message with the new Lead ID or a failure + message with error details to the Google SecOps platform. capabilities: can_create_case_comments: false can_create_insight: false @@ -48,7 +59,7 @@ Create lead: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new lead record in the external Marketo marketing automation system. + Creates a new lead record in the Marketo marketing automation platform. fetches_data: false internal_data_mutation_explanation: null categories: @@ -68,49 +79,54 @@ Create lead: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: true + update_ticket: false Get Lead By Email Param: - ai_description: >- - ### General Description - - Retrieves lead information from Marketo based on a provided email address. This - action is used to verify the existence of a lead and fetch their associated data - from the Marketo platform. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Email | String | Yes | The email address of the user to retrieve details for. - | - - - ### Flow Description - - 1. **Parameter Extraction**: The action retrieves the Client ID, Client Secret, - and Munchkin ID from the integration configuration, and the Email from the action - parameters. - - 2. **Client Initialization**: A MarketoClient is initialized with the retrieved - credentials. - - 3. **Data Retrieval**: The action calls the Marketo API to get lead details using - the email as a filter. - - 4. **Response Handling**: The action checks if lead data was returned. If found, - it extracts the lead ID and sets the result to success. If not, it indicates the - user was not found. - - 5. **Finalization**: The lead details are added to the action's JSON results, - and the action completes with a summary message. - - - ### Additional Notes - - This action operates on a manual input parameter and does not automatically iterate - over or enrich entities present in the SecOps case. + ai_description: "### General Description\nThe **Get Lead By Email Param** action\ + \ retrieves detailed lead information from Marketo for a specific email address\ + \ provided as an input parameter. This action is designed to fetch marketing-related\ + \ context about a user, such as their Lead ID and other profile attributes stored\ + \ in Marketo, without requiring the email to be an existing entity in the Google\ + \ SecOps case.\n\n### Parameters Description\n| Parameter | Type | Mandatory |\ + \ Description |\n| :--- | :--- | :--- | :--- |\n| Email | String | Yes | The email\ + \ address of the user you want to retrieve details for. The value is converted\ + \ to lowercase before the search. |\n\n### Flow Description\n1. **Initialization**:\ + \ The action extracts Marketo API credentials (Client ID, Client Secret, and Munchkin\ + \ ID) from the integration configuration.\n2. **Input Processing**: The action\ + \ retrieves the `Email` parameter and converts it to lowercase to ensure consistency\ + \ with Marketo's search requirements.\n3. **API Interaction**: The action uses\ + \ the Marketo REST API client to execute a search (`get_multiple_leads_by_filter_type`)\ + \ using the email as the filter.\n4. **Result Evaluation**: \n * If lead data\ + \ is returned, the action identifies the Lead ID and constructs a success message.\n\ + \ * If no data is found, the action reports that the user does not exist in\ + \ Marketo.\n5. **Output**: The action attaches the raw lead details as a JSON\ + \ result and terminates with a summary message and a boolean status indicating\ + \ if the lead was found.\n\n### Additional Notes\nThis action operates independently\ + \ of the entities present in the SecOps case. It relies strictly on the provided\ + \ `Email` parameter." capabilities: can_create_case_comments: false can_create_insight: false @@ -138,40 +154,77 @@ Get Lead By Email Param: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Lead By Entity Email: ai_description: >- ### General Description - Retrieves lead information from Marketo for User entities that possess a valid - email address format. This action is used to enrich user profiles with marketing - data such as names and lead identifiers. + The **Get Lead By Entity Email** action enriches USER entities by retrieving corresponding + lead information from the Marketo platform. It uses the entity's identifier (email + address) to query Marketo's database for associated metadata such as names and + lead IDs. - ### Parameters + ### Parameters Description - There are no action-specific parameters for this action. It relies on the Marketo - integration configuration (Client Id, Client Secret, and Munchkin Id). + There are no action-specific parameters for this action. It relies on the global + integration configuration (Client Id, Client Secret, and Munchkin Id) to authenticate + with the Marketo API. ### Flow Description - 1. **Configuration Retrieval**: The action fetches the Marketo API credentials - from the integration settings. + 1. **Authentication**: The action initializes the Marketo client using the provided + integration credentials (Client Id, Client Secret, and Munchkin Id). 2. **Entity Filtering**: It iterates through the target entities, selecting only - those of type `USER` that match a standard email regex pattern. + those of type `USER`. + + 3. **Email Validation**: For each USER entity, it performs a regex check to ensure + the identifier is a valid email address format. + + 4. **Data Retrieval**: It queries Marketo for lead details using the validated + email address as a filter. - 3. **External API Call**: For each valid email, it queries the Marketo API using - the `get_multiple_leads_by_filter_type` method. + 5. **Enrichment**: If a lead is found, the action extracts the first name, last + name, email, and lead ID from the Marketo response. - 4. **Data Enrichment**: If a lead is found, the action extracts the first name, - last name, email, and Lead ID. + 6. **Internal Update**: The action updates the entity's `additional_properties` + with the retrieved data (prefixed with 'Marketo_') and marks the entity as enriched + (`is_enriched = True`). - 5. **Internal Update**: The entity's additional properties are updated with the - retrieved data, and the `is_enriched` flag is set to true. + 7. **Output**: Finally, it provides a JSON result containing the enrichment details + for all processed entities and the total count of leads found. + + + ### Additional Notes - 6. **Finalization**: The action updates all enriched entities in Google SecOps - and provides a JSON summary of the results. + Entities that do not match the email regex or are not of type `USER` are skipped + with a log message. capabilities: can_create_case_comments: false can_create_insight: false @@ -182,8 +235,8 @@ Get Lead By Entity Email: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with lead information from Marketo and - sets the 'is_enriched' flag to true. + Updates entity additional properties with Marketo lead information (first name, + last name, email, lead ID) and sets the is_enriched flag to true. categories: enrichment: true entity_usage: @@ -194,7 +247,7 @@ Get Lead By Entity Email: filters_by_case_identifier: false filters_by_creation_time: false filters_by_entity_type: true - filters_by_identifier: true + filters_by_identifier: false filters_by_is_artifact: false filters_by_is_enriched: false filters_by_is_internal: false @@ -202,49 +255,75 @@ Get Lead By Entity Email: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: ai_description: >- ### General Description - Tests the connectivity with the Marketo service to ensure that the integration - is correctly configured and that the Google SecOps environment can communicate - with the Marketo API. This action is primarily used for troubleshooting and initial - setup verification. + The **Ping** action is designed to verify the connectivity between Google SecOps + and the **Marketo** instance. It ensures that the provided credentials (Client + Id, Client Secret, and Munchkin Id) are valid and that the system can successfully + communicate with the Marketo API. ### Parameters Description - There are no action-specific parameters for this action. It utilizes the following - integration configuration parameters: + There are no action-specific parameters for this action. It relies entirely on + the integration's configuration parameters. + - * **Client Id**: The client ID for the Marketo API. + | Parameter | Type | Mandatory | Description | - * **Client Secret**: The client secret for the Marketo API. + | :--- | :--- | :--- | :--- | - * **Munchkin Id**: The Munchkin ID for the Marketo instance. + | N/A | N/A | N/A | This action does not require any input parameters. | ### Additional Notes - This action follows the standard 'Ping' pattern for Google SecOps integrations. - It performs a read-only operation (fetching a lead by a static ID) to verify the - validity of the credentials and the network path. + This action is typically used during the initial setup or troubleshooting phase + to confirm that the integration is correctly configured. ### Flow Description - 1. **Initialize Action**: The action initializes the Siemplify context. + 1. **Configuration Extraction**: The action retrieves the `Client Id`, `Client + Secret`, and `Munchkin Id` from the integration settings. - 2. **Retrieve Configuration**: It extracts the Client Id, Client Secret, and Munchkin - Id from the integration settings. - - 3. **Establish Connection**: It instantiates the MarketoClient using the provided + 2. **Client Initialization**: It initializes the `MarketoClient` using the retrieved credentials. - 4. **Test API Call**: It executes a `get_lead_by_id` call for a lead with ID '1' - to verify that the API responds correctly. + 3. **Connectivity Test**: It attempts to fetch a lead with the ID `1` using the + `get_lead_by_id` method. This serves as a lightweight request to validate the + API connection. - 5. **Finalize**: If the call is successful, the action ends with a success status. + 4. **Result Reporting**: If the request is successful, the action completes with + a success status. If an exception occurs, it indicates a connectivity or authentication + failure. capabilities: can_create_case_comments: false can_create_insight: false @@ -272,56 +351,76 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Request Campaign: ai_description: >- - ### General Description - - This action triggers a specific Marketo campaign for a designated lead. It allows - users to programmatically initiate marketing workflows directly from Google SecOps - by providing the campaign and lead identifiers along with optional dynamic tokens. + Triggers a specific Marketo campaign for a designated lead. This action allows + security or marketing automation workflows to programmatically initiate campaigns + within Marketo by providing the Campaign ID and Lead ID. It also supports passing + custom tokens via a JSON string to personalize the campaign execution. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Parameter Extraction:** The action retrieves Marketo configuration credentials + (Client ID, Secret, Munchkin ID) and action parameters (Campaign ID, Lead ID, + and optional Tokens JSON). - | :--- | :--- | :--- | :--- | + 2. **Token Processing:** If provided, the Tokens JSON is parsed and processed + to ensure keys are formatted correctly (lowercase, unless they contain sensitive + strings like 'password'). - | Campaign Id | string | Yes | The unique integer identifier of the Marketo campaign - to be requested. | + 3. **API Execution:** The action initializes the Marketo client and executes the + `request_campaign` method using the provided IDs and tokens. - | Lead Id | string | Yes | The unique integer identifier of the lead for whom - the campaign is being requested. | - - | Tokens Json | string | No | A JSON-formatted string containing key-value pairs - (tokens) to be used within the campaign. The action automatically lowercases keys - and values unless the key contains the word 'password'. | + 4. **Result Reporting:** The action returns a success message if the campaign + was triggered successfully or an error message if the request failed. - ### Additional Notes + ### Parameters Description - - This action does not operate on entities within the Google SecOps case; it relies - entirely on the IDs provided in the action parameters. + | Parameter | Type | Mandatory | Description | - - The `Campaign Id` and `Lead Id` are treated as integers by the underlying Marketo - SDK. + | :--- | :--- | :--- | :--- | + | Campaign Id | string | Yes | The unique identifier of the Marketo campaign to + be triggered. The value is treated as an integer. | - ### Flow Description + | Lead Id | string | Yes | The unique identifier of the Marketo lead for whom + the campaign is triggered. The value is treated as an integer. | - 1. **Initialization**: The action retrieves Marketo integration credentials (Client - ID, Client Secret, and Munchkin ID) and the action parameters. + | Tokens Json | string | No | A JSON-formatted string containing key-value pairs + of tokens to be used in the campaign. | - 2. **Token Processing**: If provided, the `Tokens Json` is parsed. The logic iterates - through the dictionary to lowercase keys and values, preserving the case for any - values associated with keys containing 'password'. - 3. **API Execution**: The action initializes the `MarketoClient` and calls the - `execute` method with the `request_campaign` operation, passing the `campaign_id`, - `lead_id`, and processed tokens. + ### Additional Notes - 4. **Result Handling**: If the API call is successful, the action completes with - a success message. If an error occurs, it logs the exception and fails the execution. + This action does not process entities from the Google SecOps case; it relies entirely + on the provided input parameters. capabilities: can_create_case_comments: false can_create_insight: false @@ -330,8 +429,8 @@ Request Campaign: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Triggers the execution of a marketing campaign for a specific lead within the - Marketo platform, which initiates external workflows and communications. + Triggers a marketing campaign for a specific lead in Marketo, which initiates + an automated workflow or communication in the external system. fetches_data: false internal_data_mutation_explanation: null categories: @@ -351,3 +450,28 @@ Request Campaign: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/community/marketo/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/marketo/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..0801c7556 --- /dev/null +++ b/content/response_integrations/third_party/community/marketo/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/microsoft_graph_security_tools/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/microsoft_graph_security_tools/resources/ai/actions_ai_description.yaml index af65c55c4..3c0342c7f 100644 --- a/content/response_integrations/third_party/community/microsoft_graph_security_tools/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/microsoft_graph_security_tools/resources/ai/actions_ai_description.yaml @@ -1,43 +1,51 @@ Delete Attachment: ai_description: >- - ### General Description - - The **Delete Attachment** action allows analysts to programmatically remove a - specific attachment from a user's mailbox within Microsoft 365 using the Microsoft - Graph API. This is primarily used in incident response scenarios to remediate - malicious files delivered via email after they have been identified. + Deletes a specific attachment from a user's email message within a Microsoft 365 + mailbox using the Microsoft Graph API. This action is primarily used for remediation + purposes, such as removing malicious files from an inbox after they have been + identified. It requires the specific identifiers for the user, the message, and + the attachment itself. - ### Parameters Description + ### Parameters - | Parameter | Type | Mandatory | Description | + | Parameter Name | Description | Type | Mandatory | | :--- | :--- | :--- | :--- | - | **User ID** | String | Yes | The User ID or User Principal Name (typically the - email address) of the mailbox owner. | + | User ID | The userPrincipalName (typically the email address) of the mailbox + owner. | String | Yes | - | **Message ID** | String | Yes | The unique identifier of the email message that - contains the attachment. | + | Message ID | The unique identifier of the email message containing the attachment. + | String | Yes | - | **Attachment ID** | String | Yes | The unique identifier of the specific attachment - to be deleted. | + | Attachment ID | The unique identifier of the specific attachment to be deleted. + | String | Yes | ### Flow Description - 1. **Authentication**: The action establishes a connection to Microsoft Graph - using the provided Client ID, Tenant ID, and either a Secret ID or a Certificate. + 1. **Authentication**: The action authenticates with Microsoft Graph using the + provided Integration parameters (Client ID, Secret/Certificate, and Tenant ID). + + 2. **Parameter Extraction**: It retrieves the User ID, Message ID, and Attachment + ID from the action input. + + 3. **API Request**: It sends an HTTP DELETE request to the Microsoft Graph endpoint: + `https://graph.microsoft.com/v1.0/users/{user_id}/messages/{message_id}/attachments/{attachment_id}`. + + 4. **Result Processing**: The action checks the response status code. An HTTP + 204 status indicates a successful deletion. The result is then logged and returned + to the SOAR platform. - 2. **Parameter Extraction**: It retrieves the target User ID, Message ID, and - Attachment ID from the action input. - 3. **API Execution**: The action sends a `DELETE` request to the Microsoft Graph - endpoint: `https://graph.microsoft.com/v1.0/users/{user_id}/messages/{message_id}/attachments/{attachment_id}`. + ### Additional Notes + + - This action performs a permanent deletion of the attachment from the message. + It does not move it to a deleted items folder. - 4. **Result Processing**: If the API returns a `204 No Content` status, the action - reports a successful deletion. Otherwise, it reports a failure with the corresponding - status code. + - Ensure the application permissions in Azure AD are correctly configured to allow + `Mail.ReadWrite` for the target mailboxes. capabilities: can_create_case_comments: false can_create_insight: false @@ -46,8 +54,8 @@ Delete Attachment: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - This action deletes an attachment from a user's mailbox in Microsoft 365, which - is a permanent state change in an external system. + Deletes a specific attachment from a user's mailbox in Microsoft 365 via the + Microsoft Graph API. fetches_data: false internal_data_mutation_explanation: null categories: @@ -67,32 +75,77 @@ Delete Attachment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: true + update_identity: false + update_ticket: false Delete Message: - ai_description: "### General Description\nThe **Delete Message** action allows security\ - \ analysts to programmatically remove specific email messages from one or more\ - \ Microsoft 365 mailboxes. This is primarily used for incident response, such\ - \ as removing phishing emails or malicious attachments from user inboxes after\ - \ they have been identified. The action interacts with the Microsoft Graph API\ - \ to perform a hard delete of the specified message.\n\n### Parameters Description\n\ - | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ - | **Message ID** | string | Yes | The unique identifier of the email message to\ - \ be deleted. This is typically retrieved from previous search or listing actions.\ - \ |\n| **User ID** | string | Yes | The email address (userPrincipalName) or unique\ - \ ID of the user whose mailbox contains the message. This parameter supports a\ - \ comma-separated list (CSV) to target multiple mailboxes simultaneously. |\n\n\ - ### Flow Description\n1. **Authentication**: The action initializes a connection\ - \ to the Microsoft Graph Security API using the configured Client ID, Secret/Certificate,\ - \ and Tenant ID.\n2. **Input Parsing**: It retrieves the `Message ID` and `User\ - \ ID` from the action parameters. If the `User ID` contains commas, it is split\ - \ into a list of individual users.\n3. **API Execution**: For each user provided,\ - \ the action sends a `DELETE` request to the Microsoft Graph endpoint: `https://graph.microsoft.com/v1.0/users/{user_id}/messages/{message_id}`.\n\ - 4. **Result Processing**: The action checks the HTTP response status. A `204\ - \ No Content` status indicates a successful deletion. \n5. **Finalization**:\ - \ The action reports the overall success or failure and attaches the raw JSON\ - \ response data to the action results in Google SecOps.\n\n### Additional Notes\n\ - - This action performs a permanent deletion of the message.\n- If multiple User\ - \ IDs are provided via CSV, the action will attempt to delete the message with\ - \ the same `Message ID` from every specified mailbox." + ai_description: >- + Deletes a specific email message from one or more Microsoft 365 mailboxes using + the Microsoft Graph API. This action is primarily used for remediation, such as + removing malicious emails (phishing) identified during an investigation. It supports + targeting multiple users simultaneously via a comma-separated list of email addresses. + + + ### Flow Description: + + 1. **Authentication**: The action establishes a connection to the Microsoft Graph + API using the provided Client ID, Tenant ID, and either a Client Secret or a Certificate. + + 2. **Parameter Extraction**: It retrieves the 'Message ID' and 'User ID' from + the action parameters. The 'User ID' can be a single email or a CSV list of emails. + + 3. **Execution**: The action iterates through the provided user identifiers and + sends a DELETE request to the Microsoft Graph endpoint for the specified message. + + 4. **Result Reporting**: It captures the HTTP response status (expecting 204 No + Content for success) and returns a summary of the operation's outcome to the Google + SecOps case. + + + ### Parameters Description: + + | Parameter Name | Description | Type | Mandatory | Notes | + + | :--- | :--- | :--- | :--- | :--- | + + | Message ID | The unique identifier of the message to be deleted. | String | + Yes | This ID is typically retrieved from a previous 'List Messages' or 'Search' + action. | + + | User ID | The email address or userPrincipalName of the mailbox owner. | String + | Yes | Supports a CSV input (e.g., user1@domain.com,user2@domain.com) to delete + the same message ID from multiple mailboxes. | + + + ### Additional Notes: + + - This action performs a permanent deletion (or moves to 'Deleted Items' depending + on API behavior/mailbox settings) and cannot be undone via this integration. + + - If a CSV list is provided for 'User ID', the action will attempt to delete the + message from every mailbox in the list. capabilities: can_create_case_comments: false can_create_insight: false @@ -101,8 +154,8 @@ Delete Message: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Deletes email messages from specified user mailboxes in Microsoft 365 using - the Microsoft Graph API. + Deletes email messages from specified user mailboxes within the Microsoft 365 + environment via the Microsoft Graph API. fetches_data: false internal_data_mutation_explanation: null categories: @@ -122,14 +175,40 @@ Delete Message: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: true + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Message: ai_description: >- ### General Description - Retrieves the full details of a specific email message from a user's Microsoft - 365 inbox using the Microsoft Graph API. This action is primarily used for forensic - investigation and incident response to inspect the content, headers, and metadata - of a specific email. + The **Get Message** action retrieves the full details and metadata of a specific + email message from a user's Microsoft 365 inbox using the Microsoft Graph API. + This action is primarily used for forensic investigation, allowing security analysts + to inspect the content, headers, and properties of a specific email identified + in an alert. ### Parameters Description @@ -138,33 +217,35 @@ Get Message: | :--- | :--- | :--- | :--- | - | User ID | string | Yes | The email address or userPrincipalName of the user - whose inbox contains the message. | + | **User ID** | String | Yes | The email address or `userPrincipalName` of the + user whose mailbox is being accessed. | - | Message ID | string | Yes | The unique identifier of the specific email message - to retrieve from the Microsoft Graph API. | + | **Message ID** | String | Yes | The unique identifier (ID) of the specific email + message to be retrieved. | ### Flow Description - 1. **Authentication**: The action initializes the Microsoft Graph Security Manager - using the integration's configuration parameters (Client ID, Secret/Certificate, - and Tenant ID). + 1. **Authentication**: The action establishes a connection to the Microsoft Graph + API using the configured Client ID, Tenant ID, and either a Client Secret or Certificate. - 2. **Parameter Extraction**: It extracts the `User ID` and `Message ID` provided - as action inputs. + 2. **Parameter Retrieval**: The action extracts the target `User ID` and `Message + ID` from the user input. - 3. **Data Retrieval**: It performs a GET request to the Microsoft Graph endpoint + 3. **Data Retrieval**: It executes a GET request to the Microsoft Graph endpoint: `https://graph.microsoft.com/v1.0/users/{user_id}/messages/{message_id}`. - 4. **Result Processing**: The retrieved message data is added to the action's - JSON results and the execution is marked as completed. + 4. **Output**: The retrieved message data is returned as a JSON object and attached + to the action results in Google SecOps. ### Additional Notes - This action does not operate on SecOps entities (like IP or Hostname) but instead - uses explicit input parameters to target a specific message in a specific mailbox. + - This action is read-only and does not change the state of the email (e.g., it + does not mark the email as read). + + - The integration must have the appropriate API permissions (such as `Mail.Read` + or `Mail.ReadWrite`) configured in the Azure portal. capabilities: can_create_case_comments: false can_create_insight: false @@ -192,55 +273,88 @@ Get Message: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get User MFA: ai_description: >- ### General Description Retrieves Multi-Factor Authentication (MFA) registration and status details for - users from Microsoft Graph. This action is designed to provide visibility into - a user's security posture by checking if they have MFA enabled, registered, and - which authentication methods are in use. It targets a specific email provided - as a parameter and also processes email-based entities within the case. + users from Microsoft Graph. This action helps analysts determine if a user is + properly enrolled in MFA, which authentication methods they have configured, and + whether they are capable of performing MFA challenges. It processes both a manually + provided email address and any email-like entities found within the case context. - ### Parameters + ### Parameters Description + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | User Email | String | Yes | The primary User Principal Name (UPN) to query. - This will always be the first result in the output JSON. | + | Create Insight | boolean | No | If set to `true`, the action will generate a + detailed Case Insight for every user successfully queried, summarizing their MFA + status. | - | Create Insight | Boolean | No | If enabled, the action will create a detailed - insight in the case for every user found with MFA statistics. | + | User Email | string | Yes | The specific User Principal Name (UPN) or email + address to search for. This user will always be the first entry in the results. + | ### Flow Description - 1. **Authentication**: Establishes a connection to the Microsoft Graph API using - the configured Client ID, Secret, and Tenant ID. + 1. **Authentication**: Connects to the Microsoft Graph API using the integration's + Client ID, Tenant ID, and either a Client Secret or Certificate. - 2. **Primary Query**: Fetches MFA registration details for the specific email - provided in the 'User Email' parameter. + 2. **Manual User Query**: Fetches MFA statistics for the email address provided + in the `User Email` parameter via the `credentialUserRegistrationDetails` endpoint. - 3. **Entity Processing**: Scans all entities associated with the current case. - For any entity whose identifier contains an '@' symbol (identifying it as a potential - email/UPN), the action performs a lookup for its MFA status. + 3. **Initial Insight**: If `Create Insight` is enabled, it creates a case insight + for the manually provided user. - 4. **Insight Generation**: If 'Create Insight' is set to true, the action generates - a formatted insight for the primary user and each discovered entity, detailing - registration status, enablement, and authentication methods. + 4. **Entity Processing**: Iterates through all entities in the current SOAR case. - 5. **Results**: Aggregates all found MFA records into a JSON result and completes - the execution. + 5. **Identifier Filtering**: For each entity, it checks if the identifier contains + an `@` symbol (treating it as a potential email/UPN). + + 6. **Contextual Enrichment**: For every matching entity, it retrieves the corresponding + MFA statistics from Microsoft Graph. + + 7. **Contextual Insights**: If `Create Insight` is enabled, it generates insights + for each discovered entity. + + 8. **Final Output**: Aggregates all retrieved MFA records into a JSON array and + returns a success status. ### Additional Notes - The action utilizes the Microsoft Graph Beta endpoint (`/beta/reports/credentialUserRegistrationDetails`) - to retrieve comprehensive MFA data. The JSON result will always return the 'User - Email' input first at index zero. + The JSON result will always return the data for the `User Email` input at index + zero, followed by any data found for entities in the case. capabilities: can_create_case_comments: false can_create_insight: true @@ -252,7 +366,7 @@ Get User MFA: fetches_data: true internal_data_mutation_explanation: >- Creates case insights containing MFA registration details (isRegistered, isEnabled, - isCapable, authMethods) if the 'Create Insight' parameter is enabled. + isCapable, authMethods) for the queried users. categories: enrichment: true entity_usage: @@ -305,14 +419,39 @@ Get User MFA: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false List Attachments: ai_description: >- ### General Description - The **List Attachments** action retrieves metadata for all attachments associated - with a specific email message in a user's mailbox using the Microsoft Graph API. - This action is primarily used for forensic analysis and automated investigation - to identify files (such as malicious documents or executables) sent via email. + Retrieves a list of attachment objects associated with a specific email message + using the Microsoft Graph API. This action allows analysts to view metadata for + all files attached to a message, such as file names, sizes, and content types, + which is essential for phishing investigations and forensic analysis. ### Parameters Description @@ -321,35 +460,32 @@ List Attachments: | :--- | :--- | :--- | :--- | - | **User ID** | String | Yes | The user's principal name (UPN/email address) or - unique Azure AD identifier. | + | User ID | String | Yes | The userPrincipalName (email) or unique ID of the user + whose mailbox is being accessed. | - | **Message ID** | String | No | The unique identifier of the message from which - to retrieve attachments. Note: While marked as non-mandatory in configuration, - the API request requires this ID to successfully locate the message. | + | Message ID | String | No | The unique identifier of the message from which to + retrieve the attachment list. | - ### Additional Notes + ### Flow Description - This action performs a read-only operation and does not download the actual file - content; it retrieves the attachment objects (metadata) which typically include - the name, size, and content type. + 1. **Authentication**: The action initializes a connection to Microsoft Graph + using the provided Client ID, Tenant ID, and either a Client Secret or a Certificate. + 2. **Parameter Extraction**: It extracts the target User ID and Message ID from + the action parameters. - ### Flow Description + 3. **API Call**: It performs a GET request to the Microsoft Graph endpoint: `/users/{user_id}/messages/{message_id}/attachments`. - 1. **Authentication**: The action initializes the Microsoft Graph Security Manager - using the provided integration credentials (Client ID, Secret/Certificate, and - Tenant ID). + 4. **Data Output**: The retrieved list of attachment metadata is added to the + action's JSON results for use in playbooks. - 2. **Input Extraction**: It extracts the `User ID` and `Message ID` from the action - parameters. - 3. **API Execution**: It sends a GET request to the Microsoft Graph endpoint: - `https://graph.microsoft.com/v1.0/users/{user_id}/messages/{message_id}/attachments`. + ### Additional Notes - 4. **Data Output**: The resulting list of attachment objects is returned as a - JSON object and added to the action's execution results. + While the 'Message ID' is marked as not mandatory in the configuration, it is + required by the underlying API endpoint to successfully locate the message. If + omitted, the action may fail during the API request phase. capabilities: can_create_case_comments: false can_create_insight: false @@ -361,7 +497,7 @@ List Attachments: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: true + enrichment: false entity_usage: entity_types: [] filters_by_additional_properties: false @@ -377,48 +513,78 @@ List Attachments: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: true + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false List Mail Rules: ai_description: >- ### General Description - The **List Mail Rules** action retrieves all message rules (messageRule objects) - defined for a specific user's Inbox in Microsoft 365. This action is useful for - security investigations to identify suspicious mail forwarding, deletion, or redirection - rules that might indicate account compromise or data exfiltration. + The **List Mail Rules** action retrieves all message rules (inbox rules) defined + for a specific user's inbox using the Microsoft Graph API. This action is a critical + tool for security analysts investigating Business Email Compromise (BEC) or account + takeover incidents, as it allows for the identification of suspicious rules that + may be automatically forwarding, hiding, or deleting incoming correspondence. ### Parameters Description - | Parameter | Description | Type | Mandatory | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **User ID** | The `userPrincipalName` (typically the email address) of the user - whose inbox rules you want to retrieve. | String | Yes | + | **User ID** | String | Yes | The `userPrincipalName` or email address of the + target user whose inbox rules are to be retrieved. | ### Flow Description - 1. **Authentication**: The action initializes a connection to the Microsoft Graph - API using the provided Client ID, Secret/Certificate, and Tenant ID from the integration - configuration. + 1. **Authentication**: The action initializes a connection to the Microsoft Graph + API using the integration's Client ID, Tenant ID, and either a Client Secret or + Certificate. + + 2. **Input Retrieval**: The action extracts the target `User ID` from the provided + action parameters. - 2. **Parameter Extraction**: It retrieves the target `User ID` from the action - input. + 3. **API Invocation**: It executes a GET request to the Microsoft Graph endpoint: + `/v1.0/users/{User ID}/mailFolders/inbox/messageRules`. - 3. **Data Retrieval**: It calls the Microsoft Graph API endpoint `GET /users/{id}/mailFolders/inbox/messageRules` - to fetch the list of rules. + 4. **Result Processing**: The action captures the list of `messageRule` objects + returned by the API. - 4. **Result Processing**: The retrieved list of mail rules is attached to the - action's result as a JSON object, and the action completes successfully. + 5. **Completion**: The retrieved rules are added to the action's JSON results, + and the action concludes with a success status. ### Additional Notes - * This action is read-only and does not modify any settings in the user's mailbox. + - This action does not automatically iterate over entities in the SecOps case; + the target user must be explicitly provided via the **User ID** parameter. - * The output includes rule details such as conditions, actions (e.g., move to - folder, delete), and whether the rule is enabled. + - The output includes detailed rule configurations, including conditions (e.g., + from specific senders) and actions (e.g., move to folder, delete, or forward). capabilities: can_create_case_comments: false can_create_insight: false @@ -430,7 +596,7 @@ List Mail Rules: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: true + enrichment: false entity_usage: entity_types: [] filters_by_additional_properties: false @@ -446,14 +612,40 @@ List Mail Rules: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false List Messages: ai_description: >- ### General Description - The **List Messages** action retrieves a list of email messages from a specified - user's mailbox using the Microsoft Graph API. This action is primarily used for - investigative purposes, allowing analysts to search for specific emails or list - recent activity within a mailbox without modifying the content. + This action retrieves a list of email messages from a specific user's mailbox + using the Microsoft Graph API. It allows for granular searching and filtering + of messages based on OData query parameters and specific field selection. This + is primarily used for investigative purposes to identify suspicious emails or + audit mailbox activity. ### Parameters Description @@ -462,44 +654,42 @@ List Messages: | :--- | :--- | :--- | :--- | - | **User ID** | String | Yes | The User ID or userPrincipalName (email address) - of the target mailbox. | + | User ID | string | Yes | The userPrincipalName (email address) or unique ID + of the user whose mailbox will be queried. | - | **Select Filter** | String | No | A comma-separated list of specific message - fields to return (e.g., `subject,sender,receivedDateTime`). If omitted, default - fields are returned. | + | Select Filter | string | No | A comma-separated list of specific message properties + to return (e.g., 'subject,sender,receivedDateTime'). If left empty, default fields + are returned. | - | **Query Parameters** | String | No | OData query parameters used to filter the - results. It should begin with `$` (e.g., `$filter=subject eq 'Urgent'`). | + | Query Parameters | string | No | Standard Microsoft Graph OData query parameters + used to filter or sort results. Must begin with '$' (e.g., '$filter=subject eq + 'Urgent''). | - ### Flow Description + ### Additional Notes - 1. **Authentication**: The action establishes a session with Microsoft Graph using - the integration's Client ID, Secret, and Tenant ID. + - The action uses the Microsoft Graph `/users/{id}/messages` endpoint. - 2. **Parameter Processing**: It extracts the target User ID and any optional OData - query or selection filters provided by the user. + - Ensure the integration has the necessary 'Mail.Read' or 'Mail.ReadWrite' permissions + in Azure AD. - 3. **Request Construction**: The action builds a GET request targeting the `/users/{user_id}/messages` - endpoint, incorporating the `$select` and `$filter` parameters into the query - string. - 4. **Data Retrieval**: It executes the API call to fetch the message data from - the Microsoft 365 environment. + ### Flow Description - 5. **Result Processing**: The retrieved list of messages is formatted and added - to the action's JSON results, making the data available for subsequent playbook - steps. + 1. **Authentication**: The action establishes a connection to Microsoft Graph + using the configured Client ID, Secret, and Tenant ID. + 2. **Parameter Extraction**: It retrieves the target User ID and optional filters + from the action parameters. - ### Additional Notes + 3. **Query Construction**: The action builds the API request URL, appending the + `$select` filter and any provided OData query parameters. - - This action is a read-only operation and does not impact the state of the mailbox - or the messages within it. + 4. **Data Retrieval**: A GET request is sent to the Microsoft Graph API to fetch + the message data. - - Ensure that the OData syntax in the `Query Parameters` field follows Microsoft - Graph specifications to avoid API errors. + 5. **Result Processing**: The retrieved list of messages is formatted and attached + to the action's JSON results for use in subsequent playbook steps. capabilities: can_create_case_comments: false can_create_insight: false @@ -511,7 +701,7 @@ List Messages: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: entity_types: [] filters_by_additional_properties: false @@ -527,30 +717,71 @@ List Messages: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: true + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: - ai_description: "### General Description\nThe **Ping** action is a diagnostic utility\ - \ designed to verify the connectivity and authentication configuration between\ - \ Google SecOps and the Microsoft Graph Security API. Its primary purpose is to\ - \ ensure that the provided credentials (Client ID, Secret ID, Tenant ID, or Certificates)\ - \ are valid and that the system can successfully establish a secure session with\ - \ Microsoft's identity platform.\n\n### Parameters Description\nThis action does\ - \ not require any input parameters. It utilizes the global configuration settings\ - \ defined at the integration level.\n\n| Parameter Name | Type | Mandatory | Description\ - \ |\n| :--- | :--- | :--- | :--- |\n| N/A | N/A | N/A | This action has no input\ - \ parameters. |\n\n### Additional Notes\n- The action attempts to generate an\ - \ OAuth2 access token. If successful, it confirms that the integration is correctly\ - \ configured.\n- It supports both Client Secret and Certificate-based authentication\ - \ based on the integration's configuration.\n\n### Flow Description\n1. **Configuration\ - \ Retrieval:** The action extracts the integration's configuration parameters,\ - \ including Client ID, Secret ID, Tenant ID, and certificate details.\n2. **Manager\ - \ Initialization:** It initializes the `MicrosoftGraphSecurityManager` using the\ - \ retrieved credentials.\n3. **Authentication Request:** The manager attempts\ - \ to authenticate with the Microsoft Graph API by requesting an access token via\ - \ a POST request to the Microsoft identity endpoint.\n4. **Execution Outcome:**\ - \ \n - If the token is successfully acquired, the action concludes with a 'Connection\ - \ Established' message and a success status.\n - If an exception occurs (e.g.,\ - \ network error, invalid credentials), the action logs the error and returns a\ - \ failure status." + ai_description: >- + ### General Description + + The **Ping** action is a diagnostic tool used to verify the connectivity between + the Google SecOps platform and the Microsoft Graph Security API. It ensures that + the provided integration credentials (Client ID, Secret, Tenant ID, or Certificate) + are valid and that the environment can successfully authenticate and communicate + with the external service. + + + ### Parameters Description + + This action does not require any input parameters. It relies entirely on the global + integration configuration settings. + + + ### Flow Description + + 1. **Configuration Extraction:** The action retrieves the authentication details + (Client ID, Secret ID, Tenant ID, Certificate Path, and Certificate Password) + from the integration's configuration. + + 2. **Manager Initialization:** It initializes the `MicrosoftGraphSecurityManager` + using the extracted credentials. + + 3. **Authentication Attempt:** During initialization, the manager attempts to + request an OAuth2 access token from the Microsoft identity platform (`login.microsoftonline.com`). + + 4. **Validation:** If the token is successfully retrieved, the connection is validated. + + 5. **Result Reporting:** The action returns a success status if the connection + is established or a failure status with an error message if authentication fails + or a network error occurs. + + + ### Additional Notes + + * This action is typically used during the initial setup of the integration or + for troubleshooting connectivity issues. capabilities: can_create_case_comments: false can_create_insight: false @@ -578,3 +809,28 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/community/microsoft_graph_security_tools/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/microsoft_graph_security_tools/resources/ai/connectors_ai_description.yaml new file mode 100644 index 000000000..435d6765e --- /dev/null +++ b/content/response_integrations/third_party/community/microsoft_graph_security_tools/resources/ai/connectors_ai_description.yaml @@ -0,0 +1,73 @@ +MS SecureScore Alert: + ai_description: "### General Description\nThe MS SecureScore Alert connector monitors\ + \ the Microsoft Secure Score for an Azure tenant via the Microsoft Graph API.\ + \ It is designed to proactively alert security teams when the organization's security\ + \ posture\u2014represented by the Secure Score\u2014falls below a user-defined\ + \ threshold. This helps in identifying security regressions, configuration drifts,\ + \ or a decrease in compliance across Microsoft 365 services.\n\n### Parameters\ + \ Description\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- |\ + \ :--- | :--- |\n| Threshold | Integer | No | The Secure Score value limit. An\ + \ alert is triggered if the current score drops below this value. |\n| Tenant\ + \ ID | String | Yes | The Azure Active Directory Tenant ID. |\n| Secret ID | Password\ + \ | Yes | The Client Secret for the Azure App Registration. |\n| Client ID | String\ + \ | Yes | The Client ID for the Azure App Registration. |\n| Default Priority\ + \ | Integer | Yes | The priority assigned to the created alert (-1 to 100). |\n\ + | Certificate Path | String | No | Local path to a PFX certificate for authentication\ + \ if not using a Client Secret. |\n| Certificate Password | Password | No | Password\ + \ for the provided certificate file. |\n| EventClassId | String | Yes | The field\ + \ name used to determine the event name (sub-type) in the SOAR. |\n| DeviceProductField\ + \ | String | Yes | The field name used to determine the device product in the\ + \ SOAR. |\n| PythonProcessTimeout | String | Yes | The timeout limit (in seconds)\ + \ for the python process running the script. |\n\n### Flow Description\n1. **Authentication**:\ + \ The connector authenticates with the Microsoft Graph API using the provided\ + \ Client ID and either a Client Secret or a Certificate.\n2. **Data Retrieval**:\ + \ It calls the Microsoft Graph `secureScores` endpoint to fetch the most recent\ + \ security score data for the tenant.\n3. **Threshold Comparison**: The connector\ + \ compares the `currentScore` from the retrieved data against the configured `Threshold`\ + \ parameter.\n4. **Alert Generation**: If the current score is lower than the\ + \ threshold, the connector initiates the alert creation process.\n5. **Event Mapping**:\ + \ It extracts specific metrics such as active user counts, enabled services, and\ + \ comparative averages (Industry, Total Seats, and Tenant averages) and maps them\ + \ into a SOAR event.\n6. **Ingestion**: The alert, containing the detailed score\ + \ breakdown, is ingested into Google SecOps for further analysis." +MS365 MFA Alert: + ai_description: "### General Description\nThe MS365 MFA Alert connector monitors\ + \ Microsoft 365 environments for Multi-Factor Authentication (MFA) compliance\ + \ and security posture. By integrating with the Microsoft Graph API, it identifies\ + \ users who lack MFA registration or possess self-service reset capabilities that\ + \ may violate organizational security policies. This connector helps security\ + \ teams proactively identify and remediate identity-based risks.\n\n### Parameters\ + \ Description\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- |\ + \ :--- | :--- |\n| Tenant ID | String | Yes | The Azure AD Tenant ID associated\ + \ with the Microsoft 365 environment. |\n| Client ID | String | Yes | The Application\ + \ (client) ID of the Azure app registration used for authentication. |\n| Secret\ + \ ID | Password | Yes | The Client Secret for the Azure app registration (required\ + \ if not using certificates). |\n| Certificate Path | String | No | The local\ + \ file path to a PFX certificate if using certificate-based authentication. |\n\ + | Certificate Password | Password | No | The password required to access the PFX\ + \ certificate file. |\n| MFA Registration Alert | Boolean | No | If enabled (true),\ + \ the connector generates alerts for users who are not registered for MFA. |\n\ + | Self Service Reset Alert | Boolean | No | If enabled (true), the connector generates\ + \ alerts for users who have the ability to perform self-service password or MFA\ + \ resets. |\n| Exclude Guests | Boolean | No | If enabled (true), the connector\ + \ will ignore external/guest users (identified by '#EXT#' in their UPN). |\n|\ + \ EventClassId | String | Yes | The field name used to determine the event sub-type\ + \ in the SOAR (default: 'MFA Alert'). |\n| DeviceProductField | String | Yes |\ + \ The field name used to determine the device product (default: 'Microsoft 365').\ + \ |\n| PythonProcessTimeout | String | Yes | The timeout limit in seconds for\ + \ the execution of the connector script. |\n\n### Flow Description\n1. **Authentication**:\ + \ The connector establishes a session with the Microsoft Graph API using either\ + \ the provided Client Secret or a PFX certificate.\n2. **Data Retrieval**: It\ + \ queries the `reports/credentialUserRegistrationDetails` endpoint to fetch the\ + \ current MFA registration status and capabilities for all users in the tenant.\n\ + 3. **Filtering**: \n * It excludes guest users if the 'Exclude Guests' parameter\ + \ is set to true.\n * It checks the user's Principal Name against the SOAR's\ + \ internal allowlist to skip authorized exceptions (e.g., legacy service accounts).\n\ + 4. **Alert Evaluation**: The connector evaluates each user based on the 'MFA Registration\ + \ Alert' and 'Self Service Reset Alert' logic. If a user is not registered for\ + \ MFA or is capable of self-service resets (and the corresponding parameter is\ + \ enabled), an alert is triggered.\n5. **Case Creation**: For every non-compliant\ + \ user identified, the connector creates a SOAR alert containing user metadata\ + \ such as Display Name, UPN, and specific registration flags.\n6. **Ingestion**:\ + \ The generated alerts are packaged and sent to the SOAR platform for analyst\ + \ review." diff --git a/content/response_integrations/third_party/community/microsoft_graph_security_tools/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/microsoft_graph_security_tools/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..b070990d3 --- /dev/null +++ b/content/response_integrations/third_party/community/microsoft_graph_security_tools/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: true + collaboration: false + edr: false + email_security: true + iam_and_identity_management: true + itsm: false + network_security: false + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/nucleon_cyber/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/nucleon_cyber/resources/ai/actions_ai_description.yaml index bdfa19a92..a184596d0 100644 --- a/content/response_integrations/third_party/community/nucleon_cyber/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/nucleon_cyber/resources/ai/actions_ai_description.yaml @@ -2,10 +2,11 @@ GetIPs: ai_description: >- ### General Description - The **GetIPs** action retrieves a feed of active cyber threat intelligence from - the Nucleon Cyber Active Threats API. It is designed to provide security teams - with a list of recently collected malicious or suspicious IP addresses and associated - metadata to be used for further analysis or automated blocking in a playbook. + The **GetIPs** action retrieves active threat intelligence data from the Nucleon + Cyber Active Threats API. It is designed to fetch a list of recently collected + cyber intelligence data points, typically used for feed ingestion or broad threat + hunting within a playbook. The action returns the raw intelligence data in a structured + JSON format. ### Parameters Description @@ -14,35 +15,38 @@ GetIPs: | :--- | :--- | :--- | :--- | - | **limit** | String | Yes | Specifies the maximum number of threat records to - retrieve from the API. Default is "10". | + | **limit** | string | Yes | Specifies the maximum number of threat intelligence + records to retrieve from the API. Defaults to '10'. | ### Additional Notes - - This action requires valid Nucleon Cyber credentials (Username, Password, Client - Name, and Client ID) configured at the integration level. + * This action does not process specific entities from the Google SecOps case; + instead, it fetches a global feed of active threats based on the provided credentials + and limit. - - The action does not process specific entities from the SOAR case; instead, it - fetches a global feed of data. + * The action requires valid integration-level configuration for `Username`, `Password`, + `client name`, and `client id` to authenticate successfully. ### Flow Description - 1. **Configuration Extraction**: The action retrieves the necessary API credentials - and the `limit` parameter. + 1. **Configuration Retrieval:** The action extracts the necessary API credentials + (Username, Password, Client Name, Client ID) from the integration settings and + the `limit` parameter from the action input. - 2. **API Request**: It performs a POST request to the Nucleon Cyber `activethreats` - endpoint using Basic Authentication. + 2. **API Request:** It performs a POST request to the Nucleon Cyber `activethreats` + endpoint, passing the client identifiers and the result limit in the request body. - 3. **Error Handling**: The script checks for successful authentication and valid - response codes. If authentication fails or the data section is missing, it raises - an exception. + 3. **Authentication & Validation:** The script validates the response status code + and checks for specific error strings (e.g., 'ApiKey authenticate failed') to + ensure the connection was successful. - 4. **Data Processing**: The "data" section of the JSON response is extracted. + 4. **Data Extraction:** It parses the JSON response to extract the `data` section + containing the threat intelligence. - 5. **Output Generation**: The retrieved threat data is added to the action's JSON - results, making it available for downstream playbook tasks. + 5. **Output Generation:** The retrieved data is added to the action's JSON results + and context details, making it available for subsequent playbook steps. capabilities: can_create_case_comments: false can_create_insight: false @@ -70,20 +74,74 @@ GetIPs: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: ai_description: >- - ### General Description The Ping action is designed to verify the connectivity - between Google SecOps and the NucleonCyber API. It ensures that the provided credentials - and client identifiers are valid and that the service is reachable. ### Parameters - Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- - | :--- | | limit | String | Yes | Specifies the maximum number of results to request - from the API during the connectivity test. | ### Flow Description 1. Configuration - Retrieval: The action fetches the integration's global settings, including the - Username, Password, Client Name, and Client ID. 2. Parameter Extraction: It retrieves - the limit parameter from the action input. 3. API Request: It executes a POST - request to the NucleonCyber activethreats endpoint using Basic Authentication. - 4. Validation: The action checks if the API returns a HTTP 200 status code. 5. - Completion: If successful, it reports a Successful Connection. + ### General Description + + The **Ping** action is designed to verify the connectivity between Google SecOps + and the NucleonCyber API. It serves as a diagnostic tool to ensure that the provided + credentials (Username, Password) and configuration parameters (Client Name, Client + ID) are valid and that the external service is reachable. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | **limit** | String | Yes | Specifies the number of API results to request during + the connectivity test. Defaults to "5". | + + + ### Flow Description + + 1. **Configuration Extraction**: The action retrieves the integration's global + settings, including the Username, Password, Client Name, and Client ID. + + 2. **Parameter Extraction**: The action retrieves the `limit` parameter from the + action input. + + 3. **API Request**: It performs a POST request to the NucleonCyber `activethreats` + endpoint (`https://api.nucleoncyber.com/feed/activethreats`) using Basic Authentication. + + 4. **Validation**: The action checks the HTTP response status code. If the status + code is 200, it confirms a successful connection. + + 5. **Outcome**: If the connection is successful, the action returns a success + message. If the credentials or connection fail (non-200 status), an exception + is raised. + + + ### Additional Notes + + * This action does not process any entities and is strictly used for integration + health checks. capabilities: can_create_case_comments: false can_create_insight: false @@ -92,7 +150,7 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: false + fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false @@ -111,3 +169,28 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/community/nucleon_cyber/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/nucleon_cyber/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..2e831240c --- /dev/null +++ b/content/response_integrations/third_party/community/nucleon_cyber/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + siem: false + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/pager_duty/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/pager_duty/resources/ai/actions_ai_description.yaml index 84d3c8195..c895c43e4 100644 --- a/content/response_integrations/third_party/community/pager_duty/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/pager_duty/resources/ai/actions_ai_description.yaml @@ -2,52 +2,52 @@ Create Incident: ai_description: >- ### General Description - This action creates a new incident in PagerDuty. It is used to programmatically - trigger incident response workflows by providing specific details such as title, - urgency, and description. The incident is associated with a specific service defined - in the integration configuration. + This action creates a new incident in PagerDuty using the provided details. It + is typically used to escalate security alerts from Google SecOps to an on-call + rotation or incident management workflow in PagerDuty. ### Parameters Description - | Parameter | Type | Mandatory | Description | + | Parameter | Description | Type | Mandatory | | :--- | :--- | :--- | :--- | - | Details | String | Yes | Detailed information about the incident, such as logs - or investigation context. | + | Details | A detailed description of the incident, providing context for the + responder. | String | Yes | - | Title | String | Yes | A concise summary of the incident. | + | Title | A short, descriptive title for the PagerDuty incident. | String | Yes + | - | Email | String | Yes | The email address of the PagerDuty user creating the - incident. This is used for attribution in PagerDuty. | + | Email | The email address of the user creating the incident. This is used in + the 'From' header required by the PagerDuty API. | String | Yes | - | Urgency | String | Yes | The urgency level of the incident (e.g., 'high' or - 'low'). | + | Urgency | The urgency level of the incident (e.g., 'high' or 'low'). | String + | Yes | ### Additional Notes - - The **Service ID** used to create the incident is retrieved from the 'Services' - parameter in the integration configuration. + * This action requires the 'Services' ID to be configured in the PagerDuty integration + settings, as it determines which service the incident will be associated with. - - The action returns the full JSON response from PagerDuty, including the incident - number and ID. + * The action does not run on specific entities; it uses the provided parameters + to generate the external record. ### Flow Description - 1. **Initialization**: Retrieves the API token and Service ID from the PagerDuty - integration configuration. + 1. **Initialization**: The action initializes the PagerDuty manager using the + API token and service configuration from the integration settings. - 2. **Input Collection**: Captures the Title, Email, Urgency, and Details from - the action parameters. + 2. **Parameter Extraction**: It retrieves the Title, Email, Urgency, and Details + from the action parameters. - 3. **API Request**: Sends a POST request to the PagerDuty `/incidents` endpoint - with the incident payload. + 3. **API Request**: The action sends a POST request to the PagerDuty `/incidents` + endpoint with the constructed payload. - 4. **Completion**: Processes the API response, attaches the incident data to the - action results, and marks the action as completed. + 4. **Result Processing**: If successful, the full JSON response of the created + incident is returned and added to the action results. capabilities: can_create_case_comments: false can_create_insight: false @@ -56,9 +56,8 @@ Create Incident: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new incident record in the PagerDuty platform via the /incidents API - endpoint. - fetches_data: false + Creates a new incident record in the PagerDuty platform via a POST request. + fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false @@ -77,86 +76,115 @@ Create Incident: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: true + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Filtered Incident List: ai_description: >- ### General Description - The **Filtered Incident List** action retrieves a list of incidents from PagerDuty - based on a variety of user-defined filters. It allows security analysts to search - for specific incidents by status, urgency, assigned users, teams, or specific - timeframes, providing a flexible way to query PagerDuty data directly from a playbook. + This action retrieves a filtered list of incidents from PagerDuty based on a wide + variety of criteria. It allows analysts to search for specific incidents by status, + urgency, assigned users, teams, services, and time ranges. The results are returned + as a JSON object, making it ideal for automated reporting, incident auditing, + or as a precursor to bulk incident management within a playbook. ### Parameters Description - | Parameter | Type | Mandatory | Description | + | Parameter | Description | Type | Mandatory | | :--- | :--- | :--- | :--- | - | **Email** | String | Yes | The email address of the PagerDuty user. While mandatory - for the action configuration, it is primarily used for auditing and header requirements - in PagerDuty API interactions. | + | Email | The email address of the user making the request. This is often required + by PagerDuty for auditing purposes. | String | Yes | - | **Additional_Data** | Multi-select | No | Specifies additional details to include - in the response, such as 'users', 'services', 'assignees', or 'teams'. | + | Additional_Data | Specifies additional details to include in the response, such + as 'users', 'services', 'assignees', or 'teams'. | Multi-choice | No | - | **sort_by** | Multi-select | No | Determines the field to sort by (e.g., incident_number, - created_at) and the order (asc, desc). | + | sort_by | Determines the field to sort by (e.g., incident_number, created_at) + and the order (asc, desc). | Multi-choice | No | - | **Urgencies** | Multi-select | No | Filters the results by incident urgency - level (low or high). | + | Urgencies | Filters incidents by their urgency level (low or high). | Multi-choice + | No | - | **User_IDS** | String | No | Filters incidents assigned to specific user IDs. - Can be provided as a single ID or a JSON-formatted list of IDs. | + | User_IDS | Filters incidents assigned to specific User IDs. Multiple IDs can + be provided. | String | No | - | **Team_IDS** | String | No | Filters incidents associated with specific team - IDs. Supports JSON-formatted lists. | + | Team_IDS | Filters incidents assigned to specific Team IDs. Multiple IDs can + be provided. | String | No | - | **Incident_Key** | String | No | Filters results by a specific PagerDuty incident - key. | + | Incident_Key | Filters for a specific incident using its unique Incident Key. + | String | No | - | **Incidents_Statuses** | Multi-select | No | Filters incidents by their current - state: triggered, acknowledged, or resolved. | + | Incidents_Statuses | Filters incidents by their current state: triggered, acknowledged, + or resolved. | Multi-choice | No | - | **Since** | String | No | The start date for the incident search (format: YYYY-MM-DD). - | + | Data_Range | Filters incidents based on a predefined data range string. | String + | No | - | **Until** | String | No | The end date for the incident search (format: YYYY-MM-DD). - | + | Since | The start date for the search range in YYYY-MM-DD format. Maximum range + is 6 months. | String | No | - | **Data_Range** | String | No | A predefined data range filter for the query. + | Until | The end date for the search range in YYYY-MM-DD format. | String | No | - | **Service_IDS** | String | No | Filters incidents associated with specific service - IDs. | + | Service_IDS | Filters incidents associated with specific Service IDs. | String + | No | ### Additional Notes - - Parameters that accept multiple values (like `User_IDS` or `Team_IDS`) can be - passed as a standard string or a JSON array string (e.g., `["P123", "P456"]`). + - The action handles multi-choice parameters by parsing them as JSON lists if + they are formatted as such. + + - The `Since` parameter is restricted to a maximum lookback of 6 months by the + PagerDuty API. - - The action performs a read-only query and does not modify any incident data - in PagerDuty. + - While the `Email` parameter is mandatory in the configuration, the underlying + logic for this specific search action primarily relies on the API Token for authentication. ### Flow Description 1. **Initialization**: The action initializes the PagerDuty manager using the - API token from the integration configuration. + integration's API key. - 2. **Parameter Parsing**: It extracts all input parameters and processes them, - converting JSON-formatted strings into Python lists and removing empty values. + 2. **Parameter Extraction**: It extracts all filter parameters from the environment, + including mandatory fields like Email and optional filters like Statuses and IDs. - 3. **Query Construction**: A dictionary of filter parameters is constructed, mapping - SOAR inputs to PagerDuty API query keys (e.g., `statuses[]`, `service_ids[]`). + 3. **Data Parsing**: The script processes multi-choice and list-based parameters, + ensuring they are correctly formatted for the API request and removing any empty + values. - 4. **API Execution**: The action sends a GET request to the PagerDuty `/incidents` - endpoint with the constructed query parameters. + 4. **API Request**: It constructs a query dictionary and executes a GET request + to the PagerDuty `/incidents` endpoint with the specified filters. - 5. **Result Handling**: The retrieved list of incidents is attached to the action's - result as a JSON object, and the execution status is updated based on whether - incidents were found. + 5. **Result Processing**: The action captures the list of incidents and attaches + them to the action's JSON result, completing the execution with a success message + if data is found. capabilities: can_create_case_comments: false can_create_insight: false @@ -168,7 +196,7 @@ Filtered Incident List: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: entity_types: [] filters_by_additional_properties: false @@ -184,14 +212,39 @@ Filtered Incident List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Incident By ID: ai_description: >- ### General Description Retrieves detailed information about a specific PagerDuty incident using its unique - Incident Key. This action is primarily used to fetch the current status, urgency, - and metadata of an incident from PagerDuty to provide context within a Google - SecOps case. + Incident Key. This action is useful for fetching the current status, urgency, + and metadata of an incident directly from PagerDuty to assist in automated workflows + or manual investigations within Google SecOps. ### Parameters Description @@ -200,34 +253,36 @@ Get Incident By ID: | :--- | :--- | :--- | :--- | - | Incident Key | String | Yes | The unique identifier (Incident Key) of the PagerDuty + | Incident Key | string | Yes | The unique identifier (Incident Key) of the PagerDuty incident to retrieve. | - | Email | String | Yes | The email address of the PagerDuty user performing the - action. This is required for the 'From' header in PagerDuty API requests. | + | Email | string | Yes | The email address of the user performing the action. + This is required by the PagerDuty API for the 'From' header to track who is making + the request. | ### Flow Description - 1. **Initialization**: The action extracts the `Incident Key` and `Email` from - the input parameters and retrieves the API token from the integration configuration. + 1. **Parameter Extraction**: The action extracts the `Incident Key` and the requester's + `Email` from the input parameters. + + 2. **Manager Initialization**: Initializes the PagerDuty API manager using the + configured API token. - 2. **API Request**: The action calls the PagerDuty API's `/incidents` endpoint - using a GET request, passing the user's email in the 'From' header. + 3. **API Request**: Sends a GET request to the PagerDuty `/incidents` endpoint, + including the user's email in the 'From' header. - 3. **Data Processing**: The script receives a list of incidents and iterates through - them to find the specific entry where the `incident_key` matches the provided - input. + 4. **Data Filtering**: Iterates through the returned incidents to find the one + that matches the provided `Incident Key`. - 4. **Result Delivery**: If found, the incident details are returned as a JSON - object. If no match is found, the action completes with a 'No Incident Found' - message. + 5. **Result Processing**: If found, the incident details are added to the action's + JSON results. If not found, an appropriate message is returned. ### Additional Notes - This action does not operate on SecOps entities (like IPs or Hostnames); it is - a standalone utility that relies on the provided `Incident Key` parameter. + This action does not run on entities; it relies entirely on the provided `Incident + Key` parameter to identify the target record. capabilities: can_create_case_comments: false can_create_insight: false @@ -239,7 +294,7 @@ Get Incident By ID: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: true + enrichment: false entity_usage: entity_types: [] filters_by_additional_properties: false @@ -255,52 +310,70 @@ Get Incident By ID: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get User By Email: ai_description: >- ### General Description - The **Get User By Email** action retrieves comprehensive details for a specific - user in PagerDuty using their email address. This action is primarily used to - fetch user-specific metadata such as user IDs, roles, contact methods, and team - associations from the PagerDuty platform. + Retrieves detailed information for a specific PagerDuty user based on their email + address. This action is useful for identifying user roles, contact information, + and account status within PagerDuty during an incident response workflow. ### Parameters Description - | Parameter | Type | Mandatory | Description | + | Parameter | Description | Type | Mandatory | Notes | - | :--- | :--- | :--- | :--- | + | :--- | :--- | :--- | :--- | :--- | - | **Email** | String | Yes | The exact email address of the PagerDuty user whose - information you want to retrieve. | + | Email | The email address of the PagerDuty user to retrieve information for. + | string | Yes | Default value is 'test@example.com'. | ### Flow Description - 1. **Parameter Extraction**: The action extracts the `Email` parameter provided - in the action configuration. - - 2. **API Initialization**: It initializes the PagerDuty manager using the integration's - API key. + 1. **Parameter Retrieval**: The action extracts the `Email` parameter provided + by the user. - 3. **Data Retrieval**: The action performs a GET request to the PagerDuty `/users` - endpoint, using the email as a query parameter. + 2. **API Query**: It calls the PagerDuty `/users` API endpoint using the email + as a query parameter. - 4. **Exact Match Filtering**: Since the PagerDuty API may return partial matches, - the script iterates through the results to identify the user object that exactly - matches the provided email address. + 3. **Data Filtering**: The action iterates through the returned list of users + to find an exact match for the provided email address. - 5. **Result Processing**: If a match is found, the user's full JSON profile is - added to the action results. If no user is found, the action returns a failure - state. + 4. **Result Output**: If a match is found, the user's full profile (JSON) is added + to the action results. If no user is found, the action fails with an informative + message. ### Additional Notes - - This action does not operate on SecOps entities; it relies entirely on the manual - input of an email address. - - - The action is read-only and does not modify any data within PagerDuty. + This action does not automatically process entities from the SecOps case; it relies + solely on the manual input provided in the `Email` parameter. capabilities: can_create_case_comments: false can_create_insight: false @@ -312,7 +385,7 @@ Get User By Email: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: true + enrichment: false entity_usage: entity_types: [] filters_by_additional_properties: false @@ -328,48 +401,49 @@ Get User By Email: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get User By ID: - ai_description: >- - ### General Description - - This action retrieves detailed information for a specific user in PagerDuty using - their unique User ID. It is primarily used to fetch user metadata such as name, - email, time zone, role, and contact methods for further investigation or automation - logic within a playbook. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | UserID | String | Yes | The unique identifier (ID) of the user in PagerDuty - whose information you want to retrieve. | - - - ### Additional Notes - - - This action does not run on entities; it requires a specific User ID provided - as a parameter. - - - The action returns the full user object as a JSON result if the ID is valid. - - - ### Flow Description - - 1. **Parameter Retrieval**: The action extracts the `UserID` from the input parameters - and the `api_key` from the integration configuration. - - 2. **API Interaction**: It initializes the PagerDuty manager and performs a GET - request to the `/users/{id}` endpoint. - - 3. **Data Processing**: If the user is found, the action extracts the user details - from the response. - - 4. **Output**: The retrieved user data is attached to the action's JSON result, - and the action completes successfully. If the user is not found or an error occurs, - the action fails with an appropriate error message. + ai_description: "### General Description\nRetrieves detailed information for a specific\ + \ PagerDuty user using their unique User ID. This action is primarily used to\ + \ fetch metadata such as a user's name, email, time zone, role, and description\ + \ directly from the PagerDuty platform.\n\n### Parameters Description\n\n| Parameter\ + \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| UserID\ + \ | string | Yes | The unique identifier (ID) of the PagerDuty user to retrieve\ + \ information for. |\n\n### Flow Description\n1. **Initialization**: The action\ + \ initializes the PagerDuty manager using the API key provided in the integration\ + \ configuration.\n2. **Parameter Extraction**: It retrieves the `UserID` provided\ + \ by the user in the action parameters.\n3. **API Request**: The action performs\ + \ a GET request to the PagerDuty API endpoint `/users/{userID}`.\n4. **Data Processing**:\ + \ \n * If the user is found, the action extracts the user object from the response.\n\ + \ * If the user is not found or the request fails, an error message is generated.\n\ + 5. **Output**: The retrieved user data is added to the action's JSON results,\ + \ and the action completes with a success message containing the user's email.\n\ + \n### Additional Notes\nThis action does not process SecOps entities. It relies\ + \ entirely on the manual input of a PagerDuty User ID." capabilities: can_create_case_comments: false can_create_insight: false @@ -381,7 +455,7 @@ Get User By ID: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: true + enrichment: false entity_usage: entity_types: [] filters_by_additional_properties: false @@ -397,42 +471,70 @@ Get User By ID: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false List All OnCall: ai_description: >- ### General Description - The **List All OnCall** action retrieves a comprehensive list of all current on-call - entries from PagerDuty. This utility action is designed to provide visibility - into which personnel are currently active across various escalation policies, - schedules, and services within the PagerDuty environment. + Retrieves a list of all current on-call shifts from PagerDuty. This action provides + visibility into which users are currently assigned to on-call schedules across + various services and escalation policies. It is primarily used to identify the + correct personnel to contact or escalate to during an incident response process. - ### Parameters Description + ### Flow Description - There are no parameters for this action. + 1. **Authentication**: The action initializes the PagerDuty manager using the + API key provided in the integration configuration. + + 2. **API Request**: It executes a GET request to the PagerDuty `/oncalls` endpoint + to retrieve the current on-call status. + 3. **Data Extraction**: The action parses the API response and extracts the list + of on-call entries. - ### Flow Description + 4. **Result Output**: The retrieved list is added to the action's JSON results, + and the action completes with a success message. - 1. **Initialization**: The action initializes the PagerDuty API manager using - the API key defined in the integration's configuration. - 2. **API Request**: It executes a GET request to the PagerDuty `/oncalls` endpoint - to retrieve the current on-call status for the entire organization. + ### Parameters Description - 3. **Data Output**: The retrieved list of on-call records is processed and added - to the action's execution results as a JSON object. + | Parameter Name | Type | Mandatory | Description | - 4. **Finalization**: The action completes with a success message if the data is - retrieved, or a failure message if the PagerDuty API returns an error or no data - is found. + | :--- | :--- | :--- | :--- | + + | None | N/A | N/A | This action does not take any input parameters. | ### Additional Notes - This action does not operate on specific entities (like Hostnames or Users) within - the Google SecOps case; it fetches global organizational data from the external - PagerDuty service. + This action does not interact with or filter based on entities within the Google + SecOps case. It returns a global list of on-call assignments for the PagerDuty + account. capabilities: can_create_case_comments: false can_create_insight: false @@ -444,7 +546,7 @@ List All OnCall: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: entity_types: [] filters_by_additional_properties: false @@ -460,44 +562,65 @@ List All OnCall: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false List Incidents: ai_description: >- ### General Description The **List Incidents** action retrieves a comprehensive list of all incidents - from the PagerDuty platform. It is primarily used for visibility and data retrieval, - allowing playbooks to access current incident data for reporting, cross-referencing, - or conditional logic based on the state of PagerDuty incidents. + from the PagerDuty platform. It provides visibility into the current state of + all incidents managed within the PagerDuty account, returning detailed metadata + for each incident found. ### Parameters Description - There are no input parameters for this action. It retrieves all incidents accessible - via the configured API token. - + There are no parameters for this action. - ### Additional Notes - * This action does not require or process any specific entities from the Google - SecOps case. + ### Flow Description - * The results are returned as a raw JSON array containing incident details such - as status, urgency, and service information. + 1. **Initialization**: The action initializes the PagerDuty manager using the + API token retrieved from the integration's configuration. + 2. **API Request**: It executes a GET request to the PagerDuty `/incidents` endpoint + to fetch all incident records. - ### Flow Description + 3. **Data Output**: The retrieved list of incidents is added to the action's JSON + result for use in downstream playbook logic. - 1. **Initialization**: The action initializes the PagerDuty manager using the - API token provided in the integration configuration. + 4. **Finalization**: The action completes with a success message if incidents + are retrieved, or a 'not found' message if the list is empty. - 2. **Data Retrieval**: It performs a GET request to the PagerDuty `/incidents` - endpoint to fetch all active and historical incidents. - 3. **Processing**: The script captures the API response and checks for the presence - of incident data. + ### Additional Notes - 4. **Output**: The retrieved incident list is attached to the action's JSON results, - and the action completes with a success message if data is found. + This action operates at a global level and does not filter results based on specific + entities or case context. capabilities: can_create_case_comments: false can_create_insight: false @@ -525,22 +648,65 @@ List Incidents: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false List Users: ai_description: >- - ### General Description: Retrieves a comprehensive list of all users associated - with the configured PagerDuty account. This action is primarily used for administrative - auditing or to gather contact information for users within the PagerDuty environment. - ### Parameters Description: There are no parameters for this action. Note: Although - the integration metadata mentions hostname parameters, none are defined or used - in the implementation. ### Additional Notes: This action does not operate on specific - entities and instead fetches the global user list for the integration instance. - ### Flow Description: 1. **Initialization**: The action initializes the PagerDuty - manager using the API key provided in the integration configuration. 2. **API - Request**: It performs a GET request to the PagerDuty `/users` endpoint to retrieve - all user records. 3. **Data Handling**: The action extracts the user data from - the API response and attaches it to the action's JSON results. 4. **Completion**: - The action concludes by reporting the success of the retrieval and providing the - user list as output. + ### General Description + + The **List Users** action retrieves a comprehensive list of all users associated + with the PagerDuty account. This action is primarily used for administrative visibility + or to provide a reference list of users for other automated workflows within the + SOAR platform. + + + ### Parameters Description + + There are no input parameters for this action. + + + ### Flow Description + + 1. **Authentication**: The action retrieves the API key from the integration configuration + and initializes the PagerDuty manager. + + 2. **Data Retrieval**: It executes a GET request to the PagerDuty `/users` endpoint + to fetch all user records. + + 3. **Result Handling**: The action parses the response, extracts the list of users, + and attaches the raw data to the action's JSON results. + + 4. **Completion**: The action concludes with a success message if users are found, + or a 'no users found' message if the list is empty. + + + ### Additional Notes + + This action does not operate on specific entities and fetches data at the global + account level. capabilities: can_create_case_comments: false can_create_insight: false @@ -552,7 +718,7 @@ List Users: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: true + enrichment: false entity_usage: entity_types: [] filters_by_additional_properties: false @@ -568,52 +734,70 @@ List Users: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: ai_description: >- ### General Description - The **Ping** action is a diagnostic utility designed to verify the connectivity - and authentication between Google SecOps and the PagerDuty API. Its primary purpose - is to ensure that the provided API key is valid and that the network environment - allows for outbound communication to PagerDuty's infrastructure. + The **Ping** action is a utility designed to verify the connectivity between the + Google SecOps platform and the PagerDuty API. It ensures that the provided API + key is valid and that the network path to PagerDuty's services is open. ### Parameters Description - | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | api_key | String | Yes | The API key used to authenticate with the PagerDuty - API. This is typically retrieved from the integration configuration. | + | N/A | N/A | N/A | This action does not have any input parameters. It relies + on the integration's configuration (API Key). | ### Additional Notes - - This action does not interact with or process any entities (e.g., IPs, Hostnames). + - This action is primarily used for troubleshooting and initial setup validation. - - It is strictly a connectivity test and does not retrieve or modify any incident - data. - - - According to standard SOAR practices, this action is not classified as an enrichment - action. + - It does not interact with any SecOps entities or modify any data. ### Flow Description - 1. **Parameter Extraction**: The action retrieves the mandatory `api_key` from - the integration's configuration settings. + 1. **Configuration Extraction**: The action retrieves the `api_key` from the PagerDuty + integration settings. - 2. **Client Initialization**: It initializes the `PagerDutyManager` with the provided - API key to handle HTTP requests. + 2. **Client Initialization**: A connection session is established using the PagerDuty + Manager. - 3. **Connectivity Test**: The action executes a GET request to the PagerDuty `/abilities` - endpoint. + 3. **Connectivity Test**: The action performs a GET request to the `/abilities` + endpoint of the PagerDuty API. - 4. **Validation**: If the API responds with a successful status code, the action - confirms connectivity. If the request fails (e.g., 401 Unauthorized or network - timeout), an error message is generated. + 4. **Validation**: The action checks the response status; a successful response + confirms connectivity. capabilities: can_create_case_comments: false can_create_insight: false @@ -641,54 +825,75 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Run Response Play: ai_description: >- - ### General Description - - Runs a specified PagerDuty response play on a given incident. Response plays are - pre-defined sets of actions in PagerDuty that can be manually or automatically + Runs a specified PagerDuty Response Play on a given incident. Response plays are + pre-configured packages of actions in PagerDuty that can be manually or automatically triggered to streamline incident response, such as notifying specific stakeholders - or adding responders. This action is currently marked as deprecated. + or adding responders. Note: This action is marked as deprecated. - ### Parameters Description + ### Flow Description: - | Parameter | Type | Mandatory | Description | + 1. **Parameter Extraction:** Retrieves the user's email, the Response Play ID, + and the Incident ID from the action parameters. - | :--- | :--- | :--- | :--- | + 2. **Manager Initialization:** Initializes the PagerDuty API manager using the + provided API key. - | Email | String | Yes | The email address of the PagerDuty user performing the - action. This is required for the 'From' header in the API request. | + 3. **Execution:** Sends a POST request to the PagerDuty API endpoint `/response_plays/{response_plays_id}/run` + with the incident reference in the payload. - | Response ID | String | Yes | The unique identifier of the response play to be - executed. | + 4. **Result Handling:** Captures the API response and reports the success or failure + of the play execution to the Google SecOps case wall. - | Incident_ID | String | Yes | The unique identifier of the PagerDuty incident - on which the response play will be applied. | + ### Parameters Description: - ### Flow Description + | Parameter | Type | Mandatory | Description | - 1. **Parameter Extraction**: The action retrieves the user's email, the specific - Response Play ID, and the target Incident ID from the input parameters. + | :--- | :--- | :--- | :--- | - 2. **Manager Initialization**: Initializes the PagerDuty API manager using the - integration's API key. + | Email | String | Yes | The email address of the PagerDuty user performing the + action. This is used for the 'From' header required by PagerDuty's API. | - 3. **API Execution**: Sends a POST request to the PagerDuty `/response_plays/{response_play_id}/run` - endpoint with the incident reference in the payload. + | Response ID | String | Yes | The unique identifier of the Response Play to be + executed. | - 4. **Result Reporting**: Captures the API response, adds it to the action results, - and provides a success or failure message based on the HTTP response status. + | Incident_ID | String | Yes | The unique identifier of the PagerDuty incident + on which the response play will be run. | - ### Additional Notes + ### Additional Notes: - * **Deprecated**: This action is officially marked as deprecated in the integration - metadata. + - This action is deprecated and may be replaced by newer workflow capabilities. - * **No Entity Support**: This action does not iterate over or utilize Google SecOps - entities; it operates strictly based on the provided parameters. + - The action requires a valid API key with permissions to execute response plays. capabilities: can_create_case_comments: false can_create_insight: false @@ -697,8 +902,8 @@ Run Response Play: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Triggers a response play in PagerDuty, which initiates automated workflows and - state changes (like adding responders or notifying users) on a specific incident. + Triggers a Response Play in PagerDuty, which initiates automated workflows, + notifications, or status changes associated with a specific incident. fetches_data: false internal_data_mutation_explanation: null categories: @@ -718,27 +923,73 @@ Run Response Play: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: true Snooze Incident: - ai_description: "### General Description\nThe **Snooze Incident** action allows\ - \ users to temporarily silence a PagerDuty incident for a fixed duration of one\ - \ hour (3600 seconds). This action is primarily used to pause notifications for\ - \ an active incident while it is being addressed or during known maintenance periods.\n\ - \n### Parameters Description\n| Parameter | Type | Mandatory | Description |\n\ - | :--- | :--- | :--- | :--- |\n| **Email** | String | Yes | The email address\ - \ of the PagerDuty user performing the action. This is required by PagerDuty for\ - \ the 'From' header to track who initiated the snooze. |\n| **IncidentID** | String\ - \ | Yes | The unique identifier of the PagerDuty incident that needs to be snoozed.\ - \ |\n\n### Flow Description\n1. **Initialization**: The action extracts the `Email`\ - \ and `IncidentID` from the input parameters and retrieves the API key from the\ - \ integration configuration.\n2. **API Request**: It utilizes the `PagerDutyManager`\ - \ to send a POST request to the PagerDuty `/incidents/{incident_id}/snooze` endpoint.\n\ - 3. **Payload**: The request includes a hardcoded payload setting the snooze duration\ - \ to 3600 seconds (1 hour).\n4. **Response Handling**: \n * If successful,\ - \ the action retrieves the updated incident details, adds them to the JSON results,\ - \ and completes the execution.\n * If an HTTP error occurs (e.g., invalid ID\ - \ or unauthorized), the action captures the error details and marks the execution\ - \ as failed.\n\n### Additional Notes\n* The snooze duration is currently fixed\ - \ at 1 hour and cannot be adjusted via parameters." + ai_description: >- + ### General Description + + Snoozes a specific PagerDuty incident for a duration of one hour. This action + changes the state of the incident in PagerDuty, preventing further notifications + for the specified period and returning the updated incident details. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Email | string | Yes | The email address of the PagerDuty user performing the + action. This is required for the 'From' header in PagerDuty API requests. | + + | IncidentID | string | Yes | The unique identifier of the PagerDuty incident + to be snoozed. | + + + ### Flow Description + + 1. **Initialization**: The action initializes the PagerDuty manager using the + API key from the integration configuration. + + 2. **Parameter Extraction**: It retrieves the mandatory `Email` and `IncidentID` + from the action parameters. + + 3. **API Execution**: It calls the PagerDuty API's snooze endpoint (`POST /incidents/{incident_id}/snooze`) + with a hardcoded duration of 3600 seconds (1 hour). + + 4. **Output**: Upon success, the action returns the updated incident JSON data + and completes the execution. If an HTTP error occurs, it captures the error details + and marks the action as failed. + + + ### Additional Notes + + The snooze duration is currently hardcoded to 3600 seconds (1 hour) within the + integration's manager logic. capabilities: can_create_case_comments: false can_create_insight: false @@ -747,8 +998,8 @@ Snooze Incident: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Snoozes an incident in PagerDuty, which changes the incident's state to 'snoozed' - and suppresses notifications for a duration of 1 hour. + Changes the status of an incident in PagerDuty to 'snoozed', which suppresses + notifications for a duration of 1 hour. fetches_data: true internal_data_mutation_explanation: null categories: @@ -768,3 +1019,28 @@ Snooze Incident: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: true diff --git a/content/response_integrations/third_party/community/pager_duty/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/pager_duty/resources/ai/connectors_ai_description.yaml new file mode 100644 index 000000000..2cd32e755 --- /dev/null +++ b/content/response_integrations/third_party/community/pager_duty/resources/ai/connectors_ai_description.yaml @@ -0,0 +1,55 @@ +PagerDutyConnector: + ai_description: >- + ### General Description + + The PagerDuty connector facilitates the ingestion of incidents from the PagerDuty + platform into Google SecOps. It allows security teams to centralize incident management + by pulling active PagerDuty incidents and converting them into actionable alerts + within the SOAR environment. Additionally, the connector supports an automated + acknowledgment feature to synchronize incident states between both platforms. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | apiKey | String | Yes | The API Key used to authenticate with the PagerDuty + API. | + + | acknowledge | Boolean | No | If enabled, the connector will automatically acknowledge + the incident in PagerDuty upon successful ingestion. Requires an API key with + write permissions. | + + | DeviceProductField | String | Yes | The field name used to determine the device + product for the ingested alert (default: device_product). | + + | EventClassId | String | Yes | The field name used to determine the event name + or sub-type (default: event_name). | + + | PythonProcessTimeout | String | Yes | The maximum time in seconds allowed for + the connector script to execute. | + + + ### Flow Description + + 1. **Authentication**: The connector establishes a session with the PagerDuty + API using the provided API Key. + + 2. **Incident Retrieval**: It queries the PagerDuty `/incidents` endpoint to fetch + a list of current incidents. + + 3. **Severity Mapping**: The connector maps PagerDuty urgency levels to Google + SecOps severity values (e.g., 'high' maps to 100, 'low' maps to -1). + + 4. **Alert Construction**: For each incident, the connector creates an `AlertInfo` + object, populating it with the incident title, creation time, and flattened event + data. + + 5. **State Synchronization**: If the `acknowledge` parameter is set to true, the + connector sends a request to PagerDuty to update the incident status to 'acknowledged' + for each processed alert. + + 6. **Ingestion**: The finalized list of alerts is returned to the system for case + creation and further orchestration. diff --git a/content/response_integrations/third_party/community/pager_duty/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/pager_duty/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..6896a3667 --- /dev/null +++ b/content/response_integrations/third_party/community/pager_duty/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: true + edr: false + email_security: false + iam_and_identity_management: false + itsm: true + network_security: false + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/perimeter_x/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/perimeter_x/resources/ai/actions_ai_description.yaml index a5191b64c..ef2f38cf6 100644 --- a/content/response_integrations/third_party/community/perimeter_x/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/perimeter_x/resources/ai/actions_ai_description.yaml @@ -1,47 +1,41 @@ Ping: ai_description: >- - ### General Description + The Ping action is a utility designed to verify the connectivity and authentication + status between Google SecOps and the Slack API for the PerimeterX integration. + It ensures that the configured Slack API Key is valid and that the system can + successfully communicate with Slack's authentication endpoint. - The Ping action is designed to verify the connectivity and authentication status - between Google SecOps and the Slack API as part of the PerimeterX integration. - It ensures that the configured credentials are correct and that the system can - successfully communicate with Slack. + ### Flow Description: - ### Parameters Description + 1. **Configuration Retrieval**: The action extracts the 'Slack API Key' and 'Slack + Channel' from the integration's global configuration settings. - | Parameter Name | Type | Mandatory | Description | + 2. **Manager Initialization**: It initializes the PerimeterXManager using the + retrieved Slack credentials. - | :--- | :--- | :--- | :--- | - - | Slack API Key | String | Yes | The API token used to authenticate requests to - the Slack platform. This is a configuration-level parameter. | + 3. **Authentication Test**: It performs a POST request to the Slack `auth.test` + API endpoint to validate the token. - | Slack Channel | String | Yes | The specific Slack channel name associated with - the integration. This is a configuration-level parameter. | + 4. **Result Validation**: The action evaluates the API response. If the response + indicates success ('ok': true), the action completes successfully. If the API + returns an error or the connection fails, the action reports a failure. - ### Flow Description + ### Parameters Description: - 1. **Parameter Extraction**: The action retrieves the Slack API Key and Slack - Channel from the integration's configuration settings. + | Parameter | Type | Mandatory | Description | - 2. **Manager Initialization**: It initializes the PerimeterXManager with the provided - credentials. - - 3. **Authentication Check**: The action calls the auth() method, which performs - a POST request to the Slack auth.test endpoint to verify the token. + | :--- | :--- | :--- | :--- | - 4. **Result Reporting**: If the API returns a successful authentication response, - the action completes with a success message. If an error occurs or authentication - fails, it reports a failure status. + | N/A | N/A | N/A | This action does not have any input parameters; it uses integration + configuration parameters. | - ### Additional Notes + ### Additional Notes: - This action does not process any entities and is strictly used for health checks - of the integration configuration. As a Ping action, it is not categorized as an - enrichment action. + This action is primarily used for health checks and troubleshooting to ensure + the Slack connector is properly configured within the PerimeterX integration. capabilities: can_create_case_comments: false can_create_insight: false @@ -69,3 +63,28 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/community/perimeter_x/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/perimeter_x/resources/ai/connectors_ai_description.yaml new file mode 100644 index 000000000..584f5ba73 --- /dev/null +++ b/content/response_integrations/third_party/community/perimeter_x/resources/ai/connectors_ai_description.yaml @@ -0,0 +1,60 @@ +Slack Connector For Code Defender: + ai_description: >- + ### General Description + + The Slack Connector For Code Defender allows Google SecOps to ingest security + alerts from PerimeterX Code Defender via a Slack integration. It monitors a designated + Slack channel where Code Defender posts incident notifications, automatically + converting these messages into structured cases and events for security orchestration + and response. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Slack Channel | String | Yes | The name of the Slack channel to monitor for + alerts (e.g., 'cd_alerts'). Do not include the '#' prefix. | + + | Slack API Key | Password | Yes | The API Key/Token used to authenticate with + the Slack API. | + + | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the + python process running the current script. | + + | EventClassId | String | Yes | The field name used to determine the event name + or sub-type. | + + | DeviceProductField | String | Yes | The field name used to determine the device + product (e.g., 'PerimeterXCodeDefender'). | + + + ### Flow Description + + 1. **Authentication and Setup**: The connector authenticates with the Slack API + using the provided API Key and resolves the specified Slack Channel name to a + unique Channel ID. + + 2. **Timestamp Management**: It retrieves the timestamp of the last successful + execution to ensure only new messages are processed, preventing duplicate alerts. + + 3. **Message Retrieval**: The connector queries the Slack `conversations.history` + endpoint, fetching messages from the channel since the last run. It supports pagination + to handle large volumes of messages. + + 4. **Alert Filtering**: It filters the retrieved messages to identify specific + PerimeterX Code Defender notifications by looking for the title 'Code Defender + has detected a new incident' within the message attachments. + + 5. **Data Extraction**: For each matching message, the connector parses the attachment + fields to extract critical metadata, including Risk Level (Severity), Script Name, + Host Domain, and deep links to the PerimeterX console. + + 6. **Case Creation**: The extracted data is mapped to the Google SecOps AlertInfo + model. Priorities are assigned based on a mapping of Code Defender risk levels + (Informative, Low, Medium, High, Critical). + + 7. **Ingestion**: The connector packages the alerts and events, ingests them into + Google SecOps, and updates the stored timestamp for the next iteration. diff --git a/content/response_integrations/third_party/community/perimeter_x/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/perimeter_x/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..a67fd6077 --- /dev/null +++ b/content/response_integrations/third_party/community/perimeter_x/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: true + siem: true + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/philips_hue/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/philips_hue/resources/ai/actions_ai_description.yaml index c361f78df..61e781247 100644 --- a/content/response_integrations/third_party/community/philips_hue/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/philips_hue/resources/ai/actions_ai_description.yaml @@ -2,47 +2,44 @@ Ping: ai_description: >- ### General Description - Tests the connectivity to the Philips HUE Bridge to ensure that the provided configuration - parameters (Bridge IP and Authorized Username) are correct and that the bridge - is reachable over the network. This action is primarily used for health checks - and verifying integration settings. + The **Ping** action is designed to verify the connectivity between the Google + SecOps platform and the Philips HUE Bridge. It serves as a diagnostic tool to + ensure that the integration's configuration parameters, such as the Bridge IP + and Authorized Username, are correct and that the bridge is reachable over the + network. ### Parameters Description - | Parameter | Type | Mandatory | Description | + There are no action-specific parameters for this action. It relies entirely on + the integration's global configuration parameters: - | :--- | :--- | :--- | :--- | + * **Bridge IP**: The IP address of the Philips HUE bridge. - | Bridge IP | String | Yes (Config) | The IP address of the Philips HUE bridge, - retrieved from the integration configuration. | + * **Authorized Username**: The username used to authorize access to the bridge's + API. - | Authorized Username | String | Yes (Config) | The username used to authorize - access to the bridge's API, retrieved from the integration configuration. | + ### Flow Description - ### Additional Notes + 1. **Initialization**: The action initializes the `PhilipsManager` using the `Bridge + IP` and `Authorized Username` retrieved from the integration configuration. - This action does not take any runtime parameters; it relies entirely on the integration's - configuration settings. As per standard practice, Ping actions are used for health - checks and do not perform data enrichment or mutation. + 2. **Connectivity Test**: It calls the `test_connectivity` method, which performs + a synchronous GET request to the base API endpoint of the Philips HUE Bridge. + 3. **Validation**: The action checks if the request was successful (HTTP status + code 200). - ### Flow Description + 4. **Result Reporting**: If the connection is successful, it returns a success + message and sets the script result to `True`. If an error occurs during the request, + it captures the exception and reports a failure. - 1. **Initialization**: The action starts by initializing the Siemplify context - and logging the start of the process. - 2. **Configuration Retrieval**: It extracts the 'Bridge IP' and 'Authorized Username' - from the integration's configuration parameters. - - 3. **Connectivity Test**: It uses the PhilipsManager to perform a GET request - to the bridge's API endpoint (https://{bridge_ip}/api/{user_name}). + ### Additional Notes - 4. **Result Handling**: If the GET request is successful (returns a 200 OK), the - action returns a success message. If an error occurs (e.g., timeout, authentication - failure, or network unreachable), it catches the exception and returns a failure - message with the error details. + This action does not interact with any entities and is strictly used for health + checks of the integration connection. capabilities: can_create_case_comments: false can_create_insight: false @@ -70,14 +67,39 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Turn Off Light: ai_description: >- ### General Description The **Turn Off Light** action allows users to programmatically turn off a specific - Philips HUE light bulb via the Philips HUE Bridge. This action is useful for physical - security responses or automation scenarios where lighting control is required - based on security events. + Philips HUE light bulb connected to a Philips HUE Bridge. This action is designed + to interact with the Philips HUE API to change the physical state of a device + based on its unique identifier. ### Parameters Description @@ -87,25 +109,35 @@ Turn Off Light: | :--- | :--- | :--- | :--- | | **Light ID** | String | Yes | The unique identifier of the light bulb you wish - to turn off. This ID is specific to the Philips HUE Bridge configuration. | + to turn off. This ID can be found by listing lights via the bridge API. | ### Flow Description - 1. **Initialization**: The action retrieves the Bridge IP and Authorized Username - from the integration configuration and the Light ID from the action parameters. + 1. **Configuration Retrieval**: The action retrieves the Bridge IP and Authorized + Username from the integration's global configuration. + + 2. **ID Verification**: It queries the Philips HUE Bridge to verify that the provided + `Light ID` exists within the bridge's registry. + + 3. **Reachability Check**: It performs a check to ensure the specific light bulb + is currently reachable (powered and within range) by the bridge. - 2. **Validation**: It first checks if the provided Light ID exists within the - Philips HUE Bridge environment. + 4. **State Mutation**: If the light is valid and reachable, the action sends a + PUT request to the bridge's state endpoint for that specific light, setting the + `on` parameter to `false`. - 3. **Reachability Check**: If the ID exists, the action verifies if the light - bulb is currently reachable by the bridge. + 5. **Result Reporting**: The action provides an output message indicating success + or failure and returns the raw JSON response from the bridge API. - 4. **State Mutation**: If reachable, the action sends a PUT request to the bridge's - API to set the light's 'on' state to `false` (off). - 5. **Reporting**: The action returns a success message if the light was successfully - turned off, or an error message if the light was unreachable or the ID was invalid. + ### Additional Notes + + - This action requires a pre-configured and authorized username on the Philips + HUE Bridge. + + - If the light is physically powered off at a wall switch, the action will identify + it as 'unreachable' and fail to change the state. capabilities: can_create_case_comments: false can_create_insight: false @@ -114,8 +146,8 @@ Turn Off Light: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - The action performs a PUT request to the Philips HUE Bridge API to change the - physical state of a light bulb from 'on' to 'off'. + Modifies the physical state of a Philips HUE light bulb by sending a PUT request + to the bridge API to set the 'on' property to false. fetches_data: true internal_data_mutation_explanation: null categories: @@ -135,15 +167,38 @@ Turn Off Light: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Turn On Light and Color: ai_description: >- ### General Description - The **Turn On Light and Color** action allows users to control a specific Philips - Hue light bulb by its ID. It enables turning the light on while simultaneously - setting a specific color and an optional visual alert effect (like flickering). - This is often used in physical security or SOC environments to provide visual - cues for alerts. + Turns on a specific Philips Hue light bulb and configures its color and visual + alert effect. This action is designed to provide physical notifications or status + indicators within a workspace by interacting with a Philips Hue Bridge. ### Parameters Description @@ -152,33 +207,43 @@ Turn On Light and Color: | :--- | :--- | :--- | :--- | - | **Light ID** | String | Yes | The unique identifier of the light bulb to be - controlled. | + | Light ID | string | Yes | The unique identifier of the light bulb to be controlled. + | - | **Color** | DDL | Yes | The color to set the light to. Options include Red, - Orange, Yellow, Green, Blue, Purple, and Pink. | + | Color | ddl | Yes | The color to apply to the light. Supported values: Red, + Orange, Yellow, Green, Blue, Purple, Pink. | - | **Alert effect** | DDL | Yes | The visual effect to apply. `None` just turns - it on, `Flicker-Once` performs a single flash, and `Flicker-Loop` flashes for - 15 seconds. | + | Alert effect | ddl | Yes | The visual effect to trigger. 'None' turns the light + on normally. 'Flicker-Once' flashes the light once. 'Flicker-Loop' flashes the + light for 15 seconds. | ### Flow Description - 1. **Initialization**: Connects to the Philips Hue Bridge using the provided IP - and authorized username. + 1. **Initialization**: Retrieves the Bridge IP and Authorized Username from the + integration configuration. + + 2. **Validation**: Checks the Philips Hue Bridge to ensure the provided Light + ID exists. - 2. **Validation**: Checks if the specified `Light ID` exists on the bridge via - a GET request. + 3. **Reachability Check**: Verifies if the specific light bulb is currently reachable + by the Bridge. - 3. **Reachability Check**: Verifies if the light bulb is currently reachable by - the bridge. + 4. **Execution**: Sends a PUT request to the Bridge API to turn the light on, + set the specific hue corresponding to the chosen color, and apply the selected + alert effect. + + 5. **Reporting**: Returns the result of the operation, including reachability + status and API response details. + + + ### Additional Notes - 4. **State Mutation**: Sends a PUT request to the bridge to turn the light on - and apply the selected color and alert effect. + - This action requires the Philips Hue Bridge to be accessible from the Google + SecOps environment. - 5. **Completion**: Returns the result of the operation and updates the action - status in Google SecOps. + - If the light bulb is powered off at the switch or out of range, the action will + fail and report that the light is unreachable. capabilities: can_create_case_comments: false can_create_insight: false @@ -187,9 +252,9 @@ Turn On Light and Color: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - This action changes the physical state of a Philips Hue light bulb (turning - it on, changing color, or triggering an alert effect) via a PUT request to the - Philips Hue Bridge API. + Updates the physical state of a Philips Hue light bulb, including its power + status (on/off), color (hue), and visual alert effects via a PUT request to + the Hue Bridge API. fetches_data: true internal_data_mutation_explanation: null categories: @@ -209,3 +274,28 @@ Turn On Light and Color: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/community/philips_hue/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/philips_hue/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..a4b23e02c --- /dev/null +++ b/content/response_integrations/third_party/community/philips_hue/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: true + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/phish_tank/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/phish_tank/resources/ai/actions_ai_description.yaml index a8e8a5a2a..13cb6ae11 100644 --- a/content/response_integrations/third_party/community/phish_tank/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/phish_tank/resources/ai/actions_ai_description.yaml @@ -1,55 +1,28 @@ Check Url: - ai_description: >- - ### General Description - - Checks if a specific URL is marked as suspicious by the PhishTank Community. This - action enriches URL entities with reputation data, including verification status - and links to PhishTank detail pages. It helps security analysts quickly identify - known phishing links based on community-sourced intelligence. - - - ### Parameters - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Service Url | String | Yes | The API endpoint for the PhishTank service, retrieved - from the integration configuration. | - - - ### Flow Description - - 1. **Configuration Retrieval**: Fetches the PhishTank Service URL from the integration - settings. - - 2. **Entity Filtering**: Identifies all URL entities within the current scope - for processing. - - 3. **External Lookup**: For each URL, performs a POST request to the PhishTank - API to retrieve its status. - - 4. **Data Parsing**: Converts the XML response from PhishTank into a structured - format. - - 5. **Reputation Assessment**: Checks if the URL exists in the PhishTank database - and evaluates its verification status. - - 6. **Internal Updates**: - * Adds an **Entity Insight** to the URL entity containing the verification - status and a link to the PhishTank detail page. - * Marks the entity as **Suspicious** within Google SecOps if the URL is confirmed - as verified phishing. - * Updates the entity attributes to reflect the new suspicious status. - 7. **Result Reporting**: Consolidates the findings into a final action message - and provides a detailed JSON result for downstream playbooks. - - - ### Additional Notes - - * The action attempts to use the `OriginalIdentifier` from the entity's additional - properties to ensure the most accurate URL is queried, falling back to the standard - identifier if necessary. + ai_description: "### General Description\nThe **Check Url** action queries the PhishTank\ + \ community database to determine if specific URL entities are associated with\ + \ phishing activities. It retrieves metadata such as verification status, validity,\ + \ and direct links to PhishTank detail pages. This action is primarily used for\ + \ automated URL enrichment and threat validation within a security orchestration\ + \ workflow.\n\n### Parameters Description\nThere are no action-specific parameters\ + \ for this action. It relies on the global integration configuration for the PhishTank\ + \ Service URL.\n\n### Additional Notes\n* This action requires the **Service Url**\ + \ to be correctly configured in the PhishTank integration settings.\n* The action\ + \ uses the `OriginalIdentifier` of an entity if available; otherwise, it defaults\ + \ to the standard identifier.\n* Results are returned in both a human-readable\ + \ summary and a structured JSON format for downstream playbook logic.\n\n### Flow\ + \ Description\n1. **Configuration Retrieval**: The action fetches the PhishTank\ + \ Service URL from the integration's provider configuration.\n2. **Entity Filtering**:\ + \ It identifies all entities of type `URL` (DestinationURL) within the current\ + \ alert scope.\n3. **External Query**: For each URL, it sends a POST request to\ + \ the PhishTank API to check its status.\n4. **Data Parsing**: The action parses\ + \ the XML response from PhishTank to extract phishing details.\n5. **Internal\ + \ Updates**: \n * If a URL is found in the database, it generates an **Entity\ + \ Insight** containing the PhishTank link and verification status.\n * If the\ + \ URL is explicitly marked as **verified** in PhishTank, the action sets the entity's\ + \ `is_suspicious` attribute to `True`.\n6. **Finalization**: The action updates\ + \ the modified entities in Google SecOps and provides a summary message of the\ + \ findings." capabilities: can_create_case_comments: false can_create_insight: true @@ -60,8 +33,8 @@ Check Url: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates the 'is_suspicious' attribute of URL entities if they are verified as - phishing in PhishTank and adds entity insights with the lookup results. + Updates the 'is_suspicious' attribute of URL entities and creates entity insights + based on PhishTank reputation data. categories: enrichment: true entity_usage: @@ -80,39 +53,76 @@ Check Url: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: ai_description: >- ### General Description - Tests the connectivity to the PhishTank service to ensure the integration is properly - configured and the service is reachable. + The **Ping** action is a utility designed to verify the connectivity between Google + SecOps and the PhishTank service. Its primary purpose is to ensure that the integration + is correctly configured and that the PhishTank API is reachable from the environment. ### Parameters Description - There are no action-specific parameters for this action. It utilizes the 'Service - Url' defined in the integration's global configuration. + There are no action-specific parameters for this action. It utilizes the global + integration configuration to perform the connectivity test. - ### Flow Description + | Parameter Name | Type | Mandatory | Description | - 1. **Configuration Retrieval**: The action retrieves the 'Service Url' from the - PhishTank integration settings. + | :--- | :--- | :--- | :--- | - 2. **Connectivity Check**: It sends a POST request to the configured URL with - a sample payload (checking the status of 'google.com') to verify the API's responsiveness. + | N/A | N/A | N/A | This action does not take any input parameters. | - 3. **Validation**: The action checks the HTTP response status code using `res.raise_for_status()`. - 4. **Completion**: If the request is successful, it reports that PhishTank is - connected. + ### Additional Notes + * This action uses a hardcoded test URL (`google.com`) to perform a POST request + to the PhishTank API to validate the connection. - ### Additional Notes + * It relies on the 'Service Url' defined in the PhishTank integration settings. + + + ### Flow Description + + 1. **Configuration Retrieval**: The action retrieves the 'Service Url' from the + PhishTank integration configuration. + + 2. **Request Construction**: It prepares a POST request with a payload containing + a test URL (`google.com`) and specifies the format as JSON. + + 3. **Connectivity Test**: The action sends the request to the PhishTank service + using the configured headers. + + 4. **Validation**: It checks the response status. If the request is successful + (HTTP 200 OK), it confirms the connection. - This action is primarily used for troubleshooting and verifying the initial setup - of the PhishTank integration. Per the guidelines, Ping actions are not categorized - as enrichment actions. + 5. **Completion**: The action ends with a success message: 'PhishTank is connected'. capabilities: can_create_case_comments: false can_create_insight: false @@ -140,3 +150,28 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/community/phish_tank/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/phish_tank/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..2e831240c --- /dev/null +++ b/content/response_integrations/third_party/community/phish_tank/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + siem: false + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/pulsedive/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/pulsedive/resources/ai/actions_ai_description.yaml index 87ca18363..0ba64b61d 100644 --- a/content/response_integrations/third_party/community/pulsedive/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/pulsedive/resources/ai/actions_ai_description.yaml @@ -1,33 +1,34 @@ Enrich IP: - ai_description: "### General Description\nEnriches IP Address entities using Pulsedive\ - \ threat intelligence. This action retrieves comprehensive indicator data, including\ - \ risk levels, risk factors, and community comments, to provide context for security\ - \ investigations. It allows users to define a risk threshold to automatically\ - \ flag suspicious entities within Google SecOps.\n\n### Parameters Description\n\ - | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ - | **Threshold** | DDL | Yes | The minimum risk level (verylow, low, medium, high,\ - \ critical) required for the action to mark an entity as suspicious. |\n| **Retrieve\ - \ Comments** | Boolean | No | If enabled, the action will fetch and display community\ - \ comments associated with the IP indicator. Default is true. |\n| **Only Suspicious\ - \ Entity Insight** | Boolean | No | If enabled, the action will only generate\ - \ a case insight for entities that meet or exceed the specified risk threshold.\ - \ Default is false. |\n| **Max Comments To Return** | String | No | Specifies\ - \ the maximum number of comments to retrieve and display in the case wall data\ - \ table. Default is 50. |\n\n### Flow Description\n1. **Parameter Extraction**:\ - \ Retrieves integration configuration (API Key, Root) and action-specific parameters\ - \ (Threshold, Comment settings).\n2. **Entity Filtering**: Identifies all `ADDRESS`\ - \ (IP) entities within the current context.\n3. **External Lookup**: For each\ - \ IP, queries the Pulsedive API to fetch indicator details and risk scores.\n\ - 4. **Risk Assessment**: Compares the retrieved Pulsedive risk level against the\ - \ user-defined `Threshold`. If the threshold is met, the entity is marked as suspicious.\n\ - 5. **Internal Enrichment**: Updates the entity's additional properties with Pulsedive\ - \ metadata and marks the entity as enriched.\n6. **Case Documentation**: \n \ - \ * Creates a data table on the case wall containing community comments (if enabled).\n\ - \ * Generates a detailed insight for the entity (subject to the `Only Suspicious\ - \ Entity Insight` filter).\n7. **Finalization**: Updates the entities in the Google\ - \ SecOps platform and returns a JSON summary of the results." + ai_description: "Enriches IP Address entities using threat intelligence from Pulsedive.\ + \ This action retrieves detailed indicator data, including risk levels, risk factors,\ + \ and community comments, to provide context for security alerts.\n\n### Flow\ + \ Description\n1. **Filter Entities:** Identifies all IP Address (ADDRESS) entities\ + \ within the current context.\n2. **Fetch Intelligence:** For each IP, it queries\ + \ the Pulsedive API to retrieve reputation data, risk scores, and optionally,\ + \ community comments.\n3. **Risk Evaluation:** Compares the retrieved risk level\ + \ against the user-defined 'Threshold'. If the risk meets or exceeds the threshold,\ + \ the entity is marked as suspicious in Google SecOps.\n4. **Internal Enrichment:**\ + \ Updates the entity's additional properties with Pulsedive metadata and sets\ + \ the 'is_enriched' flag.\n5. **Insight & Reporting:** \n * Creates an entity\ + \ insight containing a summary of the risk analysis.\n * If comments are retrieved,\ + \ it constructs a data table on the case wall for analyst review.\n6. **Final\ + \ Update:** Commits all entity changes (suspicious status and enrichment properties)\ + \ back to the SecOps platform.\n\n### Parameters Description\n| Parameter | Type\ + \ | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Threshold | DDL\ + \ | Yes | The risk level (verylow, low, medium, high, critical) at which an entity\ + \ should be marked as suspicious. Default is 'medium'. |\n| Retrieve Comments\ + \ | Boolean | No | If enabled, the action fetches community comments associated\ + \ with the IP from Pulsedive. Default is true. |\n| Only Suspicious Entity Insight\ + \ | Boolean | No | If enabled, insights will only be created for entities that\ + \ meet the risk threshold. Default is false. |\n| Max Comments To Return | String\ + \ | No | Specifies the maximum number of comments to retrieve and display in the\ + \ data table. Default is 50. |\n\n### Additional Notes\n* The action uses a mapping\ + \ system to translate Pulsedive's risk strings into numerical scores for comparison\ + \ against the user-provided threshold.\n* Data tables are added to the case wall\ + \ for each entity that has associated comments, provided 'Retrieve Comments' is\ + \ enabled." capabilities: - can_create_case_comments: false + can_create_case_comments: true can_create_insight: true can_modify_alert_data: false can_mutate_external_data: false @@ -36,8 +37,9 @@ Enrich IP: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity attributes (enrichment fields and suspicious status), creates - case insights, and adds data tables to the case wall. + The action updates entity attributes with enrichment data, marks entities as + suspicious based on risk thresholds, creates entity insights, and adds data + tables containing comments to the case wall. categories: enrichment: true entity_usage: @@ -56,56 +58,87 @@ Enrich IP: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: true + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Enrich URL: ai_description: >- - Enriches URL entities using threat intelligence from Pulsedive. The action retrieves + ### General Description + + Enriches URL entities using threat intelligence from Pulsedive. This action retrieves comprehensive indicator data, including risk levels, risk factors, and community - comments. It evaluates the URL's risk against a user-defined threshold to determine - if the entity should be marked as suspicious within Google SecOps. + comments, to provide security analysts with actionable context. It evaluates the + URL's risk against a user-defined threshold and can automatically mark entities + as suspicious within the platform. ### Parameters | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + | --- | --- | --- | --- | - | Threshold | DDL | Yes | The risk level (verylow, low, medium, high, critical) - at which the URL is marked suspicious. | + | Max Comments To Return | String | No | Specifies the maximum number of Pulsedive + comments to retrieve and display (Default: 50). | - | Retrieve Comments | Boolean | No | If enabled, fetches community comments associated - with the URL from Pulsedive. | + | Threshold | DDL | Yes | The risk level (verylow, low, medium, high, critical) + at which the entity should be labeled as suspicious. | - | Max Comments To Return | String | No | The maximum number of comments to retrieve - (default is 50). | + | Retrieve Comments | Boolean | No | If enabled, the action fetches community + comments associated with the URL. | - | Only Suspicious Entity Insight | Boolean | No | If enabled, entity insights - will only be created for URLs that meet or exceed the risk threshold. | + | Only Suspicious Entity Insight | Boolean | No | If enabled, insights will only + be generated for entities that meet or exceed the risk threshold. | ### Flow Description - 1. **Entity Filtering:** Filters the target entities to identify URL types. + 1. **Initialization**: The action initializes the Pulsedive manager using the + provided API root and key. + + 2. **Entity Filtering**: It identifies all URL entities within the current alert + context. - 2. **Data Retrieval:** For each URL, it queries the Pulsedive API to fetch indicator - details, risk scores, and risk factors. + 3. **Data Retrieval**: For each URL, it queries the Pulsedive API to fetch indicator + details, risk scores, and (optionally) comments. - 3. **Risk Evaluation:** Compares the Pulsedive risk level against the user-provided - `Threshold` parameter. If the risk is equal to or higher than the threshold, the - entity is marked as suspicious. + 4. **Risk Evaluation**: The URL's risk level is compared against the user-defined + threshold. If the risk is equal to or higher than the threshold, the entity is + marked as suspicious. - 4. **Enrichment:** Updates the entity's additional properties with Pulsedive metadata - (e.g., indicator ID, retired status, seen dates). + 5. **Enrichment**: Entity attributes are updated with Pulsedive metadata (prefixed + with 'PD'), and the entity is marked as enriched. - 5. **Comment Processing:** If `Retrieve Comments` is active, it fetches comments - and adds them as a structured data table to the case wall. + 6. **Case Wall Reporting**: If comments are retrieved, they are formatted into + a data table and added to the case wall. - 6. **Insight Generation:** Creates an HTML-formatted entity insight containing - a risk summary and detailed risk factors. This is conditional based on the `Only - Suspicious Entity Insight` parameter. + 7. **Insight Generation**: A detailed HTML insight is created for the entity, + summarizing the risk level and specific risk factors identified by Pulsedive. - 7. **Finalization:** Updates the entities in the system and returns a JSON result - containing the raw data and a global risk flag. + 8. **Finalization**: The action updates the entities in Google SecOps and returns + a summary of successful and failed enrichments. capabilities: can_create_case_comments: false can_create_insight: true @@ -117,7 +150,7 @@ Enrich URL: fetches_data: true internal_data_mutation_explanation: >- Updates entity suspicious status, populates enrichment fields, adds data tables - for comments to the case wall, and creates entity insights. + to the case wall for comments, and creates entity insights. categories: enrichment: true entity_usage: @@ -136,14 +169,39 @@ Enrich URL: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Threat Details: ai_description: >- ### General Description - This action retrieves comprehensive threat intelligence from Pulsedive based on - a provided threat name or threat ID. It is designed to provide security analysts - with deep context regarding specific threat actors, campaigns, or malware families, - including risk levels, wiki summaries, associated news, and user comments. + Retrieves comprehensive threat intelligence from Pulsedive based on a specific + threat name or threat ID. This action provides detailed context including risk + summaries, associated news, and user comments, helping analysts understand the + nature and severity of a known threat actor or campaign. ### Parameters Description @@ -155,53 +213,44 @@ Get Threat Details: | Threat Name | String | No | The name of the threat to retrieve information for (e.g., 'Zeus'). | - | Threat ID | String | No | The specific Pulsedive ID (TID) of the threat to retrieve - information for. | - - | Retrieve Comments | Boolean | No | If set to `true`, the action will fetch user - comments associated with the threat. Default is `true`. | - - | Split Risk | Boolean | No | If set to `true`, the action will provide a breakdown - of indicator counts by risk level (Critical, High, Medium, etc.). Default is `true`. - | + | Threat ID | String | No | The unique Pulsedive ID for the threat. | - | Create Insight | Boolean | No | If set to `true`, the action will generate a - formatted HTML insight in the Google SecOps case containing the threat summary. - Default is `false`. | + | Retrieve Comments | Boolean | No | If set to true, retrieves and displays user + comments associated with the threat. Default is true. | + | Split Risk | Boolean | No | If set to true, categorizes the associated indicator + counts by their risk levels. Default is true. | - ### Additional Notes + | Create Insight | Boolean | No | If set to true, generates a detailed Siemplify + Insight within the case containing the threat's risk summary and news. Default + is false. | - * **Input Requirement**: Either the `Threat Name` or the `Threat ID` must be - provided for the action to successfully identify a threat. If both are provided, - the `Threat Name` takes precedence in the logic. - * **Data Tables**: If comments are retrieved, they are presented in a dedicated - data table on the case wall. + ### Flow Description + 1. **Parameter Initialization:** The action extracts API credentials from the + integration configuration and retrieves the user-provided threat identifiers and + display options. - ### Flow Description + 2. **Data Retrieval:** It queries the Pulsedive API using either the provided + `Threat Name` or `Threat ID` to fetch the threat's metadata, risk summary, and + news. - 1. **Initialization**: The action initializes the Pulsedive manager using the - provided API Root and API Key. + 3. **Comment Processing:** If `Retrieve Comments` is enabled, the action fetches + associated comments and formats them into a data table for the case wall. - 2. **Parameter Extraction**: It extracts the threat identifier (Name or ID) and - configuration flags (Retrieve Comments, Split Risk, Create Insight) from the action - parameters. + 4. **Insight Generation:** If `Create Insight` is enabled, the action constructs + a formatted HTML insight containing the threat's category, risk summary (counts + of indicators by risk level), wiki summary, and recent news links. - 3. **Data Retrieval**: The action queries the Pulsedive API (`/api/info.php`) - to fetch detailed information about the specified threat. + 5. **Result Output:** The action returns the full threat data as a JSON object + and provides a success message if the threat details were successfully found. - 4. **Internal Mutation (Data Table)**: If the threat has associated comments - and `Retrieve Comments` is enabled, the action constructs a CSV-formatted table - and adds it to the case wall. - 5. **Internal Mutation (Insight)**: If `Create Insight` is enabled, the action - generates a formatted HTML insight containing the threat's risk level, category, - risk summary, wiki summary, and recent news. + ### Additional Notes - 6. **Completion**: The action populates the JSON results with the full threat - data and completes the execution with a success message. + Either the **Threat Name** or the **Threat ID** must be provided for the action + to successfully locate threat data. If neither is provided, the action will fail. capabilities: can_create_case_comments: false can_create_insight: true @@ -212,10 +261,10 @@ Get Threat Details: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action adds a data table to the case wall containing threat comments and - can create a detailed case insight with threat summaries and risk scores. + The action creates a case insight containing threat intelligence and adds a + data table for threat comments to the action results. categories: - enrichment: false + enrichment: true entity_usage: entity_types: [] filters_by_additional_properties: false @@ -231,47 +280,73 @@ Get Threat Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: ai_description: >- - Tests the connectivity to the Pulsedive server using the provided configuration - parameters. This action ensures that the API Root and API Key are valid and that - the network connection to Pulsedive is functional. - + ### General Description - ### Parameters + The **Ping** action is a diagnostic utility designed to verify the connectivity + between the Google SecOps platform and the Pulsedive API. It ensures that the + provided configuration parameters, such as the API Root and API Key, are valid + and that the network path is open. - | Parameter Name | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + ### Parameters Description - | API Root | String | Yes | The base URL of the Pulsedive API. | + There are no runtime parameters for this action. It relies entirely on the integration's + global configuration (API Root, API Key, and Verify SSL). - | API Key | String | Yes | The API key used for authentication with Pulsedive. - | - | Verify SSL | Boolean | No | If enabled, the action will verify the SSL certificate - of the Pulsedive server. Default is True. | + ### Additional Notes + - This action is typically used during the initial setup of the Pulsedive integration + or for troubleshooting connection issues. - ### Flow Description + - It performs a test search request to the Pulsedive API to confirm that the credentials + have the necessary permissions to interact with the service. - 1. **Parameter Extraction**: Retrieves the API Root, API Key, and SSL verification - settings from the integration configuration. - 2. **Manager Initialization**: Initializes the PulsediveManager with the extracted - credentials. + ### Flow Description - 3. **Connectivity Test**: Executes a test search request to the Pulsedive API - to verify the connection and credentials. + 1. **Initialization**: The action initializes the Siemplify context and retrieves + the global configuration parameters (API Root, API Key, and SSL verification settings). - 4. **Result Reporting**: Returns a success message if the connection is established, - or a failure message with error details if the test fails. + 2. **Manager Setup**: It instantiates the `PulsediveManager` using the retrieved + configuration. + 3. **Connectivity Test**: The action calls the `test_connectivity` method, which + executes a GET request to the Pulsedive search endpoint with a set of test parameters. - ### Additional Notes + 4. **Validation**: If the API responds with a successful status code, the action + confirms connectivity. If an exception occurs (e.g., 401 Unauthorized, 404 Not + Found, or network timeout), the action captures the error. - - This action does not process any entities and is used solely for configuration - validation. + 5. **Completion**: The action terminates, returning a success message if the connection + was established or a failure message with error details if it was not. capabilities: can_create_case_comments: false can_create_insight: false @@ -299,86 +374,111 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Scan Indicator: ai_description: >- - ### General Description - - Performs an automated scan on indicators (IPs, Domains, URLs, and Hashes) using - the Pulsedive threat intelligence platform. This action is asynchronous, meaning - it submits indicators for analysis, polls for completion, and then retrieves the - final report. It supports both Passive scans (retrieving existing data) and Active - scans (initiating a fresh probe). The action enriches entities with risk levels, - risk factors, and community comments, and can automatically mark entities as suspicious - based on a configurable risk threshold. + Performs a scan on indicators (IPs, Domains, URLs, Hashes) using Pulsedive to + retrieve threat intelligence, risk scores, and community comments. This is an + asynchronous action that initiates a scan task, polls for completion, and then + enriches the entities within Google SecOps based on the results. ### Parameters Description + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Scan Type | DDL | Yes | Determines the scan depth. 'Passive' fetches existing - data without direct interaction, while 'Active' performs a more intrusive, real-time - scan. | + | Scan Type | DDL | Yes | Choose between 'Passive' (retrieves existing data without + direct interaction) or 'Active' (performs a live, more intrusive scan). | - | Threshold | DDL | Yes | The risk level (verylow, low, medium, high, critical) - at which an entity will be labeled as suspicious in Google SecOps. | + | Threshold | DDL | Yes | Specifies the risk level (verylow, low, medium, high, + critical) at which an entity should be marked as suspicious in Google SecOps. + | | Only Suspicious Entity Insight | Boolean | No | If enabled, the action will - only generate an entity insight if the indicator's risk score meets or exceeds - the specified threshold. | + only generate an entity insight if the indicator's risk level meets or exceeds + the specified 'Threshold'. | - | Retrieve Comments | Boolean | No | If enabled, the action fetches community + | Retrieve Comments | Boolean | No | If enabled, the action will fetch community comments associated with the indicator from Pulsedive. | - | Max Comments To Return | String | No | Specifies the maximum number of comments - to retrieve and display in the case wall data table. Defaults to 50. | + | Max Comments To Return | String | No | Defines the maximum number of comments + to retrieve and display in the case wall data table. Default is 50. | - ### Additional Notes + ### Flow Description - - This action is **Asynchronous**: It will transition through 'In Progress' states - while waiting for Pulsedive to complete the analysis. - - The action uses the `OriginalIdentifier` of an entity if available, ensuring - accurate lookups for renamed or modified entities. + 1. **Submission**: The action submits the target entities to Pulsedive's analysis + engine via a POST request, specifying the desired scan type (Active or Passive). + 2. **Polling**: As an asynchronous operation, the action periodically checks the + status of the submitted scan IDs until Pulsedive marks them as 'done'. - ### Flow Description + 3. **Data Retrieval**: Once completed, the action fetches the full indicator report, + including the risk level, risk factors, and community comments. - 1. **Submission (First Run):** The action iterates through all target entities - and submits them to Pulsedive's analysis engine using the specified `Scan Type` - (Active or Passive). + 4. **Risk Evaluation**: It compares the indicator's risk level against the user-defined + 'Threshold'. If the risk is equal to or higher than the threshold, the entity + is marked as suspicious (`is_suspicious = True`). - 2. **Status Polling:** The action enters an asynchronous loop, checking the status - of each submitted scan ID until Pulsedive reports the analysis is 'done'. + 5. **Enrichment**: The action updates the entity's additional properties with + Pulsedive metadata and sets the 'is_enriched' flag. - 3. **Data Retrieval:** Once completed, the action fetches the full report for - each indicator, including risk scores, risk factors, and comments. + 6. **Reporting**: It generates entity insights (optionally filtered) and populates + data tables with community comments for analyst review. + + + ### Additional Notes - 4. **Risk Evaluation:** It compares the retrieved risk level against the user-defined - `Threshold`. If the risk is equal to or higher than the threshold, the entity - is marked as suspicious. - 5. **Enrichment & Insights:** The action updates the entity's additional properties - with Pulsedive data, creates detailed entity insights (optionally filtered by - the 'Only Suspicious' flag), and adds data tables containing community comments - to the case. + * This action is asynchronous and its execution time depends on Pulsedive's processing + speed and the chosen scan type. + + * The 'Threshold' parameter uses a mapping where 'verylow' corresponds to Pulsedive's + 'none' risk score. capabilities: can_create_case_comments: false can_create_insight: true can_modify_alert_data: false - can_mutate_external_data: false + can_mutate_external_data: true can_mutate_internal_data: true can_update_entities: true - external_data_mutation_explanation: null + external_data_mutation_explanation: >- + Initiates a scan request on the Pulsedive platform via a POST request to the + analysis endpoint, which creates a new analysis task. fetches_data: true internal_data_mutation_explanation: >- - Updates entity suspicious status, adds enrichment properties to entities, creates - entity insights, and adds data tables for comments within the case. + Updates entity suspicious status, adds enrichment data to entity properties, + creates entity insights, and adds data tables for comments to the case wall. categories: - enrichment: true + enrichment: false entity_usage: entity_types: - ADDRESS @@ -429,3 +529,28 @@ Scan Indicator: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/community/pulsedive/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/pulsedive/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..2e831240c --- /dev/null +++ b/content/response_integrations/third_party/community/pulsedive/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + siem: false + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/sample_integration/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/sample_integration/resources/ai/actions_ai_description.yaml index 28f4750f0..d51c6b7d1 100644 --- a/content/response_integrations/third_party/community/sample_integration/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/sample_integration/resources/ai/actions_ai_description.yaml @@ -1,32 +1,58 @@ Async Action Example: - ai_description: "### General Description\nThis is an asynchronous utility action\ - \ designed to synchronize workflows by waiting for specific tags to be applied\ - \ to one or more Google SecOps cases. It is primarily used in playbooks where\ - \ a subsequent step should only proceed once a manual or automated tagging event\ - \ has occurred on designated cases.\n\n### Parameters Description\n| Parameter\ - \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Case IDs\ - \ | String | No | A comma-separated list of Case IDs to monitor. If left empty,\ - \ the action defaults to monitoring the Case ID from which it was executed. |\n\ - | Case Tag To Wait For | String | Yes | The specific tag string the action will\ - \ look for in the target cases. The action remains 'In Progress' until all specified\ - \ cases contain this tag. |\n\n### Additional Notes\n- This action is defined\ - \ as `is_async: true`, meaning it will yield execution and resume periodically\ - \ until the condition is met or the system timeout is reached.\n- It uses the\ - \ `additional_data` parameter internally to maintain state (tracking which cases\ - \ have already been tagged) between asynchronous iterations.\n\n### Flow Description\n\ - 1. **Initialization**: The action extracts the target Case IDs and the required\ - \ tag from the input parameters.\n2. **Validation**: If no Case IDs are provided,\ - \ it identifies the current case ID as the target. It then parses the CSV string\ - \ into a list of integers.\n3. **Status Check**: The action iterates through the\ - \ target cases and calls the SOAR API to retrieve their current metadata, specifically\ - \ looking at the tags.\n4. **Tag Verification**: It compares the tags found on\ - \ each case against the 'Case Tag To Wait For' parameter.\n5. **State Management**:\ - \ \n - If all target cases possess the required tag, the action sets its state\ - \ to `COMPLETED` and returns a success message.\n - If any cases are still\ - \ missing the tag, the action updates its internal state (tracking progress) and\ - \ sets the execution state to `IN_PROGRESS` to be retried in the next cycle.\n\ - 6. **Timeout Handling**: If the action approaches the global asynchronous timeout\ - \ before all cases are tagged, it will exit gracefully with a timeout error." + ai_description: >- + ### General Description + + The **Async Action Example** is a flow-control utility designed to synchronize + playbook execution based on the status of Google SecOps cases. It allows a playbook + to pause and wait until a specific tag is applied to one or more cases. This is + particularly useful for manual review steps or cross-case dependencies where an + automated process must wait for an analyst's signal (via a tag) before proceeding. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | **Case IDs** | String | No | A comma-separated list of Case IDs to monitor. + If left empty, the action defaults to monitoring the current case where the action + is running. | + + | **Case Tag To Wait For** | String | Yes | The specific tag string the action + is looking for. The action will remain 'In Progress' until all specified cases + have this tag. | + + + ### Additional Notes + + - This is an **Asynchronous** action, meaning it runs in cycles until the condition + is met or it times out. + + - It does not modify any data; it is strictly a monitoring/polling utility. + + - If no Case IDs are provided, the action automatically targets the case ID from + which it was executed. + + + ### Flow Description + + 1. **Initialization**: The action retrieves the list of Case IDs and the target + tag from the input parameters. + + 2. **Data Retrieval**: For each Case ID, the action performs an internal API call + to fetch the case's overview details, including its current tags. + + 3. **Tag Validation**: The action checks if the 'Case Tag To Wait For' exists + in the list of tags for each case. + + 4. **State Management**: If all monitored cases possess the required tag, the + action completes successfully. If any cases are still missing the tag, the action + saves its current progress and enters an 'In Progress' state to be re-evaluated + in the next polling cycle. + + 5. **Timeout**: If the action exceeds the defined timeout period before all tags + are found, it will fail with a timeout error. capabilities: can_create_case_comments: false can_create_insight: false @@ -34,11 +60,11 @@ Async Action Example: can_mutate_external_data: false can_mutate_internal_data: false can_update_entities: false - external_data_mutation_explanation: null + external_data_mutation_explanation: 'null' fetches_data: true - internal_data_mutation_explanation: null + internal_data_mutation_explanation: 'null' categories: - enrichment: false + enrichment: true entity_usage: entity_types: [] filters_by_additional_properties: false @@ -54,14 +80,39 @@ Async Action Example: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Enrich Entity Action Example: ai_description: >- ### General Description - Enriches entities within Google SecOps by adding metadata and data tables. This - action serves as a template for processing entities based on their type (IP, Hash, - or User) and applying enrichment logic. It generates a timestamped enrichment - record for each eligible entity to provide context within the SOAR platform. + The **Enrich Entity Action Example** is a sample enrichment action designed to + demonstrate how to process and augment entities within Google SecOps. It targets + specific entity types (IP, Hash, User, or all) and adds simulated enrichment data, + including a timestamp and a status flag, to the entity's context. ### Parameters Description @@ -70,37 +121,35 @@ Enrich Entity Action Example: | :--- | :--- | :--- | :--- | - | Entity Type | DDL | Yes | Defines which entities from the alert scope should - be processed. Options include 'All Entities', 'IP', 'Hash', and 'User'. This selection - determines the filtering logic applied to the target entities. | + | **Entity Type** | DDL | Yes | Specifies which entities from the alert scope + should be processed. Options include 'All Entities', 'IP', 'Hash', and 'User'. + | ### Flow Description - 1. **Parameter Extraction**: Retrieves the 'Entity Type' selection from the action - configuration to define the scope of work. + 1. **Parameter Extraction:** The action retrieves the 'Entity Type' selection + from the user input. + + 2. **Entity Filtering:** It filters the available entities in the alert scope + based on the selected type (e.g., mapping 'IP' to 'ADDRESS' entities). - 2. **Entity Filtering**: Identifies entities in the current alert scope that match - the selected type (e.g., mapping 'IP' to ADDRESS entities or 'Hash' to FILEHASH, - CHILDHASH, and PARENTHASH entities). + 3. **Enrichment Generation:** For each matching entity, it generates a JSON object + containing a 'true' enrichment status and a current Unix timestamp. - 3. **Enrichment Generation**: For each matching entity, the action generates a - data dictionary containing a 'true' enrichment status and a current Unix timestamp. + 4. **Internal Mutation:** It applies a prefix ('SampleIntegration_') to the enrichment + data, updates the entity's fields, and attaches a CSV-formatted Data Table to + the entity. - 4. **Internal Updates**: - * **Entity Attributes**: Updates the entity's attributes with prefixed fields - (e.g., `SampleIntegration_enriched` and `SampleIntegration_timestamp`). - * **Data Tables**: Attaches a Data Table to the entity containing the enrichment - details in CSV format for visibility in the entity's profile. - 5. **Finalization**: Produces a summary message listing all successfully enriched - entities and sets the action result to success. + 5. **Finalization:** The action reports the list of successfully enriched entities + in the output message. ### Additional Notes - This is a synchronous action designed for demonstration and template purposes. - It does not interact with an external API but simulates the enrichment process - internally. + This action is intended as a template for developers. It does not communicate + with an external API but demonstrates the standard workflow for internal data + enrichment and entity updates. capabilities: can_create_case_comments: false can_create_insight: false @@ -111,8 +160,8 @@ Enrich Entity Action Example: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity attributes with enrichment data and attaches data tables to the - entities. + Updates entity fields with enrichment data and adds data tables to the entities + in Google SecOps. categories: enrichment: true entity_usage: @@ -165,48 +214,65 @@ Enrich Entity Action Example: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: ai_description: >- - The Ping action is a diagnostic tool used to verify the connectivity between Google - SecOps and the API Service (VatComply). It ensures that the integration's configuration - parameters, such as the API Root and authentication credentials, are correct and - that the external service is reachable. - - - ### Parameters - - There are no action-specific parameters for this action. It relies entirely on - the integration's global configuration settings: + ### General Description + The **Ping** action is a diagnostic tool used to verify the connectivity between + the Google SecOps platform and the external API Service. It ensures that the integration's + configuration parameters, such as the API Root, Password, and SSL verification + settings, are correct and that the service is reachable. - | Parameter Name | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + ### Parameters Description - | API Root | String | Yes | The base URL of the API Service (default: https://api.vatcomply.com). - | + There are no action-specific parameters for this action. It relies entirely on + the global integration configuration. - | Password Field | String | No | The password or API key used for authentication. - | - | Verify SSL | Boolean | Yes | Whether to verify the SSL certificate of the API - server. | + ### Flow Description + 1. **Initialization**: The action initializes the API client using the global + integration settings (API Root, Password, and Verify SSL). - ### Flow Description + 2. **Connectivity Test**: It executes a test request (typically a GET request + to a lightweight endpoint like `/rates`) to the configured API Service. - 1. **Initialization**: The action initializes the API client by retrieving the - global integration configuration (API Root, Password, and SSL settings). + 3. **Validation**: If the request is successful, the action returns a success + message. If the request fails due to network issues, incorrect credentials, or + SSL errors, it returns an error message. - 2. **Authentication**: It sets up an authenticated session using the provided - password in a custom header. - 3. **Connectivity Test**: The action calls the `test_connectivity` method, which - typically performs a lightweight GET request to a predefined endpoint (e.g., `/rates`) - to check for a valid response. + ### Additional Notes - 4. **Result Reporting**: If the request is successful, it returns a success message. - If the connection fails or returns an error, it reports a failure message. + - This action is primarily used during the initial setup or troubleshooting of + the integration to confirm that the environment can communicate with the target + API. capabilities: can_create_case_comments: false can_create_insight: false @@ -215,7 +281,7 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: false + fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false @@ -234,69 +300,62 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Simple Action Example: ai_description: >- - ### General Description - - This action retrieves currency exchange rate data from the external service 'api.vatcomply.com'. - It allows users to specify multiple currencies and a time range to fetch historical - or current rates. The results are presented as data tables, links on the case - wall, and a JSON file attachment within the Google SecOps case. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Currencies String | string | No | A comma-separated list of currency codes (e.g., - USD, EUR) to be processed. | - - | Currencies DDL | ddl | No | A dropdown menu to select a single currency. The - action combines values from both 'Currencies String' and 'Currencies DDL'. | - - | Time Frame | ddl | No | Defines the temporal scope of the data. Options include - 'Today', 'Last 7 Days', or 'Custom'. | - - | Start Time | string | No | The starting timestamp in ISO 8601 format. This is - **mandatory** if 'Time Frame' is set to 'Custom'. | - - | End Time | string | No | The ending timestamp in ISO 8601 format. If omitted - while 'Custom' is selected, the current time is used. | - - | Return JSON Result | boolean | Yes | If enabled, the action will populate the - JSON result field in the SOAR output. | - - - ### Additional Notes - - - At least one currency must be provided via either 'Currencies String' or 'Currencies - DDL'. - - - The maximum allowed time delta between 'Start Time' and 'End Time' is 7 days; - the action will automatically truncate the range if it exceeds this limit. - - - This action does not process or interact with Google SecOps entities. - - - ### Flow Description - - 1. **Parameter Extraction**: The action retrieves input parameters including currency - lists and time frame configurations. - - 2. **Validation**: It validates that at least one currency is provided and ensures - the time range logic is sound (e.g., checking if 'Start Time' is provided for - 'Custom' ranges). - - 3. **Data Retrieval**: The action performs a GET request to the VatComply API - to fetch exchange rates for the specified currencies and dates. - - 4. **Internal Data Processing**: It constructs data tables and case wall links - for each retrieved rate. - - 5. **Case Mutation**: The action saves the raw JSON response as a temporary file - and attaches it to the current Google SecOps case for audit and review. + ### General Description\nThis action retrieves currency exchange rate data from + the external service `api.vatcomply.com`. It allows users to specify multiple + currencies and a time range (up to 7 days) to fetch historical or current rates. + The results are presented as Data Tables, Links, and a JSON attachment within + the Google SecOps case. This action does not interact with or process any entities.\n\n### + Parameters Description\n| Parameter | Type | Mandatory | Description |\n| :--- + | :--- | :--- | :--- |\n| Currencies String | String | No | A comma-separated + list of currency codes (e.g., USD, EUR) to process. |\n| Currencies DDL | DDL + | No | A dropdown menu to select a single currency code. |\n| Time Frame | DDL + | No | Defines the period for the data: 'Today', 'Last 7 Days', or 'Custom'. |\n| + Start Time | String | No* | The start date in ISO 8601 format. Mandatory if 'Time + Frame' is set to 'Custom'. |\n| End Time | String | No | The end date in ISO 8601 + format. Defaults to current time if omitted. |\n| Return JSON Result | Boolean + | Yes | If enabled, the action will output the raw data in the JSON result field. + |\n\n### Additional Notes\n- Either 'Currencies String' or 'Currencies DDL' must + be provided for the action to execute.\n- The maximum allowed duration between + 'Start Time' and 'End Time' is 7 days. If a larger range is provided, the action + automatically truncates the end date to 7 days after the start date.\n- This action + is purely informational regarding external systems and does not modify any external + system state.\n\n### Flow Description\n1. **Parameter Extraction:** The action + retrieves all user-provided inputs, including currency lists and time configurations.\n2. + **Validation:** It ensures at least one currency is specified and validates the + time range logic, enforcing the 7-day maximum delta.\n3. **Data Retrieval:** The + action performs a GET request to the `api.vatcomply.com` service to fetch exchange + rates for the specified currencies and dates.\n4. **Internal Data Creation:** + Generates Data Tables for each currency and date, creates Links pointing to the + specific API endpoint for each rate, and saves the full result as a JSON attachment + added to the current case.\n5. **Output:** Returns a success message summarizing + the processed currencies and time range. capabilities: can_create_case_comments: false can_create_insight: false @@ -307,8 +366,7 @@ Simple Action Example: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action creates a temporary JSON file containing the retrieved exchange rates - and adds it as an attachment to the current case. + Adds data tables, links, and a JSON file attachment to the Google SecOps case. categories: enrichment: false entity_usage: @@ -326,3 +384,28 @@ Simple Action Example: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/community/sample_integration/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/sample_integration/resources/ai/connectors_ai_description.yaml new file mode 100644 index 000000000..89118fafa --- /dev/null +++ b/content/response_integrations/third_party/community/sample_integration/resources/ai/connectors_ai_description.yaml @@ -0,0 +1,58 @@ +"Sample Integration - Simple Connector Example": + ai_description: "### General Description\nThis connector integrates with the `api.vatcomply.com`\ + \ service to fetch currency exchange rate data and ingest it as alerts into Google\ + \ SecOps. It serves as a comprehensive example of a SOAR connector, demonstrating\ + \ core capabilities such as historical data fetching, dynamic filtering via whitelists/blocklists,\ + \ environment mapping, and attachment management. The connector allows security\ + \ teams to monitor financial data or use exchange rates as a trigger for automated\ + \ workflows.\n\n### Parameters Description\n| Parameter | Type | Mandatory | Description\ + \ |\n| :--- | :--- | :--- | :--- |\n| DeviceProductField | String | Yes | The\ + \ source field name used to retrieve the Product Field name for the alert metadata.\ + \ |\n| EventClassId | String | Yes | The source field name used to retrieve the\ + \ Event Field name for the alert metadata. |\n| Environment Field Name | String\ + \ | No | The name of the field where the environment name is stored. Defaults\ + \ to the default environment if not found. |\n| Environment Regex Pattern | String\ + \ | No | A regex pattern applied to the Environment Field Name to manipulate or\ + \ extract the environment value. |\n| PythonProcessTimeout | String | Yes | The\ + \ timeout limit in seconds for the Python process running the connector script.\ + \ |\n| API Root | String | Yes | The base URL for the vatcomply API (default:\ + \ `https://api.vatcomply.com`). |\n| Password Field | Password | No | An example\ + \ password field for authentication (not strictly required by the public vatcomply\ + \ API). |\n| Currencies To Fetch | String | No | A comma-separated list of currency\ + \ codes (e.g., USD, EUR) to retrieve exchange rates for. |\n| Create Alert Per\ + \ Exchange Rate | Boolean | No | If enabled, the connector creates a separate\ + \ alert for every currency pair. If disabled, it creates one combined alert per\ + \ date. |\n| Alert Severity | String | No | The severity assigned to the ingested\ + \ alerts (Critical, High, Medium, Low, Informational). |\n| Add Attachment | Boolean\ + \ | No | If enabled, the raw JSON exchange rate data is added as an attachment\ + \ to the alert. |\n| Max Days Backwards | Integer | Yes | The maximum number of\ + \ days to look back for historical data (Limit: 1-30 days). |\n| Max Alerts To\ + \ Fetch | String | Yes | Dictates how many alerts (dates) are processed in a single\ + \ connector iteration. |\n| Use dynamic list as blocklist | Boolean | Yes | If\ + \ enabled, the connector's dynamic list (whitelist) will function as a blocklist.\ + \ |\n| Disable Overflow | Boolean | No | If enabled, the connector will bypass\ + \ the standard SOAR overflow protection mechanism. |\n| Verify SSL | Boolean |\ + \ Yes | Whether to verify the SSL certificate for the connection to the API server.\ + \ |\n| Proxy Server Address | String | No | The address of the proxy server to\ + \ use for outgoing requests. |\n| Proxy Username | String | No | The username\ + \ for proxy authentication. |\n| Proxy Password | Password | No | The password\ + \ for proxy authentication. |\n\n### Flow Description\n1. **Initialization**:\ + \ The connector establishes a session with the `api.vatcomply.com` service using\ + \ the provided API Root and SSL configurations.\n2. **Context Loading**: It retrieves\ + \ the timestamp of the last successful execution and a list of previously processed\ + \ alert IDs from the SOAR database to prevent duplicate ingestion.\n3. **Data\ + \ Retrieval**: The connector requests exchange rate data for the configured currencies,\ + \ starting from the last success time up to the current date (limited by the 'Max\ + \ Days Backwards' parameter).\n4. **Alert Construction**: \n * If 'Create Alert\ + \ Per Exchange Rate' is active, it generates individual `AlertInfo` objects for\ + \ every currency rate found.\n * Otherwise, it aggregates all rates for a specific\ + \ date into a single `AlertInfo` object.\n5. **Filtering and Validation**: \n\ + \ * **Dynamic List Filter**: It checks the currency against the connector's\ + \ whitelist/blocklist.\n * **Deduplication**: It filters out any alerts whose\ + \ IDs already exist in the processed IDs cache.\n * **Overflow Check**: It\ + \ verifies if the alert should be suppressed based on overflow settings.\n6. **Enrichment**:\ + \ If 'Add Attachment' is enabled, the connector converts the raw API response\ + \ into a JSON file and attaches it to the alert.\n7. **Ingestion**: The finalized\ + \ alerts are sent to the Google SecOps platform for case creation.\n8. **Checkpointing**:\ + \ The connector updates the 'Last Success Time' and saves the new set of processed\ + \ alert IDs to ensure the next run starts from the correct point." diff --git a/content/response_integrations/third_party/community/sample_integration/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/sample_integration/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..0801c7556 --- /dev/null +++ b/content/response_integrations/third_party/community/sample_integration/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/sample_integration/resources/ai/jobs_ai_description.yaml b/content/response_integrations/third_party/community/sample_integration/resources/ai/jobs_ai_description.yaml new file mode 100644 index 000000000..027f99445 --- /dev/null +++ b/content/response_integrations/third_party/community/sample_integration/resources/ai/jobs_ai_description.yaml @@ -0,0 +1,52 @@ +Simple Job Example: + ai_description: >- + ### General Description + + This job performs automated case management and data enrichment within Google + SecOps. It identifies open cases based on specific tags to either automate the + closure process or enrich the case with real-time financial data. Specifically, + it handles cases tagged with "Closed" by closing them formally in the system and + handles cases tagged with "Currency" by fetching and posting the latest EUR exchange + rates from the vatcomply API. The job includes a state-management mechanism (context) + to ensure that enrichment comments are added only once per case per day. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | API Root | String | Yes | The root URL for the vatcomply API service (default: + `https://api.vatcomply.com`). | + + | Password Field | Password | No | A placeholder password field used for demonstration + purposes; the current API does not require authentication. | + + | Verify SSL | Boolean | Yes | If enabled, the job validates the SSL certificate + of the API service during connection. | + + + ### Flow Description + + 1. **Initialize API Client**: Establishes a connection to the external API service + using the provided root URL and SSL settings. + + 2. **Load Job Context**: Retrieves the persistent state from Google SecOps to + track the current date and a list of cases that have already received currency + updates. + + 3. **Fetch Target Cases**: Queries the SOAR platform for open cases that possess + either the "Closed" or "Currency" tags, limited to a predefined processing threshold. + + 4. **Automated Case Closure**: For every case tagged with "Closed", the job executes + a closure command with the reason "Maintenance" and a standard system comment. + + 5. **Currency Enrichment**: For cases tagged with "Currency" (and not already + processed in the current session): + * Calls the external API to retrieve the latest exchange rate for EUR. + * Posts a formatted comment to the case wall containing the exchange rate + and the retrieval date. + 6. **State Persistence**: Updates the job context with the IDs of newly enriched + cases and saves the state back to the platform to prevent duplicate comments in + the next execution cycle. diff --git a/content/response_integrations/third_party/community/send_grid/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/send_grid/resources/ai/actions_ai_description.yaml index eb0b6589e..e3e2adda7 100644 --- a/content/response_integrations/third_party/community/send_grid/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/send_grid/resources/ai/actions_ai_description.yaml @@ -1,43 +1,23 @@ Ping: - ai_description: >- - ### General Description - - This action is designed to test the connectivity between Google SecOps and the - SendGrid API. It validates the provided API Token by checking if it has the necessary - permissions to perform core functions, specifically the ability to send emails. - - - ### Parameters Description - - There are no parameters for this action. It relies solely on the 'API Token' provided - in the SendGrid integration configuration. - - - ### Additional Notes - - - This action is a standard 'Ping' utility used to ensure the integration is correctly - configured before running other functional actions. - - - It specifically looks for the `mail.send` scope in the API response to confirm - the token is valid for sending operations. - - - ### Flow Description - - 1. **Configuration Retrieval**: The action retrieves the 'API Token' from the - SendGrid integration settings. - - 2. **API Connection**: It establishes an HTTPS connection to `api.sendgrid.com`. - - 3. **Permission Check**: A GET request is sent to the `/v3/scopes` endpoint to - retrieve the list of permissions associated with the token. - - 4. **Validation**: The script parses the JSON response and uses a regular expression - to search for the `mail.send` scope. - - 5. **Result Reporting**: If the scope is found, the action completes successfully - with a confirmation message. If the scope is missing or the connection fails, - it returns an error message. + ai_description: "### General Description\nThe **Ping** action is a connectivity\ + \ test designed to verify the integration between Google SecOps and the SendGrid\ + \ service. Its primary purpose is to ensure that the provided API Token is valid\ + \ and possesses the necessary permissions to perform core functions, specifically\ + \ sending emails.\n\n### Parameters Description\nThere are no parameters for this\ + \ action. It relies solely on the integration's global configuration (API Token).\n\ + \n### Additional Notes\nThis action specifically checks for the `mail.send` scope\ + \ in the SendGrid account permissions. If the token is valid but lacks this specific\ + \ scope, the action will return a failure status, as the integration would be\ + \ unable to perform its primary email-sending tasks.\n\n### Flow Description\n\ + 1. **Configuration Retrieval:** The action retrieves the `API Token` from the\ + \ SendGrid integration settings.\n2. **API Request:** It performs an HTTPS GET\ + \ request to the SendGrid `/v3/scopes` endpoint using the provided token for authentication.\n\ + 3. **Response Parsing:** The action decodes the JSON response from SendGrid to\ + \ extract the list of authorized scopes.\n4. **Permission Validation:** It uses\ + \ a regular expression to search for the `mail.send` string within the retrieved\ + \ scopes.\n5. **Result Reporting:** \n * If `mail.send` is found, it returns\ + \ a success message and sets the result to `True`.\n * If the scope is missing\ + \ or the API call fails, it returns an error message and sets the result to `False`." capabilities: can_create_case_comments: false can_create_insight: false @@ -65,29 +45,82 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Send Email: - ai_description: "### General Description\nSends an email message through the SendGrid\ - \ service using the SendGrid API. This action is designed to facilitate automated\ - \ communication within playbooks, such as sending notifications, reports, or alerts\ - \ to specific recipients.\n\n### Parameters Description\n| Parameter | Type |\ - \ Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Email From | String\ - \ | Yes | The email address that will appear as the sender. |\n| Email To | String\ - \ | Yes | The email address of the recipient. |\n| Subject | String | Yes | The\ - \ subject line of the email. |\n| Content | Email Content | Yes | The HTML-formatted\ - \ body of the email. |\n| Return Message Status | Boolean | No | If set to true,\ - \ the action will include the SendGrid API response status code and metadata in\ - \ the action's JSON results. Default is false. |\n\n### Flow Description\n1. **Configuration\ - \ Retrieval**: The action retrieves the SendGrid API Token from the integration\ - \ settings.\n2. **Message Construction**: It builds a mail object using the provided\ - \ 'Email From', 'Email To', 'Subject', and 'Content' parameters.\n3. **API Interaction**:\ - \ The action initializes the SendGrid API client and attempts to send the email.\n\ - 4. **Result Processing**: \n * If the email is sent successfully, it logs the\ - \ success.\n * If 'Return Message Status' is enabled, it captures the status\ - \ code and recipient details into the action's JSON result.\n5. **Error Handling**:\ - \ If the API call fails, the action logs the exception and returns a failure state.\n\ - \n### Additional Notes\nThis action does not operate on entities (IPs, Hosts,\ - \ etc.) within the case; it relies entirely on the provided input parameters to\ - \ execute the email delivery." + ai_description: >- + Sends an email message using the SendGrid API. This action allows users to dispatch + formatted HTML emails to specific recipients by providing sender details, subject + lines, and message content. It is primarily used for notifications, reporting, + or communication within automated playbooks. + + + ### Flow Description + + 1. **Initialization**: The action initializes the SendGrid API client using the + provided API Token from the integration configuration. + + 2. **Message Construction**: It constructs a mail object containing the sender's + email, recipient's email, subject, and HTML content derived from the action parameters. + + 3. **API Request**: The action sends the email request to the SendGrid service. + + 4. **Result Handling**: If the 'Return Message Status' parameter is enabled, the + action captures the API response status code and timestamp, attaching them as + a JSON result to the action execution. + + + ### Parameters Description + + | Parameter Name | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Email From | string | Yes | The email address that will appear in the 'From' + field of the sent email. | + + | Email To | string | Yes | The recipient's email address. | + + | Subject | string | Yes | The subject line of the email. | + + | Content | email_content | Yes | The HTML-formatted body of the email message. + | + + | Return Message Status | boolean | No | If set to 'true', the action will return + the SendGrid API response status code and delivery metadata in the JSON results. + Default is 'false'. | + + + ### Additional Notes + + - This action does not operate on specific SecOps entities; it uses the provided + parameter values to execute the mail delivery. + + - No retry logic is implemented within this specific action; failures in the API + call will result in an execution failure state. capabilities: can_create_case_comments: false can_create_insight: false @@ -96,8 +129,8 @@ Send Email: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Sends an email message to an external recipient via the SendGrid API, which - creates a new outbound communication record in the SendGrid service. + Sends an outbound email through the SendGrid API, which creates a new email + transaction and record within the SendGrid service. fetches_data: false internal_data_mutation_explanation: null categories: @@ -117,3 +150,28 @@ Send Email: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: true + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/community/send_grid/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/send_grid/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..a4b23e02c --- /dev/null +++ b/content/response_integrations/third_party/community/send_grid/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: true + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/signal_sciences/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/signal_sciences/resources/ai/actions_ai_description.yaml new file mode 100644 index 000000000..60e9dba1b --- /dev/null +++ b/content/response_integrations/third_party/community/signal_sciences/resources/ai/actions_ai_description.yaml @@ -0,0 +1,626 @@ +Add IP to Allow List: + ai_description: >- + Adds one or more IP addresses to the Signal Sciences Allow List for a specific + site. This action allows analysts to proactively permit traffic from specific + sources by updating the Signal Sciences configuration. It processes IP addresses + provided directly as parameters as well as IP Address entities present in the + current SOAR context. + + + ### Flow Description + + 1. **Parameter Extraction:** Retrieves the 'Site Name', 'IP Address' (optional + list), and 'Note' (mandatory justification) from the action input. + + 2. **Target Identification:** Collects IP addresses from the 'IP Address' parameter + and identifies all 'ADDRESS' entities within the case. + + 3. **Pre-check:** Fetches the existing allow list for the specified site from + Signal Sciences to identify IPs that are already listed. + + 4. **Validation and Execution:** Validates the format of each target IP. For IPs + not already on the list, it performs a PUT request to the Signal Sciences API + to add them, including the provided note. + + 5. **Finalization:** Consolidates the results, reporting which IPs were successfully + added, which already existed, and which failed (due to invalid format or API errors). + + + ### Parameters Description + + | Parameter Name | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Site Name | String | Yes | The API name of the site as defined in the Signal + Sciences dashboard where the IP will be allowed. | + + | IP Address | String | No | A comma-separated list of IP addresses to add. If + left empty, the action will only process IP Address entities from the case. | + + | Note | String | Yes | A descriptive note or justification for allowing the IP. + This is a required field by the Signal Sciences API. | + + + ### Additional Notes + + - The action deduplicates IP addresses found in both the parameters and the entities. + + - If an IP address is already present in the Signal Sciences allow list, the action + treats it as a success but does not attempt to re-add it. + capabilities: + can_create_case_comments: false + can_create_insight: false + can_modify_alert_data: false + can_mutate_external_data: true + can_mutate_internal_data: false + can_update_entities: false + external_data_mutation_explanation: >- + Adds the specified IP addresses to the Signal Sciences allow list for a specific + site via a PUT request to the /whitelist endpoint. + fetches_data: true + internal_data_mutation_explanation: null + categories: + enrichment: false + entity_usage: + entity_types: + - ADDRESS + filters_by_additional_properties: false + filters_by_alert_identifier: false + filters_by_case_identifier: false + filters_by_creation_time: false + filters_by_entity_type: true + filters_by_identifier: false + filters_by_is_artifact: false + filters_by_is_enriched: false + filters_by_is_internal: false + filters_by_is_pivot: false + filters_by_is_suspicious: false + filters_by_is_vulnerable: false + filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: true + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false +Add IP to Block List: + ai_description: >- + ### General Description + + The **Add IP to Block List** action allows security analysts to programmatically + add IP addresses to the block list of a specific site within Signal Sciences. + This action is used for containment and remediation by preventing traffic from + known malicious or suspicious IP addresses. It supports both manual input via + parameters and automatic processing of IP Address entities present in the Google + SecOps case. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Site Name | String | Yes | The API name of the site as defined in the Signal + Sciences dashboard where the IP will be blocked. | + + | IP Address | String | No | A comma-separated list of IP addresses to add. If + left empty, the action will only process IP Address entities from the case. | + + | Note | String | Yes | A mandatory descriptive note or justification for blocking + the IP address, which is required by the Signal Sciences API. | + + + ### Additional Notes + + - The action performs a de-duplication check: if an IP address is already present + in the site's block list, it will not attempt to add it again but will report + it as a success. + + - Both IPv4 and IPv6 addresses are supported and validated before submission. + + - If no IPs are provided via parameters and no IP entities are found in the case, + the action will fail with an informative message. + + + ### Flow Description + + 1. **Parameter Extraction:** The action retrieves the `Site Name`, `IP Address` + list, and the mandatory `Note` from the input. + + 2. **Target Identification:** It identifies target IP addresses by combining those + provided in the `IP Address` parameter with any `ADDRESS` entities found in the + current case context. + + 3. **Pre-check:** It fetches the current block list for the specified site from + Signal Sciences to identify IPs that are already blocked. + + 4. **Validation and Execution:** For each unique target IP, the action validates + the IP format. If valid and not already blocked, it sends a request to the Signal + Sciences API to add the IP to the block list using the provided note. + + 5. **Result Compilation:** The action tracks successful additions and failures, + providing a summary message and a detailed JSON result containing the status of + each processed IP. + capabilities: + can_create_case_comments: false + can_create_insight: false + can_modify_alert_data: false + can_mutate_external_data: true + can_mutate_internal_data: false + can_update_entities: false + external_data_mutation_explanation: >- + Adds the specified IP addresses to the Signal Sciences block list for a specific + site via a PUT request to the Signal Sciences API. + fetches_data: true + internal_data_mutation_explanation: null + categories: + enrichment: false + entity_usage: + entity_types: + - ADDRESS + filters_by_additional_properties: false + filters_by_alert_identifier: false + filters_by_case_identifier: false + filters_by_creation_time: false + filters_by_entity_type: true + filters_by_identifier: false + filters_by_is_artifact: false + filters_by_is_enriched: false + filters_by_is_internal: false + filters_by_is_pivot: false + filters_by_is_suspicious: false + filters_by_is_vulnerable: false + filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: true + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false +List Sites: + ai_description: >- + Retrieves a list of all sites associated with the configured corporation in Signal + Sciences. This action is useful for discovering available site names and their + metadata, such as display names and agent levels, which are often required as + inputs for other Signal Sciences actions. It supports automatic pagination to + ensure all requested records are retrieved. + + + ### Parameters + + + | Parameter | Type | Mandatory | Default | Description | + + | :--- | :--- | :--- | :--- | :--- | + + | Max Sites To Return | string | No | 50 | The maximum number of sites to return. + Setting this value to 0 or leaving it empty returns all available sites. | + + + ### Additional Notes + + - This action does not require any input entities and runs at the corporation + level. + + - The results are presented both as a JSON object and as a formatted data table + named 'Signal Sciences Sites'. + + + ### Flow Description + + 1. **Parameter Extraction:** The action retrieves the 'Max Sites To Return' parameter + and validates that it is a valid integer. + + 2. **API Interaction:** It calls the Signal Sciences API to fetch site information + for the configured corporation. + + 3. **Pagination:** The action handles pagination automatically, continuing to + fetch pages until the specified limit is reached or all sites are retrieved. + + 4. **Data Processing:** The raw API response is transformed into structured 'Site' + objects. + + 5. **Output Generation:** The action populates the JSON results, creates a data + table for the case wall, and generates a success message listing the names of + the retrieved sites. + capabilities: + can_create_case_comments: false + can_create_insight: false + can_modify_alert_data: false + can_mutate_external_data: false + can_mutate_internal_data: false + can_update_entities: false + external_data_mutation_explanation: null + fetches_data: true + internal_data_mutation_explanation: null + categories: + enrichment: true + entity_usage: + entity_types: [] + filters_by_additional_properties: false + filters_by_alert_identifier: false + filters_by_case_identifier: false + filters_by_creation_time: false + filters_by_entity_type: false + filters_by_identifier: false + filters_by_is_artifact: false + filters_by_is_enriched: false + filters_by_is_internal: false + filters_by_is_pivot: false + filters_by_is_suspicious: false + filters_by_is_vulnerable: false + filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false +Ping: + ai_description: >- + ### General Description + + The **Ping** action is a utility designed to verify the connectivity between the + Google SecOps platform and the Signal Sciences API. It ensures that the integration + is correctly configured and that the service is reachable using the provided credentials. + + + ### Parameters Description + + There are no action-specific parameters for this action. It relies on the global + integration configuration parameters (API Root, Email, API Token, and Corporation + Name) to establish a connection. + + + ### Additional Notes + + This action is typically used during the initial setup of the integration or for + troubleshooting communication issues. It does not process any entities or modify + any data. + + + ### Flow Description + + 1. **Initialize Client**: The action initializes the Signal Sciences API manager + using the integration's configuration settings (API Root, Email, API Token, Corporation + Name, and SSL verification settings). + + 2. **Test Connectivity**: It performs a GET request to the Signal Sciences Corporation + endpoint (`/corps/{corp_name}`) to validate the credentials and the corporation + name. + + 3. **Validate Response**: + - If the API returns a successful response (HTTP 200), the action completes + with a success message indicating connectivity. + - If an exception occurs (e.g., network error, 401 Unauthorized, 404 Not Found), + the action catches the error, logs the reason, and returns a failure status. + capabilities: + can_create_case_comments: false + can_create_insight: false + can_modify_alert_data: false + can_mutate_external_data: false + can_mutate_internal_data: false + can_update_entities: false + external_data_mutation_explanation: null + fetches_data: true + internal_data_mutation_explanation: null + categories: + enrichment: false + entity_usage: + entity_types: [] + filters_by_additional_properties: false + filters_by_alert_identifier: false + filters_by_case_identifier: false + filters_by_creation_time: false + filters_by_entity_type: false + filters_by_identifier: false + filters_by_is_artifact: false + filters_by_is_enriched: false + filters_by_is_internal: false + filters_by_is_pivot: false + filters_by_is_suspicious: false + filters_by_is_vulnerable: false + filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false +Remove IP from Allow List: + ai_description: >- + ### General Description + + The **Remove IP from Allow List** action is used to remove specific IP addresses + from the allow list of a designated site within Signal Sciences. This action is + useful for revoking previously granted access or trust for specific network indicators. + It can process IP addresses provided directly as parameters or automatically identify + and process IP Address entities within the SOAR case context. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Site Name | String | Yes | The API name of the site as defined in the Signal + Sciences dashboard. This determines which site's allow list will be modified. + | + + | IP Address | String | No | A comma-separated list of IP addresses to remove. + If this parameter is left empty, the action will attempt to use all IP Address + entities found in the current context. | + + + ### Flow Description + + 1. **Parameter Extraction:** The action retrieves the `Site Name` and the optional + `IP Address` list from the input parameters. + + 2. **Target Identification:** It identifies target IP addresses by combining those + provided in the `IP Address` parameter with any `ADDRESS` entities found in the + case context. The list is then deduplicated. + + 3. **Allow List Retrieval:** The action fetches the current allow list for the + specified site from the Signal Sciences API to find the internal IDs associated + with the target IPs. + + 4. **Validation and Matching:** For each target IP, the action validates the IP + format. It then searches the retrieved allow list for entries where the source + matches the target IP. + + 5. **Removal Execution:** For every matching entry found, the action sends a DELETE + request to Signal Sciences to remove that specific item from the allow list. + + 6. **Finalization:** The action summarizes the results, listing which IPs were + successfully removed and which encountered errors. + + + ### Additional Notes + + - If an IP address is not found in the allow list, the action treats it as a success + (as the desired state of the IP not being on the list is met). + + - Either the `IP Address` parameter must be populated, or the case must contain + `ADDRESS` entities for the action to have targets to process. + capabilities: + can_create_case_comments: false + can_create_insight: false + can_modify_alert_data: false + can_mutate_external_data: true + can_mutate_internal_data: false + can_update_entities: false + external_data_mutation_explanation: >- + The action performs DELETE requests to the Signal Sciences API to remove specific + IP address entries from a site's allow list. + fetches_data: true + internal_data_mutation_explanation: null + categories: + enrichment: false + entity_usage: + entity_types: + - ADDRESS + filters_by_additional_properties: false + filters_by_alert_identifier: false + filters_by_case_identifier: false + filters_by_creation_time: false + filters_by_entity_type: true + filters_by_identifier: false + filters_by_is_artifact: false + filters_by_is_enriched: false + filters_by_is_internal: false + filters_by_is_pivot: false + filters_by_is_suspicious: false + filters_by_is_vulnerable: false + filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: true + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false +Remove IP from Block List: + ai_description: >- + Removes specific IP addresses from the Signal Sciences block list (blacklist) + for a designated site. The action identifies target IPs from both the 'IP Address' + input parameter and any IP Address entities present in the current context. It + first retrieves the existing block list for the specified site to find the internal + IDs associated with the target IPs and then issues deletion requests to remove + them. + + + ### Flow Description + + 1. **Parameter Extraction:** Retrieves the mandatory 'Site Name' and the optional + 'IP Address' list from the action configuration. + + 2. **Entity Identification:** Collects IP addresses from the 'IP Address' parameter + and identifies all 'ADDRESS' entities in the scope. + + 3. **Data Retrieval:** Fetches the current block list for the specified site from + Signal Sciences to map IP addresses to their unique item IDs. + + 4. **Validation:** Validates that each target IP is a correctly formatted IPv4 + or IPv6 address. + + 5. **Removal Logic:** For each valid target IP, the action searches the retrieved + block list. If a match is found, it calls the Signal Sciences API to delete that + specific entry. + + 6. **Finalization:** Summarizes the results, listing which IPs were successfully + removed and which failed (due to invalid format or API errors). + + + ### Parameters Description + + | Parameter Name | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Site Name | string | True | The API name of the site as defined in the Signal + Sciences dashboard. | + + | IP Address | string | False | A comma-separated list of IP addresses to remove. + If not provided, the action will only process IP Address entities. | + + + ### Additional Notes + + - If an IP address is already absent from the block list, the action treats it + as a success. + + - The action requires the 'Site Name' to be the API-specific name, not necessarily + the display name. + capabilities: + can_create_case_comments: false + can_create_insight: false + can_modify_alert_data: false + can_mutate_external_data: true + can_mutate_internal_data: false + can_update_entities: false + external_data_mutation_explanation: >- + Deletes IP address entries from the Signal Sciences block list (blacklist) for + a specific site via the API. + fetches_data: true + internal_data_mutation_explanation: null + categories: + enrichment: false + entity_usage: + entity_types: + - ADDRESS + filters_by_additional_properties: false + filters_by_alert_identifier: false + filters_by_case_identifier: false + filters_by_creation_time: false + filters_by_entity_type: true + filters_by_identifier: false + filters_by_is_artifact: false + filters_by_is_enriched: false + filters_by_is_internal: false + filters_by_is_pivot: false + filters_by_is_suspicious: false + filters_by_is_vulnerable: false + filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: true + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/community/signal_sciences/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/signal_sciences/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..b927e7b41 --- /dev/null +++ b/content/response_integrations/third_party/community/signal_sciences/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: true + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/spell_checker/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/spell_checker/resources/ai/actions_ai_description.yaml index 5fd183f8e..acb457f39 100644 --- a/content/response_integrations/third_party/community/spell_checker/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/spell_checker/resources/ai/actions_ai_description.yaml @@ -2,31 +2,34 @@ Ping: ai_description: >- ### General Description - The **Ping** action is a diagnostic utility used to verify the connectivity and - functional status of the **Spell Checker** integration within Google SecOps. Its - primary purpose is to ensure that the integration environment is correctly set - up and that the action execution engine can successfully initialize the integration's - components. + The **Ping** action is a diagnostic utility designed to verify the connectivity + and operational status of the **Spell Checker** integration within Google SecOps. + Its primary purpose is to ensure that the integration is correctly configured + and that the system can successfully execute logic associated with the Spell Checker + module. - ### Parameters + ### Parameters Description - There are no parameters required for this action. + There are no parameters configured for this action. - ### Additional Notes + ### Flow Description - This action does not interact with any external APIs or perform any spell-checking - logic. It is strictly used for health checks. + 1. **Initialization**: The action initializes the `SiemplifyAction` handler to + interface with the Google SecOps environment. + 2. **Status Verification**: The script executes a minimal logic path to confirm + the integration's availability. - ### Flow Description + 3. **Execution Completion**: The action terminates successfully, returning a static + message ('Spell Checker is connected') to indicate that the integration is functional. - 1. **Initialization**: The action initializes the Siemplify API context. - 2. **Connectivity Confirmation**: The action immediately concludes, returning - a success message ('Spell Checker is connected') to indicate that the integration - is reachable and active. + ### Additional Notes + + This action does not interact with any external APIs or perform any data processing; + it serves strictly as a heartbeat check. capabilities: can_create_case_comments: false can_create_insight: false @@ -54,55 +57,55 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Spelling Check: ai_description: >- - ### General Description - - This action identifies misspelled words within a provided text string and suggests - potential corrections based on word frequency. It is designed to help analysts - clean up notes, communications, or extracted data within the SOAR platform by - highlighting typographical errors. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Input | String | No | The raw text that will be analyzed for spelling errors. - If left empty, the action will process an empty string. | - - - ### Flow Description - - 1. **Text Retrieval**: The action retrieves the string provided in the `Input` - parameter. - - 2. **Sanitization**: It cleans the input text using regular expressions to remove - special characters while preserving letters, spaces, and specific symbols like - '@' (to identify emails). - - 3. **Filtering**: The logic splits the text into individual words and filters - out potential false positives such as email addresses and URLs (containing 'http'). - - 4. **Misspelling Identification**: It utilizes a spell-checking manager (augmented - with a custom allowlist of technical terms like 'siemplify' and 'playbook') to - identify words not found in its dictionary. - - 5. **Suggestion Generation**: For every misspelled word found, the action generates - a list of candidate corrections. - - 6. **Output Generation**: The results are formatted into a JSON object and a data - table titled 'Found spelling mistakes' which is attached to the action output - in the SOAR case. - - - ### Additional Notes - - This action performs local text processing and does not require connectivity to - external web services or APIs. It does not interact with or filter entities within - the case scope. + ### General Description\nThis action identifies misspelled words within a provided + text string and suggests potential corrections based on word frequency. It is + a utility action designed to improve the quality of text data processed within + Google SecOps playbooks by identifying errors and providing recommendations.\n\n### + Parameters\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- + | :--- |\n| Input | String | No | The text that will be checked by the Spell Checker. + Note: While marked as not mandatory in configuration, the action logic expects + a string to process. |\n\n### Additional Notes\n- The action utilizes a local + spell-checking library and does not communicate with external web services, ensuring + data privacy.\n- It includes a built-in allowlist for common technical terms like + 'Microsoft', 'Google', 'Siemplify', and 'SaaS' to prevent them from being flagged + as errors.\n- Emails and URLs are automatically excluded from the check to reduce + false positives.\n\n### Flow Description\n1. **Input Acquisition**: Retrieves + the text string from the 'Input' parameter.\n2. **Text Cleaning**: Applies regular + expressions to remove non-alphabetic characters and noise while preserving word + boundaries.\n3. **Word Extraction**: Splits the cleaned text into individual words, + filtering out any tokens that appear to be email addresses or URLs.\n4. **Spelling + Analysis**: Identifies words not found in the dictionary (misspellings) using + the SpellCheckerManager.\n5. **Correction Discovery**: Generates a list of candidate + corrections for each identified misspelling based on word frequency.\n6. **Result + Reporting**: Outputs the count of mistakes, a JSON mapping of errors to suggestions, + and a data table for analyst review. capabilities: can_create_case_comments: false can_create_insight: false @@ -130,3 +133,28 @@ Spelling Check: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/community/spell_checker/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/spell_checker/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..0801c7556 --- /dev/null +++ b/content/response_integrations/third_party/community/spell_checker/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/superna_zero_trust/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/superna_zero_trust/resources/ai/actions_ai_description.yaml index 6d22f2797..a2fa03861 100644 --- a/content/response_integrations/third_party/community/superna_zero_trust/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/superna_zero_trust/resources/ai/actions_ai_description.yaml @@ -1,24 +1,56 @@ Ping: ai_description: >- - ### General Description: Tests the connectivity and health of the Superna Zero - Trust (Eyeglass) API. This action is primarily used to verify that the integration - is correctly configured and can successfully communicate with the target server. - ### Parameters Description: | Parameter | Type | Mandatory | Description | | :--- - | :--- | :--- | :--- | | api_token | String | Yes | (Configuration) The API key - used for authentication with the Superna Zero Trust service. | | eyeglass_ip | - String | Yes | (Configuration) The IP address or hostname of the Superna Eyeglass - server. | | Verify SSL | Boolean | No | (Configuration) Determines whether to - verify the SSL certificate of the server. Defaults to False. | ### Additional - Notes: This action does not require any input entities and relies solely on the - integration's configuration parameters. It is categorized as a connectivity test. - ### Flow Description: 1. **Configuration Extraction**: Retrieves the api_token, - eyeglass_ip, and Verify SSL settings from the integration configuration. 2. **URL - Construction**: Builds the full API URL using the provided IP and the /sera/v1/healthcheck - endpoint. 3. **API Request**: Sends a GET request to the health check endpoint - with the API key included in the headers. 4. **Error Handling**: Catches timeouts, - connection errors, and HTTP errors, logging the specific failure reason for troubleshooting. - 5. **Result Reporting**: Returns a success message if the API responds correctly, - or a failure message with details if an error occurs. + ### General Description + + The **Ping** action is designed to verify the connectivity and health of the Superna + Eyeglass Zero Trust API. It performs a simple GET request to the health check + endpoint of the configured Eyeglass server to ensure that the integration can + successfully communicate with the external service using the provided credentials. + + + ### Parameters Description + + | Parameter Name | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | api_token | String | Yes | The API key used to authenticate requests to the + Superna Eyeglass server. This is retrieved from the integration configuration. + | + + | eyeglass_ip | String | Yes | The IP address or hostname of the Superna Eyeglass + server. This is retrieved from the integration configuration. | + + | Verify SSL | Boolean | No | Determines whether to verify the SSL certificate + of the Eyeglass server. Defaults to `False`. | + + + ### Additional Notes + + - This action is primarily used for troubleshooting and initial setup verification. + + - It does not process any entities from the SOAR case. + + - As per standard conventions, actions named 'Ping' are not classified as enrichment + actions. + + + ### Flow Description + + 1. **Configuration Retrieval:** The action extracts the `api_token`, `eyeglass_ip`, + and `Verify SSL` settings from the integration configuration. + + 2. **URL Construction:** It constructs the full API endpoint URL using the `eyeglass_ip` + and the hardcoded path `/sera/v1/healthcheck`. + + 3. **Request Execution:** A GET request is sent to the constructed URL with the + `api_key` included in the headers. + + 4. **Error Handling:** The script handles various network and HTTP exceptions, + including timeouts and connection failures. + + 5. **Result Reporting:** The action logs the API response and terminates with + a status of `COMPLETED`, `FAILED`, or `TIMEDOUT` based on the outcome of the request. capabilities: can_create_case_comments: false can_create_insight: false @@ -46,58 +78,83 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Superna Snapshot Critical NAS Data: ai_description: >- - ### General Description + Triggers a Cyber Snapshot of critical NAS (Network Attached Storage) data using + the Superna Eyeglass Zero Trust API. This action is designed to provide ransomware + protection by initiating snapshots of critical data paths defined within the Superna + environment. It communicates with the Superna Eyeglass server via a POST request + to the ransomware critical paths endpoint. - Triggers a snapshot of critical NAS (Network Attached Storage) data via the Superna - Eyeglass Zero Trust API. This action is designed to initiate a protective snapshot - of critical data paths, typically as a response to detected ransomware activity - or as a proactive security measure within a Zero Trust framework. - - ### Parameters Description + ### Parameters | Parameter Name | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | api_token | String | Yes | The API key used for authentication with the Superna + | api_token | String | Yes | The API token used for authentication with the Superna Eyeglass server. This is retrieved from the integration configuration. | | eyeglass_ip | String | Yes | The IP address or hostname of the Superna Eyeglass - instance. This is retrieved from the integration configuration. | + server. This is retrieved from the integration configuration. | - | Verify SSL | Boolean | No | Determines whether to verify the SSL certificate - of the Superna Eyeglass server. Defaults to `False`. | + | Verify SSL | Boolean | No | Whether to verify the SSL certificate of the Superna + Eyeglass server. Defaults to False. This is retrieved from the integration configuration. + | ### Additional Notes - * This action does not operate on specific entities (like IPs or Hostnames) within - a case. Instead, it performs a global operation on the configured Superna Eyeglass - environment. + - This action does not take any direct input parameters; instead, it relies entirely + on the global integration configuration for connection details. - * The action uses a POST request to the `/sera/v2/ransomware/criticalpaths` endpoint, - which triggers the snapshot process on the external system. + - The action is marked as asynchronous in the metadata, although the provided + script follows a synchronous execution flow. ### Flow Description - 1. **Configuration Extraction**: Retrieves the `api_token`, `eyeglass_ip`, and - `Verify SSL` settings from the integration configuration. + 1. **Configuration Retrieval:** The action extracts the `api_token`, `eyeglass_ip`, + and `Verify SSL` settings from the SupernaZeroTrust integration configuration. - 2. **URL Construction**: Builds the target API endpoint using the provided Eyeglass - IP and the predefined critical paths route. + 2. **Endpoint Construction:** It constructs the full API URL using the provided + Eyeglass IP and the specific ransomware critical paths route (`/sera/v2/ransomware/criticalpaths`). - 3. **API Request**: Executes an authenticated HTTP POST request to the Superna - Eyeglass API to trigger the snapshot. + 3. **API Request:** It sends a POST request to the Superna Eyeglass server with + the required authentication headers. - 4. **Error Handling**: Implements comprehensive error handling for timeouts, connection - issues, and HTTP errors (e.g., 4xx or 5xx responses). + 4. **Response Handling:** The action processes the server's response. If successful, + it returns the response text. It includes comprehensive error handling for timeouts, + connection issues, and HTTP errors. - 5. **Result Reporting**: Returns the raw API response text as the action result - and sets the execution status based on the success of the API call. + 5. **Completion:** The action terminates by providing the execution status and + the raw API response to the Google SecOps platform. capabilities: can_create_case_comments: false can_create_insight: false @@ -106,8 +163,8 @@ Superna Snapshot Critical NAS Data: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Triggers the creation of a data snapshot for critical NAS paths within the Superna - Eyeglass platform. + Initiates a snapshot of critical NAS data on the storage systems managed by + Superna Eyeglass, which creates a new point-in-time data state. fetches_data: true internal_data_mutation_explanation: null categories: @@ -127,47 +184,62 @@ Superna Snapshot Critical NAS Data: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Superna Zero Trust User Lockout: ai_description: >- - ### General Description + This action locks out a suspected user from all Superna protected NAS storage. + It interacts with the Superna Eyeglass API to resolve user permissions and apply + a 'deny read' permission to SMB shares, effectively preventing the user from accessing + data on the NAS. - The **Superna Zero Trust User Lockout** action is designed to immediately revoke - a user's access to all Superna-protected Network Attached Storage (NAS). By communicating - with the Superna Eyeglass API, it resolves existing user permissions and applies - a 'deny read' permission to SMB shares, effectively containing a suspected compromised - account. - - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **UserName** | String | Yes | The identifier of the user to be locked out. Should - be provided in `domain\username` or `user@domain` format. | + | UserName | String | Yes | The username to be locked out. Expected format is + `domain\username` or `user@domain`. | ### Flow Description - 1. **Initialization**: The action retrieves the necessary connection details (Eyeglass - IP, API Token) and the target username from the action parameters. - - 2. **Encoding**: The username is URL-encoded to ensure compatibility with the - API endpoint structure. - - 3. **API Request**: A POST request is sent to the Superna Eyeglass lockout endpoint - (`/sera/v2/ransomware/lockout/{user}`). + 1. **Initialization**: Retrieves the API token, Eyeglass IP, and SSL verification + settings from the integration configuration. - 4. **Outcome Handling**: The action monitors the HTTP response. If successful, - it confirms the lockout; otherwise, it logs specific error types (Timeout, Connection, - or HTTP errors) and fails the action. + 2. **Input Processing**: Extracts the `UserName` parameter and URL-encodes it + to ensure it is safe for the API call. + 3. **API Request**: Constructs the lockout API URL and sends a POST request to + the Superna Eyeglass server. - ### Additional Notes - - This action does not process entities from the case context; it relies solely - on the provided `UserName` parameter. + 4. **Outcome**: Processes the server's response. If successful, the user is locked + out; otherwise, an error is reported based on the HTTP status or connection result. capabilities: can_create_case_comments: false can_create_insight: false @@ -176,8 +248,8 @@ Superna Zero Trust User Lockout: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Triggers a lockout on the Superna Eyeglass platform, which modifies user permissions - and SMB share access on protected NAS storage. + Locks out a user from Superna protected NAS storage by applying deny read permissions + to SMB shares via a POST request to the Superna Eyeglass API. fetches_data: false internal_data_mutation_explanation: null categories: @@ -197,51 +269,67 @@ Superna Zero Trust User Lockout: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: true + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: true + update_ticket: false Superna Zero Trust User Un Lock: ai_description: >- - ### General Description + Unlocks a user account in Superna Zero Trust that was previously locked out from + protected NAS storage. This action communicates with the Superna Eyeglass API + to restore access for a specific user identifier. - This action unlocks a user account that was previously locked out from Superna-protected - NAS storage. It communicates with the Superna Eyeglass Zero Trust API to restore - access for the specified user. + ### Flow Description - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | + 1. **Parameter Extraction:** Retrieves the API token, Eyeglass IP, and SSL verification + settings from the integration configuration. - | UserName | String | Yes | The identifier of the user to be unlocked. The expected - format is `domain\username` or `username@domain`. | + 2. **Input Processing:** Extracts the `UserName` from the action parameters and + URL-encodes it to ensure safe transmission in the API path. + 3. **API Request:** Constructs a POST request to the `/sera/v2/ransomware/unlock/` + endpoint on the target Superna Eyeglass server. - ### Additional Notes + 4. **Response Handling:** Processes the server response, handling potential timeouts, + connection errors, or HTTP failures, and returns the result to the SecOps platform. - * The action requires the `api_token` and `eyeglass_ip` to be correctly configured - in the integration settings. - - * The `Verify SSL` configuration parameter determines whether the action validates - the SSL certificate of the Eyeglass server. + ### Parameters Description - ### Flow Description + | Parameter | Type | Mandatory | Description | - 1. **Configuration Retrieval**: The action extracts the API token, Eyeglass IP - address, and SSL verification settings from the integration configuration. + | :--- | :--- | :--- | :--- | - 2. **Input Processing**: The `UserName` provided in the action parameters is retrieved - and URL-encoded to ensure compatibility with the API endpoint. + | UserName | String | Yes | The identifier of the user to unlock. Expected format + is `domain\username` or `username@domain`. | - 3. **API Request Construction**: A POST request URL is constructed using the Eyeglass - IP and the encoded username (e.g., `https://{eyeglass_ip}/sera/v2/ransomware/unlock/{user}`). - 4. **External Execution**: The action sends a POST request to the Superna Eyeglass - API using the provided API key for authentication. + ### Additional Notes - 5. **Response Handling**: The action processes the API response, handling various - error states such as timeouts, connection failures, and HTTP errors, and returns - the final status and response text to Google SecOps. + - This action requires a valid API token and the IP address of the Superna Eyeglass + management console to be configured in the integration settings. capabilities: can_create_case_comments: false can_create_insight: false @@ -250,9 +338,8 @@ Superna Zero Trust User Un Lock: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - The action sends a POST request to the Superna Eyeglass API to unlock a user - account, which changes the user's access state on the protected NAS storage - systems. + Unlocks a user account within the Superna Zero Trust environment, changing the + user's access state on protected NAS storage systems. fetches_data: false internal_data_mutation_explanation: null categories: @@ -272,3 +359,28 @@ Superna Zero Trust User Un Lock: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: true + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/community/superna_zero_trust/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/superna_zero_trust/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..6c27508d3 --- /dev/null +++ b/content/response_integrations/third_party/community/superna_zero_trust/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: true + itsm: false + network_security: false + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/team_cymru_scout/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/team_cymru_scout/resources/ai/actions_ai_description.yaml index 81e708fca..c091c3d4d 100644 --- a/content/response_integrations/third_party/community/team_cymru_scout/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/team_cymru_scout/resources/ai/actions_ai_description.yaml @@ -2,47 +2,51 @@ Account Usage: ai_description: >- ### General Description - The **Account Usage** action retrieves real-time metrics regarding the query consumption - and quota limits for the Team Cymru Scout API. It provides security analysts with - visibility into their remaining API balance, ensuring that automated workflows - or manual investigations do not exceed subscription limits. The action fetches - data for both standard queries and foundation API usage. + The **Account Usage** action retrieves real-time metrics regarding the API consumption + for the Team Cymru Scout integration. It provides visibility into the number of + queries used, the remaining quota, and the overall query limits for both the standard + Scout API and the Foundation API. This is primarily a utility action used by administrators + or analysts to monitor license usage and ensure API availability for automated + playbooks. ### Parameters Description + This action does not require any input parameters. + + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | N/A | N/A | N/A | This action does not require any input parameters. | + | N/A | N/A | N/A | No parameters are required for this action. | ### Additional Notes - - This action is a utility task used for monitoring integration health and quota - status. + - The action performs a read-only GET request to the `/usage` endpoint. - - It does not interact with or require any entities (IPs, Domains, etc.) to execute. + - Results are displayed in a structured data table within the Google SecOps case + wall. ### Flow Description - 1. **Authentication**: The action retrieves the configured authentication credentials - (either API Key or Username/Password) from the Team Cymru Scout integration settings. + 1. **Initialization**: The action initializes the Siemplify environment and retrieves + the integration's authentication configuration (either API Key or Username/Password). - 2. **API Connection**: It initializes a connection to the Team Cymru Scout service - via the `ApiManager`. + 2. **API Connection**: It establishes a session with the Team Cymru Scout API + manager, applying SSL verification settings as configured. - 3. **Data Retrieval**: A GET request is dispatched to the `/usage` endpoint to - fetch current account statistics. + 3. **Data Retrieval**: The action executes a GET request to the account usage + endpoint to fetch current metric data. - 4. **Metric Extraction**: The logic parses the response to identify key metrics: - `used_queries`, `remaining_queries`, `query_limit`, and specific foundation API - usage details. + 4. **Response Handling**: If the request is successful, the raw JSON response + is attached to the action results. - 5. **Output Generation**: The action returns the raw JSON response and renders - a formatted data table titled "Account Usage" within the Google SecOps case wall. + 5. **Table Rendering**: The action parses the response into a human-readable format + and renders a data table titled "Account Usage" containing specific fields like + `Used Queries`, `Remaining Queries`, and `Query Limit`. capabilities: can_create_case_comments: false can_create_insight: false @@ -70,79 +74,101 @@ Account Usage: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Advanced Query: ai_description: >- - ### General Description - - The **Advanced Query** action executes a search using the Team Cymru Scout query - language to retrieve comprehensive summary information about network indicators. - It allows for flexible filtering by date ranges or relative day offsets and returns - detailed intelligence across multiple categories, including PDNS, open ports, - top peers, and SSL certificates. + The Advanced Query action executes a search using the Team Cymru Scout query language + to retrieve comprehensive summary information about network indicators. This action + is primarily used for threat hunting and deep-dive investigations by allowing + analysts to query the Scout platform for specific communication patterns, IP behaviors, + and historical metadata. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Parameter Extraction:** The action retrieves the mandatory 'Query' string + and optional filters including 'Start Date', 'End Date', 'Days', and 'Size'. - | :--- | :--- | :--- | :--- | + 2. **Validation:** It validates the date formats (YYYY-MM-DD) and ensures the + requested time range does not exceed platform limits (e.g., 90-day lookback, 30-day + window). - | **Query** | String | Yes | A simple or advanced query following the Scout query - language (e.g., `comms.ip="1.1.1.1"`). | + 3. **API Interaction:** Sends a GET request to the Team Cymru Scout `/search` + endpoint with the constructed query and parameters. - | **Start Date** | String | No | The latest date for results (YYYY-MM-DD). Defaults - to 29 days ago if not provided. | + 4. **Data Processing:** Parses the returned JSON which includes IP summaries, + passive DNS (PDNS) records, open ports, top peers, service counts, fingerprints, + and X.509 certificates. - | **End Date** | String | No | The earliest date for results (YYYY-MM-DD). Defaults - to today. | + 5. **Output Generation:** Populates multiple data tables in the Google SecOps + case and attaches the full raw JSON response for further analysis. It also provides + a table detailing current API account usage. - | **Days** | String | No | Relative offset in days from current time. If provided, - this takes priority over Start/End dates. | - - | **Size** | String | No | The number of records to return (Maximum: 5000). | + ### Parameters Description - ### Flow Description + | Parameter | Type | Mandatory | Description | - 1. **Parameter Extraction:** The action retrieves the query string and optional - time/size filters from the user input. + | :--- | :--- | :--- | :--- | - 2. **Validation:** It validates the date formats and ensures the requested range - does not exceed platform limits (e.g., a 30-day window). + | Query | String | Yes | A simple or advanced query using Scout query language + (e.g., `comms.ip="1.1.1.1"`). | - 3. **API Request:** The action sends a GET request to the Team Cymru Scout `/search` - endpoint. + | Start Date | String | No | The latest date for results (YYYY-MM-DD). Defaults + to 29 days prior to today if not provided. | - 4. **Data Processing:** The response is parsed to extract various intelligence - categories, including PDNS, open ports, top peers, service counts, fingerprints, - and SSL certificates. + | End Date | String | No | The earliest date for results (YYYY-MM-DD). Defaults + to today's date. | - 5. **Output Generation:** The action populates multiple data tables in the SOAR - interface and provides the raw JSON response for further downstream processing. + | Days | String | No | Relative offset in days from current time. If provided, + this takes priority over Start/End dates. | - 6. **Usage Tracking:** It also retrieves and displays the current API account - usage to monitor query quotas. + | Size | String | No | The number of records to return (Maximum 5000). | ### Additional Notes - - This action is standalone and does not automatically iterate over entities in - the SOAR case; the user must provide the specific query. - - - The **Days** parameter takes precedence over **Start Date** and **End Date** - if all are provided. + - This action does not run on specific entities within the case; it relies entirely + on the user-provided 'Query' parameter. - - The maximum result size is capped at 5000 records. + - The 'Days' parameter overrides specific date ranges if both are provided. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: false + can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: null + internal_data_mutation_explanation: >- + The action populates multiple data tables (Summary, PDNS, Open Ports, Top Peers, + Service Counts, Fingerprints, and Certs) within the Google SecOps case and attaches + raw JSON results. categories: enrichment: false entity_usage: @@ -160,51 +186,82 @@ Advanced Query: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Enrich IPs: ai_description: >- ### General Description - Enriches IP Address entities using threat intelligence from the Team Cymru Scout - platform. This action retrieves reputation ratings, tags, and last enrichment - timestamps to provide context for security investigations. + The **Enrich IPs** action retrieves threat intelligence for IP Address entities + from the Team Cymru Scout platform. It provides critical context such as reputation + ratings (e.g., malicious, suspicious) and associated tags to help analysts evaluate + the risk of network indicators. To optimize performance and API usage, the action + includes a built-in caching mechanism that skips entities enriched within the + last 24 hours. - ### Parameters Description - - | Parameter | Type | Mandatory | Description | + ### Flow Description - | :--- | :--- | :--- | :--- | + 1. **Entity Identification:** The action scans the current context for all `ADDRESS` + entities. - | None | N/A | N/A | This action does not take any input parameters. | + 2. **Redundancy Check:** For each identified IP, the action checks the `TCS_last_enriched` + field in the entity's `additional_properties`. If the timestamp indicates the + entity was enriched within the last 24 hours, it is skipped. + 3. **Data Retrieval:** The action fetches IP summary data from the Team Cymru + Scout API for all eligible entities using batch processing. - ### Additional Notes + 4. **Entity Enrichment:** + * **Suspicious Status:** The `is_suspicious` flag is set to `True` if the + Team Cymru Scout rating is 'malicious' or 'suspicious'. + * **Metadata Update:** The entity's `additional_properties` are updated with + the rating, tags, and a new `TCS_last_enriched` timestamp. + * **Enrichment Flag:** The entity is marked as `is_enriched = True`. + 5. **Platform Update:** The action updates the entities within Google SecOps and + returns a JSON summary of the enrichment results. - The action uses a 24-hour caching mechanism based on the 'TCS_last_enriched' property - to prevent redundant API calls. Enrichment data added to entities is prefixed - with 'TCS'. + ### Parameters Description - ### Flow Description + | Parameter Name | Usage | Expected Type | Mandatory | Description | - 1. **Entity Filtering**: The action identifies all `ADDRESS` entities in the current - context. + | :--- | :--- | :--- | :--- | :--- | - 2. **Cache Validation**: It checks the `TCS_last_enriched` property of each entity. - If the entity was enriched within the last 24 hours, it is skipped. + | N/A | N/A | N/A | N/A | This action does not have any input parameters. It processes + all IP Address entities in the scope using global integration settings. | - 3. **Data Retrieval**: The action calls the Team Cymru Scout Foundation API to - retrieve summary information for the remaining IP addresses. - 4. **Reputation Analysis**: It evaluates the 'rating' provided by the API. If - the rating is 'malicious' or 'suspicious', the entity's `is_suspicious` flag is - set to true. + ### Additional Notes - 5. **Entity Enrichment**: The action updates the entity's `additional_properties` - with the retrieved data (prefixed with 'TCS') and sets the `is_enriched` flag. + * **Caching:** The 24-hour enrichment cache is stored locally on the entity object + within Google SecOps. - 6. **Platform Update**: Finally, it updates the entities in Google SecOps and - returns the raw summary data as a JSON result. + * **Batching:** The action processes IPs in batches of 10 to ensure efficient + API communication. capabilities: can_create_case_comments: false can_create_insight: false @@ -215,8 +272,9 @@ Enrich IPs: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity fields including 'is_suspicious', 'is_enriched', and populates - 'additional_properties' with enrichment data. + Updates the entity's suspicious status, enrichment status, and populates additional + properties with Team Cymru Scout metadata including reputation ratings, tags, + and enrichment timestamps. categories: enrichment: true entity_usage: @@ -235,48 +293,58 @@ Enrich IPs: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Extract Tags: - ai_description: >- - ### General Description - - This action extracts tags from a specified IP address and its communicating peers - using the Team Cymru Scout service. It allows users to search for specific tags - within the retrieved data to identify potentially malicious or noteworthy associations. - This is useful for identifying if an IP or its immediate network neighborhood - is associated with known threats like malware or phishing. - - - ### Parameters Description - - | Parameter | Description | Type | Mandatory | - - | :--- | :--- | :--- | :--- | - - | IP Address | The IP address for which tags and peer information will be retrieved. - | String | Yes | - - | Tags to Search | A comma-separated list of tags (e.g., 'malware, phishing') - to look for in the results. | String | Yes | - - - ### Flow Description - - 1. **Validation**: The action validates the format of the provided IP address - to ensure it is a valid IPv4 or IPv6 address. - - 2. **Data Retrieval**: It calls the Team Cymru Scout API's `get_ip_details` endpoint - to fetch comprehensive details for the IP, including its metadata and a list of - peer IPs it has communicated with. - - 3. **Tag Extraction**: The logic processes the API response to compile a map of - IPs (the target and its peers) to their respective tags. - - 4. **Tag Matching**: It performs an intersection between the tags found in the - response and the tags provided in the 'Tags to Search' parameter. - - 5. **Reporting**: If matches are found, it returns the matching IPs and tags in - JSON format and provides a summary message. It also renders a data table showing - the current API account usage statistics. + ai_description: "Extracts and searches for specific threat tags associated with\ + \ a provided IP address and its communicating peers using the Team Cymru Scout\ + \ intelligence platform. This action is designed to identify if an IP or its network\ + \ neighbors are linked to known malicious activities like phishing or malware\ + \ based on a user-defined list of tags.\n\n### Flow Description:\n1. **Parameter\ + \ Extraction:** Retrieves the target 'IP Address' and the 'Tags to Search' (comma-separated)\ + \ from the action parameters.\n2. **Validation:** Validates the format of the\ + \ provided IP address to ensure it is a valid IPv4 or IPv6 string.\n3. **Data\ + \ Retrieval:** Calls the Team Cymru Scout API (`get_ip_details`) to fetch comprehensive\ + \ metadata, including tags for the target IP and a list of its communicating peers\ + \ with their respective tags.\n4. **Tag Processing:** Aggregates all tags found\ + \ for the primary IP and its peers into a searchable structure.\n5. **Matching\ + \ Logic:** Performs an intersection between the tags retrieved from the API and\ + \ the tags provided by the user.\n6. **Result Reporting:** \n * If matches\ + \ are found, it identifies which IPs (primary or peers) triggered the match and\ + \ returns the specific matching tags.\n * Generates a JSON result containing\ + \ the matching IPs and their full tag sets.\n * Always produces an 'Account\ + \ Usage' data table showing remaining API query limits.\n\n### Parameters Description:\n\ + | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ + | IP Address | String | True | The specific IP address to investigate for associated\ + \ tags. |\n| Tags to Search | String | True | A comma-separated list of tags to\ + \ look for (e.g., 'malware, phishing, botnet'). |\n\n### Additional Notes:\n*\ + \ This action does not automatically process entities from the SOAR case; it relies\ + \ strictly on the 'IP Address' string parameter provided in the input.\n* The\ + \ search includes 'peers', which are other IP addresses that have communicated\ + \ with the target IP according to Team Cymru's telemetry." capabilities: can_create_case_comments: false can_create_insight: false @@ -288,7 +356,7 @@ Extract Tags: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: entity_types: [] filters_by_additional_properties: false @@ -304,76 +372,66 @@ Extract Tags: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Communications Info: - ai_description: >- - ### General Description - - The **Get Communications Info** action retrieves detailed network communication - and peer information for a specified list of IP addresses from the Team Cymru - Scout platform. This action is designed to provide visibility into the communication - patterns of an IP, including protocol details, client/server relationships, geographic - locations, and associated autonomous system (AS) information. It is primarily - used for network forensics and threat infrastructure mapping. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **IP Addresses** | String | Yes | A comma-separated list of IPv4 or IPv6 addresses - to fetch detailed communication information for. | - - | **Limit** | String | Yes | The maximum number of valid IP addresses to process - in a single execution. Default is 10. | - - | **Start Date** | String | No | The earliest date for results in the range (formatted - YYYY-MM-DD in UTC). If not provided, defaults to 29 days prior to today. | - - | **End Date** | String | No | The latest date for results in the range (formatted - YYYY-MM-DD in UTC). If not provided, defaults to the current date. | - - | **Days** | String | No | A relative offset in days from the current time. If - provided, this integer value takes priority over the Start and End date parameters. - | - - | **Size** | String | No | The number of records to return per IP address (maximum - allowed is 1000). | - - - ### Additional Notes - - - **Date Constraints**: The `Start Date` cannot be older than 90 days from the - current time, and the total window between `Start Date` and `End Date` cannot - exceed 30 days. - - - **Priority Logic**: The `Days` parameter, if provided, will override any values - entered in the `Start Date` and `End Date` fields. - - - **IP Validation**: The action automatically filters out duplicate and invalid - IP formats before making API requests. - - - ### Flow Description - - 1. **Initialization**: The action extracts the provided IP addresses, limits, - and time-range parameters from the environment. - - 2. **Validation**: It validates the IP address formats and ensures the requested - date range complies with Team Cymru Scout's API limitations (e.g., the 30-day - window and 90-day history limit). - - 3. **API Interaction**: For each valid IP address (up to the specified limit), - the action performs a GET request to the Team Cymru Scout `/details` endpoint, - specifically requesting the `comms` (communications) section. - - 4. **Data Processing**: The retrieved data is parsed to extract peer connection - details, including protocols, country codes, top services, and AS names. - - 5. **Output Generation**: The action produces a raw JSON result for further automation - and renders a detailed "Peers" data table in the Google SecOps interface. It also - provides an "Account Usage" table to track API quota consumption. + ai_description: "### General Description\nThe **Get Communications Info** action\ + \ retrieves detailed network communication metadata for a list of provided IP\ + \ addresses from the Team Cymru Scout platform. It focuses on identifying 'peers'\u2014\ + other IP addresses that the target IP has interacted with\u2014along with protocol\ + \ details, service ports, and geographic/ASN context for both sides of the communication.\ + \ This action is primarily used for threat intelligence and network forensics\ + \ to understand the communication patterns of suspicious indicators.\n\n### Parameters\ + \ Description\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- |\ + \ :--- | :--- |\n| **IP Addresses** | String | Yes | A comma-separated list of\ + \ IPv4 or IPv6 addresses to investigate. |\n| **Limit** | String | Yes | The maximum\ + \ number of valid IP addresses from the input list to process (default is 10).\ + \ |\n| **Start Date** | String | No | The latest date for results, formatted YYYY-MM-DD\ + \ in UTC. If not provided, defaults to 29 days prior to today. |\n| **End Date**\ + \ | String | No | The earliest date for results, formatted YYYY-MM-DD in UTC.\ + \ If not provided, defaults to today's date. |\n| **Days** | String | No | Relative\ + \ offset in days (integer) from current time in UTC. **Note:** This takes priority\ + \ over Start Date and End Date if all three are provided. |\n| **Size** | String\ + \ | No | The number of records to return per IP (maximum 1000). |\n\n### Flow\ + \ Description\n1. **Validation**: The action parses the input IP list, removing\ + \ duplicates and identifying invalid formats. It also validates date formats and\ + \ ensures 'Days' and 'Size' are valid integers.\n2. **API Request**: For each\ + \ valid IP (up to the specified limit), the action queries the Team Cymru Scout\ + \ `/ip/{ip}/details` endpoint, specifically requesting the 'comms' (communications)\ + \ section.\n3. **Data Processing**: The response is parsed to extract peer information,\ + \ including protocol text, client/server IPs, country codes, top services, and\ + \ AS names for both the target and the peer.\n4. **Output Generation**:\n *\ + \ A raw JSON result containing the full API response for all processed IPs is\ + \ attached.\n * A **Peers** data table is created, listing detailed interaction\ + \ metrics such as First/Last seen, Event counts, and service ports.\n * An\ + \ **Account Usage** table is generated to show remaining API query quotas for\ + \ the integration.\n\n### Additional Notes\n* This action does not automatically\ + \ process entities from the SOAR case; it relies strictly on the manual input\ + \ provided in the **IP Addresses** parameter.\n* The **Days** parameter, if\ + \ provided, overrides any specific **Start Date** or **End Date** configurations." capabilities: can_create_case_comments: false can_create_insight: false @@ -385,7 +443,7 @@ Get Communications Info: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: entity_types: [] filters_by_additional_properties: false @@ -401,130 +459,98 @@ Get Communications Info: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Fingerprints Info: ai_description: >- - ### General Description - - Retrieves detailed Fingerprints information for specified IP addresses from Team - Cymru Scout. This action allows security analysts to gather technical fingerprinting - data (such as SSL/TLS or SSH signatures) associated with network indicators to - assist in threat profiling and infrastructure analysis. + Retrieves detailed fingerprint information for specified IP addresses from Team + Cymru Scout. This action is used to gather technical metadata about network indicators, + including fingerprint types, signatures, and observation timelines (first and + last seen). It supports both IPv4 and IPv6 addresses and allows for time-based + filtering and result size limits. ### Parameters Description + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **IP Addresses** | String | Yes | Comma-separated list of IPv4 or IPv6 addresses - to investigate. Default is "1.1.1.1". | + | IP Addresses | String | Yes | A comma-separated list of IPv4 or IPv6 addresses + to fetch fingerprint information for. | - | **Limit** | String | Yes | The maximum number of valid IP addresses to process - in a single execution. Default is "10". | + | Limit | String | Yes | The maximum number of valid IP addresses to process in + a single execution. Default is 10. | - | **Start Date** | String | No | The latest date for results (YYYY-MM-DD in UTC). - Defaults to 29 days prior to today if not provided. | + | Start Date | String | No | The latest date for results in YYYY-MM-DD format + (UTC). Defaults to 29 days prior to today if not provided. | - | **End Date** | String | No | The earliest date for results (YYYY-MM-DD in UTC). - Defaults to today's date if not provided. | + | End Date | String | No | The earliest date for results in YYYY-MM-DD format + (UTC). Defaults to the current date if not provided. | - | **Days** | String | No | Relative offset in days (integer) from current time - in UTC. This takes priority over Start and End dates if all are provided. | + | Days | String | No | Relative offset in days from the current time. If provided, + this takes priority over Start Date and End Date. | - | **Size** | String | No | The number of records to retrieve per search (Maximum - 1000). | + | Size | String | No | The number of records to return per search (maximum 1000). + | ### Additional Notes - - The action performs validation on the IP formats and date ranges before making - API calls. + - The action performs validation on all input IP addresses, skipping duplicates + and invalid formats. - - If the number of valid IPs provided exceeds the **Limit**, the additional IPs - are skipped and noted in the output message. + - If the number of valid IPs exceeds the 'Limit' parameter, the additional IPs + are skipped. - - The **Days** parameter, if provided, will override any values provided in the - **Start Date** and **End Date** parameters. + - The 'Days' parameter, if used, overrides any specific date range provided. ### Flow Description - 1. **Input Validation**: The action parses the `IP Addresses` parameter, removes - duplicates, and validates the format of each IP. It also validates date and size - parameters. + 1. **Initialization**: Retrieves integration credentials (API Key or Username/Password) + and validates the 'Limit' and 'IP Addresses' parameters. - 2. **API Connection**: Establishes a connection to the Team Cymru Scout API using - the configured authentication method (API Key or Username/Password). + 2. **Validation**: Parses the input IP list, identifying valid, invalid, and duplicate + addresses. It also validates date formats and ranges. - 3. **Data Fetching**: Iterates through the valid IPs (up to the `Limit`) and requests - detailed fingerprint information for each from the Team Cymru Scout service. + 3. **API Interaction**: For each valid IP (up to the limit), it calls the Team + Cymru Scout API (`/ip/{ip}/details`) with the specified filters (dates, size, + and section set to 'fingerprints'). - 4. **Result Compilation**: Aggregates the API responses into a JSON object and - formats the data into "Fingerprints" and "Account Usage" data tables. + 4. **Data Processing**: Aggregates the API responses, including raw JSON data + and usage statistics. - 5. **Action Completion**: Returns a success or failure status along with a detailed - output message summarizing the results for each IP. - capabilities: - can_create_case_comments: false - can_create_insight: false - can_modify_alert_data: false - can_mutate_external_data: false - can_mutate_internal_data: false - can_update_entities: false - external_data_mutation_explanation: null - fetches_data: true - internal_data_mutation_explanation: null - categories: - enrichment: false - entity_usage: - entity_types: [] - filters_by_additional_properties: false - filters_by_alert_identifier: false - filters_by_case_identifier: false - filters_by_creation_time: false - filters_by_entity_type: false - filters_by_identifier: false - filters_by_is_artifact: false - filters_by_is_enriched: false - filters_by_is_internal: false - filters_by_is_pivot: false - filters_by_is_suspicious: false - filters_by_is_vulnerable: false - filters_by_modification_time: false -Get IP Details: - ai_description: "### General Description\nRetrieves comprehensive threat intelligence\ - \ for specific IP addresses from Team Cymru Scout. This action provides deep visibility\ - \ into IP-related data, including WHOIS information, Passive DNS (PDNS) records,\ - \ open ports, SSL/TLS certificates, and peer communication patterns. It is designed\ - \ to assist analysts in investigating the reputation and historical behavior of\ - \ network indicators.\n\n### Parameters Description\n| Parameter | Type | Mandatory\ - \ | Description |\n| :--- | :--- | :--- | :--- |\n| **IP Addresses** | String\ - \ | Yes | A comma-separated list of IPv4 or IPv6 addresses to investigate. |\n\ - | **Limit** | String | Yes | The maximum number of valid IP addresses to process\ - \ in a single execution (default is 10). |\n| **Start Date** | String | No | The\ - \ earliest date for results (YYYY-MM-DD). Defaults to 29 days prior to today if\ - \ not specified. |\n| **End Date** | String | No | The latest date for results\ - \ (YYYY-MM-DD). Defaults to today's date. |\n| **Days** | String | No | A relative\ - \ offset in days from the current time. **Note:** This parameter takes priority\ - \ over Start Date and End Date if all three are provided. |\n| **Size** | String\ - \ | No | The number of records to return for specific search results (e.g., PDNS\ - \ or Ports). Maximum allowed value is 1000. |\n\n### Flow Description\n1. **Validation:**\ - \ The action parses the input IP addresses, removes duplicates, and validates\ - \ the format (IPv4/IPv6). It also validates date formats and the 'Days' offset.\n\ - 2. **Authentication:** Connects to the Team Cymru Scout API using either API Key\ - \ or Username/Password credentials.\n3. **Data Retrieval:** For each valid IP\ - \ address (up to the specified limit), the action performs a GET request to the\ - \ Scout API to fetch detailed intelligence.\n4. **Data Processing:** Aggregates\ - \ the API response, which includes sections for WHOIS, PDNS, communications, open\ - \ ports, fingerprints, and X.509 certificates.\n5. **Output Generation:** \n \ - \ * Adds the raw JSON response to the action results.\n * Generates and\ - \ attaches multiple data tables to the Google SecOps case (Summary, Insights,\ - \ PDNS, Peers, Ports, Fingerprints, and Certificates).\n * Creates an 'Account\ - \ Usage' table to track API quota consumption.\n\n### Additional Notes\n- The\ - \ action handles API rate limiting (429) and server errors (500+) with a built-in\ - \ retry mechanism and backoff factor.\n- If the number of valid IPs exceeds the\ - \ 'Limit' parameter, the extra IPs are skipped and noted in the output message." + 5. **Output Generation**: Creates a 'Fingerprints' data table containing details + like Type, Signature, and Event Count for each IP. It also generates an 'Account + Usage' table to track API quota consumption. + + 6. **Completion**: Returns the aggregated JSON result and a summary message indicating + the number of successfully processed IPs. capabilities: can_create_case_comments: false can_create_insight: false @@ -535,9 +561,8 @@ Get IP Details: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Adds multiple data tables to the Google SecOps case, including Summary Information, - Insights, Top PDNS, Top Peers, Top Open Ports, Top Fingerprints, Top Certificates, - and Account Usage. + The action adds a 'Fingerprints' data table and an 'Account Usage' data table + to the Google SecOps case to display the retrieved intelligence. categories: enrichment: false entity_usage: @@ -555,16 +580,40 @@ Get IP Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false -Get PDNS Info: + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false +Get IP Details: ai_description: >- ### General Description - The **Get PDNS Info** action retrieves detailed Passive DNS (PDNS) information - for a specified list of IP addresses from the Team Cymru Scout platform. This - action is used to uncover historical domain associations, providing visibility - into which domains have resolved to the target IPs over time. It is particularly - useful for threat hunting and incident investigation to identify potentially malicious - infrastructure or related domains. + Retrieves detailed threat intelligence for specific IP addresses from Team Cymru + Scout. This action provides comprehensive metadata including WHOIS information, + Passive DNS (PDNS) records, network peers, open ports, SSL/X509 certificates, + and fingerprints. It is designed to help security analysts understand the context, + ownership, and historical behavior of IP addresses involved in security incidents. ### Parameters Description @@ -573,73 +622,67 @@ Get PDNS Info: | :--- | :--- | :--- | :--- | - | **IP Addresses** | A comma-separated list of IPv4 or IPv6 addresses to fetch - PDNS information for. | String | Yes | - - | **Limit** | The maximum number of valid IP addresses to process in a single - execution. Default is 10. | String | Yes | + | IP Addresses | A comma-separated list of IPv4 or IPv6 addresses to investigate. + | String | Yes | - | **Start Date** | The latest date for results, formatted as YYYY-MM-DD in UTC. - If omitted, it defaults to 29 days prior to the current date. | String | No | + | Limit | The maximum number of valid IP addresses to process in a single execution + (default is 10). | String | Yes | - | **End Date** | The earliest date for results, formatted as YYYY-MM-DD in UTC. - If omitted, it defaults to the current date. | String | No | + | Start Date | The latest date for results, formatted as YYYY-MM-DD in UTC. Defaults + to 29 days prior to today if not provided. | String | No | - | **Days** | An integer representing a relative offset in days from the current - time. This parameter takes priority over Start Date and End Date if all are provided. - | String | No | + | End Date | The earliest date for results, formatted as YYYY-MM-DD in UTC. Defaults + to today's date if not provided. | String | No | - | **Size** | The number of records to return in the search results (maximum 1000). + | Days | Relative offset in days (integer) from the current time in UTC. This + parameter takes priority over Start Date and End Date if all three are provided. | String | No | + | Size | The number of records to return in the search results (maximum allowed + is 1000). | String | No | - ### Flow Description - 1. **Initialization:** The action extracts the provided IP addresses and configuration - parameters from the SOAR environment. + ### Additional Notes - 2. **Validation:** It validates the IP address formats and ensures date/day parameters - are within valid ranges (e.g., Start Date must be within the last 90 days, and - the range cannot exceed 30 days). + - The action performs validation on all input IP addresses and will skip duplicates + or invalid formats, reporting these in the output message. - 3. **API Request:** For each valid IP address (up to the defined limit), the action - sends a GET request to the Team Cymru Scout API's IP details endpoint, specifically - requesting the 'pdns' section. + - The `Days` parameter is a convenient way to specify a lookback window and will + override specific date ranges. - 4. **Data Processing:** The action parses the API response to extract domain names, - event counts, and first/last seen timestamps for each IP. + - Results are presented as a raw JSON object and multiple structured data tables + for easy review within the case wall. - 5. **Reporting:** It generates a JSON result containing the raw data and renders - two data tables: "PDNS" (containing the extracted records) and "Account Usage" - (showing API quota information). + ### Flow Description - ### Additional Notes + 1. **Input Validation:** The action extracts the provided IP addresses and parameters, + validating IP formats and ensuring the count does not exceed the specified limit. - - The action supports both IPv4 and IPv6 addresses. + 2. **Time Range Calculation:** It determines the search window based on the `Days`, + `Start Date`, and `End Date` parameters. - - If the number of valid IPs exceeds the `Limit`, the extra IPs are skipped and - a warning is logged. + 3. **API Query:** For each valid IP address, the action sends a request to the + Team Cymru Scout API to retrieve detailed intelligence. - - The `Days` parameter is the preferred way to define the search window and will - override specific date inputs if both are provided. + 4. **Data Categorization:** The response is parsed into specific categories such + as WHOIS, PDNS, Peers, and Certificates. - - This action does not run on existing SecOps entities but rather on the list - of IPs provided in the parameters. + 5. **Result Population:** The action attaches the full JSON response to the result + and generates several data tables (e.g., 'Summary Information', 'Top PDNS', 'Top + Peers') to display the enrichment data in the SecOps platform. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: >- - The action adds data tables for PDNS Information and Account Usage to the Google - SecOps case. + internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: entity_types: [] filters_by_additional_properties: false @@ -655,16 +698,40 @@ Get PDNS Info: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false -Get Ports Info: + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false +Get PDNS Info: ai_description: >- ### General Description - Retrieves detailed open port information for specified IP addresses from Team - Cymru Scout. This action allows users to input a list of IPv4 or IPv6 addresses - to fetch historical and current port data, including service names, port numbers, - protocols, and first/last seen timestamps. The results are presented as a JSON - object and formatted into 'Open Ports' and 'Account Usage' data tables within - the Google SecOps case. + The **Get PDNS Info** action retrieves detailed Passive DNS (PDNS) information + for a specified list of IP addresses from Team Cymru Scout. This action is designed + to provide analysts with historical domain resolution data, including event counts + and first/last seen timestamps, which is essential for identifying malicious infrastructure, + tracking domain-to-IP relationships, and uncovering related threat activity. ### Parameters Description @@ -673,57 +740,138 @@ Get Ports Info: | :--- | :--- | :--- | :--- | - | IP Addresses | String | Yes | Comma-separated list of IPv4 or IPv6 addresses - to fetch information for. | + | **IP Addresses** | String | Yes | A comma-separated list of IPv4 or IPv6 addresses + to fetch PDNS information for. | - | Limit | String | Yes | The maximum number of valid IP addresses to be allowed - for processing. Default is 10. | + | **Limit** | String | Yes | The maximum number of valid IP addresses to process + from the input list. This helps manage API quota and performance. | - | Start Date | String | No | The latest date for results, formatted YYYY-MM-DD - in UTC. If not provided, defaults to 29 days prior to today. | + | **Start Date** | String | No | The latest date for results in UTC, formatted + as YYYY-MM-DD. If not provided, it defaults to 29 days prior to the current date. + | - | End Date | String | No | The earliest date for results, formatted YYYY-MM-DD - in UTC. If not provided, defaults to today's date. | + | **End Date** | String | No | The earliest date for results in UTC, formatted + as YYYY-MM-DD. If not provided, it defaults to the current date. | - | Days | String | No | Relative offset in days (integer) from current time in - UTC. This takes priority over Start Date and End Date if all three are provided. - | + | **Days** | String | No | An integer representing a relative offset in days from + the current time. If provided, this value takes priority over the Start and End + dates. | - | Size | String | No | Size, in records, of the search results per IP. The maximum - allowed size is 1000. | + | **Size** | String | No | The number of records to return in the search results + (Maximum allowed is 1000). | ### Flow Description - 1. **Parameter Extraction:** The action retrieves the list of IP addresses, processing - limits, and date filters from the user input. - - 2. **IP Validation:** It validates each IP address format, filters out duplicates, - and ensures the number of IPs processed does not exceed the specified `Limit`. + 1. **Initialization:** The action initializes the Team Cymru Scout API manager + and extracts the user-provided parameters. - 3. **Date Validation:** It validates the date range or relative day offset to - ensure they fall within the supported 90-day window and 30-day range limit. + 2. **Validation:** It validates the format of the provided IP addresses, ensuring + they are valid IPv4 or IPv6 strings. It also validates the date formats and the + result size constraints. - 4. **API Request:** It sends a GET request to the Team Cymru Scout API for each - valid IP, specifically targeting the 'open_ports' section. + 3. **API Request:** For each valid IP address (up to the specified limit), the + action performs a GET request to the Team Cymru Scout `/ip/{ip}/details` endpoint, + specifically requesting the 'pdns' section. - 5. **Data Processing:** The action parses the returned JSON to extract service - names, port numbers, protocols, and observation dates. + 4. **Data Processing:** The action parses the API response, extracting domain + names, event counts, and visibility windows (first/last seen). - 6. **Result Reporting:** It attaches the raw JSON response to the action, generates - an 'Open Ports' data table for the case, and provides an 'Account Usage' table - showing remaining API quota. + 5. **Output:** The action generates a JSON result containing the raw PDNS data + and renders two data tables: one for the detailed PDNS information and another + for the integration's Account Usage statistics. ### Additional Notes - - The `Days` parameter, if provided, overrides the `Start Date` and `End Date` - parameters. + - This action does not automatically iterate over entities in the Google SecOps + case; it processes only the IP addresses provided in the **IP Addresses** parameter. - - The maximum allowed `Size` for records is 1000. - - - This action does not automatically iterate over entities in the case; it processes - the specific IPs provided in the `IP Addresses` parameter. + - The **Days** parameter is the most efficient way to define a search window and + will override specific date parameters if both are supplied. + capabilities: + can_create_case_comments: false + can_create_insight: false + can_modify_alert_data: false + can_mutate_external_data: false + can_mutate_internal_data: false + can_update_entities: false + external_data_mutation_explanation: null + fetches_data: true + internal_data_mutation_explanation: null + categories: + enrichment: false + entity_usage: + entity_types: [] + filters_by_additional_properties: false + filters_by_alert_identifier: false + filters_by_case_identifier: false + filters_by_creation_time: false + filters_by_entity_type: false + filters_by_identifier: false + filters_by_is_artifact: false + filters_by_is_enriched: false + filters_by_is_internal: false + filters_by_is_pivot: false + filters_by_is_suspicious: false + filters_by_is_vulnerable: false + filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false +Get Ports Info: + ai_description: "### General Description\nThe **Get Ports Info** action retrieves\ + \ detailed information about open ports and associated services for a specified\ + \ list of IP addresses using the Team Cymru Scout platform. It provides visibility\ + \ into the network profile of an IP, including service names, port numbers, protocols,\ + \ and observation timestamps, which is essential for attack surface mapping and\ + \ vulnerability assessment.\n\n### Parameters Description\n| Parameter | Type\ + \ | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| **IP Addresses**\ + \ | String | Yes | A comma-separated list of IPv4 or IPv6 addresses to fetch port\ + \ information for. |\n| **Limit** | String | Yes | The maximum number of valid\ + \ IP addresses to process in a single execution (Default: 10). |\n| **Start Date**\ + \ | String | No | The earliest date for results (YYYY-MM-DD). Defaults to 29 days\ + \ prior to the current date if not provided. |\n| **End Date** | String | No |\ + \ The latest date for results (YYYY-MM-DD). Defaults to the current date if not\ + \ provided. |\n| **Days** | String | No | A relative offset in days from the current\ + \ time. If provided, this value takes priority over the Start and End dates. |\n\ + | **Size** | String | No | The maximum number of records to return per search\ + \ (Maximum: 1000). |\n\n### Flow Description\n1. **Initialization:** The action\ + \ extracts the provided IP addresses and time-range parameters (Dates or Days).\n\ + 2. **Validation:** It validates the IP formats, removes duplicates, and ensures\ + \ the number of IPs does not exceed the specified 'Limit'.\n3. **API Request:**\ + \ For each valid IP, the action performs a GET request to the Team Cymru Scout\ + \ `/ip/{ip}/details` endpoint, specifically requesting the `open_ports` section.\n\ + 4. **Data Parsing:** The action processes the API response, extracting fields\ + \ such as Service, Port, Protocol, and First/Last Seen dates.\n5. **Output Generation:**\ + \ \n - A JSON result containing the raw data is added to the action output.\n\ + \ - An 'Open Ports' data table is rendered in the Google SecOps interface for\ + \ analyst review.\n - An 'Account Usage' table is generated to display remaining\ + \ API quotas.\n\n### Additional Notes\n- The action supports both IPv4 and IPv6\ + \ addresses.\n- If the `Days` parameter is used, it will override any values provided\ + \ in `Start Date` or `End Date`." capabilities: can_create_case_comments: false can_create_insight: false @@ -734,9 +882,10 @@ Get Ports Info: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Adds 'Open Ports' and 'Account Usage' data tables to the Google SecOps case. + The action populates the 'Open Ports' and 'Account Usage' data tables within + the Google SecOps action results. categories: - enrichment: false + enrichment: true entity_usage: entity_types: [] filters_by_additional_properties: false @@ -752,15 +901,41 @@ Get Ports Info: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Proto Info: ai_description: >- ### General Description - Retrieves detailed protocol information for a list of IP addresses from Team Cymru - Scout. This action is designed to provide visibility into the types of network - protocols associated with specific IPs, aiding in network traffic analysis and - security investigations. It allows users to query protocol data over a specific - time window or a relative number of days. + The **Get Proto Info** action retrieves detailed protocol-level communication + information for a specified list of IP addresses from the Team Cymru Scout platform. + It is primarily used for network forensics and threat hunting to understand the + types of protocols an IP has been observed using over a specific timeframe. The + action outputs the raw data in JSON format and provides a formatted data table + for analyst review. ### Parameters Description @@ -770,52 +945,45 @@ Get Proto Info: | :--- | :--- | :--- | :--- | | IP Addresses | String | Yes | A comma-separated list of IPv4 or IPv6 addresses - to be queried. | - - | Limit | String | Yes | The maximum number of valid IP addresses to process from - the input list. Default is 10. | - - | Start Date | String | No | The latest date for results in YYYY-MM-DD format - (UTC). Defaults to 29 days prior to today. | - - | End Date | String | No | The earliest date for results in YYYY-MM-DD format - (UTC). Defaults to today. | - - | Days | String | No | Relative offset in days from the current time. If provided, - this value takes precedence over Start Date and End Date. | - - | Size | String | No | The number of records to return per IP address (maximum - 1000). | + to fetch protocol information for. | + | Limit | String | Yes | The maximum number of valid IP addresses from the input + list to process in a single execution. Default is 10. | - ### Additional Notes + | Start Date | String | No | The start of the time range for the query, formatted + as YYYY-MM-DD (UTC). If omitted, it defaults to 29 days prior to the current date. + | - - The action performs validation on the provided IP addresses, filtering out invalid - formats and removing duplicates. + | End Date | String | No | The end of the time range for the query, formatted + as YYYY-MM-DD (UTC). If omitted, it defaults to the current date. | - - The time difference between the start and end dates must not exceed 30 days. + | Days | String | No | An integer representing a relative offset in days from + the current time. If provided, this value takes precedence over the Start and + End date parameters. | - - The action provides information on API usage, including remaining query counts, - via an 'Account Usage' table. + | Size | String | No | The number of records to retrieve per search. The maximum + allowed value is 1000. | ### Flow Description - 1. **Parameter Extraction**: The action retrieves the IP addresses, limit, and - date-related parameters from the user input. + 1. **Parameter Extraction:** The action extracts the list of IP addresses, processing + limits, and time-range filters (Dates or Days) from the user input. - 2. **Validation**: It validates the IP addresses and date ranges, ensuring they - meet the integration's requirements (e.g., date range < 30 days). + 2. **Validation:** It validates the format of the IP addresses and ensures the + date range is valid (e.g., start date is not after the end date and is within + the 90-day historical limit). - 3. **API Interaction**: For each valid IP address (up to the defined limit), the - action sends a GET request to the Team Cymru Scout API's protocol information - endpoint (`proto_by_ip`). + 3. **API Interaction:** For each valid IP address (up to the defined limit), the + action performs a GET request to the Team Cymru Scout API's `/ip/{ip}/details` + endpoint, specifically requesting the `proto_by_ip` section. - 4. **Data Processing**: The retrieved protocol data is processed and formatted - into a structured JSON response. + 4. **Data Processing:** The retrieved protocol data, which includes protocol types + and observation dates, is parsed and aggregated. - 5. **Reporting**: The action generates a 'Proto By IP' data table and an 'Account - Usage' table, which are attached to the Google SecOps case for review. + 5. **Output Generation:** The action populates the `JsonResult` with the raw API + response and generates two data tables: 'Proto By IP' (containing the protocol + details) and 'Account Usage' (showing remaining API quota). capabilities: can_create_case_comments: false can_create_insight: false @@ -827,7 +995,7 @@ Get Proto Info: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: entity_types: [] filters_by_additional_properties: false @@ -843,84 +1011,109 @@ Get Proto Info: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Whois Info: ai_description: >- - ### General Description + The 'Get Whois Info' action retrieves detailed Whois information for a provided + list of IP addresses from the Team Cymru Scout platform. This action is primarily + used for gathering administrative and network context, such as ASN, AS Name, BGP + information, and organizational details (Net Name, Org Name, contact emails) for + specific indicators. It supports both IPv4 and IPv6 addresses and allows for time-based + filtering of the results. - The **Get Whois Info** action retrieves detailed Whois information for a list - of provided IP addresses from the Team Cymru Scout platform. This action is designed - to provide security analysts with ownership and registration context, including - Autonomous System Numbers (ASN), AS names, BGP information, network names, and - organizational contact details (admin, tech, and abuse). + ### Flow Description - ### Parameters Description + 1. **Parameter Extraction:** The action extracts the comma-separated list of IP + addresses, processing limits, and optional time filters (Start Date, End Date, + Days, and Size) from the user input. - | Parameter | Type | Mandatory | Description | + 2. **Validation:** It validates the format of the IP addresses and ensures that + date parameters are correctly formatted (YYYY-MM-DD) and within allowed ranges + (e.g., start date not older than 90 days). - | :--- | :--- | :--- | :--- | + 3. **API Interaction:** For each valid IP address (up to the defined limit), the + action performs a GET request to the Team Cymru Scout API's IP details endpoint, + specifically requesting the 'whois' section. - | **IP Addresses** | String | Yes | A comma-separated list of IPv4 or IPv6 addresses - to fetch Whois information for. | + 4. **Data Processing:** The action parses the JSON response, extracting key Whois + fields like ASN, BGP ASN, and organizational contact information. - | **Limit** | String | Yes | The maximum number of valid IP addresses to process - from the input list (default is 10). | + 5. **Output Generation:** It generates a data table titled 'Whois' containing + the extracted details and another table for 'Account Usage' to track API consumption. + The full raw response is also attached as a JSON result. - | **Start Date** | String | No | The latest date for results (YYYY-MM-DD). If - not provided, defaults to 29 days prior to today. | - | **End Date** | String | No | The earliest date for results (YYYY-MM-DD). If - not provided, defaults to today's date. | + ### Parameters Description - | **Days** | String | No | Relative offset in days (integer) from current time. - If provided, this takes priority over Start Date and End Date. | + | Parameter | Type | Mandatory | Description | - | **Size** | String | No | The number of records to return in the search results - (maximum allowed is 1000). | + | :--- | :--- | :--- | :--- | + | IP Addresses | String | Yes | A comma-separated list of IPv4 or IPv6 addresses + to fetch Whois information for. | - ### Flow Description + | Limit | String | Yes | The maximum number of valid IP addresses to process in + a single execution (default is 10). | - 1. **Initialization**: The action extracts the provided IP addresses and configuration - parameters (Limit, Dates, Size). + | Start Date | String | No | The latest date for results in YYYY-MM-DD format + (UTC). Defaults to 29 days prior to today if not provided. | - 2. **Validation**: It validates the format of the IP addresses and ensures the - date parameters (Start Date, End Date, Days) are within acceptable ranges (e.g., - Start Date not older than 90 days and date range not exceeding 30 days). + | End Date | String | No | The earliest date for results in YYYY-MM-DD format + (UTC). Defaults to today's date if not provided. | - 3. **Data Retrieval**: For each valid IP address (up to the specified limit), - the action performs a GET request to the Team Cymru Scout API to fetch detailed - IP information. + | Days | String | No | Relative offset in days from the current time. If provided, + this takes priority over Start/End dates. | - 4. **Processing**: The action specifically extracts the "Whois" section from the - API response for each IP. + | Size | String | No | The number of records to return in the search results (maximum + 1000). | - 5. **Output Generation**: - * Adds the raw API response as a JSON result. - * Generates a data table named "Whois" containing ASN, Org Name, and contact - IDs. - * Generates a data table named "Account Usage" showing remaining API query - limits. ### Additional Notes - * If the number of valid IPs exceeds the **Limit**, the extra IPs are skipped - and a warning is logged. + - If the 'Days' parameter is provided, it will override any values provided in + 'Start Date' and 'End Date'. - * The **Days** parameter, if provided, overrides the **Start Date** and **End - Date** parameters. + - The action performs validation to skip duplicate or malformed IP addresses and + will report these in the output message. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: false + can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: null + internal_data_mutation_explanation: >- + The action adds data tables (Whois information and Account Usage) and JSON results + to the action output within Google SecOps. categories: - enrichment: true + enrichment: false entity_usage: entity_types: [] filters_by_additional_properties: false @@ -936,78 +1129,65 @@ Get Whois Info: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get X509 Info: - ai_description: >- - ### General Description - - Retrieves detailed X509 certificate information for specified IP addresses using - the Team Cymru Scout threat intelligence platform. This action allows analysts - to investigate SSL/TLS certificates associated with an IP, providing visibility - into certificate subjects, issuers, validity periods, and fingerprints. This data - is crucial for identifying malicious infrastructure, verifying host identities, - or detecting certificate-related anomalies during an investigation. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | IP Addresses | String | Yes | A comma-separated list of IPv4 or IPv6 addresses - to fetch certificate information for. | - - | Limit | String | Yes | The maximum number of valid IP addresses to process in - a single execution. Must be a positive integer. | - - | Start Date | String | No | The latest date for results in YYYY-MM-DD format - (UTC). If not provided, defaults to 29 days prior to today. | - - | End Date | String | No | The earliest date for results in YYYY-MM-DD format - (UTC). If not provided, defaults to today's date. | - - | Days | String | No | An integer representing a relative offset in days from - the current time in UTC. If provided, this parameter takes priority over Start - Date and End Date. | - - | Size | String | No | The number of records to return in the search results. - The maximum allowed size is 1000. | - - - ### Additional Notes - - - The action performs validation on all input IP addresses, filtering out duplicates - and invalid formats before processing. - - - If the number of valid IP addresses provided exceeds the specified 'Limit', - the additional IPs will be skipped. - - - The 'Days' parameter acts as a priority filter, overriding any values provided - in the 'Start Date' or 'End Date' parameters. - - - ### Flow Description - - 1. **Initialization**: The action initializes the Siemplify environment and retrieves - integration configuration parameters such as API keys or credentials. - - 2. **Parameter Extraction**: It extracts the target IP addresses and search filters - (dates, limit, size) from the action parameters. - - 3. **Validation**: The script validates the IP address formats and ensures that - date ranges and size limits are within the allowed thresholds defined by the Team - Cymru Scout API. - - 4. **API Request**: For each valid IP address (up to the defined limit), the action - sends a GET request to the Team Cymru Scout API endpoint, specifically requesting - the 'x509' data section. - - 5. **Data Parsing**: The received JSON response is parsed to extract certificate - details, including Subject, Issuer, Validity Period, and Fingerprints. - - 6. **Output Generation**: The action generates a 'Certificates' data table and - an 'Account Usage' table for the SOAR case wall. It also attaches the raw JSON - response to the action results for use in subsequent playbook steps. + ai_description: "### General Description\nThe **Get X509 Info** action retrieves\ + \ detailed X509 certificate information for a list of provided IP addresses from\ + \ the Team Cymru Scout platform. This action is designed to provide security analysts\ + \ with visibility into the SSL/TLS certificate history and metadata associated\ + \ with specific network indicators, aiding in infrastructure mapping and threat\ + \ intelligence gathering.\n\n### Parameters Description\n| Parameter | Type |\ + \ Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| **IP Addresses**\ + \ | String | Yes | A comma-separated list of IPv4 or IPv6 addresses to fetch certificate\ + \ information for. |\n| **Limit** | String | Yes | The maximum number of valid\ + \ IP addresses to process in a single execution. Default is 10. |\n| **Start Date**\ + \ | String | No | The latest date for results in UTC (YYYY-MM-DD). If omitted,\ + \ defaults to 29 days prior to the current date. |\n| **End Date** | String |\ + \ No | The earliest date for results in UTC (YYYY-MM-DD). If omitted, defaults\ + \ to the current date. |\n| **Days** | String | No | A relative offset in days\ + \ (integer) from the current time. If provided, this parameter takes priority\ + \ over Start Date and End Date. |\n| **Size** | String | No | The number of records\ + \ to return per search (Maximum allowed is 1000). |\n\n### Flow Description\n\ + 1. **Input Extraction**: The action extracts the target IP addresses and query\ + \ filters (Limit, Dates, Days, Size) from the user-provided parameters.\n2. **Validation**:\ + \ It validates the format of the IP addresses and ensures that the date ranges\ + \ or 'Days' values are within the supported limits (e.g., Start Date must be within\ + \ the last 90 days).\n3. **API Interaction**: For each valid IP address (up to\ + \ the specified limit), the action sends a GET request to the Team Cymru Scout\ + \ API to retrieve data from the 'x509' section.\n4. **Data Processing**: The action\ + \ parses the API response, extracting certificate details such as issuer, subject,\ + \ validity period, and fingerprints.\n5. **Output Generation**: \n * The\ + \ raw data is attached as a JSON result.\n * A data table named \"Certificates\"\ + \ is created to display the certificate details for each IP.\n * An \"Account\ + \ Usage\" table is generated to inform the user of their remaining API query quota.\n\ + \n### Additional Notes\n* If the `Days` parameter is used, it overrides the\ + \ `Start Date` and `End Date` parameters.\n* The action handles duplicate and\ + \ invalid IP addresses by filtering them out and reporting the count in the final\ + \ output message." capabilities: can_create_case_comments: false can_create_insight: false @@ -1019,7 +1199,7 @@ Get X509 Info: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1035,59 +1215,60 @@ Get X509 Info: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false List IP Summary: - ai_description: >- - ### General Description - - The **List IP Summary** action retrieves comprehensive summary information for - a user-provided list of IP addresses from the Team Cymru Scout platform. It is - designed to provide quick visibility into the reputation, geographic location, - and associated threat intelligence for multiple IPs simultaneously, without requiring - existing entities in the Google SecOps context. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **IP Addresses** | String | Yes | A comma-separated list of IP addresses to - be queried (e.g., "1.1.1.1, 8.8.8.8"). | - - | **Limit** | String | Yes | The maximum number of valid IP addresses to process - from the provided list. This helps manage API usage and performance. | - - - ### Flow Description - - 1. **Parameter Extraction:** The action retrieves the list of IP addresses and - the processing limit from the user input. - - 2. **Validation:** It validates the format of each IP address, identifies duplicates, - and filters out invalid entries. - - 3. **Batching:** The valid IP addresses are grouped into batches (up to 10 per - batch) to optimize API communication. - - 4. **API Interaction:** The action sends GET requests to the Team Cymru Scout - `/ip/foundation` endpoint for each batch. - - 5. **Data Aggregation:** Results from all batches are aggregated into a single - dataset. - - 6. **Output Generation:** The action populates the action results with a JSON - summary and creates multiple data tables, including "Summary Information for IPs", - "Insights", and "Account Usage". - - - ### Additional Notes - - - This action does not automatically process entities from the Google SecOps context; - it relies entirely on the manually provided "IP Addresses" parameter. - - - If the number of valid IPs exceeds the specified "Limit", the extra IPs are - skipped, and a warning is logged. + ai_description: "### General Description\nThe **List IP Summary** action retrieves\ + \ comprehensive summary information for a specified list of IP addresses from\ + \ the Team Cymru Scout platform. It is designed for bulk lookups, allowing analysts\ + \ to gather threat intelligence, geographic data, and autonomous system (AS) information\ + \ for multiple indicators in a single execution. The action includes built-in\ + \ validation to handle duplicate or malformed IP addresses and allows for a processing\ + \ limit to manage API quota usage.\n\n### Parameters Description\n| Parameter\ + \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| **IP Addresses**\ + \ | string | Yes | A comma-separated list of IP addresses (e.g., \"1.1.1.1, 8.8.8.8\"\ + ) to be queried for summary information. |\n| **Limit** | string | Yes | The maximum\ + \ number of valid IP addresses to process from the provided list. Defaults to\ + \ 10. Must be a positive integer. |\n\n### Flow Description\n1. **Input Parsing:**\ + \ The action extracts the comma-separated string of IP addresses and the processing\ + \ limit from the user input.\n2. **Validation:** It validates each IP address\ + \ format, identifies duplicates, and filters out invalid entries. If the number\ + \ of valid IPs exceeds the specified limit, the excess IPs are skipped.\n3. **API\ + \ Execution:** The action batches the valid IP addresses (up to 10 per batch)\ + \ and performs GET requests to the Team Cymru Scout `/ip/foundation` endpoint.\n\ + 4. **Data Aggregation:** It aggregates the responses from all batches, including\ + \ summary details, insights, and API usage statistics.\n5. **Output Generation:**\ + \ \n * Adds the raw summary data as a JSON result.\n * Generates a \"\ + Summary Information for IPs\" data table containing IP, Country Code, ASN, and\ + \ Insight Ratings.\n * Generates an \"Insights\" data table detailing specific\ + \ threat observations.\n * Generates an \"Account Usage\" table showing remaining\ + \ API query limits.\n\n### Additional Notes\n* This action does not run on existing\ + \ SecOps entities; it processes the IP addresses provided directly in the parameter\ + \ field.\n* If all provided IP addresses are invalid or if the API calls fail,\ + \ the action will report a failure state." capabilities: can_create_case_comments: false can_create_insight: false @@ -1115,28 +1296,53 @@ List IP Summary: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: - ai_description: "### General Description\nThe **Ping** action is a diagnostic utility\ - \ designed to verify the connectivity and authentication configuration between\ - \ Google SecOps and the Team Cymru Scout platform. Its primary purpose is to ensure\ - \ that the integration parameters (such as API keys or credentials) are correct\ - \ and that the Team Cymru Scout API is reachable.\n\n### Parameters Description\n\ - This action does not require any input parameters. It utilizes the global integration\ - \ configuration settings (Authentication Type, API Key, Username, Password, and\ - \ Verify SSL) to perform the connectivity test.\n\n### Flow Description\n1. **Initialization**:\ - \ The action initializes the Siemplify environment and retrieves the integration's\ - \ configuration parameters.\n2. **API Manager Setup**: An `ApiManager` instance\ - \ is created using the provided authentication details (either Token-based or\ - \ Basic Auth).\n3. **Connectivity Test**: The action calls the `api_usage` method,\ - \ which sends a GET request to the Team Cymru Scout `/usage` endpoint.\n4. **Result\ - \ Evaluation**: \n * If the API returns a successful response (HTTP 200), the\ - \ action concludes with a success message indicating a valid connection.\n \ - \ * If an exception occurs or the API returns an error (e.g., 401 Unauthorized),\ - \ the action captures the error details and reports a failure.\n5. **Finalization**:\ - \ The action ends by returning the execution status and a descriptive output message\ - \ to the SOAR interface.\n\n### Additional Notes\n* This action is strictly for\ - \ testing purposes and does not process any entities or modify data in either\ - \ Google SecOps or Team Cymru Scout." + ai_description: "### General Description\nThe **Ping** action is designed to verify\ + \ the connectivity and authentication configuration between Google SecOps and\ + \ the Team Cymru Scout platform. It serves as a diagnostic tool to ensure that\ + \ the provided credentials (either API Key or Username/Password) and network settings\ + \ (like SSL verification) are correct and that the Team Cymru Scout API is reachable.\n\ + \n### Parameters Description\nThis action does not require any input parameters.\n\ + \n### Flow Description\n1. **Configuration Retrieval**: The action fetches the\ + \ integration's global configuration parameters, including the authentication\ + \ type, credentials, and SSL verification settings.\n2. **API Initialization**:\ + \ An internal API manager is initialized using the retrieved settings to handle\ + \ communication with the Team Cymru Scout service.\n3. **Connectivity Test**:\ + \ The action performs a GET request to the `/usage` endpoint of the Team Cymru\ + \ Scout API. This endpoint is used to check the current API usage and effectively\ + \ validates the provided credentials.\n4. **Result Processing**: \n * If the\ + \ API call is successful (HTTP 200), the action completes with a success status\ + \ and a message confirming the connection.\n * If the API call fails (e.g.,\ + \ due to invalid credentials or network issues), the action logs the error and\ + \ completes with a failure status, providing the error details in the output message.\n\ + \n### Additional Notes\n* This action is typically used during the initial setup\ + \ of the integration or for troubleshooting connectivity issues.\n* It does not\ + \ process any entities or modify any data within Google SecOps or Team Cymru Scout." capabilities: can_create_case_comments: false can_create_insight: false @@ -1164,3 +1370,28 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/community/team_cymru_scout/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/team_cymru_scout/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..2e831240c --- /dev/null +++ b/content/response_integrations/third_party/community/team_cymru_scout/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + siem: false + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/telegram/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/telegram/resources/ai/actions_ai_description.yaml index 51cdb5996..d7c9afe08 100644 --- a/content/response_integrations/third_party/community/telegram/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/telegram/resources/ai/actions_ai_description.yaml @@ -1,37 +1,39 @@ Get Bot Details: ai_description: >- - ### General Description + Retrieves the configuration details and metadata of the Telegram bot associated + with the provided API token. This action is primarily used to verify the bot's + identity and status within the Telegram platform. - Retrieves the configuration details of the Telegram bot associated with the provided - API token. This action is used to verify the bot's identity and connectivity status - by fetching its metadata from the Telegram API. + ### Flow Description: - ### Parameters + 1. **Configuration Retrieval:** The action extracts the 'API Token' from the Telegram + integration's global configuration. - There are no action-specific parameters for this action. It relies on the 'API - Token' configured at the integration level. + 2. **Manager Initialization:** It initializes the Telegram Manager using the retrieved + token. + 3. **API Interaction:** The action calls the Telegram API's `/getMe` endpoint + to fetch the bot's details. - ### Flow Description + 4. **Result Processing:** The retrieved JSON data, containing information such + as the bot's ID, name, and username, is attached to the action's execution results. - 1. **Configuration Extraction**: The action retrieves the 'API Token' from the - Telegram integration settings. - 2. **API Interaction**: It utilizes the `TelegramManager` to call the Telegram - `getMe` endpoint. + ### Parameters Description: + + | Parameter Name | Type | Mandatory | Description | - 3. **Data Retrieval**: The action fetches bot-specific information, including - the bot's unique ID, name, and username. + | :--- | :--- | :--- | :--- | - 4. **Output**: The retrieved bot details are added to the action's JSON results - for visibility. + | None | N/A | N/A | This action does not require any action-specific parameters. + It relies on the global integration configuration for the API Token. | - ### Additional Notes + ### Additional Notes: - This action does not process entities and is primarily diagnostic or informational - in nature. + - This action is a diagnostic or utility task used to confirm that the bot is + correctly configured and reachable. capabilities: can_create_case_comments: false can_create_insight: false @@ -59,14 +61,41 @@ Get Bot Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Chat Details: ai_description: >- ### General Description - Retrieves detailed information about a specific Telegram chat (group, channel, - or private chat) using its unique ID or username. This action is primarily used - to gather metadata about a chat, such as its title, type, and invite link, which - can be useful for investigation or automated reporting. + The **Get Chat Details** action retrieves comprehensive metadata for a specific + Telegram chat using its unique identifier or username. This action is primarily + used to gather context about a communication channel, such as its title, type + (private, group, supergroup, or channel), and invite link. It is a utility action + that helps analysts verify the existence and properties of a chat involved in + an investigation. ### Parameters Description @@ -75,30 +104,35 @@ Get Chat Details: | :--- | :--- | :--- | :--- | - | Chat ID | String | Yes | The unique identifier or username of the target Telegram - chat (e.g., '123456' or '@my_channel'). | + | **Chat ID** | String | Yes | The unique identifier or username (e.g., '@username') + of the target Telegram chat. | ### Flow Description - 1. **Parameter Extraction**: The action retrieves the Telegram Bot API Token from - the integration configuration and the Chat ID from the action parameters. + 1. **Initialization:** The action retrieves the Telegram Bot API Token from the + integration's configuration settings. + + 2. **Parameter Extraction:** The `Chat ID` provided by the user is extracted. - 2. **API Interaction**: It initializes the Telegram Manager and calls the `/getChat` - endpoint of the Telegram Bot API using a GET request. + 3. **API Request:** The action utilizes the `TelegramManager` to call the Telegram + `getChat` API endpoint with the specified ID. - 3. **Data Processing**: Upon a successful response, the action extracts the chat's - invite link from the result payload. + 4. **Data Extraction:** Upon a successful response, the action extracts the chat's + invite link (if available). - 4. **Result Reporting**: The action adds the invite link as a clickable resource - in the SOAR interface and attaches the full JSON response containing all chat - details to the action result. + 5. **Output Generation:** The action adds the invite link to the SOAR result interface + and attaches the full JSON response containing all chat details for use in downstream + playbook logic. ### Additional Notes - This action does not run on entities; it requires a manual input of the Chat ID - parameter. + - This action does not operate on SecOps entities; it requires a manually provided + `Chat ID`. + + - The bot must be a member of the chat or have sufficient permissions to retrieve + its details. capabilities: can_create_case_comments: false can_create_insight: false @@ -110,7 +144,7 @@ Get Chat Details: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: true + enrichment: false entity_usage: entity_types: [] filters_by_additional_properties: false @@ -126,52 +160,81 @@ Get Chat Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Messages: ai_description: >- ### General Description - The **Get Messages** action retrieves updates and messages from the Telegram Bot - API. It allows a bot to pull incoming messages, channel posts, and other update - types from chats where the bot is a member. This action is essential for monitoring - chat activity or ingesting external communications into a workflow. + The **Get Messages** action retrieves updates and messages from a specific Telegram + chat where the bot is a member. It utilizes the Telegram Bot API's `getUpdates` + method to pull incoming data, allowing analysts to monitor chat activity, channel + posts, or poll results directly within Google SecOps. ### Parameters Description - | Parameter | Type | Mandatory | Description | + | Parameter | Description | Type | Mandatory | | :--- | :--- | :--- | :--- | - | **Last Message ID** | String | No | Corresponds to the `offset` parameter in - the Telegram API. It specifies the identifier of the first update to be returned. - Updates with an identifier smaller than this value will be ignored. | + | Last Message ID | The ID of the last message (offset) from which the action + will start pulling messages. This helps in controlling the starting point of the + data retrieval. | String | No | - | **Message Types** | Content (List) | No | A JSON list of update types to retrieve - (e.g., `["message", "channel_post", "poll_answer"]`). If left empty, all update - types are retrieved. | + | Message Types | A list of update types to retrieve (e.g., `['channel_post', + 'poll_answer']`). If left empty, all supported update types are returned. | Content + | No | ### Flow Description - 1. **Initialization**: The action initializes the Telegram Manager using the API - Token provided in the integration configuration. + 1. **Initialization**: The action extracts the Telegram API Token from the integration + configuration. - 2. **Parameter Extraction**: It extracts the `Last Message ID` and `Message Types` - from the action parameters. + 2. **Parameter Extraction**: It retrieves the `Last Message ID` (used as an offset) + and the `Message Types` (allowed updates) from the action input. + + 3. **API Interaction**: The action initializes the `TelegramManager` and calls + the `get_messages` method, which sends a GET request to the Telegram Bot API's + `/getUpdates` endpoint. - 3. **API Interaction**: The action calls the Telegram `/getUpdates` endpoint via - a GET request, passing the offset and allowed update types as parameters. + 4. **Data Processing**: The retrieved JSON response containing the messages is + captured. - 4. **Output**: The raw JSON response containing the list of updates/messages is - attached to the action results for use in the playbook. + 5. **Output**: The action attaches the raw message data to the action's JSON results + for further processing or inspection in the SOAR platform. ### Additional Notes - - The bot must be a member of the chat/channel to retrieve messages. + - The bot must be a member of the chat or channel to successfully retrieve messages. - - This action does not operate on specific SOAR entities (like IPs or Hostnames) - but rather fetches global updates for the bot. + - This action does not target specific entities but rather fetches global updates + for the configured bot. capabilities: can_create_case_comments: false can_create_insight: false @@ -199,51 +262,71 @@ Get Messages: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: ai_description: >- ### General Description The **Ping** action is a diagnostic utility designed to verify the connectivity between Google SecOps and the Telegram Bot API. Its primary purpose is to ensure - that the integration is correctly configured and that the provided Bot API Token - is valid and authorized to communicate with Telegram's servers. + that the integration is correctly configured and that the provided API Token is + valid and authorized to communicate with Telegram's servers. ### Parameters Description - | Parameter | Type | Mandatory | Description | + | Parameter Name | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **API Token** | String | Yes | This is a configuration-level parameter (not - an action parameter). It is the unique authentication token for the Telegram bot, - used to authorize requests to the Telegram API. | + | None | N/A | N/A | This action does not take any input parameters. It uses the + 'API Token' defined in the integration configuration. | - ### Additional Notes - - This action does not take any user-provided input parameters at runtime. It relies - solely on the credentials provided in the integration's configuration settings. - As a 'Ping' action, it does not interact with entities or modify any data within - the SOAR or external systems. + ### Flow Description + 1. **Configuration Extraction**: The action retrieves the 'API Token' from the + Telegram integration's shared configuration. - ### Flow Description + 2. **Connectivity Check**: It initializes the Telegram Manager and executes a + GET request to the `getMe` endpoint of the Telegram Bot API. - 1. **Configuration Retrieval**: The action extracts the `API Token` from the Telegram - integration settings. + 3. **Response Evaluation**: The action parses the API response to check the `ok` + status field. - 2. **Manager Initialization**: It initializes the `TelegramManager` with the retrieved - token. + 4. **Execution Outcome**: If the API returns a successful response, the action + completes with a success message. If the request fails or the token is invalid, + it reports a connection failure. - 3. **Connectivity Check**: The action calls the `test_connectivity` method, which - sends a GET request to the Telegram API's `getMe` endpoint. - 4. **Response Validation**: It checks the API response for a successful status - code and an 'ok' boolean in the JSON body. + ### Additional Notes - 5. **Status Reporting**: If the request is successful, it returns a 'Connected - successfully' message; otherwise, it reports a connection failure. + This is a standard health-check action and does not interact with or modify any + entities or alert data within the SOAR platform. capabilities: can_create_case_comments: false can_create_insight: false @@ -271,13 +354,39 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Send Document: ai_description: >- ### General Description - Sends a document to a specified Telegram chat using a provided URL. This action - allows a Telegram bot to share files (such as reports, logs, or evidence) directly - within a chat or group by providing a publicly accessible link to the file. + Sends a document to a specified Telegram chat or channel using a provided URL. + This action is useful for automated reporting or sharing files (such as logs, + evidence, or summaries) directly to a Telegram-based communication channel during + an incident response workflow. ### Parameters Description @@ -286,30 +395,37 @@ Send Document: | :--- | :--- | :--- | :--- | - | Document URL | string | Yes | The direct URL of the document to be sent to the - Telegram chat. | + | Document URL | string | Yes | The web URL of the document to be sent. Telegram + will download the file from this URL and send it to the chat. | - | Chat ID | string | Yes | The unique identifier or username of the target Telegram - chat where the document will be sent. | + | Chat ID | string | Yes | The unique identifier for the target chat, group, or + channel where the document should be sent. | - ### Flow Description + ### Additional Notes - 1. **Configuration Retrieval**: The action retrieves the Telegram Bot API Token - from the integration's global configuration. + - This action requires a valid Telegram Bot API Token to be configured in the + integration settings. - 2. **Parameter Extraction**: It extracts the target Chat ID and the Document URL - from the action's input parameters. + - The document is sent via the Telegram Bot API's `sendDocument` method. - 3. **API Interaction**: The action uses the Telegram Manager to call the `sendDocument` - endpoint of the Telegram Bot API, passing the Chat ID and the Document URL. - 4. **Result Processing**: The action captures the JSON response from Telegram, - which contains metadata about the sent message, and attaches it to the action's - results. + ### Flow Description + + 1. **Parameter Extraction**: The action retrieves the Telegram Bot API Token from + the integration configuration and the 'Chat ID' and 'Document URL' from the action + parameters. + + 2. **Manager Initialization**: It initializes the `TelegramManager` using the + provided API token. + + 3. **API Execution**: The action calls the `send_doc` method, which sends a request + to the Telegram API to deliver the document from the specified URL to the target + chat. - 5. **Completion**: The action concludes with a success message if the document - was sent or a failure message if an error occurred during the API call. + 4. **Result Handling**: If the API call is successful, the action returns a success + status and includes the JSON response from Telegram in the results. If it fails, + an error message is captured and the action is marked as failed. capabilities: can_create_case_comments: false can_create_insight: false @@ -318,8 +434,8 @@ Send Document: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Sends a document to a Telegram chat, which creates a new message and file entry - in the external Telegram platform. + Sends a document to a specified Telegram chat or channel, which modifies the + chat history/state in the external Telegram platform. fetches_data: false internal_data_mutation_explanation: null categories: @@ -339,14 +455,54 @@ Send Document: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Send Location: ai_description: >- - ### General Description + Sends a specific geographic location to a designated Telegram chat using a bot. + This action is primarily used for notification or coordination purposes, allowing + a SOAR playbook to share coordinates directly into a Telegram conversation. + + + ### Flow Description + + 1. **Parameter Extraction:** The action retrieves the Telegram Bot API Token from + the integration configuration and the Chat ID, Latitude, and Longitude from the + action parameters. - Sends a geographic location to a specific Telegram chat using a Telegram bot. - This action allows users to share coordinates (latitude and longitude) directly - into a chat, which is useful for operational coordination or reporting physical - locations associated with an incident. + 2. **Manager Initialization:** It initializes the `TelegramManager` with the provided + API token to facilitate communication with the Telegram Bot API. + + 3. **API Interaction:** The action calls the `sendLocation` method, which sends + a GET request to the Telegram API endpoint with the specified coordinates and + target chat identifier. + + 4. **Result Handling:** The response from Telegram (containing details of the + sent message) is captured and added to the action's JSON results. The action then + terminates with a success or failure message based on the API response. ### Parameters Description @@ -355,30 +511,23 @@ Send Location: | :--- | :--- | :--- | :--- | - | Chat ID | string | Yes | The unique identifier for the target chat or the username - of the target channel/private chat (e.g., '123456789'). | - - | Latitude | string | Yes | The latitude coordinate of the location to be sent - (e.g., '30.0123213'). | - - | Longitude | string | Yes | The longitude coordinate of the location to be sent - (e.g., '30.456468'). | + | Chat ID | String | Yes | The unique identifier or username for the target chat + (e.g., a user ID or a group chat ID). | + | Latitude | String | Yes | The latitude coordinate of the location to be sent + (e.g., 30.0123213). | - ### Flow Description + | Longitude | String | Yes | The longitude coordinate of the location to be sent + (e.g., 30.456468). | - 1. **Initialization**: The action retrieves the Telegram API Token from the integration - configuration and the Chat ID, Latitude, and Longitude from the action parameters. - 2. **API Interaction**: It uses the `TelegramManager` to call the Telegram Bot - API's `sendLocation` endpoint with the provided coordinates and chat identifier. + ### Additional Notes - 3. **Result Processing**: The action captures the response from Telegram, which - includes details of the sent message. + * This action does not process SecOps entities; it relies entirely on the provided + input parameters. - 4. **Completion**: The response is added to the action's JSON results, and the - action completes with a success message if the location was sent successfully, - or a failure message if an error occurred. + * The Telegram Bot must have the necessary permissions to send messages to the + specified Chat ID. capabilities: can_create_case_comments: false can_create_insight: false @@ -387,8 +536,8 @@ Send Location: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Sends a new location message to a Telegram chat, which modifies the chat history - in the external Telegram system. + Sends a location message to a Telegram chat, which creates a new message entry + in the external Telegram system's chat history. fetches_data: false internal_data_mutation_explanation: null categories: @@ -408,49 +557,75 @@ Send Location: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Send Message: ai_description: >- ### General Description - Sends a message to a specific Telegram chat using a configured bot. This action - allows for automated communication from Google SecOps to Telegram users, groups, - or channels, facilitating notifications or alerts. + The **Send Message** action allows a configured Telegram bot to send a text message + to a specific chat. This is primarily used for automated notifications, alerting + analysts, or communicating status updates to a Telegram group or individual user + directly from a Google SecOps playbook. ### Parameters Description - | Parameter | Type | Mandatory | Default Value | Description | + | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | :--- | + | :--- | :--- | :--- | :--- | - | Chat ID | String | Yes | 123456 | The unique identifier for the target chat - or username where the message will be sent. | + | **Chat ID** | String | Yes | The unique identifier for the Telegram chat (group, + channel, or private) where the message should be sent. | - | Message | String | Yes | (Empty) | The text content of the message to be delivered + | **Message** | String | Yes | The actual text content of the message to be delivered by the bot. | ### Flow Description - 1. **Configuration Retrieval**: The action extracts the Telegram Bot API Token - from the integration's configuration settings. + 1. **Initialization**: The action retrieves the bot's API Token from the integration + configuration and the target Chat ID and Message content from the action parameters. - 2. **Parameter Extraction**: It retrieves the target `Chat ID` and the `Message` - content from the action's input parameters. + 2. **API Connection**: It initializes the Telegram Manager and prepares a request + to the Telegram Bot API's `sendMessage` endpoint. - 3. **API Interaction**: The action initializes the `TelegramManager` and calls - the `telegram_bot_sendmessage` method, which sends a request to the Telegram Bot - API's `sendMessage` endpoint. + 3. **Execution**: The bot sends the message to the specified chat via an HTTP + request. - 4. **Result Processing**: The response from the Telegram API is captured and added - to the action's JSON results. The action then terminates with a success or failure - message based on the API response. + 4. **Result Handling**: The action captures the JSON response from Telegram (containing + message details) and reports a success or failure status back to the SOAR platform. ### Additional Notes - This action does not operate on entities and requires a valid Bot API Token to - be configured at the integration level. + - This action does not process or iterate over SecOps entities; it relies entirely + on the provided parameters. + + - Ensure the bot has the necessary permissions to post in the target chat ID. capabilities: can_create_case_comments: false can_create_insight: false @@ -459,8 +634,8 @@ Send Message: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Sends a message to a Telegram chat, which creates new message content within - the external Telegram platform. + Sends a message to a Telegram chat, which creates new data (a message) in the + external Telegram system. fetches_data: false internal_data_mutation_explanation: null categories: @@ -480,13 +655,38 @@ Send Message: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Send Photo: ai_description: >- ### General Description Sends a photo to a specific Telegram chat using a provided image URL. This action - allows a Telegram bot to share visual information (PNG, JPEG, JPG, etc.) with - a user, group, or channel based on a unique Chat ID. + allows automated bots to share visual information, such as screenshots, graphs, + or evidence, directly into a Telegram conversation or channel. ### Parameters Description @@ -495,32 +695,37 @@ Send Photo: | :--- | :--- | :--- | :--- | - | Photo URL | String | Yes | The HTTP URL of the photo to be sent. The URL should - point directly to an image file (e.g., ending in .png, .jpg). | + | Photo URL | string | Yes | The HTTP URL of the photo to be sent. The URL must + point to a valid image file and should end with a supported extension like .png, + .jpeg, or .jpg. | - | Chat ID | String | Yes | The unique identifier for the target Telegram chat - where the photo will be delivered. | + | Chat ID | string | Yes | The unique identifier for the target chat or the username + of the target channel (e.g., '123456' or '@my_channel'). | ### Additional Notes - This action requires a valid Telegram Bot API Token to be configured in the integration - settings. It does not process or filter Google SecOps entities; it operates solely - based on the provided parameters. + - The action requires a valid Telegram Bot API Token to be configured in the integration + settings. + + - The bot must have the necessary permissions to send messages/photos in the target + chat. ### Flow Description - 1. **Initialization**: Retrieves the Telegram API Token from the integration configuration. + 1. **Initialization**: The action retrieves the Telegram API Token from the integration + configuration. - 2. **Parameter Extraction**: Collects the target Chat ID and the Photo URL from - the action inputs. + 2. **Parameter Extraction**: It extracts the target 'Chat ID' and the 'Photo URL' + from the action inputs. - 3. **API Interaction**: Uses the Telegram Manager to call the `sendPhoto` endpoint - of the Telegram Bot API. + 3. **API Interaction**: The action uses the TelegramManager to call the Telegram + Bot API's `sendPhoto` endpoint, passing the chat identifier and the image link. - 4. **Result Processing**: Captures the API response, adds it to the action's JSON - results, and notifies the user of a successful or failed delivery. + 4. **Result Processing**: If the API call is successful, the response data is + attached to the action's JSON results. If it fails, an error message is returned + and the action status is set to failed. capabilities: can_create_case_comments: false can_create_insight: false @@ -529,8 +734,8 @@ Send Photo: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Sends a photo to a Telegram chat, which modifies the chat history and state - of the external Telegram platform. + Sends a photo to a Telegram chat, which creates a new message/content in the + external Telegram platform. fetches_data: false internal_data_mutation_explanation: null categories: @@ -550,14 +755,38 @@ Send Photo: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Send Poll: ai_description: >- ### General Description - This action sends a poll with pre-defined answer options to a specific Telegram - chat or channel using a Telegram bot. It is primarily used for interactive communication - or gathering feedback within a chat environment during incident response or operational - workflows. + Sends a poll with pre-defined answer options to a specific Telegram chat or channel + using a Telegram Bot. This action is useful for gathering feedback or making collaborative + decisions within a chat environment directly from a SOAR playbook. ### Parameters Description @@ -567,42 +796,42 @@ Send Poll: | :--- | :--- | :--- | :--- | | Chat ID | String | Yes | The unique identifier for the target chat or the username - of the target channel (e.g., @channelusername). | + of the target channel (e.g., @channelusername). Note: Non-anonymous polls cannot + be sent to channel chats. | | Question | String | Yes | The question text to be sent in the poll. | - | Options | Content | Yes | A JSON array of strings representing the answer options - (e.g., ["Yes", "No"]). | + | Options | Content (Array) | Yes | A JSON array of strings representing the answer + options (e.g., ["Yes", "No"]). Telegram typically requires between 2 and 10 options. + | | Is Anonymous | Boolean | No | Determines if the poll results will be anonymous. - Default is false. Note: Non-anonymous polls cannot be sent to channel chats. | + If set to false, users' identities will be visible to the bot and other users. + Default is false. | - ### Additional Notes + ### Flow Description - - The bot must be a member of the target chat or channel with appropriate permissions - to send messages and polls. + 1. **Configuration Retrieval**: The action retrieves the Telegram Bot API Token + from the integration settings. - - If 'Is Anonymous' is set to false, the action will fail if the target is a Telegram - Channel. + 2. **Parameter Extraction**: It extracts the target Chat ID, the question text, + the list of options, and the anonymity preference from the action parameters. + 3. **API Interaction**: The action calls the Telegram `sendPoll` API endpoint + via the `TelegramManager`. - ### Flow Description + 4. **Result Processing**: If successful, the action returns the metadata of the + sent poll (including the poll ID and message details) as a JSON result and completes + the execution. - 1. **Initialization**: The action retrieves the Telegram API Token from the integration - configuration and extracts the user-provided parameters (Chat ID, Question, Options, - and Anonymity status). - 2. **API Interaction**: It utilizes the `TelegramManager` to call the Telegram - Bot API's `sendPoll` endpoint. + ### Additional Notes - 3. **Execution**: The manager sends a GET request (standard for Telegram Bot API - methods) containing the poll details to the Telegram servers. + - Ensure the bot has the necessary permissions to post in the specified chat or + channel. - 4. **Result Handling**: If successful, the action captures the JSON response representing - the sent poll object, attaches it to the action results, and completes with a - success message. If the API returns an error, the action fails and reports the - error details. + - Non-anonymous polls are restricted from being sent to Telegram Channels. capabilities: can_create_case_comments: false can_create_insight: false @@ -611,9 +840,9 @@ Send Poll: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new poll message in the specified Telegram chat or channel, which - changes the state of the external chat history. - fetches_data: false + Creates and sends a new poll message to a Telegram chat or channel, which changes + the state of the external Telegram environment. + fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false @@ -632,65 +861,57 @@ Send Poll: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Set Default Chat Permissions: - ai_description: >- - ### General Description - - Sets the default chat permissions for all new members in a specific Telegram group - or supergroup. This action allows administrators to define what actions new members - are permitted to perform by default, such as sending messages, polls, or inviting - others. Note that the bot must be an administrator in the target group with 'can_restrict_members' - permissions for this action to succeed. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Chat ID | String | Yes | The unique identifier for the Telegram chat where permissions - will be updated. | - - | Can Send Messages | Boolean | No | If true, allows users to send text messages, - contacts, and locations. Default is true. | - - | Can Send Polls | Boolean | No | If true, allows users to send polls. Default - is true. | - - | Can Pin Messages | Boolean | No | If true, allows users to pin messages. Note: - This cannot be applied in supergroups. Default is true. | - - | Can Invite Users | Boolean | No | If true, allows users to invite new users - to the chat. Default is true. | - - | Can Edit Info | Boolean | No | If true, allows users to edit chat title, photo, - and other settings. Note: This cannot be applied in supergroups. Default is true. - | - - - ### Additional Notes - - - The bot must have administrative privileges in the group. - - - Certain permissions like 'Can Pin Messages' and 'Can Edit Info' are restricted - in supergroups when applied as default permissions. - - - ### Flow Description - - 1. **Initialization**: The action initializes the Telegram Manager using the provided - API Token from the integration configuration. - - 2. **Parameter Extraction**: It retrieves the target Chat ID and the specific - permission boolean flags from the action parameters. - - 3. **API Interaction**: The action calls the Telegram API's `setChatPermissions` - endpoint with the specified parameters. - - 4. **Result Processing**: If the API call is successful, it returns a success - message and the resulting JSON data. If it fails (e.g., insufficient bot permissions), - it returns a failure status and the error details. + ai_description: "Sets default chat permissions for all new members in a specified\ + \ Telegram group or supergroup. This action allows administrators to define the\ + \ baseline capabilities for new participants, such as their ability to send messages,\ + \ polls, invite others, or modify chat settings. \n\n### Parameters\n| Parameter\ + \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Chat ID\ + \ | string | Yes | The unique identifier or username of the target chat where\ + \ permissions will be applied. |\n| Can Send Messages | boolean | No | If true,\ + \ allows users to send text messages, contacts, and locations. Default is true.\ + \ |\n| Can Send Polls | boolean | No | If true, allows users to send polls. Default\ + \ is true. |\n| Can Invite Users | boolean | No | If true, allows users to invite\ + \ new members to the chat. Default is true. |\n| Can Pin Messages | boolean |\ + \ No | If true, allows users to pin messages. Note: This cannot be applied in\ + \ supergroups. Default is true. |\n| Can Edit Info | boolean | No | If true, allows\ + \ users to edit chat titles, photos, and other settings. Note: This cannot be\ + \ applied in supergroups. Default is true. |\n\n### Additional Notes\n- The Telegram\ + \ bot must be an administrator in the target group or supergroup.\n- The bot must\ + \ specifically have the `can_restrict_members` administrative permission for this\ + \ action to succeed.\n\n### Flow Description\n1. **Initialization**: The action\ + \ retrieves the Telegram API Token from the integration configuration and extracts\ + \ the Chat ID and permission flags from the action parameters.\n2. **API Interaction**:\ + \ The action uses the `TelegramManager` to call the Telegram `setChatPermissions`\ + \ endpoint with the provided configuration.\n3. **Result Processing**: The action\ + \ captures the API response, which indicates whether the permission update was\ + \ successful.\n4. **Finalization**: The action outputs a success or failure message\ + \ to the SOAR case wall and attaches the raw JSON response from Telegram for auditing." capabilities: can_create_case_comments: false can_create_insight: false @@ -699,8 +920,8 @@ Set Default Chat Permissions: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the default member permissions configuration for a specific Telegram - chat via the Telegram Bot API. + Updates the default permission configuration for a Telegram chat, which affects + the capabilities of all new members joining the group. fetches_data: false internal_data_mutation_explanation: null categories: @@ -720,76 +941,65 @@ Set Default Chat Permissions: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Set User Permissions: - ai_description: >- - ### General Description - - This action modifies user permissions within a Telegram supergroup or channel. - It allows administrators to promote or demote users by toggling specific rights - such as pinning messages, deleting content, or inviting new members. The bot must - have administrative privileges in the target chat to execute these changes. - - - ### Parameters Description - - | Parameter Name | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Chat ID | string | Yes | The unique identifier or username of the target chat. - | - - | User ID | string | Yes | The unique identifier of the user whose permissions - are being modified. | - - | Is Anonymous | boolean | No | If true, the user's presence in the chat is hidden. - | - - | Can Edit The Info | boolean | No | Allows the user to change the chat title, - photo, and other settings. | - - | Can Post Messages | boolean | No | Allows the user to post messages (relevant - for channels). | - - | Can Edit Messages | boolean | No | Allows the user to edit messages of other - users. | - - | Can Delete Messages | boolean | No | Allows the user to delete messages of other - users. | - - | Can Invite Users | boolean | No | Allows the user to invite new users to the - chat. | - - | Can Restrict Members | boolean | No | Allows the user to restrict, ban, or unban - chat members. | - - | Can Promote Members | boolean | No | Allows the user to add or revoke other - administrators. | - - | Can Pin Messages | boolean | No | Allows the user to pin messages (relevant - for supergroups). | - - - ### Additional Notes - - - The bot must be an administrator in the chat for this action to work. - - - This action uses the Telegram `promoteChatMember` API endpoint. - - - ### Flow Description - - 1. **Initialization**: Retrieves the Telegram API Token from the integration configuration. - - 2. **Parameter Extraction**: Collects the Chat ID, User ID, and all permission-related - boolean flags from the action input. - - 3. **API Execution**: Calls the Telegram Manager to execute the `set_user_permissions` - method, which sends a request to the Telegram API to update the user's status. - - 4. **Result Handling**: Captures the API response. If successful, it returns a - success message and the resulting JSON; otherwise, it reports a failure with the - error details. + ai_description: "### General Description\nUpdates or revokes specific administrative\ + \ permissions for a user within a Telegram supergroup or channel. This action\ + \ allows for granular control over user capabilities such as pinning messages,\ + \ deleting content, or inviting new members. For this action to succeed, the configured\ + \ Telegram bot must already be an administrator in the target chat with the necessary\ + \ rights to promote or demote other members.\n\n### Parameters Description\n|\ + \ Parameter Name | Description | Type | Mandatory | \n| :--- | :--- | :--- | :---\ + \ |\n| Chat ID | The unique identifier or username of the target Telegram chat.\ + \ | String | Yes |\n| User ID | The unique identifier of the user whose permissions\ + \ are being modified. | String | Yes |\n| Is Anonymous | If set to true, the user's\ + \ presence in the chat is hidden. | Boolean | No |\n| Can Edit The Info | Allows\ + \ the user to change the chat title, photo, and other settings. | Boolean | No\ + \ |\n| Can Post Messages | Allows the user to post messages (relevant for channels).\ + \ | Boolean | No |\n| Can Edit Messages | Allows the user to edit messages sent\ + \ by others (relevant for channels). | Boolean | No |\n| Can Delete Messages |\ + \ Allows the user to delete messages sent by others. | Boolean | No |\n| Can Invite\ + \ Users | Allows the user to invite new users to the chat. | Boolean | No |\n\ + | Can Restrict Members | Allows the user to restrict, ban, or unban chat members.\ + \ | Boolean | No |\n| Can Promote Members | Allows the user to add or revoke permissions\ + \ for other administrators. | Boolean | No |\n| Can Pin Messages | Allows the\ + \ user to pin messages (relevant for supergroups). | Boolean | No |\n\n### Additional\ + \ Notes\nThis action uses the Telegram `promoteChatMember` API endpoint. While\ + \ the manager uses a GET request, the operation results in a state change on the\ + \ Telegram platform. If a permission parameter is not provided, it defaults to\ + \ the value specified in the integration settings (usually 'true' in the provided\ + \ YAML).\n\n### Flow Description\n1. **Initialization**: Retrieves the Telegram\ + \ API Token from the integration configuration.\n2. **Parameter Extraction**:\ + \ Collects the mandatory Chat ID and User ID, along with all optional permission\ + \ boolean flags from the action input.\n3. **API Execution**: Calls the `set_user_permissions`\ + \ method in the Telegram Manager, which sends a request to the `promoteChatMember`\ + \ endpoint with the specified permission set.\n4. **Result Processing**: Captures\ + \ the API response. If successful, it returns a confirmation message and the raw\ + \ JSON result; otherwise, it reports a failure with the error details." capabilities: can_create_case_comments: false can_create_insight: false @@ -798,8 +1008,8 @@ Set User Permissions: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates user permissions and administrative rights within a Telegram chat via - the promoteChatMember API. + Modifies user permissions and administrative rights within a Telegram chat or + channel via the promoteChatMember API. fetches_data: false internal_data_mutation_explanation: null categories: @@ -819,40 +1029,101 @@ Set User Permissions: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: true + update_ticket: false Wait for poll results: - ai_description: "### General Description\nThe **Wait for poll results** action is\ - \ an asynchronous task designed to monitor a specific Telegram poll and retrieve\ - \ its results. It is primarily used to automate workflows that require user feedback\ - \ or voting via Telegram. The action periodically checks the status of a poll\ - \ until a specific vote threshold is reached or a predefined timeout occurs.\n\ - \n### Parameters Description\n| Parameter | Type | Mandatory | Description |\n\ - | :--- | :--- | :--- | :--- |\n| **Poll ID** | String | Yes | The unique identifier\ - \ of the Telegram poll to monitor. |\n| **Answer Votes Threshold** | String |\ - \ Yes | The number of votes for any single option that will trigger the action\ - \ to complete successfully. |\n| **Waiting Timeframe** | String | Yes | The maximum\ - \ duration (in minutes) the action should wait for the threshold to be met before\ - \ finishing. |\n| **Scan back Limit** | String | Yes | The maximum number of poll\ - \ updates to retrieve and scan from the Telegram bot's history. |\n\n### Flow\ - \ Description\n1. **Initialization**: The action retrieves the Telegram API token\ - \ from the integration configuration and extracts the user-provided parameters\ - \ (Poll ID, Threshold, Timeframe, and Limit).\n2. **State Recovery**: Since the\ - \ action is asynchronous, it checks if it is the first run. If not, it restores\ - \ the execution state (start time and last processed update ID) from the `additional_data`\ - \ parameter.\n3. **Data Fetching**: It interacts with the Telegram API's `getUpdates`\ - \ method to fetch recent poll-related activity.\n4. **Filtering**: The action\ - \ filters the incoming updates to find the specific poll matching the provided\ - \ **Poll ID**.\n5. **Evaluation**: \n - **Threshold Check**: It checks if any\ - \ option in the poll has reached the **Answer Votes Threshold**.\n - **Timeout\ - \ Check**: It calculates the elapsed time since the action started and compares\ - \ it against the **Waiting Timeframe**.\n6. **Outcome**: \n - If the threshold\ - \ is met, the action completes with a success status.\n - If the timeframe\ - \ expires, the action completes, returning whatever results were found.\n -\ - \ If neither condition is met, the action saves its current state and remains\ - \ in an 'In Progress' state for the next polling cycle.\n\n### Additional Notes\n\ - - This action does not operate on Google SecOps entities (e.g., IPs, Hostnames)\ - \ and instead relies entirely on the provided **Poll ID**.\n- It is an asynchronous\ - \ action, meaning it will yield execution back to the SOAR platform between polling\ - \ intervals." + ai_description: >- + ### General Description + + This action monitors a specific Telegram poll and retrieves its results once certain + conditions are met. It is an asynchronous action that periodically checks for + updates from the Telegram bot until either a specified vote threshold is reached + for any poll option or a maximum waiting timeframe expires. This is primarily + used in automated workflows to pause execution until a user or group provides + feedback via a Telegram poll. + + + ### Parameters Description + + | Parameter | Description | Type | Mandatory | + + | :--- | :--- | :--- | :--- | + + | **Poll ID** | The unique identifier of the Telegram poll to monitor for answers. + | String | Yes | + + | **Answer Votes Threshold** | The number of votes required for any single poll + option to satisfy the condition and stop the waiting process. | String | Yes | + + | **Waiting Timeframe** | The maximum duration (in minutes) the action will wait + for the threshold to be met. If this time passes, the action completes with the + current results. | String | Yes | + + | **Scan back Limit** | The maximum number of recent Telegram updates to retrieve + and scan when searching for the poll's status. | String | Yes | + + + ### Additional Notes + + - This action is **asynchronous**. If the threshold is not met and the timeframe + has not expired, the action will enter an 'In Progress' state and resume in the + next execution cycle. + + - The action uses the `getUpdates` Telegram API method, specifically filtering + for 'poll' update types. + + + ### Flow Description + + 1. **Initialization**: The action retrieves the Telegram API Token from the integration + configuration and extracts the Poll ID, Vote Threshold, Timeframe, and Scan Limit + from the action parameters. + + 2. **State Recovery**: If this is a subsequent run (async), it recovers the start + time and the last processed update ID from the previous execution's state. + + 3. **Data Retrieval**: It calls the Telegram API to fetch recent updates based + on the **Scan back Limit** and the last known update offset. + + 4. **Filtering**: The action filters the retrieved updates to find those matching + the specified **Poll ID**. + + 5. **Threshold Evaluation**: It checks the current vote counts for all options + in the identified poll. If any option's `voter_count` is greater than or equal + to the **Answer Votes Threshold**, the action marks itself as completed. + + 6. **Timeframe Check**: If the threshold is not met, it calculates the elapsed + time. If the elapsed time exceeds the **Waiting Timeframe**, the action completes. + + 7. **Asynchronous Wait**: If neither the threshold nor the timeframe has been + reached, the action saves its current state (start time, timeframe, and last update + ID) and sets its status to 'In Progress' to be re-executed later. + + 8. **Result Reporting**: Upon completion or during the wait, the action provides + the current poll answers and raw update data in the JSON results. capabilities: can_create_case_comments: false can_create_insight: false @@ -880,3 +1151,28 @@ Wait for poll results: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/community/telegram/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/telegram/resources/ai/connectors_ai_description.yaml new file mode 100644 index 000000000..8de9f4020 --- /dev/null +++ b/content/response_integrations/third_party/community/telegram/resources/ai/connectors_ai_description.yaml @@ -0,0 +1,30 @@ +Telegram Connector: + ai_description: "### General Description\nThe Telegram Connector allows Google SecOps\ + \ to ingest messages from Telegram channels, supergroups, and private chats where\ + \ a configured bot is a member. It enables security teams to monitor communication\ + \ platforms for potential threats, data leaks, or automated alerts. \n\n**Note:**\ + \ For the connector to function, the bot must be an administrator in channels\ + \ or have message access enabled in groups. Additionally, this connector uses\ + \ polling and cannot operate if an active Webhook is configured for the same bot\ + \ token.\n\n### Parameters Description\n| Parameter | Type | Mandatory | Description\ + \ |\n| :--- | :--- | :--- | :--- |\n| API Token | Password | Yes | The unique\ + \ API token provided by Telegram's BotFather for authentication. |\n| DeviceProductField\ + \ | String | Yes | The field name used to determine the device product in the\ + \ SOAR platform (Default: device_product). |\n| EventClassId | String | Yes |\ + \ The field name used to determine the event name or sub-type (Default: event_name).\ + \ |\n| PythonProcessTimeout | String | Yes | The maximum time in seconds allowed\ + \ for the connector script to execute (Default: 30). |\n\n### Flow Description\n\ + 1. **Authentication**: The connector initializes a connection to the Telegram\ + \ Bot API using the provided API Token.\n2. **State Tracking**: It retrieves the\ + \ `update_id` of the last processed message from the internal storage to ensure\ + \ only new data is ingested.\n3. **Data Fetching**: The connector polls the Telegram\ + \ `getUpdates` endpoint, starting from the next available `update_id`.\n4. **Message\ + \ Processing**: \n * It identifies whether the update is a standard message\ + \ (private/group) or a channel post.\n * The message payload is flattened into\ + \ a structured format.\n * Timestamps and product metadata are assigned to\ + \ the event.\n5. **Alert Creation**: Each message is encapsulated into a SOAR\ + \ Alert with a default priority of Medium (60).\n6. **Checkpointing**: After successful\ + \ processing, the connector saves the latest `update_id` back to the internal\ + \ storage to prevent duplicate ingestion in the next cycle.\n7. **Ingestion**:\ + \ The generated alerts are returned to Google SecOps for case creation and further\ + \ investigation." diff --git a/content/response_integrations/third_party/community/telegram/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/telegram/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..4b35c0d73 --- /dev/null +++ b/content/response_integrations/third_party/community/telegram/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: true + edr: false + email_security: false + iam_and_identity_management: true + itsm: false + network_security: false + siem: true + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/vanilla_forums/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/vanilla_forums/resources/ai/actions_ai_description.yaml index ddf308908..c210e2865 100644 --- a/content/response_integrations/third_party/community/vanilla_forums/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/vanilla_forums/resources/ai/actions_ai_description.yaml @@ -1,72 +1,60 @@ Add User: ai_description: >- - ### General Description - - This action adds a new user to Vanilla Forums with comprehensive details including - name, email, role, and password. It includes logic to handle username conflicts - by optionally using alternative separators between the first and last names. + Adds a new user to Vanilla Forums with comprehensive profile details including + name, email, role, and password. The action includes logic to handle username + collisions by attempting to use alternative separators (e.g., underscores or hyphens) + if the primary name is already taken and duplicity is allowed. It validates password + complexity requirements before attempting creation. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | First Name | String | Yes | The first name of the new user. | - - | Last Name | String | Yes | The last name of the new user. | - - | Email | String | Yes | The email address for the new user account. | + | First Name | string | True | The first name of the new user. | - | Role ID | String | Yes | The specific ID of the role to be assigned to the user - in Vanilla Forums. | + | Last Name | string | True | The last name of the new user. | - | Password | Password | Yes | The account password. Must be at least 6 characters - long and contain both letters and digits. | + | Email | string | True | The email address for the new account. | - | Override Name Duplicity | Boolean | No | If set to 'True', the action will attempt - to create the user even if the name exists by using alternative separators. Default - is 'False'. | + | Password | password | True | The account password. Must be at least 6 characters + and contain both letters and digits. | - | Additional Identifiers | String | No | A comma-separated list of characters - (e.g., '_,~,-') used to replace the space in the username if the primary name - is already taken. | + | Role ID | string | True | The numeric ID of the role to assign to the user (e.g., + '8'). | - | Email Confirmed | Boolean | No | If 'True', the user's email will be marked - as confirmed upon creation. Default is 'True'. | + | Override Name Duplicity | boolean | False | If 'True', allows creating a user + even if the username exists (provided the email is different). | - | Photo URL | String | No | The URL for the user's profile picture. | + | Additional Identifiers | string | False | A comma-separated list of characters + (e.g., '_,~,-') to use as separators between first and last names if the default + space is taken. | + | Email Confirmed | boolean | False | Whether the user's email address is pre-confirmed. + Default is 'true'. | - ### Additional Notes - - - The action performs a validation check on the password complexity before attempting - to communicate with the API. - - - If `Override Name Duplicity` is enabled but all provided `Additional Identifiers` - result in existing usernames, the action will fail. + | Photo URL | string | False | URL for the user's profile picture. | ### Flow Description - 1. **Validation**: The action first validates that the provided password meets - the complexity requirements (minimum 6 characters, includes letters, and includes - digits). + 1. **Validation:** Validates that the provided password meets the complexity requirements + (minimum 6 characters, contains letters and digits). - 2. **Conflict Check**: It searches Vanilla Forums for an existing user with the - name 'First Name Last Name'. + 2. **Availability Check:** Searches Vanilla Forums for the proposed username (First + Name + Space + Last Name). - 3. **Username Resolution**: If a conflict is found and `Override Name Duplicity` - is enabled, the action iterates through the `Additional Identifiers` list to find - a unique username combination (e.g., 'First_Last'). + 3. **Collision Handling:** If the name exists and 'Override Name Duplicity' is + enabled, the action iterates through the 'Additional Identifiers' to find an available + username variant (e.g., First_Last). - 4. **User Creation**: Once a unique username is determined (or if no conflict - exists), the action sends a POST request to the Vanilla Forums API to create the - user account with the specified parameters. + 4. **User Creation:** Sends a POST request to the Vanilla Forums API to create + the user account with the specified attributes. - 5. **Result Handling**: The action returns the user details in a JSON format and - provides a success message upon completion. + 5. **Result Reporting:** Returns the created user's details, including the assigned + email and password, as a JSON result. capabilities: can_create_case_comments: false can_create_insight: false @@ -75,7 +63,8 @@ Add User: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new user account in the Vanilla Forums platform via a POST request. + Creates a new user account in the Vanilla Forums platform via a POST request + to the /v2/users endpoint. fetches_data: true internal_data_mutation_explanation: null categories: @@ -95,50 +84,73 @@ Add User: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: true + update_ticket: false Generate Password: ai_description: >- ### General Description - Generates a random password that complies with Vanilla Forums' complexity requirements. - This utility action is typically used in workflows involving user creation or - password resets to ensure the generated credentials meet the platform's minimum - security standards (at least one uppercase letter, one lowercase letter, and digits). + Generates a random password that complies with Vanilla Forums' password requirements. + The generated password consists of at least one uppercase letter, one lowercase + letter, and the remainder as digits, ensuring a minimum complexity level for user + accounts. ### Parameters Description - | Parameter | Description | Type | Mandatory | Notes | + | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | :--- | + | :--- | :--- | :--- | :--- | - | Length | The total number of characters for the generated password. | String - | No | Must be an integer of at least 6. Defaults to 6 if not provided. | + | Length | String | No | The desired length of the generated password. Must be + an integer of at least 6. Defaults to 6 if not specified. | ### Additional Notes - - The action performs local string generation and does not communicate with the - Vanilla Forums API to generate the password. + - The action performs local string generation logic and does not communicate with + the Vanilla Forums API to generate the password. - - If a length less than 6 is provided, the action will fail with an explicit error - message. + - If a length less than 6 is provided, the action will fail with an error message. ### Flow Description - 1. **Parameter Extraction**: Retrieves the 'Length' parameter from the action - input and converts it to an integer. + 1. **Parameter Extraction**: The action retrieves the `Length` parameter from + the input and converts it to an integer. - 2. **Validation**: Checks if the requested length is at least 6 characters. If - not, the execution fails. + 2. **Validation**: It checks if the length is at least 6 characters. If not, it + raises an exception. - 3. **Password Generation**: Uses the `VanillaManager` to construct a string consisting - of: - - One random uppercase letter. - - One random lowercase letter. - - Random digits for the remaining length (Length - 2). - 4. **Result Output**: Returns the generated password string as the action's result - value and provides a success message. + 3. **Password Generation**: The `VanillaManager` generates a password string by: + - Selecting one random uppercase letter. + - Selecting one random lowercase letter. + - Selecting random digits for the remaining length (Length - 2). + 4. **Completion**: The generated password is returned as the action's result value + and the execution state is set to completed. capabilities: can_create_case_comments: false can_create_insight: false @@ -166,22 +178,53 @@ Generate Password: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get User Details: - ai_description: >- - ### General Description: Fetches comprehensive details for a specific user from - VanillaForums using their unique User ID. This action is primarily used to retrieve - profile information, roles, and account status for administrative or investigative - purposes. ### Parameters Description: | Parameter | Type | Mandatory | Description - | | :--- | :--- | :--- | :--- | | User ID | String | Yes | The unique identifier - of the user whose details are to be retrieved. Default is 0. | ### Flow Description: - 1. **Parameter Extraction**: Retrieves the User ID from the action input parameters. - 2. **Manager Initialization**: Establishes a connection to the VanillaForums API - using the configured API Token and Base URL. 3. **Data Retrieval**: Executes a - GET request to the /v2/users/{user_id} endpoint to fetch the user's profile data. - 4. **Result Processing**: Captures the JSON response containing user details and - attaches it to the action results for use in subsequent playbook steps. ### Additional - Notes: This action does not automatically process entities from the SecOps case; - it requires the User ID to be provided manually or mapped from a previous step. + ai_description: "### General Description\nThe **Get User Details** action retrieves\ + \ comprehensive information about a specific user from Vanilla Forums using their\ + \ unique User ID. This action is designed to fetch metadata such as the user's\ + \ name, email, roles, rank, and profile information, providing administrative\ + \ context for investigations or auditing purposes.\n\n### Parameters Description\n\ + | Parameter | Description | Type | Mandatory | Notes |\n| :--- | :--- | :--- |\ + \ :--- | :--- |\n| **User ID** | The unique identifier of the user whose details\ + \ are to be retrieved. | String | Yes | Default value is \"0\". |\n\n### Flow\ + \ Description\n1. **Initialization**: The action initializes the connection to\ + \ Vanilla Forums using the API Token and Base URL from the integration configuration.\n\ + 2. **Parameter Extraction**: The `User ID` is extracted from the action parameters\ + \ and trimmed of whitespace.\n3. **API Request**: The action calls the `get_user_details`\ + \ method in the `VanillaManager`, which executes a GET request to the `/v2/users/{user_id}`\ + \ endpoint.\n4. **Response Handling**: \n - If successful, the user's JSON\ + \ data is captured.\n - If the user is not found or the request fails, an error\ + \ is logged and the action status is set to failed.\n5. **Output**: The retrieved\ + \ JSON data is added to the action's results, and the action completes with a\ + \ descriptive message.\n\n### Additional Notes\n- This action does not interact\ + \ with Google SecOps entities (e.g., it does not iterate over `target_entities`).\ + \ It operates strictly based on the provided `User ID` parameter.\n- There are\ + \ no parameters that are conditionally mandatory; only the `User ID` is required." capabilities: can_create_case_comments: false can_create_insight: false @@ -209,14 +252,39 @@ Get User Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get a Leaderboard Analytics: ai_description: >- ### General Description The **Get a Leaderboard Analytics** action retrieves statistical data for specified - leaderboards from a Vanilla Forums instance. It allows users to fetch engagement - metrics, such as top posters or discussion starters, within a defined date range. - This action is primarily used for reporting and monitoring community activity. + leaderboards from a Vanilla Forums instance. It allows analysts to gather engagement + metrics (such as top posters or discussion starters) within a specific timeframe + to understand community activity or identify influential users. ### Parameters Description @@ -225,43 +293,43 @@ Get a Leaderboard Analytics: | :--- | :--- | :--- | :--- | - | **Leaderboards** | String | Yes | A comma-separated list of leaderboard identifiers + | **Leaderboards** | String | Yes | A comma-separated list of leaderboard names to query (e.g., `top-posters, top-discussion-starters`). | - | **From** | String | Yes | The start date for the analytics report in `yyyy-mm-dd` + | **From** | String | Yes | The start date for the analytics report in `YYYY-MM-DD` format. | - | **To** | String | Yes | The end date for the analytics report in `yyyy-mm-dd` + | **To** | String | Yes | The end date for the analytics report in `YYYY-MM-DD` format. | - | **Amount Limit** | String | Yes | The maximum number of rows (positions) to - return for each requested leaderboard. | + | **Amount Limit** | String | Yes | The maximum number of records to return for + each requested leaderboard. | ### Flow Description - 1. **Initialization**: The action initializes the Siemplify context and retrieves - the API Token and Base URL from the integration configuration. + 1. **Parameter Extraction:** The action retrieves the list of leaderboards, the + date range (From/To), and the result limit from the user input. - 2. **Parameter Extraction**: It extracts the user-provided date range, row limit, - and the list of leaderboards to be queried. + 2. **Input Processing:** The `Leaderboards` string is split into a list of individual + board identifiers. - 3. **Data Retrieval**: The action iterates through the list of leaderboards. For - each board, it calls the Vanilla Forums API via a GET request to the `/analytics/leaderboard` - endpoint, passing the specified time frame and limit. + 3. **Data Retrieval:** For each leaderboard in the list, the action calls the + Vanilla Forums API (`/v2/analytics/leaderboard`) to fetch the corresponding analytics + data. - 4. **Result Processing**: The retrieved analytics data for each leaderboard is - aggregated into a JSON structure. + 4. **Result Aggregation:** The retrieved data for all boards is compiled into + a single JSON structure. - 5. **Completion**: The action returns the aggregated JSON data and provides a - summary message indicating which leaderboards were successfully fetched. + 5. **Output:** The action provides the aggregated JSON results and a status message + indicating success or failure for each board. ### Additional Notes - - This action does not interact with or process entities (such as IPs, Hosts, - or Users) found within a Google SecOps case. It operates purely on the provided - string parameters to fetch global forum data. + - Ensure the date format strictly follows `YYYY-MM-DD` to avoid API errors. + + - The `Amount Limit` should be provided as a string representing a numeric value. capabilities: can_create_case_comments: false can_create_insight: false @@ -273,7 +341,7 @@ Get a Leaderboard Analytics: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: entity_types: [] filters_by_additional_properties: false @@ -289,42 +357,50 @@ Get a Leaderboard Analytics: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: - ai_description: >- - ### General Description - - The **Ping** action is designed to verify the connectivity between Google SecOps - and the VanillaForums platform. It serves as a diagnostic tool to ensure that - the integration configuration, including the API Token and Base URL, is valid - and that the external service is reachable. - - - ### Parameters Description - - There are no parameters for this action. - - - ### Additional Notes - - This action is primarily used for health checks and troubleshooting integration - setup. It does not interact with any entities or modify any data. - - - ### Flow Description - - 1. **Configuration Retrieval**: The action retrieves the integration's global - configuration, specifically the **API Token** and **URL**. - - 2. **Manager Initialization**: It initializes the `VanillaManager` with the provided - credentials. - - 3. **Connectivity Check**: The action calls the `test_connectivity` method, which - performs a `GET` request to the `/v2/categories` endpoint of the VanillaForums - API with minimal depth and limit to minimize resource usage. - - 4. **Final Status**: If the API call is successful, the action returns a success - message. If an exception occurs (e.g., 401 Unauthorized or 404 Not Found), it - captures the error and reports a connection failure. + ai_description: "### General Description\nThe **Ping** action is a diagnostic tool\ + \ designed to verify the connectivity between Google SecOps and the VanillaForums\ + \ platform. It ensures that the provided API Token and Base URL are correct and\ + \ that the network path to the VanillaForums API is open. This action is typically\ + \ used during the initial setup of the integration or for troubleshooting communication\ + \ issues.\n\n### Parameters Description\nThere are no parameters for this action.\n\ + \n### Flow Description\n1. **Configuration Retrieval:** The action starts by fetching\ + \ the integration's configuration, specifically the 'API Token' and 'URL'.\n2.\ + \ **Manager Initialization:** It initializes the `VanillaManager` using the retrieved\ + \ credentials.\n3. **Connectivity Test:** The action calls the `test_connectivity`\ + \ method, which sends a GET request to the `/v2/categories` endpoint of the VanillaForums\ + \ API with a limit of 1 item to minimize data transfer.\n4. **Result Handling:**\ + \ \n * If the API responds with a success status code, the action concludes\ + \ with a success message indicating a successful connection.\n * If an exception\ + \ occurs (e.g., authentication failure, timeout, or invalid URL), the error is\ + \ caught, and a failure message containing the error details is returned.\n\n\ + ### Additional Notes\nThis action does not interact with any entities in the SecOps\ + \ environment and does not modify any data within VanillaForums or Google SecOps." capabilities: can_create_case_comments: false can_create_insight: false @@ -352,50 +428,85 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Search User By Email and Name: ai_description: >- ### General Description This action searches for a user within the Vanilla Forums platform using both an email address and a username. It is designed to verify the existence of a user - account and retrieve associated details. The action performs two separate lookups - and returns a consolidated result indicating whether each identifier was found. + account and retrieve associated details if the email search is successful. The + action returns boolean indicators for the existence of the email and username + independently, providing a clear picture of whether the provided identifiers are + registered in the system. ### Parameters Description - | Parameter Name | Type | Mandatory | Description | + | Parameter Name | Type | Mandatory | Description | Expected Value | - | :--- | :--- | :--- | :--- | + | :--- | :--- | :--- | :--- | :--- | - | User Email | string | Yes | The email address of the user to search for. The - search is case-insensitive. | + | User Email | string | Yes | The email address of the user to search for. | A + valid email string (e.g., `user@example.com`). | | User Name | string | Yes | The full name or username of the user to search for. - | + | A string representing the user's display name or username. | - ### Flow Description + ### Additional Notes - 1. **Parameter Extraction**: The action retrieves the `User Email` and `User Name` - from the input parameters, performing basic sanitization (stripping whitespace - and converting email to lowercase). + - The action performs two separate lookups: one by email and one by username. - 2. **Manager Initialization**: It initializes the `VanillaManager` using the integration's - API Token and Base URL. + - If the email is found, the full user details (as returned by the Vanilla Forums + API) are included in the `UserDetails` field of the result JSON. - 3. **Email Search**: The action calls the `search_user_by_email` method, which - paginates through the Vanilla Forums user list to find a matching email. + - The action will succeed (result value `True`) if either the email OR the username + is found in the system. - 4. **Username Search**: The action calls the `search_user_by_name` method to check - for the existence of the provided username. - 5. **Result Compilation**: It constructs a JSON result containing boolean flags - for `Email` and `UserName` existence. If the email is found, the full user details - are included in the `UserDetails` field. + ### Flow Description + + 1. **Initialization**: The action extracts the integration configuration (API + Token and URL) and the user-provided parameters (`User Email` and `User Name`). + + 2. **Email Search**: The action calls the `search_user_by_email` method, which + iterates through the `/v2/users` endpoint (handling pagination) to find a match + for the provided email. + + 3. **Username Search**: The action calls the `search_user_by_name` method, which + queries the `/v2/users/by-names` endpoint to check for the existence of the provided + username. + + 4. **Data Aggregation**: The results from both searches are compiled into a JSON + object. This includes boolean flags for `Email` and `UserName` existence. - 6. **Final Output**: The action concludes by providing an output message summarizing - the findings and setting the execution status to completed. + 5. **Completion**: The action sets the final output message based on the search + results and returns the aggregated JSON data to the Google SecOps platform. capabilities: can_create_case_comments: false can_create_insight: false @@ -407,7 +518,7 @@ Search User By Email and Name: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: entity_types: [] filters_by_additional_properties: false @@ -423,50 +534,67 @@ Search User By Email and Name: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Update Badge: ai_description: >- - ### General Description + Awards a specific badge to a user within the Vanilla Forums platform. This action + uses the Vanilla Forums API to associate a badge ID with a user ID, effectively + updating the user's profile with the new achievement. It is primarily used for + community management and engagement automation. - The **Update Badge** action allows administrators to award a specific badge to - a user within the Vanilla Forums platform. This is a management action used to - reward or categorize users based on their activity or status. - - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **User ID** | String | Yes | The unique identifier of the user in Vanilla Forums - who will receive the badge. | + | User ID | string | True | The unique identifier of the user who will receive + the badge. | - | **Badge ID** | String | Yes | The unique identifier of the badge to be awarded + | Badge ID | string | True | The unique identifier of the badge to be awarded to the user. | ### Flow Description - 1. **Parameter Extraction**: The action retrieves the `User ID` and `Badge ID` - from the input parameters. - - 2. **API Connection**: It establishes a connection to the Vanilla Forums instance - using the configured API Token and Base URL. - - 3. **Badge Assignment**: The action calls the `give_user_badge` method in the - manager, which sends a POST request to the `/v2/badges/{badge_id}/users` endpoint. - - 4. **Result Processing**: The response from the API, containing the details of - the assignment, is captured and added to the action's JSON results. + 1. **Initialization**: The action initializes the Vanilla Forums manager using + the API Token and Base URL provided in the integration configuration. - 5. **Completion**: The action concludes by providing an output message indicating - whether the badge was successfully awarded. + 2. **Parameter Extraction**: It retrieves the 'User ID' and 'Badge ID' from the + action input parameters. + 3. **API Execution**: The action calls the `give_user_badge` method in the manager, + which sends a POST request to the Vanilla Forums endpoint `/v2/badges/{badge_id}/users` + with the user's ID in the payload. - ### Additional Notes - - - This action does not interact with entities present in the Google SecOps case. - It operates solely on the IDs provided in the parameters. + 4. **Result Handling**: If the request is successful, it returns the badge assignment + details as a JSON result and completes the action. If the request fails, it captures + the error and marks the action as failed. capabilities: can_create_case_comments: false can_create_insight: false @@ -475,8 +603,8 @@ Update Badge: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Awards a badge to a user in Vanilla Forums by sending a POST request to the - badges endpoint. + Awards a badge to a user in Vanilla Forums, which modifies the user's profile + and badge collection in the external community platform. fetches_data: false internal_data_mutation_explanation: null categories: @@ -496,43 +624,75 @@ Update Badge: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: true + update_ticket: false Update Rank: ai_description: >- ### General Description - The **Update Rank** action is designed to modify the rank of a specific user within - the Vanilla Forums platform. This action is primarily used for administrative - management, allowing security teams or administrators to programmatically adjust - user status or permissions based on external triggers or manual intervention. + The **Update Rank** action allows analysts to programmatically change the rank + of a specific user within the Vanilla Forums platform. This is typically used + for administrative tasks or as part of a response workflow where a user's permissions + or status needs to be adjusted based on their activity or security profile. ### Parameters Description - | Parameter | Type | Mandatory | Description | + | Parameter Name | Description | Type | Mandatory | Default Value | - | :--- | :--- | :--- | :--- | + | :--- | :--- | :--- | :--- | :--- | - | **Rank ID** | String | Yes | The unique identifier of the rank to be assigned - to the user. | + | Rank ID | The unique identifier of the rank you wish to assign to the user. + | String | Yes | 2 | + + | User ID | The unique identifier of the user whose rank you want to modify. | + String | Yes | 0 | + + + ### Additional Notes - | **User ID** | String | Yes | The unique identifier of the user whose rank is - being updated. | + This action does not run on SecOps entities (like IP or Hostname). Instead, it + requires specific User and Rank IDs provided as manual inputs or mapped from previous + playbook steps. It performs a direct state change in the Vanilla Forums environment. ### Flow Description - 1. **Initialization**: The action extracts the `Rank ID` and `User ID` from the - input parameters and retrieves the integration configuration (API Token and URL). + 1. **Parameter Extraction:** The action retrieves the `Rank ID` and `User ID` + from the input parameters. - 2. **API Interaction**: It utilizes the `VanillaManager` to call the `change_user_rank` - method. + 2. **API Initialization:** It initializes the Vanilla Forums manager using the + integration's API Token and Base URL. - 3. **External Mutation**: The manager performs a `PUT` request to the Vanilla - Forums endpoint `/v2/users/{user_id}/rank` with the new rank details. + 3. **External Request:** The action sends a `PUT` request to the Vanilla Forums + API endpoint `/v2/users/{user_id}/rank` with the new `rankID` in the payload. - 4. **Outcome Reporting**: The action captures the API response, adds it as a JSON - result to the case, and provides a success or failure message based on the execution - outcome. + 4. **Result Processing:** If the request is successful, the action returns a success + message and the JSON response from the API. If it fails, it captures the error + and reports a failure state. capabilities: can_create_case_comments: false can_create_insight: false @@ -541,8 +701,8 @@ Update Rank: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the rank of a user in the Vanilla Forums platform by performing a PUT - request to the user's rank endpoint. + Updates the rank attribute of a user profile in the Vanilla Forums platform + via a PUT request. fetches_data: false internal_data_mutation_explanation: null categories: @@ -562,51 +722,73 @@ Update Rank: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: true + update_ticket: false Update User Role: ai_description: >- ### General Description - The **Update User Role** action allows for the modification of a user's assigned - role within the Vanilla Forums platform. This action is primarily used for administrative - tasks such as promoting users, changing permissions, or managing access levels - programmatically based on security workflows. + Updates the role of a specific user within the Vanilla Forums platform. This action + allows administrators to programmatically reassign user permissions by providing + the unique User ID and the target Role ID. It is primarily used for identity management + and access control workflows. ### Parameters Description - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **UserID** | String | Yes | The unique identifier of the user in Vanilla Forums - whose role is to be changed. | - - | **RoleID** | String | Yes | The unique identifier of the role to be assigned - to the user. | + | Parameter Name | Description | Type | Mandatory | Additional Notes | + | :--- | :--- | :--- | :--- | :--- | - ### Additional Notes + | RoleID | The unique identifier of the role to be assigned to the user. | String + | Yes | This should be the numeric or string ID as defined in Vanilla Forums. + | - This action performs a partial update (PATCH) on the user object in Vanilla Forums. - It expects a single Role ID which will be passed as an array to the external API. + | UserID | The unique identifier of the user whose role is being changed. | String + | Yes | The target user's ID. | ### Flow Description - 1. **Initialization**: The action initializes the Vanilla Forums manager using - the provided API Token and Base URL from the integration configuration. + 1. **Parameter Extraction**: The action retrieves the `UserID` and `RoleID` from + the input parameters. - 2. **Parameter Extraction**: It extracts the `UserID` and `RoleID` from the action - parameters. + 2. **API Initialization**: It initializes the `VanillaManager` using the integration's + API Token and Base URL. - 3. **API Request**: The action calls the `give_user_role` method in the manager, - which sends a `PATCH` request to the `/v2/users/{user_id}` endpoint with the new - `roleID` in the payload. + 3. **Role Update**: The action calls the `give_user_role` method, which sends + a `PATCH` request to the Vanilla Forums `/v2/users/{userID}` endpoint with the + new `roleID` in the payload. - 4. **Validation**: The action checks the response for errors or invalid role IDs. + 4. **Response Handling**: The action parses the API response. If the role is successfully + updated, it returns the updated user details as a JSON result. If the role ID + is invalid or the user is not found, it raises an error. - 5. **Completion**: It returns the updated user details as a JSON result and provides - a success message if the update was successful. + 5. **Completion**: The action concludes by reporting the success or failure of + the operation to the SOAR case wall. capabilities: can_create_case_comments: false can_create_insight: false @@ -616,8 +798,8 @@ Update User Role: can_update_entities: false external_data_mutation_explanation: >- Updates the 'roleID' attribute of a user profile in Vanilla Forums via a PATCH - request to the /v2/users/{user_id} endpoint. - fetches_data: false + request to the users endpoint. + fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false @@ -636,3 +818,28 @@ Update User Role: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: true + update_ticket: false diff --git a/content/response_integrations/third_party/community/vanilla_forums/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/vanilla_forums/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..6c27508d3 --- /dev/null +++ b/content/response_integrations/third_party/community/vanilla_forums/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: true + itsm: false + network_security: false + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/vectra_qux/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/vectra_qux/resources/ai/actions_ai_description.yaml index 1059c2dc3..1be358642 100644 --- a/content/response_integrations/third_party/community/vectra_qux/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/vectra_qux/resources/ai/actions_ai_description.yaml @@ -1,47 +1,50 @@ Add Note: ai_description: >- - ### General Description - Adds a note to a specific entity (Account, Host, or Detection) within the Vectra - platform. This action allows analysts to document findings or provide context - directly on the Vectra entity record from within Google SecOps. + platform. This action allows analysts to append contextual information or findings + directly to Vectra entities from within Google SecOps. - ### Parameters Description + ### Flow Description: - | Parameter | Type | Mandatory | Description | + 1. **Parameter Extraction:** The action retrieves the API configuration (Root, + Token, SSL) and action parameters (Note content, Entity ID, and Entity Type). - | :--- | :--- | :--- | :--- | + 2. **Validation:** It validates that the provided `Entity ID` is a valid integer. - | Note | String | Yes | The text content of the note to be added to the entity. - | + 3. **API Interaction:** It sends a POST request to the Vectra API endpoint corresponding + to the selected `Entity Type` (Accounts, Hosts, or Detections) and the specific + `Entity ID` to create the note. - | Entity ID | String | Yes | The unique numerical identifier of the entity in - Vectra. | + 4. **Result Processing:** Upon success, it retrieves the created note's metadata + (ID, creation date, creator) and presents it in a data table and JSON format within + the SOAR case. - | Entity Type | DDL | Yes | The category of the entity. Supported values: `Account`, - `Host`, `Detection`. | + ### Parameters Description: - ### Flow Description - 1. **Parameter Extraction:** Retrieves the note content, entity ID, and entity - type from the action inputs. + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Note | String | Yes | The text content of the note to be added to the Vectra + entity. | - 2. **Validation:** Validates that the provided Entity ID is a valid integer. + | Entity ID | String | Yes | The unique numerical identifier of the entity in + Vectra. | - 3. **API Interaction:** Sends a POST request to the Vectra API endpoint corresponding - to the entity type and ID. + | Entity Type | DDL | Yes | The category of the entity in Vectra. Supported values: + `Account`, `Host`, `Detection`. | - 4. **Result Processing:** Parses the response from Vectra, which includes the - new note's ID and creation details, and displays it in a data table and JSON result. + ### Additional Notes: - ### Additional Notes + * This action performs an external state change by creating a new record (a note) + in the Vectra system. - This action does not automatically process entities from the current case scope; - it requires the specific Entity ID to be provided manually or via a previous playbook - step. + * It does not process Google SecOps entities automatically; it requires a specific + ID to be passed as a parameter. capabilities: can_create_case_comments: false can_create_insight: false @@ -50,9 +53,9 @@ Add Note: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new note record associated with a specific entity in the Vectra platform - via a POST request. - fetches_data: false + Creates a new note record associated with a specific entity (Host, Account, + or Detection) in the Vectra platform via a POST request. + fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false @@ -71,28 +74,69 @@ Add Note: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Add Outcome: - ai_description: "### General Description\nThe **Add Outcome** action allows users\ - \ to define and create a new outcome within the Vectra system. Outcomes are used\ - \ to categorize the resolution of assignments, providing structured feedback on\ - \ whether a detection was a true positive (malicious or benign) or a false positive.\ - \ This action is primarily used for administrative setup or to dynamically add\ - \ custom resolution categories to the Vectra platform.\n\n### Parameters Description\n\ - | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ - | **Title** | String | Yes | The unique name/title for the new outcome (e.g.,\ - \ 'Confirmed Phishing'). |\n| **Category** | DDL | Yes | The broad classification\ - \ for the outcome. Supported values: `malicious_true_positive`, `benign_true_positive`,\ - \ `false_positive`. |\n\n### Flow Description\n1. **Parameter Extraction:** The\ - \ action retrieves the API configuration (Root, Token, SSL) and the user-provided\ - \ `Title` and `Category`.\n2. **Manager Initialization:** It initializes the `VectraQUXManager`\ - \ to handle communication with the Vectra API.\n3. **API Interaction:** The action\ - \ sends a `POST` request to the `/assignment_outcomes` endpoint with the specified\ - \ title and category.\n4. **Result Processing:** \n * If successful, it parses\ - \ the created outcome object.\n * It generates a data table displaying the\ - \ new Outcome ID, Title, and Category.\n * It attaches the full JSON response\ - \ to the action results for further use in playbooks.\n5. **Completion:** The\ - \ action concludes by providing a success message containing the unique ID of\ - \ the newly created outcome." + ai_description: >- + Adds a new assignment outcome to Vectra QUX. Outcomes are used to categorize the + results of assignments, such as when resolving a detection or entity assignment. + This action allows users to define custom outcome titles mapped to standard categories + like 'malicious_true_positive', 'benign_true_positive', or 'false_positive'. + + + ### Flow Description: + + 1. **Parameter Extraction:** Retrieves the 'Title' and 'Category' from the action + input and API credentials from the integration configuration. + + 2. **API Interaction:** Sends a POST request to the Vectra QUX `/assignment_outcomes` + endpoint with the provided title and category. + + 3. **Result Processing:** Captures the created outcome's ID and metadata from + the response. + + 4. **Output Generation:** Populates a data table and JSON result with the new + outcome information for use in subsequent playbook steps. + + + ### Parameters Description: + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Title | String | Yes | The unique title for the new outcome. | + + | Category | DDL | Yes | The category classification. Expected values: `malicious_true_positive`, + `benign_true_positive`, or `false_positive`. | + + + ### Additional Notes: + + - This action does not process or require any entities from the SOAR case. capabilities: can_create_case_comments: false can_create_insight: false @@ -101,8 +145,8 @@ Add Outcome: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new outcome definition in the Vectra system via a POST request to - the assignment outcomes endpoint. + Creates a new assignment outcome record in the Vectra QUX platform via a POST + request. fetches_data: false internal_data_mutation_explanation: null categories: @@ -122,50 +166,83 @@ Add Outcome: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Add Tags: ai_description: >- - This action adds tags to specific entities (Accounts, Hosts, or Detections) within - the Vectra platform using their unique Vectra IDs. It is designed to update the - metadata of these entities to assist in categorization and tracking. + ### General Description + + Adds one or more tags to specific entities (Accounts, Hosts, or Detections) within + the Vectra platform. This action allows for bulk tagging by providing a comma-separated + list of Entity IDs. It ensures data integrity by first fetching existing tags + for each entity and merging them with the new tags to prevent duplicates before + performing a partial update (PATCH) on the external system. ### Parameters Description - | Parameter | Type | Mandatory | Description | + | Parameter | Description | Type | Mandatory | | :--- | :--- | :--- | :--- | - | Tags | string | Yes | A comma-separated list of tags to be added to the specified - entities. | + | Tags | A comma-separated list of tags to be added to the specified entities. + | String | Yes | - | Entity IDs | string | Yes | A comma-separated list of the unique Vectra identifiers - for the entities to be tagged. | + | Entity IDs | A comma-separated list of internal Vectra IDs for the entities + to be updated. | String | Yes | - | Entity Type | ddl | Yes | The type of Vectra entity being targeted. Options - are 'Account', 'Host', or 'Detection'. | + | Entity Type | The category of the entities being tagged. Supported values are + 'Account', 'Host', and 'Detection'. | DDL | Yes | ### Flow Description + 1. **Initialization**: The action initializes the Vectra manager using the provided + API Root and Token. - 1. **Parameter Extraction:** The action retrieves the API configuration and the - user-provided tags, entity IDs, and entity type. + 2. **Input Processing**: It parses the `Tags` and `Entity IDs` parameters, splitting + them by commas and removing any duplicates or whitespace. + + 3. **Validation**: Validates that the provided `Entity IDs` are valid integers. - 2. **Validation:** It cleans the tag list and validates that the provided Entity - IDs are valid integers. + 4. **Tag Enrichment Loop**: For each Entity ID: + - It retrieves the current list of tags from the Vectra API. + - It merges the existing tags with the new tags provided in the input. + - It sends a PATCH request to Vectra to update the entity with the new combined + tag list. 5. **Result Compilation**: Tracks successes and failures for each ID. - 3. **Tag Retrieval:** For each provided Entity ID, the action first fetches the - existing tags from the Vectra API to ensure no data is overwritten. + 6. **Output**: Generates a summary data table and a detailed JSON result showing + the status and final tag list for each processed entity. - 4. **Tag Merging:** It merges the new tags with the existing ones, removing any - duplicates. - 5. **External Update:** The action sends a PATCH request to the Vectra API to - update the entity's tag list with the combined set. + ### Additional Notes - 6. **Result Reporting:** It compiles a status report for each ID, providing a - summary table and JSON result indicating which updates succeeded or failed. + This action does not run on SOAR entities automatically; it requires the user + to provide specific Vectra internal IDs as input parameters. capabilities: can_create_case_comments: false can_create_insight: false @@ -174,8 +251,8 @@ Add Tags: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - The action performs a PATCH request to the Vectra API to update the 'tags' field - of the specified Account, Host, or Detection entities. + Updates the metadata of entities (Accounts, Hosts, or Detections) in the Vectra + platform by adding new tags via a PATCH request. fetches_data: true internal_data_mutation_explanation: null categories: @@ -195,56 +272,79 @@ Add Tags: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: true + update_ticket: false Assign Entity: ai_description: >- - ### General Description - - Assigns a specific entity (either a Host or an Account) to a user within the Vectra - platform. This action is used to establish ownership and accountability for specific - entities during an investigation by creating an assignment record in the external - Vectra system. + Assigns a specific entity (Host or Account) to a user within the Vectra QUX platform. + This action is primarily used to establish ownership or accountability for a detected + threat or asset during an investigation. It creates a formal assignment record + in Vectra, which can then be tracked or resolved. The action requires the internal + Vectra IDs for both the user and the entity. - ### Parameters Description + ### Flow Description: - | Parameter | Type | Mandatory | Description | + 1. **Parameter Extraction:** Retrieves the API configuration and action parameters, + including the User ID, Entity ID, and Entity Type (Host or Account). - | :--- | :--- | :--- | :--- | + 2. **Validation:** Validates that the provided User ID and Entity ID are valid + integers. - | Entity ID | String | Yes | The unique identifier of the entity in Vectra. This - must be a valid integer string. | + 3. **API Interaction:** Sends a POST request to the Vectra QUX `/api/v2.5/assignments` + endpoint to create the assignment. - | Entity Type | DDL | Yes | The type of entity being assigned. Options are 'Account' - or 'Host'. | + 4. **Result Processing:** Parses the response into an Assignment object, adds + a summary data table to the case, and provides the raw JSON response for further + automation steps. - | User ID | String | Yes | The unique identifier of the user to whom the entity - will be assigned. This must be a valid integer string. | + ### Parameters Description: - ### Additional Notes + | Parameter Name | Type | Mandatory | Description | - - Both 'Entity ID' and 'User ID' are validated as integers before the API call - is made. If they are not numeric, the action will fail. + | :--- | :--- | :--- | :--- | - - This action does not run on SecOps entities automatically; it requires manual - input of IDs. + | Entity ID | String | Yes | The unique internal identifier of the entity in Vectra + QUX. | + | Entity Type | DDL | Yes | Specifies whether the entity is a 'Host' or an 'Account'. + | - ### Flow Description + | User ID | String | Yes | The unique internal identifier of the Vectra user to + whom the entity will be assigned. | - 1. **Parameter Extraction**: The action retrieves the API configuration (Root, - Token, SSL) and the action parameters (User ID, Entity ID, Entity Type). - 2. **Validation**: It validates that the provided 'Entity ID' and 'User ID' are - valid non-negative integers. + ### Additional Notes: - 3. **API Interaction**: It initializes the VectraQUXManager and calls the `assign_entity` - method, which sends a POST request to the Vectra API endpoint `/api/v2.5/assignments` - with the assignment details. + - This action does not run on SOAR entities automatically; it requires specific + ID values provided as input parameters. - 4. **Result Processing**: Upon success, it parses the returned assignment data, - creates a data table for the case wall, and attaches the raw JSON response to - the action results. + - The 'Entity Type' parameter is case-insensitive in the logic but provided as + a dropdown for ease of use. capabilities: can_create_case_comments: false can_create_insight: false @@ -253,9 +353,9 @@ Assign Entity: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new assignment record in the Vectra platform, linking a specific Host - or Account entity to a designated User ID. - fetches_data: false + Creates a new assignment record in the Vectra QUX platform, linking a specific + user to a host or account entity. + fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false @@ -274,35 +374,82 @@ Assign Entity: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: true + update_ticket: false Assign Group: - ai_description: "### General Description\nThis action adds members to a specific\ - \ group within the Vectra AI platform using its unique Group ID. It is designed\ - \ to manage group memberships dynamically by appending a list of provided identifiers\ - \ (such as hostnames, IPs, account UIDs, or domains) to an existing group. The\ - \ action validates the input, performs the update via the Vectra API, and provides\ - \ a detailed summary of which members were successfully assigned and which were\ - \ not.\n\n### Parameters Description\n| Parameter | Description | Type | Mandatory\ - \ |\n| :--- | :--- | :--- | :--- |\n| Group ID | The unique integer identifier\ - \ of the specific group in Vectra AI to which members will be added. | String\ - \ | Yes |\n| Members | A comma-separated list of member identifiers to assign\ - \ to the group. The type of identifier required depends on the group's configuration\ - \ in Vectra (e.g., IP addresses for an IP group, hostnames for a host group).\ - \ | String | Yes |\n\n### Additional Notes\n- The action uses the 'append' membership\ - \ action, meaning existing members in the group are preserved.\n- The success\ - \ of the assignment depends on whether the provided member identifiers exist and\ - \ match the group's type (Host, IP, Account, or Domain).\n- The Group ID must\ - \ be a valid positive integer.\n\n### Flow Description\n1. **Initialization**:\ - \ Retrieves configuration parameters (API Root, Token, SSL verification) and action\ - \ parameters (Group ID, Members).\n2. **Validation**: Validates that the Group\ - \ ID is a valid integer and processes the Members string into a clean list of\ - \ unique identifiers.\n3. **API Interaction**: Calls the Vectra AI API using a\ - \ PATCH request to the group's endpoint to append the new members.\n4. **Result\ - \ Processing**: Compares the requested members against the updated group membership\ - \ returned by the API to identify successful assignments and any failures.\n5.\ - \ **Output Generation**: \n - Generates a descriptive output message summarizing\ - \ the results.\n - Renders an HTML table showing the group's updated properties\ - \ and member list.\n - Returns the full group object as a JSON result for downstream\ - \ use." + ai_description: >- + Assigns members to a specific group in Vectra QUX. This action allows users to + add multiple members to an existing group by providing the Group ID and a comma-separated + list of member identifiers. The action uses an 'append' logic, meaning existing + members are preserved while new ones are added. It validates the Group ID and + processes the member list before making a PATCH request to the Vectra API. After + the update, the action verifies which members were successfully assigned and provides + a detailed HTML summary of the group's current state. + + + ### Flow Description: + + 1. **Parameter Extraction:** Retrieves the Group ID and the list of members from + the action parameters. + + 2. **Validation:** Validates that the Group ID is a positive integer and splits + the members string into a list. + + 3. **API Interaction:** Calls the Vectra QUX API using a PATCH request to append + the specified members to the group. + + 4. **Verification:** Compares the requested members against the updated group + membership returned by the API to identify any failed assignments. + + 5. **Output Generation:** Renders an HTML table showing the group's properties + (ID, Name, Type, Description, and Members) and attaches the raw JSON response. + + + ### Parameters Description: + + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Group ID | string | True | The unique numerical identifier of the group in Vectra + QUX. | + + | Members | string | True | A comma-separated list of members to assign to the + group. The member identifiers (e.g., IP, hostname, account UID) must match the + group's defined type. | + + + ### Additional Notes: + + - The action will fail if the Group ID does not exist or if none of the provided + members are valid for the group's type. + + - If some members are successfully added while others fail (e.g., due to invalid + format or non-existence), the action will complete with a partial success message. capabilities: can_create_case_comments: false can_create_insight: false @@ -311,59 +458,8 @@ Assign Group: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates group membership in the Vectra AI platform by appending new members - to a specified group via a PATCH request to the /groups/{group_id} endpoint. - fetches_data: true - internal_data_mutation_explanation: null - categories: - enrichment: false - entity_usage: - entity_types: [] - filters_by_additional_properties: false - filters_by_alert_identifier: false - filters_by_case_identifier: false - filters_by_creation_time: false - filters_by_entity_type: false - filters_by_identifier: false - filters_by_is_artifact: false - filters_by_is_enriched: false - filters_by_is_internal: false - filters_by_is_pivot: false - filters_by_is_suspicious: false - filters_by_is_vulnerable: false - filters_by_modification_time: false -Describe Assignment: - ai_description: "### General Description\nThe **Describe Assignment** action retrieves\ - \ comprehensive details for a specific assignment from Vectra QUX using its unique\ - \ ID. This action is primarily used for investigative purposes to understand who\ - \ is assigned to a specific task, the current status of the assignment, and any\ - \ associated outcomes or notes recorded in the Vectra platform.\n\n### Parameters\ - \ Description\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- |\ - \ :--- | :--- |\n| **Assignment ID** | String | Yes | The unique identifier of\ - \ the assignment in Vectra QUX. Although provided as a string, the action validates\ - \ that this value is a positive integer before processing. |\n\n### Flow Description\n\ - 1. **Parameter Extraction:** The action retrieves the API configuration (Root,\ - \ Token, SSL) and the mandatory `Assignment ID` from the user input.\n2. **Validation:**\ - \ It validates that the `Assignment ID` is a valid non-negative integer.\n3. **API\ - \ Interaction:** The action initializes the VectraQUX manager and performs a GET\ - \ request to the `/assignments/{assignment_id}` endpoint.\n4. **Data Processing:**\ - \ The raw JSON response is parsed into an internal data model. If the assignment\ - \ is not found, an error is raised.\n5. **Result Output:** \n * The full\ - \ raw JSON response is added to the action results.\n * A formatted data\ - \ table titled 'Describe Assignment' is created, containing key fields such as\ - \ Assigned User, Resolved By User, Outcome Title, and the associated Entity ID/Type.\n\ - \n### Additional Notes\n* This action does not operate on SecOps entities (IPs,\ - \ Hosts, etc.) directly; it requires a specific Vectra Assignment ID as input.\n\ - * If the ID does not exist in the Vectra system, the action will return a 'Failed'\ - \ status with a 'Not Found' message." - capabilities: - can_create_case_comments: false - can_create_insight: false - can_modify_alert_data: false - can_mutate_external_data: false - can_mutate_internal_data: false - can_update_entities: false - external_data_mutation_explanation: null + Updates group membership in Vectra QUX by appending new members to the specified + group via a PATCH request. fetches_data: true internal_data_mutation_explanation: null categories: @@ -383,14 +479,39 @@ Describe Assignment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: true + update_ticket: false Describe Assignment: ai_description: >- ### General Description The **Describe Assignment** action retrieves comprehensive details for a specific assignment within the Vectra QUX platform using its unique Assignment ID. This - action is designed to provide analysts with full context regarding an assignment's - lifecycle, including ownership, resolution status, and associated entities. + action is primarily used to programmatically inspect the status, ownership, and + resolution details of investigative assignments managed in Vectra. ### Parameters Description @@ -399,35 +520,38 @@ Describe Assignment: | :--- | :--- | :--- | :--- | - | **Assignment ID** | String | Yes | The unique identifier of the assignment to - retrieve details for. The action validates this input to ensure it is a valid - non-negative integer. | + | **Assignment ID** | String | Yes | The unique numerical identifier of the assignment + to retrieve. The action validates that this value is a positive integer. | ### Flow Description - 1. **Input Validation**: The action first validates the provided `Assignment ID` - to ensure it is a valid integer. + 1. **Initialization**: The action extracts the integration's configuration (API + Root, Token, and SSL verification settings) and the mandatory `Assignment ID` + parameter. - 2. **API Request**: It performs a GET request to the Vectra QUX API endpoint for - assignments (`/api/v2.5/assignments/{assignment_id}`). + 2. **Validation**: The `Assignment ID` is validated to ensure it is a valid integer. + If validation fails, the action returns a failure status. - 3. **Data Parsing**: The manager parses the JSON response into an internal data - model, extracting details such as the assigned user, the user who resolved the - assignment, the outcome title, and the linked entity (Host or Account). + 3. **API Request**: The action communicates with the Vectra QUX API via a GET + request to the `/api/v2.5/assignments/{assignment_id}` endpoint. - 4. **Result Generation**: The action populates the result JSON with the full API - response and constructs a data table for the case wall containing the summarized - assignment information. + 4. **Data Parsing**: Upon a successful response, the action parses the assignment + metadata, including the assigned user, the user who resolved it (if applicable), + the outcome, and the associated entity (Host or Account). + 5. **Output**: The action produces two main outputs: + * A **JSON Result** containing the full raw response from the Vectra API. + * A **Data Table** named 'Describe Assignment' that summarizes key fields + like Assignment ID, Assigned User, Outcome, and Entity Type. ### Additional Notes - - This action does not process entities from the case scope; it relies entirely - on the provided `Assignment ID` parameter. + - This action does not process or filter entities from the Google SecOps case; + it operates exclusively on the ID provided in the parameters. - - If the ID does not exist in Vectra QUX, the action will return a 'not found' - error. + - If the provided ID does not correspond to an existing assignment, the action + will return an 'Assignment not found' error. capabilities: can_create_case_comments: false can_create_insight: false @@ -439,7 +563,7 @@ Describe Assignment: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: true + enrichment: false entity_usage: entity_types: [] filters_by_additional_properties: false @@ -455,29 +579,58 @@ Describe Assignment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Describe Detection: ai_description: "### General Description\nThe **Describe Detection** action retrieves\ - \ comprehensive details for a specific detection from the Vectra AI platform using\ - \ its unique Detection ID. This action is designed to provide security analysts\ - \ with deep-dive context into a specific threat event, including its state, category,\ - \ and associated source entities.\n\n### Parameters Description\n| Parameter |\ - \ Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| **Detection\ - \ ID** | String | Yes | The unique numerical identifier of the detection to be\ - \ retrieved. This value must be a valid integer. |\n\n### Flow Description\n1.\ - \ **Initialization:** The action extracts the API configuration (Root URL, Token,\ - \ and SSL verification) and the mandatory **Detection ID** parameter.\n2. **Validation:**\ - \ The provided Detection ID is validated to ensure it is a non-negative integer.\n\ - 3. **Data Retrieval:** The action makes a GET request to the Vectra AI API endpoint\ - \ `/api/v2.5/detections/{detection_id}`.\n4. **Parsing:** The response is parsed\ - \ into a structured Detection data model, which includes attributes like detection\ - \ type, state, category, and source entity information.\n5. **Output:** \n \ - \ * A **Data Table** named 'Describe Detection' is created, summarizing key\ - \ fields (ID, Type, State, Category, Source Entity ID/Name).\n * The full\ - \ raw JSON response is attached as **JsonResult** for use in subsequent playbook\ - \ steps.\n\n### Additional Notes\n- This action does not process entities from\ - \ the case scope; it operates strictly on the provided **Detection ID** parameter.\n\ - - If the specified Detection ID does not exist in the Vectra system, the action\ - \ will return a 'Detection not found' error." + \ comprehensive details for a specific detection from the Vectra QUX platform\ + \ using its unique identifier. This action is designed to provide analysts with\ + \ the full context, current state, and metadata associated with a security event,\ + \ facilitating deep-dive investigations within the Google SecOps environment.\n\ + \n### Parameters Description\n\n| Parameter | Description | Type | Mandatory |\ + \ Default Value |\n| :--- | :--- | :--- | :--- | :--- |\n| Detection ID | The\ + \ unique identifier of the detection to be retrieved. The action validates that\ + \ this input is a valid non-negative integer. | String | Yes | 0 |\n\n### Flow\ + \ Description\n1. **Parameter Extraction:** The action retrieves the `Detection\ + \ ID` from the user input and the API configuration (Root, Token, and SSL verification)\ + \ from the integration settings.\n2. **Validation:** It performs a validation\ + \ check to ensure the `Detection ID` is a valid integer. If the ID is invalid\ + \ or negative, the action fails with an error message.\n3. **API Request:** The\ + \ action initializes the `VectraQUXManager` and executes a GET request to the\ + \ Vectra QUX API endpoint `/api/v2.5/detections/{detection_id}`.\n4. **Data Parsing:**\ + \ The raw JSON response from the API is parsed into a structured `Detection` object\ + \ using the `VectraQUXParser`.\n5. **Result Output:** \n - A data table titled\ + \ \"Describe Detection\" is created, containing key fields such as ID, Detection\ + \ Type, State, Category, and Source Entity information.\n - The full raw JSON\ + \ data of the detection is added to the action's result JSON for use in subsequent\ + \ playbook steps.\n\n### Additional Notes\n- **Error Handling:** The action explicitly\ + \ handles cases where the detection is not found (404 error), providing a user-friendly\ + \ message to verify the ID.\n- **Entity Interaction:** This action does not process\ + \ or filter existing entities in the case; it operates solely based on the provided\ + \ `Detection ID` parameter." capabilities: can_create_case_comments: false can_create_insight: false @@ -505,52 +658,52 @@ Describe Detection: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Describe Entity: ai_description: >- - ### General Description - - The **Describe Entity** action retrieves comprehensive details for a specific - entity (either a Host or an Account) from the Vectra AI platform using its unique - identifier. This action is designed to provide deep-dive visibility into a specific - asset's state, threat scores, and associated detections within the Vectra environment. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Entity ID | String | Yes | The unique numerical identifier for the Account or - Host in Vectra. | - - | Entity Type | DDL | Yes | The category of the entity to retrieve. Must be either - 'Account' or 'Host'. | - - - ### Flow Description - - 1. **Initialization:** The action extracts the API configuration (Root URL, Token) - and the user-provided parameters (Entity ID and Type). - - 2. **Validation:** The Entity ID is validated to ensure it is a non-negative integer. - - 3. **API Interaction:** The action performs a GET request to the Vectra API v2.5 - endpoint specific to the entity type (e.g., `/api/v2.5/hosts/{id}` or `/api/v2.5/accounts/{id}`). - - 4. **Data Parsing:** The raw JSON response is parsed into a structured Entity - object, extracting fields such as Name, State, Threat Score, Severity, and Tags. - - 5. **Output Generation:** The action generates a data table titled 'Describe Entity' - containing a summary of the asset and attaches the full raw JSON response to the - action results for further inspection. - - - ### Additional Notes - - This action does not automatically iterate over entities present in the Google - SecOps case. It requires the user to manually provide the specific Vectra Entity - ID. If the ID is not found, the action will return a failure status. + Retrieves detailed information for a specific Host or Account entity from Vectra + QUX using its unique identifier. This action allows analysts to perform a targeted + lookup of asset metadata, including threat scores, severity, state, and associated + detection summaries. The retrieved data is presented as a structured data table + and a raw JSON object for further analysis.\n\n### Parameters Description\n\n| + Parameter | Description | Type | Mandatory |\n| :--- | :--- | :--- | :--- |\n| + Entity ID | The unique numerical identifier for the Account or Host to be described. + | String | Yes |\n| Entity Type | Specifies the category of the entity to retrieve. + Must be either 'Account' or 'Host'. | DDL | Yes |\n\n### Flow Description\n\n1. + **Parameter Extraction**: Retrieves the API configuration and the specific Entity + ID and Entity Type from the action input.\n2. **Validation**: Validates that the + provided Entity ID is a valid non-negative integer.\n3. **API Interaction**: Connects + to the Vectra QUX API and requests the full details for the specified entity type + and ID.\n4. **Data Processing**: Parses the API response into a standardized entity + model.\n5. **Output Generation**: Populates a CSV-formatted data table with key + entity attributes and attaches the complete raw JSON response to the action results.\n\n### + Additional Notes\n\n* This action performs a direct lookup by ID and does not + automatically iterate over entities present in the current alert context unless + explicitly mapped in a playbook step. capabilities: can_create_case_comments: false can_create_insight: false @@ -578,25 +731,47 @@ Describe Entity: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Download PCAP: ai_description: >- - ### General Description Downloads a Packet Capture (PCAP) file from Vectra QUX - for a specific detection ID. This action allows analysts to retrieve raw network - traffic data associated with a security event for further forensic investigation. - ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- - | :--- | :--- | :--- | | **Detection ID** | String | Yes | The unique identifier - of the detection to retrieve the PCAP file for. Although provided as a string, - the action validates that it is a valid integer. | ### Flow Description 1. **Initialization**: - The action initializes the Vectra QUX manager using the provided API Root and - Token. 2. **Validation**: The input Detection ID is validated to ensure it is - a non-negative integer. 3. **Data Retrieval**: The action sends a GET request - to the Vectra QUX API to download the PCAP file content associated with the detection. - 4. **File Processing**: It extracts the filename from the response headers and - saves the file locally. 5. **Result**: The PCAP file is attached to the action - result in Google SecOps, and a success message is returned. ### Additional Notes - - This action does not operate on entities; it requires a manual input of a Detection - ID. - Per Google SecOps categorization rules, actions that download files are - not classified as enrichment actions. + Downloads a PCAP (Packet Capture) file associated with a specific detection ID + from Vectra QUX. This action is used to retrieve network traffic data for forensic + analysis and investigation of security detections. Flow Description: 1. Parameter + Extraction: Retrieves the Detection ID from the action input. 2. Validation: Validates + that the provided Detection ID is a valid integer. 3. API Request: Sends a GET + request to the Vectra QUX API endpoint for PCAP downloads using the provided ID. + 4. File Retrieval: Receives the binary content of the PCAP file and extracts the + filename from the response headers. 5. Attachment: Encodes the file content and + adds it as an attachment to the action result in Google SecOps. Parameters Description: + Detection ID (String, Mandatory): The unique identifier of the detection in Vectra + QUX for which the PCAP file should be downloaded. Although passed as a string, + it must represent a valid integer. Additional Notes: This action does not run + on entities; it requires a specific Detection ID as input. Downloaded files are + attached to the action result for analyst review. capabilities: can_create_case_comments: false can_create_insight: false @@ -624,75 +799,66 @@ Download PCAP: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: true + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false List Assignments: - ai_description: >- - ### General Description - - The **List Assignments** action retrieves a list of assignments from the Vectra - QUX platform based on various filtering criteria. It is primarily used for auditing, - reporting, or identifying specific task assignments related to hosts or accounts - within the Vectra environment. The action supports pagination and allows users - to limit the number of returned records. - - - ### Parameters Description - - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Accounts IDs | String | No | Comma-separated list of account IDs to filter the - assignments. | - - | Hosts IDs | String | No | Comma-separated list of host IDs to filter the assignments. - | - - | Assignees IDs | String | No | Comma-separated list of user IDs (assignees) to - filter the assignments. | - - | Resolution IDs | String | No | Comma-separated list of outcome/resolution IDs - to filter the assignments. | - - | Resolved | DDL | No | Filters assignments by their resolution status. Options: - `None` (no filter), `True` (resolved only), `False` (unresolved only). | - - | Created After | String | No | Filters assignments created after a specific timestamp. - Supports relative formats (e.g., '2 hours', '2 days') or absolute ISO formats. - | - - | Limit | String | No | Specifies the maximum number of assignment records to - fetch. Defaults to the system limit if not provided. | - - - ### Additional Notes - - - This action does not operate on specific entities within the Google SecOps scope; - it performs a global search based on the provided parameters. - - - If no assignments match the criteria, the action will complete successfully - with a message indicating no results were found. - - - ### Flow Description - - 1. **Parameter Initialization:** The action extracts configuration settings (API - Root, Token) and user-provided filters. - - 2. **Validation:** It validates the 'Limit' parameter to ensure it is a non-negative - integer and processes comma-separated ID strings into lists. - - 3. **Query Construction:** A query parameter mapping is built using the provided - filters such as `resolved` status and `created_after` timestamps. - - 4. **API Interaction:** The action calls the Vectra QUX API's assignments endpoint - using a paginated GET request to retrieve the data. - - 5. **Data Processing:** The raw JSON response is parsed into internal assignment - objects. - - 6. **Output Generation:** The results are presented as a structured data table - named 'Assignment Details' and the full raw JSON is attached to the action result. + ai_description: "The 'List Assignments' action retrieves a list of assignments from\ + \ the Vectra QUX platform based on user-defined filtering criteria. It allows\ + \ analysts to query assignments associated with specific accounts, hosts, assignees,\ + \ or resolution outcomes. The action supports filtering by resolution status (resolved\ + \ or unresolved) and creation time. The results are presented both as a structured\ + \ data table for quick review and a raw JSON object for downstream automation\ + \ logic.\n\n### Parameters Description\n\n| Parameter | Type | Mandatory | Description\ + \ |\n| :--- | :--- | :--- | :--- |\n| Accounts IDs | String | No | A comma-separated\ + \ list of account IDs to filter the assignments. |\n| Hosts IDs | String | No\ + \ | A comma-separated list of host IDs to filter the assignments. |\n| Assignees\ + \ IDs | String | No | A comma-separated list of assignee (user) IDs to filter\ + \ the assignments. |\n| Resolution IDs | String | No | A comma-separated list\ + \ of outcome/resolution IDs to filter the assignments. |\n| Resolved | DDL | No\ + \ | Filters assignments by their resolution status. Options: 'None' (no filter),\ + \ 'True' (only resolved), 'False' (only unresolved). |\n| Created After | String\ + \ | No | Filters assignments created after a specific timestamp. Supports relative\ + \ formats (e.g., '2 days') or absolute ISO 8601 timestamps. |\n| Limit | String\ + \ | No | Specifies the maximum number of assignment records to retrieve. Defaults\ + \ to the system limit if not provided. |\n\n### Additional Notes\n- This action\ + \ does not require entities to be present in the current scope; it operates entirely\ + \ based on the provided input parameters.\n- All ID-based parameters (Accounts,\ + \ Hosts, Assignees, Resolutions) are validated to ensure they are integers.\n\n\ + ### Flow Description\n1. **Parameter Extraction:** The action retrieves the API\ + \ configuration (Root, Token, SSL) and the user-provided filter parameters.\n\ + 2. **Validation:** It validates the 'Limit' parameter and converts comma-separated\ + \ ID strings into lists of integers.\n3. **Query Construction:** A query mapping\ + \ is built using the provided filters (e.g., `resolved`, `created_after`, `hosts`,\ + \ `accounts`).\n4. **API Interaction:** The action calls the Vectra QUX API's\ + \ assignment endpoint using a paginated GET request to fetch the records up to\ + \ the specified limit.\n5. **Data Processing:** The retrieved assignment objects\ + \ are parsed and formatted.\n6. **Output Generation:** \n - A data table named\ + \ 'Assignment Details' is created containing key fields like Assignment ID, Assigned\ + \ User, and Entity Type.\n - The full raw response is attached as a JSON result\ + \ for further processing." capabilities: can_create_case_comments: false can_create_insight: false @@ -704,7 +870,7 @@ List Assignments: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: entity_types: [] filters_by_additional_properties: false @@ -720,52 +886,84 @@ List Assignments: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false List Entity Detections: ai_description: >- - ### General Description + Retrieves a list of detections associated with a specific entity ID (Host or Account) + from the Vectra QUX platform. This action allows analysts to query historical + or active security detections for a known entity identifier, providing visibility + into the threat activity linked to that specific asset. It supports filtering + by the state of the detection (Active, Inactive, or Fixed) and allows for limiting + the number of returned records. - The **List Entity Detections** action retrieves a comprehensive list of security - detections associated with a specific entity (either a Host or an Account) from - the Vectra QUX platform. This action allows analysts to query the Vectra API for - historical or active threat data related to a specific asset identifier, providing - visibility into the types of malicious activity detected for that asset. + ### Flow Description - ### Parameters Description + 1. **Parameter Extraction:** The action retrieves the API configuration and action + parameters, including the `Entity ID`, `Entity Type`, `Limit`, and `State`. - | Parameter | Type | Mandatory | Description | + 2. **Validation:** It validates that the `Entity ID` and `Limit` are valid integer + values. - | :--- | :--- | :--- | :--- | + 3. **API Interaction:** The action uses the `VectraQUXManager` to perform a GET + request to the Vectra search detections endpoint, using a query string that filters + by the source entity's ID and the specified detection state. - | **Entity ID** | String | Yes | The unique identifier for the Host or Account - within Vectra QUX. | + 4. **Data Processing:** The retrieved detections are parsed into structured objects. + If detections are found, they are converted into a JSON result and a CSV-formatted + data table. - | **Entity Type** | DDL | Yes | Specifies whether the provided ID belongs to a - `Host` or an `Account`. | + 5. **Output:** The action completes by providing a summary message and attaching + the detection data to the case for analyst review. - | **Limit** | String | No | The maximum number of detection records to retrieve. - | - | **State** | DDL | Yes | Filters the detections by their current status. Supported - values are `Active`, `Inactive`, and `Fixed`. | + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Flow Description + | Entity ID | String | Yes | The unique identifier for the Account or Host within + the Vectra platform. | - 1. **Initialization**: The action initializes the Vectra QUX manager using the - provided API Root and Token. + | Entity Type | DDL | Yes | Specifies whether the provided ID refers to an 'Account' + or a 'Host'. | - 2. **Validation**: It validates that the `Entity ID` and `Limit` parameters are - valid integers. + | Limit | String | No | The maximum number of detection records to fetch. If not + provided, the system default is used. | - 3. **API Request**: It constructs a search query for the `/api/v2.5/search/detections` - endpoint, targeting the specific entity ID and filtering by the chosen state. + | State | DDL | Yes | Filters detections based on their current status: 'Active', + 'Inactive', or 'Fixed'. | - 4. **Pagination**: The action utilizes a paginator to fetch results up to the - specified limit. - 5. **Output**: The retrieved detections are parsed into a JSON result and a formatted - data table titled 'List Entity Detections' for display in the case wall. + ### Additional Notes + + - This action does not automatically iterate over entities in the current Google + SecOps case; it requires a specific `Entity ID` to be provided as an input parameter. capabilities: can_create_case_comments: false can_create_insight: false @@ -793,15 +991,41 @@ List Entity Detections: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false List Groups: ai_description: >- ### General Description The **List Groups** action retrieves a list of groups from the Vectra QUX platform - based on user-defined filtering criteria. It allows security analysts to search - for specific groups by associated hosts, accounts, domains, IP addresses, or metadata - such as importance and modification history. This action is primarily used for - administrative oversight and identifying group memberships within the Vectra environment. + based on a variety of user-defined query parameters. It allows analysts to search + for specific groups by host names, account names, domains, IP addresses, importance + levels, and modification metadata. This action is primarily used for auditing + group memberships or identifying specific group configurations within the Vectra + environment. ### Parameters Description @@ -810,74 +1034,73 @@ List Groups: | :--- | :--- | :--- | :--- | - | **Host Names** | String | No | Comma-separated list of host names to filter + | Host Names | String | No | A comma-separated list of host names to filter the groups. | - | **Account Names** | String | No | Comma-separated list of account names to filter - groups. | + | Account Names | String | No | A comma-separated list of account names to filter + the groups. | - | **Domains** | String | No | Comma-separated list of domains to filter groups. + | Domains | String | No | A comma-separated list of domains to filter the groups. | - | **Host Ids** | String | No | Comma-separated list of host IDs to filter groups. + | Host Ids | String | No | A comma-separated list of host IDs to filter the groups. | - | **Importance** | DDL | No | Filter groups by importance level (low, medium, - high, never_prioritize). | + | Importance | DDL | No | Filters groups by their importance level (e.g., low, + medium, high, never_prioritize). | - | **IPs** | String | No | Comma-separated list of IP addresses to filter groups. + | IPs | String | No | A comma-separated list of IP addresses to filter the groups. | - | **Last Modified Timestamp GTE** | String | No | Filter groups modified on or - after this timestamp (Greater Than or Equal). | + | Last Modified Timestamp GTE | String | No | Filters groups modified on or after + this specific timestamp. | - | **Last Modified By** | String | No | Filter groups modified by a specific username. - | + | Last Modified By | String | No | Filters groups based on the username of the + person who last modified them. | - | **Name** | String | No | Filter by the specific name of the group. | + | Name | String | No | Filters groups by their specific name. | - | **Type** | DDL | No | Filter by group type (host, account, ip, domain). | + | Type | DDL | No | Filters groups by their type (e.g., host, account, ip, domain). + | - | **Limit** | String | No | The maximum number of group records to retrieve. Defaults - to the system limit if not specified. | + | Limit | String | No | Specifies the maximum number of records to fetch from + the API. | - | **Description** | String | No | Case-insensitive match for the group description. - | + | Description | String | No | Performs a case-insensitive match against the group's + description field. | ### Additional Notes + - This action does not process Google SecOps entities automatically; it relies + entirely on the provided input parameters. + - If no parameters are provided, the action will attempt to list all groups up to the specified limit. - - The `Limit` parameter is validated to ensure it is a non-negative integer; a - value of "0" will result in an error. - - - Comma-separated string parameters (like Host Names or IPs) are automatically - cleaned of whitespace and duplicates before the request is made. + - The 'Limit' parameter defaults to a system-defined maximum if not specified. ### Flow Description - 1. **Parameter Extraction:** The action retrieves configuration settings (API - Root, Token) and user-provided filter parameters from the Google SecOps environment. + 1. **Parameter Extraction**: The action retrieves the integration configuration + (API Root, Token) and all optional search filters provided by the user. - 2. **Validation:** The `Limit` parameter is validated to ensure it is a proper - integer greater than zero. + 2. **Input Sanitization**: Comma-separated strings for hosts, accounts, domains, + and IPs are split into lists and stripped of whitespace. - 3. **API Request:** The `VectraQUXManager` constructs a GET request to the `/api/v2.5/groups` - endpoint, applying the provided filters as query parameters. + 3. **Validation**: The 'Limit' parameter is validated to ensure it is a positive + integer. - 4. **Pagination:** The action handles paginated responses from the Vectra API - to collect all relevant group objects up to the defined limit. + 4. **API Request**: The action initializes the VectraQUX manager and performs + a paginated GET request to the `/groups` endpoint, applying the filters as query + parameters. - 5. **Output Generation:** - - A data table named "List Of Groups" is created containing the ID, Name, - Type, and Description of each found group. - - The full raw JSON response is attached to the action results for further - processing. - - A summary message is returned indicating the number of groups successfully - retrieved. + 5. **Data Parsing**: The raw JSON response is parsed into structured Group objects. + + 6. **Output Generation**: If groups are found, the action populates a data table + named 'List Of Groups' in the SOAR case and attaches the full JSON result for + further analysis. capabilities: can_create_case_comments: false can_create_insight: false @@ -905,56 +1128,77 @@ List Groups: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false List Outcomes: ai_description: >- ### General Description - Lists all assignment outcomes from the Vectra QUX platform. This action retrieves - a collection of outcome objects which define the possible results or resolutions - for assignments (e.g., 'True Positive', 'Benign'). It is primarily used for administrative - discovery or to provide context for other assignment-related actions within the - Vectra QUX ecosystem. + The **List Outcomes** action retrieves a comprehensive list of all assignment + outcomes configured in the Vectra QUX platform. This utility action is primarily + used to discover valid outcome titles and IDs, which are required for subsequent + workflow steps such as resolving assignments or triaging detections. It provides + visibility into both built-in and user-defined outcomes. ### Parameters Description - | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Limit | string | No | Specifies the maximum number of outcome records to retrieve. - The value is validated as a positive integer. If not provided, the action fetches - all available records up to the system's default limit. | - - - ### Additional Notes - - - This action does not require any entities to be present in the context to run. - - - The results are presented both as a structured data table ('Outcome Details') - and as a raw JSON object for downstream playbook processing. + | Limit | String | No | Specifies the maximum number of outcome records to return. + If not provided, the action will use the default system limit. The value must + be a valid non-negative integer string. | ### Flow Description - 1. **Parameter Initialization**: The action extracts the API Root, API Token, - and SSL verification settings from the integration configuration. + 1. **Parameter Initialization**: The action retrieves the integration configuration + (API Root, Token, SSL settings) and the optional `Limit` parameter. - 2. **Input Validation**: The 'Limit' parameter is extracted and validated to ensure - it is a valid non-negative integer. + 2. **Validation**: The `Limit` parameter is validated to ensure it is a valid + integer greater than or equal to zero. - 3. **API Interaction**: The action initializes the VectraQUXManager and calls - the `get_outcome_list` method, which performs a GET request to the `/assignment_outcomes` - endpoint. + 3. **Data Retrieval**: The action performs a paginated GET request to the Vectra + QUX `/assignment_outcomes` endpoint using the `VectraQUXManager`. - 4. **Pagination**: If the number of outcomes exceeds the page size, the manager - handles pagination automatically to retrieve the requested number of records. + 4. **Output Generation**: + * If outcomes are found, a data table named "Outcome Details" is created, + containing fields like Outcome ID, Title, Category, and whether it is Built-In + or User Selectable. + * The full raw response is attached as a JSON result for further processing + in the playbook. + * If no outcomes are found, a success message is returned indicating no + data was retrieved. - 5. **Data Processing**: The raw JSON response is parsed into Outcome data models. + ### Additional Notes - 6. **Output Generation**: The action constructs a CSV-formatted data table for - the case wall and attaches the full JSON response to the action results. + * This action does not operate on specific entities (IPs, Hosts, etc.) but rather + fetches global configuration data from the Vectra QUX environment. capabilities: can_create_case_comments: false can_create_insight: false @@ -966,7 +1210,7 @@ List Outcomes: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: true + enrichment: false entity_usage: entity_types: [] filters_by_additional_properties: false @@ -982,29 +1226,95 @@ List Outcomes: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false List Users: ai_description: >- - ### General Description\nLists users from the Vectra AI platform based on various - filtering criteria. This action allows security analysts to search for user accounts - by role, username, account type, authentication profile, or last login time. The - results are presented as a data table and a raw JSON object for further processing.\n\n### - Parameters Description\n| Parameter | Type | Mandatory | Description |\n| :--- - | :--- | :--- | :--- |\n| Role | String | No | Filter users by their assigned - role. |\n| Authentication Profile | String | No | Filter users by their authentication - profile. |\n| Last Login GTE | String | No | Filter users whose last login timestamp - is greater than or equal to this value. |\n| User Name | String | No | Filter - by a specific username. |\n| Account Type | String | No | Filter by the type of - account. |\n| Limit | String | No | The maximum number of user records to retrieve. - |\n\n### Additional Notes\nThis action does not require any input entities and - operates as a standalone search utility. If no users are found, the action will - complete successfully with an informative message.\n\n### Flow Description\n1. - **Parameter Extraction**: Retrieves API configuration and user-defined filters - from the action parameters.\n2. **Validation**: Validates the 'Limit' parameter - to ensure it is a non-negative integer.\n3. **API Interaction**: Initializes the - VectraQUXManager and calls the user list endpoint with the specified filters.\n4. - **Pagination**: Handles paginated responses from the Vectra AI API to collect - users up to the defined limit.\n5. **Output Generation**: Constructs a data table - 'List Of Users' and attaches the raw JSON results to the action output. + The **List Users** action retrieves a list of user accounts from the Vectra QUX + platform based on specified filtering criteria. It allows analysts to search for + users by their role, account type, authentication profile, or username, and can + filter based on the last login timestamp. This action is primarily used for administrative + auditing, identifying specific user accounts, or verifying user permissions within + the Vectra environment. + + + ### Parameters Description + + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Role | String | No | Filter users by their assigned role in Vectra (e.g., 'admin', + 'readonly'). | + + | Authentication Profile | String | No | Filter users by their authentication + profile name. | + + | Last Login GTE | String | No | Filter users whose last login timestamp is greater + than or equal to this value. | + + | User Name | String | No | Filter by a specific username. | + + | Account Type | String | No | Filter by the type of account (e.g., 'local', 'ldap'). + | + + | Limit | String | No | The maximum number of user records to retrieve. Defaults + to the system limit if not specified. | + + + ### Flow Description + + + 1. **Parameter Extraction:** The action retrieves the API configuration (Root, + Token) and the optional filter parameters provided by the user. + + 2. **Validation:** It validates the `Limit` parameter to ensure it is a valid + non-negative integer. + + 3. **API Request:** It initializes the VectraQUX manager and performs a GET request + to the `/users` endpoint, applying the provided filters (Role, Username, etc.) + as query parameters. + + 4. **Pagination:** The action handles pagination automatically to retrieve results + up to the specified limit. + + 5. **Output Generation:** + * If users are found, it constructs a CSV-formatted data table containing + key user details: ID, Username, Role, Account Type, and Last Login. + * It attaches the full raw JSON response to the action results for further + processing. + * If no users match the criteria, it returns a message stating that no users + were found. + + ### Additional Notes + + + * There are no mandatory action parameters; if none are provided, the action will + return a list of all users up to the default or specified limit. capabilities: can_create_case_comments: false can_create_insight: false @@ -1032,22 +1342,77 @@ List Users: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Mark Detection Fixed: - ai_description: "Marks specific detections as 'fixed' within the Vectra QUX platform.\ - \ This action allows analysts to programmatically update the state of one or more\ - \ detections by providing their unique identifiers. \n\n### Parameters\n| Parameter\ - \ | Description | Type | Mandatory | Notes |\n|-----------|-------------|------|-----------|-------|\n\ - | Detection IDs | A comma-separated list of numeric detection IDs to be marked\ - \ as fixed. | String | Yes | Each ID is validated as a positive integer before\ - \ processing. |\n\n### Flow Description\n1. **Initialization**: Retrieves API\ - \ configuration (Root URL, Token, SSL verification) and the 'Detection IDs' action\ - \ parameter.\n2. **Validation**: Splits the input string by commas and validates\ - \ that each provided ID is a valid non-negative integer.\n3. **API Interaction**:\ - \ Uses the `VectraQUXManager` to send a `PATCH` request to the Vectra API endpoint\ - \ (`/api/v2.5/detections`). The request payload includes the list of IDs and sets\ - \ the `mark_as_fixed` attribute to `True`.\n4. **Result Processing**: Captures\ - \ the API response, attaches it as a JSON result to the action, and provides a\ - \ success or failure message based on the outcome." + ai_description: >- + ### General Description + + Marks specific detections as fixed in the Vectra platform. This action is used + to programmatically update the status of security detections, indicating that + the identified threats or activities have been addressed or resolved by an analyst. + It allows for bulk updates by providing a list of detection identifiers. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Detection IDs | string | Yes | A comma-separated list of numeric IDs representing + the detections in Vectra that should be marked as fixed. Each ID must be a valid + integer. | + + + ### Flow Description + + 1. **Parameter Extraction**: The action retrieves the `Detection IDs` string from + the input parameters. + + 2. **Validation**: The comma-separated string is split into individual IDs. Each + ID is stripped of whitespace and validated to ensure it is a valid integer. + + 3. **API Interaction**: The action uses the `VectraQUXManager` to send a `PATCH` + request to the Vectra detections endpoint (`/api/v2.5/detections`). + + 4. **State Mutation**: The request payload specifies the list of detection IDs + and sets the `mark_as_fixed` attribute to `True`. + + 5. **Result Handling**: The raw JSON response from the Vectra API is added to + the action results, and the action completes with a success message if the update + was accepted. + + + ### Additional Notes + + - This action does not run on SecOps entities; it relies entirely on the IDs provided + in the `Detection IDs` parameter. + + - If any provided ID is not a valid integer, the action will fail with an `InvalidIntegerException`. capabilities: can_create_case_comments: false can_create_insight: false @@ -1056,8 +1421,8 @@ Mark Detection Fixed: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Changes the state of detections in the Vectra QUX platform to 'fixed' via a - PATCH request. + Updates the status of specific detections in the external Vectra platform to + 'fixed' via a PATCH request to the detections API endpoint. fetches_data: false internal_data_mutation_explanation: null categories: @@ -1077,14 +1442,39 @@ Mark Detection Fixed: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Mark Entity Fixed: ai_description: >- ### General Description - Marks all detections associated with a specific entity (Host or Account) as 'fixed' - in the Vectra platform. This action is useful for bulk-remediating or closing - out all security events related to a specific asset or user account once an investigation - is complete. + The **Mark Entity Fixed** action transitions the state of all security detections + associated with a specific entity (Host or Account) to 'Fixed' within the Vectra + QUX platform. This action is used to programmatically resolve detections in Vectra + after an investigation is complete. ### Parameters Description @@ -1093,28 +1483,33 @@ Mark Entity Fixed: | :--- | :--- | :--- | :--- | - | Entity ID | string | Yes | The unique numeric identifier of the entity in Vectra. - | + | **Entity ID** | string | Yes | The unique numerical identifier of the entity + in Vectra QUX. | - | Entity Type | ddl | Yes | The type of entity to target. Must be either 'Account' - or 'Host'. | + | **Entity Type** | ddl | Yes | The type of entity, can be either 'Account' or + 'Host'. | ### Flow Description - 1. **Parameter Extraction**: Retrieves the API configuration (Root, Token, SSL) - and action parameters (Entity ID, Entity Type). + 1. **Input Validation**: Validates that the provided Entity ID is a valid integer. + + 2. **Entity Retrieval**: Fetches the entity's details from Vectra QUX to identify + all associated detection IDs. - 2. **Validation**: Validates that the provided Entity ID is a valid integer. + 3. **Status Update**: Sends a PATCH request to the Vectra QUX API to mark all + identified detections as 'fixed'. - 3. **Entity Retrieval**: Calls the Vectra API to describe the specified entity - and retrieve its current list of associated detection IDs. + 4. **Result Reporting**: Returns the API response confirming the update. - 4. **Detection Update**: If detections are found, the action sends a PATCH request - to Vectra's detections endpoint to mark all retrieved detection IDs as fixed. - 5. **Result Reporting**: Outputs a success message indicating the number of detections - updated and provides the raw API response as JSON. + ### Additional Notes + + - This action does not run on SOAR entities; it requires a manual Entity ID and + Type. + + - If no detections are found for the entity, the action completes with a success + message but no changes are made. capabilities: can_create_case_comments: false can_create_insight: false @@ -1123,8 +1518,8 @@ Mark Entity Fixed: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the state of detections in the Vectra platform by marking them as 'fixed' - via a PATCH request. + Marks all detections associated with the specified entity as 'fixed' in the + Vectra QUX platform via a PATCH request. fetches_data: true internal_data_mutation_explanation: null categories: @@ -1144,54 +1539,54 @@ Mark Entity Fixed: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: - ai_description: >- - ### General Description - - The **Ping** action is a utility designed to verify the connectivity between the - Google SecOps (Chronicle) environment and the Vectra platform. It ensures that - the provided credentials (API Root and API Token) are valid and that the network - path is open. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **API Root** | String | Yes | The base URL of the Vectra API instance. | - - | **API Token** | String | Yes | The API token used for authentication with the - Vectra platform. | - - | **Verify SSL** | Boolean | Yes | If enabled, the action will verify the SSL - certificate of the Vectra server. Default is `True`. | - - - ### Flow Description - - 1. **Initialization**: The action retrieves the configuration parameters (API - Root, API Token, and SSL verification setting). - - 2. **Manager Setup**: It initializes the `VectraQUXManager` with the provided - credentials. - - 3. **Connectivity Test**: The manager executes a `test_connectivity` call, which - performs a simple `GET` request to the Vectra `hosts` endpoint to validate the - connection. - - 4. **Result Handling**: - - If the request is successful, the action returns a success message and a - `True` result. - - If an exception occurs (e.g., authentication failure, timeout, or invalid - URL), the action catches the error, logs the details, and returns a failure message - with a `False` result. - - ### Additional Notes - - - This action does not interact with any entities or modify any data. It is strictly - for diagnostic purposes. + ai_description: "The Ping action is a diagnostic utility designed to verify the\ + \ connectivity between the Google SecOps (Chronicle) environment and the Vectra\ + \ platform. It ensures that the integration's configuration parameters, such as\ + \ the API Root and API Token, are correct and that the network path is open.\n\ + \n### Parameters Description\n\n| Parameter Name | Type | Mandatory | Description\ + \ |\n| :--- | :--- | :--- | :--- |\n| API Root | String | Yes | The base URL of\ + \ the Vectra API instance (e.g., https://vectra-brain.example.com). |\n| API Token\ + \ | String | Yes | The authentication token used to authorize requests to the\ + \ Vectra API. |\n| Verify SSL | Boolean | Yes | Determines whether the action\ + \ should verify the SSL certificate of the Vectra server. Default is True. |\n\ + \n### Flow Description\n\n1. **Initialization**: The action initializes the Siemplify\ + \ context and logs the start of the connectivity test.\n2. **Configuration Extraction**:\ + \ It retrieves the integration's global configuration parameters, including the\ + \ API Root, API Token, and SSL verification setting.\n3. **Manager Setup**: An\ + \ instance of the `VectraQUXManager` is created using the extracted credentials.\n\ + 4. **Connectivity Test**: The manager executes the `test_connectivity` method,\ + \ which performs a simple `GET` request to the Vectra `/api/v2.5/hosts` endpoint\ + \ to confirm the API is responsive and the token is valid.\n5. **Result Handling**:\ + \ \n * If the request succeeds, the action returns a success message and\ + \ a boolean `True` result.\n * If the request fails (e.g., due to network\ + \ issues, invalid credentials, or SSL errors), an exception is caught, an error\ + \ message is logged, and the action returns `False` with a failure status." capabilities: can_create_case_comments: false can_create_insight: false @@ -1200,7 +1595,7 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: false + fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false @@ -1219,49 +1614,73 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Remove Assignment: ai_description: >- - Removes an assignment from a specific entity (Host or Account) in Vectra AI. This - action is used to clear the triage or ownership status of an entity within the - Vectra platform by deleting the associated assignment record. + Removes the analyst assignment for a specific entity (Account or Host) within + the Vectra AI platform. This action is used to clear the ownership or investigation + status of an entity by deleting its current assignment record. It first verifies + the existence of an assignment for the provided Entity ID before attempting the + deletion. - ### Parameters + ### Parameters Description - | Parameter Name | Description | Type | Mandatory | Notes | - | :--- | :--- | :--- | :--- | :--- | + | Parameter | Type | Mandatory | Description | - | Entity ID | The unique identifier of the entity in Vectra for which the assignment - should be removed. | String | Yes | Must be a valid integer string. | + | :--- | :--- | :--- | :--- | + + | Entity ID | String | Yes | The unique numerical identifier of the entity in + Vectra AI whose assignment should be removed. | - | Entity Type | The category of the entity. | DDL | Yes | Options are 'Account' + | Entity Type | DDL | Yes | The category of the entity. Must be either 'Account' or 'Host'. | ### Flow Description - 1. **Validation**: The action validates that the provided 'Entity ID' is a valid - integer. - - 2. **Entity Retrieval**: It fetches the current details of the specified entity - from Vectra AI to check for an existing assignment. - 3. **Assignment Identification**: If an assignment is found, the action extracts - the unique 'Assignment ID'. + 1. **Parameter Extraction:** The action retrieves the 'Entity ID' and 'Entity + Type' from the input parameters. - 4. **Deletion**: It executes a DELETE request to the Vectra API to remove the - identified assignment. + 2. **Validation:** Validates that the 'Entity ID' is a valid integer. - 5. **Outcome**: If no assignment is found on the entity, the action reports a - failure state indicating the entity has no assignment to remove. + 3. **Entity Lookup:** Calls the Vectra API to describe the entity and check if + it currently has an active assignment. + 4. **Assignment Identification:** If an assignment is found, the action extracts + the specific 'Assignment ID'. - ### Additional Notes + 5. **Deletion:** Executes a DELETE request to the Vectra assignments endpoint + using the identified 'Assignment ID'. - This action requires the 'Entity ID' and 'Entity Type' to be explicitly provided - as parameters and does not automatically iterate over entities in the Google SecOps - case scope. + 6. **Outcome Reporting:** Returns a success message if the assignment is deleted, + or a failure message if the entity had no assignment or the ID was not found. capabilities: can_create_case_comments: false can_create_insight: false @@ -1270,8 +1689,8 @@ Remove Assignment: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Deletes an assignment record in the Vectra AI platform via a DELETE request - to the assignments API endpoint. + The action performs a DELETE request to the Vectra AI API to remove an assignment + record associated with a specific entity. fetches_data: true internal_data_mutation_explanation: null categories: @@ -1291,63 +1710,74 @@ Remove Assignment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Remove Group: ai_description: >- - ### General Description - - The **Remove Group** action allows users to remove specific members from a group - in Vectra AI using the group's unique ID. This action is designed to manage group - memberships dynamically, which is useful for containment or policy adjustments - during an investigation. + Removes specific members from a Vectra QUX group based on a provided Group ID. + This action interacts with the Vectra QUX API to modify group membership by removing + a comma-separated list of members (which can be IPs, hostnames, account UIDs, + or domains depending on the group's type). It provides a detailed HTML summary + of the group's state after the removal operation and returns the raw JSON response. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Group ID** | String | Yes | The unique identifier of the group in Vectra. - Although provided as a string, the action validates it as a positive integer. - | + | Group ID | String | Yes | The unique integer identifier of the Vectra group + from which members will be removed. | - | **Members** | String | Yes | A comma-separated list of members to be removed - from the group. The identifier type (e.g., IP, hostname, account UID, or domain) - must correspond to the group's defined type. | + | Members | String | Yes | A comma-separated list of member identifiers to be + removed from the group. | ### Flow Description - 1. **Initialization**: The action extracts the API configuration (Root, Token, - SSL) and the action parameters (Group ID and Members). + 1. **Validation**: The action validates that the provided `Group ID` is a valid + non-zero integer. - 2. **Validation**: The `Group ID` is validated to ensure it is a valid positive - integer. The `Members` string is processed into a list of individual identifiers. + 2. **Member Processing**: The `Members` string is parsed into a unique list of + identifiers. - 3. **Pre-Execution Fetch**: The action retrieves the current members of the group - to facilitate a comparison after the removal process. + 3. **Pre-check**: The action fetches the current membership list of the group + to verify existence and current state. - 4. **External Mutation**: A `PATCH` request is sent to the Vectra API endpoint - for the specific group ID, using the `membership_action="remove"` parameter to - delete the specified members. + 4. **API Interaction**: A PATCH request is sent to the Vectra QUX API with the + `membership_action` set to `remove` for the specified members. - 5. **Post-Execution Analysis**: The action compares the updated group membership - with the initial state to identify which members were successfully removed and - which were not found or could not be removed. + 5. **Result Analysis**: The action compares the requested removal list against + the updated group membership to determine which members were successfully removed + and which were not found or could not be removed. - 6. **Result Reporting**: The action outputs the updated group details as a JSON - object and renders an HTML table for the case wall. It provides a status message - indicating the count of removed members and any identifiers that were not found - in the group. - - - ### Additional Notes - - - The action will fail if none of the provided members exist in the specified - group. - - - The type of member identifiers provided must match the group's type (e.g., if - the group type is 'host', the members should be hostnames). + 6. **Output Generation**: An HTML table is rendered showing the updated group + properties and membership, and the full JSON response is attached to the action + results. capabilities: can_create_case_comments: false can_create_insight: false @@ -1356,8 +1786,8 @@ Remove Group: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Removes specified members from a group in Vectra AI by sending a PATCH request - to the group's API endpoint. + Removes specified members from a group configuration within the Vectra QUX platform + via a PATCH request. fetches_data: true internal_data_mutation_explanation: null categories: @@ -1377,14 +1807,40 @@ Remove Group: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: true + update_ticket: false Remove Note: ai_description: >- ### General Description The **Remove Note** action allows users to delete a specific note associated with - an entity in the Vectra platform. This action is designed to manage and clean - up documentation or comments within Vectra directly from the Google SecOps environment - by targeting specific note and entity identifiers. + an entity in the Vectra platform. This action supports three types of entities: + Accounts, Hosts, and Detections. It is primarily used for managing and cleaning + up documentation or analyst notes within the Vectra environment directly from + Google SecOps. ### Parameters Description @@ -1399,25 +1855,37 @@ Remove Note: | **Note ID** | String | Yes | The unique identifier of the specific note to be deleted. | - | **Entity Type** | DDL | Yes | The category of the entity. Supported values are - `Account`, `Host`, and `Detection`. | + | **Entity Type** | DDL | Yes | The type of entity the note is attached to. Supported + values are: `Account`, `Host`, and `Detection`. | ### Flow Description - 1. **Parameter Extraction:** The action retrieves the API configuration (API Root, - Token) and the specific identifiers for the entity and the note from the action - parameters. + 1. **Initialization**: The action initializes the Vectra manager using the provided + API Root and Token. - 2. **Validation:** The `Entity ID` and `Note ID` are validated to ensure they - are valid integer values before proceeding with the API request. + 2. **Parameter Extraction**: It extracts the `Entity ID`, `Note ID`, and `Entity + Type` from the action parameters. + + 3. **Validation**: The action validates that both the `Entity ID` and `Note ID` + are valid integer values before proceeding. + + 4. **API Execution**: It calls the Vectra API using a `DELETE` request to the + specific endpoint constructed from the entity type and IDs. + + 5. **Completion**: Upon a successful response from the API, the action returns + a success message confirming the deletion of the note. If the note or entity does + not exist, or if the user lacks permissions, it handles the exception and reports + the failure. + + + ### Additional Notes - 3. **API Interaction:** The action sends a `DELETE` request to the Vectra API - endpoint corresponding to the specified entity type and IDs (e.g., `/api/v2.5/hosts/{entity_id}/notes/{note_id}`). + - This action performs a permanent state change in the external Vectra system + by deleting data. - 4. **Result Handling:** If the request is successful, the action returns a success - message. If the note or entity is not found, or if the user lacks permissions, - the action raises a specific exception and reports failure. + - The action does not process entities from the Google SecOps case context; it + relies entirely on the provided input parameters. capabilities: can_create_case_comments: false can_create_insight: false @@ -1426,8 +1894,8 @@ Remove Note: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Deletes a specific note associated with an entity (Account, Host, or Detection) - in the Vectra platform via a DELETE request. + The action performs a DELETE request to the Vectra API to permanently remove + a note record associated with a specific entity. fetches_data: false internal_data_mutation_explanation: null categories: @@ -1447,25 +1915,79 @@ Remove Note: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Remove Tags: - ai_description: "Removes specific tags from a Vectra entity (Account, Host, or Detection)\ - \ based on a provided Entity ID. This action interacts with the Vectra API to\ - \ manage entity metadata, allowing for the cleanup of labels or status markers.\ - \ \n\n### Parameters\n| Parameter | Type | Mandatory | Description |\n| :--- |\ - \ :--- | :--- | :--- |\n| Tags | string | Yes | A comma-separated list of tags\ - \ to be removed from the entity. |\n| Entity ID | string | Yes | The unique identifier\ - \ of the entity in Vectra. |\n| Entity Type | ddl | Yes | The type of entity to\ - \ target. Options are 'Account', 'Host', or 'Detection'. |\n\n### Flow Description\n\ - 1. **Initialization**: Extracts API configuration and action parameters (Tags,\ - \ Entity ID, and Entity Type).\n2. **Tag Processing**: Parses the comma-separated\ - \ 'Tags' input into a unique list of strings.\n3. **Data Retrieval**: Fetches\ - \ the current list of tags associated with the specified Entity ID and Type from\ - \ the Vectra platform.\n4. **Logic Execution**: Compares the provided tags against\ - \ the existing tags. It identifies which tags can be removed and which do not\ - \ exist on the entity.\n5. **External Mutation**: If matching tags are found,\ - \ it sends a PATCH request to Vectra with the updated (reduced) tag list.\n6.\ - \ **Reporting**: Generates a summary message and a data table ('Tag Updated Status')\ - \ detailing which tags were successfully removed and which were not found." + ai_description: >- + Removes specific tags from a Vectra QUX entity, such as an Account, Host, or Detection, + based on a provided Entity ID. The action first retrieves the current tags associated + with the entity, identifies which of the user-specified tags are present, and + then submits an update to the Vectra QUX API to remove them. + + + ### Parameters Description + + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Tags | string | Yes | A comma-separated list of tags to be removed from the + entity. | + + | Entity ID | string | Yes | The unique identifier of the entity in Vectra QUX. + | + + | Entity Type | ddl | Yes | The type of entity to target. Options are 'Account', + 'Host', or 'Detection'. | + + + ### Flow Description + + + 1. **Parameter Extraction:** The action retrieves the API configuration and the + user-provided parameters: Tags, Entity ID, and Entity Type. + + 2. **Tag Processing:** The input string of tags is split into a list, and whitespace + is trimmed. + + 3. **Data Retrieval:** The action calls the Vectra QUX API to fetch the current + tags for the specified entity. + + 4. **Validation:** It checks if the entity exists. If not, an error is raised. + + 5. **Tag Comparison:** The action compares the user-provided tags with the existing + tags. It identifies which tags can be successfully removed and which do not exist + on the entity. + + 6. **Update Execution:** If at least one tag is found for removal, the action + sends a PATCH request to Vectra QUX with the updated (reduced) tag list. + + 7. **Result Reporting:** The action outputs a summary of the operation, including + a JSON result and a data table showing the updated status of the entity's tags. capabilities: can_create_case_comments: false can_create_insight: false @@ -1474,8 +1996,8 @@ Remove Tags: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Removes specified tags from an entity (Account, Host, or Detection) in the Vectra - platform by updating the entity's tag list via a PATCH request. + The action modifies the state of an entity in Vectra QUX by updating its tag + list via a PATCH request to the tagging API endpoint. fetches_data: true internal_data_mutation_explanation: null categories: @@ -1495,68 +2017,94 @@ Remove Tags: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: true + update_email: false + update_identity: true + update_ticket: false Resolve Assignment: ai_description: >- - ### General Description - - Resolves a specific assignment in Vectra AI based on a provided Assignment ID - and Outcome ID. This action allows security analysts to close out assignments - by marking them with specific outcomes (e.g., Benign, Malicious, or False Positive) - and optionally adding triage rules and notes. It interacts with the Vectra API - via a PUT request to the resolution endpoint. + Resolves a specific assignment in Vectra QUX using a provided assignment ID and + outcome ID. This action allows analysts to close out tasks by specifying whether + the activity was benign, malicious, or a false positive. It also supports adding + notes, applying triage rules, and associating specific detection IDs with the + resolution. The action performs a state change in the Vectra QUX platform and + returns the updated assignment details. ### Parameters Description + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Assignment ID | string | Yes | The unique identifier of the assignment to be + | Assignment ID | String | Yes | The unique identifier of the assignment to be resolved. Must be a valid integer. | - | Outcome ID | string | Yes | The ID representing the resolution outcome. Common + | Outcome ID | String | Yes | The ID representing the resolution outcome. Common values: 1 (Benign True Positive), 2 (Malicious True Positive), 3 (False Positive). Custom outcomes are also supported. | - | Note Title | string | No | An optional note or title to be associated with the - resolution of the assignment. | + | Note Title | String | No | An optional note or comment to be attached to the + assignment resolution. | - | Triage As | string | No | An optional triage rule to apply. If provided, at - least one Detection ID must also be specified. | + | Triage As | String | No | An optional triage rule to apply when resolving the + assignment. | - | Detection IDs | string | No | A comma-separated list of integer detection IDs - to be associated with the resolution. Required if 'Triage As' is used. | + | Detection IDs | String | No | A comma-separated list of integer detection IDs + to associate with this resolution. **Note:** This parameter is mandatory if 'Triage + As' is provided. | ### Additional Notes - - The action performs strict validation on the 'Assignment ID' and 'Outcome ID' - to ensure they are valid integers. + - The action validates that 'Assignment ID' and 'Outcome ID' are valid integers. - - If the 'Triage As' parameter is populated, the action requires at least one - 'Detection ID' to be provided; otherwise, it will fail with a validation error. + - If 'Triage As' is configured, at least one 'Detection ID' must be provided, + or the action will fail. - - The 'Triage As' value must be at least 4 characters long and cannot contain + - The 'Triage As' parameter must be at least 4 characters long and cannot contain special characters like `!@#$%^&*()`. ### Flow Description - 1. **Parameter Extraction**: Retrieves the Assignment ID, Outcome ID, and optional - parameters (Note, Triage, Detection IDs) from the action input. + 1. **Parameter Extraction:** The action retrieves the Assignment ID, Outcome ID, + and optional parameters (Note, Triage, Detections) from the input. - 2. **Validation**: Validates that IDs are integers and checks the logical dependency - between 'Triage As' and 'Detection IDs'. + 2. **Validation:** It validates that the IDs are integers and checks the conditional + requirement between 'Triage As' and 'Detection IDs'. - 3. **API Interaction**: Initializes the VectraQUXManager and sends a PUT request - to the `/assignments/{assignment_id}/resolve` endpoint with the resolution payload. + 3. **API Interaction:** It sends a PUT request to the Vectra QUX API endpoint + `/assignments/{assignment_id}/resolve` with the resolution payload. - 4. **Data Processing**: Parses the updated assignment object returned by the API. + 4. **Data Processing:** The response from Vectra is parsed into an Assignment + object. - 5. **Output Generation**: Adds the raw JSON response to the action results and - creates a data table named 'Resolved Assignment' containing the key details of - the resolution. + 5. **Output Generation:** The action provides a JSON result of the API response + and creates a data table named 'Resolved Assignment' containing the key details + of the resolved task. capabilities: can_create_case_comments: false can_create_insight: false @@ -1565,8 +2113,8 @@ Resolve Assignment: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the state of an assignment in the Vectra AI platform to 'Resolved' and - applies the specified outcome, notes, and triage rules. + Updates the status of an assignment in the Vectra QUX platform to 'Resolved' + and applies outcomes, notes, and triage rules. fetches_data: true internal_data_mutation_explanation: null categories: @@ -1586,89 +2134,121 @@ Resolve Assignment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: true Search Accounts: ai_description: >- - Searches for and retrieves account details from Vectra AI based on user-defined - query parameters. This action allows for granular filtering of accounts using - scores, states, timestamps, and tags, providing a comprehensive list of matching - accounts for investigation. + ### General Description + This action searches for and retrieves account information from Vectra QUX based + on a wide range of user-defined query parameters. It is primarily used for threat + hunting and investigation to identify accounts that meet specific criteria such + as high threat scores, specific privilege levels, or recent detection activity. + The action returns detailed JSON data for each account and provides a summary + data table within the Google SecOps case. - ### Parameters Description + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Order | String (DDL) | No | Determines the sort direction of the results: 'Ascending' + | Order | DDL | No | Determines the sort direction of the results. Options: 'Ascending' or 'Descending'. | | Limit | String | No | The maximum number of account records to retrieve. | - | Order By | String (DDL) | No | The field used to sort the results (e.g., threat - score, certainty score, last detection timestamp, or ID). | + | Order By | DDL | No | The field used to sort the results. Options: 't_score' + (Threat Score), 'c_score' (Certainty Score), 'last_detection_timestamp', or 'id'. + | - | Fields | Multi-select | No | A list of specific account attributes to include - in the output (e.g., name, state, threat, tags). | + | Fields | Multi-choice | No | A selection of specific account attributes to include + in the response (e.g., id, name, state, threat, certainty). | - | Name | String | No | Filters the search results to accounts matching a specific - name. | + | Name | String | No | Filters accounts by their name. | - | State | String (DDL) | No | Filters accounts by their current state: 'Active' + | State | DDL | No | Filters accounts based on their current state. Options: 'Active' or 'Inactive'. | | Threat GTE | String | No | Filters for accounts with a threat score greater - than or equal to the specified value. | + than or equal to this value. | | Certainty GTE | String | No | Filters for accounts with a certainty score greater - than or equal to the specified value. | + than or equal to this value. | | Last Detection Timestamp GTE | String | No | Filters for accounts with a last - detection timestamp greater than or equal to this value. | + detection timestamp greater than or equal to this ISO-formatted date. | | Last Detection Timestamp LTE | String | No | Filters for accounts with a last - detection timestamp less than or equal to this value. | + detection timestamp less than or equal to this ISO-formatted date. | - | Tags | String | No | A comma-separated list of tags to filter the accounts by. + | Tags | String | No | Filters accounts based on a comma-separated list of tags. | | Note Modified Timestamp GTE | String | No | Filters for accounts where notes - were modified after the specified timestamp. | + were modified after this timestamp. | - | Privilege Level | String | No | Filters accounts by a specific privilege level. - | + | Privilege Level | String | No | Filters accounts by a specific numeric privilege + level. | - | Privilege Category | String (DDL) | No | Filters accounts by privilege category: + | Privilege Category | DDL | No | Filters accounts by privilege category. Options: 'Low', 'Medium', or 'High'. | ### Additional Notes + - The action performs pagination automatically to fetch the number of records + specified in the 'Limit' parameter. - This action does not operate on specific entities within the SOAR case; instead, - it performs a global search within the Vectra AI platform based on the provided - criteria. + - If 'Descending' is selected in the 'Order' parameter, the action prepends a + '-' to the 'Order By' field in the API request. + - The action cleans up API versioning strings (e.g., /api/v2.5) from returned + URLs for better readability. - ### Flow Description + ### Flow Description - 1. **Parameter Extraction**: The action retrieves configuration settings (API - Root, Token) and user-provided search filters from the action parameters. + 1. **Initialization:** The action extracts the integration configuration (API + Root, Token) and all user-provided search parameters. - 2. **Validation**: Numeric parameters such as 'Limit', 'Threat GTE', and 'Certainty - GTE' are validated to ensure they are proper integers. + 2. **Validation:** It validates numeric inputs such as 'Limit', 'Threat GTE', + 'Certainty GTE', and 'Privilege Level' to ensure they are valid integers. - 3. **API Query**: The action constructs a request and queries the Vectra AI `/accounts` - endpoint, applying the specified filters and pagination logic. + 3. **API Query:** The action constructs a GET request to the Vectra QUX `/accounts` + endpoint, applying the filters, sorting, and field selections provided by the + user. - 4. **Data Sanitization**: The returned account data is processed to remove API - versioning strings from URLs and to extract a subset of mandatory fields for display. + 4. **Data Processing:** Upon receiving the results, the action iterates through + the accounts, cleaning up URL fields and extracting mandatory fields (ID, Name, + Threat, Certainty, State, Timestamp, Severity) for the summary table. - 5. **Result Delivery**: The action outputs the full account details as a JSON - object and creates a summary data table titled "List Of Accounts" in the SOAR - interface. + 5. **Output:** The action populates the JSON result with the full account data + and adds a 'List Of Accounts' data table to the case wall. capabilities: can_create_case_comments: false can_create_insight: false @@ -1696,18 +2276,63 @@ Search Accounts: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Search Detections: ai_description: >- - ### General Description + Searches for and retrieves detections from the Vectra QUX platform based on a + wide range of filtering criteria. This action allows analysts to query security + detections using parameters such as source IP, host ID, threat and certainty scores, + detection types, and categories. It supports pagination through a limit parameter + and allows for custom ordering and field selection. The retrieved detections are + presented in a structured data table and a full JSON result for further analysis. - This action searches for and retrieves a list of detections from the Vectra QUX - platform based on a wide variety of user-defined query parameters. It allows analysts - to filter detections by time, host, tags, asset status, scores (threat/certainty), - and state. The results are returned as a detailed JSON object and a summary data - table within the Google SecOps case. + ### Flow Description: - ### Parameters Description + 1. **Parameter Extraction:** The action begins by extracting configuration details + (API Root, Token) and all 15 optional search parameters from the environment and + action input. + + 2. **Validation:** It validates numeric inputs such as 'Limit', 'Threat GTE', + and 'Certainty GTE' to ensure they are valid integers. + + 3. **API Interaction:** The action initializes the VectraQUXManager and performs + a GET request to the detections endpoint, applying the specified filters as query + parameters. + + 4. **Data Processing:** If detections are found, the action iterates through the + results to normalize URLs (removing API version prefixes) and extracts a subset + of mandatory fields (ID, type, category, timestamps, state) for the summary table. + + 5. **Output Generation:** The processed data is added to the action's execution + results as a JSON object and a formatted data table titled 'List Of Detections'. + + + ### Parameters Description: | Parameter | Type | Mandatory | Description | @@ -1716,8 +2341,8 @@ Search Detections: | Last Timestamp GTE | String | No | Filters detections with a last seen timestamp greater than or equal to the provided value. | - | Host ID | String | No | Filters detections associated with a specific Host ID. - | + | Host ID | String | No | Filters detections associated with a specific Vectra + Host ID. | | Tags | String | No | Filters detections by a comma-separated list of tags. | @@ -1727,26 +2352,27 @@ Search Detections: | Note Modified Timestamp GTE | String | No | Filters detections where the associated note was modified after the given timestamp. | - | Order | DDL | No | Specifies the sort direction: 'Ascending' or 'Descending'. - | + | Order | DDL | No | Specifies the sort order: 'Ascending' or 'Descending'. | | Limit | String | No | The maximum number of detection records to retrieve. | - | Order By | DDL | No | The field used to sort the results (e.g., last_timestamp, + | Order By | DDL | No | The field used to sort results (e.g., last_timestamp, t_score, c_score). | - | Fields | Multi-select | No | A list of specific fields to include in the response - for each detection. | + | Fields | Multi-Choice | No | Specifies which data fields to include in the response + (e.g., src_ip, state, threat). | - | State | DDL | No | Filters detections by their current state (Active, Inactive, - Fixed). | + | State | DDL | No | Filters detections by their current state: 'Active', 'Inactive', + or 'Fixed'. | - | Detection Type | String | No | Filters by the specific type of detection. | + | Detection Type | String | No | Filters by the specific type of detection (e.g., + 'Hidden HTTP Tunnel'). | - | Detection Category | DDL | No | Filters by the detection category (e.g., Command - and Control, Exfiltration). | + | Detection Category | DDL | No | Filters by detection category (e.g., 'Command + and Control', 'Exfiltration'). | - | Src IP | String | No | Filters detections by the source IP address. | + | Src IP | String | No | Filters detections originating from a specific source + IP address. | | Threat GTE | String | No | Filters detections with a threat score greater than or equal to the provided value. | @@ -1755,37 +2381,15 @@ Search Detections: than or equal to the provided value. | - ### Additional Notes - - - The 'Limit' parameter is validated to ensure it is a positive integer. - - - If 'Order' is set to 'Descending', the 'Order By' field is prefixed with a minus - sign (-) before being sent to the Vectra API. - - - The 'Fields' parameter expects a JSON-formatted list of strings if provided - manually, though typically handled by the UI multi-choice selector. - - - ### Flow Description - - 1. **Parameter Extraction:** The action retrieves configuration settings (API - Root, Token) and all 15 optional search parameters. - - 2. **Validation:** It validates numeric inputs such as 'Limit', 'Threat GTE', - and 'Certainty GTE' to ensure they are valid integers. - - 3. **Query Construction:** It prepares the API request, including formatting the - sort order and joining selected fields into a comma-separated string. + ### Additional Notes: - 4. **API Interaction:** The action calls the Vectra QUX `search_detections` endpoint - via a GET request, utilizing pagination to retrieve the requested number of records. + - If no detections match the criteria, the action completes successfully with + an informative message. - 5. **Data Processing:** For each retrieved detection, the script cleans up internal - API versioning strings from URLs and extracts a set of mandatory fields (ID, type, - category, timestamps, state). + - The 'Fields' parameter is processed as a JSON-encoded list of strings. - 6. **Output Generation:** The processed data is added to the action results as - a raw JSON object and a formatted data table titled 'List Of Detections'. + - The 'Order' parameter works in conjunction with 'Order By'; selecting 'Descending' + prepends a minus sign to the sort field in the API request. capabilities: can_create_case_comments: false can_create_insight: false @@ -1813,109 +2417,130 @@ Search Detections: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Search Hosts: ai_description: >- - ### General Description - - The **Search Hosts** action allows users to query and retrieve a list of host - entities from the Vectra AI platform based on a wide array of filtering criteria. - It is primarily used for threat hunting and asset discovery, enabling analysts - to find hosts based on their threat scores, certainty levels, active traffic status, - or specific tags. The action returns detailed host metadata, including IP addresses, - severity levels, and detection summaries. + Searches for and lists hosts in Vectra QUX based on a wide range of query parameters. + This action allows analysts to filter hosts by name, state, threat and certainty + scores, tags, privilege levels, and activity timestamps. It retrieves detailed + host metadata, cleans up API versioning from URLs in the response, and presents + the results in both a raw JSON format and a structured data table within the SOAR + case. ### Parameters Description + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Limit | String | No | The maximum number of host records to retrieve. Defaults - to 0 (all available up to system limits). | + | Limit | string | No | The maximum number of host records to fetch. Must be greater + than 0. | - | Tags | String | No | Filter hosts that match specific tags. | + | Tags | string | No | Filter hosts based on specific tags. | - | Last Source | String | No | Filter hosts based on their last reported source. + | Last Source | string | No | Filter hosts based on their last reported source. | - | Order | DDL | No | Specifies whether the results should be in 'Ascending' or - 'Descending' order. | + | Order | ddl | No | Specifies the sort order: 'Ascending' or 'Descending'. | - | Fields | Multi-choice | No | A list of specific host attributes to include in - the response (e.g., id, name, ip, threat). | + | Fields | multi_choice_parameter | No | A list of specific fields to include + in the response (e.g., id, name, ip, threat). | - | Name | String | No | Filter hosts by their specific name. | + | Name | string | No | Filter hosts by their name. | - | State | DDL | No | Filter hosts by their current state: 'Active' or 'Inactive'. + | State | ddl | No | Filter hosts by their current state: 'Active' or 'Inactive'. | - | Threat GTE | String | No | Filter for hosts with a threat score greater than - or equal to this value. | + | Threat GTE | string | No | Filter hosts with a threat score greater than or + equal to the provided value. | - | Certainty GTE | String | No | Filter for hosts with a certainty score greater - than or equal to this value. | + | Certainty GTE | string | No | Filter hosts with a certainty score greater than + or equal to the provided value. | - | Last Detection Timestamp GTE | String | No | Filter for hosts with detections - occurring on or after this timestamp. | + | Last Detection Timestamp GTE | string | No | Filter hosts with a last detection + timestamp greater than or equal to the provided value. | - | Last Detection Timestamp LTE | String | No | Filter for hosts with detections - occurring on or before this timestamp. | + | Last Detection Timestamp LTE | string | No | Filter hosts with a last detection + timestamp less than or equal to the provided value. | - | Is Targeting Key Asset | DDL | No | Filter hosts based on whether they are targeting - key assets ('True' or 'False'). | + | Is Targeting Key Asset | ddl | No | Filter hosts based on whether they are + targeting key assets ('True' or 'False'). | - | Privilege Level GTE | String | No | Filter for hosts with a privilege level - greater than or equal to this value. | + | Privilege Level GTE | string | No | Filter hosts with a privilege level greater + than or equal to the provided value. | - | Privilege Category | DDL | No | Filter hosts by privilege category: 'Low', 'Medium', + | Privilege Category | ddl | No | Filter hosts by privilege category: 'Low', 'Medium', or 'High'. | - | Active Traffic | DDL | No | Filter hosts that have shown active traffic within + | Active Traffic | ddl | No | Filter hosts that have shown active traffic within the last two hours ('True' or 'False'). | - | Order By | DDL | No | The field used to sort the results (e.g., t_score, c_score, + | Order By | ddl | No | The field to sort the results by (e.g., t_score, c_score, last_detection_timestamp). | - | Note Modified Timestamp GTE | String | No | Filter hosts where notes were modified - on or after this timestamp. | + | Note Modified Timestamp GTE | string | No | Filter hosts based on when their + notes were last modified. | ### Additional Notes - - The action performs input validation on numeric fields like `Limit`, `Threat - GTE`, and `Certainty GTE` to ensure they are valid integers. - - If `Order` is set to 'Descending', the action automatically prefixes the `Order - By` parameter with a minus sign (e.g., `-t_score`) to comply with the Vectra API - requirements. + - The `Limit` parameter must be a positive integer string; if set to "0", the + action will fail. - - The action automatically strips API version strings (e.g., `/api/v2.5`) from - returned URLs to provide cleaner data for the SOAR interface. + - Parameters like `Threat GTE`, `Certainty GTE`, and `Privilege Level GTE` are + validated as integers. + - Categorical parameters such as `State`, `Privilege Category`, and `Active Traffic` + are processed in lowercase. + + - If `Order` is set to 'Descending', the `Order By` field is prefixed with a minus + sign for the API request. - ### Flow Description - 1. **Initialization**: The action initializes the Vectra AI manager using the - provided API Root and Token. + ### Flow Description - 2. **Parameter Extraction**: It retrieves all user-defined filters and sorting - preferences from the action parameters. - 3. **Validation**: It validates that the `Limit` and score-based parameters are - valid integers. + 1. **Parameter Initialization:** Extracts configuration settings (API Root, Token) + and all 17 action parameters. - 4. **API Request**: It constructs a GET request with the specified query parameters - and sends it to the Vectra `/hosts` endpoint. + 2. **Validation:** Validates that `Limit` is greater than 0 and ensures integer-based + parameters are correctly formatted. - 5. **Pagination**: If the number of results exceeds the page size, the action - handles pagination to retrieve the requested number of records up to the `Limit`. + 3. **API Query:** Constructs a GET request to the Vectra QUX hosts endpoint, applying + all provided filters and pagination logic. - 6. **Data Processing**: The action iterates through the retrieved hosts, cleans - up URL fields, and extracts mandatory fields for the summary table. + 4. **Data Processing:** Iterates through the retrieved hosts, removing API version + strings from internal URLs and extracting mandatory fields for display. - 7. **Output**: It populates a data table named 'List Of Hosts' and attaches the - full JSON response to the action results. + 5. **Output Generation:** Adds the full host details as a JSON result and creates + a formatted data table titled 'List Of Hosts' in the SOAR interface. capabilities: can_create_case_comments: false can_create_insight: false @@ -1943,44 +2568,74 @@ Search Hosts: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Unmark Detection Fixed: ai_description: >- - ### General Description + Unmarks specific detections as fixed in the Vectra QUX platform. This action is + used to revert the status of detections that were previously marked as resolved + or fixed, effectively reopening them for further investigation or workflow processing. + It accepts a list of detection IDs and performs a bulk update via a PATCH request + to the Vectra API. - Unmarks specific detections as fixed within the Vectra AI platform. This action - is used to revert the status of detections that were previously marked as resolved, - allowing them to be treated as active or requiring further investigation. It interacts - with the Vectra AI API via a PATCH request to update the state of the specified - detection IDs. + ### Flow Description: - ### Parameters Description + 1. **Parameter Extraction**: The action retrieves the 'Detection IDs' from the + input parameters. - | Parameter | Type | Mandatory | Description | + 2. **Validation**: It splits the comma-separated string of IDs and validates that + each ID is a valid integer. - | :--- | :--- | :--- | :--- | + 3. **API Interaction**: It calls the Vectra QUX Manager to send a PATCH request + to the detections endpoint, setting the 'mark_as_fixed' attribute to 'False' for + the provided IDs. - | Detection IDs | String | Yes | A comma-separated list of numeric identifiers - for the detections that should be unmarked as fixed. Each ID is validated as an - integer before processing. | + 4. **Result Handling**: The raw JSON response from the Vectra API is attached + to the action results, and the action completes with a success or failure status + based on the API's response. - ### Flow Description + ### Parameters Description: + + | Parameter Name | Expected Type | Mandatory | Description | - 1. **Initialization**: The action initializes the VectraQUX manager using the - provided API Root, API Token, and SSL verification settings. + | :--- | :--- | :--- | :--- | + + | Detection IDs | String | Yes | A comma-separated list of numeric IDs representing + the detections to be unmarked as fixed. | - 2. **Parameter Parsing**: It extracts the 'Detection IDs' string, splits it by - commas, and validates that each entry is a valid integer. - 3. **API Interaction**: The action calls the `unmark_detection_as_fixed` method - in the manager, which sends a PATCH request to the Vectra AI detections endpoint. + ### Additional Notes: - 4. **State Mutation**: The request payload includes the list of detection IDs - and explicitly sets the `mark_as_fixed` attribute to `False`. + - This action does not run on entities; it operates solely based on the provided + Detection IDs. - 5. **Result Handling**: The response from the Vectra AI API is captured and added - to the action's result JSON for auditing and further playbook logic. + - If any ID in the list is invalid or not found, the action may fail depending + on the API's error handling logic. capabilities: can_create_case_comments: false can_create_insight: false @@ -1989,8 +2644,8 @@ Unmark Detection Fixed: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the status of detections in the Vectra AI platform by setting the 'mark_as_fixed' - attribute to False for the specified detection IDs via a PATCH request. + Updates the status of detections in the Vectra QUX platform by setting the 'mark_as_fixed' + flag to 'False'. fetches_data: false internal_data_mutation_explanation: null categories: @@ -2010,13 +2665,39 @@ Unmark Detection Fixed: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Update Assignment: ai_description: >- ### General Description - The **Update Assignment** action allows users to change the assigned analyst for - a specific entity (Host or Account) within the Vectra QUX platform. This action - is primarily used for reassigning ownership of security entities during an investigation. + The **Update Assignment** action is used to modify the assigned user for an existing + assignment associated with a specific entity (either a Host or an Account) within + the Vectra AI platform. This action is essential for reassigning investigations + or ownership of security entities to different analysts or teams. ### Parameters Description @@ -2025,39 +2706,46 @@ Update Assignment: | :--- | :--- | :--- | :--- | - | **Entity ID** | String | Yes | The unique numeric identifier of the entity in - Vectra QUX. | + | Entity ID | String | Yes | The unique identifier of the entity (Host or Account) + in Vectra AI whose assignment needs to be updated. | + + | Entity Type | DDL | Yes | The category of the entity. Supported values are 'Account' + and 'Host'. | - | **Entity Type** | DDL | Yes | The type of entity to update. Options are `Account` - or `Host`. | + | User ID | String | Yes | The unique identifier of the user to whom the entity + assignment will be updated. | - | **User ID** | String | Yes | The unique numeric identifier of the user to whom - the entity should be reassigned. | + ### Flow Description - ### Additional Notes + 1. **Parameter Extraction**: The action retrieves the API configuration (API Root, + Token, SSL verification) and the specific Entity ID, Entity Type, and User ID + from the input parameters. - - This action requires the entity to already have an existing assignment; it will - fail if no assignment is currently associated with the provided Entity ID. + 2. **Validation**: It validates that the provided Entity ID and User ID are valid + integer strings. - - Both the Entity ID and User ID must be valid numeric values. + 3. **Entity Retrieval**: It fetches the current details of the specified entity + from Vectra AI to check for an existing assignment. + 4. **Assignment Verification**: The action checks if the entity currently has + an assignment. If no assignment is found, the action fails, as it is designed + only to update existing assignments. - ### Flow Description + 5. **Update Execution**: If an assignment exists, the action performs a PUT request + to the Vectra AI API to update the assignment with the new User ID. - 1. **Initialization**: Retrieves API credentials and action parameters (Entity - ID, Entity Type, and User ID). + 6. **Output Generation**: Upon success, the action returns the raw JSON response + and creates a data table titled 'Updated Assignment' containing the updated assignment + details. - 2. **Validation**: Validates that the provided Entity ID and User ID are integers. - 3. **Pre-check**: Fetches the current details of the entity from Vectra QUX to - verify its existence and check for an existing assignment. + ### Additional Notes - 4. **Execution**: If an assignment exists, it sends a `PUT` request to the Vectra - QUX API to update the assignment with the new User ID. + - This action requires an existing assignment to be present on the entity. To + create a new assignment for an unassigned entity, use the 'Assign Entity' action. - 5. **Output**: Returns the updated assignment details as a JSON object and populates - a data table named 'Updated Assignment' with the reassignment information. + - Both Entity ID and User ID must be numeric strings. capabilities: can_create_case_comments: false can_create_insight: false @@ -2066,8 +2754,8 @@ Update Assignment: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the 'assign_to_user_id' field for an existing assignment record in the - Vectra QUX platform via a PUT request. + Updates the assigned user for an existing assignment in Vectra AI using a PUT + request to the assignments endpoint. fetches_data: true internal_data_mutation_explanation: null categories: @@ -2087,3 +2775,28 @@ Update Assignment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/community/vectra_qux/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/vectra_qux/resources/ai/connectors_ai_description.yaml new file mode 100644 index 000000000..7f313f203 --- /dev/null +++ b/content/response_integrations/third_party/community/vectra_qux/resources/ai/connectors_ai_description.yaml @@ -0,0 +1,49 @@ +Vectra QUX - Entities Connector: + ai_description: "### General Description\nThe Vectra QUX - Entities Connector integrates\ + \ with the Vectra QUX platform to retrieve security entities (Hosts or Accounts)\ + \ and their associated detections. It transforms each Vectra entity into a Google\ + \ SecOps alert, while the specific detections linked to that entity are ingested\ + \ as individual events within the alert. This approach provides a consolidated\ + \ view of the threat landscape for specific network assets or user accounts.\n\ + \n### Parameters Description\n| Parameter | Type | Mandatory | Description |\n\ + | :--- | :--- | :--- | :--- |\n| API Root | String | Yes | The base URL of the\ + \ Vectra QUX API (e.g., https://
:). |\n| API Token | Password |\ + \ Yes | The unique identifier used to authenticate and authorize access to the\ + \ Vectra API. |\n| Entity Type | String | Yes | The type of entity to retrieve.\ + \ Supported values: 'Host' or 'Account'. Default is 'Host'. |\n| DeviceProductField\ + \ | String | Yes | The field name used to determine the device product in the\ + \ alert metadata. Default: 'Vectra QUX'. |\n| EventClassId | String | Yes | The\ + \ field name used to determine the event name/sub-type. Default: 'detection_type'.\ + \ |\n| PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for\ + \ the python process running the script. |\n| Threat Score GTE | Integer | No\ + \ | Filters for entities with a threat score greater than or equal to this value.\ + \ |\n| Certainty Score GTE | Integer | No | Filters for entities with a certainty\ + \ score greater than or equal to this value. |\n| Detection Category | String\ + \ | No | Filters results by category (e.g., Command & Control, Botnet Activity,\ + \ Reconnaissance, Lateral Movement, Exfiltration, Info). |\n| Detection Type |\ + \ String | No | Filters results by a specific Vectra detection type. |\n| Limit\ + \ | Integer | No | Maximum number of entities to fetch in a single execution cycle.\ + \ |\n| Max Hours Backwards | Integer | No | The number of hours to look back for\ + \ entities during the first connector iteration. |\n| Query | String | No | A\ + \ custom query string used to specify advanced conditions for filtering results.\ + \ |\n| Specific Tag | String | No | Filters results by a specific tag assigned\ + \ in Vectra. |\n| Partial Tag | String | No | Filters results by a partial tag\ + \ match. |\n| Verify SSL | Boolean | No | If enabled, the connector will verify\ + \ the SSL certificate of the Vectra API endpoint. |\n\n### Flow Description\n\ + 1. **Authentication & Initialization**: The connector establishes a session with\ + \ the Vectra QUX API using the provided API Token and Root URL.\n2. **Timeframe\ + \ Determination**: It calculates the retrieval window based on the last successful\ + \ execution timestamp or the `Max Hours Backwards` parameter for initial runs.\n\ + 3. **Entity Discovery**: The connector queries the Vectra `/api/v2.5/search/{entity_type}s`\ + \ endpoint, applying filters for threat/certainty scores, categories, tags, and\ + \ custom queries. It specifically targets entities in an 'active' state.\n4. **Detection\ + \ Retrieval**: For every entity found, the connector performs a secondary lookup\ + \ to fetch all associated 'active' detections for that specific Host or Account\ + \ ID.\n5. **Alert Mapping**: \n * The **Entity** metadata (ID, name, severity,\ + \ threat score) is mapped to the primary Alert object.\n * The **Detections**\ + \ are mapped as individual Events within that alert.\n * The `source_grouping_identifier`\ + \ is constructed as `{entity_type}#{entity_id}` to ensure that updates to the\ + \ same entity are grouped into the same case in Google SecOps.\n6. **Ingestion\ + \ & State Management**: The connector ingests the alerts into the SOAR platform\ + \ and saves the latest entity IDs and timestamps to ensure only new or updated\ + \ data is processed in the next cycle." diff --git a/content/response_integrations/third_party/community/vectra_qux/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/vectra_qux/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..14535ab0f --- /dev/null +++ b/content/response_integrations/third_party/community/vectra_qux/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: true + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: true + itsm: true + network_security: false + siem: true + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/vectra_qux/resources/ai/jobs_ai_description.yaml b/content/response_integrations/third_party/community/vectra_qux/resources/ai/jobs_ai_description.yaml new file mode 100644 index 000000000..d66cf25b1 --- /dev/null +++ b/content/response_integrations/third_party/community/vectra_qux/resources/ai/jobs_ai_description.yaml @@ -0,0 +1,36 @@ +Vectra QUX - Clear Empty Cases Job: + ai_description: "### General Description\nThis job performs automated maintenance\ + \ on Google SecOps cases generated by the Vectra QUX integration. Its primary\ + \ purpose is to reduce analyst fatigue by identifying and closing redundant or\ + \ \"empty\" cases and alerts. It analyzes open cases within specified environments\ + \ and products, comparing the underlying detection IDs (event IDs) across alerts.\ + \ If an alert's detections are entirely covered by other active alerts or cases,\ + \ the job programmatically closes the redundant alert or the entire case, ensuring\ + \ that investigators focus only on unique security incidents.\n\n### Parameters\ + \ Description\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- |\ + \ :--- | :--- |\n| Max Hours Backwards | String | No | The maximum number of hours\ + \ to look back for open cases. Setting this to '0' will cause the job to process\ + \ all open cases regardless of their creation time. Default is 24. |\n| Environments\ + \ | String | Yes | A comma-separated list of environments to include in the cleanup\ + \ process. Default is 'Default Environment'. |\n| Products | String | Yes | A\ + \ comma-separated list of product names (DeviceProduct field) used to filter the\ + \ alerts within the cases. Default is 'Vectra QUX'. |\n\n### Flow Description\n\ + 1. **Initialization**: Retrieves the job configuration, including the lookback\ + \ window, target environments, and product names.\n2. **Time Range Calculation**:\ + \ Determines the starting timestamp for the search by comparing the `Max Hours\ + \ Backwards` parameter against the last successful execution time stored in the\ + \ job's context.\n3. **Case Retrieval**: Queries the SOAR platform to fetch IDs\ + \ of all cases currently in \"OPEN\" status that fall within the calculated time\ + \ range.\n4. **Data Extraction**: For each retrieved case, the job fetches the\ + \ full case details and filters alerts based on the provided `Environments` and\ + \ `Products` parameters.\n5. **Detection Mapping**: Extracts unique detection\ + \ IDs (event IDs) from the security events associated with each valid alert and\ + \ maps them to their respective cases.\n6. **Redundancy Analysis**: Compares alerts\ + \ across all processed cases. An alert is flagged as redundant if all of its associated\ + \ detection IDs are already present in other active alerts or cases.\n7. **Automated\ + \ Closure**: \n * Closes individual alerts identified as duplicates with the\ + \ reason: \"Similar alert already under investigation\".\n * Closes entire\ + \ cases if all alerts within them are found to be redundant with the reason: \"\ + Similar case already under investigation\".\n8. **State Persistence**: Saves the\ + \ current timestamp as the last successful run time to the internal database for\ + \ use in the next execution cycle." diff --git a/content/response_integrations/third_party/community/vectra_rux/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/vectra_rux/resources/ai/actions_ai_description.yaml index 68f56ab9e..7edf26f5b 100644 --- a/content/response_integrations/third_party/community/vectra_rux/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/vectra_rux/resources/ai/actions_ai_description.yaml @@ -1,43 +1,60 @@ Add Note: ai_description: >- - Adds a note to a specific entity within the Vectra RUX platform. This action allows - users to attach textual context or observations to specific Accounts, Hosts, or - Detections by providing the entity's unique identifier and type. The action performs - a POST request to the Vectra API and returns the details of the created note, - including its ID and creation timestamp. + ### General Description + The **Add Note** action allows analysts to attach a text-based note to a specific + entity within the Vectra AI platform. This action supports adding notes to three + types of entities: **Accounts**, **Hosts**, and **Detections**. It is primarily + used to document investigation findings, provide context for other analysts, or + maintain an audit trail directly within the Vectra console from Google SecOps. - ### Parameters - | Parameter | Type | Mandatory | Description | + ### Parameters Description + + | Parameter | Description | Type | Mandatory | | :--- | :--- | :--- | :--- | - | Note | string | Yes | The textual content of the note to be added to the entity. - | + | Note | The textual content of the note to be added to the specified entity. + | String | Yes | - | Entity ID | string | Yes | The unique numeric identifier of the entity in Vectra - RUX. | + | Entity ID | The unique numerical identifier of the entity in Vectra AI where + the note will be attached. | String | Yes | + + | Entity Type | The category of the target entity. Supported values are 'Account', + 'Host', and 'Detection'. | DDL | Yes | + + + ### Additional Notes + + * The **Entity ID** must be a valid integer. The action will perform a validation + check and fail if a non-integer value is provided. - | Entity Type | ddl | Yes | The type of entity to which the note will be attached. - Supported values: Account, Host, Detection. | + * The **Entity Type** parameter is case-insensitive in the logic but should + be selected from the provided dropdown list (Account, Host, Detection). ### Flow Description - 1. **Parameter Extraction:** Retrieves the API configuration (Root, Client ID, - Secret) and action parameters (Note, Entity ID, Entity Type). + 1. **Initialization**: The action extracts the integration configuration (API + Root, Client ID, Client Secret) and the action parameters (Note, Entity ID, Entity + Type). - 2. **Validation:** Validates that the provided `Entity ID` is a valid integer. + 2. **Validation**: The provided `Entity ID` is validated to ensure it is a proper + integer. + + 3. **Authentication**: The action authenticates with the Vectra AI API using + the provided credentials to obtain a bearer token. - 3. **API Interaction:** Authenticates with Vectra RUX and sends a POST request - to the `/entities/{entity_id}/notes` endpoint with the note content and entity - type. + 4. **API Execution**: A POST request is sent to the Vectra API endpoint `/entities/{entity_id}/notes`, + passing the `Entity Type` as a query parameter and the `Note` content in the request + body. - 4. **Result Processing:** Parses the API response into a `Note` object. + 5. **Result Processing**: Upon a successful response, the action parses the metadata + of the newly created note (ID, creation date, creator). - 5. **Output Generation:** Adds the note details to a data table and provides the - raw JSON response for downstream use in the playbook. + 6. **Output**: The action populates a data table with the note's details and + provides the raw JSON response for downstream use in the playbook. capabilities: can_create_case_comments: false can_create_insight: false @@ -47,7 +64,7 @@ Add Note: can_update_entities: false external_data_mutation_explanation: >- Creates a new note record associated with a specific entity (Account, Host, - or Detection) in the Vectra RUX platform. + or Detection) in the Vectra AI platform. fetches_data: false internal_data_mutation_explanation: null categories: @@ -67,55 +84,86 @@ Add Note: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Add Tags: ai_description: >- ### General Description - Adds one or more tags to specific entities within the Vectra platform. This action - supports tagging Accounts, Hosts, and Detections by their unique Vectra identifiers. - It ensures that existing tags are preserved by fetching the current tag list before - appending the new ones. + The **Add Tags** action allows users to append one or more tags to specific entities + in the Vectra AI platform. It supports tagging for Accounts, Hosts, and Detections. + By providing a list of IDs and the desired tags, the action ensures that the new + tags are integrated with existing ones, maintaining the entity's historical context + while adding new metadata. ### Parameters Description - | Parameter | Type | Mandatory | Description | + | Parameter | Expected Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Tags | String | Yes | A comma-separated list of tags to be added to the target - entities. | + | Tags | String | Yes | A comma-separated list of tags to add to the entities. + | - | Entity IDs | String | Yes | A comma-separated list of the unique identifiers - (IDs) for the entities in Vectra. | + | Entity IDs | String | Yes | A comma-separated list of the internal Vectra IDs + for the target entities. | - | Entity Type | DDL | Yes | The type of Vectra entity being tagged. Options are: - `Account`, `Host`, or `Detection`. | + | Entity Type | DDL | Yes | The type of entity to tag. Options are: Account, Host, + or Detection. | ### Flow Description - 1. **Initialization**: The action parses the comma-separated strings for `Tags` - and `Entity IDs` into unique lists and converts the `Entity Type` to lowercase. + 1. **Initialization**: The action starts by extracting the necessary configuration + and action parameters. + + 2. **Data Preparation**: It splits the `Tags` and `Entity IDs` strings into lists + and validates that the IDs are integers. - 2. **Data Retrieval**: For each provided Entity ID, the action calls the Vectra - API to retrieve the current list of tags associated with that entity. + 3. **Processing Loop**: It iterates through each provided Entity ID. - 3. **Tag Merging**: The new tags are merged with the existing tags to create a - deduplicated set. + 4. **Context Retrieval**: For each ID, it performs a GET request to Vectra to + retrieve the current tags. - 4. **External Mutation**: The action sends a PATCH request to Vectra to update - the entity's tags with the new combined list. + 5. **Logic Execution**: It merges the existing tags with the new ones to create + a unique, updated list. - 5. **Result Reporting**: Successes and failures are tracked per ID. A data table - named "Tag Update Status" is created in the SOAR case to summarize the outcome - for each entity. + 6. **State Change**: It performs a PATCH request to Vectra to update the entity + with the new tag list. + + 7. **Output Generation**: It records the outcome for each ID and produces a summary + data table and a detailed JSON result. ### Additional Notes - This action does not process entities currently present in the SOAR case scope; - it operates strictly on the IDs provided in the input parameters. + The action is designed to be additive, meaning it will not remove existing tags + from the entities. It also handles partial failures, allowing the action to complete + even if some entity IDs are invalid or not found. capabilities: can_create_case_comments: false can_create_insight: false @@ -124,8 +172,8 @@ Add Tags: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - The action performs a PATCH request to the Vectra API to update the tags associated - with specific entities (Accounts, Hosts, or Detections). + Updates the 'tags' attribute of entities (Accounts, Hosts, or Detections) in + Vectra AI via a PATCH request. fetches_data: true internal_data_mutation_explanation: null categories: @@ -145,55 +193,58 @@ Add Tags: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: true + update_email: false + update_identity: true + update_ticket: false Assign Entity: ai_description: >- - ### General Description - - Assigns a Vectra entity (Host or Account) to a specific user within the Vectra - RUX platform. This action is primarily used for workflow orchestration and incident - management, allowing analysts to programmatically manage resource ownership and - responsibility within the Vectra console. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Entity ID | String | Yes | The unique identifier of the entity to be assigned. - This must be a valid integer representing a Host or Account ID in Vectra. | - - | Entity Type | DDL | Yes | The category of the entity. Must be either 'Account' - or 'Host'. | - - | User ID | String | Yes | The unique identifier of the user to whom the entity - will be assigned. This must be a valid integer. | - - - ### Additional Notes - - This action does not automatically process entities from the SOAR case context. - It requires the explicit input of IDs via the action parameters. Both the Entity - ID and User ID are validated as integers before the API request is made. - - - ### Flow Description - - 1. **Initialization:** The action initializes the Vectra RUX manager using provided - API credentials (API Root, Client ID, and Client Secret). - - 2. **Parameter Validation:** It extracts the User ID, Entity ID, and Entity Type - from the action parameters and validates that the IDs are numeric. - - 3. **API Request:** It executes a POST request to the Vectra RUX assignments endpoint - (`api/v3.4/assignments`) with the assignment details. - - 4. **Data Processing:** Upon a successful response, the action parses the new - assignment data into a structured object. - - 5. **Output Generation:** It populates a data table named 'Assign Entity' with - the assignment details and attaches the full raw JSON response to the action results. + ### General Description\nThe **Assign Entity** action allows security analysts + to assign a specific entity, such as a **Host** or an **Account**, to a designated + user within the Vectra RUX platform. This action is primarily used for workflow + management and incident response orchestration, ensuring that specific assets + are tracked and managed by the appropriate personnel directly from the Google + SecOps environment.\n\n### Parameters Description\n| Parameter | Type | Mandatory + | Description |\n| :--- | :--- | :--- | :--- |\n| **Entity ID** | String | Yes + | The unique numerical identifier of the entity (Host or Account) in Vectra RUX + to be assigned. |\n| **Entity Type** | DDL | Yes | The category of the entity + being assigned. Supported values are `Account` and `Host`. |\n| **User ID** | + String | Yes | The unique numerical identifier of the Vectra RUX user to whom + the entity will be assigned. |\n\n### Flow Description\n1. **Input Extraction**: + The action retrieves the `Entity ID`, `Entity Type`, and `User ID` from the provided + parameters.\n2. **Validation**: It validates that the `Entity ID` and `User ID` + are valid non-negative integers, which is a requirement for the Vectra RUX API.\n3. + **API Interaction**: The action initializes the Vectra RUX manager and sends a + `POST` request to the `/assignments` endpoint. It dynamically maps the `Entity + ID` to either `assign_host_id` or `assign_account_id` based on the selected `Entity + Type`.\n4. **Result Processing**: Upon a successful assignment, the action parses + the response into an Assignment object.\n5. **Output Generation**: The action + adds a data table to the case wall containing the new Assignment ID, the User + ID, and the Entity ID, and provides the raw JSON response for downstream playbook + logic.\n\n### Additional Notes\n* This action does not automatically iterate over + entities in the SOAR context; it requires the specific IDs to be manually provided + or mapped from previous playbook steps. capabilities: can_create_case_comments: false can_create_insight: false @@ -203,7 +254,7 @@ Assign Entity: can_update_entities: false external_data_mutation_explanation: >- Creates a new assignment record in the Vectra RUX platform, linking a specific - user to a host or account entity. + host or account to a user via a POST request to the /assignments endpoint. fetches_data: true internal_data_mutation_explanation: null categories: @@ -223,35 +274,51 @@ Assign Entity: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Assign Group: - ai_description: "### General Description\nThe **Assign Group** action allows users\ - \ to add multiple members to a specific group within the Vectra RUX platform.\ - \ This action is designed to manage group memberships dynamically, supporting\ - \ various group types such as hosts, accounts, IPs, or domains. It appends the\ - \ provided members to the existing group list without overwriting current members.\n\ - \n### Parameters\n| Parameter | Type | Mandatory | Description |\n| :--- | :---\ - \ | :--- | :--- |\n| **Group ID** | String | Yes | The unique numerical identifier\ - \ of the target group in Vectra RUX. |\n| **Members** | String | Yes | A comma-separated\ - \ list of member identifiers to be added to the group. The identifier type (e.g.,\ - \ IP address, Hostname, Account UID) must correspond to the group's specific type.\ - \ |\n\n### Flow Description\n1. **Parameter Extraction and Validation**: The action\ - \ retrieves the `Group ID` and `Members` list. It validates that the `Group ID`\ - \ is a positive integer and parses the `Members` string into a unique list of\ - \ identifiers.\n2. **Authentication**: The action establishes a session with the\ - \ Vectra RUX API using provided client credentials.\n3. **External Mutation**:\ - \ It executes a `PATCH` request to the Vectra RUX `/groups/{group_id}` endpoint\ - \ with the `membership_action` set to `append`, effectively adding the new members\ - \ to the group.\n4. **Response Processing**: The action receives the updated group\ - \ object from Vectra. It compares the requested members against the actual members\ - \ in the updated group to identify any identifiers that failed to be assigned\ - \ (e.g., if the member does not exist in the Vectra system).\n5. **Reporting**:\ - \ \n - If successful, it generates an HTML summary table showing the group's\ - \ updated properties (ID, Name, Type, Importance) and the current member list.\n\ - \ - It provides a raw JSON result of the updated group object.\n - It returns\ - \ a status message indicating how many members were successfully assigned and\ - \ listing any that were not.\n\n### Additional Notes\n- This action performs an\ - \ **append** operation; it does not remove existing members.\n- The action will\ - \ fail if none of the provided members can be successfully assigned to the group." + ai_description: >- + ### General Description Add members to a specific group in Vectra RUX. This action + allows analysts to manage group memberships by appending a list of identifiers + (such as IPs, hostnames, or account UIDs) to an existing group ID. ### Parameters + Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- + | :--- | | Group ID | String | Yes | The unique ID of the Vectra group to which + members will be added. | | Members | String | Yes | A comma-separated list of + member identifiers (e.g., hostnames, IPs, or account UIDs) to be assigned to the + group. | ### Flow Description 1. Extracts the Group ID and the list of members + from the action parameters. 2. Validates that the Group ID is a valid integer. + 3. Processes the members string into a list of unique, stripped identifiers. 4. + Executes a PATCH request to the Vectra RUX API to append the provided members + to the specified group. 5. Compares the requested members against the updated + group state returned by the API to identify any members that were not successfully + assigned. 6. Generates an HTML table and a JSON object containing the updated + group details and membership status. ### Additional Notes This action uses the + 'append' membership action, meaning existing members are preserved. The type of + identifier required in the 'Members' parameter depends on the group's type (e.g., + IP for IP groups, UID for account groups). capabilities: can_create_case_comments: false can_create_insight: false @@ -260,8 +327,8 @@ Assign Group: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates group membership in the Vectra RUX platform by appending new members - to a specified group via a PATCH API request. + Updates the membership list of a specified group in Vectra RUX by appending + new members via a PATCH request. fetches_data: true internal_data_mutation_explanation: null categories: @@ -281,14 +348,39 @@ Assign Group: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: true + update_ticket: false Describe Assignment: ai_description: >- ### General Description - Retrieves comprehensive details for a specific assignment in Vectra RUX using - its unique identifier. This action is used to gain visibility into the status, - ownership, and resolution outcomes of assignments related to hosts or accounts - within the Vectra platform. + The **Describe Assignment** action retrieves detailed information for a specific + assignment within the Vectra RUX platform using its unique Assignment ID. This + action is designed to provide analysts with programmatic access to the metadata, + participants, and status of investigative assignments. ### Parameters Description @@ -297,29 +389,33 @@ Describe Assignment: | :--- | :--- | :--- | :--- | - | Assignment ID | String | Yes | The unique identifier of the assignment to retrieve - details for. This value must be a valid integer. | + | **Assignment ID** | String | Yes | The unique identifier of the assignment to + retrieve. The value must be a valid integer. | ### Flow Description - 1. **Parameter Initialization**: The action retrieves configuration parameters - (API Root, Client ID, Client Secret) and the mandatory `Assignment ID` from the - input. + 1. **Input Validation**: The action validates that the provided `Assignment ID` + is a valid integer. + + 2. **Authentication**: Establishes a session with the Vectra RUX API using the + configured Client ID and Secret. - 2. **Validation**: The `Assignment ID` is validated to ensure it is a proper integer - value. + 3. **Data Retrieval**: Executes a GET request to the assignments endpoint for + the specified ID. - 3. **API Interaction**: The action initializes the `VectraRUXManager` and performs - a GET request to the Vectra API endpoint for assignments using the provided ID. + 4. **Result Processing**: + - The raw JSON response from the API is added to the action results. + - A data table is generated containing key assignment details such as Assigned + User, Resolved By, and Outcome. + 5. **Completion**: Returns a success message if the assignment is found, or a + failure message if the ID is invalid or not found. - 4. **Data Processing**: The retrieved assignment data is parsed into a structured - object containing details such as the assigned user, resolver, outcome, and associated - entity (Host or Account). - 5. **Output Generation**: The action outputs the raw JSON response and constructs - a formatted data table titled "Describe Assignment" containing key fields for - the SOAR interface. + ### Additional Notes + + - This action does not operate on SecOps entities; it requires a direct ID input + via the action parameters. capabilities: can_create_case_comments: false can_create_insight: false @@ -331,7 +427,7 @@ Describe Assignment: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: true + enrichment: false entity_usage: entity_types: [] filters_by_additional_properties: false @@ -347,58 +443,71 @@ Describe Assignment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Describe Detection: ai_description: >- - ### General Description - - The **Describe Detection** action retrieves comprehensive details for a specific - detection from the Vectra RUX platform using its unique Detection ID. This action - is designed to provide deep-dive visibility into a security event, including its - state, category, threat level, and the source entities (hosts or accounts) involved. - It is typically used in playbooks to gather context about a specific alert identifier - before making further orchestration decisions. + Retrieves comprehensive details for a specific detection from Vectra AI using + its unique ID. This action is designed to provide analysts with deep-dive context + into a specific security event identified by the Vectra platform, including its + state, category, threat level, and associated entity information. - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | + ### Flow Description - | Detection ID | String | Yes | The unique identifier of the detection to retrieve. - This value must be a numeric string representing a valid integer. | + 1. **Parameter Extraction**: The action retrieves the `Detection ID` from the + input parameters. + 2. **Validation**: It validates that the provided `Detection ID` is a valid integer + format. - ### Additional Notes + 3. **API Interaction**: It authenticates with the Vectra AI platform and performs + a GET request to the `/api/v3.4/detections/{detection_id}` endpoint. - - This action does not automatically iterate over entities in the current Google - SecOps case; it requires the `Detection ID` to be explicitly provided as an input - parameter. + 4. **Data Parsing**: The response is parsed into a structured Detection data model, + which includes metadata like detection type, category, and source entity details. - - The action validates the input ID to ensure it is a non-negative integer before - making the API call. + 5. **Output Generation**: The action generates a data table for the case wall + and attaches the full raw JSON response to the action results for further inspection. - ### Flow Description + ### Parameters Description - 1. **Parameter Extraction:** The action retrieves the `Detection ID` from the - input parameters. + | Parameter Name | Type | Mandatory | Description | - 2. **Validation:** It validates that the provided ID is a valid integer using - an internal utility function. + | :--- | :--- | :--- | :--- | - 3. **Authentication:** The action initializes the `VectraRUXManager`, which handles - OAuth2 authentication and token management. + | Detection ID | String | Yes | The unique identifier of the detection to retrieve + from Vectra AI. | - 4. **API Interaction:** It performs a GET request to the Vectra RUX API endpoint - (`/api/v3.4/detections/{detection_id}`) to fetch the detection metadata. - 5. **Data Processing:** The raw API response is parsed into a structured `Detection` - data model. + ### Additional Notes - 6. **Output Generation:** The action populates the SOAR results with a flattened - data table for UI display and the full raw JSON response for downstream playbook - logic. + - This action is a utility/search action and does not automatically iterate over + entities in the SOAR case scope. It requires a specific ID provided as a parameter. capabilities: can_create_case_comments: false can_create_insight: false @@ -426,48 +535,57 @@ Describe Detection: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Describe Entity: - ai_description: >- - ### General Description - - The **Describe Entity** action retrieves comprehensive details for a specific - entity (either a **Host** or an **Account**) from the Vectra RUX platform using - its unique identifier. This action is primarily used for deep-dive enrichment, - providing security analysts with granular information about an entity's state, - severity, urgency scores, and associated detection sets. - - - ### Parameters Description - - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **Entity ID** | String | Yes | The unique numerical identifier for the entity - in Vectra RUX. This value must be a valid integer. | - - | **Entity Type** | DDL | Yes | Specifies the category of the entity. Supported - values are `Account` and `Host`. | - - - ### Flow Description - - 1. **Parameter Extraction:** The action retrieves the `Entity ID` and `Entity - Type` from the user input and validates that the ID is a valid integer. - - 2. **Manager Initialization:** It initializes the `VectraRUXManager` using the - provided API credentials (API Root, Client ID, and Client Secret). - - 3. **API Interaction:** The action performs a `GET` request to the Vectra RUX - API endpoint specifically for the provided entity type and ID. - - 4. **Data Processing:** The raw JSON response is parsed into a structured `Entity` - data model. - - 5. **Output Generation:** The action populates the SOAR results with a data table - (CSV format) for quick viewing and the full raw JSON response for further automated - processing. + ai_description: "### General Description\nThe **Describe Entity** action retrieves\ + \ comprehensive metadata and status information for a specific entity (either\ + \ a Host or an Account) from Vectra RUX using its unique identifier. This action\ + \ is designed to provide analysts with deep-dive visibility into an asset's urgency\ + \ score, attack rating, importance, and associated detection history, facilitating\ + \ informed decision-making during incident response.\n\n### Parameters Description\n\ + | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ + | **Entity ID** | String | Yes | The unique identifier of the entity in Vectra\ + \ RUX. Although provided as a string, the value must represent a valid integer.\ + \ |\n| **Entity Type** | DDL | Yes | The category of the entity to describe. Supported\ + \ values are `Account` and `Host`. |\n\n### Flow Description\n1. **Initialization**:\ + \ The action initializes the Vectra RUX manager using the provided API Root, Client\ + \ ID, and Client Secret.\n2. **Parameter Extraction**: It extracts the `Entity\ + \ ID` and `Entity Type` from the action parameters.\n3. **Validation**: The `Entity\ + \ ID` is validated to ensure it is a non-negative integer.\n4. **Data Retrieval**:\ + \ The action performs a GET request to the Vectra RUX API to fetch the specific\ + \ details of the entity based on the provided ID and type.\n5. **Output Generation**:\ + \ \n - A data table named \"Describe Entity\" is created, containing key attributes\ + \ such as Name, State, Urgency Score, and Importance.\n - The full raw JSON\ + \ response from the API is attached to the action results for granular analysis.\n\ + \n### Additional Notes\n- This action does not automatically process entities\ + \ currently associated with the SecOps case; it operates strictly on the ID provided\ + \ in the parameters.\n- The \"Detection Set\" field in the output table provides\ + \ a list of detection IDs linked to the entity, which can be used for further\ + \ investigation." capabilities: can_create_case_comments: false can_create_insight: false @@ -479,7 +597,7 @@ Describe Entity: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: true + enrichment: false entity_usage: entity_types: [] filters_by_additional_properties: false @@ -495,44 +613,83 @@ Describe Entity: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Download PCAP: ai_description: >- ### General Description - Downloads a Packet Capture (PCAP) file from Vectra RUX associated with a specific - detection ID. This action allows security analysts to retrieve raw network traffic - data for forensic investigation and detailed protocol analysis directly within + Downloads a PCAP (Packet Capture) file associated with a specific detection ID + from the Vectra RUX platform. This action is designed to facilitate deep-dive + forensic analysis by providing the raw network traffic data related to a security + detection. The retrieved file is automatically attached to the action result within Google SecOps. - ### Parameters + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Detection ID | string | Yes | The unique identifier of the detection in Vectra - RUX for which the PCAP file should be downloaded. | + | Detection ID | String | Yes | The unique identifier of the Vectra detection + for which the PCAP file should be downloaded. Although provided as a string, the + value must represent a valid integer. | ### Flow Description - 1. **Initialization**: The action initializes the Vectra RUX manager using the - provided API Root, Client ID, and Client Secret. + 1. **Parameter Extraction**: The action retrieves the `Detection ID` from the + action parameters. + + 2. **Validation**: It validates that the `Detection ID` is a valid integer using + internal utility functions. - 2. **Validation**: Validates that the provided `Detection ID` is a valid integer. + 3. **API Interaction**: The action uses the `VectraRUXManager` to send a GET request + to the Vectra RUX API endpoint specifically for PCAP downloads (`/detections/{detection_id}/pcap`). - 3. **Data Retrieval**: Performs a GET request to the Vectra RUX API endpoint `/api/v3.4/detections/{detection_id}/pcap` - to fetch the file content. + 4. **File Retrieval**: Upon a successful response (HTTP 200), the action extracts + the filename from the `Content-Disposition` header and retrieves the binary content + of the PCAP file. - 4. **File Processing**: Extracts the filename from the `Content-Disposition` header - and saves the binary content to a local path. + 5. **Local Storage & Attachment**: The file is temporarily saved to the local + execution environment and then encoded in Base64 to be added as an attachment + to the Siemplify action result. - 5. **Attachment**: Encodes the PCAP file content into Base64 and adds it as an - attachment to the action result in Google SecOps. + 6. **Completion**: The action concludes by providing a success message containing + the filename and the associated detection ID. - 6. **Completion**: Returns a success message indicating the file has been retrieved - and attached. + + ### Additional Notes + + - This action does not process or filter entities from the case; it operates solely + based on the provided `Detection ID` parameter. + + - If the file is not found or the API returns an error, the action will fail with + a descriptive error message. capabilities: can_create_case_comments: false can_create_insight: false @@ -560,75 +717,61 @@ Download PCAP: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: true + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false List Assignments: - ai_description: >- - ### General Description - - The **List Assignments** action retrieves a list of assignments from the Vectra - RUX platform based on user-defined filtering criteria. It allows security analysts - to query assignments by account, host, assignee, resolution status, and creation - time. The results are presented in a structured data table and a raw JSON format - for further processing. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **Accounts IDs** | String | No | A comma-separated list of account IDs to filter - the assignments. | - - | **Assignees IDs** | String | No | A comma-separated list of user IDs (assignees) - to filter the assignments. | - - | **Resolution IDs** | String | No | A comma-separated list of outcome/resolution - IDs to filter the assignments. | - - | **Resolved** | DDL | No | Filters assignments by their resolution status. Options - are `None`, `True`, or `False`. | - - | **Created After** | String | No | Filters assignments created after a specific - timestamp. Supports relative formats (e.g., "2 hours", "2 days") and absolute - ISO 8601 formats. | - - | **Limit** | String | No | The maximum number of assignment records to retrieve. - | - - | **Hosts IDs** | String | No | A comma-separated list of host IDs to filter the - assignments. | - - - ### Additional Notes - - - All ID-based parameters (Accounts, Assignees, Resolution, Hosts) are validated - as integers before being sent to the API. - - - If no assignments match the criteria, the action will complete successfully - with a message indicating no results were found. - - - ### Flow Description - - 1. **Parameter Extraction:** The action retrieves configuration details (API Root, - Credentials) and user-provided filter parameters. - - 2. **Validation:** ID strings are parsed into lists of integers, and the `Limit` - parameter is validated for numeric integrity. - - 3. **Query Construction:** A mapping of query parameters is created based on the - provided filters (e.g., `resolved`, `created_after`, `accounts`, `hosts`). - - 4. **API Interaction:** The `VectraRUXManager` authenticates and performs a paginated - `GET` request to the `/assignments` endpoint. - - 5. **Data Processing:** The retrieved assignment data is parsed into internal - models for structured output. - - 6. **Output Generation:** The action populates a data table named "Assignment - Details" with key assignment information and attaches the full raw JSON response - to the action result. + ai_description: "### General Description\nLists assignments from Vectra RUX based\ + \ on specified query parameters. This action allows analysts to retrieve a filtered\ + \ list of assignments, providing visibility into how detections, hosts, or accounts\ + \ are being handled within the Vectra platform. The results are presented as a\ + \ data table for quick review and a full JSON object for further automated processing.\n\ + \n### Parameters Description\n| Parameter | Type | Mandatory | Description |\n\ + | :--- | :--- | :--- | :--- |\n| Accounts IDs | string | No | Comma-separated\ + \ list of account IDs to filter the assignments. |\n| Assignees IDs | string |\ + \ No | Comma-separated list of user IDs (assignees) to filter the assignments.\ + \ |\n| Resolution IDs | string | No | Comma-separated list of outcome/resolution\ + \ IDs to filter the assignments. |\n| Resolved | ddl | No | Filter assignments\ + \ by their resolution status. Options: None, True, False. |\n| Created After |\ + \ string | No | Filter assignments created after a specific timestamp. Supports\ + \ relative formats (e.g., '2 days') or absolute ISO formats. |\n| Limit | string\ + \ | No | The maximum number of assignment records to retrieve. |\n| Hosts IDs\ + \ | string | No | Comma-separated list of host IDs to filter the assignments.\ + \ |\n\n### Flow Description\n1. **Initialization**: The action initializes the\ + \ Vectra RUX manager using the provided API credentials (API Root, Client ID,\ + \ and Client Secret).\n2. **Parameter Extraction**: It extracts all optional filters,\ + \ including Account IDs, Host IDs, Assignee IDs, and Resolution IDs, converting\ + \ comma-separated strings into lists of integers.\n3. **Query Construction**:\ + \ A query parameter mapping is built based on the provided inputs, including the\ + \ 'Resolved' status and 'Created After' timestamp.\n4. **Data Retrieval**: The\ + \ action performs a paginated GET request to the Vectra RUX assignments endpoint\ + \ using the constructed filters and the specified limit.\n5. **Output Generation**:\ + \ \n * If assignments are found, it constructs a data table titled 'Assignment\ + \ Details' containing key fields like Assignment ID, Assigned User, and Outcome.\n\ + \ * The full raw JSON response is attached to the action results.\n * A\ + \ summary message indicates the number of assignments successfully retrieved." capabilities: can_create_case_comments: false can_create_insight: false @@ -656,15 +799,42 @@ List Assignments: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false List Detections: ai_description: >- ### General Description - This action retrieves a list of detections from the Vectra RUX platform based - on a wide variety of filtering criteria. It is primarily used for searching and - auditing detections associated with specific entities (Hosts or Accounts) or broad - categories within the Vectra environment. The results are presented as a formatted - data table on the case wall and as a raw JSON object for further playbook processing. + The **List Detections** action retrieves a list of security detections from the + Vectra RUX platform based on a wide array of filtering criteria. It is designed + to provide analysts with visibility into specific threats associated with hosts + or accounts, allowing for deep-dive investigations into detection categories, + threat levels, and temporal data. The action outputs a structured data table for + quick review within the SOAR case and provides the full raw JSON response for + further automated processing. ### Parameters Description @@ -673,89 +843,87 @@ List Detections: | :--- | :--- | :--- | :--- | - | Detection Category | DDL | No | Filters detections by category (e.g., Exfiltration, - Lateral Movement, Reconnaissance). | + | Detection Category | DDL | No | Filters results by the Vectra detection category + (e.g., Exfiltration, Lateral Movement, Reconnaissance). | | Threat GTE | String | No | Filters detections with a threat score greater than - or equal to the provided integer. | + or equal to this value. | | Certainty GTE | String | No | Filters detections with a certainty score greater - than or equal to the provided integer. | + than or equal to this value. | - | Last Timestamp GTE | String | No | Filters detections with a last seen timestamp - greater than or equal to the provided value. | + | Last Timestamp GTE | String | No | Filters detections occurring on or after + this timestamp. | - | Last Timestamp LTE | String | No | Filters detections with a last seen timestamp - less than or equal to the provided value. | + | Last Timestamp LTE | String | No | Filters detections occurring on or before + this timestamp. | - | Tags | String | No | A comma-separated list of tags to filter detections. | + | Tags | String | No | A comma-separated list of tags to filter the detections. + | | Entity Type | DDL | No | Specifies the type of entity to filter by (Host or Account). | - | Entity ID | String | No | The specific ID of the entity for which to list detections. - | + | Entity ID | String | No | The unique identifier of the entity in Vectra to retrieve + detections for. | | Is Targeting Key Asset | DDL | No | Filters detections based on whether they - target a key asset (True/False). | + target a designated key asset (True/False). | - | Note Modified Timestamp GTE | String | No | Filters detections based on when - their notes were last modified. | + | Note Modified Timestamp GTE | String | No | Filters detections where the associated + notes were modified after this timestamp. | | Limit | String | No | The maximum number of detection records to retrieve. | | Order | DDL | No | Specifies the sort order (Ascending or Descending). | - | Order By | DDL | No | The field to sort results by (last_timestamp, threat_score, + | Order By | DDL | No | The field used for sorting (last_timestamp, threat_score, or certainty_score). | | State | DDL | No | Filters detections by their current state (Active, Inactive, - Fixed). | + or Fixed). | - | Detection Type | String | No | Filters detections by a specific detection type - string. | + | Detection Type | String | No | Filters by the specific name or type of detection. + | - ### Additional Notes + ### Flow Description - - The action performs validation on integer-based parameters like 'Threat GTE', - 'Certainty GTE', and 'Limit'. If invalid values are provided, the action will - fail. + 1. **Parameter Extraction:** The action retrieves configuration details (API Root, + Credentials) and all user-provided filter parameters. - - If 'Order By' is selected, the action automatically handles the mapping of score - fields (e.g., converting 'threat_score' to 'threat' for the API call). + 2. **Validation:** It validates numeric inputs such as `Threat GTE`, `Certainty + GTE`, and `Limit` to ensure they are valid integers. + 3. **API Request:** The action initializes the VectraRUX manager, authenticates, + and sends a GET request to the detections endpoint using the constructed query + parameters. - ### Flow Description + 4. **Data Processing:** For each retrieved detection, the action cleans up internal + API versioning strings from URLs to ensure they are user-friendly. - 1. **Parameter Extraction:** The action extracts configuration details (API Root, - Credentials) and all 15 optional filtering parameters. + 5. **Output Generation:** It extracts key fields (ID, Type, Category, Timestamps, + State) to create a 'List Of Detections' data table and attaches the complete JSON + payload to the action results. - 2. **Validation:** It validates that numeric inputs (Limit, Threat, Certainty) - are valid integers and processes DDL selections into the format expected by the - Vectra API. - 3. **API Interaction:** The action authenticates with the Vectra RUX service and - performs a paginated GET request to the detections endpoint using the provided - filters. + ### Additional Notes - 4. **Data Processing:** Retrieved detections undergo URL cleaning (removing API - version strings) and field extraction for reporting. + - This action does not run on SOAR entities automatically; it relies on the `Entity + ID` and `Entity Type` parameters provided in the action configuration. - 5. **Output Generation:** The action populates a data table named 'List Of Detections' - on the case wall and attaches the full raw JSON response to the action result. + - If no detections match the provided filters, the action will complete successfully + with an informative message. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: >- - The action adds a data table titled 'List Of Detections' to the case wall, which - modifies the internal case data representation. + internal_data_mutation_explanation: null categories: enrichment: false entity_usage: @@ -773,86 +941,116 @@ List Detections: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false List Entities: ai_description: >- - ### General Description - - The **List Entities** action retrieves a filtered list of entities (either Hosts - or Accounts) from the Vectra RUX platform. It serves as a search utility allowing - analysts to query the Vectra environment for specific entity data based on various - attributes like threat scores, status, and timestamps. + Lists entities (Hosts or Accounts) from the Vectra RUX platform based on specified + query parameters. This action allows analysts to search for and retrieve detailed + metadata about assets within the Vectra environment using various filters such + as entity name, state, urgency scores, and tags. It is particularly useful for + threat hunting, asset discovery, or gathering context on a group of related entities. + The action retrieves data via a paginated GET request and presents the results + in both a structured data table for the SOAR UI and a full JSON response for downstream + processing. ### Parameters Description + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Entity Type** | DDL | Yes | Specifies the category of entities to retrieve. - Valid values are 'Host' or 'Account'. | + | Entity Type | DDL | Yes | Specifies the type of entities to retrieve. Valid + values are "Host" or "Account". | - | **Order By** | DDL | No | Determines the field used to sort the records (e.g., - urgency_score, last_detection_timestamp). | + | Order By | DDL | No | Sorts the results by a specific field such as `urgency_score`, + `last_detection_timestamp`, `name`, or `last_modified_timestamp`. | - | **Fields** | Multi-choice | No | Allows the user to select specific data fields - to be returned in the results. | + | Fields | Multi-choice | No | Allows selection of specific fields to include + in the response (e.g., `id`, `name`, `ip`, `severity`). | - | **Name** | String | No | Filters the results to entities matching a specific - name. | + | Name | String | No | Filters entities by their display name. | - | **State** | DDL | No | Filters entities by their current state: 'Active' or - 'Inactive'. | + | State | DDL | No | Filters entities by their current state: "Active" or "Inactive". + | - | **Last Detection Timestamp GTE** | String | No | Filters for entities where - the last detection occurred on or after this timestamp. | + | Last Detection Timestamp GTE | String | No | Filters for entities with a last + detection timestamp greater than or equal to the provided value. | - | **Last Detection Timestamp LTE** | String | No | Filters for entities where - the last detection occurred on or before this timestamp. | + | Last Detection Timestamp LTE | String | No | Filters for entities with a last + detection timestamp less than or equal to the provided value. | - | **Tags** | String | No | Filters entities by a comma-separated list of tags. - | + | Tags | String | No | Filters entities by associated tags (provide as a comma-separated + list). | - | **Note Modified Timestamp GTE** | String | No | Filters for entities where notes - were modified on or after this timestamp. | + | Note Modified Timestamp GTE | String | No | Filters for entities where notes + were modified after the provided timestamp. | - | **Prioritized** | DDL | No | Filters entities based on their prioritization - status (True/False). | + | Prioritized | DDL | No | Filters entities based on whether they are marked as + prioritized ("True" or "False"). | - | **Limit** | String | No | The maximum number of entity records to fetch from - the API. | + | Limit | String | No | The maximum number of entities to retrieve. | - | **Order** | DDL | No | Specifies the sorting direction: 'Ascending' or 'Descending'. - | + | Order | DDL | No | Specifies the sort order: "Ascending" or "Descending". | ### Additional Notes - - This action is a search/query tool and does not process entities currently associated - with the SOAR case (it does not iterate over `target_entities`). + - The `Limit` parameter is validated to ensure it is a positive integer. If not + provided, the system defaults to a predefined maximum. + + - If `Order` is set to "Descending", the `Order By` field is automatically prefixed + with a minus sign (`-`) for the API request. - - The action automatically cleans API versioning from returned URLs to ensure - they are user-friendly. + - The action automatically cleans up URLs in the response by removing the API + version substring for better readability. ### Flow Description - 1. **Initialization:** The action extracts the Vectra RUX configuration and user-provided - filter parameters. + 1. **Parameter Extraction:** Retrieves configuration (API Root, Credentials) and + action parameters (filters, sorting, limit). - 2. **Validation:** It validates the 'Limit' parameter to ensure it is a valid - positive integer. + 2. **Validation:** Validates the `Limit` parameter and formats the `Order By` + field based on the selected `Order`. - 3. **API Query:** It executes a GET request to the Vectra RUX `/entities` endpoint, - applying all provided filters and handling pagination if the requested limit exceeds - the default page size. + 3. **Manager Initialization:** Initializes the VectraRUXManager and authenticates + with the platform. - 4. **Data Refinement:** The action processes the raw JSON response, removing internal - API version strings from URLs and extracting a set of mandatory fields (ID, Name, - Severity, etc.) for the summary view. + 4. **API Request:** Executes a paginated GET request to the Vectra `entities` + endpoint using the constructed query parameters. - 5. **Output:** It generates a CSV-formatted data table for the SOAR case wall - and attaches the full raw JSON response for further automated processing. + 5. **Data Processing:** Iterates through the retrieved entities, cleans up URL + fields, and extracts mandatory fields (ID, Type, Name, Severity, etc.) for the + UI table. + + 6. **Output Generation:** Adds a CSV-formatted data table to the action results + and attaches the full raw JSON response. capabilities: can_create_case_comments: false can_create_insight: false @@ -880,29 +1078,83 @@ List Entities: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false List Entity Detections: ai_description: >- - ### General Description This action retrieves a list of security detections from - Vectra AI for a specific entity identified by its ID. It allows analysts to pivot - from a known Vectra Entity ID to see all associated malicious or suspicious activities, - filtered by state and limited by count. ### Parameters Description | Parameter - | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | | **Entity ID** - | String | Yes | The unique numerical identifier of the entity in Vectra. | | - **Entity Type** | DDL | Yes | The type of entity being queried. Options are 'Account' - or 'Host'. | | **Limit** | String | No | The maximum number of detection records - to return. | | **State** | DDL | Yes | Filters the detections based on their current - status in Vectra. Options include 'Active', 'Inactive', or 'Fixed'. | ### Additional - Notes - This action is a manual lookup and does not automatically process entities - from the current SOAR case; it requires the user to provide a specific Entity - ID. - The Entity ID must be a valid integer. ### Flow Description 1. **Initialization**: - The action initializes the Vectra RUX manager using the provided API credentials. - 2. **Input Validation**: It validates that the Entity ID and Limit parameters - are correctly formatted as integers. 3. **Entity Metadata Retrieval**: It performs - a lookup for the specified entity to obtain the list of detection IDs associated - with it. 4. **Detection Fetching**: It queries the Vectra API for the details - of each detection ID found, applying the State filter and the Limit constraint. - 5. **Output Generation**: The action populates a JSON result with the full detection - details and creates a data table in the case wall for quick review. + ### General Description + + This action retrieves a list of detections associated with a specific entity ID + (either a Host or an Account) from the Vectra RUX platform. It is used to gain + visibility into the security events linked to a particular asset by fetching detailed + detection metadata, including detection types, categories, and timestamps. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Entity ID | String | Yes | The unique numerical identifier of the entity in + Vectra. | + + | Entity Type | DDL | Yes | Specifies whether the ID belongs to an 'Account' or + a 'Host'. | + + | Limit | String | No | The maximum number of detections to retrieve. If not provided, + a default limit is applied. | + + | State | DDL | Yes | Filters detections by their current state. Options include + 'Active', 'Inactive', or 'Fixed'. | + + + ### Additional Notes + + - The action first performs a lookup to describe the entity and retrieve its associated + detection IDs before fetching the full detection details. + + - The 'Entity ID' must be a valid integer. + + + ### Flow Description + + 1. **Parameter Extraction:** The action retrieves the API configuration and the + user-provided parameters (Entity ID, Type, Limit, and State). + + 2. **Validation:** It validates that the 'Entity ID' and 'Limit' are valid integers. + + 3. **Entity Lookup:** It calls the Vectra API to describe the entity and extract + the list of detection IDs associated with it. + + 4. **Detection Retrieval:** If detections are found, it fetches the detailed information + for each detection ID, applying the 'State' filter and 'Limit'. + + 5. **Output Generation:** The results are processed into a JSON object and a data + table, which are then attached to the action results in Google SecOps. capabilities: can_create_case_comments: false can_create_insight: false @@ -930,15 +1182,38 @@ List Entity Detections: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false List Groups: ai_description: >- ### General Description - The **List Groups** action retrieves a list of groups from the Vectra AI platform - based on various user-defined filtering criteria. It is primarily used for administrative - oversight or to gather context about existing group configurations within the - Vectra environment. The action supports extensive filtering by group name, type, - importance, and specific member identifiers like IP addresses or hostnames. + Retrieves a list of groups from Vectra RUX based on specified query parameters. + This action allows analysts to search for and list groups by name, type, importance, + and associated members such as hosts, accounts, IPs, or domains. ### Parameters Description @@ -947,71 +1222,65 @@ List Groups: | :--- | :--- | :--- | :--- | - | Last Modified Timestamp GTE | String | No | Filters for groups modified on or - after the specified timestamp (ISO 8601 format). | + | Last Modified Timestamp GTE | String | No | Filter groups modified on or after + this timestamp (e.g., 2023-10-27T12:00). | - | Last Modified By | String | No | Filters groups by the username of the person - who last modified them. | + | Last Modified By | String | No | Filter by the username of the person who modified + the group. | - | Name | String | No | Filters groups by their specific name. | + | Name | String | No | Filter by the specific name of the group. | - | Type | DDL | No | Filters groups by their category. Options include: `account`, - `ip`, `domain`, `host`, or `None`. | + | Type | DDL | No | Filter by the type of group: account, ip, domain, or host. + | - | Limit | String | No | Specifies the maximum number of group records to retrieve. - Defaults to a system maximum if not provided. | + | Limit | String | No | The maximum number of group records to return. | - | Account Names | String | No | A comma-separated list of account names to filter - the groups. | + | Account Names | String | No | Comma-separated list of account names to filter + group membership. | - | Domains | String | No | A comma-separated list of domain names to filter the - groups. | + | Domains | String | No | Comma-separated list of domains to filter group membership. + | - | Host Ids | String | No | A comma-separated list of host IDs to filter the groups. + | Host Ids | String | No | Comma-separated list of host IDs to filter group membership. | - | Host Names | String | No | A comma-separated list of host names to filter the - groups. | + | Host Names | String | No | Comma-separated list of host names to filter group + membership. | - | Importance | DDL | No | Filters groups by their assigned importance level. Options: - `low`, `medium`, `high`, `never_prioritize`, or `None`. | + | Importance | DDL | No | Filter by the importance level: low, medium, high, or + never_prioritize. | - | IPs | String | No | A comma-separated list of IP addresses to filter the groups. + | IPs | String | No | Comma-separated list of IP addresses to filter group membership. | - | Description | String | No | Performs a case-insensitive match against the group's - description field. | + | Description | String | No | Filter by the group's description (case-insensitive + match). | - ### Additional Notes + ### Flow Description - - Comma-separated parameters (like IPs or Host Names) are automatically parsed - into lists before the API request is made. + 1. **Initialization**: The action initializes the Vectra RUX manager using the + provided API credentials. - - The action utilizes pagination to ensure that large sets of results are handled - efficiently up to the specified limit. + 2. **Parameter Processing**: It extracts all optional filters and validates the + 'Limit' parameter to ensure it is a valid integer. + 3. **API Retrieval**: The action performs a paginated GET request to the Vectra + RUX `/groups` endpoint, applying the specified filters. - ### Flow Description + 4. **Result Formatting**: If groups are found, they are formatted into a data + table titled 'List Of Groups' and the full raw data is returned as a JSON result. - 1. **Initialization**: The action extracts the necessary API credentials (API - Root, Client ID, Client Secret) and all optional filtering parameters. - - 2. **Validation**: It validates the `Limit` parameter to ensure it is a non-negative - integer. + 5. **Completion**: The action concludes by reporting the number of groups successfully + retrieved. - 3. **Data Processing**: Comma-separated string inputs for accounts, domains, hosts, - and IPs are converted into clean lists for API consumption. - 4. **API Request**: The action authenticates with Vectra AI and sends a GET request - to the `/groups` endpoint, applying all provided filters as query parameters. + ### Additional Notes - 5. **Pagination**: If the number of results exceeds the page size, the action - iterates through subsequent pages until the `Limit` is reached or all data is - retrieved. + - If no groups match the provided filters, the action will complete successfully + with a message stating no groups were found. - 6. **Output**: The retrieved group details are formatted into a SOAR data table - titled "List Of Groups" and the raw JSON response is attached to the action result. + - The 'Limit' parameter defaults to a system-defined maximum if not specified. capabilities: can_create_case_comments: false can_create_insight: false @@ -1039,31 +1308,54 @@ List Groups: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false List Outcomes: - ai_description: "### General Description\nRetrieves a comprehensive list of all\ - \ assignment outcomes from the Vectra RUX platform. This action is primarily used\ - \ to identify the available resolution types and categories that can be applied\ - \ when managing assignments or detections within Vectra. The results are presented\ - \ both as a structured data table and a raw JSON object for downstream automation.\n\ - \n### Parameters Description\n| Parameter | Description | Type | Mandatory | Notes\ - \ |\n| :--- | :--- | :--- | :--- | :--- |\n| Limit | Specifies the maximum number\ - \ of outcome records to retrieve from the API. | String | No | If provided, must\ - \ be a valid positive integer. If omitted, the action fetches all available records\ - \ up to the integration's default limit. |\n\n### Additional Notes\n- This action\ - \ does not operate on specific entities (IPs, Hosts, etc.) and can be run as a\ - \ standalone task within a playbook.\n- The 'Limit' parameter is validated to\ - \ ensure it is a positive integer; providing '0' or a negative number will result\ - \ in an execution failure.\n\n### Flow Description\n1. **Authentication**: Establishes\ - \ a session with the Vectra RUX API using the configured API Root, Client ID,\ - \ and Client Secret.\n2. **Parameter Validation**: Extracts the 'Limit' parameter\ - \ and validates that it is a valid integer greater than zero.\n3. **Data Retrieval**:\ - \ Performs a paginated GET request to the `/assignment_outcomes` endpoint to fetch\ - \ the outcome definitions.\n4. **Data Processing**: Parses the raw API response\ - \ into structured Outcome objects, extracting fields such as Outcome ID, Title,\ - \ Category, and whether it is a built-in or user-selectable outcome.\n5. **Output\ - \ Generation**: \n - Constructs a data table named 'Outcome Details' for the\ - \ Case Wall.\n - Attaches the full raw response as a JSON result for use in\ - \ subsequent playbook steps." + ai_description: "### General Description\nThis action retrieves a list of all available\ + \ assignment outcomes from the Vectra RUX platform. Assignment outcomes represent\ + \ the possible resolutions or classifications that can be applied when resolving\ + \ an assignment (e.g., 'True Positive', 'Benign'). This is primarily a utility\ + \ action used to identify valid outcome IDs for use in other assignment-related\ + \ actions.\n\n### Parameters Description\n| Parameter | Type | Mandatory | Description\ + \ |\n| :--- | :--- | :--- | :--- |\n| Limit | string | No | Specifies the maximum\ + \ number of outcome records to fetch from the API. If not provided, a default\ + \ system limit is applied. |\n\n### Additional Notes\n- The action validates that\ + \ the 'Limit' parameter is a positive integer.\n- The results are presented both\ + \ as a structured data table ('Outcome Details') and as a raw JSON object.\n\n\ + ### Flow Description\n1. **Parameter Initialization**: The action extracts the\ + \ API configuration (Root, Client ID, Client Secret) and the 'Limit' action parameter.\n\ + 2. **Validation**: It validates that the 'Limit' parameter is a valid non-negative\ + \ integer.\n3. **API Interaction**: It initializes the VectraRUXManager and calls\ + \ the `get_outcome_list` method, which performs a GET request to the `/assignment_outcomes`\ + \ endpoint.\n4. **Data Processing**: The manager paginates through the results\ + \ if necessary (up to the specified limit) and parses the raw JSON into Outcome\ + \ data models.\n5. **Output Generation**: \n - A data table named 'Outcome\ + \ Details' is created containing the Outcome ID, Title, Category, and flags for\ + \ 'Built In' and 'User Selectable'.\n - The full JSON response is attached\ + \ to the action result." capabilities: can_create_case_comments: false can_create_insight: false @@ -1091,40 +1383,84 @@ List Outcomes: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false List Users: - ai_description: "### General Description\nThe **List Users** action retrieves a\ - \ list of users from the Vectra RUX platform based on specified query parameters.\ - \ It allows security analysts to search for user accounts by their role, email\ - \ address, or the time of their last login. The results are presented in a structured\ - \ data table within the Google SecOps case and are also available as a raw JSON\ - \ object for further automated processing.\n\n### Parameters Description\n| Parameter\ - \ | Description | Type | Mandatory | Notes |\n| :--- | :--- | :--- | :--- | :---\ - \ |\n| Role | Filters the user list by a specific role (e.g., 'admin', 'readonly').\ - \ | String | No | |\n| Email | Filters the user list by a specific email address.\ - \ | String | No | |\n| Last Login GTE | Filters for users whose last login timestamp\ - \ is greater than or equal to the provided value. | String | No | Expected format\ - \ is typically ISO 8601 or as defined by the Vectra API. |\n| Limit | Specifies\ - \ the maximum number of user records to retrieve. | String | No | Must be a positive\ - \ integer. If not provided, a default system limit is applied. |\n\n### Additional\ - \ Notes\n- This action does not operate on specific entities within a case; it\ - \ performs a global search across the Vectra RUX environment.\n- If no users match\ - \ the provided criteria, the action will complete successfully with a message\ - \ stating that no users were found.\n- The `Limit` parameter is validated to ensure\ - \ it is a valid integer greater than zero if provided.\n\n### Flow Description\n\ - 1. **Parameter Extraction:** The action retrieves the API configuration (Root\ - \ URL, Client ID, Client Secret) and the user-provided search filters (Role, Email,\ - \ Last Login GTE, Limit).\n2. **Validation:** The `Limit` parameter is validated\ - \ to ensure it is a valid integer.\n3. **Authentication:** The action authenticates\ - \ with the Vectra RUX API using OAuth2 client credentials, managing token generation\ - \ and refresh logic internally.\n4. **Data Retrieval:** A GET request is sent\ - \ to the `/users` endpoint of the Vectra RUX API, applying the specified filters\ - \ as query parameters. The action handles pagination automatically to fetch results\ - \ up to the defined limit.\n5. **Data Processing:** The raw API response is parsed\ - \ into internal user objects.\n6. **Output Generation:** \n - A data table\ - \ named \"List Of Users\" is created, containing key details like Name, Email,\ - \ Role, and Last Login.\n - The full list of user data is attached to the action\ - \ result as a JSON object.\n - A summary message is returned indicating the\ - \ number of users successfully retrieved." + ai_description: >- + ### General Description + + The **List Users** action retrieves a list of users from the Vectra RUX platform + based on specified filtering criteria. It allows analysts to search for users + by their role, email address, or a minimum last login timestamp. The results are + presented as a data table and a raw JSON object within the Google SecOps environment. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | **Role** | String | No | Filters the user list to only include users with the + specified role. | + + | **Email** | String | No | Filters the user list to only include the user with + the specified email address. | + + | **Last Login GTE** | String | No | Filters users whose last login timestamp + is greater than or equal to the provided value (Format: YYYY-MM-DDTHH:MM). | + + | **Limit** | String | No | Specifies the maximum number of user records to retrieve. + If not provided, a default limit is applied. | + + + ### Additional Notes + + - This action does not require any entities to be present in the context. + + - The `Limit` parameter must be a positive integer if provided. + + + ### Flow Description + + 1. **Parameter Extraction:** The action retrieves the configuration (API Root, + Credentials) and action parameters (Role, Email, Last Login GTE, Limit). + + 2. **Validation:** The `Limit` parameter is validated to ensure it is a valid + integer. + + 3. **API Interaction:** The action connects to the Vectra RUX API and performs + a paginated GET request to the `/users` endpoint using the provided filters. + + 4. **Data Processing:** The retrieved user objects are parsed into a structured + format. + + 5. **Output Generation:** A data table titled "List Of Users" is created with + key user details (Name, Email, Role, ID, Last Login), and the full raw response + is attached as a JSON result. capabilities: can_create_case_comments: false can_create_insight: false @@ -1152,22 +1488,71 @@ List Users: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Mark Detection Fixed: - ai_description: "Marks specific detections as 'fixed' within the Vectra RUX platform.\ - \ This action allows analysts to programmatically update the status of one or\ - \ more detections by providing their unique identifiers. \n\n### Parameters\n\ - | Parameter | Description | Type | Mandatory | Notes |\n| :--- | :--- | :--- |\ - \ :--- | :--- |\n| Detection IDs | A comma-separated list of numeric identifiers\ - \ for the detections to be marked as fixed. | String | Yes | The IDs must be valid\ - \ integers. |\n\n### Flow Description\n1. **Initialization**: Retrieves API credentials\ - \ (API Root, Client ID, Client Secret) from the integration configuration.\n2.\ - \ **Parameter Extraction**: Extracts the 'Detection IDs' string from the action\ - \ parameters.\n3. **Validation**: Splits the input string by commas and validates\ - \ that each ID is a valid integer.\n4. **API Interaction**: Sends a PATCH request\ - \ to the Vectra RUX API endpoint for detections, passing the list of IDs and setting\ - \ the 'mark_as_fixed' attribute to True.\n5. **Result Processing**: Captures the\ - \ API response, attaches it as a JSON result to the action, and provides a success\ - \ or failure message based on the outcome." + ai_description: >- + ### General Description + + Marks one or more detections as 'fixed' in the Vectra AI platform. This action + is used to programmatically update the status of detections, indicating that the + underlying security issue has been addressed or resolved within the Vectra environment. + + + ### Flow Description + + 1. **Parameter Extraction**: Retrieves the API configuration (API Root, Client + ID, and Client Secret) and the 'Detection IDs' provided by the user. + + 2. **Validation**: Parses the comma-separated string of IDs and validates that + each ID is a valid integer using internal utility managers. + + 3. **API Interaction**: Initializes the VectraRUXManager and sends a PATCH request + to the Vectra detections endpoint with the list of IDs and the `mark_as_fixed` + parameter set to `True`. + + 4. **Result Processing**: Captures the API response and attaches it as a JSON + result to the action execution, providing feedback on the success of the operation. + + + ### Parameters Description + + | Parameter | Description | Type | Mandatory | Notes | + + | :--- | :--- | :--- | :--- | :--- | + + | Detection IDs | A comma-separated list of numeric IDs representing the detections + to be marked as fixed. | String | Yes | Each ID must be a valid integer. | + + + ### Additional Notes + + This action performs a bulk update on the external Vectra system. It does not + interact with or modify entities within the Google SecOps case directly, nor does + it create insights or comments. capabilities: can_create_case_comments: false can_create_insight: false @@ -1176,8 +1561,8 @@ Mark Detection Fixed: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the state of specified detections to 'fixed' in the Vectra RUX platform - via a PATCH request to the detections endpoint. + Updates the status of specific detections in the Vectra AI platform to 'fixed' + via a PATCH request to the detections API endpoint. fetches_data: false internal_data_mutation_explanation: null categories: @@ -1197,13 +1582,40 @@ Mark Detection Fixed: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: true + update_email: false + update_identity: false + update_ticket: false Mark Entity Fixed: ai_description: >- ### General Description - Marks all detections associated with a specific entity as 'fixed' in the Vectra - RUX platform. This action is used to programmatically resolve or acknowledge multiple - security detections linked to a single Host or Account entity simultaneously. + The **Mark Entity Fixed** action is used to programmatically resolve all security + detections associated with a specific entity (either a Host or an Account) within + the Vectra RUX platform. By providing the unique Entity ID and specifying its + type, the action identifies all linked detections and updates their status to + 'fixed,' effectively clearing them from the active queue in Vectra. ### Parameters Description @@ -1212,29 +1624,37 @@ Mark Entity Fixed: | :--- | :--- | :--- | :--- | - | Entity ID | string | Yes | The unique numeric identifier of the entity in Vectra - RUX whose detections should be marked as fixed. | + | **Entity ID** | String | Yes | The unique numerical identifier of the entity + in Vectra whose detections should be marked as fixed. | - | Entity Type | ddl | Yes | The type of entity associated with the ID. Supported - values are 'Account' or 'Host'. | + | **Entity Type** | DDL | Yes | The type of entity being targeted. Options are + `Account` or `Host`. | ### Flow Description 1. **Parameter Extraction:** The action retrieves the `Entity ID` and `Entity - Type` from the input parameters. + Type` from the user input. + + 2. **Entity Validation:** The `Entity ID` is validated to ensure it is a proper + integer. + + 3. **Detection Retrieval:** The action calls the Vectra API to describe the entity, + which returns a list of all `detection_ids` currently associated with that entity. + + 4. **State Update:** If detections are found, the action sends a PATCH request + to Vectra's detections endpoint to mark all identified IDs as 'fixed'. - 2. **Validation:** Validates that the `Entity ID` is a valid integer. + 5. **Result Reporting:** The action returns the API response from Vectra and provides + a summary message of the operation's success. - 3. **Entity Retrieval:** Calls the Vectra RUX API to describe the entity and retrieve - the list of all associated `detection_ids` currently linked to that entity. - 4. **Detection Update:** If detections are found, the action sends a PATCH request - to the Vectra RUX detections endpoint to update the state of all retrieved detection - IDs to 'fixed'. + ### Additional Notes + + - This action performs a state change in the external Vectra system. - 5. **Result Reporting:** Adds the raw API response to the action's JSON results - and provides a summary message indicating the number of detections updated. + - If no detections are found for the provided Entity ID, the action will complete + successfully but will report that no detections were found. capabilities: can_create_case_comments: false can_create_insight: false @@ -1243,8 +1663,8 @@ Mark Entity Fixed: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the state of detections in the Vectra RUX platform by marking them as - 'fixed' via a PATCH request. + Updates the state of detections associated with a specific entity to 'fixed' + in the Vectra RUX platform via a PATCH request. fetches_data: true internal_data_mutation_explanation: null categories: @@ -1264,53 +1684,61 @@ Mark Entity Fixed: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: - ai_description: >- - ### General Description - - Tests the connectivity between the Google SecOps (Chronicle) server and the Vectra - RUX platform. This action ensures that the provided credentials (Client ID and - Client Secret) and the API Root URL are correct and that the SOAR server can successfully - authenticate and communicate with the Vectra API. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | API Root | String | Yes | The base URL of the Vectra RUX instance. | - - | Client ID | String | Yes | The Client ID for OAuth2 authentication. | - - | Client Secret | String | Yes | The Client Secret for OAuth2 authentication. - | - - - ### Additional Notes - - This action is typically used during the initial setup of the integration to verify - that the configuration is correct. It does not process any entities or modify - any data. The parameters listed are configuration parameters required for the - integration to function. - - - ### Flow Description - - 1. **Initialization**: The action starts by retrieving the integration's configuration - parameters: API Root, Client ID, and Client Secret. - - 2. **Manager Setup**: It initializes the `VectraRUXManager`, which handles the - session and authentication logic. - - 3. **Connectivity Test**: The manager calls the `test_connectivity` method, which - internally attempts to generate or refresh an OAuth2 access token using the provided - credentials. - - 4. **Result Handling**: If a token is successfully retrieved, the action reports - a successful connection. If an error occurs (e.g., invalid credentials, network - timeout), the action fails and provides an error message. + ai_description: "### General Description\nThe **Ping** action is a diagnostic tool\ + \ designed to verify the connectivity between the Google SecOps (Chronicle) environment\ + \ and the Vectra RUX platform. Its primary purpose is to ensure that the integration's\ + \ configuration parameters (API Root, Client ID, and Client Secret) are correct\ + \ and that the network path to the Vectra API is open. This action is typically\ + \ used during the initial setup of the integration or for troubleshooting communication\ + \ issues.\n\n### Parameters Description\nThis action does not require any input\ + \ parameters at the action level. It relies entirely on the integration's global\ + \ configuration settings:\n\n| Parameter | Type | Mandatory | Description |\n\ + | :--- | :--- | :--- | :--- |\n| API Root | String | Yes | The base URL of the\ + \ Vectra RUX API instance. |\n| Client ID | String | Yes | The unique identifier\ + \ for the API client used for authentication. |\n| Client Secret | Password |\ + \ Yes | The secret key associated with the Client ID for secure authentication.\ + \ |\n\n### Flow Description\n1. **Initialization**: The action starts by initializing\ + \ the Siemplify SDK and retrieving the global configuration parameters (API Root,\ + \ Client ID, and Client Secret).\n2. **Manager Setup**: It instantiates the `VectraRUXManager`.\ + \ During instantiation, the manager attempts to generate an OAuth2 access token\ + \ by sending a POST request to the `oauth2/token` endpoint.\n3. **Connectivity\ + \ Test**: The action calls the `test_connectivity` method. This method validates\ + \ the stored tokens or attempts to re-authenticate if the credentials have changed.\n\ + 4. **Result Reporting**: \n * If the authentication and connection are successful,\ + \ the action returns a success message: \"Successfully connected to the VectraRUX\ + \ server\".\n * If an error occurs (e.g., invalid credentials, network timeout,\ + \ or API error), the action catches the exception, logs the error details, and\ + \ returns a failure message.\n\n### Additional Notes\n* **Authentication Mechanism**:\ + \ The action uses OAuth2 Client Credentials flow. It manages token persistence\ + \ internally using a local JSON file to avoid redundant authentication requests.\n\ + * **Error Handling**: The action includes robust error handling to distinguish\ + \ between authentication failures (401/403) and server-side issues (500+)." capabilities: can_create_case_comments: false can_create_insight: false @@ -1338,22 +1766,69 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Remove Assignment: ai_description: >- - General Description: Removes the assignment for a specified entity (Account or - Host) in Vectra AI. This action is used to clear ownership or status of an entity - within the Vectra platform, typically when an investigation is concluded or needs - to be reset. Parameters Description: 1. Entity ID (String, Mandatory): The unique - numeric identifier of the entity in Vectra. 2. Entity Type (DDL, Mandatory): The - category of the entity, which must be either 'Account' or 'Host'. Flow Description: - 1. Validation: The action validates that the provided Entity ID is a valid integer. - 2. Information Retrieval: It fetches current metadata for the specified entity - from Vectra to check for an existing assignment. 3. Assignment Identification: - If an assignment is found, the action extracts the specific assignment ID. 4. - Removal: It sends a DELETE request to the Vectra API to remove the identified - assignment. 5. Outcome: Reports success if the assignment was deleted or failure - if the entity had no active assignment. Additional Notes: This action requires - valid API credentials (Client ID and Secret) and the API Root of the Vectra instance. + Removes the assignment associated with a specific entity (Host or Account) in + Vectra RUX. This action is used to clear the ownership or analyst assignment of + a detection target within the Vectra platform. + + + ### Flow Description: + + 1. **Validation**: Validates that the provided `Entity ID` is a valid integer. + + 2. **Retrieval**: Fetches the current metadata for the specified entity from Vectra + RUX to identify if an active assignment exists. + + 3. **Identification**: Extracts the `assignment_id` from the entity's details + if present. + + 4. **Deletion**: Executes a DELETE request to the Vectra API to remove the identified + assignment. + + + ### Parameters Description: + + | Parameter Name | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Entity ID | String | Yes | The unique numeric identifier of the entity in Vectra + RUX. | + + | Entity Type | DDL | Yes | The category of the entity. Supported values are 'Account' + or 'Host'. | + + + ### Additional Notes: + + * If the entity does not have an active assignment, the action will fail with + a message indicating that no assignment was found. capabilities: can_create_case_comments: false can_create_insight: false @@ -1362,8 +1837,8 @@ Remove Assignment: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Deletes an existing assignment record in Vectra AI via a DELETE request to the - assignments API endpoint. + Deletes an existing assignment record in the Vectra RUX platform via a DELETE + request to the assignments API endpoint. fetches_data: true internal_data_mutation_explanation: null categories: @@ -1383,65 +1858,71 @@ Remove Assignment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Remove Group: ai_description: >- - ### General Description - - Removes specified members from a group in Vectra AI using the group's unique identifier. - This action allows for the automated management of group memberships, which is - useful for containment or policy enforcement workflows. It supports removing various - member types (IPs, Hostnames, Accounts, Domains) depending on the group's configuration - in Vectra. - - - ### Parameters Description - - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | + Removes specified members from a group in Vectra AI. This action identifies a + group by its ID and removes a list of provided members (which can be accounts, + hosts, IPs, or domains depending on the group type). It validates the input, performs + a PATCH request to update the group membership in the external system, and provides + a summary of which members were successfully removed and which were not found + in the group. - | Group ID | String | Yes | The unique identifier of the target group in Vectra - AI. This value must be a valid integer. | - | Members | String | Yes | A comma-separated list of member identifiers to be - removed from the group. The identifier type must match the group's type (e.g., - IP addresses for IP groups, account UIDs for account groups). | - - - ### Additional Notes + ### Flow Description - - The action performs a validation check on the `Group ID` to ensure it is a positive - integer. + 1. **Parameter Extraction**: Retrieves the Group ID and the comma-separated list + of members from the action parameters. - - If the action is unable to remove any of the provided members (e.g., if the - members were not part of the group or the identifiers were invalid), the action - will return a failure status. + 2. **Validation**: Validates that the Group ID is a positive integer. - - The action provides a detailed HTML table showing the updated group properties - and its remaining members. + 3. **Pre-check**: Fetches the current members of the group to verify existence + and prepare for comparison. + 4. **External Mutation**: Sends a PATCH request to the Vectra AI API with the + `membership_action` set to 'remove' to update the group's member list. - ### Flow Description + 5. **Result Processing**: Compares the member list before and after the operation + to determine success. It then renders an HTML table showing the updated group + details and returns the raw JSON response. - 1. **Parameter Extraction:** Retrieves the `Group ID` and the list of `Members` - from the action input. - 2. **Validation:** Validates that the `Group ID` is a valid integer and processes - the `Members` string into a clean list. + ### Parameters Description - 3. **Pre-check:** Fetches the current members of the group from Vectra AI to establish - a baseline. + | Parameter | Type | Mandatory | Description | - 4. **Mutation:** Sends a `PATCH` request to the Vectra AI API with the `membership_action` - set to `remove` for the specified members. + | :--- | :--- | :--- | :--- | - 5. **Result Processing:** Compares the API response with the requested removal - list to determine which members were successfully removed and which were not. + | Group ID | String | Yes | The unique integer identifier of the group in Vectra + AI. | - 6. **Output Generation:** Creates an HTML representation of the updated group, - attaches the raw JSON response, and returns a success or failure message based - on the outcome. + | Members | String | Yes | A comma-separated list of member identifiers to remove. + These should match the group's type (e.g., account UIDs, hostnames, IP addresses, + or domains). | capabilities: can_create_case_comments: false can_create_insight: false @@ -1450,8 +1931,8 @@ Remove Group: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Removes specified members from a group in Vectra AI by sending a PATCH request - to the group's endpoint with the 'remove' membership action. + Removes members from a group in Vectra AI by performing a PATCH request to the + group's endpoint with a 'remove' membership action. fetches_data: true internal_data_mutation_explanation: null categories: @@ -1471,54 +1952,74 @@ Remove Group: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: true + update_ticket: false Remove Note: ai_description: >- ### General Description Removes a specific note from a designated entity within the Vectra platform. This - action allows users to manage and clean up annotations on Hosts, Accounts, or - Detections by providing the unique identifiers for both the entity and the note. + action allows analysts to manage and delete notes associated with Accounts, Hosts, + or Detections by providing the specific Entity ID and Note ID. ### Parameters Description - | Parameter | Type | Mandatory | Description | + | Parameter | Description | Type | Mandatory | | :--- | :--- | :--- | :--- | - | Entity ID | String | Yes | The unique identifier of the entity (Host, Account, - or Detection) from which the note will be removed. | + | Entity ID | The unique identifier of the entity (Account, Host, or Detection) + from which the note should be removed. | String | Yes | - | Note ID | String | Yes | The unique identifier of the specific note to be deleted. - | - - | Entity Type | DDL | Yes | The category of the entity. Supported values are 'Account', - 'Host', and 'Detection'. | + | Note ID | The unique identifier of the specific note to be deleted. | String + | Yes | + | Entity Type | The category of the entity the note is attached to. Options are + Account, Host, or Detection. | DDL | Yes | - ### Additional Notes - - The action validates that both the 'Entity ID' and 'Note ID' are valid integers - before attempting the API call. + ### Flow Description - - This action performs a hard delete of the note in the external Vectra system. + 1. **Initialization**: Retrieve the API configuration (API Root, Client ID, Client + Secret) and action parameters (Entity ID, Note ID, Entity Type). + 2. **Validation**: Validate that the provided Entity ID and Note ID are valid + integers. - ### Flow Description + 3. **Execution**: Send a DELETE request to the Vectra API endpoint corresponding + to the specified entity type and IDs. - 1. **Parameter Extraction**: Retrieves the API configuration (Root, Client ID, - Secret) and the action parameters (Entity ID, Note ID, Entity Type). + 4. **Completion**: Return a success message upon successful deletion or an error + message if the operation fails. - 2. **Validation**: Validates that the provided 'Entity ID' and 'Note ID' are integers - using a utility manager. - 3. **API Interaction**: Initializes the VectraRUXManager and executes a DELETE - request to the specific note endpoint: `api/v3.4/entities/{entity_id}/notes/{note_id}`. + ### Additional Notes - 4. **Result Handling**: If the request is successful, it returns a completion - status. If the note or entity is not found, or if permissions are insufficient, - it catches the specific exception and fails the action with a descriptive error - message. + There are no additional notes for this action. capabilities: can_create_case_comments: false can_create_insight: false @@ -1527,8 +2028,7 @@ Remove Note: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Deletes a specific note record from an entity (Host, Account, or Detection) - within the Vectra platform via a DELETE API request. + Removes a note from an entity in the Vectra platform via a DELETE request. fetches_data: false internal_data_mutation_explanation: null categories: @@ -1548,61 +2048,83 @@ Remove Note: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Remove Tags: ai_description: >- - ### General Description + Removes specific tags from a Vectra AI entity, such as an Account, Host, or Detection. + The action first retrieves the current tags associated with the specified Entity + ID to verify existence, then filters out the tags provided by the user, and finally + updates the entity in Vectra AI with the modified tag list. - The **Remove Tags** action allows users to remove specific tags from an entity - within the Vectra RUX platform. It supports three types of entities: **Account**, - **Host**, and **Detection**. The action first retrieves the existing tags for - the specified entity, filters out the tags requested for removal, and then updates - the entity with the remaining tags. + ### Flow Description: - ### Parameters Description + 1. **Parameter Extraction:** Retrieves the API configuration and action parameters, + including the comma-separated list of tags to remove, the target Entity ID, and + the Entity Type (Account, Host, or Detection). - | Parameter | Type | Mandatory | Description | + 2. **Tag Retrieval:** Calls the Vectra AI API to fetch the current list of tags + for the specified entity. - | :--- | :--- | :--- | :--- | + 3. **Tag Comparison:** Compares the user-provided tags against the existing tags. + It identifies which tags can be successfully removed and which do not exist on + the entity. - | **Tags** | String | Yes | A comma-separated list of tags to be removed from - the entity. | + 4. **External Update:** If at least one tag is found for removal, it sends a PATCH + request to Vectra AI to update the entity's tag list. - | **Entity ID** | String | Yes | The unique identifier of the entity (Account, - Host, or Detection) from which tags should be removed. | + 5. **Result Reporting:** Generates a data table and JSON result summarizing the + status of the removal operation, including which tags were removed and which were + not found. - | **Entity Type** | DDL | Yes | The type of entity. Options are: `Account`, `Host`, - or `Detection`. | + ### Parameters Description: - ### Flow Description - - 1. **Initialization**: The action initializes the Vectra RUX manager using the - provided API credentials (API Root, Client ID, and Client Secret). - - 2. **Parameter Processing**: It parses the comma-separated `Tags` input into a - unique list and validates that the `Entity ID` is a valid integer. + | Parameter | Type | Mandatory | Description | - 3. **Fetch Current State**: The action calls the Vectra API to retrieve the current - list of tags associated with the specified `Entity ID` and `Entity Type`. + | --- | --- | --- | --- | - 4. **Tag Comparison**: It compares the requested tags against the existing tags. - If a requested tag exists, it is marked for removal. + | Tags | String | Yes | A comma-separated list of tags to be removed from the + entity. | - 5. **Update External System**: If valid tags were found and removed, the action - sends a `PATCH` request to the Vectra platform to update the entity's tag list. + | Entity ID | String | Yes | The unique identifier of the entity in Vectra AI + from which tags will be removed. | - 6. **Reporting**: The action generates a JSON result and a data table ('Tag Updated - Status') summarizing the success or failure of the removal for each tag. + | Entity Type | DDL | Yes | The category of the entity. Supported values are 'Account', + 'Host', or 'Detection'. | - ### Additional Notes + ### Additional Notes: - - If none of the tags provided in the input exist on the target entity, the action - will fail with a `TagsUpdateFailException`. + - If none of the specified tags exist on the target entity, the action will fail + with a 'TagsUpdateFailException'. - - The `Entity Type` parameter is case-insensitive in the logic but provided as - a DDL for user convenience. + - The action performs a state change in the external Vectra AI system by modifying + the metadata of the specified entity. capabilities: can_create_case_comments: false can_create_insight: false @@ -1611,8 +2133,9 @@ Remove Tags: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the entity's tag list in Vectra RUX by removing the specified tags via - a PATCH request. + Updates the tag list of an entity (Account, Host, or Detection) in Vectra AI + by sending a PATCH request to the tagging endpoint, effectively removing the + specified tags from the external system. fetches_data: true internal_data_mutation_explanation: null categories: @@ -1632,65 +2155,89 @@ Remove Tags: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Resolve Assignment: ai_description: >- ### General Description - Resolves a specific assignment in Vectra RUX using a provided Assignment ID and - Outcome ID. This action allows analysts to programmatically close assignments - in the Vectra platform, optionally applying triage rules, notes, and associating - specific detection IDs with the resolution. + Resolves a Vectra AI assignment using a specified outcome. This action is used + to close out workflow items in Vectra AI, allowing for the categorization of the + resolution (e.g., as a true or false positive) and the inclusion of supporting + evidence such as notes and detection IDs. ### Parameters Description + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Outcome ID | String | Yes | The ID representing the resolution outcome. Standard - values include 1 (Benign True Positive), 2 (Malicious True Positive), and 3 (False - Positive). Custom outcome IDs are also supported. | + | Outcome ID | String | Yes | The outcome for resolving the assignment. Common + values: 1 (Benign True Positive), 2 (Malicious True Positive), 3 (False Positive). + Custom outcomes are also supported. | - | Assignment ID | String | Yes | The unique integer identifier of the assignment - to be resolved. | + | Assignment ID | String | Yes | The unique identifier of the assignment to be + resolved. | - | Note Title | String | No | An optional note or title to be attached to the assignment - resolution record. | + | Note Title | String | No | A note or title to be added to the assignment resolution. + | - | Triage As | String | No | An optional triage rule to apply to the assignment. + | Triage As | String | No | The triage rule to apply when resolving the assignment. | | Detection IDs | String | No | A comma-separated list of integer detection IDs - to be associated with this resolution. | + to associate with the resolution. | - ### Additional Notes + ### Flow Description - - **Dependency:** If the **Triage As** parameter is provided, at least one **Detection - ID** must also be provided; otherwise, the action will fail with a validation - error. + 1. **Parameter Extraction:** Retrieves API credentials and action parameters (`Assignment + ID`, `Outcome ID`, `Note Title`, `Triage As`, `Detection IDs`). - - **Validation:** Both the **Assignment ID** and **Outcome ID** must be valid - integer strings. + 2. **Validation:** Validates that `Assignment ID` and `Outcome ID` are integers. + If `Detection IDs` are provided, they are also validated as integers. + 3. **Dependency Check:** Ensures that if `Triage As` is specified, `Detection + IDs` are not empty. - ### Flow Description + 4. **API Interaction:** Calls the Vectra AI API via a `PUT` request to resolve + the assignment. - 1. **Parameter Extraction and Validation:** The action retrieves all input parameters - and validates that the Assignment ID and Outcome ID are integers. It also ensures - that if a triage rule is specified, detection IDs are also present. + 5. **Result Processing:** Captures the API response, creates a data table named + 'Resolved Assignment', and attaches the raw JSON result. - 2. **Authentication:** The action authenticates with the Vectra RUX API using - the provided Client ID and Client Secret to obtain a bearer token. - 3. **API Request:** It executes a `PUT` request to the Vectra RUX resolution endpoint - (`/assignments/{assignment_id}/resolve`) with a payload containing the outcome, - notes, and triage details. + ### Additional Notes - 4. **Result Handling:** Upon a successful API response, the action parses the - updated assignment object, adds the raw JSON to the execution results, and generates - a data table for the case wall displaying the resolution details. + * If the `Triage As` parameter is configured, the `Detection IDs` parameter must + also be provided; otherwise, the action will fail. + + * The `Assignment ID` and `Outcome ID` must be valid integer values. capabilities: can_create_case_comments: false can_create_insight: false @@ -1699,8 +2246,8 @@ Resolve Assignment: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the status of an assignment in the Vectra RUX platform to 'Resolved' - and applies specific outcomes, notes, and triage rules via a PUT request. + Resolves an assignment in Vectra AI by updating its status with a specific outcome + ID, and optionally adding notes, triage rules, and associated detection IDs. fetches_data: true internal_data_mutation_explanation: null categories: @@ -1720,47 +2267,73 @@ Resolve Assignment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: true Unmark Detection Fixed: ai_description: >- ### General Description - Unmarks specified detections as fixed in the Vectra AI platform. This action is + Unmarks specific detections as fixed in the Vectra AI platform. This action is used to revert the status of detections that were previously marked as resolved - or fixed, allowing them to be re-evaluated or tracked as active issues within - the Vectra console. + or fixed, allowing them to be re-evaluated or monitored again within the Vectra + interface. - ### Parameters + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Detection IDs | String | Yes | Comma-separated values of numeric IDs for the - detections to be unmarked as fixed. | + | Detection IDs | String | Yes | A comma-separated list of numeric IDs representing + the detections to be unmarked as fixed. | ### Flow Description - 1. **Initialization**: The action initializes the VectraRUXManager using the provided - API Root, Client ID, and Client Secret to establish an authenticated session. + 1. **Parameter Extraction**: Retrieves the `Detection IDs` string from the action + input. - 2. **Parameter Parsing**: It extracts the `Detection IDs` string from the input, - splits it by commas, and validates that each ID is a valid integer. + 2. **Validation**: Splits the comma-separated string into individual IDs and validates + that each ID is a valid integer. - 3. **API Interaction**: It sends a PATCH request to the Vectra AI detections endpoint - (`/api/v3.4/detections`) with a payload containing the list of IDs and the `mark_as_fixed` - flag set to `False`. + 3. **API Interaction**: Initializes the `VectraRUXManager` and sends a `PATCH` + request to the Vectra AI detections endpoint. The request payload sets the `mark_as_fixed` + attribute to `False` for the provided list of detection IDs. - 4. **Result Handling**: The raw JSON response from the Vectra API is captured - and added to the action's result JSON, and the action completes with a success - message if the request was processed. + 4. **Result Processing**: Captures the API response and attaches it to the action + results as a JSON object for further use in the playbook. ### Additional Notes - This action does not operate on Google SecOps entities; it requires the manual - provision of Detection IDs via the action parameters. + - This action performs a state change in the external Vectra AI system. + + - Ensure that the provided IDs correspond to existing detections in the target + Vectra environment. capabilities: can_create_case_comments: false can_create_insight: false @@ -1769,8 +2342,8 @@ Unmark Detection Fixed: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the status of specific detections in Vectra AI by unmarking them as - fixed via a PATCH request to the detections endpoint. + Updates the 'mark_as_fixed' status of specific detections to 'False' in the + Vectra AI platform via a PATCH request. fetches_data: false internal_data_mutation_explanation: null categories: @@ -1790,53 +2363,84 @@ Unmark Detection Fixed: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Update Assignment: ai_description: >- ### General Description - Updates the assigned user for a Vectra RUX assignment associated with a specific - entity. This action is used to reassign investigations or tasks within the Vectra - platform to a different user by targeting the assignment linked to a Host or Account. + The **Update Assignment** action is designed to change the assigned user for a + specific assignment associated with a Host or Account entity within the Vectra + RUX platform. This action is primarily used for workflow management, allowing + analysts to programmatically reassign investigations or tasks to different users + based on their User ID. - ### Parameters + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Entity ID | String | Yes | The unique identifier of the entity (Host or Account) - whose assignment is being updated. | + | **Entity ID** | string | Yes | The unique identifier of the entity (Host or + Account) whose assignment needs to be updated. | - | Entity Type | DDL | Yes | The category of the entity. Supported values: `Account`, - `Host`. | + | **Entity Type** | ddl | Yes | The type of the entity. Expected values are 'Account' + or 'Host'. | - | User ID | String | Yes | The unique identifier of the Vectra user to whom the - assignment will be transferred. | + | **User ID** | string | Yes | The unique identifier of the user to whom the assignment + will be reassigned. | ### Flow Description - 1. **Parameter Extraction**: The action retrieves the Entity ID, Entity Type, - and target User ID from the input parameters. + 1. **Validation**: The action first validates that the provided `Entity ID` and + `User ID` are valid integers. - 2. **Validation**: It validates that the Entity ID and User ID are valid integers. + 2. **Entity Lookup**: It performs a GET request to the Vectra API to retrieve + information about the specified entity (Host or Account). - 3. **Assignment Retrieval**: It queries the Vectra API to find the specific assignment - ID associated with the provided entity. + 3. **Assignment Identification**: From the entity details, the action extracts + the current `assignment_id`. If no assignment is found for the entity, the action + fails with an 'Item Not Found' error. - 4. **Update Execution**: It performs a PUT request to the Vectra assignments endpoint - to update the `assign_to_user_id` field with the new User ID. + 4. **Update Request**: The action sends a PUT request to the Vectra assignments + endpoint, updating the `assign_to_user_id` field with the new `User ID`. - 5. **Result Reporting**: The action returns the updated assignment details as - a JSON object and populates a data table named "Updated Assignment" for visibility - in the case wall. + 5. **Output**: Upon success, the action returns the updated assignment details + in a JSON format and populates a data table named 'Updated Assignment' with the + change details. ### Additional Notes - The action will fail if the specified entity does not have an active assignment - or if the provided IDs are invalid. + This action performs a state change in the external Vectra RUX system by modifying + the ownership of an assignment. It does not interact with Google SecOps entities + directly from the case context but rather uses the provided parameters to identify + the target resource. capabilities: can_create_case_comments: false can_create_insight: false @@ -1845,8 +2449,8 @@ Update Assignment: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the assigned user for a specific assignment in Vectra RUX via a PUT - request to the assignments API endpoint. + Updates the 'assign_to_user_id' field of an existing assignment in the Vectra + RUX platform via a PUT request. fetches_data: true internal_data_mutation_explanation: null categories: @@ -1866,3 +2470,28 @@ Update Assignment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: true diff --git a/content/response_integrations/third_party/community/vectra_rux/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/vectra_rux/resources/ai/connectors_ai_description.yaml new file mode 100644 index 000000000..ce0c3a893 --- /dev/null +++ b/content/response_integrations/third_party/community/vectra_rux/resources/ai/connectors_ai_description.yaml @@ -0,0 +1,82 @@ +Vectra RUX - Entities Connector: + ai_description: >- + ### General Description + + The Vectra RUX - Entities Connector integrates with the Vectra RUX platform to + ingest security data into Google SecOps. It focuses on monitoring 'Entities' (either + Hosts or Accounts) that have active detections. The connector maps each Vectra + entity to a SOAR alert and its associated detections to alert events, providing + a comprehensive view of suspicious asset activity. It supports stateful tracking + to ensure only new or modified entities are processed and uses source grouping + to maintain case continuity. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | API Root | String | Yes | The base URL of the Vectra RUX API (e.g., https://
:). + | + + | Client ID | String | Yes | Unique identifier assigned to the client for API + authentication. | + + | Client Secret | Password | Yes | Confidential key associated with the Client + ID for secure authorization. | + + | DeviceProductField | String | Yes | The field name used to determine the device + product (Default: Vectra RUX). | + + | Entity Type | String | Yes | The type of Vectra entity to retrieve: 'Host' or + 'Account'. | + + | EventClassId | String | Yes | The field name used to determine the event name + or sub-type (Default: detection_type). | + + | Limit | Integer | No | Maximum number of entities to fetch in a single execution + cycle. | + + | Max Hours Backwards | Integer | No | Number of hours to look back for entities + during the first connector iteration. | + + | Prioritized | Boolean | No | If enabled, only entities with a priority score + above the configured threshold are retrieved. | + + | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the + Python process running the script. | + + | Specific Tag | String | No | A specific tag used to filter the entities retrieved + from the platform. | + + + ### Flow Description + + 1. **Authentication**: The connector establishes a session with the Vectra RUX + API using OAuth2 credentials (Client ID and Secret), managing access and refresh + tokens via a local file stream. + + 2. **Initialization & Validation**: It validates input parameters, ensuring the + entity type is either 'Host' or 'Account' and calculating the start time based + on the 'Max Hours Backwards' or the last successful execution timestamp. + + 3. **Entity Retrieval**: The connector queries the Vectra RUX `/entities` endpoint + for active entities modified since the last run. It applies filters for prioritization + and specific tags if provided. + + 4. **Duplicate Prevention**: It filters out already processed entities by comparing + a unique identifier composed of the Entity ID and its Last Modified Timestamp + against a stored list of IDs. + + 5. **Detection & Assignment Enrichment**: For each valid entity, the connector + fetches associated active detections (to be used as events) and current user assignments + from the Vectra platform. + + 6. **Alert Mapping**: The Vectra Entity is mapped to a Google SecOps Alert. Detections + are flattened and mapped as Events within that alert. A Source Grouping Identifier + (`entity_type#entity_id`) is assigned to facilitate case grouping. + + 7. **Ingestion**: The connector checks for alert overflow and then ingests the + processed alerts into Google SecOps, updating the last success timestamp and ID + list upon completion. diff --git a/content/response_integrations/third_party/community/vectra_rux/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/vectra_rux/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..971d37ab1 --- /dev/null +++ b/content/response_integrations/third_party/community/vectra_rux/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: true + cloud_security: true + collaboration: false + edr: false + email_security: false + iam_and_identity_management: true + itsm: true + network_security: true + siem: true + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/vectra_rux/resources/ai/jobs_ai_description.yaml b/content/response_integrations/third_party/community/vectra_rux/resources/ai/jobs_ai_description.yaml new file mode 100644 index 000000000..993bbbe9f --- /dev/null +++ b/content/response_integrations/third_party/community/vectra_rux/resources/ai/jobs_ai_description.yaml @@ -0,0 +1,32 @@ +Vectra RUX - Clear Empty Cases Job: + ai_description: "### General Description\nThis job performs maintenance on Google\ + \ SecOps cases generated by the Vectra RUX integration. Its primary purpose is\ + \ to reduce SOC noise by identifying and closing redundant or duplicate cases\ + \ and alerts. The job analyzes open cases to determine if the underlying detections\ + \ (events) are already being investigated in other active cases. If a case or\ + \ alert is found to be a complete duplicate of another, it is automatically closed\ + \ with a specific root cause, ensuring analysts focus only on unique security\ + \ incidents.\n\n### Parameters Description\n| Parameter | Type | Mandatory | Description\ + \ |\n| :--- | :--- | :--- | :--- |\n| Max Hours Backwards | String | No | The\ + \ maximum number of hours to look back for open cases to process. Default is '24'.\ + \ Set to '0' to fetch and process all open cases regardless of their creation\ + \ time. |\n| Environments | String | Yes | A comma-separated list of environments\ + \ to include in the cleanup process. Default is 'Default Environment'. |\n| Products\ + \ | String | Yes | A comma-separated list of product names used to filter relevant\ + \ alerts within the cases. Default is 'Vectra RUX'. |\n\n### Flow Description\n\ + 1. **Initialization**: The job retrieves the configuration parameters and determines\ + \ the starting timestamp for the search based on the \"Max Hours Backwards\" setting\ + \ and the last successful execution time stored in the database.\n2. **Case Retrieval**:\ + \ It queries Google SecOps for all open cases that match the specified time range\ + \ and environment filters.\n3. **Alert Analysis**: For each retrieved case, the\ + \ job fetches associated alerts and filters them by the specified product names.\ + \ It then extracts the unique detection (event) IDs from these alerts.\n4. **Redundancy\ + \ Check**: The job builds a map of detections across all processed cases. It identifies\ + \ alerts or entire cases where all associated detection IDs are already present\ + \ in other active investigations.\n5. **Cleanup**: \n * If an entire case is\ + \ found to be redundant (all its alerts are duplicates), the job closes the case\ + \ with the reason \"Similar case already under investigation\".\n * If only\ + \ specific alerts within a case are redundant, it closes those individual alerts\ + \ with the reason \"Similar alert already under investigation\".\n6. **Finalization**:\ + \ The job saves the current execution timestamp to the scoped job context to serve\ + \ as the baseline for the next run." diff --git a/content/response_integrations/third_party/community/vorlon/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/vorlon/resources/ai/actions_ai_description.yaml index 0220713c0..d546f55e0 100644 --- a/content/response_integrations/third_party/community/vorlon/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/vorlon/resources/ai/actions_ai_description.yaml @@ -1,36 +1,35 @@ Get Alerts: ai_description: >- - ### General Description - - This action retrieves a list of alerts from the Vorlon platform based on user-defined - filters. It is primarily used for searching and auditing alerts within the Vorlon - environment, allowing analysts to fetch specific alert details or broad sets of - alerts based on service IDs, timeframes, and status. + Retrieves a list of alerts from the Vorlon platform based on specified filtering + criteria. This action allows analysts to query for alerts by requesting or responding + service IDs, specific alert IDs, time ranges, and alert statuses. The results + are returned as a JSON object for further processing within the playbook. ### Parameters Description + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Requesting Service | String | No | A comma-separated list of requesting service - IDs to include in the filter. | + | Requesting Service | String | No | A comma-separated list of service IDs that + initiated the request associated with the alert. | - | Responding Service | String | No | A comma-separated list of responding service - IDs to include in the filter. | + | Responding Service | String | No | A comma-separated list of service IDs that + responded to the request associated with the alert. | - | Alert IDs | String | No | A comma-separated list of specific alert IDs to retrieve. - | + | Alert IDs | String | No | A comma-separated list of specific Vorlon alert IDs + to retrieve. | - | From | String | No | Filter alerts from this start time. Expected format: "YYYY-MM-DDTHH:MM:SS" - (e.g., 2023-01-01T00:00:00). | + | From | String | No | The start time for the alert search in 'YYYY-MM-DDTHH:MM:SS' + format (e.g., 2023-10-01T12:00:00). | - | To | String | No | Filter alerts up to this end time. Expected format: "YYYY-MM-DDTHH:MM:SS". - | + | To | String | No | The end time for the alert search in 'YYYY-MM-DDTHH:MM:SS' + format. | - | Alert Status | DDL | No | The status of alerts to retrieve. Options: `open`, - `dismissed`, `resolved`. Default is `open`. | + | Alert Status | DDL | No | Filters alerts by their current status. Options: 'open', + 'dismissed', 'resolved'. Default is 'open'. | | Limit | String | No | The maximum number of alerts to return. Default is 100. | @@ -38,31 +37,28 @@ Get Alerts: ### Additional Notes - - The action performs time conversion from the provided string format to epoch - timestamps required by the Vorlon API. - - - If no alerts are found, the action returns an empty JSON object. + - This action does not run on entities; it is a standalone search action. - - This action does not operate on specific entities within the Google SecOps case; - it is a standalone search action. + - Time parameters must follow the strict ISO-like format 'YYYY-MM-DDTHH:MM:SS' + to be correctly converted to epoch time for the API request. ### Flow Description - 1. **Initialization**: The action extracts configuration credentials (API Root, - Client ID, Client Secret) and action parameters. + 1. **Parameter Extraction:** The action retrieves configuration settings (API + Root, Credentials) and user-provided filter parameters. - 2. **Authentication**: It initializes the `VorlonManager`, which handles OAuth2 - token retrieval and session management. + 2. **Manager Initialization:** A VorlonManager instance is created to handle authentication + and API communication. - 3. **Data Preparation**: It cleans input strings (removing extra spaces) and converts - the `From` and `To` time strings into epoch timestamps. + 3. **Data Transformation:** Comma-separated strings for services and IDs are cleaned + of whitespace. Date strings are converted into Unix epoch timestamps. - 4. **API Request**: It sends a GET request to the `/rest/v1/alerts` endpoint with - the constructed query parameters. + 4. **API Request:** The action performs a GET request to the Vorlon `/rest/v1/alerts` + endpoint with the constructed query parameters. - 5. **Result Processing**: The retrieved alerts are added to the action's JSON - result, and the action completes successfully. + 5. **Result Processing:** The retrieved alerts are added to the action's JSON + results, and the execution status is updated based on the success of the API call. capabilities: can_create_case_comments: false can_create_insight: false @@ -90,48 +86,66 @@ Get Alerts: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get All Services: ai_description: >- ### General Description The **Get All Services** action retrieves a comprehensive list of all detected - and observed services from the Vorlon platform. This action is primarily used - for visibility and auditing, allowing users to see the full scope of services - monitored by the Vorlon integration. + and observed services from the Vorlon server. This action is primarily used for + inventory discovery and visibility into the services monitored by the Vorlon platform. ### Parameters Description - There are no action-specific parameters for this action. It utilizes the global - integration configuration parameters: - - * **API Root**: The base URL of the Vorlon API. - - * **Client ID**: The unique identifier for API authentication. + There are no action-specific parameters for this action. It relies solely on the + integration's global configuration (API Root, Client ID, and Client Secret) to + authenticate and communicate with the Vorlon API. - * **Client Secret**: The secret key for API authentication. + ### Flow Description - ### Additional Notes - - This action does not operate on specific entities (such as IPs or Hostnames) and - instead fetches a global list of services from the connected Vorlon instance. - The results are returned as a raw JSON object. + 1. **Initialization**: The action initializes the Siemplify environment and retrieves + the necessary configuration parameters for the Vorlon integration. + 2. **Authentication**: It establishes a session with the Vorlon server using the + provided credentials to obtain an OAuth2 access token. - ### Flow Description + 3. **Data Retrieval**: The action calls the `get_all_services` method in the Vorlon + Manager, which executes a GET request to the `/rest/v1/services` endpoint. - 1. **Initialization**: The action initializes the connection to the Vorlon platform - using the provided API Root and credentials. + 4. **Result Processing**: The retrieved JSON list of services is attached to the + action's results, and the action completes with a success message. - 2. **Authentication**: It retrieves an OAuth2 access token using the Client ID - and Client Secret. - 3. **Data Retrieval**: The action performs a GET request to the `/rest/v1/services` - endpoint to fetch all service data. + ### Additional Notes - 4. **Output**: The retrieved service list is attached to the action results as - a JSON object, and the action completes with a success message. + This action does not operate on specific entities within a case; it performs a + global fetch of service data from the external system. capabilities: can_create_case_comments: false can_create_insight: false @@ -159,67 +173,89 @@ Get All Services: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Connection Summary: ai_description: >- - ### General Description - - The **Get Connection Summary** action retrieves a summary of network connections - for a specific service from the Vorlon platform. This action is used to gather - high-level connection statistics and metadata, allowing users to filter results - by instance, time range, and connection type (observed or detected). + Retrieves a summary of network connections for a specific service from the Vorlon + platform. This action allows analysts to query connection data based on service + identifiers, time ranges, and connection types (observed or detected). The retrieved + data is returned as a JSON object for use in subsequent playbook steps. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Service ID** | string | Yes | The unique identifier (typically the service - name or application name) for which to retrieve the connection summary. | + | Service ID | string | Yes | The unique identifier for the service (typically + the service or app name) to retrieve the connection summary for. | - | **Instance ID** | string | No | If provided, filters the connection summary - by a specific instance ID of the service. | + | Instance ID | string | No | If provided, filters the results by a specific instance + ID of the service. | - | **From** | string | No | Filters connections starting from this timestamp. Expected - format: `YYYY-MM-DDTHH:MM:SS` (e.g., `2023-01-01T12:00:00`). | + | From | string | No | Filters results by a start time in 'YYYY-MM-DDTHH:MM:SS' + format (e.g., 2023-10-01T12:00:00). | - | **To** | string | No | Filters connections up to this timestamp. Expected format: - `YYYY-MM-DDTHH:MM:SS` (e.g., `2023-01-01T13:00:00`). | + | To | string | No | Filters results by an end time in 'YYYY-MM-DDTHH:MM:SS' format + (e.g., 2023-10-01T13:00:00). | - | **Type** | ddl | No | The type of connection to retrieve. Available options - are `observed` (default) or `detected`. | + | Type | ddl | No | The type of connection to retrieve. Options are 'observed' + (default) or 'detected'. | - | **Secret IDs** | string | No | A comma-separated list of secret IDs to filter - the connection summary. | + | Secret IDs | string | No | A comma-separated list of secret IDs to filter the + connection summary. | - ### Additional Notes + ### Flow Description - - This action does not operate on entities within the SOAR case; it relies entirely - on the provided `Service ID` and optional filter parameters. + 1. **Parameter Extraction:** The action retrieves the API configuration (Root + URL, Client ID, Client Secret) and the user-provided action parameters. - - The `Service ID` is a required path parameter for the underlying API request. + 2. **Manager Initialization:** Initializes the VorlonManager, which handles authentication + and token management. + 3. **Data Transformation:** Converts the 'From' and 'To' timestamp strings into + epoch format and cleans the 'Secret IDs' string by removing unnecessary spaces. - ### Flow Description + 4. **API Request:** Executes a GET request to the Vorlon API endpoint `/rest/v1/connections/summary/{service_id}` + with the specified filters. - 1. **Parameter Extraction**: The action extracts the Vorlon API configuration - (API Root, Client ID, Client Secret) and the user-provided action parameters. + 5. **Result Processing:** Validates the response and attaches the connection summary + data to the action's JSON result. - 2. **Time Validation**: If `From` or `To` parameters are provided, the action - validates the format and converts the strings into epoch timestamps. - 3. **API Request**: The action initializes the `VorlonManager` and calls the `get_connection_summary` - method, which sends a GET request to the Vorlon API endpoint `/rest/v1/connections/summary/{service_id}` - with the specified filters. + ### Additional Notes - 4. **Result Handling**: The retrieved JSON data is added to the action's result - object. + - The 'Service ID' is a path parameter in the API request and is strictly required + for the action to execute. - 5. **Completion**: The action concludes with a success message and the fetched - data, or fails if the service ID is missing, the API returns an error, or the - response is empty. + - Time parameters must follow the exact format 'YYYY-MM-DDTHH:MM:SS' or the action + will fail during the conversion process. capabilities: can_create_case_comments: false can_create_insight: false @@ -247,34 +283,78 @@ Get Connection Summary: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Connections: - ai_description: "### General Description\nThe **Get Connections** action retrieves\ - \ connection details for a specific service from the Vorlon platform. It allows\ - \ security analysts to query network or application connections associated with\ - \ a service ID, providing visibility into communication patterns and associated\ - \ secrets. The results are returned as a JSON object for further processing in\ - \ playbooks.\n\n### Parameters Description\n| Parameter | Type | Mandatory | Description\ - \ |\n| :--- | :--- | :--- | :--- |\n| **Service ID** | String | Yes | The unique\ - \ identifier for the service (typically the service name or app name) for which\ - \ connections are retrieved. |\n| **Instance ID** | String | No | Filters the\ - \ results by a specific instance ID of the service. |\n| **From** | String | No\ - \ | Filters connections starting from this time. Expected format: `YYYY-MM-DDTHH:MM:SS`.\ - \ |\n| **To** | String | No | Filters connections up to this time. Expected format:\ - \ `YYYY-MM-DDTHH:MM:SS`. |\n| **Secret IDs** | String | No | A comma-separated\ - \ list of secret IDs to filter the connection results. |\n| **Limit** | String\ - \ | No | The maximum number of connection records to return. Defaults to 100.\ - \ |\n\n### Additional Notes\n- The action requires a valid **Service ID** to function.\ - \ \n- Time parameters must strictly follow the `YYYY-MM-DDTHH:MM:SS` format to\ - \ be correctly converted to epoch time by the integration.\n\n### Flow Description\n\ - 1. **Parameter Extraction:** The action retrieves the API configuration (API Root,\ - \ Client ID, Client Secret) and user-provided parameters including the mandatory\ - \ Service ID and optional filters.\n2. **Manager Initialization:** It initializes\ - \ the `VorlonManager` which handles authentication and token management.\n3. **Data\ - \ Retrieval:** The action calls the Vorlon API's connections endpoint (`/rest/v1/connections/{service_id}`)\ - \ using a GET request, passing the filters (Instance ID, time range, secrets,\ - \ and limit) as query parameters.\n4. **Result Processing:** The retrieved connection\ - \ data is attached to the action result as a JSON object, and the action completes\ - \ with a success message." + ai_description: >- + Retrieves connection records for a specified service from the Vorlon platform. + This action allows analysts to query historical connection data, filtered by instance, + time range, and associated secrets, to understand service interactions and potential + security implications. + + + ### Parameters + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Service ID | string | Yes | The unique identifier or name of the service (e.g., + app name) to retrieve connections for. | + + | Instance ID | string | No | If provided, filters the results by the specific + instance ID of the service. | + + | From | string | No | Filters connections starting from this time. Expected format: + "YYYY-MM-DDTHH:MM:SS" (e.g., 1970-01-01T00:00:00). | + + | To | string | No | Filters connections up to this time. Expected format: "YYYY-MM-DDTHH:MM:SS" + (e.g., 1970-01-01T00:00:00). | + + | Secret IDs | string | No | A comma-separated list of secret IDs to filter the + connection results. | + + | Limit | string | No | The maximum number of connection records to return. Default + value is 100. | + + + ### Flow Description + + 1. **Authentication:** The action initializes the Vorlon manager using the provided + API Root, Client ID, and Client Secret to obtain an access token. + + 2. **Parameter Processing:** It extracts the Service ID and optional filters (Instance + ID, Secret IDs, Limit). It also validates and converts the 'From' and 'To' date + strings into epoch timestamps. + + 3. **Data Retrieval:** The action performs a GET request to the Vorlon API endpoint + specific to the provided Service ID, applying the defined filters as query parameters. + + 4. **Result Handling:** The retrieved connection data is added to the action's + JSON results, and the execution is marked as completed with a success message. capabilities: can_create_case_comments: false can_create_insight: false @@ -302,15 +382,40 @@ Get Connections: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Linked Alerts: ai_description: >- ### General Description - Retrieves a list of alerts from the Vorlon platform that are linked to a specific - Alert ID. Alerts are considered linked if they share the same secret ID and belong - to the same alert group. This action is primarily used for incident investigation - to identify related security events and understand the broader context of a specific - alert. + The **Get Linked Alerts** action retrieves a list of alerts from the Vorlon platform + that are logically linked to a specific Alert ID. Alerts are considered linked + if they share the same secret ID and belong to the same alert group. This action + is primarily used for incident investigation to identify related security events + and understand the broader scope of a potential threat. ### Parameters Description @@ -319,42 +424,46 @@ Get Linked Alerts: | :--- | :--- | :--- | :--- | - | **Alert ID** | String | Yes | The unique identifier of the alert for which linked + | **Alert ID** | string | Yes | The unique identifier of the alert for which linked alerts should be retrieved. | - | **Alert Status** | DDL | No | Filters the linked alerts by their current status. - Supported values: `open`, `dismissed`, `resolved`. | + | **Alert Status** | ddl | No | Filters the results by the status of the linked + alerts. Options include: `open`, `dismissed`, `resolved`. | - | **Page** | String | No | The page number to retrieve for paginated results. + | **Page** | string | No | The page number to retrieve for paginated results. | - | **Limit** | String | No | The maximum number of linked alerts to return in the - response. Default is 100. | + | **Limit** | string | No | The maximum number of linked alerts to return. Defaults + to 100 if not specified. | - ### Additional Notes + ### Flow Description - - This action does not process SecOps entities; it operates solely based on the - provided **Alert ID** parameter. + 1. **Parameter Extraction:** The action retrieves the API configuration (Root + URL, Client ID, Client Secret) and the user-provided parameters (Alert ID, Status, + Page, Limit). - - The retrieved data is returned as a JSON object, which can be used for downstream - logic in playbooks. + 2. **Manager Initialization:** A `VorlonManager` instance is created to handle + authentication and communication with the Vorlon API. + 3. **Data Retrieval:** The action calls the `get_linked_alerts` method, which + sends a GET request to the Vorlon server's linked alerts endpoint using the provided + Alert ID and filters. - ### Flow Description + 4. **Result Processing:** The retrieved list of linked alerts is attached to + the action's execution results as a JSON object. + + 5. **Completion:** The action concludes with a success message if data is retrieved + or an error message if the request fails or no linked alerts are found. - 1. **Initialization**: The action extracts the Vorlon API configuration (API Root, - Client ID, Client Secret) and the user-provided parameters. - 2. **API Connection**: It establishes a session with the Vorlon server and retrieves - an access token. + ### Additional Notes - 3. **Data Retrieval**: The action performs a GET request to the Vorlon endpoint - `/rest/v1/alerts/linked/{id}` using the provided Alert ID and optional filters - (status, page, limit). + * This action does not process entities from the SOAR case; it relies entirely + on the provided **Alert ID** parameter. - 4. **Output**: The list of linked alerts is processed and added to the action's - JSON results, and a success message is returned to the SOAR platform. + * If no linked alerts are found, the action will return a failure status with + a descriptive message. capabilities: can_create_case_comments: false can_create_insight: false @@ -382,55 +491,80 @@ Get Linked Alerts: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Secrets: ai_description: >- ### General Description - Retrieves detailed information about secrets from the Vorlon platform. This action - allows users to fetch data for specific secrets using their unique identifiers - or to retrieve all secrets associated with a particular service. The retrieved - data is returned as a JSON object for use in subsequent playbook steps. + The **Get Secrets** action retrieves detailed information about secrets stored + within the Vorlon platform. It allows users to query for specific secrets by their + unique identifiers or to list all secrets associated with a particular service. + This action is primarily used for gathering metadata and configuration details + about managed secrets. ### Parameters Description - | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Service ID** | String | No | The unique identifier (typically the service - name) for which to retrieve associated secrets. | + | **Service ID** | String | No | The unique identifier for a service (typically + the service name). When provided, the action fetches all secrets linked to this + specific service. | - | **Secret IDs** | String | No | A comma-separated list of specific secret IDs - to retrieve details for. | + | **Secret IDs** | String | No | A comma-separated list of specific secret identifiers + to retrieve. | ### Additional Notes - **Mutual Exclusivity:** The action requires exactly one of the two parameters - to be provided. If both `Service ID` and `Secret IDs` are provided, or if neither - is provided, the action will fail with an error message. + to be configured. Providing both the `Service ID` and `Secret IDs`, or leaving + both empty, will result in an execution failure. - - **Entity Support:** This action does not operate on SecOps entities; it is a - data retrieval utility based on user-provided parameters. + - This action does not process or filter SOAR entities; it operates as a standalone + data retrieval utility. ### Flow Description - 1. **Initialization:** The action initializes the Vorlon manager using the API - Root, Client ID, and Client Secret from the integration configuration. + 1. **Authentication:** The action initializes the Vorlon manager and authenticates + with the API using the configured Client ID and Client Secret to obtain a bearer + token. - 2. **Parameter Extraction:** It extracts the `Service ID` and `Secret IDs` from - the action parameters. + 2. **Input Validation:** The logic verifies that either `Secret IDs` or `Service + ID` is provided, ensuring they are not used simultaneously. - 3. **Validation & Request:** The manager validates that only one parameter is - set and then performs a GET request to the `/rest/v1/secrets` endpoint on the - Vorlon server. + 3. **API Request:** A GET request is dispatched to the `/rest/v1/secrets` endpoint, + passing the selected identifier as a query parameter. - 4. **Result Handling:** The resulting secret data is added to the action's JSON - result, and the action completes with a success message if the data is successfully - fetched. + 4. **Result Processing:** The JSON response containing the secret details is captured + and attached to the action's execution results. capabilities: can_create_case_comments: false can_create_insight: false @@ -458,29 +592,53 @@ Get Secrets: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: ai_description: "### General Description\nThe **Ping** action is a diagnostic tool\ - \ used to verify the connectivity between Google SecOps and the **Vorlon** instance.\ - \ It ensures that the provided credentials (Client ID and Client Secret) are valid\ - \ and that the API Root is reachable.\n\n### Parameters Description\n| Parameter\ - \ Name | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| **API\ - \ Root** | String | Yes | The base URL of the Vorlon API instance. |\n| **Client\ - \ ID** | String | Yes | The unique identifier for the API client used for authentication.\ - \ |\n| **Client Secret** | String | Yes | The secret key associated with the Client\ - \ ID for secure authentication. |\n\n*Note: These parameters are extracted from\ - \ the integration configuration rather than action-specific inputs.*\n\n### Flow\ - \ Description\n1. **Initialization**: The action starts by initializing the Siemplify\ - \ context and logging the start of the process.\n2. **Configuration Extraction**:\ - \ It retrieves the `API Root`, `Client ID`, and `Client Secret` from the Vorlon\ - \ integration settings.\n3. **Manager Setup**: It instantiates the `VorlonManager`.\ - \ During instantiation, the manager automatically attempts to retrieve an OAuth2\ - \ access token using the provided credentials.\n4. **Connectivity Test**: The\ - \ action calls the `test_connectivity` method, which performs a `GET` request\ - \ to the `/rest/v1/services` endpoint of the Vorlon API.\n5. **Result Handling**:\ - \ \n * If the request is successful, the action completes with a success\ - \ message.\n * If an error occurs (e.g., authentication failure, network\ - \ timeout), the exception is caught, and the action fails with a descriptive error\ - \ message." + \ designed to verify the connectivity between Google SecOps and the **Vorlon**\ + \ platform. It validates that the integration's configuration parameters\u2014\ + specifically the API Root, Client ID, and Client Secret\u2014are correct and that\ + \ the Vorlon API is reachable and responding to requests.\n\n### Parameters Description\n\ + This action does not have any input parameters. It utilizes the global integration\ + \ configuration settings:\n\n| Parameter | Type | Mandatory | Description |\n\ + | :--- | :--- | :--- | :--- |\n| API Root | String | Yes | The base URL of the\ + \ Vorlon API instance. |\n| Client ID | String | Yes | The unique identifier used\ + \ for OAuth2 authentication. |\n| Client Secret | String | Yes | The secret key\ + \ used for OAuth2 authentication. |\n\n### Flow Description\n1. **Parameter Extraction**:\ + \ The action retrieves the API Root, Client ID, and Client Secret from the integration's\ + \ configuration.\n2. **Manager Initialization**: It initializes the `VorlonManager`.\ + \ During initialization, the manager performs an authentication handshake by sending\ + \ a POST request to the token endpoint to obtain a Bearer token.\n3. **Connectivity\ + \ Check**: The action executes the `test_connectivity` method, which performs\ + \ a GET request to the `/rest/v1/services` endpoint.\n4. **Execution Outcome**:\ + \ If the API call is successful, the action returns a success message. If the\ + \ authentication fails or the endpoint is unreachable, the action catches the\ + \ exception and reports a failure status with the error details.\n\n### Additional\ + \ Notes\nThere are no action-specific parameters for this resource." capabilities: can_create_case_comments: false can_create_insight: false @@ -489,7 +647,7 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false @@ -508,15 +666,45 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Update Alert: ai_description: >- + Updates an alert's details or status within the Vorlon platform. This action allows + for programmatic modification of alert attributes by submitting a JSON-formatted + update request to the Vorlon API. + + ### General Description - Updates an alert's details or status within the Vorlon platform. This action allows - for programmatic management of alerts, such as dismissing them or changing their - status, by providing a JSON-formatted update request. It is primarily used for - workflow automation where alert states need to be synchronized between Google - SecOps and the Vorlon server. + This action interacts with the Vorlon REST API to update existing alerts. It is + primarily used to change alert statuses (e.g., dismissing an alert) or to apply + updates across linked alerts. The action requires a raw JSON string representing + the update payload, providing flexibility for various update scenarios supported + by the Vorlon platform. ### Parameters Description @@ -525,38 +713,30 @@ Update Alert: | :--- | :--- | :--- | :--- | - | Alert Object | String | Yes | The alert update request JSON body. This string - must be a valid JSON object containing the `alert_id` and the desired changes - (e.g., `new_status`, `apply_to_linked_alerts`). | + | Alert Object | String | Yes | A JSON-formatted string containing the update + details. It typically requires an `alert_id` and the fields to be updated, such + as `new_status` or `apply_to_linked_alerts`. | ### Flow Description - 1. **Parameter Extraction**: The action retrieves the connection configuration - (API Root, Client ID, Client Secret) and the mandatory `Alert Object` parameter. + 1. **Configuration Retrieval:** The action fetches the API Root, Client ID, and + Client Secret from the integration settings. - 2. **Manager Initialization**: It initializes the `VorlonManager`, which handles - OAuth2 token generation and session management. + 2. **Parameter Extraction:** The `Alert Object` string is retrieved from the action + input. - 3. **JSON Validation**: The action attempts to parse the `Alert Object` string - into a Python dictionary. If the string is not valid JSON, the action fails with - an informative error. + 3. **Manager Initialization:** A `VorlonManager` instance is created, which handles + authentication and token management. - 4. **External API Call**: It performs a `PUT` request to the Vorlon API endpoint - `/rest/v1/alerts/update` using the parsed JSON body. + 4. **JSON Validation:** The action attempts to parse the `Alert Object` string + into a JSON object to ensure it is valid before transmission. - 5. **Result Handling**: The response from the Vorlon server (the updated alert - object) is captured and added to the action's JSON results. The action then completes - with a success message. + 5. **API Execution:** The manager sends a `PUT` request to the `/rest/v1/alerts/update` + endpoint with the provided JSON payload. - - ### Additional Notes - - - This action does not operate on SecOps entities; it requires a specific JSON - payload to identify the target alert in the external system. - - - Ensure the `Alert Object` follows the schema expected by the Vorlon API to avoid - 400-series errors. + 6. **Result Processing:** The response from the Vorlon server is captured and + added to the action's JSON results for use in subsequent playbook steps. capabilities: can_create_case_comments: false can_create_insight: false @@ -565,9 +745,9 @@ Update Alert: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the status, assignment, or metadata of an alert in the Vorlon platform - via a PUT request to the /rest/v1/alerts/update endpoint. - fetches_data: true + Updates the status or properties of an alert in the Vorlon platform via a PUT + request to the /rest/v1/alerts/update endpoint. + fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false @@ -586,3 +766,28 @@ Update Alert: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: true + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/community/vorlon/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/vorlon/resources/ai/connectors_ai_description.yaml new file mode 100644 index 000000000..d1ddddc12 --- /dev/null +++ b/content/response_integrations/third_party/community/vorlon/resources/ai/connectors_ai_description.yaml @@ -0,0 +1,70 @@ +Vorlon Connector: + ai_description: >- + ### General Description + + The Vorlon Connector enables the ingestion of security alerts from the Vorlon + platform into Google SecOps. It provides visibility into service-to-service interactions, + secret usage, and potential security risks by fetching detailed alert data and + converting it into actionable cases within the SOAR environment. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | API Root | String | Yes | The base URL of your Vorlon instance (e.g., `https://.vorlon.io`). + | + + | Client ID | String | Yes | The Client ID used for OAuth2 authentication with + the Vorlon API. | + + | Client Secret | Password | Yes | The Client Secret used for OAuth2 authentication + with the Vorlon API. | + + | DeviceProductField | String | Yes | The field name used to determine the device + product in the ingested events. Default is 'Vorlon'. | + + | EventClassId | String | Yes | The field name used to determine the event name + or sub-type. Default is 'type'. | + + | Max Days Backwards | String | No | The number of days to look back for alerts + during the first run or if no timestamp is found. Default is 1 day. | + + | Max Incidents per Fetch | String | Yes | The maximum number of alerts to retrieve + in a single execution cycle. | + + | Open Alerts Only | Boolean | No | If enabled, the connector only fetches alerts + with an 'open' status. Otherwise, it fetches open, dismissed, and resolved alerts. + | + + | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the + connector's Python process. | + + + ### Flow Description + + 1. **Authentication**: The connector uses the Client ID and Client Secret to request + an OAuth2 access token from the Vorlon `/rest/v1/token` endpoint. + + 2. **Timestamp Calculation**: It identifies the starting point for the fetch by + checking the last saved timestamp. If unavailable, it uses the 'Max Days Backwards' + parameter. + + 3. **Alert Fetching**: The connector queries the Vorlon `/rest/v1/alerts` endpoint, + applying filters for the start time, alert status (based on 'Open Alerts Only'), + and the fetch limit. + + 4. **Pagination**: If more alerts are available than the 'Max Incidents per Fetch' + limit, the connector iterates through pages to collect the requested number of + alerts. + + 5. **Event Mapping**: Each fetched alert is parsed to extract metadata, including + requesting/responding service details, secret types, and severity levels. + + 6. **Case Ingestion**: The parsed alerts are transformed into Google SecOps `CaseInfo` + objects and sent to the system for processing. + + 7. **Checkpointing**: The connector saves the timestamp of the most recent alert + to ensure that the next execution only retrieves new data. diff --git a/content/response_integrations/third_party/community/vorlon/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/vorlon/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..a888df70b --- /dev/null +++ b/content/response_integrations/third_party/community/vorlon/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: true + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + siem: true + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/webhook/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/webhook/resources/ai/actions_ai_description.yaml index 11fe8e44f..0f339bb1c 100644 --- a/content/response_integrations/third_party/community/webhook/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/webhook/resources/ai/actions_ai_description.yaml @@ -1,24 +1,57 @@ Create Token: ai_description: >- - ### General Description\nThis action creates a new webhook token within the Webhook - integration. Its primary purpose is to generate a unique endpoint (URL) that can - receive external HTTP requests. Users can configure the response that the webhook - URL provides when accessed, including the body content and the content type.\n\n### - Parameters\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- - | :--- |\n| **Default Content** | string | Yes | The content to be returned in - the response body when the generated webhook URL is accessed. |\n| **Default Content - Type** | string | Yes | The MIME type of the content (e.g., `text/html` or `application/json`). - |\n| **Timeout** | string | No | The number of seconds (up to 10) the service - should wait before returning a response to a request made to the webhook URL. - |\n\n### Flow Description\n1. **Initialization**: The action retrieves the base - URL from the integration configuration and extracts the user-provided parameters - for content, content type, and timeout.\n2. **API Interaction**: It performs a - POST request to the Webhook service's `/token` endpoint with the specified configuration.\n3. - **URL Generation**: Upon a successful response, the action extracts the unique - UUID for the new token and constructs the full webhook URL.\n4. **Completion**: - The action returns the token metadata and the generated URL as a JSON result and - marks the execution as successful.\n\n### Additional Notes\n- This action does - not process or require any SecOps entities to run. + ### General Description + + The **Create Token** action generates a new webhook token within the Webhook integration. + This action is primarily used to set up a unique URL that can receive incoming + HTTP requests. When the generated URL is accessed, the service will respond with + the user-defined content and content type. This is highly useful for testing external + callbacks, orchestrating multi-step automation flows that require external triggers, + or verifying connectivity. + + + ### Parameters Description + + | Parameter Name | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | **Default Content** | string | True | The specific content or message that will + be displayed/returned when the generated webhook URL is visited or called. | + + | **Default Content Type** | string | True | The MIME type of the content (e.g., + `text/html`, `application/json`) to be returned by the webhook URL. | + + | **Timeout** | string | False | The number of seconds (0-10) the service should + wait before returning a response when the webhook is triggered. Used for testing + timeout scenarios. | + + + ### Additional Notes + + - This action does not operate on specific SecOps entities; it is a utility action + that interacts with the Webhook service to create infrastructure for the case. + + - The action returns a `webhookURL` which is the concatenation of the integration's + base URL and the newly created token's UUID. + + + ### Flow Description + + 1. **Parameter Extraction:** The action retrieves the `Default Content`, `Default + Content Type`, and `Timeout` from the user input. + + 2. **Manager Initialization:** It initializes the `WebhookManager` using the base + URL configured in the integration settings. + + 3. **Token Creation:** The action sends a POST request to the `/token` endpoint + of the Webhook service with the provided parameters. + + 4. **URL Construction:** Upon a successful response, it extracts the `uuid` and + constructs the full `webhookURL`. + + 5. **Result Reporting:** The action outputs the full JSON response from the service + and provides the created URL in the output message. capabilities: can_create_case_comments: false can_create_insight: false @@ -27,8 +60,8 @@ Create Token: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new webhook token and a corresponding unique URL endpoint on the external - Webhook service. + This action performs a POST request to the external Webhook service to create + a new token resource, which generates a unique endpoint on that system. fetches_data: false internal_data_mutation_explanation: null categories: @@ -48,50 +81,73 @@ Create Token: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Delete Token: ai_description: >- - ### General Description + Deletes a specific Webhook token using its unique identifier. This action communicates + with the Webhook service to remove the token, which results in the associated + webhook URL becoming inaccessible. It is primarily used for cleaning up temporary + webhooks or revoking access to specific endpoints. - The **Delete Token** action is designed to remove a specific webhook token from - the Webhook service. By deleting the token, the unique URL associated with it - becomes inactive and inaccessible, preventing further data from being received - or processed through that specific endpoint. This is typically used for cleanup - or to revoke access to a temporary webhook. + ### Flow Description: - ### Parameters + 1. **Parameter Extraction:** The action retrieves the 'Token ID' from the input + parameters. - | Parameter Name | Description | Type | Mandatory | Notes | + 2. **Manager Initialization:** It initializes the WebhookManager using the base + URL provided in the integration configuration. - | :--- | :--- | :--- | :--- | :--- | + 3. **External Request:** The action calls the `delete_token` method, which sends + an HTTP DELETE request to the external service's token endpoint. - | Token ID | The unique identifier of the token to be deleted. | String | Yes - | This ID is used to construct the specific API endpoint for the deletion request. - | + 4. **Result Handling:** If the request is successful, it returns a completion + status and a success message. If the request fails, it captures the error and + reports a failure. - ### Flow Description + ### Parameters Description: - 1. **Parameter Extraction**: The action retrieves the `Token ID` provided by the - user and strips any leading/trailing whitespace. + | Parameter Name | Description | Type | Mandatory | Notes | - 2. **Manager Initialization**: It initializes the `WebhookManager` using the base - URL defined in the integration's configuration. + | :--- | :--- | :--- | :--- | :--- | - 3. **External API Call**: The action invokes the `delete_token` method in the - manager, which sends an HTTP DELETE request to the external Webhook service's - endpoint (`/token/{token_id}`). + | Token ID | The unique identifier of the webhook token that needs to be deleted. + | String | Yes | This ID is used to construct the specific API endpoint for deletion. + | - 4. **Result Handling**: The action captures the HTTP status code from the response. - If the request is successful, it marks the execution as completed and returns - a success message. If an error occurs, it logs the error and reports a failure. + ### Additional Notes: - ### Additional Notes + - This action does not process or interact with SOAR entities (IPs, Hostnames, + etc.). - This action does not process or interact with entities (such as IPs or Hostnames) - within the Google SecOps case; it operates strictly based on the provided `Token - ID` parameter. + - Successful execution results in a permanent state change in the external Webhook + service. capabilities: can_create_case_comments: false can_create_insight: false @@ -100,8 +156,8 @@ Delete Token: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Deletes a webhook token from the external Webhook service, which permanently - removes the token and makes the associated URL endpoint inaccessible. + The action sends an HTTP DELETE request to the external Webhook service to remove + a specific token, making the associated URL endpoint permanently inaccessible. fetches_data: false internal_data_mutation_explanation: null categories: @@ -121,68 +177,95 @@ Delete Token: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Webhook Response: ai_description: >- - ### General Description + The 'Get Webhook Response' action is an asynchronous task designed to retrieve + request data sent to a specific Webhook URL associated with a provided Token ID. + It allows analysts to monitor incoming HTTP requests to a webhook endpoint, which + is often used for receiving callbacks or manual interactions from external users. + The action supports two modes of operation: waiting for a predefined duration + (TimeFrame) or waiting until at least one request is detected (AwaitClick). It + automatically filters out automated requests from Slackbots to ensure data relevance. - The **Get Webhook Response** action is designed to retrieve data from a specific - webhook URL endpoint (formatted as `{Base URL}/{Token ID}`). This action is particularly - useful for scenarios where a workflow needs to wait for an external trigger, such - as a user clicking a link or an external system sending a callback. It supports - asynchronous execution, allowing the SOAR platform to poll the endpoint until - specific conditions are met. + ### Flow Description: - ### Parameters Description - - | Parameter | Type | Mandatory | Description | + 1. **Initialization**: The action extracts the base URL from the integration configuration + and retrieves user-provided parameters including the Token ID, retrieval preference + (All vs. Latest), and the pending condition logic. - | :--- | :--- | :--- | :--- | + 2. **Condition Evaluation**: + * **TimeFrame Mode**: If the action is in its first run, it calculates the + expiration time. In subsequent runs, it checks if the specified timeframe has + elapsed. If the time has passed, it proceeds to fetch the data; otherwise, it + remains in an 'In Progress' state. + * **AwaitClick Mode**: The action immediately attempts to fetch requests. + If requests are found, it completes. If no requests are found, it remains 'In + Progress' to check again in the next cycle. + 3. **Data Retrieval**: The action calls the Webhook API to fetch request logs + for the specific Token ID. - | **Pending Condition** | DDL | Yes | Determines the logic for ending the action. - `TimeFrame` waits for a specific duration before fetching data. `AwaitClick` polls - the endpoint and completes as soon as at least one request is detected. | + 4. **Data Processing**: It filters the results to exclude requests generated by + Slack user agents and, if configured, restricts the output to only the most recent + request. - | **TimeFrame** | String | Yes | The number of minutes to wait before the action - fetches the data and completes. This is only relevant when `Pending Condition` - is set to `TimeFrame`. | + 5. **Finalization**: The retrieved data is attached as a JSON result, and the + action completes with a summary message. - | **Responses To Retrieve** | DDL | Yes | Specifies whether to retrieve `All` - recorded requests for the token or only the `Latest` one. | - | **Token ID** | String | Yes | The unique identifier for the webhook token to - monitor. | + ### Parameters Description: + | Parameter | Type | Mandatory | Description | - ### Additional Notes + | :--- | :--- | :--- | :--- | - - This action is **asynchronous**. It will remain in an 'In Progress' state until - the specified timeframe expires or a request is received (depending on the configuration). + | Pending Condition | DDL | Yes | Determines the wait logic. 'TimeFrame' waits + for a set duration before fetching. 'AwaitClick' waits until the first request + is received. | - - The action automatically filters out requests generated by Slackbots (identified - via User-Agent) to prevent false positives in chat-based workflows. + | TimeFrame | String | Yes | The number of minutes to wait before the action stops + listening and returns the collected data. Only relevant if 'Pending Condition' + is set to 'TimeFrame'. | + | Responses To Retrieve | DDL | Yes | Specifies whether to return 'All' requests + captured during the window or only the 'Latest' single request. | - ### Flow Description + | Token ID | String | Yes | The unique identifier of the webhook token to monitor + for incoming requests. | - 1. **Initialization**: The action extracts the Token ID, the pending condition, - and the retrieval preference (All vs. Latest). - 2. **Condition Check**: - - If **TimeFrame** is selected: The action calculates the elapsed time since - the first run. If the timeframe has not yet passed, it returns an `INPROGRESS` - status. Once the timeframe expires, it fetches the requests. - - If **AwaitClick** is selected: The action immediately checks for any requests - associated with the Token ID. If no requests are found, it returns `INPROGRESS`. - If requests are found, it proceeds to completion. - 3. **Data Retrieval**: The action calls the Webhook Manager to fetch request data - from the external service. + ### Additional Notes: - 4. **Filtering**: The retrieved data is filtered to remove Slackbot-related entries. - If 'Latest' was selected, only the most recent request is kept. + * This action is **Asynchronous**, meaning it will run repeatedly in the background + until the specified condition (time or data arrival) is met. - 5. **Completion**: The action outputs the retrieved JSON data and provides a summary - message indicating how many requests were found or if the timeout was reached. + * The action is designed to work with the Webhook integration's token system where + URLs follow the pattern `{Base URL}/{Token ID}`. capabilities: can_create_case_comments: false can_create_insight: false @@ -194,7 +277,7 @@ Get Webhook Response: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: true + enrichment: false entity_usage: entity_types: [] filters_by_additional_properties: false @@ -210,42 +293,68 @@ Get Webhook Response: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: ai_description: >- ### General Description The **Ping** action is a diagnostic tool used to verify the connectivity between - Google SecOps and the Webhook service. Its primary purpose is to ensure that the - integration is correctly configured and that the target service is reachable over - the network. + the Google SecOps platform and the Webhook service. It ensures that the configured + URL is reachable and that the integration can successfully communicate with the + target endpoint. ### Parameters Description - There are no parameters for this action. It relies entirely on the integration's - global configuration. + There are no user-input parameters for this action. It relies solely on the integration's + global configuration settings (specifically the 'URL' parameter). ### Additional Notes - This action utilizes the **URL** parameter defined in the integration settings - to perform its check. It does not interact with any entities or alert data. + This action is typically used during the initial setup of the integration or for + troubleshooting communication issues. It does not interact with any entities or + modify any data. ### Flow Description - 1. **Configuration Retrieval**: The action retrieves the base URL from the Webhook - integration configuration. + 1. **Configuration Retrieval**: The action fetches the `URL` parameter from the + integration's global configuration. - 2. **Manager Initialization**: It initializes the `WebhookManager` with the provided + 2. **Manager Initialization**: It initializes the `WebhookManager` with the retrieved base URL. - 3. **Connectivity Check**: The action executes the `test_connectivity` method, - which performs an HTTP GET request to the base URL. + 3. **Connectivity Test**: The action calls the `test_connectivity` method, which + performs a standard HTTP GET request to the base URL. - 4. **Execution Result**: If the GET request returns a successful status code, - the action completes with a success message. If the request fails or an exception - occurs, it returns a failure message with the error details. + 4. **Result Reporting**: If the request returns a successful status code (2xx), + the action reports a successful connection. If an exception occurs or the status + code indicates an error, the action fails and provides the error details. capabilities: can_create_case_comments: false can_create_insight: false @@ -254,7 +363,7 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: false + fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false @@ -273,3 +382,28 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/community/webhook/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/webhook/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..a4b23e02c --- /dev/null +++ b/content/response_integrations/third_party/community/webhook/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: true + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/whois_xml_api/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/whois_xml_api/resources/ai/actions_ai_description.yaml index cc1ad8c50..aa640efbb 100644 --- a/content/response_integrations/third_party/community/whois_xml_api/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/whois_xml_api/resources/ai/actions_ai_description.yaml @@ -2,43 +2,53 @@ Enrich Entities: ai_description: >- ### General Description - Enriches Hostname and URL entities by retrieving domain registration information - from the WHOIS XML API. This action helps analysts understand the ownership and - registration history of a domain by pulling data such as registrant name, organization, - and contact details directly into the Google SecOps entity profile. + The **Enrich Entities** action retrieves WHOIS registration information for Hostname + and URL entities using the Whois XML API. It specifically targets external hostnames + and all URLs to gather registrant details such as name, organization, and contact + information, which are then appended to the entity's metadata within Google SecOps + to provide analysts with ownership context. ### Parameters Description - | Parameter | Type | Mandatory | Description | + | Parameter | Expected Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | API Key | String | Yes | The API key used to authenticate with the WHOIS XML - API service. This is extracted from the integration configuration. | + | API Key | String | Yes | This is an integration-level configuration parameter + used to authenticate requests to the Whois XML API. It is not an action-specific + parameter but is required for the action to function. | + + + ### Additional Notes + + - This action only processes Hostname entities that are marked as **not internal** + (`is_internal` is false). + + - The retrieved registrant details are added to the `additional_properties` of + the entity, making them visible in the Entity Explorer. ### Flow Description - 1. **Configuration Retrieval**: The action extracts the API Key from the integration's - configuration settings. + 1. **Initialization**: The action retrieves the API Key from the integration configuration + and constructs the base URL for the Whois XML API service. - 2. **Entity Filtering**: It iterates through the target entities, selecting only - those that are either non-internal Hostnames or URLs. + 2. **Entity Filtering**: It iterates through the `target_entities` in the current + context, selecting only Hostnames (where `is_internal` is false) and URLs. - 3. **External API Interaction**: For each eligible entity, the action sends a - GET request to the WHOIS XML API `WhoisService` endpoint using the entity's identifier - as the domain name. + 3. **API Request**: For each valid entity, a GET request is sent to the Whois + XML API to fetch the WHOIS record in JSON format. - 4. **Data Extraction**: The action parses the JSON response to locate registrant - details within the `WhoisRecord`. + 4. **Data Extraction**: The action parses the API response to extract registrant + details (e.g., name, organization) from the `WhoisRecord` object. - 5. **Internal Enrichment**: If registrant details are found, they are mapped to - the entity's `additional_properties`. + 5. **Internal Enrichment**: If registrant data is found, the action updates the + entity's `additional_properties` with this information. - 6. **Finalization**: The action updates the entities in Google SecOps with the - new metadata and attaches the raw JSON response to the action's execution results - for further review. + 6. **Finalization**: The action updates the entities within Google SecOps, attaches + the full JSON response to the action results, and returns a summary message listing + the successfully processed entities. capabilities: can_create_case_comments: false can_create_insight: false @@ -49,8 +59,8 @@ Enrich Entities: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with registrant information (name, organization, - etc.) retrieved from the WHOIS XML API. + Updates entity additional properties with WHOIS registrant information retrieved + from the API. categories: enrichment: true entity_usage: @@ -70,14 +80,40 @@ Enrich Entities: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Domain Details: ai_description: >- ### General Description The **Get Domain Details** action retrieves comprehensive WHOIS information for - a specified domain using the WHOIS XML API. This action is designed to provide - security analysts with registration details, ownership information, and domain - status to assist in investigations and threat intelligence gathering. + a specified domain using the WHOIS XML API. It allows analysts to gather registration + details, ownership information, and optionally check the domain's availability + status. The results are returned as a JSON object, making them accessible for + subsequent playbook steps. ### Parameters Description @@ -86,35 +122,38 @@ Get Domain Details: | :--- | :--- | :--- | :--- | - | **Domain Name** | String | Yes | The specific domain (e.g., google.com) to be - scanned for WHOIS information. | + | Domain Name | String | Yes | The specific domain (e.g., google.com) to perform + the WHOIS lookup on. | - | **Check availability** | Boolean | No | If set to `true`, the action will include - a check for the domain's availability in the response. Defaults to `false`. | + | Check availability | Boolean | No | If set to "true", the action will include + domain availability information in the response. Defaults to "false". | - ### Flow Description + ### Additional Notes - 1. **Initialization**: The action extracts the API Key from the integration configuration - and retrieves the target domain and availability preference from the action parameters. + This action does not automatically process entities from the Google SecOps case. + It relies entirely on the provided "Domain Name" parameter. To use this action + with case entities, the domain must be passed into the "Domain Name" parameter + via a placeholder. - 2. **Request Construction**: It constructs a GET request URL for the WHOIS XML - API, incorporating the API key, the target domain, and the availability check - flag. - 3. **Data Retrieval**: The action performs a synchronous HTTP GET request to the - WHOIS XML API service. + ### Flow Description - 4. **Output Generation**: The resulting JSON data is processed and added to the - action's results in two formats: as a script result (for use in subsequent playbook - steps) and as an action JSON (for display in the context details view). + 1. **Configuration Retrieval**: The action retrieves the API Key from the integration's + configuration settings. + 2. **Parameter Extraction**: It extracts the target domain name and the availability + check preference from the action parameters. - ### Additional Notes + 3. **Request Construction**: A GET request URL is constructed, incorporating the + API key, the target domain, and the availability flag. + + 4. **API Interaction**: The action sends a request to the WHOIS XML API service. + + 5. **Data Processing**: The JSON response from the API is captured. - This action operates independently of the alert's entity context; it requires - the domain to be explicitly provided as a parameter rather than iterating over - entities like IP or Domain objects found in the alert. + 6. **Result Output**: The retrieved data is attached to the action results in + JSON format for use in the Google SecOps platform. capabilities: can_create_case_comments: false can_create_insight: false @@ -142,19 +181,45 @@ Get Domain Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: ai_description: >- ### General Description - The **Ping** action is designed to verify the connectivity between Google SecOps - and the **WHOIS XML API** service. It ensures that the provided API credentials - are valid and that the external service is reachable. + The **Ping** action is a diagnostic utility used to verify the connectivity between + Google SecOps and the **Whois XML API** service. Its primary purpose is to ensure + that the integration's configuration, specifically the API Key, is valid and that + the service endpoint is reachable. ### Parameters Description - There are no action-specific parameters for this action. It relies on the global - integration configuration for the **API Key**. + This action does not require any input parameters. It relies solely on the global + integration configuration. ### Flow Description @@ -162,20 +227,16 @@ Ping: 1. **Configuration Retrieval**: The action extracts the `API Key` from the integration's configuration settings. - 2. **Connectivity Test**: It performs a `GET` request to the WHOIS XML API endpoint, - querying a hardcoded domain (`google.com`) to test the connection. + 2. **Connectivity Test**: It performs a test GET request to the Whois XML API + endpoint, specifically requesting WHOIS data for the domain `google.com` to validate + the connection. - 3. **Authentication Validation**: The script checks the response body for specific - error messages indicating authentication failure. - - 4. **Result Reporting**: If the request is successful and no authentication errors - are found, the action completes with a "Successful Connection" status. - - - ### Additional Notes + 3. **Authentication Check**: The action inspects the API response for specific + error strings, such as "ApiKey authenticate failed", to determine if the credentials + are valid. - This action does not process any entities from the case; it is purely for administrative - connectivity testing. + 4. **Status Reporting**: If the request is successful and no authentication errors + are found, the action returns a success status; otherwise, it raises an exception. capabilities: can_create_case_comments: false can_create_insight: false @@ -203,3 +264,28 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/community/whois_xml_api/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/whois_xml_api/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..2e831240c --- /dev/null +++ b/content/response_integrations/third_party/community/whois_xml_api/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + siem: false + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/workflow_tools/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/workflow_tools/resources/ai/actions_ai_description.yaml index 066eda885..586ce1c3a 100644 --- a/content/response_integrations/third_party/community/workflow_tools/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/workflow_tools/resources/ai/actions_ai_description.yaml @@ -1,47 +1,54 @@ Approval Request: ai_description: >- + ### General Description + The **Approval Request** action is designed to pause a workflow and require manual - intervention from a designated reviewer. It facilitates the approval process by - reassigning cases within Google SecOps and notifying stakeholders via Slack. + intervention from a designated reviewer. It manages the assignment of cases within + Google SecOps and provides external notification via Slack to ensure reviewers + are alerted promptly. A key feature is the ability to isolate a specific alert + into its own case, preventing a single approval from inadvertently affecting other + alerts grouped in the same case. - ### Parameters + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Move Alert If Grouped** | boolean | No | If set to `true` (default), and the - current alert is part of a case containing multiple alerts, the action will move - this specific alert into its own new case before assigning it to the reviewer. - If `false`, the entire case is assigned as-is. | + | Move Alert If Grouped | Boolean | No | If set to `true` (default), and the current + case contains more than one alert, the action will move the specific alert being + processed into a new, separate case before assigning it to the reviewer. | ### Flow Description - 1. **Configuration Extraction:** Retrieves integration-level settings including - API credentials, the target Siemplify/SecOps hostname, Slack webhook URL, and - the designated Approval Managers. + 1. **Configuration Retrieval:** The action fetches necessary integration settings, + including Siemplify API credentials, the Slack webhook URL, and the designated + Approval Managers. - 2. **Grouping Logic:** Checks the `Move Alert If Grouped` parameter. If enabled - and the case contains more than one alert, it triggers an internal API call to - move the current alert into a newly created case. + 2. **Case/Alert Evaluation:** It identifies the current case and alert identifiers. - 3. **Case Assignment:** Reassigns the target case (either the original or the - newly created one) to the user specified as the 'Approval Manager'. + 3. **Alert Isolation (Optional):** If `Move Alert If Grouped` is enabled and the + case has multiple alerts, the action calls the Siemplify API to move the current + alert to a new case. - 4. **External Notification:** Sends a formatted message to a Slack channel via - a webhook, providing a direct link to the case awaiting approval. + 4. **Assignment:** The action assigns the target case (either the original or + the newly created one) to the primary Approval Manager. - 5. **Result Reporting:** Returns a JSON object containing the original case ID, - any new case ID created, and the identities of the assigned managers. + 5. **Notification:** A message containing a direct link to the case is sent to + the configured Slack webhook. + + 6. **Result Reporting:** The action returns a JSON object containing the original + and (if applicable) new case IDs, along with the assigned managers. ### Additional Notes - - This action requires the 'Workflow Tools' integration to be configured with - valid API credentials for the SecOps instance itself to perform the case reassignment - and alert movement. + - This action requires the "Workflow Tools" integration to be properly configured + with an API Key that has permissions to move alerts and assign cases. + + - If no Slack Webhook URL is provided, the notification step is skipped. capabilities: can_create_case_comments: false can_create_insight: false @@ -50,12 +57,11 @@ Approval Request: can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: >- - Sends a notification message to an external Slack channel via a webhook to alert - reviewers of the pending approval request. + Sends a notification message to a Slack channel via a webhook. fetches_data: true internal_data_mutation_explanation: >- - Reassigns the case owner to the designated Approval Manager and can move an - alert from one case to a new case using internal API calls. + Reassigns the case to a specific reviewer and potentially moves an alert to + a new case within Google SecOps. categories: enrichment: false entity_usage: @@ -73,62 +79,83 @@ Approval Request: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: true + update_email: false + update_identity: false + update_ticket: false Approval Response: ai_description: >- - ### General Description + Processes an approval or denial for a workflow request within a Google SecOps + case. This action validates that the user executing the action is an authorized + 'Approval Manager' or 'Secondary Approval Manager' (supporting both specific usernames + and roles starting with '@'). If authorized, it records the decision, adds any + provided comments to the case, and sends a notification to a configured Slack + webhook. - The **Approval Response** action enables a formal approval workflow within Google - SecOps. It allows designated 'Approval Managers' to either approve or deny a pending - request. The action ensures security by verifying that the user executing the - action matches the authorized personnel or roles defined in the integration settings. - It provides a mechanism for human-in-the-loop decision-making within automated - playbooks. + ### Flow Description - ### Parameters Description + 1. **Authentication & Setup:** Extracts configuration parameters including API + credentials, Slack Webhook URL, and authorized Approval Managers. - | Parameter | Type | Mandatory | Description | + 2. **User Validation:** Identifies the user who triggered the action and verifies + if they match the authorized managers or belong to the authorized SOC roles by + querying the internal User Profiles API. - | :--- | :--- | :--- | :--- | + 3. **Decision Processing:** Based on the 'Action Approved' parameter, it determines + the approval status and constructs a notification message. - | **Action Approved** | Boolean | Yes | Determines the outcome of the request. - Set to `True` to approve or `False` to deny. | + 4. **Internal Mutation:** If 'Response Comments' are provided, it appends them + as a comment to the current case and alert. - | **Response Comments** | String | No | Optional notes or justification for the - decision. If provided, these are added as a case comment and included in the Slack - notification. | + 5. **External Notification:** Sends the final approval or denial message (including + links to the case) to the specified Slack channel. + 6. **Result Reporting:** Returns a JSON object containing the reviewer's name, + comments, and the final approval status. - ### Flow Description - 1. **Authorization Check**: The action identifies the user currently executing - the task (`original_requesting_user`) and compares them against the configured - `Approval Manager` and `Secondary Approval Manager`. If a manager is defined as - a role (prefixed with `@`), the action queries the Google SecOps API to verify - the user's role membership. + ### Parameters Description - 2. **Decision Processing**: Based on the `Action Approved` input, the action sets - the internal result state to approved or denied. + | Parameter | Type | Mandatory | Description | - 3. **Internal Documentation**: If `Response Comments` are provided, the action - adds them as a comment to the current case and alert using the `add_comment` method. + | :--- | :--- | :--- | :--- | - 4. **External Notification**: A notification message containing the decision, - the reviewer's name, and any comments is sent to a configured Slack channel via - a webhook. + | Action Approved | boolean | No | Determines the outcome of the request. If true, + the request is marked as approved; if false, it is denied. Default is false. | - 5. **Result Reporting**: The action returns a JSON object summarizing the review - details (reason, reviewer, comments, approval status) and sets the action's final - status. + | Response Comments | string | No | Optional notes provided by the reviewer. These + are added as a case comment and included in the Slack notification. | ### Additional Notes - - If an unauthorized user attempts to run this action, it will fail with a `ValueError` - and send an unauthorized access alert to Slack. + - The action will fail with an error if the user attempting to run it is not listed + as an 'Approval Manager' or 'Secondary Approval Manager' in the integration settings. - - The `Approval Manager` configuration can accept specific usernames or role names - (prefixed with `@`). + - Role-based authorization is supported by prefixing the manager name with '@' + (e.g., '@SOC_Managers'). capabilities: can_create_case_comments: true can_create_insight: false @@ -137,11 +164,12 @@ Approval Response: can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: >- - Sends a notification message to a Slack channel via a webhook to report the - approval or denial of a request. + Sends a notification message to a Slack channel via a webhook to inform stakeholders + about the approval or denial of the workflow request. fetches_data: true internal_data_mutation_explanation: >- - Adds a comment to the case and alert if 'Response Comments' are provided. + Adds a case comment to the Google SecOps case containing the reviewer's notes + and the approval decision. categories: enrichment: false entity_usage: @@ -159,29 +187,80 @@ Approval Response: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: true + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Assign Case to Current User: - ai_description: "### General Description\nThe **Assign Case to Current User** action\ - \ is a workflow utility designed to automatically assign a Google SecOps case\ - \ and its current alert to the analyst who manually triggered the playbook action.\ - \ This is typically used at the beginning of a playbook to ensure that the person\ - \ investigating the case is officially recorded as the owner.\n\n### Parameters\ - \ Description\nThis action does not require any input parameters from the user\ - \ at runtime. It relies on the execution context to identify the requesting user.\n\ - \n### Additional Notes\n* **Manual Execution Required:** This action is specifically\ - \ designed for manual execution. If triggered by the 'System' user (e.g., via\ - \ an automated trigger without human intervention), the action will fail with\ - \ an error. \n* **Integration Configuration:** Requires the 'Workflow Tools' integration\ - \ to be configured with a valid Siemplify API Key, API Root, and Instance Hostname\ - \ to interact with the platform's internal API.\n\n### Flow Description\n1. **Configuration\ - \ Extraction:** The action retrieves the API credentials and connection details\ - \ for the Google SecOps instance from the integration settings.\n2. **Context\ - \ Identification:** It identifies the unique identifiers for the current case\ - \ and the active alert.\n3. **User Validation:** It retrieves the username of\ - \ the person who initiated the action (`original_requesting_user`). It checks\ - \ if the user is the 'System' user.\n4. **Assignment:** If the user is a valid\ - \ human analyst, it calls the internal API to assign the case and alert to that\ - \ specific user.\n5. **Completion:** The action logs the assignment and returns\ - \ the username as the result value." + ai_description: >- + ### General Description + + Assigns the current case and alert to the user who manually triggered the action. + This action is designed to be used at the beginning of a playbook to ensure that + the analyst who initiates the investigation is officially recorded as the owner + of the case and the specific alert within the Google SecOps platform. + + + ### Parameters Description + + | Parameter Name | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | None | N/A | N/A | This action does not require any input parameters. | + + + ### Additional Notes + + * **Manual Execution Required:** This action will fail if executed automatically + by the system (e.g., as part of an automated playbook trigger) because it relies + on the `original_requesting_user` context, which is only populated during manual + execution. + + * **System User Check:** The action explicitly checks if the requesting user is + "System" and will raise an error if so, preventing automated assignments to the + system account. + + + ### Flow Description + + 1. **Configuration Retrieval:** The action retrieves the necessary API credentials + and instance hostname from the integration configuration. + + 2. **Context Identification:** It identifies the current Case ID and Alert ID + from the execution context. + + 3. **User Identification:** It retrieves the identifier of the user who triggered + the action (`original_requesting_user`). + + 4. **Validation:** It verifies that the requesting user is not the "System" user. + + 5. **Assignment:** It calls the internal SDK method to assign the case and alert + to the identified user. + + 6. **Completion:** The action ends, returning the username of the assigned user + as the result value. capabilities: can_create_case_comments: false can_create_insight: false @@ -192,8 +271,8 @@ Assign Case to Current User: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Updates the ownership/assignment of the case and alert within Google SecOps - to the user who executed the action. + Updates the owner/assignee of the current case and alert within the Google SecOps + platform. categories: enrichment: false entity_usage: @@ -211,60 +290,71 @@ Assign Case to Current User: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: true + update_email: false + update_identity: false + update_ticket: false Ping: ai_description: >- ### General Description - The **Ping** action is a diagnostic utility designed to verify the connectivity - and configuration of the Workflow Tools integration. It serves as a health check - to ensure that the Google SecOps (Siemplify) environment can communicate with - its own internal API and external services like Slack. + The **Ping** action is a diagnostic tool designed to verify the connectivity and + configuration of the Workflow Tools integration. It ensures that the Google SecOps + platform can successfully communicate with its internal API and external services + like Slack. ### Parameters Description - This action does not require any direct input parameters. It utilizes the following - integration configuration settings to perform its checks: - - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Siemplify API Key | String | Yes | The API key used to authenticate requests - to the Google SecOps internal API. | - - | Siemplify API Root | String | Yes | The base URL for the Google SecOps API. - | + There are no action-specific parameters for this action. It relies entirely on + the integration's configuration settings, such as the API Key, API Root, and Slack + Webhook URL. - | Siemplify Instance Hostname | String | Yes | The hostname of the current instance. - | - | Slack Webhook URL | String | No | The URL used to send test messages to Slack. - If omitted, the Slack test is skipped. | + ### Flow Description - | Approval Manager | String | Yes | A username or role (prefixed with @) to validate - against the user profile database. | + 1. **Configuration Extraction**: The action retrieves integration-level settings, + including the Siemplify API Key, API Root, and Slack Webhook URL. - | Secondary Approval Manager | String | No | An optional secondary username or - role to validate. | + 2. **Manager Initialization**: Initializes the `WorkflowToolsManager` with the + extracted configuration to handle API requests. + 3. **User/Role Validation**: The action calls the internal API (`GetUserProfiles`) + to verify the existence and roles of the primary and secondary approval managers + specified in the configuration. - ### Flow Description + 4. **External Connectivity Test**: Sends a test notification message to the configured + Slack Webhook URL to verify outbound communication. - 1. **Configuration Retrieval**: The action extracts necessary API keys, endpoints, - and manager identities from the integration's global settings. + 5. **Execution Completion**: If all checks (API connectivity and Slack messaging) + succeed, the action completes with a success status. - 2. **Internal API Validation**: It initializes the `WorkflowToolsManager` and - performs a lookup for the configured 'Approval Manager' and 'Secondary Approval - Manager' using the `/api/external/v1/settings/GetUserProfiles` endpoint. This - confirms the API key and root URL are correct. - 3. **External Notification Test**: If a Slack Webhook URL is provided, the action - sends a test POST request to Slack to verify outbound connectivity. + ### Additional Notes - 4. **Execution Finalization**: The action completes with a success status if the - API queries and Slack notification (if applicable) are processed without exceptions. + This action does not interact with or process any entities within a case. It is + strictly for system health and configuration validation. capabilities: can_create_case_comments: false can_create_insight: false @@ -273,8 +363,8 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - The action sends a test message to a Slack Webhook URL to verify connectivity, - which creates a new message entry in the external Slack channel. + Sends a test message to a Slack channel via a configured webhook URL to verify + connectivity. fetches_data: true internal_data_mutation_explanation: null categories: @@ -294,3 +384,28 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/community/workflow_tools/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/workflow_tools/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..6896a3667 --- /dev/null +++ b/content/response_integrations/third_party/community/workflow_tools/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: true + edr: false + email_security: false + iam_and_identity_management: false + itsm: true + network_security: false + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/zoom/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/zoom/resources/ai/actions_ai_description.yaml index 00000494c..e18b709cc 100644 --- a/content/response_integrations/third_party/community/zoom/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/zoom/resources/ai/actions_ai_description.yaml @@ -2,58 +2,57 @@ Create Meeting: ai_description: >- ### General Description - Creates a scheduled or instant meeting in Zoom for a specified host. This action - allows users to automate the creation of Zoom meetings directly from Google SecOps, - specifying details such as topic, start time, duration, and recording preferences. + Create a scheduled or instant meeting in Zoom for a specific host. This action + allows users to automate the creation of Zoom meetings directly from a playbook, + providing a join URL and full meeting details upon success. - ### Parameters + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Meeting Type | Dropdown | Yes | Defines if the meeting is 'Instant' or 'Scheduled'. + | Meeting Type | ddl | Yes | The type of the meeting: 'Instant' or 'Scheduled'. | - | Meeting Start Time | String | Yes | The start time in GMT (yyyy-mm-dd hh:mm:ss). + | Meeting Start Time | string | Yes | Meeting start time in GMT (yyyy-mm-dd hh:mm:ss). Used for scheduled meetings. | - | Meeting Topic | String | Yes | The title or topic of the meeting. | + | Meeting Topic | string | Yes | The topic or title of the meeting. | - | Auto Recording Type | Dropdown | Yes | Specifies if the meeting should be recorded - ('local', 'cloud', or 'none'). | + | Auto Recording Type | ddl | Yes | Recording preference: 'local', 'cloud', or + 'none'. | - | Time Zone | String | Yes | The time zone for the meeting (e.g., 'America/New_York'). - | + | Time Zone | string | Yes | The time zone in 'Continent/Country' format. | - | Meeting Duration | String | Yes | The duration of the meeting in minutes. | + | Meeting Duration | string | Yes | The duration of the meeting in minutes. | - | Host Email Address | String | Yes | The email address of the Zoom user who will + | Host Email Address | string | Yes | The email address of the Zoom user who will host the meeting. | ### Flow Description - 1. **Parameter Extraction**: Retrieves meeting details (topic, type, time, duration, - timezone, recording type, and host email) from the action inputs. + 1. **Parameter Extraction**: The action retrieves the meeting details (topic, + type, time, duration, etc.) and the host's email from the input parameters. - 2. **Authentication**: Initializes the Zoom Manager using OAuth or JWT credentials - provided in the integration configuration. + 2. **API Interaction**: It uses the Zoom API to send a POST request to the `/users/{host_email}/meetings` + endpoint. - 3. **Meeting Creation**: Sends a POST request to the Zoom API endpoint (`/users/{host_email}/meetings`) - with the provided configuration payload. + 3. **Link Generation**: If the meeting is created successfully, the action extracts + the `join_url` and adds it as a link to the action results for easy access. - 4. **Result Handling**: If the meeting is created successfully, it adds the 'join_url' - as a clickable link in the SOAR interface and returns the full meeting metadata - as a JSON result. + 4. **Result Reporting**: The action outputs the full JSON response from Zoom and + marks the execution as completed. ### Additional Notes - - The 'Meeting Start Time' is specifically required for 'Scheduled' meetings. + - Ensure the 'Host Email Address' belongs to a registered user in your Zoom account. - - Ensure the 'Host Email Address' corresponds to a valid user in the Zoom account. + - The 'Meeting Start Time' is mandatory but only effectively used when the 'Meeting + Type' is set to 'Scheduled'. capabilities: can_create_case_comments: false can_create_insight: false @@ -62,8 +61,7 @@ Create Meeting: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new meeting record in the Zoom platform, which consumes API quota - and adds data to the Zoom account. + Creates a new meeting record in the Zoom platform. fetches_data: false internal_data_mutation_explanation: null categories: @@ -83,51 +81,52 @@ Create Meeting: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Create User: - ai_description: >- - ### General Description - - Creates a new user account in Zoom using the provided user details and license - type. This action is designed to automate the provisioning of Zoom users as part - of IT or security workflows. - - - ### Parameters - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | First Name | string | Yes | The first name of the user to be created. | - - | Last Name | string | Yes | The last name of the user to be created. | - - | Email | string | Yes | The email address of the user to be created. | - - | User Type | ddl | Yes | The user license type. Supported values: 'Basic', 'Licensed', - 'On-prem'. | - - - ### Flow Description - - 1. **Parameter Extraction**: Retrieves the user's first name, last name, email, - and license type from the action parameters. - - 2. **Pre-check**: Queries the Zoom API to check if a user with the specified email - already exists to prevent duplicate creation. - - 3. **User Creation**: If the user does not exist, sends a POST request to the - Zoom `/users` endpoint with the specified user information. - - 4. **Result Processing**: Captures the API response containing the new user's - details and attaches it to the action's JSON results. - - - ### Additional Notes - - This action requires valid Zoom API credentials (either JWT or OAuth) to be configured - in the integration settings. If the user already exists, the action will fail - with a specific error message. + ai_description: "Creates a new user in the Zoom platform. This action allows administrators\ + \ to provision new Zoom accounts by providing the user's first name, last name,\ + \ email address, and license type. \n\n### Flow Description:\n1. **Parameter Extraction:**\ + \ The action retrieves the 'First Name', 'Last Name', 'Email', and 'User Type'\ + \ from the action parameters.\n2. **Pre-check:** It calls the Zoom API to check\ + \ if a user with the provided email already exists to prevent duplicate account\ + \ creation.\n3. **User Creation:** If the user does not exist, it sends a POST\ + \ request to the Zoom `/users` endpoint with the specified user details and license\ + \ type.\n4. **Result Handling:** If successful, the action returns the created\ + \ user's details in JSON format and marks the execution as completed.\n\n### Parameters\ + \ Description:\n| Parameter Name | Type | Mandatory | Description |\n| :--- |\ + \ :--- | :--- | :--- |\n| First Name | String | Yes | The first name of the user\ + \ to be created. |\n| Last Name | String | Yes | The last name of the user to\ + \ be created. |\n| Email | String | Yes | The email address of the user to be\ + \ created. This serves as the unique identifier in Zoom. |\n| User Type | DDL\ + \ | Yes | The license type for the new user. Supported values are 'Basic', 'Licensed',\ + \ and 'On-prem'. |\n\n### Additional Notes:\n- This action requires valid Zoom\ + \ API credentials (either OAuth or JWT) configured in the integration settings.\n\ + - If the user already exists, the action will fail with a 'User Already Exists'\ + \ error." capabilities: can_create_case_comments: false can_create_insight: false @@ -136,8 +135,8 @@ Create User: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new user account in the Zoom platform via a POST request to the /users - endpoint. + Creates a new user account in the Zoom platform via a POST request to the Zoom + API. fetches_data: true internal_data_mutation_explanation: null categories: @@ -157,35 +156,54 @@ Create User: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: true + update_ticket: false Delete User: - ai_description: "### General Description\nThe **Delete User** action permanently\ - \ removes a user from a Zoom account. This action is designed for administrative\ - \ cleanup or security response scenarios, such as offboarding or responding to\ - \ compromised accounts. It provides the capability to transfer the user's assets\u2014\ - including future meetings, webinars, and cloud recordings\u2014to another specified\ - \ user before the deletion is executed to prevent data loss.\n\n### Parameters\ - \ Description\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- |\ - \ :--- | :--- |\n| **Deleted User Email** | String | Yes | The email address of\ - \ the user to be permanently deleted from Zoom. |\n| **Transfer Email** | String\ - \ | No | The email address of the recipient who will take ownership of the deleted\ - \ user's data. |\n| **Transfer Meeting** | Boolean | No | If set to true, transfers\ - \ all future scheduled meetings to the Transfer Email recipient. |\n| **Transfer\ - \ Recordings** | Boolean | No | If set to true, transfers all cloud recordings\ - \ to the Transfer Email recipient. |\n| **Transfer Webinar** | Boolean | No |\ - \ If set to true, transfers all future scheduled webinars to the Transfer Email\ - \ recipient. |\n\n### Additional Notes\n- The action includes a safety check:\ - \ it verifies the existence of recordings, webinars, and meetings before attempting\ - \ a transfer. If no data is found for a category, the transfer flag for that category\ - \ is automatically disabled to ensure API compatibility.\n- This action uses the\ - \ `delete` action type in the Zoom API, which is a permanent removal.\n\n### Flow\ - \ Description\n1. **Initialization**: Extracts the target user's email and transfer\ - \ configurations from the action parameters.\n2. **Data Verification**: Calls\ - \ the Zoom API to check if the user has any existing recordings, webinars, or\ - \ meetings that can be transferred.\n3. **Logic Optimization**: Adjusts the transfer\ - \ flags based on the actual presence of data to avoid unnecessary transfer requests.\n\ - 4. **Execution**: Sends a DELETE request to the Zoom `/users/{userId}` endpoint\ - \ with the specified transfer parameters.\n5. **Completion**: Returns a success\ - \ message and a JSON result indicating whether the user was successfully deleted." + ai_description: "Deletes a user permanently from a Zoom account. This action allows\ + \ for the optional transfer of the user's scheduled meetings, webinars, and cloud\ + \ recordings to another specified user before the deletion is finalized. \n\n\ + ### Flow Description:\n1. **Parameter Extraction:** The action retrieves the email\ + \ of the user to be deleted and the transfer preferences (meetings, recordings,\ + \ webinars, and the recipient's email).\n2. **Pre-check:** It verifies if the\ + \ user has existing recordings, webinars, or meetings to transfer if the corresponding\ + \ transfer flags are set to true.\n3. **Deletion Execution:** It sends a DELETE\ + \ request to the Zoom API, passing the transfer parameters to ensure data is moved\ + \ to the designated recipient during the deletion process.\n4. **Result Handling:**\ + \ The action returns a success message if the user is deleted or an error message\ + \ if the user is not found or if the API request fails.\n\n### Parameters Description:\n\ + | Parameter Name | Type | Mandatory | Description |\n| :--- | :--- | :--- | :---\ + \ |\n| Deleted User Email | string | True | The email address of the Zoom user\ + \ to be permanently deleted. |\n| Transfer Meeting | boolean | False | If set\ + \ to true, transfers all future scheduled meetings to the 'Transfer Email'. Defaults\ + \ to false. |\n| Transfer Recordings | boolean | False | If set to true, transfers\ + \ all past cloud recordings to the 'Transfer Email'. Defaults to false. |\n| Transfer\ + \ Webinar | boolean | False | If set to true, transfers all future scheduled webinars\ + \ to the 'Transfer Email'. Defaults to false. |\n| Transfer Email | string | False\ + \ | The email address of the user who will receive the transferred data. Required\ + \ if any transfer flag is set to true. |" capabilities: can_create_case_comments: false can_create_insight: false @@ -194,8 +212,8 @@ Delete User: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Permanently deletes a user account from the Zoom platform and reassigns their - meetings, webinars, and recordings to another user. + Permanently deletes a user from the Zoom platform and optionally transfers their + data (meetings, webinars, recordings) to another user account. fetches_data: true internal_data_mutation_explanation: null categories: @@ -215,54 +233,79 @@ Delete User: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: true + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: true + update_ticket: false Enrich Entities: ai_description: >- ### General Description - Enriches User entities with detailed account information retrieved from Zoom. - This action identifies User entities within the case, queries the Zoom API for - their specific profile details, and maps the retrieved data back to the entity's - additional properties. It is primarily used to provide security analysts with - context regarding a user's Zoom account status, type, and other metadata during - an investigation. + The **Enrich Entities** action retrieves detailed profile information for User + entities from the Zoom platform. It is designed to provide security analysts with + contextual data about a user's Zoom account, such as their status, department, + job title, and account type, directly within the Google SecOps environment. ### Parameters Description - There are no action-specific parameters for this action. It relies on the global - integration configuration for authentication (JWT Token or OAuth credentials). + There are no action-specific parameters for this component. It relies on the global + integration configuration (JWT or OAuth credentials) to authenticate with the + Zoom API. ### Additional Notes - * The action specifically targets entities of type `USER`. + * This action specifically targets entities of type **USER**. - * All retrieved data points are flattened and prefixed with 'Zoom' before being - added to the entity's properties to avoid naming collisions. + * Retrieved data is flattened and prefixed with "Zoom" before being appended to + the entity's additional properties. - * If a user is not found in Zoom, the action will skip that specific entity and - continue processing others. + * If a user is not found in Zoom or an error occurs for a specific entity, the + action will log the error and continue processing the remaining entities. ### Flow Description - 1. **Authentication**: Initializes the Zoom Manager using either JWT or OAuth - credentials provided in the integration configuration. + 1. **Initialization**: The action initializes the Zoom API manager using the provided + integration credentials (JWT or OAuth). - 2. **Entity Filtering**: Iterates through the target entities and filters for - those with the `USER` entity type. + 2. **Entity Filtering**: It iterates through the target entities in the current + context and filters for those of type **USER**. - 3. **Data Retrieval**: For each valid User entity, it calls the Zoom API's `/users/{user_id}` - endpoint using the entity identifier (email). + 3. **Data Retrieval**: For each identified User entity, the action calls the Zoom + API's `/users/{email}` endpoint using the entity's identifier (email address). - 4. **Data Transformation**: Flattens the resulting JSON response and adds the - 'Zoom' prefix to all keys. + 4. **Data Processing**: The resulting JSON data is flattened into a single-level + dictionary, and keys are prefixed with "Zoom" to avoid naming collisions. - 5. **Internal Update**: Updates the entity's `additional_properties` with the - transformed data and sets the `is_enriched` flag to `True`. + 5. **Internal Update**: The entity's `additional_properties` are updated with + the Zoom data, and the entity is marked as `is_enriched = True`. - 6. **Finalization**: Updates the entities in Google SecOps and returns a JSON - result containing the raw data for all successfully enriched users. + 6. **Finalization**: The action updates the entities within Google SecOps and + returns a comprehensive JSON result containing the raw data for all successfully + enriched users. capabilities: can_create_case_comments: false can_create_insight: false @@ -273,8 +316,8 @@ Enrich Entities: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates the 'additional_properties' of User entities with Zoom profile data - and sets the 'is_enriched' attribute to true. + Updates the 'additional_properties' and 'is_enriched' status of User entities + within the SOAR case. categories: enrichment: true entity_usage: @@ -293,26 +336,79 @@ Enrich Entities: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Meeting Recording: - ai_description: "### General Description\nThe **Get Meeting Recording** action retrieves\ - \ metadata and the cloud sharing URL for a specific Zoom meeting recording stored\ - \ in the cloud. It allows users to programmatically access recording details using\ - \ a unique Meeting ID, facilitating investigations or automated workflows that\ - \ require access to recorded session data.\n\n### Parameters\n| Parameter | Type\ - \ | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Meeting ID | String\ - \ | Yes | The unique identifier of the Zoom meeting recording to be retrieved.\ - \ |\n\n### Flow Description\n1. **Parameter Extraction**: The action extracts\ - \ the `Meeting ID` from the input parameters.\n2. **Authentication**: The action\ - \ initializes the `ZoomManager` using provided credentials (either OAuth or JWT)\ - \ to authenticate with the Zoom API.\n3. **API Request**: It performs a GET request\ - \ to the Zoom `/meetings/{meeting_id}/recordings` endpoint to fetch the recording\ - \ details.\n4. **Result Processing**: \n * Extracts the `share_url` from\ - \ the API response.\n * Adds the sharing URL as a clickable link in the Google\ - \ SecOps interface.\n * Attaches the full recording metadata as a JSON result\ - \ for downstream use.\n5. **Completion**: The action concludes by returning the\ - \ sharing URL as the primary result value.\n\n### Additional Notes\nThis action\ - \ only retrieves recordings that are stored in the Zoom Cloud. It does not support\ - \ local recordings." + ai_description: >- + ### General Description + + The **Get Meeting Recording** action retrieves metadata and the shareable URL + for a specific Zoom meeting recording stored in the cloud. This action is designed + to provide security analysts with quick access to recorded meeting content for + forensic investigations, compliance audits, or incident response documentation + based on a known Meeting ID. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Meeting ID | String | Yes | The unique identifier of the Zoom meeting recording + to be retrieved. | + + + ### Flow Description + + 1. **Parameter Extraction**: The action retrieves the `Meeting ID` from the input + parameters. + + 2. **Authentication**: The action initializes the `ZoomManager` using the provided + integration credentials (OAuth or JWT). + + 3. **API Interaction**: The action performs a GET request to the Zoom API endpoint + `/meetings/{meeting_id}/recordings` to fetch the recording details. + + 4. **Data Extraction**: It extracts the `share_url` from the API response to serve + as the primary result value. + + 5. **SOAR Enrichment**: The action adds the recording URL as a clickable link + in the Google SecOps interface and attaches the full JSON response containing + all recording metadata (e.g., file sizes, recording types, timestamps) to the + action results. + + + ### Additional Notes + + - This action specifically targets recordings stored in the Zoom Cloud; it cannot + retrieve local recordings. + + - The integration must be configured with credentials that have the `recording:read` + or `recording:read:admin` scopes. capabilities: can_create_case_comments: false can_create_insight: false @@ -340,50 +436,77 @@ Get Meeting Recording: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: ai_description: >- ### General Description - The Ping action is designed to verify the connectivity between Google SecOps and - the Zoom API. It ensures that the provided credentials (either OAuth or JWT) are - valid and that the network path to the Zoom service is open. + The **Ping** action is a diagnostic tool used to verify the connectivity between + Google SecOps and the Zoom API. It ensures that the provided credentials (either + JWT or OAuth) are valid and that the network path to Zoom's service is open. This + action is typically used during the initial setup of the integration or for troubleshooting + purposes. ### Parameters Description - There are no action-specific parameters for this action. It utilizes the global - integration configuration parameters: + This action does not require any input parameters. It relies entirely on the integration's + global configuration (JWT Token or OAuth Client ID, Client Secret, and Account + ID). - * **JWT Token**: Used for JWT-based authentication (legacy). - * **Account ID**: Used for OAuth-based authentication. + ### Flow Description - * **Client ID**: Used for OAuth-based authentication. + 1. **Configuration Retrieval:** The action fetches the integration's configuration + parameters, including authentication credentials. - * **Client Secret**: Used for OAuth-based authentication. + 2. **Manager Initialization:** It initializes the `ZoomManager` which handles + the authentication logic (OAuth token exchange or JWT header setup). + 3. **Connectivity Test:** The action calls the `test_connectivity` method, which + performs a `GET` request to the Zoom `/users` endpoint (requesting a small page + of active users). - ### Additional Notes + 4. **Validation:** If the API responds with a success status code (HTTP 200) and + valid JSON, the action returns a success message. - Either the JWT Token or the set of OAuth credentials (Account ID, Client ID, Client - Secret) must be configured in the integration settings for this action to function. - This action is primarily used for troubleshooting and initial setup verification. + 5. **Error Handling:** If the request fails due to invalid credentials, network + timeouts, or API errors, the action catches the exception and reports the failure + details. - ### Flow Description - - 1. **Initialize Manager**: The action initializes the ZoomManager using the credentials - provided in the integration configuration. - - 2. **Authentication**: Depending on the configuration, it either sets the JWT - bearer token or performs an OAuth login flow to retrieve an access token. + ### Additional Notes - 3. **Connectivity Test**: It executes a GET request to the Zoom `/users` endpoint - (requesting active users) to verify that the API responds successfully. + - This action is strictly for connectivity testing and does not process any entities + or modify any data. - 4. **Result Reporting**: If the request is successful, it returns a 'Connected - successfully' message. If any step fails (authentication or network), it reports - a failure with the specific error encountered. + - Either a JWT Token or a complete set of OAuth credentials (Account ID, Client + ID, Client Secret) must be configured in the integration settings for this action + to succeed. capabilities: can_create_case_comments: false can_create_insight: false @@ -411,3 +534,28 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/community/zoom/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/zoom/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..01511d2a6 --- /dev/null +++ b/content/response_integrations/third_party/community/zoom/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: true + cloud_security: false + collaboration: true + edr: false + email_security: false + iam_and_identity_management: true + itsm: false + network_security: false + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/anyrun_sandbox/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/anyrun_sandbox/resources/ai/actions_ai_description.yaml index eb6f35e5b..256936a74 100644 --- a/content/response_integrations/third_party/partner/anyrun_sandbox/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/anyrun_sandbox/resources/ai/actions_ai_description.yaml @@ -2,12 +2,33 @@ File Android Analysis: ai_description: >- ### General Description - This action performs automated file analysis using an Android Virtual Machine - within the ANY.RUN sandbox environment. It is designed to process file attachments - associated with a case, providing deep behavioral analysis, network activity monitoring, - and threat intelligence. The action submits the file to the ANY.RUN platform, - monitors the analysis progress, and retrieves comprehensive reports including - HTML summaries and identified Indicators of Compromise (IOCs). + The **File Android Analysis** action enables security analysts to perform automated + file detonation and behavioral analysis using the ANY.RUN Sandbox's Android Virtual + Machine. The action retrieves a file attachment from a Google SecOps case, uploads + it to the ANY.RUN platform with highly granular configuration options (such as + network routing, privacy levels, and environment locales), and retrieves comprehensive + analysis results including HTML reports and Indicators of Compromise (IOCs). + + + ### Flow Description + + 1. **Attachment Acquisition**: The action fetches the first available attachment + from the current Google SecOps case. + + 2. **Sandbox Submission**: The file is uploaded to the ANY.RUN Sandbox. The submission + includes specific Android VM configurations based on the provided parameters like + network connectivity, Tor usage, and MITM proxy settings. + + 3. **Interactive Link Generation**: A comment is added to the case containing + a direct URL to the live interactive analysis session in ANY.RUN. + + 4. **Status Monitoring**: The action polls the sandbox for task completion. + + 5. **Report Retrieval & Storage**: Once the analysis is finished, the action downloads + the full HTML report and saves it as a new attachment on the case wall. + + 6. **IOC Extraction**: The action retrieves identified IOCs and posts a summary + comment to the case, highlighting any indicators flagged as 'Suspicious' or 'Malicious'. ### Parameters Description @@ -16,41 +37,40 @@ File Android Analysis: | :--- | :--- | :--- | :--- | - | Timeout In Seconds | String | No | Defines the duration for the analysis task. - Range: 10-660 seconds. Default is 240. | + | Timeout In Seconds | String | No | Defines the duration of the analysis task + (Range: 10-660 seconds). Default is 240. | - | Change to valid extension | Boolean | No | If enabled, automatically adjusts - the file extension to a valid format for analysis. | + | Change to valid extension | Boolean | No | If enabled, the sandbox will automatically + correct the file extension to a valid format. | - | Command line | String | No | Optional command-line arguments to be passed to - the object during analysis. | + | Command line | String | No | Optional command-line arguments to be executed + with the file. | - | System's language | String | No | Sets the operating system language for the - sandbox (e.g., 'en-US', 'Brazil'). | + | System's language | String | No | Sets the OS locale/language (e.g., 'en-US' + or 'Brazil'). | - | User Tags | String | No | Custom tags to categorize the task in ANY.RUN. Max - 8 tags, 16 chars each. | + | User Tags | String | No | Custom tags for task categorization in ANY.RUN (Max + 8 tags, 16 chars each). | - | Analysis Privacy Type | DDL | No | Sets visibility of the analysis: public, - bylink, owner, or byteam. | + | Analysis Privacy Type | DDL | No | Controls visibility: 'public', 'bylink', + 'owner', or 'byteam'. | - | Network Connect | Boolean | No | Enables or disables network connectivity for - the analyzed file. | + | Network Connect | Boolean | No | Enables or disables internet access for the + Android VM. | | Network Fakenet | Boolean | No | Enables the FakeNet feature to simulate network services. | - | Network Tor | Boolean | No | Routes sandbox traffic through the TOR network. - | + | Network Tor | Boolean | No | Routes VM traffic through the Tor network. | - | Network Geo | String | No | Specifies the geolocation for TOR or proxy exit - nodes (e.g., 'US', 'AU'). | + | Network Geo | String | No | Specifies the geolocation for Tor exit nodes (e.g., + 'US', 'AU'). | - | Network Mitm | Boolean | No | Enables HTTPS Man-In-The-Middle proxy for traffic + | Network Mitm | Boolean | No | Enables HTTPS Man-in-the-Middle proxying for traffic inspection. | - | Network Residential Proxy | Boolean | No | Uses a residential proxy for network - traffic. | + | Network Residential Proxy | Boolean | No | Enables the use of residential proxies + for the analysis. | | Network Residential Proxy Geo | String | No | Specifies the geolocation for the residential proxy. | @@ -58,41 +78,9 @@ File Android Analysis: ### Additional Notes - - This action operates on the **first attachment** found in the Google SecOps - case. If no attachments are present, the action will fail. - - - It requires a valid ANY.RUN Sandbox API Key to be configured in the integration - settings. - - - The action results in both a new attachment (HTML report) and case comments - (analysis link and IOC summary). - - - ### Flow Description - - 1. **Initialization:** Retrieves the ANY.RUN API key and SSL configuration from - the integration settings. - - 2. **Attachment Retrieval:** Fetches the first available attachment from the current - case context. - - 3. **Task Submission:** Submits the file to the ANY.RUN Android sandbox using - the specified environment, network, and privacy parameters. - - 4. **Interactive Link:** Immediately posts a case comment containing the URL to - the live interactive analysis in ANY.RUN. - - 5. **Status Monitoring:** Polls the ANY.RUN API to monitor the progress of the - analysis task. - - 6. **Report Retrieval:** Once complete, downloads the HTML version of the analysis - report. - - 7. **Internal Mutation (Attachment):** Saves the HTML report as a new attachment - on the Google SecOps case wall. - - 8. **IOC Processing:** Fetches IOC data; if suspicious or malicious indicators - are found, it formats and posts them as a summary comment in the case. + This action is specifically designed for Android-compatible files (e.g., APKs). + It requires a valid API Key for ANY.RUN to be configured in the integration settings. + The action will fail if no attachments are found in the case. capabilities: can_create_case_comments: true can_create_insight: false @@ -101,12 +89,12 @@ File Android Analysis: can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: >- - Creates a new sandbox analysis task and uploads a file to the ANY.RUN platform - for processing. + Creates a new analysis task and uploads a file to the ANY.RUN Sandbox environment + for detonation. fetches_data: true internal_data_mutation_explanation: >- - Adds comments to the case wall containing analysis links and IOC summaries, - and uploads the generated HTML report as a new case attachment. + Adds comments to the case containing analysis links and IOC summaries, and saves + the HTML analysis report as a new attachment to the case wall. categories: enrichment: false entity_usage: @@ -124,15 +112,43 @@ File Android Analysis: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: true + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: true + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false File Linux Analysis: ai_description: >- ### General Description - The **File Linux Analysis** action automates the submission of file attachments - to the ANY.RUN sandbox for behavioral analysis within a Linux environment (Ubuntu - or Debian). It allows security analysts to safely execute suspicious files, observe - their network activity, and retrieve detailed forensic reports directly within - Google SecOps. + Performs automated file analysis in an ANY.RUN Linux sandbox environment. This + action retrieves the first attachment from a Google SecOps case, uploads it to + the ANY.RUN platform, and executes it within a specified Linux virtual machine + (Ubuntu or Debian). It allows for extensive configuration of the sandbox environment, + including network settings (FakeNet, TOR, MITM proxy), execution privileges, and + privacy levels. The action monitors the task until completion, then retrieves + a detailed HTML report and a summary of malicious or suspicious Indicators of + Compromise (IOCs). ### Parameters Description @@ -141,78 +157,94 @@ File Linux Analysis: | :--- | :--- | :--- | :--- | - | **Env Os** | DDL | Yes | Specifies the Linux distribution for the analysis (ubuntu - or debian). | + | Env Os | ddl | Yes | Version of the Linux OS to use for analysis. Supports 'ubuntu' + and 'debian'. | - | **StartFolder** | DDL | No | The directory where the file will be placed (desktop, - home, downloads, temp). | + | StartFolder | ddl | No | The directory where the file execution starts. Supports + 'desktop', 'home', 'downloads', and 'temp'. | - | **Run As Root** | Boolean | No | If true, executes the file with superuser privileges. - | + | Run As Root | boolean | No | If true, executes the file with superuser (root) + privileges. | - | **Timeout In Seconds** | String | No | Duration of the analysis (10 to 660 seconds). - Default is 240. | + | Timeout In Seconds | string | No | The duration of the sandbox task. Range: + 10-660 seconds. Default is 240. | - | **Change to valid extension** | Boolean | No | Automatically renames the file - to a valid extension if necessary. | + | Change to valid extension | boolean | No | If true, automatically renames the + file to have a valid extension before analysis. | - | **Command line** | String | No | Optional arguments to pass to the file during - execution. | + | Command line | string | No | Optional command-line arguments to pass to the + analyzed object. | - | **System's language** | String | No | The locale/language of the OS (e.g., 'en-US'). - | + | System's language | string | No | The locale or country name for the operating + system (e.g., 'en-US'). | - | **User Tags** | String | No | Custom tags for the ANY.RUN task (max 8 tags, - 16 chars each). | + | User Tags | string | No | Custom tags to associate with the ANY.RUN task (max + 8 tags, 16 characters each). | - | **Analysis Privacy Type** | DDL | No | Sets visibility of the task (public, - bylink, owner, byteam). | + | Analysis Privacy Type | ddl | No | Privacy level for the analysis task. Supports + 'public', 'bylink', 'owner', and 'byteam'. | - | **Network Connect** | Boolean | No | Enables or disables internet access for - the VM. | + | Network Connect | boolean | No | Enables or disables network connectivity for + the sandbox. | - | **Network Fakenet** | Boolean | No | Enables FakeNet to simulate network services. - | + | Network Fakenet | boolean | No | Enables the FakeNet feature to simulate network + services. | - | **Network Tor** | Boolean | No | Routes traffic through the TOR network. | + | Network Tor | boolean | No | Enables the use of the TOR network for sandbox + traffic. | - | **Network Geo** | String | No | Geolocation for TOR exit nodes (e.g., 'US'). - | + | Network Geo | string | No | Specifies the TOR exit node geolocation (e.g., 'US', + 'AU'). | - | **Network Mitm** | Boolean | No | Enables HTTPS Man-In-The-Middle proxying. + | Network Mitm | boolean | No | Enables an HTTPS MITM Proxy for traffic inspection. | - | **Network Residential Proxy** | Boolean | No | Uses a residential proxy for - network traffic. | + | Network Residential Proxy | boolean | No | Enables the use of a residential + proxy for network traffic. | - | **Network Residential Proxy Geo** | String | No | Geolocation for the residential - proxy. | + | Network Residential Proxy Geo | string | No | Specifies the geolocation for + the residential proxy. | ### Additional Notes - - This action requires at least one attachment to be present in the Google SecOps - case. It processes the first attachment found. + * **Discrepancy Note:** The YAML configuration defines the parameter as `Env Os`, + but the underlying Python script attempts to extract a parameter named `Machine + Os`. Ensure the parameter name in the UI matches the script's expectation or vice + versa. + + * **Attachment Handling:** This action specifically targets the first attachment + found in the current case. If no attachments are present, the action will fail. - - The action provides a direct link to the interactive ANY.RUN session in the - case comments. + * **Internal Mutation:** This action modifies the case by adding comments and + attaching the final HTML report to the case wall. ### Flow Description - 1. **Attachment Retrieval:** Fetches the first available attachment from the current - case. + 1. **Initialization:** Retrieves the ANY.RUN API key and SSL verification settings + from the integration configuration. - 2. **Sandbox Submission:** Uploads the file to ANY.RUN using the Linux connector - with the configured OS and network parameters. + 2. **Attachment Retrieval:** Fetches all attachments associated with the current + case and selects the first one for analysis. - 3. **Task Monitoring:** Polls the ANY.RUN API to monitor the status of the analysis. + 3. **Task Submission:** Uploads the file data to the ANY.RUN Sandbox, configuring + the Linux environment based on the provided action parameters. - 4. **Report Retrieval:** Once complete, it downloads the HTML analysis report - and extracts Indicators of Compromise (IOCs). + 4. **Interactive Link:** Adds a comment to the case wall containing a direct link + to the interactive analysis task on the ANY.RUN platform. - 5. **Case Enrichment:** Saves the HTML report to the Case Wall and adds comments - containing the task URL and a summary of malicious/suspicious IOCs. + 5. **Monitoring:** Polls the ANY.RUN API to track the status of the analysis task + until it reaches a terminal state. + + 6. **Report Retrieval:** Downloads the final analysis report in HTML format and + attaches it to the case wall. + + 7. **IOC Extraction:** Fetches a list of IOCs identified during analysis. If any + are classified as suspicious or malicious, a summary comment is added to the case. + + 8. **Completion:** Ends the action by providing the final analysis verdict (e.g., + malicious, suspicious, or clean). capabilities: can_create_case_comments: true can_create_insight: false @@ -221,11 +253,11 @@ File Linux Analysis: can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: >- - Creates a new analysis task and uploads a file to the ANY.RUN sandbox environment. + Creates a new sandbox analysis task and uploads a file to the ANY.RUN platform. fetches_data: true internal_data_mutation_explanation: >- - Adds comments to the case and uploads the HTML analysis report as an attachment - to the case wall. + Adds case comments containing analysis links and IOC summaries, and attaches + the HTML analysis report to the case wall. categories: enrichment: false entity_usage: @@ -243,106 +275,76 @@ File Linux Analysis: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: true + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false File Windows Analysis: - ai_description: >- - ### General Description - - Performs automated malware analysis of file attachments using ANY.RUN's Windows - sandbox environment. This action allows security analysts to submit suspicious - files directly from a Google SecOps case to ANY.RUN, where they are executed in - a controlled virtual machine to observe behavior, network activity, and potential - threats. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Environment Version | DDL | No | Specifies the Windows OS version (7, 10, or - 11). Default is 10. | - - | Environment Bitness | DDL | No | Specifies the OS architecture (32 or 64 bit). - Default is 64. | - - | Environment Type | DDL | No | Selects the environment preset. 'development' - is only for Windows 10 x64; 'complete' is required for others. | - - | File Force Elevation | Boolean | No | If true, forces the file to execute with - administrative privileges (PE files only). | - - | StartFolder | DDL | No | The directory where the file will be executed (e.g., - temp, desktop, downloads). | - - | Timeout In Seconds | String | No | The duration of the analysis task (10-660 - seconds). Default is 240. | - - | Change to valid extension | Boolean | No | Automatically corrects the file extension - to match the file type. | - - | Command line | String | No | Optional arguments to pass to the file during execution. - | - - | System's language | String | No | Sets the OS locale (e.g., 'en-US'). | - - | User Tags | String | No | Custom tags for the ANY.RUN task (max 8 tags, 16 chars - each). | - - | Analysis Privacy Type | DDL | No | Sets visibility of the task (public, bylink, - owner, byteam). | - - | Network Connect | Boolean | No | Enables or disables network connectivity for - the sandbox. | - - | Network Fakenet | Boolean | No | Enables the FakeNet feature to simulate network - services. | - - | Network Tor | Boolean | No | Routes sandbox traffic through the TOR network. - | - - | Network Geo | String | No | Specifies the TOR exit node location (e.g., 'US'). - | - - | Network Mitm | Boolean | No | Enables HTTPS Man-In-The-Middle proxy for traffic - inspection. | - - | Network Residential Proxy | Boolean | No | Uses a residential proxy for the - sandbox connection. | - - | Network Residential Proxy Geo | String | No | Specifies the residential proxy - location. | - - - ### Additional Notes - - * This action does not run on specific entities (like IP or Hostname) but instead - processes **attachments** associated with the current case. - - * At least one attachment must be present in the case for the action to execute - successfully. - - - ### Flow Description - - 1. **Attachment Retrieval:** The action fetches the first available attachment - from the Google SecOps case. - - 2. **Task Submission:** It uploads the file to the ANY.RUN API, creating a new - Windows analysis task with the configured environment and network settings. - - 3. **Monitoring:** The action polls the ANY.RUN service to monitor the status - of the analysis. - - 4. **Reporting:** Once complete, it retrieves the full HTML analysis report and - saves it as a new attachment to the case wall. - - 5. **IOC Extraction:** It fetches identified Indicators of Compromise (IOCs) and - posts a summary comment to the case wall, highlighting suspicious or malicious - findings. - - 6. **Verdict:** The action concludes by providing the final analysis verdict (e.g., - Malicious, Suspicious, Clean) as the action result. + ai_description: "Uploads a file attachment from a Google SecOps case to the ANY.RUN\ + \ sandbox for dynamic analysis within a Windows virtual machine. This action allows\ + \ analysts to execute suspicious files in a controlled environment to observe\ + \ behavior, network activity, and potential threats. It supports extensive configuration\ + \ of the analysis environment, including OS version, bitness, and network routing\ + \ options like Tor or residential proxies. \n\n### Flow Description:\n1. **Attachment\ + \ Retrieval:** The action identifies and retrieves the first available file attachment\ + \ from the current Google SecOps case.\n2. **Sandbox Submission:** The file is\ + \ uploaded to the ANY.RUN sandbox with the specified environment parameters (OS,\ + \ network settings, timeout, etc.).\n3. **Interactive Link:** A comment is added\ + \ to the case providing a direct URL to the live interactive analysis session\ + \ in ANY.RUN.\n4. **Status Monitoring:** The action polls the sandbox for the\ + \ task status until completion.\n5. **Report Retrieval:** Once finished, the action\ + \ downloads the full HTML analysis report and saves it as a new attachment on\ + \ the case wall.\n6. **IOC Extraction:** It fetches identified Indicators of Compromise\ + \ (IOCs) and appends a summary of suspicious or malicious indicators to the case\ + \ comments.\n\n### Parameters Description:\n| Parameter Name | Type | Mandatory\ + \ | Description |\n| :--- | :--- | :--- | :--- |\n| Environment Version | DDL\ + \ | No | Specifies the Windows OS version (7, 10, or 11). Default is 10. |\n|\ + \ Environment Bitness | DDL | No | Specifies the OS architecture (32 or 64 bit).\ + \ Default is 64. |\n| Environment Type | DDL | No | Selects the environment preset.\ + \ 'development' is only for Win 10 x64; 'complete' is required for others. |\n\ + | File Force Elevation | Boolean | No | If true, executes the file with administrative/elevated\ + \ privileges. |\n| StartFolder | DDL | No | The directory where the file execution\ + \ starts (e.g., temp, desktop, downloads). |\n| Timeout In Seconds | String |\ + \ No | The duration of the analysis task (10-660 seconds). Default is 240. |\n\ + | Change to valid extension | Boolean | No | Automatically corrects the file extension\ + \ to a valid one before execution. |\n| Command line | String | No | Optional\ + \ CLI arguments to pass to the file during execution. |\n| System's language |\ + \ String | No | The locale/language of the guest OS (e.g., 'en-US'). |\n| User\ + \ Tags | String | No | Custom tags to label the task in ANY.RUN. Default is 'secops-alert'.\ + \ |\n| Analysis Privacy Type | DDL | No | Sets visibility of the analysis (public,\ + \ bylink, owner, byteam). |\n| Network Connect | Boolean | No | Enables or disables\ + \ internet access for the sandbox environment. |\n| Network Fakenet | Boolean\ + \ | No | Enables FakeNet to simulate network services and intercept traffic. |\n\ + | Network Tor | Boolean | No | Routes sandbox network traffic through the Tor\ + \ network. |\n| Network Geo | String | No | Specifies the geolocation for Tor\ + \ exit nodes (e.g., 'US', 'AU'). |\n| Network Mitm | Boolean | No | Enables HTTPS\ + \ MITM proxy for SSL/TLS inspection. |\n| Network Residential Proxy | Boolean\ + \ | No | Uses a residential proxy for network traffic. |\n| Network Residential\ + \ Proxy Geo | String | No | Specifies the geolocation for the residential proxy.\ + \ |\n\n### Additional Notes:\n- This action requires at least one attachment to\ + \ be present in the case to function.\n- The 'Environment Type' must be set to\ + \ 'complete' for any OS version other than Windows 10 x64." capabilities: can_create_case_comments: true can_create_insight: false @@ -351,12 +353,11 @@ File Windows Analysis: can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: >- - Creates a new sandbox analysis task and uploads a file to the ANY.RUN platform - for processing. + Creates a new analysis task and uploads a file to the ANY.RUN sandbox platform. fetches_data: true internal_data_mutation_explanation: >- - Adds comments to the case wall containing analysis links and IOC summaries, - and saves the HTML analysis report as a case attachment. + Adds comments to the case and saves the sandbox analysis report as an attachment + to the case wall. categories: enrichment: false entity_usage: @@ -374,64 +375,76 @@ File Windows Analysis: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: true + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: ai_description: >- ### General Description - Tests the connectivity between Google SecOps and the ANY.RUN Sandbox service. - This action is used to verify that the integration is correctly configured and - can successfully communicate with the ANY.RUN API. + The Ping action is a diagnostic tool designed to verify the connectivity between + the Google SecOps environment and the ANY.RUN Sandbox service. Its primary purpose + is to ensure that the integration is correctly configured, the API key is valid, + and the network path (including optional proxies) is open. - ### Parameters Description + ### Flow Description - This action does not take any action-specific parameters. It relies on the following - integration configuration parameters: + 1. **Configuration Extraction**: The action retrieves the integration's global + configuration, including the ANY.RUN Sandbox API Key, SSL verification preference, + and proxy settings. + 2. **Proxy Validation**: If proxy support is enabled in the configuration, the + action first attempts to validate the connection through the specified proxy host + and port. - | Parameter | Type | Mandatory | Description | + 3. **Authorization Check**: The action initializes a connection to the ANY.RUN + Sandbox API using the provided credentials and performs a standard authorization + check to confirm the API key's validity. - | :--- | :--- | :--- | :--- | + 4. **Result Reporting**: Based on the success or failure of the API call, the + action returns a completion status and an informative message to the user. - | ANYRUN Sandbox API KEY | String | Yes | The API key used to authenticate with - the ANY.RUN Sandbox service. | - | Verify SSL | Boolean | No | If enabled, the action will verify the SSL certificate - of the ANY.RUN API. | + ### Parameters Description - | Enable proxy | Boolean | No | If enabled, the action will use the configured - proxy to connect to the ANY.RUN API. | + | Parameter | Type | Mandatory | Description | - | Proxy host | String | No | The hostname or IP address of the proxy server. Required - if 'Enable proxy' is true. | + | :--- | :--- | :--- | :--- | - | Proxy port | String | No | The port of the proxy server. Required if 'Enable - proxy' is true. | + | N/A | N/A | N/A | This action does not take any input parameters. It uses the + global integration configuration. | ### Additional Notes - - This is a standard 'Ping' action used for troubleshooting connectivity and credential - issues. - - - The action will fail if the API key is invalid or if the network connection - (including proxy settings) is misconfigured. - - - ### Flow Description - - 1. **Configuration Extraction**: The action retrieves the API key, SSL verification - setting, and proxy configuration from the integration's global settings. - - 2. **Proxy Validation (Optional)**: If the 'Enable proxy' setting is true, the - action attempts to validate the proxy connection using the provided host and port. - - 3. **Authorization Check**: The action makes a request to the ANY.RUN Sandbox - API to verify the validity of the provided API key. + - This action is strictly for connectivity testing and does not process any entities + or alert data. - 4. **Result Reporting**: If the authorization check is successful, the action - logs a success message and completes. If an error occurs (e.g., authentication - failure or network timeout), the action logs the error and fails. + - It relies on the 'ANYRUN Sandbox API KEY', 'Verify SSL', and 'Enable proxy' + settings defined at the integration level. capabilities: can_create_case_comments: false can_create_insight: false @@ -459,85 +472,66 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false URL Android Analysis: - ai_description: >- - ### General Description - - The **URL Android Analysis** action submits one or more URLs to the ANY.RUN Sandbox - for automated analysis using an Android virtual machine. This action is designed - to observe the behavior of URLs in a mobile environment, providing detailed threat - intelligence, including HTML reports, Indicators of Compromise (IOCs), and a final - analysis verdict. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **Url** | String | Yes | The URL(s) to be analyzed. Defaults to `[Entity.Identifier]`. - Multiple URLs can be provided as a comma-separated list. | - - | **Timeout In Seconds** | String | No | The duration for the analysis task, ranging - from 10 to 660 seconds. Default is 120. | - - | **Command line** | String | No | Optional command-line arguments for the analyzed - object. | - - | **System's language** | String | No | The operating system's locale or country - name (e.g., 'en-US'). | - - | **User Tags** | String | No | Custom tags to categorize the task in ANY.RUN - (max 8 tags, 16 chars each). | - - | **Analysis Privacy Type** | DDL | No | Privacy level for the task: `public`, - `bylink`, `owner`, or `byteam`. Default is `bylink`. | - - | **Network Connect** | Boolean | No | Enables network connectivity for the analysis - VM. Default is `true`. | - - | **Network Fakenet** | Boolean | No | Enables the FakeNet feature to simulate - network services. | - - | **Network Tor** | Boolean | No | Routes VM traffic through the TOR network. - | - - | **Network Geo** | String | No | Geolocation for TOR or proxy exit nodes (e.g., - 'US', 'AU'). | - - | **Network Mitm** | Boolean | No | Enables HTTPS MITM Proxy for traffic inspection. - | - - | **Network Residential Proxy** | Boolean | No | Uses a residential proxy for - the analysis. | - - | **Network Residential Proxy Geo** | String | No | Geolocation for the residential - proxy. | - - - ### Flow Description - - 1. **Setup**: Extracts API credentials and configuration settings for the ANY.RUN - Sandbox. - - 2. **Task Submission**: Submits the target URL(s) to the ANY.RUN API to initiate - an Android-based analysis task. - - 3. **Interactive Link**: Immediately adds a case comment with a link to the live - interactive analysis on the ANY.RUN platform. - - 4. **Status Polling**: Monitors the task status until the analysis is complete. - - 5. **Report Retrieval**: Downloads the final analysis report in HTML format and - attaches it to the Google SecOps Case Wall. - - 6. **IOC Extraction**: Retrieves detected Indicators of Compromise (IOCs). If - any are classified as suspicious or malicious, a summary is added to the case - comments. - - 7. **Final Verdict**: Fetches the final analysis verdict and adds a concluding - comment to the case with the analysis status. + ai_description: "Performs automated URL analysis using an Android Virtual Machine\ + \ in the ANY.RUN sandbox. This action allows analysts to submit suspicious URLs\ + \ to a controlled environment to observe behavior, network activity, and potential\ + \ threats. \n\n### Flow Description:\n1. **Configuration Retrieval:** Retrieves\ + \ the ANY.RUN API key and SSL verification settings from the integration configuration.\n\ + 2. **Input Processing:** Extracts the target URL(s) from the action parameters.\ + \ If multiple URLs are provided (comma-separated), it processes them sequentially.\n\ + 3. **Task Submission:** For each URL, it initiates an analysis task on an ANY.RUN\ + \ Android VM using the specified network and environment parameters.\n4. **Monitoring:**\ + \ Polls the ANY.RUN API to monitor the task status until the analysis is complete.\n\ + 5. **Report Retrieval:** Downloads the HTML analysis report and attaches it to\ + \ the Google SecOps case wall for forensic review.\n6. **IOC Extraction:** Fetches\ + \ identified Indicators of Compromise (IOCs) from the analysis and adds a summary\ + \ comment to the case if suspicious or malicious indicators are found.\n7. **Verdict\ + \ Reporting:** Retrieves the final analysis verdict and posts it as a concluding\ + \ comment to the case.\n\n### Parameters Description:\n| Parameter | Type | Mandatory\ + \ | Description |\n| :--- | :--- | :--- | :--- |\n| Url | string | Yes | The destination\ + \ URL(s) to be analyzed. Supports comma-separated values. Defaults to [Entity.Identifier].\ + \ |\n| Timeout In Seconds | string | No | The duration for the analysis task (10-660\ + \ seconds). Default is 120. |\n| Command line | string | No | Optional command-line\ + \ arguments for the analyzed object. |\n| System's language | string | No | The\ + \ OS locale or country name (e.g., 'en-US' or 'Brazil'). |\n| User Tags | string\ + \ | No | Custom tags for the task (max 8 tags, 16 chars each). |\n| Analysis Privacy\ + \ Type | ddl | No | Privacy level: public, bylink, owner, or byteam. |\n| Network\ + \ Connect | boolean | No | Whether to enable network connectivity in the VM. |\n\ + | Network Fakenet | boolean | No | Whether to enable the FakeNet feature. |\n\ + | Network Tor | boolean | No | Whether to use TOR for network traffic. |\n| Network\ + \ Geo | string | No | TOR geolocation (e.g., US, AU). |\n| Network Mitm | boolean\ + \ | No | Whether to enable HTTPS MITM Proxy. |\n| Network Residential Proxy |\ + \ boolean | No | Whether to use a residential proxy. |\n| Network Residential\ + \ Proxy Geo | string | No | Residential proxy geolocation. |\n\n### Additional\ + \ Notes:\n- This action creates a new task in the ANY.RUN platform for every URL\ + \ processed.\n- The HTML report is saved as a case wall attachment, which is not\ + \ considered a standard enrichment update." capabilities: can_create_case_comments: true can_create_insight: false @@ -546,51 +540,16 @@ URL Android Analysis: can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: >- - Submits a URL to the ANY.RUN sandbox, which creates a new analysis task/resource - on the external platform. + Submits a URL to the ANY.RUN sandbox to initiate a new automated analysis task, + creating a record/job in the external system. fetches_data: true internal_data_mutation_explanation: >- - Adds multiple comments to the case and saves the analysis report as an attachment - to the case wall. + Adds comments to the case summarizing IOCs and verdicts, and uploads the HTML + analysis report as an attachment to the case wall. categories: enrichment: false entity_usage: - entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -604,94 +563,128 @@ URL Android Analysis: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: true + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: true + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false URL Linux Analysis: ai_description: >- - ### General Description + Submits URLs to the ANY.RUN Linux-based sandbox for automated behavioral analysis. + This action allows security analysts to execute and observe potentially malicious + links within a controlled Linux environment (Ubuntu or Debian) using popular browsers + like Google Chrome or Mozilla Firefox. It provides comprehensive visibility into + network activity, process execution, and potential threats associated with the + submitted URL. - Submits one or more URLs to the ANY.RUN Sandbox for automated analysis using a - Linux virtual machine. This action allows security analysts to safely investigate - suspicious URLs in a controlled environment, providing detailed reports on network - activity, file modifications, and threat indicators. + ### Flow Description - ### Parameters Description + 1. **Initialization**: Retrieves the ANY.RUN API key and SSL verification settings + from the integration configuration. - | Parameter | Description | Type | Mandatory | + 2. **Input Processing**: Extracts the target URL(s) from the action parameters, + supporting comma-separated inputs. - | :--- | :--- | :--- | :--- | + 3. **Task Submission**: For each URL, it initiates a new Linux analysis task in + the ANY.RUN sandbox using the specified OS, browser, and network configurations + (e.g., Tor, VPN, MITM proxy). - | Url | The destination URL(s) to analyze. Supports a comma-separated list of - URLs. Defaults to the identifier of the entity in scope. | String | Yes | + 4. **Interactive Access**: Immediately posts a case comment containing a direct + link to the interactive ANY.RUN analysis session. - | Machine Os | The Linux operating system version to use for the analysis. Supported - values: `ubuntu`, `debian`. | DDL | Yes | + 5. **Status Monitoring**: Polls the ANY.RUN API to monitor the progress of the + analysis task until completion. - | Browser | The web browser to use for the analysis. Supported values: `Google - Chrome`, `Mozilla Firefox`. | DDL | Yes | + 6. **Report Retrieval**: Downloads the final HTML analysis report and attaches + it to the Google SecOps case wall for forensic documentation. - | Timeout In Seconds | The duration of the analysis task in the sandbox. Range: - 10-660 seconds. Default is 120. | String | No | + 7. **IOC Extraction**: Retrieves identified Indicators of Compromise (IOCs) from + the analysis and summarizes suspicious or malicious findings in a case comment. - | Command line | Optional command-line arguments to be passed to the analyzed - object. | String | No | + 8. **Verdict Reporting**: Fetches the final analysis verdict and posts a concluding + status update to the case. - | System's language | The language/locale of the sandbox operating system (e.g., - 'en-US' or 'Brazil'). | String | No | - | User Tags | Custom tags to associate with the analysis task. Max 8 unique tags, - 16 characters each. | String | No | + ### Parameters Description - | Analysis Privacy Type | Privacy level for the analysis task. Supported values: - `public`, `bylink`, `owner`, `byteam`. | DDL | No | + | Parameter | Description | Type | Mandatory | Notes | - | Network Connect | Enables or disables network connectivity within the sandbox. - | Boolean | No | + | :--- | :--- | :--- | :--- | :--- | - | Network Fakenet | Enables the FakeNet feature to simulate network services. - | Boolean | No | + | Url | The destination URL(s) to be analyzed in the sandbox. | String | Yes | + Supports comma-separated values; defaults to the entity identifier. | - | Network Tor | Enables the use of the TOR network for analysis. | Boolean | No - | + | Machine Os | The Linux distribution to use for the analysis. | DDL | Yes | Supports + 'ubuntu' and 'debian'. | - | Network Geo | Specifies the TOR geolocation (e.g., 'US', 'AU'). Default is 'fastest'. - | String | No | + | Browser | The web browser to use for opening the URL. | DDL | Yes | Supports + 'Google Chrome' and 'Mozilla Firefox'. | - | Network Mitm | Enables an HTTPS MITM (Man-In-The-Middle) proxy. | Boolean | - No | + | Timeout In Seconds | The duration of the analysis task. | String | No | Range: + 10-660 seconds. Default: 120. | - | Network Residential Proxy | Enables the use of a residential proxy. | Boolean - | No | + | Command line | Optional command-line arguments for the browser or analyzed object. + | String | No | | - | Network Residential Proxy Geo | Specifies the residential proxy geolocation - (e.g., 'US', 'AU'). Default is 'fastest'. | String | No | + | System's language | The locale or language for the operating system. | String + | No | Example: 'en-US' or 'Brazil'. | + | User Tags | Custom tags to categorize the task in ANY.RUN. | String | No | Max + 8 unique tags, 16 chars each. | - ### Flow Description + | Analysis Privacy Type | Privacy level for the analysis task. | DDL | No | Options: + public, bylink, owner, byteam. Default: bylink. | + + | Network Connect | Enables or disables network connectivity for the VM. | Boolean + | No | Default: true. | - 1. **Initialization**: The action extracts the ANY.RUN API key and SSL verification - settings from the integration configuration. + | Network Fakenet | Enables the FakeNet feature to simulate network services. + | Boolean | No | Default: false. | - 2. **URL Parsing**: It retrieves the `Url` parameter and splits it by commas to - handle multiple URLs in a single execution. + | Network Tor | Routes network traffic through the Tor network. | Boolean | No + | Default: false. | - 3. **Task Submission**: For each URL, it initiates a Linux-based analysis task - in ANY.RUN using the specified OS, browser, and network configuration parameters. + | Network Geo | Specifies the Tor exit node geolocation. | String | No | Default: + 'fastest'. | - 4. **Interactive Link**: A comment is added to the Google SecOps case containing - a direct link to the interactive analysis task on the ANY.RUN platform. + | Network Mitm | Enables HTTPS MITM Proxy for traffic inspection. | Boolean | + No | Default: false. | - 5. **Monitoring**: The action polls the ANY.RUN API to monitor the status of the - analysis task until completion. + | Network Residential Proxy | Uses a residential proxy for the analysis. | Boolean + | No | Default: false. | + + | Network Residential Proxy Geo | Geolocation for the residential proxy. | String + | No | Default: 'fastest'. | - 6. **Report Retrieval**: Once finished, it downloads the full HTML analysis report - and attaches it to the Case Wall. - 7. **IOC Summary**: It fetches the Indicator of Compromise (IOC) report. If any - malicious or suspicious indicators are found, it adds a summary comment to the - case. + ### Additional Notes + + - This action performs a mutation in the external ANY.RUN system by creating a + new analysis task. - 8. **Verdict**: Finally, it retrieves the analysis verdict and adds a concluding - comment with the final status of the URL analysis. + - The action modifies internal case data by adding comments and file attachments + (HTML reports). capabilities: can_create_case_comments: true can_create_insight: false @@ -700,16 +693,16 @@ URL Linux Analysis: can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: >- - Creates a new analysis task resource in the ANY.RUN sandbox environment for - every URL submitted. + Creates a new URL analysis task/resource in the ANY.RUN sandbox environment. fetches_data: true internal_data_mutation_explanation: >- - Adds multiple comments to the case and attaches an HTML analysis report to the - case wall. + Adds descriptive comments to the case and uploads the HTML analysis report as + an attachment to the case wall. categories: enrichment: false entity_usage: - entity_types: [] + entity_types: + - DestinationURL filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -723,97 +716,125 @@ URL Linux Analysis: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: true + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: true + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false URL Windows Analysis: ai_description: >- - ### General Description + Performs automated URL analysis using the ANY.RUN interactive sandbox on a Windows + virtual machine. This action allows security analysts to submit suspicious URLs + to a controlled environment to observe behavior, network activity, and potential + threats. It supports various browser configurations and advanced network settings + like TOR, FakeNet, and residential proxies. The action retrieves a comprehensive + HTML report, extracts indicators of compromise (IOCs), and provides a final verdict, + all of which are integrated back into the SecOps case for further investigation. - Submits URLs to the ANY.RUN Sandbox for automated and interactive analysis using - a Windows Virtual Machine. This action allows security analysts to safely execute - and observe the behavior of suspicious links in a controlled environment, providing - detailed reports on network activity, process execution, and threat indicators. + ### Flow Description: - ### Parameters Description + 1. **Initialization:** Extracts the API key and SSL verification settings from + the integration configuration. - | Parameter | Type | Mandatory | Description | + 2. **Parameter Extraction:** Retrieves the target URL(s) and analysis parameters + (browser, timeout, network settings, etc.) from the action input. - | :--- | :--- | :--- | :--- | + 3. **Analysis Submission:** For each provided URL, it initiates a new Windows-based + sandbox analysis task in ANY.RUN. - | Url | String | Yes | The destination URL(s) to analyze. Supports comma-separated - values. Defaults to the entity identifier. | + 4. **Interactive Link:** Immediately posts a comment to the case wall containing + a direct link to the live interactive analysis session. - | Browser | DDL | Yes | The browser used for the analysis (Microsoft Edge, Google - Chrome, Mozilla Firefox, Internet Explorer). | + 5. **Status Monitoring:** Polls the ANY.RUN API to monitor the progress of the + analysis task until completion. - | Timeout In Seconds | String | No | Task completion time (10-660 seconds). Default - is 120. | + 6. **Report Retrieval:** Downloads the full HTML analysis report and attaches + it to the case wall as a file. - | Command line | String | No | Optional command-line arguments for the analyzed - object. | + 7. **IOC Extraction:** Fetches extracted indicators from the analysis. If any + indicators are identified as suspicious or malicious, it summarizes them in a + case comment. - | System's language | String | No | Operation system's language (e.g., 'en-US' - or 'Brazil'). | + 8. **Verdict Reporting:** Retrieves the final analysis verdict (e.g., malicious, + clean) and posts it as a concluding comment to the case. - | User Tags | String | No | Custom tags for the task (max 8 unique tags, 16 characters - each). | - | Analysis Privacy Type | DDL | No | Privacy settings for the analysis (public, - bylink, owner, byteam). | + ### Parameters Description: - | Network Connect | Boolean | No | Enable network connection during analysis. - | + | Parameter | Description | Type | Mandatory | - | Network Fakenet | Boolean | No | Enable FakeNet feature to simulate network - services. | + | :--- | :--- | :--- | :--- | - | Network Tor | Boolean | No | Enable TOR for network traffic. | + | Url | The destination URL(s) to analyze. Supports multiple URLs separated by + commas. Defaults to the entity identifier. | string | Yes | - | Network Geo | String | No | TOR geolocation option (e.g., US, AU). | + | Browser | The web browser to use for the analysis (Microsoft Edge, Google Chrome, + Mozilla Firefox, or Internet Explorer). | ddl | Yes | - | Network Mitm | Boolean | No | Enable HTTPS MITM Proxy for traffic inspection. - | + | Timeout In Seconds | The duration of the analysis task (range: 10-660 seconds). + Default is 120. | string | No | - | Network Residential Proxy | Boolean | No | Use a residential proxy for the analysis. - | - - | Network Residential Proxy Geo | String | No | Residential proxy geolocation - option. | + | Command line | Optional command-line arguments to be used during the analysis. + | string | No | + | System's language | The operating system's locale or language (e.g., 'en-US'). + | string | No | - ### Additional Notes + | User Tags | Custom tags to associate with the analysis task (max 8 tags, 16 + characters each). | string | No | - - The action can process multiple URLs simultaneously if they are provided as - a comma-separated list in the `Url` parameter. + | Analysis Privacy Type | Privacy level for the analysis (public, bylink, owner, + or byteam). | ddl | No | - - While the action is designed to work with URL entities via the `[Entity.Identifier]` - placeholder, it processes the input as a string and does not directly modify entity - attributes. + | Network Connect | Enables or disables network connectivity within the sandbox. + | boolean | No | + | Network Fakenet | Enables the FakeNet feature to simulate network services. + | boolean | No | - ### Flow Description + | Network Tor | Enables the use of the TOR network for analysis traffic. | boolean + | No | - 1. **Initialization**: Retrieves the API key and SSL verification settings from - the integration configuration. + | Network Geo | Specifies the TOR geolocation (e.g., 'US', 'AU'). | string | No + | - 2. **Input Parsing**: Extracts the target URL(s) from the action parameters. + | Network Mitm | Enables an HTTPS MITM proxy for traffic inspection. | boolean + | No | - 3. **Task Submission**: For each URL, it initiates a Windows-based analysis task - in the ANY.RUN sandbox using the specified browser, timeout, and network configurations. + | Network Residential Proxy | Enables the use of a residential proxy for the analysis. + | boolean | No | - 4. **Interactive Link**: Immediately adds a case comment containing a direct link - to the ANY.RUN interactive analysis session. + | Network Residential Proxy Geo | Specifies the residential proxy geolocation + (e.g., 'US', 'AU'). | string | No | - 5. **Monitoring**: Polls the ANY.RUN API to monitor the status of the analysis - task. - 6. **Report Retrieval**: Once the analysis is complete, it fetches the full HTML - report and attaches it to the Google SecOps Case Wall. + ### Additional Notes: - 7. **IOC Extraction**: Retrieves identified Indicators of Compromise (IOCs) and - posts a summary of suspicious or malicious findings as a case comment. + - This action creates a new task in the ANY.RUN platform for every execution, + which may consume API credits. - 8. **Final Verdict**: Fetches the final analysis verdict and status, adding them - as a concluding comment to the case. + - The HTML report is saved directly to the case wall for forensic review. capabilities: can_create_case_comments: true can_create_insight: false @@ -822,12 +843,11 @@ URL Windows Analysis: can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: >- - Submits a URL to the ANY.RUN sandbox to initiate a new interactive analysis - task, which creates a new job/record in the external ANY.RUN environment. + Creates a new URL analysis task/job in the ANY.RUN sandbox environment. fetches_data: true internal_data_mutation_explanation: >- - Adds multiple case comments containing analysis links, IOC summaries, and verdicts. - It also saves and attaches the HTML analysis report to the case wall. + Adds multiple comments to the case wall and uploads an HTML analysis report + as a case attachment. categories: enrichment: false entity_usage: @@ -845,3 +865,28 @@ URL Windows Analysis: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: true + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/partner/anyrun_sandbox/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/anyrun_sandbox/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..2e831240c --- /dev/null +++ b/content/response_integrations/third_party/partner/anyrun_sandbox/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + siem: false + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/anyrun_ti_feeds/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/anyrun_ti_feeds/resources/ai/actions_ai_description.yaml index 02fb019a4..10614c95c 100644 --- a/content/response_integrations/third_party/partner/anyrun_ti_feeds/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/anyrun_ti_feeds/resources/ai/actions_ai_description.yaml @@ -2,10 +2,24 @@ Ping: ai_description: >- ### General Description - The **Ping** action is a diagnostic tool designed to verify the connectivity between - Google SecOps and the ANY.RUN TI Feeds service. It ensures that the provided API - key is valid and that the network configuration (including optional proxy settings) - allows for successful communication with the ANY.RUN API. + Tests the connectivity and authentication with the ANY.RUN TI Feeds service. This + action validates the provided API key and, if configured, verifies the proxy settings + to ensure the integration can communicate with the external API. + + + ### Flow Description + + 1. **Parameter Extraction:** Retrieves the API key, SSL verification preference, + and proxy settings from the integration configuration. + + 2. **Proxy Verification (Optional):** If proxy usage is enabled, the action attempts + to establish a connection through the specified proxy host and port. + + 3. **Authorization Check:** Uses the ANY.RUN FeedsConnector to verify the validity + of the API key by calling the authorization endpoint. + + 4. **Status Reporting:** Logs the success or failure of the connection attempt + and terminates the action with the corresponding execution state. ### Parameters Description @@ -14,46 +28,27 @@ Ping: | :--- | :--- | :--- | :--- | - | ANYRUN TI Feeds API key | String | Yes | The API key used to authenticate requests - to the ANY.RUN TI Feeds service. | + | ANYRUN TI Feeds API key | String | Yes | The API key used to authenticate with + ANY.RUN TI Feeds. | | Verify SSL | Boolean | No | If enabled, the action will verify the SSL certificate - of the ANY.RUN API endpoint. | + of the API endpoint. | - | Enable proxy | Boolean | No | If enabled, the action will attempt to route the - connection through a proxy server. | + | Enable proxy | Boolean | No | If enabled, the action will use the configured + proxy settings. | | Proxy host | String | No | The hostname or IP address of the proxy server. Required if 'Enable proxy' is true. | - | Proxy port | String | No | The port number of the proxy server. Required if - 'Enable proxy' is true. | + | Proxy port | String | No | The port of the proxy server. Required if 'Enable + proxy' is true. | ### Additional Notes - - This action does not process any entities and is strictly used for configuration - validation. - - - If 'Enable proxy' is selected, both 'Proxy host' and 'Proxy port' must be correctly - configured in the integration settings. - - - ### Flow Description - - 1. **Parameter Extraction:** The action retrieves the API key, SSL verification - preference, and proxy settings from the integration configuration. - - 2. **Proxy Validation (Optional):** If proxying is enabled, the action first attempts - to establish a connection to the ANY.RUN service through the specified proxy host - and port. - - 3. **Authorization Check:** The action initializes a connection to the ANY.RUN - TI Feeds API and executes a `check_authorization` call to validate the API key. - - 4. **Result Reporting:** If the authorization is successful, the action completes - with a success message. If any step fails (e.g., network timeout, invalid key, - proxy error), it catches the exception and reports a failure status. + * This action does not process entities and is used solely for health checks and + configuration validation. Note that while parameters are extracted from the configuration, + they are essential for the action's execution. capabilities: can_create_case_comments: false can_create_insight: false @@ -81,3 +76,28 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/partner/anyrun_ti_feeds/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/anyrun_ti_feeds/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..2e831240c --- /dev/null +++ b/content/response_integrations/third_party/partner/anyrun_ti_feeds/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + siem: false + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/anyrun_ti_feeds/resources/ai/jobs_ai_description.yaml b/content/response_integrations/third_party/partner/anyrun_ti_feeds/resources/ai/jobs_ai_description.yaml new file mode 100644 index 000000000..be6a40c3d --- /dev/null +++ b/content/response_integrations/third_party/partner/anyrun_ti_feeds/resources/ai/jobs_ai_description.yaml @@ -0,0 +1,33 @@ +ANYRUN TI Feeds: + ai_description: "### General Description\nThis job synchronizes threat intelligence\ + \ feeds from ANY.RUN to Google SecOps DataTables. It automates the retrieval of\ + \ Indicators of Compromise (IOCs)\u2014specifically IPs, URLs, and Domains\u2014\ + and stores them in dedicated DataTables (`anyrun_feed_ip`, `anyrun_feed_url`,\ + \ `anyrun_feed_domain`). This ensures that security analysts have access to up-to-date\ + \ reputation data within the Google SecOps environment for detection and enrichment\ + \ purposes. The job performs a full refresh of the data by recreating the tables\ + \ during each execution to maintain data integrity.\n\n### Parameters Description\n\ + | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ + | Feed Fetch Depth | String | Yes | Specify the lookback period in days for fetching\ + \ indicators (e.g., 90). |\n| ANYRUN TI Feeds API key | String | Yes | The API\ + \ key used to authenticate with ANY.RUN TI services. |\n| Project ID | String\ + \ | Yes | The Google Cloud Project ID associated with the SecOps instance. |\n\ + | Project location | String | Yes | The regional location of the Google SecOps\ + \ instance. |\n| Instance ID | String | Yes | The specific Instance ID of the\ + \ Google SecOps environment. |\n| Google service account | String | Yes | The\ + \ JSON key of the Google Service Account used for SecOps API authentication. |\n\ + | Verify SSL | Boolean | No | If enabled, the job will verify SSL certificates\ + \ for outgoing requests. |\n| Enable proxy | Boolean | No | If enabled, the job\ + \ will use the configured proxy settings for communication. |\n\n### Flow Description\n\ + 1. **Initialization**: The job retrieves configuration settings for both ANY.RUN\ + \ and the Google SecOps API, including authentication credentials and the lookback\ + \ window.\n2. **Cleanup**: For each indicator type (IP, URL, Domain), the job\ + \ checks if a corresponding DataTable already exists in Google SecOps. If it exists,\ + \ the table is deleted to prepare for a fresh data load.\n3. **Schema Creation**:\ + \ New DataTables are created with a predefined schema containing columns for the\ + \ IOC value, confidence level, labels, creation date, and modification date.\n\ + 4. **Data Retrieval**: The job connects to the ANY.RUN TAXII/STIX endpoint and\ + \ fetches indicators modified within the specified `Feed Fetch Depth` period.\n\ + 5. **Data Transformation**: The raw ANY.RUN indicators are parsed and mapped to\ + \ the Google SecOps DataTable row format.\n6. **Bulk Loading**: The processed\ + \ indicators are uploaded in bulk to the newly created DataTables in Google SecOps." diff --git a/content/response_integrations/third_party/partner/anyrun_ti_lookup/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/anyrun_ti_lookup/resources/ai/actions_ai_description.yaml index 9b5471260..32b7333dd 100644 --- a/content/response_integrations/third_party/partner/anyrun_ti_lookup/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/anyrun_ti_lookup/resources/ai/actions_ai_description.yaml @@ -1,58 +1,67 @@ ANYRUN TI Lookup: ai_description: >- - ### General Description + Performs threat intelligence lookups on ANY.RUN for specific entities or raw queries. + This action retrieves threat levels and detailed intelligence reports, providing + analysts with context on potentially malicious indicators. It supports lookups + for IP addresses, domains, URLs, processes, and file hashes. The action attaches + a full JSON summary of the intelligence report to the case wall and adds comments + with direct lookup links and a summary of the findings. - Performs threat intelligence lookups using the ANY.RUN TI Lookup service. This - action allows users to query for specific entities (IPs, Domains, URLs, Processes, - Filehashes) or provide a raw ANY.RUN query string to retrieve detailed threat - analysis. The results include threat levels (Malicious, Suspicious, Unknown) and - full JSON reports. + ### Parameters - ### Parameters Description + | Parameter | Description | Type | Mandatory | Default Value | - | Parameter | Description | Type | Mandatory | - - | :--- | :--- | :--- | :--- | + | :--- | :--- | :--- | :--- | :--- | | Lookup Depth | Specify the number of days from the current date for which you - want to lookup. | String | Yes | + want to lookup. | string | Yes | 90 | | Query | Raw query with necessary filters. Supports condition concatenation with - AND, OR, NOT and Parentheses (). | String | No | + AND, OR, NOT and Parentheses (). | string | No | | - | Identifiers | The target case entity identifiers. | String | Yes | + | Identifiers | The target case entity identifiers. | string | Yes | [Entity.Identifier] + | - | Types | The target case entity types. | String | Yes | + | Types | The target case entity types. | string | Yes | [Entity.Type] | ### Additional Notes - The action requires either a raw query or a list of entity identifiers and types. - If the 'Query' parameter is provided, the action will prioritize it and perform - a lookup based on the query string. If 'Query' is empty, the action will iterate - through the provided entities and perform lookups for supported types (Address, - IPSet, DestinationURL, Domain, Process, and Filehash). + * If the **Query** parameter is provided, the action will perform a raw query + lookup and ignore the **Identifiers** and **Types** parameters. + + * Supported entity types include: ADDRESS, IPSET, DestinationURL, DOMAIN, PROCESS, + and FILEHASH. + + * The action requires an ANY.RUN TI Lookup API KEY to be configured in the integration + settings. ### Flow Description - 1. **Parameter Extraction**: Retrieve action parameters (Lookup Depth, Query, - Identifiers, Types) and integration settings (API Key, SSL verification). + 1. **Initialization:** Extract action parameters (Lookup Depth, Query, Identifiers, + Types) and integration configuration (API Key, Verify SSL, Proxy settings). + + 2. **Query Execution:** If a raw **Query** is provided, the action performs a + single lookup using that query. + + 3. **Entity Processing:** If no raw query is provided, the action iterates through + the provided **Identifiers** and **Types**. + + 4. **Type Validation:** For each entity, it checks if the type is supported (Address, + IPSet, DestinationURL, Domain, Process, FileHash). - 2. **Lookup Mode Selection**: Check if a raw query is provided. If so, proceed - with query lookup; otherwise, process the list of entities. + 5. **Intelligence Retrieval:** For each valid entity or query, it calls the ANY.RUN + API to fetch threat intelligence data based on the specified **Lookup Depth**. - 3. **API Interaction**: For the query or each supported entity, call the ANY.RUN - TI Lookup API to fetch intelligence data. + 6. **Internal Updates:** For each successful lookup, it adds a comment to the + case with a direct link to the ANY.RUN analysis and attaches the full JSON report + to the case wall. - 4. **Internal Data Updates**: For each successful lookup: - - Add a comment to the case with a direct link to the ANY.RUN portal. - - Save the complete JSON intelligence report as an attachment to the case - wall. - - Calculate a verdict based on the threat level score. - 5. **Summary Reporting**: Aggregate the results for all processed items into a - summary table and add it as a final comment to the case. + 7. **Final Summary:** Once all lookups are complete, it adds a final summary comment + to the case listing the type, value, and verdict (Malicious, Suspicious, Unknown, + or No info) for each item processed. capabilities: can_create_case_comments: true can_create_insight: false @@ -63,7 +72,8 @@ ANYRUN TI Lookup: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Adds lookup URLs and summary reports as comments and case wall attachments. + Adds comments to the case containing lookup URLs and a summary of results. It + also saves the full JSON intelligence report as an attachment to the case wall. categories: enrichment: false entity_usage: @@ -87,29 +97,83 @@ ANYRUN TI Lookup: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: true + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: ai_description: >- - ### General Description: Tests the connectivity between Google SecOps and the - ANY.RUN TI Lookup service to ensure the integration is correctly configured and - can successfully communicate with the ANY.RUN API. ### Parameters Description: - 1. ANYRUN TI Lookup API KEY (String, Mandatory): The API key required to authenticate - requests to the ANY.RUN TI Lookup service. 2. Verify SSL (Boolean, Optional): - If enabled, the action will verify the SSL certificate of the ANY.RUN API endpoint. - 3. Enable proxy (Boolean, Optional): If enabled, the action will attempt to connect - through the specified proxy server. 4. Proxy host (String, Optional): The hostname - or IP address of the proxy server. Required if 'Enable proxy' is true. 5. Proxy - port (String, Optional): The port number of the proxy server. Required if 'Enable - proxy' is true. ### Additional Notes: This action does not process any entities - or modify any data. If 'Enable proxy' is selected, both 'Proxy host' and 'Proxy - port' must be provided. ### Flow Description: 1. Configuration Extraction: The - action retrieves the API key, SSL verification preference, and proxy settings - from the integration configuration. 2. Proxy Validation (Optional): If proxying - is enabled, the action first tests the connection through the specified proxy - host and port. 3. Authorization Check: The action uses the LookupConnector to - perform an authorization check against the ANY.RUN API using the provided API - key. 4. Result Reporting: If the check is successful, a completion message is - returned. If any step fails (e.g., invalid API key, network timeout), the action - fails and logs the error details. + ### General Description + + Tests the connectivity between Google SecOps and the ANY.RUN TI Lookup service. + This action validates the provided API key and network configuration (including + proxy settings) to ensure that subsequent enrichment actions can communicate with + the ANY.RUN API successfully. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | ANYRUN TI Lookup API KEY | String | Yes | The API key used to authenticate with + the ANY.RUN TI Lookup service. | + + | Verify SSL | Boolean | No | If enabled, the action will verify the SSL certificate + of the ANY.RUN server. | + + | Enable proxy | Boolean | No | If enabled, the action will use the configured + proxy to connect to the service. | + + | Proxy host | String | No | The hostname or IP address of the proxy server. Required + if 'Enable proxy' is true. | + + | Proxy port | String | No | The port of the proxy server. Required if 'Enable + proxy' is true. | + + + ### Additional Notes + + This is a utility action used for troubleshooting and initial setup. It does not + process entities or modify any data within the SOAR or the external service. If + 'Enable proxy' is set to true, both 'Proxy host' and 'Proxy port' must be provided. + + + ### Flow Description + + 1. Extract configuration parameters including the API Key, SSL verification preference, + and proxy settings. + + 2. If proxying is enabled, validate the proxy connection using the provided host + and port. + + 3. Initialize the ANY.RUN connector and perform an authorization check against + the ANY.RUN TI Lookup API. + + 4. Return a success message if the connection is established and authorized, otherwise + return a failure message with the error details. capabilities: can_create_case_comments: false can_create_insight: false @@ -137,3 +201,28 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/partner/anyrun_ti_lookup/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/anyrun_ti_lookup/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..2e831240c --- /dev/null +++ b/content/response_integrations/third_party/partner/anyrun_ti_lookup/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + siem: false + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/censys/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/censys/resources/ai/actions_ai_description.yaml index 8c9c3fb52..a0b834c0e 100644 --- a/content/response_integrations/third_party/partner/censys/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/censys/resources/ai/actions_ai_description.yaml @@ -1,54 +1,48 @@ Enrich Certificates: ai_description: >- - ### General Description + Enriches FILEHASH entities with comprehensive SSL/TLS certificate intelligence + using the Censys Platform API. The action identifies certificates by their SHA-256 + fingerprint and retrieves detailed metadata including issuer information, subject + details, validity periods, and self-signed status. - This action retrieves comprehensive information about SSL/TLS certificates using - the Censys Platform API. It identifies certificates by their SHA-256 fingerprint - and provides detailed intelligence including issuer, subject, validity periods, - and Subject Alternative Names (SANs). + ### Flow Description: - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | + 1. **Entity Collection:** Identifies all FILEHASH entities within the current + scope. - | N/A | N/A | N/A | This action does not have any input parameters. It relies - on the global integration configuration (API Key, Organization ID, and Verify - SSL). | + 2. **Validation:** Validates that the entity identifiers are formatted as 64-character + hexadecimal strings (SHA-256 fingerprints). + 3. **API Interaction:** Performs a batch request to the Censys `/v3/global/asset/certificate` + endpoint to retrieve certificate data. - ### Additional Notes + 4. **Data Processing:** For each matching certificate found, it parses the API + response into a structured data model. - This action specifically targets FILEHASH entities. The identifiers must be valid - SHA-256 fingerprints (64 hex characters). If an entity identifier is not a valid - fingerprint, it will be skipped. + 5. **Internal Update:** Clears any existing Censys-specific enrichment data on + the entity, updates the entity's additional properties with the new certificate + metadata, and marks the entity as enriched. - ### Flow Description + ### Parameters Description: - 1. **Initialization**: The action initializes the Censys API manager using the - integration's global configuration. + | Parameter Name | Type | Mandatory | Description | - 2. **Entity Selection**: It identifies all `FILEHASH` entities within the current - scope. + | :--- | :--- | :--- | :--- | - 3. **Validation**: It validates that the entity identifiers are valid SHA-256 - fingerprints (exactly 64 hexadecimal characters). + | None | N/A | N/A | This action does not require any action-specific parameters; + it relies on the integration's global configuration (API Key, Organization ID). + | - 4. **API Request**: It performs a batch POST request to the Censys `/v3/global/asset/certificate` - endpoint. - 5. **Data Processing**: For each matching certificate found, it extracts metadata - such as Subject DN, Issuer DN, Common Name, and Validity dates. + ### Additional Notes: - 6. **Internal Update**: It clears any existing Censys enrichment data on the entity, - updates the entity's additional properties with the new data, and marks the entity - as enriched. + * This action specifically targets FILEHASH entities. If an entity identifier + is not a valid SHA-256 hash, it will be skipped and reported as invalid. - 7. **Completion**: The action returns a summary message and the full raw JSON - results for the case wall. + * The action performs internal state changes by updating entity attributes and + clearing previous enrichment keys to ensure data freshness. capabilities: can_create_case_comments: false can_create_insight: false @@ -59,8 +53,9 @@ Enrich Certificates: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with certificate metadata (e.g., issuer, - subject, validity) and sets the 'is_enriched' attribute to true. + Updates entity additional properties with certificate metadata (issuer, subject, + validity) and sets the 'is_enriched' flag to true. It also clears previous Censys + enrichment data for the entity to prevent stale data. categories: enrichment: true entity_usage: @@ -79,63 +74,82 @@ Enrich Certificates: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Enrich IPs: ai_description: >- - ### General Description - - Enriches IP Address entities using the Censys Platform API. This action retrieves - comprehensive intelligence about internet-facing infrastructure, including active - services, open ports, protocols, SSL/TLS certificates, known vulnerabilities, - and geographic location data. It is designed to help security teams understand - the attack surface exposure of specific IP addresses. + Enriches IP Address entities using the Censys Platform API to provide comprehensive + intelligence about internet-facing infrastructure. This action retrieves detailed + data including active services, open ports, protocols, SSL/TLS certificates, known + vulnerabilities, and geographic location data. It supports historical lookups + via a timestamp parameter, allowing analysts to view the state of a host at a + specific point in time. ### Parameters Description + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | At Time | String | No | An RFC3339 formatted timestamp (e.g., `2024-01-15T00:00:00Z`) - used to retrieve historical host data from a specific point in time. If omitted, - the most recent data is returned. | + | At Time | String | No | An RFC3339 formatted timestamp (e.g., '2024-01-15T00:00:00Z') + used to retrieve historical host data from a specific point in time. | ### Additional Notes - - This action specifically targets `ADDRESS` entities. Other entity types in the - scope will be ignored. + - This action specifically targets entities of type `ADDRESS` (IP addresses). - - The action performs a batch request to Censys for all valid IP addresses found - in the scope to optimize API usage. + - If the `At Time` parameter is provided, it must follow the RFC3339 format; otherwise, + the action will fail validation. - - Existing Censys-specific enrichment data on the entity is cleared before new - data is applied to ensure accuracy. + - The action automatically clears previous Censys IP enrichment data on the entity + before applying new results to ensure data freshness. ### Flow Description - 1. **Initialization**: The action initializes the Censys API manager using the - integration's API Key and Organization ID. + 1. **Parameter Extraction:** The action retrieves the optional `At Time` parameter + and validates its format if provided. - 2. **Entity Filtering**: It identifies all `ADDRESS` entities within the current - SOAR scope. + 2. **Entity Filtering:** It identifies all `ADDRESS` entities within the current + scope and validates that they are correctly formatted IP addresses. - 3. **Validation**: It validates the format of the IP addresses and the optional - `At Time` timestamp parameter. + 3. **API Interaction:** A batch request is sent to the Censys `/v3/global/asset/host` + endpoint to fetch intelligence for all valid IP addresses. - 4. **API Request**: A POST request is sent to the Censys `/v3/global/asset/host` - endpoint with the list of valid IP addresses. + 4. **Data Mapping:** For each successful response, the action parses the host + data (ASN, location, services, vulnerabilities) using a structured data model. - 5. **Data Processing**: For each IP found in the Censys database, the action parses - the response into a structured data model, extracting fields such as ASN, location, - service counts, and threat labels. + 5. **Internal Update:** The action clears old enrichment keys, updates the entity's + additional properties with the new intelligence, and marks the entity as enriched. - 6. **Internal Mutation**: It updates the entity's `additional_properties` with - the retrieved intelligence and sets the `is_enriched` flag to `true`. - - 7. **Completion**: The action returns a summary message indicating how many IPs - were successfully enriched, not found, or failed to process. + 6. **Completion:** The action updates the entities in the Google SecOps platform + and returns a summary message of the enrichment results. capabilities: can_create_case_comments: false can_create_insight: false @@ -146,8 +160,8 @@ Enrich IPs: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with Censys enrichment data and sets the - 'is_enriched' flag to true. + Updates entity additional properties with Censys host intelligence data and + sets the 'is_enriched' flag to true. categories: enrichment: true entity_usage: @@ -166,50 +180,92 @@ Enrich IPs: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Enrich Web Properties: ai_description: >- - Enriches IP Address and Domain entities using the Censys Platform API to retrieve - detailed web property intelligence. The action identifies assets by combining - hostnames or IP addresses with specific ports to provide context on web-facing - services, including HTTP/HTTPS configurations, SSL/TLS certificates, and detected - software technologies. + Enriches IP Address (ADDRESS) and Domain (DOMAIN) entities with comprehensive + web property intelligence using the Censys Platform API. This action retrieves + detailed information about web-facing assets, including HTTP/HTTPS service details, + SSL/TLS certificates, identified software/technologies, and associated security + threats or vulnerabilities. Enrichment data is added to the entity's additional + properties using port-specific prefixes (e.g., Censys_80_...) to allow for multiple + port enrichments on a single entity. - ### Parameters + ### Flow Description - | Parameter | Type | Mandatory | Default | Description | + 1. **Parameter Extraction:** Retrieves the 'Port' (comma-separated list) and the + optional 'At Time' (RFC3339 timestamp for historical data) from the action parameters. - | :--- | :--- | :--- | :--- | :--- | + 2. **Entity Identification:** Filters the target entities to identify valid ADDRESS + (IP) and DOMAIN (Hostname) objects. - | Port | String | Yes | 80, 443 | A comma-separated list of ports associated with - the domain or hostname (e.g., '80, 443, 8080'). | + 3. **Validation:** Validates the format of IP addresses, domain names, and port + numbers (1-65535). It also ensures the 'At Time' parameter follows the RFC3339 + standard if provided. - | At Time | String | No | N/A | An RFC3339 formatted timestamp (e.g., '2023-10-01T00:00:00Z') - used to retrieve historical data for the requested hosts at a specific point in - time. | + 4. **API Request Construction:** Combines each valid entity identifier with each + specified port to create unique web property IDs (e.g., 'example.com:443') and + sends a bulk enrichment request to the Censys API. + 5. **Data Parsing:** Processes the API response using a specialized data model + to extract software vendors, products, versions, certificate fingerprints, subject/issuer + details, and threat names. - ### Flow Description + 6. **Internal Update:** Clears existing Censys enrichment for the specific ports + being processed, updates the entity's additional properties with the new data, + and marks the entity as enriched. - 1. **Parameter Extraction:** Retrieves the list of ports and the optional historical - timestamp from the action configuration. + 7. **Result Reporting:** Updates the entities in the SOAR platform and provides + a detailed JSON result for each processed web property. - 2. **Entity Filtering:** Identifies valid `ADDRESS` (IP) and `DOMAIN` entities - within the current SOAR scope. - 3. **Identifier Construction:** For every valid entity, it generates a unique - web property identifier for each specified port (e.g., `1.1.1.1:80`, `example.com:443`). + ### Parameters Description - 4. **External API Query:** Performs a bulk lookup via the Censys API to fetch - enrichment data for all constructed web property identifiers. + | Parameter | Type | Mandatory | Default | Description | + + | :--- | :--- | :--- | :--- | :--- | - 5. **Internal Data Update:** For each successful match, it clears existing Censys - enrichment data for that specific port, updates the entity's additional properties - with new metadata (software, certificates, scan times), and marks the entity as - enriched. + | Port | String | True | 80, 443 | A comma-separated list of ports associated + with the domain or hostname to be queried (e.g., "80, 443, 8080"). | - 6. **Result Reporting:** Updates the entities in the SOAR platform and returns - a JSON result containing the full raw data for each enriched property. + | At Time | String | False | None | An RFC3339 formatted timestamp (e.g., "2024-01-15T00:00:00Z") + used to retrieve historical data for the web property at a specific point in time. + | + + + ### Additional Notes + + * The action uses port-prefixed keys in the entity's additional properties (e.g., + `Censys_443_web_cert_issuer`) to prevent data collisions when multiple ports are + enriched for the same host. + + * If an entity is invalid or no data is found for a specific host/port combination, + the action will log the skip and continue processing other entities. capabilities: can_create_case_comments: false can_create_insight: false @@ -220,10 +276,8 @@ Enrich Web Properties: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with web property details such as service - information, software versions, and certificate fingerprints. It also sets the - 'is_enriched' flag to true and clears previous enrichment values for the specific - ports being processed to ensure data freshness. + Updates entity additional properties with port-prefixed enrichment data (e.g., + software, certificates, threats) and sets the 'is_enriched' flag to true. categories: enrichment: true entity_usage: @@ -243,68 +297,79 @@ Enrich Web Properties: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Host History: ai_description: >- - ### General Description - - This action retrieves the event history for a specific host (IP address) from - the Censys platform. It allows security analysts to view historical scan data, - track infrastructure changes over time, and identify when specific services were - added, modified, or removed. The action is particularly useful for forensic investigations - and monitoring the evolution of an asset's exposure. - + Retrieves the event history for a specific host (IP address) from Censys. This + action allows analysts to view historical scan data, track infrastructure changes + over time, and identify when services were added, removed, or modified. It performs + time-based pagination to collect up to 1,000 records within the specified RFC3339 + time range. - ### Parameters Description - | Parameter | Type | Mandatory | Description | + ### Flow Description: - | :--- | :--- | :--- | :--- | + 1. **Validation**: Validates that the 'Host ID' is a valid IP address and that + 'Start Time' and 'End Time' are in the correct RFC3339 format. - | **Host ID** | string | Yes | The IP address of the host for which you want to - retrieve the history. | + 2. **API Request**: Initiates a GET request to the Censys Host Timeline API endpoint. - | **Start Time** | string | Yes | The beginning of the timeline range. Must be - a valid RFC3339 string (e.g., `2025-01-01T00:00:00Z`). This should be chronologically - earlier than the End Time. | + 3. **Pagination**: Automatically handles pagination to retrieve multiple pages + of history, respecting a maximum threshold of 1,000 records or 10 API calls. - | **End Time** | string | Yes | The end of the timeline range. Must be a valid - RFC3339 string (e.g., `2025-01-02T00:00:00Z`). This should be chronologically - later than the Start Time and earlier than the current time. | + 4. **Data Processing**: Parses the raw event data (e.g., service scans, DNS resolutions, + location updates) into a structured format. + 5. **Output**: Generates a data table for the SOAR interface and provides the + full raw results in JSON format. - ### Flow Description - 1. **Parameter Extraction and Validation**: The action extracts the Host ID, Start - Time, and End Time. It validates that the Host ID is a valid IP address and that - both timestamps conform to the RFC3339 standard. + ### Parameters Description: - 2. **API Initialization**: It initializes the Censys API Manager using the provided - integration credentials (API Key and Organization ID). + | Parameter Name | Type | Mandatory | Description | - 3. **Data Retrieval**: The action performs a series of paginated `GET` requests - to the Censys Host Timeline endpoint. It automatically handles time-based pagination - using the `scanned_to` cursor provided by the API. + | :--- | :--- | :--- | :--- | - 4. **Pagination Limits**: To ensure performance, the action retrieves a maximum - of 1,000 records or performs up to 10 pagination calls. It also monitors the total - payload size to prevent exceeding system limits. + | Host ID | String | Yes | The IP address of the host to query. | - 5. **Data Modeling**: Each retrieved event is processed through the `HostHistoryEventModel`, - which parses resource types (e.g., service scans, DNS resolutions, WHOIS updates) - and generates direct links to the Censys platform for historical viewing. + | Start Time | String | Yes | The beginning of the timeline range. Must be a valid + RFC3339 string (e.g., 2025-01-01T00:00:00Z). | - 6. **Result Output**: The full event history is attached as a JSON result. Additionally, - a data table named "Host History Events" is created to display the first 1,000 - events directly in the SOAR interface. + | End Time | String | Yes | The end of the timeline range. Must be a valid RFC3339 + string (e.g., 2025-01-02T00:00:00Z). | - ### Additional Notes + ### Additional Notes: - - If the API returns a partial data error during pagination, the action will still - return the events collected up to that point along with a warning message. + - The action enforces a chronological check where 'Start Time' must be earlier + than 'End Time'. - - The action implements a chronological-to-reverse-chronological mapping to align - user input with the Censys API's internal timeline logic. + - If the API returns more than 1,000 records, the action will truncate the results + and provide a link to the Censys platform for further exploration. capabilities: can_create_case_comments: false can_create_insight: false @@ -316,7 +381,7 @@ Get Host History: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: true + enrichment: false entity_usage: entity_types: [] filters_by_additional_properties: false @@ -332,26 +397,73 @@ Get Host History: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Rescan Status: - ai_description: "### General Description\nRetrieves the current status of a scan\ - \ in Censys using its unique Scan ID. This action is primarily used to monitor\ - \ the progress of scans initiated via the 'Initiate Rescan' action. It supports\ - \ asynchronous execution, allowing the playbook to poll until the scan reaches\ - \ a terminal state (Completed or Failed).\n\n### Parameters Description\n\n| Parameter\ - \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Scan ID\ - \ | String | Yes | The unique identifier of the tracked scan. |\n\n### Additional\ - \ Notes\nThis action does not run on entities. It is a utility for process monitoring\ - \ and is designed to be used in an asynchronous loop within a playbook to wait\ - \ for scan results to become available.\n\n### Flow Description\n1. **Parameter\ - \ Extraction**: Retrieves the `Scan ID` from the input parameters and validates\ - \ that it is not empty.\n2. **API Interaction**: Connects to the Censys API and\ - \ calls the GET endpoint for the specific scan ID.\n3. **Status Evaluation**:\ - \ Analyzes the API response to check for the presence and value of the `completed`\ - \ field.\n4. **Execution State Management**: \n - If the `completed` field\ - \ is missing, the action returns an `IN_PROGRESS` state.\n - If `completed`\ - \ is `True`, the action returns `COMPLETED`.\n - If `completed` is `False`,\ - \ the action returns `FAILED`.\n5. **Data Output**: Adds the full API response\ - \ as a JSON result for use in subsequent playbook steps." + ai_description: >- + Retrieves the current status of a scan by its ID from Censys. This action is primarily + used to monitor the progress of previously initiated rescans and determine when + results are available for further processing. It supports asynchronous execution, + allowing the SOAR platform to poll for completion. + + + ### Parameters Description + + + | Parameter Name | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Scan ID | String | Yes | The unique identifier of the tracked scan, typically + obtained from the output of an 'Initiate Rescan' action. | + + + ### Flow Description + + + 1. **Parameter Extraction:** The action extracts the `Scan ID` from the input + parameters and validates that it is a non-empty string. + + 2. **API Initialization:** Initializes the Censys API Manager using the integration's + API Key and Organization ID. + + 3. **Status Retrieval:** Makes a GET request to the Censys API (`/v3/global/scans/{scan_id}`) + to fetch the current state of the scan. + + 4. **Result Processing:** Adds the raw API response to the action results as + a JSON object. + + 5. **State Determination:** Analyzes the response to determine the execution + state: + * If the 'completed' field is missing, the action returns an `IN_PROGRESS` + state. + * If 'completed' is `True`, the action returns a `COMPLETED` state. + * If 'completed' is `False`, the action returns a `FAILED` state. + 6. **Finalization:** Ends the action with a descriptive output message and the + calculated execution status. capabilities: can_create_case_comments: false can_create_insight: false @@ -379,65 +491,85 @@ Get Rescan Status: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Initiate Rescan: ai_description: >- - ### General Description + Initiates a live rescan for a known host service or web origin in Censys. This + action allows analysts to trigger an immediate update of Censys's data for a specific + target (IP/Port or Hostname/Port) rather than waiting for the next scheduled crawl. + The action returns a unique Scan ID which can be used with the 'Get Rescan Status' + action to monitor the progress and results of the scan. - This action initiates a live rescan for a specific host service or web origin - on the Censys platform. It allows users to trigger an immediate update of Censys's - data for a particular IP/Port or Hostname/Port combination. The action returns - a `tracked_scan_id`, which can be used to monitor the progress and eventual results - of the scan. + ### Flow Description: - ### Parameters Description - - | Parameter | Type | Mandatory | Description | + 1. **Parameter Validation**: Validates that the 'Port' is a valid integer (1-65535) + and ensures that if the 'IOC Type' is 'Service', a 'Protocol' is provided and + the 'IOC Value' is a valid IP address. - | :--- | :--- | :--- | :--- | + 2. **API Request Construction**: Builds a JSON payload for the Censys API. For + 'Service' targets, it includes IP, port, protocol, and transport protocol. For + 'Web Origin' targets, it includes hostname and port. - | **IOC Type** | DDL | Yes | Specifies the type of target to rescan. Options are - 'Service' (for IP-based services) or 'Web Origin' (for hostname-based services). - | - - | **IOC Value** | String | Yes | The target identifier. This should be an IP address - if 'IOC Type' is 'Service', or a domain/hostname if 'IOC Type' is 'Web Origin'. - | + 3. **External Interaction**: Sends a POST request to the Censys `/v3/global/scans/rescan` + endpoint. - | **Port** | String | Yes | The port associated with the service (e.g., 443). - Valid range is 1 to 65535. Default is '443'. | + 4. **Result Processing**: Extracts the `tracked_scan_id`, task count, and creation + time from the response and provides them as action results. - | **Protocol** | String | No | The name of the service protocol (e.g., 'http', - 'ssh'). This is **mandatory** if 'IOC Type' is set to 'Service'. | - | **Transport Protocol** | DDL | No | The transport layer protocol (e.g., TCP, - UDP). Default is 'Unknown'. | + ### Parameters Description: + | Parameter | Type | Mandatory | Description | - ### Additional Notes + | :--- | :--- | :--- | :--- | - - If 'IOC Type' is 'Service', the 'IOC Value' must be a valid IP address and the - 'Protocol' parameter must be provided. + | IOC Type | DDL | Yes | Specifies the target type: 'Service' (for IP-based targets) + or 'Web Origin' (for hostname-based targets). | - - The scan may take several minutes to complete on the Censys side. + | IOC Value | String | Yes | The IP address (for Service) or domain name (for + Web Origin) to be rescanned. | + | Port | String | Yes | The port associated with the target. Must be between 1 + and 65535. Default is 443. | - ### Flow Description + | Protocol | String | No | The service protocol (e.g., http, ssh). This is **mandatory** + if 'IOC Type' is set to 'Service'. | - 1. **Parameter Extraction:** The action retrieves the target details (Type, Value, - Port, Protocol) from the user input. + | Transport Protocol | DDL | No | The transport layer protocol (TCP, UDP, etc.). + Used when 'IOC Type' is 'Service'. Defaults to 'Unknown'. | - 2. **Validation:** It validates that the port is a valid integer and, if the type - is 'Service', ensures the value is a valid IP and a protocol is specified. - 3. **API Request:** The action sends a POST request to the Censys `/v3/global/scans/rescan` - endpoint with the target configuration. + ### Additional Notes: - 4. **Response Processing:** It parses the API response to extract the `tracked_scan_id`, - creation time, and task count. + - This action does not run on SOAR entities automatically; it requires manual + input or mapping of entity identifiers to the 'IOC Value' parameter. - 5. **Completion:** The action outputs the scan ID and status message, providing - the raw JSON response for further automation steps. + - The rescan process may take several minutes to complete in the Censys platform. capabilities: can_create_case_comments: false can_create_insight: false @@ -446,8 +578,8 @@ Initiate Rescan: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Initiates a new live rescan task on the Censys platform for the specified target, - which creates a new scan job in the external system. + Initiates a new scanning job/task in the Censys platform, which creates a new + tracked scan record and consumes scanning resources. fetches_data: true internal_data_mutation_explanation: null categories: @@ -467,27 +599,53 @@ Initiate Rescan: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: - ai_description: "### General Description\nThe **Ping** action is a diagnostic utility\ - \ used to verify the connectivity between the Google SecOps SOAR platform and\ - \ the Censys API. It ensures that the integration is correctly configured with\ - \ valid credentials and that the SOAR server can communicate with the Censys platform\ - \ over the network.\n\n### Parameters Description\nThis action does not have any\ - \ input parameters. It relies entirely on the integration's global configuration\ - \ parameters:\n* **API Key**: The credential used for authentication.\n* **Organization\ - \ Id**: The specific Censys organization identifier.\n* **Verify SSL**: A boolean\ - \ flag determining whether to validate SSL certificates during the connection.\n\ - \n### Flow Description\n1. **Parameter Extraction**: The action retrieves the\ - \ `API Key`, `Organization Id`, and `Verify SSL` settings from the integration\ - \ configuration.\n2. **Manager Initialization**: It initializes the `APIManager`\ - \ with the retrieved credentials and settings.\n3. **Connectivity Test**: The\ - \ action calls the `test_connectivity` method, which executes a `GET` request\ - \ to the Censys organization endpoint (`/v3/accounts/organizations/{organization_id}`).\n\ - 4. **Status Evaluation**: \n * If the API call is successful, the action concludes\ - \ with a success message and a positive connectivity result.\n * If an exception\ - \ occurs (e.g., 401 Unauthorized, 404 Not Found, or network timeout), the error\ - \ is caught, logged, and the action returns a failure message with a negative\ - \ connectivity result." + ai_description: "### General Description\nThe **Ping** action is a diagnostic tool\ + \ used to verify the connectivity between the Google SecOps SOAR environment and\ + \ the Censys platform. Its primary purpose is to ensure that the integration's\ + \ configuration parameters\u2014specifically the API Key and Organization ID\u2014\ + are correct and that the SOAR server can successfully communicate with the Censys\ + \ API endpoints.\n\n### Parameters Description\nThis action does not require any\ + \ input parameters. It relies entirely on the global integration configuration\ + \ (API Key, Organization ID, and Verify SSL).\n\n### Additional Notes\n- This\ + \ action is typically used during the initial setup of the Censys integration\ + \ or for troubleshooting communication issues.\n- It performs a simple GET request\ + \ to the Censys account/organization endpoint to validate credentials.\n\n###\ + \ Flow Description\n1. **Parameter Retrieval:** The action extracts the global\ + \ integration settings, including the API Key, Organization ID, and SSL verification\ + \ preference.\n2. **Manager Initialization:** It initializes the `APIManager`\ + \ with the retrieved credentials.\n3. **Connectivity Test:** The action calls\ + \ the `test_connectivity` method, which executes a GET request to the Censys API\ + \ (`/v3/accounts/organizations/{organization_id}`).\n4. **Result Handling:** \n\ + \ - If the request is successful, it returns a success message and sets the\ + \ connectivity result to `True`.\n - If an exception occurs (e.g., authentication\ + \ failure, network timeout), it captures the error, logs it, and returns a failure\ + \ message with the connectivity result set to `False`." capabilities: can_create_case_comments: false can_create_insight: false @@ -515,3 +673,28 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/partner/censys/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/censys/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..ac8e64b44 --- /dev/null +++ b/content/response_integrations/third_party/partner/censys/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + siem: false + threat_intelligence: true + vulnerability_management: true diff --git a/content/response_integrations/third_party/partner/clarotyxdome/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/clarotyxdome/resources/ai/actions_ai_description.yaml index 5c5fb5b5b..0669f080b 100644 --- a/content/response_integrations/third_party/partner/clarotyxdome/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/clarotyxdome/resources/ai/actions_ai_description.yaml @@ -1,32 +1,53 @@ AddVulnerabilities: - ai_description: "### General Description\nEnriches entities with vulnerability information\ - \ retrieved from Claroty xDome. This action maps Google SecOps entities (such\ - \ as IP addresses, MAC addresses, or specific xDome UIDs) to devices managed within\ - \ the xDome platform. Once a device is identified, the action fetches all associated\ - \ vulnerability relations, including CVE IDs, risk scores, and remediation recommendations,\ - \ and attaches this data to the entity within the case.\n\n### Parameters Description\n\ - | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ - | xdomeHost | string | Yes | The base URL for the Claroty xDome instance (e.g.,\ - \ `https://example.xdome.claroty.com`). |\n| xdomeApiToken | string | Yes | The\ - \ API token used for authenticating requests to the Claroty xDome API. |\n| Verify\ - \ SSL | boolean | No | If set to `true`, the action validates the SSL certificate\ - \ of the xDome host. Defaults to `true`. |\n\n### Additional Notes\n- The action\ - \ identifies devices by checking if the entity identifier matches an IP address\ - \ (IPv4/IPv6) or a MAC address pattern. \n- If the identifier is a string of 32-40\ - \ hexadecimal characters/hyphens, it is treated directly as an xDome Device UID.\n\ - - The action updates the `is_vulnerable` property of the entity based on whether\ - \ any vulnerabilities are found.\n\n### Flow Description\n1. **Configuration Extraction**:\ - \ Retrieves the xDome host, API token, and SSL verification settings.\n2. **Entity\ - \ Identification**: Iterates through all target entities in the case. For each\ - \ entity, it determines if the identifier is a UID, an IP, or a MAC address.\n\ - 3. **Device Lookup**: If the identifier is not a UID, the action queries the xDome\ - \ `/api/v1/devices/` endpoint to find the corresponding device UID.\n4. **Vulnerability\ - \ Retrieval**: Uses the device UID to query the `/api/v1/device_vulnerability_relations/`\ - \ endpoint to fetch detailed vulnerability data.\n5. **Internal Enrichment**:\ - \ Updates the entity's `additional_properties` with the vulnerability list, count,\ - \ and device UID. It also sets the `is_enriched` flag to `true`.\n6. **Entity\ - \ Update**: Commits the enriched data back to the Google SecOps case for all successfully\ - \ processed entities." + ai_description: >- + Enriches entities with vulnerability information retrieved from Claroty xDome. + The action identifies devices by their IP address, MAC address, or xDome Unique + Identifier (UID) and queries the xDome API to retrieve associated security vulnerabilities. + It fetches detailed data including CVE IDs, vulnerability names, risk scores, + and descriptions. The gathered information is then appended to the entity's additional + properties in Google SecOps, and the entity is marked as enriched. + + + ### Parameters Description + + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | xdomeHost | String | Yes | The base URL for the Claroty xDome instance (e.g., + `https://example.xdome.claroty.com`). | + + | xdomeApiToken | String | Yes | The API token used for authenticating requests + to the xDome API. | + + | Verify SSL | Boolean | No | If enabled, the action will validate SSL certificates + for the API connection. Defaults to true. | + + + ### Flow Description + + + 1. **Configuration Extraction:** The action retrieves the xDome host, API token, + and SSL verification settings from the integration configuration. + + 2. **Entity Identification:** It iterates through the target entities and determines + if the identifier is a UID, an IP address (v4/v6), or a MAC address using regular + expressions. + + 3. **Device Resolution:** For IP or MAC identifiers, the action queries the xDome + `/api/v1/devices/` endpoint to find the corresponding device UID. + + 4. **Vulnerability Retrieval:** Using the device UID, the action queries the `/api/v1/device_vulnerability_relations/` + endpoint to fetch all related vulnerability records. + + 5. **Data Enrichment:** The retrieved vulnerability details (count, list of CVEs, + risk scores) are mapped to the entity's `additional_properties` and the `is_enriched` + flag is set to true. + + 6. **Internal Update:** The action updates the entities within the Google SecOps + platform and returns a JSON result containing the enrichment data for each processed + entity. capabilities: can_create_case_comments: false can_create_insight: false @@ -37,8 +58,8 @@ AddVulnerabilities: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with vulnerability data and sets the is_enriched - flag to true. + Updates entity additional properties with vulnerability data and sets the enrichment + status flag. categories: enrichment: true entity_usage: @@ -83,7 +104,7 @@ AddVulnerabilities: filters_by_case_identifier: false filters_by_creation_time: false filters_by_entity_type: false - filters_by_identifier: false + filters_by_identifier: true filters_by_is_artifact: false filters_by_is_enriched: false filters_by_is_internal: false @@ -91,53 +112,71 @@ AddVulnerabilities: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false EnrichAlerts: ai_description: >- - ### General Description - - Enriches the current Google SecOps alert with detailed metadata from a specific - Claroty xDome alert. This action retrieves comprehensive alert information, including - classification, timing, and status, and maps it to the alert's properties. Crucially, - it extracts MITRE ATT&CK (Enterprise or ICS) tactics and techniques from Claroty - and populates the corresponding security result fields in Google SecOps to improve - threat context. + Enriches a Google SecOps alert with detailed metadata from a Claroty xDome alert. + This action uses a specific Claroty Alert ID to fetch comprehensive information, + including alert classification, timing, and MITRE ATT&CK mapping. The retrieved + data is then mapped to the current alert's additional properties and security + result fields to provide analysts with better context. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | clarotyAlertId | string | Yes | The unique identifier of the alert in Claroty - xDome that you wish to retrieve data for. | + | clarotyAlertId | String | Yes | The unique alert ID from Claroty xDome used + to fetch details. | ### Flow Description - 1. **Configuration Retrieval:** The action fetches the Claroty xDome host and - API token from the integration settings. + 1. **Configuration Retrieval:** Extracts the Claroty xDome host and API token + from the integration settings. - 2. **Data Retrieval:** It sends a POST request to the Claroty xDome API to query - for the specific alert ID provided in the parameters. + 2. **Parameter Extraction:** Retrieves the mandatory `clarotyAlertId` provided + by the user. - 3. **Property Mapping:** If the alert is found, the action iterates through predefined - Claroty fields (e.g., alert_class, category, status) and adds them to the Google - SecOps alert's `additional_properties` with a 'Claroty_' prefix. + 3. **External API Query:** Sends a POST request to the Claroty xDome `/api/v1/alerts/` + endpoint, filtering by the specific alert ID. - 4. **MITRE Enrichment:** The action extracts MITRE Enterprise or ICS technique/tactic - names and IDs from the Claroty data and updates the `security_result` object of - the current alert. + 4. **Data Mapping:** If an alert is found, the script iterates through predefined + Claroty fields (e.g., `alert_type_name`, `category`, `description`) and adds them + to the Google SecOps alert's `additional_properties` with a `Claroty_` prefix. - 5. **Completion:** The action returns the raw JSON result of the alert and updates - the action status based on whether the enrichment was successful. - - - ### Additional Notes + 5. **MITRE Enrichment:** Extracts MITRE ATT&CK Enterprise or ICS tactics and techniques + from the Claroty data and updates the alert's `security_result` fields (tactic, + tactic_id, technique, technique_id). - This action specifically targets the alert object itself rather than individual - entities within the alert. It requires the integration to be configured with valid - `xdomeHost` and `xdomeApiToken` values. + 6. **Result Reporting:** Returns the raw JSON of the fetched alert and updates + the action status. capabilities: can_create_case_comments: false can_create_insight: false @@ -148,9 +187,8 @@ EnrichAlerts: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates the current alert's additional properties with Claroty alert metadata - and modifies the security result fields (tactic, tactic_id, technique, technique_id) - with MITRE information. + The action modifies the current alert's 'additional_properties' by adding Claroty + metadata and updates the 'security_result' field with MITRE ATT&CK information. categories: enrichment: false entity_usage: @@ -168,51 +206,80 @@ EnrichAlerts: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: true + update_email: false + update_identity: false + update_ticket: false EnrichXDomeAssetInformation: ai_description: >- - ### General Description + Enriches IP Address and MAC Address entities with asset information from Claroty + xDome. This action retrieves detailed device metadata, including device category, + type, manufacturer, and risk scores. It also fetches associated vulnerability + data to provide a comprehensive security posture for the identified asset. - Enriches IP Address and MAC Address entities with detailed asset information and - vulnerability data retrieved from Claroty xDome. This action helps security analysts - understand the context of an asset, including its manufacturer, device type, risk - score, and known vulnerabilities, directly within the Google SecOps platform. + ### Flow Description - ### Parameters Description + 1. **Entity Validation**: The action iterates through target entities, filtering + for IP Addresses and MAC Addresses. It uses regex to ensure the identifiers are + valid formats. - | Parameter | Description | Type | Mandatory | + 2. **Device Lookup**: For each valid entity, it queries the Claroty xDome `/api/v1/devices/` + endpoint to find matching active (non-retired) devices. - | :--- | :--- | :--- | :--- | + 3. **Vulnerability Retrieval**: If a device is found, the action performs a secondary + query to `/api/v1/device_vulnerability_relations/` using the device's unique identifier + (UID) to fetch known vulnerabilities. - | xdomeHost | The base URL for the Claroty xDome instance (e.g., `https://example.xdome.claroty.com`). - | String | Yes | + 4. **Data Processing**: It summarizes the top 5 vulnerabilities and compiles asset + metadata (e.g., site name, risk score, firmware version) into a compact format. - | xdomeApiToken | The API token used for authenticating requests to the Claroty - xDome API. | String | Yes | + 5. **Enrichment**: The action updates the entity's additional properties in Google + SecOps and marks the entity as enriched. - ### Flow Description + ### Parameters Description - 1. **Entity Validation**: The action iterates through the target entities and - filters for those of type `ADDRESS` (IP) or `MacAddress`. + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | - 2. **Identifier Parsing**: It uses regular expressions to verify if the entity - identifier is a valid IPv4, IPv6, or MAC address. + | xdomeHost | String | True | The base URL for the Claroty xDome instance (e.g., + https://example.xdome.claroty.com). | + + | xdomeApiToken | String | True | The API token used for authenticating requests + to the Claroty xDome API. | - 3. **Device Lookup**: For each valid entity, it performs a POST request to the - Claroty xDome `/api/v1/devices/` endpoint to find matching active (non-retired) - devices. - 4. **Vulnerability Retrieval**: If a device is found, the action uses the device's - unique ID (`uid`) to query the `/api/v1/device_vulnerability_relations/` endpoint - for associated vulnerabilities. + ### Additional Notes - 5. **Data Enrichment**: The action compiles asset details (e.g., `device_category`, - `risk_score`, `manufacturer`) and a summary of the top 5 vulnerabilities. + - The action supports both IPv4 and IPv6 addresses. - 6. **Internal Update**: The compiled data is added to the entity's `additional_properties` - (prefixed with `Claroty_`), the entity is marked as enriched, and the changes - are saved back to Google SecOps. + - MAC addresses are normalized to uppercase before querying the external system. + + - Only the first matching device found in xDome is used for enrichment if multiple + matches exist. capabilities: can_create_case_comments: false can_create_insight: false @@ -236,7 +303,7 @@ EnrichXDomeAssetInformation: filters_by_case_identifier: false filters_by_creation_time: false filters_by_entity_type: true - filters_by_identifier: false + filters_by_identifier: true filters_by_is_artifact: false filters_by_is_enriched: false filters_by_is_internal: false @@ -244,52 +311,75 @@ EnrichXDomeAssetInformation: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: ai_description: >- ### General Description - Tests the connectivity between Google SecOps and the Claroty xDome instance using - the provided configuration parameters. This action ensures that the API host is - reachable and the provided API token is valid by performing a minimal API call. + The **Ping** action is a utility designed to verify the connectivity between Google + SecOps and the Claroty xDome platform. It ensures that the provided API host and + token are valid and that the network path is open. ### Parameters Description - | Parameter | Type | Mandatory | Description | + | Parameter Name | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | xdomeHost | String | Yes | The base URL of the Claroty xDome instance (e.g., - https://example.xdome.claroty.com). | + | **xdomeHost** | String | Yes | The base URL or Host address of the Claroty xDome + instance. | - | xdomeApiToken | String | Yes | The API token used for authentication with Claroty - xDome. | + | **xdomeApiToken** | String | Yes | The API token used for authentication with + the Claroty xDome API. | - | Verify SSL | Boolean | No | If enabled, the action will verify the SSL certificate - of the Claroty xDome host. Defaults to False if not specified. | + | **Verify SSL** | Boolean | No | If enabled, the action will verify the SSL certificate + of the host. Defaults to false if not specified. | ### Flow Description 1. **Parameter Extraction**: The action retrieves the host URL, API token, and - SSL verification preference from the integration configuration using the `extract_configuration_param` - utility. + SSL verification settings from the integration configuration. - 2. **Connectivity Test**: It constructs a POST request to the `/api/v1/alerts/` - endpoint of the Claroty xDome API. The request includes a minimal payload (`offset: - 0`, `limit: 1`) to verify that the credentials have permission to query data without - retrieving a large dataset. + 2. **Connectivity Test**: It performs a POST request to the `/api/v1/alerts/` + endpoint. The request includes a minimal payload (limit of 1) to test if the API + responds correctly to the provided credentials. - 3. **Response Handling**: The action checks the HTTP response status. If the request - is successful, it returns a success message and sets the execution state to completed. - If an exception occurs (e.g., network error, invalid credentials), it logs the - error and returns a failure status. + 3. **Validation**: If the API returns a successful status code, the action completes + with a success message. If an exception occurs (e.g., connection error, authentication + failure), it logs the error and reports a failure. ### Additional Notes - - This action does not process any entities and is intended solely for configuration - validation and health checks of the integration. + This action does not process any entities and is strictly used for configuration + validation. There are no input parameters required at the action level; it relies + on the integration's configuration parameters. capabilities: can_create_case_comments: false can_create_insight: false @@ -298,7 +388,7 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: false + fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false @@ -317,3 +407,28 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/partner/clarotyxdome/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/clarotyxdome/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..3276144a2 --- /dev/null +++ b/content/response_integrations/third_party/partner/clarotyxdome/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: true + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + siem: false + threat_intelligence: false + vulnerability_management: true diff --git a/content/response_integrations/third_party/partner/cyjax_threat_intelligence/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/cyjax_threat_intelligence/resources/ai/actions_ai_description.yaml new file mode 100644 index 000000000..76bcfccd8 --- /dev/null +++ b/content/response_integrations/third_party/partner/cyjax_threat_intelligence/resources/ai/actions_ai_description.yaml @@ -0,0 +1,407 @@ +Domain monitor: + ai_description: >- + ### General Description + + The **Domain Monitor** action retrieves information from the Cyjax Domain Monitor + feature. This feature is designed to track specific brands against newly registered + global domains and Certificate Transparency Logs (CTL) to identify potential brand + impersonation or malicious domain registrations. The action allows users to search + for specific domain strings and filter results by a time range. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | **Query** | String | No | A query string used to search for a specific domain + or a partial domain match. | + + | **Since** | String | No | The start date and time for the search in ISO8601 + format (e.g., `2026-02-09T15:01:39Z`). | + + | **Until** | String | No | The end date and time for the search in ISO8601 format + (e.g., `2026-02-09T15:01:39Z`). | + + + ### Additional Notes + + - The action performs automatic pagination and can retrieve up to a maximum of + 1000 records from the Cyjax API. + + - If the `Since` date is configured to be later than the `Until` date, the action + will fail with a validation error. + + - Results are presented both as a data table for quick review and as a raw JSON + object for downstream playbook processing. + + + ### Flow Description + + 1. **Parameter Extraction:** The action retrieves the API token and SSL verification + settings from the integration configuration, followed by the `Query`, `Since`, + and `Until` action parameters. + + 2. **Validation:** It validates that the provided dates are in the correct ISO8601 + format and ensures the start date is not after the end date. + + 3. **API Interaction:** The action initializes the Cyjax API client and calls + the Domain Monitor endpoint. It handles pagination automatically to fetch all + available results up to the 1000-record limit. + + 4. **Data Processing:** Retrieved records are parsed into a structured data model. + If results are found, they are formatted into a CSV-style list for the data table. + + 5. **Output Generation:** The action populates a data table named "Domain Monitor + Results" in the Google SecOps case wall and attaches the full result set as a + JSON object. It then concludes with a status message indicating the number of + records found. + capabilities: + can_create_case_comments: false + can_create_insight: false + can_modify_alert_data: false + can_mutate_external_data: false + can_mutate_internal_data: true + can_update_entities: false + external_data_mutation_explanation: null + fetches_data: true + internal_data_mutation_explanation: >- + The action creates a data table named "Domain Monitor Results" within the Google + SecOps case to display the retrieved domain monitoring records. + categories: + enrichment: false + entity_usage: + entity_types: [] + filters_by_additional_properties: false + filters_by_alert_identifier: false + filters_by_case_identifier: false + filters_by_creation_time: false + filters_by_entity_type: false + filters_by_identifier: false + filters_by_is_artifact: false + filters_by_is_enriched: false + filters_by_is_internal: false + filters_by_is_pivot: false + filters_by_is_suspicious: false + filters_by_is_vulnerable: false + filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false +Enrich IOCs: + ai_description: >- + Enriches Indicators of Compromise (IOCs) using Cyjax threat intelligence. This + action retrieves detailed contextual information for various indicator types, + including sightings from monitored sources, GeoIP data, and ASN details. It automatically + processes entities within the case, updates their properties with the retrieved + intelligence, and provides a summary table for quick analysis. + + + ### Parameters + + | Parameter Name | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | None | N/A | N/A | This action does not require manual parameters; it automatically + processes all supported entities attached to the case. | + + + ### Additional Notes + + - Supported IOC types include: Domain, Email, Hostname, FileHash (MD5, SHA1, SHA256), + IPv4, IPv6, URL, and CVE. + + - The action clears any existing Cyjax-prefixed enrichment data on the entity + before applying new results to ensure data freshness. + + + ### Flow Description + + 1. **Entity Retrieval**: The action identifies all target entities associated + with the current case. + + 2. **API Interaction**: For each entity, the action queries the Cyjax API's enrichment + endpoint using the entity's identifier. + + 3. **Data Cleaning**: Existing enrichment properties (prefixed with 'Cyjax_') + on the entity are reset to ensure no stale data remains. + + 4. **Enrichment**: The action parses the API response to extract GeoIP (city, + country), ASN (organization, number), and sighting information. + + 5. **Internal Update**: Entity attributes are updated with the new intelligence, + and the entity is marked as 'enriched'. + + 6. **Reporting**: A data table named 'Enriched IOCs' is added to the case, and + a JSON result containing the raw data is attached. + capabilities: + can_create_case_comments: false + can_create_insight: false + can_modify_alert_data: false + can_mutate_external_data: false + can_mutate_internal_data: true + can_update_entities: true + external_data_mutation_explanation: null + fetches_data: true + internal_data_mutation_explanation: >- + Updates entity additional properties with Cyjax threat intelligence data and + adds a data table to the case. + categories: + enrichment: true + entity_usage: + entity_types: + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME + filters_by_additional_properties: false + filters_by_alert_identifier: false + filters_by_case_identifier: false + filters_by_creation_time: false + filters_by_entity_type: false + filters_by_identifier: false + filters_by_is_artifact: false + filters_by_is_enriched: false + filters_by_is_internal: false + filters_by_is_pivot: false + filters_by_is_suspicious: false + filters_by_is_vulnerable: false + filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false +List Data Breaches: + ai_description: "### General Description\nThe **List Data Breaches** action retrieves\ + \ a list of email addresses and associated metadata that have been identified\ + \ in data breaches, using the Cyjax Threat Intelligence platform. It allows analysts\ + \ to search for specific email addresses or patterns and filter results by a specific\ + \ time range. The action provides visibility into leaked credentials, including\ + \ the source of the breach, the specific data classes exposed (e.g., passwords,\ + \ usernames), and the discovery date.\n\n### Parameters Description\n\n| Parameter\ + \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| **Query**\ + \ | string | No | A query string to search for a specific email address or a partial\ + \ string. If omitted, the action retrieves general breach data based on time filters.\ + \ |\n| **Since** | string | No | The start date and time for the search in ISO8601\ + \ format (e.g., `2026-02-09T15:01:39Z`). |\n| **Until** | string | No | The end\ + \ date and time for the search in ISO8601 format (e.g., `2026-02-09T15:01:39Z`).\ + \ |\n\n### Additional Notes\n- The action implements automatic pagination and\ + \ will retrieve up to a maximum of 1,000 records from the Cyjax API.\n- If the\ + \ `Since` date is configured to be later than the `Until` date, the action will\ + \ fail with a validation error.\n- Results are presented both as a formatted data\ + \ table for quick review and as a raw JSON object for downstream playbook processing.\n\ + \n### Flow Description\n1. **Parameter Extraction:** The action retrieves the\ + \ `Query`, `Since`, and `Until` parameters provided by the user.\n2. **Validation:**\ + \ It validates that the provided dates are in the correct ISO8601 format and ensures\ + \ the start date is not after the end date.\n3. **API Interaction:** The action\ + \ initializes the Cyjax API client and performs a GET request to the data leak\ + \ credentials endpoint.\n4. **Pagination:** It automatically iterates through\ + \ result pages until all matching records are found or the 1,000-record limit\ + \ is reached.\n5. **Data Processing:** The raw API response is parsed into structured\ + \ data models.\n6. **Output Generation:** \n - A data table named \"Data Breach\ + \ Results\" is added to the case, containing columns for ID, Email, Source, Breach\ + \ Name, Data Classes, and Discovery Date.\n - The full result set is attached\ + \ as a JSON object to the action's output." + capabilities: + can_create_case_comments: false + can_create_insight: false + can_modify_alert_data: false + can_mutate_external_data: false + can_mutate_internal_data: true + can_update_entities: false + external_data_mutation_explanation: null + fetches_data: true + internal_data_mutation_explanation: >- + The action adds a data table named 'Data Breach Results' to the Google SecOps + case to display the retrieved breach information. + categories: + enrichment: false + entity_usage: + entity_types: [] + filters_by_additional_properties: false + filters_by_alert_identifier: false + filters_by_case_identifier: false + filters_by_creation_time: false + filters_by_entity_type: false + filters_by_identifier: false + filters_by_is_artifact: false + filters_by_is_enriched: false + filters_by_is_internal: false + filters_by_is_pivot: false + filters_by_is_suspicious: false + filters_by_is_vulnerable: false + filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false +Ping: + ai_description: "### General Description\nThe **Ping** action is a diagnostic utility\ + \ designed to verify the connectivity between the Google SecOps SOAR platform\ + \ and the Cyjax Threat Intelligence instance. It ensures that the provided API\ + \ Token is valid, the network path is open, and the integration has the necessary\ + \ permissions to interact with the Cyjax API.\n\n### Parameters Description\n\ + There are no input parameters for this action. It relies solely on the global\ + \ integration configuration (API Token and Verify SSL settings).\n\n### Flow Description\n\ + 1. **Initialization**: The action initializes the Siemplify environment and retrieves\ + \ the global integration parameters, specifically the API Token and SSL verification\ + \ preference.\n2. **Manager Setup**: It instantiates the `APIManager` using the\ + \ retrieved credentials.\n3. **Connectivity Test**: The action calls the `ping()`\ + \ method, which executes an authenticated `GET` request to the Cyjax `/indicator-of-compromise`\ + \ endpoint with a result limit of 1 to minimize data transfer.\n4. **Result Handling**:\ + \ \n * If the request is successful (HTTP 200), the action returns a success\ + \ message and sets the result value to `True`.\n * If an exception occurs (e.g.,\ + \ 401 Unauthorized, 403 Forbidden, or network timeout), the action captures the\ + \ error, logs the details, and returns a failure status with the result value\ + \ set to `False`.\n\n### Additional Notes\nThis action is intended for health\ + \ checks and troubleshooting during the initial setup or when connectivity issues\ + \ are suspected. It does not process any case entities or modify any data." + capabilities: + can_create_case_comments: false + can_create_insight: false + can_modify_alert_data: false + can_mutate_external_data: false + can_mutate_internal_data: false + can_update_entities: false + external_data_mutation_explanation: null + fetches_data: false + internal_data_mutation_explanation: null + categories: + enrichment: false + entity_usage: + entity_types: [] + filters_by_additional_properties: false + filters_by_alert_identifier: false + filters_by_case_identifier: false + filters_by_creation_time: false + filters_by_entity_type: false + filters_by_identifier: false + filters_by_is_artifact: false + filters_by_is_enriched: false + filters_by_is_internal: false + filters_by_is_pivot: false + filters_by_is_suspicious: false + filters_by_is_vulnerable: false + filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/partner/cyjax_threat_intelligence/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/cyjax_threat_intelligence/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..ac8e64b44 --- /dev/null +++ b/content/response_integrations/third_party/partner/cyjax_threat_intelligence/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + siem: false + threat_intelligence: true + vulnerability_management: true diff --git a/content/response_integrations/third_party/partner/cylusone/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/cylusone/resources/ai/actions_ai_description.yaml index 0f4115761..e6ad5f847 100644 --- a/content/response_integrations/third_party/partner/cylusone/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/cylusone/resources/ai/actions_ai_description.yaml @@ -3,52 +3,46 @@ EnrichAssetInformation: ### General Description Enriches IP Address entities with detailed asset information retrieved from the - CylusOne platform. This action is designed to provide security analysts with deeper - context regarding network assets by fetching metadata such as MAC addresses, associated - IP lists, and custom asset properties. The retrieved data is mapped directly to - the entity's additional properties within Google SecOps, facilitating better informed - incident response. + CylusOne platform. This action is designed to provide security analysts with contextual + metadata about network assets, such as MAC addresses, associated IPs, and custom + asset properties, directly within the Google SecOps case. ### Parameters Description - There are no action-specific parameters for this action. It relies on the global - integration configuration (Base URL, API Key, and Verify SSL). + There are no parameters for this action. - ### Flow Description + ### Additional Notes - 1. **Initialization**: The action initializes the CylusOne API manager using the - integration's global configuration parameters. + - The action specifically targets entities of type **ADDRESS** (IP addresses). - 2. **Entity Filtering**: It iterates through all target entities in the current - context, specifically filtering for those of type `ADDRESS` (IP Address). + - Enriched data is added to the entity's `additional_properties` with a `Cylus_` + prefix. - 3. **Validation**: Each IP address is validated against a standard IPv4 regex - pattern to ensure API compatibility. + - The action marks the entity as `is_enriched = True` upon successful data retrieval. - 4. **Data Retrieval**: For each valid IP, the action performs a GET request to - the CylusOne `/rest/v1/assets/by-ip` endpoint. - 5. **Data Transformation**: If an asset is found, the action flattens the response - data. Custom properties are prefixed with `Cylus_prop_`, and list-based fields - (like MACs) are converted into comma-separated strings. + ### Flow Description - 6. **Internal Update**: The processed enrichment data is added to the entity's - `additional_properties` dictionary, and the entity's `is_enriched` status is set - to `True`. + 1. **Initialization**: The action initializes the CylusOne API manager using the + integration's base URL and API key. - 7. **Finalization**: The action updates the entities in the Google SecOps platform - and returns a JSON object containing the enrichment results for all processed - identifiers. + 2. **Entity Filtering**: It iterates through the target entities in the current + context, filtering for those of type `ADDRESS` and validating that they follow + a proper IPv4 format. + 3. **Data Retrieval**: For each valid IP address, the action performs a GET request + to the CylusOne `/rest/v1/assets/by-ip` endpoint. - ### Additional Notes + 4. **Data Processing**: If an asset is found, the action flattens the JSON response, + formatting list fields (like MACs) and custom properties into a key-value structure. - - This action only supports IPv4 addresses. + 5. **Internal Update**: The processed metadata is appended to the entity's additional + properties, and the entity is updated within the Google SecOps platform. - - If an asset is not found in CylusOne for a specific IP, the action will report - a failure for that specific entity but continue processing others. + 6. **Finalization**: The action returns a summary message indicating which entities + were successfully enriched and which failed. capabilities: can_create_case_comments: false can_create_insight: false @@ -59,8 +53,8 @@ EnrichAssetInformation: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with asset metadata from CylusOne and sets - the 'is_enriched' flag to true for successful lookups. + Updates entity additional properties with asset information from Cylus and sets + the 'is_enriched' flag to true. categories: enrichment: true entity_usage: @@ -79,49 +73,53 @@ EnrichAssetInformation: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: - ai_description: >- - ### General Description - - Tests the connectivity between Google SecOps and the CylusOne platform. This action - verifies that the provided Base URL and API Key are correct and that the network - connection is functional. - - - ### Parameters Description - - There are no action-specific parameters for this action. It relies entirely on - the integration's global configuration parameters: - - * **Base URL**: The root URL of the CylusOne API. - - * **Cylus API Key**: The API key used for authentication. - - * **Verify SSL**: Boolean flag indicating whether to verify the SSL certificate - of the CylusOne server. - - - ### Flow Description - - 1. **Parameter Extraction**: Retrieves the integration's configuration parameters - (Base URL, API Key, and SSL verification setting) using utility functions. - - 2. **API Initialization**: Initializes the `ApiManager` with the retrieved credentials - and session headers. - - 3. **Connectivity Test**: Executes the `test_connectivity` method, which performs - a GET request to a sample asset endpoint (`/rest/v1/assets/by-ip`) using a placeholder - IP address to verify authentication and network reachability. - - 4. **Result Reporting**: Returns a success status if the API responds with a valid - status code (200 or 404). If the request fails (e.g., 401 Unauthorized, 403 Forbidden, - or connection timeout), it captures the error and reports a failure. - - - ### Additional Notes - - This is a standard health check action. Per system rules, actions named 'Ping' - are not categorized as enrichment actions. + ai_description: "### General Description\nThe **Ping** action is a diagnostic tool\ + \ designed to verify the connectivity between the Google SecOps platform and the\ + \ CylusOne instance. It ensures that the provided Base URL is reachable and that\ + \ the API Key is valid by performing a test API call. This action is typically\ + \ used during the initial setup or for troubleshooting communication issues.\n\ + \n### Parameters Description\nThere are no action-specific parameters for this\ + \ action. It relies entirely on the integration's global configuration parameters\ + \ (Base URL, API Key, and Verify SSL).\n\n### Flow Description\n1. **Parameter\ + \ Extraction:** The action retrieves the global integration settings, including\ + \ the Base URL, API Key, and SSL verification preference.\n2. **API Initialization:**\ + \ An API Manager instance is created using the retrieved credentials.\n3. **Connectivity\ + \ Test:** The action executes a `GET` request to a sample asset endpoint (`/rest/v1/assets/by-ip`)\ + \ using a dummy IP address.\n4. **Response Validation:** \n * If the API returns\ + \ a `200 OK` or `404 Not Found` (indicating the service is reachable even if the\ + \ dummy IP doesn't exist), the connection is considered successful.\n * If\ + \ the API returns `401` or `403`, it identifies authentication or permission errors.\n\ + \ * If a connection timeout or network error occurs, it captures the specific\ + \ failure reason.\n5. **Final Result:** The action reports a success or failure\ + \ status along with a descriptive message to the Siemplify interface.\n\n### Additional\ + \ Notes\nThis action does not process any entities and does not modify any data\ + \ within CylusOne or Google SecOps." capabilities: can_create_case_comments: false can_create_insight: false @@ -149,3 +147,28 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/partner/cylusone/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/cylusone/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..b88dc4ab4 --- /dev/null +++ b/content/response_integrations/third_party/partner/cylusone/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: true + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/cyware_intel_exchange/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/cyware_intel_exchange/resources/ai/actions_ai_description.yaml index 9b11dd3c5..a3b88dbe6 100644 --- a/content/response_integrations/third_party/partner/cyware_intel_exchange/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/cyware_intel_exchange/resources/ai/actions_ai_description.yaml @@ -2,53 +2,57 @@ Add IOCs to Allowed list: ai_description: >- ### General Description - The **Add IOCs to Allowed list** action allows users to whitelist specific indicators - within the Cyware Intel Exchange (CTIX) platform. This is typically used to prevent - known-safe indicators from triggering alerts or being flagged as malicious in - future intelligence cycles. + Marks indicators (IOCs) as allowed (whitelisted) in Cyware Intel Exchange (CTIX). + This action is used to prevent specific indicators from being flagged as threats + or to manage false positives by adding them to the global allowed list within + the Cyware platform. It processes all entities present in the current case and + submits them in bulk to the external system. ### Parameters Description - | Parameter | Type | Mandatory | Description | + | Parameter Name | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **IOC Type** | DDL | Yes | Specifies the type of the indicators being added + | **IOC Type** | DDL | Yes | Specifies the STIX-compatible type of the indicator (e.g., `ipv4-addr`, `domain-name`, `file`). This must match the type of the entities being processed. | | **Reason** | String | Yes | Provides a justification or context for why these - indicators are being added to the allowed list. | + indicators are being added to the allowed list. Default is 'Allow IOCs from Google + Secops'. | - ### Flow Description + ### Additional Notes - 1. **Parameter Extraction**: The action retrieves the `IOC Type` and `Reason` - from the user input. + - This action performs a state change in the external Cyware CTIX system. - 2. **Entity Collection**: It identifies all entities currently associated with - the case context. + - If no entities are found in the case, the action will complete successfully + without making an API call. - 3. **API Interaction**: The action sends a bulk `POST` request to the Cyware `allowed_indicators` - endpoint, containing the list of entity identifiers, the specified type, and the - reason. + - The action returns a summary of the operation, including the count of newly + created entries, entries that already existed, and any invalid entries. - 4. **Result Processing**: It parses the response from Cyware, which details how - many indicators were newly created, how many already existed in the list, and - if any were considered invalid. - 5. **Output**: The action provides a summary message of the operation's success - and attaches the full JSON response for further review. + ### Flow Description + 1. **Parameter Extraction:** The action retrieves the `IOC Type` and `Reason` + from the user input and the integration configuration (Base URL, Access ID, Secret + Key). - ### Additional Notes + 2. **Entity Collection:** It gathers the identifiers of all entities currently + associated with the SecOps case. - - This action performs a mutation on the external Cyware system by modifying its - whitelist configuration. + 3. **API Interaction:** The action sends a POST request to the Cyware `allowed_indicators` + endpoint with the list of entity identifiers, the specified IOC type, and the + provided reason. - - If no entities are found in the context, the action will complete successfully - with a message stating no entities were processed. + 4. **Response Processing:** It parses the API response to determine the status + of each indicator (New, Already Exists, or Invalid). + + 5. **Result Reporting:** The action outputs a summary message to the case wall + and attaches the full JSON response as a script result. capabilities: can_create_case_comments: false can_create_insight: false @@ -57,9 +61,10 @@ Add IOCs to Allowed list: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Adds the provided indicator values to the Cyware Intel Exchange allowed list - (whitelist) with a specified reason. - fetches_data: false + Adds the provided entity identifiers to the allowed list (whitelist) configuration + in the Cyware Intel Exchange platform, which changes how those indicators are + treated in future threat intelligence lookups. + fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false @@ -113,15 +118,39 @@ Add IOCs to Allowed list: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: true + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Add Note to IOCs: ai_description: >- ### General Description - The **Add Note to IOCs** action allows users to attach descriptive notes or structured - JSON data to existing threat intelligence objects (IOCs) within the Cyware Intel - Exchange platform. This action is primarily used to document analyst findings, - add context from external tools, or update the status of an indicator within the - threat intelligence lifecycle. + Adds a note to an existing threat data object (indicator) in Cyware Intel Exchange. + This action allows analysts to append context, findings, or metadata to specific + IOCs directly from Google SecOps. It supports both plain text and JSON-formatted + notes. ### Parameters Description @@ -130,46 +159,44 @@ Add Note to IOCs: | :--- | :--- | :--- | :--- | - | **Note Type** | String | Yes | Specifies the category or type of the note being - added (e.g., `threatdata`). | - - | **Note** | String | Yes | The actual content of the note. This can be plain - text or a JSON string. | + | Note Type | String | True | The type or category of the note (e.g., 'threatdata'). + | - | **Is the Note in Json format** | Boolean | No | If set to `true`, the action - validates that the `Note` parameter contains valid JSON before sending it to Cyware. + | Note | String | True | The actual content or description of the note to be added. | + | Is the Note in Json format | Boolean | False | If set to true, the action validates + that the 'Note' parameter is a valid JSON string before sending it to Cyware. + Default is false. | + ### Flow Description - 1. **Initialization**: The action retrieves connection details (Base URL, Access - ID, Secret Key) and input parameters from the configuration. + 1. **Parameter Initialization**: The action retrieves the integration configuration + (Base URL, Credentials) and the action parameters (Note, Note Type, JSON flag). - 2. **Entity Identification**: It collects the identifiers of all entities currently - attached to the Google SecOps case. + 2. **Entity Identification**: It identifies all target entities attached to the + case. - 3. **Bulk Lookup**: It queries Cyware Intel Exchange using a bulk lookup endpoint - to map the case entity identifiers to their corresponding internal Cyware Indicator - IDs. + 3. **Bulk Lookup**: The action performs a bulk lookup against the Cyware Intel + Exchange API to map the entity identifiers (IOC values) to their corresponding + internal Cyware IDs. - 4. **Note Submission**: For every entity successfully matched to a Cyware indicator, - the action sends a POST request to the `/ingestion/notes/` endpoint to create - and attach the specified note. + 4. **Validation**: It identifies which indicators exist in Cyware and which are + missing. Missing indicators are skipped. - 5. **Result Reporting**: The action provides a summary of which IOCs were successfully - updated and includes the raw API responses in the JSON results for downstream - playbook use. + 5. **Note Creation**: For each valid indicator found, the action sends a POST + request to the Cyware API to create a new note record associated with that indicator's + ID. + 6. **Result Aggregation**: The action collects the responses from the API, including + the new Note IDs, and returns a summary of successful and failed operations. - ### Additional Notes - - If an entity is not found in Cyware Intel Exchange, it is skipped and reported - as missing. + ### Additional Notes - - If the **Is the Note in Json format** parameter is enabled but the input provided - in the **Note** field is not valid JSON, the action will fail with a specific - error message. + If 'Is the Note in Json format' is enabled but the 'Note' content is not valid + JSON, the action will fail with a specific error message. capabilities: can_create_case_comments: false can_create_insight: false @@ -178,8 +205,8 @@ Add Note to IOCs: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates new note records in the Cyware Intel Exchange platform associated with - specific threat indicators. + Creates a new note record in the Cyware Intel Exchange platform associated with + the specific indicator. fetches_data: true internal_data_mutation_explanation: null categories: @@ -234,14 +261,41 @@ Add Note to IOCs: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Create Intel in Cyware Intel Exchange: ai_description: >- ### General Description - This action creates new intelligence records (indicators) in Cyware Intel Exchange - (CTIX) for entities found in the current Google SecOps context. It allows users - to submit indicators with specific metadata such as TLP, confidence scores, and - tags, and then monitors the creation process until completion. + The **Create Intel in Cyware Intel Exchange** action allows users to create new + intelligence records (indicators) within the Cyware Intel Exchange (CTIX) platform + based on entities present in a Google SecOps case. It supports various indicator + types and allows for the inclusion of metadata such as TLP, confidence scores, + and tags. This action is primarily used to share or store threat intelligence + discovered during an investigation. ### Parameters Description @@ -250,59 +304,56 @@ Create Intel in Cyware Intel Exchange: | :--- | :--- | :--- | :--- | - | Title | String | Yes | The title for the intelligence record (maximum 100 characters). - | + | **Title** | String | Yes | The title for the intelligence record (max 100 characters). + Defaults to the Alert Name. | - | IOC Type | DDL | Yes | The STIX-compliant type of the indicator (e.g., ipv4-addr, - domain-name, file). | + | **IOC Type** | DDL | Yes | The STIX-compliant type of the indicator (e.g., `ipv4-addr`, + `domain-name`, `file`, `SHA-256`). | - | TLP | DDL | No | The Traffic Light Protocol level (RED, CLEAR, AMBER, AMBER_STRICT, - NONE, GREEN). Default is NONE. | + | **TLP** | DDL | No | The Traffic Light Protocol level (RED, CLEAR, AMBER, AMBER_STRICT, + NONE, GREEN). Defaults to `NONE`. | - | Metadata Confidence Score | String | No | A source confidence score between + | **Metadata Confidence Score** | String | No | A source confidence score between 0 and 100. | - | Tags | String | No | Comma-separated list of tags to associate with the intelligence. - | + | **Tags** | String | No | Comma-separated list of tags to associate with the + intel. | - | Deprecates After | String | No | The expiration time of the indicator in days - (maximum 1000 days). | + | **Deprecates After** | String | No | Expiration time in days (1 to 1000). Defaults + to 180. | - | Description | String | No | A detailed description for the intelligence (maximum - 1000 characters). | + | **Description** | String | No | A detailed description for the intel (max 1000 + characters). | ### Flow Description - 1. **Parameter Initialization**: The action retrieves the integration configuration - (Base URL, Credentials) and the action-specific parameters. - - 2. **Entity Collection**: It identifies all target entities associated with the - current case. + 1. **Initialization**: The action retrieves integration parameters (Base URL, + Access ID, Secret Key) and the list of target entities from the current context. - 3. **Validation**: The action validates the lengths of the Title and Description, - and ensures the Confidence Score and Expiration days are within valid numeric - ranges. + 2. **Validation**: It validates the lengths of the Title and Description, and + ensures the Confidence Score and Deprecation period are within valid integer ranges. - 4. **Intel Creation**: For each entity, it sends a POST request to the Cyware - CTIX API to initiate the creation of a STIX-based intelligence record. + 3. **Intel Creation**: For each entity identifier, the action constructs a 'Quick + Intel' payload and sends a POST request to the Cyware API endpoint `/conversion/quick-intel/create-stix/`. - 5. **Status Polling**: After initiation, the action enters a polling loop, checking - the status of the creation task via the Cyware API at regular intervals until - the record is successfully created, an error occurs, or the maximum number of - attempts is reached. + 4. **Status Polling**: After submission, the action enters a polling loop, checking + the status of the creation task using the returned Task ID via GET requests to + `/conversion/quick-intel/receive-report/` until it reaches a success or failure + state (or times out after 24 attempts). - 6. **Result Reporting**: Finally, it aggregates the results for all entities and - provides a summary of successful and failed operations. + 5. **Result Reporting**: The action aggregates the results, including the creation + responses and final statuses, and outputs them as a JSON result for the analyst. ### Additional Notes - * The action applies the same `IOC Type` to all entities processed in a single - run. Ensure that the entities in the context match the selected type. + - This action processes all entities in the context regardless of their type; + the user must specify the correct `IOC Type` that applies to the entities being + submitted. - * If no entities are found, the action will complete successfully with a message - indicating no entities were processed. + - If no entities are found in the context, the action completes with a message + indicating no processing occurred. capabilities: can_create_case_comments: false can_create_insight: false @@ -311,7 +362,8 @@ Create Intel in Cyware Intel Exchange: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates new intelligence records (indicators) in Cyware Intel Exchange. + Creates new intelligence records (indicators) in Cyware Intel Exchange via POST + requests. fetches_data: true internal_data_mutation_explanation: null categories: @@ -366,14 +418,39 @@ Create Intel in Cyware Intel Exchange: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Create Task for IOCs: ai_description: >- ### General Description - Creates tasks in Cyware Intel Exchange for specific Indicator of Compromise (IOC) - entities. This action allows analysts to automate the creation of follow-up tasks - or investigations within the Cyware platform, associated directly with threat - data objects found in a Google SecOps case. + This action creates tasks within the Cyware Intel Exchange platform for specific + Indicator of Compromise (IOC) entities present in a Google SecOps case. It allows + analysts to automate the assignment of investigative or remediation work related + to threat intelligence by linking tasks directly to indicators in the Cyware environment. ### Parameters Description @@ -382,57 +459,58 @@ Create Task for IOCs: | :--- | :--- | :--- | :--- | - | **Text** | String | Yes | The description of the task to be performed. Limited - to 2000 characters. | + | Text | String | Yes | The description or instructions for the task. Limited + to a maximum of 2000 characters. | - | **Priority** | DDL | Yes | The priority level assigned to the task. Options: - `high`, `medium`, `low`. | + | Priority | DDL | Yes | The urgency level of the task. Options include: high, + medium, low. | - | **Status** | DDL | Yes | The initial status of the created task. Options: `not_started`, - `in_progress`, `completed`. | + | Status | DDL | Yes | The initial state of the task. Options include: not_started, + in_progress, completed. | - | **Deadline** | String | Yes | The deadline for the task expressed in days from - the current time. Must be an integer between 1 and 365. | + | Deadline | String | Yes | The number of days from the current time until the + task is due. Must be an integer between 1 and 365. | - | **Assignee Email ID** | String | No | The email address of a valid Cyware user - to whom the task will be assigned. If omitted, the task is created as unassigned. + | Assignee Email ID | String | No | The email address of the Cyware user to whom + the task should be assigned. If not provided, the task will be created as unassigned. | - ### Flow Description + ### Additional Notes - 1. **Initialization**: Extracts integration configuration and action parameters, - including task details and the optional assignee email. + - The action performs a bulk lookup to resolve entity identifiers to internal + Cyware object IDs before task creation. Tasks are only created for IOCs that already + exist in Cyware Intel Exchange. - 2. **Validation**: Validates that the task description is within the character - limit and that the deadline is a valid integer within the allowed range (1-365 - days). + - If an `Assignee Email ID` is provided but the user cannot be found in Cyware, + the action will fail to ensure tasks are not assigned to non-existent users. - 3. **User Resolution**: If an assignee email is provided, the action queries the - Cyware API to retrieve the corresponding internal User ID. If the user is not - found, the action fails. + - The deadline is calculated as an epoch timestamp based on the number of days + provided from the moment of execution. - 4. **IOC Lookup**: Retrieves all target entities from the case and performs a - bulk lookup in Cyware Intel Exchange to map entity identifiers to their internal - Cyware object IDs. - 5. **Task Creation**: Iterates through the valid IOCs found in Cyware and sends - a POST request to create a task for each, including the description, priority, - status, and calculated deadline timestamp. + ### Flow Description - 6. **Result Reporting**: Aggregates the responses, providing a summary of successful - and failed task creations, and outputs the raw JSON results for each task. + 1. **Parameter Extraction:** Retrieves the task description, priority, status, + deadline, and optional assignee email from the action configuration. + 2. **Entity Retrieval:** Collects all target entities from the current case context. - ### Additional Notes + 3. **Validation:** Validates that the task text does not exceed character limits + and that the deadline is a valid integer within the allowed range (1-365 days). - - **Entity Matching**: Only entities that already exist as indicators in Cyware - Intel Exchange will have tasks created for them. Entities not found in Cyware - are skipped. + 4. **User Resolution:** If an assignee email is provided, the action queries the + Cyware API to retrieve the corresponding internal User ID. - - **Error Handling**: The action will fail if no entities are provided, if the - assignee email is invalid, or if the task description exceeds the 2000-character - limit. + 5. **IOC Lookup:** Executes a bulk lookup against Cyware Intel Exchange to map + the SecOps entity identifiers to internal Cyware indicator IDs. + + 6. **Task Creation:** Iterates through the valid indicators and sends a POST request + to Cyware to create a task for each, including the description, priority, status, + and calculated deadline. + + 7. **Result Reporting:** Returns a JSON result containing the details of the created + tasks and provides a summary message of successful and failed operations. capabilities: can_create_case_comments: false can_create_insight: false @@ -441,8 +519,8 @@ Create Task for IOCs: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates new task objects in the Cyware Intel Exchange platform associated with - specific threat indicators. + Creates new task records in Cyware Intel Exchange associated with specific indicators + (IOCs). fetches_data: true internal_data_mutation_explanation: null categories: @@ -497,57 +575,78 @@ Create Task for IOCs: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: true + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Allowed IOCs: ai_description: >- - ### General Description - - This action retrieves a list of Indicators of Compromise (IOCs) that have been - marked as 'allowed' (whitelisted) within the Cyware CTIX platform. It allows security - analysts to audit or verify the current allowlist status of various indicator - types directly from Google SecOps. + Retrieves a list of allowed (whitelisted) Indicators of Compromise (IOCs) from + the Cyware Intel Exchange (CTIX) platform. This action allows analysts to audit + or verify which indicators are currently bypassed by security logic based on their + type or creation time. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Parameter Extraction:** The action retrieves the `IOC Type` and `Created + From` filter parameters from the user input. - | :--- | :--- | :--- | :--- | + 2. **Validation:** It validates the `Created From` parameter to ensure it is a + valid non-negative integer representing an epoch timestamp. - | **IOC Type** | DDL | No | Filters the results by a specific indicator type (e.g., - `domain-name`, `ipv4-addr`, `file`). If set to 'All' (default), all allowed indicators - are retrieved. | + 3. **API Query:** It connects to the Cyware CTIX API and performs a paginated + search for indicators marked as 'allowed'. - | **Created From** | String | No | Filters records based on their creation time. - Expects an epoch timestamp in seconds (e.g., `1767160932`). | + 4. **Data Processing:** The raw API response is parsed into structured data models. + If results are found, it prepares a summary for a data table. + 5. **Output Generation:** It populates a data table named 'Allowed IOCs' in the + Google SecOps case (limited to the first 10 records for visibility) and attaches + the full JSON result for further automated processing. - ### Additional Notes - - This action does not run on specific entities within a case; it performs a global - retrieval from the Cyware platform based on the provided filters. + ### Parameters Description - - The action handles pagination automatically to ensure all matching records are - retrieved, though the displayed data table is limited to the first 10 records - for readability. + | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Flow Description + | **IOC Type** | DDL | No | Filters the results by a specific indicator type (e.g., + `domain-name`, `ipv4-addr`). Selecting 'All' retrieves all types. | - 1. **Parameter Extraction:** The action retrieves the `IOC Type` and `Created - From` filters from the user input. + | **Created From** | String | No | An epoch timestamp in seconds (e.g., `1767160932`). + If provided, the action only retrieves IOCs created after this time. | - 2. **Validation:** It validates that the `Created From` parameter is a valid non-negative - integer if provided. - 3. **API Interaction:** It connects to the Cyware CTIX API and performs a GET - request to the allowed indicators endpoint, applying the specified filters. + ### Additional Notes - 4. **Data Processing:** The action aggregates paginated results into a single - list and maps them to a structured data model. + - This action does not run on specific entities within the case; it performs a + global search against the Cyware allowlist. - 5. **Output Generation:** It populates a data table named 'Allowed IOCs' with - the ID, Type, and Value of the retrieved indicators and attaches the full raw - JSON response to the action results. + - The data table displayed in the UI is capped at 10 records to prevent performance + issues, but the full list is available in the JSON result. capabilities: can_create_case_comments: false can_create_insight: false @@ -559,7 +658,7 @@ Get Allowed IOCs: fetches_data: true internal_data_mutation_explanation: >- The action adds a data table named 'Allowed IOCs' to the Google SecOps case - to display the retrieved information. + to display the retrieved indicators. categories: enrichment: false entity_usage: @@ -577,53 +676,57 @@ Get Allowed IOCs: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get IOC Details: - ai_description: >- - ### General Description - - Retrieves detailed threat intelligence for entities from Cyware Intel Exchange - (CTIX), including analyst scores, confidence levels, and TLP classifications. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Enrichment Data | boolean | No | If true, includes detailed enrichment metadata - in the results. | - - | Relation Data | boolean | No | If true, includes relationship data between IOCs - in the results. | - - | Fields | string | No | A comma-separated list of specific fields to retrieve - from the API. | - - - ### Additional Notes - - - The action performs a bulk lookup for all target entities. - - - The data table displayed in the case wall is limited to the first 10 records. - - - Entities are enriched with properties prefixed with 'Cyware_'. - - - ### Flow Description - - 1. Extract parameters and identify target entities. - - 2. Query the Cyware CTIX API for IOC details using entity identifiers. - - 3. Parse the response and populate a data table for the case wall. - - 4. Map the results back to the original entities. - - 5. Update entity additional properties with threat intelligence and mark them - as enriched. - - 6. Return the full JSON response. + ai_description: "Retrieves comprehensive threat intelligence for IOCs from Cyware\ + \ Intel Exchange. This action performs a bulk lookup for indicators present in\ + \ the case, fetching details such as analyst scores, confidence levels, TLP, and\ + \ tags. It enriches the entities within Google SecOps by updating their additional\ + \ properties with the retrieved intelligence and provides a summary table for\ + \ quick analyst review.\n\n### Flow Description\n1. **Parameter Extraction:**\ + \ Retrieves the 'Enrichment Data', 'Relation Data', and 'Fields' parameters to\ + \ customize the API request.\n2. **Entity Identification:** Collects all target\ + \ entities from the current case context.\n3. **API Lookup:** Executes a bulk\ + \ lookup request to the Cyware Intel Exchange API for the identified IOC values.\n\ + 4. **Data Processing:** Parses the API response into structured data models, handling\ + \ pagination and record limits for display.\n5. **Case Enrichment:** \n * Adds\ + \ a detailed 'IOC Details' data table to the case wall.\n * Updates matching\ + \ entities with specific threat attributes (e.g., `Cyware_analyst_score`, `Cyware_tlp`).\n\ + \ * Sets the `is_enriched` flag to true for all successfully processed entities.\n\ + \n### Parameters Description\n| Parameter | Type | Mandatory | Description |\n\ + | :--- | :--- | :--- | :--- |\n| Enrichment Data | boolean | No | If set to true,\ + \ the action will request additional enrichment data from Cyware for each IOC.\ + \ Default is false. |\n| Relation Data | boolean | No | If set to true, the action\ + \ will include relationship data (e.g., associated campaigns or actors) in the\ + \ results. Default is false. |\n| Fields | string | No | A comma-separated list\ + \ of specific fields to retrieve (e.g., 'name,id,tlp'). If left empty, default\ + \ fields are returned. |\n\n### Additional Notes\n* The action limits the number\ + \ of records displayed in the data table to 10 to maintain performance and readability,\ + \ though all retrieved data is included in the JSON results." capabilities: can_create_case_comments: false can_create_insight: false @@ -634,8 +737,8 @@ Get IOC Details: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with Cyware threat intelligence (scores, - TLP, status) and marks entities as enriched. + Updates entity additional properties with threat intelligence data (scores, + TLP, whitelist status) and sets the 'is_enriched' flag to true. categories: enrichment: true entity_usage: @@ -688,36 +791,88 @@ Get IOC Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Manage Tags in IOCs: - ai_description: "### General Description\nThe **Manage Tags in IOCs** action allows\ - \ users to programmatically add or remove tags from Indicators of Compromise (IOCs)\ - \ within the Cyware Intel Exchange platform. It facilitates bulk tagging operations\ - \ based on entities present in a Google SecOps case, ensuring that threat intelligence\ - \ metadata is kept up-to-date.\n\n### Parameters Description\n| Parameter | Type\ - \ | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| **Tags** | String\ - \ | Yes | A comma-separated list of tag names to be added or removed (e.g., \"\ - malicious\", \"phishing\"). |\n| **Operation Type** | DDL | Yes | Determines the\ - \ action to perform. Options are `Add Tag` or `Remove Tag`. |\n\n### Additional\ - \ Notes\n- **Auto-Creation**: During an `Add Tag` operation, if a specified tag\ - \ does not exist in Cyware Intel Exchange, the action will automatically attempt\ - \ to create it before associating it with the IOCs.\n- **IOC Resolution**: The\ - \ action resolves SecOps entity identifiers to Cyware internal object IDs. If\ - \ an entity is not found in Cyware, it will be skipped, and a note will be included\ - \ in the output message.\n- **Validation**: For `Remove Tag` operations, only\ - \ existing tags found in Cyware will be processed; invalid or non-existent tags\ - \ are ignored.\n\n### Flow Description\n1. **Initialization**: Retrieves integration\ - \ credentials and extracts the `Tags` and `Operation Type` parameters.\n2. **Tag\ - \ Discovery**: Fetches the full list of available tags from Cyware Intel Exchange\ - \ to map the provided tag names to their respective internal IDs.\n3. **Entity\ - \ Resolution**: Converts the identifiers of the target entities into Cyware IOC\ - \ object IDs using a bulk lookup.\n4. **Tag Management (Add)**: \n - Identifies\ - \ any tags that do not yet exist in Cyware and creates them.\n - Executes a\ - \ bulk API call to associate the complete list of tag IDs with the identified\ - \ IOCs.\n5. **Tag Management (Remove)**: \n - Filters the provided tag list\ - \ to include only those that currently exist in Cyware.\n - Executes a bulk\ - \ API call to disassociate the specified tag IDs from the identified IOCs.\n6.\ - \ **Completion**: Returns a summary message indicating the number of tags processed\ - \ and any entities or tags that were skipped." + ai_description: >- + ### General Description + + The **Manage Tags in IOCs** action allows analysts to programmatically add or + remove tags from Indicators of Compromise (IOCs) within the Cyware Intel Exchange + platform. This action is essential for maintaining organized threat intelligence + by labeling indicators based on campaigns, threat actors, or internal tracking + requirements. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Tags | String | Yes | A comma-separated list of tag names to be applied or removed + (e.g., "malware-family", "apt-28"). | + + | Operation Type | DDL | Yes | Determines the action to perform. Options are **Add + Tag** (associates tags with IOCs) or **Remove Tag** (disassociates tags from IOCs). + | + + + ### Flow Description + + 1. **Parameter Extraction:** The action retrieves the list of tags and the desired + operation type from the user input. + + 2. **Entity Identification:** It collects the identifiers of all target entities + currently attached to the case. + + 3. **Tag Resolution:** The action queries Cyware Intel Exchange to fetch all existing + tags and maps the provided tag names to their corresponding internal IDs. + + 4. **IOC Lookup:** It resolves the SOAR entity identifiers to specific IOC object + IDs within the Cyware platform. + + 5. **Tag Management Logic:** + * **Add Tag:** If any specified tags do not exist in Cyware, the action + automatically creates them. It then performs a bulk operation to associate the + tag IDs with the identified IOCs. + * **Remove Tag:** The action performs a bulk operation to remove the association + between the specified tag IDs and the identified IOCs. + 6. **Result Reporting:** The action provides a summary of the number of tags successfully + managed and lists any invalid IOCs or tags that were skipped. + + + ### Additional Notes + + * **Automatic Tag Creation:** During the "Add Tag" operation, if a tag name provided + in the input does not exist in Cyware, the action will attempt to create it before + proceeding. + + * **Validation:** The action validates entities against the Cyware database; entities + not found in Cyware as IOCs will be reported as invalid and skipped. capabilities: can_create_case_comments: false can_create_insight: false @@ -726,9 +881,10 @@ Manage Tags in IOCs: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - This action modifies the metadata of IOCs in Cyware Intel Exchange by adding - or removing tags. Additionally, it can create new tag objects in the external - system if they do not already exist during an 'Add Tag' operation. + This action modifies the metadata of Indicators of Compromise (IOCs) in Cyware + Intel Exchange by adding or removing tags. Additionally, if the 'Add Tag' operation + is selected and a specified tag does not exist, the action creates the new tag + in the external system. fetches_data: true internal_data_mutation_explanation: null categories: @@ -783,67 +939,71 @@ Manage Tags in IOCs: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Mark IOCs False Positive: ai_description: >- - ### General Description + Marks multiple Indicator of Compromise (IOC) entities as false positives within + the Cyware Intel Exchange (CTIX) platform. This action is used to tune threat + intelligence by identifying indicators that are no longer considered threats or + were incorrectly flagged. - This action marks multiple Indicators of Compromise (IOCs) as false positives - within the Cyware Intel Exchange (CTIX) platform. It is used to update the status - of threat intelligence indicators that have been determined to be non-threatening, - ensuring that future security analysis is accurate and noise is reduced. + ### Flow Description - ### Parameters Description - - There are no action-specific parameters for this action. It relies on the global - integration configuration parameters: + 1. **Entity Retrieval**: The action identifies all target entities associated + with the current Google SecOps case. + 2. **ID Resolution**: It performs a bulk lookup against Cyware Intel Exchange + to map the entity identifiers (e.g., IP addresses, domains, hashes) to their corresponding + internal Cyware Object IDs. - | Parameter Name | Type | Mandatory | Description | + 3. **Validation**: The action filters out any entities that do not exist in the + Cyware platform, logging them as skipped. - | :--- | :--- | :--- | :--- | + 4. **Status Update**: For all valid indicators found, it sends a bulk request + to the Cyware API to update their status to 'False Positive'. - | Base URL | String | Yes | The base URL of the Cyware CTIX tenant. | + 5. **Result Reporting**: The action returns the API response, including a success + message and the count of updated indicators. - | Access ID | String | Yes | The Access ID used for API authentication. | - | Secret Key | String | Yes | The Secret Key used for API authentication. | + ### Parameters Description - | Verify SSL | Boolean | No | If enabled, the action will verify the SSL certificate - of the CTIX server. Default is False. | + There are no specific action parameters for this resource; it operates directly + on the entities present in the case scope. ### Additional Notes - * The action first performs a lookup to translate the Google SecOps entity identifiers - into Cyware-specific internal IDs. - - * Only entities that already exist in the Cyware Intel Exchange platform will - be processed; any entities not found in CTIX will be skipped. - - * The action performs a bulk update, meaning it processes all valid entities in - a single API request to the external system. - + * This action requires valid Cyware API credentials (Access ID and Secret Key) + configured in the integration settings. - ### Flow Description - - 1. **Initialization**: The action initializes the Siemplify (Google SecOps) environment - and retrieves the integration configuration (Base URL, credentials). - - 2. **Entity Retrieval**: It collects all target entities associated with the current - case. - - 3. **IOC Lookup**: The action calls the Cyware API to perform a bulk lookup of - the entity identifiers to retrieve their corresponding internal Cyware IDs. - - 4. **Validation**: It identifies which entities have valid IDs in CTIX and logs - any entities that are missing from the platform. - - 5. **Status Update**: If valid IDs are found, the action sends a request to the - Cyware bulk action endpoint to mark those specific indicators as 'False Positive'. - - 6. **Result Reporting**: The action returns the API response as a JSON object - and provides a summary message indicating the number of successfully updated indicators. + * Only entities that already exist in the Cyware Intel Exchange database can be + marked as false positives. capabilities: can_create_case_comments: false can_create_insight: false @@ -852,8 +1012,8 @@ Mark IOCs False Positive: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - This action updates the status of indicators in the Cyware Intel Exchange platform - by marking them as 'False Positive' via a POST request to the bulk action endpoint. + Updates the status of indicators in the Cyware Intel Exchange platform to 'False + Positive'. fetches_data: true internal_data_mutation_explanation: null categories: @@ -908,27 +1068,56 @@ Mark IOCs False Positive: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: true + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: - ai_description: "### General Description\nThe **Ping** action is a diagnostic tool\ - \ used to verify the connectivity between Google SecOps and the Cyware Intel Exchange\ - \ platform. Its primary purpose is to ensure that the provided configuration parameters\ - \ (Base URL, Access ID, and Secret Key) are correct and that the network path\ - \ to the Cyware server is open. It performs a simple health check by sending a\ - \ GET request to the service's ping endpoint.\n\n### Parameters Description\n\ - This action does not require any input parameters.\n\n### Additional Notes\n*\ - \ This action is typically used during the initial setup of the integration or\ - \ for troubleshooting connectivity issues.\n* A successful execution returns a\ - \ 'True' result, while any failure (authentication, timeout, or DNS issues) returns\ - \ 'False'.\n\n### Flow Description\n1. **Initialization**: The action initializes\ - \ the Siemplify context and retrieves the integration's global configuration parameters,\ - \ including the Base URL and authentication credentials.\n2. **API Connection**:\ - \ It instantiates the `APIManager` which handles the authentication logic (HMAC\ - \ signature generation).\n3. **Connectivity Test**: The action calls the `test_connectivity`\ - \ method, which executes a GET request to the `/ping/` endpoint.\n4. **Result\ - \ Handling**: \n * If the server responds with a success status, the action\ - \ logs the success and returns a positive result.\n * If an exception occurs\ - \ (e.g., `UnauthorizedException` or `InternalServerError`), the action captures\ - \ the error, logs the details, and marks the execution as failed." + ai_description: "### General Description\nThe **Ping** action is a diagnostic utility\ + \ designed to verify the connectivity between Google SecOps and the Cyware Intel\ + \ Exchange (CTIX) instance. It ensures that the provided configuration parameters\u2014\ + such as the Base URL, Access ID, and Secret Key\u2014are correct and that the\ + \ network path is open.\n\n### Parameters Description\nThis action does not require\ + \ any input parameters. It relies solely on the integration's global configuration\ + \ settings.\n\n| Parameter Name | Type | Mandatory | Description |\n| :--- | :---\ + \ | :--- | :--- |\n| N/A | N/A | N/A | No parameters are used for this action.\ + \ |\n\n### Flow Description\n1. **Initialization**: The action initializes the\ + \ Siemplify SDK and retrieves the global integration parameters (Base URL, Access\ + \ ID, Secret Key, and SSL verification settings).\n2. **API Client Setup**: An\ + \ instance of the `APIManager` is created using the retrieved credentials.\n3.\ + \ **Connectivity Test**: The action calls the `test_connectivity` method, which\ + \ executes a `GET` request to the `/ping/` endpoint of the Cyware API.\n4. **Response\ + \ Handling**: \n * If the API returns a successful response (HTTP 200), the\ + \ action logs the success and returns a result value of `True`.\n * If the\ + \ request fails due to authentication errors, network issues, or server errors,\ + \ an exception is caught, the error is logged, and the action returns a result\ + \ value of `False` with a failure status.\n5. **Finalization**: The action terminates,\ + \ providing an output message indicating whether the connection was successful\ + \ or detailing the reason for failure.\n\n### Additional Notes\n* This action\ + \ is typically used during the initial setup of the integration or for troubleshooting\ + \ communication issues.\n* It does not interact with any entities or modify\ + \ any data within Cyware or Google SecOps." capabilities: can_create_case_comments: false can_create_insight: false @@ -937,7 +1126,7 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: false + fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false @@ -956,49 +1145,74 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Remove IOCs from Allowed list: ai_description: >- - ### General Description + Removes indicators (IOCs) from the allowed list (un-whitelists them) in Cyware + Intel Exchange. This action is used to revert the 'allowed' status of specific + entities, ensuring they are no longer excluded from security monitoring or correlation + logic within the Cyware platform. - The **Remove IOCs from Allowed list** action is used to un-whitelist indicators - in Cyware Intel Exchange. It processes the entities present in a Google SecOps - case, resolves their identifiers to internal Cyware indicator IDs, and then removes - those IDs from the Cyware allowed list (allowlist). + ### Flow Description: - ### Parameters + 1. **Parameter Initialization:** Retrieves integration credentials (Base URL, + Access ID, Secret Key) and identifies all target entities associated with the + current context. - There are no specific action parameters for this action. It utilizes the global - integration configuration (Base URL, Access ID, Secret Key, and Verify SSL) and - the entities attached to the case. + 2. **Indicator Lookup:** Performs a bulk lookup against Cyware Intel Exchange + to map the provided entity identifiers to their corresponding internal Cyware + Indicator IDs. + 3. **Validation:** Filters the list to identify which indicators exist in the + external system; entities not found in Cyware are logged and skipped. - ### Flow Description + 4. **Removal Process:** Executes a bulk API request to the Cyware 'un_whitelist' + endpoint using the gathered Indicator IDs. - 1. **Initialization**: The action retrieves integration credentials and the list - of target entities from the current case. + 5. **Result Reporting:** Returns the API response, including success messages + and counts of removed indicators, to the Google SecOps platform. - 2. **ID Resolution**: It performs a bulk lookup in Cyware Intel Exchange to map - the entity identifiers (such as IP addresses, domains, or hashes) to their corresponding - internal Cyware indicator IDs. - 3. **Validation**: The action identifies which entities exist in Cyware and logs - any that are missing from the external system. + ### Parameters Description: - 4. **Removal**: For all successfully resolved IDs, it sends a bulk POST request - to the Cyware API to remove these indicators from the allowed list. + | Parameter Name | Type | Mandatory | Description | - 5. **Completion**: The action returns the raw API response as JSON and provides - a summary message of the operation's success or failure. + | :--- | :--- | :--- | :--- | + | None | N/A | N/A | This action does not require any action-specific parameters; + it operates directly on the entities present in the case scope. | - ### Additional Notes - - This action requires the entities to already exist as indicators within Cyware - Intel Exchange to be successfully removed from the allowed list. + ### Additional Notes: - - If no entities are provided or no valid indicators are found in the external - system, the action will complete gracefully with an informative message. + * This action requires the indicators to already exist in Cyware Intel Exchange + to be successfully removed from the allowlist. If an indicator is not found during + the lookup phase, it will be ignored. capabilities: can_create_case_comments: false can_create_insight: false @@ -1007,8 +1221,8 @@ Remove IOCs from Allowed list: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Removes specified indicators from the allowed list (un-whitelists them) in Cyware - Intel Exchange via a bulk action API call. + Removes indicators from the allowed list (un-whitelists) in Cyware Intel Exchange + via a POST request to the bulk-action/un_whitelist endpoint. fetches_data: true internal_data_mutation_explanation: null categories: @@ -1063,3 +1277,28 @@ Remove IOCs from Allowed list: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: true + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/partner/cyware_intel_exchange/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/cyware_intel_exchange/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..4788aca80 --- /dev/null +++ b/content/response_integrations/third_party/partner/cyware_intel_exchange/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: true + network_security: false + siem: false + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/darktrace/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/darktrace/resources/ai/actions_ai_description.yaml index a85ceb0d7..e6bbd36b6 100644 --- a/content/response_integrations/third_party/partner/darktrace/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/darktrace/resources/ai/actions_ai_description.yaml @@ -1,24 +1,44 @@ Add Comment To Model Breach: - ai_description: "### General Description\nAdds a comment to a specific model breach\ - \ in Darktrace. This action allows analysts to document findings, provide updates,\ - \ or add context directly to a Darktrace alert from within Google SecOps. It targets\ - \ a specific model breach using its unique identifier.\n\n### Parameters Description\n\ - \n| Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :---\ - \ |\n| Model Breach ID | String | Yes | The unique identifier of the model breach\ - \ in Darktrace to which the comment will be added. |\n| Comment | String | Yes\ - \ | The text content of the comment to be appended to the model breach record.\ - \ |\n\n### Flow Description\n1. **Initialization**: The action extracts the necessary\ - \ API configuration (Root URL, Token, Private Token) and the specific action parameters\ - \ (Model Breach ID and Comment).\n2. **API Connection**: Initializes the Darktrace\ - \ Manager to establish a secure connection to the Darktrace API.\n3. **Execution**:\ - \ Sends a POST request to the Darktrace endpoint `/modelbreaches/{model_breach_id}/comments`\ - \ containing the comment payload.\n4. **Error Handling**: Specifically catches\ - \ cases where the Model Breach ID does not exist (NotFoundException) and provides\ - \ a clear error message. \n5. **Completion**: Returns the JSON response from the\ - \ Darktrace API and marks the action as completed or failed based on the outcome.\n\ - \n### Additional Notes\nThis action performs a state-changing operation in the\ - \ external Darktrace system. It does not interact with or modify entities within\ - \ the Google SecOps environment." + ai_description: >- + Adds a comment to a specific model breach in Darktrace. This action allows analysts + to append notes, documentation, or context to an existing Darktrace alert (model + breach) directly from Google SecOps. It requires the unique identifier of the + model breach and the text of the comment to be submitted. + + + ### Flow Description + + 1. **Parameter Extraction:** The action retrieves the 'Model Breach ID' and the + 'Comment' text from the user input. + + 2. **Manager Initialization:** It initializes the Darktrace Manager using the + provided API credentials (API Root, Token, Private Token) and SSL settings. + + 3. **API Interaction:** The action sends a POST request to the Darktrace API endpoint + `/modelbreaches/{model_breach_id}/comments` with the comment message in the payload. + + 4. **Result Handling:** It captures the response from Darktrace. If the breach + ID is not found, it returns a failure; otherwise, it completes the execution and + logs the result. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Model Breach ID | string | True | The unique identifier of the model breach + in Darktrace that you want to comment on. | + + | Comment | string | True | The actual text content of the comment to be added + to the breach record. | + + + ### Additional Notes + + - This action performs a state change in the external Darktrace system by adding + data to its records. capabilities: can_create_case_comments: false can_create_insight: false @@ -27,8 +47,8 @@ Add Comment To Model Breach: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Adds a new comment to a model breach record in the Darktrace platform via a - POST request to the API. + Adds a new comment record to a specific model breach within the Darktrace platform + via a POST request. fetches_data: false internal_data_mutation_explanation: null categories: @@ -48,62 +68,81 @@ Add Comment To Model Breach: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: true + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: true + update_email: false + update_identity: false + update_ticket: false Enrich Entities: ai_description: >- - ### General Description - - Enriches IP Address, Hostname, MAC Address, and URL entities using threat intelligence - and device metadata from Darktrace. This action retrieves comprehensive device - details, endpoint information, and optionally historical connection data to provide - security analysts with context regarding internal and external endpoints. + Enriches IP Address, Hostname, MacAddress, and URL entities using network visibility + and threat intelligence data from Darktrace. This action identifies devices and + endpoints within the Darktrace environment to provide contextual metadata such + as OS versions, device labels, and location information. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Fetch Connection Data | boolean | No | If enabled, the action retrieves additional - information about network connections related to internal Darktrace endpoints. - | + | Fetch Connection Data | Boolean | No | If enabled, the action retrieves additional + information about network connections related to internal endpoints. | + + | Max Hours Backwards | String | No | Specifies the lookback window (in hours) + for fetching connection data. Defaults to 24 hours. | + + | Create Endpoint Insight | Boolean | No | If enabled, the action generates a + detailed insight on the entity containing Darktrace endpoint information. | + + + ### Additional Notes - | Max Hours Backwards | string | No | Specifies the lookback window (in hours) - for fetching connection data. Defaults to 24. If a value less than 1 is provided, - the default is used. | + - For URL entities, the action automatically extracts the domain or network path + to perform the lookup. - | Create Endpoint Insight | boolean | No | If enabled, generates a detailed insight - for the entity in the Google SecOps case containing hostname, IP, MAC, OS, and - device type information. | + - If 'Max Hours Backwards' is set to a value less than 1, the default value of + 24 will be used. ### Flow Description - 1. **Initialization**: The action extracts API credentials (API Root, Token, Private - Token) and configuration parameters, including the connection data toggle and - lookback window. + 1. **Filter Entities:** The action identifies supported entities (IP, Hostname, + MAC, URL) from the current context. - 2. **Entity Filtering**: It identifies supported entities from the case, specifically - targeting IP Addresses, Hostnames, MAC Addresses, and URLs. + 2. **Query Darktrace:** For each entity, it queries the Darktrace API to find + matching device records or endpoint details. - 3. **Data Retrieval**: For each entity, the action queries the Darktrace API: - * **IP/MAC**: Fetches device or endpoint details directly. - * **Hostname**: Searches for the device to retrieve its IP or MAC, then fetches - full details. - * **URL**: Extracts the domain or path and queries for endpoint details. - 4. **Connection Enrichment**: If `Fetch Connection Data` is active and a device - ID is found, the action retrieves historical connection logs for the specified + 3. **Fetch Connections (Optional):** If 'Fetch Connection Data' is enabled, it + retrieves historical connection logs for the identified device based on the specified timeframe. - 5. **Internal Updates**: The action enriches the entities by updating their additional - properties with Darktrace metadata, adding data tables for interacted devices - and connections, and marking the entities as enriched. + 4. **Enrichment:** The action populates the entity's additional properties with + metadata (e.g., OS, Vendor, ASN, Location) and marks the entity as enriched. - 6. **Insight Generation**: If `Create Endpoint Insight` is enabled, a formatted - insight is added to the entity for quick reference. - - 7. **Finalization**: The action updates the entities in the Google SecOps environment - and returns a JSON summary of the results. + 5. **Internal Updates:** It creates data tables for connection and device interaction + data and, if configured, generates an entity insight for the analyst. capabilities: can_create_case_comments: false can_create_insight: true @@ -114,9 +153,8 @@ Enrich Entities: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action updates entity attributes with enrichment data, sets the 'is_enriched' - flag, adds data tables to the case, and creates entity insights containing device - and endpoint details. + The action updates entity enrichment attributes (additional_properties), sets + the 'is_enriched' flag, adds data tables to the case, and creates entity insights. categories: enrichment: true entity_usage: @@ -138,66 +176,100 @@ Enrich Entities: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Execute Custom Search: ai_description: >- ### General Description - Executes a custom search query in Darktrace to retrieve specific event or threat - data within a defined timeframe. This action allows users to leverage Darktrace's - advanced search capabilities directly from Google SecOps, returning raw search - hits for further analysis or automation logic. + + The **Execute Custom Search** action allows users to perform advanced, ad-hoc + queries against the Darktrace platform. It is designed to retrieve specific telemetry, + event data, or security hits based on a user-defined query string and a specified + time range. This action is particularly useful for threat hunting or gathering + additional context during an investigation that isn't covered by standard enrichment + actions. ### Parameters Description + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Query | String | Yes | The specific Darktrace query string to be executed. | + | **Query** | String | Yes | Specify the query that needs to be executed. | - | Time Frame | DDL | No | The temporal scope for the search. Options include relative - ranges (e.g., 'Last Hour'), alert-relative ranges (e.g., '5 Minutes Around Alert - Time'), or 'Custom'. Defaults to 'Last Hour'. | + | **Time Frame** | DDL | No | Specify a time frame for the results. Options include + predefined ranges (e.g., 'Last Hour', 'Last Week') or 'Custom'. Defaults to 'Last + Hour'. | - | Start Time | String | No | The ISO 8601 formatted start time. This is mandatory - if 'Time Frame' is set to 'Custom'. | + | **Start Time** | String | No | Specify the start time for the results in ISO + 8601 format. This parameter is mandatory if 'Custom' is selected for the 'Time + Frame' parameter. | - | End Time | String | No | The ISO 8601 formatted end time. If 'Custom' is selected - and this is empty, the current time is used. | + | **End Time** | String | No | Specify the end time for the results in ISO 8601 + format. If nothing is provided and 'Custom' is selected, the current time is used. + | - | Max Results To Return | String | No | Limits the number of hits returned by - the search. Defaults to 50. | + | **Max Results To Return** | String | No | Specify how many results to return. + Default is 50. | ### Additional Notes - - If 'Custom' is selected as the 'Time Frame', the 'Start Time' parameter must - be provided, otherwise the action will fail. - - When using alert-relative timeframes (e.g., '30 Minutes Around Alert Time'), - the action automatically calculates the range based on the start and end times - of the current alert in Google SecOps. + * If **Time Frame** is set to 'Custom', the **Start Time** must be provided; + otherwise, the action will fail. + + * The action can use the alert's start and end times when relative time frames + like '30 Minutes Around Alert Time' are selected, allowing for context-aware searching. ### Flow Description - 1. **Parameter Extraction**: Retrieves API configuration and user-provided search - parameters. - 2. **Time Range Calculation**: Determines the absolute start and end timestamps - based on the 'Time Frame' selection and alert context. + 1. **Parameter Extraction:** The action retrieves the API configuration (API + Root, Tokens) and the user-provided search parameters. - 3. **Query Encoding**: Formats the search parameters into a JSON structure and - encodes it into a Base64 string as required by the Darktrace Advanced Search API. + 2. **Time Range Calculation:** It determines the precise start and end timestamps + based on the **Time Frame** selection. It handles relative ranges (like 'Last + Hour') and alert-relative ranges (like 'Alert Time Till Now') using the alert's + metadata. - 4. **API Execution**: Sends a GET request to the Darktrace `/advancedsearch/api/search/{base64_query}` - endpoint. + 3. **Query Encoding:** The search query, timeframe, and limit are formatted into + a JSON object and then Base64 encoded to construct the URL for the Darktrace Advanced + Search API. - 5. **Data Parsing**: Processes the API response and converts the resulting hits - into a structured JSON format. + 4. **API Execution:** A GET request is sent to the Darktrace endpoint using the + encoded query string. - 6. **Result Reporting**: Returns the search results to the Google SecOps platform. + 5. **Result Processing:** The action parses the JSON response from Darktrace, + extracts the 'hits', and adds them to the action's result JSON for use in the + SOAR platform. capabilities: can_create_case_comments: false can_create_insight: false @@ -209,7 +281,7 @@ Execute Custom Search: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: entity_types: [] filters_by_additional_properties: false @@ -225,84 +297,77 @@ Execute Custom Search: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false List Endpoint Events: - ai_description: >- - ### General Description - - This action retrieves the latest security and network events related to specific - endpoints from Darktrace. It supports searching for events based on IP addresses, - Hostnames, or MAC addresses. The action allows users to filter by specific event - types (such as connections, unusual connections, or model breaches) and define - a specific time window for the search. The retrieved data is presented as data - tables on the case wall and as a raw JSON result for further automation. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **Event Type** | String | Yes | A comma-separated list of event types to retrieve. - Supported values include: `connection`, `unusualconnection`, `newconnection`, - `notice`, `devicehistory`, `modelbreach`. | - - | **Time Frame** | DDL | Yes | The time range for the search (e.g., Last Hour, - Last 24 Hours). If set to "Custom", the "Start Time" parameter must be provided. - | - - | **Start Time** | String | No | The start time for the search in ISO 8601 format. - This is mandatory only if "Time Frame" is set to "Custom". | - - | **End Time** | String | No | The end time for the search in ISO 8601 format. - If left empty while using a "Custom" time frame, the current time is used. | - - | **Max Events To Return** | String | No | The maximum number of events to return - per event type. Defaults to 50. | - - - ### Additional Notes - - - Events are returned in the UTC timezone. - - - The action first attempts to resolve the entity to a Darktrace Device ID (`did`) - before fetching events. - - - If multiple event types are requested, a separate data table is created for - each type per entity. - - - ### Flow Description - - 1. **Parameter Initialization**: Extracts API configuration and action parameters, - validating that the provided event types and limits are valid. - - 2. **Time Calculation**: Determines the start and end timestamps based on the - selected "Time Frame" or custom inputs. - - 3. **Entity Resolution**: For each supported entity (IP, Hostname, or MAC Address), - the action queries Darktrace to find the corresponding internal Device ID. - - 4. **Event Retrieval**: If a device is found, the action iterates through the - requested event types and fetches the latest events within the specified time - range. - - 5. **Data Output**: Successfully retrieved events are formatted into data tables - and added to the case wall. The full dataset is also attached as a JSON result. + ai_description: "### General Description\nLists the latest security and network\ + \ events associated with specific endpoints in Darktrace. This action enables\ + \ analysts to retrieve detailed logs for various event categories\u2014including\ + \ connections, unusual activities, and model breaches\u2014across a specified\ + \ time range. By supporting IP Address, Hostname, and MacAddress entities, it\ + \ provides a comprehensive view of endpoint activity, outputting data in both\ + \ structured tables and JSON for analysis.\n\n### Parameters Description\n| Parameter\ + \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Event Type\ + \ | String | Yes | A comma-separated list of event types to retrieve. Possible\ + \ values: connection, unusualconnection, newconnection, notice, devicehistory,\ + \ modelbreach. |\n| Time Frame | DDL | Yes | The time window for the search. Options\ + \ include Last Hour, Last 6 Hours, Last 24 Hours, Last Week, Last Month, or Custom.\ + \ |\n| Start Time | String | No | The start time for the search in ISO 8601 format.\ + \ Mandatory if \"Time Frame\" is set to \"Custom\". |\n| End Time | String | No\ + \ | The end time for the search in ISO 8601 format. If omitted with \"Custom\"\ + \ time frame, the current time is used. |\n| Max Events To Return | String | No\ + \ | The maximum number of events to return per event type. Defaults to 50. |\n\ + \n### Additional Notes\n* Events are returned in the UTC timezone.\n* If \"Custom\"\ + \ is selected for \"Time Frame\", \"Start Time\" must be provided.\n* The action\ + \ supports IP, Hostname, and MacAddress entities.\n* The action validates that\ + \ \"Max Events To Return\" is a positive number.\n\n### Flow Description\n1. **Parameter\ + \ Initialization:** Extract configuration (API Root, Tokens) and action parameters\ + \ (Event Types, Time Frame, etc.).\n2. **Validation:** Verify that the provided\ + \ event types are valid and the limit is a non-negative integer.\n3. **Time Range\ + \ Calculation:** Calculate the start and end timestamps based on the selected\ + \ \"Time Frame\". If \"Custom\" is used, parse the \"Start Time\" and \"End Time\"\ + .\n4. **Entity Filtering:** Identify target entities that are of type IP Address,\ + \ Hostname, or MacAddress.\n5. **Device Resolution:** For each entity, query Darktrace\ + \ to find the internal device ID (`did`).\n6. **Event Retrieval:** For each resolved\ + \ device and each requested event type, fetch the events from Darktrace within\ + \ the calculated time range, up to the specified limit.\n7. **Output Generation:**\ + \ Create data tables for each entity's events and compile a final JSON result\ + \ containing all retrieved data." capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: >- - The action adds data tables to the Google SecOps case wall to display the retrieved - endpoint events. + internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: entity_types: - ADDRESS @@ -321,70 +386,95 @@ List Endpoint Events: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false List Similar Devices: ai_description: >- ### General Description - Retrieves a list of devices from Darktrace that exhibit similar behavioral patterns - to the provided endpoint entities. This action leverages Darktrace's AI-driven - analysis to identify related assets, which is critical for scoping potential compromises - or identifying lateral movement during an investigation. It supports IP Address, - Hostname, and MAC Address entities. + This action identifies and lists devices in Darktrace that are similar to a provided + endpoint entity (IP Address, Hostname, or MAC Address). It is primarily used for + asset enrichment and identifying potentially related or similar-behaving devices + within the network environment. ### Parameters Description - | Parameter | Type | Mandatory | Default | Description | + | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | :--- | + | :--- | :--- | :--- | :--- | - | Max Devices To Return | Integer | No | 50 | Specifies the maximum number of - similar devices to retrieve for each identified entity. | + | Max Devices To Return | String | No | Specifies the maximum number of similar + devices to retrieve for each entity. The value must be a positive integer. Default + is 50. | - ### Flow Description + ### Additional Notes - 1. **Parameter Validation**: Validates that the 'Max Devices To Return' parameter - is a positive integer greater than zero. + * The action requires a valid connection to the Darktrace API. - 2. **Connection Initialization**: Establishes a secure connection to the Darktrace - API using the configured API Root and tokens. + * The 'Max Devices To Return' parameter must be greater than 0; otherwise, the + action will fail. - 3. **Entity Filtering**: Filters the case's target entities to identify supported - types: ADDRESS (IP), HOSTNAME, and MacAddress. + * The action first resolves the entity to a Darktrace internal device ID (DID) + before querying for similar devices. - 4. **Device Identification**: For each valid entity, the action searches Darktrace - to find its corresponding internal Device ID (DID). - 5. **Similarity Query**: Queries the Darktrace '/similardevices' endpoint using - the DID to fetch a list of similar devices, limited by the user-defined threshold. + ### Flow Description - 6. **Data Enrichment**: Enriches the case by adding a detailed data table to each - successful entity and populating the action's JSON results with the raw device - data. + 1. **Parameter Extraction:** The action retrieves the API configuration and the + 'Max Devices To Return' parameter. + 2. **Connectivity Test:** It verifies the connection to the Darktrace instance. - ### Additional Notes + 3. **Entity Resolution:** For each supported entity (IP, Hostname, or MAC Address), + the action queries Darktrace to find the corresponding device and its unique identifier + (DID). - - The 'Max Devices To Return' parameter must be greater than 0; otherwise, the - action will fail with an error. + 4. **Similarity Query:** If a device is found, the action calls the Darktrace + API to retrieve a list of similar devices based on the resolved DID and the specified + limit. - - If a matching device cannot be found in Darktrace for a specific entity, that - entity will be reported as failed in the final output message. + 5. **Data Output:** The action populates an entity-level data table with the similar + devices' details (IP, MAC, OS, Hostname, Type, etc.) and attaches the raw JSON + results to the action output. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false can_mutate_internal_data: true - can_update_entities: true + can_update_entities: false external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action enriches entities by adding data tables containing similar device - information and populates the action's JSON results with the retrieved data. + The action adds a data table to the entity within the Google SecOps case, containing + details of similar devices found in Darktrace. categories: - enrichment: true + enrichment: false entity_usage: entity_types: - ADDRESS @@ -403,58 +493,89 @@ List Similar Devices: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: ai_description: >- ### General Description - The **Ping** action is a diagnostic tool designed to verify the connectivity between - Google SecOps and the Darktrace server. It validates that the integration's configuration - parameters, such as the API Root and authentication tokens, are correctly set - and that the Darktrace API is reachable. + The **Ping** action is a diagnostic utility used to verify the connectivity between + Google SecOps and the Darktrace server. It validates the integration's configuration + by attempting to authenticate and communicate with the Darktrace API status endpoint. + This action is essential for ensuring that the API Root, API Token, and API Private + Token are correctly configured and that the network environment allows communication + with the Darktrace instance. ### Parameters Description - | Parameter | Type | Mandatory | Description | + This action does not have any action-specific parameters. It utilizes the global + configuration parameters defined at the integration level: + + + | Parameter Name | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **API Root** | String | Yes | The base URL of the Darktrace API instance (e.g., - https://darktrace-instance.com). | + | API Root | String | Yes | The base URL of the Darktrace API instance. | - | **API Token** | String | Yes | The public API token used for authentication. - | + | API Token | String | Yes | The public API token used for authentication. | - | **API Private Token** | String | Yes | The private API token used to generate - the HMAC signature for request headers. | + | API Private Token | String | Yes | The private API token used for HMAC signature + generation. | - | **Verify SSL** | Boolean | No | If set to true, the action will validate the - SSL certificate of the Darktrace server. | + | Verify SSL | Boolean | No | If enabled, the action will verify the SSL certificate + of the Darktrace server. | - ### Additional Notes + ### Flow Description - This action does not process any entities and is strictly used for testing the - integration's communication with the Darktrace API. It targets the `/status` endpoint - to confirm service availability. + 1. **Initialization:** The action initializes the Siemplify context and extracts + the global integration configuration parameters (API Root, Tokens, and SSL settings). + 2. **Manager Setup:** It instantiates the `DarktraceManager` which handles the + logic for request signing and API communication. - ### Flow Description + 3. **Connectivity Test:** The action calls the `test_connectivity` method, which + sends a signed GET request to the `/status` endpoint of the Darktrace API. - 1. **Parameter Extraction:** The action retrieves the API Root, API Token, Private - Token, and SSL verification settings from the integration configuration. + 4. **Response Validation:** The manager validates the HTTP response. If the request + is successful (HTTP 200) and contains no application-level errors, the action + returns a success status. - 2. **Manager Initialization:** It initializes the `DarktraceManager` with the - extracted credentials. + 5. **Completion:** The action reports the connection status back to the SOAR platform, + providing an error message if the connection fails. - 3. **Connectivity Test:** The manager executes a signed GET request to the Darktrace - `/status` endpoint. - 4. **Response Validation:** The action checks the HTTP response and any error - messages returned by the API. + ### Additional Notes + + - This action does not process any entities. - 5. **Execution Result:** If the request is successful, the action completes with - a success message; otherwise, it fails and provides the error details. + - As a 'Ping' action, it is excluded from being categorized as an enrichment action + regardless of its data-fetching behavior. capabilities: can_create_case_comments: false can_create_insight: false @@ -482,14 +603,39 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Update Model Breach Status: ai_description: >- ### General Description - Updates the status of a specific model breach in Darktrace. This action allows - security analysts to programmatically acknowledge or unacknowledge breaches identified - by Darktrace, facilitating automated incident response workflows and status synchronization - between Google SecOps and Darktrace. + Updates the acknowledgment status of a specific model breach within the Darktrace + platform. This action allows analysts to programmatically mark breaches as either + 'Acknowledged' or 'Unacknowledged' directly from Google SecOps, facilitating incident + lifecycle management. ### Parameters Description @@ -498,32 +644,39 @@ Update Model Breach Status: | :--- | :--- | :--- | :--- | - | Status | DDL | Yes | Specifies the target status for the model breach. Supported - values are `Acknowledged` and `Unacknowledged`. | + | Status | DDL | Yes | The target status for the model breach. Options are 'Acknowledged' + (marks the breach as reviewed) or 'Unacknowledged' (reverts the breach to an unreviewed + state). | - | Model Breach ID | String | Yes | The unique identifier of the model breach in - Darktrace that needs to be updated. | + | Model Breach ID | String | Yes | The unique identifier (pbid) of the Darktrace + model breach to be updated. | ### Flow Description - 1. **Initialization**: The action initializes the Darktrace manager using API - credentials and configuration parameters. + 1. **Parameter Extraction**: Retrieves the API configuration (Root, Tokens) and + the specific `Model Breach ID` and target `Status` from the action input. + + 2. **Status Verification**: Queries the Darktrace API to fetch the current state + of the specified model breach to ensure it exists and to check its current acknowledgment + status. - 2. **Current State Retrieval**: It fetches the current details of the specified - model breach from Darktrace using the `Model Breach ID` to determine its existing - acknowledgment status. + 3. **Redundancy Check**: Compares the current status with the requested status. + If the breach is already in the desired state, the action completes with an 'Already + Applied' message to avoid redundant API calls. - 3. **Status Comparison**: The action compares the current status with the requested - `Status` parameter. If the breach already has the requested status, it raises - an `AlreadyAppliedException` and completes successfully without further action. + 4. **Status Update**: If the statuses differ, the action sends a POST request + to the appropriate Darktrace endpoint (`/acknowledge` or `/unacknowledge`) to + update the breach status. - 4. **Mutation**: If the status needs to be changed, the action sends a POST request - to the Darktrace API to either acknowledge or unacknowledge the breach based on - the input. + 5. **Completion**: Reports the success or failure of the update operation to the + Google SecOps case. + + + ### Additional Notes - 5. **Completion**: The action returns a success message confirming the status - update or indicating that the status was already set as requested. + - This action does not process entities from the case; it operates strictly on + the `Model Breach ID` provided as a parameter. capabilities: can_create_case_comments: false can_create_insight: false @@ -532,8 +685,8 @@ Update Model Breach Status: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the acknowledgment status of a model breach in the Darktrace platform - by sending POST requests to the /acknowledge or /unacknowledge endpoints. + Updates the acknowledgment status of a model breach in Darktrace via POST requests + to the /acknowledge or /unacknowledge endpoints. fetches_data: true internal_data_mutation_explanation: null categories: @@ -553,3 +706,28 @@ Update Model Breach Status: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/partner/darktrace/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/partner/darktrace/resources/ai/connectors_ai_description.yaml new file mode 100644 index 000000000..0676d9c5a --- /dev/null +++ b/content/response_integrations/third_party/partner/darktrace/resources/ai/connectors_ai_description.yaml @@ -0,0 +1,129 @@ +Darktrace - AI Incident Events Connector: + ai_description: >- + ### General Description + + The Darktrace - AI Incident Events Connector integrates with the Darktrace AI + Analyst to fetch high-fidelity security incidents and ingest them into Google + SecOps as cases. This connector allows security teams to automate the monitoring + of AI-detected anomalies, ensuring that significant breaches identified by Darktrace's + autonomous analysis are prioritized for investigation. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | API Root | String | Yes | The API root URL of your Darktrace instance (e.g., + https://darktrace-instance.com). | + + | API Token | String | Yes | The public API token for authentication. | + + | API Private Token | Password | Yes | The private API token used for generating + request signatures. | + + | Verify SSL | Boolean | Yes | If enabled, verifies the SSL certificate of the + Darktrace server. | + + | Lowest AI Incident Score To Fetch | Integer | Yes | The minimum AI Analyst score + (0-100) required to fetch an incident. | + + | Max Hours Backwards | Integer | No | The number of hours to look back for incidents + during the first run or as a fallback. | + + | Max AI Incidents To Fetch | Integer | No | The maximum number of incidents to + process in a single connector iteration (Max: 100). | + + | Use dynamic list as a blocklist | Boolean | Yes | If enabled, the SOAR dynamic + list will act as a blocklist for incident titles; otherwise, it acts as a whitelist. + | + + | DeviceProductField | String | Yes | The source field name used to populate the + Product Name in the SOAR case. | + + | EventClassId | String | Yes | The source field name used to populate the Event + Field name. | + + | Environment Field Name | String | No | The field name used to determine the + environment for the ingested case. | + + | Environment Regex Pattern | String | No | A regex pattern to extract or manipulate + the environment value. | + + | PythonProcessTimeout | Integer | Yes | The timeout limit in seconds for the + connector execution. | + + + ### Flow Description + + 1. **Authentication**: The connector establishes a secure connection to the Darktrace + API using the provided API Token and Private Token, generating a HMAC-SHA1 signature + for each request. + + 2. **Time Window Calculation**: It determines the fetch window by checking the + last successful run timestamp stored in the system. If no timestamp exists, it + uses the 'Max Hours Backwards' parameter. + + 3. **Data Retrieval**: The connector queries the `/aianalyst/incidentevents` endpoint, + filtering for incidents that occurred within the time window and meet the 'Lowest + AI Incident Score To Fetch' threshold. + + 4. **Filtering**: Fetched incidents are filtered against a dynamic list (whitelist + or blocklist) based on their title to exclude irrelevant alerts. + + 5. **Data Transformation**: For each valid incident, the connector flattens nested + 'details' into individual events. It maps the incident metadata (score, summary, + timestamps) to the Google SecOps case format, assigning severity based on the + AI score. + + 6. **Case Ingestion**: The transformed incidents and their associated events are + ingested into Google SecOps as cases. + + 7. **Checkpointing**: The connector saves the ID of processed incidents and updates + the last run timestamp to ensure no duplicate ingestion in subsequent cycles. +Darktrace - Model Breaches Connector: + ai_description: "### General Description\nThe Darktrace - Model Breaches Connector\ + \ enables the ingestion of security alerts from the Darktrace platform into Google\ + \ SecOps. It specifically focuses on 'Model Breaches,' which represent anomalous\ + \ behaviors detected by Darktrace's AI. The connector not only pulls the high-level\ + \ breach information but also enriches each alert with detailed connection events\ + \ and metadata, providing analysts with the necessary context to investigate potential\ + \ threats detected within the network environment.\n\n### Parameters Description\n\ + | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ + | API Root | String | Yes | The API root URL of the Darktrace instance (e.g.,\ + \ https://instance.darktrace.com). |\n| API Token | String | Yes | The public\ + \ API token for authentication. |\n| API Private Token | Password | Yes | The\ + \ private API token used for generating request signatures. |\n| Verify SSL |\ + \ Boolean | Yes | If enabled, verifies the SSL certificate of the Darktrace server.\ + \ |\n| DeviceProductField | String | Yes | The source field name used to populate\ + \ the 'Product Name' in Google SecOps. |\n| EventClassId | String | Yes | The\ + \ source field name used to populate the 'Event Field' name. |\n| Lowest Model\ + \ Breach Score To Fetch | Integer | No | The minimum score (0-100) required to\ + \ fetch a model breach. Default is 0. |\n| Lowest Priority To Fetch | Integer\ + \ | No | The minimum priority level (1-5) to fetch. 1-3: Informational, 4: Suspicious,\ + \ 5: Critical. |\n| Max Hours Backwards | Integer | No | The number of hours to\ + \ look back for alerts during the first run or as a fallback. |\n| Max Model Breaches\ + \ To Fetch | Integer | No | Maximum number of breaches to process per iteration\ + \ (Max: 1000). |\n| Use whitelist as a blacklist | Boolean | Yes | If enabled,\ + \ the provided whitelist will act as a exclusion list (blacklist). |\n| Behaviour\ + \ Visibility | String | No | Comma-separated list of categories to ingest (e.g.,\ + \ Critical, Suspicious, Compliance, Informational). |\n| Padding Time | Integer\ + \ | No | Optional hours of overlap to ensure no alerts are missed between cycles\ + \ (Max: 100). |\n| PythonProcessTimeout | Integer | Yes | The maximum execution\ + \ time for the connector script in seconds. |\n\n### Flow Description\n1. **Authentication**:\ + \ The connector establishes a secure connection to the Darktrace API using HMAC-SHA1\ + \ signatures generated from the API Token and Private Token.\n2. **Time Management**:\ + \ It calculates the fetch window based on the last successful execution timestamp,\ + \ applying 'Max Hours Backwards' for initial runs and 'Padding Time' to prevent\ + \ data gaps.\n3. **Alert Retrieval**: Queries the `/modelbreaches` endpoint to\ + \ retrieve breaches that meet the configured 'Lowest Model Breach Score' and 'Lowest\ + \ Priority' thresholds.\n4. **Filtering**: \n * **Deduplication**: Skips\ + \ alerts already processed in previous cycles using stored IDs.\n * **Whitelist/Blacklist**:\ + \ Filters alerts based on their name using the configured whitelist logic.\n \ + \ * **Behaviour Visibility**: Filters alerts based on their model category\ + \ (e.g., only ingesting 'Critical' or 'Suspicious' behaviors).\n5. **Enrichment**:\ + \ For every valid breach, the connector performs a secondary call to the `/details`\ + \ endpoint to fetch associated connection events and triggered components.\n6.\ + \ **Ingestion**: Maps the breach data and its enriched events into Google SecOps\ + \ AlertInfo objects and creates cases for investigation." diff --git a/content/response_integrations/third_party/partner/darktrace/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/darktrace/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..ac6c94bb4 --- /dev/null +++ b/content/response_integrations/third_party/partner/darktrace/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: true + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: true + siem: true + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/domain_tools/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/domain_tools/resources/ai/actions_ai_description.yaml index b52a171db..d2d573f99 100644 --- a/content/response_integrations/third_party/partner/domain_tools/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/domain_tools/resources/ai/actions_ai_description.yaml @@ -1,126 +1,48 @@ -Get Domain Profile: +Get Domain Rdap: ai_description: >- ### General Description - Enriches Domain, Hostname, and URL entities using DomainTools threat intelligence. - This action retrieves the "Domain Profile" for a given domain, providing comprehensive - details such as registration information, hosting history summaries, and risk - indicators. It is designed to provide security analysts with immediate context - regarding the reputation and ownership of external domains. + Enriches external domain entities with DomainTools threat intelligence data. This + action retrieves RDAP (Registration Data Access Protocol) information, including + registrar details, registration dates, and contact information, providing context + for domain-based investigations. ### Parameters Description - | Parameter | Type | Mandatory | Description | + | Parameter | Default Value | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + | :--- | :--- | :--- | :--- | :--- | - | None | N/A | N/A | This action does not require any input parameters beyond - the integration configuration. | + | Domain | | string | false | The domain to get the parsed domain RDAP result. + If provided, the action runs on this domain instead of case entities. | ### Additional Notes - * **License Requirement**: The action requires the "domain-profile" product - to be active on the DomainTools account license. + - This action requires a valid DomainTools license for the 'parsed-domain-rdap' + product. - * **Domain Extraction**: It automatically extracts the root domain from URLs - and email addresses (e.g., extracting "example.com" from "www.example.com" or - "user@example.com"). + - Entities are updated with flattened RDAP data in their additional properties. - * **Data Prefixing**: Enrichment data is added to the entity's additional properties - with a "DT" prefix to avoid naming collisions. + - The action extracts the base domain from URLs and Hostnames. ### Flow Description - 1. **Domain Extraction**: The action parses the entity identifier to extract the - root domain name. + 1. **Configuration**: Retrieves API credentials and SSL settings. - 2. **API Interaction**: It queries the DomainTools `domain_profile` endpoint using - the extracted domain. + 2. **Targeting**: Checks if a specific domain is provided via the 'Domain' parameter. + If not, it identifies all URL, Hostname, and Domain entities in the case. - 3. **Data Transformation**: The JSON response is flattened and converted into - a CSV format for UI presentation. + 3. **Extraction**: Extracts the root domain from the identifiers. - 4. **Internal Enrichment**: - * Updates the entity's `additional_properties` with the flattened profile - data. - * Marks the entity as `is_enriched`. - * Attaches a CSV data table containing the profile details to the entity - in the Google SecOps SOAR interface. - 5. **Finalization**: The action updates all processed entities in the case and - returns the raw JSON results for downstream playbook logic. - capabilities: - can_create_case_comments: false - can_create_insight: false - can_modify_alert_data: false - can_mutate_external_data: false - can_mutate_internal_data: true - can_update_entities: true - external_data_mutation_explanation: null - fetches_data: true - internal_data_mutation_explanation: >- - Updates entity additional properties with DomainTools profile data, sets the - enriched status, and adds a CSV data table to the entity. - categories: - enrichment: true - entity_usage: - entity_types: - - DOMAIN - - HOSTNAME - - DestinationURL - filters_by_additional_properties: false - filters_by_alert_identifier: false - filters_by_case_identifier: false - filters_by_creation_time: false - filters_by_entity_type: true - filters_by_identifier: false - filters_by_is_artifact: false - filters_by_is_enriched: false - filters_by_is_internal: false - filters_by_is_pivot: false - filters_by_is_suspicious: false - filters_by_is_vulnerable: false - filters_by_modification_time: false -Get Domain Risk: - ai_description: >- - Enriches Domain, Hostname, and URL entities with risk scores and detailed risk - profiles using DomainTools data. The action retrieves threat intelligence from - DomainTools' risk and reputation endpoints to evaluate the potential threat level - of a domain. - - - ### Parameters - - | Parameter | Type | Mandatory | Description | + 4. **API Query**: Requests RDAP data for each domain from the DomainTools API. - | :--- | :--- | :--- | :--- | - - | Threshold | String | Yes | A numeric value (e.g., 3) used as a cutoff. If the - domain's risk score exceeds this value, the entity is marked as suspicious in - Google SecOps. | - - - ### Flow Description - - 1. **Domain Extraction:** Parses the entity identifier (URL, Hostname, or Domain) - to extract the base domain name. + 5. **Parsing**: Processes the raw API response into a structured format. - 2. **Data Retrieval:** Queries the DomainTools API (Risk and Reputation products) - to fetch the domain's risk score and component data. - - 3. **Risk Evaluation:** Compares the retrieved risk score against the user-provided - `Threshold` parameter. - - 4. **Entity Enrichment:** Updates the entity's additional properties with the - risk score (`DT_Risk`). - - 5. **Suspicious Marking:** If the risk score is higher than the threshold, the - entity's `is_suspicious` attribute is set to `True`. - - 6. **Result Reporting:** Returns a JSON result containing the detailed risk profile - and updates the case with the enrichment data. + 6. **Enrichment**: Updates entity properties with the prefix 'DT', adds an entity-specific + table, and creates a global summary table for the case. capabilities: can_create_case_comments: false can_create_insight: false @@ -131,8 +53,8 @@ Get Domain Risk: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity attributes by adding the 'DT_Risk' property and modifies the - 'is_suspicious' status of the entity if the risk score exceeds the defined threshold. + Updates entity additional properties with RDAP information and adds data tables + to the case. categories: enrichment: true entity_usage: @@ -153,15 +75,40 @@ Get Domain Risk: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false -Get Hosting History: + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false +Get WhoIs History: ai_description: >- ### General Description - This action retrieves the hosting history for a domain using the DomainTools API. - It provides security analysts with historical context regarding where a domain - has been hosted over time, which is useful for identifying infrastructure changes - or malicious patterns. The action enriches Hostname and URL entities with this - data and presents it in a structured CSV table within the Google SecOps UI. + The **Get WhoIs History** action enriches Domain, Hostname, and URL entities with + historical Whois registration data retrieved from DomainTools. It provides a chronological + view of changes to a domain's registrar, registration dates, and registrant information, + which is vital for tracking ownership changes and identifying potentially malicious + infrastructure. ### Parameters Description @@ -170,26 +117,39 @@ Get Hosting History: | :--- | :--- | :--- | :--- | - | None | N/A | N/A | This action does not require any input parameters. | + | **Domain** | String | No | A specific domain to query. If provided, the action + will process this domain instead of the entities in the case. | ### Flow Description - 1. **Entity Filtering**: The action identifies all Hostname and URL entities within - the current context. + 1. **Initialization**: Retrieves API credentials (Username and API Key) from the + integration configuration. + + 2. **Target Identification**: Determines the domains to process. It prioritizes + the manual `Domain` parameter; if empty, it identifies all `URL`, `HOSTNAME`, + and `DOMAIN` entities within the current SecOps case. - 2. **Domain Extraction**: For each entity, it extracts the base domain name from - the identifier (e.g., stripping protocols or email prefixes). + 3. **Data Retrieval**: For each identified domain, it queries the DomainTools + API to fetch its Whois history records. - 3. **API Query**: It calls the DomainTools 'hosting-history' endpoint to retrieve - historical records for the extracted domain. + 4. **Entity Enrichment**: Flattens the retrieved Whois data and appends it to + the entity's `additional_properties` with a `DT` prefix. - 4. **Data Enrichment**: The retrieved data is flattened and added to the entity's - 'additional_properties' with a 'DT' prefix. + 5. **Reporting**: + * Creates an **Entity Table** for each processed entity showing its specific + Whois history. + * Generates a global **Data Table** named "DomainTools Whois History" summarizing + the history for all enriched entities. + * Updates the entities in the SecOps platform to reflect the new metadata. - 5. **UI Enhancement**: A CSV-formatted table containing the hosting history is - attached to the entity via the 'add_entity_table' method for visibility in the - case wall. + ### Additional Notes + + * If the `Domain` parameter is used, the action creates a temporary domain entity + for the scope of the execution. + + * The action handles cases where no history is found by logging the status and + continuing to the next entity. capabilities: can_create_case_comments: false can_create_insight: false @@ -200,13 +160,13 @@ Get Hosting History: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action updates the 'additional_properties' of the processed entities with - the retrieved hosting history data and attaches a CSV-formatted table to the - entity in the Google SecOps UI. + Updates entity additional properties with Whois history data and adds data tables + to the case. categories: enrichment: true entity_usage: entity_types: + - DOMAIN - HOSTNAME - DestinationURL filters_by_additional_properties: false @@ -222,79 +182,41 @@ Get Hosting History: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false -Ping: + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false +Investigate Domain: ai_description: >- ### General Description - The **Ping** action is a diagnostic tool used to verify the connectivity between - Google SecOps and the DomainTools API. Its primary purpose is to ensure that the - integration's configuration parameters, such as the Username and API Token, are - correct and that the network path to the DomainTools service is open. - - - ### Parameters Description - - There are no parameters for this action. - - - ### Additional Notes - - This action is typically executed during the initial setup of the DomainTools - integration or when troubleshooting communication issues. It performs a 'Read-Only' - operation by requesting account information from the API. - - - ### Flow Description - - 1. **Configuration Retrieval**: The action retrieves the Username, API Token, - and SSL verification settings from the DomainTools integration configuration. - - 2. **Manager Initialization**: It instantiates the `DomainToolsManager` using - the provided credentials. - - 3. **Connectivity Verification**: Upon initialization, the manager automatically - executes an API call to the DomainTools `account_information` endpoint to validate - the credentials and retrieve the list of licensed products. - - 4. **Final Status**: If the API call succeeds, the action returns a success message - ('Connection Established'). If the initialization or API call fails, it indicates - a connection failure. - capabilities: - can_create_case_comments: false - can_create_insight: false - can_modify_alert_data: false - can_mutate_external_data: false - can_mutate_internal_data: false - can_update_entities: false - external_data_mutation_explanation: null - fetches_data: true - internal_data_mutation_explanation: null - categories: - enrichment: false - entity_usage: - entity_types: [] - filters_by_additional_properties: false - filters_by_alert_identifier: false - filters_by_case_identifier: false - filters_by_creation_time: false - filters_by_entity_type: false - filters_by_identifier: false - filters_by_is_artifact: false - filters_by_is_enriched: false - filters_by_is_internal: false - filters_by_is_pivot: false - filters_by_is_suspicious: false - filters_by_is_vulnerable: false - filters_by_modification_time: false -Recent Domains: - ai_description: >- - ### General Description - - This action searches for newly registered domains that contain a specific keyword - using the DomainTools Phisheye service. It is designed to help security teams - identify potential phishing or brand-impersonation domains shortly after they - are registered. **Note:** This action is deprecated as the Phisheye product has - been deprecated by DomainTools. + Enriches Domain, Hostname, and URL entities using DomainTools Iris Investigate. + This action provides deep visibility into domain ownership, registration history, + and risk profiles. It retrieves a wide array of data points including overall + risk scores, proximity risk, malware/phishing/spam scores, registrant information, + hosting details (IPs, MX servers, SSL certificates), and tracking codes (Google + Analytics, Adsense, etc.). ### Parameters Description @@ -303,112 +225,38 @@ Recent Domains: | :--- | :--- | :--- | :--- | - | String Query | String | Yes | The specific word or string to search for within - newly registered domain names. | - - - ### Additional Notes - - - This action does not operate on entities within a case; it relies solely on - the manual input provided in the `String Query` parameter. - - - Because the underlying Phisheye service is deprecated, this action may not return - results or may fail depending on the current state of the DomainTools API. + | Domain | String | No | A specific domain to investigate. If provided, the action + will process this domain instead of the entities present in the case. | ### Flow Description - 1. **Initialization**: The action initializes the DomainTools manager using the - integration's API credentials (Username and API Token). - - 2. **Parameter Extraction**: It retrieves the user-provided `String Query` parameter. - - 3. **API Query**: The action calls the DomainTools Phisheye API endpoint with - the provided query string. + 1. **Initialization**: Retrieves API credentials (Username and API Token) from + the integration configuration. - 4. **Data Transformation**: If results are returned, the action flattens the JSON - response and converts it into a CSV-compatible format. - - 5. **Reporting**: It creates a data table within the Google SecOps case to display - the search results and sets the action's result to success. - capabilities: - can_create_case_comments: false - can_create_insight: false - can_modify_alert_data: false - can_mutate_external_data: false - can_mutate_internal_data: true - can_update_entities: false - external_data_mutation_explanation: null - fetches_data: true - internal_data_mutation_explanation: >- - The action adds a data table to the Google SecOps case containing the results - of the domain search. - categories: - enrichment: false - entity_usage: - entity_types: [] - filters_by_additional_properties: false - filters_by_alert_identifier: false - filters_by_case_identifier: false - filters_by_creation_time: false - filters_by_entity_type: false - filters_by_identifier: false - filters_by_is_artifact: false - filters_by_is_enriched: false - filters_by_is_internal: false - filters_by_is_pivot: false - filters_by_is_suspicious: false - filters_by_is_vulnerable: false - filters_by_modification_time: false -Reverse Domain: - ai_description: >- - ### General Description + 2. **Entity Identification**: Determines the domains to investigate. If the 'Domain' + parameter is provided, it takes precedence. Otherwise, it extracts domains from + all supported entities (URL, Hostname, Domain) in the current case. - Finds IP addresses that point to a specific domain or identifies domains associated - with a given IP address using DomainTools. This action is primarily used for reverse - DNS enrichment, allowing security analysts to understand the infrastructure associated - with a hostname, URL, or domain entity. + 3. **API Interaction**: Sends the domains to the DomainTools Iris Investigate + endpoint. The action handles batching (up to 100 domains per call) to optimize + API usage. + 4. **Data Parsing**: Processes the API response, extracting risk analytics, identity + details, registration dates, and hosting infrastructure. - ### Parameters Description + 5. **Enrichment**: Updates the SecOps entities with the retrieved data, adding + them as additional properties prefixed with 'DT'. - There are no action-specific parameters for this action. It relies on the global - integration configuration (Username, API Token, and Verify SSL). + 6. **Reporting**: Generates detailed CSV tables for each entity and a comprehensive + summary table for the entire case. ### Additional Notes - * The action supports `HOSTNAME`, `URL`, and `DOMAIN` entity types. - - * It automatically extracts the domain from URLs or email-like strings before - querying the API. - - * If the input is identified as a valid IPv4 address, it performs a 'Host Domains' - lookup; otherwise, it performs a 'Reverse IP' lookup. - - - ### Flow Description - - 1. **Entity Filtering:** The action identifies all entities in the current scope - that match the supported types (`URL`, `HOSTNAME`, `DOMAIN`). - - 2. **Domain Extraction:** For each entity, it extracts the base domain from the - identifier (e.g., stripping 'www' or URL paths). - - 3. **API Query:** It calls the DomainTools `enrich_domain` method, which dynamically - chooses between `host_domains` (for IPs) or `reverse_ip` (for domains) based on - the input format. + - The action automatically extracts the root domain from URLs or email-like strings. - 4. **Internal Enrichment:** If results are found, the action: - * Flattens the API response and adds it to the entity's `additional_properties` - with a `DT` prefix. - * Generates a CSV-formatted table of the results and attaches it to the - entity in the case wall. - 5. **Platform Update:** Updates the entities within Google SecOps to persist - the new metadata. - - 6. **Final Output:** Returns a JSON object containing the full enrichment data - for all processed entities. + - Entities are marked as 'enriched' upon successful data retrieval. capabilities: can_create_case_comments: false can_create_insight: false @@ -419,8 +267,8 @@ Reverse Domain: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with DomainTools reverse DNS data and adds - data tables to the entity's context in the case. + Updates entity additional properties with enriched DomainTools data and marks + entities as enriched. categories: enrichment: true entity_usage: @@ -441,128 +289,120 @@ Reverse Domain: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false -Reverse Email: - ai_description: "### General Description\nThe **Reverse Email** action leverages\ - \ the DomainTools Iris API to identify domain names associated with a specific\ - \ email address found in WhoIs records. This action is designed to help security\ - \ analysts uncover infrastructure linked to a known email address during investigations\ - \ or threat hunting activities.\n\n### Parameters Description\n| Parameter | Description\ - \ | Type | Mandatory |\n| :--- | :--- | :--- | :--- |\n| N/A | This action does\ - \ not require any input parameters. | N/A | N/A |\n\n### Additional Notes\n- This\ - \ action requires a DomainTools license that includes access to the **Iris** product.\n\ - - Enrichment data added to entities is prefixed with 'DT' to distinguish DomainTools\ - \ data from other sources.\n\n### Flow Description\n1. **Configuration Retrieval**:\ - \ The action fetches the DomainTools integration settings, including the Username,\ - \ API Token, and SSL verification preference.\n2. **Entity Filtering**: It identifies\ - \ all `USER` entities (representing email addresses) within the current scope\ - \ of the action.\n3. **External API Query**: For each identified email address,\ - \ the action queries the DomainTools Iris endpoint to find associated domains.\n\ - 4. **Data Processing**: The raw API response is flattened into a key-value structure\ - \ and converted into a CSV-compatible format for display.\n5. **Internal Enrichment**:\ - \ \n - The entity's `additional_data` is updated with the flattened DomainTools\ - \ attributes.\n - A data table containing the results is attached to the entity\ - \ in the Google SecOps SOAR UI.\n6. **Entity Update**: The action updates the\ - \ entities within the case to persist the newly acquired enrichment data.\n7.\ - \ **Completion**: The action concludes by providing a summary message of the enriched\ - \ entities and a boolean success status." - capabilities: - can_create_case_comments: false - can_create_insight: false - can_modify_alert_data: false - can_mutate_external_data: false - can_mutate_internal_data: true - can_update_entities: true - external_data_mutation_explanation: null - fetches_data: true - internal_data_mutation_explanation: >- - The action updates the 'additional_data' attribute of User entities with information - retrieved from DomainTools and adds a data table to the entity's result view. - categories: - enrichment: true - entity_usage: - entity_types: - - USERUNIQNAME - filters_by_additional_properties: false - filters_by_alert_identifier: false - filters_by_case_identifier: false - filters_by_creation_time: false - filters_by_entity_type: true - filters_by_identifier: false - filters_by_is_artifact: false - filters_by_is_enriched: false - filters_by_is_internal: false - filters_by_is_pivot: false - filters_by_is_suspicious: false - filters_by_is_vulnerable: false - filters_by_modification_time: false -Reverse IP: + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false +Ping: ai_description: >- ### General Description - This action identifies domain names that share a specific IP address using the - DomainTools Iris API. It is designed to enrich IP Address entities by uncovering - their hosting relationships, which is critical for infrastructure mapping and - threat intelligence gathering. + The **Ping** action is designed to verify the connectivity between Google SecOps + and the DomainTools API. It ensures that the provided credentials (Username and + API Token) are valid and that the environment can successfully communicate with + the DomainTools service. ### Parameters Description - There are no action-specific parameters for this action. It utilizes the global - integration configuration settings: + | Parameter | Type | Mandatory | Description | - * **Username**: DomainTools API username. + | :--- | :--- | :--- | :--- | - * **ApiToken**: DomainTools API key. + | N/A | N/A | N/A | This action does not have any input parameters. | - * **Verify SSL**: Boolean flag to enable/disable SSL certificate verification. + ### Additional Notes - ### Flow Description + This action is typically used during the initial setup or troubleshooting of the + DomainTools integration to confirm that the API is reachable and the license is + active. It does not process any entities. - 1. **Entity Filtering**: The action identifies all `ADDRESS` (IP) entities in - the current scope that are not marked as internal. - 2. **API Query**: For each valid entity, the action calls the DomainTools Iris - API (`get_domains_by_ip`) to retrieve a list of domains associated with that IP. + ### Flow Description - 3. **Data Processing**: If data is returned, the response is flattened and prefixed - with 'DT' to avoid naming collisions. + 1. **Configuration Retrieval**: The action retrieves the Username, API Token, + and SSL verification settings from the integration configuration. - 4. **Internal Enrichment**: The action updates the entity's 'additional_properties' - with the flattened API data. + 2. **Manager Initialization**: It initializes the `DomainToolsManager`, which + triggers an internal call to the DomainTools `account_information` endpoint to + verify the license. - 5. **UI Visualization**: A data table containing the domain information is attached - to the entity in the Google SecOps case view. + 3. **Connectivity Check**: If the API call succeeds and the manager is successfully + instantiated, the action confirms the connection. - 6. **Finalization**: The action updates the entities in the system and returns - a summary of the enrichment results. + 4. **Final Output**: The action ends with a message indicating whether the connection + was established or failed. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true - can_update_entities: true + can_mutate_internal_data: false + can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: >- - Updates entity additional properties with enrichment data and adds data tables - to the entity in the case view. + internal_data_mutation_explanation: null categories: - enrichment: true + enrichment: false entity_usage: - entity_types: - - ADDRESS + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false filters_by_creation_time: false - filters_by_entity_type: true + filters_by_entity_type: false filters_by_identifier: false filters_by_is_artifact: false filters_by_is_enriched: false - filters_by_is_internal: true + filters_by_is_internal: false filters_by_is_pivot: false filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/partner/domain_tools/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/domain_tools/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..2e831240c --- /dev/null +++ b/content/response_integrations/third_party/partner/domain_tools/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + siem: false + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/doppel_vision/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/doppel_vision/resources/ai/actions_ai_description.yaml index 6383e0c69..d9c95f821 100644 --- a/content/response_integrations/third_party/partner/doppel_vision/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/doppel_vision/resources/ai/actions_ai_description.yaml @@ -1,48 +1,42 @@ Create Abuse Alert: ai_description: >- - ### General Description - - - The **Create Abuse Alert** action allows users to programmatically report a specific - entity (typically a URL) to the DoppelVision abuse box. This is useful for flagging - malicious content or suspicious domains discovered during an investigation so - that Doppel's system can process them. Note that the action will fail if the entity - is invalid or belongs to a protected list (e.g., google.com). - - - ### Parameters Description + Creates an abuse alert for a specific entity within the DoppelVision platform. + This action is used to report suspicious values, such as URLs, to the Doppel abuse + box for further investigation. It requires a specific entity value as input and + returns the details of the created alert. Note that the action will fail if the + provided entity is invalid or belongs to a protected domain list within Doppel's + system. - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | + ### Flow Description: - | **Entity** | String | Yes | The specific value (e.g., a URL) to be reported - to the abuse box. | + 1. **Parameter Extraction:** Retrieves the API credentials (API Key, User API + Key, Org Code) and the target entity from the action parameters. + 2. **Manager Initialization:** Initializes the DoppelManager to handle communication + with the Doppel API. - ### Flow Description + 3. **API Request:** Executes a POST request to the `/alert/abuse` endpoint with + the provided entity. + 4. **Result Processing:** Captures the API response, stores it as JSON results, + and completes the action with a success or failure status. - 1. **Parameter Extraction**: Retrieves the API Key, User API Key, and Organization - Code from the integration configuration, and the target entity from the action - parameters. - 2. **API Interaction**: Uses the `DoppelManager` to send a POST request to the - `/alert/abuse` endpoint of the Doppel API. + ### Parameters Description: - 3. **Result Processing**: If the request is successful, the resulting alert data - is stored as a JSON result in the SOAR. + | Parameter | Type | Mandatory | Description | - 4. **Completion**: The action completes with a success message or logs an error - if the creation fails (e.g., due to a protected entity). + | :--- | :--- | :--- | :--- | + | Entity | String | Yes | The specific value (e.g., a URL) to be reported and + alerted on in the Doppel abuse box. | - ### Additional Notes + ### Additional Notes: - This action does not run on entities automatically; it requires the user to provide - the entity value as a string parameter. + * This action does not process entities from the current SecOps context; it relies + solely on the 'Entity' parameter input. capabilities: can_create_case_comments: false can_create_insight: false @@ -51,8 +45,9 @@ Create Abuse Alert: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new abuse alert in the DoppelVision system. - fetches_data: false + Creates a new abuse alert record in the DoppelVision platform via a POST request + to the /alert/abuse endpoint. + fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false @@ -71,47 +66,52 @@ Create Abuse Alert: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: true + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Create Alert: - ai_description: >- - ### General Description - - Creates a new alert within the Doppel system for a specified entity. This action - is used to programmatically flag entities (such as URLs) for monitoring or investigation - within the Doppel platform. It interacts with the Doppel API to register the entity - and returns the resulting alert details. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Entity | String | Yes | The specific entity identifier (e.g., a URL) for which - the alert should be created in the Doppel system. | - - - ### Flow Description - - 1. **Credential Retrieval:** The action extracts the API Key, User API Key, and - Organization Code from the integration configuration. - - 2. **Input Extraction:** The action retrieves the 'Entity' string provided by - the user. - - 3. **API Interaction:** The `DoppelManager` sends a POST request to the `/alert` - endpoint of the Doppel API with the entity data. - - 4. **Response Processing:** If the request is successful, the JSON response from - Doppel is attached to the action results. If the request fails or the entity is - invalid/protected, the action reports a failure. - - - ### Additional Notes - - This action does not operate on Google SecOps entities directly; it uses a manual - string input. The action will fail if the entity is already protected or deemed - invalid by Doppel's internal logic. + ai_description: "### General Description\nThe **Create Alert** action allows users\ + \ to programmatically generate a new alert within the DoppelVision platform for\ + \ a specific entity, such as a URL or domain. This action is primarily used to\ + \ escalate or flag specific indicators for monitoring or protection within the\ + \ Doppel ecosystem. It requires a direct input of the entity and returns the full\ + \ API response upon successful creation.\n\n### Parameters Description\n\n| Parameter\ + \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| **Entity**\ + \ | String | Yes | The specific entity (e.g., a URL) for which the alert will\ + \ be created in DoppelVision. |\n\n### Flow Description\n\n1. **Credential Retrieval:**\ + \ The action extracts the API Key, User API Key, and Organization Code from the\ + \ integration's configuration settings.\n2. **Input Extraction:** The action retrieves\ + \ the target entity string from the action parameters.\n3. **API Interaction:**\ + \ The action uses the `DoppelManager` to send a POST request to the DoppelVision\ + \ `/alert` endpoint with the entity identifier.\n4. **Response Handling:** \n\ + \ * If the alert is created successfully, the action captures the JSON response\ + \ and attaches it to the execution results.\n * If the creation fails (e.g.,\ + \ due to an invalid entity or a protected resource), the action logs the error\ + \ and marks the execution as failed.\n\n### Additional Notes\n\n* This action\ + \ does not iterate over SecOps entities automatically; it operates strictly on\ + \ the value provided in the **Entity** parameter." capabilities: can_create_case_comments: false can_create_insight: false @@ -120,8 +120,8 @@ Create Alert: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new alert record in the Doppel external system via a POST request - to the /alert endpoint. + Creates a new alert record in the DoppelVision platform via a POST request to + the /alert endpoint. fetches_data: false internal_data_mutation_explanation: null categories: @@ -141,55 +141,82 @@ Create Alert: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: true + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Alert: ai_description: >- ### General Description - The **Get Alert** action retrieves comprehensive details for a specific alert - from the DoppelVision platform. It allows users to query alert information using - either a specific Alert ID or an associated entity (typically a URL). This action - is primarily used to gather context about existing alerts for further investigation - or automated decision-making within a playbook. + The **Get Alert** action retrieves detailed information about a specific alert + from the DoppelVision platform. It allows users to look up alert data using either + a unique Alert ID or an entity identifier (such as a URL). This action is primarily + used to gather context and metadata for investigation purposes within the SOAR + environment. ### Parameters Description - | Parameter | Type | Mandatory | Description | + | Parameter | Description | Type | Mandatory | Notes | - | :--- | :--- | :--- | :--- | + | :--- | :--- | :--- | :--- | :--- | - | **Entity** | String | No | The entity (e.g., a URL) for which to fetch the alert - details. | + | **Entity** | The entity identifier (e.g., a URL) associated with the alert you + wish to retrieve. | String | No | Either this or `Alert_ID` must be provided. + | - | **Alert_ID** | String | No | The unique identifier of the alert on the Doppel - Tenant. | + | **Alert_ID** | The unique identifier of the alert on the Doppel Tenant. | String + | No | Either this or `Entity` must be provided. | ### Additional Notes - - **Mutual Exclusivity:** Either the `Entity` or the `Alert_ID` parameter must - be provided for the action to run. However, providing both simultaneously will - cause the action to fail. + - **Validation Logic:** The action will fail if both `Entity` and `Alert_ID` are + provided simultaneously, or if neither is provided. Exactly one of these parameters + must be configured for the action to execute successfully. - - This action is a read-only operation and does not change the state of the alert - in DoppelVision. + - **Output:** The retrieved alert details are returned as a JSON object and stored + in the `JsonResult` field. ### Flow Description - 1. **Initialization:** The action extracts the integration configuration (API - Key, User API Key, and Organization Code) and the action parameters (`Entity` - and `Alert_ID`). + 1. **Parameter Extraction:** The action extracts the API configuration (API Key, + User API Key, Org Code) and the action parameters (`Entity`, `Alert_ID`). + + 2. **Validation:** It checks that exactly one of the two search parameters is + present. - 2. **Validation:** It verifies that exactly one of the two parameters (`Entity` - or `Alert_ID`) is populated. + 3. **API Interaction:** The `DoppelManager` sends a GET request to the Doppel + API endpoint (`/alert`) with the specified identifier. - 3. **Data Retrieval:** The `DoppelManager` performs a GET request to the Doppel - API's `/alert` endpoint using the provided identifier as a query parameter. + 4. **Result Processing:** If an alert is found, the data is added to the action's + JSON results. - 4. **Output:** If the alert is successfully retrieved, the raw JSON data is added - to the action's results. If the alert is not found or the API returns an error, - the action fails with a descriptive message. + 5. **Completion:** The action completes with a success message if data is retrieved, + or fails if the alert is not found or an API error occurs. capabilities: can_create_case_comments: false can_create_insight: false @@ -217,14 +244,40 @@ Get Alert: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Alerts: ai_description: >- ### General Description - The **Get Alerts** action retrieves a list of alerts from the Doppel platform - based on various filtering criteria. It is designed to fetch alert data for ingestion, - auditing, or further processing within a playbook. The action supports filtering - by product category, creation timestamps, queue status, and specific search keys. + The **Get Alerts** action retrieves a list of alerts from the DoppelVision platform. + It allows users to query the Doppel tenant for specific security incidents or + reports based on a wide range of filters such as product category, creation time, + queue status, and tags. This action is primarily used for searching and auditing + alerts within the Doppel ecosystem. ### Parameters Description @@ -233,59 +286,56 @@ Get Alerts: | :--- | :--- | :--- | :--- | - | Search Key | String | No | Filters alerts by a specific identifier, currently - supporting search by URL. | + | Search Key | String | No | Filters alerts by a specific key, currently supporting + search by URL. | - | Product | DDL | No | Filters alerts by product category (e.g., domains, social_media, + | Product | DDL | No | Filters by product category (e.g., domains, social_media, mobile_apps, ecommerce, crypto, emails, paid_adds). | - | Created Before | String | No | Filters for alerts created before a specific - date and time (ISO8601 format, e.g., '2024-01-05T13:45:30'). | + | Created Before | String | No | Filters alerts created before a specific ISO + 8601 timestamp (e.g., '2024-01-05T13:45:30'). | - | Created After | String | No | Filters for alerts created after a specific date - and time (ISO8601 format, e.g., '2024-01-05T13:45:30'). | + | Created After | String | No | Filters alerts created after a specific ISO 8601 + timestamp (e.g., '2024-01-05T13:45:30'). | - | Sort Type | DDL | No | Specifies the field to sort the reports by. Defaults - to 'date_sourced'. Options: date_sourced, date_last_actioned. | + | Sort Type | DDL | No | Field to sort results by ('date_sourced' or 'date_last_actioned'). + Defaults to 'date_sourced'. | - | Sort Order | DDL | No | Specifies the sorting order. Defaults to 'desc'. Options: - asc, desc. | + | Sort Order | DDL | No | Order of sorting ('asc' or 'desc'). Defaults to 'desc'. + | - | Page | String | No | Specifies the page number for paginated results; defaults - to 0. | + | Page | String | No | Page number for paginated results; defaults to 0. | | Queue State | DDL | No | Filters alerts by their current queue status (e.g., - doppel_review, actioned, taken_down). | + 'doppel_review', 'actioned', 'taken_down'). | - | Tags | String | No | A comma-separated list of tags used to filter the alerts. - | + | Tags | String | No | A comma-separated list of tags to filter the alerts. | ### Additional Notes - - If no parameters are provided, the action attempts to fetch all available alerts - for the configured tenant. + - This action does not operate on specific entities within the SOAR case; it performs + a global search against the DoppelVision API. - - The 'Tags' parameter is parsed from a comma-separated string into a list for - the API request. + - Timestamps for 'Created Before' and 'Created After' should follow the format + 'YYYY-MM-DDTHH:MM:SS'. ### Flow Description - 1. **Credential Extraction**: Retrieves the API Key, User API Key, and Organization - Code from the integration configuration. - - 2. **Parameter Collection**: Extracts user-provided filters including search keys, - product categories, date ranges, and sorting preferences. + 1. **Configuration Extraction:** Retrieves API credentials (API Key, User API + Key, and Organization Code) from the integration settings. - 3. **Filter Construction**: Builds a filter dictionary, removing any null values - and splitting the 'Tags' string into a list. + 2. **Parameter Parsing:** Collects optional filter parameters provided by the + user, including time ranges, categories, and sorting preferences. It also parses + the 'Tags' string into a list. - 4. **API Execution**: Initializes the DoppelManager and calls the `get_alerts` - method, which performs a GET request to the Doppel API. + 3. **API Request:** Executes a GET request to the DoppelVision `/alerts` endpoint + using the constructed filter set via the DoppelManager. - 5. **Result Handling**: If alerts are found, they are stored in the action's JSON - result. If no alerts are returned, the action fails with an error message. + 4. **Result Processing:** If alerts are found, they are returned as a JSON object + and stored in the action's execution results. If no alerts match the criteria + or an empty response is received, the action reports a failure. capabilities: can_create_case_comments: false can_create_insight: false @@ -313,50 +363,49 @@ Get Alerts: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: - ai_description: >- - ### General Description - - The **Ping** action is a diagnostic tool designed to verify the connectivity between - Google SecOps and the DoppelVision platform. Its primary purpose is to validate - that the provided credentials (API Key, User API Key, and Organization Code) are - correct and that the DoppelVision API endpoint is reachable. - - - ### Parameters Description - - There are no action-specific parameters for this task. It relies entirely on the - integration's configuration parameters: - - * **API Key**: The primary authentication token for the DoppelVision API (Mandatory). - - * **User API Key**: An optional key for user-specific authentication. - - * **Organization Code**: An optional code used for multi-tenant or specific organizational - routing. - - - ### Additional Notes - - This action is typically used during the initial setup of the integration or for - troubleshooting communication issues. It does not process any entities or modify - any data within Google SecOps or DoppelVision. - - - ### Flow Description - - 1. **Configuration Extraction**: The action retrieves the API Key, User API Key, - and Organization Code from the integration settings. - - 2. **Manager Initialization**: It initializes the `DoppelManager` with the extracted - credentials. - - 3. **Connectivity Test**: The action calls the `connection_test` method, which - performs a `GET` request to the `/alerts` endpoint of the DoppelVision API. - - 4. **Result Reporting**: If the API responds with a success status code, the action - ends with a 'Connection successful' message. If the request fails or the credentials - are invalid, it reports a connection failure. + ai_description: "### General Description\nThe **Ping** action is a diagnostic tool\ + \ designed to verify the connectivity between Google SecOps and the DoppelVision\ + \ platform. Its primary purpose is to validate that the provided integration credentials\ + \ (API Key, User API Key, and Organization Code) are correct and that the DoppelVision\ + \ API endpoint is reachable.\n\n### Parameters Description\nThis action does not\ + \ require any input parameters. It relies entirely on the configuration parameters\ + \ defined at the integration level.\n\n### Flow Description\n1. **Configuration\ + \ Extraction:** The action retrieves the `API Key`, `User API Key`, and `Organization\ + \ Code` from the DoppelVision integration settings.\n2. **Manager Initialization:**\ + \ It initializes the `DoppelManager` using the extracted credentials.\n3. **Connectivity\ + \ Test:** The action calls the `connection_test` method, which performs a `GET`\ + \ request to the `/alerts` endpoint of the DoppelVision API.\n4. **Result Reporting:**\ + \ \n * If the API responds successfully (HTTP 200), the action ends with a\ + \ success message.\n * If the request fails or returns an error (e.g., 401\ + \ Unauthorized), the action reports a connection failure.\n\n### Additional Notes\n\ + This action is intended for use during the initial setup or troubleshooting of\ + \ the DoppelVision integration to ensure the communication channel is functional." capabilities: can_create_case_comments: false can_create_insight: false @@ -384,58 +433,55 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Update Alert: - ai_description: >- - ### General Description - - Updates the status and state of an alert within the DoppelVision platform. This - action allows analysts to modify the lifecycle stage of an alert (Queue State) - and the operational status of the associated entity (Entity State). It is primarily - used for remediation and alert management workflows. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **Alert_ID** | string | No | The unique identifier for the specific alert in - the Doppel tenant. Either this or 'Entity' must be provided. | - - | **Entity** | string | No | The entity (typically a URL) associated with the - alert. Either this or 'Alert_ID' must be provided. | - - | **Queue_State** | ddl | Yes | The target queue state for the alert. Options - include: `doppel_review`, `needs_confirmation`, `monitoring`, `taken_down`, `actioned`, - `archived`. | - - | **Entity_State** | ddl | Yes | The target state for the entity. Options include: - `active`, `down`, `parked`. | - - - ### Additional Notes - - * **Validation Logic:** The action requires exactly one identifier. You must provide - either the `Alert_ID` or the `Entity`. Providing both or neither will cause the - action to fail. - - * **Side Effects:** This action performs a `PUT` request to the Doppel API, resulting - in a state change in the external system. - - - ### Flow Description - - 1. **Parameter Extraction:** Retrieves API credentials from the integration configuration - and user-provided parameters from the action input. - - 2. **Validation:** Checks that exactly one of `Alert_ID` or `Entity` is populated. - - 3. **API Interaction:** Executes a `PUT` request to the DoppelVision `/alert` - endpoint with the specified states and identifier. - - 4. **Result Processing:** Captures the updated alert object from the response - and attaches it as a JSON result to the action output. + ai_description: "Updates an alert's status and entity state within the DoppelVision\ + \ platform. This action allows analysts to transition alerts through different\ + \ queue states and update the operational status of the associated entity. The\ + \ target alert is identified using either a unique Alert ID or the Entity URL.\n\ + \n### Parameters\n| Parameter | Type | Mandatory | Description |\n| :--- | :---\ + \ | :--- | :--- |\n| Alert_ID | String | No | Unique identity for each specific\ + \ alert in the Doppel tenant. |\n| Entity | String | No | The URL or identifier\ + \ of the entity associated with the alert. |\n| Queue_State | DDL | Yes | The\ + \ target queue state for the alert. Options include: \"doppel_review\", \"needs_confirmation\"\ + , \"monitoring\", \"taken_down\", \"actioned\", \"archived\". |\n| Entity_State\ + \ | DDL | Yes | The target state for the entity. Options include: \"active\",\ + \ \"down\", \"parked\". |\n\n### Additional Notes\n* Either the **Alert_ID** or\ + \ the **Entity** parameter must be provided for the action to run. \n* If both\ + \ **Alert_ID** and **Entity** are provided simultaneously, the action will fail\ + \ with a validation error.\n\n### Flow Description\n1. **Extract Parameters:**\ + \ The action retrieves the API configuration (API Key, User API Key, Org Code)\ + \ and the action-specific parameters (Alert_ID, Entity, Queue_State, Entity_State).\n\ + 2. **Validation:** It checks that exactly one identifier (either Alert_ID or Entity)\ + \ is provided.\n3. **API Interaction:** It calls the DoppelManager's `update_alert`\ + \ method, which sends a PUT request to the DoppelVision API with the specified\ + \ states.\n4. **Result Processing:** If the update is successful, the updated\ + \ alert details are added to the action's JSON results. If the API returns an\ + \ error or an empty response, the action fails." capabilities: can_create_case_comments: false can_create_insight: false @@ -444,9 +490,9 @@ Update Alert: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the 'queue_state' and 'entity_state' of an alert in the DoppelVision + Updates the 'queue_state' and 'entity_state' of an existing alert in the DoppelVision platform via a PUT request. - fetches_data: false + fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false @@ -465,3 +511,28 @@ Update Alert: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: true + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/partner/doppel_vision/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/doppel_vision/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..4788aca80 --- /dev/null +++ b/content/response_integrations/third_party/partner/doppel_vision/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: true + network_security: false + siem: false + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/grey_noise/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/grey_noise/resources/ai/actions_ai_description.yaml new file mode 100644 index 000000000..e7027770b --- /dev/null +++ b/content/response_integrations/third_party/partner/grey_noise/resources/ai/actions_ai_description.yaml @@ -0,0 +1,581 @@ +Execute GNQL Query: + ai_description: >- + Executes custom GNQL (GreyNoise Query Language) queries to search the GreyNoise + threat intelligence database. This action allows users to perform complex searches + for IP addresses based on various attributes like tags, classifications, or last + seen dates. It supports automatic pagination to retrieve large datasets up to + a specified limit and provides options to control the verbosity of the returned + data. + + + ### Parameters + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | GNQL Query | String | Yes | The GreyNoise Query Language query string to execute + (e.g., 'last_seen:1d'). | + + | Max Results | String | No | The maximum number of results to return across all + paginated requests. Default is 1000. | + + | Quick | Boolean | No | If set to true, the response will only include the IP + address and the classification or trust level, reducing payload size. | + + | Exclude Raw | Boolean | No | Whether to exclude raw scan data from the response + to simplify the output. Default is true. | + + + ### Flow Description + + 1. **Initialization:** Extracts the GNQL query, result limits, and display preferences + from the action parameters. + + 2. **Validation:** Validates that the 'Max Results' parameter is a positive integer. + + 3. **API Connection:** Establishes a connection to the GreyNoise API using the + configured API key. + + 4. **Paginated Execution:** Enters a loop to execute the GNQL query. It uses scroll + tokens provided by the GreyNoise API to fetch subsequent pages of data. + + 5. **Data Aggregation:** Appends results from each page to a master list until + the 'Max Results' limit is reached or the API indicates no more data is available. + + 6. **Finalization:** Returns the aggregated list of results as a JSON object and + provides a summary message indicating the total number of records fetched. + capabilities: + can_create_case_comments: false + can_create_insight: false + can_modify_alert_data: false + can_mutate_external_data: false + can_mutate_internal_data: false + can_update_entities: false + external_data_mutation_explanation: null + fetches_data: true + internal_data_mutation_explanation: null + categories: + enrichment: false + entity_usage: + entity_types: [] + filters_by_additional_properties: false + filters_by_alert_identifier: false + filters_by_case_identifier: false + filters_by_creation_time: false + filters_by_entity_type: false + filters_by_identifier: false + filters_by_is_artifact: false + filters_by_is_enriched: false + filters_by_is_internal: false + filters_by_is_pivot: false + filters_by_is_suspicious: false + filters_by_is_vulnerable: false + filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false +Get CVE Details: + ai_description: >- + ### General Description + + Enriches CVE entities using GreyNoise intelligence to provide deep context on + vulnerabilities. This action retrieves critical data points including CVSS scores, + EPSS (Exploit Prediction Scoring System) scores, exploit availability, and real-world + exploitation activity observed by GreyNoise sensors. The retrieved information + is used to update the entity's attributes and generate a comprehensive HTML insight + for analysts. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | None | N/A | N/A | This action does not require any input parameters beyond + the integration configuration. | + + + ### Additional Notes + + - The action validates that CVE identifiers follow the standard 'CVE-YYYY-NNNN' + format. + + - Requires a valid GreyNoise API key configured in the integration settings. + + - Only processes entities of type CVE. + + + ### Flow Description + + 1. **Entity Identification**: Retrieves all CVE entities from the current case + context. + + 2. **Format Validation**: Validates each CVE identifier against the standard format + (e.g., CVE-2024-12345). + + 3. **GreyNoise Lookup**: Queries the GreyNoise API for each valid CVE to retrieve + vulnerability and exploitation intelligence. + + 4. **Entity Enrichment**: Updates the CVE entity's additional properties with + data such as CVSS score, EPSS score, and exploit status. + + 5. **Insight Generation**: Generates and attaches a detailed HTML insight to the + entity, visualizing threat assessments and active exploitation activity. + + 6. **Finalization**: Updates the entities in the platform and returns a summary + of the enrichment process. + capabilities: + can_create_case_comments: false + can_create_insight: true + can_modify_alert_data: false + can_mutate_external_data: false + can_mutate_internal_data: false + can_update_entities: true + external_data_mutation_explanation: null + fetches_data: true + internal_data_mutation_explanation: null + categories: + enrichment: true + entity_usage: + entity_types: + - CVE + filters_by_additional_properties: false + filters_by_alert_identifier: false + filters_by_case_identifier: false + filters_by_creation_time: false + filters_by_entity_type: true + filters_by_identifier: false + filters_by_is_artifact: false + filters_by_is_enriched: false + filters_by_is_internal: false + filters_by_is_pivot: false + filters_by_is_suspicious: false + filters_by_is_vulnerable: false + filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false +IP Lookup: + ai_description: "Enriches IP Address entities with comprehensive threat intelligence\ + \ from GreyNoise, including classification (benign, suspicious, malicious), actor\ + \ attribution, associated tags, CVEs, and business service intelligence. The action\ + \ automatically detects the API tier (Community vs. Enterprise) to optimize data\ + \ retrieval, using batch lookups for Enterprise keys. It updates the entity's\ + \ suspicious status based on GreyNoise classification and generates a detailed\ + \ HTML insight for the case wall.\n\n### Flow Description:\n1. **Identify Entities:**\ + \ Filters the target entities to identify all IP Address (ADDRESS) entities.\n\ + 2. **Tier Detection:** Checks the provided GreyNoise API key to determine if it\ + \ belongs to the Community or Enterprise tier.\n3. **Data Retrieval:** \n *\ + \ For **Enterprise** keys: Performs a batch lookup for all identified IPs to maximize\ + \ efficiency.\n * For **Community** keys: Performs individual lookups for each\ + \ IP.\n4. **Entity Enrichment:** For each IP found in the GreyNoise dataset, it\ + \ updates the entity's `additional_properties` with metadata (e.g., country, organization,\ + \ tags) and marks the entity as enriched.\n5. **Risk Assessment:** Sets the entity's\ + \ `is_suspicious` flag to true if GreyNoise classifies the IP as 'suspicious'\ + \ or 'malicious'.\n6. **Insight Generation:** Creates a formatted HTML insight\ + \ for each successfully processed entity, providing a visual summary of the intelligence.\n\ + \n### Parameters Description:\n| Parameter Name | Type | Mandatory | Description\ + \ |\n| :--- | :--- | :--- | :--- |\n| GN API Key | String | Yes | The API key\ + \ used to authenticate with GreyNoise services. This is configured at the integration\ + \ level. |\n\n### Additional Notes:\n* This action is read-only regarding external\ + \ systems and is classified as an enrichment action.\n* Community tier users will\ + \ receive a limited set of data compared to Enterprise users." + capabilities: + can_create_case_comments: false + can_create_insight: true + can_modify_alert_data: false + can_mutate_external_data: false + can_mutate_internal_data: true + can_update_entities: true + external_data_mutation_explanation: null + fetches_data: true + internal_data_mutation_explanation: >- + Updates entity attributes including 'is_enriched', 'is_suspicious', and 'additional_properties'. + It also generates entity insights. + categories: + enrichment: true + entity_usage: + entity_types: + - ADDRESS + filters_by_additional_properties: false + filters_by_alert_identifier: false + filters_by_case_identifier: false + filters_by_creation_time: false + filters_by_entity_type: true + filters_by_identifier: false + filters_by_is_artifact: false + filters_by_is_enriched: false + filters_by_is_internal: false + filters_by_is_pivot: false + filters_by_is_suspicious: false + filters_by_is_vulnerable: false + filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false +IP Timeline Lookup: + ai_description: >- + Retrieves the historical activity timeline for IP Address entities from GreyNoise, + providing visibility into how an indicator's behavior has changed over time. This + action allows analysts to track shifts in classification, associated tags, destination + ports, and other metadata with configurable time granularity. + + + ### Parameters Description + + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Field | DDL | No | Specifies the attribute to aggregate data by. Options include + classification, destination_port, http_path, http_user_agent, source_asn, source_org, + source_rdns, and tag_ids. Default is 'classification'. | + + | Granularity | String | No | Defines the time bucket size for the timeline. Supports + hours (e.g., '1h' to '24h') or days (e.g., '1d' to '90d'). Default is '1d'. | + + | Days | String | No | The total lookback period in days (1 to 90). Default is + '30'. | + + + ### Flow Description + + + 1. **Initialization**: Extracts the GreyNoise API key from the integration configuration + and validates the 'Days' parameter to ensure it is a positive integer. + + 2. **Entity Identification**: Filters the target entities to identify all IP Address + (ADDRESS) objects. + + 3. **Data Retrieval**: For each identified IP, the action queries the GreyNoise + Timeline API using the specified field, granularity, and lookback period. + + 4. **Tag Enrichment**: If the 'Field' parameter is set to 'tag_ids', the action + performs secondary API calls to fetch descriptive metadata (name, intention, category) + for each tag ID found in the timeline. + + 5. **Internal Mutation**: Updates the entity's additional properties with the + timeline metadata and raw results. It also sets the 'is_enriched' flag to true. + + 6. **Insight Generation**: Constructs a detailed HTML insight containing a visual + summary of the activity timeline, including overview statistics and a breakdown + of events. + + 7. **Finalization**: Updates the entities within Google SecOps and returns a JSON + result containing the full timeline data for each processed IP. + capabilities: + can_create_case_comments: false + can_create_insight: true + can_modify_alert_data: false + can_mutate_external_data: false + can_mutate_internal_data: true + can_update_entities: true + external_data_mutation_explanation: null + fetches_data: true + internal_data_mutation_explanation: >- + Updates entity additional properties with GreyNoise timeline metadata and data, + and creates entity insights containing HTML summaries of the activity. + categories: + enrichment: true + entity_usage: + entity_types: + - ADDRESS + filters_by_additional_properties: false + filters_by_alert_identifier: false + filters_by_case_identifier: false + filters_by_creation_time: false + filters_by_entity_type: true + filters_by_identifier: false + filters_by_is_artifact: false + filters_by_is_enriched: false + filters_by_is_internal: false + filters_by_is_pivot: false + filters_by_is_suspicious: false + filters_by_is_vulnerable: false + filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false +Ping: + ai_description: >- + ### General Description + + The **Ping** action is a diagnostic utility designed to verify the connectivity + between Google SecOps and the GreyNoise API. Its primary purpose is to validate + that the provided API key is correct, active, and has not expired, ensuring that + subsequent enrichment or search actions can proceed without authentication issues. + + + ### Parameters Description + + There are no parameters for this action. + + + ### Additional Notes + + - This action is typically used during the initial setup of the GreyNoise integration + or for troubleshooting connection issues. + + - It checks for API key expiration for Enterprise-tier keys and logs a warning + if the key is no longer valid. + + + ### Flow Description + + 1. **Initialization**: The action initializes the Siemplify SDK and retrieves + the GreyNoise API key from the integration configuration. + + 2. **API Connection**: It establishes a session with the GreyNoise API using the + provided credentials. + + 3. **Connectivity Test**: It executes a `test_connection` call to the GreyNoise + service. + + 4. **Validation**: The action parses the response to confirm the API tier (Community + vs. Enterprise) and checks the expiration date for Enterprise keys. + + 5. **Error Handling**: If a rate limit is reached or a request fails, the action + captures the specific error and marks the execution as failed. + + 6. **Completion**: Returns a success message and a boolean result indicating whether + the connection was successful. + capabilities: + can_create_case_comments: false + can_create_insight: false + can_modify_alert_data: false + can_mutate_external_data: false + can_mutate_internal_data: false + can_update_entities: false + external_data_mutation_explanation: null + fetches_data: true + internal_data_mutation_explanation: null + categories: + enrichment: false + entity_usage: + entity_types: [] + filters_by_additional_properties: false + filters_by_alert_identifier: false + filters_by_case_identifier: false + filters_by_creation_time: false + filters_by_entity_type: false + filters_by_identifier: false + filters_by_is_artifact: false + filters_by_is_enriched: false + filters_by_is_internal: false + filters_by_is_pivot: false + filters_by_is_suspicious: false + filters_by_is_vulnerable: false + filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false +Quick IP Lookup: + ai_description: >- + Performs a lightweight IP classification lookup using GreyNoise to determine trust + levels, internet scanner status, and business service status for IP Address entities. + This action is designed for high-speed enrichment of multiple IPs simultaneously. + + + ### Parameters + + There are no user-configurable parameters for this action beyond the global integration + API key. + + + ### Flow Description + + 1. **Entity Identification:** The action identifies all `ADDRESS` (IP) entities + within the current scope. + + 2. **Batch Lookup:** It sends a batch request to the GreyNoise Quick Lookup API + for all identified IP addresses. + + 3. **Data Processing:** For each IP found in the GreyNoise dataset, the action: + * Updates the entity's `additional_properties` with GreyNoise metadata (e.g., + `GN_is_business_service`, `GN_is_internet_scanner`, `GN_trust_level`, `GN_classification`). + * Sets the entity's `is_enriched` status to `true`. + * Updates the entity's `is_suspicious` status if the GreyNoise classification + is 'suspicious' or 'malicious'. + 4. **Insight Generation:** Creates a detailed HTML insight for each enriched entity, + providing a visual summary of the IP's intelligence (Business Service vs. Internet + Scanner status). + + 5. **Finalization:** Updates the entities in the Google SecOps platform and returns + a summary message along with the raw JSON results for all processed IPs. + + + ### Additional Notes + + * This action uses the GreyNoise 'Quick' endpoint, which is optimized for speed + and batch processing but provides less detail than a full IP lookup. + + * If no IP entities are found, the action completes gracefully with an informative + message. + capabilities: + can_create_case_comments: false + can_create_insight: true + can_modify_alert_data: false + can_mutate_external_data: false + can_mutate_internal_data: true + can_update_entities: true + external_data_mutation_explanation: null + fetches_data: true + internal_data_mutation_explanation: >- + Updates entity attributes including additional_properties, is_enriched, and + is_suspicious status. It also generates and attaches entity insights. + categories: + enrichment: true + entity_usage: + entity_types: + - ADDRESS + filters_by_additional_properties: false + filters_by_alert_identifier: false + filters_by_case_identifier: false + filters_by_creation_time: false + filters_by_entity_type: true + filters_by_identifier: false + filters_by_is_artifact: false + filters_by_is_enriched: false + filters_by_is_internal: false + filters_by_is_pivot: false + filters_by_is_suspicious: false + filters_by_is_vulnerable: false + filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/partner/grey_noise/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/partner/grey_noise/resources/ai/connectors_ai_description.yaml new file mode 100644 index 000000000..3b6006c9d --- /dev/null +++ b/content/response_integrations/third_party/partner/grey_noise/resources/ai/connectors_ai_description.yaml @@ -0,0 +1,35 @@ +Generate Alert from GreyNoise GNQL: + ai_description: "### General Description\nThe GreyNoise GNQL connector enables automated\ + \ ingestion of threat intelligence data into Google SecOps by executing GreyNoise\ + \ Query Language (GNQL) queries. It identifies IP addresses with specific characteristics\u2014\ + such as malicious intent, specific tags, or recent activity\u2014and generates\ + \ corresponding alerts and cases. This integration allows security teams to proactively\ + \ monitor for known scanners, business services, or malicious actors observed\ + \ by the GreyNoise sensor network.\n\n### Parameters Description\n| Parameter\ + \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| GN API\ + \ Key | Password | Yes | The API key used to authenticate with GreyNoise services.\ + \ |\n| Query | String | Yes | The GNQL query string used to filter GreyNoise data\ + \ (e.g., `last_seen:1d` or `classification:malicious`). |\n| Max Results | Integer\ + \ | No | The maximum number of indicators to fetch and process in a single execution\ + \ cycle (Default: 100). |\n| DeviceProductField | String | Yes | The field name\ + \ used to populate the device product attribute in the alert (Default: GreyNoise).\ + \ |\n| EventClassId | String | Yes | The field name used to determine the event\ + \ type or sub-type (Default: event_type). |\n| PythonProcessTimeout | Integer\ + \ | Yes | The maximum time in seconds allowed for the connector script to run\ + \ before terminating (Default: 1200). |\n\n### Flow Description\n1. **Authentication**:\ + \ The connector authenticates with the GreyNoise API using the provided API Key.\n\ + 2. **State Management**: It retrieves the list of previously processed event IDs\ + \ from the local store to ensure deduplication and prevent redundant alert creation.\n\ + 3. **Query Execution**: It executes the configured GNQL query to fetch matching\ + \ IP indicators from the GreyNoise database.\n4. **Pagination**: If the result\ + \ set is large, the connector utilizes scroll tokens to paginate through the results\ + \ until the `Max Results` limit or the end of the data is reached.\n5. **Data\ + \ Transformation**: Each retrieved IP record is mapped to a standard SOAR `AlertInfo`\ + \ object. Severity is dynamically assigned based on the GreyNoise classification\ + \ (e.g., Malicious IPs are mapped to High severity, while Suspicious IPs are mapped\ + \ to Medium).\n6. **Deduplication & Overflow Check**: The connector filters out\ + \ already processed IDs and performs an overflow check to ensure the system is\ + \ not overwhelmed by high-volume alerts.\n7. **Ingestion**: Validated alerts are\ + \ packaged and ingested into Google SecOps as new cases for investigation.\n8.\ + \ **Update State**: The connector saves the IDs of the newly processed events\ + \ to the local store for reference in the next execution cycle." diff --git a/content/response_integrations/third_party/partner/grey_noise/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/grey_noise/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..ac8e64b44 --- /dev/null +++ b/content/response_integrations/third_party/partner/grey_noise/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + siem: false + threat_intelligence: true + vulnerability_management: true diff --git a/content/response_integrations/third_party/partner/group_ib_ti/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/group_ib_ti/resources/ai/actions_ai_description.yaml index 73a09ce81..e789beb47 100644 --- a/content/response_integrations/third_party/partner/group_ib_ti/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/group_ib_ti/resources/ai/actions_ai_description.yaml @@ -1,36 +1,34 @@ Get-Collection-Info-Async: - ai_description: "### General Description\nThis action retrieves threat intelligence\ - \ data from specific Group-IB TI collections. It is designed for periodic data\ - \ extraction (e.g., daily updates) by tracking sequence numbers to ensure only\ - \ new data is ingested. It operates independently of case entities, acting as\ - \ a data retrieval utility for the Group-IB TI portal.\n\n### Parameters Description\n\ - | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ - | Collection | DDL | Yes | The specific Group-IB TI collection to download data\ - \ from (e.g., `apt/threat`, `malware/cnc`, `ioc/common`). |\n| Portion limit |\ - \ DDL | Yes | Controls the number of data portions (batches) received from the\ - \ TI Portal API in a single run. |\n| Enable mapping parser | Boolean | No | If\ - \ set to `true`, the action parses the JSON output using predefined Group-IB mapping\ - \ keys. If `false`, it returns raw data. |\n| Start date | String | No | The start\ - \ date (YYYY-MM-DD) for data download if no previous sequence timestamp is found\ - \ in the system. Defaults to 1 day ago if left empty. |\n\n### Additional Notes\n\ - - This action is asynchronous and ignores any entities present in the case; it\ - \ uses the execution trigger to start the collection download.\n- It utilizes\ - \ sequence tracking (via `fetch_timestamp`) to maintain state between runs, allowing\ - \ for incremental updates.\n\n### Flow Description\n1. **Initialization**: The\ - \ action initializes the Group-IB TI connector and retrieves user-defined parameters\ - \ including the collection name, portion limits, and parsing preferences.\n2.\ - \ **Sequence Tracking**: It attempts to fetch a stored timestamp (sequence update\ - \ number) from the environment. If found, it resumes data collection from that\ - \ specific sequence. \n3. **Fallback Logic**: If no sequence number is stored,\ - \ it calculates a starting point based on the provided 'Start date' or defaults\ - \ to 24 hours prior to the current time.\n4. **Data Retrieval**: It establishes\ - \ a connection to the Group-IB TI API and creates a generator to fetch data portions\ - \ for the selected collection, respecting the 'Portion limit'.\n5. **Processing\ - \ & Parsing**: For each retrieved portion, the action either applies a mapping\ - \ parser to structure the data into a standardized format or extracts the raw\ - \ items based on the 'Enable mapping parser' configuration.\n6. **Aggregation**:\ - \ The action aggregates all retrieved portions into a single result set, adds\ - \ it to the action's JSON output, and completes the execution." + ai_description: "Fetches threat intelligence data from specific Group-IB TI collections.\ + \ This action is designed for bulk data retrieval or periodic updates rather than\ + \ per-entity enrichment. It utilizes sequence update numbers to track progress,\ + \ allowing it to be run on a schedule (e.g., daily) to retrieve only new updates\ + \ since the last execution. The action retrieves data from a wide variety of collections\ + \ including APT threats, malware configurations, compromised accounts, and suspicious\ + \ IP lists.\n\n### Flow Description:\n1. **Initialization**: Initializes the Group-IB\ + \ TI connector and poller using provided API credentials.\n2. **State Retrieval**:\ + \ Attempts to fetch the last successful sequence update number from the internal\ + \ storage (timestamp). \n3. **Start Point Determination**: If no previous state\ + \ is found, it calculates the starting sequence number based on the provided 'Start\ + \ date' (defaulting to 1 day ago if not specified).\n4. **Data Retrieval**: Initiates\ + \ a request to the Group-IB TI API for the chosen 'Collection', limited by the\ + \ 'Portion limit' parameter.\n5. **Data Processing**: Iterates through the retrieved\ + \ data portions. If 'Enable mapping parser' is true, it applies predefined mapping\ + \ logic to structure the data; otherwise, it collects the raw JSON items.\n6.\ + \ **Output**: Aggregates all retrieved items into a single JSON result and completes\ + \ the action.\n\n### Parameters Description:\n| Parameter | Type | Mandatory |\ + \ Description |\n| :--- | :--- | :--- | :--- |\n| Enable mapping parser | Boolean\ + \ | No | If enabled, the action will parse the raw API response into a structured\ + \ format based on Group-IB's internal mapping keys. Default is false. |\n| Collection\ + \ | DDL | Yes | The specific threat intelligence collection to query (e.g., 'apt/threat',\ + \ 'malware/cnc', 'compromised/account_group'). |\n| Start date | String | No |\ + \ The date (YYYY-MM-DD) to start fetching data from if no previous execution state\ + \ (timestamp) exists. |\n| Portion limit | DDL | Yes | Controls the volume of\ + \ data retrieved by setting the maximum number of portions to fetch in a single\ + \ run. Default is 100. |\n\n### Additional Notes:\n- This action **ignores all\ + \ entities** in the case. It is intended to be used as a data-gathering task within\ + \ a playbook.\n- The action is asynchronous and uses internal state management\ + \ (timestamps) to ensure data continuity across multiple runs." capabilities: can_create_case_comments: false can_create_insight: false @@ -58,50 +56,77 @@ Get-Collection-Info-Async: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get-Graph-Info: ai_description: >- ### General Description - The **Get-Graph-Info** action retrieves relational intelligence and infrastructure - data (often associated with WHOIS information) from the Group-IB Threat Intelligence - (TI) platform. It is specifically designed to provide context for network-based - entities by querying Group-IB's graph utility endpoints. + The **Get-Graph-Info** action retrieves WHOIS and relationship graph information + for **IP Address** and **Domain** entities from the Group-IB Threat Intelligence + (TI) platform. This action is designed to provide analysts with infrastructure + context and potential connections between indicators to aid in threat investigation. - ### Parameters + ### Parameters Description - This action does not have any user-configurable parameters. It automatically processes - supported entities found in the current alert or case context. + | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Flow Description + | N/A | N/A | N/A | This action does not require any input parameters. | - 1. **Initialization**: The action initializes the Group-IB TI poller using the - integration's global configuration (API Login, API Key, and API URL). - 2. **Entity Gathering**: It retrieves the list of target entities from the current - Google SecOps context. + ### Flow Description + + 1. **Entity Identification**: The action iterates through all entities attached + to the alert/case. - 3. **Type Validation**: The action uses an internal validator to identify the - type of each entity. It explicitly filters the list to only include entities identified - as **IP Addresses** or **Domains**. + 2. **Type Validation**: It uses an internal validator to identify which entities + are valid IPs or Domains. Any other entity types (e.g., File Hashes, URLs) are + ignored. - 4. **API Interaction**: For each valid entity, it sends a GET request to the Group-IB - TI `utils/graph` endpoint (e.g., `utils/graph/ip` or `utils/graph/domain`). + 3. **API Request**: For each valid IP or Domain, the action sends a GET request + to the Group-IB TI `utils/graph` endpoint using the entity identifier as a query + parameter. - 5. **Rate Limiting**: The script pauses for 1 second between entity requests to - respect external API rate limits. + 4. **Data Aggregation**: The action collects the API responses, including WHOIS + data and graph metadata, into a structured JSON object. - 6. **Data Output**: The raw JSON responses from the API are aggregated and added - to the action's result JSON, making the data available for subsequent playbook - logic. + 5. **Result Output**: The final aggregated data is attached to the action's JSON + result for use in playbooks or for manual review by an analyst. ### Additional Notes - - This action is a data-retrieval task. It does not automatically update entity - fields, add insights, or create case comments. The output is provided as a raw - JSON result for use in playbooks. + - **Rate Limiting**: The action includes a 1-second sleep interval between requests + to ensure compliance with API rate limits. + + - **Scope**: This action is strictly for enrichment and does not modify any external + or internal system states beyond providing the retrieved data. capabilities: can_create_case_comments: false can_create_insight: false @@ -113,7 +138,7 @@ Get-Graph-Info: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: entity_types: - ADDRESS @@ -131,32 +156,84 @@ Get-Graph-Info: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get-TI-Search-Info: - ai_description: "### General Description\nThe **Get-TI-Search-Info** action allows\ - \ users to search for specific entities\u2014including Domains, IP Addresses,\ - \ File Hashes, Bank Cards, and Emails\u2014within the Group-IB Threat Intelligence\ - \ (TI) database. This action is designed to provide deep contextual enrichment\ - \ by identifying which threat collections (e.g., APT reports, malware configs,\ - \ compromised accounts) contain information about the target entities and retrieving\ - \ the detailed records associated with them.\n\n### Parameters Description\n|\ - \ Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ - | Enable mapping parser | Boolean | No | If set to `true`, the action will use\ - \ predefined mapping keys to structure the JSON output into a more readable format.\ - \ If `false` (default), the action returns the raw data as provided by the Group-IB\ - \ API. |\n\n### Flow Description\n1. **Initialization**: The action initializes\ - \ the Group-IB TI connector and poller using the integration's configuration (API\ - \ Key, Login, and URL).\n2. **Entity Identification**: It iterates through the\ - \ target entities in the current context and uses an internal validator to determine\ - \ their type (e.g., IP, Domain, Hash, Email, or Credit Card).\n3. **Global Search**:\ - \ For each valid entity, the action performs a global search across the Group-IB\ - \ TI database to identify all relevant data collections (API paths) that contain\ - \ matches.\n4. **Data Retrieval**: For every identified collection, the action\ - \ executes a specific query to fetch detailed records, limited to a maximum of\ - \ 3,000 items per collection.\n5. **Data Processing**: The retrieved records are\ - \ either parsed using a mapping configuration (if enabled) or kept in their raw\ - \ format.\n6. **Result Aggregation**: All findings are aggregated into a single\ - \ JSON object and attached to the action's execution results for use in subsequent\ - \ playbook steps." + ai_description: >- + ### General Description + + The **Get-TI-Search-Info** action allows analysts to search the Group-IB Threat + Intelligence (TI) database for comprehensive information regarding specific indicators. + It supports searching for IP addresses, domains, file hashes, email addresses, + and bank card numbers. The action identifies which collections in the Group-IB + TI database contain information about the provided entities and retrieves the + relevant records, providing deep context from various threat intelligence feeds. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Enable mapping parser | Boolean | No | If set to `true`, the action will use + a predefined mapping parser to structure the retrieved data into a more readable + format based on the collection type. If `false` (default), the raw JSON items + from the API are returned. | + + + ### Flow Description + + 1. **Initialization**: The action initializes the connection to Group-IB TI using + the provided API credentials and configuration. + + 2. **Entity Identification**: It iterates through all target entities in the current + context and uses a validator to determine their type (e.g., IP, Domain, Hash, + Email, or Bank Card) based on the format of their identifier. + + 3. **Global Search**: For each identified entity, it performs a global search + across the Group-IB TI platform to find all collections (API paths) that contain + data for that specific indicator. + + 4. **Data Retrieval**: For every collection found, the action queries the database + to fetch the detailed records associated with the entity using a query formatted + as `type:value`. + + 5. **Parsing and Output**: The retrieved data is either parsed using the mapping + engine (if enabled) or collected as raw items. The final results are aggregated + into a single JSON object and attached to the action result. + + + ### Additional Notes + + - This action is primarily used for deep enrichment and cross-collection searching + within the Group-IB ecosystem. + + - A 1-second delay is implemented between API calls to ensure compliance with + API rate limits. capabilities: can_create_case_comments: false can_create_insight: false @@ -172,16 +249,45 @@ Get-TI-Search-Info: entity_usage: entity_types: - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN - DOMAIN + - EMAILSUBJECT + - EVENT - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE - DestinationURL + - USB - USERUNIQNAME - - CREDITCARD filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false filters_by_creation_time: false - filters_by_entity_type: true + filters_by_entity_type: false filters_by_identifier: false filters_by_is_artifact: false filters_by_is_enriched: false @@ -190,70 +296,62 @@ Get-TI-Search-Info: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get-TI-Search-Info-By-Collection: - ai_description: >- - ### General Description - - The **Get-TI-Search-Info-By-Collection** action searches the Group-IB Threat Intelligence - (TI) database for specific indicators across a wide range of collections. It allows - users to query for data related to Domains, IP Addresses, URLs, File Hashes, Bank - Cards, and Emails. The action is highly configurable, allowing users to target - specific collections and optionally apply a mapping parser to structure the raw - API response into a more readable format. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **Collection** | DDL | Yes | Specifies the Group-IB TI collection to search. - Options include `apt/threat`, `malware/cnc`, `compromised/account_group`, and - many others. | - - | **Enable mapping parser** | Boolean | No | If set to `true`, the action transforms - the raw API data into a structured JSON format based on internal mapping keys. - If `false`, it returns the raw items from the API. Default is `false`. | - - | **Search tag** | String | No | An optional tag used to prefix the search query - (e.g., `domain:google.com`). If provided, the query is formatted as `tag:identifier`. - If omitted, the raw entity identifier is used. | - - - ### Flow Description - - 1. **Initialization:** The action initializes the Group-IB TI connector and retrieves - user-defined parameters including the target collection and search preferences. - - 2. **Entity Processing:** It iterates through all entities in the current scope. - For each entity, it validates the identifier to determine if it matches supported - formats (IP, Domain, Hash, etc.). - - 3. **Query Construction:** A search query is built for each valid entity. If - a `Search tag` is specified, it is prepended to the entity identifier; otherwise, - the identifier is used as the standalone query. - - 4. **Data Retrieval:** The action queries the Group-IB TI API for the selected - collection. It uses a generator to handle data retrieval, supporting up to 3,000 - items per query. - - 5. **Parsing and Aggregation:** Based on the `Enable mapping parser` setting, - the retrieved data is either parsed into a structured format or kept as raw JSON. - All results are aggregated into a single result object. - - 6. **Completion:** The final aggregated JSON is attached to the action result, - and the task is marked as completed. - - - ### Additional Notes - - * The action includes built-in rate-limiting protection by implementing a 1-second - delay between API requests. - - * While the `Enable mapping parser` parameter is a boolean, the underlying logic - expects string comparisons ("true"/"false"), which is handled automatically by - the integration's parameter extraction logic. + ai_description: "Searches the Group-IB Threat Intelligence (TI) database for information\ + \ related to specific entities within a chosen collection. This action allows\ + \ analysts to query a wide variety of TI data\u2014including threat actors, malware\ + \ configurations, phishing kits, and compromised accounts\u2014directly from Google\ + \ SecOps. It supports 31 distinct collections and provides an optional mapping\ + \ parser to structure the raw API response into a more readable format.\n\n###\ + \ Parameters Description\n\n| Parameter | Type | Mandatory | Description |\n|\ + \ :--- | :--- | :--- | :--- |\n| Collection | DDL | Yes | Specifies the Group-IB\ + \ TI collection to search (e.g., `apt/threat`, `malware/cnc`, `suspicious_ip/tor_node`).\ + \ |\n| Enable mapping parser | Boolean | No | If set to `true`, the action will\ + \ use predefined mapping keys to parse the raw JSON output into a structured format.\ + \ Default is `false`. |\n| Search tag | String | No | Allows for targeted field\ + \ searches. If provided, the query is formatted as `tag:entity` (e.g., `domain:google.com`).\ + \ If empty, a general search is performed. |\n\n### Flow Description\n\n1. **Initialization**:\ + \ The action initializes the Group-IB TI poller using the integration's API credentials\ + \ and configuration.\n2. **Parameter Extraction**: It retrieves the selected `Collection`,\ + \ the `Search tag`, and the `Enable mapping parser` toggle.\n3. **Entity Processing**:\ + \ The action iterates through all target entities provided in the context.\n4.\ + \ **Query Construction**: For each entity, it constructs a search query. If a\ + \ `Search tag` is specified, it prefixes the entity identifier with the tag; otherwise,\ + \ it uses the raw identifier.\n5. **Data Retrieval**: It queries the Group-IB\ + \ TI API for the specified collection and query string, retrieving up to 3,000\ + \ results.\n6. **Parsing**: If the mapping parser is enabled, the action transforms\ + \ the raw API items into a structured format based on the integration's mapping\ + \ configuration.\n7. **Output**: The aggregated results from all entities are\ + \ added to the action's JSON result and returned to the platform.\n\n### Additional\ + \ Notes\n\n- This action is primarily used for deep-dive threat intelligence lookups\ + \ across Group-IB's extensive database of cybercriminal activity and compromised\ + \ data.\n- The `Collection` parameter is a dropdown list containing 31 specific\ + \ categories of intelligence." capabilities: can_create_case_comments: false can_create_insight: false @@ -308,7 +406,7 @@ Get-TI-Search-Info-By-Collection: filters_by_case_identifier: false filters_by_creation_time: false filters_by_entity_type: false - filters_by_identifier: true + filters_by_identifier: false filters_by_is_artifact: false filters_by_is_enriched: false filters_by_is_internal: false @@ -316,29 +414,77 @@ Get-TI-Search-Info-By-Collection: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: - ai_description: "### General Description\nThe **Ping** action is designed to verify\ - \ the connectivity between Google SecOps and the Group-IB Threat Intelligence\ - \ (TI) platform. Beyond a simple heartbeat check, it retrieves a list of all data\ - \ collections available to the user based on their current subscription level,\ - \ providing visibility into accessible threat feeds.\n\n### Parameters Description\n\ - | Parameter Name | Description | Type | Mandatory | Notes |\n| :--- | :--- | :---\ - \ | :--- | :--- |\n| None | This action does not require any input parameters.\ - \ | N/A | N/A | N/A |\n\n### Additional Notes\n- This action relies on the integration's\ - \ global configuration (API Login, API Key, and API URL) to authenticate.\n- The\ - \ output includes a JSON object listing the 'granted_collections' which helps\ - \ administrators verify which threat feeds are active.\n\n### Flow Description\n\ - 1. **Initialization**: The action initializes the Siemplify environment and sets\ - \ the script name.\n2. **Connector Setup**: It retrieves the global configuration\ - \ credentials (API Login, API Key, API URL) and initializes the `GIBConnector`\ - \ and `PlaybookAdapter`.\n3. **API Request**: The action sends a GET request to\ - \ the `user/granted_collections` endpoint of the Group-IB TI API.\n4. **Result\ - \ Processing**: \n - If successful, the list of collections is added to the\ - \ action's JSON results, and a 'Connection Established' message is returned.\n\ - \ - If the request fails (e.g., due to authentication or network issues), an\ - \ error message is logged, and the action status is set to failed.\n5. **Termination**:\ - \ The action concludes by reporting the connectivity status and the retrieved\ - \ collection data to the SOAR workbench." + ai_description: >- + Tests the connectivity to the Group-IB Threat Intelligence service. This action + validates the provided API credentials (API Login, API Key, and API URL) and retrieves + a list of all data collections accessible under the current subscription. It is + primarily used for troubleshooting and verifying that the integration is correctly + configured. + + + ### Flow Description: + + 1. **Initialization**: The action initializes the Siemplify context and sets the + script name. + + 2. **Configuration Retrieval**: It retrieves the integration's global configuration + parameters, including the API login, API key, and API URL. + + 3. **API Connection**: It initializes the Group-IB TI adapter and poller to establish + a session with the external service. + + 4. **Data Retrieval**: The action sends a GET request to the `user/granted_collections` + endpoint to verify access. + + 5. **Result Processing**: If successful, the list of granted collections is added + to the action's JSON results. If the request fails, an error message is logged + and the action status is set to failed. + + 6. **Completion**: The action ends by reporting the connectivity status and an + output message. + + + ### Parameters Description: + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | N/A | N/A | N/A | This action does not have any input parameters. | + + + ### Additional Notes: + + - This action relies on the global integration configuration for authentication. + + - The JSON output provides visibility into which Group-IB TI collections (e.g., + `apt/threat`, `malware/cnc`) are available for the configured account. capabilities: can_create_case_comments: false can_create_insight: false @@ -366,3 +512,28 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/partner/group_ib_ti/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/partner/group_ib_ti/resources/ai/connectors_ai_description.yaml new file mode 100644 index 000000000..f586e806e --- /dev/null +++ b/content/response_integrations/third_party/partner/group_ib_ti/resources/ai/connectors_ai_description.yaml @@ -0,0 +1,150 @@ +TI IoC Hash Connector: + ai_description: >- + ### General Description + + This connector integrates with the Group-IB Threat Intelligence (TI) Portal to + ingest File Hash Indicators of Compromise (IoCs). It specifically monitors the + `ioc/common` collection for new hash-based threats and creates cases in Google + SecOps. This allows security teams to stay updated on malicious file signatures + identified by Group-IB's global intelligence network. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | API key | Password | Yes | API key generated at your Group-IB TI Profile. | + + | API login | Email | Yes | Email address used to enter the Group-IB TI Portal. + | + + | API URL | String | Yes | Group-IB TI Portal API URL (default: https://tap.group-ib.com/api/v2/). + | + + | Case name | String | Yes | The name to be displayed for the created cases (default: + IoC Hash). | + + | Case severity | String | Yes | Severity level for the cases: Informative, Low, + Medium, High, Critical. | + + | Case type | String | Yes | The case type used to trigger specific playbooks + or actions (default: IoC). | + + | DeviceProductField | String | Yes | Field name used to determine the device + product (default: title). | + + | EventClassId | String | Yes | Field name used to determine the event name/sub-type + (default: id). | + + | Start date | String | No | Initial date to start downloading data (YYYY-MM-DD). + If not provided, defaults to 1 day back. | + + | Verify SSL | Boolean | Yes | Whether to verify SSL certificates for API requests. + | + + + ### Flow Description + + 1. **Authentication**: The connector connects to the Group-IB TI Portal using + the provided API Login and API Key. + + 2. **State Management**: It retrieves the last processed sequence update number + from the Google SecOps internal storage to ensure only new data is fetched. + + 3. **Initialization**: If no previous state exists, it uses the "Start date" parameter + (or defaults to 24 hours ago) to determine the starting sequence update number + for the `ioc/common` collection. + + 4. **Data Retrieval**: It queries the Group-IB API for new IoC updates starting + from the saved sequence number, limited to 50 items per cycle. + + 5. **Filtering**: The connector parses the retrieved data, specifically filtering + for entries containing file hash indicators (`file_ioc__hash`). + + 6. **Event Creation**: For each identified hash, it creates an event object containing + the hash value, event type ("FileHash"), and associated metadata. + + 7. **Case Ingestion**: Events are aggregated into a single Alert/Case using the + configured "Case name", "Case type", and "Case severity". + + 8. **Checkpointing**: The connector saves the latest sequence update number back + to the internal storage to mark the progress for the next execution. +TI IoC IP Connector: + ai_description: >- + ### General Description + + This connector integrates with the Group-IB Threat Intelligence (TI) Portal to + automatically fetch Indicators of Compromise (IoCs), specifically focusing on + malicious IP addresses. It monitors the `ioc/common` collection within the Group-IB + TI platform and ingests these indicators into Google SecOps as cases. This allows + security teams to proactively identify and respond to network-based threats based + on Group-IB's global threat intelligence data. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | API login | Email | Yes | Your email address used to access the Group-IB TI + Portal. | + + | API URL | String | Yes | The base URL for the Group-IB TI Portal API (e.g., + https://tap.group-ib.com/api/v2/). | + + | Case name | String | Yes | The display name for the cases created in Google + SecOps. | + + | Case severity | String | Yes | The severity level assigned to created cases + (Informative, Low, Medium, High, Critical). | + + | Case type | String | Yes | The case type used to categorize the alert and trigger + specific playbooks. | + + | DeviceProductField | String | Yes | The field name used to determine the device + product in the event metadata. | + + | EventClassId | String | Yes | The field name used to determine the event name + or sub-type. | + + | PythonProcessTimeout | String | Yes | The maximum execution time (in seconds) + allowed for the connector script. | + + | Start date | String | No | The initial date (YYYY-MM-DD) to begin fetching data + if no previous checkpoint exists. Defaults to 1 day back. | + + | API key | Password | Yes | The API key generated from your Group-IB TI Profile. + | + + | Verify SSL | Boolean | Yes | If enabled, the connector will verify SSL certificates + for API requests. | + + + ### Flow Description + + 1. **Authentication**: The connector authenticates with the Group-IB TI Portal + using the provided API Login and API Key. + + 2. **State Tracking**: It retrieves the last processed 'sequence update' number + from the internal storage. If this is the first run, it uses the `Start date` + parameter or defaults to fetching data from the last 24 hours. + + 3. **Data Collection**: The connector queries the `ioc/common` collection for + new threat intelligence updates released since the last successful execution. + + 4. **Parsing and Filtering**: It iterates through the retrieved intelligence portions, + specifically extracting network profiles that contain valid IP addresses. + + 5. **Alert Construction**: For each identified malicious IP, the connector creates + an internal event and aggregates them into a single Alert/Case structure defined + by the `Case name` and `Case severity` parameters. + + 6. **Ingestion**: The aggregated alert and its associated events are returned + to Google SecOps for case creation. + + 7. **Checkpointing**: Upon successful processing, the connector saves the latest + sequence update number to ensure that the next run only fetches new, unprocessed + indicators. diff --git a/content/response_integrations/third_party/partner/group_ib_ti/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/group_ib_ti/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..2e831240c --- /dev/null +++ b/content/response_integrations/third_party/partner/group_ib_ti/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + siem: false + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/houdin_io/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/houdin_io/resources/ai/actions_ai_description.yaml index 209f114ee..d4080b50c 100644 --- a/content/response_integrations/third_party/partner/houdin_io/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/houdin_io/resources/ai/actions_ai_description.yaml @@ -1,48 +1,69 @@ Enrich Entities: - ai_description: "### General Description\nThe **Enrich Entities** action scans compatible\ - \ entities\u2014including Public IPv4/IPv6 addresses, URLs, Domains, and File\ - \ Hashes (MD5, SHA1, SHA256)\u2014using the **Houdin.io** platform. It retrieves\ - \ comprehensive threat intelligence by leveraging multiple third-party scanners\ - \ and Houdin's proprietary AI-driven analysis. The action updates entity attributes\ - \ with threat scores and analysis summaries, providing security analysts with\ - \ immediate context within the Google SecOps platform.\n\n### Parameters Description\n\ - | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ - | **scanOn** | Multi-choice | No | Specifies an array of scanners for Houdin to\ - \ utilize (e.g., `vt`, `urlscan`, `abuseipdb`, `mesmer`). If not provided, the\ - \ platform uses its default scanner configuration. |\n\n### Additional Notes\n\ - - **IP Filtering**: The action automatically filters out internal/private IP addresses,\ - \ only performing scans for global (public) IP entities.\n- **Asynchronous Polling**:\ - \ Although the action logic includes a polling loop, it is marked as asynchronous\ - \ in the configuration. Users should ensure the script timeout in the Google SecOps\ - \ IDE is sufficient for the scanners to complete their analysis.\n- **Data Enrichment**:\ - \ Results are written to the entity's `additional_properties`, specifically updating\ - \ `Houdin-io_Threat_Score`, `Houdin-io_AI_Analysis`, and `Houdin-io_Analysis_sources`.\n\ - \n### Flow Description\n1. **Entity Identification**: The action iterates through\ - \ target entities and selects those matching compatible types: URL, Domain, FileHash,\ - \ or Public IP Address.\n2. **Scan Initiation**: For each compatible entity, the\ - \ action sends a POST request to the Houdin.io API to launch a new scan job, passing\ - \ the optional `scanOn` parameters if configured.\n3. **Result Polling**: The\ - \ action enters a polling phase, periodically sending GET requests to retrieve\ - \ the status and final results of the initiated scans.\n4. **Intelligence Extraction**:\ - \ Upon scan completion, the action parses the response to extract the Mesmer global\ - \ threat score (normalized to a /10 scale) and the AI-generated analysis summary.\n\ - 5. **Internal Update**: The action updates the `additional_properties` of the\ - \ successful entities with the retrieved intelligence and calls the internal update\ - \ method to persist these changes in Google SecOps.\n6. **Output Generation**:\ - \ Finally, the action produces a JSON result containing the full raw scan data\ - \ for each processed entity and ends with a summary message." + ai_description: >- + ### General Description + + The **Enrich Entities** action enriches compatible entities (Public IPv4/IPv6, + URL, Domain, and File Hashes) by scanning them on the Houdin.io platform. It retrieves + comprehensive threat intelligence, including threat scores and AI-driven analysis + summaries, and updates the entity attributes within Google SecOps. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | **scanOn** | multi_choice_parameter | No | An array of scanners you want Houdin + to use. Supported options include: `vt`, `urlscan`, `alienvault`, `abuseipdb`, + `triage`, `mesmer`, and `servicenow`. | + + + ### Additional Notes + + - This action is **asynchronous**; ensure the script timeout in the Google SecOps + IDE is adjusted if necessary to accommodate polling times. + + - **IP Filtering:** Only global (public) IP addresses are processed. Internal + or private IP addresses are automatically skipped. + + - **File Hashes:** Compatible hash types include MD5, SHA1, and SHA256. + + - **Configuration:** Requires a valid API Key to be configured in the Houdin-io + integration settings. + + + ### Flow Description + + 1. **Identify Compatible Entities:** The action filters the target entities for + supported types: Public IPs, URLs, Domains, and File Hashes. + + 2. **Launch Scans:** For each compatible entity, the action sends a POST request + to Houdin.io to initiate a scan, optionally specifying the scanners to be used. + + 3. **Poll for Results:** The action polls the Houdin.io API using the returned + scan IDs until the analysis is complete. + + 4. **Extract Intelligence:** It retrieves the threat score (from the Mesmer engine), + an AI-generated analysis summary, and the list of analysis sources. + + 5. **Enrich Entities:** The action updates the `additional_properties` of the + entities in Google SecOps with the retrieved data and provides a detailed JSON + result. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: true - can_mutate_internal_data: false + can_mutate_internal_data: true can_update_entities: true external_data_mutation_explanation: >- - The action performs a POST request to the Houdin.io API to create and launch - new scan jobs for the provided entities. + The action initiates a new scan job on the Houdin.io platform by sending a POST + request with the entity identifier. fetches_data: true - internal_data_mutation_explanation: null + internal_data_mutation_explanation: >- + The action updates the 'additional_properties' of entities in Google SecOps + with threat scores, AI analysis summaries, and analysis sources. categories: enrichment: false entity_usage: @@ -56,51 +77,82 @@ Enrich Entities: filters_by_case_identifier: false filters_by_creation_time: false filters_by_entity_type: true - filters_by_identifier: true + filters_by_identifier: false filters_by_is_artifact: false filters_by_is_enriched: false - filters_by_is_internal: false + filters_by_is_internal: true filters_by_is_pivot: false filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: true + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: ai_description: >- - ### General Description + The Ping action is a utility designed to verify the connectivity between Google + SecOps and the Houdin.io API. It ensures that the provided API Key is valid and + that the network path to the service is open. This action is typically used during + the initial setup of the integration or for troubleshooting communication issues. - Tests the connectivity to the Houdin.io API to ensure the integration is configured - correctly and the service is reachable. This action is primarily used for troubleshooting - and verifying that the provided API credentials and network settings allow communication - with the Houdin.io platform. + ### Flow Description: - ### Parameters Description + 1. **Initialization**: The action retrieves the 'API Key' and 'Verify SSL' settings + from the integration's global configuration. - | Parameter | Type | Mandatory | Description | + 2. **Manager Setup**: It initializes the `HoudinManager` with these credentials. - | :--- | :--- | :--- | :--- | + 3. **Connectivity Test**: It calls the `test_connectivity` method, which sends + a POST request to the Houdin.io `/ping` endpoint. - | API Key | String | Yes | The API key used for authentication with the Houdin.io - API. | + 4. **Validation**: The action checks the HTTP response status. If it receives + a 200 OK, the connection is confirmed. - | Verify SSL | Boolean | No | If enabled, the action will verify the SSL certificate - of the Houdin.io API endpoint. Defaults to False. | + 5. **Completion**: The action returns a boolean 'true' on success or 'false' if + an exception or authentication error occurs. - ### Flow Description + ### Parameters Description: - 1. **Initialization**: The action extracts the API Key and SSL verification preference - from the integration configuration. + | Parameter Name | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | No Action Parameters | N/A | N/A | This action does not take any input parameters; + it relies solely on the integration's configuration (API Key and Verify SSL). + | - 2. **Connectivity Check**: It initializes the HoudinManager and calls the `test_connectivity` - method. - 3. **API Interaction**: The manager sends a POST request to the Houdin.io `/ping` - endpoint using the provided API key. + ### Additional Notes: - 4. **Outcome**: If the API responds with a success status (HTTP 200), the action - completes with a 'Connection Established' message. If the connection fails or - the API returns an error, the action catches the exception and reports the failure. + * This action is strictly for health checks and does not process any entities + or alert data. + + * It uses a POST request for the ping endpoint as required by the Houdin.io API + specification. capabilities: can_create_case_comments: false can_create_insight: false @@ -128,16 +180,41 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Scan Artifact: ai_description: >- ### General Description The **Scan Artifact** action allows users to submit a specific artifact (such as an IP address, URL, Domain, or File Hash) to the Houdin.io platform for comprehensive - security scanning. It integrates with various third-party scanners to provide - a consolidated view of the artifact's reputation and threat profile. This action - is designed to be used when a specific indicator needs deep analysis beyond standard - enrichment. + security analysis. It supports a variety of third-party scanners and returns the + aggregated results directly into the Google SecOps platform. This action is asynchronous, + meaning it initiates a scan and then polls for the results until the analysis + is complete. ### Parameters Description @@ -147,41 +224,38 @@ Scan Artifact: | :--- | :--- | :--- | :--- | | **artifact** | String | Yes | The specific indicator to be scanned. Supported - formats include IPv4, IPv6, URL, Domain, MD5, SHA1, and SHA256. | + formats include Public IPv4/IPv6, URL, Domain, MD5, SHA1, and SHA256. | - | **scanOn** | Multi-choice | No | A list of specific scanners to utilize (e.g., - vt, urlscan, abuseipdb, alienvault, triage, mesmer, servicenow). If left empty, - the platform uses its default scanner set. | + | **scanOn** | Multi-choice | No | A list of specific scanners to be utilized + by Houdin.io. Options include `vt` (VirusTotal), `urlscan`, `alienvault`, `abuseipdb`, + `triage`, `mesmer`, and `servicenow`. If left empty, default scanners are used. + | ### Flow Description - 1. **Initialization**: The action extracts the API key from the integration configuration - and initializes the Houdin connection manager. + 1. **Initialization**: The action extracts the API Key from the integration configuration + and the artifact/scanner details from the action parameters. - 2. **Scan Submission**: It sends a POST request to the Houdin.io API (`scan/launch`) - with the provided artifact and the list of selected scanners. + 2. **Scan Launch**: It sends a POST request to the Houdin.io API to initiate a + scan for the provided artifact. - 3. **Asynchronous Polling**: The action enters a polling phase, sending GET requests - to the Houdin API (`scan/result`) to check the status of the scan. It will continue - to poll until the scan is complete or the maximum number of retries is reached. + 3. **Polling**: Because the action is asynchronous, it enters a polling loop, + periodically checking the status of the scan using the unique Scan ID received + during the launch phase. - 4. **Data Retrieval**: Once the scan is finished, the action retrieves the full - JSON result set containing the findings from all utilized scanners. + 4. **Data Retrieval**: Once the scan status indicates completion, the action retrieves + the full JSON report of the findings. - 5. **Output**: The final results are attached to the action as a JSON result and - a specific 'HoudinResult' object for use in subsequent playbook logic. + 5. **Output**: The final results are attached to the action execution as a JSON + result and a specific 'HoudinResult' object for use in downstream playbook logic. ### Additional Notes - - This action does not automatically iterate over entities in a Google SecOps - case; the artifact must be explicitly provided as a parameter (often via a placeholder - from a previous step or entity). - - - Because this action involves external scanning which can take time, it is marked - as asynchronous. Users should ensure the action timeout in the Google SecOps IDE - is configured appropriately for long-running scans. + - This action is marked as **async**. Users should ensure that the script timeout + in the Google SecOps IDE is configured to allow enough time for external scanners + to complete their analysis. capabilities: can_create_case_comments: false can_create_insight: false @@ -190,8 +264,8 @@ Scan Artifact: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - The action performs a POST request to the Houdin.io API to initiate a new scan - job, which creates a new scan resource and consumes platform credits/quota. + The action performs a POST request to the Houdin.io API to 'launch' a new scan + job, which creates a new record/task on the external platform. fetches_data: true internal_data_mutation_explanation: null categories: @@ -211,3 +285,28 @@ Scan Artifact: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: true + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/partner/houdin_io/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/houdin_io/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..2e831240c --- /dev/null +++ b/content/response_integrations/third_party/partner/houdin_io/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + siem: false + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/infoblox_nios/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/infoblox_nios/resources/ai/actions_ai_description.yaml index 7bc03f1b5..1b4167a36 100644 --- a/content/response_integrations/third_party/partner/infoblox_nios/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/infoblox_nios/resources/ai/actions_ai_description.yaml @@ -1,74 +1,67 @@ Create Host Record: ai_description: >- - ### General Description + Adds a host record to Infoblox NIOS with associated IPv4 and IPv6 addresses. This + action is primarily used for IPAM (IP Address Management) and DNS inventory management. + When the 'Configure for DNS' parameter is enabled, the action automatically creates + the corresponding A, AAAA, and PTR DNS records in the specified DNS view. - The **Create Host Record** action adds a new host record to the Infoblox NIOS - system. This action is used for IP Address Management (IPAM) and DNS inventory, - allowing users to define a host with its associated IPv4 and IPv6 addresses, aliases, - and metadata. When the DNS configuration is enabled, it automatically manages - corresponding A, AAAA, and PTR records. + ### Flow Description: - ### Parameters Description + 1. **Parameter Extraction:** The action retrieves the host name (FQDN), IP address + arrays, DNS view, and other optional configurations like aliases and extended + attributes from the action parameters. - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | + 2. **Validation:** It validates that the host name is provided and that the IP + address objects (IPv4/IPv6) are in the correct JSON format. - | **Name** | String | Yes | The FQDN of the host (e.g., `server1.example.com`). - It must belong to an existing DNS zone. | + 3. **API Interaction:** It sends a POST request to the Infoblox NIOS WAPI `/record:host` + endpoint to create the host record. - | **IPv4 Addresses** | String | No | A JSON array of IPv4 address objects (e.g., - `[{"ipv4addr":"192.168.1.100","mac":"00:11:22:33:44:55","configure_for_dhcp":true}]`). - | + 4. **Result Processing:** Upon success, it returns the created record's details + in JSON format and populates a data table named 'Hosts' in the Google SecOps case. - | **IPv6 Addresses** | String | No | A JSON array of IPv6 address objects (e.g., - `[{"ipv6addr":"2001:db8::1"}]`). | - | **View** | String | No | The DNS view in which the record resides (default: - `default`). | + ### Parameters Description: - | **Comment** | String | No | Additional information or notes about this host - record. | + | Parameter | Type | Mandatory | Description | - | **Aliases** | String | No | Comma-separated list of DNS aliases (CNAMEs) for - this host. | + | :--- | :--- | :--- | :--- | - | **Configure for DNS** | Boolean | No | If set to `false`, the host record will - not have associated DNS records. Default is `true`. | + | Name | String | Yes | The FQDN of the host (e.g., `server1.auth.threat.zone`). + It must belong to an existing DNS zone. | - | **Extended Attributes** | String | No | Comma-separated key/value pairs for - Infoblox extended attributes (e.g., `Site=New York,Owner=Security`). | + | IPv4 Addresses | String | No | A JSON array of IPv4 objects, e.g., `[{"ipv4addr":"192.168.1.100","mac":"00:11:22:33:44:55","configure_for_dhcp":true}]`. + | - | **Additional Parameters** | String | No | A JSON object containing additional - parameters supported by the Infoblox WAPI. | + | IPv6 Addresses | String | No | A JSON array of IPv6 objects, e.g., `[{"ipv6addr":"2001:db8::1"}]`. + | + | View | String | No | The DNS view in which the record resides (default is 'default'). + | - ### Flow Description + | Comment | String | No | Additional information or notes about this host record. + | - 1. **Input Validation**: The action validates that the `Name` is provided and - that `IPv4 Addresses`, `IPv6 Addresses`, and `Additional Parameters` are provided - in valid JSON formats. + | Aliases | String | No | Comma-separated list of DNS aliases (CNAMEs) for this + host. | - 2. **Attribute Parsing**: It parses the `Extended Attributes` string into the - specific dictionary format required by the Infoblox API. + | Configure for DNS | Boolean | No | When true (default), the host record includes + associated DNS records. | - 3. **API Request**: It sends a POST request to the Infoblox `/record:host` endpoint - with the constructed payload. + | Extended Attributes | String | No | Comma-separated key/value formatted filter + for extended attributes (e.g., `Site=New York`). | - 4. **Result Processing**: If successful, the action returns the created record's - details in JSON format and populates a 'Hosts' data table in the case wall for - visibility. + | Additional Parameters | String | No | A JSON object containing additional parameters + supported by the Infoblox API (e.g., `{"use_ttl":true}`). | - ### Additional Notes + ### Additional Notes: - - While `IPv4 Addresses` and `IPv6 Addresses` are technically optional in the - parameter list, at least one is typically required by Infoblox to create a functional - host record. + - The 'Name' parameter must be a valid FQDN. - - The `Name` parameter is effectively mandatory as the script performs a manual - validation check and will fail if it is empty. + - IP address parameters must be formatted as valid JSON arrays of objects as required + by the Infoblox WAPI. capabilities: can_create_case_comments: false can_create_insight: false @@ -77,8 +70,8 @@ Create Host Record: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new host record and potentially associated DNS records (A, AAAA, PTR) - in the Infoblox NIOS system via a POST request. + Creates a new host record and potentially associated DNS A, AAAA, and PTR records + in the Infoblox NIOS instance. fetches_data: false internal_data_mutation_explanation: null categories: @@ -98,61 +91,88 @@ Create Host Record: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Create RPZ A Rule: ai_description: >- - ### General Description + Creates an RPZ (Response Policy Zone) Substitute rule in Infoblox NIOS. This action + allows administrators to map a specific domain name (A record) or an IPv4 address + to a substitute IPv4 address. This is primarily used for DNS redirection, sinkholing, + or blocking malicious traffic at the DNS level. - The **Create RPZ A Rule** action allows users to create a Response Policy Zone - (RPZ) Substitute rule within Infoblox NIOS. This rule maps a specific domain name - (A record) or an IPv4 address to a substitute IPv4 address. This is primarily - used for DNS redirection, sinkholing, or blocking access to malicious destinations - by providing an alternative IP response. + ### Flow Description - ### Parameters Description + 1. **Parameter Extraction:** The action retrieves the object type (Domain or IP), + the rule name, the target RP Zone, and the substitute IPv4 address from the input + parameters. - | Parameter | Type | Mandatory | Description | + 2. **Validation:** It validates that the rule name and RP Zone are non-empty strings + and ensures the provided IPv4 address is in a valid format. - | :--- | :--- | :--- | :--- | + 3. **Endpoint Selection:** Based on the 'Object Type' parameter, the action selects + the appropriate Infoblox WAPI endpoint (either `record:rpz:a` for domains or `record:rpz:a:ipaddress` + for IP addresses). - | **Object Type** | DDL | Yes | Determines the type of record to create. Options - are `IP Address` or `Domain Name`. | + 4. **Rule Creation:** It sends a POST request to the Infoblox API to create the + new rule, including any optional comments or additional JSON parameters provided + by the user. - | **Name** | String | Yes | The name or FQDN of the rule to be created. | + 5. **Output Generation:** Upon success, the action returns the raw JSON of the + created record and populates a data table named 'RPZ A Rule' with the rule's details. - | **RP Zone** | String | Yes | The specific Response Policy Zone where the rule - will be assigned. | - | **IPv4 Address** | String | Yes | The substitute IPv4 address that will be returned - by the DNS server for this rule. | + ### Parameters Description - | **Comment** | String | No | An optional descriptive comment for the rule. | + | Parameter Name | Type | Mandatory | Description | - | **Additional Parameters** | String | No | A JSON-formatted string containing - extra parameters for the Infoblox WAPI request. | + | :--- | :--- | :--- | :--- | + | Object Type | DDL | Yes | Determines the type of record to create. Options are + 'Domain Name' or 'IP Address'. | - ### Flow Description + | Name | String | Yes | The domain name or IP address that the rule will apply + to. | + + | RP Zone | String | Yes | The name of the Response Policy Zone where the rule + will be created. | - 1. **Parameter Extraction:** The action retrieves the configuration and action - parameters, including the object type, rule name, target zone, and substitute - IP. + | IPv4 Address | String | Yes | The substitute IPv4 address that the DNS query + will be redirected to. | - 2. **Validation:** It validates that the `Name` and `RP Zone` are non-empty, - the `IPv4 Address` is a valid IPv4 format, and the `Additional Parameters` (if - provided) is a valid JSON object. + | Comment | String | No | An optional description or note for the rule. | - 3. **API Preparation:** Based on the `Object Type`, it selects the appropriate - Infoblox WAPI endpoint (`record:rpz:a` for domains or `record:rpz:a:ipaddress` - for IPs). + | Additional Parameters | String | No | A JSON object string containing extra + Infoblox-specific parameters for the record creation. | - 4. **Rule Creation:** It constructs the request body, ensuring the rule name - is correctly formatted with the zone suffix, and sends a POST request to the Infoblox - API. - 5. **Result Processing:** Upon success, it parses the API response, creates a - data table named 'RPZ A Rule' with the record details, and returns the raw JSON - result. + ### Additional Notes + + - The 'Name' parameter is automatically formatted to include the 'RP Zone' suffix + if it is not already present, ensuring compatibility with Infoblox naming conventions. capabilities: can_create_case_comments: false can_create_insight: false @@ -182,59 +202,84 @@ Create RPZ A Rule: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: true + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Create RPZ AAAA Rule: ai_description: >- - Creates a Response Policy Zone (RPZ) AAAA rule in Infoblox NIOS. This action allows - for DNS redirection or blocking by mapping a domain name or an IPv6 address to - a substitute IPv6 address. It is primarily used for security enforcement within - a DNS environment. + Creates an RPZ (Response Policy Zone) AAAA rule in Infoblox NIOS. This action + allows for DNS redirection or blocking by mapping a domain name or an IPv6 address + to a substitute IPv6 address. It is primarily used to implement security policies + at the DNS level, such as sinkholing malicious domains or redirecting traffic + from known bad IPv6 addresses. - ### Parameters Description + ### Flow Description: + 1. **Parameter Extraction:** The action retrieves the object type (Domain Name + or IP Address), the rule name, the target RP Zone, and the substitute IPv6 address + from the input parameters. - | Parameter | Type | Mandatory | Description | + 2. **Validation:** It validates that the required strings are non-empty and that + the provided IPv6 address follows the correct format. - | :--- | :--- | :--- | :--- | + 3. **API Interaction:** Based on the 'Object Type', it determines the specific + Infoblox WAPI endpoint (either `record:rpz:aaaa` or `record:rpz:aaaa:ipaddress`) + and sends a POST request to create the record. - | Object Type | DDL | Yes | Determines if the rule is for a 'Domain Name' or an - 'IP Address'. This affects the underlying Infoblox record type created. | + 4. **Result Processing:** Upon success, the action retrieves the created record's + details, formats them into a data table, and provides the raw JSON response. - | Name | String | Yes | The name of the rule (e.g., the domain or IP address to - be intercepted). | - | RP Zone | String | Yes | The specific Response Policy Zone where the rule will - be created. | + ### Parameters Description: - | IPv6 Address | String | Yes | The substitute IPv6 address that the DNS query - will be redirected to. | + | Parameter Name | Type | Mandatory | Description | - | Comment | String | No | An optional description or note for the rule. | + | :--- | :--- | :--- | :--- | - | Additional Parameters | String | No | A JSON-formatted string containing extra - parameters supported by the Infoblox WAPI for record creation. | + | **Object Type** | DDL | Yes | Determines if the rule targets a 'Domain Name' + or an 'IP Address'. | + | **Name** | String | Yes | The FQDN or identifier for the rule. | - ### Flow Description + | **RP Zone** | String | Yes | The name of the Response Policy Zone where the + rule will be created. | + | **IPv6 Address** | String | Yes | The substitute IPv6 address used for redirection + or blocking. | - 1. **Initialization**: The action retrieves integration configuration (API Root, - credentials) and user-provided parameters. + | **Comment** | String | No | An optional descriptive comment for the rule. | - 2. **Validation**: It validates that mandatory strings are non-empty, ensures - the 'IPv6 Address' is a valid IPv6 format, and parses 'Additional Parameters' - if provided. + | **Additional Parameters** | String | No | A JSON string containing extra key-value + pairs for advanced Infoblox record configuration. | - 3. **Logic Branching**: Based on the 'Object Type' selection, it selects the appropriate - Infoblox API identifier and record type (either a standard AAAA record or an IP-address-based - AAAA record). - 4. **External Interaction**: It performs a POST request to the Infoblox WAPI to - create the new RPZ rule. + ### Additional Notes: - 5. **Output**: Upon success, it adds the raw JSON response to the action results - and constructs a data table displaying the rule's reference ID, name, and assigned - zone. + - The 'Name' parameter is automatically suffixed with the 'RP Zone' name if it + doesn't already end with it to ensure the FQDN is correctly formed for Infoblox. capabilities: can_create_case_comments: false can_create_insight: false @@ -243,8 +288,8 @@ Create RPZ AAAA Rule: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new RPZ AAAA rule in the Infoblox NIOS system via a POST request to - the WAPI, which modifies the DNS policy configuration. + Creates a new RPZ AAAA rule record in the Infoblox NIOS system, which modifies + the DNS response policy configuration. fetches_data: false internal_data_mutation_explanation: null categories: @@ -264,71 +309,102 @@ Create RPZ AAAA Rule: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: true + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Create RPZ CNAME Rule: ai_description: >- - ### General Description - - Adds a CNAME rule to an existing Response Policy Zone (RPZ) in Infoblox NIOS to - override DNS behavior. This action allows administrators to define how specific - domains or IP addresses should be handled (e.g., blocked, passed through, or redirected) - within the DNS infrastructure. It supports various rule types such as Passthru, - Block, and Substitute. + Adds a CNAME rule to an existing Response Policy Zone (RPZ) in Infoblox NIOS. + This action allows administrators to override DNS behavior for specific domains + or IP addresses, enabling capabilities such as blocking resolution, passing traffic + through, or redirecting to a substitute domain. It supports different object types + including Domain Names, IP Addresses, and Client IP Addresses. ### Parameters Description + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | | Name | String | Yes | The rule name in a FQDN format. | - | RP Zone | String | Yes | The zone to assign the rule to. | + | RP Zone | String | Yes | The target Response Policy Zone to which the rule will + be added. | - | Rule Type | DDL | Yes | The type of the rule to create. Options: `Passthru`, - `Block (No such domain)`, `Substitute (Domain name)`, `Block (No data)`. | + | Rule Type | DDL | Yes | The behavior of the rule. Options: `Passthru`, `Block + (No such domain)`, `Substitute (Domain name)`, `Block (No data)`. | - | Object Type | DDL | Yes | The type of the object for which to assign the rule. - Options: `Domain Name`, `IP Address`, `Client IP Address`. | + | Object Type | DDL | Yes | The type of object the rule targets. Options: `Domain + Name`, `IP Address`, `Client IP Address`. | - | Substitute Name | String | No | The substitute name to assign (substitute domain - only). Mandatory if 'Rule Type' is 'Substitute (Domain name)'. | - - | Comment | String | No | Comment for this rule. | + | Substitute Name | String | No | The domain name to use as a substitute. This + is required if the 'Rule Type' is set to 'Substitute (Domain name)'. | | View | String | No | The DNS view in which the records are located. Defaults to 'default'. | - | Additional Parameters | String | No | JSON object containing additional parameters - to create the RPZ rule. | + | Comment | String | No | A descriptive comment for the rule. | + | Additional Parameters | String | No | A JSON object containing any additional + parameters for the Infoblox API request. | - ### Additional Notes - - **Conditional Requirement:** If 'Rule Type' is set to 'Substitute (Domain name)', - the 'Substitute Name' parameter must be provided. + ### Flow Description - - **Compatibility Check:** 'Substitute (Domain name)' rule type is not applicable - when 'Object Type' is 'IP Address' or 'Client IP Address'. - - **Rule Logic:** The action automatically determines the 'canonical' value for - the Infoblox API based on the selected 'Rule Type' (e.g., '*' for Block (No data), - 'rpz-passthru' for Passthru on Client IP). + 1. **Parameter Extraction:** The action retrieves all input parameters, including + the rule name, zone, type, and object target. + 2. **Validation:** It validates that mandatory fields like 'Name' and 'RP Zone' + are provided and ensures 'Additional Parameters' is a valid JSON object. + + 3. **Endpoint Selection:** Based on the 'Object Type' (Domain, IP, or Client IP), + the action selects the corresponding Infoblox WAPI endpoint. + + 4. **Logic Mapping:** The action maps the 'Rule Type' to the specific 'canonical' + value required by Infoblox (e.g., '*' for 'Block (No data)', 'rpz-passthru' for + 'Passthru' on Client IPs). + + 5. **API Execution:** A POST request is sent to the Infoblox NIOS server to create + the rule. + + 6. **Result Processing:** The action parses the API response, creates a data table + with the new rule's details, and returns the execution status. - ### Flow Description - 1. **Parameter Extraction:** The action retrieves and validates input parameters, - ensuring mandatory fields like 'Name' and 'RP Zone' are present. + ### Additional Notes - 2. **Logic Determination:** It determines the correct Infoblox API endpoint based - on the 'Object Type' and calculates the 'canonical' value based on the 'Rule Type'. - 3. **API Interaction:** The action sends a POST request to the Infoblox NIOS WAPI - to create the CNAME rule. + - **Conditional Requirement:** If the 'Rule Type' is set to 'Substitute (Domain + name)', the 'Substitute Name' parameter must be provided. - 4. **Result Processing:** Upon success, it parses the API response, creates a - data table with the rule details, and adds the raw JSON result to the action output. + - **Compatibility:** The 'Substitute (Domain name)' rule type is only applicable + when the 'Object Type' is 'Domain Name'. It cannot be used with IP Address or + Client IP Address object types. capabilities: can_create_case_comments: false can_create_insight: false @@ -337,8 +413,8 @@ Create RPZ CNAME Rule: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new CNAME rule in the Infoblox NIOS Response Policy Zone (RPZ) configuration, - which modifies the DNS resolution behavior for the specified target. + Creates a new CNAME rule in the specified Response Policy Zone (RPZ) on the + Infoblox NIOS server, which modifies the DNS resolution policy. fetches_data: false internal_data_mutation_explanation: null categories: @@ -358,27 +434,81 @@ Create RPZ CNAME Rule: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: true + add_ioc_to_blocklist: true + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Create RPZ MX Rule: ai_description: >- Adds a mail exchange (MX) override rule to a Response Policy Zone (RPZ) in Infoblox - NIOS. This action allows administrators to define custom mail routing policies - within a specific DNS response policy zone.\n\n### Parameters\n| Parameter | Type - | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Name | String | - Yes | The name of the rule to be created. |\n| RP Zone | String | Yes | The Response - Policy Zone where the rule will be added. |\n| Mail Exchanger | String | Yes | - The mail exchanger (host) for the rule. |\n| Preference | String | Yes | The preference - value for the MX record (0-65535). |\n| Comment | String | No | A descriptive - comment for the rule. |\n| Additional Parameters | String | No | A JSON object - containing any additional Infoblox WAPI parameters. |\n\n### Flow Description\n1. - **Parameter Extraction:** The action retrieves the rule name, target RP zone, - mail exchanger, preference, and optional comments or additional parameters.\n2. - **Validation:** It validates that mandatory fields are present, the preference - is a valid integer within the allowed range (0-65535), and additional parameters - are in valid JSON format.\n3. **API Interaction:** It connects to the Infoblox - NIOS API and performs a POST request to create the `record:rpz:mx` object.\n4. - **Result Processing:** Upon success, it returns the details of the created rule - in a JSON format and populates a data table for the user.\n\n### Additional Notes\n- - The rule name is automatically suffixed with the RP Zone name if not already present. + NIOS. This action allows administrators to define custom mail routing for specific + domains within a security policy zone, typically used for redirecting or managing + mail traffic for policy enforcement. + + + ### Flow Description + + 1. **Parameter Initialization:** The action retrieves integration credentials + (API Root, Username, Password) and extracts user-provided parameters including + the target RP Zone, the rule name, the mail exchanger address, and the preference + value. + + 2. **Validation:** It validates that mandatory fields (Name, RP Zone, Mail Exchanger, + Preference) are provided and that the Preference is a valid integer within the + allowed range (0-65535). + + 3. **API Interaction:** The action sends a POST request to the Infoblox WAPI endpoint + `/record:rpz:mx` with the rule details and any optional additional parameters + provided in JSON format. + + 4. **Output Generation:** Upon success, it returns the raw JSON of the created + record and displays a formatted data table containing the Reference ID, Name, + Mail Exchanger, and Preference of the new rule. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Name | String | Yes | The name of the rule (e.g., the domain name to override). + | + + | RP Zone | String | Yes | The specific Response Policy Zone where the rule will + be created. | + + | Mail Exchanger | String | Yes | The hostname of the mail server that will handle + mail for this rule. | + + | Preference | String | Yes | The priority of the mail exchanger (lower values + have higher priority). Must be an integer between 0 and 65535. | + + | Comment | String | No | An optional descriptive comment for the rule. | + + | Additional Parameters | String | No | A JSON object string containing extra + Infoblox WAPI parameters for the record creation. | capabilities: can_create_case_comments: false can_create_insight: false @@ -387,9 +517,9 @@ Create RPZ MX Rule: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Adds a new mail exchange (MX) override rule to a Response Policy Zone (RPZ) - in Infoblox NIOS. - fetches_data: false + Creates a new mail exchange (MX) record within a Response Policy Zone (RPZ) + on the Infoblox NIOS server via a POST request. + fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false @@ -408,59 +538,94 @@ Create RPZ MX Rule: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Create RPZ NAPTR Rule: ai_description: >- - Adds a NAPTR (Naming Authority Pointer) override rule in a Response Policy Zone - (RPZ) within Infoblox NIOS. This action is used to control DNS-based service discovery - by specifying how a domain name should be replaced or processed when multiple - rules exist. It allows administrators to define the sequence of rule application - and the preference for specific records. + Creates a NAPTR (Naming Authority Pointer) rule within a Response Policy Zone + (RPZ) in Infoblox NIOS. This action allows for the control of DNS-based service + discovery by defining how specific domain names should be rewritten or redirected. + It is primarily used for advanced DNS traffic management and policy enforcement. - ### Parameters Description + ### Flow Description + 1. **Parameter Extraction:** Retrieves the rule name, target RP Zone, order, preference, + replacement domain, and optional comments or additional JSON parameters. - | Parameter | Type | Mandatory | Description | + 2. **Validation:** Ensures that mandatory fields (Name, RP Zone, Replacement) + are provided. It specifically validates that 'Order' and 'Preference' are integers + between 0 and 65535. - | :--- | :--- | :--- | :--- | + 3. **Data Preparation:** Formats the rule name to ensure it is correctly associated + with the specified RP Zone and parses any provided 'Additional Parameters' from + a JSON string. - | Name | String | Yes | Specify the name of the rule to be created. | + 4. **API Interaction:** Executes a POST request to the Infoblox NIOS WAPI (`/record:rpz:naptr`) + to create the new rule. - | RP Zone | String | Yes | The Response Policy Zone to which the rule will be - assigned. | + 5. **Result Processing:** If successful, it adds the raw API response to the action + results and generates a data table summarizing the created NAPTR rule details. - | Order | String | Yes | Defines the sequence of rule application when multiple - rules exist. Must be a non-negative integer. | - | Preference | String | Yes | The preference value for the NAPTR record. Must - be a non-negative integer. | + ### Parameters Description - | Replacement | String | Yes | Specifies the next domain name to look up for non-terminal - NAPTR records. | + | Parameter | Type | Mandatory | Description | - | Comment | String | No | An optional comment or description for the rule. | + | :--- | :--- | :--- | :--- | - | Additional Parameters | String | No | A JSON object containing any additional - WAPI parameters required for the rule creation. | + | Name | String | Yes | The name of the NAPTR rule. The action automatically appends + the RP Zone name if not already present. | + | RP Zone | String | Yes | The specific Response Policy Zone where the rule will + be created. | - ### Flow Description + | Order | String | Yes | An integer (0-65535) defining the sequence in which NAPTR + records are processed. | + + | Preference | String | Yes | An integer (0-65535) defining the priority of the + rule when multiple records have the same order. | + | Replacement | String | Yes | The replacement domain name used for the substitution + logic in the NAPTR record. | - 1. **Parameter Extraction:** The action retrieves the configuration (API Root, - credentials) and action parameters (Name, RP Zone, Order, Preference, Replacement, - etc.). + | Comment | String | No | A descriptive comment for the rule record in Infoblox. + | - 2. **Validation:** It validates that mandatory strings are non-empty and that - 'Order' and 'Preference' are valid non-negative integers within the allowed range - (0-65535). It also ensures 'Additional Parameters' is a valid JSON object if provided. + | Additional Parameters | String | No | A JSON-formatted string containing any + additional supported Infoblox WAPI fields for the NAPTR record. | - 3. **API Interaction:** The action connects to the Infoblox NIOS API and performs - a POST request to the `record:rpz:naptr` endpoint to create the rule. - 4. **Result Processing:** Upon success, the action returns the raw JSON response - from Infoblox and constructs a data table displaying the created rule's details - (Reference ID, Name, RP Zone, Replacement, etc.). + ### Additional Notes + + - The 'Order' and 'Preference' parameters must be valid integers; otherwise, the + action will fail during the validation stage. + + - 'Additional Parameters' must be a valid JSON object (e.g., `{"extattrs": {"Site": + {"value": "New York"}}}`). capabilities: can_create_case_comments: false can_create_insight: false @@ -469,8 +634,8 @@ Create RPZ NAPTR Rule: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new NAPTR (Naming Authority Pointer) rule within a Response Policy - Zone (RPZ) in the Infoblox NIOS system via a POST request. + Creates a new NAPTR (Naming Authority Pointer) record within a Response Policy + Zone (RPZ) on the Infoblox NIOS server. fetches_data: false internal_data_mutation_explanation: null categories: @@ -490,14 +655,52 @@ Create RPZ NAPTR Rule: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Create RPZ PTR Rule: ai_description: >- - ### General Description - Adds a reverse DNS lookup override in a Response Policy Zone (RPZ) for an IP address - within Infoblox NIOS. This action allows administrators to define custom PTR records - within an RPZ to redirect or block reverse DNS queries by creating a `record:rpz:ptr` - object. + within Infoblox NIOS. This action allows administrators to define how specific + IP addresses should be resolved in reverse DNS lookups within a security policy + context. + + + ### Flow Description + + 1. **Parameter Extraction:** Retrieves the target RP Zone, PTR DName, and optional + fields like Name, Comment, and IP addresses from the action input. + + 2. **Validation:** Ensures mandatory strings are present, validates the format + of IPv4 and IPv6 addresses, and parses any provided JSON for additional parameters. + + 3. **API Interaction:** Executes a POST request to the Infoblox WAPI `record:rpz:ptr` + endpoint to create the new rule. + + 4. **Result Processing:** Captures the API response, formats the created rule + data into a structured table, and returns the JSON result to the SOAR platform. ### Parameters Description @@ -506,11 +709,11 @@ Create RPZ PTR Rule: | :--- | :--- | :--- | :--- | - | **RP Zone** | String | Yes | The specific Response Policy Zone where the rule - will be created. | - | **PTR DName** | String | Yes | The domain name of the RPZ substitute rule object - for the PTR record. | + of the PTR record. | + + | **RP Zone** | String | Yes | The specific Response Policy Zone to which the + rule will be assigned. | | **Name** | String | No | The name of the RPZ Substitute rule object. | @@ -523,31 +726,13 @@ Create RPZ PTR Rule: rule. | | **Additional Parameters** | String | No | A JSON object containing extra parameters - for the Infoblox WAPI request. | + supported by the Infoblox WAPI for RPZ PTR records. | ### Additional Notes - At least one of the following parameters must be provided for the action to succeed: - **Name**, **IPv4 Address**, or **IPv6 Address**. The action performs format validation - on IP addresses if they are provided. - - - ### Flow Description - - 1. **Parameter Extraction:** Retrieves the RP Zone, PTR DName, and optional fields - (Name, Comment, IPs, Additional Parameters) from the action input. - - 2. **Validation:** Ensures mandatory fields are non-empty and that at least one - identifying field (Name, IPv4, or IPv6) is populated. It also validates the syntax - of provided IP addresses and parses the 'Additional Parameters' JSON. - - 3. **API Interaction:** Executes a POST request to the Infoblox NIOS WAPI endpoint - for RPZ PTR records (`/record:rpz:ptr`). - - 4. **Result Processing:** Upon success, the action adds the raw JSON response - to the action results and constructs a data table summarizing the created PTR - rule for display in the case wall. + * At least one of 'Name', 'IPv4 Address', or 'IPv6 Address' must be provided for + the rule creation to be valid according to the integration logic. capabilities: can_create_case_comments: false can_create_insight: false @@ -556,8 +741,8 @@ Create RPZ PTR Rule: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new RPZ PTR rule (reverse DNS lookup override) in the Infoblox NIOS - instance via a POST request to the WAPI. + Creates a new RPZ PTR (Pointer) record in the Infoblox NIOS system, which modifies + the DNS response policy configuration. fetches_data: false internal_data_mutation_explanation: null categories: @@ -577,14 +762,38 @@ Create RPZ PTR Rule: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Create RPZ SRV Rule: ai_description: >- ### General Description - Adds an SRV record override in a Response Policy Zone (RPZ) for service-based - DNS lookups in Infoblox NIOS. This action allows security teams to redirect or - block specific service lookups by creating a Substitute (SRV Record) Rule within - a specified zone. + Adds an SRV (Service) record override in a Response Policy Zone (RPZ) within Infoblox + NIOS. This action is used to manage service-based DNS lookups, allowing administrators + to define how specific services are resolved or redirected within a managed zone. ### Parameters Description @@ -593,51 +802,50 @@ Create RPZ SRV Rule: | :--- | :--- | :--- | :--- | - | Name | String | Yes | The name of the rule to be created. | + | Name | String | Yes | The name of the SRV rule to be created. | | Priority | String | Yes | The priority of the SRV record. Must be a non-negative integer (0-65535). | - | RP Zone | String | Yes | The name of the response policy zone where the record + | RP Zone | String | Yes | The name of the Response Policy Zone where the record will reside. | - | Port | String | Yes | The port of the SRV record. Must be a non-negative integer + | Port | String | Yes | The port of the service. Must be a non-negative integer (0-65535). | - | Target | String | Yes | The target host associated with the record. | + | Target | String | Yes | The target host associated with the SRV record. | | Weight | String | Yes | The weight of the SRV record. Must be a non-negative integer (0-65535). | | Comment | String | No | An optional comment for the rule. | - | Additional Parameters | String | No | An optional JSON object containing extra - parameters for the Infoblox API call. | + | Additional Parameters | String | No | A JSON object containing additional Infoblox + WAPI parameters for the record creation. | ### Flow Description - 1. **Parameter Extraction:** The action retrieves the API configuration and the - rule details from the input parameters. + 1. **Parameter Extraction:** The action retrieves the RP Zone, Name, Priority, + Port, Weight, Target, and optional Comment/Additional Parameters from the input. - 2. **Validation:** It validates that mandatory fields (Name, RP Zone, Target) - are provided and that numeric fields (Priority, Port, Weight) are valid integers - within the allowed range (0-65535). + 2. **Validation:** It validates that mandatory strings are non-empty and that + Priority, Port, and Weight are valid non-negative integers within the range of + 0 to 65535. - 3. **API Interaction:** It uses the Infoblox API Manager to send a POST request - to the `/record:rpz:srv` endpoint with the rule details. + 3. **API Interaction:** It initializes the Infoblox API Manager and sends a POST + request to the `record:rpz:srv` endpoint to create the rule. - 4. **Result Processing:** If successful, it returns the created rule's details - in JSON format and displays them in a data table. If it fails, an error message - is returned. + 4. **Result Processing:** Upon success, the action adds the created rule's details + to a data table and returns the full JSON response to the SOAR. ### Additional Notes - - The `Priority`, `Port`, and `Weight` parameters are passed as strings but must - represent valid integers between 0 and 65535. + - The Priority, Port, and Weight parameters are accepted as strings but must represent + valid integers. - - The `Additional Parameters` must be a valid JSON object if provided. + - If 'Additional Parameters' is provided, it must be a valid JSON object. capabilities: can_create_case_comments: false can_create_insight: false @@ -646,8 +854,8 @@ Create RPZ SRV Rule: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new SRV record override in the specified Response Policy Zone (RPZ) - on the Infoblox NIOS server. + Creates a new SRV record override (record:rpz:srv) in the specified Response + Policy Zone on the Infoblox NIOS server. fetches_data: false internal_data_mutation_explanation: null categories: @@ -667,52 +875,89 @@ Create RPZ SRV Rule: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Create RPZ TXT Rule: ai_description: >- - ### General Description - - The **Create RPZ TXT Rule** action allows users to add a TXT record rule within - a specific Response Policy Zone (RPZ) in Infoblox NIOS. This is typically used - to associate descriptive text or metadata with DNS responses for security policies - or administrative tracking. + Adds a TXT record rule in a Response Policy Zone (RPZ) within Infoblox NIOS. This + action is used to associate specific text data with a DNS response for policy + or informational purposes. ### Parameters Description + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **RP Zone** | String | Yes | The FQDN of the Response Policy Zone where the - rule will be created. | + | RP Zone | String | Yes | The specific Response Policy Zone where the rule will + be assigned. | - | **Name** | String | Yes | The name of the rule (e.g., the domain name being - handled). | + | Name | String | Yes | The name of the rule to be created. | - | **Text** | String | Yes | The text data to be associated with the TXT record. - | + | Text | String | Yes | The text data to be associated with the TXT record. | - | **Comment** | String | No | An optional comment to describe the purpose of the - rule. | + | Comment | String | No | An optional comment to describe the purpose of the rule. + | - | **Additional Parameters** | String | No | A JSON-formatted string containing - additional fields supported by the Infoblox WAPI for TXT records. | + | Additional Parameters | String | No | A JSON-formatted string containing any + additional Infoblox-specific parameters for the record creation. | ### Flow Description - 1. **Parameter Extraction:** The action retrieves the RP Zone, Name, Text, and - optional fields from the user input. - 2. **Validation:** It ensures mandatory strings are non-empty and validates that - 'Additional Parameters' is a valid JSON object. + 1. **Initialization**: The action initializes the Infoblox API manager using the + provided integration credentials (API Root, Username, Password). + + 2. **Parameter Extraction**: It extracts the mandatory parameters (`RP Zone`, + `Name`, `Text`) and optional parameters (`Comment`, `Additional Parameters`) from + the action configuration. - 3. **API Interaction:** It constructs a POST request to the Infoblox NIOS WAPI - (`/record:rpz:txt`) with the provided data. The rule name is automatically formatted - to include the zone if not already present. + 3. **Validation**: The action validates that the mandatory strings are not empty + and that the `Additional Parameters` (if provided) is a valid JSON object. - 4. **Result Processing:** Upon success, the action returns the raw JSON response - and displays a summary table of the created TXT rule in the Google SecOps interface. + 4. **Rule Creation**: It calls the Infoblox API to create the RPZ TXT rule (`record:rpz:txt`). + The rule name is automatically formatted to include the zone suffix if it is not + already present. + + 5. **Result Processing**: Upon success, the action returns the raw JSON response + and populates a data table named "RPZ TXT Rule" with the record details, including + the Reference ID and the associated text. + + + ### Additional Notes + + + * The action will fail if the specified RP Zone does not exist or if the provided + `Additional Parameters` JSON is malformed. + + * This action does not process entities from the SecOps environment; it relies + entirely on user-provided parameters. capabilities: can_create_case_comments: false can_create_insight: false @@ -722,7 +967,7 @@ Create RPZ TXT Rule: can_update_entities: false external_data_mutation_explanation: >- Creates a new TXT record rule within a specified Response Policy Zone (RPZ) - in the Infoblox NIOS system via a POST request. + in the Infoblox NIOS system. fetches_data: false internal_data_mutation_explanation: null categories: @@ -742,74 +987,94 @@ Create RPZ TXT Rule: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Create Response Policy Zone: ai_description: >- - ### General Description - Creates a new Response Policy Zone (RPZ) in Infoblox NIOS to define custom DNS - responses. This action allows administrators to programmatically configure DNS - security policies, such as blocking specific domains or redirecting traffic, by - creating a dedicated zone with specific policies, severities, and types. + responses. This action allows administrators to programmatically set up DNS zones + that can be used for security policies, such as redirecting or blocking specific + DNS queries. It supports various policy types (GIVEN, NODATA, NXDOMAIN, PASSTHRU, + SUBSTITUTE) and allows for detailed configuration including severity levels, zone + types, and FireEye rule mappings. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Parameter Extraction:** Retrieves the FQDN, policy settings, severity, and + optional JSON configurations (FireEye mappings and additional parameters) from + the action input. - | :--- | :--- | :--- | :--- | + 2. **Validation:** Ensures the FQDN is provided and validates that 'Additional + Parameters' and 'Fireeye Rule Mapping' are valid JSON objects. - | FQDN | String | Yes | The name of the DNS zone in FQDN format. | + 3. **API Interaction:** Sends a POST request to the Infoblox WAPI `/zone_rp` endpoint + with the configured zone details. - | Substitute Name | String | No | The alternative name of the redirect target, - used when the policy involves substitution. | + 4. **Result Processing:** If successful, it parses the returned zone metadata, + creates a 'RP Zone' data table for the UI, and returns the full JSON response. - | Comment | String | No | A descriptive comment for the zone. | - | RPZ Policy | DDL | No | The override policy for the zone. Options include: DISABLED, - GIVEN, NODATA, NXDOMAIN, PASSTHRU, SUBSTITUTE. Default is GIVEN. | + ### Parameters Description - | RPZ Severity | DDL | No | The severity level assigned to the zone. Options include: - CRITICAL, MAJOR, WARNING, INFORMATIONAL. Default is MAJOR. | + | Parameter | Type | Mandatory | Description | - | RPZ Type | DDL | No | The type of the Response Policy Zone. Options include: - FEED, FIREEYE, LOCAL. Default is LOCAL. | + | :--- | :--- | :--- | :--- | - | Fireeye Rule Mapping | String | No | A JSON object string containing rules to - map FireEye alerts to the zone. | + | FQDN | string | Yes | The Fully Qualified Domain Name of the DNS zone to be + created. | - | Additional Parameters | String | No | A JSON object string containing any additional - parameters supported by the Infoblox WAPI for zone creation. | + | Substitute Name | string | No | The alternative name of the redirect target + if using a substitute response policy. | + | Comment | string | No | A descriptive comment for the zone. | - ### Additional Notes + | RPZ Policy | ddl | No | The override policy (e.g., GIVEN, NXDOMAIN, PASSTHRU). + Default is GIVEN. | - - This action does not operate on entities; it is a management action that requires - manual input of the FQDN. + | RPZ Severity | ddl | No | The severity level assigned to the zone (e.g., CRITICAL, + MAJOR). Default is MAJOR. | - - If 'Fireeye Rule Mapping' or 'Additional Parameters' are provided, they must - be valid, parseable JSON objects. + | RPZ Type | ddl | No | The type of RPZ (FEED, FIREEYE, or LOCAL). Default is + LOCAL. | + | Fireeye Rule Mapping | string | No | A JSON object defining rules to map FireEye + alerts to this zone. | - ### Flow Description - - 1. **Parameter Initialization**: The action retrieves the Infoblox connection - details and the user-provided parameters (FQDN, Policy, etc.). - - 2. **Validation**: It validates that the FQDN is a non-empty string and attempts - to parse 'Fireeye Rule Mapping' and 'Additional Parameters' as JSON objects. + | Additional Parameters | string | No | A JSON object containing any other supported + Infoblox WAPI parameters for zone creation. | - 3. **API Request**: The action calls the Infoblox WAPI via a POST request to the - `zone_rp` endpoint, passing the constructed configuration body. - 4. **Response Handling**: Upon a successful API call, the action parses the returned - zone data. + ### Additional Notes - 5. **Output Generation**: It adds the raw JSON response to the action results - and constructs a data table named "RP Zone" containing the details of the newly - created zone. + - This action does not run on entities; it is a management action that requires + manual input of the FQDN. - 6. **Finalization**: The action completes with a success message indicating the - zone was created. + - The 'Additional Parameters' field allows for advanced configuration not explicitly + covered by the standard action fields. capabilities: can_create_case_comments: false can_create_insight: false @@ -818,9 +1083,9 @@ Create Response Policy Zone: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new Response Policy Zone (RPZ) configuration in the external Infoblox - NIOS system via a POST request to the WAPI. - fetches_data: false + Creates a new Response Policy Zone (RPZ) resource within the Infoblox NIOS system + via a POST request. + fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false @@ -839,16 +1104,40 @@ Create Response Policy Zone: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false DHCP Lease Lookup: ai_description: >- ### General Description - Retrieves DHCP lease details from Infoblox NIOS for a specific MAC address, IP - address, or other identifiers. This action is essential for incident response - and network forensics, as it helps identify the device and user associated with - a specific network address at a given time. It queries the Infoblox WAPI `/lease` - endpoint and returns detailed information about the lease's state, duration, and - client metadata. + The **DHCP Lease Lookup** action retrieves detailed DHCP lease information from + Infoblox NIOS. It allows security analysts to search for lease records using various + identifiers such as IP addresses, MAC addresses (Hardware), hostnames, or usernames. + This action is essential for forensic investigations to identify which device + or user was assigned a specific IP address at a given point in time. ### Parameters Description @@ -857,56 +1146,57 @@ DHCP Lease Lookup: | :--- | :--- | :--- | :--- | - | IP Address | string | No | The IPv4 or IPv6 address to search for in the DHCP - leases. | - - | Hardware | string | No | The MAC address for IPv4 leases. Supports regex or - exact search. | + | **IP Address** | String | No | The IPv4 or IPv6 address to search for in the + lease database. | - | Hostname | string | No | The hostname sent via DHCP option 12. Supports regex + | **Hardware** | String | No | The MAC address for IPv4 leases. Supports regex or exact search. | - | IPv6 DUID | string | No | The IPv6 DUID identifier for IPv6 leases. Supports + | **Hostname** | String | No | The hostname sent via DHCP option 12. Supports + regex or exact search. | + + | **IPv6 DUID** | String | No | The IPv6 DUID identifier for IPv6 leases. Supports regex or exact search. | - | Protocol | ddl | No | Filters results by protocol: BOTH, IPV4, or IPV6. Default - is Both. | + | **Protocol** | DDL | No | Filters results by protocol: `Both`, `IPv4`, or `IPv6`. + Default is `Both`. | - | Fingerprint | string | No | The DHCP client fingerprint. Supports case-insensitive + | **Fingerprint** | String | No | The DHCP client fingerprint; supports case-insensitive or regex search. | - | Username | string | No | The user associated with the lease request. Supports + | **Username** | String | No | The user associated with the lease request; supports case-insensitive or regex search. | - | Limit | string | No | Maximum number of objects to return. Default is 100. | + | **Limit** | String | No | The maximum number of lease objects to return. Default + is 100. | - ### Flow Description + ### Additional Notes - 1. **Initialization**: The action initializes the API manager and extracts user-provided - parameters. + - This action does not automatically process entities from the case. It relies + on the provided search parameters. - 2. **Validation**: It validates the 'Limit' parameter to ensure it is a positive - integer and verifies the format of the 'IP Address' if provided. + - Results are output as a JSON object and a summary data table (displaying up + to 20 records) on the case wall. - 3. **Data Retrieval**: It sends a GET request to the Infoblox NIOS `/lease` endpoint, - applying filters for IP, MAC, hostname, DUID, fingerprint, and username as specified. - 4. **Processing**: The action iterates through the results, mapping them to a - structured data model and preparing a subset (up to 20 records) for display in - a data table. + ### Flow Description - 5. **Completion**: It outputs the full result set as JSON and populates the 'DHCP - Lease Lookup Data' table in the Google SecOps UI. + 1. **Parameter Extraction:** The action retrieves search filters (IP, MAC, Hostname, + etc.) and the result limit from the user input. + 2. **Validation:** It validates the `Limit` parameter to ensure it is a positive + integer and checks the format of the `IP Address` if provided. - ### Additional Notes + 3. **API Request:** It executes a GET request to the Infoblox NIOS WAPI `/lease` + endpoint, applying the specified filters as query parameters. - - This action does not automatically iterate over entities in the case scope; - it relies on the parameters provided in the action configuration. + 4. **Data Processing:** The action parses the returned lease records into a structured + format using the `DHCPLeaseLookup` data model. - - Regex search is supported for Hardware, Hostname, IPv6 DUID, Fingerprint, and - Username parameters. + 5. **Output Generation:** It populates the action's JSON result with the full + dataset and generates a data table for the case wall to provide immediate visibility + into the findings. capabilities: can_create_case_comments: false can_create_insight: false @@ -918,7 +1208,7 @@ DHCP Lease Lookup: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: true + enrichment: false entity_usage: entity_types: [] filters_by_additional_properties: false @@ -934,51 +1224,68 @@ DHCP Lease Lookup: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Delete RPZ Rule: ai_description: >- - ### General Description - - Deletes a specific Response Policy Zone (RPZ) rule from Infoblox NIOS. This action - is designed to remove existing rules by targeting their unique internal reference - ID. It supports all RPZ record types (such as A, AAAA, CNAME, TXT, etc.) because - the Infoblox API handles the deletion based on the object's specific reference - identifier. + Deletes a specific rule from a Response Policy Zone (RPZ) within Infoblox NIOS. + This action is used to remove existing DNS policies, such as blocks, redirects, + or passthru rules, by targeting the unique reference ID of the rule. It supports + all RPZ record types (A, AAAA, CNAME, MX, TXT, etc.) because the deletion is performed + against the object's unique identifier in the Infoblox database. ### Parameters Description - | Parameter | Type | Mandatory | Description | + + | Parameter | Description | Type | Mandatory | | :--- | :--- | :--- | :--- | - | Reference ID | String | Yes | The unique reference identifier (often starting - with `record:rpz:...`) of the RPZ rule to be deleted. | + | Reference ID | The unique WAPI reference string for the RPZ rule to be deleted + (e.g., `record:rpz:cname/ZG5zLmJpbmRfcnB6X2N6X25hbWUuY29tLmV4YW1wbGUuY29t:example.com/default`). + | String | Yes | ### Flow Description - 1. **Parameter Extraction**: The action retrieves the Infoblox connection details - (API Root, Username, Password) and the mandatory `Reference ID` from the action - parameters. - 2. **Validation**: It validates that the `Reference ID` is a non-empty string. - - 3. **API Interaction**: The action initializes the `APIManager` and executes a - `DELETE` request to the Infoblox WAPI endpoint using the provided reference ID. - - 4. **Error Handling**: The action includes specific error handling for `ItemNotFoundException` - (404 errors), providing a clear message if the rule does not exist. It also catches - general Infoblox and system exceptions. - - 5. **Completion**: If the deletion is successful, the action returns a success - message and sets the execution state to completed. + 1. **Parameter Extraction**: The action retrieves the `Reference ID` from the + user input and the connection details (API Root, Username, Password) from the + integration configuration. + 2. **Validation**: It validates that the `Reference ID` is a non-empty string. - ### Additional Notes + 3. **API Interaction**: The action initializes the `APIManager` and sends a `DELETE` + request to the Infoblox NIOS WAPI endpoint corresponding to the provided reference + ID. - This action does not process entities from the Google SecOps case. It operates - strictly on the provided `Reference ID` parameter. Users typically obtain this - ID from the output of a search or creation action within the same integration. + 4. **Response Processing**: If the API returns a success status, the action completes + with a success message. If the rule is not found (404) or the API returns an error, + the action catches the exception and reports the failure to the SOAR platform. capabilities: can_create_case_comments: false can_create_insight: false @@ -987,8 +1294,8 @@ Delete RPZ Rule: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Deletes a specific RPZ rule record from the Infoblox NIOS server, which modifies - the active DNS security policy configuration. + Deletes a specific Response Policy Zone (RPZ) rule from the Infoblox NIOS server, + which modifies the DNS policy configuration. fetches_data: false internal_data_mutation_explanation: null categories: @@ -1008,24 +1315,73 @@ Delete RPZ Rule: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: true + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Delete Response Policy Zone: - ai_description: "### General Description\nDeletes an existing Response Policy Zone\ - \ (RPZ) from the Infoblox NIOS server. This action is used to programmatically\ - \ remove DNS security policies that are no longer required, identified by their\ - \ unique internal reference ID.\n\n### Parameters Description\n| Parameter | Type\ - \ | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Reference ID |\ - \ String | Yes | The unique internal reference ID (e.g., `zone_rp/ZG5zLnpvbmUkLl9kZWZhdWx0LmNvbS5leGFtcGxl:example.com/default`)\ - \ of the response policy zone to be deleted. |\n\n### Flow Description\n1. **Initialization**:\ - \ The action initializes the Infoblox API manager using the provided integration\ - \ credentials (API Root, Username, and Password).\n2. **Parameter Validation**:\ - \ It validates that the `Reference ID` is provided and is a non-empty string.\n\ - 3. **API Execution**: The action sends a `DELETE` request to the Infoblox WAPI\ - \ endpoint corresponding to the specific resource reference.\n4. **Error Handling**:\ - \ \n * If the reference ID is not found (404), it returns a specific 'not found'\ - \ error message.\n * If the API returns a success, it confirms the deletion.\n\ - \ * General Infoblox or connection errors are caught and reported as failures.\n\ - 5. **Completion**: The action terminates, returning a success message and a boolean\ - \ result indicating whether the deletion was successful." + ai_description: >- + Deletes an existing Response Policy Zone (RPZ) from Infoblox NIOS. This action + uses the unique reference ID of the zone to perform a hard deletion via the Infoblox + WAPI. It is typically used for automated cleanup or decommissioning of security + policies. + + + ### Flow Description + + 1. **Parameter Extraction:** Retrieves the 'Reference ID' from the action parameters + and integration configuration (API Root, credentials). + + 2. **Validation:** Ensures the 'Reference ID' is a non-empty string. + + 3. **API Interaction:** Executes a DELETE request to the Infoblox WAPI endpoint + corresponding to the provided reference ID. + + 4. **Error Handling:** Specifically catches 'ItemNotFoundException' if the reference + ID does not exist, as well as general Infoblox or connection errors. + + 5. **Result Reporting:** Returns a success message if the deletion is confirmed + by the server. + + + ### Parameters Description + + | Parameter Name | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Reference ID | String | Yes | The unique internal reference identifier (e.g., + `zone_rp/ZG5zLnpvbmUkLl9kZWZhdWx0LmNvbS5leGFtcGxl:example.com/default`) of the + Response Policy Zone to be deleted. | + + + ### Additional Notes + + - This action performs a destructive operation in the external Infoblox system. + + - If the Reference ID is not found, the action will fail with a specific 'not + found' error message. capabilities: can_create_case_comments: false can_create_insight: false @@ -1034,8 +1390,8 @@ Delete Response Policy Zone: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Deletes a Response Policy Zone resource from the Infoblox NIOS server via a - DELETE request. + Deletes a Response Policy Zone resource from the Infoblox NIOS server using + a DELETE request. fetches_data: false internal_data_mutation_explanation: null categories: @@ -1055,18 +1411,44 @@ Delete Response Policy Zone: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Response Policy Zone Details: ai_description: >- ### General Description - Retrieves configuration details for a specified Response Policy Zone (RPZ) from - Infoblox NIOS. This action allows users to query for zone information using filters - such as FQDN, DNS view, and comments. It is primarily used for administrative - visibility and auditing of DNS security policies. + Retrieves configuration details for Response Policy Zones (RPZ) from Infoblox + NIOS. This action allows analysts to query the DNS security policy configurations, + including policy types, severities, and associated comments, providing visibility + into how specific DNS zones are being managed and filtered. ### Parameters Description + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | @@ -1075,10 +1457,10 @@ Get Response Policy Zone Details: | | View | String | No | The name of the DNS view in which the zone resides (e.g., - "external"). Defaults to "default". | + "external"). Defaults to "default" if not specified. | - | Comment | String | No | A comment string to filter the zones by (supports partial - matching). | + | Comment | String | No | Filter results by the comment string associated with + the zone. | | Limit | String | No | Maximum number of objects to be returned by the API. Defaults to 100. | @@ -1086,31 +1468,36 @@ Get Response Policy Zone Details: ### Flow Description - 1. **Parameter Initialization**: The action extracts the integration configuration - (API Root, credentials) and the action parameters (FQDN, View, Comment, Limit). + 1. **Initialization**: The action initializes the Infoblox API manager using the + provided API Root, Username, and Password from the integration configuration. - 2. **Validation**: The 'Limit' parameter is validated to ensure it is a positive + 2. **Parameter Extraction**: It extracts the FQDN, View, Comment, and Limit parameters + from the action input. + + 3. **Validation**: The 'Limit' parameter is validated to ensure it is a positive integer. - 3. **API Interaction**: The action uses the `APIManager` to perform a GET request - to the Infoblox `/zone_rp` endpoint, applying the provided filters and handling - pagination if necessary. + 4. **API Request**: The action performs a GET request to the Infoblox `/zone_rp` + endpoint, applying filters for FQDN, View, and Comment if provided. + + 5. **Data Processing**: The retrieved zone data is parsed and added to the action's + JSON results. - 4. **Data Processing**: The raw JSON response is captured. If results are found, - the action maps the data to the `RPZone` model. + 6. **UI Enhancement**: If zones are found, the action generates a data table titled + "Response Policy Zones" containing key fields such as Reference ID, FQDN, Policy, + Severity, and Type. - 5. **Output Generation**: The action adds the full JSON result to the execution - context and creates a data table named "Response Policy Zones" in the case, displaying - key attributes like Reference ID, FQDN, Policy, and Severity. + 7. **Completion**: The action concludes by reporting the number of zones successfully + retrieved. ### Additional Notes - - This action does not require or process specific entities from the Google SecOps - case; it operates based on the provided input parameters. + - If no specific FQDN is provided, the action will list all available Response + Policy Zones within the specified View. - - If no matching zones are found, the action completes with a success status but - notifies the user that no criteria were met. + - The data table displays a maximum of 20 records to maintain readability within + the Google SecOps interface. capabilities: can_create_case_comments: false can_create_insight: false @@ -1122,7 +1509,7 @@ Get Response Policy Zone Details: fetches_data: true internal_data_mutation_explanation: >- The action creates a data table named 'Response Policy Zones' within the Google - SecOps case to display retrieved configuration details. + SecOps case to display the retrieved configuration details. categories: enrichment: false entity_usage: @@ -1140,68 +1527,101 @@ Get Response Policy Zone Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false IP Lookup: ai_description: >- - Retrieves IP Address Management (IPAM) information from Infoblox NIOS based on - specific search criteria. This action allows users to query for details about - a single IP address, an entire network (CIDR), or a range of IP addresses. It - returns comprehensive data including status, MAC address, network associations, - and extended attributes. + Retrieves IP Address Management (IPAM) information from Infoblox NIOS for a specific + IP address, network, or IP range. This action allows analysts to query the Infoblox + database to identify the status, MAC address, and associated metadata of network + resources. It supports filtering by device status and extended attributes, providing + a comprehensive view of IP allocation and usage within the environment. - ### Parameters + ### Parameters Description + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | IP Address | String | No | The specific IP address to retrieve information for. + | IP Address | string | No | The specific IP address to look up (e.g., "192.168.1.1"). | - | Network | String | No | The network in FQDN/CIDR format (e.g., 192.168.1.0/24). + | Network | string | No | The network to search in FQDN/CIDR format (e.g., "192.168.1.0/24"). | - | From IP | String | No | The start of the IP range. Must be used with 'To IP'. - | + | From IP | string | No | The start of an IP range for the search. Must be used + with 'To IP'. | - | To IP | String | No | The end of the IP range. Must be used with 'From IP'. - | + | To IP | string | No | The end of an IP range for the search. Must be used with + 'From IP'. | - | Status | DDL | No | Filter by device status: All, Active, Used, or Unused. Default - is 'All'. | + | Status | ddl | No | Filter results by device status. Options: All, Active, Used, + Unused. Default is 'All'. | - | Extended Attributes | String | No | Comma-separated key/value filters (e.g., - 'Site=New York'). | + | Limit | string | No | Maximum number of objects to return. Default is 100. | - | Limit | String | No | Maximum number of records to return. Default is 100. | + | Extended Attributes | string | No | Comma-separated key/value filter for extended + attributes (e.g., "Site=New York"). | ### Additional Notes - - You must provide exactly one of the following: 'IP Address', 'Network', or both - 'From IP' and 'To IP'. - - The action will fail if multiple search types are provided simultaneously. + * **Search Criteria**: At least one of the following must be provided: 'IP Address', + 'Network', or both 'From IP' and 'To IP'. + + * **Exclusivity**: Only one search method (Single IP, Network, or Range) can be + used per action execution. + + * **IP Versions**: The action automatically handles both IPv4 and IPv6 addresses + based on the input format. ### Flow Description - 1. **Parameter Extraction & Validation**: The action extracts input parameters - and ensures that exactly one search mode (IP, Network, or Range) is selected. - It also validates the format of IP and network strings. - 2. **API Connection**: Initializes a connection to the Infoblox NIOS WAPI using - provided credentials. + 1. **Parameter Extraction**: Retrieves configuration settings and action parameters + from the SOAR environment. - 3. **Data Retrieval**: Executes a GET request to the appropriate Infoblox endpoint - (`/ipv4address` or `/ipv6address`) with pagination support based on the provided - limit. + 2. **Input Validation**: Ensures that exactly one valid search criteria is provided + and validates the format of IP and network strings. - 4. **Data Processing**: Parses the raw API response into a structured format using - the `IPLookup` data model, flattening attributes for display. + 3. **API Connection**: Initializes the Infoblox API manager using the provided + credentials and API root. - 5. **Output Generation**: Populates the action results with the raw JSON data - and creates an 'IP Lookup Data' table for the case wall. + 4. **Data Retrieval**: Executes a paginated GET request to the Infoblox WAPI endpoints + (`/ipv4address` or `/ipv6address`) based on the input. + + 5. **Data Processing**: Maps the raw API response to a structured data model, + extracting key fields such as MAC address, status, and usage. + + 6. **Output Generation**: Populates the action results with the full JSON response + and creates a CSV-formatted data table for the case wall. capabilities: can_create_case_comments: false can_create_insight: false @@ -1229,38 +1649,89 @@ IP Lookup: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false List Host Info: - ai_description: "### General Description\nThe **List Host Info** action retrieves\ - \ detailed host records from Infoblox NIOS based on user-defined search criteria.\ - \ It is designed to provide visibility into host configurations, including hostnames,\ - \ associated IPv4 and IPv6 addresses (A/AAAA records), PTR records, DNS view information,\ - \ and any configured extensible attributes (EAs). This action is primarily used\ - \ for asset discovery and verifying DNS/IPAM configurations within the Infoblox\ - \ environment.\n\n### Parameters Description\n| Parameter | Type | Mandatory |\ - \ Description |\n| :--- | :--- | :--- | :--- |\n| **IPv4 Address** | String |\ - \ No | Filters host records by a specific IPv4 address. |\n| **Name** | String\ - \ | No | Filters host records by the hostname. |\n| **IPv6 Address** | String\ - \ | No | Filters host records by a specific IPv6 address. |\n| **Extended Attributes**\ - \ | String | No | A comma-separated list of key/value pairs (e.g., \"Site=New\ - \ York,Department=IT\") used to filter records based on Infoblox extensible attributes.\ - \ |\n| **Limit** | String | No | Specifies the maximum number of host records\ - \ to return from the API. Defaults to 100. |\n\n### Flow Description\n1. **Initialization:**\ - \ The action initializes the Infoblox API manager and extracts the provided search\ - \ parameters (Name, IPv4, IPv6, Extended Attributes, and Limit).\n2. **Validation:**\ - \ It validates that the provided IP addresses follow standard IPv4/IPv6 formats\ - \ and ensures the 'Limit' parameter is a valid positive integer.\n3. **API Query:**\ - \ The action performs a GET request to the Infoblox NIOS WAPI `/record:host` endpoint,\ - \ applying the specified filters. It utilizes a paginator to handle large result\ - \ sets up to the defined limit.\n4. **Data Transformation:** The raw JSON response\ - \ is processed. If records are found, they are mapped to the Host datamodel.\n\ - 5. **Output Generation:** \n - The full raw data is attached to the action's\ - \ JSON results.\n - A data table named \"Hosts\" is created, displaying key\ - \ attributes (Reference ID, Name, View, Zone, IP Addresses, etc.) for up to 20\ - \ records.\n - An output message summarizes the number of hosts found.\n\n\ - ### Additional Notes\n- This action does not process Google SecOps entities; it\ - \ operates strictly on the input parameters provided in the action configuration.\n\ - - If no search criteria are provided, the action will return all host records\ - \ available up to the specified limit." + ai_description: >- + Retrieves host records from Infoblox NIOS based on specific search criteria such + as hostname, IPv4/IPv6 addresses, or extended attributes. This action is primarily + used for searching and listing existing host information within the Infoblox environment + without modifying any records. + + + ### Flow Description: + + 1. **Parameter Extraction:** The action retrieves the search criteria from the + user inputs, including 'Name', 'IPv4 Address', 'IPv6 Address', 'Extended Attributes', + and a 'Limit' for the number of results. + + 2. **Validation:** It validates that the provided IP addresses are in the correct + format and that the 'Limit' is a positive integer. + + 3. **API Query:** It performs a GET request to the Infoblox WAPI `/record:host` + endpoint, applying the filters provided in the parameters. + + 4. **Pagination:** If the number of results exceeds the page size, the action + handles pagination to retrieve records up to the specified limit. + + 5. **Output Generation:** The retrieved host data is returned as a JSON object. + Additionally, a summary table ('Hosts') is created in the Google SecOps case, + displaying key details like Reference ID, Name, View, Zone, and associated IP + addresses for the first 20 records. + + + ### Parameters Description: + + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Name | String | No | The hostname to search for in Infoblox host records. | + + | IPv4 Address | String | No | The IPv4 address associated with the host record. + | + + | IPv6 Address | String | No | The IPv6 address associated with the host record. + | + + | Extended Attributes | String | No | Comma-separated key/value pairs used to + filter hosts by custom metadata (e.g., "Site=New York,Dept=IT"). | + + | Limit | String | No | The maximum number of host records to return. Defaults + to 100. | + + + ### Additional Notes: + + * This action does not iterate over entities in the Google SecOps case; it relies + entirely on the provided input parameters. + + * If no search criteria (Name, IPv4, IPv6, or Extended Attributes) are provided, + the action will return all host records up to the specified limit. capabilities: can_create_case_comments: false can_create_insight: false @@ -1288,50 +1759,89 @@ List Host Info: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false List Network Info: ai_description: >- - ### General Description\n\nThe **List Network Info** action retrieves a list of - defined IPv4 and IPv6 networks and subnets from the Infoblox NIOS IPAM (IP Address - Management) system. This action is designed for general network discovery and - inventory management, allowing users to query the IPAM database for network configurations, - utilization data, and associated metadata.\n\n### Parameters Description\n\n| - Parameter | Type | Mandatory | Default | Description |\n| :--- | :--- | :--- | - :--- | :--- |\n| **Network** | String | No | N/A | The network address in CIDR - notation (e.g., \"192.168.1.0/24\"). If provided, the action filters for this - specific network. |\n| **Limit** | String | No | 100 | The maximum number of network - objects to be returned from the Infoblox server. |\n| **Extended Attributes** - | String | No | N/A | A comma-separated key/value formatted filter for extended - attributes (e.g., \"Site=New York,Environment=Production\"). |\n\n### Flow Description\n\n1. - **Parameter Extraction and Validation:** The action retrieves the integration - configuration and action parameters. It validates that the **Limit** is a positive - integer and that the **Network** (if provided) is in a valid CIDR format.\n2. - **API Request Construction:** The action constructs a GET request to the Infoblox - `/network` endpoint. If **Extended Attributes** are provided, they are parsed - and added as query parameters.\n3. **Data Retrieval:** The action performs a paginated - request to Infoblox to fetch the network information based on the specified criteria.\n4. - **Result Processing:** The raw JSON response is captured. The action then maps - the results to a structured `Network` data model, extracting fields such as Network - View, Utilization, and Comments.\n5. **Output Generation:** The action adds the - full JSON result to the execution context and creates a data table (showing up - to 20 records) for display in the Google SecOps case wall.\n\n### Additional Notes\n\n- - This action does not operate on specific entities (like IP or Hostname entities) - but rather performs a global query against the Infoblox IPAM database.\n- If no - parameters are provided, the action will return all defined networks up to the - specified limit. + Lists defined IPv4/IPv6 networks and subnets in Infoblox NIOS IPAM. This action + allows users to retrieve a list of network objects filtered by CIDR notation or + extended attributes. It is primarily used for network discovery and verifying + subnet configurations within the IPAM environment. + + + ### Parameters Description + + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Network | String | No | The network address in CIDR notation (e.g., "192.168.1.0/24") + to filter the results. | + + | Limit | String | No | Maximum number of objects to be returned. Defaults to + 100 if not specified. | + + | Extended Attributes | String | No | Comma-separated key/value pairs used to + filter results by Infoblox extended attributes (e.g., "Site=New York,Owner=IT"). + | + + + ### Flow Description + + + 1. **Parameter Extraction**: The action retrieves the 'Network', 'Limit', and + 'Extended Attributes' from the input parameters. + + 2. **Validation**: It validates that the 'Limit' is a positive integer and that + the 'Network' (if provided) follows valid CIDR notation for IPv4 or IPv6. + + 3. **API Interaction**: The action connects to the Infoblox NIOS WAPI and performs + a GET request to the `/network` endpoint, applying the provided filters and handling + pagination to respect the 'Limit'. + + 4. **Data Processing**: The retrieved network data is processed using the internal + Network data model to extract fields such as Network View, Container, Comment, + and Utilization. + + 5. **Output Generation**: The action attaches the complete JSON response to the + case and generates a 'Networks' data table displaying the first 20 results for + quick analyst review. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: >- - The action adds a data table and JSON results to the action execution context - for display in the SOAR interface. + internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1347,29 +1857,52 @@ List Network Info: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: - ai_description: "### General Description\nThe **Ping** action is a diagnostic tool\ - \ used to verify the connectivity between Google SecOps and the Infoblox NIOS\ - \ server. It ensures that the provided integration credentials (Username, Password)\ - \ and the API Root URL are correct and that the network path is open.\n\n### Parameters\ - \ Description\nThere are no specific input parameters for this action. It relies\ - \ entirely on the global integration configuration parameters:\n* **API Root**:\ - \ The base URL of the Infoblox NIOS WAPI.\n* **Username**: The account username\ - \ for authentication.\n* **Password**: The account password for authentication.\n\ - \n### Additional Notes\n* This action is typically used during the initial setup\ - \ of the Infoblox NIOS integration or for troubleshooting communication issues.\n\ - * It performs a simple `GET` request to the Infoblox schema endpoint (`/?_schema`)\ - \ to validate the connection.\n\n### Flow Description\n1. **Initialization**:\ - \ The action initializes the Siemplify context and logs the start of the process.\n\ - 2. **Parameter Retrieval**: It extracts the global integration configuration (API\ - \ Root, Username, Password).\n3. **Manager Setup**: An `APIManager` instance is\ - \ created using the retrieved credentials.\n4. **Connectivity Test**: The manager\ - \ executes a `GET` request to the Infoblox WAPI schema endpoint.\n5. **Result\ - \ Handling**: \n * If the request is successful, it logs a success message\ - \ and sets the execution state to completed.\n * If an exception occurs (e.g.,\ - \ authentication failure, timeout), it logs the error and sets the execution state\ - \ to failed.\n6. **Finalization**: The action ends by returning the connectivity\ - \ status and a descriptive message to the SOAR platform." + ai_description: "Tests the connectivity to the Infoblox NIOS server to ensure that\ + \ the integration can successfully communicate with the API. This action uses\ + \ the provided integration configuration parameters (API Root, Username, and Password)\ + \ to perform a basic authentication check and network reachability test against\ + \ the Infoblox WAPI.\n\n### Flow Description\n1. **Configuration Retrieval**:\ + \ The action starts by extracting the global integration parameters, including\ + \ the API Root URL, Username, and Password.\n2. **Manager Initialization**: It\ + \ initializes the `APIManager` which handles the HTTP session and authentication.\n\ + 3. **Connectivity Check**: The manager executes a `GET` request to the Infoblox\ + \ WAPI schema endpoint (`/?_schema`). This serves as a lightweight way to verify\ + \ that the credentials are valid and the server is reachable.\n4. **Outcome Reporting**:\ + \ \n * If the request is successful, the action returns a success message and\ + \ a result value of `True`.\n * If an exception occurs (e.g., authentication\ + \ failure, timeout, or DNS error), the action logs the error and returns a failure\ + \ message with a result value of `False`.\n\n### Parameters Description\n| Parameter\ + \ Name | Description | Type | Mandatory |\n| :--- | :--- | :--- | :--- |\n| N/A\ + \ | This action does not take any input parameters. It relies solely on the integration's\ + \ configuration settings. | N/A | N/A |\n\n### Additional Notes\n* This action\ + \ is typically used during the initial setup of the integration or for troubleshooting\ + \ communication issues between Google SecOps and the Infoblox environment." capabilities: can_create_case_comments: false can_create_insight: false @@ -1397,15 +1930,39 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Search RPZ Rule: ai_description: >- ### General Description Searches for specific Response Policy Zone (RPZ) rules within Infoblox NIOS. This - action allows users to query the Infoblox WAPI for various RPZ record types (such - as A, CNAME, MX, or TXT) based on a rule name. It is primarily used for auditing - existing security policies or verifying the presence of specific DNS block/allow - rules. + action allows users to query for various RPZ record types (like A, CNAME, MX, + etc.) by their name. It retrieves detailed configuration data, which is then presented + as a JSON result and a formatted data table within the SOAR case for analyst review. ### Parameters Description @@ -1414,57 +1971,54 @@ Search RPZ Rule: | :--- | :--- | :--- | :--- | - | **Object Type** | DDL | Yes | The Infoblox object type to search for. Supported - types include `record:rpz:a`, `record:rpz:cname`, `record:rpz:txt`, etc. | + | Object Type | DDL | Yes | The Infoblox object type to search for (e.g., record:rpz:a, + record:rpz:cname). | - | **Rule Name** | String | No | The full name of the rule to search for (e.g., - `malicious.domain.com`). | + | Rule Name | String | No | The full name of the rule (e.g., name.domain.com). + | - | **Output Fields** | String | No | A comma-separated list of specific fields - to retrieve from the Infoblox object (e.g., `address, comment`). | + | Output Fields | String | No | Comma-separated fields to include in the response. + 'name' and 'view' are included by default. | - | **Limit** | String | No | The maximum number of rule objects to return in the - results. Defaults to 100. | + | Limit | String | No | Maximum number of objects to return. Defaults to 100. + | ### Additional Notes - - This action does **not** operate on entities from the alert context. It relies - entirely on the manual input provided in the parameters. + - This action does not process entities from the case; it relies entirely on the + provided input parameters. - - The action automatically includes default fields (`name`, `view`) in the output - even if not explicitly requested. + - If 'Output Fields' are provided, the action automatically includes 'name' and + 'view' in the results. - - Results are displayed in a data table (up to 20 records) and the full raw data - is available in the JSON result. + - The data table displays up to 20 records. ### Flow Description - 1. **Initialization**: Extracts integration configuration (API Root, Credentials) - and action parameters. + 1. Initialize the Infoblox API manager with provided credentials. - 2. **Validation**: Validates the `Limit` parameter to ensure it is a positive - integer and processes the `Output Fields` string into a list. + 2. Validate the 'Limit' parameter to ensure it is a positive integer. - 3. **API Request**: Executes a paginated GET request to the Infoblox WAPI endpoint - corresponding to the selected `Object Type` and `Rule Name`. + 3. Construct the API request using the specified 'Object Type' and 'Rule Name'. - 4. **Data Transformation**: Parses the returned JSON data into `RPZRule` data - models. + 4. Execute a paginated GET request to the Infoblox WAPI. - 5. **Output**: Adds the full result set to the action's JSON output and constructs - a data table for the SOAR case wall showing the rule details. + 5. Process the returned rules and generate a data table for the first 20 records. + + 6. Output the full results in JSON format. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: false + can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: null + internal_data_mutation_explanation: >- + Adds a data table named 'RPZ Rules' to the case containing the search results. categories: enrichment: false entity_usage: @@ -1482,15 +2036,55 @@ Search RPZ Rule: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Update RPZ CNAME Rule: ai_description: >- Updates an existing Response Policy Zone (RPZ) CNAME rule in Infoblox NIOS to modify DNS behavior. This action allows for the modification of rule types, names, - and associated metadata for existing DNS security policies. + and associated zones, enabling dynamic control over DNS filtering and redirection. - ### Parameters Description + ### Flow Description + + 1. **Parameter Validation:** The action validates that the mandatory parameters + 'Reference ID', 'RP Zone', and 'Name' are provided and non-empty. + + 2. **Logic Determination:** It determines the 'canonical' value for the DNS rule + based on the selected 'Rule Type' (e.g., setting it to '*' for 'Block (No data)' + or 'rpz-passthru' for 'Passthru'). + 3. **API Interaction:** It executes a PUT request to the Infoblox WAPI using the + provided 'Reference ID' to update the rule configuration. + + 4. **Output Generation:** Upon success, it retrieves the updated rule details, + formats them into a data table ('RPZ CNAME Rule'), and provides the raw JSON response. + + + ### Parameters Description | Parameter | Type | Mandatory | Description | @@ -1499,25 +2093,24 @@ Update RPZ CNAME Rule: | Reference ID | String | Yes | The unique reference ID of the existing RPZ rule to be updated. | - | Rule Type | DDL | Yes | The behavior of the rule. Options include: 'Passthru', - 'Block (No such Domain)', 'Block (No data)', and 'Substitute (Domain name)'. | + | Rule Type | DDL | Yes | The behavior of the rule. Options: Passthru, Block (No + such Domain), Block (No data), Substitute (Domain name). | | Name | String | Yes | The rule name in FQDN format. | - | RP Zone | String | Yes | The Response Policy Zone to which the rule belongs. + | RP Zone | String | Yes | The Response Policy Zone to which the rule is assigned. | - | Comment | String | No | An optional comment describing the rule or the update. - | + | Comment | String | No | An optional comment or description for the rule. | - | Substitute Name | String | No | The substitute domain name to assign. This is - mandatory if the 'Rule Type' is set to 'Substitute (Domain name)'. | + | Substitute Name | String | No | The domain name to substitute. Required only + if 'Rule Type' is set to 'Substitute (Domain name)'. | - | View | String | No | The DNS view where the records are located. Defaults to - 'default'. | + | View | String | No | The DNS view where the record is located. Defaults to 'default'. + | - | Additional Parameters | String | No | A JSON object string containing any additional - Infoblox WAPI parameters for the rule update. | + | Additional Parameters | String | No | A JSON object containing any additional + Infoblox API parameters for rule modification. | ### Additional Notes @@ -1526,27 +2119,7 @@ Update RPZ CNAME Rule: must be provided. - The action will fail if the 'Reference ID' does not exist or if the 'Substitute - (Domain name)' type is attempted on IP-based RPZ rules. - - - ### Flow Description - - 1. **Parameter Extraction**: The action retrieves all input parameters, including - the mandatory 'Reference ID', 'Rule Type', 'Name', and 'RP Zone'. - - 2. **Validation**: It validates that mandatory strings are non-empty and parses - 'Additional Parameters' if provided as a JSON string. - - 3. **Logic Determination**: Based on the selected 'Rule Type', the script determines - the correct 'canonical' value (e.g., '*' for Block (No data), 'rpz-passthru' for - Passthru, or the 'Substitute Name' for substitution rules). - - 4. **API Interaction**: The action performs a PUT request to the Infoblox WAPI - using the provided 'Reference ID' to update the rule configuration. - - 5. **Result Processing**: Upon success, the action returns the updated rule details - in a JSON format and creates a data table named 'RPZ CNAME Rule' for the case - wall. + (Domain name)' type is applied to IP-based RPZ rules. capabilities: can_create_case_comments: false can_create_insight: false @@ -1556,8 +2129,9 @@ Update RPZ CNAME Rule: can_update_entities: false external_data_mutation_explanation: >- Updates an existing RPZ CNAME rule configuration in the Infoblox NIOS system - via a PUT request to the WAPI. - fetches_data: false + via a PUT request, which changes the DNS resolution behavior for the specified + domain or IP. + fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false @@ -1576,3 +2150,28 @@ Update RPZ CNAME Rule: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/partner/infoblox_nios/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/infoblox_nios/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..fb8271382 --- /dev/null +++ b/content/response_integrations/third_party/partner/infoblox_nios/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: true + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: true + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/infoblox_threat_defense_with_ddi/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/infoblox_threat_defense_with_ddi/resources/ai/actions_ai_description.yaml index 7911363f6..5e4e7a39a 100644 --- a/content/response_integrations/third_party/partner/infoblox_threat_defense_with_ddi/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/infoblox_threat_defense_with_ddi/resources/ai/actions_ai_description.yaml @@ -1,64 +1,60 @@ Create Custom List: ai_description: >- - ### General Description - - Creates a new custom list in the Infoblox Threat Defense platform. This action - allows users to define a named collection of indicators (such as IPv4 addresses, - IPv6 addresses, or domain names) that can be utilized within security policies - for filtering or threat management. + Creates a new custom list in Infoblox Threat Defense for use in security policies. + This action allows users to define a list of indicators (IPv4, IPv6, or domains) + along with metadata such as threat level, confidence level, and tags. The created + list can then be referenced in security policies to manage traffic filtering. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Name** | string | Yes | The unique name of the Custom List to be created. - | + | Name | String | Yes | The unique name of the Custom List to create. | - | **Type** | string | Yes | The category or type of the Custom List (default is - 'custom_list'). | + | Type | String | Yes | The type of Custom List (default: 'custom_list'). | - | **Items** | string | No | A comma-separated string of indicators (IPs or domains) - to populate the list initially. | + | Items | String | No | Comma-separated indicators (IPs or domains) to include + in the list. | - | **Description** | string | No | A brief explanation of the list's purpose. | + | Description | String | No | A brief description of the list's purpose. | - | **Confidence Level** | ddl | No | The confidence score associated with the list - indicators (High, Medium, Low). | + | Confidence Level | DDL | No | Confidence level for the list (High, Medium, Low). + | - | **Threat Level** | ddl | No | The severity of the threat associated with the - list (High, Medium, Low, Info). | + | Threat Level | DDL | No | Threat level for the list (High, Medium, Low, Info). + | - | **Tags** | string | No | A JSON-formatted string of tags to categorize the list. + | Tags | String | No | A JSON object string representing tags for categorization. | ### Additional Notes - - The **Items** parameter must contain valid IPv4, IPv6, or domain name formats; - otherwise, the action will fail during validation. + - The 'Tags' parameter must be a valid JSON object string (e.g., '{"key": "value"}'). - - The **Tags** parameter must be a valid JSON object string (e.g., `{"key": "value"}`). + - The 'Items' parameter is validated to ensure all entries are valid IPv4, IPv6, + or domain formats. ### Flow Description - 1. **Parameter Extraction:** The action retrieves configuration settings (API - Root, Key) and user-provided action parameters. + 1. **Parameter Extraction:** Retrieves the list name, type, items, and metadata + from the action input. - 2. **Validation:** It validates that mandatory strings are present and that any - provided indicators in the 'Items' list match expected network patterns (IP/Domain). + 2. **Validation:** Validates that the name and type are provided and that any + items provided follow valid IP or domain formats. - 3. **Payload Construction:** A JSON payload is built containing the list metadata - and items. + 3. **Payload Construction:** Builds the request body, including optional fields + like description and tags (parsed from JSON). - 4. **API Interaction:** The action sends a POST request to the Infoblox `/api/atcfw/v1/named_lists` + 4. **API Interaction:** Sends a POST request to the Infoblox `/api/atcfw/v1/named_lists` endpoint. - 5. **Result Processing:** Upon success, the action returns the raw JSON response - and generates a 'Custom List Details' data table in the Google SecOps interface. + 5. **Result Processing:** Returns the API response as JSON and populates a data + table with the new list's details. capabilities: can_create_case_comments: false can_create_insight: false @@ -67,8 +63,7 @@ Create Custom List: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new custom list resource in the Infoblox Threat Defense platform via - a POST request. + Creates a new custom list resource in Infoblox Threat Defense. fetches_data: false internal_data_mutation_explanation: null categories: @@ -88,15 +83,38 @@ Create Custom List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Create Network List: ai_description: >- ### General Description - This action creates a new network list within Infoblox Threat Defense. Network - lists are used to group IP addresses or CIDR blocks, which can then be referenced - in security policies to control traffic or apply specific security rules. This - is a management action used to define network boundaries or groups for security - enforcement. + Creates a new network list in Infoblox Threat Defense. Network lists are used + to group IP addresses or CIDR blocks, which can then be referenced in security + policies to define where specific security rules should be applied. ### Parameters Description @@ -107,40 +125,35 @@ Create Network List: | Name | String | Yes | The unique name for the network list to be created. | - | Items | String | Yes | A comma-separated string of items (e.g., IP addresses - or CIDR blocks) to include in the network list. | + | Items | String | Yes | A comma-separated list of IP addresses or CIDR blocks + to include in the network list. | - | Description | String | No | An optional text description providing context or - purpose for the network list. | + | Description | String | No | A descriptive text providing more context about + the network list. | ### Additional Notes - * The **Items** parameter must be provided as a comma-separated string; the action - will automatically parse this into a list for the API request. - - * The action performs validation to ensure that both **Name** and **Items** are - non-empty strings before attempting the API call. + This action does not operate on SecOps entities. It uses the provided input parameters + to create a resource directly in the Infoblox platform. If the network list name + already exists, the action will fail. ### Flow Description - 1. **Parameter Extraction:** The action retrieves the 'Name', 'Items', and 'Description' - from the input parameters. - - 2. **Validation:** It validates that the mandatory 'Name' and 'Items' fields are - not empty strings. + 1. **Parameter Extraction**: The action retrieves the `Name`, `Items`, and `Description` + from the user input. - 3. **Data Preparation:** The comma-separated 'Items' string is converted into - a Python list format. + 2. **Validation**: It ensures that the mandatory `Name` and `Items` fields are + populated and converts the comma-separated `Items` string into a list format. - 4. **API Interaction:** The action initializes the Infoblox API Manager and sends - a POST request to the `/api/atcfw/v1/network_lists` endpoint with the network - list details. + 3. **API Interaction**: The action sends a POST request to the Infoblox API endpoint + `/api/atcfw/v1/network_lists` with the provided details. - 5. **Result Processing:** The action parses the API response, populates a 'Network - List Details' data table with the created list's metadata (ID, Name, Description, - Policy ID), and returns the raw JSON result. + 4. **Result Processing**: Upon success, it parses the response into a `NetworkList` + data model, adds the raw JSON to the action results, and creates a data table + named 'Network List Details' containing the ID, Name, and Security Policy ID of + the new list. capabilities: can_create_case_comments: false can_create_insight: false @@ -170,78 +183,106 @@ Create Network List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Create Security Policy: ai_description: >- - ### General Description + Creates a new security policy in Infoblox Threat Defense. This action allows for + the comprehensive definition of security policies, including rules, network list + associations, DNS Forwarding Proxy (DFP) assignments, and roaming device group + configurations. It also supports enabling security features such as DNS rebinding + protection and safe search filtering. - Creates a new security policy in the Infoblox Threat Defense platform. This action - allows administrators to define policy names, descriptions, security rules, and - associations with network lists, DNS Forwarding Proxies (DFPs), and roaming device - groups. It also supports advanced security features like DNS rebinding protection - and safe search filtering. + ### Flow Description: - ### Parameters Description + 1. **Parameter Extraction:** The action retrieves the policy name, description, + rules, network lists, DFPs, roaming device groups, and other configuration settings + from the input parameters. - | Parameter | Type | Mandatory | Description | + 2. **Validation:** It validates that the mandatory 'Policy Name' is provided and + ensures that complex parameters like 'Rules', 'Tags', and 'Additional Parameters' + are valid JSON strings. - | :--- | :--- | :--- | :--- | + 3. **Payload Construction:** A JSON payload is constructed, converting comma-separated + lists into integer arrays and parsing JSON strings into objects. - | Policy Name | string | True | The unique name for the security policy. | + 4. **API Interaction:** The action sends a POST request to the Infoblox API to + create the security policy. - | Description | string | False | A brief description of the policy's purpose. - | + 5. **Result Processing:** Upon success, the action returns the raw JSON response + and populates a data table with the new policy's ID, name, description, and default + action. - | Rules | string | False | A JSON array of rule objects defining actions (e.g., - block, allow) and data types. | - | Network Lists | string | False | Comma-separated IDs of network lists to associate - with this policy. | + ### Parameters Description: - | DFPS | string | False | Comma-separated IDs of DNS Forwarding Proxies to associate - with this policy. | - | Roaming Device Groups | string | False | Comma-separated IDs of roaming device - groups to associate with this policy. | + | Parameter | Type | Mandatory | Description | - | Block DNS Rebinding | boolean | False | If true, enables protection against - DNS rebinding attacks. Default is false. | + | :--- | :--- | :--- | :--- | - | Safe Search | boolean | False | If true, enables safe search filtering for the - policy. Default is false. | + | Policy Name | String | True | The unique name for the new security policy. | - | Tags | string | False | A JSON object containing key-value pairs to categorize - the policy. | + | Description | String | False | A brief description of the security policy's + purpose. | - | Additional Parameters | string | False | A JSON object for advanced fields such - as precedence, access_codes, or doh_enabled. | + | Rules | String | False | A JSON array of rule objects defining actions (e.g., + block, allow) and criteria. | + | Network Lists | String | False | Comma-separated IDs of network lists to associate + with the policy. | - ### Additional Notes + | DFPS | String | False | Comma-separated IDs of DNS Forwarding Proxies to associate + with the policy. | + + | Roaming Device Groups | String | False | Comma-separated IDs of roaming device + groups to associate with the policy. | - - The 'Rules' parameter must be a valid JSON array string. + | Block DNS Rebinding | Boolean | False | If true, enables protection against + DNS rebinding attacks. Default is false. | - - The 'Tags' and 'Additional Parameters' must be valid JSON object strings. + | Safe Search | Boolean | False | If true, enables safe search filtering for the + policy. Default is false. | - - 'Network Lists', 'DFPS', and 'Roaming Device Groups' expect comma-separated - integers. + | Tags | String | False | A JSON object containing key-value pairs for categorizing + the policy. | + | Additional Parameters | String | False | A JSON object for advanced fields like + precedence, access_codes, or doh_enabled. | - ### Flow Description - 1. **Parameter Extraction:** The action retrieves all user-provided parameters - and validates that the mandatory 'Policy Name' is present. + ### Additional Notes: - 2. **Payload Construction:** It parses the input strings into their respective - formats (e.g., converting CSV strings to integer lists and JSON strings to Python - dictionaries). + - The 'Rules' parameter must be a valid JSON array of objects. - 3. **API Interaction:** The action sends a POST request to the Infoblox API endpoint - `/api/atcfw/v1/security_policies` with the constructed payload. + - The 'Tags' and 'Additional Parameters' must be valid JSON objects. - 4. **Result Processing:** Upon success, the action returns the raw JSON response - of the created policy and generates a data table titled 'Security Policy Details' - for the case wall. + - Network Lists, DFPS, and Roaming Device Groups should be provided as comma-separated + numeric IDs. capabilities: can_create_case_comments: false can_create_insight: false @@ -251,7 +292,7 @@ Create Security Policy: can_update_entities: false external_data_mutation_explanation: >- Creates a new security policy configuration within the Infoblox Threat Defense - platform via a POST request. + platform. fetches_data: false internal_data_mutation_explanation: null categories: @@ -271,15 +312,40 @@ Create Security Policy: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false DHCP Lease Lookup: ai_description: >- ### General Description - The **DHCP Lease Lookup** action retrieves detailed DHCP lease information from - Infoblox DDI based on user-defined filter criteria. This action is designed to - help security analysts identify IP address assignments, hostnames, and hardware - (MAC) addresses associated with network devices, providing critical context during - investigations. + This action retrieves DHCP lease information from Infoblox based on specific filter + criteria provided by the user. It is primarily used to identify the hardware (MAC + address), hostname, and state of a lease associated with a particular IP address + or other network identifiers. The results are returned as a raw JSON object and + a formatted data table within the Google SecOps platform. ### Parameters Description @@ -288,45 +354,45 @@ DHCP Lease Lookup: | :--- | :--- | :--- | :--- | - | **DHCP Lease Filter** | string | No | A logical expression used to filter DHCP - leases (e.g., `address == "192.168.1.1"` or `hostname == "ubuntu"`). | + | DHCP Lease Filter | string | No | A logical expression used to filter DHCP leases. + For example: `address == "192.168.1.10"` or `hostname == "workstation-01"`. | - | **Offset** | string | No | The starting point for pagination (default is "0"). - | + | Offset | string | No | The starting point for pagination. Defaults to "0". | - | **Limit** | string | No | The maximum number of lease records to return (default - is "100"). | + | Limit | string | No | The maximum number of lease records to return. Defaults + to "100". | - | **Order By** | string | No | A comma-separated list of fields to sort the results - by, supporting ascending (`asc`) or descending (`desc`) order. | + | Order By | string | No | A comma-separated list of fields to sort the results + by (e.g., `address asc`). | ### Additional Notes - - This action does not operate on specific entities within the Google SecOps case; - it relies entirely on the provided filter string to query the Infoblox database. + - This action does not automatically process entities from the current alert or + case. It relies entirely on the `DHCP Lease Filter` parameter to define the search + scope. - - The results are presented both as a raw JSON object and as a formatted data - table named "DHCP Leases". + - The data table displayed in the UI is limited to the first 20 records for readability, + while the full result set is available in the JSON output. ### Flow Description - 1. **Parameter Extraction**: The action retrieves the API configuration and user-provided - filter, pagination, and sorting parameters. + 1. **Parameter Extraction:** The action retrieves the filter, offset, limit, and + sorting parameters from the user input. - 2. **Validation**: The `Offset` and `Limit` parameters are validated to ensure - they are non-negative integers. + 2. **Validation:** It validates that the `Offset` and `Limit` parameters are valid + non-negative integers. - 3. **API Request**: A GET request is sent to the Infoblox `/api/ddi/v1/dhcp/lease` - endpoint using the specified filters. + 3. **API Interaction:** It sends a GET request to the Infoblox DDI API endpoint + `/api/ddi/v1/dhcp/lease` with the specified filters and pagination settings. - 4. **Data Processing**: The retrieved lease records are parsed and converted into - a flat format suitable for display. + 4. **Data Processing:** The raw API response is captured. If records are found, + they are mapped to a internal data model. - 5. **Output Generation**: The action populates the JSON result with the full API - response and creates a data table containing the lease details for visibility - in the case wall. + 5. **Output Generation:** The action attaches the full JSON response to the script + results and constructs a CSV-formatted data table named "DHCP Leases" for the + analyst view. capabilities: can_create_case_comments: false can_create_insight: false @@ -354,73 +420,176 @@ DHCP Lease Lookup: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false DNS Record Lookup: + ai_description: >- + ### General Description\nPerforms a DNS record query within Infoblox Threat Defense + and DDI to retrieve associated IP addresses or domains. This action allows users + to search for specific DNS records using flexible filtering criteria, including + record types, zone names, and tags. It supports pagination and custom sorting + to manage large result sets. The retrieved data is presented as a JSON object + and a formatted data table for analyst review.\n\n### Flow Description\n1. **Parameter + Initialization:** Retrieves and validates input parameters including DNS filters, + tag filters, pagination offsets, and limits.\n2. **API Request:** Executes a GET + request to the Infoblox DDI API endpoint for DNS records.\n3. **Data Processing:** + Parses the API response into structured DNS record models.\n4. **Output Generation:** + Populates the action results with the raw JSON response and creates a 'DNS Records' + data table in the SecOps case.\n\n### Parameters Description\n| Parameter | Type + | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| DNS Record Filter + | String | No | Logical expression to filter DNS records (e.g., `type=='PTR'`). + |\n| Tag Filter | String | No | Logical expression to filter records by assigned + tags. |\n| Offset | String | No | The starting index for pagination (defaults + to 0). |\n| Limit | String | No | The maximum number of records to return (defaults + to 100). |\n| Order By | String | No | Comma-separated fields to sort results + (e.g., `name desc`). |\n\n### Additional Notes\nThis action does not run on specific + entities but rather performs a global search based on the provided parameters. + capabilities: + can_create_case_comments: false + can_create_insight: false + can_modify_alert_data: false + can_mutate_external_data: false + can_mutate_internal_data: true + can_update_entities: false + external_data_mutation_explanation: null + fetches_data: true + internal_data_mutation_explanation: >- + Adds a data table to the case containing the retrieved DNS record information. + categories: + enrichment: false + entity_usage: + entity_types: [] + filters_by_additional_properties: false + filters_by_alert_identifier: false + filters_by_case_identifier: false + filters_by_creation_time: false + filters_by_entity_type: false + filters_by_identifier: false + filters_by_is_artifact: false + filters_by_is_enriched: false + filters_by_is_internal: false + filters_by_is_pivot: false + filters_by_is_suspicious: false + filters_by_is_vulnerable: false + filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false +Get Custom List: ai_description: >- ### General Description - - The **DNS Record Lookup** action performs a DNS record query to retrieve associated - IP addresses or domains from Infoblox Threat Defense. This action is designed - as a search tool that allows analysts to query the Infoblox DDI database for specific - DNS records using customizable filters, tags, and sorting parameters. It is particularly - useful for infrastructure discovery, verifying DNS configurations, and investigating - domain-to-IP mappings during security incidents. + The **Get Custom List** action retrieves the contents and metadata of custom lists + from Infoblox Threat Defense. This action allows analysts to audit existing lists, + verify configurations such as threat levels and confidence scores, or discover + list IDs for use in other automation tasks. It supports fetching a specific list + by its unique ID or searching for lists based on name, type, and tags. ### Parameters Description - | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **DNS Record Filter** | String | No | A logical expression used to filter DNS - records (e.g., `type=='PTR' and absolute_zone_name == 'Test'`). | + | **Custom List ID** | String | No | The unique identifier of the specific custom + list to retrieve. If provided, this takes precedence over other filters. | - | **Tag Filter** | String | No | A logical expression used to filter DNS records - based on specific tags (e.g., `'nios/federation_enabled'==true`). | + | **Name** | String | No | The name of the custom list to search for. This parameter + is used in conjunction with the **Type** parameter. | - | **Offset** | String | No | The starting point for pagination. Defaults to "0". - | + | **Type** | String | No | The type of the custom list (e.g., 'custom_list'). + Defaults to 'custom_list'. | - | **Limit** | String | No | The maximum number of results to return. Defaults - to "100". | + | **Tag Filter** | String | No | Filter security policies or lists by specific + tags using the format `'tag_name'='tag_value'`. | + + | **Tag Sort Filter** | String | No | Sort the retrieved custom lists based on + specific tags (e.g., 'Test1'). | - | **Order By** | String | No | A comma-separated list of JSON fields to sort the - results. Supports `asc` or `desc` directions and dot notation for nested fields. + | **Offset** | String | No | The starting point for pagination (default is '0'). | + | **Limit** | String | No | The maximum number of results to return (default is + '100'). | + ### Additional Notes + - If **Custom List ID** is provided, the action fetches that specific list directly, + ignoring other filters. - - This action does not operate on specific entities within a case; it is a global - lookup tool based on the provided input parameters. + - If both **Name** and **Type** are provided, the action performs a targeted search + for a list matching those criteria. - - The action displays up to 20 records in the "DNS Records" data table for quick - reference, while the full result set is available in the JSON output. + - If no specific identifiers are provided, the action returns a paginated list + of all available custom lists, optionally filtered by tags. ### Flow Description + 1. **Parameter Extraction:** The action extracts the API configuration and user-provided + search parameters from the environment. - 1. **Parameter Extraction:** The action retrieves the user-provided filters, pagination - settings (Offset, Limit), and sorting preferences (Order By). - - 2. **Validation:** The `Offset` and `Limit` parameters are validated to ensure - they are non-negative integers, with `Limit` specifically required to be greater - than zero. + 2. **Validation:** Integer-based parameters such as `Offset`, `Limit`, and `Custom + List ID` are validated to ensure they are non-negative integers. - 3. **API Execution:** The action initializes the Infoblox API Manager and performs - a GET request to the DNS record endpoint using the configured filters and pagination - parameters. + 3. **API Request:** The action constructs a GET request to the Infoblox API. The + endpoint varies based on whether a specific ID, a name/type pair, or general filters + are provided. - 4. **Data Transformation:** The retrieved DNS records are parsed and mapped to - a structured data model. The action flattens the data for tabular display. + 4. **Data Processing:** The raw API response is parsed using the `CustomList` + data model to extract key fields like ID, Name, Description, Confidence Level, + and Threat Level. - 5. **Result Reporting:** The full API response is attached as a JSON result to - the action. Additionally, a summary table titled "DNS Records" is created containing - the first 20 records for immediate visibility in the Google SecOps interface. + 5. **Output Generation:** The action populates a data table titled 'Custom List + Details' with the processed information and attaches the full raw JSON response + to the action results. capabilities: can_create_case_comments: false can_create_insight: false @@ -448,41 +617,47 @@ DNS Record Lookup: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false -Get Custom List: - ai_description: "### General Description\nRetrieves the contents and metadata of\ - \ custom lists from Infoblox Threat Defense. This action allows users to fetch\ - \ specific lists by their unique ID, search for lists by a combination of name\ - \ and type, or list all available custom lists using tag-based filters and pagination.\ - \ The retrieved data includes list IDs, names, descriptions, confidence levels,\ - \ threat levels, and item counts.\n\n### Parameters Description\n| Parameter |\ - \ Description | Type | Mandatory |\n| :--- | :--- | :--- | :--- |\n| Custom List\ - \ ID | The unique identifier of the Custom List to retrieve. If provided, this\ - \ takes precedence over other search parameters. | String | No |\n| Name | The\ - \ name of the custom list to search for. Must be used in conjunction with the\ - \ 'Type' parameter for a specific lookup. | String | No |\n| Type | The category\ - \ of the custom list (e.g., 'custom_list'). Defaults to 'custom_list'. | String\ - \ | No |\n| Tag Filter | A logical expression to filter results by tags (e.g.,\ - \ `'tag_name'='tag_value'`). | String | No |\n| Tag Sort Filter | Specifies the\ - \ tag field by which to sort the results. | String | No |\n| Offset | The starting\ - \ point for pagination (default is 0). | String | No |\n| Limit | The maximum\ - \ number of results to return in a single request (default is 100). | String |\ - \ No |\n\n### Additional Notes\n- The action logic follows a hierarchy: if `Custom\ - \ List ID` is provided, it performs a direct lookup. If both `Name` and `Type`\ - \ are provided, it searches for that specific pair. Otherwise, it performs a general\ - \ query using the provided tag filters and pagination settings.\n- Parameters\ - \ like `Offset`, `Limit`, and `Custom List ID` are validated as non-negative integers\ - \ before the API call is made.\n\n### Flow Description\n1. **Parameter Initialization**:\ - \ Extracts configuration (API Root, API Key) and action parameters from the Siemplify\ - \ environment.\n2. **Validation**: Validates that `Offset`, `Limit`, and `Custom\ - \ List ID` (if provided) are valid integers.\n3. **API Request**: \n - If a\ - \ `Custom List ID` is provided, it calls the specific list endpoint.\n - If\ - \ `Name` and `Type` are both provided, it queries the API for that specific list.\n\ - \ - Otherwise, it calls the base custom lists endpoint with optional tag filters\ - \ and pagination.\n4. **Data Processing**: Parses the raw JSON response into a\ - \ structured `CustomList` data model.\n5. **Output Generation**: \n - Adds\ - \ the full raw response to the action's JSON results.\n - Constructs a data\ - \ table titled 'Custom List Details' containing key fields like ID, Name, and\ - \ Threat Level for display in the SOAR interface." + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false +Get Indicator Intel Lookup Result: + ai_description: >- + ### General Description: Retrieves the results of a previously initiated Dossier + lookup job for indicators (IP, URL, Host, Email, or Hash) from Infoblox Threat + Defense. This action is used to fetch detailed threat intelligence data once a + background lookup job has been completed. ### Parameters Description: 1. Job ID + (String, Mandatory): The unique identifier of the Dossier lookup job to retrieve + results for. ### Flow Description: 1. Parameter Extraction: Retrieves the Job + ID from the action input. 2. API Request: Calls the Infoblox API endpoint /tide/api/services/intel/lookup/jobs/{job_id}/results + to fetch the job status and data. 3. Data Processing: Parses the returned JSON, + mapping results to the IndicatorIntelLookupResult data model. 4. Output Generation: + Adds the complete raw response to the action results and constructs a data table + showing up to 20 dossier records, including source, status, and truncated data + details. ### Additional Notes: This action does not run on entities directly; + it requires a valid Job ID generated by a preceding 'Initiate Indicator Intel + Lookup With Dossier' action. capabilities: can_create_case_comments: false can_create_insight: false @@ -494,7 +669,7 @@ Get Custom List: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: entity_types: [] filters_by_additional_properties: false @@ -510,14 +685,40 @@ Get Custom List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false -Get Indicator Intel Lookup Result: + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false +Get Network List: ai_description: >- ### General Description - Retrieves the results of a previously initiated Dossier lookup job from Infoblox - Threat Defense. This action is used to fetch detailed threat intelligence for - indicators (such as IP addresses, URLs, Hostnames, Emails, or Hashes) after a - lookup has been asynchronously started using a Job ID. + The **Get Network List** action retrieves the contents and metadata of network + lists from the Infoblox Threat Defense platform. This action allows analysts to + fetch specific network lists by their unique ID or to search through available + lists using logical filter expressions. It is useful for auditing network configurations + or dynamically retrieving list details for use in security playbooks. ### Parameters Description @@ -526,36 +727,47 @@ Get Indicator Intel Lookup Result: | :--- | :--- | :--- | :--- | - | Job ID | String | Yes | Specify the unique Job ID of the Dossier lookup job - to retrieve the results for. This ID is typically obtained from the output of - an initiation action. | + | Network List ID | String | No | The unique identifier of a specific network + list. If provided, the action fetches this specific list directly, ignoring other + filters. | + + | Security Network Filter | String | No | A logical expression string (e.g., `name + == 'net_list1'`) used to filter the collection of network lists returned by the + API. | + + | Offset | String | No | The pagination offset specifying the starting point of + the results. Defaults to "0". | + + | Limit | String | No | The maximum number of network lists to return in the response. + Defaults to "100". | ### Additional Notes - - This action does not process entities in the current scope; it relies entirely - on the provided `Job ID` parameter. + - The action validates that the `Network List ID`, `Offset`, and `Limit` are valid + non-negative integers before execution. - - The action displays up to 20 records in the 'Dossier Lookup Results' data table - for readability, while the full response is available in the JSON result. + - Results are presented in a structured data table (limited to the first 20 records + for display) and the full raw response is attached as a JSON result. ### Flow Description - 1. **Parameter Extraction**: The action retrieves the `Job ID` from the input - parameters and the API configuration from the integration settings. + 1. **Parameter Initialization**: The action extracts integration configuration + (API Root, API Key) and user-provided parameters. - 2. **Validation**: It ensures the `Job ID` is a valid, non-empty string. + 2. **Validation**: It validates that the pagination parameters and the Network + List ID (if provided) are correctly formatted integers. - 3. **API Interaction**: It calls the Infoblox API via a GET request to the Dossier - jobs results endpoint using the provided `Job ID`. + 3. **API Request**: The action performs a GET request to the Infoblox `/api/atcfw/v1/network_lists` + endpoint. If a specific ID is provided, it targets that resource directly. - 4. **Data Processing**: The response is parsed, and individual result items are - mapped to a structured data model. + 4. **Data Parsing**: The raw API response is processed using the `NetworkList` + data model to extract relevant fields like Name, Description, and Security Policy + ID. - 5. **Output Generation**: The action populates a data table with a summary of - the results and attaches the complete raw response as a JSON object for further - downstream processing. + 5. **Output Generation**: The action populates a SOAR data table with the retrieved + network list information and provides the full JSON payload for downstream tasks. capabilities: can_create_case_comments: false can_create_insight: false @@ -567,7 +779,7 @@ Get Indicator Intel Lookup Result: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: true + enrichment: false entity_usage: entity_types: [] filters_by_additional_properties: false @@ -583,62 +795,98 @@ Get Indicator Intel Lookup Result: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false -Get Network List: + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false +Get SOC Insights Assets: ai_description: >- - ### General Description - - Retrieves the contents of network lists from Infoblox Threat Defense. This action - allows users to fetch details for a specific network list by its ID or to query - multiple network lists using a logical filter expression. The retrieved data includes - network list names, descriptions, and associated security policy IDs, which are - presented as both a raw JSON result and a formatted data table within the case. + Retrieves a list of assets associated with a specific SOC Insight ID from Infoblox + Threat Defense. This action allows analysts to identify which devices or users + were involved in a particular security insight, providing critical context for + investigation. The results can be filtered by IP address, MAC address, operating + system version, or associated user, and the output is presented both as a raw + JSON and a formatted data table within the case. ### Parameters Description + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Network List ID | string | No | The unique identifier of the network list to - retrieve. If provided, the action fetches only this specific list and ignores - the 'Security Network Filter'. | + | Insight ID | String | Yes | The unique identifier of the Infoblox SOC Insight + to query assets for. | - | Security Network Filter | string | No | A logical expression string (e.g., `name - == 'net_list1'`) used to filter network lists when no specific ID is provided. - | + | Asset IP | String | No | Filter the results to only include assets matching + this IP address. | - | Offset | string | No | The starting index for pagination (default is '0'). | + | MAC Address | String | No | Filter the results to only include assets matching + this MAC address. | - | Limit | string | No | The maximum number of results to return (default is '100'). - | + | OS Version | String | No | Filter the results to only include assets running + this specific operating system version. | + + | User | String | No | Filter the results to only include assets associated with + this specific username. | + + | Limit | String | No | The maximum number of asset records to return (default + is 100). | + + | From | String | No | Filter for assets changed after this timestamp (Format: + YYYY-MM-DDTHH:mm:ss.SSS). | + + | To | String | No | Filter for assets changed before this timestamp (Format: + YYYY-MM-DDTHH:mm:ss.SSS). | ### Additional Notes - - If a 'Network List ID' is provided, the 'Security Network Filter' is ignored - by the API. + - This action does not run on entities; it requires a specific Insight ID as input. - - The action displays up to 20 records in the 'Network List' data table for readability, - while the full response is available in the JSON result. + - The data table displayed in the UI is limited to the first 20 records for readability, + while the full results are available in the JSON output. ### Flow Description - 1. **Parameter Initialization**: Extracts the API configuration and action parameters - (ID, Filter, Offset, Limit). + 1. **Parameter Extraction:** The action retrieves the Insight ID and optional + filters (IP, MAC, OS, User, Time range, and Limit) from the user input. - 2. **Validation**: Validates that the 'Network List ID', 'Offset', and 'Limit' - are valid non-negative integers. + 2. **Validation:** It validates that the Insight ID is provided and that the Limit + is a valid positive integer. - 3. **API Interaction**: Calls the Infoblox API's network lists endpoint. If an - ID is provided, it targets the specific resource; otherwise, it applies the filter - and pagination parameters. + 3. **API Request:** It sends a GET request to the Infoblox API endpoint for the + specified Insight's assets, applying the provided filters as query parameters. - 4. **Data Processing**: Parses the API response into the `NetworkList` data model. + 4. **Data Processing:** The response is parsed, and asset data is mapped to a + structured data model. - 5. **Output Generation**: Adds the full JSON response to the action results and - constructs a CSV-formatted data table named 'Network List' for the SOAR interface. + 5. **Output Generation:** The action adds the full API response as a JSON result + and constructs a CSV-formatted data table named 'Assets' containing key details + like IP, MAC, OS, and User for the retrieved assets. capabilities: can_create_case_comments: false can_create_insight: false @@ -649,8 +897,8 @@ Get Network List: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action adds a data table named 'Network List' to the Google SecOps case - to display the retrieved information. + Adds a data table named 'Assets' to the Google SecOps case containing details + of the retrieved assets. categories: enrichment: false entity_usage: @@ -668,80 +916,58 @@ Get Network List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false -Get SOC Insights Assets: - ai_description: >- - ### General Description - - The **Get SOC Insights Assets** action retrieves a list of assets associated with - a specific Infoblox SOC Insight ID. This action is used to identify which devices - or users were involved in a particular security insight, providing critical context - for incident response. It allows for granular filtering by IP address, MAC address, - operating system version, and associated user, as well as time-based filtering - for asset changes. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **Insight ID** | String | Yes | The unique identifier of the SOC Insight to - retrieve assets from. | - - | **Asset IP** | String | No | Filter the results to include only assets with - this specific IP address. | - - | **MAC Address** | String | No | Filter the results to include only assets with - this specific MAC address. | - - | **OS Version** | String | No | Filter the results by the operating system version - of the asset. | - - | **User** | String | No | Filter the results by the user associated with the - asset. | - - | **Limit** | String | No | The maximum number of results to return (Default is - 100). | - - | **From** | String | No | Filter for assets changed after this time (Format: - YYYY-MM-DDTHH:mm:ss.SSS). | - - | **To** | String | No | Filter for assets changed before this time (Format: YYYY-MM-DDTHH:mm:ss.SSS). - | - - - ### Additional Notes - - - The action returns a maximum of 20 records in the visible data table for performance - reasons, though the full list (up to the specified limit) is available in the - JSON result. - - - Time parameters must follow the ISO-like format `YYYY-MM-DDTHH:mm:ss.SSS` to - be processed correctly by the Infoblox API. - - - ### Flow Description - - 1. **Parameter Extraction**: The action retrieves the mandatory `Insight ID` and - optional filters (IP, MAC, OS, User, Time range, and Limit) from the input. - - 2. **Validation**: It validates that the `Insight ID` is not empty and that the - `Limit` is a valid positive integer. - - 3. **API Request**: It utilizes the `APIManager` to send a GET request to the - Infoblox `/api/v1/insights/{insight_id}/assets` endpoint with the provided query - parameters. - - 4. **Data Processing**: The response is parsed. If assets are found, they are - mapped to the `SOCInsightAsset` data model. - - 5. **Output Generation**: The action adds the raw JSON response to the execution - results and constructs a CSV-formatted data table named "Assets" containing key - details like Asset IP, MAC Address, Threat Level, OS Version, and User. - - 6. **Completion**: The action concludes by providing a summary message of the - number of assets found or an error message if the Insight ID is invalid. + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false +Get SOC Insights Comments: + ai_description: "### General Description\nRetrieves the list of comments associated\ + \ with a specific SOC Insight from Infoblox Threat Defense. This action allows\ + \ security analysts to view the chronological history of notes, status changes,\ + \ and manual entries associated with an insight, providing critical context for\ + \ investigation. It supports time-based filtering to narrow down results to a\ + \ specific window.\n\n### Parameters Description\n| Parameter | Type | Mandatory\ + \ | Description |\n| :--- | :--- | :--- | :--- |\n| Insight ID | String | Yes\ + \ | The unique identifier of the SOC Insight from which to retrieve comments.\ + \ |\n| From | String | No | Filter comments changed after this time. Expected\ + \ format: `YYYY-MM-DDTHH:mm:ss.SSS`. |\n| To | String | No | Filter comments changed\ + \ before this time. Expected format: `YYYY-MM-DDTHH:mm:ss.SSS`. |\n\n### Additional\ + \ Notes\n- The action retrieves comments via a GET request and does not modify\ + \ any data in Infoblox.\n- Results are displayed in a formatted data table named\ + \ \"SOC Insight Comments\" (up to a maximum of 20 records) and the full response\ + \ is provided in JSON format.\n\n### Flow Description\n1. **Initialization**:\ + \ Extracts API credentials and action parameters including the mandatory `Insight\ + \ ID` and optional `From`/`To` time filters.\n2. **Validation**: Ensures the `Insight\ + \ ID` is a non-empty string.\n3. **API Interaction**: Calls the Infoblox API GET\ + \ endpoint `/api/v1/insights/{insight_id}/comments` with the provided time filters\ + \ as query parameters.\n4. **Data Parsing**: Processes the returned comment list\ + \ using the `SOCInsightComment` data model, extracting fields such as the changer's\ + \ name, date of change, and the comment content.\n5. **Output Generation**: \n\ + \ - Populates a SOAR data table with the formatted comment details.\n -\ + \ Attaches the complete raw JSON response to the action results.\n6. **Finalization**:\ + \ Returns a success message indicating the number of comments retrieved or a failure\ + \ message if the Insight ID is invalid or the API call fails." capabilities: can_create_case_comments: false can_create_insight: false @@ -769,13 +995,40 @@ Get SOC Insights Assets: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false -Get SOC Insights Comments: + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false +Get SOC Insights Events: ai_description: >- ### General Description - Retrieves all comments associated with a specific SOC Insight from Infoblox Threat - Defense. This action allows analysts to review the history and notes attached - to an insight, with optional time-based filtering to narrow down the results. + The **Get SOC Insights Events** action retrieves a detailed list of security events + associated with a specific SOC Insight ID from Infoblox Threat Defense. This action + allows security analysts to investigate the underlying telemetry, DNS queries, + and policy actions that contributed to a specific threat detection or insight, + providing granular visibility into the observed malicious activity. ### Parameters Description @@ -784,116 +1037,79 @@ Get SOC Insights Comments: | :--- | :--- | :--- | :--- | - | Insight ID | String | Yes | The unique identifier of the SOC Insight to retrieve - comments for. | + | **Insight ID** | String | Yes | The unique identifier of the SOC insight to + query. | - | From | String | No | Filter comments changed after this time (Format: YYYY-MM-DDTHH:mm:ss.SSS). - | + | **Device IP** | String | No | Filters the results to events involving a specific + device IP address. | - | To | String | No | Filter comments changed before this time (Format: YYYY-MM-DDTHH:mm:ss.SSS). - | + | **Query** | String | No | Filters events by a specific DNS query string (e.g., + a malicious domain). | + + | **Query Type** | String | No | Filters events by DNS record types (e.g., A, + TXT, MX). | + + | **Source** | String | No | Filters events by the threat intelligence source + or feed (e.g., DFP). | + + | **Indicator** | String | No | Filters events by a specific threat indicator + such as a domain, IP, or hash. | + + | **Threat Level** | DDL | No | Filters events by severity level. Options: All, + Info, Low, Medium, High. | + + | **Confidence Level** | DDL | No | Filters events by confidence level. Options: + All, Low, Medium, High. | + + | **Limit** | String | No | The maximum number of events to return. Defaults to + 100. | + + | **From** | String | No | Start time for the event search in YYYY-MM-DDTHH:mm:ss.SSS + format. | + + | **To** | String | No | End time for the event search in YYYY-MM-DDTHH:mm:ss.SSS + format. | ### Flow Description - 1. **Parameter Extraction**: The action retrieves the Insight ID and optional - time filters from the user input. + 1. **Parameter Extraction:** The action retrieves the mandatory Insight ID and + optional filter criteria (IP, Query, Source, Time range, etc.) from the user input. - 2. **Validation**: Ensures the Insight ID is provided and formatted correctly. + 2. **Validation:** It validates that the Insight ID is non-empty and that the + Limit parameter is a valid positive integer. - 3. **API Interaction**: Queries the Infoblox API endpoint for comments related - to the specified Insight ID. + 3. **API Request:** The action sends a GET request to the Infoblox SOC Insights + API endpoint for events, applying all provided filter parameters. - 4. **Data Processing**: Parses the returned comments and maps them to a structured - format. + 4. **Data Processing:** The retrieved events are parsed into a structured format, + capturing details such as Device Name, Action taken, Security Policy triggered, + and Threat Family. - 5. **Output Generation**: Populates a data table named "SOC Insight Comments" - with the retrieved details and attaches the full JSON response to the action results. + 5. **Output Generation:** A data table named 'SOC Insight Events' is created (showing + up to 20 records for readability), and the full raw JSON response is attached + to the action results for further analysis. ### Additional Notes - - The data table displays a maximum of 20 records to maintain performance. + - If the 'Threat Level' or 'Confidence Level' is set to 'All', the filter is ignored + to return all available levels. - - If no comments are found for the given ID, the action will report success but - indicate that the list is empty. - capabilities: - can_create_case_comments: false - can_create_insight: false - can_modify_alert_data: false - can_mutate_external_data: false - can_mutate_internal_data: true - can_update_entities: false - external_data_mutation_explanation: null - fetches_data: true - internal_data_mutation_explanation: >- - Adds a data table named "SOC Insight Comments" to the Google SecOps case containing - the retrieved comment details. - categories: - enrichment: false - entity_usage: - entity_types: [] - filters_by_additional_properties: false - filters_by_alert_identifier: false - filters_by_case_identifier: false - filters_by_creation_time: false - filters_by_entity_type: false - filters_by_identifier: false - filters_by_is_artifact: false - filters_by_is_enriched: false - filters_by_is_internal: false - filters_by_is_pivot: false - filters_by_is_suspicious: false - filters_by_is_vulnerable: false - filters_by_modification_time: false -Get SOC Insights Events: - ai_description: "Retrieves a list of events associated with a specific SOC Insight\ - \ ID from Infoblox Threat Defense. This action allows analysts to drill down into\ - \ the specific activities and detections that triggered a SOC insight, providing\ - \ granular visibility into threat families, device names, and policy actions.\ - \ It supports extensive filtering by device IP, query strings, DNS query types,\ - \ threat sources, and indicators. The results are presented as a data table in\ - \ the case wall and a full JSON response for further processing.\n\n### Parameters\ - \ Description\n\n| Parameter | Type | Mandatory | Description |\n| :--- | :---\ - \ | :--- | :--- |\n| Insight ID | String | Yes | The unique identifier of the\ - \ SOC insight to retrieve events for. |\n| Device IP | String | No | Filter events\ - \ by the IP address of the involved device. |\n| Query | String | No | Filter\ - \ events by a specific query string. |\n| Query Type | String | No | Filter events\ - \ by DNS query type (e.g., A, TXT, MX). |\n| Source | String | No | Filter events\ - \ by the threat intelligence source or feed (e.g., DFP). |\n| Indicator | String\ - \ | No | Filter events by a specific threat indicator such as a domain, IP, or\ - \ hash. |\n| Threat Level | DDL | No | Filter by threat level. Options: All, Info,\ - \ Low, Medium, High. |\n| Confidence Level | DDL | No | Filter by confidence level.\ - \ Options: All, Low, Medium, High. |\n| Limit | String | No | Maximum number of\ - \ results to return (default is 100). |\n| From | String | No | Filter by events\ - \ detected after this time (Format: YYYY-MM-DDTHH:mm:ss.SSS). |\n| To | String\ - \ | No | Filter by events detected before this time (Format: YYYY-MM-DDTHH:mm:ss.SSS).\ - \ |\n\n### Flow Description\n\n1. **Parameter Extraction and Validation**: The\ - \ action extracts the Insight ID and optional filters. It validates that the Insight\ - \ ID is a non-empty string and that the Limit is a valid positive integer.\n2.\ - \ **API Interaction**: It calls the Infoblox API GET endpoint for SOC Insight\ - \ events, passing the Insight ID as a path parameter and the filters as query\ - \ parameters.\n3. **Data Transformation**: The raw JSON response is parsed, and\ - \ individual event records are mapped to the SOCInsightEvent data model.\n4. **Output\ - \ Generation**: \n * If events are found, it constructs a CSV-formatted data\ - \ table named \"SOC Insight Events\" containing key fields like Confidence Level,\ - \ Device Name, Action, and Threat Family.\n * It attaches the full JSON response\ - \ to the action results.\n * It provides a summary message indicating the number\ - \ of events retrieved." + - The action will return a success status even if no events are found, provided + the Insight ID is valid. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: >- - Adds a data table named 'SOC Insight Events' to the case wall containing details - of the retrieved events. + internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: entity_types: [] filters_by_additional_properties: false @@ -909,15 +1125,40 @@ Get SOC Insights Events: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get SOC Insights Indicators: ai_description: >- ### General Description - Retrieves a list of threat indicators associated with a specific SOC Insight from - Infoblox Threat Defense. This action allows analysts to drill down into the specific - indicators (such as domains or IPs) that triggered or are related to a security - insight, providing context on the threat actor, confidence levels, and actions - taken. + The **Get SOC Insights Indicators** action retrieves a list of indicators (such + as domains, IPs, or hashes) associated with a specific SOC Insight in Infoblox + Threat Defense. This action is used to gather detailed threat intelligence and + context about the indicators that triggered or are related to a specific security + insight, allowing analysts to understand the scope of the threat. ### Parameters Description @@ -926,52 +1167,59 @@ Get SOC Insights Indicators: | :--- | :--- | :--- | :--- | - | Insight ID | String | Yes | The unique identifier of the SOC insight to retrieve - indicators from. | + | **Insight ID** | String | Yes | The unique identifier of the SOC insight to + retrieve indicators from. | - | Confidence | String | No | Filter results by a specific confidence score. | + | **Confidence** | String | No | Filter indicators by their confidence score. + | - | Indicator | String | No | Filter results by a specific indicator value (e.g., - a domain name). | + | **Indicator** | String | No | Filter for a specific indicator value (e.g., a + specific domain or IP). | - | Actor | String | No | Filter results by a specific threat actor name. | + | **Actor** | String | No | Filter by a specific threat actor associated with + the indicators. | - | From | String | No | Filter for indicators seen after this timestamp (Format: - YYYY-MM-DDTHH:mm:ss.SSS). | + | **From** | String | No | Filter for indicators seen after this time. Expected + format: `YYYY-MM-DDTHH:mm:ss.SSS`. | - | To | String | No | Filter for indicators seen before this timestamp (Format: - YYYY-MM-DDTHH:mm:ss.SSS). | + | **To** | String | No | Filter for indicators seen before this time. Expected + format: `YYYY-MM-DDTHH:mm:ss.SSS`. | - | Action | String | No | Filter by the action taken on the indicator (e.g., 'block', - 'allow'). | + | **Action** | String | No | Filter by the action taken on the indicator (e.g., + Blocked, Logged). | - | Limit | String | No | The maximum number of results to return (Default is 100). - | + | **Limit** | String | No | The maximum number of results to return. Defaults + to 100. | - ### Flow Description + ### Additional Notes - 1. **Parameter Extraction**: The action extracts the mandatory `Insight ID` and - optional filters like `Confidence`, `Actor`, and time ranges. + - The action provides a summary table in the case wall showing up to 20 records + for quick review. - 2. **Validation**: It validates that the `Insight ID` is provided and that the - `Limit` is a valid positive integer. + - The full API response is available in the JSON results for use in subsequent + playbook logic. - 3. **API Request**: It calls the Infoblox API endpoint `/api/v1/insights/{insight_id}/indicators` - with the specified query parameters. - 4. **Data Processing**: The retrieved indicators are parsed into a structured - format using the `SOCInsightIndicator` model. + ### Flow Description - 5. **Output Generation**: The action generates a data table named 'SOC Insight - Indicators' (displaying up to 20 records) and attaches the full raw JSON response - to the action results. + 1. **Parameter Extraction:** The action extracts the mandatory `Insight ID` and + optional filters including Confidence, Indicator, Actor, Time range, Action, and + Limit. + 2. **Validation:** It validates that the `Insight ID` is a non-empty string and + that the `Limit` is a valid positive integer. - ### Additional Notes + 3. **API Request:** Sends a GET request to the Infoblox API endpoint for SOC insight + indicators using the provided filters. + + 4. **Data Processing:** Parses the returned indicator data. If indicators are + found, it constructs a data table named "SOC Insight Indicators" containing fields + such as Action, Confidence, Count, Feed Name, Threat Level Max, Indicator, and + Actor. - - This action does not run on entities; it requires a specific Insight ID, which - is typically obtained from a previous step or a SOC Insight alert. + 5. **Output:** Returns the full JSON response and displays the data table in the + Google SecOps case wall for analyst review. capabilities: can_create_case_comments: false can_create_insight: false @@ -999,67 +1247,86 @@ Get SOC Insights Indicators: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Security Policies: ai_description: >- - ### General Description + Retrieves all configured security policies and their metadata from Infoblox Threat + Defense. This action allows users to filter policies based on logical expressions + or specific tags and supports pagination through offset and limit parameters. + The results are presented as a JSON object and a formatted data table for easy + review of policy names, descriptions, and default actions. - Retrieves all configured security policies and their associated metadata from - the Infoblox Threat Defense platform. This action is primarily used for auditing, - visibility, and policy management within a SOAR workflow, allowing users to fetch - a list of security policies based on specific filters and tags. - - - ### Parameters Description - | Parameter | Type | Mandatory | Description | + ### Flow Description - | :--- | :--- | :--- | :--- | + 1. **Parameter Initialization:** The action extracts integration configuration + (API Root, API Key) and action-specific parameters (Filters, Offset, Limit). - | Security Policy Filter | String | No | A logical expression string used to filter - security policies (e.g., `name=='sec_policy_a'`). | + 2. **Validation:** It validates that the 'Offset' and 'Limit' parameters are valid + non-negative integers. - | Tag Filter | String | No | Filters the security policy list by specific tags - using the format: `''=''`. | + 3. **API Interaction:** The action calls the Infoblox API (GET /api/atcfw/v1/security_policies) + using the provided filters and pagination settings. - | Tag Sort Filter | String | No | Sorts the resulting security policy list based - on Tags. | + 4. **Data Processing:** The raw API response is parsed into `SecurityPolicy` data + models to extract key fields like ID, Name, and Default Action. - | Offset | String | No | Specifies the starting point (offset) for pagination. - Defaults to "0". | + 5. **Output Generation:** The action returns the full JSON response and constructs + a data table titled 'Security Policies' containing the processed metadata. - | Limit | String | No | Specifies the maximum number of results to return in a - single request. Defaults to "100". | + ### Parameters Description - ### Additional Notes + | Parameter | Description | Type | Mandatory | - - This action does not operate on specific entities (like IPs or Domains) but - rather fetches global configuration data from the Infoblox environment. + | :--- | :--- | :--- | :--- | - - The action includes built-in validation for the `Offset` and `Limit` parameters - to ensure they are non-negative integers. + | Security Policy Filter | A logical expression string to filter security policies + (e.g., name== 'sec_policy_a'). | String | No | - - A maximum of 20 records will be displayed in the Siemplify Data Table for UI - performance, while the full result set is available in the JSON output. + | Tag Filter | Filter security policy by specific tags format: ''=''. + | String | No | + | Tag Sort Filter | Sort security policy list by Tags. | String | No | - ### Flow Description + | Offset | Specify the offset from where to start pagination. Default is 0. | + String | No | - 1. **Parameter Initialization**: The action extracts integration configuration - (API Root, API Key) and user-provided action parameters. + | Limit | Specify the maximum number of results to return. Default is 100. | String + | No | - 2. **Validation**: It validates that the `Offset` and `Limit` parameters are valid - integers. - 3. **API Interaction**: It calls the Infoblox API (`GET /api/atcfw/v1/security_policies`) - with the provided filters and pagination settings. + ### Additional Notes - 4. **Data Processing**: The raw API response is parsed into `SecurityPolicy` data - models. + - This action does not operate on specific entities; it retrieves global configuration + data from the Infoblox platform. - 5. **Output Generation**: The action populates a JSON result with the full API - response and constructs a data table titled "Security Policies" containing key - fields like Policy ID, Name, Description, and Default Action. + - The data table displays up to a maximum number of records defined by the integration's + internal constants (typically 20). capabilities: can_create_case_comments: false can_create_insight: false @@ -1087,77 +1354,94 @@ Get Security Policies: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Host Lookup: ai_description: >- - ### General Description - - Retrieves host asset information from Infoblox IPAM (IP Address Management). This - action allows users to search for host records using specific filtering criteria, - tags, and sorting options. It is primarily used for asset discovery and inventory - management within the Infoblox environment. + Retrieves host information from Infoblox IPAM (DDI). This action allows for searching + host records using flexible filters, tag-based criteria, and pagination settings. + The results are presented as a raw JSON response and a formatted data table within + the case. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Parameter Initialization:** Extracts API credentials and action parameters + including filters, pagination (Offset/Limit), and sorting (Order By). - | :--- | :--- | :--- | :--- | + 2. **Validation:** Ensures that Offset and Limit are valid non-negative integers. - | Host Filter | String | No | A logical expression to filter hosts (e.g., `name=="webserver01"` - or `ip_address=="192.168.1.100"`). | + 3. **API Request:** Performs a GET request to the Infoblox `/api/ddi/v1/ipam/host` + endpoint using the provided filters. - | Tag Filter | String | No | A logical expression to filter hosts by their assigned - tags (e.g., `'Tenable_scan'=='true'`). | + 4. **Data Processing:** Parses the API response and maps host records to a structured + data model. - | Offset | String | No | The starting index for pagination. Defaults to "0". | + 5. **Output Generation:** Adds the full JSON response to the action results and + constructs a 'Hosts' data table for display in the Google SecOps UI. - | Limit | String | No | The maximum number of host records to return. Defaults - to "100". | - | Order By | String | No | Comma-separated fields to sort the results (e.g., `name - asc`). Supports dot notation for nested fields. | + ### Parameters Description + | Parameter | Type | Mandatory | Description | - ### Flow Description + | :--- | :--- | :--- | :--- | - 1. **Parameter Extraction:** The action retrieves the filter criteria, pagination - settings (Offset/Limit), and sorting preferences from the user input. + | Host Filter | String | No | Filter IPAM hosts by specific criteria (e.g., `name=="webserver01"` + or `ip_address=="192.168.1.100"`). | - 2. **Validation:** It validates that the `Offset` and `Limit` parameters are valid - non-negative integers using internal utility functions. + | Tag Filter | String | No | Filter IP addresses by specific tags (e.g. `'Tenable_scan'=='true'`). + | - 3. **API Request:** It sends a GET request to the Infoblox `/api/ddi/v1/ipam/host` - endpoint via the `APIManager` with the specified query parameters. + | Offset | String | No | Specify the offset from where to start pagination. Defaults + to "0". | - 4. **Data Processing:** The raw JSON response is captured and added to the action's - result JSON. + | Limit | String | No | Specify the maximum number of results to return. Defaults + to "100". | - 5. **Output Generation:** The action processes the results into `Host` data models - and populates a data table named "Hosts" with the retrieved host details (up to - a maximum of 20 records for display) and provides the full JSON result for further - playbook processing. + | Order By | String | No | Comma-separated JSON fields to sort the results. Supports + asc/desc and dot notation. | ### Additional Notes - - This action does not automatically process entities present in the SecOps case; - it relies entirely on the provided filter parameters. - - - If no records match the filters, the action completes successfully with a message - indicating no records were found. - - - The `Limit` parameter controls the API response size, while the UI table is - capped at 20 records. + - This action does not run on specific entities but rather queries the Infoblox + database based on the provided input parameters. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: false + can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: null + internal_data_mutation_explanation: >- + Adds a data table named "Hosts" to the Google SecOps case containing the retrieved + host information. categories: enrichment: false entity_usage: @@ -1175,77 +1459,72 @@ Host Lookup: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false IP Lookup: ai_description: >- - ### General Description - - The **IP Lookup** action retrieves detailed information about IP addresses from - the Infoblox IPAM (IP Address Management) system. It allows users to query the - Infoblox database using flexible filters, including IP address state, tags, and - specific scopes. This action is primarily used for asset discovery and network - visibility within a SOAR workflow. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **IP Filter** | String | No | A logical expression to filter IP addresses (e.g., - `address=="192.168.1.100"`). | - - | **Address State** | DDL | No | Filters results by the state of the IP address. - Options: `Any`, `Free`, `Used`. Default is `Used`. | - - | **Scope** | String | No | Limits the lookup to a specific network scope or view. - | - - | **Tag Filter** | String | No | Filters results based on metadata tags (e.g., - `'Department'=='IT'`). | - - | **Offset** | String | No | The starting point for pagination (default is `0`). - | - - | **Limit** | String | No | The maximum number of records to return (default is - `100`). | - - | **Order By** | String | No | Specifies the sorting order of the results using - JSON fields. | - - - ### Additional Notes - - - This action does not automatically process entities from the current case; it - relies entirely on the provided input parameters. - - - Results are returned as a JSON object and displayed in a data table (up to 20 - records). - - - ### Flow Description - - 1. **Parameter Extraction**: The action retrieves configuration and input parameters, - validating that `Offset` and `Limit` are valid integers. - - 2. **API Request**: It constructs a query and sends a GET request to the Infoblox - IPAM API endpoint. - - 3. **Data Processing**: The raw API response is parsed using the `IPLookup` data - model to extract fields like address, hostname, state, and hardware address. - - 4. **Output Generation**: The action populates the execution result with the full - JSON response and creates a data table for the user interface. + ### General Description\nRetrieves detailed IP address information from Infoblox + DDI based on user-defined filters, state, and scope. This action is primarily + used for searching the IPAM (IP Address Management) database to find records matching + specific criteria such as IP address, usage state, or associated tags. It returns + a comprehensive list of matching records, including hostnames, hardware addresses, + and protocols.\n\n### Parameters Description\n| Parameter | Type | Mandatory | + Description |\n| :--- | :--- | :--- | :--- |\n| IP Filter | String | No | Logical + expression to filter IP addresses (e.g., address=='192.168.1.100' or state=='USED'). + |\n| Address State | DDL | No | Filter by the state of the IP address. Options: + Any, Free, Used. Defaults to 'Used'. |\n| Scope | String | No | The network scope + to search within. |\n| Tag Filter | String | No | Filter results by specific tags + (e.g., 'Tenable_scan'=='true'). |\n| Offset | String | No | The starting point + for pagination. Defaults to '0'. |\n| Limit | String | No | The maximum number + of records to return. Defaults to '100'. |\n| Order By | String | No | Comma-separated + fields to sort the results (e.g., 'address asc'). |\n\n### Additional Notes\nThis + action does not run on specific entities in the case; instead, it performs a global + search based on the provided parameters. The results are displayed in a data table + and attached as a JSON result.\n\n### Flow Description\n1. **Parameter Initialization:** + The action extracts configuration settings and user-provided filters, including + pagination and sorting preferences.\n2. **Validation:** It validates that the + 'Offset' and 'Limit' parameters are valid non-negative integers.\n3. **API Request:** + The action sends a GET request to the Infoblox DDI IPAM address endpoint with + the specified filters.\n4. **Data Processing:** The response is parsed using the + IPLookup data model to extract key fields like Address, Host Name, State, and + MAC Address.\n5. **Output Generation:** The action populates a data table named + 'IP Lookup Data' with the first 20 results and attaches the full response as a + JSON object to the action result. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: false + can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: null + internal_data_mutation_explanation: >- + The action adds a data table named 'IP Lookup Data' to the case containing the + retrieved IPAM records. categories: enrichment: false entity_usage: @@ -1263,14 +1542,41 @@ IP Lookup: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Indicator Threat Lookup With TIDE: ai_description: >- ### General Description - The **Indicator Threat Lookup With TIDE** action allows users to query Infoblox - TIDE (Threat Intelligence Data Exchange) for detailed threat intelligence regarding - specific indicators. It supports searching for IPs, Hosts, URLs, Emails, and Hashes, - or filtering by broader criteria like domains, threat classes, and targets. + Looks up threat intelligence details for specific indicators or criteria using + Infoblox TIDE (Threat Intelligence Data Exchange). This action allows analysts + to query the TIDE database for reputation data, threat levels, and classifications + associated with IP addresses, hostnames, URLs, email addresses, or file hashes. + It supports filtering by domain, top-level domain (TLD), threat class, and target, + providing a comprehensive view of known threats. ### Parameters Description @@ -1279,53 +1585,60 @@ Indicator Threat Lookup With TIDE: | :--- | :--- | :--- | :--- | - | **Indicator Type** | Dropdown | No | The category of indicator to search for - (e.g., IP, Host, URL, Email, Hash). Defaults to 'All'. | + | Indicator Type | ddl | No | Specify the type of indicator to search for (Host, + IP, URL, Email, Hash, All). Default is 'All'. | - | **Indicator Value** | String | No | The specific value of the indicator to look - up. | + | Indicator Value | string | No | Specify the indicator value(s) based on the + indicator type you want to search for. | - | **Domain** | String | No | Comma-separated list of domains to filter the search. + | Domain | string | No | Specify the comma-separated domain(s) to search for. | - | **Top-Level Domain** | String | No | Comma-separated list of top-level domains - (TLDs) to filter the search. | + | Top-Level Domain | string | No | Specify the comma-separated top-level domain(s) + to search for. | - | **Threat Class** | String | No | Comma-separated list of threat classes (e.g., - malware, phishing) to search for. | + | Threat Class | string | No | Specify the comma-separated threat class(es) to + search for. | - | **Target** | String | No | Comma-separated list of targets to filter the search. + | Target | string | No | Specify the comma-separated target(s) to search for. | - | **Expiration** | String | No | Period of time after which data is no longer - considered active (ISO8601 format). | + | Expiration | string | No | Period of time after which data is no longer considered + active (ISO8601 format). | - | **Limit** | String | No | Maximum number of results to return. Defaults to 1000. - | + | Limit | string | No | Specify the maximum number of results to return. Default + is 1000. | ### Additional Notes - This action does not automatically process entities from the current Google SecOps - case. It is a manual lookup tool that relies on the values provided in the action - parameters. If 'Indicator Type' is set to 'All', the 'Indicator Value' is ignored - in favor of other filters like Domain or Threat Class. + - If 'Indicator Type' is set to a specific value (e.g., IP), the 'Indicator Value' + parameter should be populated to perform a targeted lookup. + + - The action returns a maximum of 20 records in the UI data table for readability, + while the full results are available in the JSON output. ### Flow Description - 1. **Parameter Extraction**: Retrieves API credentials and user-defined search - filters (Indicator Type, Value, Domain, etc.) from the action parameters. + 1. **Parameter Extraction:** The action retrieves the API configuration and user-provided + search parameters, including indicator details and filtering criteria. - 2. **API Request**: Executes a GET request to the Infoblox TIDE `/tide/api/data/threats` - endpoint using the provided filters. + 2. **Validation:** It validates the 'Limit' parameter to ensure it is a valid + positive integer. + + 3. **API Request:** It constructs a GET request to the Infoblox TIDE threats endpoint + (`/tide/api/data/threats`) using the provided filters. + + 4. **Data Processing:** The action parses the API response, iterating through + the identified threats and mapping them to a structured data model. - 3. **Data Processing**: Parses the JSON response into a list of threat records - using the `IndicatorThreatLookupTideResult` model. + 5. **Output Generation:** It attaches the complete raw JSON response to the action + results and constructs a data table summarizing the key threat details (Indicator, + Type, Threat Level, Class, etc.). - 4. **Output Generation**: Returns the raw JSON response for downstream logic and - constructs a data table displaying key threat fields including Indicator, Type, - Threat Level, Class, Property, Profile, and Detection status. + 6. **Completion:** The action concludes by reporting the number of threat records + found or indicating if no data was retrieved. capabilities: can_create_case_comments: false can_create_insight: false @@ -1337,7 +1650,7 @@ Indicator Threat Lookup With TIDE: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: true + enrichment: false entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1353,44 +1666,103 @@ Indicator Threat Lookup With TIDE: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false "Initiate Indicator Intel Lookup With Dossier": - ai_description: "### General Description\nInitiates an indicator investigation using\ - \ Infoblox Dossier. This action allows for the lookup of threat intelligence data\ - \ for various indicator types including IP addresses, Hostnames, URLs, Emails,\ - \ and Hashes. Users can choose to receive immediate results or a Job ID for asynchronous\ - \ processing.\n\n### Parameters Description\n\n| Parameter | Type | Mandatory\ - \ | Description |\n| :--- | :--- | :--- | :--- |\n| Indicator Type | DDL | Yes\ - \ | The type of indicator to search for. Options: IP, Host, URL, Email, Hash.\ - \ Default is Host. |\n| Indicator Value | String | Yes | The specific value of\ - \ the indicator to be investigated. |\n| Source | String | No | Comma-separated\ - \ list of specific threat intelligence sources to query within Dossier. |\n| Wait\ - \ for Results | Boolean | No | If set to true, the action waits for the API to\ - \ return the full dossier report. If false (default), it returns a Job ID and\ - \ status. |\n\n### Additional Notes\nThis action does not automatically process\ - \ entities from the Google SecOps case; it relies on the manual input provided\ - \ in the 'Indicator Value' parameter. If 'Wait for Results' is set to false, the\ - \ resulting Job ID can be used in the 'Get Indicator Intel Lookup Result' action\ - \ to retrieve the data at a later time.\n\n### Flow Description\n1. **Parameter\ - \ Extraction:** Retrieves the indicator type, value, sources, and wait preference\ - \ from the action parameters.\n2. **Validation:** Ensures the indicator value\ - \ is provided and non-empty, and trims whitespace from the source string if provided.\n\ - 3. **API Request:** Calls the Infoblox Dossier API endpoint corresponding to the\ - \ specified indicator type.\n4. **Response Handling:** \n * If 'Wait for Results'\ - \ is true: Parses the returned dossier results and populates a data table with\ - \ source, status, and data details.\n * If 'Wait for Results' is false: Captures\ - \ the Job ID and status for the initiated lookup.\n5. **Result Reporting:** Adds\ - \ the raw JSON response to the action results and updates the case with a summary\ - \ message and a data table." + ai_description: >- + ### General Description + + Initiates an indicator investigation using the Infoblox Dossier service. This + action allows analysts to perform deep-dive lookups on various indicator types + (IP, Host, URL, Email, or Hash) to retrieve threat intelligence and contextual + data. It supports both synchronous execution (waiting for the full report) and + asynchronous execution (returning a Job ID for later retrieval). + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Indicator Type | DDL | Yes | The category of the indicator being searched. Supported + values: IP, Host, URL, Email, Hash. | + + | Indicator Value | String | Yes | The specific value (e.g., an IP address or + domain name) to investigate. | + + | Source | String | No | A comma-separated list of specific threat intelligence + sources to query within Dossier. | + + | Wait for Results | Boolean | No | Determines the execution mode. If `True`, + the action waits for the full report. If `False`, it returns a Job ID and status + immediately. | + + + ### Additional Notes + + - This action is parameter-driven and does not automatically iterate over entities + from the case wall. It requires manual input or mapped values for the 'Indicator + Value' parameter. + + - When `Wait for Results` is set to `False`, the returned Job ID can be used in + the 'Get Indicator Intel Lookup Result' action once processing is complete. + + - The action displays up to 20 records in the results table. + + + ### Flow Description + + 1. **Parameter Extraction:** Retrieves the indicator type, value, and execution + preferences from the user input. + + 2. **API Request:** Sends a GET request to the Infoblox Dossier API endpoint corresponding + to the indicator type. + + 3. **Execution Mode Handling:** + - **Synchronous:** If 'Wait for Results' is enabled, the action pauses until + the dossier report is ready, then parses the results into a CSV table using the + `DossierWaitResult` model. + - **Asynchronous:** If 'Wait for Results' is disabled, the action captures + the `job_id` and `status` from the initial response and presents them in a CSV + table using the `DossierJobResult` model. + 4. **Data Presentation:** Formats the retrieved data into a CSV table and attaches + the raw JSON response to the action results for further use in the playbook. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: false + can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: null + internal_data_mutation_explanation: >- + Adds a data table to the case wall containing the Dossier lookup results or + the Job ID information. categories: enrichment: false entity_usage: @@ -1408,25 +1780,66 @@ Indicator Threat Lookup With TIDE: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: - ai_description: "### General Description\nVerifies connectivity to the Infoblox\ - \ Threat Defense with DDI server by performing a test API call. This action is\ - \ primarily used to validate that the integration's configuration parameters,\ - \ such as the API Root and API Key, are correct and that the Google SecOps environment\ - \ can successfully communicate with the Infoblox API.\n\n### Parameters Description\n\ - This action does not have any input parameters. It uses the global integration\ - \ configuration.\n\n### Additional Notes\nAs a standard 'Ping' action, it does\ - \ not process entities or modify any data within the SOAR or the external Infoblox\ - \ system.\n\n### Flow Description\n1. **Parameter Initialization**: The action\ - \ retrieves the global configuration parameters: API Root, API Key, and SSL verification\ - \ status.\n2. **API Manager Setup**: It initializes the `APIManager` with the\ - \ provided credentials and connection settings.\n3. **Connectivity Test**: The\ - \ action executes the `test_connectivity` method, which sends a GET request to\ - \ the `/api/authn/v1/account` endpoint.\n4. **Status Evaluation**: \n * If\ - \ the API call is successful, the action returns a success message and sets the\ - \ execution state to completed.\n * If an exception occurs (e.g., authentication\ - \ failure or connection timeout), the action logs the error, returns a failure\ - \ message, and sets the execution state to failed." + ai_description: >- + ### General Description + + The **Ping** action is a utility designed to verify the connectivity between Google + SecOps and the Infoblox Threat Defense with DDI platform. It ensures that the + provided API Root and API Key are valid and that the network path is open. + + + ### Parameters Description + + There are no input parameters for this action. It relies solely on the integration's + global configuration settings (API Root, API Key, and Verify SSL). + + + ### Additional Notes + + This action is typically used during the initial setup of the integration or for + troubleshooting connection issues. It performs a read-only request to the Infoblox + account endpoint. + + + ### Flow Description + + 1. **Initialization**: The action initializes the Siemplify context and retrieves + the global integration parameters. + + 2. **Connectivity Test**: It calls the `test_connectivity` method in the APIManager, + which sends a GET request to the `/api/authn/v1/account` endpoint. + + 3. **Validation**: The action validates the API response. If the status code is + successful, it confirms connectivity. + + 4. **Completion**: The action ends by returning a success or failure message along + with a boolean result indicating the connection status. capabilities: can_create_case_comments: false can_create_insight: false @@ -1454,39 +1867,63 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Remove Custom List: ai_description: >- Deletes a specified custom list from the Infoblox Threat Defense system. This - action is used to manage threat intelligence resources by removing named lists + action is used for administrative cleanup or to remove threat intelligence lists that are no longer required. It requires the unique identifier of the custom list - and performs a destructive operation on the external system. + to perform the deletion. ### Parameters - | Parameter Name | Type | Mandatory | Description | + | Parameter Name | Description | Type | Mandatory | Notes | - | :--- | :--- | :--- | :--- | + | :--- | :--- | :--- | :--- | :--- | - | Custom List ID | string | Yes | The unique numerical ID of the custom list to - remove. The action validates that this is a positive integer before execution. - | + | Custom List ID | The unique identifier (ID) of the custom list to be removed. + | String | Yes | The value must be a positive integer. | ### Flow Description - 1. **Initialization**: Retrieves integration configuration (API Root, API Key, - SSL verification) and the 'Custom List ID' parameter. + 1. **Parameter Extraction:** The action retrieves the `Custom List ID` from the + input parameters. - 2. **Validation**: Validates that the provided 'Custom List ID' is a valid positive + 2. **Validation:** The `Custom List ID` is validated to ensure it is a positive integer. - 3. **API Interaction**: Executes a DELETE request to the Infoblox API endpoint - `/api/atcfw/v1/named_lists/{custom_list_id}`. + 3. **API Interaction:** The action initializes the Infoblox API Manager and sends + a DELETE request to the `/api/atcfw/v1/named_lists/{custom_list_id}` endpoint. - 4. **Result Handling**: If the deletion is successful, it returns a success message. - If the list is not found or an error occurs (e.g., the list is currently in use - by a policy), it captures the error and fails the action. + 4. **Result Handling:** If the API call is successful, the action completes with + a success message. If the ID is not found or an error occurs, the action fails + with a descriptive error message. capabilities: can_create_case_comments: false can_create_insight: false @@ -1495,7 +1932,7 @@ Remove Custom List: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Deletes a custom list resource from the Infoblox Threat Defense platform using + Deletes a custom list resource from the Infoblox Threat Defense platform via a DELETE request. fetches_data: false internal_data_mutation_explanation: null @@ -1516,48 +1953,73 @@ Remove Custom List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Remove Network List: ai_description: >- ### General Description Removes an existing network list from the Infoblox Threat Defense environment. - This action is used to manage network security configurations by deleting specific - network lists that are no longer required. It requires the unique identifier of - the network list to perform the deletion. + This action is used for administrative cleanup or policy management by deleting + a specific network list identified by its unique ID. ### Parameters Description - | Parameter | Type | Mandatory | Description | + | Parameter | Description | Type | Mandatory | Notes | - | :--- | :--- | :--- | :--- | + | :--- | :--- | :--- | :--- | :--- | - | Network List ID | String | Yes | The unique identifier (ID) of the network list - to be removed. Although provided as a string, the action validates that it is - a positive integer. | + | Network List ID | Specify the ID of the network list to remove. | String | Yes + | Must be a positive integer. | ### Additional Notes - - The action will fail if the network list ID does not exist or if the network - list is currently assigned to an active security policy. + * The action will fail if the network list is currently assigned to a security + policy. - - This action performs a permanent deletion in the external Infoblox system. + * The default value of '0' for the ID will trigger a validation error as the ID + must be a positive integer. ### Flow Description - 1. **Parameter Extraction**: Retrieves the `Network List ID` from the action parameters - and integration configuration (API Root, API Key). + 1. **Parameter Extraction**: The action retrieves the `Network List ID` from the + input parameters. - 2. **Validation**: Validates that the `Network List ID` is a valid positive integer. + 2. **Validation**: The ID is validated to ensure it is a valid positive integer + greater than zero. - 3. **API Interaction**: Initializes the Infoblox API Manager and sends a `DELETE` - request to the Infoblox endpoint associated with the specific network list ID. + 3. **API Interaction**: The action initializes the Infoblox API Manager and sends + a `DELETE` request to the Infoblox API endpoint for the specified network list. - 4. **Result Handling**: If the API returns a success status, the action completes - with a success message. If an error occurs (e.g., list not found or dependency - error), it captures the exception and reports a failure. + 4. **Result Handling**: If the deletion is successful, the action completes with + a success message. If the API returns an error (e.g., list not found or list is + in use), the action fails and reports the error reason. capabilities: can_create_case_comments: false can_create_insight: false @@ -1566,8 +2028,8 @@ Remove Network List: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Deletes an existing network list from the Infoblox Threat Defense environment - using a DELETE request to the external API. + Deletes an existing network list resource from the Infoblox Threat Defense platform + using a DELETE request. fetches_data: false internal_data_mutation_explanation: null categories: @@ -1587,13 +2049,39 @@ Remove Network List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Remove Security Policy: ai_description: >- ### General Description Deletes a specified security policy from the Infoblox Threat Defense system. This - action is primarily used to unblock indicators or manage firewall configurations - by removing obsolete or incorrect security policies using their unique identifier. + action is used to manage security configurations by removing policies that are + no longer required or to unblock indicators by removing the policy that restricts + them. ### Parameters Description @@ -1602,31 +2090,31 @@ Remove Security Policy: | :--- | :--- | :--- | :--- | - | Security Policy ID | String | Yes | The unique numerical ID of the security - policy to be deleted. The action validates that this value is a positive integer - before proceeding. | + | Security Policy ID | String | Yes | The unique identifier of the security policy + to delete. The value must be a positive integer. | - ### Flow Description + ### Additional Notes - 1. **Parameter Extraction**: Retrieves the integration configuration (API Root, - API Key) and the action parameter (Security Policy ID). + This action performs a permanent deletion of the security policy in the external + Infoblox system. It does not process or iterate over entities within the SOAR + case; it operates solely based on the provided ID. - 2. **Validation**: Validates that the `Security Policy ID` is a non-empty string - and represents a positive integer. - 3. **API Interaction**: Initializes the `APIManager` and executes a `DELETE` request - to the Infoblox security policies endpoint using the provided ID. + ### Flow Description - 4. **Result Handling**: If the deletion is successful, the action completes with - a success message. If the API returns an error (e.g., policy not found or insufficient - permissions), the action fails and logs the error details. + 1. **Parameter Extraction**: The action retrieves the `Security Policy ID` from + the input parameters. + 2. **Validation**: It validates that the ID is a non-empty string and represents + a valid positive integer. - ### Additional Notes + 3. **API Interaction**: The action sends a `DELETE` request to the Infoblox API + endpoint `/api/atcfw/v1/security_policies/{security_policy_id}`. - This action does not process entities from the Google SecOps case; it operates - strictly based on the provided `Security Policy ID` parameter. + 4. **Result Handling**: If the API returns a success status, the action completes + with a success message. If the policy is not found or an error occurs, it reports + a failure. capabilities: can_create_case_comments: false can_create_insight: false @@ -1635,8 +2123,8 @@ Remove Security Policy: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Deletes a security policy configuration from the Infoblox Threat Defense platform - via a DELETE API request. + Deletes a security policy from the Infoblox Threat Defense system using a DELETE + request to the security policies endpoint. fetches_data: false internal_data_mutation_explanation: null categories: @@ -1656,75 +2144,95 @@ Remove Security Policy: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Update Custom List: ai_description: >- ### General Description - Updates the configuration of an existing custom list in the Infoblox Threat Defense - platform. This action allows for the modification of metadata such as the list's - name, description, confidence level, threat level, and associated tags. It ensures - data consistency by fetching the current state of the list before applying updates, - allowing users to modify only specific fields while preserving others. + Updates the metadata of an existing custom list in Infoblox Threat Defense. This + action allows users to modify the name, description, confidence level, threat + level, and tags associated with a specific custom list identified by its ID. It + ensures data consistency by fetching the current state of the list and only updating + the fields provided by the user. ### Parameters Description - | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Custom List ID | String | Yes | The unique identifier of the custom list to - be updated. Must be a positive integer. | + | **Custom List ID** | String | Yes | The unique ID of the custom list to update. + Must be a positive integer. | - | Name | String | No | The new name for the custom list. If not provided, the - existing name is retained. | + | **Name** | String | No | The new name for the custom list. If not provided, + the existing name is preserved. | - | Description | String | No | The new description for the custom list. Use the - keyword `empty` to remove the existing description. | + | **Description** | String | No | The new description for the custom list. Use + the keyword `empty` to remove the existing description. | - | Confidence Level | DDL | No | The confidence level for the custom list. Options: - High, Medium, Low. | + | **Confidence Level** | DDL | No | The new confidence level (High, Medium, Low). + If not provided, the existing level is preserved. | - | Threat Level | DDL | No | The threat level for the custom list. Options: High, - Medium, Low, Info. | + | **Threat Level** | DDL | No | The new threat level (High, Medium, Low, Info). + If not provided, the existing level is preserved. | - | Tags | String | No | A JSON object string representing tags to categorize the - list. Use the keyword `empty` to remove all existing tags. | + | **Tags** | String | No | A JSON object string representing tags to categorize + the list. Use the keyword `empty` to remove all existing tags. | ### Additional Notes - - The action uses a 'fetch-then-update' logic to ensure that fields not specified - in the action parameters remain unchanged in the external system. - - - The `empty` keyword is a special trigger used to explicitly clear the `Description` - or `Tags` fields. + - The action performs a 'read-before-write' operation: it fetches the existing + list configuration first to inherit values for any parameters that are not explicitly + provided in the action configuration. - - Tags must be provided as a valid JSON object string (e.g., `{"key": "value"}`). + - The `Custom List ID` must be a valid positive integer greater than zero. ### Flow Description - 1. **Parameter Initialization:** The action extracts the integration configuration - (API Root, API Key) and the action-specific parameters. + 1. **Parameter Extraction**: Retrieves the Custom List ID and optional metadata + fields (Name, Description, Levels, Tags) from the action input. - 2. **Validation:** Validates that the `Custom List ID` is a valid positive integer. + 2. **Validation**: Validates that the `Custom List ID` is a valid positive integer. - 3. **Data Retrieval:** Calls the Infoblox API to fetch the current details of - the specified custom list. This is necessary to populate the update payload with - existing values for any parameters not provided by the user. + 3. **State Retrieval**: Calls the Infoblox API to fetch the current configuration + of the specified custom list. - 4. **Payload Construction:** Merges the user-provided updates with the existing - data. It specifically handles the `empty` keyword to nullify fields and converts - level strings to uppercase as required by the API. + 4. **Payload Construction**: Merges the user-provided updates with the existing + list data. If a parameter is missing, the existing value is used; if the keyword + `empty` is used, the field is cleared. - 5. **API Execution:** Sends a `PUT` request to the Infoblox endpoint to update - the custom list resource. + 5. **API Update**: Sends a `PUT` request to the Infoblox `/api/atcfw/v1/named_lists/{id}` + endpoint with the constructed payload. - 6. **Result Processing:** Parses the API response, adds the raw JSON result to - the action output, and constructs a data table titled "Custom List Details" for - the case wall. + 6. **Result Processing**: Parses the API response, adds the full JSON result to + the action output, and generates a 'Custom List Details' data table for the analyst. capabilities: can_create_case_comments: false can_create_insight: false @@ -1733,8 +2241,9 @@ Update Custom List: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Modifies the properties (name, description, levels, and tags) of an existing - custom list resource in the Infoblox Threat Defense platform via a PUT request. + Updates the configuration metadata (name, description, confidence/threat levels, + and tags) of an existing custom list in the Infoblox Threat Defense platform + via a PUT request. fetches_data: true internal_data_mutation_explanation: null categories: @@ -1754,61 +2263,56 @@ Update Custom List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Update Custom List Items: - ai_description: >- - ### General Description - - Updates the items within an existing Infoblox Custom List. This action allows - users to programmatically manage threat intelligence lists by adding or removing - specific indicators such as IPv4 addresses, IPv6 addresses, or domain names. It - is primarily used for maintaining blocklists or allowlists within the Infoblox - Threat Defense platform. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **Custom List ID** | String | Yes | The unique identifier of the Custom List - to update. Although provided as a string, the action validates that it is a positive - integer. | - - | **Action** | DDL | Yes | Specifies the operation to perform. Options are **Add** - (to insert new items) or **Remove** (to delete existing items). | - - | **Items** | String | Yes | A comma-separated list of indicators to be processed. - Supported formats include IPv4, IPv6, and domain names. | - - - ### Flow Description - - 1. **Parameter Extraction and Validation**: The action retrieves the Custom List - ID, the desired action (Add/Remove), and the list of items. It validates that - the ID is a valid positive integer and that every item in the list conforms to - IP or domain name syntax. - - 2. **API Request Construction**: Based on the selected action, the code prepares - a JSON payload for a PATCH request. If the action is 'Add', items are placed in - the `inserted_items_described` field; if 'Remove', they are placed in `deleted_items_described`. - - 3. **External Mutation**: The action sends a PATCH request to the Infoblox API - endpoint `/api/atcfw/v1/named_lists/{custom_list_id}/items` to update the list - state. - - 4. **Result Processing**: The action parses the response from Infoblox, calculates - the number of items added, removed, or updated, and outputs a summary message - along with the raw JSON result. - - - ### Additional Notes - - - This action does not process entities from the SecOps environment; it relies - entirely on the provided 'Items' parameter. - - - The action will fail if the 'Items' string is empty or contains invalid indicator - formats. + ai_description: "Updates the items within an existing Infoblox Custom List. This\ + \ action allows users to either add or remove specific indicators\u2014such as\ + \ IPv4 addresses, IPv6 addresses, or domain names\u2014from a designated list\ + \ identified by its ID. It performs data validation on the provided items to ensure\ + \ they conform to standard networking formats before communicating with the Infoblox\ + \ API via a PATCH request.\n\n### Flow Description:\n1. **Parameter Extraction:**\ + \ Retrieves the Custom List ID, the desired action (Add or Remove), and the comma-separated\ + \ string of items from the action parameters.\n2. **Validation:** Validates that\ + \ the Custom List ID is a positive integer and parses the items string into a\ + \ list. Each item is checked against regex patterns for valid IPv4, IPv6, or domain\ + \ name formats.\n3. **API Interaction:** Sends a PATCH request to the Infoblox\ + \ endpoint `/api/atcfw/v1/named_lists/{custom_list_id}/items` with a payload containing\ + \ the items to be inserted or deleted.\n4. **Result Processing:** Analyzes the\ + \ API response to determine the number of items successfully added, removed, or\ + \ updated, and provides a summary message to the user.\n\n### Parameters Description:\n\ + | Parameter Name | Type | Mandatory | Description |\n| :--- | :--- | :--- | :---\ + \ |\n| Custom List ID | String | Yes | The unique numerical identifier of the\ + \ Infoblox Custom List to be modified. |\n| Action | DDL | Yes | Specifies whether\ + \ to 'Add' or 'Remove' the provided items from the list. |\n| Items | String |\ + \ Yes | A comma-separated list of indicators (IPs or Domains) to be processed.\ + \ |\n\n### Additional Notes:\n- This action does not run on SOAR entities; it\ + \ processes data provided directly through the 'Items' parameter.\n- If no items\ + \ are successfully modified, the action will return a message indicating no changes\ + \ were made." capabilities: can_create_case_comments: false can_create_insight: false @@ -1817,8 +2321,8 @@ Update Custom List Items: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Adds or removes indicators (IPs, domains) from a named custom list in the Infoblox - Threat Defense platform using a PATCH request. + Adds or removes indicators (IPs, domains, or networks) from a specified custom + list in Infoblox Threat Defense, which can affect security policy enforcement. fetches_data: false internal_data_mutation_explanation: null categories: @@ -1838,53 +2342,52 @@ Update Custom List Items: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: true + add_ioc_to_blocklist: true + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: true + remove_ioc_from_blocklist: true + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Update Network List: ai_description: >- Updates an existing network list in Infoblox Threat Defense with a new name, items, - or description. This action allows for partial updates; if a parameter is not - provided, the action retrieves the current value from the system and preserves - it. It also supports clearing the description field using a specific keyword. - - - ### Parameters Description - - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Network List ID | string | Yes | The unique identifier of the network list to - update. Must be a positive integer. | - - | Name | string | No | The new name for the network list. If omitted, the current - name is kept. | - - | Items | string | No | A comma-separated list of items (e.g., IP addresses or - CIDRs) to include in the network list. If omitted, current items are kept. | - - | Description | string | No | A new description for the network list. Use the - keyword `empty` to remove the existing description. If omitted, the current description - is kept. | - - - ### Flow Description - - - 1. **Parameter Extraction**: The action retrieves the Network List ID and optional - update fields (Name, Items, Description) from the user input. - - 2. **Current State Retrieval**: It calls the Infoblox API to fetch the current - configuration of the specified network list to ensure that omitted parameters - do not overwrite existing data with null values. - - 3. **Data Merging**: The action merges the provided inputs with the existing configuration. - It specifically handles the `empty` keyword to clear the description field. - - 4. **External Update**: A `PUT` request is sent to the Infoblox Threat Defense - API to apply the changes to the network list. - - 5. **Result Processing**: The updated network list details are parsed, added to - the action's JSON results, and displayed in a data table named 'Network List Details'. + or description. This action is useful for managing network boundaries or lists + used in security policies. ### Flow Description: 1. **Parameter Extraction:** + Retrieves the Network List ID, Name, Items, and Description from the action parameters. + 2. **Validation:** Validates that the Network List ID is a positive integer. 3. + **Data Retrieval:** Fetches the current configuration of the specified network + list to allow for partial updates. 4. **Payload Construction:** Merges the provided + parameters with existing data. If a parameter is not provided, the existing value + is retained. The keyword 'empty' can be used to clear the description. 5. **API + Update:** Executes a PUT request to the Infoblox API to apply the changes. 6. + **Output Generation:** Returns the updated network list details as a JSON result + and populates a data table. ### Parameters Description: | Parameter | Type | Mandatory + | Description | | :--- | :--- | :--- | :--- | | Network List ID | String | Yes + | The unique ID of the network list to update. | | Name | String | No | The new + name for the network list. | | Items | String | No | Comma-separated items (e.g., + IP addresses) to include in the list. | | Description | String | No | The new + description. Use the keyword 'empty' to remove the existing description. | ### + Additional Notes: - If optional parameters (Name, Items, Description) are left + blank, the action will preserve the current values stored in Infoblox. capabilities: can_create_case_comments: false can_create_insight: false @@ -1894,7 +2397,7 @@ Update Network List: can_update_entities: false external_data_mutation_explanation: >- Updates the configuration (name, items, or description) of an existing network - list in the Infoblox Threat Defense platform via a PUT request. + list in Infoblox via a PUT request. fetches_data: true internal_data_mutation_explanation: null categories: @@ -1914,80 +2417,66 @@ Update Network List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Update Security Policy: - ai_description: >- - Modifies an existing security policy in Infoblox Threat Defense. This action allows - for comprehensive updates to a policy's configuration, including its name, description, - associated network lists, rules, and security settings. It supports clearing specific - fields using the 'empty' keyword and allows for advanced configuration through - a JSON object for additional parameters. - - - ### Parameters Description - - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Security Policy ID | String | Yes | The unique identifier of the security policy - to update. Must be a positive integer. | - - | Policy Name | String | No | The new name for the security policy. | - - | Description | String | No | The updated description. Use the keyword `empty` - to remove the existing description. | - - | Network Lists | String | No | Comma-separated IDs of network lists to associate - with the policy. Use `empty` to remove all associated lists. | - - | DFPS | String | No | Comma-separated Default Forwarding Policies (DFPs) to update. - Use `empty` to remove all DFPs. | - - | Roaming Device Groups | String | No | Comma-separated IDs of Roaming Device - Groups to associate. Use `empty` to remove all groups. | - - | Rules | String | No | A JSON array of rule objects (action, type, data, etc.). - Use `empty` to remove all rules. | - - | Safe Search | DDL | No | Enables or disables safe search filtering (True/False). - | - - | Block DNS Rebinding | DDL | No | Enables or disables protection against DNS - rebinding attacks (True/False). | - - | Tags | String | No | A JSON object containing tags to categorize the policy. - | - - | Additional Parameters | String | No | A JSON object for advanced fields such - as `precedence`, `access_codes`, `doh_enabled`, etc. | - - - ### Additional Notes - - - The action first retrieves the existing policy configuration to ensure that - fields not specified in the parameters remain unchanged (partial update logic). - - - The `Rules`, `Tags`, and `Additional Parameters` must be valid JSON strings. - - - ### Flow Description - - 1. **Validation**: Validates that the `Security Policy ID` is a valid positive - integer. - - 2. **Data Retrieval**: Fetches the current state of the security policy from Infoblox - to identify existing values. - - 3. **Payload Construction**: Merges the user-provided parameters with the existing - data. It specifically checks for the `empty` keyword to nullify or clear specific - attributes. - - 4. **API Interaction**: Sends a PUT request to the Infoblox API to update the - security policy with the newly constructed payload. - - 5. **Output**: Returns the full JSON response of the updated policy and populates - a data table with key policy details (ID, Name, Description, Default Action). + ai_description: "Modifies an existing security policy's configurations or linked\ + \ lists in Infoblox Threat Defense. This action allows for comprehensive updates\ + \ to policy metadata, network associations, security rules, and advanced settings.\ + \ It first retrieves the current state of the policy to ensure that only the specified\ + \ fields are updated while preserving others. \n\n### Flow Description:\n1. **Validation:**\ + \ Validates that the provided `Security Policy ID` is a positive integer.\n2.\ + \ **Data Retrieval:** Fetches the existing configuration of the specified security\ + \ policy from Infoblox to serve as a baseline.\n3. **Payload Construction:** Merges\ + \ the user-provided parameters with the existing policy data. If a parameter is\ + \ provided as `empty`, the corresponding field is cleared; if a parameter is omitted,\ + \ the existing value is retained.\n4. **Update Execution:** Sends a PUT request\ + \ to the Infoblox API to apply the changes to the security policy.\n5. **Output\ + \ Generation:** Returns the full JSON response of the updated policy and populates\ + \ a data table with key policy details.\n\n### Parameters Description:\n| Parameter\ + \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Security\ + \ Policy ID | String | Yes | The unique identifier of the security policy to update.\ + \ |\n| Policy Name | String | No | The updated name for the security policy. |\n\ + | Description | String | No | The updated description. Use the keyword `empty`\ + \ to remove the existing description. |\n| Network Lists | String | No | Comma-separated\ + \ IDs of network lists to associate with this policy. Use `empty` to remove all\ + \ associations. |\n| DFPS | String | No | Comma-separated Default Forwarding Policies\ + \ (DFPs) to update. Use `empty` to remove all DFPs. |\n| Roaming Device Groups\ + \ | String | No | Comma-separated IDs of Roaming Device Groups to associate. Use\ + \ `empty` to remove all groups. |\n| Rules | String | No | A JSON array of rule\ + \ objects (action, type, data, etc.). Use `empty` to remove all rules. |\n| Safe\ + \ Search | DDL | No | Specify whether to enable (`True`) or disable (`False`)\ + \ safe search filtering. |\n| Block DNS Rebinding | DDL | No | Specify whether\ + \ to enable (`True`) or disable (`False`) protection against DNS rebinding attacks.\ + \ |\n| Tags | String | No | A JSON object containing tags to categorize the policy.\ + \ |\n| Additional Parameters | String | No | A JSON object for advanced settings\ + \ such as `precedence`, `doh_enabled`, `ecs`, or `access_codes`. |\n\n### Additional\ + \ Notes:\n- The action uses a 'merge' logic: only parameters explicitly defined\ + \ by the user (or set to `empty`) will change the existing policy configuration.\n\ + - The `Rules`, `Tags`, and `Additional Parameters` fields must be valid JSON strings." capabilities: can_create_case_comments: false can_create_insight: false @@ -1996,9 +2485,9 @@ Update Security Policy: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the configuration of an existing security policy in Infoblox Threat - Defense via a PUT request, potentially changing rules, network associations, - and security settings. + Updates the configuration of a security policy in the Infoblox Threat Defense + platform via a PUT request, potentially changing rules, network associations, + and security filtering settings. fetches_data: true internal_data_mutation_explanation: null categories: @@ -2018,3 +2507,28 @@ Update Security Policy: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/partner/infoblox_threat_defense_with_ddi/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/partner/infoblox_threat_defense_with_ddi/resources/ai/connectors_ai_description.yaml new file mode 100644 index 000000000..9a43e7052 --- /dev/null +++ b/content/response_integrations/third_party/partner/infoblox_threat_defense_with_ddi/resources/ai/connectors_ai_description.yaml @@ -0,0 +1,130 @@ +Infoblox - DNS Security Events Connector: + ai_description: >- + ### General Description + + The Infoblox - DNS Security Events connector integrates with the Infoblox Threat + Defense platform to ingest DNS-related security events into Google SecOps. This + connector allows security teams to monitor malicious DNS activity, such as malware + communications, phishing attempts, and data exfiltration, by pulling detailed + event logs. It supports extensive filtering capabilities based on threat categories, + severity levels, and policy actions to ensure only relevant security data is ingested + for investigation. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | API Root | String | Yes | The base URL of the Infoblox API, typically `https://csp.infoblox.com/`. + | + + | API Key | Password | Yes | The unique identifier used to authenticate and authorize + access to the Infoblox API. | + + | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the + python process running the connector script. | + + | EventClassId | String | Yes | The field name used to determine the event name/sub-type + (default: `tclass`). | + + | DeviceProductField | String | Yes | The field name used to determine the device + product (default: `Infoblox Threat Defense with DDI`). | + + | Limit | String | No | Specify the maximum number of alerts to create per execution + cycle. Default is 100. | + + | Max Hours Backwards | String | No | Number of hours before the first connector + iteration to retrieve alerts from. Default is 24. | + + | Threat Level | String | No | Filter events by severity level (LOW, MEDIUM, HIGH, + CRITICAL). | + + | Policy Action | String | No | Filter by the action performed by Infoblox (Log, + Block, Default, Redirect). | + + | Feed Name | String | No | Filter by comma-separated threat feed or custom list + names. | + + | Threat Class | String | No | Filter by threat category (e.g., "Malware", "MalwareDownload"). + | + + | Threat Family | String | No | Filter by threat family (e.g., "Log4Shell", "OPENRESOLVER"). + | + + | Queried name | String | No | Filter by comma-separated queried domain names. + | + + | Threat Indicator | String | No | Filter by comma-separated threat indicators + (domains, IPs). | + + | Policy Name | String | No | Filter by comma-separated security policy names. + | + + | Network | String | No | Filter by comma-separated network name, on-premises + host, endpoint, or DFP name. | + + | Verify SSL | Boolean | No | If enabled, the connector will verify the SSL certificate + of the API endpoint. | + + + ### Flow Description + + 1. **Authentication**: The connector establishes a session with the Infoblox API + using the provided API Key and Root URL. + + 2. **Time Window Determination**: It calculates the polling window by checking + the timestamp of the last successful run. If no previous timestamp exists, it + uses the 'Max Hours Backwards' parameter. + + 3. **Event Fetching**: The connector queries the `/api/dnsdata/v2/dns_event` endpoint, + applying all configured filters (e.g., Threat Level, Policy Action, Network) to + retrieve DNS security events. + + 4. **Deduplication**: It compares retrieved events against a list of previously + processed IDs stored in the SOAR environment to prevent duplicate alert creation. + + 5. **Alert Mapping**: Each unique event is transformed into a Google SecOps `AlertInfo` + object. The alert name is dynamically generated using the threat class and queried + domain name. + + 6. **Case Creation**: The mapped alerts are sent to the Google SecOps platform, + where they are converted into cases for analyst review. + + 7. **State Persistence**: Upon successful ingestion, the connector saves the latest + event timestamp and updated list of processed IDs to ensure the next run starts + exactly where the current one finished. +Infoblox - SOC Insights Connector: + ai_description: "### General Description\nThe Infoblox - SOC Insights Connector\ + \ retrieves high-fidelity Security Operations Center (SOC) insights from the Infoblox\ + \ Threat Defense platform. These insights represent aggregated security events\ + \ and detections, allowing security teams to ingest prioritized threat data into\ + \ Google SecOps for automated investigation, enrichment, and response. The connector\ + \ supports deduplication and filtering to ensure only relevant, new insights are\ + \ processed.\n\n### Parameters Description\n| Parameter | Type | Mandatory | Description\ + \ |\n| :--- | :--- | :--- | :--- |\n| API Root | String | Yes | The base URL of\ + \ the Infoblox API (e.g., https://csp.infoblox.com/). |\n| API Key | Password\ + \ | Yes | Unique identifier used to authenticate and authorize access to the Infoblox\ + \ API. |\n| Verify SSL | Boolean | Yes | If enabled, the connector will verify\ + \ the SSL certificate for API requests. |\n| PythonProcessTimeout | Integer |\ + \ Yes | The timeout limit (in seconds) for the python process running the script.\ + \ |\n| EventClassId | String | Yes | The field name used to determine the event\ + \ name/sub-type (default: tclass). |\n| DeviceProductField | String | Yes | The\ + \ field name used to determine the device product (default: Infoblox Threat Defense\ + \ with DDI). |\n| Status | String | No | Filter Insights by their current status\ + \ (e.g., ACTIVE, CLOSED). |\n| Threat Type | String | No | Filter Insights by\ + \ the specific type of threat detected. |\n| Priority | String | No | Filter Insights\ + \ by priority level (INFO, LOW, MEDIUM, HIGH, CRITICAL). |\n\n### Flow Description\n\ + 1. **Authentication**: Establishes a connection to the Infoblox API using the\ + \ provided API Key and Root URL.\n2. **Deduplication**: Retrieves the list of\ + \ previously processed Insight IDs from the system to ensure no duplicate alerts\ + \ are created.\n3. **Data Retrieval**: Queries the Infoblox `/api/v1/insights`\ + \ endpoint, applying user-defined filters for Status, Threat Type, and Priority.\n\ + 4. **Validation & Filtering**: \n * Validates each insight against the `PythonProcessTimeout`\ + \ to ensure graceful exit if the process runs too long.\n * Checks for case\ + \ overflow to prevent system flooding.\n5. **Mapping**: Converts each SOC Insight\ + \ into the Google SecOps `AlertInfo` format, mapping fields such as `insightId`\ + \ to `ticket_id`, and translating Infoblox priority text into numerical severity\ + \ values.\n6. **Ingestion**: Ingests the processed alerts into Google SecOps and\ + \ updates the persistent storage with the new Insight IDs for future deduplication." diff --git a/content/response_integrations/third_party/partner/infoblox_threat_defense_with_ddi/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/infoblox_threat_defense_with_ddi/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..ac6c94bb4 --- /dev/null +++ b/content/response_integrations/third_party/partner/infoblox_threat_defense_with_ddi/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: true + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: true + siem: true + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/ip_info/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/ip_info/resources/ai/actions_ai_description.yaml index 3fb883b81..e99dad504 100644 --- a/content/response_integrations/third_party/partner/ip_info/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/ip_info/resources/ai/actions_ai_description.yaml @@ -1,23 +1,44 @@ Get Domain Information: - ai_description: "### General Description\nEnriches Hostname entities by fetching\ - \ domain-specific information from the IPInfo service. This action retrieves data\ - \ such as associated IP addresses, IP ranges, ASN details, and a list of related\ - \ domains. The retrieved information is used to populate entity properties and\ - \ provide a structured data table for analysts within the Google SecOps platform.\n\ - \n### Parameters Description\nThere are no parameters for this action.\n\n###\ - \ Additional Notes\n* The action automatically extracts the base domain from the\ - \ hostname identifier before querying the IPInfo API.\n* Entities are marked as\ - \ enriched upon successful data retrieval.\n\n### Flow Description\n1. **Filter\ - \ Entities**: The action identifies all `HOSTNAME` entities within the current\ - \ context.\n2. **Domain Extraction**: For each hostname, it extracts the root\ - \ domain using a utility function.\n3. **API Query**: It calls the IPInfo API's\ - \ `/domains` endpoint to retrieve metadata for the extracted domain.\n4. **Data\ - \ Processing**: The resulting JSON data is flattened and prefixed with 'IPInfo'.\n\ - 5. **Internal Enrichment**: \n * Updates the entity's `additional_properties`\ - \ with the flattened data.\n * Sets the `is_enriched` flag to `True`.\n \ - \ * Attaches a CSV-formatted data table to the entity in the SecOps UI.\n6. **Finalization**:\ - \ Updates all successfully enriched entities in the system and returns a summary\ - \ message." + ai_description: >- + ### General Description + + Fetches domain information for Hostname entities using the IPInfo service. This + action retrieves metadata associated with a domain, such as registration details + and other contextual information, to assist in security investigations. + + + ### Parameters Description + + There are no parameters for this action. + + + ### Additional Notes + + This action specifically targets Hostname entities and uses the `get_domain` utility + to ensure the identifier is in the correct format before querying the API. + + + ### Flow Description + + 1. **Identify Entities**: The action identifies all Hostname entities within the + current alert context. + + 2. **Extract Domain**: For each entity, it extracts the domain name from the identifier. + + 3. **API Query**: It sends a GET request to the IPInfo API's `/domains` endpoint + for each domain. + + 4. **Data Processing**: The retrieved JSON data is flattened and prefixed with + 'IPInfo'. + + 5. **Enrichment**: The action updates the entity's additional properties with + the domain data and marks the entity as enriched. + + 6. **Visualization**: A data table containing the domain information is added + to the entity in the Google SecOps interface. + + 7. **Final Update**: The action updates the entities in the system and returns + a summary of the results. capabilities: can_create_case_comments: false can_create_insight: false @@ -28,8 +49,8 @@ Get Domain Information: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with domain metadata, sets the enriched - flag, and adds a data table to the entity. + Updates entity additional properties with domain information and sets the 'is_enriched' + flag to true. categories: enrichment: true entity_usage: @@ -48,40 +69,49 @@ Get Domain Information: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get IP Information: - ai_description: >- - ### General Description - - Enriches IP Address entities with detailed geolocation and network information - using the IPInfo service. This action retrieves data such as city, region, country, - ASN, and carrier details to provide context for security investigations. - - - ### Parameters - - There are no action-specific parameters for this action. It relies on the global - integration configuration (API Root, Token, and Verify SSL). - - - ### Flow Description - - 1. **Initialization**: The action initializes the IPInfo manager using the provided - API Root and Token from the integration configuration. - - 2. **Entity Filtering**: It identifies all entities of type `ADDRESS` within the - current scope. - - 3. **Data Retrieval**: For each identified IP address, the action sends a GET - request to the IPInfo API. - - 4. **Data Processing**: The retrieved JSON response is flattened and prefixed - with 'IPInfo'. - - 5. **Internal Updates**: The action updates the entity's additional properties, - marks the entity as enriched, and attaches a CSV-formatted data table to the entity. - - 6. **Finalization**: All successfully enriched entities are updated in Google - SecOps, and a summary message is returned. + ai_description: "Enriches IP Address entities using the IPInfo service. This action\ + \ retrieves detailed contextual information for IP addresses, including geographic\ + \ location (city, region, country), ASN details, and company information. \n\n\ + ### Flow Description\n1. **Entity Filtering:** The action identifies all entities\ + \ of type `ADDRESS` within the current context.\n2. **Data Retrieval:** For each\ + \ identified IP address, it queries the IPInfo API using the configured API Root\ + \ and Token.\n3. **Data Processing:** The retrieved JSON data is flattened and\ + \ prefixed with 'IPInfo'.\n4. **Internal Updates:** The flattened data is added\ + \ to the entity's 'additional_properties', the entity is marked as 'enriched',\ + \ and an entity-specific data table is created.\n5. **Finalization:** The action\ + \ updates the entities within Google SecOps and provides a summary of the enriched\ + \ IPs and any errors encountered.\n\n### Parameters Description\n| Parameter Name\ + \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| None |\ + \ N/A | N/A | This action does not have any input parameters. It relies on the\ + \ integration's configuration (API Root, Token, Verify SSL). |\n\n### Additional\ + \ Notes\n- This action is strictly for enrichment and does not modify any external\ + \ data.\n- It specifically targets entities of type `ADDRESS`." capabilities: can_create_case_comments: false can_create_insight: false @@ -92,8 +122,8 @@ Get IP Information: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with enriched IP information and adds data - tables to the entities. + Updates entity additional properties with enriched IP information, sets the + 'is_enriched' flag to true, and adds entity data tables. categories: enrichment: true entity_usage: @@ -112,43 +142,67 @@ Get IP Information: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: ai_description: >- ### General Description - Verifies the connectivity and API token validity for the IPInfo integration. This - action is used to ensure that the Google SecOps platform can successfully communicate - with the IPInfo service using the provided credentials. + Validates the connectivity and API token for the IPInfo integration. This action + performs a test request to the IPInfo API using a hardcoded IP address (8.8.8.8) + to ensure that the service is reachable and the provided credentials (API Root + and Token) are valid. ### Parameters Description - There are no action-specific parameters for this action. It relies on the integration's - global configuration (API Root, Token, and Verify SSL). + There are no parameters for this action. ### Additional Notes - This action does not process any entities and is strictly for connectivity testing. - It is a standard 'Ping' action used to validate integration health. + This is a standard connectivity check action used to verify that the integration + configuration is correct. ### Flow Description - 1. **Configuration Retrieval**: The action retrieves the API Root, Token, and - SSL verification settings from the integration's global configuration. + 1. **Retrieve Configuration**: Fetches the API Root, Token, and SSL verification + settings from the integration configuration. - 2. **Manager Initialization**: Initializes the IPInfoManager with the retrieved - settings. + 2. **Initialize Manager**: Instantiates the IPInfoManager with the provided credentials. - 3. **Connectivity Test**: Executes a GET request to the IPInfo API using a hardcoded - test IP address (8.8.8.8) to verify the token validity and network path. + 3. **Execute Ping**: Calls the `ping` method, which sends a GET request to the + IPInfo API for the test IP '8.8.8.8'. - 4. **Validation**: Validates the HTTP response status and content to ensure the - request was successful and the token is authorized. + 4. **Validate Response**: Checks the HTTP response status and ensures no error + messages are present in the content. - 5. **Completion**: Returns a success message 'Connection Established.' if the - connection is verified. + 5. **Finalize**: Returns a success message 'Connection Established.' if the request + is successful. capabilities: can_create_case_comments: false can_create_insight: false @@ -176,3 +230,28 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/partner/ip_info/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/ip_info/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..2e831240c --- /dev/null +++ b/content/response_integrations/third_party/partner/ip_info/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + siem: false + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/jamf/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/jamf/resources/ai/actions_ai_description.yaml index 6414daf9b..a60aa03fa 100644 --- a/content/response_integrations/third_party/partner/jamf/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/jamf/resources/ai/actions_ai_description.yaml @@ -1,63 +1,67 @@ Assign to Group: ai_description: >- + Adds computers to a specific computer group in Jamf Pro using various identifiers + such as computer IDs, names, or serial numbers. This action is primarily used + for asset management and organizing devices for policy application or security + workflows. + + ### General Description - This action adds computers to a specific computer group in Jamf Pro using various - identifiers such as computer IDs, names, or serial numbers. It is designed for - bulk operations, allowing users to provide comma-separated lists of identifiers - to update group memberships efficiently. + This action allows an analyst to programmatically assign one or more computers + to a Jamf Pro computer group. It supports bulk operations by accepting comma-separated + lists of identifiers. Because computer names are not unique in Jamf Pro, the action + provides warnings and recommends using Computer IDs or Serial Numbers for precise + targeting. - ### Parameters Description + ### Flow Description - | Parameter | Description | Type | Mandatory | + 1. **Initialization:** Connects to the Jamf Pro API using provided credentials + and validates the session token. - | :--- | :--- | :--- | :--- | + 2. **Parameter Validation:** Checks that a Group ID is provided and that at least + one computer identifier (IDs, Names, or Serial Numbers) is present. - | Group ID | The unique ID of the computer group in Jamf Pro that you want to - modify. | String | Yes | + 3. **Data Parsing:** Splits the comma-separated input strings into clean lists + of identifiers. - | Computer IDs | A comma-separated list of Jamf computer IDs to add (e.g., "123,456"). - | String | No | + 4. **API Request:** Constructs an XML payload for the Jamf Classic API and performs + a PUT request to the computer group endpoint (`/JSSResource/computergroups/id/{id}`). - | Computer Names | A comma-separated list of computer names to add. Note: Names - may not be unique in Jamf; the API acts on the first match. | String | No | + 5. **Response Handling:** Parses the XML response to extract the group name and + confirm the number of computers successfully added. - | Computer Serial Numbers | A comma-separated list of computer serial numbers - to add (e.g., "ABC123,DEF456"). | String | No | + 6. **Output:** Returns a summary message and a JSON object containing the operation + results. - ### Additional Notes + ### Parameters Description - * **Validation Requirement:** At least one of the following parameters must be - provided for the action to execute: `Computer IDs`, `Computer Names`, or `Computer - Serial Numbers`. + | Parameter | Type | Mandatory | Description | - * **Identification Reliability:** Using `Computer IDs` or `Computer Serial Numbers` - is recommended over `Computer Names` for more reliable identification, as names - are not strictly unique in Jamf Pro. + | :--- | :--- | :--- | :--- | + | Group ID | String | Yes | The unique numeric ID of the computer group to modify. + | - ### Flow Description + | Computer IDs | String | No | A comma-separated list of Jamf computer IDs (e.g., + "10,11,12"). | - 1. **Initialization:** The action extracts the Jamf Pro integration configuration - (API Root, Credentials, SSL settings) and the action-specific parameters. + | Computer Names | String | No | A comma-separated list of computer names. Note: + The API acts on the first matching record found if names are duplicated. | - 2. **Input Validation:** It verifies that at least one computer identifier (ID, - Name, or Serial Number) has been provided. If all are empty, the action fails. + | Computer Serial Numbers | String | No | A comma-separated list of computer serial + numbers (e.g., "C02LW5EEF8JC"). | - 3. **Data Parsing:** Comma-separated strings are parsed into clean Python lists, - removing whitespace and empty entries. - 4. **API Interaction:** The action initializes the `JamfManager`, authenticates - with Jamf Pro, and calls the `assign_to_group` method. + ### Additional Notes - 5. **Mutation:** The manager constructs an XML payload containing the computer - additions and sends a `PUT` request to the Jamf Pro Classic API endpoint (`/JSSResource/computergroups/id/{id}`). + - **Requirement:** At least one of the following parameters must be configured + for the action to run: 'Computer IDs', 'Computer Names', or 'Computer Serial Numbers'. - 6. **Result Processing:** The action parses the XML response from Jamf, extracts - the group name and the count of processed computers, and returns a summary message - and JSON result to the Google SecOps platform. + - **Reliability:** It is highly recommended to use 'Computer IDs' or 'Computer + Serial Numbers' to avoid ambiguity caused by non-unique computer names. capabilities: can_create_case_comments: false can_create_insight: false @@ -66,9 +70,9 @@ Assign to Group: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - This action modifies the membership of a computer group in Jamf Pro by adding - specified computers to it via a PUT request to the Jamf Pro Classic API. - fetches_data: false + Adds computer records to a computer group in Jamf Pro by sending a PUT request + with an XML payload to the Jamf Classic API endpoint. + fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false @@ -87,72 +91,98 @@ Assign to Group: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Computer Inventory: ai_description: >- - ### General Description - Retrieves paginated computer inventory records from Jamf Pro. This action allows - for comprehensive searching and filtering of managed computers based on attributes - like name, serial number, UDID, or user email. It supports advanced sorting and - allows users to specify which data sections (e.g., Hardware, Security, Applications) - should be included in the response to optimize performance and data relevance. + for comprehensive searching and filtering of managed computers based on specific + criteria such as name, serial number, UDID, username, or email. It supports advanced + sorting and allows users to specify which data sections (e.g., Hardware, Security, + Applications) should be included in the results to optimize performance. - ### Parameters + ### Parameters Description + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Filter | DDL | Yes | The field to filter the inventory by. Options include `general.name`, - `hardware.serialNumber`, `udid`, `userAndLocation.username`, and `userAndLocation.email`. - | + | Page | String | No | The page number to retrieve (starts at 0). | - | Filter Value | String | Yes | The specific value to search for within the selected - filter field. | + | Page Size | String | No | The number of records to return per page (default + is 100, maximum is 2000). | - | Page | String | No | The page number to retrieve for paginated results. Defaults - to "0". | + | Filter | DDL | Yes | The field to use for filtering results (e.g., `general.name`, + `hardware.serialNumber`, `udid`). | - | Page Size | String | No | The number of records to return per page. Defaults - to "100". | + | Filter Value | String | Yes | The specific value to search for in the selected + filter field. | - | Section | Multi-select | No | Specific data categories to include in the response - (e.g., `HARDWARE`, `SECURITY`, `APPLICATIONS`). Selecting `ALL` retrieves all - available data. | + | Section | Multi-Choice | No | Specific data sections to include in the response + (e.g., `HARDWARE`, `SECURITY`, `APPLICATIONS`). Defaults to `ALL`. | - | Sort | Multi-select | No | Criteria for sorting the results, including field - and direction (e.g., `general.name:asc`). | + | Sort | Multi-Choice | No | Criteria for sorting the results, including field + name and direction (e.g., `general.name:asc`). | ### Flow Description - 1. **Initialization:** The action extracts Jamf Pro API credentials and user-provided - parameters from the environment and action configuration. - 2. **Validation:** It validates that the `Page` and `Page Size` parameters are - valid integers and within acceptable ranges. + 1. **Initialization**: The action extracts the Jamf Pro API configuration and + user-provided parameters. - 3. **Query Preparation:** The action constructs a Jamf-compliant filter string - (e.g., `field=="value"`) and formats the sort criteria and requested data sections. + 2. **Validation**: It validates that `Page` and `Page Size` are valid integers + and within acceptable ranges. - 4. **Section Optimization:** If a specific filter field is used, the action automatically - ensures the corresponding data section is included in the API request to ensure - the filter can be processed correctly. + 3. **Request Construction**: It builds a filter string in the Jamf Pro API format + (e.g., `field=="value"`) and processes the sort and section selections. - 5. **API Execution:** It authenticates with the Jamf Pro API and performs a GET - request to the `/api/v1/computers-inventory` endpoint with the constructed query - parameters. + 4. **Section Optimization**: If a filter is applied to a specific field (like + UDID), the action automatically ensures the corresponding data section (like `HARDWARE`) + is included in the request if not already specified. + + 5. **API Execution**: It performs a GET request to the Jamf Pro `/api/v1/computers-inventory` + endpoint with the constructed query parameters. + + 6. **Data Processing**: The retrieved inventory data is cleaned to ensure valid + JSON formatting and to handle special characters that might cause parsing issues. - 6. **Output:** The retrieved inventory data, along with pagination and metadata, - is returned as a JSON result for further analysis or display. + 7. **Output**: The action returns the inventory results as a JSON object and provides + a summary message including the total count of records found. ### Additional Notes - This action does not operate on specific SecOps entities (like IP or Hostname) - but rather performs a global search against the Jamf Pro inventory. It is strictly - a read-only enrichment action. + + - If `Section` is set to `ALL`, the action retrieves all available data points + for the computers, which may impact performance for large datasets. + + - The action is read-only and does not modify any data within Jamf Pro. capabilities: can_create_case_comments: false can_create_insight: false @@ -164,7 +194,7 @@ Get Computer Inventory: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: true + enrichment: false entity_usage: entity_types: [] filters_by_additional_properties: false @@ -180,53 +210,76 @@ Get Computer Inventory: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Device Group Membership: ai_description: >- ### General Description - The **Get Device Group Membership** action retrieves the list of computers belonging - to a specific computer group in Jamf Pro. It provides detailed membership information, - including the total count of member devices and their basic details. This action - is compatible with both static and smart computer groups, allowing security teams - to identify all devices associated with a specific management group for further - investigation or orchestration. + Retrieves the membership information for a specific computer group from Jamf Pro. + This action fetches detailed data about all member devices within a group, supporting + both static and smart computer groups. It provides the total count of members + and the full membership data structure, which is useful for identifying devices + subject to specific policies or configurations. ### Parameters Description - | Parameter | Type | Mandatory | Description | + | Name | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Group ID | String | Yes | The unique identifier of the computer group in Jamf + | Group ID | string | Yes | The unique identifier of the computer group in Jamf Pro to retrieve membership for. | ### Flow Description 1. **Initialization**: The action initializes the Jamf Pro API manager using the - integration's configuration (API Root, Client ID, and Secret). + integration's configuration parameters, including the API Root, Client ID, and + Client Secret. - 2. **Parameter Extraction**: The action retrieves the `Group ID` provided by the - user. + 2. **Parameter Extraction**: The `Group ID` is extracted from the action input + parameters. - 3. **API Request**: It calls the Jamf Pro API endpoint `/JSSResource/computergroups/id/{id}` - to fetch the group's membership data. + 3. **API Request**: The action sends a GET request to the Jamf Pro Classic API + endpoint (`/JSSResource/computergroups/id/{id}`) to fetch membership details. - 4. **Data Processing**: The action extracts the list of computers from the response - and calculates the total member count. + 4. **Data Processing**: It parses the API response to extract the list of member + computers and calculates the total member count. - 5. **Result Delivery**: The membership data and count are added to the action's - JSON results, and a summary message is provided. + 5. **Result Output**: The membership data and count are added to the action's + JSON results, and a success message is returned to the SOAR platform. ### Additional Notes - - This action does not operate on entities; it requires the manual input of a - Group ID. - - - If the specified Group ID does not exist, the action will report that no membership - data was found. + This action does not operate on specific entities within the Google SecOps case; + it retrieves group-level data based on the provided ID. There are no parameters + that are conditionally mandatory. capabilities: can_create_case_comments: false can_create_insight: false @@ -254,56 +307,49 @@ Get Device Group Membership: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Device Information: ai_description: >- - ### General Description - - The **Get Device Information** action retrieves comprehensive details for a specific - computer managed in Jamf Pro using its unique Computer ID. This action is designed - for deep enrichment, providing technical data points such as hardware specifications, - operating system details, disk encryption status, and user/location information. - It is particularly useful for security analysts needing to verify the state or - ownership of a macOS or Windows device during an investigation. - - - ### Parameters Description - - | Parameter | Description | Type | Mandatory | - - | :--- | :--- | :--- | :--- | - - | **Computer ID** | The unique numerical identifier of the computer in Jamf Pro - for which information should be retrieved. | String | Yes | - - - ### Additional Notes - - * This action does not automatically iterate over SecOps entities (like Hostnames - or IPs). It requires the specific Jamf Computer ID to be provided as an input - parameter. - - * The action includes a data-cleaning layer that handles unescaped quotes and - special characters in the Jamf API response to ensure the resulting JSON is valid - for display in the Google SecOps UI. - - - ### Flow Description - - 1. **Authentication**: The action connects to the Jamf Pro API using OAuth2 credentials - (Client ID and Secret) to obtain a temporary access token. - - 2. **Input Validation**: The mandatory `Computer ID` parameter is extracted and - validated. - - 3. **API Request**: The action performs a GET request to the Jamf Pro `/api/v1/computers-inventory-detail/{id}` - endpoint. - - 4. **Data Sanitization**: The raw API response is processed through a cleaning - utility to escape control characters and fix common JSON structural issues found - in Jamf inventory data (e.g., within extension attributes or certificates). - - 5. **Result Delivery**: The sanitized device information is returned as a JSON - object and made available for subsequent playbook steps or UI widgets. + ### General Description\nThe **Get Device Information** action retrieves detailed + computer information from Jamf Pro using a specific Computer ID. It is designed + to provide analysts with comprehensive visibility into a managed asset, including + hardware specifications, operating system details, and user/location data.\n\n### + Parameters Description\n| Parameter | Type | Mandatory | Description |\n| :--- + | :--- | :--- | :--- |\n| **Computer ID** | String | Yes | The unique ID of the + computer in Jamf Pro to retrieve information for. |\n\n### Flow Description\n1. + **Initialize Manager**: Sets up the Jamf Pro API connection using configuration + credentials.\n2. **Fetch Data**: Executes a GET request to the Jamf Pro API for + the specific computer ID.\n3. **Sanitize Result**: Cleans the resulting JSON to + ensure special characters or malformed structures from Jamf do not break the SOAR + UI.\n4. **Return Results**: Populates the action's JSON result with the device + details.\n\n### Additional Notes\n- This action does not process entities from + the case context; it relies solely on the provided Computer ID parameter.\n- If + the device is not found, the action completes successfully but indicates no data + was found. capabilities: can_create_case_comments: false can_create_insight: false @@ -331,15 +377,40 @@ Get Device Information: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Mobile Device Inventory: ai_description: >- ### General Description - Retrieves mobile device inventory data from Jamf Pro using the v2 API. This action - allows for granular searching of mobile devices based on specific identifiers - like serial numbers or usernames, with support for pagination, sorting, and the - ability to request specific data sections (e.g., Hardware, Security, Applications) - to optimize performance. + Retrieves mobile device inventory from Jamf Pro using the v2 API. This action + allows for granular data retrieval by supporting pagination, sorting, and filtering + based on specific device attributes like serial number, UDID, or username. It + is primarily used for asset discovery and gathering detailed hardware, software, + and security configuration data for mobile devices managed within Jamf Pro. ### Parameters Description @@ -348,51 +419,47 @@ Get Mobile Device Inventory: | :--- | :--- | :--- | :--- | - | Page | String | No | The page number to retrieve (default is 0). | + | Page | String | No | The page number to retrieve (starts at 0). | | Page Size | String | No | The number of records to return per page (default - is 100, maximum is 2000). | + 100). | - | Filter | DDL | Yes | The field used to filter the inventory. Supported fields: - `serialNumber`, `udid`, `username`, `emailAddress`. | + | Filter | DDL | Yes | The attribute to filter by (serialNumber, udid, username, + emailAddress). | | Filter Value | String | Yes | The specific value to search for in the selected filter field. | - | Section | DDL | No | Specific data sections to include in the response (e.g., - `HARDWARE`, `SECURITY`, `APPLICATIONS`). Selecting `ALL` retrieves all available - data. | + | Section | DDL | No | Specifies which data sections to include (e.g., HARDWARE, + SECURITY, APPLICATIONS). Defaults to ALL. | - | Sort | Multi-choice | No | Criteria for sorting the results (e.g., `displayName:asc`). - Multiple fields can be selected. | + | Sort | Multi-choice | No | Defines the sorting order for the results (e.g., + displayName:asc). Supports over 200 sorting options. | - ### Additional Notes + ### Flow Description - - The action automatically includes the necessary data section required by the - chosen `Filter` field (e.g., if filtering by `udid`, the `HARDWARE` section is - automatically added if not already selected). + 1. **Authentication**: The action authenticates with the Jamf Pro API using provided + client credentials to obtain a bearer token. - - Page and Page Size must be valid integers. + 2. **Parameter Processing**: Validates pagination integers and constructs the + filter query string (e.g., `username=="value"`). + 3. **Section Selection**: Determines which inventory sections to request; if a + filter is used, the corresponding section is automatically included to ensure + the filter works. - ### Flow Description + 4. **Data Retrieval**: Sends a GET request to the `/api/v2/mobile-devices/detail` + endpoint with the constructed query parameters. - 1. **Parameter Extraction**: Retrieves and validates pagination, filtering, and - sorting parameters from the action configuration. + 5. **Result Handling**: Cleans the returned JSON data to ensure compatibility + and outputs the inventory records to the action results. - 2. **Section Logic**: Determines which Jamf Pro data sections are required based - on the user's filter choice to ensure the query returns the expected data. - 3. **API Authentication**: Obtains an OAuth2 bearer token from Jamf Pro using - the provided Client ID and Secret. - - 4. **Data Retrieval**: Executes a GET request to the `/api/v2/mobile-devices/detail` - endpoint with the constructed query parameters (page, page-size, sort, filter, - and sections). + ### Additional Notes - 5. **Result Processing**: Cleans the returned JSON data to ensure compatibility - with the SOAR platform and outputs the inventory details as a JSON result. + This action does not run on entities within the SOAR case; it performs a direct + search against the Jamf Pro inventory based on the provided filter parameters. capabilities: can_create_case_comments: false can_create_insight: false @@ -404,7 +471,7 @@ Get Mobile Device Inventory: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: true + enrichment: false entity_usage: entity_types: [] filters_by_additional_properties: false @@ -420,42 +487,50 @@ Get Mobile Device Inventory: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false List Computer Groups: ai_description: >- - ### General Description - - Retrieves a comprehensive list of all computer groups configured within Jamf Pro, - including both static and smart groups. This action is used to discover the organizational - structure of managed devices, providing a list of group names and identifiers - that can be used in subsequent automation steps. - - - ### Parameters Description - - This action does not require any input parameters. It utilizes the global integration - configuration for authentication and connectivity. - - - ### Flow Description - - 1. **Authentication**: The action initializes the Jamf Manager and authenticates - using the provided Client API ID and Secret to obtain an OAuth2 access token. - - 2. **API Request**: It performs a GET request to the Jamf Pro API endpoint `/api/v1/computer-groups` - to fetch all defined computer groups. - - 3. **Data Processing**: The retrieved list is processed and encapsulated into - a JSON structure. - - 4. **Result Delivery**: The action returns the list of computer groups to the - Google SecOps platform via the result JSON, making it available for playbook logic. - - - ### Additional Notes - - This is a global discovery action and does not operate on specific entities (such - as Hostnames or IPs). If no groups are found, the action will still complete successfully - but return an empty list. + ### General Description\nThis action retrieves a comprehensive list of all computer + groups configured within Jamf Pro. It includes both static groups (manually assigned) + and smart groups (criteria-based). The retrieved data is provided in a structured + JSON format, allowing for further processing or automation based on group membership + or configuration.\n\n### Parameters Description\n| Parameter Name | Type | Mandatory + | Description |\n| :--- | :--- | :--- | :--- |\n| None | N/A | N/A | This action + does not require any input parameters. |\n\n### Additional Notes\nThis action + does not require any input entities and operates at the system level to provide + visibility into the Jamf Pro environment's group structure. It is primarily used + for discovery and environment mapping.\n\n### Flow Description\n1. **Authentication**: + The action connects to the Jamf Pro API using the provided credentials (API Root, + Client ID, and Client Secret) to obtain a Bearer token.\n2. **Data Retrieval**: + It sends a GET request to the `/api/v1/computer-groups` endpoint to fetch the + list of all computer groups.\n3. **Processing**: The action parses the API response, + handling both direct list formats and potential empty results.\n4. **Output**: + The list of computer groups is attached to the action's JSON result for use in + subsequent playbook steps. capabilities: can_create_case_comments: false can_create_insight: false @@ -483,67 +558,63 @@ List Computer Groups: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: - ai_description: >- - ### General Description - - The **Ping** action is designed to verify the connectivity and authentication - configuration between Google SecOps and the Jamf Pro and Jamf Protect APIs. It - ensures that the provided credentials (Client ID and Secret) are valid and that - the network path to the API endpoints is open. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Jamf Pro API Root | String | Yes | The base URL of the Jamf Pro server (e.g., - `https://yourserver.jamfcloud.com`). | - - | Jamf Pro Client API ID | String | Yes | The API Client ID used for authentication - with Jamf Pro. | - - | Jamf Pro Client API Secret | String | Yes | The API Client Secret used for authentication - with Jamf Pro. | - - | Verify SSL | Boolean | No | If enabled (default), the action will verify the - SSL certificate of the Jamf servers. | - - | Jamf Protect API Root | String | No | The base URL of the Jamf Protect server. - Required only if testing Jamf Protect connectivity. | - - | Jamf Protect Client API ID | String | No | The API Client ID for Jamf Protect. - Required only if testing Jamf Protect connectivity. | - - | Jamf Protect Client API Secret | String | No | The API Client Secret for Jamf - Protect. Required only if testing Jamf Protect connectivity. | - - - ### Additional Notes - - - To test Jamf Protect connectivity, all three Protect-related parameters (`API - Root`, `Client ID`, and `Client Secret`) must be provided. If any are missing, - the action will only test Jamf Pro. - - - This action does not process any entities. - - - ### Flow Description - - 1. **Parameter Extraction:** Retrieves Jamf Pro and Jamf Protect configuration - details from the integration settings. - - 2. **Jamf Pro Connectivity Test:** - - Initializes the `JamfManager`. - - Attempts to obtain an OAuth2 access token via a POST request. - - Calls the Jamf Pro version endpoint (GET) to confirm API responsiveness. - 3. **Jamf Protect Connectivity Test (Optional):** - - If Protect credentials are provided, initializes the `JamfProtectManager`. - - Attempts to obtain an access token for the Jamf Protect GraphQL API. - 4. **Result Reporting:** Returns a success message if the tests pass, or a failure - message with error details if any step fails. + ai_description: "### General Description\nThe **Ping** action is a diagnostic tool\ + \ designed to verify the connectivity and authentication configuration between\ + \ Google SecOps and the Jamf Pro and Jamf Protect platforms. It ensures that the\ + \ provided API credentials (Client ID and Secret) are valid and that the network\ + \ path to the specified API roots is open.\n\n### Parameters Description\n| Parameter\ + \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Jamf Pro\ + \ API Root | String | Yes | The base URL of the Jamf Pro server (e.g., `https://yourserver.jamfcloud.com`).\ + \ |\n| Jamf Pro Client API ID | String | Yes | The Client ID used for OAuth2 authentication\ + \ with Jamf Pro. |\n| Jamf Pro Client API Secret | String | Yes | The Client Secret\ + \ used for OAuth2 authentication with Jamf Pro. |\n| Verify SSL | Boolean | No\ + \ | If enabled, the action will verify the SSL certificate of the Jamf servers.\ + \ Defaults to `True`. |\n| Jamf Protect API Root | String | No | The base URL\ + \ of the Jamf Protect server. |\n| Jamf Protect Client API ID | String | No |\ + \ The Client ID used for authentication with Jamf Protect. |\n| Jamf Protect Client\ + \ API Secret | String | No | The Client Secret used for authentication with Jamf\ + \ Protect. |\n\n### Flow Description\n1. **Parameter Extraction:** The action\ + \ retrieves the Jamf Pro configuration (Root, ID, Secret, SSL) and optional Jamf\ + \ Protect configuration from the integration settings.\n2. **Jamf Pro Connectivity\ + \ Test:** \n * Initializes the `JamfManager`.\n * Attempts to obtain an\ + \ OAuth access token using the provided Client ID and Secret.\n * Performs\ + \ a GET request to the `/api/v1/jamf-pro-version` endpoint to confirm the API\ + \ is responsive.\n3. **Jamf Protect Connectivity Test (Optional):** \n * If\ + \ all Jamf Protect parameters (Root, ID, Secret) are provided, the action initializes\ + \ the `JamfProtectManager`.\n * Attempts to obtain an access token from the\ + \ Jamf Protect authentication endpoint.\n4. **Result Reporting:** If the connection\ + \ tests are successful, the action completes with a success message. If any step\ + \ fails (e.g., authentication error, timeout), it returns a failure status with\ + \ the error details.\n\n### Additional Notes\n* Jamf Protect connectivity is only\ + \ tested if all three related parameters are configured. If any are missing, the\ + \ Protect test is skipped.\n* This action does not process any entities and is\ + \ strictly for system health checks." capabilities: can_create_case_comments: false can_create_insight: false @@ -571,57 +642,82 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Remote Lock Managed Device: ai_description: >- - ### General Description + Remotely locks a managed computer using Jamf Pro MDM commands. This action is + specifically designed for computer objects within Jamf. It triggers a device lock + screen that prevents user access until a specific PIN is entered. The action also + allows for a custom message and a contact phone number to be displayed on the + lock screen. Note that this action requires the computer's management ID, which + it retrieves automatically using the provided Computer ID. - Remotely lock a managed computer using Jamf Pro MDM commands. This action is designed - specifically for computers. It locks the device screen and can optionally display - a custom message and phone number. For mobile device lock functionality, use the - "Remote Lock Mobile Device" action instead. + ### Flow Description: - ### Parameters Description + 1. **Authentication**: Connects to the Jamf Pro API using provided credentials + to obtain an access token. - | Parameter | Type | Mandatory | Description | + 2. **Management ID Retrieval**: Fetches detailed inventory information for the + specified Computer ID to extract the required `managementId`. - | :--- | :--- | :--- | :--- | + 3. **Command Execution**: Sends a `DEVICE_LOCK` MDM command to the Jamf Pro API + targeting the retrieved management ID. - | Computer ID | String | Yes | The ID of the computer to lock. | + 4. **Result Processing**: Captures the API response and provides a summary of + the command initiation status. - | PIN | String | Yes | A 6-digit PIN code required to unlock the device. Note: - While the configuration might suggest this is optional, the underlying logic requires - a valid 6-digit numeric PIN to execute the lock command. | - | Message | String | No | Optional custom message to display on the locked device - screen. | - - | Phone Number | String | No | Optional phone number to display on the locked - device screen for contact. | + ### Parameters Description: + | Parameter Name | Type | Mandatory | Description | - ### Flow Description + | :--- | :--- | :--- | :--- | - 1. **Authentication**: The action authenticates with the Jamf Pro API using the - provided Client ID and Secret to obtain a bearer token. + | Computer ID | String | Yes | The unique identifier of the computer in Jamf Pro + that you wish to lock. | - 2. **Management ID Retrieval**: It retrieves the detailed inventory for the specified - Computer ID to obtain the `managementId` required for MDM commands. + | PIN | String | Yes | A 6-digit numeric code required to unlock the device. Although + marked as optional in some configurations, the underlying logic requires a valid + 6-digit PIN for the command to succeed. | - 3. **Command Initiation**: It sends a `DEVICE_LOCK` MDM command to the Jamf Pro - API targeting the specific `managementId`. The command payload includes the PIN - and any optional display information (message/phone number). + | Message | String | No | An optional custom message to display on the device's + lock screen (e.g., "This device has been locked by Security"). | - 4. **Result Reporting**: The action captures the API response, adds the command - details to the JSON results, and provides a success or failure message to the - case wall. + | Phone Number | String | No | An optional phone number to display on the lock + screen for the user to contact support. | - ### Additional Notes + ### Additional Notes: - - This action is intended for macOS computers managed by Jamf Pro. + - This action is intended for computers; for mobile devices (iOS/iPadOS), use + the "Remote Lock Mobile Device" action. - - The PIN must be exactly 6 digits long. + - The PIN must be exactly 6 digits. capabilities: can_create_case_comments: false can_create_insight: false @@ -630,8 +726,9 @@ Remote Lock Managed Device: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Sends a 'DEVICE_LOCK' MDM command to the Jamf Pro API to remotely lock a managed - computer, changing the state of the physical device. + Sends a 'DEVICE_LOCK' MDM command to the Jamf Pro API, which changes the state + of the physical or virtual managed computer by locking its screen and requiring + a PIN for access. fetches_data: true internal_data_mutation_explanation: null categories: @@ -651,47 +748,76 @@ Remote Lock Managed Device: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: true + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Remote Lock Mobile Device: ai_description: >- - Remotely locks a managed mobile device using Jamf Pro MDM commands. This action + ### General Description + + Remotely lock a managed mobile device using Jamf Pro MDM commands. This action is used to secure a device by locking its screen, preventing unauthorized access. - It allows for an optional custom message and a contact phone number to be displayed - on the locked screen. + It allows for an optional custom message and phone number to be displayed on the + locked screen. ### Parameters Description - | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | | Mobile Device ID | String | Yes | The unique identifier of the mobile device - in Jamf Pro that you wish to lock. | + in Jamf Pro. | - | Message | String | No | An optional custom message to display on the device's - lock screen (e.g., 'This device has been locked by IT'). | + | Message | String | No | A custom message to display on the device's lock screen. + | - | Phone Number | String | No | An optional phone number to display on the lock - screen so the user can contact the administrator. | + | Phone Number | String | No | A contact phone number to display on the device's + lock screen. | ### Flow Description + 1. **Authentication**: The action authenticates with the Jamf Pro API using the + provided credentials. + + 2. **Device Lookup**: It retrieves the detailed information for the specified + `Mobile Device ID` to obtain the necessary `managementId` required for MDM commands. - 1. **Authentication**: The action authenticates with the Jamf Pro API using the - provided Client ID and Secret to obtain a bearer token. + 3. **Command Execution**: It sends a `DEVICE_LOCK` MDM command to the Jamf Pro + server for the target device. - 2. **Device Identification**: It retrieves the detailed inventory information - for the specified `Mobile Device ID` to obtain the necessary `managementId` required - for MDM commands. + 4. **Result Processing**: The action captures the response from Jamf Pro and outputs + the command initiation status and details as a JSON result. - 3. **Command Execution**: It sends a `DEVICE_LOCK` MDM command to the Jamf Pro - `/api/v2/mdm/commands` endpoint, targeting the specific device's management ID. - 4. **Result Processing**: The action captures the API response, logs the command - details (including whether a message or phone number was used), and returns a - success or failure status to Google SecOps. + ### Additional Notes + + This action requires the Jamf Pro API user to have sufficient permissions to send + MDM commands and view mobile device inventory. capabilities: can_create_case_comments: false can_create_insight: false @@ -700,8 +826,8 @@ Remote Lock Mobile Device: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Sends a 'DEVICE_LOCK' MDM command to Jamf Pro to remotely lock a managed mobile - device, changing the physical state of the device to a locked screen. + Sends a 'DEVICE_LOCK' MDM command to Jamf Pro, which remotely locks the screen + of the target mobile device. fetches_data: true internal_data_mutation_explanation: null categories: @@ -721,50 +847,76 @@ Remote Lock Mobile Device: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: true + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Update Extension Attribute: ai_description: >- ### General Description - Updates a specific extension attribute for a computer managed in Jamf Pro. This - action allows security analysts to programmatically modify computer metadata, - such as department assignments, asset tags, or custom status fields, directly - from Google SecOps. + Updates a single extension attribute for a specific computer managed in Jamf Pro. + This action allows analysts to modify custom metadata, such as department, tags, + or location, directly within the Jamf Pro inventory. ### Parameters Description - | Parameter Name | Type | Mandatory | Description | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Computer ID | string | Yes | The unique identifier of the computer in Jamf Pro - that needs to be updated. | + | Computer ID | String | Yes | The unique identifier of the computer in Jamf Pro. + | - | Extension Attribute Name | string | Yes | The display name of the extension - attribute to update. The action will automatically resolve this name to its internal - Jamf ID. | + | Extension Attribute Name | String | Yes | The name of the extension attribute + to be updated. | - | Values | string | Yes | A comma-separated list of values to assign to the extension - attribute. | + | Values | String | Yes | A comma-separated list of values to assign to the attribute. + | ### Flow Description - 1. **Initialization:** Extracts the Jamf Pro API configuration and action parameters - (Computer ID, Attribute Name, and Values). + 1. **Attribute Resolution**: The action fetches all available computer extension + attributes from Jamf Pro to map the provided name to its internal definition ID. + + 2. **Validation**: It verifies that the specified attribute name exists in the + Jamf Pro environment. - 2. **Value Parsing:** Converts the comma-separated 'Values' string into a list, - ensuring at least one value is provided. + 3. **API Update**: It constructs a PATCH request containing the new values and + sends it to the Jamf Pro computer inventory endpoint. - 3. **Attribute Resolution:** Fetches the complete list of computer extension attributes - from the Jamf Pro API to find the `definitionId` associated with the provided - 'Extension Attribute Name'. + 4. **Result Processing**: The action captures the API response, providing details + about the updated computer and the values set. - 4. **Update Execution:** Sends a PATCH request to the Jamf Pro API for the specified - Computer ID, updating the targeted extension attribute with the new values. - 5. **Result Handling:** Retrieves the updated computer details (Name, Serial Number, - Platform) and provides a summary message and full JSON result of the operation. + ### Additional Notes + + - This action performs a case-insensitive search for the attribute name. + + - Multiple values are supported for attributes that allow them. capabilities: can_create_case_comments: false can_create_insight: false @@ -773,8 +925,8 @@ Update Extension Attribute: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the value of a specific extension attribute for a computer in Jamf Pro - using a PATCH request to the computer inventory detail endpoint. + Updates the extension attribute values of a computer record in Jamf Pro using + a PATCH request. fetches_data: true internal_data_mutation_explanation: null categories: @@ -794,38 +946,91 @@ Update Extension Attribute: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Update Protect Prevent List: - ai_description: "### General Description\nThe **Update Protect Prevent List** action\ - \ allows security administrators to modify an existing prevent list within Jamf\ - \ Protect. This action is primarily used for containment by adding new indicators\u2014\ - such as file hashes, Team IDs, or Signing IDs\u2014to a blocklist to prevent malicious\ - \ activity on managed macOS devices.\n\n### Parameters Description\n| Parameter\ - \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| **Prevent\ - \ List Name** | String | Yes | The exact name of the existing prevent list in\ - \ Jamf Protect that you wish to update. |\n| **Prevent List Description** | String\ - \ | No | An optional field to update the description of the prevent list. If left\ - \ blank, the existing description is preserved. |\n| **Prevent Type** | DDL |\ - \ Yes | The type of indicators the list contains. Options include `File Hash`,\ - \ `Signing Information - Team ID`, `Signing Information - Code Directory Hash`,\ - \ and `Signing Information - Signing ID`. **Note:** This must match the type of\ - \ the existing list. |\n| **Prevent List Data** | String | Yes | A comma-separated\ - \ list of the new indicators (e.g., SHA-256 hashes) to be added to the prevent\ - \ list. |\n| **Prevent List Tags** | String | No | A comma-separated list of tags\ - \ to be added to the prevent list. |\n\n### Flow Description\n1. **Authentication**:\ - \ Connects to the Jamf Protect API using the provided credentials.\n2. **List\ - \ Retrieval**: Fetches all available prevent lists from the Jamf Protect environment.\n\ - 3. **Target Identification**: Searches for a list matching the provided **Prevent\ - \ List Name**.\n4. **Validation**: Verifies that the target list exists and that\ - \ the provided **Prevent Type** matches the list's current configuration (as Jamf\ - \ Protect does not allow changing the type of an existing list).\n5. **Data Merging**:\ - \ Combines the new indicators and tags with the existing ones, ensuring all entries\ - \ are unique and properly formatted.\n6. **Indicator Validation**: Performs regex-based\ - \ validation on the new indicators (e.g., ensuring file hashes are valid SHA-1\ - \ or SHA-256 strings).\n7. **Update Execution**: Sends a GraphQL mutation to Jamf\ - \ Protect to apply the updates to the prevent list.\n\n### Additional Notes\n\ - - This action does not run on entities; it relies entirely on the provided input\ - \ parameters.\n- The action will fail if the specified list name is not found\ - \ or if the indicator formats are invalid for the selected type." + ai_description: >- + Updates an existing prevent list in Jamf Protect to include additional indicators + such as file hashes, Team IDs, or signing identifiers. This action is primarily + used for containment by expanding the scope of blocked items on managed macOS + devices. + + + ### Flow Description + + 1. **Authentication**: Initializes the Jamf Protect Manager and obtains a GraphQL + access token. + + 2. **List Retrieval**: Fetches all existing prevent lists from Jamf Protect to + locate the target list by name. + + 3. **Validation**: Verifies that the target list exists and that the provided + 'Prevent Type' matches the existing list's configuration (the type cannot be changed + during an update). + + 4. **Data Merging**: Parses the new indicators and tags from comma-separated strings, + then merges and deduplicates them with the existing data in the list. + + 5. **Indicator Validation**: Validates the format of the new indicators (e.g., + checking for valid SHA-1/SHA-256 hashes or Apple Team IDs) based on the prevent + type. + + 6. **External Update**: Executes a GraphQL mutation to update the prevent list + in Jamf Protect with the merged data. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Prevent List Name | String | Yes | The exact name of the existing prevent list + to be updated. | + + | Prevent List Description | String | No | An optional updated description for + the prevent list. If left empty, the existing description is preserved. | + + | Prevent Type | DDL | Yes | The category of indicators being added (e.g., File + Hash, Team ID). This must match the type of the existing list. | + + | Prevent List Data | String | Yes | A comma-separated list of identifiers (hashes, + IDs) to add to the prevent list. | + + | Prevent List Tags | String | No | A comma-separated list of tags to associate + with the prevent list. | + + + ### Additional Notes + + - This action performs a 'merge' operation; it does not overwrite existing indicators + but appends new ones to the list. + + - The 'Prevent Type' is strictly enforced; if you attempt to update a 'File Hash' + list using 'Team ID' data, the action will fail. capabilities: can_create_case_comments: false can_create_insight: false @@ -834,8 +1039,8 @@ Update Protect Prevent List: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates an existing prevent list in Jamf Protect by adding new indicators (hashes, - IDs) and tags via a GraphQL mutation. + Updates an existing prevent list configuration in Jamf Protect by adding new + indicators and tags via a GraphQL mutation. fetches_data: true internal_data_mutation_explanation: null categories: @@ -855,67 +1060,58 @@ Update Protect Prevent List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: true + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Wipe Managed Device: - ai_description: >- - ### General Description - - Remotely erases a managed computer using the Jamf Pro `ERASE_DEVICE` MDM command. - This action is designed for security containment, allowing administrators to wipe - a compromised or lost computer to prevent data exfiltration. It is specifically - intended for computers; for mobile devices, use the 'Wipe Mobile Device' action. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Computer ID | String | Yes | The unique identifier of the computer to erase - in Jamf Pro. | - - | PIN | String | Yes | Optional 6-digit PIN for the erase command. Note: While - marked mandatory in the configuration, it can be left as an empty string if not - required by the target device. | - - | Obliteration Behavior | DDL | Yes | Defines how the device should be obliterated - during the erase process. Options: Default, DoNotObliterate, ObliterateWithWarning, - Always. | - - | Return to Service | Boolean | Yes | Whether to enable 'Return to Service' after - the erase, allowing the device to automatically re-enroll. | - - | MDM Profile Data | String | No | Base64-encoded MDM profile data for Return - to Service. Required if 'Return to Service' is enabled. | - - | WiFi Profile Data | String | No | Base64-encoded WiFi profile data for Return - to Service. Required if 'Return to Service' is enabled. | - - - ### Additional Notes - - - If **Return to Service** is enabled, at least one of **MDM Profile Data** or - **WiFi Profile Data** must be provided, or the action will fail with a validation - error. - - - The **PIN**, if provided, must be exactly a 6-digit number. - - - ### Flow Description - - 1. **Authentication**: Obtains an OAuth access token from the Jamf Pro API. - - 2. **Management ID Retrieval**: Fetches the detailed inventory for the specified - `Computer ID` to retrieve its `managementId`. - - 3. **Validation**: Validates the PIN format and ensures Return to Service requirements - are met. - - 4. **Command Execution**: Sends a POST request to the Jamf Pro MDM commands endpoint - with the `ERASE_DEVICE` command type and specified parameters. - - 5. **Result Reporting**: Returns the initiation status of the MDM command and - detailed execution metadata. + ai_description: "Remotely erases or wipes a managed computer using the Jamf Pro\ + \ `ERASE_DEVICE` MDM command. This action is specifically designed for macOS computers\ + \ and allows for granular control over the wipe process, including obliteration\ + \ behavior and 'Return to Service' configurations. \n\n### Flow Description:\n\ + 1. **Authentication:** Initializes a connection to the Jamf Pro API using provided\ + \ credentials.\n2. **Management ID Retrieval:** Fetches the device's `managementId`\ + \ using the provided `Computer ID` to ensure the command is routed correctly.\n\ + 3. **Command Construction:** Builds the `ERASE_DEVICE` MDM command payload, incorporating\ + \ the PIN, obliteration behavior, and optional Return to Service profiles (MDM\ + \ and WiFi).\n4. **Execution:** Sends the POST request to the Jamf Pro MDM commands\ + \ endpoint to initiate the wipe.\n5. **Reporting:** Returns the initiation status\ + \ and command details as a JSON result.\n\n### Parameters Description:\n| Parameter\ + \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Computer\ + \ ID | String | Yes | The unique identifier of the computer in Jamf Pro to be\ + \ erased. |\n| PIN | String | Yes | A 6-digit PIN required for the erase command\ + \ on certain hardware. |\n| Obliteration Behavior | DDL | Yes | Specifies how\ + \ the device should be obliterated (Default, DoNotObliterate, ObliterateWithWarning,\ + \ Always). |\n| Return to Service | Boolean | Yes | If enabled, the device will\ + \ attempt to re-enroll automatically after the wipe. |\n| MDM Profile Data | String\ + \ | No | Base64-encoded MDM profile data required if 'Return to Service' is enabled.\ + \ |\n| WiFi Profile Data | String | No | Base64-encoded WiFi profile data required\ + \ if 'Return to Service' is enabled to provide network connectivity. |\n\n###\ + \ Additional Notes:\n* This action is intended for computers only; use the 'Wipe\ + \ Mobile Device' action for iOS/iPadOS devices.\n* If 'Return to Service' is enabled,\ + \ at least one profile (MDM or WiFi) should typically be provided to ensure the\ + \ device can reconnect and re-enroll." capabilities: can_create_case_comments: false can_create_insight: false @@ -924,8 +1120,8 @@ Wipe Managed Device: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Initiates an ERASE_DEVICE MDM command in Jamf Pro, which remotely wipes all - data from the target managed computer. + Initiates an ERASE_DEVICE MDM command in Jamf Pro which remotely wipes the target + managed computer. fetches_data: true internal_data_mutation_explanation: null categories: @@ -945,72 +1141,96 @@ Wipe Managed Device: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: true + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Wipe Mobile Device: ai_description: >- - Remotely erases or wipes a managed mobile device using the Jamf Pro ERASE_DEVICE - MDM command. This action is primarily used for containment when a device is lost, - stolen, or compromised. It supports advanced configurations such as preserving - eSIM data plans, disabling proximity setup on reboot, and enabling 'Return to - Service' by providing MDM and WiFi profiles. + ### General Description + Remotely erase or wipe a managed mobile device using the Jamf Pro `ERASE_DEVICE` + MDM command. This containment action is designed to secure lost or compromised + devices by performing a full factory reset. It supports advanced configuration + options such as preserving eSIM data plans and enabling "Return to Service," which + allows a device to automatically re-enroll in MDM after being wiped, provided + the necessary profile data is supplied. - ### Parameters Description + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Mobile Device ID | string | Yes | The unique identifier of the mobile device - in Jamf Pro to be erased. | + | Mobile Device ID | string | Yes | The ID of the mobile device to erase. | - | Preserve Data Plan | boolean | No | If set to true, preserves the data plan - on devices with eSIM functionality (iOS 11+). Default is false. | + | Preserve Data Plan | boolean | No | Whether to preserve the data plan on a mobile + device with eSIM functionality (iOS 11+). | - | Disallow Proximity Setup | boolean | No | If set to true, disables Proximity - Setup on the next reboot and skips the pane in Setup Assistant (iOS 11+). Default - is false. | + | Disallow Proximity Setup | boolean | No | Whether to disable Proximity Setup + on the next reboot and skip the pane in Setup Assistant (iOS 11+). | - | Return to Service | boolean | Yes | Whether to enable the 'Return to Service' - feature, allowing the device to automatically re-enroll after the wipe. Default - is true. | + | Return to Service | boolean | Yes | Whether to enable return to service after + erase (requires MDM profile data). | - | MDM Profile Data | string | No | Base64-encoded MDM profile data required if - 'Return to Service' is enabled. | + | MDM Profile Data | string | No | Base64-encoded MDM profile data for return + to service. | - | WiFi Profile Data | string | No | Base64-encoded WiFi profile data required - if 'Return to Service' is enabled to allow the device to connect to the network. - | + | WiFi Profile Data | string | No | Base64-encoded WiFi profile data for return + to service. | - | Bootstrap Token | string | No | Base64-encoded bootstrap token for the device, - used if 'Return to Service' is enabled. | + | Bootstrap Token | string | No | Base64 encoded bootstrap token for the device. + | - ### Additional Notes + ### Flow Description - - This action does not run on entities; it requires a specific 'Mobile Device - ID' provided as a parameter. + 1. **Parameter Extraction**: The action retrieves the Jamf Pro API configuration + and the specific mobile device ID and wipe options from the input parameters. - - If 'Return to Service' is enabled, it is highly recommended to provide at least - one profile (MDM or WiFi) to ensure the device can successfully re-enroll. + 2. **Authentication**: It authenticates with the Jamf Pro API using the provided + Client ID and Secret to obtain a bearer token. + 3. **Device Context Retrieval**: It fetches the detailed inventory information + for the specified mobile device to retrieve its `managementId`, which is required + for MDM commands. - ### Flow Description + 4. **Command Execution**: It constructs and sends an `ERASE_DEVICE` MDM command + to the Jamf Pro API, including optional settings like data plan preservation and + "Return to Service" profiles. - 1. **Authentication**: The action authenticates with the Jamf Pro API using OAuth2 - client credentials. + 5. **Result Reporting**: The action captures the response from Jamf Pro and reports + the command initiation status and details back to the SecOps platform. - 2. **Device Lookup**: It retrieves the specific management ID for the mobile device - using the provided 'Mobile Device ID'. - 3. **Command Construction**: It builds an ERASE_DEVICE MDM command payload, incorporating - optional flags for data plans and setup behavior. + ### Additional Notes - 4. **Execution**: The action sends a POST request to the Jamf Pro MDM commands - endpoint to initiate the wipe. + - The "Return to Service" feature requires MDM profile data to be effective. - 5. **Result Reporting**: It returns a JSON object containing the API response - from Jamf and the details of the command initiated. + - Prior to iOS 14, the "Disallow Proximity Setup" option should not be used with + any other option. capabilities: can_create_case_comments: false can_create_insight: false @@ -1019,8 +1239,8 @@ Wipe Mobile Device: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Initiates an ERASE_DEVICE MDM command in Jamf Pro, which remotely wipes all - data and settings from the target mobile device. + Sends an ERASE_DEVICE MDM command to Jamf Pro to remotely wipe the specified + mobile device. fetches_data: true internal_data_mutation_explanation: null categories: @@ -1040,3 +1260,28 @@ Wipe Mobile Device: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: true + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/partner/jamf/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/jamf/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..fc37bcee9 --- /dev/null +++ b/content/response_integrations/third_party/partner/jamf/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: true + cloud_security: false + collaboration: false + edr: true + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/netappransomwareresilience/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/netappransomwareresilience/resources/ai/actions_ai_description.yaml index 96a1130a5..9c2d29765 100644 --- a/content/response_integrations/third_party/partner/netappransomwareresilience/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/netappransomwareresilience/resources/ai/actions_ai_description.yaml @@ -2,11 +2,10 @@ Check Job Status: ai_description: >- ### General Description - The **Check Job Status** action is designed to retrieve the current status of - an asynchronous task previously initiated within the NetApp Ransomware Resilience - Service (RRS). This action is essential for workflows that involve long-running - operations, such as volume snapshots or taking volumes offline, allowing the SOAR - platform to poll for completion before proceeding to subsequent steps. + Checks the status of a previously triggered asynchronous job within the NetApp + Ransomware Resilience Service (RRS). This action is typically used in playbooks + to poll for the completion of long-running tasks like snapshot creation or volume + management. ### Parameters Description @@ -15,40 +14,34 @@ Check Job Status: | :--- | :--- | :--- | :--- | - | **Source** | String | Yes | The identifier for the source system (e.g., "rps-agent"). + | Source | string | Yes | The source identifier of the request (e.g., 'rps-agent'). | - | **Agent ID** | String | Yes | The unique identifier for the Console Agent associated - with the job. | + | Agent ID | string | Yes | The Console Agent ID associated with the job. | - | **Job ID** | String | Yes | The specific identifier of the job whose status - is being queried. | + | Job ID | string | Yes | The unique identifier for the job whose status is being + queried. | ### Flow Description - 1. **Parameter Extraction:** The action retrieves the `Source`, `Agent ID`, and - `Job ID` from the user-provided inputs. + 1. **Initialization**: Sets up the API manager and handles OAuth authentication. - 2. **Authentication:** It utilizes the `ApiManager` to ensure a valid OAuth2 token - is available for communication with the NetApp BlueXP API. + 2. **Parameter Extraction**: Retrieves the Source, Agent ID, and Job ID from the + action inputs. - 3. **API Request:** A GET request is dispatched to the RRS job status endpoint, - passing the provided identifiers as query parameters. + 3. **API Request**: Executes a GET request to the RRS job status endpoint using + the provided identifiers. - 4. **Result Processing:** The API response, containing the job's current state - and details, is captured and attached to the action's JSON result. - - 5. **Completion:** The action concludes by reporting whether the status retrieval - was successful. + 4. **Result Processing**: Captures the API response and returns it as a JSON object + to the SOAR platform, indicating whether the job is still in progress, completed, + or failed. ### Additional Notes - * This action does not operate on SOAR entities; it relies entirely on the provided - input parameters. - - * It is a read-only operation and does not modify any data in the NetApp environment. + This action does not operate on entities and requires specific IDs generated by + previous actions in the workflow. capabilities: can_create_case_comments: false can_create_insight: false @@ -60,7 +53,7 @@ Check Job Status: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: true + enrichment: false entity_usage: entity_types: [] filters_by_additional_properties: false @@ -76,48 +69,67 @@ Check Job Status: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Enrich IP Address: ai_description: >- - ### General Description - Enriches a specific IP address with threat intelligence data from the NetApp Ransomware - Resilience Service (RRS). This action allows users to retrieve contextual information - about an IP to assist in security investigations and ransomware impact analysis. + Resilience Service (RRS). This action allows analysts to retrieve contextual security + information about an IP to assist in investigation and response. - ### Parameters Description + ### Flow Description: - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | + 1. **Authentication**: Initializes the API manager and ensures a valid OAuth token + is available for the NetApp RRS API. - | IP Address | String | Yes | The specific IP address that needs to be enriched - with threat intelligence data. | + 2. **Parameter Extraction**: Retrieves the mandatory 'IP Address' parameter provided + by the user or playbook. + 3. **Data Retrieval**: Executes a POST request to the RRS enrichment endpoint + (`enrich/ip-address`) with the target IP. - ### Additional Notes + 4. **Result Processing**: Captures the API response and attaches it as a JSON + result to the action output for use in downstream tasks. - This action does not automatically iterate over entities in the Google SecOps - case. It requires the IP address to be provided explicitly as a parameter, which - can be mapped from an entity or a previous action's output. + ### Parameters Description: - ### Flow Description + | Parameter Name | Type | Mandatory | Description | - 1. **Initialization**: The action initializes the API manager and handles OAuth2 - authentication with the NetApp service using stored credentials. + | :--- | :--- | :--- | :--- | - 2. **Parameter Extraction**: The target IP address is extracted from the action's - input parameters. + | IP Address | String | Yes | The specific IP address to be enriched with threat + intelligence. | - 3. **External API Call**: The action sends a POST request to the NetApp RRS enrichment - endpoint (`enrich/ip-address`) containing the IP address. - 4. **Data Processing**: The retrieved threat intelligence data is received from - the external service. + ### Additional Notes: - 5. **Output**: The enrichment data is attached as a JSON result to the action, - and the action completes with a success message. + This action does not automatically process entities from the SOAR case; it requires + the IP address to be passed explicitly as a parameter. capabilities: can_create_case_comments: false can_create_insight: false @@ -145,14 +157,40 @@ Enrich IP Address: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Enrich Storage: ai_description: >- ### General Description Retrieves detailed volume and storage information for a specific agent and system from the NetApp Ransomware Resilience Service (RRS). This action is used to gather - context about the storage environment during an investigation, providing metadata - that can help identify the scope of potential ransomware impact. + technical metadata about storage resources to assist in security analysis and + resilience verification. It provides visibility into the state and configuration + of storage assets managed by NetApp. ### Parameters Description @@ -161,33 +199,36 @@ Enrich Storage: | :--- | :--- | :--- | :--- | - | Agent ID | String | Yes | The unique identifier for the Console Agent associated - with the storage system. | + | Agent ID | String | Yes | The unique identifier for the Console Agent. | - | System ID | String | Yes | The unique identifier for the Storage System to be - enriched. | + | System ID | String | Yes | The unique identifier for the Storage System. | ### Flow Description - 1. **Parameter Extraction**: The action extracts the mandatory `Agent ID` and - `System ID` from the input parameters. + 1. **Initialization**: Sets up the API manager and authenticates with the NetApp + RRS using the integration's configured credentials (Client ID, Client Secret, + and Account ID). + + 2. **Parameter Extraction**: Retrieves the `Agent ID` and `System ID` from the + action input parameters. - 2. **Authentication**: The `ApiManager` initializes and handles OAuth2 authentication - with the NetApp BlueXP service to obtain a valid bearer token. + 3. **Data Retrieval**: Executes a GET request to the RRS `enrich/storage` endpoint + using the provided IDs as query parameters. - 3. **Data Retrieval**: The action performs a GET request to the RRS enrichment - endpoint (`enrich/storage`) using the provided IDs as query parameters. + 4. **Result Processing**: Captures the JSON response containing storage enrichment + data. - 4. **Result Processing**: The retrieved storage metadata is parsed and attached - to the action's output as a JSON result for use in subsequent playbook logic. + 5. **Completion**: Attaches the raw JSON results to the action output and marks + the execution as successful. ### Additional Notes - This action does not operate on SecOps entities (like IP or Hostname). It requires - specific identifiers provided directly as action parameters. If the API call fails, - the action will return a failed status and an empty result list. + This action does not operate on standard SOAR entities (such as IP addresses or + Hostnames). It requires specific NetApp-specific identifiers provided as manual + inputs or mapped from previous playbook steps. There are no internal mutations + (like insights or entity updates) performed by this action. capabilities: can_create_case_comments: false can_create_insight: false @@ -199,7 +240,7 @@ Enrich Storage: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: true + enrichment: false entity_usage: entity_types: [] filters_by_additional_properties: false @@ -215,53 +256,69 @@ Enrich Storage: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: ai_description: >- ### General Description - Tests the connectivity between Google SecOps and the NetApp Ransomware Resilience - Service. This action ensures that the integration is correctly configured and - that the service is reachable using the provided credentials. + The **Ping** action is a diagnostic utility designed to verify the connectivity + and authentication configuration between Google SecOps and the NetApp Ransomware + Resilience Service (RRS). Its primary purpose is to ensure that the integration + can successfully communicate with the external API using the provided credentials. ### Parameters Description - There are no action-specific parameters for this action. It utilizes the following - global integration configuration parameters: - - * **Client ID**: The OAuth client ID used for authentication. - - * **Client Secret**: The OAuth client secret used for authentication. + This action does not require any input parameters. - * **Account ID**: The NetApp account identifier. - * **Verify SSL**: A boolean flag to enable or disable SSL certificate validation - for API requests. - - - ### Additional Notes - - This action is primarily used for troubleshooting and verifying the initial setup - of the NetApp Ransomware Resilience integration. It does not process any entities. + ### Flow Description + 1. **Initialization**: The action initializes the `ApiManager`, which retrieves + the integration's configuration parameters (Client ID, Client Secret, and Account + ID). - ### Flow Description + 2. **Authentication Attempt**: The `ApiManager` checks for a valid OAuth token + in encrypted storage. If the token is missing or expired, it attempts to generate + a new one by making a POST request to the NetApp Auth0 endpoint. - 1. **Initialization**: The action initializes the API manager and retrieves the - integration's global configuration parameters. + 3. **Connectivity Validation**: The action verifies if a valid token is obtained, + effectively testing the reachability of the RRS service and the validity of the + credentials. - 2. **Authentication Check**: It checks if a valid OAuth token already exists in - the encrypted credential storage. + 4. **Result Reporting**: The action returns a success message if the connection + is established or a failure message with error details if the authentication or + connection fails. - 3. **Token Generation**: If no valid token is found or if the existing token is - expired, it sends a POST request to the NetApp Auth0 endpoint to generate a new - access token. - 4. **Validation**: It verifies the token's validity to ensure the service is reachable - and the credentials are correct. + ### Additional Notes - 5. **Completion**: Returns a success status if authentication succeeds, or a failure - status with a descriptive error message if any step fails. + This action is a standard connectivity test and does not perform any data enrichment, + entity modification, or external state changes. capabilities: can_create_case_comments: false can_create_insight: false @@ -270,7 +327,7 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false @@ -289,48 +346,78 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Take Snapshot: ai_description: >- - ### General Description - Triggers the creation of a volume snapshot using the NetApp Ransomware Resilience - Service (RRS). This action is designed to create a point-in-time recovery point - for a specific storage volume, serving as a critical defensive measure in ransomware - mitigation and data protection workflows. + Service (RRS). This action is used to create a point-in-time recovery point for + a specific storage volume, which is a critical step in ransomware mitigation and + data protection strategies. It requires specific identifiers for the volume, agent, + and storage system to execute the request via the NetApp BlueXP API. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Parameter Extraction**: The action retrieves the mandatory 'Volume ID', 'Agent + ID', and 'System ID' from the input parameters. - | :--- | :--- | :--- | :--- | + 2. **Authentication**: It initializes the API Manager, which handles OAuth token + generation and management using encrypted storage. - | Volume ID | String | Yes | The unique identifier of the volume for which the - snapshot will be created. | + 3. **API Request**: A POST request is sent to the NetApp RRS endpoint (`storage/take-snapshot`) + with the provided volume and system identifiers. - | Agent ID | String | Yes | The console agent ID associated with the NetApp storage - environment. | + 4. **Result Processing**: The action captures the API response (containing snapshot + or job details), adds it to the JSON results, and reports the execution status + (Completed or Failed) to the SOAR platform. - | System ID | String | Yes | The identifier of the storage system where the target - volume resides. | + ### Parameters Description - ### Flow Description + | Parameter | Type | Mandatory | Description | - 1. **Initialization**: The action initializes the `ApiManager`, which handles - OAuth2 authentication and token management for the NetApp RRS API. + | :--- | :--- | :--- | :--- | + + | Volume ID | String | Yes | The unique identifier of the storage volume to be + snapshotted. | + + | Agent ID | String | Yes | The console agent ID associated with the NetApp environment. + | + + | System ID | String | Yes | The unique identifier of the storage system where + the volume resides. | - 2. **Parameter Extraction**: It retrieves the `Volume ID`, `Agent ID`, and `System - ID` from the action input parameters. - 3. **API Execution**: The action sends a POST request to the `storage/take-snapshot` - endpoint of the Ransomware Resilience Service. + ### Additional Notes - 4. **Result Processing**: It captures the API response, which typically includes - job or snapshot details, and attaches it as a JSON result to the action. + - This action does not process or iterate over SOAR entities (e.g., IP, Hostname). + It relies entirely on the provided string parameters. - 5. **Completion**: The action reports a successful status if the snapshot creation - was triggered or a failure status if an API or connection error occurred. + - The action performs a state-changing operation in the external NetApp environment. capabilities: can_create_case_comments: false can_create_insight: false @@ -339,9 +426,9 @@ Take Snapshot: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new volume snapshot in the NetApp storage system via the Ransomware - Resilience Service API, which is a state-changing operation on the storage infrastructure. - fetches_data: false + Initiates the creation of a new volume snapshot in the NetApp storage system + via the Ransomware Resilience Service API. + fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false @@ -360,14 +447,40 @@ Take Snapshot: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Volume Offline: ai_description: >- ### General Description - The **Volume Offline** action is designed to programmatically take a specific - storage volume offline within the NetApp Ransomware Resilience Service (RRS). - This is a remediation action typically used to isolate potentially compromised - storage volumes to prevent the spread of ransomware or further data exfiltration. + The **Volume Offline** action is designed to programmatically take a storage volume + offline within the NetApp Ransomware Resilience Service (RRS). This action serves + as a critical response capability, allowing security teams to quickly isolate + storage resources that may be compromised or under threat during a ransomware + attack, thereby preventing further data encryption or exfiltration. ### Parameters Description @@ -376,39 +489,40 @@ Volume Offline: | :--- | :--- | :--- | :--- | - | **Volume ID** | String | Yes | The unique identifier of the storage volume to - be taken offline. | + | **Volume ID** | String | Yes | The unique identifier of the storage volume that + needs to be taken offline. | - | **Agent ID** | String | Yes | The Console Agent ID associated with the NetApp - environment. | + | **Agent ID** | String | Yes | The identifier for the BlueXP Console Agent associated + with the storage system. | - | **System ID** | String | Yes | The identifier of the storage system where the - volume is located. | + | **System ID** | String | Yes | The identifier for the specific storage system + where the volume resides. | ### Flow Description - 1. **Authentication**: The action initializes the `ApiManager`, which manages - OAuth2 token generation and encrypted storage for communication with the NetApp - BlueXP API. + 1. **Parameter Extraction**: The action retrieves the `Volume ID`, `Agent ID`, + and `System ID` from the action parameters. - 2. **Input Retrieval**: The action extracts the `Volume ID`, `Agent ID`, and `System - ID` from the action parameters. + 2. **API Initialization**: It initializes the `ApiManager`, which handles OAuth2 + authentication and session management with the NetApp BlueXP platform. - 3. **External Request**: It performs a POST request to the NetApp RRS endpoint - (`storage/take-volume-offline`) using the extracted identifiers. + 3. **API Request**: A POST request is sent to the NetApp RRS endpoint (`storage/take-volume-offline`) + containing the volume, agent, and system identifiers in the JSON payload. - 4. **Outcome Handling**: If the request is successful, the action returns a success - message and the raw JSON response. If the API returns an error or a connection - issue occurs, it catches the exception, logs the error, and marks the action as - failed. + 4. **Result Processing**: The action captures the API response, which includes + the status of the operation, and returns it as a JSON result to the Google SecOps + platform. It then reports a success or failure message based on the API's response. ### Additional Notes - This action does not automatically process entities from the Google SecOps case. - It relies entirely on the provided parameter inputs, which must be mapped from - alert data or previous playbook steps. + - This action performs a state-changing operation on external storage infrastructure. + It should be used with caution as taking a volume offline will disrupt access + to the data stored on it. + + - Ensure that the provided IDs are accurate to avoid impacting the wrong storage + resources. capabilities: can_create_case_comments: false can_create_insight: false @@ -417,9 +531,9 @@ Volume Offline: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - This action changes the operational state of a storage volume in the NetApp - environment by taking it offline. - fetches_data: false + Takes a storage volume offline in the NetApp environment, which is a state-changing + operation on the storage infrastructure. + fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false @@ -438,3 +552,28 @@ Volume Offline: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/partner/netappransomwareresilience/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/netappransomwareresilience/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..f762df419 --- /dev/null +++ b/content/response_integrations/third_party/partner/netappransomwareresilience/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: true + cloud_security: true + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + siem: false + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/netenrich_connect/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/netenrich_connect/resources/ai/actions_ai_description.yaml index de8f0752f..103493d90 100644 --- a/content/response_integrations/third_party/partner/netenrich_connect/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/netenrich_connect/resources/ai/actions_ai_description.yaml @@ -2,55 +2,57 @@ Ping: ai_description: >- ### General Description - This action is designed to verify the connectivity between Google SecOps and the - Netenrich Resolution Intelligence Cloud. It serves as a diagnostic tool to ensure - that the integration is correctly configured and that the external API endpoint - is reachable using the provided credentials. + The **Ping** action is a connectivity test designed to verify the communication + between Google SecOps and the **Resolution Intelligence Cloud**. It ensures that + the integration is correctly configured and that the external API endpoint is + reachable using the provided credentials. ### Parameters Description - | Parameter Name | Type | Mandatory | Description | + This action does not have any action-specific parameters. It relies on the following + integration configuration parameters: + + + | Parameter | Expected Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | RI Inbound Webhook URL | String | Yes | (Configuration Parameter) The base URL - for the Netenrich inbound webhook. It must include a `{token}` placeholder which - is dynamically replaced during execution. | + | RI Inbound Webhook URL | String | Yes | The target URL for the inbound webhook. + It must contain a `{token}` placeholder. | - | Token | String | Yes | (Configuration Parameter) The authentication token required - to authorize the request to the Netenrich service. | + | Token | String | Yes | The API token used for authentication, which replaces + the placeholder in the URL. | - | Verify SSL | Boolean | No | (Configuration Parameter) Determines whether the - action should verify the SSL certificate of the target server. Defaults to `True`. - | + | Verify SSL | Boolean | No | Determines whether to validate the SSL certificate + of the target server. Defaults to `True`. | ### Additional Notes - * This action does not take any input parameters directly; it relies entirely - on the integration's configuration settings. + - The action considers HTTP status codes `200` (OK) and `400` (Bad Request) as + successful indicators of reachability. - * A successful connection is identified if the external service returns an HTTP - status code of 200 or 400. + - If the `RI Inbound Webhook URL` is missing from the configuration, the action + will fail immediately. ### Flow Description - 1. **Configuration Retrieval:** The action fetches the `RI Inbound Webhook URL`, - `Token`, and `Verify SSL` settings from the integration configuration. + 1. **Configuration Retrieval:** The action extracts the Webhook URL, Token, and + SSL verification settings from the integration configuration. - 2. **URL Construction:** It replaces the `{token}` placeholder in the webhook - URL with the actual authentication token. + 2. **URL Construction:** It replaces the `{token}` placeholder in the Webhook + URL with the actual Token value. - 3. **Connectivity Test:** It performs an HTTP POST request with an empty JSON - body to the constructed URL. + 3. **Connectivity Check:** It sends an empty HTTP POST request to the constructed + URL. - 4. **Response Validation:** The action evaluates the HTTP response status code. - If the code is 200 or 400, the connection is considered successful. + 4. **Response Validation:** It evaluates the HTTP response status code. If the + code is 200 or 400, the connection is deemed successful. - 5. **Result Reporting:** It outputs a success message if reachable, or a failure - message with the specific error or status code if the connection fails. + 5. **Result Reporting:** The action concludes with a success message if reachable, + or logs the error/status code and fails if unreachable. capabilities: can_create_case_comments: false can_create_insight: false @@ -78,3 +80,28 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/partner/netenrich_connect/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/netenrich_connect/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..a18433ba6 --- /dev/null +++ b/content/response_integrations/third_party/partner/netenrich_connect/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: true + edr: false + email_security: false + iam_and_identity_management: false + itsm: true + network_security: false + siem: true + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/netenrich_connect/resources/ai/jobs_ai_description.yaml b/content/response_integrations/third_party/partner/netenrich_connect/resources/ai/jobs_ai_description.yaml new file mode 100644 index 000000000..fb0ff4cf0 --- /dev/null +++ b/content/response_integrations/third_party/partner/netenrich_connect/resources/ai/jobs_ai_description.yaml @@ -0,0 +1,59 @@ +Sync ActOn Updates To Case: + ai_description: "### General Description\nThis job synchronizes Netenrich Resolution\ + \ Intelligence (RI) ActOn\u2122 data with Google SecOps cases. It ensures that\ + \ case metadata, entities, comments, and attachments are kept in sync between\ + \ the two platforms. The job handles case creation, updates to core fields (title,\ + \ description, priority, stage, and status), and manages case assignments by mapping\ + \ external SOC roles to internal roles. Additionally, it stores specialized ActOn\ + \ telemetry, such as scoring evidence and alert counts, within a dedicated custom\ + \ entity for detailed investigation context.\n\n### Parameters Description\n|\ + \ Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ + | CREATE | String (JSON) | No | A JSON payload used to initialize and create a\ + \ new case based on ActOn data. |\n| UPDATE | String (JSON) | No | A JSON payload\ + \ containing updates for an existing case's metadata and entities. |\n| COMMENT\ + \ | String (JSON) | No | A JSON payload specifically for synchronizing comments\ + \ and base64-encoded attachments. |\n\n### Flow Description\n1. **Payload Extraction**:\ + \ The job identifies the operation type by checking for `CREATE`, `UPDATE`, or\ + \ `COMMENT` data in the job parameters.\n2. **Case Identification**: It retrieves\ + \ the existing case or creates a new one in Google SecOps using the external ticket\ + \ identifier.\n3. **Metadata Synchronization**: Updates the case title, description,\ + \ priority, and stage to match the current state of the ActOn.\n4. **Assignee\ + \ Management**: Maps the external SOC role to a corresponding internal role and\ + \ updates the case assignee.\n5. **Comment and Attachment Processing**: Adds comments\ + \ to the case wall and decodes base64-encoded file content to upload as case attachments.\n\ + 6. **Telemetry Storage**: Extracts scoring evidence, risk scores, and alert metadata,\ + \ storing them in a specialized custom entity (`RI_CUSTOM_ENTITY`) within the\ + \ case.\n7. **Entity Delta Sync**: Compares entities in the ActOn with those in\ + \ the SecOps case and adds any missing assets or indicators.\n8. **Status and\ + \ Webhook Notification**: Updates the case status (e.g., closing the case if resolved)\ + \ and sends a confirmation back to the Resolution Intelligence inbound webhook." +Sync Case Updates To ActOn: + ai_description: "### General Description\nThis job synchronizes case updates from\ + \ Google SecOps to Netenrich's Resolution Intelligence Cloud (RIC) ActOns\u2122\ + . It ensures that manual activities, such as comments, attachments, status changes,\ + \ and assignee updates made within the SOAR, are reflected in the corresponding\ + \ RIC ActOn. The job runs on a scheduled interval (typically every 1 minute) to\ + \ maintain near real-time consistency between the two platforms.\n\n### Parameters\ + \ Description\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- |\ + \ :--- | :--- |\n| RI Inbound Webhook URL | String | Yes | The URL for the Resolution\ + \ Intelligence Cloud inbound ingest webhook. |\n| Token | String | Yes | The authentication\ + \ token used to authorize requests to the RIC webhook. |\n| Environment | String\ + \ | Yes | The SOAR environment name used to filter which cases should be synchronized.\ + \ |\n\n### Flow Description\n1. **Retrieve Sync State**: Fetches the `last_sync_time`\ + \ from the job's scoped context to determine the starting point for the current\ + \ run.\n2. **Identify Updated Cases**: Queries the SOAR for all cases (regardless\ + \ of status) that have been modified since the last synchronization.\n3. **Filter\ + \ by Environment**: Iterates through the identified cases and excludes any that\ + \ do not match the configured `Environment` parameter.\n4. **Fetch Wall Activities**:\ + \ For each relevant case, retrieves the wall activities (comments, logs, etc.)\ + \ and filters for manual updates created by users (ignoring automated system updates).\n\ + 5. **Process Attachments**: If an activity includes an attachment, the job retrieves\ + \ the file content and encodes it into a base64 string for transmission.\n6. **Enrich\ + \ Case Data**: Retrieves additional metadata required for the sync, including\ + \ SOC roles for assignees and specific Case Stage IDs from the SOAR API.\n7. **Map\ + \ RIC Metadata**: Identifies the corresponding RIC ActOn ID by searching for a\ + \ specific custom entity (`RI_CUSTOM_ENTITY_FOR_CASE_{case_id}`) associated with\ + \ the case.\n8. **Transmit Updates**: Constructs a JSON payload containing the\ + \ updated posts, status, priority, and tags, then sends it to the configured RIC\ + \ Inbound Webhook.\n9. **Update Sync State**: Saves the current timestamp as the\ + \ new `last_sync_time` for the next execution cycle." diff --git a/content/response_integrations/third_party/partner/orca_security/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/orca_security/resources/ai/actions_ai_description.yaml index c851bd4b7..2d1652156 100644 --- a/content/response_integrations/third_party/partner/orca_security/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/orca_security/resources/ai/actions_ai_description.yaml @@ -1,11 +1,23 @@ Add Comment To Alert: ai_description: >- - ### General Description + Adds a comment to a specific alert in Orca Security. This action allows analysts + to append notes or documentation directly to an alert record within the Orca Security + platform, facilitating better tracking and collaboration on security findings. + + + ### Flow Description - This action allows users to add a comment to a specific alert within the Orca - Security platform. It is primarily used for documentation and collaboration purposes, - ensuring that analysts can record findings or notes directly on the source alert - in Orca Security from within Google SecOps. + 1. **Authentication**: The action initializes the Orca Security Manager using + the provided API Root and either an API Key or API Token. + + 2. **Parameter Extraction**: It retrieves the mandatory 'Alert ID' and 'Comment' + text from the action parameters. + + 3. **API Interaction**: The action sends a PUT request to the Orca Security API + endpoint (`/api/alerts/{alert_id}/comment`) containing the comment payload. + + 4. **Result Processing**: Upon success, the action returns the JSON representation + of the created comment and confirms the operation in the output message. ### Parameters Description @@ -17,33 +29,14 @@ Add Comment To Alert: | Alert ID | String | True | The unique identifier of the alert in Orca Security to which the comment will be added. | - | Comment | String | True | The actual text content of the comment to be posted - to the alert. | + | Comment | String | True | The text content of the comment to be appended to + the alert. | ### Additional Notes - - This action requires either an **API Key** or an **API Token** to be configured - in the integration settings for authentication. - - - The action performs an external state change by modifying the alert metadata - in Orca Security. - - - ### Flow Description - - 1. **Authentication**: The action initializes the `OrcaSecurityManager` using - the provided API Root and credentials (API Key or Token). - - 2. **Parameter Extraction**: It retrieves the `Alert ID` and the `Comment` text - from the action's input parameters. - - 3. **API Interaction**: The manager executes a `PUT` request to the Orca Security - endpoint `/api/alerts/{alert_id}/comment` with the comment payload. - - 4. **Result Processing**: The action parses the response into an `AlertComment` - object and attaches the raw JSON result to the action output for use in subsequent - playbook steps. + - This action performs a state change in the external Orca Security system by + adding new data to an existing alert record. capabilities: can_create_case_comments: false can_create_insight: false @@ -52,9 +45,10 @@ Add Comment To Alert: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - The action adds a new comment to an existing alert in the Orca Security platform - via a PUT request to the API. - fetches_data: false + The action performs a PUT request to the Orca Security API to add a new comment + to an existing alert, thereby modifying the alert's metadata in the external + system. + fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false @@ -73,81 +67,84 @@ Add Comment To Alert: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: true + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Asset Details: ai_description: >- - ### General Description + Retrieves detailed information for specific assets from Orca Security. This action + allows users to fetch comprehensive asset metadata and optionally include related + vulnerability information filtered by severity. It is designed to provide deep + visibility into the security posture of cloud assets by pulling data directly + from the Orca Security platform. - The **Get Asset Details** action retrieves comprehensive information for specific - assets within Orca Security using their unique Asset IDs. It provides metadata - such as asset name, type, account, category, and current security state. Additionally, - the action can be configured to fetch associated vulnerabilities (CVEs) for each - asset, filtered by a minimum severity threshold. The retrieved data is presented - as a raw JSON result, a structured data table, and optionally as individual Case - Insights for each asset. - - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Asset IDs** | String | Yes | A comma-separated list of unique Orca Security - asset identifiers to be queried. | - - | **Return Vulnerabilities Information** | Boolean | No | If enabled (True), the - action will also retrieve vulnerability data linked to the specified assets. Default - is True. | - - | **Lowest Severity For Vulnerabilities** | DDL | Yes | The minimum severity level - required for a vulnerability to be included in the results. Options include: Critical, - High, Medium, Low, Unknown. Default is 'Hazardous'. | - - | **Max Vulnerabilities To Fetch** | String | No | The maximum number of vulnerabilities - to return per asset. Must be a positive integer between 1 and 100. Default is - 50. | - - | **Create Insight** | Boolean | No | If enabled (True), the action will generate - a Case Insight in Google SecOps for every successfully enriched asset, including - a direct link to the asset in the Orca UI. Default is True. | - + | Asset IDs | String | Yes | A comma-separated list of unique Orca Security asset + identifiers to retrieve details for. | - ### Additional Notes + | Return Vulnerabilities Information | Boolean | No | If enabled (default), the + action will also fetch vulnerabilities associated with the asset. | - - This action does not process entities from the current case scope; it relies - entirely on the provided **Asset IDs** parameter. + | Lowest Severity For Vulnerabilities | DDL | Yes | The minimum severity level + (Critical, High, Medium, Low, Unknown) to include when fetching vulnerabilities. + | - - The **Max Vulnerabilities To Fetch** parameter is capped at 100 to ensure performance - and API stability. + | Max Vulnerabilities To Fetch | String | No | The maximum number of vulnerabilities + to return per asset (Default: 50, Max: 100). | - - Authentication requires either an **API Key** or an **API Token** to be configured - in the integration settings. + | Create Insight | Boolean | No | If enabled (default), creates a Google SecOps + case insight for each enriched asset. | ### Flow Description - 1. **Parameter Validation**: The action extracts and validates input parameters, - ensuring the vulnerability limit is within the allowed range (1-100). + 1. **Parameter Validation:** The action validates that the 'Max Vulnerabilities + To Fetch' is a positive integer and does not exceed the system limit of 100. - 2. **Manager Initialization**: Initializes the `OrcaSecurityManager` using the - provided API credentials and connection settings. + 2. **Authentication:** Initializes the Orca Security Manager using the provided + API/API Token and connection settings. - 3. **Asset Retrieval**: Iterates through the list of provided Asset IDs and performs - a query to the Orca Security API to fetch asset metadata. + 3. **Asset Retrieval:** Iterates through the provided list of Asset IDs, making + a request to Orca Security to fetch the core asset metadata. - 4. **Vulnerability Enrichment (Optional)**: If enabled, it performs a secondary - query for each asset to retrieve vulnerabilities that meet the specified severity - criteria. + 4. **Vulnerability Enrichment:** If requested, it performs a secondary lookup + for each asset to retrieve vulnerabilities that meet the specified severity threshold. - 5. **Data Formatting**: Aggregates the asset and vulnerability data into JSON - and CSV formats for output. + 5. **Output Generation:** For each successful retrieval, it compiles the data + into a JSON result, constructs a CSV data table for the case wall, and generates + a detailed case insight containing a direct link to the asset in the Orca Security + UI. - 6. **Insight Generation (Optional)**: If enabled, creates a Case Insight for each - asset, providing a summary of its security posture and a link to the Orca Security - console. - - 7. **Final Output**: Adds the aggregated JSON results and a summary data table - to the action's output and completes the execution. + 6. **Error Handling:** Tracks successful and failed asset lookups, providing a + summary message at the end of execution. capabilities: can_create_case_comments: false can_create_insight: true @@ -158,10 +155,10 @@ Get Asset Details: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action creates case insights and adds a data table to the Google SecOps - case to display retrieved asset information. + The action creates case insights and adds data tables to the case in Google + SecOps to display asset and vulnerability details. categories: - enrichment: false + enrichment: true entity_usage: entity_types: [] filters_by_additional_properties: false @@ -177,14 +174,40 @@ Get Asset Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Compliance Info: ai_description: >- ### General Description - The **Get Compliance Info** action retrieves detailed compliance framework information - from Orca Security. It allows security analysts to monitor the compliance posture - of their cloud environment by fetching data such as average scores, test results - (pass/fail counts), and the active status of specific or all selected frameworks. + Retrieves compliance framework information from Orca Security. This action allows + security analysts to monitor the compliance posture of their cloud environment + by fetching details about various frameworks (e.g., CIS, SOC2, NIST). It provides + a summary of compliance scores, as well as the number of passed and failed tests + for each framework. ### Parameters Description @@ -193,39 +216,44 @@ Get Compliance Info: | :--- | :--- | :--- | :--- | - | **Framework Names** | String | No | A comma-separated list of framework names - (e.g., 'CIS AWS Foundations', 'SOC2') to retrieve. If left empty, the action returns - information for all selected frameworks in the Orca Security account. | + | Framework Names | String | No | A comma-separated list of framework names to + retrieve. If left empty, the action returns information about all selected frameworks + in Orca Security. | - | **Create Insight** | Boolean | Yes | If enabled (default: true), the action - creates a Case Insight in Google SecOps containing a formatted summary of the - compliance data. | + | Create Insight | Boolean | Yes | If set to true, the action generates a detailed + insight on the case wall containing the compliance summary. | - | **Max Frameworks To Return** | Integer | No | Specifies the maximum number of - frameworks to include in the results. Default is 50. | + | Max Frameworks To Return | Integer | No | Specifies the maximum number of frameworks + to return in the results. Default is 50. | + + + ### Additional Notes + + - The action will attempt to find frameworks matching the provided names. If some + frameworks are not found, they will be listed in the output message. + + - If none of the provided frameworks are found, the action will fail. + + - Although 'Max Frameworks To Return' is defined as a string in the configuration, + the logic treats it as an integer. ### Flow Description - 1. **Initialization:** The action extracts API credentials from the integration - configuration and user-provided parameters (Framework Names, Insight toggle, and - Limit). + 1. **Initialization**: Extracts API credentials (API Root, Key/Token) and action + parameters. - 2. **API Query:** The action connects to the Orca Security API and sends a POST - request to the `/api/serving-layer/compliance/frameworks/overview` endpoint. If - specific framework names were provided, it iterates through them to fetch targeted - data. + 2. **API Request**: Calls the Orca Security `/api/serving-layer/compliance/frameworks/overview` + endpoint to fetch framework data. - 3. **Data Parsing:** The raw JSON response is parsed into framework objects, extracting - key metrics like `avg_score_percent`, `test_results_fail`, and `test_results_pass`. + 3. **Filtering**: If specific framework names were provided, the action filters + the results to match those names. - 4. **Insight Creation:** If the 'Create Insight' parameter is true, the action - generates an HTML-formatted insight with color-coded scores and attaches it to - the case. + 4. **Insight Creation**: If 'Create Insight' is enabled, it formats the framework + scores and test results into an HTML-based case insight. - 5. **Result Output:** The action populates a data table named 'Compliance Details' - and adds the raw framework data to the action's JSON results for use in subsequent - playbook steps. + 5. **Result Output**: Populates a data table named 'Compliance Details' and attaches + the raw JSON data to the action result. capabilities: can_create_case_comments: false can_create_insight: true @@ -236,8 +264,8 @@ Get Compliance Info: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action creates a case insight containing compliance information and adds - a data table to the case results. + The action creates a case insight and adds a data table to the case in Google + SecOps. categories: enrichment: false entity_usage: @@ -255,64 +283,63 @@ Get Compliance Info: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Vulnerability Details: - ai_description: >- - ### General Description - - The **Get Vulnerability Details** action retrieves comprehensive information about - specific vulnerabilities (CVEs) from Orca Security. It allows security analysts - to enrich a case with details such as vulnerability summaries, severity levels, - affected assets, and remediation availability. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **CVE IDs** | String | Yes | A comma-separated list of CVE identifiers (e.g., - CVE-2021-44228) to be queried. | - - | **Fields To Return** | String | No | A comma-separated list of specific fields - to include in the output. If left empty, all available fields are returned. | - - | **Output** | DDL | No | Determines the output format. Options are `JSON` (default) - or `CSV`. If `CSV` is selected, a file is created and the path is returned. | - - | **Create Insight** | Boolean | No | If enabled (default), the action creates - a detailed case insight for each successfully retrieved CVE. | - - | **Max Assets To Return** | String | No | The maximum number of assets associated - with the CVE to retrieve. Default is 50, maximum is 10,000. | - - - ### Flow Description - - 1. **Initialization**: The action parses the input CVE IDs and validates the `Max - Assets To Return` parameter. - - 2. **API Interaction**: For each CVE ID provided, the action queries the Orca - Security API using a paginated search to retrieve vulnerability and asset data. - - 3. **Data Processing**: The retrieved data is filtered based on the `Fields To - Return` parameter and formatted for output. - - 4. **Insight Generation**: If `Create Insight` is true, the action generates a - formatted HTML insight for the case, highlighting severity, description, and affected - assets. - - 5. **Final Output**: The results are attached to the case as a JSON object or - a CSV file, and a "Vulnerability Details" data table is added to the case wall. - - - ### Additional Notes - - - This action does not operate on existing entities in the case; it relies entirely - on the CVE IDs provided in the input parameter. - - - The `Fields To Return` parameter supports flattened JSON keys (e.g., `object_id` - for `{"object": {"id": 123}}`). + ai_description: "Retrieves detailed vulnerability information from Orca Security\ + \ for a specified list of CVE IDs. This action fetches data regarding the vulnerability's\ + \ description, severity, fix availability, and associated affected assets. It\ + \ allows users to filter the returned JSON fields and choose between JSON or CSV\ + \ output formats. Additionally, the action can generate case insights for each\ + \ enriched vulnerability and populates a data table with the findings.\n\n###\ + \ Parameters Description\n\n| Parameter | Type | Mandatory | Description |\n|\ + \ :--- | :--- | :--- | :--- |\n| CVE IDs | String | Yes | A comma-separated list\ + \ of CVE identifiers (e.g., CVE-2021-44228) to be enriched. |\n| Fields To Return\ + \ | String | No | A comma-separated list of specific fields to include in the\ + \ output. If left empty, all available fields are returned. |\n| Output | DDL\ + \ | No | The format of the action output. Options are 'JSON' (default) or 'CSV'.\ + \ If 'CSV' is selected, a file is created and the path is returned. |\n| Create\ + \ Insight | Boolean | No | If enabled (default), the action creates a detailed\ + \ case insight for every successfully enriched vulnerability. |\n| Max Assets\ + \ To Return | String | No | The maximum number of assets related to the CVE to\ + \ retrieve. Default is 50, with a maximum limit of 10,000. |\n\n### Flow Description\n\ + \n1. **Parameter Validation**: The action validates the `Max Assets To Return`\ + \ parameter to ensure it is a positive integer within the allowed limit (10,000).\n\ + 2. **Authentication**: Initializes the Orca Security Manager using the provided\ + \ API credentials (API Key or Token).\n3. **Data Retrieval**: Iterates through\ + \ the provided list of CVE IDs and performs a paginated query to the Orca Security\ + \ API to fetch vulnerability details and related asset information.\n4. **Data\ + \ Processing**: Filters the results based on the `Fields To Return` parameter\ + \ and prepares the data for the requested output format (JSON or CSV).\n5. **Internal\ + \ Mutation**: \n * If `Create Insight` is true, it generates a formatted HTML\ + \ insight for the case containing the vulnerability's severity, description, and\ + \ affected assets.\n * Adds a data table named 'Vulnerability Details' to the\ + \ case containing a summary of the enriched CVEs.\n6. **Final Output**: Returns\ + \ the processed data as a JSON result or a file path to a CSV, along with a success/failure\ + \ message for each CVE." capabilities: can_create_case_comments: false can_create_insight: true @@ -323,7 +350,8 @@ Get Vulnerability Details: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Creates case insights and adds a 'Vulnerability Details' data table to the case. + The action creates case insights and adds a data table to the case containing + vulnerability details. categories: enrichment: false entity_usage: @@ -341,57 +369,59 @@ Get Vulnerability Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: - ai_description: >- - ### General Description - - The **Ping** action is used to verify the connectivity between Google SecOps and - the Orca Security instance. It ensures that the provided configuration parameters, - such as the API Root and authentication credentials (API Key or API Token), are - correct and that the service is reachable. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | API Root | String | Yes | The base URL of the Orca Security API. | - - | API Key | String | No | The API key for authentication. Required if API Token - is not provided. | - - | API Token | String | No | The API token for authentication. This is the preferred - authentication method. | - - | Verify SSL | Boolean | No | If enabled, the action will verify the SSL certificate - of the API. | - - - ### Additional Notes - - - Either the **API Key** or the **API Token** must be provided for the action - to authenticate successfully. - - - This action does not process any entities and is strictly used for configuration - validation. - - - ### Flow Description - - 1. **Parameter Extraction:** The action retrieves the API Root, API Key, API Token, - and SSL verification settings from the integration configuration. - - 2. **Manager Initialization:** An instance of the `OrcaSecurityManager` is created - using the extracted credentials. - - 3. **Connectivity Test:** The action calls the `test_connectivity` method, which - sends a POST request to the Orca Security vulnerability details endpoint with - a result limit of 1 to verify the API's responsiveness. - - 4. **Result Reporting:** Based on the success or failure of the API call, the - action returns a completion or failure status along with a descriptive message. + ai_description: "### General Description\nThe **Ping** action is a diagnostic tool\ + \ designed to verify the connectivity between Google SecOps and the Orca Security\ + \ platform. It ensures that the provided configuration parameters\u2014such as\ + \ the API Root, API Key or Token, and SSL settings\u2014are correct and that the\ + \ SecOps environment can successfully communicate with the Orca Security API.\n\ + \n### Parameters Description\nThis action does not require any action-specific\ + \ parameters. It relies entirely on the global integration configuration provided\ + \ on the Marketplace tab:\n\n| Parameter | Type | Mandatory | Description |\n\ + | :--- | :--- | :--- | :--- |\n| **API Root** | String | Yes | The base URL of\ + \ the Orca Security API instance. |\n| **API Key** | String | No | The security\ + \ token used for cookie-based authentication (if Token is not provided). |\n|\ + \ **API Token** | String | No | The preferred authentication method using a Bearer-style\ + \ token. |\n| **Verify SSL** | Boolean | No | If enabled, the action will validate\ + \ the SSL certificate of the API endpoint. |\n\n### Additional Notes\n- Either\ + \ the **API Key** or the **API Token** must be configured in the integration settings\ + \ for the action to succeed.\n- This action is typically used during the initial\ + \ setup or for troubleshooting connection issues.\n\n### Flow Description\n1.\ + \ **Initialization**: The action retrieves the global configuration parameters\ + \ (API Root, Key/Token, and SSL settings) from the integration environment.\n\ + 2. **Manager Setup**: It initializes the `OrcaSecurityManager` which handles authentication\ + \ (either via cookies for API Keys or headers for API Tokens).\n3. **Connectivity\ + \ Test**: The manager executes a lightweight query (requesting a single vulnerability\ + \ record) to the Orca Security `serving-layer/query` endpoint.\n4. **Validation**:\ + \ The action validates the API response. If the request is successful, it confirms\ + \ connectivity; otherwise, it catches the exception and reports the failure details.\n\ + 5. **Completion**: The action ends with a success or failure status and a descriptive\ + \ message for the analyst." capabilities: can_create_case_comments: false can_create_insight: false @@ -400,7 +430,7 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: false + fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false @@ -419,57 +449,81 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Scan Assets: ai_description: >- ### General Description - The **Scan Assets** action initiates and monitors security scans for specific - assets within the Orca Security platform. This action is designed to run asynchronously, - meaning it triggers the scans and then periodically polls the Orca Security API - to check for completion. It is useful for ensuring that assets are scanned for - vulnerabilities or compliance issues as part of an automated response workflow. + Initiates and monitors security scans for specific assets within the Orca Security + platform. This action is designed to trigger an on-demand assessment of cloud + assets and retrieve the resulting security telemetry. It operates asynchronously + to accommodate the time required for cloud security scans to complete. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Parameter Extraction**: The action retrieves the 'Asset IDs' provided by + the user and converts the comma-separated string into a list. - | :--- | :--- | :--- | :--- | + 2. **Scan Initiation**: For each Asset ID, the action calls the Orca Security + API to start a scan. If a scan is already running for a particular asset, the + action captures the existing scan's identifier to monitor it. - | Asset IDs | String | Yes | A comma-separated list of unique Orca Security asset - identifiers that you want to scan. | + 3. **Asynchronous Monitoring**: The action enters an asynchronous loop. It periodically + polls the Orca Security API to check the status of each pending scan using the + scan IDs. + 4. **Timeout Management**: The script monitors its own execution time and the + global action timeout. If a timeout is approaching, it gracefully exits and reports + the pending assets. - ### Flow Description + 5. **Result Aggregation**: Once scans reach a 'done' status, the action retrieves + the raw scan data. Successful results are added to the action's JSON output, and + a summary message is generated detailing which scans succeeded or failed. - 1. **Initialization**: The action extracts the comma-separated list of Asset IDs - from the input parameters and initializes the Orca Security manager. - 2. **Scan Initiation (First Run)**: For each provided Asset ID, the action sends - a POST request to the Orca Security API to start a new scan. If a scan is already - in progress for an asset, the action captures the existing scan's ID. + ### Parameters Description - 3. **Asynchronous Polling**: The action enters an 'In Progress' state, storing - the scan identifiers. In subsequent execution cycles, it polls the status of each - pending scan. + | Parameter | Type | Mandatory | Description | - 4. **Timeout Monitoring**: During polling, the script checks if it is approaching - the global SOAR timeout or the Python process timeout to ensure a graceful exit - and state preservation. + | :--- | :--- | :--- | :--- | - 5. **Data Retrieval and Completion**: Once all scans reach a 'done' status, the - action retrieves the raw scan data, attaches it to the action's JSON results, - and provides a summary of successful and failed scans. + | Asset IDs | string | Yes | A comma-separated list of unique identifiers for + the assets in Orca Security that you wish to scan. | ### Additional Notes - - This action is **asynchronous**. Users should ensure the script timeout value - in the Google SecOps IDE is adjusted to accommodate the time required for Orca - Security to complete asset scans. + * **Async Mode**: This action is marked as asynchronous. Users should ensure the + script timeout value in the Google SecOps IDE is sufficiently high to allow the + external scanning process to finish. - - The action handles cases where a scan is already running by tracking the existing - process instead of failing. + * **State Persistence**: The action uses the `additional_data` parameter internally + to track the state of pending scans across multiple asynchronous execution cycles. capabilities: can_create_case_comments: false can_create_insight: false @@ -478,8 +532,8 @@ Scan Assets: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Initiates new security scan processes for the specified assets within the Orca - Security environment via POST requests. + Initiates a new security scan process within the Orca Security platform for + the specified asset identifiers. fetches_data: true internal_data_mutation_explanation: null categories: @@ -499,73 +553,90 @@ Scan Assets: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Update Alert: ai_description: >- - Updates the state of a specific alert in Orca Security. This action allows users - to modify an alert's status, initiate a verification process, or manage its snooze - state (snooze/unsnooze). It interacts with the Orca Security API via PUT requests - to apply changes and then retrieves the updated alert details to provide a final - status report. + Updates the state of an alert in Orca Security. This action allows for modifying + the alert's status, managing its snooze state, or initiating a verification process. + It requires a specific Alert ID and at least one modification parameter to be + configured. After performing the requested updates, the action retrieves and returns + the updated alert details from Orca Security. - ### Parameters Description - - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | + ### Flow Description - | **Alert ID** | String | Yes | The unique identifier of the alert in Orca Security - that needs to be updated. | + 1. **Parameter Validation**: Checks that at least one update operation (Status, + Verify Alert, or Snooze State) is requested. If 'Snooze' is selected, it ensures + 'Snooze Days' is provided. - | **Verify Alert** | Boolean | No | If set to `True`, the action will initiate - the verification process for the specified alert. | + 2. **Verification**: If 'Verify Alert' is enabled, it triggers the verification + process for the specified alert. - | **Snooze State** | DDL | No | Determines the snooze status. Options include - `Select One`, `Snooze`, or `Unsnooze`. | + 3. **Snooze Management**: If 'Snooze State' is set to 'Snooze', it snoozes the + alert for the defined number of days. If set to 'Unsnooze', it prepares to reset + the status. - | **Snooze Days** | String | No | The number of days to snooze the alert. This - is required if **Snooze State** is set to `Snooze`. Defaults to 1 if not provided. - | + 4. **Status Update**: Updates the alert status to the specified value (Open, In + Progress, Close, or Dismiss). If 'Unsnooze' was selected without a specific status, + it defaults to 'Open'. - | **Status** | DDL | No | The new status to assign to the alert. Options include - `Open`, `In Progress`, `Close`, or `Dismiss`. | + 5. **Data Retrieval**: Fetches the final state of the alert from Orca Security + to confirm changes and provide the updated data as a JSON result. - ### Additional Notes - - * **Validation Requirement:** At least one of the following parameters must be - configured for the action to execute: `Status`, `Verify Alert`, or `Snooze State`. + ### Parameters Description - * **Unsnooze Logic:** If `Snooze State` is set to `Unsnooze` and no specific `Status` - is provided, the action automatically sets the alert status to `Open`. + | Parameter | Type | Mandatory | Description | - * **Duplicate Handling:** If the alert already possesses the requested status, - the action will complete successfully while noting that no change was necessary. + | :--- | :--- | :--- | :--- | + | Alert ID | String | Yes | The unique identifier of the alert to be updated. + | - ### Flow Description + | Verify Alert | Boolean | No | If enabled, initiates the verification process + for the alert. | - 1. **Initialization:** Extracts configuration (API Root, Key/Token) and action - parameters. + | Snooze State | DDL | No | Sets the snooze state. Options: 'Snooze' or 'Unsnooze'. + | - 2. **Validation:** Ensures that at least one update operation (Status, Verify, - or Snooze) is requested and validates `Snooze Days` if applicable. + | Snooze Days | String | No | Number of days to snooze the alert. Mandatory if + 'Snooze State' is 'Snooze'. Defaults to 1 if not provided. | - 3. **Verification:** If `Verify Alert` is enabled, sends a request to the Orca - Security verification endpoint. + | Status | DDL | No | The new status to assign to the alert. Options: 'Open', + 'In Progress', 'Close', 'Dismiss'. | - 4. **Snooze Management:** If `Snooze State` is `Snooze`, sends a request to the - snooze endpoint with the specified duration. - 5. **Status Update:** Updates the alert status if a new status is provided or - if the alert is being unsnoozed. + ### Additional Notes - 6. **Data Retrieval:** Fetches the latest alert data from Orca Security to confirm - the current state. + * At least one of the following parameters must be provided for the action to + execute: 'Status', 'Verify Alert', or 'Snooze State'. - 7. **Output:** Returns the updated alert details as a JSON result and provides - a summary message of the operations performed. + * If 'Snooze State' is set to 'Unsnooze' and no 'Status' is provided, the action + automatically sets the alert status to 'Open'. capabilities: can_create_case_comments: false can_create_insight: false @@ -574,8 +645,8 @@ Update Alert: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - This action modifies the state of alerts within the Orca Security platform by - updating their status, verification status, or snooze settings via API PUT requests. + Updates the status, snooze state, and verification status of alerts in the Orca + Security platform using PUT requests. fetches_data: true internal_data_mutation_explanation: null categories: @@ -595,3 +666,28 @@ Update Alert: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: true + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/partner/orca_security/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/partner/orca_security/resources/ai/connectors_ai_description.yaml new file mode 100644 index 000000000..bff807b0b --- /dev/null +++ b/content/response_integrations/third_party/partner/orca_security/resources/ai/connectors_ai_description.yaml @@ -0,0 +1,91 @@ +Orca Security - Alerts Connector: + ai_description: >- + ### General Description + + + The Orca Security Alerts Connector fetches security findings and risks from the + Orca Security platform and ingests them into Google SecOps as cases. It provides + a continuous stream of cloud security alerts, including vulnerabilities, misconfigurations, + and compromised assets, allowing security teams to centralize their cloud security + posture monitoring. The connector supports granular filtering by severity, category, + and Orca's proprietary risk score to ensure only relevant alerts are processed. + + + ### Parameters Description + + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | API Root | String | Yes | The base URL of your Orca Security instance (e.g., + https://.orcasecurity.io). | + + | API Key | Password | No | API Key for authentication. Used if API Token is not + provided. | + + | API Token | Password | No | API Token for authentication. This is the preferred + method and takes precedence over the API Key. | + + | DeviceProductField | String | Yes | The source field name used to populate the + Product Name in the SOAR case. Default is 'Product Name'. | + + | EventClassId | String | Yes | The source field name used to retrieve the Event + Field name. Default is 'data_RiskFindings_value_type'. | + + | Lowest Severity To Fetch | String | No | The minimum severity level to ingest. + Options: Compromised, Imminent compromise, Hazardous, Informational. | + + | Lowest Orca Score To Fetch | String | No | The minimum Orca Risk Score (1-10) + required for an alert to be ingested. | + + | Category Filter | String | No | A comma-separated list of Orca categories (e.g., + Vulnerability, Malware) to include. | + + | Alert Type Filter | String | No | A comma-separated list of specific Orca alert + types to ingest. | + + | Max Hours Backwards | Integer | No | The lookback window for the first run or + if the last run timestamp is missing. Default is 1 hour. | + + | Max Alerts To Fetch | Integer | No | Maximum number of alerts to process per + iteration. Default is 100. | + + | Use dynamic list as a blacklist | Boolean | Yes | If enabled, the connector + uses the SOAR environment's dynamic list (whitelist) as a blacklist for alert + titles. | + + | Verify SSL | Boolean | Yes | If enabled, validates the SSL certificate of the + Orca Security API endpoint. | + + | PythonProcessTimeout | Integer | Yes | The maximum execution time allowed for + the connector script in seconds. | + + + ### Flow Description + + + 1. **Authentication**: The connector establishes a session with the Orca Security + API using the provided API Token (Header-based) or API Key (Cookie-based). + + 2. **Timeframe Calculation**: It determines the starting point for data retrieval + by checking the timestamp of the last successful execution. If no timestamp exists, + it uses the 'Max Hours Backwards' parameter. + + 3. **Query Construction**: A query is built for the Orca 'Serving Layer' API, + incorporating filters for severity, categories, alert types, and the Orca Risk + Score. + + 4. **Data Retrieval**: The connector fetches a batch of alerts (up to the 'Max + Alerts To Fetch' limit) matching the criteria. + + 5. **Deduplication**: It compares retrieved alert IDs against a local cache of + previously processed IDs to prevent duplicate case creation. + + 6. **Mapping and Ingestion**: Each unique alert is mapped to the Google SecOps + AlertInfo model. The raw alert data is attached as an event, and the alert is + ingested as a case. + + 7. **State Persistence**: Upon successful processing, the connector updates the + last run timestamp and the list of processed alert IDs to ensure continuity in + the next cycle. diff --git a/content/response_integrations/third_party/partner/orca_security/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/orca_security/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..15ef5e595 --- /dev/null +++ b/content/response_integrations/third_party/partner/orca_security/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: true + cloud_security: true + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + siem: false + threat_intelligence: false + vulnerability_management: true diff --git a/content/response_integrations/third_party/partner/recorded_future_intelligence/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/recorded_future_intelligence/resources/ai/actions_ai_description.yaml index 6afc8d1b4..68fb15930 100644 --- a/content/response_integrations/third_party/partner/recorded_future_intelligence/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/recorded_future_intelligence/resources/ai/actions_ai_description.yaml @@ -1,46 +1,56 @@ Add Analyst Note: ai_description: >- - ### General Description - Adds an analyst note to the Recorded Future platform. This action allows users - to document findings or context within Recorded Future, automatically associating - the note with the entities currently present in the Google SecOps case scope by - appending their identifiers to the note text. + to publish structured intelligence notes directly from Google SecOps. It automatically + collects the identifiers of all entities currently in the action's scope and appends + them to the note text to provide context within Recorded Future. Users can specify + a title, the main body of the note, and an optional topic to categorize the intelligence + (e.g., Malware/Tool Profile, Actor Profile). - ### Parameters Description + ### Parameters - | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + | Parameter | Type | Mandatory | Default | Description | + + | :--- | :--- | :--- | :--- | :--- | + + | Note Title | string | True | Note Title | The title of the analyst note to be + created in Recorded Future. | + + | Note Text | string | True | Note Text | The main content/body of the note. The + action will automatically append a list of entities from the case to this text. + | - | Note Title | String | Yes | Specifies the title for the analyst note. | + | Topic | ddl | False | None | The category or topic for the note. Options include + 'Actor Profile', 'Malware/Tool Profile', 'YARA Rule', etc. | + + + ### Additional Notes - | Note Text | String | Yes | Specifies the body text for the note. The action - will automatically append a list of all entities collected from the current case - to this text. | + - This action does not modify any data within Google SecOps; it only creates a + new record in the external Recorded Future platform. - | Topic | DDL | No | Specifies the relevant note topic from a predefined list - (e.g., Actor Profile, Malware/Tool Profile, YARA Rule). If not specified, it defaults - to 'None'. | + - The list of entities appended to the note includes all entities passed to the + action, regardless of their type. ### Flow Description - 1. **Parameter Extraction:** The action retrieves the API configuration (URL, - Key, SSL verification) and the user-provided note details (Title, Text, Topic). + 1. **Parameter Extraction:** Retrieves the note title, text, and selected topic + from the action parameters. - 2. **Entity Collection:** It iterates through all entities in the current target - scope and aggregates their identifiers into a single string. + 2. **Entity Collection:** Iterates through all entities in the current scope and + compiles a list of their identifiers. - 3. **Text Preparation:** The aggregated entity list is appended to the user-provided - `Note Text` to ensure the note contains context about the specific case. + 3. **Text Preparation:** Appends the compiled list of entity identifiers to the + user-provided note text for better context. - 4. **External API Call:** The action uses the `RecordedFutureManager` to publish - the note to the Recorded Future platform via the `AnalystNoteMgr`. + 4. **External API Call:** Uses the Recorded Future API to publish the note with + the specified title, combined text, and topic. - 5. **Result Handling:** Upon successful creation, the action returns the unique - `document_id` of the new note and completes the execution. + 5. **Completion:** Returns the unique ID of the newly created note in Recorded + Future. capabilities: can_create_case_comments: false can_create_insight: false @@ -49,7 +59,8 @@ Add Analyst Note: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new Analyst Note in the Recorded Future platform. + Creates a new Analyst Note record in the Recorded Future platform containing + the provided intelligence and a list of associated entities. fetches_data: false internal_data_mutation_explanation: null categories: @@ -57,40 +68,10 @@ Add Analyst Note: entity_usage: entity_types: - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT + - DestinationURL - FILEHASH - - FILENAME - - GENERICENTITY - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -104,62 +85,90 @@ Add Analyst Note: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Detonate File: ai_description: >- - ### General Description + Submits a file to the Recorded Future Sandbox for automated analysis and detonation. + This action is asynchronous, meaning it initiates the upload and then periodically + checks the status of the analysis until a report is ready or a timeout occurs. + Once the analysis is complete, the action retrieves the report details and generates + a comprehensive insight within the Google SecOps case. - Submits a file to the Recorded Future Sandbox for automated detonation and behavioral - analysis. This action is designed to handle files stored either in a Google Cloud - Platform (GCP) Bucket or on the local file system. It is an asynchronous action - that uploads the file, monitors the analysis progress, and retrieves a comprehensive - report once completed. + ### Parameters - ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | File Path | String | Yes | The full path or identifier of the file to be detonated. + | File Path | string | Yes | The full path to the file that needs to be analyzed. | - | File Source | DDL | Yes | Specifies where the file is located. Options are `GCP - Bucket` or `Local File System`. | + | File Source | ddl | Yes | Specifies where the action should retrieve the file + from. Options are 'GCP Bucket' (retrieves via Google Cloud Storage) or 'Local + File System' (retrieves from the local path). | - | Profile | String | No | The specific Sandbox profile to use for the analysis. - | + | Profile | string | No | The specific Recorded Future Sandbox profile to use + for the analysis. | - | Password | String | No | The password required to extract the file if it is - an encrypted archive. | + | Password | string | No | The password required to extract the file if it is + a password-protected archive. | ### Flow Description - 1. **Initialization**: The action extracts the file path and source configuration - from the input parameters. - 2. **File Retrieval**: Depending on the `File Source`, it either reads the file - from the local disk or fetches it from a GCP Bucket using the SecOps SDK. + 1. **File Retrieval:** The action retrieves the file content based on the provided + `File Path` and `File Source` (either from a GCP Bucket or the local filesystem). - 3. **Submission**: The file is uploaded to the Recorded Future Sandbox API for - detonation. + 2. **Submission:** The file is uploaded to the Recorded Future Sandbox API using + the provided `Profile` and `Password` (if applicable). - 4. **Monitoring**: As an asynchronous action, it enters an 'In Progress' state, - periodically polling the sandbox to check if the analysis is finished. + 3. **Status Polling:** Because the action is asynchronous, it enters an 'In Progress' + state and periodically queries the Sandbox API to check if the analysis is 'reported' + (finished). - 5. **Reporting**: Once the analysis is complete, it retrieves the overview report, - including scores, signatures, and IOCs. + 4. **Report Retrieval:** Once the analysis is complete, the action fetches the + overview report, which includes scores, signatures, and IOCs. - 6. **Internal Update**: It generates a detailed Case Insight in Google SecOps - containing the detonation results and analysis summary. + 5. **Insight Generation:** The action processes the report data and creates a + detailed HTML insight in the Google SecOps case, providing visibility into the + detonation results. ### Additional Notes - This action requires a valid Recorded Future Sandbox API key and URL configured - in the integration settings. It is an asynchronous action and will remain in progress - until the sandbox analysis is finished or a timeout occurs. + + * This action requires a valid Recorded Future Sandbox API key and URL configured + in the integration settings. + + * The action will time out if the analysis takes longer than the configured + execution deadline. capabilities: can_create_case_comments: false can_create_insight: true @@ -168,11 +177,12 @@ Detonate File: can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: >- - Submits a file to the Recorded Future Sandbox for detonation and analysis, which - creates a new analysis task in the external system. + Submits a file to the Recorded Future Sandbox, which creates a new analysis + record and initiates a detonation process on the external platform. fetches_data: true internal_data_mutation_explanation: >- - Creates case insights containing the detonation report and analysis details. + Creates case insights within Google SecOps to display the results of the file + analysis. categories: enrichment: false entity_usage: @@ -190,48 +200,76 @@ Detonate File: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: true + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Detonate URL: ai_description: >- - ### General Description + Submits URL entities to the Recorded Future Sandbox for automated analysis and + detonation. This is an asynchronous action that initiates a scan and then polls + for the results. Once the analysis is complete, it retrieves a detailed report + including risk scores, signatures, and associated IOCs. - Submits URL entities to the Recorded Future Sandbox (Triage) for automated detonation - and behavioral analysis. This action is designed to handle URLs asynchronously, - meaning it initiates the detonation process and then polls the sandbox until the - analysis is complete. Once finished, it retrieves a comprehensive report including - risk scores, signatures, and observed network flows. + ### Flow Description - ### Parameters Description + 1. **Extraction:** Identifies URL entities from the target entities in the current + context. - | Parameter | Type | Mandatory | Description | + 2. **Submission:** Submits the identified URLs to the Recorded Future Sandbox + API, optionally using a specified Sandbox profile. - | :--- | :--- | :--- | :--- | + 3. **Polling:** Periodically checks the status of the submitted samples until + they reach a 'reported' or 'failed' state. - | Profile | String | No | Specifies the Sandbox profile to use for the detonation - (e.g., a specific OS or browser environment). If left empty, the default sandbox - profile is used. | + 4. **Retrieval:** Fetches the overview report for all successfully analyzed URLs. + 5. **Enrichment:** Generates detailed HTML insights for each analyzed URL, including + summary scores, scan metadata, and detected signatures/IOCs. - ### Flow Description + 6. **Finalization:** Populates the action results with JSON data and a summary + table of the findings. - 1. **Entity Extraction**: The action identifies all URL entities within the current - context. - 2. **Submission**: It submits each identified URL to the Recorded Future Sandbox - API. If a specific 'Profile' is provided, it is applied to the submission. + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Profile | String | No | Specifies the Sandbox profile to be used for the detonation + (e.g., specific OS or browser environment). | - 3. **Polling (Async)**: Because detonation takes time, the action enters an 'In - Progress' state, periodically polling the sandbox to check the status of the analysis. - 4. **Report Retrieval**: Once the sandbox reports the analysis as 'reported' (finished), - the action fetches the full overview report. + ### Additional Notes - 5. **Result Generation**: The action parses the report to extract risk scores, - signatures, and IOCs. + * This action is **asynchronous**; it will remain in an 'In Progress' state while + waiting for the Sandbox to complete the analysis. - 6. **Internal Updates**: It creates detailed Case Insights containing the detonation - results in HTML format and adds the raw data to the action's JSON results and - data tables. + * If the action approaches the global timeout, it will report the pending URLs + in the output message. capabilities: can_create_case_comments: false can_create_insight: true @@ -240,12 +278,12 @@ Detonate URL: can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: >- - Submits URLs to the Recorded Future Sandbox, which creates new analysis samples - and triggers active detonation processes in the external environment. + Submits a URL to the Recorded Future Sandbox, which creates a new analysis sample + and job in the external system. fetches_data: true internal_data_mutation_explanation: >- - Creates case insights containing the detonation analysis reports and adds data - tables to the case wall. + Creates case insights containing the detonation report details and adds data + tables to the action result. categories: enrichment: false entity_usage: @@ -264,88 +302,96 @@ Detonate URL: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: true + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Enrich CVE: ai_description: >- - ### General Description - - This action queries Recorded Future to retrieve comprehensive threat intelligence - for CVE (Common Vulnerabilities and Exposures) entities. It provides detailed - risk scores, triggered risk rules, and intelligence cards. The action helps security - analysts understand the severity of a vulnerability by comparing Recorded Future's - risk score against a customizable threshold, automatically marking high-risk entities - as suspicious and providing context through case insights. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Risk Score Threshold | String | Yes | The minimum malicious risk score (0-99) - required to mark a CVE as suspicious. Corresponds to Recorded Future's risk levels - (e.g., Medium: 25-64, High: 65-79). | + Enriches CVE (Common Vulnerabilities and Exposures) entities using Recorded Future's + threat intelligence. This action retrieves comprehensive vulnerability data, including + risk scores, evidence details, and intelligence card links. It evaluates the CVE + against a user-defined risk threshold to automatically mark entities as suspicious + within Google SecOps. Additionally, it can contribute detection telemetry back + to Recorded Future via the Collective Insights feature. - | Include Links | Boolean | No | If enabled, the action retrieves information - about related entities and links from Recorded Future. | - - | Enable Collective Insights | Boolean | No | If enabled, the action contributes - detection data back to Recorded Future's Collective Insights platform. | + ### Flow Description: - ### Additional Notes + 1. **Parameter Extraction:** Retrieves API credentials from the integration configuration + and action parameters including the Risk Score Threshold, Link inclusion preference, + and Collective Insights toggle. - - **Collective Insights**: This feature is only active if enabled in both the - integration configuration and the action parameters, and only for alerts where - the reporting vendor is not 'Recorded Future'. + 2. **Entity Filtering:** Identifies and processes only CVE entities present in + the current context. - - **Risk Levels**: The threshold corresponds to Recorded Future's risk levels: - None (0), Low (5-24), Medium (25-64), High (65-79), Critical (80-89), and Very - Critical (90-99). + 3. **Intelligence Retrieval:** Queries Recorded Future for the risk score, evidence + details, and (optionally) related entity links for each CVE. - - **External Mutation**: This action is not categorized as a pure enrichment action - because it can submit data to an external system (Collective Insights). + 4. **External Contribution:** If 'Enable Collective Insights' is active and the + alert did not originate from Recorded Future, it submits detection metadata to + Recorded Future's telemetry API. + 5. **Internal Enrichment:** Updates the entity's additional properties with Recorded + Future metadata and sets the 'is_enriched' flag. - ### Flow Description + 6. **Risk Assessment:** Compares the retrieved risk score against the 'Risk Score + Threshold'. If exceeded, the entity is marked as suspicious. - 1. **Parameter Initialization**: Extracts API credentials and action-specific - parameters like the risk threshold and link inclusion settings. + 7. **Insight & Reporting:** Generates a detailed Case Insight containing risk + evidence and populates data tables with overview and link information. - 2. **Entity Scoping**: Filters the target entities to process only those of type - 'CVE'. - 3. **Intelligence Query**: Calls the Recorded Future API to fetch vulnerability - intelligence, including risk scores, evidence, and optional links. + ### Parameters Description: - 4. **Collective Insights Submission**: If enabled, the action sends detection - telemetry to Recorded Future's Collective Insights service, provided the alert - did not originate from Recorded Future. + | Parameter Name | Type | Mandatory | Description | - 5. **Result Processing**: Populates data tables with the vulnerability report - and triggered risk rules. It also adds a direct link to the Recorded Future intelligence - card. + | :--- | :--- | :--- | :--- | - 6. **Risk Evaluation**: Compares the CVE's risk score against the user-defined - 'Risk Score Threshold'. + | Risk Score Threshold | String | Yes | The minimum malicious risk score (0-99) + required to mark a CVE as suspicious. Default is 25. | - 7. **Internal Enrichment**: If the score exceeds the threshold, the entity is - marked as suspicious, and a detailed case insight is created. + | Include Links | Boolean | No | If enabled, the action retrieves and displays + related entity links from Recorded Future. | - 8. **Entity Update**: Updates the entity's additional properties with the retrieved - intelligence and marks it as enriched. + | Enable Collective Insights | Boolean | No | If enabled, the action shares detection + telemetry back to Recorded Future to improve global threat intelligence. | capabilities: can_create_case_comments: false can_create_insight: true can_modify_alert_data: false can_mutate_external_data: true - can_mutate_internal_data: false + can_mutate_internal_data: true can_update_entities: true external_data_mutation_explanation: >- - Submits detection telemetry and incident metadata to Recorded Future's Collective - Insights platform when the 'Enable Collective Insights' parameter is enabled. + If the 'Enable Collective Insights' parameter is enabled, the action performs + a POST request to Recorded Future's Collective Insights API to contribute detection + telemetry. fetches_data: true - internal_data_mutation_explanation: null + internal_data_mutation_explanation: >- + The action updates entity attributes (is_suspicious, is_enriched, additional_properties) + and creates case insights based on the retrieved threat intelligence. categories: enrichment: false entity_usage: @@ -364,57 +410,91 @@ Enrich CVE: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Enrich Hash: ai_description: >- - ### General Description - - Enriches File Hash entities using Recorded Future's threat intelligence. This - action retrieves risk scores, evidence details, and optional entity links. It - evaluates the hash against a user-defined risk threshold to mark entities as suspicious - and generates detailed insights and data tables within the case. + Enriches File Hash entities using Recorded Future's threat intelligence platform. + This action retrieves comprehensive intelligence including risk scores, evidence + details, and intelligence card links. It evaluates the risk score against a user-defined + threshold to automatically mark entities as suspicious within Google SecOps. Additionally, + it can contribute detection data back to Recorded Future via the Collective Insights + feature. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Risk Score Threshold | String | Yes | Represents the minimum malicious risk - score (0-89) for a Hash to be marked malicious. | + | Risk Score Threshold | string | Yes | The minimum malicious risk score (0-89) + required to mark a Hash as suspicious. | - | Include Links | Boolean | No | If enabled, the action retrieves information - about related entity links. | + | Include Links | boolean | No | If enabled, retrieves information about related + entity links. | - | Enable Collective Insights | Boolean | No | If enabled, contributes detection - data back to Recorded Future's Collective Insights service. | + | Enable Collective Insights | boolean | No | If enabled, contributes detection + data back to Recorded Future's community intelligence. | ### Additional Notes - Collective Insights are only submitted if the alert's reporting vendor is not - 'Recorded Future'. + - The 'Enable Collective Insights' feature only triggers if both the action parameter + and the global integration configuration are enabled, and the alert vendor is + not 'Recorded Future'. + + - Risk bands: Unusual (5-24), Suspicious (25-64), Malicious (65-89). ### Flow Description - 1. **Parameter Extraction**: Retrieves API configuration and action parameters - (Threshold, Links, Collective Insights). + 1. **Initialization**: Extracts API configuration and action parameters (Threshold, + Links, Collective Insights). + + 2. **Entity Filtering**: Identifies all File Hash entities within the current + context. - 2. **Entity Filtering**: Iterates through target entities and filters for File - Hash types. + 3. **Data Retrieval**: For each hash, queries Recorded Future for its risk profile + and intelligence data. - 3. **Intelligence Retrieval**: Queries Recorded Future for reputation data, including - risk scores, evidence, and optional links. + 4. **External Contribution**: If Collective Insights is enabled, submits the detection + event to Recorded Future. - 4. **External Contribution**: If enabled and applicable, submits detection information - back to Recorded Future via Collective Insights. + 5. **Internal Enrichment**: Updates the entity's additional properties with Recorded + Future metadata and adds data tables for risk rules and overview details. - 5. **Internal Enrichment**: Updates entity attributes (is_suspicious, additional_properties) - based on the risk score and threshold. + 6. **Risk Assessment**: Compares the retrieved risk score to the 'Risk Score Threshold'. + If exceeded, the entity is marked as suspicious. - 6. **Reporting**: Generates case insights, data tables for risk rules and links, - and adds a direct link to the Recorded Future portal. + 7. **Insight Generation**: Creates a detailed Case Insight containing the risk + breakdown and a link to the Recorded Future portal. + + 8. **Completion**: Updates the entities in the case and returns the final execution + status. capabilities: can_create_case_comments: false can_create_insight: true @@ -423,13 +503,13 @@ Enrich Hash: can_mutate_internal_data: true can_update_entities: true external_data_mutation_explanation: >- - Submits detection information to Recorded Future's Collective Insights service - if the 'Enable Collective Insights' parameter is set to true and the alert source - is not Recorded Future. + If 'Enable Collective Insights' is active, the action performs a POST request + to Recorded Future to contribute detection data to their community intelligence + database. fetches_data: true internal_data_mutation_explanation: >- - Updates entity fields (is_suspicious, additional_properties, is_enriched) and - creates case insights with detailed threat intelligence. + Updates entity suspicious status, populates additional properties with enrichment + data, and creates case insights. categories: enrichment: false entity_usage: @@ -448,68 +528,88 @@ Enrich Hash: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Enrich Host: ai_description: >- ### General Description - The **Enrich Host** action queries Recorded Future to retrieve comprehensive threat - intelligence for **Hostname** and **Domain** entities. It provides security analysts - with critical context, including risk scores, triggered risk rules, and intelligence - cards, to help evaluate the threat level of specific hosts within a case. + Enriches Hostname and Domain entities using Recorded Future intelligence. This + action retrieves comprehensive threat intelligence, including risk scores, triggered + risk rules, and evidence details. It helps analysts identify malicious hosts by + comparing risk scores against a configurable threshold and provides direct links + to the Recorded Future portal for deeper investigation. ### Parameters Description - | Parameter | Type | Mandatory | Description | + | Parameter | Type | Mandatory | Default | Description | - | :--- | :--- | :--- | :--- | + | :--- | :--- | :--- | :--- | :--- | - | **Risk Score Threshold** | String | Yes | The minimum risk score (0-99) required - to mark a host as suspicious. Scores are categorized as: Very Malicious (90-99), - Malicious (65-89), Suspicious (25-64), Unusual (5-24), and No Malicious Content - (0). | + | Risk Score Threshold | String | Yes | 25 | Represents the minimum malicious + risk score (0-99) for a Host to be marked malicious. | - | **Include Links** | Boolean | No | If enabled, the action retrieves additional - information about related entity links from Recorded Future. | + | Include Links | Boolean | No | False | If enabled, the action will retrieve + information about links from Recorded Future. | - | **Enable Collective Insights** | Boolean | No | If enabled, the action contributes - detection data back to Recorded Future's Collective Insights system, provided - the alert did not originate from Recorded Future itself. | + | Enable Collective Insights | Boolean | No | True | If enabled, contributes detection + data back to Recorded Future's Collective Insights API. | - ### Flow Description + ### Additional Notes - 1. **Initialization**: Extracts API configuration (URL, Key, SSL settings) and - action parameters (Threshold, Links, Collective Insights). + * Collective Insights are only submitted if the alert's reporting vendor is not + 'Recorded Future'. - 2. **Entity Filtering**: Identifies all `HOSTNAME` and `DOMAIN` entities within - the current Google SecOps context. + * The action supports both Hostname and Domain entity types. - 3. **Intelligence Retrieval**: For each identified entity, the action calls the - Recorded Future API to fetch enrichment data, including risk scores and evidence. - 4. **External Contribution**: If `Enable Collective Insights` is true and the - alert source is external, detection data is submitted to Recorded Future. + ### Flow Description - 5. **Data Augmentation**: Adds detailed data tables to the action results, including - a general report, triggered risk rules, and optionally, related links. + 1. **Initialize Connection**: Establishes a connection to Recorded Future using + the provided API URL and Key. - 6. **Risk Assessment**: Compares the retrieved risk score against the user-defined - `Risk Score Threshold`. If the score exceeds the threshold, the entity is marked - as suspicious. + 2. **Filter Entities**: Identifies target entities of type Hostname or Domain + for processing. - 7. **Internal Updates**: Updates the entity's properties in Google SecOps with - the new intelligence and creates a case insight containing the risk analysis and - portal links. + 3. **Query Intelligence**: For each entity, queries Recorded Future for enrichment + data, including risk scores and evidence details. + 4. **Submit Collective Insights**: If enabled and applicable, submits detection + telemetry to Recorded Future. - ### Additional Notes + 5. **Evaluate Risk**: Compares the retrieved risk score against the user-defined + 'Risk Score Threshold'. - - This action performs an external mutation by contributing to 'Collective Insights' - if the parameter is enabled. + 6. **Update Internal Data**: Updates the entity's suspicious status, adds enrichment + properties, and creates case insights with detailed risk evidence. - - The action supports both `HOSTNAME` and `DOMAIN` entity types, even though the - simulation data may only list one. + 7. **Generate Results**: Adds data tables for overview, risk rules, and links + to the case wall, and provides a direct link to the Recorded Future portal. capabilities: can_create_case_comments: false can_create_insight: true @@ -518,12 +618,12 @@ Enrich Host: can_mutate_internal_data: true can_update_entities: true external_data_mutation_explanation: >- - If the 'Enable Collective Insights' parameter is enabled, the action submits - detection information back to Recorded Future's Collective Insights platform. + Contributes detection information to Recorded Future's Collective Insights API + if the 'Enable Collective Insights' parameter is set to true. fetches_data: true internal_data_mutation_explanation: >- - Updates entity attributes such as 'is_suspicious', 'is_enriched', and 'additional_properties'. - It also creates case insights to display threat intelligence summary. + Updates entity suspicious status, adds enrichment properties to entities, and + creates case insights with risk details. categories: enrichment: false entity_usage: @@ -543,75 +643,92 @@ Enrich Host: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Enrich IOC: ai_description: >- - ### General Description - - The **Enrich IOC** action retrieves comprehensive threat intelligence from Recorded - Future for various Indicators of Compromise (IOCs), including IP addresses, domains, - hostnames, file hashes, URLs, and CVEs. It provides risk scores, evidence for - maliciousness, and links to Recorded Future intelligence cards. This action is - designed to automate the initial triage of entities within a case by providing - context and automatically flagging suspicious entities based on a configurable - risk threshold. + Enriches IOC entities (IP Address, Domain, Hostname, File Hash, URL, and CVE) + using Recorded Future intelligence. This action retrieves risk scores, evidence + details, and optional related links. It automatically updates entity attributes, + marks entities as suspicious based on a configurable threshold, and generates + detailed insights for analysts. ### Parameters Description + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Risk Score Threshold** | Integer | Yes | The minimum Recorded Future risk - score (0-100) required to mark an entity as suspicious. Default is 25. | + | Risk Score Threshold | String | Yes | Represents the minimum malicious risk + score (0-100) for each entity to be marked as suspicious. | - | **Include Links** | Boolean | No | If enabled, the action retrieves related - entity links (e.g., IPs related to a domain) and populates them into a data table. - | + | Include Links | Boolean | No | If enabled, the action will retrieve information + about related entity links from Recorded Future. | - | **Enable Collective Insights** | Boolean | No | If enabled, the action contributes - detection data back to Recorded Future's Collective Insights platform to improve - global threat intelligence. This is skipped for alerts originally generated by - Recorded Future. | + | Enable Collective Insights | Boolean | No | If enabled, the action will contribute + detection telemetry back to Recorded Future's Collective Insights API. | - ### Additional Notes + ### Flow Description - - This action updates the `is_suspicious` and `is_enriched` flags on entities - within Google SecOps. - - It populates the entity's `additional_properties` with Recorded Future specific - data (prefixed with `RF_`). + 1. **Initialization**: Extracts integration configuration (API Key, URL) and action + parameters. - - Collective Insights submission is subject to both the action-level parameter - and a global integration configuration. + 2. **Entity Filtering**: Identifies supported entities in the current context, + including IP Addresses, Domains, Hostnames, File Hashes, URLs, and CVEs. + 3. **Intelligence Retrieval**: For each supported entity, queries the Recorded + Future API to fetch enrichment data, risk scores, and evidence details. - ### Flow Description + 4. **Collective Insights Submission**: If 'Enable Collective Insights' is active + and the alert is from an external vendor, submits detection telemetry (IOC value, + type, and alert context) to Recorded Future. - 1. **Parameter Extraction:** Retrieves API credentials and action parameters (Threshold, - Links, Collective Insights). + 5. **Data Population**: Updates entity properties with the fetched intelligence + and adds data tables (Overview, Risk Rules, and Links) to the case. - 2. **Entity Filtering:** Iterates through the case's target entities and filters - for supported types (ADDRESS, HOSTNAME, DOMAIN, FILEHASH, CVE, DestinationURL). + 6. **Risk Assessment**: Compares the entity's risk score against the 'Risk Score + Threshold'. - 3. **Intelligence Retrieval:** For each supported entity, it queries the Recorded - Future API to fetch the risk report and intelligence metadata. + 7. **Insight Generation**: If the threshold is exceeded, marks the entity as suspicious + and generates a detailed case insight containing risk details and location data + (for IPs). - 4. **External Contribution:** If 'Enable Collective Insights' is active, it submits - the detection context to Recorded Future. + 8. **Completion**: Updates the entities within Google SecOps and provides a summary + of the enrichment results. - 5. **Data Visualization:** Adds multiple data tables to the case, including an - overview report, triggered risk rules, and related links (if requested). - 6. **Risk Assessment:** Compares the retrieved risk score against the **Risk Score - Threshold**. If the score is higher, the entity is marked as suspicious. + ### Additional Notes - 7. **Insight Generation:** Creates a detailed Case Insight containing the risk - score, portal links, and evidence details for risky entities. - 8. **Entity Update:** Updates the entities in the Google SecOps case with the - new enrichment data and suspicious status. + Collective Insights submissions are automatically excluded for alerts where the + reporting vendor is 'Recorded Future' to avoid redundant data submission. capabilities: can_create_case_comments: false can_create_insight: true @@ -621,21 +738,21 @@ Enrich IOC: can_update_entities: true external_data_mutation_explanation: >- If 'Enable Collective Insights' is enabled, the action performs a POST request - to Recorded Future's Collective Insights API to contribute detection data. + to Recorded Future's Collective Insights API to contribute detection telemetry. fetches_data: true internal_data_mutation_explanation: >- - Updates entity fields (is_suspicious, is_enriched), adds enrichment data to - entity additional_properties, and creates case insights. + Updates entity fields (is_suspicious, is_enriched, additional_properties) and + creates case insights containing risk scores and evidence details. categories: enrichment: false entity_usage: entity_types: - ADDRESS - CVE + - DOMAIN - FILEHASH - HOSTNAME - DestinationURL - - DOMAIN filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -649,15 +766,40 @@ Enrich IOC: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Enrich IOCs Bulk: ai_description: >- ### General Description - Enriches multiple IOCs (Indicators of Compromise) in bulk using Recorded Future's - SOAR API. This action retrieves threat intelligence for a variety of entity types, - including IP Addresses, Domains, Hostnames, File Hashes, URLs, and CVEs, in a - single request. It is designed for high-efficiency enrichment of all supported - entities present in the current context. + Enriches multiple Indicator of Compromise (IOC) entities in bulk using the Recorded + Future SOAR API. This action retrieves comprehensive threat intelligence, including + risk scores and evidence, for IP addresses, domains, hostnames, file hashes, URLs, + and CVEs. It also allows for contributing detection data back to Recorded Future + via the Collective Insights feature. ### Parameters Description @@ -666,43 +808,39 @@ Enrich IOCs Bulk: | :--- | :--- | :--- | :--- | - | Enable Collective Insights | boolean | No | If enabled, the action will contribute - detection information back to Recorded Future's Collective Insights platform. - This submission only occurs if the alert did not originate from Recorded Future - itself. Default is true. | + | Enable Collective Insights | Boolean | No | If enabled, the action will contribute + detection data (IOCs and alert context) back to Recorded Future's Collective Insights + platform. This is only performed if the alert vendor is not Recorded Future. | ### Additional Notes - - This action uses the Recorded Future SOAR API, which is optimized for bulk lookups. + - This action is designed for bulk processing and returns data in a structured + JSON format. - - The action retrieves raw intelligence data and attaches it as a JSON result - to the action output. - - - Unlike individual enrichment actions, this bulk action does not automatically - update entity fields or create case insights; it focuses on data retrieval. + - Collective Insights submission is subject to both global integration settings + and the specific action parameter. ### Flow Description - 1. **Parameter Extraction**: Retrieves the API configuration (URL, Key, SSL verification) - and the 'Enable Collective Insights' action parameter. + 1. **Parameter Extraction:** Retrieves API credentials and the 'Enable Collective + Insights' setting. - 2. **Entity Identification**: Scans the current context for all supported entities - (ADDRESS, DOMAIN, HOSTNAME, FILEHASH, DestinationURL, CVE). + 2. **Entity Identification:** Filters the case's target entities to find supported + types: Hostname, CVE, Filehash, Address, URL, and Domain. - 3. **Bulk Request Preparation**: Groups the identified entities by their Recorded - Future type (e.g., mapping 'ADDRESS' to 'ip') to construct a bulk query. + 3. **Bulk Request Preparation:** Groups the identified entities by type to prepare + a single bulk request for the Recorded Future SOAR API. - 4. **Intelligence Retrieval**: Executes a bulk lookup via the Recorded Future - SOAR API to fetch intelligence for all entities simultaneously. + 4. **Intelligence Retrieval:** Executes the bulk lookup to fetch risk scores and + threat data. - 5. **Collective Insights Submission**: If enabled and applicable (based on the - alert vendor), submits detection metadata for the entities to Recorded Future's - global intelligence platform. + 5. **Collective Insights Submission:** If enabled and applicable, submits the + detection context to Recorded Future. - 6. **Output Generation**: Aggregates the retrieved intelligence into a structured - JSON result and completes the action. + 6. **Result Output:** Returns the enriched data as a JSON result for use in subsequent + playbook steps. capabilities: can_create_case_comments: false can_create_insight: false @@ -711,21 +849,19 @@ Enrich IOCs Bulk: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - If 'Enable Collective Insights' is true, the action submits detection information - (IOC value, type, and incident metadata) to Recorded Future's Collective Insights - API to contribute to global threat intelligence. + Submits detection information to Recorded Future Collective Insights if enabled. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: entity_types: - - ADDRESS + - HOSTNAME - CVE - FILEHASH - - HOSTNAME - - DOMAIN + - ADDRESS - DestinationURL + - DOMAIN filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -739,14 +875,39 @@ Enrich IOCs Bulk: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Enrich IP: ai_description: >- Enriches IP Address entities using Recorded Future threat intelligence. This action - retrieves comprehensive reputation data, including risk scores, triggered risk - rules, location details (ASN, country, city), and related entity links. It evaluates - the risk score against a configurable threshold to automatically mark entities - as suspicious within Google SecOps. Additionally, it can contribute detection - data back to Recorded Future via the Collective Insights feature. + retrieves comprehensive data including risk scores, evidence details, location + information (ASN, country, city), and organizational context. It evaluates the + risk score against a user-defined threshold to determine if the entity should + be marked as suspicious within Google SecOps. Additionally, it can contribute + detection telemetry back to Recorded Future via the Collective Insights feature. ### Parameters @@ -756,39 +917,53 @@ Enrich IP: | :--- | :--- | :--- | :--- | | Risk Score Threshold | String | Yes | The minimum malicious risk score (0-99) - required to mark an IP as suspicious. Band levels: Very Malicious (90-99), Malicious - (65-89), Suspicious (25-64), Unusual (5-24). Default is 25. | + required to mark an IP as suspicious. Below 5 is 'No Malicious Content', 5-24 + is 'Unusual', 25-64 is 'Suspicious', 65-89 is 'Malicious', and 90-99 is 'Very + Malicious'. | | Include Links | Boolean | No | If enabled, the action retrieves and displays - information about related entity links in a dedicated data table. | + information about related entity links in a separate data table. | | Enable Collective Insights | Boolean | No | If enabled, the action contributes - detection data back to Recorded Future's Collective Insights platform. | + detection telemetry (IOC value, type, and incident metadata) back to Recorded + Future. | - ### Flow Description + ### Additional Notes - 1. **Initialization**: Retrieves API credentials and configuration settings (URL, - API Key, SSL verification). + - **Collective Insights Logic**: Submission to Collective Insights only occurs + if the feature is enabled both globally in the integration configuration and specifically + for this action. Furthermore, submissions are automatically skipped if the alert's + reporting vendor is 'Recorded Future' to prevent redundant reporting. + + - **Risk Scoring**: If Recorded Future returns no score for an entity, a default + score of 0 is used for threshold comparison. - 2. **Parameter Extraction**: Parses the risk threshold, link inclusion preference, - and Collective Insights toggle. - 3. **Entity Filtering**: Identifies all IP Address entities within the current + ### Flow Description + + 1. **Initialization**: Extracts API credentials from the configuration and user-defined + parameters (Threshold, Links, Collective Insights). + + 2. **Entity Filtering**: Identifies all IP Address entities present in the current alert or case context. - 4. **Data Retrieval**: Queries Recorded Future for the IP's risk score, evidence - details, and geographical information. + 3. **Intelligence Retrieval**: Queries Recorded Future for each IP to obtain its + risk score, evidence details, location data, and optional links. - 5. **External Contribution**: If 'Enable Collective Insights' is active and the - alert is not from Recorded Future itself, it submits the detection to the Recorded - Future platform. + 4. **External Contribution**: If Collective Insights is enabled and the alert + source is external, the action submits the detection metadata to Recorded Future. - 6. **Risk Evaluation**: Compares the retrieved risk score against the 'Risk Score - Threshold'. If exceeded, the entity is marked as suspicious. + 5. **Risk Evaluation**: Compares the retrieved risk score against the 'Risk Score + Threshold'. If the score exceeds the threshold, the entity is marked as suspicious. + + 6. **Internal Enrichment**: Updates the entity's additional properties with Recorded + Future metadata, sets the 'is_enriched' flag, and creates a detailed Case Insight + containing risk evidence and location details. - 7. **Internal Updates**: Updates the entity's additional properties with enrichment - data, creates a detailed case insight, and populates data tables with the findings. + 7. **Reporting**: Adds data tables for the overview report, triggered risk rules, + and links to the action results, while also providing a direct link to the Recorded + Future Intel Card. capabilities: can_create_case_comments: false can_create_insight: true @@ -797,13 +972,13 @@ Enrich IP: can_mutate_internal_data: true can_update_entities: true external_data_mutation_explanation: >- - If 'Enable Collective Insights' is enabled, the action submits detection information - back to Recorded Future's Collective Insights service, which modifies data in - the external Recorded Future platform. + If 'Enable Collective Insights' is enabled, the action submits detection telemetry + (IOC value, type, and incident metadata) to Recorded Future's Collective Insights + API. fetches_data: true internal_data_mutation_explanation: >- - The action updates entity attributes with enrichment data, modifies the 'is_suspicious' - flag of entities based on the risk score, and creates case insights. + Updates entity attributes (additional properties, suspicious status, enriched + status) and creates case insights containing threat intelligence evidence. categories: enrichment: false entity_usage: @@ -822,63 +997,58 @@ Enrich IP: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Enrich URL: ai_description: >- - ### General Description - - Enriches URL entities using Recorded Future Intelligence. This action retrieves - comprehensive threat intelligence for URLs, including risk scores, evidence details, - and intelligence cards. It helps security analysts determine the reputation of - a URL and provides context for investigation. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Risk Score Threshold | string | Yes | Represents the minimum malicious risk - score (0-99) for a URL to be marked as suspicious in Google SecOps. Default is - 25. | - - | Include Links | boolean | No | If enabled, the action retrieves additional information - about related links associated with the URL. | - - | Enable Collective Insights | boolean | No | If enabled, the action contributes - detection telemetry back to Recorded Future's Collective Insights API. | - - - ### Additional Notes - - - The action will mark an entity as suspicious and create a case insight if the - retrieved risk score exceeds the configured 'Risk Score Threshold'. - - - Collective Insights submissions are automatically disabled if the alert vendor - is 'Recorded Future' to avoid redundant reporting. - - - ### Flow Description - - 1. **Parameter Initialization**: Extracts API configuration (URL, Key, SSL) and - action parameters (Threshold, Include Links, Collective Insights). - - 2. **Entity Filtering**: Identifies URL entities within the current alert scope. - - 3. **Intelligence Retrieval**: For each URL, queries the Recorded Future API to - fetch enrichment data, risk scores, and evidence. - - 4. **Telemetry Submission**: If 'Enable Collective Insights' is active, submits - detection context to Recorded Future. - - 5. **Internal Enrichment**: Updates the entity's additional properties with Recorded - Future data and sets the 'is_enriched' flag. - - 6. **Risk Assessment**: Compares the risk score against the threshold. If exceeded, - marks the entity as suspicious and generates a detailed case insight. - - 7. **Data Visualization**: Adds data tables to the case wall containing the overview - report, triggered risk rules, and related links. + ### General Description\nEnriches URL entities using Recorded Future Intelligence. + This action retrieves comprehensive threat intelligence, including risk scores, + criticality levels, and evidence details. It allows analysts to automatically + mark entities as suspicious based on a configurable risk threshold and can optionally + contribute detection data back to Recorded Future via Collective Insights.\n\n### + Parameters Description\n| Parameter | Description | Type | Mandatory |\n| :--- + | :--- | :--- | :--- |\n| Risk Score Threshold | Represents the minimum malicious + risk score (0-99) for a URL to be marked as suspicious. | String | Yes |\n| Include + Links | If enabled, the action retrieves information about links associated with + the URL. | Boolean | No |\n| Enable Collective Insights | If enabled, the action + contributes detection data back to Recorded Future's Collective Insights API. + | Boolean | No |\n\n### Additional Notes\n- The action will skip Collective Insights + submission if the alert's reporting vendor is 'Recorded Future' to prevent redundant + data loops.\n- Risk scores are categorized into bands: Very Malicious (90-99), + Malicious (65-89), Suspicious (25-64), Unusual (5-24), and No Malicious content + (0).\n\n### Flow Description\n1. **Parameter Extraction**: Retrieves API configuration + and action parameters (Threshold, Include Links, Collective Insights setting).\n2. + **Entity Filtering**: Identifies URL entities within the current context.\n3. + **Intelligence Retrieval**: Queries Recorded Future for enrichment data, including + risk scores and evidence details for each URL.\n4. **External Contribution**: + If enabled and applicable, submits the detection to Recorded Future Collective + Insights.\n5. **Internal Enrichment**: Updates the entity's additional properties, + sets the enriched status, and marks the entity as suspicious if the risk score + exceeds the threshold.\n6. **Insight Generation**: Creates case insights and data + tables containing the risk analysis and evidence details for the analyst. capabilities: can_create_case_comments: false can_create_insight: true @@ -887,13 +1057,12 @@ Enrich URL: can_mutate_internal_data: true can_update_entities: true external_data_mutation_explanation: >- - Submits detection telemetry (IOC value, type, and incident context) to Recorded - Future's Collective Insights API if the 'Enable Collective Insights' parameter - is enabled. + Submits detection information to Recorded Future's Collective Insights API if + the 'Enable Collective Insights' parameter is set to true. fetches_data: true internal_data_mutation_explanation: >- - Updates entity attributes (is_suspicious, additional_properties) and creates - case insights with detailed threat intelligence. + Updates entity attributes (additional properties, suspicious status, enriched + status) and creates case insights with threat intelligence details. categories: enrichment: false entity_usage: @@ -912,50 +1081,77 @@ Enrich URL: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Alert Details: ai_description: >- ### General Description - Retrieves comprehensive details for a specific Recorded Future alert using its - unique identifier. This action allows analysts to fetch deep context regarding - a threat, including associated documents, related entities, and evidence details, - facilitating a more thorough investigation within the Google SecOps case. + The **Get Alert Details** action retrieves comprehensive information about a specific + Recorded Future alert using its unique identifier. This action is designed to + provide analysts with deep-dive context, including associated documents, related + entities, and evidence details, which are returned to the Google SecOps case for + further investigation. ### Parameters Description - | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Alert ID | string | Yes | The unique identifier of the Recorded Future alert - for which details are being requested. | + | Alert ID | String | Yes | The unique identifier of the Recorded Future alert + for which you want to fetch details. | ### Flow Description - 1. **Authentication**: The action initializes the Recorded Future manager using - the provided API URL and API Key. + 1. **Initialization**: The action initializes the Recorded Future manager using + the integration's API URL, API Key, and SSL verification settings. - 2. **Parameter Extraction**: It retrieves the mandatory `Alert ID` from the action - parameters. + 2. **Parameter Extraction**: The mandatory `Alert ID` is retrieved from the action + input parameters. - 3. **Data Retrieval**: The action queries the Recorded Future API to fetch detailed - information about the specified alert, including hits, rules, and analyst notes. + 3. **Data Retrieval**: The action queries the Recorded Future API to fetch the + full alert object, including hits, rules, and review status. - 4. **Result Processing**: The retrieved alert data is converted to JSON and added - to the action's execution results for use in subsequent playbook steps. + 4. **Result Processing**: The retrieved alert data is converted into a JSON result + and added to the action output. - 5. **Portal Linking**: A direct web link to the alert in the Recorded Future portal - is provided for the analyst to access the original report. + 5. **Link Generation**: A direct web report link to the Recorded Future portal + for the specific alert is added to the case results. ### Additional Notes - This action does not operate on case entities; it requires a specific Alert ID - as input. It is primarily used for manual or automated deep-dive lookups of known - Recorded Future alerts. + - This action does not process or enrich entities from the Google SecOps case; + it operates strictly on the provided `Alert ID` parameter. + + - If the provided Alert ID is not found in Recorded Future, the action will return + a failure status with a descriptive error message. capabilities: can_create_case_comments: false can_create_insight: false @@ -967,7 +1163,7 @@ Get Alert Details: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: entity_types: [] filters_by_additional_properties: false @@ -983,56 +1179,83 @@ Get Alert Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Playbook Alert Details: ai_description: >- ### General Description - This action retrieves comprehensive details for a specific Recorded Future Playbook - Alert and attaches the results to the current case. It is designed to provide - deep context beyond the initial alert summary, such as updated DNS records, specific - vulnerability stages, or detailed identity exposure information. The action returns - the full raw data of the alert and provides a direct link to the Recorded Future - portal for the full web report. + + The **Get Playbook Alert Details** action retrieves exhaustive information regarding + a specific Playbook Alert from Recorded Future. This is particularly useful for + gaining deeper context on alerts related to domain abuse, vulnerabilities, data + leaks, and third-party risks. The action returns the full alert data in JSON format + and provides a direct URL to the Recorded Future Intelligence Card for the alert. ### Parameters Description + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Playbook Alert ID | String | Yes | The unique identifier of the playbook alert - for which you want to fetch details. | + | **Playbook Alert ID** | String | Yes | The unique identifier of the Playbook + Alert to be fetched. | - | Category | String | Yes | The specific category of the Playbook Alert. Supported - values include: `domain_abuse`, `cyber_vulnerability`, `code_repo_leakage`, `third_party_risk`, + | **Category** | String | Yes | The specific category the alert belongs to. Valid + options include: `domain_abuse`, `cyber_vulnerability`, `code_repo_leakage`, `third_party_risk`, `identity_novel_exposures`, and `geopolitics_facility`. | - ### Additional Notes + ### Flow Description - - This action does not run on entities; it requires a specific Alert ID and Category - as input parameters. - - The action is read-only and does not change the status or assignee of the alert - in Recorded Future. + 1. **Parameter Extraction:** The action retrieves the API credentials from the + integration configuration and the Alert ID and Category from the user-provided + parameters. + 2. **Manager Initialization:** It initializes the `RecordedFutureManager` to handle + API communication. - ### Flow Description + 3. **Data Retrieval:** The action calls the Recorded Future API to fetch the specific + details of the Playbook Alert based on the ID and Category. + + 4. **Result Processing:** The retrieved alert object is converted to JSON and + added to the action results. - 1. **Parameter Extraction:** The action extracts the API credentials (URL, Key, - SSL verification) and the specific Playbook Alert ID and Category from the user - input. + 5. **Link Generation:** A direct web link to the Recorded Future portal for that + specific alert is added to the action output for quick access. - 2. **API Interaction:** It utilizes the `RecordedFutureManager` to call the Recorded - Future API's fetch method for the specified alert. - 3. **Data Processing:** The retrieved alert data is transformed into a structured - `PlaybookAlert` object. + ### Additional Notes + - 4. **Result Attachment:** The action adds the full JSON representation of the - alert details to the execution results and generates a direct link to the Recorded - Future portal report for easy access by analysts. + * This action does not process entities from the case; it relies solely on the + provided `Playbook Alert ID` and `Category` parameters. capabilities: can_create_case_comments: false can_create_insight: false @@ -1060,56 +1283,77 @@ Get Playbook Alert Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: ai_description: >- - ### General Description + Tests the connectivity to the Recorded Future API using the provided integration + configuration. This action validates that the SOAR environment can successfully + communicate with Recorded Future by performing a sample enrichment lookup on a + known IP address (8.8.8.8). - The **Ping** action is a diagnostic tool used to verify the connectivity between - the Google SecOps (Chronicle) environment and the Recorded Future API. It ensures - that the provided API URL and API Key are valid and that the network allows communication - with the service. + ### Flow Description: - ### Parameters - - | Parameter Name | Description | Type | Mandatory | Default Value | - - | :--- | :--- | :--- | :--- | :--- | + 1. **Parameter Initialization:** Retrieves the `ApiUrl`, `ApiKey`, and `Verify + SSL` settings from the integration configuration. - | ApiUrl | The base URL for the Recorded Future API. | String | Yes | N/A | + 2. **Manager Setup:** Initializes the `RecordedFutureManager` with the retrieved + credentials. - | ApiKey | The API Key used for authentication with Recorded Future. | String - | Yes | N/A | + 3. **Connectivity Test:** Executes the `test_connectivity` method, which attempts + to fetch reputation data for the hardcoded IP `8.8.8.8` from the Recorded Future + API. - | Verify SSL | If enabled, the action will verify the SSL certificate of the API - endpoint. | Boolean | No | False | + 4. **Result Handling:** If the API call is successful, it returns a 'Connection + Established' message. If an exception occurs (e.g., unauthorized, network error), + it captures the error and reports a failure. - ### Flow Description + ### Parameters Description: - 1. **Initialization**: The action initializes the Siemplify SDK and logger. + | Parameter | Type | Mandatory | Description | - 2. **Parameter Extraction**: It retrieves the `ApiUrl`, `ApiKey`, and `Verify - SSL` settings from the integration configuration. + | :--- | :--- | :--- | :--- | - 3. **Manager Setup**: A `RecordedFutureManager` instance is created using the - extracted credentials. + | ApiUrl | String | Yes (Config) | The base URL for the Recorded Future API. | - 4. **Connectivity Test**: The action calls the `test_connectivity` method, which - performs a sample enrichment lookup for a hardcoded IP address (8.8.8.8) to confirm - the API is responsive and the credentials are valid. + | ApiKey | String | Yes (Config) | The API key used for authentication. | - 5. **Result Reporting**: If the test succeeds, it returns a 'Connection Established' - message. If it fails, it captures the exception and reports a failure status. + | Verify SSL | Boolean | No (Config) | Determines whether to verify the SSL certificate + of the API endpoint. Defaults to False. | - ### Additional Notes + ### Additional Notes: - - This action does not process any entities from the current alert or case; it - uses a static internal test to validate the integration configuration. + * This action does not process any entities from the SecOps case; it uses a static + IP address for the health check. - - As per standard SOAR conventions, this action is categorized as a connectivity - test and not as an enrichment action. + * There are no action-specific parameters; all required values are pulled from + the integration's shared configuration. capabilities: can_create_case_comments: false can_create_insight: false @@ -1137,46 +1381,78 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Refresh Playbook Alert: ai_description: >- - Updates a Google SecOps case with the latest information from a Recorded Future - Playbook Alert. This action is designed to synchronize an existing case with new - data fetched directly from the Recorded Future platform, ensuring that the investigation - reflects the most current threat intelligence. + ### General Description + Updates information in a Google SecOps case created by the Recorded Future Playbook + Alerts Connector. This action fetches the latest data for a specific Playbook + Alert from the Recorded Future platform and synchronizes the case by adding any + newly discovered entities. - ### Parameters Description + ### Flow Description - | Parameter | Description | Type | Mandatory | + 1. **Validation**: Verifies that the current alert in Google SecOps is a Recorded + Future Playbook Alert. - | :--- | :--- | :--- | :--- | + 2. **Data Retrieval**: Fetches the latest alert details from Recorded Future using + the provided Alert ID and Category. - | Playbook Alert ID | The unique identifier of the playbook alert in Recorded - Future to be refreshed. | string | Yes | + 3. **Entity Extraction**: Processes the alert data based on its category (e.g., + Domain Abuse, Identity Exposure) to identify relevant indicators. - | Category | The specific category of the Playbook Alert. Supported values include: - `domain_abuse`, `cyber_vulnerability`, `code_repo_leakage`, `third_party_risk`, - `identity_novel_exposures`, and `geopolitics_facility`. | string | Yes | + 4. **Case Synchronization**: Automatically adds newly discovered entities (IPs, + Domains, CVEs, etc.) to the current Google SecOps case. + 5. **Output Generation**: Populates the action results with formatted JSON and + provides a direct link to the Recorded Future Intelligence Card. - ### Flow Description + ### Parameters Description + + | Parameter | Description | Type | Mandatory | - 1. **Validation**: The action first verifies that the current case was generated - by the Recorded Future Playbook Alert product. If not, it terminates with an error. + | :--- | :--- | :--- | :--- | - 2. **Data Retrieval**: It connects to the Recorded Future API to fetch the latest - details for the specified Playbook Alert ID and Category. + | Playbook Alert ID | The unique identifier of the playbook alert in Recorded + Future. | String | Yes | - 3. **Entity Synchronization**: Based on the alert category, the action identifies - relevant indicators (such as IPs, Domains, Hostnames, or CVEs) within the refreshed - data and automatically adds them as entities to the Google SecOps case. + | Category | The category of the Playbook Alert. Supported values: `domain_abuse`, + `cyber_vulnerability`, `code_repo_leakage`, `third_party_risk`, `identity_novel_exposures`, + and `geopolitics_facility`. | String | Yes | + + + ### Additional Notes - 4. **Result Generation**: The action populates the execution results with a JSON - object containing the updated alert data (including HTML-formatted summaries for - widgets) and provides a direct link to the Recorded Future portal for the specific - alert. + This action is specifically designed to work with cases generated by the Recorded + Future Playbook Alerts Connector. It ensures that the investigation context remains + up-to-date as the external alert evolves. capabilities: can_create_case_comments: false can_create_insight: false @@ -1187,8 +1463,8 @@ Refresh Playbook Alert: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action adds new entities discovered in the refreshed Recorded Future alert - data to the current Google SecOps case. + Adds new entities discovered in the refreshed Recorded Future Playbook Alert + to the current Google SecOps case. categories: enrichment: false entity_usage: @@ -1206,57 +1482,95 @@ Refresh Playbook Alert: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Search Hash Malware Intelligence: ai_description: >- Queries Recorded Future's Malware Intelligence to retrieve sandbox analysis reports - for SHA256 file hashes. This action allows security analysts to look up historical - detonation results from the Recorded Future Sandbox (Triage) without re-submitting - the file. It retrieves detailed technical data including risk scores, network - flows, and behavioral signatures. + for SHA256 file hashes. This action allows analysts to look up historical sandbox + detonations and technical indicators associated with a specific hash without needing + to re-detonate the file. + + + ### General Description + + The action iterates through file hash entities in the current context and queries + the Recorded Future API for existing sandbox reports. It supports filtering by + date range and can be restricted to only search for samples submitted by the user's + enterprise. The results include risk scores, malware signatures, and network flow + data, which are then presented as a Case Insight for quick review. ### Parameters Description + | Parameter | Type | Mandatory | Default | Description | - | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | :--- | - | :--- | :--- | :--- | :--- | + | My Enterprise | boolean | No | false | If set to true, the action will only + return reports for samples submitted by your organization. | - | My Enterprise | boolean | No | If set to `true`, the search is restricted to - samples submitted by your organization's enterprise account. Default is `false`. + | Start Date | string | No | -30d | The starting point for the search lookback. + Supports relative formats (e.g., '-1d', '-30d') or specific dates (YYYY-MM-DD). | - | Start Date | string | No | The starting point for the search lookback. Supports - relative formats like `-30d` or specific dates like `2026-01-23`. Default is `-30d`. - | + | End Date | string | No | None | The end point for the search lookback. If left + empty, it defaults to the current time. | - | End Date | string | No | The ending point for the search lookback. Supports - relative formats or specific dates. If left empty, it defaults to the current - date. | + ### Additional Notes - ### Flow Description + * This action specifically targets **SHA256** hashes. The logic explicitly filters + for hash identifiers with a length of 64 characters. + * If no report is found for a hash within the specified timeframe, the action + will still complete successfully but will indicate that no data was found in the + insight. - 1. **Initialization**: The action extracts the API configuration and user-provided - parameters (Enterprise scope and date range). - 2. **Entity Filtering**: It iterates through the target entities in the case, - specifically looking for `FILEHASH` entities that are 64 characters long (SHA256). + ### Flow Description - 3. **External Query**: For each valid hash, it queries the Recorded Future Malware - Intelligence API using the specified date filters and enterprise scope. + 1. **Parameter Extraction:** The action retrieves the API configuration and user-provided + parameters (Enterprise filter and date range). - 4. **Data Processing**: If reports are found, the action parses the sandbox results, - including analysis scores, completion timestamps, network flows (destination IPs/ports), - and behavioral signatures (TTPs and descriptions). + 2. **Entity Filtering:** It identifies `FILEHASH` entities from the target list, + specifically looking for SHA256 strings. - 5. **Internal Enrichment**: It generates a detailed HTML Case Insight for each - hash, providing a summary of the sandbox findings directly within the Google SecOps - interface. + 3. **API Query:** For each valid hash, it calls the Recorded Future Malware Intelligence + API to fetch sandbox reports. - 6. **Output**: The raw report data is attached as a JSON result for use in downstream - playbook logic. + 4. **Data Transformation:** The raw API response is parsed into a structured data + model containing analysis summaries, signatures, and network telemetry. + + 5. **Insight Generation:** A detailed HTML insight is created and attached to + the entity in the Google SecOps case, providing immediate visibility into the + malware's behavior. + + 6. **Result Output:** The full report data is added to the action's JSON results + for use in downstream playbook logic. capabilities: can_create_case_comments: false can_create_insight: true @@ -1267,8 +1581,8 @@ Search Hash Malware Intelligence: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action creates Case Insights in Google SecOps to display detailed malware - sandbox report summaries for the analyzed file hashes. + The action creates Case Insights within Google SecOps to display the retrieved + malware intelligence reports. categories: enrichment: true entity_usage: @@ -1287,31 +1601,80 @@ Search Hash Malware Intelligence: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Update Alert: - ai_description: "### General Description\nUpdates the details of an existing alert\ - \ within the Recorded Future platform. This action allows analysts to programmatically\ - \ manage the lifecycle of Recorded Future alerts by changing their status, assigning\ - \ them to specific users, or adding administrative notes.\n\n### Parameters Description\n\ - | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ - | **Alert ID** | string | Yes | The unique identifier of the Recorded Future alert\ - \ to be updated. |\n| **Assign To** | string | No | The identifier of the user\ - \ to whom the alert should be assigned. Accepts ID, username, user hash, or email.\ - \ |\n| **Note** | string | No | A text comment or note to be appended to the alert.\ - \ |\n| **Status** | ddl | Yes | The new lifecycle status for the alert. Options\ - \ include: `New`, `Pending`, `Dismissed`, `Resolved`, and `Flag for Tuning`. |\n\ - \n### Additional Notes\nWhile the `Status` parameter is marked as mandatory in\ - \ the configuration, the action logic requires that at least one of the following\ - \ parameters\u2014`Status` (if not set to 'None'), `Assign To`, or `Note`\u2014\ - must be provided for the update to proceed. If all three are empty or 'None',\ - \ the action will fail with an error message.\n\n### Flow Description\n1. **Parameter\ - \ Extraction**: Retrieves the API configuration and the specific alert details\ - \ (ID, Status, Assignee, Note) from the action input.\n2. **Validation**: Checks\ - \ if at least one update field (Status, Assignee, or Note) contains a value to\ - \ ensure a valid update request is sent.\n3. **API Interaction**: Uses the `RecordedFutureManager`\ - \ to send a request to the Recorded Future API's alert update endpoint.\n4. **Result\ - \ Processing**: Captures the API response, adds the raw JSON result to the action\ - \ output, and provides a success message if the update was accepted by the external\ - \ system." + ai_description: >- + Updates an existing alert in the Recorded Future Intelligence platform. This action + allows analysts to modify the status, assignee, and associated notes of a specific + alert identified by its ID. It is primarily used to synchronize the state of an + investigation between Google SecOps and Recorded Future. + + + ### Flow Description: + + 1. **Parameter Extraction:** The action retrieves the Alert ID, the new Status, + the Assignee (optional), and any Note (optional) from the user input. + + 2. **Input Validation:** It verifies that at least one update field (Status, Assign + To, or Note) has been provided. If the Status is set to 'None' and no assignee + or note is provided, the action will fail to prevent empty updates. + + 3. **API Interaction:** The action initializes the Recorded Future Manager and + sends a request to the Recorded Future API to update the specified alert record. + + 4. **Result Processing:** Upon success, the action returns a JSON confirmation + of the update and provides an output message to the analyst. + + + ### Parameters Description: + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Alert ID | string | Yes | The unique identifier of the alert in Recorded Future + that needs to be updated. | + + | Status | ddl | Yes | The new status to assign to the alert. Options include: + None, New, Pending, Dismissed, Resolved, Flag for Tuning. Selecting 'None' means + the status will not be changed. | + + | Assign To | string | No | The identifier of the user to whom the alert should + be assigned. This can be an ID, username, user hash, or email address. | + + | Note | string | No | A text note or comment to be appended to the alert in Recorded + Future. | + + + ### Additional Notes: + + * **Validation Logic:** While the 'Status' parameter is mandatory, selecting 'None' + is treated as a null operation for that field. In such cases, either 'Assign To' + or 'Note' must be populated for the action to execute successfully. capabilities: can_create_case_comments: false can_create_insight: false @@ -1320,7 +1683,7 @@ Update Alert: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the status, assignee, and notes of an alert directly within the Recorded + Updates the status, assignee, and notes of an alert record within the Recorded Future platform. fetches_data: false internal_data_mutation_explanation: null @@ -1341,11 +1704,36 @@ Update Alert: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: true Update Playbook Alert: ai_description: >- - Updates the details of a specific playbook alert in Recorded Future. This action - allows for modifying the alert's status, priority, assignee, and reopen strategy, - as well as adding log entries for auditing purposes. + Updates a playbook alert in Recorded Future with new metadata such as status, + priority, or assignee. This action allows analysts to synchronize the state of + a Recorded Future alert with the investigation progress in Google SecOps. ### Parameters @@ -1354,54 +1742,53 @@ Update Playbook Alert: | :--- | :--- | :--- | :--- | - | Playbook Alert ID | String | Yes | The unique identifier of the playbook alert + | Playbook Alert ID | string | Yes | The unique identifier of the playbook alert to be updated. | - | Playbook Alert Category | String | Yes | The category associated with the playbook - alert (e.g., domain_abuse, cyber_vulnerability). | + | Playbook Alert Category | string | Yes | The category of the playbook alert + (e.g., domain_abuse, cyber_vulnerability). | - | Assign To | String | No | The user uhash of the person to whom the alert should - be assigned. | + | Assign To | string | No | The user hash (uhash) of the Recorded Future user + to whom the alert should be assigned. | - | Log Entry | String | No | A comment or note to be added to the alert's activity - log. | + | Log Entry | string | No | A comment or note to be added to the alert's activity + log during the update. | - | Status | DDL | No | The new status for the alert (New, In Progress, Dismissed, - Resolved). | + | Status | ddl | No | The new status for the alert. Options: New, In Progress, + Dismissed, Resolved. | - | Priority | DDL | No | The new priority level for the alert (High, Moderate, - Informational). | + | Priority | ddl | No | The new priority level for the alert. Options: High, Moderate, + Informational. | - | Reopen Strategy | DDL | No | The strategy for reopening the alert (Never, Significant - Updates). | + | Reopen Strategy | ddl | No | Defines the strategy for reopening the alert. Options: + Never, Significant Updates. | ### Additional Notes - At least one of the following parameters must be provided for the action to execute: - `Assign To`, `Log Entry`, `Status`, `Priority`, or `Reopen Strategy`. If none - are provided, the action will fail with an error message. + - At least one of the optional parameters (Assign To, Log Entry, Status, Priority, + or Reopen Strategy) must be provided for the action to execute successfully. + + - The action first fetches the current state of the alert from Recorded Future + before applying the requested changes. ### Flow Description - 1. **Parameter Extraction:** The action retrieves the API configuration (URL, - Key, SSL verification) and the specific alert identifiers and update values from - the input parameters. + 1. **Parameter Extraction:** Retrieves the Alert ID, Category, and update fields + from the action input. - 2. **Validation:** It verifies that at least one update field (Status, Priority, - Assignee, Log Entry, or Reopen Strategy) has been provided to ensure a mutation - is intended. + 2. **Validation:** Checks that at least one update field is populated to avoid + redundant API calls. - 3. **Manager Initialization:** Initializes the Recorded Future Manager to facilitate - communication with the external API. + 3. **Manager Initialization:** Establishes a connection to the Recorded Future + API using the provided credentials. - 4. **Alert Update:** The action first fetches the existing playbook alert to ensure - its existence and then submits a request to the Recorded Future API to apply the - specified changes. + 4. **External Update:** Calls the Recorded Future API to modify the specified + playbook alert attributes. - 5. **Result Processing:** The updated alert data is returned as a JSON object, - and a success message is logged in the action output. + 5. **Result Processing:** Returns the raw JSON response of the updated alert and + provides a success message to the analyst. capabilities: can_create_case_comments: false can_create_insight: false @@ -1411,7 +1798,7 @@ Update Playbook Alert: can_update_entities: false external_data_mutation_explanation: >- Updates the status, priority, assignee, log entry, or reopen strategy of a playbook - alert in the Recorded Future platform. + alert record within the Recorded Future platform. fetches_data: true internal_data_mutation_explanation: null categories: @@ -1431,3 +1818,28 @@ Update Playbook Alert: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: true diff --git a/content/response_integrations/third_party/partner/recorded_future_intelligence/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/partner/recorded_future_intelligence/resources/ai/connectors_ai_description.yaml new file mode 100644 index 000000000..d8f0a1ed0 --- /dev/null +++ b/content/response_integrations/third_party/partner/recorded_future_intelligence/resources/ai/connectors_ai_description.yaml @@ -0,0 +1,230 @@ +"Recorded Future - Classic Alerts Connector": + ai_description: >- + ### General Description + + The Recorded Future - Classic Alerts Connector fetches "Classic Alerts" from the + Recorded Future API and ingests them into Google SecOps as cases. This integration + allows security teams to automate the monitoring of threat intelligence alerts + generated by Recorded Future's correlation rules, providing enriched event data, + AI-driven insights, and direct links to the Recorded Future portal for further + investigation. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | DeviceProductField | String | Yes | The source field name used to retrieve the + Product Field name (default: device_product). | + + | EventClassId | String | Yes | The source field name used to retrieve the Event + Field name (default: rule_name). | + + | Environment Field Name | String | No | The field name where the environment + name is stored. | + + | Environment Regex Pattern | String | No | A regex pattern to extract or manipulate + the environment name from the environment field. | + + | PythonProcessTimeout | Integer | Yes | The timeout limit in seconds for the + connector's execution (default: 180). | + + | API URL | String | Yes | The root URL of the Recorded Future API instance. | + + | API Key | Password | Yes | The API Key used to authenticate with Recorded Future. + | + + | Fetch Max Hours Backwards | Integer | No | The number of hours to look back + for alerts during the first run or if no checkpoint exists. | + + | Alert Statuses | String | No | Comma-separated list of alert statuses to fetch + (e.g., New, Pending, Resolved, Dismissed). | + + | Max Alerts To Fetch | Integer | No | The maximum number of alerts to process + in a single connector iteration. | + + | Severity | String | Yes | The severity level (Low, Medium, High, Critical) to + assign to the created SecOps alerts. | + + | Use whitelist as a blacklist | Boolean | No | If enabled, the provided whitelist + will be treated as a denylist to exclude specific rules. | + + | Enable Overflow | Boolean | No | If enabled, uses deduplication logic to prevent + redundant alerts from creating multiple cases. | + + | Extract all Entities | Boolean | No | If enabled, extracts all entities found + in the alert events; otherwise, only primary entities are extracted. | + + | Verify SSL | Boolean | No | If enabled, verifies the SSL certificate of the + Recorded Future server. | + + | Proxy Server Address | String | No | The address of the proxy server if one + is required. | + + | Proxy Username | String | No | The username for proxy authentication. | + + | Proxy Password | Password | No | The password for proxy authentication. | + + + ### Flow Description + + 1. **Authentication**: The connector establishes a connection to the Recorded + Future API using the provided API Key and URL. + + 2. **Timeframe Calculation**: It determines the starting point for the fetch based + on the last successful execution timestamp or the "Fetch Max Hours Backwards" + parameter. + + 3. **Alert Retrieval**: The connector queries Recorded Future for alerts matching + the configured statuses (e.g., "New") and applies filtering based on the whitelist/denylist + of rule names. + + 4. **Deduplication**: It checks the retrieved alert IDs against a local database + of previously processed IDs to ensure no duplicate cases are created. + + 5. **Data Enrichment**: For each valid alert, the connector extracts event data, + including AI-generated insights and metadata such as the alert URL and rule generator. + + 6. **Case Creation**: The connector maps the Recorded Future alert data to the + Google SecOps AlertInfo model, applies environment logic, and checks for overflow/deduplication + before ingesting the case into the system. + + 7. **Checkpointing**: Upon successful processing, the connector saves the timestamp + of the most recent alert and updates the list of processed IDs for the next cycle. +"Recorded Future - Playbook Alerts Connector": + ai_description: >- + ### General Description + + The Recorded Future - Playbook Alerts Connector fetches high-fidelity threat intelligence + alerts from the Recorded Future platform and ingests them into Google SecOps as + cases. It specifically targets 'Playbook Alerts,' which are categorized intelligence + findings such as domain abuse, code repository leakages, cyber vulnerabilities, + and third-party risks. This integration enables security teams to automate the + response to external threat intelligence by providing structured alert data directly + within the SOAR environment. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | API URL | String | Yes | The API Root of the Recorded Future instance (e.g., + https://api.recordedfuture.com). | + + | API Key | Password | Yes | The API Key used to authenticate with Recorded Future. + | + + | Playbook Alert Categories | String | No | Comma-separated list of categories + to fetch (e.g., domain_abuse, cyber_vulnerability, code_repo_leakage). | + + | Playbook Alert Statuses | String | No | Comma-separated list of statuses to + fetch (e.g., New, InProgress, Resolved). | + + | Playbook Alert Priorities | String | No | Comma-separated list of priorities + to fetch (e.g., Informational, Moderate, High). | + + | Fetch Max Hours Backwards | Integer | No | The number of hours back from the + current time to start fetching alerts. | + + | Max Alerts To Fetch | Integer | No | The maximum number of alerts to process + in a single connector iteration. | + + | Severity | String | No | An optional override for the alert severity (Low, Medium, + High, Critical). | + + | Enable Overflow | Boolean | No | If enabled, uses Google SecOps overflow logic + to deduplicate similar alerts. | + + | Verify SSL | Boolean | No | If enabled, verifies the SSL certificate for the + connection to the Recorded Future server. | + + | Environment Field Name | String | No | The field name used to determine the + environment for the ingested alerts. | + + + ### Flow Description + + 1. **Initialization**: The connector validates the API credentials and configuration + parameters, including category and status filters. + + 2. **State Retrieval**: It identifies the starting point for the fetch by checking + the last successful execution timestamp and retrieves a list of previously processed + alert IDs to avoid duplication. + + 3. **API Query**: The connector sends a request to the Recorded Future Playbook + Alerts API, filtering by the configured categories, statuses, priorities, and + the time window defined by the 'Fetch Max Hours Backwards' parameter. + + 4. **Alert Transformation**: For each retrieved alert, the connector maps the + Recorded Future data model to the Google SecOps `AlertInfo` format. This includes + setting the environment, priority, and rule generator fields. + + 5. **Deduplication & Overflow**: If 'Enable Overflow' is active, the connector + checks the SOAR platform's overflow mechanism to skip alerts that are considered + duplicates based on defined logic. + + 6. **Case Creation**: Validated and transformed alerts are ingested into Google + SecOps to create actionable cases. + + 7. **Checkpointing**: Upon successful completion, the connector saves the current + timestamp and the list of processed alert IDs to ensure the next iteration starts + from the correct point. +"Recorded Future - Playbook Alerts Tracking Connector": + ai_description: "### General Description\nThe Recorded Future Playbook Alerts Tracking\ + \ connector monitors and ingests updates to existing Playbook Alerts from the\ + \ Recorded Future platform. Unlike standard alert connectors that fetch only new\ + \ records, this tracking connector identifies significant changes in existing\ + \ alerts\u2014such as status changes, priority escalations, or new evidence\u2014\ + and creates new cases in Google SecOps based on specific user-defined triggers.\ + \ This ensures that security teams are alerted to evolving threats and intelligence\ + \ updates throughout the lifecycle of an alert.\n\n### Parameters Description\n\ + | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ + | DeviceProductField | String | Yes | The source field name used to retrieve the\ + \ Product Field name (default: device_product). |\n| EventClassId | String | Yes\ + \ | The source field name used to retrieve the Event Field name (default: category).\ + \ |\n| Environment Field Name | String | No | The field name where the environment\ + \ name is stored for multi-tenant environments. |\n| Environment Regex Pattern\ + \ | String | No | A regex pattern to extract or manipulate the environment name\ + \ from the environment field. |\n| PythonProcessTimeout | Integer | Yes | The\ + \ timeout limit in seconds for the connector's execution process. |\n| API URL\ + \ | String | Yes | The API Root of the Recorded Future instance (default: https://api.recordedfuture.com).\ + \ |\n| API Key | Password | Yes | The API Key used to authenticate with Recorded\ + \ Future. |\n| Search Max Hours Backwards | Integer | No | The number of hours\ + \ to look back for updates during the first run or if no checkpoint exists. |\n\ + | Playbook Alert Categories | String | No | Comma-separated list of categories\ + \ to fetch (e.g., domain_abuse, cyber_vulnerability, third_party_risk). |\n| Playbook\ + \ Alert Statuses | String | No | Comma-separated list of statuses to fetch (New,\ + \ InProgress, Resolved, Dismissed). |\n| Playbook Alert Priorities | String |\ + \ No | Comma-separated list of priorities to fetch (Informational, Moderate, High).\ + \ |\n| Playbook Alert Reopened | Boolean | No | If enabled, creates a new case\ + \ when a previously closed Playbook Alert is reopened. |\n| Priority Increased\ + \ | Boolean | No | If enabled, creates a new case when the priority of a Playbook\ + \ Alert is increased. |\n| New Assessment Added | Boolean | No | If enabled, creates\ + \ a new case when a new assessment is added to a Playbook Alert. |\n| Entity Added\ + \ | Boolean | No | If enabled, creates a new case when new entities are added\ + \ to a Playbook Alert. |\n| Max Alerts To Fetch | Integer | No | The maximum number\ + \ of alerts to process in a single connector iteration. |\n| Severity | String\ + \ | Yes | The severity level (Low, Medium, High, Critical) to assign to the created\ + \ Google SecOps cases. |\n| Enable Overflow | Boolean | No | If enabled, uses\ + \ Google SecOps overflow logic to deduplicate similar alerts. |\n| Verify SSL\ + \ | Boolean | No | If enabled, verifies the SSL certificate for the connection\ + \ to Recorded Future. |\n\n### Flow Description\n1. **Authentication**: The connector\ + \ establishes a connection to the Recorded Future API using the provided API Key\ + \ and URL.\n2. **Time Window Determination**: It calculates the search window\ + \ by checking the last successful execution timestamp or falling back to the \"\ + Search Max Hours Backwards\" setting.\n3. **Alert Retrieval**: The connector queries\ + \ Recorded Future for Playbook Alerts that have been updated within the search\ + \ window, applying filters for Category, Status, and Priority.\n4. **Update Analysis**:\ + \ For each retrieved alert, the connector analyzes the internal change logs (`panel_log_v2`)\ + \ to identify the specific nature of the update.\n5. **Trigger Filtering**: It\ + \ evaluates the updates against the enabled tracking triggers: Reopened, Priority\ + \ Increased, New Assessment Added, or Entity Added. If no enabled trigger is matched,\ + \ the update is skipped.\n6. **Case Mapping**: Alerts meeting the trigger criteria\ + \ are mapped to the Google SecOps `AlertInfo` data model, including relevant event\ + \ details and environment context.\n7. **Ingestion**: The connector ingests the\ + \ processed updates as new cases into Google SecOps and updates the execution\ + \ checkpoint." diff --git a/content/response_integrations/third_party/partner/recorded_future_intelligence/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/recorded_future_intelligence/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..ac8e64b44 --- /dev/null +++ b/content/response_integrations/third_party/partner/recorded_future_intelligence/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + siem: false + threat_intelligence: true + vulnerability_management: true diff --git a/content/response_integrations/third_party/partner/rubrik_security_cloud/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/rubrik_security_cloud/resources/ai/actions_ai_description.yaml index 23c6c50f4..7fd0bcbdd 100644 --- a/content/response_integrations/third_party/partner/rubrik_security_cloud/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/rubrik_security_cloud/resources/ai/actions_ai_description.yaml @@ -1,51 +1,61 @@ Advanced IOC Scan: ai_description: >- - ### Advanced IOC Scan + Starts an advanced Indicator of Compromise (IOC) scan, also known as a Threat + Hunt, on specified Rubrik objects. This action allows security teams to search + for malicious files, hashes, or patterns across backup snapshots within Rubrik + Security Cloud. It supports complex filtering including file size limits, path + inclusions/exclusions, and specific snapshot time ranges. - #### General Description + ### Flow Description + + 1. **Parameter Validation:** The action validates the mandatory `Object ID` and + optional parameters like `Start Date`, `End Date`, and integer-based filters (file + sizes, snapshot limits). + + 2. **IOC Configuration:** It processes the IOC criteria provided either via the + `IOC Type` and `IOC Value` parameters or through a complex JSON object in the + `Advanced IOC` parameter. - Initiates an advanced Indicator of Compromise (IOC) scan (Threat Hunt) on specified - Rubrik objects within the Rubrik Security Cloud. This action allows security teams - to search for specific file patterns, hashes, or YARA rules across snapshots of - protected systems, providing granular control over scan criteria such as file - size, date ranges, and path inclusions/exclusions. + 3. **API Interaction:** It sends a GraphQL mutation (`startBulkThreatHunt`) to + Rubrik Security Cloud to initiate the scanning process. + 4. **Result Processing:** The action retrieves the unique IDs for the newly created + threat hunts and displays them in a data table within the SecOps case for tracking. - #### Parameters Description + + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Object ID** | String | Yes | Comma-separated list of Rubrik object IDs (snappables) - to perform the scan on. | + | **Object ID** | String | Yes | Comma-separated list of Rubrik Object IDs (e.g., + virtual machines, file sets) to perform the scan on. | - | **IOC Type** | DDL | No | The type of indicator to scan for. Options include: - `INDICATOR_OF_COMPROMISE_TYPE_PATH_OR_FILENAME`, `INDICATOR_OF_COMPROMISE_TYPE_HASH`, - or `INDICATOR_OF_COMPROMISE_TYPE_YARA_RULE`. | + | **IOC Type** | DDL | No | The category of indicator to search for: `PATH_OR_FILENAME`, + `HASH`, or `YARA_RULE`. | - | **IOC Value** | String | No | The specific value of the indicator to search - for (e.g., a file hash or path pattern). | + | **IOC Value** | String | No | The specific value (e.g., file hash or path pattern) + to search for. Required if `Advanced IOC` is not used. | - | **Scan Name** | String | No | Custom name for the threat hunt. If not provided, - a name is auto-generated using the format `Google-SecOps-YYYY-MM-DD-HH:MM:SS`. - | + | **Advanced IOC** | String | No | A JSON-encoded string containing multiple indicators + of compromise. If provided, it overrides `IOC Type` and `IOC Value`. | - | **Advanced IOC** | String | No | A JSON-encoded object where keys represent - IOC types and values are lists of indicators. | + | **Scan Name** | String | No | A custom name for the threat hunt. If omitted, + a name is auto-generated using the current timestamp. | - | **Start Date** | String | No | Filter snapshots from this date. Supported formats: - `yyyy-mm-dd`, `yyyy-mm-ddTHH:MM:SSZ`. | + | **Start Date** | String | No | Filters snapshots to scan starting from this + date (Format: `yyyy-mm-dd` or ISO 8601). | - | **End Date** | String | No | Filter snapshots until this date. Supported formats: - `yyyy-mm-dd`, `yyyy-mm-ddTHH:MM:SSZ`. | + | **End Date** | String | No | Filters snapshots to scan until this date (Format: + `yyyy-mm-dd` or ISO 8601). | - | **Max Snapshots Per Object** | String | No | The maximum number of snapshots - to scan for each specified object. | + | **Max Snapshots Per Object** | String | No | Limits the number of snapshots + scanned for each specified object. | - | **Max Matches Per Snapshot** | String | No | The scan for a snapshot terminates - once this number of matches is detected. | + | **Max Matches Per Snapshot** | String | No | Terminates the scan for a snapshot + once this number of matches is reached. | | **Min File Size** | String | No | Minimum file size in bytes to include in the scan. | @@ -56,39 +66,20 @@ Advanced IOC Scan: | **Paths To Include** | String | No | Comma-separated list of file paths to explicitly include in the scan. | - | **Paths To Exclude** | String | No | Comma-separated list of file paths to exclude - from the scan. | + | **Paths To Exclude** | String | No | Comma-separated list of file paths to ignore + during the scan. | | **Paths To Exempt** | String | No | Comma-separated list of paths to exempt from the exclusion list. | - #### Additional Notes - - - **Requirement Logic:** Either the `Advanced IOC` parameter must be configured, - OR both `IOC Type` and `IOC Value` must be provided for the action to run. If - neither set is provided, the action will fail. - - - The action returns a data table named "Advanced IOC Scan Results" containing - the Hunt IDs and their initial statuses. - - - #### Flow Description - - 1. **Initialization:** Extracts configuration parameters and action inputs. - - 2. **Validation:** Validates date formats, ensures integer parameters (like file - sizes and snapshot limits) are non-negative, and parses the `Advanced IOC` JSON - if provided. - - 3. **Authentication:** Establishes a session with Rubrik Security Cloud using - OAuth credentials. + ### Additional Notes - 4. **Scan Initiation:** Executes a GraphQL mutation (`startBulkThreatHunt`) to - trigger the scan on the Rubrik platform with the defined IOCs and filters. + - Either the combination of `IOC Type` and `IOC Value` OR the `Advanced IOC` parameter + must be configured for the action to run successfully. - 5. **Output:** Captures the resulting Hunt IDs and populates a data table and - the raw JSON result in Google SecOps. + - The action returns a list of Hunt IDs which can be used in subsequent actions + to check the status or results of the scan. capabilities: can_create_case_comments: false can_create_insight: false @@ -97,9 +88,8 @@ Advanced IOC Scan: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Initiates a new Threat Hunt (IOC scan) on the Rubrik Security Cloud platform, - which creates new hunt records and starts background scanning processes on the - target objects. + Initiates a new Threat Hunt process in Rubrik Security Cloud, which creates + new hunt records and triggers scanning tasks on the backup infrastructure. fetches_data: true internal_data_mutation_explanation: null categories: @@ -119,28 +109,65 @@ Advanced IOC Scan: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get CDM Cluster Connection State: - ai_description: "### General Description\nRetrieves the connection state of a specific\ - \ Rubrik CDM (Cloud Data Management) cluster from Rubrik Security Cloud (RSC).\ - \ This action provides visibility into the operational status of a cluster and\ - \ its individual nodes, helping administrators verify connectivity and health.\n\ - \n### Parameters Description\n| Parameter | Type | Mandatory | Description |\n\ - | :--- | :--- | :--- | :--- |\n| Cluster ID | String | Yes | The unique identifier\ - \ of the CDM cluster to check. |\n\n### Flow Description\n1. **Parameter Extraction**:\ - \ The action retrieves the mandatory `Cluster ID` from the input parameters.\n\ - 2. **Authentication**: Initializes the Rubrik API manager using the provided service\ - \ account credentials and establishes a secure session.\n3. **Data Retrieval**:\ - \ Executes a GraphQL query (`CDM_CLUSTER_CONNECTION_STATE_QUERY`) against the\ - \ Rubrik Security Cloud API to fetch the connection status for the specified cluster.\n\ - 4. **Data Processing**: Parses the API response to extract node-specific connection\ - \ states (e.g., `connectedState`) using the `CDMClusterConnectionStateDatamodel`.\n\ - 5. **Output Generation**: \n * Adds the raw JSON response to the action's result\ - \ JSON.\n * Creates a data table named 'CDM Cluster Connection State' containing\ - \ the connection status of the cluster nodes for display in the SOAR interface.\n\ - \ * Returns a success message and sets the result value to `true` if data is\ - \ retrieved successfully.\n\n### Additional Notes\nThis action does not automatically\ - \ iterate over entities in the case. It is a standalone utility that requires\ - \ a manually provided `Cluster ID` to function." + ai_description: >- + Retrieves the connection state of a specific Cloud Data Management (CDM) cluster + from Rubrik Security Cloud. This action is used to monitor the health and connectivity + status of Rubrik clusters, providing details on whether the cluster and its individual + nodes are currently connected to the Rubrik Security Cloud platform. + + + ### Parameters + + | Parameter | Description | Type | Mandatory | + + | :--- | :--- | :--- | :--- | + + | Cluster ID | The unique identifier of the CDM cluster to query. | String | Yes + | + + + ### Flow Description + + 1. **Parameter Extraction:** Retrieves the mandatory `Cluster ID` from the action + input. + + 2. **API Initialization:** Sets up the Rubrik API manager using the integration's + service account credentials. + + 3. **Data Retrieval:** Executes a GraphQL query to fetch the `connectedState` + for the specified cluster and its associated nodes. + + 4. **Data Processing:** Parses the API response into a structured data model. + + 5. **Result Output:** Returns the full JSON response and generates a data table + titled 'CDM Cluster Connection State' containing the connection status for each + node. capabilities: can_create_case_comments: false can_create_insight: false @@ -168,53 +195,76 @@ Get CDM Cluster Connection State: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get CDM Cluster Location: ai_description: >- - ### General Description + Retrieves the geographical location information for a specific Rubrik Cloud Data + Management (CDM) cluster. This action queries the Rubrik Security Cloud API to + find the physical address or location details associated with the nodes of a cluster + identified by its unique ID. - The **Get CDM Cluster Location** action retrieves the geographical location information - for a specific Rubrik Cloud Data Management (CDM) cluster. It identifies the physical - address associated with the nodes within the cluster by querying the Rubrik Security - Cloud API. This action is useful for asset management and identifying the physical - residency of data stored in specific clusters. + ### Flow Description: - ### Parameters Description + 1. **Parameter Extraction:** The action extracts the mandatory `Cluster ID` from + the input parameters. - | Parameter | Type | Mandatory | Description | + 2. **Authentication:** It initializes the Rubrik API Manager using service account + credentials to establish a secure connection. - | :--- | :--- | :--- | :--- | + 3. **Data Retrieval:** It executes a GraphQL query (`CDM_CLUSTER_LOCATION_QUERY`) + to fetch the `geoLocation` and `address` data for the specified cluster. - | **Cluster ID** | String | Yes | The unique identifier of the CDM cluster for - which the location is being requested. | + 4. **Data Processing:** The response is parsed to extract location details for + all nodes within the cluster. + 5. **Output Generation:** The action populates the execution results with a raw + JSON response and creates a formatted data table named 'CDM Cluster Location' + containing the Cluster ID and its corresponding address. - ### Flow Description - 1. **Parameter Extraction**: The action retrieves the mandatory `Cluster ID` from - the input parameters. + ### Parameters Description: - 2. **API Initialization**: It initializes the Rubrik Security Cloud API manager - using the provided service account credentials and validates the connection. - 3. **Data Retrieval**: A GraphQL query is executed to fetch the `geoLocation` - (specifically the `address` field) for the specified cluster ID. + | Parameter Name | Type | Mandatory | Description | - 4. **Data Processing**: The response is parsed, and the location details for the - cluster nodes are extracted and structured using the `CDMClusterLocationDatamodel`. + | :--- | :--- | :--- | :--- | - 5. **Result Output**: The action adds the raw JSON response to the execution results - and constructs a data table named "CDM Cluster Location" containing the Cluster - ID and its physical location for display in the SOAR interface. + | Cluster ID | String | Yes | The unique identifier of the CDM cluster for which + you want to retrieve location information. | - ### Additional Notes + ### Additional Notes: - - This action does not operate on entities; it requires a specific Cluster ID - as input. + - This action does not run on SOAR entities; it requires a specific Cluster ID + as a manual or playbook-provided input. - - The results are displayed in a data table for easy viewing within the SOAR interface, - limited to a maximum number of records defined by the integration's constants. + - The results include a data table limited to the first 20 records for display + purposes. capabilities: can_create_case_comments: false can_create_insight: false @@ -226,7 +276,7 @@ Get CDM Cluster Location: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: entity_types: [] filters_by_additional_properties: false @@ -242,68 +292,82 @@ Get CDM Cluster Location: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Sonar Sensitive Hits: ai_description: >- - ### General Description + Retrieves sensitive data hits detected by Rubrik Sonar for a specific object within + Rubrik Security Cloud. Rubrik Sonar is a data classification and sensitive data + discovery engine that identifies sensitive information (like PII or PCI) within + backups. This action allows analysts to identify which data classification policies + were triggered and the volume of sensitive hits found on a specific resource. - The **Get Sonar Sensitive Hits** action retrieves data classification and sensitive - discovery results for a specific object within Rubrik Security Cloud (RSC). It - identifies violations and hits detected by Rubrik Sonar (the sensitive data discovery - engine) based on a configurable lookback period. This action is primarily used - to identify if sensitive data (such as PII, PHI, or financial information) exists - on a specific workload, backup, or file share object. + ### Flow Description: - ### Parameters Description + 1. **Parameter Extraction:** The action retrieves the 'Object Name' and 'Lookback + Days' from the input parameters. - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **Object Name** | String | Yes | The exact name of the Rubrik object (e.g., - a Virtual Machine, physical host, or database) to check for sensitive hits. | + 2. **Validation:** It validates that the 'Object Name' is provided and that 'Lookback + Days' is a non-negative integer. - | **Lookback Days** | String | No | The number of days in the past to retrieve - scan results from. For example, a value of 7 will return results as of 7 days - ago. Defaults to 7 if not provided. | + 3. **Date Calculation:** It calculates a search date by subtracting the lookback + days from the current date. + 4. **Object Discovery:** It queries the Rubrik API to list all policy objects + for the calculated date and filters the results to find the specific object matching + the provided name. - ### Flow Description + 5. **Detail Retrieval:** Once the object is identified, it performs a second query + to fetch detailed sensitive hit information, including analyzer names and hit + counts. - 1. **Input Validation**: The action validates that the `Object Name` is a non-empty - string and that `Lookback Days` is a valid non-negative integer. + 6. **Output Generation:** The results are formatted into a JSON object and a data + table (limited to the top 20 records) for display in the SOAR interface. - 2. **Date Calculation**: It calculates a target search date by subtracting the - lookback days from the current system time. - 3. **Object Discovery**: The action queries the Rubrik Security Cloud API to list - all policy objects that were scanned on the calculated target date. + ### Parameters Description: - 4. **Object Matching**: It iterates through the list of policy objects to find - a match for the provided `Object Name`. If no match is found, or if the object - has no snapshots for that date, the action fails. + | Parameter Name | Type | Mandatory | Description | - 5. **Detail Retrieval**: Once the object is identified, it performs a secondary - GraphQL query to fetch detailed sensitive hit information, including analyzer - groups (e.g., 'US PII') and specific analyzer results (e.g., 'Social Security - Number'). + | :--- | :--- | :--- | :--- | - 6. **Data Formatting**: The retrieved data is parsed into a structured format, - including hit counts and analyzer names. + | Object Name | String | Yes | The exact name of the Rubrik object (e.g., a virtual + machine or file share) to check for sensitive hits. | - 7. **Output Generation**: The action returns the raw JSON response and creates - a data table named "Sonar Sensitive Hits" in the Google SecOps UI for analyst - review. + | Lookback Days | String | No | The number of days in the past to look for scan + results. Defaults to 7 days. | - ### Additional Notes + ### Additional Notes: - - This action does not operate on Google SecOps entities (like IP addresses or - Hostnames); it relies entirely on the `Object Name` parameter provided by the - user. + - This action does not run on SOAR entities; it requires the manual input of an + 'Object Name'. - - The action is read-only and does not modify any data within Rubrik Security - Cloud. + - The action uses GraphQL queries to interact with the Rubrik Security Cloud API. capabilities: can_create_case_comments: false can_create_insight: false @@ -331,14 +395,41 @@ Get Sonar Sensitive Hits: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false IOC Scan Results: ai_description: >- ### General Description - The **IOC Scan Results** action retrieves comprehensive details and metrics for - a specific threat hunt (either Turbo or Advanced) from Rubrik Security Cloud. - It is designed to provide visibility into the progress and findings of an Indicator - of Compromise (IOC) scan, including object metrics and scan status. + The **IOC Scan Results** action retrieves detailed information, metrics, and status + for a specific Turbo or Advanced Threat Hunt (IOC Scan) from Rubrik Security Cloud. + It is designed to provide analysts with visibility into the progress and findings + of a hunt, including scanned objects, affected snapshots, and specific IOC matches. + This action supports asynchronous execution, meaning it can poll the status of + a hunt until it reaches a terminal state (Succeeded or Failed). ### Parameters Description @@ -347,55 +438,52 @@ IOC Scan Results: | :--- | :--- | :--- | :--- | - | **Hunt ID** | String | Yes | The unique identifier of the threat hunt/IOC scan - to retrieve results for. | - + | Hunt ID | String | Yes | The unique identifier of the threat hunt/IOC scan. + This ID is typically generated when starting a Turbo or Advanced IOC scan. | - ### Additional Notes - - This action is **asynchronous**. If the threat hunt is still in a `PENDING` - or `IN_PROGRESS` state in Rubrik, the action will return an 'In Progress' status - to Google SecOps, allowing for subsequent polling. + ### Flow Description - - The action outputs both the raw JSON response and a formatted data table named - 'IOC Scan Results'. + 1. **Initialization**: The action initializes the Rubrik Security Cloud API client + using the provided service account credentials and validates the mandatory `Hunt + ID` parameter. + 2. **Data Retrieval**: It executes a GraphQL query to fetch both the threat hunt + details (status, start/end times, IOC configuration) and the object metrics (total + scanned, affected, and unaffected objects). - ### Flow Description + 3. **Result Processing**: The raw JSON response is attached to the action results + for full visibility. - 1. **Parameter Extraction**: The action extracts the mandatory `Hunt ID` from - the input parameters. + 4. **Data Visualization**: A data table titled "IOC Scan Results" is created, + summarizing key metrics such as Hunt Name, Type, Status, IOC Details, Object Metrics + (Scanned/Affected), and Scan Metrics (Matched Snapshots/Unique Matches). - 2. **API Initialization**: It initializes the Rubrik Security Cloud API manager - using the provided service account credentials and handles OAuth token management. + 5. **Async Handling**: The action checks the current status of the hunt. If the + status is `PENDING` or `IN_PROGRESS`, the action returns an `IN_PROGRESS` state + to the SOAR platform, allowing for subsequent polling. If the hunt is finished, + it returns a `COMPLETED` state. - 3. **Data Retrieval**: It executes a GraphQL query to fetch the scan's status, - object metrics (scanned, affected, unaffected, and unscannable objects), and scan - metrics (matched snapshots, unique file matches). - 4. **Data Processing**: The raw response is attached to the action results as - JSON. + ### Additional Notes - 5. **Internal Mutation**: A formatted data table is created containing key metrics - such as Hunt Name, Hunt Type, Status, IOC Details, Object Metrics, and Scan Metrics. + - This action does not initiate a new scan; it only retrieves results for an existing + `Hunt ID`. - 6. **Status Handling**: If the hunt is still running (status is `PENDING` or `IN_PROGRESS`), - the action sets its state to `IN_PROGRESS`. Otherwise, it marks the execution - as `COMPLETED`. + - If the `Hunt ID` is not found, the action will fail with an informative error + message. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: >- - The action creates a data table named 'IOC Scan Results' within the Google SecOps - case to display hunt metrics and status. + internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: entity_types: [] filters_by_additional_properties: false @@ -411,92 +499,107 @@ IOC Scan Results: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false List Events: ai_description: >- - ### General Description - - Retrieves a list of events and activities from Rubrik Security Cloud (RSC). This - action allows security analysts to search through system activities, backup events, - and security anomalies by applying various filters such as status, severity, object - types, and date ranges. It is primarily used for auditing, monitoring task progress, - and investigating historical activities within the Rubrik environment. + Retrieves a list of events and activities from Rubrik Security Cloud (RSC) based + on various filtering criteria. This action allows analysts to search through historical + and real-time system events, such as backup successes, failures, anomalies, and + storage activities. It supports pagination and sorting to manage large datasets. ### Parameters Description + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Sort By | DDL | No | Specifies the field to use for sorting the response (e.g., - Last Updated, Severity, Cluster Name). | + | Activity Status | String | No | Filter events by status (e.g., "Failure", "Success", + "Running"). Supports comma-separated values. | - | Sort Order | DDL | No | Specifies the order to sort the data (Asc or Desc). - | + | Activity Type | String | No | Filter events by type (e.g., "Backup", "Anomaly", + "Sync"). Supports comma-separated values. | - | Limit | String | No | The number of results to retrieve (1 to 1000). Defaults - to 50. | + | Severity | String | No | Filter events by severity level (e.g., "Critical", + "Warning", "Info"). Supports comma-separated values. | - | Next Page Token | String | No | The cursor token used to retrieve the next set - of results for paginated requests. | + | Object Name | String | No | Filter events associated with a specific object + name. | - | Activity Status | String | No | Comma-separated list of statuses to filter by - (e.g., "Failure", "Success", "Running"). | + | Object Type | String | No | Filter events by object type (e.g., "VmwareVm", + "WindowsFileset"). Supports comma-separated values. | - | Activity Type | String | No | Comma-separated list of activity types to filter - by (e.g., "Backup", "Anomaly", "Recovery"). | + | Cluster ID | String | No | Filter events by specific Rubrik Cluster IDs. Supports + comma-separated values. | - | Severity | String | No | Comma-separated list of severity levels to filter by - (e.g., "Critical", "Warning", "Info"). | + | Start Date | String | No | The start date for the event range. Supported formats: + `yyyy-mm-dd`, `yyyy-mm-ddTHH:MM:SSZ`. | - | Object Name | String | No | Filters events based on a specific object name. - | + | End Date | String | No | The end date for the event range. Supported formats: + `yyyy-mm-dd`, `yyyy-mm-ddTHH:MM:SSZ`. | - | Object Type | String | No | Comma-separated list of object types to filter by - (e.g., "VmwareVm", "WindowsFileset"). | + | Sort By | DDL | No | Field to sort results by (e.g., Last Updated, Severity, + Start Time). Default is Last Updated. | - | Cluster ID | String | No | Comma-separated list of Rubrik cluster IDs to filter - events. | + | Sort Order | DDL | No | The order of sorting: "Asc" or "Desc". Default is Desc. + | - | Start Date | String | No | The start date for the event search range. Supports - YYYY-MM-DD or ISO 8601 formats. | + | Limit | String | No | Maximum number of results to retrieve (Max: 1000). Default + is 50. | - | End Date | String | No | The end date for the event search range. Supports YYYY-MM-DD - or ISO 8601 formats. | + | Next Page Token | String | No | Cursor token used to retrieve the next page + of results. | ### Additional Notes - - **Date Formats**: Supported formats include `yyyy-mm-dd`, `yyyy-mm-ddTHH:MM:SSZ`, - and `yyyy-mm-ddTHH:MM:SS.fffZ`. + - If both **Start Date** and **End Date** are provided, the Start Date must be + chronologically before the End Date. - - **Pagination**: If more results are available than the specified limit, the - action provides a 'Next Page Token' in the output message which can be used in - subsequent runs. - - - **Table Limits**: While the action can fetch up to 1000 records, the UI data - table is limited to displaying the first 20 records for performance. + - The action returns a maximum of 20 records in the visible data table for performance, + while the full result set is available in the JSON output. ### Flow Description - 1. **Parameter Initialization**: The action extracts all user-provided filters, - sorting preferences, and pagination tokens. - - 2. **Validation**: It validates that the 'Limit' is a valid positive integer and - ensures that the 'Start Date' occurs before the 'End Date'. - - 3. **Authentication**: Connects to Rubrik Security Cloud using the provided Service - Account JSON and manages OAuth token lifecycle. + 1. **Parameter Extraction:** The action extracts all filtering, sorting, and pagination + parameters provided by the user. - 4. **API Request**: Executes a GraphQL query (`activitySeriesConnection`) against - the Rubrik API with the specified filters. + 2. **Validation:** It validates the integer format for the 'Limit' and ensures + that 'Start Date' and 'End Date' follow the required ISO or date formats. - 5. **Data Processing**: Parses the GraphQL response into a structured data model, - extracting event IDs, object details, and status information. + 3. **API Interaction:** It initializes the Rubrik API Manager and executes a GraphQL + query (`activitySeriesConnection`) against the Rubrik Security Cloud endpoint + with the specified filters. - 6. **Output**: Generates a JSON result containing the full response and populates - a data table named "Events" in the Google SecOps interface. + 4. **Data Processing:** The retrieved events are parsed into a data model. The + full response is attached as a JSON result, and a summary table containing key + event details (Event ID, Object Name, Severity, Start Time) is added to the case. capabilities: can_create_case_comments: false can_create_insight: false @@ -524,42 +627,100 @@ List Events: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false List Object Snapshots: - ai_description: "### General Description\nThe **List Object Snapshots** action retrieves\ - \ metadata for snapshots associated with a specific object ID from Rubrik Security\ - \ Cloud (RSC). This action is designed to provide visibility into the backup history\ - \ of a specific workload, allowing analysts to identify available recovery points\ - \ or audit snapshot frequency.\n\n### Parameters Description\n| Parameter | Type\ - \ | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| **Object ID**\ - \ | String | Yes | The unique identifier of the Rubrik object (e.g., a VM, database,\ - \ or file share) for which snapshots are being retrieved. |\n| **Limit** | String\ - \ | No | The maximum number of snapshot records to return in the response. Default\ - \ is 50; the maximum allowed is 1000. |\n| **Next Page Token** | String | No |\ - \ A cursor used for pagination to retrieve the next set of results if the total\ - \ number of snapshots exceeds the limit. |\n| **Sort Order** | DDL | No | Specifies\ - \ the chronological order of the results. Options are **Asc** (Ascending) or **Desc**\ - \ (Descending). Default is Asc. |\n| **Start Date** | String | No | Filters snapshots\ - \ to include only those created on or after this date. Supports `yyyy-mm-dd` or\ - \ `yyyy-mm-ddTHH:MM:SSZ` formats. |\n| **End Date** | String | No | Filters snapshots\ - \ to include only those created on or before this date. Supports `yyyy-mm-dd`\ - \ or `yyyy-mm-ddTHH:MM:SSZ` formats. |\n| **Snapshot Type** | String | No | A\ - \ comma-separated list of snapshot types to filter the results (e.g., `OnDemand`,\ - \ `Scheduled`). |\n\n### Flow Description\n1. **Input Validation**: The action\ - \ validates the mandatory `Object ID`. It also checks that `Start Date` and `End\ - \ Date` follow supported ISO formats and that the start date does not occur after\ - \ the end date.\n2. **Authentication**: It initializes the Rubrik API manager\ - \ using the provided Service Account JSON, handling OAuth token lifecycle management.\n\ - 3. **Data Retrieval**: The action executes a GraphQL query (`OBJECT_SNAPSHOTS_QUERY`)\ - \ against Rubrik Security Cloud, applying the provided filters for time range,\ - \ snapshot types, and pagination.\n4. **Result Processing**: \n * The raw\ - \ API response is attached to the action results as a JSON object.\n * A\ - \ data table named \"Object Snapshots\" is generated, displaying key attributes:\ - \ Snapshot ID, Creation Date, Cluster Name, and SLA Domain Name.\n5. **Completion**:\ - \ The action returns a success message indicating the number of snapshots found.\ - \ If more results are available, it provides the `Next Page Token` in the output\ - \ message.\n\n### Additional Notes\n* This action does not automatically iterate\ - \ over Google SecOps entities; it requires a manual or mapped input for the **Object\ - \ ID** parameter." + ai_description: >- + Retrieves a list of snapshots for a specific object from Rubrik Security Cloud + (RSC). This action allows analysts to identify available backup points for a given + resource, which is essential for data recovery, forensic investigations, or point-in-time + analysis. It supports advanced filtering by date ranges and snapshot types, as + well as pagination for large result sets. + + + ### Parameters Description + + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | **Object ID** | String | Yes | The unique identifier (FID) of the Rubrik object + to retrieve snapshots for. | + + | **Start Date** | String | No | The beginning of the time range to filter snapshots. + Supported formats: `yyyy-mm-dd`, `yyyy-mm-ddTHH:MM:SSZ`. | + + | **End Date** | String | No | The end of the time range to filter snapshots. + Supported formats: `yyyy-mm-dd`, `yyyy-mm-ddTHH:MM:SSZ`. | + + | **Snapshot Type** | String | No | A comma-separated list of snapshot types (e.g., + `OnDemand`, `Scheduled`) to filter the results. | + + | **Limit** | String | No | The maximum number of snapshots to retrieve in a single + request. Default is 50; maximum is 1000. | + + | **Next Page Token** | String | No | A cursor used to retrieve the next page + of results if more snapshots are available. | + + | **Sort Order** | DDL | No | Specifies whether to sort the snapshots in ascending + (`Asc`) or descending (`Desc`) order based on creation time. Default is `Asc`. + | + + + ### Additional Notes + + - If both **Start Date** and **End Date** are provided, the **Start Date** must + be chronologically before the **End Date**. + + - The action outputs a data table named "Object Snapshots" containing the Snapshot + ID, Creation Date, Cluster Name, and SLA Domain Name for each result. + + + ### Flow Description + + 1. **Parameter Extraction:** The action extracts the mandatory `Object ID` and + optional filters/pagination parameters from the input. + + 2. **Validation:** It validates that the `Object ID` is provided, the `Limit` + is a valid integer within bounds, and that any provided dates follow the supported + ISO formats. + + 3. **API Initialization:** It initializes the Rubrik API Manager using the provided + Service Account credentials and handles OAuth token management. + + 4. **Data Retrieval:** It executes a GraphQL query (`OBJECT_SNAPSHOTS_QUERY`) + against the Rubrik Security Cloud endpoint to fetch the snapshot metadata. + + 5. **Result Processing:** The raw JSON response is attached to the action results. + The snapshot data is then parsed into a structured format. + + 6. **Output Generation:** A data table is created for the SOAR interface, and + a summary message is generated indicating the number of snapshots found and providing + a pagination token if more results exist. capabilities: can_create_case_comments: false can_create_insight: false @@ -587,16 +748,40 @@ List Object Snapshots: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false List Sonar File Contexts: ai_description: >- ### General Description - Retrieves the Sonar file contexts for a specific object snapshot from Rubrik Security - Cloud (RSC). This action allows security analysts to identify files, folders, - or file shares that contain sensitive data findings detected by Rubrik Sonar. - It provides detailed information such as file names, sizes, total sensitive hits, - daily hit changes, and access/modification times. The action supports extensive - filtering by file name, path, and user ID, as well as pagination and sorting. + Retrieves file contexts and sensitive data findings detected by Rubrik Sonar for + a specific object snapshot. This action allows analysts to inspect files, folders, + or file shares for sensitive information hits, providing visibility into data + risks within backups. It supports extensive filtering by file name, path, and + user ID, as well as pagination and sorting. ### Parameters Description @@ -605,75 +790,70 @@ List Sonar File Contexts: | :--- | :--- | :--- | :--- | - | **Object ID** | string | Yes | The unique identifier of the Rubrik object (Snappable - ID) to query. | + | **Object ID** | string | Yes | The unique identifier (Snappable ID) of the object + in Rubrik. | | **Snapshot ID** | string | Yes | The unique identifier of the specific snapshot - for the object. | + to analyze. | - | **File Name** | string | No | Filter results to include only files with a specific - name. | + | **File Name** | string | No | Filter results by a specific file name or search + text. | - | **File Path** | string | No | Filter results by a specific standard file path. - | + | **File Path** | string | No | Filter results by a standard file path. | - | **User ID** | string | No | Filter results by a specific user ID associated - with the file context. | + | **User ID** | string | No | Filter results by a specific User ID (SID). | | **Include Whitelisted Results** | ddl | No | Boolean (True/False) indicating - whether to include results that have been whitelisted in Rubrik. | + whether to include results that have been whitelisted. | - | **Limit** | string | No | The maximum number of file contexts to retrieve in - a single request (default is 50). | + | **Limit** | string | No | Maximum number of results to retrieve (Default: 50, + Max: 1000). | | **Next Page Token** | string | No | The cursor token used to retrieve the next - set of paginated results. | + page of results. | - | **Sort By** | ddl | No | The field used to sort the results (e.g., HITS, NAME, - LAST_MODIFIED). | + | **Sort By** | ddl | No | Field to sort the response by (e.g., HITS, NAME, LAST_MODIFIED). + | - | **Sort Order** | ddl | No | The order of sorting, either 'Asc' (Ascending) or - 'Desc' (Descending). | + | **Sort Order** | ddl | No | The order to sort the data (Asc or Desc). Default + is Desc. | ### Additional Notes - - This action does not run on entities; it requires specific IDs provided as parameters. + - The action returns a detailed data table named "Sonar File Contexts" containing + file metadata, size, sensitive hit counts, and access times. - - The results are displayed in a data table named 'Sonar File Contexts' and also - provided as a raw JSON result. + - Results are limited to the first 20 records in the UI data table for performance, + while the full result is available in the JSON output. ### Flow Description - 1. **Parameter Validation**: The action validates that the mandatory 'Object ID' - and 'Snapshot ID' are provided and that the 'Limit' is a valid integer. + 1. **Parameter Validation**: The action extracts and validates the mandatory `Object + ID` and `Snapshot ID`, and ensures the `Limit` is a valid integer. - 2. **Authentication**: Initializes the Rubrik API Manager using the provided Service - Account JSON and authenticates with Rubrik Security Cloud. + 2. **Authentication**: Initializes the Rubrik API client using OAuth credentials + stored in the integration configuration. - 3. **Data Retrieval**: Executes a GraphQL query (`SONAR_FILE_CONTEXTS_QUERY`) - against the Rubrik API to fetch file context data based on the provided IDs and - filters. + 3. **API Request**: Executes a GraphQL query (`SONAR_FILE_CONTEXTS_QUERY`) against + Rubrik Security Cloud, applying the provided filters and sorting parameters. - 4. **Data Processing**: Parses the GraphQL response into a structured data model, - extracting file metadata and sensitive hit counts. + 4. **Data Processing**: Parses the GraphQL response using the `SonarFileContextsDatamodel` + to extract file-level details and sensitive hit metrics. - 5. **Output Generation**: Creates a data table 'Sonar File Contexts' containing - the processed file details and attaches the full raw JSON response to the action - results. + 5. **Output Generation**: Adds the raw JSON response to the action results and + constructs a CSV-formatted data table for display in the Google SecOps case wall. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: >- - Adds a data table 'Sonar File Contexts' and a result JSON containing the file - context details to the Google SecOps action results. + internal_data_mutation_explanation: null categories: enrichment: false entity_usage: @@ -691,47 +871,53 @@ List Sonar File Contexts: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: - ai_description: >- - ### General Description - - The **Ping** action is a utility designed to verify the connectivity and authentication - between the Google SecOps SOAR platform and the **Rubrik Security Cloud** instance. - It ensures that the provided Service Account credentials are valid and that the - network path to the Rubrik GraphQL API is open and functional. - - - ### Parameters Description - - | Parameter Name | Description | Type | Mandatory | Default Value | - - | :--- | :--- | :--- | :--- | :--- | - - | N/A | This action does not require any input parameters. | N/A | N/A | N/A | - - - ### Additional Notes - - This action relies entirely on the global integration configuration (Service Account - JSON and Verify SSL) to establish a connection. It does not interact with specific - case entities. - - - ### Flow Description - - 1. **Initialization**: The action initializes the Siemplify environment and retrieves - the integration's global configuration parameters. - - 2. **API Manager Setup**: It instantiates the `APIManager`, which handles OAuth2 - token management, including retrieving tokens from encrypted storage or generating - new ones via the Rubrik OAuth adapter if the current token is expired or missing. - - 3. **Connectivity Test**: It executes a lightweight GraphQL query (`deploymentVersion`) - against the Rubrik API to confirm reachability and authorization. - - 4. **Result Reporting**: The action concludes by returning a boolean status (`connectivity_result`) - and a descriptive message indicating whether the connection was successful or - failed. + ai_description: "### General Description\nThe **Ping** action is a diagnostic tool\ + \ designed to verify the connectivity between the Google SecOps SOAR server and\ + \ the Rubrik Security Cloud instance. It ensures that the provided credentials\ + \ (Service Account JSON) are valid and that the network path to the Rubrik GraphQL\ + \ API is open. This action is typically used during the initial setup of the integration\ + \ or for troubleshooting communication issues.\n\n### Parameters Description\n\ + There are no parameters for this action.\n\n### Additional Notes\nThis action\ + \ relies on the integration-level configuration parameters: `Service Account JSON`\ + \ and `Verify SSL`. If the Service Account JSON is missing the `client_id` or\ + \ `access_token_uri`, the action will fail during initialization.\n\n### Flow\ + \ Description\n1. **Initialization**: The action initializes the Siemplify SDK\ + \ and retrieves the global integration configuration parameters.\n2. **API Manager\ + \ Setup**: It instantiates the `APIManager`, which automatically handles OAuth\ + \ token management, including fetching cached tokens from encrypted storage or\ + \ generating a new token if necessary.\n3. **Connectivity Test**: The action calls\ + \ the `test_connectivity` method, which executes a simple GraphQL query (`deploymentVersion`)\ + \ against the Rubrik Security Cloud API.\n4. **Result Handling**: \n * If the\ + \ query succeeds, the action returns a success message and sets the connectivity\ + \ result to `True`.\n * If an exception occurs (e.g., authentication failure,\ + \ network timeout, or server error), the action catches the error, logs the details,\ + \ and returns a failure message with the connectivity result set to `False`." capabilities: can_create_case_comments: false can_create_insight: false @@ -740,7 +926,7 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: false + fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false @@ -759,72 +945,93 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Turbo IOC Scan: ai_description: >- - ### General Description - - This action initiates a **Turbo IOC (Indicator of Compromise) Scan** within Rubrik - Security Cloud. Turbo scans are high-performance threat hunts optimized for speed, - allowing security teams to search for specific file hashes (MD5, SHA1, SHA256) - across multiple clusters and snapshots. The action returns a unique Hunt ID which - can be used to track the progress and results of the scan. + Initiates a Turbo IOC (Indicator of Compromise) scan across Rubrik infrastructure. + This action is optimized for speed and allows for scanning multiple indicators + across clusters with configurable time ranges and snapshot limits. It triggers + a state-changing operation in Rubrik Security Cloud by starting a new threat hunt + process. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + |-----------|------|-----------|-------------| - | **IOC** | String | Yes | A comma-separated list of indicator values (hashes) + | IOC | String | Yes | Comma-separated list of indicator values (e.g., file hashes) to scan for. | - | **Scan Name** | String | No | A custom name for the threat hunt. If not provided, - the system auto-generates a name using the format `Google-SecOps-YYYY-MM-DD-HH:MM:SS`. + | Scan Name | String | No | Custom name for the new turbo threat hunt scan. If + not provided, a name is automatically generated using the current date and time. | - | **Cluster ID** | String | No | A comma-separated list of specific Rubrik cluster - IDs to target. If left empty, the scan will run across all available clusters. - | + | Cluster ID | String | No | Comma-separated list of cluster IDs on which to perform + the scan. If empty, the scan may apply to all available clusters. | - | **Start Time** | String | No | Filters the snapshots to be scanned starting - from this date. Supported formats: `yyyy-mm-dd`, `yyyy-mm-ddTHH:MM:SSZ`. | + | Start Time | String | No | Filter snapshots from this date. Supported formats: + yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ. | - | **End Time** | String | No | Filters the snapshots to be scanned until this - date. Supported formats: `yyyy-mm-dd`, `yyyy-mm-ddTHH:MM:SSZ`. | + | End Time | String | No | Filter snapshots until this date. Supported formats: + yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ. | - | **Max Snapshots Per Object** | String | No | The maximum number of snapshots - to scan for each object (e.g., VM or File System). | + | Max Snapshots Per Object | String | No | Maximum number of snapshots to scan + per object. Must be a positive integer. | ### Additional Notes - - The `Start Time` must be chronologically before the `End Time` if both are provided. - - - The action uses GraphQL mutations to interact with the Rubrik Security Cloud - API. + - The action validates that the 'Start Time' is chronologically before the 'End + Time'. - - Results include a data table containing the generated `Turbo Threat Hunt ID`. + - The 'IOC' parameter specifically supports hash values (MD5, SHA1, SHA256) which + are mapped to 'IOC_HASH' in the Rubrik GraphQL API. ### Flow Description - 1. **Parameter Extraction:** The action retrieves and trims all input parameters, - including the mandatory IOC list. + 1. **Parameter Extraction**: Retrieves and trims all input parameters from the + SOAR environment. - 2. **Validation:** It validates date formats for `Start Time` and `End Time`, - ensures `Max Snapshots Per Object` is a valid integer, and generates a default - scan name if none was provided. + 2. **Validation**: Validates date formats, ensures 'Start Time' is before 'End + Time', and confirms 'Max Snapshots Per Object' is a valid positive integer. - 3. **Authentication:** Initializes the Rubrik API Manager, which handles OAuth - token generation and encrypted storage. + 3. **Scan Preparation**: Generates a default scan name if none was provided and + converts comma-separated strings (IOCs and Cluster IDs) into lists. - 4. **Scan Initiation:** Executes a GraphQL mutation (`startTurboThreatHunt`) to - the Rubrik Security Cloud endpoint with the specified IOCs and filters. + 4. **API Interaction**: Authenticates with Rubrik Security Cloud and executes + a GraphQL mutation (`startTurboThreatHunt`) to initiate the scan. - 5. **Result Processing:** Captures the `huntId` from the API response, adds the - raw JSON response to the action results, and creates a data table for the SOAR - interface displaying the Hunt ID. + 5. **Result Processing**: Captures the resulting 'Hunt ID' from the API response. + + 6. **Output**: Adds the raw JSON response to the action results and creates a + data table displaying the 'Turbo Threat Hunt ID'. capabilities: can_create_case_comments: false can_create_insight: false @@ -833,9 +1040,9 @@ Turbo IOC Scan: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Initiates a new Turbo Threat Hunt scan job in Rubrik Security Cloud, creating - a new resource/activity in the external system. - fetches_data: false + Initiates a new Turbo Threat Hunt scan process within the Rubrik Security Cloud + environment, which creates a new task/record in the external system. + fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false @@ -854,3 +1061,28 @@ Turbo IOC Scan: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/partner/rubrik_security_cloud/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/rubrik_security_cloud/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..7bf893de0 --- /dev/null +++ b/content/response_integrations/third_party/partner/rubrik_security_cloud/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: true + cloud_security: true + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + siem: true + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/silentpush/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/silentpush/resources/ai/actions_ai_description.yaml index 0cafc91e0..f1fbb6bf1 100644 --- a/content/response_integrations/third_party/partner/silentpush/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/silentpush/resources/ai/actions_ai_description.yaml @@ -2,58 +2,62 @@ Add Feed: ai_description: >- ### General Description - Adds a new feed to the Silent Push platform. This action allows users to programmatically - create and configure threat intelligence feeds by providing metadata such as name, - type, category, and vendor. It is typically used for administrative organization - or for setting up containers for indicators within the Silent Push ecosystem. + The **Add Feed** action allows users to create and register a new threat intelligence + feed within the Silent Push platform. This action is primarily used for administrative + and management purposes, enabling the organization of indicators into structured + feeds with specific metadata such as categories, vendors, and tags. - ### Parameters + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Name | string | Yes | The unique name for the new feed. | + | **Name** | string | Yes | The unique name assigned to the new feed. | - | Type | string | Yes | The classification or type of the feed. | + | **Type** | string | Yes | The classification or type of the feed (e.g., 'domain', + 'ip'). | - | Category | string | No | The category the feed belongs to. | + | **Category** | string | No | The functional category the feed belongs to. | - | Vendor | string | No | The vendor associated with the feed data. | + | **Vendor** | string | No | The provider or vendor associated with the feed data. + | - | Feed Description | string | No | A description for the feed. Note: The metadata - suggests this field may be used for a screenshot URL. | + | **Feed Description** | string | No | A descriptive summary of the feed's purpose. + Note: The configuration metadata suggests this may be used for a screenshot URL + in some contexts. | - | Tags | string | No | A comma-separated list of tags to be attached to the feed - for organization. | + | **Tags** | string | No | A comma-separated list of tags to be associated with + the feed for easier filtering and management. | - ### Flow Description + ### Additional Notes - 1. **Configuration Extraction:** The action retrieves the Silent Push server URL - and API key from the integration's global configuration. + - This action does not operate on specific entities (like IPs or Domains) from + the SecOps case; instead, it uses the provided parameters to create a global resource + in Silent Push. - 2. **Parameter Retrieval:** It extracts the feed details (Name, Type, Category, - Vendor, Description, and Tags) from the action's input parameters. + - The `Tags` parameter should be provided as a comma-separated string (e.g., `malware,phishing,critical`). - 3. **API Interaction:** The action uses the `SilentPushManager` to send a POST - request to the `/api/v1/feeds/` endpoint on the Silent Push server with the provided - metadata. - 4. **Tag Processing:** If tags are provided, they are split into a list before - being sent in the API payload. + ### Flow Description - 5. **Execution Finalization:** The action evaluates the API response. If the feed - is successfully created, it returns a success message; otherwise, it logs an error - and terminates with a failure status. + 1. **Configuration Extraction**: The action retrieves the Silent Push Server URL + and API Key from the integration settings. + 2. **Parameter Retrieval**: It extracts the feed details (Name, Type, Category, + Vendor, Description, and Tags) provided by the user. - ### Additional Notes + 3. **API Interaction**: The action initializes the `SilentPushManager` and sends + a POST request to the `/api/v1/feeds/` endpoint with the constructed payload. - - This action does not utilize or depend on entities within the Google SecOps - case scope, although it may log entity identifiers if they are present in the - context. + 4. **Tag Processing**: If tags are provided, they are split into a list before + being sent in the request body. + + 5. **Result Handling**: The action captures the API response. If successful, it + returns the feed details; otherwise, it logs an error and marks the action as + failed. capabilities: can_create_case_comments: false can_create_insight: false @@ -62,9 +66,9 @@ Add Feed: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new feed resource on the Silent Push platform via a POST request to - the feeds API endpoint. - fetches_data: false + Creates a new feed resource in the Silent Push platform via a POST request to + the /api/v1/feeds/ endpoint. + fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false @@ -83,14 +87,39 @@ Add Feed: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Add Feed Tags: ai_description: >- ### General Description The **Add Feed Tags** action allows users to append specific tags to an existing - feed within the Silent Push platform. This is primarily used for organizing and - categorizing threat intelligence feeds based on custom metadata or operational - requirements. + threat intelligence feed within the Silent Push platform. This action is used + to organize and categorize feeds by adding metadata that can be used for filtering + or identification within the Silent Push console. ### Parameters Description @@ -99,38 +128,41 @@ Add Feed Tags: | :--- | :--- | :--- | :--- | - | **Feed UUID** | String | Yes | The unique identifier (UUID) of the feed in Silent - Push that you want to update. | - - | **Tags** | String | No | A comma-separated list of tags to be added to the specified - feed. | + | **Feed UUID** | String | No | The unique identifier (UUID) of the feed to which + the tags will be added. While marked as non-mandatory in the configuration, it + is required for the API call to succeed. | + | **Tags** | String | No | A comma-separated list of tags (e.g., "malware, suspicious, + research") to be associated with the feed. | - ### Additional Notes - - Although the YAML configuration lists the parameters as non-mandatory, the action - logic requires a valid `Feed UUID` to construct the API endpoint. + ### Flow Description - - The Python script attempts to extract an `ASN` parameter which is not present - in the YAML configuration; this parameter is currently only used in error logging. + 1. **Parameter Extraction**: The action retrieves the `Feed UUID` and the `Tags` + string from the action parameters. - - The YAML description incorrectly mentions adding "indicators," whereas the action - specifically manages "tags." + 2. **Manager Initialization**: It initializes the `SilentPushManager` using the + integration's server URL and API Key. + 3. **API Request**: The action calls the `add_feed_tags` method, which splits + the comma-separated tags into a list and sends a **POST** request to the Silent + Push endpoint: `/api/v1/feeds/{feed_uuid}/tags/`. - ### Flow Description + 4. **Execution Finalization**: The action processes the API response. If successful, + it returns a confirmation message. If the API returns an error or no data is found + for the UUID, the action fails and logs the error. - 1. **Initialization**: The action retrieves the Silent Push Server URL and API - Key from the integration configuration. - 2. **Parameter Extraction**: It extracts the `Feed UUID` and the string of `Tags` - provided by the user. + ### Additional Notes - 3. **API Interaction**: The `SilentPushManager` formats the tags into a list and - performs a **POST** request to the `/api/v1/feeds/{feed_uuid}/tags/` endpoint. + - **Entity Usage**: Although the script contains a loop that iterates through + target entities, it does not use entity data for any logic or API calls. This + action is considered a data-management task rather than an entity-enrichment task. - 4. **Result Handling**: The action checks the API response. If successful, it - returns the result; otherwise, it logs an error and marks the action as failed. + - **Parameter Discrepancy**: The script attempts to extract an "ASN" parameter + which is not defined in the action's configuration (YAML), likely a remnant of + code reuse. This parameter does not affect the primary flow of adding tags to + a feed. capabilities: can_create_case_comments: false can_create_insight: false @@ -139,48 +171,15 @@ Add Feed Tags: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Adds tags to a specific feed in the Silent Push platform via a POST request. + The action performs a POST request to the Silent Push API to add new tags to + a specific feed, thereby changing the state of the feed object in the external + system. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -194,60 +193,87 @@ Add Feed Tags: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Add Indicators: ai_description: >- ### General Description The **Add Indicators** action allows users to programmatically add a list of indicators (such as domains or IP addresses) to a specific feed within the Silent Push platform. - This action is primarily used for updating threat intelligence feeds with new - indicators identified during an investigation. + This is primarily used for managing threat intelligence feeds and ensuring that + new indicators of interest are tracked or shared across the Silent Push ecosystem. - ### Parameters + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Feed UUID | String | Yes | The unique identifier (UUID) of the target feed in - Silent Push where indicators will be added. | + | **Feed UUID** | String | No | The unique identifier (UUID) of the target feed + in Silent Push. If not provided, a default UUID is used. | - | Indicators | String | Yes | A comma-separated list of indicators (e.g., 'example.com, - 1.2.3.4') to be added to the feed. | + | **Indicators** | String | No | A comma-separated string of indicators (e.g., + `example.com, 1.2.3.4`) to be added to the feed. If not provided, a default value + is used. | - ### Additional Notes + ### Flow Description - - Although the configuration metadata marks parameters as not mandatory, the action - logic requires a valid `Feed UUID` to construct the API endpoint and `Indicators` - to provide data to the external system. + 1. **Configuration Extraction:** The action retrieves the Silent Push Server URL + and API Key from the integration settings. - - The action code extracts an `ASN` parameter which is not defined in the provided - YAML configuration; this parameter appears to be used primarily for error reporting - in the current implementation. + 2. **Parameter Extraction:** It extracts the `Feed UUID` and the string of `Indicators` + from the action parameters. - - The action iterates through all entities in the current scope and logs their - identifiers, but it does not perform any enrichment or modifications on the entities - themselves. + 3. **Manager Initialization:** A `SilentPushManager` instance is created to handle + the API communication. + 4. **Data Processing:** The manager splits the comma-separated `Indicators` string + into a list format required by the API. - ### Flow Description + 5. **External API Call:** The action sends a `POST` request to the Silent Push + endpoint: `/api/v1/feeds/{feed_uuid}/indicators/` with the indicator list in the + request body. - 1. **Configuration Extraction:** Retrieves the Silent Push server URL and API - key from the integration settings. + 6. **Result Handling:** The action checks the API response. If successful, it + returns a completion status; otherwise, it logs an error and fails. - 2. **Parameter Retrieval:** Extracts the target Feed UUID and the list of indicators - from the action input parameters. - 3. **API Interaction:** Initializes the Silent Push Manager and sends a POST request - to the indicators endpoint for the specified feed. + ### Additional Notes - 4. **Entity Logging:** Iterates through the `target_entities` in the Google SecOps - case and logs their identifiers to the script output for visibility. + * **Entity Interaction:** Although the script iterates over target entities in + the environment, it does not use them to perform the action. The indicators added + are strictly defined by the `Indicators` input parameter. - 5. **Completion:** Returns a success message if the indicators were added successfully - or terminates with a failure status if the API returns an error or no data. + * **Code Discrepancy:** The script contains a reference to an `ASN` parameter + and an error message mentioning "retrieving data for ASN," which appears to be + a remnant from a different action. The core logic correctly performs a mutation + (adding indicators) rather than a retrieval. capabilities: can_create_case_comments: false can_create_insight: false @@ -256,49 +282,14 @@ Add Indicators: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Adds new indicators to a specified feed within the Silent Push platform via - a POST request to the indicators endpoint. + Adds new indicators to a specified feed in the Silent Push platform via a POST + request to the /api/v1/feeds/{feed_uuid}/indicators/ endpoint. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -312,35 +303,71 @@ Add Indicators: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Add Indicators Tags: - ai_description: "### General Description\nThe **Add Indicators Tags** action is\ - \ designed to update or add tags to a specific indicator (such as a domain or\ - \ IP address) within a designated feed on the Silent Push platform. This action\ - \ allows security analysts to categorize and organize threat intelligence indicators\ - \ directly from Google SecOps, facilitating better tracking and management of\ - \ malicious or suspicious assets.\n\n### Parameters Description\n| Parameter |\ - \ Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| **Feed UUID**\ - \ | String | Yes | The unique identifier (UUID) of the feed where the indicator\ - \ is located. |\n| **Indicator Name** | String | Yes | The specific indicator\ - \ value (e.g., a domain name like `example.com`) that you wish to tag. |\n| **Tags**\ - \ | String | Yes | A string containing the tags to be applied to the indicator.\ - \ |\n\n### Flow Description\n1. **Configuration Extraction**: The action retrieves\ - \ the Silent Push server URL and API key from the integration's global configuration.\n\ - 2. **Parameter Retrieval**: It extracts the `Feed UUID`, `Indicator Name`, and\ - \ `Tags` from the action's input parameters.\n3. **API Request**: The action initializes\ - \ the `SilentPushManager` and executes a `PUT` request to the Silent Push API\ - \ endpoint: `/api/v1/feeds/{feed_uuid}/indicators/{indicator_name}/update-tags/`.\n\ - 4. **Execution Status**: \n - If the API call returns a successful response,\ - \ the action completes with a success message containing the Feed UUID and the\ - \ result.\n - If the API call fails or the manager returns no data, the action\ - \ logs an error and terminates with a failure status.\n5. **Entity Iteration**:\ - \ The script iterates through the target entities in the scope and prints their\ - \ identifiers to the log, though these entities do not drive the primary tagging\ - \ logic.\n\n### Additional Notes\n- **Unused Parameter**: The script code attempts\ - \ to extract an `ASN` parameter from the action inputs, but this parameter is\ - \ not defined in the YAML configuration and is not utilized by the underlying\ - \ manager method for this specific action.\n- **External Mutation**: This action\ - \ performs a state-changing operation (PUT) on the Silent Push platform." + ai_description: >- + ### General Description + + The **Add Indicators Tags** action allows users to update or add tags to a specific + indicator (such as a domain or IP address) within an existing Silent Push feed. + This is useful for organizing threat intelligence data and labeling indicators + based on specific campaigns, threat actors, or internal tracking requirements. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Feed UUID | string | Yes | The unique identifier (UUID) of the Silent Push feed + where the indicator is located. | + + | Indicator Name | string | Yes | The specific name of the indicator (e.g., 'example.com') + to be tagged. | + + | Tags | string | Yes | A string containing the tags to be associated with the + indicator. | + + + ### Flow Description + + 1. **Configuration Extraction:** Retrieves the Silent Push server URL and API + Key from the integration settings. + + 2. **Parameter Retrieval:** Extracts the Feed UUID, Indicator Name, and Tags provided + by the user. + + 3. **API Interaction:** Initializes the `SilentPushManager` and executes a `PUT` + request to the Silent Push API endpoint: `/api/v1/feeds/{feed_uuid}/indicators/{indicator_name}/update-tags/`. + + 4. **Result Handling:** If the API call is successful, the action completes with + a success message. If the indicator or feed is not found, or if the API returns + an error, the action fails and logs the error details. capabilities: can_create_case_comments: false can_create_insight: false @@ -349,8 +376,8 @@ Add Indicators Tags: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the tags associated with a specific indicator within a Silent Push feed - using a PUT request. + Updates the tags associated with a specific indicator in a Silent Push feed + using a PUT request to the external API. fetches_data: false internal_data_mutation_explanation: null categories: @@ -370,59 +397,77 @@ Add Indicators Tags: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Density Lookup: ai_description: >- - ### General Description + Queries granular DNS and IP parameters from Silent Push to retrieve density information. + This action allows analysts to look up specific infrastructure components such + as Name Servers (NS), Mail Servers (MX), IP addresses, and ASNs to understand + their prevalence and associations within the Silent Push dataset. - The **Density Lookup** action queries the Silent Push platform to retrieve granular - density information for various DNS and IP parameters. This capability allows - security analysts to understand the prevalence and distribution of specific infrastructure - components, such as Name Servers (NS), Mail Servers (MX), IP addresses, and ASNs. - By analyzing the "density" of these records, analysts can identify patterns associated - with malicious infrastructure, shared hosting environments, or large-scale campaigns. + ### Flow Description: - ### Parameters Description + 1. **Parameter Extraction:** The action retrieves the query type (`Qtype`), the + query value (`Query`), and the optional `Scope` from the input parameters. - | Parameter | Type | Mandatory | Description | + 2. **API Interaction:** It initializes the Silent Push manager and performs a + GET request to the density lookup endpoint using the provided parameters. - | :--- | :--- | :--- | :--- | - - | **Qtype** | String | Yes | Specifies the type of density lookup to perform. - Supported types include `nssrv` (Name Server), `mxsrv` (Mail Server), `nshash`, - `mxhash`, `ipv4`, `ipv6`, `asn`, and `chv`. | + 3. **Data Validation:** The action checks the response for density records. If + no records are found, the action fails with an informative message. - | **Query** | String | Yes | The specific value to be queried (e.g., a nameserver - domain like `ns1.example.com` or an IP address). | + 4. **Result Processing:** If records are found, they are returned as a JSON result + for use in subsequent playbook steps. - | **Scope** | String | No | Defines the match level or scope for the lookup to - filter results. | + ### Parameters Description: - ### Flow Description + | Parameter | Type | Mandatory | Description | - 1. **Configuration Extraction:** The action retrieves the Silent Push Server URL - and API Key from the integration settings. + | :--- | :--- | :--- | :--- | - 2. **Parameter Parsing:** It extracts the `Qtype`, `Query`, and `Scope` provided - by the user. + | Qtype | String | Yes | The type of density lookup to perform. Supported values + include `nssrv`, `mxsrv`, `nshash`, `mxhash`, `ipv4`, `ipv6`, `asn`, and `chv`. + | - 3. **API Interaction:** The action calls the Silent Push `density_lookup` API - endpoint using a GET request. + | Query | String | Yes | The specific value (e.g., domain, IP, or ASN) to query + for density information. | - 4. **Data Validation:** It checks the API response for the presence of density - records. + | Scope | String | No | The match level or scope to apply to the query results. + | - 5. **Result Reporting:** If records are found, the action completes successfully - and returns the record data. If no records are found or an error occurs, the action - reports a failure. + ### Additional Notes: - ### Additional Notes + - This action does not automatically process entities from the SecOps case; it + relies entirely on the provided `Query` parameter. - - This action is a standalone lookup and does not automatically process entities - from the current context; it relies entirely on the manually provided `Query` - and `Qtype` parameters. + - The results are provided in the `JsonResult` output. capabilities: can_create_case_comments: false can_create_insight: false @@ -450,29 +495,55 @@ Density Lookup: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Forward Padns Lookup: ai_description: >- ### General Description - Performs a forward Passive DNS (PADNS) lookup using the Silent Push API. This - action allows users to retrieve historical DNS records for a specific domain or - record name (`Qname`) and record type (`Qtype`). It supports extensive filtering - options such as date ranges (first/last seen), regex patterns, and netmasks to - narrow down the results. + This action performs a forward Passive DNS (PADNS) lookup using the Silent Push + platform. It allows analysts to retrieve historical DNS records associated with + a specific domain name (`Qname`) and record type (`Qtype`). The action is designed + for deep infrastructure analysis, providing visibility into how a domain's DNS + records have changed over time. It supports extensive filtering capabilities, + including time-based constraints, network masks, and regular expressions, making + it a powerful tool for threat hunting and identifying malicious infrastructure + patterns. ### Parameters Description - | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Qname** | string | Yes | The DNS record name to lookup (e.g., 'silentpush.com'). - | + | **Qname** | string | Yes | The DNS record name (domain) to lookup. | - | **Qtype** | string | No | The DNS record type to query (e.g., 'ns', 'a', 'mx'). - Defaults to 'ns'. | + | **Qtype** | string | No | The DNS record type to query (e.g., 'ns', 'a', 'mx', + 'txt'). Defaults to 'ns'. | | **Netmask** | string | No | Filter results by a specific network mask. | @@ -482,63 +553,73 @@ Forward Padns Lookup: | **Regex** | string | No | A regular expression to filter the returned DNS records. | - | **Match** | string | No | Specifies the match type for the query (e.g., 'exact', - 'partial'). | + | **Match** | string | No | The type of match for the query (e.g., 'exact', 'partial'). + | - | **First Seen After** | string | No | Filter for records first observed after - this timestamp. | + | **First Seen After** | string | No | Filter records first observed after this + date (ISO 8601 format). | - | **First Seen Before** | string | No | Filter for records first observed before - this timestamp. | + | **First Seen Before** | string | No | Filter records first observed before this + date (ISO 8601 format). | - | **Last Seen After** | string | No | Filter for records last observed after this - timestamp. | + | **Last Seen After** | string | No | Filter records last observed after this + date (ISO 8601 format). | - | **Last Seen Before** | string | No | Filter for records last observed before - this timestamp. | + | **Last Seen Before** | string | No | Filter records last observed before this + date (ISO 8601 format). | | **As Of** | string | No | Retrieve DNS records as they appeared at a specific point in time. | - | **Sort** | string | No | Field used to sort the results. | + | **Sort** | string | No | Field to sort the results by (e.g., 'date', 'score'). + | - | **Output Format** | string | No | The desired format for the output data. | + | **Output Format** | string | No | The desired format for the results (e.g., + 'JSON', 'XML'). | - | **Prefer** | string | No | Preference for specific DNS sources or servers. | + | **Prefer** | string | No | Preference for specific DNS servers or data sources. + | - | **With Metadata** | string | No | Whether to include additional metadata in - the response. | + | **With Metadata** | string | No | Boolean flag to include additional metadata + in the records. | - | **Max Wait** | string | No | Maximum time in seconds to wait for the API response. - | + | **Max Wait** | string | No | Maximum seconds to wait for the API response (0-25 + seconds). | - | **Skip** | string | No | Number of records to skip for pagination. | + | **Skip** | string | No | Number of results to skip for pagination. | - | **Limit** | string | No | Maximum number of records to return in the response. - | + | **Limit** | string | No | Maximum number of results to return. | ### Flow Description - 1. **Configuration**: Extracts the Silent Push server URL and API key from the - integration settings. + 1. **Initialization:** The action extracts the Silent Push server URL and API + key from the integration configuration. - 2. **Input Gathering**: Collects the mandatory `Qname` and optional filtering - parameters from the action input. + 2. **Parameter Collection:** It retrieves the mandatory `Qname` and all optional + filtering parameters provided by the user. - 3. **API Execution**: Initiates a GET request to the Silent Push `explore/padns/lookup/query` - endpoint, passing the query type, name, and filters as parameters. + 3. **API Execution:** The action calls the Silent Push `forward_padns_lookup` + method, which executes a GET request to the `explore/padns/lookup/query` endpoint. - 4. **Validation**: Checks the API response for errors. If the API returns an error - or no records are found, the action fails with a descriptive message. + 4. **Error Handling:** The script validates the API response. If the API returns + an error or if no records are found for the specified query, the action terminates + with a failure status. - 5. **Completion**: Returns the list of DNS records found as the action result. + 5. **Output:** Upon a successful lookup, the retrieved DNS records are returned + as a JSON object in the `JsonResult` field, and the action completes successfully. ### Additional Notes - This action is parameter-driven and does not automatically process entities from - the current context. The `Qname` must be explicitly provided to perform the lookup. + * **Parameter Discrepancy:** Note that while the configuration defines the parameter + as `subdomain`, the underlying Python logic attempts to extract it as `Subdomains`. + Ensure the parameter name in the UI matches the expected input in the script for + correct functionality. + + * **Entity Interaction:** Although the script iterates through target entities + at the end of the execution, it does not use them to drive the lookup logic; the + query is strictly based on the `Qname` parameter. capabilities: can_create_case_comments: false can_create_insight: false @@ -566,30 +647,79 @@ Forward Padns Lookup: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get ASN Reputation: - ai_description: "### General Description\nThe **Get ASN Reputation** action retrieves\ - \ historical reputation data for a specific Autonomous System Number (ASN) from\ - \ the Silent Push platform. This information helps security analysts understand\ - \ the risk profile of an ASN over time, including its reputation score and associated\ - \ metadata. \n\n### Parameters Description\n| Parameter | Type | Mandatory | Description\ - \ |\n| :--- | :--- | :--- | :--- |\n| **ASN** | String | Yes | The Autonomous\ - \ System Number (ASN) to perform the reputation lookup for. |\n| **Explain** |\ - \ Boolean | No | If enabled, the action will include detailed information explaining\ - \ how the reputation score was calculated. |\n| **Limit** | String | No | Specifies\ - \ the maximum number of historical reputation records to retrieve. |\n\n### Additional\ - \ Notes\n* Although the action metadata description mentions IPv4, the logic specifically\ - \ performs a lookup based on the provided **ASN** parameter.\n* The results are\ - \ sorted by date in descending order (most recent first).\n\n### Flow Description\n\ - 1. **Configuration Extraction:** Retrieves the Silent Push Server URL and API\ - \ Key from the integration settings.\n2. **Parameter Parsing:** Extracts the target\ - \ `ASN`, the `Explain` flag, and the `Limit` value from the action inputs.\n3.\ - \ **API Interaction:** Connects to the Silent Push API via the `SilentPushManager`\ - \ and requests reputation history for the specified ASN using a GET request.\n\ - 4. **Data Processing:** Extracts the reputation records from the API response,\ - \ sorts them by date (newest first), and formats them into a structured list suitable\ - \ for a results table.\n5. **Result Delivery:** Adds the formatted reputation\ - \ data to the action's JSON results and completes the execution with a success\ - \ or failure status." + ai_description: >- + Retrieves the reputation history for a specific Autonomous System Number (ASN) + from Silent Push. This action provides insights into historical reputation scores, + associated AS names, and dates of reputation changes. It allows users to request + detailed explanations for the reputation scores and limit the number of historical + records returned. + + + ### Flow Description + + 1. **Parameter Extraction:** The action extracts the mandatory `ASN` and optional + `Explain` and `Limit` parameters from the input. + + 2. **API Request:** It initializes the Silent Push manager and calls the ASN reputation + endpoint to fetch historical data for the specified ASN. + + 3. **Data Processing:** The response is parsed to extract reputation history, + which is then sorted by date in descending order. + + 4. **Formatting:** If the `Explain` parameter is enabled, the action includes + the reputation calculation details in the output table. + + 5. **Output:** The formatted data is attached as a JSON result to the action, + and the execution status is updated based on whether data was found. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | ASN | string | Yes | The Autonomous System Number (ASN) to lookup (e.g., '12345'). + | + + | Explain | boolean | No | If set to true, the action retrieves and displays the + information used to calculate the reputation score. | + + | Limit | string | No | The maximum number of reputation history records to retrieve + from the API. | + + + ### Additional Notes + + - This action is parameter-driven and does not automatically iterate over or enrich + entities present in the Google SecOps case, although it may be executed within + a case context. capabilities: can_create_case_comments: false can_create_insight: false @@ -601,7 +731,7 @@ Get ASN Reputation: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: entity_types: [] filters_by_additional_properties: false @@ -617,56 +747,58 @@ Get ASN Reputation: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get ASN Takedown Reputation: - ai_description: >- - ### General Description - - The **Get ASN Takedown Reputation** action retrieves historical and current takedown - reputation data for a specific Autonomous System Number (ASN) from the Silent - Push platform. This information helps security analysts evaluate the risk associated - with an ASN by reviewing its history of malicious activity and subsequent takedowns. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **ASN** | String | Yes | The Autonomous System Number (ASN) to investigate (e.g., - '211298'). | - - | **Explain** | Boolean | No | If set to `true` (default), the response includes - the underlying information and logic used to calculate the reputation score. | - - | **Limit** | String | No | The maximum number of historical reputation records - to retrieve from the API. | - - - ### Flow Description - - 1. **Initialization**: The action extracts the Silent Push Server URL and API - Key from the integration configuration. - - 2. **Input Extraction**: It retrieves the `ASN`, `Explain`, and `Limit` parameters - provided by the user or playbook. - - 3. **API Request**: The action calls the Silent Push API via the `get_asn_takedown_reputation` - method in the manager class, which performs a GET request to the `explore/takedownreputation/asn/{asn}` - endpoint. - - 4. **Response Validation**: It checks if the API returned valid takedown reputation - history. If no data is found, the action fails with an informative error message. - - 5. **Output Generation**: The retrieved reputation data is formatted into a JSON - object and returned as the action's primary result for use in playbooks. - - - ### Additional Notes - - - This action operates based on the manually provided **ASN** parameter rather - than automatically iterating through entities in the case scope. While it accesses - the `target_entities` list, it does not use them to drive the lookup logic. + ai_description: "Retrieves the takedown reputation information for a specific Autonomous\ + \ System Number (ASN) using the Silent Push API. This action provides insights\ + \ into the historical reputation of an ASN, which can be used to assess the risk\ + \ associated with network infrastructure. The action allows users to specify the\ + \ ASN, limit the number of history records retrieved, and optionally include an\ + \ explanation of how the reputation score was calculated.\n\n### Flow Description:\n\ + 1. **Configuration Extraction:** The action retrieves the Silent Push Server URL\ + \ and API Key from the integration settings.\n2. **Parameter Processing:** It\ + \ extracts the mandatory 'ASN' parameter and optional 'Explain' and 'Limit' parameters.\ + \ The 'Explain' boolean is converted to a numeric flag (0 or 1) for the API request.\n\ + 3. **API Interaction:** The action initializes the Silent Push Manager and calls\ + \ the `get_asn_takedown_reputation` method, which performs a GET request to the\ + \ `explore/takedownreputation/asn/{asn}` endpoint.\n4. **Data Validation:** It\ + \ checks if the response contains takedown reputation history. If no data is found,\ + \ the action fails with an error message.\n5. **Result Output:** If successful,\ + \ the reputation data is returned as a JSON result mapped to the ASN identifier.\n\ + \n### Parameters Description:\n| Parameter | Type | Mandatory | Description |\n\ + | :--- | :--- | :--- | :--- |\n| ASN | string | True | The Autonomous System Number\ + \ (ASN) to lookup (e.g., \"211298\"). |\n| Explain | boolean | False | If set\ + \ to true, the API returns the information used to calculate the reputation score.\ + \ Defaults to true. |\n| Limit | string | False | The maximum number of reputation\ + \ history records to retrieve from the service. |\n\n### Additional Notes:\n*\ + \ This action does not automatically iterate over entities in the case; it relies\ + \ on the 'ASN' parameter provided in the action configuration. \n* While the script\ + \ contains a loop that prints entity identifiers, it does not use them to perform\ + \ the lookup or update their properties." capabilities: can_create_case_comments: false can_create_insight: false @@ -694,50 +826,77 @@ Get ASN Takedown Reputation: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get ASNs for Domain: ai_description: >- ### General Description - The **Get ASNs for Domain** action retrieves Autonomous System Numbers (ASNs) - associated with a specific domain using the Silent Push platform. It identifies - ASNs linked to A records for the domain and its subdomains that have been observed - in the last 30 days. This action is primarily used for infrastructure mapping - and network attribution during security investigations. + This action retrieves Autonomous System Numbers (ASNs) associated with a specific + domain using the Silent Push platform. It is designed to identify the network + infrastructure that has hosted the domain and its subdomains within the last 30 + days, providing critical context for network-based threat intelligence and investigations. ### Parameters Description - | Parameter | Type | Mandatory | Default Value | Description | - | :--- | :--- | :--- | :--- | :--- | + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | - | Domain | String | Yes | silentpush.com | The domain name for which to retrieve - associated ASNs. | + | Domain | string | Yes | The domain name to search ASNs for. The action retrieves + ASNs associated with 'A' records for the specified domain and its subdomains in + the last 30 days. Default value is 'silentpush.com'. | ### Flow Description - 1. **Configuration Extraction:** The action retrieves the Silent Push Server URL - and API Key from the integration's configuration settings. + 1. **Initialization**: The action connects to the Silent Push API using the configured + Server URL and API Key. - 2. **Parameter Retrieval:** It extracts the target domain name from the action - input parameters. + 2. **Parameter Extraction**: It retrieves the target domain from the action input + parameters. - 3. **API Request:** The action calls the Silent Push `explore/padns/lookup/domain/asns` - endpoint to fetch ASN records associated with the domain's historical A records. + 3. **API Request**: The action performs a GET request to the Silent Push `explore/padns/lookup/domain/asns/{domain}` + endpoint. - 4. **Response Validation:** It checks the API response for valid records. If no - ASNs are found, the action logs an error and terminates with a failure status. + 4. **Data Extraction**: It parses the JSON response to extract the list of ASN + records associated with the domain. - 5. **Result Output:** Upon success, the action returns the list of ASNs in a JSON - result and provides a summary message to the Google SecOps platform. + 5. **Result Reporting**: If records are found, they are returned in the action's + JSON result and displayed in the output message. If no records are found or an + error occurs, the action reports a failure. ### Additional Notes - This action is parameter-driven and does not automatically iterate over entities - in a case. To use this action with entities, the 'Domain' parameter should be - mapped to an entity identifier within a playbook. + This action is parameter-driven and does not automatically process entities from + the case scope. To enrich specific domain entities, the entity identifier should + be mapped to the 'Domain' parameter in a playbook. capabilities: can_create_case_comments: false can_create_insight: false @@ -745,9 +904,9 @@ Get ASNs for Domain: can_mutate_external_data: false can_mutate_internal_data: false can_update_entities: false - external_data_mutation_explanation: null + external_data_mutation_explanation: 'null' fetches_data: true - internal_data_mutation_explanation: null + internal_data_mutation_explanation: 'null' categories: enrichment: true entity_usage: @@ -765,50 +924,77 @@ Get ASNs for Domain: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Data Exports: ai_description: >- - Downloads exported threat intelligence feed data from the Silent Push platform. - This action utilizes a specific Feed URL to retrieve data (typically in CSV format) - containing indicators or other threat-related information. The retrieved content - is returned as part of the action result for further processing within the playbook. + ### General Description + The **Get Data Exports** action retrieves and downloads exported data files from + the Silent Push platform. This utility is primarily used to fetch bulk indicator + lists or organization-specific exports (e.g., CSV files) previously generated + within the Silent Push environment. The action performs a direct download from + the Silent Push export repository based on a provided file identifier or relative + URL suffix. - ### Flow Description: - 1. **Configuration Extraction:** Retrieves the Silent Push server URL and API - key from the integration's global configuration. + ### Parameters Description + + | Parameter | Type | Mandatory | Description | - 2. **Parameter Retrieval:** Obtains the mandatory 'Feed URL' provided as an action - parameter. + | :--- | :--- | :--- | :--- | - 3. **API Request:** Executes a GET request to the Silent Push export endpoint - (`/app/v1/export/organization-exports/`) using the constructed URL. + | Feed URL | String | Yes | The specific path or filename of the export to retrieve + (e.g., '9b38bd50-ea46-4280-8739-9b71fc3a9291_indicators.csv'). | - 4. **Response Validation:** Checks if the request was successful (HTTP 200). If - the server returns an error, the action logs the failure and terminates. - 5. **Result Processing:** Extracts the filename from the URL and returns the raw - content of the exported feed in the action output. + ### Flow Description + 1. **Configuration Retrieval**: The action fetches the Silent Push Server URL + and API Key from the integration settings. - ### Parameters Description: + 2. **Parameter Extraction**: It retrieves the 'Feed URL' provided by the user. - | Parameter | Type | Mandatory | Description | + 3. **Request Construction**: The Silent Push Manager constructs the full URL for + the export endpoint by appending the Feed URL to the base export path. - | :--- | :--- | :--- | :--- | + 4. **Data Retrieval**: A GET request is sent to the Silent Push API to download + the file content. - | Feed URL | String | Yes | The specific URL suffix or identifier for the feed - data to be exported from Silent Push. Default is a specific indicator CSV. | + 5. **Response Validation**: The action checks for a successful HTTP 200 response. + If the download fails, an error is logged and the action fails. + 6. **Output**: The content of the downloaded file is returned as the action result. - ### Additional Notes: - - This action is designed for bulk data retrieval and does not perform individual - entity-level enrichment. + ### Additional Notes - - Although the action iterates over target entities in the environment, it does - not use them to filter or modify the data retrieval process; it simply logs their - identifiers. + - This action is a utility for bulk data retrieval and does not perform specific + analysis or enrichment on individual entities within the case, although it will + iterate through any entities present in the scope for logging purposes. capabilities: can_create_case_comments: false can_create_insight: false @@ -871,42 +1057,66 @@ Get Data Exports: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: true + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Domain Certificates: - ai_description: "### General Description\nThis action retrieves SSL/TLS certificate\ - \ data for a specified domain using the Silent Push API. It allows security analysts\ - \ to examine certificate history and metadata collected from domain scanning,\ - \ which is essential for identifying infrastructure patterns, verifying ownership,\ - \ or detecting malicious impersonation and phishing infrastructure.\n\n### Parameters\ - \ Description\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- |\ - \ :--- | :--- |\n| Domain | string | Yes | The target domain to query certificates\ - \ for (e.g., silentpush.com). |\n| Domain Regex | string | No | A regular expression\ - \ to filter the domains returned in the certificate data. |\n| Certificate Issuer\ - \ | string | No | Filter results by the name of the certificate issuer (CA). |\n\ - | Date Min | string | No | Filter for certificates issued on or after this date\ - \ (ISO format). |\n| Date Max | string | No | Filter for certificates issued on\ - \ or before this date (ISO format). |\n| Prefer | string | No | Specifies whether\ - \ to wait for results (synchronous) or return a job_id immediately (asynchronous).\ - \ |\n| Max Wait | string | No | The number of seconds (0-25) to wait for results\ - \ before the API returns a job_id. |\n| With Metadata | string | No | If set to\ - \ true, includes a metadata object containing result counts and job identifiers.\ - \ |\n| Skip | string | No | The number of results to skip for pagination. |\n\ - | Limit | string | No | The maximum number of results to return. |\n\n### Flow\ - \ Description\n1. **Initialization:** The action extracts the Silent Push server\ - \ URL and API key from the integration configuration.\n2. **Parameter Extraction:**\ - \ It retrieves the target domain and optional filters (regex, issuer, dates, pagination)\ - \ from the action parameters.\n3. **API Request:** The action calls the Silent\ - \ Push `explore/domain/certificates/{domain}` endpoint using a GET request, passing\ - \ the filters as query parameters.\n4. **Response Handling:** \n * If the API\ - \ returns a `job_status` (indicating a long-running query), the action completes\ - \ successfully and provides the job details for later retrieval.\n * If the\ - \ API returns certificate data immediately, the action parses the list of certificates\ - \ and associated metadata.\n5. **Completion:** The action outputs the retrieved\ - \ certificate data or job information to the Google SecOps result JSON.\n\n###\ - \ Additional Notes\n* This action is parameter-driven and does not automatically\ - \ iterate over entities in the current case scope. The 'Domain' parameter must\ - \ be explicitly provided or mapped from an entity identifier in a playbook.\n\ - * If no certificates are found for the provided domain, the action will return\ - \ a failure status." + ai_description: "### General Description\nThis action retrieves SSL certificate\ + \ data collected from domain scanning using the Silent Push platform. It allows\ + \ analysts to query a specific domain and receive a list of associated certificates,\ + \ including details about the issuer and validity dates. The action supports filtering\ + \ by regular expressions, specific issuers, and date ranges, and can handle both\ + \ immediate results and long-running asynchronous jobs.\n\n### Parameters Description\n\ + | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ + | Domain | string | Yes | The specific domain to query for certificate data (e.g.,\ + \ silentpush.com). |\n| Domain Regex | string | No | A regular expression to filter\ + \ the returned domains within the certificate data. |\n| Certificate Issuer |\ + \ string | No | Filter the results to only include certificates issued by a specific\ + \ authority. |\n| Date Min | string | No | Filter for certificates issued on or\ + \ after this date (YYYY-MM-DD). |\n| Date Max | string | No | Filter for certificates\ + \ issued on or before this date (YYYY-MM-DD). |\n| Prefer | string | No | Determines\ + \ whether to wait for results for longer-running queries or return a `job_id`\ + \ immediately. |\n| Max Wait | string | No | The number of seconds (0-25) to wait\ + \ for results before the API returns a `job_id`. |\n| With Metadata | string |\ + \ No | If set to true, includes a metadata object in the response containing result\ + \ counts and job IDs. |\n| Skip | string | No | The number of results to skip\ + \ for pagination purposes. |\n| Limit | string | No | The maximum number of certificate\ + \ results to return. |\n\n### Additional Notes\n- This action does not automatically\ + \ process entities from the Google SecOps context; it relies on the manually provided\ + \ `Domain` parameter.\n- If the query takes longer than the `Max Wait` time, the\ + \ action will return job details which can be used with a 'Get Job Status' action.\n\ + \n### Flow Description\n1. **Configuration Extraction:** The action retrieves\ + \ the Silent Push server URL and API key from the integration settings.\n2. **Parameter\ + \ Parsing:** It extracts the target domain and all optional filters (regex, issuer,\ + \ dates, pagination) from the action input.\n3. **API Request:** The action sends\ + \ a GET request to the Silent Push `explore/domain/certificates/{domain}` endpoint\ + \ with the specified filters.\n4. **Response Handling:** \n - If the API returns\ + \ a `job_status`, the action completes and provides the job details for asynchronous\ + \ tracking.\n - If certificates are returned immediately, the action parses\ + \ the list and associated metadata.\n5. **Completion:** The action outputs the\ + \ certificate data to the action message and sets the execution status to completed." capabilities: can_create_case_comments: false can_create_insight: false @@ -914,11 +1124,11 @@ Get Domain Certificates: can_mutate_external_data: false can_mutate_internal_data: false can_update_entities: false - external_data_mutation_explanation: 'null' + external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: 'null' + internal_data_mutation_explanation: null categories: - enrichment: true + enrichment: false entity_usage: entity_types: [] filters_by_additional_properties: false @@ -928,73 +1138,67 @@ Get Domain Certificates: filters_by_entity_type: false filters_by_identifier: false filters_by_is_artifact: false - filters_by_is_enriched: false - filters_by_is_internal: false - filters_by_is_pivot: false - filters_by_is_suspicious: false - filters_by_is_vulnerable: false - filters_by_modification_time: false -Get Enrichment Data: - ai_description: >- - ### General Description - - This action retrieves comprehensive enrichment information for a specific resource, - such as a domain, IPv4, or IPv6 address, from the Silent Push platform. It is - designed for manual lookups where a user provides a specific value to investigate. - The action returns detailed metadata, including ASN information and reputation - data, which can be used to assess the risk associated with the resource. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Resource | string | Yes | The type of resource for which information needs to - be retrieved (e.g., domain, ipv4, ipv6). | - - | Value | string | Yes | The value corresponding to the selected resource (e.g., - silentpush.com or an IP address). | - - | Explain | boolean | No | When set to `true`, the response will include an explanation - of how the data calculations were performed. | - - | Scan Data | boolean | No | When set to `true`, the response will include scan - data. This is only applicable when the resource type is `ipv4`. | - - - ### Additional Notes - - - This action does not automatically process entities from the Google SecOps case - scope; it relies entirely on the provided `Value` and `Resource` parameters. - - - The `Scan Data` parameter is only applicable when the `Resource` type is set - to `ipv4`. - - - The action performs a read-only operation and does not modify any data in Silent - Push or Google SecOps. - - - ### Flow Description - - 1. **Configuration Retrieval**: The action extracts the Silent Push server URL - and API key from the integration configuration. - - 2. **Parameter Extraction**: It retrieves the user-provided parameters: `Resource`, - `Value`, `Explain`, and `Scan Data`. - - 3. **Input Validation**: The action validates that the `Resource` type is one - of the allowed values (`ipv4`, `ipv6`, `domain`). If the resource is an IP, it - validates the format using the `validate_ip` helper. - - 4. **Data Retrieval**: It calls the `get_enrichment_data` method in the `SilentPushManager`, - which sends a GET request to the Silent Push API's enrichment endpoint. - - 5. **Result Handling**: If data is retrieved, it is added to the action's JSON - results. The action then concludes by providing an output message and a success - status. If an error occurs or no data is found, it logs the error and ends with - a failure status. + filters_by_is_enriched: false + filters_by_is_internal: false + filters_by_is_pivot: false + filters_by_is_suspicious: false + filters_by_is_vulnerable: false + filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false +Get Enrichment Data: + ai_description: "Retrieves comprehensive enrichment information for a specific resource,\ + \ such as a domain, IPv4, or IPv6 address, using the Silent Push platform. This\ + \ action allows analysts to gather deep contextual data, including reputation\ + \ and infrastructure details, to support threat investigation and incident response.\n\ + \n### Flow Description\n1. **Configuration Extraction:** The action retrieves\ + \ the Silent Push server URL and API key from the integration's global configuration.\n\ + 2. **Parameter Parsing:** It extracts the target resource type (domain, ipv4,\ + \ or ipv6), the specific value to enrich, and optional flags for data explanation\ + \ and scan data inclusion.\n3. **Validation:** The action validates that the provided\ + \ resource type is supported and performs IP version validation if the resource\ + \ is an IP address.\n4. **API Interaction:** It executes a GET request to the\ + \ Silent Push enrichment endpoint (`explore/enrich/{resource}/{value}`) with the\ + \ specified query parameters.\n5. **Result Handling:** The retrieved enrichment\ + \ data is processed and added to the action's JSON results. If no data is found\ + \ or the API request fails, the action terminates with a failure status.\n\n###\ + \ Parameters Description\n| Parameter | Type | Mandatory | Description |\n| :---\ + \ | :--- | :--- | :--- |\n| Resource | string | Yes | The type of resource for\ + \ which information needs to be retrieved. Supported values are `domain`, `ipv4`,\ + \ and `ipv6`. |\n| Value | string | Yes | The specific identifier (e.g., domain\ + \ name or IP address) corresponding to the selected resource type. |\n| Explain\ + \ | boolean | No | If set to `true`, the response will include detailed explanations\ + \ of how data calculations were performed. Defaults to `false`. |\n| Scan Data\ + \ | boolean | No | If set to `true`, the response will include raw scan data.\ + \ This is only applicable when the resource type is `ipv4`. Defaults to `false`.\ + \ |\n\n### Additional Notes\n* This action does not automatically iterate over\ + \ entities in the SecOps case; it relies strictly on the `Value` and `Resource`\ + \ parameters provided in the action configuration. \n* While the script contains\ + \ a loop over `target_entities`, it is only used for logging purposes and does\ + \ not affect the enrichment logic." capabilities: can_create_case_comments: false can_create_insight: false @@ -1006,7 +1210,7 @@ Get Enrichment Data: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1022,57 +1226,84 @@ Get Enrichment Data: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Future Attack Indicatiors: ai_description: >- - ### General Description - - This action retrieves indicators of potential future attacks from the Silent Push - platform using a specific Feed UUID. It is designed to fetch threat intelligence - data, specifically Indicators of Compromise (IOCs) associated with threat rankings, - to assist in proactive security monitoring and defense strategies. + The 'Get Future Attack Indicators' action retrieves a list of indicators associated + with potential future attacks from the Silent Push platform. It uses a specific + Feed UUID to query the threat-ranking API, allowing analysts to proactively identify + emerging threats. The action supports pagination through page number and page + size parameters to handle large datasets. The retrieved indicators are returned + as a JSON object for further analysis or use in subsequent playbook steps. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Configuration Extraction**: The action retrieves the Silent Push server URL + and API key from the integration configuration. - | :--- | :--- | :--- | :--- | + 2. **Parameter Parsing**: It extracts the mandatory 'Feed UUID' and optional pagination + parameters ('Page No' and 'Page Size') from the action input. - | Feed UUID | String | Yes | The unique identifier for the Silent Push threat - feed from which to retrieve indicators. | + 3. **API Interaction**: The action initializes the Silent Push Manager and performs + a GET request to the `/api/v2/iocs/threat-ranking/` endpoint, passing the Feed + UUID and pagination details as query parameters. - | Page No | String | No | The page number for paginated results. Defaults to "1" - if not provided. | + 4. **Data Processing**: It parses the API response to extract the list of indicators. + If no indicators are found, the action terminates with a failure status. - | Page Size | String | No | The number of indicators to retrieve per page. Defaults - to "10000" if not provided. | + 5. **Result Output**: The list of indicators is added to the action's JSON results, + and the action completes successfully. - ### Flow Description + ### Parameters Description - 1. **Configuration Extraction**: The action retrieves the Silent Push Server URL - and API Key from the integration's global configuration. + | Parameter Name | Type | Mandatory | Description | Expected Value | - 2. **Input Parsing**: It extracts the `Feed UUID`, `Page No`, and `Page Size` - from the action parameters, ensuring default values are applied for pagination - if they are missing. + | :--- | :--- | :--- | :--- | :--- | - 3. **API Interaction**: The action makes a GET request to the Silent Push `/api/v2/iocs/threat-ranking/` - endpoint, passing the feed UUID and pagination details as query parameters. + | Feed UUID | string | True | The unique identifier for the specific threat feed + to fetch indicators from. | A valid UUID string (e.g., '99da9b6a-146b-4a4d-9929-5fd5c6e2c257'). + | - 4. **Response Handling**: It processes the API response, extracting the list of - indicators from the returned JSON data. + | Page No | string | False | The specific page number of results to retrieve. + Defaults to '1' if not provided. | An integer string (e.g., '2'). | - 5. **Output Generation**: The retrieved indicators are added to the action's JSON - result (`JsonResult`). If no indicators are found, the action reports a failure; - otherwise, it completes successfully with the fetched data. + | Page Size | string | False | The maximum number of indicators to return per + page. Defaults to '10000'. | An integer string (e.g., '500'). | ### Additional Notes - - This action is parameter-driven and does not utilize or filter data based on - entities present in the Google SecOps case. While it iterates through target entities - for logging purposes, they do not influence the API query or the results. + - This action does not process or enrich specific entities within the case; it + fetches global feed data based on the provided UUID. + + - If the API returns an empty list or no 'indicators' key, the action will report + a failure. capabilities: can_create_case_comments: false can_create_insight: false @@ -1100,59 +1331,74 @@ Get Future Attack Indicatiors: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get IPV4 Reputation: ai_description: >- - ### General Description - Retrieves historical reputation data for a specific IPv4 address using the Silent - Push threat intelligence platform. This action allows analysts to understand the - reputation score and history of an IP address, providing context on its past behavior - and potential risk levels. + Push API. This action allows analysts to fetch a list of reputation scores and + the data used to calculate them for a given IP address. The results are provided + as a JSON object containing the reputation history, which can be used for further + analysis or decision-making within a playbook. ### Parameters Description + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | | Nameserver | string | Yes | The IPv4 address for which reputation information - needs to be retrieved. Note: Despite the name 'Nameserver', the API expects an - IPv4 address. | + needs to be retrieved. | | Explain | boolean | No | If set to true, the response will include the specific - information and logic used to calculate the reputation score. Defaults to false. - | + information used to calculate the reputation score. Defaults to false. | | Limit | string | No | The maximum number of reputation history entries to retrieve - from the platform. | - - - ### Additional Notes - - - This action does not automatically process entities from the Google SecOps case; - it relies strictly on the provided 'Nameserver' parameter. - - - The action returns a JSON object containing the reputation history, which can - be used in downstream playbooks for decision-making. + from the API. | ### Flow Description - 1. **Configuration Extraction**: Retrieves the Silent Push Server URL and API - Key from the integration settings. - 2. **Parameter Parsing**: Extracts the target IPv4 address (Nameserver), the explanation - flag, and the result limit from the action inputs. + 1. **Parameter Extraction**: The action extracts the target IPv4 address from + the 'Nameserver' parameter and retrieves the 'Explain' and 'Limit' settings. + + 2. **Manager Initialization**: It initializes the Silent Push Manager using the + integration's server URL and API Key. - 3. **API Interaction**: Calls the Silent Push `get_ipv4_reputation` endpoint using - the provided parameters. + 3. **API Request**: The action performs a GET request to the Silent Push `explore/ipreputation/history/ipv4` + endpoint using the provided IPv4 address. - 4. **Response Validation**: Checks if reputation history data was returned. If - no history is found, the action reports a failure. + 4. **Data Validation**: It checks the API response for the presence of reputation + history data. If no data is found, the action is marked as failed. - 5. **Result Output**: Adds the raw API response to the action's JSON results for - use in the SOAR platform. + 5. **Result Output**: The raw API response is attached to the action results as + a JSON object, and the execution status is set to completed. capabilities: can_create_case_comments: false can_create_insight: false @@ -1180,62 +1426,52 @@ Get IPV4 Reputation: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Nameserver Reputation: ai_description: >- - ### General Description - - This action retrieves historical reputation data for a specified nameserver using - the Silent Push API. It provides reputation scores and can optionally include - detailed information about how those scores were calculated. The action is primarily - used for threat intelligence gathering and investigating the reputation of DNS - infrastructure. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Nameserver | String | Yes | The specific nameserver name (e.g., `ns1.example.com`) - for which reputation history is being requested. | - - | Explain | String | No | If provided (e.g., "true"), the API will return the - specific data points and logic used to calculate the reputation score. | - - | Limit | String | No | The maximum number of historical reputation records to - retrieve. | - - - ### Additional Notes - - - The action does not automatically iterate over entities in the Google SecOps - environment. Instead, it relies on the `Nameserver` parameter provided by the - user or mapped from a playbook. - - - Dates in the returned reputation history are automatically parsed from the API's - integer format (YYYYMMDD) into ISO 8601 format for better readability. - - - ### Flow Description - - 1. **Configuration Extraction:** The action retrieves the Silent Push Server URL - and API Key from the integration settings. - - 2. **Parameter Retrieval:** It extracts the `Nameserver`, `Explain`, and `Limit` - values from the action inputs. - - 3. **API Interaction:** The `SilentPushManager` is initialized and calls the `explore/nsreputation/history/nameserver` - endpoint via a GET request. - - 4. **Data Processing:** The script iterates through the returned reputation history - list, converting integer-based dates into standard ISO strings. - - 5. **Validation:** If no valid reputation history is found, the action reports - a failure. - - 6. **Completion:** The action ends by returning the reputation data as a result - and providing a status message to the case wall. + ### General description\nRetrieves historical reputation data for a specified + nameserver from the Silent Push platform. This action provides a timeline of reputation + scores and optional calculation details to help analysts assess the risk associated + with specific DNS infrastructure.\n\n### Parameters description\n| Parameter | + Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Nameserver + | string | Yes | The nameserver name (e.g., ns1.example.com) to retrieve reputation + history for. |\n| Explain | string | No | If provided, the response will include + the detailed information used to calculate the reputation score. |\n| Limit | + string | No | The maximum number of historical reputation entries to retrieve. + |\n\n### Additional notes\n- This action is parameter-driven and does not automatically + iterate over entities in the case.\n- The action will fail if no valid reputation + history is found for the provided nameserver.\n\n### Flow description\n1. **Extract + Configuration**: Retrieves the Silent Push Server URL and API Key from the integration + settings.\n2. **Extract Parameters**: Retrieves the target Nameserver, Explain + flag, and Limit value from the action input.\n3. **API Request**: Calls the Silent + Push API to fetch historical reputation data for the specified nameserver.\n4. + **Data Normalization**: Processes the results, specifically converting integer-based + dates into ISO-8601 format for better readability.\n5. **Output**: Returns the + reputation history data to the SOAR platform. capabilities: can_create_case_comments: false can_create_insight: false @@ -1247,7 +1483,7 @@ Get Nameserver Reputation: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1263,53 +1499,81 @@ Get Nameserver Reputation: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Subnet Reputation: ai_description: >- - ### General Description + Retrieves the reputation history for a specific IPv4 subnet using the Silent Push + API. This action allows analysts to understand the historical threat context of + a network range by fetching reputation scores and optional detailed explanations + for those scores. The results are returned as a JSON object containing the history + entries. - Retrieves the reputation history for a specific IPv4 subnet from Silent Push. - This action allows security analysts to understand the historical risk profile - of a network range, including detailed scoring explanations if requested. + ### Flow Description - ### Parameters - - | Parameter | Type | Mandatory | Description | + 1. **Configuration Extraction:** The action retrieves the Silent Push server URL + and API key from the integration configuration. - | :--- | :--- | :--- | :--- | + 2. **Parameter Extraction:** It extracts the target 'Subnet' and optional 'Explain' + and 'Limit' parameters from the action input. - | Subnet | String | Yes | The IPv4 subnet (e.g., 192.168.0.0/16) for which reputation - information needs to be retrieved. | + 3. **API Interaction:** A GET request is sent to the Silent Push 'explore/ipreputation/history/subnet' + endpoint for the specified subnet. - | Explain | String | No | Show the detailed information used to calculate the - reputation score. | + 4. **Data Parsing:** The action parses the 'subnet_reputation_history' from the + API response. - | Limit | String | No | Maximum number of reputation history entries to retrieve. - | + 5. **Completion:** The retrieved history is returned as the action result, or + the action fails if no history is found. - ### Flow Description + ### Parameters Description - 1. **Configuration Extraction**: Retrieves the Silent Push Server URL and API - Key from the integration settings. + | Parameter | Type | Mandatory | Description | - 2. **Parameter Retrieval**: Extracts the target Subnet, Explain flag, and Limit - from the action inputs. + | :--- | :--- | :--- | :--- | - 3. **API Interaction**: Executes a GET request to the Silent Push `explore/ipreputation/history/subnet` - endpoint via the `SilentPushManager`. + | Subnet | string | Yes | The IPv4 subnet (e.g., 192.168.0.0/16) for which reputation + information needs to be retrieved. | - 4. **Response Processing**: Extracts the `subnet_reputation_history` from the - API response. + | Explain | string | No | If provided, the API returns detailed information used + to calculate the reputation score. | - 5. **Completion**: Returns the reputation data as a JSON result and sets the action - status based on whether data was found. + | Limit | string | No | Maximum number of reputation history entries to retrieve + from the service. | ### Additional Notes - This action does not automatically update entities or create insights; it provides - the raw reputation history in the action's JSON result. + - This action does not automatically process entities from the SecOps case; it + relies on the manually provided 'Subnet' parameter. + + - If the API returns no reputation history for the provided subnet, the action + will result in a failure state. capabilities: can_create_case_comments: false can_create_insight: false @@ -1323,42 +1587,7 @@ Get Subnet Reputation: categories: enrichment: true entity_usage: - entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1372,14 +1601,40 @@ Get Subnet Reputation: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get job status: ai_description: >- ### General Description - This action retrieves the current status or the final results of a previously - initiated job within the Silent Push platform using a specific Job ID. It is primarily - used to poll for the completion of asynchronous tasks such as deep scans or complex - infrastructure lookups. + The **Get job status** action is a utility task designed to track the progress + or retrieve the final output of asynchronous jobs initiated within the Silent + Push platform. It is primarily used to poll for results after launching long-running + queries or scans, allowing the playbook to wait for data before proceeding to + analysis. ### Parameters Description @@ -1388,49 +1643,44 @@ Get job status: | :--- | :--- | :--- | :--- | - | **Job ID** | string | Yes | The unique identifier of the job returned by previous + | Job ID | string | Yes | The unique identifier of the job returned by previous Silent Push actions. | - | **Max Wait** | string | No | The number of seconds (0-25) the action should - wait for the job results before returning the current status. Defaults to 20 if - not provided. | - - | **Status Only** | boolean | No | If set to `true`, the action returns only the - job status information, even if the job has already completed and results are - available. | + | Max Wait | string | No | The number of seconds (0-25) the action should wait + for the job to complete before returning the current status. Defaults to 20 seconds + if not specified. | - | **Force Metadata On** | boolean | No | If set to `true`, the response will always - include query metadata, regardless of the original request configuration. | + | Status Only | boolean | No | If set to `true`, the action returns only the job's + status (e.g., 'complete', 'running') even if the results are available. | - | **Force Metadata Off** | boolean | No | If set to `true`, the response will - never include query metadata, regardless of the original request configuration. - | + | Force Metadata On | boolean | No | Ensures that query metadata is included in + the response, regardless of the original request settings. | + | Force Metadata Off | boolean | No | Ensures that query metadata is excluded + from the response. | - ### Additional Notes - - The `Max Wait` parameter is capped at 25 seconds by the underlying API logic. + ### Flow Description - - This action does not process or require specific SecOps entities; it operates - globally based on the provided `Job ID`. + 1. **Parameter Extraction:** The action retrieves the `Job ID` and optional configuration + flags (Max Wait, Status Only, Metadata toggles) from the input parameters. + 2. **API Request:** It performs a GET request to the Silent Push `explore/job/{job_id}` + endpoint using the provided credentials and parameters. - ### Flow Description + 3. **Status Validation:** The action checks the API response to ensure a valid + job status was found for the provided ID. - 1. **Configuration Extraction:** The action retrieves the Silent Push Server URL - and API Key from the integration settings. + 4. **Result Delivery:** The raw JSON response, containing either the job's current + status or the full result set, is returned to the Google SecOps platform. - 2. **Parameter Parsing:** It extracts the `Job ID` and optional parameters like - `Max Wait` and status flags. - 3. **API Interaction:** The action initializes the `SilentPushManager` and performs - a GET request to the `explore/job/{job_id}` endpoint. + ### Additional Notes - 4. **Response Handling:** It checks if a valid job status was returned. If the - job status is missing, the action fails. + - This action does not process or enrich entities; it operates solely based on + the `Job ID` provided. - 5. **Result Reporting:** The action outputs the raw JSON response containing the - job status or results and sets the execution state to completed. + - The `Max Wait` parameter is capped at 25 seconds by the Silent Push API logic. capabilities: can_create_case_comments: false can_create_insight: false @@ -1442,7 +1692,7 @@ Get job status: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: true + enrichment: false entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1458,33 +1708,81 @@ Get job status: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false List Domain Information: - ai_description: "### General Description\nThe **List Domain Information** action\ - \ retrieves comprehensive metadata for a list of domains using the Silent Push\ - \ platform. It provides a consolidated view of domain attributes and can be configured\ - \ to include advanced security context such as risk scores and live WHOIS records.\ - \ This action is designed for bulk lookups and returns data in both Markdown format\ - \ for the case wall and structured JSON for playbook automation.\n\n### Parameters\ - \ Description\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- |\ - \ :--- | :--- |\n| **Domains** | String | Yes | A comma-separated list of domain\ - \ names (e.g., `example.com, test.org`) to be queried. |\n| **Fetch Risk Score**\ - \ | Boolean | No | If set to `true`, the action retrieves the Silent Push risk\ - \ score and a detailed explanation for each domain. Default is `false`. |\n| **Fetch\ - \ Whois Info** | Boolean | No | If set to `true`, the action performs a live WHOIS\ - \ lookup to retrieve registration details for each domain. Default is `false`.\ - \ |\n\n### Flow Description\n1. **Initialization**: The action extracts the API\ - \ key and server URL from the integration configuration and parses the input domain\ - \ list from the action parameters.\n2. **Data Retrieval**: \n - The action\ - \ performs a bulk request to fetch general domain information (e.g., infrastructure\ - \ tags, IP diversity).\n - If enabled, it fetches risk scores for the provided\ - \ domains.\n - If enabled, it performs individual WHOIS lookups for each domain\ - \ in the list.\n3. **Processing**: The action aggregates the data from different\ - \ Silent Push endpoints into a unified structure for each domain.\n4. **Output**:\ - \ It generates a Markdown summary for the case wall and a structured JSON object\ - \ containing the full results for use in downstream playbook logic.\n\n### Additional\ - \ Notes\n- This action supports querying up to 100 domains in a single execution.\n\ - - While the script iterates over target entities for logging purposes, the core\ - \ logic is driven exclusively by the `Domains` input parameter." + ai_description: >- + Retrieves detailed information for multiple domains from Silent Push, including + infrastructure data, risk scores, and WHOIS records. This action allows for bulk + querying of domains provided as a comma-separated list. Users can optionally include + Silent Push risk scores (with explanations) and live WHOIS information to gain + deeper context on the reputation and ownership of the specified domains. + + + ### Parameters Description + + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Domains | string | Yes | Comma-separated list of domains to query (e.g., "example.com,test.org"). + | + + | Fetch Risk Score | boolean | No | If set to true, the action retrieves Silent + Push risk scores and detailed explanations for each domain. Defaults to false. + | + + | Fetch Whois Info | boolean | No | If set to true, the action retrieves live + WHOIS information for each domain. Defaults to false. | + + + ### Flow Description + + + 1. **Configuration Extraction**: Retrieves the Silent Push Server URL and API + Key from the integration settings. + + 2. **Input Parsing**: Extracts the 'Domains' parameter and splits the comma-separated + string into a list of individual domains. + + 3. **Bulk Domain Lookup**: Calls the Silent Push API to fetch general infrastructure + and metadata for the provided domains. + + 4. **Risk Assessment (Optional)**: If 'Fetch Risk Score' is enabled, the action + makes a secondary request to retrieve risk scores and their corresponding explanations. + + 5. **WHOIS Retrieval (Optional)**: If 'Fetch Whois Info' is enabled, the action + performs individual WHOIS lookups for each domain in the list. + + 6. **Data Aggregation**: Consolidates the retrieved information into a unified + data structure. + + 7. **Output Generation**: Formats the results into a Markdown summary for the + case wall and a detailed JSON object for use in subsequent playbook steps. capabilities: can_create_case_comments: false can_create_insight: false @@ -1496,7 +1794,7 @@ List Domain Information: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1512,72 +1810,90 @@ List Domain Information: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false List Domain Infratags: ai_description: >- - ### General Description - - The **List Domain Infratags** action retrieves infrastructure tags (infratags) - for a specified list of domains from the Silent Push platform. Infratags provide - critical context about the infrastructure associated with a domain, such as hosting - providers, shared IP space, or specific technology stacks. This action is designed - for bulk lookups and can optionally cluster results to identify common infrastructure - patterns across multiple domains. + Retrieves infrastructure tags (infratags) for one or more domains using the Silent + Push platform. This action allows analysts to identify the underlying infrastructure, + hosting providers, and technology stacks associated with specific domains. It + supports bulk lookups and optional clustering of results to identify related infrastructure + patterns. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Input Parsing:** Extracts a comma-separated list of domains from the 'Domain' + parameter and other optional configuration settings like 'Mode' and 'Cluster'. - | :--- | :--- | :--- | :--- | + 2. **API Interaction:** Sends a POST request to the Silent Push 'explore/bulk/domain/infratags' + endpoint with the specified domains and filtering criteria. - | **Domain** | String | Yes | A comma-separated list of domains to query for infrastructure - tags. | + 3. **Data Processing:** Receives infrastructure tags and, if requested, tag clusters + from the external service. - | **Mode** | String | No | The lookup mode to use. Options are `live` (current - data) or `padns` (historical passive DNS data). Defaults to `live`. | + 4. **Result Output:** Formats the retrieved infratags and clusters into a JSON + result for use in subsequent playbook steps. - | **Match** | String | No | Specifies the handling of self-hosted infrastructure. - Defaults to `self`. | - | **As Of** | String | No | A timestamp used when `Mode` is set to `padns` to - retrieve infrastructure data as it existed at a specific point in time. | + ### Parameters Description - | **Cluster** | Boolean | No | If set to `true`, the action will cluster the results - and provide a formatted summary of domain tag clusters. Defaults to `false`. | + | Parameter | Type | Mandatory | Description | - | **Origin UID** | String | No | An optional unique identifier for the request - origin. | + | :--- | :--- | :--- | :--- | - | **Use Get** | Boolean | No | A configuration flag; however, the underlying implementation - uses a POST request to support bulk domain processing. | + | Domain | string | Yes | A comma-separated list of domains to retrieve infrastructure + tags for (e.g., 'example.com, test.org'). | + | Mode | string | No | The lookup mode to use. Options are 'live' (current data) + or 'padns' (historical passive DNS data). Defaults to 'live'. | - ### Flow Description + | Cluster | boolean | No | If set to 'true', the action will return clustered + infrastructure data, grouping related tags together. | - 1. **Initialization:** The action extracts the Silent Push API credentials and - the user-provided parameters, including the list of domains to be analyzed. + | Match | string | No | Specifies how to handle self-hosted infrastructure. Defaults + to 'self'. | - 2. **API Interaction:** It sends a POST request to the Silent Push `explore/bulk/domain/infratags` - endpoint. The request includes the domains, the selected mode (live/padns), and - other filtering criteria like the 'As Of' timestamp. + | As Of | string | No | A timestamp used to build infratags from historical padns + data (between first_seen and last_seen). | - 3. **Data Processing:** The action parses the API response to extract infrastructure - tags. If the `Cluster` parameter is enabled, it also processes and formats the - `tag_clusters` data into a readable structure. + | Origin UID | string | No | A unique identifier for the origin of the request, + used for tracking or specific API permissions. | - 4. **Result Delivery:** The retrieved infratags and optional cluster details are - attached to the action's JSON result. The action completes with a summary message - indicating the success or failure of the data retrieval. + | Use Get | boolean | No | Internal flag to determine request method, though the + implementation primarily uses POST for bulk data. | ### Additional Notes - - This action operates independently of the entities currently present in the - Google SecOps case; it relies strictly on the domains provided in the **Domain** - input parameter. + - This action is primarily driven by the 'Domain' input parameter rather than + the entities present in the SecOps case. - - The `Use Get` parameter is present in the configuration but is not used to change - the HTTP method, as the bulk lookup logic requires a POST request. + - If 'Cluster' is enabled, the output will include a 'Domain Tag Clusters' section + providing a higher-level view of the infrastructure relationships. capabilities: can_create_case_comments: false can_create_insight: false @@ -1605,30 +1921,52 @@ List Domain Infratags: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false List IP Information: ai_description: "### General Description\nThe **List IP Information** action retrieves\ - \ comprehensive Autonomous System Number (ASN) and network routing information\ - \ for a provided list of IPv4 and IPv6 addresses using the Silent Push platform.\ - \ This action is designed for bulk lookups, allowing security analysts to gather\ - \ context on multiple IP indicators simultaneously to identify ownership and network\ - \ reputation.\n\n### Parameters Description\n| Parameter | Type | Mandatory |\ - \ Description |\n| :--- | :--- | :--- | :--- |\n| Ips | String | Yes | A comma-separated\ - \ list of IPv4 or IPv6 addresses to investigate (e.g., \"142.251.188.102, 8.8.8.8\"\ - ). |\n\n### Flow Description\n1. **Configuration Extraction:** The action retrieves\ - \ the Silent Push Server URL and API Key from the integration's configuration\ - \ parameters.\n2. **Input Parsing:** It extracts the `Ips` string parameter and\ - \ splits it into a list of individual addresses.\n3. **Validation & Categorization:**\ - \ The action uses the `SilentPushManager` to validate each address and categorize\ - \ them into separate lists for IPv4 and IPv6.\n4. **Bulk Data Retrieval:** \n\ - \ - If IPv4 addresses are present, it performs a bulk POST request to the `explore/bulk/ip2asn/ipv4`\ - \ endpoint.\n - If IPv6 addresses are present, it performs a bulk POST request\ - \ to the `explore/bulk/ip2asn/ipv6` endpoint.\n5. **Result Aggregation:** The\ - \ action collects the ASN information (including ASN number, organization, and\ - \ routing details) for all valid IPs and returns the aggregated data as a JSON\ - \ result.\n\n### Additional Notes\n- The action supports a maximum of 100 IP addresses\ - \ per single execution.\n- Although the script iterates over the `target_entities`\ - \ in the environment for logging purposes, the actual lookup logic is driven exclusively\ - \ by the values provided in the `Ips` parameter." + \ detailed network metadata for a provided list of IPv4 and IPv6 addresses using\ + \ the Silent Push platform. It specifically focuses on mapping IP addresses to\ + \ Autonomous System Numbers (ASN) and providing associated network context.\n\n\ + ### Parameters Description\n| Parameter | Type | Mandatory | Default Value | Description\ + \ |\n| :--- | :--- | :--- | :--- | :--- |\n| Ips | String | Yes | 142.251.188.102\ + \ | A comma-separated list of IPv4 or IPv6 addresses to be queried. |\n\n### Flow\ + \ Description\n1. **Configuration Extraction:** The action retrieves the Silent\ + \ Push Server URL and API Key from the integration settings.\n2. **Input Parsing:**\ + \ It extracts the `Ips` string parameter and splits it into a list.\n3. **Validation:**\ + \ The action validates each IP and categorizes them into IPv4 and IPv6 groups\ + \ using the Silent Push Manager.\n4. **External API Query:** \n - For IPv4 addresses,\ + \ it sends a POST request to the `explore/bulk/ip2asn/ipv4` endpoint.\n - For\ + \ IPv6 addresses, it sends a POST request to the `explore/bulk/ip2asn/ipv6` endpoint.\n\ + 5. **Data Consolidation:** The results (IP-to-ASN mappings) are aggregated into\ + \ a single list.\n6. **Output:** The action returns the consolidated IP information\ + \ as a JSON result and provides an execution status.\n\n### Additional Notes\n\ + - This action does not automatically process entities from the SecOps case; it\ + \ relies strictly on the `Ips` parameter.\n- A maximum of 100 IPs can be processed\ + \ in a single execution." capabilities: can_create_case_comments: false can_create_insight: false @@ -1656,14 +1994,41 @@ List IP Information: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Live URL Scan: ai_description: >- ### General Description - The **Live URL Scan** action performs a real-time scan of a specified URL using - the Silent Push platform to retrieve comprehensive hosting metadata. This action - is designed to provide technical insights into how a URL is served across various - environments, including different platforms, operating systems, and browsers. + The **Live URL Scan** action performs an on-demand scan of a specific URL using + the Silent Push platform to retrieve hosting metadata. This action is designed + to provide analysts with immediate technical context about a URL, such as its + hosting infrastructure, without requiring manual investigation. It allows for + simulation of different platforms, operating systems, browsers, and geographic + regions to see how the URL behaves under various conditions. ### Parameters Description @@ -1672,51 +2037,49 @@ Live URL Scan: | :--- | :--- | :--- | :--- | - | **URL** | String | Yes | The target URL to be scanned for hosting metadata. + | URL | String | Yes | The specific URL to be scanned. Defaults to 'https://silentpush.com'. | - | **Platform** | String | No | The device platform to simulate during the scan. - Supported values: `Desktop`, `Mobile`, `Crawler`. | + | Platform | String | No | The device platform to simulate for the scan. Allowed + values: 'Desktop', 'Mobile', 'Crawler'. | - | **Os** | String | No | The operating system to simulate during the scan. Supported - values: `Windows`, `Linux`, `MacOS`, `iOS`, `Android`. | + | Os | String | No | The operating system to simulate. Allowed values: 'Windows', + 'Linux', 'MacOS', 'iOS', 'Android'. | - | **Browser** | String | No | The web browser to simulate during the scan. Supported - values: `Firefox`, `Chrome`, `Edge`, `Safari`. | + | Browser | String | No | The browser to simulate. Allowed values: 'Firefox', + 'Chrome', 'Edge', 'Safari'. | - | **Region** | String | No | The geographic region from which the scan request - should originate. Supported values: `US`, `EU`, `AS`, `TOR`. | + | Region | String | No | The geographic region from which the scan should originate. + Allowed values: 'US', 'EU', 'AS', 'TOR'. | - ### Additional Notes - - - This action operates primarily on the provided **URL** parameter rather than - iterating through SecOps entities. + ### Flow Description - - The action includes built-in validation for optional parameters; providing a - value outside the supported lists will result in an execution failure. + 1. **Parameter Extraction:** The action extracts the target URL and optional simulation + parameters (Platform, OS, Browser, and Region) from the user input. - - If the Silent Push API returns no scan data for the specified URL, the action - will terminate with a failure status. + 2. **Validation:** It validates the optional parameters against a predefined list + of supported values (e.g., checking if the provided 'Platform' is one of 'Desktop', + 'Mobile', or 'Crawler'). If validation fails, the action terminates with an error. + 3. **API Execution:** The action initializes the Silent Push Manager and executes + a GET request to the `scanondemand` endpoint with the provided parameters. - ### Flow Description + 4. **Data Parsing:** It extracts the scan results and hosting metadata from the + API response. - 1. **Initialization:** The action extracts the integration configuration (Server - URL and API Key) and the user-provided action parameters. + 5. **Output Generation:** The retrieved scan data is formatted and added to the + action's JSON results. If no scan data is found, the action reports a failure; + otherwise, it completes successfully. - 2. **Validation:** It validates the optional simulation parameters (Platform, - OS, Browser, Region) against allowed values to ensure a successful API request. - 3. **API Request:** The action sends a GET request to the Silent Push `scanondemand` - endpoint with the specified URL and simulation criteria. + ### Additional Notes - 4. **Data Processing:** It parses the API response to extract hosting metadata - and scan results. + - This action is strictly a retrieval (GET) operation and does not modify any + data on the Silent Push platform or within the scanned URL's environment. - 5. **Output Generation:** The retrieved scan data is formatted and added to the - action's result JSON, providing the user with a detailed summary of the URL's - hosting environment. + - While the code iterates over target entities, it does not use them to drive + the scan logic; the scan is driven entirely by the 'URL' parameter. capabilities: can_create_case_comments: false can_create_insight: false @@ -1744,52 +2107,68 @@ Live URL Scan: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: ai_description: >- ### General Description - The **Ping** action is a diagnostic tool used to verify the connectivity between - Google SecOps and the Silent Push API. It ensures that the provided configuration - parameters, such as the Server URL and API Key, are valid and that the network - path is open. + The **Ping** action is a diagnostic tool designed to verify the connectivity between + the Google SecOps platform and the Silent Push API. It ensures that the provided + configuration parameters, such as the Server URL and API Key, are valid and that + the network path to the Silent Push service is open. ### Parameters Description - | Parameter Name | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Silent Push Server | String | Yes | The base URL of the Silent Push API instance - (Configuration Parameter). | - - | API Key | String | Yes | The API key used for authentication with Silent Push - (Configuration Parameter). | + There are no action-specific parameters for this action. It relies entirely on + the integration's global configuration (Silent Push Server and API Key). - ### Additional Notes - - * There are no action-specific parameters for this action; it relies entirely - on the integration's configuration. + ### Flow Description - * This action does not interact with or process any entities. + 1. **Configuration Extraction**: The action retrieves the 'Silent Push Server' + and 'API Key' from the integration settings. + 2. **Manager Initialization**: It initializes the `SilentPushManager` with the + extracted credentials. - ### Flow Description + 3. **Connection Test**: The action calls the `test_connection` method, which internally + executes a sample domain search (limited to 1 result) to validate the API key's + permissions and the server's responsiveness. - 1. **Parameter Extraction:** The action retrieves the 'Silent Push Server' and - 'API Key' from the integration configuration. + 4. **Result Reporting**: If the API call succeeds, it returns a success message. + If the call fails (e.g., due to invalid credentials or network issues), it catches + the exception and reports a failure state with the error details. - 2. **Manager Initialization:** It initializes the `SilentPushManager` with the - extracted credentials. - 3. **Connectivity Test:** It executes the `test_connection` method, which performs - a lightweight API call (a domain search with a limit of 1) to validate the credentials - and server reachability. + ### Additional Notes - 4. **Action Completion:** If the API call succeeds, the action completes with - a success message. If it fails (e.g., due to invalid credentials or network issues), - it reports the error and fails the execution. + This action is typically used during the initial setup of the integration or for + troubleshooting purposes. It does not process any entities or modify any data. capabilities: can_create_case_comments: false can_create_insight: false @@ -1798,7 +2177,7 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: false + fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false @@ -1817,104 +2196,129 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Reverse Padns Lookup: ai_description: >- ### General Description - This action performs a reverse Passive DNS (PADNS) lookup using the Silent Push - platform. While a forward DNS lookup resolves a hostname to an IP, a reverse PADNS - lookup identifies all domain names associated with a specific DNS record value - (the 'answer'). This allows analysts to find all domains pointing to a specific - Name Server (NS), Mail Server (MX), or IP address, which is critical for infrastructure - mapping and identifying related malicious assets. + The **Reverse Padns Lookup** action performs a reverse Passive DNS (PADNS) query + using the Silent Push platform. It allows analysts to retrieve historical DNS + records associated with a specific value, such as a nameserver or IP address, + across various DNS record types (e.g., NS, A, MX). This action is primarily used + for infrastructure mapping and identifying related domains or assets during an + investigation. ### Parameters Description - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | + | Name | Type | Description | Mandatory | Default Value | - | Qtype | string | No | The DNS record type to search for (e.g., 'ns', 'a', 'mx', - 'aaaa'). Defaults to 'ns'. | + | :--- | :--- | :--- | :--- | :--- | - | Qname | string | Yes | The DNS record value (the answer) to lookup (e.g., 'ns1.example.com'). + | Qtype | string | The DNS record type to query (e.g., ns, a, mx). | false | ns | - | Netmask | string | No | A netmask to filter the lookup results. | + | Qname | string | The DNS record name or value to perform the reverse lookup + for. | true | vida.ns.cloudflare.com | - | subdomain | string | No | A flag to include subdomains in the lookup results. - | + | Netmask | string | Optional netmask to filter the lookup results. | false | + "" | - | Regex | string | No | A regular expression to filter the returned DNS records. - | + | subdomain | string | Flag to include subdomains in the lookup results. | false + | "" | - | Match | string | No | The type of match for the query (e.g., 'exact', 'partial'). - | + | Regex | string | A regular expression to filter the returned DNS records. | + false | "" | - | First Seen After | string | No | Filter results to include only records first - seen after this date (YYYY-MM-DD). | + | Match | string | The type of match for the query (e.g., exact, partial). | false + | "" | - | First Seen Before | string | No | Filter results to include only records first - seen before this date (YYYY-MM-DD). | + | First Seen After | string | Filter results to include only records first seen + after this date (YYYY-MM-DD). | false | "" | - | Last Seen After | string | No | Filter results to include only records last - seen after this date (YYYY-MM-DD). | + | First Seen Before | string | Filter results to include only records first seen + before this date (YYYY-MM-DD). | false | "" | - | Last Seen Before | string | No | Filter results to include only records last - seen before this date (YYYY-MM-DD). | + | Last Seen After | string | Filter results to include only records last seen + after this date (YYYY-MM-DD). | false | "" | - | As Of | string | No | Retrieve DNS records as they existed at a specific point - in time. | + | Last Seen Before | string | Filter results to include only records last seen + before this date (YYYY-MM-DD). | false | "" | - | Sort | string | No | The field by which to sort the results (e.g., 'date'). - | + | As Of | string | Retrieve DNS records as they appeared at a specific point in + time. | false | "" | - | Output Format | string | No | The format for the returned results (e.g., 'JSON'). - | + | Sort | string | Field by which to sort the results (e.g., date, score). | false + | "" | - | Prefer | string | No | Preference for specific DNS servers or data sources. - | + | Output Format | string | The format for the returned results (e.g., JSON, XML). + | false | "" | - | With Metadata | string | No | Flag to include additional metadata in the DNS - records. | + | Prefer | string | Preference for specific DNS servers or data sources. | false + | "" | - | Max Wait | string | No | Maximum seconds to wait for the API to return results. - | + | With Metadata | string | Boolean flag to include additional metadata in the + records. | false | "" | - | Skip | string | No | Number of results to skip for pagination. | + | Max Wait | string | Maximum seconds to wait for the API response (0-25). | false + | "" | - | Limit | string | No | Maximum number of results to return. | + | Skip | string | Number of results to skip for pagination. | false | "" | + + | Limit | string | Maximum number of results to return. | false | "" | ### Additional Notes - Although the script iterates through the entities present in the Google SecOps - scope, it does not use the entity identifiers to perform the lookup. The search - is entirely driven by the `Qname` and `Qtype` action parameters provided by the - user or playbook. + - This action is parameter-driven and does not automatically iterate over entities + in the SecOps case. The `Qname` must be provided manually or mapped from a previous + step. + - The `Max Wait` parameter is constrained by the API to a value between 0 and + 25 seconds. - ### Flow Description - 1. **Initialization**: The action retrieves the Silent Push API key and Server - URL from the integration configuration. + ### Flow Description - 2. **Parameter Extraction**: It extracts 18 potential search and filter parameters - from the action input, with `Qname` being the primary mandatory search term. + 1. **Initialization**: The action extracts the Silent Push server URL and API + key from the integration configuration. - 3. **API Request**: The action initializes the `SilentPushManager` and executes - a GET request to the reverse PADNS endpoint (`explore/padns/lookup/answer`). + 2. **Parameter Extraction**: It retrieves all user-provided parameters, ensuring + the mandatory `Qname` is present. - 4. **Data Processing**: It parses the JSON response from Silent Push, specifically - looking for the `records` list within the response object. + 3. **API Request**: The action calls the Silent Push `reverse_padns_lookup` endpoint + using a GET request, passing the `Qtype`, `Qname`, and all optional filters. - 5. **Error Handling**: The script validates the response; if the API returns an - error or if no records are found for the given criteria, the action is marked + 4. **Data Validation**: It checks the API response for errors or empty record + sets. If the API returns an error or no records are found, the action is marked as failed. - 6. **Finalization**: If successful, the DNS records are returned as a JSON result, - and the action completes. + 5. **Result Output**: If successful, the retrieved DNS records are returned as + a JSON result for use in subsequent playbook steps. capabilities: can_create_case_comments: false can_create_insight: false @@ -1942,65 +2346,78 @@ Reverse Padns Lookup: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Run Threat check: ai_description: >- - ### General Description - - The **Run Threat check** action queries the Silent Push Threat Check API to retrieve - intelligence on a specific indicator, such as an IP address or domain. It allows - users to verify if a value is present within a specific Silent Push data source - (e.g., 'iofa') and returns the associated threat data. This action is primarily - used for manual or automated lookups of indicators that may not be directly associated - with the current alert's entities. + Runs a threat check against the Silent Push Threat Check API to evaluate the risk + associated with a specific indicator, such as an IP address or a domain. This + action queries a specified data source within Silent Push and returns threat intelligence + data based on the provided query value. ### Parameters Description + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Data** | string | Yes | The name of the Silent Push data source to query (e.g., + | Data | string | Yes | The name of the Silent Push data source to query (e.g., 'iofa'). | - | **Query** | string | Yes | The specific value to check for threats, such as - an IP address or a domain name. | + | Query | string | Yes | The specific value to check for threats, such as an IP + address or a domain name. | - | **Type** | string | Yes | The type of the value being queried (e.g., 'ip', 'domain'). + | Type | string | Yes | The category of the query value (e.g., 'ip', 'domain'). | - | **User Identifier** | string | Yes | A unique identifier for the user making - the request, used by Silent Push for tracking and auditing. | - + | User Identifier | string | Yes | A unique identifier for the user or system + making the request, used for tracking and attribution. | - ### Additional Notes - - - This action does not automatically process entities from the Google SecOps case; - it relies entirely on the manually provided **Query** parameter. - - Although the underlying script attempts to extract `Feed UUID` and `ASN` parameters, - these are not defined in the action's metadata and are only used for error logging - purposes. - - - The action does not update entity attributes, create insights, or add case comments - within Google SecOps; it only returns the raw API result in the output message. + ### Flow Description - ### Flow Description + 1. **Configuration Extraction:** The action retrieves the Silent Push Server URL + and API Key from the integration configuration. - 1. **Configuration Extraction:** Retrieves the Silent Push Server URL and API - Key from the integration's global configuration. + 2. **Parameter Retrieval:** It extracts the mandatory action parameters: Data + source, Query value, Type, and User Identifier. - 2. **Parameter Retrieval:** Extracts the data source, query value, query type, - and user identifier from the action's input parameters. + 3. **API Interaction:** The action initializes the Silent Push Manager and performs + a GET request to the Threat Check API endpoint (`https://api.threatcheck.silentpush.com/v1/`) + using the provided parameters. - 3. **API Interaction:** Executes a GET request to the Silent Push Threat Check - API endpoint (`https://api.threatcheck.silentpush.com/v1/`) using the provided - parameters. + 4. **Result Processing:** The action receives the threat check data from Silent + Push. If no data is found or an error occurs, the action fails with a descriptive + message. - 4. **Result Processing:** If the API returns data, the action formats the response - into an output message. If no data is found or the request fails, the action terminates - with a failure status and logs the error. + 5. **Completion:** The retrieved threat data is returned as a JSON result, and + the action completes successfully. capabilities: can_create_case_comments: false can_create_insight: false @@ -2028,51 +2445,50 @@ Run Threat check: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Screenshot URL: - ai_description: >- - ### General Description - - The **Screenshot URL** action generates a visual capture of a specified web address - using the Silent Push platform. This capability allows security analysts to safely - inspect the content of a URL without direct interaction, facilitating the investigation - of phishing, malware distribution, or suspicious landing pages. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | URL | String | Yes | The full web address (e.g., https://example.com) to be - screenshotted. | - - - ### Flow Description - - 1. **Setup**: Extracts the Silent Push API credentials and the target URL from - the action parameters. - - 2. **Screenshot Generation**: Communicates with the Silent Push API's `scanondemand` - endpoint to request a live screenshot of the provided URL. - - 3. **Response Parsing**: Validates the API response to ensure a screenshot URL - was successfully generated and returned. - - 4. **Image Verification**: Performs an HTTP GET request to the resulting image - URL to verify that the file is accessible and the capture was successful. - - 5. **Completion**: Returns the URL of the generated screenshot as a JSON result - for use in subsequent playbook steps or manual review. - - - ### Additional Notes - - - This action is driven by the `URL` input parameter and does not automatically - map or filter based on existing case entities. - - - Because the action involves downloading/verifying a file (the screenshot image), - it is not classified as a standard enrichment action. + ai_description: "Generates a screenshot of a specified URL using the Silent Push\ + \ platform's on-demand scan capabilities. This action is primarily used to visually\ + \ verify the content of a suspicious or malicious URL without requiring the analyst\ + \ to visit the site directly. \n\n### Flow Description:\n1. **Configuration Extraction:**\ + \ Retrieves the Silent Push Server URL and API Key from the integration settings.\n\ + 2. **Parameter Retrieval:** Extracts the target URL provided by the user.\n3.\ + \ **Screenshot Request:** Calls the Silent Push API (`explore/tools/scanondemand`)\ + \ to initiate a live scan and generate a screenshot.\n4. **URL Validation:** Parses\ + \ the returned screenshot URL and performs a GET request to ensure the image is\ + \ accessible and the server returns a successful HTTP 200 status.\n5. **Result\ + \ Processing:** Returns the final screenshot URL as a JSON result for use in subsequent\ + \ playbook steps.\n\n### Parameters Description:\n| Parameter Name | Type | Mandatory\ + \ | Description |\n| :--- | :--- | :--- | :--- |\n| URL | string | Yes | The specific\ + \ URL for which to generate a screenshot. Defaults to a VirusTotal domain lookup\ + \ if not specified. |\n\n### Additional Notes:\n- This action does not automatically\ + \ attach the image to the case wall; it provides the URL to the generated image.\n\ + - While the script iterates over target entities, it does not use them for the\ + \ logic; the operation is entirely driven by the `URL` input parameter." capabilities: can_create_case_comments: false can_create_insight: false @@ -2100,64 +2516,87 @@ Screenshot URL: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Search Scan Data: ai_description: >- - ### General Description - - The **Search Scan Data** action enables users to search through Silent Push's - scan data repositories using SPQL (Silent Push Query Language) queries. This action - is primarily used for threat hunting and data discovery, allowing for complex - queries against raw scan data to identify infrastructure patterns or specific - assets. + Searches Silent Push scan data repositories using SPQL (Silent Push Query Language) + queries. This action allows analysts to perform complex searches across Silent + Push's raw scan data to identify infrastructure patterns, certificates, or other + technical attributes. The results are returned as a JSON object containing the + raw scan records. ### Parameters Description + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Query** | String | Yes | The SPQL query string used to filter scan data (e.g., + | Query | string | Yes | The SPQL query string used to filter scan data (e.g., `tld=cool`). | - | **Fields** | String | No | Specifies which fields to return in the response. - Note: The script logic currently evaluates this as a boolean presence check. | + | Fields | string | No | Specific fields to return in the response. | - | **sort** | String | No | Sorting criteria for the results. | + | sort | string | No | Sorting criteria for the results. | - | **Skip** | String | No | The number of records to skip in the response, used - for pagination. | + | Skip | string | No | Number of records to skip in the response (pagination). + | - | **Limit** | String | No | The maximum number of records to return. | + | Limit | string | No | Maximum number of results to return. | - | **With Metadata** | Boolean | No | Whether to include metadata in the response. - Defaults to `true`. | + | With Metadata | boolean | No | Whether to include metadata in the response. + Defaults to true. | ### Additional Notes - - This action is a standalone search tool and does not utilize or enrich entities - (IPs, Domains, etc.) currently present in the Google SecOps case. It relies entirely - on the manual `Query` input. + - This action does not run on specific entities; it performs a global search based + on the provided SPQL query. - - If the search returns no results, the action will terminate with a failure state. + - The action uses a POST request to the `explore/scandata/search/raw` endpoint. ### Flow Description - 1. **Configuration**: Retrieves the Silent Push Server URL and API Key from the - integration settings. + 1. **Configuration Extraction:** Retrieves the Silent Push Server URL and API + Key from the integration settings. - 2. **Input Parsing**: Extracts the SPQL query and optional parameters (Limit, - Skip, Fields, Metadata) from the action configuration. + 2. **Parameter Parsing:** Extracts the SPQL query and optional filters (Fields, + Limit, Skip, etc.) from the action parameters. - 3. **API Execution**: Performs a POST request to the Silent Push `explore/scandata/search/raw` - endpoint with the provided query. + 3. **API Interaction:** Initializes the Silent Push Manager and sends a POST request + to the scan data search endpoint with the query and filters. - 4. **Response Handling**: Parses the `scandata_raw` results from the API response. + 4. **Data Processing:** Parses the API response to extract the `scandata_raw` + records. - 5. **Finalization**: Logs the number of records found and completes the execution. - If no records are found, it logs an error and fails the action. + 5. **Result Finalization:** Returns the found records to the Google SecOps platform + or fails if no records are found or an error occurs. capabilities: can_create_case_comments: false can_create_insight: false @@ -2185,16 +2624,40 @@ Search Scan Data: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false search domains: ai_description: >- ### General Description - This action searches for domains within the Silent Push platform using a wide - variety of filtering criteria. It allows security analysts to perform advanced - discovery of infrastructure by querying domain names, name servers, ASNs, registrars, - and SSL certificate issuers. The action is primarily used for threat hunting and - infrastructure mapping, returning a list of domain records that match the specified - search parameters. + The **search domains** action allows users to query the Silent Push platform for + domains matching specific criteria. It is a flexible search tool that supports + wildcards, regex patterns, and various infrastructure filters such as Name Servers, + ASNs, and Registrars. This action is primarily used for threat hunting and infrastructure + analysis by identifying domains associated with specific network attributes. ### Parameters Description @@ -2207,10 +2670,10 @@ search domains: | | Domain Regex | string | No | A valid RE2 regex pattern to match domains. If - provided, this typically overrides the standard domain argument. | + provided, this overrides the 'Domain' argument. | - | Name Server | string | No | Name server name or wildcard pattern used by the - domains. | + | Name Server | string | No | Name server name or wildcard pattern of the name + server used by domains. | | Asnum | string | No | Autonomous System (AS) number to filter domains. | @@ -2232,8 +2695,8 @@ search domains: | Whois Date After | string | No | Filter domains with a WHOIS creation date after this date (format: YYYY-MM-DD). | - | Skip | string | No | Number of results to skip in the search query (used for - pagination). | + | Skip | string | No | Number of results to skip in the search query for pagination. + | | Limit | string | No | Number of results to return. Defaults to the SilentPush API's default behavior. | @@ -2241,31 +2704,34 @@ search domains: ### Additional Notes - * The underlying Python script also attempts to extract parameters for `Start - Date`, `End Date`, `Risk Score Min`, and `Risk Score Max`, although these are - not explicitly defined in the provided YAML configuration. + - The action returns a JSON result containing the list of matching domain records + found in the Silent Push database. + + - Although the underlying Python code attempts to extract parameters like `Start + Date`, `End Date`, `Risk Score Min`, and `Risk Score Max`, these are not currently + defined in the action's metadata and may not be available in the UI unless the + integration is customized. - * The action returns the search results as a string representation of the records - list in the output message. + - This action does not automatically process or enrich entities currently present + in the Google SecOps case; it functions as a standalone search utility. ### Flow Description - 1. **Initialization**: The action initializes the `SilentPushManager` using the - integration's Server URL and API Key. + 1. **Initialization**: The action initializes the Silent Push manager using the + server URL and API key provided in the integration configuration. - 2. **Parameter Extraction**: It retrieves all search filters from the action - parameters, including domain patterns, regex, network identifiers (ASN), and registration - details. + 2. **Parameter Extraction**: It retrieves the search filters and pagination settings + (Skip/Limit) from the action parameters. - 3. **API Request**: It performs a GET request to the Silent Push `explore/domain/search` - endpoint, passing the filtered parameters as query arguments. + 3. **API Request**: The action executes a GET request to the Silent Push `explore/domain/search` + endpoint, passing all provided filters as query parameters. - 4. **Response Processing**: The action parses the JSON response to extract the - list of domain records found. + 4. **Data Processing**: It parses the API response to extract domain records. + If no records are found, it prepares a message indicating no results were returned. - 5. **Completion**: It sets the action's output message to include the retrieved - records and marks the execution as completed. + 5. **Completion**: The action returns the raw JSON records to the SecOps platform + and completes the execution successfully. capabilities: can_create_case_comments: false can_create_insight: false @@ -2293,3 +2759,28 @@ search domains: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/partner/silentpush/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/silentpush/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..2e831240c --- /dev/null +++ b/content/response_integrations/third_party/partner/silentpush/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + siem: false + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/silverfort/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/silverfort/resources/ai/actions_ai_description.yaml index 6a797b13d..879439ca0 100644 --- a/content/response_integrations/third_party/partner/silverfort/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/silverfort/resources/ai/actions_ai_description.yaml @@ -2,39 +2,40 @@ Change Policy State: ai_description: >- ### General Description - This action enables or disables an authentication policy in Silverfort. It allows - security analysts to quickly toggle the active state of a policy without needing - to modify its underlying configuration. This is useful for emergency containment - or temporary policy adjustments during an incident. + Enable or disable an authentication policy in Silverfort. This action provides + a streamlined way to toggle the active status of a specific policy without altering + its internal configuration or rules. It is particularly useful for temporary policy + adjustments during incident response or maintenance windows. ### Parameters Description - | Parameter | Type | Mandatory | Description | + + | Parameter | Description | Type | Mandatory | | :--- | :--- | :--- | :--- | - | Policy ID | string | Yes | The unique identifier of the Silverfort policy to - be enabled or disabled. | + | Policy ID | The unique identifier of the Silverfort policy to be modified. | + String | Yes | - | Enable Policy | boolean | Yes | Set to `true` to enable the policy or `false` - to disable it. | + | Enable Policy | Determines the new state of the policy. Set to `True` to activate + the policy or `False` to deactivate it. | Boolean | Yes | ### Flow Description - 1. **Parameter Extraction**: The action retrieves the `Policy ID` and the desired + 1. **Parameter Extraction**: The action retrieves the `Policy ID` and the target `Enable Policy` state from the user input. - 2. **API Client Initialization**: It initializes the Silverfort Policy API client + 2. **Client Initialization**: It initializes the Silverfort Policy API client using the configured integration credentials. - 3. **State Change Request**: The action sends a POST request to the Silverfort - `/v1/public/changePolicyState` endpoint with the policy ID and the target state. + 3. **API Request**: The action sends a POST request to the Silverfort `/v1/public/changePolicyState` + endpoint with the policy ID and the desired state. - 4. **Result Processing**: Upon a successful API response, the action constructs - a JSON result containing the policy ID and its new status, and provides a success - message to the SOAR case wall. + 4. **Result Processing**: Upon a successful response from the API, the action + generates a success message and populates the JSON results with the updated policy + status. capabilities: can_create_case_comments: false can_create_insight: false @@ -43,9 +44,8 @@ Change Policy State: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - This action changes the 'enabled' or 'disabled' state of an authentication policy - within the Silverfort platform via a POST request to the /v1/public/changePolicyState - endpoint. + Enables or disables an authentication policy in Silverfort by updating its active + state via the Policies API. fetches_data: false internal_data_mutation_explanation: null categories: @@ -65,15 +65,40 @@ Change Policy State: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Entity Risk: ai_description: >- ### General Description - This action retrieves detailed risk information for a specific user or resource - from the Silverfort Identity Security platform. It provides visibility into the - security posture of an entity by returning its current risk score, severity level - (e.g., Low, Medium, High, Critical), and specific risk factors identified by Silverfort's - analysis engine. + Retrieves detailed risk information for a specific user or resource from the Silverfort + Identity Security platform. This action provides visibility into an entity's security + posture by returning its current risk score, severity level (e.g., Low, Medium, + High, Critical), and specific risk factors identified by Silverfort's analysis + engine. ### Parameters Description @@ -82,35 +107,38 @@ Get Entity Risk: | :--- | :--- | :--- | :--- | - | User Principal Name | String | No* | The User Principal Name (UPN) of the user - (e.g., user@domain.com). | - - | Resource Name | String | No* | The name of the resource for non-user entities. + | User Principal Name | String | No | The User Principal Name (UPN) of the user + to query (e.g., `user@domain.com`). Either this or 'Resource Name' must be provided. | + | Resource Name | String | No | The name of the resource/asset to query. Either + this or 'User Principal Name' must be provided. | - **Additional Notes:** Either the 'User Principal Name' or the 'Resource Name' - must be provided for the action to execute successfully. If both are missing, - the action will fail with a validation error. + ### Additional Notes - ### Flow Description + - This action requires the **Risk API** credentials (App User ID and Secret) to + be configured in the Silverfort integration settings. - 1. **Parameter Extraction**: The action extracts the 'User Principal Name' and - 'Resource Name' from the input parameters. + - At least one identifier ('User Principal Name' or 'Resource Name') is required + for the action to execute successfully. If both are provided, the action will + query the API using both identifiers. - 2. **Validation**: It validates that at least one of the two identifiers is provided - to ensure the API request has a target entity. - 3. **API Client Initialization**: The action initializes the Silverfort Risk API - client using the integration's configured credentials and API root. + ### Flow Description + + 1. **Parameter Extraction**: The action retrieves the 'User Principal Name' and + 'Resource Name' from the user input. - 4. **Data Retrieval**: It performs a GET request to the Silverfort `/v1/public/getEntityRisk` - endpoint using the provided identifier. + 2. **Validation**: It checks that at least one of the two identifier parameters + contains a value. If both are empty, the action terminates with an error. - 5. **Result Processing**: The action captures the risk score, severity, and risk - factors from the API response, stores them in the action's JSON results, and generates - a success message for the case wall. + 3. **API Interaction**: The action authenticates with the Silverfort Risk API + and performs a GET request to fetch the risk profile for the specified entity. + + 4. **Result Processing**: The action captures the API response, which includes + the risk score, severity, and a list of risk factors, and attaches it to the action's + JSON results. capabilities: can_create_case_comments: false can_create_insight: false @@ -138,49 +166,74 @@ Get Entity Risk: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Policy: ai_description: >- - ### General Description - The **Get Policy** action retrieves comprehensive configuration details for a - specific authentication policy within the Silverfort platform. It is used to inspect - policy settings, including associated users, groups, source/destination constraints, - and the specific security actions (e.g., MFA, Block) defined for that policy. + specific authentication policy from the Silverfort platform using its unique Policy + ID. This action is primarily used to audit policy settings, verify security controls, + or gather context during an investigation regarding how specific users or resources + are being authenticated. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Policy ID** | String | Yes | The unique identifier of the Silverfort policy - to retrieve. | + | **Policy ID** | string | Yes | The unique identifier (GUID) of the Silverfort + policy to retrieve. | ### Flow Description - 1. **Parameter Extraction:** The action extracts the mandatory `Policy ID` from - the input parameters. + 1. **Parameter Extraction:** The action extracts the `Policy ID` provided by the + user. - 2. **Client Initialization:** It initializes an authenticated connection to the - Silverfort Policies API using the configured credentials. + 2. **Client Initialization:** It initializes the Silverfort Policy API client + using the configured integration credentials (API Root, External API Key, and + Policy App User credentials). - 3. **Data Retrieval:** The action sends a GET request to the Silverfort API endpoint - `/v2/public/policies/{policy_id}` to fetch the policy details. + 3. **API Request:** The action sends a GET request to the Silverfort V2 Policies + API endpoint (`/v2/public/policies/{policy_id}`). - 4. **Result Processing:** The retrieved policy configuration is parsed into a - structured JSON object and returned as the action's result, providing visibility - into the policy's state and rules. + 4. **Data Processing:** Upon a successful response, the action parses the policy + metadata, including enabled status, authentication types, protocols, sources, + destinations, and associated actions (e.g., MFA prompts). + 5. **Output:** The complete policy configuration is returned as a JSON object, + and a success message is displayed in the SOAR interface. - ### Additional Notes - - This action does not operate on SOAR entities; it requires a specific Policy - ID as input. + ### Additional Notes - - The returned data includes detailed configuration such as authentication types, - protocols, and destination services. + * This action requires the **Policies App User ID** and **Policies App User Secret** + to be configured in the integration settings to access the Policies API. capabilities: can_create_case_comments: false can_create_insight: false @@ -208,50 +261,76 @@ Get Policy: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Service Account: ai_description: >- - ### General Description - Retrieves detailed information about a specific service account from Silverfort - using its unique identifier (GUID). This action provides comprehensive attributes - for the account, including its risk score, predictability, protection status, - authentication counts, and privilege levels. It is primarily used for deep-dive - investigation into service account behavior and security posture within the Silverfort - environment. + using its unique identifier (GUID). This action is used to gather contextual metadata + such as risk scores, predictability, protection status, and account attributes + (UPN, DN, SPN) for a service account. The retrieved data is returned as a JSON + object for use in subsequent playbook steps. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Service Account GUID | String | Yes | The unique identifier (GUID) of the service + | Service Account GUID | string | Yes | The unique identifier (GUID) of the service account to retrieve from Silverfort. | - ### Additional Notes + ### Flow Description - This action does not automatically iterate over entities in the Google SecOps - case. It requires the specific GUID of the service account to be provided as an - input parameter. The results are returned as a JSON object for use in downstream - playbook logic. + 1. **Parameter Extraction:** The action retrieves the mandatory `Service Account + GUID` from the input parameters. + 2. **Client Initialization:** It initializes the Silverfort Service Account API + client using the configured API Root and Service Account-specific JWT credentials. - ### Flow Description + 3. **Data Retrieval:** The action performs a GET request to the Silverfort API + endpoint `/v1/public/serviceAccounts/{guid}`. - 1. **Parameter Extraction**: The action extracts the mandatory `Service Account - GUID` from the input parameters. + 4. **Result Processing:** The API response is parsed into a structured `ServiceAccount` + data model. - 2. **Client Initialization**: It initializes the Silverfort Service Account API - client using the configured integration credentials and an authenticated JWT session. + 5. **Output:** The service account details are saved to the action's JSON results, + and a success message is generated including the account's display name or UPN. - 3. **Data Retrieval**: The action performs a GET request to the Silverfort API - endpoint `/v1/public/serviceAccounts/{guid}` to fetch the account's metadata. - 4. **Result Processing**: The retrieved service account data is converted to a - JSON format and attached to the action's results. A success message is generated - containing the account's display name or UPN. + ### Additional Notes + + - This action requires the **Service Accounts App User ID** and **Service Accounts + App User Secret** to be configured in the integration settings to generate the + necessary JWT authentication token. + + - If the provided GUID does not exist or the API credentials lack sufficient permissions, + the action will return an error. capabilities: can_create_case_comments: false can_create_insight: false @@ -279,61 +358,76 @@ Get Service Account: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false List Policies: ai_description: >- - ### General Description - - This action retrieves a comprehensive list of authentication policies from the - Silverfort Identity Security platform. It allows users to fetch all configured - policies or filter the response to include only specific fields of interest, such - as policy names, status, authentication types, and protocols. This is primarily - used for auditing, configuration review, or as a helper step in automation playbooks - to identify existing security controls. + Retrieves a comprehensive list of authentication policies from the Silverfort + platform. This action allows users to fetch policy configurations, including their + status, authentication types, protocols, and scope (users, groups, sources, and + destinations). It supports optional field filtering to limit the response to specific + data points of interest. - ### Parameters Description - - | Parameter | Description | Type | Mandatory | + ### Flow Description: - | :--- | :--- | :--- | :--- | + 1. **Parameter Extraction:** The action extracts the `Fields` parameter provided + by the user. - | Fields | A comma-separated list of specific policy attributes to include in - the response (e.g., `enabled, policyName, action`). If left empty, all available - fields are returned. Valid fields include: `enabled`, `policyName`, `authType`, - `protocols`, `policyType`, `allUsersAndGroups`, `usersAndGroups`, `allDevices`, - `sources`, `allDestinations`, `destinations`, `action`, `MFAPrompt`, `all`, `bridgeType`. - | String | No | + 2. **Field Validation:** If fields are specified, the action validates them against + a list of supported policy fields (e.g., `policyName`, `enabled`, `authType`). + Invalid fields are logged as warnings and ignored. + 3. **API Interaction:** The action authenticates with the Silverfort Policies + API and sends a request to the policy index endpoint, passing the validated field + list. - ### Additional Notes + 4. **Result Processing:** The retrieved policy data is formatted into a JSON result + and the total count of policies is reported in the output message. - - If invalid fields are provided in the `Fields` parameter, the action will log - a warning and ignore the invalid entries while continuing to process the valid - ones. - - This action does not require or interact with any specific entities (like IPs - or Users) from the Google SecOps case; it performs a global query against the - Silverfort environment. + ### Parameters Description: + | Parameter | Type | Mandatory | Description | - ### Flow Description + | :--- | :--- | :--- | :--- | - 1. **Parameter Extraction:** The action retrieves the `Fields` input provided - by the user. + | Fields | string | No | A comma-separated list of specific policy fields to include + in the response. If left empty, all available fields are returned. Supported fields + include: `enabled`, `policyName`, `authType`, `protocols`, `policyType`, `allUsersAndGroups`, + `usersAndGroups`, `allDevices`, `sources`, `allDestinations`, `destinations`, + `action`, `MFAPrompt`, `all`, `bridgeType`. | - 2. **Field Validation:** If fields are specified, the script parses the comma-separated - string and validates each field against the supported Silverfort policy schema. - Invalid fields are logged as warnings. - 3. **API Client Initialization:** The action initializes a `PolicyApiClient` using - the integration's configured API Root and credentials (JWT-based authentication). + ### Additional Notes: - 4. **Data Retrieval:** The action sends a request to the Silverfort `/v2/public/policies/index` - endpoint to fetch the policy data. + - This action does not operate on specific entities (like IPs or Users) but rather + fetches global configuration data from the Silverfort environment. - 5. **Result Processing:** The retrieved list of policies is converted into a JSON - format and attached to the action's results. A success message indicating the - total count of policies found is generated. + - The action uses the Policies API v2 endpoint. capabilities: can_create_case_comments: false can_create_insight: false @@ -361,16 +455,40 @@ List Policies: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false List Service Accounts: ai_description: >- ### General Description The **List Service Accounts** action retrieves a paginated list of service accounts - from the Silverfort platform. This action is primarily used for discovery and - auditing of service accounts within the environment, providing details such as - risk levels, protection status, and authentication patterns. It allows security - analysts to query the Silverfort inventory without targeting specific entities - in a case. + from the Silverfort platform. This utility action allows analysts to browse or + audit service accounts, providing visibility into their attributes, risk levels, + and protection status. It is primarily used for discovery and reporting rather + than direct incident response on specific entities. ### Parameters Description @@ -379,45 +497,46 @@ List Service Accounts: | :--- | :--- | :--- | :--- | - | **Page Size** | String | No | The number of results to return per page (range - 1-100). Defaults to 50. | + | Page Size | String | No | The number of results to return per page (1-100). + Defaults to 50. | - | **Page Number** | String | No | The specific page number of results to retrieve. - Defaults to 1. | + | Page Number | String | No | The specific page number to retrieve. Defaults to + 1. | - | **Fields** | String | No | A comma-separated list of specific service account - attributes to include in the response (e.g., `guid`, `risk`, `upn`). If left empty, - all available fields are returned. | + | Fields | String | No | A comma-separated list of specific attributes to include + in the response (e.g., `guid, display_name, risk`). If left empty, all available + fields are returned. | ### Flow Description - 1. **Parameter Extraction**: The action retrieves the user-provided pagination - settings (Page Size and Page Number) and the list of requested fields. + 1. **Parameter Extraction**: The action retrieves the `Page Size`, `Page Number`, + and `Fields` from the user input. 2. **Field Validation**: If specific fields are requested, the action validates - them against a predefined list of supported Silverfort service account attributes - (e.g., `guid`, `display_name`, `risk`). Invalid fields are logged as warnings - and ignored. + them against the supported Silverfort service account schema (`SA_INDEX_FIELDS`). + Invalid fields are logged as warnings and ignored. + + 3. **API Request**: The action authenticates using the Service Accounts API credentials + and sends a POST request to the `/v1/public/serviceAccounts/index` endpoint with + the pagination and field selection criteria. - 3. **API Request**: The action initializes a connection to the Silverfort Service - Accounts API and sends a POST request to the `/v1/public/serviceAccounts/index` - endpoint to fetch the data based on the pagination and field filters. + 4. **Data Processing**: The retrieved service account data is parsed into a structured + format and stored in the action's JSON results. - 4. **Result Processing**: The retrieved list of service accounts is formatted - into a JSON result, and a summary message is generated indicating the number of + 5. **Output**: The action provides a summary message indicating the number of accounts found on the requested page. ### Additional Notes - - This action does not operate on specific entities within the SOAR case; it performs - a global query against the Silverfort environment. + - This action does not operate on specific entities within a case; it is a global + search/list operation. - - Valid fields for the **Fields** parameter include: `guid`, `display_name`, `sources_count`, - `destinations_count`, `number_of_authentications`, `risk`, `predictability`, `protected`, - `upn`, `dn`, `spn`, `comment`, `owner`, `type`, `domain`, `category`, `creation_date`, - `highly_privileged`, `interactive_login`, `broadly_used`, `suspected_brute_force`, + - Supported fields for the `Fields` parameter include: `guid`, `display_name`, + `sources_count`, `destinations_count`, `number_of_authentications`, `risk`, `predictability`, + `protected`, `upn`, `dn`, `spn`, `comment`, `owner`, `type`, `domain`, `category`, + `creation_date`, `highly_privileged`, `interactive_login`, `broadly_used`, `suspected_brute_force`, `repetitive_behavior`. capabilities: can_create_case_comments: false @@ -446,69 +565,58 @@ List Service Accounts: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: - ai_description: >- - ### General Description - - The **Ping** action is used to verify the connectivity between Google SecOps and - the Silverfort API. It ensures that the provided **External API Key** is valid - and tests the connection for each specific Silverfort module (Risk, Service Accounts, - and Policies) that has been configured with credentials. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **API Root** | String | Yes | The base URL of the Silverfort API instance. | - - | **External API Key** | String | Yes | The primary API key used for authentication - across all Silverfort services. | - - | **Verify SSL** | Boolean | No | If enabled, the action will verify the SSL certificate - of the Silverfort API. Defaults to `True`. | - - | **Risk App User ID / Secret** | String | No | Credentials required to test connectivity - specifically for the Risk API. | - - | **Service Accounts App User ID / Secret** | String | No | Credentials required - to test connectivity specifically for the Service Accounts API. | - - | **Policies App User ID / Secret** | String | No | Credentials required to test - connectivity specifically for the Policies API. | - - - ### Additional Notes - - - At least one set of API credentials (Risk, Service Accounts, or Policies) must - be configured in the integration settings for the action to perform specific module - tests. - - - If no module-specific credentials are provided, the action will raise an error - indicating that no credentials are configured. - - - ### Flow Description - - 1. **Configuration Retrieval:** The action fetches the integration parameters, - including the API Root and various credentials. - - 2. **API Identification:** It determines which Silverfort APIs (Risk, Service - Accounts, Policies) are configured based on the presence of User IDs and Secrets. - - 3. **Connectivity Testing:** For each configured API, the action performs a lightweight - request: - - **Risk API:** Attempts a GET request to the `getEntityRisk` endpoint. - - **Service Accounts API:** Attempts a POST request to the `list_service_accounts` - endpoint with a page size of 1. - - **Policies API:** Attempts a GET request to the `get_rules_names_and_ids` - endpoint. - 4. **Result Aggregation:** The action collects the results. If all configured - APIs connect, it returns a success message. If some fail, it returns a partial - success message listing the failed modules. If all fail or none are configured, - it returns an error. + ai_description: "### General Description\nThe **Ping** action is a utility designed\ + \ to verify the connectivity between Google SecOps and the Silverfort Identity\ + \ Security platform. It validates the integration's configuration by testing the\ + \ reachability of the Silverfort API Root and the validity of the provided credentials.\ + \ Specifically, it checks the connectivity for each configured API module: Risk,\ + \ Service Accounts, and Policies. This ensures that subsequent actions relying\ + \ on these specific modules will function correctly.\n\n### Parameters Description\n\ + There are no user-input parameters for this action. It relies entirely on the\ + \ integration's global configuration settings (API Root, External API Key, and\ + \ module-specific App User IDs/Secrets).\n\n### Additional Notes\n* The action\ + \ requires at least one set of API credentials (Risk, Service Accounts, or Policies)\ + \ to be configured in the integration settings to perform a meaningful test.\n\ + * The connectivity test for each module is lightweight: the Risk API performs\ + \ a dummy risk lookup, the Service Accounts API attempts a paginated list request,\ + \ and the Policies API retrieves a list of rule names.\n\n### Flow Description\n\ + 1. **Configuration Retrieval:** The action fetches the global integration parameters,\ + \ including the API Root and authentication keys.\n2. **Module Identification:**\ + \ It identifies which Silverfort API modules (Risk, Service Accounts, Policies)\ + \ have credentials configured.\n3. **Connectivity Testing:** For each configured\ + \ module, the action initializes a specific API client and executes a `test_connectivity`\ + \ method.\n4. **Result Aggregation:** The action tracks which modules succeeded\ + \ and which failed.\n5. **Final Reporting:** \n * If all configured modules\ + \ connect successfully, it returns a success message.\n * If some modules\ + \ fail while others succeed, it returns a partial success message detailing the\ + \ status of each.\n * If no modules are configured or all configured modules\ + \ fail, it raises an error." capabilities: can_create_case_comments: false can_create_insight: false @@ -517,7 +625,7 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: false + fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false @@ -536,61 +644,85 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Update Entity Risk: ai_description: >- - ### General Description + Updates risk information for a user in Silverfort. This action allows security + analysts to manually or automatically adjust a user's risk profile based on external + threat intelligence or specific security events observed in the environment. By + setting a specific risk type and severity, Silverfort can adjust its authentication + policies for that user. - Updates risk information for a specific user in Silverfort. This action allows - security analysts to manually or automatically adjust a user's risk profile (type, - severity, and duration) based on external intelligence or observed behavior within - the Silverfort platform. + ### Flow Description - ### Parameters Description - - | Parameter | Type | Mandatory | Description | + 1. **Parameter Extraction:** The action retrieves the User Principal Name (UPN), + risk type, severity level, validity duration, and a descriptive reason from the + input parameters. - | :--- | :--- | :--- | :--- | + 2. **Validation:** It validates that the provided risk type and severity match + Silverfort's supported enums and ensures the validity duration is a positive integer. - | User Principal Name | String | Yes | The user principal name (e.g., user@domain.com) - of the user whose risk profile is being updated. | + 3. **API Interaction:** The action initializes a connection to the Silverfort + Risk API and sends a POST request to the `/v1/public/updateEntityRisk` endpoint + with the specified risk metadata. - | Risk Type | DDL | Yes | The specific category of risk to update. Options include: - `activity_risk`, `malware_risk`, `data_breach_risk`, or `custom_risk`. | + 4. **Result Reporting:** Upon a successful API response, the action returns a + success message and populates the JSON results with the updated risk details. - | Severity | DDL | Yes | The severity level to assign to the risk indicator. Options - include: `low`, `medium`, `high`, or `critical`. | - | Valid For Hours | String | Yes | The duration (in hours) for which this risk - indicator should remain valid. This must be a positive integer. | + ### Parameters Description - | Description | String | Yes | A descriptive text providing context or a reason - for the risk update. | + | Parameter Name | Type | Mandatory | Description | - ### Additional Notes + | :--- | :--- | :--- | :--- | - This action performs a state-changing operation in the external Silverfort system. - It does not automatically iterate over entities in the Google SecOps case; instead, - it relies on the provided `User Principal Name` parameter. + | User Principal Name | String | Yes | The user principal name (e.g., user@domain.com) + for whom the risk information will be updated. | + | Risk Type | DDL | Yes | The category of risk to update. Options include: `activity_risk`, + `malware_risk`, `data_breach_risk`, or `custom_risk`. | - ### Flow Description + | Severity | DDL | Yes | The severity level of the risk indicator. Options include: + `low`, `medium`, `high`, or `critical`. | - 1. **Parameter Extraction:** The action retrieves the UPN, risk type, severity, - duration, and description from the input parameters. + | Valid For Hours | String | Yes | The duration (in hours) for which this risk + indicator should remain active in Silverfort. Must be a positive integer. | - 2. **Validation:** It validates that the `Risk Type` and `Severity` match supported - Silverfort values and ensures the `Valid For Hours` is a positive integer. + | Description | String | Yes | A text description providing context or the reason + for the risk update. | - 3. **API Client Initialization:** Initializes the Silverfort Risk API client using - the configured integration credentials. - 4. **Risk Update Execution:** Constructs a risk update payload and sends a POST - request to the Silverfort `/v1/public/updateEntityRisk` endpoint. + ### Additional Notes - 5. **Result Reporting:** Captures the API response and updates the action's output - message and JSON results to reflect the success of the operation. + * This action requires the **Risk App User ID** and **Risk App User Secret** to + be configured in the integration settings to authenticate with the Silverfort + Risk API. capabilities: can_create_case_comments: false can_create_insight: false @@ -599,8 +731,8 @@ Update Entity Risk: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the risk level, risk type, and duration for a specific user principal - name in the Silverfort platform via a POST request. + Updates the risk score and risk factors for a specific user identity within + the Silverfort platform via the Risk API. fetches_data: false internal_data_mutation_explanation: null categories: @@ -620,14 +752,40 @@ Update Entity Risk: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: true + update_ticket: false Update Policy: ai_description: >- ### General Description Updates an existing authentication policy in Silverfort. This action allows for - the modification of a policy's operational state (enabled or disabled) and provides - granular control over the policy's scope by adding or removing specific users, - groups, network sources, and destinations. + comprehensive modification of a policy's configuration, including toggling its + enabled state and dynamically managing the lists of users, groups, network sources, + and destinations associated with it. It is primarily used to adjust security controls + or access permissions for specific entities within the Silverfort environment. ### Parameters Description @@ -637,57 +795,61 @@ Update Policy: | :--- | :--- | :--- | :--- | | Policy ID | String | Yes | The unique identifier of the Silverfort policy to - update. | + be updated. | - | Enabled | Boolean | No | Sets the policy to enabled (true) or disabled (false). - | + | Enabled | Boolean | No | Determines whether the policy should be active (true) + or inactive (false). | | Add Users and Groups | String | No | A JSON array of user/group objects to add - to the policy scope. Format: `[{"identifierType": "upn", "identifier": "user@domain.com"}]`. - | + to the policy. Format: `[{"identifierType": "upn", "identifier": "user@domain.com", + "displayName": "User Name", "domain": "domain.com"}]`. | | Remove Users and Groups | String | No | A JSON array of user/group objects to - remove from the policy scope. | + remove from the policy. Format: `[{"identifierType": "upn", "identifier": "user@domain.com", + "displayName": "User Name", "domain": "domain.com"}]`. | - | Add Sources | String | No | A JSON array of source objects (e.g., IP addresses) - to add to the policy. Format: `[{"identifierType": "ip", "identifier": "10.0.0.1"}]`. - | + | Add Sources | String | No | A JSON array of source objects to add. Format: `[{"identifierType": + "ip", "identifier": "10.0.0.1", "displayName": "Server"}]`. | - | Remove Sources | String | No | A JSON array of source objects to remove from - the policy. | + | Remove Sources | String | No | A JSON array of source objects to remove. Format: + `[{"identifierType": "ip", "identifier": "10.0.0.1", "displayName": "Server"}]`. + | | Add Destinations | String | No | A JSON array of destination objects to add. - Format: `[{"identifierType": "hostname", "identifier": "server.com", "services": - ["rdp"]}]`. | + Format: `[{"identifierType": "hostname", "identifier": "server.domain.com", "displayName": + "Server", "domain": "domain.com", "services": ["rdp"]}]`. | - | Remove Destinations | String | No | A JSON array of destination objects to remove - from the policy. | + | Remove Destinations | String | No | A JSON array of destination objects to remove. + Format: `[{"identifierType": "hostname", "identifier": "server.domain.com", "displayName": + "Server", "domain": "domain.com", "services": ["rdp"]}]`. | ### Additional Notes - The action expects JSON-formatted strings for all 'Add' and 'Remove' parameters. - Incorrectly formatted JSON will result in a validation error. + Ensure the JSON structure matches the examples provided in the parameter descriptions + to avoid parsing errors. - - This action utilizes the Silverfort Policies API v2. + - If no optional parameters are provided, the action will attempt to update the + policy with no changes, which may result in a successful but no-op API call. ### Flow Description - 1. **Parameter Extraction**: The action extracts the mandatory Policy ID and optional - configuration parameters from the SOAR environment. + 1. **Parameter Extraction:** The action retrieves the mandatory Policy ID and + all optional configuration parameters from the SOAR environment. - 2. **JSON Parsing**: Input strings for users, groups, sources, and destinations - are parsed from JSON into structured data models (`PolicyIdentifier` and `PolicyDestination`). + 2. **JSON Parsing:** It parses the provided JSON strings for users, groups, sources, + and destinations into structured data models (`PolicyIdentifier` and `PolicyDestination`). - 3. **Client Initialization**: The action initializes a `PolicyApiClient` using - the integration's configured credentials and API root. + 3. **API Client Initialization:** Initializes the Silverfort Policy API client + using configured credentials. - 4. **API Execution**: A PATCH request is sent to the Silverfort `/v2/public/policies/{policy_id}` - endpoint with the constructed payload containing the updates. + 4. **Policy Update:** Executes a PATCH request to the Silverfort API endpoint + `/v2/public/policies/{policy_id}` with the specified modifications. - 5. **Result Processing**: The action confirms the update status and returns a - success message along with the updated policy ID in the JSON results. + 5. **Result Reporting:** Captures the API response, updates the action's JSON + results with the policy status, and provides a success message to the case wall. capabilities: can_create_case_comments: false can_create_insight: false @@ -696,8 +858,8 @@ Update Policy: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the configuration, membership, and enabled status of an authentication - policy within the Silverfort platform via a PATCH request. + Updates the configuration of an authentication policy in Silverfort, including + its status and member lists (users, groups, sources, destinations). fetches_data: false internal_data_mutation_explanation: null categories: @@ -717,51 +879,112 @@ Update Policy: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Update SA Policy: - ai_description: "### General Description\nUpdates the protection policy for a specific\ - \ service account within the Silverfort Identity Security platform. This action\ - \ allows for granular control over how a service account is protected, including\ - \ its operational state, enforcement actions (blocking), and logging configurations.\ - \ It is primarily used to tune security policies or respond to identified risks\ - \ by modifying allowlists and protocol restrictions.\n\n### Parameters Description\n\ - | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ - | **Service Account GUID** | string | Yes | The unique identifier (GUID) of the\ - \ service account in Silverfort that you wish to update. |\n| **Enabled** | boolean\ - \ | No | If set to true, the policy is active. If false, the policy is disabled.\ - \ |\n| **Block** | boolean | No | If set to true, Silverfort will block authentication\ - \ attempts that violate the policy. |\n| **Send to SIEM** | boolean | No | If\ - \ set to true, policy violation events will be forwarded to the configured SIEM.\ - \ |\n| **Risk Level** | ddl | No | Sets the risk level threshold for the policy.\ - \ Supported values: `low`, `medium`, `high`. |\n| **Allow All Sources** | boolean\ - \ | No | If true, the policy will allow authentications from any source, ignoring\ - \ the specific allowed sources list. |\n| **Allow All Destinations** | boolean\ - \ | No | If true, the policy will allow authentications to any destination, ignoring\ - \ the specific allowed destinations list. |\n| **Protocols** | string | No | A\ - \ comma-separated list of protocols to allow (e.g., `Kerberos, ldap, ntlm`). |\n\ - | **Add Allowed Sources** | string | No | A JSON array of source objects to add\ - \ to the allowlist. Format: `[{\"key\": \"10.0.0.1\", \"key_type\": \"ip\"}]`.\ - \ |\n| **Remove Allowed Sources** | string | No | A JSON array of source objects\ - \ to remove from the allowlist. Format: `[{\"key\": \"10.0.0.1\", \"key_type\"\ - : \"ip\"}]`. |\n| **Add Allowed Destinations** | string | No | A JSON array of\ - \ destination objects to add to the allowlist. Format: `[{\"key\": \"10.0.0.1\"\ - , \"key_type\": \"ip\"}]`. |\n| **Remove Allowed Destinations** | string | No\ - \ | A JSON array of destination objects to remove from the allowlist. Format:\ - \ `[{\"key\": \"10.0.0.1\", \"key_type\": \"ip\"}]`. |\n\n### Additional Notes\n\ - - The `Add/Remove` parameters for sources and destinations require a specific\ - \ JSON format containing `key` and `key_type` fields. \n- Valid `key_type` values\ - \ typically include `ip`, `hostname`, or `dn` depending on the Silverfort API\ - \ version.\n- If `Allow All Sources` or `Allow All Destinations` is set to true,\ - \ the respective allowlists are effectively bypassed.\n\n### Flow Description\n\ - 1. **Parameter Extraction:** The action retrieves the Service Account GUID and\ - \ all optional policy configuration parameters from the user input.\n2. **Validation:**\ - \ It validates that the `Risk Level` and `Protocols` (if provided) match the allowed\ - \ enums defined in the Silverfort integration.\n3. **JSON Parsing:** It parses\ - \ the JSON strings for adding or removing sources and destinations into structured\ - \ `AllowedEndpoint` objects.\n4. **API Interaction:** The action uses the Silverfort\ - \ Service Account API client to send a POST request to the `/v1/public/serviceAccounts/policy/{guid}`\ - \ endpoint with the updated configuration payload.\n5. **Result Handling:** Upon\ - \ a successful API response, it generates a success message and returns a JSON\ - \ result indicating the GUID and the updated status." + ai_description: >- + Updates the protection policy for a specific service account in Silverfort. This + action allows for granular control over how a service account is protected, including + enabling/disabling the policy, toggling active blocking for violations, and configuring + SIEM logging. It also supports defining risk level thresholds, allowed protocols + (Kerberos, LDAP, NTLM), and managing allowlists for source and destination endpoints. + Sources and destinations can be added or removed using JSON-formatted arrays of + objects containing the endpoint key and its type (e.g., IP, hostname). + + + ### Flow Description + + 1. **Parameter Extraction:** Retrieves the mandatory Service Account GUID and + optional policy settings (Enabled, Block, Send to SIEM, Risk Level, etc.) from + the action parameters. + + 2. **Validation:** Validates that the provided Risk Level and Protocols match + the allowed values defined in the Silverfort integration constants. + + 3. **Endpoint Parsing:** Parses the JSON strings for adding or removing allowed + sources and destinations into structured endpoint objects. + + 4. **API Execution:** Calls the Silverfort Service Accounts API via a POST request + to the `/v1/public/serviceAccounts/policy/{guid}` endpoint with the updated configuration. + + 5. **Result Handling:** Returns a success message and a JSON object containing + the GUID and update status if the operation completes successfully. + + + ### Parameters Description + + | Parameter Name | Expected Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Service Account GUID | string | Yes | The unique identifier (GUID) of the service + account to update. | + + | Enabled | boolean | No | If set, enables or disables the protection policy. + | + + | Block | boolean | No | If set, enables or disables active blocking for policy + violations. | + + | Send to SIEM | boolean | No | If set, enables or disables the forwarding of + policy events to the SIEM. | + + | Risk Level | ddl | No | Sets the risk level threshold for the policy. Options: + low, medium, high. | + + | Allow All Sources | boolean | No | If true, the policy will allow all source + endpoints, ignoring the specific allowlist. | + + | Allow All Destinations | boolean | No | If true, the policy will allow all destination + endpoints, ignoring the specific allowlist. | + + | Protocols | string | No | A comma-separated list of protocols to allow (e.g., + 'Kerberos, ldap, ntlm'). | + + | Add Allowed Sources | string | No | A JSON array of source objects to add to + the allowlist. Format: `[{"key": "10.0.0.1", "key_type": "ip"}]`. | + + | Remove Allowed Sources | string | No | A JSON array of source objects to remove + from the allowlist. Format: `[{"key": "10.0.0.1", "key_type": "ip"}]`. | + + | Add Allowed Destinations | string | No | A JSON array of destination objects + to add to the allowlist. Format: `[{"key": "10.0.0.1", "key_type": "ip"}]`. | + + | Remove Allowed Destinations | string | No | A JSON array of destination objects + to remove from the allowlist. Format: `[{"key": "10.0.0.1", "key_type": "ip"}]`. + | + + + ### Additional Notes + + - The action performs a state change in Silverfort and is classified as a mutation + action. + + - Allowlist parameters (Add/Remove Sources/Destinations) must be valid JSON arrays + of objects with 'key' and 'key_type' fields. capabilities: can_create_case_comments: false can_create_insight: false @@ -770,9 +993,8 @@ Update SA Policy: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - This action modifies the security policy configuration for a service account - in the Silverfort platform, which can change the enforcement state (e.g., enabling - blocking) and network access controls (allowlists). + Updates the protection policy configuration for a specific service account in + Silverfort, including blocking status, logging, and allowlists. fetches_data: false internal_data_mutation_explanation: null categories: @@ -792,3 +1014,28 @@ Update SA Policy: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: true + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: true + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: true + update_ticket: false diff --git a/content/response_integrations/third_party/partner/silverfort/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/silverfort/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..0b062e038 --- /dev/null +++ b/content/response_integrations/third_party/partner/silverfort/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: true + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: true + itsm: false + network_security: false + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/spycloud/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/spycloud/resources/ai/actions_ai_description.yaml index 46ae8e2da..45b4c1477 100644 --- a/content/response_integrations/third_party/partner/spycloud/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/spycloud/resources/ai/actions_ai_description.yaml @@ -1,71 +1,68 @@ List Catalogs: ai_description: >- - ### General Description - - The **List Catalogs** action retrieves a list of available breach catalogs from - SpyCloud based on specified timeframes and filtering criteria. This action is - primarily used for discovery and auditing purposes, allowing users to see which - data sources or breach collections are available within the SpyCloud platform - for a given period. + Lists available breach catalogs from SpyCloud based on specified timeframes and + filters. This action allows analysts to discover which data sources (catalogs) + are available in the SpyCloud database for a given period, facilitating further + investigation into specific breaches. - ### Parameters Description + ### Flow Description: - | Parameter | Type | Mandatory | Description | + 1. **Parameter Extraction:** Retrieves API credentials and action parameters including + filter logic, time range, and result limits. - | :--- | :--- | :--- | :--- | + 2. **Timeframe Calculation:** Converts the selected 'Time Frame' (e.g., Last Week, + Last Month, Last Year, or Custom) into specific start and end dates using utility + functions. - | Filter Logic | DDL | No | Determines the matching logic for the filter. Options - are 'Equal' (exact match on title) or 'Contains' (substring match across all fields). - Defaults to 'Equal'. | + 3. **API Request:** Sends a paginated GET request to the SpyCloud `/enterprise-v1/breach/catalog` + endpoint via the SpyCloudManager. - | Filter Value | String | No | The string value to search for. If 'Equal' is selected, - the action filters results locally by title. If 'Contains' is selected, the value - is passed to the API query. | + 4. **Filtering:** Applies local filtering to the results if 'Equal' logic is selected, + matching the 'Filter Value' against catalog titles. If 'Contains' is selected, + the API-level query parameter handles the search. - | Time Frame | DDL | Yes | The temporal scope of the search. Options include 'Last - Week', 'Last Month', 'Last Year', or 'Custom'. | + 5. **Data Processing:** Slices the result list based on the 'Max Catalogs To Return' + parameter to ensure the output stays within the requested limit. - | Start Time | String | No* | The start date/time for the search in ISO 8601 format. - This is **mandatory** if 'Time Frame' is set to 'Custom'. | + 6. **Output Generation:** Populates a data table named 'Available Catalogs' and + provides the raw JSON results for downstream playbook use. - | End Time | String | No | The end date/time for the search in ISO 8601 format. - If omitted while using 'Custom' timeframe, it defaults to the current time. | - | Max Catalogs To Return | String | No | Limits the number of catalog records - returned in the output. Defaults to 50. | + ### Parameters Description: + | Parameter | Type | Mandatory | Description | - ### Additional Notes + | :--- | :--- | :--- | :--- | - - If the **Time Frame** is set to 'Custom', the **Start Time** parameter must - be provided, otherwise the action will fail. + | Filter Logic | DDL | No | Determines how the 'Filter Value' is applied. 'Equal' + performs a strict title match in the script, while 'Contains' relies on the API's + query parameter. | - - The action performs client-side filtering when the 'Equal' logic is selected - to ensure exact title matches. + | Filter Value | String | No | The string to search for within the catalogs. If + 'Equal' is used, it matches the title; otherwise, it acts as a general query. + | + | Time Frame | DDL | Yes | The temporal scope of the search (Last Week, Last Month, + Last Year, or Custom). | - ### Flow Description + | Start Time | String | No | Mandatory if 'Time Frame' is set to 'Custom'. Expects + ISO 8601 format. | - 1. **Parameter Initialization**: Extracts API credentials and action parameters, - validating that the result limit is a positive integer. + | End Time | String | No | ISO 8601 format. Defaults to the current time if 'Custom' + is selected and this field is left empty. | - 2. **Timeframe Calculation**: Determines the start and end timestamps based on - the selected 'Time Frame' or custom inputs. + | Max Catalogs To Return | String | No | Limits the number of catalog records + returned. Default is 50. | - 3. **Data Retrieval**: Connects to the SpyCloud API and fetches catalog data from - the `/enterprise-v1/breach/catalog` endpoint, handling pagination automatically - to retrieve all relevant records. - 4. **Filtering**: Applies the 'Equal' filter logic if specified, narrowing the - results to catalogs whose titles exactly match the 'Filter Value'. + ### Additional Notes: - 5. **Result Processing**: Slices the result list based on the 'Max Catalogs To - Return' parameter. + - If 'Custom' is selected for 'Time Frame', the 'Start Time' parameter must be + provided or the action will fail. - 6. **Output Generation**: Populates the action's JSON result with the raw catalog - data and creates a formatted data table named 'Available Catalogs' for the case - wall. + - The 'Equal' filter logic is case-sensitive and specifically targets the 'title' + field of the catalog objects returned by the API. capabilities: can_create_case_comments: false can_create_insight: false @@ -93,74 +90,91 @@ List Catalogs: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: true + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false List Entity Breaches: ai_description: >- - ### General Description - - This action retrieves breach information from SpyCloud for specific entities including - IP Addresses, Usernames, Email Addresses, and Domains. It identifies if an entity - has been compromised in known data breaches and provides details such as the source - of the breach, severity, and obfuscated credentials if available. + Enriches entities by checking for associated data breaches in the SpyCloud database. + This action supports IP Addresses, Usernames, Email Addresses, and Domains, providing + detailed information about where and when an entity's data may have been compromised. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Initialization**: Establishes a connection to the SpyCloud API using the + provided credentials and validates the 'Max Breaches To Return' parameter. - | :--- | :--- | :--- | :--- | + 2. **Time Window Calculation**: Determines the start and end timestamps for the + search based on the 'Time Frame' selection (Last Week, Last Month, Last Year, + or Custom). - | Catalog Filter | String | No | Specify the name of a specific SpyCloud category/catalog - to search within. If provided, the action validates the catalog exists before - searching. | + 3. **Catalog Resolution**: If a 'Catalog Filter' is provided, the action fetches + available catalogs from SpyCloud to identify the specific ID for the requested + category. - | Time Frame | DDL | Yes | Defines the temporal scope of the search. Options include - 'Last Week', 'Last Month', 'Last Year', or 'Custom'. | + 4. **Entity Processing**: Iterates through supported entities (IP, User, URL) + and maps them to SpyCloud breach types (ips, emails, usernames, domains). - | Start Time | String | No | Mandatory only if 'Time Frame' is set to 'Custom'. - Expects an ISO 8601 formatted string. | + 5. **Data Retrieval**: Queries the SpyCloud API for breach records matching the + entity identifier, applying the catalog filter and result limit. - | End Time | String | No | Used when 'Time Frame' is 'Custom'. If omitted, the - current time is used. Expects an ISO 8601 formatted string. | + 6. **Internal Update**: For entities with found breaches, it updates the entity's + additional properties with a 'was_breached' flag, marks the entity as enriched, + and attaches the full breach details as a JSON result. - | Max Breaches To Return | String | No | Limits the number of breach records returned - per entity. Default is 1, maximum is 1000. | + ### Parameters Description - ### Additional Notes + | Parameter | Type | Mandatory | Description | - - **Entity Mapping:** Email addresses are handled as `USERUNIQNAME` entities that - match an email regex. Domains are extracted from `DestinationURL` entities. + | :--- | :--- | :--- | :--- | - - **Data Privacy:** Passwords returned in the JSON results are automatically obfuscated - by the integration logic (e.g., `p****rd`). + | Catalog Filter | string | No | Specify the name of the category/source in which + you want to search for breaches. | - - **Timeframe Logic:** If 'Custom' is selected, 'Start Time' must be provided, - otherwise the action will fail. + | Time Frame | ddl | Yes | Specify a time frame for the search. Options: Last + Week, Last Month, Last Year, Custom. | + | Start Time | string | No | Mandatory if 'Custom' is selected for 'Time Frame'. + Format: ISO 8601. | - ### Flow Description + | End Time | string | No | Optional for 'Custom' Time Frame. If empty, defaults + to the current time. Format: ISO 8601. | - 1. **Initialization:** Extracts API configuration and action parameters, validating - that the 'Max Breaches To Return' is a positive integer. + | Max Breaches To Return | string | No | Limits the number of breach records returned + per entity. Default is 1; Maximum is 1000. | - 2. **Timeframe Calculation:** Converts the selected 'Time Frame' or 'Custom' timestamps - into date objects for the API request. - 3. **Catalog Resolution:** If a 'Catalog Filter' is provided, the action fetches - available catalogs from SpyCloud to find the corresponding internal ID. + ### Additional Notes - 4. **Entity Processing:** Iterates through supported entities (`ADDRESS`, `USERUNIQNAME`, - `DestinationURL`): - - Determines the SpyCloud breach type (ips, emails, usernames, or domains). - - Normalizes the identifier (e.g., extracting the domain from a URL). - - Queries the SpyCloud API for breach data associated with the entity and - timeframe. - 5. **Enrichment:** For entities with found breaches, it updates the entity's `additional_properties` - with a `was_breached` flag and marks the entity as enriched. + - If 'Custom' is selected for 'Time Frame', the 'Start Time' parameter must be + provided, or the action will fail. - 6. **Finalization:** Updates the entities in the Google SecOps case, attaches - the full breach details as a JSON result, and provides a summary message of successful - and failed lookups. + - For URL entities, the action automatically extracts the domain part to perform + the search. capabilities: can_create_case_comments: false can_create_insight: false @@ -171,8 +185,8 @@ List Entity Breaches: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action updates entity attributes by adding enrichment data (was_breached - flag) and setting the 'is_enriched' status to true. + Updates entity additional properties with a 'was_breached' flag and sets the + 'is_enriched' status to true for entities found in breach data. categories: enrichment: true entity_usage: @@ -193,60 +207,79 @@ List Entity Breaches: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: ai_description: >- ### General Description - The Ping action is a diagnostic tool designed to verify the connectivity between - Google SecOps and the SpyCloud API. It ensures that the provided integration configuration - parameters, such as the API Root and API Key, are correct and that the network - path is open. + The **Ping** action is a diagnostic utility designed to verify the connectivity + between the Google SecOps platform and the SpyCloud service. It ensures that the + provided API Root, API Key, and SSL settings are correct and that the SpyCloud + API is reachable and responding to requests. This action is typically used during + the initial setup of the integration or for troubleshooting communication issues. ### Parameters Description - This action does not take any dynamic input parameters during execution. It relies - entirely on the configuration parameters defined at the integration level: - - - | Parameter Name | Expected Type | Mandatory | Description | + | Parameter Name | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | API Root | String | Yes | The base URL of the SpyCloud instance. | - - | API Key | String | Yes | The API key used to authenticate requests to SpyCloud. - | - - | Verify SSL | Boolean | Yes | If enabled, the action will verify the SSL certificate - of the SpyCloud server. | + | None | N/A | N/A | This action does not require any runtime parameters. It utilizes + the configuration parameters defined at the integration level (API Root, API Key, + and Verify SSL). | ### Additional Notes - * This action is typically used during the initial setup of the integration or - for troubleshooting connection issues. + - This action performs a simple GET request to the `/enterprise-v1/breach/catalog/1` + endpoint to validate the credentials and network path. - * As per standard SOAR practices, Ping actions are not classified as enrichment - actions. + - As per standard SOAR practices, Ping actions are used for health checks and + do not process entities or modify case data. ### Flow Description - 1. **Parameter Extraction:** The action retrieves the API Root, API Key, and SSL - verification settings from the integration's configuration. + 1. **Parameter Extraction:** The action retrieves the integration's configuration + settings, including the API Root URL, the API Key, and the SSL verification flag. 2. **Manager Initialization:** It initializes the `SpyCloudManager` with the retrieved - credentials. + configuration. - 3. **Connectivity Test:** The manager executes a `GET` request to a specific SpyCloud - endpoint (`/enterprise-v1/breach/catalog/1`). + 3. **Connectivity Test:** The manager executes the `test_connectivity` method, + which sends a GET request to the SpyCloud API. - 4. **Response Validation:** The action checks if the API returns a successful - status code. + 4. **Response Validation:** The action checks the HTTP response status. If the + request is successful (2xx status code), the connection is considered valid. - 5. **Final Status:** If the request is successful, the action completes with a - success message; otherwise, it catches the exception and reports a failure. + 5. **Final Status:** The action reports a success message to the Siemplify workbench + if the connection is established, or an error message detailing the failure if + the request fails. capabilities: can_create_case_comments: false can_create_insight: false @@ -274,3 +307,28 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/partner/spycloud/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/spycloud/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..4fe442a77 --- /dev/null +++ b/content/response_integrations/third_party/partner/spycloud/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: true + itsm: false + network_security: false + siem: false + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/stairwell/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/stairwell/resources/ai/actions_ai_description.yaml index 48552d161..cc3374e93 100644 --- a/content/response_integrations/third_party/partner/stairwell/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/stairwell/resources/ai/actions_ai_description.yaml @@ -1,66 +1,35 @@ Enrich Hash: - ai_description: >- - ### General Description - - Enriches File Hash entities using threat intelligence data from Stairwell. This - action retrieves comprehensive file metadata, including size, entropy, multiple - hash types (SHA256, SHA1, MD5, Imphash, TLSH), and file magic/MIME types. It also - evaluates the file's reputation based on Stairwell's malicious probability scores - and verdicts, updating the entity's status and providing detailed insights for - security analysts. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | API Root | String | Yes | The base URL of the Stairwell API instance. | - - | API Key | String | Yes | The API key used for authentication with Stairwell. - | - - | Organization ID | String | No | The specific Organization ID to include in the - request headers for multi-tenant environments. | - - | User ID | String | No | The specific User ID to include in the request headers - if required by the API configuration. | - - - ### Additional Notes - - - The action specifically targets `FILEHASH` entities. - - - If a file is determined to be suspicious (based on the `MALICIOUS` verdict or - high malicious probability), an entity insight is automatically generated. - - - Detailed reports are attached to the case as data tables. - - - ### Flow Description - - 1. **Initialization**: Retrieves connection details (API Root, API Key) and optional - identifiers (Org ID, User ID) from the integration configuration. - - 2. **Entity Filtering**: Identifies all `FILEHASH` entities within the current - alert context. - - 3. **Data Retrieval**: For each hash, it queries the Stairwell API to fetch the - file's enrichment report. - - 4. **Enrichment**: Updates the entity's additional properties with metadata such - as file size, entropy, and alternative hashes. - - 5. **Risk Assessment**: Evaluates the file's verdict. If the file is flagged as - malicious or has a high malicious probability, the entity is marked as suspicious. - - 6. **Insight & Reporting**: Generates a formatted insight for suspicious files - and attaches a detailed CSV-style data table to the case wall for each processed - entity. - - 7. **Finalization**: Updates the entities in Google SecOps and returns a summary - of successful and failed enrichments. + ai_description: "Enriches File Hash entities with threat intelligence data from\ + \ Stairwell. This action retrieves comprehensive file metadata, including hash\ + \ variants (MD5, SHA1, SHA256), file size, entropy, MIME type, and signature information.\ + \ It also fetches Stairwell-specific intelligence such as 'MalEval' malicious\ + \ probability scores, AI-generated summaries, and sighting prevalence. The action\ + \ evaluates the file's risk level based on Stairwell's verdicts; if a file is\ + \ determined to be suspicious or malicious, it updates the entity's status in\ + \ Google SecOps and generates a detailed insight for the analyst.\n\n### Parameters\n\ + | Parameter Name | Type | Mandatory | Description |\n| :--- | :--- | :--- | :---\ + \ |\n| API Root | String | Yes | The base URL for the Stairwell API instance.\ + \ |\n| API Key | String | Yes | The API key used for authentication with Stairwell.\ + \ |\n| Organization ID | String | No | The specific Stairwell Organization ID\ + \ to contextually scope the request. |\n| User ID | String | No | The specific\ + \ Stairwell User ID to associate with the request. |\n\n### Additional Notes\n\ + - The action specifically targets `FILEHASH` entities.\n- It uses the `OriginalIdentifier`\ + \ of the entity if available to ensure accurate lookups in Stairwell.\n- Enrichment\ + \ data is prefixed with 'SW' (Stairwell) when added to entity additional properties.\n\ + \n### Flow Description\n1. **Initialization**: Extracts API configuration (Root,\ + \ Key, Org ID, User ID) and initializes the Stairwell manager.\n2. **Entity Filtering**:\ + \ Identifies all `FILEHASH` entities within the current context.\n3. **Data Retrieval**:\ + \ For each hash, it queries the Stairwell `/object_event` endpoint to fetch the\ + \ file report.\n4. **Risk Assessment**: Analyzes the report's verdict and malicious\ + \ probability scores to determine if the file is suspicious.\n5. **Internal Updates**:\ + \ \n - Updates the entity's additional properties with the fetched metadata.\n\ + \ - Marks the entity as 'enriched'.\n - Sets the 'is_suspicious' flag based\ + \ on the assessment.\n6. **Insight & Reporting**: \n - If suspicious, creates\ + \ a detailed entity insight containing probability scores and detection labels.\n\ + \ - Adds a data table to the case wall containing a summary of the file report.\n\ + \ - Attaches the full raw JSON response to the action results.\n7. **Finalization**:\ + \ Updates all processed entities in the Google SecOps platform and provides a\ + \ summary message of successful and failed enrichments." capabilities: can_create_case_comments: false can_create_insight: true @@ -71,9 +40,9 @@ Enrich Hash: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action updates entity additional properties with enrichment data, sets the - 'is_suspicious' and 'is_enriched' flags, creates entity insights, and adds data - tables to the case wall. + The action updates entity additional properties with enrichment data, modifies + the 'is_suspicious' and 'is_enriched' flags of entities, creates entity insights, + and adds data tables to the case wall. categories: enrichment: true entity_usage: @@ -92,65 +61,89 @@ Enrich Hash: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Enrich Hostname: ai_description: >- - ### General Description - Enriches Hostname entities with threat intelligence data from Stairwell. This - action retrieves detailed host information, including community opinions, comments, - and DNS records (A, AAAA, MX), to provide context for security investigations. - It helps analysts determine the reputation and history of a host within the Stairwell - platform. + action retrieves comprehensive metadata including verdicts, opinions, comments, + and DNS records (A, AAAA, MX) for specified hostnames. It evaluates the security + posture of the entity, updates its attributes within the platform, and provides + detailed visual reports through data tables and insights. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Initialization**: Connects to the Stairwell API using the provided API Root, + API Key, and optional Organization/User IDs. - | :--- | :--- | :--- | :--- | + 2. **Entity Filtering**: Identifies all Hostname entities within the current alert + context. - | API Root | String | Yes | The base URL of the Stairwell API instance. | + 3. **Data Retrieval**: For each hostname, it queries the Stairwell enrichment + endpoint to fetch the latest threat intelligence report. - | API Key | String | Yes | The API key used for authentication with Stairwell. - | + 4. **Entity Enrichment**: Updates the entity's additional properties with the + retrieved data and marks the entity as enriched. - | Organization ID | String | No | The specific Stairwell Organization ID to scope - the request. | + 5. **Risk Assessment**: Checks the Stairwell verdict; if the hostname is classified + as 'MALICIOUS', the entity is marked as suspicious. - | User ID | String | No | The specific Stairwell User ID to associate with the - request. | + 6. **Insight Generation**: Creates an entity insight for malicious hostnames to + highlight the threat to analysts. + 7. **Reporting**: Generates a data table for the case wall containing a summary + of the host's records and attaches the full raw JSON response to the action results. - ### Additional Notes - - The action uses the `OriginalIdentifier` of the entity if available; otherwise, - it defaults to the standard entity identifier. + ### Parameters Description - - Enrichment data is prefixed with `SW` in the entity's additional properties. + | Parameter Name | Type | Mandatory | Description | - - If no Hostname entities are found in the context, the action will complete with - a 'No entities were enriched' message. + | :--- | :--- | :--- | :--- | + | API Root | String | Yes | The base URL for the Stairwell API instance. | - ### Flow Description + | API Key | String | Yes | The API key used for authentication with Stairwell. + | - 1. **Parameter Extraction:** Retrieves API credentials and configuration from - the integration settings. + | Organization ID | String | No | Optional identifier for the specific Stairwell + organization. | - 2. **Entity Filtering:** Identifies all Hostname entities within the target scope. + | User ID | String | No | Optional identifier for the specific Stairwell user. + | - 3. **Data Retrieval:** For each hostname, it queries the Stairwell API's enrichment - endpoint (`/labs/appapi/enrichment/v1/hostname_event/{hostname}`). - 4. **Entity Enrichment:** Updates the entity's additional properties with the - retrieved data and marks the entity as enriched. + ### Additional Notes - 5. **Risk Assessment:** Evaluates the host's verdict. If the verdict is 'MALICIOUS', - it marks the entity as suspicious and creates a detailed insight containing the - verdict. + * This action is strictly read-only regarding the Stairwell platform and does + not modify any external data. - 6. **Reporting:** Adds a formatted data table to the case wall for each host and - attaches the raw JSON response to the action results. + * It uses the 'OriginalIdentifier' property of the entity if available to ensure + accurate lookups. capabilities: can_create_case_comments: false can_create_insight: true @@ -161,9 +154,9 @@ Enrich Hostname: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action updates entity attributes with enrichment data, sets the suspicious - flag, creates entity insights for malicious findings, and adds data tables to - the case wall. + Updates entity attributes with enrichment data, sets the suspicious flag based + on Stairwell verdicts, creates entity insights, and adds data tables to the + case wall. categories: enrichment: true entity_usage: @@ -182,36 +175,60 @@ Enrich Hostname: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Enrich IP: - ai_description: "### General Description\nEnriches IP Address entities with threat\ - \ intelligence data retrieved from the Stairwell platform. This action provides\ - \ security analysts with context regarding an IP's reputation, including verdicts\ - \ (e.g., MALICIOUS), community opinions, and historical comments. It automates\ - \ the process of identifying high-risk entities by marking them as suspicious\ - \ and generating detailed insights directly within the case.\n\n### Parameters\ - \ Description\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- |\ - \ :--- | :--- |\n| API Root | String | Yes | The base URL of the Stairwell API\ - \ instance used for requests. |\n| API Key | String | Yes | The authentication\ - \ key required to access Stairwell services. |\n| Organization ID | String | No\ - \ | An optional identifier to scope requests to a specific Stairwell organization.\ - \ |\n| User ID | String | No | An optional identifier to associate requests with\ - \ a specific Stairwell user. |\n\n### Additional Notes\n- This action specifically\ - \ targets entities of type **ADDRESS**.\n- If an IP is found to have a 'MALICIOUS'\ - \ verdict in Stairwell, the action automatically flags the entity as suspicious\ - \ in Google SecOps.\n- A detailed report table is added to the case wall for every\ - \ successfully enriched entity.\n\n### Flow Description\n1. **Initialization**:\ - \ Extracts API configuration (Root, Key, Org ID, User ID) and initializes the\ - \ Stairwell API manager.\n2. **Entity Filtering**: Identifies all IP Address entities\ - \ in the current scope for processing.\n3. **Data Retrieval**: For each IP, the\ + ai_description: "Enriches IP Address entities with threat intelligence data from\ + \ Stairwell. This action retrieves reputation metadata, including verdicts and\ + \ opinions, to provide security context for identified IP addresses. It evaluates\ + \ the risk level based on Stairwell's analysis, updates the entity's suspicious\ + \ status within Google SecOps, and generates detailed insights and data tables\ + \ for the case wall.\n\n### Parameters\n| Parameter Name | Type | Mandatory |\ + \ Description |\n| :--- | :--- | :--- | :--- |\n| API Root | String | Yes | The\ + \ base URL of the Stairwell API instance. |\n| API Key | String | Yes | The API\ + \ key used for authentication with Stairwell. |\n| Organization ID | String |\ + \ No | The specific Organization ID to include in the request headers for multi-tenant\ + \ environments. |\n| User ID | String | No | The specific User ID to include in\ + \ the request headers if required by the API configuration. |\n\n### Additional\ + \ Notes\n- This action specifically targets entities of type `ADDRESS`.\n- An\ + \ entity is marked as suspicious if the Stairwell verdict is 'MALICIOUS'.\n- Enrichment\ + \ data is prefixed with 'SW' in the entity's additional properties.\n\n### Flow\ + \ Description\n1. **Initialization**: The action initializes the Stairwell manager\ + \ using the provided API Root, API Key, and optional Organization/User IDs.\n\ + 2. **Entity Filtering**: It identifies all IP Address entities (`ADDRESS`) within\ + \ the current alert context.\n3. **Data Retrieval**: For each identified IP, the\ \ action performs a GET request to the Stairwell enrichment endpoint to fetch\ - \ event data.\n4. **Enrichment & Analysis**: \n - Updates the entity's additional\ - \ properties with the retrieved intelligence.\n - Evaluates the 'verdict' field;\ - \ if it matches 'MALICIOUS', the entity is marked as suspicious.\n5. **Internal\ - \ Updates**: \n - Creates an Entity Insight for suspicious IPs containing the\ - \ verdict summary.\n - Generates a data table on the case wall with a flat\ - \ representation of the Stairwell report.\n6. **Finalization**: Updates the entities\ - \ in the Google SecOps platform and returns a summary of successful and failed\ - \ enrichments." + \ reputation data.\n4. **Internal Updates**: \n - Updates the entity's additional\ + \ properties with the enrichment results.\n - Sets the `is_enriched` flag to\ + \ true.\n - Evaluates the verdict; if 'MALICIOUS', the entity is marked as\ + \ suspicious.\n5. **Reporting**: \n - Generates an entity insight containing\ + \ the verdict if the IP is suspicious.\n - Adds a detailed data table to the\ + \ case wall for each processed IP.\n - Appends the raw JSON results to the\ + \ action output.\n6. **Finalization**: Updates the entities in the platform and\ + \ returns a success message listing the enriched IPs." capabilities: can_create_case_comments: false can_create_insight: true @@ -222,9 +239,9 @@ Enrich IP: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity attributes (additional properties), sets the 'is_suspicious' - and 'is_enriched' flags, creates entity insights, and adds data tables to the - case wall. + Updates entity enrichment fields (additional properties), sets the suspicious + flag based on the Stairwell verdict, creates entity insights, and adds data + tables to the case wall. categories: enrichment: true entity_usage: @@ -243,58 +260,84 @@ Enrich IP: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: ai_description: >- ### General Description - Tests the connectivity to the Stairwell API to ensure that the integration can - successfully communicate with the service. This action is typically used during - the initial setup or for troubleshooting purposes to verify that the provided - credentials and API endpoint are valid. + Tests connectivity to the Stairwell API to ensure that the integration is correctly + configured and the service is reachable. This action validates the provided API + Root, API Key, and optional Organization/User IDs by performing a test request + to the enrichment endpoint using a dummy hostname. ### Parameters Description - There are no action-specific parameters for this action. It utilizes the global - integration configuration parameters to perform the connectivity test: - | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | API Root | String | Yes | The base URL of the Stairwell API. | + | API Root | String | Yes | The base URL of the Stairwell API instance. | - | API Key | String | Yes | The API key used for authentication. | + | API Key | String | Yes | The API key used for authentication with Stairwell. + | - | Organization ID | String | No | The specific Organization ID associated with - the account. | + | Organization ID | String | No | The specific Organization ID to be included + in the request headers. | - | User ID | String | No | The specific User ID associated with the account. | + | User ID | String | No | The specific User ID to be included in the request headers. + | ### Additional Notes - This action performs a read-only request to a dummy hostname to verify API access - and does not process any entities from the current context. + This action does not process any entities from the SOAR case. It uses a hardcoded + dummy hostname ('www.google.com') to verify the API connection. Although the integration + metadata might classify this as an enrichment type, per architectural guidelines, + Ping actions are categorized separately from functional enrichment actions. ### Flow Description - 1. **Parameter Extraction**: The action retrieves the API Root, API Key, Organization - ID, and User ID from the integration's configuration settings. + 1. **Parameter Initialization**: Retrieves the API Root, API Key, Organization + ID, and User ID from the integration configuration. + + 2. **Manager Setup**: Initializes the Stairwell Manager with the provided credentials + and connection settings. - 2. **Manager Initialization**: A `StairwellManager` instance is created using - the extracted configuration and credentials. + 3. **Connectivity Test**: Executes the `test_connectivity` method, which triggers + a GET request to the Stairwell enrichment endpoint for a dummy hostname. - 3. **Connectivity Check**: The action executes the `test_connectivity` method, - which sends a GET request to the Stairwell API for a dummy hostname (`www.google.com`) - to verify the connection. + 4. **Response Validation**: Checks the HTTP response status. If the request is + successful, it confirms the connection; otherwise, it captures the error. - 4. **Completion**: If the API responds successfully, the action completes with - a success status and a 'Connection Established' message. If the request fails - (e.g., due to invalid credentials or network issues), it catches the exception - and returns a failure status with the error details. + 5. **Execution Completion**: Returns a success status and a 'Connection Established' + message if the test passes, or a failure status with the error details if it fails. capabilities: can_create_case_comments: false can_create_insight: false @@ -322,3 +365,28 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/partner/stairwell/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/stairwell/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..2e831240c --- /dev/null +++ b/content/response_integrations/third_party/partner/stairwell/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + siem: false + threat_intelligence: true + vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/thinkst_canary/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/thinkst_canary/resources/ai/actions_ai_description.yaml index 9b2086401..75eadfa9b 100644 --- a/content/response_integrations/third_party/partner/thinkst_canary/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/thinkst_canary/resources/ai/actions_ai_description.yaml @@ -2,47 +2,50 @@ Acknowledge Console Alert: ai_description: >- ### General Description - - Acknowledges an alert on the Thinkst Canary console. This action allows analysts - to programmatically mark Canary incidents as acknowledged directly from the Google - SecOps interface, ensuring synchronization between the SOAR and the Canary platform. + The **Acknowledge Console Alert** action is designed to change the status of a + specific incident to 'acknowledged' within the Thinkst Canary console. This action + is typically used as a response step in a playbook to synchronize the state of + an alert between Google SecOps and the Canary management environment, ensuring + that analysts do not need to manually acknowledge the same alert in multiple consoles. ### Parameters Description - - | Parameter | Type | Mandatory | Description | + | Parameter Name | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | None | N/A | N/A | This action does not take any input parameters. It automatically - identifies the alert to acknowledge using the `AlertId` stored in the alert's - metadata. | + | None | N/A | N/A | This action does not require any direct input parameters. + It relies on the context of the current alert and the integration's global configuration + (API Key and Console Hash). | ### Additional Notes + - **Prerequisites:** This action requires that the alert in Google SecOps was + originally ingested via the Thinkst Canary connector, as it relies on the `AlertId` + being present in the `additional_properties` of the alert's security events. - This action requires the `AlertId` to be present in the `additional_properties` - of the first security event of the alert. This ID is typically populated automatically - by the Thinkst Canary connector when the alert is ingested. If the `AlertId` is - missing, the action will fail. + - **Configuration:** The action uses the global 'API Key' and 'Console Hash' defined + in the Thinkst integration settings. ### Flow Description + 1. **Configuration Retrieval:** The action fetches the API Key, Console Hash, + and SSL verification settings from the integration configuration. - 1. **Extract Configuration**: Retrieves the API Key, Console Hash, and SSL verification - settings from the integration configuration. - - 2. **Identify Incident**: Accesses the current alert's security events and extracts - the `AlertId` from the `additional_properties` field of the first event. + 2. **Incident Identification:** It accesses the `security_events` of the current + alert in Google SecOps and extracts the `AlertId` from the `additional_properties` + of the first event. - 3. **API Request**: Sends a POST request to the `/api/v1/incident/acknowledge` - endpoint on the Canary Console using the extracted `AlertId`. + 3. **API Request:** The action constructs a POST request to the Thinkst Canary + API endpoint `/incident/acknowledge`, passing the `AlertId` as the `incident` + parameter. - 4. **Finalize**: Reports the outcome of the acknowledgement request (success or - failure) to the case wall. + 4. **Outcome Validation:** It checks the API response. If the response indicates + success, the action completes successfully; otherwise, it fails with an error + message explaining the issue (e.g., missing AlertId or API error). capabilities: can_create_case_comments: false can_create_insight: false @@ -51,8 +54,8 @@ Acknowledge Console Alert: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the status of an incident on the Thinkst Canary console to 'acknowledged' - via a POST request to the API. + Updates the status of an incident to 'acknowledged' on the Thinkst Canary console + via a POST request to the /incident/acknowledge endpoint. fetches_data: false internal_data_mutation_explanation: null categories: @@ -72,63 +75,76 @@ Acknowledge Console Alert: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: ai_description: >- ### General Description - The **Ping** action is a diagnostic utility used to verify the connectivity and - authentication credentials between Google SecOps and the Thinkst Canary Console. - It ensures that the provided API Key and Console Hash are valid and that the network - path to the Canary API is open. + The **Ping** action is a connectivity utility designed to verify the communication + between Google SecOps and the Thinkst Canary Console. It validates that the provided + API Key and Console Hash are correct and that the network path is open. This action + is typically used during initial setup or troubleshooting to ensure the integration + is properly configured. ### Parameters Description - This action does not have any action-specific parameters. It relies entirely on + There are no action-specific parameters for this action. It relies entirely on the integration's global configuration parameters: + * **API Key**: The authentication token for the Canary Console. - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **API Key** | String | Yes | The authentication token used to access the Thinkst - Canary API. | - - | **Console Hash** | String | Yes | The unique subdomain identifier for your Canary - Console (e.g., the 'example' in 'example.canary.tools'). | - - | **Verify SSL** | Boolean | No | Determines whether to verify the SSL certificate - of the Canary Console. | + * **Console Hash**: The unique identifier/subdomain for your Canary Console. + * **Verify SSL**: Determines whether to validate the SSL certificate of the console. - ### Additional Notes - * This action will fail immediately if the **API Key** or **Console Hash** are - left as their default placeholder values. + ### Flow Description - * Per Google SecOps standards, Ping actions are used for health checks and do - not contribute to case enrichment or data mutation. + 1. **Configuration Extraction**: The action retrieves the API Key, Console Hash, + and SSL verification settings from the integration configuration. + 2. **Validation**: It checks if the API Key and Console Hash are provided and + are not the default placeholder values. - ### Flow Description + 3. **Manager Initialization**: Initializes the `ThinkstActionManager` with the + connection details. - 1. **Parameter Extraction:** The script retrieves the global configuration for - the Thinkst integration, including the API Key, Console Hash, and SSL verification - setting. + 4. **API Call**: Executes a GET request to the `/api/v1/ping` endpoint of the + Canary Console. - 2. **Validation:** It checks if the API Key and Console Hash have been changed - from their default values. If not, the action fails with an error message. + 5. **Result Evaluation**: If the API returns a success result, the action completes + successfully; otherwise, it reports a failure. - 3. **Manager Initialization:** It initializes the `ThinkstActionManager` which - sets up the HTTP session and base URL for the Canary API. - 4. **Connectivity Check:** The script calls the `/api/v1/ping` endpoint using - a GET request. + ### Additional Notes - 5. **Result Processing:** If the API returns a JSON response with a 'success' - result, the action completes successfully. Otherwise, it reports a connection - failure. + This action does not process any entities and does not modify any data within + Google SecOps or the Thinkst Canary environment. capabilities: can_create_case_comments: false can_create_insight: false @@ -156,3 +172,28 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/partner/thinkst_canary/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/partner/thinkst_canary/resources/ai/connectors_ai_description.yaml new file mode 100644 index 000000000..fc317f79e --- /dev/null +++ b/content/response_integrations/third_party/partner/thinkst_canary/resources/ai/connectors_ai_description.yaml @@ -0,0 +1,34 @@ +Thinkst - Alert Connector: + ai_description: "### General Description\nThe Thinkst - Alert Connector integrates\ + \ Google SecOps with the Thinkst Canary Console to automate the ingestion of security\ + \ incidents. It fetches unacknowledged incidents\u2014including Honeypot triggers,\ + \ Canarytoken activations, and operational alerts (like disconnected Canaries)\u2014\ + and converts them into cases within the SOAR platform for investigation and response.\n\ + \n### Parameters Description\n| Parameter | Type | Mandatory | Description |\n\ + | :--- | :--- | :--- | :--- |\n| API Key | Password | Yes | The API key used to\ + \ authenticate with your Thinkst Canary Console. |\n| Console Hash | String |\ + \ Yes | The unique subdomain of your console (e.g., the 'example' in 'example.canary.tools').\ + \ |\n| Verify SSL | Boolean | No | If enabled, the connector will verify SSL certificates\ + \ during API requests. Defaults to true. |\n| Ignore Informative | Boolean | No\ + \ | If enabled, incidents classified as 'Informative' (priority -1) will not be\ + \ ingested as cases. |\n| PythonProcessTimeout | String | Yes | The maximum time\ + \ in seconds allowed for the connector script to run. |\n| DeviceProductField\ + \ | String | Yes | The field name used to identify the device product in the ingested\ + \ data. |\n| EventClassId | String | Yes | The field name used to determine the\ + \ event sub-type (e.g., SourceType). |\n\n### Flow Description\n1. **Authentication**:\ + \ The connector establishes a session with the Thinkst Canary Console API using\ + \ the provided API Key and Console Hash.\n2. **State Management**: It retrieves\ + \ the last processed Incident ID and Timestamp from the internal SOAR context\ + \ to ensure only new, unacknowledged incidents are fetched.\n3. **Data Retrieval**:\ + \ The connector queries the `/incidents/unacknowledged` endpoint. It automatically\ + \ handles pagination using cursors to collect all pending incidents since the\ + \ last run.\n4. **Filtering**: If the 'Ignore Informative' parameter is set, the\ + \ connector filters out operational or low-severity incidents (such as console\ + \ setting changes or disconnected devices) based on their log type.\n5. **Data\ + \ Mapping**: Raw incident data is transformed into the SOAR AlertInfo format.\ + \ This includes mapping source/destination IPs, ports, and specific Canarytoken\ + \ metadata (like filenames or usernames) into structured event fields.\n6. **Priority\ + \ Assignment**: The connector maps Thinkst log types to SOAR priority levels (Informative,\ + \ Low, Medium, High, or Critical).\n7. **Ingestion**: Processed alerts are sent\ + \ to Google SecOps, and the connector updates its persistent state with the latest\ + \ Incident ID and Timestamp for the next iteration." diff --git a/content/response_integrations/third_party/partner/thinkst_canary/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/thinkst_canary/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..a888df70b --- /dev/null +++ b/content/response_integrations/third_party/partner/thinkst_canary/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: true + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: false + network_security: false + siem: true + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/torq/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/torq/resources/ai/actions_ai_description.yaml index 1607543bc..14bd75598 100644 --- a/content/response_integrations/third_party/partner/torq/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/torq/resources/ai/actions_ai_description.yaml @@ -1,68 +1,62 @@ Create a Case: ai_description: >- - ### General Description - - This action creates a case or incident in the Torq platform by triggering a specific - Torq workflow via a Webhook. It automatically collects the current alert's metadata, - including entity details and raw data, and packages it into a JSON payload sent - to Torq. If Torq API credentials or a Bearer token are configured, the action - will also poll the Torq Public API to retrieve the final execution status and - output of the triggered workflow, providing the results directly within Google - SecOps. - - - ### Parameters Description + The 'Create a Case' action triggers a workflow in Torq by sending a webhook request + containing the current Google SecOps alert and case context. This action is primarily + used to escalate alerts into Torq for further orchestration and response. It packages + alert metadata, including entity details and additional properties, into a JSON + payload. If Torq API credentials or a Bearer token are provided, the action will + also poll the Torq Public API to retrieve the final execution status and output + of the triggered workflow, providing visibility into the automated response directly + within the SecOps action results. - | Parameter | Description | Type | Mandatory | Default Value | - | :--- | :--- | :--- | :--- | :--- | + ### Flow Description - | **Deduplication Key** | An optional idempotency key used by Torq to prevent - the creation of duplicate cases for the same event. | string | No | "" | + 1. **Context Collection:** The action gathers metadata from the current SecOps + case (ID, name, environment) and the specific alert (identifier, severity, product, + entities, and raw data). - | **Correlation Key** | An optional key used to group related cases or incidents - within the Torq platform. | string | No | "" | + 2. **Payload Preparation:** It constructs a JSON payload containing the source + ('Google SecOps'), the action type ('create_case'), and the collected context/alert + data, along with optional deduplication and correlation keys. - | **Poll Max Seconds** | The maximum duration (in seconds) the action will wait - and poll the Torq API for the workflow's final result. | string | No | "60" | + 3. **Webhook Invocation:** A POST request is sent to the configured Torq Webhook + URL, authenticated via a 'secret' header. - | **Poll Interval Seconds** | The frequency (in seconds) at which the action will - check the Torq API for the workflow status. | string | No | "3" | + 4. **Execution Polling (Optional):** If an execution ID is returned by the webhook + and API credentials are available, the action enters a polling loop. It periodically + checks the Torq Public API for the workflow's completion. + 5. **Result Reporting:** The action returns the full request/response details, + the execution ID, and the final workflow output (if polled) to the SecOps platform. - ### Additional Notes - - The action requires a **Torq URL** and **Webhook Secret** to be configured in - the integration settings. + ### Parameters Description - - To enable polling for the final workflow output, you must provide either **Client - ID/Secret** (for OAuth) or a **Bearer Token (override)** in the integration configuration. + | Parameter Name | Type | Mandatory | Description | - - If polling is not configured or fails, the action will still succeed if the - initial webhook trigger was accepted by Torq. + | :--- | :--- | :--- | :--- | + | Deduplication Key | String | No | An optional key used by Torq to prevent duplicate + cases or incidents from being created for the same event. | - ### Flow Description + | Correlation Key | String | No | An optional key used to group related cases + or incidents within the Torq platform. | - 1. **Data Collection:** The action gathers context from the current Google SecOps - case (Case ID, Environment) and the specific alert (Severity, Product, Vendor, - Entities, and Raw Data). + | Poll Max Seconds | String | No | The maximum duration (in seconds) the action + will wait and poll the Torq API for the workflow to complete. Default is 60. | - 2. **Payload Construction:** It builds a JSON payload containing the source ("Google - SecOps"), the action type ("create_case"), and the collected alert/case context. + | Poll Interval Seconds | String | No | The time interval (in seconds) between + consecutive polling requests to the Torq API. Default is 3. | - 3. **Webhook Trigger:** It sends a POST request to the Torq Webhook URL, authenticated - via the "secret" header. - 4. **Execution Tracking:** Upon a successful trigger, it extracts the `execution_id` - from the Torq response. + ### Additional Notes - 5. **Polling (Optional):** If API credentials are available, it enters a polling - loop, querying the Torq Public API for the status of the execution ID until it - reaches a terminal state (e.g., SUCCESS, FAILED) or the timeout is reached. + - To enable polling for the final workflow output, you must configure the Torq + integration with either a Client ID/Secret or a Bearer Token (Override). - 6. **Result Reporting:** The final status, execution details, and any output returned - by the Torq workflow are attached to the action's JSON result in Google SecOps. + - The action uses a 'secret' header for webhook authentication as required by + Torq's webhook trigger configuration. capabilities: can_create_case_comments: false can_create_insight: false @@ -71,49 +65,14 @@ Create a Case: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Triggers a Torq workflow via a webhook which typically results in the creation - of a case, incident, or other records within the Torq platform. + Triggers a workflow in Torq via a webhook, which typically results in the creation + of a case, incident, or other state changes within the Torq platform. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -127,60 +86,89 @@ Create a Case: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: true + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: ai_description: >- ### General Description - Sends a ping request to a Torq workflow via a Webhook and optionally polls the - Torq Public API to retrieve the execution result. This action is primarily used - to verify connectivity between Google SecOps and Torq, and to trigger automated - workflows within the Torq platform. + The **Ping** action triggers a specific workflow in Torq via a Webhook and optionally + polls the Torq Public API to retrieve the final execution results. This action + is primarily used to verify connectivity between Google SecOps and Torq, or to + initiate automated logic within Torq that requires context from the current SecOps + case (such as Case ID and Environment). ### Parameters Description - | Parameter | Description | Type | Mandatory | Default | + | Parameter Name | Type | Mandatory | Default Value | Description | | :--- | :--- | :--- | :--- | :--- | - | Poll Max Seconds | The maximum amount of time (in seconds) the action will wait - for the Torq workflow execution to reach a terminal state. | String | No | 60 - | + | Poll Max Seconds | string | No | 60 | The maximum duration (in seconds) the + action will wait and poll the Torq API for the workflow execution to reach a terminal + state. | - | Poll Interval Seconds | The interval (in seconds) between successive requests - to the Torq API to check the status of the execution. | String | No | 3 | + | Poll Interval Seconds | string | No | 3 | The time interval (in seconds) between + consecutive polling requests to the Torq API. | - ### Flow Description + ### Additional Notes - 1. **Configuration Retrieval**: The action fetches integration settings, including - the Webhook URL, Secret, and API credentials (Client ID/Secret or Bearer Token). + - This action requires the **Torq URL** and **Webhook Secret** to be configured + in the integration settings. - 2. **Payload Preparation**: A JSON payload is constructed containing the source - ("Google SecOps"), the action name ("ping"), and context from the current case - (Case ID, Name, Environment). + - To enable polling for execution results, the **Client ID**, **Client Secret**, + and **Region** (or a **Bearer Token Override**) must be provided in the integration + configuration to authenticate against the Torq Public API. - 3. **Webhook Trigger**: The action sends a POST request to the Torq Webhook URL - with the provided secret. + - If no execution ID is returned by the initial webhook call, polling is skipped. - 4. **Execution Identification**: It parses the response to extract an `execution_id`. - 5. **Polling (Optional)**: If an execution ID is found and polling parameters - are set, the action repeatedly queries the Torq Public API for the execution's - status (e.g., SUCCESS, FAILED). + ### Flow Description - 6. **Result Reporting**: The final execution status, output data, and full API - response are attached to the action result in Google SecOps. + 1. **Configuration Retrieval:** The action fetches integration settings (URLs, + secrets, region) and action parameters (polling limits). + 2. **Payload Construction:** It builds a JSON payload containing the source ("Google + SecOps"), the action name ("ping"), and metadata from the current case (Case ID, + Case Name, and Environment). - ### Additional Notes + 3. **Webhook Trigger:** A POST request is sent to the configured Torq Webhook + URL using the `secret` header for authentication. - - This action is named "Ping" and is excluded from enrichment categorization. + 4. **Execution Identification:** The action parses the webhook response to extract + an `execution_id` or `run_id`. - - To enable polling, the integration must be configured with either OAuth credentials - or a Bearer Token override. + 5. **Polling (Optional):** If an execution ID is found and API credentials are + available, the action enters a polling loop, querying the Torq Public API (`GET + /executions/{id}`) until the workflow succeeds, fails, or the timeout is reached. - - If the Webhook response does not contain an execution ID, polling is skipped. + 6. **Result Processing:** The final execution status, headers, and output data + are captured and attached to the action results in Google SecOps. capabilities: can_create_case_comments: false can_create_insight: false @@ -189,8 +177,8 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Triggers a Torq workflow via a webhook POST request, which initiates an execution - in the Torq platform. + Triggers the execution of a workflow in the Torq platform via a webhook POST + request. fetches_data: true internal_data_mutation_explanation: null categories: @@ -210,18 +198,40 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Run a Workflow: ai_description: >- ### General Description - This action triggers a Torq workflow by sending a POST request to a configured - Torq webhook. It is designed to bridge Google SecOps with Torq's automation capabilities, - allowing users to pass custom JSON data and optionally include the full context - of the current alert (including metadata and entities) to the workflow. If Torq - API credentials (Client ID/Secret or a Bearer Token) are provided in the integration - configuration, the action will also poll the Torq Public API to retrieve the final - execution status and output, providing a synchronous-like experience for asynchronous - workflow executions. + Triggers a Torq workflow by sending a POST request to a specified Torq webhook + URL. This action allows users to pass custom JSON data and optionally include + the full payload of the current alert to provide context to the Torq workflow. + If Torq API credentials (Client ID and Secret) are provided, the action will poll + the Torq Public API to retrieve the final execution status and output. ### Parameters Description @@ -230,52 +240,44 @@ Run a Workflow: | :--- | :--- | :--- | :--- | - | **Workflow Input** | String (JSON) | Yes | A JSON object containing the data - to be passed into the Torq workflow. Must be a valid JSON dictionary. | + | Workflow Input | String (JSON) | Yes | A JSON object containing the data to + be passed to the Torq workflow. | - | **Include Alert Payload** | Boolean | No | If set to `True`, the action retrieves - the current alert's details (identifier, name, severity, entities, etc.) and includes - them in the request payload under the 'alert' key. | + | Include Alert Payload | Boolean | No | If true, the action includes the current + alert's metadata and associated entities in the request. | - | **Poll Max Seconds** | String | No | The maximum amount of time (in seconds) - the action should wait and poll the Torq API for the workflow's completion. Defaults - to 60 seconds. | + | Poll Max Seconds | String | No | The maximum duration (in seconds) to poll the + Torq API for the workflow's completion. Default is 60. | - | **Poll Interval Seconds** | String | No | The frequency (in seconds) at which - the action checks the Torq API for the execution status. Defaults to 3 seconds. - | + | Poll Interval Seconds | String | No | The time interval (in seconds) between + consecutive polling requests. Default is 3. | ### Additional Notes - - To enable polling for execution results, the Torq integration must be configured - with either `Client ID` and `Client Secret` or a `Bearer Token (override)`. Without - these, the action will only trigger the workflow and return the initial webhook - response. + - The integration requires a 'Torq URL' and 'Webhook Secret' to function. + + - Polling for results requires 'Client ID' and 'Client Secret' to be configured + in the integration settings to generate an OAuth token. - - The action uses a 'best-effort' approach to collect alert data, attempting to - find the current alert or falling back to the first alert in the case. + - The 'Workflow Input' must be a valid JSON object string. ### Flow Description - 1. **Configuration Retrieval:** The action reads the Torq URL, Webhook Secret, - and API credentials from the integration settings. + 1. **Configuration Retrieval**: The action fetches Torq instance settings and + OAuth credentials. - 2. **Payload Construction:** It builds a JSON payload containing the user-provided - `Workflow Input`, minimal case context (Case ID, Environment), and the alert payload - if `Include Alert Payload` is enabled. + 2. **Payload Construction**: It builds a JSON payload containing the workflow + input and optionally the current alert data. - 3. **Workflow Trigger:** It sends a POST request to the Torq Webhook URL. If the - request is successful, it extracts the `execution_id` from the response. + 3. **Workflow Trigger**: It sends an authenticated POST request to the Torq webhook. - 4. **Polling (Optional):** If an `execution_id` is found and API credentials are - available, the action enters a polling loop. It repeatedly queries the Torq Public - API for the status of the execution until it reaches a terminal state (e.g., SUCCESS, - FAILED) or the `Poll Max Seconds` threshold is met. + 4. **Execution Polling**: If an execution ID is returned and API credentials exist, + the action polls the Torq Public API until completion or timeout. - 5. **Result Processing:** The action captures the final execution output and status, - attaching the full JSON response to the action results in Google SecOps. + 5. **Result Processing**: The final execution status and output are captured and + returned to Google SecOps. capabilities: can_create_case_comments: false can_create_insight: false @@ -284,8 +286,8 @@ Run a Workflow: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Triggers a new workflow execution in the Torq platform by posting to a webhook, - which creates a state-changing event (an execution) in the external system. + Triggers the execution of a workflow in the Torq platform via a webhook POST + request. fetches_data: true internal_data_mutation_explanation: null categories: @@ -305,3 +307,28 @@ Run a Workflow: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/content/response_integrations/third_party/partner/torq/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/torq/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..6896a3667 --- /dev/null +++ b/content/response_integrations/third_party/partner/torq/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: false + cloud_security: false + collaboration: true + edr: false + email_security: false + iam_and_identity_management: false + itsm: true + network_security: false + siem: false + threat_intelligence: false + vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/wiz/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/wiz/resources/ai/actions_ai_description.yaml index 5c8a8d9f1..944d59828 100644 --- a/content/response_integrations/third_party/partner/wiz/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/wiz/resources/ai/actions_ai_description.yaml @@ -1,52 +1,45 @@ Add Comment To Issue: ai_description: >- - ### General Description - - The **Add Comment To Issue** action allows users to append a text comment (note) - to a specific issue within the Wiz platform. This is primarily used for documenting - investigation steps, providing updates, or collaborating on security findings - directly from Google SecOps. + Adds a comment (note) to a specific issue in the Wiz platform. This action allows + analysts to document findings, provide updates, or record automated responses + directly within the Wiz issue's timeline. It utilizes the Wiz GraphQL API to perform + a `createIssueNote` mutation, ensuring that the communication is synchronized + between Google SecOps and the Wiz security posture management console. - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | + ### Flow Description - | **Issue ID** | String | Yes | The unique identifier of the target issue in Wiz - where the comment will be added. | + 1. **Parameter Extraction:** The action retrieves the mandatory `Issue ID` and + `Comment` text from the user input. - | **Comment** | String | Yes | The actual text content of the comment to be posted - to the issue. | + 2. **API Initialization:** Authenticates with the Wiz platform using OAuth2 client + credentials to obtain a bearer token. + 3. **Mutation Execution:** Constructs and sends a GraphQL mutation (`createIssueNote`) + to the Wiz endpoint, targeting the specified issue with the provided comment text. - ### Additional Notes + 4. **Result Processing:** Captures the response from Wiz, which includes the new + comment's ID and creation timestamp, and returns it as a JSON result. - - This action uses the Wiz GraphQL API (`createIssueNote` mutation) to perform - the update. - - If the provided **Issue ID** does not exist in Wiz, the action will return an - error indicating the issue was not found. + ### Parameters Description + | Parameter | Type | Mandatory | Description | - ### Flow Description + | :--- | :--- | :--- | :--- | - 1. **Parameter Extraction**: The action retrieves the `Issue ID` and `Comment` - text from the user input. + | Issue ID | String | True | The unique identifier of the issue in Wiz where the + comment will be added. | - 2. **API Initialization**: It initializes the Wiz API client and authenticates - using the configured credentials (Client ID and Client Secret). + | Comment | String | True | The actual text content of the comment to be appended + to the issue. | - 3. **Mutation Construction**: The action builds a GraphQL mutation payload using - the `AddCommentThreadMutationBuilder`, mapping the `Issue ID` and `Comment` to - the `createIssueNote` input. - 4. **Execution**: A POST request is sent to the Wiz GraphQL endpoint with the - mutation payload. + ### Additional Notes - 5. **Result Processing**: The action parses the response from Wiz, confirms the - successful creation of the note, and returns the comment details as JSON results. + - This action does not operate on SecOps entities; it requires a direct Issue + ID, which is typically obtained from a previous 'Get Issue Details' action or + an alert's external ID field. capabilities: can_create_case_comments: false can_create_insight: false @@ -55,9 +48,9 @@ Add Comment To Issue: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Adds a new comment (note) to an existing issue in the Wiz platform via a GraphQL - mutation. - fetches_data: false + Adds a new comment/note to an existing issue in the Wiz platform via a GraphQL + mutation, changing the state of the issue's activity log. + fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false @@ -76,14 +69,40 @@ Add Comment To Issue: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: true Get Issue Details: ai_description: >- ### General Description The **Get Issue Details** action retrieves comprehensive information about a specific - security issue within the Wiz platform. It is designed to provide security analysts - with detailed context regarding vulnerabilities, misconfigurations, or threats - identified by Wiz, including resource metadata and project associations. + security issue from the Wiz platform using its unique identifier. This action + is primarily used for investigation and gathering context, providing details such + as the issue's status, severity, description, affected cloud resources (entity + snapshot), and associated projects or source rules. ### Parameters Description @@ -92,8 +111,8 @@ Get Issue Details: | :--- | :--- | :--- | :--- | - | **Issue ID** | String | Yes | The unique identifier of the Wiz issue to retrieve. - This ID is used to query the Wiz GraphQL API for specific issue metadata. | + | **Issue ID** | String | Yes | The unique identifier of the Wiz issue to retrieve + or act upon. | ### Flow Description @@ -101,28 +120,25 @@ Get Issue Details: 1. **Parameter Extraction**: The action extracts the `Issue ID` from the input parameters. - 2. **API Client Initialization**: It initializes the Wiz API client using the - integration's configuration (API Root, Client ID, and Client Secret) and authenticates - via OAuth2 to obtain a bearer token. + 2. **API Initialization**: It initializes the Wiz API client and authenticates + using the integration's credentials (Client ID and Client Secret). - 3. **GraphQL Query Construction**: The action builds a GraphQL query specifically - targeting the provided `Issue ID`. It requests fields such as status, severity, - description, creation/resolution timestamps, and an `entitySnapshot` which includes - cloud platform details (region, subscription, etc.). + 3. **Query Construction**: The action constructs a GraphQL query specifically + designed to fetch detailed fields for the provided Issue ID, including metadata + like `createdAt`, `status`, `severity`, and `entitySnapshot` (cloud platform, + region, etc.). - 4. **Data Retrieval**: The query is sent to the Wiz `/graphql` endpoint via a - POST request. + 4. **Data Retrieval**: It executes a POST request to the Wiz GraphQL endpoint + with the constructed query. - 5. **Result Output**: The action parses the response, converts the issue data - into a structured JSON format, and returns it as the action result. + 5. **Result Processing**: The response is parsed into an Issue data model and + returned as a JSON result for use in subsequent playbook steps. ### Additional Notes - - This is a read-only action and does not perform any mutations in the Wiz environment. - - - If the specified `Issue ID` is invalid or does not exist, the action will return - an explicit 'Issue not found' error. + This action does not operate on SecOps entities (like IPs or Hostnames) automatically; + it requires the manual or dynamic input of a Wiz-specific Issue ID. capabilities: can_create_case_comments: false can_create_insight: false @@ -150,49 +166,90 @@ Get Issue Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ignore Issue: ai_description: >- ### General Description - The **Ignore Issue** action allows users to ignore a specific issue within the - Wiz platform. This is typically used for issues identified as false positives, - exceptions, or those that will not be fixed. Note that this action is specifically - compatible with **Graph Control** or **Cloud Configuration** issues. + The **Ignore Issue** action allows analysts to dismiss or ignore specific security + findings within the Wiz platform. It is specifically designed to handle **Graph + Control** or **Cloud Configuration** issues. By executing this action, the status + of the identified issue in Wiz is transitioned to 'REJECTED', effectively removing + it from the active queue based on the provided justification. - ### Parameters + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Issue ID** | String | Yes | The unique identifier of the issue in Wiz to be - ignored. | + | **Issue ID** | String | Yes | The unique identifier (ID) of the issue in Wiz + that you want to ignore. | - | **Resolution Reason** | DDL | No | The reason for ignoring the issue. Options - include: `False Positive`, `Exception`, `Won't Fix`. Defaults to `False Positive`. - | + | **Resolution Reason** | DDL | No | The reason for ignoring the issue. Available + options are: `False Positive`, `Exception`, or `Won't Fix`. Defaults to `False + Positive`. | - | **Resolution Note** | String | Yes | A mandatory note providing additional context - or justification for ignoring the issue. | + | **Resolution Note** | String | Yes | A mandatory text field to provide additional + context or justification for why this issue is being ignored. | + + + ### Additional Notes + + * **Scope:** This action is restricted to Graph Control and Cloud Configuration + issues within Wiz. + + * **State Change:** This is a mutation action that changes the state of data + in the external Wiz environment. + + * **Discrepancy Note:** While the `Resolution Reason` is marked as non-mandatory + in the configuration, the underlying logic applies a default value of 'False Positive' + if not provided. ### Flow Description - 1. **Parameter Extraction**: The action retrieves the Issue ID, Resolution Reason, - and Resolution Note from the input parameters. + 1. **Parameter Extraction:** The action retrieves the `Issue ID`, `Resolution + Reason`, and `Resolution Note` from the user input. + + 2. **Validation:** It validates that the `Resolution Reason` matches the allowed + values defined in the Wiz integration constants. - 2. **Validation**: It validates that the provided Resolution Reason matches the - allowed values (False Positive, Exception, Won't Fix) defined in the integration - constants. + 3. **API Initialization:** An authenticated GraphQL API client is initialized + to communicate with the Wiz instance. - 3. **API Interaction**: It executes a GraphQL mutation against the Wiz API to - update the status of the specified issue to `REJECTED`, applying the selected - resolution reason and the provided note. + 4. **Mutation Execution:** The action sends a GraphQL mutation request to Wiz + to update the specified issue's status to `REJECTED`, attaching the chosen reason + and the provided note. - 4. **Result Processing**: Upon a successful API response, the action returns the - updated issue details as a JSON result and outputs a success message to the case - wall. + 5. **Result Processing:** Upon success, the action retrieves the updated issue + details from the API response, populates the JSON results, and confirms the successful + update in the output message. capabilities: can_create_case_comments: false can_create_insight: false @@ -201,9 +258,9 @@ Ignore Issue: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the status of a specified issue in Wiz to 'REJECTED' and attaches a - resolution reason and a mandatory note. - fetches_data: false + Updates the status of a specified issue in the Wiz platform to 'REJECTED' and + applies a resolution reason and note. + fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false @@ -222,48 +279,68 @@ Ignore Issue: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: true Ping: ai_description: >- - ### General Description + The Ping action is used to verify the connectivity between Google SecOps and the + Wiz platform. It ensures that the provided integration parameters (API Root, Client + ID, and Client Secret) are correct and that the service is reachable. - The **Ping** action is a diagnostic utility designed to verify the connection - between Google SecOps and the Wiz platform. Its primary purpose is to ensure that - the integration's configuration parameters, such as the API Root, Client ID, and - Client Secret, are correct and that the environment can successfully communicate - with the Wiz API. + ### Flow Description: - ### Parameters + 1. **Initialization**: The action initializes the Wiz API client using the provided + configuration parameters, including the API Root and SSL verification settings. - There are no input parameters for this action. It relies entirely on the integration's - global configuration settings. + 2. **Authentication**: It authenticates with the Wiz OAuth2 service using the + Client ID and Client Secret to obtain a bearer token. + 3. **Connectivity Test**: It executes a minimal GraphQL query to the Wiz `/graphql` + endpoint, attempting to retrieve the ID of a single issue to confirm API access. - ### Additional Notes + 4. **Validation**: The action validates the HTTP response and GraphQL errors. + If successful, it returns a confirmation message. - - This action does not process any entities. - - It performs a read-only operation and has no impact on the data stored in Wiz. + ### Parameters Description: - - According to standard SOAR practices, Ping actions are not categorized as enrichment. + | Parameter Name | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Flow Description + | None | N/A | N/A | This action does not take any input parameters. It relies + solely on the integration's global configuration. | - 1. **Client Initialization**: The action initializes the Wiz API client using - the global integration parameters (API Root, Client ID, Client Secret, and SSL - verification settings). - 2. **Authentication**: It performs an OAuth2 handshake with the Wiz authentication - server to obtain a bearer token. + ### Additional Notes: - 3. **Connectivity Test**: The action executes a minimal GraphQL query (fetching - the ID of a single issue) to the Wiz `/graphql` endpoint to verify that the token - is valid and the API is responsive. + - This action is primarily used for troubleshooting and initial setup verification. - 4. **Response Validation**: The action checks the HTTP status code and the GraphQL - response body. If successful, it returns a confirmation message; otherwise, it - raises an error with details about the failure. + - It does not process any entities or modify any data within Wiz or Google SecOps. capabilities: can_create_case_comments: false can_create_insight: false @@ -272,7 +349,7 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: false + fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false @@ -291,50 +368,69 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Reopen Issue: ai_description: >- ### General Description - The **Reopen Issue** action allows users to change the status of a specific issue - in Wiz back to 'OPEN'. This is typically used when an issue was previously resolved - or ignored but requires further investigation or remediation. The action interacts - with the Wiz GraphQL API to perform a status update mutation. + The **Reopen Issue** action allows users to change the status of a specific security + issue in Wiz back to **OPEN**. This is typically used when a previously resolved + or ignored issue is found to be still relevant or requires further investigation. + The action interacts with the Wiz GraphQL API to perform a state change on the + specified issue. ### Parameters Description - | Parameter | Type | Mandatory | Description | + | Parameter | Description | Type | Mandatory | | :--- | :--- | :--- | :--- | - | **Issue ID** | String | Yes | The unique identifier of the issue in Wiz that - you want to reopen. | + | **Issue ID** | The unique identifier of the issue in Wiz to be reopened. | String + | Yes | ### Flow Description - 1. **Parameter Extraction**: The action retrieves the mandatory `Issue ID` from - the input parameters. + 1. **Parameter Extraction**: The action retrieves the `Issue ID` provided by the + user from the action parameters. - 2. **API Initialization**: It initializes the Wiz API client using the integration's - configuration (API Root, Client ID, Client Secret). + 2. **API Initialization**: Establishes an authenticated connection to the Wiz + API using the configured API Root, Client ID, and Client Secret. - 3. **Mutation Execution**: The action constructs and sends a GraphQL mutation - to the Wiz API, specifically targeting the `updateIssue` endpoint to set the issue's - status to 'OPEN'. + 3. **Mutation Construction**: Builds a GraphQL mutation targeting the `updateIssue` + endpoint. It creates a patch object that specifically sets the issue's status + to `OPEN`. - 4. **Result Processing**: Upon success, the action retrieves the updated issue - object from the response and provides it as a JSON result for downstream use in - the playbook. + 4. **Execution**: Sends the GraphQL mutation request to the Wiz `/graphql` endpoint. - - ### Additional Notes - - - This action requires valid API credentials with permissions to modify issue - statuses in Wiz. - - - If the provided `Issue ID` does not exist, the action will return an error indicating - the issue was not found. + 5. **Result Processing**: Captures the updated issue data from the API response, + converts it into a structured JSON format, and returns a success message indicating + the issue has been reopened. capabilities: can_create_case_comments: false can_create_insight: false @@ -343,8 +439,7 @@ Reopen Issue: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the status of a specified issue in the Wiz platform to 'OPEN' via a - GraphQL mutation. + Changes the status of a specified issue in Wiz to 'OPEN' via a GraphQL mutation. fetches_data: true internal_data_mutation_explanation: null categories: @@ -364,59 +459,79 @@ Reopen Issue: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: true Resolve Issue: ai_description: >- - ### General Description - The **Resolve Issue** action allows users to programmatically resolve a specific - issue within the Wiz platform. This action is specifically designed for managing - **Threat Detection** issues. By providing the unique identifier of an issue, users - can transition its status to 'RESOLVED' while documenting the reason and providing - additional context. + issue within the Wiz platform. This action is specifically intended for use with + **Threat Detection** issues. It updates the issue's status to 'RESOLVED' and allows + the user to provide a specific resolution reason and an optional explanatory note. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Parameter Extraction:** The action retrieves the mandatory `Issue ID` and + optional `Resolution Reason` and `Resolution Note` from the input parameters. - | :--- | :--- | :--- | :--- | + 2. **Validation:** It validates that the provided `Resolution Reason` is one of + the allowed values defined in the Wiz integration constants. - | **Issue ID** | String | Yes | The unique identifier of the issue in Wiz that - needs to be resolved. | + 3. **API Interaction:** The action constructs a GraphQL mutation using the `UpdateIssueMutationBuilder`. + This mutation targets the specified `Issue ID` and applies a patch to change the + status to `RESOLVED` and attach the resolution metadata. - | **Resolution Reason** | DDL | No | The reason for resolving the issue. Supported - values include: `Malicious Threat`, `Not Malicious Threat`, `Security Test Threat`, - `Planned Action Threat`, and `Inconclusive Threat`. Defaults to `Not Malicious - Threat`. | + 4. **Result Processing:** Upon a successful API call, the action parses the returned + JSON (representing the updated state of the issue) and provides a success message + to the user. - | **Resolution Note** | String | No | An optional note providing further context - or details regarding the resolution of the issue. | + ### Parameters Description - ### Flow Description + | Parameter Name | Type | Mandatory | Description | - 1. **Parameter Extraction:** The action retrieves the `Issue ID`, `Resolution - Reason`, and `Resolution Note` from the user input. + | :--- | :--- | :--- | :--- | - 2. **Validation:** It validates that the provided `Resolution Reason` matches - one of the supported values defined in the Wiz integration constants. + | **Issue ID** | String | Yes | The unique identifier of the issue in Wiz that + needs to be resolved. | - 3. **API Interaction:** The action constructs and sends a GraphQL mutation to - the Wiz API. This mutation updates the issue's status to `RESOLVED` and attaches - the specified reason and note. + | **Resolution Reason** | DDL | No | The reason for resolving the issue. Defaults + to 'Not Malicious Threat'. Options include: Malicious Threat, Not Malicious Threat, + Security Test Threat, Planned Action Threat, Inconclusive Threat. | - 4. **Result Handling:** Upon success, the action returns the updated issue object - as JSON and provides a success message. If the issue is not found, it raises an - `IssueNotFoundError`. + | **Resolution Note** | String | No | An optional text note providing additional + context or justification for the resolution. | ### Additional Notes - - This action performs a state change in the external Wiz system by updating the - issue status. + - This action performs a state change in the external Wiz system. - - This action does not operate on SecOps entities (like IPs or Hostnames) but - rather on a specific Wiz Issue ID provided as a string parameter. + - If the specified `Issue ID` does not exist, the action will return an error + indicating the issue was not found. capabilities: can_create_case_comments: false can_create_insight: false @@ -425,9 +540,9 @@ Resolve Issue: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the status of a specified issue in Wiz to 'RESOLVED' and sets the resolution - reason and note. - fetches_data: false + This action changes the status of an issue in the Wiz platform to 'RESOLVED' + and updates its resolution metadata (reason and notes). + fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false @@ -446,3 +561,28 @@ Resolve Issue: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: true diff --git a/content/response_integrations/third_party/partner/wiz/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/wiz/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..a7f7000e9 --- /dev/null +++ b/content/response_integrations/third_party/partner/wiz/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: true + cloud_security: true + collaboration: false + edr: false + email_security: false + iam_and_identity_management: false + itsm: true + network_security: false + siem: false + threat_intelligence: false + vulnerability_management: true diff --git a/content/response_integrations/third_party/partner/xm_cyber/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/xm_cyber/resources/ai/actions_ai_description.yaml index 27768f939..b91d6f604 100644 --- a/content/response_integrations/third_party/partner/xm_cyber/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/xm_cyber/resources/ai/actions_ai_description.yaml @@ -1,80 +1,74 @@ Calculate Risk Score: ai_description: >- - ### General Description - - Calculates a comprehensive risk score for an alert by analyzing XM Cyber enrichment - data embedded within security events and entity properties. This action acts as - a logic engine that transforms raw enrichment attributes into a structured JSON - object, enabling playbooks to make informed filtering and prioritization decisions - based on calculated risk levels. - + Calculates a comprehensive risk score for an alert by processing XM Cyber-specific + attributes found within alert events and entities. This action is designed to + provide a structured JSON output that playbooks can use to filter, prioritize, + or route alerts based on calculated risk levels. It evaluates multiple security + factors such as MFA status, administrative privileges, and asset criticality based + on user-defined weights. - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + ### Flow Description: - | AD Risk to Domain | DDL | Yes | Select the weight for Active Directory risk - to domain values (Disabled, Low, Default, High). | + 1. **Parameter Collection:** Retrieves user-configured risk weights and thresholds + for various categories (e.g., Critical Assets, MFA status, AD risk levels). - | AD Risky Principals | DDL | Yes | Select the weight for Active Directory risky - principals values (Disabled, Low, Default, High). | + 2. **Event Processing:** Iterates through the security events associated with + the current alert, extracting XM Cyber labels and calculating individual risk + scores for assets and users mentioned in the events. - | AD Admins And DCs | DDL | Yes | Select the weight for AD Admins and Domain Controllers - values (Disabled, Low, Default, High). | + 3. **Entity Processing:** Iterates through the alert's entities (specifically + Users and Hostnames), checking for XM Cyber enrichment data in their additional + properties to calculate entity-specific risk scores. - | User without MFA | DDL | Yes | Select the weight for users lacking Multi-Factor - Authentication (Disabled, Low, Default, High). | + 4. **Aggregation:** Consolidates all calculated scores from events and entities, + determining the maximum risk levels and aggregating labels. - | Is Critical Asset | DDL | Yes | Select the weight applied if the entity is identified - as a critical asset (Disabled, Low, Default, High). | + 5. **Output Generation:** Produces a final JSON object containing the base risk + score, calculated risk score, and boolean flags for various risk factors, which + is then attached to the action result. - | Predefined Admin | DDL | Yes | Select the weight applied if the entity is a - predefined administrator (Disabled, Low, Default, High). | - | Highly Privileged | DDL | Yes | Select the weight applied if the entity has - high privileges (Disabled, Low, Default, High). | + ### Parameters Description: - | Compromise Risk Score | DDL | Yes | Select the weight for the XM Cyber Compromise - Risk Score (Low, Default, High). | + | Parameter | Type | Mandatory | Description | - | Choke Point Score | DDL | Yes | Select the weight for the XM Cyber Choke Point - Score (Low, Default, High). | + | :--- | :--- | :--- | :--- | + | AD Risk to Domain | DDL | Yes | Weight for Active Directory risk to the domain + (Disabled, Low, Default, High). | - ### Additional Notes + | AD Risky Principals | DDL | Yes | Weight for AD risky principals (Disabled, + Low, Default, High). | - - This action does not perform external API calls; it processes data already present - in the alert's security events and entity additional properties. + | AD Admins And DCs | DDL | Yes | Weight for AD Administrators and Domain Controllers + (Disabled, Low, Default, High). | - - The final calculated risk score is capped at 100. + | User without MFA | DDL | Yes | Weight for users identified as not having Multi-Factor + Authentication (Disabled, Low, Default, High). | - - The impact score component of the calculation is capped at 1.7. + | Is Critical Asset | DDL | Yes | Weight for entities marked as critical assets + (Disabled, Low, Default, High). | + | Predefined Admin | DDL | Yes | Weight for predefined administrative accounts + (Disabled, Low, Default, High). | - ### Flow Description + | Highly Privileged | DDL | Yes | Weight for highly privileged accounts (Disabled, + Low, Default, High). | - 1. **Parameter Extraction**: Retrieves user-defined weights for various risk factors - (e.g., MFA status, administrative privileges) from the action configuration. + | Compromise Risk Score | DDL | Yes | Sensitivity level for the compromise risk + score (Low, Default, High). | - 2. **Event Analysis**: Iterates through the alert's security events, searching - for XM Cyber specific metadata and labels associated with assets or users. + | Choke Point Score | DDL | Yes | Sensitivity level for the choke point score + (Low, Default, High). | - 3. **Entity Analysis**: Iterates through the alert's target entities (filtered - for Users and Hostnames), checking for XM Cyber enrichment data stored in their - additional properties. - 4. **Scoring Logic**: For each identified entity, it calculates a risk score using - a formula that combines a base score with probability and impact multipliers derived - from the found attributes and configured weights. + ### Additional Notes: - 5. **Aggregation**: Consolidates the findings from all events and entities, selecting - the maximum risk scores and aggregating boolean flags (like 'Is Critical Asset'). + - This action does not perform external API calls; it relies on data previously + populated in the alert or entities (typically by an enrichment action). - 6. **Result Generation**: Produces a final JSON object containing the aggregated - risk profile, which is then attached to the action result for use in playbook - decision-making. + - The final risk score is capped at 100. capabilities: can_create_case_comments: false can_create_insight: false @@ -104,31 +98,75 @@ Calculate Risk Score: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Enrich Entities: - ai_description: "### General Description\nThe **Enrich Entities** action retrieves\ - \ deep contextual information for **HOSTNAME** and **USER** entities from the\ - \ XM Cyber platform. It is designed to provide security analysts with visibility\ - \ into asset criticality, compromise risk scores, and associated attack techniques\ - \ by enriching entities with data stored in the XM Cyber environment.\n\n### Parameters\ - \ Description\nThere are no user-configurable parameters for this action. It automatically\ - \ processes all supported entities within the current alert context based on the\ - \ integration's configuration.\n\n### Flow Description\n1. **Entity Identification**:\ - \ The action identifies all `HOSTNAME` and `USER` entities associated with the\ - \ alert.\n2. **Pre-Enrichment Filtering**: \n * It filters entities to ensure\ - \ they are of supported types.\n * It checks if the entity has already been\ - \ enriched within the last 24 hours by inspecting the `XMC_last_enriched` property\ - \ in the entity's additional properties.\n * It verifies if the entity is already\ - \ present in the security events to avoid redundant processing.\n3. **Data Retrieval**:\ - \ For eligible entities, the action queries the XM Cyber API (`/api/secopsPublisher/entities`)\ - \ using the entity identifiers.\n4. **Data Processing**: The retrieved data (e.g.,\ - \ risk scores, labels, AD risk details) is processed and prefixed with `XMC_`\ - \ to distinguish it from other enrichment sources.\n5. **Entity Update**: The\ - \ action updates the entities' `additional_properties` with the new data and marks\ - \ them as enriched by setting the `is_enriched` flag to `True`.\n\n### Additional\ - \ Notes\n* The action uses either API Key or OAuth-based authentication depending\ - \ on the integration configuration.\n* Enrichment data includes fields such as\ - \ `Compromise Risk Score`, `Is Critical Asset`, `Choke Point Score`, and `Attacked\ - \ By Techniques`." + ai_description: >- + ### General Description + + The **Enrich Entities** action retrieves contextual security data from the XM + Cyber platform for **HOSTNAME** and **USER** entities associated with an alert. + It enriches these entities with attributes such as risk scores, critical asset + status, and security labels, providing analysts with immediate visibility into + the threat landscape surrounding the specific assets or identities. + + + ### Parameters Description + + This action does not require any input parameters. + + + ### Flow Description + + 1. **Entity Identification**: The action identifies all entities of type `HOSTNAME` + and `USER` within the current alert scope. + + 2. **Pre-Enrichment Filtering**: It filters the identified entities to skip those + that: + - Are already present in the alert's security events (to avoid redundant processing). + - Have been enriched within the last 24 hours (based on the `XMC_last_enriched` + property). + 3. **Data Retrieval**: For the remaining entities, the action performs a GET request + to the XM Cyber API to fetch enrichment data. + + 4. **Data Processing**: The response is parsed to extract relevant attributes, + including labels (prefixed with 'XM Cyber - ') and asset/user-specific details. + + 5. **Entity Update**: The action updates the entities' `additional_properties` + with the fetched data (prefixed with `XMC_`), sets the `is_enriched` flag to `true`, + and records the `last_enriched` timestamp. + + + ### Additional Notes + + - This action is designed to be read-only regarding the XM Cyber platform; it + does not modify any data in the external system. + + - The 24-hour enrichment cache ensures efficient API usage and prevents unnecessary + data updates. capabilities: can_create_case_comments: false can_create_insight: false @@ -139,8 +177,8 @@ Enrich Entities: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with enrichment data from XM Cyber and - sets the is_enriched flag to true. + Updates entity additional properties with enrichment data (e.g., risk scores, + labels) from XM Cyber and sets the 'is_enriched' flag to true. categories: enrichment: true entity_usage: @@ -160,55 +198,78 @@ Enrich Entities: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Get Event Data JSON: ai_description: >- ### General Description - The **Get Event Data JSON** action aggregates XM Cyber-specific metadata from - both the security events of an alert and the entities associated with the case. - It compiles this information into a structured JSON object, mapping entity identifiers - to their full XM Cyber context (e.g., risk scores, criticality, and labels). This - allows playbooks to easily access consolidated threat intelligence and direct - portal links for all relevant entities in a single step. - + The **Get Event Data JSON** action is a utility designed to aggregate and format + XM Cyber enrichment data already present within a Google SecOps alert. It scans + both the security events associated with the alert and the entities (specifically + Users and Hostnames) for XM Cyber-specific attributes. The action compiles this + information into a structured JSON object, making it easier for subsequent playbook + steps or analysts to access consolidated risk scores, asset criticality, and direct + links to the XM Cyber management console. - ### Parameters Description - | Parameter | Type | Mandatory | Description | + ### Parameters - | :--- | :--- | :--- | :--- | + This action does not require any input parameters. - | None | N/A | N/A | This action does not have any input parameters. | + ### Flow Description - ### Additional Notes - - - This action is a data-processing utility and does not communicate with the XM - Cyber API during execution. - - - It relies on data being present from previous enrichment steps or ingestion - mapping within the alert's `security_events` or the case's `target_entities`. + 1. **Data Retrieval**: The action fetches the list of security events and target + entities from the current alert context. + 2. **Event Parsing**: It iterates through security events, looking for XM Cyber + product object IDs for assets and users in the event's additional properties. - ### Flow Description + 3. **Entity Parsing**: It filters target entities for Hostnames and Users, checking + their additional properties for existing XM Cyber enrichment data (prefixed with + 'XMC'). - 1. **Retrieve Context**: The action fetches all security events associated with - the current alert and all target entities in the case. + 4. **Data Consolidation**: For each identified entity, it extracts relevant parameters + such as 'Compromise Risk Score', 'Is Critical Asset', and 'Attacked By Techniques'. - 2. **Process Events**: It scans alert events for XM Cyber identifiers and attributes - (e.g., labels, product object IDs) for assets and users. + 5. **URL Generation**: It constructs a direct deep-link URL to the entity's overview + page in the XM Cyber portal using the configured Base URL from the integration + settings. - 3. **Process Entities**: It filters case entities (Hostnames and Users) for those - containing XM Cyber enrichment data in their `additional_properties`. + 6. **Output**: The final consolidated mapping of entity IDs to their respective + XM Cyber attributes is returned as a JSON object. - 4. **Map Attributes**: For each identified entity, it extracts specific XM Cyber - fields such as 'Choke Point Score', 'Compromise Risk Score', and 'AD Risk'. - 5. **Generate Links**: It constructs direct URLs to the XM Cyber portal for each - entity using the integration's base URL. + ### Additional Notes - 6. **Output Results**: It compiles all gathered data into a single JSON object - and returns it as the action result. + This action does not perform any external API calls; it relies entirely on data + that has been previously ingested or enriched within the SecOps platform. If no + XM Cyber-specific data is found in the events or entities, the action will complete + successfully but return an empty JSON object. capabilities: can_create_case_comments: false can_create_insight: false @@ -238,26 +299,50 @@ Get Event Data JSON: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Ping: - ai_description: "### General Description\nThe **Ping** action is a diagnostic tool\ - \ designed to verify the connectivity and authentication configuration between\ - \ Google SecOps and the XM Cyber platform. It ensures that the provided Base URL\ - \ and credentials (either API Key or Access Token) are valid and that the network\ - \ path is open.\n\n### Parameters Description\nThere are no action-specific parameters\ - \ for this action. It relies entirely on the integration's global configuration\ - \ settings (Base URL, API Key, and Authentication Type).\n\n### Flow Description\n\ - 1. **Configuration Retrieval**: The action fetches the integration's global settings,\ - \ including the Base URL, API Key, and the selected authentication method (API\ - \ Key vs. Access Token).\n2. **API Manager Initialization**: It initializes the\ - \ internal API communication module.\n3. **Connectivity Test**: \n * If using\ - \ **API Key Authentication**, the action performs a `POST` request to the `/api/auth/`\ - \ endpoint to validate the key.\n * If using **Access Token Based Authentication**,\ - \ it initializes the OAuth2 flow, which involves attempting to retrieve or refresh\ - \ an access token.\n4. **Status Reporting**: If the authentication handshake is\ - \ successful, the action returns a success message. If any step fails (e.g., 401\ - \ Unauthorized, connection timeout), it captures the error and reports a failure.\n\ - \n### Additional Notes\nThis action is intended for setup and troubleshooting\ - \ purposes and does not interact with specific security entities or alert data." + ai_description: "### General Description\nTests the connectivity and authentication\ + \ configuration for the XM Cyber integration. This action ensures that the Google\ + \ SecOps environment can successfully communicate with the XM Cyber API using\ + \ the provided Base URL and credentials (either API Key or OAuth-based).\n\n###\ + \ Parameters Description\nThis action does not have any parameters.\n\n### Additional\ + \ Notes\nThis action is primarily used for initial setup verification and troubleshooting\ + \ connection issues. It does not interact with any entities or modify any data\ + \ within XM Cyber or Google SecOps.\n\n### Flow Description\n1. **Retrieve Configuration:**\ + \ The action extracts the integration's global settings, including the Authentication\ + \ Type (API Key or OAuth), Base URL, and API Key.\n2. **Initialize API Manager:**\ + \ It sets up the communication handler based on the selected authentication method.\n\ + 3. **Connectivity Check:** \n - If using **API Key Authentication**, the action\ + \ performs a POST request to the `/api/auth/` endpoint to verify the validity\ + \ of the API Key.\n - If using **OAuth Authentication**, the action initializes\ + \ the OAuth manager and client to ensure tokens can be successfully retrieved\ + \ or refreshed.\n4. **Finalize Execution:** If the connection is established without\ + \ errors, the action returns a success status. If any step fails (e.g., invalid\ + \ credentials or network timeout), it captures the error and reports a failure." capabilities: can_create_case_comments: false can_create_insight: false @@ -265,9 +350,9 @@ Ping: can_mutate_external_data: false can_mutate_internal_data: false can_update_entities: false - external_data_mutation_explanation: null + external_data_mutation_explanation: 'null' fetches_data: false - internal_data_mutation_explanation: null + internal_data_mutation_explanation: 'null' categories: enrichment: false entity_usage: @@ -285,15 +370,42 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false Push Breach Point Data: ai_description: >- ### General Description - The **Push Breach Point Data** action allows users to apply specific labels (attributes) - to entities within the XM Cyber platform based on filtering criteria defined in - Google SecOps. This action is typically used to tag entities involved in a security - incident as 'Breach Points' or other custom designations within the XM Cyber environment - for further risk analysis and visibility. + The **Push Breach Point Data** action is designed to synchronize security context + between Google SecOps and the XM Cyber platform. It identifies specific entities + (Users and Hosts) within a SecOps alert or event that meet user-defined criteria + and applies a custom label (Breach Point attribute) to those entities in the XM + Cyber inventory. This allows analysts to tag assets involved in a breach or high-risk + scenario directly from the SOAR, facilitating better visibility and risk management + within the XM Cyber console. ### Parameters Description @@ -302,52 +414,57 @@ Push Breach Point Data: | :--- | :--- | :--- | :--- | - | **Attribute Name** | String | Yes | The name of the attribute/label to be pushed - to XM Cyber (e.g., `Google_SecOps_BP`). | + | **Attribute Name** | string | Yes | The name of the label or attribute to be + pushed to the entities in XM Cyber. Defaults to `Google_SecOps_BP`. | - | **Parameter** | DDL | Yes | The entity or event property to evaluate (e.g., - `Compromised Risk Score`, `Is Critical Asset`, `entityID`, `Labels`). | + | **Parameter** | ddl | Yes | The specific field or attribute of the entity/event + to evaluate against the criteria. Options include `All` (to process all entities), + `entityID`, `Compromised Risk Score`, `Is Critical Asset`, and various other enriched + metadata fields. | - | **Operator** | DDL | Yes | The logical operator used to compare the `Parameter` - against the `Value` (e.g., `Equals`, `Greater than`, `Contains`). | + | **Operator** | ddl | Yes | The logical operator used to compare the selected + **Parameter** with the **Value**. Supports standard comparisons like `Equals`, + `Contains`, `Greater than`, etc. | - | **Value** | String | Yes | The specific value to match against the chosen `Parameter`. - | + | **Value** | string | Yes | The target value used for matching against the entity's + parameter value. | ### Flow Description - 1. **Authentication**: The action authenticates with the XM Cyber API using either - API Key or OAuth (Access Token) credentials. + 1. **Authentication:** The action authenticates with the XM Cyber API using either + API Key or OAuth-based credentials provided in the integration settings. + + 2. **Parameter Extraction:** It retrieves the user-defined criteria, including + the attribute name to push and the logic for entity selection (Parameter, Operator, + and Value). - 2. **Input Validation**: It validates the user-provided criteria (Parameter, Operator, - Value) to ensure they are compatible (e.g., ensuring 'Contains' is only used with - list-based parameters). + 3. **Entity Identification:** The action scans both the security events associated + with the alert and the target entities in the SecOps case. It specifically looks + for `USER` and `HOSTNAME` entity types. - 3. **Entity Identification**: - - The action scans all **Security Events** associated with the current alert - to identify asset or user IDs. - - It scans all **Target Entities** (specifically Hostnames and Users) in the - current case scope. - 4. **Criteria Evaluation**: For each identified entity, the action checks if its - properties (retrieved from `additional_properties` populated by previous enrichment) - match the specified criteria. + 4. **Criteria Evaluation:** For each identified entity, the action checks if it + matches the specified criteria. If the **Parameter** is set to `All`, all supported + entities are selected. Otherwise, it evaluates the entity's properties (including + enriched XM Cyber data stored in additional properties) against the operator and + value. - 5. **Data Push**: For every entity that meets the criteria, the action sends a - POST request to the XM Cyber API to apply the specified label (e.g., setting the - attribute to `true`). + 5. **Data Push:** For all entities that meet the criteria, the action sends a + POST request to the XM Cyber endpoint `/api/entityInventory/applyImportedLabelsOnEntities` + to apply the specified **Attribute Name** with a value of `true`. - 6. **Completion**: The action returns a summary of the entities successfully updated - in the XM Cyber platform. + 6. **Reporting:** The action concludes by providing a summary of the entities + successfully updated in XM Cyber. ### Additional Notes - - This action requires entities to have been previously enriched by XM Cyber (specifically - requiring the `XMC_product_object_id` property) to successfully map them back - to the XM Cyber platform. + - This action requires that entities have been previously enriched or contain + the `XMC_product_object_id` (for SOAR entities) or `productObjectId` (for event + principals) to correctly map them to XM Cyber records. - - Supported entity types are **HOSTNAME** and **USER**. + - If the **Attribute Name** is left blank in the configuration, it defaults to + `Google_SecOps_BP`. capabilities: can_create_case_comments: false can_create_insight: false @@ -356,16 +473,16 @@ Push Breach Point Data: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Applies labels/attributes to entities in the XM Cyber platform via a POST request - to the `/api/entityInventory/applyImportedLabelsOnEntities` endpoint. + Adds or updates labels/attributes on entities within the XM Cyber platform inventory + via a POST request. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: entity_types: - - HOSTNAME - USERUNIQNAME + - HOSTNAME filters_by_additional_properties: true filters_by_alert_identifier: false filters_by_case_identifier: false @@ -379,3 +496,28 @@ Push Breach Point Data: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_email: false + search_events: false + send_email: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: true + update_ticket: false diff --git a/content/response_integrations/third_party/partner/xm_cyber/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/xm_cyber/resources/ai/integration_ai_description.yaml new file mode 100644 index 000000000..b52752603 --- /dev/null +++ b/content/response_integrations/third_party/partner/xm_cyber/resources/ai/integration_ai_description.yaml @@ -0,0 +1,12 @@ +product_categories: + asset_inventory: true + cloud_security: false + collaboration: false + edr: false + email_security: false + iam_and_identity_management: true + itsm: false + network_security: false + siem: false + threat_intelligence: false + vulnerability_management: true From a3efe7e594946e373ac7f160d9a919616c4047c7 Mon Sep 17 00:00:00 2001 From: talshapir Date: Mon, 6 Apr 2026 12:12:48 +0300 Subject: [PATCH 13/26] update dependencies --- packages/mp/pyproject.toml | 4 +-- packages/mp/uv.lock | 50 +++++++++++++++++++------------------- 2 files changed, 27 insertions(+), 27 deletions(-) diff --git a/packages/mp/pyproject.toml b/packages/mp/pyproject.toml index 0e43e5cd0..c8f1f2152 100644 --- a/packages/mp/pyproject.toml +++ b/packages/mp/pyproject.toml @@ -44,7 +44,7 @@ dependencies = [ "jinja2>=3.1.6", "deepdiff>=8.6.1", "platformdirs>=4.5.0", - "ty>=0.0.28", + "ty>=0.0.29", "ruamel-yaml == 0.17.40", "google-genai>=1.70.0", "tenacity>=9.1.2", @@ -55,7 +55,7 @@ dependencies = [ [dependency-groups] dev = [ - "hypothesis>=6.147.0", + "hypothesis>=6.151.11", "pytest>=8.4.0", "pytest-cov>=6.2.1", "pytest-xdist>=3.7.0", diff --git a/packages/mp/uv.lock b/packages/mp/uv.lock index 8a70cc677..ee6771a1f 100644 --- a/packages/mp/uv.lock +++ b/packages/mp/uv.lock @@ -303,14 +303,14 @@ wheels = [ [[package]] name = "hypothesis" -version = "6.151.10" +version = "6.151.11" source = { registry = "https://pypi.org/simple" } dependencies = [ { name = "sortedcontainers" }, ] -sdist = { url = "https://files.pythonhosted.org/packages/f5/dd/633e2cd62377333b7681628aee2ec1d88166f5bdf916b08c98b1e8288ad3/hypothesis-6.151.10.tar.gz", hash = "sha256:6c9565af8b4aa3a080b508f66ce9c2a77dd613c7e9073e27fc7e4ef9f45f8a27", size = 463762, upload-time = "2026-03-29T01:06:22.19Z" } +sdist = { url = "https://files.pythonhosted.org/packages/a9/58/41af0d539b3c95644d1e4e353cbd6ac9473e892ea21802546a8886b79078/hypothesis-6.151.11.tar.gz", hash = "sha256:f33dcb68b62c7b07c9ac49664989be898fa8ce57583f0dc080259a197c6c7ff1", size = 463779, upload-time = "2026-04-05T17:35:55.935Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/40/da/439bb2e451979f5e88c13bbebc3e9e17754429cfb528c93677b2bd81783b/hypothesis-6.151.10-py3-none-any.whl", hash = "sha256:b0d7728f0c8c2be009f89fcdd6066f70c5439aa0f94adbb06e98261d05f49b05", size = 529493, upload-time = "2026-03-29T01:06:19.161Z" }, + { url = "https://files.pythonhosted.org/packages/1d/06/f49393eca84b87b17a67aaebf9f6251190ba1e9fe9f2236504049fc43fee/hypothesis-6.151.11-py3-none-any.whl", hash = "sha256:7ac05173206746cec8312f95164a30a4eb4916815413a278922e63ff1e404648", size = 529572, upload-time = "2026-04-05T17:35:53.438Z" }, ] [[package]] @@ -460,14 +460,14 @@ requires-dist = [ { name = "tenacity", specifier = ">=9.1.2" }, { name = "toml", specifier = ">=0.10.2" }, { name = "toon-format", git = "https://github.com/toon-format/toon-python.git" }, - { name = "ty", specifier = ">=0.0.28" }, + { name = "ty", specifier = ">=0.0.29" }, { name = "typer", specifier = ">=0.16.0" }, { name = "uv", specifier = ">=0.7.13" }, ] [package.metadata.requires-dev] dev = [ - { name = "hypothesis", specifier = ">=6.147.0" }, + { name = "hypothesis", specifier = ">=6.151.11" }, { name = "pytest", specifier = ">=8.4.0" }, { name = "pytest-cov", specifier = ">=6.2.1" }, { name = "pytest-xdist", specifier = ">=3.7.0" }, @@ -848,26 +848,26 @@ source = { git = "https://github.com/toon-format/toon-python.git#90861444e5bf7d6 [[package]] name = "ty" -version = "0.0.28" -source = { registry = "https://pypi.org/simple" } -sdist = { url = "https://files.pythonhosted.org/packages/19/c2/a60543fb172ac7adaa3ae43b8db1d0dcd70aa67df254b70bf42f852a24f6/ty-0.0.28.tar.gz", hash = "sha256:1fbde7bc5d154d6f047b570d95665954fa83b75a0dce50d88cf081b40a27ea32", size = 5447781, upload-time = "2026-04-02T21:34:33.556Z" } -wheels = [ - { url = "https://files.pythonhosted.org/packages/fe/15/c2aa3d4633e6153a2e300d7dd0ebdedf904a60241d1922566f31c5f7f211/ty-0.0.28-py3-none-linux_armv6l.whl", hash = "sha256:6dbfb27524195ab1715163d7be065cc45037509fe529d9763aff6732c919f0d8", size = 10556282, upload-time = "2026-04-02T21:35:04.165Z" }, - { url = "https://files.pythonhosted.org/packages/60/9c/f6183838df89e9692235a71a69a9d4e0f12481bbdf1883f47010075793b0/ty-0.0.28-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:8c72a899ba94f7438bd07e897a84b36526b385aaf01d6f3eb6504e869232b3a6", size = 10425770, upload-time = "2026-04-02T21:34:49.144Z" }, - { url = "https://files.pythonhosted.org/packages/68/82/e9208383412f8a320537ef4c44a768d2cb6c1330d9ab33087f0b932ccd1b/ty-0.0.28-py3-none-macosx_11_0_arm64.whl", hash = "sha256:eef67f9cdfd31677bde801b611741dde779271ec6f471f818c7c6eccf515237f", size = 9899999, upload-time = "2026-04-02T21:34:40.297Z" }, - { url = "https://files.pythonhosted.org/packages/4d/26/0442f49589ba393fbd3b50751f8bb82137b036bc509762884f7b21c511d1/ty-0.0.28-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:70e7b98a91d8245641be1e4b55af8bc9b1ae82ec189794d35e14e546f1e15e66", size = 10400725, upload-time = "2026-04-02T21:34:42.779Z" }, - { url = "https://files.pythonhosted.org/packages/57/d9/64128f1a7ceba72e49f35dd562533f44d4c56d0cf62efb21692377819dbc/ty-0.0.28-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:9bd83d4ad9f99078b830aabb47792fac6dc39368bb0f72f3cc14607173ed6e25", size = 10387410, upload-time = "2026-04-02T21:34:46.889Z" }, - { url = "https://files.pythonhosted.org/packages/cc/52/498b6bdd1d0a985fd14ce83c31186f3b838ad79efdf68ce928f441a6962b/ty-0.0.28-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:0172984fc2fcd3e47ccd5da69f36f632cddc410f9a093144a05ad07d67cf06ed", size = 10880982, upload-time = "2026-04-02T21:34:53.687Z" }, - { url = "https://files.pythonhosted.org/packages/f4/c8/fefd616f38a250b28f62ba73728cb6061715f03df0a610dce558a0fdfc0a/ty-0.0.28-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:e0bbf47d2bea82a09cab2ca4f48922d6c16a36608447acdc64163cd19beb28d3", size = 11459056, upload-time = "2026-04-02T21:34:31.642Z" }, - { url = "https://files.pythonhosted.org/packages/16/15/9e18d763a5ef9c6a69396876586589fd5e0fd0acba35fae8a9a169680f48/ty-0.0.28-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:1774c9a0fb071607e3bdfa0ce8365488ac46809fc04ad1706562a8709a023247", size = 11156341, upload-time = "2026-04-02T21:35:01.824Z" }, - { url = "https://files.pythonhosted.org/packages/89/29/8ac0281fc44c3297f0e58699ebf993c13621e32a0fab1025439d3ea8a2f1/ty-0.0.28-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:f2849d6d212af78175430e8cc51a962a53851458182eb44a981b0e3981163177", size = 11006089, upload-time = "2026-04-02T21:34:38.111Z" }, - { url = "https://files.pythonhosted.org/packages/dd/de/5b5fdbe3bdb5c6f4918b33f1c55cd975b3d606057089a822439d5151bf93/ty-0.0.28-py3-none-musllinux_1_2_aarch64.whl", hash = "sha256:3c576c15b867b3913c4a1d9be30ade4682303e24a576d2cc99bfd8f25ae838e9", size = 10367739, upload-time = "2026-04-02T21:34:57.679Z" }, - { url = "https://files.pythonhosted.org/packages/80/82/abdfb27ab988e6bd09502a4573f64a7e72db3e83acd7886af54448703c97/ty-0.0.28-py3-none-musllinux_1_2_armv7l.whl", hash = "sha256:2e5f13d10b3436bee3ea35851e5af400123f6693bfae48294ddfbbf553fa51ef", size = 10399528, upload-time = "2026-04-02T21:34:51.398Z" }, - { url = "https://files.pythonhosted.org/packages/ba/74/3ccbe468e8480ba53f83a1e52481d3e11756415f0ca1297fb2da65e29612/ty-0.0.28-py3-none-musllinux_1_2_i686.whl", hash = "sha256:759db467e399faedc7d5f1ca4b383dd8ecc71d7d79b2ca6ea6db4ac8e643378a", size = 10586771, upload-time = "2026-04-02T21:34:35.912Z" }, - { url = "https://files.pythonhosted.org/packages/ee/79/545c76dcef0c3f89fb733ec46118aed2a700e79d4e22cb142e3b5a80286c/ty-0.0.28-py3-none-musllinux_1_2_x86_64.whl", hash = "sha256:0cd44e3c857951cbf3f8647722ca87475614fac8ac0371eb1f200a942315a2c2", size = 11110550, upload-time = "2026-04-02T21:34:55.65Z" }, - { url = "https://files.pythonhosted.org/packages/2c/e4/e3c6f71c95a2cbabd7d88fd698b00b8af48e39aa10e0b10b839410fc3c6d/ty-0.0.28-py3-none-win32.whl", hash = "sha256:88e2c784ec5e0e2fb01b137d92fd595cdc27b98a553f4bb34b8bf138bac1be1e", size = 9985411, upload-time = "2026-04-02T21:34:44.763Z" }, - { url = "https://files.pythonhosted.org/packages/8c/e5/79dbab4856d3d15e5173314ff1846be65d58b31de6efe62ef1c25c663b32/ty-0.0.28-py3-none-win_amd64.whl", hash = "sha256:faaffbef127cb67560ad6dbc6a8f8845a4033b818bcc78ad7af923e02df199db", size = 10986548, upload-time = "2026-04-02T21:34:59.886Z" }, - { url = "https://files.pythonhosted.org/packages/01/b2/cc987aaf5babacc55caf0aeb751c83401e86e05e22ce82dace5a7e7e5354/ty-0.0.28-py3-none-win_arm64.whl", hash = "sha256:34a18ea09ee09612fb6555deccf1eed810e6f770b61a41243b494bcb7f624a1c", size = 10388573, upload-time = "2026-04-02T21:34:29.219Z" }, +version = "0.0.29" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/47/d5/853561de49fae38c519e905b2d8da9c531219608f1fccc47a0fc2c896980/ty-0.0.29.tar.gz", hash = "sha256:e7936cca2f691eeda631876c92809688dbbab68687c3473f526cd83b6a9228d8", size = 5469221, upload-time = "2026-04-05T15:01:21.328Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/03/b7/911f9962115acfa24e3b2ec9d4992dd994c38e8769e1b1d7680bb4d28a51/ty-0.0.29-py3-none-linux_armv6l.whl", hash = "sha256:b8a40955f7660d3eaceb0d964affc81b790c0765e7052921a5f861ff8a471c30", size = 10568206, upload-time = "2026-04-05T15:01:19.165Z" }, + { url = "https://files.pythonhosted.org/packages/fe/c3/fcae2167d4c77a97269f92f11d1b43b03617f81de1283d5d05b43432110c/ty-0.0.29-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:6b6849adae15b00bbe2d3c5b078967dcb62eba37d38936b8eeb4c81a82d2e3b8", size = 10442530, upload-time = "2026-04-05T15:01:28.471Z" }, + { url = "https://files.pythonhosted.org/packages/97/33/5a6bfa240cfcb9c36046ae2459fa9ea23238d20130d8656ff5ac4d6c012a/ty-0.0.29-py3-none-macosx_11_0_arm64.whl", hash = "sha256:dcdd9b17209788152f7b7ea815eda07989152325052fe690013537cc7904ce49", size = 9915735, upload-time = "2026-04-05T15:01:10.365Z" }, + { url = "https://files.pythonhosted.org/packages/b3/1e/318f45fae232118e81a6306c30f50de42c509c412128d5bd231eab699ffb/ty-0.0.29-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:9d8ed4789bae78ffaf94462c0d25589a734cab0366b86f2bbcb1bb90e1a7a169", size = 10419748, upload-time = "2026-04-05T15:01:32.375Z" }, + { url = "https://files.pythonhosted.org/packages/a9/a8/5687872e2ab5a0f7dd4fd8456eac31e9381ad4dc74961f6f29965ad4dd91/ty-0.0.29-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:91ec374b8565e0ad0900011c24641ebbef2da51adbd4fb69ff3280c8a7eceb02", size = 10394738, upload-time = "2026-04-05T15:01:06.473Z" }, + { url = "https://files.pythonhosted.org/packages/de/68/015d118097eeb95e6a44c4abce4c0a28b7b9dfb3085b7f0ee48e4f099633/ty-0.0.29-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:298a8d5faa2502d3810bbbb47a030b9455495b9921594206043c785dd61548cf", size = 10910613, upload-time = "2026-04-05T15:01:17.17Z" }, + { url = "https://files.pythonhosted.org/packages/1c/01/47ce3c6c53e0670eadbe80756b167bf80ed6681d1ba57cfde2e8065a13d1/ty-0.0.29-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:3c8fba1a3524c6109d1e020d92301c79d41bf442fa8d335b9fa366239339cb70", size = 11475750, upload-time = "2026-04-05T15:01:30.461Z" }, + { url = "https://files.pythonhosted.org/packages/c4/cf/e361845b1081c9264ad5b7c963231bab03f2666865a9f2a115c4233f2137/ty-0.0.29-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:4c48adf88a70d264128c39ee922ed14a947817fced1e93c08c1a89c9244edcde", size = 11190055, upload-time = "2026-04-05T15:01:12.369Z" }, + { url = "https://files.pythonhosted.org/packages/79/12/0fb0857e9a62cb11586e9a712103877bbf717f5fb570d16634408cfdefee/ty-0.0.29-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:2ce0a7a0e96bc7b42518cd3a1a6a6298ef64ff40ca4614355c1aa807059b5c6f", size = 11020539, upload-time = "2026-04-05T15:01:37.022Z" }, + { url = "https://files.pythonhosted.org/packages/20/36/5a26753802083f80cd125db6c4348ad42b3c982ec36e718e0bf4c18f75e5/ty-0.0.29-py3-none-musllinux_1_2_aarch64.whl", hash = "sha256:a6ac86a05b4a3731d45365ab97780acc7b8146fa62fccb3cbe94fe6546c67a97", size = 10396399, upload-time = "2026-04-05T15:01:26.167Z" }, + { url = "https://files.pythonhosted.org/packages/00/e6/b4e75b5752239ab3ab400f19faef4dbef81d05aab5d3419fda0c062a3765/ty-0.0.29-py3-none-musllinux_1_2_armv7l.whl", hash = "sha256:6bbbf53141af0f3150bf288d716263f1a3550054e4b3551ca866d38192ba9891", size = 10421461, upload-time = "2026-04-05T15:01:08.367Z" }, + { url = "https://files.pythonhosted.org/packages/c0/21/1084b5b609f9abed62070ec0b31c283a403832a6310c8bbc208bd45ee1e6/ty-0.0.29-py3-none-musllinux_1_2_i686.whl", hash = "sha256:1c9e06b770c1d0ff5efc51e34312390db31d53fcf3088163f413030b42b74f84", size = 10599187, upload-time = "2026-04-05T15:01:23.52Z" }, + { url = "https://files.pythonhosted.org/packages/ab/a1/ce19a2ca717bbcc1ee11378aba52ef70b6ce5b87245162a729d9fdc2360f/ty-0.0.29-py3-none-musllinux_1_2_x86_64.whl", hash = "sha256:0307fe37e3f000ef1a4ae230bbaf511508a78d24a5e51b40902a21b09d5e6037", size = 11121198, upload-time = "2026-04-05T15:01:15.22Z" }, + { url = "https://files.pythonhosted.org/packages/6b/6b/f1430b279af704321566ce7ec2725d3d8258c2f815ebd93e474c64cd4543/ty-0.0.29-py3-none-win32.whl", hash = "sha256:7a2a898217960a825f8bc0087e1fdbaf379606175e98f9807187221d53a4a8ed", size = 9995331, upload-time = "2026-04-05T15:01:01.32Z" }, + { url = "https://files.pythonhosted.org/packages/d2/ef/3ef01c17785ff9a69378465c7d0faccd48a07b163554db0995e5d65a5a23/ty-0.0.29-py3-none-win_amd64.whl", hash = "sha256:fc1294200226b91615acbf34e0a9ad81caf98c081e9c6a912a31b0a7b603bc3f", size = 11023644, upload-time = "2026-04-05T15:01:04.432Z" }, + { url = "https://files.pythonhosted.org/packages/2c/55/87280a994d6a2d2647c65e12abbc997ed49835794366153c04c4d9304d76/ty-0.0.29-py3-none-win_arm64.whl", hash = "sha256:f9794bbd1bb3ce13f78c191d0c89ae4c63f52c12b6daa0c6fe220b90d019d12c", size = 10428165, upload-time = "2026-04-05T15:01:34.665Z" }, ] [[package]] From 0a8c136f4c77889d6d2a3f29847a6ddf95f1aafc Mon Sep 17 00:00:00 2001 From: talshapir Date: Mon, 6 Apr 2026 12:14:44 +0300 Subject: [PATCH 14/26] fix issues after merge conflicts --- .../resources/ai/actions_ai_description.yaml | 51 ++++--- .../restructure/integrations/integration.py | 6 +- .../restructure/integrations/metadata.py | 2 +- .../integrations/action/metadata.py | 25 ++-- .../data_models/integrations/integration.py | 12 +- .../integrations/integration_meta/metadata.py | 8 +- .../mp/src/mp/describe/action/describe_all.py | 23 +++- packages/mp/src/mp/describe/all_content.py | 130 +++++++++++++++--- .../mp/src/mp/describe/common/describe.py | 6 +- .../src/mp/describe/connector/describe_all.py | 23 +++- .../mp/src/mp/describe/connector/typer_app.py | 23 ++-- .../src/mp/describe/integration/describe.py | 3 - .../prompt_constructors/integration.py | 20 --- .../mp/src/mp/describe/job/describe_all.py | 23 +++- packages/mp/src/mp/describe/job/typer_app.py | 23 ++-- packages/mp/tests/test_mp/conftest.py | 6 +- .../ActionsDefinitions/ping.actiondef | 6 +- .../Integration-mock_integration.def | 4 + .../resources/ai/actions_ai_description.yaml | 30 +++- .../ai/integration_ai_description.yaml | 2 +- .../mock_built_integration/marketplace.json | 4 + .../ActionsDefinitions/ping.actiondef | 11 +- .../Integration-mock_integration.def | 4 + .../resources/ai/actions_ai_description.yaml | 30 +++- .../ai/integration_ai_description.yaml | 2 +- .../resources/ai/actions_ai_description.yaml | 30 +++- .../ai/integration_ai_description.yaml | 2 +- .../test_integrations_repo/test_build.py | 14 ++ .../tests/test_mp/test_describe/__init__.py | 13 ++ .../{ => test_describe}/test_all_content.py | 4 +- .../{ => test_describe}/test_describe_cli.py | 0 .../test_describe_integration.py | 33 +++-- .../test_describe_resources.py | 32 +++-- 33 files changed, 415 insertions(+), 190 deletions(-) create mode 100644 packages/mp/tests/test_mp/test_describe/__init__.py rename packages/mp/tests/test_mp/{ => test_describe}/test_all_content.py (98%) rename packages/mp/tests/test_mp/{ => test_describe}/test_describe_cli.py (100%) rename packages/mp/tests/test_mp/{ => test_describe}/test_describe_integration.py (65%) rename packages/mp/tests/test_mp/{ => test_describe}/test_describe_resources.py (82%) diff --git a/content/response_integrations/third_party/community/vectra_qux/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/vectra_qux/resources/ai/actions_ai_description.yaml index 1be358642..9a7c929d8 100644 --- a/content/response_integrations/third_party/community/vectra_qux/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/vectra_qux/resources/ai/actions_ai_description.yaml @@ -509,49 +509,46 @@ Describe Assignment: ### General Description The **Describe Assignment** action retrieves comprehensive details for a specific - assignment within the Vectra QUX platform using its unique Assignment ID. This - action is primarily used to programmatically inspect the status, ownership, and - resolution details of investigative assignments managed in Vectra. + assignment within the Vectra QUX platform using its unique ID. This action allows + analysts to programmatically fetch metadata about how a detection or entity has + been assigned, including the assigned user, the resolution outcome, and any associated + notes. It is an informational action used to track the lifecycle and ownership + of security tasks in Vectra QUX. ### Parameters Description - | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + | Parameter | Description | Type | Mandatory | Notes | - | **Assignment ID** | String | Yes | The unique numerical identifier of the assignment - to retrieve. The action validates that this value is a positive integer. | + | :--- | :--- | :--- | :--- | :--- | + | Assignment ID | The unique identifier of the assignment to retrieve. | String + | Yes | Must be a valid numeric string representing a non-negative integer. | - ### Flow Description - 1. **Initialization**: The action extracts the integration's configuration (API - Root, Token, and SSL verification settings) and the mandatory `Assignment ID` - parameter. + ### Additional Notes - 2. **Validation**: The `Assignment ID` is validated to ensure it is a valid integer. - If validation fails, the action returns a failure status. + - This action does not process SOAR entities (e.g., IP, Hostname) from the case + scope; it relies entirely on the provided `Assignment ID` parameter. - 3. **API Request**: The action communicates with the Vectra QUX API via a GET - request to the `/api/v2.5/assignments/{assignment_id}` endpoint. + - If the assignment ID does not exist, the action will return a 'not found' error. - 4. **Data Parsing**: Upon a successful response, the action parses the assignment - metadata, including the assigned user, the user who resolved it (if applicable), - the outcome, and the associated entity (Host or Account). - 5. **Output**: The action produces two main outputs: - * A **JSON Result** containing the full raw response from the Vectra API. - * A **Data Table** named 'Describe Assignment' that summarizes key fields - like Assignment ID, Assigned User, Outcome, and Entity Type. + ### Flow Description - ### Additional Notes + 1. **Input Validation**: The action extracts the `Assignment ID` from the input + parameters and validates that it is a valid integer. + + 2. **API Request**: It initializes the `VectraQUXManager` and sends a GET request + to the assignments endpoint (`/api/v2.5/assignments/{assignment_id}`). - - This action does not process or filter entities from the Google SecOps case; - it operates exclusively on the ID provided in the parameters. + 3. **Data Parsing**: The manager parses the JSON response into an internal `Assignment` + data model, extracting fields such as `assigned_to`, `resolved_by`, and `outcome`. - - If the provided ID does not correspond to an existing assignment, the action - will return an 'Assignment not found' error. + 4. **Result Output**: The action attaches the full JSON response to the script + results and generates a formatted data table (CSV) containing a summary of the + assignment details for display in the SOAR interface. capabilities: can_create_case_comments: false can_create_insight: false diff --git a/packages/mp/src/mp/build_project/restructure/integrations/integration.py b/packages/mp/src/mp/build_project/restructure/integrations/integration.py index 3fede6054..41cfc38ef 100644 --- a/packages/mp/src/mp/build_project/restructure/integrations/integration.py +++ b/packages/mp/src/mp/build_project/restructure/integrations/integration.py @@ -52,10 +52,10 @@ def restructure_integration( """ rich.print(f"Restructuring {integration_metadata['metadata']['Identifier']}") - if mp.core.file_utils.is_non_built_integration(integration_path): - rich.print("Restructuring metadata") - metadata.Metadata(integration_out_path, integration_metadata).restructure() + rich.print("Restructuring metadata") + metadata.Metadata(integration_out_path, integration_metadata).restructure() + if mp.core.file_utils.is_non_built_integration(integration_path): rich.print("Restructuring scripts") scripts.Scripts(integration_path, integration_out_path).restructure() diff --git a/packages/mp/src/mp/build_project/restructure/integrations/metadata.py b/packages/mp/src/mp/build_project/restructure/integrations/metadata.py index d04ded14f..c26aba43e 100644 --- a/packages/mp/src/mp/build_project/restructure/integrations/metadata.py +++ b/packages/mp/src/mp/build_project/restructure/integrations/metadata.py @@ -71,7 +71,7 @@ def _restructure_ai_metadata(self) -> None: if not ai_metadata: return - ai_path: Path = self.out_path / "resources" / mp.core.constants.AI_DIR + ai_path: Path = self.out_path / mp.core.constants.RESOURCES_DIR / mp.core.constants.AI_DIR ai_path.mkdir(parents=True, exist_ok=True) for file_name, content in ai_metadata.items(): metadata_file: Path = ai_path / file_name diff --git a/packages/mp/src/mp/core/data_models/integrations/action/metadata.py b/packages/mp/src/mp/core/data_models/integrations/action/metadata.py index 8c191fd0e..670c22645 100644 --- a/packages/mp/src/mp/core/data_models/integrations/action/metadata.py +++ b/packages/mp/src/mp/core/data_models/integrations/action/metadata.py @@ -75,7 +75,7 @@ class BuiltActionMetadata(TypedDict): SimulationDataJson: NotRequired[str] DefaultResultValue: NotRequired[str | None] Version: float - AIDescription: str | None + AIDescription: NotRequired[str | None] AICategories: NotRequired[list[str] | None] EntityTypes: NotRequired[list[str] | None] ActionProductCategories: NotRequired[list[str] | None] @@ -235,10 +235,10 @@ def _from_built(cls, file_name: str, built: BuiltActionMetadata) -> Self: default_result_value=built.get("DefaultResultValue"), version=version, ai_description=built.get("AIDescription"), - ai_categories=[ActionAiCategory(c) for c in built.get("AICategories") or []], - entity_types=[EntityType(e) for e in built.get("EntityTypes") or []], + ai_categories=[ActionAiCategory(c) for c in (built.get("AICategories") or [])], + entity_types=[EntityType(e) for e in (built.get("EntityTypes") or [])], action_categories=[ - ActionProductCategory(c) for c in (built.get("ActionCategories") or []) + ActionProductCategory(c) for c in (built.get("ActionProductCategories") or []) ], ) @@ -277,10 +277,10 @@ def _from_non_built(cls, file_name: str, non_built: NonBuiltActionMetadata) -> A default_result_value=non_built.get("default_result_value"), version=non_built.get("version", mp.core.constants.MINIMUM_SCRIPT_VERSION), ai_description=non_built.get("ai_description"), - ai_categories=[ActionAiCategory(c) for c in non_built.get("ai_categories") or []], - entity_types=[EntityType(e) for e in non_built.get("entity_types") or []], + ai_categories=[ActionAiCategory(c) for c in (non_built.get("ai_categories") or [])], + entity_types=[EntityType(e) for e in (non_built.get("entity_types") or [])], action_categories=[ - ActionProductCategory(c) for c in (non_built.get("action_categories") or []) + ActionProductCategory(c) for c in (non_built.get("action_product_categories") or []) ], ) @@ -392,26 +392,21 @@ def _get_ai_fields(action_name: str, integration_path: Path) -> AiFields: if not integration_path.exists(): return empty_results - # 1. Check in resources/ai/ (new standard) actions_desc: Path = ( integration_path / mp.core.constants.RESOURCES_DIR / mp.core.constants.AI_DIR / mp.core.constants.ACTIONS_AI_DESCRIPTION_FILE ) - if not actions_desc.exists(): - # 2. Check in resources/ (fallback) - actions_desc = ( - integration_path - / mp.core.constants.RESOURCES_DIR - / mp.core.constants.ACTIONS_AI_DESCRIPTION_FILE - ) if not actions_desc.exists(): return empty_results content: dict[str, Any] = mp.core.file_utils.load_yaml_file(actions_desc) action_content: dict[str, Any] | None = content.get(action_name) + if action_content is None: + action_content = content.get(mp.core.utils.str_to_snake_case(action_name)) + if action_content is None: return empty_results diff --git a/packages/mp/src/mp/core/data_models/integrations/integration.py b/packages/mp/src/mp/core/data_models/integrations/integration.py index d0da9b89f..5efdee03c 100644 --- a/packages/mp/src/mp/core/data_models/integrations/integration.py +++ b/packages/mp/src/mp/core/data_models/integrations/integration.py @@ -145,13 +145,9 @@ def from_built_path(cls, path: Path) -> Self: python_version = python_version_file.read_text(encoding="utf-8") ai_metadata: dict[str, Any] = {} - ai_dir: Path = path / "resources" / mp.core.constants.AI_DIR + ai_dir: Path = path / mp.core.constants.RESOURCES_DIR / mp.core.constants.AI_DIR for ai_file in mp.core.constants.AI_DESCRIPTION_FILES: ai_path: Path = ai_dir / ai_file - if not ai_path.exists(): - # Fallback to resources/ - ai_path = path / "resources" / ai_file - if ai_path.exists(): ai_metadata[ai_file] = yaml.safe_load(ai_path.read_text(encoding="utf-8")) @@ -206,13 +202,9 @@ def from_non_built_path(cls, path: Path) -> Self: python_version = python_version_file.read_text(encoding="utf-8") ai_metadata: dict[str, Any] = {} - ai_dir: Path = path / "resources" / mp.core.constants.AI_DIR + ai_dir: Path = path / mp.core.constants.RESOURCES_DIR / mp.core.constants.AI_DIR for ai_file in mp.core.constants.AI_DESCRIPTION_FILES: ai_path: Path = ai_dir / ai_file - if not ai_path.exists(): - # Fallback to resources/ - ai_path = path / "resources" / ai_file - if ai_path.exists(): ai_metadata[ai_file] = yaml.safe_load(ai_path.read_text(encoding="utf-8")) diff --git a/packages/mp/src/mp/core/data_models/integrations/integration_meta/metadata.py b/packages/mp/src/mp/core/data_models/integrations/integration_meta/metadata.py index a76a8c590..c59379470 100644 --- a/packages/mp/src/mp/core/data_models/integrations/integration_meta/metadata.py +++ b/packages/mp/src/mp/core/data_models/integrations/integration_meta/metadata.py @@ -269,7 +269,7 @@ def _from_built(cls, _: str, built: BuiltIntegrationMetadata) -> Self: # ty:ign is_powerup=built.get("IsPowerUp", False), product_categories=[ IntegrationProductCategory(category) - for category in built.get("ProductCategories") or [] + for category in (built.get("ProductCategories") or []) ], ) @@ -301,7 +301,7 @@ def _from_non_built(cls, _: str, non_built: NonBuiltIntegrationMetadata) -> Self ), is_powerup=non_built.get("is_powerup", False), product_categories=[ - IntegrationProductCategory(c) for c in non_built.get("product_categories") or [] + IntegrationProductCategory(c) for c in (non_built.get("product_categories") or []) ], ) @@ -339,6 +339,7 @@ def to_built(self) -> BuiltIntegrationMetadata: IsCustom=self.is_custom, IsPowerUp=self.is_powerup, IsCertified=self.is_certified, + ProductCategories=[c.value for c in self.product_categories], ) mp.core.utils.remove_none_entries_from_mapping(built) return built @@ -367,6 +368,7 @@ def to_non_built(self) -> NonBuiltIntegrationMetadata: categories=self.categories, svg_logo_path=svg_path.as_posix() if self.svg_logo is not None else None, image_path=image.as_posix() if self.image_base64 is not None else None, + product_categories=[c.value for c in self.product_categories] or None, ) if self.feature_tags is not None: @@ -381,6 +383,8 @@ def to_non_built(self) -> NonBuiltIntegrationMetadata: if self.is_powerup is True: non_built["is_powerup"] = self.is_powerup + del non_built["product_categories"] + mp.core.utils.remove_none_entries_from_mapping(non_built) return non_built diff --git a/packages/mp/src/mp/describe/action/describe_all.py b/packages/mp/src/mp/describe/action/describe_all.py index 83f936fd8..900fb942e 100644 --- a/packages/mp/src/mp/describe/action/describe_all.py +++ b/packages/mp/src/mp/describe/action/describe_all.py @@ -14,24 +14,33 @@ from __future__ import annotations -from typing import TYPE_CHECKING +from pathlib import Path from mp.describe.common.describe_all import ( MarketplaceOrchestratorBase, get_all_integrations_paths, ) +from mp.describe.common.utils.paths import get_integration_path from .describe import DescribeAction -if TYPE_CHECKING: - from pathlib import Path - async def describe_all_actions( - src: Path | None = None, dst: Path | None = None, *, override: bool = False + src: Path | None = None, + dst: Path | None = None, + *, + override: bool = False, + integrations: list[str] | None = None, ) -> None: - """Describe all actions in all integrations in the marketplace.""" - integrations_paths: list[Path] = get_all_integrations_paths(src=src) + """Describe all actions in all integrations in the marketplace or specific ones.""" + integrations_paths: list[Path] + if integrations: + integrations_paths = [ + Path(str(get_integration_path(name, src=src))) for name in integrations + ] + else: + integrations_paths = get_all_integrations_paths(src=src) + orchestrator = _MarketplaceOrchestrator(src, integrations_paths, dst=dst, override=override) await orchestrator.run() diff --git a/packages/mp/src/mp/describe/all_content.py b/packages/mp/src/mp/describe/all_content.py index 87bc2a2a5..d61bc0b3f 100644 --- a/packages/mp/src/mp/describe/all_content.py +++ b/packages/mp/src/mp/describe/all_content.py @@ -15,48 +15,134 @@ from __future__ import annotations import asyncio +from pathlib import Path from typing import TYPE_CHECKING import mp.core.config from mp.describe.action.describe import DescribeAction +from mp.describe.common.describe_all import ( + MarketplaceOrchestratorBase, + get_all_integrations_paths, +) +from mp.describe.common.utils.paths import get_integration_path from mp.describe.connector.describe import DescribeConnector from mp.describe.integration.describe import DescribeIntegration from mp.describe.job.describe import DescribeJob if TYPE_CHECKING: - import pathlib + from collections.abc import Callable + + from rich.progress import Progress + + +class AllContentDescriber: + """Describer for all content types in an integration.""" + + def __init__( + self, + integration: str, + *, + src: Path | None = None, + dst: Path | None = None, + override: bool = False, + ) -> None: + self.integration = integration + self.src = src + self.dst = dst + self.override = override + + @staticmethod + async def get_resources_count() -> int: + """Get the number of resources to describe. + + For all-content, we use 4 as a representative number of stages: + actions, connectors, jobs, and the integration metadata. + + Returns: + int: The number of stages. + + """ + return 4 + + async def describe( + self, + sem: asyncio.Semaphore | None = None, + on_done: Callable[[], None] | None = None, + progress: Progress | None = None, + ) -> None: + """Describe all content in an integration.""" + if sem is None: + sem = asyncio.Semaphore(mp.core.config.get_gemini_concurrency()) + + # 1. Describe actions + await DescribeAction( + self.integration, set(), src=self.src, dst=self.dst, override=self.override + ).describe(sem=sem, progress=progress) + + # 2. Describe connectors + await DescribeConnector( + self.integration, set(), src=self.src, dst=self.dst, override=self.override + ).describe(sem=sem, progress=progress) + + # 3. Describe jobs + await DescribeJob( + self.integration, set(), src=self.src, dst=self.dst, override=self.override + ).describe(sem=sem, progress=progress) + + # 4. Describe integration (last because it depends on previous results) + await DescribeIntegration( + self.integration, src=self.src, dst=self.dst, override=self.override + ).describe(sem=sem, progress=progress) + + if on_done: + on_done() + + +class AllContentMarketplaceOrchestrator(MarketplaceOrchestratorBase): + """Orchestrate all-content description across the entire marketplace.""" + + def _create_describer(self, integration_name: str) -> AllContentDescriber: + return AllContentDescriber( + integration=integration_name, + src=self.src, + dst=self.dst, + override=self.override, + ) async def describe_all_content( - integration: str, + integration: str | None = None, *, - src: pathlib.Path | None = None, - dst: pathlib.Path | None = None, + integrations: list[str] | None = None, + src: Path | None = None, + dst: Path | None = None, override: bool = False, ) -> None: - """Describe all content in an integration. - - Describes actions, connectors, jobs, and the integration itself. + """Describe all content in one or more integrations. Args: - integration: The name of the integration. - src: Customize the source folder to describe from. - dst: Customize the destination folder to save the AI descriptions. + integration: Single integration name (backward compatibility). + integrations: List of integration names. + src: Optional custom source path. + dst: Optional custom destination path. override: Whether to rewrite existing descriptions. """ - sem = asyncio.Semaphore(mp.core.config.get_gemini_concurrency()) + all_integrations: list[str] = [] + if integration: + all_integrations.append(integration) + if integrations: + all_integrations.extend(integrations) - # 1. Describe actions - await DescribeAction(integration, set(), src=src, dst=dst, override=override).describe(sem=sem) + integrations_paths: list[Path] + if all_integrations: + integrations_paths = [ + Path(str(get_integration_path(name, src=src))) for name in all_integrations + ] + else: + integrations_paths = get_all_integrations_paths(src=src) - # 2. Describe connectors - await DescribeConnector(integration, set(), src=src, dst=dst, override=override).describe( - sem=sem + orchestrator = AllContentMarketplaceOrchestrator( + src, integrations_paths, dst=dst, override=override ) - - # 3. Describe jobs - await DescribeJob(integration, set(), src=src, dst=dst, override=override).describe(sem=sem) - - # 4. Describe integration (last because it depends on previous results) - await DescribeIntegration(integration, src=src, dst=dst, override=override).describe(sem=sem) + await orchestrator.run() diff --git a/packages/mp/src/mp/describe/common/describe.py b/packages/mp/src/mp/describe/common/describe.py index d87c16d8e..8c28acb61 100644 --- a/packages/mp/src/mp/describe/common/describe.py +++ b/packages/mp/src/mp/describe/common/describe.py @@ -407,7 +407,8 @@ def _map_bulk_results_to_resources( and resource_name.casefold() == "Ping".casefold() and hasattr(result, "categories") ): - result.categories.enrichment = False + res_any: Any = result + res_any.categories.enrichment = False # ty: ignore[unresolved-attribute] final_results[i] = DescriptionResult(resource_name, result) @@ -430,9 +431,6 @@ async def _get_integration_status(self) -> IntegrationStatus: async def _load_metadata(self) -> dict[str, Any]: resource_ai_dir: anyio.Path = self.integration / constants.RESOURCES_DIR / constants.AI_DIR metadata_file: anyio.Path = resource_ai_dir / self.metadata_file_name - if not await metadata_file.exists(): - # Fallback to resources/ - metadata_file = self.integration / constants.RESOURCES_DIR / self.metadata_file_name metadata: dict[str, Any] = {} if await metadata_file.exists(): diff --git a/packages/mp/src/mp/describe/connector/describe_all.py b/packages/mp/src/mp/describe/connector/describe_all.py index 7788b809a..c7a804602 100644 --- a/packages/mp/src/mp/describe/connector/describe_all.py +++ b/packages/mp/src/mp/describe/connector/describe_all.py @@ -14,24 +14,33 @@ from __future__ import annotations -from typing import TYPE_CHECKING +from pathlib import Path from mp.describe.common.describe_all import ( MarketplaceOrchestratorBase, get_all_integrations_paths, ) +from mp.describe.common.utils.paths import get_integration_path from .describe import DescribeConnector -if TYPE_CHECKING: - from pathlib import Path - async def describe_all_connectors( - src: Path | None = None, dst: Path | None = None, *, override: bool = False + src: Path | None = None, + dst: Path | None = None, + *, + override: bool = False, + integrations: list[str] | None = None, ) -> None: - """Describe all connectors in all integrations in the marketplace.""" - integrations_paths: list[Path] = get_all_integrations_paths(src=src) + """Describe all connectors in all integrations in the marketplace or specific ones.""" + integrations_paths: list[Path] + if integrations: + integrations_paths = [ + Path(str(get_integration_path(name, src=src))) for name in integrations + ] + else: + integrations_paths = get_all_integrations_paths(src=src) + orchestrator = _MarketplaceOrchestrator(src, integrations_paths, dst=dst, override=override) await orchestrator.run() diff --git a/packages/mp/src/mp/describe/connector/typer_app.py b/packages/mp/src/mp/describe/connector/typer_app.py index 615028e89..e9c7c6d44 100644 --- a/packages/mp/src/mp/describe/connector/typer_app.py +++ b/packages/mp/src/mp/describe/connector/typer_app.py @@ -29,8 +29,12 @@ app = typer.Typer(help="Describe connectors in the marketplace.") -@app.command() -def connector( # noqa: PLR0913 +@app.command( + name="connector", + help="Describe connectors in an integration or across the entire marketplace using Gemini.", + no_args_is_help=True, +) +def describe( # noqa: PLR0913 connectors: Annotated[list[str] | None, typer.Argument(help="Connector names")] = None, integration: Annotated[ str | None, typer.Option("-i", "--integration", help="Integration name") @@ -112,14 +116,15 @@ def connector( # noqa: PLR0913 if all_marketplace: target_connector_file_names = set() - describer = DescribeConnector( - integration, - target_connector_file_names, - src=src, - dst=dst, - override=override, + asyncio.run( + DescribeConnector( + integration, + target_connector_file_names, + src=src, + dst=dst, + override=override, + ).describe(sem=sem) ) - asyncio.run(describer.describe(sem=sem)) elif all_marketplace: asyncio.run(describe_all_connectors(src=src, dst=dst, override=override)) else: diff --git a/packages/mp/src/mp/describe/integration/describe.py b/packages/mp/src/mp/describe/integration/describe.py index e373d3c27..9c5e9b8c9 100644 --- a/packages/mp/src/mp/describe/integration/describe.py +++ b/packages/mp/src/mp/describe/integration/describe.py @@ -91,9 +91,6 @@ async def _construct_prompts( async def _load_metadata(self) -> dict[str, Any]: resource_ai_dir: anyio.Path = self.integration / constants.RESOURCES_DIR / constants.AI_DIR metadata_file: anyio.Path = resource_ai_dir / self.metadata_file_name - if not await metadata_file.exists(): - # Fallback to resources/ - metadata_file = self.integration / constants.RESOURCES_DIR / self.metadata_file_name metadata: dict[str, Any] = {} if await metadata_file.exists(): diff --git a/packages/mp/src/mp/describe/integration/prompt_constructors/integration.py b/packages/mp/src/mp/describe/integration/prompt_constructors/integration.py index 133c7a496..93d6d64bf 100644 --- a/packages/mp/src/mp/describe/integration/prompt_constructors/integration.py +++ b/packages/mp/src/mp/describe/integration/prompt_constructors/integration.py @@ -121,12 +121,6 @@ async def _get_description_from_pyproject(self) -> str | None: async def _get_actions_ai_descriptions(self) -> str: ai_dir: anyio.Path = self.integration / constants.RESOURCES_DIR / constants.AI_DIR actions_ai_file: anyio.Path = ai_dir / constants.ACTIONS_AI_DESCRIPTION_FILE - if not await actions_ai_file.exists(): - # Fallback to resources/ - actions_ai_file = ( - self.integration / constants.RESOURCES_DIR / constants.ACTIONS_AI_DESCRIPTION_FILE - ) - if await actions_ai_file.exists(): return await actions_ai_file.read_text(encoding="utf-8") return "N/A" @@ -134,14 +128,6 @@ async def _get_actions_ai_descriptions(self) -> str: async def _get_connectors_ai_descriptions(self) -> str: ai_dir: anyio.Path = self.integration / constants.RESOURCES_DIR / constants.AI_DIR connectors_ai_file: anyio.Path = ai_dir / constants.CONNECTORS_AI_DESCRIPTION_FILE - if not await connectors_ai_file.exists(): - # Fallback to resources/ - connectors_ai_file = ( - self.integration - / constants.RESOURCES_DIR - / constants.CONNECTORS_AI_DESCRIPTION_FILE - ) - if await connectors_ai_file.exists(): return await connectors_ai_file.read_text(encoding="utf-8") return "N/A" @@ -149,12 +135,6 @@ async def _get_connectors_ai_descriptions(self) -> str: async def _get_jobs_ai_descriptions(self) -> str: ai_dir: anyio.Path = self.integration / constants.RESOURCES_DIR / constants.AI_DIR jobs_ai_file: anyio.Path = ai_dir / constants.JOBS_AI_DESCRIPTION_FILE - if not await jobs_ai_file.exists(): - # Fallback to resources/ - jobs_ai_file = ( - self.integration / constants.RESOURCES_DIR / constants.JOBS_AI_DESCRIPTION_FILE - ) - if await jobs_ai_file.exists(): return await jobs_ai_file.read_text(encoding="utf-8") return "N/A" diff --git a/packages/mp/src/mp/describe/job/describe_all.py b/packages/mp/src/mp/describe/job/describe_all.py index c6571fb4c..9080f35dd 100644 --- a/packages/mp/src/mp/describe/job/describe_all.py +++ b/packages/mp/src/mp/describe/job/describe_all.py @@ -14,24 +14,33 @@ from __future__ import annotations -from typing import TYPE_CHECKING +from pathlib import Path from mp.describe.common.describe_all import ( MarketplaceOrchestratorBase, get_all_integrations_paths, ) +from mp.describe.common.utils.paths import get_integration_path from .describe import DescribeJob -if TYPE_CHECKING: - from pathlib import Path - async def describe_all_jobs( - src: Path | None = None, dst: Path | None = None, *, override: bool = False + src: Path | None = None, + dst: Path | None = None, + *, + override: bool = False, + integrations: list[str] | None = None, ) -> None: - """Describe all jobs in all integrations in the marketplace.""" - integrations_paths: list[Path] = get_all_integrations_paths(src=src) + """Describe all jobs in all integrations in the marketplace or specific ones.""" + integrations_paths: list[Path] + if integrations: + integrations_paths = [ + Path(str(get_integration_path(name, src=src))) for name in integrations + ] + else: + integrations_paths = get_all_integrations_paths(src=src) + orchestrator = _MarketplaceOrchestrator(src, integrations_paths, dst=dst, override=override) await orchestrator.run() diff --git a/packages/mp/src/mp/describe/job/typer_app.py b/packages/mp/src/mp/describe/job/typer_app.py index 9cd420eea..f66624b8a 100644 --- a/packages/mp/src/mp/describe/job/typer_app.py +++ b/packages/mp/src/mp/describe/job/typer_app.py @@ -29,8 +29,12 @@ app = typer.Typer(help="Describe jobs in the marketplace.") -@app.command() -def job( # noqa: PLR0913 +@app.command( + name="job", + help="Describe jobs in an integration or across the entire marketplace using Gemini.", + no_args_is_help=True, +) +def describe( # noqa: PLR0913 jobs: Annotated[list[str] | None, typer.Argument(help="Job names")] = None, integration: Annotated[ str | None, typer.Option("-i", "--integration", help="Integration name") @@ -112,14 +116,15 @@ def job( # noqa: PLR0913 if all_marketplace: target_job_file_names = set() - describer = DescribeJob( - integration, - target_job_file_names, - src=src, - dst=dst, - override=override, + asyncio.run( + DescribeJob( + integration, + target_job_file_names, + src=src, + dst=dst, + override=override, + ).describe(sem=sem) ) - asyncio.run(describer.describe(sem=sem)) elif all_marketplace: asyncio.run(describe_all_jobs(src=src, dst=dst, override=override)) else: diff --git a/packages/mp/tests/test_mp/conftest.py b/packages/mp/tests/test_mp/conftest.py index 2ba801d77..31aa2c3cc 100644 --- a/packages/mp/tests/test_mp/conftest.py +++ b/packages/mp/tests/test_mp/conftest.py @@ -31,7 +31,11 @@ @pytest.fixture(autouse=True) -def set_runtime_params() -> None: +def set_runtime_params(tmp_path: Path, monkeypatch: pytest.MonkeyPatch) -> None: + # Use a temporary config file for tests to avoid race conditions and home dir pollution + temp_config: Path = tmp_path / ".mp_config" + monkeypatch.setattr("mp.core.config.CONFIG_PATH", temp_config) + params: RuntimeParams = RuntimeParams(quiet=True, verbose=False) params.set_in_config() diff --git a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/ActionsDefinitions/ping.actiondef b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/ActionsDefinitions/ping.actiondef index c1d24b4ea..1aa3463a0 100644 --- a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/ActionsDefinitions/ping.actiondef +++ b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/ActionsDefinitions/ping.actiondef @@ -1,4 +1,5 @@ { + "AIDescription": "Mock AI description for ping action", "Creator": "admin", "Description": "This action will do something.", "DynamicResultsMetadata": [ @@ -16,12 +17,15 @@ "Description": "A Description.", "IsMandatory": true, "Name": "API Root", + "OptionalValues": null, "Type": 0, "Value": "" } ], + "ActionProductCategories": [ + "Enrich IOC (Indicator of Compromise)" + ], "ScriptResultName": "is_success", "SimulationDataJson": "{\"Entities\": []}", - "Type": 0, "Version": 1.0 } \ No newline at end of file diff --git a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/Integration-mock_integration.def b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/Integration-mock_integration.def index 2972bedd8..45db3c127 100644 --- a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/Integration-mock_integration.def +++ b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/Integration-mock_integration.def @@ -41,6 +41,10 @@ "IsPowerUp": false, "MarketingDisplayName": "Mock Integration", "MinimumSystemVersion": 5.3, + "ProductCategories": [ + "SIEM", + "Network Security" + ], "PythonVersion": 3, "SVGImage": "\n\n \n\n", "ShouldInstalledInSystem": false, diff --git a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/resources/ai/actions_ai_description.yaml b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/resources/ai/actions_ai_description.yaml index 6ece67598..721779afb 100644 --- a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/resources/ai/actions_ai_description.yaml +++ b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/resources/ai/actions_ai_description.yaml @@ -1,13 +1,31 @@ ping: ai_description: Mock AI description for ping action capabilities: - enrichment: false - internal_mutation: false - mutation: false + can_create_case_comments: false + can_create_insight: false + can_modify_alert_data: false + can_mutate_external_data: false + can_mutate_internal_data: false + can_update_entities: false + external_data_mutation_explanation: null + fetches_data: false + internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - created_entities: [] - used_entities: [] + entity_types: [] + filters_by_additional_properties: false + filters_by_alert_identifier: false + filters_by_case_identifier: false + filters_by_creation_time: false + filters_by_entity_type: false + filters_by_identifier: false + filters_by_is_artifact: false + filters_by_is_enriched: false + filters_by_is_internal: false + filters_by_is_pivot: false + filters_by_is_suspicious: false + filters_by_is_vulnerable: false + filters_by_modification_time: false product_categories: - siem: true + enrich_ioc: true diff --git a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/resources/ai/integration_ai_description.yaml b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/resources/ai/integration_ai_description.yaml index 466738966..a67fd6077 100644 --- a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/resources/ai/integration_ai_description.yaml +++ b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/resources/ai/integration_ai_description.yaml @@ -6,7 +6,7 @@ product_categories: email_security: false iam_and_identity_management: false itsm: false - network_security: false + network_security: true siem: true threat_intelligence: false vulnerability_management: false diff --git a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/marketplace.json b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/marketplace.json index 9d654c18d..6964ec67b 100644 --- a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/marketplace.json +++ b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/marketplace.json @@ -45,6 +45,10 @@ "MarketingDisplayName": "Mock Integration", "MinimumSystemVersion": 5.3, "NewNotificationExpired": 1721865600000, + "ProductCategories": [ + "SIEM", + "Network Security" + ], "PythonVersion": 3, "SVGImage": "\n\n \n\n", "ShouldInstalledInSystem": false, diff --git a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/ActionsDefinitions/ping.actiondef b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/ActionsDefinitions/ping.actiondef index c1d24b4ea..899597a1e 100644 --- a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/ActionsDefinitions/ping.actiondef +++ b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/ActionsDefinitions/ping.actiondef @@ -1,14 +1,18 @@ { + "AIDescription": "Mock AI description for ping action", "Creator": "admin", "Description": "This action will do something.", "DynamicResultsMetadata": [ { - "ResultExample": "{\n \"Example\": \"Json Example\"\n }", + "ResultExample": "{\"Example\": \"Json Example\"}", "ResultName": "JsonResult", "ShowResult": true } ], "IntegrationIdentifier": "MockIntegration", + "IsAsync": false, + "IsCustom": false, + "IsEnabled": true, "Name": "Ping", "Parameters": [ { @@ -16,12 +20,15 @@ "Description": "A Description.", "IsMandatory": true, "Name": "API Root", + "OptionalValues": null, "Type": 0, "Value": "" } ], + "ActionProductCategories": [ + "Enrich IOC (Indicator of Compromise)" + ], "ScriptResultName": "is_success", "SimulationDataJson": "{\"Entities\": []}", - "Type": 0, "Version": 1.0 } \ No newline at end of file diff --git a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/Integration-mock_integration.def b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/Integration-mock_integration.def index 2972bedd8..45db3c127 100644 --- a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/Integration-mock_integration.def +++ b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/Integration-mock_integration.def @@ -41,6 +41,10 @@ "IsPowerUp": false, "MarketingDisplayName": "Mock Integration", "MinimumSystemVersion": 5.3, + "ProductCategories": [ + "SIEM", + "Network Security" + ], "PythonVersion": 3, "SVGImage": "\n\n \n\n", "ShouldInstalledInSystem": false, diff --git a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/resources/ai/actions_ai_description.yaml b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/resources/ai/actions_ai_description.yaml index 6ece67598..721779afb 100644 --- a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/resources/ai/actions_ai_description.yaml +++ b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/resources/ai/actions_ai_description.yaml @@ -1,13 +1,31 @@ ping: ai_description: Mock AI description for ping action capabilities: - enrichment: false - internal_mutation: false - mutation: false + can_create_case_comments: false + can_create_insight: false + can_modify_alert_data: false + can_mutate_external_data: false + can_mutate_internal_data: false + can_update_entities: false + external_data_mutation_explanation: null + fetches_data: false + internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - created_entities: [] - used_entities: [] + entity_types: [] + filters_by_additional_properties: false + filters_by_alert_identifier: false + filters_by_case_identifier: false + filters_by_creation_time: false + filters_by_entity_type: false + filters_by_identifier: false + filters_by_is_artifact: false + filters_by_is_enriched: false + filters_by_is_internal: false + filters_by_is_pivot: false + filters_by_is_suspicious: false + filters_by_is_vulnerable: false + filters_by_modification_time: false product_categories: - siem: true + enrich_ioc: true diff --git a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/resources/ai/integration_ai_description.yaml b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/resources/ai/integration_ai_description.yaml index 466738966..a67fd6077 100644 --- a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/resources/ai/integration_ai_description.yaml +++ b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/resources/ai/integration_ai_description.yaml @@ -6,7 +6,7 @@ product_categories: email_security: false iam_and_identity_management: false itsm: false - network_security: false + network_security: true siem: true threat_intelligence: false vulnerability_management: false diff --git a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/third_party/mock_integration/resources/ai/actions_ai_description.yaml b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/third_party/mock_integration/resources/ai/actions_ai_description.yaml index 6ece67598..721779afb 100644 --- a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/third_party/mock_integration/resources/ai/actions_ai_description.yaml +++ b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/third_party/mock_integration/resources/ai/actions_ai_description.yaml @@ -1,13 +1,31 @@ ping: ai_description: Mock AI description for ping action capabilities: - enrichment: false - internal_mutation: false - mutation: false + can_create_case_comments: false + can_create_insight: false + can_modify_alert_data: false + can_mutate_external_data: false + can_mutate_internal_data: false + can_update_entities: false + external_data_mutation_explanation: null + fetches_data: false + internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - created_entities: [] - used_entities: [] + entity_types: [] + filters_by_additional_properties: false + filters_by_alert_identifier: false + filters_by_case_identifier: false + filters_by_creation_time: false + filters_by_entity_type: false + filters_by_identifier: false + filters_by_is_artifact: false + filters_by_is_enriched: false + filters_by_is_internal: false + filters_by_is_pivot: false + filters_by_is_suspicious: false + filters_by_is_vulnerable: false + filters_by_modification_time: false product_categories: - siem: true + enrich_ioc: true diff --git a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/third_party/mock_integration/resources/ai/integration_ai_description.yaml b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/third_party/mock_integration/resources/ai/integration_ai_description.yaml index b927e7b41..a67fd6077 100644 --- a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/third_party/mock_integration/resources/ai/integration_ai_description.yaml +++ b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/third_party/mock_integration/resources/ai/integration_ai_description.yaml @@ -7,6 +7,6 @@ product_categories: iam_and_identity_management: false itsm: false network_security: true - siem: false + siem: true threat_intelligence: false vulnerability_management: false diff --git a/packages/mp/tests/test_mp/test_build_project/test_content_repo/test_integrations_repo/test_build.py b/packages/mp/tests/test_mp/test_build_project/test_content_repo/test_integrations_repo/test_build.py index 5f4953299..1f8a67b30 100644 --- a/packages/mp/tests/test_mp/test_build_project/test_content_repo/test_integrations_repo/test_build.py +++ b/packages/mp/tests/test_mp/test_build_project/test_content_repo/test_integrations_repo/test_build.py @@ -129,6 +129,20 @@ def wrapper(integration_path: Path) -> None: ) assert actual == expected + # Check action definitions + expected_actions_dir: Path = built_integration / mp.core.constants.OUT_ACTIONS_META_DIR + actual_actions_dir: Path = out_integration / mp.core.constants.OUT_ACTIONS_META_DIR + if expected_actions_dir.exists(): + for expected_action_file in expected_actions_dir.rglob( + f"*{mp.core.constants.ACTIONS_META_SUFFIX}" + ): + actual_action_file = actual_actions_dir / expected_action_file.name + actual_action, expected_action = test_mp.common.get_json_content( + expected=expected_action_file, + actual=actual_action_file, + ) + assert actual_action == expected_action + actual, expected = test_mp.common.get_json_content( expected=( built_integration diff --git a/packages/mp/tests/test_mp/test_describe/__init__.py b/packages/mp/tests/test_mp/test_describe/__init__.py new file mode 100644 index 000000000..58d482ea3 --- /dev/null +++ b/packages/mp/tests/test_mp/test_describe/__init__.py @@ -0,0 +1,13 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. diff --git a/packages/mp/tests/test_mp/test_all_content.py b/packages/mp/tests/test_mp/test_describe/test_all_content.py similarity index 98% rename from packages/mp/tests/test_mp/test_all_content.py rename to packages/mp/tests/test_mp/test_describe/test_all_content.py index 99e420170..1e50ef64a 100644 --- a/packages/mp/tests/test_mp/test_all_content.py +++ b/packages/mp/tests/test_mp/test_describe/test_all_content.py @@ -133,7 +133,7 @@ async def test_describe_all_content(mock_integration_full: Path) -> None: @pytest.mark.anyio -async def test_describe_all_all_content( +async def test_describe_marketplace_all_content( mock_integration_full: Path, mock_integration_another: Path ) -> None: # Mock LLM response to avoid API calls @@ -143,7 +143,7 @@ async def test_describe_all_all_content( with mock.patch( "mp.describe.common.utils.llm.call_gemini_bulk", return_value=[integration_response] ): - await describe_all_all_content( + await describe_all_content( src=mock_integration_full.parent, ) diff --git a/packages/mp/tests/test_mp/test_describe_cli.py b/packages/mp/tests/test_mp/test_describe/test_describe_cli.py similarity index 100% rename from packages/mp/tests/test_mp/test_describe_cli.py rename to packages/mp/tests/test_mp/test_describe/test_describe_cli.py diff --git a/packages/mp/tests/test_mp/test_describe_integration.py b/packages/mp/tests/test_mp/test_describe/test_describe_integration.py similarity index 65% rename from packages/mp/tests/test_mp/test_describe_integration.py rename to packages/mp/tests/test_mp/test_describe/test_describe_integration.py index 642fa70a7..14a9c32b5 100644 --- a/packages/mp/tests/test_mp/test_describe_integration.py +++ b/packages/mp/tests/test_mp/test_describe/test_describe_integration.py @@ -14,20 +14,31 @@ from __future__ import annotations +import shutil +from typing import TYPE_CHECKING from unittest.mock import AsyncMock, patch +import anyio from typer.testing import CliRunner +from mp.core import constants from mp.core.data_models.integrations.integration_meta.ai.metadata import IntegrationAiMetadata from mp.core.data_models.integrations.integration_meta.ai.product_categories import ( IntegrationProductCategories, ) from mp.describe.integration.typer_app import app +if TYPE_CHECKING: + from pathlib import Path + runner = CliRunner() -def test_describe_integration_command(non_built_integration): +def test_describe_integration_command(tmp_path: Path, non_built_integration: Path) -> None: + integration: Path = ( + shutil.copytree(non_built_integration, tmp_path, dirs_exist_ok=True) + / non_built_integration.name + ) integration_name = "mock_integration" # Create AI_DIR if it doesn't exist to avoid issues, @@ -54,20 +65,26 @@ def test_describe_integration_command(non_built_integration): ) ] - # We need to mock get_integration_path to return the non_built_integration path - with patch("mp.describe.common.utils.paths.get_integration_path") as mock_get_path: - import anyio - - mock_get_path.return_value = anyio.Path(non_built_integration) + # We need to mock get_integration_path and get_out_path + with ( + patch("mp.describe.common.utils.paths.get_integration_path") as mock_get_path, + patch("mp.describe.common.utils.paths.get_out_path") as mock_get_out_path, + patch("mp.describe.integration.describe_all.get_integration_path", new=mock_get_path), + ): + mock_get_path.return_value = anyio.Path(integration) + mock_get_out_path.return_value = anyio.Path(integration) # Run the command - result = runner.invoke(app, ["-i", integration_name]) + result = runner.invoke(app, [integration_name, "--override"]) assert result.exit_code == 0 mock_bulk.assert_called_once() # Check if the file was created ai_file = ( - non_built_integration / "RESOURCES" / "AI" / "integrations_ai_description.yaml" + integration + / constants.RESOURCES_DIR + / constants.AI_DIR + / constants.INTEGRATIONS_AI_DESCRIPTION_FILE ) assert ai_file.exists() diff --git a/packages/mp/tests/test_mp/test_describe_resources.py b/packages/mp/tests/test_mp/test_describe/test_describe_resources.py similarity index 82% rename from packages/mp/tests/test_mp/test_describe_resources.py rename to packages/mp/tests/test_mp/test_describe/test_describe_resources.py index 20ea6bf83..8317921e1 100644 --- a/packages/mp/tests/test_mp/test_describe_resources.py +++ b/packages/mp/tests/test_mp/test_describe/test_describe_resources.py @@ -14,9 +14,11 @@ from __future__ import annotations +import shutil from typing import TYPE_CHECKING from unittest import mock +import anyio import pytest import yaml @@ -55,11 +57,11 @@ def mock_integration_path(tmp_path: Path) -> Path: @pytest.mark.anyio -async def test_describe_connector(mock_integration_path: Path) -> None: +async def test_describe_connector(tmp_path: Path, mock_integration_path: Path) -> None: describer = DescribeConnector( integration="mock_integration", connectors={"Test Connector"}, - src=mock_integration_path.parent, + src=shutil.copytree(mock_integration_path, tmp_path, dirs_exist_ok=True), ) mock_response = mock.Mock() @@ -70,7 +72,9 @@ async def test_describe_connector(mock_integration_path: Path) -> None: await describer.describe() # Verify output file - ai_dir = mock_integration_path / constants.RESOURCES_DIR / constants.AI_DIR + ai_dir: Path = ( + tmp_path / mock_integration_path.name / constants.RESOURCES_DIR / constants.AI_DIR + ) output_file = ai_dir / constants.CONNECTORS_AI_DESCRIPTION_FILE assert output_file.exists() @@ -80,9 +84,11 @@ async def test_describe_connector(mock_integration_path: Path) -> None: @pytest.mark.anyio -async def test_describe_job(mock_integration_path: Path) -> None: +async def test_describe_job(tmp_path: Path, mock_integration_path: Path) -> None: describer = DescribeJob( - integration="mock_integration", jobs={"Test Job"}, src=mock_integration_path.parent + integration="mock_integration", + jobs={"Test Job"}, + src=shutil.copytree(mock_integration_path, tmp_path, dirs_exist_ok=True), ) mock_response = mock.Mock() @@ -93,7 +99,9 @@ async def test_describe_job(mock_integration_path: Path) -> None: await describer.describe() # Verify output file - ai_dir = mock_integration_path / constants.RESOURCES_DIR / constants.AI_DIR + ai_dir: Path = ( + tmp_path / mock_integration_path.name / constants.RESOURCES_DIR / constants.AI_DIR + ) output_file = ai_dir / constants.JOBS_AI_DESCRIPTION_FILE assert output_file.exists() @@ -103,10 +111,16 @@ async def test_describe_job(mock_integration_path: Path) -> None: @pytest.mark.anyio -async def test_describe_integration(mock_integration_path: Path) -> None: +async def test_describe_integration(tmp_path: Path, mock_integration_path: Path) -> None: # 1. Create AI description files for context - ai_dir = mock_integration_path / constants.RESOURCES_DIR / constants.AI_DIR - ai_dir.mkdir(parents=True, exist_ok=True) + ai_dir: Path = ( + shutil.copytree(mock_integration_path, tmp_path, dirs_exist_ok=True) + / mock_integration_path.name + / constants.RESOURCES_DIR + / constants.AI_DIR + ) + await anyio.Path(ai_dir).mkdir(parents=True, exist_ok=True) + (ai_dir / constants.ACTIONS_AI_DESCRIPTION_FILE).write_text( yaml.safe_dump({"test_action": {"description": "Action description"}}), encoding="utf-8", From 2153468a461647cbde820356075287532c873687 Mon Sep 17 00:00:00 2001 From: talshapir Date: Mon, 6 Apr 2026 13:29:27 +0300 Subject: [PATCH 15/26] Add license headers to all "google" ai-descriptions files --- .../resources/ai/actions_ai_description.yaml | 14 ++++++++++++++ .../resources/ai/integration_ai_description.yaml | 14 ++++++++++++++ .../resources/ai/actions_ai_description.yaml | 14 ++++++++++++++ .../resources/ai/integration_ai_description.yaml | 14 ++++++++++++++ .../resources/ai/actions_ai_description.yaml | 14 ++++++++++++++ .../resources/ai/integration_ai_description.yaml | 14 ++++++++++++++ .../resources/ai/actions_ai_description.yaml | 14 ++++++++++++++ .../resources/ai/integration_ai_description.yaml | 14 ++++++++++++++ .../resources/ai/actions_ai_description.yaml | 14 ++++++++++++++ .../resources/ai/integration_ai_description.yaml | 14 ++++++++++++++ .../resources/ai/actions_ai_description.yaml | 14 ++++++++++++++ .../resources/ai/integration_ai_description.yaml | 14 ++++++++++++++ .../resources/ai/actions_ai_description.yaml | 14 ++++++++++++++ .../resources/ai/integration_ai_description.yaml | 14 ++++++++++++++ .../resources/ai/actions_ai_description.yaml | 14 ++++++++++++++ .../resources/ai/integration_ai_description.yaml | 14 ++++++++++++++ .../resources/ai/actions_ai_description.yaml | 14 ++++++++++++++ .../resources/ai/integration_ai_description.yaml | 14 ++++++++++++++ .../resources/ai/actions_ai_description.yaml | 14 ++++++++++++++ .../resources/ai/connectors_ai_description.yaml | 14 ++++++++++++++ .../resources/ai/integration_ai_description.yaml | 14 ++++++++++++++ 21 files changed, 294 insertions(+) diff --git a/content/response_integrations/google/cyber_x/resources/ai/actions_ai_description.yaml b/content/response_integrations/google/cyber_x/resources/ai/actions_ai_description.yaml index fdab5e5d9..821933519 100644 --- a/content/response_integrations/google/cyber_x/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/google/cyber_x/resources/ai/actions_ai_description.yaml @@ -1,3 +1,17 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + Enrich Endpoints: ai_description: "Enriches Hostname and Address entities using CyberX. This action\ \ retrieves detailed device information from the CyberX platform to provide context\ diff --git a/content/response_integrations/google/cyber_x/resources/ai/integration_ai_description.yaml b/content/response_integrations/google/cyber_x/resources/ai/integration_ai_description.yaml index 18fead5ae..936908b36 100644 --- a/content/response_integrations/google/cyber_x/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/google/cyber_x/resources/ai/integration_ai_description.yaml @@ -1,3 +1,17 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + product_categories: asset_inventory: true cloud_security: false diff --git a/content/response_integrations/google/juniper_vsrx/resources/ai/actions_ai_description.yaml b/content/response_integrations/google/juniper_vsrx/resources/ai/actions_ai_description.yaml index ea00e32d9..abe69a34e 100644 --- a/content/response_integrations/google/juniper_vsrx/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/google/juniper_vsrx/resources/ai/actions_ai_description.yaml @@ -1,3 +1,17 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + Add IP To Address Set: ai_description: >- Adds IP address entities to a specified address set on a Juniper VSRX device. diff --git a/content/response_integrations/google/juniper_vsrx/resources/ai/integration_ai_description.yaml b/content/response_integrations/google/juniper_vsrx/resources/ai/integration_ai_description.yaml index b927e7b41..733471053 100644 --- a/content/response_integrations/google/juniper_vsrx/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/google/juniper_vsrx/resources/ai/integration_ai_description.yaml @@ -1,3 +1,17 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + product_categories: asset_inventory: false cloud_security: false diff --git a/content/response_integrations/google/mc_afee_nsm/resources/ai/actions_ai_description.yaml b/content/response_integrations/google/mc_afee_nsm/resources/ai/actions_ai_description.yaml index 113c074b5..d9a0053ca 100644 --- a/content/response_integrations/google/mc_afee_nsm/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/google/mc_afee_nsm/resources/ai/actions_ai_description.yaml @@ -1,3 +1,17 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + Block IP: ai_description: >- Blocks IP address entities in McAfee Network Security Manager (NSM). The action diff --git a/content/response_integrations/google/mc_afee_nsm/resources/ai/integration_ai_description.yaml b/content/response_integrations/google/mc_afee_nsm/resources/ai/integration_ai_description.yaml index b927e7b41..733471053 100644 --- a/content/response_integrations/google/mc_afee_nsm/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/google/mc_afee_nsm/resources/ai/integration_ai_description.yaml @@ -1,3 +1,17 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + product_categories: asset_inventory: false cloud_security: false diff --git a/content/response_integrations/google/micro_focus_itsma/resources/ai/actions_ai_description.yaml b/content/response_integrations/google/micro_focus_itsma/resources/ai/actions_ai_description.yaml index 9911d383b..93aeb1fc1 100644 --- a/content/response_integrations/google/micro_focus_itsma/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/google/micro_focus_itsma/resources/ai/actions_ai_description.yaml @@ -1,3 +1,17 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + Create Incident: ai_description: >- Creates a new incident in MicroFocus ITSMA. This action allows users to programmatically diff --git a/content/response_integrations/google/micro_focus_itsma/resources/ai/integration_ai_description.yaml b/content/response_integrations/google/micro_focus_itsma/resources/ai/integration_ai_description.yaml index faf1e267b..87a5ffbcd 100644 --- a/content/response_integrations/google/micro_focus_itsma/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/google/micro_focus_itsma/resources/ai/integration_ai_description.yaml @@ -1,3 +1,17 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + product_categories: asset_inventory: false cloud_security: false diff --git a/content/response_integrations/google/mobile_iron/resources/ai/actions_ai_description.yaml b/content/response_integrations/google/mobile_iron/resources/ai/actions_ai_description.yaml index cb2931433..eb9998cfc 100644 --- a/content/response_integrations/google/mobile_iron/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/google/mobile_iron/resources/ai/actions_ai_description.yaml @@ -1,3 +1,17 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + Fetch System Information: ai_description: >- ### General Description diff --git a/content/response_integrations/google/mobile_iron/resources/ai/integration_ai_description.yaml b/content/response_integrations/google/mobile_iron/resources/ai/integration_ai_description.yaml index b88dc4ab4..751e47ecf 100644 --- a/content/response_integrations/google/mobile_iron/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/google/mobile_iron/resources/ai/integration_ai_description.yaml @@ -1,3 +1,17 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + product_categories: asset_inventory: true cloud_security: false diff --git a/content/response_integrations/google/portnox/resources/ai/actions_ai_description.yaml b/content/response_integrations/google/portnox/resources/ai/actions_ai_description.yaml index c7be1d448..722d2ef0d 100644 --- a/content/response_integrations/google/portnox/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/google/portnox/resources/ai/actions_ai_description.yaml @@ -1,3 +1,17 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + Enrich Device: ai_description: >- ### General Description diff --git a/content/response_integrations/google/portnox/resources/ai/integration_ai_description.yaml b/content/response_integrations/google/portnox/resources/ai/integration_ai_description.yaml index 4839c93dd..9058834e8 100644 --- a/content/response_integrations/google/portnox/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/google/portnox/resources/ai/integration_ai_description.yaml @@ -1,3 +1,17 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + product_categories: asset_inventory: true cloud_security: false diff --git a/content/response_integrations/google/reversinglabs_a1000/resources/ai/actions_ai_description.yaml b/content/response_integrations/google/reversinglabs_a1000/resources/ai/actions_ai_description.yaml index 7da6b4b1d..53374e8de 100644 --- a/content/response_integrations/google/reversinglabs_a1000/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/google/reversinglabs_a1000/resources/ai/actions_ai_description.yaml @@ -1,3 +1,17 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + Delete Sample: ai_description: >- ### General Description diff --git a/content/response_integrations/google/reversinglabs_a1000/resources/ai/integration_ai_description.yaml b/content/response_integrations/google/reversinglabs_a1000/resources/ai/integration_ai_description.yaml index 2e831240c..229aa2d1d 100644 --- a/content/response_integrations/google/reversinglabs_a1000/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/google/reversinglabs_a1000/resources/ai/integration_ai_description.yaml @@ -1,3 +1,17 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + product_categories: asset_inventory: false cloud_security: false diff --git a/content/response_integrations/google/stealthwatch_v610/resources/ai/actions_ai_description.yaml b/content/response_integrations/google/stealthwatch_v610/resources/ai/actions_ai_description.yaml index 5248817ff..b0253dd62 100644 --- a/content/response_integrations/google/stealthwatch_v610/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/google/stealthwatch_v610/resources/ai/actions_ai_description.yaml @@ -1,3 +1,17 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + Ping: ai_description: "### General Description\nThe **Ping** action is a utility designed\ \ to verify the connectivity between the Google SecOps platform and the Cisco\ diff --git a/content/response_integrations/google/stealthwatch_v610/resources/ai/integration_ai_description.yaml b/content/response_integrations/google/stealthwatch_v610/resources/ai/integration_ai_description.yaml index a67fd6077..6df311e0f 100644 --- a/content/response_integrations/google/stealthwatch_v610/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/google/stealthwatch_v610/resources/ai/integration_ai_description.yaml @@ -1,3 +1,17 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + product_categories: asset_inventory: false cloud_security: false diff --git a/content/response_integrations/google/symantec_content_analysis/resources/ai/actions_ai_description.yaml b/content/response_integrations/google/symantec_content_analysis/resources/ai/actions_ai_description.yaml index a547c636e..1f5af7640 100644 --- a/content/response_integrations/google/symantec_content_analysis/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/google/symantec_content_analysis/resources/ai/actions_ai_description.yaml @@ -1,3 +1,17 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + Get Hash Report: ai_description: >- Enriches File Hash entities (MD5 and SHA256) by retrieving sample reports from diff --git a/content/response_integrations/google/symantec_content_analysis/resources/ai/integration_ai_description.yaml b/content/response_integrations/google/symantec_content_analysis/resources/ai/integration_ai_description.yaml index 2e831240c..229aa2d1d 100644 --- a/content/response_integrations/google/symantec_content_analysis/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/google/symantec_content_analysis/resources/ai/integration_ai_description.yaml @@ -1,3 +1,17 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + product_categories: asset_inventory: false cloud_security: false diff --git a/content/response_integrations/google/symantec_icdx/resources/ai/actions_ai_description.yaml b/content/response_integrations/google/symantec_icdx/resources/ai/actions_ai_description.yaml index 2bd24bd8d..bab92ddcb 100644 --- a/content/response_integrations/google/symantec_icdx/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/google/symantec_icdx/resources/ai/actions_ai_description.yaml @@ -1,3 +1,17 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + Get Event: ai_description: >- ### General Description diff --git a/content/response_integrations/google/symantec_icdx/resources/ai/connectors_ai_description.yaml b/content/response_integrations/google/symantec_icdx/resources/ai/connectors_ai_description.yaml index b69f1e9e4..741a44c93 100644 --- a/content/response_integrations/google/symantec_icdx/resources/ai/connectors_ai_description.yaml +++ b/content/response_integrations/google/symantec_icdx/resources/ai/connectors_ai_description.yaml @@ -1,3 +1,17 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + SymantecICDX query Connector: ai_description: >- ### General Description diff --git a/content/response_integrations/google/symantec_icdx/resources/ai/integration_ai_description.yaml b/content/response_integrations/google/symantec_icdx/resources/ai/integration_ai_description.yaml index 466738966..f127e31fa 100644 --- a/content/response_integrations/google/symantec_icdx/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/google/symantec_icdx/resources/ai/integration_ai_description.yaml @@ -1,3 +1,17 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + product_categories: asset_inventory: false cloud_security: false From 4bbe52e0c51f269da4fc2069a31de0a21634c546 Mon Sep 17 00:00:00 2001 From: talshapir Date: Mon, 6 Apr 2026 15:43:39 +0300 Subject: [PATCH 16/26] Fix yaml key name --- .../resources/ai/actions_ai_description.yaml | 30 +- .../resources/ai/actions_ai_description.yaml | 12 +- .../resources/ai/actions_ai_description.yaml | 24 +- .../resources/ai/actions_ai_description.yaml | 16 +- .../resources/ai/actions_ai_description.yaml | 24 +- .../resources/ai/actions_ai_description.yaml | 56 +- .../resources/ai/actions_ai_description.yaml | 20 +- .../resources/ai/actions_ai_description.yaml | 12 +- .../resources/ai/actions_ai_description.yaml | 12 +- .../resources/ai/actions_ai_description.yaml | 12 +- .../resources/ai/actions_ai_description.yaml | 24 +- .../resources/ai/actions_ai_description.yaml | 524 ++++++++-------- .../resources/ai/actions_ai_description.yaml | 188 +++--- .../resources/ai/actions_ai_description.yaml | 64 +- .../resources/ai/actions_ai_description.yaml | 4 +- .../resources/ai/actions_ai_description.yaml | 16 +- .../resources/ai/actions_ai_description.yaml | 220 +++---- .../resources/ai/actions_ai_description.yaml | 24 +- .../resources/ai/actions_ai_description.yaml | 150 ++--- .../resources/ai/actions_ai_description.yaml | 442 ++++++------- .../resources/ai/actions_ai_description.yaml | 8 +- .../resources/ai/actions_ai_description.yaml | 104 ++-- .../resources/ai/actions_ai_description.yaml | 56 +- .../resources/ai/actions_ai_description.yaml | 32 +- .../resources/ai/actions_ai_description.yaml | 44 +- .../resources/ai/actions_ai_description.yaml | 12 +- .../resources/ai/actions_ai_description.yaml | 36 +- .../resources/ai/actions_ai_description.yaml | 4 +- .../resources/ai/actions_ai_description.yaml | 96 +-- .../resources/ai/actions_ai_description.yaml | 4 +- .../resources/ai/actions_ai_description.yaml | 76 +-- .../resources/ai/actions_ai_description.yaml | 4 +- .../resources/ai/actions_ai_description.yaml | 4 +- .../resources/ai/actions_ai_description.yaml | 24 +- .../resources/ai/actions_ai_description.yaml | 8 +- .../resources/ai/actions_ai_description.yaml | 4 +- .../resources/ai/actions_ai_description.yaml | 36 +- .../resources/ai/actions_ai_description.yaml | 8 +- .../resources/ai/actions_ai_description.yaml | 16 +- .../resources/ai/actions_ai_description.yaml | 114 ++-- .../resources/ai/actions_ai_description.yaml | 88 +-- .../resources/ai/actions_ai_description.yaml | 8 +- .../resources/ai/actions_ai_description.yaml | 20 +- .../resources/ai/actions_ai_description.yaml | 40 +- .../resources/ai/actions_ai_description.yaml | 8 +- .../resources/ai/actions_ai_description.yaml | 64 +- .../resources/ai/actions_ai_description.yaml | 12 +- .../resources/ai/actions_ai_description.yaml | 28 +- .../resources/ai/actions_ai_description.yaml | 12 +- .../resources/ai/actions_ai_description.yaml | 24 +- .../resources/ai/actions_ai_description.yaml | 16 +- .../resources/ai/actions_ai_description.yaml | 4 +- .../resources/ai/actions_ai_description.yaml | 20 +- .../resources/ai/actions_ai_description.yaml | 100 +-- .../resources/ai/actions_ai_description.yaml | 8 +- .../resources/ai/actions_ai_description.yaml | 44 +- .../resources/ai/actions_ai_description.yaml | 4 +- .../resources/ai/actions_ai_description.yaml | 12 +- .../resources/ai/actions_ai_description.yaml | 8 +- .../resources/ai/actions_ai_description.yaml | 88 +-- .../resources/ai/actions_ai_description.yaml | 84 +-- .../resources/ai/actions_ai_description.yaml | 8 +- .../resources/ai/actions_ai_description.yaml | 24 +- .../resources/ai/actions_ai_description.yaml | 8 +- .../resources/ai/actions_ai_description.yaml | 16 +- .../resources/ai/actions_ai_description.yaml | 56 +- .../resources/ai/actions_ai_description.yaml | 48 +- .../resources/ai/actions_ai_description.yaml | 36 +- .../resources/ai/actions_ai_description.yaml | 108 ++-- .../resources/ai/actions_ai_description.yaml | 100 +-- .../resources/ai/actions_ai_description.yaml | 32 +- .../resources/ai/actions_ai_description.yaml | 16 +- .../resources/ai/actions_ai_description.yaml | 14 +- .../resources/ai/actions_ai_description.yaml | 16 +- .../resources/ai/actions_ai_description.yaml | 24 +- .../resources/ai/actions_ai_description.yaml | 28 +- .../resources/ai/actions_ai_description.yaml | 4 +- .../resources/ai/actions_ai_description.yaml | 18 +- .../resources/ai/actions_ai_description.yaml | 30 +- .../resources/ai/actions_ai_description.yaml | 86 +-- .../resources/ai/actions_ai_description.yaml | 84 +-- .../resources/ai/actions_ai_description.yaml | 8 +- .../resources/ai/actions_ai_description.yaml | 584 +++++++++--------- .../resources/ai/actions_ai_description.yaml | 42 +- .../resources/ai/actions_ai_description.yaml | 28 +- .../resources/ai/actions_ai_description.yaml | 24 +- .../resources/ai/actions_ai_description.yaml | 24 +- .../resources/ai/actions_ai_description.yaml | 158 ++--- .../resources/ai/actions_ai_description.yaml | 18 +- .../resources/ai/actions_ai_description.yaml | 80 +-- .../resources/ai/actions_ai_description.yaml | 100 +-- .../resources/ai/actions_ai_description.yaml | 12 +- .../resources/ai/actions_ai_description.yaml | 52 +- .../resources/ai/actions_ai_description.yaml | 24 +- .../resources/ai/actions_ai_description.yaml | 4 +- .../resources/ai/actions_ai_description.yaml | 28 +- .../resources/ai/actions_ai_description.yaml | 98 +-- .../resources/ai/actions_ai_description.yaml | 40 +- .../resources/ai/actions_ai_description.yaml | 176 +++--- .../resources/ai/actions_ai_description.yaml | 40 +- .../resources/ai/actions_ai_description.yaml | 16 +- .../resources/ai/actions_ai_description.yaml | 16 +- .../resources/ai/actions_ai_description.yaml | 8 +- .../resources/ai/actions_ai_description.yaml | 12 +- .../resources/ai/actions_ai_description.yaml | 24 +- .../resources/ai/actions_ai_description.yaml | 28 +- 106 files changed, 2828 insertions(+), 2828 deletions(-) diff --git a/content/response_integrations/google/cyber_x/resources/ai/actions_ai_description.yaml b/content/response_integrations/google/cyber_x/resources/ai/actions_ai_description.yaml index 821933519..07c6a40bb 100644 --- a/content/response_integrations/google/cyber_x/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/google/cyber_x/resources/ai/actions_ai_description.yaml @@ -45,8 +45,8 @@ Enrich Endpoints: enrichment: true entity_usage: entity_types: - - ADDRESS - - HOSTNAME + - ADDRESS + - HOSTNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -60,7 +60,7 @@ Enrich Endpoints: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -116,7 +116,7 @@ Get Alerts: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -130,7 +130,7 @@ Get Alerts: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -192,8 +192,8 @@ Get Connections for Endpoint: enrichment: false entity_usage: entity_types: - - ADDRESS - - HOSTNAME + - ADDRESS + - HOSTNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -207,7 +207,7 @@ Get Connections for Endpoint: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -283,8 +283,8 @@ Get Device Vulnerability Report: enrichment: true entity_usage: entity_types: - - ADDRESS - - HOSTNAME + - ADDRESS + - HOSTNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -298,7 +298,7 @@ Get Device Vulnerability Report: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -380,7 +380,7 @@ Get Events: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -394,7 +394,7 @@ Get Events: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -469,7 +469,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -483,7 +483,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/google/juniper_vsrx/resources/ai/actions_ai_description.yaml b/content/response_integrations/google/juniper_vsrx/resources/ai/actions_ai_description.yaml index abe69a34e..d1fd6e6e4 100644 --- a/content/response_integrations/google/juniper_vsrx/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/google/juniper_vsrx/resources/ai/actions_ai_description.yaml @@ -75,7 +75,7 @@ Add IP To Address Set: enrichment: false entity_usage: entity_types: - - ADDRESS + - ADDRESS filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -89,7 +89,7 @@ Add IP To Address Set: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: true @@ -167,7 +167,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -181,7 +181,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -268,7 +268,7 @@ Remove IP From Address Set: enrichment: false entity_usage: entity_types: - - ADDRESS + - ADDRESS filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -282,7 +282,7 @@ Remove IP From Address Set: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/google/mc_afee_nsm/resources/ai/actions_ai_description.yaml b/content/response_integrations/google/mc_afee_nsm/resources/ai/actions_ai_description.yaml index d9a0053ca..6e4fabe4c 100644 --- a/content/response_integrations/google/mc_afee_nsm/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/google/mc_afee_nsm/resources/ai/actions_ai_description.yaml @@ -74,7 +74,7 @@ Block IP: enrichment: false entity_usage: entity_types: - - ADDRESS + - ADDRESS filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -88,7 +88,7 @@ Block IP: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: true @@ -171,7 +171,7 @@ Get Alert Info Data: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -185,7 +185,7 @@ Get Alert Info Data: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -263,7 +263,7 @@ Is IP Blocked: enrichment: true entity_usage: entity_types: - - ADDRESS + - ADDRESS filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -277,7 +277,7 @@ Is IP Blocked: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -334,7 +334,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -348,7 +348,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -414,7 +414,7 @@ Quarantine IP: enrichment: false entity_usage: entity_types: - - ADDRESS + - ADDRESS filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -428,7 +428,7 @@ Quarantine IP: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -490,7 +490,7 @@ Unblock IP: enrichment: false entity_usage: entity_types: - - ADDRESS + - ADDRESS filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -504,7 +504,7 @@ Unblock IP: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/google/micro_focus_itsma/resources/ai/actions_ai_description.yaml b/content/response_integrations/google/micro_focus_itsma/resources/ai/actions_ai_description.yaml index 93aeb1fc1..b4c6e869c 100644 --- a/content/response_integrations/google/micro_focus_itsma/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/google/micro_focus_itsma/resources/ai/actions_ai_description.yaml @@ -79,7 +79,7 @@ Create Incident: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -93,7 +93,7 @@ Create Incident: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -168,7 +168,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -182,7 +182,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -279,7 +279,7 @@ Update Incident: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -293,7 +293,7 @@ Update Incident: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -369,7 +369,7 @@ Update Incident External Status: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -383,7 +383,7 @@ Update Incident External Status: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/google/mobile_iron/resources/ai/actions_ai_description.yaml b/content/response_integrations/google/mobile_iron/resources/ai/actions_ai_description.yaml index eb9998cfc..a28ab6508 100644 --- a/content/response_integrations/google/mobile_iron/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/google/mobile_iron/resources/ai/actions_ai_description.yaml @@ -76,7 +76,7 @@ Fetch System Information: enrichment: true entity_usage: entity_types: - - ADDRESS + - ADDRESS filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -90,7 +90,7 @@ Fetch System Information: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -162,7 +162,7 @@ Fetch System Information By UUID: categories: enrichment: true entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -176,7 +176,7 @@ Fetch System Information By UUID: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -260,7 +260,7 @@ List Devices: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -274,7 +274,7 @@ List Devices: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -342,7 +342,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -356,7 +356,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -439,7 +439,7 @@ Unlock Device: enrichment: false entity_usage: entity_types: - - ADDRESS + - ADDRESS filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -453,7 +453,7 @@ Unlock Device: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -523,7 +523,7 @@ Unlock Device by UUID: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -537,7 +537,7 @@ Unlock Device by UUID: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/google/portnox/resources/ai/actions_ai_description.yaml b/content/response_integrations/google/portnox/resources/ai/actions_ai_description.yaml index 722d2ef0d..067b4256f 100644 --- a/content/response_integrations/google/portnox/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/google/portnox/resources/ai/actions_ai_description.yaml @@ -70,8 +70,8 @@ Enrich Device: enrichment: true entity_usage: entity_types: - - ADDRESS - - MacAddress + - ADDRESS + - MacAddress filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -85,7 +85,7 @@ Enrich Device: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -172,8 +172,8 @@ Get Device History: enrichment: true entity_usage: entity_types: - - ADDRESS - - MacAddress + - ADDRESS + - MacAddress filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -187,7 +187,7 @@ Get Device History: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -272,8 +272,8 @@ Get Device Locations: enrichment: true entity_usage: entity_types: - - ADDRESS - - MacAddress + - ADDRESS + - MacAddress filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -287,7 +287,7 @@ Get Device Locations: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -380,8 +380,8 @@ Get Installed Applications: enrichment: true entity_usage: entity_types: - - ADDRESS - - MacAddress + - ADDRESS + - MacAddress filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -395,7 +395,7 @@ Get Installed Applications: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -467,8 +467,8 @@ Get Open Ports: enrichment: true entity_usage: entity_types: - - ADDRESS - - MacAddress + - ADDRESS + - MacAddress filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -482,7 +482,7 @@ Get Open Ports: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -557,8 +557,8 @@ Get Services: enrichment: true entity_usage: entity_types: - - ADDRESS - - MacAddress + - ADDRESS + - MacAddress filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -572,7 +572,7 @@ Get Services: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -653,8 +653,8 @@ Get User History: enrichment: true entity_usage: entity_types: - - ADDRESS - - MacAddress + - ADDRESS + - MacAddress filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -668,7 +668,7 @@ Get User History: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -738,7 +738,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -752,7 +752,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -835,7 +835,7 @@ Revalidate Device: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -849,7 +849,7 @@ Revalidate Device: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -934,8 +934,8 @@ Revalidate Device By Address: enrichment: false entity_usage: entity_types: - - ADDRESS - - MacAddress + - ADDRESS + - MacAddress filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -949,7 +949,7 @@ Revalidate Device By Address: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/google/reversinglabs_a1000/resources/ai/actions_ai_description.yaml b/content/response_integrations/google/reversinglabs_a1000/resources/ai/actions_ai_description.yaml index 53374e8de..7d349bac1 100644 --- a/content/response_integrations/google/reversinglabs_a1000/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/google/reversinglabs_a1000/resources/ai/actions_ai_description.yaml @@ -59,7 +59,7 @@ Delete Sample: enrichment: false entity_usage: entity_types: - - FILEHASH + - FILEHASH filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -73,7 +73,7 @@ Delete Sample: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -133,7 +133,7 @@ Get Report: enrichment: true entity_usage: entity_types: - - FILEHASH + - FILEHASH filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -147,7 +147,7 @@ Get Report: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -228,7 +228,7 @@ Get Scan Status: enrichment: false entity_usage: entity_types: - - FILEHASH + - FILEHASH filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -242,7 +242,7 @@ Get Scan Status: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -319,7 +319,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -333,7 +333,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -420,7 +420,7 @@ Upload File: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -434,7 +434,7 @@ Upload File: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/google/stealthwatch_v610/resources/ai/actions_ai_description.yaml b/content/response_integrations/google/stealthwatch_v610/resources/ai/actions_ai_description.yaml index b0253dd62..0607c86f2 100644 --- a/content/response_integrations/google/stealthwatch_v610/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/google/stealthwatch_v610/resources/ai/actions_ai_description.yaml @@ -47,7 +47,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -61,7 +61,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -147,7 +147,7 @@ Search Events: enrichment: false entity_usage: entity_types: - - ADDRESS + - ADDRESS filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -161,7 +161,7 @@ Search Events: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -259,7 +259,7 @@ Search Flows: enrichment: false entity_usage: entity_types: - - ADDRESS + - ADDRESS filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -273,7 +273,7 @@ Search Flows: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/google/symantec_content_analysis/resources/ai/actions_ai_description.yaml b/content/response_integrations/google/symantec_content_analysis/resources/ai/actions_ai_description.yaml index 1f5af7640..a81e25c28 100644 --- a/content/response_integrations/google/symantec_content_analysis/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/google/symantec_content_analysis/resources/ai/actions_ai_description.yaml @@ -75,7 +75,7 @@ Get Hash Report: enrichment: true entity_usage: entity_types: - - FILEHASH + - FILEHASH filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -89,7 +89,7 @@ Get Hash Report: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -175,7 +175,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -189,7 +189,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -251,7 +251,7 @@ Submit File: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -265,7 +265,7 @@ Submit File: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/google/symantec_icdx/resources/ai/actions_ai_description.yaml b/content/response_integrations/google/symantec_icdx/resources/ai/actions_ai_description.yaml index bab92ddcb..338ad1fd8 100644 --- a/content/response_integrations/google/symantec_icdx/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/google/symantec_icdx/resources/ai/actions_ai_description.yaml @@ -74,7 +74,7 @@ Get Event: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -88,7 +88,7 @@ Get Event: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -190,7 +190,7 @@ Get Events Minutes Back: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -204,7 +204,7 @@ Get Events Minutes Back: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -272,7 +272,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -286,7 +286,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/power_ups/email_utilities/resources/ai/actions_ai_description.yaml b/content/response_integrations/power_ups/email_utilities/resources/ai/actions_ai_description.yaml index 56098d1be..87afae354 100644 --- a/content/response_integrations/power_ups/email_utilities/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/power_ups/email_utilities/resources/ai/actions_ai_description.yaml @@ -72,7 +72,7 @@ Analyze EML Headers: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -86,7 +86,7 @@ Analyze EML Headers: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -179,7 +179,7 @@ Analyze Headers: categories: enrichment: true entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -193,7 +193,7 @@ Analyze Headers: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -289,7 +289,7 @@ Parse Base64 Email: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -303,7 +303,7 @@ Parse Base64 Email: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -403,7 +403,7 @@ Parse Case Wall Email: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -417,7 +417,7 @@ Parse Case Wall Email: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -497,7 +497,7 @@ Parse EML Base64 Blob: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -511,7 +511,7 @@ Parse EML Base64 Blob: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -573,7 +573,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -587,7 +587,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/power_ups/enrichment/resources/ai/actions_ai_description.yaml b/content/response_integrations/power_ups/enrichment/resources/ai/actions_ai_description.yaml index 076a43e1f..16b2ad6f7 100644 --- a/content/response_integrations/power_ups/enrichment/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/power_ups/enrichment/resources/ai/actions_ai_description.yaml @@ -74,41 +74,41 @@ Enrich Entities from List with Field: enrichment: false entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -122,7 +122,7 @@ Enrich Entities from List with Field: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -219,41 +219,41 @@ Enrich Entity From Event Field: enrichment: true entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -267,7 +267,7 @@ Enrich Entity From Event Field: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -379,41 +379,41 @@ Enrich Entity From JSON: enrichment: false entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -427,7 +427,7 @@ Enrich Entity From JSON: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -514,41 +514,41 @@ Enrich Entity With Field: enrichment: false entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -562,7 +562,7 @@ Enrich Entity With Field: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -652,41 +652,41 @@ Enrich Entity from Explorer Attributes: enrichment: true entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -700,7 +700,7 @@ Enrich Entity from Explorer Attributes: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -786,41 +786,41 @@ Enrich FileName Entity with Path: enrichment: true entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -834,7 +834,7 @@ Enrich FileName Entity with Path: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -924,8 +924,8 @@ Enrich Source and Destinations: enrichment: true entity_usage: entity_types: - - ADDRESS - - HOSTNAME + - ADDRESS + - HOSTNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -939,7 +939,7 @@ Enrich Source and Destinations: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1020,41 +1020,41 @@ Mark Entity as Suspicious: enrichment: false entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1068,7 +1068,7 @@ Mark Entity as Suspicious: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1135,7 +1135,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1149,7 +1149,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1214,10 +1214,10 @@ Whois: enrichment: false entity_usage: entity_types: - - ADDRESS - - DOMAIN - - DestinationURL - - USERUNIQNAME + - ADDRESS + - DOMAIN + - DestinationURL + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1231,7 +1231,7 @@ Whois: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/power_ups/file_utilities/resources/ai/actions_ai_description.yaml b/content/response_integrations/power_ups/file_utilities/resources/ai/actions_ai_description.yaml index 5d709fc01..e8d308ac4 100644 --- a/content/response_integrations/power_ups/file_utilities/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/power_ups/file_utilities/resources/ai/actions_ai_description.yaml @@ -68,7 +68,7 @@ Add Attachment: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -82,7 +82,7 @@ Add Attachment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -161,41 +161,41 @@ Add Entity to File: enrichment: false entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -209,7 +209,7 @@ Add Entity to File: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -297,7 +297,7 @@ Count Files: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -311,7 +311,7 @@ Count Files: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -408,7 +408,7 @@ Create Archive: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -422,7 +422,7 @@ Create Archive: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -517,7 +517,7 @@ Create Hash From Base64: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -531,7 +531,7 @@ Create Hash From Base64: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -615,7 +615,7 @@ Decode Base64: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -629,7 +629,7 @@ Decode Base64: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -708,7 +708,7 @@ Extract Archive: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -722,7 +722,7 @@ Extract Archive: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -796,7 +796,7 @@ Extract Zip Files: enrichment: false entity_usage: entity_types: - - FILENAME + - FILENAME filters_by_additional_properties: true filters_by_alert_identifier: false filters_by_case_identifier: false @@ -810,7 +810,7 @@ Extract Zip Files: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -870,7 +870,7 @@ Get Attachment: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -884,7 +884,7 @@ Get Attachment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -973,7 +973,7 @@ Get Files as Base64: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -987,7 +987,7 @@ Get Files as Base64: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1056,7 +1056,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1070,7 +1070,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1157,41 +1157,41 @@ Remove Entity from File: enrichment: false entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1205,7 +1205,7 @@ Remove Entity from File: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1294,7 +1294,7 @@ Save Base64 to File: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1308,7 +1308,7 @@ Save Base64 to File: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/power_ups/functions/resources/ai/actions_ai_description.yaml b/content/response_integrations/power_ups/functions/resources/ai/actions_ai_description.yaml index b0a3ec3e1..50b344a8b 100644 --- a/content/response_integrations/power_ups/functions/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/power_ups/functions/resources/ai/actions_ai_description.yaml @@ -40,7 +40,7 @@ Calculate Timestamp: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -54,7 +54,7 @@ Calculate Timestamp: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -127,7 +127,7 @@ Convert Time Format: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -141,7 +141,7 @@ Convert Time Format: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -238,7 +238,7 @@ Create Thumbnail: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -252,7 +252,7 @@ Create Thumbnail: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -329,7 +329,7 @@ Defang Text: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -343,7 +343,7 @@ Defang Text: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -436,7 +436,7 @@ Detect Hash Type: enrichment: false entity_usage: entity_types: - - FILEHASH + - FILEHASH filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -450,7 +450,7 @@ Detect Hash Type: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -539,7 +539,7 @@ Detect IP Type: enrichment: false entity_usage: entity_types: - - ADDRESS + - ADDRESS filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -553,7 +553,7 @@ Detect IP Type: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -646,7 +646,7 @@ Extract IOCs: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -660,7 +660,7 @@ Extract IOCs: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -741,7 +741,7 @@ IP to Integer: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -755,7 +755,7 @@ IP to Integer: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -839,7 +839,7 @@ Math Arithmetic: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -853,7 +853,7 @@ Math Arithmetic: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -919,7 +919,7 @@ Math Functions: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -933,7 +933,7 @@ Math Functions: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -997,7 +997,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1011,7 +1011,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1094,7 +1094,7 @@ Run JSONPath Query: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1108,7 +1108,7 @@ Run JSONPath Query: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1201,7 +1201,7 @@ SanitizeHTML: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1215,7 +1215,7 @@ SanitizeHTML: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1318,7 +1318,7 @@ String Functions: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1332,7 +1332,7 @@ String Functions: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1424,7 +1424,7 @@ Time Duration Calculator: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1438,7 +1438,7 @@ Time Duration Calculator: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1514,7 +1514,7 @@ XMLtoJson: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1528,7 +1528,7 @@ XMLtoJson: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/power_ups/git_sync/resources/ai/actions_ai_description.yaml b/content/response_integrations/power_ups/git_sync/resources/ai/actions_ai_description.yaml index a5d849560..cbfc35eef 100644 --- a/content/response_integrations/power_ups/git_sync/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/power_ups/git_sync/resources/ai/actions_ai_description.yaml @@ -57,7 +57,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -71,7 +71,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/power_ups/image_utilities/resources/ai/actions_ai_description.yaml b/content/response_integrations/power_ups/image_utilities/resources/ai/actions_ai_description.yaml index 41b5961f0..82158b8a0 100644 --- a/content/response_integrations/power_ups/image_utilities/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/power_ups/image_utilities/resources/ai/actions_ai_description.yaml @@ -71,7 +71,7 @@ Convert File: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -85,7 +85,7 @@ Convert File: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -149,7 +149,7 @@ OCR Image: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -163,7 +163,7 @@ OCR Image: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -223,7 +223,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -237,7 +237,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -356,7 +356,7 @@ Rasterize Content: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -370,7 +370,7 @@ Rasterize Content: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/power_ups/insights/resources/ai/actions_ai_description.yaml b/content/response_integrations/power_ups/insights/resources/ai/actions_ai_description.yaml index 5bf7691fb..9cacfa46e 100644 --- a/content/response_integrations/power_ups/insights/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/power_ups/insights/resources/ai/actions_ai_description.yaml @@ -66,41 +66,41 @@ Create Entity Insight From Enrichment: enrichment: false entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: true filters_by_alert_identifier: false filters_by_case_identifier: false @@ -114,7 +114,7 @@ Create Entity Insight From Enrichment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -219,41 +219,41 @@ Create Entity Insight From JSON: enrichment: false entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -267,7 +267,7 @@ Create Entity Insight From JSON: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -367,41 +367,41 @@ Create Entity Insight From JSON: enrichment: false entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -415,7 +415,7 @@ Create Entity Insight From JSON: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -484,7 +484,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -498,7 +498,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/power_ups/lists/resources/ai/actions_ai_description.yaml b/content/response_integrations/power_ups/lists/resources/ai/actions_ai_description.yaml index 63921ffb3..2e8d95563 100644 --- a/content/response_integrations/power_ups/lists/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/power_ups/lists/resources/ai/actions_ai_description.yaml @@ -56,7 +56,7 @@ Add String to Custom List: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -70,7 +70,7 @@ Add String to Custom List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -156,7 +156,7 @@ Is String In Custom List: categories: enrichment: true entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -170,7 +170,7 @@ Is String In Custom List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -237,7 +237,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -251,7 +251,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -310,7 +310,7 @@ Remove String from Custom List: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -324,7 +324,7 @@ Remove String from Custom List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -417,7 +417,7 @@ Search Custom Lists: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -431,7 +431,7 @@ Search Custom Lists: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -516,7 +516,7 @@ Search Environment Custom Lists: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -530,7 +530,7 @@ Search Environment Custom Lists: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/power_ups/template_engine/resources/ai/actions_ai_description.yaml b/content/response_integrations/power_ups/template_engine/resources/ai/actions_ai_description.yaml index 95bdbcd2a..72a5ad4f4 100644 --- a/content/response_integrations/power_ups/template_engine/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/power_ups/template_engine/resources/ai/actions_ai_description.yaml @@ -81,40 +81,40 @@ Entity Insight: enrichment: true entity_usage: entity_types: - - ADDRESS - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: true filters_by_alert_identifier: false filters_by_case_identifier: false @@ -128,7 +128,7 @@ Entity Insight: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -202,7 +202,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -216,7 +216,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -319,41 +319,41 @@ Render Template: enrichment: false entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -367,7 +367,7 @@ Render Template: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -463,7 +463,7 @@ Render Template from Array: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -477,7 +477,7 @@ Render Template from Array: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/power_ups/tools/resources/ai/actions_ai_description.yaml b/content/response_integrations/power_ups/tools/resources/ai/actions_ai_description.yaml index 606fc4c69..d26dc209a 100644 --- a/content/response_integrations/power_ups/tools/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/power_ups/tools/resources/ai/actions_ai_description.yaml @@ -66,7 +66,7 @@ Add Alert Scoring Information: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -80,7 +80,7 @@ Add Alert Scoring Information: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -163,41 +163,41 @@ Add Comment to Entity Log: enrichment: false entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -211,7 +211,7 @@ Add Comment to Entity Log: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -278,7 +278,7 @@ Add Or Update Alert Additional Data: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -292,7 +292,7 @@ Add Or Update Alert Additional Data: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -356,7 +356,7 @@ Append to Context Value: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -370,7 +370,7 @@ Append to Context Value: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -451,7 +451,7 @@ Assign Case to User: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -465,7 +465,7 @@ Assign Case to User: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -545,7 +545,7 @@ Attach Playbook to Alert: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -559,7 +559,7 @@ Attach Playbook to Alert: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -639,7 +639,7 @@ Attach Playbook to All Case Alerts: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -653,7 +653,7 @@ Attach Playbook to All Case Alerts: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -712,7 +712,7 @@ Buffer: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -726,7 +726,7 @@ Buffer: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -788,7 +788,7 @@ Change Case Name: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -802,7 +802,7 @@ Change Case Name: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -910,41 +910,41 @@ Check Entities Fields In Text: enrichment: false entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: true filters_by_alert_identifier: false filters_by_case_identifier: false @@ -958,7 +958,7 @@ Check Entities Fields In Text: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1017,7 +1017,7 @@ Check List Subset: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1031,7 +1031,7 @@ Check List Subset: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1140,7 +1140,7 @@ Convert Into Simulated Case: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1154,7 +1154,7 @@ Convert Into Simulated Case: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1259,7 +1259,7 @@ Create Entities with Separator: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1273,7 +1273,7 @@ Create Entities with Separator: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1369,7 +1369,7 @@ Create Entity Relationships: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1383,7 +1383,7 @@ Create Entity Relationships: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1447,7 +1447,7 @@ Create Siemplify Task: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1461,7 +1461,7 @@ Create Siemplify Task: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1553,8 +1553,8 @@ DNS Lookup: enrichment: true entity_usage: entity_types: - - ADDRESS - - HOSTNAME + - ADDRESS + - HOSTNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1568,7 +1568,7 @@ DNS Lookup: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1670,7 +1670,7 @@ Delay Playbook: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1684,7 +1684,7 @@ Delay Playbook: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1745,7 +1745,7 @@ Delay Playbook Synchronous: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1759,7 +1759,7 @@ Delay Playbook Synchronous: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1830,7 +1830,7 @@ Delay Playbook V2: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1844,7 +1844,7 @@ Delay Playbook V2: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1935,41 +1935,41 @@ Extract URL Domain: enrichment: true entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1983,7 +1983,7 @@ Extract URL Domain: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -2041,7 +2041,7 @@ Find First Alert: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2055,7 +2055,7 @@ Find First Alert: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -2150,7 +2150,7 @@ Get Case Data: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2164,7 +2164,7 @@ Get Case Data: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -2247,7 +2247,7 @@ Get Case SLA: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2261,7 +2261,7 @@ Get Case SLA: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -2346,7 +2346,7 @@ Get Certificate Details: categories: enrichment: true entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2360,7 +2360,7 @@ Get Certificate Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -2453,7 +2453,7 @@ Get Context Value: categories: enrichment: true entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2467,7 +2467,7 @@ Get Context Value: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -2543,7 +2543,7 @@ Get Current Time: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2557,7 +2557,7 @@ Get Current Time: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -2631,7 +2631,7 @@ Get Email Templates: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2645,7 +2645,7 @@ Get Email Templates: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -2707,7 +2707,7 @@ Get Integration Instances: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2721,7 +2721,7 @@ Get Integration Instances: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -2796,7 +2796,7 @@ Get Original Alert Json: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2810,7 +2810,7 @@ Get Original Alert Json: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -2867,7 +2867,7 @@ Get Siemplify Users: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2881,7 +2881,7 @@ Get Siemplify Users: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -2944,7 +2944,7 @@ Lock Playbook: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2958,7 +2958,7 @@ Lock Playbook: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -3036,7 +3036,7 @@ Look-A-Like Domains: enrichment: true entity_usage: entity_types: - - DOMAIN + - DOMAIN filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -3050,7 +3050,7 @@ Look-A-Like Domains: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -3145,41 +3145,41 @@ Normalize Entity Enrichment: enrichment: false entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -3193,7 +3193,7 @@ Normalize Entity Enrichment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -3261,7 +3261,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -3275,7 +3275,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -3341,7 +3341,7 @@ Re-Attach Playbook: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -3355,7 +3355,7 @@ Re-Attach Playbook: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -3452,7 +3452,7 @@ Search Text: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -3466,7 +3466,7 @@ Search Text: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -3555,7 +3555,7 @@ Set Context Value: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -3569,7 +3569,7 @@ Set Context Value: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -3653,7 +3653,7 @@ Spell Check String: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -3667,7 +3667,7 @@ Spell Check String: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -3754,7 +3754,7 @@ Unflatten JSON: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -3768,7 +3768,7 @@ Unflatten JSON: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -3858,7 +3858,7 @@ Update Alert Score: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -3872,7 +3872,7 @@ Update Alert Score: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -3947,7 +3947,7 @@ Update Case Description: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -3961,7 +3961,7 @@ Update Case Description: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -4021,7 +4021,7 @@ Wait for Playbook to Complete: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -4035,7 +4035,7 @@ Wait for Playbook to Complete: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/community/abuse_ipdb/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/abuse_ipdb/resources/ai/actions_ai_description.yaml index ab1e4a5c0..400fc7c51 100644 --- a/content/response_integrations/third_party/community/abuse_ipdb/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/abuse_ipdb/resources/ai/actions_ai_description.yaml @@ -73,7 +73,7 @@ Check IP Reputation: enrichment: true entity_usage: entity_types: - - ADDRESS + - ADDRESS filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -87,7 +87,7 @@ Check IP Reputation: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -177,7 +177,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -191,7 +191,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/community/air_table/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/air_table/resources/ai/actions_ai_description.yaml index 6173e0a0c..d05005c2e 100644 --- a/content/response_integrations/third_party/community/air_table/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/air_table/resources/ai/actions_ai_description.yaml @@ -42,7 +42,7 @@ AddOrUpdate: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -56,7 +56,7 @@ AddOrUpdate: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -147,7 +147,7 @@ Create: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -161,7 +161,7 @@ Create: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -260,7 +260,7 @@ Delete: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -274,7 +274,7 @@ Delete: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -364,7 +364,7 @@ Delete All Records: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -378,7 +378,7 @@ Delete All Records: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -483,41 +483,41 @@ Enrich Entities From Table: enrichment: true entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: true filters_by_alert_identifier: false filters_by_case_identifier: false @@ -531,7 +531,7 @@ Enrich Entities From Table: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -633,7 +633,7 @@ Get All Records: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -647,7 +647,7 @@ Get All Records: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -720,7 +720,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -734,7 +734,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -825,7 +825,7 @@ Search: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -839,7 +839,7 @@ Search: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -936,7 +936,7 @@ Update: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -950,7 +950,7 @@ Update: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/community/arcanna_ai/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/arcanna_ai/resources/ai/actions_ai_description.yaml index 8f5b0f0a2..2beccae54 100644 --- a/content/response_integrations/third_party/community/arcanna_ai/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/arcanna_ai/resources/ai/actions_ai_description.yaml @@ -58,7 +58,7 @@ Export full event: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -72,7 +72,7 @@ Export full event: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -148,7 +148,7 @@ Get AI Job by name: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -162,7 +162,7 @@ Get AI Job by name: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -244,7 +244,7 @@ Get AI Job decision set: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -258,7 +258,7 @@ Get AI Job decision set: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -342,7 +342,7 @@ Get AI Job decision set by job name: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -356,7 +356,7 @@ Get AI Job decision set by job name: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -422,7 +422,7 @@ Get Arcanna decision: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -436,7 +436,7 @@ Get Arcanna decision: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -517,7 +517,7 @@ Get Jobs: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -531,7 +531,7 @@ Get Jobs: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -609,7 +609,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -623,7 +623,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -714,7 +714,7 @@ Send Active Alert from Case to Arcanna: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -728,7 +728,7 @@ Send Active Alert from Case to Arcanna: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -819,7 +819,7 @@ Send Analyst Feedback to Arcanna: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -833,7 +833,7 @@ Send Analyst Feedback to Arcanna: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -929,7 +929,7 @@ Send Case to Arcanna: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -943,7 +943,7 @@ Send Case to Arcanna: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1030,7 +1030,7 @@ Send JSON Document to Arcanna: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1044,7 +1044,7 @@ Send JSON Document to Arcanna: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1143,7 +1143,7 @@ Send event to Arcanna: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1157,7 +1157,7 @@ Send event to Arcanna: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1240,7 +1240,7 @@ Trigger AI Model training: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1254,7 +1254,7 @@ Trigger AI Model training: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1337,7 +1337,7 @@ Update alert priority: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1351,7 +1351,7 @@ Update alert priority: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/community/asana/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/asana/resources/ai/actions_ai_description.yaml index ee04c9a9d..f3f5bcf10 100644 --- a/content/response_integrations/third_party/community/asana/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/asana/resources/ai/actions_ai_description.yaml @@ -56,7 +56,7 @@ Add User To Workspace: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -70,7 +70,7 @@ Add User To Workspace: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -157,7 +157,7 @@ Create Task: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -171,7 +171,7 @@ Create Task: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -232,7 +232,7 @@ Get Task: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -246,7 +246,7 @@ Get Task: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -341,7 +341,7 @@ List My Tasks: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -355,7 +355,7 @@ List My Tasks: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -446,7 +446,7 @@ List Project Tasks: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -460,7 +460,7 @@ List Project Tasks: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -527,7 +527,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -541,7 +541,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -627,7 +627,7 @@ Remove User From Workspace: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -641,7 +641,7 @@ Remove User From Workspace: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -733,7 +733,7 @@ Update Task: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -747,7 +747,7 @@ Update Task: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/community/aws_ec2/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/aws_ec2/resources/ai/actions_ai_description.yaml index ce26c1254..bca6b6349 100644 --- a/content/response_integrations/third_party/community/aws_ec2/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/aws_ec2/resources/ai/actions_ai_description.yaml @@ -60,7 +60,7 @@ Authorize Security Group Egress: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -74,7 +74,7 @@ Authorize Security Group Egress: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -158,7 +158,7 @@ Authorize Security Group Ingress: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -172,7 +172,7 @@ Authorize Security Group Ingress: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: true add_ioc_to_blocklist: false @@ -266,7 +266,7 @@ Create Instance: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -280,7 +280,7 @@ Create Instance: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -366,7 +366,7 @@ Create Tags: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -380,7 +380,7 @@ Create Tags: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -473,7 +473,7 @@ Delete Instance: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -487,7 +487,7 @@ Delete Instance: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -588,7 +588,7 @@ Find Instance: categories: enrichment: true entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -602,7 +602,7 @@ Find Instance: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -662,7 +662,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -676,7 +676,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -766,7 +766,7 @@ Revoke Security Group Egress: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -780,7 +780,7 @@ Revoke Security Group Egress: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -873,7 +873,7 @@ Revoke Security Group ingress: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -887,7 +887,7 @@ Revoke Security Group ingress: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -971,7 +971,7 @@ Start Instance: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -985,7 +985,7 @@ Start Instance: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1066,7 +1066,7 @@ Stop Instance: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1080,7 +1080,7 @@ Stop Instance: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/community/azure_devops/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/azure_devops/resources/ai/actions_ai_description.yaml index 929df117a..01a82fcf4 100644 --- a/content/response_integrations/third_party/community/azure_devops/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/azure_devops/resources/ai/actions_ai_description.yaml @@ -29,7 +29,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -43,7 +43,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -129,7 +129,7 @@ Trigger Azure Build: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -143,7 +143,7 @@ Trigger Azure Build: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -201,7 +201,7 @@ Wait Until Web Resource Is Up: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -215,7 +215,7 @@ Wait Until Web Resource Is Up: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/community/bandura_cyber/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/bandura_cyber/resources/ai/actions_ai_description.yaml index f1c734b05..3900088fb 100644 --- a/content/response_integrations/third_party/community/bandura_cyber/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/bandura_cyber/resources/ai/actions_ai_description.yaml @@ -57,7 +57,7 @@ Add Domain to Allowed Lists: enrichment: false entity_usage: entity_types: - - DestinationURL + - DestinationURL filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -71,7 +71,7 @@ Add Domain to Allowed Lists: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: true add_ioc_to_blocklist: false @@ -156,7 +156,7 @@ Add Domain to Denied Lists: enrichment: false entity_usage: entity_types: - - DestinationURL + - DestinationURL filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -170,7 +170,7 @@ Add Domain to Denied Lists: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: true @@ -255,7 +255,7 @@ Add IP to Allowed Lists: enrichment: false entity_usage: entity_types: - - ADDRESS + - ADDRESS filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -269,7 +269,7 @@ Add IP to Allowed Lists: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: true add_ioc_to_blocklist: false @@ -355,7 +355,7 @@ Add IP to Denied Lists: enrichment: false entity_usage: entity_types: - - ADDRESS + - ADDRESS filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -369,7 +369,7 @@ Add IP to Denied Lists: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: true @@ -428,7 +428,7 @@ Get Allowed Domain Lists: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -442,7 +442,7 @@ Get Allowed Domain Lists: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -517,7 +517,7 @@ Get Allowed IP Lists: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -531,7 +531,7 @@ Get Allowed IP Lists: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -613,7 +613,7 @@ Get Denied Domain Lists: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -627,7 +627,7 @@ Get Denied Domain Lists: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -710,7 +710,7 @@ Get Denied IP Lists: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -724,7 +724,7 @@ Get Denied IP Lists: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -805,7 +805,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -819,7 +819,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/community/be_secure/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/be_secure/resources/ai/actions_ai_description.yaml index dc01bbdf7..b98a634e9 100644 --- a/content/response_integrations/third_party/community/be_secure/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/be_secure/resources/ai/actions_ai_description.yaml @@ -56,7 +56,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -70,7 +70,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/community/bitdefender_gravity_zone/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/bitdefender_gravity_zone/resources/ai/actions_ai_description.yaml index efcfd4add..f6c81f601 100644 --- a/content/response_integrations/third_party/community/bitdefender_gravity_zone/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/bitdefender_gravity_zone/resources/ai/actions_ai_description.yaml @@ -54,7 +54,7 @@ Blocklist - Add Hashes: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -68,7 +68,7 @@ Blocklist - Add Hashes: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: true @@ -162,7 +162,7 @@ Blocklist - List Items: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -176,7 +176,7 @@ Blocklist - List Items: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -256,7 +256,7 @@ Blocklist - Remove Item: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -270,7 +270,7 @@ Blocklist - Remove Item: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -371,7 +371,7 @@ Create Scan Task: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -385,7 +385,7 @@ Create Scan Task: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -478,7 +478,7 @@ Create Scan Task by MAC Address: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -492,7 +492,7 @@ Create Scan Task by MAC Address: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -571,7 +571,7 @@ Get Custom Groups List: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -585,7 +585,7 @@ Get Custom Groups List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -697,7 +697,7 @@ Get Endpoints List: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -711,7 +711,7 @@ Get Endpoints List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -789,7 +789,7 @@ Get Hourly Usage for EC2 Instances: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -803,7 +803,7 @@ Get Hourly Usage for EC2 Instances: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -883,7 +883,7 @@ Get Managed Endpoint Details: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -897,7 +897,7 @@ Get Managed Endpoint Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1020,7 +1020,7 @@ Get Network Inventory Items: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1034,7 +1034,7 @@ Get Network Inventory Items: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1116,7 +1116,7 @@ Get Scan Tasks List: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1130,7 +1130,7 @@ Get Scan Tasks List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1215,7 +1215,7 @@ Isolate Endpoint: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1229,7 +1229,7 @@ Isolate Endpoint: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1289,7 +1289,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1303,7 +1303,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1383,7 +1383,7 @@ Policies - Get Details: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1397,7 +1397,7 @@ Policies - Get Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1475,7 +1475,7 @@ Policies - List All: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1489,7 +1489,7 @@ Policies - List All: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1578,7 +1578,7 @@ Quarantine - Add File: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1592,7 +1592,7 @@ Quarantine - Add File: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1696,7 +1696,7 @@ Quarantine - Get Items List: categories: enrichment: true entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1710,7 +1710,7 @@ Quarantine - Get Items List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1796,7 +1796,7 @@ Quarantine - Remove Items: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1810,7 +1810,7 @@ Quarantine - Remove Items: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1897,7 +1897,7 @@ Quarantine - Restore Exchange Items: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1911,7 +1911,7 @@ Quarantine - Restore Exchange Items: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -2008,7 +2008,7 @@ Quarantine - Restore Items: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2022,7 +2022,7 @@ Quarantine - Restore Items: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -2099,7 +2099,7 @@ Reports - Get Download Links: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2113,7 +2113,7 @@ Reports - Get Download Links: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -2201,7 +2201,7 @@ Reports - List All: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2215,7 +2215,7 @@ Reports - List All: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -2282,7 +2282,7 @@ Restore Isolated Endpoint: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2296,7 +2296,7 @@ Restore Isolated Endpoint: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -2373,7 +2373,7 @@ Set Endpoint Label: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2387,7 +2387,7 @@ Set Endpoint Label: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/community/chronicle_support_tools/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/chronicle_support_tools/resources/ai/actions_ai_description.yaml index c44b2832f..870833005 100644 --- a/content/response_integrations/third_party/community/chronicle_support_tools/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/chronicle_support_tools/resources/ai/actions_ai_description.yaml @@ -68,7 +68,7 @@ Gather Remote Agent Datapoints: categories: enrichment: true entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -82,7 +82,7 @@ Gather Remote Agent Datapoints: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/community/country_flags/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/country_flags/resources/ai/actions_ai_description.yaml index 01cc67c73..8f11f86ce 100644 --- a/content/response_integrations/third_party/community/country_flags/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/country_flags/resources/ai/actions_ai_description.yaml @@ -72,41 +72,41 @@ Get Country Flag: enrichment: false entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: true filters_by_alert_identifier: false filters_by_case_identifier: false @@ -120,7 +120,7 @@ Get Country Flag: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -196,7 +196,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -210,7 +210,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/community/cybersixgill_actionable_alerts/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/cybersixgill_actionable_alerts/resources/ai/actions_ai_description.yaml index b04afcc67..dae018e81 100644 --- a/content/response_integrations/third_party/community/cybersixgill_actionable_alerts/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/cybersixgill_actionable_alerts/resources/ai/actions_ai_description.yaml @@ -33,7 +33,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -47,7 +47,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/community/cybersixgill_darkfeed/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/cybersixgill_darkfeed/resources/ai/actions_ai_description.yaml index 500b9bd3c..b3818783c 100644 --- a/content/response_integrations/third_party/community/cybersixgill_darkfeed/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/cybersixgill_darkfeed/resources/ai/actions_ai_description.yaml @@ -47,7 +47,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -61,7 +61,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/community/cybersixgill_darkfeed_enrichment/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/cybersixgill_darkfeed_enrichment/resources/ai/actions_ai_description.yaml index 55654fcd7..274b05be5 100644 --- a/content/response_integrations/third_party/community/cybersixgill_darkfeed_enrichment/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/cybersixgill_darkfeed_enrichment/resources/ai/actions_ai_description.yaml @@ -65,7 +65,7 @@ Enrich Actor: enrichment: true entity_usage: entity_types: - - THREATACTOR + - THREATACTOR filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -79,7 +79,7 @@ Enrich Actor: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -168,7 +168,7 @@ Enrich Domain: enrichment: true entity_usage: entity_types: - - HOSTNAME + - HOSTNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -182,7 +182,7 @@ Enrich Domain: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -246,7 +246,7 @@ Enrich Hash: enrichment: true entity_usage: entity_types: - - FILEHASH + - FILEHASH filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -260,7 +260,7 @@ Enrich Hash: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -358,7 +358,7 @@ Enrich IP: enrichment: true entity_usage: entity_types: - - ADDRESS + - ADDRESS filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -372,7 +372,7 @@ Enrich IP: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -458,7 +458,7 @@ Enrich URL: enrichment: true entity_usage: entity_types: - - DestinationURL + - DestinationURL filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -472,7 +472,7 @@ Enrich URL: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -538,7 +538,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -552,7 +552,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/community/cybersixgill_dve_enrichment/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/cybersixgill_dve_enrichment/resources/ai/actions_ai_description.yaml index 103b2d357..1700b6bdb 100644 --- a/content/response_integrations/third_party/community/cybersixgill_dve_enrichment/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/cybersixgill_dve_enrichment/resources/ai/actions_ai_description.yaml @@ -38,7 +38,7 @@ Enrich CVE: enrichment: true entity_usage: entity_types: - - CVE + - CVE filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -52,7 +52,7 @@ Enrich CVE: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -129,7 +129,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -143,7 +143,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/community/cybersixgill_dve_feed/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/cybersixgill_dve_feed/resources/ai/actions_ai_description.yaml index d7a17cbb9..d55bd2b5c 100644 --- a/content/response_integrations/third_party/community/cybersixgill_dve_feed/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/cybersixgill_dve_feed/resources/ai/actions_ai_description.yaml @@ -47,7 +47,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -61,7 +61,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/community/data_dog/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/data_dog/resources/ai/actions_ai_description.yaml index 0769fb17e..905124703 100644 --- a/content/response_integrations/third_party/community/data_dog/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/data_dog/resources/ai/actions_ai_description.yaml @@ -56,7 +56,7 @@ Get Beautiful Metric: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -70,7 +70,7 @@ Get Beautiful Metric: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -128,7 +128,7 @@ Get Event Details: categories: enrichment: true entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -142,7 +142,7 @@ Get Event Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -239,7 +239,7 @@ Get Events: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -253,7 +253,7 @@ Get Events: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -334,7 +334,7 @@ Get Logs: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -348,7 +348,7 @@ Get Logs: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -411,7 +411,7 @@ Get Metric Snapshot Graph: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -425,7 +425,7 @@ Get Metric Snapshot Graph: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -509,7 +509,7 @@ Get Metric Timeseries Points: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -523,7 +523,7 @@ Get Metric Timeseries Points: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -615,7 +615,7 @@ Get Pod Metric: categories: enrichment: true entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -629,7 +629,7 @@ Get Pod Metric: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -726,7 +726,7 @@ Get RDS Metric: categories: enrichment: true entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -740,7 +740,7 @@ Get RDS Metric: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -796,7 +796,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -810,7 +810,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/community/docker_hub/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/docker_hub/resources/ai/actions_ai_description.yaml index d8b7c1497..3177f76eb 100644 --- a/content/response_integrations/third_party/community/docker_hub/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/docker_hub/resources/ai/actions_ai_description.yaml @@ -49,7 +49,7 @@ Invite User: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -63,7 +63,7 @@ Invite User: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -120,7 +120,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -134,7 +134,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/community/duo/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/duo/resources/ai/actions_ai_description.yaml index 2fadf47c0..e6e7d9728 100644 --- a/content/response_integrations/third_party/community/duo/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/duo/resources/ai/actions_ai_description.yaml @@ -65,7 +65,7 @@ Get Authentication Logs for User: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -79,7 +79,7 @@ Get Authentication Logs for User: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -159,7 +159,7 @@ Get Trust Monitor Events: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -173,7 +173,7 @@ Get Trust Monitor Events: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -232,7 +232,7 @@ Get Users by Name: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -246,7 +246,7 @@ Get Users by Name: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -303,7 +303,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -317,7 +317,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/community/eclectic_iq/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/eclectic_iq/resources/ai/actions_ai_description.yaml index a96af87a1..289c94c1d 100644 --- a/content/response_integrations/third_party/community/eclectic_iq/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/eclectic_iq/resources/ai/actions_ai_description.yaml @@ -49,41 +49,41 @@ Enrich Entities: enrichment: true entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -97,7 +97,7 @@ Enrich Entities: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -155,7 +155,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -169,7 +169,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -266,24 +266,24 @@ Send Entities to EclecticIQ: enrichment: false entity_usage: entity_types: - - ADDRESS - - CHILDHASH - - CHILDPROCESS - - CREDITCARD - - CVE - - CVEID - - DESTINATIONDOMAIN - - DOMAIN - - FILEHASH - - FILENAME - - HOSTNAME - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - PROCESS - - SOURCEDOMAIN - - THREATACTOR - - DestinationURL + - ADDRESS + - CHILDHASH + - CHILDPROCESS + - CREDITCARD + - CVE + - CVEID + - DESTINATIONDOMAIN + - DOMAIN + - FILEHASH + - FILENAME + - HOSTNAME + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - PROCESS + - SOURCEDOMAIN + - THREATACTOR + - DestinationURL filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -297,7 +297,7 @@ Send Entities to EclecticIQ: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: true add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/community/flashpoint/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/flashpoint/resources/ai/actions_ai_description.yaml index d3e4c6b01..0b9cc30d9 100644 --- a/content/response_integrations/third_party/community/flashpoint/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/flashpoint/resources/ai/actions_ai_description.yaml @@ -61,7 +61,7 @@ Custom Query: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -75,7 +75,7 @@ Custom Query: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -143,41 +143,41 @@ IOC_Enrichment: enrichment: true entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -191,7 +191,7 @@ IOC_Enrichment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -294,7 +294,7 @@ Indicators Custom Query: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -308,7 +308,7 @@ Indicators Custom Query: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -379,7 +379,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -393,7 +393,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -487,7 +487,7 @@ Run Query: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -501,7 +501,7 @@ Run Query: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/community/full_contact/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/full_contact/resources/ai/actions_ai_description.yaml index 824ebdeaf..6915d802b 100644 --- a/content/response_integrations/third_party/community/full_contact/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/full_contact/resources/ai/actions_ai_description.yaml @@ -69,7 +69,7 @@ Enrich Entities: enrichment: true entity_usage: entity_types: - - USERUNIQNAME + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -83,7 +83,7 @@ Enrich Entities: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -159,7 +159,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -173,7 +173,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/community/google_docs/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/google_docs/resources/ai/actions_ai_description.yaml index cbb0b92cc..d86e3e09c 100644 --- a/content/response_integrations/third_party/community/google_docs/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/google_docs/resources/ai/actions_ai_description.yaml @@ -65,7 +65,7 @@ Create Content: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -79,7 +79,7 @@ Create Content: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -169,7 +169,7 @@ Create Document: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -183,7 +183,7 @@ Create Document: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -265,7 +265,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -279,7 +279,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -372,7 +372,7 @@ Remove Content: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -386,7 +386,7 @@ Remove Content: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -480,7 +480,7 @@ Replace Content: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -494,7 +494,7 @@ Replace Content: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/community/google_drive/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/google_drive/resources/ai/actions_ai_description.yaml index 93b7b32b3..f8c7192fa 100644 --- a/content/response_integrations/third_party/community/google_drive/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/google_drive/resources/ai/actions_ai_description.yaml @@ -73,7 +73,7 @@ Add Permission: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -87,7 +87,7 @@ Add Permission: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -172,7 +172,7 @@ Delete File: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -186,7 +186,7 @@ Delete File: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -261,7 +261,7 @@ Download File To Base64: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -275,7 +275,7 @@ Download File To Base64: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -373,7 +373,7 @@ Download File To Path: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -387,7 +387,7 @@ Download File To Path: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -461,7 +461,7 @@ Get File Metadata: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -475,7 +475,7 @@ Get File Metadata: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -562,7 +562,7 @@ Permission List: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -576,7 +576,7 @@ Permission List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -652,7 +652,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -666,7 +666,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -756,7 +756,7 @@ Remove Permission: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -770,7 +770,7 @@ Remove Permission: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -861,7 +861,7 @@ Upload File From Base64: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -875,7 +875,7 @@ Upload File From Base64: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -949,7 +949,7 @@ Upload File From Path: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -963,7 +963,7 @@ Upload File From Path: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/community/google_safe_browsing/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/google_safe_browsing/resources/ai/actions_ai_description.yaml index 8b6a42bf6..c5bf868db 100644 --- a/content/response_integrations/third_party/community/google_safe_browsing/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/google_safe_browsing/resources/ai/actions_ai_description.yaml @@ -55,7 +55,7 @@ Lookup: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -69,7 +69,7 @@ Lookup: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -143,7 +143,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -157,7 +157,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/community/google_sheets/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/google_sheets/resources/ai/actions_ai_description.yaml index 664309f36..0cde8be52 100644 --- a/content/response_integrations/third_party/community/google_sheets/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/google_sheets/resources/ai/actions_ai_description.yaml @@ -63,7 +63,7 @@ Add Permission: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -77,7 +77,7 @@ Add Permission: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -178,7 +178,7 @@ Add Row: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -192,7 +192,7 @@ Add Row: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -299,7 +299,7 @@ Add or Update Rows: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -313,7 +313,7 @@ Add or Update Rows: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -406,7 +406,7 @@ Create Sheet: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -420,7 +420,7 @@ Create Sheet: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -514,7 +514,7 @@ Delete Rows: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -528,7 +528,7 @@ Delete Rows: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -614,7 +614,7 @@ Delete Sheet: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -628,7 +628,7 @@ Delete Sheet: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -722,7 +722,7 @@ Get All: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -736,7 +736,7 @@ Get All: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -822,7 +822,7 @@ Get Range: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -836,7 +836,7 @@ Get Range: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -927,7 +927,7 @@ Get Row: categories: enrichment: true entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -941,7 +941,7 @@ Get Row: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1029,7 +1029,7 @@ Import CSV: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1043,7 +1043,7 @@ Import CSV: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1127,7 +1127,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1141,7 +1141,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1234,7 +1234,7 @@ Search Row: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1248,7 +1248,7 @@ Search Row: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1345,7 +1345,7 @@ Search Rows: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1359,7 +1359,7 @@ Search Rows: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1451,7 +1451,7 @@ Update Cell: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1465,7 +1465,7 @@ Update Cell: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1560,7 +1560,7 @@ Update Row: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1574,7 +1574,7 @@ Update Row: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1673,7 +1673,7 @@ Update Rows: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1687,7 +1687,7 @@ Update Rows: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/community/goqr/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/goqr/resources/ai/actions_ai_description.yaml index 0bba17ebb..2ed595254 100644 --- a/content/response_integrations/third_party/community/goqr/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/goqr/resources/ai/actions_ai_description.yaml @@ -73,7 +73,7 @@ Generate QR Code: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -87,7 +87,7 @@ Generate QR Code: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -159,7 +159,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -173,7 +173,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -256,7 +256,7 @@ Scan QR Code: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -270,7 +270,7 @@ Scan QR Code: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/community/hibob/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/hibob/resources/ai/actions_ai_description.yaml index cc5b29919..4d1658634 100644 --- a/content/response_integrations/third_party/community/hibob/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/hibob/resources/ai/actions_ai_description.yaml @@ -52,7 +52,7 @@ Enrich Entities: enrichment: true entity_usage: entity_types: - - USERUNIQNAME + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -66,7 +66,7 @@ Enrich Entities: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -137,7 +137,7 @@ Get User Image: categories: enrichment: true entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -151,7 +151,7 @@ Get User Image: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -221,7 +221,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -235,7 +235,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -318,7 +318,7 @@ Revoke Access: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -332,7 +332,7 @@ Revoke Access: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -396,7 +396,7 @@ Search User: categories: enrichment: true entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -410,7 +410,7 @@ Search User: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -497,7 +497,7 @@ Send Invitation: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -511,7 +511,7 @@ Send Invitation: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -599,7 +599,7 @@ Upload User Image: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -613,7 +613,7 @@ Upload User Image: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/community/imgbb/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/imgbb/resources/ai/actions_ai_description.yaml index 863918d07..aacc3b78e 100644 --- a/content/response_integrations/third_party/community/imgbb/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/imgbb/resources/ai/actions_ai_description.yaml @@ -29,7 +29,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -43,7 +43,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -128,7 +128,7 @@ Upload Image From Base64: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -142,7 +142,7 @@ Upload Image From Base64: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -232,7 +232,7 @@ Upload Image From File Path: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -246,7 +246,7 @@ Upload Image From File Path: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/community/ipqs_fraud_and_risk_scoring/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/ipqs_fraud_and_risk_scoring/resources/ai/actions_ai_description.yaml index 9f28131e7..decb208b7 100644 --- a/content/response_integrations/third_party/community/ipqs_fraud_and_risk_scoring/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/ipqs_fraud_and_risk_scoring/resources/ai/actions_ai_description.yaml @@ -57,7 +57,7 @@ Enrich Domain: enrichment: true entity_usage: entity_types: - - HOSTNAME + - HOSTNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -71,7 +71,7 @@ Enrich Domain: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -143,7 +143,7 @@ Enrich Email: enrichment: true entity_usage: entity_types: - - USERUNIQNAME + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -157,7 +157,7 @@ Enrich Email: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -265,7 +265,7 @@ Enrich IP: enrichment: true entity_usage: entity_types: - - ADDRESS + - ADDRESS filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -279,7 +279,7 @@ Enrich IP: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -363,7 +363,7 @@ Enrich Phone: enrichment: true entity_usage: entity_types: - - PHONENUMBER + - PHONENUMBER filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -377,7 +377,7 @@ Enrich Phone: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -463,7 +463,7 @@ Enrich URL: enrichment: true entity_usage: entity_types: - - DestinationURL + - DestinationURL filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -477,7 +477,7 @@ Enrich URL: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -536,7 +536,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -550,7 +550,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/community/logzio/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/logzio/resources/ai/actions_ai_description.yaml index fa1eb44d4..af097a891 100644 --- a/content/response_integrations/third_party/community/logzio/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/logzio/resources/ai/actions_ai_description.yaml @@ -67,7 +67,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -81,7 +81,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -176,7 +176,7 @@ json-adapter: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -190,7 +190,7 @@ json-adapter: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -278,7 +278,7 @@ logzio-get-logs-by-event-id: categories: enrichment: true entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -292,7 +292,7 @@ logzio-get-logs-by-event-id: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -382,7 +382,7 @@ logzio-search-logs: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -396,7 +396,7 @@ logzio-search-logs: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/community/luminar_iocs_and_leaked_credentials/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/luminar_iocs_and_leaked_credentials/resources/ai/actions_ai_description.yaml index 6d8df1730..9fb8b22ed 100644 --- a/content/response_integrations/third_party/community/luminar_iocs_and_leaked_credentials/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/luminar_iocs_and_leaked_credentials/resources/ai/actions_ai_description.yaml @@ -33,7 +33,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -47,7 +47,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/community/marketo/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/marketo/resources/ai/actions_ai_description.yaml index dc413b00c..9e13c7f37 100644 --- a/content/response_integrations/third_party/community/marketo/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/marketo/resources/ai/actions_ai_description.yaml @@ -65,7 +65,7 @@ Create lead: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -79,7 +79,7 @@ Create lead: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -140,7 +140,7 @@ Get Lead By Email Param: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -154,7 +154,7 @@ Get Lead By Email Param: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -241,7 +241,7 @@ Get Lead By Entity Email: enrichment: true entity_usage: entity_types: - - USERUNIQNAME + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -255,7 +255,7 @@ Get Lead By Entity Email: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -337,7 +337,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -351,7 +351,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -436,7 +436,7 @@ Request Campaign: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -450,7 +450,7 @@ Request Campaign: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/community/microsoft_graph_security_tools/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/microsoft_graph_security_tools/resources/ai/actions_ai_description.yaml index 3c0342c7f..f5c24eea9 100644 --- a/content/response_integrations/third_party/community/microsoft_graph_security_tools/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/microsoft_graph_security_tools/resources/ai/actions_ai_description.yaml @@ -61,7 +61,7 @@ Delete Attachment: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -75,7 +75,7 @@ Delete Attachment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -161,7 +161,7 @@ Delete Message: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -175,7 +175,7 @@ Delete Message: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -259,7 +259,7 @@ Get Message: categories: enrichment: true entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -273,7 +273,7 @@ Get Message: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -371,41 +371,41 @@ Get User MFA: enrichment: true entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -419,7 +419,7 @@ Get User MFA: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -499,7 +499,7 @@ List Attachments: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -513,7 +513,7 @@ List Attachments: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -598,7 +598,7 @@ List Mail Rules: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -612,7 +612,7 @@ List Mail Rules: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -703,7 +703,7 @@ List Messages: categories: enrichment: true entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -717,7 +717,7 @@ List Messages: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -795,7 +795,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -809,7 +809,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/community/nucleon_cyber/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/nucleon_cyber/resources/ai/actions_ai_description.yaml index a184596d0..fb4bb5bf9 100644 --- a/content/response_integrations/third_party/community/nucleon_cyber/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/nucleon_cyber/resources/ai/actions_ai_description.yaml @@ -60,7 +60,7 @@ GetIPs: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -74,7 +74,7 @@ GetIPs: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -155,7 +155,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -169,7 +169,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/community/pager_duty/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/pager_duty/resources/ai/actions_ai_description.yaml index c895c43e4..a6c5b58d6 100644 --- a/content/response_integrations/third_party/community/pager_duty/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/pager_duty/resources/ai/actions_ai_description.yaml @@ -62,7 +62,7 @@ Create Incident: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -76,7 +76,7 @@ Create Incident: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -198,7 +198,7 @@ Filtered Incident List: categories: enrichment: true entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -212,7 +212,7 @@ Filtered Incident List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -296,7 +296,7 @@ Get Incident By ID: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -310,7 +310,7 @@ Get Incident By ID: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -387,7 +387,7 @@ Get User By Email: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -401,7 +401,7 @@ Get User By Email: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -457,7 +457,7 @@ Get User By ID: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -471,7 +471,7 @@ Get User By ID: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -548,7 +548,7 @@ List All OnCall: categories: enrichment: true entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -562,7 +562,7 @@ List All OnCall: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -634,7 +634,7 @@ List Incidents: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -648,7 +648,7 @@ List Incidents: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -720,7 +720,7 @@ List Users: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -734,7 +734,7 @@ List Users: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -811,7 +811,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -825,7 +825,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -909,7 +909,7 @@ Run Response Play: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -923,7 +923,7 @@ Run Response Play: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1005,7 +1005,7 @@ Snooze Incident: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1019,7 +1019,7 @@ Snooze Incident: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/community/perimeter_x/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/perimeter_x/resources/ai/actions_ai_description.yaml index ef2f38cf6..53a697701 100644 --- a/content/response_integrations/third_party/community/perimeter_x/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/perimeter_x/resources/ai/actions_ai_description.yaml @@ -49,7 +49,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -63,7 +63,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/community/philips_hue/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/philips_hue/resources/ai/actions_ai_description.yaml index 61e781247..9c92d02e2 100644 --- a/content/response_integrations/third_party/community/philips_hue/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/philips_hue/resources/ai/actions_ai_description.yaml @@ -53,7 +53,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -67,7 +67,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -153,7 +153,7 @@ Turn Off Light: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -167,7 +167,7 @@ Turn Off Light: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -260,7 +260,7 @@ Turn On Light and Color: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -274,7 +274,7 @@ Turn On Light and Color: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/community/phish_tank/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/phish_tank/resources/ai/actions_ai_description.yaml index 13cb6ae11..f9dbdc1f7 100644 --- a/content/response_integrations/third_party/community/phish_tank/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/phish_tank/resources/ai/actions_ai_description.yaml @@ -39,7 +39,7 @@ Check Url: enrichment: true entity_usage: entity_types: - - DestinationURL + - DestinationURL filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -53,7 +53,7 @@ Check Url: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -136,7 +136,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -150,7 +150,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/community/pulsedive/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/pulsedive/resources/ai/actions_ai_description.yaml index 0ba64b61d..c5e79a3c4 100644 --- a/content/response_integrations/third_party/community/pulsedive/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/pulsedive/resources/ai/actions_ai_description.yaml @@ -44,7 +44,7 @@ Enrich IP: enrichment: true entity_usage: entity_types: - - ADDRESS + - ADDRESS filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -58,7 +58,7 @@ Enrich IP: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: true add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -155,7 +155,7 @@ Enrich URL: enrichment: true entity_usage: entity_types: - - DestinationURL + - DestinationURL filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -169,7 +169,7 @@ Enrich URL: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -266,7 +266,7 @@ Get Threat Details: categories: enrichment: true entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -280,7 +280,7 @@ Get Threat Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -360,7 +360,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -374,7 +374,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -481,41 +481,41 @@ Scan Indicator: enrichment: false entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -529,7 +529,7 @@ Scan Indicator: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/community/sample_integration/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/sample_integration/resources/ai/actions_ai_description.yaml index d51c6b7d1..b2e9aa3f1 100644 --- a/content/response_integrations/third_party/community/sample_integration/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/sample_integration/resources/ai/actions_ai_description.yaml @@ -66,7 +66,7 @@ Async Action Example: categories: enrichment: true entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -80,7 +80,7 @@ Async Action Example: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -166,41 +166,41 @@ Enrich Entity Action Example: enrichment: true entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -214,7 +214,7 @@ Enrich Entity Action Example: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -286,7 +286,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -300,7 +300,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -370,7 +370,7 @@ Simple Action Example: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -384,7 +384,7 @@ Simple Action Example: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/community/send_grid/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/send_grid/resources/ai/actions_ai_description.yaml index e3e2adda7..552a2d2d2 100644 --- a/content/response_integrations/third_party/community/send_grid/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/send_grid/resources/ai/actions_ai_description.yaml @@ -31,7 +31,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -45,7 +45,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -136,7 +136,7 @@ Send Email: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -150,7 +150,7 @@ Send Email: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/community/signal_sciences/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/signal_sciences/resources/ai/actions_ai_description.yaml index 60e9dba1b..1fc84611c 100644 --- a/content/response_integrations/third_party/community/signal_sciences/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/signal_sciences/resources/ai/actions_ai_description.yaml @@ -64,7 +64,7 @@ Add IP to Allow List: enrichment: false entity_usage: entity_types: - - ADDRESS + - ADDRESS filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -78,7 +78,7 @@ Add IP to Allow List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: true add_ioc_to_blocklist: false @@ -178,7 +178,7 @@ Add IP to Block List: enrichment: false entity_usage: entity_types: - - ADDRESS + - ADDRESS filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -192,7 +192,7 @@ Add IP to Block List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: true @@ -276,7 +276,7 @@ List Sites: categories: enrichment: true entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -290,7 +290,7 @@ List Sites: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -366,7 +366,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -380,7 +380,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -478,7 +478,7 @@ Remove IP from Allow List: enrichment: false entity_usage: entity_types: - - ADDRESS + - ADDRESS filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -492,7 +492,7 @@ Remove IP from Allow List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -585,7 +585,7 @@ Remove IP from Block List: enrichment: false entity_usage: entity_types: - - ADDRESS + - ADDRESS filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -599,7 +599,7 @@ Remove IP from Block List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/community/spell_checker/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/spell_checker/resources/ai/actions_ai_description.yaml index acb457f39..41c9faaa9 100644 --- a/content/response_integrations/third_party/community/spell_checker/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/spell_checker/resources/ai/actions_ai_description.yaml @@ -43,7 +43,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -57,7 +57,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -119,7 +119,7 @@ Spelling Check: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -133,7 +133,7 @@ Spelling Check: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/community/superna_zero_trust/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/superna_zero_trust/resources/ai/actions_ai_description.yaml index a2fa03861..374218a77 100644 --- a/content/response_integrations/third_party/community/superna_zero_trust/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/superna_zero_trust/resources/ai/actions_ai_description.yaml @@ -64,7 +64,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -78,7 +78,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -170,7 +170,7 @@ Superna Snapshot Critical NAS Data: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -184,7 +184,7 @@ Superna Snapshot Critical NAS Data: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -255,7 +255,7 @@ Superna Zero Trust User Lockout: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -269,7 +269,7 @@ Superna Zero Trust User Lockout: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -345,7 +345,7 @@ Superna Zero Trust User Un Lock: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -359,7 +359,7 @@ Superna Zero Trust User Un Lock: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/community/team_cymru_scout/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/team_cymru_scout/resources/ai/actions_ai_description.yaml index c091c3d4d..4806db53f 100644 --- a/content/response_integrations/third_party/community/team_cymru_scout/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/team_cymru_scout/resources/ai/actions_ai_description.yaml @@ -60,7 +60,7 @@ Account Usage: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -74,7 +74,7 @@ Account Usage: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -172,7 +172,7 @@ Advanced Query: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -186,7 +186,7 @@ Advanced Query: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -279,7 +279,7 @@ Enrich IPs: enrichment: true entity_usage: entity_types: - - ADDRESS + - ADDRESS filters_by_additional_properties: true filters_by_alert_identifier: false filters_by_case_identifier: false @@ -293,7 +293,7 @@ Enrich IPs: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -358,7 +358,7 @@ Extract Tags: categories: enrichment: true entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -372,7 +372,7 @@ Extract Tags: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -445,7 +445,7 @@ Get Communications Info: categories: enrichment: true entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -459,7 +459,7 @@ Get Communications Info: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -566,7 +566,7 @@ Get Fingerprints Info: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -580,7 +580,7 @@ Get Fingerprints Info: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -684,7 +684,7 @@ Get IP Details: categories: enrichment: true entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -698,7 +698,7 @@ Get IP Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -802,7 +802,7 @@ Get PDNS Info: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -816,7 +816,7 @@ Get PDNS Info: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -887,7 +887,7 @@ Get Ports Info: categories: enrichment: true entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -901,7 +901,7 @@ Get Ports Info: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -997,7 +997,7 @@ Get Proto Info: categories: enrichment: true entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1011,7 +1011,7 @@ Get Proto Info: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1115,7 +1115,7 @@ Get Whois Info: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1129,7 +1129,7 @@ Get Whois Info: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1201,7 +1201,7 @@ Get X509 Info: categories: enrichment: true entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1215,7 +1215,7 @@ Get X509 Info: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1282,7 +1282,7 @@ List IP Summary: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1296,7 +1296,7 @@ List IP Summary: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1356,7 +1356,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1370,7 +1370,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/community/telegram/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/telegram/resources/ai/actions_ai_description.yaml index d7c9afe08..acc3f2465 100644 --- a/content/response_integrations/third_party/community/telegram/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/telegram/resources/ai/actions_ai_description.yaml @@ -47,7 +47,7 @@ Get Bot Details: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -61,7 +61,7 @@ Get Bot Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -146,7 +146,7 @@ Get Chat Details: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -160,7 +160,7 @@ Get Chat Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -248,7 +248,7 @@ Get Messages: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -262,7 +262,7 @@ Get Messages: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -340,7 +340,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -354,7 +354,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -441,7 +441,7 @@ Send Document: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -455,7 +455,7 @@ Send Document: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -543,7 +543,7 @@ Send Location: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -557,7 +557,7 @@ Send Location: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -641,7 +641,7 @@ Send Message: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -655,7 +655,7 @@ Send Message: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -741,7 +741,7 @@ Send Photo: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -755,7 +755,7 @@ Send Photo: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -847,7 +847,7 @@ Send Poll: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -861,7 +861,7 @@ Send Poll: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -927,7 +927,7 @@ Set Default Chat Permissions: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -941,7 +941,7 @@ Set Default Chat Permissions: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1015,7 +1015,7 @@ Set User Permissions: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1029,7 +1029,7 @@ Set User Permissions: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1137,7 +1137,7 @@ Wait for poll results: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1151,7 +1151,7 @@ Wait for poll results: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/community/vanilla_forums/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/vanilla_forums/resources/ai/actions_ai_description.yaml index c210e2865..1f86e9eac 100644 --- a/content/response_integrations/third_party/community/vanilla_forums/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/vanilla_forums/resources/ai/actions_ai_description.yaml @@ -70,7 +70,7 @@ Add User: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -84,7 +84,7 @@ Add User: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -164,7 +164,7 @@ Generate Password: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -178,7 +178,7 @@ Generate Password: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -238,7 +238,7 @@ Get User Details: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -252,7 +252,7 @@ Get User Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -343,7 +343,7 @@ Get a Leaderboard Analytics: categories: enrichment: true entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -357,7 +357,7 @@ Get a Leaderboard Analytics: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -414,7 +414,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -428,7 +428,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -520,7 +520,7 @@ Search User By Email and Name: categories: enrichment: true entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -534,7 +534,7 @@ Search User By Email and Name: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -610,7 +610,7 @@ Update Badge: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -624,7 +624,7 @@ Update Badge: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -708,7 +708,7 @@ Update Rank: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -722,7 +722,7 @@ Update Rank: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -804,7 +804,7 @@ Update User Role: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -818,7 +818,7 @@ Update User Role: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/community/vectra_qux/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/vectra_qux/resources/ai/actions_ai_description.yaml index 9a7c929d8..5b1a88840 100644 --- a/content/response_integrations/third_party/community/vectra_qux/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/vectra_qux/resources/ai/actions_ai_description.yaml @@ -60,7 +60,7 @@ Add Note: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -74,7 +74,7 @@ Add Note: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -152,7 +152,7 @@ Add Outcome: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -166,7 +166,7 @@ Add Outcome: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -258,7 +258,7 @@ Add Tags: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -272,7 +272,7 @@ Add Tags: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -360,7 +360,7 @@ Assign Entity: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -374,7 +374,7 @@ Assign Entity: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -465,7 +465,7 @@ Assign Group: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -479,7 +479,7 @@ Assign Group: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -562,7 +562,7 @@ Describe Assignment: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -576,7 +576,7 @@ Describe Assignment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -641,7 +641,7 @@ Describe Detection: categories: enrichment: true entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -655,7 +655,7 @@ Describe Detection: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -714,7 +714,7 @@ Describe Entity: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -728,7 +728,7 @@ Describe Entity: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -782,7 +782,7 @@ Download PCAP: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -796,7 +796,7 @@ Download PCAP: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -869,7 +869,7 @@ List Assignments: categories: enrichment: true entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -883,7 +883,7 @@ List Assignments: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -974,7 +974,7 @@ List Entity Detections: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -988,7 +988,7 @@ List Entity Detections: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1111,7 +1111,7 @@ List Groups: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1125,7 +1125,7 @@ List Groups: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1209,7 +1209,7 @@ List Outcomes: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1223,7 +1223,7 @@ List Outcomes: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1325,7 +1325,7 @@ List Users: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1339,7 +1339,7 @@ List Users: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1425,7 +1425,7 @@ Mark Detection Fixed: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1439,7 +1439,7 @@ Mark Detection Fixed: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1522,7 +1522,7 @@ Mark Entity Fixed: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1536,7 +1536,7 @@ Mark Entity Fixed: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1597,7 +1597,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1611,7 +1611,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1693,7 +1693,7 @@ Remove Assignment: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1707,7 +1707,7 @@ Remove Assignment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1790,7 +1790,7 @@ Remove Group: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1804,7 +1804,7 @@ Remove Group: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1898,7 +1898,7 @@ Remove Note: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1912,7 +1912,7 @@ Remove Note: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -2000,7 +2000,7 @@ Remove Tags: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2014,7 +2014,7 @@ Remove Tags: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -2117,7 +2117,7 @@ Resolve Assignment: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2131,7 +2131,7 @@ Resolve Assignment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -2259,7 +2259,7 @@ Search Accounts: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2273,7 +2273,7 @@ Search Accounts: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -2400,7 +2400,7 @@ Search Detections: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2414,7 +2414,7 @@ Search Detections: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -2551,7 +2551,7 @@ Search Hosts: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2565,7 +2565,7 @@ Search Hosts: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -2648,7 +2648,7 @@ Unmark Detection Fixed: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2662,7 +2662,7 @@ Unmark Detection Fixed: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -2758,7 +2758,7 @@ Update Assignment: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2772,7 +2772,7 @@ Update Assignment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/community/vectra_rux/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/vectra_rux/resources/ai/actions_ai_description.yaml index 7edf26f5b..2fbd0b7cd 100644 --- a/content/response_integrations/third_party/community/vectra_rux/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/vectra_rux/resources/ai/actions_ai_description.yaml @@ -70,7 +70,7 @@ Add Note: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -84,7 +84,7 @@ Add Note: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -179,7 +179,7 @@ Add Tags: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -193,7 +193,7 @@ Add Tags: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -260,7 +260,7 @@ Assign Entity: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -274,7 +274,7 @@ Assign Entity: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -334,7 +334,7 @@ Assign Group: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -348,7 +348,7 @@ Assign Group: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -429,7 +429,7 @@ Describe Assignment: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -443,7 +443,7 @@ Describe Assignment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -521,7 +521,7 @@ Describe Detection: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -535,7 +535,7 @@ Describe Detection: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -599,7 +599,7 @@ Describe Entity: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -613,7 +613,7 @@ Describe Entity: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -703,7 +703,7 @@ Download PCAP: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -717,7 +717,7 @@ Download PCAP: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -785,7 +785,7 @@ List Assignments: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -799,7 +799,7 @@ List Assignments: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -927,7 +927,7 @@ List Detections: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -941,7 +941,7 @@ List Detections: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1064,7 +1064,7 @@ List Entities: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1078,7 +1078,7 @@ List Entities: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1168,7 +1168,7 @@ List Entity Detections: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1182,7 +1182,7 @@ List Entity Detections: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1294,7 +1294,7 @@ List Groups: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1308,7 +1308,7 @@ List Groups: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1369,7 +1369,7 @@ List Outcomes: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1383,7 +1383,7 @@ List Outcomes: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1474,7 +1474,7 @@ List Users: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1488,7 +1488,7 @@ List Users: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1568,7 +1568,7 @@ Mark Detection Fixed: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1582,7 +1582,7 @@ Mark Detection Fixed: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1670,7 +1670,7 @@ Mark Entity Fixed: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1684,7 +1684,7 @@ Mark Entity Fixed: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1752,7 +1752,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1766,7 +1766,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1844,7 +1844,7 @@ Remove Assignment: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1858,7 +1858,7 @@ Remove Assignment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1938,7 +1938,7 @@ Remove Group: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1952,7 +1952,7 @@ Remove Group: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -2034,7 +2034,7 @@ Remove Note: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2048,7 +2048,7 @@ Remove Note: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -2141,7 +2141,7 @@ Remove Tags: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2155,7 +2155,7 @@ Remove Tags: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -2253,7 +2253,7 @@ Resolve Assignment: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2267,7 +2267,7 @@ Resolve Assignment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -2349,7 +2349,7 @@ Unmark Detection Fixed: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2363,7 +2363,7 @@ Unmark Detection Fixed: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -2456,7 +2456,7 @@ Update Assignment: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2470,7 +2470,7 @@ Update Assignment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/community/vorlon/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/vorlon/resources/ai/actions_ai_description.yaml index d546f55e0..da9a6eba0 100644 --- a/content/response_integrations/third_party/community/vorlon/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/vorlon/resources/ai/actions_ai_description.yaml @@ -72,7 +72,7 @@ Get Alerts: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -86,7 +86,7 @@ Get Alerts: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -159,7 +159,7 @@ Get All Services: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -173,7 +173,7 @@ Get All Services: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -269,7 +269,7 @@ Get Connection Summary: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -283,7 +283,7 @@ Get Connection Summary: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -368,7 +368,7 @@ Get Connections: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -382,7 +382,7 @@ Get Connections: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -477,7 +477,7 @@ Get Linked Alerts: categories: enrichment: true entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -491,7 +491,7 @@ Get Linked Alerts: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -578,7 +578,7 @@ Get Secrets: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -592,7 +592,7 @@ Get Secrets: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -652,7 +652,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -666,7 +666,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -752,7 +752,7 @@ Update Alert: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -766,7 +766,7 @@ Update Alert: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/community/webhook/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/webhook/resources/ai/actions_ai_description.yaml index 0f339bb1c..5840f2968 100644 --- a/content/response_integrations/third_party/community/webhook/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/webhook/resources/ai/actions_ai_description.yaml @@ -67,7 +67,7 @@ Create Token: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -81,7 +81,7 @@ Create Token: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -163,7 +163,7 @@ Delete Token: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -177,7 +177,7 @@ Delete Token: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -279,7 +279,7 @@ Get Webhook Response: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -293,7 +293,7 @@ Get Webhook Response: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -368,7 +368,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -382,7 +382,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/community/whois_xml_api/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/whois_xml_api/resources/ai/actions_ai_description.yaml index aa640efbb..200799713 100644 --- a/content/response_integrations/third_party/community/whois_xml_api/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/whois_xml_api/resources/ai/actions_ai_description.yaml @@ -65,8 +65,8 @@ Enrich Entities: enrichment: true entity_usage: entity_types: - - HOSTNAME - - DestinationURL + - HOSTNAME + - DestinationURL filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -80,7 +80,7 @@ Enrich Entities: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -167,7 +167,7 @@ Get Domain Details: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -181,7 +181,7 @@ Get Domain Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -250,7 +250,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -264,7 +264,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/community/workflow_tools/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/workflow_tools/resources/ai/actions_ai_description.yaml index 586ce1c3a..ffe616fa2 100644 --- a/content/response_integrations/third_party/community/workflow_tools/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/workflow_tools/resources/ai/actions_ai_description.yaml @@ -65,7 +65,7 @@ Approval Request: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -79,7 +79,7 @@ Approval Request: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -173,7 +173,7 @@ Approval Response: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -187,7 +187,7 @@ Approval Response: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: true add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -276,7 +276,7 @@ Assign Case to Current User: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -290,7 +290,7 @@ Assign Case to Current User: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -370,7 +370,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -384,7 +384,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/community/zoom/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/zoom/resources/ai/actions_ai_description.yaml index e18b709cc..0436c162f 100644 --- a/content/response_integrations/third_party/community/zoom/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/zoom/resources/ai/actions_ai_description.yaml @@ -67,7 +67,7 @@ Create Meeting: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -81,7 +81,7 @@ Create Meeting: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -142,7 +142,7 @@ Create User: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -156,7 +156,7 @@ Create User: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -219,7 +219,7 @@ Delete User: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -233,7 +233,7 @@ Delete User: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -322,7 +322,7 @@ Enrich Entities: enrichment: true entity_usage: entity_types: - - USERUNIQNAME + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -336,7 +336,7 @@ Enrich Entities: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -422,7 +422,7 @@ Get Meeting Recording: categories: enrichment: true entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -436,7 +436,7 @@ Get Meeting Recording: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -520,7 +520,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -534,7 +534,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/partner/anyrun_sandbox/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/anyrun_sandbox/resources/ai/actions_ai_description.yaml index 256936a74..f154d7e69 100644 --- a/content/response_integrations/third_party/partner/anyrun_sandbox/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/anyrun_sandbox/resources/ai/actions_ai_description.yaml @@ -98,7 +98,7 @@ File Android Analysis: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -112,7 +112,7 @@ File Android Analysis: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: true add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -261,7 +261,7 @@ File Linux Analysis: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -275,7 +275,7 @@ File Linux Analysis: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -361,7 +361,7 @@ File Windows Analysis: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -375,7 +375,7 @@ File Windows Analysis: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -458,7 +458,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -472,7 +472,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -549,7 +549,7 @@ URL Android Analysis: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -563,7 +563,7 @@ URL Android Analysis: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: true add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -702,7 +702,7 @@ URL Linux Analysis: enrichment: false entity_usage: entity_types: - - DestinationURL + - DestinationURL filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -716,7 +716,7 @@ URL Linux Analysis: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: true add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -851,7 +851,7 @@ URL Windows Analysis: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -865,7 +865,7 @@ URL Windows Analysis: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: true add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/partner/anyrun_ti_feeds/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/anyrun_ti_feeds/resources/ai/actions_ai_description.yaml index 10614c95c..fd2cfc019 100644 --- a/content/response_integrations/third_party/partner/anyrun_ti_feeds/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/anyrun_ti_feeds/resources/ai/actions_ai_description.yaml @@ -62,7 +62,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -76,7 +76,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/partner/anyrun_ti_lookup/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/anyrun_ti_lookup/resources/ai/actions_ai_description.yaml index 32b7333dd..a0db4d32e 100644 --- a/content/response_integrations/third_party/partner/anyrun_ti_lookup/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/anyrun_ti_lookup/resources/ai/actions_ai_description.yaml @@ -78,12 +78,12 @@ ANYRUN TI Lookup: enrichment: false entity_usage: entity_types: - - ADDRESS - - IPSET - - DestinationURL - - DOMAIN - - PROCESS - - FILEHASH + - ADDRESS + - IPSET + - DestinationURL + - DOMAIN + - PROCESS + - FILEHASH filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -97,7 +97,7 @@ ANYRUN TI Lookup: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: true add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -187,7 +187,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -201,7 +201,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/partner/censys/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/censys/resources/ai/actions_ai_description.yaml index a0b834c0e..1a2d86c32 100644 --- a/content/response_integrations/third_party/partner/censys/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/censys/resources/ai/actions_ai_description.yaml @@ -60,7 +60,7 @@ Enrich Certificates: enrichment: true entity_usage: entity_types: - - FILEHASH + - FILEHASH filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -74,7 +74,7 @@ Enrich Certificates: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -166,7 +166,7 @@ Enrich IPs: enrichment: true entity_usage: entity_types: - - ADDRESS + - ADDRESS filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -180,7 +180,7 @@ Enrich IPs: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -282,8 +282,8 @@ Enrich Web Properties: enrichment: true entity_usage: entity_types: - - ADDRESS - - DOMAIN + - ADDRESS + - DOMAIN filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -297,7 +297,7 @@ Enrich Web Properties: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -383,7 +383,7 @@ Get Host History: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -397,7 +397,7 @@ Get Host History: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -477,7 +477,7 @@ Get Rescan Status: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -491,7 +491,7 @@ Get Rescan Status: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -585,7 +585,7 @@ Initiate Rescan: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -599,7 +599,7 @@ Initiate Rescan: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -659,7 +659,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -673,7 +673,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/partner/clarotyxdome/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/clarotyxdome/resources/ai/actions_ai_description.yaml index 0669f080b..9aec71134 100644 --- a/content/response_integrations/third_party/partner/clarotyxdome/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/clarotyxdome/resources/ai/actions_ai_description.yaml @@ -64,41 +64,41 @@ AddVulnerabilities: enrichment: true entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -112,7 +112,7 @@ AddVulnerabilities: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -192,7 +192,7 @@ EnrichAlerts: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -206,7 +206,7 @@ EnrichAlerts: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -296,8 +296,8 @@ EnrichXDomeAssetInformation: enrichment: true entity_usage: entity_types: - - ADDRESS - - MacAddress + - ADDRESS + - MacAddress filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -311,7 +311,7 @@ EnrichXDomeAssetInformation: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -393,7 +393,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -407,7 +407,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/partner/cyjax_threat_intelligence/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/cyjax_threat_intelligence/resources/ai/actions_ai_description.yaml index 76bcfccd8..0759ab831 100644 --- a/content/response_integrations/third_party/partner/cyjax_threat_intelligence/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/cyjax_threat_intelligence/resources/ai/actions_ai_description.yaml @@ -72,7 +72,7 @@ Domain monitor: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -86,7 +86,7 @@ Domain monitor: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -174,41 +174,41 @@ Enrich IOCs: enrichment: true entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -222,7 +222,7 @@ Enrich IOCs: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -293,7 +293,7 @@ List Data Breaches: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -307,7 +307,7 @@ List Data Breaches: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -366,7 +366,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -380,7 +380,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/partner/cylusone/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/cylusone/resources/ai/actions_ai_description.yaml index e6ad5f847..a2319ae67 100644 --- a/content/response_integrations/third_party/partner/cylusone/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/cylusone/resources/ai/actions_ai_description.yaml @@ -59,7 +59,7 @@ EnrichAssetInformation: enrichment: true entity_usage: entity_types: - - ADDRESS + - ADDRESS filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -73,7 +73,7 @@ EnrichAssetInformation: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -133,7 +133,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -147,7 +147,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/partner/cyware_intel_exchange/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/cyware_intel_exchange/resources/ai/actions_ai_description.yaml index a3b88dbe6..9aa0e4d17 100644 --- a/content/response_integrations/third_party/partner/cyware_intel_exchange/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/cyware_intel_exchange/resources/ai/actions_ai_description.yaml @@ -70,41 +70,41 @@ Add IOCs to Allowed list: enrichment: false entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -118,7 +118,7 @@ Add IOCs to Allowed list: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: true add_ioc_to_blocklist: false @@ -213,41 +213,41 @@ Add Note to IOCs: enrichment: false entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -261,7 +261,7 @@ Add Note to IOCs: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -370,41 +370,41 @@ Create Intel in Cyware Intel Exchange: enrichment: false entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -418,7 +418,7 @@ Create Intel in Cyware Intel Exchange: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -527,41 +527,41 @@ Create Task for IOCs: enrichment: false entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -575,7 +575,7 @@ Create Task for IOCs: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -662,7 +662,7 @@ Get Allowed IOCs: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -676,7 +676,7 @@ Get Allowed IOCs: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -743,41 +743,41 @@ Get IOC Details: enrichment: true entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -791,7 +791,7 @@ Get IOC Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -891,41 +891,41 @@ Manage Tags in IOCs: enrichment: false entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -939,7 +939,7 @@ Manage Tags in IOCs: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1020,41 +1020,41 @@ Mark IOCs False Positive: enrichment: false entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1068,7 +1068,7 @@ Mark IOCs False Positive: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: true add_ioc_to_blocklist: false @@ -1131,7 +1131,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1145,7 +1145,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1229,41 +1229,41 @@ Remove IOCs from Allowed list: enrichment: false entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1277,7 +1277,7 @@ Remove IOCs from Allowed list: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/partner/darktrace/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/darktrace/resources/ai/actions_ai_description.yaml index e6bbd36b6..2f73c3e0d 100644 --- a/content/response_integrations/third_party/partner/darktrace/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/darktrace/resources/ai/actions_ai_description.yaml @@ -54,7 +54,7 @@ Add Comment To Model Breach: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -68,7 +68,7 @@ Add Comment To Model Breach: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: true add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -159,10 +159,10 @@ Enrich Entities: enrichment: true entity_usage: entity_types: - - ADDRESS - - HOSTNAME - - MacAddress - - DestinationURL + - ADDRESS + - HOSTNAME + - MacAddress + - DestinationURL filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -176,7 +176,7 @@ Enrich Entities: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -283,7 +283,7 @@ Execute Custom Search: categories: enrichment: true entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -297,7 +297,7 @@ Execute Custom Search: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -370,9 +370,9 @@ List Endpoint Events: enrichment: true entity_usage: entity_types: - - ADDRESS - - HOSTNAME - - MacAddress + - ADDRESS + - HOSTNAME + - MacAddress filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -386,7 +386,7 @@ List Endpoint Events: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -477,9 +477,9 @@ List Similar Devices: enrichment: false entity_usage: entity_types: - - ADDRESS - - HOSTNAME - - MacAddress + - ADDRESS + - HOSTNAME + - MacAddress filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -493,7 +493,7 @@ List Similar Devices: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -589,7 +589,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -603,7 +603,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -692,7 +692,7 @@ Update Model Breach Status: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -706,7 +706,7 @@ Update Model Breach Status: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/partner/domain_tools/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/domain_tools/resources/ai/actions_ai_description.yaml index d2d573f99..5d1f10f03 100644 --- a/content/response_integrations/third_party/partner/domain_tools/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/domain_tools/resources/ai/actions_ai_description.yaml @@ -59,9 +59,9 @@ Get Domain Rdap: enrichment: true entity_usage: entity_types: - - HOSTNAME - - DestinationURL - - DOMAIN + - HOSTNAME + - DestinationURL + - DOMAIN filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -75,7 +75,7 @@ Get Domain Rdap: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -166,9 +166,9 @@ Get WhoIs History: enrichment: true entity_usage: entity_types: - - DOMAIN - - HOSTNAME - - DestinationURL + - DOMAIN + - HOSTNAME + - DestinationURL filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -182,7 +182,7 @@ Get WhoIs History: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -273,9 +273,9 @@ Investigate Domain: enrichment: true entity_usage: entity_types: - - HOSTNAME - - DestinationURL - - DOMAIN + - HOSTNAME + - DestinationURL + - DOMAIN filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -289,7 +289,7 @@ Investigate Domain: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -367,7 +367,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -381,7 +381,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/partner/doppel_vision/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/doppel_vision/resources/ai/actions_ai_description.yaml index d9c95f821..12a037033 100644 --- a/content/response_integrations/third_party/partner/doppel_vision/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/doppel_vision/resources/ai/actions_ai_description.yaml @@ -52,7 +52,7 @@ Create Abuse Alert: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -66,7 +66,7 @@ Create Abuse Alert: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -127,7 +127,7 @@ Create Alert: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -141,7 +141,7 @@ Create Alert: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -230,7 +230,7 @@ Get Alert: categories: enrichment: true entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -244,7 +244,7 @@ Get Alert: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -349,7 +349,7 @@ Get Alerts: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -363,7 +363,7 @@ Get Alerts: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -419,7 +419,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -433,7 +433,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -497,7 +497,7 @@ Update Alert: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -511,7 +511,7 @@ Update Alert: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/partner/grey_noise/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/grey_noise/resources/ai/actions_ai_description.yaml index e7027770b..44c4cab56 100644 --- a/content/response_integrations/third_party/partner/grey_noise/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/grey_noise/resources/ai/actions_ai_description.yaml @@ -58,7 +58,7 @@ Execute GNQL Query: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -72,7 +72,7 @@ Execute GNQL Query: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -162,7 +162,7 @@ Get CVE Details: enrichment: true entity_usage: entity_types: - - CVE + - CVE filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -176,7 +176,7 @@ Get CVE Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -242,7 +242,7 @@ IP Lookup: enrichment: true entity_usage: entity_types: - - ADDRESS + - ADDRESS filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -256,7 +256,7 @@ IP Lookup: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -348,7 +348,7 @@ IP Timeline Lookup: enrichment: true entity_usage: entity_types: - - ADDRESS + - ADDRESS filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -362,7 +362,7 @@ IP Timeline Lookup: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -443,7 +443,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -457,7 +457,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -540,7 +540,7 @@ Quick IP Lookup: enrichment: true entity_usage: entity_types: - - ADDRESS + - ADDRESS filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -554,7 +554,7 @@ Quick IP Lookup: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/partner/group_ib_ti/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/group_ib_ti/resources/ai/actions_ai_description.yaml index e789beb47..6c8d0b8b5 100644 --- a/content/response_integrations/third_party/partner/group_ib_ti/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/group_ib_ti/resources/ai/actions_ai_description.yaml @@ -42,7 +42,7 @@ Get-Collection-Info-Async: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -56,7 +56,7 @@ Get-Collection-Info-Async: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -141,8 +141,8 @@ Get-Graph-Info: enrichment: true entity_usage: entity_types: - - ADDRESS - - DOMAIN + - ADDRESS + - DOMAIN filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -156,7 +156,7 @@ Get-Graph-Info: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -248,41 +248,41 @@ Get-TI-Search-Info: enrichment: true entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -296,7 +296,7 @@ Get-TI-Search-Info: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -366,41 +366,41 @@ Get-TI-Search-Info-By-Collection: enrichment: true entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -414,7 +414,7 @@ Get-TI-Search-Info-By-Collection: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -498,7 +498,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -512,7 +512,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/partner/houdin_io/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/houdin_io/resources/ai/actions_ai_description.yaml index d4080b50c..227b16465 100644 --- a/content/response_integrations/third_party/partner/houdin_io/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/houdin_io/resources/ai/actions_ai_description.yaml @@ -68,10 +68,10 @@ Enrich Entities: enrichment: false entity_usage: entity_types: - - ADDRESS - - DOMAIN - - FILEHASH - - DestinationURL + - ADDRESS + - DOMAIN + - FILEHASH + - DestinationURL filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -85,7 +85,7 @@ Enrich Entities: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -166,7 +166,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -180,7 +180,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -271,7 +271,7 @@ Scan Artifact: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -285,7 +285,7 @@ Scan Artifact: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/partner/infoblox_nios/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/infoblox_nios/resources/ai/actions_ai_description.yaml index 1b4167a36..3f9f44af4 100644 --- a/content/response_integrations/third_party/partner/infoblox_nios/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/infoblox_nios/resources/ai/actions_ai_description.yaml @@ -77,7 +77,7 @@ Create Host Record: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -91,7 +91,7 @@ Create Host Record: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -188,7 +188,7 @@ Create RPZ A Rule: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -202,7 +202,7 @@ Create RPZ A Rule: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: true @@ -295,7 +295,7 @@ Create RPZ AAAA Rule: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -309,7 +309,7 @@ Create RPZ AAAA Rule: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: true @@ -420,7 +420,7 @@ Create RPZ CNAME Rule: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -434,7 +434,7 @@ Create RPZ CNAME Rule: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: true add_ioc_to_blocklist: true @@ -524,7 +524,7 @@ Create RPZ MX Rule: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -538,7 +538,7 @@ Create RPZ MX Rule: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -641,7 +641,7 @@ Create RPZ NAPTR Rule: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -655,7 +655,7 @@ Create RPZ NAPTR Rule: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -748,7 +748,7 @@ Create RPZ PTR Rule: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -762,7 +762,7 @@ Create RPZ PTR Rule: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -861,7 +861,7 @@ Create RPZ SRV Rule: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -875,7 +875,7 @@ Create RPZ SRV Rule: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -973,7 +973,7 @@ Create RPZ TXT Rule: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -987,7 +987,7 @@ Create RPZ TXT Rule: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1090,7 +1090,7 @@ Create Response Policy Zone: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1104,7 +1104,7 @@ Create Response Policy Zone: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1210,7 +1210,7 @@ DHCP Lease Lookup: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1224,7 +1224,7 @@ DHCP Lease Lookup: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1301,7 +1301,7 @@ Delete RPZ Rule: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1315,7 +1315,7 @@ Delete RPZ Rule: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1397,7 +1397,7 @@ Delete Response Policy Zone: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1411,7 +1411,7 @@ Delete Response Policy Zone: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1513,7 +1513,7 @@ Get Response Policy Zone Details: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1527,7 +1527,7 @@ Get Response Policy Zone Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1635,7 +1635,7 @@ IP Lookup: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1649,7 +1649,7 @@ IP Lookup: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1745,7 +1745,7 @@ List Host Info: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1759,7 +1759,7 @@ List Host Info: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1843,7 +1843,7 @@ List Network Info: categories: enrichment: true entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1857,7 +1857,7 @@ List Network Info: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1916,7 +1916,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1930,7 +1930,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -2022,7 +2022,7 @@ Search RPZ Rule: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2036,7 +2036,7 @@ Search RPZ Rule: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -2136,7 +2136,7 @@ Update RPZ CNAME Rule: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2150,7 +2150,7 @@ Update RPZ CNAME Rule: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/partner/infoblox_threat_defense_with_ddi/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/infoblox_threat_defense_with_ddi/resources/ai/actions_ai_description.yaml index 5e4e7a39a..20cd67225 100644 --- a/content/response_integrations/third_party/partner/infoblox_threat_defense_with_ddi/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/infoblox_threat_defense_with_ddi/resources/ai/actions_ai_description.yaml @@ -69,7 +69,7 @@ Create Custom List: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -83,7 +83,7 @@ Create Custom List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -169,7 +169,7 @@ Create Network List: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -183,7 +183,7 @@ Create Network List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -298,7 +298,7 @@ Create Security Policy: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -312,7 +312,7 @@ Create Security Policy: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -406,7 +406,7 @@ DHCP Lease Lookup: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -420,7 +420,7 @@ DHCP Lease Lookup: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -481,7 +481,7 @@ DNS Record Lookup: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -495,7 +495,7 @@ DNS Record Lookup: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -603,7 +603,7 @@ Get Custom List: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -617,7 +617,7 @@ Get Custom List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -671,7 +671,7 @@ Get Indicator Intel Lookup Result: categories: enrichment: true entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -685,7 +685,7 @@ Get Indicator Intel Lookup Result: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -781,7 +781,7 @@ Get Network List: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -795,7 +795,7 @@ Get Network List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -902,7 +902,7 @@ Get SOC Insights Assets: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -916,7 +916,7 @@ Get SOC Insights Assets: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -981,7 +981,7 @@ Get SOC Insights Comments: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -995,7 +995,7 @@ Get SOC Insights Comments: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1111,7 +1111,7 @@ Get SOC Insights Events: categories: enrichment: true entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1125,7 +1125,7 @@ Get SOC Insights Events: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1233,7 +1233,7 @@ Get SOC Insights Indicators: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1247,7 +1247,7 @@ Get SOC Insights Indicators: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1340,7 +1340,7 @@ Get Security Policies: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1354,7 +1354,7 @@ Get Security Policies: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1445,7 +1445,7 @@ Host Lookup: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1459,7 +1459,7 @@ Host Lookup: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1528,7 +1528,7 @@ IP Lookup: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1542,7 +1542,7 @@ IP Lookup: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1652,7 +1652,7 @@ Indicator Threat Lookup With TIDE: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1666,7 +1666,7 @@ Indicator Threat Lookup With TIDE: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1766,7 +1766,7 @@ Indicator Threat Lookup With TIDE: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1780,7 +1780,7 @@ Indicator Threat Lookup With TIDE: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1853,7 +1853,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1867,7 +1867,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1939,7 +1939,7 @@ Remove Custom List: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1953,7 +1953,7 @@ Remove Custom List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -2035,7 +2035,7 @@ Remove Network List: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2049,7 +2049,7 @@ Remove Network List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -2130,7 +2130,7 @@ Remove Security Policy: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2144,7 +2144,7 @@ Remove Security Policy: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -2249,7 +2249,7 @@ Update Custom List: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2263,7 +2263,7 @@ Update Custom List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -2328,7 +2328,7 @@ Update Custom List Items: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2342,7 +2342,7 @@ Update Custom List Items: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: true add_ioc_to_blocklist: true @@ -2403,7 +2403,7 @@ Update Network List: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2417,7 +2417,7 @@ Update Network List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -2493,7 +2493,7 @@ Update Security Policy: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2507,7 +2507,7 @@ Update Security Policy: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/partner/ip_info/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/ip_info/resources/ai/actions_ai_description.yaml index e99dad504..88c5ffcfe 100644 --- a/content/response_integrations/third_party/partner/ip_info/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/ip_info/resources/ai/actions_ai_description.yaml @@ -55,7 +55,7 @@ Get Domain Information: enrichment: true entity_usage: entity_types: - - HOSTNAME + - HOSTNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -69,7 +69,7 @@ Get Domain Information: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -128,7 +128,7 @@ Get IP Information: enrichment: true entity_usage: entity_types: - - ADDRESS + - ADDRESS filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -142,7 +142,7 @@ Get IP Information: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -216,7 +216,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -230,7 +230,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/partner/jamf/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/jamf/resources/ai/actions_ai_description.yaml index a60aa03fa..db727c08f 100644 --- a/content/response_integrations/third_party/partner/jamf/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/jamf/resources/ai/actions_ai_description.yaml @@ -77,7 +77,7 @@ Assign to Group: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -91,7 +91,7 @@ Assign to Group: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -196,7 +196,7 @@ Get Computer Inventory: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -210,7 +210,7 @@ Get Computer Inventory: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -293,7 +293,7 @@ Get Device Group Membership: categories: enrichment: true entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -307,7 +307,7 @@ Get Device Group Membership: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -363,7 +363,7 @@ Get Device Information: categories: enrichment: true entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -377,7 +377,7 @@ Get Device Information: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -473,7 +473,7 @@ Get Mobile Device Inventory: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -487,7 +487,7 @@ Get Mobile Device Inventory: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -544,7 +544,7 @@ List Computer Groups: categories: enrichment: true entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -558,7 +558,7 @@ List Computer Groups: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -628,7 +628,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -642,7 +642,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -734,7 +734,7 @@ Remote Lock Managed Device: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -748,7 +748,7 @@ Remote Lock Managed Device: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -833,7 +833,7 @@ Remote Lock Mobile Device: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -847,7 +847,7 @@ Remote Lock Mobile Device: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -932,7 +932,7 @@ Update Extension Attribute: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -946,7 +946,7 @@ Update Extension Attribute: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1046,7 +1046,7 @@ Update Protect Prevent List: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1060,7 +1060,7 @@ Update Protect Prevent List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: true @@ -1127,7 +1127,7 @@ Wipe Managed Device: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1141,7 +1141,7 @@ Wipe Managed Device: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1246,7 +1246,7 @@ Wipe Mobile Device: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1260,7 +1260,7 @@ Wipe Mobile Device: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/partner/netappransomwareresilience/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/netappransomwareresilience/resources/ai/actions_ai_description.yaml index 9c2d29765..f9b6d4b46 100644 --- a/content/response_integrations/third_party/partner/netappransomwareresilience/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/netappransomwareresilience/resources/ai/actions_ai_description.yaml @@ -55,7 +55,7 @@ Check Job Status: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -69,7 +69,7 @@ Check Job Status: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -143,7 +143,7 @@ Enrich IP Address: categories: enrichment: true entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -157,7 +157,7 @@ Enrich IP Address: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -242,7 +242,7 @@ Enrich Storage: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -256,7 +256,7 @@ Enrich Storage: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -332,7 +332,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -346,7 +346,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -433,7 +433,7 @@ Take Snapshot: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -447,7 +447,7 @@ Take Snapshot: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -538,7 +538,7 @@ Volume Offline: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -552,7 +552,7 @@ Volume Offline: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/partner/netenrich_connect/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/netenrich_connect/resources/ai/actions_ai_description.yaml index 103493d90..35c5a9d98 100644 --- a/content/response_integrations/third_party/partner/netenrich_connect/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/netenrich_connect/resources/ai/actions_ai_description.yaml @@ -66,7 +66,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -80,7 +80,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/partner/orca_security/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/orca_security/resources/ai/actions_ai_description.yaml index 2d1652156..b70765f25 100644 --- a/content/response_integrations/third_party/partner/orca_security/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/orca_security/resources/ai/actions_ai_description.yaml @@ -53,7 +53,7 @@ Add Comment To Alert: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -67,7 +67,7 @@ Add Comment To Alert: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: true add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -160,7 +160,7 @@ Get Asset Details: categories: enrichment: true entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -174,7 +174,7 @@ Get Asset Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -269,7 +269,7 @@ Get Compliance Info: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -283,7 +283,7 @@ Get Compliance Info: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -355,7 +355,7 @@ Get Vulnerability Details: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -369,7 +369,7 @@ Get Vulnerability Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -435,7 +435,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -449,7 +449,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -539,7 +539,7 @@ Scan Assets: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -553,7 +553,7 @@ Scan Assets: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -652,7 +652,7 @@ Update Alert: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -666,7 +666,7 @@ Update Alert: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/partner/recorded_future_intelligence/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/recorded_future_intelligence/resources/ai/actions_ai_description.yaml index 68fb15930..5fca892a5 100644 --- a/content/response_integrations/third_party/partner/recorded_future_intelligence/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/recorded_future_intelligence/resources/ai/actions_ai_description.yaml @@ -67,11 +67,11 @@ Add Analyst Note: enrichment: false entity_usage: entity_types: - - ADDRESS - - CVE - - DestinationURL - - FILEHASH - - HOSTNAME + - ADDRESS + - CVE + - DestinationURL + - FILEHASH + - HOSTNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -85,7 +85,7 @@ Add Analyst Note: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -186,7 +186,7 @@ Detonate File: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -200,7 +200,7 @@ Detonate File: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -288,7 +288,7 @@ Detonate URL: enrichment: false entity_usage: entity_types: - - DestinationURL + - DestinationURL filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -302,7 +302,7 @@ Detonate URL: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -396,7 +396,7 @@ Enrich CVE: enrichment: false entity_usage: entity_types: - - CVE + - CVE filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -410,7 +410,7 @@ Enrich CVE: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -514,7 +514,7 @@ Enrich Hash: enrichment: false entity_usage: entity_types: - - FILEHASH + - FILEHASH filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -528,7 +528,7 @@ Enrich Hash: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -628,8 +628,8 @@ Enrich Host: enrichment: false entity_usage: entity_types: - - HOSTNAME - - DOMAIN + - HOSTNAME + - DOMAIN filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -643,7 +643,7 @@ Enrich Host: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -747,12 +747,12 @@ Enrich IOC: enrichment: false entity_usage: entity_types: - - ADDRESS - - CVE - - DOMAIN - - FILEHASH - - HOSTNAME - - DestinationURL + - ADDRESS + - CVE + - DOMAIN + - FILEHASH + - HOSTNAME + - DestinationURL filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -766,7 +766,7 @@ Enrich IOC: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -856,12 +856,12 @@ Enrich IOCs Bulk: enrichment: false entity_usage: entity_types: - - HOSTNAME - - CVE - - FILEHASH - - ADDRESS - - DestinationURL - - DOMAIN + - HOSTNAME + - CVE + - FILEHASH + - ADDRESS + - DestinationURL + - DOMAIN filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -875,7 +875,7 @@ Enrich IOCs Bulk: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -983,7 +983,7 @@ Enrich IP: enrichment: false entity_usage: entity_types: - - ADDRESS + - ADDRESS filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -997,7 +997,7 @@ Enrich IP: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1067,7 +1067,7 @@ Enrich URL: enrichment: false entity_usage: entity_types: - - DestinationURL + - DestinationURL filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1081,7 +1081,7 @@ Enrich URL: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1165,7 +1165,7 @@ Get Alert Details: categories: enrichment: true entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1179,7 +1179,7 @@ Get Alert Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1269,7 +1269,7 @@ Get Playbook Alert Details: categories: enrichment: true entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1283,7 +1283,7 @@ Get Playbook Alert Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1367,7 +1367,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1381,7 +1381,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1468,7 +1468,7 @@ Refresh Playbook Alert: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1482,7 +1482,7 @@ Refresh Playbook Alert: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1587,7 +1587,7 @@ Search Hash Malware Intelligence: enrichment: true entity_usage: entity_types: - - FILEHASH + - FILEHASH filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1601,7 +1601,7 @@ Search Hash Malware Intelligence: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1690,7 +1690,7 @@ Update Alert: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1704,7 +1704,7 @@ Update Alert: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1804,7 +1804,7 @@ Update Playbook Alert: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1818,7 +1818,7 @@ Update Playbook Alert: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/partner/rubrik_security_cloud/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/rubrik_security_cloud/resources/ai/actions_ai_description.yaml index 7fd0bcbdd..17b09e2ad 100644 --- a/content/response_integrations/third_party/partner/rubrik_security_cloud/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/rubrik_security_cloud/resources/ai/actions_ai_description.yaml @@ -95,7 +95,7 @@ Advanced IOC Scan: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -109,7 +109,7 @@ Advanced IOC Scan: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -181,7 +181,7 @@ Get CDM Cluster Connection State: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -195,7 +195,7 @@ Get CDM Cluster Connection State: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -278,7 +278,7 @@ Get CDM Cluster Location: categories: enrichment: true entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -292,7 +292,7 @@ Get CDM Cluster Location: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -381,7 +381,7 @@ Get Sonar Sensitive Hits: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -395,7 +395,7 @@ Get Sonar Sensitive Hits: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -485,7 +485,7 @@ IOC Scan Results: categories: enrichment: true entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -499,7 +499,7 @@ IOC Scan Results: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -613,7 +613,7 @@ List Events: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -627,7 +627,7 @@ List Events: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -734,7 +734,7 @@ List Object Snapshots: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -748,7 +748,7 @@ List Object Snapshots: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -857,7 +857,7 @@ List Sonar File Contexts: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -871,7 +871,7 @@ List Sonar File Contexts: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -931,7 +931,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -945,7 +945,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1047,7 +1047,7 @@ Turbo IOC Scan: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1061,7 +1061,7 @@ Turbo IOC Scan: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/partner/silentpush/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/silentpush/resources/ai/actions_ai_description.yaml index f1fbb6bf1..6d95d4cf3 100644 --- a/content/response_integrations/third_party/partner/silentpush/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/silentpush/resources/ai/actions_ai_description.yaml @@ -73,7 +73,7 @@ Add Feed: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -87,7 +87,7 @@ Add Feed: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -179,7 +179,7 @@ Add Feed Tags: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -193,7 +193,7 @@ Add Feed Tags: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -289,7 +289,7 @@ Add Indicators: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -303,7 +303,7 @@ Add Indicators: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -383,7 +383,7 @@ Add Indicators Tags: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -397,7 +397,7 @@ Add Indicators Tags: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -481,7 +481,7 @@ Density Lookup: categories: enrichment: true entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -495,7 +495,7 @@ Density Lookup: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -633,7 +633,7 @@ Forward Padns Lookup: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -647,7 +647,7 @@ Forward Padns Lookup: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -733,7 +733,7 @@ Get ASN Reputation: categories: enrichment: true entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -747,7 +747,7 @@ Get ASN Reputation: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -812,7 +812,7 @@ Get ASN Takedown Reputation: categories: enrichment: true entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -826,7 +826,7 @@ Get ASN Takedown Reputation: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -910,7 +910,7 @@ Get ASNs for Domain: categories: enrichment: true entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -924,7 +924,7 @@ Get ASNs for Domain: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1009,41 +1009,41 @@ Get Data Exports: enrichment: false entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1057,7 +1057,7 @@ Get Data Exports: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1130,7 +1130,7 @@ Get Domain Certificates: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1144,7 +1144,7 @@ Get Domain Certificates: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1212,7 +1212,7 @@ Get Enrichment Data: categories: enrichment: true entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1226,7 +1226,7 @@ Get Enrichment Data: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1317,7 +1317,7 @@ Get Future Attack Indicatiors: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1331,7 +1331,7 @@ Get Future Attack Indicatiors: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1412,7 +1412,7 @@ Get IPV4 Reputation: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1426,7 +1426,7 @@ Get IPV4 Reputation: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1485,7 +1485,7 @@ Get Nameserver Reputation: categories: enrichment: true entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1499,7 +1499,7 @@ Get Nameserver Reputation: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1587,7 +1587,7 @@ Get Subnet Reputation: categories: enrichment: true entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1601,7 +1601,7 @@ Get Subnet Reputation: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1694,7 +1694,7 @@ Get job status: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1708,7 +1708,7 @@ Get job status: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1796,7 +1796,7 @@ List Domain Information: categories: enrichment: true entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1810,7 +1810,7 @@ List Domain Information: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1907,7 +1907,7 @@ List Domain Infratags: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1921,7 +1921,7 @@ List Domain Infratags: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1980,7 +1980,7 @@ List IP Information: categories: enrichment: true entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1994,7 +1994,7 @@ List IP Information: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -2093,7 +2093,7 @@ Live URL Scan: categories: enrichment: true entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2107,7 +2107,7 @@ Live URL Scan: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -2182,7 +2182,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2196,7 +2196,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -2332,7 +2332,7 @@ Reverse Padns Lookup: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2346,7 +2346,7 @@ Reverse Padns Lookup: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -2431,7 +2431,7 @@ Run Threat check: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2445,7 +2445,7 @@ Run Threat check: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -2502,7 +2502,7 @@ Screenshot URL: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2516,7 +2516,7 @@ Screenshot URL: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -2610,7 +2610,7 @@ Search Scan Data: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2624,7 +2624,7 @@ Search Scan Data: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -2745,7 +2745,7 @@ search domains: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2759,7 +2759,7 @@ search domains: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/partner/silverfort/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/silverfort/resources/ai/actions_ai_description.yaml index 879439ca0..883284aab 100644 --- a/content/response_integrations/third_party/partner/silverfort/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/silverfort/resources/ai/actions_ai_description.yaml @@ -51,7 +51,7 @@ Change Policy State: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -65,7 +65,7 @@ Change Policy State: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -152,7 +152,7 @@ Get Entity Risk: categories: enrichment: true entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -166,7 +166,7 @@ Get Entity Risk: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -247,7 +247,7 @@ Get Policy: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -261,7 +261,7 @@ Get Policy: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -344,7 +344,7 @@ Get Service Account: categories: enrichment: true entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -358,7 +358,7 @@ Get Service Account: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -441,7 +441,7 @@ List Policies: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -455,7 +455,7 @@ List Policies: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -551,7 +551,7 @@ List Service Accounts: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -565,7 +565,7 @@ List Service Accounts: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -630,7 +630,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -644,7 +644,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -738,7 +738,7 @@ Update Entity Risk: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -752,7 +752,7 @@ Update Entity Risk: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -865,7 +865,7 @@ Update Policy: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -879,7 +879,7 @@ Update Policy: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -1000,7 +1000,7 @@ Update SA Policy: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1014,7 +1014,7 @@ Update SA Policy: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: true add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/partner/spycloud/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/spycloud/resources/ai/actions_ai_description.yaml index 45b4c1477..e13a014b6 100644 --- a/content/response_integrations/third_party/partner/spycloud/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/spycloud/resources/ai/actions_ai_description.yaml @@ -76,7 +76,7 @@ List Catalogs: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -90,7 +90,7 @@ List Catalogs: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -191,9 +191,9 @@ List Entity Breaches: enrichment: true entity_usage: entity_types: - - ADDRESS - - USERUNIQNAME - - DestinationURL + - ADDRESS + - USERUNIQNAME + - DestinationURL filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -207,7 +207,7 @@ List Entity Breaches: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -293,7 +293,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -307,7 +307,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/partner/stairwell/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/stairwell/resources/ai/actions_ai_description.yaml index cc3374e93..2a912bc31 100644 --- a/content/response_integrations/third_party/partner/stairwell/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/stairwell/resources/ai/actions_ai_description.yaml @@ -47,7 +47,7 @@ Enrich Hash: enrichment: true entity_usage: entity_types: - - FILEHASH + - FILEHASH filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -61,7 +61,7 @@ Enrich Hash: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -161,7 +161,7 @@ Enrich Hostname: enrichment: true entity_usage: entity_types: - - HOSTNAME + - HOSTNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -175,7 +175,7 @@ Enrich Hostname: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -246,7 +246,7 @@ Enrich IP: enrichment: true entity_usage: entity_types: - - ADDRESS + - ADDRESS filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -260,7 +260,7 @@ Enrich IP: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -351,7 +351,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -365,7 +365,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/partner/thinkst_canary/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/thinkst_canary/resources/ai/actions_ai_description.yaml index 75eadfa9b..b02791920 100644 --- a/content/response_integrations/third_party/partner/thinkst_canary/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/thinkst_canary/resources/ai/actions_ai_description.yaml @@ -61,7 +61,7 @@ Acknowledge Console Alert: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -75,7 +75,7 @@ Acknowledge Console Alert: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -158,7 +158,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -172,7 +172,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/partner/torq/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/torq/resources/ai/actions_ai_description.yaml index 14bd75598..281833fb8 100644 --- a/content/response_integrations/third_party/partner/torq/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/torq/resources/ai/actions_ai_description.yaml @@ -72,7 +72,7 @@ Create a Case: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -86,7 +86,7 @@ Create a Case: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -184,7 +184,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -198,7 +198,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -293,7 +293,7 @@ Run a Workflow: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -307,7 +307,7 @@ Run a Workflow: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/partner/wiz/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/wiz/resources/ai/actions_ai_description.yaml index 944d59828..37fc52c17 100644 --- a/content/response_integrations/third_party/partner/wiz/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/wiz/resources/ai/actions_ai_description.yaml @@ -55,7 +55,7 @@ Add Comment To Issue: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -69,7 +69,7 @@ Add Comment To Issue: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -152,7 +152,7 @@ Get Issue Details: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -166,7 +166,7 @@ Get Issue Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -265,7 +265,7 @@ Ignore Issue: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -279,7 +279,7 @@ Ignore Issue: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -354,7 +354,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -368,7 +368,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -445,7 +445,7 @@ Reopen Issue: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -459,7 +459,7 @@ Reopen Issue: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -547,7 +547,7 @@ Resolve Issue: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -561,7 +561,7 @@ Resolve Issue: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false diff --git a/content/response_integrations/third_party/partner/xm_cyber/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/xm_cyber/resources/ai/actions_ai_description.yaml index b91d6f604..4b8fc4c38 100644 --- a/content/response_integrations/third_party/partner/xm_cyber/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/xm_cyber/resources/ai/actions_ai_description.yaml @@ -83,8 +83,8 @@ Calculate Risk Score: enrichment: false entity_usage: entity_types: - - HOSTNAME - - USERUNIQNAME + - HOSTNAME + - USERUNIQNAME filters_by_additional_properties: true filters_by_alert_identifier: false filters_by_case_identifier: false @@ -98,7 +98,7 @@ Calculate Risk Score: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -183,8 +183,8 @@ Enrich Entities: enrichment: true entity_usage: entity_types: - - HOSTNAME - - USERUNIQNAME + - HOSTNAME + - USERUNIQNAME filters_by_additional_properties: true filters_by_alert_identifier: false filters_by_case_identifier: false @@ -198,7 +198,7 @@ Enrich Entities: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -284,8 +284,8 @@ Get Event Data JSON: enrichment: false entity_usage: entity_types: - - HOSTNAME - - USERUNIQNAME + - HOSTNAME + - USERUNIQNAME filters_by_additional_properties: true filters_by_alert_identifier: false filters_by_case_identifier: false @@ -299,7 +299,7 @@ Get Event Data JSON: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -356,7 +356,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -370,7 +370,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false @@ -481,8 +481,8 @@ Push Breach Point Data: enrichment: false entity_usage: entity_types: - - USERUNIQNAME - - HOSTNAME + - USERUNIQNAME + - HOSTNAME filters_by_additional_properties: true filters_by_alert_identifier: false filters_by_case_identifier: false @@ -496,7 +496,7 @@ Push Breach Point Data: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false From 4a3025e58692c5cb3b942b8ff2dd84d3b8322fda Mon Sep 17 00:00:00 2001 From: talshapir Date: Mon, 6 Apr 2026 16:35:09 +0300 Subject: [PATCH 17/26] Fix tests and improve code --- .../integrations/action/ai/metadata.py | 2 +- .../integrations/action/metadata.py | 20 +++++------ .../data_models/integrations/integration.py | 34 +++++++++---------- .../resources/ai/actions_ai_description.yaml | 4 +-- .../ai/connectors_ai_description.yaml | 8 ----- .../resources/ai/jobs_ai_description.yaml | 8 ----- .../resources/ai/actions_ai_description.yaml | 4 +-- .../ai/connectors_ai_description.yaml | 8 ----- .../resources/ai/jobs_ai_description.yaml | 8 ----- .../resources/ai/actions_ai_description.yaml | 4 +-- .../ai/connectors_ai_description.yaml | 8 ----- .../resources/ai/jobs_ai_description.yaml | 8 ----- 12 files changed, 33 insertions(+), 83 deletions(-) diff --git a/packages/mp/src/mp/core/data_models/integrations/action/ai/metadata.py b/packages/mp/src/mp/core/data_models/integrations/action/ai/metadata.py index 6dcede570..abd31499a 100644 --- a/packages/mp/src/mp/core/data_models/integrations/action/ai/metadata.py +++ b/packages/mp/src/mp/core/data_models/integrations/action/ai/metadata.py @@ -79,7 +79,7 @@ class ActionAiMetadata(BaseModel): ), ), ] - product_categories: Annotated[ + action_product_categories: Annotated[ ActionProductCategories, Field( description=( diff --git a/packages/mp/src/mp/core/data_models/integrations/action/metadata.py b/packages/mp/src/mp/core/data_models/integrations/action/metadata.py index 670c22645..1f38130f6 100644 --- a/packages/mp/src/mp/core/data_models/integrations/action/metadata.py +++ b/packages/mp/src/mp/core/data_models/integrations/action/metadata.py @@ -57,7 +57,7 @@ class AiFields(NamedTuple): description: str | None ai_categories: list[ActionAiCategory] entity_types: list[EntityType] - product_categories: list[ActionProductCategory] + action_product_categories: list[ActionProductCategory] class BuiltActionMetadata(TypedDict): @@ -144,7 +144,7 @@ class ActionMetadata(ComponentMetadata[BuiltActionMetadata, NonBuiltActionMetada ai_description: str | None ai_categories: list[ActionAiCategory] entity_types: list[EntityType] - action_categories: list[ActionProductCategory] + action_product_categories: list[ActionProductCategory] @classmethod def from_built_path(cls, path: Path) -> list[Self]: @@ -237,7 +237,7 @@ def _from_built(cls, file_name: str, built: BuiltActionMetadata) -> Self: ai_description=built.get("AIDescription"), ai_categories=[ActionAiCategory(c) for c in (built.get("AICategories") or [])], entity_types=[EntityType(e) for e in (built.get("EntityTypes") or [])], - action_categories=[ + action_product_categories=[ ActionProductCategory(c) for c in (built.get("ActionProductCategories") or []) ], ) @@ -279,7 +279,7 @@ def _from_non_built(cls, file_name: str, non_built: NonBuiltActionMetadata) -> A ai_description=non_built.get("ai_description"), ai_categories=[ActionAiCategory(c) for c in (non_built.get("ai_categories") or [])], entity_types=[EntityType(e) for e in (non_built.get("entity_types") or [])], - action_categories=[ + action_product_categories=[ ActionProductCategory(c) for c in (non_built.get("action_product_categories") or []) ], ) @@ -309,7 +309,7 @@ def to_built(self) -> BuiltActionMetadata: AIDescription=self.ai_description, AICategories=[c.value for c in self.ai_categories] or None, EntityTypes=[e.value for e in self.entity_types] or None, - ActionProductCategories=[c.value for c in self.action_categories] or None, + ActionProductCategories=[c.value for c in self.action_product_categories] or None, ) mp.core.utils.remove_none_entries_from_mapping(built) return built @@ -387,7 +387,7 @@ def _load_json_examples( def _get_ai_fields(action_name: str, integration_path: Path) -> AiFields: empty_results: AiFields = AiFields( - description=None, ai_categories=[], entity_types=[], product_categories=[] + description=None, ai_categories=[], entity_types=[], action_product_categories=[] ) if not integration_path.exists(): return empty_results @@ -423,13 +423,13 @@ def _get_ai_fields(action_name: str, integration_path: Path) -> AiFields: else [] ), entity_types=ai_meta.entity_usage.entity_types if ai_meta.entity_usage else [], - product_categories=( + action_product_categories=( [ PRODUCT_CATEGORY_TO_DEF_PRODUCT_CATEGORY[category] - for category, is_true in ai_meta.product_categories.model_dump().items() + for category, is_true in ai_meta.action_product_categories.model_dump().items() if is_true ] - if ai_meta.product_categories + if ai_meta.action_product_categories else [] ), ) @@ -441,4 +441,4 @@ def _update_non_built_with_ai_fields( non_built["ai_description"] = ai_fields.description non_built["ai_categories"] = [c.value for c in ai_fields.ai_categories] non_built["entity_types"] = [t.value for t in ai_fields.entity_types] - non_built["action_product_categories"] = [c.value for c in ai_fields.product_categories] + non_built["action_product_categories"] = [c.value for c in ai_fields.action_product_categories] diff --git a/packages/mp/src/mp/core/data_models/integrations/integration.py b/packages/mp/src/mp/core/data_models/integrations/integration.py index 5efdee03c..2ee6a88b7 100644 --- a/packages/mp/src/mp/core/data_models/integrations/integration.py +++ b/packages/mp/src/mp/core/data_models/integrations/integration.py @@ -17,7 +17,7 @@ import dataclasses import itertools import tomllib -from typing import TYPE_CHECKING, Any, Self, TypedDict +from typing import TYPE_CHECKING, Any, Self, TypedDict, cast import yaml @@ -144,13 +144,6 @@ def from_built_path(cls, path: Path) -> Self: if python_version_file.exists(): python_version = python_version_file.read_text(encoding="utf-8") - ai_metadata: dict[str, Any] = {} - ai_dir: Path = path / mp.core.constants.RESOURCES_DIR / mp.core.constants.AI_DIR - for ai_file in mp.core.constants.AI_DESCRIPTION_FILES: - ai_path: Path = ai_dir / ai_file - if ai_path.exists(): - ai_metadata[ai_file] = yaml.safe_load(ai_path.read_text(encoding="utf-8")) - return cls( python_version=python_version, identifier=integration_meta.identifier, @@ -167,7 +160,7 @@ def from_built_path(cls, path: Path) -> Self: widgets_metadata={ w.file_name: w for w in ActionWidgetMetadata.from_built_path(path) }, - ai_metadata=ai_metadata, + ai_metadata=_get_ai_metadata(path), ) except ValueError as e: msg: str = f"Failed to load integration {path.name}" @@ -189,7 +182,9 @@ def from_non_built_path(cls, path: Path) -> Self: """ project_file_path: Path = path / mp.core.constants.PROJECT_FILE file_content: str = project_file_path.read_text(encoding="utf-8") - pyproject_toml: PyProjectTomlFile = tomllib.loads(file_content) # ty: ignore[invalid-assignment] + pyproject_toml: PyProjectTomlFile = cast( + "PyProjectTomlFile", cast("object", tomllib.loads(file_content)) + ) try: integration_meta: IntegrationMetadata = IntegrationMetadata.from_non_built_path(path) _update_integration_meta_form_pyproject( @@ -201,13 +196,6 @@ def from_non_built_path(cls, path: Path) -> Self: if python_version_file.exists(): python_version = python_version_file.read_text(encoding="utf-8") - ai_metadata: dict[str, Any] = {} - ai_dir: Path = path / mp.core.constants.RESOURCES_DIR / mp.core.constants.AI_DIR - for ai_file in mp.core.constants.AI_DESCRIPTION_FILES: - ai_path: Path = ai_dir / ai_file - if ai_path.exists(): - ai_metadata[ai_file] = yaml.safe_load(ai_path.read_text(encoding="utf-8")) - return cls( python_version=python_version, identifier=integration_meta.identifier, @@ -224,7 +212,7 @@ def from_non_built_path(cls, path: Path) -> Self: widgets_metadata={ w.file_name: w for w in ActionWidgetMetadata.from_non_built_path(path) }, - ai_metadata=ai_metadata, + ai_metadata=_get_ai_metadata(path), ) except (KeyError, ValueError, tomllib.TOMLDecodeError) as e: @@ -348,3 +336,13 @@ def _update_integration_meta_form_pyproject( integration_meta.python_version = pyproject_toml.project.requires_python integration_meta.description = pyproject_toml.project.description integration_meta.version = pyproject_toml.project.version + + +def _get_ai_metadata(path: Path) -> dict[str, Any]: + ai_metadata: dict[str, Any] = {} + ai_dir: Path = path / mp.core.constants.RESOURCES_DIR / mp.core.constants.AI_DIR + for ai_file in mp.core.constants.AI_DESCRIPTION_FILES: + if (ai_path := ai_dir / ai_file).exists(): + ai_metadata[ai_file] = yaml.safe_load(ai_path.read_text(encoding="utf-8")) + + return ai_metadata diff --git a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/resources/ai/actions_ai_description.yaml b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/resources/ai/actions_ai_description.yaml index 721779afb..c19d27b9c 100644 --- a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/resources/ai/actions_ai_description.yaml +++ b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/resources/ai/actions_ai_description.yaml @@ -13,7 +13,7 @@ ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -27,5 +27,5 @@ ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: enrich_ioc: true diff --git a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/resources/ai/connectors_ai_description.yaml b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/resources/ai/connectors_ai_description.yaml index 5fa100127..8f25619f2 100644 --- a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/resources/ai/connectors_ai_description.yaml +++ b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/resources/ai/connectors_ai_description.yaml @@ -1,10 +1,2 @@ connector: ai_description: Mock AI description for connector - capabilities: - enrichment: true - internal_mutation: false - mutation: false - categories: - enrichment: true - product_categories: - siem: true diff --git a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/resources/ai/jobs_ai_description.yaml b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/resources/ai/jobs_ai_description.yaml index eab7f2b08..32e9f4451 100644 --- a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/resources/ai/jobs_ai_description.yaml +++ b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/resources/ai/jobs_ai_description.yaml @@ -1,10 +1,2 @@ job: ai_description: Mock AI description for job - capabilities: - enrichment: false - internal_mutation: false - mutation: false - categories: - enrichment: false - product_categories: - siem: true diff --git a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/resources/ai/actions_ai_description.yaml b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/resources/ai/actions_ai_description.yaml index 721779afb..c19d27b9c 100644 --- a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/resources/ai/actions_ai_description.yaml +++ b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/resources/ai/actions_ai_description.yaml @@ -13,7 +13,7 @@ ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -27,5 +27,5 @@ ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: enrich_ioc: true diff --git a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/resources/ai/connectors_ai_description.yaml b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/resources/ai/connectors_ai_description.yaml index 5fa100127..8f25619f2 100644 --- a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/resources/ai/connectors_ai_description.yaml +++ b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/resources/ai/connectors_ai_description.yaml @@ -1,10 +1,2 @@ connector: ai_description: Mock AI description for connector - capabilities: - enrichment: true - internal_mutation: false - mutation: false - categories: - enrichment: true - product_categories: - siem: true diff --git a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/resources/ai/jobs_ai_description.yaml b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/resources/ai/jobs_ai_description.yaml index eab7f2b08..32e9f4451 100644 --- a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/resources/ai/jobs_ai_description.yaml +++ b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/resources/ai/jobs_ai_description.yaml @@ -1,10 +1,2 @@ job: ai_description: Mock AI description for job - capabilities: - enrichment: false - internal_mutation: false - mutation: false - categories: - enrichment: false - product_categories: - siem: true diff --git a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/third_party/mock_integration/resources/ai/actions_ai_description.yaml b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/third_party/mock_integration/resources/ai/actions_ai_description.yaml index 721779afb..c19d27b9c 100644 --- a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/third_party/mock_integration/resources/ai/actions_ai_description.yaml +++ b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/third_party/mock_integration/resources/ai/actions_ai_description.yaml @@ -13,7 +13,7 @@ ping: categories: enrichment: false entity_usage: - entity_types: [] + entity_types: [ ] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -27,5 +27,5 @@ ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - product_categories: + action_product_categories: enrich_ioc: true diff --git a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/third_party/mock_integration/resources/ai/connectors_ai_description.yaml b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/third_party/mock_integration/resources/ai/connectors_ai_description.yaml index 5fa100127..8f25619f2 100644 --- a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/third_party/mock_integration/resources/ai/connectors_ai_description.yaml +++ b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/third_party/mock_integration/resources/ai/connectors_ai_description.yaml @@ -1,10 +1,2 @@ connector: ai_description: Mock AI description for connector - capabilities: - enrichment: true - internal_mutation: false - mutation: false - categories: - enrichment: true - product_categories: - siem: true diff --git a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/third_party/mock_integration/resources/ai/jobs_ai_description.yaml b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/third_party/mock_integration/resources/ai/jobs_ai_description.yaml index eab7f2b08..32e9f4451 100644 --- a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/third_party/mock_integration/resources/ai/jobs_ai_description.yaml +++ b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/third_party/mock_integration/resources/ai/jobs_ai_description.yaml @@ -1,10 +1,2 @@ job: ai_description: Mock AI description for job - capabilities: - enrichment: false - internal_mutation: false - mutation: false - categories: - enrichment: false - product_categories: - siem: true From 5f69e818c69958fdeab3ccf2e818b2d64311f951 Mon Sep 17 00:00:00 2001 From: talshapir Date: Thu, 9 Apr 2026 12:47:27 +0300 Subject: [PATCH 18/26] update dependencies --- packages/mp/uv.lock | 142 ++++++++++++++++++++++---------------------- 1 file changed, 71 insertions(+), 71 deletions(-) diff --git a/packages/mp/uv.lock b/packages/mp/uv.lock index ee6771a1f..467dcee24 100644 --- a/packages/mp/uv.lock +++ b/packages/mp/uv.lock @@ -143,47 +143,47 @@ toml = [ [[package]] name = "cryptography" -version = "46.0.6" +version = "46.0.7" source = { registry = "https://pypi.org/simple" } dependencies = [ { name = "cffi", marker = "platform_python_implementation != 'PyPy'" }, ] -sdist = { url = "https://files.pythonhosted.org/packages/a4/ba/04b1bd4218cbc58dc90ce967106d51582371b898690f3ae0402876cc4f34/cryptography-46.0.6.tar.gz", hash = "sha256:27550628a518c5c6c903d84f637fbecf287f6cb9ced3804838a1295dc1fd0759", size = 750542, upload-time = "2026-03-25T23:34:53.396Z" } -wheels = [ - { url = "https://files.pythonhosted.org/packages/47/23/9285e15e3bc57325b0a72e592921983a701efc1ee8f91c06c5f0235d86d9/cryptography-46.0.6-cp311-abi3-macosx_10_9_universal2.whl", hash = "sha256:64235194bad039a10bb6d2d930ab3323baaec67e2ce36215fd0952fad0930ca8", size = 7176401, upload-time = "2026-03-25T23:33:22.096Z" }, - { url = "https://files.pythonhosted.org/packages/60/f8/e61f8f13950ab6195b31913b42d39f0f9afc7d93f76710f299b5ec286ae6/cryptography-46.0.6-cp311-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:26031f1e5ca62fcb9d1fcb34b2b60b390d1aacaa15dc8b895a9ed00968b97b30", size = 4275275, upload-time = "2026-03-25T23:33:23.844Z" }, - { url = "https://files.pythonhosted.org/packages/19/69/732a736d12c2631e140be2348b4ad3d226302df63ef64d30dfdb8db7ad1c/cryptography-46.0.6-cp311-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:9a693028b9cbe51b5a1136232ee8f2bc242e4e19d456ded3fa7c86e43c713b4a", size = 4425320, upload-time = "2026-03-25T23:33:25.703Z" }, - { url = "https://files.pythonhosted.org/packages/d4/12/123be7292674abf76b21ac1fc0e1af50661f0e5b8f0ec8285faac18eb99e/cryptography-46.0.6-cp311-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:67177e8a9f421aa2d3a170c3e56eca4e0128883cf52a071a7cbf53297f18b175", size = 4278082, upload-time = "2026-03-25T23:33:27.423Z" }, - { url = "https://files.pythonhosted.org/packages/5b/ba/d5e27f8d68c24951b0a484924a84c7cdaed7502bac9f18601cd357f8b1d2/cryptography-46.0.6-cp311-abi3-manylinux_2_28_ppc64le.whl", hash = "sha256:d9528b535a6c4f8ff37847144b8986a9a143585f0540fbcb1a98115b543aa463", size = 4926514, upload-time = "2026-03-25T23:33:29.206Z" }, - { url = "https://files.pythonhosted.org/packages/34/71/1ea5a7352ae516d5512d17babe7e1b87d9db5150b21f794b1377eac1edc0/cryptography-46.0.6-cp311-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:22259338084d6ae497a19bae5d4c66b7ca1387d3264d1c2c0e72d9e9b6a77b97", size = 4457766, upload-time = "2026-03-25T23:33:30.834Z" }, - { url = "https://files.pythonhosted.org/packages/01/59/562be1e653accee4fdad92c7a2e88fced26b3fdfce144047519bbebc299e/cryptography-46.0.6-cp311-abi3-manylinux_2_31_armv7l.whl", hash = "sha256:760997a4b950ff00d418398ad73fbc91aa2894b5c1db7ccb45b4f68b42a63b3c", size = 3986535, upload-time = "2026-03-25T23:33:33.02Z" }, - { url = "https://files.pythonhosted.org/packages/d6/8b/b1ebfeb788bf4624d36e45ed2662b8bd43a05ff62157093c1539c1288a18/cryptography-46.0.6-cp311-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:3dfa6567f2e9e4c5dceb8ccb5a708158a2a871052fa75c8b78cb0977063f1507", size = 4277618, upload-time = "2026-03-25T23:33:34.567Z" }, - { url = "https://files.pythonhosted.org/packages/dd/52/a005f8eabdb28df57c20f84c44d397a755782d6ff6d455f05baa2785bd91/cryptography-46.0.6-cp311-abi3-manylinux_2_34_ppc64le.whl", hash = "sha256:cdcd3edcbc5d55757e5f5f3d330dd00007ae463a7e7aa5bf132d1f22a4b62b19", size = 4890802, upload-time = "2026-03-25T23:33:37.034Z" }, - { url = "https://files.pythonhosted.org/packages/ec/4d/8e7d7245c79c617d08724e2efa397737715ca0ec830ecb3c91e547302555/cryptography-46.0.6-cp311-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:d4e4aadb7fc1f88687f47ca20bb7227981b03afaae69287029da08096853b738", size = 4457425, upload-time = "2026-03-25T23:33:38.904Z" }, - { url = "https://files.pythonhosted.org/packages/1d/5c/f6c3596a1430cec6f949085f0e1a970638d76f81c3ea56d93d564d04c340/cryptography-46.0.6-cp311-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:2b417edbe8877cda9022dde3a008e2deb50be9c407eef034aeeb3a8b11d9db3c", size = 4405530, upload-time = "2026-03-25T23:33:40.842Z" }, - { url = "https://files.pythonhosted.org/packages/7e/c9/9f9cea13ee2dbde070424e0c4f621c091a91ffcc504ffea5e74f0e1daeff/cryptography-46.0.6-cp311-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:380343e0653b1c9d7e1f55b52aaa2dbb2fdf2730088d48c43ca1c7c0abb7cc2f", size = 4667896, upload-time = "2026-03-25T23:33:42.781Z" }, - { url = "https://files.pythonhosted.org/packages/ad/b5/1895bc0821226f129bc74d00eccfc6a5969e2028f8617c09790bf89c185e/cryptography-46.0.6-cp311-abi3-win32.whl", hash = "sha256:bcb87663e1f7b075e48c3be3ecb5f0b46c8fc50b50a97cf264e7f60242dca3f2", size = 3026348, upload-time = "2026-03-25T23:33:45.021Z" }, - { url = "https://files.pythonhosted.org/packages/c3/f8/c9bcbf0d3e6ad288b9d9aa0b1dee04b063d19e8c4f871855a03ab3a297ab/cryptography-46.0.6-cp311-abi3-win_amd64.whl", hash = "sha256:6739d56300662c468fddb0e5e291f9b4d084bead381667b9e654c7dd81705124", size = 3483896, upload-time = "2026-03-25T23:33:46.649Z" }, - { url = "https://files.pythonhosted.org/packages/c4/cc/f330e982852403da79008552de9906804568ae9230da8432f7496ce02b71/cryptography-46.0.6-cp38-abi3-macosx_10_9_universal2.whl", hash = "sha256:12cae594e9473bca1a7aceb90536060643128bb274fcea0fc459ab90f7d1ae7a", size = 7162776, upload-time = "2026-03-25T23:34:13.308Z" }, - { url = "https://files.pythonhosted.org/packages/49/b3/dc27efd8dcc4bff583b3f01d4a3943cd8b5821777a58b3a6a5f054d61b79/cryptography-46.0.6-cp38-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:639301950939d844a9e1c4464d7e07f902fe9a7f6b215bb0d4f28584729935d8", size = 4270529, upload-time = "2026-03-25T23:34:15.019Z" }, - { url = "https://files.pythonhosted.org/packages/e6/05/e8d0e6eb4f0d83365b3cb0e00eb3c484f7348db0266652ccd84632a3d58d/cryptography-46.0.6-cp38-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:ed3775295fb91f70b4027aeba878d79b3e55c0b3e97eaa4de71f8f23a9f2eb77", size = 4414827, upload-time = "2026-03-25T23:34:16.604Z" }, - { url = "https://files.pythonhosted.org/packages/2f/97/daba0f5d2dc6d855e2dcb70733c812558a7977a55dd4a6722756628c44d1/cryptography-46.0.6-cp38-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:8927ccfbe967c7df312ade694f987e7e9e22b2425976ddbf28271d7e58845290", size = 4271265, upload-time = "2026-03-25T23:34:18.586Z" }, - { url = "https://files.pythonhosted.org/packages/89/06/fe1fce39a37ac452e58d04b43b0855261dac320a2ebf8f5260dd55b201a9/cryptography-46.0.6-cp38-abi3-manylinux_2_28_ppc64le.whl", hash = "sha256:b12c6b1e1651e42ab5de8b1e00dc3b6354fdfd778e7fa60541ddacc27cd21410", size = 4916800, upload-time = "2026-03-25T23:34:20.561Z" }, - { url = "https://files.pythonhosted.org/packages/ff/8a/b14f3101fe9c3592603339eb5d94046c3ce5f7fc76d6512a2d40efd9724e/cryptography-46.0.6-cp38-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:063b67749f338ca9c5a0b7fe438a52c25f9526b851e24e6c9310e7195aad3b4d", size = 4448771, upload-time = "2026-03-25T23:34:22.406Z" }, - { url = "https://files.pythonhosted.org/packages/01/b3/0796998056a66d1973fd52ee89dc1bb3b6581960a91ad4ac705f182d398f/cryptography-46.0.6-cp38-abi3-manylinux_2_31_armv7l.whl", hash = "sha256:02fad249cb0e090b574e30b276a3da6a149e04ee2f049725b1f69e7b8351ec70", size = 3978333, upload-time = "2026-03-25T23:34:24.281Z" }, - { url = "https://files.pythonhosted.org/packages/c5/3d/db200af5a4ffd08918cd55c08399dc6c9c50b0bc72c00a3246e099d3a849/cryptography-46.0.6-cp38-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:7e6142674f2a9291463e5e150090b95a8519b2fb6e6aaec8917dd8d094ce750d", size = 4271069, upload-time = "2026-03-25T23:34:25.895Z" }, - { url = "https://files.pythonhosted.org/packages/d7/18/61acfd5b414309d74ee838be321c636fe71815436f53c9f0334bf19064fa/cryptography-46.0.6-cp38-abi3-manylinux_2_34_ppc64le.whl", hash = "sha256:456b3215172aeefb9284550b162801d62f5f264a081049a3e94307fe20792cfa", size = 4878358, upload-time = "2026-03-25T23:34:27.67Z" }, - { url = "https://files.pythonhosted.org/packages/8b/65/5bf43286d566f8171917cae23ac6add941654ccf085d739195a4eacf1674/cryptography-46.0.6-cp38-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:341359d6c9e68834e204ceaf25936dffeafea3829ab80e9503860dcc4f4dac58", size = 4448061, upload-time = "2026-03-25T23:34:29.375Z" }, - { url = "https://files.pythonhosted.org/packages/e0/25/7e49c0fa7205cf3597e525d156a6bce5b5c9de1fd7e8cb01120e459f205a/cryptography-46.0.6-cp38-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:9a9c42a2723999a710445bc0d974e345c32adfd8d2fac6d8a251fa829ad31cfb", size = 4399103, upload-time = "2026-03-25T23:34:32.036Z" }, - { url = "https://files.pythonhosted.org/packages/44/46/466269e833f1c4718d6cd496ffe20c56c9c8d013486ff66b4f69c302a68d/cryptography-46.0.6-cp38-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:6617f67b1606dfd9fe4dbfa354a9508d4a6d37afe30306fe6c101b7ce3274b72", size = 4659255, upload-time = "2026-03-25T23:34:33.679Z" }, - { url = "https://files.pythonhosted.org/packages/0a/09/ddc5f630cc32287d2c953fc5d32705e63ec73e37308e5120955316f53827/cryptography-46.0.6-cp38-abi3-win32.whl", hash = "sha256:7f6690b6c55e9c5332c0b59b9c8a3fb232ebf059094c17f9019a51e9827df91c", size = 3010660, upload-time = "2026-03-25T23:34:35.418Z" }, - { url = "https://files.pythonhosted.org/packages/1b/82/ca4893968aeb2709aacfb57a30dec6fa2ab25b10fa9f064b8882ce33f599/cryptography-46.0.6-cp38-abi3-win_amd64.whl", hash = "sha256:79e865c642cfc5c0b3eb12af83c35c5aeff4fa5c672dc28c43721c2c9fdd2f0f", size = 3471160, upload-time = "2026-03-25T23:34:37.191Z" }, - { url = "https://files.pythonhosted.org/packages/2e/84/7ccff00ced5bac74b775ce0beb7d1be4e8637536b522b5df9b73ada42da2/cryptography-46.0.6-pp311-pypy311_pp73-macosx_11_0_arm64.whl", hash = "sha256:2ea0f37e9a9cf0df2952893ad145fd9627d326a59daec9b0802480fa3bcd2ead", size = 3475444, upload-time = "2026-03-25T23:34:38.944Z" }, - { url = "https://files.pythonhosted.org/packages/bc/1f/4c926f50df7749f000f20eede0c896769509895e2648db5da0ed55db711d/cryptography-46.0.6-pp311-pypy311_pp73-manylinux_2_28_aarch64.whl", hash = "sha256:a3e84d5ec9ba01f8fd03802b2147ba77f0c8f2617b2aff254cedd551844209c8", size = 4218227, upload-time = "2026-03-25T23:34:40.871Z" }, - { url = "https://files.pythonhosted.org/packages/c6/65/707be3ffbd5f786028665c3223e86e11c4cda86023adbc56bd72b1b6bab5/cryptography-46.0.6-pp311-pypy311_pp73-manylinux_2_28_x86_64.whl", hash = "sha256:12f0fa16cc247b13c43d56d7b35287ff1569b5b1f4c5e87e92cc4fcc00cd10c0", size = 4381399, upload-time = "2026-03-25T23:34:42.609Z" }, - { url = "https://files.pythonhosted.org/packages/f3/6d/73557ed0ef7d73d04d9aba745d2c8e95218213687ee5e76b7d236a5030fc/cryptography-46.0.6-pp311-pypy311_pp73-manylinux_2_34_aarch64.whl", hash = "sha256:50575a76e2951fe7dbd1f56d181f8c5ceeeb075e9ff88e7ad997d2f42af06e7b", size = 4217595, upload-time = "2026-03-25T23:34:44.205Z" }, - { url = "https://files.pythonhosted.org/packages/9e/c5/e1594c4eec66a567c3ac4400008108a415808be2ce13dcb9a9045c92f1a0/cryptography-46.0.6-pp311-pypy311_pp73-manylinux_2_34_x86_64.whl", hash = "sha256:90e5f0a7b3be5f40c3a0a0eafb32c681d8d2c181fc2a1bdabe9b3f611d9f6b1a", size = 4380912, upload-time = "2026-03-25T23:34:46.328Z" }, - { url = "https://files.pythonhosted.org/packages/1a/89/843b53614b47f97fe1abc13f9a86efa5ec9e275292c457af1d4a60dc80e0/cryptography-46.0.6-pp311-pypy311_pp73-win_amd64.whl", hash = "sha256:6728c49e3b2c180ef26f8e9f0a883a2c585638db64cf265b49c9ba10652d430e", size = 3409955, upload-time = "2026-03-25T23:34:48.465Z" }, +sdist = { url = "https://files.pythonhosted.org/packages/47/93/ac8f3d5ff04d54bc814e961a43ae5b0b146154c89c61b47bb07557679b18/cryptography-46.0.7.tar.gz", hash = "sha256:e4cfd68c5f3e0bfdad0d38e023239b96a2fe84146481852dffbcca442c245aa5", size = 750652, upload-time = "2026-04-08T01:57:54.692Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/0b/5d/4a8f770695d73be252331e60e526291e3df0c9b27556a90a6b47bccca4c2/cryptography-46.0.7-cp311-abi3-macosx_10_9_universal2.whl", hash = "sha256:ea42cbe97209df307fdc3b155f1b6fa2577c0defa8f1f7d3be7d31d189108ad4", size = 7179869, upload-time = "2026-04-08T01:56:17.157Z" }, + { url = "https://files.pythonhosted.org/packages/5f/45/6d80dc379b0bbc1f9d1e429f42e4cb9e1d319c7a8201beffd967c516ea01/cryptography-46.0.7-cp311-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:b36a4695e29fe69215d75960b22577197aca3f7a25b9cf9d165dcfe9d80bc325", size = 4275492, upload-time = "2026-04-08T01:56:19.36Z" }, + { url = "https://files.pythonhosted.org/packages/4a/9a/1765afe9f572e239c3469f2cb429f3ba7b31878c893b246b4b2994ffe2fe/cryptography-46.0.7-cp311-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:5ad9ef796328c5e3c4ceed237a183f5d41d21150f972455a9d926593a1dcb308", size = 4426670, upload-time = "2026-04-08T01:56:21.415Z" }, + { url = "https://files.pythonhosted.org/packages/8f/3e/af9246aaf23cd4ee060699adab1e47ced3f5f7e7a8ffdd339f817b446462/cryptography-46.0.7-cp311-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:73510b83623e080a2c35c62c15298096e2a5dc8d51c3b4e1740211839d0dea77", size = 4280275, upload-time = "2026-04-08T01:56:23.539Z" }, + { url = "https://files.pythonhosted.org/packages/0f/54/6bbbfc5efe86f9d71041827b793c24811a017c6ac0fd12883e4caa86b8ed/cryptography-46.0.7-cp311-abi3-manylinux_2_28_ppc64le.whl", hash = "sha256:cbd5fb06b62bd0721e1170273d3f4d5a277044c47ca27ee257025146c34cbdd1", size = 4928402, upload-time = "2026-04-08T01:56:25.624Z" }, + { url = "https://files.pythonhosted.org/packages/2d/cf/054b9d8220f81509939599c8bdbc0c408dbd2bdd41688616a20731371fe0/cryptography-46.0.7-cp311-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:420b1e4109cc95f0e5700eed79908cef9268265c773d3a66f7af1eef53d409ef", size = 4459985, upload-time = "2026-04-08T01:56:27.309Z" }, + { url = "https://files.pythonhosted.org/packages/f9/46/4e4e9c6040fb01c7467d47217d2f882daddeb8828f7df800cb806d8a2288/cryptography-46.0.7-cp311-abi3-manylinux_2_31_armv7l.whl", hash = "sha256:24402210aa54baae71d99441d15bb5a1919c195398a87b563df84468160a65de", size = 3990652, upload-time = "2026-04-08T01:56:29.095Z" }, + { url = "https://files.pythonhosted.org/packages/36/5f/313586c3be5a2fbe87e4c9a254207b860155a8e1f3cca99f9910008e7d08/cryptography-46.0.7-cp311-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:8a469028a86f12eb7d2fe97162d0634026d92a21f3ae0ac87ed1c4a447886c83", size = 4279805, upload-time = "2026-04-08T01:56:30.928Z" }, + { url = "https://files.pythonhosted.org/packages/69/33/60dfc4595f334a2082749673386a4d05e4f0cf4df8248e63b2c3437585f2/cryptography-46.0.7-cp311-abi3-manylinux_2_34_ppc64le.whl", hash = "sha256:9694078c5d44c157ef3162e3bf3946510b857df5a3955458381d1c7cfc143ddb", size = 4892883, upload-time = "2026-04-08T01:56:32.614Z" }, + { url = "https://files.pythonhosted.org/packages/c7/0b/333ddab4270c4f5b972f980adef4faa66951a4aaf646ca067af597f15563/cryptography-46.0.7-cp311-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:42a1e5f98abb6391717978baf9f90dc28a743b7d9be7f0751a6f56a75d14065b", size = 4459756, upload-time = "2026-04-08T01:56:34.306Z" }, + { url = "https://files.pythonhosted.org/packages/d2/14/633913398b43b75f1234834170947957c6b623d1701ffc7a9600da907e89/cryptography-46.0.7-cp311-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:91bbcb08347344f810cbe49065914fe048949648f6bd5c2519f34619142bbe85", size = 4410244, upload-time = "2026-04-08T01:56:35.977Z" }, + { url = "https://files.pythonhosted.org/packages/10/f2/19ceb3b3dc14009373432af0c13f46aa08e3ce334ec6eff13492e1812ccd/cryptography-46.0.7-cp311-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:5d1c02a14ceb9148cc7816249f64f623fbfee39e8c03b3650d842ad3f34d637e", size = 4674868, upload-time = "2026-04-08T01:56:38.034Z" }, + { url = "https://files.pythonhosted.org/packages/1a/bb/a5c213c19ee94b15dfccc48f363738633a493812687f5567addbcbba9f6f/cryptography-46.0.7-cp311-abi3-win32.whl", hash = "sha256:d23c8ca48e44ee015cd0a54aeccdf9f09004eba9fc96f38c911011d9ff1bd457", size = 3026504, upload-time = "2026-04-08T01:56:39.666Z" }, + { url = "https://files.pythonhosted.org/packages/2b/02/7788f9fefa1d060ca68717c3901ae7fffa21ee087a90b7f23c7a603c32ae/cryptography-46.0.7-cp311-abi3-win_amd64.whl", hash = "sha256:397655da831414d165029da9bc483bed2fe0e75dde6a1523ec2fe63f3c46046b", size = 3488363, upload-time = "2026-04-08T01:56:41.893Z" }, + { url = "https://files.pythonhosted.org/packages/a7/7f/cd42fc3614386bc0c12f0cb3c4ae1fc2bbca5c9662dfed031514911d513d/cryptography-46.0.7-cp38-abi3-macosx_10_9_universal2.whl", hash = "sha256:462ad5cb1c148a22b2e3bcc5ad52504dff325d17daf5df8d88c17dda1f75f2a4", size = 7165618, upload-time = "2026-04-08T01:57:10.645Z" }, + { url = "https://files.pythonhosted.org/packages/a5/d0/36a49f0262d2319139d2829f773f1b97ef8aef7f97e6e5bd21455e5a8fb5/cryptography-46.0.7-cp38-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.whl", hash = "sha256:84d4cced91f0f159a7ddacad249cc077e63195c36aac40b4150e7a57e84fffe7", size = 4270628, upload-time = "2026-04-08T01:57:12.885Z" }, + { url = "https://files.pythonhosted.org/packages/8a/6c/1a42450f464dda6ffbe578a911f773e54dd48c10f9895a23a7e88b3e7db5/cryptography-46.0.7-cp38-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.whl", hash = "sha256:128c5edfe5e5938b86b03941e94fac9ee793a94452ad1365c9fc3f4f62216832", size = 4415405, upload-time = "2026-04-08T01:57:14.923Z" }, + { url = "https://files.pythonhosted.org/packages/9a/92/4ed714dbe93a066dc1f4b4581a464d2d7dbec9046f7c8b7016f5286329e2/cryptography-46.0.7-cp38-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:5e51be372b26ef4ba3de3c167cd3d1022934bc838ae9eaad7e644986d2a3d163", size = 4272715, upload-time = "2026-04-08T01:57:16.638Z" }, + { url = "https://files.pythonhosted.org/packages/b7/e6/a26b84096eddd51494bba19111f8fffe976f6a09f132706f8f1bf03f51f7/cryptography-46.0.7-cp38-abi3-manylinux_2_28_ppc64le.whl", hash = "sha256:cdf1a610ef82abb396451862739e3fc93b071c844399e15b90726ef7470eeaf2", size = 4918400, upload-time = "2026-04-08T01:57:19.021Z" }, + { url = "https://files.pythonhosted.org/packages/c7/08/ffd537b605568a148543ac3c2b239708ae0bd635064bab41359252ef88ed/cryptography-46.0.7-cp38-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:1d25aee46d0c6f1a501adcddb2d2fee4b979381346a78558ed13e50aa8a59067", size = 4450634, upload-time = "2026-04-08T01:57:21.185Z" }, + { url = "https://files.pythonhosted.org/packages/16/01/0cd51dd86ab5b9befe0d031e276510491976c3a80e9f6e31810cce46c4ad/cryptography-46.0.7-cp38-abi3-manylinux_2_31_armv7l.whl", hash = "sha256:cdfbe22376065ffcf8be74dc9a909f032df19bc58a699456a21712d6e5eabfd0", size = 3985233, upload-time = "2026-04-08T01:57:22.862Z" }, + { url = "https://files.pythonhosted.org/packages/92/49/819d6ed3a7d9349c2939f81b500a738cb733ab62fbecdbc1e38e83d45e12/cryptography-46.0.7-cp38-abi3-manylinux_2_34_aarch64.whl", hash = "sha256:abad9dac36cbf55de6eb49badd4016806b3165d396f64925bf2999bcb67837ba", size = 4271955, upload-time = "2026-04-08T01:57:24.814Z" }, + { url = "https://files.pythonhosted.org/packages/80/07/ad9b3c56ebb95ed2473d46df0847357e01583f4c52a85754d1a55e29e4d0/cryptography-46.0.7-cp38-abi3-manylinux_2_34_ppc64le.whl", hash = "sha256:935ce7e3cfdb53e3536119a542b839bb94ec1ad081013e9ab9b7cfd478b05006", size = 4879888, upload-time = "2026-04-08T01:57:26.88Z" }, + { url = "https://files.pythonhosted.org/packages/b8/c7/201d3d58f30c4c2bdbe9b03844c291feb77c20511cc3586daf7edc12a47b/cryptography-46.0.7-cp38-abi3-manylinux_2_34_x86_64.whl", hash = "sha256:35719dc79d4730d30f1c2b6474bd6acda36ae2dfae1e3c16f2051f215df33ce0", size = 4449961, upload-time = "2026-04-08T01:57:29.068Z" }, + { url = "https://files.pythonhosted.org/packages/a5/ef/649750cbf96f3033c3c976e112265c33906f8e462291a33d77f90356548c/cryptography-46.0.7-cp38-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:7bbc6ccf49d05ac8f7d7b5e2e2c33830d4fe2061def88210a126d130d7f71a85", size = 4401696, upload-time = "2026-04-08T01:57:31.029Z" }, + { url = "https://files.pythonhosted.org/packages/41/52/a8908dcb1a389a459a29008c29966c1d552588d4ae6d43f3a1a4512e0ebe/cryptography-46.0.7-cp38-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:a1529d614f44b863a7b480c6d000fe93b59acee9c82ffa027cfadc77521a9f5e", size = 4664256, upload-time = "2026-04-08T01:57:33.144Z" }, + { url = "https://files.pythonhosted.org/packages/4b/fa/f0ab06238e899cc3fb332623f337a7364f36f4bb3f2534c2bb95a35b132c/cryptography-46.0.7-cp38-abi3-win32.whl", hash = "sha256:f247c8c1a1fb45e12586afbb436ef21ff1e80670b2861a90353d9b025583d246", size = 3013001, upload-time = "2026-04-08T01:57:34.933Z" }, + { url = "https://files.pythonhosted.org/packages/d2/f1/00ce3bde3ca542d1acd8f8cfa38e446840945aa6363f9b74746394b14127/cryptography-46.0.7-cp38-abi3-win_amd64.whl", hash = "sha256:506c4ff91eff4f82bdac7633318a526b1d1309fc07ca76a3ad182cb5b686d6d3", size = 3472985, upload-time = "2026-04-08T01:57:36.714Z" }, + { url = "https://files.pythonhosted.org/packages/63/0c/dca8abb64e7ca4f6b2978769f6fea5ad06686a190cec381f0a796fdcaaba/cryptography-46.0.7-pp311-pypy311_pp73-macosx_11_0_arm64.whl", hash = "sha256:fc9ab8856ae6cf7c9358430e49b368f3108f050031442eaeb6b9d87e4dcf4e4f", size = 3476879, upload-time = "2026-04-08T01:57:38.664Z" }, + { url = "https://files.pythonhosted.org/packages/3a/ea/075aac6a84b7c271578d81a2f9968acb6e273002408729f2ddff517fed4a/cryptography-46.0.7-pp311-pypy311_pp73-manylinux_2_28_aarch64.whl", hash = "sha256:d3b99c535a9de0adced13d159c5a9cf65c325601aa30f4be08afd680643e9c15", size = 4219700, upload-time = "2026-04-08T01:57:40.625Z" }, + { url = "https://files.pythonhosted.org/packages/6c/7b/1c55db7242b5e5612b29fc7a630e91ee7a6e3c8e7bf5406d22e206875fbd/cryptography-46.0.7-pp311-pypy311_pp73-manylinux_2_28_x86_64.whl", hash = "sha256:d02c738dacda7dc2a74d1b2b3177042009d5cab7c7079db74afc19e56ca1b455", size = 4385982, upload-time = "2026-04-08T01:57:42.725Z" }, + { url = "https://files.pythonhosted.org/packages/cb/da/9870eec4b69c63ef5925bf7d8342b7e13bc2ee3d47791461c4e49ca212f4/cryptography-46.0.7-pp311-pypy311_pp73-manylinux_2_34_aarch64.whl", hash = "sha256:04959522f938493042d595a736e7dbdff6eb6cc2339c11465b3ff89343b65f65", size = 4219115, upload-time = "2026-04-08T01:57:44.939Z" }, + { url = "https://files.pythonhosted.org/packages/f4/72/05aa5832b82dd341969e9a734d1812a6aadb088d9eb6f0430fc337cc5a8f/cryptography-46.0.7-pp311-pypy311_pp73-manylinux_2_34_x86_64.whl", hash = "sha256:3986ac1dee6def53797289999eabe84798ad7817f3e97779b5061a95b0ee4968", size = 4385479, upload-time = "2026-04-08T01:57:46.86Z" }, + { url = "https://files.pythonhosted.org/packages/20/2a/1b016902351a523aa2bd446b50a5bc1175d7a7d1cf90fe2ef904f9b84ebc/cryptography-46.0.7-pp311-pypy311_pp73-win_amd64.whl", hash = "sha256:258514877e15963bd43b558917bc9f54cf7cf866c38aa576ebf47a77ddbc43a4", size = 3412829, upload-time = "2026-04-08T01:57:48.874Z" }, ] [[package]] @@ -245,7 +245,7 @@ requests = [ [[package]] name = "google-genai" -version = "1.70.0" +version = "1.71.0" source = { registry = "https://pypi.org/simple" } dependencies = [ { name = "anyio" }, @@ -259,9 +259,9 @@ dependencies = [ { name = "typing-extensions" }, { name = "websockets" }, ] -sdist = { url = "https://files.pythonhosted.org/packages/74/dd/28e4682904b183acbfad3fe6409f13a42f69bb8eab6e882d3bcbea1dde01/google_genai-1.70.0.tar.gz", hash = "sha256:36b67b0fc6f319e08d1f1efd808b790107b1809c8743a05d55dfcf9d9fad7719", size = 519550, upload-time = "2026-04-01T10:52:46.487Z" } +sdist = { url = "https://files.pythonhosted.org/packages/88/49/a13e9cf4d963691fc79d661f2d78f041bc1f2e7287d41ef0f831b82462f0/google_genai-1.71.0.tar.gz", hash = "sha256:044f7ac453437d5d380ec192f823dba64e001c478d7878c5a2d327432f4a28ac", size = 520044, upload-time = "2026-04-08T17:55:51.084Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/36/a3/d4564c8a9beaf6a3cef8d70fa6354318572cebfee65db4f01af0d41f45ba/google_genai-1.70.0-py3-none-any.whl", hash = "sha256:b74c24549d8b4208f4c736fd11857374788e1ffffc725de45d706e35c97fceee", size = 760584, upload-time = "2026-04-01T10:52:44.349Z" }, + { url = "https://files.pythonhosted.org/packages/55/d4/63c97d487f0b4861a6f530628a9e56a380f9c9704d2e207f0bed9d16e31a/google_genai-1.71.0-py3-none-any.whl", hash = "sha256:6213ebfee7fc8e6a21692c2c340309e463322cc35c2c603d1ea59e8ea34ac240", size = 760561, upload-time = "2026-04-08T17:55:49.107Z" }, ] [[package]] @@ -303,14 +303,14 @@ wheels = [ [[package]] name = "hypothesis" -version = "6.151.11" +version = "6.151.12" source = { registry = "https://pypi.org/simple" } dependencies = [ { name = "sortedcontainers" }, ] -sdist = { url = "https://files.pythonhosted.org/packages/a9/58/41af0d539b3c95644d1e4e353cbd6ac9473e892ea21802546a8886b79078/hypothesis-6.151.11.tar.gz", hash = "sha256:f33dcb68b62c7b07c9ac49664989be898fa8ce57583f0dc080259a197c6c7ff1", size = 463779, upload-time = "2026-04-05T17:35:55.935Z" } +sdist = { url = "https://files.pythonhosted.org/packages/ce/ab/67ca321d1ab96fd3828b12142f1c258e2d4a668a025d06cd50ab3409787f/hypothesis-6.151.12.tar.gz", hash = "sha256:be485f503979af4c3dfa19e3fc2b967d0458e7f8c4e28128d7e215e0a55102e0", size = 463900, upload-time = "2026-04-08T19:40:06.205Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/1d/06/f49393eca84b87b17a67aaebf9f6251190ba1e9fe9f2236504049fc43fee/hypothesis-6.151.11-py3-none-any.whl", hash = "sha256:7ac05173206746cec8312f95164a30a4eb4916815413a278922e63ff1e404648", size = 529572, upload-time = "2026-04-05T17:35:53.438Z" }, + { url = "https://files.pythonhosted.org/packages/0e/5a/6cecf134b631050a1f8605096adbe812483b60790d951470989d39b56860/hypothesis-6.151.12-py3-none-any.whl", hash = "sha256:37d4f3a768365c30571b11dfd7a6857a12173d933010b2c4ab65619f1b5952c5", size = 529656, upload-time = "2026-04-08T19:40:03.126Z" }, ] [[package]] @@ -528,11 +528,11 @@ wheels = [ [[package]] name = "platformdirs" -version = "4.9.4" +version = "4.9.6" source = { registry = "https://pypi.org/simple" } -sdist = { url = "https://files.pythonhosted.org/packages/19/56/8d4c30c8a1d07013911a8fdbd8f89440ef9f08d07a1b50ab8ca8be5a20f9/platformdirs-4.9.4.tar.gz", hash = "sha256:1ec356301b7dc906d83f371c8f487070e99d3ccf9e501686456394622a01a934", size = 28737, upload-time = "2026-03-05T18:34:13.271Z" } +sdist = { url = "https://files.pythonhosted.org/packages/9f/4a/0883b8e3802965322523f0b200ecf33d31f10991d0401162f4b23c698b42/platformdirs-4.9.6.tar.gz", hash = "sha256:3bfa75b0ad0db84096ae777218481852c0ebc6c727b3168c1b9e0118e458cf0a", size = 29400, upload-time = "2026-04-09T00:04:10.812Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/63/d7/97f7e3a6abb67d8080dd406fd4df842c2be0efaf712d1c899c32a075027c/platformdirs-4.9.4-py3-none-any.whl", hash = "sha256:68a9a4619a666ea6439f2ff250c12a853cd1cbd5158d258bd824a7df6be2f868", size = 21216, upload-time = "2026-03-05T18:34:12.172Z" }, + { url = "https://files.pythonhosted.org/packages/75/a6/a0a304dc33b49145b21f4808d763822111e67d1c3a32b524a1baf947b6e1/platformdirs-4.9.6-py3-none-any.whl", hash = "sha256:e61adb1d5e5cb3441b4b7710bea7e4c12250ca49439228cc1021c00dcfac0917", size = 21348, upload-time = "2026-04-09T00:04:09.463Z" }, ] [[package]] @@ -637,7 +637,7 @@ wheels = [ [[package]] name = "pytest" -version = "9.0.2" +version = "9.0.3" source = { registry = "https://pypi.org/simple" } dependencies = [ { name = "colorama", marker = "sys_platform == 'win32'" }, @@ -646,9 +646,9 @@ dependencies = [ { name = "pluggy" }, { name = "pygments" }, ] -sdist = { url = "https://files.pythonhosted.org/packages/d1/db/7ef3487e0fb0049ddb5ce41d3a49c235bf9ad299b6a25d5780a89f19230f/pytest-9.0.2.tar.gz", hash = "sha256:75186651a92bd89611d1d9fc20f0b4345fd827c41ccd5c299a868a05d70edf11", size = 1568901, upload-time = "2025-12-06T21:30:51.014Z" } +sdist = { url = "https://files.pythonhosted.org/packages/7d/0d/549bd94f1a0a402dc8cf64563a117c0f3765662e2e668477624baeec44d5/pytest-9.0.3.tar.gz", hash = "sha256:b86ada508af81d19edeb213c681b1d48246c1a91d304c6c81a427674c17eb91c", size = 1572165, upload-time = "2026-04-07T17:16:18.027Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/3b/ab/b3226f0bd7cdcf710fbede2b3548584366da3b19b5021e74f5bde2a8fa3f/pytest-9.0.2-py3-none-any.whl", hash = "sha256:711ffd45bf766d5264d487b917733b453d917afd2b0ad65223959f59089f875b", size = 374801, upload-time = "2025-12-06T21:30:49.154Z" }, + { url = "https://files.pythonhosted.org/packages/d4/24/a372aaf5c9b7208e7112038812994107bc65a84cd00e0354a88c2c77a617/pytest-9.0.3-py3-none-any.whl", hash = "sha256:2c5efc453d45394fdd706ade797c0a81091eccd1d6e4bccfcd476e2b8e0ab5d9", size = 375249, upload-time = "2026-04-07T17:16:16.13Z" }, ] [[package]] @@ -917,28 +917,28 @@ wheels = [ [[package]] name = "uv" -version = "0.11.3" -source = { registry = "https://pypi.org/simple" } -sdist = { url = "https://files.pythonhosted.org/packages/88/ed/f11c558e8d2e02fba6057dacd9e92a71557359a80bd5355452310b89f40f/uv-0.11.3.tar.gz", hash = "sha256:6a6fcaf1fec28bbbdf0dfc5a0a6e34be4cea08c6287334b08c24cf187300f20d", size = 4027684, upload-time = "2026-04-01T21:47:22.096Z" } -wheels = [ - { url = "https://files.pythonhosted.org/packages/cb/93/4f04c49fd6046a18293de341d795ded3b9cbd95db261d687e26db0f11d1e/uv-0.11.3-py3-none-linux_armv6l.whl", hash = "sha256:deb533e780e8181e0859c68c84f546620072cd1bd827b38058cb86ebfba9bb7d", size = 23337334, upload-time = "2026-04-01T21:46:47.545Z" }, - { url = "https://files.pythonhosted.org/packages/7a/4b/c44fd3fbc80ac2f81e2ad025d235c820aac95b228076da85be3f5d509781/uv-0.11.3-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:d2b3b0fa1693880ca354755c216ae1c65dd938a4f1a24374d0c3f4b9538e0ee6", size = 22940169, upload-time = "2026-04-01T21:47:32.72Z" }, - { url = "https://files.pythonhosted.org/packages/ba/c7/7d01be259a47d42fa9e80adcb7a829d81e7c376aa8fa1b714f31d7dfc226/uv-0.11.3-py3-none-macosx_11_0_arm64.whl", hash = "sha256:71f5d0b9e73daa5d8a7e2db3fa2e22a4537d24bb4fe78130db797280280d4edc", size = 21473579, upload-time = "2026-04-01T21:47:25.063Z" }, - { url = "https://files.pythonhosted.org/packages/9a/71/fffcd890290a4639a3799cf3f3e87947c10d1b0de19eba3cf837cb418dd8/uv-0.11.3-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.musllinux_1_1_aarch64.whl", hash = "sha256:55ba578752f29a3f2b22879b22a162edad1454e3216f3ca4694fdbd4093a6822", size = 23132691, upload-time = "2026-04-01T21:47:44.587Z" }, - { url = "https://files.pythonhosted.org/packages/d1/7b/1ac9e1f753a19b6252434f0bbe96efdcc335cd74677f4c6f431a7c916114/uv-0.11.3-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.musllinux_1_1_armv7l.whl", hash = "sha256:3b1fe09d5e1d8e19459cd28d7825a3b66ef147b98328345bad6e17b87c4fea48", size = 22955764, upload-time = "2026-04-01T21:46:51.721Z" }, - { url = "https://files.pythonhosted.org/packages/ff/51/1a6010a681a3c3e0a8ec99737ba2d0452194dc372a5349a9267873261c02/uv-0.11.3-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:088165b9eed981d2c2a58566cc75dd052d613e47c65e2416842d07308f793a6f", size = 22966245, upload-time = "2026-04-01T21:47:07.403Z" }, - { url = "https://files.pythonhosted.org/packages/38/74/1a1b0712daead7e85f56d620afe96fe166a04b615524c14027b4edd39b82/uv-0.11.3-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:ef0ae8ee2988928092616401ec7f473612b8e9589fe1567452c45dbc56840f85", size = 24623370, upload-time = "2026-04-01T21:47:03.59Z" }, - { url = "https://files.pythonhosted.org/packages/b6/62/5c3aa5e7bd2744810e50ad72a5951386ec84a513e109b1b5cb7ec442f3b6/uv-0.11.3-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:6708827ecb846d00c5512a7e4dc751c2e27b92e9bd55a0be390561ac68930c32", size = 25142735, upload-time = "2026-04-01T21:46:55.756Z" }, - { url = "https://files.pythonhosted.org/packages/88/ab/6266a04980e0877af5518762adfe23a0c1ab0b801ae3099a2e7b74e34411/uv-0.11.3-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:8df030ea7563e99c09854e1bc82ab743dfa2d0ba18976e6861979cb40d04dba7", size = 24512083, upload-time = "2026-04-01T21:46:43.531Z" }, - { url = "https://files.pythonhosted.org/packages/4e/be/7c66d350f833eb437f9aa0875655cc05e07b441e3f4a770f8bced56133f7/uv-0.11.3-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:0fde893b5ab9f6997fe357138e794bac09d144328052519fbbe2e6f72145e457", size = 24589293, upload-time = "2026-04-01T21:47:11.379Z" }, - { url = "https://files.pythonhosted.org/packages/18/4f/22ada41564a8c8c36653fc86f89faae4c54a4cdd5817bda53764a3eb352d/uv-0.11.3-py3-none-manylinux_2_28_aarch64.whl", hash = "sha256:45006bcd9e8718248a23ab81448a5beb46a72a9dd508e3212d6f3b8c63aeb88a", size = 23214854, upload-time = "2026-04-01T21:46:59.491Z" }, - { url = "https://files.pythonhosted.org/packages/aa/18/8669840657fea9fd668739dec89643afe1061c023c1488228b02f79a2399/uv-0.11.3-py3-none-manylinux_2_31_riscv64.musllinux_1_1_riscv64.whl", hash = "sha256:089b9d338a64463956b6fee456f03f73c9a916479bdb29009600781dc1e1d2a7", size = 23914434, upload-time = "2026-04-01T21:47:29.164Z" }, - { url = "https://files.pythonhosted.org/packages/08/0d/c59f24b3a1ae5f377aa6fd9653562a0968ea6be946fe35761871a0072919/uv-0.11.3-py3-none-manylinux_2_31_riscv64.whl", hash = "sha256:3ff461335888336467402cc5cb792c911df95dd0b52e369182cfa4c902bb21f4", size = 23971481, upload-time = "2026-04-01T21:47:48.551Z" }, - { url = "https://files.pythonhosted.org/packages/66/7d/f83ed79921310ef216ed6d73fcd3822dff4b66749054fb97e09b7bd5901e/uv-0.11.3-py3-none-musllinux_1_1_i686.whl", hash = "sha256:a62e29277efd39c35caf4a0fe739c4ebeb14d4ce4f02271f3f74271d608061ff", size = 23784797, upload-time = "2026-04-01T21:47:40.588Z" }, - { url = "https://files.pythonhosted.org/packages/35/19/3ff3539c44ca7dc2aa87b021d4a153ba6a72866daa19bf91c289e4318f95/uv-0.11.3-py3-none-musllinux_1_1_x86_64.whl", hash = "sha256:ebccdcdebd2b288925f0f7c18c39705dc783175952eacaf94912b01d3b381b86", size = 24794606, upload-time = "2026-04-01T21:47:36.814Z" }, - { url = "https://files.pythonhosted.org/packages/79/e5/e676454bb7cc5dcf5c4637ed3ef0ff97309d84a149b832a4dea53f04c0ab/uv-0.11.3-py3-none-win32.whl", hash = "sha256:794aae3bab141eafbe37c51dc5dd0139658a755a6fa9cc74d2dbd7c71dcc4826", size = 22573432, upload-time = "2026-04-01T21:47:15.143Z" }, - { url = "https://files.pythonhosted.org/packages/ff/a0/95d22d524bd3b4708043d65035f02fc9656e5fb6e0aaef73510313b1641b/uv-0.11.3-py3-none-win_amd64.whl", hash = "sha256:68fda574f2e5e7536a2b747dcea88329a71aad7222317e8f4717d0af8f99fbd4", size = 24969508, upload-time = "2026-04-01T21:47:19.515Z" }, - { url = "https://files.pythonhosted.org/packages/f8/6d/3f0b90a06e8c4594e11f813651756d6896de6dd4461f554fd7e4984a1c4f/uv-0.11.3-py3-none-win_arm64.whl", hash = "sha256:92ffc4d521ab2c4738ef05d8ef26f2750e26d31f3ad5611cdfefc52445be9ace", size = 23488911, upload-time = "2026-04-01T21:47:52.427Z" }, +version = "0.11.5" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/c1/cc/78a91ce11d04ce3b5ea7ea543cfe28f1564868bb5c34346fe727ae2078f1/uv-0.11.5.tar.gz", hash = "sha256:ad7582ddd9d5410ecde6d609a3bf66e01c0ec4bc8e2bb9aeaff76b033a5ec3ae", size = 4062802, upload-time = "2026-04-08T20:33:42.85Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/aa/0c/b78efab6bdd38a278752ec551f640b8857f2ccd846a9864e5bcf4d24707a/uv-0.11.5-py3-none-linux_armv6l.whl", hash = "sha256:6fb915d9667e2692bd96ea927d46c5b435fe436312e52ce00790b5844af7b848", size = 23693092, upload-time = "2026-04-08T20:33:25.732Z" }, + { url = "https://files.pythonhosted.org/packages/f0/4c/5098a21ff28c88b969f0ca9150f44148cfe5e6c9388af422a176c505c6d9/uv-0.11.5-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:f92fd58727bcf12615e4322006a0590f4375fced6529052e7c13a81f4636846c", size = 23120003, upload-time = "2026-04-08T20:33:17.645Z" }, + { url = "https://files.pythonhosted.org/packages/60/d9/1d890e98be779e06cc4c7c2576ff1722a20d31c3b50f772c6add9ad2c3b4/uv-0.11.5-py3-none-macosx_11_0_arm64.whl", hash = "sha256:1e34d016099248ec2be4e890a71c05a225ab256ba815571eff60bbbf709410e2", size = 21674719, upload-time = "2026-04-08T20:33:20.295Z" }, + { url = "https://files.pythonhosted.org/packages/58/41/35046e9c618547a635ce926aa48fa3787946a53ceb66f330c384e26bb34c/uv-0.11.5-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.musllinux_1_1_aarch64.whl", hash = "sha256:8fb1b7cedbe6e6f60e08cdd7aa64dcbd29ae4712089fbaab15dc2a8e8f243c4f", size = 23423173, upload-time = "2026-04-08T20:33:57.185Z" }, + { url = "https://files.pythonhosted.org/packages/c7/e9/b5417252167ecea577a3fb254d9cf8ea63c3338017c199c9d261a33ae276/uv-0.11.5-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.musllinux_1_1_armv7l.whl", hash = "sha256:063cedb810ac34a4796bca738118eb15718a3f3c0d7c7caa5f98dd1d4f65fc2e", size = 23215778, upload-time = "2026-04-08T20:33:34.605Z" }, + { url = "https://files.pythonhosted.org/packages/c0/41/8cd9595481819e9e000cf708ea07d4eb4d347de7d7117b47ae8e7e258713/uv-0.11.5-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:192b966efd1ffd230af410e1c969f94e18ef37964780f45a786dea25a6ca3d4e", size = 23233108, upload-time = "2026-04-08T20:33:40.711Z" }, + { url = "https://files.pythonhosted.org/packages/08/cb/4c731f7b48d1e7a4242c33064b0c4c88d151cdf638ecaf8117fca267f6fb/uv-0.11.5-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:cb6ced97cd44b63aa58144e9a307e0f94a1b133220d9734f405743b20ba5567e", size = 24818189, upload-time = "2026-04-08T20:33:28.401Z" }, + { url = "https://files.pythonhosted.org/packages/6a/15/15dfd92136d651cf2e2a003acceea45bda53db3ecf56f7891f791a6e07f3/uv-0.11.5-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:0820d2b87a50ab05721515d159010dc176aff98d35629550b733f6f3020e9419", size = 25514566, upload-time = "2026-04-08T20:33:03.262Z" }, + { url = "https://files.pythonhosted.org/packages/f3/b9/5d01bb1b9f315787c926b1ea3265125a5cacf00ab3cec7732f23dd4fff65/uv-0.11.5-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:82c3aad922362a393373a1681dfba108bca456e9b20f7d32c3338034ba6c8375", size = 24748557, upload-time = "2026-04-08T20:33:51.276Z" }, + { url = "https://files.pythonhosted.org/packages/3e/32/a309c83d7c71307331cc657da952e2c8b1368918be0abf53ce200f976d90/uv-0.11.5-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:8d0e40e5216714c8f5a502b27282c5f0bbf7994ae4d09fb09a728a2fe8f74799", size = 24835596, upload-time = "2026-04-08T20:33:48.414Z" }, + { url = "https://files.pythonhosted.org/packages/b1/4e/d078af5949b1d4769a379b753f3d407d7515fcf36f0499e350faddb2b8e9/uv-0.11.5-py3-none-manylinux_2_28_aarch64.whl", hash = "sha256:eeadc114cc6c076f93526e89f70323865568f2b46c3209d731e7e6496ad5bc31", size = 23503142, upload-time = "2026-04-08T20:33:22.967Z" }, + { url = "https://files.pythonhosted.org/packages/ab/36/82d03488da99e774557db5e25e0e4e59e15846dc193e78f38f2fe46d3f69/uv-0.11.5-py3-none-manylinux_2_31_riscv64.musllinux_1_1_riscv64.whl", hash = "sha256:f2b89af45b8dc932fcc36270b032594fad44af9194eba7331d3b2a62f42da41d", size = 24288663, upload-time = "2026-04-08T20:33:06.346Z" }, + { url = "https://files.pythonhosted.org/packages/8d/ff/c4a0ee964ef3662927dffc286d388571833aef8044462350bd38590f3c13/uv-0.11.5-py3-none-manylinux_2_31_riscv64.whl", hash = "sha256:d285946607782d36a016d29753a64636d4fb3c7e284e11802b0e26a050d03e85", size = 24318278, upload-time = "2026-04-08T20:34:00.386Z" }, + { url = "https://files.pythonhosted.org/packages/e6/60/df2dfd7cf1d03665a97023c69cca4aa6330e72cab09994ea19b98d922bff/uv-0.11.5-py3-none-musllinux_1_1_i686.whl", hash = "sha256:cacd4288721797d2987ecbdf7b016cebdaafdfed2034ab8e442e3b96721db6ac", size = 23962394, upload-time = "2026-04-08T20:33:45.173Z" }, + { url = "https://files.pythonhosted.org/packages/93/c4/a78900d0181c8d43581518f19b2c8a9ce59ca80c609141c112f271222ec1/uv-0.11.5-py3-none-musllinux_1_1_x86_64.whl", hash = "sha256:007177234bf6e3f4e22e12b9a72764adb316fe76883c4a766c6d4a887d0bc252", size = 25030807, upload-time = "2026-04-08T20:33:54.55Z" }, + { url = "https://files.pythonhosted.org/packages/a2/f3/8e8e9c19fdb3a223b3ec53d86a3ab4f7bc541d6170b339b916cc7c81e0be/uv-0.11.5-py3-none-win32.whl", hash = "sha256:137a529da317c24639a0c8d0d632091317d987bf81b8cad8f1ef11dabc0e1e07", size = 22870047, upload-time = "2026-04-08T20:33:31.811Z" }, + { url = "https://files.pythonhosted.org/packages/00/d6/f49e3a48347cadffc5be673c91aa81c411fd67708f1488f87865558f75ee/uv-0.11.5-py3-none-win_amd64.whl", hash = "sha256:d0c0bc72f40daffe52d4479027bc37e80ed573f3ded59c5b1acd550a78ac8ebb", size = 25290444, upload-time = "2026-04-08T20:33:37.711Z" }, + { url = "https://files.pythonhosted.org/packages/1b/42/0026690d18aebbdc8b4b72f884555e2349e99822115f5938d283044e12f3/uv-0.11.5-py3-none-win_arm64.whl", hash = "sha256:b6a32bf1221cb5d25a7a3c4b4e49f3291d04574b6c2f22d11707294737db722d", size = 23781340, upload-time = "2026-04-08T20:33:14.321Z" }, ] [[package]] From 6b818d3a72d6e4629b97d31ed7b979f64cf7be8f Mon Sep 17 00:00:00 2001 From: talshapir Date: Thu, 9 Apr 2026 18:56:01 +0300 Subject: [PATCH 19/26] Add new categories and improve action prompt --- .../action/ai/product_categories.py | 158 ++++++++++++------ .../mp/src/mp/describe/action/prompts/task.md | 66 +++++++- 2 files changed, 172 insertions(+), 52 deletions(-) diff --git a/packages/mp/src/mp/core/data_models/integrations/action/ai/product_categories.py b/packages/mp/src/mp/core/data_models/integrations/action/ai/product_categories.py index d8cfca923..e8f30299d 100644 --- a/packages/mp/src/mp/core/data_models/integrations/action/ai/product_categories.py +++ b/packages/mp/src/mp/core/data_models/integrations/action/ai/product_categories.py @@ -26,263 +26,319 @@ class ActionProductCategories(BaseModel): Field( title="Enrich IOC (hash, filename, IP, domain, URL, CVE, Threat Actor, Campaign)", description=( - "Expected Outcome:" + "Mark as true for actions that match the expected outcome." + " Expected Outcome:" " Returns reputation, prevalence, and threat intelligence" " (e.g., malware family, attribution) for the indicator." ), ), - ] = False + ] enrich_asset: Annotated[ bool, Field( title="Enrich Asset (hostname, user or internal resource)", description=( - "Expected Outcome:" + "Mark as true for actions that match the expected outcome." + " Expected Outcome:" " Returns contextual metadata (e.g., OS version, owner, department, MAC address)" " for a user or resource." ), ), - ] = False + ] update_alert: Annotated[ bool, Field( title="Update Alert", description=( - "Expected Outcome:" + "Mark as true for actions that match the expected outcome." + " Expected Outcome:" " Changes the status, severity, or assignee of the alert within the SecOps" " platform." ), ), - ] = False + ] add_alert_comment: Annotated[ bool, Field( title="Add Alert Comment", description=( - "Expected Outcome:" + "Mark as true for actions that match the expected outcome." + " Expected Outcome:" " Appends analyst notes or automated log entries to the alert's activity timeline." ), ), - ] = False + ] create_ticket: Annotated[ bool, Field( title="Create Ticket", description=( - "Expected Outcome:" + "Mark as true for actions that match the expected outcome." + " Expected Outcome:" " Generates a new record in an external ITSM (e.g., Jira, ServiceNow) and returns" " the Ticket ID." ), ), - ] = False + ] update_ticket: Annotated[ bool, Field( title="Update Ticket", description=( - "Expected Outcome:" + "Mark as true for actions that match the expected outcome." + " Expected Outcome:" " Synchronizes status, priority, or field changes from SecOps to the external" " ticketing system." ), ), - ] = False + ] add_ioc_to_blocklist: Annotated[ bool, Field( title="Add IOC To Blocklist", description=( - "Expected Outcome:" + "Mark as true for actions that match the expected outcome." + " Expected Outcome:" " Updates security controls (Firewall, EDR, Proxy) to prevent any future" " interaction with the IOC." ), ), - ] = False + ] remove_ioc_from_blocklist: Annotated[ bool, Field( title="Remove IOC From Blocklist", description=( - "Expected Outcome:" + "Mark as true for actions that match the expected outcome." + " Expected Outcome:" " Restores connectivity or execution rights for an indicator by removing it from" " restricted lists." ), ), - ] = False + ] add_ioc_to_allowlist: Annotated[ bool, Field( title="Add IOC To Allowlist", description=( - "Expected Outcome:" + "Mark as true for actions that match the expected outcome." + " Expected Outcome:" ' Marks an indicator as "known good" to prevent future security alerts or false' " positives." ), ), - ] = False + ] remove_ioc_from_allowlist: Annotated[ bool, Field( title="Remove IOC From Allowlist", description=( - "Expected Outcome:" + "Mark as true for actions that match the expected outcome." + " Expected Outcome:" " Re-enables standard security monitoring and blocking for a previously trusted" " indicator." ), ), - ] = False + ] disable_identity: Annotated[ bool, Field( title="Disable Identity (User, Account)", description=( - "Expected Outcome:" + "Mark as true for actions that match the expected outcome." + " Expected Outcome:" " Revokes active sessions and prevents a user or service account from" " authenticating to the network." ), ), - ] = False + ] enable_identity: Annotated[ bool, Field( title="Enable Identity (User, Account)", description=( - "Expected Outcome:" + "Mark as true for actions that match the expected outcome." + " Expected Outcome:" " Restores authentication capabilities and system access for a previously disabled" " account." ), ), - ] = False + ] contain_host: Annotated[ bool, Field( title="Contain Host", description=( - "Expected Outcome:" + "Mark as true for actions that match the expected outcome." + " Expected Outcome:" " Isolates an endpoint from the network via EDR, allowing communication only with" " the management console." ), ), - ] = False + ] uncontain_host: Annotated[ bool, Field( title="Uncontain Host", description=( - "Expected Outcome:" + "Mark as true for actions that match the expected outcome." + " Expected Outcome:" " Removes network isolation and restores the endpoint's full communication" " capabilities." ), ), - ] = False + ] reset_identity_password: Annotated[ bool, Field( title="Reset Identity Password (User, Account)", description=( - "Expected Outcome:" + "Mark as true for actions that match the expected outcome." + " Expected Outcome:" " Invalidates the current credentials and triggers a password change or temporary" " password generation." ), ), - ] = False + ] update_identity: Annotated[ bool, Field( title="Update Identity (User, Account)", description=( - "Expected Outcome:" + "Mark as true for actions that match the expected outcome." + " Expected Outcome:" " Modifies account metadata, such as group memberships, permissions, or contact" " information." ), ), - ] = False + ] search_events: Annotated[ bool, Field( title="Search Events", description=( - "Expected Outcome:" + "Mark as true for actions that match the expected outcome." + " Expected Outcome:" " Returns a collection of historical logs or telemetry data matching specific" " search parameters." ), ), - ] = False + ] execute_command_on_the_host: Annotated[ bool, Field( title="Execute Command on the Host", description=( - "Expected Outcome:" + "Mark as true for actions that match the expected outcome." + " Expected Outcome:" " Runs a script or system command on a remote endpoint and returns the standard" " output (STDOUT)." ), ), - ] = False + ] download_file: Annotated[ bool, Field( title="Download File", description=( - "Expected Outcome:" + "Mark as true for actions that match the expected outcome." + " Expected Outcome:" " Retrieves a specific file from a remote host for local forensic analysis" " or sandboxing." ), ), - ] = False + ] send_email: Annotated[ bool, Field( title="Send Email", description=( - "Expected Outcome:" + "Mark as true for actions that match the expected outcome." + " Expected Outcome:" " Dispatches an outbound email notification or response to specified recipients." ), ), - ] = False + ] search_email: Annotated[ bool, Field( title="Search Email", description=( - "Expected Outcome:" + "Mark as true for actions that match the expected outcome." + " Expected Outcome:" " Identifies and lists emails across the mail server based on criteria like sender," " subject, or attachment." ), ), - ] = False + ] delete_email: Annotated[ bool, Field( title="Delete Email", description=( - "Expected Outcome:" + "Mark as true for actions that match the expected outcome." + " Expected Outcome:" " Removes a specific email or thread from one or more user mailboxes" " (Purge/Withdraw)." ), ), - ] = False + ] update_email: Annotated[ bool, Field( title="Update Email", description=( - "Expected Outcome:" + "Mark as true for actions that match the expected outcome." + " Expected Outcome:" " Modifies the state of an email, such as moving it to quarantine, marking as read," " or applying labels." ), ), - ] = False + ] submit_file: Annotated[ bool, Field( title="Submit File", description=( - "Expected Outcome:" + "Mark as true for actions that match the expected outcome." + " Expected Outcome:" " Uploads a file or sample to a sandbox or analysis engine" " (e.g., VirusTotal, Joe Sandbox) and returns a behavior report or threat score." ), ), - ] = False + ] + send_message: Annotated[ + bool, + Field( + title="Send Message", + description=( + "Mark as true for actions that match the expected outcome." + " Expected Outcome:" + " Sends a message to a communication app (e.g., Google Chat, Microsoft Teams)" + ), + ), + ] + search_asset: Annotated[ + bool, + Field( + title="Search Asset", + description=( + "Mark as true for actions that match the expected outcome." + " Expected Outcome:" + " Searches for the asset associated with the alert within the product" + ), + ), + ] + get_alert_information: Annotated[ + bool, + Field( + title="Get Alert Information", + description=( + "Mark as true for actions that match the expected outcome." + " Expected Outcome: Fetches information about the alert from the 3rd party product" + ), + ), + ] class ActionProductCategory(enum.StrEnum): @@ -310,6 +366,9 @@ class ActionProductCategory(enum.StrEnum): DELETE_EMAIL = "Delete Email" UPDATE_EMAIL = "Update Email" SUBMIT_FILE = "Submit File" + SEND_MESSAGE = "Send Message" + SEARCH_ASSET = "Search Asset" + GET_ALERT_INFORMATION = "Get Alert Information" PRODUCT_CATEGORY_TO_DEF_PRODUCT_CATEGORY: dict[str, ActionProductCategory] = { @@ -337,4 +396,7 @@ class ActionProductCategory(enum.StrEnum): "delete_email": ActionProductCategory.DELETE_EMAIL, "update_email": ActionProductCategory.UPDATE_EMAIL, "submit_file": ActionProductCategory.SUBMIT_FILE, + "send_message": ActionProductCategory.SEND_MESSAGE, + "search_asset": ActionProductCategory.SEARCH_ASSET, + "get_alert_information": ActionProductCategory.GET_ALERT_INFORMATION, } diff --git a/packages/mp/src/mp/describe/action/prompts/task.md b/packages/mp/src/mp/describe/action/prompts/task.md index 905c8124f..0b39996c0 100644 --- a/packages/mp/src/mp/describe/action/prompts/task.md +++ b/packages/mp/src/mp/describe/action/prompts/task.md @@ -105,8 +105,37 @@ for entity in suitable_entities: "filters_by_is_enriched": false, "filters_by_is_pivot": false }, - "tags": { - "is_enrichment": true + "categories": { + "enrichment": true + }, + "action_product_categories": { + "add_alert_comment": false, + "add_ioc_to_allowlist": false, + "add_ioc_to_blocklist": false, + "contain_host": false, + "create_ticket": false, + "delete_email": false, + "disable_identity": false, + "download_file": false, + "enable_identity": false, + "enrich_asset": false, + "enrich_ioc": true, + "execute_command_on_the_host": false, + "get_alert_information": false, + "remove_ioc_from_allowlist": false, + "remove_ioc_from_blocklist": false, + "reset_identity_password": false, + "search_asset": false, + "search_email": false, + "search_events": false, + "send_email": false, + "send_message": false, + "submit_file": false, + "uncontain_host": false, + "update_alert": false, + "update_email": false, + "update_identity": false, + "update_ticket": false } } ``` @@ -170,8 +199,37 @@ if result['success']: "filters_by_is_enriched": false, "filters_by_is_pivot": false }, - "tags": { - "is_enrichment": false + "categories": { + "enrichment": false + }, + "action_product_categories": { + "add_alert_comment": false, + "add_ioc_to_allowlist": false, + "add_ioc_to_blocklist": false, + "contain_host": true, + "create_ticket": false, + "delete_email": false, + "disable_identity": false, + "download_file": false, + "enable_identity": false, + "enrich_asset": false, + "enrich_ioc": false, + "execute_command_on_the_host": false, + "get_alert_information": false, + "remove_ioc_from_allowlist": false, + "remove_ioc_from_blocklist": false, + "reset_identity_password": false, + "search_asset": false, + "search_email": false, + "search_events": false, + "send_email": false, + "send_message": false, + "submit_file": false, + "uncontain_host": false, + "update_alert": false, + "update_email": false, + "update_identity": false, + "update_ticket": false } } ``` From 87e6b9fb1dfc8139569c29c02fd7cbf96d22096b Mon Sep 17 00:00:00 2001 From: talshapir Date: Sun, 12 Apr 2026 10:46:57 +0300 Subject: [PATCH 20/26] Rerun descriptions --- .../resources/ai/actions_ai_description.yaml | 349 +- .../ai/integration_ai_description.yaml | 14 - .../resources/ai/actions_ai_description.yaml | 98 +- .../ai/integration_ai_description.yaml | 14 - .../resources/ai/actions_ai_description.yaml | 303 +- .../ai/integration_ai_description.yaml | 14 - .../resources/ai/actions_ai_description.yaml | 104 +- .../ai/integration_ai_description.yaml | 14 - .../resources/ai/actions_ai_description.yaml | 139 +- .../ai/integration_ai_description.yaml | 14 - .../resources/ai/actions_ai_description.yaml | 314 +- .../ai/integration_ai_description.yaml | 22 +- .../resources/ai/actions_ai_description.yaml | 176 +- .../ai/integration_ai_description.yaml | 14 - .../resources/ai/actions_ai_description.yaml | 102 +- .../ai/integration_ai_description.yaml | 14 - .../resources/ai/actions_ai_description.yaml | 153 +- .../ai/integration_ai_description.yaml | 14 - .../resources/ai/actions_ai_description.yaml | 139 +- .../ai/connectors_ai_description.yaml | 91 +- .../ai/integration_ai_description.yaml | 14 - .../ai/connectors_ai_description.yaml | 134 +- .../ai/integration_ai_description.yaml | 2 +- .../resources/ai/actions_ai_description.yaml | 491 +-- .../resources/ai/actions_ai_description.yaml | 1270 ++++--- .../ai/integration_ai_description.yaml | 2 +- .../resources/ai/actions_ai_description.yaml | 1053 +++--- .../resources/ai/actions_ai_description.yaml | 1080 +++--- .../resources/ai/actions_ai_description.yaml | 111 +- .../resources/ai/jobs_ai_description.yaml | 1145 +++--- .../resources/ai/actions_ai_description.yaml | 364 +- .../ai/integration_ai_description.yaml | 4 +- .../resources/ai/actions_ai_description.yaml | 508 +-- .../resources/ai/actions_ai_description.yaml | 384 +- .../resources/ai/actions_ai_description.yaml | 485 +-- .../resources/ai/actions_ai_description.yaml | 3194 +++++++++-------- .../ai/integration_ai_description.yaml | 2 +- .../resources/ai/jobs_ai_description.yaml | 114 +- .../resources/ai/actions_ai_description.yaml | 203 +- .../resources/ai/actions_ai_description.yaml | 800 +++-- .../ai/connectors_ai_description.yaml | 64 +- .../resources/ai/actions_ai_description.yaml | 918 ++--- .../resources/ai/actions_ai_description.yaml | 520 +-- .../ai/integration_ai_description.yaml | 2 +- .../resources/ai/actions_ai_description.yaml | 802 +++-- .../resources/ai/actions_ai_description.yaml | 236 +- .../ai/integration_ai_description.yaml | 2 +- .../resources/ai/actions_ai_description.yaml | 659 ++-- .../resources/ai/actions_ai_description.yaml | 102 +- .../ai/connectors_ai_description.yaml | 68 +- .../resources/ai/actions_ai_description.yaml | 1637 +++++---- .../ai/integration_ai_description.yaml | 2 +- .../resources/ai/actions_ai_description.yaml | 125 +- .../resources/ai/actions_ai_description.yaml | 235 +- .../resources/ai/actions_ai_description.yaml | 122 +- .../ai/connectors_ai_description.yaml | 96 +- .../resources/ai/actions_ai_description.yaml | 95 +- .../ai/connectors_ai_description.yaml | 59 +- .../resources/ai/actions_ai_description.yaml | 463 ++- .../resources/ai/actions_ai_description.yaml | 154 +- .../resources/ai/actions_ai_description.yaml | 95 +- .../ai/connectors_ai_description.yaml | 68 +- .../resources/ai/actions_ai_description.yaml | 631 ++-- .../ai/connectors_ai_description.yaml | 111 +- .../ai/integration_ai_description.yaml | 2 +- .../resources/ai/actions_ai_description.yaml | 180 +- .../resources/ai/actions_ai_description.yaml | 316 +- .../ai/connectors_ai_description.yaml | 51 +- .../ai/integration_ai_description.yaml | 2 +- .../resources/ai/actions_ai_description.yaml | 357 +- .../ai/connectors_ai_description.yaml | 99 +- .../resources/ai/actions_ai_description.yaml | 422 ++- .../ai/connectors_ai_description.yaml | 60 +- .../ai/integration_ai_description.yaml | 2 +- .../resources/ai/actions_ai_description.yaml | 170 +- .../ai/integration_ai_description.yaml | 2 +- .../resources/ai/actions_ai_description.yaml | 358 +- .../resources/ai/actions_ai_description.yaml | 703 ++-- .../resources/ai/actions_ai_description.yaml | 149 +- .../resources/ai/actions_ai_description.yaml | 1139 +++--- .../ai/connectors_ai_description.yaml | 77 +- .../ai/integration_ai_description.yaml | 2 +- .../resources/ai/actions_ai_description.yaml | 218 +- .../resources/ai/actions_ai_description.yaml | 459 ++- .../resources/ai/actions_ai_description.yaml | 236 +- .../resources/ai/actions_ai_description.yaml | 538 +-- .../ai/connectors_ai_description.yaml | 59 +- .../ai/integration_ai_description.yaml | 2 +- .../resources/ai/actions_ai_description.yaml | 326 +- .../ai/connectors_ai_description.yaml | 89 +- .../resources/ai/actions_ai_description.yaml | 96 +- .../ai/connectors_ai_description.yaml | 115 +- .../ai/integration_ai_description.yaml | 2 +- .../resources/ai/jobs_ai_description.yaml | 40 +- .../resources/ai/actions_ai_description.yaml | 335 +- .../ai/integration_ai_description.yaml | 4 +- .../resources/ai/actions_ai_description.yaml | 660 ++-- .../ai/connectors_ai_description.yaml | 177 +- .../resources/ai/actions_ai_description.yaml | 153 +- .../resources/ai/actions_ai_description.yaml | 674 ++-- .../ai/connectors_ai_description.yaml | 46 +- .../resources/ai/actions_ai_description.yaml | 111 +- .../ai/connectors_ai_description.yaml | 53 +- .../ai/integration_ai_description.yaml | 2 +- .../resources/ai/actions_ai_description.yaml | 217 +- .../resources/ai/actions_ai_description.yaml | 184 +- .../resources/ai/actions_ai_description.yaml | 515 ++- .../resources/ai/actions_ai_description.yaml | 353 +- .../ai/connectors_ai_description.yaml | 145 +- .../resources/ai/jobs_ai_description.yaml | 48 +- .../resources/ai/actions_ai_description.yaml | 180 +- .../resources/ai/actions_ai_description.yaml | 506 ++- .../resources/ai/actions_ai_description.yaml | 128 +- .../resources/ai/actions_ai_description.yaml | 324 +- .../resources/ai/actions_ai_description.yaml | 1291 ++++--- .../resources/ai/actions_ai_description.yaml | 891 ++--- .../ai/connectors_ai_description.yaml | 88 +- .../resources/ai/actions_ai_description.yaml | 637 ++-- .../resources/ai/actions_ai_description.yaml | 2136 ++++++----- .../ai/connectors_ai_description.yaml | 91 +- .../ai/integration_ai_description.yaml | 6 +- .../resources/ai/jobs_ai_description.yaml | 68 +- .../resources/ai/actions_ai_description.yaml | 1849 +++++----- .../ai/connectors_ai_description.yaml | 77 +- .../ai/integration_ai_description.yaml | 2 +- .../resources/ai/jobs_ai_description.yaml | 85 +- .../resources/ai/actions_ai_description.yaml | 571 +-- .../ai/connectors_ai_description.yaml | 72 +- .../ai/integration_ai_description.yaml | 2 +- .../resources/ai/actions_ai_description.yaml | 305 +- .../resources/ai/actions_ai_description.yaml | 212 +- .../resources/ai/actions_ai_description.yaml | 376 +- .../resources/ai/actions_ai_description.yaml | 510 +-- .../resources/ai/actions_ai_description.yaml | 968 ++--- .../resources/ai/actions_ai_description.yaml | 116 +- .../resources/ai/jobs_ai_description.yaml | 96 +- .../resources/ai/actions_ai_description.yaml | 233 +- .../resources/ai/actions_ai_description.yaml | 571 +-- .../resources/ai/actions_ai_description.yaml | 396 +- .../resources/ai/actions_ai_description.yaml | 384 +- .../resources/ai/actions_ai_description.yaml | 152 +- .../ai/integration_ai_description.yaml | 2 +- .../resources/ai/actions_ai_description.yaml | 1347 +++---- .../resources/ai/actions_ai_description.yaml | 632 ++-- .../ai/connectors_ai_description.yaml | 222 +- .../resources/ai/actions_ai_description.yaml | 323 +- .../resources/ai/actions_ai_description.yaml | 440 ++- .../resources/ai/actions_ai_description.yaml | 454 +-- .../ai/connectors_ai_description.yaml | 95 +- .../resources/ai/actions_ai_description.yaml | 547 +-- .../ai/connectors_ai_description.yaml | 155 +- .../resources/ai/actions_ai_description.yaml | 268 +- .../resources/ai/actions_ai_description.yaml | 1629 ++++----- .../resources/ai/actions_ai_description.yaml | 2062 ++++++----- .../ai/connectors_ai_description.yaml | 194 +- .../resources/ai/actions_ai_description.yaml | 213 +- .../resources/ai/actions_ai_description.yaml | 1070 +++--- .../resources/ai/actions_ai_description.yaml | 386 +- .../ai/integration_ai_description.yaml | 2 +- .../resources/ai/actions_ai_description.yaml | 110 +- .../ai/integration_ai_description.yaml | 4 +- .../resources/ai/jobs_ai_description.yaml | 116 +- .../resources/ai/actions_ai_description.yaml | 626 ++-- .../ai/connectors_ai_description.yaml | 106 +- .../resources/ai/actions_ai_description.yaml | 1434 ++++---- .../ai/connectors_ai_description.yaml | 312 +- .../resources/ai/actions_ai_description.yaml | 839 +++-- .../ai/integration_ai_description.yaml | 2 +- .../resources/ai/actions_ai_description.yaml | 2197 ++++++------ .../resources/ai/actions_ai_description.yaml | 783 ++-- .../resources/ai/actions_ai_description.yaml | 309 +- .../ai/integration_ai_description.yaml | 2 +- .../resources/ai/actions_ai_description.yaml | 355 +- .../resources/ai/actions_ai_description.yaml | 161 +- .../ai/connectors_ai_description.yaml | 69 +- .../ai/integration_ai_description.yaml | 2 +- .../resources/ai/actions_ai_description.yaml | 286 +- .../resources/ai/actions_ai_description.yaml | 405 ++- .../ai/integration_ai_description.yaml | 2 +- .../resources/ai/actions_ai_description.yaml | 445 ++- .../ai/integration_ai_description.yaml | 2 +- packages/mp/src/mp/core/llm/gemini.py | 2 +- 182 files changed, 32557 insertions(+), 30052 deletions(-) diff --git a/content/response_integrations/google/cyber_x/resources/ai/actions_ai_description.yaml b/content/response_integrations/google/cyber_x/resources/ai/actions_ai_description.yaml index 07c6a40bb..ad5d01d72 100644 --- a/content/response_integrations/google/cyber_x/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/google/cyber_x/resources/ai/actions_ai_description.yaml @@ -1,34 +1,70 @@ -# Copyright 2026 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - Enrich Endpoints: - ai_description: "Enriches Hostname and Address entities using CyberX. This action\ - \ retrieves detailed device information from the CyberX platform to provide context\ - \ about endpoints within the network. \n\n### Flow Description:\n1. **Authentication**:\ - \ Initializes the CyberX manager using the API Root and Access Token provided\ - \ in the integration configuration.\n2. **Entity Filtering**: Identifies all Address\ - \ (IP) and Hostname entities within the current scope.\n3. **Data Retrieval**:\ - \ For each identified entity, the action queries the CyberX API to find a matching\ - \ device record. \n4. **Enrichment**: If a device is found, the action adds a\ - \ data table to the entity containing the raw device information and updates the\ - \ entity's additional properties with the retrieved data, prefixed with 'CX_'.\n\ - \n### Parameters Description:\n| Parameter Name | Description | Type | Mandatory\ - \ | \n| :--- | :--- | :--- | :--- |\n| None | This action does not have any specific\ - \ input parameters; it relies on the integration's global configuration. | N/A\ - \ | N/A |\n\n### Additional Notes:\n* This action performs a lookup against all\ - \ devices known to the CyberX instance. If a large number of devices exist, performance\ - \ may be impacted by the underlying API call to fetch all devices." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + Enriches Hostname and Address entities using CyberX. This action retrieves detailed + device information from the CyberX platform to provide context about endpoints + within the network, such as OS, device type, and other metadata. + + + ### Flow Description: + + 1. **Authentication**: Initializes the CyberX manager using the API Root and Access + Token provided in the integration configuration. + + 2. **Entity Filtering**: Identifies all Address (IP) and Hostname entities within + the current scope. + + 3. **Data Retrieval**: For each identified entity, the action queries the CyberX + API (fetching all devices and filtering locally) to find a matching device record + by IP or Hostname. + + 4. **Enrichment**: If a device is found, the action adds a data table to the entity + containing the raw device information and updates the entity's additional properties + with the retrieved data, prefixed with 'CX_'. + + + ### Parameters Description: + + | Parameter Name | Description | Type | Mandatory | + + | :--- | :--- | :--- | :--- | + + | None | This action does not have any specific input parameters; it relies on + the integration's global configuration. | N/A | N/A | + + + ### Additional Notes: + + * This action performs a lookup against all devices known to the CyberX instance. + If a large number of devices exist, performance may be impacted by the underlying + API call to fetch all devices. capabilities: can_create_case_comments: false can_create_insight: false @@ -39,14 +75,14 @@ Enrich Endpoints: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with device metadata retrieved from CyberX - and adds entity data tables. + The action updates entity additional properties with retrieved device metadata + and adds a data table to the entity for visualization. categories: enrichment: true entity_usage: entity_types: - - ADDRESS - - HOSTNAME + - ADDRESS + - HOSTNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -60,6 +96,7 @@ Enrich Endpoints: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Alerts: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -70,39 +107,41 @@ Enrich Endpoints: disable_identity: false download_file: false enable_identity: false - enrich_asset: true + enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: true remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Alerts: - ai_description: "### General Description\nThe **Get Alerts** action retrieves a\ - \ comprehensive list of all security alerts currently detected by the CyberX XSense\ - \ platform. This action provides visibility into external security events by pulling\ - \ them into the Google SecOps environment for analysis and reporting.\n\n### Parameters\ - \ Description\nThere are no input parameters for this action. It utilizes the\ - \ global integration configuration (API Root and Access Token) to authenticate\ - \ and communicate with the CyberX API.\n\n### Flow Description\n1. **Initialization**:\ - \ The action initializes the CyberX manager using the provided API credentials\ - \ and SSL settings.\n2. **Data Retrieval**: It executes a GET request to the `/api/v1/alerts`\ - \ endpoint to fetch the full list of alerts from the CyberX instance.\n3. **Data\ - \ Processing**: If alerts are found, the action flattens the JSON response and\ - \ formats it into a CSV-compatible structure.\n4. **Output Generation**: \n \ - \ * A data table titled 'Result Alerts' is added to the action results for display\ - \ in the SOAR UI.\n * The raw JSON data of all alerts is returned as the script\ - \ result.\n * An output message is generated stating the total number of alerts\ - \ retrieved.\n\n### Additional Notes\nThis is a global retrieval action and does\ - \ not operate on specific entities within a case." + ai_description: >- + ### General Description The **Get Alerts** action retrieves a comprehensive list + of all security alerts currently detected by the CyberX XSense platform. This + action provides visibility into external security events by pulling them into + the Google SecOps environment for analysis and reporting. ### Parameters Description + No parameters are required for this action. It utilizes the global integration + configuration (API Root and Access Token) to authenticate and communicate with + the CyberX API. ### Flow Description 1. **Initialization**: The action initializes + the CyberX manager using the provided API credentials and SSL settings. 2. **Data + Retrieval**: It executes a GET request to the `/api/v1/alerts` endpoint to fetch + the full list of alerts from the CyberX instance. 3. **Data Processing**: If alerts + are found, the action flattens the JSON response and formats it into a CSV-compatible + structure. 4. **Output Generation**: A data table titled 'Result Alerts' is added + to the action results for display in the SOAR UI. The raw JSON data of all alerts + is returned as the script result. An output message is generated stating the total + number of alerts retrieved. ### Additional Notes This is a global retrieval action + and does not operate on specific entities within a case. capabilities: can_create_case_comments: false can_create_insight: false @@ -116,7 +155,7 @@ Get Alerts: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -130,6 +169,7 @@ Get Alerts: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Connections for Endpoint: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -140,60 +180,85 @@ Get Alerts: disable_identity: false download_file: false enable_identity: false - enrich_asset: false + enrich_asset: true enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Connections for Endpoint: - ai_description: "The **Get Connections for Endpoint** action retrieves a comprehensive\ - \ list of network connections associated with specific devices from the CyberX\ - \ platform. It supports both IP Address (ADDRESS) and Hostname (HOSTNAME) entities.\ - \ This action is primarily used for visibility and forensic investigation, allowing\ - \ analysts to see which other assets or external addresses a device has communicated\ - \ with. The retrieved data is presented as a table attached to the entity within\ - \ the case.\n\n### Parameters Description\n\n| Parameter | Type | Mandatory |\ - \ Description |\n| :--- | :--- | :--- | :--- |\n| N/A | N/A | N/A | This action\ - \ does not have any input parameters. |\n\n### Additional Notes\n\n* The action\ - \ first resolves the entity to a CyberX Device ID before fetching connection data.\ - \ \n* If a device is not found in CyberX for a given entity, an error will be\ - \ logged for that specific entity, but the action will continue to process others.\n\ - \n### Flow Description\n\n1. **Entity Filtering:** The action identifies all `ADDRESS`\ - \ and `HOSTNAME` entities in the current context.\n2. **Device Resolution:** For\ - \ each entity, it queries the CyberX API to find the internal `device_id` by matching\ - \ the IP address or hostname.\n3. **Connection Retrieval:** Using the resolved\ - \ `device_id`, it fetches all recorded network connections from the CyberX `/api/v1/devices/{device_id}/connections`\ - \ endpoint.\n4. **Data Presentation:** The retrieved connection data is flattened\ - \ and added as an Entity Table to the respective entity in the Google SecOps case\ - \ for analyst review." + ai_description: >- + The **Get Connections for Endpoint** action retrieves a comprehensive list of + network connections associated with specific devices from the CyberX platform. + It supports both IP Address (ADDRESS) and Hostname (HOSTNAME) entities. This action + is primarily used for visibility and forensic investigation, allowing analysts + to see which other assets or external addresses a device has communicated with. + The retrieved data is presented as a table attached to the entity within the case. + + + ### Parameters Description + + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | N/A | N/A | N/A | This action does not have any input parameters. | + + + ### Additional Notes + + + * The action first resolves the entity to a CyberX Device ID before fetching connection + data. + + * If a device is not found in CyberX for a given entity, an error will be logged + for that specific entity, but the action will continue to process others. + + + ### Flow Description + + + 1. **Entity Filtering:** The action identifies all `ADDRESS` and `HOSTNAME` entities + in the current context. + + 2. **Device Resolution:** For each entity, it queries the CyberX API to find the + internal `device_id` by matching the IP address or hostname. + + 3. **Connection Retrieval:** Using the resolved `device_id`, it fetches all recorded + network connections from the CyberX `/api/v1/devices/{device_id}/connections` + endpoint. + + 4. **Data Presentation:** The retrieved connection data is flattened and added + as an Entity Table to the respective entity in the Google SecOps case for analyst + review. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: >- - The action adds a data table to the entity within the Google SecOps platform - to display connection information retrieved from CyberX. + internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: entity_types: - - ADDRESS - - HOSTNAME + - ADDRESS + - HOSTNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -207,6 +272,7 @@ Get Connections for Endpoint: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Device Vulnerability Report: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -220,19 +286,21 @@ Get Connections for Endpoint: enrich_asset: true enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Device Vulnerability Report: ai_description: >- ### General Description @@ -277,14 +345,13 @@ Get Device Vulnerability Report: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Adds a vulnerability report table to the entity's data within the Google SecOps - case to provide contextual enrichment. + Adds a vulnerability report as an entity table to the enriched entities. categories: enrichment: true entity_usage: entity_types: - - ADDRESS - - HOSTNAME + - ADDRESS + - HOSTNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -298,6 +365,7 @@ Get Device Vulnerability Report: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Events: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -308,65 +376,42 @@ Get Device Vulnerability Report: disable_identity: false download_file: false enable_identity: false - enrich_asset: true + enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: false + search_events: true send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Events: ai_description: >- - ### General Description - - The **Get Events** action retrieves a comprehensive list of events reported to - the CyberX event log. This action is designed to provide visibility into system - activities and historical logs within the CyberX platform, facilitating auditing - and monitoring workflows. - - - ### Parameters Description - - | Parameter Name | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | N/A | N/A | N/A | This action does not require any input parameters. | - - - ### Additional Notes - - - This action is a global fetch operation and does not target specific entities - within a case. - - - The retrieved events are automatically flattened and presented in a data table - for easier analysis. - - - ### Flow Description - - 1. **Connection**: The action establishes a connection to the CyberX API using - the configured API Root and Access Token. - - 2. **Data Retrieval**: It performs a GET request to the `/api/v1/events` endpoint - to fetch all available event logs. - - 3. **Data Transformation**: The resulting event data is processed and flattened - using utility functions to ensure compatibility with tabular displays. - - 4. **Reporting**: If events are found, they are added to a data table titled 'Result - Events'. - - 5. **Completion**: The action concludes by providing a summary message of the - number of events found and returning the raw JSON data. + ### General Description\nThe **Get Events** action retrieves a comprehensive list + of events reported to the CyberX event log. This action is designed to provide + visibility into system activities and historical logs within the CyberX platform, + facilitating auditing and monitoring workflows.\n\n### Parameters Description\n| + Parameter Name | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- + |\n| N/A | N/A | N/A | This action does not require any input parameters. |\n\n### + Additional Notes\n- This action is a global fetch operation and does not target + specific entities within a case.\n- The retrieved events are automatically flattened + and presented in a data table for easier analysis.\n\n### Flow Description\n1. + **Connection**: The action establishes a connection to the CyberX API using the + configured API Root and Access Token.\n2. **Data Retrieval**: It performs a GET + request to the `/api/v1/events` endpoint to fetch all available event logs.\n3. + **Data Transformation**: The resulting event data is processed and flattened using + utility functions to ensure compatibility with tabular displays.\n4. **Reporting**: + If events are found, they are added to a data table titled 'Result Events'.\n5. + **Completion**: The action concludes by providing a summary message of the number + of events found and returning the raw JSON data. capabilities: can_create_case_comments: false can_create_insight: false @@ -380,7 +425,7 @@ Get Events: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -394,6 +439,7 @@ Get Events: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -407,19 +453,21 @@ Get Events: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: ai_description: >- ### General Description @@ -469,7 +517,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -483,28 +531,3 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/google/cyber_x/resources/ai/integration_ai_description.yaml b/content/response_integrations/google/cyber_x/resources/ai/integration_ai_description.yaml index 936908b36..18fead5ae 100644 --- a/content/response_integrations/google/cyber_x/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/google/cyber_x/resources/ai/integration_ai_description.yaml @@ -1,17 +1,3 @@ -# Copyright 2026 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - product_categories: asset_inventory: true cloud_security: false diff --git a/content/response_integrations/google/juniper_vsrx/resources/ai/actions_ai_description.yaml b/content/response_integrations/google/juniper_vsrx/resources/ai/actions_ai_description.yaml index d1fd6e6e4..51903d198 100644 --- a/content/response_integrations/google/juniper_vsrx/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/google/juniper_vsrx/resources/ai/actions_ai_description.yaml @@ -1,18 +1,32 @@ -# Copyright 2026 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - Add IP To Address Set: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- Adds IP address entities to a specified address set on a Juniper VSRX device. This action allows for the organization of network addresses into sets, which @@ -67,15 +81,15 @@ Add IP To Address Set: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates new address records and modifies address set configurations on the Juniper - VSRX device, followed by a configuration commit to apply the changes. + Creates address records and updates address sets on the Juniper VSRX device, + followed by a configuration commit. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: entity_types: - - ADDRESS + - ADDRESS filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -89,10 +103,11 @@ Add IP To Address Set: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false - add_ioc_to_blocklist: true + add_ioc_to_blocklist: false contain_host: false create_ticket: false delete_email: false @@ -102,19 +117,21 @@ Add IP To Address Set: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: ai_description: >- ### General Description @@ -167,7 +184,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -181,6 +198,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Remove IP From Address Set: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -194,19 +212,21 @@ Ping: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false + remove_ioc_from_blocklist: true reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Remove IP From Address Set: ai_description: >- Removes IP Address entities from a specified address set on a Juniper VSRX device. This action is typically used to reverse a previous blocking or containment action @@ -222,7 +242,8 @@ Remove IP From Address Set: current scope. 3. **Record Identification:** For each IP address, it queries the Juniper VSRX - device to find the specific internal record name associated with that IP. + device using an RPC call to find the specific internal record name associated + with that IP. 4. **Configuration Staging:** It loads deletion commands into the device's configuration buffer to remove the address record and its association with the specified address @@ -260,15 +281,15 @@ Remove IP From Address Set: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Removes address records and address set memberships from the Juniper VSRX configuration - and commits the changes. + Removes address records and their associations from address sets on the Juniper + VSRX device and commits the configuration changes. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: entity_types: - - ADDRESS + - ADDRESS filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -282,28 +303,3 @@ Remove IP From Address Set: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: true - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/google/juniper_vsrx/resources/ai/integration_ai_description.yaml b/content/response_integrations/google/juniper_vsrx/resources/ai/integration_ai_description.yaml index 733471053..b927e7b41 100644 --- a/content/response_integrations/google/juniper_vsrx/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/google/juniper_vsrx/resources/ai/integration_ai_description.yaml @@ -1,17 +1,3 @@ -# Copyright 2026 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - product_categories: asset_inventory: false cloud_security: false diff --git a/content/response_integrations/google/mc_afee_nsm/resources/ai/actions_ai_description.yaml b/content/response_integrations/google/mc_afee_nsm/resources/ai/actions_ai_description.yaml index 6e4fabe4c..55bd89f49 100644 --- a/content/response_integrations/google/mc_afee_nsm/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/google/mc_afee_nsm/resources/ai/actions_ai_description.yaml @@ -1,18 +1,32 @@ -# Copyright 2026 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - Block IP: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: true + contain_host: true + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- Blocks IP address entities in McAfee Network Security Manager (NSM). The action interacts with the NSM API to manage firewall rule objects and policies. It checks @@ -66,15 +80,15 @@ Block IP: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates or updates rule objects in McAfee NSM, modifies firewall policies to - include these objects, and triggers a configuration update on network sensors. + Creates or updates firewall rule objects in McAfee NSM and triggers a configuration + push to network sensors to enforce the block. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: entity_types: - - ADDRESS + - ADDRESS filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -88,10 +102,11 @@ Block IP: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Alert Info Data: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false - add_ioc_to_blocklist: true + add_ioc_to_blocklist: false contain_host: false create_ticket: false delete_email: false @@ -101,19 +116,21 @@ Block IP: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: true remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Alert Info Data: ai_description: >- ### General Description @@ -161,17 +178,15 @@ Get Alert Info Data: can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: >- - Adds a JSON table containing alert details to the case and populates the action - result with the alert data. + internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -185,6 +200,7 @@ Get Alert Info Data: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Is IP Blocked: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -198,19 +214,21 @@ Get Alert Info Data: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Is IP Blocked: ai_description: >- ### General Description @@ -222,22 +240,26 @@ Is IP Blocked: ### Parameters Description - This action does not require any input parameters. It uses the global integration - configuration to connect to the McAfee NSM instance. + | Parameter | Description | Type | Mandatory | + + | :--- | :--- | :--- | :--- | + + | None | This action does not require any input parameters. | N/A | N/A | ### Flow Description - 1. **Authentication**: Connects to the McAfee NSM API and establishes a session. + 1. **Authentication**: Connects to the McAfee NSM API using the global integration + credentials and establishes a session. 2. **Entity Identification**: Filters the case entities to identify all `ADDRESS` (IP) types. 3. **Block Verification**: For each IP entity, the action queries the NSM to find - rule objects that: - * Start with the prefix `Siemplify_Block`. - * Contain the specific IP address. - * Are actively linked to the firewall policy defined in the integration settings. + rule objects that start with the prefix `Siemplify_Block`, contain the specific + IP address, and are actively linked to the firewall policy defined in the integration + settings. + 4. **Categorization**: Groups the entities into 'Blocked' and 'Unblocked' lists based on the API response. @@ -263,7 +285,7 @@ Is IP Blocked: enrichment: true entity_usage: entity_types: - - ADDRESS + - ADDRESS filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -277,6 +299,7 @@ Is IP Blocked: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -288,39 +311,41 @@ Is IP Blocked: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: true + enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: - ai_description: "### General Description\nThe **Ping** action is a diagnostic utility\ + ai_description: "### General Description\\nThe **Ping** action is a diagnostic utility\ \ designed to verify the connectivity between Google SecOps and the McAfee Network\ \ Security Manager (NSM) instance. Its primary purpose is to ensure that the integration's\ \ configuration parameters\u2014such as the API Root, credentials, and Domain\ - \ ID\u2014are correct and that the NSM service is reachable over the network.\n\ - \n### Parameters Description\nThis action does not require any additional input\ - \ parameters. It relies entirely on the global integration configuration.\n\n\ - ### Flow Description\n1. **Configuration Retrieval**: The action fetches the integration's\ - \ configuration, including the API Root, Username, Password, and Domain ID.\n\ - 2. **Authentication**: It initializes the `NsmManager`, which triggers a login\ - \ request to the NSM `session` endpoint to obtain an authentication token.\n3.\ - \ **Session Termination**: Immediately after a successful login, the action calls\ - \ the `logout` method to close the session on the NSM server.\n4. **Result Reporting**:\ - \ If the login and logout sequence completes without exceptions, the action ends\ - \ with a success message: \"Connection Established.\"\n\n### Additional Notes\n\ - * This action is strictly for connectivity testing and does not perform any security\ - \ operations or data retrieval.\n* As per standard conventions, this action is\ - \ not classified as an enrichment action." + \ ID\u2014are correct and that the NSM service is reachable over the network.\\\ + n\\n### Parameters Description\\nThis action does not require any additional input\ + \ parameters. It relies entirely on the global integration configuration.\\n\\\ + n### Flow Description\\n1. **Configuration Retrieval**: The action fetches the\ + \ integration's configuration, including the API Root, Username, Password, and\ + \ Domain ID.\\n2. **Authentication**: It initializes the `NsmManager`, which triggers\ + \ a login request to the NSM `session` endpoint to obtain an authentication token.\\\ + n3. **Session Termination**: Immediately after a successful login, the action\ + \ calls the `logout` method to close the session on the NSM server.\\n4. **Result\ + \ Reporting**: If the login and logout sequence completes without exceptions,\ + \ the action ends with a success message: \"Connection Established.\"\\n\\n###\ + \ Additional Notes\\n* This action is strictly for connectivity testing and does\ + \ not perform any security operations or data retrieval.\\n* As per standard conventions,\ + \ this action is not classified as an enrichment action." capabilities: can_create_case_comments: false can_create_insight: false @@ -334,7 +359,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -348,11 +373,12 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Quarantine IP: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false - contain_host: false + contain_host: true create_ticket: false delete_email: false disable_identity: false @@ -361,19 +387,21 @@ Ping: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Quarantine IP: ai_description: >- ### General Description @@ -382,22 +410,46 @@ Quarantine IP: the NSM API, the action triggers a quarantine command that restricts the network activity of the target host. This is a critical containment capability used during security incidents to prevent lateral movement or data exfiltration from compromised - internal assets.\n\n### Parameters Description\n| Parameter | Type | Mandatory - | Description |\n| :--- | :--- | :--- | :--- |\n| None | N/A | N/A | This action - does not have any action-specific parameters. It uses the global integration configuration - for connection details and sensor selection. |\n\n### Additional Notes\n* The - quarantine duration is fixed to **'until released'**, meaning the isolation will - remain in effect until a manual release is performed or a corresponding release - action is executed.\n* The action specifically targets the sensors listed in the - integration's `Sensors Names List Comma Separated` configuration field.\n\n### - Flow Description\n1. **Establish Session**: The action authenticates with the - McAfee NSM API using the provided credentials.\n2. **Resolve Sensors**: It retrieves - the list of sensors from the integration configuration and fetches their corresponding - internal IDs from the NSM manager.\n3. **Filter Entities**: The action scans the - case for **IP Address** entities.\n4. **Execute Quarantine**: For each valid IP - address, it sends a POST request to the NSM API to quarantine the host on every - identified sensor.\n5. **Cleanup**: The action terminates the NSM session.\n6. - **Finalize**: It returns a success message listing the quarantined IP addresses. + internal assets. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | None | N/A | N/A | This action does not have any action-specific parameters. + It uses the global integration configuration for connection details and sensor + selection. | + + + ### Additional Notes + + * The quarantine duration is fixed to **'until released'**, meaning the isolation + will remain in effect until a manual release is performed or a corresponding release + action is executed. + + * The action specifically targets the sensors listed in the integration's `Sensors + Names List Comma Separated` configuration field. + + + ### Flow Description + + 1. **Establish Session**: The action authenticates with the McAfee NSM API using + the provided credentials. + + 2. **Resolve Sensors**: It retrieves the list of sensors from the integration + configuration and fetches their corresponding internal IDs from the NSM manager. + + 3. **Filter Entities**: The action scans the case for **IP Address** entities. + + 4. **Execute Quarantine**: For each valid IP address, it sends a POST request + to the NSM API to quarantine the host on every identified sensor. + + 5. **Cleanup**: The action terminates the NSM session. + + 6. **Finalize**: It returns a success message listing the quarantined IP addresses. capabilities: can_create_case_comments: false can_create_insight: false @@ -406,15 +458,15 @@ Quarantine IP: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Quarantines the specified IP address on the configured McAfee NSM sensors, changing - the network access state for that host. - fetches_data: false + Triggers a quarantine command on McAfee NSM sensors to isolate the specified + IP address, restricting its network activity. + fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: entity_types: - - ADDRESS + - ADDRESS filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -428,11 +480,12 @@ Quarantine IP: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Unblock IP: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false - contain_host: true + contain_host: false create_ticket: false delete_email: false disable_identity: false @@ -441,39 +494,64 @@ Quarantine IP: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false + remove_ioc_from_blocklist: true reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false - uncontain_host: false + uncontain_host: true update_alert: false update_email: false update_identity: false update_ticket: false -Unblock IP: - ai_description: "Unblocks IP address entities in McAfee Network Security Manager\ - \ (NSM). This action identifies the firewall rule objects associated with the\ - \ target IP addresses within a specific policy, removes the IP entries, and then\ - \ triggers a configuration deployment to the managed sensors to enforce the changes.\ - \ \n\n### Flow Description:\n1. **Initialization**: Connects to the McAfee NSM\ - \ instance using provided credentials and configuration (API Root, Domain ID,\ - \ Policy Name, and Sensor List).\n2. **Entity Filtering**: Identifies all IP Address\ - \ entities within the current context.\n3. **IP Release**: For each identified\ - \ IP, the action searches for the corresponding rule object in the NSM policy.\ - \ If found, it either removes the IP from the rule object or deletes the rule\ - \ object entirely if it contains no other addresses.\n4. **Deployment**: After\ - \ processing all entities, it initiates a 'Deploy Changes' command to push the\ - \ updated firewall configuration to the specified sensors.\n5. **Cleanup**: Logs\ - \ out of the NSM session.\n\n### Parameters Description:\n| Parameter Name | Description\ - \ | Type | Mandatory | \n| --- | --- | --- | --- |\n| None | This action does\ - \ not have any specific action parameters; it relies on the integration's global\ - \ configuration. | N/A | No |\n\n### Additional Notes:\n- This action requires\ - \ a pre-configured 'Siemplify Policy Name' and a list of 'Sensors Names' in the\ - \ integration settings to function correctly.\n- The action performs a state change\ - \ on the external firewall system." + ai_description: >- + Unblocks IP address entities in McAfee Network Security Manager (NSM). This action + identifies the firewall rule objects associated with the target IP addresses within + a specific policy, removes the IP entries, and then triggers a configuration deployment + to the managed sensors to enforce the changes. + + + ### Flow Description: + + 1. **Initialization**: Connects to the McAfee NSM instance using provided credentials + and configuration (API Root, Domain ID, Policy Name, and Sensor List) from the + integration settings. + + 2. **Entity Filtering**: Identifies all IP Address entities within the current + context (target entities). + + 3. **IP Release**: For each identified IP, the action searches for the corresponding + rule object in the NSM policy. If found, it either removes the IP from the rule + object or deletes the rule object entirely if it contains no other addresses. + + 4. **Deployment**: After processing all entities, it initiates a 'Deploy Changes' + command to push the updated firewall configuration to the specified sensors. + + 5. **Cleanup**: Logs out of the NSM session to ensure security. + + + ### Parameters Description: + + | Parameter Name | Description | Type | Mandatory | + + | --- | --- | --- | --- | + + | None | This action does not have any specific action parameters; it relies on + the integration's global configuration. | N/A | No | + + + ### Additional Notes: + + - This action requires a pre-configured 'Siemplify Policy Name' and a list of + 'Sensors Names' in the integration settings to function correctly. + + - The action performs a state change on the external firewall system by modifying + rule objects and deploying configurations. capabilities: can_create_case_comments: false can_create_insight: false @@ -482,15 +560,15 @@ Unblock IP: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Removes IP addresses from firewall rule objects and policies in McAfee NSM and - deploys these configuration changes to the network sensors. + Removes IP addresses from firewall rule objects and triggers a configuration + deployment to McAfee NSM sensors. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: entity_types: - - ADDRESS + - ADDRESS filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -504,28 +582,3 @@ Unblock IP: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: true - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/google/mc_afee_nsm/resources/ai/integration_ai_description.yaml b/content/response_integrations/google/mc_afee_nsm/resources/ai/integration_ai_description.yaml index 733471053..b927e7b41 100644 --- a/content/response_integrations/google/mc_afee_nsm/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/google/mc_afee_nsm/resources/ai/integration_ai_description.yaml @@ -1,17 +1,3 @@ -# Copyright 2026 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - product_categories: asset_inventory: false cloud_security: false diff --git a/content/response_integrations/google/micro_focus_itsma/resources/ai/actions_ai_description.yaml b/content/response_integrations/google/micro_focus_itsma/resources/ai/actions_ai_description.yaml index b4c6e869c..a9ca3c512 100644 --- a/content/response_integrations/google/micro_focus_itsma/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/google/micro_focus_itsma/resources/ai/actions_ai_description.yaml @@ -1,18 +1,32 @@ -# Copyright 2026 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - Create Incident: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: true + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- Creates a new incident in MicroFocus ITSMA. This action allows users to programmatically generate incident records by providing key details such as the display label, @@ -73,13 +87,13 @@ Create Incident: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new incident record in the MicroFocus ITSMA platform. + Creates a new incident record in MicroFocus ITSMA with the provided details. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -93,12 +107,13 @@ Create Incident: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false contain_host: false - create_ticket: true + create_ticket: false delete_email: false disable_identity: false download_file: false @@ -106,19 +121,21 @@ Create Incident: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: ai_description: >- ### General Description @@ -168,7 +185,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -182,6 +199,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Update Incident: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -195,19 +213,21 @@ Ping: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false - update_ticket: false -Update Incident: + update_ticket: true ai_description: >- ### General Description @@ -272,14 +292,14 @@ Update Incident: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the properties (e.g., description, urgency, impact) of an existing incident - record within the MicroFocus ITSMA platform. + Updates incident attributes such as Display Label, Description, Impact Scope, + Urgency, and Service ID in the MicroFocus ITSMA system via a POST request. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -293,6 +313,7 @@ Update Incident: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Update Incident External Status: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -306,19 +327,21 @@ Update Incident: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: true -Update Incident External Status: ai_description: >- Updates the external status of a specific incident in Micro Focus ITSMA. This action allows analysts to synchronize the status of an incident between Google @@ -362,14 +385,14 @@ Update Incident External Status: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the 'ExternalStatus' property of an incident record within the Micro - Focus ITSMA platform via a POST request. + Updates the 'ExternalStatus' field of a specific incident in the Micro Focus + ITSMA platform via a POST request. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -383,28 +406,3 @@ Update Incident External Status: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: true diff --git a/content/response_integrations/google/micro_focus_itsma/resources/ai/integration_ai_description.yaml b/content/response_integrations/google/micro_focus_itsma/resources/ai/integration_ai_description.yaml index 87a5ffbcd..faf1e267b 100644 --- a/content/response_integrations/google/micro_focus_itsma/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/google/micro_focus_itsma/resources/ai/integration_ai_description.yaml @@ -1,17 +1,3 @@ -# Copyright 2026 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - product_categories: asset_inventory: false cloud_security: false diff --git a/content/response_integrations/google/mobile_iron/resources/ai/actions_ai_description.yaml b/content/response_integrations/google/mobile_iron/resources/ai/actions_ai_description.yaml index a28ab6508..91575e8d6 100644 --- a/content/response_integrations/google/mobile_iron/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/google/mobile_iron/resources/ai/actions_ai_description.yaml @@ -1,18 +1,32 @@ -# Copyright 2026 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - Fetch System Information: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description @@ -65,18 +79,16 @@ Fetch System Information: can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: >- - The action adds a data table to the entity within the Google SecOps platform - containing the retrieved device information. + internal_data_mutation_explanation: null categories: enrichment: true entity_usage: entity_types: - - ADDRESS + - ADDRESS filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -90,6 +102,7 @@ Fetch System Information: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Fetch System Information By UUID: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -103,24 +116,26 @@ Fetch System Information: enrich_asset: true enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Fetch System Information By UUID: ai_description: >- Fetches detailed system information for a specific mobile device using its Unique Universal Identifier (UUID) via the MobileIron API. This action is used to retrieve technical metadata about a device, such as OS version, model, and ownership details, - which is then presented in a structured data table within the case. + which is then presented in a structured data table within the action results. ### Parameters @@ -136,7 +151,7 @@ Fetch System Information By UUID: ### Flow Description 1. **Parameter Extraction:** The action retrieves the mandatory `Device UUID` - from the user input. + from the action parameters. 2. **API Initialization:** It initializes the MobileIron manager using the integration's configuration settings (API Root, credentials, etc.). @@ -162,7 +177,7 @@ Fetch System Information By UUID: categories: enrichment: true entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -176,6 +191,7 @@ Fetch System Information By UUID: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +List Devices: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -186,22 +202,24 @@ Fetch System Information By UUID: disable_identity: false download_file: false enable_identity: false - enrich_asset: true + enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: true search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -List Devices: ai_description: >- ### General Description @@ -255,12 +273,12 @@ List Devices: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Adds a data table containing the list of retrieved devices to the Google SecOps - case. + The action adds a data table named 'Devices' to the SOAR case containing the + flattened list of retrieved mobile devices. categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -274,6 +292,7 @@ List Devices: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -287,19 +306,21 @@ List Devices: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: ai_description: >- ### General Description @@ -329,6 +350,12 @@ Ping: 5. **Final Result**: If the request is successful, it returns a 'Connection Established' message; otherwise, it reports a failure. + + + ### Additional Notes + + This action does not process any entities and is strictly for testing the integration + setup. capabilities: can_create_case_comments: false can_create_insight: false @@ -342,7 +369,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -356,6 +383,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Unlock Device: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -369,19 +397,21 @@ Ping: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false - uncontain_host: false + uncontain_host: true update_alert: false update_email: false update_identity: false update_ticket: false -Unlock Device: ai_description: >- ### General Description @@ -415,7 +445,7 @@ Unlock Device: within the current SOAR context. 2. **Device Identification**: For each identified IP address, the action queries - the MobileIron API to find the corresponding unique Device UUID. + the MobileIron API via a GET request to find the corresponding unique Device UUID. 3. **Unlock Command**: Once the UUID is retrieved, the action sends a POST request to the MobileIron `Action` endpoint with the `UNLOCK_DEVICE_ONLY` command to trigger @@ -431,15 +461,16 @@ Unlock Device: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Sends a POST request to the MobileIron API to execute the 'UNLOCK_DEVICE_ONLY' - action, which changes the lock state of the physical mobile device. + Sends a POST request to the MobileIron API to trigger the 'UNLOCK_DEVICE_ONLY' + command on the target mobile device, physically changing its state from locked + to unlocked. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: entity_types: - - ADDRESS + - ADDRESS filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -453,6 +484,7 @@ Unlock Device: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Unlock Device by UUID: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -466,19 +498,21 @@ Unlock Device: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: true update_alert: false update_email: false update_identity: false update_ticket: false -Unlock Device by UUID: ai_description: >- Unlocks a mobile device managed by MobileIron using its unique identifier (UUID). This action sends a command to the MobileIron server to remove the lock screen @@ -516,14 +550,14 @@ Unlock Device by UUID: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Sends a command to the MobileIron platform to unlock a physical mobile device, - which changes the device's security state from locked to unlocked. + Sends a command to the MobileIron server to remove the lock screen or restriction + on the specified mobile device, changing its operational state. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -537,28 +571,3 @@ Unlock Device by UUID: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/google/mobile_iron/resources/ai/integration_ai_description.yaml b/content/response_integrations/google/mobile_iron/resources/ai/integration_ai_description.yaml index 751e47ecf..b88dc4ab4 100644 --- a/content/response_integrations/google/mobile_iron/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/google/mobile_iron/resources/ai/integration_ai_description.yaml @@ -1,17 +1,3 @@ -# Copyright 2026 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - product_categories: asset_inventory: true cloud_security: false diff --git a/content/response_integrations/google/portnox/resources/ai/actions_ai_description.yaml b/content/response_integrations/google/portnox/resources/ai/actions_ai_description.yaml index 067b4256f..184c5942c 100644 --- a/content/response_integrations/google/portnox/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/google/portnox/resources/ai/actions_ai_description.yaml @@ -1,18 +1,32 @@ -# Copyright 2026 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - Enrich Device: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: true + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description @@ -64,14 +78,14 @@ Enrich Device: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with Portnox device information and sets - the is_enriched flag to true. + Updates the entity's additional properties with flattened device metadata and + sets the 'is_enriched' attribute to true. categories: enrichment: true entity_usage: entity_types: - - ADDRESS - - MacAddress + - ADDRESS + - MacAddress filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -85,6 +99,7 @@ Enrich Device: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Device History: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -98,19 +113,21 @@ Enrich Device: enrich_asset: true enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: true search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Device History: ai_description: >- ### General Description @@ -167,13 +184,13 @@ Get Device History: fetches_data: true internal_data_mutation_explanation: >- The action updates the entities in Google SecOps to reflect that enrichment - (device history) was performed and adds data tables to the entities. + has occurred and attaches a data table containing the retrieved device history. categories: enrichment: true entity_usage: entity_types: - - ADDRESS - - MacAddress + - ADDRESS + - MacAddress filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -187,6 +204,7 @@ Get Device History: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Device Locations: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -200,62 +218,66 @@ Get Device History: enrich_asset: true enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: true search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Device Locations: ai_description: >- ### General Description The **Get Device Locations** action retrieves physical or logical location information for devices associated with IP Address or MAC Address entities from the Portnox - NAC platform. It helps analysts understand where a specific device is connected + NAC platform. This action helps analysts identify where a specific device is connected within the network infrastructure by providing details such as switch names, ports, or site locations. ### Parameters Description - There are no user-configurable parameters for this action. It relies on the integration's - global configuration (API Root, Username, Password) and the entities present in - the current context. + This action does not have any user-configurable parameters. It utilizes the integration's + global configuration (API Root, Username, Password) and processes the entities + available in the current context. ### Flow Description 1. **Entity Identification**: The action iterates through the target entities - in the case, specifically looking for `ADDRESS` (IP) and `MACADDRESS` types. + in the case, specifically filtering for `ADDRESS` (IP) and `MacAddress` types. - 2. **Device Search**: For each supported entity, it queries Portnox to find a - matching device record using the IP or MAC address as the search key. + 2. **Device Search**: For each supported entity, it queries the Portnox API to + find a matching device record using the IP or MAC address as the search key via + a search query. - 3. **Location Retrieval**: If a device is found, the action retrieves its current - location data from the Portnox API. + 3. **Location Retrieval**: If a matching device is found, the action retrieves + its current location data from the Portnox `/locations` endpoint using the device's + unique ID. 4. **Data Sanitization**: The retrieved location data is cleaned by removing internal - or irrelevant fields (e.g., `portIds`). + or irrelevant fields, such as `portIds`, to ensure the output is concise. 5. **Enrichment**: The location details are formatted into a CSV table and attached - to the entity within Google SecOps. The entity is then updated to reflect the - enrichment. + to the specific entity as an entity table. Finally, the action updates the entities + within Google SecOps to reflect the enrichment. ### Additional Notes - This action is strictly read-only regarding the Portnox system; it does not - change device status or network access policies. + modify device status or network access policies. - - If no device is found for a specific entity, that entity is skipped without - failing the entire action. + - If no device is found for a specific entity, that entity is skipped, and the + action continues processing others. capabilities: can_create_case_comments: false can_create_insight: false @@ -266,14 +288,14 @@ Get Device Locations: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action updates entity attributes and attaches data tables containing location - information to the entities within the Google SecOps case. + Updates entities and adds entity tables containing device location information + retrieved from Portnox. categories: enrichment: true entity_usage: entity_types: - - ADDRESS - - MacAddress + - ADDRESS + - MacAddress filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -287,6 +309,7 @@ Get Device Locations: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Installed Applications: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -300,19 +323,21 @@ Get Device Locations: enrich_asset: true enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: true search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Installed Applications: ai_description: >- ### General Description @@ -346,24 +371,25 @@ Get Installed Applications: ### Flow Description 1. **Initialization**: The action initializes the Portnox manager using the provided - integration credentials. + integration credentials (API Root, Username, Password, and SSL verification settings). 2. **Entity Filtering**: It iterates through the target entities in the current - context, filtering for IP Addresses and MAC Addresses. + context, filtering for those of type **ADDRESS** (IP) and **MacAddress**. - 3. **Device Search**: For each valid entity, it performs a search in Portnox (using - the IP or MAC Address as the key) to find the unique device ID. + 3. **Device Search**: For each valid entity, it performs a search in Portnox using + the IP or MAC Address as the key to find the unique device ID. 4. **Data Retrieval**: Once a device is identified, the action calls the Portnox API to fetch the list of installed applications associated with that device ID. - 5. **Data Formatting**: The list of applications is converted into a CSV format. + 5. **Data Formatting**: The list of applications is converted into a CSV format + using the `construct_csv` utility. 6. **Internal Update**: The CSV data is added as an entity-specific table in the - SOAR, and the entities are updated to reflect the enrichment process. + SOAR platform, and the entities are updated to reflect the enrichment process. - 7. **Completion**: The action concludes by providing a summary message of which - entities were successfully enriched. + 7. **Completion**: The action concludes by providing a summary message indicating + which entities were successfully enriched with application data. capabilities: can_create_case_comments: false can_create_insight: false @@ -374,14 +400,14 @@ Get Installed Applications: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action updates entities in Google SecOps and adds data tables to them containing - the list of installed applications retrieved from Portnox. + The action adds a CSV table containing installed applications to the entity's + data and updates the entity objects within the Google SecOps platform. categories: enrichment: true entity_usage: entity_types: - - ADDRESS - - MacAddress + - ADDRESS + - MacAddress filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -395,6 +421,7 @@ Get Installed Applications: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Open Ports: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -408,19 +435,21 @@ Get Installed Applications: enrich_asset: true enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: true search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Open Ports: ai_description: >- Retrieves a list of all open ports for a specific device from the Portnox NAC platform. This action supports IP Address and MAC Address entities. It first searches @@ -432,25 +461,36 @@ Get Open Ports: ### Flow Description 1. **Initialization**: Connects to the Portnox API using the provided credentials - and configuration. + and configuration (API Root, Username, Password). 2. **Device Search**: For each IP Address or MAC Address entity, the action queries - Portnox to find a matching device record. + the Portnox `/devices` endpoint to find a matching device record and retrieve + its unique `deviceId`. 3. **Port Retrieval**: If a device is found, the action requests the list of open - ports associated with that device's ID. + ports from the `/devices/{deviceId}/details/openports` endpoint. 4. **Data Presentation**: Converts the retrieved port data into a CSV format and - attaches it as an entity table to the specific entity in the case. + attaches it as an entity-specific data table to the entity in the Google SecOps + case. 5. **Entity Update**: Marks the entities as enriched and updates their status - within the Google SecOps platform. + within the platform. ### Parameters Description There are no additional parameters for this action; it relies on the target entities (IP Address or MAC Address) and the integration's global configuration. + + + ### Additional Notes + + - If multiple devices match a search query in Portnox, the action selects the + first device returned by the API. + + - If no open ports are found for an entity, no table is added for that specific + entity. capabilities: can_create_case_comments: false can_create_insight: false @@ -461,14 +501,14 @@ Get Open Ports: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action updates the entities within the case to reflect that enrichment data - (open ports) has been successfully retrieved and attached. + Updates entities to mark them as enriched and adds entity-specific data tables + containing the list of open ports retrieved from Portnox. categories: enrichment: true entity_usage: entity_types: - - ADDRESS - - MacAddress + - ADDRESS + - MacAddress filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -482,6 +522,7 @@ Get Open Ports: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Services: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -495,19 +536,21 @@ Get Open Ports: enrich_asset: true enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Services: ai_description: >- ### General Description @@ -529,11 +572,12 @@ Get Services: (`MacAddress`) types. 2. **Device Search**: For each valid entity, it queries the Portnox API to find - a matching device record using the IP or MAC address as the search key. + a matching device record using the IP or MAC address as the search key via a POST + request to the `/devices` endpoint. 3. **Service Retrieval**: If a device is successfully identified, the action makes - a follow-up request to Portnox to retrieve the full list of services associated - with that specific device ID. + a follow-up GET request to Portnox to retrieve the full list of services associated + with that specific device ID from the `/details/services` endpoint. 4. **Data Presentation**: The retrieved service list is converted into a CSV format and attached to the entity as an 'Entity Table' for easy review within the Google @@ -551,14 +595,14 @@ Get Services: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates the entity's enrichment status and attaches a data table containing - the list of services to the entity's profile. + Updates entities to reflect enrichment and adds an entity table containing the + list of services retrieved from Portnox. categories: enrichment: true entity_usage: entity_types: - - ADDRESS - - MacAddress + - ADDRESS + - MacAddress filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -572,6 +616,7 @@ Get Services: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get User History: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -585,19 +630,21 @@ Get Services: enrich_asset: true enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get User History: ai_description: >- ### General Description @@ -615,28 +662,32 @@ Get User History: ### Additional Notes This action performs a two-step process: first, it searches for the device in - Portnox to obtain a internal device ID, and then it fetches the user history associated - with that ID. The results are attached directly to the entity as a data table. + Portnox to obtain an internal device ID, and then it fetches the user history + associated with that ID. The results are attached directly to the entity as a + data table. If no history is found or the device is not located in Portnox, the + action will complete without enriching that specific entity. ### Flow Description - 1. **Identify Entities**: The action filters the target entities to find those - of type `ADDRESS` (IP) or `MacAddress`. + 1. **Identify Entities**: The action iterates through the target entities and + filters for those of type `ADDRESS` (IP) or `MacAddress`. - 2. **Device Search**: For each valid entity, it queries the Portnox API to find - a matching device record. + 2. **Device Search**: For each valid entity, it queries the Portnox API using + a POST request to find a matching device record and retrieve its unique internal + ID. - 3. **Fetch History**: If a device is found, the action retrieves its user authentication - history using the Portnox device ID. + 3. **Fetch History**: If a device is found, the action performs a GET request + to retrieve the user authentication history associated with that device ID. - 4. **Data Formatting**: The retrieved history is converted into a CSV format. + 4. **Data Formatting**: The retrieved history list is converted into a CSV format + using the `construct_csv` utility. 5. **Enrichment**: The CSV data is attached to the entity as a data table named "[Identifier] - User History". - 6. **Update**: The action updates the entities in Google SecOps to save the newly - attached data tables. + 6. **Update**: The action updates the entities in Google SecOps to persist the + newly attached data tables. capabilities: can_create_case_comments: false can_create_insight: false @@ -647,14 +698,14 @@ Get User History: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entities in Google SecOps and attaches data tables containing user authentication - history to the enriched entities. + The action attaches data tables containing authentication history to the entities + and updates the entity objects within the Google SecOps platform. categories: enrichment: true entity_usage: entity_types: - - ADDRESS - - MacAddress + - ADDRESS + - MacAddress filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -668,6 +719,7 @@ Get User History: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -678,22 +730,24 @@ Get User History: disable_identity: false download_file: false enable_identity: false - enrich_asset: true + enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: ai_description: >- ### General Description @@ -711,19 +765,19 @@ Ping: ### Flow Description - 1. **Configuration Retrieval**: The action retrieves the API Root, Username, - Password, and SSL verification settings from the Portnox integration configuration. + 1. **Configuration Retrieval**: The action retrieves the API Root, Username, Password, + and SSL verification settings from the Portnox integration configuration. - 2. **Manager Initialization**: It initializes the `PortnoxManager` with the retrieved + 2. **Manager Initialization**: It initializes the `PortnoxManager` with the retrieved settings. - 3. **Connectivity Test**: The action calls the `test_connectivity` method, which + 3. **Connectivity Test**: The action calls the `test_connectivity` method, which executes a GET request to the `/auth/user` endpoint of the Portnox API. - 4. **Response Validation**: The manager validates the HTTP response. If the request + 4. **Response Validation**: The manager validates the HTTP response. If the request is successful (HTTP 200), the connection is considered established. - 5. **Completion**: The action ends with a success message 'Connection Established' + 5. **Completion**: The action ends with a success message 'Connection Established' and a result value of 'true'. capabilities: can_create_case_comments: false @@ -738,7 +792,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -752,6 +806,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Revalidate Device: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -765,26 +820,28 @@ Ping: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Revalidate Device: ai_description: >- ### General Description The **Revalidate Device** action triggers a policy revalidation for a specific - device within the Portnox Network Access Control (NAC) system. This is typically - used to force a device to undergo a fresh security posture check or authentication - cycle to ensure it complies with current network policies. + device within the Portnox Network Access Control (NAC) system. This is used to + force a device to undergo a fresh security posture check or authentication cycle + to ensure it complies with current network policies. ### Parameters Description @@ -800,13 +857,13 @@ Revalidate Device: ### Flow Description 1. **Initialization**: The action connects to the Portnox API using the provided - credentials and configuration. + credentials (API Root, Username, Password) and SSL configuration. - 2. **Trigger Revalidation**: It sends a POST request to the Portnox endpoint to - initiate the revalidation process for the specified `DeviceId`. + 2. **Trigger Revalidation**: It sends a POST request to the Portnox endpoint `/devices/actions/revalidation` + to initiate the revalidation process for the specified `DeviceId`. 3. **Status Polling**: The action enters a polling loop, calling the device information - endpoint to monitor the `securityStatus` of the device. + endpoint `/devices/{deviceId}` to monitor the `securityStatus` of the device. 4. **Completion**: It waits until the device status reaches 'AuthorizationPassed' or a timeout occurs. Once the status is confirmed, the action completes with a @@ -828,14 +885,15 @@ Revalidate Device: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Triggers a device policy revalidation action on the Portnox NAC system, which - forces the device to undergo a new authentication or compliance check. + Triggers a policy revalidation process for a specific device in Portnox NAC, + which initiates a fresh security posture check or authentication cycle on the + network access control system. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -849,6 +907,7 @@ Revalidate Device: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Revalidate Device By Address: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -862,19 +921,21 @@ Revalidate Device: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: true search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Revalidate Device By Address: ai_description: >- ### General Description @@ -926,16 +987,16 @@ Revalidate Device By Address: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Triggers a revalidation of the authentication policy for the device in Portnox - NAC, which initiates a state change in the network access control system. + Triggers a re-authentication and validation cycle for the device in the Portnox + NAC system. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: entity_types: - - ADDRESS - - MacAddress + - ADDRESS + - MacAddress filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -949,28 +1010,3 @@ Revalidate Device By Address: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/google/portnox/resources/ai/integration_ai_description.yaml b/content/response_integrations/google/portnox/resources/ai/integration_ai_description.yaml index 9058834e8..5dd92530c 100644 --- a/content/response_integrations/google/portnox/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/google/portnox/resources/ai/integration_ai_description.yaml @@ -1,26 +1,12 @@ -# Copyright 2026 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - product_categories: asset_inventory: true cloud_security: false collaboration: false - edr: false + edr: true email_security: false - iam_and_identity_management: false + iam_and_identity_management: true itsm: false - network_security: false + network_security: true siem: true threat_intelligence: false - vulnerability_management: false + vulnerability_management: true diff --git a/content/response_integrations/google/reversinglabs_a1000/resources/ai/actions_ai_description.yaml b/content/response_integrations/google/reversinglabs_a1000/resources/ai/actions_ai_description.yaml index 7d349bac1..82e25b46d 100644 --- a/content/response_integrations/google/reversinglabs_a1000/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/google/reversinglabs_a1000/resources/ai/actions_ai_description.yaml @@ -1,18 +1,32 @@ -# Copyright 2026 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - Delete Sample: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description @@ -52,14 +66,14 @@ Delete Sample: can_update_entities: false external_data_mutation_explanation: >- Deletes file samples and their associated metadata from the ReversingLabs A1000 - appliance using the HTTP DELETE method. + appliance via a DELETE request to the API. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: entity_types: - - FILEHASH + - FILEHASH filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -73,6 +87,7 @@ Delete Sample: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Report: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -84,21 +99,23 @@ Delete Sample: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: false + enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Report: ai_description: "### General Description\nThe **Get Report** action retrieves summary\ \ classification reports and detailed analysis metadata for file hashes from the\ \ ReversingLabs A1000 Malware Analysis Appliance. This action is used to enrich\ @@ -113,11 +130,13 @@ Get Report: \ data tables attached to the case for each hash.\n\n### Flow Description\n1.\ \ **Entity Identification**: The action scans the current context for entities\ \ of type `FILEHASH`.\n2. **Data Retrieval**: It sends a list of these hashes\ - \ to the ReversingLabs A1000 `api/samples/list/` endpoint.\n3. **Context Enrichment**:\ - \ For every hash found, the action extracts key fields including `threat_status`,\ - \ `threat_level`, `threat_name`, and `trust_factor`.\n4. **Output Generation**:\ - \ \n * A data table is created for each hash and attached to the case.\n \ - \ * The full response is provided as a JSON result for further playbook processing." + \ to the ReversingLabs A1000 `api/samples/list/` endpoint to fetch classification\ + \ metadata.\n3. **Context Enrichment**: For every hash found in the response,\ + \ the action extracts key fields including `threat_status`, `threat_level`, `threat_name`,\ + \ and `trust_factor`.\n4. **Output Generation**: \n * A data table containing\ + \ the flattened report is created for each hash and attached to the case.\n \ + \ * The full response dictionary is provided as a JSON result for further playbook\ + \ processing." capabilities: can_create_case_comments: false can_create_insight: false @@ -128,12 +147,13 @@ Get Report: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Adds data tables to the case containing the analysis results for each file hash. + Adds data tables containing the malware analysis reports to the case for each + processed file hash. categories: enrichment: true entity_usage: entity_types: - - FILEHASH + - FILEHASH filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -147,6 +167,7 @@ Get Report: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Scan Status: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -160,42 +181,30 @@ Get Report: enrich_asset: false enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Scan Status: ai_description: >- + ### General Description + Retrieves the processing status of file hash entities from the ReversingLabs A1000 Malware Analysis platform. This action allows analysts to check if submitted samples - have finished analysis or are still being processed. - - - ### Flow Description: - - 1. **Entity Collection**: The action identifies all `FILEHASH` entities within - the current scope. - - 2. **Status Query**: It sends a bulk request to the ReversingLabs A1000 API using - the collected hash values to retrieve their current processing status. + have finished analysis or are still being processed by the appliance. - 3. **Data Processing**: The response is parsed to map each hash to its specific - status (e.g., 'processed', 'uploading', 'analyzing'). - 4. **Output Generation**: The action generates a data table named 'Scan Status:' - for the case wall and provides a JSON result containing the status mapping for - downstream playbook logic. - - - ### Parameters Description: + ### Parameters Description | Parameter Name | Type | Mandatory | Description | @@ -205,13 +214,29 @@ Get Scan Status: the entities in the context. | - ### Additional Notes: + ### Additional Notes * This action uses a POST request to the `/api/samples/status/` endpoint to perform a bulk lookup of hash statuses. * If no status information is returned for the provided hashes, the action will complete with a failure status. + + + ### Flow Description + + 1. **Entity Collection**: The action identifies all `FILEHASH` entities within + the current scope. + + 2. **Status Query**: It sends a bulk request to the ReversingLabs A1000 API using + the collected hash values to retrieve their current processing status. + + 3. **Data Processing**: The response is parsed to map each hash to its specific + status (e.g., 'processed', 'uploading', 'analyzing'). + + 4. **Output Generation**: The action generates a data table named 'Scan Status:' + for the case wall and provides a JSON result containing the status mapping for + downstream playbook logic. capabilities: can_create_case_comments: false can_create_insight: false @@ -222,13 +247,13 @@ Get Scan Status: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Adds a data table named 'Scan Status:' to the Google SecOps case containing - the processing status of the analyzed file hashes. + Adds a data table named 'Scan Status:' to the case wall containing the processing + status of the hashes. categories: enrichment: false entity_usage: entity_types: - - FILEHASH + - FILEHASH filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -242,6 +267,7 @@ Get Scan Status: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -253,21 +279,23 @@ Get Scan Status: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: true + enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: ai_description: >- ### General Description @@ -314,12 +342,12 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: false + fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -333,6 +361,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Upload File: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -346,19 +375,21 @@ Ping: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false - submit_file: false + send_message: false + submit_file: true uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Upload File: ai_description: >- ### General Description @@ -408,19 +439,17 @@ Upload File: can_create_insight: false can_modify_alert_data: false can_mutate_external_data: true - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Uploads a file to the ReversingLabs A1000 appliance, creating a new analysis - record in the external system. + Uploads a file to the ReversingLabs A1000 appliance for analysis, creating a + new analysis record on the system. fetches_data: true - internal_data_mutation_explanation: >- - Adds a data table named 'File Details:' to the action results within the Google - SecOps case. + internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -434,28 +463,3 @@ Upload File: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: true - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/google/reversinglabs_a1000/resources/ai/integration_ai_description.yaml b/content/response_integrations/google/reversinglabs_a1000/resources/ai/integration_ai_description.yaml index 229aa2d1d..2e831240c 100644 --- a/content/response_integrations/google/reversinglabs_a1000/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/google/reversinglabs_a1000/resources/ai/integration_ai_description.yaml @@ -1,17 +1,3 @@ -# Copyright 2026 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - product_categories: asset_inventory: false cloud_security: false diff --git a/content/response_integrations/google/stealthwatch_v610/resources/ai/actions_ai_description.yaml b/content/response_integrations/google/stealthwatch_v610/resources/ai/actions_ai_description.yaml index 0607c86f2..a39ff126e 100644 --- a/content/response_integrations/google/stealthwatch_v610/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/google/stealthwatch_v610/resources/ai/actions_ai_description.yaml @@ -1,18 +1,32 @@ -# Copyright 2026 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: "### General Description\nThe **Ping** action is a utility designed\ \ to verify the connectivity between the Google SecOps platform and the Cisco\ \ Stealthwatch (v6.10) instance. Its primary purpose is to ensure that the integration's\ @@ -42,12 +56,12 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: false + fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -61,6 +75,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Search Events: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -72,21 +87,23 @@ Ping: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: false + enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: false + search_events: true send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Search Events: ai_description: >- ### General Description @@ -142,12 +159,13 @@ Search Events: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Adds security event details as entity tables and JSON results to the case. + The action attaches security event data to the case as JSON results and creates + entity-level data tables for the processed IP addresses. categories: - enrichment: false + enrichment: true entity_usage: entity_types: - - ADDRESS + - ADDRESS filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -161,6 +179,7 @@ Search Events: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Search Flows: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -174,19 +193,21 @@ Search Events: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: true send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Search Flows: ai_description: >- ### General Description @@ -248,18 +269,16 @@ Search Flows: can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: >- - The action populates entity tables with network flow data, which modifies the - internal data associated with the entities in the Google SecOps case. + internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: entity_types: - - ADDRESS + - ADDRESS filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -273,28 +292,3 @@ Search Flows: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: true - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/google/stealthwatch_v610/resources/ai/integration_ai_description.yaml b/content/response_integrations/google/stealthwatch_v610/resources/ai/integration_ai_description.yaml index 6df311e0f..a67fd6077 100644 --- a/content/response_integrations/google/stealthwatch_v610/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/google/stealthwatch_v610/resources/ai/integration_ai_description.yaml @@ -1,17 +1,3 @@ -# Copyright 2026 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - product_categories: asset_inventory: false cloud_security: false diff --git a/content/response_integrations/google/symantec_content_analysis/resources/ai/actions_ai_description.yaml b/content/response_integrations/google/symantec_content_analysis/resources/ai/actions_ai_description.yaml index a81e25c28..592372cae 100644 --- a/content/response_integrations/google/symantec_content_analysis/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/google/symantec_content_analysis/resources/ai/actions_ai_description.yaml @@ -1,18 +1,32 @@ -# Copyright 2026 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - Get Hash Report: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- Enriches File Hash entities (MD5 and SHA256) by retrieving sample reports from Symantec Content Analysis. This action queries the Symantec API to find basic @@ -34,30 +48,30 @@ Get Hash Report: ### Additional Notes - * The action automatically distinguishes between MD5 (32 characters) and SHA256 + * The action automatically distinguishes between MD5 (32 characters) and SHA256 (64 characters) hashes to use the appropriate API endpoint. - * If a hash is neither 32 nor 64 characters long, an error will be logged for + * If a hash is neither 32 nor 64 characters long, an error will be logged for that specific entity. ### Flow Description - 1. **Filter Entities:** The action identifies all File Hash entities within the + 1. **Filter Entities:** The action identifies all File Hash entities within the current context. - 2. **API Query:** For each identified hash, it determines the hash type (MD5 - or SHA256) and sends a GET request to the Symantec Content Analysis API to retrieve + 2. **API Query:** For each identified hash, it determines the hash type (MD5 or + SHA256) and sends a GET request to the Symantec Content Analysis API to retrieve sample data. - 3. **Data Processing:** If a report is found, the action flattens the JSON response + 3. **Data Processing:** If a report is found, the action flattens the JSON response and adds it to the entity's additional properties. - 4. **UI Enhancement:** A CSV-formatted table containing the report details is + 4. **UI Enhancement:** A CSV-formatted table containing the report details is attached to the entity in the Google SecOps interface. - 5. **Update:** The action updates the entities in the platform to persist the + 5. **Update:** The action updates the entities in the platform to persist the enriched data. capabilities: can_create_case_comments: false @@ -69,13 +83,13 @@ Get Hash Report: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with flattened report data and adds a data - table to the entity's record in the case. + Updates entity additional properties with the retrieved report data and adds + a data table to the entity. categories: enrichment: true entity_usage: entity_types: - - FILEHASH + - FILEHASH filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -89,6 +103,7 @@ Get Hash Report: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -100,21 +115,23 @@ Get Hash Report: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: true + enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: ai_description: >- ### General Description @@ -170,12 +187,12 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -189,6 +206,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Submit File: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -202,56 +220,56 @@ Ping: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false - submit_file: false + send_message: false + submit_file: true uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Submit File: - ai_description: "Submits a file to Symantec Content Analysis for scanning and analysis.\ - \ This action uploads a file from a specified local path to the Symantec service,\ - \ retrieves the resulting reputation score, and generates case insights based\ - \ on the severity of the findings.\n\n### Flow Description\n1. **Configuration\ - \ Retrieval:** The action initializes the Symantec Content Analysis manager using\ - \ the provided API Root and API Key.\n2. **File Submission:** It reads the file\ - \ from the provided 'File Path' and performs a POST request to the Symantec Content\ - \ Analysis API to initiate a scan.\n3. **Score Parsing:** The action extracts\ - \ the file reputation score from the API response.\n4. **Insight Generation:**\ - \ \n * If the score is between 2 and 6, it creates a 'File Found as Suspicious'\ - \ insight.\n * If the score is between 7 and 10, it creates a 'File Found as\ - \ Malicious' insight.\n5. **Completion:** The action concludes by returning the\ - \ reputation score and a summary message.\n\n### Parameters Description\n| Parameter\ - \ Name | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| File\ - \ Path | string | True | The local file system path of the file to be uploaded\ - \ and scanned. |\n\n### Additional Notes\n* This action does not process SecOps\ - \ entities; it operates strictly on the file path provided in the parameters.\n\ + ai_description: "### General Description\nSubmits a file to Symantec Content Analysis\ + \ for scanning and analysis. This action uploads a file from a specified local\ + \ path to the Symantec service, retrieves the resulting reputation score, and\ + \ generates case insights based on the severity of the findings.\n\n### Flow Description\n\ + 1. **Configuration Retrieval:** The action initializes the Symantec Content Analysis\ + \ manager using the provided API Root and API Key.\n2. **File Submission:** It\ + \ reads the file from the provided 'File Path' and performs a POST request to\ + \ the Symantec Content Analysis API to initiate a scan.\n3. **Score Parsing:**\ + \ The action extracts the file reputation score from the API response.\n4. **Insight\ + \ Generation:** \n * If the score is between 2 and 6, it creates a 'File Found\ + \ as Suspicious' insight.\n * If the score is between 7 and 10, it creates\ + \ a 'File Found as Malicious' insight.\n5. **Completion:** The action concludes\ + \ by returning the reputation score and a summary message.\n\n### Parameters Description\n\ + | Parameter Name | Type | Mandatory | Description |\n| :--- | :--- | :--- | :---\ + \ |\n| File Path | string | True | The local file system path of the file to be\ + \ uploaded and scanned. |\n\n### Additional Notes\n* This action does not process\ + \ SecOps entities; it operates strictly on the file path provided in the parameters.\n\ * The action includes a timeout mechanism (defaulting to 5 minutes) for the file\ \ submission process." capabilities: can_create_case_comments: false can_create_insight: true can_modify_alert_data: false - can_mutate_external_data: true + can_mutate_external_data: false can_mutate_internal_data: true can_update_entities: false - external_data_mutation_explanation: >- - Submits a file to the Symantec Content Analysis service for scanning, which - creates a new analysis record in the external system. + external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Creates case insights within Google SecOps based on the reputation score returned - by the external service. + The action creates case insights within Google SecOps based on the reputation + score returned by the Symantec Content Analysis service. categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -265,28 +283,3 @@ Submit File: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: true - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/google/symantec_content_analysis/resources/ai/integration_ai_description.yaml b/content/response_integrations/google/symantec_content_analysis/resources/ai/integration_ai_description.yaml index 229aa2d1d..2e831240c 100644 --- a/content/response_integrations/google/symantec_content_analysis/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/google/symantec_content_analysis/resources/ai/integration_ai_description.yaml @@ -1,17 +1,3 @@ -# Copyright 2026 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - product_categories: asset_inventory: false cloud_security: false diff --git a/content/response_integrations/google/symantec_icdx/resources/ai/actions_ai_description.yaml b/content/response_integrations/google/symantec_icdx/resources/ai/actions_ai_description.yaml index 338ad1fd8..bd64af8d3 100644 --- a/content/response_integrations/google/symantec_icdx/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/google/symantec_icdx/resources/ai/actions_ai_description.yaml @@ -1,18 +1,32 @@ -# Copyright 2026 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - Get Event: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: true + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description @@ -66,15 +80,17 @@ Get Event: can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: false + can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: null + internal_data_mutation_explanation: >- + The action adds a data table to the case wall containing the flattened details + of the retrieved event. categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -88,6 +104,7 @@ Get Event: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Events Minutes Back: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -101,19 +118,21 @@ Get Event: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: true send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Events Minutes Back: ai_description: >- ### General Description @@ -185,12 +204,12 @@ Get Events Minutes Back: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action adds a data table to the action results in Google SecOps containing - the flattened event data retrieved from Symantec ICDX. + The action adds a data table containing the retrieved event logs to the case + wall. categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -204,6 +223,7 @@ Get Events Minutes Back: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -217,48 +237,36 @@ Get Events Minutes Back: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: ai_description: >- - ### General Description - - The **Ping** action is a diagnostic utility designed to verify the connectivity - between Google SecOps and the Symantec ICDX (Integrated Cyber Defense Exchange) - platform. It validates the integration's configuration, including the API Root, - API Token, and SSL settings, by performing a test API call. - - - ### Parameters Description - - This action does not require any input parameters. - - - ### Flow Description - - 1. **Configuration Retrieval**: The action fetches the integration's global configuration, - including the `Api Root`, `Api Token`, and `Verify SSL` settings. - - 2. **Manager Initialization**: It initializes the `SymantecICDXManager` using - the retrieved credentials. - - 3. **Connectivity Test**: The action executes the `test_connectivity` method, - which attempts to retrieve a specific event by a hardcoded UUID from the Symantec - ICDX search endpoint. - - 4. **Result Reporting**: If the API call is successful, the action concludes with - a success status and the message 'Connection Established'. If the connection fails, - an exception is raised. + ### General Description\nThe **Ping** action is a diagnostic utility designed + to verify the connectivity between Google SecOps and the Symantec ICDX (Integrated + Cyber Defense Exchange) platform. It validates the integration's configuration, + including the API Root, API Token, and SSL settings, by performing a test API + call.\n\n### Parameters Description\nThis action does not require any input parameters.\n\n### + Flow Description\n1. **Configuration Retrieval**: The action fetches the integration's + global configuration, including the `Api Root`, `Api Token`, and `Verify SSL` + settings.\n2. **Manager Initialization**: It initializes the `SymantecICDXManager` + using the retrieved credentials.\n3. **Connectivity Test**: The action executes + the `test_connectivity` method, which attempts to retrieve a specific event by + a hardcoded UUID from the Symantec ICDX search endpoint.\n4. **Result Reporting**: + If the API call is successful, the action concludes with a success status and + the message 'Connection Established'. If the connection fails, an exception is + raised.\n\n### Additional Notes\nThere are no parameters for this action. capabilities: can_create_case_comments: false can_create_insight: false @@ -267,12 +275,12 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: false + fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -286,28 +294,3 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/google/symantec_icdx/resources/ai/connectors_ai_description.yaml b/content/response_integrations/google/symantec_icdx/resources/ai/connectors_ai_description.yaml index 741a44c93..d0e27c963 100644 --- a/content/response_integrations/google/symantec_icdx/resources/ai/connectors_ai_description.yaml +++ b/content/response_integrations/google/symantec_icdx/resources/ai/connectors_ai_description.yaml @@ -1,59 +1,47 @@ -# Copyright 2026 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - SymantecICDX query Connector: ai_description: >- ### General Description - The SymantecICDX Query Connector enables Google SecOps to ingest security events - from Symantec Integrated Cyber Defense Exchange (ICDX). By utilizing custom search - queries, the connector fetches specific event data, transforms it into a standardized - format, and creates cases for further investigation. This integration allows security - teams to centralize Symantec security telemetry and automate incident response - workflows. + + The SymantecICDX Query Connector enables the ingestion of security events from + the Symantec Integrated Cyber Defense Exchange (ICDX) into Google SecOps. By utilizing + the ICDX Search API, the connector allows security teams to define specific search + queries to filter and pull relevant telemetry, which is then transformed into + actionable cases within the SOAR platform. ### Parameters Description + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | DeviceProductField | String | Yes | The field name in the source data used to - determine the device product (default: device_product). | + | DeviceProductField | String | Yes | The field name in the ICDX event used to + determine the device product (defaults to `device_product`). | | EventClassId | String | No | The field name used to determine the event name - or sub-type (default: name). | + or sub-type (defaults to `name`). | | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the - python process running the current script. | + python process running the script. | | Api Root | String | Yes | The base URL of the Symantec ICDX API instance. | - | Api Token | Password | Yes | The API token used for Basic authentication. | + | Api Token | Password | Yes | The API token used for Basic Authentication with + the ICDX server. | - | Verify SSL | Boolean | Yes | If set to true, the connector will verify the SSL - certificate of the API endpoint. | + | Verify SSL | Boolean | Yes | Specifies whether to verify the SSL certificate + of the ICDX server. | - | Search Query | String | Yes | The ICDX query string used to filter and retrieve - specific events. | + | Search Query | String | Yes | The ICDX-specific query string used to filter + events (e.g., `category_id = 1`). | | Events Limit | Integer | Yes | The maximum number of events to pull in a single execution cycle. | - | Max Days Backwards | Integer | Yes | The number of days to look back for events - during the initial run. | + | Max Days Backwards | Integer | Yes | The maximum number of days to look back + for events during the initial run or if the timestamp is lost. | | Proxy Server Address | String | No | The address of the proxy server if one is required for the connection. | @@ -65,28 +53,33 @@ SymantecICDX query Connector: ### Flow Description - 1. **Connection Establishment**: The connector initializes a session with the - Symantec ICDX API using the provided API Root and Token. - 2. **Timestamp Calculation**: It determines the search start time by checking - the last saved timestamp. If no timestamp exists, it uses the 'Max Days Backwards' + 1. **Initialization**: The connector initializes the connection to the Symantec + ICDX API using the provided API Root and Token. + + 2. **Time Management**: It retrieves the last successful execution timestamp. + If no timestamp exists, it calculates the start time based on the `Max Days Backwards` parameter. - 3. **Event Retrieval**: A search request is sent to the ICDX `/archives/search` - endpoint using the configured 'Search Query' and 'Events Limit'. + 3. **Data Retrieval**: The connector sends a POST request to the ICDX search + endpoint (`/r3_epmp_i/dx/archives/search`) containing the `Search Query`, `start_time`, + and `limit`. + + 4. **Pagination**: If the ICDX response indicates more data is available (via + a `next` UUID), the connector iteratively fetches additional pages until the limit + is reached or no more data remains. - 4. **Pagination Handling**: If the API response indicates more data is available - via a 'next' token, the connector automatically paginates to retrieve the full - set of results. + 5. **Deduplication**: It filters out events that have already been processed + by comparing event UUIDs against a local tracking file (`ids.json`) that stores + IDs from the last 72 hours. - 5. **Deduplication**: The connector maintains a local cache of processed event - UUIDs. It filters out any events that have already been ingested within the last - 72 hours. + 6. **Case Creation**: For each unique event, the connector maps ICDX fields (such + as `message`, `uuid`, and `log_time`) to Google SecOps Case objects. It flattens + the event JSON to ensure all data is available within the case events. - 6. **Case Mapping**: Each unique event is mapped to a Google SecOps CaseInfo object. - The 'message' field is typically used for the alert name, and the 'uuid' serves - as the unique identifier. + 7. **Overflow Check**: The connector checks if the alert should be filtered out + based on configured overflow rules in Google SecOps. - 7. **Ingestion**: The connector performs an overflow check for each alert and - then ingests the valid cases into Google SecOps, updating the execution timestamp - and ID cache upon completion. + 8. **Finalization**: Successfully processed cases are ingested, the execution + timestamp is updated to the time of the latest event, and the processed IDs are + saved to prevent future duplicates. diff --git a/content/response_integrations/google/symantec_icdx/resources/ai/integration_ai_description.yaml b/content/response_integrations/google/symantec_icdx/resources/ai/integration_ai_description.yaml index f127e31fa..466738966 100644 --- a/content/response_integrations/google/symantec_icdx/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/google/symantec_icdx/resources/ai/integration_ai_description.yaml @@ -1,17 +1,3 @@ -# Copyright 2026 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - product_categories: asset_inventory: false cloud_security: false diff --git a/content/response_integrations/power_ups/connectors/resources/ai/connectors_ai_description.yaml b/content/response_integrations/power_ups/connectors/resources/ai/connectors_ai_description.yaml index eaad22e84..796f4e2bd 100644 --- a/content/response_integrations/power_ups/connectors/resources/ai/connectors_ai_description.yaml +++ b/content/response_integrations/power_ups/connectors/resources/ai/connectors_ai_description.yaml @@ -2,12 +2,12 @@ Cron Scheduled Connector: ai_description: >- ### General Description - The **Cron Scheduled Connector** is a utility integration designed to generate - synthetic alerts within Google SecOps based on a user-defined schedule. Unlike - traditional connectors that fetch data from external security products, this connector - creates internal alerts using a Cron expression. It is primarily used to trigger - periodic playbooks for tasks such as system health checks, automated reporting, - or recurring maintenance workflows. + The **Cron Scheduled Connector** is a utility integration designed to trigger + playbooks within Google SecOps on a scheduled basis. Unlike traditional connectors + that fetch data from external security products, this connector generates synthetic + alerts based on user-defined parameters and a Cron expression. It is primarily + used for automating recurring tasks, such as health checks, periodic maintenance, + or scheduled reporting playbooks. ### Parameters Description @@ -16,63 +16,65 @@ Cron Scheduled Connector: | :--- | :--- | :--- | :--- | - | Alert fields | String | Yes | A JSON-formatted string (e.g., `{"key": "value"}`) - containing custom data to be included in the alert extensions. | + | Alert fields | String | Yes | A JSON-formatted string containing the key-value + pairs to be inserted into the alert's extension fields (e.g., `{"key": "value"}`). + | - | Alert name | String | Yes | The display name for the generated alert. | + | Alert name | String | Yes | The display name for the alert that will be created + in the system. | - | Alert type | String | No | The category or rule generator for the alert. Defaults + | Alert type | String | No | The specific alert type or rule generator name. Defaults to "Scheduled Alert" if not provided. | | Cron Expression | String | No | A standard Cron expression (e.g., `*/5 * * * - *`) that defines the schedule for alert creation. | + *`) that determines the frequency and timing of alert creation. | - | DeviceProductField | String | Yes | The field name used to identify the device - product in the event mapping. | + | DeviceProductField | String | Yes | The field name used by the platform to identify + the device product. | - | EventClassId | String | Yes | The field name used to identify the event class - or sub-type. | + | EventClassId | String | Yes | The field name used by the platform to identify + the event class or sub-type. | | Product name | String | No | The product name associated with the generated alert. | - | PythonProcessTimeout | String | Yes | The maximum execution time (in seconds) - allowed for the connector script. | + | PythonProcessTimeout | String | Yes | The maximum time (in seconds) allowed + for the script to execute before being terminated. | ### Flow Description - 1. **Initialization**: The connector retrieves the configuration parameters, including - the alert metadata and the Cron expression. + 1. **Parameter Extraction**: The connector retrieves the configured alert metadata + (name, type, product), the JSON payload for alert fields, and the Cron expression. 2. **Schedule Validation**: The script uses the `cronex` library to compare the - current system time against the provided Cron expression. + current system time against the provided `Cron Expression`. - 3. **Condition Check**: If the current time matches the Cron schedule (or if no - schedule is provided), the connector proceeds to alert generation. + 3. **Execution Check**: If the current time does not match the Cron schedule, + the connector logs the status and exits without creating an alert. - 4. **Data Parsing**: The `Alert fields` JSON string is parsed into a dictionary - to be used as alert extensions. + 4. **Alert Generation**: If the schedule matches, the connector generates a unique + UUID for the alert and initializes a `CaseInfo` object. - 5. **Case Creation**: A `CaseInfo` object is instantiated with a unique UUID. - The script populates the case with the configured Alert Name, Product, Type, and - a default priority of "Medium" (60). + 5. **Data Mapping**: The JSON data from the `Alert fields` parameter is parsed + and mapped to the alert's extension fields. The priority is set to Medium (60) + by default. - 6. **Event Generation**: A single synthetic event is created containing the start - time and product details, which is then attached to the case. + 6. **Event Creation**: A dummy event is created and attached to the case to ensure + compatibility with the Google SecOps data model. - 7. **Ingestion**: The completed case is returned to Google SecOps, where it triggers - playbooks matching the alert's properties. + 7. **Ingestion**: The generated case is sent to the platform, where it can trigger + playbooks based on the defined Alert Name, Type, or Product. Scheduled Connector: ai_description: >- ### General Description - This connector is designed to programmatically trigger playbooks within Google - SecOps by creating synthetic alerts. It allows users to define specific alert - metadata, such as product name, alert type, and custom fields, which are then - ingested as a new case. This is particularly useful for testing playbook logic, - simulating specific threat scenarios, or creating scheduled tasks that require - a case-based trigger. + The Scheduled Connector is a utility integration designed to programmatically + generate alerts and cases within Google SecOps. Unlike traditional connectors + that fetch data from external security products, this connector creates synthetic + alerts based on user-defined configuration parameters. It is primarily used to + trigger specific playbooks on a scheduled basis or to simulate alerts for testing + and automation orchestration. ### Parameters Description @@ -81,49 +83,45 @@ Scheduled Connector: | :--- | :--- | :--- | :--- | - | Alert fields | String | Yes | A JSON-formatted string containing key-value pairs - (e.g., `{"key": "value"}`) to be added as extensions to the alert. | + | Alert fields | String | Yes | A JSON-formatted string representing the key-value + pairs to be included in the alert extensions (e.g., `{"src": "1.1.1.1"}`). | - | Alert name | String | Yes | The name assigned to the created alert and case. - | + | Alert name | String | Yes | The display name for the created alert. | - | Alert type | String | No | The type of alert, which maps to the `rule_generator` - field in the case. Defaults to "Scheduled Alert" if not provided. | + | Alert type | String | No | The category or rule generator for the alert. Defaults + to "Scheduled Alert" if not provided. | - | DeviceProductField | String | Yes | The field name used to determine the device - product (metadata requirement). | + | DeviceProductField | String | Yes | Configuration mapping used by the platform + to identify the device product field. | - | EventClassId | String | Yes | The field name used to determine the event name - or sub-type (metadata requirement). | + | EventClassId | String | Yes | Configuration mapping used by the platform to + identify the event class/sub-type. | - | Product name | String | No | The product name associated with the alert, used - for playbook routing. | + | Product name | String | No | The name of the product associated with the alert. + | - | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the - python process running the current script. | + | PythonProcessTimeout | String | Yes | The maximum execution time (in seconds) + allowed for the connector logic. | ### Flow Description - 1. **Parameter Extraction**: The connector retrieves configuration parameters, - including the alert name, product name, alert type, and custom fields from the - connector settings. - - 2. **Data Parsing**: It parses the `Alert fields` JSON string into a dictionary - to be used for case extensions. + 1. **Initialization**: The connector starts execution, typically triggered by + a predefined schedule in the Google SecOps environment. - 3. **Identity Generation**: A unique UUID is generated to serve as the `ticket_id`, - `display_id`, and `source_grouping_identifier` for the new case. + 2. **Parameter Extraction**: The script retrieves the alert metadata, including + the name, product, type, and the JSON string of custom fields. - 4. **Case Construction**: A `CaseInfo` object is created and populated with the - provided metadata. The priority is hardcoded to 60 (Medium), and the vendor is - set to "Siemplify". + 3. **Data Parsing**: The `Alert fields` JSON string is parsed into a Python dictionary + to be mapped as alert extensions. - 5. **Extension Mapping**: All key-value pairs provided in the `Alert fields` parameter - are added to the case's extensions. + 4. **Alert Generation**: A unique UUID is generated to serve as the Ticket ID + and Grouping Identifier. A `CaseInfo` object is then constructed using the provided + parameters. - 6. **Event Creation**: A single event is generated containing the start/end time, - name, and product details, and is attached to the case. + 5. **Event Creation**: A single internal event is generated and attached to the + case to satisfy the SOAR data model requirements. - 7. **Ingestion**: The constructed case is returned to the Google SecOps platform, - where it triggers playbooks based on the defined product and alert criteria. + 6. **Ingestion**: The constructed case is returned to the SOAR platform, where + it is ingested as a new alert, subsequently triggering any playbooks configured + to match the specified Product and Alert Name. diff --git a/content/response_integrations/power_ups/connectors/resources/ai/integration_ai_description.yaml b/content/response_integrations/power_ups/connectors/resources/ai/integration_ai_description.yaml index faf1e267b..0801c7556 100644 --- a/content/response_integrations/power_ups/connectors/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/power_ups/connectors/resources/ai/integration_ai_description.yaml @@ -5,7 +5,7 @@ product_categories: edr: false email_security: false iam_and_identity_management: false - itsm: true + itsm: false network_security: false siem: false threat_intelligence: false diff --git a/content/response_integrations/power_ups/email_utilities/resources/ai/actions_ai_description.yaml b/content/response_integrations/power_ups/email_utilities/resources/ai/actions_ai_description.yaml index 87afae354..0abb9506e 100644 --- a/content/response_integrations/power_ups/email_utilities/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/power_ups/email_utilities/resources/ai/actions_ai_description.yaml @@ -1,64 +1,88 @@ Analyze EML Headers: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - Analyzes email headers extracted from either a base64-encoded EML file or a JSON-formatted - list of headers. The action performs a security-focused analysis to identify potential - spoofing, misconfigurations, or suspicious routing information. - - - ### General Description - - This action serves as a forensic utility for email analysis. It parses the provided - header data to extract key metadata, including the full list of headers, domains, - and IP addresses found in the 'Received' chain. It then applies a set of heuristic - rules to flag anomalies such as mismatched 'From' and 'Return-Path' addresses, - the presence of BCC headers in received mail, or missing Message-IDs. The results - are provided as both a structured JSON object and a formatted HTML table for easy - review within the SOAR interface. + Analyzes email headers provided either as a base64-encoded EML file or a JSON-formatted + list of headers. The action performs a security-focused heuristic analysis to + identify potential spoofing, misconfigurations, or suspicious patterns. It evaluates + routing information from 'Received' headers and compares key fields such as 'Return-Path', + 'From', and 'Reply-To' to detect mismatches. Additionally, it checks for the presence + of specific headers like 'X-Distribution' and 'Bcc', and validates the 'Message-ID' + format. The results include a detailed JSON breakdown of extracted headers and + a formatted HTML summary of security recommendations and matched rules. ### Parameters Description + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | | Base64 EML | String | No | The base64-encoded content of an EML file. If provided, - the action will decode and parse the headers from this file. | + the action will parse this file to extract headers. | - | Header List | String | No | A JSON-formatted list of headers (e.g., `[["Header-Name", - "Value"], ...]`). This is used if the EML file is not available. | + | Header List | String | No | A JSON-formatted string representing a list of email + headers. Used if a full EML file is not available. | ### Additional Notes - * **Input Requirement:** Either 'Base64 EML' or 'Header List' must be configured - for the action to execute successfully. If both are provided, 'Base64 EML' takes - precedence. + - Either 'Base64 EML' or 'Header List' must be configured for the action to run; + if both are missing, the action will fail. - * **Heuristic Scoring:** The action assigns scores to various anomalies (e.g., - mismatched headers) to help analysts prioritize suspicious emails. + - The action handles duplicate header keys by appending a numeric suffix (e.g., + 'Received_2'). ### Flow Description - 1. **Input Retrieval:** The action checks for the 'Base64 EML' parameter. If present, - it decodes the base64 string and parses the email structure to extract headers. - If absent, it attempts to parse the 'Header List' JSON. + 1. **Input Retrieval**: The action checks for the 'Base64 EML' or 'Header List' + parameters. - 2. **Header Normalization:** It iterates through the extracted headers, creating - a dictionary and handling duplicate header keys by appending an index (e.g., `Received_2`). + 2. **Header Extraction**: If an EML is provided, it is decoded and parsed using + standard email libraries. If a header list is provided, it is parsed from JSON. - 3. **Routing Extraction:** It uses regular expressions to extract domains and - IP addresses from all 'Received' headers to map the email's path. + 3. **Normalization**: Headers are organized into a dictionary, and duplicate keys + are handled to ensure all data is captured. - 4. **Security Analysis:** The action runs a series of checks: - * Compares 'Return-Path' against 'From' and 'X-Original-Sender'. - * Compares 'Reply-To' against 'From'. - * Checks for suspicious headers like 'X-Distribution', 'Bcc', or 'X-UIDL'. - * Validates the 'Message-ID' for common anomalies. - * Checks 'X-Authenticated-User' against the 'From' address. - 5. **Output Generation:** It compiles the analysis into a JSON result and generates - an HTML table containing the security recommendations and the full header list. + 4. **Routing Analysis**: The action extracts domains and IP addresses from 'Received' + headers to map the email's path. + + 5. **Heuristic Security Checks**: The code runs several checks: + - Compares 'Return-Path' against 'From' and 'X-Original-Sender'. + - Compares 'Reply-To' against 'From'. + - Validates 'X-Authenticated-User' against the 'From' address. + - Checks for suspicious headers (e.g., 'X-Distribution', 'X-UIDL', 'Bcc'). + - Inspects 'Message-ID' for anomalies. + 6. **Result Generation**: Scores are calculated based on matched rules, and the + findings are outputted as both raw JSON and a formatted HTML table. capabilities: can_create_case_comments: false can_create_insight: false @@ -72,7 +96,7 @@ Analyze EML Headers: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -86,6 +110,7 @@ Analyze EML Headers: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Analyze Headers: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -97,75 +122,69 @@ Analyze EML Headers: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: false + enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Analyze Headers: ai_description: >- - Analyze Headers is a comprehensive email forensics action that evaluates the authenticity - and routing path of an email based on its headers. It performs deep validation - of security protocols and enriches relay information with external threat intelligence. - + Analyzes email headers provided in JSON format to perform a comprehensive security + audit of an email's origin and routing path. The action validates authentication + records (SPF, DMARC, DKIM, ARC), traces the relay hops, and enriches the data + with threat intelligence including RBL status, WHOIS information, and geographic + location. - ### General Description - - This action takes a JSON object representing email headers and performs a multi-stage - analysis. It validates core email authentication mechanisms (SPF, DMARC, DKIM, - and ARC) to detect spoofing or tampering. Additionally, it parses the 'Received' - headers to reconstruct the email's journey across mail servers (hops). Each identified - relay server is checked against multiple Real-time Blocklists (RBLs) and enriched - with geographic location and Whois (RDAP) data to identify suspicious origins - or infrastructure. - - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Headers JSON | String | Yes | A JSON-formatted string containing the email headers - to be analyzed. This is typically the output of a previous email parsing step. - | + | Headers JSON | String | Yes | A JSON object containing the email headers to + be analyzed. This is typically extracted from an email parsing action. | - ### Additional Notes + ### Flow Description - - This action does not operate on SecOps entities directly; it processes the data - provided in the `Headers JSON` parameter. + 1. **Input Extraction:** Retrieves the `Headers JSON` parameter and parses it + into a Python dictionary. - - The action requires outbound connectivity to perform DNS lookups, RBL checks, - and access geo-location/Whois APIs. + 2. **Metadata Extraction:** Identifies core email attributes such as the sender, + recipient, subject, and message ID. + 3. **Domain Security Validation:** Performs DNS queries to check the sender domain's + SPF, DMARC, MX, and DNSSec records using the `checkdmarc` library. - ### Flow Description + 4. **Signature Verification:** Validates DKIM and ARC (Authenticated Receive Chain) + signatures to ensure the email has not been tampered with during transit. - 1. **Input Parsing:** Extracts the email headers from the provided JSON parameter. + 5. **Relay Path Analysis (Hops):** Iterates through the 'Received' headers in + reverse order to reconstruct the email's journey. - 2. **Authentication Validation:** Uses DNS queries to verify SPF, DMARC, and MX - records for the sender's domain. It also cryptographically verifies DKIM and ARC - signatures. + 6. **Threat Intelligence Enrichment:** For each relay server identified in the + hops, the action checks the IP or domain against multiple Real-time Block Lists + (RBLs), performs RDAP/WHOIS lookups to determine ownership, and retrieves geographic + location data (City, Country, Coordinates). - 3. **Hop Analysis:** Parses the 'Received' headers to identify every mail server - involved in the delivery chain. + 7. **Timing Analysis:** Calculates the delay (in seconds) between each relay hop + to identify potential anomalies in delivery time. - 4. **Enrichment:** For each identified IP or hostname in the relay path: - - Queries RBLs to check for blacklisting. - - Performs Whois/RDAP lookups to identify the owner/ASN. - - Retrieves geographic coordinates and city/country information. - 5. **Result Aggregation:** Compiles all authentication results, hop details, and - enrichment data into a single structured JSON object returned to the platform. + 8. **Result Aggregation:** Consolidates all authentication results, blacklist + statuses, and enrichment data into a structured JSON object for use in subsequent + playbook steps. capabilities: can_create_case_comments: false can_create_insight: false @@ -179,7 +198,7 @@ Analyze Headers: categories: enrichment: true entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -193,6 +212,7 @@ Analyze Headers: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Parse Base64 Email: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -204,78 +224,90 @@ Analyze Headers: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: true + enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Parse Base64 Email: ai_description: >- - Parses EML and MSG email files provided as Base64 strings to extract comprehensive - metadata, content, and indicators. This action is designed to assist in phishing - analysis by breaking down complex email structures into machine-readable formats - for use in playbooks. + ### General Description + Parses EML and MSG email files provided as a Base64 encoded string. This action + is a comprehensive utility designed to extract structured data from email blobs, + including headers, body content, and attachments. It automatically identifies + and extracts Indicators of Compromise (IOCs) such as URLs, domains, IP addresses, + and email addresses from the email's headers and body. The action supports recursive + parsing, meaning it will also parse emails that are attached within the primary + email file. - ### Flow Description: - 1. **Input Decoding:** Decodes the provided Base64 string into raw bytes. + ### Parameters Description - 2. **Format Identification:** Determines if the file is an OLE-based MSG file - or a standard EML file. - 3. **Header Parsing:** Extracts email headers (To, From, Subject, etc.) and processes - the 'Received' transport chain, respecting the 'Stop Transport' and 'Blacklist' - configurations. + | Parameter | Type | Mandatory | Description | - 4. **Body Extraction:** Retrieves plain text and HTML bodies, then performs extraction - to identify URLs, Domains, IP addresses, and Email addresses using regex and URI - extraction tools. + | :--- | :--- | :--- | :--- | - 5. **Attachment Processing:** Identifies and hashes attachments. If attachments - are themselves emails (nested), it recursively parses them to extract their internal - content. + | EML/MSG Base64 String | String | Yes | The Base64 encoded string representing + the EML or MSG file to be parsed. | - 6. **Output Generation:** Consolidates all extracted data into a structured JSON - object, including 'observed' indicators and 'received' routing information. + | Stop Transport At Header | String | No | A specific header field name. If provided, + the action will stop processing transport/hop headers once this field is encountered. + | + | Blacklisted Headers | String | No | A comma-separated list of header names to + be excluded from the final output. | - ### Parameters Description: + | Use Blacklist As Whitelist | Boolean | No | If set to `true`, the headers provided + in the 'Blacklisted Headers' parameter will be treated as an allowlist (only those + headers will be included). Default is `false`. | - | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + ### Additional Notes - | EML/MSG Base64 String | Content | Yes | The Base64 encoded content of the email - file (EML or MSG) to be parsed. | + - This action is a local processing utility; it does not make external API calls + to threat intelligence services. - | Stop Transport At Header | String | No | A specific header name (e.g., 'Received') - where the transport chain parsing should stop. | + - It handles both standard EML formats and Microsoft Outlook MSG (OLE) formats. - | Blacklisted Headers | String | No | A comma-separated list of headers to be - excluded from the response. | + - The action returns a detailed JSON object containing the parsed structure, which + is ideal for automated analysis in playbooks. - | Use Blacklist As Whitelist | Boolean | No | If set to 'true', the 'Blacklisted - Headers' parameter acts as an allowlist, and only those headers will be returned. - | + ### Flow Description + + 1. **Decode Input:** Decodes the provided Base64 string into raw binary data. - ### Additional Notes: + 2. **Format Detection:** Identifies whether the binary data represents an OLE-based + MSG file or a standard EML file. - - This action is a local utility and does not perform external reputation checks - (e.g., VirusTotal) on the extracted indicators. + 3. **Header Extraction:** Parses email headers (To, From, Subject, Date, etc.), + applying any blacklist or whitelist filters provided in the parameters. - - It handles recursive parsing of attached emails, providing a deep view of the - email's structure. + 4. **Body Parsing:** Extracts the email body in both plain text and HTML formats. + If HTML is present, it is rendered to plain text for IOC extraction. + + 5. **IOC Extraction:** Scans the headers and body content for IP addresses, URLs, + domains, and email addresses using specialized regex and extraction libraries. + + 6. **Attachment Processing:** Iterates through all attachments, extracting metadata + (filename, size, hashes). If an attachment is another email (EML/MSG), it is parsed + recursively. + + 7. **Result Generation:** Aggregates all extracted data into a single structured + JSON object and attaches it to the action's output. capabilities: can_create_case_comments: false can_create_insight: false @@ -289,7 +321,7 @@ Parse Base64 Email: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -303,6 +335,7 @@ Parse Base64 Email: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Parse Case Wall Email: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -314,78 +347,95 @@ Parse Base64 Email: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: false + enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Parse Case Wall Email: ai_description: >- Parses EML or MSG email files attached to the Google SecOps case wall to extract - headers, body content, and nested attachments. This action automates the ingestion - of email evidence by identifying the original email file, decoding its structure, - and optionally creating SOAR entities for further investigation. + headers, body content, and nested attachments. This action automates the decomposition + of email files into structured data, facilitating the identification of indicators + and the creation of related entities within the case context. - ### Flow Description + ### Parameters Description - 1. **Attachment Retrieval:** Searches the case or alert wall for supported email - files (.eml or .msg), prioritizing the original email attachment. - 2. **Email Parsing:** Decodes the email file to extract metadata (To, From, Subject, - Date), body text (Plain Text and HTML), and any embedded attachments. + | Parameter | Type | Mandatory | Description | - 3. **Entity Creation:** Based on configuration, creates entities for the sender, - recipients, and subject line. It also performs recursive parsing of nested emails. + | :--- | :--- | :--- | :--- | - 4. **IOC Extraction:** Scans the email body and headers for observed indicators - (URLs, IPs, Hashes, Emails) and creates corresponding entities in the case. + | Create Entities | Boolean | No | When enabled (default: true), the action creates + User entities for the 'To' and 'From' headers and an Email Subject entity for + the 'Subject' field. | - 5. **Attachment Processing:** Extracts files from the email and saves them back - to the case wall, while creating FILENAME and FILEHASH entities linked to the - email subject. + | Exclude Entities Regex | String | No | A regular expression used to prevent + the creation of specific entities that match the pattern. | - 6. **Data Enrichment:** Updates created entities with additional properties such - as file hashes, attachment IDs, and source file references. + | Original EML Only | Boolean | No | If enabled (default: true), the action will + only extract attachments from the original EML file. | + | Create Observed Entities | DDL | No | Determines which indicator types (URLs, + Emails, IPs, Hashes) to extract from the email body. Options include 'All', specific + types, or 'None'. | - ### Parameters Description + | Save Attachments to Case Wall | Boolean | No | When enabled (default: true), + any attachments found within the parsed email are extracted and saved back to + the case wall. | - | Parameter | Type | Mandatory | Description | + | Fang Entities | Boolean | No | If enabled (default: true), defanged indicators + (e.g., `example[.]com`) are converted back to their fanged versions (e.g., `example.com`) + during extraction. | + + | Custom Entity Regexes | Code | No | A JSON object containing custom regular + expressions to parse specific entity types from the email body and subject. | - | :--- | :--- | :--- | :--- | - | Create Entities | Boolean | No | If true, creates User entities for 'To'/'From' - headers and an Email Subject entity. | + ### Additional Notes + + - This action does not require specific input entities to run; it operates on + the attachments associated with the current case or alert. - | Exclude Entities Regex | String | No | A regular expression used to skip the - creation of specific entities that match the pattern. | + - Extracted attachments are linked to their corresponding `FILENAME` entities + in the case by updating the entity's `attachment_id` property. - | Original EML Only | Boolean | No | If true, the action will only extract attachments - from the top-level EML file, ignoring nested ones. | - | Create Observed Entities | DDL | No | Specifies which types of indicators (URLs, - Emails, IPs, Hashes) found in the body should be converted into entities. | + ### Flow Description - | Save Attachments to Case Wall | Boolean | No | If true, saves all files extracted - from the email back to the SOAR case wall as new attachments. | + 1. **Attachment Identification:** The action scans the case wall and alert wall + for supported email file formats (.eml, .msg). - | Fang Entities | Boolean | No | If true, automatically 'fangs' defanged indicators - (e.g., converting `example[.]com` to `example.com`) and decodes URL protection - services like Proofpoint or Safelinks. | + 2. **Email Parsing:** It utilizes the `EmailManager` to parse the identified file, + extracting metadata (Subject, From, To, Date), body content (Text/HTML), and nested + attachments. - | Custom Entity Regexes | Code | No | A JSON object containing custom regular - expressions to identify and extract specific entity types from the email body - and subject. | + 3. **Indicator Extraction:** The action identifies URLs, IPs, Emails, and Hashes + within the email body and headers based on the `Create Observed Entities` and + `Custom Entity Regexes` settings. + + 4. **Entity Creation:** If configured, it creates new entities in the SOAR case + for the email participants, subject, and discovered indicators, establishing directional + relationships between them. + + 5. **Attachment Processing:** If `Save Attachments to Case Wall` is true, nested + files are uploaded to the case. The action also updates existing `FILENAME` entities + in the alert with the new attachment IDs. + + 6. **Result Output:** The complete parsed email structure is returned as a JSON + object for use in downstream playbook tasks. capabilities: can_create_case_comments: false can_create_insight: false @@ -396,20 +446,19 @@ Parse Case Wall Email: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action saves extracted email attachments back to the Google SecOps case - wall, creates new entities (Users, Email Subjects, URLs, IPs, etc.) within the - case, and updates entity attributes with metadata such as file hashes and attachment - IDs. + Creates new entities for email participants and indicators, uploads nested attachments + to the case wall, and updates existing Filename entities with attachment IDs. categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: + - FILENAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false filters_by_creation_time: false - filters_by_entity_type: false - filters_by_identifier: false + filters_by_entity_type: true + filters_by_identifier: true filters_by_is_artifact: false filters_by_is_enriched: false filters_by_is_internal: false @@ -417,6 +466,7 @@ Parse Case Wall Email: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Parse EML Base64 Blob: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -430,60 +480,76 @@ Parse Case Wall Email: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Parse EML Base64 Blob: ai_description: >- - Decodes a base64-encoded string and parses it as an EML (Email) file to extract - structured metadata and content. This action is primarily used to analyze email - files that are passed as raw data, such as those retrieved from attachments or - external databases. It extracts standard headers, body content, and recursively - processes nested EML attachments. + ### General Description + The **Parse EML Base64 Blob** action is a utility designed to decode a base64-encoded + string and parse its contents as an EML (Email) file. This action extracts structured + information from raw email data, including headers, metadata, and body content. + It is particularly useful in workflows where email files are passed as encoded + strings, allowing for automated analysis of sender information, recipient lists, + and message bodies without requiring external services. - ### Parameters + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Base64 EML Blob | String | Yes | The base64 encoded string representing the - content of the EML file to be parsed. | + | **Base64 EML Blob** | String | Yes | The base64-encoded string of the EML file + to be parsed. | + + + ### Additional Notes + + - This action performs local parsing using standard Python libraries and does + not interact with external APIs or Google SecOps entities. + + - It supports recursive parsing of nested EML attachments found within the primary + blob. + + - The output is provided as a JSON result containing detailed metadata and content + for each parsed email object. ### Flow Description + 1. **Input Retrieval:** The action retrieves the base64-encoded EML blob from + the input parameters. - 1. **Input Retrieval**: The action retrieves the base64-encoded string from the - `Base64 EML Blob` parameter. + 2. **Decoding:** The blob is decoded from base64 into a UTF-8 string. - 2. **Decoding**: It decodes the base64 string into a raw UTF-8 string representing - the EML file content. + 3. **EML Parsing:** The decoded string is parsed into an email message object + using standard libraries. - 3. **Metadata Extraction**: The action parses the EML headers to extract the sender, - primary recipients (To), carbon copy recipients (CC), blind carbon copy recipients - (BCC), subject, and the date of the email. + 4. **Metadata Extraction:** The action extracts key headers such as 'From', 'To', + 'CC', 'BCC', 'Subject', and 'Date'. - 4. **Content Extraction**: It extracts the plain text and HTML versions of the - email body. + 5. **Content Extraction:** It retrieves the plain text and HTML bodies of the + email, along with a count of the email parts. - 5. **Nested EML Parsing**: The action iterates through the email's multipart components. - If it identifies a nested EML file (often found as an attachment), it recursively - extracts the metadata and content for that nested message. + 6. **Recursive Attachment Processing:** The action iterates through the email + payload to find nested multipart sections that represent attached EML files. If + found, these are also decoded and parsed. - 6. **Result Generation**: All extracted data is compiled into a structured JSON - object and returned as the action's result. + 7. **Result Output:** The extracted data for the main email and any nested emails + is returned as a structured JSON array. capabilities: can_create_case_comments: false can_create_insight: false @@ -497,7 +563,7 @@ Parse EML Base64 Blob: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -511,6 +577,7 @@ Parse EML Base64 Blob: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -524,26 +591,27 @@ Parse EML Base64 Blob: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: ai_description: >- ### General Description - Checks connectivity to the Email Utilities integration. This action is used to - verify that the integration is correctly configured and can communicate with the - Google SecOps environment. It serves as a health check to ensure the integration's - environment and dependencies are properly loaded. + Verifies the connectivity between Google SecOps and the Email Utilities integration. + This action serves as a basic health check to ensure that the integration is correctly + configured and reachable within the environment. ### Parameters Description @@ -551,15 +619,21 @@ Ping: There are no parameters for this action. + ### Additional Notes + + This is a standard 'Ping' action used for troubleshooting and configuration validation. + It does not perform any data processing, external API calls, or entity enrichment. + + ### Flow Description - 1. **Initialization**: The action initializes the Siemplify action module. + 1. **Initialization**: The action initializes the Siemplify SDK environment. - 2. **Connectivity Verification**: The action performs a basic internal check to - confirm the script can execute within the SOAR environment. + 2. **Connectivity Check**: The script executes a simple completion command to + confirm the execution environment is functional. - 3. **Completion**: The action terminates with a success message 'Siemplify is - connected' and a boolean status of True. + 3. **Completion**: Returns a success message 'Siemplify is connected' to the SOAR + interface. capabilities: can_create_case_comments: false can_create_insight: false @@ -573,7 +647,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -587,28 +661,3 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/power_ups/enrichment/resources/ai/actions_ai_description.yaml b/content/response_integrations/power_ups/enrichment/resources/ai/actions_ai_description.yaml index 16b2ad6f7..4acf607a4 100644 --- a/content/response_integrations/power_ups/enrichment/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/power_ups/enrichment/resources/ai/actions_ai_description.yaml @@ -1,63 +1,92 @@ Enrich Entities from List with Field: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - Enriches a specific list of entities within a Google SecOps case by adding a user-defined - field and value to their additional properties. This action is useful for bulk-tagging - or manually adding context to entities that match a specific type and identifier. + ### General Description + The **Enrich Entities from List with Field** action is a utility designed to bulk-update + entities within a Google SecOps case. It takes a delimited list of entity identifiers + and a specific entity type, searches for matching entities already present in + the case, and enriches them by adding or updating a custom field in their `additional_properties`. + This action is particularly useful for manual tagging or applying context derived + from external lists to existing case entities. - ### Parameters Description + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | List of Entities | string | Yes | A delimited list of entity identifiers (e.g., - IP addresses, hostnames) to be enriched. | + | **List of Entities** | String | Yes | A delimited string containing the identifiers + (e.g., IP addresses, hostnames) of the entities to be enriched. | - | Entity Type | string | Yes | The specific type of entity to target (e.g., ADDRESS, - USERUNIQNAME, HOSTNAME). | + | **Entity Type** | String | Yes | The type of entities to target (e.g., ADDRESS, + HOSTNAME, USER). The action will only update entities that match this type. | - | Entity Delimiter | string | Yes | The character used to separate the identifiers - in the 'List of Entities' parameter (e.g., a comma or semicolon). | + | **Entity Delimiter** | String | Yes | The character used to separate the identifiers + in the **List of Entities** parameter (default is a comma). | - | Enrichment Field | string | Yes | The name of the custom field to be added to - the entity's 'additional_properties'. | + | **Enrichment Field** | String | Yes | The name of the field (key) to be added + to the entity's `additional_properties`. | - | Enrichment Value | string | Yes | The value to be assigned to the specified - 'Enrichment Field'. | + | **Enrichment Value** | String | Yes | The value to be assigned to the specified + **Enrichment Field**. | - ### Additional Notes + ### Flow Description - - This action does not call external APIs; it only processes data provided in - the parameters and applies it to entities already present in the SecOps case. + 1. **Parsing**: The action splits the input **List of Entities** into individual + strings based on the provided **Entity Delimiter**. - - Matching is case-insensitive for entity identifiers. + 2. **Retrieval**: It retrieves all entities associated with all alerts in the + current Google SecOps case. + 3. **Matching**: For each identifier in the parsed list, the action iterates through + the case entities to find a match. A match is confirmed if the entity's identifier + (case-insensitive) and its type both match the provided parameters. - ### Flow Description + 4. **Enrichment**: For every matching entity, the action adds or updates the specified + **Enrichment Field** with the **Enrichment Value** in the entity's `additional_properties` + dictionary. - 1. **Parameter Parsing**: The action retrieves the list of entities, the target - entity type, the delimiter, and the key-value pair for enrichment from the input - parameters. + 5. **Update**: The action calls the internal SDK to update the modified entities + within the platform. - 2. **List Processing**: It splits the 'List of Entities' string into individual - identifiers using the provided delimiter and strips whitespace. - 3. **Entity Retrieval**: It fetches all entities associated with the alerts in - the current case. - - 4. **Matching Logic**: It iterates through the target identifiers and searches - for matching entities in the case that share both the same identifier (case-insensitive) - and the specified entity type. + ### Additional Notes - 5. **Internal Mutation**: For every matched entity, it adds or updates the specified - 'Enrichment Field' in the entity's `additional_properties` dictionary with the - 'Enrichment Value'. + - This action does not interact with external APIs; it performs internal data + manipulation within the SOAR environment. - 6. **Update**: The action commits the changes to the entities within the Google - SecOps platform and returns the count of successfully enriched entities. + - If an identifier in the list does not exist in the case or does not match the + specified type, it is skipped without error. capabilities: can_create_case_comments: false can_create_insight: false @@ -66,49 +95,49 @@ Enrich Entities from List with Field: can_mutate_internal_data: true can_update_entities: true external_data_mutation_explanation: null - fetches_data: false + fetches_data: true internal_data_mutation_explanation: >- - Updates the 'additional_properties' attribute of matched entities within the - Google SecOps case with a user-defined field and value. + Updates the 'additional_properties' attribute of entities within the Google + SecOps case. categories: - enrichment: false + enrichment: true entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -122,6 +151,7 @@ Enrich Entities from List with Field: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Enrich Entity From Event Field: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -132,77 +162,77 @@ Enrich Entities from List with Field: disable_identity: false download_file: false enable_identity: false - enrich_asset: false + enrich_asset: true enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Enrich Entity From Event Field: ai_description: >- - Enriches target entities by extracting specific field values from the alert's - first security event and mapping them to the entities' additional properties. - This utility action allows for the dynamic propagation of event-level metadata - (such as custom logs or specific telemetry fields) directly onto the entity objects - within the SOAR platform, making that data available for subsequent playbook steps + ### General Description + + This action enriches entities by extracting specific field values from the first + security event associated with the current alert and mapping them to the entity's + additional properties. It is designed to propagate event-level context (such as + custom metadata, department info, or specific event tags) directly onto the entities + involved in the alert, making that data available for subsequent playbook steps or analyst review. ### Parameters Description - - | Parameter | Type | Mandatory | Description | + | Parameter Name | Expected Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Fields to enrich | string | True | A comma-separated list of field names found - within the security event's additional properties. These values will be copied - to the target entities. | + | Fields to enrich | String | Yes | A comma-separated list of field names (keys) + to look for in the security event's additional properties. These values will be + copied to the entity's additional properties if found. | ### Flow Description + 1. **Parameter Parsing**: The action retrieves the comma-separated list of field + names from the input parameter. - 1. **Parameter Parsing:** The action parses the comma-separated string provided - in the 'Fields to enrich' parameter into a list of field names. - - 2. **Event Retrieval:** It accesses the first security event (`security_events[0]`) + 2. **Event Retrieval**: It accesses the first security event (`security_events[0]`) associated with the current alert. - 3. **Data Normalization:** It creates a case-insensitive map of the event's additional - properties to ensure field matching is robust. + 3. **Entity Iteration**: The action iterates through all target entities in the + current scope. - 4. **Entity Iteration:** The action iterates through all entities currently in - the playbook scope (target entities). + 4. **Field Mapping**: For each entity, it performs a case-insensitive check to + see if the requested fields exist within the event's additional properties. - 5. **Field Mapping:** For each entity, it checks if the requested fields exist - in the event data. If a match is found, the entity's 'additional_properties' attribute - is updated with the value from the event. + 5. **Internal Mutation**: If matches are found, the entity's `additional_properties` + are updated with the values from the event. - 6. **Internal Update:** The action commits the changes to the entities within - Google SecOps using the `update_entities` method. + 6. **Persistence**: The action calls the internal SDK method to save the updated + entity attributes back to the Google SecOps platform. - 7. **Result Reporting:** It returns a JSON summary of the enriched fields for - each affected entity. + 7. **Result Reporting**: It returns a JSON object containing the enriched fields + and a count of how many entities were successfully updated. ### Additional Notes + - This action only looks at the **first** security event in the alert. If an alert + contains multiple events with different data, only the first one is used for enrichment. - * This action only processes the **first** security event attached to an alert. - If an alert contains multiple events with different data, only the first one is - considered. - - * The field matching is case-insensitive. + - The field matching is case-insensitive, but the keys are stored in lowercase + in the resulting entity properties. capabilities: can_create_case_comments: false can_create_insight: false @@ -213,47 +243,47 @@ Enrich Entity From Event Field: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates the 'additional_properties' attribute of target entities with data retrieved - from the alert's security event. + Updates the 'additional_properties' of entities within the Google SecOps platform + using data extracted from the alert's security events. categories: enrichment: true entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -267,6 +297,7 @@ Enrich Entity From Event Field: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Enrich Entity From JSON: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -278,91 +309,94 @@ Enrich Entity From Event Field: download_file: false enable_identity: false enrich_asset: true - enrich_ioc: false + enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Enrich Entity From JSON: ai_description: >- - ### General Description - - Enriches entities within a Google SecOps case by mapping data from a provided - JSON string to existing entities. This utility action allows for the enrichment - of entities using static data or data generated in previous playbook steps without - requiring external API calls. It matches entities based on a configurable identifier - path within the JSON, flattens the associated data, and updates the entity's additional - properties (attributes). + Enriches entities within Google SecOps using data provided in a JSON format. This + utility action allows users to map external data (passed as a parameter) to existing + entities in a case by matching identifiers. It flattens the provided JSON data + and adds it to the entity's additional properties, optionally applying a prefix + or filtering the data using JSONPath. ### Parameters Description + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Enrichment JSON | String | Yes | A JSON-formatted list of objects containing - the enrichment data. | + | Enrichment JSON | String | Yes | A JSON string representing a list of objects + containing the enrichment data. | - | Identifier KeyPath | String | Yes | The dot-separated (or custom separator) - path to the field in the JSON that matches the entity's identifier. | + | Identifier KeyPath | String | Yes | The path to the field in the JSON that contains + the entity identifier. Supports multiple paths separated by newlines. | - | Separator | String | Yes | The character used to delimit keys in the Identifier - KeyPath (default is '.'). | + | Separator | String | Yes | The character used to separate keys in the `Identifier + KeyPath` (default is `.`). | - | PrefixForEnrichment | String | No | An optional string to prefix to the keys - of the enriched data fields. | + | PrefixForEnrichment | String | No | An optional prefix to prepend to the keys + added to the entity's additional properties. | - | Enrichment JSONPath | String | No | An optional JSONPath expression to extract - a specific portion of the JSON object for enrichment. | + | Enrichment JSONPath | String | No | An optional JSONPath expression to filter + or select specific parts of the JSON object for enrichment. | - ### Flow Description + ### Additional Notes - 1. **Initialization**: The action retrieves the JSON data and configuration parameters - from the input. - 2. **Parsing**: The `Enrichment JSON` string is parsed into a Python list of dictionaries. + - This action is a utility for manual or automated enrichment using static or + dynamically generated JSON data within a playbook. - 3. **Entity Iteration**: The action iterates through all entities currently targeted - in the playbook scope. + - It does not interact with external APIs; all data must be provided via the `Enrichment + JSON` parameter. - 4. **Matching**: For each entity, it searches the provided JSON list for an entry - where the value at the specified `Identifier KeyPath` matches the entity's identifier. + - The action flattens nested JSON structures into a single-level key-value format + suitable for entity additional properties. - 5. **Data Extraction**: If a match is found, it extracts the relevant data. If - `Enrichment JSONPath` is provided, it filters the object using that expression; - otherwise, it uses the entire JSON object. - 6. **Transformation**: The extracted data is flattened into a single-level dictionary - to ensure compatibility with entity fields. + ### Flow Description - 7. **Prefixing**: If a `PrefixForEnrichment` is provided, it is prepended to all - keys in the flattened dictionary. - 8. **Enrichment**: The entity's `additional_properties` are updated with the processed - data. + 1. **Parse Input:** The action parses the `Enrichment JSON` string into a list + of dictionaries. - 9. **Completion**: The action updates the entities in the Google SecOps platform - and returns the total count of successfully enriched entities. + 2. **Identify Keys:** It processes the `Identifier KeyPath` and `Separator` to + determine how to locate identifiers within the JSON objects. + 3. **Iterate Entities:** It iterates through all target entities in the current + SOAR context. - ### Additional Notes + 4. **Match and Extract:** For each entity, it scans the JSON list. If a matching + identifier is found (based on the provided key path), it proceeds to extract the + data. + + 5. **Apply JSONPath (Optional):** If an `Enrichment JSONPath` is provided, the + action filters the matching JSON object to extract only the specified data. - - This action does not perform external network requests; it processes data provided - strictly as an input parameter. + 6. **Flatten and Prefix:** The extracted data is flattened into a flat dictionary. + If a `PrefixForEnrichment` is specified, it is prepended to all keys. - - The `Identifier KeyPath` supports nested keys using the defined separator (e.g., - 'user.details.id'). + 7. **Update Entities:** The entity's `additional_properties` are updated with + the processed data, and the entity is marked for update in the platform. + + 8. **Finalize:** The action concludes by updating all modified entities and returning + the total count of enriched entities. capabilities: can_create_case_comments: false can_create_insight: false @@ -371,49 +405,49 @@ Enrich Entity From JSON: can_mutate_internal_data: true can_update_entities: true external_data_mutation_explanation: null - fetches_data: false + fetches_data: true internal_data_mutation_explanation: >- - Updates the 'additional_properties' (enrichment attributes) of entities within - the Google SecOps case based on the provided JSON data. + Updates the 'additional_properties' of the entities within Google SecOps based + on the provided JSON data. categories: - enrichment: false + enrichment: true entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -427,6 +461,7 @@ Enrich Entity From JSON: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Enrich Entity With Field: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -440,26 +475,30 @@ Enrich Entity From JSON: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Enrich Entity With Field: ai_description: >- ### General Description - This action allows users to enrich entities within a Google SecOps case by adding - custom key-value pairs to their additional properties. It is a utility action - used to attach static or calculated metadata to entities for better context or - for use in downstream playbook logic. + The **Enrich Entity With Field** action is a utility designed to manually or programmatically + inject custom metadata into entities within a Google SecOps case. It allows users + to define a list of key-value pairs that are then appended to the `additional_properties` + attribute of all entities currently in scope. This action is primarily used for + tagging entities with static information, organizational context, or data derived + from previous playbook steps that isn't automatically mapped by standard integrations. ### Parameters Description @@ -468,36 +507,41 @@ Enrich Entity With Field: | :--- | :--- | :--- | :--- | - | Fields to enrich | String (JSON) | Yes | A JSON-formatted list of objects, where - each object contains `entity_field_name` and `entity_field_value`. These pairs - will be added to the entity's additional properties. | + | **Fields to enrich** | string | Yes | A JSON-formatted string representing a + list of objects. Each object must contain `entity_field_name` and `entity_field_value`. + For example: `[{"entity_field_name": "Title", "entity_field_value": "SalesManager"}]`. + | ### Flow Description - 1. **Parse Input:** The action retrieves the `Fields to enrich` parameter and - parses the JSON string into a list of field definitions. + 1. **Input Parsing**: The action retrieves the JSON string from the `Fields to + enrich` parameter and parses it into a list of dictionaries. - 2. **Iterate Entities:** It loops through all entities currently in the action's - scope (`target_entities`). + 2. **Entity Iteration**: The script iterates through every entity provided in + the `target_entities` list of the current context. - 3. **Apply Properties:** For each entity, it iterates through the provided field - list and assigns the values to the entity's `additional_properties` dictionary. + 3. **Property Injection**: For each entity, the script loops through the parsed + fields and adds or updates the corresponding keys in the entity's `additional_properties` + dictionary. - 4. **Update Platform:** The action calls the `update_entities` method to save - the changes back to the Google SecOps platform. + 4. **Platform Update**: The action calls the `update_entities` method to persist + these changes within the Google SecOps platform. - 5. **Output Results:** It attaches the enrichment data as a JSON result for each - processed entity and concludes the execution. + 5. **Result Reporting**: The action generates a JSON result for each entity containing + the applied fields and concludes with a summary message indicating the number + of entities successfully updated. ### Additional Notes - - The input must be a valid JSON array of objects. For example: `[{"entity_field_name": - "Department", "entity_field_value": "Finance"}]`. + - This action does not communicate with any external APIs; it only processes data + provided via parameters. - - This action does not communicate with external APIs; it processes data provided - directly in the parameters. + - It modifies internal entity data within the SOAR environment by updating the + `additional_properties` field. + + - Ensure the JSON provided in the parameter is valid to avoid execution errors. capabilities: can_create_case_comments: false can_create_insight: false @@ -508,47 +552,47 @@ Enrich Entity With Field: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - The action modifies the 'additional_properties' attribute of entities within - the Google SecOps case to include the provided key-value pairs. + Updates the 'additional_properties' attribute of entities within the Google + SecOps case to include custom key-value pairs provided in the action parameters. categories: enrichment: false entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -562,6 +606,7 @@ Enrich Entity With Field: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Enrich Entity from Explorer Attributes: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -572,70 +617,80 @@ Enrich Entity With Field: disable_identity: false download_file: false enable_identity: false - enrich_asset: false + enrich_asset: true enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Enrich Entity from Explorer Attributes: ai_description: >- - Enriches entities with historical data retrieved from the Google SecOps Entity - Explorer. This action allows users to synchronize previously discovered entity - attributes into the current case context, ensuring that existing knowledge about - an entity is readily available for analysis. + ### General Description + Enriches entities within a Google SecOps case by retrieving historical attribute + data from the Entity Explorer. This action allows analysts to automatically populate + entity properties with previously discovered information, ensuring consistency + and providing deeper context without manual data entry. - ### Flow Description - 1. **Parameter Extraction:** The action identifies which fields to process based - on the `Field Name` and `Use Field Name as Whitelist` parameters. + ### Parameters Description + + | Parameter | Type | Mandatory | Description | - 2. **Data Retrieval:** For each target entity, the action calls the internal SOAR - API to fetch historical records from the Entity Explorer. + | :--- | :--- | :--- | :--- | - 3. **Field Filtering:** The retrieved data is filtered to exclude system-protected - fields (like 'Environment' or 'IsInternalAsset') and to match the user-defined - whitelist or denylist. + | Field Name | string | False | A comma-separated list of specific fields to retrieve + from the Entity Explorer. If left empty, all available fields will be considered + based on the whitelist/denylist logic. | - 4. **Entity Update:** The action maps the retrieved values to the entity's attributes - or `additional_properties` dictionary. + | Use Field Name as Whitelist | boolean | False | Determines how the 'Field Name' + parameter is applied. If set to `true` (default), only the specified fields are + enriched. If set to `false`, the specified fields are excluded (denylist), and + all other available fields are enriched. | - 5. **Persistence:** The updated entity objects are committed back to the Google - SecOps platform, and a summary of the changes is provided in the action results. + ### Flow Description - ### Parameters Description + 1. **Parameter Extraction:** The action retrieves the filtering logic (whitelist + vs. denylist) and the list of target field names from the user input. - | Parameter Name | Type | Mandatory | Description | + 2. **Entity Iteration:** The action iterates through all entities currently associated + with the case or targeted by the playbook. - | :--- | :--- | :--- | :--- | + 3. **Data Retrieval:** For each entity, it queries the internal Google SecOps + API (Entity Explorer) to fetch historical data associated with that specific entity + identifier and type. - | Field Name | string | No | A comma-separated list of specific fields to retrieve - from the Entity Explorer. If left empty, all available fields will be processed. - | + 4. **Field Filtering:** The retrieved data is filtered to exclude core system + fields (e.g., 'Type', 'Environment', 'IsInternalAsset') and then processed according + to the user-defined whitelist or denylist. + + 5. **Entity Update:** The action updates the entity's attributes or populates + its 'additional_properties' dictionary with the filtered values. - | Use Field Name as Whitelist | boolean | No | If set to `true` (default), only - the fields listed in 'Field Name' will be added to the entity. If `false`, the - list acts as a denylist, and all fields *except* those listed will be added. | + 6. **Persistence:** Finally, the action commits the updated entity objects back + to the SecOps platform and outputs the results in JSON format. ### Additional Notes - - This action interacts with internal Google SecOps data stores rather than external - third-party APIs. + - Core system fields are protected and cannot be overwritten by this action to + maintain data integrity. - - System fields are automatically protected and will not be overwritten by this - action to maintain data integrity. + - If no fields are specified in the 'Field Name' parameter and the whitelist mode + is active, the action will attempt to enrich the entity with all available historical + fields found in the explorer. capabilities: can_create_case_comments: false can_create_insight: false @@ -646,47 +701,47 @@ Enrich Entity from Explorer Attributes: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity attributes and additional properties with historical data retrieved - from the internal Entity Explorer. + Updates entity attributes and additional properties within the Google SecOps + platform using data retrieved from the Entity Explorer. categories: enrichment: true entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -700,6 +755,7 @@ Enrich Entity from Explorer Attributes: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Enrich FileName Entity with Path: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -713,63 +769,69 @@ Enrich Entity from Explorer Attributes: enrich_asset: true enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Enrich FileName Entity with Path: ai_description: >- ### General Description - This action enriches entities by parsing their identifiers as file paths. It extracts - the directory path, the full file name, and the file extension, then attaches - this metadata back to the entity. It is designed to handle both Windows-style - (e.g., `C:\path\to\file.exe`) and Unix-style (e.g., `/path/to/file.sh`) paths - using regex and standard path manipulation libraries. + This action parses file paths from entity identifiers to extract and enrich the + entity with specific file metadata, including the directory path, the full filename, + and the file extension. It is designed to provide better context for entities + that represent file system locations by breaking down complex path strings into + structured data. ### Parameters Description - There are no parameters for this action. + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | None | N/A | N/A | This action does not require any input parameters. | ### Additional Notes - * The action automatically detects the path format (Windows vs. Unix) based on - the presence of a drive letter (e.g., `C:\`). + - The action automatically detects whether a path is Windows-style (e.g., starting + with a drive letter like `C:\`) or Unix-style to ensure accurate parsing. - * If an entity identifier cannot be parsed as a valid path, the action will skip - that entity and log a failure message for it. + - Enrichment only occurs if a directory path is successfully identified within + the entity's identifier; simple filenames without paths may not be enriched depending + on the environment context. - * The extracted data is stored in the entity's `additional_properties` and also - returned as a JSON result. + - Extracted data is stored in the entity's `additional_properties` field, making + it available for downstream playbooks and searches. ### Flow Description - 1. **Entity Retrieval**: The action retrieves all target entities from the current - context. + 1. **Retrieve Entities**: The action fetches all target entities from the current + SecOps context. - 2. **Path Parsing**: For each entity, the script checks if the identifier matches - a Windows path pattern. It then uses the appropriate library (`ntpath` for Windows, - `os.path` for others) to split the identifier into a directory path and a filename. + 2. **Path Parsing**: For each entity, the identifier is analyzed using regex and + path utilities to determine if it contains a valid file path. - 3. **Extension Extraction**: The filename is further processed to extract the - file extension. + 3. **Metadata Extraction**: If a path is found, the logic splits the identifier + into the directory path, the filename, and the file extension. - 4. **Internal Mutation**: If parsing is successful, the `file_name`, `file_path`, - and `file_extension` are added to the entity's `additional_properties`. + 4. **Internal Enrichment**: The extracted metadata (file_name, file_path, file_extension) + is added to the entity's `additional_properties` attribute. - 5. **Update and Result**: The action updates the entities within Google SecOps - and attaches a JSON object containing the parsed details for all processed entities. + 5. **Update and Report**: The action updates the entities within Google SecOps + and returns a JSON summary of the enriched data for all processed entities. capabilities: can_create_case_comments: false can_create_insight: false @@ -780,47 +842,47 @@ Enrich FileName Entity with Path: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates the 'additional_properties' attribute of the entities with parsed file - path, name, and extension metadata. + Updates the 'additional_properties' attribute of entities with parsed file path, + name, and extension. categories: enrichment: true entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -834,6 +896,7 @@ Enrich FileName Entity with Path: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Enrich Source and Destinations: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -844,70 +907,72 @@ Enrich FileName Entity with Path: disable_identity: false download_file: false enable_identity: false - enrich_asset: false - enrich_ioc: true + enrich_asset: true + enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Enrich Source and Destinations: ai_description: >- ### General Description - This action enriches entities within a Google SecOps alert by identifying and - tagging their roles as either a 'source' or a 'destination' based on the underlying - alert metadata. It retrieves detailed investigator data from the SOAR API, parses - the security event cards or field groups to extract source and destination identifiers, - and then updates the corresponding entities in the case with specific flags. + This action enriches entities within a Google SecOps alert by identifying their + roles as either a source or a destination. It retrieves detailed alert context + via the Chronicle SOAR API, parses the security event data to find source and + destination identifiers, and then updates the corresponding entities' metadata + with specific flags (`isSource` or `isDest`). This provides analysts with immediate + visual context regarding the directionality of network traffic or events directly + on the entity objects. ### Parameters Description - There are no user-configurable parameters for this action. It operates automatically - based on the context of the current alert. + | Parameter Name | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | None | N/A | N/A | This action does not require any input parameters. | ### Additional Notes - - The action specifically looks for 'ADDRESS' (IP) and 'HOSTNAME' entities, although - the matching logic is based on the entity identifier string. + - The action specifically targets entities associated with the current alert. - - It uses the `get_investigator_data` utility to fetch the full alert context - from the SOAR platform. + - It uses case-insensitive matching to link alert metadata identifiers to SecOps + entities. - - Entity properties are updated with `isSource: true` or `isDest: true` which - can be used in subsequent playbook logic or for analyst visibility. + - While the action logic is generic, it is primarily intended for IP (ADDRESS) + and HOSTNAME entities as per the integration's design. ### Flow Description - 1. **Fetch Alert Data**: The action calls the SOAR API to retrieve comprehensive - investigator data for the current alert. - - 2. **Identify Roles**: It parses the retrieved alert data (checking both `securityEventCards` - and standard field groups) to compile lists of identifiers designated as sources - and destinations. + 1. **Fetch Context:** The action calls the Chronicle SOAR API to retrieve the + full investigator data for the current alert. - 3. **Match Entities**: The action iterates through all entities associated with - the current alert. + 2. **Parse Metadata:** It extracts source and destination identifiers from the + alert's `securityEventCards` or field groups. - 4. **Tag Entities**: For each entity, it checks if the identifier matches any - of the discovered sources or destinations (case-insensitive). + 3. **Match Entities:** It iterates through all entities associated with the alert + and compares their identifiers with the extracted source/destination lists. - 5. **Update Properties**: If a match is found, the entity's `additional_properties` - are updated with the respective role flag. + 4. **Update Attributes:** For every match found, it updates the entity's `additional_properties` + with `isSource: true` or `isDest: true`. - 6. **Commit Changes**: The action performs a bulk update of all modified entities - back to the Google SecOps case. + 5. **Commit Changes:** The updated entity objects are sent back to the SecOps + platform to persist the enrichment. capabilities: can_create_case_comments: false can_create_insight: false @@ -918,16 +983,49 @@ Enrich Source and Destinations: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates the 'additional_properties' of entities within the case to mark them - as 'isSource' or 'isDest' based on alert metadata. + Updates the 'additional_properties' of entities within the SecOps case to flag + them as sources or destinations based on alert metadata. categories: enrichment: true entity_usage: entity_types: - - ADDRESS - - HOSTNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false - filters_by_alert_identifier: false + filters_by_alert_identifier: true filters_by_case_identifier: false filters_by_creation_time: false filters_by_entity_type: false @@ -939,6 +1037,7 @@ Enrich Source and Destinations: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Mark Entity as Suspicious: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -949,61 +1048,60 @@ Enrich Source and Destinations: disable_identity: false download_file: false enable_identity: false - enrich_asset: true + enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Mark Entity as Suspicious: ai_description: >- ### General Description This action marks all entities within the current scope as suspicious in Google - SecOps. It is a utility action designed to flag entities for further investigation - or to influence the logic of subsequent playbook steps based on the entity's suspicious - status. + SecOps. It is a utility action used to programmatically flag entities for further + investigation or to trigger subsequent automated workflows that filter for suspicious + indicators. ### Parameters Description - | Parameter | Description | Type | Mandatory | - - | :--- | :--- | :--- | :--- | - - | N/A | This action does not require any input parameters. | N/A | N/A | + There are no parameters for this action. - ### Additional Notes + ### Flow Description - - This action does not interact with any external APIs or services. + 1. **Initialization**: The action initializes the Siemplify API to access the + current case context. - - It applies the 'suspicious' flag to every entity provided in the action's scope, - regardless of their original state or type. + 2. **Entity Iteration**: The script iterates through every entity currently present + in the action's scope (`target_entities`). + 3. **Flag Modification**: For each entity, the `is_suspicious` attribute is set + to `True`. - ### Flow Description + 4. **Internal Update**: The action calls the internal update method to commit + these changes to the Google SecOps platform. - 1. **Identify Entities**: The action retrieves the list of target entities from - the current Google SecOps scope. + 5. **Completion**: The action concludes by returning the total count of entities + that were successfully updated. - 2. **Flag Entities**: It iterates through each entity and sets the `is_suspicious` - attribute to `True`. - 3. **Update Internal State**: The action calls the internal SDK to update the - entity records within the platform. + ### Additional Notes - 4. **Finalize**: The action concludes by returning a success message and the total - count of entities that were updated. + This action does not interact with any external APIs or services. It only modifies + the internal state of entities within the SOAR platform. capabilities: can_create_case_comments: false can_create_insight: false @@ -1020,41 +1118,41 @@ Mark Entity as Suspicious: enrichment: false entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1068,6 +1166,7 @@ Mark Entity as Suspicious: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1081,26 +1180,28 @@ Mark Entity as Suspicious: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: ai_description: >- ### General Description - This action is a simple connectivity test designed to verify the communication - between the Google SecOps (Chronicle) platform and the Enrichment integration. - It serves as a health check to ensure that the integration is correctly configured - and reachable. + Verifies the connectivity and functional status of the integration within the + Google SecOps environment. This action serves as a basic health check to ensure + that the integration is correctly configured and that the SOAR platform can successfully + execute scripts associated with this integration. ### Parameters Description @@ -1110,18 +1211,19 @@ Ping: ### Additional Notes - This action does not interact with any external APIs or process any entity data. - It is strictly used for verifying integration connectivity. + This action does not interact with any external APIs, nor does it process or enrich + any entities. It is strictly used for connectivity validation. ### Flow Description - 1. **Initialization**: The action initializes the SiemplifyAction module to establish - the execution context. + 1. **Initialization**: The action initializes the Siemplify SOAR SDK environment. - 2. **Connectivity Check**: The action immediately concludes by returning a success - message ('Siemplify is connected') to the platform, confirming the integration - is functional. + 2. **Connectivity Check**: The script executes a simple internal check to confirm + the integration environment is responsive. + + 3. **Completion**: The action terminates immediately, returning a success message + "Siemplify is connected" to the case wall. capabilities: can_create_case_comments: false can_create_insight: false @@ -1135,7 +1237,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1149,6 +1251,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Whois: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1160,44 +1263,85 @@ Ping: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: false + enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Whois: ai_description: >- - ### General Description\nEnriches entities by querying WHOIS and RDAP servers - for registration information. It supports IP addresses, domains, URLs, and email - addresses. The action retrieves data such as creation dates, registrar details, - and geographic location for IPs.\n\n### Parameters Description\n| Parameter | - Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Create Entities - | boolean | False | If set to true, the action will create and link new DOMAIN - entities to URL and Email/User entities. |\n| Domain Age Threshold | string | - False | Domains whose age (in days) is less than this value will be marked as - suspicious. Set to 0 to disable. |\n\n### Flow Description\n1. **Parameter Extraction**: - Retrieves the 'Create Entities' flag and 'Domain Age Threshold'.\n2. **Entity - Processing**: Iterates through target entities.\n3. **IP Enrichment**: For ADDRESS - entities, performs an RDAP lookup and fetches geographic data (city, region, country, - lat/long) from DB-IP.\n4. **Domain/URL/Email Enrichment**: Extracts the registered - domain and performs a WHOIS lookup to retrieve registration dates and registrar - info.\n5. **Entity Creation**: If 'Create Entities' is enabled and the input is - a URL or Email, a new DOMAIN entity is created and linked to the original entity.\n6. - **Risk Assessment**: Calculates domain age in days. If the age is below the threshold, - the entity is marked as suspicious.\n7. **Internal Update**: Updates the entities - in Google SecOps with the retrieved WHOIS/RDAP data in additional properties and - sets the 'is_enriched' flag.\n\n### Additional Notes\n- This action uses the `whois_alt` - and `ipwhois` libraries.\n- Geographic lookups for IPs are performed using the - DB-IP free API. + ### General Description + + The **Whois** action queries WHOIS servers to retrieve registration information + for various entity types, including IP Addresses, URLs, Emails, and Domains. It + provides contextual data such as domain age, creation dates, and registrar details. + Additionally, it performs geolocation lookups for IP addresses and can automatically + create and link new DOMAIN entities to the case based on extracted data. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | **Create Entities** | boolean | No | If set to `true`, the action will create + new DOMAIN entities extracted from URLs or Email addresses and link them to the + original entity. Default is `true`. | + + | **Domain Age Threshold** | string | No | Specifies a threshold in days. If a + domain's age is less than this value, the entity will be marked as suspicious. + If set to `0` or left empty, this check is disabled. | + + + ### Flow Description + + 1. **Parameter Extraction:** Retrieves the `Create Entities` toggle and the `Domain + Age Threshold` value from the action parameters. + + 2. **Entity Iteration:** Processes each target entity associated with the action. + + 3. **IP Enrichment:** For `ADDRESS` entities, the action performs an RDAP lookup + using the `IPWhois` library and a geolocation lookup via the DB-IP API to retrieve + city, region, and country data. + + 4. **Domain/URL/Email Enrichment:** For other entities, the action extracts the + registered domain using `tldextract` and performs a WHOIS lookup. It calculates + the domain's age in days based on the creation date. + + 5. **Entity Creation & Linking:** If `Create Entities` is enabled and a domain + is extracted from a URL or Email, a new `DOMAIN` entity is created in the case + and linked to the source entity. + + 6. **Internal Data Enrichment:** Updates the entities' `additional_properties` + with the retrieved WHOIS and geolocation data (prefixed with "WHOIS"). + + 7. **Suspicious Status Evaluation:** Compares the calculated domain age against + the `Domain Age Threshold`. If the domain is younger than the threshold, the entity + is marked as suspicious. + + 8. **Finalization:** Updates the entities within Google SecOps and returns a JSON + result containing the full WHOIS and geolocation data. + + + ### Additional Notes + + - This action requires outbound network connectivity to WHOIS servers and the + `api.db-ip.com` endpoint. + + - The `Domain Age Threshold` is treated as an integer during logic execution; + non-numeric strings may cause the threshold check to be skipped. capabilities: can_create_case_comments: false can_create_insight: false @@ -1208,16 +1352,17 @@ Whois: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Creates new DOMAIN entities in the case and updates existing entities' suspicious - status and additional properties. + Creates new DOMAIN entities and links them to the original entities if 'Create + Entities' is enabled. Updates entity attributes including suspicious status, + enriched status, and additional properties. categories: enrichment: false entity_usage: entity_types: - - ADDRESS - - DOMAIN - - DestinationURL - - USERUNIQNAME + - ADDRESS + - DestinationURL + - DOMAIN + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1231,28 +1376,3 @@ Whois: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: true - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/power_ups/enrichment/resources/ai/integration_ai_description.yaml b/content/response_integrations/power_ups/enrichment/resources/ai/integration_ai_description.yaml index b962d2eb6..2337bb28c 100644 --- a/content/response_integrations/power_ups/enrichment/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/power_ups/enrichment/resources/ai/integration_ai_description.yaml @@ -7,6 +7,6 @@ product_categories: iam_and_identity_management: false itsm: false network_security: false - siem: false + siem: true threat_intelligence: true vulnerability_management: false diff --git a/content/response_integrations/power_ups/file_utilities/resources/ai/actions_ai_description.yaml b/content/response_integrations/power_ups/file_utilities/resources/ai/actions_ai_description.yaml index e8d308ac4..bac88a24d 100644 --- a/content/response_integrations/power_ups/file_utilities/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/power_ups/file_utilities/resources/ai/actions_ai_description.yaml @@ -1,60 +1,81 @@ Add Attachment: + action_product_categories: + add_alert_comment: true + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- Adds a file attachment to the case wall of the current Google SecOps case. This - action allows analysts or automated playbooks to upload evidence, reports, or - logs directly to the case timeline for better documentation and visibility. - + action allows analysts to programmatically upload evidence, logs, or reports directly + to the case timeline by providing the file content in Base64 format. It supports + marking attachments as favorites and adding descriptive metadata to the case wall + entry. - ### Flow Description - 1. **Parameter Extraction:** The action retrieves the attachment's name, file - type, Base64-encoded content, description, and favorite status from the input - parameters. + ### Parameters - 2. **Context Identification:** It identifies the current case using the `siemplify.case.identifier`. + | Parameter | Description | Type | Mandatory | Notes | - 3. **Attachment Construction:** A `CaseWallAttachment` data model is created using - the provided inputs. + | :--- | :--- | :--- | :--- | :--- | - 4. **Internal API Call:** The action invokes the `save_attachment_to_case_wall` - method to upload the file to the Google SecOps platform. + | Name | The name of the attachment file. | string | True | This will be the filename + displayed in the case wall. | - 5. **Result Processing:** Upon success, the action parses the API response into - a structured JSON format containing metadata about the new attachment (e.g., attachment - ID, creation time) and completes the execution. + | IsFavorite | Whether the attachment should be marked as a favorite in the case + wall. | boolean | False | Defaults to false if not provided. | + | Base64 Blob | The actual content of the attachment encoded in Base64. | string + | True | Ensure the string is a valid Base64 representation of the file. | - ### Parameters Description + | Type | The file extension or type of the attachment (e.g., .txt, .pdf, .png). + | string | True | Used to identify the file format. | - | Parameter | Type | Mandatory | Description | + | Description | A brief description of the attachment's purpose or content. | + string | True | This text appears alongside the attachment in the case wall. | - | :--- | :--- | :--- | :--- | - | Name | String | True | The name/filename of the attachment to be displayed on - the case wall. | - - | IsFavorite | Boolean | False | If set to true, marks the attachment as a 'favorite' - or important item in the case wall. Defaults to false. | - - | Base64 Blob | String | True | The actual content of the file, encoded in Base64 - format. | - - | Type | String | True | The file extension or type (e.g., .txt, .pdf, .png). - | + ### Flow Description - | Description | String | True | A descriptive note explaining the context or purpose - of the attachment. | + 1. **Parameter Extraction:** The action retrieves the filename, Base64 content, + file type, description, and favorite status from the input parameters. + 2. **Context Retrieval:** It identifies the current case ID from the active Google + SecOps environment. - ### Additional Notes + 3. **Attachment Construction:** A `CaseWallAttachment` data model is created using + the provided inputs. - - This action does not interact with external systems; it only modifies data within - the Google SecOps environment. + 4. **Internal API Call:** The action invokes the internal SOAR API (`save_attachment_to_case_wall`) + to upload the file content and metadata to the case wall. - - The attachment is linked to the case level, not a specific alert within the - case. + 5. **Result Processing:** Upon successful upload, the action parses the API response + to return detailed metadata about the new attachment, including its unique ID + and creation timestamps. capabilities: - can_create_case_comments: false + can_create_case_comments: true can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false @@ -63,12 +84,12 @@ Add Attachment: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Adds a new file attachment to the case wall of the current Google SecOps case, - modifying the case's stored evidence and timeline. + Adds a file attachment to the case wall of the current Google SecOps case, creating + a new entry in the case timeline. categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -82,6 +103,7 @@ Add Attachment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Add Entity to File: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -95,58 +117,42 @@ Add Attachment: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Add Entity to File: ai_description: >- - Adds the identifier of target entities to a local text file stored on the Google - SecOps runner. This action is primarily used for maintaining local state, deduplication, - or sharing data between different playbook executions via the filesystem. It ensures - that each entity identifier is only added once to the specified file. - - - ### Parameters - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Filename | string | Yes | The name of the file to write the entities to. The - file is stored in the `/tmp/` directory on the execution environment. | - - - ### Flow Description - - 1. **Initialization**: The action retrieves the `Filename` parameter and constructs - the full file path using a predefined `/tmp/` prefix. - - 2. **File Locking**: It utilizes a file-locking mechanism (`EntityFileManager`) - to ensure thread-safe access, preventing concurrent actions from corrupting the - file. - - 3. **Entity Processing**: The action iterates through all `target_entities` provided - in the current context. - - 4. **Deduplication Check**: For each entity, it checks if the identifier already - exists within the file's content. - - 5. **File Update**: If the identifier is not present, it is appended to the list - and subsequently written back to the file. If it already exists, the action logs - the occurrence and marks the final result as `False` (indicating not all entities - were newly added). - - 6. **Completion**: The action releases the file lock and returns a summary of - added versus existing entities. + ### General Description\nThis action adds the identifier of target entities to + a local file stored on the system. It is primarily used for tracking entities + across different executions or playbooks. The action ensures that each entity + identifier is only added once; if an entity already exists in the file, it is + skipped, and the action's final result value is set to False to indicate that + not all entities were newly added.\n\n### Parameters Description\n| Parameter + | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Filename + | String | Yes | The name of the file (located in /tmp/) where the entity identifiers + will be stored. |\n\n### Flow Description\n1. **Parameter Extraction:** The action + retrieves the `Filename` parameter.\n2. **File Access:** It attempts to open and + lock the specified file in the `/tmp/` directory to prevent concurrent access + issues.\n3. **Entity Processing:** It iterates through all target entities in + the current context.\n4. **Duplicate Check:** For each entity, it checks if the + identifier already exists in the file's content.\n5. **File Update:** If the identifier + is new, it is added to the list. If it already exists, the action logs the occurrence + and prepares to return a False result.\n6. **Finalization:** The updated list + is written back to the file, the lock is released, and the action completes with + a summary message.\n\n### Additional Notes\n- The file is stored in the `/tmp/` + directory of the execution environment.\n- The action uses a file-locking mechanism + to ensure data integrity during concurrent executions. capabilities: can_create_case_comments: false can_create_insight: false @@ -161,41 +167,41 @@ Add Entity to File: enrichment: false entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -209,6 +215,7 @@ Add Entity to File: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Count Files: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -222,68 +229,74 @@ Add Entity to File: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Count Files: ai_description: >- ### General Description - - The **Count Files** action is a utility designed to count the number of files - within a specified directory on the local filesystem. It allows users to filter - files by a specific extension and optionally perform a recursive search through - subdirectories. + The **Count Files** action is a utility designed to calculate the total number + of files within a specified directory. It allows users to filter results based + on file extensions and provides the option to perform a recursive search through + subdirectories. This is particularly useful for monitoring directory growth, verifying + file transfers, or identifying the presence of specific file types in a filesystem. ### Parameters Description - | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Folder** | String | Yes | The absolute or relative folder path from which - you would like to count the files. | + | Folder | String | Yes | The directory path where the file count should be performed. + | - | **File Extension** | String | No | The file extension pattern to match (e.g., - `*.txt`, `*.log`). If not provided, it defaults to `*.*` (all files). | + | File Extension | String | No | A glob-style pattern (e.g., `*.txt` or `*.log`) + used to filter the files. If left empty, the action defaults to `*.*` (counting + all files). | - | **Is Recursive** | Boolean | No | If set to `true`, the action will search for - files in the specified folder and all its subfolders. Default is `false`. | + | Is Recursive | Boolean | No | If enabled (`true`), the action will search for + matching files in the specified folder and all of its subdirectories. Defaults + to `false`. | - ### Flow Description + ### Additional Notes + - The action uses the standard Python `glob` library for pattern matching. - 1. **Parameter Extraction:** The action retrieves the `Folder`, `File Extension`, - and `Is Recursive` values from the input. + - If the provided folder path does not exist or is inaccessible, the action will + return a count of 0 or fail depending on environment permissions. - 2. **Path Construction:** It determines the file extension pattern, defaulting - to `*.*` if none is provided, and constructs the full search path by joining the - folder and extension. - 3. **File Discovery:** The action uses the `glob` module to find all matching - files, applying the recursion flag. + ### Flow Description - 4. **Counting and Output:** It calculates the total number of matching files and - returns this count as the action result. + 1. **Initialization:** The action extracts the `Folder`, `File Extension`, and + `Is Recursive` parameters from the input. + 2. **Path Preparation:** If no file extension is provided, it defaults to `*.*`. + It then constructs a full search path by joining the folder and the extension + pattern. - ### Additional Notes + 3. **File Search:** The action executes a search using the `glob` module, applying + the recursion flag if specified. + 4. **Result Calculation:** It determines the length of the list of discovered + files. - There are no entities required for this action. It operates directly on the filesystem - path provided in the parameters. + 5. **Execution Completion:** The action returns the total count as the final result + and completes with a success state. capabilities: can_create_case_comments: false can_create_insight: false @@ -292,12 +305,12 @@ Count Files: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: false + fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -311,6 +324,7 @@ Count Files: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Create Archive: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -324,75 +338,77 @@ Count Files: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Create Archive: ai_description: >- ### General Description The **Create Archive** action is a utility designed to package files or directories - into a single compressed archive file on the Google SecOps server. It supports - multiple formats including ZIP and various TAR configurations (uncompressed, gzip, - bzip2, xz). This action is primarily used for organizing forensic evidence, consolidating - logs, or preparing data for export. + into a compressed archive format directly on the Google SecOps (Chronicle) server. + It supports multiple archive formats including ZIP and various TAR configurations. + This action is primarily used for organizing forensic artifacts, preparing logs + for export, or consolidating multiple files into a single container for subsequent + processing steps. ### Parameters Description - | Parameter | Type | Mandatory | Description | + | Parameter Name | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Archive Type** | DDL | Yes | Specifies the compression format. Supported values: - `zip`, `tar`, `gztar` (gzip), `bztar` (bzip2), `xztar` (xz). | + | **Archive Type** | Dropdown | Yes | Specifies the compression format. Supported + values: `zip`, `tar` (uncompressed), `gztar` (gzip), `bztar` (bzip2), and `xztar` + (xz). | - | **Archive Base Name** | String | Yes | The name of the archive file to be created, - excluding the file extension. | + | **Archive Base Name** | String | Yes | The desired name for the resulting archive + file (do not include the file extension). | - | **Archive Input** | String | Yes | The source for the archive. This can be a - single directory path or a comma-separated list of individual file paths. | + | **Archive Input** | String | Yes | A comma-separated list of absolute file paths + or a single directory path to be archived. | ### Flow Description - 1. **Initialization:** The action extracts the user-provided parameters: archive - type, base name, and input source. + 1. **Parameter Extraction:** The action retrieves the archive format, the base + name for the output file, and the input paths (files or directory) from the user + configuration. - 2. **Directory Validation:** It checks for the existence of the default destination + 2. **Environment Preparation:** It checks for the existence of the default destination directory (`/opt/siemplify/siemplify_server/Scripting/FileUtilities/Archives`) - and creates it if it does not exist. - - 3. **Input Handling:** - - If the input is a directory, the action targets that directory for archiving. - - If the input is a list of files, it creates a temporary directory, copies - the specified files into it, and targets that temporary directory. - 4. **Compression:** The action uses the `shutil.make_archive` utility to create - the archive file in the specified format at the destination path. + on the server and creates it if it does not exist. - 5. **Cleanup:** If a temporary directory was created for individual files, it - is deleted after the archive is successfully generated. + 3. **Input Validation:** The action determines if the provided input is a single + directory or a list of individual files. - 6. **Completion:** The action returns the full path of the created archive file - and updates the action result with success metadata. + 4. **Archiving Logic:** + * If a **directory** is provided, it archives the entire directory structure. + * If a **list of files** is provided, it copies the files to a temporary directory, + archives that directory, and then cleans up the temporary files. + 5. **Completion:** Upon success, the action returns the full file path of the + newly created archive and provides a JSON result containing the success status + and the archive location. ### Additional Notes - - This action performs operations on the local filesystem of the Google SecOps - execution environment. + * This action operates on the local filesystem of the SOAR server. Ensure that + the paths provided in **Archive Input** are accessible by the SOAR execution environment. - - Ensure that the paths provided in 'Archive Input' are accessible by the SecOps - service account. + * The resulting archive is stored in a specific internal directory: `/opt/siemplify/siemplify_server/Scripting/FileUtilities/Archives`. capabilities: can_create_case_comments: false can_create_insight: false @@ -403,12 +419,12 @@ Create Archive: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Creates a new archive file on the local filesystem of the Google SecOps server - in the /opt/siemplify/siemplify_server/Scripting/FileUtilities/Archives directory. + Creates a directory and an archive file on the local SOAR server's filesystem + at /opt/siemplify/siemplify_server/Scripting/FileUtilities/Archives. categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -422,6 +438,7 @@ Create Archive: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Create Hash From Base64: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -435,75 +452,80 @@ Create Archive: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Create Hash From Base64: ai_description: >- - Generates cryptographic hashes for one or more Base64 encoded strings. This utility - action is designed to transform data blobs or file contents provided in Base64 - format into standard hash identifiers, which can then be used for reputation lookups - or file identification. It supports a wide variety of hashing algorithms including - MD5, SHA1, SHA256, and SHA512. + ### General Description + The **Create Hash From Base64** action is a utility designed to generate cryptographic + hashes from one or more Base64 encoded strings. This is particularly useful for + identifying files or data payloads when only the encoded content is available. + The action supports multiple hashing algorithms and can process a list of strings + in a single execution. - ### Flow Description - 1. **Input Parsing:** The action retrieves the Base64 encoded strings and optional - names from the parameters, splitting them into lists based on the provided separators. + ### Parameters Description - 2. **Decoding:** Each string is decoded from Base64 into its original byte representation. - 3. **Hashing:** The action dynamically selects the specified hashing algorithm - from the Python `hashlib` library and computes the hex digest of the decoded bytes. + | Parameter | Type | Mandatory | Description | - 4. **Result Compilation:** A result object is created for each input, optionally - including the original Base64 string and the provided name. + | :--- | :--- | :--- | :--- | - 5. **Output:** The final list of hashes and metadata is returned as a JSON result. + | **Base64** | Content | Yes | One or more Base64 encoded strings to be hashed. + Multiple strings should be separated by the 'Base64 Separator'. | + | **Hash Algorythm** | DDL | Yes | The cryptographic hash function to apply (e.g., + md5, sha1, sha256, sha512). | - ### Parameters Description + | **Names** | String | No | An optional list of names (like filenames) to associate + with each Base64 string. Must match the count of Base64 strings. | - | Parameter | Type | Mandatory | Description | + | **Names Separator** | String | Yes | The character used to separate the list + of names (default is ','). | - | :--- | :--- | :--- | :--- | + | **Include Base64** | Boolean | No | If set to 'true', the original Base64 input + string will be included in the output JSON. | - | Base64 | Content | Yes | One or more Base64 encoded strings to be hashed. Multiple - strings should be separated by the 'Base64 Separator'. | + | **Base64 Separator** | String | Yes | The character used to separate the input + Base64 strings (default is ','). | - | Hash Algorythm | DDL | Yes | The cryptographic hash function to apply (e.g., - sha256, md5, sha1). | - | Names | String | No | A list of names (e.g., filenames) corresponding to the - Base64 strings. Must have the same count as the Base64 strings if provided. | + ### Flow Description - | Names Separator | String | Yes | The character used to separate the list of - names (default is a comma). | + 1. **Input Parsing:** The action retrieves the Base64 strings and optional names + from the parameters, splitting them into lists based on the provided separators. - | Include Base64 | Boolean | No | If set to true, the original Base64 input string - will be included in the output JSON. | + 2. **Decoding:** Each string is decoded from Base64 format into raw bytes using + the standard base64 library. - | Base64 Separator | String | Yes | The character used to separate the input Base64 - strings (default is a comma). | + 3. **Hashing:** The selected hashing algorithm is dynamically invoked from the + `hashlib` library and applied to the decoded bytes to produce a hexadecimal digest. + 4. **Result Compilation:** A dictionary is created for each input, containing + the calculated hash, the algorithm name, and optionally the name and original + Base64 string. - ### Additional Notes + 5. **Output:** The resulting list of hash objects is returned as a JSON result + and added to the action's execution context. - - This action does not interact with external APIs; all computations are performed - locally using standard libraries. - - If the 'Names' parameter is used, ensure the number of names matches the number - of Base64 strings to avoid alignment issues in the output. + ### Additional Notes + + If the 'Names' parameter is provided, ensure that the number of names matches + the number of Base64 strings to ensure correct mapping in the output. capabilities: can_create_case_comments: false can_create_insight: false @@ -517,7 +539,7 @@ Create Hash From Base64: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -531,6 +553,7 @@ Create Hash From Base64: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Decode Base64: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -544,27 +567,29 @@ Create Hash From Base64: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Decode Base64: ai_description: >- ### General Description - The **Decode Base64** action is a utility designed to transform Base64-encoded - strings back into human-readable text. It is primarily used within playbooks to - process data that has been encoded for transport or storage, such as email attachments, - log snippets, or API responses. The action supports multiple character encodings - to ensure the resulting string is correctly interpreted. + The **Decode Base64** action is a utility designed to convert Base64 encoded strings + back into their original text format. It allows users to specify the character + encoding (UTF-8 or ASCII) to ensure the resulting string is correctly interpreted. + This is particularly useful for decoding obfuscated data found in logs, emails, + or script arguments during an investigation. ### Parameters Description @@ -573,35 +598,33 @@ Decode Base64: | :--- | :--- | :--- | :--- | - | **Base64 Input** | string | Yes | The Base64 encoded string that needs to be - decoded. | + | **Base64 Input** | string | Yes | The Base64 encoded string that you want to + decode. | - | **Encoding** | ddl | Yes | The character encoding to apply to the decoded bytes. - Options include `UTF-8` and `ASCII`. | + | **Encoding** | ddl | Yes | The character encoding to use for the decoded output. + Options include **UTF-8** and **ASCII**. | ### Flow Description - 1. **Parameter Retrieval**: The action extracts the `Base64 Input` string and + 1. **Parameter Retrieval**: The action retrieves the `Base64 Input` string and the selected `Encoding` from the user configuration. - 2. **Decoding**: The input string is decoded from Base64 format into raw bytes - using Python's standard `base64` library. + 2. **Decoding Process**: The input string is decoded from Base64 format into raw + bytes using Python's standard library. - 3. **String Conversion**: The raw bytes are converted into a string using the - specified encoding (e.g., UTF-8). + 3. **String Conversion**: The raw bytes are converted into a string based on the + provided encoding (UTF-8 or ASCII). - 4. **Result Generation**: The decoded string is packaged into a JSON object (`{"decoded_content": - "..."}`) and returned as the action's result for use in subsequent playbook steps. + 4. **Result Output**: The decoded string is packaged into a JSON object (`decoded_content`) + and returned as the action's result. If decoding fails (e.g., due to invalid Base64 + format), the action reports a failure. ### Additional Notes - - This action does not interact with external APIs or modify any SOAR entities; - it is a pure data transformation utility. - - - If the input is not a valid Base64 string or the encoding fails, the action - will return a failure status. + This action does not interact with external APIs or modify any SOAR entities; + it performs local data transformation. capabilities: can_create_case_comments: false can_create_insight: false @@ -615,7 +638,7 @@ Decode Base64: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -629,6 +652,7 @@ Decode Base64: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Extract Archive: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -642,57 +666,69 @@ Decode Base64: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Extract Archive: ai_description: >- - Extracts one or more archive files (ZIP, TAR, GZTAR, BZTAR, XTAR) to a designated - directory on the local SOAR server. This utility action is used to unpack compressed - data for further processing or analysis within a playbook. It returns a structured - JSON response containing the directory tree and paths of all extracted files. + Extracts one or more archive files to a specific directory on the Google SecOps + server. This action supports multiple archive formats including ZIP, TAR, GZTAR, + BZTAR, and XTAR. It processes a comma-separated list of file paths, creates a + dedicated output directory for each archive, and unpacks the contents. The action + returns a detailed JSON structure representing the extracted file hierarchy, including + file names, extensions, and full system paths. - ### Parameters Description + ### Flow Description + 1. **Parameter Parsing:** The action retrieves the `Archive` parameter and splits + it into a list of individual file paths. - | Parameter | Type | Mandatory | Description | + 2. **Directory Preparation:** For each archive, it determines a destination path + within the predefined directory `/opt/siemplify/siemplify_server/Scripting/FileUtilities/Extract`. + It creates the directory if it does not already exist. - | :--- | :--- | :--- | :--- | + 3. **Extraction:** It utilizes the `shutil.unpack_archive` library to extract + the contents of the archive into the designated folder. - | Archive | String | Yes | The full path of the archive(s) to be extracted. Supports - comma-separated values for bulk extraction. Example: `/opt/siemplify/siemplify_server/Scripting/FileUtilities/file.zip` - | + 4. **Metadata Collection:** After extraction, it recursively scans the output + directory to build a dictionary-based representation of the files and folders + created. + 5. **Result Reporting:** It compiles a JSON result containing success/failure + status for each archive, the destination folder path, and a list of all extracted + files (both as a simple list and with full paths). - ### Flow Description + ### Parameters Description - 1. **Input Parsing:** The action retrieves the `Archive` parameter and splits - it into a list of individual file paths. + | Parameter | Type | Mandatory | Description | - 2. **Directory Preparation:** For each archive, it determines a unique output - directory path within the `/opt/siemplify/siemplify_server/Scripting/FileUtilities/Extract` - root. It creates the directory if it does not already exist. + | :--- | :--- | :--- | :--- | - 3. **Extraction:** It utilizes the `shutil.unpack_archive` method to extract the - contents of the archive into the prepared directory. + | Archive | String | Yes | A comma-delimited list of full file system paths to + the archives that need to be extracted. Example: `/path/to/file1.zip, /path/to/file2.tar.gz`. + | - 4. **Metadata Generation:** The action recursively scans the extracted folder - to generate a JSON representation of the file hierarchy, including file names, - extensions, and full paths. - 5. **Result Reporting:** It compiles the extraction results (success/failure) - and file metadata into a JSON object and ends the action with a summary message. + ### Additional Notes + + * This action operates directly on the local filesystem of the execution environment. + It does not interact with external APIs or SecOps entity models (like IP or Hostname). + + * The extraction destination is hardcoded to a specific subdirectory within the + Siemplify scripting folder. capabilities: can_create_case_comments: false can_create_insight: false @@ -703,12 +739,12 @@ Extract Archive: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Creates directories and writes extracted files to the local filesystem of the - SOAR server at /opt/siemplify/siemplify_server/Scripting/FileUtilities/Extract. + The action creates directories and writes extracted files to the local filesystem + of the Google SecOps server at /opt/siemplify/siemplify_server/Scripting/FileUtilities/Extract. categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -722,6 +758,7 @@ Extract Archive: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Extract Zip Files: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -735,51 +772,86 @@ Extract Archive: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Extract Zip Files: - ai_description: "Extracts files from ZIP archives associated with FILENAME entities\ - \ in Google SecOps. This action is designed to handle both standard and password-protected\ - \ ZIP files, offering the ability to provide a list of passwords or attempt a\ - \ brute-force attack using a built-in wordlist. \n\n### Flow Description:\n1.\ - \ **Entity Filtering:** The action identifies `FILENAME` entities within the case\ - \ that possess an `attachment_id` attribute in their additional properties.\n\ - 2. **Data Retrieval:** For each valid entity, it retrieves the corresponding ZIP\ - \ file content from the Google SecOps Case Wall.\n3. **Extraction:** It attempts\ - \ to extract the contents of the ZIP archive. If the archive is encrypted, it\ - \ uses the provided passwords (delimited by a user-defined character) or performs\ - \ a brute-force search.\n4. **Internal Mutation (Optional):** \n * If configured,\ - \ it uploads the extracted files back to the Case Wall as new attachments.\n \ - \ * If configured, it creates new `FILENAME` and `FILEHASH` entities for the\ - \ extracted files, automatically linking them to the parent ZIP file.\n5. **Output:**\ - \ The action returns a JSON result containing metadata (and optionally base64\ - \ data) for all extracted files.\n\n### Parameters Description:\n| Parameter Name\ - \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Include\ - \ Data In JSON Result | boolean | No | If true, the base64 encoded content of\ - \ the extracted files is included in the action's JSON output. Default is false.\ - \ |\n| Create Entities | boolean | No | If true, the action creates new `FILENAME`\ - \ and `FILEHASH` entities for every file found inside the ZIP. Default is true.\ - \ |\n| Zip File Password | string | No | A single password or a list of passwords\ - \ used to attempt extraction of protected ZIPs. |\n| BruteForce Password | boolean\ - \ | No | If true, the action attempts to brute-force the ZIP password using a\ - \ predefined wordlist if the provided passwords fail. Default is false. |\n| Add\ - \ to Case Wall | boolean | No | If true, each extracted file is uploaded as an\ - \ individual attachment to the Case Wall. Default is true. |\n| Zip Password List\ - \ Delimiter | string | Yes | The character used to separate multiple passwords\ - \ in the 'Zip File Password' parameter (e.g., a comma). |\n\n### Additional Notes:\n\ - * This action requires the `FILENAME` entity to have an `attachment_id` property,\ - \ which is typically populated when a file is ingested or added to the case via\ - \ other integrations." + ai_description: >- + ### General Description + + The **Extract Zip Files** action is a utility designed to process ZIP archives + associated with a case. It identifies `FILENAME` entities that contain an `attachment_id`, + retrieves the corresponding file from the Google SecOps internal storage, and + extracts its contents. The action supports password-protected archives through + either a provided list of passwords or a brute-force mechanism using a predefined + wordlist. Extracted files can be re-uploaded to the case wall, used to create + new entities (FILENAME and FILEHASH), and included as base64 data in the action's + JSON output. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Include Data In JSON Result | boolean | No | If set to `true`, the base64 encoded + content of the extracted files will be included in the `JsonResult` output. Default + is `false`. | + + | Create Entities | boolean | No | If set to `true`, the action will automatically + create new `FILENAME` and `FILEHASH` entities for each file found inside the ZIP + archive. Default is `true`. | + + | Zip File Password | string | No | A string containing one or more passwords + used to attempt extraction of protected ZIP files. | + + | BruteForce Password | boolean | No | If set to `true`, the action will attempt + to brute-force the ZIP password using an internal wordlist if the provided passwords + fail. Default is `false`. | + + | Add to Case Wall | boolean | No | If set to `true`, each extracted file will + be uploaded back to the case wall as a new attachment. Default is `true`. | + + | Zip Password List Delimiter | string | Yes | The character used to separate + multiple passwords provided in the `Zip File Password` parameter (e.g., a comma). + Default is `,`. | + + + ### Flow Description + + 1. **Entity Filtering:** The action scans the target entities for those of type + `FILENAME` that possess an `attachment_id` attribute in their additional properties. + + 2. **Attachment Retrieval:** For each valid entity, the action fetches the binary + content of the ZIP file from the SOAR platform. + + 3. **Extraction Logic:** + * It attempts to open the ZIP file. + * If the file is encrypted, it first tries the passwords provided in the + `Zip File Password` parameter (split by the delimiter). + * If still locked and `BruteForce Password` is enabled, it iterates through + a wordlist to find the correct password. + 4. **Metadata Calculation:** For every file extracted, the action calculates + MD5, SHA1, SHA256, and SHA512 hashes, and determines the MIME type. + + 5. **Internal Updates:** + * If `Add to Case Wall` is enabled, files are uploaded to the case wall. + * If `Create Entities` is enabled, new `FILENAME` and `FILEHASH` entities + are generated and linked to the parent ZIP file entity. + 6. **Result Reporting:** The action returns a JSON object mapping the original + ZIP filename to the list of extracted file metadata. capabilities: can_create_case_comments: false can_create_insight: false @@ -790,13 +862,13 @@ Extract Zip Files: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action adds extracted files as new attachments to the Case Wall and creates - new FILENAME and FILEHASH entities within the Google SecOps case. + The action creates new FILENAME and FILEHASH entities within the Google SecOps + case and uploads extracted files as new attachments to the case wall. categories: enrichment: false entity_usage: entity_types: - - FILENAME + - FILENAME filters_by_additional_properties: true filters_by_alert_identifier: false filters_by_case_identifier: false @@ -810,6 +882,7 @@ Extract Zip Files: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Attachment: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -818,45 +891,48 @@ Extract Zip Files: create_ticket: false delete_email: false disable_identity: false - download_file: false + download_file: true enable_identity: false enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Attachment: - ai_description: >- - ### General Description\nThe **Get Attachment** action retrieves file attachments - stored on the Google SecOps Case Wall or Alert Wall. It is primarily used to programmatically - access files (such as PCAPs, emails, or logs) that have been uploaded to a case, - converting them into Base64 strings for use in subsequent playbook steps.\n\n### - Parameters Description\n| Parameter | Type | Mandatory | Description |\n| :--- - | :--- | :--- | :--- |\n| **Attachment Scope** | DDL | Yes | Specifies the source - of the attachments. Options are `Case` (retrieves all attachments in the case) - or `Alert` (retrieves only attachments associated with the current alert). |\n\n### - Flow Description\n1. **Parameter Retrieval:** The action identifies the requested - scope (Case or Alert).\n2. **Metadata Fetching:** It retrieves the metadata for - all items on the Case Wall.\n3. **Filtering:** The logic filters the wall items - to identify those of type `4` (File Attachments). If the scope is set to `Alert`, - it further filters the list to only include files linked to the specific `alertIdentifier` - of the current alert.\n4. **Content Retrieval:** For each identified attachment, - the action calls the internal API to download the raw file content using its `evidenceId`.\n5. - **Encoding:** The binary file content is encoded into a Base64 string.\n6. **Output - Generation:** The action returns a JSON array containing the original metadata - appended with the `base64_blob` for each file.\n\n### Additional Notes\n- This - action does not interact with external systems; it only interacts with the Google - SecOps internal database.\n- The result is a JSON list of attachment objects. + ai_description: "### General Description\nThe **Get Attachment** action retrieves\ + \ file attachments from the Google SecOps case wall or a specific alert wall.\ + \ It fetches the metadata for the attachments and then downloads the actual file\ + \ content, converting it into a Base64-encoded string. This is useful for downstream\ + \ actions that need to process file content (e.g., sandboxing, hash calculation,\ + \ or parsing) without requiring direct access to the SecOps storage.\n\n### Parameters\ + \ Description\n| Parameter Name | Type | Mandatory | Description |\n| :--- | :---\ + \ | :--- | :--- |\n| Attachment Scope | DDL | Yes | Determines the scope of the\ + \ search. If set to **Case**, the action retrieves all attachments associated\ + \ with the entire case. If set to **Alert**, it only retrieves attachments specifically\ + \ linked to the current alert context. |\n\n### Flow Description\n1. **Parameter\ + \ Retrieval**: The action identifies the user-defined scope (Case or Alert).\n\ + 2. **Metadata Fetching**: It calls the internal API to retrieve a list of all\ + \ attachment metadata associated with the current case identifier.\n3. **Filtering**:\ + \ \n * It filters the list to include only items of type 'Attachment' (Type\ + \ 4).\n * If the scope is set to **Alert**, it further filters the list to\ + \ include only those attachments whose `alertIdentifier` matches the current alert.\n\ + 4. **Content Retrieval**: For every matching attachment, the action uses the `evidenceId`\ + \ to download the raw file content.\n5. **Encoding**: The raw binary content of\ + \ each file is encoded into a Base64 string.\n6. **Output Generation**: The action\ + \ appends the Base64 string to the attachment's metadata and returns the complete\ + \ list as a JSON result." capabilities: can_create_case_comments: false can_create_insight: false @@ -870,7 +946,7 @@ Get Attachment: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -884,6 +960,7 @@ Get Attachment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Files as Base64: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -892,32 +969,33 @@ Get Attachment: create_ticket: false delete_email: false disable_identity: false - download_file: true + download_file: false enable_identity: false enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Files as Base64: ai_description: >- ### General Description - Converts local files stored on the Google SecOps (Chronicle) server into Base64 - encoded strings. This utility action is primarily used to prepare file data for - subsequent playbook steps, such as uploading files to sandboxes, sending attachments - via email, or submitting samples to threat intelligence platforms that require - Base64 input. + The **Get Files as Base64** action is a utility designed to read local files from + the system and convert their contents into Base64-encoded strings. This is primarily + used to prepare binary file data for transmission to external APIs, sandboxes, + or for inclusion in structured reports where raw binary data is not supported. ### Parameters Description @@ -926,40 +1004,37 @@ Get Files as Base64: | :--- | :--- | :--- | :--- | - | File Paths | String | Yes | A comma-delimited list of absolute or relative file - paths to be processed. The action includes logic to handle filenames that may - contain commas by verifying path existence. | + | **File Paths** | String | Yes | A comma-delimited list of absolute file paths + to be processed (e.g., `/tmp/malware.exe, /home/user/evidence.log`). | ### Flow Description - 1. **Input Parsing:** The action retrieves the `File Paths` string and splits + 1. **Input Parsing**: The action retrieves the `File Paths` parameter and splits it into a list of potential file locations. - 2. **Path Validation:** It utilizes a helper function to verify which paths exist - on the local filesystem, correctly identifying files even if their names contain - commas. + 2. **Path Resolution**: It executes a custom resolution logic (`get_filenames`) + to verify the existence of the files on the local filesystem, handling cases where + filenames might contain commas. - 3. **File Processing:** For each identified file, the action: - * Extracts the directory path, filename, and extension. - * Opens the file in binary read mode. - * Encodes the raw binary content into a Base64 string. - 4. **Data Aggregation:** Metadata (path, name, extension) and the Base64 string - are stored in a structured format. + 3. **File Processing**: For each identified file: + - It extracts metadata including the directory path, filename, and file extension. + - It opens the file in binary read mode. + - It encodes the binary content into a Base64 string. + 4. **Data Aggregation**: The action constructs a JSON object containing the list + of processed filenames and a data array with the metadata and Base64 strings for + each file. - 5. **Output:** The action returns a JSON object containing the list of processed - filenames and their corresponding Base64 data, and provides a summary message - of the converted files. + 5. **Output**: The resulting JSON is added to the action's execution results, + and the action completes with a success message listing the converted files. ### Additional Notes - * This action operates on the local filesystem of the execution environment. Ensure - that the files intended for conversion have been previously downloaded or placed - in a reachable directory (e.g., the `/downloads` folder). + - This action operates on the local filesystem of the environment where the Google + SecOps agent or runner is active. - * The action does not interact with SecOps entities directly; it relies entirely - on the provided file path parameters. + - Large files may consume significant memory during the Base64 encoding process. capabilities: can_create_case_comments: false can_create_insight: false @@ -968,12 +1043,12 @@ Get Files as Base64: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -987,6 +1062,7 @@ Get Files as Base64: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1000,49 +1076,50 @@ Get Files as Base64: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: ai_description: >- ### General Description The **Ping** action is a diagnostic utility designed to verify the connectivity - and operational status of the File Utilities integration within the Google SecOps - environment. It serves as a simple health check to ensure that the integration - is correctly installed and that the execution environment is responsive. + and functional status of the File Utilities integration within Google SecOps. + It performs a basic handshake to ensure that the integration environment is correctly + configured and that the SOAR platform can successfully execute scripts associated + with this integration. ### Parameters Description - There are no parameters for this action. + There are no parameters required for this action. ### Additional Notes - This action does not perform any data retrieval, external API calls, or modifications - to the SOAR case. It is intended solely for troubleshooting and initial setup - verification. + This action does not interact with any external APIs or process any entity data. + It is strictly used for health checks. ### Flow Description 1. **Initialization**: The action initializes the Siemplify API context. - 2. **Connectivity Confirmation**: The script executes a simple termination command - without calling any external services. + 2. **Connectivity Check**: The script executes a simple completion command. - 3. **Completion**: The action returns a success message 'Siemplify is connected' - to the user interface. + 3. **Finalization**: The action ends with a success message 'Siemplify is connected', + confirming the integration is active. capabilities: can_create_case_comments: false can_create_insight: false @@ -1056,7 +1133,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1070,6 +1147,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Remove Entity from File: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1083,115 +1161,126 @@ Ping: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Remove Entity from File: ai_description: >- - Removes entity identifiers from a specified local file. This utility action is - designed to manage local state or watchlists stored on the SOAR runner's file - system. It iterates through all entities in the current scope and attempts to - delete their identifiers from the target file. + Removes the identifiers of target entities from a specified local file. This utility + action is designed to manage local lists or flat-file databases by ensuring that + specific entity strings are deleted from the file content. It employs a file-locking + mechanism to ensure thread safety and prevent data corruption during concurrent + access. ### Flow Description - 1. **Parameter Extraction:** Retrieves the `Filename` parameter provided by the - user. + 1. **Parameter Initialization**: The action retrieves the `Filename` parameter + provided by the user. + + 2. **Path Construction**: It constructs the full file path by appending the filename + to the default directory (`/tmp/`). - 2. **File Path Construction:** Combines the base directory (`/tmp/`) with the - provided filename to determine the target file's location. + 3. **File Locking and Reading**: The `EntityFileManager` context manager is used + to acquire a lock on the file (creating a `.lock` file) and read its current contents + into memory. - 3. **File Locking and Reading:** Utilizes the `EntityFileManager` to acquire a - file lock (preventing concurrent access issues) and reads the existing identifiers - from the file into memory. + 4. **Entity Iteration**: The action iterates through all `target_entities` provided + in the current SOAR context. - 4. **Entity Processing:** Iterates through every target entity in the SOAR case. - For each entity, it checks if the identifier exists in the loaded list. + 5. **Removal Logic**: For each entity, the action checks if its identifier exists + in the file's content. If it exists, the identifier is removed from the list. + If it does not exist, the action logs this and prepares to return a failure status + for the overall result. - 5. **Removal Logic:** If an identifier is found, it is removed from the list. - If an identifier is not found, the action logs the absence and flags the final - result as `False` (indicating not all entities were successfully removed/found). + 6. **Persistence**: After processing all entities, the updated list is written + back to the file, and the file lock is released. - 6. **Persistence:** Upon completion of the loop, the updated list of identifiers - is written back to the file, and the file lock is released. + 7. **Final Output**: The action returns a summary message detailing which entities + were removed and which were not found, along with a boolean result indicating + if all entities were successfully located and removed. ### Parameters Description - | Parameter | Description | Type | Mandatory | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Filename | The name of the file (located in `/tmp/`) from which the entity identifiers - should be removed. | String | Yes | + | Filename | string | True | The name of the file (located in `/tmp/`) from which + the entity identifiers should be removed. | ### Additional Notes - - The action will return a `False` result value if any of the target entities - are not found within the specified file. + - The action will return `False` as its result value if even one of the target + entities is not found in the file, although it will still proceed to remove any + other entities that *are* found. - - The file operations are performed locally on the system where the Google SecOps - agent/runner is executing. + - The file is expected to be a line-delimited text file where each line represents + an entity identifier. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false - can_mutate_external_data: false + can_mutate_external_data: true can_mutate_internal_data: false can_update_entities: false - external_data_mutation_explanation: null + external_data_mutation_explanation: >- + Modifies a file on the local filesystem by removing specific entity identifier + strings. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1205,6 +1294,7 @@ Remove Entity from File: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Save Base64 to File: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1218,69 +1308,47 @@ Remove Entity from File: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Save Base64 to File: - ai_description: >- - ### General Description - - The **Save Base64 to File** action is a utility designed to convert base64-encoded - strings into physical files stored on the Google SecOps (Chronicle) runner's local - file system (either the Playbook server or a Remote Agent). This action is particularly - useful for reconstructing file attachments, images, or logs that have been passed - through a playbook as encoded text. It supports bulk processing via comma-separated - lists for both inputs and filenames. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **Base64 Input** | String | Yes | A comma-separated list of base64-encoded strings - to be converted into files. | - - | **Filename** | String | Yes | A comma-separated list of filenames corresponding - to the base64 inputs. | - - | **File Extension** | String | No | An optional comma-separated list of extensions - (e.g., 'png', '.txt') to append to the filenames. If fewer extensions are provided - than filenames, the last extension in the list is applied to all remaining files. - | - - - ### Flow Description - - 1. **Input Parsing:** The action retrieves the `Base64 Input`, `Filename`, and - `File Extension` parameters, splitting them into lists based on comma delimiters. - - 2. **Environment Detection:** It determines the appropriate storage path (`downloads` - folder) based on whether the action is running on a remote agent or the local - server. - - 3. **Directory Preparation:** The action ensures the target directory exists, - creating it if necessary. - - 4. **File Processing:** It iterates through the provided lists, decoding each - base64 string and writing the resulting binary data to a file with the specified - name and extension. - - 5. **Result Compilation:** Metadata for each created file (name, path, and extension) - is collected into a JSON result object. - - 6. **Completion:** The action ends by returning a success message containing the - paths of all saved files. + ai_description: "Saves one or more base64-encoded strings as files on the local\ + \ filesystem of the Google SecOps runner or agent. This action is primarily used\ + \ to convert encoded data\u2014such as email attachments, forensic artifacts,\ + \ or exported logs\u2014into physical files that can be processed by subsequent\ + \ actions in a playbook. It supports batch processing through comma-separated\ + \ input lists.\n\n### Parameters Description\n\n| Parameter | Type | Mandatory\ + \ | Description |\n| :--- | :--- | :--- | :--- |\n| Base64 Input | String | Yes\ + \ | A comma-separated list of base64-encoded strings to be converted into files.\ + \ |\n| Filename | String | Yes | A comma-separated list of filenames to be used\ + \ for the saved files. The order must match the 'Base64 Input' list. |\n| File\ + \ Extension | String | No | An optional comma-separated list of file extensions\ + \ (e.g., 'txt', '.png') to append to the filenames. If fewer extensions are provided\ + \ than filenames, the last extension in the list is applied to all remaining files.\ + \ |\n\n### Flow Description\n\n1. **Input Parsing:** The action retrieves the\ + \ `Base64 Input`, `Filename`, and `File Extension` parameters, splitting them\ + \ into lists based on comma delimiters.\n2. **Directory Setup:** It identifies\ + \ the appropriate storage path (either a local 'downloads' folder or the agent's\ + \ download directory) and creates the directory if it does not already exist.\n\ + 3. **Filename Sanitization:** Each provided filename is sanitized to remove invalid\ + \ characters and spaces, ensuring compatibility with the filesystem.\n4. **Decoding\ + \ and Writing:** For each input pair, the action decodes the base64 string into\ + \ binary data and writes it to the calculated file path, appending the extension\ + \ if provided.\n5. **Result Compilation:** It generates a JSON object containing\ + \ metadata for all successfully saved files, including the original filename,\ + \ the full file path, and the extension.\n6. **Completion:** The action ends by\ + \ returning a success message listing the paths of the saved files." capabilities: can_create_case_comments: false can_create_insight: false @@ -1294,7 +1362,7 @@ Save Base64 to File: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1308,28 +1376,3 @@ Save Base64 to File: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/power_ups/functions/resources/ai/actions_ai_description.yaml b/content/response_integrations/power_ups/functions/resources/ai/actions_ai_description.yaml index 50b344a8b..d734b9939 100644 --- a/content/response_integrations/power_ups/functions/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/power_ups/functions/resources/ai/actions_ai_description.yaml @@ -1,32 +1,93 @@ Calculate Timestamp: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description\nUse the 'Calculate Timestamp' action to find a new point - in time by moving forward or backward from a starting time. This utility action - is useful for playbook logic that requires time-based windows, such as searching - for logs within a specific range relative to an alert's creation.\n\n### Parameters - Description\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- - | :--- |\n| Input Type | DDL | No | The starting point for the calculation. Options: - Current Time, Alert Creation Time, Case Creation Time, Custom Timestamp. Default - is Current Time. |\n| Custom Timestamp | String | No | The specific date and time - value used as the starting point when 'Input Type' is set to 'Custom Timestamp'. - |\n| Custom Timestamp Format | String | No | The format of the 'Custom Timestamp'. - If not provided, the action attempts to parse as epoch time. |\n| Timestamp Delta - | String | No | A comma-separated list of time offsets (e.g., +30M, -1H). Supported - units: m (months), d (days), H (hours), M (minutes), S (seconds). |\n| Output - Timestamp Format | String | No | The desired structure for the resulting calculated - timestamp. Defaults to epoch time. |\n\n### Additional Notes\n- If 'Input Type' - is set to 'Custom Timestamp', the 'Custom Timestamp' parameter must be provided.\n- - The 'Timestamp Delta' parameter requires an operator (+ or -) and a unit.\n\n### - Flow Description\n1. **Parameter Extraction**: The action retrieves the input - type, custom timestamp details, and the desired time offsets.\n2. **Base Time - Determination**: It identifies the starting timestamp based on the 'Input Type' - (e.g., the current system time or the creation time of the alert/case).\n3. **Offset - Calculation**: It parses the 'Timestamp Delta' string and applies each specified - offset (addition or subtraction) to the base timestamp using the Arrow library.\n4. - **Formatting**: The original and all calculated timestamps are formatted according - to the 'Output Timestamp Format'.\n5. **Result Output**: The action returns a - JSON object containing the original timestamp and a dictionary of the calculated - results. + The 'Calculate Timestamp' action is a utility function designed to compute one + or more new timestamps by applying specific time offsets (deltas) to a designated + starting point. This is particularly useful for playbooks that need to define + time windows for searches, set expiration dates, or calculate relative timeframes + based on alert or case events. + + + ### Parameters + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Input Type | DDL | No | Defines the baseline time. Options: 'Current Time' (default), + 'Alert Creation Time', 'Case Creation Time', or 'Custom Timestamp'. | + + | Custom Timestamp | String | No | The specific date/time string to use if 'Input + Type' is set to 'Custom Timestamp'. | + + | Custom Timestamp Format | String | No | The format used to parse the 'Custom + Timestamp'. Defaults to '%Y-%m-%dT%H:%M:%S%z'. If empty, the action attempts to + parse as epoch. | + + | Timestamp Delta | String | No | A comma-separated list of offsets (e.g., '+30M', + '-1d'). Supports months (m), days (d), hours (H), minutes (M), and seconds (S). + Default is '+30M,-30M'. | + + | Output Timestamp Format | String | No | The desired format for the calculated + results. Defaults to '%Y-%m-%dT%H:%M:%S%z'. Use 'epoch' for Unix timestamps. | + + + ### Additional Notes + + - If 'Input Type' is set to 'Custom Timestamp', the 'Custom Timestamp' parameter + becomes effectively mandatory for the action to succeed. + + - The action uses the `arrow` library for robust date manipulation and parsing. + + - Multiple deltas can be processed in a single execution, returning a map of results. + + + ### Flow Description + + 1. **Initialization**: The action extracts and validates the input parameters, + ensuring formats and deltas match expected patterns (e.g., regex validation for + deltas). + + 2. **Baseline Determination**: It identifies the starting timestamp based on the + 'Input Type'. It retrieves the creation time from the alert or case context if + requested. + + 3. **Offset Calculation**: For each delta provided in the 'Timestamp Delta' list, + the action applies the mathematical shift (addition or subtraction) to the baseline + timestamp. + + 4. **Formatting**: The original and all calculated timestamps are converted into + the format specified in 'Output Timestamp Format'. + + 5. **Result Delivery**: The final results are returned as a JSON object containing + the 'original_timestamp' and a dictionary of 'calculated_timestamps'. capabilities: can_create_case_comments: false can_create_insight: false @@ -40,7 +101,7 @@ Calculate Timestamp: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -54,6 +115,7 @@ Calculate Timestamp: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Convert Time Format: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -67,53 +129,75 @@ Calculate Timestamp: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Convert Time Format: - ai_description: "### General Description\nThe **Convert Time Format** action is\ - \ a utility function designed to transform datetime values from one format to\ - \ another. It allows for flexible parsing of input strings (including Unix timestamps),\ - \ applying time offsets (shifts), and converting the result to a specific timezone.\ - \ This is primarily used within playbooks to normalize time data received from\ - \ various security tools into a consistent format for downstream processing or\ - \ reporting.\n\n### Parameters Description\n| Parameter | Type | Mandatory | Description\ - \ |\n| :--- | :--- | :--- | :--- |\n| **Input** | string | Yes | The input datetime\ - \ value to be converted. Can be a formatted string or a Unix timestamp (10 or\ - \ 13 digits). If left empty, the current time is used. |\n| **From Format** |\ - \ string | Yes | The `strftime` format of the input string (e.g., `%Y-%m-%d %H:%M:%S`).\ - \ If the input is a numeric timestamp, this may be bypassed by the logic. |\n\ - | **To Format** | string | Yes | The desired output format using [Arrow tokens](https://arrow.readthedocs.io/en/stable/#supported-tokens)\ - \ (e.g., `YYYY/MM/DD HH:mm:ss`). |\n| **Time Delta In Seconds** | string | Yes\ - \ | A numeric value (positive or negative) representing the number of seconds\ - \ to shift the time. Default is \"0\". |\n| **Timezone** | string | No | The target\ - \ timezone for the output (e.g., `UTC`, `US/Eastern`). If omitted, the timezone\ - \ of the parsed input is maintained. |\n\n### Flow Description\n1. **Parameter\ - \ Extraction:** The action retrieves the input string, source format, target format,\ - \ time delta, and target timezone from the environment.\n2. **Special Suffix\ - \ Handling:** It checks if the `From Format` ends with \"UTC\" or \"GMT\" and\ - \ adjusts the time delta accordingly if those strings are present in the input.\n\ - 3. **Parsing:** \n * If the input is empty, it defaults to the current system\ - \ time.\n * If the input is a 10-digit (seconds) or 13-digit (milliseconds)\ - \ number, it parses it as a Unix timestamp.\n * Otherwise, it attempts to\ - \ parse the string using the provided `From Format` via the `Arrow` library.\n\ - 4. **Time Shifting:** The parsed time is shifted by the specified `Time Delta\ - \ In Seconds`.\n5. **Timezone Conversion:** If a `Timezone` is provided, the\ - \ datetime object is converted to that specific zone.\n6. **Formatting and Output:**\ - \ The final datetime object is formatted according to the `To Format` and returned\ - \ as the action result.\n\n### Additional Notes\n* This action does not interact\ - \ with external APIs; it is a local processing utility.\n* The action is robust\ - \ enough to attempt parsing even if the provided `From Format` is slightly mismatched,\ - \ provided the input looks like a standard timestamp." + ai_description: >- + Converts a datetime value from one format to another. This utility action allows + for parsing input strings or timestamps, applying time offsets (shifts), and converting + the result into a specific timezone and output format. + + + ### Flow Description: + + 1. **Parameter Retrieval:** The action extracts the input datetime string, the + source format, the target format, the time delta (in seconds), and the target + timezone from the configuration. + + 2. **Parsing:** It attempts to parse the input. If the input is numeric, it treats + it as a Unix timestamp (seconds or milliseconds). If it is a string, it uses the + provided 'From Format' to interpret the date. + + 3. **Time Shifting:** If a 'Time Delta In Seconds' is provided, the action shifts + the datetime object forward or backward by that amount. + + 4. **Timezone Conversion:** If a 'Timezone' is specified, the datetime is converted + to that specific timezone. + + 5. **Formatting:** Finally, the datetime is formatted according to the 'To Format' + string and returned as the action result. + + + ### Parameters Description: + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Input | string | True | The input datetime value or timestamp that will be converted. + If left empty, the current time is used. | + + | From Format | string | True | The datetime format the input string is in (e.g., + %Y-%m-%d %H:%M:%S). Supports strftime format. | + + | To Format | string | True | The desired time format of the output. Uses Arrow + tokens (e.g., YYYY/MM/DD). | + + | Time Delta In Seconds | string | True | Shift parameter to change the output + time to the future (positive) or past (negative), measured in seconds. | + + | Timezone | string | False | The target timezone for the output (e.g., UTC, US/Eastern). + | + + + ### Additional Notes: + + - If the 'From Format' ends with 'UTC' or 'GMT', the action performs specific + logic to handle timezone offsets provided within the input string. + + - The action is a local utility and does not interact with external APIs. capabilities: can_create_case_comments: false can_create_insight: false @@ -127,7 +211,7 @@ Convert Time Format: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -141,6 +225,7 @@ Convert Time Format: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Create Thumbnail: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -154,77 +239,51 @@ Convert Time Format: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Create Thumbnail: - ai_description: >- - ### General Description - - The **Create Thumbnail** action is a utility function designed to generate a resized, - Base64-encoded thumbnail from an existing Base64 image string. This action is - used to optimize image data for display within the SOAR interface or to reduce - the size of image payloads before passing them to other systems or playbooks. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **Base64 Image** | String | No | The raw Base64 string of the image to be resized. - This is used if `Input JSON` is not provided. | - - | **Thumbnail Size** | String | Yes | Comma-separated pixel dimensions (e.g., - "250,250") for the output thumbnail. | - - | **Input JSON** | String | No | A JSON-formatted string containing image data. - If provided, the action can process multiple images defined within the JSON structure. - | - - | **Image Key Path** | String | No | The dot-separated path (e.g., `data.image_base64`) - used to locate the image field within the `Input JSON`. | - - - ### Additional Notes - - - To execute successfully, the action requires either a direct image string via - the **Base64 Image** parameter or a valid **Input JSON** accompanied by an **Image - Key Path**. - - - The action performs all processing locally using the PIL (Pillow) library and - does not communicate with external APIs. - - - ### Flow Description - - 1. **Parameter Extraction**: The action retrieves the input image data (either - as a direct string or within a JSON object), the target dimensions, and the key - path configuration. - - 2. **Data Parsing**: If **Input JSON** is provided, the action parses the JSON - and uses the **Image Key Path** to extract the Base64 image string(s) from the - provided data structure. - - 3. **Image Processing**: The action decodes the Base64 string into raw bytes and - utilizes the PIL library to open and resize the image to the specified **Thumbnail - Size**. - - 4. **Encoding**: The resized image is saved in PNG format and re-encoded into - a Base64 string. - - 5. **Output Generation**: The resulting Base64 thumbnail is returned as a JSON - result, which can be used in subsequent playbook steps. + ai_description: "### General Description\nThe **Create Thumbnail** action is a utility\ + \ function designed to generate a resized thumbnail of an image. It accepts image\ + \ data in Base64 format and outputs a new Base64-encoded PNG thumbnail based on\ + \ user-defined dimensions. This action is particularly useful for optimizing image\ + \ display within the SOAR interface or preparing images for external notifications\ + \ where smaller file sizes are required.\n\n### Parameters Description\n| Parameter\ + \ Name | Expected Type | Mandatory | Description |\n| :--- | :--- | :--- | :---\ + \ |\n| **Base64 Image** | String | No | The raw Base64-encoded string of the image\ + \ to be resized. This is used if `Input JSON` is not provided. |\n| **Thumbnail\ + \ Size** | String | Yes | The desired dimensions for the thumbnail in pixels,\ + \ formatted as 'Width,Height' (e.g., '250,250'). |\n| **Input JSON** | String\ + \ | No | A JSON-formatted string (usually an array of objects) containing image\ + \ data to be processed in bulk. |\n| **Image Key Path** | String | No | If using\ + \ `Input JSON`, this specifies the dot-notation path (e.g., 'data.image_content')\ + \ to the field containing the Base64 image string. |\n\n### Additional Notes\n\ + - Either the **Base64 Image** parameter or the **Input JSON** parameter must be\ + \ provided for the action to have data to process.\n- The action uses the PIL\ + \ (Pillow) library to perform image manipulation.\n- The output is always returned\ + \ as a PNG-formatted Base64 string.\n\n### Flow Description\n1. **Parameter Extraction:**\ + \ The action retrieves the input image data, the target dimensions, and any JSON\ + \ pathing configurations.\n2. **Data Parsing:** \n - If **Input JSON** is provided,\ + \ the action parses the JSON and iterates through the entries, using the **Image\ + \ Key Path** to locate the Base64 strings.\n - If **Input JSON** is absent,\ + \ it proceeds with the single string provided in **Base64 Image**.\n3. **Image\ + \ Processing:** For each identified image string, the action decodes the Base64\ + \ data, opens it as an image object, and resizes it to the specified **Thumbnail\ + \ Size**.\n4. **Encoding:** The resized image is saved into a memory buffer as\ + \ a PNG and then re-encoded into a Base64 string.\n5. **Result Delivery:** The\ + \ resulting thumbnail(s) are added to the action's JSON results for use in subsequent\ + \ playbook steps." capabilities: can_create_case_comments: false can_create_insight: false @@ -238,7 +297,7 @@ Create Thumbnail: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -252,6 +311,7 @@ Create Thumbnail: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Defang Text: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -265,57 +325,62 @@ Create Thumbnail: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Defang Text: ai_description: >- - ### General Description + Defangs the provided input text by sanitizing URLs, IP addresses, and email addresses + to prevent accidental interaction. This utility action is useful for preparing + data for display or logging where active links or resolvable addresses are undesirable. - The **Defang Text** action is a utility designed to sanitize potentially malicious - or active indicators within a text string. It 'defangs' URLs, IP addresses, and - email addresses by modifying their syntax (e.g., changing `http` to `hxxp` or - `.` to `[.]`), making them non-clickable and preventing accidental execution or - navigation by analysts. + ### Flow Description - ### Parameters Description + 1. **Parameter Extraction:** Retrieves the `Input` string from the action parameters. - | Parameter | Description | Type | Mandatory | Notes | + 2. **Empty Check:** If the input is empty, the action terminates early with an + empty result. - | :--- | :--- | :--- | :--- | :--- | + 3. **URL Defanging:** Uses regular expressions to find HTTP/HTTPS URLs, changing + the protocol to 'hxxp' and escaping dots in the domain (e.g., `http://example.com` + becomes `hxxp://example[.]com`). - | Input | The raw text string that needs to be defanged. | String | No | If left - empty, the action returns an empty result. | + 4. **IP Defanging:** Identifies IPv4 patterns and replaces dots with bracketed + dots (e.g., `1.1.1.1` becomes `1[.]1[.]1[.]1`). + 5. **Email Defanging:** Locates email addresses, replacing the '@' symbol with + `[at]` and escaping dots in the domain portion (e.g., `user@example.com` becomes + `user[at]example[.]com`). - ### Flow Description + 6. **Result Output:** Returns the modified text in the `converted_text` JSON field. - 1. **Parameter Extraction:** The action retrieves the `Input` string provided - by the user. - 2. **Empty Check:** If the input is null or empty, the action terminates and returns - an empty result. + ### Parameters Description + + | Parameter | Description | Type | Mandatory | + + | :--- | :--- | :--- | :--- | - 3. **URL Defanging:** Identifies `http` or `https` links and replaces the protocol - with `hxxp/hxxps` and escapes dots in the domain name using `[.]`. + | Input | The raw text string that requires defanging. | String | No | - 4. **IP Defanging:** Identifies IPv4 addresses and replaces all dots with `[.]`. - 5. **Email Defanging:** Identifies email addresses, replaces the `@` symbol with - `[at]`, and escapes dots in the domain portion. + ### Additional Notes - 6. **Result Output:** The final defanged string is returned in the `JsonResult` - under the key `converted_text`. + - This action does not interact with external APIs or modify Google SecOps entities. + + - It is a pure text transformation utility designed for data sanitization. capabilities: can_create_case_comments: false can_create_insight: false @@ -329,7 +394,7 @@ Defang Text: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -343,6 +408,7 @@ Defang Text: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Detect Hash Type: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -354,29 +420,30 @@ Defang Text: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: false + enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Detect Hash Type: ai_description: >- ### General Description - The **Detect Hash Type** action identifies the most likely cryptographic hash - algorithm for a given set of strings or `FILEHASH` entities. It supports detection - for **MD5**, **SHA-1**, **SHA-256**, and **SHA-512**. This utility is primarily - used to normalize data or determine which subsequent enrichment actions are appropriate - based on the hash format. + Identifies the most likely hash algorithm (MD5, SHA-1, SHA-256, or SHA-512) for + provided hash strings or FILEHASH entities. This utility action helps analysts + quickly classify unknown hash strings and enriches FILEHASH entities within the + case with their detected algorithm type. ### Parameters Description @@ -385,41 +452,36 @@ Detect Hash Type: | :--- | :--- | :--- | :--- | - | **Hashes** | String | No | A comma-separated list of hash strings to identify. - If provided, these strings will be processed and included in the output alongside - any entities in the scope. | + | Hashes | String | No | One or more hashes that are comma separated. If provided, + the action will identify the hash type for these strings in addition to any FILEHASH + entities in the scope. | ### Flow Description - 1. **Input Parsing**: The action retrieves the `Hashes` parameter and splits it - into a list of individual strings. + 1. Retrieve the `Hashes` parameter and split it into a list if it exists. - 2. **Manual Hash Identification**: For each string provided in the parameter, - the action uses the `hashid` library to determine the most likely algorithm (MD5, - SHA-1, SHA-256, or SHA-512). + 2. Use the `hashid` library to identify the algorithm for each provided hash string, + filtering for supported types (MD5, SHA-1, SHA-256, SHA-512). - 3. **Entity Processing**: The action iterates through all `FILEHASH` entities - associated with the current context. + 3. Iterate through the `target_entities` and filter for those with the type `FILEHASH`. - 4. **Entity Identification**: For each `FILEHASH` entity, the action identifies - the hash type based on the entity's identifier. + 4. For each `FILEHASH` entity, identify its algorithm type using its identifier. - 5. **Internal Enrichment**: The detected hash type is added to the entity's `additional_properties` - attribute. + 5. Update the entity's `additional_properties` with the detected `HashType`. - 6. **Result Compilation**: The action updates the entities within Google SecOps - and returns a JSON object containing the mapping of all processed hashes to their + 6. Commit the entity updates to the SecOps platform. + + 7. Return a JSON result containing the mapping of all processed hashes to their detected types. ### Additional Notes - - If a hash type cannot be determined or does not match the supported types, it - is labeled as `UNDETECTED`. + - Supported hash types are MD5, SHA-1, SHA-256, and SHA-512. - - This action performs local identification using a library and does not make - external API calls. + - If a hash type cannot be determined or is not in the supported list, it is marked + as 'UNDETECTED'. capabilities: can_create_case_comments: false can_create_insight: false @@ -428,15 +490,15 @@ Detect Hash Type: can_mutate_internal_data: true can_update_entities: true external_data_mutation_explanation: null - fetches_data: false + fetches_data: true internal_data_mutation_explanation: >- Updates the 'additional_properties' attribute of FILEHASH entities with the - detected hash type. + detected hash type (e.g., SHA-256, MD5). categories: - enrichment: false + enrichment: true entity_usage: entity_types: - - FILEHASH + - FILEHASH filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -450,6 +512,7 @@ Detect Hash Type: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Detect IP Type: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -460,69 +523,67 @@ Detect Hash Type: disable_identity: false download_file: false enable_identity: false - enrich_asset: false + enrich_asset: true enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Detect IP Type: ai_description: >- - ### General Description - - The **Detect IP Type** action identifies whether a given IP address follows the - IPv4 or IPv6 protocol. It uses regular expression matching to categorize addresses - and enriches existing IP Address entities within the Google SecOps environment - by adding an `IPType` field to their additional properties. + Identifies whether an IP address is in IPv4 or IPv6 format. This action processes + a list of IP addresses provided as a parameter and also automatically evaluates + all 'ADDRESS' entities present in the current case. For entities, it enriches + their profile by adding an 'IPType' field to their additional properties, which + can be used for downstream logic or filtering in playbooks. - ### Parameters Description - - | Parameter | Type | Mandatory | Description | + ### Flow Description: - | :--- | :--- | :--- | :--- | + 1. **Input Parsing**: Retrieves the optional 'IP Addresses' parameter and splits + it into individual strings if provided. - | IP Addresses | String | No | A comma-separated list of IP addresses to be analyzed. - If provided, these will be processed in addition to any entities in the case. - | + 2. **Manual Evaluation**: Iterates through the provided IP strings and uses regular + expressions to determine if they are IPv4, IPv6, or undetected. + 3. **Entity Processing**: Iterates through all entities in the case, filtering + specifically for those of type 'ADDRESS'. - ### Flow Description + 4. **Internal Enrichment**: For each identified 'ADDRESS' entity, the action determines + its IP type and updates the entity's 'additional_properties' with the result. - 1. **Input Retrieval**: The action retrieves the optional `IP Addresses` parameter. + 5. **Result Aggregation**: Consolidates all findings into a JSON result and updates + the entities within the Google SecOps platform. - 2. **Manual IP Processing**: If the parameter is provided, it splits the string - and uses regex to classify each address as `IPV4`, `IPV6`, or `UNDETECTED`. - 3. **Entity Processing**: The action iterates through the `target_entities` in - the current context, specifically looking for entities of type `ADDRESS`. + ### Parameters Description: - 4. **Classification**: For each identified entity, it applies the same regex logic - to the entity's identifier. + | Parameter | Type | Mandatory | Description | - 5. **Internal Enrichment**: It updates the `additional_properties` of the entities - with the detected `IPType`. + | :--- | :--- | :--- | :--- | - 6. **Result Reporting**: The action compiles all results into a JSON object and - updates the entities in the SecOps platform. + | IP Addresses | String | No | A comma-separated list of IP addresses to be evaluated. + If left empty, the action will only process existing case entities. | - ### Additional Notes + ### Additional Notes: - - This action does not perform external lookups; all detection is done locally - via regex. + - This action is a local utility and does not perform any external API calls or + reputation checks. - - If an address does not match either IPv4 or IPv6 patterns, it is labeled as - `UNDETECTED`. + - The 'IPType' field added to entities will contain one of the following values: + 'IPV4', 'IPV6', or 'UNDETECTED'. capabilities: can_create_case_comments: false can_create_insight: false @@ -534,12 +595,12 @@ Detect IP Type: fetches_data: false internal_data_mutation_explanation: >- Updates the 'additional_properties' attribute of ADDRESS entities with the detected - IP type. + IP type (IPv4, IPv6, or UNDETECTED). categories: enrichment: false entity_usage: entity_types: - - ADDRESS + - ADDRESS filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -553,6 +614,7 @@ Detect IP Type: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Extract IOCs: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -563,36 +625,33 @@ Detect IP Type: disable_identity: false download_file: false enable_identity: false - enrich_asset: true + enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Extract IOCs: ai_description: >- - Extracts Indicators of Compromise (IOCs) including domains, IPv4/IPv6 addresses, - URLs, and email addresses from a provided input string. This utility action is - designed to parse unstructured text to identify potential security indicators - for further analysis or automation. - - ### General Description - This action takes a raw string as input and applies various extraction techniques - (regular expressions and specialized libraries) to identify common IOC types. - It handles URL cleaning, domain derivation from URLs, and IP address validation. - The results are returned as a structured JSON object containing lists for each - IOC category. + The **Extract IOCs** action is a utility designed to parse a provided text string + and identify various Indicators of Compromise (IOCs). It uses regular expressions + and specialized libraries to detect and extract domains, IPv4/IPv6 addresses, + URLs, and email addresses. This is particularly useful for processing unstructured + data like email bodies, log snippets, or threat reports to identify actionable + indicators. ### Parameters Description @@ -601,8 +660,8 @@ Extract IOCs: | :--- | :--- | :--- | :--- | - | Input String | String | Yes | The raw text content from which the action will - attempt to extract domains, IPs, URLs, and emails. | + | Input String | String | Yes | The raw text string from which the action will + attempt to extract IOCs. | ### Flow Description @@ -610,29 +669,31 @@ Extract IOCs: 1. **Parameter Extraction**: The action retrieves the `Input String` provided by the user. - 2. **URL Extraction**: Uses the `urlextract` library to find URLs within the text, - filtering out invalid formats and standalone IP addresses. + 2. **URL Extraction**: Uses the `URLExtract` library to find valid URLs within + the text, performing basic cleaning and validation (e.g., ignoring URLs that are + actually IP addresses). - 3. **Domain Extraction**: Processes the discovered URLs to extract the Effective - Fully Qualified Domain Name (eFLD) using the `tld` library. + 3. **Domain Extraction**: For every URL found, the action uses the `tld` library + to extract the Effective Top-Level Domain (e.g., extracting `google.com` from + `https://sub.google.com/path`). - 4. **IP Extraction**: Uses regular expressions to find potential IPv4 and IPv6 - addresses, then validates them using the `ipaddress` module to ensure they are - legitimate network addresses. + 4. **IP Extraction**: Uses regular expressions to find IPv4 and IPv6 patterns, + then validates them using the `ipaddress` library. It filters out invalid formats. - 5. **Email Extraction**: Applies a comprehensive regular expression to identify - email addresses within the string. + 5. **Email Extraction**: Uses a comprehensive regular expression to identify email + addresses. - 6. **Result Aggregation**: Consolidates all identified indicators into a JSON - object and generates a human-readable summary message for the action output. + 6. **Result Compilation**: Aggregates all found indicators into a structured JSON + object and provides a summary message for the action output. ### Additional Notes - - This action does not perform external lookups or reputation checks; it is strictly - a parsing utility. + - This action does not interact with external threat intelligence services; it + performs local parsing of the input string. - - Internal/Private IP addresses are included in the extraction results by default. + - It does not automatically create entities in the Google SecOps platform; it + returns the data for use in subsequent playbook steps. capabilities: can_create_case_comments: false can_create_insight: false @@ -646,7 +707,7 @@ Extract IOCs: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -660,6 +721,7 @@ Extract IOCs: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +IP to Integer: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -673,61 +735,64 @@ Extract IOCs: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -IP to Integer: ai_description: >- ### General Description - This utility action converts one or more IPv4 addresses into their corresponding - integer (long) format. It is primarily used for data normalization or when integrating - with systems that require IP addresses in numerical format rather than dot-decimal - notation. + Converts one or more IPv4 addresses into their corresponding integer (long) format. + This utility action is primarily used for data transformation within playbooks, + allowing analysts to normalize IP data for comparison, database lookups, or mathematical + operations. ### Parameters Description - | Parameter Name | Type | Mandatory | Description | + | Parameter | Description | Type | Mandatory | Notes | - | :--- | :--- | :--- | :--- | + | :--- | :--- | :--- | :--- | :--- | - | IP Addresses | String | Yes | A comma-separated list of IPv4 addresses to be - converted into integers. | + | IP Addresses | A comma-separated list of IPv4 addresses to be converted into + integers. | String | Yes | Expects standard dot-decimal notation (e.g., '192.168.1.1'). + | - ### Flow Description + ### Additional Notes - 1. **Input Retrieval:** The action retrieves the comma-separated string of IP - addresses from the `IP Addresses` parameter. + - This action performs local computation using standard Python libraries (`socket`, + `struct`) and does not make external API calls. - 2. **Parsing:** The string is split by commas and stripped of whitespace to create - a list of individual IP strings. + - It does not interact with SecOps entities directly; it processes the string + provided in the input parameter. - 3. **Conversion:** For each IP address, the action uses the `socket` and `struct` - libraries to convert the address into a 32-bit packed binary format and then unpacks - it as a long integer. - 4. **Result Compilation:** The results are stored in a JSON object (mapping the - original IP to the integer) and a comma-separated string of the resulting integers. + ### Flow Description - 5. **Output:** The action returns the JSON result and the string result to the - Google SecOps platform. + 1. **Input Parsing**: The action retrieves the `IP Addresses` string from the + parameters and splits it into a list, removing any leading or trailing whitespace. + 2. **Conversion**: For each IP address in the list, it uses `socket.inet_aton` + to convert the string to network bytes and `struct.unpack` to transform those + bytes into a 32-bit unsigned integer. - ### Additional Notes + 3. **Result Aggregation**: The converted integers are stored in a JSON dictionary + (mapping the original IP to the integer) and a comma-separated string. - This action performs local calculations and does not interact with any external - APIs or Google SecOps entities. + 4. **Output**: The action returns the comma-separated string as the main result + value and attaches the detailed mapping as a JSON result. capabilities: can_create_case_comments: false can_create_insight: false @@ -741,7 +806,7 @@ IP to Integer: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -755,6 +820,7 @@ IP to Integer: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Math Arithmetic: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -768,64 +834,73 @@ IP to Integer: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Math Arithmetic: ai_description: >- ### General Description - Performs basic arithmetic operations on two provided numeric arguments. This utility - action allows for mathematical calculations within a playbook flow, supporting - addition, subtraction, multiplication, division, and modulo operations. + The **Math Arithmetic** action is a utility function designed to perform basic + mathematical operations on two provided numerical arguments. It supports addition, + subtraction, multiplication, division, and modulo operations. This action is typically + used within playbooks to perform calculations on data extracted from previous + steps or entities. ### Parameters Description - | Parameter | Type | Mandatory | Description | + | Parameter | Type | Mandatory | Default Value | Description | - | :--- | :--- | :--- | :--- | + | :--- | :--- | :--- | :--- | :--- | - | Function | DDL | Yes | The arithmetic operation to perform. Options include: - **Plus** (Addition), **Sub** (Subtraction), **Multi** (Multiplication), **Div** - (Division), and **Mod** (Modulo). | + | **Function** | DDL | Yes | Plus | The mathematical operation to perform. Options: + `Plus`, `Sub`, `Multi`, `Div`, `Mod`. | - | Arg 1 | String | Yes | The first numeric value (integer or float) for the calculation. + | **Arg 1** | String | Yes | {} | The first numerical argument for the operation. | - | Arg 2 | String | Yes | The second numeric value (integer or float) for the calculation. + | **Arg 2** | String | Yes | {} | The second numerical argument for the operation. | ### Additional Notes - This action is a local utility and does not interact with any external APIs or - Google SecOps entities. It processes the input parameters and returns the result - as a script output. + - The action attempts to parse the input strings (`Arg 1` and `Arg 2`) into integers + first, and then into floats if integer parsing fails. + + - If the `Div` (Division) function is used and `Arg 2` is zero, the action will + fail with a standard Python `ZeroDivisionError`. ### Flow Description - 1. **Retrieve Parameters**: The action fetches the selected `Function` and the - two input arguments (`Arg 1` and `Arg 2`) from the configuration. + 1. **Parameter Retrieval**: The action retrieves the selected mathematical function + and the two input arguments from the integration parameters. - 2. **Data Parsing**: The input strings are parsed into numeric types (integers - or floats). + 2. **Data Parsing**: The input strings are converted into numerical types (int + or float). 3. **Calculation**: Based on the selected `Function`, the action performs the - corresponding mathematical operation. - - 4. **Output**: The action concludes by returning the calculated result and a formatted - message (e.g., "10 + 5 = 15") to the SOAR platform. + corresponding arithmetic operation: + - `Plus`: Adds Arg 1 and Arg 2. + - `Sub`: Subtracts Arg 2 from Arg 1. + - `Multi`: Multiplies Arg 1 by Arg 2. + - `Div`: Divides Arg 1 by Arg 2. + - `Mod`: Calculates the remainder of Arg 1 divided by Arg 2. + 4. **Output**: The action returns the calculated result as the `ScriptResult` + and provides a human-readable message summarizing the operation. capabilities: can_create_case_comments: false can_create_insight: false @@ -839,7 +914,7 @@ Math Arithmetic: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -853,6 +928,7 @@ Math Arithmetic: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Math Functions: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -866,46 +942,46 @@ Math Arithmetic: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Math Functions: ai_description: "### General Description\nThe **Math Functions** action provides\ - \ a suite of built-in Python mathematical operations that can be applied to a\ + \ a suite of built-in Python mathematical operations to process numeric data within\ + \ a playbook. It allows users to perform calculations or transformations on a\ \ list of numbers provided as a comma-separated string. This utility action is\ - \ designed for data transformation and calculation within a playbook, allowing\ - \ users to perform operations like finding the maximum value, summing a list,\ - \ or converting numbers to different formats (e.g., Hexadecimal or Integer) without\ - \ writing custom code.\n\n### Parameters Description\n| Parameter | Type | Mandatory\ - \ | Description |\n| :--- | :--- | :--- | :--- |\n| **Function** | DDL | Yes |\ - \ The specific mathematical operation to perform. Options include: `Max`, `Min`,\ - \ `Round`, `Sort`, `Sum`, `Float`, `Hex`, `Int`, `Abs`, and `Display`. |\n| **Numbers**\ - \ | String | Yes | A comma-separated list of numbers (e.g., \"10, 20.5, -5\")\ - \ to be processed by the selected function. |\n\n### Flow Description\n1. **Input\ - \ Retrieval:** The action retrieves the comma-separated string of numbers and\ - \ the selected function name from the action parameters.\n2. **Parsing:** The\ - \ input string is split by commas, and each element is parsed into either a float\ - \ or an integer. \n3. **Execution:** The action executes the logic corresponding\ - \ to the selected `Function`:\n * **Abs/Float/Int/Round:** Iterates through\ - \ the list and applies the transformation to each number.\n * **Display:**\ - \ Formats numbers with commas for better readability (e.g., 1000 becomes 1,000).\n\ - \ * **Hex:** Converts integer values to their hexadecimal representation.\n\ - \ * **Max/Min/Sum:** Calculates a single aggregate value from the entire list.\n\ - \ * **Sort:** Returns the list of numbers sorted in ascending order.\n4. **Output:**\ - \ The processed results are added to the action's JSON output and the final script\ - \ result is returned to the SOAR platform.\n\n### Additional Notes\n* This action\ - \ does not interact with external APIs or SecOps entities; it operates strictly\ - \ on the input provided in the parameters.\n* If the `Hex` function is selected,\ - \ the action specifically attempts to parse inputs as integers." + \ ideal for data normalization, finding extremes (min/max), or aggregating values\ + \ (sum) during automated workflows.\n\n### Parameters Description\n| Parameter\ + \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| **Function**\ + \ | DDL | Yes | The specific mathematical operation to execute. Options include:\ + \ `Max`, `Min`, `Round`, `Sort`, `Sum`, `Float`, `Hex`, `Int`, `Abs`, and `Display`.\ + \ |\n| **Numbers** | String | Yes | A comma-separated list of numeric values (e.g.,\ + \ \"10, -5, 22.5\") to be processed by the selected function. |\n\n### Flow Description\n\ + 1. **Input Parsing**: The action retrieves the `Numbers` string and splits it\ + \ by commas. It attempts to parse each element into either an integer or a floating-point\ + \ number.\n2. **Function Selection**: Based on the `Function` parameter, the action\ + \ selects the corresponding logic path.\n3. **Execution**: \n * For transformation\ + \ functions (like `Abs`, `Round`, `Int`, `Float`, `Hex`, `Display`), it iterates\ + \ through the list and applies the operation to each number.\n * For aggregation/selection\ + \ functions (like `Max`, `Min`, `Sum`), it applies the operation to the entire\ + \ list to produce a single result.\n * For the `Sort` function, it returns\ + \ the list in ascending order.\n4. **Output Generation**: The results are formatted\ + \ as a JSON array and returned to the SOAR platform. The action also provides\ + \ a human-readable summary message in the action output.\n\n### Additional Notes\n\ + * This action does not interact with external APIs or SecOps entities; it is a\ + \ pure data-processing utility.\n* The `Hex` function specifically requires integer\ + \ inputs; non-integer values in the list will be ignored for this specific operation." capabilities: can_create_case_comments: false can_create_insight: false @@ -919,7 +995,7 @@ Math Functions: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -933,6 +1009,7 @@ Math Functions: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -946,25 +1023,27 @@ Math Functions: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: ai_description: >- ### General Description - Verifies the connectivity and availability of the integration within the Google - SecOps environment. This action serves as a basic health check to ensure that - the integration is correctly installed and the SOAR platform can execute its scripts. + Verifies the connectivity and availability of the Google SecOps (Chronicle) environment. + This action is used as a basic health check to ensure that the integration is + correctly configured and can communicate with the platform. ### Parameters Description @@ -974,16 +1053,16 @@ Ping: ### Additional Notes - This action does not interact with any external APIs or modify any data. It is - purely for connectivity verification. + This action does not interact with any external APIs or modify any data. It simply + returns a success message if the script execution environment is functional. ### Flow Description - 1. **Initialization**: The action initializes the Siemplify SDK environment. + 1. **Initialization**: The action initializes the Siemplify SDK. - 2. **Connectivity Check**: The action immediately concludes, returning a success - message to confirm that the execution environment is functional. + 2. **Connectivity Check**: The action immediately concludes with a success status + and a message indicating that Siemplify is connected. capabilities: can_create_case_comments: false can_create_insight: false @@ -997,7 +1076,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1011,6 +1090,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Run JSONPath Query: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1024,40 +1104,43 @@ Ping: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Run JSONPath Query: ai_description: >- ### General Description The **Run JSONPath Query** action allows users to execute JSONPath expressions - against a provided JSON string to extract specific values or subsets of data. - This is a utility action used for data parsing and transformation within playbooks, - enabling analysts to isolate relevant information from complex JSON payloads returned - by other integrations. + against a provided JSON string. This is a utility function used to parse, filter, + and extract specific values from complex JSON structures within a playbook flow. + It leverages the `jsonpath-ng` library to provide robust querying capabilities + similar to how XPath works for XML. ### Parameters Description - | Parameter | Type | Mandatory | Description | + | Parameter Name | Description | Type | Mandatory | Notes | - | :--- | :--- | :--- | :--- | + | :--- | :--- | :--- | :--- | :--- | - | Json | code | Yes | The raw JSON string that the query will be executed against. - | + | **Json** | The raw JSON string or object that you want to query. | Code | Yes + | Must be a valid JSON format. | - | JSONPath Expression | string | Yes | The JSONPath syntax used to navigate and - filter the JSON structure (e.g., `$.store.book[*].author`). | + | **JSONPath Expression** | The JSONPath syntax used to navigate and extract data + from the input JSON. | String | Yes | Follows standard JSONPath syntax (e.g., + `$.store.book[*].author`). | ### Flow Description @@ -1065,22 +1148,26 @@ Run JSONPath Query: 1. **Parameter Extraction:** The action retrieves the input JSON string and the JSONPath expression from the user-defined parameters. - 2. **JSON Parsing:** The input string is converted into a structured JSON object. + 2. **JSON Parsing:** The input string is converted into a structured JSON object + (Python dictionary). - 3. **Expression Parsing:** The JSONPath expression is parsed using the `jsonpath-ng` - library. + 3. **Expression Execution:** The JSONPath expression is parsed and applied to + the JSON object to find all matching elements. - 4. **Query Execution:** The parsed expression is applied to the JSON object to - find all matching elements. + 4. **Result Compilation:** All matching values are collected into a list under + the `matches` key. - 5. **Result Compilation:** All matching values are collected into a list and returned - as a JSON result under the `matches` key. + 5. **Output Generation:** The resulting matches are returned as a JSON object + and made available for subsequent playbook steps. ### Additional Notes - This action is a local utility and does not interact with any external APIs or - modify any Google SecOps entities or case data. + - This action does not interact with external APIs or modify any Google SecOps + entities; it is a pure data transformation utility. + + - If the JSONPath expression finds no matches, the `matches` list in the output + will be empty. capabilities: can_create_case_comments: false can_create_insight: false @@ -1094,7 +1181,7 @@ Run JSONPath Query: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1108,6 +1195,7 @@ Run JSONPath Query: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +SanitizeHTML: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1121,27 +1209,29 @@ Run JSONPath Query: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -SanitizeHTML: ai_description: >- ### General Description - The **SanitizeHTML** action is a utility designed to clean and sanitize HTML fragments. - It uses the HTML5 parsing algorithm to ensure that the output is safe and well-formed. - This is particularly useful for processing potentially malicious or malformed - HTML content from emails or web logs before displaying it or using it in other - processes. + Sanitizes an HTML fragment by parsing it according to the HTML5 parsing algorithm + and removing or escaping disallowed tags, attributes, and CSS styles. This action + uses the `bleach` library to ensure that the output is safe and well-formed, handling + issues like unclosed or misnested tags. It is primarily used as a utility to clean + up data before it is displayed in the UI or passed to other systems. ### Parameters Description @@ -1150,44 +1240,46 @@ SanitizeHTML: | :--- | :--- | :--- | :--- | - | **Input HTML** | String | Yes | The HTML fragment that will be sanitized. | + | Input HTML | string | Yes | The raw HTML fragment that needs to be sanitized. + | - | **Tags** | String | No | A comma-separated list of allowed HTML tags. Tags not - in this list will be escaped or stripped. Default includes common safe tags like - `a`, `b`, `p`, `div`, etc. | + | Tags | string | No | A comma-separated list of allowed HTML tags. Tags not in + this list will be escaped or stripped. Default includes common formatting tags + like `a`, `b`, `p`, `div`, etc. | - | **Attributes** | String | No | A comma-separated list of allowed attributes - (e.g., `href`, `src`). | + | Attributes | string | No | A comma-separated list of allowed attributes (e.g., + `href`, `src`). | - | **Styles** | String | No | A comma-separated list of allowed CSS properties - (e.g., `color`, `font-size`) if the `style` attribute is permitted. | + | Styles | string | No | A comma-separated list of allowed CSS properties if the + `style` attribute is permitted (e.g., `color`, `text-align`). | - | **Allow All Attributes** | Boolean | No | If set to `True`, all attributes will + | Allow All Attributes | boolean | No | If set to `True`, all attributes will be allowed for the permitted tags. Default is `False`. | - ### Flow Description + ### Additional Notes - 1. **Parameter Extraction**: The action retrieves the input HTML and the configuration - for allowed tags, attributes, and styles. + - This action is a utility function and does not interact with external APIs or + SecOps entities. - 2. **Sanitization Configuration**: Based on the provided parameters, the action - configures the `bleach` sanitization engine. It handles various combinations of - allowed tags, attributes, and CSS properties. + - If no specific tags, attributes, or styles are provided, the action uses the + default safe set defined by the underlying library logic. - 3. **Processing**: The input HTML is parsed and sanitized according to the defined - rules. Misnested or unclosed tags are corrected. - 4. **Output**: The sanitized HTML string is returned as the action result. + ### Flow Description + 1. **Parameter Extraction**: The action retrieves the input HTML and the configuration + for allowed tags, attributes, and styles from the action parameters. - ### Additional Notes + 2. **Sanitizer Configuration**: It initializes a CSS sanitizer if specific styles + are provided and determines the attribute filtering logic based on the `Allow + All Attributes` flag. - - The action code contains logic for `Allow All Tags` and `Allow All Styles`, - but these parameters are not defined in the standard configuration. + 3. **Sanitization Process**: The action calls the `bleach.clean` method, passing + the input HTML and the configured allow-lists to perform the transformation. - - If no specific tags or attributes are provided, the action defaults to a safe - set of standard HTML tags. + 4. **Result Output**: The sanitized HTML string is returned as the action's result + value, and a success message is logged. capabilities: can_create_case_comments: false can_create_insight: false @@ -1201,7 +1293,7 @@ SanitizeHTML: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1215,6 +1307,7 @@ SanitizeHTML: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +String Functions: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1228,27 +1321,41 @@ SanitizeHTML: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -String Functions: ai_description: >- - ### General Description + Performs a variety of string manipulation and transformation operations on a provided + input string. This utility action allows users to apply standard Python string + methods, regular expressions, and encoding/decoding logic within a playbook flow. + + + ### Flow Description + + 1. **Parameter Retrieval**: The action retrieves the `Input` string, the selected + `Function`, and optional arguments `Param 1` and `Param 2` from the action configuration. + + 2. **Placeholder Processing**: For functions like 'Replace' and 'Regex Replace', + it converts the placeholder `_SPACE_` into a literal space character. + + 3. **Logic Execution**: Based on the selected function (e.g., Lower, Regex, DecodeBase64), + the action executes the corresponding Python logic using standard libraries (`re`, + `base64`, `json`). - This action provides a suite of Python-based string manipulation utilities for - use within playbooks. It allows analysts to transform, format, and validate text - data without writing custom code. Supported operations include case conversion, - whitespace trimming, regex-based searching and replacement, base64 encoding/decoding, - and string splitting. + 4. **Result Output**: The transformed string is returned as the main script result. + For the 'Split' function, the resulting list is also added as a JSON result. ### Parameters Description @@ -1259,52 +1366,23 @@ String Functions: | Input | string | Yes | The source text string to be processed. | - | Function | ddl | Yes | The specific operation to perform. Options include: `Lower`, - `Upper`, `Count`, `Find`, `IsAlpha`, `IsDigit`, `Replace`, `Strip`, `Title`, `Regex - Replace`, `JSON Serialize`, `Regex`, `Split`, `DecodeBase64`, `EncodeBase64`, - `RemoveNewLines`. | + | Function | ddl | Yes | The specific operation to perform (e.g., Lower, Upper, + Replace, Regex, Split, etc.). | - | Param 1 | string | No | The primary argument for the selected function (e.g., - the search pattern for `Find`, the regex pattern for `Regex`, or the encoding - type for `EncodeBase64`). | + | Param 1 | string | No | The first argument for the function. Used as a search + string, regex pattern, or encoding type (e.g., 'UTF-8'). | - | Param 2 | string | No | The secondary argument for the selected function (e.g., - the replacement string for `Replace` or the join delimiter for `Regex`). | + | Param 2 | string | No | The second argument for the function. Used as a replacement + string or a joiner for regex results. | ### Additional Notes - - **Placeholders:** For `Replace` and `Regex Replace` functions, the string `_SPACE_` - can be used in `Param 1` or `Param 2` to represent a literal space character. - - - **Base64 Encoding:** `DecodeBase64` and `EncodeBase64` default to `UTF-8` if - `Param 1` is not explicitly set to `UTF-8` or `ASCII`. - - - **Split Output:** When using the `Split` function, the resulting list is also - provided as a JSON result (`JsonResult`) for easier downstream processing. - - - ### Flow Description + - The placeholder `_SPACE_` can be used in `Param 1` and `Param 2` for replacement + functions to represent a literal space. - 1. **Initialization:** The action retrieves the `Input` string and the selected - `Function` from the parameters. - - 2. **Argument Preparation:** It fetches optional `Param 1` and `Param 2` values - required by specific functions. - - 3. **Execution:** The action executes the corresponding Python logic based on - the `Function` parameter: - - **Basic Transforms:** Performs `lower()`, `upper()`, `strip()`, or `title()` - on the input. - - **Search/Count:** Uses `count()` or `find()` to locate substrings. - - **Validation:** Checks string properties using `isalpha()` or `isdigit()`. - - **Replacement:** Performs standard or regex-based replacements, handling - the `_SPACE_` placeholder. - - **Encoding/Serialization:** Handles Base64 operations or JSON serialization. - - **Regex/Split:** Extracts matches using regex or splits the string into - a list based on a delimiter. - 4. **Completion:** The transformed string is returned as the `ScriptResult`, and - an informative message is generated for the action output. + - Base64 functions default to 'UTF-8' if an invalid encoding is provided in `Param + 1`. capabilities: can_create_case_comments: false can_create_insight: false @@ -1318,7 +1396,7 @@ String Functions: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1332,6 +1410,7 @@ String Functions: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Time Duration Calculator: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1345,72 +1424,75 @@ String Functions: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Time Duration Calculator: ai_description: >- - ### General Description + Calculates the time duration or difference between two provided date-time values. + This utility action is designed to help analysts determine the elapsed time between + events, such as the time between an alert creation and a specific log entry, or + the age of an account. It supports custom date formats using strftime syntax and + can dynamically use the current system time. - Calculates the elapsed time or difference between two date-time values. This utility - action is useful for determining the duration of an event, the age of an alert, - or the time between two specific log entries within a playbook. + ### Flow Description: - ### Parameters Description - - | Parameter | Type | Mandatory | Description | + 1. **Parameter Extraction:** The action retrieves two date-time strings and their + corresponding format strings from the input parameters. - | :--- | :--- | :--- | :--- | + 2. **Date Parsing:** It converts the input strings into Python datetime objects. + If an input is set to "now", it uses the current UTC time. If a date is not timezone-aware, + it automatically localizes it to UTC. - | Input DateTime 1 | String | Yes | The first input datetime value. Supports strftime - format or "now" for the current time. | + 3. **Duration Calculation:** The action calculates the difference between the + two dates. - | Input DateTime 1 Format | String | Yes | The strftime format (e.g., `%Y-%m-%dT%H:%M:%S%z`) - used to parse Input DateTime 1. | + 4. **Unit Conversion:** It breaks down the total difference into years, days, + hours, minutes, and seconds. - | Input DateTime 2 | String | Yes | The second input datetime value. Supports - strftime format or "now" for the current time. | + 5. **Output Generation:** The action returns a JSON object containing the breakdown + of the duration and sets the total seconds as the primary result value for use + in playbooks. - | Input DateTime 2 Format | String | Yes | The strftime format used to parse Input - DateTime 2. | + ### Parameters Description: - ### Flow Description + | Parameter Name | Expected Type | Mandatory | Description | - 1. **Parameter Extraction**: Retrieves the two date-time strings and their respective - formats from the action parameters. + | :--- | :--- | :--- | :--- | - 2. **Date Parsing**: Converts the input strings into timezone-aware Python datetime - objects. If "now" is provided, the current UTC time is used. If a string is provided - without timezone info, it is localized to UTC. + | Input DateTime 1 | string | Yes | The first input datetime value. Supports either + a formatted string or the keyword "now" for the current time. | - 3. **Duration Calculation**: Calculates the difference between the two datetime - objects. + | Input DateTime 1 Format | string | Yes | The strftime format (e.g., %Y-%m-%dT%H:%M:%S%z) + used to parse Input DateTime 1. | - 4. **Formatting**: Breaks down the total duration into years, days, hours, minutes, - and seconds. + | Input DateTime 2 | string | Yes | The second input datetime value. Supports + either a formatted string or the keyword "now" for the current time. | - 5. **Output Generation**: Returns a JSON object containing the breakdown and a - human-readable summary string. The action's main result value is set to the total - number of seconds. + | Input DateTime 2 Format | string | Yes | The strftime format used to parse Input + DateTime 2. | - ### Additional Notes + ### Additional Notes: - - This action does not interact with external APIs or SecOps entities. + - This action is a local utility and does not interact with external APIs or SecOps + entities. - - Ensure the format strings match the input date-time strings exactly to avoid - parsing errors. + - Timezone awareness is handled automatically; if a timestamp lacks timezone info, + UTC is assumed. capabilities: can_create_case_comments: false can_create_insight: false @@ -1424,7 +1506,7 @@ Time Duration Calculator: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1438,6 +1520,7 @@ Time Duration Calculator: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +XMLtoJson: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1451,56 +1534,58 @@ Time Duration Calculator: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -XMLtoJson: ai_description: >- - The XMLtoJson action is a utility function designed to convert XML-formatted strings - into JSON objects. This is particularly useful in automation playbooks when interacting - with legacy systems or APIs that return data in XML format, allowing subsequent - actions to easily access and manipulate the data using JSON keys. + ### General Description + Converts XML formatted data into a JSON object. This utility action is designed + to transform data structures within a playbook, allowing subsequent actions to + easily access and manipulate data originally provided in XML format. - ### Flow Description - 1. **Parameter Extraction**: The action retrieves the `xml` string provided by - the user or a previous playbook step. + ### Parameters Description - 2. **Parsing**: It utilizes the `xmltodict` library to parse the XML string into - a Python dictionary. + | Parameter | Description | Type | Mandatory | Notes | - 3. **Result Output**: The resulting dictionary is attached to the action's execution - results as a JSON object, making it available for downstream playbook tasks. + | :--- | :--- | :--- | :--- | :--- | - 4. **Error Handling**: If the XML is malformed or parsing fails, the action catches - the exception, marks the execution as failed, and provides the error message in - the output. + | xml | The XML formatted string that needs to be converted to JSON. | String + | Yes | Expects a valid XML structure. | - ### Parameters Description + ### Flow Description - | Parameter Name | Expected Type | Mandatory | Description | + 1. **Extract Input:** The action retrieves the XML string from the `xml` input + parameter. - | :--- | :--- | :--- | :--- | + 2. **Parsing:** It utilizes the `xmltodict` library to parse the XML string into + a Python dictionary. + + 3. **Output Generation:** The resulting dictionary is added to the action's JSON + results, making it available as a JSON object for the rest of the playbook execution. - | xml | string | Yes | The raw XML string that needs to be converted into JSON - format. | + 4. **Error Handling:** If the XML is malformed or parsing fails, the action catches + the exception and returns a failed status. ### Additional Notes - - This action does not interact with any external APIs or Google SecOps entities; - it is a pure data transformation utility. + This is a pure data transformation utility and does not interact with any external + APIs or modify any entities within Google SecOps. capabilities: can_create_case_comments: false can_create_insight: false @@ -1514,7 +1599,7 @@ XMLtoJson: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1528,28 +1613,3 @@ XMLtoJson: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/power_ups/git_sync/resources/ai/actions_ai_description.yaml b/content/response_integrations/power_ups/git_sync/resources/ai/actions_ai_description.yaml index cbfc35eef..c7fd78031 100644 --- a/content/response_integrations/power_ups/git_sync/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/power_ups/git_sync/resources/ai/actions_ai_description.yaml @@ -1,49 +1,75 @@ Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - Tests the connectivity and configuration for the GitSync integration. This action - verifies that the Google SecOps environment can successfully communicate with - both the internal Chronicle SOAR API and the external Git repository using the - provided credentials and settings. - + ### General Description - ### Flow Description: + The **Ping** action is a diagnostic tool used to verify the connectivity and configuration + of the GitSync integration. It ensures that the Google SecOps environment can + successfully communicate with both the internal Chronicle SOAR API and the external + Git repository (via SSH or HTTPS) using the provided credentials and settings. - 1. **Parameter Extraction:** Retrieves integration configuration parameters including - Repository URL, Branch, Git credentials, and SOAR API credentials. - 2. **Validation:** Validates the 'Commit Author' format using a regular expression - to ensure it follows the 'Name ' pattern. + ### Parameters Description - 3. **SOAR Connectivity Test:** Attempts to connect to the Chronicle SOAR API and - retrieves the system version to verify the 'SOAR Username' and 'SOAR Password'. + This action does not have any action-specific input parameters. It utilizes the + global integration configuration parameters, such as the Repository URL, Branch, + Git Credentials, and SOAR API credentials, to perform its connectivity tests. - 4. **Git Connectivity & Fingerprint Verification:** If a 'Git Server Fingerprint' - is provided, the action connects to the Git server to verify the host key fingerprint - (supporting SHA256 and MD5) and ensures the repository is accessible. - 5. **Result Reporting:** Returns 'True' if all connectivity tests pass; otherwise, - it raises an exception with details about the failure. + ### Flow Description + 1. **Configuration Loading**: The action retrieves integration-level settings, + including repository details, authentication tokens, and SSL verification preferences. - ### Parameters Description: + 2. **Author Format Validation**: It validates the `Commit Author` string against + a specific regex pattern (`Name `) to ensure future commits + will be valid. - | Parameter Name | Expected Type | Mandatory | Description | + 3. **SOAR API Connectivity Test**: It attempts to connect to the Chronicle SOAR + API and retrieve the current system version. A failure here indicates incorrect + SOAR credentials or network issues. - | :--- | :--- | :--- | :--- | + 4. **Git Repository Connectivity Test**: If a `Git Server Fingerprint` is provided, + the action connects to the remote Git server to verify the SSH host key and attempts + to fetch the repository's head tree. This verifies both the network path and the + Git credentials (SSH key or Token). - | None | N/A | N/A | This action does not take any input parameters; it relies - entirely on the Integration Configuration settings. | + 5. **Final Status**: If all checks pass, the action completes successfully, confirming + the integration is ready for use. - ### Additional Notes: + ### Additional Notes - - This action is primarily used for troubleshooting and initial setup verification. + - This action is intended for troubleshooting and initial setup verification. - - It supports both SSH (via private keys) and HTTP/HTTPS (via passwords or tokens) - for Git authentication. - - - Fingerprint verification is optional but recommended for SSH connections to - prevent Man-in-the-Middle (MitM) attacks. + - It does not process any entities. capabilities: can_create_case_comments: false can_create_insight: false @@ -57,7 +83,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -71,28 +97,3 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/power_ups/git_sync/resources/ai/jobs_ai_description.yaml b/content/response_integrations/power_ups/git_sync/resources/ai/jobs_ai_description.yaml index 712a87d8b..ed4f44f29 100644 --- a/content/response_integrations/power_ups/git_sync/resources/ai/jobs_ai_description.yaml +++ b/content/response_integrations/power_ups/git_sync/resources/ai/jobs_ai_description.yaml @@ -2,14 +2,12 @@ Pull Connector: ai_description: >- ### General Description - The **Pull Connector** job is a maintenance and synchronization utility within - the **GitSync** integration. Its primary purpose is to retrieve a specific connector's - configuration from a Git repository and install or update it within the Google - SecOps (Chronicle) SOAR platform. This ensures that connector settings, including - environment-specific configurations and integration versions, are kept in sync - with a version-controlled source of truth. Additionally, the job can optionally - pull and install associated dependencies such as Visual Families and Ontology - Mappings to ensure the connector is fully operational upon import. + The **Pull Connector** job is part of the **GitSync** integration. Its primary + purpose is to synchronize a specific connector's configuration and logic from + a remote Git repository to the Google SecOps (Chronicle) SOAR platform. This job + facilitates version control and automated deployment of connectors, ensuring that + the SOAR environment stays updated with the latest connector definitions, including + optional related components like Visual Families and Ontology Mappings. ### Parameters Description @@ -18,122 +16,114 @@ Pull Connector: | :--- | :--- | :--- | :--- | - | Repo URL | String | No | Optional parameter to override the Git repository URL - configured in the integration instance. | + | Repo URL | String | No | Optional parameter to override the repository URL found + in the integration instance settings. | - | Branch | String | No | Optional parameter to override the Git branch configured - in the integration instance. | + | Branch | String | No | Optional parameter to override the Git branch found in + the integration instance settings. | | Git Server Fingerprint | String | No | Optional parameter to override the SSH - server fingerprint (SHA256 or MD5) for secure Git connections. | + fingerprint for Git server verification. | - | Connector Name | String | Yes | The exact name of the connector to be pulled - from the repository. | + | Connector Name | String | Yes | The exact name of the connector to pull from + the Git repository. | - | Include Visual Families | Boolean | No | If set to `true`, the job will identify - and install custom visual families associated with the connector's mappings. | + | Include Visual Families | Boolean | No | Whether to pull and install the visual + families associated with the connector's alert types. | - | Include Mappings | Boolean | No | If set to `true`, the job will install the - ontology mapping rules (event-to-visual-family associations) for the connector's - integration. | + | Include Mappings | Boolean | No | Whether to pull and install the ontology mappings + (rules and records) associated with the connector. | ### Flow Description - 1. **Initialization**: The job initializes the `GitSyncManager` using the provided - repository URL, branch, and credentials. It extracts the target connector name - and dependency flags. + 1. **Initialization**: The job extracts the target connector name and configuration + overrides (URL, Branch, Fingerprint) from the job parameters. - 2. **Repository Retrieval**: It connects to the Git repository and searches for - the connector's JSON configuration file within the `Connectors/` directory. + 2. **Git Connection**: It initializes the `GitSyncManager` to connect to the specified + Git repository and the SOAR API. - 3. **Connector Installation**: If the connector is found, the job installs or - updates the connector instance in the SOAR platform. It also checks if the installed - integration version matches the connector's requirements, flagging updates if - necessary. + 3. **Fetch Connector**: The job searches the repository for the specified connector + definition. - 4. **Dependency Analysis**: If either `Include Visual Families` or `Include Mappings` - is enabled, the job retrieves the mapping definitions associated with the connector's - parent integration from the repository. + 4. **Installation**: If found, the job installs or updates the connector in the + SOAR platform using the `install_connector` logic, which also handles integration + dependency checks. - 5. **Visual Family Sync**: If `Include Visual Families` is active, the job identifies - visual families referenced in the mappings that are not yet present in the SOAR - platform and installs them. + 5. **Dependency Resolution**: If the user opted to include Visual Families or + Mappings, the job retrieves the mapping data for the connector's integration. - 6. **Mapping Sync**: If `Include Mappings` is active, the job installs the ontology - records and rules, ensuring events are correctly mapped to the appropriate visual - families. + 6. **Visual Family Sync**: If enabled, it identifies visual families referenced + in the mappings that are not yet installed in the SOAR platform and pulls/installs + them from Git. - 7. **Completion**: The job logs the success of the installation and terminates - the script. + 7. **Mapping Sync**: If enabled, it installs the ontology mapping rules and records + to ensure incoming alerts are correctly visualized and parsed. Pull Content: ai_description: "### General Description\nThis job is a core component of the GitSync\ - \ integration, designed to synchronize security operations content from a Git\ - \ repository into the Google SecOps (Chronicle) SOAR platform. It facilitates\ - \ 'Configuration as Code' by allowing administrators to deploy, update, and manage\ - \ various SOAR resources\u2014including playbooks, integrations, connectors, and\ - \ environment settings\u2014directly from a version-controlled repository. The\ - \ job ensures that the local SOAR environment matches the state defined in Git,\ - \ supporting automated deployment pipelines and environment consistency.\n\n###\ - \ Parameters Description\n| Parameter | Type | Mandatory | Description |\n| :---\ - \ | :--- | :--- | :--- |\n| Repo URL | String | No | Optional parameter to override\ - \ the repository URL configured in the integration instance. |\n| Branch | String\ - \ | No | Optional parameter to override the target Git branch. |\n| Git Server\ - \ Fingerprint | String | No | Optional parameter to override the SSH fingerprint\ - \ for server verification. |\n| Integrations | Boolean | Yes | If true, pulls\ - \ and installs custom integrations and custom code from the repository. |\n| Playbooks\ - \ | Boolean | Yes | If true, pulls and updates playbooks and blocks based on their\ - \ names. |\n| Jobs | Boolean | Yes | If true, pulls and installs job definitions.\ - \ |\n| Connectors | Boolean | Yes | If true, pulls and installs connector instances.\ - \ |\n| Integration Instances | Boolean | Yes | If true, synchronizes integration\ - \ instances across environments. Note: Passwords may be overwritten. |\n| Visual\ - \ Families | Boolean | Yes | If true, synchronizes custom visual families for\ - \ the ontology. |\n| Mappings | Boolean | Yes | If true, synchronizes event-to-ontology\ - \ mapping rules. |\n| Environments | Boolean | Yes | If true, creates or updates\ - \ environment records. |\n| Dynamic Parameters | Boolean | Yes | If true, synchronizes\ - \ environment-specific dynamic parameters. |\n| Logo | Boolean | Yes | If true,\ - \ pulls and updates the custom company logo. |\n| Case Tags | Boolean | Yes |\ - \ If true, synchronizes case tag definitions. |\n| Case Stages | Boolean | Yes\ - \ | If true, synchronizes case stage definitions. |\n| Case Title Settings | Boolean\ - \ | Yes | If true, synchronizes settings for automatic case titling. |\n| Case\ - \ Close Reasons | Boolean | Yes | If true, synchronizes custom root causes and\ - \ close reasons. |\n| Networks | Boolean | Yes | If true, synchronizes network\ - \ CIDR and metadata definitions. |\n| Domains | Boolean | Yes | If true, synchronizes\ - \ domain alias records. |\n| Custom Lists | Boolean | Yes | If true, synchronizes\ - \ tracking/custom lists. |\n| Email Templates | Boolean | Yes | If true, synchronizes\ - \ email templates used in playbooks. |\n| Blacklists | Boolean | Yes | If true,\ - \ synchronizes blocklist/denylist records. |\n| SLA Records | Boolean | Yes |\ - \ If true, synchronizes SLA definition records. |\n| Simulated Cases | Boolean\ - \ | Yes | If true, pulls and imports simulated cases for testing. |\n\n### Flow\ - \ Description\n1. **Initialization**: The job initializes the `GitSyncManager`,\ - \ which clones or pulls the specified Git repository and branch to a temporary\ - \ local directory.\n2. **Parameter Extraction**: It extracts all feature flags\ - \ (boolean parameters) to determine which specific content types should be synchronized\ - \ during the run.\n3. **Environment Setup**: The job first processes foundational\ - \ settings, including Environment Dynamic Parameters and Environment records,\ - \ ensuring the target infrastructure is ready.\n4. **Core Content Installation**:\ - \ It iterates through logic-heavy components, installing or updating Integrations,\ - \ Connectors, Jobs, and Playbooks. For playbooks, it handles dependency ordering\ - \ (installing blocks before playbooks).\n5. **Ontology and Mapping**: The job\ - \ synchronizes Visual Families and Mappings to ensure data is correctly visualized\ - \ and parsed within the platform.\n6. **Platform Configuration**: It updates administrative\ - \ settings such as Case Tags, Stages, Close Reasons, Title Settings, and SLA Records.\n\ - 7. **Data and Assets**: The job synchronizes operational data including Networks,\ - \ Domains, Custom Lists, Email Templates, Blacklists, and the company Logo.\n\ - 8. **Validation and Cleanup**: Throughout the process, the job uses an ID validator\ - \ to match Git resources with existing SOAR resources by name, ensuring updates\ - \ occur rather than duplicate creations. Finally, it cleans up temporary files\ - \ and closes the Git connection." + \ integration, designed to synchronize and deploy content from a Git repository\ + \ into a Google SecOps (Chronicle) environment. It enables a CI/CD-like workflow\ + \ for SOAR resources, allowing users to pull playbooks, integrations, connectors,\ + \ jobs, and various system settings (like environments, tags, and SLA records)\ + \ from a version-controlled source. This job is essential for promoting content\ + \ between environments (e.g., from Development to Production) or restoring a system\ + \ configuration from a backup.\n\n### Parameters Description\n| Parameter | Type\ + \ | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Repo URL | String\ + \ | No | Optional override for the Git repository URL defined in the integration\ + \ instance. |\n| Branch | String | No | Optional override for the Git branch to\ + \ pull content from. |\n| Git Server Fingerprint | String | No | Optional override\ + \ for the SSH fingerprint used to verify the Git server. |\n| Integrations | Boolean\ + \ | Yes | If enabled, pulls and installs custom integrations and custom code.\ + \ |\n| Playbooks | Boolean | Yes | If enabled, pulls and installs playbooks and\ + \ blocks, updating them based on name. |\n| Jobs | Boolean | Yes | If enabled,\ + \ pulls and installs job definitions. |\n| Connectors | Boolean | Yes | If enabled,\ + \ pulls and installs connector definitions. |\n| Integration Instances | Boolean\ + \ | Yes | If enabled, pulls and configures integration instances; note that passwords\ + \ may be overwritten. |\n| Visual Families | Boolean | Yes | If enabled, pulls\ + \ and updates ontology visual family definitions. |\n| Mappings | Boolean | Yes\ + \ | If enabled, pulls and updates ontology mapping rules. |\n| Environments |\ + \ Boolean | Yes | If enabled, creates or updates environment records. |\n| Dynamic\ + \ Parameters | Boolean | Yes | If enabled, creates or updates environment-specific\ + \ dynamic parameters. |\n| Logo | Boolean | Yes | If enabled, pulls and applies\ + \ the custom company logo. |\n| Case Tags | Boolean | Yes | If enabled, pulls\ + \ and updates case tag definitions. |\n| Case Stages | Boolean | Yes | If enabled,\ + \ pulls and updates case stage definitions. |\n| Case Title Settings | Boolean\ + \ | Yes | If enabled, pulls and applies case title formatting settings. |\n| Case\ + \ Close Reasons | Boolean | Yes | If enabled, pulls and updates custom case closure\ + \ reasons. |\n| Networks | Boolean | Yes | If enabled, pulls and updates network\ + \ definitions. |\n| Domains | Boolean | Yes | If enabled, pulls and updates domain\ + \ alias definitions. |\n| Custom Lists | Boolean | Yes | If enabled, pulls and\ + \ updates custom tracking lists. |\n| Email Templates | Boolean | Yes | If enabled,\ + \ pulls and updates email template definitions. |\n| Blacklists | Boolean | Yes\ + \ | If enabled, pulls and updates blocklist/denylist records. |\n| SLA Records\ + \ | Boolean | Yes | If enabled, pulls and updates SLA definition records. |\n\ + | Simulated Cases | Boolean | Yes | If enabled, pulls and installs simulated cases\ + \ for testing purposes. |\n\n### Flow Description\n1. **Initialization**: The\ + \ job initializes the Git connection using the provided repository URL, branch,\ + \ and credentials (SSH key or Token).\n2. **Repository Sync**: It clones the repository\ + \ to a temporary directory or pulls the latest changes if the repository was previously\ + \ cloned.\n3. **Feature Selection**: The job checks the boolean parameters to\ + \ determine which types of content (e.g., Playbooks, Integrations, Settings) should\ + \ be processed.\n4. **Resource Processing**: For each enabled category, the job\ + \ reads the corresponding JSON or definition files from the Git repository.\n\ + 5. **State Comparison**: It queries the Google SecOps API to identify existing\ + \ resources. It uses an internal validator to match resources by name or unique\ + \ identifiers.\n6. **Deployment (Upsert)**: \n * **Integrations/Connectors/Jobs**:\ + \ Installs or updates the code and definitions.\n * **Playbooks**: Uses a specialized\ + \ installer to handle complex logic, including mapping nested blocks and re-assigning\ + \ integration instances based on the target environment's availability.\n *\ + \ **System Settings**: Updates global configurations like Environments, SLA records,\ + \ and Case Tags.\n7. **Completion**: Logs the results of the synchronization and\ + \ cleans up temporary files." Pull Custom Family: ai_description: >- ### General Description The **Pull Custom Family** job is part of the **GitSync** integration. Its primary - purpose is to import or update a specific Visual Family configuration from a Git - repository into the Google SecOps (Chronicle) SOAR platform. This job enables - teams to maintain their ontology and visualization settings as code, ensuring - consistency across different environments by pulling version-controlled family - definitions (including rules and icons) directly from a repository. + purpose is to synchronize a specific Visual Family definition from a remote Git + repository into the Google SecOps SOAR platform. This job enables teams to maintain + their ontology configurations (Visual Families) in a version-controlled environment + and deploy them programmatically to SOAR instances. ### Parameters Description @@ -149,41 +139,42 @@ Pull Custom Family: in the integration instance settings. | | Git Server Fingerprint | String | No | Optional parameter to override the SSH - server fingerprint for host verification. | + fingerprint used for Git server verification. | - | Family Name | String | Yes | The exact name of the visual family to be retrieved - from the repository and imported into the platform. | + | Family Name | String | Yes | The exact name of the Visual Family to be retrieved + from the repository. | ### Flow Description - 1. **Parameter Extraction**: The job retrieves the mandatory `Family Name` and - optional Git configuration overrides from the job settings. + 1. **Parameter Extraction**: The job retrieves the target `Family Name` and any + optional Git configuration overrides (URL, Branch, Fingerprint) from the job settings. - 2. **Git Initialization**: It initializes the `GitSyncManager`, which clones or - pulls the latest changes from the specified Git repository to a temporary working - directory. + 2. **Git Connection**: It initializes the `GitSyncManager`, which establishes + a connection to the Git repository, cloning or pulling the latest changes to a + temporary directory. - 3. **Content Retrieval**: The job searches the repository's internal structure - (specifically under the `Ontology/VisualFamilies/` path) for a JSON definition - matching the provided `Family Name`. + 3. **Content Retrieval**: The job searches the repository's directory structure + (specifically under `Ontology/VisualFamilies/`) for a JSON definition matching + the provided `Family Name`. - 4. **Platform Update**: If the family definition is found, the job sends the raw - configuration data to the Google SecOps API using the `AddOrUpdateVisualFamily` - endpoint. + 4. **Ontology Update**: If the Visual Family is found in the repository, the job + extracts its raw data and sends a request to the Google SecOps API to create or + update the Visual Family in the platform's ontology. - 5. **Completion**: The job logs whether the family was successfully updated or - if it could not be found in the repository, then cleans up temporary resources. + 5. **Completion**: The job logs the success or failure of the synchronization + and terminates the script. Pull Integration: ai_description: >- ### General Description - This job automates the synchronization of integrations from a Git repository to - the Google SecOps (Chronicle) SOAR platform. It allows administrators to pull - specific integrations defined in a whitelist, ensuring that custom code, actions, - connectors, and jobs are updated or installed directly from version control. The - job supports both custom integrations (imported as full packages) and commercial - integrations (where specific custom components are updated). + The **Pull Integration** job is a core component of the **GitSync** integration, + designed to automate the deployment and synchronization of Google SecOps integrations + from a Git repository. It allows administrators to maintain 'Integration as Code' + by pulling specific integration definitions and scripts from a version-controlled + repository and installing or updating them within the SOAR platform. The job supports + both custom integrations and commercial integrations that have been extended with + custom logic. ### Parameters Description @@ -193,56 +184,86 @@ Pull Integration: | :--- | :--- | :--- | :--- | | Install Whitelist | String | Yes | A comma-separated list of integration identifiers - (e.g., "VirusTotal, ServiceNow") to be pulled and installed from the Git repository. - | + (e.g., 'VirusTotal, ServiceNow') to be pulled from the Git repository and installed + or updated. | - | Repo URL | String | No | Optional parameter to override the repository URL configured - in the GitSync integration instance. | + | Repo URL | String | No | The URL of the Git repository (HTTPS or SSH). If provided, + this overrides the default repository URL defined in the integration's configuration. + | - | Branch | String | No | Optional parameter to override the Git branch configured - in the GitSync integration instance. | + | Branch | String | No | The specific Git branch to pull content from. If provided, + this overrides the default branch defined in the integration's configuration. + | - | Git Server Fingerprint | String | No | Optional parameter to override the SSH - server fingerprint (SHA256 or MD5) for host verification. | + | Git Server Fingerprint | String | No | The SSH fingerprint (SHA256 or MD5) used + to verify the Git server's identity. If provided, this overrides the fingerprint + defined in the integration's configuration. | ### Flow Description - 1. **Initialization**: The job parses the `Install Whitelist` to identify which - integrations need to be processed. + 1. **Initialization**: The job extracts the list of integrations to process from + the 'Install Whitelist' and retrieves any provided Git configuration overrides + (URL, Branch, Fingerprint). - 2. **Git Connection**: It establishes a connection to the Git repository using - the provided overrides or the default integration instance settings (URL, Branch, - Credentials). + 2. **Git Synchronization**: It initializes a connection to the Git repository, + cloning or pulling the latest changes into a temporary working directory on the + SOAR runner. - 3. **Repository Sync**: The job clones or pulls the latest state of the repository - into a temporary working directory. + 3. **Content Discovery**: The job iterates through the whitelist, searching the + repository's `Integrations/` directory for the specified integration folders and + their corresponding `.def` (definition) files. - 4. **Integration Retrieval**: For each integration in the whitelist, the job searches - the repository's `Integrations/` directory for the corresponding definition and - source files. - - 5. **Installation Logic**: + 4. **Installation Logic**: * **Custom Integrations**: If the integration is marked as custom, the job - packages the files into a ZIP and imports them into the SOAR platform using the - `ImportPackage` API. + packages the repository files into a ZIP blob and performs a full package import + via the SOAR API. * **Commercial Integrations**: If the integration is commercial, the job ensures - it is installed (attempting to install from the Marketplace if missing) and then - iterates through custom Actions, Jobs, Connectors, and Managers to update their - logic in the IDE. - 6. **Completion**: The job logs the installation status for each item and cleans - up the temporary working directory. + the base integration is installed (attempting a marketplace installation if missing) + and then iterates through individual components (Actions, Connectors, Jobs, and + Managers) to update their scripts and metadata in the IDE. + 5. **Completion**: The job logs the success or failure of each integration pull + and performs a cleanup of the temporary local repository files. Pull Jobs: + ai_description: "### General Description\nThe **Pull Jobs** job is part of the **GitSync**\ + \ integration and is designed to synchronize SOAR Job definitions from a remote\ + \ Git repository to the Google SecOps platform. This enables a 'Configuration\ + \ as Code' workflow, allowing administrators to manage job settings\u2014such\ + \ as execution intervals and input parameters\u2014within a version-controlled\ + \ environment and deploy them automatically to the SOAR instance.\n\n### Parameters\ + \ Description\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- |\ + \ :--- | :--- |\n| Job Whitelist | String | Yes | A comma-separated list of the\ + \ specific job names to be retrieved and installed from the Git repository. |\n\ + | Repo URL | String | No | Optional override for the Git repository URL. If not\ + \ provided, the URL from the integration instance configuration is used. |\n|\ + \ Branch | String | No | Optional override for the Git branch to pull from. If\ + \ not provided, the branch from the integration instance configuration is used.\ + \ |\n| Git Server Fingerprint | String | No | Optional override for the SSH fingerprint\ + \ (SHA256 or MD5) used to verify the Git server's identity. |\n\n### Flow Description\n\ + 1. **Parameter Extraction**: The job parses the `Job Whitelist` to identify which\ + \ jobs need to be synchronized.\n2. **Git Initialization**: It initializes the\ + \ `GitSyncManager`, which establishes a connection to the Git repository using\ + \ the provided credentials (SSH key or Token) and overrides.\n3. **Repository\ + \ Sync**: The job clones or pulls the latest state of the repository to a temporary\ + \ working directory.\n4. **Job Retrieval**: For each job specified in the whitelist,\ + \ the job searches the `Jobs/` directory in the repository for a matching JSON\ + \ definition file.\n5. **Dependency Validation**: It verifies that the integration\ + \ associated with the job is already installed in the SOAR environment.\n6. **ID\ + \ Resolution**: The job queries the SOAR API to resolve the internal `jobDefinitionId`\ + \ (from the IDE) and checks if the job already exists to determine whether to\ + \ perform an update or a new installation.\n7. **Installation**: The job pushes\ + \ the configuration to the SOAR platform, updating the job's settings, parameters,\ + \ and run intervals.\n8. **Completion**: The script logs the success or failure\ + \ of each job pull and terminates." +Pull Mappings: ai_description: >- ### General Description - The **Pull Jobs** job is a maintenance utility within the **GitSync** integration - designed to synchronize job definitions from a Git repository to the Google SecOps - (Chronicle) environment. It allows administrators to manage SOAR jobs as code, - ensuring that automation scripts and their configurations are version-controlled - and consistently deployed across different environments. The job fetches job metadata - from the repository and performs an "upsert" (update or insert) operation in the - local SOAR instance. + This job is part of the GitSync integration and is designed to synchronize ontology + mappings from a Git repository to Google SecOps. It allows administrators to manage + alert mapping rules and visual family associations in a version-controlled environment + and deploy them automatically to the SOAR platform. The job specifically targets + mappings associated with a provided 'Source' (integration identifier or vendor). ### Parameters Description @@ -251,81 +272,47 @@ Pull Jobs: | :--- | :--- | :--- | :--- | - | Job Whitelist | String | Yes | A comma-separated list of job names to pull from - the Git repository. Only jobs specified in this list will be processed. | - | Repo URL | String | No | Optional parameter to override the repository URL configured in the integration instance. | - | Branch | String | No | Optional parameter to override the Git branch configured - in the integration instance. | + | Branch | String | No | Optional parameter to override the Git branch used for + synchronization. | | Git Server Fingerprint | String | No | Optional parameter to override the SSH - server fingerprint (SHA256 or MD5) for host verification. | + fingerprint for Git server verification. | + | Source | String | Yes | The integration identifier or vendor name. The job pulls + all mappings related to this source from the repository (e.g., 'VirusTotal'). + | - ### Flow Description - - 1. **Parameter Extraction**: The job parses the `Job Whitelist` to identify which - specific jobs need to be imported. - 2. **Git Initialization**: It initializes the `GitSyncManager`, which clones or - pulls the latest changes from the configured Git repository into a temporary working - directory. + ### Flow Description - 3. **Content Retrieval**: For each job name in the whitelist, the job searches - the repository's `Jobs/` directory for the corresponding JSON definition file. + 1. **Parameter Extraction**: The job retrieves the 'Source' parameter and any + optional Git configuration overrides. - 4. **Dependency Validation**: It verifies that the integration associated with - the job is already installed in the SOAR environment. + 2. **Git Initialization**: Initializes the GitSync manager to establish a connection + with the remote repository and pull the latest changes to a local temporary directory. - 5. **ID Resolution**: The job attempts to resolve the `jobDefinitionId` by querying - the IDE cards and checks if the job already exists locally to determine if an - update or a new creation is required. + 3. **Content Retrieval**: Locates the mapping files within the repository under + the path `Ontology/Mappings/{Source}/`, specifically looking for record and rule + JSON files. - 6. **Installation**: It calls the SOAR API to save or update the job configuration - based on the data retrieved from Git. + 4. **Ontology Update**: Parses the retrieved mapping rules and updates the Google + SecOps ontology by adding or updating mapping rules for family and system fields. - 7. **Completion**: The job logs the success or failure of each individual job - import and cleans up temporary resources. -Pull Mappings: - ai_description: "### General Description\nThe **Pull Mappings** job is a maintenance\ - \ and synchronization component of the **GitSync** integration. Its primary purpose\ - \ is to import and apply ontology mappings\u2014specifically event-to-visual-family\ - \ associations and mapping rules\u2014from a remote Git repository into the Google\ - \ SecOps (Chronicle) platform. This enables security teams to manage their event\ - \ categorization and visualization logic using version control, ensuring consistency\ - \ across different environments.\n\n### Parameters Description\n| Parameter |\ - \ Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Repo URL\ - \ | String | No | Optional parameter to override the Git repository URL configured\ - \ in the integration instance. |\n| Branch | String | No | Optional parameter\ - \ to override the Git branch used for pulling content. |\n| Git Server Fingerprint\ - \ | String | No | Optional parameter to override the SSH fingerprint for Git server\ - \ verification. |\n| Source | String | Yes | The integration identifier or vendor\ - \ name (e.g., 'MicrosoftSentinel'). The job pulls all mappings associated with\ - \ this specific source from the repository. |\n\n### Flow Description\n1. **Parameter\ - \ Extraction**: The job retrieves the `Source` parameter and optional Git configuration\ - \ overrides.\n2. **Git Synchronization**: It initializes the `GitSyncManager`,\ - \ which clones or pulls the latest changes from the specified Git repository to\ - \ a temporary local directory.\n3. **Content Retrieval**: The job utilizes the\ - \ `GitContentManager` to locate mapping files within the repository's structure,\ - \ specifically looking for `{Source}_Records.json` and `{Source}_Rules.json` under\ - \ the `Ontology/Mappings` path.\n4. **Rule Installation**: It parses the retrieved\ - \ mapping rules (family and system fields) and updates the Google SecOps ontology\ - \ via the API.\n5. **Visual Family Association**: The job iterates through the\ - \ mapping records and updates the platform's configuration to link specific products\ - \ and event names to their designated Visual Families.\n6. **Cleanup**: The temporary\ - \ working directory is cleaned up, and the script execution ends." + 5. **Visual Family Association**: Updates the platform's visualization settings + by linking the specified products and event names to their respective visual families + as defined in the repository. Pull Playbook: ai_description: >- ### General Description - The **Pull Playbook** job is designed to synchronize specific playbooks and blocks - from a Git repository into the Google SecOps (Chronicle) environment. As part - of the **GitSync** integration, it enables teams to maintain playbooks in version - control and deploy them programmatically. The job allows for targeted synchronization - via a whitelist and can automatically resolve dependencies by pulling any blocks - referenced within the selected playbooks. + This job automates the retrieval and installation of specific playbooks and playbook + blocks from a Git repository into the Google SecOps (Chronicle) SOAR platform. + It allows teams to maintain version-controlled workflows in Git and selectively + synchronize them to the SOAR environment, ensuring that automation logic is consistent + and up to date. ### Parameters Description @@ -334,61 +321,51 @@ Pull Playbook: | :--- | :--- | :--- | :--- | - | Repo URL | String | No | Overrides the repository URL defined in the integration - instance settings. | + | Repo URL | String | No | Optional parameter to override the repository URL defined + in the integration instance settings. | - | Branch | String | No | Overrides the Git branch defined in the integration instance - settings. | + | Branch | String | No | Optional parameter to override the Git branch defined + in the integration instance settings. | - | Git Server Fingerprint | String | No | Overrides the SSH server fingerprint - used for host verification. | + | Git Server Fingerprint | String | No | Optional parameter to override the SSH + fingerprint used for Git server verification. | | Playbook Whitelist | String | Yes | A comma-separated list of playbook names to pull from the repository. | - | Include Playbook Blocks | Boolean | Yes | If True, the job identifies and pulls - all blocks used by the playbooks in the whitelist to ensure full functionality. + | Include Playbook Blocks | Boolean | Yes | If set to True, the job automatically + identifies and pulls any playbook blocks referenced by the playbooks in the whitelist. | ### Flow Description - 1. **Environment Setup**: The job initializes the `GitSyncManager`, which handles - the connection to the Git provider and manages a temporary local clone of the - repository. - - 2. **Target Identification**: It parses the `Playbook Whitelist` to create a list - of specific playbooks to be imported. + 1. **Initialization**: The job extracts configuration parameters and initializes + the GitSync manager to establish a connection with the Git repository. - 3. **Content Fetching**: The job retrieves the JSON definitions for each specified - playbook from the repository's `Playbooks` directory. + 2. **Playbook Discovery**: It iterates through the provided whitelist and attempts + to locate the corresponding playbook files within the repository's directory structure. - 4. **Dependency Analysis**: If `Include Playbook Blocks` is enabled, the job scans - the retrieved playbooks for any 'Block' type steps and fetches those block definitions + 3. **Dependency Mapping**: If the "Include Playbook Blocks" flag is enabled, the + job parses the retrieved playbooks to identify any nested blocks and fetches them from the repository as well. - 5. **Workflow Installation**: The collected playbooks and blocks are passed to - the `WorkflowInstaller`, which performs the following sub-tasks: - * **Environment Validation**: Ensures the target environments assigned to - the playbooks exist in the local SOAR instance. - * **Instance Mapping**: Automatically maps integration instances within playbook - steps to available instances in the local environment (supporting both static - and dynamic/AutomaticEnvironment modes). - * **Conflict Resolution**: Compares modification timestamps against a local - cache to determine if an update is required and warns if local changes are about - to be overwritten. - * **ID Synchronization**: Matches identifiers for existing playbooks to maintain - consistency or generates new UUIDs for new content. - 6. **Persistence**: The finalized playbook and block definitions are saved to - the Google SecOps platform, and the local modification cache is updated. + 4. **Workflow Installation**: The job passes the collected playbooks and blocks + to the installation logic, which handles the creation of new workflows or the + updating of existing ones. + + 5. **ID and Environment Alignment**: During installation, the job automatically + maps environment names, reconciles internal identifiers with existing local versions, + and updates the local modification cache to track synchronization state. Pull Simulated Cases: ai_description: >- ### General Description - This job imports specific simulated cases from a Git repository into the Google - SecOps platform. It enables security teams to maintain attack simulation content - in version control and synchronize it with their SOAR environment for consistent - testing and validation of detection and response capabilities. + This job is part of the **GitSync** integration and is designed to automate the + import of simulated cases from a Git repository into Google SecOps. It allows + security teams to maintain simulation content (used for testing playbooks or training) + in a version-controlled environment and synchronize specific cases to the SOAR + platform on demand or on a schedule. ### Parameters Description @@ -398,44 +375,45 @@ Pull Simulated Cases: | :--- | :--- | :--- | :--- | | Simulated Cases | String | Yes | A comma-separated list of simulated case names - to pull from the repository. | + to pull from the repository (e.g., "Phishing_Simulation, Malware_Test"). | - | Repo URL | String | No | Optional parameter to override the repository URL found - in the GitSync integration instance. | + | Repo URL | String | No | Optional parameter to override the Git repository URL + configured in the integration instance. | - | Branch | String | No | Optional parameter to override the branch name found - in the GitSync integration instance. | + | Branch | String | No | Optional parameter to override the Git branch configured + in the integration instance. | | Git Server Fingerprint | String | No | Optional parameter to override the SSH - server fingerprint found in the GitSync integration instance. | + fingerprint (SHA256 or MD5) for the Git server. | ### Flow Description - 1. **Parameter Extraction**: The job parses the comma-separated list of simulated - case names provided in the job configuration. + 1. **Parameter Extraction**: The job parses the `Simulated Cases` string into + a list of individual case names. - 2. **GitSync Initialization**: It initializes the GitSync manager, which clones - or pulls the latest changes from the specified Git repository and branch. + 2. **Manager Initialization**: It initializes the `GitSyncManager`, which handles + the connection to the Git repository and the Google SecOps API. - 3. **Content Retrieval**: For each specified case name, the job searches the repository's - `SimulatedCases/` directory for the corresponding `.case` file. + 3. **Content Retrieval**: For each specified case name, the job queries the Git + repository's `SimulatedCases/` directory to retrieve the corresponding `.case` + file content. - 4. **Import Execution**: The job reads the JSON content of the case file and uses - the Google SecOps API to import the simulated case into the platform. + 4. **Platform Import**: The job sends the retrieved case data to the Google SecOps + API to import or update the simulated case in the platform. - 5. **Logging**: Success or failure for each individual case import is logged to - the job output. + 5. **Logging and Completion**: It logs the success or failure of each individual + case import and terminates the script once the list is processed. Push Connectors: ai_description: >- ### General Description - This job exports specific connectors and their associated metadata from Google - SecOps to a Git repository. It enables version control for connector configurations - and scripts, allowing teams to maintain a history of changes and synchronize connector - settings across different environments. Beyond the connector itself, the job can - optionally include related ontology mappings and visual families to ensure a complete - export of the integration's logic. + The **Push Connectors** job exports specific connector configurations from Google + SecOps to a Git repository. This job facilitates version control and portability + of connector settings, allowing users to back up or migrate connector definitions. + Beyond the connector itself, the job can optionally package associated ontology + components, such as mapping rules and visual families, ensuring that the entire + ingestion logic for a specific integration is preserved in the repository. ### Parameters Description @@ -444,67 +422,124 @@ Push Connectors: | :--- | :--- | :--- | :--- | - | Commit | String | Yes | The commit message to describe the changes in the Git - repository. | + | Commit | String | Yes | The commit message to be used for the Git transaction. + | | Connectors | String | Yes | A comma-separated list of connector display names to be pushed to the repository. | - | Branch | String | No | Optional parameter to override the Git branch specified + | Branch | String | No | Optional parameter to override the Git branch defined in the integration instance. | | Git Server Fingerprint | String | No | Optional parameter to override the SSH fingerprint for the Git server. | - | Repo URL | String | No | Optional parameter to override the repository URL found + | Repo URL | String | No | Optional parameter to override the repository URL defined in the integration instance. | | Commit Author | String | No | Optional parameter to override the commit author - (format: `Name `). | + (Format: `Name `). | - | Include Visual Families | Boolean | No | If set to `true`, the job will also - export related visual families used by the connector's alerts. | + | Include Visual Families | Boolean | No | If set to `true`, the job will identify + and export visual families associated with the connector's mappings. | - | Include Mappings | Boolean | No | If set to `true`, the job will also export - related ontology mappings used by the connector's alerts. | + | Include Mappings | Boolean | No | If set to `true`, the job will export the + ontology mapping rules and records associated with the connector's integration. + | - | Readme Addon | String | No | Optional markdown text to append to the end of - the README file for all connectors pushed during this run. | + | Readme Addon | String | No | Markdown text to append to the end of the README + file for all connectors pushed during this run. | ### Flow Description - 1. **Initialization**: The job extracts the provided parameters and initializes - the `GitSyncManager`, which handles the connection to the Git repository and local - workspace management. - - 2. **Connector Retrieval**: Fetches all installed connectors from the Google SecOps - platform and filters them based on the names provided in the `Connectors` parameter. - - 3. **Metadata Preparation**: For each matching connector, the job prepares the - connector's JSON definition and script. If a `Readme Addon` is provided, it updates - the GitSync metadata to include this text in the connector's documentation. - - 4. **Dependency Analysis**: If `Include Mappings` or `Include Visual Families` - is enabled, the job identifies the integration associated with the connector and - retrieves the corresponding ontology records and mapping rules. - - 5. **Asset Staging**: The job stages the connector files, and optionally the mapping - and visual family files, into the local repository structure. - - 6. **Commit and Push**: Finally, the job creates a Git commit with the specified - message and author, then pushes the changes to the remote repository branch. + 1. **Initialization**: The job initializes the `GitSyncManager`, which clones + or pulls the latest state of the target Git repository and validates the connection. + + 2. **Connector Filtering**: It retrieves all installed connectors from the SOAR + environment and filters them to match the names provided in the `Connectors` parameter. + + 3. **Metadata Update**: If a `Readme Addon` is provided, the job updates the `GitSync.json` + metadata file to include the additional documentation for the selected connectors. + + 4. **Connector Export**: For each matching connector, the job generates the JSON + definition and a README file, then stages them for the Git commit. + + 5. **Ontology Enrichment (Optional)**: + * If **Include Mappings** is enabled, the job fetches all ontology records + and mapping rules associated with the connector's parent integration and stages + them. + * If **Include Visual Families** is enabled, the job identifies the specific + visual families used by those mappings and exports their definitions and icons + (PNG). + 6. **Finalization**: The job performs a Git commit with the provided message and + author details, then pushes the changes to the remote repository. Push Content: + ai_description: "### General Description\nThis job automates the backup and version\ + \ control of Google SecOps (Chronicle) platform content by pushing it to a Git\ + \ repository. It allows administrators to synchronize a wide range of platform\ + \ components\u2014including playbooks, integrations, connectors, and system settings\u2014\ + to a remote repository for configuration management, auditing, and disaster recovery\ + \ purposes. The job supports granular control over which content types are synchronized\ + \ and provides options to override repository configurations and handle sensitive\ + \ data like passwords.\n\n### Parameters Description\n| Parameter | Type | Mandatory\ + \ | Description |\n| :--- | :--- | :--- | :--- |\n| Commit | String | Yes | The\ + \ commit message to be used for the Git operation. |\n| Repo URL | String | No\ + \ | Optional parameter to override the repository URL defined in the integration\ + \ instance. |\n| Branch | String | No | Optional parameter to override the target\ + \ Git branch. |\n| Git Server Fingerprint | String | No | Optional parameter to\ + \ override the SSH fingerprint for server verification. |\n| Commit Author | String\ + \ | No | Optional parameter to override the commit author (Format: `Name `).\ + \ |\n| Commit Passwords | Boolean | Yes | If set to true, includes passwords in\ + \ the synchronization. **Warning:** Use only for testing; never commit passwords\ + \ to production repositories. |\n| Integrations | Boolean | Yes | Whether to push\ + \ all custom and commercial integrations. |\n| Playbooks | Boolean | Yes | Whether\ + \ to push all playbooks and blocks. |\n| Jobs | Boolean | Yes | Whether to push\ + \ all defined jobs. |\n| Connectors | Boolean | Yes | Whether to push all defined\ + \ connectors. |\n| Integration Instances | Boolean | Yes | Whether to push integration\ + \ instance configurations across all environments. |\n| Visual Families | Boolean\ + \ | Yes | Whether to push custom visual families from the ontology. |\n| Mappings\ + \ | Boolean | Yes | Whether to push ontology mapping rules and records. |\n| Environments\ + \ | Boolean | Yes | Whether to push environment definitions. |\n| Dynamic Parameters\ + \ | Boolean | Yes | Whether to push environment-specific dynamic parameters. |\n\ + | Logo | Boolean | Yes | Whether to push the platform logo settings. |\n| Case\ + \ Tags | Boolean | Yes | Whether to push case tag definitions. |\n| Case Stages\ + \ | Boolean | Yes | Whether to push case stage definitions. |\n| Case Title Settings\ + \ | Boolean | Yes | Whether to push case title formatting settings. |\n| Case\ + \ Close Reasons | Boolean | Yes | Whether to push case close reasons and root\ + \ causes. |\n| Networks | Boolean | Yes | Whether to push network definitions.\ + \ |\n| Domains | Boolean | Yes | Whether to push domain records. |\n| Custom Lists\ + \ | Boolean | Yes | Whether to push custom tracking lists. |\n| Email Templates\ + \ | Boolean | Yes | Whether to push email templates. |\n| Blacklists | Boolean\ + \ | Yes | Whether to push denylist/blocklist records. |\n| SLA Records | Boolean\ + \ | Yes | Whether to push SLA definition records. |\n| Simulated Cases | Boolean\ + \ | Yes | Whether to push simulated cases used for testing. |\n\n### Flow Description\n\ + 1. **Initialization**: The job initializes the `GitSyncManager`, which sets up\ + \ a temporary working directory and establishes a connection to the Git repository\ + \ using the provided credentials and configuration overrides.\n2. **Feature Selection**:\ + \ It evaluates the boolean parameters to determine which platform components (features)\ + \ are selected for synchronization.\n3. **Content Extraction**: For each enabled\ + \ feature, the job calls the SecOps API to fetch the relevant data:\n * **Integrations/Playbooks/Connectors**:\ + \ Exports the packages or definitions and prepares them for Git storage.\n \ + \ * **Settings**: Retrieves system-wide configurations like Networks, SLA records,\ + \ and Case Tags.\n * **Integration Instances**: Iterates through environments\ + \ to fetch instance settings, optionally including passwords if the `Commit Passwords`\ + \ flag is enabled.\n4. **Staging**: The extracted content is formatted into JSON\ + \ or appropriate file types and staged in the local Git tree managed by the `GitSyncManager`.\n\ + 5. **Commit and Push**: Once all selected content is staged, the job generates\ + \ a root `README.md` summarizing the repository content, performs a Git commit\ + \ with the specified message, and pushes the changes to the remote repository." +Push Custom Family: ai_description: >- ### General Description - This job automates the process of exporting and synchronizing Google SecOps (Chronicle) - content and configurations to a remote Git repository. It serves as a version - control and backup mechanism, allowing administrators to push playbooks, integrations, - connectors, jobs, and various system settings (such as mappings, environments, - and case tags) to a centralized repository. The job supports granular control - over which content types are included and provides options for handling sensitive - data like passwords during the export process. + The **Push Custom Family** job is part of the **GitSync** integration. Its primary + purpose is to export custom Visual Families (ontology visualization configurations) + from the Google SecOps platform to a Git repository. This enables version control, + backup, and the ability to synchronize visualization rules across different environments. + The job retrieves the full configuration of specified families, including their + rules and associated icons, and pushes them to the repository along with generated + documentation. ### Parameters Description @@ -513,112 +548,63 @@ Push Content: | :--- | :--- | :--- | :--- | - | Commit | String | Yes | The commit message to be used for the Git push operation. - | + | Commit | String | Yes | The commit message to use when pushing changes to the + Git repository. | - | Repo URL | String | No | Optional override for the Git repository URL defined + | Repo URL | String | No | Optional override for the Git repository URL configured in the integration instance. | - | Branch | String | No | Optional override for the target Git branch. | + | Branch | String | No | Optional override for the Git branch configured in the + integration instance. | | Git Server Fingerprint | String | No | Optional override for the SSH fingerprint - used to verify the Git server. | - - | Commit Author | String | No | Optional override for the commit author (Format: - Name ). | - - | Commit Passwords | Boolean | Yes | If true, includes passwords/secrets in the - exported integration instance settings. **Warning: Use with caution.** | - - | Integrations | Boolean | Yes | Whether to push all custom and commercial integrations. - | - - | Playbooks | Boolean | Yes | Whether to push all playbooks and blocks. | - - | Jobs | Boolean | Yes | Whether to push all defined maintenance and enrichment - jobs. | - - | Connectors | Boolean | Yes | Whether to push all configured connector instances. - | - - | Integration Instances | Boolean | Yes | Whether to push integration instance - configurations and settings. | - - | Visual Families | Boolean | Yes | Whether to push ontology visual family definitions. - | - - | Mappings | Boolean | Yes | Whether to push ontology mapping records and rules. - | - - | Environments | Boolean | Yes | Whether to push environment definitions. | - - | Dynamic Parameters | Boolean | Yes | Whether to push environment-specific dynamic - parameters. | - - | Logo | Boolean | Yes | Whether to push the platform's custom logo settings. - | - - | Case Tags | Boolean | Yes | Whether to push case tag definitions. | - - | Case Stages | Boolean | Yes | Whether to push case stage definitions. | + of the Git server for verification. | - | Case Title Settings | Boolean | Yes | Whether to push case title formatting - settings. | + | Commit Author | String | No | Optional override for the commit author (e.g., + "John Doe "). | - | Case Close Reasons | Boolean | Yes | Whether to push case closure reasons and - root causes. | + | Family Name | String | Yes | A comma-separated list of the names of custom visual + families to export. | - | Networks | Boolean | Yes | Whether to push network range definitions. | + | Readme Addon | String | No | Optional Markdown text to append to the README.md + file of the exported visual families. | - | Domains | Boolean | Yes | Whether to push domain alias records. | - | Custom Lists | Boolean | Yes | Whether to push custom tracking lists. | + ### Flow Description - | Email Templates | Boolean | Yes | Whether to push email communication templates. - | + 1. **Initialization**: The job extracts the commit message, the list of visual + family names to export, and any optional configuration overrides. - | Blacklists | Boolean | Yes | Whether to push blocklist/denylist records. | + 2. **Git Setup**: It initializes the GitSync manager, which clones the remote + repository or pulls the latest changes into a temporary working directory. - | SLA Records | Boolean | Yes | Whether to push Service Level Agreement definitions. - | + 3. **Data Retrieval**: The job queries the Google SecOps API to fetch all custom + visual families defined in the system. - | Simulated Cases | Boolean | Yes | Whether to push simulated case data for testing. - | + 4. **Filtering**: It iterates through the retrieved families and identifies those + that match the names provided in the `Family Name` parameter. + 5. **Metadata Update**: If a `Readme Addon` is provided, the job updates the GitSync + metadata file (`GitSync.json`) to include the additional documentation for the + selected families. - ### Flow Description + 6. **Staging**: For each matching family, the job retrieves the full data (including + rules and the base64-encoded image) and stages the corresponding JSON, PNG, and + README files in the local repository structure. - 1. **Initialization**: The job initializes the `GitSyncManager`, which clones - or pulls the latest changes from the specified Git repository and branch. - - 2. **Parameter Extraction**: It extracts the commit message and all boolean flags - to determine which content categories should be processed. - - 3. **Content Collection**: For each enabled category, the job queries the Google - SecOps API to retrieve the relevant data: - * **Integrations/Playbooks**: Exports packages and definitions, updating internal - references (like instance names) to ensure portability. - * **Settings**: Collects system-wide configurations like Networks, Domains, - SLA records, and Case Tags. - * **Secrets Handling**: If `Commit Passwords` is enabled, it attempts to retrieve - and include sensitive configuration values for integration instances. - 4. **Git Staging**: The collected content is transformed into structured JSON - or YAML files and staged within the local Git tree managed by the job. - - 5. **Documentation Generation**: Automatically generates or updates `README.md` - files for integrations, playbooks, and the repository root to provide human-readable - summaries of the exported content. - - 6. **Commit and Push**: Finalizes the process by committing the staged changes - with the provided message and pushing them to the remote Git server. -Push Custom Family: + 7. **Commit and Push**: Finally, the job commits the staged changes with the provided + commit message and pushes the new commit to the remote Git repository. +Push Integration: ai_description: >- ### General Description - This job exports specific Visual Families (ontology definitions) from Google SecOps - to a Git repository. It enables version control, backup, and portability of custom - visualization rules, entity relations, and icons by staging the family's data - model, image, and documentation in a structured repository format. + The **Push Integration** job automates the synchronization of Google SecOps (Chronicle) + integrations from the SOAR environment to a remote Git repository. It enables + version control for both custom and commercial integrations by exporting their + definitions, scripts, and resources, and then committing them to a specified Git + branch. This job is essential for maintaining a 'Configuration as Code' workflow, + allowing teams to track changes, collaborate on integration development, and maintain + a backup of their SOAR logic in a centralized repository. ### Parameters Description @@ -627,58 +613,63 @@ Push Custom Family: | :--- | :--- | :--- | :--- | - | Commit | String | Yes | The commit message to describe the changes in the Git - repository. | + | Commit | String | Yes | The commit message to be used for the Git operation. + | - | Repo URL | String | No | Optional parameter to override the repository URL defined - in the integration instance. | + | Push Whitelist | String | Yes | A comma-separated list of integration identifiers + (e.g., 'VirusTotal, ServiceNow') that should be exported and pushed to the repository. + | - | Branch | String | No | Optional parameter to override the target Git branch - defined in the integration instance. | + | Repo URL | String | No | Optional override for the Git repository URL defined + in the integration instance settings. | - | Git Server Fingerprint | String | No | Optional parameter to override the SSH - server fingerprint (SHA256 or MD5) for host verification. | + | Branch | String | No | Optional override for the target Git branch defined in + the integration instance settings. | - | Commit Author | String | No | Optional parameter to override the commit author. - Must follow the format: `Name `. | + | Git Server Fingerprint | String | No | Optional override for the SSH fingerprint + (SHA256 or MD5) used to verify the Git server's identity. | - | Family Name | String | Yes | A comma-separated list of Visual Family names to - be pushed to the repository. | + | Commit Author | String | No | Optional override for the commit author. Must + follow the format: `Name `. | - | Readme Addon | String | No | Markdown text to append to the end of the README.md - file for all custom families pushed during this run. | + | Readme Addon | String | No | Optional markdown text to append to the end of + the generated README.md file for every integration pushed during this execution. + | ### Flow Description - 1. **Initialization**: The job initializes the GitSync manager, which clones or - pulls the target repository to a temporary working directory. + 1. **Initialization**: The job initializes the GitSync manager, which handles + the local cloning or pulling of the target Git repository and establishes a connection + to the Google SecOps API. - 2. **Parameter Parsing**: It extracts the list of Visual Family names to export - and any optional overrides for Git configuration. + 2. **Integration Filtering**: It retrieves all available IDE items (integrations) + from the SOAR environment and filters them against the provided **Push Whitelist**. - 3. **Data Retrieval**: The job fetches all custom Visual Families from the Google - SecOps environment and filters them based on the provided names. + 3. **Package Export**: For each integration in the whitelist, the job exports + the full integration package (including scripts, definitions, and dependencies) + from the SOAR platform. - 4. **Metadata Update**: If a `Readme Addon` is provided, the job updates the `GitSync.json` - metadata file to include the additional documentation for the selected families. + 4. **Metadata & Documentation**: If a **Readme Addon** is provided, the job updates + the `GitSync.json` metadata file. It then generates or updates the `README.md` + for the integration, incorporating the addon text. - 5. **Staging**: For each matching family, the job retrieves the full data model - (including rules and the base64-encoded icon) and stages the corresponding JSON, - PNG, and README files in the local repository tree. + 5. **Staging**: The job prepares the file structure within the local repository + clone, overwriting the existing integration folders with the newly exported data. - 6. **Synchronization**: Finally, the job performs a Git commit with the specified - message and pushes the changes to the remote repository branch. -Push Integration: + 6. **Commit and Push**: Finally, the job creates a Git commit with the specified + **Commit** message and author, and pushes the changes to the remote repository + branch. +Push Job: ai_description: >- ### General Description - This job automates the process of exporting and pushing specific integrations - from Google SecOps to a Git repository. It enables version control and backup - of SOAR content by synchronizing local integration definitions, scripts, and resources - with a remote Git server. The job allows for selective synchronization via a whitelist - and supports the addition of custom markdown content to the README files of the - pushed integrations. + The **Push Job** is a maintenance utility designed to export specific SOAR job + configurations and metadata from Google SecOps to a remote Git repository. This + job facilitates version control and backup of automation logic by synchronizing + job definitions, including their parameters and run intervals, into a structured + repository format. It allows users to specify a whitelist of jobs to export and + provides the ability to append custom documentation to the generated README files. ### Parameters Description @@ -690,59 +681,57 @@ Push Integration: | Commit | String | Yes | The commit message to be used for the Git operation. | - | Push Whitelist | String | Yes | A comma-separated list of integration identifiers - (e.g., 'VirusTotal, ServiceNow') to be pushed to the repository. | + | Repo URL | String | No | Optional override for the Git repository URL defined + in the integration instance. | - | Repo URL | String | No | Optional parameter to override the repository URL configured - in the GitSync integration instance. | + | Branch | String | No | Optional override for the target Git branch defined in + the integration instance. | - | Branch | String | No | Optional parameter to override the target branch name - configured in the GitSync integration instance. | + | Git Server Fingerprint | String | No | Optional override for the Git server + SSH fingerprint (SHA256 or MD5). | - | Git Server Fingerprint | String | No | Optional SSH fingerprint (SHA256 or MD5) - used to verify the identity of the Git server. | + | Commit Author | String | No | Optional override for the commit author. Must + follow the format: `Name `. | - | Commit Author | String | No | Optional parameter to override the commit author - (format: 'Name '). | + | Job Whitelist | String | Yes | A comma-separated list of job names to be exported + to the repository. | - | Readme Addon | String | No | Markdown text that will be appended to the end - of the README file for every integration pushed during this execution. | + | Readme Addon | String | No | Markdown text to append to the end of the README + file for every job pushed during this run. | ### Flow Description - 1. **Parameter Extraction**: The job retrieves the commit message, the list of - integrations to push (whitelist), and any optional overrides or README additions. + 1. **Initialization**: The job initializes the `GitSyncManager`, which establishes + a connection to the remote Git repository and the SOAR API, applying any provided + parameter overrides (URL, Branch, Author). - 2. **Manager Initialization**: Initializes the `GitSyncManager`, which handles - the connection to the Git repository and the Google SecOps API. + 2. **Job Retrieval**: Fetches all installed jobs from the Google SecOps environment + via the API. - 3. **Integration Filtering**: Fetches all available integration 'IDE cards' from - the platform and filters them to include only those specified in the `Push Whitelist`. + 3. **Filtering**: Filters the retrieved jobs based on the `Job Whitelist`. It + automatically excludes internal system jobs (e.g., Monitors) and jobs belonging + to the `GitSync` integration itself to prevent recursion. - 4. **Package Export**: For each identified integration, the job exports the full - integration package (including definitions, Python scripts, and resources) as - a byte stream. + 4. **Content Preparation**: For each whitelisted job, it generates the job definition + JSON. If a `Readme Addon` is provided, it updates the GitSync metadata to include + this documentation for the specific job. - 5. **Metadata Enhancement**: If a `Readme Addon` is provided, the job updates - the `GitSync.json` metadata file to include the custom markdown for the specific - integration. + 5. **Documentation Generation**: Updates the individual job README files and regenerates + the repository's root README to reflect the current state of exported jobs. - 6. **Staging**: The job prepares the file structure for the repository, overwriting - the existing integration folders with the newly exported content. - - 7. **Commit and Push**: Finally, the job creates a Git commit with the provided - message and pushes the changes to the configured remote branch. -Push Job: + 6. **Synchronization**: Commits the changes to the local repository clone using + the provided commit message and pushes the updates to the remote Git server. +Push Mappings: ai_description: >- ### General Description - This job exports specific Google SecOps (Chronicle) jobs to a Git repository for - version control and backup. It allows users to select a subset of jobs via a whitelist, - optionally append custom documentation to their README files, and synchronize - the job configurations (including parameters and run intervals) to a remote Git - server. The job also maintains a central README file in the repository to provide - an overview of all exported jobs. + This job exports ontology mappings from Google SecOps to a Git repository. It + identifies mapping records and rules associated with a specific source, cleanses + the data (such as removing example event fields), and synchronizes them to the + repository for version control and configuration management. This ensures that + mapping logic for specific integrations or products is backed up and can be shared + across environments. ### Parameters Description @@ -751,7 +740,7 @@ Push Job: | :--- | :--- | :--- | :--- | - | Commit | String | Yes | The commit message to be used for the Git push operation. + | Commit | String | Yes | The commit message to be used for the Git operation. | | Repo URL | String | No | Optional parameter to override the repository URL configured @@ -764,86 +753,49 @@ Push Job: fingerprint used for Git server verification. | | Commit Author | String | No | Optional parameter to override the commit author - (Format: Name ). | + (Format: "Name "). | - | Job Whitelist | String | Yes | A comma-separated list of job names to be pushed - to the repository. | + | Source | String | Yes | The specific source (e.g., integration or product name) + whose mappings will be exported. | - | Readme Addon | String | No | Markdown text to append to the end of the README - file for all jobs pushed during this run. | + | Readme Addon | String | No | Optional markdown text to append to the end of + the README.md file for the mappings pushed in this run. | ### Flow Description - 1. **Initialization**: The job initializes the `GitSyncManager`, which sets up - a temporary local workspace and establishes a connection to the Git repository - using the provided credentials and configuration. + 1. **Initialization**: The job initializes the GitSync manager using provided + parameters or integration instance defaults to establish a connection with the + Git repository. - 2. **Job Retrieval**: It fetches all installed jobs from the Google SecOps platform - via the internal API. + 2. **Data Retrieval**: It fetches all ontology records from the SOAR platform + and filters them to find records matching the specified `Source` parameter. - 3. **Filtering**: The job filters the retrieved list based on the `Job Whitelist` - parameter, while automatically excluding internal system monitor jobs and the - GitSync integration itself. + 3. **Rule Processing**: For each matching record, the job retrieves the corresponding + mapping rules (family and system fields) and filters them to ensure they belong + to the target source. - 4. **Metadata Update**: If a `Readme Addon` is provided, it updates the `GitSync.json` - metadata file to include the custom documentation for the selected jobs. + 4. **Data Cleansing**: It removes `exampleEventFields` from the records to ensure + sensitive or unnecessary event data is not exported to the repository. - 5. **Staging**: For each whitelisted job, the configuration is converted to a - JSON format and staged in the local Git repository structure under the `Jobs/` - directory. + 5. **Metadata Update**: If a `Readme Addon` is provided, the job updates the GitSync + metadata file (`GitSync.json`) with the additional markdown content. - 6. **Documentation Generation**: The job generates or updates individual README - files for the exported jobs and updates the root README file for the Jobs section - to reflect the current state of the repository. + 6. **Staging**: The job generates the mapping files (Records JSON, Rules JSON, + and a README) and stages them in the local repository clone. - 7. **Commit and Push**: Finally, the job commits the changes with the specified - commit message and pushes the updates to the remote Git repository. -Push Mappings: - ai_description: "### General Description\nThis job exports ontology mapping configurations\u2014\ - including records and rules\u2014from Google SecOps to a Git repository. It is\ - \ designed to facilitate version control and synchronization of how events are\ - \ mapped to entities and visual families for a specific source integration. By\ - \ automating the export of these mappings, teams can maintain a 'configuration\ - \ as code' approach for their SOAR environment.\n\n### Parameters Description\n\ - | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ - | Commit | String | Yes | The message to be used for the Git commit. |\n| Source\ - \ | String | Yes | The name of the source integration (e.g., 'Active Directory',\ - \ 'CrowdStrike') whose mappings should be exported. |\n| Repo URL | String | No\ - \ | Optional override for the Git repository URL defined in the integration instance.\ - \ |\n| Branch | String | No | Optional override for the target Git branch. |\n\ - | Git Server Fingerprint | String | No | Optional override for the SSH server\ - \ fingerprint used for host verification. |\n| Commit Author | String | No | Optional\ - \ override for the commit author. Must follow the format: `Name `.\ - \ |\n| Readme Addon | String | No | Markdown text to append to the end of the\ - \ generated README file for the exported mappings. |\n\n### Flow Description\n\ - 1. **Initialization**: The job extracts configuration parameters and initializes\ - \ the `GitSyncManager` to handle repository operations and API communication.\n\ - 2. **Data Retrieval**: It fetches all ontology status records from the Google\ - \ SecOps platform.\n3. **Filtering**: The job filters the retrieved records to\ - \ include only those associated with the specified `Source` integration.\n4. **Rule\ - \ Collection**: For each matching record, it retrieves the corresponding mapping\ - \ rules (both family and system fields) from the platform.\n5. **Data Sanitization**:\ - \ It cleans the records by removing `exampleEventFields` to ensure the exported\ - \ files remain focused on configuration rather than specific event data.\n6. **Metadata\ - \ Update**: If a `Readme Addon` is provided, the job updates the `GitSync.json`\ - \ metadata file to include the additional markdown content.\n7. **Staging**: The\ - \ job prepares the mapping data (JSON files for records and rules) and generates\ - \ a README file, staging them within the local repository structure.\n8. **Push**:\ - \ Finally, it commits the changes using the provided commit message and author\ - \ details, then pushes the update to the remote Git repository." + 7. **Commit and Push**: Finally, it commits the changes with the specified `Commit` + message and pushes the updates to the remote Git repository. Push Playbook: ai_description: >- ### General Description - This job exports playbooks and playbook blocks from Google SecOps to a Git repository. - It allows for granular control over which content is synchronized by using whitelists - for specific playbooks or entire folders (categories). A key feature of this job - is its ability to maintain portability; it automatically converts internal integration - instance identifiers within playbook steps into their corresponding display names, - ensuring that exported playbooks can be successfully imported into different environments. - It also handles dependencies by optionally including all blocks referenced by - the selected playbooks. + This job automates the export of playbooks and blocks from Google SecOps to a + Git repository. It facilitates version control and synchronization of automation + logic by allowing users to selectively push content based on specific names or + folders. The job ensures that exported playbooks remain portable by updating integration + instance references and can optionally include all dependent blocks and custom + documentation addons. ### Parameters Description @@ -852,70 +804,70 @@ Push Playbook: | :--- | :--- | :--- | :--- | - | Branch | String | No | The Git branch to push the content to. If not provided, - the branch defined in the integration instance is used. | + | Branch | String | No | Optional branch name to override the default branch configured + in the integration instance. | | Commit | String | Yes | The commit message to be used for the Git push operation. | - | Repo URL | String | No | The URL of the target Git repository. If not provided, - the URL defined in the integration instance is used. | + | Repo URL | String | No | Optional repository URL to override the default URL + configured in the integration instance. | - | Git Server Fingerprint | String | No | The SSH fingerprint of the Git server - for verification. Overrides the integration instance setting if provided. | + | Git Server Fingerprint | String | No | Optional SSH fingerprint for Git server + verification (SHA256 or MD5). | - | Commit Author | String | No | The author of the commit, formatted as `Name `. - Overrides the integration instance setting if provided. | + | Commit Author | String | No | Optional author details in the format: `Name `. + | - | Folders Whitelist | String | No | A comma-separated list of playbook categories - (folders) to export. | + | Folders Whitelist | String | No | Comma-separated list of playbook categories + (folders) to include in the export. | - | Playbook Whitelist | String | No | A comma-separated list of specific playbook - names to export. | + | Playbook Whitelist | String | No | Comma-separated list of specific playbook + names to include in the export. | - | Readme Addon | String | No | Markdown text to be appended to the end of the - `README.md` file for every playbook exported during this run. | + | Readme Addon | String | No | Markdown text to append to the end of the README + file for every playbook pushed during this run. | - | Include Playbook Blocks | Boolean | Yes | If set to `true`, the job will automatically - identify and export all playbook blocks referenced by the selected playbooks. + | Include Playbook Blocks | Boolean | Yes | If set to `True`, the job will also + identify and export all blocks (nested workflows) used within the selected playbooks. | ### Flow Description - 1. **Initialization**: Extracts job parameters and validates that at least one - whitelist (Folders or Playbooks) has been provided. - - 2. **Git Setup**: Initializes the Git manager, clones or pulls the target repository, - and checks out the specified branch. - - 3. **Content Filtering**: Retrieves all playbooks from the SOAR environment and - filters them based on the `Playbook Whitelist` and `Folders Whitelist` parameters. - - 4. **Playbook Processing**: For each matching playbook, the job: - * Appends the `Readme Addon` to the playbook metadata if specified. - * Fetches the full playbook definition. - * Updates step parameters (like `IntegrationInstance`) from internal UUIDs - to display names to ensure the playbook remains portable across different SOAR - instances. - * Stages the playbook JSON and generated README files in the local Git repository - structure. - 5. **Block Processing**: If `Include Playbook Blocks` is enabled, the job identifies - all blocks used within the processed playbooks, retrieves their definitions, updates - their instance names, and stages them for export. - - 6. **Finalization**: Generates an updated root README for the Playbooks directory, - commits all staged changes with the provided commit message, and pushes the updates - to the remote Git repository. + 1. **Initialization**: Extracts job parameters and initializes the `GitSyncManager` + to establish a connection with the remote repository. + + 2. **Content Discovery**: Fetches all playbooks currently installed in the Google + SecOps environment. + + 3. **Filtering**: Iterates through the playbooks and identifies those that match + the names in the `Playbook Whitelist` or belong to categories in the `Folders + Whitelist`. + + 4. **Processing**: For each matching playbook, it retrieves the full workflow + definition and updates integration instance display names to ensure the exported + JSON is descriptive and portable. + + 5. **Documentation Enrichment**: If a `Readme Addon` is provided, it updates the + metadata to ensure the custom markdown is appended to the playbook's documentation. + + 6. **Dependency Handling**: If `Include Playbook Blocks` is enabled, the job recursively + finds and processes all blocks referenced by the selected playbooks. + + 7. **Repository Update**: Generates an updated root README for the playbooks directory + and stages all changes in the local Git tree. + + 8. **Commit and Push**: Finalizes the process by committing the changes with the + provided message and pushing them to the remote Git repository. Push Simulated Cases: ai_description: >- ### General Description This job exports specific simulated cases from the Google SecOps platform to a Git repository. It enables version control and sharing of simulated attack scenarios - by allowing users to select cases by name and push them to a configured Git branch. - This is particularly useful for maintaining a library of attack simulations across - different environments. + by programmatically pushing selected cases to a centralized repository managed + via the GitSync integration. ### Parameters Description @@ -924,20 +876,20 @@ Push Simulated Cases: | :--- | :--- | :--- | :--- | - | Commit | String | Yes | The commit message to be used for the Git push operation. - | + | Commit | String | Yes | The message to be associated with the Git commit. | - | Repo URL | String | No | Optional parameter to override the repository URL configured - in the integration instance. | + | Repo URL | String | No | Optional URL of the Git repository. If provided, it + overrides the URL configured in the integration instance. | - | Branch | String | No | Optional parameter to override the target branch configured - in the integration instance. | + | Branch | String | No | Optional Git branch name. If provided, it overrides the + branch configured in the integration instance. | - | Git Server Fingerprint | String | No | Optional parameter to override the SSH - fingerprint for the Git server. | + | Git Server Fingerprint | String | No | Optional SSH fingerprint for Git server + verification. If provided, it overrides the fingerprint configured in the integration + instance. | - | Commit Author | String | No | Optional parameter to override the commit author - (e.g., "Name "). | + | Commit Author | String | No | Optional author details (e.g., "Name "). + If provided, it overrides the author configured in the integration instance. | | Simulated Cases | String | Yes | A comma-separated list of simulated case names to be exported to the repository. | @@ -946,17 +898,20 @@ Push Simulated Cases: ### Flow Description 1. **Parameter Extraction**: The job retrieves the commit message and the list - of simulated case names provided by the user. + of simulated case names from the configuration. + + 2. **Manager Initialization**: It initializes the `GitSyncManager`, which handles + the connection to the Git repository and the Google SecOps API. - 2. **Initialization**: It initializes the `GitSyncManager`, which sets up the - connection to the Git repository and the Google SecOps API. + 3. **Case Retrieval**: The job fetches the list of all custom simulated cases + currently available in the platform. - 3. **Case Retrieval**: The job fetches all available custom simulated cases from - the Google SecOps platform. + 4. **Filtering and Export**: It iterates through the platform's cases, identifying + those that match the names provided in the parameters. For each match, it exports + the case data. - 4. **Filtering and Staging**: It iterates through the platform's cases, matching - them against the user-provided list. For each match, it exports the case data - and stages it as a `.case` file in the repository's `SimulatedCases/` directory. + 5. **Staging**: The exported case data is staged as a `.case` file within the + local repository structure. - 5. **Commit and Push**: Finally, it performs a Git commit with the specified message - and pushes the staged files to the remote repository. + 6. **Commit and Push**: Finally, the job commits the changes using the provided + commit message and pushes the new or updated case files to the remote Git repository. diff --git a/content/response_integrations/power_ups/image_utilities/resources/ai/actions_ai_description.yaml b/content/response_integrations/power_ups/image_utilities/resources/ai/actions_ai_description.yaml index 82158b8a0..a199bfeaa 100644 --- a/content/response_integrations/power_ups/image_utilities/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/power_ups/image_utilities/resources/ai/actions_ai_description.yaml @@ -1,63 +1,84 @@ Convert File: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - The **Convert File** action is a utility designed to transform files between **PNG** - and **PDF** formats. This action is executed locally on a **Remote Agent**, allowing - for secure file processing within the customer's environment. It is particularly - useful for standardizing image formats for reporting, documentation, or further - forensic analysis. + Converts files between PNG and PDF formats. This action is designed to run on + a Remote Agent to access local file systems and utilize system-level conversion + utilities. It supports bidirectional conversion between PNG images and PDF documents. ### Parameters Description + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Input File Format** | DDL | Yes | The original format of the file to be converted. - Supported values: `PNG`, `PDF`. | + | Input File Format | DDL | Yes | The original format of the file to be converted. + Supported values: PNG, PDF. | - | **Input File Path** | String | Yes | The absolute path to the source file on - the Remote Agent's filesystem. | + | Input File Path | String | Yes | The absolute path to the source file located + on the Remote Agent's filesystem. | - | **Output File Format** | DDL | Yes | The desired format after the conversion - process. Supported values: `PNG`, `PDF`. | + | Output File Format | DDL | Yes | The target format for the conversion. Supported + values: PNG, PDF. Must be different from the input format. | ### Additional Notes - - **Remote Agent Required**: This action can only be executed on a Remote Agent. - - - **Format Mismatch**: The `Input File Format` and `Output File Format` must be - different; otherwise, the action will fail. + - **Remote Agent Required**: This action must be executed on a Remote Agent. It + will fail if run on a cloud-based environment. - **Dependencies**: PDF to PNG conversion requires `poppler-utils` (specifically - the `pdftoppm` utility) to be installed on the Remote Agent. PNG to PDF conversion - uses the `Pillow` library. + `pdftoppm`) to be installed on the Remote Agent host. - - **PDF Conversion Scope**: When converting from PDF to PNG, the action currently - extracts and saves only the first page of the PDF document. + - **Output Location**: Converted files are stored in the system's temporary directory + with a timestamped filename. ### Flow Description - 1. **Environment Validation**: The action first verifies that it is running on - a Remote Agent. + 1. **Environment Validation**: Checks if the action is running on a Remote Agent. - 2. **Parameter Validation**: It checks if the input file exists at the specified - path and ensures that the input and output formats are not identical. + 2. **Parameter Validation**: Verifies that the input file exists, the formats + are supported, and that the input and output formats are not identical. - 3. **Output Path Generation**: A unique output filename is generated in the system's - temporary directory, incorporating the original filename and a timestamp. + 3. **Path Generation**: Constructs a unique output file path in the temporary + directory using the original filename and a current timestamp. - 4. **File Conversion**: - - **PDF to PNG**: Uses the `pdf2image` library to render the first page of - the PDF as a PNG image. - - **PNG to PDF**: Uses the `Pillow` library to convert the image to RGB mode - and save it as a PDF file. - 5. **Result Reporting**: Upon success, the action returns the path to the converted - file and the output format in the JSON results. + 4. **Conversion Logic**: + - If converting **PDF to PNG**: Uses the `pdf2image` library to extract the + first page of the PDF and save it as a PNG image. + - If converting **PNG to PDF**: Uses the `Pillow` (PIL) library to convert + the image to RGB mode and save it as a PDF document. + 5. **Result Reporting**: Returns the path of the newly created file and the output + format in the JSON results. capabilities: can_create_case_comments: false can_create_insight: false @@ -71,7 +92,7 @@ Convert File: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -85,6 +106,7 @@ Convert File: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +OCR Image: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -98,44 +120,71 @@ Convert File: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -OCR Image: - ai_description: "### General Description\nThe **OCR Image** action performs Optical\ - \ Character Recognition (OCR) on an image to extract text content. This utility\ - \ is designed to process visual data\u2014such as screenshots of logs, error messages,\ - \ or phishing content\u2014and convert it into machine-readable text for use in\ - \ downstream playbook logic.\n\n### Parameters Description\n| Parameter | Type\ - \ | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Base64 Encoded\ - \ Image | String | No | The base64 encoded string of the image file. If provided,\ - \ this parameter takes precedence over the 'File Path'. |\n| File Path | String\ - \ | No | The local file system path to the image file. This is used if no Base64\ - \ string is provided. |\n\n### Additional Notes\n- **Execution Environment:**\ - \ This action **must** be executed on a **Remote Agent**.\n- **System Dependencies:**\ - \ The Remote Agent's environment must have the `tesseract-ocr` package installed\ - \ (e.g., via `apt-get install -y tesseract-ocr`).\n- **Input Logic:** At least\ - \ one of the two parameters ('Base64 Encoded Image' or 'File Path') must be provided\ - \ for the action to run. If both are provided, the Base64 string is processed.\n\ - \n### Flow Description\n1. **Environment Verification:** The action checks if\ - \ it is running on a Remote Agent; if not, it raises an error.\n2. **Parameter\ - \ Extraction:** Retrieves the Base64 string or the file path from the input.\n\ - 3. **Input Validation:** Ensures that at least one valid input source is available.\n\ - 4. **Image Processing:** \n - If a Base64 string is provided, it is decoded\ - \ and saved to a temporary file.\n - If only a file path is provided, the action\ - \ targets that specific path.\n5. **OCR Extraction:** The action uses the Tesseract\ - \ OCR engine (via the `pytesseract` library) to analyze the image and extract\ - \ text.\n6. **Result Delivery:** The extracted text is cleaned (stripped of leading/trailing\ - \ whitespace) and returned as a JSON result." + ai_description: >- + ### General Description + + The **OCR Image** action performs Optical Character Recognition (OCR) to extract + text from image files. This utility is designed to help analysts process visual + data such as screenshots or scanned documents directly within their playbooks. + It requires the Tesseract OCR engine to be installed on a Remote Agent. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Base64 Encoded Image | String | No | The base64 encoded string of the image + file to be processed. | + + | File Path | String | No | The local file system path to the image file on the + Remote Agent. | + + + ### Additional Notes + + * **Requirement:** This action can only be executed on a **Remote Agent**. + + * **Dependency:** The `tesseract-ocr` package must be installed in the Remote + Agent environment (e.g., `apt-get install -y tesseract-ocr`). + + * **Logic:** Either the 'Base64 Encoded Image' or the 'File Path' must be provided. + If both are supplied, the action will prioritize the 'Base64 Encoded Image'. + + + ### Flow Description + + 1. **Environment Validation:** Checks if the action is running on a Remote Agent. + + 2. **Parameter Extraction:** Retrieves the Base64 string or the file path from + the input. + + 3. **Input Validation:** Ensures that at least one valid image source is provided. + + 4. **Image Processing:** If Base64 is provided, it decodes the data and saves + it to a temporary file. Otherwise, it uses the provided file path. + + 5. **OCR Execution:** Invokes the Tesseract OCR engine via the `pytesseract` library + to extract text from the image. + + 6. **Result Delivery:** Returns the extracted text in the `extracted_text` field + of the JSON results. capabilities: can_create_case_comments: false can_create_insight: false @@ -149,7 +198,7 @@ OCR Image: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -163,6 +212,7 @@ OCR Image: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -176,40 +226,36 @@ OCR Image: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: - ai_description: "### General Description\nThe **Ping** action is a diagnostic tool\ - \ designed to verify the connectivity and environment readiness for the **Image\ - \ Utilities** integration. Its primary purpose is to ensure that the Google SecOps\ - \ Remote Agent is correctly configured and that all necessary local dependencies\u2014\ - specifically **Tesseract OCR** and **Playwright (Chromium)**\u2014are installed\ - \ and functional. This action is typically used during initial setup or troubleshooting\ - \ to confirm that the environment can support image processing and web content\ - \ rasterization tasks.\n\n### Parameters Description\n| Parameter | Type | Mandatory\ - \ | Description |\n| :--- | :--- | :--- | :--- |\n| N/A | N/A | N/A | This action\ - \ does not require any input parameters. |\n\n### Flow Description\n1. **Remote\ - \ Agent Validation**: The action first checks if it is being executed on a Remote\ - \ Agent. If not, it raises a `RemoteAgentRequiredError`.\n2. **Tesseract OCR Verification**:\ - \ It attempts to retrieve the version of the Tesseract OCR engine using the `pytesseract`\ - \ library. If Tesseract is missing, it provides detailed instructions on how to\ - \ install it within the container.\n3. **Playwright/Chromium Verification**: It\ - \ uses the Playwright library to attempt to launch a headless Chromium browser\ - \ instance. If the browser binaries or dependencies are missing, it raises an\ - \ error with specific installation and permission commands for the user to follow.\n\ - \n### Additional Notes\n- This action does not interact with any external APIs;\ - \ it performs local system checks on the Remote Agent container.\n- It is a prerequisite\ - \ for other actions in this integration, such as 'OCR Image' or 'Rasterize Content'." + ai_description: >- + ### General Description\nValidates the environment and connectivity for the Image + Utilities integration. This action ensures that the necessary system-level dependencies + required for image processing and web content rasterization are correctly configured + on the Google SecOps Remote Agent.\n\n### Parameters Description\nThere are no + parameters for this action.\n\n### Additional Notes\nThis action must be executed + on a **Remote Agent**. It specifically checks for the presence of the Tesseract + OCR engine and Playwright browser binaries. If these are missing, the action provides + detailed troubleshooting steps to install them within the container environment.\n\n### + Flow Description\n1. **Remote Agent Validation**: Confirms the action is executing + within a Remote Agent environment.\n2. **Tesseract Verification**: Checks if the + Tesseract OCR engine is installed and accessible via the `pytesseract` library.\n3. + **Playwright Verification**: Attempts to launch a headless Chromium instance using + Playwright to ensure browser binaries and dependencies are functional.\n4. **Connectivity + Confirmation**: Returns a success message if all local environment checks pass. capabilities: can_create_case_comments: false can_create_insight: false @@ -223,7 +269,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -237,6 +283,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Rasterize Content: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -245,103 +292,58 @@ Ping: create_ticket: false delete_email: false disable_identity: false - download_file: false + download_file: true enable_identity: false enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Rasterize Content: - ai_description: >- - ### General Description - - The **Rasterize Content** action converts vector or complex content (URLs, HTML, - or Email bodies) into fixed bitmap image formats (PNG) or document formats (PDF). - This action utilizes a headless Chromium browser (via Playwright) to render the - content exactly as it would appear to a user, making it ideal for capturing visual - evidence of phishing sites, suspicious emails, or dynamic web pages. **Note:** - This action requires execution on a **Remote Agent** with the necessary browser - binaries installed. - - - ### Parameters Description - - | Parameter | Description | Type | Mandatory | Default Value | - - | :--- | :--- | :--- | :--- | :--- | - - | **Input Type** | The type of content to be processed. Options: `URL`, `HTML`, - `Email`. | DDL | Yes | HTML | - - | **URLs or Body** | The actual content to rasterize. Provide a comma-separated - list for URLs, or the full body for HTML/Email. | String | Yes | - | - - | **Output Type** | The desired output format. Options: `PNG`, `PDF`, `Both`. - | DDL | No | PNG | - - | **Export Method** | How to handle the generated files. Options: `Case Attachment`, - `File Path`, `Both`. | DDL | No | Case Attachment | - - | **Width** | The browser viewport width in pixels. | String | Yes | 1920 | - - | **Height** | The browser viewport height in pixels. | String | Yes | 1080 | - - | **Full Screen** | If true, the action calculates the full scroll height of the - page and captures the entire content. | Boolean | Yes | False | - - | **Timeout** | Maximum time (seconds) to wait for rendering. Max: 120. | String - | No | 120 | - - | **Wait For** | The browser state to reach before capturing. Options: `LOAD`, - `DOM_CONTENT_LOADED`, `NETWORK_IDLE`, `COMMIT`. | DDL | No | NETWORK_IDLE | - - | **Wait for Selector** | A CSS selector to wait for (e.g., `#content-loaded`) - before capturing. | String | No | - | - - - ### Additional Notes - - - **Remote Agent Requirement:** This action will fail if not run on a Remote Agent. - The agent must have Playwright and Chromium dependencies installed. - - - **Full Screen Logic:** When `Full Screen` is enabled, the `Height` parameter - is ignored as the action dynamically adjusts the viewport to match the document's - scroll height. - - - **Exporting:** If `Case Attachment` is selected, files are uploaded to the SOAR - case and then deleted from the agent's local storage. If `File Path` is selected, - the local path on the agent is returned in the JSON results. - - - ### Flow Description - - 1. **Validation:** The action verifies it is running on a Remote Agent and validates - all input parameters (DDL values, numeric ranges). - - 2. **Initialization:** Launches a headless Chromium browser instance using Playwright. - - 3. **Content Loading:** Depending on the `Input Type`, the browser either navigates - to the provided URLs or sets the page content using the provided HTML/Email body. - - 4. **Rendering Wait:** The browser waits for the specified `Wait For` state and, - if provided, the `Wait for Selector` to become visible. - - 5. **Capture:** Generates a PNG screenshot and/or a PDF document based on the - `Output Type`. If `Full Screen` is active, it captures the entire page length. - - 6. **Export:** Processes the generated files according to the `Export Method`, - either attaching them to the case, returning the file paths, or both. + ai_description: "Converts vector or complex content such as URLs, HTML, or Email\ + \ bodies into fixed bitmap images (PNG) or PDF documents. This action utilizes\ + \ a headless browser (Playwright) to render the content exactly as it would appear\ + \ to a user, making it ideal for capturing visual evidence of phishing sites,\ + \ formatted emails, or web reports. \n\n### Flow Description:\n1. **Validation**:\ + \ Verifies that the action is running on a Remote Agent and validates input parameters\ + \ (dimensions, timeouts, and formats).\n2. **Initialization**: Launches a headless\ + \ Chromium browser instance via Playwright.\n3. **Content Loading**: Depending\ + \ on the 'Input Type', the browser either navigates to a list of URLs or renders\ + \ provided HTML/Email content.\n4. **Rendering Control**: Waits for the specified\ + \ browser state (e.g., Network Idle) or a specific CSS selector to ensure dynamic\ + \ content is fully loaded.\n5. **Capture**: Generates a PNG screenshot and/or\ + \ a PDF document based on the 'Output Type' and 'Full Screen' settings.\n6. **Export**:\ + \ Saves the resulting files to the local file system and/or attaches them directly\ + \ to the Google SecOps case.\n\n### Parameters Description:\n| Parameter | Type\ + \ | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Input Type | DDL\ + \ | Yes | Specifies the source format: URL, HTML, or Email. |\n| URLs or Body\ + \ | String | Yes | The actual content to process. Can be a comma-separated list\ + \ of URLs or a raw HTML/Email string. |\n| Output Type | DDL | No | The desired\ + \ format of the result: PNG, PDF, or Both. Defaults to PNG. |\n| Export Method\ + \ | DDL | No | Determines where to save the output: Case Attachment, File Path,\ + \ or Both. Defaults to Case Attachment. |\n| Width | String | Yes | The browser\ + \ viewport width in pixels. Defaults to 1920. |\n| Height | String | Yes | The\ + \ browser viewport height in pixels. Defaults to 1080. |\n| Full Screen | Boolean\ + \ | Yes | If true, the action captures the entire scrollable length of the page,\ + \ ignoring the Height parameter. |\n| Timeout | String | No | Maximum time in\ + \ seconds to wait for rendering. Max 120s. |\n| Wait For | DDL | No | The browser\ + \ state to reach before capturing (e.g., NETWORK_IDLE). |\n| Wait for Selector\ + \ | String | No | A CSS selector that must be visible before the capture occurs.\ + \ |\n\n### Additional Notes:\n- This action **requires a Remote Agent** with Playwright\ + \ and Chromium binaries installed to function.\n- If 'Full Screen' is enabled,\ + \ the 'Height' parameter is ignored for the final output." capabilities: can_create_case_comments: false can_create_insight: false @@ -352,11 +354,12 @@ Rasterize Content: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Adds the generated PNG or PDF files as attachments to the Google SecOps case. + The action attaches the generated PNG or PDF files to the current Google SecOps + case as attachments. categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -370,28 +373,3 @@ Rasterize Content: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/power_ups/image_utilities/resources/ai/integration_ai_description.yaml b/content/response_integrations/power_ups/image_utilities/resources/ai/integration_ai_description.yaml index 0801c7556..29179c290 100644 --- a/content/response_integrations/power_ups/image_utilities/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/power_ups/image_utilities/resources/ai/integration_ai_description.yaml @@ -3,10 +3,10 @@ product_categories: cloud_security: false collaboration: false edr: false - email_security: false + email_security: true iam_and_identity_management: false itsm: false network_security: false siem: false - threat_intelligence: false + threat_intelligence: true vulnerability_management: false diff --git a/content/response_integrations/power_ups/insights/resources/ai/actions_ai_description.yaml b/content/response_integrations/power_ups/insights/resources/ai/actions_ai_description.yaml index 9cacfa46e..364615e80 100644 --- a/content/response_integrations/power_ups/insights/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/power_ups/insights/resources/ai/actions_ai_description.yaml @@ -1,55 +1,79 @@ Create Entity Insight From Enrichment: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description + Creates formatted entity insights by populating a template message with data stored + in an entity's `additional_properties`. This action is primarily used to surface + specific enrichment data (previously gathered by other actions) directly onto + the entity's insight panel for analyst visibility. - The **Create Entity Insight From Enrichment** action is a utility designed to - transform raw enrichment data stored within an entity's `additional_properties` - into a human-readable insight. It uses a templating system to inject specific - data points into a formatted message, which is then posted to the entity's insight - wall in Google SecOps. This allows analysts to see summarized results from previous - enrichment steps directly on the entity. - - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Message | String | Yes | A template string containing placeholders in curly - braces (e.g., `{AD_DisplayName}`). These placeholders must correspond to keys - found in the entity's `additional_properties`. | + | Message | string | Yes | A template string that uses placeholders in curly braces + `{}` to reference keys within the entity's `additional_properties`. For example: + `User {manager_name} approved this access.` | - | Triggered By | String | No | Specifies the integration name to be displayed - as the source of the insight. Defaults to "Siemplify". | + | Triggered By | string | No | The name of the integration or source to be associated + with the created insight. Defaults to 'Siemplify'. | - ### Flow Description + ### Additional Notes + + - This action does not fetch new data from external sources; it transforms existing + internal entity data into a readable insight. - 1. **Parameter Retrieval:** The action fetches the template `Message` and the - `Triggered By` source name from the action parameters. + - If a placeholder key is not found in the entity's properties, the resulting + message may be empty or incomplete depending on the template logic. - 2. **Entity Iteration:** The action loops through all entities provided in the - current context (target entities). - 3. **Template Parsing:** For each entity, the action uses the `ToolsCommon` library - to parse the `Message` string, replacing placeholders with corresponding values - found in the entity's `additional_properties` dictionary. + ### Flow Description - 4. **Insight Creation:** If the message is successfully constructed (i.e., placeholders - are resolved), the action calls the SOAR API to add an entity insight to that - specific entity. + 1. **Parameter Retrieval:** The action retrieves the template `Message` and the + `Triggered By` source name from the input parameters. - 5. **Reporting:** The action concludes by providing a summary message listing - all entities that successfully received an insight. + 2. **Entity Iteration:** The action iterates through all entities currently in + the scope of the alert or case. + 3. **Template Parsing:** For each entity, it uses the `ToolsCommon` library to + parse the `Message` template, replacing placeholders with corresponding values + found in the entity's `additional_properties` (enrichment data). - ### Additional Notes + 4. **Insight Creation:** If the message is successfully generated, the action + calls the SOAR SDK to add an entity insight to the specific entity. - This action is highly dependent on the presence of specific keys within the `additional_properties` - of the entities. If a placeholder key is missing or the `additional_properties` - are empty, the message parsing might fail or return an empty string, preventing - the insight from being created for that specific entity. + 5. **Execution Summary:** The action tracks which entities received insights and + returns a success status if at least one insight was created. capabilities: can_create_case_comments: false can_create_insight: true @@ -60,48 +84,48 @@ Create Entity Insight From Enrichment: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Creates entity insights within the Google SecOps platform based on provided - templates and entity properties. + Creates entity insights within the Google SecOps platform based on existing + entity enrichment data. categories: enrichment: false entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME - filters_by_additional_properties: true + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME + filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false filters_by_creation_time: false @@ -114,6 +138,7 @@ Create Entity Insight From Enrichment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Create Entity Insight From JSON: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -127,33 +152,29 @@ Create Entity Insight From Enrichment: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Create Entity Insight From JSON: ai_description: >- - Creates an entity insight within Google SecOps by processing a provided JSON string - and mapping its data to entities in the current case. This action is a utility - designed to transform raw JSON data (often passed from a previous playbook step) - into human-readable insights associated with specific entities. - - ### General Description - The action takes a JSON array, identifies specific objects within that array that - match entities in the case (based on a configurable identifier path), and then - formats a message using placeholders to create an insight. This is particularly - useful for displaying complex data structures or external tool outputs directly - on the entity's insight panel. + The **Create Entity Insight From JSON** action is a utility designed to generate + and attach insights to entities within a Google SecOps case using data provided + in a JSON format. This action allows users to take structured data (e.g., from + a previous integration step or a file) and map it to specific entities to provide + analysts with immediate context. ### Parameters Description @@ -162,47 +183,46 @@ Create Entity Insight From JSON: | :--- | :--- | :--- | :--- | - | JSON | string | True | A JSON-formatted string (usually an array of objects) - containing the data to be processed. | - - | Identifier KeyPath | string | True | The dot-notation path (e.g., `user.email` - or `id`) within the JSON objects used to match the data to a SecOps entity's identifier. + | JSON | string | Yes | The JSON string containing the data to be processed. This + should be a list of objects or a single object containing entity-related information. | - | Message | string | True | A template string for the insight. Use curly braces + | Identifier KeyPath | string | Yes | The dot-notation path (e.g., `data.id`) + within the JSON objects used to match against the entity's identifier. | + + | Message | string | Yes | A template string for the insight. Use curly braces `{}` to reference keys from the JSON (e.g., `User {name} has role {role}`). Supports - pipe functions like `default()`, `count()`, and `join()`. | + advanced formatting pipes like `join`, `count`, and `to_str`. | - | Triggered By | string | False | The name of the integration or source to be - displayed as the creator of the insight. Defaults to 'Siemplify'. | + | Triggered By | string | No | The name of the integration or source to be displayed + as the creator of the insight. Defaults to 'Siemplify'. | ### Flow Description - 1. **JSON Parsing**: The action parses the input `JSON` string into a Python list - of dictionaries. + 1. **JSON Parsing:** The action parses the provided JSON string into a Python + object. - 2. **Entity Iteration**: It iterates through all `target_entities` available in - the current scope. + 2. **Entity Iteration:** It iterates through all entities currently associated + with the case. - 3. **Data Matching**: For each entity, it searches the JSON list for an object - where the value at `Identifier KeyPath` matches the entity's identifier (case-insensitive). + 3. **Data Matching:** For each entity, it searches the JSON for an entry where + the value at the `Identifier KeyPath` matches the entity's identifier (case-insensitive). - 4. **Message Formatting**: If a match is found, the action uses the `Message` - template and the matched JSON object to resolve placeholders and apply any specified - pipe functions (e.g., formatting lists or providing default values). + 4. **Message Formatting:** If a match is found, it extracts the relevant data + and populates the `Message` template, resolving any placeholders and applying + formatting functions. - 5. **Insight Creation**: The formatted message is added as an entity insight to - the specific entity in the Google SecOps case. + 5. **Insight Creation:** The formatted message is added as an insight to the specific + entity using the `add_entity_insight` method. ### Additional Notes - - The `Identifier KeyPath` supports nested keys using dot notation (e.g., `metadata.system_info.id`). + - The `Identifier KeyPath` supports nested objects using dot notation. - - The `Message` parameter supports advanced formatting via pipes, such as `{results|count()}` - to show the number of items in a list or `{tags|join( )}` to concatenate array - elements. + - The action will only create insights for entities that have a corresponding + match in the provided JSON data. capabilities: can_create_case_comments: false can_create_insight: true @@ -213,47 +233,47 @@ Create Entity Insight From JSON: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Creates an entity insight within the Google SecOps case to provide additional - context for analysts. + The action creates entity insights within the Google SecOps case based on the + provided JSON input. categories: enrichment: false entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -267,6 +287,7 @@ Create Entity Insight From JSON: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +"Create Entity Insight From Multiple JSONs": action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -280,28 +301,31 @@ Create Entity Insight From JSON: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -"Create Entity Insight From Multiple JSONs": ai_description: >- ### General Description The **Create Entity Insight From Multiple JSONs** action is a utility designed - to transform raw JSON data into structured, human-readable Entity Insights within - Google SecOps. It allows analysts to pass up to five different JSON datasets and - define specific extraction paths to pull relevant information for each entity - present in the case. This is particularly useful for visualizing data retrieved - in previous playbook steps that was not automatically formatted into insights. + to transform raw JSON data into human-readable entity insights. It allows analysts + to provide up to five JSON strings (typically outputs from previous playbook steps) + and define specific fields to extract for each entity. The extracted data is then + formatted into HTML tables and attached directly to the relevant entities as insights, + facilitating quick review of complex data structures within the Google SecOps + platform. ### Parameters Description @@ -310,47 +334,51 @@ Create Entity Insight From JSON: | :--- | :--- | :--- | :--- | - | **JSON1 - JSON5** | String | No | The raw JSON strings to be parsed. These should - contain data mapped to entity identifiers. | + | JSON1 - JSON5 | String | No | The JSON string containing data to be parsed. + The action expects a list of objects where each object contains an 'Entity' key + matching the entity identifier and an 'EntityResult' key containing the data. + | - | **Fields1 - Fields5** | String | No | The extraction logic for the corresponding - JSON. Uses the format `Label:{path.to.key}`. Multiple fields can be separated - by the Placeholder Separator. | + | Fields1 - Fields5 | String | No | A string defining which fields to extract + and how to display them. Format: `DisplayName:path.to.key`. Multiple fields are + separated by the Placeholder Separator. | - | **Title1 - Title5** | String | No | The title used for the specific section + | Title1 - Title5 | String | No | The title or header used for the specific section of the entity insight. | - | **Placeholder Separator** | String | No | The character used to separate field - definitions in the 'Fields' parameters (default is `,`). | + | Placeholder Separator | String | No | The character used to separate multiple + field definitions in the 'Fields' parameters. Default is a comma (`,`). | - ### Flow Description + ### Additional Notes - 1. **Data Collection:** The action retrieves up to five sets of JSON data, field - extraction strings, and titles from the action parameters. + - The action identifies the correct data for an entity by looking for a key named + `Entity` within the provided JSON objects and extracts the content of `EntityResult`. - 2. **Entity Iteration:** The action iterates through all entities currently associated - with the SecOps case. + - If a field path is provided without a display name (e.g., just `path.to.key`), + the value will be added to the insight as a plain string instead of a table row. - 3. **Data Extraction:** For each entity, the action searches the provided JSON - strings for a matching `Entity` identifier within the JSON structure. + - This action is a local utility and does not perform any external API calls. - 4. **Field Parsing:** If a match is found, it parses the specified fields using - the provided paths, supporting nested JSON structures and basic transformation - pipes (like `count` or `to_str`). - 5. **Insight Creation:** The extracted data is formatted into an HTML table and - attached as an Insight to the specific entity, using the provided title as the - trigger/header. + ### Flow Description + 1. **Initialization**: The action retrieves the JSON strings, field mappings, + and titles for the data sets from the action parameters. - ### Additional Notes + 2. **Entity Iteration**: The action loops through all entities currently associated + with the alert or case. - - This action is a data transformation utility and does not interact with external - APIs. + 3. **Data Extraction**: For each entity, it searches the provided JSON arrays + for an entry where the `Entity` field matches the entity's identifier. - - The JSON input is expected to follow a structure where entity identifiers are - mapped to results (e.g., `[{"Entity": "1.1.1.1", "EntityResult": {...}}]`). + 4. **Field Parsing**: If a match is found, it uses the `Fields` mapping to extract + specific values from the `EntityResult` object using dot-notation paths and optional + pipe functions (like `count` or `to_str`). + + 5. **Insight Creation**: The extracted values are formatted into an HTML table. + The action then adds this table as an insight to the entity, using the provided + `Title` as the trigger context. capabilities: can_create_case_comments: false can_create_insight: true @@ -361,47 +389,46 @@ Create Entity Insight From JSON: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - The action creates Entity Insights within the Google SecOps case based on the - provided JSON data and field extraction logic. + Creates entity insights within Google SecOps based on the provided JSON parameters. categories: enrichment: false entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -415,6 +442,7 @@ Create Entity Insight From JSON: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -428,26 +456,27 @@ Create Entity Insight From JSON: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: ai_description: >- ### General Description - The **Ping** action is a connectivity test designed to verify the communication - between the Google SecOps (Chronicle) platform and the Insights integration. It - serves as a diagnostic tool to ensure that the integration is correctly configured - and that the execution environment is responsive. + Verifies the connectivity between the Google SecOps platform and the integration. + This action is a standard health check used to ensure that the integration environment + is properly configured and that the action execution engine is responsive. ### Parameters Description @@ -455,22 +484,18 @@ Ping: There are no parameters for this action. - ### Flow Description - - 1. **Initialization**: The action initializes the Siemplify SDK to establish a - context for the execution. + ### Additional Notes - 2. **Connectivity Check**: The action performs a simple internal check to confirm - the script can execute within the environment. + This action does not interact with any external APIs or modify any data within + the SOAR. It is strictly used for connectivity validation. - 3. **Completion**: The action terminates immediately, returning a success status - and the message "Siemplify is connected". + ### Flow Description - ### Additional Notes + 1. Initialize the Siemplify action context. - This action does not interact with any external APIs or modify any data within - the SecOps platform. It is strictly used for health checks. + 2. Immediately terminate the action with a success status and the message "Siemplify + is connected". capabilities: can_create_case_comments: false can_create_insight: false @@ -484,7 +509,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -498,28 +523,3 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/power_ups/lists/resources/ai/actions_ai_description.yaml b/content/response_integrations/power_ups/lists/resources/ai/actions_ai_description.yaml index 2e8d95563..0894f429d 100644 --- a/content/response_integrations/power_ups/lists/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/power_ups/lists/resources/ai/actions_ai_description.yaml @@ -1,47 +1,76 @@ Add String to Custom List: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: true + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Add String to Custom List** action allows users to programmatically add - a specific string to a designated Custom List category within Google SecOps. This - is a utility action used for managing internal lists such as allowlists, blocklists, - or watchlists directly from a playbook without requiring manual entry in the UI. + This action adds a specific string to a designated custom list category within + Google SecOps. It is primarily used for managing internal lists, such as allowlists + or blocklists, by programmatically inserting new entries based on user input or + playbook logic. ### Parameters Description - | Parameter | Type | Mandatory | Description | + | Parameter | Description | Type | Mandatory | | :--- | :--- | :--- | :--- | - | **ListItem** | string | Yes | The specific string value to be added to the custom - list. | + | ListItem | The specific string value that you want to add to the custom list. + | String | Yes | - | **Category** | string | Yes | The name of the custom list category where the - string should be added (e.g., "WhiteList"). | + | Category | The name of the custom list category (e.g., 'WhiteList', 'BlackList') + where the string should be stored. | String | Yes | ### Additional Notes - This action does not operate on entities within the current context; it uses the - provided string parameter. It modifies internal Google SecOps data (Custom Lists) - but does not interact with external systems. There are no entity-based filters - applied. + - This action does not process entities from the case; it operates strictly on + the provided `ListItem` string parameter. + + - The action uses the current environment context of the SOAR platform when adding + the item to the list. ### Flow Description - 1. **Parameter Retrieval**: The action extracts the `ListItem` (the string to - add) and the `Category` (the target list) from the input parameters. + 1. **Parameter Extraction**: The action retrieves the `Category` and `ListItem` + values from the input parameters. - 2. **Object Creation**: It constructs a `CustomList` object using the provided - string, category, and the current environment context. + 2. **Object Creation**: It creates a `CustomList` data object containing the input + string, the target category, and the environment identifier. - 3. **List Update**: It calls the internal SDK method `add_entities_to_custom_list` - to add the constructed item to the specified custom list in Google SecOps. + 3. **Internal Update**: The action calls the internal SDK method `add_entities_to_custom_list` + to save the new entry into the Google SecOps custom list database. 4. **Completion**: The action returns a success message indicating the string - has been added to the category and terminates with a completed status. + has been added to the specified category. capabilities: can_create_case_comments: false can_create_insight: false @@ -52,11 +81,11 @@ Add String to Custom List: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Adds a string to a specified Custom List category within Google SecOps. + Adds a new string entry to an internal Google SecOps custom list category. categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -70,6 +99,7 @@ Add String to Custom List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Is String In Custom List: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -83,43 +113,28 @@ Add String to Custom List: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Is String In Custom List: ai_description: >- - Checks if a specific set of strings exists within a designated Google SecOps Custom - List category. This action is primarily used for whitelist or blacklist validation - by comparing user-provided identifiers against internal lists stored within the - platform. - - - ### Flow Description - - 1. **Parse Input:** The action retrieves the `IdentifierList` and `Category` parameters. - It attempts to parse the `IdentifierList` as a JSON array; if that fails, it treats - it as a comma-separated string. - - 2. **Iterate Identifiers:** For each string in the list, the action creates a - `CustomList` object associated with the specified category and the current environment. - - 3. **Query Custom Lists:** It uses the internal SDK method `any_entity_in_custom_list` - to check if the identifier exists in the specified category. - - 4. **Aggregate Results:** The action tracks which identifiers were found and maintains - a total count of matches. + ### General Description - 5. **Finalize:** It outputs a JSON mapping of each identifier to its presence - status (true/false) and returns the total count of found items as the result value. + This action checks if a specific set of strings exists within a designated Google + SecOps Custom List category. It is primarily used for logic branching or validation + within playbooks, such as checking if an indicator is part of a known whitelist + or blacklist maintained internally. ### Parameters Description @@ -128,21 +143,31 @@ Is String In Custom List: | :--- | :--- | :--- | :--- | - | IdentifierList | string | Yes | A list of strings to compare against the custom - list. Can be a JSON-formatted list (e.g., `["1.1.1.1", "google.com"]`) or a comma-separated - string (e.g., `1.1.1.1,google.com`). | + | IdentifierList | string | True | A list of strings to compare against the custom + list. This parameter accepts either a JSON-formatted array (e.g., `["1.1.1.1", + "google.com"]`) or a comma-separated string (e.g., `1.1.1.1,google.com`). | - | Category | string | Yes | The name of the Custom List category to search within - (e.g., 'WhiteList', 'BlackList'). | + | Category | string | True | The name of the Custom List category (e.g., 'WhiteList', + 'BlackList') to search within for the current environment. | - ### Additional Notes + ### Flow Description + + 1. **Input Parsing**: The action retrieves the `Category` and `IdentifierList` + parameters. It attempts to parse the `IdentifierList` as a JSON array; if that + fails, it splits the string by commas and strips whitespace from each item. + + 2. **Custom List Query**: For each identifier in the list, the action creates + a `CustomList` object and uses the SOAR SDK method `any_entity_in_custom_list` + to check if that specific string exists in the specified category for the current + environment. - - This action does not interact with the entities currently present in the alert; - it only processes the strings provided in the `IdentifierList` parameter. + 3. **Result Aggregation**: The action builds a JSON object where each identifier + is a key and the value is a boolean (`true` if found, `false` otherwise). It also + maintains a counter for the total number of matches found. - - The search is environment-aware, meaning it only checks lists associated with - the environment in which the action is running. + 4. **Completion**: The action outputs the total count of matches as the main result + value and provides the detailed boolean mapping in the JSON result. capabilities: can_create_case_comments: false can_create_insight: false @@ -156,7 +181,7 @@ Is String In Custom List: categories: enrichment: true entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -170,6 +195,7 @@ Is String In Custom List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -183,26 +209,29 @@ Is String In Custom List: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: ai_description: >- ### General Description The **Ping** action is a diagnostic utility designed to verify the connectivity - between the Google SecOps platform and the Lists integration environment. It serves - as a health check to ensure that the integration is correctly configured and that - the execution environment can successfully initialize the integration's components. + and functional status of the **Lists** integration within Google SecOps. Its primary + purpose is to ensure that the integration is correctly configured and that the + SOAR environment can successfully communicate with the integration's underlying + logic. ### Parameters Description @@ -212,18 +241,20 @@ Ping: ### Additional Notes - This action does not interact with any external APIs or internal data stores. - It is strictly used for connectivity testing. + This action does not perform any external API calls, retrieve data, or modify + any internal or external records. It is a standard health-check mechanism. ### Flow Description - 1. **Initialization**: The action initializes the Siemplify API object. + 1. **Initialization**: The action initializes the Siemplify SDK to establish the + execution context. - 2. **Connectivity Check**: The script executes a simple completion command. + 2. **Connectivity Verification**: The script executes a minimal logic path to + confirm the integration environment is responsive. - 3. **Result Reporting**: The action terminates with a success message ('Siemplify - is connected') to indicate that the integration logic is reachable and functional. + 3. **Execution Completion**: The action concludes by returning a success message + ('Siemplify is connected') to the SOAR platform. capabilities: can_create_case_comments: false can_create_insight: false @@ -237,7 +268,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -251,6 +282,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Remove String from Custom List: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -264,38 +296,62 @@ Ping: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Remove String from Custom List: ai_description: >- - ### General Description\n\nThe **Remove String from Custom List** action allows - users to programmatically delete a specific string entry from an existing Google - SecOps custom list. This is typically used to manage internal allowlists, blocklists, - or watchlists by removing indicators that are no longer relevant.\n\n### Parameters - Description\n\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- | - :--- | :--- |\n| **Category** | String | Yes | The name of the custom list category - (e.g., \"WhiteList\") from which the item will be removed. |\n| **ListItem** | - String | Yes | The specific string value to be removed from the custom list. |\n\n### - Flow Description\n\n1. **Parameter Extraction**: The action retrieves the target - custom list category and the specific string to be removed from the input parameters.\n2. - **Object Preparation**: It creates a `CustomList` object containing the string - and category information.\n3. **Removal Execution**: The action calls the internal - SDK method `remove_entities_from_custom_list` to perform the deletion within the - SecOps platform.\n4. **Finalization**: The action returns a success message confirming - the removal or a failure message if an error occurs.\n\n### Additional Notes\n\n- - This action operates on internal Google SecOps custom lists and does not affect - external security controls directly.\n- Ensure the `Category` name matches the - existing list name exactly. + ### General Description + + Removes a specific string from a designated Google SecOps custom list. This action + is used to manage internal lists (such as allowlists or blocklists) by programmatically + deleting entries based on user-provided input. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Category | string | Yes | The name of the custom list category from which the + string should be removed. | + + | ListItem | string | Yes | The specific string value to be removed from the custom + list. | + + + ### Additional Notes + + This action operates on internal Google SecOps custom lists and does not interact + with external security controls or iterate over entities present in the current + case. + + + ### Flow Description + + 1. **Retrieve Parameters**: The action extracts the `Category` and `ListItem` + values from the input parameters. + + 2. **Prepare List Item**: It creates a `CustomList` object using the provided + string, category, and the current environment context. + + 3. **Remove from List**: The action calls the internal SDK method `remove_entities_from_custom_list` + to delete the specified string from the internal database. + + 4. **Finalize**: The action returns a success message confirming the removal or + a failure status if an error occurs. capabilities: can_create_case_comments: false can_create_insight: false @@ -306,11 +362,11 @@ Remove String from Custom List: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Removes a string entry from a Google SecOps custom list. + Removes a string entry from an internal Google SecOps custom list. categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -324,6 +380,7 @@ Remove String from Custom List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Search Custom Lists: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -337,73 +394,74 @@ Remove String from Custom List: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Search Custom Lists: ai_description: >- - ### General Description - - This action searches for a specific string within the records of Google SecOps - Custom Lists. It allows users to filter the search by specific categories or perform - a global search across all custom lists. If no search string or categories are - provided, the action retrieves all available custom list records. The results - are returned as a JSON object containing the matching records. + Searches for specific records within Google SecOps Custom Lists based on a search + string and/or specific categories. This action is primarily used to retrieve and + filter internal list data for use in playbooks, such as checking if a value exists + in a watchlist or global blocklist managed within the SOAR platform. ### Parameters Description + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | String to Search | String | No | The specific substring to look for within the + | String to Search | String | No | The specific string to look for within the `entityIdentifier` field of the custom list records. If omitted, all records in - the specified categories (or all categories) are returned. | + the specified categories are returned. | | Categories | String | No | A comma-separated list of custom list categories - to restrict the search to. If omitted, the action searches across all available - custom lists. | + to search within. If omitted, the action searches across all available custom + lists. | ### Flow Description - 1. **Parameter Extraction:** The action retrieves the `String to Search` and `Categories` - from the input. - 2. **Data Retrieval:** It calls the internal SOAR API to fetch custom list records, - optionally filtered by the provided categories. + 1. **Parameter Extraction:** The action retrieves the `Categories` and `String + to Search` from the user input. - 3. **Category Filtering:** If categories were provided, the action ensures only - records belonging to those categories are processed. + 2. **Data Retrieval:** It calls the internal SOAR API to fetch records from the + custom lists. If categories are provided, it limits the initial fetch to those + categories. - 4. **String Matching:** If a search string is provided, the action iterates through - the records and identifies those where the `entityIdentifier` contains the search - string (case-sensitive). + 3. **Category Filtering:** If categories were specified, the action filters the + retrieved records to ensure they match the requested categories. - 5. **Result Compilation:** Matching records are collected into a list. + 4. **String Matching:** If a search string is provided, the action iterates through + the records and performs a partial match check against the `entityIdentifier` + field. - 6. **Output:** The list of matching records is attached to the action results - as a JSON object, and the action completes with a summary message indicating the - number of matches found. + 5. **Output Generation:** The matching records are formatted into a JSON array + and attached to the action's results. If no matches are found, the action completes + with a 'False' result value. ### Additional Notes - - This action interacts with internal Google SecOps data (Custom Lists) and does - not communicate with external third-party services. - - If no records match the criteria, the action will complete successfully but - indicate that no matching records were found. + * If both parameters are left empty, the action will attempt to return all records + from all custom lists. + + * This action does not interact with entities in the current case scope; it + operates globally on the platform's custom list data. capabilities: can_create_case_comments: false can_create_insight: false @@ -417,7 +475,7 @@ Search Custom Lists: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -431,6 +489,7 @@ Search Custom Lists: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Search Environment Custom Lists: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -444,65 +503,69 @@ Search Custom Lists: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Search Environment Custom Lists: ai_description: >- - Searches for a specified string within the records of the environment's custom - lists in Google SecOps. This action allows users to filter results by specific - categories and search for matches within the entity identifiers of the list records. - If no parameters are provided, the action returns all available custom list records. + ### General Description + Searches for specific records within the Google SecOps environment's custom lists. + This action allows users to filter records by category and search for specific + strings within the entity identifiers of the list entries. It is primarily used + to retrieve internal list data for use in subsequent playbook steps. If no parameters + are provided, the action returns all records from the environment's custom lists. - ### Flow Description: - 1. **Parameter Extraction**: The action retrieves the 'Categories' and 'String - to Search' parameters from the input. + ### Parameters Description - 2. **Data Retrieval**: It calls the internal SOAR API to fetch custom list records - filtered by the provided categories and string. - 3. **Category Filtering**: If categories are specified, the action filters the - retrieved records to include only those belonging to the specified categories. + | Parameter | Type | Mandatory | Description | - 4. **String Matching**: If a search string is provided, the action iterates through - the records and identifies those where the 'entityIdentifier' contains the search - string. + | :--- | :--- | :--- | :--- | - 5. **Result Output**: The matching records are added to the action's JSON results, - and a summary message indicating the number of matches found is returned. + | String to Search | String | No | The string to search for within the 'entityIdentifier' + field of the list records. If omitted, no string filtering is applied. | + | Categories | String | No | A comma-separated list of categories to filter the + custom list records. If omitted, records from all categories are considered. | - ### Parameters Description: - | Parameter | Type | Mandatory | Description | + ### Flow Description - | :--- | :--- | :--- | :--- | + 1. **Parameter Extraction**: The action retrieves the 'Categories' and 'String + to Search' parameters from the input. - | String to Search | String | No | The specific string to look for within the - 'entityIdentifier' field of the custom list records. | + 2. **Data Retrieval**: It calls an internal API method (`get_traking_list_records_filtered`) + to fetch custom list records from the Google SecOps environment. - | Categories | String | No | A comma-separated list of categories used to filter - which custom lists are searched. | + 3. **Category Filtering**: If the 'Categories' parameter is provided, the action + filters the retrieved records to include only those matching the specified categories. + 4. **String Filtering**: If the 'String to Search' parameter is provided, the + action iterates through the records and performs a substring match against the + 'entityIdentifier' field. - ### Additional Notes: + 5. **Result Output**: The matching records are formatted as a JSON object and + added to the action's results. If no records match the criteria, the action reports + that no matching records were found. - - If both parameters are left empty, the action will attempt to return all records - from all custom lists in the environment. - - This action interacts with internal Google SecOps data and does not communicate - with external third-party services. + ### Additional Notes + + This action is a utility for internal data retrieval and does not interact with + external systems or modify existing entities or alerts within the case. capabilities: can_create_case_comments: false can_create_insight: false @@ -516,7 +579,7 @@ Search Environment Custom Lists: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -530,28 +593,3 @@ Search Environment Custom Lists: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/power_ups/template_engine/resources/ai/actions_ai_description.yaml b/content/response_integrations/power_ups/template_engine/resources/ai/actions_ai_description.yaml index 72a5ad4f4..0a8d1a1a7 100644 --- a/content/response_integrations/power_ups/template_engine/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/power_ups/template_engine/resources/ai/actions_ai_description.yaml @@ -1,120 +1,150 @@ Entity Insight: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - The **Entity Insight** action is a powerful utility within the Template Engine - integration designed to transform raw JSON data into human-readable insights using - Jinja2 templates. It allows analysts to take complex data structures (typically - from previous enrichment steps) and format them into structured HTML or text insights - that are then attached directly to entities within Google SecOps. This action - is highly customizable, supporting a wide array of custom Jinja filters for data - manipulation, table generation, and regex operations. + The **Entity Insight** action is a utility designed to transform raw JSON data + into human-readable insights for entities within a case. Using the Jinja2 templating + engine, it allows analysts to create custom visual representations of data retrieved + by other actions. This is particularly useful for summarizing complex API responses + into concise tables or summaries directly on the entity's insight tab. ### Parameters Description + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **JSON Object** | JSON Object | Yes | The raw JSON data (in EntityResult format) - that will be used as the context for the Jinja2 template. | + | **JSON Object** | Content | Yes | The raw JSON data (in EntityResult format) + that will be used to populate the template. | - | **Template** | Template | No | The Jinja2 template used to render the insight. - This can be an HTML template or plain text. | + | **Template** | Email Content | No | The Jinja2 template used to render the insight. + Can be a predefined HTML template or custom code. | - | **Triggered By** | String | Yes | Specifies the name of the integration that - will be credited as the source of the created entity insight. | + | **Triggered By** | String | Yes | The name of the integration or process that + generated the data, used as the source label for the insight. | - | **Remove BRs** | Boolean | No | If set to `true`, the action will strip all - `
` tags from the final rendered template. Default is `false`. | + | **Remove BRs** | Boolean | No | If set to `true`, all `
` tags will be stripped + from the rendered output. Default is `false`. | - | **Create Insight** | Boolean | No | Determines whether the action should actually - create an Entity Insight in the UI. Default is `true`. | + | **Create Insight** | Boolean | No | If set to `true`, the action will generate + an Entity Insight in the SOAR. Default is `true`. | ### Additional Notes - - The action automatically excludes entities of type 'ALERT' from processing. + - The action includes a wide array of custom Jinja filters such as `json2tbl` + (for converting JSON to HTML tables), `regex_replace`, and `filter_datetime` to + assist in data formatting. - - It supports advanced Jinja filters such as `json2tbl` (converts JSON to HTML - tables), `regex_match`, `filter_datetime`, and `dedup_list_of_dicts`. + - The input JSON must follow a specific structure where each entry contains an + "Entity" identifier and an "EntityResult" object. - - The input JSON is expected to be a list of objects where each object contains - an "Entity" identifier and an "EntityResult" payload. + - Entities identified as type "ALERT" via their additional properties are excluded + from processing. ### Flow Description - 1. **Parameter Extraction:** The action retrieves the input JSON, the Jinja2 template, - and configuration flags (Remove BRs, Create Insight). + 1. **Parameter Extraction**: Retrieves the input JSON, Jinja2 template, and configuration + settings from the action parameters. - 2. **Environment Setup:** It initializes a Jinja2 environment and loads a comprehensive - suite of custom filters for data formatting and transformation. + 2. **Environment Setup**: Initializes the Jinja2 environment and loads a comprehensive + set of standard and custom filters for advanced data manipulation. - 3. **Entity Filtering:** The action iterates through the target entities in the - case, filtering out any entities identified as 'ALERT' types via their additional - properties. + 3. **Entity Iteration**: Loops through all entities currently associated with + the case scope. - 4. **Data Mapping:** For each valid entity, the action searches the provided **JSON - Object** for an entry matching the entity's identifier. + 4. **Type Filtering**: Skips entities where the `Type` property in `additional_properties` + is set to "ALERT". - 5. **Template Rendering:** If a match is found, the action combines the entity's - metadata with the specific JSON result and renders the Jinja2 template. + 5. **Data Matching**: For each valid entity, searches the input JSON object for + an entry matching the entity's identifier. - 6. **Internal Mutation:** The rendered output is attached to the entity as a JSON - result. If **Create Insight** is enabled, the action also generates a formal Entity - Insight visible in the Google SecOps case wall. + 6. **Template Rendering**: If a match is found, it merges the entity's metadata + with the JSON result and renders the Jinja2 template into a final string. + + 7. **Insight Creation**: If the `Create Insight` flag is enabled, it creates an + Entity Insight with the rendered content and attaches the raw result as entity + JSON for further use. capabilities: can_create_case_comments: false can_create_insight: true can_modify_alert_data: false can_mutate_external_data: false can_mutate_internal_data: true - can_update_entities: true + can_update_entities: false external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: >- - The action creates entity insights and updates entity JSON results within the - Google SecOps platform based on the provided template and data. + Creates entity insights and attaches JSON results to entities within the Google + SecOps platform based on the provided template and data. categories: - enrichment: true + enrichment: false entity_usage: entity_types: - - ADDRESS - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: true filters_by_alert_identifier: false filters_by_case_identifier: false @@ -128,6 +158,7 @@ Entity Insight: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -141,54 +172,52 @@ Entity Insight: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: ai_description: >- ### General Description The **Ping** action is a diagnostic utility designed to verify the connectivity - and operational status of the **TemplateEngine** integration within Google SecOps. - Its primary purpose is to confirm that the SOAR platform can successfully communicate - with the integration and execute its logic. It returns a simple success message - upon completion. + and functional status of the TemplateEngine integration within Google SecOps. + Its primary purpose is to ensure that the integration's environment is correctly + configured and that the SOAR platform can successfully communicate with the integration's + underlying logic. ### Parameters Description - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | None | N/A | N/A | This action does not require any input parameters. | - + There are no parameters for this action. - ### Additional Notes - - This action is a standard health check and does not perform any data retrieval - or state changes. + ### Flow Description - - It does not interact with external APIs or process SecOps entities. + 1. **Initialization**: The action initializes the Siemplify context to establish + a connection with the SOAR platform. + 2. **Connectivity Check**: The script executes a simple completion command without + performing any external API calls or data processing. - ### Flow Description + 3. **Finalization**: The action terminates with a success message, "Siemplify + is connected," confirming that the integration is operational. - 1. **Initialization**: The action initializes the Siemplify action module. - 2. **Status Verification**: The script confirms the execution environment is active. + ### Additional Notes - 3. **Completion**: The action terminates with a success status and the message - "Siemplify is connected". + This action does not interact with any external services, nor does it process + or modify any entity or case data. It is strictly used for health-check purposes. capabilities: can_create_case_comments: false can_create_insight: false @@ -202,7 +231,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -216,6 +245,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Render Template: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -229,82 +259,79 @@ Ping: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Render Template: ai_description: >- - Renders a Jinja2 template using provided JSON data and optionally current case - data (entities and events). This utility action is designed to format complex - data into human-readable HTML or text, which can then be used for reporting, email - notifications, or case wall logs. It includes a variety of built-in filters for - data manipulation, such as converting JSON to HTML tables, regex operations, and - date formatting. + ### General Description + The **Render Template** action allows users to generate formatted text or HTML + by applying a Jinja2 template to a JSON data structure. This action is primarily + used within playbooks to prepare content for notifications (such as emails or + Slack messages) or to create structured reports from raw event and entity data. - ### Parameters Description + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | JSON Object | JSON Object | No | The raw JSON object that will be used as the - primary data source (`input_json`) for the Jinja template. Defaults to an empty - object `{}`. | + | **JSON Object** | JSON Object | No | The raw JSON object used as the primary + data source (`input_json`) for the template. Defaults to `{}`. | - | Jinja | Code | No | The Jinja2 template code to be rendered. If provided, this - value overrides the 'Template' parameter. | + | **Jinja** | Jinja | No | The Jinja2 template code to be rendered. If provided, + this overrides the `Template` parameter. | - | Include Case Data | Boolean | No | When enabled (true), the action automatically - injects the current alert's security events and target entities into the template - context under `input_json['SiemplifyEvents']` and `input_json['SiemplifyEntities']`. - | + | **Include Case Data** | Boolean | No | When enabled, the action automatically + injects the alert's security events and entities into the template context under + `input_json['SiemplifyEvents']` and `input_json['SiemplifyEntities']`. | - | Template | Email Content | No | The Jinja2 template to be rendered. This can - be a pre-defined HTML template from the environment settings or a custom string. - | + | **Template** | email_content | No | An alternative way to provide the Jinja2 + template, often used for selecting pre-defined HTML templates from the environment + settings. | - ### Additional Notes - - - Either the 'Jinja' or 'Template' parameter should be provided for the action - to produce a meaningful result. If both are provided, 'Jinja' takes precedence. + ### Flow Description - - The action supports custom filters defined in the `JinjaFilters` and `CustomFilters` - modules, allowing for advanced transformations like `json2tbl`, `regex_replace`, - and `epochTimeToHuman`. + 1. **Data Collection**: The action extracts the `JSON Object` input and, if `Include + Case Data` is enabled, gathers all security events and entities associated with + the current alert context. + 2. **Environment Setup**: A Jinja2 environment is initialized, loading a comprehensive + set of filters including `json2tbl` (for converting JSON to HTML tables), regex + utilities, and date/time formatters. - ### Flow Description + 3. **Template Selection**: The action determines whether to use the raw `Jinja` + code or the `Template` parameter (with `Jinja` taking precedence). - 1. **Initialization**: The action extracts the input parameters and initializes - the Jinja2 environment. + 4. **Rendering**: The template is rendered using the provided JSON data. If the + input JSON is a list, the action iterates through the list and appends the rendered + results for each entry. - 2. **Data Collection**: It retrieves security events and target entities from - the current Siemplify alert context. + 5. **Output**: The final rendered string is returned as the action's result and + is also stored in the `JsonResult` as `html_output`. - 3. **Context Preparation**: The input JSON string is parsed. If 'Include Case - Data' is enabled, the collected events and entities are merged into the data context. - 4. **Filter Loading**: Standard and custom Jinja filters are loaded into the environment - to enable advanced template logic. + ### Additional Notes - 5. **Rendering**: The action renders the template (from 'Jinja' or 'Template') - using the prepared data context. It supports both single dictionary inputs and - lists of dictionaries (rendering the template once for each item in the list). + - Either the **Jinja** or **Template** parameter must be configured for the action + to produce output. - 6. **Output**: The rendered string is saved to the action's JSON results under - the key `html_output` and returned as the script result. + - Use the `|safe` filter in your Jinja code to disable HTML auto-escaping if you + are generating HTML content. capabilities: can_create_case_comments: false can_create_insight: false @@ -319,42 +346,41 @@ Render Template: enrichment: false entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME - filters_by_additional_properties: false + - ADDRESS + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME + filters_by_additional_properties: true filters_by_alert_identifier: false filters_by_case_identifier: false filters_by_creation_time: false @@ -367,6 +393,7 @@ Render Template: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Render Template from Array: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -380,76 +407,83 @@ Render Template: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Render Template from Array: ai_description: >- - Renders a Jinja2 template for each item in a provided JSON array. This utility - action is designed to transform lists of data into formatted strings, such as - HTML tables, comma-separated lists, or custom text blocks, which can then be used - in emails, reports, or other playbook actions. + ### General Description + The **Render Template from Array** action is a utility designed to transform a + list of data items into a single formatted string using Jinja2 templating. It + iterates through a provided JSON array, applies a specific template to each element, + and joins the results together. This is particularly useful for generating HTML + reports, summaries, or formatted logs from a collection of entities or event data + within a playbook. - ### Flow Description - 1. **Input Parsing**: The action parses the 'Array input' parameter as a JSON - object. If the input is a single dictionary instead of a list, it is automatically - wrapped into a single-element list. + ### Parameters Description + + | Parameter | Type | Mandatory | Description | - 2. **Environment Setup**: Initializes a Jinja2 environment, loading standard extensions - and a comprehensive set of custom filters (e.g., `json2tbl`, `regex_match`, `filter_datetime`, - `epochTimeToHuman`). + | :--- | :--- | :--- | :--- | - 3. **Template Rendering**: Iterates through each item in the array. For each item, - it renders the provided 'Jinja' template code. The current item is accessible - within the template using the `row` variable or directly via its keys. + | **Array input** | Content | No | A JSON-formatted string representing the array + of items to process. Usually mapped from the output of a previous action. Defaults + to an empty list. | - 4. **Aggregation**: Collects all rendered strings into a list and joins them using - the specified 'join' character. + | **Jinja** | Code | No | The Jinja2 template logic to apply to each item in the + array. The current item is accessible via the `row` variable. | - 5. **Final Formatting**: Prepends the 'prefix' and appends the 'suffix' to the - joined string to produce the final output. + | **join** | String | No | The character or string used to concatenate the rendered + output of each array item (e.g., a comma, newline, or HTML break). | + | **prefix** | String | No | A static string to prepend to the very beginning + of the final concatenated output. | - ### Parameters Description + | **suffix** | String | No | A static string to append to the very end of the + final concatenated output. | - | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + ### Additional Notes + + - If the **Array input** provided is a single JSON object instead of a list, the + action will automatically treat it as a single-element array. - | **Array input** | content | No | A JSON array (list of objects) typically passed - from the output of a previous action. Defaults to an empty list. | + - The action supports a wide range of custom Jinja filters (e.g., `json2tbl`, + `regex_match`, `filter_datetime`) to assist in complex data formatting. - | **Jinja** | code | No | The Jinja2 template string to be applied to each item - in the array. Use `{{ row.key_name }}` to access data. | - | **join** | string | No | The character or string used to join the rendered output - of each array item (e.g., a newline `\n` or a comma `,`). | + ### Flow Description - | **prefix** | string | No | A static string to be added at the very beginning - of the final rendered output. | + 1. **Initialization**: The action extracts the input parameters and initializes + the Jinja2 environment, loading standard and custom filters. - | **suffix** | string | No | A static string to be added at the very end of the - final rendered output. | + 2. **Data Parsing**: The `Array input` string is parsed into a Python list. If + the input is a dictionary, it is converted into a list containing that dictionary. + 3. **Template Rendering**: The action loops through each item in the list. For + each item, it renders the provided `Jinja` template, passing the item as the context + (accessible as `row`). - ### Additional Notes + 4. **Concatenation**: All rendered strings are collected into a list and joined + into a single string using the `join` parameter. - - This action includes specialized filters like `json2tbl` which can convert JSON - data directly into HTML tables, making it highly effective for creating dynamic - email content. + 5. **Final Formatting**: The `prefix` and `suffix` are added to the joined string. - - If the 'Array input' is not valid JSON, the action will fail. + 6. **Output**: The final string is returned as the action's result value and included + in the `html_output` field of the JSON result. capabilities: can_create_case_comments: false can_create_insight: false @@ -463,7 +497,7 @@ Render Template from Array: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -477,28 +511,3 @@ Render Template from Array: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/power_ups/tools/resources/ai/actions_ai_description.yaml b/content/response_integrations/power_ups/tools/resources/ai/actions_ai_description.yaml index d26dc209a..610a3bce1 100644 --- a/content/response_integrations/power_ups/tools/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/power_ups/tools/resources/ai/actions_ai_description.yaml @@ -1,56 +1,90 @@ Add Alert Scoring Information: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: true + update_email: false + update_identity: false + update_ticket: false ai_description: >- + ### General Description + This action adds an entry to an internal alert scoring database stored within - the alert's context properties. It calculates a cumulative risk score for the - alert based on a weighted ratio system: 5 Low severities equal 1 Medium, 3 Mediums - equal 1 High, and 2 Highs equal 1 Critical. The action updates the alert's overall - score and severity level based on these calculations. + the alert's context properties. It is designed to aggregate multiple security + checks into a single, weighted alert score and severity level. The scoring logic + follows a specific ratio: 5 Low = 1 Medium, 3 Medium = 1 High, and 2 High = 1 + Critical. This allows for a granular yet consolidated view of risk within a single + alert. ### Parameters Description - | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Name | string | Yes | The name of the specific check or rule being performed - on the alert. | + | **Name** | string | Yes | The name of the specific check being performed (e.g., + 'Malicious URL Check'). | - | Description | string | Yes | A detailed description of the check being performed. - | + | **Description** | string | Yes | A detailed description of the check and its + findings. | - | Severity | ddl | Yes | The severity assigned to this specific check. Options: - Informational, Low, Medium, High, Critical. | + | **Severity** | ddl | Yes | The severity of this specific check. Options: Informational, + Low, Medium, High, Critical. | - | Category | string | Yes | The category of the check (e.g., 'Malware', 'Phishing'). - Scores are grouped by category. | + | **Category** | string | Yes | The category used to group related checks (e.g., + 'Phishing', 'Malware'). | - | Source | string | No | Optional. The specific part of the alert the score was - derived from, such as 'Files', 'Email', or 'User'. | + | **Source** | string | No | The specific part of the alert the score was derived + from, such as 'Files', 'Email', or 'User'. | ### Flow Description + 1. **Data Retrieval**: The action retrieves existing scoring information from + the alert's context property `ALERT_SCORE_INFO`. + + 2. **Score Processing**: It parses the existing JSON data and appends the new + score entry to the specified category. If the category does not exist, a new one + is created. - 1. **Extract Parameters:** The action retrieves the check name, description, category, - severity, and optional source from the input. + 3. **Weighted Calculation**: The action recalculates the score for each category + and the overall alert using a weighted ratio logic (e.g., multiple lower-severity + findings can escalate the overall alert severity). - 2. **Retrieve Existing Data:** It fetches the current scoring information (`ALERT_SCORE_INFO`) - from the alert's context properties. If none exists, it initializes an empty list. + 4. **Context Update**: It updates three alert context properties: `ALERT_SCORE_INFO` + (the full JSON audit trail), `ALERT_SCORE` (the numeric aggregate score), and + `ALERT_SEVERITY` (the string representation of the aggregate score). - 3. **Update Scoring Information:** It appends the new score entry to the appropriate - category. If the category doesn't exist, it creates a new one. + 5. **Result Output**: The action returns the updated scoring structure as a JSON + result and sets the final action output to the calculated alert severity. - 4. **Calculate Scores:** It recalculates the score for each category and the overall - alert score using the defined ratio logic (e.g., 5 Low = 1 Medium). - 5. **Persist Data:** The action updates the alert context properties: `ALERT_SCORE_INFO` - (the full JSON list of scores), `ALERT_SCORE` (the numeric risk level), and `ALERT_SEVERITY` - (the string representation of the risk level). + ### Additional Notes - 6. **Output Results:** It returns a JSON representation of the updated scoring - structure and sets the action's final result to the new alert severity. + This action does not interact with external APIs; it functions entirely within + the Google SecOps environment to manage alert-level metadata. capabilities: can_create_case_comments: false can_create_insight: false @@ -61,12 +95,12 @@ Add Alert Scoring Information: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Updates alert context properties (ALERT_SCORE_INFO, ALERT_SCORE, ALERT_SEVERITY) - to track and calculate the overall risk score of the alert. + The action updates alert context properties (ALERT_SCORE_INFO, ALERT_SCORE, + and ALERT_SEVERITY) to store and manage internal scoring metadata. categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -80,6 +114,7 @@ Add Alert Scoring Information: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Add Comment to Entity Log: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -93,26 +128,28 @@ Add Alert Scoring Information: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false - update_alert: true + update_alert: false update_email: false update_identity: false update_ticket: false -Add Comment to Entity Log: ai_description: >- ### General Description - The **Add Comment to Entity Log** action allows users to programmatically append - comments to the internal logs of entities within the Google SecOps environment. - This is primarily used for maintaining an audit trail or providing additional - context for specific entities during an investigation. + The **Add Comment to Entity Log** action allows users to programmatically add + comments to the internal logs of specific entities within Google SecOps. This + is useful for auditing, providing context for future investigations, or documenting + automated findings directly on the entity's record in the Entity Explorer. ### Parameters Description @@ -121,33 +158,35 @@ Add Comment to Entity Log: | :--- | :--- | :--- | :--- | - | **User** | User | Yes | The username or identifier of the person or system creating - the comment. | + | **User** | String | Yes | The username or identifier of the person or system + account that will be credited as the author of the comment. Defaults to `@Administrator`. + | - | **Comment** | Content | Yes | The actual text content of the comment to be added - to the entity log. | + | **Comment** | String | Yes | The actual text content that will be appended to + the entity's log. | ### Flow Description 1. **Parameter Extraction**: The action retrieves the `User` and `Comment` values - from the input parameters. + from the input configuration. - 2. **Entity Iteration**: The action identifies all entities currently in the scope - of the playbook or manual execution. + 2. **Entity Iteration**: The script iterates through all entities currently in + the action's scope (`target_entities`). - 3. **Internal API Call**: For each entity, the action invokes an internal SOAR - API method (`add_comment_to_entity`) to record the comment against that specific - entity's log. + 3. **Internal API Call**: For each entity, it invokes the `add_comment_to_entity` + helper function, which sends a request to the Google SecOps internal API to attach + the comment to the entity's log in the specified environment. - 4. **Completion**: The action generates a summary message listing the entities - that were updated and concludes the execution. + 4. **Result Reporting**: The action compiles a summary message detailing which + entities received the comment and completes the execution. ### Additional Notes - This action does not interact with external systems; it only modifies internal - metadata associated with entities in the SecOps platform. + This action does not modify the entity's attributes (like reputation or tags) + but rather adds a historical log entry visible in the Entity Explorer. It uses + an internal API call to interact with the Google SecOps platform. capabilities: can_create_case_comments: false can_create_insight: false @@ -158,46 +197,47 @@ Add Comment to Entity Log: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Adds a comment to the internal entity log for each entity in scope. + Adds a comment to the internal entity log within Google SecOps for auditing + and documentation purposes. categories: enrichment: false entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -211,6 +251,7 @@ Add Comment to Entity Log: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Add Or Update Alert Additional Data: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -224,45 +265,49 @@ Add Comment to Entity Log: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false - update_alert: false + update_alert: true update_email: false update_identity: false update_ticket: false -Add Or Update Alert Additional Data: ai_description: "### General Description\nThis action allows for the dynamic addition\ - \ or modification of metadata stored within an alert's `additional_data` field\ - \ in Google SecOps. It is designed to facilitate state management and data persistence\ - \ across different stages of a playbook by allowing users to store structured\ - \ JSON or plain text directly on the alert object.\n\n### Parameters Description\n\ - | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ - | Json Fields | string | Yes | The data to be added or updated. This can be a\ - \ JSON-formatted string (representing a Dictionary or List) or plain text. If\ - \ a JSON dictionary is provided, it updates the existing dictionary; if a list\ - \ is provided, it appends to the existing list; otherwise, it populates a general\ - \ 'data' field. |\n\n### Additional Notes\n- The action maintains a specific internal\ - \ structure within the alert's additional data, categorizing inputs into `list`,\ - \ `dict`, or `data` keys to prevent data loss during updates.\n- If the `Json\ - \ Fields` parameter contains invalid JSON, the action will treat the entire input\ - \ as a raw string.\n\n### Flow Description\n1. **Input Retrieval**: The action\ - \ retrieves the value from the `Json Fields` parameter.\n2. **Data Parsing**:\ - \ It attempts to parse the input string into a JSON object (dictionary or list).\ - \ If parsing fails, the input is treated as a standard string.\n3. **Context Retrieval**:\ - \ The action fetches the current alert's existing `additional_data` from Google\ - \ SecOps.\n4. **Merging Logic**: \n - If the input is a **list**, it is appended\ - \ to the existing list in the alert data.\n - If the input is a **dictionary**,\ - \ it updates the existing dictionary in the alert data.\n - If the input is\ - \ a **string**, it overwrites the 'data' field in the alert data.\n5. **Internal\ - \ Update**: The action calls the Google SecOps API to update the alert's `additional_data`\ - \ with the newly merged structure.\n6. **Result Output**: The final accumulated\ - \ data is returned as a JSON result and the action completes." + \ or updating of information within the 'Additional Data' field of a Google SecOps\ + \ alert. It is designed to act as a temporary or persistent storage mechanism\ + \ for data collected during a playbook's execution, enabling subsequent actions\ + \ to access this accumulated context. The action supports structured JSON (dictionaries\ + \ and lists) as well as plain text.\n\n### Parameters Description\n| Parameter\ + \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Json Fields\ + \ | string | Yes | The data to be added to the alert. This can be a raw string,\ + \ a JSON-formatted dictionary, or a JSON-formatted list. If a dictionary is provided,\ + \ it is merged into the existing 'dict' key. If a list is provided, it is appended\ + \ to the 'list' key. Any other input is stored in the 'data' key. |\n\n### Additional\ + \ Notes\n- The action automatically initializes a structured schema within the\ + \ alert's additional data if it doesn't exist, containing 'dict', 'list', and\ + \ 'data' keys.\n- If the input string is not valid JSON, it will be treated as\ + \ a standard string and stored in the 'data' field.\n\n### Flow Description\n\ + 1. **Input Parsing**: The action retrieves the 'Json Fields' parameter and attempts\ + \ to parse it as a JSON object (dictionary or list). If parsing fails, it treats\ + \ the input as a raw string.\n2. **Data Retrieval**: It fetches the current alert's\ + \ existing 'additional_data' content.\n3. **Structure Normalization**: If the\ + \ existing data is empty or lacks the standard keys ('dict', 'list', 'data'),\ + \ the action initializes them to ensure a consistent data structure.\n4. **Data\ + \ Merging**: \n - If the input is a **List**, it extends the existing list\ + \ in the alert data.\n - If the input is a **Dictionary**, it updates the existing\ + \ dictionary in the alert data with the new key-value pairs.\n - If the input\ + \ is a **String**, it overwrites the 'data' field with the new value.\n5. **Internal\ + \ Update**: The action calls the Google SecOps API to update the alert's metadata\ + \ with the newly merged JSON structure.\n6. **Output**: The final accumulated\ + \ data is returned as a JSON result for use in the playbook." capabilities: can_create_case_comments: false can_create_insight: false @@ -274,11 +319,11 @@ Add Or Update Alert Additional Data: fetches_data: false internal_data_mutation_explanation: >- Updates the 'additional_data' field of the current alert within Google SecOps - to store or modify metadata. + to store or merge context for playbook execution. categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -292,6 +337,7 @@ Add Or Update Alert Additional Data: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Append to Context Value: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -305,42 +351,48 @@ Add Or Update Alert Additional Data: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: true update_email: false update_identity: false update_ticket: false -Append to Context Value: - ai_description: "Appends a specified string value to an existing context property\ - \ or creates a new context property if the key does not exist. This action allows\ - \ for the aggregation of data within the scope of an Alert, a Case, or Globally\ - \ across the environment. It is primarily used for maintaining state or collecting\ - \ multiple values (like a list of IDs or names) during playbook execution.\n\n\ - ### Parameters\n| Parameter | Type | Mandatory | Description |\n| :--- | :---\ - \ | :--- | :--- |\n| Scope | ddl | Yes | The level at which the context property\ - \ exists. Options are 'Alert', 'Case', or 'Global'. |\n| Key | string | Yes |\ - \ The unique identifier (name) of the context property to modify or create. |\n\ - | Value | string | Yes | The string value to be appended to the existing property.\ - \ |\n| Delimiter | string | Yes | The character or string used to separate the\ - \ existing value from the new value (e.g., a comma or semicolon). Default is ','.\ - \ |\n\n### Flow Description\n1. **Parameter Extraction:** The action retrieves\ - \ the 'Scope', 'Key', 'Value', and 'Delimiter' from the input parameters.\n2.\ - \ **Context Retrieval:** Based on the selected 'Scope', the action attempts to\ - \ fetch the current value of the context property associated with the provided\ - \ 'Key'.\n3. **Value Concatenation:** \n * If the property already exists,\ - \ the action appends the new 'Value' to the existing string, separated by the\ - \ 'Delimiter'.\n * If the property does not exist, the action initializes the\ - \ property with the provided 'Value'.\n4. **Context Update:** The action saves\ - \ the updated (or new) value back to the specified context scope (Alert, Case,\ - \ or Global).\n5. **Completion:** The action returns a success message and the\ - \ final concatenated string as the result." + ai_description: "### General Description\nAppends a specified string value to an\ + \ existing context property or creates a new context property if the key does\ + \ not already exist. This action is designed to facilitate data accumulation across\ + \ playbook steps by storing values in a structured format using a delimiter. It\ + \ supports three distinct scopes: Alert, Case, and Global.\n\n### Parameters Description\n\ + | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ + | **Scope** | DDL | Yes | Determines the storage scope for the context property.\ + \ Options are 'Alert' (specific to the current alert), 'Case' (shared across the\ + \ entire case), or 'Global' (shared across the environment). Default is 'Alert'.\ + \ |\n| **Key** | String | Yes | The unique identifier/name of the context property\ + \ to be updated or created. |\n| **Value** | String | Yes | The string value to\ + \ append to the existing property or to set as the initial value. |\n| **Delimiter**\ + \ | String | Yes | The character or string used to separate the existing value\ + \ from the new value when appending. Default is a comma (','). |\n\n### Flow Description\n\ + 1. **Parameter Extraction:** The action retrieves the `Scope`, `Key`, `Value`,\ + \ and `Delimiter` from the input configuration.\n2. **Context Retrieval:** Based\ + \ on the selected `Scope`, the action attempts to fetch the current value of the\ + \ specified `Key` from the internal Google SecOps context storage using scope-specific\ + \ methods (`get_alert_context_property`, `get_case_context_property`, or a custom\ + \ global getter).\n3. **Value Processing:** \n * If the key already contains\ + \ data, the action concatenates the existing value, the provided delimiter, and\ + \ the new value.\n * If the key is empty or does not exist, the action initializes\ + \ it with the provided value.\n4. **Context Update:** The updated string is saved\ + \ back into the corresponding context scope (Alert, Case, or Global) using scope-specific\ + \ methods (`set_alert_context_property`, `set_case_context_property`, or a custom\ + \ global setter).\n5. **Completion:** The action returns a success message indicating\ + \ whether the value was appended to an existing key or a new key was created." capabilities: can_create_case_comments: false can_create_insight: false @@ -351,12 +403,12 @@ Append to Context Value: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Updates or creates context properties within the Google SecOps platform at the - Alert, Case, or Global scope. + The action modifies internal context properties at the Alert, Case, or Global + level to store and accumulate data for use in playbooks. categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -370,6 +422,7 @@ Append to Context Value: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Assign Case to User: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -383,59 +436,69 @@ Append to Context Value: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: true update_email: false update_identity: false update_ticket: false -Assign Case to User: ai_description: >- ### General Description This action assigns a specific user to a case within Google SecOps. It is primarily - used for workflow automation to ensure that cases are routed to the correct analyst - or administrator for investigation. + used for workflow orchestration to ensure that cases are routed to the correct + analysts or administrators for investigation. This action interacts with the internal + SOAR API to update the case ownership. ### Parameters Description - | Parameter Name | Description | Type | Mandatory | Additional Notes | - | :--- | :--- | :--- | :--- | :--- | + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | - | Case Id | The unique identifier of the case to which the user will be assigned. - | String | Yes | | + | Case Id | String | Yes | The unique identifier of the case that needs to be + assigned. | - | Assign To | The username or identifier of the user who will be assigned to the - case. | String | Yes | Default value is '@Admin'. | + | Assign To | String | Yes | The username or identifier of the user to whom the + case will be assigned (e.g., '@Admin'). | - | Alert Id | The unique identifier of the alert associated with the case. | String - | Yes | | + | Alert Id | String | Yes | The unique identifier of the alert associated with + the case. | - ### Flow Description + ### Additional Notes - 1. **Parameter Extraction**: The action retrieves the `Case Id`, `Assign To` (target - user), and `Alert Id` from the input parameters. + - This action performs an internal state change within the Google SecOps SOAR + platform by updating the case ownership. - 2. **API Interaction**: It calls the internal SOAR API function `assign_case_to_user` - using the provided identifiers. + - It does not interact with external third-party APIs. - 3. **Execution Completion**: The action logs the result of the assignment operation - and terminates with a success status. + - It does not process or require any entities to run. - ### Additional Notes + ### Flow Description + + 1. **Parameter Extraction**: The action retrieves the `Case Id`, `Assign To` user, + and `Alert Id` from the input parameters. - This action performs an internal state change within the Google SecOps platform - and does not interact with external third-party integrations. + 2. **API Call**: It utilizes the `assign_case_to_user` utility from the `TIPCommon` + library to communicate with the internal SOAR API. + + 3. **Assignment**: The internal API updates the case record to reflect the new + assignee. + + 4. **Completion**: The action logs the result and terminates successfully. capabilities: can_create_case_comments: false can_create_insight: false @@ -446,12 +509,11 @@ Assign Case to User: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Updates the assignee field of a case and its associated alert within the Google - SecOps platform. + Updates the case record within Google SecOps to assign it to a specific user. categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -465,6 +527,7 @@ Assign Case to User: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Attach Playbook to Alert: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -478,58 +541,64 @@ Assign Case to User: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: true update_email: false update_identity: false update_ticket: false -Attach Playbook to Alert: ai_description: >- - Attaches one or more playbooks or blocks to a specific alert within a Google SecOps - case. This action allows for automated workflow triggering by dynamically linking - playbooks based on provided names. It supports handling multiple playbooks via - a comma-separated list and includes logic to prevent or allow duplicate attachments - based on user configuration. + ### General Description + This action attaches one or more playbooks (or blocks) to a specific alert within + Google SecOps. It is primarily used to dynamically trigger additional automated + workflows based on the logic or findings of a parent playbook. The action can + handle multiple playbook names provided as a comma-separated list and includes + logic to prevent or allow duplicate attachments. - ### Parameters + + ### Parameters Description | Parameter Name | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Playbook Name | String | True | A comma-separated list of playbook names that - should be attached to the alert. | + | Playbook Name | String | Yes | A comma-separated list of the names of the playbooks + or blocks that should be attached to the alert. | - | Allow Duplicates | Boolean | False | If set to `true` (default), the action - will attach the playbook even if it is already attached to the alert. If `false`, - it will skip playbooks that are already present. | + | Allow Duplicates | Boolean | No | If set to `true` (default), the action will + attach the playbook even if it is already attached to the alert. If `false`, it + will skip playbooks that are already present. | ### Flow Description - 1. **Fetch Existing Workflows:** The action identifies the current alert and retrieves - a list of all playbooks currently attached to it using the `get_workflow_instance_card` - API. + 1. **Parameter Extraction**: The action retrieves the list of playbook names and + the duplicate attachment policy from the input parameters. - 2. **Parse Input:** The `Playbook Name` string is split by commas and cleaned - of whitespace to create a list of target playbooks. + 2. **Fetch Existing Workflows**: It identifies the current alert and calls the + internal API to retrieve a list of playbooks already attached to that specific + alert. - 3. **Duplicate Check:** If `Allow Duplicates` is disabled, the action compares - the target list against the already attached playbooks. + 3. **Validation and Filtering**: The action iterates through the requested playbook + names. If `Allow Duplicates` is disabled, it checks the requested names against + the list of already attached playbooks. - 4. **Attachment Execution:** For each valid playbook name, the action calls the - internal SDK method `attach_workflow_to_case` to link the playbook to the alert. + 4. **Attachment**: For each valid playbook name, it invokes the `attach_workflow_to_case` + method to link the playbook to the alert context. - 5. **Reporting:** The action aggregates the results, providing a summary of successfully - attached playbooks, skipped duplicates, and any failures (e.g., due to misspellings). + 5. **Reporting**: The action compiles a summary message indicating which playbooks + were successfully attached, which were skipped as duplicates, and which failed + (e.g., due to spelling errors). capabilities: can_create_case_comments: false can_create_insight: false @@ -540,12 +609,12 @@ Attach Playbook to Alert: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Attaches new workflow instances (playbooks) to an existing alert within the - Google SecOps platform, changing the state of the case. + Attaches one or more playbooks or blocks to a specific alert within the Google + SecOps platform. categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -559,6 +628,7 @@ Attach Playbook to Alert: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Attach Playbook to All Case Alerts: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -572,58 +642,57 @@ Attach Playbook to Alert: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: true update_email: false update_identity: false update_ticket: false -Attach Playbook to All Case Alerts: ai_description: >- - Attaches a specified playbook (workflow) to all alerts associated with the current - case in Google SecOps. This action is designed to standardize the response process - by ensuring that every alert within a case is governed by the same automated logic. + ### General Description + The **Attach Playbook to All Case Alerts** action programmatically assigns a specified + playbook to every alert within a Google SecOps case. This ensures consistent automated + response workflows across all alerts in an investigation. - ### Flow Description: - 1. **Parameter Retrieval:** The action retrieves the 'Playbook Name' provided - by the user. + ### Parameters Description - 2. **Alert Iteration:** It iterates through every alert currently linked to the - active case. + | Parameter | Type | Mandatory | Description | - 3. **Playbook Attachment:** For each alert, it invokes the internal system method - to attach the specified playbook using the case ID and alert identifier. + | :--- | :--- | :--- | :--- | - 4. **Outcome Reporting:** The action tracks the success of the attachment and - returns a summary message indicating whether the playbook was successfully applied - to the alerts. + | **Playbook Name** | String | Yes | The exact name of the playbook to attach + to all alerts in the case. | - ### Parameters Description: + ### Flow Description - | Parameter Name | Description | Type | Mandatory | + 1. **Input Retrieval**: Retrieves the `Playbook Name` from the action parameters. - | :--- | :--- | :--- | :--- | + 2. **Alert Iteration**: Accesses the current case and iterates through all associated + alerts. - | Playbook Name | The exact name of the playbook/workflow that should be attached - to all alerts in the case. | String | Yes | + 3. **Workflow Attachment**: For each alert, it calls the internal API to attach + the specified playbook using the alert's identifier. + 4. **Status Reporting**: Returns a success or failure message based on the attachment + process. - ### Additional Notes: - - This action modifies the state of alerts within the Google SecOps platform by - assigning workflows to them. + ### Additional Notes - - It does not interact with external third-party APIs; it performs internal orchestration - within the SOAR environment. + This action operates entirely within the Google SecOps environment and does not + interact with external systems. capabilities: can_create_case_comments: false can_create_insight: false @@ -634,12 +703,12 @@ Attach Playbook to All Case Alerts: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Attaches a specified playbook (workflow) to all alerts within the current case, - changing the automation state of those alerts. + Attaches a specified playbook to all alerts within the current case, modifying + the workflow associated with those alerts. categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -653,6 +722,7 @@ Attach Playbook to All Case Alerts: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Buffer: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -666,39 +736,45 @@ Attach Playbook to All Case Alerts: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false - update_alert: true + update_alert: false update_email: false update_identity: false update_ticket: false -Buffer: - ai_description: "### General Description\nThe **Buffer** action is a utility tool\ - \ designed to receive a JSON string and return it as a structured JSON object\ - \ within the Google SecOps platform. This is primarily used in playbooks to transform\ - \ string-based data into a format that can be easily accessed and parsed by subsequent\ - \ actions. It also allows for setting a custom script result value.\n\n### Parameters\ - \ Description\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- |\ - \ :--- | :--- |\n| ResultValue | String | No | The value that will be returned\ - \ as the primary script result of the action. |\n| JSON | String | No | A string\ - \ representing a JSON object. If provided, the action attempts to parse this string\ - \ and return it as structured JSON data. |\n\n### Flow Description\n1. **Parameter\ - \ Retrieval**: The action retrieves the `JSON` and `ResultValue` inputs from the\ - \ environment.\n2. **JSON Parsing**: If the `JSON` parameter is provided, the\ - \ script attempts to deserialize the string using `json.loads()`.\n3. **Data Attachment**:\ - \ \n * If parsing is successful, the resulting object is added to the action's\ - \ result JSON and also stored under the key 'Json'.\n * If parsing fails, an\ - \ error message is appended to the output message.\n4. **Completion**: The action\ - \ terminates, returning the `ResultValue` as the script result and providing a\ - \ status message indicating whether the input values were successfully processed.\n\ - \n### Additional Notes\n* This action does not interact with external APIs or\ - \ modify entities; it is strictly a data manipulation utility." + ai_description: "### General Description\n\nThe **Buffer** action is a utility tool\ + \ within the Tools integration designed to facilitate data handling and flow control\ + \ within playbooks. Its primary purpose is to receive a JSON string and a result\ + \ value as inputs and 'buffer' them into the action's output. This is particularly\ + \ useful for converting string-based JSON data into a structured format that subsequent\ + \ playbook actions can easily consume, or for explicitly setting the result value\ + \ of a step to control playbook logic flow.\n\n### Parameters Description\n\n\ + | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ + | **JSON** | String | No | A JSON-formatted string. If provided, the action attempts\ + \ to parse this string and include the resulting object in the action's JSON results.\ + \ |\n| **ResultValue** | String | No | A string value that will be returned as\ + \ the primary result of the action. This is often used for conditional branching\ + \ in playbooks. |\n\n### Flow Description\n\n1. **Parameter Retrieval:** The action\ + \ starts by retrieving the `JSON` and `ResultValue` inputs from the playbook context.\n\ + 2. **JSON Parsing:** If the `JSON` parameter is populated, the script attempts\ + \ to deserialize the string into a structured JSON object using `json.loads()`.\n\ + 3. **Result Attachment:** \n * If parsing is successful, the structured data\ + \ is added to the action's result JSON using `add_result_json` and `add_json`\ + \ (under the key 'Json').\n * If parsing fails, an error message is appended\ + \ to the final output message.\n4. **Action Completion:** The action concludes\ + \ by calling `siemplify.end()` with a status message and the provided `ResultValue`.\n\ + \n### Additional Notes\n\n* This action does not interact with any external APIs\ + \ or modify any SecOps entities.\n* It serves strictly as a data transformation\ + \ and flow control utility." capabilities: can_create_case_comments: false can_create_insight: false @@ -712,7 +788,7 @@ Buffer: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -726,6 +802,7 @@ Buffer: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Change Case Name: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -739,40 +816,69 @@ Buffer: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Change Case Name: - ai_description: "### General Description\nThis action changes the title (name) of\ - \ the current case within Google SecOps. It is primarily used for case management\ - \ and organization, allowing playbooks to dynamically rename cases based on logic\ - \ or specific alert attributes. \n\n### Parameters Description\n| Parameter |\ - \ Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| New Name\ - \ | String | No | The new title to be assigned to the case. |\n| Only If First\ - \ Alert | Boolean | No | If set to `True`, the action will only rename the case\ - \ if the current alert being processed is the chronologically first alert (based\ - \ on detection time) associated with the case. Defaults to `False`. |\n\n### Additional\ - \ Notes\n- If the `Only If First Alert` condition is not met, the action will\ - \ complete successfully but will not modify the case name.\n- This action interacts\ - \ with the internal Google SecOps API to perform the update.\n\n### Flow Description\n\ - 1. **Sort Alerts:** The action retrieves all alerts associated with the current\ - \ case and sorts them by their `detected_time` to identify the chronological order.\n\ - 2. **Condition Check:** It evaluates the `Only If First Alert` parameter. If `True`,\ - \ it compares the identifier of the current alert with the identifier of the first\ - \ alert in the sorted list.\n3. **Rename Case:** If the condition is met (or if\ - \ the parameter is `False`), the action calls the `rename_case` utility to update\ - \ the case title using the provided `New Name`.\n4. **Finalize:** The action returns\ - \ a success message indicating whether the title was changed or skipped based\ - \ on the alert order logic." + ai_description: >- + ### General Description + + This action changes the title (name) of a case within Google SecOps. It is primarily + used for case management and organization, allowing playbooks to dynamically rename + cases based on specific logic or findings. The action can be configured to execute + conditionally based on whether the current alert is the first alert in the case. + + + ### Parameters Description + + | Parameter Name | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | New Name | String | Yes | The new title to be assigned to the case. | + + | Only If First Alert | Boolean | No | If set to `True`, the action will only + rename the case if it is being executed in the context of the chronologically + first alert (based on detection time) within that case. Default is `False`. | + + + ### Additional Notes + + - While `New Name` is marked as not mandatory in the configuration file, the action + logic requires a value to perform the rename operation. + + - If `Only If First Alert` is enabled and the action is triggered by a subsequent + alert, the case name will remain unchanged. + + + ### Flow Description + + 1. **Initialization**: The action retrieves the `New Name` and `Only If First + Alert` parameters from the input. + + 2. **Alert Sorting**: It retrieves all alerts associated with the current case + and sorts them by their `detected_time` to establish chronological order. + + 3. **Condition Check**: If `Only If First Alert` is enabled, the action compares + the identifier of the current alert with the identifier of the first alert in + the sorted list. + + 4. **Execution**: If the condition is met (or if the condition check is disabled), + the action calls the internal SOAR API `rename_case` to update the case title. + + 5. **Completion**: The action concludes by providing an output message indicating + whether the name was changed or if it was skipped due to the 'First Alert' constraint. capabilities: can_create_case_comments: false can_create_insight: false @@ -783,12 +889,11 @@ Change Case Name: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - This action modifies the 'title' attribute of the Case object within Google - SecOps. + Updates the title (name) of the case within the Google SecOps platform. categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -802,6 +907,7 @@ Change Case Name: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Check Entities Fields In Text: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -815,85 +921,86 @@ Change Case Name: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Check Entities Fields In Text: ai_description: >- - This action allows for searching specific fields within each entity in the scope - (or multiple fields using regex) and comparing them with one or more values provided - in a text input. The action uses regular expressions to identify fields, extract - values from those fields, and process the search data. A match is identified if - the processed value from the entity enrichment matches any of the processed values - in the search data. + ### General Description + This utility action allows for the comparison of specific entity fields against + a provided text block using regular expressions. It is designed to identify matches + between threat intelligence or enrichment data already associated with entities + and external text data (such as email bodies, logs, or event descriptions). The + action can optionally tag entities that meet the match criteria with a custom + property. - ### Flow Description: - 1. **Parameter Parsing:** The action parses the `FieldsInput` and `SearchInData` - JSON strings to determine which entity fields to inspect and what data to search - against. + ### Parameters Description - 2. **Field Identification:** For each entity in the scope, the action scans its - `additional_properties`. It identifies fields either by an exact `FieldName` or - by matching keys against a `RegexForFieldName`. + | Parameter | Type | Mandatory | Description | - 3. **Value Extraction:** Once a field is identified, the action retrieves its - value. If `RegexForFieldValue` is provided, it applies the regex to the value - to extract specific sub-strings. + | :--- | :--- | :--- | :--- | - 4. **Search Data Preparation:** The action processes the `SearchInData` by applying - the provided `RegEx` to the `Data` strings to isolate the target search strings. + | SearchInData | string | True | A JSON array of objects containing the text to + search in and an optional regex to pre-process that text. Format: `[{"Data": "text", + "RegEx": "pattern"}]`. | - 5. **Comparison Logic:** The action compares the extracted entity values against - the prepared search strings. This comparison respects the `IsCaseSensitive` toggle. + | FieldsInput | string | True | A JSON array of objects defining which entity + fields to extract and compare. Supports direct field names or regex patterns for + field names and values. Format: `[{"FieldName": "name", "RegexForFieldName": "pattern", + "RegexForFieldValue": "pattern"}]`. | - 6. **Internal Mutation (Optional):** If a match is found and `ShouldEnrichEntity` - is configured, the action updates the entity's `additional_properties` by adding - the specified key with a value of `True`. + | ShouldEnrichEntity | string | False | If provided, this string will be used + as a key in the entity's additional properties, set to `True` if a match is found. + | - 7. **Results Reporting:** The action compiles a detailed JSON result mapping entity - identifiers to their match results and returns the count of successful matches. + | IsCaseSensitive | boolean | False | Determines if the string comparison between + the entity field and the search data should be case-sensitive. Default is `false`. + | - ### Parameters Description: + ### Additional Notes - | Parameter | Type | Mandatory | Description | + - The action primarily interacts with the `additional_properties` attribute of + entities. - | :--- | :--- | :--- | :--- | + - If `ShouldEnrichEntity` is configured, the action will perform an internal mutation + by updating the entity's properties in Google SecOps. - | SearchInData | String (JSON) | Yes | A JSON array of objects: `[{"Data": "...", - "RegEx": "..."}]`. Defines the text blocks to search in and the regex to apply - to them. | - | FieldsInput | String (JSON) | Yes | A JSON array of objects: `[{"FieldName": - "...", "RegexForFieldName": "...", "RegexForFieldValue": "..."}]`. Defines which - entity properties to check and how to extract values. | + ### Flow Description - | ShouldEnrichEntity | String | No | If provided, this string is used as a key - in the entity's additional properties. If a match is found, this key is set to - `True`. | + 1. **Initialization**: Parses the input JSON parameters (`FieldsInput` and `SearchInData`) + and matching configurations. - | IsCaseSensitive | Boolean | No | If set to `True`, the string comparison between - entity values and search data will be case-sensitive. Defaults to `False`. | + 2. **Data Extraction**: Iterates through all entities in the current scope. For + each entity, it extracts values from `additional_properties` based on the provided + `FieldName` or `RegexForFieldName`. If `RegexForFieldValue` is provided, it further + filters the extracted value. + 3. **Search Preparation**: Processes the `SearchInData` by applying the specified + regex to the raw text strings to isolate the relevant content for comparison. - ### Additional Notes: + 4. **Comparison**: Performs a substring match check between the extracted entity + values and the processed search strings, respecting the `IsCaseSensitive` flag. - - This action is primarily a logic and utility tool for cross-referencing entity - metadata with external text or event data within a playbook. + 5. **Internal Update**: If a match is found and `ShouldEnrichEntity` is set, the + action adds the specified key to the entity's properties. - - The action relies heavily on the `additional_properties` attribute of entities, - which is typically populated by previous enrichment actions. + 6. **Finalization**: Updates the entities in the system, attaches a detailed JSON + result of all matches, and returns the count of successfully matched entities. capabilities: can_create_case_comments: false can_create_insight: false @@ -904,47 +1011,47 @@ Check Entities Fields In Text: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - The action can update entity additional properties with a custom match flag - if the 'ShouldEnrichEntity' parameter is provided. + Updates the 'additional_properties' of entities with a custom tag if a match + is found between the entity fields and the provided text. categories: enrichment: false entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: true filters_by_alert_identifier: false filters_by_case_identifier: false @@ -958,6 +1065,7 @@ Check Entities Fields In Text: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Check List Subset: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -971,39 +1079,42 @@ Check Entities Fields In Text: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Check List Subset: - ai_description: "Checks if all elements of a 'Subset' list are present within an\ - \ 'Original' list. This utility action is designed for logic branching within\ - \ playbooks, allowing analysts to verify if a specific set of values (e.g., a\ - \ list of detected hashes) is entirely contained within a reference list (e.g.,\ - \ a known allowlist or a previous search result).\n\n### Parameters Description\n\ - \n| Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :---\ - \ |\n| Original | String | Yes | The master list to check against. Can be provided\ - \ as a JSON-formatted list (e.g., `[\"a\", \"b\"]`) or a comma-separated string\ - \ (e.g., `a, b`). |\n| Subset | String | Yes | The list of items to verify. Can\ - \ be provided as a JSON-formatted list or a comma-separated string. |\n\n### Flow\ - \ Description\n\n1. **Parameter Extraction:** The action retrieves the `Original`\ - \ and `Subset` strings from the action parameters.\n2. **Data Parsing:** It attempts\ - \ to parse each input as a JSON list. If JSON parsing fails, it falls back to\ - \ splitting the string by commas, stripping whitespace, and converting numeric\ - \ strings to integers.\n3. **Set Comparison:** Both parsed lists are converted\ - \ into Python sets. The action then performs a subset comparison (`subset <= original`).\n\ - 4. **Result Reporting:** \n * If the subset condition is met, the action\ - \ returns `true` with a success message.\n * If the subset condition is not\ - \ met, the action returns `false` and provides a message listing the specific\ - \ items found in the subset that were missing from the original list." + ai_description: "### General Description\nThe **Check List Subset** action is a\ + \ utility tool designed to compare two lists and determine if one (the 'Subset')\ + \ is entirely contained within the other (the 'Original'). This is particularly\ + \ useful in playbook logic for validating if a set of observed values matches\ + \ a predefined whitelist or a collection of expected attributes.\n\n### Parameters\ + \ Description\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- |\ + \ :--- | :--- |\n| **Original** | String | Yes | The master list of items to check\ + \ against. This can be provided as a JSON-formatted list (e.g., `[\"a\", \"b\"\ + ]`) or a comma-separated string (e.g., `a, b`). |\n| **Subset** | String | Yes\ + \ | The list of items to verify. This can be provided as a JSON-formatted list\ + \ or a comma-separated string. |\n\n### Flow Description\n1. **Parameter Extraction**:\ + \ The action retrieves the `Original` and `Subset` strings from the input parameters.\n\ + 2. **Data Parsing**: It attempts to parse each input as a JSON list. If JSON parsing\ + \ fails, it falls back to splitting the string by commas, stripping whitespace,\ + \ and converting numeric strings to integers.\n3. **Subset Validation**: The action\ + \ converts both lists into sets and performs a subset comparison (`subset <= original`).\n\ + 4. **Result Generation**: \n * If the subset condition is met, it returns a\ + \ success message.\n * If items in the 'Subset' are missing from the 'Original',\ + \ it identifies the specific missing items and includes them in the output message.\n\ + 5. **Action Completion**: The action ends by returning a boolean result (`True`\ + \ for subset match, `False` otherwise) and the descriptive message." capabilities: can_create_case_comments: false can_create_insight: false @@ -1017,7 +1128,7 @@ Check List Subset: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1031,6 +1142,7 @@ Check List Subset: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Convert Into Simulated Case: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1044,103 +1156,106 @@ Check List Subset: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Convert Into Simulated Case: - ai_description: >- - ### General Description - - This action converts alert data into a format compatible with the Google SecOps - Simulator. It specifically retrieves raw alert content stored within an entity's - additional properties (the `SourceFileContent` attribute), normalizes event-level - fields such as class IDs and names, and prepares the data for simulation. The - action can either push the resulting case directly to the SecOps Simulator or - save it as a downloadable `.case` file on the Case Wall. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Push to Simulated Cases | Boolean | No | If set to `true`, the action will push - the generated case JSON to the SecOps Simulator using the `import_simulator_custom_case` - method. Default is `false`. | - - | Save JSON as Case Wall File | Boolean | No | If set to `true`, the action will - encode the case JSON and attach it as a downloadable `.case` file to the Case - Wall. Default is `true`. | - - | Override Alert Name | String | No | Allows the user to manually specify a name - for the generated case, overriding any automated naming logic. | - - | Full path name | Boolean | No | If set to `true`, the action constructs the - case name using a combination of the `SourceSystemName`, `DeviceProduct`, and - the original alert name. Default is `false`. | - - - ### Additional Notes - - * This action requires the first entity of the current alert to have a property - named `SourceFileContent` containing the JSON representation of the alert data. - If this property is missing, the action will log an error and terminate. - - * The action performs internal normalization on the `Events` list within the JSON, - ensuring `DeviceEventClassId` and `Name` fields are correctly populated in the - raw data fields. - - - ### Flow Description - - 1. **Parameter Extraction:** The action retrieves the configuration for pushing - to the simulator, saving to the case wall, and naming overrides. - - 2. **Data Retrieval:** It accesses the first entity associated with the current - alert and extracts the JSON string from the `SourceFileContent` additional property. - - 3. **Data Normalization:** It iterates through the events in the extracted data, - mapping `DeviceEventClassId` or `deviceEventClassId` to the raw data fields to - ensure consistency. - - 4. **Naming Logic:** It determines the final name of the case based on the `Full - path name` or `Override Alert Name` parameters. - - 5. **Simulator Integration:** If `Push to Simulated Cases` is enabled, it calls - the simulator API to import the custom case. - - 6. **Case Wall Attachment:** If `Save JSON as Case Wall File` is enabled, it base64-encodes - the JSON and adds it as an attachment to the case wall. - - 7. **Completion:** The action returns the final JSON structure as the script result - and completes the execution. + ai_description: "### General Description\nConverts alert data into a format suitable\ + \ for the Google SecOps Case Simulator. This action extracts raw event data from\ + \ an entity's additional properties, transforms it into a standardized case JSON\ + \ structure, and provides options to either push the case directly to the simulator\ + \ or save it as a file attachment on the case wall for manual import.\n\n### Parameters\ + \ Description\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- |\ + \ :--- | :--- |\n| Push to Simulated Cases | boolean | No | If set to `true`,\ + \ the action will automatically import the generated case JSON into the Google\ + \ SecOps Simulator via the SOAR API. |\n| Save JSON as Case Wall File | boolean\ + \ | No | If set to `true`, the action will base64-encode the generated JSON and\ + \ attach it as a `.case` file to the case wall for manual download. |\n| Override\ + \ Alert Name | string | No | Allows the user to specify a custom name for the\ + \ simulated case, overriding the default name derived from the source data. |\n\ + | Full path name | boolean | No | If set to `true`, the action constructs the\ + \ case name using the format: `SourceSystemName_DeviceProduct_Name`. |\n\n###\ + \ Additional Notes\n* The action specifically targets the **first entity** of\ + \ the current alert and expects it to contain a `SourceFileContent` property within\ + \ its `additional_properties` attribute. If this property is missing or contains\ + \ invalid JSON, the action will fail.\n* This action is primarily used for testing\ + \ and simulation purposes within the Google SecOps platform.\n\n### Flow Description\n\ + 1. **Initialization**: The action initializes the Siemplify context and extracts\ + \ the user-provided parameters for simulation, file storage, and naming conventions.\n\ + 2. **Data Retrieval**: It accesses the first entity of the current alert and retrieves\ + \ the `SourceFileContent` string from its `additional_properties`.\n3. **Data\ + \ Transformation**: The action parses the JSON content and normalizes event fields,\ + \ specifically ensuring that `DeviceEventClassId` and `Name` are correctly mapped\ + \ within the event list.\n4. **Naming Logic**: It determines the final name of\ + \ the case based on whether `Full path name` is enabled or if an `Override Alert\ + \ Name` has been provided.\n5. **Simulation and Storage**: \n * If `Push to\ + \ Simulated Cases` is enabled, it calls the internal SOAR API to import the case\ + \ into the simulator.\n * If `Save JSON as Case Wall File` is enabled, it base64-encodes\ + \ the JSON and adds it as an attachment to the case wall.\n6. **Finalization**:\ + \ The action outputs the processed JSON as a result and completes the execution\ + \ with a status message." capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false - can_mutate_external_data: true + can_mutate_external_data: false can_mutate_internal_data: true can_update_entities: false - external_data_mutation_explanation: >- - Pushes case definition data to the Google SecOps Simulator API to create or - update simulated cases. + external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Adds a .case file attachment to the Case Wall of the current alert. + Imports a new case into the Google SecOps Case Simulator via the SOAR API and + adds a file attachment to the case wall. categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1154,6 +1269,7 @@ Convert Into Simulated Case: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Create Entities with Separator: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1167,27 +1283,29 @@ Convert Into Simulated Case: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false - update_alert: false + update_alert: true update_email: false update_identity: false update_ticket: false -Create Entities with Separator: ai_description: >- ### General Description The **Create Entities with Separator** action allows users to dynamically create - and add multiple entities to a Google SecOps alert. It takes a string of identifiers, - splits them using a configurable separator, and injects them into the case context. - This is particularly useful for processing bulk data from logs or external systems - that need to be represented as formal entities within the SOAR platform. + multiple entities and attach them to a specific alert within Google SecOps. It + takes a delimited string of identifiers, splits them based on a user-defined separator, + and creates new entities of a specified type. Additionally, it can populate the + created entities with custom enrichment data provided in JSON format. ### Parameters Description @@ -1196,54 +1314,59 @@ Create Entities with Separator: | :--- | :--- | :--- | :--- | - | **Entities Identifiers** | String | Yes | A string containing one or more entity - identifiers (e.g., IP addresses, hostnames) to be added to the alert. | + | Entities Identifiers | String | Yes | A string containing one or more entity + identifiers to be created, separated by the defined separator. | - | **Entity Type** | EntityType | Yes | The specific Siemplify entity type to assign - to the created entities (e.g., ADDRESS, HOSTNAME, USERNAME). | + | Entity Type | Entity Type | Yes | The Google SecOps entity type to assign to + the new entities (e.g., HOSTNAME, USERNAME, ADDRESS). | - | **Is Internal** | Boolean | No | If set to `true`, the created entities will - be marked as internal to the network. Default is `false`. | + | Is Internal | Boolean | No | If set to true, the created entities will be marked + as part of the internal network. Defaults to false. | - | **Entities Separator** | String | Yes | The character used to split the `Entities - Identifiers` string. Default is a comma (`,`). | + | Entities Separator | String | Yes | The character used to split the 'Entities + Identifiers' string. Defaults to a comma (','). | - | **Enrichment JSON** | Code | No | A JSON object containing additional data to - be attached to the entities as enrichment. | + | Enrichment JSON | Code | No | A JSON object containing key-value pairs to be + added to the entity's 'additional_properties'. | - | **PrefixForEnrichment** | String | No | An optional prefix to prepend to the - keys in the `Enrichment JSON` data. | + | PrefixForEnrichment | String | No | An optional prefix to be added to the keys + of the enrichment data before it is attached to the entity. | ### Additional Notes - - If the **Entity Type** is set to `ADDRESS`, the action performs a validation + - If the 'Entity Type' is set to **ADDRESS**, the action will perform a validation check to ensure the identifier is a valid IP address before creation. - - The action checks for existing entities within the alert to prevent the creation - of duplicates. + - The action checks for existing entities in the alert to avoid creating duplicates. + If an entity with the same identifier already exists, the creation for that specific + identifier will be skipped. - - If **Enrichment JSON** is provided, the action will populate the `additional_properties` - of the newly created entities. + - All identifiers are converted to uppercase during processing. ### Flow Description - 1. **Input Parsing:** The action retrieves the list of identifiers and splits - them based on the provided **Entities Separator**. + 1. **Parameter Parsing:** The action retrieves the input identifiers, the separator, + the target entity type, and any optional enrichment JSON. + + 2. **Splitting:** The 'Entities Identifiers' string is split into a list using + the provided 'Entities Separator'. + + 3. **Duplicate Check:** The action fetches all existing entities currently associated + with the alert and compares their identifiers (case-insensitive) against the new + list. - 2. **Enrichment Preparation:** If **Enrichment JSON** is provided, it parses the - JSON and applies the **PrefixForEnrichment** if specified. + 4. **Validation:** If the target type is 'ADDRESS', each identifier is validated + as a valid IP address using the `ipaddress` library. - 3. **Duplicate Check:** It retrieves all existing entities currently associated - with the alert to ensure no duplicate identifiers are processed. + 5. **Entity Creation:** For each unique and valid identifier, the action calls + `add_entity_to_case` to create the entity, setting its type, internal status, + and populating its 'additional_properties' with the parsed (and optionally prefixed) + enrichment JSON. - 4. **Validation & Creation:** For each unique identifier: - - If the type is `ADDRESS`, it validates the IP format. - - It calls the internal SDK to add the entity to the case with the specified - metadata (internal status, enrichment data, etc.). - 5. **Reporting:** The action returns a JSON summary of created, enriched, and - failed entities, and provides a status message to the case wall. + 6. **Reporting:** The action tracks successful creations, enrichments, and failures, + returning a JSON summary and a status message to the SOAR interface. capabilities: can_create_case_comments: false can_create_insight: false @@ -1252,14 +1375,14 @@ Create Entities with Separator: can_mutate_internal_data: true can_update_entities: true external_data_mutation_explanation: null - fetches_data: false + fetches_data: true internal_data_mutation_explanation: >- - Creates new entities within the Google SecOps case and populates their attributes - and enrichment fields. + Creates new entities within the Google SecOps alert and updates existing entities + with enrichment data provided in the parameters. categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1273,6 +1396,7 @@ Create Entities with Separator: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Create Entity Relationships: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1286,73 +1410,98 @@ Create Entities with Separator: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false - update_alert: true + update_alert: false update_email: false update_identity: false update_ticket: false -Create Entity Relationships: ai_description: >- - Creates relationships between entities within a Google SecOps case. This action - allows users to define connections between a set of 'Entity Identifiers' and 'Target - Entities' already present in the alert. If the specified 'Entity Identifiers' - do not exist in the system, the action will create them automatically. It supports - three types of relationships: Source, Destination, and Linked. Additionally, users - can provide a JSON object to enrich the newly created or linked entities with - custom attributes. + ### General Description + + Creates relationships between specified entities and existing entities within + a Google SecOps case. This action can create new entities if they do not already + exist and link them to target entities based on type or specific identifiers. + It supports defining the relationship as a Source, Destination, or a general Link. + Additionally, it can enrich the created or linked entities with custom attributes + provided via a JSON object. **Note: This action supports Siemplify version 5.6 + or higher.** + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + | Entity Identifier(s) | String | Yes | A list of entity identifiers to be created + or used for the relationship. Multiple values should be separated by the 'Separator + Character'. | - ### Flow Description: + | Entity Identifier(s) Type | EntityType | Yes | The Siemplify entity type (e.g., + HOSTNAME, ADDRESS, USERUNIQNAME) for the identifiers provided in 'Entity Identifier(s)'. + | - 1. **Parameter Extraction:** The action parses the input identifiers, entity types, - relationship direction (Connect As), and optional enrichment JSON. + | Connect As | DDL | Yes | Defines the nature of the relationship. Options are + 'Source' (directional), 'Destination' (directional), or 'Linked' (non-directional). + | - 2. **Target Identification:** It scans the current alert to find existing entities - that match the 'Target Entity Type' and, if provided, the 'Target Entity Identifier(s)'. + | Target Entity Type | EntityType | Yes | The type of existing entities in the + alert to which the new entities will be linked. | - 3. **Entity Creation & Linking:** For each provided identifier, the action uses - the internal SOAR API to create the entity (if missing) and establish the relationship - to the identified target entities. + | Target Entity Identifier(s) | String | No | A list of specific identifiers for + existing entities of the 'Target Entity Type'. If left empty, the action will + link the new entities to all existing entities of the specified 'Target Entity + Type' found in the alert. | - 4. **Enrichment:** If an 'Enrichment JSON' is provided, the action reloads the - case data, identifies the relevant entities, and updates their additional properties - with the provided key-value pairs. + | Enrichment JSON | String | No | An optional JSON object containing key-value + pairs to be added to the 'additional_properties' of the entities involved. | + | Separator Character | String | No | The character used to separate lists in + the identifier parameters. Defaults to a comma (`,`). | - ### Parameters Description: - | Parameter Name | Type | Mandatory | Description | + ### Flow Description - | :--- | :--- | :--- | :--- | + 1. **Parameter Extraction:** The action retrieves all input parameters and parses + the identifier lists using the specified separator. - | Entity Identifier(s) | String | Yes | A comma-separated list of entity values - to create or link. | + 2. **Relationship Configuration:** It determines the relationship direction and + primary link status based on the 'Connect As' selection. - | Entity Identifier(s) Type | Entity Type | Yes | The Siemplify entity type for - the identifiers provided (e.g., USERUNIQNAME, HOSTNAME). | + 3. **Target Identification:** It scans all entities within the current alert to + find matches for the 'Target Entity Type' and, if provided, the 'Target Entity + Identifier(s)'. - | Connect As | DDL | Yes | Defines the relationship direction: 'Source', 'Destination', - or 'Linked'. | + 4. **Entity Creation and Linking:** For each identifier in the 'Entity Identifier(s)' + list, it calls the SOAR API to ensure the entity exists and establishes the relationship + with the identified target entities. - | Target Entity Type | Entity Type | Yes | The type of existing entities in the - alert to which the new entities should be linked. | + 5. **Enrichment:** If an 'Enrichment JSON' is provided, the action reloads the + case data, identifies the relevant entities, updates their additional properties, + and saves the changes back to the system. - | Target Entity Identifier(s) | String | No | A comma-separated list of specific - existing entity values to link to. If empty, links to all entities of the 'Target - Entity Type'. | - | Enrichment JSON | String | No | A JSON object containing key/value pairs to - add as attributes to the entities. | + ### Additional Notes + + - **Siemplify Version:** This action is compatible only with Siemplify version + 5.6 and above. - | Separator Character | String | No | The character used to split the identifier - lists. Defaults to a comma. | + - **Targeting Logic:** If 'Target Entity Identifier(s)' is not provided, the action + will attempt to link the new entities to *all* entities of the specified 'Target + Entity Type' found in the alert. + + - **Execution Delay:** The action includes a 3-second pause before applying enrichment + to ensure the platform has finished processing the entity creation and linking. capabilities: can_create_case_comments: false can_create_insight: false @@ -1363,13 +1512,12 @@ Create Entity Relationships: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Creates new entities and establishes relationships between entities within the - Google SecOps case. It also updates entity attributes if enrichment JSON is - provided. + Creates new entities, establishes relationships between entities, and updates + entity additional properties within the Google SecOps case. categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1383,6 +1531,7 @@ Create Entity Relationships: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Create Siemplify Task: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1396,42 +1545,73 @@ Create Entity Relationships: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Create Siemplify Task: - ai_description: "### General Description\nAssigns a new task to a specific user\ - \ or role within the current Google SecOps case. This action is used to manage\ - \ manual workflows, analyst assignments, or follow-up actions directly within\ - \ the platform's case management system.\n\n### Parameters Description\n\n| Parameter\ - \ | Description | Type | Mandatory |\n| :--- | :--- | :--- | :--- |\n| Assign\ - \ To | The user or the role the task will be assigned to. | User | Yes |\n| Task\ - \ Content | The detailed instructions or content of the task. | Content | Yes\ - \ |\n| SLA (in minutes) | The amount of time (in minutes) the assigned user/role\ - \ has to respond to the task. Default is 480. | String | No |\n| Task Title |\ - \ The title of the task. Supports Siemplify versions 6.0.0.0 and higher. | String\ - \ | No |\n| Due Date | Specific due date for the task in ISO8601 format. | String\ - \ | No |\n\n### Additional Notes\n* Either the **Due Date** or the **SLA (in minutes)**\ - \ parameter must be configured for the action to run. \n* If both **Due Date**\ - \ and **SLA (in minutes)** are provided, the **Due Date** parameter takes priority.\n\ - \n### Flow Description\n1. **Extract Parameters:** Retrieves the assignee, task\ - \ content, SLA, title, and due date from the action configuration.\n2. **Validate\ - \ Inputs:** Ensures that at least one deadline parameter (either Due Date or SLA)\ - \ is provided.\n3. **Compute Deadline:** Calculates the task's expiration time\ - \ in epoch milliseconds. If a Due Date is provided, it is parsed; otherwise, the\ - \ SLA duration is added to the current system time.\n4. **Version Check:** Identifies\ - \ the Google SecOps (Siemplify) system version to determine the correct API method\ - \ for task creation.\n5. **Create Task:** Calls the internal SOAR API to create\ - \ and assign the task within the context of the active case." + ai_description: >- + This action creates and assigns a new task to a specific user or role within the + context of the current Google SecOps case. It is used to manage manual workflows + or follow-up actions by setting clear instructions and deadlines. + + + ### Parameters + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Assign To | User | Yes | The user or role the task will be assigned to. | + + | Task Content | Content | Yes | The detailed instructions or content of the task. + | + + | SLA (in minutes) | String | No | The amount of time (in minutes) the assigned + user/role has to respond. Default is 480. | + + | Task Title | String | No | The title of the task (Supported in versions 6.0.0.0 + and higher). | + + | Due Date | String | No | Specific deadline for the task in ISO8601 format. If + provided, this takes priority over the SLA parameter. | + + + ### Additional Notes + + - Either the "Due Date" or the "SLA (in minutes)" parameter must be configured + for the action to execute successfully. + + - If both are provided, the "Due Date" parameter takes precedence. + + + ### Flow Description + + 1. **Parameter Extraction:** The action retrieves the assignee, task content, + title, and deadline parameters (SLA or Due Date). + + 2. **Validation:** It verifies that at least one deadline mechanism (SLA or Due + Date) is provided. + + 3. **Deadline Calculation:** The action calculates the task's expiration time + in epoch milliseconds. If a Due Date is provided, it parses the ISO8601 string; + otherwise, it adds the SLA minutes to the current system time. + + 4. **Version Compatibility Check:** The script checks the Google SecOps system + version to determine whether to use the v5 or v6 API for task creation. + + 5. **Task Creation:** The action calls the internal SOAR API to create the task + and link it to the current case ID. capabilities: can_create_case_comments: false can_create_insight: false @@ -1442,12 +1622,12 @@ Create Siemplify Task: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Creates a new task within the Google SecOps case, assigning it to a specific - user or role with a defined deadline. + Creates a new task record within the Google SecOps case management system, assigned + to a specific user or role. categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1461,6 +1641,7 @@ Create Siemplify Task: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +DNS Lookup: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1472,73 +1653,78 @@ Create Siemplify Task: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: false + enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -DNS Lookup: ai_description: >- - ### General Description - - The **DNS Lookup** action performs DNS queries against specified DNS servers for - **Address** (IP) and **Hostname** entities. It allows analysts to retrieve various - DNS record types to identify domain associations, mail servers, or reverse lookup - information. + Performs DNS lookups for IP Address and Hostname entities using specified DNS + servers. This action allows analysts to retrieve various DNS record types (such + as A, MX, TXT, or PTR) to verify domain configurations or identify associated + hostnames for IP addresses. ### Parameters Description + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **DNS Servers** | String | Yes | A comma-separated list of DNS server IP addresses - to query (e.g., `8.8.8.8, 1.1.1.1`). | + | DNS Servers | String | Yes | A single IP address or a comma-separated list of + DNS server IP addresses (e.g., '1.1.1.1, 8.8.8.8') to be used for the queries. + | + + | Data Type | DDL | Yes | The specific DNS record type to query (e.g., A, AAAA, + MX, TXT, ANY). **Note:** This parameter only applies to Hostname entities; IP + Address entities always perform a PTR (reverse) lookup. | - | **Data Type** | DDL | Yes | The specific DNS record type to query for Hostname - entities. Defaults to `ANY`. Supported types include `A`, `AAAA`, `MX`, `TXT`, - `CNAME`, etc. | + ### Flow Description - ### Additional Notes - - For **Address** entities, the action automatically performs a reverse DNS lookup - to find **PTR** records. + 1. **Initialization**: The action parses the provided comma-separated list of + DNS servers and retrieves the requested DNS record type from the parameters. - - For **Hostname** entities, the action performs a query based on the selected - **Data Type**. + 2. **Entity Iteration**: The action iterates through all target entities in the + current context. - - If multiple DNS servers are provided, the action will attempt to query each - one for every entity. + 3. **IP Address Processing**: For each IP Address entity, the action performs + a reverse DNS lookup (PTR record) against every DNS server in the list. + 4. **Hostname Processing**: For each Hostname entity, the action constructs a + DNS query for the specified 'Data Type' and sends it to every DNS server in the + list via UDP. - ### Flow Description + 5. **Data Collection**: The action captures successful responses, including the + record type, the returned data, and the specific DNS server that provided the + response. - 1. **Initialization**: Retrieves the list of DNS servers and the target record - type from the action parameters. + 6. **Finalization**: All gathered DNS information is aggregated into a JSON result. + The action completes with a success status if at least one record was found. - 2. **Entity Processing**: Iterates through the entities in the current context. - 3. **Reverse Lookup (IPs)**: For each `ADDRESS` entity, it attempts to resolve - the reverse DNS name (PTR record) using the provided DNS servers. + ### Additional Notes - 4. **Forward Lookup (Hostnames)**: For each `HOSTNAME` entity, it constructs a - DNS query for the specified `Data Type` and sends it to the DNS servers via UDP. - 5. **Result Aggregation**: Collects all successful DNS responses, including the - record type, response data, and the server that provided the answer. + - If multiple DNS servers are provided, the action will attempt to query each + one for every applicable entity. - 6. **Output**: Returns the collected data as a JSON result and completes the action. + - The action does not modify the entities themselves but provides the lookup results + as raw JSON for downstream playbook tasks. capabilities: can_create_case_comments: false can_create_insight: false @@ -1553,8 +1739,8 @@ DNS Lookup: enrichment: true entity_usage: entity_types: - - ADDRESS - - HOSTNAME + - ADDRESS + - HOSTNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1568,6 +1754,7 @@ DNS Lookup: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Delay Playbook: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1579,84 +1766,76 @@ DNS Lookup: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: true + enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Delay Playbook: ai_description: >- ### General Description - The **Delay Playbook** action is a utility tool designed to pause the execution - of a playbook for a specified duration. It leverages the asynchronous execution - capabilities of the Google SecOps SOAR platform to wait for a calculated amount - of time before allowing the workflow to proceed to the next step. This is particularly - useful for scenarios requiring a cooling-off period, waiting for external processes - to complete, or throttling automated responses. + This action pauses the execution of a playbook for a specified duration. It is + designed to introduce a delay in the workflow, allowing for external processes + to complete or for a specific amount of time to pass before the next playbook + step is executed. The action is asynchronous, meaning it will yield execution + and check back periodically until the target time is reached. ### Parameters Description - | Parameter | Type | Mandatory | Description | + | Parameter | Type | Mandatory | Default | Description | - | :--- | :--- | :--- | :--- | + | :--- | :--- | :--- | :--- | :--- | - | **Seconds** | string | Yes | The number of seconds to add to the delay. Defaults - to "0". | + | Seconds | string | Yes | 0 | The number of seconds to delay the playbook. | - | **Minutes** | string | Yes | The number of minutes to add to the delay. Defaults - to "1". | + | Minutes | string | Yes | 1 | The number of minutes to delay the playbook. | - | **Hours** | string | Yes | The number of hours to add to the delay. Defaults - to "0". | + | Hours | string | Yes | 0 | The number of hours to delay the playbook. | - | **Days** | string | Yes | The number of days to add to the delay. Defaults to - "0". | + | Days | string | Yes | 0 | The number of days to delay the playbook. | ### Additional Notes - * This action is **asynchronous**. It does not block the execution engine but - rather schedules itself to be checked periodically until the time condition is - met. - - * The total delay time is the sum of all provided parameters (Days + Hours + Minutes - + Seconds). + - The total delay time is the sum of all provided time parameters (Days + Hours + + Minutes + Seconds). - * If all parameters are set to "0", the action will complete immediately. + - If all parameters are set to 0, the action will complete immediately. ### Flow Description 1. **Initialization**: The action retrieves the delay values from the input parameters. - 2. **Target Calculation**: It calculates a `target_date` by adding the specified - days, hours, minutes, and seconds to the current UTC time. + 2. **Target Calculation**: It calculates a target UTC timestamp by adding the + specified delay (days, hours, minutes, and seconds) to the current UTC time. - 3. **Immediate Completion Check**: If the calculated `target_date` is in the past - or equal to the current time, the action completes immediately with a success - status. + 3. **Initial Check**: If the calculated target time is less than or equal to the + current time, the action completes immediately with a success status. - 4. **Asynchronous Wait**: If the `target_date` is in the future, the action enters - an `IN_PROGRESS` state and stores the target timestamp in the `additional_data` - field. + 4. **Async State**: If the target time is in the future, the action sets its execution + state to 'In Progress' and stores the target timestamp in the action's persistent + state (additional_data). - 5. **Periodic Re-evaluation**: The SOAR framework periodically invokes the `wait` - logic. The script parses the stored timestamp and compares it against the current - UTC time. + 5. **Polling/Wait Phase**: In subsequent execution cycles (the 'wait' phase), + the action retrieves the stored target timestamp from the previous run. - 6. **Finalization**: Once the current time meets or exceeds the `target_date`, - the action transitions to a `COMPLETED` state, allowing the playbook to continue. + 6. **Completion**: The action compares the current time against the stored target + timestamp. Once the current time meets or exceeds the target, the action transitions + to the 'Completed' state, allowing the playbook to proceed. capabilities: can_create_case_comments: false can_create_insight: false @@ -1670,7 +1849,7 @@ Delay Playbook: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1684,6 +1863,7 @@ Delay Playbook: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Delay Playbook Synchronous: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1697,55 +1877,77 @@ Delay Playbook: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Delay Playbook Synchronous: - ai_description: "Pauses the execution of a playbook synchronously for a specified\ - \ duration of up to 30 seconds. This utility action is designed for short, immediate\ - \ delays within a playbook flow where a brief wait is required before proceeding\ - \ to the next step. It operates by calculating a target end time and entering\ - \ a sleep loop until that time is reached.\n\n### Parameters Description\n\n|\ - \ Parameter | Description | Type | Mandatory | Notes |\n| :--- | :--- | :--- |\ - \ :--- | :--- |\n| Seconds | The number of seconds to pause the playbook execution.\ - \ | String | Yes | Must be a positive integer between 0 and 30. |\n\n### Additional\ - \ Notes\n\n* **Synchronous Execution:** This action blocks the execution thread\ - \ for the duration of the delay. \n* **Time Limit:** The maximum allowed delay\ - \ is 30 seconds. For delays longer than 30 seconds, it is recommended to use the\ - \ \"Delay Playbook V2\" action, which handles longer durations more efficiently.\n\ - * **No Entity Interaction:** This action does not interact with or require any\ - \ entities to function.\n\n### Flow Description\n\n1. **Parameter Extraction:**\ - \ The action retrieves the `Seconds` value provided by the user.\n2. **Validation:**\ - \ It validates that the input is a positive number and falls within the supported\ - \ range of 0 to 30 seconds.\n3. **Target Calculation:** The action calculates\ - \ the exact timestamp when the delay should conclude.\n4. **Sleep Loop:** It\ - \ enters a loop that pauses execution in small increments (up to 1 second) until\ - \ the current time meets or exceeds the target timestamp.\n5. **Completion:**\ - \ Once the delay is finished, the action returns a success message indicating\ - \ the configured delay was reached." - capabilities: - can_create_case_comments: false - can_create_insight: false - can_modify_alert_data: false - can_mutate_external_data: false - can_mutate_internal_data: false - can_update_entities: false - external_data_mutation_explanation: null - fetches_data: false - internal_data_mutation_explanation: null - categories: - enrichment: false - entity_usage: - entity_types: [ ] + ai_description: >- + ### General Description + + The **Delay Playbook Synchronous** action is a utility designed to pause the execution + of a playbook for a short, specified duration. This is typically used to allow + external systems time to process previous requests or to manage API rate limits. + Because this action runs synchronously, it is strictly limited to a maximum delay + of 30 seconds to ensure playbook stability. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | **Seconds** | String | Yes | The duration of the delay in seconds. The value + must be a positive integer between 0 and 30. | + + + ### Additional Notes + + - This action is intended for short-term pauses. If a delay longer than 30 seconds + is required, the "Delay Playbook V2" action should be used instead. + + - The action validates the input range; if the provided value is outside the 0-30 + second window, the action will fail validation. + + + ### Flow Description + + 1. **Parameter Extraction:** The action retrieves the `Seconds` value from the + playbook configuration. + + 2. **Validation:** It verifies that the input is a valid positive integer and + does not exceed the 30-second limit defined in the integration constants. + + 3. **Execution:** The action calculates a target end time and enters a synchronous + sleep loop, pausing execution until the specified time has elapsed. + + 4. **Output:** Upon completion, the action provides a success message confirming + the delay duration and the exact timestamp when execution resumed. + capabilities: + can_create_case_comments: false + can_create_insight: false + can_modify_alert_data: false + can_mutate_external_data: false + can_mutate_internal_data: false + can_update_entities: false + external_data_mutation_explanation: null + fetches_data: false + internal_data_mutation_explanation: null + categories: + enrichment: false + entity_usage: + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1759,6 +1961,7 @@ Delay Playbook Synchronous: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Delay Playbook V2: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1772,51 +1975,50 @@ Delay Playbook Synchronous: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Delay Playbook V2: - ai_description: "### General Description\nThe **Delay Playbook V2** action is a\ - \ utility designed to pause the execution of a playbook for a specified duration\ - \ or until a specific time condition is met. It supports both relative time delays\ - \ (seconds, minutes, hours, days) and absolute scheduling using Cron expressions.\ - \ This is an asynchronous action, meaning it will put the playbook into a waiting\ - \ state without consuming active execution resources until the timer expires.\n\ - \n### Parameters Description\n| Parameter | Type | Mandatory | Description |\n\ - | :--- | :--- | :--- | :--- |\n| Seconds | string | No | The amount of seconds\ - \ to delay the playbook. Defaults to \"0\". |\n| Minutes | string | No | The amount\ - \ of minutes to delay the playbook. Defaults to \"1\". |\n| Hours | string | No\ - \ | The amount of hours to delay the playbook. Defaults to \"0\". |\n| Days |\ - \ string | No | The amount of days to delay the playbook. Defaults to \"0\". |\n\ - | Cron Expression | string | No | A standard cron expression (e.g., `0 12 * *\ - \ *`). If provided, this takes precedence over the relative time parameters and\ - \ determines the next occurrence when the playbook should resume. |\n\n### Additional\ - \ Notes\n- If the **Cron Expression** is provided, the relative time parameters\ - \ (Seconds, Minutes, etc.) are ignored.\n- If no parameters are provided, the\ - \ action defaults to a 1-minute delay.\n- Because this is an asynchronous action,\ - \ the SOAR platform will periodically re-evaluate the condition until the target\ - \ time is reached.\n\n### Flow Description\n1. **Initialization**: The action\ - \ retrieves the delay parameters or the Cron expression from the input.\n2. **Target\ - \ Calculation**: \n - If a **Cron Expression** is present, the action calculates\ - \ the next valid timestamp based on the current UTC time.\n - If relative parameters\ - \ are used, the action calculates a target date by adding the specified seconds,\ - \ minutes, hours, and days to the current UTC time.\n3. **Execution Check**: The\ - \ action compares the calculated target time with the current time.\n4. **State\ - \ Management**: \n - If the target time has already passed or is reached, the\ - \ action returns a `COMPLETED` status, allowing the playbook to continue.\n \ - \ - If the target time is in the future, the action returns an `IN_PROGRESS`\ - \ status and stores the target timestamp in the `additional_data` field.\n5. **Async\ - \ Wait**: The SOAR framework's `wait` mechanism periodically triggers the script\ - \ to check if the current time has finally met or exceeded the stored target timestamp." + ai_description: "### General Description\nThis action pauses the execution of a\ + \ playbook for a specified duration or until a specific time defined by a cron\ + \ expression. It is an asynchronous action that allows for precise control over\ + \ playbook timing, useful for waiting for external processes to complete or scheduling\ + \ tasks for specific windows.\n\n### Parameters Description\n| Parameter | Type\ + \ | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Seconds | string\ + \ | No | The number of seconds to delay the playbook. Default is 0. |\n| Minutes\ + \ | string | No | The number of minutes to delay the playbook. Default is 1. |\n\ + | Hours | string | No | The number of hours to delay the playbook. Default is\ + \ 0. |\n| Days | string | No | The number of days to delay the playbook. Default\ + \ is 0. |\n| Cron Expression | string | No | A standard cron expression (e.g.,\ + \ `0 12 * * *`) used to determine the next execution time. If provided, this parameter\ + \ takes precedence over the relative time parameters (Seconds, Minutes, etc.).\ + \ |\n\n### Additional Notes\n- This action is asynchronous (`is_async: true`).\ + \ It will put the playbook step into an 'In Progress' state until the calculated\ + \ time is reached.\n- If both relative time parameters and a Cron Expression are\ + \ provided, the Cron Expression is prioritized.\n\n### Flow Description\n1. **Initialization**:\ + \ The action retrieves the time parameters or the cron expression from the input.\n\ + 2. **Target Calculation**: \n - If a **Cron Expression** is provided, the action\ + \ calculates the next occurrence of that expression relative to the current time.\n\ + \ - If no cron expression is provided, the action calculates a **Target Date**\ + \ by adding the specified Seconds, Minutes, Hours, and Days to the current UTC\ + \ time.\n3. **Execution Check**: The action compares the current time with the\ + \ calculated target time.\n4. **State Management**:\n - If the target time\ + \ has **not** been reached, the action returns an `INPROGRESS` state and stores\ + \ the target timestamp in the action's internal state (`additional_data`).\n \ + \ - The SOAR platform will periodically re-invoke the action's `wait` logic.\n\ + \ - Once the current time meets or exceeds the target timestamp, the action\ + \ returns a `COMPLETED` state, allowing the playbook to proceed." capabilities: can_create_case_comments: false can_create_insight: false @@ -1830,7 +2032,7 @@ Delay Playbook V2: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1844,6 +2046,7 @@ Delay Playbook V2: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Extract URL Domain: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1855,70 +2058,80 @@ Delay Playbook V2: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: false + enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Extract URL Domain: ai_description: >- - Extracts domain information from entity identifiers and user-provided URL strings. - This utility action parses strings to identify the registered domain and suffix, - with an optional toggle to include subdomains. For entities, it enriches the object - by adding the extracted domain to a specific custom field ('siemplifytools_extracted_domain'), - facilitating downstream playbooks that require domain-level logic regardless of - the original entity type (e.g., URL, Hostname, or even Email). + ### General Description + Extracts the domain or subdomain from entity identifiers or a provided list of + URLs. This action is a utility tool that parses strings to identify valid domain + structures using the `tldextract` library. It can process all entities in the + current context or a specific list of URLs provided as a parameter. - ### Parameters Description + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Separator | String | Yes | The character(s) used to separate multiple URLs in - the 'URLs' parameter (default is a comma). | + | Separator | string | Yes | The character or string used to split the values + provided in the `URLs` parameter. Default is a comma (`,`). | - | URLs | String | No | A list of URLs to process manually, separated by the defined - 'Separator'. | + | URLs | string | No | A list of URLs or strings to process manually. If provided, + the action will extract domains from these strings in addition to any entities + in scope. | - | Extract subdomain | Boolean | No | If set to True, the action will include the - subdomain (e.g., 'sub' in 'sub.example.com') in the result. | + | Extract subdomain | boolean | No | If set to `true`, the action will include + the subdomain in the result (e.g., `sub.example.com`). If `false`, it only extracts + the root domain and suffix (e.g., `example.com`). | - ### Flow Description + ### Additional Notes + + - This action updates the entity's `additional_properties` with the key `siemplifytools_extracted_domain`. + - If an entity identifier does not contain a valid domain (e.g., a file hash), + no domain will be extracted for that entity. + + + ### Flow Description - 1. **Parameter Extraction:** The action retrieves the list of URLs (if provided), - the separator, and the subdomain extraction preference from the action parameters. + 1. **Initialization**: The action retrieves the `URLs`, `Separator`, and `Extract + subdomain` parameters. - 2. **Manual URL Processing:** If the 'URLs' parameter is populated, the action - splits the string using the provided separator and extracts domains for each item, - adding the results to the JSON output. + 2. **Parameter Processing**: If the `URLs` parameter is populated, the string + is split by the `Separator`. Each resulting string is parsed to extract the domain. + Results are stored in the action's JSON output. - 3. **Entity Iteration:** The action iterates through all entities currently in - the scope of the playbook step. + 3. **Entity Processing**: The action iterates through all entities in the current + scope (`target_entities`). - 4. **Domain Extraction:** For each entity, it attempts to parse the identifier - to find a valid domain and suffix using the `tldextract` library logic. + 4. **Domain Extraction**: For each entity, the identifier is parsed. If a valid + domain is found, it is added to the entity's `additional_properties` under the + key `siemplifytools_extracted_domain`. - 5. **Internal Enrichment:** For every entity where a domain is successfully parsed, - the action updates the entity's `additional_properties` with the key `siemplifytools_extracted_domain` - containing the result. + 5. **Internal Update**: The action updates the entities within Google SecOps to + persist the new `siemplifytools_extracted_domain` field. - 6. **Finalization:** The action updates the modified entities within Google SecOps, - attaches a comprehensive JSON result mapping identifiers to their extracted domains - (or errors), and returns a summary message of the operation. + 6. **Final Output**: The action returns a JSON result containing the mapping of + identifiers to extracted domains and provides a summary message of successful + and failed extractions. capabilities: can_create_case_comments: false can_create_insight: false @@ -1929,47 +2142,46 @@ Extract URL Domain: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates the 'siemplifytools_extracted_domain' attribute in the additional properties - of the processed entities. + Updates the 'additional_properties' of entities with the extracted domain value. categories: enrichment: true entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1983,6 +2195,7 @@ Extract URL Domain: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Find First Alert: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1996,38 +2209,43 @@ Extract URL Domain: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Find First Alert: - ai_description: "### General Description\nThe **Find First Alert** action is a utility\ - \ designed to identify the chronologically earliest alert within a specific Google\ - \ SecOps case. It compares the current alert being processed by the playbook against\ - \ the entire list of alerts in the case to determine if the current alert is the\ - \ 'root' or first alert. This is particularly useful for logic branching in playbooks\ - \ where certain actions should only be performed once per case (on the first alert).\n\ - \n### Parameters Description\nThere are no parameters for this action.\n\n###\ - \ Flow Description\n1. **Retrieve Alerts**: The action accesses the `alerts` collection\ - \ from the current case context.\n2. **Sort Chronologically**: It sorts all alerts\ - \ in the case based on their `creation_time` attribute in ascending order.\n3.\ - \ **Identify First Alert**: The alert at the first index (index 0) of the sorted\ - \ list is identified as the first alert.\n4. **Comparison**: The action compares\ - \ the unique identifier of the `current_alert` with the identifier of the identified\ - \ first alert.\n5. **Output Result**: \n * If they match, it returns the identifier\ - \ of the alert and a message stating it is the first alert.\n * If they do\ - \ not match, it returns the string `\"false\"` and a message stating it is not\ - \ the first alert.\n\n### Additional Notes\nThis action does not interact with\ - \ external APIs or modify any data; it performs internal logic based on existing\ - \ case metadata." + ai_description: "### General Description\nThis utility action identifies whether\ + \ the alert currently being processed is the chronologically first alert within\ + \ its parent case. It is designed to facilitate playbook logic, allowing analysts\ + \ to ensure that specific tasks\u2014such as opening an external ticket, sending\ + \ an initial notification, or performing one-time setup actions\u2014are executed\ + \ only once per case, specifically on the initial triggering event.\n\n### Parameters\ + \ Description\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- |\ + \ :--- | :--- |\n| None | N/A | N/A | This action does not require any input parameters.\ + \ |\n\n### Additional Notes\n- This action relies on the `creation_time` attribute\ + \ of alerts within the case to determine the sequence.\n- It is an internal logic\ + \ tool and does not interact with external APIs.\n\n### Flow Description\n1. **Retrieve\ + \ Case Alerts**: The action accesses the collection of all alerts currently associated\ + \ with the case.\n2. **Chronological Sorting**: It sorts the retrieved alerts\ + \ based on their `creation_time` to establish the true order of occurrence.\n\ + 3. **Identify Earliest Alert**: The action identifies the alert with the earliest\ + \ timestamp (the first element in the sorted list).\n4. **Identity Comparison**:\ + \ It compares the unique identifier of the `current_alert` (the one triggering\ + \ the playbook) against the identifier of the earliest alert found in step 3.\n\ + 5. **Result Output**: \n - If the identifiers match, the action concludes that\ + \ the current alert is the first one and returns the alert's identifier as the\ + \ script result.\n - If the identifiers do not match, it returns the string\ + \ `\"false\"`." capabilities: can_create_case_comments: false can_create_insight: false @@ -2041,7 +2259,7 @@ Find First Alert: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2055,6 +2273,7 @@ Find First Alert: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Case Data: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -2068,75 +2287,85 @@ Find First Alert: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: true remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Case Data: ai_description: >- ### General Description - The **Get Case Data** action retrieves comprehensive information associated with - a specific case in Google SecOps and returns it as a structured JSON object. This - data includes case comments, entity details, insights, playbook execution metadata, - alert information, and events. It is designed to provide playbooks with a full - context of a case for logic branching or data passing to external systems. + The **Get Case Data** action retrieves comprehensive information for a specific + case within Google SecOps and returns it as a structured JSON object. This data + includes comments, entity information, insights, playbooks, alert details, and + events. It is primarily used as a utility to gather context for playbook logic + or to export case details to external systems. ### Parameters Description + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Case Id** | String | No | The unique identifier of the case to query. If not - provided, the action defaults to the current case ID. | + | **Case Id** | String | No | The unique identifier of the case to query. If left + empty, the action defaults to the current case ID where the playbook is executing. + | - | **Fields to Return** | String | No | A comma-separated list of specific fields - to include in the output. Supports nested keys (e.g., `alerts.0.name`). If empty, - all available case data is returned. | + | **Fields to Return** | String | No | A comma-separated list of specific JSON + fields to include in the output. If omitted, the entire case data object is returned. + Supports nested paths (e.g., `alerts.0.events`) using the specified delimiter. + | | **Nested Keys Delimiter** | String | No | The character used to separate levels - in a nested key path. Defaults to `.`. Note: This cannot be a comma (`,`). | + in nested field paths within the 'Fields to Return' parameter. Defaults to a dot + (`.`). This cannot be a comma (`,`). | - ### Additional Notes + ### Flow Description - - The action will fail if the `Nested Keys Delimiter` is configured as a comma, - as this conflicts with the list parsing of the `Fields to Return` parameter. + 1. **Initialization:** The action extracts the Case ID, requested fields, and + the nested key delimiter from the input parameters. - - If specific fields are requested but none are found in the case data, the action - will return a failure status. + 2. **Validation:** It verifies that the 'Nested Keys Delimiter' is not a comma + to avoid conflicts with the field list parsing. - - The action automatically handles the retrieval and decoding of insight content - blobs stored within the platform. + 3. **Case Data Retrieval:** The action calls the internal SOAR API to fetch the + full overview of the case, including metadata and alert cards. + 4. **Data Transformation:** The retrieved data is converted to JSON, and the `alertCards` + field is renamed to `alerts` for consistency. - ### Flow Description + 5. **Filtering:** If specific fields were requested, the action traverses the + JSON structure and extracts only the relevant data points. - 1. **Parameter Extraction**: Retrieves the Case ID, field filters, and delimiter - settings from the action configuration. + 6. **Insight Enrichment:** The action identifies all insights associated with + the case. For insights that reference external data blobs, it performs additional + internal API calls to retrieve, Base64-decode, and parse the content into the + final JSON structure. - 2. **Case Data Retrieval**: Fetches the full case overview details from the internal - SOAR API, including expanded tags and alert cards. + 7. **Final Output:** The aggregated data is returned as a JSON result for use + in subsequent playbook steps. - 3. **Data Filtering**: If `Fields to Return` is specified, the action traverses - the case JSON structure to extract only the requested data points. - 4. **Insight Processing**: Retrieves all insights for the case. For insights that - reference external content blobs, the action performs additional API calls to - fetch, decode (Base64), and parse the JSON content. + ### Additional Notes + + - This action is strictly read-only; it does not modify any data within Google + SecOps or external systems. - 5. **Result Aggregation**: Combines the filtered case data and processed insights - into a single JSON object and attaches it to the script results. + - If 'Fields to Return' is provided but none of the specified fields exist in + the case data, the action will result in a failure. capabilities: can_create_case_comments: false can_create_insight: false @@ -2148,9 +2377,9 @@ Get Case Data: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2164,6 +2393,7 @@ Get Case Data: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Case SLA: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -2177,63 +2407,71 @@ Get Case Data: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Case SLA: ai_description: >- ### General Description The **Get Case SLA** action retrieves the Service Level Agreement (SLA) and Critical SLA expiration times for the current case within Google SecOps. It provides these - timestamps in both Unix format and a customizable human-readable date-time format. - This is primarily used for playbook logic that needs to calculate remaining time - or log SLA deadlines. + timestamps in both Unix format and a human-readable string format based on a user-defined + pattern. This action is primarily used for tracking deadlines and timing within + playbooks. ### Parameters Description - | Parameter | Type | Mandatory | Default | Description | + | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | :--- | + | :--- | :--- | :--- | :--- | - | DateTime Format | String | Yes | `%Y-%m-%d %H:%M:%S` | The format in which the - SLA expiration times will be presented. Uses standard Python `strftime` syntax. + | **DateTime Format** | String | Yes | Specifies the format for the human-readable + SLA expiration times (e.g., `%Y-%m-%d %H:%M:%S`). Defaults to `%Y-%m-%d %H:%M:%S`. | - ### Flow Description + ### Additional Notes - 1. **Parameter Extraction**: The action retrieves the `DateTime Format` from the - input parameters. + - This action retrieves data from the internal Google SecOps API and does not + interact with external third-party services. - 2. **Data Retrieval**: It calls the internal Google SecOps API (`get_case_overview_details`) - to fetch the metadata for the current case. + - It does not modify the case or any entities; it only returns the SLA information + as action results. - 3. **SLA Extraction**: The logic extracts the `slaExpirationTime` and `criticalExpirationTime` - from the case or stage SLA data. + - If an SLA is not set for the case, the action will fail with a specific error + message. - 4. **Formatting**: The Unix timestamps are converted into the specified human-readable - format. - 5. **Output**: The action returns a JSON object containing both the raw Unix timestamps - and the formatted strings, and sets the action output message with the formatted - values. + ### Flow Description + 1. **Parameter Extraction**: The action retrieves the `DateTime Format` parameter + from the input, defaulting to `%Y-%m-%d %H:%M:%S` if not provided. - ### Additional Notes + 2. **Data Retrieval**: It fetches the case overview details from the internal + Google SecOps API using the current case identifier. + + 3. **SLA Extraction**: The logic identifies the expiration timestamps for both + the standard SLA and the critical SLA from the retrieved case data, checking both + case-level (`sla`) and stage-level (`stageSla`) fields. - - If no SLA is set for the case, the action will fail with a specific error message - indicating that the SLA was not set. + 4. **Formatting**: It converts the Unix timestamps into formatted strings using + the provided date-time pattern. + + 5. **Output**: The action returns a JSON object containing the Unix and formatted + timestamps and sets the action output message with the results. capabilities: can_create_case_comments: false can_create_insight: false @@ -2247,7 +2485,7 @@ Get Case SLA: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2261,6 +2499,7 @@ Get Case SLA: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Certificate Details: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -2274,65 +2513,67 @@ Get Case SLA: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Certificate Details: ai_description: >- ### General Description - Retrieves and analyzes the SSL/TLS certificate for a specified URL. This action - connects to the target host over port 443, performs a TLS handshake, and extracts - detailed certificate metadata including validity dates, issuer information, and - Subject Alternative Names (SAN). It is primarily used for verifying certificate - status, checking for expiration, and identifying self-signed certificates during - investigations. + The **Get Certificate Details** action retrieves and analyzes the SSL/TLS certificate + for a specified URL. It provides critical security information such as the certificate's + validity, issuer, and expiration status, helping analysts verify the trust and + integrity of a remote host. ### Parameters Description + | Parameter | Description | Type | Mandatory | Notes | - | Parameter | Description | Type | Mandatory | - - | :--- | :--- | :--- | :--- | + | :--- | :--- | :--- | :--- | :--- | | Url to check | The hostname or URL from which to retrieve the SSL certificate. - The action will attempt to connect to this host on port 443. | String | Yes | + | String | Yes | Defaults to `expired.badssl.com`. | ### Flow Description - 1. **Parameter Extraction:** The action retrieves the target URL from the input - parameters. + 1. **Input Extraction**: Retrieves the target URL from the action parameters. - 2. **Connection Establishment:** It creates a network socket and attempts to connect - to the specified hostname on port 443. + 2. **Connection**: Establishes a network connection to the target host on port + 443 using a default SSL context (TLS v1.2 minimum). - 3. **SSL Handshake:** A default SSL context (requiring at least TLS 1.2) is used - to wrap the socket and perform a handshake to retrieve the server's certificate - in binary (DER) format. + 3. **Certificate Retrieval**: Fetches the peer certificate in binary (DER) format. - 4. **Certificate Parsing:** The `cryptography` library parses the binary certificate - into a structured object. + 4. **Parsing**: Uses the `cryptography` library to parse the X.509 certificate. - 5. **Metadata Extraction:** The action extracts the Common Name (CN), Subject - Alternative Names (SAN), and Issuer information. + 5. **Data Extraction**: Extracts the Common Name (CN), Subject Alternative Names + (SAN), and Issuer information. + + 6. **Analysis**: Calculates the number of days until expiration and determines + if the certificate is expired or self-signed. + + 7. **Output**: Returns a structured JSON object containing all extracted and calculated + certificate details. + + + ### Additional Notes - 6. **Validation Logic:** It calculates the number of days until expiration, determines - if the certificate is currently expired, and checks if it is self-signed (where - the Subject matches the Issuer). + - This action does not process entities from the Google SecOps environment; it + operates solely on the provided URL parameter. - 7. **Result Output:** The collected data is formatted into a JSON object and returned - as the action result. + - It uses port 443 by default for the connection. capabilities: can_create_case_comments: false can_create_insight: false @@ -2344,9 +2585,9 @@ Get Certificate Details: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: true + enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2360,6 +2601,7 @@ Get Certificate Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Context Value: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -2373,28 +2615,29 @@ Get Certificate Details: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Context Value: ai_description: >- ### General Description - The **Get Context Value** action is a utility designed to retrieve specific data - points (values) stored within the Google SecOps platform's context. It allows - playbooks to access variables that were previously saved at different levels of - granularity: the specific alert, the overall case, or a global system-wide scope. - This is particularly useful for passing data between different playbook steps - or maintaining state across multiple alerts. + The **Get Context Value** action retrieves a specific value associated with a + key from a defined context scope (Alert, Case, or Global) within Google SecOps. + This utility is essential for playbooks to access data that was previously stored + during the execution flow, enabling dynamic decision-making based on historical + or shared context. ### Parameters Description @@ -2403,43 +2646,38 @@ Get Context Value: | :--- | :--- | :--- | :--- | - | **Scope** | DDL | Yes | Specifies the context level to search. Options are `Alert` - (current alert context), `Case` (entire case context), or `Global` (system-wide + | **Scope** | DDL | Yes | Specifies the context level to search. Options: 'Alert' + (current alert context), 'Case' (current case context), or 'Global' (system-wide context). | - | **Key** | String | Yes | The unique identifier (name) of the property/value - you wish to retrieve. | + | **Key** | String | Yes | The unique identifier for the property value to be + retrieved. | ### Flow Description - 1. **Parameter Extraction**: The action identifies the target `Key` and the desired - `Scope` from the input parameters. + 1. **Parameter Extraction**: Retrieves the 'Scope' and 'Key' values provided by + the user. + + 2. **Context Selection**: Determines the appropriate SDK method to call based + on the 'Scope' (Alert, Case, or Global). + + 3. **Data Retrieval**: Queries the internal SecOps database for the value associated + with the provided 'Key'. - 2. **Context Query**: Depending on the selected `Scope`, the action performs one - of the following: - * **Alert**: Calls the internal method to retrieve a property from the current - alert's context. - * **Case**: Calls the internal method to retrieve a property from the current - case's context. - * **Global**: Queries the global context store using the reserved "GLOBAL" - identifier. - 3. **Data Sanitization**: If a value is successfully retrieved, the action strips - any surrounding double quotes to ensure the raw string value is returned to the - playbook. + 4. **Data Sanitization**: If a value is found, it strips any surrounding double + quotes to ensure the output is clean. - 4. **Result Reporting**: The retrieved value is set as the action's result. If - the key is found, a success message is generated; otherwise, it reports that the - value was not found for the specified key and scope. + 5. **Completion**: Returns the found value as the action's result and provides + a status message indicating success or failure. ### Additional Notes - * This action is strictly read-only and does not modify any context values or - external systems. + - If the key does not exist in the specified scope, the action will complete with + a 'Not found' message. - * If the key does not exist in the specified scope, the action will return an - empty result value and a 'Not found' message. + - This action is read-only and does not modify any data. capabilities: can_create_case_comments: false can_create_insight: false @@ -2453,7 +2691,7 @@ Get Context Value: categories: enrichment: true entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2467,6 +2705,7 @@ Get Context Value: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Current Time: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -2480,56 +2719,51 @@ Get Context Value: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Current Time: ai_description: >- - ### General Description - - Returns the current system date and time formatted according to a user-specified + Returns the current system date and time formatted according to a user-provided string. This utility action is primarily used within playbooks to generate timestamps - for logging, naming conventions, or time-based logic. + for logging, reporting, or for use in subsequent logic steps that require a specific + time format. - ### Parameters Description + ### Parameters - | Parameter Name | Type | Mandatory | Description | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Datetime Format | string | Yes | The desired format for the output date and - time. Uses standard Python `strftime` format codes (e.g., `%d/%m/%Y %H:%M`). | + | Datetime Format | string | Yes | The strftime-compatible format string used + to format the current date and time (e.g., '%d/%m/%Y %H:%M'). | - ### Flow Description + ### Flow - 1. **Parameter Extraction**: The action retrieves the `Datetime Format` string + 1. **Parameter Extraction**: The action retrieves the 'Datetime Format' string from the input parameters. - 2. **Time Retrieval**: The script captures the current local system time using - the `datetime.now()` method. + 2. **Time Retrieval**: The current system date and time are captured using the + Python datetime library. 3. **Formatting**: The captured time is converted into a string based on the provided - format code. - - 4. **Output**: The formatted time string is returned as the action's result value - and printed to the execution log. - + 'Datetime Format'. - ### Additional Notes - - This action does not interact with any external APIs or SecOps entities. It is - a local utility function. + 4. **Completion**: The formatted time string is returned as the action's result + value, and the execution state is set to completed. capabilities: can_create_case_comments: false can_create_insight: false @@ -2543,7 +2777,7 @@ Get Current Time: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2557,6 +2791,7 @@ Get Current Time: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Email Templates: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -2570,54 +2805,60 @@ Get Current Time: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Email Templates: ai_description: >- - Retrieves a list of email templates from the Google SecOps (Chronicle) SOAR platform. - This action allows users to fetch either HTML-formatted templates or standard - text templates stored within the system. It is primarily used as a utility to - dynamically select templates for subsequent email-sending actions within a playbook. + ### General Description + The **Get Email Templates** action retrieves a list of available email templates + from the Google SecOps (Chronicle) SOAR platform. This utility action allows playbooks + to programmatically access template metadata, which is often used to dynamically + select templates for automated email communications. - ### Parameters Description + ### Parameters Description - | Parameter | Type | Mandatory | Default | Description | + | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | :--- | + | :--- | :--- | :--- | :--- | - | Template Type | ddl | Yes | Standard | Specifies the type of email templates - to retrieve. Options are 'HTML' (for rich-text templates) or 'Standard' (for plain-text - templates). | + | **Template Type** | DDL | Yes | Specifies the category of templates to retrieve. + Users can choose between `HTML` (for rich-text formatted templates) or `Standard` + (for basic or legacy templates). | ### Flow Description + 1. **Parameter Extraction**: The action retrieves the `Template Type` parameter + provided by the user. - 1. **Parameter Extraction**: The action retrieves the 'Template Type' input provided - by the user. + 2. **Data Retrieval**: It calls the internal SOAR API to fetch all email templates + defined in the system. - 2. **Data Retrieval**: It calls the internal SOAR API to fetch all available email - templates configured in the environment. + 3. **Filtering**: The script iterates through the retrieved templates and filters + them based on the selected type (HTML vs. Standard) using internal type identifiers. - 3. **Filtering**: The action iterates through the retrieved templates and filters - them based on the 'Template Type' parameter. It maps internal type identifiers - (e.g., 1 or 'HtmlFormat' for HTML; 0 or 'Template' for Standard) to the user's - selection. + 4. **Output**: The filtered list of templates is returned as a JSON object and + a human-readable summary is provided in the action result. - 4. **Output Generation**: The filtered list of templates is formatted into a JSON - object and returned as the action result. + + ### Additional Notes + + This action is a read-only utility. It does not interact with external services + or modify any internal case or entity data. capabilities: can_create_case_comments: false can_create_insight: false @@ -2631,7 +2872,7 @@ Get Email Templates: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2645,6 +2886,7 @@ Get Email Templates: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Integration Instances: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -2658,42 +2900,58 @@ Get Email Templates: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Integration Instances: ai_description: >- Retrieves a list of all installed integration instances for the current environment - and the global scope. This action is useful for identifying available tools and - their configurations within the SOAR platform. + and the global environment. This action is useful for programmatically identifying + which integrations are configured and active within the Google SecOps SOAR platform. ### Parameters - There are no parameters for this action. + | Parameter Name | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + | None | N/A | N/A | This action does not have any parameters. | - ### Flow - 1. **Identify Scopes:** The action identifies the current environment and the - global scope ('*'). + ### Flow Description - 2. **Fetch Integrations:** It queries the internal SOAR API to retrieve all installed - integration instances for the identified scopes. + 1. **Initialize Action**: Sets up the Siemplify action context and identifies + the script name. - 3. **Aggregate Results:** The retrieved integration data is converted to JSON - format and aggregated into a single list. + 2. **Define Search Scope**: Prepares a search list containing the current environment + identifier and a wildcard ('*') to include global instances. - 4. **Output:** The final list of integration instances is returned as a JSON result. + 3. **Fetch Integrations**: Iterates through the search scope and calls the internal + SOAR API to retrieve metadata for all installed integration instances. + + 4. **Process Results**: Aggregates the retrieved integration objects and converts + them into a JSON-compatible format. + + 5. **Output Data**: Returns the final list of integration instances as a JSON + result and completes the action. + + + ### Additional Notes + + This action is a utility designed for system introspection and does not interact + with external security products or process specific alert entities. capabilities: can_create_case_comments: false can_create_insight: false @@ -2707,7 +2965,7 @@ Get Integration Instances: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2721,6 +2979,7 @@ Get Integration Instances: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Original Alert Json: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -2734,55 +2993,61 @@ Get Integration Instances: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: true remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Original Alert Json: ai_description: >- ### General Description - The **Get Original Alert Json** action retrieves the raw JSON data of the original - alert from the `SourceFileContent` property of the first entity associated with - the alert. This is a utility action designed to expose the full, unmapped context - of an alert, allowing playbooks to access specific data points that were not captured - during the initial ingestion and mapping process. + The **Get Original Alert Json** action is a utility designed to extract and expose + the raw JSON data of the original alert. This is particularly useful for playbooks + that need to access specific fields from the source event that were not automatically + mapped to entities or alert properties during the ingestion process. ### Parameters Description - This action does not require any input parameters. + There are no parameters for this action. ### Additional Notes - * The action relies on the convention that the raw alert content is stored in - the `additional_properties` of the first entity under the key `SourceFileContent`. + - This action specifically retrieves data from the `SourceFileContent` key within + the `additional_properties` of the first entity associated with the alert. - * If the entity list is empty or the specific key is missing, the action will - encounter a runtime error. + - The output is provided as a JSON result, making the raw alert data programmatically + accessible for subsequent playbook steps. ### Flow Description - 1. **Access Alert Entities**: The action retrieves the entities associated with - the current alert context. + 1. **Initialization**: The action initializes the Siemplify environment and prepares + to access alert data. + + 2. **Entity Selection**: It targets the first entity (index 0) in the current + alert's entity list. - 2. **Extract Raw Data**: It targets the first entity in the list and extracts - the string value from the `SourceFileContent` attribute within its `additional_properties`. + 3. **Data Retrieval**: It accesses the `SourceFileContent` attribute from that + entity's `additional_properties` dictionary, which contains the raw alert string. - 3. **Parse JSON**: The extracted string is parsed into a structured JSON object. + 4. **Parsing**: The retrieved string is parsed from a JSON-formatted string into + a Python dictionary (JSON object). - 4. **Output Results**: The parsed JSON is added to the action's result JSON and - returned as the primary output for use in subsequent playbook steps. + 5. **Output**: The resulting JSON object is added to the action's result JSON + and the execution concludes, providing the data in the technical details of the + action run. capabilities: can_create_case_comments: false can_create_insight: false @@ -2796,7 +3061,42 @@ Get Original Alert Json: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2810,6 +3110,7 @@ Get Original Alert Json: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Siemplify Users: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -2823,37 +3124,60 @@ Get Original Alert Json: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Siemplify Users: ai_description: >- - ### General Description\nRetrieves a comprehensive list of all users configured - within the Google SecOps (Siemplify) system. This action is primarily used for - administrative, auditing, or playbook logic purposes, such as identifying available - analysts or verifying user roles within a workflow.\n\n### Flow Description\n1. - **Parameter Extraction**: The action reads the 'Hide Disabled Users' boolean parameter - to determine the scope of the user query.\n2. **API Interaction**: It invokes - the internal SOAR API method 'get_siemplify_user_details' with a default page - size of 1000 to fetch user metadata.\n3. **Data Processing**: The retrieved user - objects are converted into a structured JSON format.\n4. **Result Delivery**: - The list of users is attached to the action's JSON results, and the action completes - with a success message.\n\n### Parameters Description\n| Parameter Name | Type - | Mandatory | Description | Expected Value |\n| :--- | :--- | :--- | :--- | :--- - |\n| Hide Disabled Users | Boolean | No | If set to 'true' (default), the action - filters out users who are currently marked as disabled in the system. | True/False - |\n\n### Additional Notes\n- This action does not require or process any entities - from the current case scope.\n- It returns a maximum of 1000 users in a single - execution. + ### General Description + + Retrieves a comprehensive list of all users configured within the Google SecOps + environment. This utility action is primarily used for auditing system access + or identifying specific user accounts to be used in downstream playbook logic. + It interacts with the internal SOAR API to collect user metadata such as roles, + email addresses, and account status. + + + ### Parameters Description + + | Parameter Name | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Hide Disabled Users | Boolean | No | Determines whether to exclude inactive + user accounts from the results. Defaults to `true`. | + + + ### Flow Description + + 1. **Configuration**: The action retrieves the `Hide Disabled Users` parameter + to set the filtering scope. + + 2. **Data Retrieval**: It calls the internal SOAR API to fetch user details, including + account status and metadata. + + 3. **Data Transformation**: The raw user objects are processed and converted into + a structured JSON format. + + 4. **Completion**: The action outputs the list of users to the `JsonResult` and + terminates with a success message. + + + ### Additional Notes + + This action does not process or interact with case entities (e.g., IP addresses, + Hostnames). It provides global system-level information. capabilities: can_create_case_comments: false can_create_insight: false @@ -2867,7 +3191,7 @@ Get Siemplify Users: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2881,6 +3205,7 @@ Get Siemplify Users: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Lock Playbook: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -2894,43 +3219,45 @@ Get Siemplify Users: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Lock Playbook: - ai_description: "### General Description\nThis action is a synchronization utility\ - \ designed to manage the execution flow of playbooks within a case. It pauses\ - \ the current playbook's execution until all playbooks associated with the chronologically\ - \ preceding alert in the same case have successfully completed. This ensures that\ - \ alerts are processed in a strict sequential order based on their creation time,\ - \ preventing race conditions or out-of-order processing logic.\n\n### Parameters\ - \ Description\nThere are no parameters for this action.\n\n### Additional Notes\n\ - - This action is marked as asynchronous (`is_async: true`), allowing it to remain\ - \ in an 'In Progress' state while waiting for previous playbooks to finish without\ - \ consuming active execution slots.\n- If the current alert is the first alert\ - \ in the case, the action completes immediately, allowing the playbook to proceed.\n\ + ai_description: "Pauses the execution of the current playbook until all playbooks\ + \ associated with the chronologically preceding alert in the same case have finished.\ + \ This action is used to enforce sequential processing of alerts within a single\ + \ case, ensuring that automation logic for one alert does not overlap with or\ + \ precede the completion of a previous alert's logic.\n\n### Parameters\n| Parameter\ + \ Name | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| None\ + \ | N/A | N/A | This action does not take any input parameters. |\n\n### Additional\ + \ Notes\n- This action is asynchronous (`is_async: true`), allowing it to remain\ + \ in an 'In Progress' state until the dependency is met.\n- It relies on the `creation_time`\ + \ of alerts within a case to determine the execution order.\n- It uses the internal\ + \ SOAR API to check the status of workflow instances for other alerts in the case.\n\ \n### Flow Description\n1. **Alert Retrieval:** Fetches all alerts associated\ - \ with the current case and sorts them by their creation timestamp.\n2. **Current\ - \ Alert Identification:** Locates the current alert within the sorted list to\ - \ determine its sequence.\n3. **Sequence Check:** \n - If the current alert\ - \ is the first in the sequence (index 0), the action completes successfully.\n\ - \ - If there is a previous alert, the action identifies its unique identifier.\n\ - 4. **Status Verification:** Calls the internal SOAR API to retrieve the status\ - \ of all workflow (playbook) instances associated with the previous alert.\n5.\ - \ **Locking Logic:** \n - If any playbooks for the previous alert are not in\ - \ a 'Completed' state, the action sets its status to 'In Progress', effectively\ - \ pausing the current playbook.\n - If all playbooks for the previous alert\ - \ are completed, the action sets its status to 'Completed', releasing the lock\ - \ and allowing the current playbook to continue." + \ with the current case and sorts them by their creation timestamp.\n2. **Position\ + \ Identification:** Determines the index of the current alert within the sorted\ + \ list based on its identifier.\n3. **First Alert Check:** If the current alert\ + \ is the first one in the case (index 0), the action completes immediately to\ + \ allow the playbook to proceed.\n4. **Dependency Check:** If the current alert\ + \ is not the first, the action identifies the immediately preceding alert and\ + \ queries the SOAR API for the status of its workflow instances.\n5. **State Management:**\ + \ \n - If any playbooks for the previous alert are still running (not in a\ + \ 'Completed' state), the action returns an 'In Progress' status, effectively\ + \ locking the current playbook.\n - Once all playbooks for the previous alert\ + \ are confirmed as 'Completed', the action returns a 'Completed' status, releasing\ + \ the lock and allowing the current playbook to continue." capabilities: can_create_case_comments: false can_create_insight: false @@ -2939,12 +3266,12 @@ Lock Playbook: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2958,6 +3285,7 @@ Lock Playbook: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Look-A-Like Domains: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -2969,57 +3297,74 @@ Lock Playbook: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: false + enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Look-A-Like Domains: ai_description: >- ### General Description - The **Look-A-Like Domains** action identifies potential typosquatting or phishing - attempts by comparing domain entities within a case against a list of authorized - or internal domains configured for the specific environment. It uses the Levenshtein - distance algorithm to detect subtle variations in domain names that might indicate - malicious intent. + Identifies potential typosquatting or look-alike domain attacks by comparing DOMAIN + entities in a case against a list of authorized internal domains defined for the + environment. It uses the Levenshtein edit distance algorithm to determine similarity + and flag suspicious entities. ### Parameters Description - There are no user-configurable parameters for this action. + | Parameter Name | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | None | N/A | No | This action does not have any user-configurable parameters. + | + + + ### Additional Notes + + - The action relies on the 'Internal Domains' configuration within the Google + SecOps platform. + + - It specifically targets entities of type 'DOMAIN'. + + - A domain is flagged if the edit distance is between 1 and 3 (inclusive). ### Flow Description - 1. **Fetch Environment Domains:** The action retrieves a list of internal or authorized - domains associated with the current environment from the Google SecOps platform - using internal API calls. + 1. **Fetch Internal Domains**: Retrieves the list of internal domains from the + Google SecOps environment via the SOAR API using the `get_domain_alias` method. + + 2. **Filter by Environment**: Filters the retrieved list to match the current + environment context of the action execution. - 2. **Entity Filtering:** It identifies all entities of type `DOMAIN` within the - current case context. + 3. **Iterate Entities**: Processes each entity in the case that is identified + as a 'DOMAIN'. - 3. **Similarity Analysis:** For each domain entity, it calculates the edit distance - against the list of environment domains using the `nltk.edit_distance` method. + 4. **Calculate Similarity**: Computes the edit distance between the entity identifier + and each internal domain using the NLTK library's edit distance function. - 4. **Threshold Evaluation:** If the edit distance is between 1 and 3 (inclusive), - the domain is considered a 'look-alike'. + 5. **Flag Look-Alikes**: If a match is found with an edit distance between 1 and + 3, the entity is marked as suspicious (`is_suspicious = True`). - 5. **Enrichment and Flagging:** Entities identified as look-alikes are marked - as suspicious (`is_suspicious = True`) and enriched with the matching domain name - in their `additional_properties` field. + 6. **Enrich Entity**: Adds the matching internal domain to the entity's additional + properties under the key 'look_a_like_domain'. - 6. **Result Reporting:** The action updates the entities in the platform and provides - a JSON result mapping each entity to its identified look-alike domains. + 7. **Update Case**: Commits the entity updates back to the Google SecOps case + and provides a JSON result containing the matches for each processed domain. capabilities: can_create_case_comments: false can_create_insight: false @@ -3030,13 +3375,13 @@ Look-A-Like Domains: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates domain entities by marking them as suspicious and adding the 'look_a_like_domain' - property to their metadata. + Updates the 'is_suspicious' flag and 'additional_properties' of DOMAIN entities + within the SecOps case if they are identified as look-alike domains. categories: enrichment: true entity_usage: entity_types: - - DOMAIN + - DOMAIN filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -3050,6 +3395,7 @@ Look-A-Like Domains: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Normalize Entity Enrichment: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -3061,28 +3407,32 @@ Look-A-Like Domains: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: true + enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Normalize Entity Enrichment: ai_description: >- ### General Description - Normalizes entity enrichment data by mapping existing fields in an entity's `additional_properties` - to new, standardized keys. This action is primarily used to maintain data consistency - across different enrichment sources within a playbook by renaming or aliasing - internal entity attributes. + The **Normalize Entity Enrichment** action is a utility designed to standardize + the naming of enrichment data stored within an entity's `additional_properties`. + It allows users to map existing, potentially inconsistent field names (e.g., from + different threat intelligence providers) to a unified schema within the Google + SecOps SOAR environment. This is particularly useful for ensuring downstream playbooks + or insights can rely on consistent key names regardless of the data source. ### Parameters Description @@ -3091,44 +3441,38 @@ Normalize Entity Enrichment: | :--- | :--- | :--- | :--- | - | Normalization Data | String | Yes | A JSON string representing a list of mapping - objects. Each object must contain `entitiy_field_name` (the source key currently - in `additional_properties`) and `new_name` (the target key to be created). | - - - ### Additional Notes + | **Normalization Data** | string | Yes | A JSON-formatted string containing a + list of mapping objects. Each object must include `entitiy_field_name` (the current + key in the entity's additional properties) and `new_name` (the target normalized + key name). | - * The action expects a valid JSON array of objects as input for the `Normalization - Data` parameter. - * If a source field specified in the mapping is not found on an entity, the target - field will be created with an empty string value (unless the target key already - exists). + ### Flow Description - * This action does not remove the original fields; it creates or updates the new - keys with the values from the source fields. + 1. **Input Parsing**: The action retrieves the `Normalization Data` parameter + and parses it from a JSON string into a Python list of dictionaries. + 2. **Entity Iteration**: The script iterates through all `target_entities` currently + in the action's scope. - ### Flow Description + 3. **Property Mapping**: For each entity, it checks if the specified `entitiy_field_name` + exists within the entity's `additional_properties` dictionary. - 1. **Retrieve Configuration:** The action fetches the `Normalization Data` JSON - string from the input parameters. + 4. **Value Assignment**: If the source key is found, its value is copied to a + new key defined by `new_name`. If the source key is missing, the action initializes + the `new_name` key with an empty string (provided the key does not already exist). - 2. **Parse Mappings:** The JSON string is parsed into a list of source-to-target - mapping pairs. + 5. **Internal Update**: The action collects all processed entities and uses the + `update_entities` method to commit the changes back to the SOAR case. - 3. **Iterate Entities:** The action iterates through all entities currently in - the playbook scope (`target_entities`). - 4. **Apply Normalization:** For each entity, it checks the `additional_properties` - for the presence of the source fields defined in the mappings. + ### Additional Notes - 5. **Update Properties:** If a source field is found, its value is assigned to - the new field name. If not found, and the new field name doesn't exist, it initializes - the new field with an empty string. + - This action does not delete or replace the original keys; it creates new keys + with the mapped names, effectively duplicating the data under a normalized header. - 6. **Persist Changes:** The action updates the entities within the Google SecOps - platform to save the modified `additional_properties`. + - If the `new_name` already exists on the entity, it will be overwritten by the + value from `entitiy_field_name` if that source field is present. capabilities: can_create_case_comments: false can_create_insight: false @@ -3139,47 +3483,47 @@ Normalize Entity Enrichment: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Updates entity additional properties by mapping existing fields to new normalized - field names based on the provided JSON configuration. + Updates the 'additional_properties' attribute of entities within the Google + SecOps case to standardize field names based on the provided mapping. categories: enrichment: false entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -3193,6 +3537,7 @@ Normalize Entity Enrichment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -3203,29 +3548,30 @@ Normalize Entity Enrichment: disable_identity: false download_file: false enable_identity: false - enrich_asset: true + enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: ai_description: >- ### General Description - The **Ping** action is a diagnostic utility designed to verify the connectivity - and operational status of the Tools integration within Google SecOps. Its primary - purpose is to confirm that the integration environment is reachable and that the - SOAR agent can successfully execute scripts associated with this integration. + Verifies the connectivity and availability of the Google SecOps (Chronicle) SOAR + environment. This action serves as a basic health check to ensure that the integration + is correctly configured and that the platform can successfully execute scripts. ### Parameters Description @@ -3235,19 +3581,17 @@ Ping: ### Additional Notes - This action is a standard health check and does not perform any data retrieval - from external services, nor does it modify any internal or external records. + This action does not interact with any external services or process any entity + data. It is strictly used for connectivity testing within the SOAR environment. ### Flow Description - 1. **Initialization**: The action initializes the Siemplify SDK to establish a - context for the execution. + 1. **Initialization**: The action initializes the Siemplify SOAR SDK context. - 2. **Connectivity Confirmation**: The script immediately prepares a success signal. - - 3. **Execution Completion**: The action terminates with the message "Siemplify - is connected" and returns a boolean success status. + 2. **Connectivity Check**: It immediately concludes the execution with a success + message, 'Siemplify is connected', confirming that the script execution environment + is functional. capabilities: can_create_case_comments: false can_create_insight: false @@ -3261,7 +3605,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -3275,6 +3619,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Re-Attach Playbook: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -3288,60 +3633,90 @@ Ping: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Re-Attach Playbook: - ai_description: "Re-attaches a specified playbook to a case, effectively resetting\ - \ its execution state and allowing it to run again from the beginning. This action\ - \ is primarily used for troubleshooting or re-triggering automation that may have\ - \ failed or needs to be executed again with updated context.\n\n### Parameters\ - \ Description\n\n| Parameter Name | Type | Mandatory | Description |\n| :--- |\ - \ :--- | :--- | :--- |\n| Playbook Name | playbook_name | Yes | The exact name\ - \ of the playbook that will be removed from the case and then re-attached to trigger\ - \ a fresh execution. |\n\n### Flow Description\n\n1. **Configuration Retrieval:**\ - \ The action identifies and retrieves connection details for the 'PostgreSQL'\ - \ integration instance named 'Siemplify'.\n2. **Database Connection:** It establishes\ - \ connections to two internal databases: `siemplify_orchestration_db` (for workflow\ - \ state) and `siemplify_system_db` (for action results).\n3. **State Identification:**\ - \ The action queries the databases to find all existing instances and results\ - \ associated with the specified playbook name and the current Case ID.\n4. **Cleanup:**\ - \ It executes SQL DELETE commands to remove the identified workflow instances\ - \ and their corresponding action results, clearing the previous execution history\ - \ for that playbook in the context of the case.\n5. **Re-attachment:** Finally,\ - \ it utilizes the SOAR API to programmatically attach the playbook back to the\ - \ case (specifically to the relevant alerts), which triggers the playbook to start\ - \ running again automatically.\n\n### Additional Notes\n\n* This action requires\ - \ the **PostgreSQL** integration to be installed and configured with an instance\ - \ named **Siemplify** pointing to the SOAR's backend database. \n* This action\ - \ does not process entities; it operates at the Case and Playbook management level." + ai_description: >- + ### General Description + + The **Re-Attach Playbook** action is designed to reset and restart a specific + playbook within a Google SecOps case. It performs a deep reset by manually removing + the playbook's execution state and result data from the underlying orchestration + databases before re-attaching the playbook to the case. This is particularly useful + for troubleshooting failed playbooks or re-running logic after environmental configurations + have been updated. + + + ### Parameters Description + + | Parameter Name | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Playbook Name | String | Yes | The exact name of the playbook that will be removed + from the case and re-attached. Once re-attached, it will trigger a new execution. + | + + + ### Additional Notes + + * **Prerequisite:** This action requires the **PostgreSQL** integration to be + installed and configured. Specifically, an instance named `Siemplify` must be + configured in the Shared Environment, pointing to the SOAR's internal orchestration + and system databases. + + * This action interacts directly with the database layer to ensure all traces + of the previous playbook run (including action results) are cleared before the + restart. + + + ### Flow Description + + 1. **Configuration Retrieval:** The action identifies the PostgreSQL integration + instance named 'Siemplify' to obtain database credentials (server, username, password). + + 2. **Database Connection:** It establishes connections to two internal databases: + `siemplify_orchestration_db` and `siemplify_system_db`. + + 3. **State Identification:** It queries the `WorkflowInstances` table to find + all active or completed instances of the specified playbook associated with the + current Case ID. + + 4. **Cleanup:** For each found instance, it deletes the workflow record from the + orchestration database and removes all associated action results from the system + database. + + 5. **Re-attachment:** Finally, it uses the SOAR API to re-attach the playbook + to the specific alert group within the case, which triggers the playbook to run + again automatically. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false - can_mutate_external_data: true + can_mutate_external_data: false can_mutate_internal_data: true can_update_entities: false - external_data_mutation_explanation: >- - Executes DELETE queries on the PostgreSQL databases (siemplify_orchestration_db - and siemplify_system_db) to remove existing workflow instances and action results. + external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Uses the SOAR API to attach a playbook to the case, which modifies the case's - active playbook list and triggers new automation execution. + Deletes playbook execution state and action results from the internal orchestration + and system databases, then re-attaches the playbook to the case. categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -3355,6 +3730,7 @@ Re-Attach Playbook: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Search Text: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -3368,77 +3744,78 @@ Re-Attach Playbook: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Search Text: ai_description: >- ### General Description - The **Search Text** action is a utility designed to identify specific strings - or patterns within a provided block of text. It allows users to perform simple - string matching or complex regular expression searches, making it highly versatile - for parsing logs, emails, or any other textual data within a playbook. + Searches for a specific string or a list of regular expressions within a provided + text block. This utility action is used to validate the presence of specific patterns + or keywords in data extracted from previous playbook steps or alert fields. It + returns a boolean result indicating whether a match was found and provides detailed + match information in JSON format. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Text** | String | Yes | The source text that will be searched. | + | Text | String | Yes | The source text that will be searched. | - | **Search For** | String | No | The specific literal string to search for within - the input text. | + | Search For | String | No | The specific string to search for within the Text. + | - | **Search For Regex** | String | No | A comma-separated list of regular expressions - to search for. Patterns should be wrapped in double quotes (e.g., "[0-9]+"). | + | Search For Regex | String | No | A comma-separated list of regular expressions + to search for. Regexes should be wrapped in double quotes. | - | **Case Sensitive** | Boolean | No | If set to `true`, the search will distinguish - between uppercase and lowercase letters. Default is `false`. | + | Case Sensitive | Boolean | No | If true, the search will be case-sensitive. + Default is false. | ### Additional Notes - - At least one of the parameters **Search For** or **Search For Regex** must be - configured for the action to execute successfully. - - - If multiple regexes are provided, the action will return `true` if any of the - patterns match. + * At least one of the parameters **Search For** or **Search For Regex** must be + provided for the action to execute successfully. If both are empty, the action + will fail. - - The action supports multiline searching for regex patterns. - - - The action strips double quotes from the regex patterns before execution. + * The action supports multiline searching for regex patterns. ### Flow Description - 1. **Input Extraction**: The action retrieves the input text, search string, regex - list, and case sensitivity setting. + 1. **Parameter Extraction**: Retrieves the input text, search string, regex list, + and case sensitivity setting from the action parameters. - 2. **Validation**: It checks if either a search string or a regex pattern has - been provided. If both are empty, the action fails. + 2. **Validation**: Checks if at least one search method (string or regex) is defined. + If both are missing, the action status is set to failed. - 3. **String Matching**: If a literal search string is provided, the action checks - for its presence in the text, applying case sensitivity if requested. + 3. **String Search**: If the **Search For** parameter is provided, the action + performs a substring check on the input text, respecting the case sensitivity + flag. If a match is found, the result is set to true. - 4. **Regex Matching**: If regex patterns are provided, the action iterates through - each pattern, stripping surrounding quotes and performing a multiline search against - the input text. + 4. **Regex Search**: If the **Search For Regex** parameter is provided, the action + splits the input into a list of patterns, strips quotes, and iterates through + them. It attempts to find a match using Python's regex engine with multiline support. + If any pattern matches, the result is set to true. - 5. **Result Aggregation**: If any match is found (string or regex), the `match_found` - result is set to `true`. Detailed match information, including the search pattern - and the input text, is added to the JSON result. + 5. **Result Aggregation**: The action adds a JSON object containing the list of + successful matches to the execution results and terminates with the final match + status. capabilities: can_create_case_comments: false can_create_insight: false @@ -3452,7 +3829,7 @@ Search Text: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -3466,6 +3843,7 @@ Search Text: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Set Context Value: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -3479,66 +3857,41 @@ Search Text: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Set Context Value: ai_description: >- - ### General Description - - The **Set Context Value** action allows users to store information as key-value - pairs within specific scopes of the Google SecOps platform. This is a utility - action primarily used for data persistence and sharing information between different - stages of a playbook or across different playbooks. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **Key** | string | Yes | The name of the context property to be created or updated. - | - - | **Value** | string | Yes | The value to be assigned to the specified key. | - - | **Scope** | ddl | Yes | Defines the visibility and lifecycle of the context - value. Options are: `Alert` (specific to the current alert), `Case` (shared across - all alerts in the case), or `Global` (accessible across the entire environment). - | - - - ### Flow Description - - 1. **Parameter Extraction:** The action retrieves the `Key`, `Value`, and `Scope` - from the input parameters. - - 2. **Scope Determination:** The logic checks the selected `Scope` value. - - 3. **Context Update:** Depending on the scope, the action calls the relevant SDK - method: - - If `Alert`, it updates the property for the specific alert context. - - If `Case`, it updates the property for the entire case context. - - If `Global`, it updates a global context property using a predefined identifier. - 4. **Completion:** The action returns a success message indicating the field, - value, and scope updated. - - - ### Additional Notes - - - This action does not interact with external APIs. - - - It is purely an internal state management tool for the SOAR platform. + ### General Description\nThe **Set Context Value** action allows users to store + and manage data dynamically within a Google SecOps playbook by setting key-value + pairs in a specific context scope. This is primarily used to pass information + between different steps of a playbook or to maintain state across different alerts + and cases.\n\n### Parameters Description\n| Parameter | Type | Mandatory | Description + |\n| :--- | :--- | :--- | :--- |\n| **Key** | String | Yes | The name of the property/key + to be set in the context. |\n| **Value** | String | Yes | The value to be assigned + to the specified key. |\n| **Scope** | DDL | Yes | Determines the visibility and + persistence of the data. Options are:
1. **Alert**: Data is accessible only + within the current alert.
2. **Case**: Data is accessible across all alerts + within the current case.
3. **Global**: Data is accessible globally across + the environment. |\n\n### Flow Description\n1. **Parameter Extraction**: The action + retrieves the `Scope`, `Key`, and `Value` from the input parameters.\n2. **Scope + Determination**: The logic checks the selected `Scope` value.\n3. **Context Update**: + \n * If **Alert**, it uses the SDK to set a property specific to the alert + context.\n * If **Case**, it uses the SDK to set a property specific to the + case context.\n * If **Global**, it uses a specialized helper to set a property + in the global system context.\n4. **Completion**: The action returns a success + message indicating which field was updated in which scope. capabilities: can_create_case_comments: false can_create_insight: false @@ -3549,13 +3902,12 @@ Set Context Value: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Sets or updates context properties (key-value pairs) at the Alert, Case, or - Global level within the Google SecOps platform to maintain state or share data - between playbook steps. + Sets or updates key-value pairs in the Alert, Case, or Global context scopes + within Google SecOps. categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -3569,6 +3921,7 @@ Set Context Value: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Spell Check String: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -3582,64 +3935,71 @@ Set Context Value: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false - update_alert: true + update_alert: false update_email: false update_identity: false update_ticket: false -Spell Check String: ai_description: >- - The **Spell Check String** action analyzes a provided text string for spelling - errors. It utilizes a spell-checking library to identify misspelled words, suggest - corrections, and calculate an overall accuracy score for the input text. + ### General Description + The **Spell Check String** action is a utility designed to analyze the spelling + of a provided text string. It identifies misspelled words, suggests corrections, + calculates an overall accuracy percentage, and generates a version of the input + string with all identified errors corrected. This is useful for cleaning up automated + logs, user-submitted tickets, or alert descriptions before further processing. - ### Parameters - | Parameter | Description | Type | Mandatory | + ### Parameters Description + + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | String | The input text string that will be checked for spelling errors. | String - | Yes | + | **String** | String | Yes | The input text that will be analyzed for spelling + errors. | ### Flow Description - 1. **Input Extraction:** The action retrieves the input string from the `String` - parameter. + 1. **Input Extraction**: The action retrieves the mandatory `String` parameter + provided by the user or playbook. - 2. **Preprocessing:** It removes punctuation from the string using regular expressions - and splits the text into individual words. + 2. **Preprocessing**: It removes punctuation from the input string using regular + expressions and splits the text into individual words. - 3. **Spelling Analysis:** The action identifies misspelled words by comparing - them against a dictionary using the `spellchecker` library. + 3. **Spelling Analysis**: Using a spell-checking library, the action identifies + words that are not recognized in the dictionary. - 4. **Correction Generation:** For each misspelled word, the action attempts to - find the most likely correction and builds a 'corrected' version of the original - string. + 4. **Correction Generation**: For every misspelled word, the action attempts to + find the most likely correction. It then performs a case-sensitive replacement + of the misspelled word in the original string to create a 'corrected' version. - 5. **Metrics Calculation:** It calculates the total word count, the number of - misspelled words, and an accuracy percentage. + 5. **Metrics Calculation**: The action calculates the total word count, the number + of misspelled words, and an accuracy percentage (ratio of correct words to total + words). - 6. **Result Output:** The action returns the accuracy percentage as the main result - and provides a detailed JSON object containing the original string, corrected - string, and a list of specific errors found. + 6. **Output**: The results are returned as a JSON object containing the detailed + breakdown and a summary message indicating the accuracy percentage. ### Additional Notes - - If the input string is empty, the action returns an accuracy of 0 and a message - indicating no input was provided. + - If the input string is empty, the action returns an accuracy of 0% and a message + stating 'No input to test.' - - This action is a local utility and does not communicate with external APIs. + - The action uses word boundaries (`\b`) for replacements to ensure that sub-strings + within larger words are not accidentally modified. capabilities: can_create_case_comments: false can_create_insight: false @@ -3653,7 +4013,7 @@ Spell Check String: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -3667,6 +4027,7 @@ Spell Check String: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Unflatten JSON: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -3680,67 +4041,71 @@ Spell Check String: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Unflatten JSON: ai_description: >- - Unflattens a JSON object or a list of JSON objects by converting delimited keys - into nested structures. This utility action is designed to restore the original - hierarchy of data that has been flattened (e.g., for CSV export or simplified - storage) back into its native nested format. + ### General Description + Unflattens a flattened JSON object or a list of flattened JSON objects into a + nested structure. This action is particularly useful for transforming data from + systems that provide flat key-value pairs (e.g., `user_id`, `user_name`) into + a hierarchical JSON format required by other integrations or playbooks. - ### Flow Description: - 1. **Parameter Extraction:** The action retrieves the mandatory `JSON Object` - string and the optional `Delimiter` from the input parameters. + ### Parameters Description - 2. **JSON Parsing:** The input string is converted into a Python data structure - (dictionary or list). + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | - 3. **Unflattening Logic:** The action recursively processes the data. For each - key in a dictionary, it splits the key name into tokens using the provided delimiter. - If no delimiter is specified, it uses a regular expression to split by any non-alphanumeric - character (excluding underscores). + | **JSON Object** | String | Yes | The JSON string (object or list) that needs + to be unflattened. | - 4. **Structure Reconstruction:** It reconstructs the nested hierarchy. If a token - is identified as a digit, the action creates a list at that level; otherwise, - it creates a dictionary. + | **Delimiter** | String | No | The character used to separate keys for nesting + (e.g., `_` or `.`). If left empty, the action will split keys by any non-alphanumeric + character (excluding underscores) using a word-boundary regex. | - 5. **Result Output:** The final nested JSON structure is attached to the action - results for use in subsequent playbook steps. + ### Additional Notes - ### Parameters Description: + - If the input JSON is a list, the action will iterate through and unflatten each + item in the list. - | Parameter | Type | Mandatory | Description | + - If a key token is a digit, the action will attempt to create a list at that + level of the hierarchy. - | :--- | :--- | :--- | :--- | - | JSON Object | string | Yes | The flattened JSON string that needs to be converted - back to a nested format. | + ### Flow Description - | Delimiter | string | No | The character used to separate nested keys (e.g., - '.', '_'). If left empty, the action separates keys by every value that is not - a letter, number, or underscore. | + 1. **Initialization**: The action retrieves the input JSON string and the optional + delimiter from the parameters. + 2. **Parsing**: The input string is parsed into a Python dictionary or list using + the standard JSON library. - ### Additional Notes: + 3. **Unflattening Logic**: The action iterates through the keys of the object. + For each key, it splits the string into tokens based on the provided delimiter + or regex. - - The action handles both individual JSON objects and lists of objects. + 4. **Structure Reconstruction**: It recursively builds a nested dictionary or + list structure by traversing the tokens. If a token represents an index (digit), + it initializes a list; otherwise, it initializes a dictionary. - - If the provided `JSON Object` is not a valid JSON string, the action will return - a failure status with a specific error message regarding the JSON structure. + 5. **Output**: The final nested JSON structure is returned as the action's JSON + result. capabilities: can_create_case_comments: false can_create_insight: false @@ -3754,7 +4119,7 @@ Unflatten JSON: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -3768,6 +4133,7 @@ Unflatten JSON: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Update Alert Score: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -3781,68 +4147,66 @@ Unflatten JSON: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false - update_alert: false + update_alert: true update_email: false update_identity: false update_ticket: false -Update Alert Score: ai_description: >- ### General Description The **Update Alert Score** action is a utility designed to dynamically modify - the numerical score associated with an alert within the Google SecOps platform. - This is typically used in playbooks to adjust the perceived risk or priority of - an alert based on findings from previous steps. It retrieves the current score - from the alert's context, applies an increment or decrement based on user input, - and saves the updated value back to the alert context. + the numerical score associated with an alert in Google SecOps. This is typically + used within playbooks to adjust the priority or risk level of an alert based on + logic-driven findings (e.g., increasing the score if a file is found to be malicious + or decreasing it if an IP is internal). ### Parameters Description - | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Input** | String | Yes | The integer value to increment (e.g., "10") or decrement - (e.g., "-5") the current alert score by. Defaults to "0". | + | **Input** | String | Yes | The integer value to increment or decrement the alert + score by. For example, '10' increases the score, while '-5' decreases it. | ### Additional Notes - - This action specifically targets the internal alert context property named `ALERT_SCORE`. + - The action interacts with the internal alert context property `ALERT_SCORE`. - - If the `ALERT_SCORE` property does not exist in the current context, it defaults - to 0 before applying the input value. + - If no current score exists, the action defaults the starting score to 0. - - The input is treated as an integer; providing non-numeric strings will cause - the action to fail. + - The input must be a string representation of an integer. ### Flow Description - 1. **Retrieve Current Score:** The action fetches the current value of the `ALERT_SCORE` - property from the alert's context. + 1. **Extract Input:** The action retrieves the `Input` value provided by the user + or playbook. - 2. **Parameter Extraction:** It extracts the `Input` value provided in the action - configuration. + 2. **Retrieve Current Score:** It fetches the current value of the `ALERT_SCORE` + property from the alert's context. - 3. **Calculation:** It converts both the current score and the input value to - integers and calculates the sum. + 3. **Calculate New Score:** It converts both the current score and the input value + to integers and calculates the sum. - 4. **Update Context:** The new calculated score is converted back to a string - and saved to the `ALERT_SCORE` property in the alert context. + 4. **Update Context:** The action saves the newly calculated score back to the + alert's `ALERT_SCORE` context property. - 5. **Completion:** The action ends, returning the new score as the result value - and providing a status message. + 5. **Finalize:** The action completes, returning the new score as the result value + and displaying a success message. capabilities: can_create_case_comments: false can_create_insight: false @@ -3853,12 +4217,12 @@ Update Alert Score: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Updates the 'ALERT_SCORE' property within the alert's context, which is used - to track and manage the risk level of the alert inside Google SecOps. + Updates the 'ALERT_SCORE' property within the alert's context to reflect changes + in risk or priority. categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -3872,6 +4236,7 @@ Update Alert Score: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Update Case Description: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -3885,54 +4250,57 @@ Update Alert Score: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false - update_alert: true + update_alert: false update_email: false update_identity: false update_ticket: false -Update Case Description: ai_description: >- - Updates the description of the current case in Google SecOps. This action allows - analysts or automated playbooks to programmatically change the high-level summary - of a case to reflect new findings or status updates. + ### General Description + Updates the description of the current case in Google SecOps. This action is used + to dynamically modify the high-level summary or context of a case based on information + gathered during a playbook execution or manual investigation. - ### Flow Description - 1. **Parameter Retrieval**: The action retrieves the provided 'Case Description' - string from the input parameters. + ### Parameters Description - 2. **Context Identification**: It identifies the unique identifier (Case ID) of - the case currently being processed. + | Parameter | Type | Mandatory | Description | - 3. **API Execution**: It utilizes the internal SOAR API (`change_case_description`) - to submit the update request to the Google SecOps platform. + | :--- | :--- | :--- | :--- | - 4. **Completion**: The action concludes by providing a success message confirming - the new description has been applied. + | Case Description | String | Yes | The new text that will be assigned as the + description for the current case. | - ### Parameters Description + ### Additional Notes - | Parameter Name | Type | Mandatory | Description | + This action modifies internal case metadata and does not interact with external + systems. - | :--- | :--- | :--- | :--- | - | Case Description | String | Yes | The new text that will replace the existing - description of the case. | + ### Flow Description + + 1. **Parameter Extraction:** The action retrieves the 'Case Description' string + from the input parameters. + 2. **Context Identification:** It identifies the unique ID of the case currently + being processed. - ### Additional Notes + 3. **Internal API Call:** It utilizes the internal SOAR API (`change_case_description`) + to update the case's metadata with the new description. - - This action modifies internal case metadata and does not interact with external - third-party integrations. + 4. **Completion:** The action returns a success message confirming the update. capabilities: can_create_case_comments: false can_create_insight: false @@ -3943,11 +4311,11 @@ Update Case Description: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Updates the description field of the current case within the Google SecOps platform. + Updates the description of the current case in Google SecOps. categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -3961,6 +4329,7 @@ Update Case Description: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Wait for Playbook to Complete: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -3974,40 +4343,68 @@ Update Case Description: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Wait for Playbook to Complete: - ai_description: "### General Description\nThis action pauses the execution of the\ - \ current playbook until a specified target playbook or block, running within\ - \ the context of the same alert, reaches a terminal state (Completed, Failed,\ - \ or Terminated). It is primarily used for synchronization when multiple playbooks\ - \ are triggered for a single alert and one depends on the results or completion\ - \ of another.\n\n### Parameters Description\n\n| Parameter | Description | Type\ - \ | Mandatory |\n| :--- | :--- | :--- | :--- |\n| Playbook Name | The exact name\ - \ of the playbook or block that this action should wait for. | String | Yes |\n\ - \n### Additional Notes\n- This is an **asynchronous** action. It will periodically\ - \ check the status of the target playbook and remain in an 'In Progress' state\ - \ until the target finishes.\n- If the specified playbook is not found associated\ - \ with the alert, the action will complete immediately to avoid deadlocks.\n\n\ - ### Flow Description\n1. **Retrieve Parameter**: The action identifies the target\ - \ playbook name from the input.\n2. **Fetch Workflow Status**: It queries the\ - \ Google SecOps API to retrieve the status of all workflow instances linked to\ - \ the current alert group.\n3. **Status Evaluation**: \n - If the target playbook's\ - \ status is `Completed`, `Failed`, or `Terminated`, the action finishes successfully.\n\ - \ - If the target playbook's status is `In Progress`, `Pending in Queue`, or\ - \ `Pending for User`, the action sets its state to `In Progress` to wait for the\ - \ next check cycle.\n - If the target playbook is not found, the action completes\ - \ with a message indicating it was not found." + ai_description: >- + ### General Description + + This action synchronizes playbook execution by pausing the current playbook until + another specified playbook or block, running on the same alert, reaches a terminal + state. It is primarily used to manage dependencies between parallel processes + within the same security alert context. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Playbook Name | String | Yes | The exact name of the playbook or block that + the current execution should wait for. | + + + ### Additional Notes + + - This action is asynchronous. If the target playbook is still running, the action + will remain in an 'In Progress' state and retry periodically until the target + playbook finishes or is not found. + + - To avoid permanent deadlocks, the action will complete successfully if the specified + playbook name cannot be found in the current alert context. + + + ### Flow Description + + 1. **Initialization**: The action retrieves the target playbook name from the + input parameters. + + 2. **Status Retrieval**: It queries the Google SecOps API to fetch the status + of all workflow instances associated with the current alert group. + + 3. **Status Evaluation**: + * If the target playbook is in a terminal state (**Completed**, **Failed**, + or **Terminated**), the action completes successfully, allowing the current playbook + to proceed. + * If the target playbook is still active (**In Progress**, **Pending in Queue**, + or **Pending for User**), the action sets its own state to 'In Progress'. + * If the target playbook is not found, the action completes to avoid a permanent + deadlock. + 4. **Completion**: Once the target playbook finishes, the 'lock' is released and + the current playbook continues its next steps. capabilities: can_create_case_comments: false can_create_insight: false @@ -4021,7 +4418,7 @@ Wait for Playbook to Complete: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -4035,28 +4432,3 @@ Wait for Playbook to Complete: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/power_ups/tools/resources/ai/integration_ai_description.yaml b/content/response_integrations/power_ups/tools/resources/ai/integration_ai_description.yaml index 4788aca80..8a09972f0 100644 --- a/content/response_integrations/power_ups/tools/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/power_ups/tools/resources/ai/integration_ai_description.yaml @@ -1,7 +1,7 @@ product_categories: asset_inventory: false cloud_security: false - collaboration: false + collaboration: true edr: false email_security: false iam_and_identity_management: false diff --git a/content/response_integrations/power_ups/tools/resources/ai/jobs_ai_description.yaml b/content/response_integrations/power_ups/tools/resources/ai/jobs_ai_description.yaml index d465dd0e6..78d657265 100644 --- a/content/response_integrations/power_ups/tools/resources/ai/jobs_ai_description.yaml +++ b/content/response_integrations/power_ups/tools/resources/ai/jobs_ai_description.yaml @@ -1,62 +1,39 @@ Close Cases Based On Search: - ai_description: >- - ### General Description - - This job automates the bulk closure of cases within Google SecOps based on specific - search criteria. It is designed for maintenance and cleanup tasks, allowing users - to programmatically identify and close multiple cases that match a defined search - query. The job ensures that only open cases are targeted and applies a consistent - closure reason, root cause, and comment to all affected records. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Search Payload | String | No | A JSON-formatted string representing the search - criteria. This should match the payload used in the 'CaseSearchEverything' API - call. | - - | Close Comment | String | Yes | The text comment to be added to the case wall - of all closed cases. | - - | Close Reason | Integer | Yes | The numeric identifier for the closure reason - (e.g., 0 for Malicious, 1 for Not Malicious). | - - | Root Cause | String | Yes | The specific root cause category to assign to the - cases, corresponding to values in Settings -> Case Data -> Case Close Root Cause. - | - - - ### Flow Description - - 1. **Initialize Search**: The job retrieves the `Search Payload` from the configuration - and explicitly sets the `isCaseClosed` filter to `False` to ensure only active - cases are processed. - - 2. **Execute Search**: It calls the `search_cases_by_everything` API to find all - cases matching the provided JSON criteria. - - 3. **Identify Cases**: The job extracts the unique Case IDs from the search results. - - 4. **Bulk Closure**: If matching cases are found, it executes the `execute_bulk_close_case` - command, passing the collected Case IDs along with the user-defined `Close Reason`, - `Root Cause`, and `Close Comment`. - - 5. **Logging**: The job logs the specific Case IDs that were affected and provides - a final count of the successfully closed cases. + ai_description: "### General Description\nThis job automates the bulk closure of\ + \ cases within Google SecOps based on specific search criteria. It allows users\ + \ to define a search payload\u2014identical to the one used by the platform's\ + \ 'Search Everything' API\u2014to identify open cases and close them systematically.\ + \ This is highly effective for maintenance tasks, such as clearing out high volumes\ + \ of false positives or legacy alerts that meet specific metadata criteria.\n\n\ + ### Parameters Description\n| Parameter | Type | Mandatory | Description |\n|\ + \ :--- | :--- | :--- | :--- |\n| Search Payload | String (JSON) | No | The JSON\ + \ payload used for the 'CaseSearchEverything' API call. It defines the filters\ + \ (e.g., time range, priority, labels) for cases to be closed. Defaults to `{}`.\ + \ |\n| Close Comment | String | Yes | The audit comment to be attached to all\ + \ cases closed by this job. |\n| Close Reason | Integer | Yes | The numeric value\ + \ representing the closure reason. Typically `0` for Malicious and `1` for Not\ + \ Malicious. |\n| Root Cause | String | Yes | The specific root cause string to\ + \ apply to the cases, matching the values configured in the SOAR Case Data settings.\ + \ |\n\n### Flow Description\n1. **Parse Search Criteria**: The job retrieves the\ + \ **Search Payload** from the configuration and parses it as JSON.\n2. **Filter\ + \ for Open Cases**: It automatically injects or overrides the `isCaseClosed` flag\ + \ to `False` to ensure the job only targets active cases.\n3. **Identify Target\ + \ Cases**: It executes a global search using the provided payload to retrieve\ + \ a list of matching cases.\n4. **Extract Identifiers**: The job extracts the\ + \ unique Case IDs from the search results.\n5. **Execute Bulk Closure**: If matching\ + \ cases are found, it triggers a bulk closure API call, applying the specified\ + \ **Close Reason**, **Root Cause**, and **Close Comment** to every identified\ + \ case.\n6. **Logging**: The job logs the specific Case IDs affected and reports\ + \ the total count of closed cases to the job execution history." Tag Untouched Cases: ai_description: >- ### General Description - This job automates the identification and flagging of stagnant incidents within - Google SecOps. It monitors all open cases and identifies those that have not been - modified within a user-defined timeframe (in hours). Once identified, the job - applies specific administrative tags to these cases, enabling SOC managers and - analysts to easily filter and prioritize cases that require immediate attention - or review. + This job automates the identification and labeling of stagnant open cases within + Google SecOps. It monitors cases that have not been modified for a user-defined + period and applies specific tags to them. This functionality is essential for + maintaining SOC hygiene, ensuring that cases requiring attention are highlighted + for review and do not remain idle without oversight. ### Parameters Description @@ -65,11 +42,11 @@ Tag Untouched Cases: | :--- | :--- | :--- | :--- | - | Tags | String | Yes | A comma-separated list of tags to apply to the cases that - meet the inactivity criteria (e.g., "Open Case Review, Stale"). | + | Tags | String | Yes | A comma-separated list of tags to apply to cases that + meet the inactivity threshold (e.g., "Open Case Review, Stale"). | - | Unmodified Time | Integer | Yes | The threshold of inactivity in hours. Any - open case not updated within this many hours will be tagged. | + | Unmodified Time | Integer | Yes | The duration of inactivity, measured in hours, + required to trigger the tagging action. | ### Flow Description @@ -77,18 +54,17 @@ Tag Untouched Cases: 1. **Parameter Retrieval**: The job fetches the `Unmodified Time` threshold and the list of `Tags` from the configuration. - 2. **Time Calculation**: It calculates a cutoff timestamp by subtracting the specified - number of hours from the current system time. + 2. **Cutoff Calculation**: It calculates a cutoff timestamp by subtracting the + specified number of hours from the current time. - 3. **Case Filtering**: The job queries the platform for all cases currently in - an "OPEN" status that have a "Last Modified" timestamp older than the calculated - cutoff. + 3. **Case Filtering**: The job queries Google SecOps for all cases currently in + an "OPEN" status that have not been updated since the calculated cutoff timestamp. - 4. **Tag Parsing**: The comma-separated string of tags is parsed into an array, - removing any leading or trailing whitespace from individual tags. + 4. **Tag Parsing**: The comma-separated string of tags is parsed into an array + of individual tag values. - 5. **Tag Application**: For every case identified in the filtering step, the job - iterates through the tag list and applies each tag to the case. + 5. **Tag Application**: For every case identified as untouched, the job iterates + through the tag list and applies each tag to the case. - 6. **Logging**: The job logs the IDs of the affected cases and provides a summary - of the total number of cases updated. + 6. **Logging**: The job logs the IDs of the affected cases and the total count + of cases updated during the execution. diff --git a/content/response_integrations/third_party/community/abuse_ipdb/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/abuse_ipdb/resources/ai/actions_ai_description.yaml index 400fc7c51..cfe796d96 100644 --- a/content/response_integrations/third_party/community/abuse_ipdb/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/abuse_ipdb/resources/ai/actions_ai_description.yaml @@ -1,62 +1,64 @@ Check IP Reputation: - ai_description: >- - Enriches IP Address entities by retrieving reputation data from AbuseIPDB. This - action checks if an IP address has been reported for malicious activity, providing - details such as the abuse confidence score, ISP, domain, and country. It allows - for filtering out internal addresses to conserve API quota and can automatically - mark entities as suspicious based on a configurable threshold. - - - ### Parameters - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Exclude Internal Addresses | boolean | No | If set to true, the action will - skip any address entities marked as internal in Google SecOps. Default is true. - | - - | Suspicious Threshold | string | Yes | An abuse confidence score (0-100) equal - to or above this value will mark the entity as suspicious. Set to 0 to disable - this logic. | - - | Create Insight | boolean | No | If true, creates a detailed insight on the entity's - case wall containing the reputation report summary. Default is true. | - - | Max Age in Days | string | Yes | Specifies the timeframe (in days) for the reputation - report (e.g., check reports from the last 90 days). | - - - ### Additional Notes - - - The action specifically targets `ADDRESS` entities. - - - Data retrieved from AbuseIPDB is mapped to the entity's additional properties - with the prefix `AbuseIPDB_`. - - - ### Flow Description - - 1. **Filter Entities:** Identifies all `ADDRESS` entities in the current scope. - If `Exclude Internal Addresses` is enabled, it filters out entities where `is_internal` - is true. - - 2. **API Request:** For each valid IP, it queries the AbuseIPDB API using the - provided API key and the `Max Age in Days` parameter. - - 3. **Data Mapping:** Parses the API response and populates the entity's additional - properties (e.g., `AbuseIPDB_isp`, `AbuseIPDB_abuseConfidenceScore`). - - 4. **Suspicious Evaluation:** Compares the retrieved `abuseConfidenceScore` against - the `Suspicious Threshold`. If the score meets or exceeds the threshold, the entity - is marked as suspicious. - - 5. **Insight Creation:** If `Create Insight` is enabled, a formatted HTML insight - is added to the entity in the SecOps case. - - 6. **Update Entities:** Updates the entities in the Google SecOps platform with - the new enrichment data and status. + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "### General Description\nEnriches IP Address entities by retrieving\ + \ reputation data from AbuseIPDB. This action checks if an IP address has been\ + \ reported for malicious activity, providing details such as the abuse confidence\ + \ score, country, ISP, and domain. It helps analysts quickly identify potentially\ + \ harmful network actors and automatically flags suspicious entities based on\ + \ configurable thresholds.\n\n### Parameters Description\n| Parameter Name | Type\ + \ | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Exclude Internal\ + \ Addresses | boolean | No | If set to `true`, the action will skip any IP entities\ + \ marked as internal in the environment, preserving API quota. |\n| Suspicious\ + \ Threshold | string | Yes | An integer value (0-100). If the Abuse Confidence\ + \ Score returned by AbuseIPDB is equal to or higher than this value, the entity\ + \ is marked as suspicious in Google SecOps. Set to 0 to disable this behavior.\ + \ |\n| Create Insight | boolean | No | If set to `true`, a detailed HTML insight\ + \ will be created for each processed IP entity, summarizing the reputation report.\ + \ |\n| Max Age in Days | string | Yes | Defines the time window (in days) for\ + \ which AbuseIPDB should search for reports. Only reports within this age limit\ + \ contribute to the score. |\n\n### Additional Notes\n- The action specifically\ + \ targets entities of type `ADDRESS`.\n- If an IP is not found in the AbuseIPDB\ + \ database, it will be noted in the action output but will not result in a failure.\n\ + \n### Flow Description\n1. **Initialization**: Extracts the API key and configuration\ + \ settings, then validates the `Max Age in Days` parameter.\n2. **Entity Filtering**:\ + \ Identifies all `ADDRESS` entities in the current scope. If `Exclude Internal\ + \ Addresses` is enabled, it filters out entities where `is_internal` is true.\n\ + 3. **API Request**: For each valid entity, it performs a GET request to the AbuseIPDB\ + \ `/check` endpoint using the entity's identifier and the specified `Max Age`.\n\ + 4. **Data Mapping**: \n - Appends the raw report data to the entity's additional\ + \ properties with the prefix `AbuseIPDB_`.\n - Compares the `abuseConfidenceScore`\ + \ against the `Suspicious Threshold` to potentially update the entity's suspicious\ + \ status.\n5. **Insight Generation**: If enabled, constructs an HTML summary of\ + \ the IP's reputation (score, ISP, domain, etc.) and attaches it as an entity\ + \ insight.\n6. **Finalization**: Updates the entities in the Google SecOps platform\ + \ and returns a summary of successful, failed, or missing IPs." capabilities: can_create_case_comments: false can_create_insight: true @@ -67,13 +69,13 @@ Check IP Reputation: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity attributes with reputation data, sets the suspicious status of - entities, and creates case insights. + Updates entity additional properties, sets the 'is_suspicious' flag based on + reputation scores, and creates entity-level insights. categories: enrichment: true entity_usage: entity_types: - - ADDRESS + - ADDRESS filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -87,6 +89,7 @@ Check IP Reputation: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -98,72 +101,71 @@ Check IP Reputation: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: true + enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: ai_description: >- ### General Description - The Ping action is a utility designed to verify the connectivity between Google - SecOps and the AbuseIPDB API. It ensures that the provided API key is valid and - that the network path to the service is open. This is typically used during the - initial setup or troubleshooting of the integration. + The **Ping** action is a diagnostic tool used to verify the connectivity between + the Google SecOps platform and the AbuseIPDB API. It ensures that the provided + API key is valid and that the network configuration allows for successful communication + with the external service. ### Parameters Description - This action does not have any action-specific parameters. It relies solely on - the integration's global configuration parameters: - - - | Parameter Name | Expected Type | Mandatory | Description | + | Parameter Name | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | | Api Key | String | Yes | The API key used to authenticate requests to AbuseIPDB. - | + This is retrieved from the integration configuration. | | Verify SSL | Boolean | No | If enabled, the action will verify the SSL certificate - of the AbuseIPDB API endpoint. Defaults to False. | + of the AbuseIPDB API. Defaults to `False`. | ### Additional Notes - * The action performs a test lookup for a dummy IP address (1.1.1.1) to validate - the API response. + * This action does not process any entities from the case. It uses a hardcoded + dummy IP address (`1.1.1.1`) to perform a test lookup. - * If the API key is invalid, the action will return a failure state with a specific + * If the API key is invalid, the action will return a failed status with a specific error message regarding forbidden access. ### Flow Description - 1. **Initialization**: The action retrieves the global configuration (API Key - and SSL verification settings). + 1. **Initialization**: The action initializes the Siemplify context and retrieves + the integration configuration parameters (API Key and SSL verification setting). - 2. **Connectivity Test**: The action calls the AbuseIPDB manager to perform a - `test_connectivity` operation. + 2. **Manager Setup**: An instance of the `AbuseIPDBManager` is created using the + provided credentials. - 3. **API Request**: The manager executes a GET request to the AbuseIPDB 'check' - endpoint using a hardcoded dummy IP (1.1.1.1). + 3. **Connectivity Test**: The action calls the `test_connectivity` method, which + performs a GET request to the AbuseIPDB 'check' endpoint for the IP `1.1.1.1`. - 4. **Validation**: The response is checked for HTTP errors (e.g., 403 Forbidden - for invalid keys or 204 for rate limits). + 4. **Validation**: The response is validated for HTTP errors and specific status + codes (e.g., 403 for invalid keys). - 5. **Outcome**: If the request is successful, the action returns 'true'. If an - exception occurs or the key is invalid, it returns 'false' and logs the error. + 5. **Completion**: If the request is successful, the action returns a "Connection + Established" message. If an error occurs, it logs the exception and returns a + failure status. capabilities: can_create_case_comments: false can_create_insight: false @@ -177,7 +179,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -191,28 +193,3 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/community/air_table/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/air_table/resources/ai/actions_ai_description.yaml index d05005c2e..fb7ced458 100644 --- a/content/response_integrations/third_party/community/air_table/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/air_table/resources/ai/actions_ai_description.yaml @@ -1,32 +1,89 @@ AddOrUpdate: - ai_description: "### General Description\nThe **AddOrUpdate** action allows users\ - \ to synchronize data with an Airtable table by either inserting new records or\ - \ updating existing ones. It acts as an 'upsert' operation, ensuring that the\ - \ target table reflects the provided data without creating duplicates based on\ - \ a specific identifier field.\n\n### Parameters Description\n| Parameter | Description\ - \ | Type | Mandatory | \n| :--- | :--- | :--- | :--- |\n| **Base id** | The unique\ - \ identifier for the Airtable base where the table resides. | string | Yes |\n\ - | **Table name** | The name of the specific table within the Airtable base to\ - \ perform operations on. | string | Yes |\n| **Field name** | The name of the\ - \ field used to check for existing records (e.g., 'Email' or 'ID'). This field\ - \ is used in the search query. | string | Yes |\n| **Json fields** | A JSON-formatted\ - \ string (list of objects) containing the data to be added or updated. Each object\ - \ should contain the keys corresponding to Airtable columns. | string | Yes |\n\ - \n### Additional Notes\n- The action expects the `Json fields` parameter to be\ - \ a valid JSON array of objects. \n- The `Field name` provided must exist in the\ - \ Airtable table and should ideally contain unique values for the search logic\ - \ to work correctly.\n\n### Flow Description\n1. **Initialization**: The action\ - \ retrieves the Airtable API key from the integration configuration and extracts\ - \ the Base ID, Table Name, Field Name, and JSON data from the parameters.\n2.\ - \ **Data Parsing**: The `Json fields` string is parsed into a Python list of dictionaries.\n\ - 3. **Search and Upsert Logic**: For each item in the provided list:\n - The\ - \ action searches the Airtable table for records where the specified `Field name`\ - \ matches the value in the current item.\n - **Update**: If one or more matching\ - \ records are found, the action updates those records with the data provided in\ - \ the item.\n - **Insert**: If no matching records are found, the action inserts\ - \ a new record into the table.\n4. **Completion**: The action calculates the total\ - \ number of inserted and updated records and returns a summary message to the\ - \ Google SecOps platform." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + ### General Description + + The **AddOrUpdate** action allows users to synchronize data with an Airtable table + by either inserting new records or updating existing ones. It processes a list + of data objects provided in JSON format and uses a specific field as a unique + identifier to determine whether a record already exists in the target Airtable + base and table. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | **Base id** | String | Yes | The unique identifier for the Airtable base where + the data will be managed. | + + | **Table name** | String | Yes | The name of the specific table within the Airtable + base. | + + | **Field name** | String | Yes | The name of the field used to search for existing + records. This acts as the 'key' for the upsert logic. | + + | **Json fields** | String | Yes | A JSON-formatted string representing a list + of dictionaries. Each dictionary contains the field-value pairs to be inserted + or updated. | + + + ### Flow Description + + 1. **Initialization**: The action retrieves the Airtable API key from the integration + configuration and extracts the base ID, table name, search field, and the JSON + data from the action parameters. + + 2. **Data Parsing**: The `Json fields` string is parsed into a Python list of + dictionaries. + + 3. **Search and Upsert Logic**: For each item in the provided list: + * The action searches the specified Airtable table for records where the `Field + name` matches the value provided in the current item. + * **Update**: If one or more matching records are found, the action updates + those specific records with the data provided in the item. + * **Insert**: If no matching records are found, the action creates a new record + in the table using the data provided in the item. + 4. **Completion**: The action calculates the total number of inserted and updated + records and returns a summary message to the Google SecOps platform. + + + ### Additional Notes + + * This action does not operate on SecOps entities (like IPs or Hostnames) directly; + it processes raw data provided via the `Json fields` parameter. + + * Ensure the `Json fields` parameter is a valid JSON array of objects, and that + the `Field name` exists within those objects. capabilities: can_create_case_comments: false can_create_insight: false @@ -35,14 +92,14 @@ AddOrUpdate: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - The action performs 'update' and 'insert' operations on the specified Airtable + The action performs 'update' and 'insert' operations on the target Airtable table, modifying the state of the external database. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -56,12 +113,13 @@ AddOrUpdate: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Create: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false contain_host: false - create_ticket: false + create_ticket: true delete_email: false disable_identity: false download_file: false @@ -69,70 +127,77 @@ AddOrUpdate: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Create: ai_description: >- - The 'Create' action allows users to programmatically add new records to a specific - table within an Airtable base. It is designed to handle bulk creation by accepting - a JSON-formatted list of records. This action is useful for logging SOAR activities, - tracking incident metadata, or synchronizing data between Google SecOps and Airtable. + ### General Description + The **Create** action allows users to programmatically insert new records into + a specific table within an Airtable base. It is designed to handle bulk creation + by accepting a JSON array of objects, where each object represents a new row to + be added. This action is useful for logging SOAR activities, tracking incidents + in a database, or synchronizing data with external Airtable-based workflows. - ### Flow Description - 1. **Configuration Extraction:** The action retrieves the Airtable API key from - the integration configuration and the Base ID, Table Name, and JSON fields from - the action parameters. + ### Parameters Description - 2. **Data Parsing:** It parses the provided 'Json fields' string into a list of - Python dictionaries, where each dictionary represents a single record to be created. + | Parameter Name | Type | Mandatory | Description | - 3. **Record Insertion:** The action iterates through the list of records and uses - the Airtable SDK to insert each one into the specified table. + | :--- | :--- | :--- | :--- | - 4. **Result Compilation:** It collects the unique IDs and field data of the successfully - created records. + | **Base id** | string | Yes | The unique identifier for the Airtable base (database). + This can be found in the URL of the Airtable API documentation page for that specific + base. | - 5. **Finalization:** The action outputs the created records as a JSON result and - provides a summary message indicating the total number of records added. + | **Table name** | string | Yes | The name of the table within the specified base + where the records should be inserted. | + | **Json fields** | content | Yes | A JSON-formatted array of objects. Each object + contains key-value pairs where the key is the field (column) name and the value + is the data to be inserted into that field. Supports multiple records in one execution. + | - ### Parameters Description - | Parameter Name | Type | Mandatory | Description | + ### Flow Description - | :--- | :--- | :--- | :--- | + 1. **Configuration Extraction**: The action retrieves the Airtable API key from + the integration configuration. - | Base id | string | True | The unique identifier for the Airtable base (database). - This can be found in the Airtable API documentation URL for that specific base. - | + 2. **Parameter Parsing**: It extracts the Base ID, Table Name, and the JSON string + containing the record data from the action parameters. + + 3. **Data Processing**: The JSON string is parsed into a Python list of dictionaries. - | Table name | string | True | The name of the table within the base where the - records should be inserted. | + 4. **External Interaction**: For each dictionary (record) in the list, the action + calls the Airtable API to insert the data into the specified table. - | Json fields | content | True | A JSON-formatted array of objects. Each object - represents a row to be created, with keys matching the Airtable field names and - values representing the data for those fields. | + 5. **Result Compilation**: The action collects the unique IDs and field data returned + by Airtable for each successfully created record. + + 6. **Final Output**: The action returns a JSON summary of the created records + and ends with a success message indicating the total count of records added. ### Additional Notes - - This action does not interact with Google SecOps entities; it operates purely - on the data provided in the 'Json fields' parameter. + - Ensure that the field names in the **Json fields** parameter exactly match the + column names in your Airtable table (case-sensitive). - - Ensure that the field names in the JSON input exactly match the column names - in the target Airtable table to avoid insertion errors. + - The action will fail if the JSON provided is not a valid list of objects or + if the API key lacks the necessary permissions for the specified base. capabilities: can_create_case_comments: false can_create_insight: false @@ -141,13 +206,14 @@ Create: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates new records (rows) in the specified Airtable base and table. + This action creates new records (rows) in a specified Airtable base and table + using the Airtable API. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -161,6 +227,7 @@ Create: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Delete: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -174,27 +241,28 @@ Create: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Delete: ai_description: >- ### General Description - The **Delete** action allows users to remove specific records from an Airtable - table based on a search match. It identifies records by comparing a provided value - against a specific field (column) and deletes all matching records up to a defined - limit. This is useful for automated data cleanup or removing specific entries - from a tracking base during incident response. + The **Delete** action allows users to remove records from a specific Airtable + table based on a matching field value. It performs a search to identify records + where a designated column (field) matches a provided value and subsequently deletes + those records, up to a user-defined limit. ### Parameters Description @@ -204,47 +272,44 @@ Delete: | :--- | :--- | :--- | :--- | | **Base id** | string | Yes | The unique identifier for the Airtable base (database). - This can be found in the URL of the Airtable API documentation for that base. - | + Found in the API documentation URL for the base. | | **Table name** | string | Yes | The name of the specific table within the base - where the records are stored. | + where the deletion should occur. | - | **Field name** | string | Yes | The name of the column/field to search within - to find records for deletion. | + | **Field name** | string | Yes | The name of the column (field) to search for + matching values. | - | **Field value** | string | Yes | The specific value to match in the 'Field name' - column. Any record containing this value in the specified field will be targeted. - | + | **Field value** | string | Yes | The specific value to look for in the designated + field. Records containing this value will be targeted for deletion. | - | **Max records** | string | Yes | The maximum number of matching records to delete - in a single execution. Defaults to 100 if not specified or invalid. | + | **Max records** | string | Yes | The maximum number of records that the action + will delete in a single execution. Default is 100. | ### Flow Description - 1. **Configuration Retrieval**: The action extracts the API key from the integration - settings and the Base ID, Table Name, and search criteria from the action parameters. + 1. **Initialization**: The action extracts the API key from the integration configuration + and the base ID, table name, field name, field value, and max records from the + action parameters. - 2. **Search Phase**: It performs a search in the specified Airtable table for - records where the 'Field name' matches the 'Field value'. + 2. **Search**: It connects to the Airtable API and searches the specified table + for records where the `Field name` matches the `Field value`, limiting the results + to the `Max records` count. - 3. **Deletion Phase**: The action iterates through the list of found records (limited - by the 'Max records' parameter) and sends a delete request for each unique record - ID. + 3. **Deletion**: The action iterates through the list of records returned by the + search and issues a delete request for each record ID. - 4. **Finalization**: The action calculates the total number of deleted records - and returns a success message to the SecOps platform. + 4. **Completion**: It calculates the total number of deleted records and returns + a success message to the Google SecOps platform. ### Additional Notes - - **Data Loss Warning**: This action performs a permanent deletion of data in - the external Airtable system. Ensure that the search criteria (Field name and - Field value) are precise to avoid unintended data loss. + * This action does not operate on SecOps entities; it relies entirely on the provided + parameters to identify data in Airtable. - - **Rate Limiting**: Large values for 'Max records' may be subject to Airtable - API rate limits. + * The action performs a destructive operation (deletion) on external data. capabilities: can_create_case_comments: false can_create_insight: false @@ -253,14 +318,14 @@ Delete: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - The action deletes records from the specified Airtable table based on the search - results matching the provided field name and value. + The action deletes records from an Airtable table based on search criteria provided + in the parameters. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -274,6 +339,7 @@ Delete: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Delete All Records: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -287,68 +353,67 @@ Delete: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Delete All Records: ai_description: >- - ### General Description - - The **Delete All Records** action is designed to purge all data from a specific - table within an Airtable base. This is a destructive action used for data cleanup - or resetting a table's state. It works by first retrieving all record identifiers - from the target table and then executing a batch deletion process. + Deletes all records from a specified table within an Airtable base. This action + is useful for clearing out temporary data or resetting a table's state. It first + retrieves all existing record IDs from the target table and then performs a batch + deletion to remove them. - ### Parameters Description + ### Flow Description: - | Parameter Name | Description | Type | Mandatory | Notes | + 1. **Configuration Extraction:** Retrieves the Airtable API key from the integration + settings and the Base ID and Table Name from the action parameters. - | :--- | :--- | :--- | :--- | :--- | + 2. **Record Retrieval:** Connects to the specified Airtable base and table to + fetch all existing records. - | **Base Id** | The unique identifier for the Airtable base (database). This can - be found in the Airtable API documentation URL for the specific base. | String - | Yes | Required to locate the correct database. | + 3. **ID Collection:** Extracts the unique record IDs for every record found in + the table. - | **Table name** | The name of the table within the specified base where all records - should be deleted. | String | Yes | Required to target the specific data set. - | + 4. **Batch Deletion:** Executes a batch delete operation using the collected IDs + to remove all records from the table. + 5. **Completion:** Returns a success message indicating the total number of records + deleted. - ### Additional Notes - - **Destructive Action**: This action permanently removes all records from the - specified table. Use with caution. + ### Parameters Description: - - **API Limits**: The action adjusts the Airtable API limit internally to handle - batch deletions efficiently. + | Parameter Name | Type | Mandatory | Description | - - **No Entities**: This action does not run on specific SOAR entities; it operates - globally on the specified Airtable table. + | :--- | :--- | :--- | :--- | + | Base Id | String | True | The unique identifier for the Airtable base (database). + This can be found in the URL of the Airtable API documentation page for that base. + | - ### Flow Description + | Table name | String | True | The name of the specific table within the base + from which all records will be deleted. | - 1. **Configuration Extraction**: The action retrieves the Airtable API key from - the integration configuration and the Base ID and Table Name from the action parameters. - 2. **Data Retrieval**: It connects to the specified Airtable table and fetches - all existing records to collect their unique record IDs. + ### Additional Notes: - 3. **Batch Deletion**: The action uses the collected IDs to perform a batch delete - operation, effectively clearing the table. + - This action performs a destructive operation. Once records are deleted via the + API, they cannot be easily recovered unless a backup exists within Airtable. - 4. **Reporting**: Finally, it calculates the total number of deleted records and - returns a success message to the Google SecOps platform. + - The action handles API rate limits by setting a specific limit on the Airtable + client before performing the batch delete. capabilities: can_create_case_comments: false can_create_insight: false @@ -357,14 +422,14 @@ Delete All Records: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - The action performs a batch delete operation in Airtable, permanently removing - all records from the specified table. + Deletes all records from the specified Airtable table using the batch delete + API method. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -378,6 +443,7 @@ Delete All Records: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Enrich Entities From Table: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -388,85 +454,88 @@ Delete All Records: disable_identity: false download_file: false enable_identity: false - enrich_asset: false - enrich_ioc: false + enrich_asset: true + enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Enrich Entities From Table: ai_description: >- - Enriches entities by searching for matching records within a specified Airtable - table. This action allows users to map external data stored in Airtable (such - as asset owners, threat intelligence, or contact information) directly onto SecOps - entities. It searches a specific column in Airtable using either the entity's - identifier or a custom property as the search key. When a match is found, the - record's fields are flattened, prefixed, and added to the entity's additional - properties. + Enriches entities by searching for matching records in a specified Airtable table. + This action allows users to map SOAR entities to custom data stored in Airtable + (such as asset inventories, user directories, or threat intelligence lists) and + pull that data back into the entity's additional properties. - ### Parameters Description + ### Flow Description + 1. **Parameter Extraction:** Retrieves the Airtable API key, Base ID, Table Name, + and search parameters from the action configuration. - | Parameter | Type | Mandatory | Description | + 2. **Search Value Determination:** For each target entity, the action determines + the search value. By default, it uses the entity's identifier, but it can be configured + to use a specific value from the entity's existing additional properties via the + 'Entity Field' parameter. - | :--- | :--- | :--- | :--- | + 3. **Airtable Query:** Executes a search in the specified Airtable table, looking + for records where the 'Field name' column matches the search value. It performs + a case-sensitive search first, followed by a case-insensitive search if no results + are found. - | Enrichment Prefix | string | No | A prefix (default: 'AT_') added to the keys - of the data retrieved from Airtable before adding them to the entity. | + 4. **Data Processing:** If a record is found, the action flattens the Airtable + record (handling nested dictionaries and lists) and applies the specified 'Enrichment + Prefix'. - | Max records | string | No | The maximum number of records to retrieve from Airtable - for the search query (default: 100). | + 5. **Entity Update:** Updates the entity's additional properties with the retrieved + data and saves the changes within Google SecOps. - | Base id | string | Yes | The unique identifier for the Airtable Base (database). - | - | Table name | string | Yes | The name of the table within the Airtable Base to - search. | + ### Parameters Description - | Field name | string | Yes | The name of the column (field) in Airtable to match - against the entity value. | + | Parameter | Type | Mandatory | Description | - | Entity Field | string | No | The specific entity property to use for the search. - If left blank, the action uses the Entity Identifier. | + | :--- | :--- | :--- | :--- | + | Enrichment Prefix | string | No | A prefix (default: 'AT_') added to the keys + of the data retrieved from Airtable before adding them to the entity properties. + | - ### Flow Description + | Max records | string | No | The maximum number of records to retrieve from Airtable + (default: 100). Note: The action currently processes only the first record found. + | + | Base id | string | Yes | The unique identifier for the Airtable base (database). + Found in the Airtable API documentation URL. | - 1. **Initialization:** Retrieves Airtable API credentials and action parameters - (Base ID, Table Name, Field Name, etc.). + | Table name | string | Yes | The name of the specific table within the base to + search. | - 2. **Entity Processing:** Iterates through all target entities in the current - context. + | Field name | string | Yes | The name of the column in the Airtable table to + match against the entity value. | - 3. **Search Key Determination:** For each entity, identifies the search value. - It uses the value from the property specified in 'Entity Field' if provided; otherwise, - it defaults to the entity's identifier. + | Entity Field | string | No | The specific entity property to use for the search. + If left blank, the entity's Identifier is used. | - 4. **Airtable Query:** Executes a search in the specified Airtable table where - the 'Field name' matches the search key. It performs a case-sensitive search first, - followed by a case-insensitive search if no results are found. - 5. **Data Transformation:** If a record is found, the action takes the first - result, flattens any nested JSON structures, and applies the configured 'Enrichment - Prefix' to the keys. + ### Additional Notes - 6. **Internal Mutation:** Updates the entity's 'additional_properties' with the - processed Airtable data. + - The action is designed to handle complex Airtable data structures by flattening + them into a key-value format suitable for entity properties. - 7. **Finalization:** Updates all successful entities in the SecOps platform and - outputs a summary message along with raw JSON results for the enriched entities - and any errors encountered. + - If multiple records are found in Airtable, the action currently only utilizes + the first record returned. capabilities: can_create_case_comments: false can_create_insight: false @@ -477,47 +546,46 @@ Enrich Entities From Table: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates the 'additional_properties' of entities with data retrieved from Airtable - records. + Updates entity additional properties with data retrieved from Airtable. categories: enrichment: true entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: true filters_by_alert_identifier: false filters_by_case_identifier: false @@ -531,6 +599,7 @@ Enrich Entities From Table: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get All Records: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -541,85 +610,80 @@ Enrich Entities From Table: disable_identity: false download_file: false enable_identity: false - enrich_asset: true - enrich_ioc: true + enrich_asset: false + enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get All Records: ai_description: >- ### General Description - The **Get All Records** action retrieves a collection of records from a specified - table within an Airtable base. It is designed to fetch bulk data, allowing users - to limit the number of returned records and apply sorting based on a specific - column and direction. This action is primarily used for data retrieval and synchronization - tasks where external Airtable data needs to be brought into the Google SecOps - environment for analysis or reporting. + The **Get All Records** action retrieves a list of records from a specified table + within an Airtable base. This action is designed to fetch structured data from + Airtable, allowing users to pull reference information, lookup tables, or logs + into a Google SecOps playbook. It supports limiting the number of records returned + and sorting the results based on a specific column. ### Parameters Description - | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Base Id** | string | Yes | The unique identifier for the Airtable base (database). - This can be found in the Airtable API documentation for the specific base. | + | **Base Id** | String | Yes | The unique identifier for the Airtable base (database). + This can be found in the URL of the Airtable API documentation page for that base. + | - | **Table name** | string | Yes | The name of the table within the specified base + | **Table name** | String | Yes | The name of the specific table within the base from which to retrieve records. | - | **Max Records** | string | Yes | The maximum number of rows/records to be retrieved - in a single execution. | + | **Max Records** | String | Yes | The maximum number of rows/records to fetch + from the table. | - | **Sort by** | string | No | The name of the column (field) to use for sorting - the results. If left empty, no specific sorting is applied. | + | **Sort by** | String | No | The name of the column (field) you wish to sort + the records by. | - | **Sort Direction** | ddl | Yes | Specifies the order of the sorted records. - Options are `Descending` or `Ascending`. Defaults to `Descending`. | - - - ### Additional Notes + | **Sort Direction** | DDL | Yes | The order in which to sort the records: 'Ascending' + or 'Descending'. | - - This action does not operate on specific entities within a case; it performs - a global fetch based on the provided parameters. - - The results are returned as a JSON array containing the record objects from - Airtable. + ### Flow Description + 1. **Initialization**: The action retrieves the Airtable API key from the integration + configuration and the specific base and table details from the action parameters. - ### Flow Description + 2. **Sorting Logic**: It evaluates the 'Sort Direction' and 'Sort by' parameters + to construct the appropriate sorting criteria for the Airtable API request. - 1. **Configuration Extraction:** The action retrieves the Airtable API key from - the integration configuration. + 3. **Data Retrieval**: The action calls the Airtable API's `get_all` method, applying + the record limit and sorting parameters. - 2. **Parameter Parsing:** It extracts the Base ID, Table Name, record limit, - and sorting preferences from the action parameters. + 4. **Output**: The fetched records are converted to a JSON string and added to + the action's results. The action concludes by reporting the total number of records + successfully retrieved. - 3. **Client Initialization:** An Airtable client is initialized using the provided - Base ID, Table Name, and API Key. - 4. **Data Retrieval:** The action calls the Airtable API to fetch records. If - a 'Sort by' column is provided, it applies the specified sorting logic; otherwise, - it fetches records up to the 'Max Records' limit. + ### Additional Notes - 5. **Result Processing:** The retrieved records are counted and formatted into - JSON. + - This action does not target specific entities (such as IP addresses or Hostnames) + but instead performs a global fetch from the specified Airtable table. - 6. **Output:** The action attaches the raw JSON results to the action output - and provides a summary message indicating the number of records successfully fetched. + - If the **Sort by** parameter is left empty, the action will retrieve records + in the default order provided by the Airtable API. capabilities: can_create_case_comments: false can_create_insight: false @@ -633,7 +697,7 @@ Get All Records: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -647,6 +711,7 @@ Get All Records: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -660,53 +725,49 @@ Get All Records: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: ai_description: >- ### General Description - The **Ping** action is a diagnostic tool designed to verify the connectivity between - Google SecOps and the AirTable service. It ensures that the provided credentials - (API Key, Base ID, and Table Name) are valid and that the network path to the - AirTable API is open. + The **Ping** action is designed to verify the connectivity between Google SecOps + and the AirTable service. It ensures that the provided credentials (API Key, Base + ID, and Table Name) are valid and that the environment can successfully communicate + with the AirTable API. ### Parameters Description - There are no parameters for this action. - - - ### Additional Notes - - This action is typically used during the initial setup of the AirTable integration - or for troubleshooting connectivity issues. It performs a read-only operation - by attempting to fetch a single record from the configured table. + There are no input parameters for this action. It relies entirely on the integration's + configuration settings. ### Flow Description - 1. **Configuration Extraction:** The action retrieves the `Api key`, `Base id`, - and `Table name` from the integration's configuration settings. + 1. **Configuration Extraction**: The action retrieves the `Api key`, `Base id`, + and `Table name` from the AirTable integration configuration. - 2. **Client Initialization:** It initializes the AirTable client using the extracted + 2. **Client Initialization**: It initializes the AirTable client using the extracted credentials. - 3. **Connectivity Test:** The action executes a request to fetch a maximum of - one record (`maxRecords=1`) from the specified AirTable base and table. + 3. **Connectivity Test**: The action attempts to fetch a single record (`maxRecords=1`) + from the specified table to confirm read access. - 4. **Result Reporting:** If the request is successful, the action concludes with - a success message indicating that AirTable is connected. + 4. **Completion**: If the request is successful, the action concludes with a success + message indicating that AirTable is connected. capabilities: can_create_case_comments: false can_create_insight: false @@ -720,7 +781,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -734,6 +795,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Search: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -747,26 +809,27 @@ Ping: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: false + search_events: true send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Search: ai_description: >- ### General Description - The **Search** action allows users to query an Airtable base for specific records. - It searches a designated column (field) for a specific value within a chosen table. - This is useful for retrieving structured data stored in Airtable to provide context - during an investigation. + The **Search** action allows users to query a specific table within an Airtable + base to find records that match a particular field value. It is a read-only operation + designed to retrieve structured data from Airtable for use in playbooks or investigations. ### Parameters Description @@ -775,43 +838,51 @@ Search: | :--- | :--- | :--- | :--- | - | **Base id** | string | Yes | The unique identifier for the Airtable base (found - in the API URL). | + | **Field value** | String | Yes | The specific value you are looking for within + the designated field. | - | **Table name** | string | Yes | The name of the table within the base to search. - | + | **Field name** | String | Yes | The name of the column (field) in the Airtable + table where the search should be performed. | - | **Field name** | string | Yes | The name of the column/field to perform the - search on. | + | **Table name** | String | Yes | The name of the table within the Airtable base + that contains the data. | - | **Field value** | string | Yes | The specific value to look for in the defined - field. | + | **Base id** | String | Yes | The unique identifier for the Airtable base (found + in the API documentation or URL). | - | **Max records** | string | No | The maximum number of records to return (default - is 100). | + | **Max records** | String | No | The maximum number of records to return. Defaults + to 100 if not specified. | - ### Flow Description + ### Additional Notes - 1. **Initialization**: The action retrieves the API key from the integration configuration - and the search parameters from the action input. + - This action does not process SOAR entities; it operates strictly based on the + provided parameters. - 2. **Connection**: It establishes a connection to the specified Airtable base - and table using the Airtable SDK. + - The search is performed using the Airtable API's search functionality, which + typically looks for exact matches or specific patterns depending on the field + type. - 3. **Execution**: It performs a search query using the provided field name and - value, respecting the maximum records limit. - 4. **Output**: The results are returned as a JSON object, and a summary message - indicates how many records were matched. + ### Flow Description + 1. **Configuration Extraction**: The action retrieves the Airtable API key from + the integration configuration. - ### Additional Notes + 2. **Parameter Parsing**: It extracts the Base ID, Table Name, Field Name, Field + Value, and the maximum number of records to return from the action input. - - This action is read-only and does not modify any data in Airtable. + 3. **Client Initialization**: An Airtable client is initialized using the provided + Base ID and Table Name. - - It does not automatically process entities from the SecOps case; all search - criteria must be provided via parameters. + 4. **Execution**: The action calls the Airtable `search` method, passing the field + name and value to filter the records. + + 5. **Result Processing**: The retrieved records are counted and formatted into + a JSON structure. + + 6. **Output**: The action returns the JSON results to the SOAR platform and provides + a summary message indicating how many records were successfully matched. capabilities: can_create_case_comments: false can_create_insight: false @@ -825,7 +896,7 @@ Search: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -839,6 +910,7 @@ Search: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Update: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -852,75 +924,42 @@ Search: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false - update_ticket: false -Update: + update_ticket: true ai_description: >- - ### General Description - - The **Update** action allows users to modify existing records within an Airtable - table. It functions by searching for records that match a specific criteria (field - name and value) and then applying updates to those records based on a provided - JSON object. This is useful for synchronizing data between Google SecOps and Airtable - or for updating status fields in a tracking table. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **Base id** | string | Yes | The unique identifier for the Airtable base. | - - | **Table name** | string | Yes | The name of the specific table to update. | - - | **Field name** | string | Yes | The column name used to filter which records - should be updated. | - - | **Field value** | string | Yes | The value to look for in the specified `Field - name`. | - - | **Json fields** | content | Yes | A JSON string representing the fields and - their new values (e.g., `{"Status": "Resolved"}`). | - - | **Max records** | string | Yes | Limits the number of records that will be updated - in a single execution. | - - - ### Flow Description - - 1. **Initialization**: Retrieves the API key from the integration configuration - and parameters from the action input. - - 2. **Validation**: Parses the `Json fields` parameter into a dictionary and converts - `Max records` to an integer. - - 3. **Search**: Queries the specified Airtable base and table for records where - the `Field name` matches the `Field value`. - - 4. **Update**: Iterates through the retrieved records (up to the `Max records` - limit) and updates each one with the data provided in `Json fields`. - - 5. **Completion**: Returns a success message indicating the total number of records - updated. - - - ### Additional Notes - - - Ensure the `Json fields` parameter is a valid JSON string. - - - The action will only update records that are found during the search phase. + ### General Description\nUpdates specific records in an Airtable table based on + a search criterion. This action allows for bulk updates of records that match + a specific field value, enabling automated data management within Airtable bases.\n\n### + Parameters Description\n| Parameter | Type | Mandatory | Description |\n| :--- + | :--- | :--- | :--- |\n| Base id | String | Yes | The ID of the Airtable base + (found in the API URL). |\n| Table name | String | Yes | The name of the table + within the base. |\n| Field name | String | Yes | The name of the field (column) + to search for matching records. |\n| Field value | String | Yes | The value to + match in the specified 'Field name'. |\n| Json fields | Content | Yes | A JSON + dictionary of field names and their new values to be updated (e.g., `{\"Status\": + \"Closed\"}`). |\n| Max records | String | Yes | The maximum number of records + to be updated in a single execution. |\n\n### Flow Description\n1. **Search**: + The action searches the specified Airtable table for records where the 'Field + name' matches the 'Field value'.\n2. **Limit**: It retrieves up to the number + of records specified in 'Max records'.\n3. **Update**: For each record found, + it applies the updates defined in the 'Json fields' parameter using the Airtable + record ID.\n4. **Report**: Returns the total count of successfully updated records + as the action result.\n\n### Additional Notes\nEnsure the 'Json fields' parameter + is a valid JSON string. If 'Max records' is not a valid integer, the action defaults + to a limit of 5 records. capabilities: can_create_case_comments: false can_create_insight: false @@ -929,14 +968,14 @@ Update: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates existing records in an Airtable table with new field values based on - a search query. + Updates existing records in an Airtable table with new field values provided + in the 'Json fields' parameter. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -950,28 +989,3 @@ Update: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/community/air_table/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/air_table/resources/ai/connectors_ai_description.yaml index 624425975..2e182c899 100644 --- a/content/response_integrations/third_party/community/air_table/resources/ai/connectors_ai_description.yaml +++ b/content/response_integrations/third_party/community/air_table/resources/ai/connectors_ai_description.yaml @@ -1,35 +1,31 @@ AirTable Connector: - ai_description: "### General Description\nThe AirTable Connector enables the ingestion\ - \ of records from Airtable tables into Google SecOps as alerts and cases. This\ - \ integration allows security teams to treat Airtable as a data source for tracking\ - \ incidents, assets, or logs, facilitating automated response workflows based\ - \ on spreadsheet-style data.\n\n### Parameters Description\n| Parameter | Type\ - \ | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Api key | Password\ - \ | Yes | Your Airtable API Key, found in your account overview. |\n| Base id\ - \ | String | Yes | The unique ID for the Airtable base (database), found in the\ - \ API documentation URL for that base. |\n| Table name | String | Yes | The name\ - \ of the specific table within the base to fetch records from. |\n| Alert type\ - \ | String | Yes | Determines the Alert Type (Rule Generator) for the ingested\ - \ cases. |\n| Max records | String | Yes | The maximum number of rows to fetch\ - \ from the table per execution. |\n| Alert name field | String | No | The Airtable\ - \ column name used to populate the Alert name. |\n| Alert name prefix | String\ - \ | No | A string to prepend to the Alert name for better identification. |\n\ - | Field name | String | No | The column name to use for filtering records. |\n\ - | Field value | String | No | The specific value(s) to search for in the 'Field\ - \ name' column (supports comma-separated values). |\n| DeviceProductField | String\ - \ | Yes | The field name used to determine the device product (defaults to 'AirTable'\ - \ in logic). |\n| EventClassId | String | Yes | The field name used to determine\ - \ the event name or sub-type. |\n| PythonProcessTimeout | String | Yes | The timeout\ - \ limit (in seconds) for the connector execution. |\n\n### Flow Description\n\ - 1. **Authentication**: Connects to the Airtable API using the provided API Key\ - \ and targets the specified Base ID.\n2. **Data Retrieval**: \n * If a `Field\ - \ name` and `Field value` are provided, the connector searches for records where\ - \ that column matches the specified values (handling comma-separated lists).\n\ - \ * If no filter is provided, it fetches all available records from the specified\ - \ `Table name` up to the `Max records` limit.\n3. **Mapping**: Iterates through\ - \ each retrieved record and maps Airtable columns to Google SecOps case extensions.\ - \ Spaces in column names are replaced with underscores.\n4. **Case Creation**:\ - \ Generates a `CaseInfo` object for each record, setting the alert name based\ - \ on the `Alert name field` and applying the `Alert type`.\n5. **Ingestion**:\ - \ Packages the cases and events, then sends them to the Google SecOps platform\ - \ for processing." + ai_description: "### General Description\nThe AirTable Connector enables Google\ + \ SecOps to ingest records from specific AirTable bases and tables. It allows\ + \ security teams to monitor AirTable data\u2014such as asset lists, indicator\ + \ feeds, or manual logs\u2014and automatically convert them into cases and alerts\ + \ for orchestration and response.\n\n### Parameters Description\n| Parameter |\ + \ Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Api key |\ + \ Password | Yes | Your API Key found in your account overview under API. |\n\ + | Base id | String | Yes | The database ID found in the URL of the base's API\ + \ page. |\n| Table name | String | Yes | The name of the table within the base\ + \ to ingest from. |\n| Alert type | String | Yes | Determines the Alert type/Rule\ + \ Generator for the ingested cases. |\n| DeviceProductField | String | Yes | The\ + \ field name used to determine the device product. |\n| EventClassId | String\ + \ | Yes | The field name used to determine the event name (sub-type). |\n| Max\ + \ records | String | Yes | The maximum number of rows to fetch (default 300).\ + \ |\n| PythonProcessTimeout | String | Yes | Timeout limit in seconds for the\ + \ script execution. |\n| Alert name field | String | No | Column name to use for\ + \ the Alert name. |\n| Alert name prefix | String | No | Prefix to add to the\ + \ alert name. |\n| Field name | String | No | The column name to filter records\ + \ by. |\n| Field value | String | No | The value(s) (comma-separated) to search\ + \ for in the Field name column. |\n\n### Flow Description\n1. Establishes a connection\ + \ to the AirTable API using the provided API Key, Base ID, and Table Name.\n2.\ + \ Determines the retrieval strategy: if 'Field name' and 'Field value' are provided,\ + \ it performs a targeted search; otherwise, it retrieves all records up to the\ + \ 'Max records' limit.\n3. Iterates through the retrieved records and maps all\ + \ AirTable fields to case extensions.\n4. Generates a unique CaseInfo object for\ + \ each record, assigning a unique ticket ID and source grouping identifier.\n\ + 5. Configures the case name using the 'Alert name field' and optional 'Alert name\ + \ prefix'.\n6. Sets the alert priority to Medium (60) and assigns the 'Alert type'\ + \ as the rule generator.\n7. Packages the records as cases and ingests them into\ + \ Google SecOps." diff --git a/content/response_integrations/third_party/community/arcanna_ai/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/arcanna_ai/resources/ai/actions_ai_description.yaml index 2beccae54..278de80ba 100644 --- a/content/response_integrations/third_party/community/arcanna_ai/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/arcanna_ai/resources/ai/actions_ai_description.yaml @@ -1,11 +1,40 @@ Export full event: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: true + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Export full event** action retrieves the complete data associated with a - specific event from a designated Arcanna.ai job. This is primarily used for deep-dive - analysis or forensic review of events processed by the Arcanna.ai engine, allowing - analysts to see the full raw and processed context of a decision. + The **Export full event** action retrieves the complete raw or processed data + for a specific event from Arcanna.ai. By providing a Job ID and an Event ID, analysts + can fetch the full context of an event that has been processed by the Arcanna + AI engine, which is essential for deep-dive forensic analysis or manual verification + of AI decisions. ### Parameters Description @@ -14,37 +43,35 @@ Export full event: | :--- | :--- | :--- | :--- | - | **Job ID** | string | Yes | The unique identifier of the Arcanna job where the - event is located. The action converts this to an integer internally. | + | **Job ID** | String | Yes | The unique identifier of the Arcanna job where the + event is stored. Note: The action internally treats this as an integer. | - | **Event ID** | string | Yes | The unique identifier of the specific event to - be exported. | + | **Event ID** | String | Yes | The unique identifier of the specific event to + be retrieved from the specified job. | ### Flow Description - 1. **Configuration Extraction:** The action retrieves the Arcanna URL, API Key, - and SSL verification settings from the integration configuration. + 1. **Configuration Retrieval**: The action extracts the Arcanna URL, API Key, + and SSL verification settings from the integration's global configuration. - 2. **Parameter Retrieval:** It extracts the `Job ID` and `Event ID` provided by - the user. + 2. **Input Validation**: The action retrieves the mandatory `Job ID` and `Event + ID` from the action parameters provided in the playbook or by the user. - 3. **API Interaction:** The action initializes the `ArcannaClient` and performs - a GET request to the `/api/v1/events/{job_id}/{event_id}/export` endpoint. + 3. **API Request**: The action initializes the Arcanna client and executes an + HTTP GET request to the export endpoint: `/api/v1/events/{job_id}/{event_id}/export`. - 4. **Data Processing:** The full event data returned by the API is captured as - a JSON object. - - 5. **Result Output:** The retrieved JSON is attached to the action results for - use in subsequent playbook steps or for analyst review. + 4. **Data Output**: The full JSON response containing the event details is captured + and added to the action's result JSON, making it available for subsequent playbook + steps. ### Additional Notes - - This action does not operate on SOAR entities; it requires specific IDs as input - parameters. + - This action does not process or filter entities from the SecOps case; it relies + entirely on the provided ID parameters. - - The output is provided as a raw JSON result (`JsonResult`). + - The action is read-only regarding the external Arcanna.ai system. capabilities: can_create_case_comments: false can_create_insight: false @@ -58,7 +85,7 @@ Export full event: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -72,6 +99,7 @@ Export full event: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get AI Job by name: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -85,56 +113,60 @@ Export full event: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get AI Job by name: ai_description: >- Retrieves detailed information about a specific AI job from the Arcanna.ai platform - using its name. This action is primarily used as a utility to fetch job metadata, - such as job IDs or configuration details, which can then be used in subsequent - workflow steps. + using the job's name. This action is primarily used to fetch configuration details, + status, or metadata associated with a defined job in Arcanna.ai, which can then + be used in subsequent playbook steps. - ### Flow Description: + ### Flow Description - 1. **Configuration Retrieval:** The action starts by extracting the Arcanna URL, - API Key, and SSL verification settings from the integration's global configuration. + 1. **Configuration Extraction:** The action retrieves the Arcanna.ai URL, API + Key, and SSL verification settings from the integration configuration. - 2. **Parameter Extraction:** It retrieves the mandatory 'Job name' provided by - the user. + 2. **Parameter Retrieval:** The action extracts the mandatory `Job name` provided + by the user. - 3. **API Request:** The action initializes the Arcanna client and sends a request - to the `/api/v1/jobs/get_by_name` endpoint to search for the specified job. + 3. **API Interaction:** It initializes the Arcanna client and performs a request + to the `/api/v1/jobs/get_by_name` endpoint to fetch the job's details. - 4. **Result Handling:** If the job is found, the full JSON response containing - the job's details is added to the action's results. If the request fails, an error - is logged and the action is marked as failed. + 4. **Result Processing:** The retrieved JSON response containing the job details + is added to the action's execution results. - ### Parameters Description: + ### Parameters Description - | Parameter | Type | Mandatory | Description | + | Parameter Name | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Job name | String | Yes | The specific name of the AI job in Arcanna for which - you want to retrieve details. | + | Job name | String | Yes | The specific name of the AI job in Arcanna.ai for + which details should be retrieved. | - ### Additional Notes: + ### Additional Notes - - This action does not process or filter SecOps entities (like IPs or Hostnames); - it is a management utility for the Arcanna.ai integration. + * This action does not operate on entities; it is a utility action for retrieving + system-level job information. + + * Although the underlying API call uses a POST method, it is a read-only operation + used for searching/retrieving data based on a name. capabilities: can_create_case_comments: false can_create_insight: false @@ -148,7 +180,7 @@ Get AI Job by name: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -162,6 +194,7 @@ Get AI Job by name: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get AI Job decision set: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -175,62 +208,63 @@ Get AI Job by name: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get AI Job decision set: ai_description: >- - Retrieves the set of possible decisions (labels) associated with a specific AI - job in Arcanna.ai. This action is used to identify the classification categories - that the AI model can assign to events processed by the specified job. The results - are returned as a JSON object containing the decision set metadata. + ### General Description + The **Get AI Job decision set** action retrieves the list of possible labels (the + decision set) for a specific AI Job configured in Arcanna.ai. This is a utility + action used to understand the classification options or outcomes that a specific + AI model is trained to provide. It is particularly useful for workflows that need + to map Arcanna's AI decisions to specific downstream logic. - ### Parameters - | Parameter | Description | Type | Mandatory | Notes | - - | :--- | :--- | :--- | :--- | :--- | + ### Parameters Description - | Job ID | The unique identifier for the Arcanna AI job for which the decision - set should be fetched. | String | Yes | This value is converted to an integer - internally. | + | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Additional Notes + | Job ID | String | Yes | The unique identifier of the Arcanna AI Job. Note: Although + provided as a string in the UI, the action logic converts this to an integer for + the API call. | - - This action does not interact with SecOps entities; it retrieves configuration - data directly from the Arcanna.ai platform based on the provided Job ID. - - Ensure the API Key provided in the integration settings has the necessary permissions - to view job details. + ### Flow Description + 1. **Configuration Retrieval:** The action extracts the Arcanna URL, API Key, + and SSL verification settings from the integration's global configuration. - ### Flow Description + 2. **Parameter Extraction:** The action retrieves the `Job ID` provided by the + user. - 1. **Configuration Extraction**: Retrieves the Arcanna URL, API Key, and SSL verification - settings from the integration configuration. + 3. **API Request:** The action initializes the Arcanna client and performs a GET + request to the `/api/v1/jobs/{job_id}/labels` endpoint. - 2. **Parameter Extraction**: Retrieves the mandatory `Job ID` from the action - parameters. + 4. **Result Handling:** The action parses the JSON response containing the decision + set (labels) and attaches it as the `JsonResult` for use in subsequent playbook + steps. - 3. **Client Initialization**: Initializes the `ArcannaClient` with the provided - credentials and connection settings. - 4. **API Request**: Executes a GET request to the `/api/v1/jobs/{job_id}/labels` - endpoint to fetch the decision set. + ### Additional Notes - 5. **Result Processing**: Adds the retrieved JSON response to the action results - and completes the execution. + This action does not process SOAR entities and does not modify any data within + the SecOps platform or the external Arcanna system. It is strictly a data retrieval + utility. capabilities: can_create_case_comments: false can_create_insight: false @@ -244,7 +278,7 @@ Get AI Job decision set: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -258,6 +292,7 @@ Get AI Job decision set: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get AI Job decision set by job name: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -271,64 +306,64 @@ Get AI Job decision set: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get AI Job decision set by job name: ai_description: >- ### General Description - Retrieves the decision set (available labels) for a specific AI job in Arcanna.ai - based on the job's name. This action allows users to programmatically identify - the possible classification outcomes configured for a particular job, which is - essential for downstream logic that processes AI decisions. + The **Get AI Job decision set by job name** action retrieves the set of possible + decisions (labels) associated with a specific AI job in Arcanna.ai using its name. + This allows users to programmatically identify the classification categories or + labels that a specific AI model is trained to output, which is essential for mapping + AI results to downstream logic. ### Parameters Description - | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Job name | String | Yes | The unique name of the Arcanna.ai job for which the - decision set (labels) should be retrieved. | + | **Job name** | String | Yes | The unique name of the AI job for which the decision + set (labels) should be retrieved. | ### Flow Description - 1. **Configuration Extraction**: Retrieves the Arcanna URL, API Key, and SSL verification - settings from the integration configuration. + 1. **Configuration Retrieval:** The action fetches the Arcanna.ai URL, API Key, + and SSL verification settings from the integration configuration. - 2. **Parameter Extraction**: Retrieves the target 'Job name' from the action parameters. + 2. **Parameter Extraction:** It extracts the mandatory `Job name` provided by + the user. - 3. **API Interaction**: Initializes the Arcanna client and performs a POST request - to the `/api/v1/jobs/get_by_name/labels` endpoint with the job name to fetch the - associated labels. + 3. **API Interaction:** The action utilizes the `ArcannaClient` to send a request + to the `/api/v1/jobs/get_by_name/labels` endpoint. - 4. **Result Processing**: Captures the JSON response containing the decision set - and attaches it to the action's execution results using `add_result_json`. + 4. **Data Processing:** The response from Arcanna.ai, containing the decision + set (labels), is captured. - 5. **Completion**: Finalizes the action with a success or failure status based - on the API response. + 5. **Output:** The retrieved data is attached to the action's JSON results for + use in subsequent playbook steps. ### Additional Notes - - This action does not operate on SOAR entities; it is a utility action for job - metadata retrieval. - - - Although the underlying API call uses a POST method, it is a read-only operation - used to fetch data by name and does not modify the state of the AI job. + - This action uses a POST request internally to perform the lookup by name, but + it is a read-only operation that does not modify the job configuration or state + in Arcanna.ai. capabilities: can_create_case_comments: false can_create_insight: false @@ -342,7 +377,7 @@ Get AI Job decision set by job name: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -356,6 +391,7 @@ Get AI Job decision set by job name: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Arcanna decision: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -369,46 +405,79 @@ Get AI Job decision set by job name: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: true remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Arcanna decision: - ai_description: "### General Description\nRetrieves an AI-driven decision from Arcanna.ai\ - \ for a specific event. This action is used to poll the Arcanna API to obtain\ - \ the inference result (decision) associated with a previously submitted event.\ - \ It is particularly useful in automated workflows where a decision from an AI\ - \ model is required to determine the next steps in an investigation.\n\n### Parameters\ - \ Description\n| Parameter | Description | Type | Mandatory | \n| :--- | :---\ - \ | :--- | :--- |\n| Job Id | The unique identifier of the Arcanna Job associated\ - \ with the event. | string | Yes |\n| Event Id | The unique identifier of the\ - \ specific event for which the decision is being requested. | string | Yes |\n\ - | Retry count | The maximum number of times the action will poll the Arcanna API\ - \ if the decision is still pending. | string | Yes |\n| Seconds per retry | The\ - \ duration (in seconds) to wait between each polling attempt. | string | Yes |\n\ - \n### Additional Notes\n- The action uses a polling mechanism because AI inference\ - \ may not be instantaneous. \n- If the `Retry count` is exhausted and the decision\ - \ is still pending, the action will return a failure state.\n- This action does\ - \ not process SecOps entities; it relies entirely on the provided Job and Event\ - \ IDs.\n\n### Flow Description\n1. **Initialization**: Extracts the Arcanna URL\ - \ and API Key from the integration configuration and the Job/Event IDs from the\ - \ action parameters.\n2. **Retry Loop**: Enters a loop based on the `Retry count`\ - \ and `Seconds per retry` settings.\n3. **API Request**: Calls the Arcanna `get_event_status`\ - \ endpoint for the specified Job and Event.\n4. **Status Evaluation**:\n -\ - \ If the status is **OK**: The decision data is retrieved, added to the action\ - \ results, and the process completes successfully.\n - If the status is **pending_inference**:\ - \ The script logs that the decision is pending, waits for the specified interval,\ - \ and retries.\n - If the status is **ERROR**: The action logs the error and\ - \ terminates with a failure state.\n5. **Timeout**: If the loop finishes without\ - \ receiving an 'OK' or 'ERROR' status, the action fails due to a timeout." + ai_description: >- + ### General Description + + Retrieves an AI-driven decision for a specific event from the Arcanna.ai platform. + This action is typically used to poll for the results of an inference job after + an event has been submitted for analysis. It supports a configurable retry mechanism + to account for the time required by the AI engine to process the data and generate + a decision. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | **Job Id** | string | Yes | The unique identifier of the Arcanna job associated + with the event. | + + | **Event Id** | string | Yes | The unique identifier of the specific event for + which the decision is being requested. | + + | **Retry count** | string | Yes | The maximum number of times the action will + poll the Arcanna API if the decision is still pending. Default is 20. | + + | **Seconds per retry** | string | Yes | The duration (in seconds) to wait between + each polling attempt. Default is 5. | + + + ### Flow Description + + 1. **Initialization**: Extracts integration configuration (URL, API Key, SSL settings) + and action parameters (Job ID, Event ID, Retry settings). + + 2. **Polling Loop**: Enters a loop that executes up to the specified `Retry count` + plus one. + + 3. **API Request**: Calls the Arcanna API to retrieve the current status of the + event using the provided Job and Event IDs. + + 4. **Status Evaluation**: + * If the status is `pending_inference`, the action logs the status, waits + for the specified `Seconds per retry`, and continues to the next iteration. + * If the status is `OK`, the action retrieves the decision data, adds it to + the JSON results, and terminates successfully. + * If the status is `ERROR`, the action logs the error response and terminates + with a failure state. + 5. **Timeout Handling**: If the retry limit is reached without receiving a final + decision, the action terminates with a failure message suggesting an increase + in the retry window. + + + ### Additional Notes + + * This action does not operate on SecOps entities; it requires specific IDs provided + as input parameters. + + * The total wait time is approximately `Retry count` * `Seconds per retry`. capabilities: can_create_case_comments: false can_create_insight: false @@ -422,7 +491,7 @@ Get Arcanna decision: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -436,6 +505,7 @@ Get Arcanna decision: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Jobs: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -449,61 +519,62 @@ Get Arcanna decision: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Jobs: ai_description: >- ### General Description - This action retrieves a list of all available jobs from the Arcanna.AI platform. - It is primarily used as a utility to discover job IDs or names required for other - Arcanna.AI actions, such as sending cases or getting decisions. The action fetches - the job metadata and saves the raw JSON response into the action's results. + Retrieves a list of all available jobs from the Arcanna.AI platform. This action + serves as a utility to discover job configurations, including their unique identifiers + and names, which are often required as inputs for other Arcanna.AI integration + actions such as sending cases or triggering training. ### Parameters Description - | Parameter Name | Type | Mandatory | Description | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | None | N/A | N/A | This action does not require any input parameters. It relies - solely on the integration's global configuration (URL and API Key). | + | None | N/A | N/A | This action does not have any input parameters. It relies + solely on the integration's global configuration. | ### Additional Notes - - This action does not interact with any entities in the current case. + - The action uses the integration's global settings (URL, API Key, and SSL Verification) + to authenticate and communicate with the Arcanna.AI instance. - - The results are provided in a raw JSON format, which can be used by subsequent - playbook steps to iterate over job configurations. + - The results are returned as a JSON array of job objects, which can be used in + subsequent playbook steps. ### Flow Description - 1. **Configuration Extraction**: The action retrieves the Arcanna.AI URL, API - Key, and SSL verification settings from the integration's configuration. - - 2. **Client Initialization**: An Arcanna.AI API client is initialized using the - extracted credentials. + 1. **Initialization**: The action initializes the Arcanna.AI client using the + base URL and API Key provided in the integration's global configuration. - 3. **API Request**: The action sends a GET request to the `/api/v1/jobs` endpoint - of the Arcanna.AI service. + 2. **API Request**: It executes a GET request to the `/api/v1/jobs` endpoint of + the Arcanna.AI API. - 4. **Data Processing**: The service returns a JSON list of available jobs. + 3. **Data Retrieval**: The action captures the JSON response containing the list + of all jobs available in the system. - 5. **Result Output**: The retrieved JSON data is attached to the action's result - and the execution is marked as completed. + 4. **Output**: The retrieved job data is added to the action's JSON results, and + the execution is marked as completed. capabilities: can_create_case_comments: false can_create_insight: false @@ -517,7 +588,7 @@ Get Jobs: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -531,6 +602,7 @@ Get Jobs: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -544,58 +616,62 @@ Get Jobs: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: ai_description: >- ### General Description - Tests the connectivity between Google SecOps and the Arcanna.ai instance. This - action is used to verify that the provided API key and URL are correct and that - the network allows communication with the Arcanna.ai health endpoint. + The **Ping** action is a utility designed to verify the connectivity between Google + SecOps and the Arcanna.ai instance. It serves as a diagnostic tool to ensure that + the provided API credentials and URL are correct and that the Arcanna.ai service + is reachable and healthy. ### Parameters Description - This action does not have any input parameters. It relies solely on the integration's - global configuration (URL, API Key, and SSL Verification settings). + There are no action-specific parameters for this action. It relies entirely on + the global integration configuration (URL, API Key, and SSL Verification settings). - ### Additional Notes + ### Flow Description - - The action performs a simple GET request to the `/api/v1/health` endpoint of - the Arcanna.ai API. + 1. **Configuration Retrieval**: The action extracts the integration's base URL, + API Key, and SSL verification settings from the environment configuration. - - If the connection is successful, the action returns the health status JSON from - the server. + 2. **Client Initialization**: An `ArcannaClient` is initialized using the retrieved + credentials. + 3. **Health Check**: The action performs a GET request to the `/api/v1/health` + endpoint of the Arcanna.ai API. - ### Flow Description + 4. **Result Processing**: The response from the health endpoint is captured and + added to the action's JSON results. - 1. **Configuration Extraction**: Retrieves the Arcanna URL, API Key, and SSL verification - settings from the integration configuration. + 5. **Completion**: The action concludes with a success status if the API responds + correctly, or a failure status if an exception occurs (e.g., connection timeout, + invalid credentials). - 2. **Client Initialization**: Initializes the Arcanna API client with the provided - credentials. - 3. **Connectivity Test**: Executes a GET request to the health check endpoint - (`/api/v1/health`). + ### Additional Notes - 4. **Result Processing**: Captures the API response and adds it to the action's - result JSON. + * This action is strictly for connectivity testing and does not process any case + data or entities. - 5. **Completion**: Reports whether the connection was successful or failed based - on the HTTP response status. + * According to standard SOAR practices, Ping actions are excluded from being categorized + as enrichment actions. capabilities: can_create_case_comments: false can_create_insight: false @@ -609,7 +685,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -623,6 +699,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Send Active Alert from Case to Arcanna: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -636,69 +713,75 @@ Ping: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Send Active Alert from Case to Arcanna: ai_description: >- - Sends the currently active alert from a Google SecOps case to Arcanna.ai for AI-assisted - analysis. This action retrieves the full alert payload from the case context and - transmits it to a specific Arcanna job. It allows for mapping a specific field - from the alert to serve as the unique identifier within the Arcanna platform. + Sends the current active alert from a Google SecOps case to Arcanna.ai for automated + analysis. This action identifies the specific alert context within a case, extracts + the raw alert payload, and ingests it into a specified Arcanna Job. It allows + for custom mapping of alert identifiers to ensure consistency between systems. - ### Flow Description + ### Flow Description: - 1. **Configuration Retrieval:** Extracts the Arcanna API key, base URL, and SSL - settings from the integration configuration. + 1. **Parameter Extraction:** Retrieves the Arcanna URL, API Key, and SSL settings + from the integration configuration, along with the Job ID and identifier settings + from the action parameters. - 2. **Parameter Extraction:** Retrieves the target Arcanna Job ID and identifier - mapping settings from the action parameters. + 2. **Case Context Retrieval:** Fetches the full case details and identifies the + `current_alert` being processed. - 3. **Case Context Fetching:** Accesses the full case data and identifies the specific - alert currently being processed in the playbook. + 3. **Alert Matching:** Iterates through the case's `cyber_alerts` to find the + one matching the current alert's identifier. - 4. **Alert Matching:** Iterates through the case's cyber alerts to find the payload - matching the current alert's identifier. + 4. **Identifier Mapping:** If configured, extracts a specific value from the alert + payload (using the provided JSON path) to serve as the event ID in Arcanna. - 5. **Data Transmission:** Sends the raw alert payload to the Arcanna API via a - POST request, optionally including a custom event ID if configured. + 5. **Data Ingestion:** Sends the raw alert JSON to the Arcanna API via a POST + request to the specified Job ID. + 6. **Result Handling:** Captures the Arcanna response and attaches it to the action + results. - ### Parameters Description + + ### Parameters Description: | Parameter Name | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Job ID | string | Yes | The specific Job ID in Arcanna.ai that should receive - and process the alert data. | + | Job ID | string | Yes | The unique identifier of the Job in Arcanna.ai that + will process the ingested alert. | - | Alert identifier field | string | No | The JSON path within the alert payload - (e.g., "identifier") to be used as the unique ID in Arcanna. Defaults to "identifier". - | + | Alert identifier field | string | No | The JSON path (e.g., "identifier" or + "metadata.id") within the alert payload used to extract a custom ID. Defaults + to "identifier". | - | Use Alert ID as ID in Arcanna | boolean | Yes | If set to True, the action will - use the value found in the 'Alert identifier field' as the event ID in Arcanna. - If False, Arcanna generates a new unique ID. | + | Use Alert ID as ID in Arcanna | boolean | Yes | If set to `True`, the action + uses the value from the 'Alert identifier field' as the ID in Arcanna. If `False`, + Arcanna generates a new unique ID. | - ### Additional Notes + ### Additional Notes: - - This action operates at the Alert level within a Case. It specifically targets - the 'current alert' context of the playbook execution. + - This action operates on the alert level within a case context and does not process + individual entities (IPs, Hosts, etc.). - - The 'Job ID' is expected to be a numeric string that the script converts to - an integer. + - Ensure the 'Alert identifier field' correctly matches the structure of your + incoming Google SecOps alerts if you choose to use existing IDs. capabilities: can_create_case_comments: false can_create_insight: false @@ -707,14 +790,14 @@ Send Active Alert from Case to Arcanna: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new event or alert record in the Arcanna.ai platform for processing - and analysis. + Creates a new event record within the Arcanna.ai platform by sending the raw + alert payload for analysis. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -728,6 +811,7 @@ Send Active Alert from Case to Arcanna: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Send Analyst Feedback to Arcanna: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -741,26 +825,28 @@ Send Active Alert from Case to Arcanna: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Send Analyst Feedback to Arcanna: ai_description: >- ### General Description - The **Send Analyst Feedback to Arcanna** action allows an analyst to submit feedback - or labels for a specific event processed by Arcanna.ai. This feedback is used - by the Arcanna platform to refine its AI models and improve future decision-making - accuracy. + The **Send Analyst Feedback to Arcanna** action allows analysts to submit feedback + or labels for specific events processed by Arcanna AI. This is a crucial step + in the human-in-the-loop workflow, enabling the AI model to learn from analyst + decisions and improve its future predictions. ### Parameters Description @@ -769,41 +855,41 @@ Send Analyst Feedback to Arcanna: | :--- | :--- | :--- | :--- | - | **Event Id** | String | Yes | The unique identifier of the event in Arcanna - for which feedback is being provided. | + | Event Id | String | Yes | The unique identifier of the event in Arcanna that + requires feedback. | - | **Username** | User | Yes | The name or identifier of the analyst providing - the feedback. | + | Username | User | Yes | The username of the analyst providing the feedback. + | - | **Job Id** | String | Yes | The unique identifier of the Arcanna job associated - with the event. | + | Job Id | String | Yes | The identifier of the Arcanna job that the event belongs + to. | - | **Analyst Feedback** | String | Yes | The specific feedback or label (e.g., - 'True Positive', 'False Positive') to be assigned to the event. | + | Analyst Feedback | String | Yes | The specific feedback or label (e.g., 'True + Positive', 'False Positive') to be assigned to the event. | ### Flow Description - 1. **Parameter Extraction**: The action retrieves the Arcanna API credentials - (URL, API Key) from the integration configuration and the specific event details - (Event ID, Job ID, Username, Feedback) from the action parameters. + 1. **Configuration Retrieval**: The action fetches the Arcanna URL, API Key, and + SSL verification settings from the integration configuration. - 2. **Client Initialization**: An Arcanna API client is initialized with the provided - connection details and SSL verification settings. + 2. **Parameter Extraction**: It retrieves the Job ID, Event ID, Username, and + the feedback content provided by the user. - 3. **Feedback Submission**: The action performs a `PUT` request to the Arcanna - endpoint (`/api/v1/events/{job_id}/{event_id}/feedback`) containing the analyst's - username and the feedback string. + 3. **API Interaction**: The action uses the Arcanna Client to send a `PUT` request + to the Arcanna API endpoint (`/api/v1/events/{job_id}/{event_id}/feedback`). - 4. **Result Processing**: The response from the Arcanna API is captured and attached - to the action's execution results as a JSON object for further use in the playbook. + 4. **Result Processing**: The response from Arcanna is captured and added to the + action's JSON results for audit and visibility. ### Additional Notes - This action does not operate on SecOps entities; it requires specific IDs provided - as parameters. It is primarily used for model training and feedback loops within - the Arcanna.ai ecosystem. + - This action performs an external mutation by updating the state of an event + in the Arcanna AI platform. + + - Ensure that the `Job Id` and `Event Id` accurately match the records in Arcanna + to avoid execution errors. capabilities: can_create_case_comments: false can_create_insight: false @@ -812,14 +898,14 @@ Send Analyst Feedback to Arcanna: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the feedback label for a specific event in the Arcanna.ai platform using - a PUT request. + Updates the feedback and analyst label for a specific event in the Arcanna AI + platform via a PUT request. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -833,12 +919,13 @@ Send Analyst Feedback to Arcanna: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Send Case to Arcanna: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false contain_host: false - create_ticket: false + create_ticket: true delete_email: false disable_identity: false download_file: false @@ -846,74 +933,70 @@ Send Analyst Feedback to Arcanna: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Send Case to Arcanna: ai_description: >- - ### General Description - - The **Send Case to Arcanna** action exports the complete data of a Google SecOps - case, including its associated entities, to the Arcanna.ai platform. This integration - allows for external AI-driven analysis and decision-making by submitting case - details to a specific Arcanna job. + Sends the current Google SecOps case data to Arcanna.ai for AI-assisted analysis + and decision-making. This action retrieves the full case details, including associated + entities, and ingests them into a specific Arcanna.ai job. It allows for mapping + a specific case field to be used as the unique identifier within the Arcanna platform. - ### Parameters Description - - | Parameter | Type | Mandatory | Description | + ### Flow Description - | :--- | :--- | :--- | :--- | + 1. **Parameter Extraction:** Retrieves the Arcanna.ai URL, API Key, and SSL settings + from the integration configuration, along with the Job ID and identifier settings + from the action parameters. - | Job ID | String | Yes | The unique identifier of the Arcanna job that will receive - and process the case data. | + 2. **Data Retrieval:** Fetches the complete case object from Google SecOps and + collects all entities currently in the action's context. - | Case identifier field | String | No | The JSON path in the case object (e.g., - `identifier`) to be used as the event ID in Arcanna. | + 3. **Payload Construction:** Combines the case data and the list of entities into + a single JSON payload. - | Use case ID as ID in Arcanna | Boolean | No | If set to `True`, the action uses - the value from the 'Case identifier field' as the ID in Arcanna. If `False`, Arcanna - generates a new unique ID. | + 4. **External Ingestion:** Sends the payload to the Arcanna.ai API via a POST + request to the specified Job ID. If configured, it uses a specific case field + as the external event ID. + 5. **Result Processing:** Captures the response from Arcanna.ai and attaches it + as a JSON result to the action. - ### Flow Description - 1. **Initialization**: The action initializes the Arcanna API client using the - provided URL and API Key from the integration configuration. + ### Parameters Description - 2. **Data Retrieval**: It fetches the full case object and the list of entities - currently in the context. + | Parameter Name | Type | Mandatory | Description | - 3. **Payload Construction**: The case data is prepared as the primary payload, - with the entity list appended to it. + | :--- | :--- | :--- | :--- | - 4. **ID Mapping**: If configured, it extracts a specific field from the case to - serve as the external event ID. + | Job ID | string | Yes | The unique identifier of the Arcanna.ai job that will + process the ingested case data. | - 5. **Submission**: The action sends the payload to Arcanna.ai via a POST request - associated with the specified Job ID. + | Case identifier field | string | No | The field within the Google SecOps case + object (e.g., "identifier") to be used as the ID in Arcanna.ai. Defaults to "identifier". + | - 6. **Result Handling**: The API response from Arcanna is returned and added to - the action's JSON results. + | Use case ID as ID in Arcanna | boolean | Yes | If set to True, the action will + use the value from the 'Case identifier field' as the ID in Arcanna. If False, + Arcanna generates its own unique ID. | ### Additional Notes - * This action performs an external mutation by creating a new record (event) in - the Arcanna.ai system. - - * Note: The script contains a technical quirk where it attempts to extract the - 'Api Key' from the 'SSL Verification' configuration block for SSL verification - settings. + - This action is primarily used for exporting case data to Arcanna.ai to leverage + its machine learning capabilities for alert disposition or triage. capabilities: can_create_case_comments: false can_create_insight: false @@ -922,14 +1005,14 @@ Send Case to Arcanna: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new event record in Arcanna.ai by sending the case data via a POST - request. + Creates a new event or case record within the Arcanna.ai platform for processing + and analysis. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -943,12 +1026,13 @@ Send Case to Arcanna: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Send JSON Document to Arcanna: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false contain_host: false - create_ticket: true + create_ticket: false delete_email: false disable_identity: false download_file: false @@ -956,41 +1040,47 @@ Send Case to Arcanna: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Send JSON Document to Arcanna: ai_description: >- - Sends a JSON document to Arcanna.ai for ingestion and analysis. This action allows - users to provide a raw JSON payload, specify a Job ID, and optionally define a - unique identifier from within the JSON structure to be used as the event ID in - Arcanna. This is useful for integrating custom data sources or specific event - logs into the Arcanna AI workflow. + Sends a custom JSON document to Arcanna.ai for processing and analysis. This action + allows users to ingest arbitrary data into a specific Arcanna Job, enabling the + AI engine to evaluate the document based on its trained models. The action supports + using a specific field within the JSON as a unique identifier for the document + in Arcanna. ### Flow Description - 1. **JSON Parsing:** The action parses the provided 'JSON Document' string into - a JSON object. + 1. **Parameter Extraction**: Retrieves the Arcanna URL, API Key, and SSL settings + from the integration configuration, and the Job ID, Identifier field, and JSON + document from the action parameters. - 2. **ID Extraction (Optional):** If 'Use document ID as ID in Arcanna' is enabled, - the action uses the 'Identifier field' (supporting dot notation) to extract a - specific value from the JSON to serve as the event's unique ID. + 2. **JSON Parsing**: Validates and parses the provided 'JSON Document' string + into a Python dictionary. It ensures the root of the document is not a list. - 3. **API Interaction:** The action sends a POST request to the Arcanna API's events - endpoint, including the Job ID and the raw JSON body. + 3. **ID Extraction (Optional)**: If 'Use document ID as ID in Arcanna' is enabled, + the action uses dot notation to extract a specific value from the JSON document + to serve as the event identifier. - 4. **Result Handling:** The response from Arcanna is captured and added to the - action's execution results. + 4. **API Interaction**: Sends the JSON payload and Job ID to the Arcanna.ai API + via a POST request. + + 5. **Result Handling**: Captures the API response, adds it to the action's JSON + results, and completes the execution. ### Parameters Description @@ -999,22 +1089,28 @@ Send JSON Document to Arcanna: | :--- | :--- | :--- | :--- | - | Job ID | string | Yes | The specific Arcanna.ai Job ID that will process the - ingested document. | + | Job ID | string | Yes | The unique identifier of the Arcanna job that will process + the document. | - | Identifier field | string | No | The path (e.g., 'id' or 'metadata.uuid') to - the field in the JSON document that should be used as the unique identifier. | + | Identifier field | string | No | The path (supporting dot notation, e.g., 'metadata.id') + to the field in the JSON document that should be used as the unique ID in Arcanna. + | - | Use document ID as ID in Arcanna | boolean | Yes | If true, the value found - in the 'Identifier field' is used as the ID in Arcanna. If false, Arcanna generates - a new ID. | + | Use document ID as ID in Arcanna | boolean | Yes | If set to 'true', the action + will attempt to extract an ID from the 'Identifier field'. If 'false', Arcanna + generates a unique ID automatically. | - | JSON Document | code | Yes | The actual JSON data to be sent to Arcanna. | + | JSON Document | code | Yes | The actual JSON data to be sent to Arcanna.ai for + analysis. | ### Additional Notes - * The root of the JSON document must be an object, not a list. + - The 'JSON Document' must be a valid JSON object. Root-level lists are not supported + by this action. + + - Ensure the 'Job ID' corresponds to an existing and active job in your Arcanna.ai + instance. capabilities: can_create_case_comments: false can_create_insight: false @@ -1023,14 +1119,14 @@ Send JSON Document to Arcanna: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new event record in the Arcanna.ai platform for the specified Job - ID. + Sends a POST request to the Arcanna.ai API to create a new event/document record + within a specific job context. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1044,6 +1140,7 @@ Send JSON Document to Arcanna: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Send event to Arcanna: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1057,77 +1154,81 @@ Send JSON Document to Arcanna: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Send event to Arcanna: ai_description: >- - ### General Description + Sends event data (either a full case or a specific alert) to Arcanna.ai for processing + and AI-assisted decision-making. This action allows security teams to offload + event evaluation to Arcanna's AI models by providing the raw event context, associated + entities, and audit information. The action can be configured to send the entire + case or just the active alert, and it supports mapping specific fields to serve + as the reference Event ID in Arcanna. - The **Send event to Arcanna** action exports security event data from Google SecOps - to the Arcanna.ai platform. This allows for external AI-assisted analysis, triage, - and decision-making. The action can be configured to send either the entire case - context or specific alert details to a designated Arcanna job. - - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Job ID** | String | Yes | The specific Job ID in Arcanna.ai that will process - the incoming event. | + | Job ID | string | Yes | The unique identifier of the Arcanna.ai job that will + process the event. | - | **Username** | User | Yes | The username of the analyst or system account performing - the action, used for auditing within Arcanna. | + | Username | user | Yes | The username registered for audit purposes, identifying + who or what triggered the submission. | - | **Event ID mapping field** | String | No | A dot-notation path (e.g., `alert.id` - or `external_id`) used to extract a specific value from the case/alert to serve - as the reference ID in Arcanna. | + | Event ID mapping field | string | No | A dot-notated path (e.g., `alert.id`) + used to extract a specific value from the payload to serve as the Arcanna Event + ID. | - | **Send individual alerts from case** | Boolean | No | If set to `true`, the - action only sends the current alert context. If `false` (default), the entire - case object is sent. | + | Send individual alerts from case | boolean | No | If set to `true`, only the + current alert context is sent. If `false` (default), the entire case data is sent. + | - ### Flow Description + ### Additional Notes - 1. **Initialization**: Retrieves integration configuration (URL, API Key) and - action parameters (Job ID, Username, Mapping Field). + - The action requires a valid Job ID from Arcanna.ai to function correctly. - 2. **Data Retrieval**: Fetches the full case details from the Google SecOps platform. + - If `Send individual alerts from case` is enabled, the action specifically looks + for the alert matching the current execution context within the case's alert list. - 3. **Payload Construction**: - - If `Send individual alerts from case` is true: Filters the case's alerts - to find the one matching the current alert identifier. - - If false: Prepares the entire case object, including target entities, as - the payload. - 4. **ID Mapping**: If an `Event ID mapping field` is provided, it parses the JSON - structure of the case or alert to find the specified reference ID. - 5. **API Interaction**: Sends a POST request to the Arcanna.ai `/api/v1/events/` - endpoint with the constructed payload and Job ID. + ### Flow Description - 6. **Completion**: Captures the Arcanna response and attaches it as a JSON result - to the action. + 1. **Configuration Retrieval:** Fetches the Arcanna URL and API Key from the integration's + global configuration. + 2. **Parameter Extraction:** Retrieves the Job ID, Username, and optional mapping/toggle + settings from the action parameters. - ### Additional Notes + 3. **Data Preparation:** + - If `Send individual alerts from case` is `true`, the action iterates through + the case's alerts to find the one matching the current context and prepares its + raw payload. + - If `false`, the action prepares the full case object, including all associated + target entities and metadata. + 4. **ID Mapping:** If an `Event ID mapping field` is provided, the action parses + the prepared payload using dot-notation to extract the specified reference ID. - - This action does not modify any data within Google SecOps; it is strictly an - outbound data integration. + 5. **External Submission:** Sends the prepared payload and audit username to the + Arcanna.ai API via a POST request to the events endpoint. - - Ensure the `Job ID` exists in your Arcanna.ai instance before running the action. + 6. **Result Handling:** Captures the API response (which typically includes the + Arcanna event status) and attaches it as a JSON result to the action execution. capabilities: can_create_case_comments: false can_create_insight: false @@ -1136,14 +1237,14 @@ Send event to Arcanna: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates new event records in the Arcanna.ai platform via POST requests for AI - analysis. - fetches_data: false + Creates a new event record in Arcanna.ai for AI analysis and processing via + a POST request. + fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1157,6 +1258,7 @@ Send event to Arcanna: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Trigger AI Model training: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1170,25 +1272,28 @@ Send event to Arcanna: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Trigger AI Model training: ai_description: >- ### General Description - Triggers the training process for a specific AI model associated with a Job ID - in the Arcanna.ai platform. This action is typically used to initiate model updates - or retraining cycles based on collected feedback or new datasets. + Triggers the training process for a specific AI model job within the Arcanna.ai + platform. This action is used to initiate the learning phase of a model based + on the feedback and data collected for a particular job ID. It requires an audit + username to track who initiated the training. ### Parameters Description @@ -1201,30 +1306,32 @@ Trigger AI Model training: AI model training will be triggered. | | Username | user | Yes | The username of the analyst or system account triggering - the training, used for audit logging within Arcanna.ai. | + the training, used for audit purposes within Arcanna.ai. | - ### Additional Notes + ### Flow Description - This action does not operate on SecOps entities (IPs, Hosts, etc.). It is a direct - API command to the Arcanna.ai management interface. Ensure the Job ID provided - exists and is accessible by the configured API key. + 1. **Configuration Extraction**: Retrieves the Arcanna URL, API Key, and SSL verification + settings from the integration configuration. + 2. **Parameter Extraction**: Retrieves the `Job ID` and `Username` from the action + parameters. - ### Flow Description + 3. **Client Initialization**: Initializes the `ArcannaClient` with the provided + credentials and base URL. - 1. **Parameter Extraction:** Retrieves the Arcanna URL, API Key, and SSL settings - from the integration configuration, and the Job ID and Username from the action - parameters. + 4. **API Request**: Sends a POST request to the Arcanna API endpoint `/api/v1/jobs/{job_id}/train` + with the specified username. - 2. **Client Initialization:** Establishes a connection to the Arcanna.ai API using - the provided credentials. + 5. **Result Processing**: Captures the API response, adds it to the action's JSON + results, and completes the execution with a success or failure status based on + the API's response. - 3. **Trigger Training:** Executes a POST request to the Arcanna training endpoint - (`/api/v1/jobs/{job_id}/train`) including the username for auditing. - 4. **Result Processing:** Captures the API response, which typically includes - the status of the training request, and attaches it to the action's JSON results. + ### Additional Notes + + - This action does not run on entities; it is a standalone task that interacts + directly with the Arcanna.ai API using the provided Job ID. capabilities: can_create_case_comments: false can_create_insight: false @@ -1233,14 +1340,14 @@ Trigger AI Model training: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Triggers a model training process on the Arcanna.ai server, which initiates - a computational job and changes the state of the AI model lifecycle. + Triggers a model training process for a specific job in the Arcanna.ai platform, + which changes the state of the AI model. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1254,6 +1361,7 @@ Trigger AI Model training: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Update alert priority: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1267,43 +1375,41 @@ Trigger AI Model training: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false - update_alert: false + update_alert: true update_email: false update_identity: false update_ticket: false -Update alert priority: ai_description: >- - Updates the priority level of the current alert within Google SecOps. This action - allows analysts or automated workflows to dynamically adjust alert severity based - on logic or external decision-making tools (like Arcanna.ai). It validates the - input against a set of allowed priority levels and ensures the platform version - supports the update operation. + Updates the priority level of the current alert within the Google SecOps platform. + This action allows analysts or automated workflows to dynamically adjust the severity + of an alert based on external logic or decision-making tools like ArcannaAI. ### Flow Description: - 1. **Parameter Extraction:** Retrieves the 'Priority' value from the action parameters. + 1. **Identifier Retrieval:** The action first retrieves the unique identifier + for the current alert. - 2. **Validation:** Checks if the provided priority is one of the allowed values: - 'Informative', 'Low', 'Medium', 'High', or 'Critical'. + 2. **Parameter Validation:** It validates that the provided `Priority` parameter + matches one of the allowed values: Informative, Low, Medium, High, or Critical. - 3. **Version Check:** Verifies that the Google SecOps (Siemplify) version is 5.6 - or higher, as earlier versions do not support this SDK method. + 3. **Version Check:** It verifies that the Google SecOps (Siemplify) environment + version is 5.6 or higher, as earlier versions do not support this API endpoint. - 4. **Internal API Call:** Constructs a request to the internal SOAR SDK endpoint - (`/external/v1/sdk/UpdateAlertPriority`) containing the Case ID, Alert Identifier, - Alert Name, and the new Priority. - - 5. **Execution:** Executes a POST request to update the alert state within the - platform. + 4. **Internal API Call:** It executes a POST request to the internal SOAR API + (`/external/v1/sdk/UpdateAlertPriority`) with the case ID, alert identifier, and + the new priority value. ### Parameters Description: @@ -1313,15 +1419,16 @@ Update alert priority: | :--- | :--- | :--- | :--- | | Priority | String | Yes | The new priority level to assign to the alert. Must - be one of: 'Informative', 'Low', 'Medium', 'High', 'Critical'. | + be one of: `Informative`, `Low`, `Medium`, `High`, or `Critical`. | ### Additional Notes: - - This action modifies internal platform metadata (Alert Priority) rather than - external system data. + - This action interacts with the internal Google SecOps API rather than an external + ArcannaAI endpoint to perform the update. - - It requires the action to be running within the context of an active alert. + - If the alert identifier is missing or the version is unsupported, the action + will terminate with a failure message. capabilities: can_create_case_comments: false can_create_insight: false @@ -1332,12 +1439,12 @@ Update alert priority: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Updates the priority field of the current alert within the Google SecOps platform - via an internal SDK API call. + Updates the priority level of the current alert within the Google SecOps platform + via an internal API call. categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1351,28 +1458,3 @@ Update alert priority: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: true - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/community/asana/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/asana/resources/ai/actions_ai_description.yaml index f3f5bcf10..89421c798 100644 --- a/content/response_integrations/third_party/community/asana/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/asana/resources/ai/actions_ai_description.yaml @@ -1,46 +1,77 @@ Add User To Workspace: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: true + update_ticket: false ai_description: >- - This action adds a user to a specific Asana workspace using their email address. - It first resolves the workspace name to a workspace ID and then performs a POST - request to the Asana API to associate the user with that workspace. + ### General Description + Adds a user to a specific Asana workspace using their email address. This action + is designed to manage workspace membership by programmatically inviting or adding + users to an organization's workspace environment. - ### Flow Description: - 1. **Parameter Extraction:** The action retrieves the 'Workspace Name' and 'User's - Email' from the action parameters. + ### Parameters Description - 2. **Workspace ID Retrieval:** It calls the Asana API to list all workspaces and - searches for the one matching the provided name to obtain its unique identifier - (GID). + | Parameter Name | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | - 3. **User Addition:** It sends a POST request to the Asana endpoint `/workspaces/{workspace_id}/addUser`, - passing the user's email in the request body. + | Workspace Name | string | Yes | The name of the Asana workspace to which the + user will be added. Note: This parameter is case-sensitive. | - 4. **Result Processing:** The action captures the API response, adds it as a JSON - result to the SOAR case, and provides a success or failure message based on the - response data. + | User's Email | string | Yes | The email address of the user to be added to the + specified workspace. | - ### Parameters Description: + ### Additional Notes - | Parameter Name | Description | Type | Mandatory | Default Value | + This action does not operate on SecOps entities. It relies entirely on the provided + action parameters to identify the target workspace and the user. Ensure the 'Workspace + Name' matches exactly as it appears in Asana. - | :--- | :--- | :--- | :--- | :--- | - | Workspace Name | The name of the Asana workspace to which the user will be added. - Note: This is case-sensitive. | String | Yes | Your Workspace Name | + ### Flow Description - | User's Email | The email address of the user to be added to the workspace. | - String | Yes | email@gmail.com | + 1. **Configuration Extraction**: Retrieves the Asana API Token and Base URL from + the integration settings. + 2. **Parameter Extraction**: Retrieves the target 'Workspace Name' and the 'User's + Email' from the action inputs. - ### Additional Notes: + 3. **Workspace Identification**: Queries the Asana API to list all workspaces + and identifies the unique Workspace GID (Global ID) corresponding to the provided + name. - - This action does not process entities from the SOAR case; it relies entirely - on the provided input parameters. + 4. **User Addition**: Executes a POST request to the Asana workspace's `addUser` + endpoint, passing the user's email address. - - The workspace name must match exactly (including case) as it appears in Asana. + 5. **Result Processing**: Evaluates the API response to confirm if the user was + successfully added and outputs the resulting JSON data to the action results. capabilities: can_create_case_comments: false can_create_insight: false @@ -49,14 +80,14 @@ Add User To Workspace: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Adds a user to an Asana workspace, which modifies the membership state of that - workspace in the external Asana system. + Adds a user to a specific Asana workspace by sending a POST request to the workspace's + addUser endpoint. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -70,12 +101,13 @@ Add User To Workspace: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Create Task: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false contain_host: false - create_ticket: false + create_ticket: true delete_email: false disable_identity: false download_file: false @@ -83,66 +115,69 @@ Add User To Workspace: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false - update_identity: true + update_identity: false update_ticket: false -Create Task: ai_description: >- - Creates a new task within a specified Asana project. This action allows users + Creates a new task in Asana within a specified project. This action allows users to programmatically generate tasks, assign them to specific users, and set due dates and descriptions directly from Google SecOps. - ### Flow Description: + ### Flow Description - 1. **Project Identification:** The action retrieves the unique identifier (GID) - for the project using the provided 'Project Name'. + 1. **Retrieve Project ID**: The action first searches for the internal Asana GID + (Global ID) associated with the provided 'Project Name'. - 2. **User Identification (Optional):** If an 'Assignee' is specified, the action - fetches the corresponding user's GID based on their email or identifier. + 2. **Retrieve Assignee ID (Optional)**: If an 'Assignee' email is provided, the + action fetches the corresponding user's GID from Asana. - 3. **Task Creation:** A POST request is sent to Asana to create the task with - the provided subject, description, assignee, and due date. + 3. **Create Task**: The action sends a POST request to Asana to create the task + with the specified subject, description, project association, and optional assignee/due + date. - 4. **Result Handling:** Upon success, the action provides a direct permalink to - the new Asana task and attaches the full JSON response. + 4. **Output Results**: Upon success, the action provides a direct link to the + created task in the Asana UI and returns the full task object as JSON. - ### Parameters Description: + ### Parameters Description - | Parameter | Type | Mandatory | Description | + | Parameter Name | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Task Subject | string | true | The title/subject of the new Asana task. | + | Task Subject | string | True | The title/subject of the new task. | - | Assignee | string | false | The email or identifier of the user to assign the - task to (case-sensitive). | + | Assignee | string | False | The email address of the user to whom the task will + be assigned. Note: This is case-sensitive. | - | Due Date | string | false | The deadline for the task in YYYY-MM-DD format. + | Due Date | string | False | The deadline for the task in YYYY-MM-DD format. | - | Description | string | true | Detailed notes or description for the task. | + | Description | string | True | Detailed notes or description for the task. | - | Project Name | string | true | The exact name of the Asana project where the - task will be created. | + | Project Name | string | True | The name of the Asana project where the task + should be created. Note: This is case-sensitive. | - ### Additional Notes: + ### Additional Notes - - The 'Project Name' and 'Assignee' fields are case-sensitive. + - The action requires a valid Personal Access Token (PAT) and Base URL configured + in the Asana integration settings. - - If the project name is not found, the action will fail to retrieve a project - ID and the task creation will not proceed. + - If the project name or assignee email cannot be found, the action will fail. capabilities: can_create_case_comments: false can_create_insight: false @@ -151,13 +186,13 @@ Create Task: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new task in the Asana platform via a POST request to the /tasks endpoint. + Creates a new task record in the Asana project management system. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -171,12 +206,13 @@ Create Task: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Task: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false contain_host: false - create_ticket: true + create_ticket: false delete_email: false disable_identity: false download_file: false @@ -184,41 +220,40 @@ Create Task: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Task: ai_description: "### General Description\nThe **Get Task** action retrieves detailed\ - \ information for a specific task in Asana using its unique Task ID. This action\ - \ allows analysts to pull external project management context into the Google\ - \ SecOps platform, facilitating better visibility into task statuses, due dates,\ - \ and descriptions associated with security incidents.\n\n### Parameters Description\n\ - | Parameter | Description | Type | Mandatory |\n| :--- | :--- | :--- | :--- |\n\ - | **Task ID** | The unique identifier of the Asana task. This ID can be found\ - \ in the task's URL (e.g., `https://app.asana.com/0/{project_id}/{task_id}`).\ - \ | String | Yes |\n\n### Flow Description\n1. **Configuration Extraction:** The\ - \ action retrieves the Asana API Token and Base URL from the integration's configuration\ - \ settings.\n2. **Parameter Retrieval:** The mandatory `Task ID` is extracted\ - \ from the action's input parameters.\n3. **API Interaction:** The action initializes\ - \ the `AsanaManager` and executes a GET request to the Asana API to fetch the\ - \ specific task's metadata.\n4. **Result Processing:** \n * If the task is\ - \ found, the action generates a clickable link in the SOAR UI containing the task\ - \ name and its due date.\n * The complete task details are attached to the\ - \ action results as a JSON object.\n5. **Completion:** The action concludes with\ - \ a success message if the task data was successfully retrieved, or a failure\ - \ message if the task was not found.\n\n### Additional Notes\nThis action is a\ - \ retrieval-only utility and does not interact with or process SecOps entities\ - \ (such as IPs, Hostnames, or Users) from the case context. It relies entirely\ - \ on the provided `Task ID` parameter." + \ information about a specific task in Asana using its unique Task ID. This action\ + \ is used to fetch metadata such as the task name, due date, and permalink, allowing\ + \ analysts to programmatically access task context within a playbook.\n\n### Parameters\ + \ Description\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- |\ + \ :--- | :--- |\n| **Task ID** | String | Yes | The unique identifier for the\ + \ Asana task. This ID is typically found in the task's URL (e.g., `https://app.asana.com/0/{project_id}/{task_id}`).\ + \ |\n\n### Flow Description\n1. **Initialization**: The action extracts the Asana\ + \ API Token and Base URL from the integration configuration.\n2. **Parameter Extraction**:\ + \ The **Task ID** is retrieved from the action input parameters.\n3. **API Request**:\ + \ The action calls the Asana API's GET endpoint for tasks (`/tasks/{task_id}`)\ + \ via the AsanaManager.\n4. **Data Processing**: \n * If the task exists: The\ + \ action extracts the task name, due date, and permalink URL. It then adds a direct\ + \ link to the task in the Google SecOps results.\n * If the task does not exist:\ + \ The action returns a failure message indicating the task was not found.\n5.\ + \ **Output**: The full JSON response from Asana is attached to the action results\ + \ for further processing.\n\n### Additional Notes\nThis action does not operate\ + \ on entities (IPs, Hostnames, etc.) and instead relies entirely on the provided\ + \ Task ID parameter." capabilities: can_create_case_comments: false can_create_insight: false @@ -230,9 +265,9 @@ Get Task: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -246,6 +281,7 @@ Get Task: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +List My Tasks: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -259,26 +295,28 @@ Get Task: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -List My Tasks: ai_description: >- ### General Description - Lists all tasks associated with a specific user within a designated Asana workspace. - This action allows analysts to retrieve task details, including names, due dates, - and permalinks, filtered by their completion status. It is primarily used for - visibility into user workloads or tracking project-related tasks during an investigation. + The **List My Tasks** action retrieves all tasks associated with a specific user + within a designated Asana workspace. This action is useful for tracking user productivity, + auditing task assignments, or gathering context on a user's current workload during + a security investigation. ### Parameters Description @@ -287,47 +325,52 @@ List My Tasks: | :--- | :--- | :--- | :--- | - | User's Email | String | Yes | The email address of the Asana user whose tasks + | User's Email | string | True | The email address of the Asana user whose tasks you want to retrieve. | - | Workspace Name | String | Yes | The case-sensitive name of the Asana workspace - to search within. | + | Workspace Name | string | True | The exact name of the Asana workspace (case-sensitive). + | - | Completed Status | Boolean | No | If set to `true`, the action retrieves only - tasks marked as completed. If `false` (default), it retrieves only incomplete - tasks. | + | Completed Status | boolean | False | If set to `true`, the action will only + return tasks that have been marked as completed. If `false` (default), it returns + incomplete tasks. | ### Additional Notes - This action does not run on entities; it relies entirely on the provided input - parameters to query the Asana API. It performs multiple sequential API calls to - resolve human-readable names (Email, Workspace Name) into Asana Global Identifiers - (GIDs) before fetching task data. + - The `Workspace Name` parameter is case-sensitive and must match the name in + Asana exactly. + + - The action provides direct URLs to the tasks in the SOAR interface for quick + access. + + - If no tasks are found for the user, the action will complete with a "False" + result. ### Flow Description - 1. **Authentication**: Initializes the Asana manager using the configured Personal - Access Token and Base URL. + 1. **Parameter Extraction:** The action retrieves the user's email, workspace + name, and completion status filter from the input parameters. - 2. **User Resolution**: Calls the Asana API to retrieve the unique `GID` for the - user based on the provided `User's Email`. + 2. **User Identification:** It queries the Asana API to find the unique `gid` + (Global ID) for the user based on the provided email. - 3. **Workspace Resolution**: Retrieves all workspaces for the authenticated user - and matches the `Workspace Name` to find the corresponding `Workspace GID`. + 3. **Workspace Identification:** It fetches all workspaces available to the authenticated + token and matches the provided `Workspace Name` to find the corresponding `workspace_id`. - 4. **Task List Retrieval**: Fetches the specific `User Task List ID` associated - with the identified User and Workspace. + 4. **Task List Retrieval:** It identifies the specific "User Task List" ID for + that user within the identified workspace. - 5. **Task Fetching**: Retrieves the list of tasks from the user's task list. + 5. **Task Fetching:** The action retrieves the list of tasks from the user's task + list. - 6. **Detail Enrichment & Filtering**: For each task found, the action fetches - full task details to check the `completed` attribute against the `Completed Status` + 6. **Detail Enrichment & Filtering:** For each task, it fetches full details (including + completion status and due dates) and filters them based on the `Completed Status` parameter. - 7. **Output Generation**: Adds the filtered task details to the JSON result and - generates clickable permalinks for each task in the Google SecOps UI. + 7. **Result Compilation:** It compiles the task names, details, and permalinks + into a JSON result and adds clickable links to the SOAR action output. capabilities: can_create_case_comments: false can_create_insight: false @@ -339,9 +382,9 @@ List My Tasks: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -355,6 +398,7 @@ List My Tasks: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +List Project Tasks: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -368,71 +412,73 @@ List My Tasks: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -List Project Tasks: ai_description: >- - Lists all tasks associated with a specific project in Asana. This action allows - users to retrieve task details, including names and due dates, and provides direct - links to the tasks within the Asana platform. It supports filtering tasks based - on their completion status. + ### General Description + Lists all the tasks associated with a specific project in Asana. This action allows + analysts to retrieve a comprehensive list of tasks from a named project, with + the ability to filter results based on their completion status. It provides detailed + task information, including due dates and direct links to the tasks in the Asana + web interface. - ### Parameters Description + ### Parameters Description - | Parameter | Type | Mandatory | Description | + | Parameter Name | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Project Name | String | Yes | The name of the project from which you would like - to fetch all the tasks. | + | Project Name | string | True | The name of the project from which you would + like to fetch all the tasks. | - | Completed Status | Boolean | No | If set to true, the action retrieves only + | Completed Status | boolean | False | If set to true, the action retrieves only tasks that are marked as completed. If false, it retrieves only incomplete tasks. | - ### Flow Description - - - 1. **Authentication**: The action retrieves the API token and base URL from the - integration configuration. + ### Additional Notes - 2. **Project Identification**: It calls the Asana API to find the unique ID associated - with the provided 'Project Name'. + - The action performs a lookup to find the internal Asana Project ID based on + the provided 'Project Name' before fetching tasks. - 3. **Task Retrieval**: It fetches a list of all tasks belonging to the identified - project. + - For each task found, a secondary API call is made to retrieve full task details, + including the permalink and completion status. - 4. **Detail Enrichment**: For each task found, the action performs a follow-up - request to get full task details (e.g., completion status, due date, permalink). - 5. **Filtering**: The action filters the detailed task list based on the 'Completed - Status' parameter. + ### Flow Description - 6. **Output Generation**: It populates the action results with a JSON object - containing task details and adds clickable links for each task to the SOAR interface. + 1. **Configuration Extraction**: Retrieves the Asana API token and base URL from + the integration settings. + 2. **Project Identification**: Calls the Asana API to find the unique Project + ID corresponding to the provided 'Project Name'. - ### Additional Notes + 3. **Task Retrieval**: Fetches a list of all task summaries associated with the + identified Project ID. + 4. **Detail Enrichment & Filtering**: For each task summary, the action retrieves + full task details and filters them based on the 'Completed Status' parameter. - * This action does not run on entities; it operates based on the provided project - name parameter. + 5. **Result Compilation**: Adds the filtered task details to the JSON result and + generates clickable links (permalinks) for each task in the Google SecOps interface. - * The 'Completed Status' parameter is a boolean toggle; ensure it is set correctly - to see the desired subset of tasks. + 6. **Finalization**: Ends the action with a summary message indicating success + or if no tasks were found. capabilities: can_create_case_comments: false can_create_insight: false @@ -446,7 +492,7 @@ List Project Tasks: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -460,6 +506,7 @@ List Project Tasks: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -473,47 +520,59 @@ List Project Tasks: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: ai_description: >- ### General Description The **Ping** action is a diagnostic tool used to verify the connectivity between - Google SecOps and the Asana instance. It ensures that the provided API Token and - Base URL are correct and that the service is reachable. + Google SecOps and the Asana instance. It ensures that the provided Personal Access + Token (PAT) and Base URL are correct and that the network path to the Asana API + is open. This action is typically used during the initial setup of the integration + or for troubleshooting communication issues. ### Flow Description - 1. **Configuration Retrieval**: The action extracts the 'Token' and 'Base URL' + 1. **Configuration Extraction**: The action retrieves the `Token` and `Base URL` from the integration's configuration settings. - 2. **Manager Initialization**: It initializes the `AsanaManager` with the retrieved + 2. **Manager Initialization**: It initializes the `AsanaManager` with the extracted credentials. 3. **Connectivity Test**: The action calls the `test_connectivity` method, which - performs a GET request to the Asana `/users/me` endpoint. + performs a `GET` request to the `/users/me` endpoint of the Asana API. - 4. **Result Handling**: If the API returns a successful response, the action concludes - with a success message. If the request fails or returns an error, it reports a - connection failure. + 4. **Result Evaluation**: If the API returns a successful response (HTTP 200) + and valid JSON, the action concludes with a success message. Otherwise, it returns + a failure. ### Parameters Description - There are no action-specific parameters for this action. It relies entirely on - the integration's global configuration (Token and Base URL). + There are no specific action parameters for this action. It relies entirely on + the global integration configuration (Token and Base URL). + + + ### Additional Notes + + * This action does not process any entities. + + * It is a read-only operation that does not modify any data in Asana or Google + SecOps. capabilities: can_create_case_comments: false can_create_insight: false @@ -527,7 +586,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -541,6 +600,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Remove User From Workspace: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -554,64 +614,39 @@ Ping: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false - update_identity: false + update_identity: true update_ticket: false -Remove User From Workspace: - ai_description: >- - Removes a specific user from an Asana workspace using their email address. This - action first resolves the workspace name to a unique workspace ID and then performs - a removal operation via the Asana API. - - - ### Flow Description: - - 1. **Configuration Retrieval**: Extracts the Asana API token and base URL from - the integration settings. - - 2. **Parameter Extraction**: Retrieves the target workspace name and the email - address of the user to be removed from the action parameters. - - 3. **Workspace Resolution**: Calls the Asana API to list all workspaces and identifies - the specific `workspace_id` matching the provided name (case-sensitive). - - 4. **User Removal**: Sends a POST request to the Asana `/workspaces/{workspace_id}/removeUser` - endpoint with the user's email. - - 5. **Result Handling**: Validates the API response to confirm if the user was - successfully removed and provides a status message to the Google SecOps case. - - - ### Parameters Description: - - - | Parameter Name | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Workspace Name | String | Yes | The exact name of the Asana workspace from which - the user should be removed. Note: This is case-sensitive. | - - | User's Email | String | Yes | The email address of the Asana user to be removed - from the workspace. | - - - ### Additional Notes: - - - This action does not run on entities; it uses the provided email address parameter - directly. - - - If the workspace name is not found or the API call fails, the action will return - a failure status. + ai_description: "Removes a specific user from an Asana workspace using their email\ + \ address. This action is useful for offboarding users or managing workspace access\ + \ dynamically during incident response. \n\n### Flow Description:\n1. **Configuration\ + \ Retrieval:** Extracts the Asana API token and base URL from the integration\ + \ settings.\n2. **Parameter Extraction:** Retrieves the target 'Workspace Name'\ + \ and the 'User's Email' from the action parameters.\n3. **Workspace Identification:**\ + \ Calls the Asana API to find the unique Workspace GID associated with the provided\ + \ workspace name.\n4. **User Removal:** Sends a POST request to the Asana endpoint\ + \ `/workspaces/{workspace_id}/removeUser` to remove the specified user.\n5. **Result\ + \ Reporting:** Returns a success message if the user was removed or a failure\ + \ message if the operation could not be completed.\n\n### Parameters Description:\n\ + | Parameter Name | Type | Mandatory | Description |\n| :--- | :--- | :--- | :---\ + \ |\n| Workspace Name | string | True | The case-sensitive name of the Asana workspace\ + \ from which the user should be removed. |\n| User's Email | string | True | The\ + \ email address of the user to be removed from the workspace. |\n\n### Additional\ + \ Notes:\n- This action does not run on SecOps entities; it uses the provided\ + \ email string directly.\n- The workspace name must match exactly (case-sensitive)\ + \ as it appears in Asana." capabilities: can_create_case_comments: false can_create_insight: false @@ -620,14 +655,13 @@ Remove User From Workspace: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Removes a user's access and membership from a specific Asana workspace by making - a POST request to the /removeUser endpoint. + Removes a user's access and membership from a specific Asana workspace. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -641,6 +675,7 @@ Remove User From Workspace: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Update Task: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -654,45 +689,47 @@ Remove User From Workspace: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false - update_identity: true - update_ticket: false -Update Task: + update_identity: false + update_ticket: true ai_description: >- - Updates an existing task in Asana with new details such as the assignee, due date, - and description. The action first resolves the provided assignee email to a unique - Asana user ID and then submits a PUT request to the Asana API to modify the specified + Updates an existing task in Asana by modifying its assignee, due date, or description. + The action first resolves the provided assignee email to a unique Asana user ID + and then submits a PUT request to the Asana API to apply the changes to the specified task. - ### Flow Description: + ### Flow Description - 1. **Credential Retrieval:** Extracts the Asana API Token and Base URL from the - integration configuration. + 1. **Configuration Extraction:** Retrieves the Asana API Token and Base URL from + the integration settings. - 2. **Parameter Extraction:** Retrieves the Task ID, Assignee email, Due Date, - and Description from the action parameters. + 2. **Parameter Extraction:** Collects the Task ID, Assignee email, Due Date, and + Description from the action input. - 3. **User Resolution:** Calls the Asana API to convert the provided assignee email - into a GID (Global Identifier). + 3. **User Resolution:** Calls the Asana API to convert the provided Assignee email + into a Global Identifier (GID). 4. **Task Update:** Executes a PUT request to the Asana `/tasks/{task_id}` endpoint - with the updated fields. + with the updated metadata. - 5. **Result Processing:** Returns the updated task metadata as a JSON result and + 5. **Result Processing:** Returns the updated task object as a JSON result and provides a success message. - ### Parameters Description: + ### Parameters Description | Parameter | Type | Mandatory | Description | @@ -711,13 +748,13 @@ Update Task: be re-assigned. Note: This is case-sensitive. | - ### Additional Notes: + ### Additional Notes - - If the Assignee parameter is provided, the action will attempt to resolve the - email to a user ID. If the email is not found, the action may fail depending on - the API response. + - This action does not process SecOps entities; it operates strictly based on + the provided parameters. - - This action modifies data in an external system (Asana). + - If the Assignee email is provided, the action will attempt to resolve it to + a GID before updating the task. capabilities: can_create_case_comments: false can_create_insight: false @@ -726,14 +763,14 @@ Update Task: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates task attributes including assignee, due date, and description in the - Asana project management platform via a PUT request. + Updates the assignee, due date, and description fields of an existing task in + the Asana project management system. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -747,28 +784,3 @@ Update Task: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: true diff --git a/content/response_integrations/third_party/community/asana/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/asana/resources/ai/integration_ai_description.yaml index 6896a3667..9194cf1be 100644 --- a/content/response_integrations/third_party/community/asana/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/community/asana/resources/ai/integration_ai_description.yaml @@ -4,7 +4,7 @@ product_categories: collaboration: true edr: false email_security: false - iam_and_identity_management: false + iam_and_identity_management: true itsm: true network_security: false siem: false diff --git a/content/response_integrations/third_party/community/aws_ec2/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/aws_ec2/resources/ai/actions_ai_description.yaml index bca6b6349..3a0545ccf 100644 --- a/content/response_integrations/third_party/community/aws_ec2/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/aws_ec2/resources/ai/actions_ai_description.yaml @@ -1,50 +1,80 @@ Authorize Security Group Egress: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: true + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - Adds or updates outbound (egress) IP permissions for a specific AWS VPC Security - Group. This action allows administrators to programmatically define network traffic - rules that permit traffic leaving a security group based on protocol, port range, - and destination IP ranges (CIDR blocks). + ### General Description + This action adds or updates outbound (egress) IP permissions for a specific AWS + EC2 Security Group within a VPC. It allows administrators to programmatically + define network traffic rules, specifying protocols, port ranges, and destination + IP ranges (CIDR) that are permitted to leave the security group. - ### Flow Description: - 1. **Credential Extraction:** Retrieves AWS Access Key, Secret Key, and Default - Region from the integration configuration. + ### Parameters Description - 2. **Parameter Parsing:** Extracts the target Security Group ID and the IP permissions - defined in a JSON format. + | Parameter | Type | Mandatory | Description | - 3. **Data Transformation:** Converts the IP permissions JSON string into a Python - list of dictionaries required by the AWS SDK. + | :--- | :--- | :--- | :--- | - 4. **AWS API Interaction:** Calls the `authorize_security_group_egress` method - via the Boto3 EC2 client to apply the rules to the specified security group. + | Group ID | string | Yes | The unique identifier of the AWS Security Group (e.g., + `sg-1a2b3c4d`) where the outbound rules will be applied. | - 5. **Result Handling:** Logs the outcome and attaches the raw AWS response to - the action results in Google SecOps. + | IP Permissions | code | Yes | A JSON-formatted string defining the egress rules. + It must include fields like `IpProtocol`, `FromPort`, `ToPort`, and `IpRanges` + (containing `CidrIp`). | - ### Parameters Description: + ### Flow Description - | Parameter Name | Type | Mandatory | Description | + 1. **Configuration Extraction:** The action retrieves AWS credentials (Access + Key ID, Secret Access Key) and the default region from the integration settings. - | :--- | :--- | :--- | :--- | + 2. **Parameter Parsing:** It extracts the target Security Group ID and the IP + Permissions JSON string from the action inputs. - | Group ID | string | Yes | The unique identifier (e.g., sg-1a2b3c4d) of the security - group where outbound rules will be added. | + 3. **Data Transformation:** The IP Permissions JSON string is parsed into a Python + dictionary and wrapped in a list to meet the AWS SDK (boto3) requirements. - | IP Permissions | code | Yes | A JSON-formatted string defining the egress rules. - It must include `IpProtocol`, and optionally `FromPort`, `ToPort`, and `IpRanges` - (with `CidrIp`). | + 4. **AWS Interaction:** The action uses the `EC2Manager` to call the AWS `authorize_security_group_egress` + API, which applies the specified rules to the security group. + 5. **Result Handling:** If successful, the AWS response metadata is attached as + a JSON result to the action, and a success message is returned. If an error occurs, + it is logged and the action fails. - ### Additional Notes: - - This action specifically targets **egress** (outbound) rules. For inbound rules, - use the 'Authorize Security Group Ingress' action. + ### Additional Notes + + - This action performs a state change in AWS by modifying security group configurations. - - The `IP Permissions` parameter must be a valid JSON array or object representing - the rule structure expected by the AWS EC2 API. + - The `IP Permissions` parameter must be a valid JSON object representing the + rule structure expected by the AWS EC2 API. capabilities: can_create_case_comments: false can_create_insight: false @@ -53,14 +83,14 @@ Authorize Security Group Egress: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - This action modifies the configuration of an AWS Security Group by adding or - updating outbound (egress) firewall rules. + Modifies the egress (outbound) rules of the specified AWS Security Group to + allow traffic based on the provided IP permissions. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -74,9 +104,10 @@ Authorize Security Group Egress: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Authorize Security Group Ingress: action_product_categories: add_alert_comment: false - add_ioc_to_allowlist: false + add_ioc_to_allowlist: true add_ioc_to_blocklist: false contain_host: false create_ticket: false @@ -87,62 +118,75 @@ Authorize Security Group Egress: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Authorize Security Group Ingress: ai_description: >- - Adds or updates inbound (ingress) IP permissions for a specific AWS EC2 security - group within a VPC. This action allows administrators to programmatically define - firewall rules, specifying protocols, port ranges, and source IP ranges (CIDR). - It interacts directly with the AWS EC2 service to apply these changes. + ### General Description + Adds or updates inbound (ingress) IP permissions for a specific Amazon EC2 Security + Group within a VPC. This action allows administrators to programmatically define + firewall rules, specifying protocols, ports, and CIDR ranges that are permitted + to access resources associated with the security group. - ### Flow Description: - 1. **Credential Retrieval:** Extracts AWS Access Key, Secret Key, and Default - Region from the integration configuration. + ### Parameters Description - 2. **Parameter Extraction:** Retrieves the target Security Group ID and the IP - permissions defined in JSON format from the action parameters. + | Parameter | Type | Mandatory | Description | - 3. **Data Parsing:** Converts the IP permissions JSON string into a structured - dictionary for the AWS SDK. + | :--- | :--- | :--- | :--- | - 4. **AWS API Call:** Executes the `authorize_security_group_ingress` command via - the Boto3 library to update the security group rules. + | Group ID | string | No | The unique identifier of the security group (e.g., + sg-1a2b3c4d) where the inbound permissions will be applied. While marked as not + mandatory in configuration, the AWS API requires this to identify the target group. + | - 5. **Result Processing:** Captures the AWS response, logs the outcome, and returns - the result JSON to the Google SecOps platform. + | IP Permissions | code | No | A JSON-formatted string defining the ingress rules. + It includes fields like `FromPort`, `ToPort`, `IpProtocol`, and `IpRanges` (e.g., + `{"FromPort": 80, "IpProtocol": "tcp", "IpRanges": [{"CidrIp": "1.1.1.1/16"}], + "ToPort": 80}`). | - ### Parameters Description: + ### Additional Notes - | Parameter | Type | Mandatory | Description | + - This action performs a state-changing operation in AWS by modifying network + access control lists. - | :--- | :--- | :--- | :--- | + - The action expects the `IP Permissions` parameter to be a valid JSON string + representing a single rule or a set of rules as defined by the Boto3 EC2 client + documentation. - | Group ID | String | No | The unique identifier of the security group (e.g., - sg-1a2b3c4d) to which the rules will be added. | - | IP Permissions | Code | No | A JSON-formatted string defining the ingress rules, - including `IpProtocol`, `FromPort`, `ToPort`, and `IpRanges`. | + ### Flow Description + 1. **Configuration Extraction:** Retrieves AWS credentials (Access Key ID, Secret + Access Key) and the default region from the integration settings. - ### Additional Notes: + 2. **Parameter Parsing:** Extracts the `Group ID` and the `IP Permissions` JSON + string from the action parameters. The JSON string is converted into a Python + dictionary. + + 3. **Manager Initialization:** Initializes the `EC2Manager` using the provided + AWS credentials and region. - * This action performs a state change in the AWS environment by modifying network - security policies. While parameters are marked as not mandatory in the configuration, - they are logically required for the action to perform a meaningful update. + 4. **API Execution:** Calls the AWS EC2 service to authorize the specified ingress + rules for the target security group. + + 5. **Result Handling:** Logs the success or failure of the operation, attaches + the raw AWS response as a JSON result to the action, and terminates with a status + message. capabilities: can_create_case_comments: false can_create_insight: false @@ -151,14 +195,14 @@ Authorize Security Group Ingress: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Adds or updates inbound IP permissions (ingress rules) for a specific AWS EC2 - security group, changing the network access control state in the AWS environment. - fetches_data: true + Adds or updates inbound IP permissions (ingress rules) for a specific AWS Security + Group, effectively changing the network security posture of the VPC. + fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -172,9 +216,10 @@ Authorize Security Group Ingress: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Create Instance: action_product_categories: add_alert_comment: false - add_ioc_to_allowlist: true + add_ioc_to_allowlist: false add_ioc_to_blocklist: false contain_host: false create_ticket: false @@ -185,44 +230,46 @@ Authorize Security Group Ingress: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Create Instance: ai_description: >- - Creates new Amazon EC2 instances based on a specified Amazon Machine Image (AMI). - This action allows for the automated provisioning of virtual servers in the AWS - environment, supporting configurations for instance types, counts, and security - group assignments. It operates asynchronously, meaning it will poll the AWS API - until the requested instances transition from a 'pending' state to a 'running' - state before completing. + Creates new AWS EC2 instances based on a specified Amazon Machine Image (AMI). + This action allows for the automated provisioning of virtual infrastructure by + defining the image ID, instance type, and the number of instances to be created. + It supports asynchronous execution, meaning it will poll the AWS environment until + the instances transition from a 'pending' state to a 'running' state, ensuring + the instances are fully operational before completing the action. ### Flow Description: - 1. **Initialization:** The action retrieves AWS connection details (Access Key, - Secret Key, Region) from the integration configuration and instance specifications - (AMI ID, Type, Counts, Security Groups) from the action parameters. + 1. **Initialization**: Extracts AWS credentials (Access Key, Secret Key, Region) + and action parameters (AMI ID, Instance Type, Counts, and Security Groups). - 2. **Instance Creation (First Run):** It calls the AWS EC2 service to run new - instances. If the instances are immediately 'running', it collects their details. - If they are 'pending', it stores their IDs and enters an 'In Progress' state. + 2. **Instance Creation**: In the first run, it calls the AWS EC2 API to launch + the requested number of instances. - 3. **Status Polling (Subsequent Runs):** In follow-up executions, the action checks - the current state of the pending instances using the 'describe_instances' method. + 3. **Status Check**: If instances are in a 'pending' state, the action saves the + instance IDs and enters an 'In Progress' state. - 4. **Completion:** Once all requested instances have reached the 'running' state, - the action returns the full JSON metadata for the created resources and marks - the execution as completed. + 4. **Polling**: In subsequent runs, it describes the specific instances to check + their current state. + + 5. **Completion**: Once all instances reach the 'running' state, it retrieves + the full metadata for each instance and completes the execution. ### Parameters Description: @@ -231,27 +278,27 @@ Create Instance: | :--- | :--- | :--- | :--- | - | Image ID | string | No | The AMI ID used to create the new instance (e.g., ami-12345). - Defaults to a placeholder if not provided. | + | Image ID | String | No | The ID of the AMI to use for creating the instance + (e.g., ami-12345). | - | Instance Type | string | No | The hardware specification for the instance (e.g., - m1.small). Defaults to m1.small if not provided. | + | Instance Type | String | No | The hardware specification for the instance (e.g., + m1.small). | - | Max Count | string | Yes | The maximum number of instances to create. | + | Max Count | Integer | Yes | The maximum number of instances to create. | - | Min Count | string | Yes | The minimum number of instances to create. | + | Min Count | Integer | Yes | The minimum number of instances to create. | - | Security Group ID | string | No | A comma-separated list of Security Group IDs - to assign to the instances (e.g., sg-12345, sg-6789). | + | Security Group ID | String | No | A comma-separated list of Security Group IDs + to associate with the instances. | ### Additional Notes: - - This action does not process SecOps entities; it relies entirely on user-provided - parameters. + - This action is asynchronous and will continue to run until the instances are + in a 'running' state or an error occurs. - - The action will remain in an 'In Progress' state until AWS reports that all - instances are fully running. + - If no Instance Type is provided, it defaults to 'm1.small' within the manager + logic. capabilities: can_create_case_comments: false can_create_insight: false @@ -260,13 +307,13 @@ Create Instance: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates new EC2 instances and associated resources within the AWS environment. + Creates and provisions new virtual machine instances within the AWS EC2 environment. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -280,6 +327,7 @@ Create Instance: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Create Tags: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -293,64 +341,65 @@ Create Instance: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Create Tags: ai_description: >- - Creates or overwrites tags for specified AWS EC2 resources, such as instances, - volumes, or security groups. This action allows for the organization and categorization - of AWS assets directly from Google SecOps by applying key-value pairs to the target - resource identifiers. - - - ### Flow Description: + ### General Description - 1. **Configuration Extraction:** Retrieves AWS credentials (Access Key ID, Secret - Access Key) and the default region from the integration settings. + The 'Create Tags' action allows users to add or overwrite tags for specific AWS + EC2 resources (such as instances, volumes, or security groups). This action is + useful for organizing resources, managing costs, or triggering automation based + on resource metadata within an AWS environment. - 2. **Parameter Parsing:** Extracts the list of Resource IDs (comma-separated) - and the JSON-formatted tags from the action parameters. - 3. **Tag Preparation:** Converts the provided tags JSON into a list of tag objects - compatible with the AWS SDK. + ### Parameters Description - 4. **Execution:** Iterates through each provided Resource ID and calls the AWS - EC2 `create_tags` API to apply the specified tags. + | Parameter | Type | Mandatory | Description | - 5. **Result Reporting:** Tracks which resources were successfully tagged and which - failed, providing a detailed JSON result and an output message for the analyst. + | :--- | :--- | :--- | :--- | + | Resources ID | String | Yes | A comma-separated list of AWS resource IDs (e.g., + i-1234567890abcdef0) that you want to tag. | - ### Parameters Description: + | Tags | Code | Yes | A JSON-formatted string representing the tags to be created. + The expected format is a JSON object with a 'tags' key containing a list of Key-Value + pairs, for example: `{"tags": [{"Key": "Environment", "Value": "Production"}]}`. + | - | Parameter Name | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + ### Flow Description - | Resources ID | string | Yes | A comma-separated list of AWS resource identifiers - (e.g., i-1234567890abcdef0) that you want to tag. | + 1. **Configuration Extraction**: The action retrieves AWS credentials (Access + Key ID, Secret Access Key) and the default region from the integration settings. - | Tags | code | Yes | A JSON object containing the tags to be created. Expected - format: `{"tags": [{"Key": "key1", "Value": "value1"}]}`. Note that keys are case-sensitive. - | + 2. **Parameter Parsing**: It extracts the list of resource IDs and the JSON string + of tags from the action parameters. The tags are converted from a JSON string + into a Python list of dictionaries. + 3. **Resource Iteration**: The action splits the comma-separated resource IDs + and iterates through each one. - ### Additional Notes: + 4. **AWS API Call**: For each resource, it calls the AWS EC2 `create_tags` API + via the `EC2Manager` to apply the specified tags. - - This action uses the Boto3 `create_tags` method. If a tag with the same key - already exists on a resource, its value will be overwritten. + 5. **Result Collection**: The action tracks which resources were successfully + tagged and which encountered errors. - - Each resource can have a maximum of 50 tags. + 6. **Finalization**: It outputs a summary message indicating success or failure + for the provided resource IDs and returns a boolean result value. capabilities: can_create_case_comments: false can_create_insight: false @@ -359,14 +408,14 @@ Create Tags: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Adds or overwrites tags (key-value pairs) on specified AWS EC2 resources using - the AWS API. + This action adds or overwrites tags on AWS EC2 resources by calling the AWS + EC2 'create_tags' API. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -380,11 +429,12 @@ Create Tags: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Delete Instance: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false - contain_host: false + contain_host: true create_ticket: false delete_email: false disable_identity: false @@ -393,25 +443,29 @@ Create Tags: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Delete Instance: ai_description: >- ### General Description - The **Delete Instance** action terminates one or more specified Amazon EC2 instances - within a designated AWS region. This is a destructive operation that permanently - removes the instances from the AWS environment. + The **Delete Instance** action terminates specific Amazon EC2 instances within + an AWS environment. This is a destructive remediation action that permanently + deletes the specified instances, making them inaccessible. Note that terminated + instances remain visible in the AWS console for approximately one hour after the + deletion process begins. ### Parameters Description @@ -420,44 +474,37 @@ Delete Instance: | :--- | :--- | :--- | :--- | - | **Instance Ids** | String | Yes | A comma-separated list of AWS EC2 instance - identifiers (e.g., `i-1234567890abcdef0, i-0fedcba9876543210`) to be deleted. - | + | Instance Ids | String (Content) | Yes | A comma-separated list of EC2 instance + IDs to be deleted (e.g., `i-1234567890abcdef0, i-0987654321fedcba0`). | ### Additional Notes - - Terminated instances remain visible in the AWS console for approximately one - hour after deletion. + - This action is asynchronous; if instances are in the "shutting-down" state, + the action will report as in-progress until the process completes. - - The action returns the total count of instances successfully moved to a 'terminated' - or 'shutting-down' state. + - The result value of the action is the total count of successfully deleted instances. - - This action is marked as asynchronous and can track the progress of the termination - process. + - Detailed JSON results for each instance are provided in the action output. ### Flow Description 1. **Configuration Extraction:** Retrieves AWS credentials (Access Key ID, Secret - Access Key) and the default region from the integration settings. + Access Key) and the target region from the integration settings. + + 2. **Input Parsing:** Splits the provided `Instance Ids` string into a list of + individual identifiers and strips any whitespace. + + 3. **Termination Execution:** Iterates through the list and calls the AWS EC2 + `terminate_instances` API for each ID via the EC2 Manager. - 2. **Parameter Parsing:** Extracts the `Instance Ids` string and splits it into - a list of individual identifiers, stripping any extra whitespace. - - 3. **AWS Interaction:** For each instance ID, the action calls the AWS EC2 `terminate_instances` - API via the `EC2Manager`. - - 4. **State Verification:** Evaluates the `CurrentState` returned by the AWS API - for each instance: - - If the state is `terminated`, it is logged as a success. - - If the state is `shutting-down`, the action status is set to `IN_PROGRESS` - to reflect the ongoing transition. - - If the instance is in a state that cannot be deleted, an exception is raised - for that specific instance. - 5. **Result Reporting:** Aggregates the results, provides a summary message to - the case wall, and returns the count of deleted instances along with detailed - JSON data for each processed instance. + 4. **State Verification:** Monitors the response for each instance to verify if + the current state is `terminated` or `shutting-down`. + + 5. **Result Aggregation:** Collects success/failure details for each instance, + updates the action log, and returns the count of deleted instances along with + a detailed JSON report. capabilities: can_create_case_comments: false can_create_insight: false @@ -466,14 +513,13 @@ Delete Instance: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Terminates (deletes) specified EC2 instances in the AWS environment, which is - a permanent state change. + Terminates (deletes) EC2 instances in the AWS environment. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -487,6 +533,7 @@ Delete Instance: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Find Instance: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -500,27 +547,29 @@ Delete Instance: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: true search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Find Instance: ai_description: >- ### General Description - The **Find Instance** action retrieves detailed information about one or more - Amazon EC2 instances from an AWS environment. It allows users to query specific - instances by their unique IDs or to search for instances based on custom filters - such as instance type, state, or tags. This action is primarily used for asset - enrichment, providing visibility into the configuration and status of cloud resources. + The **Find Instance** action retrieves detailed information about specific Amazon + EC2 instances or a collection of instances based on provided criteria. It is primarily + used for asset discovery and situational awareness within an AWS environment. + If no specific instance IDs or filters are provided, the action can return information + for all instances (subject to the maximum results limit). ### Parameters Description @@ -530,51 +579,47 @@ Find Instance: | :--- | :--- | :--- | :--- | | **Instance Ids** | String | No | A comma-separated list of AWS Instance IDs - to fetch (e.g., `i-1234567890abcdef0`). If provided, the action fetches details - for these specific instances. | + to fetch (e.g., `i-1234567890abcdef0`). If provided, the action focuses on these + specific resources. | - | **Filters** | Content (JSON) | No | A JSON object defining filters for the search. - Default is `{"Name": "instance-type", "Values": ["t2.micro"]}`. This is used when - specific IDs are not provided or to further narrow the search. | + | **Filters** | Content (JSON) | No | A JSON-formatted string defining filters + to narrow down the search (e.g., `{"Name": "instance-type", "Values": ["t2.micro"]}`). + Default filters for `t2.micro` are often pre-configured. | | **Max Results** | String | No | The maximum number of results to return in a - single call, ranging from 5 to 1000. Defaults to 1000 if not specified. | + single execution, ranging from 5 to 1000. | - ### Additional Notes + ### Flow Description + + 1. **Configuration Extraction:** The action retrieves AWS credentials (Access + Key ID, Secret Access Key) and the default region from the integration settings. - - If neither **Instance Ids** nor **Filters** are specified, the action will attempt - to fetch information for all instances in the configured region, up to the limit - defined by **Max Results**. + 2. **Parameter Parsing:** It extracts the `Instance Ids`, `Filters`, and `Max + Results` from the action input. If `Filters` are provided, they are parsed from + a JSON string into a list. - - The **Filters** parameter must be a valid JSON object following the AWS Boto3 - `describe_instances` filter syntax. + 3. **Manager Initialization:** An `EC2Manager` instance is created to handle + communication with the AWS EC2 service via the Boto3 SDK. - - This action does not run on SecOps entities; it relies entirely on the provided - input parameters. + 4. **Data Retrieval:** + * If **Instance Ids** are specified: The action iterates through each ID + and calls the `describe_instances` API to fetch specific metadata. + * If **Instance Ids** are NOT specified: The action calls the `describe_instances` + API using the provided `Filters` and `Max Results` to find matching instances. + 5. **Result Processing:** The retrieved instance data is aggregated into a JSON + object. + 6. **Output:** The action attaches the raw JSON data to the execution result + and provides a summary message indicating which instances were successfully fetched. - ### Flow Description - 1. **Configuration Retrieval:** The action retrieves AWS credentials (Access Key - ID, Secret Access Key) and the Default Region from the integration's configuration. - - 2. **Parameter Parsing:** It extracts the provided **Instance Ids**, **Filters**, - and **Max Results** from the action input. If **Filters** are provided, they are - parsed from a JSON string into a list. - - 3. **Instance Lookup:** - - **Specific IDs:** If **Instance Ids** are provided, the action iterates - through each ID and calls the AWS `describe_instances` API to fetch specific details - for each. - - **Bulk/Filtered Query:** If no **Instance Ids** are provided, the action - performs a single bulk query using the provided **Filters** and **Max Results**. - 4. **Result Processing:** The retrieved instance metadata is aggregated into a - JSON result object. The action tracks which instances were successfully found - and which (if any) failed to be retrieved. - - 5. **Output:** The action returns the aggregated JSON data to the SOAR platform - and provides a summary message indicating the success or failure of the operation. + ### Additional Notes + + * This action is read-only and does not modify any AWS resources. + + * If both `Instance Ids` and `Filters` are provided, the AWS API typically applies + both constraints (logical AND). capabilities: can_create_case_comments: false can_create_insight: false @@ -586,9 +631,9 @@ Find Instance: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: true + enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -602,6 +647,7 @@ Find Instance: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -612,43 +658,66 @@ Find Instance: disable_identity: false download_file: false enable_identity: false - enrich_asset: true + enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: - ai_description: "### General Description\nThe **Ping** action is designed to verify\ - \ the connectivity between the Google SecOps platform and the Amazon Web Services\ - \ (AWS) EC2 environment. It serves as a diagnostic tool to ensure that the provided\ - \ credentials (Access Key ID and Secret Access Key) are valid and that the integration\ - \ can successfully communicate with the AWS API within the specified region.\n\ - \n### Parameters Description\nThis action does not require any additional input\ - \ parameters. It relies entirely on the global integration configuration parameters:\n\ - * **Access Key ID**: The AWS access key used for authentication.\n* **Secret Access\ - \ Key**: The AWS secret key used for authentication.\n* **Default Region**: The\ - \ AWS region to which the connectivity test is directed.\n\n### Flow Description\n\ - 1. **Configuration Extraction**: The action retrieves the AWS credentials and\ - \ region settings from the integration's configuration.\n2. **Manager Initialization**:\ - \ An instance of the `EC2Manager` is created using the extracted credentials.\n\ - 3. **Connectivity Test**: The action calls the `test_connectivity` method, which\ - \ executes the AWS `describe_regions` API call.\n4. **Result Evaluation**: \n\ - \ * If the API call returns a valid response, the action concludes with a success\ - \ message (\"Connected successfully\").\n * If the API call fails or returns\ - \ no data, the action concludes with a failure message (\"The Connection failed\"\ - ).\n\n### Additional Notes\nThis action is typically used during the initial setup\ - \ of the AWS EC2 integration or for troubleshooting credential/network issues.\ - \ It does not interact with or modify any specific EC2 instances or SecOps entities." + ai_description: >- + ### General Description + + The **Ping** action is a diagnostic tool designed to verify the connectivity between + the Google SecOps platform and the Amazon Web Services (AWS) EC2 environment. + It ensures that the provided credentials (Access Key ID and Secret Access Key) + are valid and that the platform can successfully communicate with the AWS API + within the specified region. + + + ### Parameters Description + + There are no action-specific parameters for this action. It relies entirely on + the global integration configuration parameters: + + * **Access Key ID**: The AWS access key used for authentication. + + * **Secret Access Key**: The AWS secret key used for authentication. + + * **Default Region**: The AWS region to which the connection is tested. + + + ### Flow Description + + 1. **Configuration Extraction**: The action retrieves the AWS credentials and + region settings from the integration's configuration. + + 2. **Manager Initialization**: An instance of the `EC2Manager` is created using + the retrieved credentials. + + 3. **Connectivity Test**: The action calls the `test_connectivity` method, which + executes the AWS `describe_regions` API call. + + 4. **Result Evaluation**: If the API call returns a valid response, the action + concludes with a success status. If the call fails (e.g., due to invalid credentials + or network issues), it returns a failure status. + + + ### Additional Notes + + This action does not process any entities and is strictly used for system health + checks and configuration validation. capabilities: can_create_case_comments: false can_create_insight: false @@ -662,7 +731,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -676,6 +745,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Revoke Security Group Egress: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -689,68 +759,72 @@ Ping: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Revoke Security Group Egress: ai_description: >- - Revokes outbound (egress) IP permissions from a specific AWS EC2 Security Group - within a VPC. This action is used to tighten security posture by removing existing - rules that allow traffic to leave the network based on specific protocols, ports, - and CIDR ranges. It interacts directly with the AWS EC2 API to modify the security - group configuration. + ### General Description + This action revokes specific outbound (egress) IP permissions from an AWS EC2 + Security Group within a Virtual Private Cloud (VPC). It is primarily used to tighten + network security by removing existing rules that allow traffic to leave the VPC + to specified destinations, protocols, or ports. - ### Flow Description: - 1. **Configuration Extraction:** Retrieves AWS credentials (Access Key ID, Secret - Access Key) and the default region from the integration settings. + ### Flow Description - 2. **Parameter Parsing:** Extracts the target Security Group ID and the IP permissions - JSON string from the action parameters. + 1. **Configuration Extraction**: The action retrieves AWS credentials (Access + Key ID, Secret Access Key) and the default region from the integration settings. - 3. **Data Transformation:** Converts the IP permissions JSON string into a structured - dictionary required by the AWS SDK (Boto3). + 2. **Parameter Extraction**: It extracts the target Security Group ID and the + specific IP permissions to be revoked from the action parameters. - 4. **AWS API Interaction:** Executes the `revoke_security_group_egress` command - via the EC2 Manager to remove the specified rules. + 3. **Permission Parsing**: The provided IP permissions, expected in JSON format, + are parsed into a structured list for the AWS SDK. - 5. **Result Reporting:** Logs the outcome, provides the raw JSON response from - AWS, and sets the action status to success or failure. + 4. **AWS Interaction**: The action uses the `EC2Manager` to call the Boto3 `revoke_security_group_egress` + method, which communicates with the AWS EC2 API to remove the specified rules. + 5. **Result Handling**: The action logs the outcome, adds the raw API response + to the JSON results, and provides a success or failure message to the SOAR case. - ### Parameters Description: + + ### Parameters Description | Parameter Name | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | | Group ID | String | No | The unique identifier of the security group (e.g., - `sg-1a2b3c4d`) from which permissions will be revoked. While marked as not mandatory - in metadata, it is required for the API call to succeed. | + `sg-1a2b3c4d`) from which you want to revoke outbound permissions. While marked + as non-mandatory in configuration, it is required for the API call to succeed. + | | IP Permissions | Code | No | A JSON-formatted string defining the rules to revoke. - Must include `IpProtocol`, `FromPort`, `ToPort`, and `IpRanges` (with `CidrIp`). - Example: `{"FromPort": 80, "IpProtocol": "tcp", "IpRanges": [{"CidrIp": "1.1.1.1/16"}], - "ToPort": 80}`. | + It includes fields like `IpProtocol`, `FromPort`, `ToPort`, and `IpRanges` (e.g., + `{"FromPort": 80, "IpProtocol": "tcp", "IpRanges": [{"CidrIp": "1.1.1.1/16"}], + "ToPort": 80}`). | - ### Additional Notes: + ### Additional Notes - - This action specifically targets **egress** (outbound) rules. To revoke ingress - (inbound) rules, a different action should be used. + - This action performs a state change in the AWS environment by deleting firewall-like + rules. - - If the specified rule does not exist in the security group, the AWS API may - return an error which will be captured in the action logs. + - If the specified rules do not exist in the security group, the AWS API may return + an error which will be captured in the action logs. capabilities: can_create_case_comments: false can_create_insight: false @@ -759,14 +833,14 @@ Revoke Security Group Egress: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Removes outbound firewall rules (egress permissions) from an AWS EC2 Security - Group, changing the network access control configuration in the AWS environment. + Removes egress (outbound) network rules from an AWS Security Group, effectively + changing the firewall configuration of the VPC. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -780,6 +854,7 @@ Revoke Security Group Egress: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Revoke Security Group ingress: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -793,70 +868,71 @@ Revoke Security Group Egress: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: true remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Revoke Security Group ingress: ai_description: >- ### General Description - The **Revoke Security Group ingress** action removes specific inbound (ingress) - IP permissions from an existing AWS EC2 Security Group within a Virtual Private - Cloud (VPC). This action is primarily used for containment and security hardening - by programmatically withdrawing previously granted network access rules. + Revokes specific inbound (ingress) IP permissions from an AWS EC2 Security Group. + This action is used to remediate security risks by removing existing network access + rules that allow traffic into a VPC. It interacts directly with the AWS EC2 API + to modify the security group's configuration. ### Parameters Description - | Parameter | Type | Mandatory | Description | + | Parameter Name | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Group ID** | String | No | The unique identifier of the AWS Security Group - (e.g., `sg-1a2b3c4d`) from which you want to revoke inbound permissions. | + | Group ID | string | No | The unique identifier (e.g., sg-1a2b3c4d) of the security + group from which you want to revoke inbound permissions. | - | **IP Permissions** | Code (JSON) | No | A JSON-formatted string defining the - specific IP rules to be removed. It includes fields like `FromPort`, `ToPort`, - `IpProtocol`, and `IpRanges`. | + | IP Permissions | code | No | A JSON-formatted string defining the specific rule + to revoke. It must include fields like `IpProtocol`, `FromPort`, `ToPort`, and + `IpRanges`. Example: `{"FromPort": 80, "IpProtocol": "tcp", "IpRanges": [{"CidrIp": + "1.1.1.1/16"}], "ToPort": 80}`. | - ### Flow Description + ### Additional Notes - 1. **Configuration Extraction:** The action retrieves AWS credentials (Access - Key ID, Secret Access Key) and the default region from the integration settings. + * Although the parameters are marked as not mandatory in the configuration, the + action logic requires both a valid `Group ID` and correctly formatted `IP Permissions` + JSON to successfully execute the revocation in AWS. - 2. **Parameter Parsing:** It extracts the target Security Group ID and the IP - permissions JSON string. The JSON string is converted into a Python dictionary - for processing. + * This action performs a state change in the external AWS environment by deleting + security rules. - 3. **AWS Interaction:** The action uses the `EC2Manager` (via the Boto3 SDK) to - call the `revoke_security_group_ingress` API on the specified AWS account and - region. - 4. **Result Handling:** If the revocation is successful, the action returns the - raw response from AWS as a JSON result and sets the action status to success. - If an error occurs (e.g., invalid permissions or group ID), it logs the error - and returns a failure status. + ### Flow Description + 1. **Configuration Extraction**: Retrieves AWS credentials (Access Key ID, Secret + Access Key) and the default region from the integration settings. - ### Additional Notes + 2. **Parameter Parsing**: Extracts the target Security Group ID and the IP permissions + JSON string from the action inputs. - * **Mandatory Fields:** While the metadata marks parameters as not mandatory, - the action logic requires both a valid `Group ID` and correctly formatted `IP - Permissions` JSON to execute successfully. If these are missing or malformed, - the action will fail. + 3. **Data Transformation**: Converts the IP permissions JSON string into a Python + dictionary for processing by the AWS SDK. - * **JSON Format:** The `IP Permissions` parameter must strictly follow the AWS - Boto3 structure for `IpPermissions` objects. + 4. **AWS Interaction**: Uses the `EC2Manager` to call the AWS `revoke_security_group_ingress` + API method. + + 5. **Result Handling**: Captures the response from AWS, logs the outcome, and + attaches the raw JSON response to the action results in Google SecOps. capabilities: can_create_case_comments: false can_create_insight: false @@ -865,15 +941,14 @@ Revoke Security Group ingress: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - This action modifies the configuration of an AWS Security Group by removing - inbound firewall rules, which changes the network access control state in the - AWS environment. + Removes specified inbound (ingress) firewall rules from an AWS EC2 Security + Group, effectively blocking previously allowed traffic. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -887,6 +962,7 @@ Revoke Security Group ingress: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Start Instance: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -900,26 +976,27 @@ Revoke Security Group ingress: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false - remove_ioc_from_allowlist: true + get_alert_information: false + remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Start Instance: ai_description: >- ### General Description - Starts one or more specified AWS EC2 instances. This action is used to programmatically - resume instances that are currently in a stopped state. It provides real-time - feedback on the transition state (pending/running) and returns the count of successfully - started instances. + Starts one or more specified AWS EC2 instances. This action is used to transition + instances from a stopped state to a running state within an AWS environment, which + is useful for automated remediation or forensic workflows. ### Parameters Description @@ -929,33 +1006,35 @@ Start Instance: | :--- | :--- | :--- | :--- | | Instance Ids | The instance IDs which you want to start (comma separated). For - example: instance_id1, instance_id2. | String | Yes | - + example: `i-1234567890abcdef0, i-0987654321fedcba0`. | String | Yes | - ### Additional Notes - - This action is asynchronous. If an instance is in a 'pending' state, the action - will return an 'In Progress' status to allow for state transition. + ### Flow Description - - The result value represents the total count of instances successfully moved - to a 'running' state during the execution. + 1. **Configuration Extraction**: Retrieves AWS Access Key ID, Secret Access Key, + and Default Region from the integration settings. + 2. **Parameter Parsing**: Extracts the `Instance Ids` string and converts it into + a list of individual identifiers. - ### Flow Description + 3. **Instance Initialization**: For each provided ID, the action attempts to start + the instance using the AWS EC2 API. - 1. Extract configuration parameters (Access Key, Secret Key, Region). + 4. **State Verification**: Checks the current state of the instance. If the state + is `pending` or `running`, the operation is considered successful for that instance. - 2. Extract the 'Instance Ids' action parameter and split it into a list. + 5. **Result Aggregation**: Tracks the number of successfully started instances + and compiles detailed JSON metadata for each. - 3. Initialize the EC2Manager. + 6. **Completion**: Returns the total count of started instances and updates the + action status to `IN_PROGRESS` if any instances are still in a pending state, + or `COMPLETED` otherwise. - 4. Iterate through each Instance ID and attempt to start it using the AWS SDK. - 5. Evaluate the response: if the state is 'pending', mark the action as 'In Progress'; - if 'running', mark as success. + ### Additional Notes - 6. Aggregate results, including a count of started instances and detailed JSON - output. + This action is asynchronous. If an instance is in a `pending` state, the action + will signal that it is still in progress. capabilities: can_create_case_comments: false can_create_insight: false @@ -964,14 +1043,13 @@ Start Instance: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Starts stopped EC2 instances in the AWS environment, changing their state from - 'stopped' to 'pending' or 'running'. - fetches_data: true + Starts AWS EC2 instances, changing their operational state from stopped to running. + fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -985,11 +1063,12 @@ Start Instance: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Stop Instance: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false - contain_host: false + contain_host: true create_ticket: false delete_email: false disable_identity: false @@ -998,59 +1077,62 @@ Start Instance: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Stop Instance: ai_description: >- - Stops one or more specified Amazon EC2 instances. This action interacts with the + Stops one or more specified AWS EC2 instances. This action interacts with the AWS EC2 service to transition instances from a running state to a stopped state. It supports stopping multiple instances simultaneously via a comma-separated list - and provides an option to force the shutdown. + and provides an option to force the shutdown. The action is asynchronous, meaning + it can monitor the transition state (stopping vs. stopped) and report progress. ### Parameters - | Parameter | Type | Mandatory | Description | + | Parameter Name | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Instance Ids | String | Yes | Comma-separated list of AWS EC2 instance IDs to - be stopped (e.g., i-0123456789abcdef0). | + | Instance Ids | String | Yes | A comma-separated list of AWS EC2 instance identifiers + (e.g., i-1234567890abcdef0, i-0987654321fedcba0) to be stopped. | - | Force Instance To Stop | Boolean | No | If set to true, the instance is forced - to stop without waiting for file system caches or metadata to be processed. Default - is false. | + | Force Instance To Stop | Boolean | No | If set to 'true', forces the instance + to stop without processing file system caches or metadata. Default is 'false'. + | ### Flow Description - 1. **Credential Retrieval**: Extracts AWS Access Key, Secret Key, and Region from - the integration configuration. + 1. **Initialization**: Retrieves AWS credentials (Access Key ID, Secret Access + Key, and Default Region) from the integration configuration. - 2. **Input Parsing**: Parses the provided string of Instance IDs into a list. + 2. **Parameter Extraction**: Parses the 'Instance Ids' string into a list and + retrieves the 'Force Instance To Stop' boolean flag. - 3. **API Execution**: Iterates through the list and calls the AWS `stop_instances` - API for each identifier. + 3. **Execution**: Iterates through each provided Instance ID and calls the AWS + EC2 API to initiate the stop command. - 4. **State Verification**: Checks the current state of each instance returned - by the API. + 4. **State Monitoring**: Checks the current state of each instance returned by + the API. If an instance is in the 'stopping' state, the action marks itself as + 'In Progress' to allow for asynchronous completion. If the state is 'stopped', + it is marked as successful. - 5. **Status Handling**: If instances are in the 'stopping' state, the action sets - its status to 'In Progress' for asynchronous tracking. If 'stopped', it marks - them as successful. - - 6. **Result Reporting**: Returns the total count of stopped instances and detailed - JSON response data for each successful operation. + 5. **Result Reporting**: Aggregates the results, providing a count of stopped + instances as the main result value and detailed JSON metadata for each instance's + state transition. capabilities: can_create_case_comments: false can_create_insight: false @@ -1059,14 +1141,13 @@ Stop Instance: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Stops the specified EC2 instances in the AWS environment, changing their operational - state from running to stopped. - fetches_data: true + Changes the operational state of AWS EC2 instances from running to stopped. + fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1080,28 +1161,3 @@ Stop Instance: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: true - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/community/azure_devops/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/azure_devops/resources/ai/actions_ai_description.yaml index 01a82fcf4..8c47f84da 100644 --- a/content/response_integrations/third_party/community/azure_devops/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/azure_devops/resources/ai/actions_ai_description.yaml @@ -1,21 +1,77 @@ Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description\nTests the connectivity between Google SecOps and the - Azure DevOps instance. This action verifies that the provided credentials and - configuration are valid by attempting to retrieve a list of projects from the - specified organization.\n\n### Parameters Description\nThere are no action parameters - for this action. It relies on the integration's configuration parameters (Personal - Access Token, Organization, and Base URL).\n\n### Flow Description\n1. **Parameter - Extraction**: Retrieves the Personal Access Token, Organization name, and Base - URL from the integration configuration.\n2. **Authentication**: Initializes a - basic authentication object using the Personal Access Token.\n3. **Connection - Establishment**: Creates a connection to the Azure DevOps service using the provided - Base URL and Organization.\n4. **Connectivity Test**: Calls the `get_projects` - method from the core client to verify that the connection is functional and the - credentials have sufficient permissions.\n5. **Result Reporting**: Returns a success - status if the projects are retrieved successfully; otherwise, it reports a connection - failure with the error details.\n\n### Additional Notes\nThis action does not - interact with or process any entities within the case. + ### General Description + + The **Ping** action is a utility designed to verify the connectivity between the + Google SecOps platform and a specific Azure DevOps instance. It ensures that the + provided credentials (Personal Access Token) and configuration (Organization and + Base URL) are valid and that the network path is open. + + + ### Parameters Description + + There are no action-specific parameters for this action. It relies entirely on + the integration's global configuration parameters: + + * **Personal Access Token**: The token used for authentication. + + * **Organization**: The Azure DevOps organization name. + + * **Base URL**: The base URL of the Azure DevOps instance. + + + ### Additional Notes + + This action is typically used during the initial setup of the integration or for + troubleshooting connection issues. It does not process any entities or modify + any data. + + + ### Flow Description + + 1. **Parameter Extraction**: The action retrieves the `Personal Access Token`, + `Organization`, and `Base URL` from the integration configuration. + + 2. **Authentication**: It initializes a basic authentication object using the + provided token. + + 3. **Connection Initialization**: It establishes a connection to the Azure DevOps + API using the constructed organization URL. + + 4. **Connectivity Test**: The action attempts to fetch a list of projects using + the `get_projects` method from the Azure DevOps Core Client to verify API access. + + 5. **Result Reporting**: If the request is successful, it reports a successful + connection. If an exception occurs, it captures the error and reports a connection + failure. capabilities: can_create_case_comments: false can_create_insight: false @@ -24,12 +80,12 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -43,6 +99,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Trigger Azure Build: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -56,65 +113,68 @@ Ping: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Trigger Azure Build: ai_description: >- ### General Description - Triggers an Azure DevOps pipeline (build) for a specified definition ID and monitors - its progress until completion. This action is useful for automating CI/CD workflows, - such as deploying infrastructure or running automated tests as part of an incident - response playbook. + Triggers a specific build pipeline in Azure DevOps using a Build Definition ID + and optional variables. This action is asynchronous, meaning it initiates the + build and then periodically polls Azure DevOps to monitor the progress until the + build completes, fails, or is canceled. ### Parameters Description - | Parameter Name | Type | Mandatory | Description | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Build Definition Id | string | Yes | The unique identifier (ID) of the build - definition/pipeline you want to trigger in Azure DevOps. | + | Build Definition Id | String | Yes | The unique identifier of the build definition + (pipeline) you want to trigger. | - | Build Variables | code | Yes | A JSON-formatted string containing the variables - to pass to the pipeline (e.g., `{"ENV": "production"}`). | + | Build Variables | Code (JSON) | Yes | A JSON-formatted string containing the + variables to be passed to the pipeline execution. | ### Flow Description - 1. **Initialization**: The action retrieves integration configuration (Organization, - Project, PAT, Base URL) and action parameters. + 1. **Initialization**: Retrieves integration configuration (Organization, Project, + Personal Access Token, and Base URL) and action parameters. - 2. **Trigger Build**: It sends a POST request to the Azure DevOps Builds API to - initiate a new build for the provided `Build Definition Id` using the specified - `Build Variables`. + 2. **Trigger Build**: Sends a POST request to the Azure DevOps Build API to queue + a new build for the specified definition ID with the provided variables. - 3. **Async Monitoring**: The action captures the `build_id` from the response - and enters an asynchronous state (`IN_PROGRESS`). + 3. **Capture Build ID**: Extracts the unique ID of the newly created build from + the API response. - 4. **Status Polling**: The `query_job` function periodically polls the Azure DevOps - API using the `build_id` to check the current status and result of the build. + 4. **Status Polling (Async)**: Enters a polling phase where it sends GET requests + to the Azure DevOps API to check the current status (`status`) and outcome (`result`) + of the build. - 5. **Completion**: The action finishes with a `COMPLETED` status if the build - succeeds or partially succeeds, and a `FAILED` status if the build fails or is - canceled. + 5. **Completion**: The action finishes with a 'Completed' status if the build + succeeds or partially succeeds, and 'Failed' if the build fails or is canceled. ### Additional Notes - This action is asynchronous and will wait for the external build process to finish - before returning a final result to the Google SecOps playbook. + - This action requires a Personal Access Token (PAT) with sufficient permissions + to trigger and view builds in the specified Azure DevOps project. + + - The `Build Variables` parameter must be a valid JSON string. capabilities: can_create_case_comments: false can_create_insight: false @@ -123,13 +183,14 @@ Trigger Azure Build: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Triggers a new build execution (pipeline run) in the Azure DevOps environment. + Triggers a new build pipeline execution in the Azure DevOps environment via + a POST request. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -143,6 +204,7 @@ Trigger Azure Build: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Wait Until Web Resource Is Up: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -156,38 +218,57 @@ Trigger Azure Build: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Wait Until Web Resource Is Up: - ai_description: "### General Description\nThis action monitors the availability\ - \ of a specific web resource by its URL. It functions as an asynchronous task,\ - \ meaning it will repeatedly check the status of the provided URL until it returns\ - \ a successful HTTP response (status code less than 400). This is typically used\ - \ in playbooks to ensure a service, API, or endpoint is fully operational before\ - \ proceeding to subsequent automation steps.\n\n### Parameters Description\n|\ - \ Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ - | URL | String | Yes | The full URL of the web resource to monitor (e.g., `https://dev.azure.com/organization`).\ - \ |\n\n### Flow Description\n1. **Parameter Extraction**: The action retrieves\ - \ the target `URL` from the input parameters.\n2. **Connectivity Check**: It performs\ - \ an HTTP GET request to the specified URL with a 5-second timeout.\n3. **Status\ - \ Evaluation**: The action evaluates the response. If the HTTP status code is\ - \ successful (less than 400), the resource is considered 'up'.\n4. **Execution\ - \ State Management**: \n * If the resource is 'up', the action state is set\ - \ to `COMPLETED`.\n * If the resource is 'down' or the request fails, the action\ - \ state is set to `IN_PROGRESS`. In an asynchronous context, this triggers the\ - \ SOAR platform to retry the action after a delay.\n\n### Additional Notes\nThis\ - \ action is a utility for flow control and does not modify any data within Azure\ - \ DevOps or the Google SecOps platform. It relies on basic HTTP reachability." + ai_description: >- + Wait Until Web Resource Is Up is a utility action designed to monitor the availability + of a specific URL. It functions as an asynchronous polling mechanism that repeatedly + checks the status of a web resource until it becomes accessible. + + + ### Flow Description: + + 1. **Parameter Extraction:** The action retrieves the target URL from the input + parameters. + + 2. **Connectivity Check:** It performs an HTTP GET request to the specified URL + with a 5-second timeout. + + 3. **Status Evaluation:** The action checks if the HTTP response indicates success + (status code < 400). + + 4. **Execution State Management:** + * If the resource is accessible, the action state is set to `COMPLETED`. + * If the resource is inaccessible or the request fails, the action state is + set to `IN_PROGRESS`, allowing the SOAR platform to retry the check after a delay. + + ### Parameters Description: + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | URL | String | Yes | The full web address (e.g., https://example.com) of the + resource to monitor. | + + + ### Additional Notes: + + This action is typically used in playbooks to ensure a service or endpoint is + fully operational before proceeding to subsequent steps that depend on that resource. capabilities: can_create_case_comments: false can_create_insight: false @@ -201,7 +282,7 @@ Wait Until Web Resource Is Up: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -215,28 +296,3 @@ Wait Until Web Resource Is Up: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/community/azure_devops/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/azure_devops/resources/ai/integration_ai_description.yaml index 9e2bf295d..0801c7556 100644 --- a/content/response_integrations/third_party/community/azure_devops/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/community/azure_devops/resources/ai/integration_ai_description.yaml @@ -1,6 +1,6 @@ product_categories: asset_inventory: false - cloud_security: true + cloud_security: false collaboration: false edr: false email_security: false diff --git a/content/response_integrations/third_party/community/bandura_cyber/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/bandura_cyber/resources/ai/actions_ai_description.yaml index 3900088fb..8b34cff3a 100644 --- a/content/response_integrations/third_party/community/bandura_cyber/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/bandura_cyber/resources/ai/actions_ai_description.yaml @@ -1,46 +1,78 @@ Add Domain to Allowed Lists: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: true + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - Adds a domain extracted from a URL entity to a specified Allowed List in Bandura - Cyber. This action is used to whitelist domains, ensuring they are not blocked - by Bandura's security policies. + ### General Description + + Adds URL entities to a specified Domain Allowed List in Bandura Cyber. This action + extracts the domain from the URL and adds it to the target list, allowing for + optional descriptions and expiration dates for the entry. - ### Parameters + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | List Name | string | Yes | The name of the Allowed List in Bandura Cyber where - the domain should be added. This value is case-sensitive. | + | List Name | String | Yes | The case-sensitive name of the Allowed List where + the domain will be added. | - | Description | string | No | A descriptive note to associate with the allowed - domain entry. | + | Description | String | No | A description or note to associate with the allowed + list entry. | - | Expiration Date | string | No | The date and time when the domain should be - automatically removed from the list (e.g., 2020-01-01T12:00:00.000+00:00). | + | Expiration Date | String | No | The date and time when the entity should be + automatically removed from the list (Format: YYYY-MM-DDTHH:MM:SS.mmm+00:00). | ### Flow Description - 1. **Parameter Extraction:** The action retrieves the target list name, description, - and expiration date from the user input. + 1. **Parameter Extraction:** Retrieves the API configuration and action parameters + (List Name, Description, Expiration Date). - 2. **Entity Filtering:** It identifies all URL entities within the current alert - scope. + 2. **Entity Filtering:** Identifies URL entities from the target entities list. - 3. **Domain Extraction:** For each URL entity, the action parses the URL to extract - the domain (netloc). + 3. **Domain Extraction:** For each URL, the domain (netloc) is extracted using + URL parsing. - 4. **List Identification:** It queries Bandura Cyber to find the unique identifier - (UUID) of the Allowed List matching the provided 'List Name'. + 4. **List Identification:** Queries Bandura Cyber to find the unique identifier + (UUID) for the specified list name. + + 5. **Addition:** Sends a POST request to Bandura Cyber to add the domain to the + identified allowed list. - 5. **External Mutation:** The action sends a POST request to Bandura Cyber to - add the extracted domain to the identified Allowed List, including the optional - description and expiration date. - 6. **Result Reporting:** The action returns a JSON result containing the details - of the added entries and updates the action output message. + ### Additional Notes + + The action specifically targets URL entities and will parse them to extract the + domain name before submission. If no URL entities are found, the action will complete + without adding any entries. capabilities: can_create_case_comments: false can_create_insight: false @@ -49,15 +81,14 @@ Add Domain to Allowed Lists: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Adds a domain entry to a specific Allowed List within the Bandura Cyber platform - via a POST request. + Adds a domain to a specific allowed list in Bandura Cyber. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: entity_types: - - DestinationURL + - DestinationURL filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -71,10 +102,11 @@ Add Domain to Allowed Lists: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Add Domain to Denied Lists: action_product_categories: add_alert_comment: false - add_ioc_to_allowlist: true - add_ioc_to_blocklist: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: true contain_host: false create_ticket: false delete_email: false @@ -84,62 +116,77 @@ Add Domain to Allowed Lists: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Add Domain to Denied Lists: ai_description: >- - Adds URL entities to a specified Domain Denied List in Bandura Cyber. This action - extracts the domain (network location) from the URL entity and registers it in - the external Bandura Cyber system to block or monitor traffic. It supports optional - descriptions and expiration dates for the entries. + ### General Description + Adds URL entities to a specified Denied List in Bandura Cyber. This action extracts + the domain (netloc) from the provided URL entities and performs a state-changing + operation on the Bandura Cyber platform to block future traffic associated with + those domains. It allows for setting an optional description and an expiration + date for the block entry. - ### Parameters + + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | List Name | string | Yes | The name of the Denied List where the domain will + | List Name | String | Yes | The name of the Denied List where the domain will be added. Note: This value is case-sensitive. | - | Description | string | No | A descriptive note to associate with the domain - entry in the denied list. | + | Description | String | No | A descriptive note to associate with the entry in + the denied list for administrative tracking. | - | Expiration Date | string | No | The date and time when the domain should be - automatically removed from the list (e.g., 2020-01-01T12:00:00.000+00:00). | + | Expiration Date | String | No | The date and time when the domain should be + automatically removed from the list. Expected format: 2020-01-01T12:00:00.000+00:00. + | ### Flow Description - 1. **Authentication**: Connects to the Bandura Cyber API using provided credentials - (Username, Password, API Root). + 1. **Initialization**: Retrieves API credentials (API Root, Username, Password) + and action parameters (List Name, Description, Expiration Date). + + 2. **Entity Filtering**: Identifies and collects all URL entities from the target + entities list. + + 3. **Domain Extraction**: For each URL entity, it extracts the network location + (domain) using URL parsing logic. + + 4. **List Identification**: Queries the Bandura Cyber API to retrieve the unique + identifier (UUID) for the Denied List specified by the 'List Name' parameter. + + 5. **External Mutation**: Executes a POST request to the Bandura Cyber API to + add the extracted domain to the identified Denied List, including the provided + description and expiration date. - 2. **Entity Filtering**: Identifies all URL entities within the current SecOps - context. + 6. **Reporting**: Aggregates the API responses and provides a summary message + to the SOAR platform indicating which entities were successfully added. - 3. **Domain Extraction**: For each URL, it parses the string to extract the 'netloc' - (the domain portion). - 4. **List Resolution**: Queries the Bandura Cyber system to find the unique identifier - (UUID) for the denied list specified in the 'List Name' parameter. + ### Additional Notes - 5. **External Update**: Sends a POST request to Bandura Cyber to add the extracted - domain to the identified denied list, including the description and expiration - date if provided. + - The action specifically targets the domain portion of a URL. If a full URL is + provided, only the domain will be blocked. - 6. **Reporting**: Returns a JSON result of the operation and updates the action - output message with the list of successfully added domains. + - The 'List Name' must match exactly (including case) with an existing list in + Bandura Cyber for the action to succeed. capabilities: can_create_case_comments: false can_create_insight: false @@ -148,15 +195,15 @@ Add Domain to Denied Lists: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Adds a domain entry to a specified denied list in Bandura Cyber, which modifies - the security policy configuration of the external system. + Adds a domain entry to a specific Denied List in Bandura Cyber via a POST request + to the /denied-lists/domain/{uuid}/entries endpoint. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: entity_types: - - DestinationURL + - DestinationURL filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -170,10 +217,11 @@ Add Domain to Denied Lists: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Add IP to Allowed Lists: action_product_categories: add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: true + add_ioc_to_allowlist: true + add_ioc_to_blocklist: false contain_host: false create_ticket: false delete_email: false @@ -183,62 +231,80 @@ Add Domain to Denied Lists: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Add IP to Allowed Lists: ai_description: >- - Adds IP Address entities to a specific IPv4 Allowed List in Bandura Cyber. This - action allows analysts to whitelist specific IP addresses to prevent them from - being blocked by Bandura security controls. It supports defining a network mask - (maskbit), an optional description for the entry, and an expiration date for temporary - whitelisting. + ### General Description + + The **Add IP to Allowed Lists** action allows analysts to add IP Address entities + to a specific IPv4 Allowed List within the Bandura Cyber platform. This action + is primarily used for allowlisting known-good or trusted IP addresses to prevent + them from being blocked by security policies. It supports defining the network + range via maskbits and setting an expiration date for the entry. + + ### Parameters Description - ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | List Name | string | Yes | The exact name (case-sensitive) of the Allowed List - in Bandura Cyber where the IP should be added. | + | **List Name** | String | Yes | The case-sensitive name of the Allowed List in + Bandura Cyber where the IP should be added. | - | Description | string | No | A descriptive note to associate with the IP entry - in the allowed list. | + | **Description** | String | No | A descriptive note to associate with the IP + entry in the allowed list. | - | Maskbit | string | No | The CIDR mask bit for the IP range (e.g., '32' for a - single host). Defaults to '32'. | + | **Maskbit** | Integer | No | The CIDR mask bit defining the IP range. Defaults + to 32 (single IP). | - | Expiration Date | string | No | The date and time when the IP should be automatically - removed from the list (Format: YYYY-MM-DDTHH:MM:SS.SSS+00:00). | + | **Expiration Date** | String | No | The date and time when the IP should be + automatically removed from the list. Expected format: `YYYY-MM-DDTHH:MM:SS.SSS+00:00`. + | ### Flow Description - 1. **Authentication**: The action authenticates with Bandura Cyber using the provided - credentials to obtain an access token. + 1. **Initialization**: The action retrieves the integration configuration (API + Root, credentials) and the user-provided parameters (List Name, Maskbit, etc.). - 2. **List Identification**: It searches for the specified 'List Name' to retrieve - its unique identifier (UUID). + 2. **Entity Filtering**: It identifies all `ADDRESS` (IP) entities within the + current alert scope. - 3. **Entity Processing**: For each IP Address entity in the current context, it - sends a request to Bandura Cyber to add the IP to the identified list. + 3. **List Resolution**: For each entity, the action queries Bandura Cyber to find + the unique identifier (UUID) of the Allowed List matching the provided **List + Name**. - 4. **Configuration**: The request includes the IP address, the specified maskbit, - the description, and the expiration date if provided. + 4. **Addition**: It sends a POST request to the Bandura Cyber API to add the IP + address, along with the specified mask, description, and expiration date, to the + target list. - 5. **Result Reporting**: The action collects the response for each entity and - provides a summary of which IPs were successfully added to the allowed list. + 5. **Reporting**: The action collects the API responses and provides a summary + of which entities were successfully added. + + + ### Additional Notes + + * The **List Name** parameter is strictly case-sensitive. If the name does not + match exactly what is configured in Bandura Cyber, the action will fail to find + the list UUID and will not add the entity. + + * If no **Maskbit** is provided, the action defaults to `32`, targeting only the + specific IP address of the entity. capabilities: can_create_case_comments: false can_create_insight: false @@ -247,15 +313,15 @@ Add IP to Allowed Lists: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Adds IP addresses to the 'Allowed List' configuration within the Bandura Cyber - platform, which modifies the active security policy of the external system. + Adds IP address entries to a specified allowed list in the Bandura Cyber platform + via a POST request. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: entity_types: - - ADDRESS + - ADDRESS filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -269,10 +335,11 @@ Add IP to Allowed Lists: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Add IP to Denied Lists: action_product_categories: add_alert_comment: false - add_ioc_to_allowlist: true - add_ioc_to_blocklist: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: true contain_host: false create_ticket: false delete_email: false @@ -282,62 +349,75 @@ Add IP to Allowed Lists: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Add IP to Denied Lists: ai_description: >- + ### General Description + Adds IP Address entities to a specified Denied List in Bandura Cyber. This action - is used to block or restrict network traffic from specific IP addresses by including - them in managed security lists. The action allows for specifying the network mask, - an entry description, and an optional expiration date for the block. + is used to enforce security policies by blocking traffic from specific indicators. + It allows for granular control by specifying CIDR maskbits and expiration dates + for the entries. - ### Parameters + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | List Name | string | Yes | The name of the Denied List where the IP will be - added. Note: This value is case-sensitive. | + | List Name | string | Yes | The exact name of the Denied List in Bandura Cyber + where the IP will be added. Note: This is case-sensitive. | + + | Description | string | No | A descriptive note to associate with the entry in + the denied list. | + + | Maskbit | integer | No | Defines the CIDR range for the IP address. Defaults + to 32 (single host). | + + | Expiration Date | string | No | The date and time when the IP should be automatically + removed from the list. Expected format: `YYYY-MM-DDTHH:MM:SS.SSS+00:00`. | - | Description | string | No | A descriptive note to associate with the IP entry - in the denied list. | - | Maskbit | string | No | Defines the range of IP addresses (CIDR mask) to add. - Defaults to '32' for a single host. | + ### Additional Notes - | Expiration Date | string | No | The date and time when the entity should be - automatically removed from the list (e.g., 2020-01-01T12:00:00.000+00:00). | + The action first performs a lookup to find the internal UUID of the list provided + in the 'List Name' parameter before attempting to add the entity. If the list + name does not exist, the action will fail for that entity. ### Flow Description - 1. **Initialization**: The action retrieves the Bandura Cyber connection details - and the user-provided parameters (List Name, Maskbit, etc.). + 1. **Initialization**: Retrieves API credentials and connection settings from + the integration configuration. + + 2. **Parameter Extraction**: Collects the target list name, description, maskbit, + and expiration date from the action inputs. - 2. **List Identification**: It queries the Bandura Cyber API to find the unique - identifier (UUID) for the Denied List matching the provided 'List Name'. + 3. **Entity Filtering**: Identifies all `ADDRESS` (IP) entities within the current + scope. - 3. **Entity Processing**: It iterates through all IP Address entities associated - with the current alert/case. + 4. **List Lookup**: For each entity, the action queries the Bandura Cyber API + to find the unique identifier (UUID) of the specified Denied List. - 4. **External Mutation**: For each IP entity, it sends a POST request to the Bandura - Cyber API to add the IP address to the identified Denied List with the specified - configuration. + 5. **Entity Addition**: Sends a POST request to the Bandura Cyber API to add the + IP address to the identified Denied List with the provided metadata. - 5. **Reporting**: The action collects the API responses and provides a summary - of which entities were successfully added to the list. + 6. **Result Processing**: Aggregates the API responses and provides a summary + of which entities were successfully added. capabilities: can_create_case_comments: false can_create_insight: false @@ -346,16 +426,15 @@ Add IP to Denied Lists: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Adds the specified IP address entity to a designated Denied List in Bandura - Cyber, which modifies the active security policy and blocking rules of the external - system. + Adds IP address entries to a Denied List within the Bandura Cyber platform, + which modifies the active security policy of the external system. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: entity_types: - - ADDRESS + - ADDRESS filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -369,10 +448,11 @@ Add IP to Denied Lists: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Allowed Domain Lists: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false - add_ioc_to_blocklist: true + add_ioc_to_blocklist: false contain_host: false create_ticket: false delete_email: false @@ -382,53 +462,61 @@ Add IP to Denied Lists: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Allowed Domain Lists: - ai_description: "Retrieves information about Allowed Domain Lists from the Bandura\ - \ Cyber platform. This action allows users to fetch a comprehensive list of all\ - \ allowed domain configurations or filter for a specific list by its name. The\ - \ retrieved data is presented as a data table within the Google SecOps case and\ - \ also attached as a raw JSON file for further analysis.\n\n### Parameters\n|\ - \ Parameter Name | Description | Type | Mandatory | Notes |\n| :--- | :--- | :---\ - \ | :--- | :--- |\n| List Name | The specific name of the allowed domain list\ - \ to retrieve. This field is case-sensitive. | String | No | If omitted, the action\ - \ retrieves all available allowed domain lists. |\n\n### Flow Description\n1.\ - \ **Authentication**: The action establishes a session with the Bandura Cyber\ - \ API using the provided credentials (Username and Password).\n2. **Data Retrieval**:\ - \ It calls the Bandura Cyber API to fetch allowed domain list data. If a `List\ - \ Name` is provided, the results are filtered to match that specific name.\n3.\ - \ **Output Generation**: \n * The raw JSON response is added as an attachment\ - \ named `allowed_domain_lists.txt`.\n * A data table named `Bandura Allowed\ - \ Domain Lists` is created to display the list details in the UI.\n * The\ - \ results are also stored in the action's JSON result object.\n4. **Session Termination**:\ - \ The action explicitly logs out of the Bandura Cyber platform to close the session.\n\ - 5. **Completion**: The action concludes with a success message if lists are found,\ - \ or a failure message if no matching lists exist." + ai_description: "### General Description\nThe **Get Allowed Domain Lists** action\ + \ retrieves information about domain lists configured in the Bandura Cyber 'Allowed'\ + \ category. This action is used to audit current configurations or verify if specific\ + \ domains are part of an existing allowlist. It provides the data in multiple\ + \ formats, including a raw JSON result, a formatted data table, and a text attachment\ + \ for forensic or reporting purposes.\n\n### Parameters Description\n| Parameter\ + \ | Description | Type | Mandatory |\n| :--- | :--- | :--- | :--- |\n| List Name\ + \ | The specific name of the allowed domain list to retrieve. If left empty, the\ + \ action retrieves all available allowed domain lists. Note: This parameter is\ + \ case-sensitive. | String | No |\n\n### Flow Description\n1. **Parameter Extraction:**\ + \ The action retrieves the integration credentials (API Root, Username, Password)\ + \ and the optional `List Name` parameter.\n2. **Authentication:** It establishes\ + \ a session with the Bandura Cyber API using the provided credentials.\n3. **Data\ + \ Retrieval:** The action calls the Bandura Cyber API to fetch allowed domain\ + \ lists. If a `List Name` was provided, it filters the API response to return\ + \ only the matching list.\n4. **Session Termination:** The action logs out of\ + \ the Bandura Cyber session to ensure security.\n5. **Output Generation:** \n\ + \ * It attaches the full JSON response as a file named `allowed_domain_lists.txt`.\n\ + \ * It creates a data table named `Bandura Allowed Domain Lists` within the\ + \ case.\n * It populates the JSON result for use in playbooks.\n\n### Additional\ + \ Notes\n* If no lists are found (either globally or matching the provided name),\ + \ the action will complete with a 'False' result value.\n* This action does not\ + \ require or process specific entities from the case; it operates based on the\ + \ provided parameter or fetches global configuration data." capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: false + can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: null + internal_data_mutation_explanation: >- + The action adds a data table and a file attachment to the case to display the + retrieved domain list information. categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -442,6 +530,7 @@ Get Allowed Domain Lists: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Allowed IP Lists: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -455,55 +544,63 @@ Get Allowed Domain Lists: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Allowed IP Lists: ai_description: >- - Retrieves information about Allowed IPv4 Lists from the Bandura Cyber platform. - This action allows analysts to view all configured allowed IP lists or filter - for a specific list by name. The retrieved data includes list metadata such as - UUIDs, names, and descriptions, which are presented as a data table and a JSON - attachment within the case for further analysis. + ### General Description + Retrieves information about Allowed IPv4 Lists from the Bandura Cyber GMC platform. + This action allows users to fetch metadata for all configured allowed lists or + filter for a specific list by name. The retrieved data includes list UUIDs, names, + descriptions, and status, which are then presented as a data table and a file + attachment within the case. - ### Parameters - | Parameter Name | Description | Type | Mandatory | Notes | + ### Parameters Description + + | Parameter | Type | Mandatory | Description | - | --- | --- | --- | --- | --- | + | :--- | :--- | :--- | :--- | - | List Name | The specific name of the list to retrieve. This field is case-sensitive. - | String | No | If omitted, the action retrieves all available Allowed IPv4 Lists. - | + | List Name | String | No | The specific name of the Allowed IPv4 List to retrieve. + This field is case-sensitive. If left empty, the action returns all available + allowed lists. | ### Flow Description - 1. **Authentication**: The action authenticates with the Bandura Cyber API using - the provided credentials to obtain an access token. + 1. **Authentication**: Connects to the Bandura Cyber API using the provided credentials + to establish a session. + + 2. **Data Retrieval**: Executes a request to the Bandura Cyber API to fetch the + collection of Allowed IPv4 Lists. + + 3. **Filtering**: If a `List Name` is provided, the action filters the returned + data to find the specific list matching that name. - 2. **Data Retrieval**: It requests the collection of Allowed IPv4 Lists from the - Bandura Cyber management console. + 4. **Output Generation**: Formats the retrieved list data into a JSON result, + a CSV-formatted data table, and a text attachment for the case wall. - 3. **Filtering**: If a `List Name` is provided, the action filters the retrieved - collection to find the specific list matching the name. + 5. **Cleanup**: Terminates the session by logging out of the Bandura Cyber manager. - 4. **Output Generation**: The results are processed into three formats: a raw - JSON result, a CSV-formatted data table, and a text file attachment containing - the full JSON response. - 5. **Session Termination**: The action explicitly logs out of the Bandura Cyber - session to ensure security and resource management. + ### Additional Notes + + This action does not process or require any entities from the Google SecOps case; + it operates as a global data retrieval utility. capabilities: can_create_case_comments: false can_create_insight: false @@ -517,7 +614,7 @@ Get Allowed IP Lists: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -531,6 +628,7 @@ Get Allowed IP Lists: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Denied Domain Lists: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -544,76 +642,79 @@ Get Allowed IP Lists: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Denied Domain Lists: ai_description: >- - Retrieves information about denied domain lists from the Bandura Cyber platform. - This action allows users to fetch all available denied domain lists or filter - for a specific list by name. The retrieved data is presented as a data table within - the case and also provided as a raw JSON attachment for detailed analysis. + ### General Description + Retrieves Denied Domain Lists from the Bandura Cyber platform. This action allows + users to fetch all configured denied domain lists or filter for a specific list + by name. The retrieved data is presented as a data table, a JSON result, and a + file attachment for further analysis. - ### Flow Description - 1. **Authentication:** The action authenticates with the Bandura Cyber API using - the provided credentials to obtain an access token. + ### Parameters Description - 2. **Data Retrieval:** It sends a GET request to the Bandura Cyber endpoint to - fetch the denied domain lists. + | Parameter | Description | Type | Mandatory | - 3. **Filtering:** If a 'List Name' parameter is provided, the action filters the - retrieved lists to find an exact, case-sensitive match. + | :--- | :--- | :--- | :--- | - 4. **Output Generation:** The results are processed to create a data table and - a text file attachment containing the raw JSON data. + | List Name | The name of the specific denied domain list to retrieve. This parameter + is case-sensitive. If omitted, the action returns all available denied domain + lists. | String | No | - 5. **Cleanup:** The action performs a logout to terminate the API session. + ### Flow Description - ### Parameters Description + 1. **Authentication**: The action authenticates with the Bandura Cyber API using + the provided Username and Password to obtain an access token. - | Parameter Name | Type | Mandatory | Description | + 2. **Data Retrieval**: It sends a GET request to the Bandura Cyber API to fetch + the denied domain lists. - | :--- | :--- | :--- | :--- | + 3. **Filtering**: If a 'List Name' is provided, the action filters the retrieved + lists to find a match (case-sensitive). - | List Name | String | No | The specific name of the denied domain list to retrieve. - This value is case-sensitive. If omitted, all denied domain lists are returned. - | + 4. **Session Termination**: The action performs a logout to invalidate the session + token. + 5. **Output Generation**: The results are processed and added to the action output + as a JSON result, a formatted data table, and a text file attachment containing + the raw JSON data. - ### Additional Notes - - This action does not operate on specific entities within the case; it performs - a global lookup of configuration data from Bandura Cyber. + ### Additional Notes - - The action will fail if the provided credentials or API Root are incorrect. + This action does not operate on specific entities within the case; it is a global + retrieval action used to audit or verify the state of denied domain lists in Bandura + Cyber. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: >- - The action adds a data table and a file attachment to the Google SecOps case - to display the retrieved domain list information. + internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -627,6 +728,7 @@ Get Denied Domain Lists: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Denied IP Lists: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -640,77 +742,56 @@ Get Denied Domain Lists: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Denied IP Lists: - ai_description: >- - Retrieves denied IPv4 lists from the Bandura Cyber platform. This action allows - users to fetch all denied IP lists or filter for a specific list by name. The - retrieved data is then presented within Google SecOps as a data table, a JSON - result, and a file attachment for further analysis. - - - ### Flow Description - - 1. **Authentication:** Connects to the Bandura Cyber API using provided credentials - (Username and Password) to obtain an access token. - - 2. **Data Retrieval:** Calls the Bandura Cyber API to fetch the denied IPv4 lists. - If a 'List Name' is provided, the results are filtered to match that specific - list. - - 3. **Session Termination:** Logs out of the Bandura Cyber session to ensure security - and resource management. - - 4. **Output Generation:** If lists are found, the action attaches the raw JSON - as a file, constructs a CSV-formatted data table, and sets the action's JSON result. - If no lists are found, it reports the absence of data. - - - ### Parameters Description - - | Parameter Name | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | List Name | string | No | The specific name of the denied IP list to retrieve. - This field is case-sensitive. If left empty, all denied IP lists will be returned. - | - - - ### Additional Notes - - - This action does not operate on specific entities within a case; it performs - a global retrieval of list data from the Bandura Cyber platform. - - - The action requires valid API Root, Username, and Password configuration to - function. + ai_description: "### General Description\nRetrieves information about denied IPv4\ + \ lists from the Bandura Cyber platform. This action allows analysts to view the\ + \ metadata of existing denied lists, which is useful for verifying configurations\ + \ or identifying specific list UUIDs for subsequent management actions.\n\n###\ + \ Parameters Description\n| Parameter Name | Type | Mandatory | Description |\n\ + | :--- | :--- | :--- | :--- |\n| List Name | String | No | The specific name of\ + \ the denied IP list to retrieve. If provided, the action filters the results\ + \ to match this name (case-sensitive). If omitted, all denied IP lists are returned.\ + \ |\n\n### Additional Notes\nThis action does not process specific entities; it\ + \ retrieves global list information from the Bandura Cyber integration. The results\ + \ are provided as a data table and a file attachment for analyst review.\n\n###\ + \ Flow Description\n1. **Authentication**: Establishes a session with the Bandura\ + \ Cyber API using the configured credentials.\n2. **Data Retrieval**: Executes\ + \ a GET request to the `/denied-lists/ipv4` endpoint to fetch all denied IP lists.\n\ + 3. **Filtering**: If the `List Name` parameter is provided, the action filters\ + \ the API response to find the specific list matching that name.\n4. **Output\ + \ Generation**: \n * Adds the raw JSON response as a file attachment named\ + \ `denied_ip_lists.txt` to the case.\n * Constructs a data table named `Bandura\ + \ Denied IP Lists` containing the list details.\n * Returns the list data\ + \ as a JSON result for use in downstream playbook logic.\n5. **Session Termination**:\ + \ Logs out of the Bandura Cyber API." capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: >- - The action adds a data table and a file attachment to the Google SecOps case - containing the retrieved denied IP list information. + internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -724,6 +805,7 @@ Get Denied IP Lists: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -737,61 +819,73 @@ Get Denied IP Lists: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: ai_description: >- - Tests connectivity to the Bandura Cyber platform. This action validates the integration - configuration by attempting to authenticate with the provided credentials and - then logging out. It ensures that the API Root, Username, and Password are correct - and that the network connection is functional. + ### General Description + Tests the connectivity between Google SecOps and the Bandura Cyber GMC (Global + Management Center) API. This action verifies that the integration can successfully + authenticate using the provided configuration credentials and reach the specified + API endpoint. - ### Flow Description - 1. **Initialization**: The action retrieves the integration configuration parameters, - including API Root, Username, Password, and SSL verification settings. + ### Parameters Description + + This action does not have any action-specific parameters. It utilizes the following + integration configuration parameters: - 2. **Authentication**: It instantiates the `BanduraCyberManager`, which automatically - attempts to log in to the Bandura Cyber API to obtain an access token via a POST - request. + | Parameter | Type | Mandatory | Description | - 3. **Session Termination**: The action calls the `logout` method to close the - session immediately after testing the connection. + | :--- | :--- | :--- | :--- | - 4. **Result Validation**: It checks if an access token was successfully generated. - If so, it reports a successful connection; otherwise, it reports a failure. + | API Root | String | Yes | The base URL for the Bandura Cyber API. | + | Username | String | Yes | The username used for authentication. | - ### Parameters Description + | Password | String | Yes | The password used for authentication. | - | Parameter | Type | Mandatory | Description | + | Verify SSL | Boolean | No | If enabled, the action will verify the SSL certificate + of the API server. | - | :--- | :--- | :--- | :--- | - | API Root | String | Yes | The base URL of the Bandura Cyber API instance. | + ### Flow Description - | Username | String | Yes | The username used for API authentication. | + 1. **Configuration Extraction**: Retrieves the API Root, Username, Password, and + SSL verification settings from the integration's global configuration. - | Password | String | Yes | The password used for API authentication. | + 2. **Authentication Attempt**: Initializes the `BanduraCyberManager`, which automatically + attempts to log in to the Bandura Cyber API via a POST request to the `/auth/login` + endpoint to obtain an access token. - | Verify SSL | Boolean | No | If enabled, the action will verify the SSL certificate - of the API endpoint. Defaults to False. | + 3. **Session Termination**: Immediately calls the `logout` method to close the + session created during the connectivity test via a POST request to the `/auth/logout` + endpoint. + + 4. **Connectivity Validation**: Evaluates whether an access token was successfully + obtained during the login process. + + 5. **Status Reporting**: Outputs a 'Connection Established' message if successful, + or 'Connection Failed' if the authentication or network request failed. ### Additional Notes - * This action does not process any entities and is purely for diagnostic purposes. + This is a health-check action and does not interact with any entities or modify + any data within the SOAR or the external system. capabilities: can_create_case_comments: false can_create_insight: false @@ -805,7 +899,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -819,28 +913,3 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/community/be_secure/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/be_secure/resources/ai/actions_ai_description.yaml index b98a634e9..994424f18 100644 --- a/content/response_integrations/third_party/community/be_secure/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/be_secure/resources/ai/actions_ai_description.yaml @@ -1,48 +1,65 @@ Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Ping** action is designed to verify the connectivity and authentication - between Google SecOps and the beSECURE (Beyond Security) platform. It performs - a test API call to retrieve network information, ensuring that the provided URL - and API Key are valid and that the network path is open. + The **Ping** action is designed to verify the connectivity between the Google + SecOps (Chronicle) environment and the **beSECURE** server. It ensures that the + provided URL and API Key are valid and that the network path is open by attempting + to retrieve a list of networks from the beSECURE API. ### Parameters Description - There are no input parameters for this action. It relies entirely on the integration's - global configuration (URL, API Key, and SSL verification settings). - - - ### Additional Notes - - - This action is primarily used for troubleshooting and initial setup validation. - - - It specifically attempts to call the `returnnetworks` action on the beSECURE - API. - - - The API Key is automatically sanitized to remove non-alphanumeric characters - (except hyphens) before the request is made. + There are no action-specific parameters for this action. It relies entirely on + the integration's global configuration (URL, API Key, and SSL verification settings). ### Flow Description - 1. **Configuration Retrieval**: The action fetches the integration's global settings, - including the API Key, Base URL, and SSL verification preference. + 1. **Configuration Retrieval:** The action fetches the integration's global settings, + including the API Key, Server URL, and SSL verification preference. - 2. **URL Formatting**: It ensures the URL is prefixed with the correct protocol - (HTTP/HTTPS). + 2. **Data Sanitization:** The API Key is cleaned of non-alphanumeric characters, + and the URL is formatted to ensure it includes the correct protocol (HTTPS/HTTP). - 3. **API Key Sanitization**: It cleans the API Key using a regular expression - to ensure only valid characters are sent. + 3. **Connectivity Test:** The action performs a GET request to the beSECURE `/json.cgi` + endpoint using the `returnnetworks` action parameter to test the credentials and + connectivity. - 4. **Connectivity Test**: It executes a GET request to the beSECURE `/json.cgi` - endpoint with hardcoded parameters (`primary="admin"`, `secondary="networks"`, - `action="returnnetworks"`) to simulate a data retrieval task. + 4. **Validation:** The script checks the JSON response for any error keys returned + by the beSECURE API. - 5. **Validation**: The action checks the JSON response for an "error" key. If - an error is found or the request fails, the action reports a failure. Otherwise, - it returns a successful execution state. + 5. **Result Reporting:** If the request is successful and no errors are found, + the action completes with a success status. If an error is detected or the request + fails, it reports a failure. capabilities: can_create_case_comments: false can_create_insight: false @@ -56,7 +73,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -70,28 +87,3 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/community/be_secure/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/be_secure/resources/ai/connectors_ai_description.yaml index bbd1359e6..d35f9a885 100644 --- a/content/response_integrations/third_party/community/be_secure/resources/ai/connectors_ai_description.yaml +++ b/content/response_integrations/third_party/community/be_secure/resources/ai/connectors_ai_description.yaml @@ -2,11 +2,11 @@ Pull reports: ai_description: >- ### General Description - This connector integrates with Beyond Security's **beSECURE**, a Vulnerability - Assessment and Management solution. It automatically pulls vulnerability scan - reports and ingests them into Google SecOps as alerts and events. The connector - identifies vulnerable hosts, assesses their risk levels, and provides detailed - information about the vulnerabilities found during network scans. + The beSECURE connector integrates Google SecOps with Beyond Security's beSECURE + Vulnerability Assessment and Management solution. It automatically retrieves vulnerability + scan results for networks and hosts, converting identified vulnerabilities into + actionable alerts. This allows security teams to monitor scan progress and respond + to newly discovered vulnerabilities directly within the SOAR platform. ### Parameters Description @@ -15,53 +15,53 @@ Pull reports: | :--- | :--- | :--- | :--- | - | URL | String | Yes | The base URL of the beSECURE instance (e.g., `https://besecure.company.com`). - | + | Verify SSL Ceritifcate? | Boolean | No | If set to true, the connector will + verify the SSL certificate of the beSECURE server. | - | API Key | Password | Yes | The API Key used to authenticate requests to the - beSECURE API. | + | Check Every X Minutes | String | Yes | The lookback window (in minutes) to check + for completed scans during each execution. | - | Check Every X Minutes | String | Yes | The time interval (in minutes) to look - back for completed scans. | + | URL | String | Yes | The base URL of the beSECURE instance (e.g., `https://besecure.yourdomain.com`). + | - | Verify SSL Certificate? | Boolean | No | If set to true, the connector will - verify the SSL certificate of the beSECURE server. | + | API Key | Password | Yes | The API key required to authenticate with the beSECURE + JSON API. | - | DeviceProductField | String | Yes | The field name used to determine the device - product in the ingested data. | + | DeviceProductField | String | Yes | The field name used to identify the device + product in the ingested events (default: beSECURE Pull Reports). | | EventClassId | String | No | The field name used to determine the event name or sub-type. | - | PythonProcessTimeout | String | Yes | The maximum time (in seconds) allowed - for the connector script to run. | + | PythonProcessTimeout | String | Yes | The maximum execution time allowed for + the connector script in seconds. | ### Flow Description - 1. **Connection**: The connector establishes a connection to the beSECURE API - using the provided URL and API Key. + 1. **Initialization**: The connector extracts configuration parameters and cleans + the API key of any non-alphanumeric characters. - 2. **Scan Discovery**: It queries for network scans that have finished within - the specified lookback window (defined by the 'Check Every X Minutes' parameter). + 2. **Scan Discovery**: It queries the beSECURE API (`returnnetworks` action) to + identify scans that have finished within the specified rotation time. 3. **Deduplication**: The connector maintains a local state file (`previous_scans.json`) - to track processed scan IDs and scan numbers, ensuring that the same report is - not ingested multiple times. + to track processed scan IDs and scan numbers, ensuring that duplicate alerts are + not created for the same scan results. 4. **Report Retrieval**: For each new scan identified, the connector fetches the - full vulnerability report in JSON format. + detailed vulnerability report in JSON format using the `getreport` action. - 5. **Vulnerability Filtering**: It parses the report and filters for vulnerable - hosts that have a `RiskFactor` of 1 or higher. + 5. **Vulnerability Parsing**: It iterates through the `VulnerableHosts` list. + It filters out vulnerabilities with a `RiskFactor` of 0 (informational) to focus + on actionable security risks. - 6. **Alert Mapping**: Each vulnerability is mapped to a Google SecOps alert. The - priority is determined by the `RiskFactor` (1 maps to Low, 4 to Medium, and 8 - to High). + 6. **Alert Creation**: For each valid vulnerability, it creates a Google SecOps + alert. The alert priority is dynamically mapped based on the beSECURE `RiskFactor` + (8 = High, 4 = Medium, 1 = Low). - 7. **Event Creation**: Detailed event data is generated for each vulnerability, - including the Host ID, Destination Address, Port, Protocol, and the specific Test - Category/ID. + 7. **Event Mapping**: Detailed host information, including HostID, Port, Service, + and TestID, is mapped into the event structure associated with the alert. - 8. **Ingestion**: The mapped alerts and events are packaged and sent to Google - SecOps for case creation and alert creation. + 8. **Ingestion**: The final set of alerts and events is returned to Google SecOps + for case creation and further investigation. diff --git a/content/response_integrations/third_party/community/bitdefender_gravity_zone/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/bitdefender_gravity_zone/resources/ai/actions_ai_description.yaml index f6c81f601..96b63eadc 100644 --- a/content/response_integrations/third_party/community/bitdefender_gravity_zone/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/bitdefender_gravity_zone/resources/ai/actions_ai_description.yaml @@ -1,43 +1,82 @@ Blocklist - Add Hashes: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: true + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - Adds one or more file hashes to the Bitdefender GravityZone blocklist. This action - allows security teams to proactively block malicious files across their managed - endpoints by providing a list of MD5 or SHA256 hashes. The action validates the - hash format, categorizes them by type, and submits them to the GravityZone Control + Adds one or more file hashes to the Bitdefender GravityZone Blocklist to prevent + execution or interaction within the protected environment. This action supports + both MD5 and SHA256 hash formats. It parses a comma-separated list of hashes provided + by the user, categorizes them by type, and submits them to the Bitdefender Control Center with associated source information for context. - ### Parameters Description + ### Flow Description: + 1. **Configuration Extraction:** Retrieves the API Key, Access URL, and SSL verification + settings from the integration configuration. - | Parameter | Type | Mandatory | Description | + 2. **Parameter Retrieval:** Extracts the 'Hash List' (comma-separated string) + and 'Source Info' from the action parameters. - | :--- | :--- | :--- | :--- | + 3. **Connection Initialization:** Establishes a connection to the Bitdefender + GravityZone Control Center using the provided credentials. - | Hash List | string | True | A comma-separated list of SHA256 or MD5 hashes to - be added to the blocklist. | + 4. **Hash Categorization:** Splits the input string into individual hashes and + uses regular expressions to distinguish between MD5 and SHA256 formats. - | Source Info | string | True | A description or context for the hashes (e.g., - 'Determined to be malicious' or 'IOC from threat report'). | + 5. **API Submission:** Performs separate API calls to the Bitdefender 'addToBlocklist' + endpoint for each hash type (MD5 and SHA256) found in the list. + 6. **Result Handling:** Returns a JSON summary of the hashes successfully processed + and categorized. - ### Flow Description + ### Parameters Description: - 1. **Initialization**: Connects to the Bitdefender GravityZone Control Center - using the provided API Key and Access URL. + | Parameter Name | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | - 2. **Parsing**: Splits the provided 'Hash List' string into individual hash values. + | Hash List | String | Yes | A comma-separated list of file hashes to be blocked. + Supports MD5 (32 chars) and SHA256 (64 chars). | - 3. **Validation and Categorization**: Iterates through the hashes, using regex - to identify whether each is an MD5 or SHA256 hash. Any unsupported hash formats - will cause the action to fail. + | Source Info | String | Yes | A descriptive string providing context or a reason + for why these hashes are being added to the blocklist (e.g., 'Determined to be + malicious'). | - 4. **Submission**: Sends separate API requests to the Bitdefender GravityZone - 'addToBlocklist' endpoint for the collected SHA256 hashes and MD5 hashes. - 5. **Completion**: Returns a JSON result containing the lists of successfully - processed hashes categorized by type. + ### Additional Notes: + + - If a hash is provided that does not match the MD5 or SHA256 format, the action + will raise an error and fail to process the list. + + - This action does not automatically iterate over entities in the current case; + it relies strictly on the manual input provided in the 'Hash List' parameter. capabilities: can_create_case_comments: false can_create_insight: false @@ -47,14 +86,14 @@ Blocklist - Add Hashes: can_update_entities: false external_data_mutation_explanation: >- Adds file hashes to the Bitdefender GravityZone blocklist, which changes the - security policy state in the external system to prevent the execution of those - files. + security policy state in the external system to prevent the execution of files + matching those hashes. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -68,10 +107,11 @@ Blocklist - Add Hashes: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Blocklist - List Items: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false - add_ioc_to_blocklist: true + add_ioc_to_blocklist: false contain_host: false create_ticket: false delete_email: false @@ -81,74 +121,69 @@ Blocklist - Add Hashes: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Blocklist - List Items: ai_description: >- ### General Description - This action retrieves a comprehensive list of all file hashes (such as MD5 and - SHA256) currently stored in the Bitdefender GravityZone blocklist. It is primarily - used for auditing existing security controls, verifying blocked indicators, or - synchronizing threat intelligence across multiple security platforms. The action - interacts with the Bitdefender GravityZone Incidents API and handles pagination - automatically to ensure the entire blocklist is captured. + This action retrieves the complete list of file hashes (MD5 and SHA256) currently + stored in the Bitdefender GravityZone blocklist. It is a utility action used to + audit or synchronize the state of blocked indicators within the GravityZone environment. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Authentication**: Connects to the Bitdefender GravityZone Control Center + using the provided API Key and Access URL. - | :--- | :--- | :--- | :--- | + 2. **Data Retrieval**: Calls the `getBlocklistItems` API method via the Incidents + service. - | Use JSON Filter | String | No | A flag or configuration string used to determine - if the results should be filtered using JSON logic. Note: The current implementation - fetches the full list. | + 3. **Pagination Handling**: Automatically iterates through all result pages to + ensure the entire blocklist is captured. - | Filter | String | No | Specific criteria used to filter the blocklist items - retrieved from the server. | + 4. **Output**: Aggregates the retrieved items and returns them as a JSON result + for use in subsequent playbook steps. - | Parent ID | String | No | The unique identifier of a parent group or container - to narrow down the scope of the blocklist. | - | Endpoints | String | No | Specifies the endpoint scope (e.g., 'Managed', 'Unmanaged') - to consider when listing blocklist items. | + ### Parameters Description + | Parameter | Type | Mandatory | Description | - ### Flow Description + | :--- | :--- | :--- | :--- | - 1. **Authentication**: The action initializes a connection to the Bitdefender - GravityZone Control Center using the provided API Key and Access URL. + | Use JSON Filter | String | No | Placeholder parameter. Currently not utilized + by the underlying API logic for this specific action. | - 2. **Request Initiation**: It calls the `getBlocklistItems` method via a POST - request to the Incidents API endpoint. + | Filter | String | No | Placeholder parameter. Currently not utilized by the + underlying API logic for this specific action. | - 3. **Pagination Handling**: The action checks for multiple pages of results. If - more than one page exists, it iteratively fetches all subsequent pages to compile - a complete list of hashes. + | Parent ID | String | No | Placeholder parameter. Currently not utilized by the + underlying API logic for this specific action. | - 4. **Data Output**: The final compiled list of blocklist objects is returned as - a JSON result and made available for subsequent playbook steps. + | Endpoints | String | No | Placeholder parameter. Currently not utilized by the + underlying API logic for this specific action. | ### Additional Notes - * This action does not require or process specific entities from the SOAR case; - it performs a global retrieval of the blocklist configuration. - - * Although parameters like 'Filter' and 'Parent ID' are extracted, the underlying - manager method for listing blocklist items currently requests the full set of - items from the API. + While the action script extracts several parameters (Use JSON Filter, Filter, + Parent ID, Endpoints), the current implementation of the `blocklist_hashes_list` + method in the integration manager does not apply these filters to the API request. + The action will return the full blocklist regardless of these inputs. capabilities: can_create_case_comments: false can_create_insight: false @@ -162,7 +197,7 @@ Blocklist - List Items: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -176,6 +211,7 @@ Blocklist - List Items: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Blocklist - Remove Item: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -189,58 +225,58 @@ Blocklist - List Items: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false + remove_ioc_from_blocklist: true reset_identity_password: false + search_asset: false search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Blocklist - Remove Item: ai_description: >- - Removes a specific hash entry from the Bitdefender GravityZone blocklist using - its unique Hash ID. This action is used to manage and clean up the blocklist by - targeting specific items previously added to the security environment's restricted - list. + Removes a specific item from the Bitdefender GravityZone blocklist using its unique + identifier (Hash ID). This action is used to restore the reputation or execution + rights of a file hash that was previously blocked within the GravityZone environment. - ### Flow Description + ### Flow Description: 1. **Authentication**: Connects to the Bitdefender GravityZone Control Center using the provided API Key and Access URL. - 2. **Parameter Extraction**: Retrieves the mandatory `Hash ID` from the action - parameters. + 2. **Parameter Extraction**: Retrieves the mandatory `Hash ID` parameter provided + by the user. 3. **API Execution**: Calls the `removeFromBlocklist` method via the Bitdefender - API, passing the specific Hash ID. + API, passing the specific `hashItemId`. 4. **Result Handling**: Evaluates the API response to determine if the removal - was successful and reports the final status to the SOAR platform. + was successful and reports the final status to the Google SecOps platform. - ### Parameters Description + ### Parameters Description: - | Parameter | Description | Type | Mandatory | + | Parameter Name | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Hash ID | The unique identifier (UUID) of the item in the Bitdefender Blocklist - that needs to be deleted. | String | Yes | - + | Hash ID | String | Yes | The unique identifier (UUID) of the item in the Bitdefender + Blocklist that needs to be deleted. Example: `0df7568c-59c1-48e0-a31b-18d83e6d9810`. + | - ### Additional Notes - * This action does not process entities from the case; it operates strictly on - the provided `Hash ID` parameter. + ### Additional Notes: - * The Hash ID is typically obtained from a previous 'List Blocklist' action or - external Bitdefender logs. + - This action does not run on entities automatically; it requires the specific + internal ID of the blocklist entry, which is typically obtained from a previous + 'List Blocklist' action or external search. capabilities: can_create_case_comments: false can_create_insight: false @@ -249,14 +285,14 @@ Blocklist - Remove Item: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Removes a specific hash entry from the Bitdefender GravityZone blocklist, effectively - changing the security policy state in the external system. + Removes a hash entry from the Bitdefender GravityZone blocklist, effectively + unblocking that file hash in the external security system. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -270,6 +306,7 @@ Blocklist - Remove Item: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Create Scan Task: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -282,80 +319,78 @@ Blocklist - Remove Item: enable_identity: false enrich_asset: false enrich_ioc: false - execute_command_on_the_host: false + execute_command_on_the_host: true + get_alert_information: false remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: true + remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Create Scan Task: ai_description: >- - ### General Description + Initiates a scan task on specified endpoints or containers within Bitdefender + GravityZone. This action allows users to trigger various types of scans, including + Quick, Full, Memory, and Custom scans, to identify potential threats on target + systems. - This action creates and initiates a scan task in Bitdefender GravityZone for specified - target IDs. It allows security teams to remotely trigger various types of scans - (Quick, Full, Memory, or Custom) on endpoints or containers to identify potential - threats. For custom scans, users can further define the scan depth and specific - file paths to be analyzed. + ### Flow Description: - ### Parameters Description - - | Parameter | Type | Mandatory | Description | + 1. **Configuration Extraction:** Retrieves the API Key, Access URL, and SSL verification + settings from the integration configuration. - | :--- | :--- | :--- | :--- | + 2. **Parameter Parsing:** Extracts the target IDs, scan type, and optional custom + scan settings (depth and paths) from the action parameters. - | Target IDs | String | Yes | A comma-separated list of IDs representing the endpoints - or containers to be scanned. | + 3. **API Connection:** Establishes a connection to the Bitdefender GravityZone + Control Center using the provided credentials. - | Scan Type | DDL | Yes | The type of scan to perform. Options include: Quick, - Full, Memory, or Custom. | + 4. **Task Creation:** Maps the user-provided scan settings to the Bitdefender + API format and sends a request to create the scan task for the specified targets. - | Task Name | String | No | An optional name for the scan task. If not provided, - Bitdefender will automatically generate a name. | + 5. **Result Reporting:** Returns a success or failure status based on whether + the task was successfully created in the external system. - | Custom Scan - Depth | DDL | No | Specifies the scan intensity for 'Custom' scan - types. Options: Aggressive, Normal, or Permissive. Defaults to Normal. | - | Custom Scan - Paths | String | No | A comma-separated list of target paths to - be scanned. This is only utilized when the Scan Type is set to 'Custom'. | + ### Parameters Description: + | Parameter | Type | Mandatory | Description | - ### Additional Notes + | :--- | :--- | :--- | :--- | - * **Discrepancy Note:** While the metadata description in the configuration - file mentions isolating endpoints, the actual implementation logic and API calls - are strictly for creating scan tasks. + | Target IDs | string | Yes | A comma-separated list of the IDs of the targets + to scan. These IDs can represent endpoints or containers. | - * **Custom Scan Logic:** The 'Custom Scan - Depth' and 'Custom Scan - Paths' - parameters are only processed by the Bitdefender API when the 'Scan Type' is set - to 'Custom'. + | Scan Type | ddl | Yes | The type of scan to perform. Options include: Quick, + Full, Memory, or Custom. | + | Task Name | string | No | The name to assign to the task. If not provided, the + system generates a name automatically. | - ### Flow Description + | Custom Scan - Depth | ddl | No | The scan profile depth (Aggressive, Normal, + Permissive). This is only utilized when the 'Scan Type' is set to 'Custom'. | - 1. **Configuration Extraction:** Retrieves the API Key, Access URL, and SSL verification - settings from the integration configuration. + | Custom Scan - Paths | string | No | A comma-separated list of target paths to + be scanned. This is only utilized when the 'Scan Type' is set to 'Custom'. | - 2. **Parameter Extraction:** Collects the target IDs, scan type, task name, and - custom scan settings from the action inputs. - 3. **Manager Initialization:** Initializes the Bitdefender GravityZone Manager - using the provided credentials. + ### Additional Notes: - 4. **Task Creation:** Sends a POST request to the Bitdefender API's `createScanTask` - method with the mapped scan parameters and target IDs. + * **Note on Description:** While the internal metadata description mentions isolation, + the actual logic and parameters of this action are strictly for creating scan + tasks. - 5. **Result Handling:** Evaluates the API response and ends the action with a - success or failure status based on whether the task was successfully created in - the external system. + * **Custom Scans:** When selecting 'Custom' as the Scan Type, ensure that 'Custom + Scan - Depth' and 'Custom Scan - Paths' are configured to define the scope of + the scan. capabilities: can_create_case_comments: false can_create_insight: false @@ -364,14 +399,14 @@ Create Scan Task: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new scan task record and initiates a scanning process on remote endpoints - within the Bitdefender GravityZone environment. + Creates a new scan task in the Bitdefender GravityZone Control Center for the + specified target endpoints or containers. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -385,6 +420,7 @@ Create Scan Task: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Create Scan Task by MAC Address: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -398,71 +434,83 @@ Create Scan Task: enrich_asset: false enrich_ioc: false execute_command_on_the_host: true + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Create Scan Task by MAC Address: ai_description: >- - Generates a scan task for managed endpoints in Bitdefender GravityZone identified - by their MAC addresses. This action allows security administrators to remotely - trigger various types of scans (Quick, Full, Memory, or Custom) on specific devices - to identify potential threats. It supports scanning up to 100 MAC addresses in - a single execution and allows for detailed configuration when performing custom - scans, including scan depth and specific file paths. + ### General Description + The **Create Scan Task by MAC Address** action allows analysts to trigger on-demand + malware scans on specific endpoints within the Bitdefender GravityZone environment + using their MAC addresses. This action is primarily used for immediate forensic + investigation or remediation when specific hosts are suspected of being compromised. - ### Parameters Description + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | MAC Addresses | String | Yes | A comma-separated list of MAC addresses for the - endpoints to be scanned. Maximum of 100 addresses allowed. | + | **MAC Addresses** | String | Yes | A comma-separated list of MAC addresses for + the target endpoints. A maximum of 100 addresses can be processed in a single + request. | - | Scan Type | DDL | Yes | The type of scan to perform. Options: Quick, Full, Memory, - Custom. | + | **Scan Type** | DDL | Yes | Specifies the type of scan to perform. Available + options: `Quick`, `Full`, `Memory`, or `Custom`. | - | Task Name | String | No | A custom name for the scan task. If omitted, Bitdefender - will automatically generate a name. | + | **Task Name** | String | No | A custom name for the scan task. If omitted, Bitdefender + will generate a name automatically. | - | Custom Scan - Depth | DDL | No | The scanning intensity. Options: Aggressive, - Normal, Permissive. Only applicable if 'Scan Type' is set to 'Custom'. | + | **Custom Scan - Depth** | DDL | No | Defines the thoroughness of the scan. Options: + `Aggressive`, `Normal`, `Permissive`. This is only utilized when **Scan Type** + is set to `Custom`. | - | Custom Scan - Paths | String | No | A comma-separated list of target file paths - to be scanned. Only applicable if 'Scan Type' is set to 'Custom'. | + | **Custom Scan - Paths** | String | No | A comma-separated list of specific file + system paths to scan. This is only utilized when **Scan Type** is set to `Custom`. + | - ### Flow Description + ### Additional Notes + - The action validates that no more than 100 MAC addresses are submitted at once + to comply with Bitdefender API limits. - 1. **Configuration Extraction:** Retrieves the Bitdefender API Key, Access URL, - and SSL verification settings from the integration configuration. + - The endpoints must be 'Managed' within GravityZone for the scan task to be successfully + created. - 2. **Parameter Parsing:** Extracts the target MAC addresses, scan type, task name, - and custom scan settings from the action input. - 3. **Manager Initialization:** Establishes a connection to the Bitdefender GravityZone - Control Center using the provided credentials. + ### Flow Description - 4. **Validation:** Checks if the number of MAC addresses provided exceeds the + 1. **Authentication**: The action authenticates with the Bitdefender GravityZone + Control Center using the configured API Key and Access URL. + + 2. **Input Parsing**: It extracts the list of MAC addresses and the desired scan + configuration (type, depth, and paths). + + 3. **Validation**: The action checks if the number of MAC addresses exceeds the limit of 100. - 5. **Task Creation:** Sends a JSON-RPC request to the Bitdefender API (method: - `createScanTaskByMac`) with the mapped scan parameters and target identifiers. + 4. **API Mapping**: Human-readable scan types and depths are converted into the + specific integer codes required by the Bitdefender JSON-RPC API. + + 5. **Task Execution**: The action sends a `createScanTaskByMac` request to the + Bitdefender Network API. - 6. **Result Handling:** Reports whether the scan task was successfully created - in the external system. + 6. **Result Reporting**: The action concludes with a success or failure message + based on the response from the Bitdefender platform. capabilities: can_create_case_comments: false can_create_insight: false @@ -471,14 +519,14 @@ Create Scan Task by MAC Address: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new scan task in the Bitdefender GravityZone environment, which triggers - an active security operation on the target endpoints. + Initiates a new malware scan task on the specified endpoints within the Bitdefender + GravityZone environment. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -492,6 +540,7 @@ Create Scan Task by MAC Address: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Custom Groups List: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -504,60 +553,67 @@ Create Scan Task by MAC Address: enable_identity: false enrich_asset: false enrich_ioc: false - execute_command_on_the_host: true + execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Custom Groups List: ai_description: >- ### General Description - The **Get Custom Groups List** action retrieves a list of child groups associated - with a specific parent group within Bitdefender GravityZone. This utility is designed - to help analysts navigate the organizational structure of managed endpoints. If - no `Parent ID` is provided, the action defaults to returning the root-level groups, - specifically 'Computers and Groups' and 'Deleted'. + Retrieves a list of child groups associated with a specific parent group within + the Bitdefender GravityZone environment. This action is primarily used to explore + the organizational structure of managed endpoints and identify group hierarchies + for administrative or investigative purposes. ### Parameters Description + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Parent ID** | String | No | The unique identifier of the parent group for - which child groups should be listed. If left empty, the action retrieves the top-level - groups. | + | Parent ID | String | No | The unique identifier of the parent group for which + child groups should be listed. If this parameter is null or left empty, the action + returns the default 'Computers and Groups' and 'Deleted' groups. | ### Flow Description - 1. **Authentication**: Establishes a connection to the Bitdefender GravityZone - Control Center using the provided API Key and Access URL. + 1. **Authentication**: The action establishes a secure connection to the Bitdefender + GravityZone Control Center using the configured API Key and Access URL. + + 2. **Parameter Extraction**: It retrieves the `Parent ID` from the action parameters. - 2. **Request**: Executes the `getCustomGroupsList` JSON-RPC method via a POST - request to the Network API endpoint. + 3. **API Request**: It executes a JSON-RPC request using the `getCustomGroupsList` + method to the Bitdefender Network API endpoint. - 3. **Processing**: Passes the `Parent ID` (if provided) to filter the results - to a specific branch of the group tree. + 4. **Data Processing**: The action validates the response from the manager and + extracts the list of group items. - 4. **Output**: Returns the resulting list of groups and their metadata in a JSON - format for use in subsequent playbook steps. + 5. **Output**: The retrieved group data is added to the action's JSON results + for use in subsequent playbook logic. ### Additional Notes - - This action does not operate on specific SOAR entities; it is a utility for - querying the Bitdefender environment structure. + - This action does not operate on specific entities (like IPs or Hostnames) but + rather retrieves global organizational data. + + - If no `Parent ID` is provided, the action defaults to the root level of the + group hierarchy. capabilities: can_create_case_comments: false can_create_insight: false @@ -569,9 +625,9 @@ Get Custom Groups List: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -585,6 +641,7 @@ Get Custom Groups List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Endpoints List: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -598,58 +655,60 @@ Get Custom Groups List: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: true search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Endpoints List: ai_description: >- - ### General Description + Retrieves a comprehensive list of endpoints from Bitdefender GravityZone based + on specified filtering criteria. This action allows analysts to search for endpoints + by name, MAC address, SSID, or management status (Managed, Unmanaged, or All). + It also supports filtering by specific roles such as Security Servers, Managed + Relays, and Managed Exchange Servers. The action handles pagination automatically + to ensure all matching results are returned and provides the data in a structured + JSON format for further processing. - Retrieves a comprehensive list of endpoints from the Bitdefender GravityZone Control - Center. This action allows analysts to query the network inventory and filter - results based on management status, specific roles (like Relays or Exchange servers), - and identifiers such as MAC addresses or SSIDs. It is primarily used for asset - discovery and visibility within the Bitdefender environment. + ### Flow Description: - ### Parameters Description + 1. **Authentication**: Connects to the Bitdefender GravityZone Control Center + using the provided API Key and Access URL. - | Parameter | Type | Mandatory | Description | + 2. **Parameter Extraction**: Retrieves filtering parameters including Parent ID, + endpoint management status, and specific attribute filters (Name, MAC, SSID). - | :--- | :--- | :--- | :--- | + 3. **API Request**: Executes the `getEndpointsList` method against the Bitdefender + Network API. - | **Endpoints** | DDL | Yes | Determines whether to return 'All', 'Managed', or - 'Unmanaged' endpoints. | + 4. **Pagination Handling**: Iterates through all available pages of results if + the response exceeds the single-page limit. - | **Parent ID** | String | No | The ID of the target company or group to narrow - the search scope. | + 5. **Output**: Returns the aggregated list of endpoints as a JSON result and completes + the execution. - | **Filter - SSID** | String | No | Filters endpoints by their Active Directory - Security Identifier (SID). | - | **Filter - Depth - All Items Recursively** | Boolean | No | If true, searches - all endpoints recursively within the company's network inventory. | + ### Parameters Description: - | **Filter - Security Servers** | Boolean | No | Filters the list to include only - Security Servers. | + | Parameter | Type | Mandatory | Description | - | **Filter - Managed Relays** | Boolean | No | Filters the list to include only - endpoints with the Relay role. | + | :--- | :--- | :--- | :--- | - | **Filter - Managed Exchange Servers** | Boolean | No | Filters the list to include - only protected Exchange servers. | + | **Endpoints** | DDL | Yes | Determines whether to return 'All', 'Managed', or + 'Unmanaged' endpoints. | - | **Filter - Managed with BEST** | Boolean | No | Filters for endpoints that have - the Bitdefender Endpoint Security Tools (BEST) agent installed. | + | **Parent ID** | String | No | The ID of the target company or group to narrow + the search scope. | | **Filter - Name** | String | No | Filters items by name. Requires a minimum of three characters. | @@ -657,33 +716,32 @@ Get Endpoints List: | **Filter - MAC Addresses** | String | No | A comma-separated list of MAC addresses to filter the endpoints. | + | **Filter - SSID** | String | No | The Active Directory SID of the endpoint used + for filtering. | - ### Additional Notes - - - The **Filter - Name** parameter requires at least 3 characters to be processed - by the Bitdefender API; otherwise, the action will raise an error. + | **Filter - Managed with BEST** | Boolean | No | If true, filters for endpoints + with the Bitdefender Endpoint Security Tools (BEST) agent installed. | - - This action does not operate on specific SOAR entities but rather performs a - global query against the Bitdefender inventory. + | **Filter - Managed Exchange Servers** | Boolean | No | If true, filters for + protected Exchange servers. | + | **Filter - Managed Relays** | Boolean | No | If true, filters for endpoints + with the Relay role. | - ### Flow Description + | **Filter - Security Servers** | Boolean | No | If true, filters for Security + Servers. | - 1. **Initialization**: Extracts integration configuration (API Key, URL) and action - parameters (filters). + | **Filter - Depth - All Items Recursively** | Boolean | No | If true, performs + a recursive search within the Network Inventory. | - 2. **Connection**: Establishes a session with the Bitdefender GravityZone API - using Basic Authentication. - 3. **Request Construction**: Builds a JSON-RPC request for the `getEndpointsList` - method, applying all provided filters. + ### Additional Notes: - 4. **Data Retrieval**: Executes the request. If the results span multiple pages, - the action automatically iterates through all pages to collect the full list of - endpoints. + - The **Filter - Name** parameter must contain at least 3 characters if provided; + otherwise, the action will return an error. - 5. **Output**: Returns the aggregated list of endpoints as a JSON object and completes - the execution. + - This action does not operate on specific SOAR entities but rather performs a + global search/list operation within the Bitdefender environment. capabilities: can_create_case_comments: false can_create_insight: false @@ -697,7 +755,7 @@ Get Endpoints List: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -711,6 +769,7 @@ Get Endpoints List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Hourly Usage for EC2 Instances: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -724,27 +783,29 @@ Get Endpoints List: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Hourly Usage for EC2 Instances: ai_description: >- ### General Description The **Get Hourly Usage for EC2 Instances** action retrieves detailed hourly usage - statistics for Amazon EC2 instance categories (such as micro, medium, etc.) from - the Bitdefender GravityZone Control Center. This action is primarily used for - auditing and monitoring license consumption or operational usage of AWS resources - managed through Bitdefender for a specific month. + statistics for Amazon EC2 instance categories (e.g., micro, medium, etc.) managed + within Bitdefender GravityZone. This action is designed to provide visibility + into resource consumption and licensing usage for a specific billing month, which + is useful for cost management and auditing purposes. ### Parameters Description @@ -753,8 +814,10 @@ Get Hourly Usage for EC2 Instances: | :--- | :--- | :--- | :--- | - | Target Month | String | Yes | The month for which the usage data is retrieved. - The value must be provided in the `mm/yyyy` format (e.g., 05/2023). | + | **Target Month** | String | Yes | The specific month for which usage data is + requested. The value must be provided in the `mm/yyyy` format (e.g., `01/2020`). + If not provided, the integration logic typically defaults to the current month, + though the parameter is marked as mandatory in the configuration. | ### Flow Description @@ -762,20 +825,24 @@ Get Hourly Usage for EC2 Instances: 1. **Connection**: The action initializes a connection to the Bitdefender GravityZone Control Center using the configured API Key and Access URL. - 2. **Request**: It sends a JSON-RPC request using the `getHourlyUsageForAmazonEC2Instances` - method, passing the `Target Month` as a parameter. + 2. **Request Execution**: It performs a JSON-RPC call using the `getHourlyUsageForAmazonEC2Instances` + method, passing the `Target Month` as the primary filter. - 3. **Processing**: The action receives the hourly usage data from the external - system. + 3. **Data Processing**: The action receives the usage data from the Bitdefender + API and attaches the raw result to the action's JSON output. - 4. **Output**: The retrieved data is added to the action's JSON results, making - it available for subsequent playbook tasks. + 4. **Completion**: The action concludes with a success status, making the usage + data available for subsequent playbook tasks. ### Additional Notes - - This action does not require or process any SecOps entities (IPs, Hostnames, - etc.); it performs a global lookup based on the provided month parameter. + - This action does not operate on specific entities (like IPs or Hostnames) within + a case; it performs a global retrieval of usage data for the entire integrated + AWS environment. + + - The output is provided as a JSON result, which can be parsed by other logic + in the SOAR platform. capabilities: can_create_case_comments: false can_create_insight: false @@ -789,7 +856,7 @@ Get Hourly Usage for EC2 Instances: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -803,6 +870,7 @@ Get Hourly Usage for EC2 Instances: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Managed Endpoint Details: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -813,63 +881,60 @@ Get Hourly Usage for EC2 Instances: disable_identity: false download_file: false enable_identity: false - enrich_asset: false + enrich_asset: true enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Managed Endpoint Details: ai_description: >- ### General Description - The **Get Managed Endpoint Details** action retrieves comprehensive metadata and - status information for a specific endpoint managed within Bitdefender GravityZone. - It is primarily used to gain visibility into an asset's security posture, including - agent details and the operational status of various protection modules (e.g., - Antimalware, Firewall, Content Control). + The **Get Managed Endpoint Details** action retrieves comprehensive information + about a specific endpoint managed within Bitdefender GravityZone. This includes + identification details for the endpoint and its security agent, as well as the + current status of various installed protection modules. - ### Parameters + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Endpoint ID | String | Yes | The unique identifier of the endpoint in Bitdefender - GravityZone for which details are requested. | + | **Endpoint ID** | String | Yes | The unique identifier of the endpoint for which + details are being requested. | ### Flow Description - 1. **Initialization**: The action extracts the necessary API credentials (API - Key, Access URL) and the target `Endpoint ID` from the action parameters. - - 2. **Connection**: It establishes a secure connection to the Bitdefender GravityZone - JSON-RPC API using the provided credentials. + 1. **Authentication**: The action establishes a connection to the Bitdefender + GravityZone Control Center using the provided API Key and Access URL. - 3. **Data Retrieval**: The action executes the `getManagedEndpointDetails` method - to fetch the endpoint's configuration, security agent details, and module status. + 2. **Data Retrieval**: It executes a request to the `getManagedEndpointDetails` + API method using the provided **Endpoint ID**. - 4. **Result Processing**: The retrieved data is attached to the action's results - as a JSON object, making it available for subsequent playbook logic. + 3. **Output**: The retrieved endpoint metadata, including security agent status + and protection module details, is returned as a JSON object for use in subsequent + playbook steps. ### Additional Notes - This action does not automatically iterate over entities in the SecOps case; it - requires a specific `Endpoint ID` provided as an input parameter. If you need - to run this for entities in a case, you must first obtain their Bitdefender IDs - (e.g., via a search action) and pass them to this action. + This action does not process SecOps entities automatically; it requires a specific + Endpoint ID as input. capabilities: can_create_case_comments: false can_create_insight: false @@ -883,7 +948,7 @@ Get Managed Endpoint Details: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -897,6 +962,7 @@ Get Managed Endpoint Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Network Inventory Items: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -910,103 +976,96 @@ Get Managed Endpoint Details: enrich_asset: true enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: true search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Network Inventory Items: ai_description: >- - Retrieves a list of network inventory items from Bitdefender GravityZone. This - action allows users to query the Bitdefender environment for various asset types, - including computers, virtual machines, Amazon EC2 instances, and security servers. - It supports complex filtering by name (partial match), MAC addresses, and SSIDs. - The results are returned as a JSON array, providing detailed metadata about the - discovered assets. + Retrieves network inventory items from Bitdefender GravityZone. This action allows + users to search for and list endpoints, virtual machines, and groups within the + network hierarchy using a wide range of filters. It is primarily used for asset + discovery and gathering metadata about the managed environment. - ### Parameters Description + ### Flow Description + 1. **Parameter Extraction:** The action retrieves integration credentials (API + Key, Access URL) and action-specific filters (Name, MAC, SSID, Parent ID, etc.). - | Parameter | Type | Mandatory | Description | + 2. **Manager Initialization:** Initializes the Bitdefender GravityZone Manager + to handle API communication. - | :--- | :--- | :--- | :--- | + 3. **API Request:** Executes the `getNetworkInventoryItems` method via the Bitdefender + JSON-RPC API, applying all configured filters. - | Filter - Name | String | No | Filters items by name. Requires a minimum of 3 - characters. Supports partial matching and wildcards (*). | + 4. **Result Processing:** The retrieved list of inventory items is returned as + a JSON object and the action completes successfully. - | Filter - MAC Addresses | String | No | Comma-separated list of MAC addresses - to filter endpoints. | - | Filter - SSID | String | No | The Active Directory SID of the endpoint used - for filtering. | + ### Parameters Description - | Filter - Depth - All Items Recursively | Boolean | No | If set to true, filters - all endpoints recursively within the Network Inventory. Default is false. | + | Parameter | Type | Mandatory | Description | - | Filter - Security Servers | Boolean | No | If set to true, filters for Security - Servers. Default is false. | + | :--- | :--- | :--- | :--- | - | Filter - Managed Relays | Boolean | No | If set to true, filters for endpoints - with the Relay role. Default is false. | + | Filter - Name | String | No | Filters items by name. Supports partial matching + (min 3 chars). Use '*' for suffix matching. | - | Filter - Managed Exchange Servers | Boolean | No | If set to true, filters for - protected Exchange servers. Default is false. | + | Filter - MAC Addresses | String | No | Comma-separated list of MAC addresses + to filter endpoints. | - | Filter - Managed with BEST | Boolean | No | If set to true, filters for endpoints - with the BEST security agent installed. Default is false. | + | Filter - SSID | String | No | Active Directory SID used to filter endpoints. + | - | Filter - Virtual Machines | Boolean | No | If set to true, filters for virtual - machines. Default is false. | + | Filter - Depth - All Items Recursively | Boolean | No | If true, searches all + endpoints recursively within the network inventory. Default is false. | - | Filter - Computers | Boolean | No | If set to true, filters for physical computers. + | Filter - Security Servers | Boolean | No | If true, filters for Security Servers. Default is false. | - | Filter - EC2 Instances | Boolean | No | If set to true, filters for Amazon EC2 - instances. Default is false. | - - | Filter - Groups | Boolean | No | If set to true, filters for custom groups of - endpoints. Default is false. | + | Filter - Managed Relays | Boolean | No | If true, filters for endpoints with + the Relay role. Default is false. | - | Parent ID | String | No | The ID of the container for which the network items - will be returned. | + | Filter - Managed Exchange Servers | Boolean | No | If true, filters for protected + Exchange servers. Default is false. | + | Filter - Managed with BEST | Boolean | No | If true, filters for endpoints with + the Bitdefender Endpoint Security Tools agent. Default is false. | - ### Additional Notes - - - The 'Filter - Name' parameter must be at least 3 characters long if provided; - otherwise, the action will fail. - - - Some filters may be ignored by the Bitdefender API if the corresponding license - is not active in the target environment. + | Filter - Virtual Machines | Boolean | No | If true, filters for virtual machines. + Default is false. | + | Filter - Computers | Boolean | No | If true, filters for physical computers. + Default is false. | - ### Flow Description + | Filter - EC2 Instances | Boolean | No | If true, filters for Amazon EC2 Instances. + Default is false. | - 1. **Configuration Extraction:** Retrieves the API Key, Access URL, and SSL verification - settings from the integration configuration. + | Filter - Groups | Boolean | No | If true, filters for custom groups of endpoints. + Default is false. | - 2. **Parameter Parsing:** Extracts all 13 optional filter parameters and the Parent - ID from the action input. + | Parent ID | String | No | The ID of the container/folder from which to return + network items. | - 3. **Manager Initialization:** Initializes the Bitdefender GravityZone Manager - using the provided credentials. - 4. **API Request:** Executes a paginated POST request to the Bitdefender JSON-RPC - endpoint (`getNetworkInventoryItems`) with the constructed filter object. + ### Additional Notes - 5. **Data Aggregation:** The manager handles pagination automatically, collecting - all matching inventory items into a single list. + - Some filters require specific licenses to be active in Bitdefender GravityZone; + otherwise, they may be ignored by the API. - 6. **Result Output:** Adds the retrieved inventory data to the action's JSON result - and completes the execution. + - The 'Filter - Name' parameter requires at least 3 characters to be processed + by the manager logic. capabilities: can_create_case_comments: false can_create_insight: false @@ -1020,7 +1079,7 @@ Get Network Inventory Items: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1034,6 +1093,7 @@ Get Network Inventory Items: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Scan Tasks List: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1047,62 +1107,69 @@ Get Network Inventory Items: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Scan Tasks List: ai_description: >- - Retrieves a list of scan tasks from Bitdefender GravityZone Control Center. This - action allows users to monitor the status of scanning operations across the environment - by filtering for specific task names or statuses. It is primarily used for auditing - and tracking the progress of on-demand or scheduled scans. + ### General Description + The **Get Scan Tasks List** action retrieves a comprehensive list of scan tasks + from the Bitdefender GravityZone Control Center. This utility is primarily used + for monitoring the progress and results of on-demand or scheduled scanning operations + across the managed network. - ### Flow Description: - 1. **Authentication:** Establishes a connection to the Bitdefender GravityZone - API using the provided credentials (API Key) and Access URL. + ### Parameters Description - 2. **Data Retrieval:** Executes the `getScanTasksList` method via the manager, - applying filters for task name and status. + | Parameter | Type | Mandatory | Description | - 3. **Pagination Handling:** Automatically iterates through paginated results provided - by the Bitdefender API to compile a complete list of matching scan tasks. + | :--- | :--- | :--- | :--- | - 4. **Output:** Returns the compiled list of tasks as a JSON object for use in - subsequent playbook steps. + | **Task Status** | DDL | Yes | Filters the returned tasks based on their current + state. Options include: `All`, `Pending`, `In-progress`, and `Finished`. | + | **Task Name** | String | No | Filters tasks by their name. If an asterisk (`*`) + is used at the beginning, the action performs a 'contains' search; otherwise, + it matches names starting with the keyword. | - ### Parameters Description: - | Parameter | Type | Mandatory | Description | + ### Flow Description - | :--- | :--- | :--- | :--- | + 1. **Configuration Extraction**: Retrieves the API Key, Access URL, and SSL verification + settings from the integration configuration. - | **Task Status** | DDL | Yes | Filters the list by task state. Supported values: - 'All', 'Pending', 'In-progress', 'Finished'. | + 2. **Parameter Processing**: Captures the user-defined filters for task status + and name. - | **Task Name** | String | No | Filters tasks by name. Use an asterisk (*) in - front to search for the keyword anywhere in the name; otherwise, it matches the - start of the string. | + 3. **API Connection**: Establishes a connection to the Bitdefender GravityZone + service using the provided credentials. + 4. **Data Retrieval**: Calls the `getScanTasksList` method. The action automatically + handles pagination to ensure all relevant task records are collected. - ### Additional Notes: + 5. **Output Generation**: Formats the retrieved task list into a JSON object and + returns it as the action result. - * This action does not interact with SOAR entities; it performs a global search - for scan tasks within the Bitdefender environment. - * The action uses the JSON-RPC 2.0 protocol to communicate with the GravityZone - API. + ### Additional Notes + + - This action does not require or process any specific entities (like IPs or Hostnames) + from the current context; it performs a global search based on the provided parameters. + + - If the `Task Name` is omitted, the action will return all tasks matching the + selected status. capabilities: can_create_case_comments: false can_create_insight: false @@ -1114,9 +1181,9 @@ Get Scan Tasks List: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1130,11 +1197,12 @@ Get Scan Tasks List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Isolate Endpoint: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false - contain_host: false + contain_host: true create_ticket: false delete_email: false disable_identity: false @@ -1143,62 +1211,60 @@ Get Scan Tasks List: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Isolate Endpoint: ai_description: >- ### General Description - The **Isolate Endpoint** action is designed to programmatically isolate a specific - host within the Bitdefender GravityZone environment. By creating an isolation - task, the action effectively severs the network connectivity of a compromised - or suspicious endpoint, preventing lateral movement or data exfiltration while - still allowing communication with the GravityZone management console for remediation. + The **Isolate Endpoint** action allows security analysts to programmatically isolate + a compromised or suspicious endpoint within the Bitdefender GravityZone environment. + By providing a specific Endpoint ID, the action triggers a task in the Bitdefender + Control Center to disconnect the device from the network, preventing lateral movement + or further data exfiltration while maintaining connectivity to the management + console for remediation. ### Parameters Description - | Parameter | Description | Type | Mandatory | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Endpoint ID | The unique identifier of the endpoint in Bitdefender GravityZone - that needs to be isolated. | String | Yes | + | **Endpoint ID** | String | Yes | The unique identifier of the endpoint that + needs to be isolated. | ### Flow Description - 1. **Authentication**: The action initializes a connection to the Bitdefender - GravityZone Control Center using the configured API Key and Access URL. + 1. **Authentication**: The action establishes a connection to the Bitdefender + GravityZone API using the provided API Key and Access URL. - 2. **Parameter Extraction**: It retrieves the `Endpoint ID` provided by the user - or playbook. + 2. **Parameter Extraction**: It retrieves the `Endpoint ID` from the action input. - 3. **Task Creation**: The action calls the `createIsolateEndpointTask` method - via the Bitdefender JSON-RPC API. + 3. **Task Creation**: It sends a POST request to the Bitdefender JSON-RPC API + (specifically the `createIsolateEndpointTask` method) to initiate the isolation. - 4. **Execution Status**: It evaluates the API response to determine if the isolation - task was successfully created. - - 5. **Completion**: The action concludes by reporting a success or failure status - to the Google SecOps workbench. + 4. **Result Handling**: The action evaluates the API response and reports whether + the isolation task was successfully created. ### Additional Notes - This action requires the Bitdefender GravityZone incident response module to be - active for the target endpoint. It does not automatically update the entity status - within Google SecOps; it only triggers the external isolation task. + This action does not automatically identify entities from the SOAR case; it requires + the explicit `Endpoint ID` as an input parameter. capabilities: can_create_case_comments: false can_create_insight: false @@ -1207,15 +1273,14 @@ Isolate Endpoint: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - This action creates an isolation task in Bitdefender GravityZone, which changes - the network state of the target endpoint to 'Isolated', restricting its network - communication. + Creates a task in Bitdefender GravityZone to isolate the specified endpoint + from the network, changing its connectivity state. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1229,11 +1294,12 @@ Isolate Endpoint: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false - contain_host: true + contain_host: false create_ticket: false delete_email: false disable_identity: false @@ -1242,40 +1308,58 @@ Isolate Endpoint: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: - ai_description: "### General Description\nThe **Ping** action is a diagnostic tool\ - \ used to verify the connectivity between Google SecOps and the Bitdefender GravityZone\ - \ Control Center. Its primary purpose is to ensure that the integration's configuration\ - \ parameters\u2014specifically the API Key and Access URL\u2014are correct and\ - \ that the network path is open. It performs a lightweight API call to retrieve\ - \ the details of the provided API key to confirm authorization.\n\n### Parameters\ - \ Description\nThis action does not have any action-specific parameters. It relies\ - \ entirely on the global integration configuration:\n* **API Key**: The credential\ - \ used to authenticate with Bitdefender GravityZone.\n* **Access URL**: The base\ - \ URL for the Bitdefender GravityZone API instance.\n* **Verify SSL**: A boolean\ - \ flag determining whether to validate the SSL certificate of the target server.\n\ - \n### Flow Description\n1. **Initialization**: The action initializes the SOAR\ - \ SDK and retrieves the global integration settings (API Key, Access URL, and\ - \ SSL verification preference).\n2. **Manager Setup**: It instantiates the `BitdefenderGravityZoneManager`\ - \ using the provided credentials.\n3. **Connectivity Test**: The action calls\ - \ the `getApiKeyDetails` method via the manager. This triggers a POST request\ - \ to the `GENERAL_URL` endpoint of the Bitdefender API.\n4. **Validation**: The\ - \ script checks if the API response is successful and contains valid key details.\ - \ If the response is empty or an error occurs (e.g., 401 Unauthorized), the action\ - \ fails.\n5. **Completion**: If the API call succeeds, the action returns a \"\ - Connection Established\" message and sets the result value to `true`." + ai_description: >- + ### General Description + + The **Ping** action is used to verify the connectivity between Google SecOps and + the Bitdefender GravityZone Control Center. It ensures that the provided integration + parameters, such as the API Key and Access URL, are valid and that the network + connection is functional. + + + ### Parameters Description + + There are no action-specific parameters for this action. It relies solely on the + integration's configuration parameters (API Key, Access URL, and Verify SSL). + + + ### Flow Description + + 1. **Parameter Extraction:** The action retrieves the API Key, Access URL, and + Verify SSL settings from the integration configuration. + + 2. **Manager Initialization:** It initializes the `BitdefenderGravityZoneManager` + using the provided credentials. + + 3. **Connectivity Check:** The action calls the `getApiKeyDetails` API method + to test the connection. + + 4. **Validation:** It checks if the API returns valid details. If the response + is empty or an error occurs, the connection is considered failed. + + 5. **Result Reporting:** The action returns a success message if the connection + is established or an error message if it fails. + + + ### Additional Notes + + This action is primarily used for troubleshooting and initial setup verification. + It does not process any entities or modify any data within Bitdefender GravityZone. capabilities: can_create_case_comments: false can_create_insight: false @@ -1289,7 +1373,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1303,6 +1387,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Policies - Get Details: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1316,60 +1401,60 @@ Ping: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Policies - Get Details: ai_description: >- - Retrieves comprehensive information for a specific security policy in Bitdefender - GravityZone using its unique identifier. This action allows analysts to fetch - detailed configuration data, which is useful for auditing policy settings, verifying - compliance, or making automated decisions in playbooks based on policy attributes. - The retrieved data is returned as a structured JSON object. + ### General Description + The **Policies - Get Details** action retrieves comprehensive information and + configuration settings for a specific security policy within Bitdefender GravityZone. + This action is primarily used for administrative auditing, policy verification, + and understanding the security configurations applied to various groups or endpoints. - ### Flow Description - 1. **Extract Parameters**: Retrieves the API credentials (API Key, Access URL) - and the mandatory 'Policy ID' from the action configuration. + ### Parameters Description - 2. **Initialize Connection**: Establishes a secure connection to the Bitdefender - GravityZone Control Center. + | Parameter | Type | Mandatory | Description | - 3. **Fetch Policy Details**: Executes the `getPolicyDetails` JSON-RPC method to - retrieve the full metadata and configuration settings for the specified policy. + | :--- | :--- | :--- | :--- | - 4. **Output Results**: Processes the API response and adds the policy details - to the action's JSON results for use in subsequent playbook steps. + | Policy ID | String | Yes | The unique identifier of the security policy to be + queried. This ID can typically be found via the 'Policies - List' action or within + the Bitdefender console. | - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Authentication**: The action establishes a connection to the Bitdefender + GravityZone Control Center using the configured API Key and Access URL. - | :--- | :--- | :--- | :--- | + 2. **Request Execution**: It sends a JSON-RPC request using the `getPolicyDetails` + method to the Policies API endpoint, passing the provided `Policy ID`. - | Policy ID | String | Yes | The unique identifier of the security policy to be - queried. This ID can be obtained from the Bitdefender console or via the 'Policies - - List' action. | + 3. **Data Processing**: The action receives the policy metadata, including settings + for various security modules (antimalware, firewall, etc.). + 4. **Result Delivery**: The retrieved policy details are attached to the action's + JSON results for use in subsequent playbook steps. - ### Additional Notes - - This action does not process entities from the SecOps case; it relies entirely - on the manually provided 'Policy ID' parameter. + ### Additional Notes - - The output is a raw JSON representation of the policy as returned by the Bitdefender - API. + This action does not process or iterate over SecOps entities (such as IPs or Hostnames). + It is a utility action that requires a direct input of a Policy ID. capabilities: can_create_case_comments: false can_create_insight: false @@ -1383,7 +1468,7 @@ Policies - Get Details: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1397,6 +1482,7 @@ Policies - Get Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Policies - List All: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1410,58 +1496,56 @@ Policies - Get Details: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Policies - List All: ai_description: >- - Retrieves a comprehensive list of all available security policies from the Bitdefender - GravityZone Control Center. This action is useful for auditing existing security - configurations or identifying specific policy IDs for use in other automation - tasks. - + ### General Description - ### Flow Description: + This action retrieves a comprehensive list of all available security policies + configured within the Bitdefender GravityZone Control Center. It is primarily + used for administrative oversight, auditing, or as a helper step to identify policy + IDs for other management actions. The action interacts with the Bitdefender JSON-RPC + API to fetch policy metadata. - 1. **Authentication**: Establishes a connection to the Bitdefender GravityZone - API using the provided API Key and Access URL. - 2. **Data Retrieval**: Executes the `getPoliciesList` JSON-RPC method to fetch - policy information. + ### Parameters Description - 3. **Pagination Handling**: Automatically iterates through multiple pages of results - if the number of policies exceeds the single-page limit, ensuring a complete list - is retrieved. + There are no input parameters for this action. - 4. **Result Processing**: Aggregates all policy items and returns them as a structured - JSON object in the action's results. + ### Additional Notes - ### Parameters Description: + This action does not require any specific entities to be present in the context. + It performs a global retrieval of policies associated with the configured API + key and Access URL. - | Parameter Name | Description | Type | Mandatory | Notes | - | :--- | :--- | :--- | :--- | :--- | + ### Flow Description - | None | This action does not require any input parameters. | N/A | No | The action - relies solely on the integration's configuration (API Key, Access URL). | + 1. **Authentication**: The action initializes the Bitdefender GravityZone Manager + using the API Key and Access URL provided in the integration configuration. + 2. **API Request**: It calls the `getPoliciesList` method via the Bitdefender + Policies API endpoint. - ### Additional Notes: + 3. **Pagination Handling**: The manager automatically handles paginated responses + from the API to ensure all policy records are collected into a single result set. - - This is a read-only action and does not modify any settings within Bitdefender - GravityZone. - - - The output includes metadata for each policy, such as its name and unique identifier. + 4. **Output**: The collected policy data is attached to the action's JSON result, + and the execution is marked as completed. capabilities: can_create_case_comments: false can_create_insight: false @@ -1475,7 +1559,7 @@ Policies - List All: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1489,6 +1573,7 @@ Policies - List All: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Quarantine - Add File: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1502,65 +1587,66 @@ Policies - List All: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Quarantine - Add File: ai_description: >- ### General Description - Creates a new task in Bitdefender GravityZone to add a specific file to quarantine - on one or more target endpoints. This action is primarily used for remediation - and incident response to isolate potentially malicious files found on disk across - managed endpoints. + The **Quarantine - Add File** action allows analysts to remotely quarantine a + specific file on one or more endpoints managed by Bitdefender GravityZone. This + is achieved by creating a task in the GravityZone Control Center that instructs + the EDR sensor on the target machines to move the specified file to a secure quarantine + location. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Authentication**: The action authenticates with the Bitdefender GravityZone + API using the provided API Key and Access URL. - | :--- | :--- | :--- | :--- | + 2. **Parameter Extraction**: It retrieves the target endpoint IDs and the absolute + file path from the action parameters. - | File Path | string | True | The absolute file path on disk to be quarantined. - This can be at most 4096 characters and must follow the format suitable for the - target's operating system (e.g., C:\Users\Public\malicious.exe). | + 3. **Task Creation**: A request is sent to the Bitdefender API (`createAddFileToQuarantineTask`) + to initiate the quarantine process for the specified file path on the provided + endpoint IDs. - | Endpoint IDs | string | True | A comma-separated list of the target endpoint - IDs where the quarantine task should be executed. Max 100 targets per action. - | + 4. **Completion**: The action monitors the API response and reports whether the + task creation was successful. - ### Flow Description + ### Parameters Description - 1. **Connection**: The action establishes a connection to the Bitdefender GravityZone - Control Center using the configured API Key and Access URL. + | Parameter | Type | Mandatory | Description | - 2. **Parameter Extraction**: It retrieves the target file path and the list of - endpoint IDs from the action parameters. + | :--- | :--- | :--- | :--- | - 3. **Task Creation**: It calls the Bitdefender API (`createAddFileToQuarantineTask`) - to initiate a quarantine operation for the specified file path on the provided - list of endpoints. + | **File Path** | String | True | The absolute file path on the target disk (e.g., + `C:\Users\Public\malicious.exe`). Max 4096 characters. | - 4. **Execution Status**: The action monitors the API response and marks the execution - as completed with a success or failure message based on whether the task was successfully - created in the Bitdefender console. + | **Endpoint IDs** | String | True | A comma-separated list of Bitdefender endpoint + IDs (Max 100). | ### Additional Notes - Only endpoints that have the EDR Sensor module active are considered valid targets - for this action. If an endpoint does not meet this requirement, the task creation - for that specific ID may fail or be ignored by the Bitdefender platform. + - Only endpoints with an active EDR Sensor module are valid targets for this action. + + - This action does not automatically process entities from the SecOps case; it + relies entirely on the provided parameters. capabilities: can_create_case_comments: false can_create_insight: false @@ -1569,16 +1655,14 @@ Quarantine - Add File: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new quarantine task in Bitdefender GravityZone, which instructs the - EDR sensors on the target endpoints to move the specified file to a secure quarantine - location, effectively changing the state of the file system on those remote - hosts. + Creates a task in Bitdefender GravityZone to quarantine a file on specified + endpoints, which changes the state of the file system on those endpoints. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1592,6 +1676,7 @@ Quarantine - Add File: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Quarantine - Get Items List: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1605,27 +1690,28 @@ Quarantine - Add File: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: false + search_events: true send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Quarantine - Get Items List: ai_description: >- ### General Description - The **Quarantine - Get Items List** action retrieves a comprehensive list of items - currently held in quarantine within the Bitdefender GravityZone environment. This - includes both malicious files found on endpoints and suspicious Microsoft Exchange - objects. The action allows for granular filtering to locate specific threats or - items across the network or on a per-endpoint basis. + This action retrieves a list of quarantined items from Bitdefender GravityZone. + Quarantined items can include malicious files found on endpoints or suspicious + Microsoft Exchange objects. The action allows for granular filtering to locate + specific threats across the network or on a single endpoint. ### Parameters Description @@ -1634,55 +1720,52 @@ Quarantine - Get Items List: | :--- | :--- | :--- | :--- | - | **Service** | DDL | Yes | Specifies the service to query: `Computers` (for files - on VMs/workstations) or `Exchange` (for mail objects). | + | Service | DDL | Yes | Specifies the source of the data: 'Computers' for files + on endpoints or 'Exchange' for email-related objects. | - | **Filter - Threat Name** | String | No | Filters results by the name of the - detected threat. Supports partial matching. | + | Filter - Threat Name | String | No | Filters results by the name of the detected + threat. Supports partial matching. | - | **Filter - Start Date** | String | No | Filters for items quarantined after - this date (ISO 8601 format). | + | Filter - Start Date | String | No | Filters items quarantined after this date + (ISO 8601 format). | - | **Filter - End Date** | String | No | Filters for items quarantined before this - date (ISO 8601 format). | + | Filter - End Date | String | No | Filters items quarantined before this date + (ISO 8601 format). | - | **Filter - File Path** | String | No | Filters by the file's location. Supports - partial matching and wildcards (e.g., `C:\temp` or `*myfile.exe`). Only for `Computers` - service. | + | Filter - File Path | String | No | Filters by file path. Supports partial matching + and wildcards (e.g., *myfile.exe). Only applicable to the 'Computers' service. + | - | **Filter - IP Address** | String | No | Filters by the IP address of the source - endpoint. Supports partial matching. Only for `Computers` service. | + | Filter - IP Address | String | No | Filters by the IP address of the endpoint. + Supports partial matching. Only applicable to the 'Computers' service. | - | **Filter - Action Status** | DDL | No | Filters by the current status of the - item (e.g., `Saved`, `Pending Save`). | + | Filter - Action Status | DDL | No | Filters by the current status of the quarantined + item (e.g., 'Saved', 'Pending Save'). | - | **Endpoint ID** | String | No | Restricts the search to a specific computer - ID. If omitted, the action searches the entire network. | + | Endpoint ID | String | No | The unique identifier of a specific computer to + retrieve items for. If omitted, the action searches the entire network. | ### Flow Description - 1. **Authentication**: Connects to the Bitdefender GravityZone Control Center - using the provided API Key and Access URL. - - 2. **Parameter Extraction**: Retrieves user-defined filters and service selection - from the action parameters. + 1. **Parameter Extraction**: The action retrieves the integration configuration + (API Key, URL) and the user-provided filter parameters. - 3. **API Request**: Executes a paginated request to the `getQuarantineItemsList` - endpoint, targeting the specific service sub-path (e.g., `/computers` or `/exchange`). + 2. **Connection**: It establishes a connection to the Bitdefender GravityZone + Control Center using the provided credentials. - 4. **Data Aggregation**: Iterates through all available pages of results to ensure - a complete list of quarantined items is collected. + 3. **Data Retrieval**: The action calls the `getQuarantineItemsList` API method. + It handles pagination automatically to ensure all matching records are collected. - 5. **Output**: Returns the aggregated list of items as a JSON object for use in - subsequent playbook steps. + 4. **Output**: The retrieved list of quarantined items is formatted and returned + as a JSON object for use in subsequent playbook steps. ### Additional Notes - Partial matching is supported for Threat Name, File Path, and IP Address. - - The `Exchange` service filters require a valid license for Security for Exchange. + - The 'Exchange' service filters require a valid license for Security for Exchange. capabilities: can_create_case_comments: false can_create_insight: false @@ -1694,9 +1777,9 @@ Quarantine - Get Items List: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: true + enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1710,6 +1793,7 @@ Quarantine - Get Items List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Quarantine - Remove Items: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1723,63 +1807,66 @@ Quarantine - Get Items List: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Quarantine - Remove Items: ai_description: >- - Removes items from the Bitdefender GravityZone quarantine by creating a removal - task in the Control Center. This action allows analysts to permanently delete - quarantined items associated with either endpoint computers/virtual machines or - the Security for Exchange service. + Removes specified items from the Bitdefender GravityZone quarantine. This action + is used to permanently delete malicious or suspicious items that were previously + isolated by the security agent. It supports items from both endpoint computers + and Exchange servers. - ### Flow Description: + ### Parameters - 1. **Authentication:** Connects to the Bitdefender GravityZone API using the configured - API Key and Access URL. + | Parameter | Type | Mandatory | Description | - 2. **Parameter Extraction:** Retrieves the target service type (Computers or Exchange) - and the list of Quarantine Item IDs from the action parameters. + | :--- | :--- | :--- | :--- | - 3. **Task Initiation:** Sends a JSON-RPC request to the Bitdefender API using - the `createRemoveQuarantineItemTask` method, passing the list of IDs to the service-specific - endpoint. + | Service | ddl | Yes | Specifies whether to remove items from the 'Computers' + (Computers and Virtual Machines) or 'Exchange' (Security for Exchange) quarantine + service. | - 4. **Result Handling:** Processes the API response to determine if the task creation - was successful and terminates the action with a corresponding status message. + | Quarantine Item IDs | string | Yes | A comma-separated list of unique identifiers + for the items to be removed. A maximum of 100 IDs can be processed in a single + request. | - ### Parameters Description: + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Authentication**: The action initializes a connection to the Bitdefender + GravityZone Control Center using the configured API Key and Access URL. - | :--- | :--- | :--- | :--- | + 2. **Parameter Extraction**: It retrieves the 'Service' and 'Quarantine Item IDs' + from the action parameters. - | Service | DDL | Yes | Determines the service context for the removal. Options - are 'Computers' (for endpoints and VMs) or 'Exchange' (for mail security). | + 3. **API Request**: It formats a JSON-RPC request to the Bitdefender API, targeting + the specific quarantine service endpoint (Computers or Exchange). - | Quarantine Item IDs | String | Yes | A comma-separated list of unique identifiers - for the quarantine items to be removed. A maximum of 100 items can be processed - in a single request. | + 4. **Task Creation**: It triggers the `createRemoveQuarantineItemTask` method + to initiate the removal process in the external system. + 5. **Completion**: The action completes with a success status if the removal task + is successfully created. - ### Additional Notes: - * This action triggers a background task in Bitdefender GravityZone. The actual - removal of items happens asynchronously on the target endpoints or mail servers. + ### Additional Notes + + - This action is destructive as it removes items from the quarantine repository. - * Removing items from quarantine is a permanent action and cannot be reversed - through this integration. + - Ensure that the Item IDs provided are valid for the selected Service. capabilities: can_create_case_comments: false can_create_insight: false @@ -1788,15 +1875,14 @@ Quarantine - Remove Items: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a task in Bitdefender GravityZone to permanently remove specified items - from the quarantine, which results in the deletion of those files or mail items - from the external system. + Creates a task in Bitdefender GravityZone to permanently remove/delete specified + items from the quarantine repository. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1810,6 +1896,7 @@ Quarantine - Remove Items: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Quarantine - Restore Exchange Items: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1823,64 +1910,69 @@ Quarantine - Remove Items: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: true update_identity: false update_ticket: false -Quarantine - Restore Exchange Items: ai_description: >- - Restores quarantined items on Microsoft Exchange Servers via Bitdefender GravityZone. - This action initiates a task in the GravityZone Control Center to move specific - items from the quarantine back to their original location in the user's mailbox. - It requires Exchange credentials and the specific IDs of the items to be restored. + Restores quarantined items to Microsoft Exchange servers using Bitdefender GravityZone. + This action creates a restoration task in the GravityZone Control Center for specific + items identified by their IDs. It requires Exchange credentials and optionally + an EWS URL or specific email address to facilitate the restoration process. - ### Parameters + ### Flow Description: - | Parameter | Type | Mandatory | Description | + 1. **Parameter Extraction:** Retrieves the integration configuration (API Key, + Access URL) and action parameters (Quarantine Item IDs, Username, Password, Email, + EWS URL). - | :--- | :--- | :--- | :--- | + 2. **Connection Initialization:** Establishes a connection to the Bitdefender + GravityZone API using the provided credentials. - | Quarantine Item IDs | string | Yes | A comma-separated list of the unique identifiers - for the items to be restored from quarantine (maximum 100 items). | + 3. **Task Creation:** Sends a JSON-RPC request to the GravityZone endpoint (`createRestoreQuarantineExchangeItemTask`) + to initiate the restoration of the specified items. - | Username | string | Yes | The username of the Microsoft Exchange user, including - the domain name (e.g., domain\user). | + 4. **Result Handling:** Processes the API response and returns a success or failure + status based on whether the restoration task was successfully created. - | Password | password | Yes | The password associated with the provided Exchange - username. | - | Email | string | No | The email address of the Exchange user. This is required - if the email address differs from the username. | + ### Parameters Description: - | EWS URL | string | No | The Exchange Web Services (EWS) URL. Use this if Exchange - Autodiscovery is not functioning or available. | + | Parameter Name | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Flow Description + | EWS URL | string | No | The Exchange Web Services URL. Necessary if Exchange + Autodiscovery is not functional. | - 1. **Configuration Extraction:** The action retrieves the Bitdefender API key, - Access URL, and SSL verification settings from the integration configuration. + | Email | string | No | The email address of the Exchange user. Required if the + email address differs from the username. | - 2. **Parameter Retrieval:** It extracts the mandatory item IDs, Exchange credentials, - and optional connection details (Email, EWS URL) from the action input. + | Password | password | Yes | The password of the Microsoft Exchange user. | + + | Username | string | Yes | The username of the Microsoft Exchange user, including + the domain name. | + + | Quarantine Item IDs | string | Yes | A comma-separated list of quarantine item + IDs to be restored (maximum 100 items). | - 3. **Manager Initialization:** Initializes the Bitdefender GravityZone Manager - to handle API communication. - 4. **Task Creation:** Calls the `createRestoreQuarantineExchangeItemTask` API - endpoint, passing the item IDs and Exchange authentication details. + ### Additional Notes: - 5. **Result Handling:** Reports whether the restoration task was successfully - created in the Bitdefender Control Center. + - This action does not run on SecOps entities; it operates based on the IDs provided + in the 'Quarantine Item IDs' parameter. capabilities: can_create_case_comments: false can_create_insight: false @@ -1889,15 +1981,14 @@ Quarantine - Restore Exchange Items: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a task in Bitdefender GravityZone to restore items from the Exchange - quarantine, which changes the state of those items in the external Exchange - environment. + Creates a task in Bitdefender GravityZone to restore items from quarantine back + to the Microsoft Exchange server environment. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1911,6 +2002,7 @@ Quarantine - Restore Exchange Items: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Quarantine - Restore Items: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1924,74 +2016,49 @@ Quarantine - Restore Exchange Items: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false - update_email: true + update_email: false update_identity: false update_ticket: false -Quarantine - Restore Items: ai_description: >- - Restores items from the Bitdefender GravityZone quarantine. This action creates - a task in the Bitdefender Control Center to move quarantined files back to their - original location or a specified alternative path. It supports both 'Computers' - and 'Exchange' services and allows for the optional creation of policy exclusions - to prevent the restored files from being flagged in future scans. - - - ### Flow Description - - 1. **Authentication**: Connects to the Bitdefender GravityZone API using the configured - API Key and Access URL. - - 2. **Parameter Extraction**: Retrieves the list of Quarantine Item IDs, the target - service type, the optional restoration path, and the exclusion preference. - - 3. **Task Creation**: Sends a request to the Bitdefender API to initiate a `createRestoreQuarantineItemTask` - for the specified IDs. - - 4. **Execution**: The external system processes the restoration task asynchronously. - - 5. **Completion**: Returns a success or failure status based on whether the task - creation request was accepted by Bitdefender. - - - ### Parameters Description - - | Parameter Name | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Quarantine Item IDs | string | Yes | A comma-separated list of unique identifiers - for the items to be restored from quarantine. Maximum of 100 items per request. - | - - | Service | ddl | Yes | Specifies the Bitdefender service context. Options are - 'Computers' (for endpoints/VMs) or 'Exchange' (for mail security). | - - | Location to Restore | string | No | The absolute file system path where the - items should be restored. If left empty, the items are restored to their original - location. | - - | Add Exclusion in Policy | boolean | No | If set to true, the restored files - will be added to a policy exclusion list to prevent them from being quarantined - again in future scans. | - - - ### Additional Notes - - - This action does not run on SecOps entities; it requires manual input of Quarantine - Item IDs, which are typically retrieved from a previous 'Quarantine - List Items' - action or external logs. - - - Exclusions created via the 'Add Exclusion in Policy' parameter do not apply - to items assigned the 'Default Policy'. + ### General Description\nThis action creates a new task in Bitdefender GravityZone + to restore items from the quarantine. It supports restoring items for both 'Computers' + (Computers and Virtual Machines) and 'Exchange' (Security for Exchange) services. + Users can specify a custom restoration path and optionally add the restored items + to a policy exclusion list to prevent them from being quarantined again in future + scans.\n\n### Parameters Description\n| Parameter | Type | Mandatory | Description + |\n| :--- | :--- | :--- | :--- |\n| Quarantine Item IDs | String | Yes | A comma-separated + list of unique identifiers for the items to be restored from quarantine. A maximum + of 100 items can be processed in a single request. |\n| Service | DDL | Yes | + Specifies the service context for the restoration. Options are 'Computers' for + endpoint files or 'Exchange' for email items. |\n| Location to Restore | String + | No | The absolute file system path where the items should be restored. If not + provided, the items are returned to their original location. |\n| Add Exclusion + in Policy | Boolean | No | If set to true, the restored items will be added to + the exclusion list in the active policy to prevent future detection (does not + apply to the Default Policy). |\n\n### Flow Description\n1. **Authentication**: + The action establishes a connection with the Bitdefender GravityZone Control Center + using the configured API Key and Access URL.\n2. **Parameter Extraction**: It + retrieves the list of item IDs, the selected service, the optional restoration + path, and the exclusion preference from the action parameters.\n3. **Task Creation**: + The action calls the Bitdefender API (`createRestoreQuarantineItemTask`) to initiate + the restoration process for the specified items.\n4. **Status Reporting**: The + action monitors the API response and reports whether the restoration task was + successfully created in the external system.\n\n### Additional Notes\n- This action + does not operate on SecOps entities directly; it requires specific Quarantine + Item IDs as input.\n- Restoration to a custom location requires the absolute path + to be correctly formatted for the target operating system. capabilities: can_create_case_comments: false can_create_insight: false @@ -2000,15 +2067,14 @@ Quarantine - Restore Items: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a task in Bitdefender GravityZone to restore files from quarantine to - the host's file system and can optionally modify security policies by adding - file exclusions. + Creates a task in Bitdefender GravityZone to restore files or emails from quarantine + to their original or a specified location and can modify policy exclusions. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2022,6 +2088,7 @@ Quarantine - Restore Items: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Reports - Get Download Links: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -2035,57 +2102,59 @@ Quarantine - Restore Items: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Reports - Get Download Links: ai_description: >- ### General Description - This action retrieves download links and availability information for a specific - report within Bitdefender GravityZone. It allows users to obtain the necessary - URLs to download report files, distinguishing between instant reports (available - for less than 24 hours) and scheduled reports (stored in the GravityZone database). + Retrieves download links and availability information for a specific report within + Bitdefender GravityZone. This action is designed to facilitate the retrieval of + generated security reports, allowing for automated collection of threat data, + compliance reports, or activity logs. ### Parameters Description - | Parameter | Type | Mandatory | Description | + | Parameter | Description | Type | Mandatory | | :--- | :--- | :--- | :--- | - | Report ID | String | Yes | The unique identifier of the report to fetch download - links for. | + | Report ID | The unique identifier of the report to fetch download links for. + | String | Yes | + + ### Additional Notes - ### Flow Description + Instant reports are available for download for less than 24 hours after creation. + Scheduled reports are stored in the GravityZone database and remain available + for longer periods. This action does not download the file content itself but + provides the URLs to do so. - 1. **Authentication**: The action initializes a connection to the Bitdefender - GravityZone Control Center using the provided API Key and Access URL. - 2. **Request**: It sends a request to the `getDownloadLinks` endpoint of the Reports - API, passing the specified `Report ID`. + ### Flow Description - 3. **Data Retrieval**: The action receives an object containing metadata about - the report's availability and the specific download links. + 1. Extract integration configuration (API Key, Access URL, SSL verification). - 4. **Output**: The retrieved report data is added to the action's JSON results - for use in subsequent playbook steps. + 2. Extract the Report ID from the action parameters. + 3. Connect to the Bitdefender GravityZone Control Center via the JSON-RPC API. - ### Additional Notes + 4. Execute the 'getDownloadLinks' method for the specified report. - This action does not process entities; it operates solely based on the provided - `Report ID` parameter. + 5. Return the report availability status and download links as a JSON result. capabilities: can_create_case_comments: false can_create_insight: false @@ -2099,7 +2168,7 @@ Reports - Get Download Links: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2113,6 +2182,7 @@ Reports - Get Download Links: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Reports - List All: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -2126,68 +2196,67 @@ Reports - Get Download Links: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Reports - List All: ai_description: >- - ### General Description - - Lists all scheduled reports from Bitdefender GravityZone. This action allows users - to retrieve a comprehensive list of reports, optionally filtered by name or type. - It interacts with the Bitdefender JSON-RPC API to fetch report metadata, including - report IDs and configurations, which can be used for further reporting or automation - tasks. + Lists all scheduled reports from Bitdefender GravityZone Control Center. This + action allows users to retrieve a comprehensive list of reports, optionally filtered + by name or type, providing visibility into the reporting configuration and available + data exports within the GravityZone environment. - ### Parameters Description - - | Parameter | Type | Mandatory | Description | + ### Flow Description: - | :--- | :--- | :--- | :--- | + 1. **Configuration Extraction**: Retrieves the API Key, Access URL, and SSL verification + settings from the integration configuration. - | Report Name | String | No | The specific name of the report to search for. | + 2. **Parameter Extraction**: Retrieves the optional 'Report Name' and 'Report + Type' filters from the action parameters. - | Report Type | DDL | No | The category of the report (e.g., 'Malware Status', - 'Firewall Activity'). | + 3. **Manager Initialization**: Establishes a connection to the Bitdefender GravityZone + API using the provided credentials. + 4. **Data Retrieval**: Executes the `getReportsList` JSON-RPC method. If multiple + pages of results exist, the action automatically iterates through them to compile + a complete list. - ### Flow Description + 5. **Result Processing**: Outputs the list of reports as a JSON object for use + in subsequent playbook steps. - 1. **Configuration Extraction**: The action retrieves the API Key, Access URL, - and SSL verification settings from the integration configuration. - 2. **Parameter Extraction**: It extracts the optional `Report Name` and `Report - Type` filters provided by the user. + ### Parameters Description: - 3. **API Connection**: Initializes the `BitdefenderGravityZoneManager` to establish - a connection with the GravityZone Control Center. + | Parameter | Type | Mandatory | Description | - 4. **Data Retrieval**: Calls the `getReportsList` method. If a `Report Type` is - provided, it maps the display name to the corresponding internal integer ID. + | :--- | :--- | :--- | :--- | - 5. **Pagination Handling**: The manager handles paginated responses from the API - to ensure all matching report records are collected. + | Report Name | String | No | Filters the list to only include reports matching + this specific name. | - 6. **Result Output**: The final list of reports is attached to the action result - as a JSON object for use in subsequent playbook steps. + | Report Type | DDL | No | Filters the list by the category of the report (e.g., + 'Malware Status', 'Firewall Activity'). | - ### Additional Notes + ### Additional Notes: - - If no filters are provided, the action returns all available scheduled reports. + - This action is a read-only operation and does not modify any data within Bitdefender + GravityZone. - - The `Report Type` parameter uses a predefined list of supported Bitdefender - report categories. + - If no filters are provided, all scheduled reports accessible to the API key + will be returned. capabilities: can_create_case_comments: false can_create_insight: false @@ -2201,7 +2270,7 @@ Reports - List All: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2215,6 +2284,7 @@ Reports - List All: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Restore Isolated Endpoint: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -2228,45 +2298,54 @@ Reports - List All: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false - uncontain_host: false + uncontain_host: true update_alert: false update_email: false update_identity: false update_ticket: false -Restore Isolated Endpoint: ai_description: >- Restores a specified endpoint from network isolation using Bitdefender GravityZone. - This action triggers a task in the GravityZone Control Center to reconnect the + This action creates a task in the GravityZone Control Center to reconnect the endpoint to the network, reversing a previous isolation command. - ### Parameters + ### Flow Description: - | Parameter | Description | Type | Mandatory | + 1. **Authentication**: Connects to the Bitdefender GravityZone Control Center + using the provided API Key and Access URL. - | --- | --- | --- | --- | + 2. **Task Creation**: Sends a request to the Bitdefender API to create a 'Restore + Endpoint From Isolation' task for the specific Endpoint ID provided. - | Endpoint ID | The unique identifier of the endpoint to be restored from isolation. - | String | Yes | + 3. **Execution Status**: Evaluates the response from the API to determine if the + task was successfully created and returns a success or failure result. - ### Flow Description + ### Parameters Description: - 1. **Authentication**: Establishes a connection to the Bitdefender GravityZone - Control Center using the provided API Key and Access URL. + | Parameter Name | Description | Type | Mandatory | Notes | + + | :--- | :--- | :--- | :--- | :--- | - 2. **Task Creation**: Sends a JSON-RPC request to the Incidents API to create - a `createRestoreEndpointFromIsolationTask` for the specified Endpoint ID. + | Endpoint ID | The unique identifier of the endpoint for which the restoration + task will be created. | String | True | This ID is specific to the Bitdefender + GravityZone inventory. | - 3. **Execution Status**: Evaluates the response from the manager and returns a - success or failure status to the SOAR platform. + + ### Additional Notes: + + This action does not automatically identify entities from the SOAR case; it requires + the specific Bitdefender Endpoint ID to be passed as a parameter. capabilities: can_create_case_comments: false can_create_insight: false @@ -2276,13 +2355,13 @@ Restore Isolated Endpoint: can_update_entities: false external_data_mutation_explanation: >- Creates a task in Bitdefender GravityZone to restore a previously isolated endpoint, - changing its network connectivity status from isolated to active. + changing its network connectivity status in the external system. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2296,6 +2375,7 @@ Restore Isolated Endpoint: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Set Endpoint Label: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -2309,55 +2389,69 @@ Restore Isolated Endpoint: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false - uncontain_host: true + uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Set Endpoint Label: ai_description: >- - Sets or resets a label for a specific endpoint in Bitdefender GravityZone. This - action allows analysts to tag endpoints with custom metadata (up to 64 characters) - for better organization or tracking within the GravityZone Control Center. If - an empty string is provided as the label, any existing label on the endpoint will - be cleared. + ### General Description + Sets or updates a label for a specific endpoint within the Bitdefender GravityZone + environment. This action allows security analysts to tag endpoints with custom + metadata (up to 64 characters) for better categorization, tracking, or policy + application. Providing an empty string as the label will reset any previously + assigned label for that endpoint. - ### Parameters + + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Endpoint ID | string | Yes | The unique identifier of the endpoint in Bitdefender - GravityZone. | + | Endpoint ID | String | Yes | The unique identifier of the endpoint in Bitdefender + GravityZone for which the label will be set. | + + | Label | String | Yes | The string representing the label to be applied. Maximum + length is 64 characters. Use an empty string to clear an existing label. | + - | Label | string | Yes | The string representing the label to be set (max 64 characters). - Enter an empty string to reset/clear the label. | + ### Additional Notes + + - This action interacts with the Bitdefender GravityZone JSON-RPC API using the + `setEndpointLabel` method. + + - The action requires a valid 'Access URL' and 'API Key' configured in the integration + settings. ### Flow Description - 1. **Parameter Extraction:** The action retrieves the API credentials from the - integration configuration and the target Endpoint ID and Label from the action - parameters. + 1. **Parameter Extraction**: The action retrieves the 'Endpoint ID' and 'Label' + from the user input and the integration's connection details (API Key, Access + URL, SSL verification) from the configuration. - 2. **Manager Initialization:** It initializes the Bitdefender GravityZone Manager - using the provided API Key and Access URL. + 2. **Connection Initialization**: It establishes a connection to the Bitdefender + GravityZone Control Center via the `BitdefenderGravityZoneManager`. - 3. **API Interaction:** The action calls the `setEndpointLabel` method via a POST - request to the Bitdefender JSON-RPC API. + 3. **API Execution**: The action sends a POST request to the Bitdefender Network + API endpoint with the `setEndpointLabel` method, passing the target `endpointId` + and the desired `label`. - 4. **Result Handling:** It evaluates the API response to determine if the label - was successfully applied and terminates the action with a corresponding success - or failure message. + 4. **Result Processing**: The action evaluates the API response. If the operation + is successful, it returns a 'success' status; otherwise, it logs the error and + returns a 'failed' status. capabilities: can_create_case_comments: false can_create_insight: false @@ -2367,13 +2461,13 @@ Set Endpoint Label: can_update_entities: false external_data_mutation_explanation: >- Updates the label attribute of a specific endpoint within the Bitdefender GravityZone - Control Center. + management console. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2387,28 +2481,3 @@ Set Endpoint Label: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/community/bitdefender_gravity_zone/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/bitdefender_gravity_zone/resources/ai/integration_ai_description.yaml index cf49db887..cb513bac3 100644 --- a/content/response_integrations/third_party/community/bitdefender_gravity_zone/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/community/bitdefender_gravity_zone/resources/ai/integration_ai_description.yaml @@ -1,6 +1,6 @@ product_categories: asset_inventory: true - cloud_security: false + cloud_security: true collaboration: false edr: true email_security: true diff --git a/content/response_integrations/third_party/community/chronicle_support_tools/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/chronicle_support_tools/resources/ai/actions_ai_description.yaml index 870833005..bc36eda45 100644 --- a/content/response_integrations/third_party/community/chronicle_support_tools/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/chronicle_support_tools/resources/ai/actions_ai_description.yaml @@ -1,60 +1,82 @@ Gather Remote Agent Datapoints: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - - Gathers comprehensive diagnostic data and remote agent datapoints for troubleshooting - purposes. This action collects system-level performance metrics, agent status - configurations, environment variables, and parses local log files for errors related - to specific integrations and connectors. It is primarily used by support teams - to identify issues within the Google SecOps Remote Agent environment. - - - ### Parameters Description + Gathers diagnostic information and logs from a Google SecOps Remote Agent to assist + in troubleshooting integration or connector issues. This action collects a wide + range of telemetry, including agent status, system resource utilization (CPU, + memory, uptime), file system structure, and recent error logs from both the core + agent and specific integration components. - | Parameter | Type | Mandatory | Description | + ### Flow Description: - | :--- | :--- | :--- | :--- | + 1. **Parameter Extraction:** Retrieves the target `IntegrationName` and optional + `ConnectorName` from the action configuration. - | IntegrationName | string | Yes | The name of the integration for which you want - to analyze agent data. | + 2. **Agent Status Collection:** Reads and parses the `agent_status.json` file + to identify installed versions and general agent health. - | ConnectorName | string | No | The name of the specific connector to retrieve - logs for. | + 3. **System Load Analysis:** Executes system commands (`lscpu`, `uptime`, `free`) + to capture the current performance state of the host machine. + 4. **File Metadata Retrieval:** Lists files within the agent's installation directory + to verify deployment structure. - ### Flow Description + 5. **Log Parsing:** Scans `/var/log/SiemplifyAgent/agent.log` and specific connector + log files for recent error patterns, filtering out sensitive information like + tokens or keys. + 6. **Diagnostic Logging:** Outputs all gathered data to the action's execution + logs for analyst review. - 1. **Configuration Extraction**: The action retrieves the `IntegrationName` and - `ConnectorName` from the input parameters. - 2. **Agent Status Retrieval**: It reads the `agent_status.json` file to collect - information about installed integrations, their versions, and the current SSL - version. + ### Parameters Description: - 3. **System Load Collection**: It executes system commands to gather CPU info - (`lscpu`), system uptime, and memory usage (`free -h`). + | Parameter | Type | Mandatory | Description | - 4. **Environment and File Audit**: It collects environment variables (filtering - out sensitive data like keys and tokens) and lists the contents of the agent's - directory. + | :--- | :--- | :--- | :--- | - 5. **Log Analysis**: It parses the main agent log and specific connector logs - (if a connector name is provided) to identify and capture the most recent error - messages. + | IntegrationName | String | Yes | The name of the integration for which diagnostic + data is being collected. | - 6. **Logging**: All collected diagnostic information is written to the action's - execution log for analysis. + | ConnectorName | String | No | The specific name of the connector to analyze + for errors. | - ### Additional Notes + ### Additional Notes: + - This action is primarily a support and debugging tool. It does not modify the + state of the agent or the external systems it monitors. - This action is intended for debugging and support scenarios. It does not modify - any system settings or case data; it only performs read-only diagnostic operations - on the host where the Remote Agent is installed. + - Sensitive data such as IP addresses, MAC addresses, and environment tokens are + automatically truncated or filtered from the logs. capabilities: can_create_case_comments: false can_create_insight: false @@ -66,9 +88,9 @@ Gather Remote Agent Datapoints: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: true + enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -82,28 +104,3 @@ Gather Remote Agent Datapoints: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: true - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/community/country_flags/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/country_flags/resources/ai/actions_ai_description.yaml index 8f11f86ce..1ab6ad28a 100644 --- a/content/response_integrations/third_party/community/country_flags/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/country_flags/resources/ai/actions_ai_description.yaml @@ -1,63 +1,89 @@ Get Country Flag: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Get Country Flag** action retrieves a country's flag image in Base64 format. - It is designed to provide visual context for geographic data by converting 2-digit - ISO country codes (e.g., 'US', 'FR') into encoded image strings. The action can - process country codes provided manually as a parameter or dynamically extracted - from the `additional_properties` of entities within a case. It utilizes an external - service (`countryflags.io`) to fetch flags and maintains a local cache file (`flags.json`) - to optimize performance and reduce redundant API calls. + The **Get Country Flag** action retrieves a base64-encoded string representing + a country's flag image from an external service. It is designed to provide visual + context for entities or specific country codes within a playbook. The action supports + extracting country codes from entity properties or via direct manual input and + utilizes a local caching mechanism to minimize external API calls. ### Parameters Description - | Parameter Name | Type | Mandatory | Description | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Country Code Two Digit** | String | No | A manual 2-digit ISO country code - (e.g., 'us', 'gb') to fetch a flag for. | + | Country Code Two Digit | String | No | A specific 2-digit ISO country code (e.g., + 'us', 'uk') to fetch the flag for. | - | **Country Code From Entity Field** | String | No | A comma-separated list of - field names to look for in the `additional_properties` of entities. If found, - the value of that field is used as the country code. | + | Country Code From Entity Field | String | No | A comma-separated list of field + names to look for in the `additional_properties` of the target entities. The action + will extract the country code from the first matching field found. | ### Additional Notes - - If neither parameter is provided, the action will not perform any lookups. - - - The action maintains a local cache file named `flags.json` in the execution - folder to store previously fetched flags. + - At least one of the parameters should be provided for the action to return meaningful + data. - - The results are returned as a JSON object mapping the identifier (entity or - country code) to the Base64 string. + - The action returns the base64 data in the `JsonResult` but does not update the + entity attributes or create insights automatically. ### Flow Description - 1. **Initialization**: The action initializes and attempts to load the `flags.json` - cache file from the local execution environment. + 1. **Cache Loading**: The action attempts to read a local `flags.json` file from + the execution environment to retrieve previously cached flag data. - 2. **Parameter Retrieval**: It retrieves the manual `Country Code Two Digit` and - the list of entity fields to check from `Country Code From Entity Field`. + 2. **Entity Analysis**: If `Country Code From Entity Field` is specified, the + action iterates through all target entities and checks their `additional_properties` + for the provided keys to find a country code. - 3. **Entity Processing**: For each entity in the case, the action checks if any - of the specified fields exist in the entity's `additional_properties`. If a country - code is found, it proceeds to fetch the flag. + 3. **Manual Input**: If `Country Code Two Digit` is provided, the action adds + this code to the processing queue. - 4. **Flag Retrieval**: For each identified country code (from entities or manual - input), the action checks the local cache. If the flag is missing, it performs - a GET request to `https://www.countryflags.io/`, encodes the resulting image to - Base64, and updates the cache. + 4. **External Retrieval**: For each unique country code found (and not present + in the cache), the action sends a GET request to `countryflags.io` to fetch the + flag image. - 5. **Cache Update**: If new flags were fetched, the action overwrites the local - `flags.json` file with the updated data. + 5. **Base64 Encoding**: The fetched image content is converted into a base64-encoded + string. - 6. **Output**: The action attaches the Base64 flag data to the action's JSON results - and completes the execution. + 6. **Result Mapping**: The base64 strings are mapped to their respective entity + identifiers or country codes in the final JSON output. + + 7. **Cache Persistence**: If new flags were fetched, the local cache file is updated + with the new data for future executions. capabilities: can_create_case_comments: false can_create_insight: false @@ -69,44 +95,44 @@ Get Country Flag: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: true filters_by_alert_identifier: false filters_by_case_identifier: false @@ -120,6 +146,7 @@ Get Country Flag: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -133,56 +160,59 @@ Get Country Flag: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: ai_description: >- ### General Description - Tests connectivity to the Country Flags service by attempting to retrieve the - flag for a hardcoded country code ('us'). This action is primarily used to verify - that the integration is correctly configured and can reach the external API. + The **Ping** action is designed to verify the connectivity between Google SecOps + and the Country Flags service. It serves as a health check to ensure that the + integration can successfully reach the external API and process image data. ### Parameters Description - There are no parameters for this action. + There are no parameters configured for this action. ### Additional Notes - This is a standard 'Ping' action. It utilizes a local cache file (`flags.json`) - to store retrieved flag data in base64 format to optimize subsequent requests. - It does not process any entities from the case. + This action uses a hardcoded country code ('us') to perform the connectivity test. + It also utilizes a local cache file (`flags.json`) to store and retrieve previously + fetched flag data in base64 format to optimize performance during the test. ### Flow Description - 1. **Initialize Action**: Sets up the Siemplify action context and identifies - the script as 'GetCountryFlag'. + 1. **Initialize Action:** The script initializes the Siemplify action context. + + 2. **Load Cache:** It attempts to read a local JSON file named `flags.json` from + the execution folder to load existing flag data. - 2. **Load Cache**: Attempts to read the `flags.json` file from the execution folder - to retrieve previously cached flags. If the file is missing or invalid, it initializes - an empty cache. + 3. **Check Cache:** The script checks if the flag for the country code 'us' is + already present in the loaded cache. - 3. **Connectivity Test**: Uses a hardcoded country code ('us') to check for a - flag. + 4. **External API Call:** If the flag is not in the cache, it performs a GET request + to the Country Flags API (`https://www.countryflags.io/us/flat/64.png`). - 4. **External Request**: If the flag for 'us' is not in the cache, it performs - a GET request to the Country Flags API (https://www.countryflags.io/us/flat/64.png). + 5. **Process Response:** Upon a successful API response, the image content is + encoded into a base64 string. - 5. **Finalize**: Returns a success status if the flag data is retrieved or found - in the cache; otherwise, it terminates with a failure state. + 6. **Finalize:** If the base64 data is successfully retrieved (either from cache + or API), the action terminates with a 'Successful' status. capabilities: can_create_case_comments: false can_create_insight: false @@ -196,7 +226,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -210,28 +240,3 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/community/cybersixgill_actionable_alerts/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/cybersixgill_actionable_alerts/resources/ai/actions_ai_description.yaml index dae018e81..3296d9c7f 100644 --- a/content/response_integrations/third_party/community/cybersixgill_actionable_alerts/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/cybersixgill_actionable_alerts/resources/ai/actions_ai_description.yaml @@ -1,52 +1,4 @@ Ping: - ai_description: "### General Description\nThe **Ping** action is a diagnostic utility\ - \ designed to verify the connectivity and authentication configuration between\ - \ Google SecOps and the Cybersixgill platform. It ensures that the provided credentials\ - \ (Client ID and Client Secret) are valid and that the environment can successfully\ - \ communicate with the Cybersixgill API.\n\n### Parameters Description\n| Parameter\ - \ Name | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Client\ - \ Id | password | Yes | The unique client identifier provided by Cybersixgill\ - \ for API access. |\n| Client Secret | password | Yes | The secret key associated\ - \ with the Client ID used for authentication. |\n\n### Flow Description\n1. **Parameter\ - \ Extraction:** The action retrieves the `Client Id` and `Client Secret` from\ - \ the integration configuration.\n2. **Client Initialization:** It initializes\ - \ the `SixgillEnrichManager` using the extracted credentials.\n3. **Authentication\ - \ Check:** The manager attempts to create a Cybersixgill client and perform a\ - \ handshake by requesting an access token via the `get_access_token` method.\n\ - 4. **Result Reporting:** \n * If the token is successfully retrieved, the action\ - \ returns a success status and a confirmation message.\n * If the authentication\ - \ fails or a connection error occurs, the action catches the exception and returns\ - \ a failure status with the error details.\n\n### Additional Notes\n* This action\ - \ does not process any entities and is strictly used for configuration validation.\n\ - * As a 'Ping' type action, it is excluded from enrichment classifications regardless\ - \ of its data-fetching behavior." - capabilities: - can_create_case_comments: false - can_create_insight: false - can_modify_alert_data: false - can_mutate_external_data: false - can_mutate_internal_data: false - can_update_entities: false - external_data_mutation_explanation: null - fetches_data: true - internal_data_mutation_explanation: null - categories: - enrichment: false - entity_usage: - entity_types: [ ] - filters_by_additional_properties: false - filters_by_alert_identifier: false - filters_by_case_identifier: false - filters_by_creation_time: false - filters_by_entity_type: false - filters_by_identifier: false - filters_by_is_artifact: false - filters_by_is_enriched: false - filters_by_is_internal: false - filters_by_is_pivot: false - filters_by_is_suspicious: false - filters_by_is_vulnerable: false - filters_by_modification_time: false action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -60,15 +12,89 @@ Ping: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false + ai_description: >- + ### General Description + + The **Ping** action is used to verify the connectivity between Google SecOps and + the Cybersixgill platform. It validates that the provided credentials (Client + ID and Client Secret) are correct and that the environment can successfully communicate + with the Cybersixgill API by attempting to retrieve an authentication token. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | **Client Id** | Password | Yes | The unique identifier for the Cybersixgill + API client used for authentication. | + + | **Client Secret** | Password | Yes | The secret key associated with the Cybersixgill + API client used for authentication. | + + + ### Flow Description + + 1. **Credential Extraction**: The action retrieves the `Client Id` and `Client + Secret` from the integration configuration parameters. + + 2. **Client Initialization**: It initializes the Cybersixgill communication manager + using the provided credentials. + + 3. **Authentication Test**: The action attempts to retrieve an OAuth2 access token + from the Cybersixgill API. + + 4. **Result Reporting**: If the token is successfully retrieved, the action returns + a success status and a confirmation message. If an error occurs (e.g., invalid + credentials or network timeout), it reports a failure with the specific error + details. + + + ### Additional Notes + + This action does not process any entities, fetch contextual data, or modify any + internal or external records. It is strictly a diagnostic tool for connectivity + testing. + capabilities: + can_create_case_comments: false + can_create_insight: false + can_modify_alert_data: false + can_mutate_external_data: false + can_mutate_internal_data: false + can_update_entities: false + external_data_mutation_explanation: null + fetches_data: false + internal_data_mutation_explanation: null + categories: + enrichment: false + entity_usage: + entity_types: [] + filters_by_additional_properties: false + filters_by_alert_identifier: false + filters_by_case_identifier: false + filters_by_creation_time: false + filters_by_entity_type: false + filters_by_identifier: false + filters_by_is_artifact: false + filters_by_is_enriched: false + filters_by_is_internal: false + filters_by_is_pivot: false + filters_by_is_suspicious: false + filters_by_is_vulnerable: false + filters_by_modification_time: false diff --git a/content/response_integrations/third_party/community/cybersixgill_actionable_alerts/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/cybersixgill_actionable_alerts/resources/ai/connectors_ai_description.yaml index dabdf918e..6eacb393d 100644 --- a/content/response_integrations/third_party/community/cybersixgill_actionable_alerts/resources/ai/connectors_ai_description.yaml +++ b/content/response_integrations/third_party/community/cybersixgill_actionable_alerts/resources/ai/connectors_ai_description.yaml @@ -3,10 +3,10 @@ Cybersixgill Actionable Alerts: ### General Description The Cybersixgill Actionable Alerts connector integrates Google SecOps with the - Cybersixgill platform to ingest high-fidelity threat intelligence alerts. This - connector monitors the deep and dark web for threats specifically targeting an - organization, providing detailed context such as threat assessments, recommendations, - and CVE-related data to enable proactive security responses. + Cybersixgill portal to ingest high-fidelity actionable alerts. It enables security + teams to monitor deep and dark web threats, including data leaks, credential theft, + and vulnerability exploits (CVEs), by automatically creating cases in Google SecOps + for rapid response. ### Parameters Description @@ -15,59 +15,59 @@ Cybersixgill Actionable Alerts: | :--- | :--- | :--- | :--- | - | Client Id | Password | Yes | The Client ID used for authenticating with the - Cybersixgill API. | + | Client Id | Password | Yes | The Client ID provided by Cybersixgill for API + authentication. | - | Client Secret | Password | Yes | The Client Secret used for authenticating with - the Cybersixgill API. | + | Client Secret | Password | Yes | The Client Secret provided by Cybersixgill + for API authentication. | - | Alerts Limit | Integer | Yes | The maximum number of alerts to retrieve in a - single execution cycle. | + | Alerts Limit | Integer | Yes | The maximum number of alerts to fetch in a single + execution cycle (default is 50). | - | Organization id | String | No | Optional filter to fetch alerts for a specific - Cybersixgill Organization ID. | + | Organization id | String | No | Optional filter to fetch alerts specific to + a particular Cybersixgill Organization ID. | - | Threat Level | String | No | Optional filter to retrieve alerts matching a specific - threat level (e.g., 'imminent'). | + | Threat Level | String | No | Filter alerts by threat level (e.g., 'imminent'). + | - | Threat Type | String | No | Optional comma-separated list of threat types to - filter the results. | + | Threat Type | String | No | Filter alerts by threat type. Supports a comma-separated + list of types. | - | DeviceProductField | String | Yes | The field name used to identify the device - product in Google SecOps. | + | DeviceProductField | String | Yes | The field name used to determine the device + product in the SOAR (default: Cybersixgill Actionable Alerts). | - | EventClassId | String | Yes | The field name used to identify the event name - or sub-type in Google SecOps. | + | EventClassId | String | Yes | The field name used to determine the event name/sub-type + (default: Cybersixgill Actionable Alerts). | - | PythonProcessTimeout | String | Yes | The maximum time (in seconds) allowed - for the connector script to run. | + | PythonProcessTimeout | String | Yes | The timeout limit in seconds for the connector + execution process. | ### Flow Description - 1. **Authentication**: The connector establishes a connection to the Cybersixgill - API using the provided Client ID and Client Secret. - - 2. **Time Range Determination**: It calculates the time window for fetching alerts - by checking the last saved timestamp. On the first run, it defaults to a 30-day - lookback period. - - 3. **Alert Retrieval**: The connector queries the Cybersixgill Actionable Alerts - bulk API, applying configured filters for limit, threat level, threat type, and - organization ID. - - 4. **Detailed Enrichment**: For each retrieved alert, the connector performs a - secondary call to fetch full alert details, including descriptions, asset attributes, - and recommendations. - - 5. **CVE & Sub-Alert Processing**: If the alert contains vulnerability data, it - extracts CVE IDs, CVSS scores, and DVE scores. It also parses any associated sub-alerts - into a formatted HTML table for better visibility. - - 6. **Case Creation**: The processed data is mapped to the Google SecOps AlertInfo - model. Alerts marked as 'imminent' are assigned Critical priority, while others - are assigned High priority. - - 7. **Ingestion & Checkpointing**: The alerts are ingested into Google SecOps, - and the timestamp of the most recent alert is saved to ensure subsequent runs - only fetch new data. + 1. **Authentication**: The connector authenticates with the Cybersixgill API using + the provided Client ID and Client Secret to establish a session. + + 2. **Time Range Calculation**: It determines the fetch window. On the first run, + it defaults to a look-back period (typically 30 days); on subsequent runs, it + fetches alerts starting from the timestamp of the last ingested alert. + + 3. **Alert Retrieval**: Queries the Cybersixgill Actionable Alerts API for new + alerts, applying filters for Threat Level, Threat Type, and Organization ID if + configured. + + 4. **Data Enrichment**: For each retrieved alert, the connector fetches full details, + including: + * **Metadata**: Title, description, and threat assessment. + * **Contextual Links**: Direct URLs to the Cybersixgill Portal for the specific + alert. + * **CVE Data**: If the alert is vulnerability-related, it extracts CVE IDs, + CVSS scores (v2/v3), and DVE (Dynamic Vulnerability Exploit) scores. + * **Sub-Alerts**: Aggregates related sub-events into an HTML-formatted table + for better visibility within the SOAR case wall. + 5. **Case Creation**: Maps the enriched data into the Google SecOps AlertInfo + model, assigning priorities based on the threat level (e.g., 'imminent' alerts + are mapped to Critical priority). + + 6. **State Management**: Saves the timestamp of the most recent alert to ensure + subsequent runs only process new data. diff --git a/content/response_integrations/third_party/community/cybersixgill_darkfeed/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/cybersixgill_darkfeed/resources/ai/actions_ai_description.yaml index b3818783c..c987a6d3a 100644 --- a/content/response_integrations/third_party/community/cybersixgill_darkfeed/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/cybersixgill_darkfeed/resources/ai/actions_ai_description.yaml @@ -1,39 +1,67 @@ Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Ping** action is designed to verify the connectivity between Google SecOps - and the Cybersixgill Darkfeed service. It serves as a diagnostic tool to ensure - that the integration's configuration parameters, specifically the Client ID and - Client Secret, are correct and that the SecOps environment can successfully authenticate - with the Cybersixgill API. + The **Ping** action is used to verify the connectivity between Google SecOps and + the Cybersixgill Darkfeed platform. It ensures that the integration's configuration + parameters, specifically the **Client ID** and **Client Secret**, are correct + and that the Cybersixgill API is accessible. - ### Flow Description + ### Parameters Description - 1. **Configuration Extraction**: The action retrieves the `Client Id` and `Client - Secret` from the integration's global configuration. + There are no input parameters for this action. It relies solely on the integration's + global configuration. - 2. **Manager Initialization**: It initializes the `SixgillEnrichManager` using - the extracted credentials. - 3. **Authentication Check**: The manager attempts to create a Sixgill client and - perform a handshake by requesting an access token from the Cybersixgill API. + ### Additional Notes - 4. **Execution Completion**: If the access token is successfully retrieved, the - action returns a success message and a boolean `True` result. If the authentication - fails or a network error occurs, the action raises an error and reports the failure. + This action is typically used during the initial setup of the integration or for + troubleshooting connectivity issues. Per standard SOAR practices, Ping actions + are not categorized as enrichment actions. - ### Parameters Description + ### Flow Description - This action does not require any input parameters. + 1. **Extract Configuration:** The action retrieves the `Client Id` and `Client + Secret` from the integration settings. + 2. **Initialize Manager:** It initializes the `SixgillEnrichManager` with the + retrieved credentials. - ### Additional Notes + 3. **Authentication Test:** The manager attempts to authenticate with the Cybersixgill + API by requesting an access token. - As per standard SOAR practices, this action is used to validate the health of - the integration connector and does not process any entities or modify any data. + 4. **Result Reporting:** If the token is successfully retrieved, the action completes + with a success status. If authentication fails, an error is raised. capabilities: can_create_case_comments: false can_create_insight: false @@ -47,7 +75,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -61,28 +89,3 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/community/cybersixgill_darkfeed/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/cybersixgill_darkfeed/resources/ai/connectors_ai_description.yaml index ea8c965f3..dbfec9281 100644 --- a/content/response_integrations/third_party/community/cybersixgill_darkfeed/resources/ai/connectors_ai_description.yaml +++ b/content/response_integrations/third_party/community/cybersixgill_darkfeed/resources/ai/connectors_ai_description.yaml @@ -2,11 +2,11 @@ Cybersixgill - Darkfeed Connector: ai_description: >- ### General Description - The Cybersixgill Darkfeed connector integrates Google SecOps with Cybersixgill's - automated feed of malicious indicators of compromise (IOCs). It fetches real-time - data from the deep and dark web, including domains, URLs, hashes, and IP addresses. - This connector allows security teams to preemptively ingest actionable threat - intelligence into the SOAR platform for automated blocking and investigation. + The Cybersixgill Darkfeed connector integrates with Cybersixgill's automated threat + intelligence platform to ingest malicious Indicators of Compromise (IOCs) sourced + from the deep and dark web. It provides real-time, actionable data including domains, + URLs, hashes, and IP addresses, enabling security teams to preemptively identify + and block threats within the Google SecOps environment. ### Parameters Description @@ -19,46 +19,41 @@ Cybersixgill - Darkfeed Connector: python process running the current script. | | EventClassId | String | Yes | The field name used to determine the event name - (sub-type). Default is 'Cybersixgill Darkfeed '. | + (sub-type). | | DeviceProductField | String | Yes | The field name used to determine the device - product. Default is 'Cybersixgill Darkfeed '. | + product. | - | Client Secret | Password | Yes | The Secret Key provided by Cybersixgill for - API authentication. | + | Client Secret | Password | Yes | The Secret Key used for authentication with + Cybersixgill. | - | Client Id | String | Yes | The Client ID provided by Cybersixgill for API authentication. + | Client Id | String | Yes | The Client ID used for authentication with Cybersixgill. | - | Alerts Limit | Integer | Yes | The maximum number of indicators/alerts to be - ingested into the platform per execution cycle. | + | Alerts Limit | Integer | Yes | The maximum number of alerts to be ingested into + the platform per execution cycle. | ### Flow Description - 1. **Authentication**: The connector establishes a connection with the Cybersixgill - API using the provided Client ID and Client Secret. + 1. **Authentication**: The connector authenticates with the Cybersixgill API using + the provided Client ID and Client Secret. - 2. **Data Retrieval**: It queries the Cybersixgill Darkfeed stream to retrieve - a bundle of indicators, limited by the 'Alerts Limit' parameter. + 2. **Data Retrieval**: It queries the Cybersixgill Darkfeed stream for a batch + of indicators, limited by the "Alerts Limit" parameter. - 3. **Filtering**: The script filters the retrieved objects to identify valid indicators - and excludes any that have been marked as 'revoked'. + 3. **Filtering**: The connector filters the retrieved objects to ensure they are + valid indicators and have not been revoked. - 4. **IOC Extraction**: It parses the STIX-formatted patterns within the indicators - using regular expressions to extract specific IOC values, such as MD5/SHA hashes, - URLs, domains, and IPv4 addresses. + 4. **Parsing**: For each indicator, the connector parses the STIX pattern to extract + specific IOC types such as MD5, SHA-1, SHA-256 hashes, URLs, domains, and IPv4 + addresses. - 5. **Metadata Enrichment**: Each event is enriched with Cybersixgill-specific - metadata, including actor information, feed source, confidence levels, severity, - and external references (such as VirusTotal positive rates or MITRE ATT&CK tactics). + 5. **Enrichment**: It enriches the event data with additional context, including + VirusTotal positive rates and MITRE ATT&CK tactics/descriptions where available. - 6. **Alert Creation**: The connector maps the processed indicator data into Google - SecOps AlertInfo objects, assigning a default priority of 'Medium' (60). + 6. **Case Creation**: Each indicator is mapped to a Google SecOps Alert and Event, + then ingested into the system. - 7. **Checkpointing**: It calls the `commit_indicators` method to acknowledge the - processed data, ensuring that the same indicators are not ingested multiple times - in subsequent runs. - - 8. **Ingestion**: The final list of alerts is returned to the Google SecOps platform - for case creation. + 7. **Checkpointing**: The connector commits the processed indicators back to the + Cybersixgill client to ensure subsequent runs fetch only new data. diff --git a/content/response_integrations/third_party/community/cybersixgill_darkfeed_enrichment/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/cybersixgill_darkfeed_enrichment/resources/ai/actions_ai_description.yaml index 274b05be5..cd344ef28 100644 --- a/content/response_integrations/third_party/community/cybersixgill_darkfeed_enrichment/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/cybersixgill_darkfeed_enrichment/resources/ai/actions_ai_description.yaml @@ -1,53 +1,61 @@ Enrich Actor: - ai_description: >- - Enriches Threat Actor entities using Cybersixgill Darkfeed intelligence to provide - a comprehensive view of their underground activity. The action retrieves IOCs - shared by the actor in the last 90 days, identifies their areas of activity, choice - of targets, and techniques used. It updates the entity's metadata within Google - SecOps, marks it as suspicious, and generates detailed insights including links - to the Cybersixgill portal, VirusTotal, and MITRE ATT&CK frameworks. - - - ### Flow Description: - - 1. **Configuration Extraction:** Retrieves the Client ID and Client Secret from - the integration configuration. - - 2. **Entity Filtering:** Identifies and processes only Threat Actor entities from - the current context. - - 3. **Data Retrieval:** Queries the Cybersixgill API to fetch enrichment data specific - to the threat actor's identifier. - - 4. **Entity Enrichment:** Updates the entity's internal state by setting `is_enriched` - and `is_suspicious` to true, and populates `additional_properties` with detailed - intelligence (e.g., feed name, source, post titles, confidence, and severity). - - 5. **Insight Generation:** Creates a case insight containing a summary of the - actor's activity and adds data tables for structured visualization. - - 6. **Link Association:** Adds external links to the entity for direct access to - the Cybersixgill portal and related threat intelligence sources. - - - ### Parameters Description: - - | Parameter Name | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Client Id | String | Yes | The API Client ID used to authenticate with Cybersixgill - services. | - - | Client Secret | String | Yes | The API Client Secret used to authenticate with - Cybersixgill services. | - - - ### Additional Notes: - - This action specifically targets the `THREATACTOR` entity type. While the underlying - processor supports other types, this specific implementation is scoped to actors - to provide deep underground context. + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "### General Description\nEnriches Threat Actor entities using Cybersixgill\ + \ Darkfeed intelligence. This action retrieves a comprehensive profile of a threat\ + \ actor's activity within underground forums and dark web sources over the last\ + \ 90 days. It identifies shared Indicators of Compromise (IOCs), areas of activity,\ + \ preferred targets, and techniques used by the actor. The retrieved data is used\ + \ to update entity attributes, add detailed properties, and generate insights\ + \ and data tables within the case for better analyst visibility.\n\n### Parameters\ + \ Description\n| Parameter Name | Expected Type | Mandatory | Description |\n\ + | :--- | :--- | :--- | :--- |\n| None | N/A | N/A | This action does not have\ + \ any specific input parameters. It relies on the integration's configuration\ + \ (Client ID and Client Secret) and the entities present in the case. |\n\n###\ + \ Additional Notes\n- This action specifically targets entities of type `THREATACTOR`.\n\ + - It automatically marks enriched entities as 'Suspicious' and 'Enriched' within\ + \ the Google SecOps platform.\n- The action provides deep links to the Cybersixgill\ + \ portal for each identified post or activity.\n\n### Flow Description\n1. **Initialization**:\ + \ The action initializes the Cybersixgill manager using the integration's Client\ + \ ID and Client Secret.\n2. **Entity Identification**: It identifies all `THREATACTOR`\ + \ entities within the current alert or case context.\n3. **Data Retrieval**: For\ + \ each identified actor, the action queries the Cybersixgill API to fetch intelligence\ + \ data, focusing on activity from the last 90 days.\n4. **Data Processing**: The\ + \ results are parsed to extract key information, including post titles, source\ + \ feeds, severity, confidence scores, and external references like MITRE ATT&CK\ + \ tactics/techniques or VirusTotal scores.\n5. **Internal Mutation (Enrichment)**:\ + \ \n - Updates the entity's `additional_properties` with the retrieved Sixgill\ + \ metadata.\n - Sets the entity's `is_enriched` and `is_suspicious` flags to\ + \ true.\n6. **Reporting**: \n - Generates a detailed Case Insight containing\ + \ the actor's activity summary.\n - Adds a Data Table to the entity with structured\ + \ information about the findings.\n - Adds external links to the entity for\ + \ direct access to the Cybersixgill portal." capabilities: can_create_case_comments: false can_create_insight: true @@ -58,14 +66,13 @@ Enrich Actor: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity attributes (is_enriched, is_suspicious, additional_properties), - creates case insights, adds entity tables, and associates external links with - entities. + Updates entity attributes (is_enriched, is_suspicious), adds custom entity properties, + creates case insights, and adds data tables to entities. categories: enrichment: true entity_usage: entity_types: - - THREATACTOR + - THREATACTOR filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -79,6 +86,7 @@ Enrich Actor: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Enrich Domain: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -92,66 +100,63 @@ Enrich Actor: enrich_asset: false enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Enrich Domain: ai_description: >- - Enriches Domain (Hostname) entities using Cybersixgill Darkfeed threat intelligence. - This action identifies if a domain is associated with compromised sites or is - being sold on the dark web. It retrieves detailed metadata including feed names, - actors, post titles, and external references to VirusTotal and MITRE ATT&CK. The - action updates the entity's suspicious status, adds enrichment attributes, and - generates detailed case insights and data tables for analyst review. - + Enriches Hostname entities using Cybersixgill Darkfeed intelligence. This action + identifies domains associated with compromised sites or those listed for sale + on the dark web. It retrieves comprehensive threat intelligence, including actor + details, post titles, severity, and confidence scores. The action updates entity + attributes, marks entities as suspicious when matches are found, and generates + detailed case insights and data tables for analyst review. - ### Flow Description: - 1. **Credential Extraction:** Retrieves the Client ID and Client Secret from the - integration configuration. + ### Parameters - 2. **Entity Filtering:** Identifies all Hostname entities within the current context. + | Parameter | Description | Type | Mandatory | - 3. **Intelligence Retrieval:** Queries the Cybersixgill API for each domain to - find matches in dark web feeds. + | :--- | :--- | :--- | :--- | - 4. **Entity Enrichment:** Updates the entity's internal state (marking it as enriched - and suspicious) and populates additional properties with Sixgill metadata. + | None | This action does not have any input parameters. | N/A | N/A | - 5. **Insight Generation:** Creates a detailed case insight containing a summary - of the threat intelligence and adds a data table to the entity for structured - viewing. - 6. **External Linking:** Adds links to the Cybersixgill portal and other external - references (like VirusTotal) to the entity. + ### Additional Notes + - This action specifically targets Hostname entities to perform domain-based enrichment. - ### Parameters Description: + - It automatically marks entities as suspicious if threat intelligence is found + in the Cybersixgill database. - | Parameter Name | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + ### Flow Description - | Client Id | String | Yes | The API Client ID used to authenticate with Cybersixgill - services. | + 1. **Credential Retrieval**: Extracts the Client ID and Client Secret from the + integration configuration. - | Client Secret | String | Yes | The API Client Secret used to authenticate with - Cybersixgill services. | + 2. **Entity Filtering**: Identifies Hostname entities within the current context. + 3. **External Lookup**: Queries the Cybersixgill Darkfeed API for each domain + to check for dark web presence or compromise. - ### Additional Notes: + 4. **Internal Enrichment**: Updates the entity's additional properties with Sixgill + metadata and marks the entity as suspicious and enriched. - This action specifically targets Hostname entities. While the underlying processor - supports other types, this specific action script restricts processing to Hostnames. + 5. **Reporting**: Generates a case insight, adds a data table to the entity, and + provides external links (e.g., to the Sixgill Portal or VirusTotal) for further + investigation. capabilities: can_create_case_comments: false can_create_insight: true @@ -162,13 +167,14 @@ Enrich Domain: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity attributes including 'is_enriched', 'is_suspicious', and 'additional_properties'. - It also creates case insights and entity data tables. + Updates entity attributes (additional properties), sets the 'is_suspicious' + and 'is_enriched' flags, creates case insights, and adds data tables containing + dark web intelligence. categories: enrichment: true entity_usage: entity_types: - - HOSTNAME + - HOSTNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -182,6 +188,7 @@ Enrich Domain: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Enrich Hash: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -195,41 +202,44 @@ Enrich Domain: enrich_asset: false enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Enrich Hash: ai_description: "Enriches File Hash entities using Cybersixgill Darkfeed intelligence.\ - \ This action proactively investigates malware hashes by searching for them on\ - \ the dark web, providing context even for malware undetected by traditional antivirus\ - \ vendors. It retrieves comprehensive threat intelligence, including actor attribution,\ - \ malware family details, and cross-references with VirusTotal and MITRE ATT&CK\ - \ frameworks.\n\n### Flow Description:\n1. **Credential Retrieval:** Extracts\ - \ the Cybersixgill Client ID and Client Secret from the integration configuration.\n\ - 2. **Entity Filtering:** Identifies all File Hash entities within the current\ - \ context.\n3. **Data Retrieval:** Queries the Cybersixgill Darkfeed API for each\ - \ hash to retrieve enrichment data.\n4. **Internal Enrichment:** Updates the entities\ - \ in Google SecOps by marking them as enriched and suspicious, and populates additional\ - \ properties with metadata such as feed names, confidence scores, and severity.\n\ - 5. **Insight Generation:** Creates detailed case insights and data tables containing\ - \ technical details, VirusTotal positive rates, and MITRE ATT&CK tactics/techniques.\n\ - 6. **Link Association:** Adds external links to the entities, pointing to the\ - \ Cybersixgill Portal, VirusTotal, and MITRE documentation.\n\n### Parameters\ - \ Description:\n| Parameter Name | Type | Mandatory | Description |\n| :--- |\ - \ :--- | :--- | :--- |\n| None | N/A | No | This action does not require any manual\ - \ input parameters; it operates directly on the entities present in the case.\ - \ |\n\n### Additional Notes:\n* This action specifically targets `FILEHASH` entities.\ - \ \n* It automatically marks enriched entities as 'Suspicious' within the platform\ - \ if data is found in the Cybersixgill feed." + \ This action proactively analyzes and investigates malware hashes as they emerge\ + \ on the dark web, providing context on malware that may be undetected by traditional\ + \ antivirus vendors. It retrieves detailed metadata including feed names, source\ + \ information, actor attribution, and cross-references with VirusTotal and MITRE\ + \ ATT&CK frameworks.\n\n### Flow Description:\n1. **Credential Retrieval:** Extracts\ + \ the Client ID and Client Secret from the integration configuration.\n2. **Entity\ + \ Filtering:** Identifies all File Hash entities within the current context.\n\ + 3. **External Query:** For each hash, it queries the Cybersixgill Darkfeed API\ + \ to retrieve enrichment data.\n4. **Internal Enrichment:** \n * Updates the\ + \ entity's suspicious and enriched status.\n * Populates the entity's additional\ + \ properties with Sixgill-specific metadata (e.g., Confidence, Severity, Actor).\n\ + \ * Maps and adds related hashes (MD5, SHA-1, SHA-256) found in the STIX patterns.\n\ + 5. **Reporting:** \n * Generates a detailed Case Insight for each entity containing\ + \ a summary of the findings.\n * Adds a data table to the entity with comprehensive\ + \ technical details.\n * Attaches external links to the Cybersixgill portal,\ + \ VirusTotal, and MITRE ATT&CK for further investigation.\n\n### Parameters Description:\n\ + | Parameter Name | Type | Mandatory | Description |\n| :--- | :--- | :--- | :---\ + \ |\n| None | N/A | N/A | This action does not have any action-specific parameters;\ + \ it relies on the integration's global configuration for authentication. |\n\n\ + ### Additional Notes:\n* This action specifically targets `FILEHASH` entities.\ + \ \n* It automatically marks enriched entities as 'Suspicious' if data is found\ + \ in the Cybersixgill feed." capabilities: can_create_case_comments: false can_create_insight: true @@ -240,13 +250,13 @@ Enrich Hash: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity attributes including 'is_enriched', 'is_suspicious', and 'additional_properties'. - It also creates case insights and data tables. + Updates entity attributes (is_enriched, is_suspicious, additional_properties) + and creates case insights and data tables within Google SecOps. categories: enrichment: true entity_usage: entity_types: - - FILEHASH + - FILEHASH filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -260,6 +270,7 @@ Enrich Hash: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Enrich IP: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -273,74 +284,70 @@ Enrich Hash: enrich_asset: false enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Enrich IP: ai_description: >- ### General Description Enriches IP Address entities using Cybersixgill Darkfeed threat intelligence. - This action identifies if an IP is associated with malicious activities such as - Command and Control (C&C) servers, botnets, DDoS attacks, or compromised RDP addresses. - It retrieves detailed metadata including feed names, actors, confidence scores, - and severity levels. The action automatically marks the entity as suspicious and - enriched in Google SecOps, adds a detailed case insight, attaches a data table - with the findings, and provides direct links to the Cybersixgill portal and external - references like VirusTotal or MITRE ATT&CK. + This action retrieves detailed context regarding indicators of compromise (IOCs), + including associations with C&C servers, botnets, DDoS attacks, proxy anonymization, + and compromised RDP addresses. It provides reputation data, confidence scores, + and severity levels to help analysts assess the risk of specific IP addresses. ### Parameters Description - | Parameter | Type | Mandatory | Description | + | Parameter Name | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | None | N/A | N/A | This action does not have any action-specific parameters. - It relies on the integration's configuration for authentication. | + | None | N/A | N/A | This action does not require any user-provided parameters; + it uses global integration configuration for credentials. | ### Additional Notes - - The action uses the **Client Id** and **Client Secret** configured at the integration - level for authentication. + * **Internal Updates:** This action automatically marks enriched entities as + 'Suspicious' and 'Enriched' within the Google SecOps platform if data is found. - - Entities found in the Cybersixgill Darkfeed are automatically marked as **Suspicious** - and **Enriched**. - - - The action specifically targets **IP Address** entities. + * **External Links:** The action generates links to the Cybersixgill Portal, + VirusTotal, and MITRE ATT&CK documentation where applicable. ### Flow Description - 1. **Authentication**: The action retrieves the Client ID and Client Secret from - the integration configuration to authenticate with the Cybersixgill API. + 1. **Credential Retrieval:** Extracts the Client ID and Client Secret from the + integration configuration. - 2. **Entity Filtering**: It identifies all IP Address entities within the current - context. + 2. **Entity Filtering:** Identifies all IP Address entities within the current + alert scope. - 3. **Data Retrieval**: For each IP, it queries the Cybersixgill Darkfeed to find - matching threat indicators. + 3. **Data Retrieval:** Queries the Cybersixgill Darkfeed API for each identified + IP address to fetch enrichment data. - 4. **Entity Enrichment**: If data is found, the entity is marked as 'Suspicious' - and 'Enriched'. Additional properties (e.g., Sixgill Feedname, Actor, Confidence) - are added to the entity's metadata. + 4. **Entity Enrichment:** Updates the entity's additional properties with metadata + such as feed name, source, actor, confidence, and severity. It also sets the entity's + status to 'Suspicious' and 'Enriched'. - 5. **Insight Generation**: A comprehensive case insight is created, summarizing - the threat intelligence. + 5. **Insight Generation:** Creates a detailed Case Insight for each enriched + entity, summarizing the threat intelligence found. - 6. **Result Visualization**: A data table is attached to the entity for easy review, - and external links (e.g., to the Cybersixgill Portal or VirusTotal) are added - to the entity's links section. + 6. **UI Enhancement:** Adds data tables to the entity view and provides direct + links to external analysis tools (VirusTotal, MITRE) and the Cybersixgill portal. capabilities: can_create_case_comments: false can_create_insight: true @@ -351,14 +358,13 @@ Enrich IP: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action updates entity attributes (is_suspicious, is_enriched, additional_properties), - creates case insights, adds entity links, and attaches data tables to entities - within Google SecOps. + Updates entity attributes including 'is_enriched', 'is_suspicious', and 'additional_properties'. + It also creates case insights and adds entity links/tables. categories: enrichment: true entity_usage: entity_types: - - ADDRESS + - ADDRESS filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -372,6 +378,7 @@ Enrich IP: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Enrich URL: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -385,63 +392,47 @@ Enrich IP: enrich_asset: false enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Enrich URL: - ai_description: >- - ### General Description - - Enriches URL entities using Cybersixgill Darkfeed threat intelligence. This action - identifies and investigates malware-related URLs shared on underground file-sharing - and paste sites. It provides detailed context such as feed names, actors, confidence - scores, and severity levels to help analysts assess the risk associated with specific - URLs. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | None | N/A | N/A | This action does not have any input parameters. | - - - ### Additional Notes - - This action requires valid Cybersixgill API credentials (Client Id and Client - Secret) to be configured in the integration settings. It automatically marks enriched - entities as suspicious and enriched within the Google SecOps platform. - - - ### Flow Description - - 1. **Authentication**: Extracts Cybersixgill credentials from the integration - configuration. - - 2. **Entity Filtering**: Identifies URL entities within the current case context. - - 3. **Data Retrieval**: Queries the Cybersixgill Darkfeed API for each identified - URL to retrieve relevant threat intelligence. - - 4. **Entity Enrichment**: Updates the URL entities with enriched metadata, including - descriptions, feed names, actors, confidence, and severity. - - 5. **Internal State Update**: Marks the entities as suspicious and enriched, and - updates their additional properties. - - 6. **Insight Generation**: Creates case insights, data tables, and external links - (to the Cybersixgill portal, VirusTotal, or Mitre Attack) for analyst review. + ai_description: "Enriches URL entities using Cybersixgill Darkfeed threat intelligence.\ + \ This action identifies and investigates URLs shared or hosted on underground\ + \ file-sharing and paste sites, providing context on malware associations and\ + \ actor activity.\n\n### General Description\nThe action retrieves detailed threat\ + \ intelligence for URL entities from Cybersixgill. It evaluates the URL's reputation,\ + \ identifies associated threat actors, and extracts metadata such as severity,\ + \ confidence scores, and source information. The results are used to update the\ + \ entity's status within Google SecOps, create detailed insights, and provide\ + \ direct links to the Cybersixgill portal for deeper investigation.\n\n### Parameters\ + \ Description\nThere are no parameters for this action.\n\n### Additional Notes\n\ + - The action automatically marks enriched entities as 'Suspicious' if data is\ + \ found in the Cybersixgill database.\n- It extracts and maps STIX-based indicators\ + \ (like MD5/SHA hashes) found in the threat patterns to the entity's additional\ + \ properties.\n\n### Flow Description\n1. **Credential Extraction**: Retrieves\ + \ the Client ID and Client Secret from the integration configuration.\n2. **Entity\ + \ Filtering**: Identifies all URL entities within the current alert scope.\n3.\ + \ **External Query**: For each URL, it queries the Cybersixgill Enrich API to\ + \ fetch associated threat data.\n4. **Internal Data Mutation**: \n - Updates\ + \ the entity's `is_enriched` and `is_suspicious` flags.\n - Populates the entity's\ + \ `additional_properties` with Sixgill metadata (e.g., Feed Name, Actor, Severity).\n\ + 5. **Insight & Table Generation**: \n - Creates a detailed Case Insight containing\ + \ a summary of the threat intelligence.\n - Adds a Data Table to the entity\ + \ with structured fields like VirusTotal positive rates and MITRE ATT&CK mappings.\n\ + 6. **Link Association**: Adds external links to the entity that point directly\ + \ to the Cybersixgill portal and relevant external references (e.g., VirusTotal,\ + \ MITRE)." capabilities: can_create_case_comments: false can_create_insight: true @@ -452,13 +443,13 @@ Enrich URL: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity attributes (additional properties), marks entities as suspicious - and enriched, creates case insights, and adds entity tables and links. + Updates entity attributes (is_enriched, is_suspicious, additional_properties), + creates case insights, adds entity tables, and adds entity links. categories: enrichment: true entity_usage: entity_types: - - DestinationURL + - DestinationURL filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -472,6 +463,7 @@ Enrich URL: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -483,48 +475,62 @@ Enrich URL: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: true + enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: ai_description: >- - The Ping action is designed to verify the connectivity between the Google SecOps - platform and the Cybersixgill Darkfeed Enrichment service. It ensures that the - provided API credentials (Client ID and Client Secret) are valid and that the - network path to the service is open. + ### General Description + The **Ping** action is a diagnostic tool designed to verify the connectivity between + the Google SecOps platform and the Cybersixgill Darkfeed Enrichment service. Its + primary purpose is to ensure that the integration is correctly configured and + that the provided API credentials (Client ID and Client Secret) are valid and + authorized to make requests. - ### Flow Description - 1. **Configuration Extraction:** The action retrieves the 'Client Id' and 'Client - Secret' from the integration's configuration settings. + ### Parameters Description + + There are no user-configurable parameters for this action. It relies solely on + the integration's global configuration settings. - 2. **Manager Initialization:** It initializes the `SixgillEnrichManager` and `SixgillActionResultProcessor` - using the extracted credentials. - 3. **Connectivity Test:** The action executes the `test_connectivity` method, - which attempts to perform a sample IOC enrichment request for a hardcoded IP address - (8.8.8.8) to confirm the API is responsive. + ### Additional Notes - 4. **Result Reporting:** Based on the success or failure of the API call, the - action returns a completion status and a descriptive message to the SOAR workbench. + - This action performs a live API call to Cybersixgill using a hardcoded test + indicator (IP: `8.8.8.8`) to confirm end-to-end communication. + - It is recommended to run this action during the initial setup of the integration + or when troubleshooting authentication errors. - ### Parameters Description - There are no action-specific parameters for this action. It relies entirely on - the integration's global configuration parameters (Client Id and Client Secret). + ### Flow Description + + 1. **Configuration Extraction**: The action retrieves the `Client Id` and `Client + Secret` from the integration's configuration. + + 2. **Manager Initialization**: It initializes the `SixgillEnrichManager` and the + `SixgillActionResultProcessor` using the extracted credentials. + + 3. **Connectivity Test**: The action calls the `test_connectivity` method, which + attempts to create a Cybersixgill client and perform a sample enrichment request + for the IP address `8.8.8.8`. + + 4. **Result Reporting**: Based on the success or failure of the API call, the + action returns a completion status and a descriptive message to the SOAR interface. capabilities: can_create_case_comments: false can_create_insight: false @@ -533,12 +539,12 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -552,28 +558,3 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/community/cybersixgill_dve_enrichment/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/cybersixgill_dve_enrichment/resources/ai/actions_ai_description.yaml index 1700b6bdb..17d3b9230 100644 --- a/content/response_integrations/third_party/community/cybersixgill_dve_enrichment/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/cybersixgill_dve_enrichment/resources/ai/actions_ai_description.yaml @@ -1,27 +1,51 @@ Enrich CVE: - ai_description: "Enriches CVE entities using Cybersixgill's Dynamic Vulnerability\ - \ Exploit (DVE) Score and threat intelligence. This action retrieves deep and\ - \ dark web context for vulnerabilities, including exploit probability, trending\ - \ status, and NVD metadata. It enhances the security analyst's ability to prioritize\ - \ vulnerabilities by providing real-time risk scores and technical details directly\ - \ within the case.\n\n### Flow Description:\n1. **Credential Retrieval:** Extracts\ - \ the Cybersixgill Client ID and Client Secret from the integration configuration.\n\ - 2. **Entity Filtering:** Iterates through the target entities in the current context,\ - \ specifically identifying those of type `CVE`.\n3. **External Query:** For each\ - \ CVE, it queries the Cybersixgill API to fetch the DVE score and associated STIX-based\ - \ threat intelligence.\n4. **Internal Enrichment:** \n * Updates the entity's\ - \ additional properties with Cybersixgill-prefixed attributes.\n * Marks the\ - \ entity as enriched within the SOAR platform.\n5. **Reporting:** \n * Generates\ - \ a detailed Case Insight containing descriptions, scores, and NVD links.\n \ - \ * Adds a structured data table to the entity for quick reference of CVSS scores\ - \ and exploitability metrics.\n * Attaches the raw JSON response to the action\ - \ results.\n\n### Parameters Description:\n| Parameter Name | Type | Mandatory\ - \ | Description |\n| :--- | :--- | :--- | :--- |\n| None | N/A | N/A | This action\ - \ does not require any runtime parameters; it uses the integration's global configuration\ - \ and the entities present in the case. |\n\n### Additional Notes:\n* This action\ - \ specifically targets `CVE` entity types. Other entity types will be logged as\ - \ invalid and skipped.\n* The enrichment includes both Cybersixgill proprietary\ - \ scores (DVE) and standard NVD (National Vulnerability Database) data." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "Enriches CVE entities with Cybersixgill\u2019s Dynamic Vulnerability\ + \ Exploit (DVE) Score and associated threat intelligence. This action retrieves\ + \ deep and dark web context for vulnerabilities, including trending status, exploit\ + \ probability, and NVD metadata. The gathered intelligence is used to update entity\ + \ attributes, create detailed case insights, and generate data tables for analyst\ + \ review.\n\n### Flow Description:\n1. **Credential Extraction:** Retrieves the\ + \ Cybersixgill Client ID and Client Secret from the integration configuration.\n\ + 2. **Entity Filtering:** Identifies CVE entities within the current case scope.\n\ + 3. **External Enrichment:** Queries the Cybersixgill API for each CVE to fetch\ + \ DVE scores and vulnerability context.\n4. **Internal Data Update:** Updates\ + \ the SecOps entities with enriched properties (prefixed with 'Cybersixgill')\ + \ and marks them as enriched.\n5. **Insight & Table Generation:** Creates a case\ + \ insight summarizing the vulnerability risk and adds a detailed data table containing\ + \ CVSS scores, NVD links, and exploitability metrics.\n\n### Parameters Description:\n\ + | Parameter Name | Expected Type | Mandatory | Description |\n| :--- | :--- |\ + \ :--- | :--- |\n| None | N/A | N/A | This action does not have any specific input\ + \ parameters; it operates on the CVE entities present in the case. |\n\n### Additional\ + \ Notes:\n- This action specifically targets entities of type `CVE`.\n- The enrichment\ + \ includes both Cybersixgill proprietary scores (DVE) and standard NVD data." capabilities: can_create_case_comments: false can_create_insight: true @@ -32,13 +56,13 @@ Enrich CVE: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action updates entity properties, sets the 'is_enriched' flag, and creates - case insights and data tables within the SOAR platform. + Updates entity attributes with Cybersixgill DVE data, sets the 'is_enriched' + flag on entities, and creates case insights and entity tables. categories: enrichment: true entity_usage: entity_types: - - CVE + - CVE filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -52,6 +76,7 @@ Enrich CVE: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -63,59 +88,59 @@ Enrich CVE: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: true + enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: ai_description: >- ### General Description - The **Ping** action is a diagnostic utility designed to verify the connectivity - between the Google SecOps platform and the Cybersixgill API. Its primary purpose - is to ensure that the integration's configuration parameters, specifically the - Client ID and Client Secret, are valid and that the environment can successfully - establish a network connection to the Cybersixgill service. + The Ping action is a diagnostic utility designed to verify the connectivity between + the Google SecOps platform and the Cybersixgill API. It ensures that the provided + credentials (Client ID and Client Secret) are valid and that the network path + to the Cybersixgill service is open. This action is typically used during the + initial setup of the integration or for troubleshooting purposes. ### Parameters Description - This action does not require any input parameters. It utilizes the global integration - configuration to perform the connectivity test. + There are no parameters for this action. - ### Flow Description + ### Additional Notes - 1. **Configuration Retrieval**: The action extracts the `Client Id` and `Client - Secret` from the integration's configuration settings. + This action does not process any entities or modify any data within the SOAR or + the external Cybersixgill environment. It strictly performs an authentication + check. - 2. **Manager Initialization**: It initializes the `SixgillEnrichManager` using - the extracted credentials. - 3. **Connectivity Verification**: The manager attempts to authenticate with the - Cybersixgill API by requesting an access token. This step validates both the credentials - and the network reachability. + ### Flow Description - 4. **Execution Completion**: The action concludes by returning a success message - and a boolean `True` if the connection is established, or a failure message and - `False` if an error occurs during the authentication process. + 1. **Configuration Extraction:** The action retrieves the 'Client Id' and 'Client + Secret' from the integration's global configuration. + 2. **Manager Initialization:** It initializes the `SixgillEnrichManager` using + the extracted credentials. - ### Additional Notes + 3. **Connectivity Test:** The manager attempts to authenticate with the Cybersixgill + service by requesting an access token via the `SixgillBaseClient`. - As a standard connectivity test, this action does not interact with entities, - fetch contextual threat intelligence, or modify any data within Google SecOps - or Cybersixgill. + 4. **Result Reporting:** Based on whether the token retrieval was successful, + the action returns a completion status (Success/Failed) and a descriptive message + to the user interface. capabilities: can_create_case_comments: false can_create_insight: false @@ -124,12 +149,12 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: false + fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -143,28 +168,3 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/community/cybersixgill_dve_feed/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/cybersixgill_dve_feed/resources/ai/actions_ai_description.yaml index d55bd2b5c..3aa4afb6f 100644 --- a/content/response_integrations/third_party/community/cybersixgill_dve_feed/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/cybersixgill_dve_feed/resources/ai/actions_ai_description.yaml @@ -1,39 +1,67 @@ Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Ping** action is a diagnostic utility designed to verify the connectivity - between the Google SecOps platform and the Cybersixgill API. Its primary purpose - is to validate that the configured credentials (Client ID and Client Secret) are - correct and that the Cybersixgill service is accessible from the environment. + The **Ping** action is a diagnostic tool used to verify the connectivity between + Google SecOps and the Cybersixgill platform. Its primary purpose is to validate + that the configured credentials (Client ID and Client Secret) are correct and + that the system can successfully authenticate with the Cybersixgill API. ### Parameters Description - There are no user-input parameters for this action. It relies entirely on the - integration's global configuration settings. + There are no input parameters for this action. It uses the global integration + configuration for authentication. - ### Additional Notes + ### Flow Description - This action is a standard connectivity check and does not process any entities - or modify any data within Google SecOps or Cybersixgill. + 1. **Credential Retrieval**: The action extracts the `Client Id` and `Client Secret` + from the integration's configuration parameters. + 2. **Client Initialization**: It initializes the Cybersixgill manager and base + client using the provided credentials. - ### Flow Description + 3. **Connectivity Test**: The action attempts to retrieve an access token from + the Cybersixgill API via the `get_access_token` method. - 1. **Configuration Retrieval**: The action extracts the `Client Id` and `Client - Secret` from the Cybersixgill integration settings. + 4. **Status Reporting**: If the token is successfully retrieved, the action returns + a success message and a boolean `True` result. If the authentication fails or + a network error occurs, an exception is raised. - 2. **Manager Initialization**: It initializes the `SixgillEnrichManager` using - the extracted credentials. - 3. **Authentication Check**: The manager attempts to establish a connection by - requesting an access token from the Cybersixgill API using the `SixgillBaseClient`. + ### Additional Notes - 4. **Execution Completion**: If the access token is successfully retrieved, the - action returns a success status and message. If the connection fails, it raises - a `SixgillManagerError`. + This action does not interact with any entities or modify any internal or external + data. It is used exclusively for testing the integration setup. capabilities: can_create_case_comments: false can_create_insight: false @@ -42,12 +70,12 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: false + fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -61,28 +89,3 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/community/cybersixgill_dve_feed/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/cybersixgill_dve_feed/resources/ai/connectors_ai_description.yaml index 54ea9a8e5..ee6360fb2 100644 --- a/content/response_integrations/third_party/community/cybersixgill_dve_feed/resources/ai/connectors_ai_description.yaml +++ b/content/response_integrations/third_party/community/cybersixgill_dve_feed/resources/ai/connectors_ai_description.yaml @@ -2,12 +2,12 @@ Cybersixgill - DVE Connector: ai_description: >- ### General Description - The Cybersixgill DVE Connector integrates with the Cybersixgill Dynamic Vulnerability - Exploit (DVE) feed to ingest vulnerability-related threat intelligence into Google - SecOps. It focuses on CVEs, providing real-time context on threat actor intent - and the probability of exploitation. This allows security teams to prioritize - vulnerabilities based on dynamic risk scores and dark web intelligence rather - than static severity metrics. + The Cybersixgill DVE Connector integrates Google SecOps with the Cybersixgill + Dynamic Vulnerability Exploit (DVE) Feed. This connector allows security teams + to ingest real-time intelligence regarding vulnerabilities (CVEs) and their likelihood + of exploitation. By leveraging Cybersixgill's unique DVE score, which is based + on threat actor intent and dark web activity, users can prioritize remediation + efforts for the most critical risks directly within the Google SecOps platform. ### Parameters Description @@ -16,46 +16,46 @@ Cybersixgill - DVE Connector: | :--- | :--- | :--- | :--- | - | Client Id | String | Yes | The Client ID for authenticating with the Cybersixgill - API. | + | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the + python process running the current script. | - | Client Secret | Password | Yes | The Secret Key for authenticating with the - Cybersixgill API. | + | EventClassId | String | Yes | The field name used to determine the event name + (sub-type) for the ingested data. | - | Alerts Limit | Integer | Yes | The maximum number of vulnerability alerts to - ingest in a single execution cycle. | + | DeviceProductField | String | Yes | The field name used to determine the device + product for the ingested data. | - | EventClassId | String | Yes | The field name used to determine the event name/sub-type. - Default is 'Cybersixgill DVE Feed'. | + | Client Secret | Password | Yes | The Secret Key used for authenticating with + the Cybersixgill API. | - | DeviceProductField | String | Yes | The field name used to determine the device - product. Default is 'Cybersixgill DVE Feed'. | + | Client Id | String | Yes | The Client ID used for authenticating with the Cybersixgill + API. | - | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the - python process running the current script. | + | Alerts Limit | Integer | Yes | The maximum number of vulnerability alerts to + be ingested into the platform per execution cycle. | ### Flow Description - 1. **Authentication**: The connector authenticates with the Cybersixgill API using - the provided Client ID and Client Secret. + 1. **Authentication**: The connector establishes a connection with the Cybersixgill + API using the provided Client ID and Client Secret. - 2. **Data Retrieval**: It establishes a connection to the Cybersixgill DVE Feed - stream using a dedicated channel ID. + 2. **Data Fetching**: It requests a bundle of vulnerability intelligence from + the Cybersixgill DVE Feed stream, limited by the 'Alerts Limit' parameter. - 3. **Fetching Indicators**: The connector fetches a bundle of vulnerability indicators - (CVEs) from the feed, limited by the 'Alerts Limit' parameter. + 3. **Filtering**: The script filters the raw response to identify valid indicator + objects (CVEs) for processing. - 4. **Filtering**: The script filters the retrieved objects to ensure only valid - indicators are processed for alert creation. + 4. **Alert Mapping**: For each identified vulnerability, the connector creates + a Google SecOps alert. It maps the CVE ID as the alert name and sets a default + priority of Medium (60). - 5. **Mapping**: Each vulnerability record is mapped to a Google SecOps Alert. - This includes enriching the alert with specific DVE metadata such as current scores, - highest historical scores, exploitation status, and NVD (National Vulnerability - Database) details like CVSS v2/v3 scores and vectors. + 5. **Event Enrichment**: Detailed metadata is extracted for each vulnerability, + including current and highest DVE scores, NVD CVSS scores (v2.0 and v3.1), severity + levels, and publication dates. - 6. **Ingestion**: The mapped alerts and their associated events are ingested into - the platform to create cases. + 6. **Ingestion**: The mapped alerts and enriched events are returned to Google + SecOps for case creation. - 7. **Checkpointing**: The connector commits the processed indicators back to the - Cybersixgill API to ensure that the same data is not re-ingested in future runs. + 7. **Commitment**: The connector commits the processed indicators to the Cybersixgill + client to ensure that the same data is not ingested multiple times in future runs. diff --git a/content/response_integrations/third_party/community/data_dog/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/data_dog/resources/ai/actions_ai_description.yaml index 905124703..a03faf1b8 100644 --- a/content/response_integrations/third_party/community/data_dog/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/data_dog/resources/ai/actions_ai_description.yaml @@ -1,45 +1,79 @@ Get Beautiful Metric: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - Analyzes a provided set of metric timeseries points from DataDog to generate statistical - summaries. This action does not fetch data directly from the DataDog API; instead, - it processes a JSON-formatted series object provided as an input parameter. It - calculates the sum, average, minimum, and maximum values for the metric data points - within the specified time range and returns these statistics along with metadata - such as the unit and aggregation method. + ### General Description + This action analyzes DataDog metric timeseries points provided as a JSON input. + It processes a list of data points to calculate statistical summaries, including + the sum, average, minimum, and maximum values within a specified time range. This + is primarily a utility action used to interpret raw metric data fetched in previous + playbook steps. - ### Flow Description - 1. **Parameter Extraction:** Retrieves the DataDog API/APP keys from the integration - configuration and the `Series` JSON object from the action parameters. + ### Parameters Description - 2. **Data Parsing:** Parses the `Series` input to extract the `pointlist` (the - actual metric values), `start` time, and `end` time. + | Parameter | Description | Type | Mandatory | Notes | - 3. **Statistical Calculation:** Iterates through the `pointlist` to compute the - sum, average, minimum, and maximum of the raw metric values. + | :--- | :--- | :--- | :--- | :--- | - 4. **Result Construction:** Packages the calculated statistics, the original timeseries - points, and metadata (unit, aggregation, expression) into a structured JSON result. + | **Series** | A JSON-formatted string containing the timeseries points and metadata + (e.g., `pointlist`, `start`, `end`, `unit`, `aggr`). | Code | Yes | The action + expects a specific structure containing a `pointlist` key which is a list of [timestamp, + value] pairs. | - 5. **Completion:** Ends the action by providing the JSON result to the SOAR platform. + ### Flow Description - ### Parameters Description + 1. **Initialization**: The action extracts the DataDog integration configuration + (API Key, APP Key) and the `Series` input parameter. - | Parameter | Type | Mandatory | Description | + 2. **Parsing**: The `Series` parameter is parsed from a JSON string into a dictionary. - | :--- | :--- | :--- | :--- | + 3. **Validation**: The script checks for the presence of the `pointlist` key within + the input data. - | Series | code | True | A JSON string representing the DataDog metric series. - It must contain a `pointlist` key (a list of [timestamp, value] pairs) and metadata - like `start`, `end`, `unit`, and `aggr`. | + 4. **Calculation**: If valid, the script iterates through the `pointlist`, extracting + raw metric values to calculate: + * **Sum**: Total of all metric values. + * **Average**: Mean of the metric values. + * **Minimum**: The lowest value in the set. + * **Maximum**: The highest value in the set. + 5. **Output**: The calculated statistics, along with original metadata (unit, + aggregation type, time range, and expression), are packaged into a JSON result + and returned to the SOAR platform. ### Additional Notes - * This action is primarily a utility for data transformation and analysis of metrics - already retrieved by other actions or processes. + * This action does not perform any external API calls to DataDog; it processes + data already provided in the `Series` parameter. * If the `Series` parameter is missing the `pointlist` key, the action will log an error and return an empty result. @@ -56,7 +90,7 @@ Get Beautiful Metric: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -70,6 +104,7 @@ Get Beautiful Metric: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Event Details: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -83,38 +118,41 @@ Get Beautiful Metric: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: true remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Event Details: ai_description: "### General Description\nThe **Get Event Details** action retrieves\ - \ comprehensive information for a specific event from DataDog using its unique\ - \ Event ID. This action is primarily used to fetch the full context of an event,\ - \ including its message, tags, priority, and metadata, which can then be used\ - \ for further analysis or decision-making within a playbook.\n\n### Parameters\ - \ Description\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- |\ - \ :--- | :--- |\n| Event ID | String | Yes | The unique identifier of the DataDog\ - \ event to be retrieved. |\n\n### Flow Description\n1. **Configuration Extraction:**\ - \ The action retrieves the API Key and APP Key from the DataDog integration configuration.\n\ - 2. **Parameter Retrieval:** The action extracts the `Event ID` provided by the\ - \ user or playbook.\n3. **API Interaction:** The action initializes the `DataDogManager`\ - \ and calls the `get_event_details` method, which performs a GET request to the\ - \ DataDog API endpoint: `https://api.datadoghq.com/api/v1/events/{event_id}`.\n\ - 4. **Result Processing:** \n * If the event is found, the action logs a success\ - \ message and attaches the event details as a JSON result.\n * If the event\ - \ is not found or the API call fails, the action logs a failure message.\n5. **Completion:**\ - \ The action terminates, returning the success status and the retrieved data.\n\ - \n### Additional Notes\nThis action does not iterate over or modify SOAR entities.\ - \ It operates strictly on the provided `Event ID` parameter." + \ comprehensive information about a specific event from DataDog using its unique\ + \ Event ID. This action is designed to provide analysts with the full context\ + \ of a DataDog event, including its metadata, tags, and message content, which\ + \ can be used for further investigation or automated decision-making within a\ + \ playbook.\n\n### Parameters Description\n| Parameter | Description | Type |\ + \ Mandatory |\n| :--- | :--- | :--- | :--- |\n| Event ID | The unique identifier\ + \ of the DataDog event you want to retrieve. | String | Yes |\n\n### Flow Description\n\ + 1. **Authentication**: The action retrieves the API Key and APP Key from the DataDog\ + \ integration configuration.\n2. **Input Extraction**: The `Event ID` provided\ + \ as an action parameter is extracted.\n3. **API Interaction**: The action initializes\ + \ the `DataDogManager` and performs a GET request to the DataDog API endpoint\ + \ `/api/v1/events/{event_id}`.\n4. **Data Processing**: The action checks if the\ + \ event details were successfully retrieved from DataDog.\n5. **Output**: \n \ + \ - If successful, the event details are added to the action's JSON result,\ + \ and a success message is returned.\n - If the event cannot be found or the\ + \ request fails, a failure message is returned.\n\n### Additional Notes\n- This\ + \ action does not operate on SecOps entities (like IPs or Hostnames); it is a\ + \ utility action that fetches data based on a specific ID provided by the user\ + \ or a previous playbook step." capabilities: can_create_case_comments: false can_create_insight: false @@ -126,9 +164,9 @@ Get Event Details: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: true + enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -142,6 +180,7 @@ Get Event Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Events: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -155,77 +194,79 @@ Get Event Details: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: true send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Events: ai_description: >- - Retrieves event data from DataDog based on specific search criteria. This action - allows analysts to query the DataDog Events API to fetch logs and event details - within a specified time range, filtered by sources, tags, and priority levels. - The results are returned as a JSON object for further analysis within the SOAR - platform. + ### General Description + The **Get Events** action retrieves event logs from DataDog within a specified + time range. It allows analysts to filter events by source, priority, and tags, + providing visibility into system activities, monitors, and alerts directly within + the Google SecOps platform. This action is primarily used for log retrieval and + historical analysis. - ### Flow Description: - 1. **Authentication**: Extracts the API Key and APP Key from the integration configuration - to authenticate with the DataDog API. + ### Parameters Description - 2. **Parameter Extraction**: Retrieves user-defined parameters including the event - sources, start/end times (in Unix format), priority filters, tags, and aggregation - preferences. + | Parameter | Type | Mandatory | Description | - 3. **API Request**: Initializes the DataDog manager and executes a GET request - to the `/api/v1/events` endpoint with the provided filters. + | :--- | :--- | :--- | :--- | - 4. **Result Processing**: Captures the returned event list. If events are found, - they are added to the action's JSON results and the action completes successfully. - If no events match the criteria, it reports a successful execution with an empty - result set. + | **Sources** | String | Yes | The sources to retrieve the events from. For example, + to see events from a triggered monitor, use 'alert'. | + | **Start Time** | String | Yes | The start time of the events in Unix timestamp + format (e.g., 1400000470). | - ### Parameters Description: + | **End Time** | String | Yes | The end time of the events in Unix timestamp format + (e.g., 1610557457). | - | Parameter | Type | Mandatory | Description | + | **Priority** | DDL | No | The priority of the events to retrieve. Options include + `all`, `normal`, or `low`. Default is `all`. | - | :--- | :--- | :--- | :--- | + | **Tags** | String | No | A comma-separated list of tags to filter the events + by scope (e.g., 'monitor'). | - | Sources | String | Yes | The specific sources to retrieve events from (e.g., - 'alert', 'monitor'). | + | **Unaggregated** | Boolean | No | If set to `True`, the action retrieves the + full list of events. If `False`, it retrieves an aggregated list. | - | Start Time | String | Yes | The start of the time range for event retrieval - in Unixtime format. | - | End Time | String | Yes | The end of the time range for event retrieval in Unixtime - format. | + ### Flow Description + + 1. **Configuration Retrieval**: The action extracts the DataDog API Key and APP + Key from the integration settings. - | Priority | DDL | No | Filters events by priority level. Options include 'all', - 'normal', or 'low'. Default is 'all'. | + 2. **Parameter Extraction**: It collects the search criteria, including the time + window (Start/End Time), sources, and optional filters like priority and tags. - | Tags | String | No | A comma-separated list of tags to filter the events (e.g., - 'env:prod'). | + 3. **API Interaction**: The action calls the DataDog API's events endpoint (`/api/v1/events`) + using a GET request with the specified query parameters. - | Unaggregated | Boolean | No | If set to 'true', retrieves the full list of events. - If 'false', retrieves an aggregated list. | + 4. **Result Handling**: The retrieved event data is processed and added to the + action's JSON results. If events are found, the action completes successfully; + otherwise, it reports that no events were fetched. - ### Additional Notes: + ### Additional Notes - - This action does not operate on specific entities within the case; it performs - a global search based on the provided time and filter parameters. + - Ensure that the `Start Time` and `End Time` are provided as valid Unix timestamps + in seconds. - - Ensure that the Start Time and End Time are provided in valid Unix timestamp - format (seconds). + - This action does not target specific entities but rather performs a global search + within the DataDog environment based on the provided parameters. capabilities: can_create_case_comments: false can_create_insight: false @@ -239,7 +280,7 @@ Get Events: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -253,6 +294,7 @@ Get Events: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Logs: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -266,25 +308,27 @@ Get Events: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: true send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Logs: ai_description: >- ### General Description - Retrieves Kubernetes logs from DataDog for specific namespaces within a defined - time range. This action is useful for forensic investigations or monitoring specific - application environments by pulling log data directly into the SOAR platform. + Retrieves Kubernetes logs from DataDog for specified namespaces within a defined + time range. This action allows analysts to query historical log data directly + from DataDog to assist in investigations involving containerized environments. ### Parameters Description @@ -293,34 +337,42 @@ Get Logs: | :--- | :--- | :--- | :--- | - | Namespace | String | Yes | Comma-separated list of Kubernetes namespaces to - fetch logs for. | + | Start Time | string | True | The start time from which you want to retrieve + the logs (e.g., '2020-02-02T02:02:02Z'). | - | Start Time | String | Yes | The start time (ISO-8601) for the log search. | + | End Time | string | True | The end time until which you want to retrieve the + logs (e.g., '2020-02-02T02:02:02Z'). | - | End Time | String | Yes | The end time (ISO-8601) for the log search. | + | Namespace | string | True | A comma-separated list of Kubernetes namespaces + to fetch logs for (e.g., 'name_space1, name_space2'). | - ### Flow Description + ### Additional Notes - 1. The action retrieves the DataDog API and App keys from the integration configuration. + - The action uses the DataDog Logs API (`/api/v1/logs-queries/list`) via a POST + request to perform the query. - 2. It extracts the Namespace, Start Time, and End Time from the action parameters. + - Multiple namespaces can be queried in a single execution by providing them as + a comma-separated list. - 3. The Namespace string is split into a list of individual namespaces. - 4. For each namespace, the action calls the DataDog API to retrieve logs matching - the kube_namespace query within the specified time window. + ### Flow Description - 5. Successfully retrieved logs are aggregated into a JSON result. + 1. **Configuration Extraction**: Retrieves the API Key and APP Key from the integration + configuration. - 6. The action completes, providing the logs as a JSON output and a summary message. + 2. **Parameter Parsing**: Extracts the Start Time, End Time, and Namespace list + from the action parameters. The Namespace string is split into a list of individual + namespaces. + 3. **Log Retrieval**: Iterates through each provided namespace and calls the DataDog + API to fetch logs matching the `kube_namespace` and the specified time window. - ### Additional Notes + 4. **Result Aggregation**: Collects the logs for each namespace where data is + found and organizes them into a structured JSON result. - This action does not process SOAR entities; it relies entirely on the provided - Namespace parameter. + 5. **Finalization**: Returns the aggregated log data as a JSON result and provides + a status message indicating which namespaces were successfully queried. capabilities: can_create_case_comments: false can_create_insight: false @@ -334,7 +386,7 @@ Get Logs: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -348,6 +400,7 @@ Get Logs: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Metric Snapshot Graph: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -361,43 +414,47 @@ Get Logs: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: true remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Metric Snapshot Graph: - ai_description: "### General Description\nThe **Get Metric Snapshot Graph** action\ - \ retrieves a URL for a metric snapshot graph from Datadog based on a specific\ - \ metric query and time range. This action is designed to provide visual context\ - \ for telemetry data (such as CPU, memory, or custom application metrics) directly\ - \ within the Google SecOps platform, aiding in incident investigation and performance\ - \ monitoring.\n\n### Parameters Description\n| Parameter | Type | Mandatory |\ - \ Description |\n| :--- | :--- | :--- | :--- |\n| Query | String | Yes | The Datadog\ - \ metric query to visualize. For example: `avg:aws.rds.cpuutilization{cloud_env:production}by{dbinstanceidentifier}`.\ - \ |\n| Start Time | String | Yes | The start time for the metric snapshot graph,\ - \ provided as a Unix timestamp (seconds). |\n| End Time | String | Yes | The end\ - \ time for the metric snapshot graph, provided as a Unix timestamp (seconds).\ - \ |\n\n### Flow Description\n1. **Authentication:** The action initializes the\ - \ Datadog manager using the API Key and APP Key from the integration configuration.\n\ - 2. **Input Processing:** It extracts the user-defined metric query and the specified\ - \ time window (Start and End times).\n3. **Data Retrieval:** The action calls\ - \ the Datadog API endpoint `/api/v1/graph/snapshot` to generate a snapshot graph\ - \ for the provided query.\n4. **Output Generation:** \n * If a snapshot is\ - \ successfully generated, the action retrieves the `snapshot_url`.\n * It adds\ - \ a clickable link to the SOAR case titled 'The graph snapshot URL'.\n * It\ - \ attaches the full JSON response from Datadog to the action results for further\ - \ analysis.\n\n### Additional Notes\n* This action does not operate on specific\ - \ entities (like IPs or Hostnames) but rather on a global metric query.\n* Ensure\ - \ that the time range provided is valid and that the query follows Datadog's query\ - \ syntax." + ai_description: "### General Description\nThis action retrieves a metric snapshot\ + \ graph from DataDog based on a user-provided metric query and a specific time\ + \ range. It is primarily used to provide visual context and telemetry data within\ + \ a Google SecOps case, allowing analysts to see performance or status trends\ + \ related to the investigation.\n\n### Parameters Description\n| Parameter | Description\ + \ | Type | Mandatory | Additional Notes |\n| :--- | :--- | :--- | :--- | :---\ + \ |\n| Query | The metric query for which you want to generate a snapshot graph\ + \ (e.g., `avg:aws.rds.cpuutilization{cloud_env:production}by{dbinstanceidentifier}`).\ + \ | string | Yes | Must follow DataDog's query syntax. |\n| Start Time | The start\ + \ time of the metric snapshot graph in Unix time (seconds). | string | Yes | Ensure\ + \ the timestamp is in the past relative to the End Time. |\n| End Time | The end\ + \ time of the metric snapshot graph in Unix time (seconds). | string | Yes | Defines\ + \ the conclusion of the data window. |\n\n### Additional Notes\n- This action\ + \ does not run on specific entities; it executes a global query against the DataDog\ + \ API.\n- The resulting graph is provided as a URL link added to the case and\ + \ as a raw JSON object in the action results.\n\n### Flow Description\n1. **Configuration\ + \ Extraction:** The action retrieves the DataDog API Key and APP Key from the\ + \ integration settings.\n2. **Parameter Parsing:** It extracts the `Query`, `Start\ + \ Time`, and `End Time` provided by the user.\n3. **API Interaction:** The action\ + \ calls the DataDog API's `/api/v1/graph/snapshot` endpoint with the specified\ + \ parameters.\n4. **Result Processing:** \n - If a snapshot is successfully\ + \ generated, the action extracts the `snapshot_url`.\n - It adds the URL as\ + \ a clickable link in the Google SecOps platform.\n - It attaches the full\ + \ JSON response from DataDog to the action results for further use in playbooks.\n\ + 5. **Completion:** The action concludes with a success message if the graph was\ + \ fetched or a failure message if the API returned no data." capabilities: can_create_case_comments: false can_create_insight: false @@ -409,9 +466,9 @@ Get Metric Snapshot Graph: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -425,6 +482,7 @@ Get Metric Snapshot Graph: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Metric Timeseries Points: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -438,30 +496,28 @@ Get Metric Snapshot Graph: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: true send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Metric Timeseries Points: ai_description: >- - Retrieves metric timeseries points from DataDog based on a specific query and - time range. This action allows users to fetch historical performance data or telemetry - for analysis within Google SecOps. - - ### General Description - This action interacts with the DataDog API to retrieve timeseries data points - for a provided metric query. It is primarily used for monitoring, troubleshooting, - and incident investigation by pulling specific metric trends over a defined period. + Retrieves metric timeseries data points from DataDog based on a specific query + and time range. This action is used to fetch historical telemetry data, such as + CPU usage, memory consumption, or custom application metrics, for analysis within + a SOAR workflow. ### Parameters Description @@ -470,32 +526,40 @@ Get Metric Timeseries Points: | :--- | :--- | :--- | :--- | - | Query | string | Yes | The DataDog metric query to execute (e.g., `avg:system.cpu.idle{host:host0}`). + | **Query** | string | True | The DataDog metric query to execute (e.g., `avg:system.cpu.idle{host:host0}`). | - | Start Time | string | Yes | The start time of the timeseries points in Unix - timestamp format (e.g., `1400000470`). | + | **Start Time** | string | True | The start time of the timeseries points in + Unix timestamp format (seconds). | - | End Time | string | Yes | The end time of the timeseries points in Unix timestamp - format (e.g., `1610557457`). | + | **End Time** | string | True | The end time of the timeseries points in Unix + timestamp format (seconds). | + + + ### Additional Notes + + - This action does not process entities; it relies entirely on the provided query + and time parameters. + + - The results are returned as a JSON object containing the series data and status. ### Flow Description - 1. **Configuration Extraction**: Retrieves the DataDog API Key and APP Key from - the integration settings. + 1. **Extract Configuration:** Retrieves the DataDog API Key and APP Key from the + integration settings. - 2. **Parameter Parsing**: Extracts the user-provided metric query, start time, - and end time. + 2. **Extract Parameters:** Collects the `Query`, `Start Time`, and `End Time` + from the action inputs. - 3. **API Request**: Executes a GET request to the DataDog `/api/v1/query` endpoint - with the specified parameters. + 3. **API Request:** Calls the DataDog API v1 query endpoint (`/api/v1/query`) + using a GET request with the provided parameters. - 4. **Validation**: Checks if the API response status is 'ok' and if any data series - were returned. + 4. **Process Response:** Validates the response status and checks if any data + series were returned. - 5. **Result Processing**: Logs the outcome and attaches the raw timeseries data - to the action's JSON results for use in subsequent playbook steps. + 5. **Output Results:** Adds the raw JSON response to the action results and provides + a success or failure message based on whether data was found. capabilities: can_create_case_comments: false can_create_insight: false @@ -509,7 +573,7 @@ Get Metric Timeseries Points: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -523,6 +587,7 @@ Get Metric Timeseries Points: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Pod Metric: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -536,72 +601,69 @@ Get Metric Timeseries Points: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: true send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Pod Metric: ai_description: >- - Retrieves performance metrics and process information for Kubernetes Pods from - DataDog. This action fetches CPU utilization, memory usage percentages, and a - list of active processes associated with specific Pod names within a defined time - range. The data is retrieved via DataDog's timeseries and processes APIs and returned - as a structured JSON object. - - - ### Flow Description - - 1. **Authentication**: Initializes the DataDog manager using the provided API - and APP keys from the integration configuration. + ### General Description - 2. **Parameter Extraction**: Retrieves the list of Pod names, start time, and - end time from the action parameters. + The **Get Pod Metric** action retrieves performance telemetry and process information + for specific Kubernetes Pods from DataDog. It is designed to provide visibility + into the resource consumption (CPU and Memory) and the active processes running + within a pod over a specified time range. This data is useful for troubleshooting + performance issues or investigating suspicious activity within a containerized + environment. - 3. **Metric Retrieval**: For each Pod provided in the comma-separated list: - * Queries the DataDog Timeseries API for average CPU system total metrics - (`kubernetes.cpu.system.total`). - * Queries the DataDog Timeseries API for average memory usage percentage metrics - (`kubernetes.memory.usage_pct`). - * Queries the DataDog Processes API for all processes tagged with the specific - `pod_name`. - 4. **Data Aggregation**: Consolidates the CPU, memory, and process data into a - single JSON result mapped by Pod name. - 5. **Output**: Returns the aggregated JSON data and provides a status message - indicating which metrics were successfully fetched. + ### Parameters Description + | Parameter Name | Description | Type | Mandatory | Additional Notes | - ### Parameters Description + | :--- | :--- | :--- | :--- | :--- | - | Parameter Name | Type | Mandatory | Description | + | **Pod Name** | The name of the Pod(s) to query. Supports a comma-separated list + of names. | String | Yes | The code uses this as a tag filter (`pod_name:`). + | - | :--- | :--- | :--- | :--- | + | **Start Time** | The start time of the metric query in Unix timestamp format. + | String | Yes | Example: `1507040000` | - | Pod Name | string | Yes | A comma-separated list of Kubernetes Pod names (or - namespaces as per the UI description) to retrieve metrics for. | + | **End Time** | The end time of the metric query in Unix timestamp format. | + String | Yes | Example: `1610557457` | - | Start Time | string | Yes | The start time of the metric window in Unix timestamp - format (e.g., 1507040000). | - | End Time | string | Yes | The end time of the metric window in Unix timestamp - format (e.g., 1610557457). | + ### Flow Description + 1. **Initialization**: Extracts the DataDog API and APP keys from the integration + configuration. - ### Additional Notes + 2. **Parameter Extraction**: Retrieves the list of Pod names, start time, and + end time from the action parameters. - * The action does not interact with SecOps entities; it relies entirely on the - string input provided in the 'Pod Name' parameter. + 3. **Data Retrieval**: For each Pod name provided: + * Queries the DataDog Timeseries API for average CPU system total usage + (`kubernetes.cpu.system.total`). + * Queries the DataDog Timeseries API for average memory usage percentage + (`kubernetes.memory.usage_pct`). + * Queries the DataDog Processes API to list all processes associated with + the `pod_name` tag. + 4. **Result Aggregation**: Consolidates the CPU, Memory, and Process data into + a structured JSON object. - * The time range must be provided in Unix timestamp format for the DataDog API - to process the query correctly. + 5. **Output**: Returns the aggregated JSON data and provides a status message + indicating which metrics were successfully retrieved. capabilities: can_create_case_comments: false can_create_insight: false @@ -613,9 +675,9 @@ Get Pod Metric: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: true + enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -629,6 +691,7 @@ Get Pod Metric: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get RDS Metric: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -639,80 +702,74 @@ Get Pod Metric: disable_identity: false download_file: false enable_identity: false - enrich_asset: false + enrich_asset: true enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get RDS Metric: ai_description: >- - ### General Description - - The **Get RDS Metric** action retrieves performance metrics for Amazon RDS (Relational - Database Service) instances from Datadog. It specifically fetches data regarding - CPU utilization, freeable memory, and free storage space for a given set of database - instance identifiers within a specified time range. This action is useful for - monitoring database health and resource consumption during incident investigation - or performance auditing. + Retrieves AWS RDS performance metrics from Datadog for specified database instances. + This action fetches CPU utilization, freeable memory, and free storage space metrics + within a defined time range. It processes a comma-separated list of database identifiers + and returns the aggregated time-series data in a structured JSON format. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Parameter Extraction:** Retrieves the Datadog API and APP keys from the integration + configuration, along with the Database Instance Identifiers, Start Time, and End + Time from the action parameters. - | :--- | :--- | :--- | :--- | + 2. **Identifier Parsing:** Splits the provided comma-separated string of database + identifiers into a list for individual processing. - | Database Instance Identifier | String | Yes | A comma-separated list of AWS - RDS database instance identifiers (e.g., `db-instance-1, db-instance-2`) to query - metrics for. | + 3. **Metric Retrieval:** For each database identifier, the action makes three + distinct API calls to Datadog to fetch: + * CPU Utilization (`aws.rds.cpuutilization`) + * Freeable Memory (`aws.rds.freeable_memory`) + * Free Storage Space (`aws.rds.free_storage_space`) + 4. **Data Aggregation:** Collects the successful metric responses into a results + object, distinguishing between found and not-found identifiers. - | Start Time | String | Yes | The start of the time window for the metrics in - Unix timestamp format (e.g., `1507040000`). | + 5. **Output Generation:** Adds the aggregated metrics to the action's JSON result + and provides a summary message to the user. - | End Time | String | Yes | The end of the time window for the metrics in Unix - timestamp format (e.g., `1610557457`). | + ### Parameters Description - ### Flow Description + | Parameter Name | Type | Mandatory | Description | - 1. **Initialization**: The action extracts the Datadog API and APP keys from the - integration configuration and retrieves the database identifiers and time range - from the action parameters. + | :--- | :--- | :--- | :--- | - 2. **Input Parsing**: The comma-separated string of database identifiers is split - into a list for individual processing. + | Database Instance Identifier | string | True | A comma-separated list of AWS + RDS database instance identifiers (e.g., `db-1, db-2`) to query. | - 3. **Metric Retrieval**: For each database identifier, the action makes three - separate API calls to Datadog to retrieve: - * **CPU Utilization**: Average CPU usage percentage. - * **Freeable Memory**: The amount of available RAM. - * **Free Storage Space**: The amount of available disk space. - 4. **Data Aggregation**: The retrieved metrics are validated (checking for an - "ok" status and existing data series) and aggregated into a structured dictionary. + | Start Time | string | True | The start time for the metric query in Unix timestamp + format (e.g., `1507040000`). | - 5. **Result Reporting**: The action identifies which database identifiers were - successfully queried and which were not. The final results are attached as a JSON - object to the action execution, and the action completes with a success message - if at least one metric was found. + | End Time | string | True | The end time for the metric query in Unix timestamp + format (e.g., `1610557457`). | ### Additional Notes - * The action uses the Datadog `/api/v1/query` endpoint to perform time-series - queries. + * The action requires valid Datadog API and APP keys configured at the integration + level. - * If a specific metric (e.g., CPU) is missing for an identifier but others (e.g., - Memory) are present, the action will still report success for that identifier. + * Metrics are retrieved using the `avg` aggregator grouped by `dbinstanceidentifier`. capabilities: can_create_case_comments: false can_create_insight: false @@ -726,7 +783,7 @@ Get RDS Metric: categories: enrichment: true entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -740,6 +797,7 @@ Get RDS Metric: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -753,36 +811,60 @@ Get RDS Metric: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: - ai_description: "### General Description\nThe **Ping** action is a diagnostic tool\ - \ used to verify the connectivity between the Google SecOps platform and the DataDog\ - \ service. It ensures that the provided API Key and Application Key (APP Key)\ - \ are valid and that the DataDog API is reachable from the environment.\n\n###\ - \ Parameters Description\nThere are no input parameters for this action. It relies\ - \ entirely on the integration's global configuration (API Key and APP Key).\n\n\ - ### Flow Description\n1. **Configuration Extraction**: The action retrieves the\ - \ `API Key` and `APP Key` from the DataDog integration settings.\n2. **Manager\ - \ Initialization**: It initializes the `DataDogManager` with the extracted credentials.\n\ - 3. **Connectivity Test**: The action calls the `test_connectivity` method, which\ - \ sends a GET request to the DataDog validation endpoint (`/api/v1/validate`).\n\ - 4. **Result Evaluation**: \n * If the API returns a valid response, the action\ - \ concludes with a success message: \"Connected successfully\".\n * If the\ - \ API returns an invalid response or an error occurs, the action concludes with\ - \ a failure message: \"The Connection failed\".\n\n### Additional Notes\nThis\ - \ action does not process any entities and is strictly used for system health\ - \ and configuration validation." + ai_description: >- + ### General Description + + The **Ping** action is a diagnostic tool designed to verify the connectivity between + Google SecOps and the DataDog platform. Its primary purpose is to ensure that + the provided API Key and Application Key are valid and that the network path to + the DataDog API is open. This action is typically used during the initial setup + of the integration or for troubleshooting authentication issues. + + + ### Parameters Description + + There are no action-specific parameters for this action. It relies entirely on + the integration's global configuration (API Key and APP Key). + + + ### Additional Notes + + - This action does not process any entities. + + - It performs a read-only validation check against the DataDog `/api/v1/validate` + endpoint. + + + ### Flow Description + + 1. **Configuration Extraction:** The action retrieves the `API Key` and `APP Key` + from the DataDog integration settings. + + 2. **Manager Initialization:** It initializes the `DataDogManager` using the extracted + credentials. + + 3. **Connectivity Test:** The action calls the `test_connectivity` method, which + sends a GET request to the DataDog validation endpoint. + + 4. **Response Validation:** It checks the API response for a `valid: true` status. + + 5. **Final Output:** The action returns a success message if the connection is + established or a failure message if the credentials or connection are invalid. capabilities: can_create_case_comments: false can_create_insight: false @@ -796,7 +878,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -810,28 +892,3 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/community/data_dog/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/data_dog/resources/ai/connectors_ai_description.yaml index d2c9184d1..f28653057 100644 --- a/content/response_integrations/third_party/community/data_dog/resources/ai/connectors_ai_description.yaml +++ b/content/response_integrations/third_party/community/data_dog/resources/ai/connectors_ai_description.yaml @@ -1,73 +1,40 @@ DataDog Connector: - ai_description: >- - ### General Description - - The DataDog Connector enables the ingestion of events and alerts from DataDog - into Google SecOps. It specifically monitors for triggered alerts (errors and - warnings) from DataDog monitors, allowing security teams to centralize monitoring - data and respond to infrastructure or application issues within the SOAR platform. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | API Key | Password | Yes | The API Key for authenticating with DataDog. | - - | APP Key | Password | Yes | The Application Key for authenticating with DataDog. - | - - | Base URL | String | Yes | The base URL for the DataDog API (e.g., `https://api.datadoghq.com`). - | - - | DeviceProductField | String | Yes | The field name used to determine the device - product in the ingested data. | - - | EventClassId | String | Yes | The field name used to determine the event name - or sub-type. | - - | Max Days Back | Integer | Yes | The maximum number of days to look back for - events during the initial run. | - - | Priority | String | No | Filter events by priority (e.g., 'low', 'normal', or - 'all'). | - - | PythonProcessTimeout | String | Yes | The timeout limit in seconds for the script - execution. | - - | Sources | String | Yes | The sources to retrieve events from (e.g., 'alert'). - | - - | Tags | String | No | A comma-separated list of tags to filter monitors (e.g., - 'monitor'). | - - | Unaggregated | Boolean | No | If true, retrieves the full list of events; if - false, retrieves aggregated events. | - - - ### Flow Description - - 1. **Authentication**: Connects to the DataDog API using the provided API Key - and APP Key. - - 2. **Timestamp Check**: Retrieves the last successful execution timestamp or calculates - the start time based on the "Max Days Back" parameter. - - 3. **Event Retrieval**: Queries DataDog for events occurring between the last - run and the current time, filtered by sources, tags, and priority. - - 4. **Filtering**: Filters the retrieved events to include only those with an alert - type of 'error' or 'warning'. - - 5. **Detail Enrichment**: For each relevant event, the connector fetches full - event details. If an event contains "children" events, each child is processed - as an individual alert. - - 6. **Data Mapping**: Maps DataDog event data (monitor name, metrics, tags, and - timestamps) to the Google SecOps AlertInfo model, including flattening nested - JSON structures and extracting product names from metrics. - - 7. **Ingestion**: Ingests the formatted alerts into Google SecOps and updates - the execution timestamp for the next cycle. + ai_description: "### General Description\nThe DataDog Connector enables the ingestion\ + \ of events and alerts from DataDog into Google SecOps. It specifically monitors\ + \ for triggered alerts from DataDog monitors, focusing on 'error' and 'warning'\ + \ states. The connector transforms these events into structured alerts, providing\ + \ security teams with visibility into infrastructure and application issues detected\ + \ by DataDog.\n\n### Parameters Description\n| Parameter | Type | Mandatory |\ + \ Description |\n| :--- | :--- | :--- | :--- |\n| API Key | Password | Yes | The\ + \ API Key used to authenticate with the DataDog API. |\n| APP Key | Password |\ + \ Yes | The Application Key used to authenticate with the DataDog API. |\n| Base\ + \ URL | String | Yes | The base URL for the DataDog API (e.g., `https://api.datadoghq.com`).\ + \ |\n| DeviceProductField | String | Yes | The field name used to determine the\ + \ device product in the SOAR platform. |\n| EventClassId | String | Yes | The\ + \ field name used to determine the event name or sub-type. |\n| Max Days Back\ + \ | Integer | Yes | The number of days to look back for events during the initial\ + \ run. |\n| Priority | String | No | Filter events by priority. Options include\ + \ 'low', 'normal', or 'all'. |\n| PythonProcessTimeout | String | Yes | The timeout\ + \ limit (in seconds) for the python process running the script. |\n| Sources |\ + \ String | Yes | The sources to retrieve events from (e.g., 'alert' for monitor\ + \ triggers). |\n| Tags | String | No | A comma-separated list of tags to filter\ + \ the list of monitors by scope (e.g., 'monitor'). |\n| Unaggregated | Boolean\ + \ | No | If true, retrieves the full list of events; if false, retrieves an aggregated\ + \ list. |\n\n### Flow Description\n1. **Authentication**: The connector initializes\ + \ a session with DataDog using the provided API Key and Application Key.\n2. **Timestamp\ + \ Tracking**: It retrieves the last saved timestamp to ensure only new events\ + \ are processed. On the first run, it uses the 'Max Days Back' parameter.\n3.\ + \ **Event Fetching**: Queries the DataDog Events API for events within the time\ + \ range, filtered by the configured sources, tags, and priority.\n4. **Alert Filtering**:\ + \ The connector iterates through the results, specifically selecting events with\ + \ an `alert_type` of 'error' or 'warning'.\n5. **Child Event Processing**: If\ + \ a parent event contains 'children' events, the connector treats each child as\ + \ an individual alert to ensure granular visibility.\n6. **Detail Enrichment**:\ + \ For each identified event, the connector fetches full details (including the\ + \ payload) to extract metrics, monitor names, and snapshot URLs.\n7. **Mapping\ + \ and Normalization**: \n * Extracts tags into key-value pairs.\n * \ + \ Determines the `device_product` based on the metric name (e.g., identifying\ + \ AWS services).\n * Maps DataDog alert types to SOAR priority levels (Error:\ + \ 100, Warning: 80).\n8. **Ingestion**: The processed events are converted into\ + \ `AlertInfo` objects and ingested into Google SecOps as cases. The latest event\ + \ timestamp is then saved for the next iteration." diff --git a/content/response_integrations/third_party/community/data_dog/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/data_dog/resources/ai/integration_ai_description.yaml index e044f2bbd..a888df70b 100644 --- a/content/response_integrations/third_party/community/data_dog/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/community/data_dog/resources/ai/integration_ai_description.yaml @@ -2,7 +2,7 @@ product_categories: asset_inventory: false cloud_security: true collaboration: false - edr: true + edr: false email_security: false iam_and_identity_management: false itsm: false diff --git a/content/response_integrations/third_party/community/docker_hub/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/docker_hub/resources/ai/actions_ai_description.yaml index 3177f76eb..698093faf 100644 --- a/content/response_integrations/third_party/community/docker_hub/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/docker_hub/resources/ai/actions_ai_description.yaml @@ -1,38 +1,77 @@ Invite User: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: true + update_ticket: false ai_description: >- + ### General Description + Invites a user to a specific team within a Docker Hub organization using their - email address. This action facilitates access management by programmatically adding - members to organizational groups. + email address. This action facilitates access management by programmatically sending + membership invitations to external users, allowing them to join collaborative + environments in Docker Hub. - ### Flow Description: + ### Parameters Description - 1. **Authentication**: Initializes the Docker Hub manager using the provided username - and password from the integration configuration. + | Parameter | Type | Mandatory | Description | - 2. **Parameter Retrieval**: Extracts the target Organization, Team, and user Email - from the action parameters. + | :--- | :--- | :--- | :--- | - 3. **Invitation Request**: Sends a POST request to the Docker Hub API endpoint - for the specified organization and team, including the user's email in the payload. + | Organization | String | Yes | The name of the Docker Hub organization where + the invitation will be sent. | - 4. **Completion**: Returns a success message if the invitation is successfully - sent or logs the error if the request fails. + | Team | String | Yes | The specific team within the organization that the user + is being invited to join. | + | Email | String | Yes | The email address of the user who will receive the invitation. + | - ### Parameters Description: - | Parameter | Type | Mandatory | Description | + ### Additional Notes + + This action does not run on SOAR entities; it relies entirely on the provided + input parameters. It requires valid Docker Hub administrator or owner credentials + to perform the invitation. - | :--- | :--- | :--- | :--- | - | Team | String | Yes | The name of the team within the Docker Hub organization - to which the user will be invited. | + ### Flow Description - | Organization | String | Yes | The name of the Docker Hub organization that owns - the team. | + 1. **Authentication**: The action authenticates with Docker Hub using the provided + username and password to obtain a JWT token. - | Email | String | Yes | The email address of the user to be invited. | + 2. **Parameter Retrieval**: It extracts the target Organization, Team, and Email + from the action parameters. + + 3. **Invitation Request**: It sends a POST request to the Docker Hub API endpoint + (`/orgs/{org}/groups/{team}/members/`) with the user's email. + + 4. **Completion**: The action returns a success message if the invitation is successfully + dispatched or an error message if the request fails. capabilities: can_create_case_comments: false can_create_insight: false @@ -41,15 +80,14 @@ Invite User: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Sends a POST request to Docker Hub to create a new user invitation for a specific - team and organization, which changes the state of the organization's membership - list. + Sends a membership invitation to a user in Docker Hub, which creates a pending + invitation record within the specified organization and team. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -63,6 +101,7 @@ Invite User: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -76,37 +115,65 @@ Invite User: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false - update_identity: true + update_identity: false update_ticket: false -Ping: - ai_description: "### General Description\nThe **Ping** action is a diagnostic utility\ - \ designed to verify the connectivity between Google SecOps and the Docker Hub\ - \ API. Its primary purpose is to validate that the integration's configuration\u2014\ - specifically the Username and Password\u2014is correct and that the system can\ - \ successfully authenticate and communicate with Docker Hub.\n\n### Parameters\ - \ Description\nThere are no parameters for this action.\n\n### Additional Notes\n\ - While the metadata description in the configuration file mentions inviting users,\ - \ the actual implementation of this specific action is strictly a connectivity\ - \ test. It is typically used during integration setup or for troubleshooting communication\ - \ issues.\n\n### Flow Description\n1. **Credential Retrieval**: The action retrieves\ - \ the configured Username and Password from the Docker Hub integration settings.\n\ - 2. **Authentication**: It initializes the Docker Hub manager, which triggers an\ - \ authentication flow by sending a POST request to the Docker Hub login endpoint\ - \ to retrieve a JWT token.\n3. **API Validation**: The action calls the `test_connectivity`\ - \ method, which performs a GET request to the `_catalog` endpoint to ensure the\ - \ API is responsive and the token is valid.\n4. **Status Reporting**: If the API\ - \ call succeeds without error, the action terminates with a success status, confirming\ - \ the integration is functional." + ai_description: >- + ### General Description + + The **Ping** action is designed to verify the connectivity between Google SecOps + and the Docker Hub API. It ensures that the provided credentials (Username and + Password) are valid and that the network path to the Docker Hub service is open. + This is a standard health check action used to validate integration settings. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | None | N/A | N/A | This action does not take any input parameters; it uses the + integration's configuration settings (Username and Password). | + + + ### Additional Notes + + * **Note on Metadata**: While the provided metadata description mentions inviting + a user, the actual implementation logic and action name are strictly for connectivity + testing (Ping). + + * **Authentication**: The action uses the Username and Password defined in the + integration configuration to generate a JWT token for the session. + + + ### Flow Description + + 1. **Configuration Retrieval**: The action fetches the `Username` and `Password` + from the Docker Hub integration settings. + + 2. **Client Initialization**: A `DockerHub` manager instance is created using + the retrieved credentials, which involves an authentication step to obtain a JWT + token. + + 3. **Connectivity Test**: The action calls the `test_connectivity` method, which + sends a GET request to the Docker Hub `_catalog` endpoint. + + 4. **Result Handling**: If the request is successful, the action completes with + a success status. If an HTTP error occurs (other than a 404), the action fails, + indicating a configuration or connectivity issue. capabilities: can_create_case_comments: false can_create_insight: false @@ -120,7 +187,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -134,28 +201,3 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/community/duo/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/duo/resources/ai/actions_ai_description.yaml index e6e7d9728..59200ddcf 100644 --- a/content/response_integrations/third_party/community/duo/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/duo/resources/ai/actions_ai_description.yaml @@ -1,57 +1,92 @@ Get Authentication Logs for User: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: true + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - Retrieves user profile information and authentication history from Duo Security - for a specific username. This action queries the Duo Admin API to fetch logs over - a specified lookback period and performs a frequency analysis on successful authentication - attempts. It identifies common access patterns such as IP addresses, operating - systems, and devices that meet a user-defined 'Authentication Threshold'. + ### General Description + The **Get Authentication Logs for User** action retrieves detailed user profile + information and historical authentication logs from DUO MFA for a specific username. + It is designed to provide security analysts with visibility into a user's authentication + behavior, identifying common source IPs, devices, and authentication factors used + over a configurable period. The action also calculates frequency counts for various + authentication attributes and filters them against a threshold to help distinguish + between routine and anomalous access patterns. - ### Flow Description: - 1. **Authentication**: Connects to the Duo Admin API using the configured API - Hostname, Secret Key, and Integration Key. + ### Parameters Description - 2. **User Lookup**: Searches for the Duo `user_id` corresponding to the provided - `Username` parameter. + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | - 3. **Log Retrieval**: Fetches authentication logs for the identified user within - the timeframe defined by the `Number Days Back` parameter. + | Username | String | No | The DUO username to query. Note: While marked as non-mandatory + in configuration, the action requires this value to successfully identify a user + and retrieve logs. | - 4. **Pattern Analysis**: Iterates through successful authentication logs to count - occurrences of access IPs, geographic states, OS versions, applications, and hardware - devices. + | Number Days Back | String | Yes | The number of days prior to the current time + to include in the log search (e.g., '1' for the last 24 hours). | - 5. **Threshold Filtering**: Filters the aggregated counts, retaining only those - sources that meet or exceed the `Authentication Threshold` value. + | Authentication Threshold | String | Yes | The minimum number of successful authentications + required for a specific source (IP, OS, Device, etc.) to be included in the filtered + 'known' summary results. | - 6. **Output Generation**: Returns a JSON object containing the user's Duo profile, - raw authentication logs, and the filtered frequency statistics. + ### Flow Description - ### Parameters Description: + 1. **Authentication**: Initializes a connection to the DUO Admin API using the + provided API Hostname, Integration Key, and Secret Key. - | Parameter | Type | Mandatory | Description | + 2. **User Lookup**: Performs a lookup to retrieve the internal DUO `user_id` associated + with the provided `Username` parameter. - | :--- | :--- | :--- | :--- | + 3. **Log Retrieval**: Queries the DUO authentication logs for the identified user, + spanning from the calculated 'Days Back' timestamp to the current time. - | Authentication Threshold | String | Yes | The minimum number of successful authentications - required for a source (e.g., IP, device) to be included in the summary results. - Default is 2. | + 4. **Data Aggregation**: Processes the retrieved logs to count occurrences of + successful authentication attempts by IP address, geographic state, operating + system, application, endpoint key, authentication device, and factor. - | Number Days Back | String | Yes | The number of days prior to the current time - to search for authentication logs. Default is 1. | + 5. **Threshold Filtering**: Evaluates the aggregated counts against the `Authentication + Threshold`. Attributes that do not meet the minimum count are removed from the + summary dictionaries to highlight frequent/trusted sources. - | Username | String | No | The Duo username for which to retrieve data. | + 6. **Result Output**: Returns a comprehensive JSON object containing the raw user + metadata, the full authentication log history, and the filtered frequency summaries. - ### Additional Notes: + ### Additional Notes - - This action does not process entities from the Google SecOps case; it relies - entirely on the `Username` parameter. + - This action does not automatically iterate over entities in the SecOps case; + it operates strictly on the provided `Username` parameter. - - If the `Username` is not found in Duo or not provided, the action will report - that no username was provided. + - The script includes built-in retry logic (60-second wait) to handle potential + DUO API rate-limiting errors. capabilities: can_create_case_comments: false can_create_insight: false @@ -63,9 +98,9 @@ Get Authentication Logs for User: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -79,6 +114,7 @@ Get Authentication Logs for User: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Trust Monitor Events: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -92,60 +128,66 @@ Get Authentication Logs for User: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: true send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Trust Monitor Events: ai_description: >- ### General Description - This action retrieves Trust Monitor events from DUO Security for a specified lookback - period. It is designed to provide visibility into security events and anomalies - detected by DUO's Trust Monitor feature, allowing analysts to review historical - event data within Google SecOps. + The **Get Trust Monitor Events** action retrieves Trust Monitor events from DUO + Security for a specified historical period. This action is designed to pull security + telemetry related to trust assessments, providing visibility into DUO's trust + monitoring logs for auditing or investigation purposes. ### Parameters Description - | Parameter Name | Expected Type | Mandatory | Description | + + | Parameter Name | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Number Days Back | String/Number | Yes | The number of days prior to the current - time from which to start fetching events. Defaults to '1'. | + | Number Days Back | String | Yes | The number of days in the past from the current + time to retrieve events from. The value is converted to an integer and used to + calculate the start timestamp. | ### Flow Description - 1. **Configuration Extraction**: The action retrieves the DUO API Hostname, Admin - Secret Key, and Admin Integration Key from the integration settings. + 1. **Credential Retrieval:** The action extracts the DUO API Hostname, Admin Secret + Key, and Admin Integration Key from the integration configuration. - 2. **Parameter Processing**: It extracts the 'Number Days Back' parameter and - calculates the start (mintime) and end (maxtime) timestamps in milliseconds. + 2. **Time Calculation:** It takes the 'Number Days Back' input and calculates + a millisecond-based timestamp range starting from X days ago up to the current + time. - 3. **API Interaction**: Using the DUO Python SDK (`duo_client`), the action authenticates - to the Admin API and calls the `get_trust_monitor_events_by_offset` method. + 3. **API Authentication:** It initializes the DUO Admin API client using the provided + credentials. - 4. **Data Output**: The retrieved events are formatted into a JSON object and - added to the action's execution results for use in subsequent playbook steps. + 4. **Data Retrieval:** The action calls the DUO SDK method `get_trust_monitor_events_by_offset` + using the calculated time range to fetch the events. + 5. **Output Generation:** The retrieved events are packaged into a JSON result + and returned to the Google SecOps platform. - ### Additional Notes - - This action does not process specific entities; it performs a global fetch of - events based on the time range provided. + ### Additional Notes - - Ensure the DUO Admin API keys have the necessary permissions to access Trust - Monitor data. + This action does not process or filter specific entities (like Users or IPs) from + the case; it performs a global search for events within the DUO environment based + solely on the time parameter. capabilities: can_create_case_comments: false can_create_insight: false @@ -159,7 +201,7 @@ Get Trust Monitor Events: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -173,6 +215,7 @@ Get Trust Monitor Events: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Users by Name: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -183,42 +226,65 @@ Get Trust Monitor Events: disable_identity: false download_file: false enable_identity: false - enrich_asset: false + enrich_asset: true enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: true search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Users by Name: - ai_description: "### General Description\nThis action queries the DUO Admin API\ - \ to retrieve detailed information about a specific user based on a provided username.\ - \ It is designed to fetch contextual data such as user IDs, authentication history,\ - \ and associated device information from the DUO MFA platform. This information\ - \ is typically used for investigation and identity verification during security\ - \ incidents.\n\n### Parameters Description\n| Parameter Name | Type | Mandatory\ - \ | Description | \n| :--- | :--- | :--- | :--- |\n| Username | string | Yes |\ - \ The specific DUO username for which to retrieve account and device data. |\n\ - \n### Flow Description\n1. **Configuration Extraction**: The action retrieves\ - \ the DUO API Hostname, Admin Secret Key, and Admin Integration Key from the integration's\ - \ configuration settings.\n2. **Parameter Extraction**: The action extracts the\ - \ `Username` provided by the user or playbook.\n3. **API Initialization**: It\ - \ initializes the DUO Admin API client using the provided credentials and hostname.\n\ - 4. **Data Retrieval**: The action calls the `get_users_by_name` method from the\ - \ DUO SDK to fetch all data associated with the specified username.\n5. **Result\ - \ Processing**: It extracts the `user_id` from the response and packages the full\ - \ user data into a structured JSON format.\n6. **Output**: The results are added\ - \ to the action's JSON output for use in subsequent playbook steps.\n\n### Additional\ - \ Notes\nThis action does not automatically iterate over entities in a case; it\ - \ relies strictly on the `Username` parameter provided in the action configuration." + ai_description: >- + ### General Description + + Retrieves detailed user information from DUO MFA using a specific username. This + action is designed to query the DUO Admin API to obtain the `user_id`, authentication + status, and device data associated with a specific identity. It is primarily used + for identity verification and gathering context during security investigations. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Username | String | Yes | The specific username to query within the DUO Admin + API. | + + + ### Flow Description + + 1. **Authentication**: Initializes the DUO Admin API client using the configured + API Hostname, Admin Secret Key, and Admin Integration Key. + + 2. **Parameter Extraction**: Retrieves the target `Username` from the action input + parameters. + + 3. **API Request**: Executes a call to the DUO `get_users_by_name` endpoint using + the DUO Python SDK. + + 4. **Data Processing**: Iterates through the returned user data to identify the + unique `user_id` and aggregates the full response. + + 5. **Output**: Returns a structured JSON object containing the username, user + ID, and the complete user data retrieved from DUO. + + + ### Additional Notes + + This action does not process entities from the SecOps case automatically. It operates + strictly on the `Username` provided as a manual or playbook-driven parameter. capabilities: can_create_case_comments: false can_create_insight: false @@ -232,7 +298,7 @@ Get Users by Name: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -246,6 +312,7 @@ Get Users by Name: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -256,40 +323,60 @@ Get Users by Name: disable_identity: false download_file: false enable_identity: false - enrich_asset: true + enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: - ai_description: "### General Description\nThe **Ping** action is a diagnostic utility\ - \ designed to verify the connectivity and authentication configuration between\ - \ Google SecOps and the DUO Auth API. It validates that the integration's global\ - \ settings\u2014specifically the API Hostname, Auth Integration Key, and Auth\ - \ Secret Key\u2014are correct and that the environment can successfully generate\ - \ the required request signatures to communicate with DUO.\n\n### Parameters Description\n\ - There are no parameters for this action.\n\n### Additional Notes\nThis action\ - \ is primarily used for health checks and troubleshooting. It does not process\ - \ any entities or modify any data within Google SecOps or DUO.\n\n### Flow Description\n\ - 1. **Configuration Retrieval:** The action extracts the `API Hostname`, `Auth\ - \ Secret Key`, and `Auth Integration Key` from the DUO integration configuration.\n\ - 2. **Client Initialization:** It initializes the DUO Python SDK `Auth` client\ - \ using the extracted credentials.\n3. **Validation Call:** The action executes\ - \ the `/check` endpoint via the SDK to verify the validity of the keys and the\ - \ connectivity to the host.\n4. **Execution Outcome:** If the API call succeeds,\ - \ the action completes with a success message. If an exception occurs (e.g., authentication\ - \ failure or network error), the action catches the error and reports a failure\ - \ status." + ai_description: >- + ### General Description + + The **Ping** action is a diagnostic tool used to verify the connectivity and authentication + configuration between Google SecOps and the DUO Auth API. It ensures that the + integration's credentials (API Hostname, Integration Key, and Secret Key) are + valid and that the system can successfully generate the required request signatures + to communicate with DUO. + + + ### Parameters Description + + There are no action-specific parameters for this action. It utilizes the global + configuration parameters defined at the integration level. + + + ### Flow Description + + 1. **Configuration Extraction**: The action retrieves the `API Hostname`, `Auth + Secret Key`, and `Auth Integration Key` from the DUO integration settings. + + 2. **Client Initialization**: It initializes the DUO Python SDK's Auth client + using the extracted credentials. + + 3. **Validation Call**: The action executes a call to the DUO `/check` endpoint, + which is specifically designed to validate credentials and signature generation. + + 4. **Execution Completion**: If the call is successful, the action completes with + a success status. If an exception is raised (e.g., due to network issues or invalid + keys), it catches the error and returns a failure status with the error details. + + + ### Additional Notes + + This action does not interact with or process any entities. It is strictly intended + for health checks and troubleshooting during the integration setup. capabilities: can_create_case_comments: false can_create_insight: false @@ -303,7 +390,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -317,28 +404,3 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/community/duo/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/duo/resources/ai/connectors_ai_description.yaml index aded74594..2c217901f 100644 --- a/content/response_integrations/third_party/community/duo/resources/ai/connectors_ai_description.yaml +++ b/content/response_integrations/third_party/community/duo/resources/ai/connectors_ai_description.yaml @@ -2,21 +2,23 @@ DUO - Trust Monitor Connector: ai_description: >- ### General Description - The DUO Trust Monitor Connector integrates with the Cisco Duo Admin API to ingest - Trust Monitor events into Google SecOps. Duo Trust Monitor uses machine learning - to identify anomalous authentication patterns and potential security risks. This - connector automates the retrieval of these security events, transforming them - into actionable cases for security analysts to investigate within the SOAR platform. + + The **DUO - Trust Monitor Connector** integrates with the Cisco Duo Admin API + to ingest security events identified by Duo Trust Monitor. Trust Monitor uses + machine learning to detect anomalous authentication behavior and potential security + risks within your Duo environment. This connector fetches these events and transforms + them into cases within Google SecOps for centralized monitoring and incident response. ### Parameters Description + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the - python process running the current script. | + Python process running the script. Default is 30. | | EventClassId | String | Yes | The field name used to determine the event name (sub-type). Default is 'event_name'. | @@ -27,36 +29,37 @@ DUO - Trust Monitor Connector: | Days Back | Integer | Yes | The maximum number of days back to retrieve data from. | - | API Hostname | String | Yes | API hostname for your Duo tenant (e.g., api-XXXXXXXX.duosecurity.com). + | API Hostname | String | Yes | The API hostname for your Duo tenant (e.g., api-XXXXXXXX.duosecurity.com). | - | Admin Secret Key | Password | Yes | DUO Admin API Secret Key used for authentication. + | Admin Secret Key | Password | Yes | The Duo Admin API Secret Key used for authentication. | - | Admin Integration Key | Password | Yes | DUO Admin API Integration Key used + | Admin Integration Key | Password | Yes | The Duo Admin API Integration Key used for authentication. | ### Flow Description - 1. **Initialization**: The connector retrieves configuration parameters, including - API credentials, the Duo hostname, and the lookback window defined by 'Days Back'. - 2. **Time Range Calculation**: It calculates the start and end timestamps for - the query based on the current time and the configured 'Days Back' value. + 1. **Authentication**: The connector establishes a connection to the Duo Admin + API using the provided API Hostname, Integration Key, and Secret Key. - 3. **API Connection**: The connector establishes a connection to the Duo Admin - API using the provided Integration Key and Secret Key. + 2. **Time Window Calculation**: It determines the ingestion time window by calculating + the difference between the current time and the number of days specified in the + 'Days Back' parameter. - 4. **Data Retrieval**: It queries the Duo Trust Monitor endpoint to fetch all - security events that occurred within the calculated time range. + 3. **Data Retrieval**: The connector calls the Duo `get_trust_monitor_events_by_offset` + endpoint to retrieve all security events that occurred within the calculated time + window. - 5. **Data Transformation**: For each event found, the connector flattens the nested - JSON data structure to ensure all metadata is accessible within the SOAR environment. + 4. **Event Flattening**: For each retrieved event, the connector flattens the + nested JSON structure into a key-value format suitable for Google SecOps ingestion. - 6. **Case Creation**: The connector maps the Duo event data (using the transaction - ID as a unique identifier) to the Google SecOps CaseInfo model, setting a default - priority of Medium (60). + 5. **Case Mapping**: Each Trust Monitor event is mapped to a Google SecOps Case. + The connector uses the Duo transaction ID (`txid`) as the unique identifier and + sets a default priority of Medium (60). - 7. **Ingestion**: The processed alerts are packaged and ingested into Google SecOps - as new cases. + 6. **Ingestion**: The mapped cases, containing detailed event data such as the + surfaced authentication details and user information, are returned to the Google + SecOps platform. diff --git a/content/response_integrations/third_party/community/duo/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/duo/resources/ai/integration_ai_description.yaml index 9236ddeae..5bf4348e8 100644 --- a/content/response_integrations/third_party/community/duo/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/community/duo/resources/ai/integration_ai_description.yaml @@ -1,5 +1,5 @@ product_categories: - asset_inventory: false + asset_inventory: true cloud_security: false collaboration: false edr: false diff --git a/content/response_integrations/third_party/community/eclectic_iq/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/eclectic_iq/resources/ai/actions_ai_description.yaml index 289c94c1d..a167fffd2 100644 --- a/content/response_integrations/third_party/community/eclectic_iq/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/eclectic_iq/resources/ai/actions_ai_description.yaml @@ -1,12 +1,41 @@ Enrich Entities: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Enriches multiple entity types using the EclecticIQ threat intelligence platform. - This action retrieves detailed context, including observable types, confidence - scores (maliciousness), and related entity information such as titles, descriptions, - tags, and sources. The retrieved data is used to update the entity's profile within - Google SecOps, providing analysts with immediate threat context. + Enriches entities within Google SecOps by retrieving threat intelligence data + from the EclecticIQ platform. This action queries EclecticIQ for observables matching + the entity identifiers and fetches associated entity metadata, such as confidence + levels, maliciousness, tags, and source information. The retrieved data is used + to update entity attributes, provide direct platform links, and populate data + tables for analyst review. ### Parameters Description @@ -14,25 +43,35 @@ Enrich Entities: There are no parameters for this action. + ### Additional Notes + + - The action automatically prefixes enriched entity fields with "EIQ". + + - It sets the `is_enriched` flag to `true` for all successfully processed entities. + + - It generates external links to the EclecticIQ platform for both observables + and related entities. + + ### Flow Description 1. **Initialization**: Connects to the EclecticIQ API using the configured URL and API Token. - 2. **Data Retrieval**: Fetches observable information for all target entities - in the current scope from the EclecticIQ platform. + 2. **Observable Lookup**: Queries the EclecticIQ `/api/v2/observables` endpoint + using the identifiers of all target entities in the current context. + + 3. **Entity Retrieval**: For every observable found, it queries the `/api/v2/entities` + endpoint to find related threat intelligence entities. - 3. **Contextual Enrichment**: Retrieves related entity data from EclecticIQ for - the identified observables to provide broader threat context. + 4. **Source Enrichment**: Fetches source names from the EclecticIQ platform to + provide context on where the intelligence originated. - 4. **Data Processing**: - * Generates a JSON result containing the full enrichment payload. - * Creates platform links for each enriched entity, allowing analysts to pivot - directly to the EclecticIQ UI. - * Constructs CSV tables for each entity detailing related threat intelligence - and sources. - 5. **Entity Update**: Updates the Google SecOps entities with the retrieved metadata - (prefixed with 'EIQ') and marks them as enriched. + 5. **Internal Data Update**: Flattens the retrieved intelligence and updates the + Google SecOps entities' `additional_properties`. + + 6. **UI Enhancement**: Adds CSV-formatted data tables and direct platform links + to the entity's context in the SecOps interface. capabilities: can_create_case_comments: false can_create_insight: false @@ -43,47 +82,47 @@ Enrich Entities: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with threat intelligence data and sets - the 'is_enriched' flag to true. + Updates entity additional properties with flattened threat intelligence data + from EclecticIQ and sets the is_enriched flag to true. categories: enrichment: true entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -97,6 +136,7 @@ Enrich Entities: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -108,40 +148,61 @@ Enrich Entities: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: true + enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: - ai_description: "### General Description\nThe **Ping** action is a diagnostic tool\ - \ used to verify the connectivity between the Google SecOps platform and the EclecticIQ\ - \ instance. It ensures that the provided configuration parameters, such as the\ - \ URL and API Token, are correct and that the network path is open.\n\n### Parameters\ - \ Description\nThis action does not require any input parameters. It relies solely\ - \ on the integration's global configuration settings (EclecticIQ URL, API Token,\ - \ and Verify SSL).\n\n### Flow Description\n1. **Initialization**: The action\ - \ initializes the Siemplify context and retrieves the global integration configuration.\n\ - 2. **Manager Setup**: It instantiates the `EclecticIQManager` using the configured\ - \ URL, API Token, and SSL verification setting.\n3. **Connectivity Test**: The\ - \ action calls the `test_connectivity` method, which performs a GET request to\ - \ the EclecticIQ `/api/v2/sources` endpoint.\n4. **Result Handling**: \n *\ - \ If the request is successful, the action completes with a success status and\ - \ a confirmation message.\n * If an exception occurs (e.g., authentication\ - \ failure, network timeout), the action fails and provides the error details in\ - \ the output message.\n\n### Additional Notes\n- This action is typically used\ - \ during the initial setup of the integration or for troubleshooting communication\ - \ issues.\n- It does not process any entities or modify any data within EclecticIQ\ - \ or Google SecOps." + ai_description: >- + ### General Description + + The **Ping** action is a diagnostic utility designed to verify the connectivity + between Google SecOps and the **EclecticIQ** platform. It ensures that the provided + configuration parameters, such as the URL and API Token, are correct and that + the network path is open. + + + ### Parameters Description + + There are no user-input parameters for this action. It relies entirely on the + integration's global configuration (EclecticIQ URL, API Token, and Verify SSL). + + + ### Additional Notes + + - This action is typically used during the initial setup of the integration or + for troubleshooting communication issues. + + - It performs a simple GET request to the EclecticIQ 'sources' endpoint to validate + the API Token and connectivity. + + + ### Flow Description + + 1. **Configuration Retrieval:** The action fetches the `EclecticIQ URL`, `API + Token`, and `Verify SSL` settings from the integration configuration. + + 2. **Manager Initialization:** An instance of the `EclecticIQManager` is created + using the retrieved settings. + + 3. **Connectivity Test:** The manager executes a `test_connectivity` call, which + sends a GET request to the EclecticIQ API `/api/v2/sources` endpoint. + + 4. **Result Handling:** If the request is successful, the action completes with + a success status. If an exception occurs (e.g., authentication failure or network + timeout), the action fails and provides a descriptive error message. capabilities: can_create_case_comments: false can_create_insight: false @@ -155,7 +216,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -169,8 +230,9 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Send Entities to EclecticIQ: action_product_categories: - add_alert_comment: false + add_alert_comment: true add_ioc_to_allowlist: false add_ioc_to_blocklist: false contain_host: false @@ -182,72 +244,74 @@ Ping: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Send Entities to EclecticIQ: ai_description: >- - Sends entities from a Google SecOps case to the EclecticIQ Intelligence Center. - This action allows analysts to export case context and associated entities as - sightings or indicators within EclecticIQ, facilitating threat intelligence sharing - and external tracking. By default, the action creates a sighting for each supported - entity found in the case. If configured, it can also create an indicator object. - The action utilizes case metadata such as title, description, priority, and status - to provide context for the created objects in EclecticIQ. + ### General Description + Sends entities from a Google SecOps case to the EclecticIQ Intelligence Center. + By default, the action creates a **sighting** for each supported entity, associating + it with the current case metadata. Users can optionally configure the action to + also create an **indicator** entity in EclecticIQ. - ### Flow Description: - 1. **Parameter Extraction:** Retrieves the EclecticIQ configuration (URL, API - Token) and action parameters (Group Name, Create Indicator flag). + ### Parameters Description - 2. **Source Identification:** Queries the EclecticIQ API to find the internal - source ID associated with the provided 'Group Name'. + | Parameter | Type | Mandatory | Description | - 3. **Entity Mapping:** Iterates through the target entities in the SecOps case - and maps them to EclecticIQ extract types (e.g., IP to ipv4, Domain to domain). + | :--- | :--- | :--- | :--- | - 4. **Data Construction:** Builds a sighting object (and optionally an indicator - object) containing the case metadata and the list of entity extracts. + | **Group Name** | String | Yes | The name of the EclecticIQ Intelligence Center + Group (e.g., "Testing Group") where the entities will be created. | - 5. **External Creation:** Sends a PUT request to the EclecticIQ API to create - the entities within the platform. + | **Create Indicator** | Boolean | No | If set to `true`, the action creates both + a sighting and an indicator in EclecticIQ. If `false` (default), only a sighting + is created. | - 6. **Internal Updates:** Adds a comment to the SecOps case confirming the action's - success and provides a direct platform link to the created data in the action - results. + ### Flow Description - ### Parameters Description: + 1. **Parameter Extraction:** Retrieves the EclecticIQ URL, API token, and SSL + verification settings from the integration configuration, along with the action-specific + parameters (`Group Name`, `Create Indicator`). - | Parameter | Type | Mandatory | Description | + 2. **Source Identification:** Queries the EclecticIQ API to find the internal + `source_id` associated with the provided `Group Name`. - | :--- | :--- | :--- | :--- | + 3. **Data Preparation:** Maps SecOps entities (IPs, Domains, Hashes, etc.) to + their corresponding EclecticIQ observable types. It also aggregates case metadata + (Title, Description, Priority, etc.) to include in the EclecticIQ description + field. - | Group Name | string | Yes | The name of the EclecticIQ Intelligence Center Group - (e.g., 'Testing Group') where the sightings/indicators will be created. | + 4. **Entity Creation:** Sends a `PUT` request to the EclecticIQ `/api/v2/entities` + endpoint to create the sighting (and optionally the indicator). - | Create Indicator | boolean | No | If set to 'true', the action creates both - a sighting and an indicator in EclecticIQ. If 'false' (default), only a sighting - is created. | + 5. **Internal Updates:** Adds a comment to the SecOps case wall confirming the + operation and provides a direct platform link to the created entity in the action + results. - ### Additional Notes: + ### Additional Notes - - The action supports a wide range of entity types including IP addresses, hostnames, - file hashes, domains, and CVEs. + - Supported entity types include Hostnames, IP Addresses, Processes, File Names, + File Hashes (SHA256), URLs, CVEs, Credit Cards, Phone Numbers, Threat Actors, + and Domains. - - Case metadata is formatted as HTML within the EclecticIQ description field to - maintain readability. + - The action uses UUID v5 (based on the case identifier) to ensure consistent + ID generation for sightings and indicators within EclecticIQ. capabilities: can_create_case_comments: true can_create_insight: false @@ -256,34 +320,34 @@ Send Entities to EclecticIQ: can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: >- - Creates new sighting and indicator records within the EclecticIQ Intelligence - Center platform via PUT requests. + Creates new sighting and indicator entities within the EclecticIQ platform via + a PUT request. fetches_data: true internal_data_mutation_explanation: >- - Adds a comment to the Google SecOps case to log the successful export of entities - to EclecticIQ. + Adds a comment to the case wall and attaches an external platform link to the + action results. categories: enrichment: false entity_usage: entity_types: - - ADDRESS - - CHILDHASH - - CHILDPROCESS - - CREDITCARD - - CVE - - CVEID - - DESTINATIONDOMAIN - - DOMAIN - - FILEHASH - - FILENAME - - HOSTNAME - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - PROCESS - - SOURCEDOMAIN - - THREATACTOR - - DestinationURL + - ADDRESS + - CHILDHASH + - CHILDPROCESS + - CREDITCARD + - CVE + - CVEID + - DESTINATIONDOMAIN + - DOMAIN + - FILEHASH + - FILENAME + - HOSTNAME + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - PROCESS + - SOURCEDOMAIN + - THREATACTOR + - DestinationURL filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -297,28 +361,3 @@ Send Entities to EclecticIQ: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: true - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/community/eclectic_iq/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/eclectic_iq/resources/ai/connectors_ai_description.yaml index 3a54dfb86..acd698d93 100644 --- a/content/response_integrations/third_party/community/eclectic_iq/resources/ai/connectors_ai_description.yaml +++ b/content/response_integrations/third_party/community/eclectic_iq/resources/ai/connectors_ai_description.yaml @@ -1,37 +1,64 @@ EclecticIQ - Feed Connector: - ai_description: "### General Description\nThis connector integrates with the EclecticIQ\ - \ Intelligence Center to ingest threat intelligence data into Google SecOps. It\ - \ specifically targets \"Outgoing Feeds\" configured within EclecticIQ, downloading\ - \ content blocks (typically in CSV format) and converting the contained observables\ - \ and entities into structured alerts and events. This enables security teams\ - \ to automate the ingestion of curated intelligence for correlation and incident\ - \ response.\n\n### Parameters Description\n| Parameter | Type | Mandatory | Description\ - \ |\n| :--- | :--- | :--- | :--- |\n| API Token | Password | Yes | The API token\ - \ used to authenticate with the EclecticIQ Intelligence Center API. |\n| EclecticIQ\ - \ URL | String | Yes | The base URL of the EclecticIQ instance (e.g., https://eclecticiq.local).\ - \ |\n| Outgoing Feed ID | String | Yes | The specific ID of the Outgoing Feed\ - \ from which the connector will fetch entities. |\n| DeviceProductField | String\ - \ | Yes | The field name used to determine the device product in the ingested\ - \ data (Default: EclecticIQ). |\n| EventClassId | String | Yes | The field name\ - \ used to determine the event name or sub-type (Default: Threat Intelligence).\ - \ |\n| PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for\ - \ the python process running the current script. |\n| Verify SSL | Boolean | No\ - \ | If enabled, the connector will verify the SSL certificate of the EclecticIQ\ - \ server. |\n\n### Flow Description\n1. **Authentication**: The connector establishes\ - \ a secure session with the EclecticIQ Intelligence Center using the provided\ - \ API Token and URL.\n2. **Feed Validation**: It verifies that the configured\ - \ `Outgoing Feed ID` is valid and accessible on the platform.\n3. **Content Discovery**:\ - \ The connector queries for available content blocks associated with the specified\ - \ outgoing feed.\n4. **Checkpointing**: It retrieves the ID of the last successfully\ - \ processed content block from the internal database to ensure only new data is\ - \ ingested.\n5. **Data Retrieval and Parsing**: For every new content block identified,\ - \ the connector downloads the data (CSV format) and parses it into individual\ - \ records.\n6. **Alert Transformation**: Each record is mapped to a Google SecOps\ - \ Alert object, utilizing fields like `entity.title` for the alert name and `entity.id`\ - \ for the unique identifier.\n7. **Event Mapping**: Detailed attributes from the\ - \ EclecticIQ record\u2014including observable values, types, descriptions, confidence\ - \ levels, and source names\u2014are mapped into a SOAR event attached to the alert.\n\ - 8. **Ingestion**: The generated alerts and events are ingested into Google SecOps\ - \ for case creation.\n9. **State Update**: Upon successful processing, the connector\ - \ updates the checkpoint with the latest content block ID to prevent duplicate\ - \ ingestion in subsequent runs." + ai_description: >- + ### General Description + + This connector integrates with the EclecticIQ Intelligence Center to ingest threat + intelligence data from configured outgoing feeds. It retrieves indicators and + observables from specific feeds and converts them into alerts and cases within + Google SecOps, enabling security teams to monitor and act on external threat intelligence. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | API Token | Password | Yes | The API token used to authenticate with the EclecticIQ + Intelligence Center. | + + | EclecticIQ URL | String | Yes | The base URL of the EclecticIQ instance (e.g., + https://eclecticiq.local). | + + | Outgoing Feed ID | String | Yes | The specific ID of the outgoing feed from + which to fetch data. | + + | DeviceProductField | String | Yes | The field name used to determine the device + product (default: EclecticIQ). | + + | EventClassId | String | Yes | The field name used to determine the event name/sub-type + (default: Threat Intelligence). | + + | PythonProcessTimeout | String | Yes | The timeout limit in seconds for the script + execution. | + + | Verify SSL | Boolean | No | Whether to verify the SSL certificate of the EclecticIQ + server. | + + + ### Flow Description + + 1. **Authentication**: Connects to the EclecticIQ Intelligence Center using the + provided API Token and URL. + + 2. **Feed Validation**: Validates that the specified `Outgoing Feed ID` exists + and is accessible. + + 3. **Content Discovery**: Retrieves a list of available content blocks (data batches) + associated with the configured feed. + + 4. **Checkpointing**: Reads the last processed block ID from the internal database + to ensure only new data is ingested. + + 5. **Data Retrieval**: Fetches the CSV-formatted data for each new content block + identified. + + 6. **Parsing and Mapping**: Parses the CSV records, extracting entity details + such as titles, descriptions, confidence levels, tags, and platform URLs. + + 7. **Alert Creation**: Maps the extracted data into Google SecOps Alert and Event + objects, assigning a default priority and categorizing them under the EclecticIQ + product. + + 8. **Ingestion**: Ingests the alerts into the system and updates the checkpoint + with the latest processed block ID to maintain state for the next run. diff --git a/content/response_integrations/third_party/community/flashpoint/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/flashpoint/resources/ai/actions_ai_description.yaml index 0b9cc30d9..16301cacc 100644 --- a/content/response_integrations/third_party/community/flashpoint/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/flashpoint/resources/ai/actions_ai_description.yaml @@ -1,53 +1,76 @@ Custom Query: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: true + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Executes a custom search query against the Flashpoint API. This action provides - the flexibility to perform advanced searches by allowing users to specify both - the query parameters in JSON format and the specific API endpoint path. It is - primarily used to retrieve tailored threat intelligence data, such as forum posts, - carding information, or exploit discussions, directly into the Google SecOps platform. + The **Custom Query** action allows users to execute arbitrary search queries against + the Flashpoint API. It provides flexibility by allowing the user to specify both + the API endpoint path and the JSON-formatted query body. This is useful for advanced + searches that are not covered by standard enrichment actions. ### Parameters Description + | Parameter | Type | Mandatory | Description | - | Parameter | Description | Type | Mandatory | Notes | + | :--- | :--- | :--- | :--- | - | :--- | :--- | :--- | :--- | :--- | + | **Query Content** | Code | Yes | A JSON-formatted string representing the body + of the search request. It typically includes fields like `query`, `limit`, `start_date`, + and `search_tags`. | - | Query Content | A JSON-formatted string containing the search parameters. | - Code | Yes | Expected to contain keys like `query`, `limit`, `start_date`, `end_date`, - `search_tags`, and `sort_timestamp`. | - - | New Query URL | The specific API endpoint path to target. | String | Yes | This - path is appended to the base Flashpoint API URL (e.g., `/all/search` or `/indicators/attribute`). - | + | **New Query URL** | String | Yes | The API endpoint path to be appended to the + base Flashpoint API URL (e.g., `/all/search`). | ### Additional Notes - - The action uses a POST request to send the query parameters to the Flashpoint - API. + - This action uses a POST request to the Flashpoint API to accommodate complex + query structures. - - The results are returned as a raw JSON object and attached to the action's execution - results. + - The results are returned as a raw JSON object in the action's results. ### Flow Description - 1. **Initialization**: Extracts the Flashpoint API Key from the integration configuration. - - 2. **Parameter Extraction**: Retrieves the `Query Content` (JSON string) and the - `New Query URL` from the action input. + 1. **Extract Configuration:** Retrieves the Flashpoint API Key from the integration + settings. - 3. **API Request**: Uses the `FlashpointManager` to send a POST request to the - constructed URL (Base API + New Query URL) with the parsed JSON query parameters. + 2. **Extract Parameters:** Retrieves the user-provided query JSON and the target + URL path. - 4. **Result Processing**: Receives the JSON response from Flashpoint. + 3. **Execute Request:** Sends a POST request to the Flashpoint API with the provided + JSON payload. - 5. **Output**: Adds the raw JSON response to the action results and completes - the execution with a success message. + 4. **Process Results:** Captures the JSON response from Flashpoint and attaches + it to the action's output. capabilities: can_create_case_comments: false can_create_insight: false @@ -61,7 +84,7 @@ Custom Query: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -75,6 +98,7 @@ Custom Query: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +IOC_Enrichment: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -86,47 +110,48 @@ Custom Query: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: false + enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -IOC_Enrichment: - ai_description: "Enriches entities using Flashpoint's indicator attribute intelligence.\ - \ This action queries the Flashpoint API to retrieve threat intelligence and contextual\ - \ data for various indicators. It automatically updates the entity's profile within\ - \ Google SecOps with the retrieved information, marks the entity as enriched and\ - \ suspicious, and generates an insight for the analyst.\n\n### Flow Description\n\ - 1. **Initialization**: The action initializes the Flashpoint manager using the\ - \ provided API key from the integration configuration.\n2. **Parameter Extraction**:\ - \ It retrieves the 'Limit' parameter to determine the maximum number of results\ - \ to fetch for each entity.\n3. **Entity Iteration**: The action iterates through\ - \ all target entities provided in the context.\n4. **External Query**: For each\ - \ entity, it calls the Flashpoint `/indicators/attribute` endpoint using the entity's\ - \ identifier.\n5. **Data Processing**: If a report is found, the action flattens\ - \ the JSON response and adds a 'FlashPoint' prefix to the keys.\n6. **Internal\ - \ Mutation**: \n * Updates the entity's `additional_properties` with the\ - \ flattened data.\n * Sets the entity's `is_enriched` status to `True`.\n\ - \ * Sets the entity's `is_suspicious` status to `True`.\n * Creates\ - \ an entity insight titled 'Flashpoint - [identifier] marked as suspicious'.\n\ - 7. **Completion**: Aggregates the results and provides a summary message of which\ - \ entities were enriched or not found.\n\n### Parameters Description\n| Parameter\ - \ | Type | Mandatory | Default | Description |\n| :--- | :--- | :--- | :--- |\ - \ :--- |\n| Limit | string | No | 100 | The maximum number of result objects to\ - \ return from the Flashpoint API for each entity. |\n\n### Additional Notes\n\ - * This action automatically marks any entity found in Flashpoint as 'suspicious'\ - \ regardless of the specific score or content of the report.\n* The action processes\ - \ all entity types without specific filtering, making it a versatile enrichment\ - \ tool for any indicator supported by Flashpoint." + ai_description: "### General Description\nThe **IOC Enrichment** action retrieves\ + \ threat intelligence for indicator entities from the Flashpoint platform. It\ + \ queries the Flashpoint API to find matching indicator attributes, providing\ + \ context such as associated tags, technical details, and historical sightings.\ + \ This action is primarily used to determine the risk level of an indicator and\ + \ to populate the SOAR environment with external threat data.\n\n### Parameters\ + \ Description\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- |\ + \ :--- | :--- |\n| **Limit** | String | No | The maximum number of result objects\ + \ to return from Flashpoint for each entity. Defaults to \"100\". |\n\n### Flow\ + \ Description\n1. **Initialization**: The action initializes the Flashpoint manager\ + \ using the provided API Key.\n2. **Entity Iteration**: The script iterates through\ + \ all target entities provided in the context.\n3. **API Query**: For each entity,\ + \ it performs a GET request to the Flashpoint `/indicators/attribute` endpoint\ + \ using the entity's identifier as the query.\n4. **Data Processing**: \n *\ + \ If a report is found, the action flattens the JSON data and prepends the \"\ + FlashPoint\" prefix to the keys.\n * It updates the entity's `additional_properties`\ + \ with the enriched data.\n * It marks the entity as `is_enriched` and `is_suspicious`.\n\ + 5. **Insight Generation**: An entity insight is created for every successfully\ + \ enriched entity, highlighting that it was marked as suspicious by Flashpoint.\n\ + 6. **Finalization**: The action attaches the full JSON report to the entity and\ + \ the script results, then concludes with a summary of found and not-found entities.\n\ + \n### Additional Notes\n* This action automatically marks any entity found in\ + \ the Flashpoint database as **suspicious** within the Google SecOps platform.\n\ + * If an entity is not found in Flashpoint, it is tracked and reported in the final\ + \ output message." capabilities: can_create_case_comments: false can_create_insight: true @@ -137,47 +162,47 @@ IOC_Enrichment: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with enrichment data, marks entities as - enriched and suspicious, and creates entity insights. + Updates entity additional properties, sets the enriched and suspicious flags, + and creates entity insights based on the data retrieved from Flashpoint. categories: enrichment: true entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -191,6 +216,7 @@ IOC_Enrichment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Indicators Custom Query: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -202,29 +228,31 @@ IOC_Enrichment: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: true + enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: false + search_events: true send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Indicators Custom Query: ai_description: >- ### General Description - Executes a custom query against the Flashpoint API to retrieve specific indicators, - events, or attributes. This action allows for granular searching using keywords, - tags, date ranges, and specific indicator types (simple, event, or attribute). - It is designed to fetch threat intelligence data based on user-defined criteria - rather than enriching specific entities within a case. + The **Indicators Custom Query** action allows users to perform advanced searches + against the Flashpoint indicator database. It retrieves specific events or attributes + based on a variety of filtering criteria such as keywords, tags, and date ranges. + This action is primarily used for threat hunting and gathering intelligence on + specific indicators of compromise (IOCs) stored within Flashpoint. ### Parameters Description @@ -233,54 +261,52 @@ Indicators Custom Query: | :--- | :--- | :--- | :--- | - | Indicator Type | ddl | Yes | Defines the scope of the search: 'simple' (simplified - list), 'event' (groupings of IOCs), or 'attribute' (individual IOCs). | - - | Query | string | No | The specific search query string to execute against the - Flashpoint database. | + | **Indicator Type** | DDL | Yes | Determines the scope of the search. Options + include 'simple' (simplified list), 'event' (groupings of IOCs), or 'attribute' + (specific IOCs). | - | Search Tags | string | No | Comma-separated keywords (e.g., malware, ransomware) - to filter the results. | + | **Query** | String | No | The specific search string or custom query to execute. + | - | Limit | string | No | The maximum number of result objects to return (default - is 10). | + | **Search Tags** | String | No | A comma-separated list of tags to filter results + (e.g., 'malware, ransomware'). | - | Start Date | string | No | Retrieves values created after this specified date - (e.g., 2020-02-26T14:49:07Z). | + | **Entity Types** | String | No | A comma-separated list of Flashpoint-specific + entity types to retrieve (e.g., 'url, domain, ip-src'). | - | End Date | string | No | Retrieves values created before this specified date - (e.g., 2020-02-25T14:49:07Z). | + | **Start Date** | String | No | Filters for indicators created after this ISO + 8601 timestamp (e.g., '2020-02-26T14:49:07Z'). | - | Entity Types | string | No | Comma-separated MISP-style entity types to retrieve - data for (e.g., url, domain, ip-src). | + | **End Date** | String | No | Filters for indicators created before this ISO + 8601 timestamp. | - | Sort By Time | ddl | No | Presents the data in 'Ascending' or 'Descending' order - based on the timestamp. | + | **Limit** | String | No | The maximum number of result objects to return. Default + is 10. | + | **Sort By Time** | DDL | No | Specifies whether to return results in 'Ascending' + or 'Descending' chronological order. | - ### Additional Notes - The 'Indicator Type' parameter is critical as it determines the specific API endpoint - used for the query. While most parameters are optional, providing a 'Query' or - 'Search Tags' is recommended to narrow down results effectively. + ### Flow Description + 1. **Configuration Extraction:** The action retrieves the Flashpoint API Key from + the integration settings and all user-provided search parameters. - ### Flow Description + 2. **Manager Initialization:** An instance of the Flashpoint Manager is created + to handle API communication. - 1. **Configuration Retrieval**: Extracts the API Key from the integration settings. + 3. **API Request:** The action constructs a GET request to the Flashpoint `/indicators/{type}` + endpoint, passing the query parameters, filters, and sorting preferences. - 2. **Parameter Extraction**: Collects all user-provided search filters, including - the mandatory Indicator Type. + 4. **Result Processing:** If the API returns data, the results are formatted as + a JSON object and attached to the action output. If no data is found, the action + reports a failure to find entities. - 3. **Manager Initialization**: Initializes the Flashpoint Manager with the provided - credentials. - 4. **API Execution**: Sends a GET request to the Flashpoint Indicators API endpoint - corresponding to the selected Indicator Type, applying all provided filters as - query parameters. + ### Additional Notes - 5. **Result Processing**: If data is found, it is formatted and added to the action's - JSON results for use in subsequent playbook steps. + This action does not process entities currently present in the Google SecOps case; + it is a standalone search utility that returns data based on the provided parameters. capabilities: can_create_case_comments: false can_create_insight: false @@ -294,7 +320,7 @@ Indicators Custom Query: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -308,6 +334,7 @@ Indicators Custom Query: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -321,51 +348,46 @@ Indicators Custom Query: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: ai_description: >- - Tests the connectivity between Google SecOps and the Flashpoint API to ensure - that the provided credentials and network configurations are valid. This action - performs a sample search query to verify that the API is reachable and responding - as expected. + Tests the connectivity between Google SecOps and the Flashpoint API. This action + validates the provided API key by performing a sample search query for forum data + related to carding and exploits. It ensures that the integration can successfully + communicate with the Flashpoint service. ### Parameters - | Parameter Name | Description | Type | Mandatory | Notes | - - | :--- | :--- | :--- | :--- | :--- | - - | None | This action does not require any input parameters. | N/A | N/A | N/A - | + There are no parameters for this action. ### Flow Description - 1. **Configuration Extraction**: Retrieves the API Key from the integration's - shared configuration. - - 2. **Manager Initialization**: Initializes the Flashpoint API manager with the - provided credentials. + 1. **Initialize Manager**: The action initializes the Flashpoint API manager using + the configured API key. - 3. **Connectivity Test**: Executes a GET request to the Flashpoint search endpoint - using a predefined query. + 2. **Test Connectivity**: It executes a GET request to the Flashpoint search endpoint + with a predefined query to verify the API key and network access. - 4. **Response Validation**: Checks if the API returns a valid JSON response. + 3. **Validate Response**: The action checks if the API returns a valid JSON response + and handles potential errors. - 5. **Finalization**: Reports a successful connection or failure based on the API - response. + 4. **Report Result**: Returns a success message if the connection is established, + or a failure message if the connection fails. capabilities: can_create_case_comments: false can_create_insight: false @@ -379,7 +401,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -393,6 +415,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Run Query: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -406,28 +429,28 @@ Ping: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: false + search_events: true send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Run Query: ai_description: >- ### General Description - The **Run Query** action executes custom search queries against the Flashpoint - platform to retrieve threat intelligence, forum posts, or indicators. It allows - analysts to perform broad searches across Flashpoint's datasets using specific - query syntax, filtering by tags, date ranges, and sorting preferences. The results - are returned as a raw JSON object, providing flexible data retrieval for complex - investigations. + Executes a custom search query against the Flashpoint platform to retrieve intelligence + data. This action allows analysts to perform flexible searches using Flashpoint's + query language, applying filters for tags, date ranges, and sorting preferences. + The results are returned as a JSON object for further processing within the playbook. ### Parameters Description @@ -436,44 +459,44 @@ Run Query: | :--- | :--- | :--- | :--- | - | **Query** | String | Yes | The search query content using Flashpoint syntax - (e.g., `+basetypes:+indicator`). | + | Query | string | Yes | The search query content using Flashpoint syntax (e.g., + `+basetypes:+indicator`). | - | **Results count limit** | String | No | The maximum number of results to return. + | Results count limit | string | No | The maximum number of results to retrieve. Defaults to 100. | - | **Sort By** | String | No | Specifies the fields and order for sorting results - (e.g., `posted_at:desc,title:asc`). | + | Sort By | string | No | Specifies the fields and order for sorting results (e.g., + `posted_at:desc,title:asc`). | - | **Tags** | String | No | A comma-separated list of tags to filter the search - results (e.g., `+tag_1, +tag_2`). | + | Tags | string | No | A comma-separated list of tags to filter the search results + (e.g., `+tag_1, +tag_2`). | - | **Date Range** | String | No | The timeframe for the search (e.g., `[now-1y + | Date Range | string | No | The timeframe for the search query (e.g., `[now-1y TO now]`). | ### Additional Notes - This action does not process specific entities from the Google SecOps case; it - is a standalone search utility. The output is provided as a JSON result for use - in subsequent playbook steps. + This action does not operate on specific entities within the case; instead, it + performs a global search based on the provided query parameters. The results are + provided in the `JsonResult` output. ### Flow Description - 1. **Initialization:** The action initializes the Flashpoint manager using the - provided API Key from the integration configuration. + 1. **Configuration Retrieval:** Fetches the Flashpoint API Key from the integration + settings. - 2. **Parameter Extraction:** It retrieves the query string, result limit, date - range, sorting criteria, and tags from the action parameters. + 2. **Parameter Extraction:** Collects the query string, result limit, date range, + sorting criteria, and tags from the action input. - 3. **API Execution:** The action calls the Flashpoint API to execute the custom - query with the specified filters. + 3. **API Interaction:** Initializes the Flashpoint Manager and executes the search + query against the Flashpoint API. - 4. **Data Capture:** The raw JSON response from Flashpoint is captured. + 4. **Result Processing:** Receives the query response and attaches the raw data + to the action's JSON results. - 5. **Completion:** The action attaches the JSON results to the execution context - and finishes with a success message. + 5. **Completion:** Ends the action with a success message and a boolean status. capabilities: can_create_case_comments: false can_create_insight: false @@ -487,7 +510,7 @@ Run Query: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -501,28 +524,3 @@ Run Query: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: true - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/community/flashpoint/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/flashpoint/resources/ai/connectors_ai_description.yaml index 4e51bfadd..74d19c9e4 100644 --- a/content/response_integrations/third_party/community/flashpoint/resources/ai/connectors_ai_description.yaml +++ b/content/response_integrations/third_party/community/flashpoint/resources/ai/connectors_ai_description.yaml @@ -3,11 +3,12 @@ ### General Description The Flashpoint Compromised Credential Connector integrates with the Flashpoint - platform to monitor and ingest alerts related to compromised credentials. It specifically - targets 'credential-sighting' events, which occur when employee credentials are - detected as being used or exposed on the web. This connector allows security teams - to proactively respond to potential account takeovers by automatically creating - cases in Google SecOps for every detected sighting. + API to monitor and ingest alerts related to compromised credentials. It specifically + tracks "credential-sighting" events, which occur when employee credentials (such + as emails and passwords) are discovered in external data sources like the deep + or dark web. This connector enables security teams to proactively respond to potential + account takeovers by automatically creating cases in Google SecOps for every detected + sighting. ### Parameters Description @@ -17,7 +18,7 @@ | :--- | :--- | :--- | :--- | | API Key | Password | Yes | The API key used to authenticate with the Flashpoint - API. | + v4 API. | | DeviceProductField | String | Yes | The field name in the source data used to determine the device product (defaults to 'Flashpoint'). | @@ -25,46 +26,43 @@ | EventClassId | String | No | The field name used to determine the event name or sub-type. | - | Limit | Integer | Yes | The maximum number of events to retrieve in a single - execution cycle. | + | Limit | Integer | Yes | The maximum number of events to retrieve per execution + cycle. | | Max Days Back | Integer | No | The maximum number of days to look back for data - during the first run or if the saved timestamp is invalid. | + during the first run or if no previous timestamp exists. | | Proxy Server Address | String | No | The address of the proxy server to use - for outgoing requests. | + for network communication. | | Proxy Username | String | No | The username for proxy authentication. | | Proxy Password | Password | No | The password for proxy authentication. | - | PythonProcessTimeout | String | Yes | The timeout limit in seconds for the connector's - execution. | + | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the + Python process running the script. | ### Flow Description - 1. **Authentication**: The connector establishes a session with the Flashpoint - API using the provided API Key. + 1. **Timestamp Retrieval**: The connector fetches the last saved timestamp from + the SOAR database. If no timestamp is found, it uses the "Max Days Back" parameter + to define the starting point. - 2. **Timestamp Retrieval**: It fetches the last saved timestamp to determine the - starting point for the search. If no timestamp is found, it calculates a starting - point based on the 'Max Days Back' parameter. + 2. **API Query**: It connects to the Flashpoint `/all/search` endpoint using a + Bearer token. It specifically queries for `basetypes:(credential-sighting)` within + the time range from the last timestamp to the current time. - 3. **Search Query**: The connector executes a search against the Flashpoint `/all/search` - endpoint, filtering for `basetypes:(credential-sighting)` within the calculated - time range. + 3. **Data Processing**: The connector retrieves a list of hits (up to the configured + Limit) and flattens the nested JSON structure of each alert for easier mapping. - 4. **Data Flattening**: Each result (hit) from the API is processed and flattened - into a single-level dictionary to ensure all metadata is captured within the event. + 4. **Case Creation**: Each sighting is mapped to a Google SecOps `CaseInfo` object. + The priority is set to 60 (Medium), and the event name is hardcoded as "Credential + Sighting". - 5. **Case Mapping**: The connector maps the Flashpoint data to the Google SecOps - CaseInfo model, assigning a default priority of 60 and using the sighting's indexed - time as the event time. + 5. **Overflow Validation**: Before ingestion, the connector checks if the alert + matches overflow criteria to prevent redundant case creation. - 6. **Overflow Validation**: It checks each alert against the system's overflow - rules to prevent duplicate or excessive ingestion. - - 7. **Ingestion and Checkpointing**: Valid cases are ingested into Google SecOps, - and the timestamp of the most recent sighting is saved to ensure the next iteration - picks up where the last one finished. + 6. **Ingestion and State Management**: Valid cases are ingested into the platform, + and the timestamp of the most recent alert is saved to ensure the next run starts + from where the current one ended. diff --git a/content/response_integrations/third_party/community/flashpoint/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/flashpoint/resources/ai/integration_ai_description.yaml index 2e831240c..ac8e64b44 100644 --- a/content/response_integrations/third_party/community/flashpoint/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/community/flashpoint/resources/ai/integration_ai_description.yaml @@ -9,4 +9,4 @@ product_categories: network_security: false siem: false threat_intelligence: true - vulnerability_management: false + vulnerability_management: true diff --git a/content/response_integrations/third_party/community/full_contact/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/full_contact/resources/ai/actions_ai_description.yaml index 6915d802b..cc1da7598 100644 --- a/content/response_integrations/third_party/community/full_contact/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/full_contact/resources/ai/actions_ai_description.yaml @@ -1,58 +1,49 @@ Enrich Entities: - ai_description: >- - ### General Description - - Enriches User entities with detailed person and company information using the - Full Contact API. This action takes the email address from a User entity, extracts - the domain, and queries Full Contact to retrieve professional and organizational - metadata. The retrieved data is then mapped to the entity's additional properties - within Google SecOps, providing analysts with deeper context about the individuals - and organizations involved in an alert. - - - ### Parameters Description - - There are no action-specific parameters for this action. It relies on the 'API - Key' configured in the integration settings. - - - ### Additional Notes - - * This action specifically targets entities of type **USER**. - - * It performs two types of enrichment: Person enrichment (using the full email) - and Company enrichment (using the email domain). - - * The action handles HTTP 202 (Accepted) responses from Full Contact by polling - until the data is ready. - - - ### Flow Description - - 1. **Configuration Retrieval:** Fetches the Full Contact API Key from the integration - configuration. - - 2. **Entity Filtering:** Iterates through the target entities and identifies those - of type `USER`. - - 3. **Data Extraction:** For each User entity, extracts the full email address - and the domain part of the email. - - 4. **Company Enrichment:** Queries the Full Contact `company.enrich` endpoint - using the extracted domain to get details like company name, size, industry, and - location. - - 5. **Person Enrichment:** Queries the Full Contact `person.enrich` endpoint using - the email address to get details like gender, job title, and LinkedIn profile. - - 6. **Internal Mutation:** Maps the retrieved data points to the entity's `additional_properties` - (e.g., `FullContact_CompanyName`, `FullContact_Person_Linkedin`). - - 7. **Entity Update:** Updates the entities in Google SecOps with the new enriched - attributes. - - 8. **Result Reporting:** Returns a JSON result containing the raw enrichment data - for each successfully enriched entity. + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "Enriches User entities using the Full Contact API. This action\ + \ retrieves comprehensive person and company metadata based on the email address\ + \ of the User entity. It extracts professional details such as job titles and\ + \ LinkedIn profiles, as well as organizational data including company size, industry,\ + \ and location.\n\n### Flow Description:\n1. **Configuration Retrieval:** Fetches\ + \ the Full Contact API key from the integration settings.\n2. **Entity Filtering:**\ + \ Iterates through the target entities and identifies those of type `USER`.\n\ + 3. **Data Extraction:** For each User entity, it extracts the email address and\ + \ the associated domain.\n4. **External API Interaction:** \n * Calls the Full\ + \ Contact `company.enrich` endpoint using the domain to get organizational context.\n\ + \ * Calls the Full Contact `person.enrich` endpoint using the email to get\ + \ individual context.\n5. **Data Mapping:** Maps the retrieved attributes (e.g.,\ + \ Company Name, Industry, Employee Count, Person Title, Gender, LinkedIn URL)\ + \ to the entity's `additional_properties`.\n6. **Internal Update:** Updates the\ + \ entities within Google SecOps with the new enrichment data and provides a JSON\ + \ result for the action.\n\n### Parameters Description:\nThere are no input parameters\ + \ for this action." capabilities: can_create_case_comments: false can_create_insight: false @@ -63,13 +54,13 @@ Enrich Entities: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates the 'additional_properties' attribute of User entities with enriched - data retrieved from Full Contact. + Updates the 'additional_properties' of User entities with enrichment data retrieved + from Full Contact. categories: enrichment: true entity_usage: entity_types: - - USERUNIQNAME + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -83,6 +74,7 @@ Enrich Entities: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -93,28 +85,30 @@ Enrich Entities: disable_identity: false download_file: false enable_identity: false - enrich_asset: true + enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: ai_description: >- ### General Description - The **Ping** action is designed to verify the connectivity between Google SecOps - and the Full Contact API. Its primary purpose is to ensure that the integration's - configuration, specifically the API Key, is correct and that the service is reachable. + Tests connectivity with the Full Contact service. This action is used to verify + that the API key provided in the integration configuration is valid and that the + Google SecOps environment can reach the Full Contact API endpoints. ### Parameters Description @@ -124,28 +118,23 @@ Ping: ### Additional Notes - This action performs a test enrichment request using a hardcoded domain ('google.com') - against the Full Contact Company Enrichment API. It is used as a diagnostic tool - rather than a functional enrichment step for case entities. + This action uses a hardcoded domain ('google.com') to perform a test enrichment + request. It does not process any entities from the case. ### Flow Description - 1. **Retrieve Configuration:** The action fetches the 'API Key' from the Full - Contact integration settings. + 1. **Configuration Retrieval:** Fetches the 'API Key' from the 'Full Contact' + integration settings. - 2. **Initialize Manager:** It sets up the `FullContactManager` with the provided - credentials. + 2. **API Request:** Sends a POST request to the Full Contact company enrichment + endpoint using the hardcoded domain 'google.com'. - 3. **Execute Test Request:** The action sends a POST request to the `https://api.fullcontact.com/v3/company.enrich` - endpoint for the domain 'google.com'. + 3. **Authentication Check:** Evaluates the response status. If a 401 Unauthorized + status is returned, an exception is raised. - 4. **Error Handling:** It specifically monitors for a 401 Unauthorized status - code. If detected, it raises an exception to notify the user of an authentication - failure. - - 5. **Finalize:** If the request completes without authentication errors, the action - returns a success status. + 4. **Completion:** If the request is successful (or returns a non-401 status), + the action concludes with a success message. capabilities: can_create_case_comments: false can_create_insight: false @@ -159,7 +148,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -173,28 +162,3 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/community/full_contact/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/full_contact/resources/ai/integration_ai_description.yaml index b88dc4ab4..0b062e038 100644 --- a/content/response_integrations/third_party/community/full_contact/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/community/full_contact/resources/ai/integration_ai_description.yaml @@ -4,7 +4,7 @@ product_categories: collaboration: false edr: false email_security: false - iam_and_identity_management: false + iam_and_identity_management: true itsm: false network_security: false siem: false diff --git a/content/response_integrations/third_party/community/google_docs/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/google_docs/resources/ai/actions_ai_description.yaml index d86e3e09c..418a3bf8c 100644 --- a/content/response_integrations/third_party/community/google_docs/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/google_docs/resources/ai/actions_ai_description.yaml @@ -1,55 +1,81 @@ Create Content: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Create Content** action allows users to programmatically insert text into - an existing Google Document. It is designed to automate the documentation process - by placing specific strings of text at designated character offsets (indices) - within the document body. This is particularly useful for appending automated - report summaries, logs, or status updates to a centralized document. + Creates and inserts text content into a specific Google Document. This action + allows users to programmatically update a document by providing a list of text + strings and their corresponding insertion indices. It is useful for automated + reporting, logging, or document generation within a workflow. ### Parameters Description - | Parameter | Type | Mandatory | Description | + | Parameter Name | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Document Id** | String | True | The unique identifier of the Google Document, - found in the URL (e.g., `https://docs.google.com/document/d/{DocumentId}/`). | + | Document Id | string | True | The unique identifier of the Google Document, + which can be found in the document's URL (e.g., https://docs.google.com/document/d/{DocumentId}/). + | - | **Json** | Code | True | A JSON-formatted string containing an array of items. - Each item must include an `index` (integer) representing the character position - and `text` (string) representing the content to insert. | + | Json | code | True | A JSON-formatted string containing an array of items to + insert. Each item must include an `index` (the character offset where the text + should be inserted) and the `text` to be inserted. | - ### Flow Description + ### Additional Notes - 1. **Configuration Extraction:** The action retrieves the service account credentials - from the integration settings. + The `Json` parameter must follow a specific structure: `{"items": [{"index": 1, + "text": "example"}]}`. The indices refer to the character offsets in the document; + ensure that the indices provided are valid for the target document's current length + to avoid errors. - 2. **Parameter Parsing:** It extracts the target `Document Id` and the `Json` - payload containing the content updates. - 3. **Request Construction:** The action parses the input JSON and iterates through - the items to build a list of `insertText` requests compatible with the Google - Docs API. - - 4. **API Execution:** It utilizes the `GoogleDocsManager` to send a `batchUpdate` - request to the Google Docs service. + ### Flow Description - 5. **Result Handling:** The response from the Google Docs API (confirming the - updates) is attached as a JSON result in the SOAR platform, and the action completes - with a success message. + 1. **Configuration Extraction:** The action retrieves the Google Docs service + account credentials from the integration configuration. + 2. **Parameter Parsing:** It extracts the `Document Id` and the `Json` payload + containing the content to be inserted. - ### Additional Notes + 3. **Request Construction:** The action parses the JSON input and iterates through + the items to build a list of `insertText` requests compatible with the Google + Docs `batchUpdate` API. - - The `index` parameter in the JSON input is zero-based. Ensure the index exists - within the document's current character range to avoid API errors. + 4. **API Execution:** It initializes the `GoogleDocsManager` and executes the + batch update request against the specified document. - - This action requires the `https://www.googleapis.com/auth/drive.file` scope - to be authorized for the service account. + 5. **Result Handling:** The action captures the API response, adds it to the result + JSON, and concludes with a success message. capabilities: can_create_case_comments: false can_create_insight: false @@ -58,14 +84,14 @@ Create Content: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - This action modifies the content of an existing Google Document by inserting - text at specified indices using the Google Docs API batchUpdate method. - fetches_data: true + Modifies the content of an existing Google Document by inserting text at specified + indices. + fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -79,6 +105,7 @@ Create Content: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Create Document: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -92,25 +119,27 @@ Create Content: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Create Document: ai_description: >- ### General Description - Creates a new Google Document and manages its initial sharing permissions. This - action is useful for automated reporting, incident documentation, or collaborative - evidence gathering during an investigation. + Creates a new Google Document and manages sharing permissions for specified users. + This action is useful for automating the creation of incident reports, investigation + notes, or collaborative documents directly from a SOAR playbook. ### Parameters Description @@ -119,41 +148,41 @@ Create Document: | :--- | :--- | :--- | :--- | - | Title | string | Yes | The document title of the document you would like to - create. Default is 'New Document'. | - - | Role | ddl | Yes | The permission level to grant to the specified emails. Options: - 'owner' (full control), 'writer' (can comment/edit), 'reader' (view only). | + | Title | string | Yes | The title of the document to be created. Defaults to + 'New Document'. | - | Emails | string | Yes | Semicolon-separated list of email addresses (e.g., 'user1@company.com;user2@company.com') - to grant access to the document. | + | Role | ddl | Yes | The permission level granted to the specified emails. Options + are 'owner' (full control), 'writer' (can edit/comment), or 'reader' (view only). + | + | Emails | string | Yes | A semicolon-separated list of email addresses (e.g., + 'user1@example.com;user2@example.com') that will be granted the specified role + on the document. | - ### Additional Notes - - The action requires a valid Service Account JSON with 'https://www.googleapis.com/auth/drive.file' - scope configured in the integration settings. + ### Flow Description - - Notifications are not sent to the users when permissions are added. + 1. **Parameter Extraction:** The action retrieves the document title, the desired + user role, and the list of email addresses from the input parameters. + 2. **Document Creation:** It interacts with the Google Docs API to create a new, + empty document with the provided title. - ### Flow Description + 3. **Permission Assignment:** It iterates through the provided list of email addresses + and uses the Google Drive API to grant each user the specified access role (Owner, + Writer, or Reader). - 1. **Parameter Extraction**: Retrieves the document title, the desired access - role, and the list of email addresses from the action input. + 4. **Metadata Retrieval:** After creation and sharing, it fetches the complete + metadata for the new file from Google Drive. - 2. **Document Creation**: Uses the Google Docs API to create a new, empty document - with the specified title. + 5. **Result Reporting:** The action returns the document metadata as a JSON result + and provides the Document ID as the final script output. - 3. **Permission Assignment**: Parses the semicolon-separated email list and iterates - through each email, using the Google Drive API to create user-specific permissions - based on the selected role. - 4. **Metadata Retrieval**: Fetches the complete metadata of the newly created - file from Google Drive. + ### Additional Notes - 5. **Result Reporting**: Returns the document metadata (including the Document - ID) to the SOAR platform and sets the Document ID as the action's result value. + This action requires a valid Service Account JSON with appropriate Google Drive + and Google Docs scopes configured in the integration settings. capabilities: can_create_case_comments: false can_create_insight: false @@ -163,13 +192,13 @@ Create Document: can_update_entities: false external_data_mutation_explanation: >- Creates a new document in Google Docs and modifies file permissions in Google - Drive for the specified email addresses. + Drive to share the document with specified users. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -183,6 +212,7 @@ Create Document: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -196,62 +226,64 @@ Create Document: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: ai_description: >- ### General Description - - The **Ping** action is designed to verify the connectivity between Google SecOps - and the Google Docs and Google Drive APIs. It ensures that the provided service - account credentials are valid and that the integration has the necessary permissions - to communicate with the Google Cloud environment. + The **Ping** action is a diagnostic tool designed to verify the connectivity between + Google SecOps and the Google Docs/Drive API. It ensures that the provided service + account credentials are valid and that the environment has the necessary network + permissions to reach Google's services. ### Parameters Description - - | Parameter | Type | Mandatory | Description | + | Parameter Name | Expected Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | None | N/A | N/A | This action does not have any input parameters. It relies - on the 'Credentials Json' provided in the integration configuration. | + | Credentials Json | String | Yes | The JSON content of the Google Service Account + key used for authentication. This is typically extracted from the integration + configuration. | ### Flow Description + 1. **Configuration Extraction:** The action retrieves the `Credentials Json` from + the integration settings. - 1. **Credential Extraction**: The action retrieves the service account JSON from - the integration's global configuration. - - 2. **Service Initialization**: It initializes the Google Docs and Google Drive - API clients using the provided credentials and the required scopes. + 2. **Service Initialization:** It initializes the Google Drive and Google Docs + API clients using the provided service account info and the required OAuth scopes. - 3. **Connectivity Test**: It executes a lightweight 'list' request to the Google - Drive API to verify that the connection is active and authorized. + 3. **Connectivity Test:** The action executes a `list` request to the Google Drive + API (specifically looking for image/jpeg mime types as a lightweight check) to + confirm the API is responsive. - 4. **Result Reporting**: If the API call is successful, the action concludes with - a success message. If any step fails (e.g., invalid JSON or authentication error), - an exception is raised. + 4. **Result Reporting:** If the API call is successful, the action terminates + with a success status and a "Connected successfully" message. If any step fails + (e.g., invalid JSON, authentication error, network timeout), the action will report + a failure. ### Additional Notes + - This action does not process any entities. - This action is strictly for diagnostic purposes and does not perform any data - enrichment or modification in either Google SecOps or the Google Docs environment. + - It is strictly used for configuration validation and troubleshooting. capabilities: can_create_case_comments: false can_create_insight: false @@ -265,7 +297,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -279,6 +311,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Remove Content: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -292,28 +325,27 @@ Ping: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Remove Content: ai_description: >- ### General Description - The **Remove Content** action allows users to programmatically delete specific - sections of text or elements within a Google Document. By providing the document's - unique ID and a JSON-formatted list of character offsets (start and end indices), - the action executes a batch update to modify the document's body. This is particularly - useful for automated redaction, cleaning up template placeholders, or removing - sensitive information from shared documents. + Removes specific content ranges from a Google Document. This action is useful + for automated document redaction or cleaning up specific sections of a document + based on character offsets (indices). ### Parameters Description @@ -322,41 +354,42 @@ Remove Content: | :--- | :--- | :--- | :--- | - | **Document Id** | String | Yes | The unique identifier of the Google Document, - found in the URL (e.g., `https://docs.google.com/document/d/{DocumentId}/`). | + | Document Id | string | Yes | The unique identifier of the Google Document, found + in the document's URL (e.g., `https://docs.google.com/document/d/{DocumentId}/`). + | - | **Json** | Code | Yes | A JSON object containing an array of items. Each item - must specify a `start_index` and `end_index` representing the character range - to be removed. | + | Json | code | Yes | A JSON object containing an array of items to remove. Each + item must specify a `start_index` and an `end_index`. Example: `{"items": [{"start_index": + 1, "end_index": 10}]}`. | ### Flow Description - 1. **Configuration Extraction:** The action retrieves the Google service account - credentials from the integration settings. + 1. **Parameter Extraction**: The action retrieves the Google Docs credentials + from the integration configuration and the `Document Id` and `Json` payload from + the action parameters. - 2. **Parameter Parsing:** It extracts the `Document Id` and the `Json` payload - containing the deletion ranges. + 2. **JSON Parsing**: The `Json` string is parsed into a Python dictionary to extract + the list of content ranges (items) to be deleted. - 3. **Request Construction:** The action iterates through the provided JSON items - and builds a list of `deleteContentRange` requests compatible with the Google - Docs API. + 3. **Request Construction**: For each item in the list, the action constructs + a `deleteContentRange` request object containing the specified `startIndex` and + `endIndex`. - 4. **API Execution:** It initializes the `GoogleDocsManager` and sends a `batchUpdate` - request to the Google Docs service. + 4. **API Execution**: The action uses the `GoogleDocsManager` to send a `batchUpdate` + request to the Google Docs API with the compiled list of deletion requests. - 5. **Result Handling:** The response from the Google API (detailing the update - status) is attached to the action results, and the action completes with a success - message. + 5. **Result Handling**: The response from the Google Docs API is captured and + added to the action's JSON results, and the action completes with a success message. ### Additional Notes - - The `start_index` and `end_index` are zero-based offsets based on the UTF-16 - code units of the document's body content. + - The `start_index` and `end_index` are zero-based offsets from the beginning + of the document body. - - Ensure the service account has sufficient permissions (Editor access) to modify - the target document. + - Ensure that the indices provided are valid and do not overlap in a way that + causes API errors. capabilities: can_create_case_comments: false can_create_insight: false @@ -365,14 +398,14 @@ Remove Content: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - This action modifies the content of a Google Document by deleting text or elements - within specified character ranges using the Google Docs API batchUpdate method. - fetches_data: true + Deletes content from a Google Document by sending a batchUpdate request with + deleteContentRange instructions to the Google Docs API. + fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -386,6 +419,7 @@ Remove Content: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Replace Content: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -399,27 +433,29 @@ Remove Content: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Replace Content: ai_description: >- ### General Description - The **Replace Content** action allows users to programmatically search and replace - text within a specific Google Document. It is designed to handle multiple replacement - pairs in a single execution by processing a JSON-formatted input. This is particularly - useful for automating document templating, updating reports, or sanitizing sensitive - information across Google Docs. + The **Replace Content** action allows users to programmatically search for and + replace specific text strings within a Google Document. It is designed for automated + document updates, such as updating templates, reports, or logs stored in Google + Docs. The action uses the Google Docs API `batchUpdate` method to perform multiple + replacements in a single execution. ### Parameters Description @@ -428,43 +464,38 @@ Replace Content: | :--- | :--- | :--- | :--- | - | **Document Id** | string | True | The unique identifier of the Google Document. - This can be extracted from the document's URL (e.g., `https://docs.google.com/document/d/{DocumentId}/`). - | + | **Document Id** | string | True | The unique identifier of the Google Document, + found in the URL (e.g., `https://docs.google.com/document/d/{DocumentId}/`). | - | **Json** | code | True | A JSON object containing an array of replacement items. - Each item must include `text_to_search`, `text_to_replace`, and `match_case` (a - string "true" or "false"). | + | **Json** | code | True | A JSON-formatted string containing an array of replacement + items. Each item must include `text_to_search`, `text_to_replace`, and `match_case` + (boolean string). | ### Flow Description - 1. **Parameter Extraction:** The action retrieves the Google Docs credentials - from the integration configuration and the Document ID and JSON payload from the - action parameters. + 1. **Configuration Extraction:** The action retrieves the Google Docs service + account credentials from the integration settings. - 2. **JSON Parsing:** The provided JSON string is parsed to extract the list of - search and replace instructions. + 2. **Parameter Parsing:** It extracts the target `Document Id` and the `Json` + payload containing the search-and-replace logic. - 3. **Request Construction:** For each item in the input list, the action constructs - a `replaceAllText` request compatible with the Google Docs API, specifying the - search string, the replacement string, and whether to match the case. + 3. **Request Construction:** The action iterates through the provided JSON items + and constructs a list of `replaceAllText` requests compatible with the Google + Docs API. - 4. **API Execution:** The action uses the `GoogleDocsManager` to send a `batchUpdate` - request to the Google Docs API for the specified Document ID. + 4. **API Execution:** It initializes the `GoogleDocsManager` and sends a `batchUpdate` + request to the Google Docs service. - 5. **Result Handling:** The API response (detailing the results of the batch update) - is attached to the action's JSON results, and the action completes with a success - message. + 5. **Result Handling:** The action returns the API response as a JSON object and + concludes by outputting the Document ID as the primary result value. ### Additional Notes - - The `Json` parameter must follow a specific schema: `{"items": [{"text_to_search": - "...", "text_to_replace": "...", "match_case": "true/false"}]}`. - - - This action requires a service account with appropriate permissions (specifically - `https://www.googleapis.com/auth/drive.file`) to modify the target document. + The `Json` parameter must follow a specific structure: `{"items": [{"text_to_search": + "...", "text_to_replace": "...", "match_case": "true"}]}`. Failure to provide + valid JSON will result in an error. capabilities: can_create_case_comments: false can_create_insight: false @@ -473,14 +504,14 @@ Replace Content: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - The action modifies the content of an external Google Document by replacing - text strings using the Google Docs API batchUpdate method. + Modifies the content of a Google Document by replacing existing text with new + text via the Google Docs API. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -494,28 +525,3 @@ Replace Content: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/community/google_drive/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/google_drive/resources/ai/actions_ai_description.yaml index f8c7192fa..a33be2af4 100644 --- a/content/response_integrations/third_party/community/google_drive/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/google_drive/resources/ai/actions_ai_description.yaml @@ -1,12 +1,39 @@ Add Permission: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Adds permissions for a specific file stored in Google Drive to one or more users. + Adds permissions to a specific file stored in Google Drive for one or more users. This action allows administrators or automated workflows to programmatically manage - access control by granting roles such as 'Owner', 'Writer', or 'Reader' to specified - email addresses. It is particularly useful for sharing forensic evidence, reports, - or documentation during an incident response process. + access control by assigning roles such as Owner, Writer, or Reader to specified + email addresses. ### Parameters Description @@ -15,49 +42,50 @@ Add Permission: | :--- | :--- | :--- | :--- | - | File Id | String | Yes | The unique identifier of the file in Google Drive. - This can be found in the file's URL (e.g., the string after '/file/d/'). | + | File Id | String | Yes | The unique identifier of the file, typically found + in the file's URL (e.g., https://drive.google.com/drive/u/0/folders/{file-id}). + | | Role | DDL | Yes | The level of access to grant. Options include: **owner** (full control), **writer** (can edit and comment), and **reader** (view only). | | Emails | String | Yes | A semicolon-separated list of email addresses (e.g., - `user1@company.com;user2@company.com`) to which the permissions will be granted. - | + user1@gmail.com;user2@gmail.com) to which the permissions will be granted. | - | Should send notification | Boolean | No | If set to `true`, Google Drive will - send an automated email notification to the users informing them that access has - been granted. Defaults to `true`. | + | Should send notification | Boolean | No | If set to true, Google Drive will + send an automated email notification to the users informing them of their new + access. | ### Additional Notes - - This action does not operate on SecOps entities (IPs, Hosts, etc.); it relies - entirely on the provided `File Id` and `Emails` parameters. + - Multiple email addresses must be separated by a semicolon (`;`). - - Granting the 'Owner' role may have significant security implications and should - be used cautiously. + - The action performs a direct mutation on the Google Drive file's permission + metadata. ### Flow Description - 1. **Initialization**: The action extracts the Google Drive credentials from the - integration configuration and the specific file and user details from the action - parameters. + 1. **Configuration Retrieval:** Extracts the Google Drive service account credentials + from the integration settings. + + 2. **Parameter Extraction:** Retrieves the target File ID, the assigned Role, + the list of Emails, and the notification preference from the action inputs. - 2. **Email Parsing**: The provided `Emails` string is split by semicolons into - individual email addresses. + 3. **Email Parsing:** Splits the provided email string into a list of individual + recipients. - 3. **Permission Insertion**: For each email address, the action calls the Google - Drive API's `permissions.create` method, applying the selected `Role` and `File - Id`. + 4. **Permission Insertion:** Iterates through each email address and calls the + Google Drive API's `permissions.create` method to apply the specified role to + the file. - 4. **Notification**: If enabled, the Google Drive service dispatches notification - emails to the recipients during the permission creation process. + 5. **Notification:** If enabled, the Google Drive API handles sending the notification + emails to the recipients. - 5. **Completion**: The action concludes by providing a summary message of the - granted permissions and returns the `File Id` as the script result. + 6. **Completion:** Returns a success message indicating the role granted and the + file affected. capabilities: can_create_case_comments: false can_create_insight: false @@ -66,14 +94,14 @@ Add Permission: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates new permission records in Google Drive, granting specific users access - to a file. + Adds new permission records to a file in Google Drive, effectively changing + the access control list (ACL) for that resource. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -87,6 +115,7 @@ Add Permission: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Delete File: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -100,63 +129,67 @@ Add Permission: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Delete File: ai_description: >- ### General Description - The **Delete File** action permanently deletes a specific file from Google Drive - using its unique File ID. This action is destructive and bypasses the trash/recycle - bin, making it useful for automated remediation where malicious or sensitive files - must be immediately removed from the environment. + The **Delete File** action permanently deletes a specific file stored in Google + Drive using its unique File ID. Unlike moving a file to the trash, this operation + is destructive and removes the file immediately from the drive. ### Parameters Description - | Parameter | Type | Mandatory | Description | + | Parameter | Description | Type | Mandatory | Notes | - | :--- | :--- | :--- | :--- | + | :--- | :--- | :--- | :--- | :--- | - | **File Id** | String | Yes | The unique identifier of the file to be deleted. - This ID can typically be found in the file's sharing URL (e.g., the string following - `/file/d/` or within the folder URL). | + | **File Id** | The unique identifier of the file to be deleted. This can be found + in the file's sharing URL (e.g., the string following `/folders/` or `/d/`). | + String | Yes | This ID must be valid and the service account must have sufficient + permissions to delete the file. | - ### Flow Description + ### Additional Notes - 1. **Configuration Extraction**: The action retrieves the Google Drive service - account credentials from the integration configuration. + * **Destructive Action:** This action skips the Google Drive 'Trash' and permanently + deletes the resource. It cannot be undone via this action. - 2. **Parameter Retrieval**: The action extracts the `File Id` provided by the - user or playbook. + * **Permissions:** The integration's service account must have the appropriate + OAuth scopes (e.g., `https://www.googleapis.com/auth/drive`) and file-level permissions + to perform deletions. - 3. **Manager Initialization**: A connection to the Google Drive API (v3) is established - using the provided credentials. - 4. **Execution**: The action calls the Google Drive API's `delete` method for - the specified `File Id`. + ### Flow Description - 5. **Completion**: Upon successful deletion, the action returns a success message - and the deleted File ID as the script result. + 1. **Configuration Extraction:** The action retrieves the Google Drive service + account credentials from the integration settings. + 2. **Parameter Retrieval:** The action extracts the mandatory `File Id` provided + by the user. - ### Additional Notes + 3. **Manager Initialization:** A connection to the Google Drive API (v3) is established + using the provided credentials. - * **Warning**: This action performs a permanent deletion. The file will not be - moved to the 'Trash' and cannot be easily recovered through standard user interfaces. + 4. **Execution:** The action calls the Google Drive API's delete method for the + specified `File Id`. - * This action does not run on entities; it requires a specific File ID as input. + 5. **Completion:** Upon successful deletion, the action returns a success message + and the deleted File ID as the script result. capabilities: can_create_case_comments: false can_create_insight: false @@ -165,14 +198,14 @@ Delete File: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Permanently deletes a file from the target Google Drive account, bypassing the + Permanently deletes a file from the user's Google Drive storage, bypassing the trash folder. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -186,6 +219,7 @@ Delete File: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Download File To Base64: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -194,60 +228,52 @@ Delete File: create_ticket: false delete_email: false disable_identity: false - download_file: false + download_file: true enable_identity: false enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Download File To Base64: - ai_description: >- - ### General Description - - Downloads a file from Google Drive and converts its content into a Base64 string. - This action is designed to retrieve documents, spreadsheets, or binary files using - their unique File ID and provide the content in a format suitable for further - automated processing within the SOAR platform. - - - ### Parameters - - | Parameter | Description | Type | Mandatory | - - | :--- | :--- | :--- | :--- | - - | File Id | The unique identifier of the file in Google Drive, typically found - in the file's URL. | String | Yes | - - - ### Flow Description - - 1. The action initializes the Google Drive manager using provided service account - credentials. - - 2. It retrieves the metadata for the specified File ID to determine the file name - and MIME type. - - 3. If the file is a Google Workspace document (e.g., Doc, Sheet, Slide), it is - exported to a standard Office format (e.g., .docx, .xlsx, .pptx). - - 4. The file content is downloaded as a binary stream from the Google Drive API. - - 5. The binary stream is encoded into a Base64 string. - - 6. The resulting Base64 string and file metadata are returned as a JSON object - for use in subsequent playbook steps. + ai_description: "### General Description\nDownloads a file from Google Drive and\ + \ converts its content into a Base64 encoded string. This action is designed to\ + \ retrieve documents, spreadsheets, presentations, or binary files from a Google\ + \ Drive account using a specific File ID. It handles the conversion of Google\ + \ Workspace-specific formats (like Google Docs, Sheets, and Slides) into standard\ + \ Office formats (DOCX, XLSX, PPTX) during the download process, providing the\ + \ final content as a Base64 string for use in downstream automation steps.\n\n\ + ### Parameters Description\n| Parameter Name | Type | Mandatory | Description\ + \ |\n| :--- | :--- | :--- | :--- |\n| File Id | string | Yes | The unique identifier\ + \ of the file in Google Drive. This ID can be found in the file's sharing URL\ + \ (e.g., `https://drive.google.com/file/d/{file-id}/view`). |\n\n### Flow Description\n\ + 1. **Configuration Extraction:** The action retrieves the Google Drive service\ + \ account credentials from the integration configuration.\n2. **Parameter Retrieval:**\ + \ The action extracts the mandatory `File Id` provided by the user.\n3. **Metadata\ + \ Retrieval:** It queries the Google Drive API to fetch the file's metadata, including\ + \ its name and MIME type.\n4. **Content Download:** \n * If the file is a Google\ + \ Workspace document (Doc, Sheet, or Slide), the action uses the `export` method\ + \ to convert it to a standard OpenXML format (DOCX, XLSX, or PPTX).\n * If\ + \ the file is a standard binary file, it uses the `get_media` method to download\ + \ the raw content.\n5. **Base64 Encoding:** The retrieved binary stream is encoded\ + \ into a Base64 string.\n6. **Result Output:** The action returns a JSON object\ + \ containing the file name, the determined file type, the file size (for binary\ + \ files), and the Base64 encoded content.\n\n### Additional Notes\nThis action\ + \ is strictly a retrieval tool and does not modify the file or its permissions\ + \ in Google Drive. Because it downloads file content, it is not classified as\ + \ an enrichment action." capabilities: can_create_case_comments: false can_create_insight: false @@ -261,7 +287,7 @@ Download File To Base64: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -275,6 +301,7 @@ Download File To Base64: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Download File To Path: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -288,78 +315,46 @@ Download File To Base64: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Download File To Path: - ai_description: >- - Downloads a file from Google Drive to a specified local directory on the execution - environment. This action is useful for retrieving evidence or documents for further - processing within a playbook. - - - ### General Description - - This action interacts with the Google Drive API to retrieve a file's content and - metadata. It supports both standard binary files and Google Workspace documents - (Docs, Sheets, Slides), which are automatically converted to Microsoft Office - formats (docx, xlsx, pptx) during the download process. The file is saved to a - local path on the system running the action. - - - ### Parameters Description - - | Parameter Name | Type | Mandatory | Default Value | Description | - - | :--- | :--- | :--- | :--- | :--- | - - | File Id | String | Yes | N/A | The unique identifier of the file in Google Drive. - This can be found in the file's sharing URL. | - - | Folder Path | String | No | /temp | The local directory path on the runner where - the file will be saved. | - - - ### Additional Notes - - - If the file is a Google Doc, it will be exported as a `.docx` file. - - - If the file is a Google Sheet, it will be exported as an `.xlsx` file. - - - If the file is a Google Slide, it will be exported as a `.pptx` file. - - - Ensure the execution environment has the necessary write permissions for the - specified `Folder Path`. - - - ### Flow Description - - 1. **Initialization**: Extracts the Google Drive credentials from the integration - configuration and the `File Id` and `Folder Path` from the action parameters. - - 2. **Metadata Retrieval**: Connects to Google Drive to fetch the file's metadata, - including its name and MIME type. - - 3. **Format Handling**: Determines if the file is a native Google Workspace document - and selects the appropriate export format if necessary. - - 4. **Content Download**: Downloads the file content as a binary stream using the - Google Drive API. - - 5. **Local Storage**: Writes the binary stream to the specified local path on - the filesystem. - - 6. **Completion**: Returns a JSON result containing the file name, type, and the - final saved path. + ai_description: "### General Description\nDownloads a file from Google Drive to\ + \ a specified local directory on the Google SecOps execution environment. This\ + \ action is useful for retrieving evidence, logs, or documents stored in Google\ + \ Drive for further processing or forensic analysis within a playbook.\n\n###\ + \ Parameters Description\n| Parameter | Type | Mandatory | Default | Description\ + \ |\n| :--- | :--- | :--- | :--- | :--- |\n| File Id | string | Yes | N/A | The\ + \ unique identifier of the file in Google Drive. This can be found in the file's\ + \ sharing URL (e.g., `https://drive.google.com/file/d/{file-id}/view`). |\n| Folder\ + \ Path | string | No | /temp | The local directory path on the SOAR runner where\ + \ the file should be saved. |\n\n### Additional Notes\n- If the target file is\ + \ a Google Workspace document (Google Docs, Sheets, or Slides), the action automatically\ + \ converts it to a standard Microsoft Office format (.docx, .xlsx, or .pptx) during\ + \ the download process.\n- The action requires valid service account credentials\ + \ with appropriate Google Drive API scopes.\n\n### Flow Description\n1. **Initialize\ + \ Connection:** Authenticates with the Google Drive API using the provided service\ + \ account credentials.\n2. **Retrieve Metadata:** Fetches the metadata for the\ + \ specified `File Id` to determine the file name and MIME type.\n3. **Determine\ + \ Download Method:** \n - If the file is a Google-native format, it prepares\ + \ an export request to convert it to an Office format.\n - If the file is a\ + \ binary file, it prepares a direct media download request.\n4. **Download Content:**\ + \ Executes the download/export request and streams the binary data.\n5. **Save\ + \ to Path:** Writes the downloaded content to the local filesystem at the location\ + \ specified by the `Folder Path` and the original file name.\n6. **Report Result:**\ + \ Returns a JSON object containing the file name, MIME type, and the final local\ + \ path where the file was saved." capabilities: can_create_case_comments: false can_create_insight: false @@ -373,7 +368,7 @@ Download File To Path: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -387,6 +382,7 @@ Download File To Path: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get File Metadata: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -395,59 +391,67 @@ Download File To Path: create_ticket: false delete_email: false disable_identity: false - download_file: true + download_file: false enable_identity: false enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get File Metadata: ai_description: >- - Retrieves comprehensive metadata for a specific file stored in Google Drive. This - action uses the Google Drive API to fetch all available properties of a file, - such as its name, MIME type, size, creation time, and permissions, based on a - provided File ID. + ### General Description + Retrieves comprehensive metadata for a specific file stored in Google Drive using + its unique File ID. This action is designed to provide visibility into file properties + such as ownership, creation and modification timestamps, MIME types, and sharing + permissions without downloading the actual file content. - ### Parameters - | Parameter | Description | Type | Mandatory | + ### Parameters Description + + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | File Id | The unique identifier of the file, which can be found in the file's - URL (e.g., https://drive.google.com/drive/u/0/folders/{file-id}). | String | Yes - | + | File Id | String | Yes | The unique identifier of the file. This ID can be found + in the Google Drive URL (e.g., the string following `/file/d/` or within a folder + URL). | ### Flow Description - 1. **Configuration Extraction:** The action retrieves the necessary service account - credentials from the integration configuration. + 1. **Configuration Extraction:** The action retrieves the service account credentials + (JSON) from the integration configuration. + + 2. **Parameter Retrieval:** The `File Id` is extracted from the action's input + parameters. - 2. **Parameter Retrieval:** The action extracts the `File Id` provided by the - user. + 3. **API Interaction:** The action initializes the Google Drive Manager and calls + the Google Drive API (v3) to fetch the full resource metadata (using `fields="*"`) + for the specified file ID. - 3. **API Interaction:** The `GoogleDriveManager` initializes a connection to the - Google Drive API and executes a `get` request for the specified file ID, requesting - all available metadata fields (`fields="*"`). + 4. **Result Processing:** The retrieved metadata is added to the action's JSON + results, and the action completes successfully, returning the file ID as the primary + result value. - 4. **Result Processing:** The retrieved metadata is attached to the action's execution - results as a JSON object. - 5. **Completion:** The action concludes by returning a success message and the - file's ID as the primary output value. + ### Additional Notes + + This action is strictly a metadata retrieval operation and does not perform any + file downloads or modifications to the file or its permissions. capabilities: can_create_case_comments: false can_create_insight: false @@ -459,9 +463,9 @@ Get File Metadata: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -475,6 +479,7 @@ Get File Metadata: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Permission List: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -488,25 +493,29 @@ Get File Metadata: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Permission List: ai_description: >- ### General Description - Retrieves a comprehensive list of users and their associated permissions for a - specific file stored in Google Drive. This action is useful for auditing access, - identifying over-privileged files, or verifying sharing settings during an investigation. + The **Permission List** action retrieves a comprehensive list of users and their + associated permissions for a specific file stored in Google Drive. This action + is primarily used for security auditing and access reviews to identify who has + access to sensitive documents and what level of access (e.g., owner, writer, reader) + they possess. ### Parameters Description @@ -515,40 +524,36 @@ Permission List: | :--- | :--- | :--- | :--- | - | File Id | String | Yes | The unique identifier for the file. This ID can be - found in the file's URL (e.g., in `https://drive.google.com/drive/u/0/folders/{file-id}`). + | **File Id** | String | Yes | The unique identifier of the Google Drive file. + This ID is typically found in the file's sharing URL (e.g., `https://drive.google.com/file/d/{file-id}/view`). | - ### Additional Notes - - - This action requires a valid Service Account JSON with the necessary Google - Drive API scopes (`drive.metadata`, `drive.file`, or `drive`). + ### Flow Description - - The action returns the raw JSON list of permissions provided by the Google Drive - API, which includes details like the user's email, role (e.g., owner, writer, - reader), and permission ID. + 1. **Credential Retrieval**: The action extracts the Google service account credentials + from the integration configuration. + 2. **Parameter Extraction**: It retrieves the mandatory `File Id` provided as + an input parameter. - ### Flow Description + 3. **API Request**: The action utilizes the Google Drive API v3 to list all permissions + associated with the specified file ID, requesting all available fields for each + permission entry. - 1. **Configuration Extraction**: Retrieves the Google Drive credentials from the - integration settings. + 4. **Data Processing**: It calculates the total number of permission entries retrieved. - 2. **Parameter Extraction**: Retrieves the mandatory `File Id` from the action - input. + 5. **Output Generation**: The action attaches the full list of permissions as + a JSON result and provides a summary message indicating the total count of permissions + found. - 3. **Manager Initialization**: Initializes the `GoogleDriveManager` using the - provided credentials. - 4. **API Interaction**: Calls the Google Drive API's `permissions().list()` method - for the specified `File Id` to fetch all permission entries. + ### Additional Notes - 5. **Result Processing**: Counts the number of permissions retrieved and attaches - the full JSON response to the action results. + - This action is a read-only operation and does not modify, add, or remove any + permissions in Google Drive. - 6. **Completion**: Ends the action with a summary message indicating how many - permissions were found. + - This action does not process or require any SecOps entities to execute. capabilities: can_create_case_comments: false can_create_insight: false @@ -560,9 +565,9 @@ Permission List: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -576,6 +581,7 @@ Permission List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -589,56 +595,68 @@ Permission List: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: ai_description: >- ### General Description - The **Ping** action is a diagnostic utility designed to verify the connectivity - between Google SecOps and the Google Drive service. Its primary purpose is to - ensure that the integration is correctly configured and that the provided service - account credentials have the necessary permissions to interact with the Google - Drive API. + The **Ping** action is a diagnostic tool designed to verify the connectivity between + Google SecOps and the Google Drive API. It ensures that the provided service account + credentials are valid and that the environment has the necessary network permissions + to reach Google's services. ### Parameters Description - There are no action-specific parameters for this action. It utilizes the **Credentials - Json** provided in the integration's shared configuration settings. - - ### Additional Notes + | Parameter | Type | Mandatory | Description | - - This action does not process or interact with any entities. + | :--- | :--- | :--- | :--- | - - It is typically used during the initial setup of the Google Drive integration - or for troubleshooting connectivity issues. + | Credentials Json | String | Yes | (Configuration Parameter) The raw JSON content + of the Google Service Account key. This is used to authenticate the session with + Google Drive. | ### Flow Description - 1. **Configuration Extraction:** The action retrieves the service account credentials - from the integration's configuration. + 1. **Configuration Extraction**: The action retrieves the `Credentials Json` from + the integration's configuration settings. + + 2. **Manager Initialization**: It initializes the `GoogleDriveManager`, which + parses the JSON credentials and builds a Google Drive API client (v3) with the + required OAuth2 scopes. + + 3. **Connectivity Test**: The action calls the `test_connectivity` method, which + executes a `files().list()` request to the Google Drive API. This request specifically + looks for JPEG images to verify that the 'Read' and 'Metadata' permissions are + functional. - 2. **Manager Initialization:** It initializes the Google Drive API client using - the provided credentials and required scopes. + 4. **Completion**: If the API call returns successfully, the action ends with + a "Connected successfully" status. If an error occurs (e.g., invalid credentials + or network timeout), the action fails. + + + ### Additional Notes - 3. **Connectivity Test:** The action executes a `list` request on the files resource - to confirm the API is reachable and the credentials are valid. + - This action does not interact with any entities (IPs, Hostnames, etc.) in the + SOAR case. - 4. **Result Reporting:** If the request completes successfully, the action ends - with a success message. + - It is strictly a system-level check and does not perform any data enrichment + or mutation. capabilities: can_create_case_comments: false can_create_insight: false @@ -647,12 +665,12 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -666,6 +684,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Remove Permission: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -679,68 +698,69 @@ Ping: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Remove Permission: ai_description: >- ### General Description - The **Remove Permission** action is designed to revoke a specific user or group's - access to a file stored in Google Drive. By providing the unique File ID and the - specific Permission ID, security analysts can programmatically restrict access - to sensitive documents during an incident response or audit process. + Removes a specific permission from a file stored in Google Drive. This action + is used to revoke access (e.g., read, write, or owner) for a specific user or + group from a document or folder. It is typically used in response to unauthorized + access or as part of a cleanup process during an incident. ### Parameters Description - | Parameter | Type | Mandatory | Description | + | Parameter Name | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **File Id** | string | Yes | The unique identifier of the Google Drive file. + | File Id | String | Yes | The unique identifier of the file in Google Drive. This can be found in the file's URL (e.g., `https://drive.google.com/drive/u/0/folders/{file-id}`). | - | **Permission Id** | string | Yes | The unique identifier for the specific permission - entry to be removed. This ID can be retrieved using the 'List Permissions' action. - | + | Permission Id | String | Yes | The unique identifier of the permission to be + removed. This ID can be retrieved using the 'List Permissions' action for the + specific file. | ### Additional Notes - - This action performs a permanent deletion of the permission entry from the file's - Access Control List (ACL). - - - To identify which `Permission Id` corresponds to which user, it is recommended - to run the **List Permissions** action first. + This action performs a permanent deletion of the permission record in Google Drive. + To identify which permission to remove, it is recommended to run the 'List Permissions' + action first to find the correct `Permission Id` associated with a specific user + or role. ### Flow Description - 1. **Configuration Extraction:** The action retrieves the Google Drive service - account credentials from the integration settings. + 1. **Extract Configuration**: Retrieves the Google Drive service account credentials + from the integration settings. - 2. **Parameter Retrieval:** It extracts the `File Id` and `Permission Id` provided + 2. **Extract Parameters**: Retrieves the `File Id` and `Permission Id` provided by the user. - 3. **Manager Initialization:** The `GoogleDriveManager` is initialized using the - provided credentials to establish a connection with the Google Drive API (v3). + 3. **Initialize Manager**: Authenticates with the Google Drive API using the provided + credentials. - 4. **Permission Deletion:** The action calls the Google Drive API's `permissions().delete` - method to remove the specified permission from the target file. + 4. **Remove Permission**: Calls the Google Drive API's `permissions().delete` + method to remove the specified permission from the file. - 5. **Execution Completion:** Upon success, the action returns a confirmation message - to the Google SecOps workbench. + 5. **Finalize**: Returns a success message indicating the permission was successfully + removed. capabilities: can_create_case_comments: false can_create_insight: false @@ -749,14 +769,14 @@ Remove Permission: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - This action deletes a permission entry from a file's Access Control List (ACL) - in Google Drive, effectively changing who can access the resource. + Deletes a permission record from a file or folder in Google Drive via the Google + Drive API. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -770,6 +790,7 @@ Remove Permission: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Upload File From Base64: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -783,26 +804,30 @@ Remove Permission: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Upload File From Base64: ai_description: >- ### General Description - Uploads a file to Google Drive using a Base64 encoded string. This action allows - users to programmatically save file content to a Google Drive account and optionally - share the uploaded file with specific email addresses by granting them 'writer' - permissions. + The **Upload File From Base64** action enables the uploading of files to Google + Drive by providing the file content as a Base64 encoded string. This action is + useful for programmatically storing reports, logs, or captured artifacts directly + into a cloud storage environment. It also includes functionality to automatically + share the uploaded file with a list of specified email addresses, granting them + 'writer' access. ### Parameters Description @@ -811,41 +836,43 @@ Upload File From Base64: | :--- | :--- | :--- | :--- | - | File Name | String | Yes | The name of the file to be created in Google Drive - (e.g., 'report.txt'). | + | **File Name** | String | Yes | The desired name for the file in Google Drive, + including the extension (e.g., 'evidence.txt'). | - | Base64 String | String | Yes | The Base64 encoded content of the file to be - uploaded. | - - | Share with emails | String | Yes | A semicolon-separated list of email addresses - (e.g., 'user1@gmail.com;user2@gmail.com') to grant 'writer' access to the file. + | **Base64 String** | String | Yes | The file content encoded in Base64 format. | + | **Share with emails** | String | Yes | A semicolon-separated list of email addresses + to grant 'writer' permissions to the uploaded file. | - ### Additional Notes - The action uses the Google Drive API v3. The MIME type of the file is automatically - determined based on the file extension provided in the 'File Name' parameter. - If no extension is provided, it defaults to 'application/octet-stream'. + ### Flow Description + 1. **Setup**: The action extracts the Google Drive service account credentials + and the user-provided parameters. - ### Flow Description + 2. **Decoding**: The provided Base64 string is decoded into a binary stream. - 1. **Configuration Retrieval**: The action retrieves the Google Drive service - account credentials from the integration configuration. + 3. **MIME Detection**: The action determines the appropriate MIME type based on + the file extension provided in the 'File Name' parameter. - 2. **Parameter Extraction**: It extracts the file name, Base64 content, and the - list of emails to share with from the action parameters. + 4. **Upload**: The file is uploaded to the root of the Google Drive associated + with the service account. - 3. **File Upload**: The Base64 string is decoded into a binary stream and uploaded - to Google Drive using the `files.create` method. + 5. **Permission Management**: If email addresses are provided, the action iterates + through the list and assigns 'writer' permissions to each user for the specific + file ID created. - 4. **Permission Assignment**: If email addresses are provided, the action iterates - through the list and grants 'writer' permissions to each email for the newly created - file using the `permissions.create` method. + 6. **Output**: The action returns the full JSON metadata of the created file, + including its unique Google Drive ID. + + + ### Additional Notes - 5. **Result Reporting**: The action returns the metadata of the created file, - including its unique Google Drive ID, and marks the execution as completed. + - Ensure the service account has the necessary Google Drive API scopes enabled. + + - The 'Share with emails' parameter expects a semicolon (;) as a separator for + multiple recipients. capabilities: can_create_case_comments: false can_create_insight: false @@ -854,14 +881,14 @@ Upload File From Base64: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new file in Google Drive and assigns 'writer' permissions to specified - email addresses. - fetches_data: false + Creates a new file in the user's Google Drive and modifies the file's access + control list (ACL) by adding new permissions for specified email addresses. + fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -875,6 +902,7 @@ Upload File From Base64: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Upload File From Path: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -888,52 +916,76 @@ Upload File From Base64: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Upload File From Path: ai_description: >- - Uploads a file from a specified local path to Google Drive. This action is designed - to move files, such as forensic artifacts or reports, from the local SOAR environment - to cloud storage. It also supports automated sharing by granting 'writer' permissions - to a list of specified email addresses. + ### General Description + Uploads a file from a specified local path to Google Drive and optionally shares + it with specific users. This action is designed to move local files (such as forensic + artifacts, logs, or reports) into a centralized cloud storage environment. It + also automates the permission-granting process, allowing specified collaborators + to access the file immediately after upload. - ### Parameters + + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | File Path | String | Yes | The local path of the file to be uploaded to Google - Drive (e.g., `/tmp/report.pdf`). | + | File Path | string | True | The absolute file path on the local system from + which the file will be uploaded to Google Drive. | + + | Share with emails | string | True | A semicolon-separated list of email addresses + (e.g., `analyst@company.com;manager@company.com`) that will be granted 'writer' + permissions to the uploaded file. | + + + ### Additional Notes + + - The action requires valid Google Drive Service Account credentials configured + in the integration settings. + + - Although the code handles the 'Share with emails' parameter as optional, the + integration metadata marks it as mandatory; therefore, at least one email or a + placeholder should be provided based on the UI configuration. + - | Share with emails | String | Yes | A semicolon-separated list of email addresses - to grant 'writer' access to the uploaded file. | + ### Flow Description + 1. **Configuration Extraction**: Retrieves the Google Drive service account credentials + from the integration's configuration. - ### Flow + 2. **Parameter Retrieval**: Extracts the local file path and the list of emails + to share the file with from the action's input parameters. - 1. **Setup**: Initializes the Google Drive manager using the provided service - account credentials. + 3. **File Upload**: Uses the Google Drive API to upload the file from the specified + local path. The file name in Google Drive will match the original file name from + the path. - 2. **Upload**: Reads the file from the local `File Path` and uploads it to Google - Drive using the file's original name. + 4. **Permission Management**: If email addresses are provided, the action splits + the string by semicolons and iterates through each email. - 3. **Permissions**: Parses the `Share with emails` string and, for each email - address, creates a 'writer' permission for the uploaded file. + 5. **Grant Access**: For each email, it calls the Google Drive API to insert a + 'writer' permission for the newly uploaded file. - 4. **Output**: Returns the full metadata of the created file, including the unique - File ID, and sets the File ID as the action's result value. + 6. **Result Reporting**: Returns the Google Drive File ID as the main output and + provides the full JSON response from the upload operation for further use in the + playbook. capabilities: can_create_case_comments: false can_create_insight: false @@ -942,14 +994,14 @@ Upload File From Path: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new file object in the target Google Drive account and modifies the - file's Access Control List (ACL) by adding new permissions for specified users. + Uploads a new file to the user's Google Drive and modifies the file's permissions + to grant access to specified email addresses. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -963,28 +1015,3 @@ Upload File From Path: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/community/google_safe_browsing/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/google_safe_browsing/resources/ai/actions_ai_description.yaml index c5bf868db..53750d928 100644 --- a/content/response_integrations/third_party/community/google_safe_browsing/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/google_safe_browsing/resources/ai/actions_ai_description.yaml @@ -1,47 +1,72 @@ Lookup: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Lookup** action allows users to check a specific URL against the Google - Safe Browsing database to determine if it is considered safe or malicious. This - is a utility action that performs a real-time reputation check based on a provided - input parameter. + The **Lookup** action checks a specific URL against the Google Safe Browsing database + to determine if it is flagged as malicious (e.g., malware, phishing, or unwanted + software). This action is useful for verifying the safety of URLs found in alerts + or logs by retrieving real-time threat intelligence from Google's services. ### Parameters Description - | Parameter | Type | Mandatory | Description | + | Parameter | Type | Mandatory | Default Value | Description | - | :--- | :--- | :--- | :--- | + | :--- | :--- | :--- | :--- | :--- | - | Url | String | Yes | The specific URL to be checked in Google Safe Browsing. - Defaults to a malware testing URL if not provided. | + | **Url** | String | Yes | `http://malware.testing.google.test/testing/malware/` + | The specific URL to be checked in Google Safe Browsing. | ### Flow Description - 1. **Configuration Retrieval**: The action retrieves the API Key from the integration's - configuration settings. - - 2. **Parameter Extraction**: The action extracts the target URL from the action - parameters. + 1. **Configuration Extraction**: Retrieves the API Key from the integration settings + and the target URL from the action parameters. - 3. **API Interaction**: It initializes the `SafeBrowsing` manager and performs - a lookup for the specified URL. + 2. **API Request**: Uses the `pysafebrowsing` library to perform a lookup for + the provided URL against Google's database. - 4. **Result Processing**: The raw API response is captured and added to the action's - JSON results. + 3. **Result Processing**: Parses the response to identify if the URL is marked + as malicious. - 5. **Completion**: The action evaluates the 'malicious' flag in the response and - terminates with a message indicating whether the URL was found to be malicious - or safe. + 4. **Output Generation**: Adds the full API response to the action's JSON results + and terminates with a status message and boolean result indicating whether the + URL was found to be malicious. ### Additional Notes - This action does not iterate over entities within a Google SecOps case. It operates - strictly on the URL provided in the 'Url' parameter. If you wish to check entities, - you must map the entity identifier to this parameter in a playbook. + This action does not automatically process entities from the SecOps case; it requires + the URL to be provided explicitly as a parameter. It does not modify any internal + entity data or create insights. capabilities: can_create_case_comments: false can_create_insight: false @@ -55,7 +80,7 @@ Lookup: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -69,6 +94,7 @@ Lookup: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -82,54 +108,60 @@ Lookup: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: ai_description: >- ### General Description - The **Ping** action is designed to verify the connectivity between Google SecOps - and the Google Safe Browsing API. It serves as a diagnostic tool to ensure that - the integration's API key is valid and that the environment can successfully communicate - with Google's services. + The **Ping** action is a diagnostic utility designed to verify the connectivity + between Google SecOps and the Google Safe Browsing API. It ensures that the integration's + configuration, specifically the API Key, is valid and that the network path to + the service is open. ### Parameters Description - There are no action-specific parameters for this action. It utilizes the global - integration configuration for authentication. + | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Flow Description + | N/A | N/A | N/A | This action does not have any input parameters. | - 1. **Configuration Retrieval**: The action extracts the 'Api Key' from the integration's - global settings. - 2. **Service Initialization**: It initializes the Google Safe Browsing client - library with the provided credentials. + ### Additional Notes - 3. **Connectivity Check**: The action executes a lookup request for a standard - Google test URL (`http://malware.testing.google.test/testing/malware/`) to validate - the API connection. + * This action is used for health checks and troubleshooting. - 4. **Result Reporting**: If the API call returns without error, the action reports - a successful connection. + * It utilizes a hardcoded test URL to perform a lookup, ensuring the API responds + as expected. - ### Additional Notes + ### Flow Description + + 1. **Configuration Retrieval**: The action extracts the 'Api Key' from the integration's + shared configuration parameters. - This action does not process any entities or modify any data; it is strictly for - configuration validation. + 2. **Client Initialization**: It initializes the Google Safe Browsing client using + the provided API Key. + + 3. **Connectivity Test**: The action performs a URL lookup for a known test URL + (`http://malware.testing.google.test/testing/malware/`). + + 4. **Execution Completion**: If the request is successful, the action returns + a success status and a confirmation message. capabilities: can_create_case_comments: false can_create_insight: false @@ -138,12 +170,12 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -157,28 +189,3 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/community/google_sheets/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/google_sheets/resources/ai/actions_ai_description.yaml index 0cde8be52..a6b4e2212 100644 --- a/content/response_integrations/third_party/community/google_sheets/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/google_sheets/resources/ai/actions_ai_description.yaml @@ -1,53 +1,72 @@ Add Permission: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - The **Add Permission** action allows analysts to programmatically grant access - to a specific Google Spreadsheet. It supports adding multiple users at once and - assigning specific roles such as Owner, Writer, or Reader. This is useful for - sharing reports, logs, or investigation trackers stored in Google Sheets with - relevant stakeholders. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | + This action adds permissions to a specific Google Sheet for one or more users. + It allows administrators or automated workflows to grant 'Owner', 'Writer', or + 'Reader' access levels to users identified by their email addresses. The action + interacts with the Google Sheets and Google Drive APIs via a service account to + update the spreadsheet's access control list. - | :--- | :--- | :--- | :--- | - - | **Sheet Id** | String | Yes | The unique identifier of the spreadsheet, found - in the URL (e.g., `https://docs.google.com/spreadsheets/d/{SheetId}/edit`). | - | **Role** | DDL | Yes | The access level to grant: `Owner` (full control), `Writer` - (can edit/comment), or `Reader` (view only). | + ### Flow Description - | **Emails** | String | Yes | A semicolon-separated list of email addresses (e.g., - `user1@example.com;user2@example.com`) to receive the permissions. | + 1. **Parameter Extraction:** The action retrieves the Google Sheets credentials + from the integration configuration and the 'Sheet Id', 'Role', and 'Emails' from + the action parameters. + 2. **Client Initialization:** It initializes a Google Sheets client using the + provided service account credentials and required OAuth scopes. - ### Flow Description + 3. **Permission Insertion:** The action processes the semicolon-separated list + of emails and calls the Google API to grant the specified role (Owner, Writer, + or Reader) to each user for the target spreadsheet. - 1. **Configuration Extraction**: Retrieves the service account credentials from - the integration settings. + 4. **Completion:** The action returns a success message if the permissions are + granted or a failure message if an error occurs during the API call. - 2. **Parameter Parsing**: Extracts the target Sheet ID, the desired role, and - the list of email addresses from the action input. - 3. **Client Initialization**: Authenticates with Google APIs using the provided - credentials. + ### Parameters Description - 4. **Permission Insertion**: Executes the request to add the specified users to - the spreadsheet's access control list with the chosen role. + | Parameter | Type | Mandatory | Description | - 5. **Completion**: Reports the success or failure of the operation to the SOAR - case. + | :--- | :--- | :--- | :--- | + | Sheet Id | string | True | The unique identifier of the spreadsheet, found in + the URL (e.g., `https://docs.google.com/spreadsheets/d/{SheetId}/edit`). | - ### Additional Notes + | Role | ddl | True | The access level to grant: 'Owner' (full control), 'Writer' + (can edit/comment), or 'Reader' (view only). | - - Ensure the service account used in the integration has sufficient permissions - to manage the target spreadsheet (e.g., it should be an Owner or have Editor access - if adding others). + | Emails | string | True | A semicolon-separated list of email addresses for the + users receiving the permissions (e.g., `user1@example.com;user2@example.com`). + | capabilities: can_create_case_comments: false can_create_insight: false @@ -56,14 +75,14 @@ Add Permission: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Modifies the Access Control List (ACL) of a Google Spreadsheet by adding new - user permissions. + Modifies the access control list (ACL) of a Google Spreadsheet by adding new + user permissions (Owner, Writer, or Reader). fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -77,6 +96,7 @@ Add Permission: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Add Row: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -90,79 +110,81 @@ Add Permission: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Add Row: ai_description: >- ### General Description - The **Add Row** action allows users to programmatically append or insert a new - row of data into a specific Google Sheets spreadsheet. This is useful for logging - alert data, tracking incident response progress, or maintaining external audit - trails directly from a Google SecOps playbook. + This action adds a new row of data to a specified Google Sheet. It is useful for + logging information, tracking incident response progress, or exporting data from + Google SecOps to a spreadsheet for external reporting. ### Parameters Description - | Parameter Name | Expected Type | Mandatory | Description | + | Parameter Name | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Sheet Id** | String | Yes | The unique identifier of the spreadsheet, found - in the URL: `https://docs.google.com/spreadsheets/d/{Sheet-Id}/edit`. | + | Sheet Id | String | Yes | The unique identifier of the spreadsheet, found in + the URL: `https://docs.google.com/spreadsheets/d/{Sheet-Id}/edit`. | - | **Worksheet Name** | String | No | The name of the specific tab (worksheet) - within the spreadsheet. Defaults to the first sheet (usually "Sheet1") if not - provided. Note: This is case-sensitive. | + | Worksheet Name | String | No | The name of the specific tab (worksheet) within + the spreadsheet. Defaults to the first sheet if not provided. Note: This is case-sensitive. + | - | **Row Index** | String | No | The one-based index where the row should be inserted. - If omitted, the row is typically appended or inserted at the default position - defined by the API (usually the top). | + | Row Index | String | No | The one-based index where the row should be inserted. + If not provided, the row is typically appended or inserted at a default position + defined by the API. | - | **Values** | String | Yes | A comma-separated list of values to be placed in - the cells of the new row (e.g., "Value1,Value2,Value3"). | + | Values | String | Yes | A comma-separated list of values to be inserted into + the new row (e.g., "value1,value2,value3"). | ### Additional Notes - - The action requires valid Service Account credentials (JSON format) configured - in the integration settings to authenticate with the Google Sheets API. + - The `Values` parameter must be a comma-separated string. Each comma-separated + element will occupy one cell in the new row. - - The `Row Index` must be a valid integer string if provided. + - Ensure the service account associated with the provided credentials has 'Editor' + access to the target spreadsheet. ### Flow Description - 1. **Initialization**: The action extracts the Google Sheets credentials from - the integration configuration and the user-provided parameters (Sheet ID, Worksheet - Name, Row Index, and Values). + 1. **Configuration Extraction:** The action retrieves the Google Sheets service + account credentials from the integration configuration. + + 2. **Parameter Parsing:** It extracts the `Sheet Id`, `Worksheet Name`, `Row Index`, + and the `Values` string from the action input. - 2. **Data Parsing**: The comma-separated `Values` string is split into a list - of individual cell values. + 3. **Data Preparation:** The `Values` string is split by commas into a list of + individual cell values. - 3. **Connection**: The action uses the `GoogleSheetFactory` to authenticate and - open the spreadsheet identified by the `Sheet Id`. + 4. **Authentication & Connection:** The action initializes a Google Sheets client + and opens the spreadsheet using the provided `Sheet Id`. - 4. **Worksheet Selection**: It selects the worksheet by name if provided; otherwise, - it defaults to the first worksheet in the file. + 5. **Worksheet Selection:** It selects the specified worksheet by name or defaults + to the first worksheet if no name is provided. - 5. **Row Insertion**: The action calls the Google Sheets API to insert the row - at the specified `Row Index`. If no index is provided, it inserts the row at the - default position. + 6. **Row Insertion:** The action inserts the prepared values into the worksheet + at the specified `Row Index` (or uses the default insertion logic if no index + is provided). - 6. **Completion**: The action returns a success status if the row is added successfully, - or a failure status if an error occurs (e.g., invalid Sheet ID or permissions - issues). + 7. **Completion:** The action returns a success status if the row is added successfully. capabilities: can_create_case_comments: false can_create_insight: false @@ -171,14 +193,14 @@ Add Row: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - This action adds a new row of data to an external Google Sheets spreadsheet, - modifying the content of the file. + This action adds a new row of data to an external Google Sheet, modifying the + content of the spreadsheet. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -192,6 +214,7 @@ Add Row: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Add or Update Rows: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -205,86 +228,88 @@ Add Row: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Add or Update Rows: ai_description: >- ### General Description - Adds or updates rows in a Google Spreadsheet based on a search key. This action - allows for dynamic data management within a spreadsheet, enabling users to either - update existing records if a match is found or append new records if no match - exists. + This action allows users to manage data within a Google Spreadsheet by either + updating existing rows or adding new ones. It searches for a specific value within + a designated column; if a match is found, the action updates the corresponding + row within a specified column range. If no match is found, the data is appended + as a new row at the end of the sheet. This is particularly useful for maintaining + dynamic lists, logs, or tracking statuses in a centralized spreadsheet. ### Parameters Description - | Parameter | Type | Mandatory | Description | + | Parameter Name | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Column Number | String | Yes | The column index (e.g., '1') used to search for - the value of the 'Field Name'. | + | Column Number | string | Yes | The index of the column (e.g., "1") where the + action will search for the value specified by the 'Field Name'. | - | Start Column | String | Yes | The starting column for the update or add operation. - | + | Start Column | string | Yes | The starting column letter (e.g., "A") for the + range to be updated or added. | - | End Column | String | Yes | The ending column for the update or add operation. - | + | End Column | string | Yes | The ending column letter (e.g., "C") for the range + to be updated or added. | - | Field Name | String | Yes | The key in the input JSON whose value is used for - searching in the spreadsheet. | + | Field Name | string | Yes | The key within the provided JSON object whose value + will be used as the search term in the spreadsheet. | - | Json | Code | Yes | A JSON array of objects representing the rows to be added - or updated. | + | Json | code | Yes | A JSON array of objects representing the rows to be processed. + Each object should contain the keys to be mapped to the spreadsheet columns. | - | Sheet Id | String | Yes | The unique identifier of the Google Spreadsheet, found + | Sheet Id | string | Yes | The unique identifier of the Google Spreadsheet, found in the URL. | - | Worksheet Name | String | No | The name of the specific worksheet tab. Defaults - to 'Sheet1' if not provided. | + | Worksheet Name | string | No | The name of the specific tab/worksheet to use. + Defaults to the first sheet if not provided. | ### Flow Description - 1. The action authenticates with the Google Sheets API using the provided credentials. - - 2. It opens the spreadsheet identified by the 'Sheet Id' and selects the specified - worksheet. - - 3. It parses the 'Json' input into a list of row data. - - 4. For each row, it searches the specified 'Column Number' for the value associated - with the 'Field Name'. + 1. **Authentication**: The action authenticates with the Google Sheets API using + the provided service account credentials. - 5. If a match is found, it updates the existing row within the range defined by - 'Start Column' and 'End Column'. + 2. **Initialization**: It opens the spreadsheet using the `Sheet Id` and selects + the target worksheet. - 6. If no match is found, it appends the row data as a new entry at the end of - the worksheet. + 3. **Data Parsing**: The input `Json` string is parsed into a list of row objects. - 7. The action concludes by reporting the number of rows processed and the updated - ranges. + 4. **Search and Process**: For each row object in the list: + * It extracts the value associated with the `Field Name` key. + * It searches the specified `Column Number` in the worksheet for this value. + * **Update**: If the value is found, the action calculates the target range + (using `Start Column`, `End Column`, and the found row index) and updates the + cells with the values from the JSON object. + * **Append**: If the value is not found, the action appends the values from + the JSON object as a new row at the bottom of the worksheet. + 5. **Completion**: The action returns the total count of rows that were successfully + added or updated. ### Additional Notes - - The 'Json' parameter must be a valid JSON array of objects. - - - Column indices are 1-based (e.g., '1' for column A). + * The `Json` parameter must be a valid JSON array of objects. - - The action requires appropriate permissions for the service account on the target - spreadsheet. + * Ensure the service account has the necessary permissions (Editor access) to + the target spreadsheet. capabilities: can_create_case_comments: false can_create_insight: false @@ -293,13 +318,14 @@ Add or Update Rows: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates existing rows or appends new rows in the specified Google Spreadsheet. + This action updates existing cell values or appends new rows to a Google Spreadsheet + based on the provided input data. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -313,6 +339,7 @@ Add or Update Rows: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Create Sheet: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -326,71 +353,68 @@ Add or Update Rows: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Create Sheet: ai_description: >- ### General Description - This action creates a new Google Spreadsheet within the connected Google Sheets - account. It allows users to specify a name for the new sheet and optionally share - it with a list of email addresses, granting them 'writer' permissions. This is - useful for automated reporting, data collection, or collaborative incident tracking. + Creates a new Google Spreadsheet and optionally shares it with specified email + addresses. This action is useful for automating the creation of reports, tracking + logs, or collaborative documents directly from a SOAR workflow. ### Parameters Description - | Parameter Name | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | + | Parameter | Description | Type | Mandatory | Notes | - | Sheet Name | string | Yes | The name of the new spreadsheet to be created. | + | :--- | :--- | :--- | :--- | :--- | - | Share with emails | string | No | A semicolon-separated list of email addresses - (e.g., `user1@example.com;user2@example.com`) to grant 'writer' access to the - newly created sheet. | + | Sheet Name | The name of the new spreadsheet to be created. | String | Yes | + This will be the title of the file in Google Drive. | + | Share with emails | A semicolon-separated list of email addresses (e.g., `user1@example.com;user2@example.com`) + to grant access to the sheet. | String | No | If provided, each user will be granted + 'writer' permissions. | - ### Flow Description - 1. **Configuration Extraction**: The action retrieves the Google service account - credentials from the integration configuration. + ### Additional Notes - 2. **Parameter Parsing**: It extracts the desired sheet name and the optional - list of emails to share the sheet with. + - The action requires valid Google Service Account credentials with the necessary + scopes for Google Sheets and Google Drive. - 3. **Client Initialization**: A Google Sheets client is initialized using the - provided service account credentials. + - Users shared via the 'Share with emails' parameter are granted 'writer' (editor) + access by default. - 4. **Spreadsheet Creation**: The action calls the Google Sheets API to create - a new spreadsheet with the specified name. - 5. **Permission Management**: If email addresses were provided, the action iterates - through each email and updates the spreadsheet's permissions to grant 'writer' - (editor) access to those users. + ### Flow Description - 6. **Completion**: The action returns the unique ID of the newly created spreadsheet - and a success message. + 1. **Authentication**: Initializes a connection to the Google Sheets API using + the provided Service Account credentials. + 2. **Spreadsheet Creation**: Creates a new spreadsheet in the service account's + Google Drive with the name specified in the 'Sheet Name' parameter. - ### Additional Notes + 3. **Permission Management**: If the 'Share with emails' parameter is populated, + the action parses the list and iterates through each email address. - - The service account used must have sufficient permissions to create files in - Google Drive and manage sharing permissions. + 4. **Sharing**: For each email, it updates the spreadsheet's permissions to grant + 'writer' access to that specific user. - - If the sharing step fails for any specific email, the entire action may report - a failure depending on the exception handling, though the sheet itself might have - already been created. + 5. **Completion**: Returns the unique ID of the newly created spreadsheet and + completes the execution. capabilities: can_create_case_comments: false can_create_insight: false @@ -399,14 +423,14 @@ Create Sheet: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new spreadsheet resource in Google Sheets and modifies sharing permissions - (ACLs) for that resource. + Creates a new spreadsheet file in Google Drive and modifies its access control + list (ACL) by sharing it with specified email addresses. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -420,6 +444,7 @@ Create Sheet: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Delete Rows: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -433,72 +458,70 @@ Create Sheet: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Delete Rows: ai_description: >- ### General Description - Deletes a specified range of rows from a Google Sheets worksheet. This action - is useful for cleaning up logs, removing processed data, or managing spreadsheet-based - databases directly from a SOAR workflow. + Deletes a range of rows from a specified Google Sheets worksheet. This action + is useful for cleaning up data, removing processed entries, or managing spreadsheet-based + logs directly from a SOAR playbook. ### Parameters Description - | Parameter | Type | Mandatory | Description | + | Parameter Name | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | | Sheet Id | string | Yes | The unique identifier of the spreadsheet, found in - the URL: `https://docs.google.com/spreadsheets/d/{SheetId}/edit`. | + the URL: `https://docs.google.com/spreadsheets/d/{Sheet-Id}/edit`. | - | Worksheet Name | string | No | The name of the specific tab/worksheet. Defaults - to the first sheet (Sheet1) if not provided. Note: This is case-sensitive. | + | Worksheet Name | string | No | The name of the specific tab (worksheet) within + the spreadsheet. If not provided, the action defaults to the first sheet (Sheet1). + Note: This is case-sensitive. | - | From Row | string | Yes | The starting row number for the deletion range (inclusive). + | From Row | string | Yes | The row number where the deletion range starts (inclusive). | - | To Row | string | Yes | The ending row number for the deletion range (inclusive). + | To Row | string | Yes | The row number where the deletion range ends (inclusive). | ### Additional Notes - - The action requires valid Google Service Account credentials with appropriate - permissions (Spreadsheets and Drive scopes) configured in the integration settings. + - This action does not run on entities; it operates based on the provided spreadsheet + parameters. - - Row numbers are 1-indexed. + - Ensure the service account associated with the provided credentials has 'Editor' + permissions on the target spreadsheet. ### Flow Description - 1. **Configuration Extraction:** Retrieves the Google Service Account credentials - from the integration configuration. + 1. **Authentication**: The action initializes a connection to the Google Sheets + API using the provided service account credentials. - 2. **Parameter Parsing:** Extracts the Sheet ID, Worksheet Name, and the row range - (From/To) from the action input. + 2. **Spreadsheet Access**: It opens the spreadsheet identified by the `Sheet Id`. - 3. **Authentication:** Initializes a connection to the Google Sheets API using - the provided credentials. - - 4. **Worksheet Selection:** Opens the spreadsheet by ID and selects the specified - worksheet (or the first one by default). + 3. **Worksheet Selection**: It selects the worksheet specified by `Worksheet Name` + or defaults to the first worksheet if the parameter is empty. - 5. **Execution:** Executes the row deletion command for the specified range. - - 6. **Completion:** Returns a success message if the rows are deleted or an error - message if the operation fails. + 4. **Row Deletion**: It executes a command to delete the rows within the range + defined by `From Row` and `To Row`. capabilities: can_create_case_comments: false can_create_insight: false @@ -507,14 +530,14 @@ Delete Rows: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Deletes rows from a Google Sheets worksheet, permanently removing data from - the external spreadsheet. + Deletes rows from a specified Google Sheets worksheet, which permanently modifies + the external spreadsheet data. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -528,6 +551,7 @@ Delete Rows: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Delete Sheet: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -541,64 +565,62 @@ Delete Rows: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Delete Sheet: ai_description: >- ### General Description - The **Delete Sheet** action allows users to permanently remove a specific Google - Spreadsheet from their Google Drive/Sheets environment using its unique Spreadsheet - ID. This action is useful for cleaning up temporary reports, removing sensitive - data after processing, or managing automated spreadsheet lifecycles within a SOAR - workflow. + Deletes a specific Google Spreadsheet from Google Drive using its unique Sheet + ID. This action is designed to programmatically remove spreadsheets, which is + useful for automated cleanup of temporary reports or managing data lifecycle within + Google Sheets. ### Parameters Description - | Parameter | Description | Expected Type | Mandatory | + | Parameter | Description | Type | Mandatory | | :--- | :--- | :--- | :--- | - | **Sheet Id** | The unique identifier for the spreadsheet. This can be found - in the URL of the sheet: `https://docs.google.com/spreadsheets/d/{Sheet_Id}/edit`. + | Sheet Id | The unique identifier of the spreadsheet. This ID can be found in + the spreadsheet's URL: `https://docs.google.com/spreadsheets/d/{SheetId}/edit`. | String | Yes | - ### Additional Notes - - * **Irreversible Action:** Deleting a sheet is a destructive operation. Ensure - the correct ID is provided, as the action does not typically move the file to - the 'Trash' but performs a direct deletion via the API. + ### Flow Description - * **Permissions:** The service account used in the integration configuration - must have sufficient permissions (Editor/Owner) to delete the target spreadsheet. + 1. **Configuration Retrieval**: The action extracts the `Credentials Json` from + the integration settings and the `Sheet Id` from the action parameters. + 2. **Client Initialization**: It uses the `GoogleSheetFactory` to authenticate + with Google APIs using the service account credentials and creates a Google Sheets + client. - ### Flow Description + 3. **Spreadsheet Deletion**: The action invokes the `del_spreadsheet` method on + the client for the specified `Sheet Id` to remove the file from Google Drive. - 1. **Initialization:** The action retrieves the Google Sheets credentials from - the integration configuration and the target **Sheet Id** from the action parameters. + 4. **Execution Result**: If the deletion is successful, the action completes with + a success message. If an error occurs (e.g., invalid ID or insufficient permissions), + the action fails and returns the error details. - 2. **Authentication:** It initializes a connection to the Google Sheets API using - the provided service account credentials. - 3. **Execution:** The action calls the `del_spreadsheet` method on the Google - Sheets client, passing the provided **Sheet Id**. + ### Additional Notes - 4. **Completion:** If the deletion is successful, the action returns a success - message. If an error occurs (e.g., invalid ID, insufficient permissions), the - action fails and provides the error details. + - The service account associated with the `Credentials Json` must have the necessary + permissions (Google Drive and Google Sheets scopes) to delete the target spreadsheet. capabilities: can_create_case_comments: false can_create_insight: false @@ -607,14 +629,14 @@ Delete Sheet: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - This action deletes a spreadsheet file from the external Google Sheets/Google - Drive service. + Deletes a Google Spreadsheet from the user's Google Drive/Sheets environment + using the Google Sheets API. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -628,6 +650,7 @@ Delete Sheet: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get All: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -641,27 +664,29 @@ Delete Sheet: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get All: ai_description: >- ### General Description - The **Get All** action retrieves all data records from a specified Google Sheets - worksheet. It allows users to ingest tabular data from a spreadsheet into a Google - SecOps playbook for further analysis, lookups, or automation logic. The action - returns the data as a JSON array of objects, where each object represents a row - with keys corresponding to the column headers. + The **Get All** action retrieves all rows and columns from a specified worksheet + within a Google Spreadsheet. It converts the spreadsheet data into a list of JSON + objects, where each object represents a row and the keys correspond to the column + headers. This action is primarily used for ingesting reference data, lookup tables, + or logs stored in Google Sheets into a Google SecOps workflow for further processing. ### Parameters Description @@ -670,45 +695,40 @@ Get All: | :--- | :--- | :--- | :--- | - | Sheet Id | String | Yes | The unique identifier of the spreadsheet, found in - the URL (e.g., `https://docs.google.com/spreadsheets/d/{Sheet-Id}/edit`). | - - | Worksheet Name | String | No | The name of the specific tab (worksheet) to retrieve - data from. If left blank, the action defaults to the first worksheet in the spreadsheet - (usually "Sheet1"). Note: This value is case-sensitive. | - + | **Sheet Id** | String | Yes | The unique identifier of the spreadsheet, found + in the URL: `https://docs.google.com/spreadsheets/d/{Sheet-Id}/edit`. | - ### Additional Notes + | **Worksheet Name** | String | No | The name of the specific tab (worksheet) + to retrieve data from. If not provided, the action defaults to the first worksheet + in the spreadsheet. Note: This value is case-sensitive. | - - The action requires a valid **Credentials Json** to be configured in the integration - settings. - - The service account associated with the credentials must have at least "Viewer" - permissions on the target spreadsheet. + ### Flow Description - - If the worksheet name provided does not exist, the action will fail. + 1. **Initialization**: Extracts the service account credentials from the integration + configuration and the Sheet ID and Worksheet Name from the action parameters. + 2. **Connection**: Authenticates with the Google Sheets API using the provided + service account credentials. - ### Flow Description + 3. **Access**: Opens the spreadsheet using the provided `Sheet Id`. - 1. **Configuration Retrieval:** The action extracts the service account credentials - from the integration configuration. + 4. **Selection**: Targets the worksheet specified by the `Worksheet Name` parameter. + If the parameter is empty, it defaults to the first sheet in the workbook. - 2. **Parameter Extraction:** It retrieves the `Sheet Id` and the optional `Worksheet - Name` from the action parameters. + 5. **Data Retrieval**: Fetches all records from the selected worksheet, converting + them into a list of dictionaries. - 3. **API Connection:** Initializes a connection to the Google Sheets API using - the `gspread` library. + 6. **Output**: Returns the retrieved data as a JSON result and completes the execution. - 4. **Spreadsheet Access:** Opens the spreadsheet using the provided `Sheet Id`. - 5. **Worksheet Selection:** Selects the worksheet specified by the user or defaults - to the first worksheet if no name is provided. + ### Additional Notes - 6. **Data Fetching:** Executes a request to retrieve all records from the worksheet. + - This action does not interact with or filter entities within the Google SecOps + environment. - 7. **Result Output:** Adds the retrieved records to the action's JSON result and - completes the execution with a success message. + - Ensure the service account associated with the provided Credentials JSON has + at least "Viewer" permissions on the target spreadsheet. capabilities: can_create_case_comments: false can_create_insight: false @@ -722,7 +742,7 @@ Get All: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -736,6 +756,7 @@ Get All: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Range: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -749,66 +770,73 @@ Get All: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Range: ai_description: >- - Retrieves values from a specified range within a Google Sheets spreadsheet. This - action is designed to fetch data such as lookup tables, reference lists, or configuration - data stored in a spreadsheet for use within a playbook logic flow. + ### General Description + The **Get Range** action retrieves cell values from a specified range within a + Google Sheet. This utility action allows users to pull external data stored in + spreadsheets into a Google SecOps workflow for further processing, validation, + or reporting. It supports A1 notation for defining the data range and can target + specific worksheets within a spreadsheet. - ### Flow Description: - 1. **Authentication**: Initializes the Google Sheets API client using the provided - service account credentials from the integration configuration. + ### Parameters Description - 2. **Spreadsheet Access**: Connects to the specific spreadsheet using the provided - `Sheet Id`. + | Parameter | Type | Mandatory | Description | - 3. **Worksheet Selection**: Selects the target worksheet (tab). If a `Worksheet - Name` is provided, it selects that specific tab; otherwise, it defaults to the - first worksheet in the file. + | :--- | :--- | :--- | :--- | - 4. **Data Extraction**: Retrieves the values from the cells defined by the `Range` - parameter using A1 notation. + | **Sheet Id** | String | Yes | The unique identifier of the spreadsheet, which + can be found in the URL: `https://docs.google.com/spreadsheets/d/{SheetId}/edit`. + | - 5. **Result Processing**: Returns the fetched data as a JSON object and completes - the action with a success message. + | **Worksheet Name** | String | No | The name of the specific tab (worksheet) + to query. If not provided, the action defaults to the first worksheet in the file. + | + | **Range** | String | Yes | The range of cells to retrieve using A1 notation + (e.g., 'A1:B10' or 'Sheet1!A1:B10'). | - ### Parameters Description: - | Parameter Name | Type | Mandatory | Description | + ### Flow Description - | :--- | :--- | :--- | :--- | + 1. **Authentication**: The action initializes a connection to the Google Sheets + API using the service account credentials provided in the integration configuration. - | Sheet Id | String | Yes | The unique identifier of the spreadsheet, found in - the URL: `https://docs.google.com/spreadsheets/d/{SheetId}/edit`. | + 2. **Spreadsheet Access**: It opens the target spreadsheet using the provided + **Sheet Id**. - | Worksheet Name | String | No | The name of the worksheet tab. Note that this - is case-sensitive. If left blank, the action defaults to the first tab. | + 3. **Worksheet Selection**: If a **Worksheet Name** is specified, the action selects + that tab; otherwise, it defaults to the first sheet. - | Range | String | Yes | The cell range to extract using A1 notation (e.g., "A1:C10" - or "Sheet1!A1:B5"). | + 4. **Data Retrieval**: The action executes a batch get request to fetch the values + within the defined **Range**. + 5. **Result Processing**: The retrieved data is formatted and added to the action's + JSON results for use in subsequent playbook steps. - ### Additional Notes: - - This action is read-only and does not modify the contents of the Google Sheet. + ### Additional Notes + + - This action does not interact with or filter SecOps entities. - Ensure the service account associated with the credentials has at least 'Viewer' - access to the spreadsheet. + permissions on the target Google Sheet. capabilities: can_create_case_comments: false can_create_insight: false @@ -822,7 +850,7 @@ Get Range: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -836,6 +864,7 @@ Get Range: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Row: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -849,26 +878,27 @@ Get Range: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Row: ai_description: >- ### General Description - The **Get Row** action retrieves all values from a specific row within a Google - Sheets spreadsheet. This is useful for fetching contextual data, configuration - settings, or lookup information stored in a spreadsheet format. The action returns - the row data as a JSON array of values. + Retrieves the values of a single row from a specified Google Sheet. This action + is useful for fetching reference data, configuration settings, or logs stored + within a spreadsheet for use in subsequent playbook steps. ### Parameters Description @@ -877,15 +907,13 @@ Get Row: | :--- | :--- | :--- | :--- | - | **Sheet Id** | String | Yes | The unique identifier of the spreadsheet, found - in the spreadsheet's URL (e.g., `https://docs.google.com/spreadsheets/d//edit`). - | + | Sheet Id | string | Yes | The unique identifier of the spreadsheet, which can + be found in the spreadsheet's URL. | - | **Worksheet Name** | String | No | The name of the specific worksheet (tab) - to retrieve the row from. If not provided, the action defaults to the first worksheet - (`sheet1`). | + | Worksheet Name | string | No | The name of the specific worksheet (tab) to retrieve + data from. If not provided, the action defaults to the first worksheet. | - | **Row Number** | String | Yes | The one-based index of the row to retrieve (e.g., + | Row Number | string | Yes | The one-based index of the row to retrieve (e.g., '1' for the first row). | @@ -894,26 +922,23 @@ Get Row: - The action uses service account credentials configured in the integration settings to access the Google Sheets API. - - The row number is one-based, meaning the first row is 1, the second is 2, and - so on. + - The result is returned as a JSON array containing the values of the cells in + the specified row. ### Flow Description - 1. **Authentication**: The action initializes a connection to Google Sheets using - the provided service account credentials. + 1. **Authentication**: Initializes the Google Sheets client using the provided + service account credentials. - 2. **Spreadsheet Access**: It opens the spreadsheet identified by the **Sheet - Id**. + 2. **Spreadsheet Access**: Opens the spreadsheet identified by the `Sheet Id`. - 3. **Worksheet Selection**: If a **Worksheet Name** is provided, it selects that - specific tab; otherwise, it defaults to the first tab in the spreadsheet. + 3. **Worksheet Selection**: Selects the worksheet specified by `Worksheet Name`. + If no name is provided, it defaults to the first sheet in the workbook. - 4. **Data Retrieval**: The action fetches all values for the specified **Row Number** - using the `row_values` method. + 4. **Data Retrieval**: Fetches all cell values for the row specified by `Row Number`. - 5. **Output**: The retrieved values are added to the action's JSON results and - the execution completes successfully. + 5. **Output**: Returns the row values as a JSON object and completes the action. capabilities: can_create_case_comments: false can_create_insight: false @@ -925,9 +950,9 @@ Get Row: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: true + enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -941,6 +966,7 @@ Get Row: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Import CSV: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -954,66 +980,61 @@ Get Row: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Import CSV: ai_description: >- - ### General Description - - The **Import CSV** action allows users to upload the contents of a local CSV file - directly into a Google Spreadsheet. This action is primarily used for reporting - or data synchronization tasks. **Warning:** This action is destructive to the - target spreadsheet; it replaces all content in the first worksheet with the CSV - data and deletes all other worksheets within that spreadsheet. - + Imports data from a local CSV file into a Google Spreadsheet. This action targets + the first worksheet of the specified spreadsheet, replacing its entire content + with the data from the CSV file. Note that this operation is destructive: it removes + all other worksheets within the spreadsheet and overwrites the first one. - ### Parameters Description - | Parameter Name | Description | Type | Mandatory | Notes | + ### Flow Description - | :--- | :--- | :--- | :--- | :--- | + 1. **Parameter Extraction:** Retrieves the 'Sheet Id' and 'CSV Path' from the + action parameters and the 'Credentials Json' from the integration configuration. - | Sheet Id | The unique identifier for the Google Spreadsheet, found in the URL - (e.g., `https://docs.google.com/spreadsheets/d/{SheetId}/edit`). | String | Yes - | The service account must have editor access to this sheet. | + 2. **Client Initialization:** Authenticates with Google Sheets using the provided + service account credentials. - | CSV Path | The local file system path where the CSV file to be imported is located. - | String | Yes | Ensure the SOAR runner has read permissions for this path. | + 3. **File Reading:** Reads the raw content of the CSV file located at the specified + local path. + 4. **Data Import:** Executes the import command via the Google Sheets API, which + overwrites the first sheet and deletes all other sheets in the workbook. - ### Additional Notes - - This action uses the `gspread` library to perform a bulk import of CSV data. + ### Parameters Description - - Because this action deletes other worksheets and overwrites the first one, it - should be used with caution on spreadsheets containing existing important data. + | Parameter Name | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Flow Description + | Sheet Id | String | Yes | The unique identifier of the spreadsheet, found in + the URL (e.g., `https://docs.google.com/spreadsheets/d/{SheetId}/edit`). | - 1. **Configuration Extraction:** The action retrieves the Google Service Account - credentials from the integration settings and the `Sheet Id` and `CSV Path` from - the action parameters. + | CSV Path | String | Yes | The local file system path to the CSV file that contains + the data to be imported. | - 2. **File Access:** The script reads the raw text content of the CSV file located - at the provided `CSV Path`. - 3. **Authentication:** A connection is established with the Google Sheets API - using the provided service account credentials. + ### Additional Notes - 4. **Data Import:** The action calls the Google Sheets API to import the CSV content - into the specified spreadsheet. This process automatically clears the first worksheet, - populates it with the new data, and removes any additional worksheets in the file. + - **Warning:** This action will delete all worksheets in the spreadsheet except + for the first one, which will be overwritten. Use with caution on spreadsheets + containing multiple tabs of data. capabilities: can_create_case_comments: false can_create_insight: false @@ -1022,14 +1043,14 @@ Import CSV: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - This action overwrites the content of the first worksheet in the target Google - Spreadsheet and deletes all other worksheets in that file. + Replaces the content of the first worksheet and deletes all other worksheets + in the specified Google Spreadsheet. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1043,6 +1064,7 @@ Import CSV: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1056,62 +1078,65 @@ Import CSV: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: ai_description: >- ### General Description - The **Ping** action is designed to verify the connectivity and authentication - between Google SecOps and the Google Sheets API. It ensures that the provided - service account credentials have the necessary permissions to perform basic operations, - such as creating and deleting spreadsheets. + The **Ping** action is designed to verify the connectivity and authorization between + Google SecOps and the Google Sheets API. It ensures that the provided service + account credentials are valid and have the appropriate permissions to perform + file operations within the Google Drive and Sheets environment. ### Parameters Description - There are no action-specific parameters for this action. It relies entirely on - the integration's configuration parameters (specifically the 'Credentials Json'). - - - ### Additional Notes + | Parameter | Type | Mandatory | Description | - * This action requires the 'Credentials Json' to be correctly configured in the - Google Sheets integration settings. + | :--- | :--- | :--- | :--- | - * The action performs a 'smoke test' by creating a temporary file and then removing - it. This confirms that the service account has both write and delete permissions - in the target environment. + | Credentials Json | String | Yes | (Configuration Parameter) The JSON content + of the Google Service Account key used for authentication. | ### Flow Description - 1. **Credential Extraction**: The action retrieves the 'Credentials Json' from - the integration's configuration. + 1. **Authentication**: The action retrieves the service account credentials from + the integration's configuration settings. 2. **Client Initialization**: It initializes a Google Sheets client using the - provided service account information and the required OAuth scopes (Spreadsheets - and Drive). + `gspread` library with the required OAuth2 scopes for Spreadsheets and Drive. + + 3. **Validation Operation**: To test end-to-end functionality, the action attempts + to create a new spreadsheet with a unique name (prefixed with 'Test-' and a UUID). - 3. **Connectivity Test (Create)**: The action attempts to create a new spreadsheet - with a unique name (e.g., 'Test-' followed by a random UUID). + 4. **Cleanup**: Immediately after a successful creation, the action attempts to + delete the temporary spreadsheet to ensure no residual data is left in the user's + Google Drive. - 4. **Cleanup (Delete)**: Immediately after creation, the action attempts to delete - the temporary spreadsheet using its ID. + 5. **Result Reporting**: If all steps succeed, the action completes with a 'Connected + successfully' message. If any step fails (e.g., due to invalid credentials or + insufficient API permissions), the action fails and returns the specific error + message. - 5. **Result Reporting**: If both the creation and deletion are successful, the - action returns a 'Connected successfully' message. If any step fails, it captures - the error and reports a failure. + + ### Additional Notes + + This action is a diagnostic tool used to confirm that the integration is correctly + configured and that the Google Cloud Project has the necessary APIs enabled. capabilities: can_create_case_comments: false can_create_insight: false @@ -1120,14 +1145,14 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - The action creates a temporary spreadsheet in Google Drive and then deletes - it to verify that the credentials have sufficient permissions. + The action creates a temporary spreadsheet and then immediately deletes it to + verify that the service account has write and delete permissions. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1141,6 +1166,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Search Row: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1154,26 +1180,28 @@ Ping: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Search Row: ai_description: >- ### General Description - The **Search Row** action allows users to find a specific row within a Google - Spreadsheet based on a search value. It is primarily used to retrieve data associated - with a specific identifier or record stored in a sheet, returning the entire row's - content as a JSON object and the row index as the result value. + Finds a specific row in a Google Spreadsheet based on a provided search value. + This action is useful for retrieving contextual information stored in spreadsheets, + such as asset lists, contact information, or historical logs, and bringing that + data into the Google SecOps environment for further analysis. ### Parameters Description @@ -1183,44 +1211,50 @@ Search Row: | :--- | :--- | :--- | :--- | | **Sheet Id** | String | Yes | The unique identifier of the spreadsheet, found - in the URL: `https://docs.google.com/spreadsheets/d/{SheetId}/edit`. | + in the URL: `https://docs.google.com/spreadsheets/d/{Sheet-Id}/edit`. | - | **Worksheet Name** | String | No | The name of the specific tab/worksheet to - search. Defaults to the first sheet (Sheet1) if not provided. Note: This is case-sensitive. + | **Worksheet Name** | String | No | The name of the specific tab within the spreadsheet. + Defaults to the first sheet (Sheet1) if not provided. Note: This is case-sensitive. | - | **Column Number** | String | Yes | The column index (starting from 1) where - the search should be performed. | + | **Column Number** | String | Yes | The column number where the search should + be performed. **Note:** In the current implementation, the search is performed + across the entire worksheet, and this parameter is primarily used for logging + purposes. | - | **Search value** | String | Yes | The specific string or value to look for within - the specified column. | + | **Search value** | String | Yes | The specific string or value to search for + within the worksheet. | ### Additional Notes - - The action uses the `gspread` library to interact with the Google Sheets API. + - The action uses service account credentials to authenticate with the Google + Sheets API. - - If the value is not found, the action will return a failure status. + - If the search value is found, the action retrieves all values for that specific + row and returns them as a JSON array. - - The action returns the full content of the row where the first match is found. + - If the value is not found, the action will return a failed status. ### Flow Description - 1. **Authentication**: The action initializes a connection to Google Sheets using - provided Service Account credentials. + 1. **Authentication:** The action authenticates with Google APIs using the provided + JSON credentials. + + 2. **Spreadsheet Access:** It opens the spreadsheet identified by the `Sheet Id`. - 2. **Spreadsheet Access**: It opens the spreadsheet using the `Sheet Id` and selects - the target worksheet (either by name or the default first sheet). + 3. **Worksheet Selection:** It selects the worksheet specified by `Worksheet Name` + or defaults to the first tab. - 3. **Search Execution**: It performs a search for the `Search value` within the - worksheet. + 4. **Search Operation:** It searches the worksheet for the first occurrence of + the `Search value`. - 4. **Data Retrieval**: If a match is found, it retrieves the values for the entire - row containing that cell. + 5. **Data Retrieval:** If found, it retrieves all cell values for the row containing + the match. - 5. **Output**: The row data is added to the action's JSON results, and the row - number is returned as the main output value. + 6. **Output:** The row data is added to the action results as JSON, and the row + index is returned as the primary result value. capabilities: can_create_case_comments: false can_create_insight: false @@ -1234,7 +1268,7 @@ Search Row: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1248,6 +1282,7 @@ Search Row: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Search Rows: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1261,27 +1296,28 @@ Search Row: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Search Rows: ai_description: >- ### General Description - The **Search Rows** action enables users to locate specific rows within a Google - Sheet by searching for a value in a designated column. This action is primarily - used for data retrieval and lookups, allowing playbooks to query spreadsheets - for contextual information such as asset owners, contact details, or allowlisted - indicators. + The **Search Rows** action allows users to search for specific values within a + designated column of a Google Sheet. It is primarily used to retrieve row indices + and data for rows that match a search criterion, facilitating the use of Google + Sheets as a simple database or lookup table for automation workflows. ### Parameters Description @@ -1290,48 +1326,51 @@ Search Rows: | :--- | :--- | :--- | :--- | - | **Sheet Id** | String | Yes | The unique identifier of the spreadsheet, which - can be extracted from the URL: `https://docs.google.com/spreadsheets/d/{SheetId}/edit`. + | Sheet Id | string | Yes | The unique identifier of the spreadsheet, which can + be found in the URL: `https://docs.google.com/spreadsheets/d/{Sheet-Id}/edit`. | - | **Worksheet Name** | String | No | The name of the specific tab (worksheet) - to search. If left blank, the action defaults to the first sheet (Sheet1). Note: - This is case-sensitive. | + | Worksheet Name | string | No | The name of the specific tab (worksheet) to search + in. If not provided, the action defaults to the first worksheet ("Sheet1"). | - | **Column Number** | String | Yes | The numerical index of the column to search - within (e.g., '1' for column A). | + | Column Number | string | Yes | The numerical index of the column to search (e.g., + "1" for Column A, "2" for Column B). | - | **Search value** | String | Yes | The specific text or value to search for within + | Search value | string | Yes | The specific string or value to look for within the specified column. | - ### Flow Description + ### Additional Notes - 1. **Authentication**: The action initializes a connection to Google Sheets using - the provided Service Account credentials. + - The action returns a list of all row numbers where the search value was found + in the specified column. - 2. **Worksheet Selection**: It opens the spreadsheet via the `Sheet Id` and selects - the target worksheet based on the `Worksheet Name` parameter. + - It also provides the values of the first matching row in the JSON result. - 3. **Search Execution**: The action performs a global search for the `Search value` - across the entire worksheet. + - If the value is not found, the action will return a failed status. - 4. **Column Filtering**: It iterates through the search results and filters for - matches that specifically occur within the provided `Column Number`. - 5. **Data Extraction**: For every valid match, the action retrieves the row number - and the full list of values for that row. + ### Flow Description - 6. **Result Reporting**: The action returns the total count of found rows, the - list of row numbers, and the content of the matching rows as JSON output. + 1. **Authentication**: The action initializes a connection to the Google Sheets + API using the provided service account credentials. + 2. **Spreadsheet Access**: It opens the spreadsheet identified by the `Sheet Id`. - ### Additional Notes + 3. **Worksheet Selection**: It selects the worksheet specified by `Worksheet Name` + or defaults to the first sheet. + + 4. **Search Execution**: The action performs a global search (`findall`) for the + `Search value` across the entire worksheet. - - If the search value is not found in the specified column, the action will return - a failure status. + 5. **Column Filtering**: It iterates through the search results and filters for + cells that belong to the user-specified `Column Number`. - - This action does not modify the spreadsheet; it is strictly read-only. + 6. **Data Collection**: It collects the row numbers of all matches and retrieves + the full row values for the first match found. + + 7. **Output**: The action outputs the list of row numbers, the count of rows found, + and the data from the first matching row into the action results. capabilities: can_create_case_comments: false can_create_insight: false @@ -1345,7 +1384,7 @@ Search Rows: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1359,6 +1398,7 @@ Search Rows: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Update Cell: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1372,70 +1412,78 @@ Search Rows: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Update Cell: ai_description: >- - Updates a specific cell within a Google Sheets spreadsheet. This action allows - for direct modification of spreadsheet data by specifying the spreadsheet ID, - the worksheet name, the target cell (in A1 notation), and the new value to be - inserted. + ### General Description + The **Update Cell** action allows users to modify the content of a specific cell + within a Google Sheets spreadsheet. This action is primarily used for automated + reporting, logging incident metadata, or updating tracking sheets directly from + a SOAR playbook. - ### Flow Description: - 1. **Credential Retrieval:** Extracts the service account credentials from the - integration configuration. + ### Parameters Description - 2. **Parameter Extraction:** Retrieves the Sheet ID, Worksheet Name, Cell coordinates, - and the Value to be updated from the action parameters. + | Parameter | Type | Mandatory | Description | - 3. **Connection Establishment:** Uses the Google Sheets API to authenticate and - open the specified spreadsheet. + | :--- | :--- | :--- | :--- | - 4. **Worksheet Selection:** Identifies the target worksheet. If no worksheet name - is provided, it defaults to the first sheet in the workbook. + | **Sheet Id** | String | Yes | The unique identifier of the spreadsheet, which + can be found in the URL: `https://docs.google.com/spreadsheets/d/{SheetId}/edit`. + | - 5. **Cell Update:** Executes the update command to change the value of the specified - cell. + | **Worksheet Name** | String | No | The name of the specific tab (worksheet) + to update. If not provided, the action defaults to the first worksheet (Sheet1). + Note: This is case-sensitive. | + | **Cell** | String | Yes | The A1 notation of the cell to update (e.g., "A1", + "C10"). | - ### Parameters Description: + | **Value** | String | Yes | The data or text to be written into the specified + cell. | - | Parameter Name | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + ### Flow Description - | Sheet Id | String | Yes | The unique identifier of the spreadsheet, found in - the URL (e.g., `https://docs.google.com/spreadsheets/d/{SheetId}/edit`). | + 1. **Initialization**: The action extracts the service account credentials from + the integration configuration. - | Worksheet Name | String | No | The name of the specific tab/worksheet to update. - Case-sensitive. Defaults to the first sheet if left empty. | + 2. **Connection**: It establishes a connection to the Google Sheets API using + the provided credentials. - | Cell | String | Yes | The cell address in A1 notation (e.g., 'A1', 'B10') that - you wish to update. | + 3. **Spreadsheet Access**: The action opens the target spreadsheet using the `Sheet + Id`. - | Value | String | Yes | The new content or value to be written into the specified - cell. | + 4. **Worksheet Selection**: It identifies the correct worksheet based on the `Worksheet + Name` parameter or defaults to the first sheet. + 5. **Data Update**: It performs a write operation to update the specified `Cell` + with the provided `Value`. - ### Additional Notes: + 6. **Finalization**: The action returns a success message if the update is confirmed + by the API, or an error message if the operation fails. - - This action does not process or filter entities from the Google SecOps case; - it operates strictly based on the provided parameters. - - Ensure the service account associated with the provided credentials has 'Editor' - permissions on the target spreadsheet. + ### Additional Notes + + - The service account used in the integration must have "Editor" permissions on + the target Google Sheet. + + - If the `Worksheet Name` does not exist, the action will fail. capabilities: can_create_case_comments: false can_create_insight: false @@ -1444,14 +1492,14 @@ Update Cell: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the content of a specific cell within a Google Sheets spreadsheet via - the Google Sheets API. + Updates the content of a specific cell within a Google Sheets spreadsheet by + writing a new value to it. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1465,6 +1513,7 @@ Update Cell: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Update Row: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1478,74 +1527,81 @@ Update Cell: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Update Row: ai_description: >- - Updates a specific row in a Google Sheets spreadsheet with a provided list of - values. This action allows for the modification of existing data within a worksheet - by specifying the row index and a comma-separated string of values that will be - mapped to columns sequentially starting from the first column. + ### General Description + Updates a specific row in a Google Spreadsheet with a provided list of values. + This action allows users to programmatically modify existing spreadsheet data + by specifying the spreadsheet ID, the worksheet name, the row index, and the new + cell values. - ### Parameters - | Parameter Name | Type | Mandatory | Description | + ### Parameters Description + + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Sheet Id | string | Yes | The unique identifier of the spreadsheet, found in - the URL: `https://docs.google.com/spreadsheets/d/{SheetId}/edit`. | + | Sheet Id | String | Yes | The unique identifier of the spreadsheet, found in + the URL: `https://docs.google.com/spreadsheets/d/{Sheet-Id}/edit`. | - | Worksheet Name | string | No | The name of the specific tab (worksheet) to update. - If not provided, the action defaults to the first sheet ('Sheet1'). Note: This - is case-sensitive. | + | Worksheet Name | String | No | The name of the specific tab (worksheet) to update. + If not provided, the action defaults to the first sheet (Sheet1). Note: This is + case-sensitive. | - | Row Number | string | Yes | The numerical index of the row to be updated (e.g., - '1', '2'). | + | Row Number | String | Yes | The numerical index of the row to be updated (e.g., + "1", "2"). | - | Values | string | Yes | A comma-separated list of values (e.g., 'val1,val2,val3') - to be written into the row. | + | Values | String | Yes | A comma-separated list of values to be placed in the + row, starting from the first column (e.g., "val1,val2,val3"). | ### Additional Notes - - The action overwrites existing data in the specified row starting from Column - A (Column 1). + - The action iterates through the comma-separated values provided in the 'Values' + parameter and updates cells sequentially starting from Column A (Column 1) of + the specified row. - - The `Values` parameter is split by commas; ensure that values containing commas - are handled according to the logic or that the input string is formatted correctly. + - Ensure the service account associated with the provided credentials has 'Editor' + access to the target spreadsheet. ### Flow Description - 1. **Initialization**: Extracts the service account credentials from the integration - configuration and the spreadsheet details from the action parameters. + 1. **Initialization**: Extracts the Google Sheets credentials from the integration + configuration and the action parameters (Sheet Id, Worksheet Name, Row Number, + and Values). - 2. **Connection**: Authenticates with the Google Sheets API and opens the spreadsheet - using the provided `Sheet Id`. + 2. **Connection**: Establishes a connection to the Google Sheets API using the + provided service account credentials. - 3. **Worksheet Selection**: Selects the target worksheet based on the `Worksheet - Name` parameter or defaults to the first available sheet. + 3. **Resource Selection**: Opens the spreadsheet using the 'Sheet Id'. If a 'Worksheet + Name' is provided, it selects that specific tab; otherwise, it defaults to the + first worksheet. - 4. **Data Processing**: Splits the `Values` string into a list of individual cell - values. + 4. **Data Processing**: Splits the 'Values' string into a list based on the comma + delimiter. - 5. **Execution**: Iterates through the list of values and updates each cell in - the specified `Row Number`, incrementing the column index for each value. + 5. **Execution**: Iterates through the list of values, updating each cell in the + specified 'Row Number' starting from the first column. - 6. **Completion**: Returns a success message if the row is updated or an error - message if the operation fails. + 6. **Completion**: Returns a success message if the row is updated successfully + or an error message if the operation fails. capabilities: can_create_case_comments: false can_create_insight: false @@ -1554,13 +1610,14 @@ Update Row: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates cell values within a specific row of an external Google Sheets spreadsheet. + Updates cell values within a specific row of a Google Spreadsheet via the Google + Sheets API. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1574,6 +1631,7 @@ Update Row: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Update Rows: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1587,77 +1645,81 @@ Update Row: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Update Rows: ai_description: >- ### General Description - The **Update Rows** action allows users to modify specific rows within a Google - Spreadsheet. It is designed to take a list of row numbers and a set of values, - then sequentially update the cells in those rows starting from the first column. - This is useful for logging, tracking status changes, or updating shared records - directly from a SOAR workflow. + Updates specific rows in a Google Sheets spreadsheet with a provided set of values. + This action is designed to modify existing data within a spreadsheet, making it + useful for maintaining external logs, tracking incident progress, or updating + shared records directly from a SOAR playbook. ### Parameters Description - | Parameter Name | Type | Mandatory | Description | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Row Number** | String | Yes | A comma-separated list of row indices (e.g., - "1,2,5") that you want to update in the sheet. | + | Row Number | String | Yes | A comma-separated list of row indices to be updated + (e.g., "1, 5, 10"). | - | **Values** | Content | Yes | A comma-separated list of values (e.g., "Value1,Value2") - to be placed in the columns of the specified rows. The first value goes to Column - A, the second to Column B, and so on. | + | Values | Content | Yes | A comma-separated list of values to be written into + the cells of the specified rows. The values are applied sequentially starting + from the first column (Column A). | - | **Sheet Id** | String | Yes | The unique identifier of the spreadsheet, found - in the URL: `https://docs.google.com/spreadsheets/d/{SheetId}/edit`. | + | Sheet Id | String | Yes | The unique ID of the spreadsheet, which can be extracted + from the spreadsheet's URL. | - | **Worksheet Name** | String | No | The name of the specific tab (worksheet) - to update. If left blank, the action defaults to the first worksheet (Sheet1). + | Worksheet Name | String | No | The name of the specific tab (worksheet) within + the spreadsheet. If not provided, the action defaults to the first worksheet. | - ### Additional Notes + ### Flow Description - - The action uses service account credentials configured in the integration settings - to authenticate with the Google Sheets API. + 1. **Initialization**: The action retrieves the service account credentials from + the integration configuration and the target spreadsheet details from the action + parameters. - - Ensure the service account has 'Editor' permissions on the target spreadsheet. + 2. **Connection**: It establishes a connection to the Google Sheets API using + the `gspread` library. - - Column updates always start from Column 1 (Column A). + 3. **Worksheet Selection**: The action opens the spreadsheet by its ID and selects + the specified worksheet (or the first one by default). + 4. **Data Processing**: It parses the comma-separated strings for row numbers + and values. - ### Flow Description + 5. **Cell Updates**: For every row number provided, the action iterates through + the list of values and updates the corresponding cells in that row, starting from + column 1. - 1. **Initialization**: The action extracts the Google Sheets credentials from - the integration configuration and the row/value details from the action parameters. + 6. **Completion**: Returns a success message once all specified cells have been + updated. - 2. **Connection**: It establishes a connection to the Google Sheets API using - the provided service account JSON. - 3. **Targeting**: It opens the spreadsheet identified by the `Sheet Id` and selects - the specified `Worksheet Name` (or the first sheet by default). + ### Additional Notes - 4. **Execution**: It iterates through each provided row number. For every row, - it iterates through the list of values and updates the corresponding cells (Row - X, Column 1; Row X, Column 2, etc.). + - The service account used in the configuration must have "Editor" permissions + on the target Google Sheet. - 5. **Completion**: If all updates are successful, the action returns a success - message; otherwise, it catches and reports the specific error encountered. + - The action updates cells sequentially; for example, if three values are provided, + they will populate columns A, B, and C of the target rows. capabilities: can_create_case_comments: false can_create_insight: false @@ -1666,14 +1728,14 @@ Update Rows: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates cell values within a Google Spreadsheet by writing new data to specified - rows and columns. + Updates cell values within a Google Sheets spreadsheet based on the provided + row numbers and values. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1687,28 +1749,3 @@ Update Rows: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/community/google_sheets/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/google_sheets/resources/ai/connectors_ai_description.yaml index 421f213b9..82899304a 100644 --- a/content/response_integrations/third_party/community/google_sheets/resources/ai/connectors_ai_description.yaml +++ b/content/response_integrations/third_party/community/google_sheets/resources/ai/connectors_ai_description.yaml @@ -2,11 +2,10 @@ Sheet Connector: ai_description: >- ### General Description - The Sheet Connector allows Google SecOps to ingest data directly from Google Sheets. - It treats each row in a specified worksheet as a potential security event, converting - them into alerts and cases. This is particularly useful for ingesting manually - maintained watchlists, tracking logs, or simple automation triggers stored in - a spreadsheet format. + This connector integrates with Google Sheets to ingest data rows as alerts into + Google SecOps. It allows security teams to automate the ingestion of manual logs, + tracking spreadsheets, or any tabular data stored in Google Drive, converting + each row into a structured alert for further investigation. ### Parameters Description @@ -15,56 +14,56 @@ Sheet Connector: | :--- | :--- | :--- | :--- | - | Alert Name Column Index | Integer | Yes | The zero-based index of the column - to be used as the Alert Name. | + | Credentials Json | String | Yes | Service account credentials in JSON format + used for Google API authentication. | - | Credentials Json | String | Yes | The JSON content of a Google Service Account - key with access to the sheet. | + | Sheet Id | String | Yes | The unique identifier of the Google Spreadsheet (found + in the URL). | - | DeviceProductField | String | Yes | The field name used to determine the device - product in the SOAR. | + | Worksheet Name | String | Yes | The name of the specific tab/worksheet to pull + data from (e.g., 'Sheet1'). | - | EventClassId | String | Yes | The field name used to determine the event name - or sub-type. | + | Alert Name Column Index | Integer | Yes | The 0-based index of the column to + use for the Alert Name. Set to -1 to use the Product name instead. | - | Filter Alert Column Index | Integer | No | The index of a column used to filter - which rows should be ingested. | + | Product | String | Yes | The product name to assign to the ingested alerts and + events. | - | Filter Alert Column Value | String | No | The specific value required in the - filter column for a row to be processed. | + | Filter Alert Column Index | Integer | No | The 0-based index of the column used + to filter rows for ingestion. | - | Product | String | Yes | The product name assigned to the ingested alerts. | + | Filter Alert Column Value | String | No | The specific value to match in the + filter column; only matching rows will be ingested. | - | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the - connector execution. | + | DeviceProductField | String | Yes | The field name used to determine the device + product in the SOAR mapping. | - | Sheet Id | String | Yes | The unique ID of the Google Sheet (found in the URL). - | + | EventClassId | String | Yes | The field name used to determine the event name + or sub-type. | - | Worksheet Name | String | Yes | The name of the specific tab/worksheet to pull - data from (e.g., Sheet1). | + | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the + connector execution. | ### Flow Description - 1. **Authentication**: The connector authenticates with the Google Sheets API - using the provided Service Account JSON credentials. + 1. **Authentication**: Connects to the Google Sheets API using the provided Service + Account JSON credentials. - 2. **Sheet Access**: It opens the spreadsheet identified by the Sheet Id and selects - the specified Worksheet Name. + 2. **Resource Access**: Opens the spreadsheet using the 'Sheet Id' and selects + the specified 'Worksheet Name'. - 3. **Data Retrieval**: The connector fetches all values from the worksheet, identifying - the first row as the header for field mapping. + 3. **Data Retrieval**: Reads the first row to establish headers and then fetches + all subsequent data rows. - 4. **Filtering**: For each row (starting from the second row), it checks if a - filter is configured. If the value in the Filter Alert Column Index does not match - the Filter Alert Column Value, the row is skipped. + 4. **Filtering**: If filtering parameters are provided, the connector checks the + value at the specified column index for each row, skipping rows that do not match. - 5. **Alert Creation**: For valid rows, it generates a unique Alert ID and sets - the Alert Name based on the configured column index. + 5. **Alert Creation**: For each valid row, a unique Alert object is created. The + alert name is derived from the configured column index. - 6. **Event Mapping**: Each cell in the row is mapped to an event field using the - header names retrieved in step 3. + 6. **Event Mapping**: Maps every cell in the row to an event dictionary, using + the worksheet headers as keys. - 7. **Ingestion**: The constructed alerts, containing the row data as events, are - returned to Google SecOps for case creation. + 7. **Ingestion**: Packages the alerts and events, then sends them to Google SecOps + for case creation. diff --git a/content/response_integrations/third_party/community/google_sheets/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/google_sheets/resources/ai/integration_ai_description.yaml index 7b58b8805..4857505e8 100644 --- a/content/response_integrations/third_party/community/google_sheets/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/community/google_sheets/resources/ai/integration_ai_description.yaml @@ -7,6 +7,6 @@ product_categories: iam_and_identity_management: false itsm: true network_security: false - siem: false + siem: true threat_intelligence: false vulnerability_management: false diff --git a/content/response_integrations/third_party/community/goqr/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/goqr/resources/ai/actions_ai_description.yaml index 2ed595254..0f5580958 100644 --- a/content/response_integrations/third_party/community/goqr/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/goqr/resources/ai/actions_ai_description.yaml @@ -1,64 +1,99 @@ Generate QR Code: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Generate QR Code** action creates a QR code image from a provided string - of data, such as a URL or text. This utility action is useful for generating visual - representations of data that can be scanned by mobile devices or other QR readers. - The resulting image is automatically attached to the case wall in Google SecOps - and provided as a base64-encoded string in the action's output. + Use the **Generate QR Code** action to create a QR code image from a provided + string of data, such as a URL, text, or identifier. This utility action is useful + for visual representation of data within a case. The generated image is automatically + attached to the case wall for easy access by analysts. ### Parameters Description - | Parameter | Type | Mandatory | Default | Description | - | :--- | :--- | :--- | :--- | :--- | + | Parameter | Description | Expected Type | Mandatory | - | **Content** | String | Yes | N/A | The data, URL, or text string to encode into - the QR code. | + | :--- | :--- | :--- | :--- | - | **Size** | String | No | 200x200 | The dimensions of the generated image in - pixels (e.g., 300x300). Max 1000x1000. | + | Content | The data, URL, or text string to encode into the QR code. | String + | Yes | - | **Image Format** | DDL | No | png | The file format for the output image (png, - jpg, gif, svg). | + | Size | The dimensions of the generated image in pixels in the format {width}x{height}. + The maximum value is 1000x1000. Default is 200x200. | String | No | - | **Error Correction** | DDL | No | Low | Level of data redundancy (Low, Medium, - Quartile, High). | + | Image Format | The file format for the output image. Options: png, jpg, gif, + svg. Default is png. | DDL | No | - | **Margin** | String | No | 1 | Width of the blank border around the QR code - in pixels. | + | Error Correction | The level of data redundancy applied to the QR code. Higher + levels increase damage resistance but result in a more complex image. Options: + Low (7%), Medium (15%), Quartile (25%), High (30%). Default is Low. | DDL | No + | - | **Foreground Color** | String | No | 0-0-0 | Color of the QR code modules in - R-G-B format. | + | Margin | The width of the blank border (quiet zone) around the QR code, measured + in pixels. Default is 1. | String | No | - | **Background Color** | String | No | 255-255-255 | Color of the image background - in R-G-B format. | + | Foreground Color | The color of the QR code modules in R-G-B format. Default: + 0-0-0 (black). | String | No | + | Background Color | The color of the image background in R-G-B format. Default: + 255-255-255 (white). | String | No | - ### Flow Description - 1. **Parameter Extraction**: The action retrieves the input string and optional - formatting parameters (size, colors, etc.). + ### Additional Notes - 2. **API Request**: It sends a request to the GOQR API to generate the QR code - based on the provided configuration. + - This action does not run on Google SecOps entities. - 3. **File Handling**: The received image bytes are saved as a temporary file. + - The generated QR code is saved as a temporary file and then uploaded as a case + attachment. - 4. **Case Integration**: The temporary file is uploaded as an attachment to the - current Google SecOps case. + - The action returns a base64 encoded string of the image in the JSON results + for use in subsequent playbook steps. - 5. **Result Generation**: The action returns a JSON object containing the base64-encoded - image and metadata, and cleans up temporary files. + ### Flow Description - ### Additional Notes + 1. **Extract Parameters:** The action retrieves the input string and optional + formatting parameters (size, colors, error correction) from the user configuration. - - This action does not process or require Google SecOps entities. + 2. **API Request:** It sends a request to the GOQR API to generate the QR code + image based on the provided specifications. - - The generated QR code is visible on the Case Wall as an attachment. + 3. **File Handling:** The received image bytes are saved to a temporary file on + the system. + + 4. **Case Integration:** The temporary file is attached to the Google SecOps case + wall. + + 5. **Result Reporting:** The action populates the JSON results with the base64-encoded + image and metadata, then cleans up temporary files. capabilities: can_create_case_comments: false can_create_insight: false @@ -66,14 +101,14 @@ Generate QR Code: can_mutate_external_data: false can_mutate_internal_data: true can_update_entities: false - external_data_mutation_explanation: null + external_data_mutation_explanation: 'null' fetches_data: true internal_data_mutation_explanation: >- Adds the generated QR code image as an attachment to the case wall. categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -87,6 +122,7 @@ Generate QR Code: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -100,52 +136,55 @@ Generate QR Code: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: ai_description: >- ### General Description The **Ping** action is a diagnostic tool used to verify the connectivity between - the Google SecOps platform and the GOQR (QR Server) API. Its primary purpose is - to ensure that the integration's configuration (such as the API Root and SSL settings) - is correct and that the external service is reachable. + the Google SecOps platform and the QR Server API. It ensures that the integration + is correctly configured and that the network path to the API endpoint is open. ### Parameters Description - This action does not require any input parameters. + There are no parameters for this action. - ### Flow Description + ### Additional Notes - 1. **Initialization**: The action initializes the GOQR API client using the global - integration configuration (API Root and Verify SSL). + This action uses the 'API Root' and 'Verify SSL' settings defined in the integration + configuration to establish the connection. It performs a lightweight request to + a specific endpoint to confirm the service is responsive. - 2. **Connectivity Test**: It executes a lightweight API call to the QR Server's - `create-qr-code` endpoint using a static 'PingCheck' data string. - 3. **Validation**: The action checks the response from the server. If the server - responds successfully, the action concludes that the connection is established. + ### Flow Description - 4. **Output**: A success message is returned if the connection is valid; otherwise, - an error message is generated to assist in troubleshooting. + 1. **Initialize API Client**: The action starts by retrieving the integration's + global configuration, including the API Root URL and SSL verification settings. + 2. **Execute Connectivity Test**: It sends a test request to the QR Server API + (specifically targeting the QR code creation endpoint with a 'PingCheck' payload). - ### Additional Notes + 3. **Evaluate Response**: The action checks if the API responds successfully without + errors. - - This action is typically used during the initial setup of the integration or - for troubleshooting communication issues. + 4. **Report Status**: If the connection is successful, it returns a confirmation + message; otherwise, it provides an error message indicating a configuration or + connectivity issue. capabilities: can_create_case_comments: false can_create_insight: false @@ -159,7 +198,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -173,6 +212,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Scan QR Code: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -186,63 +226,68 @@ Ping: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Scan QR Code: ai_description: >- ### General Description - The **Scan QR Code** action extracts and decodes data from a QR code image provided - as a Base64-encoded string. This utility is primarily used to programmatically - retrieve the URL or text content embedded within QR codes found in attachments - or screenshots during security investigations. + The **Scan QR Code** action allows users to extract and decode information from + a QR code image. The image must be provided as a Base64-encoded string. This utility + is particularly useful for security analysts who need to programmatically inspect + the contents of QR codes found in phishing emails, documents, or other suspicious + artifacts. ### Parameters Description - | Parameter | Description | Type | Mandatory | Default | + | Parameter | Description | Type | Mandatory | Default Value | | :--- | :--- | :--- | :--- | :--- | | QR Image Base64 Blob | The Base64-encoded string representing the QR code image - file to be scanned. | String | Yes | N/A | + file to be scanned. | string | True | "" | ### Flow Description - 1. **Parameter Extraction:** The action retrieves the Base64-encoded image string + 1. **Parameter Extraction**: The action retrieves the Base64-encoded image string from the input parameters. - 2. **Base64 Decoding:** The string is decoded into raw image bytes. If decoding - fails, an error is raised. + 2. **Base64 Decoding**: The string is decoded into raw image bytes. If the string + is not valid Base64, the action raises a `GOQRError`. - 3. **API Interaction:** The image bytes are sent to the GOQR API's `read-qr-code` + 3. **API Request**: The image bytes are sent to the GOQR API's `read-qr-code` endpoint. - 4. **Result Processing:** The action parses the API response, extracting the decoded - data from the QR symbols. + 4. **Response Validation**: The action checks if the API successfully identified + and decoded any QR code symbols within the image. - 5. **Output Generation:** The decoded content is saved into the action's JSON - results, and the action completes successfully if data is found. + 5. **Data Extraction**: If valid symbols are found, the action extracts the decoded + data and metadata (such as the QR code type). + + 6. **Output Generation**: The decoded results are formatted into a JSON object, + and the action completes successfully. ### Additional Notes - * The action expects a valid Base64 string. Ensure that any headers (like `data:image/png;base64,`) - are stripped if necessary. + - The action expects a valid image file (e.g., PNG, JPG) encoded in Base64 format. - * If the image contains no recognizable QR code or the API fails to decode it, - the action will result in a failure. + - If the image does not contain a recognizable QR code or if the API cannot decode + it, the action will fail with a descriptive error message. capabilities: can_create_case_comments: false can_create_insight: false @@ -256,7 +301,7 @@ Scan QR Code: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -270,28 +315,3 @@ Scan QR Code: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/community/hibob/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/hibob/resources/ai/actions_ai_description.yaml index 4d1658634..67d62df9e 100644 --- a/content/response_integrations/third_party/community/hibob/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/hibob/resources/ai/actions_ai_description.yaml @@ -1,41 +1,76 @@ Enrich Entities: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - Enriches USER entities with detailed profile information from the Hibob HRIS platform. - This action retrieves comprehensive employee data, flattens the hierarchical structure, - and maps it directly to the entity's additional properties within Google SecOps. + ### General Description + + The **Enrich Entities** action retrieves detailed employee information from the + Hibob HR platform for User entities within a case. It is designed to provide security + analysts with organizational context, such as department, role, and manager details, + by mapping Hibob user attributes directly to the entity's properties in Google + SecOps. - ### Parameters + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | | Get User Image | Boolean | No | If enabled, the action logic is prepared to - handle user avatar retrieval (though the primary flow focuses on profile metadata). + handle user avatar retrieval, though the primary flow focuses on metadata enrichment. | ### Flow Description - 1. **Initialization**: Retrieves the Hibob API token from the integration configuration - and initializes the Hibob Manager. + 1. **Initialization**: The action initializes the Hibob manager using the provided + API Token and base URL. + + 2. **Entity Filtering**: It iterates through all target entities in the current + context, specifically filtering for those of type **USER**. - 2. **Entity Filtering**: Iterates through the target entities and identifies those - of type `USER`. + 3. **Data Retrieval**: For each User entity, the action queries the Hibob API + (`/v1/people/{identifier}`) using the entity's identifier (typically an email + or employee ID). - 3. **Data Retrieval**: For each identified user, it queries the Hibob API (`/v1/people/{identifier}`) - using the entity's identifier (email or ID). + 4. **Data Transformation**: The retrieved JSON response is flattened into a single-level + dictionary to ensure compatibility with entity attributes. - 4. **Data Transformation**: Flattens the resulting JSON response to ensure all - nested attributes are accessible and prefixes all keys with 'Hibob' for clear - attribution. + 5. **Namespace Prefixing**: A "Hibob" prefix is added to all retrieved keys to + prevent data collisions and clearly identify the source of the enrichment. - 5. **Internal Update**: Updates the entity's `additional_properties` with the - flattened data and sets the `is_enriched` flag to true. + 6. **Internal Update**: The entity's `additional_properties` are updated with + the new metadata, and the entity is marked as `is_enriched`. - 6. **Finalization**: Commits the updated entity profiles to the case and returns - a full JSON result of the retrieved data. + 7. **Finalization**: The action updates the entities within Google SecOps and + outputs a summary message of the enriched users along with the raw JSON results. capabilities: can_create_case_comments: false can_create_insight: false @@ -47,12 +82,12 @@ Enrich Entities: fetches_data: true internal_data_mutation_explanation: >- Updates entity additional properties with flattened Hibob user metadata and - sets the 'is_enriched' flag on processed entities. + sets the 'is_enriched' flag to true. categories: enrichment: true entity_usage: entity_types: - - USERUNIQNAME + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -66,6 +101,7 @@ Enrich Entities: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get User Image: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -79,51 +115,64 @@ Enrich Entities: enrich_asset: true enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get User Image: ai_description: >- - Retrieves the profile image for a specific employee from the Hibob platform. The - action uses an email address to identify the user, fetches their unique employee - ID, and then retrieves the associated avatar data. The resulting image is processed - and returned as a Base64-encoded string and a raw URL string within the JSON results. + ### General Description + The **Get User Image** action retrieves the profile image (avatar) for a specific + employee from the Hibob platform using their email address. This action is useful + for enriching user profiles within a security context or for identity verification + processes. It returns the image in both Base64 encoded format and as a decoded + string. - ### Parameters + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Employee's Email | string | True | The email address of the employee whose profile - photo you want to retrieve. | + | Employee's Email | String | True | The email address of the employee whose photo + you want to retrieve. | ### Flow Description + 1. **Parameter Extraction**: The action retrieves the provided employee email + from the input parameters. + + 2. **User Identification**: It queries the Hibob API to find the employee's internal + unique identifier associated with the provided email address. + + 3. **Image Retrieval**: Using the internal identifier, it fetches the employee's + avatar data from the Hibob avatar endpoint. + + 4. **Data Processing**: The binary image content is encoded into a Base64 string + for easy transport and display. - 1. **Identify User:** The action calls the Hibob API to retrieve employee details - based on the provided email address to obtain the internal employee ID. + 5. **Result Output**: The action returns a JSON object containing the Base64 string + and the decoded content, along with status flags indicating if the user and image + exist. - 2. **Fetch Image:** Using the employee ID, the action makes a request to the Hibob - avatar endpoint to retrieve the binary image content. - 3. **Process Data:** The binary image data is encoded into a Base64 string for - easy use in downstream tasks or UI components. + ### Additional Notes - 4. **Output Results:** The action populates a JSON result containing the Base64 - string, the image URL/content, and a boolean indicating if the user exists. + - If the user is not found or does not have an image associated with their profile, + the action will return a failure status with a descriptive message. capabilities: can_create_case_comments: false can_create_insight: false @@ -137,7 +186,7 @@ Get User Image: categories: enrichment: true entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -151,6 +200,7 @@ Get User Image: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -161,53 +211,62 @@ Get User Image: disable_identity: false download_file: false enable_identity: false - enrich_asset: true + enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: ai_description: >- ### General Description - The Ping action is designed to verify the connectivity between the Google SecOps - platform and the Hibob service. It ensures that the provided API credentials (API - Token) are valid and that the Hibob API endpoint is reachable. This is typically - used as a health check for the integration. + + The **Ping** action is used to verify the connectivity between Google SecOps and + the Hibob platform. It ensures that the provided API credentials and the network + path to the Hibob API are functional. ### Parameters Description + There are no parameters for this action. + ### Additional Notes + + + This action is primarily used for troubleshooting and initial setup verification. + + ### Flow Description - 1. **Initialization**: The action initializes the Siemplify context and retrieves - the integration configuration, specifically the API Token. - 2. **Manager Setup**: An instance of the HibobManager is created using the hardcoded - API root (`https://api.hibob.com`) and the retrieved API Token. + 1. **Configuration Retrieval**: The action retrieves the API Token from the integration + settings. + + 2. **Manager Initialization**: An instance of the Hibob Manager is created using + the API root and token. 3. **Connectivity Test**: The action calls the `test_connectivity` method, which performs a GET request to the `/api/user` endpoint. - 4. **Validation**: The manager checks for successful HTTP status codes. It specifically - handles 401 (Unauthorized) and 404 (Not Found) errors to provide descriptive exceptions. + 4. **Response Validation**: The action checks for successful HTTP status codes + and valid JSON responses. - 5. **Output**: If the request is successful and returns valid JSON, the action - concludes with a 'Connected successfully' message. Otherwise, it reports a connection - failure. + 5. **Final Output**: Returns a success message if the connection is established, + or an error message if it fails. capabilities: can_create_case_comments: false can_create_insight: false @@ -221,7 +280,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -235,6 +294,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Revoke Access: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -242,32 +302,34 @@ Ping: contain_host: false create_ticket: false delete_email: false - disable_identity: false + disable_identity: true download_file: false enable_identity: false enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false - update_identity: false + update_identity: true update_ticket: false -Revoke Access: ai_description: >- ### General Description - The **Revoke Access** action disables a specific employee's access to the Hibob - platform using their email address. This action is primarily used for offboarding - or responding to security incidents by ensuring a user can no longer authenticate - to the Hibob HRIS system. + The **Revoke Access** action is designed to disable a specific employee's access + to the Hibob platform using their email address. This action is primarily used + for offboarding or security containment to ensure a user can no longer authenticate + or access company resources within Hibob. ### Parameters Description @@ -276,32 +338,33 @@ Revoke Access: | :--- | :--- | :--- | :--- | - | Employee's Email | The email address of the employee whose access you want to - revoke in Hibob. | String | Yes | + | Employee's Email | The email address of the employee whose access needs to be + revoked in Hibob. | String | Yes | + + + ### Additional Notes + + This action does not process entities from the Google SecOps case; it relies entirely + on the provided email parameter. It performs a state-changing operation in Hibob + by 'uninviting' the user. ### Flow Description - 1. **Retrieve User Details:** The action calls the Hibob API to fetch the employee's - internal identifier and current invitation state based on the provided email address. + 1. **Retrieve Employee Details:** The action calls the Hibob API to find the employee's + internal ID and current status based on the provided email address. 2. **Validate Existence:** If the employee is not found in Hibob, the action returns - a message stating the user does not exist. + a failure status. 3. **Check Current Status:** The action checks if the employee's status is already - set to 'uninvited'. If so, it concludes that access was already revoked. + 'uninvited'. If so, it concludes that the revocation was already performed. 4. **Execute Revocation:** If the employee is active, the action sends a POST - request to the Hibob `/uninvite` endpoint to revoke the user's access. + request to the Hibob `/uninvite` endpoint to revoke their access. 5. **Report Result:** The action returns a JSON result indicating whether the - user existed and if the revocation was successfully performed. - - - ### Additional Notes - - This action operates independently of Google SecOps entities and relies entirely - on the manually provided email parameter. + user existed and if the revocation was successfully completed. capabilities: can_create_case_comments: false can_create_insight: false @@ -310,15 +373,14 @@ Revoke Access: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - The action sends a POST request to the Hibob API's uninvite endpoint, which - changes the employee's account state to 'uninvited', effectively disabling their - access to the platform. + The action sends a POST request to the Hibob '/uninvite' endpoint, which changes + the employee's status to 'uninvited' and revokes their access to the platform. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -332,6 +394,7 @@ Revoke Access: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Search User: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -339,50 +402,65 @@ Revoke Access: contain_host: false create_ticket: false delete_email: false - disable_identity: true + disable_identity: false download_file: false enable_identity: false - enrich_asset: false + enrich_asset: true enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: true search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Search User: - ai_description: "### General Description\nThe **Search User** action allows analysts\ - \ to verify the existence of a specific employee within the Hibob HR platform\ - \ and retrieve their detailed profile information. By providing an email address,\ - \ the action queries the Hibob API to fetch comprehensive metadata about the user,\ - \ such as their role, department, and contact details. This is particularly useful\ - \ for identity verification during security investigations or for enriching playbook\ - \ context with organizational data.\n\n### Parameters Description\n| Parameter\ - \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| **Employee's\ - \ Email** | String | Yes | The email address of the employee to search for in\ - \ Hibob. This serves as the unique identifier for the lookup. |\n\n### Flow Description\n\ - 1. **Initialization**: The action initializes the Hibob Manager using the provided\ - \ API Token and the base URL (https://api.hibob.com).\n2. **Parameter Extraction**:\ - \ It retrieves the target email address from the action's input parameters.\n\ - 3. **API Request**: The action performs a GET request to the Hibob `/v1/people/{employee_identifier}`\ - \ endpoint using the provided email.\n4. **Response Handling**: \n * If the\ - \ user is found (HTTP 200), the action parses the JSON response containing the\ - \ employee's details.\n * If the user is not found (HTTP 404), the action identifies\ - \ that the user does not exist.\n5. **Result Output**: The retrieved user data\ - \ is added to the action's JSON results, and the action completes with a success\ - \ or failure message based on whether the user was located.\n\n### Additional\ - \ Notes\n* This action does not iterate over entities in the Google SecOps case;\ - \ it relies strictly on the manual input provided in the 'Employee's Email' parameter.\n\ - * While the code contains comments suggesting entity enrichment, the current implementation\ - \ only returns data via JSON results and does not update entity attributes or\ - \ create insights." + ai_description: >- + Searches for a specific user's details in Hibob using their email address. This + action is primarily used to verify the existence of an employee and retrieve their + profile information from the Hibob HRIS platform. It retrieves a comprehensive + JSON object containing the user's data if a match is found. + + + ### Flow Description: + + 1. **Parameter Extraction:** The action retrieves the 'Employee's Email' from + the user-provided parameters. + + 2. **API Request:** It initializes the Hibob Manager and performs a GET request + to the Hibob API endpoint `/v1/people/{email}`. + + 3. **Data Processing:** The action checks the API response. If the user exists + (HTTP 200), it captures the user's profile details. + + 4. **Result Reporting:** The retrieved data is added to the action's JSON results, + and the action completes with a success message. If the user is not found (HTTP + 404), it returns a failure message. + + + ### Parameters Description: + + | Parameter Name | Description | Type | Mandatory | Notes | + + | :--- | :--- | :--- | :--- | :--- | + + | Employee's Email | The email address of the employee to search for in Hibob. + | String | Yes | Default value is 'email@gmail.com'. | + + + ### Additional Notes: + + This action operates independently of the entities present in the Google SecOps + case. It relies strictly on the email address provided in the 'Employee's Email' + parameter. capabilities: can_create_case_comments: false can_create_insight: false @@ -394,9 +472,9 @@ Search User: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: true + enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -410,6 +488,7 @@ Search User: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Send Invitation: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -419,69 +498,78 @@ Search User: delete_email: false disable_identity: false download_file: false - enable_identity: false - enrich_asset: true + enable_identity: true + enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false - update_identity: false + update_identity: true update_ticket: false -Send Invitation: ai_description: >- - Sends a login invitation to an employee in the Hibob system. This action is primarily - used to invite new employees to log in for the first time or to re-invite users - who were previously disabled. It validates the employee's existence and current - invitation status before proceeding. + ### General Description + This action sends an invitation to a new or existing employee in the Hibob HR + system. It is primarily used to invite users to log in for the first time or to + re-invite users who were previously disabled or whose invitation state is not + currently active. The action identifies the user by their email address and applies + a specific onboarding 'Welcome Wizard' flow as defined in the Hibob settings. - ### Flow Description: - 1. **Retrieve Employee Details:** The action fetches the employee's profile from - Hibob using the provided email address to obtain their unique internal ID and - current invitation state. + ### Parameters Description - 2. **Status Validation:** It checks if the employee is already in an 'invited' - state. If so, the action stops to prevent redundant invitations. + | Parameter | Description | Type | Mandatory | Notes | - 3. **Wizard Identification:** If the employee is eligible for an invitation, the - action retrieves a list of all available onboarding wizards (flows) from Hibob. + | :--- | :--- | :--- | :--- | :--- | - 4. **Match Wizard:** It searches the list for a wizard matching the 'Welcome Wizard - Name' parameter to find the corresponding Wizard ID. + | Employee's Email | The email address of the employee to be invited. | String + | True | Used to look up the employee's unique ID in Hibob. | - 5. **Send Invitation:** Finally, it executes a POST request to the Hibob API to - send the invitation using the identified Employee ID and Wizard ID. + | Welcome Wizard Name | The name of the onboarding wizard flow (e.g., 'Welcome!'). + | String | True | This value is case-sensitive and must match the name configured + in Hibob (Settings -> Flows). | - ### Parameters Description: + ### Additional Notes - | Parameter Name | Type | Mandatory | Description | + - The action first verifies if the employee exists in Hibob before attempting + to send an invitation. - | :--- | :--- | :--- | :--- | + - If the employee is already in an 'invited' state, the action will terminate + without sending a duplicate invitation to avoid spamming the user. - | Employee's Email | string | True | The email address of the employee to whom - the invitation will be sent. | + - The 'Welcome Wizard Name' must exactly match the name in Hibob for the corresponding + ID to be correctly resolved. - | Welcome Wizard Name | string | True | The exact name of the onboarding wizard/flow - configured in Hibob (e.g., "Welcome!"). This field is case-sensitive. | + ### Flow Description - ### Additional Notes: + 1. **Fetch Employee Details:** The action calls the Hibob API to retrieve the + employee's unique identifier and current invitation state based on the provided + email. + + 2. **Validate State:** It checks if the employee exists and if they have already + been invited. + + 3. **Retrieve Wizards:** If the employee is eligible for an invitation, the action + fetches a list of all available onboarding wizards from Hibob. - - This action does not run on SecOps entities; it uses the email address provided - in the action parameters. + 4. **Resolve Wizard ID:** It searches the list of wizards to find the ID corresponding + to the provided 'Welcome Wizard Name'. - - The 'Welcome Wizard Name' must match exactly as defined in Hibob (Settings -> - Flows). + 5. **Send Invitation:** The action performs a POST request to Hibob to trigger + the invitation for the employee using the identified wizard ID. capabilities: can_create_case_comments: false can_create_insight: false @@ -490,14 +578,15 @@ Send Invitation: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Sends an invitation email to the employee and updates their invitation status - within the Hibob platform via a POST request. + The action performs a POST request to the Hibob API to send an invitation to + a specific employee, which modifies the employee's invitation state in the Hibob + system and triggers an automated email. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -511,6 +600,7 @@ Send Invitation: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Upload User Image: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -520,70 +610,66 @@ Send Invitation: delete_email: false disable_identity: false download_file: false - enable_identity: true + enable_identity: false enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false - update_identity: false + update_identity: true update_ticket: false -Upload User Image: ai_description: >- ### General Description - This action allows for the programmatic updating of an employee's profile picture - in the Hibob HR platform. It takes an employee's email address and a URL pointing - to an image, resolves the email to a Hibob internal employee ID, and then updates - the user's avatar. + The **Upload User Image** action allows analysts to update or set a profile picture + for a specific employee within the Hibob HR platform. By providing the employee's + email and a direct URL to an image, the action automatically resolves the internal + Hibob employee identifier and performs the update. ### Parameters Description - | Parameter | Type | Mandatory | Description | + | Parameter Name | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Employee's Email | string | Yes | The email address of the employee whose image - you want to update. This is used to look up the employee's internal ID. | + | Employee's Email | String | Yes | The email address of the employee whose profile + image you want to update. | - | Url Image | string | Yes | The direct URL of the image to be set as the employee's - new profile picture. | + | Url Image | String | Yes | The public URL of the image to be uploaded as the + employee's avatar. | ### Flow Description - 1. **Configuration Retrieval:** The action retrieves the Hibob API token and root - URL from the integration settings. - - 2. **Employee Lookup:** It calls the Hibob API to fetch the details of the employee - associated with the provided email address. + 1. **Retrieve Employee ID**: The action first queries the Hibob API using the + provided email address to fetch the employee's unique internal identifier. - 3. **ID Extraction:** If the employee is found, the action extracts their unique - internal identifier (ID). + 2. **Validation**: It checks if the user exists in the Hibob system. If not, the + action terminates with a failure message. - 4. **Image Upload:** The action sends a PUT request to the Hibob avatar endpoint - for that specific employee ID, providing the new image URL. + 3. **Upload Image**: Using the retrieved employee ID, the action sends a PUT request + to the Hibob avatars endpoint, passing the provided image URL in the request body. - 5. **Result Handling:** The action checks the response from Hibob. If the upload - is successful, it returns a success message; otherwise, it reports a failure (e.g., - if the user was not found or the upload failed). + 4. **Final Status**: The action returns a success message if the image is updated + or an error message if the upload fails (e.g., 404 error from the API). ### Additional Notes - - This action requires a valid API token with permissions to read employee data - and update avatars. - - - The image URL must be accessible by the Hibob service. + This action requires a valid API Token with permissions to read employee data + and update avatars in Hibob. capabilities: can_create_case_comments: false can_create_insight: false @@ -592,14 +678,14 @@ Upload User Image: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - The action performs a PUT request to the Hibob '/v1/avatars/{employee_identifier}' - endpoint to update the profile image of a specific employee. + Updates the employee's profile avatar in the Hibob platform via a PUT request + to the avatars endpoint. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -613,28 +699,3 @@ Upload User Image: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: true - update_ticket: false diff --git a/content/response_integrations/third_party/community/imgbb/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/imgbb/resources/ai/actions_ai_description.yaml index aacc3b78e..f52dc522c 100644 --- a/content/response_integrations/third_party/community/imgbb/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/imgbb/resources/ai/actions_ai_description.yaml @@ -1,19 +1,73 @@ Ping: - ai_description: "Verifies connectivity to the Imgbb service by performing a test\ - \ image upload. This action is used to ensure that the integration configuration,\ - \ specifically the API Key, is valid and that the Imgbb API is reachable from\ - \ the Google SecOps environment.\n\n### Flow Description:\n1. **Configuration\ - \ Retrieval:** The action retrieves the 'API Key' from the Imgbb integration settings.\n\ - 2. **Request Construction:** It prepares a POST request to the Imgbb upload API\ - \ endpoint (`https://api.imgbb.com/1/upload`).\n3. **Connectivity Test:** The\ - \ action sends a sample base64-encoded image as a payload to the API.\n4. **Validation:**\ - \ It checks the HTTP response status. If the request is successful (status code\ - \ 200), it confirms connectivity.\n5. **Completion:** The action returns a success\ - \ message and a boolean result to the playbook.\n\n### Parameters Description:\n\ - | Parameter Name | Description | Type | Mandatory | \n| :--- | :--- | :--- | :---\ - \ |\n| None | This action does not require any input parameters. | N/A | N/A |\n\ - \n### Additional Notes:\n* This action is a standard 'Ping' utility used primarily\ - \ for health checks and troubleshooting integration connectivity." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + ### General Description + + The **Ping** action is designed to verify the connectivity between Google SecOps + and the Imgbb service. It ensures that the provided API key is valid and that + the network path to the Imgbb API is open. Unlike a standard ICMP ping, this action + performs a functional test by attempting to upload a small sample image to the + service. + + + ### Parameters Description + + There are no user-configurable parameters for this action. It relies entirely + on the integration's global configuration (API Key). + + + ### Additional Notes + + * This action is primarily used for troubleshooting and initial setup verification. + + * Although named 'Ping', the action performs a POST request to the upload endpoint, + which results in a temporary resource creation on the Imgbb servers (set to expire + in 600 seconds). + + + ### Flow Description + + 1. **Configuration Retrieval:** The action fetches the 'API Key' from the Imgbb + integration settings. + + 2. **Request Construction:** It prepares a POST request to the Imgbb upload API + (`https://api.imgbb.com/1/upload`) including the API key and a hardcoded base64-encoded + sample image. + + 3. **Connectivity Test:** The action executes the HTTP POST request. + + 4. **Validation:** It checks the HTTP response status code. If the request is + successful (2xx status), it confirms connectivity. + + 5. **Completion:** The action returns a success message and a boolean result to + the SOAR platform. capabilities: can_create_case_comments: false can_create_insight: false @@ -22,14 +76,14 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - The action performs a POST request to the Imgbb upload endpoint, which results - in a temporary image being uploaded to the service to verify the API key's validity. + The action performs a POST request to the Imgbb upload endpoint, which creates + a temporary image resource on the external service. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -43,6 +97,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Upload Image From Base64: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -56,63 +111,67 @@ Ping: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false - submit_file: false + send_message: false + submit_file: true uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Upload Image From Base64: ai_description: >- ### General Description - This action uploads a base64-encoded image to the Imgbb hosting service. It is - primarily used to convert local image data into a publicly or semi-publicly accessible - URL, which can then be used in subsequent workflow steps such as sending emails, - updating tickets, or adding comments with visual evidence. + This action uploads an image to the Imgbb hosting service using a base64 encoded + string. It is designed to facilitate the external hosting of image-based evidence + (such as screenshots or captured visual data) and retrieve a publicly accessible + URL for use in reports or further automation steps. ### Parameters Description - | Parameter Name | Type | Mandatory | Description | + | Parameter Name | Description | Type | Mandatory | Additional Notes | - | :--- | :--- | :--- | :--- | + | :--- | :--- | :--- | :--- | :--- | - | Image in base64 | String | Yes | The base64-encoded string representing the - image file you wish to upload to Imgbb. | + | Image in base64 | The base64 encoded string of the image you would like to upload + to Imgbb. | string | True | Ensure the string is a valid base64 representation + of an image file. | ### Additional Notes - * The action automatically sets an expiration for the uploaded image (defaulted - in the code to 600 seconds/10 minutes via the API URL). + - The action hardcodes an expiration of 600 seconds (10 minutes) for the uploaded + image via the API URL. - * The resulting URL is provided both as a clickable link in the action results - and within the JSON output. + - The action provides the resulting URL as both a clickable link in the SOAR interface + and a structured JSON result. ### Flow Description - 1. **Configuration Retrieval:** The action fetches the API Key and SSL verification + 1. **Configuration Retrieval**: The action fetches the API Key and SSL verification settings from the Imgbb integration configuration. - 2. **Parameter Extraction:** It extracts the base64 image string provided by the - user. + 2. **Parameter Extraction**: It retrieves the base64 image string provided by + the user. - 3. **External API Call:** It performs a POST request to the Imgbb API (`/1/upload`) + 3. **External API Interaction**: A POST request is sent to the Imgbb API (`https://api.imgbb.com/1/upload`) containing the image data. - 4. **Response Processing:** The action parses the JSON response from Imgbb to - retrieve the unique URL of the uploaded image. + 4. **Response Processing**: The action parses the JSON response from Imgbb to + extract the `url` of the uploaded image. - 5. **Result Reporting:** It adds the image URL as a link to the action results, - populates the JSON result object, and concludes the action with a success message. + 5. **Result Output**: If successful, it adds the image URL as a link to the action + results and populates the JSON result object. If it fails, it captures the error + message from the API. capabilities: can_create_case_comments: false can_create_insight: false @@ -121,14 +180,14 @@ Upload Image From Base64: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Uploads image data to the Imgbb service, creating a new hosted image resource + Uploads a new image to the Imgbb hosting service, creating a new remote resource on their servers. - fetches_data: false + fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -142,6 +201,7 @@ Upload Image From Base64: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Upload Image From File Path: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -155,68 +215,69 @@ Upload Image From Base64: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: true uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Upload Image From File Path: ai_description: >- ### General Description - The **Upload Image From File Path** action allows users to upload a local image - file from the Google SecOps environment to the Imgbb hosting service. This action - is primarily used to convert local image files (such as screenshots or forensic - captures) into publicly or internally accessible URLs for easier sharing and documentation - within a case. + Uploads an image file from a specified local file path to the Imgbb hosting service. + This action is designed to facilitate the sharing of visual evidence (such as + screenshots or forensic captures) by converting local files into accessible web + URLs. The resulting URL is provided as a link in the action results and within + the JSON output. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Configuration Retrieval**: Fetches the API Key and SSL verification settings + from the integration configuration. - | :--- | :--- | :--- | :--- | + 2. **Parameter Extraction**: Retrieves the mandatory 'Image File Path' provided + by the user. - | Image File Path | String | Yes | The full local directory path to the image - file that needs to be uploaded. | + 3. **File Processing**: Opens the file from the local directory, reads its binary + content, and encodes it into a base64 string. + 4. **External API Interaction**: Sends a POST request to the Imgbb API containing + the base64-encoded image. - ### Flow Description + 5. **Response Handling**: Parses the JSON response from Imgbb to extract the generated + image URL. - 1. **Configuration Retrieval:** The action fetches the API Key and SSL verification - settings from the Imgbb integration configuration. + 6. **Output Generation**: Adds the image URL as a clickable link to the SOAR action + result and populates the JSON result for downstream use in the playbook. - 2. **File Reading:** It opens the file specified in the `Image File Path` parameter - in binary mode. - 3. **Encoding:** The binary content of the image is encoded into a Base64 string - to meet the requirements of the Imgbb API. + ### Parameters Description - 4. **API Request:** The action sends a POST request to the Imgbb upload endpoint - (`https://api.imgbb.com/1/upload`) with the Base64 image data. Note: The request - includes a hardcoded expiration of 600 seconds (10 minutes). + | Parameter | Type | Mandatory | Description | - 5. **Response Handling:** It parses the JSON response from Imgbb to extract the - generated image URL. + | :--- | :--- | :--- | :--- | - 6. **Result Reporting:** The action adds the image URL to the JSON results and - creates a clickable link in the SOAR interface for the analyst. + | Image File Path | string | True | The absolute file system path of the image + to be uploaded to Imgbb. | ### Additional Notes - - This action does not interact with or filter SecOps entities (IPs, Hostnames, - etc.). + * The action automatically sets an expiration of 600 seconds (10 minutes) for + the uploaded image via the API URL parameter. - - The uploaded image is temporary and will expire after 10 minutes based on the - API call parameters. + * If the upload fails or the service does not return a URL, the action will return + a failure status. capabilities: can_create_case_comments: false can_create_insight: false @@ -225,14 +286,14 @@ Upload Image From File Path: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Uploads an image file to the Imgbb service, creating a new hosted image resource + Uploads a file to the Imgbb service, which creates a new hosted image resource on their servers. - fetches_data: false + fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -246,28 +307,3 @@ Upload Image From File Path: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/community/ipqs_fraud_and_risk_scoring/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/ipqs_fraud_and_risk_scoring/resources/ai/actions_ai_description.yaml index decb208b7..2733f2d57 100644 --- a/content/response_integrations/third_party/community/ipqs_fraud_and_risk_scoring/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/ipqs_fraud_and_risk_scoring/resources/ai/actions_ai_description.yaml @@ -1,76 +1,4 @@ Enrich Domain: - ai_description: >- - Enriches Hostname entities using the IPQualityScore (IPQS) service to detect suspicious - URLs, phishing links, and malware in real-time. The action utilizes machine learning - models to provide risk scores and identify domain attributes such as parking status, - spam scores, and domain age. - - - ### Flow Description - - 1. **Parameter Extraction:** Retrieves the API Key from the integration configuration - and the 'Strictness' and 'Fast' parameters from the action settings. - - 2. **Entity Filtering:** Identifies Hostname entities within the current context. - - 3. **External API Query:** For each Hostname, it sends a request to the IPQS URL - API endpoint with the specified strictness and speed settings. - - 4. **Risk Scoring:** Processes the API response to calculate a risk verdict (e.g., - Clean, Suspicious, High Risk) based on malware, phishing, and risk score indicators. - - 5. **Internal Updates:** Updates the entity's additional properties with enriched - metadata, sets the 'is_enriched' flag, updates the 'is_suspicious' status if applicable, - and generates a detailed Case Insight and data table. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Strictness | DDL | Yes | Determines the scan's intensity (0, 1, or 2). Higher - levels increase detection but may raise false positives. | - - | Fast | Boolean | No | If enabled, the API performs lighter checks to provide - faster response times. | - - - ### Additional Notes - - - This action specifically targets Hostname entities. While the underlying manager - supports other types, this specific action logic restricts processing to Hostnames. - capabilities: - can_create_case_comments: false - can_create_insight: true - can_modify_alert_data: false - can_mutate_external_data: false - can_mutate_internal_data: true - can_update_entities: true - external_data_mutation_explanation: null - fetches_data: true - internal_data_mutation_explanation: >- - Updates entity additional properties with IPQS metadata, modifies entity suspicious/enriched - flags, and creates case insights with risk scoring details. - categories: - enrichment: true - entity_usage: - entity_types: - - HOSTNAME - filters_by_additional_properties: false - filters_by_alert_identifier: false - filters_by_case_identifier: false - filters_by_creation_time: false - filters_by_entity_type: true - filters_by_identifier: false - filters_by_is_artifact: false - filters_by_is_enriched: false - filters_by_is_internal: false - filters_by_is_pivot: false - filters_by_is_suspicious: false - filters_by_is_vulnerable: false - filters_by_modification_time: false action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -84,48 +12,76 @@ Enrich Domain: enrich_asset: false enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Enrich Email: - ai_description: "Enriches Email address entities (represented as User entities)\ - \ using the IPQualityScore (IPQS) Fraud and Risk Scoring API. This action provides\ - \ real-time email validation, reputation scoring, and risk assessment by performing\ - \ syntax checks, DNS verification, and SMTP checks to determine if an inbox exists\ - \ and is active. It identifies disposable email services, honeypots, and addresses\ - \ associated with recent abuse or fraudulent behavior.\n\n### Flow Description:\n\ - 1. **Parameter Extraction:** Retrieves the API key from the integration configuration\ - \ and action parameters including Abuse Strictness, Fast mode, Timeout, and Domain\ - \ Suggestion.\n2. **Entity Filtering:** Identifies User entities within the case\ - \ that match a standard email address format using regex.\n3. **External API Interaction:**\ - \ Sends a POST request to the IPQS Email Validation API for each valid email address.\n\ - 4. **Risk Scoring:** Evaluates the API response (fraud score, disposable status,\ - \ validity) to assign a risk verdict (e.g., CLEAN, LOW RISK, HIGH RISK, INVALID).\n\ - 5. **Internal Data Enrichment:** \n * Updates the entity's `additional_properties`\ - \ with detailed IPQS metadata.\n * Sets the entity's `is_enriched` flag to\ - \ true.\n * Sets the `is_suspicious` flag if the risk score exceeds defined\ - \ thresholds.\n6. **Reporting:** Generates a detailed data table and a Case Insight\ - \ within Google SecOps for analyst review.\n\n### Parameters Description:\n| Parameter\ - \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Abuse Strictness\ - \ | DDL | Yes | Sets the strictness level (0, 1, or 2) for machine learning pattern\ - \ recognition of abusive email addresses. |\n| Fast | Boolean | No | If enabled,\ - \ skips the SMTP check with the mail provider to increase API speed. |\n| Timeout\ - \ in seconds | String | No | Maximum seconds to wait for a reply from the mail\ - \ service provider (default is 7). |\n| Suggest Domain | Boolean | No | If enabled,\ - \ checks if the email domain has a typo and suggests corrections for popular mail\ - \ services. |\n\n### Additional Notes:\n* This action specifically targets `USER`\ - \ entities that contain valid email strings.\n* The `is_suspicious` flag is automatically\ - \ triggered if the email is identified as disposable, invalid, or has a high fraud\ - \ score." + ai_description: >- + ### General Description + + The **Enrich Domain** action leverages IPQualityScore (IPQS) to perform real-time + analysis of Hostname entities. It identifies malicious URLs, phishing attempts, + malware distribution points, and parked domains using advanced machine learning + models. The action provides detailed intelligence including risk scores, domain + age, and reputation data to help analysts assess the threat level of a domain. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | **Strictness** | DDL | Yes | Determines the intensity of the scan. Options are + 0, 1, or 2. Higher levels perform more rigorous checks but may increase the false-positive + rate. | + + | **Fast** | Boolean | No | When enabled, the API provides quicker response times + by utilizing lighter checks and analysis. | + + + ### Flow Description + + 1. **Parameter Extraction:** Retrieves the API Key from the integration configuration + and the Strictness and Fast settings from the action parameters. + + 2. **Entity Filtering:** Identifies all Hostname entities within the current context + to be processed. + + 3. **External API Query:** For each Hostname, sends a POST request to the IPQS + URL API to retrieve reputation and risk data. + + 4. **Risk Assessment:** Evaluates the returned risk score and specific threat + flags (e.g., malware, phishing, suspicious) to determine a final risk verdict + (e.g., Clean, Suspicious, High Risk, Critical). + + 5. **Internal Enrichment:** + * Updates the entity's additional properties with IPQS metadata prefixed + with 'IPQualityScore'. + * Sets the entity's status to 'Enriched' and marks it as 'Suspicious' if + the risk scoring logic determines a threat. + * Creates a detailed Case Insight and adds a data table to the entity for + immediate visibility in the SOAR interface. + 6. **Result Reporting:** Consolidates the results into a JSON object and provides + a summary message of the processed entities. + + + ### Additional Notes + + This action is specifically targeted at Hostname entities. While the underlying + manager supports multiple types, this specific action script restricts processing + to Hostnames. capabilities: can_create_case_comments: false can_create_insight: true @@ -136,20 +92,19 @@ Enrich Email: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity attributes with IPQS reputation data, modifies the suspicious - status of entities based on risk scores, and creates case insights and data - tables. + Updates entity attributes with enrichment data, sets the suspicious status of + entities based on risk scores, and creates case insights for analyst visibility. categories: enrichment: true entity_usage: entity_types: - - USERUNIQNAME + - HOSTNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false filters_by_creation_time: false filters_by_entity_type: true - filters_by_identifier: true + filters_by_identifier: false filters_by_is_artifact: false filters_by_is_enriched: false filters_by_is_internal: false @@ -157,6 +112,7 @@ Enrich Email: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Enrich Email: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -170,85 +126,88 @@ Enrich Email: enrich_asset: false enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Enrich IP: ai_description: >- - Enriches IP Address entities using the IPQualityScore (IPQS) API to perform real-time - fraud and risk scoring. The action retrieves comprehensive threat intelligence, - including fraud scores, proxy/VPN/TOR detection, ISP information, and geolocation - data. Based on the retrieved fraud score, the action automatically flags entities - as suspicious and generates detailed case insights for analysts. + ### General Description + Enriches Email addresses (represented as User entities) using the IPQualityScore + (IPQS) API. This action performs real-time validation, including syntax and DNS + checks, and determines if an email address is associated with abuse, fraud, or + disposable mail services. It calculates a fraud score and provides a risk verdict, + which is then used to update the entity's suspicious status and create detailed + case insights. - ### Flow Description - 1. **Parameter Extraction:** Retrieves the API key from the integration configuration - and extracts action parameters including strictness levels and optional forensic - flags (Fast, Mobile, etc.). + ### Parameters Description - 2. **Entity Filtering:** Identifies all IP Address entities within the current - context. + | Parameter | Type | Mandatory | Description | - 3. **External API Interaction:** For each IP address, it sends a POST request - to the IPQS API with the configured forensic parameters and user-agent/language - headers if provided. + | :--- | :--- | :--- | :--- | - 4. **Risk Evaluation:** Processes the API response to calculate a risk verdict - (Clean, Suspicious, Moderate, High, or Critical) based on the returned fraud score. + | Abuse Strictness | DDL | Yes | Sets the strictness level (0, 1, or 2) for machine + learning pattern recognition of abusive email addresses. | - 5. **Internal Data Enrichment:** Updates the entity's additional properties with - IPQS metadata, marks the entity as enriched, and sets the 'is_suspicious' flag - if the risk threshold is met. + | Fast | Boolean | No | If enabled, skips the SMTP check to increase API response + speed. | - 6. **Insight Generation:** Creates a case insight containing the IPQS verdict - and adds a detailed data table to the entity. + | Timeout in seconds | String | No | Maximum time (default 7s) to wait for a response + from the mail service provider. | + | Suggest Domain | Boolean | No | If enabled, checks for and suggests corrections + for typos in the email domain. | - ### Parameters Description - | Parameter | Type | Mandatory | Description | + ### Additional Notes - | :--- | :--- | :--- | :--- | + - The action specifically targets `USER` entities and validates that their identifier + matches an email regex pattern before processing. - | Strictness | DDL | Yes | Sets the depth of the query (0, 1, or 2). Higher values - provide more in-depth analysis but may increase false positives. | + - Internal risk scoring logic determines the 'is_suspicious' status based on the + `fraud_score`, `disposable`, and `valid` fields returned by the API. - | User Language | String | No | Optional user language header to help evaluate - fraud scores based on regional context. | - | User Agent | String | No | Optional browser user-agent string to detect bots - or invalid browsers. | + ### Flow Description - | Fast | Boolean | No | If enabled, skips certain time-consuming forensic checks - to speed up processing. | + 1. **Configuration Retrieval**: Retrieves the API key from the integration configuration + and extracts action parameters (Abuse Strictness, Fast mode, Timeout, and Suggest + Domain). - | Mobile | Boolean | No | If enabled, treats the lookup specifically as a mobile - device connection. | + 2. **Entity Filtering**: Filters the target entities to identify those of type + `USER`. - | Allow Public Access Points | Boolean | No | Bypasses checks for known public - access points like schools or corporate connections. | + 3. **Email Validation**: For each identified `USER` entity, the action verifies + if the identifier matches a standard email format using a regular expression. - | Lighter Penalties | Boolean | No | Skips specific denylists to reduce false - positives for sensitive audiences. | + 4. **API Interaction**: Sends a POST request to the IPQS Email Validation API + for each valid email address, passing the configured strictness and speed parameters. + 5. **Risk Assessment**: Parses the API response to calculate a risk verdict (e.g., + CLEAN, LOW RISK, HIGH RISK, INVALID, or DISPOSABLE) based on the fraud score and + validation flags. - ### Additional Notes + 6. **Internal Data Mutation**: Updates the Google SecOps entity with enrichment + attributes (prefixed with 'IPQualityScore'), sets the `is_enriched` flag, and + marks the entity as `is_suspicious` if the risk level is elevated. - - The action specifically targets `ADDRESS` entities. While the underlying manager - supports other types, this specific action logic is restricted to IP addresses. + 7. **Insight Generation**: Creates a Case Insight for each processed entity, providing + a summary of the IPQS verdict. - - The 'is_suspicious' flag is triggered if the fraud score is 60 or higher. + 8. **Result Reporting**: Adds a detailed data table to the entity and populates + the action's JSON results with the full API response. capabilities: can_create_case_comments: false can_create_insight: true @@ -259,13 +218,13 @@ Enrich IP: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with IPQS metadata, sets the 'is_enriched' - and 'is_suspicious' flags, and creates case insights. + Updates entity attributes with enrichment data, sets the 'is_suspicious' flag + based on the fraud score, and creates case insights. categories: enrichment: true entity_usage: entity_types: - - ADDRESS + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -279,6 +238,7 @@ Enrich IP: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Enrich IP: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -292,61 +252,52 @@ Enrich IP: enrich_asset: false enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Enrich Phone: - ai_description: >- - Enriches Phone Number entities using the IPQualityScore (IPQS) API to verify authenticity - and assess reputation. This action retrieves detailed metadata including carrier - information, line type (e.g., mobile, VOIP), and geographic data while performing - risk analysis to detect fraudulent or disposable numbers. - - - ### Parameters - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Strictness | DDL | Yes | Sets the depth of the reputation check (0, 1, or 2). - Higher levels are more restrictive but may increase false positives. | - - | Country(For multiple countries, provide comma-separated values) | String | No - | Optional comma-separated list of ISO country codes suspected to be associated - with the phone number to improve validation accuracy. | - - - ### Flow Description - - 1. **Initialization**: Retrieves the API key from the integration configuration - and extracts the 'Strictness' and 'Country' parameters from the action input. - - 2. **Entity Filtering**: Identifies all Phone Number entities within the current - context. - - 3. **External API Interaction**: For each phone number, it sends a POST request - to the IPQS Phone Validation API endpoint with the configured strictness and country - settings. - - 4. **Risk Scoring**: Analyzes the API response (Fraud Score, validity, and active - status) to determine a risk verdict (e.g., Clean, Suspicious, High Risk). - - 5. **Internal Enrichment**: Updates the entity in Google SecOps by adding enrichment - attributes (prefixed with 'IPQualityScore'), marking the entity as enriched, and - potentially flagging it as suspicious based on the risk score. - - 6. **Reporting**: Generates a detailed entity data table and creates a Case Insight - containing the IPQS risk verdict. + ai_description: "### General Description\nEnriches IP Address entities using the\ + \ IPQualityScore (IPQS) Fraud and Risk Scoring service. This action performs real-time\ + \ lookups to determine the risk level of an IP address, identifying if it is associated\ + \ with a proxy, VPN, or TOR connection, and providing over 20 data points including\ + \ fraud scores, geolocation, ISP, and connection type. It helps analysts identify\ + \ malicious actors, bots, and fraudulent transactions by providing a comprehensive\ + \ reputation profile.\n\n### Parameters Description\n| Parameter | Type | Mandatory\ + \ | Description |\n| :--- | :--- | :--- | :--- |\n| Strictness | ddl | Yes | Determines\ + \ how in-depth (strict) the query should be. Higher values (0, 1, 2) take longer\ + \ but provide more rigorous analysis. |\n| User Agent | string | No | Optional\ + \ browser user agent string to help identify bots or invalid browsers. |\n| User\ + \ Language | string | No | Optional user language header to assist in evaluating\ + \ the 'fraud_score'. |\n| Fast | boolean | No | If enabled, skips certain forensic\ + \ checks to speed up processing. |\n| Mobile | boolean | No | If enabled, specifies\ + \ that the lookup should be treated as a mobile device. |\n| Allow Public Access\ + \ Points | boolean | No | Bypasses checks for IP addresses from education, research,\ + \ or corporate connections. |\n| Lighter Penalties | boolean | No | Skips certain\ + \ denylists to reduce false positives for sensitive audiences. |\n\n### Flow Description\n\ + 1. **Configuration Extraction:** Retrieves the API Key from the integration configuration\ + \ and the action parameters (Strictness, User Agent, etc.).\n2. **Entity Filtering:**\ + \ Identifies all IP Address entities within the current context.\n3. **External\ + \ API Interaction:** For each IP address, sends a POST request to the IPQualityScore\ + \ API with the configured parameters.\n4. **Risk Scoring:** Evaluates the returned\ + \ 'fraud_score' and other indicators (proxy, VPN, malware status) to determine\ + \ a risk verdict (e.g., CLEAN, SUSPICIOUS, HIGH RISK, CRITICAL).\n5. **Internal\ + \ Data Enrichment:** \n * Updates the entity's additional properties with IPQS\ + \ metadata (ISP, ASN, Organization, etc.).\n * Sets the entity's 'is_enriched'\ + \ flag to true.\n * Marks the entity as 'is_suspicious' if the risk score exceeds\ + \ defined thresholds.\n6. **Insight Generation:** Creates a Case Insight for each\ + \ entity containing the IPQS verdict and adds a detailed data table to the entity's\ + \ results." capabilities: can_create_case_comments: false can_create_insight: true @@ -357,13 +308,13 @@ Enrich Phone: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity attributes with enrichment data, sets the suspicious flag based - on risk scores, and creates case insights. + Updates entity attributes with enrichment data, sets the suspicious status based + on fraud scores, and creates case insights. categories: enrichment: true entity_usage: entity_types: - - PHONENUMBER + - ADDRESS filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -377,6 +328,7 @@ Enrich Phone: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Enrich Phone: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -390,63 +342,69 @@ Enrich Phone: enrich_asset: false enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Enrich URL: ai_description: >- - ### General Description + Enriches Phone Number entities using the IPQualityScore (IPQS) API to verify validity + and assess risk. This action retrieves carrier information, line type (e.g., VOIP, + mobile, landline), and fraud scores to identify suspicious or disposable numbers. - Enriches URL entities using the IPQualityScore (IPQS) API to detect malicious - links, phishing attempts, and malware. This action performs real-time scanning - using machine learning models to provide risk scores and detailed domain intelligence, - such as domain age and parking status. It updates the entity's suspicious status - in Google SecOps based on the retrieved risk metrics and generates detailed insights - and data tables for further investigation. + ### Flow Description - ### Parameters Description + 1. **Parameter Extraction:** Retrieves the API key from the integration configuration + and the 'Strictness' and 'Country' parameters from the action settings. - | Parameter | Type | Mandatory | Description | + 2. **Entity Filtering:** Identifies all Phone Number entities within the current + alert context. - | :--- | :--- | :--- | :--- | + 3. **External API Query:** For each phone number, it sends a POST request to the + IPQS phone validation endpoint. - | Strictness | DDL | Yes | Determines the intensity of the scan (0, 1, or 2). - Higher levels increase detection accuracy but may raise the false-positive rate. - | + 4. **Risk Assessment:** Analyzes the API response (fraud score, active status, + validity) to determine a risk verdict (e.g., CLEAN, SUSPICIOUS, HIGH RISK). - | Fast | Boolean | No | If enabled, the API provides quicker response times by - using lighter checks and analysis. | + 5. **Internal Data Update:** Updates the entity's 'additional_properties' with + enrichment data, marks the entity as enriched, and sets the 'is_suspicious' flag + if risk thresholds are met. + 6. **Insight Generation:** Creates a case insight and adds a data table to the + entity containing the detailed verification results. - ### Flow Description - 1. **Initialization**: Retrieves the API key from the integration configuration - and the Strictness and Fast parameters from the action settings. + ### Parameters Description - 2. **Entity Filtering**: Identifies URL entities within the current case context. + | Parameter | Type | Mandatory | Description | - 3. **API Query**: For each URL, sends a request to the IPQS URL API endpoint with - the specified strictness and speed settings. + | :--- | :--- | :--- | :--- | - 4. **Data Analysis**: Parses the API response for risk scores, malware/phishing - flags, and domain metadata (e.g., domain rank, DNS validity, category). + | Strictness | DDL | Yes | Determines the depth of the reputation check (0, 1, + or 2). Higher levels are stricter but may increase false positives. | - 5. **Internal Mutation**: Updates the URL entity's attributes with enrichment - data and marks it as suspicious if the risk score or threat flags exceed defined - thresholds. + | Country(For multiple countries, provide comma-separated values) | String | No + | Optional list of ISO country codes suspected to be associated with the phone + number to improve validation accuracy. | - 6. **Reporting**: Creates a case insight summarizing the verdict and adds a detailed - data table and raw JSON result to the case for analyst review. + + ### Additional Notes + + - The action uses the `IPQualityScore` prefix for all added entity attributes. + + - Risk verdicts are calculated based on a combination of the `fraud_score`, `valid`, + and `active` fields returned by the API. capabilities: can_create_case_comments: false can_create_insight: true @@ -457,13 +415,13 @@ Enrich URL: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity attributes with enrichment data, sets suspicious status, and - creates case insights. + Updates entity attributes with enrichment data, sets the suspicious status of + entities, and creates case insights based on the fraud analysis. categories: enrichment: true entity_usage: entity_types: - - DestinationURL + - PHONENUMBER filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -477,6 +435,7 @@ Enrich URL: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Enrich URL: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -490,58 +449,70 @@ Enrich URL: enrich_asset: false enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: - ai_description: "### General Description\nThe **Ping** action is a diagnostic utility\ - \ used to verify the connectivity between the Google SecOps platform and the IPQualityScore\ - \ (IPQS) API. It ensures that the integration is correctly configured, the network\ - \ path is open, and the provided API Key is valid and active.\n\n### Parameters\ - \ Description\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- |\ - \ :--- | :--- |\n| N/A | N/A | N/A | This action does not have any input parameters.\ - \ It relies on the 'API Key' defined in the integration's shared configuration.\ - \ |\n\n### Flow Description\n1. **Configuration Extraction**: The action retrieves\ - \ the 'API Key' from the integration's global settings.\n2. **Test Payload Preparation**:\ - \ It prepares a sample request using a hardcoded support email address (`support@ipqualityscore.com`)\ - \ to test the API's response.\n3. **API Connectivity Check**: The action sends\ - \ a POST request to the IPQS email validation endpoint via the `IPQSManager`.\n\ - 4. **Response Analysis**: It evaluates the JSON response from the service, specifically\ - \ checking the 'success' boolean flag.\n5. **Execution Outcome**: \n * If the\ - \ API responds with a success status, the action returns a 'Successfully Connected'\ - \ message.\n * If the connection fails or the API returns an error (e.g., invalid\ - \ key), the action fails and reports the specific error message provided by the\ - \ service.\n\n### Additional Notes\n- This action does not process, filter, or\ - \ enrich any entities within a Google SecOps case.\n- It is strictly intended\ - \ for health checks and troubleshooting integration connectivity." + ai_description: "Enriches URL entities using the IPQualityScore (IPQS) service to\ + \ detect malicious activity in real-time. This action leverages machine learning\ + \ models to identify phishing links, malware URLs, viruses, and parked domains.\ + \ It retrieves detailed intelligence including risk scores, domain age, and classification\ + \ categories. Based on the results, the action updates the entity's suspicious\ + \ status in Google SecOps, adds enrichment attributes, and generates a case insight\ + \ for analysts.\n\n### Parameters\n| Parameter | Type | Mandatory | Description\ + \ |\n| :--- | :--- | :--- | :--- |\n| Strictness | ddl | Yes | Determines the\ + \ strictness of the scan (0, 1, or 2). Higher levels increase detection but may\ + \ raise false positives. |\n| Fast | boolean | No | If enabled, the API performs\ + \ lighter checks for faster response times. |\n\n### Additional Notes\n- This\ + \ action specifically targets URL entities. \n- The risk verdict (Clean, Low Risk,\ + \ Moderate Risk, High Risk, or Critical) is calculated based on the risk score\ + \ and specific threat flags (malware/phishing) returned by IPQS.\n\n### Flow Description\n\ + 1. **Initialization**: Extracts the API key from the integration configuration\ + \ and the 'Strictness' and 'Fast' parameters from the action settings.\n2. **Entity\ + \ Filtering**: Identifies all URL entities within the current alert context.\n\ + 3. **External API Interaction**: For each URL, sends a POST request to the IPQS\ + \ URL API endpoint with the configured strictness and speed settings.\n4. **Data\ + \ Processing**: Parses the API response to extract threat indicators (e.g., malware,\ + \ phishing, risk score) and metadata (e.g., domain age, IP address).\n5. **Internal\ + \ Mutation**: \n - Updates the entity's additional properties with the retrieved\ + \ data.\n - Sets the entity as 'suspicious' if the risk score or threat flags\ + \ exceed defined thresholds.\n - Creates a detailed Case Insight containing\ + \ the IPQS verdict.\n - Adds a data table to the entity for quick reference.\n\ + 6. **Completion**: Updates the entities in the SecOps platform and returns a summary\ + \ of the processed URLs." capabilities: can_create_case_comments: false - can_create_insight: false + can_create_insight: true can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: false - can_update_entities: false + can_mutate_internal_data: true + can_update_entities: true external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: null + internal_data_mutation_explanation: >- + Updates entity attributes with enrichment data, sets the suspicious flag based + on risk scores, and creates case insights. categories: - enrichment: false + enrichment: true entity_usage: - entity_types: [ ] + entity_types: + - DestinationURL filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false filters_by_creation_time: false - filters_by_entity_type: false + filters_by_entity_type: true filters_by_identifier: false filters_by_is_artifact: false filters_by_is_enriched: false @@ -550,6 +521,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -563,15 +535,63 @@ Ping: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false + ai_description: "### General Description\nThe **Ping** action is a diagnostic tool\ + \ designed to verify the connectivity between the Google SecOps platform and the\ + \ IPQualityScore (IPQS) API. It ensures that the provided API Key is valid and\ + \ that the network path to the IPQS servers is open. This action is typically\ + \ used during the initial setup of the integration or for troubleshooting communication\ + \ issues.\n\n### Parameters Description\nThere are no parameters for this action.\n\ + \n### Additional Notes\nThis action performs a test query using a hardcoded email\ + \ address (`support@ipqualityscore.com`) to validate the API response. It does\ + \ not process any entities from the current case or alert.\n\n### Flow Description\n\ + 1. **Configuration Extraction:** The action retrieves the 'API Key' from the integration's\ + \ configuration settings.\n2. **Payload Preparation:** A static JSON payload is\ + \ created containing a test email address.\n3. **API Request:** The action sends\ + \ a POST request to the IPQS email validation endpoint using the `IPQSManager`.\n\ + 4. **Response Validation:** The action checks the `success` field in the API response.\n\ + 5. **Final Status:** \n * If the request is successful, the action completes\ + \ with a success message.\n * If the request fails (e.g., invalid API key or\ + \ network error), the action fails and provides the error message returned by\ + \ the API." + capabilities: + can_create_case_comments: false + can_create_insight: false + can_modify_alert_data: false + can_mutate_external_data: false + can_mutate_internal_data: false + can_update_entities: false + external_data_mutation_explanation: null + fetches_data: true + internal_data_mutation_explanation: null + categories: + enrichment: false + entity_usage: + entity_types: [] + filters_by_additional_properties: false + filters_by_alert_identifier: false + filters_by_case_identifier: false + filters_by_creation_time: false + filters_by_entity_type: false + filters_by_identifier: false + filters_by_is_artifact: false + filters_by_is_enriched: false + filters_by_is_internal: false + filters_by_is_pivot: false + filters_by_is_suspicious: false + filters_by_is_vulnerable: false + filters_by_modification_time: false diff --git a/content/response_integrations/third_party/community/lacework/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/lacework/resources/ai/connectors_ai_description.yaml index 879195ebe..126bf1f0b 100644 --- a/content/response_integrations/third_party/community/lacework/resources/ai/connectors_ai_description.yaml +++ b/content/response_integrations/third_party/community/lacework/resources/ai/connectors_ai_description.yaml @@ -2,11 +2,11 @@ Lacework Connector: ai_description: >- ### General Description - The Lacework Connector integrates with the Lacework Events API to ingest security - events into Google SecOps. It allows security teams to monitor cloud security - posture, container activity, and compliance violations by automatically fetching - and converting Lacework events into actionable cases. The connector supports severity-based - filtering to ensure only relevant security incidents are processed. + The Lacework Connector enables Google SecOps to ingest security events from the + Lacework platform. It monitors for cloud security threats, compliance violations, + and anomalous behavior by pulling data from the Lacework Events API, allowing + security teams to centralize Lacework alerts within their SOAR environment for + automated response and investigation. ### Parameters Description @@ -15,44 +15,45 @@ Lacework Connector: | :--- | :--- | :--- | :--- | - | accountName | String | Yes | The Lacework account URL (e.g., [youraccount].lacework.net). + | accountName | String | Yes | The Lacework account URL (e.g., youraccount.lacework.net). | - | keyId | String | Yes | The Lacework API Access Key ID. | + | keyId | String | Yes | The Lacework API Access Key ID used for authentication. + | - | secret | Password | Yes | The Lacework API Secret Key. | + | secret | Password | Yes | The Lacework API Secret Key used for authentication. + | - | severity_threshold | String | Yes | The maximum severity level to ingest (1-Critical, - 2-High, 3-Medium, 4-Low, 5-Info). Events with a numerical value higher than this - threshold are ignored. | + | severity_threshold | String | Yes | The minimum severity level to fetch (1-Critical, + 2-High, 3-Medium, 4-Low, 5-Info). The connector fetches the selected level and + all levels above it (e.g., 3 fetches Medium, High, and Critical). | | DeviceProductField | String | Yes | The field name used to determine the device - product (Default: device_product). | + product in the ingested data. | - | EventClassId | String | Yes | The field name used to determine the event name/sub-type - (Default: event_name). | + | EventClassId | String | Yes | The field name used to determine the event name + (sub-type). | - | PythonProcessTimeout | String | Yes | The timeout limit in seconds for the connector - execution (Default: 30). | + | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the + python process running the connector script. | ### Flow Description 1. **Authentication**: The connector uses the provided `keyId` and `secret` to - request a temporary bearer token from the Lacework Access Token API. + request a temporary access token from the Lacework API. - 2. **Event Discovery**: It queries the `GetEventsForDateRange` endpoint to retrieve - a list of events generated within the last hour. + 2. **Event Retrieval**: It queries the Lacework Events API for a list of events + that occurred within the last hour. - 3. **Severity Filtering**: For each event found, the connector compares its severity - against the `severity_threshold`. Only events meeting the threshold (e.g., severity - 1, 2, or 3 if the threshold is 3) are processed further. + 3. **Severity Filtering**: The connector iterates through the retrieved events + and filters out any that do not meet the configured `severity_threshold` (where + lower numerical values represent higher severity). - 4. **Detail Enrichment**: For every event passing the filter, the connector makes - a secondary call to `GetEventDetails` to fetch the full metadata and context of - the alert. + 4. **Detail Enrichment**: For each event that passes the filter, the connector + makes a secondary API call to fetch the full event details using the unique Event + ID. - 5. **Mapping and Ingestion**: The connector maps Lacework event fields (such as - `EVENT_TYPE`, `EVENT_MODEL`, and `START_TIME`) to the Google SecOps AlertInfo - model, converts the severity to the platform's priority scale, and ingests the - data as a new alert. + 5. **Mapping and Ingestion**: The connector maps Lacework severity levels to Google + SecOps priority levels, flattens the event data, and creates `AlertInfo` objects + which are then ingested into the system as cases. diff --git a/content/response_integrations/third_party/community/lacework/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/lacework/resources/ai/integration_ai_description.yaml index b16aaa23c..a888df70b 100644 --- a/content/response_integrations/third_party/community/lacework/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/community/lacework/resources/ai/integration_ai_description.yaml @@ -4,7 +4,7 @@ product_categories: collaboration: false edr: false email_security: false - iam_and_identity_management: true + iam_and_identity_management: false itsm: false network_security: false siem: true diff --git a/content/response_integrations/third_party/community/logzio/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/logzio/resources/ai/actions_ai_description.yaml index af097a891..7698c3b97 100644 --- a/content/response_integrations/third_party/community/logzio/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/logzio/resources/ai/actions_ai_description.yaml @@ -1,59 +1,89 @@ Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Ping** action is designed to test and validate the connectivity between - Google SecOps and the Logz.io platform. It verifies the validity of both the Security - and Operations API tokens by making a request to the Logz.io `whoami` endpoint. - This ensures that the integration is correctly configured and that the provided - credentials have the necessary permissions to interact with the Logz.io API. + + The **Ping** action is designed to verify the connectivity between Google SecOps + and the Logz.io platform. It validates the provided API tokens for both Security + and Operations accounts by making a request to the Logz.io `whoami` endpoint. + This action is primarily used during the initial setup or for troubleshooting + to ensure that the integration can successfully communicate with the Logz.io API. ### Parameters Description - | Parameter Name | Expected Type | Mandatory | Description | + + | Parameter Name | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **logzio_security_token** | String | Yes | The API token associated with your - Logz.io Security account. | + | `logzio_security_token` | String | Yes | The API token for the Logz.io Security + account. This is an integration configuration parameter. | - | **logzio_operations_token** | String | Yes | The API token associated with your - Logz.io Operations account. | + | `logzio_operations_token` | String | Yes | The API token for the Logz.io Operations + account. This is an integration configuration parameter. | - | **logzio_region** | String | No | The geographic region where your Logz.io account - is hosted (e.g., 'us', 'eu', 'uk'). Defaults to 'us' if left empty. | + | `logzio_region` | String | No | The region where the Logz.io account is hosted + (e.g., 'us', 'eu'). Defaults to 'us' if not provided. This is an integration configuration + parameter. | - | **logzio_custom_endpoint** | String | No | A custom URL for the Logz.io API. - If provided, this overrides the region-based URL construction. | + | `logzio_custom_endpoint` | String | No | A custom URL for the Logz.io API, if + applicable. This is an integration configuration parameter. | - ### Additional Notes + ### Flow Description - - This action does not process any entities from the case; it relies entirely - on the integration's configuration parameters. - - The action performs a `GET` request to the `v1/account-management/whoami` endpoint - for both tokens provided. + 1. **Configuration Extraction**: The action retrieves the security token, operations + token, region, and optional custom endpoint from the integration's configuration + settings. + 2. **Token Validation**: It performs a basic check to ensure the tokens are non-empty + strings and properly formatted. - ### Flow Description + 3. **Connectivity Test**: It constructs the API URL (handling specific regions + or custom endpoints) and sends a GET request to the `v1/account-management/whoami` + endpoint for both the Security and Operations tokens. - 1. **Parameter Extraction:** The action retrieves the Security token, Operations - token, region, and optional custom endpoint from the integration configuration. + 4. **Response Verification**: The action checks if the API returns a 200 OK status + code. If successful, it logs the associated account name to confirm authentication + and connectivity. - 2. **Token Validation:** It performs a basic check to ensure the tokens are non-empty - strings. - 3. **Endpoint Construction:** It determines the correct API URL based on the provided - region or custom endpoint. + ### Additional Notes - 4. **Connectivity Test:** It sends a `GET` request to the Logz.io API for the - Security token and then for the Operations token. - 5. **Response Verification:** If both requests return a `200 OK` status code, - the action logs the account names and completes successfully. If any request fails, - the action reports a failure. + This action does not process any entities and does not modify any data. It is + strictly a connectivity test. There are no action-specific parameters; it relies + entirely on the integration's configuration. capabilities: can_create_case_comments: false can_create_insight: false @@ -62,12 +92,12 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -81,6 +111,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +json-adapter: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -94,28 +125,30 @@ Ping: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -json-adapter: ai_description: >- ### General Description - The **json-adapter** action is a utility designed to transform raw JSON log data - from Logz.io into a standardized format compatible with Google SecOps (Chronicle) - playbooks. It specifically looks for a 'results' array within the input JSON and - extracts specified fields, mapping them to a consistent structure of 'entityType' - and 'entityIdentifier'. This allows downstream playbook actions to easily consume - data that might otherwise have varying schemas. + The **json-adapter** action is a utility designed to transform raw log data from + Logz.io into a standardized JSON format compatible with Google SecOps playbooks. + It specifically targets JSON structures containing a 'results' array and extracts + user-defined fields, mapping them to a generic entity-like structure consisting + of `entityType` and `entityIdentifier`. This allows downstream playbook actions + to easily consume specific data points from complex log objects. ### Parameters Description @@ -126,43 +159,44 @@ json-adapter: | :--- | :--- | :--- | :--- | | **fields_to_search** | String | Yes | A comma-separated list of keys (fields) - to look for within each object in the JSON 'results' array. | + to look for within each log entry in the provided JSON. | - | **raw_json** | String | Yes | The raw JSON string containing the data to be - processed. The script expects a top-level 'results' key containing a list of objects. + | **raw_json** | String | Yes | The raw JSON string containing the logs to be + processed. The action expects a top-level 'results' key containing a list of objects. | ### Flow Description - 1. **Parameter Extraction**: The action retrieves the `fields_to_search` and `raw_json` - strings from the action parameters. + 1. **Parameter Extraction:** The action retrieves the `fields_to_search` and `raw_json` + from the input parameters. + + 2. **Data Parsing:** The `raw_json` string is parsed into a JSON object, and the + `fields_to_search` string is split into a list of individual field names. - 2. **Data Parsing**: It parses the `raw_json` into a Python dictionary and splits - the `fields_to_search` into a list of individual field names. + 3. **Log Iteration:** The action iterates through each log entry found in the + `results` array of the input JSON. - 3. **Search Logic**: The script iterates through every object found in the `results` - list of the input JSON. + 4. **Field Extraction:** For each log entry, the action checks if any of the specified + search fields exist as keys. - 4. **Field Mapping**: For each object, it checks if any of the requested fields - exist. If a field is found, it creates a new dictionary mapping the field name - to `entityType` and the field's value to `entityIdentifier`. + 5. **Standardization:** If a field is found, its key and value are mapped to a + new object: `{"entityType": , "entityIdentifier": }`. - 5. **Result Aggregation**: All identified mappings are collected into a final - output list. + 6. **Result Compilation:** All mapped objects are collected into a final results + list. - 6. **Output Generation**: If at least one field was successfully found and mapped, - the action returns the formatted JSON and completes successfully. If no fields - are found, the action is marked as failed. + 7. **Output Generation:** If matches are found, the action returns the standardized + JSON and completes successfully. If no fields are found, the action fails. ### Additional Notes - - This action is strictly a data transformation utility and does not interact - with external APIs or modify SecOps entities directly. + - This action does not interact with external APIs; it performs local data transformation + on the provided input. - - The input JSON must contain a key named `results` which holds an array of objects - for the script to process correctly. + - The action will only succeed (EXECUTION_STATE_COMPLETED) if at least one of + the requested fields is found in the provided JSON. capabilities: can_create_case_comments: false can_create_insight: false @@ -176,7 +210,7 @@ json-adapter: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -190,6 +224,7 @@ json-adapter: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +logzio-get-logs-by-event-id: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -203,66 +238,73 @@ json-adapter: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: false + search_events: true send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -logzio-get-logs-by-event-id: ai_description: >- - Fetches the logs that triggered a specific security event in Logz.io and returns - them as a paginated JSON list. This action is used to investigate the underlying - data of a security alert by retrieving the raw logs associated with a unique event - identifier. + Fetches the logs that triggered a specific security event from Logz.io. This action + allows analysts to retrieve the raw log data associated with an alert for deeper + investigation. It supports pagination to handle large volumes of logs and automatically + creates case insights in Google SecOps to display the retrieved information. - ### Flow Description + ### Flow Description: - 1. **Configuration Extraction:** Retrieves the Logz.io API token, region, and - optional custom endpoint from the integration settings. + 1. **Configuration Retrieval:** The action starts by extracting the Logz.io API + token, region, and optional custom endpoint from the integration settings. - 2. **Endpoint Construction:** Determines the correct API URL based on the provided - region or custom endpoint. + 2. **API Endpoint Determination:** It constructs the appropriate Logz.io API URL + based on the provided region or custom endpoint. - 3. **Initial Fetch:** Executes a POST request to the Logz.io search API using - the provided `alert_event_id` to retrieve the first page of logs. + 3. **Initial Data Fetch:** It sends a POST request to the Logz.io security search + API using the mandatory `alert_event_id` to retrieve the first page of logs. 4. **Pagination Handling:** If the total number of logs exceeds the initial page - size, the action uses a thread pool to concurrently fetch all remaining pages. + size, the action uses a thread pool to concurrently fetch all remaining pages + of logs. - 5. **Data Aggregation:** Combines all retrieved logs into a single JSON structure. + 5. **Data Processing:** The collected logs are aggregated into a single JSON structure. - 6. **Insight Creation:** Generates case insights within Google SecOps containing - the log data for immediate analyst visibility. + 6. **Insight Creation:** The action iterates through the logs and creates case + insights within the Google SecOps platform to provide immediate visibility into + the event data. + 7. **Result Reporting:** Finally, it attaches the full JSON result to the action + and completes the execution. - ### Parameters Description + + ### Parameters Description: | Parameter Name | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | alert_event_id | String | Yes | The unique GUID of the security event in the - Logz.io security account that you want to investigate. | + | alert_event_id | String | Yes | The unique GUID of the security event in Logz.io + that you want to investigate. | | page_size | String | No | Controls the number of results per page. Valid inputs are 1 to 1000. Defaults to 25. | - ### Additional Notes + ### Additional Notes: - - The action automatically handles pagination to ensure all logs associated with - the event ID are retrieved, up to the limits of the Logz.io API. + - This action does not operate on entities (IPs, Hosts, etc.) but rather on a + specific Event ID provided as a parameter. - - If more than 3 logs are returned, they are grouped into a single insight; otherwise, - individual insights are created for each log. + - The action uses multi-threading to speed up the retrieval of logs when multiple + pages are present. capabilities: can_create_case_comments: false can_create_insight: true @@ -273,12 +315,12 @@ logzio-get-logs-by-event-id: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action creates case insights within Google SecOps to display the retrieved - log data. + The action creates case insights within Google SecOps to display the logs retrieved + from Logz.io. categories: - enrichment: true + enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -292,6 +334,7 @@ logzio-get-logs-by-event-id: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +logzio-search-logs: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -305,70 +348,84 @@ logzio-get-logs-by-event-id: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: true send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -logzio-search-logs: ai_description: >- - Searches logs in a Logz.io operations account using Lucene syntax. This action - allows users to retrieve historical log data within a specified time range and - limit the number of results returned. The retrieved logs are provided as a JSON - object for further analysis within the playbook. + ### General Description + The **Logz.io Search Logs** action allows users to query and retrieve logs from + their Logz.io operations account. It utilizes the Logz.io Search API (v1) to perform + Lucene-based searches within a specified time range. This action is primarily + used for log investigation and gathering telemetry data related to security incidents. - ### Parameters - | Parameter | Type | Mandatory | Description | + ### Parameters Description + + | Parameter | Description | Type | Mandatory | | :--- | :--- | :--- | :--- | - | query | string | No | A search query written in valid Lucene syntax. Defaults - to '*' (all logs) if not provided. | + | **query** | A search query written in valid Lucene syntax. If not provided, + it defaults to a wildcard (`*`) to match all logs. | String | No | - | size | string | No | Number of log results per query. Limited to a maximum of - 1000 logs. | + | **size** | The number of log results to return per query. The value must be + between 1 and 1000. If invalid or empty, it defaults to 1000. | String | No | - | from_time | string | Yes | Earliest time to search. Supports Unix timestamps, - relative time (e.g., '5 minutes ago'), or specific date formats. | + | **from_time** | The earliest time to search. It accepts various formats including + Unix timestamps, relative time (e.g., "5 minutes ago"), or specific date strings. + | String | Yes | - | to_time | string | No | Latest time to search. If left empty, the search extends - to the current time. | + | **to_time** | The latest time to search. Similar to `from_time`, it accepts + multiple date formats. If left empty, the search extends to the current time. + | String | No | ### Flow Description - 1. **Configuration Extraction:** Retrieves the Logz.io API token, region, and - optional custom endpoint from the integration settings. + 1. **Configuration Extraction:** The action retrieves the Logz.io API token, region, + and optional custom endpoint from the integration settings. - 2. **Parameter Validation:** Validates the 'size' parameter to ensure it falls - within the 1-1000 range and parses the 'from_time' and 'to_time' into Unix timestamps - using the `dateparser` library. + 2. **Parameter Validation:** It extracts the search query, result size, and time + range parameters. The `size` is validated to ensure it stays within the 1-1000 + range. - 3. **Request Construction:** Builds a JSON request body containing the Lucene - query, size limit, and time range filters. + 3. **Time Parsing:** The `from_time` and `to_time` strings are parsed into Unix + millisecond timestamps using the `dateparser` library to ensure compatibility + with the Logz.io API. - 4. **API Interaction:** Sends a POST request to the Logz.io Search API endpoint. + 4. **Request Construction:** An Elasticsearch-compatible JSON request body is + created, incorporating the Lucene query and the timestamp range filter. - 5. **Data Processing:** Parses the API response, extracts the log source data - from the hits, and attaches the results to the action output as a JSON object. + 5. **API Execution:** A POST request is sent to the Logz.io Search API endpoint + (determined by the region or custom endpoint). + + 6. **Data Processing:** The action parses the API response, extracts the raw log + data (`_source` field) from the hits, and formats them into a JSON result. + + 7. **Completion:** The retrieved logs are attached to the action's output, and + a summary message indicating the number of logs found is returned. ### Additional Notes - - The action uses a POST request to the `/v1/search` endpoint, but this is strictly - for querying data and does not modify any external state. + - The action is limited to a maximum of 1000 logs per execution. + + - If the API token is missing or invalid, the action will fail. - - If no logs match the query, the action completes successfully with an informative - message. + - The `from_time` parameter is mandatory to define the search window. capabilities: can_create_case_comments: false can_create_insight: false @@ -380,9 +437,9 @@ logzio-search-logs: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -396,28 +453,3 @@ logzio-search-logs: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: true - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/community/logzio/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/logzio/resources/ai/connectors_ai_description.yaml index 2d0cd9ffa..5b9150962 100644 --- a/content/response_integrations/third_party/community/logzio/resources/ai/connectors_ai_description.yaml +++ b/content/response_integrations/third_party/community/logzio/resources/ai/connectors_ai_description.yaml @@ -2,12 +2,11 @@ LOGZIO fetch-security-events: ai_description: >- ### General Description - The Logz.io connector fetches security rule events from a Logz.io security account - and ingests them as cases into Google SecOps. It provides a seamless integration - for monitoring security alerts generated within Logz.io, supporting multi-region - environments and custom API endpoints. The connector allows for granular filtering - based on rule names and severities, ensuring that only relevant security incidents - are escalated for investigation. + The Logz.io Fetch Security Events connector integrates with the Logz.io Cloud + SIEM to automatically ingest security rule events into Google SecOps. It allows + security teams to centralize their monitoring by converting Logz.io security alerts + into actionable cases, ensuring that triggered rules are investigated within the + SOAR platform. ### Parameters Description @@ -16,63 +15,61 @@ LOGZIO fetch-security-events: | :--- | :--- | :--- | :--- | - | logzio_token | Password | Yes | API token for your Logz.io security account. - | + | DeviceProductField | String | Yes | The field name used to determine the device + product (default: `device_product`). | - | from_date | String | Yes | Earliest time to search on the first run. Supports - Unix timestamps, relative time (e.g., '1 day ago'), or ISO 8601 format. | + | EventClassId | String | Yes | The field name used to determine the event name + or sub-type (default: `event_name`). | - | logzio_region | String | No | 2-letter region code for your Logz.io account - (e.g., 'us', 'eu', 'wa'). Defaults to 'us'. | + | from_date | String | Yes | The earliest time to search for events during the + first run. Supports Unix timestamps, relative time (e.g., '1 day ago'), or ISO + 8601 format. | | logzio_custom_endpoint | String | No | Optional custom URL for the Logz.io API. - If provided, it overrides the region setting. | + If provided, it overrides the `logzio_region` parameter. | - | search_term | String | No | Filter to fetch only events where the rule name - matches this string. | + | logzio_region | String | No | The 2-letter region code for your Logz.io account + (e.g., 'us', 'eu', 'uk'). Defaults to 'us' if left empty. | - | severities | String | No | A comma-delimited list of severities to fetch: INFO, - LOW, MEDIUM, HIGH, SEVERE. | + | logzio_token | Password | Yes | The API token for your Logz.io security account + used for authentication. | - | page_size | Integer | No | Controls the number of results per API page. Valid - range is 1 to 1000 (Default: 25). | + | page_size | Integer | No | The number of results to retrieve per API call. Valid + range is 1 to 1000 (default: 25). | - | DeviceProductField | String | Yes | The field name used to determine the device - product in the SOAR (Default: 'device_product'). | + | PythonProcessTimeout | String | Yes | The timeout limit in seconds for the connector's + execution process. | - | EventClassId | String | Yes | The field name used to determine the event name/sub-type - (Default: 'event_name'). | + | search_term | String | No | A filter string to match against the security rule + names. | - | PythonProcessTimeout | String | Yes | The timeout limit in seconds for the connector - execution process. | + | severities | String | No | A comma-delimited list of severities to fetch (e.g., + "HIGH, SEVERE"). Supported values: INFO, LOW, MEDIUM, HIGH, SEVERE. | ### Flow Description - 1. **Timestamp Management**: The connector retrieves the last successful execution - timestamp. If it's the first run, it uses the `from_date` parameter. The search - window ends at the current time minus 3 minutes to account for data ingestion - latency in Logz.io. + 1. **Endpoint Resolution**: The connector determines the Logz.io API endpoint + using the provided region or custom endpoint URL. - 2. **Endpoint Configuration**: It determines the correct API endpoint using either - the `logzio_custom_endpoint` or by constructing a regional URL based on the `logzio_region` - parameter. + 2. **Time Window Calculation**: It identifies the start time for the search. On + the first run, it uses the `from_date` parameter; on subsequent runs, it uses + the timestamp of the last ingested event plus a 100ms offset. The end time is + set to 3 minutes prior to the current time to ensure data consistency. - 3. **Data Fetching**: The connector queries the Logz.io `v2/security/rules/events/search` - API. It applies filters for the time range, search terms, and specified severities. + 3. **Event Querying**: A POST request is sent to the Logz.io Security Events Search + API with filters for time range, search terms, and severities. - 4. **Concurrent Pagination**: If the result set exceeds the page size, the connector - utilizes a thread pool to concurrently fetch all remaining pages of event data - to optimize performance. + 4. **Concurrent Pagination**: If the search results span multiple pages, the connector + utilizes a thread pool to fetch all pages concurrently, optimizing data retrieval + speed. - 5. **Alert Mapping**: Each retrieved Logz.io event is transformed into a Google - SecOps `AlertInfo` object. This includes mapping Logz.io severities to SOAR priorities - and extracting metadata such as tags, hits, and 'group by' fields into the event - context. + 5. **Data Transformation**: Each Logz.io event is mapped to a Google SecOps Alert + object. This includes mapping Logz.io severities to platform priorities and extracting + metadata such as rule descriptions, tags, and group-by fields. - 6. **Case Creation**: The mapped alerts are returned to Google SecOps to be created - as cases. + 6. **Timestamp Persistence**: The connector tracks the latest event timestamp + and saves it to the system state to prevent duplicate ingestion in future cycles. - 7. **Checkpointing**: The connector saves the timestamp of the most recent event - (or one hour ago, whichever is later) to ensure the next execution starts from - where the previous one finished. + 7. **Case Ingestion**: The compiled list of alerts is returned to Google SecOps + for case creation and further orchestration. diff --git a/content/response_integrations/third_party/community/luminar_iocs_and_leaked_credentials/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/luminar_iocs_and_leaked_credentials/resources/ai/actions_ai_description.yaml index 9fb8b22ed..0e2e6a33b 100644 --- a/content/response_integrations/third_party/community/luminar_iocs_and_leaked_credentials/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/luminar_iocs_and_leaked_credentials/resources/ai/actions_ai_description.yaml @@ -1,25 +1,54 @@ Ping: - ai_description: "### General Description\nThe **Ping** action is a diagnostic utility\ + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "### General Description\nThe **Ping** action is a diagnostic tool\ \ designed to verify the connectivity between Google SecOps and the **Luminar\ - \ IOCs and Leaked Credentials** platform. Its primary purpose is to validate that\ - \ the integration's configuration parameters\u2014specifically the API Client\ - \ ID, Client Secret, Account ID, and Base URL\u2014are correct and that the external\ - \ service is reachable.\n\n### Parameters Description\nThere are no action-specific\ - \ parameters for this action. It utilizes the global integration configuration\ - \ settings.\n\n### Additional Notes\n* This action does not process entities or\ - \ modify any data within Google SecOps or the Luminar platform.\n* It is strictly\ - \ used for testing the authentication handshake and network connectivity.\n\n\ - ### Flow Description\n1. **Configuration Retrieval:** The action extracts the\ - \ `Luminar API Client ID`, `Luminar API Client Secret`, `Luminar API Account ID`,\ - \ and `Luminar Base URL` from the integration's configuration settings.\n2. **Manager\ - \ Initialization:** It initializes the `LuminarManager` using the extracted credentials\ - \ and URL.\n3. **Connectivity Test:** The action calls the `test_connectivity`\ - \ method, which sends a POST request to the Luminar authentication endpoint (`/externalApi/realm/{account_id}/token`)\ - \ to request an OAuth2 access token.\n4. **Response Evaluation:** The action evaluates\ - \ the HTTP response. A successful response (200 OK) confirms valid credentials\ - \ and connectivity, while error codes (e.g., 401, 403) indicate authentication\ - \ or configuration issues.\n5. **Execution Completion:** The action terminates\ - \ by reporting the connection status and a descriptive message to the SOAR platform." + \ IOCs and Leaked Credentials** API. Its primary purpose is to validate that the\ + \ integration's configuration parameters\u2014specifically the Client ID, Client\ + \ Secret, Account ID, and Base URL\u2014are correct and that the external service\ + \ is reachable.\n\n### Parameters Description\nThis action does not require any\ + \ input parameters. It utilizes the global integration configuration settings\ + \ to perform the connectivity test.\n\n### Flow Description\n1. **Configuration\ + \ Retrieval**: The action extracts the `Luminar API Client ID`, `Luminar API Client\ + \ Secret`, `Luminar API Account ID`, and `Luminar Base URL` from the integration's\ + \ shared settings.\n2. **Authentication Request**: It initializes the `LuminarManager`\ + \ and executes the `test_connectivity` method. This method sends a `POST` request\ + \ to the Luminar token endpoint (`/externalApi/realm/{account_id}/token`) using\ + \ the `client_credentials` grant type.\n3. **Response Validation**: \n * If\ + \ the API returns a successful response (HTTP 200), the action confirms a successful\ + \ connection.\n * If the API returns authentication errors (HTTP 401, 403)\ + \ or other failure codes, the action identifies the failure and provides a descriptive\ + \ error message.\n4. **Execution Completion**: The action concludes by reporting\ + \ the final status (Success or Failure) to the SOAR interface.\n\n### Additional\ + \ Notes\nThis action is intended for initial setup and troubleshooting. It does\ + \ not process entities or modify any data within Google SecOps or the Luminar\ + \ platform." capabilities: can_create_case_comments: false can_create_insight: false @@ -33,7 +62,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -47,28 +76,3 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/community/luminar_iocs_and_leaked_credentials/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/luminar_iocs_and_leaked_credentials/resources/ai/connectors_ai_description.yaml index aef5d7b7f..cbbe33bd4 100644 --- a/content/response_integrations/third_party/community/luminar_iocs_and_leaked_credentials/resources/ai/connectors_ai_description.yaml +++ b/content/response_integrations/third_party/community/luminar_iocs_and_leaked_credentials/resources/ai/connectors_ai_description.yaml @@ -1,78 +1,39 @@ "Luminar IOCs and Leaked Credentials Connector": - ai_description: >- - ### General Description - - The Luminar IOCs and Leaked Credentials connector integrates Google SecOps with - Cognyte's Luminar platform. It fetches cyber threat intelligence data, specifically - Indicators of Compromise (IOCs) and Leaked Credentials, formatted as STIX objects. - The connector identifies malicious activity related to malware families and compromised - user accounts, transforming this data into actionable alerts and cases within - the SOAR platform. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | DeviceProductField | String | Yes | The field name used to determine the device - product (default: device_product). | - - | EventClassId | String | Yes | The field name used to determine the event name/sub-type - (default: event_type). | - - | Luminar API Account ID | Password | Yes | The unique Account ID for the Luminar - API. | - - | Luminar API Client ID | Password | Yes | The Client ID used for API authentication. - | - - | Luminar API Client Secret | Password | Yes | The Client Secret used for API - authentication. | - - | Luminar Base URL | String | Yes | The base URL of the Luminar instance (e.g., - https://demo.cyberluminar.com). | - - | Proxy Password | Password | No | Password for the proxy server if required. - | - - | Proxy Port | Integer | No | Port number for the proxy server. | - - | Proxy Server Address | String | No | The network address of the proxy server. - | - - | Proxy Username | String | No | Username for the proxy server. | - - | PythonProcessTimeout | String | Yes | The maximum execution time allowed for - the connector script in seconds. | - - | Verify SSL | Boolean | No | If enabled, the connector will verify the SSL certificate - of the Luminar server. | - - - ### Flow Description - - 1. **Authentication**: The connector establishes a connection to the Luminar API - using the provided Account ID, Client ID, and Client Secret to retrieve an OAuth2 - access token. - - 2. **Data Ingestion**: It queries the `/externalApi/stix` endpoint using a persistent - timestamp to fetch new STIX-formatted objects since the last execution. - - 3. **Object Processing**: The connector parses the STIX bundle, identifying specific - object types including `malware`, `incident`, `indicator`, and `relationship`. - - 4. **Categorization & Enrichment**: - * **Malware IOCs**: Maps indicators (IPs, Hashes, Domains, URLs) to their - respective malware families based on STIX relationships. - * **Leaked Credentials**: Associates compromised user accounts with specific - security incidents. - * **Expiring IOCs**: Filters and groups indicators that are nearing their - expiration date. - 5. **Alert Generation**: Events are aggregated into alerts (limited to 500 events - per alert to optimize performance). Each alert is assigned a priority and mapped - to the Google SecOps data model. - - 6. **State Management**: Upon successful ingestion, the connector updates the - internal timestamp to ensure subsequent runs only process new intelligence data. + ai_description: "### General Description\nThe Luminar IOCs and Leaked Credentials\ + \ connector integrates with Cognyte Luminar to ingest high-fidelity threat intelligence\ + \ into Google SecOps. It fetches Indicators of Compromise (IOCs) and leaked credential\ + \ data provided in STIX format, allowing security teams to monitor for malicious\ + \ infrastructure and compromised accounts identified by Luminar's intelligence\ + \ platform.\n\n### Parameters Description\n| Parameter | Type | Mandatory | Description\ + \ |\n| :--- | :--- | :--- | :--- |\n| Luminar API Account ID | Password | Yes\ + \ | The unique Account ID required for Luminar API authentication. |\n| Luminar\ + \ API Client ID | Password | Yes | The Client ID used to generate OAuth2 access\ + \ tokens. |\n| Luminar API Client Secret | Password | Yes | The Client Secret\ + \ used to generate OAuth2 access tokens. |\n| Luminar Base URL | String | Yes\ + \ | The base URL of the Luminar API instance (e.g., https://demo.cyberluminar.com).\ + \ |\n| DeviceProductField | String | Yes | The field name used to determine the\ + \ device product in the ingested events. |\n| EventClassId | String | Yes | The\ + \ field name used to determine the event sub-type or name. |\n| PythonProcessTimeout\ + \ | String | Yes | The maximum execution time (in seconds) allowed for the connector\ + \ script. |\n| Verify SSL | Boolean | No | If enabled, the connector will verify\ + \ the SSL certificate of the Luminar API server. |\n| Proxy Server Address | String\ + \ | No | The address of the proxy server if one is required for outbound communication.\ + \ |\n| Proxy Port | Integer | No | The port of the proxy server. |\n| Proxy Username\ + \ | String | No | The username for proxy authentication. |\n| Proxy Password |\ + \ Password | No | The password for proxy authentication. |\n\n### Flow Description\n\ + 1. **Authentication**: The connector establishes a session with the Luminar API\ + \ by exchanging the Client ID and Client Secret for an OAuth2 access token.\n\ + 2. **Timestamp Management**: It retrieves the last successful execution timestamp\ + \ to perform incremental fetching, ensuring only new threat data is processed.\n\ + 3. **Data Ingestion**: The connector queries the `/externalApi/stix` endpoint\ + \ to retrieve threat objects, including malware, incidents, indicators, and their\ + \ relationships.\n4. **STIX Processing**: \n * **IOCs**: Correlates STIX indicators\ + \ (IPs, Domains, URLs, Hashes) with their associated Malware families using relationship\ + \ objects.\n * **Leaked Credentials**: Correlates user account data with specific\ + \ data breach incidents.\n * **Expiration Monitoring**: Identifies indicators\ + \ with valid expiration dates and groups them for lifecycle management.\n5. **Event\ + \ Aggregation**: To optimize case management, the connector slices large datasets\ + \ into chunks (maximum 499 events per alert) and groups them by Malware Family,\ + \ Incident Name, or Expiration Date.\n6. **Alert Creation**: Structured AlertInfo\ + \ objects are created and sent to Google SecOps, mapping Luminar's threat attributes\ + \ to standard security event fields." diff --git a/content/response_integrations/third_party/community/luminar_iocs_and_leaked_credentials/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/luminar_iocs_and_leaked_credentials/resources/ai/integration_ai_description.yaml index 4fe442a77..2e831240c 100644 --- a/content/response_integrations/third_party/community/luminar_iocs_and_leaked_credentials/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/community/luminar_iocs_and_leaked_credentials/resources/ai/integration_ai_description.yaml @@ -4,7 +4,7 @@ product_categories: collaboration: false edr: false email_security: false - iam_and_identity_management: true + iam_and_identity_management: false itsm: false network_security: false siem: false diff --git a/content/response_integrations/third_party/community/luminar_iocs_and_leaked_credentials/resources/ai/jobs_ai_description.yaml b/content/response_integrations/third_party/community/luminar_iocs_and_leaked_credentials/resources/ai/jobs_ai_description.yaml index fb92c7a3b..320d9c2d1 100644 --- a/content/response_integrations/third_party/community/luminar_iocs_and_leaked_credentials/resources/ai/jobs_ai_description.yaml +++ b/content/response_integrations/third_party/community/luminar_iocs_and_leaked_credentials/resources/ai/jobs_ai_description.yaml @@ -2,12 +2,12 @@ Luminar IOC and Leaked Credentials Job: ai_description: >- ### General Description - This job performs automated maintenance for cases generated by the Luminar integration - within Google SecOps. It identifies open cases titled "Luminar IOCs" and evaluates - whether the indicators associated with those cases have reached their expiration - date. If an indicator is found to be expired, the job automatically assigns the - case to the configured user and closes it with a maintenance reason, ensuring - the case queue remains relevant and free of outdated intelligence. + This job performs automated maintenance for cases generated by the Luminar IOCs + and Leaked Credentials integration. It identifies open cases related to Luminar + indicators and checks their expiration status. If an indicator is found to be + expired based on its metadata, the job automatically assigns the case to a designated + user and closes it with a maintenance reason, ensuring the case queue remains + relevant and up-to-date. ### Parameters Description @@ -17,31 +17,29 @@ Luminar IOC and Leaked Credentials Job: | :--- | :--- | :--- | :--- | | Siemplify Username | String | Yes | The username used to authenticate with the - Google SecOps internal API to perform case search, assignment, and closure. | + Google SecOps API and the user to whom expired cases will be assigned before closure. + | | Siemplify Password | Password | Yes | The password for the specified Siemplify - Username. | + Username to facilitate API authentication. | ### Flow Description - 1. **Authentication**: The job authenticates against the Google SecOps API using - the provided credentials to retrieve a bearer token for subsequent requests. + 1. **Authentication**: Logs into the Google SecOps (Siemplify) API using the provided + username and password to retrieve a bearer token for subsequent requests. - 2. **Case Search**: It searches for all currently open cases that match the specific - title "Luminar IOCs". + 2. **Case Search**: Queries the system for all open cases that contain the title + "Luminar IOCs". 3. **Detail Retrieval**: For each matching case, the job fetches the full case details to access specific alert fields. - 4. **Expiration Check**: It extracts the expiration date from the security event - card fields within the case data. + 4. **Expiration Check**: Extracts the expiration date from the security event + cards within the case and compares it against the current system time. - 5. **Date Comparison**: The job compares the extracted expiration date against - the current system time. + 5. **Case Assignment**: If the expiration date has passed, the job performs a + bulk assignment of the case to the configured Siemplify Username. - 6. **Case Assignment**: If the expiration date is in the past, the job performs - a bulk assignment of the case to the provided username. - - 7. **Case Closure**: Finally, the job executes a bulk close action on the expired - cases, marking them with the reason "Maintenance" and the comment "Expired IOCs". + 6. **Case Closure**: Executes a bulk close operation on the expired cases, marking + them with a "Maintenance" reason and a comment indicating the IOCs have expired. diff --git a/content/response_integrations/third_party/community/marketo/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/marketo/resources/ai/actions_ai_description.yaml index 9e13c7f37..eae0cb16a 100644 --- a/content/response_integrations/third_party/community/marketo/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/marketo/resources/ai/actions_ai_description.yaml @@ -1,56 +1,80 @@ Create lead: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: true + update_ticket: false ai_description: >- ### General Description - Creates a new lead in Marketo using provided user details. This action is used - to programmatically register a new contact within the Marketo marketing automation - platform by providing their email, name, and country information. + The **Create lead** action allows users to create a new lead record within the + Marketo platform. This is typically used to synchronize user information or register + new contacts discovered during an investigation into marketing or CRM workflows. - ### Parameters Description - - | Parameter | Type | Mandatory | Description | + ### Flow Description - | :--- | :--- | :--- | :--- | + 1. **Parameter Extraction:** The action retrieves integration credentials (Client + Id, Client Secret, Munchkin Id) and action-specific parameters (Email, First Name, + Last Name, Country). - | Email | String | Yes | The email address of the new lead you want to create. - This is used as the primary lookup field. | + 2. **API Connection:** It initializes the Marketo Client using the provided credentials. - | First Name | String | Yes | The first name of the new lead. | + 3. **Lead Creation:** The action sends a request to Marketo to create a lead using + the `createOnly` method, ensuring that it only creates a new record and does not + update existing ones based on the email address. - | Last Name | String | Yes | The last name of the new lead. | + 4. **Response Handling:** It parses the API response. If the creation is successful, + it returns the lead ID. If it fails (e.g., lead already exists or invalid data), + it captures the error reasons. - | Country | String | Yes | The country of the new lead. | + 5. **Finalization:** The action reports the execution status and provides the + raw JSON response from Marketo. - ### Additional Notes + ### Parameters Description - This action uses the `createOnly` method, meaning it will attempt to create a - new record and will not update an existing one if the email already exists in - Marketo. The action requires valid Marketo API credentials (Client ID, Client - Secret, and Munchkin ID) to be configured in the integration settings. + | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Flow Description + | Email | String | Yes | The email address of the new lead. Used as the primary + lookup field. | - 1. **Parameter Extraction**: The action retrieves the Marketo API credentials - from the integration configuration and the lead details (Email, First Name, Last - Name, Country) from the action parameters. + | First Name | String | Yes | The first name of the new lead. | - 2. **Client Initialization**: Initializes the MarketoClient using the provided - Munchkin ID and credentials. + | Last Name | String | Yes | The last name of the new lead. | - 3. **Data Preparation**: Formats the input data into a structure compatible with - the Marketo API. + | Country | String | Yes | The country associated with the new lead. | - 4. **API Execution**: Calls the Marketo API's `create_update_leads` method with - the `createOnly` action flag. - 5. **Response Handling**: Parses the API response to check for success or specific - error reasons. + ### Additional Notes - 6. **Finalization**: Returns a success message with the new Lead ID or a failure - message with error details to the Google SecOps platform. + * This action does not process SOAR entities; it relies entirely on the provided + input parameters. capabilities: can_create_case_comments: false can_create_insight: false @@ -59,13 +83,13 @@ Create lead: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new lead record in the Marketo marketing automation platform. + Creates a new lead record in the Marketo system. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -79,6 +103,7 @@ Create lead: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Lead By Email Param: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -89,44 +114,46 @@ Create lead: disable_identity: false download_file: false enable_identity: false - enrich_asset: false + enrich_asset: true enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false - update_identity: true + update_identity: false update_ticket: false -Get Lead By Email Param: ai_description: "### General Description\nThe **Get Lead By Email Param** action\ \ retrieves detailed lead information from Marketo for a specific email address\ - \ provided as an input parameter. This action is designed to fetch marketing-related\ - \ context about a user, such as their Lead ID and other profile attributes stored\ - \ in Marketo, without requiring the email to be an existing entity in the Google\ - \ SecOps case.\n\n### Parameters Description\n| Parameter | Type | Mandatory |\ - \ Description |\n| :--- | :--- | :--- | :--- |\n| Email | String | Yes | The email\ - \ address of the user you want to retrieve details for. The value is converted\ - \ to lowercase before the search. |\n\n### Flow Description\n1. **Initialization**:\ - \ The action extracts Marketo API credentials (Client ID, Client Secret, and Munchkin\ - \ ID) from the integration configuration.\n2. **Input Processing**: The action\ - \ retrieves the `Email` parameter and converts it to lowercase to ensure consistency\ - \ with Marketo's search requirements.\n3. **API Interaction**: The action uses\ - \ the Marketo REST API client to execute a search (`get_multiple_leads_by_filter_type`)\ - \ using the email as the filter.\n4. **Result Evaluation**: \n * If lead data\ - \ is returned, the action identifies the Lead ID and constructs a success message.\n\ - \ * If no data is found, the action reports that the user does not exist in\ - \ Marketo.\n5. **Output**: The action attaches the raw lead details as a JSON\ - \ result and terminates with a summary message and a boolean status indicating\ - \ if the lead was found.\n\n### Additional Notes\nThis action operates independently\ - \ of the entities present in the SecOps case. It relies strictly on the provided\ - \ `Email` parameter." + \ provided as an input parameter. This action allows analysts to fetch marketing\ + \ and identity context for a user directly by their email address, independent\ + \ of the entities currently present in a Google SecOps case.\n\n### Parameters\ + \ Description\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- |\ + \ :--- | :--- |\n| Email | String | True | The email address of the user you want\ + \ to retrieve details for. The value is case-insensitive as the action converts\ + \ it to lowercase before processing. |\n\n### Flow Description\n1. **Configuration\ + \ Retrieval:** The action extracts the necessary Marketo API credentials (Client\ + \ Id, Client Secret, and Munchkin Id) from the integration settings.\n2. **Input\ + \ Processing:** The action retrieves the target email address from the input parameters\ + \ and converts it to lowercase.\n3. **API Interaction:** It initializes the Marketo\ + \ client and executes a query using the `get_multiple_leads_by_filter_type` method,\ + \ filtering specifically by the 'email' field.\n4. **Outcome Determination:**\ + \ \n * If lead data is returned, the action identifies the Lead ID, constructs\ + \ a success message, and sets the result value to `True`.\n * If no lead is\ + \ found, it informs the user that the lead does not exist and sets the result\ + \ value to `False`.\n5. **Data Output:** The full JSON response from Marketo is\ + \ attached to the action results for further use in playbooks.\n\n### Additional\ + \ Notes\nThis action is parameter-driven and does not iterate over or modify Google\ + \ SecOps entities. It is strictly a data retrieval task." capabilities: can_create_case_comments: false can_create_insight: false @@ -140,7 +167,7 @@ Get Lead By Email Param: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -154,6 +181,7 @@ Get Lead By Email Param: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Lead By Entity Email: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -164,66 +192,64 @@ Get Lead By Email Param: disable_identity: false download_file: false enable_identity: false - enrich_asset: false + enrich_asset: true enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Lead By Entity Email: ai_description: >- ### General Description - The **Get Lead By Entity Email** action enriches USER entities by retrieving corresponding - lead information from the Marketo platform. It uses the entity's identifier (email - address) to query Marketo's database for associated metadata such as names and - lead IDs. + The **Get Lead By Entity Email** action enriches User entities within Google SecOps + by retrieving corresponding lead information from Marketo. It uses the entity's + identifier (email address) to query the Marketo database and returns key details + such as the Lead ID, first name, and last name. ### Parameters Description - There are no action-specific parameters for this action. It relies on the global - integration configuration (Client Id, Client Secret, and Munchkin Id) to authenticate - with the Marketo API. + There are no action-specific parameters for this action. It relies on the integration's + global configuration (Client ID, Client Secret, and Munchkin ID). ### Flow Description - 1. **Authentication**: The action initializes the Marketo client using the provided - integration credentials (Client Id, Client Secret, and Munchkin Id). + 1. **Initialization**: The action initializes the Marketo client using the provided + integration credentials. 2. **Entity Filtering**: It iterates through the target entities, selecting only - those of type `USER`. - - 3. **Email Validation**: For each USER entity, it performs a regex check to ensure - the identifier is a valid email address format. + those of type `USER` that possess a valid email format (verified via regex). - 4. **Data Retrieval**: It queries Marketo for lead details using the validated - email address as a filter. + 3. **Data Retrieval**: For each valid entity, the action queries Marketo using + the `get_multiple_leads_by_filter_type` method with the email as the filter. - 5. **Enrichment**: If a lead is found, the action extracts the first name, last - name, email, and lead ID from the Marketo response. + 4. **Enrichment**: If a matching lead is found, the action extracts the Lead ID, + first name, last name, and email. - 6. **Internal Update**: The action updates the entity's `additional_properties` - with the retrieved data (prefixed with 'Marketo_') and marks the entity as enriched - (`is_enriched = True`). + 5. **Internal Update**: The extracted data is added to the entity's `additional_properties`, + the `is_enriched` flag is set to `true`, and the entity is updated within the + SOAR platform. - 7. **Output**: Finally, it provides a JSON result containing the enrichment details - for all processed entities and the total count of leads found. + 6. **Results**: A JSON result containing the enrichment details for all processed + entities and the total count of leads found is attached to the action output. ### Additional Notes - Entities that do not match the email regex or are not of type `USER` are skipped + - Entities that do not match the email regex or are not of type `USER` are skipped with a log message. capabilities: can_create_case_comments: false @@ -235,19 +261,19 @@ Get Lead By Entity Email: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with Marketo lead information (first name, - last name, email, lead ID) and sets the is_enriched flag to true. + Updates entity additional properties with Marketo lead information and sets + the is_enriched flag to true. categories: enrichment: true entity_usage: entity_types: - - USERUNIQNAME + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false filters_by_creation_time: false filters_by_entity_type: true - filters_by_identifier: false + filters_by_identifier: true filters_by_is_artifact: false filters_by_is_enriched: false filters_by_is_internal: false @@ -255,6 +281,7 @@ Get Lead By Entity Email: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -265,28 +292,30 @@ Get Lead By Entity Email: disable_identity: false download_file: false enable_identity: false - enrich_asset: true + enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: ai_description: >- ### General Description The **Ping** action is designed to verify the connectivity between Google SecOps - and the **Marketo** instance. It ensures that the provided credentials (Client - Id, Client Secret, and Munchkin Id) are valid and that the system can successfully + and the Marketo platform. It ensures that the provided credentials (Client ID, + Client Secret, and Munchkin ID) are valid and that the environment can successfully communicate with the Marketo API. @@ -296,34 +325,28 @@ Ping: the integration's configuration parameters. - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | N/A | N/A | N/A | This action does not require any input parameters. | - + ### Flow Description - ### Additional Notes + 1. **Configuration Extraction**: The action retrieves the `Client Id`, `Client + Secret`, and `Munchkin Id` from the Marketo integration settings. - This action is typically used during the initial setup or troubleshooting phase - to confirm that the integration is correctly configured. + 2. **Client Initialization**: It initializes the `MarketoClient` using the extracted + credentials. + 3. **Connectivity Test**: The action attempts to execute a `get_lead_by_id` request + for a lead with ID `1`. This serves as a functional test to confirm API access + and permissions. - ### Flow Description + 4. **Execution Result**: If the API call is successful, the action terminates + with a success status. If an exception occurs during the process, it is raised, + indicating a connectivity or configuration issue. - 1. **Configuration Extraction**: The action retrieves the `Client Id`, `Client - Secret`, and `Munchkin Id` from the integration settings. - 2. **Client Initialization**: It initializes the `MarketoClient` using the retrieved - credentials. + ### Additional Notes - 3. **Connectivity Test**: It attempts to fetch a lead with the ID `1` using the - `get_lead_by_id` method. This serves as a lightweight request to validate the - API connection. + * This action does not process any entities from the case. - 4. **Result Reporting**: If the request is successful, the action completes with - a success status. If an exception occurs, it indicates a connectivity or authentication - failure. + * It is strictly used for health checks and troubleshooting integration setup. capabilities: can_create_case_comments: false can_create_insight: false @@ -337,7 +360,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -351,6 +374,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Request Campaign: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -364,41 +388,28 @@ Ping: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Request Campaign: ai_description: >- - Triggers a specific Marketo campaign for a designated lead. This action allows - security or marketing automation workflows to programmatically initiate campaigns - within Marketo by providing the Campaign ID and Lead ID. It also supports passing - custom tokens via a JSON string to personalize the campaign execution. - - - ### Flow Description - - 1. **Parameter Extraction:** The action retrieves Marketo configuration credentials - (Client ID, Secret, Munchkin ID) and action parameters (Campaign ID, Lead ID, - and optional Tokens JSON). - - 2. **Token Processing:** If provided, the Tokens JSON is parsed and processed - to ensure keys are formatted correctly (lowercase, unless they contain sensitive - strings like 'password'). - - 3. **API Execution:** The action initializes the Marketo client and executes the - `request_campaign` method using the provided IDs and tokens. + ### General Description - 4. **Result Reporting:** The action returns a success message if the campaign - was triggered successfully or an error message if the request failed. + The **Request Campaign** action allows users to trigger a specific marketing campaign + for a designated lead within the Marketo platform. This action is primarily used + to automate marketing workflows or responses based on security events or identified + user behavior. ### Parameters Description @@ -408,19 +419,36 @@ Request Campaign: | :--- | :--- | :--- | :--- | | Campaign Id | string | Yes | The unique identifier of the Marketo campaign to - be triggered. The value is treated as an integer. | + be triggered. The action converts this to an integer internally. | - | Lead Id | string | Yes | The unique identifier of the Marketo lead for whom - the campaign is triggered. The value is treated as an integer. | + | Lead Id | string | Yes | The unique identifier of the lead (user/contact) for + whom the campaign should be requested. The action converts this to an integer + internally. | | Tokens Json | string | No | A JSON-formatted string containing key-value pairs - of tokens to be used in the campaign. | + representing tokens to be passed to the campaign. Keys are processed to ensure + lowercase values unless they contain the word 'password'. | - ### Additional Notes + ### Flow Description + + 1. **Initialization**: The action retrieves Marketo integration credentials (Client + ID, Client Secret, Munchkin ID) and the specific action parameters (Campaign ID, + Lead ID, and Tokens JSON). + + 2. **Token Processing**: If provided, the `Tokens Json` is parsed. The logic iterates + through the keys and converts values to lowercase, except for values associated + with keys containing 'password' to preserve credential integrity. - This action does not process entities from the Google SecOps case; it relies entirely - on the provided input parameters. + 3. **API Connection**: A connection is established with the Marketo API using + the `MarketoClient` and the provided credentials. + + 4. **Execution**: The action calls the `request_campaign` method on the Marketo + client, passing the Campaign ID, the Lead ID (as a list), and the processed tokens. + + 5. **Completion**: If the API call is successful, the action returns a success + message and a boolean result of `True`. If an error occurs, it logs the exception + and returns a failure status. capabilities: can_create_case_comments: false can_create_insight: false @@ -430,13 +458,13 @@ Request Campaign: can_update_entities: false external_data_mutation_explanation: >- Triggers a marketing campaign for a specific lead in Marketo, which initiates - an automated workflow or communication in the external system. + external workflows and communications. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -450,28 +478,3 @@ Request Campaign: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/community/marketo/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/marketo/resources/ai/integration_ai_description.yaml index 0801c7556..0b062e038 100644 --- a/content/response_integrations/third_party/community/marketo/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/community/marketo/resources/ai/integration_ai_description.yaml @@ -1,10 +1,10 @@ product_categories: - asset_inventory: false + asset_inventory: true cloud_security: false collaboration: false edr: false email_security: false - iam_and_identity_management: false + iam_and_identity_management: true itsm: false network_security: false siem: false diff --git a/content/response_integrations/third_party/community/microsoft_graph_security_tools/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/microsoft_graph_security_tools/resources/ai/actions_ai_description.yaml index f5c24eea9..7fb30806e 100644 --- a/content/response_integrations/third_party/community/microsoft_graph_security_tools/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/microsoft_graph_security_tools/resources/ai/actions_ai_description.yaml @@ -1,51 +1,52 @@ Delete Attachment: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: true + update_identity: false + update_ticket: false ai_description: >- - Deletes a specific attachment from a user's email message within a Microsoft 365 - mailbox using the Microsoft Graph API. This action is primarily used for remediation - purposes, such as removing malicious files from an inbox after they have been - identified. It requires the specific identifiers for the user, the message, and - the attachment itself. - - - ### Parameters - - | Parameter Name | Description | Type | Mandatory | - - | :--- | :--- | :--- | :--- | - - | User ID | The userPrincipalName (typically the email address) of the mailbox - owner. | String | Yes | - - | Message ID | The unique identifier of the email message containing the attachment. - | String | Yes | - - | Attachment ID | The unique identifier of the specific attachment to be deleted. - | String | Yes | - - - ### Flow Description - - 1. **Authentication**: The action authenticates with Microsoft Graph using the - provided Integration parameters (Client ID, Secret/Certificate, and Tenant ID). - - 2. **Parameter Extraction**: It retrieves the User ID, Message ID, and Attachment - ID from the action input. - - 3. **API Request**: It sends an HTTP DELETE request to the Microsoft Graph endpoint: - `https://graph.microsoft.com/v1.0/users/{user_id}/messages/{message_id}/attachments/{attachment_id}`. - - 4. **Result Processing**: The action checks the response status code. An HTTP - 204 status indicates a successful deletion. The result is then logged and returned - to the SOAR platform. - - - ### Additional Notes - - - This action performs a permanent deletion of the attachment from the message. - It does not move it to a deleted items folder. - - - Ensure the application permissions in Azure AD are correctly configured to allow - `Mail.ReadWrite` for the target mailboxes. + ### General Description\nDeletes a specific attachment from a user's mailbox using + the Microsoft Graph API. This action is primarily used as a remediation step to + remove malicious or unauthorized files from an email message after they have been + identified.\n\n### Parameters Description\n| Parameter | Type | Mandatory | Description + |\n| :--- | :--- | :--- | :--- |\n| **User ID** | String | Yes | The email address + or `userPrincipalName` of the user whose mailbox contains the message. |\n| **Message + ID** | String | Yes | The unique identifier of the email message containing the + attachment. |\n| **Attachment ID** | String | Yes | The unique identifier of the + specific attachment to be deleted. |\n\n### Flow Description\n1. **Authentication**: + The action connects to Microsoft Graph using the configured Client ID, Tenant + ID, and either a Client Secret or a Certificate.\n2. **Parameter Extraction**: + It retrieves the `User ID`, `Message ID`, and `Attachment ID` from the action + input parameters.\n3. **API Execution**: It sends a `DELETE` request to the Microsoft + Graph endpoint for the specific attachment: `https://graph.microsoft.com/v1.0/users/{user_id}/messages/{message_id}/attachments/{attachment_id}`.\n4. + **Result Handling**: The action evaluates the response. A `204 No Content` status + indicates a successful deletion. The result is logged and returned as a JSON object.\n\n### + Additional Notes\n- This action performs a permanent deletion of the attachment.\n- + The integration must have the `Mail.ReadWrite` permission granted in the Azure + portal for this action to function correctly. capabilities: can_create_case_comments: false can_create_insight: false @@ -54,14 +55,14 @@ Delete Attachment: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Deletes a specific attachment from a user's mailbox in Microsoft 365 via the - Microsoft Graph API. + Deletes a specific attachment from a user's email message in Microsoft Graph + (Office 365). fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -75,77 +76,57 @@ Delete Attachment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Delete Message: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false contain_host: false create_ticket: false - delete_email: false + delete_email: true disable_identity: false download_file: false enable_identity: false enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false - update_email: true + update_email: false update_identity: false update_ticket: false -Delete Message: - ai_description: >- - Deletes a specific email message from one or more Microsoft 365 mailboxes using - the Microsoft Graph API. This action is primarily used for remediation, such as - removing malicious emails (phishing) identified during an investigation. It supports - targeting multiple users simultaneously via a comma-separated list of email addresses. - - - ### Flow Description: - - 1. **Authentication**: The action establishes a connection to the Microsoft Graph - API using the provided Client ID, Tenant ID, and either a Client Secret or a Certificate. - - 2. **Parameter Extraction**: It retrieves the 'Message ID' and 'User ID' from - the action parameters. The 'User ID' can be a single email or a CSV list of emails. - - 3. **Execution**: The action iterates through the provided user identifiers and - sends a DELETE request to the Microsoft Graph endpoint for the specified message. - - 4. **Result Reporting**: It captures the HTTP response status (expecting 204 No - Content for success) and returns a summary of the operation's outcome to the Google - SecOps case. - - - ### Parameters Description: - - | Parameter Name | Description | Type | Mandatory | Notes | - - | :--- | :--- | :--- | :--- | :--- | - - | Message ID | The unique identifier of the message to be deleted. | String | - Yes | This ID is typically retrieved from a previous 'List Messages' or 'Search' - action. | - - | User ID | The email address or userPrincipalName of the mailbox owner. | String - | Yes | Supports a CSV input (e.g., user1@domain.com,user2@domain.com) to delete - the same message ID from multiple mailboxes. | - - - ### Additional Notes: - - - This action performs a permanent deletion (or moves to 'Deleted Items' depending - on API behavior/mailbox settings) and cannot be undone via this integration. - - - If a CSV list is provided for 'User ID', the action will attempt to delete the - message from every mailbox in the list. + ai_description: "### General Description\nDeletes a specific email message from\ + \ one or more Microsoft 365 mailboxes using the Microsoft Graph API. This action\ + \ is primarily used for remediation purposes, such as removing phishing emails\ + \ or unauthorized communications from user inboxes.\n\n### Parameters Description\n\ + | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ + | Message ID | String | Yes | The unique identifier of the email message to be\ + \ deleted. |\n| User ID | String | Yes | The email address or userPrincipalName\ + \ of the user. This parameter supports a comma-separated list (CSV) to perform\ + \ the deletion across multiple mailboxes in a single execution. |\n\n### Flow\ + \ Description\n1. **Authentication**: The action initializes a connection to the\ + \ Microsoft Graph API using the configured Client ID, Tenant ID, and either a\ + \ Client Secret or Certificate.\n2. **Input Processing**: It extracts the target\ + \ Message ID and the User ID(s) provided in the action parameters.\n3. **Deletion\ + \ Logic**: \n - If a single User ID is provided, the action sends a DELETE\ + \ request to the Microsoft Graph endpoint for that specific message.\n - If\ + \ a CSV list of User IDs is provided, the action iterates through each user and\ + \ attempts to delete the message from their respective mailbox.\n4. **Completion**:\ + \ The action captures the API response status (expecting HTTP 204 for success)\ + \ and returns a summary of the operation's success or failure.\n\n### Additional\ + \ Notes\n- This action does not process SecOps entities; it relies entirely on\ + \ the provided Message ID and User ID parameters.\n- Ensure the Azure Application\ + \ has the appropriate permissions (e.g., `Mail.ReadWrite`) to perform deletions." capabilities: can_create_case_comments: false can_create_insight: false @@ -154,14 +135,14 @@ Delete Message: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Deletes email messages from specified user mailboxes within the Microsoft 365 - environment via the Microsoft Graph API. + Deletes email messages from Microsoft 365 mailboxes via the Microsoft Graph + API. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -175,40 +156,43 @@ Delete Message: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Message: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false contain_host: false create_ticket: false - delete_email: true + delete_email: false disable_identity: false download_file: false enable_identity: false enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Message: ai_description: >- ### General Description - The **Get Message** action retrieves the full details and metadata of a specific - email message from a user's Microsoft 365 inbox using the Microsoft Graph API. - This action is primarily used for forensic investigation, allowing security analysts - to inspect the content, headers, and properties of a specific email identified - in an alert. + The **Get Message** action retrieves the full details of a specific email message + from a user's Microsoft 365 inbox using the Microsoft Graph API. This action is + primarily used for forensic investigation or automated response flows where the + content or metadata of a specific email (identified by its unique ID) needs to + be analyzed. ### Parameters Description @@ -217,35 +201,38 @@ Get Message: | :--- | :--- | :--- | :--- | - | **User ID** | String | Yes | The email address or `userPrincipalName` of the - user whose mailbox is being accessed. | + | **User ID** | string | Yes | The `userPrincipalName` (typically the email address) + of the user whose mailbox is being accessed. | - | **Message ID** | String | Yes | The unique identifier (ID) of the specific email - message to be retrieved. | + | **Message ID** | string | Yes | The unique identifier of the specific email + message to retrieve. | ### Flow Description - 1. **Authentication**: The action establishes a connection to the Microsoft Graph - API using the configured Client ID, Tenant ID, and either a Client Secret or Certificate. + 1. **Authentication**: The action initializes a connection to the Microsoft Graph + API using the integration's Client ID, Secret, and Tenant ID. + + 2. **Parameter Extraction**: It extracts the target **User ID** and **Message + ID** from the action parameters. - 2. **Parameter Retrieval**: The action extracts the target `User ID` and `Message - ID` from the user input. + 3. **API Retrieval**: The action performs a GET request to the Microsoft Graph + endpoint: `https://graph.microsoft.com/v1.0/users/{User ID}/messages/{Message + ID}`. - 3. **Data Retrieval**: It executes a GET request to the Microsoft Graph endpoint: - `https://graph.microsoft.com/v1.0/users/{user_id}/messages/{message_id}`. + 4. **Data Processing**: The retrieved JSON data, containing message properties + such as subject, body, sender, and timestamps, is processed. - 4. **Output**: The retrieved message data is returned as a JSON object and attached - to the action results in Google SecOps. + 5. **Output**: The action returns the message details as a JSON result and completes + with a success status. ### Additional Notes - - This action is read-only and does not change the state of the email (e.g., it - does not mark the email as read). + - This action is read-only and does not modify the state of the email or the mailbox. - - The integration must have the appropriate API permissions (such as `Mail.Read` - or `Mail.ReadWrite`) configured in the Azure portal. + - Ensure the registered Azure AD application has the `Mail.Read` or `Mail.ReadWrite` + permissions. capabilities: can_create_case_comments: false can_create_insight: false @@ -257,9 +244,9 @@ Get Message: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: true + enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -273,6 +260,7 @@ Get Message: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get User MFA: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -283,78 +271,80 @@ Get Message: disable_identity: false download_file: false enable_identity: false - enrich_asset: false + enrich_asset: true enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: true search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get User MFA: ai_description: >- ### General Description Retrieves Multi-Factor Authentication (MFA) registration and status details for - users from Microsoft Graph. This action helps analysts determine if a user is - properly enrolled in MFA, which authentication methods they have configured, and - whether they are capable of performing MFA challenges. It processes both a manually - provided email address and any email-like entities found within the case context. - + users from Microsoft Graph. This action is designed to provide visibility into + a user's security posture by identifying whether they have registered for MFA, + if it is enabled, and which authentication methods are configured. It processes + a specific email address provided as a parameter and also automatically scans + all entities in the case that appear to be email addresses. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Create Insight | boolean | No | If set to `true`, the action will generate a - detailed Case Insight for every user successfully queried, summarizing their MFA - status. | + 1. **Authentication**: Connects to the Microsoft Graph API using the provided + Client ID, Secret ID (or Certificate), and Tenant ID. - | User Email | string | Yes | The specific User Principal Name (UPN) or email - address to search for. This user will always be the first entry in the results. - | + 2. **Parameter Processing**: Fetches MFA statistics for the primary user email + specified in the `User Email` action parameter. + 3. **Entity Processing**: Iterates through all entities associated with the current + case. It identifies entities whose identifiers contain an "@" symbol (treating + them as potential user principal names). - ### Flow Description + 4. **Data Retrieval**: For each identified user (from parameters and entities), + it queries the Microsoft Graph beta reports endpoint to retrieve credential registration + details. - 1. **Authentication**: Connects to the Microsoft Graph API using the integration's - Client ID, Tenant ID, and either a Client Secret or Certificate. + 5. **Insight Generation**: If the `Create Insight` parameter is enabled, the action + generates a detailed case insight for each user, summarizing their MFA registration + status, capabilities, and methods. - 2. **Manual User Query**: Fetches MFA statistics for the email address provided - in the `User Email` parameter via the `credentialUserRegistrationDetails` endpoint. + 6. **Output**: Returns a comprehensive JSON array containing the MFA statistics + for all processed users. - 3. **Initial Insight**: If `Create Insight` is enabled, it creates a case insight - for the manually provided user. - 4. **Entity Processing**: Iterates through all entities in the current SOAR case. + ### Parameters Description - 5. **Identifier Filtering**: For each entity, it checks if the identifier contains - an `@` symbol (treating it as a potential email/UPN). + | Parameter | Type | Mandatory | Description | - 6. **Contextual Enrichment**: For every matching entity, it retrieves the corresponding - MFA statistics from Microsoft Graph. + | :--- | :--- | :--- | :--- | - 7. **Contextual Insights**: If `Create Insight` is enabled, it generates insights - for each discovered entity. + | User Email | string | True | The primary userPrincipalName (email) to search + for. This user's data will always be the first entry in the results. | - 8. **Final Output**: Aggregates all retrieved MFA records into a JSON array and - returns a success status. + | Create Insight | boolean | False | If set to `true`, the action will create + a detailed insight in the Google SecOps case for every user successfully queried. + Defaults to `false`. | ### Additional Notes - The JSON result will always return the data for the `User Email` input at index - zero, followed by any data found for entities in the case. + - The action uses the Microsoft Graph Beta API endpoint (`/beta/reports/credentialUserRegistrationDetails`) + to fetch detailed MFA statistics. + + - The JSON result will always return the data for the `User Email` input at index + zero, followed by any data found for matching entities. capabilities: can_create_case_comments: false can_create_insight: true @@ -365,47 +355,47 @@ Get User MFA: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Creates case insights containing MFA registration details (isRegistered, isEnabled, - isCapable, authMethods) for the queried users. + Creates case insights containing MFA registration and capability details for + the specified users. categories: enrichment: true entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -419,6 +409,7 @@ Get User MFA: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +List Attachments: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -429,29 +420,31 @@ Get User MFA: disable_identity: false download_file: false enable_identity: false - enrich_asset: true + enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false - search_email: false + search_asset: false + search_email: true search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -List Attachments: ai_description: >- ### General Description Retrieves a list of attachment objects associated with a specific email message - using the Microsoft Graph API. This action allows analysts to view metadata for - all files attached to a message, such as file names, sizes, and content types, - which is essential for phishing investigations and forensic analysis. + in a user's mailbox using the Microsoft Graph API. This action provides metadata + for all files or items attached to the message, which is essential for forensic + analysis and email investigations. ### Parameters Description @@ -460,32 +453,39 @@ List Attachments: | :--- | :--- | :--- | :--- | - | User ID | String | Yes | The userPrincipalName (email) or unique ID of the user - whose mailbox is being accessed. | + | User ID | string | Yes | The email address (userPrincipalName) or the unique + identifier of the user whose mailbox is being accessed. | - | Message ID | String | No | The unique identifier of the message from which to - retrieve the attachment list. | + | Message ID | string | No | The unique identifier of the message from which to + retrieve the attachment list. Note: While marked as non-mandatory in configuration, + the underlying API call requires this ID to target a specific message. | - ### Flow Description + ### Additional Notes + + - This action performs a read-only operation and does not modify the mailbox or + the attachments. - 1. **Authentication**: The action initializes a connection to Microsoft Graph - using the provided Client ID, Tenant ID, and either a Client Secret or a Certificate. + - The results are returned as a JSON array containing attachment metadata (e.g., + name, content type, size). - 2. **Parameter Extraction**: It extracts the target User ID and Message ID from - the action parameters. - 3. **API Call**: It performs a GET request to the Microsoft Graph endpoint: `/users/{user_id}/messages/{message_id}/attachments`. + ### Flow Description - 4. **Data Output**: The retrieved list of attachment metadata is added to the - action's JSON results for use in playbooks. + 1. **Authentication**: The action initializes the Microsoft Graph Security Manager + using the provided Client ID, Secret/Certificate, and Tenant ID. + 2. **Parameter Extraction**: It retrieves the `User ID` and `Message ID` from + the action input parameters. - ### Additional Notes + 3. **API Request**: It executes a GET request to the Microsoft Graph endpoint: + `https://graph.microsoft.com/v1.0/users/{user_id}/messages/{message_id}/attachments`. + + 4. **Data Processing**: The action validates the API response and extracts the + list of attachment objects. - While the 'Message ID' is marked as not mandatory in the configuration, it is - required by the underlying API endpoint to successfully locate the message. If - omitted, the action may fail during the API request phase. + 5. **Output**: The retrieved data is attached to the action results as a JSON + object, and the action completes successfully. capabilities: can_create_case_comments: false can_create_insight: false @@ -497,9 +497,9 @@ List Attachments: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -513,6 +513,7 @@ List Attachments: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +List Mail Rules: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -523,68 +524,64 @@ List Attachments: disable_identity: false download_file: false enable_identity: false - enrich_asset: false + enrich_asset: true enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false - search_email: true + search_asset: false + search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -List Mail Rules: ai_description: >- - ### General Description - - The **List Mail Rules** action retrieves all message rules (inbox rules) defined - for a specific user's inbox using the Microsoft Graph API. This action is a critical - tool for security analysts investigating Business Email Compromise (BEC) or account - takeover incidents, as it allows for the identification of suspicious rules that - may be automatically forwarding, hiding, or deleting incoming correspondence. + The 'List Mail Rules' action retrieves all message rules defined for a specific + user's inbox within Microsoft Graph. This is useful for identifying potentially + malicious or suspicious mail forwarding, deletion, or redirection rules that could + indicate account compromise or data exfiltration. - ### Parameters Description + ### Flow Description: - | Parameter | Type | Mandatory | Description | + 1. **Authentication:** The action establishes a connection to the Microsoft Graph + API using the provided Client ID, Secret/Certificate, and Tenant ID. - | :--- | :--- | :--- | :--- | + 2. **Parameter Extraction:** It retrieves the 'User ID' (email address) from the + action parameters. - | **User ID** | String | Yes | The `userPrincipalName` or email address of the - target user whose inbox rules are to be retrieved. | + 3. **API Request:** It sends a GET request to the Microsoft Graph endpoint: `https://graph.microsoft.com/v1.0/users/{user_id}/mailFolders/inbox/messageRules`. + 4. **Data Processing:** The action receives the list of rule objects from the + response. - ### Flow Description + 5. **Output:** The retrieved mail rules are attached to the action result as a + JSON object for further analysis or playbook logic. - 1. **Authentication**: The action initializes a connection to the Microsoft Graph - API using the integration's Client ID, Tenant ID, and either a Client Secret or - Certificate. - 2. **Input Retrieval**: The action extracts the target `User ID` from the provided - action parameters. + ### Parameters Description: - 3. **API Invocation**: It executes a GET request to the Microsoft Graph endpoint: - `/v1.0/users/{User ID}/mailFolders/inbox/messageRules`. + | Parameter | Type | Mandatory | Description | - 4. **Result Processing**: The action captures the list of `messageRule` objects - returned by the API. + | :--- | :--- | :--- | :--- | - 5. **Completion**: The retrieved rules are added to the action's JSON results, - and the action concludes with a success status. + | User ID | string | True | The userPrincipalName or email address of the user + whose inbox rules are being queried. | - ### Additional Notes + ### Additional Notes: - - This action does not automatically iterate over entities in the SecOps case; - the target user must be explicitly provided via the **User ID** parameter. + - This action does not modify any data in Microsoft Graph; it is strictly a read-only + operation. - - The output includes detailed rule configurations, including conditions (e.g., - from specific senders) and actions (e.g., move to folder, delete, or forward). + - The results are returned in the `JsonResult` field of the action output. capabilities: can_create_case_comments: false can_create_insight: false @@ -596,9 +593,9 @@ List Mail Rules: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -612,6 +609,7 @@ List Mail Rules: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +List Messages: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -622,30 +620,32 @@ List Mail Rules: disable_identity: false download_file: false enable_identity: false - enrich_asset: true + enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false - search_email: false + search_asset: false + search_email: true search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -List Messages: ai_description: >- ### General Description - This action retrieves a list of email messages from a specific user's mailbox - using the Microsoft Graph API. It allows for granular searching and filtering - of messages based on OData query parameters and specific field selection. This - is primarily used for investigative purposes to identify suspicious emails or - audit mailbox activity. + Lists email messages from a specific user's Microsoft 365 mailbox using the Microsoft + Graph API. This action allows analysts to retrieve a collection of messages based + on specific criteria, which is essential for investigating phishing attempts, + data exfiltration, or verifying user communications. It supports OData query parameters + for advanced filtering and field selection to optimize the data returned. ### Parameters Description @@ -654,42 +654,45 @@ List Messages: | :--- | :--- | :--- | :--- | - | User ID | string | Yes | The userPrincipalName (email address) or unique ID - of the user whose mailbox will be queried. | + | User ID | String | Yes | The email address or userPrincipalName of the target + user whose mailbox will be queried. | - | Select Filter | string | No | A comma-separated list of specific message properties - to return (e.g., 'subject,sender,receivedDateTime'). If left empty, default fields - are returned. | + | Select Filter | String | No | A comma-separated list of specific fields to return + for each message (e.g., `sender,subject,receivedDateTime`). This helps reduce + the payload size. | - | Query Parameters | string | No | Standard Microsoft Graph OData query parameters - used to filter or sort results. Must begin with '$' (e.g., '$filter=subject eq - 'Urgent''). | + | Query Parameters | String | No | Standard Microsoft Graph OData query parameters. + Should begin with '$'. For example: `$filter=subject eq 'test'` or `$top=10`. + | - ### Additional Notes + ### Flow Description - - The action uses the Microsoft Graph `/users/{id}/messages` endpoint. + 1. **Initialization**: The action extracts the integration's connection details + (Client ID, Secret, Tenant ID) and the user-provided parameters (User ID, Select + Filter, Query Parameters). - - Ensure the integration has the necessary 'Mail.Read' or 'Mail.ReadWrite' permissions - in Azure AD. + 2. **Authentication**: It establishes a connection to Microsoft Graph using the + provided credentials (either client secret or certificate-based authentication). + 3. **Request Construction**: The action constructs the API request URL targeting + the `/users/{user_id}/messages` endpoint, appending the `$select` and other OData + query parameters if provided. - ### Flow Description + 4. **Data Retrieval**: It executes a GET request to the Microsoft Graph API to + fetch the list of messages. - 1. **Authentication**: The action establishes a connection to Microsoft Graph - using the configured Client ID, Secret, and Tenant ID. + 5. **Result Processing**: The retrieved message data is returned as a JSON object + and the action execution state is set to completed. - 2. **Parameter Extraction**: It retrieves the target User ID and optional filters - from the action parameters. - 3. **Query Construction**: The action builds the API request URL, appending the - `$select` filter and any provided OData query parameters. + ### Additional Notes - 4. **Data Retrieval**: A GET request is sent to the Microsoft Graph API to fetch - the message data. + - Ensure the Azure App Registration has the necessary permissions (e.g., `Mail.Read` + or `Mail.Read.All`) to access user mailboxes. - 5. **Result Processing**: The retrieved list of messages is formatted and attached - to the action's JSON results for use in subsequent playbook steps. + - The `Query Parameters` must follow the Microsoft Graph OData syntax to avoid + API errors. capabilities: can_create_case_comments: false can_create_insight: false @@ -701,9 +704,9 @@ List Messages: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: true + enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -717,6 +720,7 @@ List Messages: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -730,58 +734,63 @@ List Messages: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false - search_email: true + search_asset: false + search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: ai_description: >- ### General Description - The **Ping** action is a diagnostic tool used to verify the connectivity between - the Google SecOps platform and the Microsoft Graph Security API. It ensures that - the provided integration credentials (Client ID, Secret, Tenant ID, or Certificate) - are valid and that the environment can successfully authenticate and communicate - with the external service. + Verifies the connectivity between Google SecOps and the Microsoft Graph Security + API. This action validates the integration's configuration by attempting to authenticate + and retrieve an OAuth2 access token using the provided credentials (Client ID, + Secret ID, or Certificate and Tenant ID). ### Parameters Description - This action does not require any input parameters. It relies entirely on the global - integration configuration settings. + | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Flow Description + | None | N/A | N/A | This action does not have any input parameters. It relies + solely on the integration's configuration settings. | - 1. **Configuration Extraction:** The action retrieves the authentication details - (Client ID, Secret ID, Tenant ID, Certificate Path, and Certificate Password) - from the integration's configuration. - 2. **Manager Initialization:** It initializes the `MicrosoftGraphSecurityManager` - using the extracted credentials. + ### Flow Description + + 1. **Configuration Extraction**: The action retrieves the integration's global + configuration parameters, including the Client ID, Secret ID, Tenant ID, and certificate + details. - 3. **Authentication Attempt:** During initialization, the manager attempts to - request an OAuth2 access token from the Microsoft identity platform (`login.microsoftonline.com`). + 2. **Manager Initialization**: It instantiates the `MicrosoftGraphSecurityManager` + using the extracted configuration. - 4. **Validation:** If the token is successfully retrieved, the connection is validated. + 3. **Authentication Check**: Upon initialization, the manager attempts to perform + an OAuth2 handshake with the Microsoft identity platform to acquire an access + token. - 5. **Result Reporting:** The action returns a success status if the connection - is established or a failure status with an error message if authentication fails - or a network error occurs. + 4. **Execution Outcome**: If the authentication is successful, the action returns + a success status and a 'Connection Established' message. If the authentication + fails or a network error occurs, the action catches the exception and returns + a failure status with the error details. ### Additional Notes - * This action is typically used during the initial setup of the integration or - for troubleshooting connectivity issues. + This is a standard diagnostic action used to ensure that the integration is correctly + configured and has the necessary permissions to communicate with Microsoft Graph. capabilities: can_create_case_comments: false can_create_insight: false @@ -795,7 +804,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -809,28 +818,3 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/community/microsoft_graph_security_tools/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/microsoft_graph_security_tools/resources/ai/connectors_ai_description.yaml index 435d6765e..ecd104a03 100644 --- a/content/response_integrations/third_party/community/microsoft_graph_security_tools/resources/ai/connectors_ai_description.yaml +++ b/content/response_integrations/third_party/community/microsoft_graph_security_tools/resources/ai/connectors_ai_description.yaml @@ -1,73 +1,108 @@ MS SecureScore Alert: - ai_description: "### General Description\nThe MS SecureScore Alert connector monitors\ - \ the Microsoft Secure Score for an Azure tenant via the Microsoft Graph API.\ - \ It is designed to proactively alert security teams when the organization's security\ - \ posture\u2014represented by the Secure Score\u2014falls below a user-defined\ - \ threshold. This helps in identifying security regressions, configuration drifts,\ - \ or a decrease in compliance across Microsoft 365 services.\n\n### Parameters\ - \ Description\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- |\ - \ :--- | :--- |\n| Threshold | Integer | No | The Secure Score value limit. An\ - \ alert is triggered if the current score drops below this value. |\n| Tenant\ - \ ID | String | Yes | The Azure Active Directory Tenant ID. |\n| Secret ID | Password\ - \ | Yes | The Client Secret for the Azure App Registration. |\n| Client ID | String\ - \ | Yes | The Client ID for the Azure App Registration. |\n| Default Priority\ - \ | Integer | Yes | The priority assigned to the created alert (-1 to 100). |\n\ - | Certificate Path | String | No | Local path to a PFX certificate for authentication\ - \ if not using a Client Secret. |\n| Certificate Password | Password | No | Password\ - \ for the provided certificate file. |\n| EventClassId | String | Yes | The field\ - \ name used to determine the event name (sub-type) in the SOAR. |\n| DeviceProductField\ - \ | String | Yes | The field name used to determine the device product in the\ - \ SOAR. |\n| PythonProcessTimeout | String | Yes | The timeout limit (in seconds)\ - \ for the python process running the script. |\n\n### Flow Description\n1. **Authentication**:\ - \ The connector authenticates with the Microsoft Graph API using the provided\ - \ Client ID and either a Client Secret or a Certificate.\n2. **Data Retrieval**:\ - \ It calls the Microsoft Graph `secureScores` endpoint to fetch the most recent\ - \ security score data for the tenant.\n3. **Threshold Comparison**: The connector\ - \ compares the `currentScore` from the retrieved data against the configured `Threshold`\ - \ parameter.\n4. **Alert Generation**: If the current score is lower than the\ - \ threshold, the connector initiates the alert creation process.\n5. **Event Mapping**:\ - \ It extracts specific metrics such as active user counts, enabled services, and\ - \ comparative averages (Industry, Total Seats, and Tenant averages) and maps them\ - \ into a SOAR event.\n6. **Ingestion**: The alert, containing the detailed score\ - \ breakdown, is ingested into Google SecOps for further analysis." + ai_description: >- + ### General Description + + The **MS SecureScore Alert** connector monitors the Microsoft Secure Score for + a given tenant using the Microsoft Graph API. It is designed to proactively alert + security teams when the organization's security posture, as measured by the Secure + Score, falls below a predefined threshold. This allows for rapid response to changes + in security configurations or compliance across Microsoft 365 environments. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Client ID | String | Yes | The Application (client) ID from the Azure App Registration. + | + + | Secret ID | Password | Yes | The Client Secret from the Azure App Registration + (required if not using certificates). | + + | Tenant ID | String | Yes | The Directory (tenant) ID from Azure. | + + | Threshold | Integer | No | The numerical value representing the minimum acceptable + Secure Score. An alert is raised if the score drops below this. | + + | Default Priority | Integer | Yes | The priority assigned to the created alert + (-1: Informative, 40: Low, 60: Medium, 80: High, 100: Critical). | + + | Certificate Path | String | No | Local path to a certificate file on the server + if using certificate-based authentication. | + + | Certificate Password | Password | No | The password for the certificate file, + if applicable. | + + | EventClassId | String | Yes | The field name used to determine the event name + (default: SecureScore). | + + | DeviceProductField | String | Yes | The field name used to determine the device + product (default: Microsoft 365). | + + | PythonProcessTimeout | String | Yes | The timeout limit in seconds for the script + execution. | + + + ### Flow Description + + 1. **Authentication**: The connector authenticates with the Microsoft Graph API + using either the Client Secret or a provided Certificate. + + 2. **Data Retrieval**: It queries the Microsoft Graph Beta endpoint (`/security/secureScores`) + to retrieve the most recent Secure Score data. + + 3. **Threshold Comparison**: The script extracts the `currentScore` from the API + response and compares it against the user-configured `Threshold` parameter. + + 4. **Alert Generation**: If the current score is strictly less than the threshold, + the connector initiates the alert creation process. + + 5. **Event Mapping**: The connector creates a detailed event containing the current + score, active user counts, and comparative averages (Industry, Total Seats, and + Tenant averages). + + 6. **Ingestion**: The alert and its associated event data are packaged and ingested + into Google SecOps for analyst review. MS365 MFA Alert: - ai_description: "### General Description\nThe MS365 MFA Alert connector monitors\ - \ Microsoft 365 environments for Multi-Factor Authentication (MFA) compliance\ - \ and security posture. By integrating with the Microsoft Graph API, it identifies\ - \ users who lack MFA registration or possess self-service reset capabilities that\ - \ may violate organizational security policies. This connector helps security\ - \ teams proactively identify and remediate identity-based risks.\n\n### Parameters\ - \ Description\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- |\ - \ :--- | :--- |\n| Tenant ID | String | Yes | The Azure AD Tenant ID associated\ - \ with the Microsoft 365 environment. |\n| Client ID | String | Yes | The Application\ - \ (client) ID of the Azure app registration used for authentication. |\n| Secret\ - \ ID | Password | Yes | The Client Secret for the Azure app registration (required\ - \ if not using certificates). |\n| Certificate Path | String | No | The local\ - \ file path to a PFX certificate if using certificate-based authentication. |\n\ - | Certificate Password | Password | No | The password required to access the PFX\ - \ certificate file. |\n| MFA Registration Alert | Boolean | No | If enabled (true),\ - \ the connector generates alerts for users who are not registered for MFA. |\n\ - | Self Service Reset Alert | Boolean | No | If enabled (true), the connector generates\ - \ alerts for users who have the ability to perform self-service password or MFA\ - \ resets. |\n| Exclude Guests | Boolean | No | If enabled (true), the connector\ - \ will ignore external/guest users (identified by '#EXT#' in their UPN). |\n|\ - \ EventClassId | String | Yes | The field name used to determine the event sub-type\ - \ in the SOAR (default: 'MFA Alert'). |\n| DeviceProductField | String | Yes |\ - \ The field name used to determine the device product (default: 'Microsoft 365').\ - \ |\n| PythonProcessTimeout | String | Yes | The timeout limit in seconds for\ - \ the execution of the connector script. |\n\n### Flow Description\n1. **Authentication**:\ - \ The connector establishes a session with the Microsoft Graph API using either\ - \ the provided Client Secret or a PFX certificate.\n2. **Data Retrieval**: It\ - \ queries the `reports/credentialUserRegistrationDetails` endpoint to fetch the\ - \ current MFA registration status and capabilities for all users in the tenant.\n\ - 3. **Filtering**: \n * It excludes guest users if the 'Exclude Guests' parameter\ - \ is set to true.\n * It checks the user's Principal Name against the SOAR's\ - \ internal allowlist to skip authorized exceptions (e.g., legacy service accounts).\n\ - 4. **Alert Evaluation**: The connector evaluates each user based on the 'MFA Registration\ - \ Alert' and 'Self Service Reset Alert' logic. If a user is not registered for\ - \ MFA or is capable of self-service resets (and the corresponding parameter is\ - \ enabled), an alert is triggered.\n5. **Case Creation**: For every non-compliant\ - \ user identified, the connector creates a SOAR alert containing user metadata\ - \ such as Display Name, UPN, and specific registration flags.\n6. **Ingestion**:\ - \ The generated alerts are packaged and sent to the SOAR platform for analyst\ - \ review." + ai_description: "### General Description\nThe **MS365 MFA Alert** connector integrates\ + \ with the Microsoft Graph API to monitor and alert on the Multi-Factor Authentication\ + \ (MFA) registration status of users within a Microsoft 365 tenant. Its primary\ + \ purpose is to identify security gaps, such as users who have not registered\ + \ for MFA or users who have self-service password reset capabilities enabled,\ + \ which could pose a risk if not properly managed. By ingesting these status changes\ + \ as alerts, security teams can proactively enforce MFA policies and secure user\ + \ accounts.\n\n### Parameters Description\n| Parameter | Type | Mandatory | Description\ + \ |\n| :--- | :--- | :--- | :--- |\n| Tenant ID | String | Yes | The Azure Active\ + \ Directory Tenant ID. |\n| Client ID | String | Yes | The Application (client)\ + \ ID of the Azure App Registration. |\n| Secret ID | Password | Yes | The Client\ + \ Secret for the Azure App Registration. Required if not using certificate-based\ + \ authentication. |\n| Certificate Path | String | No | The local file path to\ + \ a certificate on the server if using certificate-based authentication instead\ + \ of a secret. |\n| Certificate Password | Password | No | The password for the\ + \ certificate file, if applicable. |\n| MFA Registration Alert | Boolean | No\ + \ | If enabled (true), the connector creates alerts for users who are not registered\ + \ for MFA. |\n| Self Service Reset Alert | Boolean | No | If enabled (true), the\ + \ connector creates alerts for users who have the ability to perform a self-service\ + \ password reset. |\n| Exclude Guests | Boolean | No | If enabled (true), the\ + \ connector will ignore guest/external users (identified by '#EXT#' in their UPN).\ + \ |\n| EventClassId | String | Yes | The value used to populate the event name/sub-type\ + \ (default: 'MFA Alert'). |\n| DeviceProductField | String | Yes | The value used\ + \ to identify the device product in the SOAR (default: 'Microsoft 365'). |\n|\ + \ PythonProcessTimeout | String | Yes | The maximum time in seconds allowed for\ + \ the connector execution. |\n\n### Flow Description\n1. **Authentication**: The\ + \ connector authenticates to the Microsoft Graph API using the provided Tenant\ + \ ID, Client ID, and either a Client Secret or a Certificate.\n2. **Data Retrieval**:\ + \ It queries the Microsoft Graph `credentialUserRegistrationDetails` report endpoint\ + \ to fetch MFA registration and capability statistics for all users in the tenant.\n\ + 3. **Filtering**: \n * It checks the global allowlist (whitelist) to exclude\ + \ specific service accounts or legacy users.\n * If 'Exclude Guests' is active,\ + \ it filters out any user principal names containing '#EXT#'.\n4. **Alert Evaluation**:\ + \ For each remaining user, the connector checks:\n * If the user is not MFA-registered\ + \ and 'MFA Registration Alert' is enabled.\n * If the user is capable of self-service\ + \ reset and 'Self Service Reset Alert' is enabled.\n5. **Case Creation**: For\ + \ every user meeting the alert criteria, the connector generates a SOAR Alert\ + \ containing user identity details (UPN, Display Name) and their specific MFA\ + \ registration status.\n6. **Ingestion**: The generated alerts and associated\ + \ events are packaged and sent to Google SecOps for case management and investigation." diff --git a/content/response_integrations/third_party/community/nucleon_cyber/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/nucleon_cyber/resources/ai/actions_ai_description.yaml index fb4bb5bf9..987b29b1c 100644 --- a/content/response_integrations/third_party/community/nucleon_cyber/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/nucleon_cyber/resources/ai/actions_ai_description.yaml @@ -1,52 +1,70 @@ GetIPs: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: true + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **GetIPs** action retrieves active threat intelligence data from the Nucleon - Cyber Active Threats API. It is designed to fetch a list of recently collected - cyber intelligence data points, typically used for feed ingestion or broad threat - hunting within a playbook. The action returns the raw intelligence data in a structured - JSON format. + Retrieves a list of active cyber threats from the Nucleon Cyber Active Threats + API. This action provides a JSON object containing intelligence data which can + be used for further analysis or correlation within a playbook. ### Parameters Description + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **limit** | string | Yes | Specifies the maximum number of threat intelligence - records to retrieve from the API. Defaults to '10'. | - - - ### Additional Notes - - * This action does not process specific entities from the Google SecOps case; - instead, it fetches a global feed of active threats based on the provided credentials - and limit. - - * The action requires valid integration-level configuration for `Username`, `Password`, - `client name`, and `client id` to authenticate successfully. + | limit | string | Yes | The maximum number of threat records to retrieve from + the API. Default is 10. | ### Flow Description - 1. **Configuration Retrieval:** The action extracts the necessary API credentials - (Username, Password, Client Name, Client ID) from the integration settings and - the `limit` parameter from the action input. + 1. **Configuration Extraction**: The action retrieves the necessary credentials + (Username, Password) and client identifiers (Client Name, Client ID) from the + integration configuration. - 2. **API Request:** It performs a POST request to the Nucleon Cyber `activethreats` - endpoint, passing the client identifiers and the result limit in the request body. + 2. **Parameter Retrieval**: It fetches the `limit` parameter to determine how + many threat records to request. - 3. **Authentication & Validation:** The script validates the response status code - and checks for specific error strings (e.g., 'ApiKey authenticate failed') to - ensure the connection was successful. + 3. **API Interaction**: A POST request is sent to the Nucleon Cyber `activethreats` + endpoint with the provided credentials and parameters. - 4. **Data Extraction:** It parses the JSON response to extract the `data` section - containing the threat intelligence. + 4. **Error Handling**: The action checks for a successful HTTP 200 response and + validates that the API key/credentials are correct. - 5. **Output Generation:** The retrieved data is added to the action's JSON results - and context details, making it available for subsequent playbook steps. + 5. **Data Processing**: It extracts the threat data from the response JSON. + + 6. **Output Generation**: The retrieved data is added to the action's JSON results, + making it available for subsequent steps in the SOAR workflow. capabilities: can_create_case_comments: false can_create_insight: false @@ -60,7 +78,7 @@ GetIPs: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -74,6 +92,7 @@ GetIPs: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -87,26 +106,28 @@ GetIPs: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: ai_description: >- ### General Description - The **Ping** action is designed to verify the connectivity between Google SecOps - and the NucleonCyber API. It serves as a diagnostic tool to ensure that the provided - credentials (Username, Password) and configuration parameters (Client Name, Client - ID) are valid and that the external service is reachable. + Verifies connectivity to the NucleonCyber API. This action performs a test request + to the active threats endpoint to ensure that the provided credentials (Username, + Password) and client identifiers (Client Name, Client ID) are valid and that the + service is reachable. ### Parameters Description @@ -115,33 +136,32 @@ Ping: | :--- | :--- | :--- | :--- | - | **limit** | String | Yes | Specifies the number of API results to request during - the connectivity test. Defaults to "5". | + | limit | string | Yes | Specifies the number of API results to request during + the connectivity test to verify data retrieval capabilities. | - ### Flow Description + ### Additional Notes - 1. **Configuration Extraction**: The action retrieves the integration's global - settings, including the Username, Password, Client Name, and Client ID. + This is a standard connectivity test (Ping) action and does not process or enrich + specific entities within a case. - 2. **Parameter Extraction**: The action retrieves the `limit` parameter from the - action input. - 3. **API Request**: It performs a POST request to the NucleonCyber `activethreats` - endpoint (`https://api.nucleoncyber.com/feed/activethreats`) using Basic Authentication. + ### Flow Description - 4. **Validation**: The action checks the HTTP response status code. If the status - code is 200, it confirms a successful connection. + 1. **Configuration Extraction**: Retrieves the integration's global configuration + parameters, including Username, Password, Client Name, and Client ID. - 5. **Outcome**: If the connection is successful, the action returns a success - message. If the credentials or connection fail (non-200 status), an exception - is raised. + 2. **Parameter Extraction**: Retrieves the `limit` action parameter. + 3. **API Request**: Executes a POST request to the NucleonCyber `activethreats` + endpoint using basic authentication and the client identifiers in the request + body. - ### Additional Notes + 4. **Validation**: Checks the HTTP response status. If the status code is not + 200, it raises an exception indicating bad credentials or a connection error. - * This action does not process any entities and is strictly used for integration - health checks. + 5. **Completion**: Ends the action with a success message if the connection is + established. capabilities: can_create_case_comments: false can_create_insight: false @@ -155,7 +175,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -169,28 +189,3 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/community/pager_duty/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/pager_duty/resources/ai/actions_ai_description.yaml index a6c5b58d6..4a5c0f363 100644 --- a/content/response_integrations/third_party/community/pager_duty/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/pager_duty/resources/ai/actions_ai_description.yaml @@ -1,53 +1,82 @@ Create Incident: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: true + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - This action creates a new incident in PagerDuty using the provided details. It - is typically used to escalate security alerts from Google SecOps to an on-call - rotation or incident management workflow in PagerDuty. + Creates a new incident in PagerDuty using specified parameters. This action allows + analysts to programmatically trigger PagerDuty incidents directly from Google + SecOps, ensuring that the right teams are notified with the necessary context. ### Parameters Description - | Parameter | Description | Type | Mandatory | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Details | A detailed description of the incident, providing context for the - responder. | String | Yes | + | Details | string | Yes | A detailed description of the incident, providing context + for the responder (e.g., 'A disk is getting full on this machine'). | - | Title | A short, descriptive title for the PagerDuty incident. | String | Yes - | + | Title | string | Yes | A short, descriptive title for the incident (e.g., 'The + server is on fire'). | - | Email | The email address of the user creating the incident. This is used in - the 'From' header required by the PagerDuty API. | String | Yes | + | Email | string | Yes | The email address of the PagerDuty user creating the + incident. This is used for the 'From' header in the API request. | - | Urgency | The urgency level of the incident (e.g., 'high' or 'low'). | String - | Yes | + | Urgency | string | Yes | The urgency level of the incident. Common values include + 'high' or 'low'. | ### Additional Notes - * This action requires the 'Services' ID to be configured in the PagerDuty integration - settings, as it determines which service the incident will be associated with. + * This action requires a 'Services' ID to be configured in the integration settings, + as PagerDuty incidents must be associated with a specific service. - * The action does not run on specific entities; it uses the provided parameters - to generate the external record. + * The action does not process entities; it creates a global incident based on + the provided parameters. ### Flow Description 1. **Initialization**: The action initializes the PagerDuty manager using the - API token and service configuration from the integration settings. + API token and retrieves the 'Services' ID from the integration configuration. - 2. **Parameter Extraction**: It retrieves the Title, Email, Urgency, and Details + 2. **Parameter Extraction**: It extracts the Title, Email, Urgency, and Details from the action parameters. - 3. **API Request**: The action sends a POST request to the PagerDuty `/incidents` - endpoint with the constructed payload. + 3. **API Request**: It sends a POST request to the PagerDuty `/incidents` endpoint + with the incident payload, including the 'From' header required by PagerDuty for + user attribution. - 4. **Result Processing**: If successful, the full JSON response of the created - incident is returned and added to the action results. + 4. **Result Handling**: If successful, the action returns the full JSON response + of the created incident and sets the execution state to completed. capabilities: can_create_case_comments: false can_create_insight: false @@ -56,13 +85,13 @@ Create Incident: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new incident record in the PagerDuty platform via a POST request. + Creates a new incident record in the PagerDuty platform. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -76,12 +105,13 @@ Create Incident: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Filtered Incident List: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false contain_host: false - create_ticket: true + create_ticket: false delete_email: false disable_identity: false download_file: false @@ -89,102 +119,95 @@ Create Incident: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: true remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Filtered Incident List: ai_description: >- - ### General Description + Retrieves a filtered list of incidents from PagerDuty based on specified criteria. + This action allows analysts to search for incidents using parameters such as status, + urgency, assigned users, teams, and specific time ranges. It is primarily used + to gather context about existing PagerDuty incidents or to find specific alerts + for further investigation. - This action retrieves a filtered list of incidents from PagerDuty based on a wide - variety of criteria. It allows analysts to search for specific incidents by status, - urgency, assigned users, teams, services, and time ranges. The results are returned - as a JSON object, making it ideal for automated reporting, incident auditing, - or as a precursor to bulk incident management within a playbook. + ### Flow Description: - ### Parameters Description - - | Parameter | Description | Type | Mandatory | - - | :--- | :--- | :--- | :--- | + 1. **Parameter Extraction:** The action retrieves configuration details (API Key) + and user-provided filter parameters from the environment. - | Email | The email address of the user making the request. This is often required - by PagerDuty for auditing purposes. | String | Yes | + 2. **Parameter Parsing:** It processes multi-choice parameters (like Urgencies, + Statuses, and IDs), handling them as lists or JSON-formatted strings to ensure + compatibility with the API request. - | Additional_Data | Specifies additional details to include in the response, such - as 'users', 'services', 'assignees', or 'teams'. | Multi-choice | No | + 3. **Filter Construction:** A query dictionary is built, mapping the provided + filters to the expected PagerDuty API query parameters (e.g., `statuses[]`, `urgencies[]`, + `since`, `until`). - | sort_by | Determines the field to sort by (e.g., incident_number, created_at) - and the order (asc, desc). | Multi-choice | No | + 4. **API Interaction:** The action calls the PagerDuty API's `/incidents` endpoint + using a GET request with the constructed query string. - | Urgencies | Filters incidents by their urgency level (low or high). | Multi-choice - | No | + 5. **Result Processing:** The retrieved list of incidents is returned as a JSON + object, and the action completes with a success message if incidents are found. - | User_IDS | Filters incidents assigned to specific User IDs. Multiple IDs can - be provided. | String | No | - | Team_IDS | Filters incidents assigned to specific Team IDs. Multiple IDs can - be provided. | String | No | + ### Parameters Description: - | Incident_Key | Filters for a specific incident using its unique Incident Key. - | String | No | + | Parameter | Type | Mandatory | Description | - | Incidents_Statuses | Filters incidents by their current state: triggered, acknowledged, - or resolved. | Multi-choice | No | + | :--- | :--- | :--- | :--- | - | Data_Range | Filters incidents based on a predefined data range string. | String - | No | + | **Email** | String | Yes | The email address of the user making the request. + Required for PagerDuty API headers. | - | Since | The start date for the search range in YYYY-MM-DD format. Maximum range - is 6 months. | String | No | + | **Urgencies** | Multi-choice | No | Filter incidents by urgency level (e.g., + 'low', 'high'). | - | Until | The end date for the search range in YYYY-MM-DD format. | String | No - | + | **Incidents_Statuses** | Multi-choice | No | Filter incidents by their current + state (e.g., 'triggered', 'acknowledged', 'resolved'). | - | Service_IDS | Filters incidents associated with specific Service IDs. | String - | No | + | **User_IDS** | String | No | Filter incidents assigned to specific user IDs + (can be a comma-separated list or JSON array). | + | **Team_IDS** | String | No | Filter incidents associated with specific team + IDs. | - ### Additional Notes + | **Service_IDS** | String | No | Filter incidents associated with specific service + IDs. | - - The action handles multi-choice parameters by parsing them as JSON lists if - they are formatted as such. + | **Incident_Key** | String | No | Filter by the unique incident key. | - - The `Since` parameter is restricted to a maximum lookback of 6 months by the - PagerDuty API. + | **Since** | String | No | Start date for the search (format: YYYY-MM-DD). | - - While the `Email` parameter is mandatory in the configuration, the underlying - logic for this specific search action primarily relies on the API Token for authentication. + | **Until** | String | No | End date for the search (format: YYYY-MM-DD). | + | **Data_Range** | String | No | A predefined date range for the search. | - ### Flow Description + | **sort_by** | Multi-choice | No | Determines the field to sort by and the order + (asc/desc). | - 1. **Initialization**: The action initializes the PagerDuty manager using the - integration's API key. + | **Additional_Data** | Multi-choice | No | Specifies additional incident details + to include in the response (e.g., 'users', 'services'). | - 2. **Parameter Extraction**: It extracts all filter parameters from the environment, - including mandatory fields like Email and optional filters like Statuses and IDs. - 3. **Data Parsing**: The script processes multi-choice and list-based parameters, - ensuring they are correctly formatted for the API request and removing any empty - values. + ### Additional Notes: - 4. **API Request**: It constructs a query dictionary and executes a GET request - to the PagerDuty `/incidents` endpoint with the specified filters. + - The `Since` and `Until` parameters should follow the `YYYY-MM-DD` format. The + maximum range for the search is typically 6 months. - 5. **Result Processing**: The action captures the list of incidents and attaches - them to the action's JSON result, completing the execution with a success message - if data is found. + - This action does not require any entities to be present in the SecOps case to + run. capabilities: can_create_case_comments: false can_create_insight: false @@ -198,7 +221,7 @@ Filtered Incident List: categories: enrichment: true entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -212,6 +235,7 @@ Filtered Incident List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Incident By ID: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -225,26 +249,29 @@ Filtered Incident List: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: true remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Incident By ID: ai_description: >- ### General Description - Retrieves detailed information about a specific PagerDuty incident using its unique - Incident Key. This action is useful for fetching the current status, urgency, - and metadata of an incident directly from PagerDuty to assist in automated workflows - or manual investigations within Google SecOps. + The **Get Incident By ID** action retrieves detailed information about a specific + incident from PagerDuty using its unique incident key. This action is primarily + used to fetch external context regarding a PagerDuty incident and bring it into + the Google SecOps environment for further analysis or automated decision-making + within a playbook. ### Parameters Description @@ -253,36 +280,39 @@ Get Incident By ID: | :--- | :--- | :--- | :--- | - | Incident Key | string | Yes | The unique identifier (Incident Key) of the PagerDuty - incident to retrieve. | + | Incident Key | string | Yes | The unique identifier (key) of the PagerDuty incident + to be retrieved. | - | Email | string | Yes | The email address of the user performing the action. - This is required by the PagerDuty API for the 'From' header to track who is making - the request. | + | Email | string | Yes | The email address of the PagerDuty user making the request. + This is required for the 'From' header in the PagerDuty API request. | ### Flow Description - 1. **Parameter Extraction**: The action extracts the `Incident Key` and the requester's - `Email` from the input parameters. + 1. **Parameter Extraction**: The action extracts the `Incident Key` and `Email` + from the input parameters and retrieves the API token from the integration configuration. - 2. **Manager Initialization**: Initializes the PagerDuty API manager using the - configured API token. + 2. **Manager Initialization**: It initializes the PagerDuty manager with the provided + API token. - 3. **API Request**: Sends a GET request to the PagerDuty `/incidents` endpoint, - including the user's email in the 'From' header. + 3. **Data Retrieval**: The action sends a GET request to the PagerDuty incidents + endpoint to fetch incident data. - 4. **Data Filtering**: Iterates through the returned incidents to find the one - that matches the provided `Incident Key`. + 4. **Filtering**: It iterates through the retrieved incidents to find the specific + record where the `incident_key` matches the provided input. - 5. **Result Processing**: If found, the incident details are added to the action's - JSON results. If not found, an appropriate message is returned. + 5. **Result Output**: If a match is found, the incident details are added to the + action's JSON results. The action then concludes with a success message and a + boolean result indicating whether the incident was found. ### Additional Notes - This action does not run on entities; it relies entirely on the provided `Incident - Key` parameter to identify the target record. + - This action does not operate on SecOps entities (like IPs or Hostnames); it + relies entirely on the provided `Incident Key` parameter. + + - The `Email` parameter is mandatory because PagerDuty's API requires the 'From' + header to identify the user performing the action. capabilities: can_create_case_comments: false can_create_insight: false @@ -296,7 +326,7 @@ Get Incident By ID: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -310,6 +340,7 @@ Get Incident By ID: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get User By Email: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -323,57 +354,63 @@ Get Incident By ID: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: true search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get User By Email: ai_description: >- ### General Description - Retrieves detailed information for a specific PagerDuty user based on their email - address. This action is useful for identifying user roles, contact information, - and account status within PagerDuty during an incident response workflow. + Retrieves detailed information for a specific PagerDuty user by providing their + email address. This action is primarily used to fetch user metadata such as names, + IDs, roles, and contact information from PagerDuty to assist in incident response + and user identification. ### Parameters Description - | Parameter | Description | Type | Mandatory | Notes | + | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | :--- | + | :--- | :--- | :--- | :--- | - | Email | The email address of the PagerDuty user to retrieve information for. - | string | Yes | Default value is 'test@example.com'. | + | Email | string | Yes | The email address of the PagerDuty user to retrieve information + for. Defaults to 'test@example.com' in configuration. | ### Flow Description - 1. **Parameter Retrieval**: The action extracts the `Email` parameter provided - by the user. + 1. **Initialization**: The action initializes the PagerDuty manager using the + API token provided in the integration configuration. + + 2. **Parameter Retrieval**: It extracts the target email address from the action + parameters. - 2. **API Query**: It calls the PagerDuty `/users` API endpoint using the email - as a query parameter. + 3. **API Request**: The action calls the PagerDuty `/users` endpoint with a query + parameter matching the provided email. - 3. **Data Filtering**: The action iterates through the returned list of users - to find an exact match for the provided email address. + 4. **Data Processing**: It iterates through the results returned by the API to + find an exact match for the email address. - 4. **Result Output**: If a match is found, the user's full profile (JSON) is added - to the action results. If no user is found, the action fails with an informative - message. + 5. **Result Handling**: If a match is found, the user's details are added to the + action's JSON results, and a success message is generated. If no user is found + or an error occurs, the action fails with an appropriate error message. ### Additional Notes - This action does not automatically process entities from the SecOps case; it relies - solely on the manual input provided in the `Email` parameter. + This action does not operate on SecOps entities; it relies entirely on the 'Email' + string parameter provided by the user or playbook. capabilities: can_create_case_comments: false can_create_insight: false @@ -387,7 +424,7 @@ Get User By Email: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -401,6 +438,7 @@ Get User By Email: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get User By ID: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -414,36 +452,39 @@ Get User By Email: enrich_asset: true enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get User By ID: - ai_description: "### General Description\nRetrieves detailed information for a specific\ - \ PagerDuty user using their unique User ID. This action is primarily used to\ - \ fetch metadata such as a user's name, email, time zone, role, and description\ - \ directly from the PagerDuty platform.\n\n### Parameters Description\n\n| Parameter\ - \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| UserID\ - \ | string | Yes | The unique identifier (ID) of the PagerDuty user to retrieve\ - \ information for. |\n\n### Flow Description\n1. **Initialization**: The action\ - \ initializes the PagerDuty manager using the API key provided in the integration\ - \ configuration.\n2. **Parameter Extraction**: It retrieves the `UserID` provided\ - \ by the user in the action parameters.\n3. **API Request**: The action performs\ - \ a GET request to the PagerDuty API endpoint `/users/{userID}`.\n4. **Data Processing**:\ - \ \n * If the user is found, the action extracts the user object from the response.\n\ - \ * If the user is not found or the request fails, an error message is generated.\n\ - 5. **Output**: The retrieved user data is added to the action's JSON results,\ - \ and the action completes with a success message containing the user's email.\n\ - \n### Additional Notes\nThis action does not process SecOps entities. It relies\ - \ entirely on the manual input of a PagerDuty User ID." + ai_description: "### General Description\nThe **Get User By ID** action retrieves\ + \ detailed information for a specific PagerDuty user using their unique User ID.\ + \ This action is primarily used to gather metadata about a user, such as their\ + \ name, email, role, time zone, and contact methods, which can be essential for\ + \ incident response and escalation workflows.\n\n### Parameters Description\n\ + | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ + | **UserID** | String | Yes | The unique identifier of the user in PagerDuty (e.g.,\ + \ 'PXP9SRE'). |\n\n### Flow Description\n1. **Input Retrieval**: The action extracts\ + \ the `UserID` from the action parameters.\n2. **API Connection**: It initializes\ + \ the PagerDuty manager using the integration's API key.\n3. **Data Fetching**:\ + \ The action performs a GET request to the PagerDuty `/users/{id}` endpoint.\n\ + 4. **Result Handling**: \n * If the user is found, the action returns the user's\ + \ profile data as a JSON object and completes successfully.\n * If the user\ + \ is not found or the API call fails, the action returns an error message and\ + \ marks the execution as failed.\n\n### Additional Notes\n- This action does not\ + \ automatically process entities from the SecOps case; it requires the specific\ + \ User ID to be provided as a parameter.\n- The retrieved data is stored in the\ + \ `JsonResult` output." capabilities: can_create_case_comments: false can_create_insight: false @@ -457,7 +498,7 @@ Get User By ID: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -471,6 +512,7 @@ Get User By ID: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +List All OnCall: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -484,57 +526,55 @@ Get User By ID: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -List All OnCall: ai_description: >- ### General Description - Retrieves a list of all current on-call shifts from PagerDuty. This action provides - visibility into which users are currently assigned to on-call schedules across - various services and escalation policies. It is primarily used to identify the - correct personnel to contact or escalate to during an incident response process. - + The **List All OnCall** action retrieves a comprehensive list of all current on-call + shifts and assignments from PagerDuty. This utility action provides visibility + into which users are currently responsible for incident response across all configured + services and schedules within the PagerDuty environment. - ### Flow Description - - 1. **Authentication**: The action initializes the PagerDuty manager using the - API key provided in the integration configuration. - 2. **API Request**: It executes a GET request to the PagerDuty `/oncalls` endpoint - to retrieve the current on-call status. + ### Parameters Description - 3. **Data Extraction**: The action parses the API response and extracts the list - of on-call entries. + There are no parameters for this action. - 4. **Result Output**: The retrieved list is added to the action's JSON results, - and the action completes with a success message. + ### Additional Notes - ### Parameters Description + This action does not operate on specific entities (such as Hostnames or IP Addresses) + and does not require any input parameters. It performs a global retrieval of on-call + data from the PagerDuty API. - | Parameter Name | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + ### Flow Description - | None | N/A | N/A | This action does not take any input parameters. | + 1. **Authentication**: The action initializes the PagerDuty manager using the + API key provided in the integration configuration. + 2. **Data Retrieval**: It executes a GET request to the PagerDuty `/oncalls` endpoint + to fetch the current on-call list. - ### Additional Notes + 3. **Result Handling**: The action extracts the list of on-call objects from the + response and attaches them to the action's JSON results. - This action does not interact with or filter based on entities within the Google - SecOps case. It returns a global list of on-call assignments for the PagerDuty - account. + 4. **Completion**: The action concludes with a success message indicating that + the users were successfully retrieved. capabilities: can_create_case_comments: false can_create_insight: false @@ -546,9 +586,9 @@ List All OnCall: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: true + enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -562,6 +602,7 @@ List All OnCall: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +List Incidents: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -575,52 +616,60 @@ List All OnCall: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: true remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -List Incidents: ai_description: >- ### General Description - The **List Incidents** action retrieves a comprehensive list of all incidents - from the PagerDuty platform. It provides visibility into the current state of - all incidents managed within the PagerDuty account, returning detailed metadata - for each incident found. + The **List Incidents** action retrieves a complete list of all incidents from + the PagerDuty platform. This is a utility action designed to provide broad visibility + into the current state of PagerDuty incidents, allowing analysts to see active + or historical records without needing to target a specific entity or alert ID. ### Parameters Description - There are no parameters for this action. + | Parameter Name | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | None | N/A | N/A | This action does not take any input parameters. | ### Flow Description - 1. **Initialization**: The action initializes the PagerDuty manager using the - API token retrieved from the integration's configuration. + 1. **Configuration Retrieval**: The action starts by fetching the PagerDuty API + key from the integration's configuration settings. - 2. **API Request**: It executes a GET request to the PagerDuty `/incidents` endpoint - to fetch all incident records. + 2. **API Interaction**: It initializes the PagerDuty manager and calls the `get_all_incidents` + method, which performs a GET request to the `/incidents` endpoint. - 3. **Data Output**: The retrieved list of incidents is added to the action's JSON - result for use in downstream playbook logic. + 3. **Data Processing**: The action receives the list of incidents from PagerDuty + and checks if any data was returned. - 4. **Finalization**: The action completes with a success message if incidents - are retrieved, or a 'not found' message if the list is empty. + 4. **Output Generation**: The retrieved incident data is added to the action's + JSON results, and the action completes with a success message indicating whether + incidents were found. ### Additional Notes - This action operates at a global level and does not filter results based on specific - entities or case context. + This action does not operate on specific entities (like IPs or Hostnames) and + does not modify any data within PagerDuty or Google SecOps. It is strictly a data + retrieval utility. capabilities: can_create_case_comments: false can_create_insight: false @@ -634,7 +683,7 @@ List Incidents: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -648,6 +697,7 @@ List Incidents: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +List Users: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -661,52 +711,57 @@ List Incidents: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -List Users: ai_description: >- ### General Description The **List Users** action retrieves a comprehensive list of all users associated - with the PagerDuty account. This action is primarily used for administrative visibility - or to provide a reference list of users for other automated workflows within the - SOAR platform. + with the PagerDuty account. This is a utility action used for administrative oversight, + user discovery, or to provide context for other PagerDuty-related workflows within + Google SecOps. It interacts with the PagerDuty API to fetch user metadata such + as names, emails, roles, and time zones. ### Parameters Description - There are no input parameters for this action. + There are no parameters required for this action. ### Flow Description - 1. **Authentication**: The action retrieves the API key from the integration configuration - and initializes the PagerDuty manager. + 1. **Initialization**: The action initializes the PagerDuty manager using the + API token provided in the integration configuration. - 2. **Data Retrieval**: It executes a GET request to the PagerDuty `/users` endpoint - to fetch all user records. + 2. **API Request**: It executes a GET request to the PagerDuty `/users` endpoint + to retrieve the full list of user objects. - 3. **Result Handling**: The action parses the response, extracts the list of users, - and attaches the raw data to the action's JSON results. + 3. **Data Processing**: The action captures the list of users returned by the + API. - 4. **Completion**: The action concludes with a success message if users are found, - or a 'no users found' message if the list is empty. + 4. **Output**: The retrieved user data is added to the action's JSON results, + and a success message is generated for the analyst. ### Additional Notes - This action does not operate on specific entities and fetches data at the global - account level. + * This action does not require any input entities or parameters to run. + + * If no users are found in the PagerDuty account, the action will complete successfully + but report that no users were found. capabilities: can_create_case_comments: false can_create_insight: false @@ -720,7 +775,7 @@ List Users: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -734,6 +789,7 @@ List Users: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -747,57 +803,40 @@ List Users: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: ai_description: >- - ### General Description - - The **Ping** action is a utility designed to verify the connectivity between the - Google SecOps platform and the PagerDuty API. It ensures that the provided API - key is valid and that the network path to PagerDuty's services is open. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | N/A | N/A | N/A | This action does not have any input parameters. It relies - on the integration's configuration (API Key). | - - - ### Additional Notes - - - This action is primarily used for troubleshooting and initial setup validation. - - - It does not interact with any SecOps entities or modify any data. - - - ### Flow Description - - 1. **Configuration Extraction**: The action retrieves the `api_key` from the PagerDuty - integration settings. - - 2. **Client Initialization**: A connection session is established using the PagerDuty - Manager. - - 3. **Connectivity Test**: The action performs a GET request to the `/abilities` - endpoint of the PagerDuty API. - - 4. **Validation**: The action checks the response status; a successful response - confirms connectivity. + ### General Description\n\nThe **Ping** action is used to verify the connectivity + between Google SecOps and the PagerDuty API. It ensures that the provided API + key is valid and that the PagerDuty service is reachable. This action is essential + for confirming that the integration is correctly configured and ready for use.\n\n### + Parameters Description\n\n| Parameter | Type | Mandatory | Description |\n| :--- + | :--- | :--- | :--- |\n| None | N/A | N/A | This action does not have any input + parameters. |\n\n### Additional Notes\n\n* The action relies on the `api_key` + provided in the integration configuration. This key must have the necessary permissions + to access the PagerDuty API (specifically the `/abilities` endpoint).\n* This + action is typically used during the initial setup or troubleshooting of the PagerDuty + integration.\n\n### Flow Description\n\n1. **Parameter Extraction**: The action + retrieves the `api_key` from the PagerDuty integration configuration.\n2. **Client + Initialization**: A `PagerDutyManager` instance is created using the API key.\n3. + **Connectivity Test**: The action calls the `test_connectivity` method, which + performs a `GET` request to the PagerDuty `/abilities` endpoint.\n4. **Result + Validation**: If the request is successful (HTTP 200), the action returns a success + message. If the request fails (e.g., due to an invalid API key or network issues), + an error message is generated. capabilities: can_create_case_comments: false can_create_insight: false @@ -806,12 +845,12 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -825,6 +864,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Run Response Play: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -838,62 +878,68 @@ Ping: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Run Response Play: ai_description: >- - Runs a specified PagerDuty Response Play on a given incident. Response plays are - pre-configured packages of actions in PagerDuty that can be manually or automatically - triggered to streamline incident response, such as notifying specific stakeholders - or adding responders. Note: This action is marked as deprecated. + ### General Description + The **Run Response Play** action triggers a specified PagerDuty Response Play + for a given incident. Response Plays are predefined sets of actions that can be + executed to manage incidents efficiently, such as notifying specific teams or + updating incident statuses. This action is currently marked as deprecated. - ### Flow Description: - 1. **Parameter Extraction:** Retrieves the user's email, the Response Play ID, - and the Incident ID from the action parameters. + ### Parameters Description - 2. **Manager Initialization:** Initializes the PagerDuty API manager using the - provided API key. + | Parameter | Type | Mandatory | Description | - 3. **Execution:** Sends a POST request to the PagerDuty API endpoint `/response_plays/{response_plays_id}/run` - with the incident reference in the payload. + | :--- | :--- | :--- | :--- | - 4. **Result Handling:** Captures the API response and reports the success or failure - of the play execution to the Google SecOps case wall. + | Email | string | Yes | The email address of the PagerDuty user. This is used + in the 'From' header for API authentication and auditing. Default is 'test@example.com'. + | + | Response ID | string | Yes | The unique identifier of the Response Play to be + executed. Default is 'test'. | - ### Parameters Description: + | Incident_ID | string | Yes | The unique identifier of the PagerDuty incident + on which the play will be run. Default is 'Default'. | - | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + ### Flow Description - | Email | String | Yes | The email address of the PagerDuty user performing the - action. This is used for the 'From' header required by PagerDuty's API. | + 1. **Initialization:** The action extracts the user email, Response Play ID, and + Incident ID from the input parameters. - | Response ID | String | Yes | The unique identifier of the Response Play to be - executed. | + 2. **API Request:** It constructs and sends a POST request to the PagerDuty API + endpoint `/response_plays/{response_play_id}/run`. - | Incident_ID | String | Yes | The unique identifier of the PagerDuty incident - on which the response play will be run. | + 3. **Execution:** The request includes the incident reference in the payload and + the user's email in the headers. + 4. **Completion:** The action captures the API response, adds it to the JSON results, + and reports the success or failure of the operation. - ### Additional Notes: - - This action is deprecated and may be replaced by newer workflow capabilities. + ### Additional Notes + + - This action is deprecated and may be removed in future versions. - - The action requires a valid API key with permissions to execute response plays. + - It does not interact with SOAR entities directly; all identifiers must be provided + as parameters. capabilities: can_create_case_comments: false can_create_insight: false @@ -902,14 +948,14 @@ Run Response Play: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Triggers a Response Play in PagerDuty, which initiates automated workflows, - notifications, or status changes associated with a specific incident. + Triggers a response play in PagerDuty for a specific incident, which can initiate + various automated workflows, notifications, or status changes. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -923,6 +969,7 @@ Run Response Play: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Snooze Incident: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -936,60 +983,66 @@ Run Response Play: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: true -Snooze Incident: ai_description: >- - ### General Description + Snoozes a PagerDuty incident for a predefined duration of 3600 seconds (1 hour). + This action interacts with the PagerDuty API to temporarily silence notifications + for a specific incident, effectively changing its state in the external system. + It requires the Incident ID and the email address of the requester to authorize + the change. - Snoozes a specific PagerDuty incident for a duration of one hour. This action - changes the state of the incident in PagerDuty, preventing further notifications - for the specified period and returning the updated incident details. - - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + | --- | --- | --- | --- | | Email | string | Yes | The email address of the PagerDuty user performing the - action. This is required for the 'From' header in PagerDuty API requests. | + action. This is used in the 'From' header for API authentication and auditing. + | | IncidentID | string | Yes | The unique identifier of the PagerDuty incident - to be snoozed. | + that needs to be snoozed. | ### Flow Description - 1. **Initialization**: The action initializes the PagerDuty manager using the - API key from the integration configuration. + 1. **Initialization**: The action retrieves the PagerDuty API key from the integration + configuration and extracts the 'Email' and 'IncidentID' from the action parameters. - 2. **Parameter Extraction**: It retrieves the mandatory `Email` and `IncidentID` - from the action parameters. + 2. **API Interaction**: It utilizes the PagerDutyManager to send a POST request + to the `/incidents/{incident_id}/snooze` endpoint. - 3. **API Execution**: It calls the PagerDuty API's snooze endpoint (`POST /incidents/{incident_id}/snooze`) - with a hardcoded duration of 3600 seconds (1 hour). + 3. **Payload**: The request includes a hardcoded payload setting the snooze duration + to 3600 seconds. - 4. **Output**: Upon success, the action returns the updated incident JSON data - and completes the execution. If an HTTP error occurs, it captures the error details - and marks the action as failed. + 4. **Result Processing**: If successful, the action retrieves the updated incident + data from PagerDuty and attaches it as a JSON result to the SOAR action. If the + API returns an error (e.g., 404 or 403), the action fails and reports the HTTP + error details. ### Additional Notes - The snooze duration is currently hardcoded to 3600 seconds (1 hour) within the - integration's manager logic. + * This action does not run on entities; it operates strictly based on the provided + Incident ID parameter. + + * The snooze duration is currently fixed at 1 hour within the script logic. capabilities: can_create_case_comments: false can_create_insight: false @@ -998,14 +1051,14 @@ Snooze Incident: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Changes the status of an incident in PagerDuty to 'snoozed', which suppresses - notifications for a duration of 1 hour. + Changes the status of a PagerDuty incident to 'snoozed' for a duration of one + hour via a POST request to the PagerDuty API. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1019,28 +1072,3 @@ Snooze Incident: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: true diff --git a/content/response_integrations/third_party/community/pager_duty/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/pager_duty/resources/ai/connectors_ai_description.yaml index 2cd32e755..d74bc3c55 100644 --- a/content/response_integrations/third_party/community/pager_duty/resources/ai/connectors_ai_description.yaml +++ b/content/response_integrations/third_party/community/pager_duty/resources/ai/connectors_ai_description.yaml @@ -2,15 +2,16 @@ PagerDutyConnector: ai_description: >- ### General Description - The PagerDuty connector facilitates the ingestion of incidents from the PagerDuty - platform into Google SecOps. It allows security teams to centralize incident management - by pulling active PagerDuty incidents and converting them into actionable alerts - within the SOAR environment. Additionally, the connector supports an automated - acknowledgment feature to synchronize incident states between both platforms. + + The PagerDuty connector integrates Google SecOps with the PagerDuty API to automate + the ingestion of incidents. It monitors PagerDuty for new incidents, transforms + them into SOAR alerts, and provides an optional mechanism to automatically acknowledge + incidents within PagerDuty once they are successfully ingested into the platform. ### Parameters Description + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | @@ -18,38 +19,41 @@ PagerDutyConnector: | apiKey | String | Yes | The API Key used to authenticate with the PagerDuty API. | - | acknowledge | Boolean | No | If enabled, the connector will automatically acknowledge - the incident in PagerDuty upon successful ingestion. Requires an API key with - write permissions. | + | acknowledge | Boolean | No | If set to true, the connector will acknowledge + the incident in PagerDuty immediately after ingestion. Note: The API key must + have write permissions for incidents. | | DeviceProductField | String | Yes | The field name used to determine the device - product for the ingested alert (default: device_product). | + product in the ingested event data. | | EventClassId | String | Yes | The field name used to determine the event name - or sub-type (default: event_name). | + or sub-type. | - | PythonProcessTimeout | String | Yes | The maximum time in seconds allowed for - the connector script to execute. | + | PythonProcessTimeout | String | Yes | The maximum time (in seconds) allowed + for the connector script to execute. | ### Flow Description + 1. **Authentication**: The connector establishes a session with the PagerDuty API using the provided API Key. 2. **Incident Retrieval**: It queries the PagerDuty `/incidents` endpoint to fetch a list of current incidents. - 3. **Severity Mapping**: The connector maps PagerDuty urgency levels to Google - SecOps severity values (e.g., 'high' maps to 100, 'low' maps to -1). + 3. **Severity Mapping**: For each incident, the connector maps PagerDuty's urgency + levels ('high' or 'low') to the internal SOAR severity scale (e.g., 'high' maps + to 100). - 4. **Alert Construction**: For each incident, the connector creates an `AlertInfo` - object, populating it with the incident title, creation time, and flattened event - data. + 4. **Alert Construction**: The connector builds an `AlertInfo` object for each + incident, populating it with metadata such as the incident title, creation time, + and unique PagerDuty ID. The raw incident data is flattened and attached as an + event. - 5. **State Synchronization**: If the `acknowledge` parameter is set to true, the - connector sends a request to PagerDuty to update the incident status to 'acknowledged' - for each processed alert. + 5. **Auto-Acknowledgment**: If the `acknowledge` parameter is enabled, the connector + sends a request back to PagerDuty to update the incident status to 'acknowledged' + for every incident successfully processed. - 6. **Ingestion**: The finalized list of alerts is returned to the system for case + 6. **Ingestion**: The final list of alerts is returned to Google SecOps for case creation and further orchestration. diff --git a/content/response_integrations/third_party/community/perimeter_x/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/perimeter_x/resources/ai/actions_ai_description.yaml index 53a697701..5d7cc4339 100644 --- a/content/response_integrations/third_party/community/perimeter_x/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/perimeter_x/resources/ai/actions_ai_description.yaml @@ -1,41 +1,53 @@ Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - The Ping action is a utility designed to verify the connectivity and authentication - status between Google SecOps and the Slack API for the PerimeterX integration. - It ensures that the configured Slack API Key is valid and that the system can - successfully communicate with Slack's authentication endpoint. - - - ### Flow Description: - - 1. **Configuration Retrieval**: The action extracts the 'Slack API Key' and 'Slack - Channel' from the integration's global configuration settings. - - 2. **Manager Initialization**: It initializes the PerimeterXManager using the - retrieved Slack credentials. - - 3. **Authentication Test**: It performs a POST request to the Slack `auth.test` - API endpoint to validate the token. - - 4. **Result Validation**: The action evaluates the API response. If the response - indicates success ('ok': true), the action completes successfully. If the API - returns an error or the connection fails, the action reports a failure. - - - ### Parameters Description: - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | N/A | N/A | N/A | This action does not have any input parameters; it uses integration - configuration parameters. | - - - ### Additional Notes: - - This action is primarily used for health checks and troubleshooting to ensure - the Slack connector is properly configured within the PerimeterX integration. + ### General Description\nThe **Ping** action is a diagnostic tool designed to + verify the connectivity between Google SecOps and the Slack API using the configured + PerimeterX integration credentials. It ensures that the provided API key is valid + and that the system can successfully communicate with Slack's authentication endpoints.\n\n### + Parameters Description\n\n| Parameter | Type | Mandatory | Description |\n| :--- + | :--- | :--- | :--- |\n| Slack API Key | String | Yes | The API token used to + authenticate with Slack. This is a configuration-level parameter. |\n| Slack Channel + | String | Yes | The Slack channel name used for the integration. This is a configuration-level + parameter. |\n\n### Additional Notes\n* This action does not require any runtime + parameters; it uses the values defined in the integration configuration.\n* This + action does not process or interact with any entities or alerts.\n* As a 'Ping' + action, it is excluded from being categorized as an enrichment action.\n\n### + Flow Description\n1. **Parameter Extraction**: The action retrieves the `Slack + API Key` and `Slack Channel` from the integration's configuration settings.\n2. + **Manager Initialization**: It initializes the `PerimeterXManager` with the retrieved + Slack credentials.\n3. **Authentication Check**: The action calls the Slack `auth.test` + API endpoint to validate the token.\n4. **Result Evaluation**: If the API returns + a successful response (`ok: true`), the action reports a successful connection.\n5. + **Error Handling**: If the API call fails or returns an error, the action captures + the exception and reports a failure state. capabilities: can_create_case_comments: false can_create_insight: false @@ -49,7 +61,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -63,28 +75,3 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/community/perimeter_x/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/perimeter_x/resources/ai/connectors_ai_description.yaml index 584f5ba73..a7f8bf690 100644 --- a/content/response_integrations/third_party/community/perimeter_x/resources/ai/connectors_ai_description.yaml +++ b/content/response_integrations/third_party/community/perimeter_x/resources/ai/connectors_ai_description.yaml @@ -2,11 +2,12 @@ Slack Connector For Code Defender: ai_description: >- ### General Description - The Slack Connector For Code Defender allows Google SecOps to ingest security - alerts from PerimeterX Code Defender via a Slack integration. It monitors a designated - Slack channel where Code Defender posts incident notifications, automatically - converting these messages into structured cases and events for security orchestration - and response. + The Slack Connector For Code Defender integrates Google SecOps with Slack to ingest + security alerts generated by PerimeterX Code Defender. It monitors a designated + Slack channel where PerimeterX posts incident notifications, automatically converting + these messages into structured cases for security orchestration and response. + This connector is ideal for teams using Slack as a centralized notification hub + for their PerimeterX security events. ### Parameters Description @@ -18,43 +19,41 @@ Slack Connector For Code Defender: | Slack Channel | String | Yes | The name of the Slack channel to monitor for alerts (e.g., 'cd_alerts'). Do not include the '#' prefix. | - | Slack API Key | Password | Yes | The API Key/Token used to authenticate with + | Slack API Key | Password | Yes | The OAuth API Key used to authenticate with the Slack API. | | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the - python process running the current script. | + Python process running the connector script. | | EventClassId | String | Yes | The field name used to determine the event name - or sub-type. | + or sub-type within the SOAR. | | DeviceProductField | String | Yes | The field name used to determine the device - product (e.g., 'PerimeterXCodeDefender'). | + product (e.g., PerimeterXCodeDefender). | ### Flow Description - 1. **Authentication and Setup**: The connector authenticates with the Slack API - using the provided API Key and resolves the specified Slack Channel name to a - unique Channel ID. + 1. **Authentication**: The connector authenticates with the Slack API using the + provided API Key. - 2. **Timestamp Management**: It retrieves the timestamp of the last successful - execution to ensure only new messages are processed, preventing duplicate alerts. + 2. **Channel Identification**: It searches for the internal Slack Channel ID corresponding + to the configured channel name. - 3. **Message Retrieval**: The connector queries the Slack `conversations.history` - endpoint, fetching messages from the channel since the last run. It supports pagination - to handle large volumes of messages. + 3. **Message Retrieval**: The connector fetches recent message history from the + channel, utilizing a stored timestamp to ensure only new messages since the last + execution are processed. - 4. **Alert Filtering**: It filters the retrieved messages to identify specific - PerimeterX Code Defender notifications by looking for the title 'Code Defender - has detected a new incident' within the message attachments. + 4. **Alert Filtering**: It filters the message stream specifically for messages + containing the title "Code Defender has detected a new incident" within the attachments. 5. **Data Extraction**: For each matching message, the connector parses the attachment - fields to extract critical metadata, including Risk Level (Severity), Script Name, - Host Domain, and deep links to the PerimeterX console. + fields to extract critical alert metadata, including Risk Level (Severity), Host + Domain, Script details, and deep links to the PerimeterX console. - 6. **Case Creation**: The extracted data is mapped to the Google SecOps AlertInfo - model. Priorities are assigned based on a mapping of Code Defender risk levels - (Informative, Low, Medium, High, Critical). + 6. **Mapping and Ingestion**: The extracted data is mapped to the Google SecOps + AlertInfo model, where Risk Levels are translated into system priorities. The + alerts are then ingested as cases. - 7. **Ingestion**: The connector packages the alerts and events, ingests them into - Google SecOps, and updates the stored timestamp for the next iteration. + 7. **Checkpointing**: The timestamp of the most recent processed message is saved + to prevent duplicate ingestion in subsequent runs. diff --git a/content/response_integrations/third_party/community/perimeter_x/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/perimeter_x/resources/ai/integration_ai_description.yaml index a67fd6077..b927e7b41 100644 --- a/content/response_integrations/third_party/community/perimeter_x/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/community/perimeter_x/resources/ai/integration_ai_description.yaml @@ -7,6 +7,6 @@ product_categories: iam_and_identity_management: false itsm: false network_security: true - siem: true + siem: false threat_intelligence: false vulnerability_management: false diff --git a/content/response_integrations/third_party/community/philips_hue/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/philips_hue/resources/ai/actions_ai_description.yaml index 9c92d02e2..8f4a18b12 100644 --- a/content/response_integrations/third_party/community/philips_hue/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/philips_hue/resources/ai/actions_ai_description.yaml @@ -1,45 +1,68 @@ Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Ping** action is designed to verify the connectivity between the Google - SecOps platform and the Philips HUE Bridge. It serves as a diagnostic tool to - ensure that the integration's configuration parameters, such as the Bridge IP - and Authorized Username, are correct and that the bridge is reachable over the - network. + The **Ping** action is used to verify the connectivity between Google SecOps and + the Philips HUE Bridge. It ensures that the provided Bridge IP and Authorized + Username are correct and that the bridge is reachable over the network. ### Parameters Description - There are no action-specific parameters for this action. It relies entirely on - the integration's global configuration parameters: + There are no action-specific parameters for this action. It relies on the integration's + configuration parameters: * **Bridge IP**: The IP address of the Philips HUE bridge. - * **Authorized Username**: The username used to authorize access to the bridge's - API. + * **Authorized Username**: The username used to authorize access to the bridge. ### Flow Description - 1. **Initialization**: The action initializes the `PhilipsManager` using the `Bridge - IP` and `Authorized Username` retrieved from the integration configuration. + 1. **Parameter Extraction**: The action retrieves the Bridge IP and Authorized + Username from the integration configuration. - 2. **Connectivity Test**: It calls the `test_connectivity` method, which performs - a synchronous GET request to the base API endpoint of the Philips HUE Bridge. + 2. **Manager Initialization**: A connection manager is initialized using the retrieved + credentials. - 3. **Validation**: The action checks if the request was successful (HTTP status - code 200). + 3. **Connectivity Test**: The action performs a GET request to the bridge's base + API endpoint. - 4. **Result Reporting**: If the connection is successful, it returns a success - message and sets the script result to `True`. If an error occurs during the request, - it captures the exception and reports a failure. + 4. **Result Handling**: If the request is successful, the action returns a success + status; otherwise, it reports a failure with the error details. ### Additional Notes - This action does not interact with any entities and is strictly used for health - checks of the integration connection. + This action is primarily used for troubleshooting and initial setup verification. capabilities: can_create_case_comments: false can_create_insight: false @@ -53,7 +76,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -67,6 +90,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Turn Off Light: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -80,64 +104,36 @@ Ping: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Turn Off Light: ai_description: >- - ### General Description - - The **Turn Off Light** action allows users to programmatically turn off a specific - Philips HUE light bulb connected to a Philips HUE Bridge. This action is designed - to interact with the Philips HUE API to change the physical state of a device - based on its unique identifier. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **Light ID** | String | Yes | The unique identifier of the light bulb you wish - to turn off. This ID can be found by listing lights via the bridge API. | - - - ### Flow Description - - 1. **Configuration Retrieval**: The action retrieves the Bridge IP and Authorized - Username from the integration's global configuration. - - 2. **ID Verification**: It queries the Philips HUE Bridge to verify that the provided - `Light ID` exists within the bridge's registry. - - 3. **Reachability Check**: It performs a check to ensure the specific light bulb - is currently reachable (powered and within range) by the bridge. - - 4. **State Mutation**: If the light is valid and reachable, the action sends a - PUT request to the bridge's state endpoint for that specific light, setting the - `on` parameter to `false`. - - 5. **Result Reporting**: The action provides an output message indicating success - or failure and returns the raw JSON response from the bridge API. - - - ### Additional Notes - - - This action requires a pre-configured and authorized username on the Philips - HUE Bridge. - - - If the light is physically powered off at a wall switch, the action will identify - it as 'unreachable' and fail to change the state. + Turns off a specific Philips Hue light bulb using its unique identifier. This + action interacts with the Philips Hue Bridge API to verify the light's existence + and reachability before sending a command to update its state to 'off'.\n\n### + Flow Description:\n1. **Parameter Extraction:** Retrieves the Bridge IP and Authorized + Username from the integration configuration and the Light ID from the action parameters.\n2. + **Existence Check:** Queries the bridge to ensure the provided Light ID exists.\n3. + **Reachability Check:** Verifies if the light is currently reachable by the bridge.\n4. + **State Update:** Sends a PUT request to the bridge to set the light's 'on' state + to false.\n5. **Result Reporting:** Returns the status of the operation and the + details of the light's state.\n\n### Parameters Description:\n| Parameter | Type + | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Light ID | String + | Yes | The unique identifier of the light bulb you wish to turn off. |\n\n### + Additional Notes:\n- This action does not process SecOps entities; it operates + directly on the provided Light ID parameter. capabilities: can_create_case_comments: false can_create_insight: false @@ -146,14 +142,14 @@ Turn Off Light: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Modifies the physical state of a Philips HUE light bulb by sending a PUT request - to the bridge API to set the 'on' property to false. + Changes the state of a physical light bulb to 'off' via the Philips Hue Bridge + API. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -167,6 +163,7 @@ Turn Off Light: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Turn On Light and Color: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -180,25 +177,28 @@ Turn Off Light: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Turn On Light and Color: ai_description: >- ### General Description - Turns on a specific Philips Hue light bulb and configures its color and visual - alert effect. This action is designed to provide physical notifications or status - indicators within a workspace by interacting with a Philips Hue Bridge. + Turns on a specific Philips Hue light bulb and applies a selected color and alert + effect. This action is used to provide physical visual indicators (e.g., turning + a light red during a high-severity incident) by interacting with the Philips Hue + Bridge API. ### Parameters Description @@ -207,43 +207,38 @@ Turn On Light and Color: | :--- | :--- | :--- | :--- | - | Light ID | string | Yes | The unique identifier of the light bulb to be controlled. - | + | Light ID | string | Yes | The unique identifier of the light bulb you want to + control. | - | Color | ddl | Yes | The color to apply to the light. Supported values: Red, - Orange, Yellow, Green, Blue, Purple, Pink. | + | Color | ddl | Yes | The color to apply to the light. Options include Red, Orange, + Yellow, Green, Blue, Purple, and Pink. | - | Alert effect | ddl | Yes | The visual effect to trigger. 'None' turns the light - on normally. 'Flicker-Once' flashes the light once. 'Flicker-Loop' flashes the - light for 15 seconds. | + | Alert effect | ddl | Yes | The visual effect to trigger. 'None' just turns the + light on; 'Flicker-Once' performs a single alert cycle; 'Flicker-Loop' performs + alert cycles for 15 seconds. | ### Flow Description - 1. **Initialization**: Retrieves the Bridge IP and Authorized Username from the - integration configuration. + 1. **Initialization**: Extracts the Bridge IP and Username from the integration + configuration, and the Light ID, Color, and Alert effect from the action parameters. - 2. **Validation**: Checks the Philips Hue Bridge to ensure the provided Light - ID exists. + 2. **Validation**: Checks if the provided Light ID exists on the Philips Hue Bridge. 3. **Reachability Check**: Verifies if the specific light bulb is currently reachable - by the Bridge. + by the bridge. - 4. **Execution**: Sends a PUT request to the Bridge API to turn the light on, - set the specific hue corresponding to the chosen color, and apply the selected - alert effect. + 4. **Execution**: Sends a PUT request to the bridge to turn the light on, set + the hue (based on the chosen color), and apply the selected alert effect. - 5. **Reporting**: Returns the result of the operation, including reachability - status and API response details. + 5. **Reporting**: Returns a success message if the light was successfully updated, + or an error message if the light was unreachable or the ID was invalid. ### Additional Notes - - This action requires the Philips Hue Bridge to be accessible from the Google - SecOps environment. - - - If the light bulb is powered off at the switch or out of range, the action will - fail and report that the light is unreachable. + This action does not run on entities; it requires a specific Light ID to be provided + manually as a parameter. capabilities: can_create_case_comments: false can_create_insight: false @@ -252,15 +247,14 @@ Turn On Light and Color: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the physical state of a Philips Hue light bulb, including its power - status (on/off), color (hue), and visual alert effects via a PUT request to - the Hue Bridge API. + Changes the state of a physical Philips Hue light bulb by turning it on and + modifying its color and alert effect settings via a PUT request to the Hue Bridge. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -274,28 +268,3 @@ Turn On Light and Color: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/community/phish_tank/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/phish_tank/resources/ai/actions_ai_description.yaml index f9dbdc1f7..ce6404370 100644 --- a/content/response_integrations/third_party/community/phish_tank/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/phish_tank/resources/ai/actions_ai_description.yaml @@ -1,28 +1,80 @@ Check Url: - ai_description: "### General Description\nThe **Check Url** action queries the PhishTank\ - \ community database to determine if specific URL entities are associated with\ - \ phishing activities. It retrieves metadata such as verification status, validity,\ - \ and direct links to PhishTank detail pages. This action is primarily used for\ - \ automated URL enrichment and threat validation within a security orchestration\ - \ workflow.\n\n### Parameters Description\nThere are no action-specific parameters\ - \ for this action. It relies on the global integration configuration for the PhishTank\ - \ Service URL.\n\n### Additional Notes\n* This action requires the **Service Url**\ - \ to be correctly configured in the PhishTank integration settings.\n* The action\ - \ uses the `OriginalIdentifier` of an entity if available; otherwise, it defaults\ - \ to the standard identifier.\n* Results are returned in both a human-readable\ - \ summary and a structured JSON format for downstream playbook logic.\n\n### Flow\ - \ Description\n1. **Configuration Retrieval**: The action fetches the PhishTank\ - \ Service URL from the integration's provider configuration.\n2. **Entity Filtering**:\ - \ It identifies all entities of type `URL` (DestinationURL) within the current\ - \ alert scope.\n3. **External Query**: For each URL, it sends a POST request to\ - \ the PhishTank API to check its status.\n4. **Data Parsing**: The action parses\ - \ the XML response from PhishTank to extract phishing details.\n5. **Internal\ - \ Updates**: \n * If a URL is found in the database, it generates an **Entity\ - \ Insight** containing the PhishTank link and verification status.\n * If the\ - \ URL is explicitly marked as **verified** in PhishTank, the action sets the entity's\ - \ `is_suspicious` attribute to `True`.\n6. **Finalization**: The action updates\ - \ the modified entities in Google SecOps and provides a summary message of the\ - \ findings." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + ### General Description + + Enriches URL entities by checking their reputation against the PhishTank community + database. This action identifies if a URL is known for phishing activities, retrieves + verification status, and provides direct links to PhishTank detail pages. + + + ### Parameters Description + + | Parameter Name | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Service Url | String | Yes | The PhishTank API endpoint URL, configured at the + integration level. | + + + ### Flow Description + + 1. **Configuration Retrieval:** Fetches the PhishTank service URL from the integration + settings. + + 2. **Entity Filtering:** Identifies all `URL` entities within the current action + scope. + + 3. **Reputation Lookup:** For each URL, sends a POST request to the PhishTank + API to query its status. + + 4. **Data Parsing:** Processes the XML response to extract database presence, + verification status, and validity. + + 5. **Insight Generation:** Adds an entity insight to the SOAR case for each URL, + detailing whether it was found and its verification status. + + 6. **Entity Update:** If a URL is verified as a phish, the action marks the entity + as suspicious and updates its status in Google SecOps. + + 7. **Result Reporting:** Returns a summary of found, suspicious, and failed entities, + along with the raw JSON data for further analysis. + + + ### Additional Notes + + - This action uses the `OriginalIdentifier` of the entity if available, falling + back to the standard identifier for the lookup. + + - A score modifier of 50 is applied internally to entities found in the database. capabilities: can_create_case_comments: false can_create_insight: true @@ -33,13 +85,13 @@ Check Url: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates the 'is_suspicious' attribute of URL entities and creates entity insights - based on PhishTank reputation data. + Updates the 'is_suspicious' attribute of URL entities if they are verified as + phishing in PhishTank and adds entity insights to the case. categories: enrichment: true entity_usage: entity_types: - - DestinationURL + - DestinationURL filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -53,6 +105,7 @@ Check Url: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -64,65 +117,57 @@ Check Url: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: true + enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: ai_description: >- ### General Description - The **Ping** action is a utility designed to verify the connectivity between Google - SecOps and the PhishTank service. Its primary purpose is to ensure that the integration - is correctly configured and that the PhishTank API is reachable from the environment. + The **Ping** action is a diagnostic tool used to verify the connectivity between + the Google SecOps environment and the PhishTank service. It ensures that the integration + is correctly configured and that the PhishTank API is reachable and responding + to requests. ### Parameters Description - There are no action-specific parameters for this action. It utilizes the global - integration configuration to perform the connectivity test. - - - | Parameter Name | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | N/A | N/A | N/A | This action does not take any input parameters. | + There are no user-configurable parameters for this action. It relies solely on + the integration's global configuration. ### Additional Notes - * This action uses a hardcoded test URL (`google.com`) to perform a POST request - to the PhishTank API to validate the connection. - - * It relies on the 'Service Url' defined in the PhishTank integration settings. + This action performs a test request using a hardcoded URL (`google.com`) to validate + the API's response format and availability. ### Flow Description - 1. **Configuration Retrieval**: The action retrieves the 'Service Url' from the - PhishTank integration configuration. + 1. **Configuration Extraction**: The action retrieves the `Service Url` from the + PhishTank integration settings. - 2. **Request Construction**: It prepares a POST request with a payload containing - a test URL (`google.com`) and specifies the format as JSON. + 2. **Connectivity Request**: It executes a POST request to the service URL with + a sample payload containing a test URL and a request for a JSON response. - 3. **Connectivity Test**: The action sends the request to the PhishTank service - using the configured headers. + 3. **Status Verification**: The action checks the HTTP response status code. If + the request fails (e.g., 4xx or 5xx error), an exception is raised. - 4. **Validation**: It checks the response status. If the request is successful - (HTTP 200 OK), it confirms the connection. - - 5. **Completion**: The action ends with a success message: 'PhishTank is connected'. + 4. **Result Reporting**: Upon a successful response, the action concludes by reporting + that the service is connected. capabilities: can_create_case_comments: false can_create_insight: false @@ -131,12 +176,12 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: false + fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -150,28 +195,3 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/community/pulsedive/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/pulsedive/resources/ai/actions_ai_description.yaml index c5e79a3c4..b30c0700b 100644 --- a/content/response_integrations/third_party/community/pulsedive/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/pulsedive/resources/ai/actions_ai_description.yaml @@ -1,34 +1,63 @@ Enrich IP: - ai_description: "Enriches IP Address entities using threat intelligence from Pulsedive.\ - \ This action retrieves detailed indicator data, including risk levels, risk factors,\ - \ and community comments, to provide context for security alerts.\n\n### Flow\ - \ Description\n1. **Filter Entities:** Identifies all IP Address (ADDRESS) entities\ - \ within the current context.\n2. **Fetch Intelligence:** For each IP, it queries\ - \ the Pulsedive API to retrieve reputation data, risk scores, and optionally,\ - \ community comments.\n3. **Risk Evaluation:** Compares the retrieved risk level\ - \ against the user-defined 'Threshold'. If the risk meets or exceeds the threshold,\ - \ the entity is marked as suspicious in Google SecOps.\n4. **Internal Enrichment:**\ - \ Updates the entity's additional properties with Pulsedive metadata and sets\ - \ the 'is_enriched' flag.\n5. **Insight & Reporting:** \n * Creates an entity\ - \ insight containing a summary of the risk analysis.\n * If comments are retrieved,\ - \ it constructs a data table on the case wall for analyst review.\n6. **Final\ - \ Update:** Commits all entity changes (suspicious status and enrichment properties)\ - \ back to the SecOps platform.\n\n### Parameters Description\n| Parameter | Type\ - \ | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Threshold | DDL\ - \ | Yes | The risk level (verylow, low, medium, high, critical) at which an entity\ - \ should be marked as suspicious. Default is 'medium'. |\n| Retrieve Comments\ - \ | Boolean | No | If enabled, the action fetches community comments associated\ - \ with the IP from Pulsedive. Default is true. |\n| Only Suspicious Entity Insight\ - \ | Boolean | No | If enabled, insights will only be created for entities that\ - \ meet the risk threshold. Default is false. |\n| Max Comments To Return | String\ - \ | No | Specifies the maximum number of comments to retrieve and display in the\ - \ data table. Default is 50. |\n\n### Additional Notes\n* The action uses a mapping\ - \ system to translate Pulsedive's risk strings into numerical scores for comparison\ - \ against the user-provided threshold.\n* Data tables are added to the case wall\ - \ for each entity that has associated comments, provided 'Retrieve Comments' is\ - \ enabled." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "Enriches IP Address entities using Pulsedive threat intelligence.\ + \ This action retrieves comprehensive data about an IP, including its risk level,\ + \ risk factors, and community comments. It evaluates the risk against a user-defined\ + \ threshold to automatically mark entities as suspicious within Google SecOps.\n\ + \n### Flow Description\n1. **Filter Entities:** Identifies all IP Address entities\ + \ (ADDRESS) within the current context.\n2. **Fetch Intelligence:** For each IP,\ + \ it queries the Pulsedive API to retrieve indicator details, risk scores, and\ + \ optionally, community comments.\n3. **Risk Evaluation:** Compares the retrieved\ + \ Pulsedive risk level (e.g., 'high', 'critical') against the user-provided 'Threshold'\ + \ parameter.\n4. **Internal Enrichment:** \n * Updates the entity's additional\ + \ properties with Pulsedive metadata (prefixed with 'PD').\n * Marks the entity\ + \ as 'suspicious' if the risk meets or exceeds the threshold.\n * Marks the\ + \ entity as 'enriched'.\n5. **Reporting:** \n * Generates an Entity Insight\ + \ containing a formatted HTML report of the risk factors and indicator details.\n\ + \ * If enabled, creates a Data Table on the case wall containing community\ + \ comments.\n6. **Finalize:** Updates the entities in the SecOps platform and\ + \ returns a JSON result summarizing the findings.\n\n### Parameters Description\n\ + | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ + | **Threshold** | DDL | Yes | The minimum risk level (verylow, low, medium, high,\ + \ critical) required for the action to mark an entity as suspicious. |\n| **Retrieve\ + \ Comments** | Boolean | No | If true, the action fetches and displays community\ + \ comments from Pulsedive. Default is true. |\n| **Only Suspicious Entity Insight**\ + \ | Boolean | No | If true, insights will only be created for entities that meet\ + \ the risk threshold. Default is false. |\n| **Max Comments To Return** | String\ + \ | No | Limits the number of comments retrieved and displayed in the data table.\ + \ Default is 50. |\n\n### Additional Notes\n* The action uses a mapping system\ + \ to convert Pulsedive's string-based risk levels into numerical scores for comparison\ + \ against the user-defined threshold.\n* Enrichment data is added to entities\ + \ with the prefix 'PD' to distinguish Pulsedive data from other sources." capabilities: - can_create_case_comments: true + can_create_case_comments: false can_create_insight: true can_modify_alert_data: false can_mutate_external_data: false @@ -37,14 +66,13 @@ Enrich IP: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action updates entity attributes with enrichment data, marks entities as - suspicious based on risk thresholds, creates entity insights, and adds data - tables containing comments to the case wall. + Updates entity suspicious status, adds enrichment properties to the entity objects, + creates entity insights, and adds data tables to the case wall. categories: enrichment: true entity_usage: entity_types: - - ADDRESS + - ADDRESS filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -58,8 +86,9 @@ Enrich IP: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Enrich URL: action_product_categories: - add_alert_comment: true + add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false contain_host: false @@ -71,74 +100,77 @@ Enrich IP: enrich_asset: false enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Enrich URL: ai_description: >- ### General Description Enriches URL entities using threat intelligence from Pulsedive. This action retrieves - comprehensive indicator data, including risk levels, risk factors, and community - comments, to provide security analysts with actionable context. It evaluates the - URL's risk against a user-defined threshold and can automatically mark entities - as suspicious within the platform. + comprehensive indicator data, including risk levels, risk factors, and user comments. + It evaluates the risk of each URL against a user-defined threshold to determine + if the entity should be marked as suspicious within Google SecOps. - ### Parameters + ### Parameters Description | Parameter | Type | Mandatory | Description | - | --- | --- | --- | --- | + | :--- | :--- | :--- | :--- | - | Max Comments To Return | String | No | Specifies the maximum number of Pulsedive - comments to retrieve and display (Default: 50). | + | Max Comments To Return | String | No | Specifies the maximum number of comments + to retrieve from Pulsedive for each entity. Default is 50. | - | Threshold | DDL | Yes | The risk level (verylow, low, medium, high, critical) - at which the entity should be labeled as suspicious. | + | Threshold | DDL | Yes | Defines the risk level at which an entity is marked + as suspicious. Options include: `verylow`, `low`, `medium`, `high`, and `critical`. + | | Retrieve Comments | Boolean | No | If enabled, the action fetches community - comments associated with the URL. | + comments associated with the URL. Default is `true`. | - | Only Suspicious Entity Insight | Boolean | No | If enabled, insights will only - be generated for entities that meet or exceed the risk threshold. | + | Only Suspicious Entity Insight | Boolean | No | If enabled, entity insights + will only be created for URLs that meet or exceed the specified risk threshold. + Default is `false`. | - ### Flow Description + ### Additional Notes + + - The action maps Pulsedive risk levels to numerical scores for comparison: `unknown` + (-1), `none` (0), `low` (1), `medium` (2), `high` (3), and `critical` (4). - 1. **Initialization**: The action initializes the Pulsedive manager using the - provided API root and key. + - Enrichment data is prefixed with `PD` in the entity's additional properties. - 2. **Entity Filtering**: It identifies all URL entities within the current alert - context. - 3. **Data Retrieval**: For each URL, it queries the Pulsedive API to fetch indicator - details, risk scores, and (optionally) comments. + ### Flow Description + + 1. **Filter Entities:** Identifies all URL entities within the current context. - 4. **Risk Evaluation**: The URL's risk level is compared against the user-defined - threshold. If the risk is equal to or higher than the threshold, the entity is - marked as suspicious. + 2. **Fetch Intelligence:** For each URL, queries the Pulsedive API to retrieve + indicator details, risk scores, and comments. - 5. **Enrichment**: Entity attributes are updated with Pulsedive metadata (prefixed - with 'PD'), and the entity is marked as enriched. + 3. **Risk Evaluation:** Compares the retrieved risk level against the configured + `Threshold` parameter. - 6. **Case Wall Reporting**: If comments are retrieved, they are formatted into - a data table and added to the case wall. + 4. **Internal Mutation:** If the threshold is met, marks the entity as suspicious + (`is_suspicious = True`). - 7. **Insight Generation**: A detailed HTML insight is created for the entity, - summarizing the risk level and specific risk factors identified by Pulsedive. + 5. **Enrichment:** Updates the entity's additional properties with Pulsedive metadata + and sets the `is_enriched` flag. - 8. **Finalization**: The action updates the entities in Google SecOps and returns - a summary of successful and failed enrichments. + 6. **Reporting:** Adds a data table to the case wall for retrieved comments and + generates an entity insight based on the analysis results and user preferences. capabilities: can_create_case_comments: false can_create_insight: true @@ -149,13 +181,13 @@ Enrich URL: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity suspicious status, populates enrichment fields, adds data tables - to the case wall for comments, and creates entity insights. + Updates entity suspicious status, populates additional properties with enrichment + data, creates entity insights, and adds data tables to the case wall. categories: enrichment: true entity_usage: entity_types: - - DestinationURL + - DestinationURL filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -169,6 +201,7 @@ Enrich URL: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Threat Details: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -182,26 +215,29 @@ Enrich URL: enrich_asset: false enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Threat Details: ai_description: >- ### General Description - Retrieves comprehensive threat intelligence from Pulsedive based on a specific - threat name or threat ID. This action provides detailed context including risk - summaries, associated news, and user comments, helping analysts understand the - nature and severity of a known threat actor or campaign. + The **Get Threat Details** action retrieves comprehensive threat intelligence + from Pulsedive using either a threat name or a specific threat ID. It provides + detailed context including risk levels, categories, wiki summaries, related news, + and user comments. This information helps analysts understand the nature and severity + of a specific threat actor or campaign. ### Parameters Description @@ -210,47 +246,50 @@ Get Threat Details: | :--- | :--- | :--- | :--- | - | Threat Name | String | No | The name of the threat to retrieve information for - (e.g., 'Zeus'). | + | **Threat Name** | String | No | The name of the threat to retrieve information + for (e.g., "Zeus"). | - | Threat ID | String | No | The unique Pulsedive ID for the threat. | + | **Threat ID** | String | No | The unique Pulsedive ID for the threat. | - | Retrieve Comments | Boolean | No | If set to true, retrieves and displays user - comments associated with the threat. Default is true. | + | **Retrieve Comments** | Boolean | No | If set to `True`, retrieves user comments + associated with the threat. Default is `True`. | - | Split Risk | Boolean | No | If set to true, categorizes the associated indicator - counts by their risk levels. Default is true. | + | **Split Risk** | Boolean | No | If set to `True`, breaks down indicator counts + by risk level. Default is `True`. | - | Create Insight | Boolean | No | If set to true, generates a detailed Siemplify - Insight within the case containing the threat's risk summary and news. Default - is false. | + | **Create Insight** | Boolean | No | If set to `True`, creates a detailed case + insight in Google SecOps. Default is `False`. | - ### Flow Description + ### Additional Notes - 1. **Parameter Initialization:** The action extracts API credentials from the - integration configuration and retrieves the user-provided threat identifiers and - display options. + - Either **Threat Name** or **Threat ID** should be provided for the action to + function correctly. - 2. **Data Retrieval:** It queries the Pulsedive API using either the provided - `Threat Name` or `Threat ID` to fetch the threat's metadata, risk summary, and - news. + - The action adds a data table to the case wall containing threat comments if + they are retrieved. - 3. **Comment Processing:** If `Retrieve Comments` is enabled, the action fetches - associated comments and formats them into a data table for the case wall. - 4. **Insight Generation:** If `Create Insight` is enabled, the action constructs - a formatted HTML insight containing the threat's category, risk summary (counts - of indicators by risk level), wiki summary, and recent news links. + ### Flow Description - 5. **Result Output:** The action returns the full threat data as a JSON object - and provides a success message if the threat details were successfully found. + 1. **Parameter Extraction:** The action retrieves the API configuration and user-provided + parameters (Threat Name, ID, and display options). + 2. **Pulsedive Query:** It calls the Pulsedive API to fetch threat data based + on the provided identifier. - ### Additional Notes + 3. **Data Processing:** The action parses the response, extracting risk summaries, + wiki information, and news. + + 4. **Comment Retrieval:** If enabled, it fetches and formats user comments into + a CSV-style table. - Either the **Threat Name** or the **Threat ID** must be provided for the action - to successfully locate threat data. If neither is provided, the action will fail. + 5. **Internal Mutation:** + - Adds a data table to the case wall for comments. + - If **Create Insight** is enabled, it generates a formatted insight with + the threat's risk summary and news. + 6. **Output:** Returns the full threat data as a JSON object and completes the + action. capabilities: can_create_case_comments: false can_create_insight: true @@ -261,12 +300,12 @@ Get Threat Details: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action creates a case insight containing threat intelligence and adds a - data table for threat comments to the action results. + Adds a data table for threat comments to the case wall and can create a case + insight with threat details. categories: - enrichment: true + enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -280,6 +319,7 @@ Get Threat Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -291,62 +331,42 @@ Get Threat Details: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: true + enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: - ai_description: >- - ### General Description - - The **Ping** action is a diagnostic utility designed to verify the connectivity - between the Google SecOps platform and the Pulsedive API. It ensures that the - provided configuration parameters, such as the API Root and API Key, are valid - and that the network path is open. - - - ### Parameters Description - - There are no runtime parameters for this action. It relies entirely on the integration's - global configuration (API Root, API Key, and Verify SSL). - - - ### Additional Notes - - - This action is typically used during the initial setup of the Pulsedive integration - or for troubleshooting connection issues. - - - It performs a test search request to the Pulsedive API to confirm that the credentials - have the necessary permissions to interact with the service. - - - ### Flow Description - - 1. **Initialization**: The action initializes the Siemplify context and retrieves - the global configuration parameters (API Root, API Key, and SSL verification settings). - - 2. **Manager Setup**: It instantiates the `PulsediveManager` using the retrieved - configuration. - - 3. **Connectivity Test**: The action calls the `test_connectivity` method, which - executes a GET request to the Pulsedive search endpoint with a set of test parameters. - - 4. **Validation**: If the API responds with a successful status code, the action - confirms connectivity. If an exception occurs (e.g., 401 Unauthorized, 404 Not - Found, or network timeout), the action captures the error. - - 5. **Completion**: The action terminates, returning a success message if the connection - was established or a failure message with error details if it was not. + ai_description: "### General Description\nThe **Ping** action is a diagnostic utility\ + \ designed to verify the connectivity between the Google SecOps platform and the\ + \ Pulsedive API. Its primary purpose is to ensure that the integration's configuration\ + \ parameters\u2014such as the API Root, API Key, and SSL verification settings\u2014\ + are valid and that the Pulsedive service is reachable over the network.\n\n###\ + \ Parameters Description\nThis action does not require any input parameters.\n\ + \n### Additional Notes\nThis action is typically used during the initial setup\ + \ of the Pulsedive integration or when troubleshooting communication failures.\ + \ It does not process any entities or modify any data within the SOAR or Pulsedive.\n\ + \n### Flow Description\n1. **Extract Configuration**: The action retrieves the\ + \ global integration settings, including the `API Root`, `API Key`, and `Verify\ + \ SSL` preference.\n2. **Initialize Manager**: It instantiates the `PulsediveManager`\ + \ using the extracted configuration.\n3. **Connectivity Test**: The manager executes\ + \ a GET request to the Pulsedive search endpoint (`/api/search.php`) to test the\ + \ API's responsiveness.\n4. **Response Validation**: The script validates the\ + \ HTTP response. If the status code indicates success, the action proceeds; otherwise,\ + \ it catches the exception.\n5. **Finalize Execution**: The action returns a success\ + \ message if the connection is established or a detailed error message if the\ + \ connection fails." capabilities: can_create_case_comments: false can_create_insight: false @@ -355,12 +375,12 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -374,6 +394,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Scan Indicator: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -385,137 +406,134 @@ Ping: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: false + enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Scan Indicator: ai_description: >- - Performs a scan on indicators (IPs, Domains, URLs, Hashes) using Pulsedive to - retrieve threat intelligence, risk scores, and community comments. This is an - asynchronous action that initiates a scan task, polls for completion, and then - enriches the entities within Google SecOps based on the results. - - - ### Parameters Description + Performs a security scan on indicators using Pulsedive to retrieve comprehensive + threat intelligence. This action is asynchronous and supports both Passive (metadata + lookup) and Active (direct probing) scan types. It evaluates the risk level of + each entity against a user-defined threshold, marking entities as suspicious if + they meet or exceed the limit. The action enriches entities with Pulsedive-specific + properties, generates detailed HTML insights, and creates data tables for community + comments. - | Parameter | Type | Mandatory | Description | + ### Flow Description: - | :--- | :--- | :--- | :--- | + 1. **Submission**: The action iterates through all target entities and submits + them to Pulsedive for analysis based on the selected `Scan Type` (Passive or Active). - | Scan Type | DDL | Yes | Choose between 'Passive' (retrieves existing data without - direct interaction) or 'Active' (performs a live, more intrusive scan). | + 2. **Polling**: As an asynchronous action, it periodically checks the status of + the scan using the queue ID (QID) until the report is marked as 'done'. - | Threshold | DDL | Yes | Specifies the risk level (verylow, low, medium, high, - critical) at which an entity should be marked as suspicious in Google SecOps. - | + 3. **Data Retrieval**: Once the scan is complete, the action fetches the full + report, including risk scores, risk factors, and community comments. - | Only Suspicious Entity Insight | Boolean | No | If enabled, the action will - only generate an entity insight if the indicator's risk level meets or exceeds - the specified 'Threshold'. | + 4. **Risk Evaluation**: The retrieved risk level is compared against the user-provided + `Threshold`. If the risk is equal to or higher than the threshold, the entity's + suspicious status is updated in the SOAR. - | Retrieve Comments | Boolean | No | If enabled, the action will fetch community - comments associated with the indicator from Pulsedive. | + 5. **Enrichment & Insights**: The action updates the entity's additional properties + with Pulsedive metadata, creates an HTML insight for the analyst, and adds a data + table containing community comments to the case wall. - | Max Comments To Return | String | No | Defines the maximum number of comments - to retrieve and display in the case wall data table. Default is 50. | + ### Parameters Description: - ### Flow Description - - - 1. **Submission**: The action submits the target entities to Pulsedive's analysis - engine via a POST request, specifying the desired scan type (Active or Passive). + | Parameter | Type | Mandatory | Description | - 2. **Polling**: As an asynchronous operation, the action periodically checks the - status of the submitted scan IDs until Pulsedive marks them as 'done'. + | :--- | :--- | :--- | :--- | - 3. **Data Retrieval**: Once completed, the action fetches the full indicator report, - including the risk level, risk factors, and community comments. + | Only Suspicious Entity Insight | Boolean | No | If enabled, insights will only + be created for entities that meet or exceed the risk threshold. Default is false. + | - 4. **Risk Evaluation**: It compares the indicator's risk level against the user-defined - 'Threshold'. If the risk is equal to or higher than the threshold, the entity - is marked as suspicious (`is_suspicious = True`). + | Scan Type | DDL | Yes | Choose between 'Passive' (fetch existing data without + direct contact) or 'Active' (perform a live, more intrusive scan). | - 5. **Enrichment**: The action updates the entity's additional properties with - Pulsedive metadata and sets the 'is_enriched' flag. + | Max Comments To Return | String | No | The maximum number of community comments + to retrieve for the indicator. Default is 50. | - 6. **Reporting**: It generates entity insights (optionally filtered) and populates - data tables with community comments for analyst review. + | Threshold | DDL | Yes | The risk level (verylow, low, medium, high, critical) + required to mark an entity as suspicious. | + | Retrieve Comments | Boolean | No | If enabled, community comments from Pulsedive + will be retrieved and displayed in a data table. Default is true. | - ### Additional Notes + ### Additional Notes: - * This action is asynchronous and its execution time depends on Pulsedive's processing - speed and the chosen scan type. + - The action uses the `OriginalIdentifier` property of the entity if available, + otherwise it uses the standard identifier. - * The 'Threshold' parameter uses a mapping where 'verylow' corresponds to Pulsedive's - 'none' risk score. + - Risk scores are mapped internally to numerical values (0-4) to facilitate threshold + comparison. capabilities: can_create_case_comments: false can_create_insight: true can_modify_alert_data: false - can_mutate_external_data: true + can_mutate_external_data: false can_mutate_internal_data: true can_update_entities: true - external_data_mutation_explanation: >- - Initiates a scan request on the Pulsedive platform via a POST request to the - analysis endpoint, which creates a new analysis task. + external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity suspicious status, adds enrichment data to entity properties, - creates entity insights, and adds data tables for comments to the case wall. + Updates entity suspicious status, adds enrichment properties to entities, and + creates entity insights and data tables within the SOAR case. categories: - enrichment: false + enrichment: true entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -529,28 +547,3 @@ Scan Indicator: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: true - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/community/sample_integration/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/sample_integration/resources/ai/actions_ai_description.yaml index b2e9aa3f1..af057d215 100644 --- a/content/response_integrations/third_party/community/sample_integration/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/sample_integration/resources/ai/actions_ai_description.yaml @@ -1,58 +1,47 @@ Async Action Example: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - The **Async Action Example** is a flow-control utility designed to synchronize - playbook execution based on the status of Google SecOps cases. It allows a playbook - to pause and wait until a specific tag is applied to one or more cases. This is - particularly useful for manual review steps or cross-case dependencies where an - automated process must wait for an analyst's signal (via a tag) before proceeding. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **Case IDs** | String | No | A comma-separated list of Case IDs to monitor. - If left empty, the action defaults to monitoring the current case where the action - is running. | - - | **Case Tag To Wait For** | String | Yes | The specific tag string the action - is looking for. The action will remain 'In Progress' until all specified cases - have this tag. | - - - ### Additional Notes - - - This is an **Asynchronous** action, meaning it runs in cycles until the condition - is met or it times out. - - - It does not modify any data; it is strictly a monitoring/polling utility. - - - If no Case IDs are provided, the action automatically targets the case ID from - which it was executed. - - - ### Flow Description - - 1. **Initialization**: The action retrieves the list of Case IDs and the target - tag from the input parameters. - - 2. **Data Retrieval**: For each Case ID, the action performs an internal API call - to fetch the case's overview details, including its current tags. - - 3. **Tag Validation**: The action checks if the 'Case Tag To Wait For' exists - in the list of tags for each case. - - 4. **State Management**: If all monitored cases possess the required tag, the - action completes successfully. If any cases are still missing the tag, the action - saves its current progress and enters an 'In Progress' state to be re-evaluated - in the next polling cycle. - - 5. **Timeout**: If the action exceeds the defined timeout period before all tags - are found, it will fail with a timeout error. + This is an asynchronous action that monitors specified cases until they are assigned + a particular tag. It is designed to pause execution flow until the required condition + (a specific tag on a case) is met. Parameters: Case IDs (string, optional): A + comma-separated list of case IDs to monitor. If not provided, the action defaults + to the current case ID. Case Tag To Wait For (string, mandatory): The specific + tag the action is waiting to see on the cases. Flow: 1. Extracts the Case IDs + and Case Tag To Wait For parameters. 2. On the first run, it retrieves the details + for each specified case. 3. It checks if the cases have the required tag. 4. If + cases are missing the tag, it enters a waiting state (IN_PROGRESS) and stores + the state of processed/waiting cases. 5. On subsequent runs, it re-checks the + cases that were previously missing the tag. 6. Once all specified cases have the + required tag, the action completes successfully. Additional Notes: This is an + asynchronous action. It will continue to run until the timeout is reached or all + specified cases have the required tag. capabilities: can_create_case_comments: false can_create_insight: false @@ -60,13 +49,13 @@ Async Action Example: can_mutate_external_data: false can_mutate_internal_data: false can_update_entities: false - external_data_mutation_explanation: 'null' + external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: 'null' + internal_data_mutation_explanation: null categories: - enrichment: true + enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -80,6 +69,7 @@ Async Action Example: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Enrich Entity Action Example: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -93,26 +83,28 @@ Async Action Example: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Enrich Entity Action Example: ai_description: >- ### General Description - The **Enrich Entity Action Example** is a sample enrichment action designed to - demonstrate how to process and augment entities within Google SecOps. It targets - specific entity types (IP, Hash, User, or all) and adds simulated enrichment data, - including a timestamp and a status flag, to the entity's context. + This action demonstrates how to enrich entities within Google SecOps. It processes + entities based on the selected "Entity Type" parameter and adds enrichment data + (timestamp and status) to the entity. This action is a sample implementation and + does not perform actual external API calls. ### Parameters Description @@ -121,35 +113,24 @@ Enrich Entity Action Example: | :--- | :--- | :--- | :--- | - | **Entity Type** | DDL | Yes | Specifies which entities from the alert scope - should be processed. Options include 'All Entities', 'IP', 'Hash', and 'User'. - | + | Entity Type | ddl | Yes | Defines the category of entities to process. Options: + "All Entities", "IP", "Hash", "User". | ### Flow Description - 1. **Parameter Extraction:** The action retrieves the 'Entity Type' selection - from the user input. + 1. Extract the "Entity Type" parameter. - 2. **Entity Filtering:** It filters the available entities in the alert scope - based on the selected type (e.g., mapping 'IP' to 'ADDRESS' entities). + 2. Validate the parameter against supported entity types. - 3. **Enrichment Generation:** For each matching entity, it generates a JSON object - containing a 'true' enrichment status and a current Unix timestamp. + 3. Iterate through the target entities that match the selected type. - 4. **Internal Mutation:** It applies a prefix ('SampleIntegration_') to the enrichment - data, updates the entity's fields, and attaches a CSV-formatted Data Table to - the entity. + 4. For each entity, generate enrichment data (a dictionary with a timestamp). - 5. **Finalization:** The action reports the list of successfully enriched entities - in the output message. + 5. Update the entity with the enrichment data and add a data table to the action + results. - - ### Additional Notes - - This action is intended as a template for developers. It does not communicate - with an external API but demonstrates the standard workflow for internal data - enrichment and entity updates. + 6. Finalize the action with a success message listing the enriched entities. capabilities: can_create_case_comments: false can_create_insight: false @@ -158,49 +139,48 @@ Enrich Entity Action Example: can_mutate_internal_data: true can_update_entities: true external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: >- - Updates entity fields with enrichment data and adds data tables to the entities - in Google SecOps. + Updates entity fields with enrichment data. categories: - enrichment: true + enrichment: false entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -214,6 +194,7 @@ Enrich Entity Action Example: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -224,55 +205,36 @@ Enrich Entity Action Example: disable_identity: false download_file: false enable_identity: false - enrich_asset: true - enrich_ioc: true + enrich_asset: false + enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: ai_description: >- - ### General Description - - The **Ping** action is a diagnostic tool used to verify the connectivity between - the Google SecOps platform and the external API Service. It ensures that the integration's - configuration parameters, such as the API Root, Password, and SSL verification - settings, are correct and that the service is reachable. - - - ### Parameters Description - - There are no action-specific parameters for this action. It relies entirely on - the global integration configuration. - - - ### Flow Description - - 1. **Initialization**: The action initializes the API client using the global - integration settings (API Root, Password, and Verify SSL). - - 2. **Connectivity Test**: It executes a test request (typically a GET request - to a lightweight endpoint like `/rates`) to the configured API Service. - - 3. **Validation**: If the request is successful, the action returns a success - message. If the request fails due to network issues, incorrect credentials, or - SSL errors, it returns an error message. - - - ### Additional Notes - - - This action is primarily used during the initial setup or troubleshooting of - the integration to confirm that the environment can communicate with the target - API. + ### General Description\nTests connectivity to the API Service. This action verifies + that the integration can successfully communicate with the configured API endpoint + using the provided credentials.\n\n### Flow Description\n1. The action initializes + the API client using the provided configuration parameters (API Root, Password, + Verify SSL).\n2. It performs a connectivity test by sending a request to the API + service.\n3. Based on the response, it returns a success or failure message.\n\n### + Parameters Description\n| Parameter | Type | Mandatory | Description |\n| :--- + | :--- | :--- | :--- |\n| API Root | String | Yes | The base URL of the API service. + |\n| Password Field | String | No | The password for authentication. |\n| Verify + SSL | Boolean | Yes | Whether to verify SSL certificates. |\n\n### Additional + Notes\nThere are no additional notes. capabilities: can_create_case_comments: false can_create_insight: false @@ -286,7 +248,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -300,6 +262,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Simple Action Example: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -313,49 +276,34 @@ Ping: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: false + search_events: true send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Simple Action Example: ai_description: >- - ### General Description\nThis action retrieves currency exchange rate data from - the external service `api.vatcomply.com`. It allows users to specify multiple - currencies and a time range (up to 7 days) to fetch historical or current rates. - The results are presented as Data Tables, Links, and a JSON attachment within - the Google SecOps case. This action does not interact with or process any entities.\n\n### - Parameters Description\n| Parameter | Type | Mandatory | Description |\n| :--- - | :--- | :--- | :--- |\n| Currencies String | String | No | A comma-separated - list of currency codes (e.g., USD, EUR) to process. |\n| Currencies DDL | DDL - | No | A dropdown menu to select a single currency code. |\n| Time Frame | DDL - | No | Defines the period for the data: 'Today', 'Last 7 Days', or 'Custom'. |\n| - Start Time | String | No* | The start date in ISO 8601 format. Mandatory if 'Time - Frame' is set to 'Custom'. |\n| End Time | String | No | The end date in ISO 8601 - format. Defaults to current time if omitted. |\n| Return JSON Result | Boolean - | Yes | If enabled, the action will output the raw data in the JSON result field. - |\n\n### Additional Notes\n- Either 'Currencies String' or 'Currencies DDL' must - be provided for the action to execute.\n- The maximum allowed duration between - 'Start Time' and 'End Time' is 7 days. If a larger range is provided, the action - automatically truncates the end date to 7 days after the start date.\n- This action - is purely informational regarding external systems and does not modify any external - system state.\n\n### Flow Description\n1. **Parameter Extraction:** The action - retrieves all user-provided inputs, including currency lists and time configurations.\n2. - **Validation:** It ensures at least one currency is specified and validates the - time range logic, enforcing the 7-day maximum delta.\n3. **Data Retrieval:** The - action performs a GET request to the `api.vatcomply.com` service to fetch exchange - rates for the specified currencies and dates.\n4. **Internal Data Creation:** - Generates Data Tables for each currency and date, creates Links pointing to the - specific API endpoint for each rate, and saves the full result as a JSON attachment - added to the current case.\n5. **Output:** Returns a success message summarizing - the processed currencies and time range. + ### General Description: This action fetches currency exchange rates from the + api.vatcomply.com service based on the provided parameters. ### Parameters: | + Parameter | Type | Mandatory | Description | | --- | --- | --- | --- | | Currencies + String | string | No | Comma-separated list of currencies. | | Currencies DDL + | ddl | No | Select a currency from a list. | | Time Frame | ddl | No | Time range + (Today, Last 7 Days, Custom). | | Start Time | string | No | Start date (ISO 8601). + | | End Time | string | No | End date (ISO 8601). | | Return JSON Result | boolean + | Yes | Whether to return the result as JSON. | ### Flow Description: 1. Extract + and validate parameters. 2. Fetch exchange rate data from the external API. 3. + Create data tables and links for the results. 4. Attach the JSON results to the + current case. ### Additional Notes: This action does not work with Google SecOps + entities. capabilities: can_create_case_comments: false can_create_insight: false @@ -366,11 +314,11 @@ Simple Action Example: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Adds data tables, links, and a JSON file attachment to the Google SecOps case. + Adds the retrieved exchange rate data as a JSON attachment to the current case. categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -384,28 +332,3 @@ Simple Action Example: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: true - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/community/sample_integration/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/sample_integration/resources/ai/connectors_ai_description.yaml index 89118fafa..71aa17aeb 100644 --- a/content/response_integrations/third_party/community/sample_integration/resources/ai/connectors_ai_description.yaml +++ b/content/response_integrations/third_party/community/sample_integration/resources/ai/connectors_ai_description.yaml @@ -1,58 +1,89 @@ "Sample Integration - Simple Connector Example": - ai_description: "### General Description\nThis connector integrates with the `api.vatcomply.com`\ - \ service to fetch currency exchange rate data and ingest it as alerts into Google\ - \ SecOps. It serves as a comprehensive example of a SOAR connector, demonstrating\ - \ core capabilities such as historical data fetching, dynamic filtering via whitelists/blocklists,\ - \ environment mapping, and attachment management. The connector allows security\ - \ teams to monitor financial data or use exchange rates as a trigger for automated\ - \ workflows.\n\n### Parameters Description\n| Parameter | Type | Mandatory | Description\ - \ |\n| :--- | :--- | :--- | :--- |\n| DeviceProductField | String | Yes | The\ - \ source field name used to retrieve the Product Field name for the alert metadata.\ - \ |\n| EventClassId | String | Yes | The source field name used to retrieve the\ - \ Event Field name for the alert metadata. |\n| Environment Field Name | String\ - \ | No | The name of the field where the environment name is stored. Defaults\ - \ to the default environment if not found. |\n| Environment Regex Pattern | String\ - \ | No | A regex pattern applied to the Environment Field Name to manipulate or\ - \ extract the environment value. |\n| PythonProcessTimeout | String | Yes | The\ - \ timeout limit in seconds for the Python process running the connector script.\ - \ |\n| API Root | String | Yes | The base URL for the vatcomply API (default:\ - \ `https://api.vatcomply.com`). |\n| Password Field | Password | No | An example\ - \ password field for authentication (not strictly required by the public vatcomply\ - \ API). |\n| Currencies To Fetch | String | No | A comma-separated list of currency\ - \ codes (e.g., USD, EUR) to retrieve exchange rates for. |\n| Create Alert Per\ - \ Exchange Rate | Boolean | No | If enabled, the connector creates a separate\ - \ alert for every currency pair. If disabled, it creates one combined alert per\ - \ date. |\n| Alert Severity | String | No | The severity assigned to the ingested\ - \ alerts (Critical, High, Medium, Low, Informational). |\n| Add Attachment | Boolean\ - \ | No | If enabled, the raw JSON exchange rate data is added as an attachment\ - \ to the alert. |\n| Max Days Backwards | Integer | Yes | The maximum number of\ - \ days to look back for historical data (Limit: 1-30 days). |\n| Max Alerts To\ - \ Fetch | String | Yes | Dictates how many alerts (dates) are processed in a single\ - \ connector iteration. |\n| Use dynamic list as blocklist | Boolean | Yes | If\ - \ enabled, the connector's dynamic list (whitelist) will function as a blocklist.\ - \ |\n| Disable Overflow | Boolean | No | If enabled, the connector will bypass\ - \ the standard SOAR overflow protection mechanism. |\n| Verify SSL | Boolean |\ - \ Yes | Whether to verify the SSL certificate for the connection to the API server.\ - \ |\n| Proxy Server Address | String | No | The address of the proxy server to\ - \ use for outgoing requests. |\n| Proxy Username | String | No | The username\ - \ for proxy authentication. |\n| Proxy Password | Password | No | The password\ - \ for proxy authentication. |\n\n### Flow Description\n1. **Initialization**:\ - \ The connector establishes a session with the `api.vatcomply.com` service using\ - \ the provided API Root and SSL configurations.\n2. **Context Loading**: It retrieves\ - \ the timestamp of the last successful execution and a list of previously processed\ - \ alert IDs from the SOAR database to prevent duplicate ingestion.\n3. **Data\ - \ Retrieval**: The connector requests exchange rate data for the configured currencies,\ - \ starting from the last success time up to the current date (limited by the 'Max\ - \ Days Backwards' parameter).\n4. **Alert Construction**: \n * If 'Create Alert\ - \ Per Exchange Rate' is active, it generates individual `AlertInfo` objects for\ - \ every currency rate found.\n * Otherwise, it aggregates all rates for a specific\ - \ date into a single `AlertInfo` object.\n5. **Filtering and Validation**: \n\ - \ * **Dynamic List Filter**: It checks the currency against the connector's\ - \ whitelist/blocklist.\n * **Deduplication**: It filters out any alerts whose\ - \ IDs already exist in the processed IDs cache.\n * **Overflow Check**: It\ - \ verifies if the alert should be suppressed based on overflow settings.\n6. **Enrichment**:\ - \ If 'Add Attachment' is enabled, the connector converts the raw API response\ - \ into a JSON file and attaches it to the alert.\n7. **Ingestion**: The finalized\ - \ alerts are sent to the Google SecOps platform for case creation.\n8. **Checkpointing**:\ - \ The connector updates the 'Last Success Time' and saves the new set of processed\ - \ alert IDs to ensure the next run starts from the correct point." + ai_description: >- + ### General Description + + This connector integrates with the `api.vatcomply.com` service to fetch currency + exchange rates and ingest them as alerts into Google SecOps. It provides flexible + configuration for how rates are processed, allowing users to create individual + alerts per currency or combined alerts, and supports filtering via dynamic lists. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | DeviceProductField | String | Yes | Source field name for the Product Field. + | + + | EventClassId | String | Yes | Source field name for the Event Field. | + + | Environment Field Name | String | No | Field name where the environment name + is stored. | + + | Environment Regex Pattern | String | No | Regex pattern to manipulate the environment + field value. | + + | PythonProcessTimeout | String | Yes | Timeout limit (in seconds) for the python + process. | + + | API Root | String | Yes | API Root for the integration service. | + + | Password Field | Password | No | API password field (showcase purpose). | + + | Currencies To Fetch | String | No | Comma-separated list of currencies to fetch. + | + + | Create Alert Per Exchange Rate | Boolean | No | If enabled, creates a separate + alert per exchange rate. | + + | Alert Severity | String | No | Severity level (Critical, High, Medium, Low, + Informational). | + + | Add Attachment | Boolean | No | If enabled, adds a JSON object attachment to + the alert. | + + | Max Days Backwards | Integer | Yes | Amount of days to fetch alerts from (Max: + 30). | + + | Max Alerts To Fetch | String | Yes | Number of alerts/dates to process per iteration. + | + + | Use dynamic list as blocklist | Boolean | Yes | If enabled, uses the dynamic + list as a blocklist. | + + | Disable Overflow | Boolean | No | If enabled, ignores the overflow mechanism. + | + + | Verify SSL | Boolean | Yes | If enabled, verifies the SSL certificate. | + + | Proxy Server Address | String | No | Proxy server address. | + + | Proxy Username | String | No | Proxy username. | + + | Proxy Password | Password | No | Proxy password. | + + + ### Flow Description + + 1. **Initialization**: The connector initializes the API client using the provided + API root, SSL settings, and authentication parameters. + + 2. **Context Retrieval**: It reads existing alert IDs from the SOAR platform to + ensure only new data is processed. + + 3. **Data Fetching**: It queries `api.vatcomply.com` for exchange rates for the + configured currencies, starting from the last successful execution time. + + 4. **Alert Creation**: It maps the retrieved exchange rates into `AlertInfo` objects. + Depending on the configuration, it creates either a single alert per currency + or a combined alert containing all rates. + + 5. **Filtering**: It filters the generated alerts against the SOAR whitelist/blocklist + (using the dynamic list) and checks for overflow conditions. + + 6. **Ingestion**: Valid alerts are ingested into Google SecOps. + + 7. **State Management**: The connector updates the last success time and saves + the processed alert IDs to the context for future iterations. diff --git a/content/response_integrations/third_party/community/sample_integration/resources/ai/jobs_ai_description.yaml b/content/response_integrations/third_party/community/sample_integration/resources/ai/jobs_ai_description.yaml index 027f99445..3ad07d047 100644 --- a/content/response_integrations/third_party/community/sample_integration/resources/ai/jobs_ai_description.yaml +++ b/content/response_integrations/third_party/community/sample_integration/resources/ai/jobs_ai_description.yaml @@ -2,13 +2,10 @@ Simple Job Example: ai_description: >- ### General Description - This job performs automated case management and data enrichment within Google - SecOps. It identifies open cases based on specific tags to either automate the - closure process or enrich the case with real-time financial data. Specifically, - it handles cases tagged with "Closed" by closing them formally in the system and - handles cases tagged with "Currency" by fetching and posting the latest EUR exchange - rates from the vatcomply API. The job includes a state-management mechanism (context) - to ensure that enrichment comments are added only once per case per day. + This job automates case management and enrichment by monitoring open cases for + specific tags. It performs two primary functions: closing cases tagged as "Closed" + and enriching cases tagged as "Currency" with current exchange rate data retrieved + from an external API. ### Parameters Description @@ -17,36 +14,27 @@ Simple Job Example: | :--- | :--- | :--- | :--- | - | API Root | String | Yes | The root URL for the vatcomply API service (default: - `https://api.vatcomply.com`). | + | API Root | String | Yes | The base URL for the external API service. | - | Password Field | Password | No | A placeholder password field used for demonstration - purposes; the current API does not require authentication. | + | Password Field | Password | No | API password field for authentication purposes. + | - | Verify SSL | Boolean | Yes | If enabled, the job validates the SSL certificate - of the API service during connection. | + | Verify SSL | Boolean | Yes | Whether to validate SSL certificates when connecting + to the API. | ### Flow Description - 1. **Initialize API Client**: Establishes a connection to the external API service - using the provided root URL and SSL settings. + 1. Initializes the API client using the provided configuration parameters. - 2. **Load Job Context**: Retrieves the persistent state from Google SecOps to - track the current date and a list of cases that have already received currency - updates. + 2. Loads the job context to track processed cases and the current date. - 3. **Fetch Target Cases**: Queries the SOAR platform for open cases that possess - either the "Closed" or "Currency" tags, limited to a predefined processing threshold. + 3. Queries SOAR for open cases tagged with either "Closed" or "Currency". - 4. **Automated Case Closure**: For every case tagged with "Closed", the job executes - a closure command with the reason "Maintenance" and a standard system comment. + 4. Iterates through the retrieved cases: + * If a case is tagged "Closed", it closes the case in SOAR. + * If a case is tagged "Currency" and has not been commented on today, it fetches + the EUR exchange rate from the external API and adds a comment to the case. + 5. Updates the job context with the IDs of cases that received a comment. - 5. **Currency Enrichment**: For cases tagged with "Currency" (and not already - processed in the current session): - * Calls the external API to retrieve the latest exchange rate for EUR. - * Posts a formatted comment to the case wall containing the exchange rate - and the retrieval date. - 6. **State Persistence**: Updates the job context with the IDs of newly enriched - cases and saves the state back to the platform to prevent duplicate comments in - the next execution cycle. + 6. Saves the updated context to ensure state persistence across job runs. diff --git a/content/response_integrations/third_party/community/send_grid/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/send_grid/resources/ai/actions_ai_description.yaml index 552a2d2d2..541c9d9de 100644 --- a/content/response_integrations/third_party/community/send_grid/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/send_grid/resources/ai/actions_ai_description.yaml @@ -1,23 +1,52 @@ Ping: - ai_description: "### General Description\nThe **Ping** action is a connectivity\ - \ test designed to verify the integration between Google SecOps and the SendGrid\ - \ service. Its primary purpose is to ensure that the provided API Token is valid\ - \ and possesses the necessary permissions to perform core functions, specifically\ - \ sending emails.\n\n### Parameters Description\nThere are no parameters for this\ - \ action. It relies solely on the integration's global configuration (API Token).\n\ - \n### Additional Notes\nThis action specifically checks for the `mail.send` scope\ - \ in the SendGrid account permissions. If the token is valid but lacks this specific\ - \ scope, the action will return a failure status, as the integration would be\ - \ unable to perform its primary email-sending tasks.\n\n### Flow Description\n\ - 1. **Configuration Retrieval:** The action retrieves the `API Token` from the\ - \ SendGrid integration settings.\n2. **API Request:** It performs an HTTPS GET\ - \ request to the SendGrid `/v3/scopes` endpoint using the provided token for authentication.\n\ - 3. **Response Parsing:** The action decodes the JSON response from SendGrid to\ - \ extract the list of authorized scopes.\n4. **Permission Validation:** It uses\ - \ a regular expression to search for the `mail.send` string within the retrieved\ - \ scopes.\n5. **Result Reporting:** \n * If `mail.send` is found, it returns\ - \ a success message and sets the result to `True`.\n * If the scope is missing\ - \ or the API call fails, it returns an error message and sets the result to `False`." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "### General Description\nThe **Ping** action is a diagnostic tool\ + \ designed to verify the connectivity between Google SecOps and the SendGrid service.\ + \ It validates the provided API Token by checking its permissions against the\ + \ SendGrid API. Specifically, it ensures that the token has the necessary authorization\ + \ to send emails, which is a prerequisite for other SendGrid actions.\n\n### Parameters\ + \ Description\nThere are no input parameters for this action. It relies entirely\ + \ on the integration's global configuration (specifically the **API Token**).\n\ + \n### Additional Notes\n* This action is primarily used during the initial setup\ + \ or troubleshooting of the SendGrid integration to ensure the API key is valid\ + \ and has the correct scopes.\n* The action specifically looks for the `mail.send`\ + \ scope in the API response.\n\n### Flow Description\n1. **Configuration Retrieval**:\ + \ The action retrieves the `API Token` from the SendGrid integration settings.\n\ + 2. **API Request**: It initiates an HTTPS GET request to the SendGrid endpoint\ + \ `/v3/scopes` using the provided token for authentication.\n3. **Response Parsing**:\ + \ The action parses the JSON response from SendGrid to extract the list of authorized\ + \ scopes.\n4. **Permission Validation**: It uses a regular expression to search\ + \ for the `mail.send` permission within the retrieved scopes.\n5. **Result Finalization**:\ + \ \n * If the `mail.send` scope is found, the action returns a success message\ + \ and a `True` result value.\n * If the scope is missing or the connection\ + \ fails, it returns an error message and a `False` result value." capabilities: can_create_case_comments: false can_create_insight: false @@ -31,7 +60,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -45,6 +74,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Send Email: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -58,69 +88,44 @@ Ping: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false - send_email: false + send_email: true + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Send Email: - ai_description: >- - Sends an email message using the SendGrid API. This action allows users to dispatch - formatted HTML emails to specific recipients by providing sender details, subject - lines, and message content. It is primarily used for notifications, reporting, - or communication within automated playbooks. - - - ### Flow Description - - 1. **Initialization**: The action initializes the SendGrid API client using the - provided API Token from the integration configuration. - - 2. **Message Construction**: It constructs a mail object containing the sender's - email, recipient's email, subject, and HTML content derived from the action parameters. - - 3. **API Request**: The action sends the email request to the SendGrid service. - - 4. **Result Handling**: If the 'Return Message Status' parameter is enabled, the - action captures the API response status code and timestamp, attaching them as - a JSON result to the action execution. - - - ### Parameters Description - - | Parameter Name | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Email From | string | Yes | The email address that will appear in the 'From' - field of the sent email. | - - | Email To | string | Yes | The recipient's email address. | - - | Subject | string | Yes | The subject line of the email. | - - | Content | email_content | Yes | The HTML-formatted body of the email message. - | - - | Return Message Status | boolean | No | If set to 'true', the action will return - the SendGrid API response status code and delivery metadata in the JSON results. - Default is 'false'. | - - - ### Additional Notes - - - This action does not operate on specific SecOps entities; it uses the provided - parameter values to execute the mail delivery. - - - No retry logic is implemented within this specific action; failures in the API - call will result in an execution failure state. + ai_description: "### General Description\nThis action sends an email message through\ + \ the SendGrid API. It is primarily used for automated notifications, reporting,\ + \ or communication within a security orchestration workflow. The action allows\ + \ for full customization of the sender, recipient, subject, and HTML content.\n\ + \n### Parameters Description\n| Parameter | Type | Mandatory | Description |\n\ + | :--- | :--- | :--- | :--- |\n| Email From | string | Yes | The email address\ + \ that will appear as the sender. |\n| Email To | string | Yes | The recipient's\ + \ email address. |\n| Subject | string | Yes | The subject line of the email.\ + \ |\n| Content | email_content | Yes | The HTML body content of the email. Supports\ + \ dynamic placeholders and HTML formatting. |\n| Return Message Status | boolean\ + \ | No | If set to `true`, the action will return the SendGrid API response status\ + \ code and recipient details in the execution results. Default is `false`. |\n\ + \n### Additional Notes\nThis action does not process entities from the SecOps\ + \ environment; it relies entirely on the provided input parameters to define the\ + \ email's destination and content.\n\n### Flow Description\n1. **Initialization**:\ + \ The action loads the SendGrid API token from the integration configuration and\ + \ retrieves the email parameters (From, To, Subject, Content).\n2. **Message Construction**:\ + \ A SendGrid Mail object is created using the provided sender, recipient, subject,\ + \ and HTML content.\n3. **API Interaction**: The action initializes the SendGrid\ + \ API client and attempts to send the message.\n4. **Result Handling**: \n \ + \ * If successful, it logs the success.\n * If `Return Message Status` is enabled,\ + \ it captures the API status code and metadata into a JSON result.\n * If the\ + \ API call fails, an error is logged and the action returns a failure status." capabilities: can_create_case_comments: false can_create_insight: false @@ -129,14 +134,14 @@ Send Email: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Sends an outbound email through the SendGrid API, which creates a new email - transaction and record within the SendGrid service. + Sends an outbound email message through the SendGrid service to the specified + recipient. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -150,28 +155,3 @@ Send Email: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: true - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/community/signal_sciences/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/signal_sciences/resources/ai/actions_ai_description.yaml index 1fc84611c..d4a948b34 100644 --- a/content/response_integrations/third_party/community/signal_sciences/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/signal_sciences/resources/ai/actions_ai_description.yaml @@ -1,83 +1,4 @@ Add IP to Allow List: - ai_description: >- - Adds one or more IP addresses to the Signal Sciences Allow List for a specific - site. This action allows analysts to proactively permit traffic from specific - sources by updating the Signal Sciences configuration. It processes IP addresses - provided directly as parameters as well as IP Address entities present in the - current SOAR context. - - - ### Flow Description - - 1. **Parameter Extraction:** Retrieves the 'Site Name', 'IP Address' (optional - list), and 'Note' (mandatory justification) from the action input. - - 2. **Target Identification:** Collects IP addresses from the 'IP Address' parameter - and identifies all 'ADDRESS' entities within the case. - - 3. **Pre-check:** Fetches the existing allow list for the specified site from - Signal Sciences to identify IPs that are already listed. - - 4. **Validation and Execution:** Validates the format of each target IP. For IPs - not already on the list, it performs a PUT request to the Signal Sciences API - to add them, including the provided note. - - 5. **Finalization:** Consolidates the results, reporting which IPs were successfully - added, which already existed, and which failed (due to invalid format or API errors). - - - ### Parameters Description - - | Parameter Name | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Site Name | String | Yes | The API name of the site as defined in the Signal - Sciences dashboard where the IP will be allowed. | - - | IP Address | String | No | A comma-separated list of IP addresses to add. If - left empty, the action will only process IP Address entities from the case. | - - | Note | String | Yes | A descriptive note or justification for allowing the IP. - This is a required field by the Signal Sciences API. | - - - ### Additional Notes - - - The action deduplicates IP addresses found in both the parameters and the entities. - - - If an IP address is already present in the Signal Sciences allow list, the action - treats it as a success but does not attempt to re-add it. - capabilities: - can_create_case_comments: false - can_create_insight: false - can_modify_alert_data: false - can_mutate_external_data: true - can_mutate_internal_data: false - can_update_entities: false - external_data_mutation_explanation: >- - Adds the specified IP addresses to the Signal Sciences allow list for a specific - site via a PUT request to the /whitelist endpoint. - fetches_data: true - internal_data_mutation_explanation: null - categories: - enrichment: false - entity_usage: - entity_types: - - ADDRESS - filters_by_additional_properties: false - filters_by_alert_identifier: false - filters_by_case_identifier: false - filters_by_creation_time: false - filters_by_entity_type: true - filters_by_identifier: false - filters_by_is_artifact: false - filters_by_is_enriched: false - filters_by_is_internal: false - filters_by_is_pivot: false - filters_by_is_suspicious: false - filters_by_is_vulnerable: false - filters_by_modification_time: false action_product_categories: add_alert_comment: false add_ioc_to_allowlist: true @@ -91,28 +12,29 @@ Add IP to Allow List: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Add IP to Block List: ai_description: >- ### General Description - The **Add IP to Block List** action allows security analysts to programmatically - add IP addresses to the block list of a specific site within Signal Sciences. - This action is used for containment and remediation by preventing traffic from - known malicious or suspicious IP addresses. It supports both manual input via - parameters and automatic processing of IP Address entities present in the Google - SecOps case. + Adds IP addresses to the Signal Sciences allow list for a specific site. This + action allows users to provide IP addresses either through a comma-separated parameter + or by automatically processing IP entities present in the current SecOps case. + It validates the IP format and checks for existing entries to avoid duplicates + before performing the update. ### Parameters Description @@ -122,46 +44,46 @@ Add IP to Block List: | :--- | :--- | :--- | :--- | | Site Name | String | Yes | The API name of the site as defined in the Signal - Sciences dashboard where the IP will be blocked. | + Sciences dashboard. | | IP Address | String | No | A comma-separated list of IP addresses to add. If - left empty, the action will only process IP Address entities from the case. | + provided, these are processed in addition to any IP entities found in the case. + | - | Note | String | Yes | A mandatory descriptive note or justification for blocking - the IP address, which is required by the Signal Sciences API. | + | Note | String | Yes | The descriptive note or justification associated with + the allowed IP address. This is required by the Signal Sciences API. | ### Additional Notes - - The action performs a de-duplication check: if an IP address is already present - in the site's block list, it will not attempt to add it again but will report - it as a success. + - The action will skip IP addresses that are already present in the site's allow + list. - - Both IPv4 and IPv6 addresses are supported and validated before submission. + - Both IPv4 and IPv6 addresses are supported and validated before processing. - If no IPs are provided via parameters and no IP entities are found in the case, - the action will fail with an informative message. + the action will terminate with a message. ### Flow Description - 1. **Parameter Extraction:** The action retrieves the `Site Name`, `IP Address` - list, and the mandatory `Note` from the input. + 1. **Parameter Extraction**: Retrieves the 'Site Name', 'IP Address' list, and + 'Note' from the action configuration. + + 2. **Entity Collection**: Identifies target IP addresses from the 'IP Address' + parameter and filters the case's target entities for those of type ADDRESS. - 2. **Target Identification:** It identifies target IP addresses by combining those - provided in the `IP Address` parameter with any `ADDRESS` entities found in the - current case context. + 3. **Deduplication and Validation**: Combines all identified IPs, removes duplicates, + and validates that each string is a valid IP address. - 3. **Pre-check:** It fetches the current block list for the specified site from - Signal Sciences to identify IPs that are already blocked. + 4. **Pre-check**: Fetches the current allow list for the specified site from Signal + Sciences to identify IPs that are already allowed. - 4. **Validation and Execution:** For each unique target IP, the action validates - the IP format. If valid and not already blocked, it sends a request to the Signal - Sciences API to add the IP to the block list using the provided note. + 5. **External Mutation**: For each valid IP not already on the list, sends a PUT + request to the Signal Sciences API to add the IP with the provided note. - 5. **Result Compilation:** The action tracks successful additions and failures, - providing a summary message and a detailed JSON result containing the status of - each processed IP. + 6. **Finalization**: Aggregates the results, providing a summary of successfully + added IPs and any that failed or were skipped. capabilities: can_create_case_comments: false can_create_insight: false @@ -170,15 +92,15 @@ Add IP to Block List: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Adds the specified IP addresses to the Signal Sciences block list for a specific - site via a PUT request to the Signal Sciences API. + Adds specified IP addresses to the Signal Sciences allow list for a specific + site using a PUT request. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: entity_types: - - ADDRESS + - ADDRESS filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -192,6 +114,7 @@ Add IP to Block List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Add IP to Block List: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -205,83 +128,90 @@ Add IP to Block List: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -List Sites: ai_description: >- - Retrieves a list of all sites associated with the configured corporation in Signal - Sciences. This action is useful for discovering available site names and their - metadata, such as display names and agent levels, which are often required as - inputs for other Signal Sciences actions. It supports automatic pagination to - ensure all requested records are retrieved. + ### General Description + Use the **Add IP to Block List** action to add specific IP addresses to the block + list of a designated site in Signal Sciences. This action helps in mitigating + threats by blocking malicious traffic at the WAF level. - ### Parameters + ### Parameters Description - | Parameter | Type | Mandatory | Default | Description | + | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | :--- | + | :--- | :--- | :--- | :--- | - | Max Sites To Return | string | No | 50 | The maximum number of sites to return. - Setting this value to 0 or leaving it empty returns all available sites. | + | Site Name | String | Yes | The API name of the site as defined in the Signal + Sciences dashboard. | + | IP Address | String | No | A comma-separated list of IP addresses to add. If + empty, the action uses ADDRESS entities from the case. | - ### Additional Notes + | Note | String | Yes | The descriptive note or justification for blocking the + IP. | - - This action does not require any input entities and runs at the corporation - level. - - The results are presented both as a JSON object and as a formatted data table - named 'Signal Sciences Sites'. + ### Flow Description + 1. **Parameter Extraction:** The action retrieves the Site Name, IP Address list, + and Note. - ### Flow Description + 2. **IP Collection:** It identifies target IPs from the input parameter and the + case's ADDRESS entities, then deduplicates them. - 1. **Parameter Extraction:** The action retrieves the 'Max Sites To Return' parameter - and validates that it is a valid integer. + 3. **Validation:** Each IP is checked for valid IPv4/IPv6 format. - 2. **API Interaction:** It calls the Signal Sciences API to fetch site information - for the configured corporation. + 4. **Pre-check:** The action fetches the existing block list for the site to avoid + redundant API calls. - 3. **Pagination:** The action handles pagination automatically, continuing to - fetch pages until the specified limit is reached or all sites are retrieved. + 5. **Execution:** It adds new IPs to the Signal Sciences block list using the + provided note. - 4. **Data Processing:** The raw API response is transformed into structured 'Site' - objects. + 6. **Finalization:** Success and failure statuses are reported for each IP. - 5. **Output Generation:** The action populates the JSON results, creates a data - table for the case wall, and generates a success message listing the names of - the retrieved sites. + + ### Additional Notes + + Either the 'IP Address' parameter must be populated, or the case must contain + ADDRESS entities for the action to have targets to process. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false - can_mutate_external_data: false + can_mutate_external_data: true can_mutate_internal_data: false can_update_entities: false - external_data_mutation_explanation: null + external_data_mutation_explanation: >- + Adds the specified IP addresses to the Signal Sciences block list for a designated + site. fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: true + enrichment: false entity_usage: - entity_types: [ ] + entity_types: + - ADDRESS filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false filters_by_creation_time: false - filters_by_entity_type: false + filters_by_entity_type: true filters_by_identifier: false filters_by_is_artifact: false filters_by_is_enriched: false @@ -290,6 +220,7 @@ List Sites: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +List Sites: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -303,56 +234,46 @@ List Sites: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: - ai_description: >- - ### General Description - - The **Ping** action is a utility designed to verify the connectivity between the - Google SecOps platform and the Signal Sciences API. It ensures that the integration - is correctly configured and that the service is reachable using the provided credentials. - - - ### Parameters Description - - There are no action-specific parameters for this action. It relies on the global - integration configuration parameters (API Root, Email, API Token, and Corporation - Name) to establish a connection. - - - ### Additional Notes - - This action is typically used during the initial setup of the integration or for - troubleshooting communication issues. It does not process any entities or modify - any data. - - - ### Flow Description - - 1. **Initialize Client**: The action initializes the Signal Sciences API manager - using the integration's configuration settings (API Root, Email, API Token, Corporation - Name, and SSL verification settings). - - 2. **Test Connectivity**: It performs a GET request to the Signal Sciences Corporation - endpoint (`/corps/{corp_name}`) to validate the credentials and the corporation - name. - - 3. **Validate Response**: - - If the API returns a successful response (HTTP 200), the action completes - with a success message indicating connectivity. - - If an exception occurs (e.g., network error, 401 Unauthorized, 404 Not Found), - the action catches the error, logs the reason, and returns a failure status. + ai_description: "### General Description\nThe **List Sites** action retrieves a\ + \ list of all sites available within the configured corporation in Signal Sciences.\ + \ This action is primarily used for discovery purposes, allowing users to identify\ + \ the specific site names required as inputs for other Signal Sciences actions,\ + \ such as blocking or allowing IP addresses.\n\n### Parameters Description\n|\ + \ Parameter Name | Type | Mandatory | Description |\n| :--- | :--- | :--- | :---\ + \ |\n| Max Sites To Return | String | No | The maximum number of sites to return\ + \ in the results. If set to 0 or left empty, the action will attempt to retrieve\ + \ all available sites. The default value is 50. |\n\n### Flow Description\n1.\ + \ **Parameter Extraction and Validation**: The action extracts the `Max Sites\ + \ To Return` parameter and validates that it is a valid integer. If the parameter\ + \ is missing or empty, it defaults to 0 (returning all sites).\n2. **API Interaction**:\ + \ The action calls the Signal Sciences API to fetch site information. It uses\ + \ internal pagination logic to ensure that the requested number of records (or\ + \ all records) are retrieved correctly from the corporation's account.\n3. **Data\ + \ Transformation**: The raw API response is processed into structured `Site` data\ + \ models. \n4. **Result Generation**: \n * **JSON Results**: The action populates\ + \ the JSON results with the raw data for each site found.\n * **Data Table**:\ + \ A table named \"Signal Sciences Sites\" is created, displaying the API Name,\ + \ Display Name, Creation Date, and Agent Level for each site.\n * **Output\ + \ Message**: A summary message is generated listing the names of all successfully\ + \ fetched sites.\n\n### Additional Notes\n- This action does not operate on specific\ + \ entities (like IPs or Hostnames) and instead fetches global configuration data\ + \ for the corporation.\n- If no sites are found, the action will return a successful\ + \ status with a message indicating that no sites were found." capabilities: can_create_case_comments: false can_create_insight: false @@ -366,7 +287,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -380,6 +301,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -393,97 +315,91 @@ Ping: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Remove IP from Allow List: ai_description: >- ### General Description - The **Remove IP from Allow List** action is used to remove specific IP addresses - from the allow list of a designated site within Signal Sciences. This action is - useful for revoking previously granted access or trust for specific network indicators. - It can process IP addresses provided directly as parameters or automatically identify - and process IP Address entities within the SOAR case context. + The **Ping** action is used to verify the connectivity between Google SecOps and + the Signal Sciences platform. It ensures that the provided credentials (Email, + API Token) and configuration (API Root, Corporation Name) are correct and that + the network allows communication with the Signal Sciences API. ### Parameters Description + There are no action-specific parameters for this action. It relies entirely on + the global integration configuration parameters: + + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Site Name | String | Yes | The API name of the site as defined in the Signal - Sciences dashboard. This determines which site's allow list will be modified. - | + | API Root | String | No | The base URL of the Signal Sciences API. Defaults to + `https://dashboard.signalsciences.net`. | - | IP Address | String | No | A comma-separated list of IP addresses to remove. - If this parameter is left empty, the action will attempt to use all IP Address - entities found in the current context. | + | Email | String | Yes | The email address associated with the Signal Sciences + API user. | + | API Token | String | Yes | The API token for authentication. | - ### Flow Description + | Corporation Name | String | Yes | The name of the corporation in Signal Sciences. + | - 1. **Parameter Extraction:** The action retrieves the `Site Name` and the optional - `IP Address` list from the input parameters. + | Verify SSL | Boolean | No | Whether to verify the SSL certificate of the API + server. Defaults to `True`. | - 2. **Target Identification:** It identifies target IP addresses by combining those - provided in the `IP Address` parameter with any `ADDRESS` entities found in the - case context. The list is then deduplicated. - 3. **Allow List Retrieval:** The action fetches the current allow list for the - specified site from the Signal Sciences API to find the internal IDs associated - with the target IPs. + ### Flow Description - 4. **Validation and Matching:** For each target IP, the action validates the IP - format. It then searches the retrieved allow list for entries where the source - matches the target IP. + 1. **Initialize Client**: The action initializes the Signal Sciences API client + using the integration's configuration parameters. - 5. **Removal Execution:** For every matching entry found, the action sends a DELETE - request to Signal Sciences to remove that specific item from the allow list. + 2. **Test Connectivity**: It executes a `GET` request to the `/corps/{corp_name}` + endpoint to verify that the API token and corporation name are valid. - 6. **Finalization:** The action summarizes the results, listing which IPs were - successfully removed and which encountered errors. + 3. **Evaluate Result**: If the request returns a successful status code, the action + reports a successful connection. If an exception occurs (e.g., 401 Unauthorized + or connection timeout), it captures the error and marks the action as failed. ### Additional Notes - - If an IP address is not found in the allow list, the action treats it as a success - (as the desired state of the IP not being on the list is met). - - - Either the `IP Address` parameter must be populated, or the case must contain - `ADDRESS` entities for the action to have targets to process. + This action does not process any entities or modify any data. It is strictly for + diagnostic purposes to ensure the integration is configured correctly. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false - can_mutate_external_data: true + can_mutate_external_data: false can_mutate_internal_data: false can_update_entities: false - external_data_mutation_explanation: >- - The action performs DELETE requests to the Signal Sciences API to remove specific - IP address entries from a site's allow list. + external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: - - ADDRESS + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false filters_by_creation_time: false - filters_by_entity_type: true + filters_by_entity_type: false filters_by_identifier: false filters_by_is_artifact: false filters_by_is_enriched: false @@ -492,6 +408,7 @@ Remove IP from Allow List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Remove IP from Allow List: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -505,70 +422,80 @@ Remove IP from Allow List: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: true remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Remove IP from Block List: ai_description: >- - Removes specific IP addresses from the Signal Sciences block list (blacklist) - for a designated site. The action identifies target IPs from both the 'IP Address' - input parameter and any IP Address entities present in the current context. It - first retrieves the existing block list for the specified site to find the internal - IDs associated with the target IPs and then issues deletion requests to remove - them. + ### General Description + The **Remove IP from Allow List** action is designed to remove specific IP addresses + from the allow list (whitelist) of a designated site within the Signal Sciences + platform. This action is useful for revoking trusted status from IPs that are + no longer considered safe or were added temporarily. It can process IPs provided + directly as a parameter or identified as entities within the Google SecOps environment. - ### Flow Description - 1. **Parameter Extraction:** Retrieves the mandatory 'Site Name' and the optional - 'IP Address' list from the action configuration. + ### Parameters Description - 2. **Entity Identification:** Collects IP addresses from the 'IP Address' parameter - and identifies all 'ADDRESS' entities in the scope. + | Parameter | Type | Mandatory | Description | - 3. **Data Retrieval:** Fetches the current block list for the specified site from - Signal Sciences to map IP addresses to their unique item IDs. + | :--- | :--- | :--- | :--- | - 4. **Validation:** Validates that each target IP is a correctly formatted IPv4 - or IPv6 address. + | Site Name | string | Yes | The API name of the site as defined in the Signal + Sciences dashboard. This determines which site's allow list will be modified. + | - 5. **Removal Logic:** For each valid target IP, the action searches the retrieved - block list. If a match is found, it calls the Signal Sciences API to delete that - specific entry. + | IP Address | string | No | A comma-separated list of IP addresses to remove. + If this parameter is provided, the action will process these IPs in addition to + any IP Address entities found in the context. | - 6. **Finalization:** Summarizes the results, listing which IPs were successfully - removed and which failed (due to invalid format or API errors). + ### Additional Notes - ### Parameters Description + - The action first retrieves the current allow list for the specified site to + find the internal IDs associated with the target IP addresses. - | Parameter Name | Type | Mandatory | Description | + - If an IP address is not found in the allow list, the action treats it as successfully + removed (since the desired state is achieved). - | :--- | :--- | :--- | :--- | + - The action validates that the provided strings are valid IPv4 or IPv6 addresses + before attempting removal. - | Site Name | string | True | The API name of the site as defined in the Signal - Sciences dashboard. | - | IP Address | string | False | A comma-separated list of IP addresses to remove. - If not provided, the action will only process IP Address entities. | + ### Flow Description + 1. **Parameter Extraction:** The action retrieves the `Site Name` and the optional + `IP Address` list from the input parameters. - ### Additional Notes + 2. **Entity Collection:** It identifies all `ADDRESS` entities within the current + alert context. + + 3. **Consolidation:** It combines the IPs from the parameters and the entities + into a single, deduplicated list of target IPs. - - If an IP address is already absent from the block list, the action treats it - as a success. + 4. **Allow List Retrieval:** The action calls the Signal Sciences API to fetch + the existing allow list for the specified site. - - The action requires the 'Site Name' to be the API-specific name, not necessarily - the display name. + 5. **Validation and Matching:** For each target IP, the action validates the format + and searches for a matching entry in the retrieved allow list. + + 6. **Removal:** If a match is found, the action sends a DELETE request to Signal + Sciences using the specific item ID to remove the IP from the list. + + 7. **Finalization:** The action reports the success or failure of the removal + process for each IP and sets the final execution status. capabilities: can_create_case_comments: false can_create_insight: false @@ -577,15 +504,15 @@ Remove IP from Block List: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Deletes IP address entries from the Signal Sciences block list (blacklist) for - a specific site via the API. + The action performs a DELETE request to the Signal Sciences API to remove specific + IP entries from the site's allow list. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: entity_types: - - ADDRESS + - ADDRESS filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -599,6 +526,7 @@ Remove IP from Block List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Remove IP from Block List: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -612,15 +540,75 @@ Remove IP from Block List: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: true reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false + ai_description: "### General Description\nThe **Remove IP from Block List** action\ + \ is used to remove specific IP addresses from the block list of a designated\ + \ site within Signal Sciences. This action is typically used in response to false\ + \ positives or when a previously blocked IP is deemed safe, restoring its ability\ + \ to interact with the protected site.\n\n### Parameters Description\n| Parameter\ + \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Site Name\ + \ | string | True | The API name of the site as defined in the Signal Sciences\ + \ dashboard. |\n| IP Address | string | False | A comma-separated list of IP addresses\ + \ to remove from the Signal Sciences block list. If provided, these will be processed\ + \ alongside any IP entities found in the scope. |\n\n### Additional Notes\n- The\ + \ action processes both IP addresses provided in the `IP Address` parameter and\ + \ any `ADDRESS` entities present in the current context.\n- If an IP address is\ + \ not found in the block list, the action treats it as a success (as the desired\ + \ state\u2014not being blocked\u2014is already met).\n- The action validates that\ + \ the provided strings are valid IPv4 or IPv6 addresses before attempting removal.\n\ + \n### Flow Description\n1. **Parameter Extraction:** The action retrieves the\ + \ `Site Name` and the optional `IP Address` list from the input parameters.\n\ + 2. **Entity Identification:** It identifies all `ADDRESS` entities in the current\ + \ SOAR context.\n3. **Target Consolidation:** It combines the IPs from the parameters\ + \ and the entities into a single, deduplicated list of target IPs.\n4. **Block\ + \ List Retrieval:** The action fetches the current block list for the specified\ + \ site from Signal Sciences to identify the internal IDs associated with the target\ + \ IPs.\n5. **Removal Execution:** For each target IP, the action searches for\ + \ a matching entry in the retrieved block list. If found, it sends a request to\ + \ Signal Sciences to delete that specific block list item.\n6. **Finalization:**\ + \ The action reports which IPs were successfully removed (or were already absent)\ + \ and which ones failed (e.g., due to invalid format or API errors)." + capabilities: + can_create_case_comments: false + can_create_insight: false + can_modify_alert_data: false + can_mutate_external_data: true + can_mutate_internal_data: false + can_update_entities: false + external_data_mutation_explanation: >- + Removes specified IP addresses from the Signal Sciences block list for a specific + site using a DELETE request. + fetches_data: true + internal_data_mutation_explanation: null + categories: + enrichment: false + entity_usage: + entity_types: + - ADDRESS + filters_by_additional_properties: false + filters_by_alert_identifier: false + filters_by_case_identifier: false + filters_by_creation_time: false + filters_by_entity_type: true + filters_by_identifier: false + filters_by_is_artifact: false + filters_by_is_enriched: false + filters_by_is_internal: false + filters_by_is_pivot: false + filters_by_is_suspicious: false + filters_by_is_vulnerable: false + filters_by_modification_time: false diff --git a/content/response_integrations/third_party/community/spell_checker/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/spell_checker/resources/ai/actions_ai_description.yaml index 41c9faaa9..0fc2a8e83 100644 --- a/content/response_integrations/third_party/community/spell_checker/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/spell_checker/resources/ai/actions_ai_description.yaml @@ -1,35 +1,58 @@ Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description The **Ping** action is a diagnostic utility designed to verify the connectivity - and operational status of the **Spell Checker** integration within Google SecOps. - Its primary purpose is to ensure that the integration is correctly configured - and that the system can successfully execute logic associated with the Spell Checker - module. + and functional status of the **Spell Checker** integration within Google SecOps. + It serves as a basic health check to ensure that the integration is correctly + installed and that the environment can execute its associated scripts. ### Parameters Description - There are no parameters configured for this action. + There are no parameters for this action. - ### Flow Description + ### Additional Notes - 1. **Initialization**: The action initializes the `SiemplifyAction` handler to - interface with the Google SecOps environment. + This action does not perform any actual spell-checking logic or external API calls. + It is strictly used for verifying the integration's presence and operational readiness. - 2. **Status Verification**: The script executes a minimal logic path to confirm - the integration's availability. - 3. **Execution Completion**: The action terminates successfully, returning a static - message ('Spell Checker is connected') to indicate that the integration is functional. + ### Flow Description + 1. **Initialization**: The action initializes the Siemplify SDK context. - ### Additional Notes - - This action does not interact with any external APIs or perform any data processing; - it serves strictly as a heartbeat check. + 2. **Status Confirmation**: The action immediately terminates with a success message, + "Spell Checker is connected," confirming that the integration is reachable. capabilities: can_create_case_comments: false can_create_insight: false @@ -43,7 +66,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -57,6 +80,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Spelling Check: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -70,42 +94,39 @@ Ping: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Spelling Check: ai_description: >- - ### General Description\nThis action identifies misspelled words within a provided - text string and suggests potential corrections based on word frequency. It is - a utility action designed to improve the quality of text data processed within - Google SecOps playbooks by identifying errors and providing recommendations.\n\n### - Parameters\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- - | :--- |\n| Input | String | No | The text that will be checked by the Spell Checker. - Note: While marked as not mandatory in configuration, the action logic expects - a string to process. |\n\n### Additional Notes\n- The action utilizes a local - spell-checking library and does not communicate with external web services, ensuring - data privacy.\n- It includes a built-in allowlist for common technical terms like - 'Microsoft', 'Google', 'Siemplify', and 'SaaS' to prevent them from being flagged - as errors.\n- Emails and URLs are automatically excluded from the check to reduce - false positives.\n\n### Flow Description\n1. **Input Acquisition**: Retrieves - the text string from the 'Input' parameter.\n2. **Text Cleaning**: Applies regular - expressions to remove non-alphabetic characters and noise while preserving word - boundaries.\n3. **Word Extraction**: Splits the cleaned text into individual words, - filtering out any tokens that appear to be email addresses or URLs.\n4. **Spelling - Analysis**: Identifies words not found in the dictionary (misspellings) using - the SpellCheckerManager.\n5. **Correction Discovery**: Generates a list of candidate - corrections for each identified misspelling based on word frequency.\n6. **Result - Reporting**: Outputs the count of mistakes, a JSON mapping of errors to suggestions, - and a data table for analyst review. + ### General Description The **Spelling Check** action identifies misspelled words + within a provided text string and suggests potential corrections based on word + frequency. It is designed to help analysts clean up notes, reports, or extracted + text within a playbook. ### Parameters Description | Parameter | Type | Mandatory + | Description | | :--- | :--- | :--- | :--- | | Input | String | No | The text + content that will be analyzed for spelling errors. | ### Flow Description 1. + **Text Extraction**: The action retrieves the string provided in the `Input` parameter. + 2. **Sanitization**: It cleans the input text using regular expressions to remove + special characters and punctuation, while preserving letters, spaces, and specific + symbols like '@'. 3. **Misspelling Identification**: The cleaned text is split + into individual words, which are then checked against a dictionary (including + a custom allowlist of technical terms like 'microsoft', 'google', 'playbook'). + 4. **Suggestion Generation**: For every word identified as misspelled, the action + generates a list of likely correct candidates. 5. **Reporting**: The results are + compiled into a JSON object and a data table named 'Found spelling mistakes' for + use in subsequent playbook steps. ### Additional Notes This action performs + local processing and does not communicate with external web services. capabilities: can_create_case_comments: false can_create_insight: false @@ -119,7 +140,7 @@ Spelling Check: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -133,28 +154,3 @@ Spelling Check: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/community/superna_zero_trust/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/superna_zero_trust/resources/ai/actions_ai_description.yaml index 374218a77..bf94065e1 100644 --- a/content/response_integrations/third_party/community/superna_zero_trust/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/superna_zero_trust/resources/ai/actions_ai_description.yaml @@ -1,56 +1,54 @@ Ping: - ai_description: >- - ### General Description - - The **Ping** action is designed to verify the connectivity and health of the Superna - Eyeglass Zero Trust API. It performs a simple GET request to the health check - endpoint of the configured Eyeglass server to ensure that the integration can - successfully communicate with the external service using the provided credentials. - - - ### Parameters Description - - | Parameter Name | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | api_token | String | Yes | The API key used to authenticate requests to the - Superna Eyeglass server. This is retrieved from the integration configuration. - | - - | eyeglass_ip | String | Yes | The IP address or hostname of the Superna Eyeglass - server. This is retrieved from the integration configuration. | - - | Verify SSL | Boolean | No | Determines whether to verify the SSL certificate - of the Eyeglass server. Defaults to `False`. | - - - ### Additional Notes - - - This action is primarily used for troubleshooting and initial setup verification. - - - It does not process any entities from the SOAR case. - - - As per standard conventions, actions named 'Ping' are not classified as enrichment - actions. - - - ### Flow Description - - 1. **Configuration Retrieval:** The action extracts the `api_token`, `eyeglass_ip`, - and `Verify SSL` settings from the integration configuration. - - 2. **URL Construction:** It constructs the full API endpoint URL using the `eyeglass_ip` - and the hardcoded path `/sera/v1/healthcheck`. - - 3. **Request Execution:** A GET request is sent to the constructed URL with the - `api_key` included in the headers. - - 4. **Error Handling:** The script handles various network and HTTP exceptions, - including timeouts and connection failures. - - 5. **Result Reporting:** The action logs the API response and terminates with - a status of `COMPLETED`, `FAILED`, or `TIMEDOUT` based on the outcome of the request. + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "### General Description\nThe **Ping** action is designed to verify\ + \ the connectivity and health of the Superna Eyeglass Zero Trust API. It performs\ + \ a simple health check by sending a GET request to the configured Eyeglass IP\ + \ address. This is primarily used during setup or troubleshooting to ensure that\ + \ the Google SecOps environment can successfully communicate with the Superna\ + \ Zero Trust management interface.\n\n### Parameters Description\nThere are no\ + \ action-specific parameters for this action. It relies entirely on the integration's\ + \ global configuration settings:\n* **api_token**: The API key used for authentication.\n\ + * **eyeglass_ip**: The IP address or hostname of the Superna Eyeglass server.\n\ + * **Verify SSL**: A boolean flag indicating whether to verify the SSL certificate\ + \ of the server.\n\n### Additional Notes\n* This action does not process any entities.\n\ + * As per standard SOAR conventions, 'Ping' actions are used for connectivity testing\ + \ and are not classified as enrichment.\n\n### Flow Description\n1. **Configuration\ + \ Retrieval**: The action extracts the `api_token`, `eyeglass_ip`, and `Verify\ + \ SSL` settings from the integration configuration.\n2. **URL Construction**:\ + \ It constructs the full API endpoint URL using the provided IP and the hardcoded\ + \ path `/sera/v1/healthcheck`.\n3. **API Request**: It executes an authenticated\ + \ HTTP GET request to the health check endpoint with a 30-second timeout.\n4.\ + \ **Response Handling**: \n * If the request is successful (HTTP 200), it logs\ + \ the response and marks the action as completed.\n * If a timeout, connection\ + \ error, or HTTP error occurs, it catches the exception, logs the error details,\ + \ and marks the action as failed." capabilities: can_create_case_comments: false can_create_insight: false @@ -64,7 +62,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -78,6 +76,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Superna Snapshot Critical NAS Data: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -91,70 +90,80 @@ Ping: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Superna Snapshot Critical NAS Data: ai_description: >- - Triggers a Cyber Snapshot of critical NAS (Network Attached Storage) data using - the Superna Eyeglass Zero Trust API. This action is designed to provide ransomware - protection by initiating snapshots of critical data paths defined within the Superna - environment. It communicates with the Superna Eyeglass server via a POST request - to the ransomware critical paths endpoint. + ### General Description + + The **Superna Snapshot Critical NAS Data** action triggers a 'Cyber Snapshot' + for critical NAS (Network Attached Storage) data paths using the Superna Eyeglass + Zero Trust API. This action is designed to interact with the ransomware protection + module of Superna Eyeglass to identify and secure critical data paths, providing + a point-in-time snapshot for recovery or security analysis. + + + ### Parameters Description + This action does not have any action-specific parameters. It relies entirely on + the **SupernaZeroTrust** integration configuration: - ### Parameters - | Parameter Name | Type | Mandatory | Description | + | Parameter | Expected Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | api_token | String | Yes | The API token used for authentication with the Superna - Eyeglass server. This is retrieved from the integration configuration. | + | api_token | String | Yes | The API key used to authenticate with the Superna + Eyeglass server. | | eyeglass_ip | String | Yes | The IP address or hostname of the Superna Eyeglass - server. This is retrieved from the integration configuration. | + instance. | - | Verify SSL | Boolean | No | Whether to verify the SSL certificate of the Superna - Eyeglass server. Defaults to False. This is retrieved from the integration configuration. - | + | Verify SSL | Boolean | No | If enabled, the action will verify the SSL certificate + of the Eyeglass server. Defaults to False. | ### Additional Notes - - This action does not take any direct input parameters; instead, it relies entirely - on the global integration configuration for connection details. + - This action is executed asynchronously. + + - It performs a POST request to the `/sera/v2/ransomware/criticalpaths` endpoint, + which typically triggers a state change or a snapshot process in the external + system. - - The action is marked as asynchronous in the metadata, although the provided - script follows a synchronous execution flow. + - This action does not process or require any SecOps entities (IPs, Hosts, etc.) + to run. ### Flow Description - 1. **Configuration Retrieval:** The action extracts the `api_token`, `eyeglass_ip`, - and `Verify SSL` settings from the SupernaZeroTrust integration configuration. + 1. **Configuration Retrieval:** The action extracts the API token, Eyeglass IP, + and SSL verification settings from the integration's global configuration. - 2. **Endpoint Construction:** It constructs the full API URL using the provided - Eyeglass IP and the specific ransomware critical paths route (`/sera/v2/ransomware/criticalpaths`). + 2. **Endpoint Construction:** It constructs the target API URL using the provided + Eyeglass IP and the ransomware critical paths route. - 3. **API Request:** It sends a POST request to the Superna Eyeglass server with - the required authentication headers. + 3. **API Execution:** It sends a POST request to the Superna Eyeglass server, + including the API key in the headers. - 4. **Response Handling:** The action processes the server's response. If successful, - it returns the response text. It includes comprehensive error handling for timeouts, - connection issues, and HTTP errors. + 4. **Response Handling:** The action monitors the request for success, timeouts, + or connection errors. - 5. **Completion:** The action terminates by providing the execution status and - the raw API response to the Google SecOps platform. + 5. **Completion:** The raw response text from the Superna API is returned as the + action's result value, and the execution status is set to completed or failed + based on the HTTP response. capabilities: can_create_case_comments: false can_create_insight: false @@ -163,14 +172,14 @@ Superna Snapshot Critical NAS Data: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Initiates a snapshot of critical NAS data on the storage systems managed by - Superna Eyeglass, which creates a new point-in-time data state. + The action performs a POST request to the Superna Eyeglass ransomware critical + paths endpoint, which triggers a snapshot or state change for NAS data protection. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -184,6 +193,7 @@ Superna Snapshot Critical NAS Data: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Superna Zero Trust User Lockout: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -191,55 +201,70 @@ Superna Snapshot Critical NAS Data: contain_host: false create_ticket: false delete_email: false - disable_identity: false + disable_identity: true download_file: false enable_identity: false enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Superna Zero Trust User Lockout: ai_description: >- - This action locks out a suspected user from all Superna protected NAS storage. - It interacts with the Superna Eyeglass API to resolve user permissions and apply - a 'deny read' permission to SMB shares, effectively preventing the user from accessing - data on the NAS. + ### General Description + This action locks out a suspected user from all Superna-protected NAS storage. + It interacts with the Superna Eyeglass Zero Trust API to resolve user permissions + and apply a 'deny read' permission to SMB shares, effectively isolating the user + from sensitive data. - ### Parameters + + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | UserName | String | Yes | The username to be locked out. Expected format is - `domain\username` or `user@domain`. | + | UserName | String | Yes | The identifier of the user to be locked out. Expected + format is `domain\username` or `user@domain`. | ### Flow Description - 1. **Initialization**: Retrieves the API token, Eyeglass IP, and SSL verification - settings from the integration configuration. + 1. **Parameter Initialization**: The action retrieves the integration configuration, + including the Eyeglass IP, API token, and SSL verification settings. + + 2. **Input Processing**: It extracts the `UserName` from the action parameters + and URL-encodes it to ensure it is safe for use in an API request. + + 3. **API Request Construction**: The action builds the specific API endpoint for + user lockout using the provided Eyeglass IP and the encoded username. + + 4. **Execution**: A POST request is sent to the Superna Eyeglass server. The action + includes the API key in the headers for authentication. - 2. **Input Processing**: Extracts the `UserName` parameter and URL-encodes it - to ensure it is safe for the API call. + 5. **Response Handling**: The action captures the response from the server, handling + potential timeouts, connection errors, or HTTP errors, and reports the final status + back to Google SecOps. - 3. **API Request**: Constructs the lockout API URL and sends a POST request to - the Superna Eyeglass server. - 4. **Outcome**: Processes the server's response. If successful, the user is locked - out; otherwise, an error is reported based on the HTTP status or connection result. + ### Additional Notes + + This action performs a state change in an external system (Superna Eyeglass) and + does not process entities from the current alert context; it relies solely on + the provided `UserName` parameter. capabilities: can_create_case_comments: false can_create_insight: false @@ -249,13 +274,13 @@ Superna Zero Trust User Lockout: can_update_entities: false external_data_mutation_explanation: >- Locks out a user from Superna protected NAS storage by applying deny read permissions - to SMB shares via a POST request to the Superna Eyeglass API. + to SMB shares via a POST request to the Eyeglass API. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -269,6 +294,7 @@ Superna Zero Trust User Lockout: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Superna Zero Trust User Un Lock: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -276,60 +302,73 @@ Superna Zero Trust User Lockout: contain_host: false create_ticket: false delete_email: false - disable_identity: true + disable_identity: false download_file: false - enable_identity: false + enable_identity: true enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false - update_identity: true + update_identity: false update_ticket: false -Superna Zero Trust User Un Lock: ai_description: >- - Unlocks a user account in Superna Zero Trust that was previously locked out from - protected NAS storage. This action communicates with the Superna Eyeglass API - to restore access for a specific user identifier. + ### General Description + Unlocks a user account that was previously locked out from Superna protected NAS + storage. This action is primarily used to restore access for users who were restricted + due to security policies, such as automated ransomware protection triggers. It + communicates with the Superna Eyeglass API to perform the unlock operation. - ### Flow Description - 1. **Parameter Extraction:** Retrieves the API token, Eyeglass IP, and SSL verification - settings from the integration configuration. + ### Parameters Description - 2. **Input Processing:** Extracts the `UserName` from the action parameters and - URL-encodes it to ensure safe transmission in the API path. + | Parameter | Type | Mandatory | Description | - 3. **API Request:** Constructs a POST request to the `/sera/v2/ransomware/unlock/` - endpoint on the target Superna Eyeglass server. + | :--- | :--- | :--- | :--- | - 4. **Response Handling:** Processes the server response, handling potential timeouts, - connection errors, or HTTP failures, and returns the result to the SecOps platform. + | UserName | String | Yes | The identifier of the user to unlock. The expected + format is either `domain\username` or `username@domain`. This value is URL-encoded + before being sent to the API. | - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Initialization**: The action retrieves the necessary configuration parameters, + including the API token, Eyeglass IP address, and SSL verification settings. - | :--- | :--- | :--- | :--- | + 2. **Parameter Extraction**: It extracts the `UserName` provided by the user or + playbook. + + 3. **Data Preparation**: The username is URL-encoded to ensure it is correctly + handled in the API request path. - | UserName | String | Yes | The identifier of the user to unlock. Expected format - is `domain\username` or `username@domain`. | + 4. **API Request**: A POST request is constructed and sent to the Superna Eyeglass + endpoint: `https://{eyeglass_ip}/sera/v2/ransomware/unlock/{user}`. + + 5. **Response Handling**: The action evaluates the API response. If successful, + it completes the execution; otherwise, it handles timeouts, connection errors, + or HTTP errors and reports the failure. ### Additional Notes - - This action requires a valid API token and the IP address of the Superna Eyeglass - management console to be configured in the integration settings. + - This action requires the `api_token` and `eyeglass_ip` to be correctly configured + in the integration settings. + + - The action does not process entities from the case; it relies solely on the + provided `UserName` parameter. capabilities: can_create_case_comments: false can_create_insight: false @@ -338,14 +377,14 @@ Superna Zero Trust User Un Lock: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Unlocks a user account within the Superna Zero Trust environment, changing the - user's access state on protected NAS storage systems. + Unlocks a user account in the Superna protected NAS storage system by sending + a POST request to the Superna Eyeglass API. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -359,28 +398,3 @@ Superna Zero Trust User Un Lock: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: true - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/community/team_cymru_scout/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/team_cymru_scout/resources/ai/actions_ai_description.yaml index 4806db53f..29577245d 100644 --- a/content/response_integrations/third_party/community/team_cymru_scout/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/team_cymru_scout/resources/ai/actions_ai_description.yaml @@ -1,66 +1,83 @@ Account Usage: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Account Usage** action retrieves real-time metrics regarding the API consumption - for the Team Cymru Scout integration. It provides visibility into the number of - queries used, the remaining quota, and the overall query limits for both the standard - Scout API and the Foundation API. This is primarily a utility action used by administrators - or analysts to monitor license usage and ensure API availability for automated - playbooks. + The **Account Usage** action retrieves and displays the current API consumption + metrics for the Team Cymru Scout integration. It provides visibility into query + limits and remaining balances for both standard and foundation API services, helping + analysts monitor quota usage and prevent service interruptions. - ### Parameters Description + ### Parameters This action does not require any input parameters. - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | N/A | N/A | N/A | No parameters are required for this action. | - - - ### Additional Notes - - - The action performs a read-only GET request to the `/usage` endpoint. - - - Results are displayed in a structured data table within the Google SecOps case - wall. + ### Flow Description + 1. **Authentication**: The action establishes a connection with the Team Cymru + Scout API using the configured credentials (API Key or Username/Password). - ### Flow Description + 2. **Data Retrieval**: It sends a GET request to the `/usage` endpoint to fetch + real-time account statistics. - 1. **Initialization**: The action initializes the Siemplify environment and retrieves - the integration's authentication configuration (either API Key or Username/Password). + 3. **Data Processing**: The response is parsed to extract metrics such as used + queries, remaining queries, and query limits for both the primary and foundation + APIs. - 2. **API Connection**: It establishes a session with the Team Cymru Scout API - manager, applying SSL verification settings as configured. + 4. **Output Generation**: The action populates a JSON result with the raw response + and renders a formatted data table named 'Account Usage' in the Google SecOps + UI for easy review. - 3. **Data Retrieval**: The action executes a GET request to the account usage - endpoint to fetch current metric data. - 4. **Response Handling**: If the request is successful, the raw JSON response - is attached to the action results. + ### Additional Notes - 5. **Table Rendering**: The action parses the response into a human-readable format - and renders a data table titled "Account Usage" containing specific fields like - `Used Queries`, `Remaining Queries`, and `Query Limit`. + This is a utility action and does not process or enrich specific entities within + a case. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: false + can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: null + internal_data_mutation_explanation: >- + The action adds a data table named 'Account Usage' to the action results within + the Google SecOps platform. categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -74,6 +91,7 @@ Account Usage: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Advanced Query: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -87,92 +105,99 @@ Account Usage: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: false + search_events: true send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Advanced Query: ai_description: >- - The Advanced Query action executes a search using the Team Cymru Scout query language - to retrieve comprehensive summary information about network indicators. This action - is primarily used for threat hunting and deep-dive investigations by allowing - analysts to query the Scout platform for specific communication patterns, IP behaviors, - and historical metadata. + ### General Description + The **Advanced Query** action executes a search using the Team Cymru Scout query + language to retrieve comprehensive summary information from the platform. It allows + analysts to perform complex searches across historical telemetry and threat intelligence + data, returning detailed results including PDNS information, open ports, peer + communications, and digital certificates. - ### Flow Description - 1. **Parameter Extraction:** The action retrieves the mandatory 'Query' string - and optional filters including 'Start Date', 'End Date', 'Days', and 'Size'. + ### Parameters Description - 2. **Validation:** It validates the date formats (YYYY-MM-DD) and ensures the - requested time range does not exceed platform limits (e.g., 90-day lookback, 30-day - window). + | Parameter | Expected Type | Mandatory | Description | - 3. **API Interaction:** Sends a GET request to the Team Cymru Scout `/search` - endpoint with the constructed query and parameters. + | :--- | :--- | :--- | :--- | - 4. **Data Processing:** Parses the returned JSON which includes IP summaries, - passive DNS (PDNS) records, open ports, top peers, service counts, fingerprints, - and X.509 certificates. + | Query | String | Yes | A simple or advanced query following the Scout query + language (e.g., `comms.ip="1.1.1.1"`). | - 5. **Output Generation:** Populates multiple data tables in the Google SecOps - case and attaches the full raw JSON response for further analysis. It also provides - a table detailing current API account usage. + | Start Date | String | No | The beginning of the date range for results, formatted + as `YYYY-MM-DD` in UTC. Defaults to 29 days prior to the current date. | + | End Date | String | No | The end of the date range for results, formatted as + `YYYY-MM-DD` in UTC. Defaults to the current date. | - ### Parameters Description + | Days | String | No | A relative offset in days from the current time. If provided, + this integer value takes priority over the `Start Date` and `End Date`. | - | Parameter | Type | Mandatory | Description | + | Size | String | No | The maximum number of records to return in the search results. + The maximum allowed value is 5000. | - | :--- | :--- | :--- | :--- | - | Query | String | Yes | A simple or advanced query using Scout query language - (e.g., `comms.ip="1.1.1.1"`). | + ### Additional Notes - | Start Date | String | No | The latest date for results (YYYY-MM-DD). Defaults - to 29 days prior to today if not provided. | + - The `Days` parameter is an integer offset that overrides specific date range + parameters if both are provided. - | End Date | String | No | The earliest date for results (YYYY-MM-DD). Defaults - to today's date. | + - The action enforces a maximum result size of 5000 records to ensure performance. - | Days | String | No | Relative offset in days from current time. If provided, - this takes priority over Start/End dates. | + - All dates must be provided in the `YYYY-MM-DD` format and are processed in UTC + time. - | Size | String | No | The number of records to return (Maximum 5000). | + ### Flow Description - ### Additional Notes + 1. **Parameter Extraction:** The action retrieves the Scout query, date ranges, + relative day offset, and result size from the input parameters. + + 2. **Validation:** It validates the date formats and ensures the start date is + not after the end date. It also checks that the requested size does not exceed + the platform limit. - - This action does not run on specific entities within the case; it relies entirely - on the user-provided 'Query' parameter. + 3. **API Execution:** The action sends a GET request to the `/search` endpoint + of the Team Cymru Scout API with the constructed query and filters. - - The 'Days' parameter overrides specific date ranges if both are provided. + 4. **Data Processing:** Upon receiving a successful response, the action parses + the JSON data to extract IP summaries, PDNS records, open ports, peer communications, + service counts, fingerprints, and X.509 certificates. + + 5. **Output Generation:** The action generates multiple data tables for each category + of information and attaches the raw JSON response to the action results. + + 6. **Usage Tracking:** It creates an 'Account Usage' table to inform the user + of their remaining query quota. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: >- - The action populates multiple data tables (Summary, PDNS, Open Ports, Top Peers, - Service Counts, Fingerprints, and Certs) within the Google SecOps case and attaches - raw JSON results. + internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -186,6 +211,7 @@ Advanced Query: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Enrich IPs: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -197,71 +223,45 @@ Advanced Query: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: false + enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Enrich IPs: - ai_description: >- - ### General Description - - The **Enrich IPs** action retrieves threat intelligence for IP Address entities - from the Team Cymru Scout platform. It provides critical context such as reputation - ratings (e.g., malicious, suspicious) and associated tags to help analysts evaluate - the risk of network indicators. To optimize performance and API usage, the action - includes a built-in caching mechanism that skips entities enriched within the - last 24 hours. - - - ### Flow Description - - 1. **Entity Identification:** The action scans the current context for all `ADDRESS` - entities. - - 2. **Redundancy Check:** For each identified IP, the action checks the `TCS_last_enriched` - field in the entity's `additional_properties`. If the timestamp indicates the - entity was enriched within the last 24 hours, it is skipped. - - 3. **Data Retrieval:** The action fetches IP summary data from the Team Cymru - Scout API for all eligible entities using batch processing. - - 4. **Entity Enrichment:** - * **Suspicious Status:** The `is_suspicious` flag is set to `True` if the - Team Cymru Scout rating is 'malicious' or 'suspicious'. - * **Metadata Update:** The entity's `additional_properties` are updated with - the rating, tags, and a new `TCS_last_enriched` timestamp. - * **Enrichment Flag:** The entity is marked as `is_enriched = True`. - 5. **Platform Update:** The action updates the entities within Google SecOps and - returns a JSON summary of the enrichment results. - - - ### Parameters Description - - | Parameter Name | Usage | Expected Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | :--- | - - | N/A | N/A | N/A | N/A | This action does not have any input parameters. It processes - all IP Address entities in the scope using global integration settings. | - - - ### Additional Notes - - * **Caching:** The 24-hour enrichment cache is stored locally on the entity object - within Google SecOps. - - * **Batching:** The action processes IPs in batches of 10 to ensure efficient - API communication. + ai_description: "### General Description\nEnriches IP Address entities using the\ + \ Team Cymru Scout platform. This action retrieves reputation data, tags, and\ + \ ASN information to provide context for network-based indicators. It includes\ + \ a built-in caching mechanism that checks if an entity has been enriched within\ + \ the last 24 hours to optimize API usage and prevent redundant calls.\n\n###\ + \ Parameters Description\nThere are no user-configurable parameters for this action.\ + \ It automatically processes all IP Address entities present in the current context.\n\ + \n### Additional Notes\n- The action applies a 'TCS' prefix to all enriched data\ + \ fields added to the entity's additional properties.\n- Entities are marked as\ + \ 'Suspicious' in Google SecOps if the Team Cymru Scout rating is 'malicious'\ + \ or 'suspicious'.\n\n### Flow Description\n1. **Entity Identification**: The\ + \ action identifies all `ADDRESS` entities within the target scope.\n2. **Cache\ + \ Check**: For each IP, it checks the `TCS_last_enriched` property. If the entity\ + \ was enriched less than 24 hours ago, it skips the API call for that specific\ + \ entity.\n3. **Data Retrieval**: It batches the remaining IP addresses and queries\ + \ the Team Cymru Scout foundation API to retrieve summary information.\n4. **Data\ + \ Processing**: The action parses the API response, extracting the overall rating,\ + \ tags, and ASN details.\n5. **Internal Mutation**: \n - Updates the `is_suspicious`\ + \ flag based on the threat rating.\n - Populates `additional_properties` with\ + \ the enrichment data (prefixed with 'TCS').\n - Sets the `is_enriched` flag\ + \ to true.\n6. **Finalization**: Updates the entities in Google SecOps and provides\ + \ a summary JSON of the retrieved data." capabilities: can_create_case_comments: false can_create_insight: false @@ -272,14 +272,13 @@ Enrich IPs: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates the entity's suspicious status, enrichment status, and populates additional - properties with Team Cymru Scout metadata including reputation ratings, tags, - and enrichment timestamps. + Updates entity fields (additional properties), sets the suspicious status based + on threat ratings, and marks entities as enriched. categories: enrichment: true entity_usage: entity_types: - - ADDRESS + - ADDRESS filters_by_additional_properties: true filters_by_alert_identifier: false filters_by_case_identifier: false @@ -293,6 +292,7 @@ Enrich IPs: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Extract Tags: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -306,45 +306,73 @@ Enrich IPs: enrich_asset: false enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Extract Tags: - ai_description: "Extracts and searches for specific threat tags associated with\ - \ a provided IP address and its communicating peers using the Team Cymru Scout\ - \ intelligence platform. This action is designed to identify if an IP or its network\ - \ neighbors are linked to known malicious activities like phishing or malware\ - \ based on a user-defined list of tags.\n\n### Flow Description:\n1. **Parameter\ - \ Extraction:** Retrieves the target 'IP Address' and the 'Tags to Search' (comma-separated)\ - \ from the action parameters.\n2. **Validation:** Validates the format of the\ - \ provided IP address to ensure it is a valid IPv4 or IPv6 string.\n3. **Data\ - \ Retrieval:** Calls the Team Cymru Scout API (`get_ip_details`) to fetch comprehensive\ - \ metadata, including tags for the target IP and a list of its communicating peers\ - \ with their respective tags.\n4. **Tag Processing:** Aggregates all tags found\ - \ for the primary IP and its peers into a searchable structure.\n5. **Matching\ - \ Logic:** Performs an intersection between the tags retrieved from the API and\ - \ the tags provided by the user.\n6. **Result Reporting:** \n * If matches\ - \ are found, it identifies which IPs (primary or peers) triggered the match and\ - \ returns the specific matching tags.\n * Generates a JSON result containing\ - \ the matching IPs and their full tag sets.\n * Always produces an 'Account\ - \ Usage' data table showing remaining API query limits.\n\n### Parameters Description:\n\ - | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ - | IP Address | String | True | The specific IP address to investigate for associated\ - \ tags. |\n| Tags to Search | String | True | A comma-separated list of tags to\ - \ look for (e.g., 'malware, phishing, botnet'). |\n\n### Additional Notes:\n*\ - \ This action does not automatically process entities from the SOAR case; it relies\ - \ strictly on the 'IP Address' string parameter provided in the input.\n* The\ - \ search includes 'peers', which are other IP addresses that have communicated\ - \ with the target IP according to Team Cymru's telemetry." + ai_description: >- + ### General Description + + The **Extract Tags** action retrieves and analyzes tags associated with a specific + IP address and its communicating peers using the Team Cymru Scout threat intelligence + platform. It allows analysts to provide a list of specific tags (e.g., 'malware', + 'phishing') and checks if the target IP or any of its peers are associated with + those tags. This is useful for identifying related infrastructure or confirming + the nature of a suspicious IP based on community-sourced or proprietary tagging. + + + ### Parameters Description + + | Parameter | Description | Type | Mandatory | + + | :--- | :--- | :--- | :--- | + + | IP Address | The specific IP address for which tags and peer tags will be extracted. + | String | Yes | + + | Tags to Search | A comma-separated list of tags to look for within the results + (e.g., 'malware, phishing, botnet'). | String | Yes | + + + ### Flow Description + + 1. **Parameter Extraction:** The action extracts the target IP address and the + search tags from the input parameters. + + 2. **Validation:** It validates the format of the provided IP address to ensure + it is a valid IPv4 or IPv6 address. + + 3. **API Interaction:** The action calls the Team Cymru Scout 'Get IP Details' + endpoint to fetch metadata, including tags for the target IP and its known communicating + peers. + + 4. **Data Processing:** It parses the API response to create a mapping of IP addresses + to their respective tags. + + 5. **Tag Matching:** The action performs an intersection between the tags found + in the API response and the tags provided in the 'Tags to Search' parameter. + + 6. **Result Generation:** It identifies which IPs (target or peers) matched the + search criteria, adds the detailed results to the action's JSON output, and renders + an 'Account Usage' table to track API consumption. + + + ### Additional Notes + + This action does not run on SecOps entities automatically; it requires the IP + address to be passed as a manual parameter. It is primarily used for deep-dive + enrichment and correlation of network peers. capabilities: can_create_case_comments: false can_create_insight: false @@ -358,7 +386,7 @@ Extract Tags: categories: enrichment: true entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -372,6 +400,7 @@ Extract Tags: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Communications Info: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -385,67 +414,105 @@ Extract Tags: enrich_asset: false enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Communications Info: - ai_description: "### General Description\nThe **Get Communications Info** action\ - \ retrieves detailed network communication metadata for a list of provided IP\ - \ addresses from the Team Cymru Scout platform. It focuses on identifying 'peers'\u2014\ - other IP addresses that the target IP has interacted with\u2014along with protocol\ - \ details, service ports, and geographic/ASN context for both sides of the communication.\ - \ This action is primarily used for threat intelligence and network forensics\ - \ to understand the communication patterns of suspicious indicators.\n\n### Parameters\ - \ Description\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- |\ - \ :--- | :--- |\n| **IP Addresses** | String | Yes | A comma-separated list of\ - \ IPv4 or IPv6 addresses to investigate. |\n| **Limit** | String | Yes | The maximum\ - \ number of valid IP addresses from the input list to process (default is 10).\ - \ |\n| **Start Date** | String | No | The latest date for results, formatted YYYY-MM-DD\ - \ in UTC. If not provided, defaults to 29 days prior to today. |\n| **End Date**\ - \ | String | No | The earliest date for results, formatted YYYY-MM-DD in UTC.\ - \ If not provided, defaults to today's date. |\n| **Days** | String | No | Relative\ - \ offset in days (integer) from current time in UTC. **Note:** This takes priority\ - \ over Start Date and End Date if all three are provided. |\n| **Size** | String\ - \ | No | The number of records to return per IP (maximum 1000). |\n\n### Flow\ - \ Description\n1. **Validation**: The action parses the input IP list, removing\ - \ duplicates and identifying invalid formats. It also validates date formats and\ - \ ensures 'Days' and 'Size' are valid integers.\n2. **API Request**: For each\ - \ valid IP (up to the specified limit), the action queries the Team Cymru Scout\ - \ `/ip/{ip}/details` endpoint, specifically requesting the 'comms' (communications)\ - \ section.\n3. **Data Processing**: The response is parsed to extract peer information,\ - \ including protocol text, client/server IPs, country codes, top services, and\ - \ AS names for both the target and the peer.\n4. **Output Generation**:\n *\ - \ A raw JSON result containing the full API response for all processed IPs is\ - \ attached.\n * A **Peers** data table is created, listing detailed interaction\ - \ metrics such as First/Last seen, Event counts, and service ports.\n * An\ - \ **Account Usage** table is generated to show remaining API query quotas for\ - \ the integration.\n\n### Additional Notes\n* This action does not automatically\ - \ process entities from the SOAR case; it relies strictly on the manual input\ - \ provided in the **IP Addresses** parameter.\n* The **Days** parameter, if\ - \ provided, overrides any specific **Start Date** or **End Date** configurations." + ai_description: >- + ### General Description + + Retrieves detailed communication information for specified IP addresses from Team + Cymru Scout. This action allows security analysts to investigate network traffic + patterns by identifying peers, protocols, and event counts associated with an + IP. It is particularly useful for understanding the communication profile of a + suspicious indicator, including its top services and autonomous system (AS) associations. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | IP Addresses | String | Yes | A comma-separated list of IPv4 or IPv6 addresses + to fetch detailed communication information for. | + + | Limit | String | Yes | The maximum number of valid IP addresses to be allowed + for processing in a single execution (Default: 10). | + + | Start Date | String | No | The latest date for results, formatted as YYYY-MM-DD + in UTC. If not provided, defaults to 29 days prior to today. | + + | End Date | String | No | The earliest date for results, formatted as YYYY-MM-DD + in UTC. If not provided, defaults to today's date. | + + | Days | String | No | Relative offset in days (integer) from the current time + in UTC. Note: This parameter takes priority over Start Date and End Date if all + three are provided. | + + | Size | String | No | The size, in records, of the search results (Maximum allowed + size is 1000). | + + + ### Flow Description + + 1. **Parameter Extraction**: The action extracts the target IP addresses, processing + limits, and time-based filters (Start Date, End Date, Days, Size) from the input + parameters. + + 2. **Validation**: It validates the format of the provided IP addresses and ensures + that date parameters are logically consistent (e.g., start date is not after the + end date and is within the 90-day historical limit). + + 3. **API Manager Initialization**: Initializes the connection to Team Cymru Scout + using the configured authentication method (API Key or Username/Password). + + 4. **Data Retrieval**: Iterates through the validated IP addresses (up to the + specified limit) and performs GET requests to the Team Cymru Scout API to retrieve + 'comms' (communications) section data. + + 5. **Result Aggregation**: Processes the API responses to aggregate communication + details, including peer IPs, protocols, country codes, and AS names. + + 6. **Output Generation**: Generates a 'Peers' data table for the case wall, adds + the raw JSON response to the action results, and creates an 'Account Usage' table + to track API quota consumption. + + + ### Additional Notes + + - The action performs strictly read-only operations against the Team Cymru Scout + API. + + - If the 'Days' parameter is provided, it will override any values provided in + 'Start Date' or 'End Date'. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: false + can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: null + internal_data_mutation_explanation: >- + Adds data tables (Peers, Account Usage) and JSON results to the action output + within the Google SecOps case. categories: - enrichment: true + enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -459,6 +526,7 @@ Get Communications Info: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Fingerprints Info: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -472,85 +540,83 @@ Get Communications Info: enrich_asset: false enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Fingerprints Info: ai_description: >- - Retrieves detailed fingerprint information for specified IP addresses from Team - Cymru Scout. This action is used to gather technical metadata about network indicators, - including fingerprint types, signatures, and observation timelines (first and - last seen). It supports both IPv4 and IPv6 addresses and allows for time-based - filtering and result size limits. + ### General Description + The **Get Fingerprints Info** action retrieves detailed fingerprinting data for + a list of IP addresses from the Team Cymru Scout platform. This information helps + analysts identify the types of services, protocols, and unique signatures associated + with an IP, providing deep visibility into the nature of the traffic or the host's + identity. - ### Parameters Description + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | IP Addresses | String | Yes | A comma-separated list of IPv4 or IPv6 addresses - to fetch fingerprint information for. | - - | Limit | String | Yes | The maximum number of valid IP addresses to process in - a single execution. Default is 10. | - - | Start Date | String | No | The latest date for results in YYYY-MM-DD format - (UTC). Defaults to 29 days prior to today if not provided. | + | **IP Addresses** | String | Yes | A comma-separated list of IPv4 or IPv6 addresses + to investigate. | - | End Date | String | No | The earliest date for results in YYYY-MM-DD format - (UTC). Defaults to the current date if not provided. | + | **Limit** | String | Yes | The maximum number of valid IP addresses to process + in a single execution. | - | Days | String | No | Relative offset in days from the current time. If provided, - this takes priority over Start Date and End Date. | + | **Start Date** | String | No | The beginning of the search window (YYYY-MM-DD). + Defaults to 29 days ago. | - | Size | String | No | The number of records to return per search (maximum 1000). - | + | **End Date** | String | No | The end of the search window (YYYY-MM-DD). Defaults + to today. | + | **Days** | String | No | An integer representing a relative offset in days from + the current time. If provided, this takes priority over Start/End dates. | - ### Additional Notes + | **Size** | String | No | The maximum number of fingerprint records to return + per IP (Max: 1000). | - - The action performs validation on all input IP addresses, skipping duplicates - and invalid formats. - - If the number of valid IPs exceeds the 'Limit' parameter, the additional IPs - are skipped. + ### Flow Description - - The 'Days' parameter, if used, overrides any specific date range provided. + 1. **Parameter Extraction:** The action parses the input IP addresses and configuration + settings (Limit, Dates, Size). + 2. **Validation:** It validates the format of the IP addresses and ensures the + date ranges or 'Days' offset are within the allowed limits (e.g., Start Date within + 90 days). - ### Flow Description + 3. **API Interaction:** For each valid IP (up to the defined Limit), the action + performs a GET request to the Team Cymru Scout `/ip/{ip}/details` endpoint, specifically + requesting the 'fingerprints' section. - 1. **Initialization**: Retrieves integration credentials (API Key or Username/Password) - and validates the 'Limit' and 'IP Addresses' parameters. + 4. **Data Processing:** The retrieved JSON data is parsed to extract fingerprint + signatures, ports, protocols, and observation timestamps. - 2. **Validation**: Parses the input IP list, identifying valid, invalid, and duplicate - addresses. It also validates date formats and ranges. + 5. **Output Generation:** The action populates a "Fingerprints" data table and + an "Account Usage" table in the Google SecOps case and attaches the raw JSON response + for further analysis. - 3. **API Interaction**: For each valid IP (up to the limit), it calls the Team - Cymru Scout API (`/ip/{ip}/details`) with the specified filters (dates, size, - and section set to 'fingerprints'). - 4. **Data Processing**: Aggregates the API responses, including raw JSON data - and usage statistics. + ### Additional Notes - 5. **Output Generation**: Creates a 'Fingerprints' data table containing details - like Type, Signature, and Event Count for each IP. It also generates an 'Account - Usage' table to track API quota consumption. + - If the **Days** parameter is provided, it will override the **Start Date** and + **End Date** parameters. - 6. **Completion**: Returns the aggregated JSON result and a summary message indicating - the number of successfully processed IPs. + - The action supports both IPv4 and IPv6 addresses. capabilities: can_create_case_comments: false can_create_insight: false @@ -561,12 +627,12 @@ Get Fingerprints Info: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action adds a 'Fingerprints' data table and an 'Account Usage' data table - to the Google SecOps case to display the retrieved intelligence. + The action adds data tables (Fingerprints, Account Usage) and result JSON to + the Google SecOps case. categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -580,6 +646,7 @@ Get Fingerprints Info: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get IP Details: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -593,98 +660,113 @@ Get Fingerprints Info: enrich_asset: false enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get IP Details: ai_description: >- ### General Description - Retrieves detailed threat intelligence for specific IP addresses from Team Cymru - Scout. This action provides comprehensive metadata including WHOIS information, - Passive DNS (PDNS) records, network peers, open ports, SSL/X509 certificates, - and fingerprints. It is designed to help security analysts understand the context, - ownership, and historical behavior of IP addresses involved in security incidents. + This action retrieves comprehensive threat intelligence and network telemetry + for a list of provided IP addresses from Team Cymru Scout. It is designed to provide + analysts with deep visibility into an IP's history and behavior, including WHOIS + records, Passive DNS (PDNS) data, open ports, SSL/TLS certificates, and communication + peers. The action processes multiple IPs simultaneously (up to a configurable + limit) and presents the findings in structured data tables for easy analysis within + the SOAR interface. ### Parameters Description - | Parameter | Description | Type | Mandatory | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | IP Addresses | A comma-separated list of IPv4 or IPv6 addresses to investigate. - | String | Yes | - - | Limit | The maximum number of valid IP addresses to process in a single execution - (default is 10). | String | Yes | + | **IP Addresses** | String | Yes | A comma-separated list of IPv4 or IPv6 addresses + to investigate. | - | Start Date | The latest date for results, formatted as YYYY-MM-DD in UTC. Defaults - to 29 days prior to today if not provided. | String | No | + | **Limit** | String | Yes | The maximum number of valid IP addresses to process + in a single execution (default is 10). | - | End Date | The earliest date for results, formatted as YYYY-MM-DD in UTC. Defaults - to today's date if not provided. | String | No | + | **Start Date** | String | No | The start of the search window in YYYY-MM-DD + format (UTC). Defaults to 29 days ago if not provided. | - | Days | Relative offset in days (integer) from the current time in UTC. This - parameter takes priority over Start Date and End Date if all three are provided. - | String | No | + | **End Date** | String | No | The end of the search window in YYYY-MM-DD format + (UTC). Defaults to the current date if not provided. | - | Size | The number of records to return in the search results (maximum allowed - is 1000). | String | No | + | **Days** | String | No | A relative offset in days from the current time. If + provided, this takes priority over Start/End dates. | + | **Size** | String | No | The maximum number of records to return for specific + search results (max 1000). | - ### Additional Notes - - The action performs validation on all input IP addresses and will skip duplicates - or invalid formats, reporting these in the output message. + ### Flow Description - - The `Days` parameter is a convenient way to specify a lookback window and will - override specific date ranges. + 1. **Input Validation:** The action parses the comma-separated list of IP addresses, + removes duplicates, and validates the format (IPv4/IPv6). It also validates date + formats and the 'Days'/'Size' integers. - - Results are presented as a raw JSON object and multiple structured data tables - for easy review within the case wall. + 2. **API Authentication:** Connects to the Team Cymru Scout API using either an + API Key or Username/Password credentials. + 3. **Data Retrieval:** For each valid IP address (up to the specified limit), + the action performs a GET request to the `/ip/{ip}/details` endpoint, applying + the date and size filters. - ### Flow Description + 4. **Result Aggregation:** The raw JSON response for each IP is collected. The + action also calculates API usage statistics (remaining queries). - 1. **Input Validation:** The action extracts the provided IP addresses and parameters, - validating IP formats and ensuring the count does not exceed the specified limit. + 5. **Table Generation:** The action transforms the complex JSON response into + several human-readable data tables: + * **Summary Information:** High-level overview including Country Code, WHOIS + data, and overall insight ratings. + * **Insights:** Specific threat indicators or behavioral observations. + * **Top PDNS:** Recent Passive DNS resolutions. + * **Top Peers:** Significant network communication partners. + * **Top Open Ports:** Services identified on the host. + * **Top Fingerprints & Certificates:** Cryptographic and service-level identification + data. + 6. **Final Output:** The action returns a success status if at least one IP was + successfully queried, providing the full JSON result and the generated tables + to the case wall. - 2. **Time Range Calculation:** It determines the search window based on the `Days`, - `Start Date`, and `End Date` parameters. - 3. **API Query:** For each valid IP address, the action sends a request to the - Team Cymru Scout API to retrieve detailed intelligence. + ### Additional Notes - 4. **Data Categorization:** The response is parsed into specific categories such - as WHOIS, PDNS, Peers, and Certificates. + - If the number of valid IPs exceeds the **Limit** parameter, the extra IPs are + skipped and a warning is logged. - 5. **Result Population:** The action attaches the full JSON response to the result - and generates several data tables (e.g., 'Summary Information', 'Top PDNS', 'Top - Peers') to display the enrichment data in the SecOps platform. + - The **Days** parameter, if provided, will override any values in **Start Date** + or **End Date**. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: false + can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: null + internal_data_mutation_explanation: >- + The action populates the action results with multiple data tables (Summary, + Insights, PDNS, Peers, Ports, Fingerprints, Certificates) and a JSON result + containing the raw intelligence data. categories: enrichment: true entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -698,6 +780,7 @@ Get IP Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get PDNS Info: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -711,27 +794,30 @@ Get IP Details: enrich_asset: false enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get PDNS Info: ai_description: >- ### General Description The **Get PDNS Info** action retrieves detailed Passive DNS (PDNS) information - for a specified list of IP addresses from Team Cymru Scout. This action is designed - to provide analysts with historical domain resolution data, including event counts - and first/last seen timestamps, which is essential for identifying malicious infrastructure, - tracking domain-to-IP relationships, and uncovering related threat activity. + for a specified list of IP addresses from the Team Cymru Scout platform. This + action provides historical context on domain resolutions associated with an IP, + enabling analysts to identify malicious infrastructure, historical activity, and + prevalence. It outputs results as a JSON object and populates data tables within + the case for easy review. ### Parameters Description @@ -744,65 +830,66 @@ Get PDNS Info: to fetch PDNS information for. | | **Limit** | String | Yes | The maximum number of valid IP addresses to process - from the input list. This helps manage API quota and performance. | + in a single execution. Must be a positive integer. | - | **Start Date** | String | No | The latest date for results in UTC, formatted - as YYYY-MM-DD. If not provided, it defaults to 29 days prior to the current date. - | + | **Start Date** | String | No | The latest date for results, formatted as YYYY-MM-DD + in UTC. Defaults to 29 days prior to today if not provided. | - | **End Date** | String | No | The earliest date for results in UTC, formatted - as YYYY-MM-DD. If not provided, it defaults to the current date. | + | **End Date** | String | No | The earliest date for results, formatted as YYYY-MM-DD + in UTC. Defaults to the current date if not provided. | - | **Days** | String | No | An integer representing a relative offset in days from - the current time. If provided, this value takes priority over the Start and End - dates. | + | **Days** | String | No | Relative offset in days (integer) from the current + time. **Note:** This parameter takes priority over Start Date and End Date if + all three are provided. | - | **Size** | String | No | The number of records to return in the search results - (Maximum allowed is 1000). | + | **Size** | String | No | The number of records to return per search (maximum + 1000). | ### Flow Description - 1. **Initialization:** The action initializes the Team Cymru Scout API manager - and extracts the user-provided parameters. + 1. **Initialization:** The action extracts the provided IP addresses and configuration + parameters, including limits and time-range filters. - 2. **Validation:** It validates the format of the provided IP addresses, ensuring - they are valid IPv4 or IPv6 strings. It also validates the date formats and the - result size constraints. + 2. **Validation:** It validates the format of the IP addresses and ensures the + date parameters are logically sound (e.g., Start Date is not after End Date and + is within the 90-day historical limit). - 3. **API Request:** For each valid IP address (up to the specified limit), the - action performs a GET request to the Team Cymru Scout `/ip/{ip}/details` endpoint, - specifically requesting the 'pdns' section. + 3. **API Execution:** For each valid IP address (up to the specified limit), the + action performs a GET request to the Team Cymru Scout `/ip/{ip}/details` endpoint + to retrieve PDNS records. - 4. **Data Processing:** The action parses the API response, extracting domain - names, event counts, and visibility windows (first/last seen). + 4. **Data Processing:** The retrieved data is parsed to extract domain names, + event counts, and first/last seen timestamps. - 5. **Output:** The action generates a JSON result containing the raw PDNS data - and renders two data tables: one for the detailed PDNS information and another - for the integration's Account Usage statistics. + 5. **Output Generation:** The action adds the raw response to the JSON result, + renders a data table for the PDNS information, and creates an 'Account Usage' + table to track remaining API credits. ### Additional Notes - - This action does not automatically iterate over entities in the Google SecOps - case; it processes only the IP addresses provided in the **IP Addresses** parameter. + - The action handles batching and respects the maximum record size of 1000 per + IP. - - The **Days** parameter is the most efficient way to define a search window and - will override specific date parameters if both are supplied. + - If the `Days` parameter is used, it overrides any values provided in `Start + Date` or `End Date`. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: false + can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: null + internal_data_mutation_explanation: >- + Adds data tables containing PDNS records and API usage statistics to the Google + SecOps case. categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -816,6 +903,7 @@ Get PDNS Info: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Ports Info: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -829,49 +917,81 @@ Get PDNS Info: enrich_asset: false enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: false + search_events: true send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Ports Info: - ai_description: "### General Description\nThe **Get Ports Info** action retrieves\ - \ detailed information about open ports and associated services for a specified\ - \ list of IP addresses using the Team Cymru Scout platform. It provides visibility\ - \ into the network profile of an IP, including service names, port numbers, protocols,\ - \ and observation timestamps, which is essential for attack surface mapping and\ - \ vulnerability assessment.\n\n### Parameters Description\n| Parameter | Type\ - \ | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| **IP Addresses**\ - \ | String | Yes | A comma-separated list of IPv4 or IPv6 addresses to fetch port\ - \ information for. |\n| **Limit** | String | Yes | The maximum number of valid\ - \ IP addresses to process in a single execution (Default: 10). |\n| **Start Date**\ - \ | String | No | The earliest date for results (YYYY-MM-DD). Defaults to 29 days\ - \ prior to the current date if not provided. |\n| **End Date** | String | No |\ - \ The latest date for results (YYYY-MM-DD). Defaults to the current date if not\ - \ provided. |\n| **Days** | String | No | A relative offset in days from the current\ - \ time. If provided, this value takes priority over the Start and End dates. |\n\ - | **Size** | String | No | The maximum number of records to return per search\ - \ (Maximum: 1000). |\n\n### Flow Description\n1. **Initialization:** The action\ - \ extracts the provided IP addresses and time-range parameters (Dates or Days).\n\ - 2. **Validation:** It validates the IP formats, removes duplicates, and ensures\ - \ the number of IPs does not exceed the specified 'Limit'.\n3. **API Request:**\ - \ For each valid IP, the action performs a GET request to the Team Cymru Scout\ - \ `/ip/{ip}/details` endpoint, specifically requesting the `open_ports` section.\n\ - 4. **Data Parsing:** The action processes the API response, extracting fields\ - \ such as Service, Port, Protocol, and First/Last Seen dates.\n5. **Output Generation:**\ - \ \n - A JSON result containing the raw data is added to the action output.\n\ - \ - An 'Open Ports' data table is rendered in the Google SecOps interface for\ - \ analyst review.\n - An 'Account Usage' table is generated to display remaining\ - \ API quotas.\n\n### Additional Notes\n- The action supports both IPv4 and IPv6\ - \ addresses.\n- If the `Days` parameter is used, it will override any values provided\ - \ in `Start Date` or `End Date`." + ai_description: >- + Retrieves detailed open ports information for specified IP addresses from Team + Cymru Scout. This action allows analysts to investigate the network footprint + of an IP by identifying active services, protocols, and historical visibility + of open ports. + + + ### Flow Description + + 1. **Parameter Extraction & Validation**: The action parses the input `IP Addresses` + (comma-separated) and validates them against IPv4/IPv6 formats. It also validates + time-range parameters like `Days`, `Start Date`, and `End Date`. + + 2. **Authentication**: Connects to the Team Cymru Scout API using the configured + authentication method (API Key or Username/Password). + + 3. **Data Retrieval**: For each valid IP address (up to the specified `Limit`), + the action fetches detailed port information from the `open_ports` section of + the API. + + 4. **Data Processing**: The retrieved data is transformed into a structured format, + including service names, port numbers, protocols, and first/last seen timestamps. + + 5. **Output Generation**: The action generates an "Open Ports" data table and + an "Account Usage" table (showing API quota status) within the Google SecOps case. + It also returns the raw JSON response for use in subsequent playbook steps. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | IP Addresses | String | Yes | Comma-separated list of IPv4 or IPv6 addresses + to fetch port information for. | + + | Limit | String | Yes | The maximum number of valid IP addresses to process in + a single execution (Default is 10). | + + | Start Date | String | No | The latest date for results (YYYY-MM-DD). Defaults + to 29 days prior to today if not provided. | + + | End Date | String | No | The earliest date for results (YYYY-MM-DD). Defaults + to today's date. | + + | Days | String | No | Relative offset in days from current time. This takes priority + over Start/End dates if provided. | + + | Size | String | No | The number of records to return per search (Maximum allowed + is 1000). | + + + ### Additional Notes + + - The `Days` parameter is an integer representing a relative offset and will override + specific date filters if both are provided. + + - The action performs internal mutations by adding data tables to the case wall + but does not modify external system states or existing entity attributes. capabilities: can_create_case_comments: false can_create_insight: false @@ -882,12 +1002,12 @@ Get Ports Info: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action populates the 'Open Ports' and 'Account Usage' data tables within - the Google SecOps action results. + Adds data tables for 'Open Ports' and 'Account Usage' to the Google SecOps case + and populates the action's JSON result with the raw API response. categories: - enrichment: true + enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -901,6 +1021,7 @@ Get Ports Info: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Proto Info: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -914,76 +1035,51 @@ Get Ports Info: enrich_asset: false enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Proto Info: - ai_description: >- - ### General Description - - The **Get Proto Info** action retrieves detailed protocol-level communication - information for a specified list of IP addresses from the Team Cymru Scout platform. - It is primarily used for network forensics and threat hunting to understand the - types of protocols an IP has been observed using over a specific timeframe. The - action outputs the raw data in JSON format and provides a formatted data table - for analyst review. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | IP Addresses | String | Yes | A comma-separated list of IPv4 or IPv6 addresses - to fetch protocol information for. | - - | Limit | String | Yes | The maximum number of valid IP addresses from the input - list to process in a single execution. Default is 10. | - - | Start Date | String | No | The start of the time range for the query, formatted - as YYYY-MM-DD (UTC). If omitted, it defaults to 29 days prior to the current date. - | - - | End Date | String | No | The end of the time range for the query, formatted - as YYYY-MM-DD (UTC). If omitted, it defaults to the current date. | - - | Days | String | No | An integer representing a relative offset in days from - the current time. If provided, this value takes precedence over the Start and - End date parameters. | - - | Size | String | No | The number of records to retrieve per search. The maximum - allowed value is 1000. | - - - ### Flow Description - - 1. **Parameter Extraction:** The action extracts the list of IP addresses, processing - limits, and time-range filters (Dates or Days) from the user input. - - 2. **Validation:** It validates the format of the IP addresses and ensures the - date range is valid (e.g., start date is not after the end date and is within - the 90-day historical limit). - - 3. **API Interaction:** For each valid IP address (up to the defined limit), the - action performs a GET request to the Team Cymru Scout API's `/ip/{ip}/details` - endpoint, specifically requesting the `proto_by_ip` section. - - 4. **Data Processing:** The retrieved protocol data, which includes protocol types - and observation dates, is parsed and aggregated. - - 5. **Output Generation:** The action populates the `JsonResult` with the raw API - response and generates two data tables: 'Proto By IP' (containing the protocol - details) and 'Account Usage' (showing remaining API quota). + ai_description: "### General Description\nRetrieves detailed protocol information\ + \ for specified IP addresses from Team Cymru Scout. This action allows analysts\ + \ to investigate network traffic patterns by fetching historical protocol data\ + \ associated with an IP, including event counts and date-based breakdowns. It\ + \ is useful for identifying unusual protocol usage or verifying communication\ + \ patterns during forensic investigations.\n\n### Parameters Description\n| Parameter\ + \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| IP Addresses\ + \ | String | Yes | A comma-separated list of IPv4 or IPv6 addresses to fetch detailed\ + \ protocol information for. |\n| Limit | String | Yes | The maximum number of\ + \ valid IP addresses to process in a single execution. Default is 10. |\n| Start\ + \ Date | String | No | The latest date for results in YYYY-MM-DD format (UTC).\ + \ Defaults to 29 days prior to today if not provided. |\n| End Date | String |\ + \ No | The earliest date for results in YYYY-MM-DD format (UTC). Defaults to today's\ + \ date if not provided. |\n| Days | String | No | Relative offset in days (integer)\ + \ from the current time. If provided, this takes priority over Start Date and\ + \ End Date. |\n| Size | String | No | The number of records to return in the search\ + \ results (maximum 1000). |\n\n### Additional Notes\n- The action performs validation\ + \ on the provided IP addresses and date ranges. \n- If the `Days` parameter is\ + \ provided, it will override any values in `Start Date` or `End Date`.\n- The\ + \ action provides an 'Account Usage' table to help track API quota consumption.\n\ + \n### Flow Description\n1. **Parameter Extraction**: The action extracts the IP\ + \ addresses, limit, and optional date/size filters from the input.\n2. **Validation**:\ + \ It validates the format of the IP addresses and ensures the date range is within\ + \ the supported limits (e.g., start date not older than 90 days, range not exceeding\ + \ 30 days).\n3. **API Interaction**: For each valid IP address (up to the specified\ + \ limit), the action queries the Team Cymru Scout API's `proto_by_ip` section.\n\ + 4. **Data Processing**: The retrieved protocol data is aggregated and formatted\ + \ into a JSON result.\n5. **Output Generation**: The action generates a data table\ + \ named 'Proto By IP' containing the detailed protocol records and an 'Account\ + \ Usage' table showing remaining API queries." capabilities: can_create_case_comments: false can_create_insight: false @@ -997,7 +1093,7 @@ Get Proto Info: categories: enrichment: true entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1011,6 +1107,7 @@ Get Proto Info: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Whois Info: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1024,98 +1121,94 @@ Get Proto Info: enrich_asset: false enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Whois Info: ai_description: >- - The 'Get Whois Info' action retrieves detailed Whois information for a provided - list of IP addresses from the Team Cymru Scout platform. This action is primarily - used for gathering administrative and network context, such as ASN, AS Name, BGP - information, and organizational details (Net Name, Org Name, contact emails) for - specific indicators. It supports both IPv4 and IPv6 addresses and allows for time-based - filtering of the results. + ### General Description + The **Get Whois Info** action retrieves detailed Whois registration data for a + list of IP addresses from the Team Cymru Scout platform. It provides critical + context for security investigations, such as Autonomous System Numbers (ASN), + organization names, network names, and contact information. - ### Flow Description - 1. **Parameter Extraction:** The action extracts the comma-separated list of IP - addresses, processing limits, and optional time filters (Start Date, End Date, - Days, and Size) from the user input. + ### Parameters Description - 2. **Validation:** It validates the format of the IP addresses and ensures that - date parameters are correctly formatted (YYYY-MM-DD) and within allowed ranges - (e.g., start date not older than 90 days). + | Parameter | Type | Mandatory | Description | - 3. **API Interaction:** For each valid IP address (up to the defined limit), the - action performs a GET request to the Team Cymru Scout API's IP details endpoint, - specifically requesting the 'whois' section. + | :--- | :--- | :--- | :--- | - 4. **Data Processing:** The action parses the JSON response, extracting key Whois - fields like ASN, BGP ASN, and organizational contact information. + | **IP Addresses** | String | Yes | A comma-separated list of IPv4 or IPv6 addresses + to investigate. | - 5. **Output Generation:** It generates a data table titled 'Whois' containing - the extracted details and another table for 'Account Usage' to track API consumption. - The full raw response is also attached as a JSON result. + | **Limit** | String | Yes | The maximum number of valid IP addresses to process + in a single execution (default is 10). | + | **Start Date** | String | No | The latest date for results in YYYY-MM-DD format + (UTC). Defaults to 29 days ago if not provided. | - ### Parameters Description + | **End Date** | String | No | The earliest date for results in YYYY-MM-DD format + (UTC). Defaults to today if not provided. | - | Parameter | Type | Mandatory | Description | + | **Days** | String | No | An integer representing a relative offset in days from + the current time. If provided, this takes priority over Start and End dates. | - | :--- | :--- | :--- | :--- | + | **Size** | String | No | The number of records to return per search (maximum + 1000). | - | IP Addresses | String | Yes | A comma-separated list of IPv4 or IPv6 addresses - to fetch Whois information for. | - | Limit | String | Yes | The maximum number of valid IP addresses to process in - a single execution (default is 10). | + ### Flow Description - | Start Date | String | No | The latest date for results in YYYY-MM-DD format - (UTC). Defaults to 29 days prior to today if not provided. | + 1. **Initialization**: The action extracts authentication credentials and input + parameters from the integration environment. - | End Date | String | No | The earliest date for results in YYYY-MM-DD format - (UTC). Defaults to today's date if not provided. | + 2. **Validation**: It validates the format of the provided IP addresses, removes + duplicates, and enforces the processing limit defined by the user. - | Days | String | No | Relative offset in days from the current time. If provided, - this takes priority over Start/End dates. | + 3. **Data Retrieval**: For each valid IP address, the action sends a request to + the Team Cymru Scout API to fetch Whois-specific details. - | Size | String | No | The number of records to return in the search results (maximum - 1000). | + 4. **Data Processing**: The raw API response is parsed to extract key fields like + ASN, BGP information, and organizational contacts. + + 5. **Output Generation**: The action populates a data table named 'Whois' with + the findings, attaches the full raw response as JSON, and provides a summary of + the API usage. ### Additional Notes - - If the 'Days' parameter is provided, it will override any values provided in - 'Start Date' and 'End Date'. + - This action is read-only and does not modify any data within Team Cymru Scout. - - The action performs validation to skip duplicate or malformed IP addresses and - will report these in the output message. + - If the 'Days' parameter is provided, it will override any values provided in + the 'Start Date' and 'End Date' parameters. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: >- - The action adds data tables (Whois information and Account Usage) and JSON results - to the action output within Google SecOps. + internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1129,6 +1222,7 @@ Get Whois Info: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get X509 Info: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1140,68 +1234,69 @@ Get Whois Info: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: true + enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: false + search_events: true send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get X509 Info: - ai_description: "### General Description\nThe **Get X509 Info** action retrieves\ - \ detailed X509 certificate information for a list of provided IP addresses from\ - \ the Team Cymru Scout platform. This action is designed to provide security analysts\ - \ with visibility into the SSL/TLS certificate history and metadata associated\ - \ with specific network indicators, aiding in infrastructure mapping and threat\ - \ intelligence gathering.\n\n### Parameters Description\n| Parameter | Type |\ - \ Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| **IP Addresses**\ - \ | String | Yes | A comma-separated list of IPv4 or IPv6 addresses to fetch certificate\ - \ information for. |\n| **Limit** | String | Yes | The maximum number of valid\ - \ IP addresses to process in a single execution. Default is 10. |\n| **Start Date**\ - \ | String | No | The latest date for results in UTC (YYYY-MM-DD). If omitted,\ - \ defaults to 29 days prior to the current date. |\n| **End Date** | String |\ - \ No | The earliest date for results in UTC (YYYY-MM-DD). If omitted, defaults\ - \ to the current date. |\n| **Days** | String | No | A relative offset in days\ - \ (integer) from the current time. If provided, this parameter takes priority\ - \ over Start Date and End Date. |\n| **Size** | String | No | The number of records\ - \ to return per search (Maximum allowed is 1000). |\n\n### Flow Description\n\ - 1. **Input Extraction**: The action extracts the target IP addresses and query\ - \ filters (Limit, Dates, Days, Size) from the user-provided parameters.\n2. **Validation**:\ - \ It validates the format of the IP addresses and ensures that the date ranges\ - \ or 'Days' values are within the supported limits (e.g., Start Date must be within\ - \ the last 90 days).\n3. **API Interaction**: For each valid IP address (up to\ - \ the specified limit), the action sends a GET request to the Team Cymru Scout\ - \ API to retrieve data from the 'x509' section.\n4. **Data Processing**: The action\ - \ parses the API response, extracting certificate details such as issuer, subject,\ - \ validity period, and fingerprints.\n5. **Output Generation**: \n * The\ - \ raw data is attached as a JSON result.\n * A data table named \"Certificates\"\ - \ is created to display the certificate details for each IP.\n * An \"Account\ - \ Usage\" table is generated to inform the user of their remaining API query quota.\n\ - \n### Additional Notes\n* If the `Days` parameter is used, it overrides the\ - \ `Start Date` and `End Date` parameters.\n* The action handles duplicate and\ - \ invalid IP addresses by filtering them out and reporting the count in the final\ - \ output message." + ai_description: "Retrieves detailed X509 certificate information for specified IP\ + \ addresses from Team Cymru Scout. This action allows analysts to investigate\ + \ the SSL/TLS certificates associated with an IP, providing insights into the\ + \ certificate's validity, issuer, and subject details. It supports both IPv4 and\ + \ IPv6 addresses and allows for historical lookups within a 90-day window.\n\n\ + ### Parameters Description\n\n| Parameter | Type | Mandatory | Description |\n\ + | :--- | :--- | :--- | :--- |\n| IP Addresses | String | Yes | A comma-separated\ + \ list of IPv4 or IPv6 addresses to fetch certificate information for. |\n| Limit\ + \ | String | Yes | The maximum number of valid IP addresses to process in a single\ + \ execution. Default is 10. |\n| Start Date | String | No | The latest date for\ + \ results (YYYY-MM-DD) in UTC. Defaults to 29 days prior to today. |\n| End Date\ + \ | String | No | The earliest date for results (YYYY-MM-DD) in UTC. Defaults\ + \ to the current date. |\n| Days | String | No | A relative offset in days from\ + \ the current time. If provided, this takes priority over Start Date and End Date.\ + \ |\n| Size | String | No | The number of records to retrieve per search. Maximum\ + \ allowed value is 1000. |\n\n### Flow Description\n\n1. **Validation**: The\ + \ action parses the input IP addresses and validates their format (IPv4/IPv6).\ + \ It also validates the date parameters, ensuring the search range does not exceed\ + \ 30 days and the start date is not older than 90 days.\n2. **API Interaction**:\ + \ For each valid IP address (up to the specified limit), the action calls the\ + \ Team Cymru Scout API to retrieve X509 certificate metadata.\n3. **Data Processing**:\ + \ The action extracts certificate details such as the common name, issuer, serial\ + \ number, and validity period.\n4. **Output Generation**: \n * A **Certificates**\ + \ data table is created containing the processed certificate information.\n \ + \ * An **Account Usage** data table is generated to show remaining API query\ + \ quotas.\n * The raw API response is attached as a JSON result for further\ + \ automated processing.\n\n### Additional Notes\n\n* The `Days` parameter is\ + \ the most efficient way to define a relative search window and will override\ + \ specific date inputs.\n* If multiple IPs are provided, the action processes\ + \ them sequentially up to the defined `Limit`." capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: false + can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: null + internal_data_mutation_explanation: >- + The action populates the 'Certificates' and 'Account Usage' data tables and + the action's JSON result within the Google SecOps case. categories: - enrichment: true + enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1215,6 +1310,7 @@ Get X509 Info: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +List IP Summary: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1228,47 +1324,74 @@ Get X509 Info: enrich_asset: false enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -List IP Summary: - ai_description: "### General Description\nThe **List IP Summary** action retrieves\ - \ comprehensive summary information for a specified list of IP addresses from\ - \ the Team Cymru Scout platform. It is designed for bulk lookups, allowing analysts\ - \ to gather threat intelligence, geographic data, and autonomous system (AS) information\ - \ for multiple indicators in a single execution. The action includes built-in\ - \ validation to handle duplicate or malformed IP addresses and allows for a processing\ - \ limit to manage API quota usage.\n\n### Parameters Description\n| Parameter\ - \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| **IP Addresses**\ - \ | string | Yes | A comma-separated list of IP addresses (e.g., \"1.1.1.1, 8.8.8.8\"\ - ) to be queried for summary information. |\n| **Limit** | string | Yes | The maximum\ - \ number of valid IP addresses to process from the provided list. Defaults to\ - \ 10. Must be a positive integer. |\n\n### Flow Description\n1. **Input Parsing:**\ - \ The action extracts the comma-separated string of IP addresses and the processing\ - \ limit from the user input.\n2. **Validation:** It validates each IP address\ - \ format, identifies duplicates, and filters out invalid entries. If the number\ - \ of valid IPs exceeds the specified limit, the excess IPs are skipped.\n3. **API\ - \ Execution:** The action batches the valid IP addresses (up to 10 per batch)\ - \ and performs GET requests to the Team Cymru Scout `/ip/foundation` endpoint.\n\ - 4. **Data Aggregation:** It aggregates the responses from all batches, including\ - \ summary details, insights, and API usage statistics.\n5. **Output Generation:**\ - \ \n * Adds the raw summary data as a JSON result.\n * Generates a \"\ - Summary Information for IPs\" data table containing IP, Country Code, ASN, and\ - \ Insight Ratings.\n * Generates an \"Insights\" data table detailing specific\ - \ threat observations.\n * Generates an \"Account Usage\" table showing remaining\ - \ API query limits.\n\n### Additional Notes\n* This action does not run on existing\ - \ SecOps entities; it processes the IP addresses provided directly in the parameter\ - \ field.\n* If all provided IP addresses are invalid or if the API calls fail,\ - \ the action will report a failure state." + ai_description: >- + ### General Description + + The **List IP Summary** action fetches comprehensive threat intelligence and reputation + data for a provided list of IP addresses from the Team Cymru Scout platform. It + is designed to provide quick summary information, including ASN details, country + codes, and overall reputation ratings, for multiple indicators in a single execution. + This action is particularly useful for bulk enrichment of IP addresses during + the initial stages of an investigation. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | Expected Value | Flow Impact | + + | :--- | :--- | :--- | :--- | :--- | :--- | + + | **IP Addresses** | String | Yes | The list of IP addresses to be enriched. | + A comma-separated string of IPs (e.g., "1.1.1.1, 2.2.2.2"). | Determines the set + of indicators the action will query. | + + | **Limit** | String | Yes | The maximum number of valid IP addresses to process. + | A positive integer string (e.g., "10"). | Truncates the input list if the number + of valid IPs exceeds this value. | + + + ### Flow Description + + 1. **Parameter Extraction:** The action retrieves the comma-separated list of + IP addresses and the processing limit from the input parameters. + + 2. **Validation and Cleaning:** It validates each IP address, removes duplicates, + and filters out invalid formats. If the number of valid IPs exceeds the specified + limit, the list is truncated. + + 3. **API Interaction:** The action sends batched requests to the Team Cymru Scout + "Foundation" API endpoint to retrieve summary data for the valid IPs. + + 4. **Data Aggregation:** It processes the API responses, aggregating threat insights, + ASN information, and geographic data for each IP. + + 5. **Output Generation:** The action populates the execution results with a JSON + object containing the raw data and generates three data tables: "Summary Information + for IPs", "Insights", and "Account Usage". + + + ### Additional Notes + + - This action does not automatically process entities from the alert context; + it relies strictly on the manual input provided in the "IP Addresses" parameter. + + - API usage statistics are tracked and displayed in the "Account Usage" table + to help monitor query quotas. capabilities: can_create_case_comments: false can_create_insight: false @@ -1280,9 +1403,9 @@ List IP Summary: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1296,6 +1419,7 @@ List IP Summary: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1309,40 +1433,56 @@ List IP Summary: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: - ai_description: "### General Description\nThe **Ping** action is designed to verify\ - \ the connectivity and authentication configuration between Google SecOps and\ - \ the Team Cymru Scout platform. It serves as a diagnostic tool to ensure that\ - \ the provided credentials (either API Key or Username/Password) and network settings\ - \ (like SSL verification) are correct and that the Team Cymru Scout API is reachable.\n\ - \n### Parameters Description\nThis action does not require any input parameters.\n\ - \n### Flow Description\n1. **Configuration Retrieval**: The action fetches the\ - \ integration's global configuration parameters, including the authentication\ - \ type, credentials, and SSL verification settings.\n2. **API Initialization**:\ - \ An internal API manager is initialized using the retrieved settings to handle\ - \ communication with the Team Cymru Scout service.\n3. **Connectivity Test**:\ - \ The action performs a GET request to the `/usage` endpoint of the Team Cymru\ - \ Scout API. This endpoint is used to check the current API usage and effectively\ - \ validates the provided credentials.\n4. **Result Processing**: \n * If the\ - \ API call is successful (HTTP 200), the action completes with a success status\ - \ and a message confirming the connection.\n * If the API call fails (e.g.,\ - \ due to invalid credentials or network issues), the action logs the error and\ - \ completes with a failure status, providing the error details in the output message.\n\ - \n### Additional Notes\n* This action is typically used during the initial setup\ - \ of the integration or for troubleshooting connectivity issues.\n* It does not\ - \ process any entities or modify any data within Google SecOps or Team Cymru Scout." + ai_description: >- + ### General Description + + Tests the connectivity and configuration of the Team Cymru Scout integration. + This action verifies that the provided credentials (either API Key or Username/Password) + are valid and that the Google SecOps environment can successfully communicate + with the Team Cymru Scout API. + + + ### Parameters Description + + There are no parameters for this action. + + + ### Additional Notes + + This action is primarily used for troubleshooting and initial setup verification. + It targets the `/usage` endpoint of the Team Cymru Scout API to confirm access. + + + ### Flow Description + + 1. **Retrieve Configuration:** The action fetches the integration's configuration + parameters, including the authentication type, credentials, and SSL verification + settings. + + 2. **Initialize API Manager:** An instance of the `ApiManager` is created using + the retrieved credentials. + + 3. **Connectivity Test:** The action calls the `api_usage` method, which performs + a GET request to the `/usage` endpoint. + + 4. **Result Handling:** If the API call returns a successful response (HTTP 200), + the action completes with a success message. If the call fails (e.g., due to invalid + credentials or network issues), the action fails and provides the error details. capabilities: can_create_case_comments: false can_create_insight: false @@ -1356,7 +1496,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1370,28 +1510,3 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/community/telegram/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/telegram/resources/ai/actions_ai_description.yaml index acc3f2465..a7cc133ea 100644 --- a/content/response_integrations/third_party/community/telegram/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/telegram/resources/ai/actions_ai_description.yaml @@ -1,39 +1,48 @@ Get Bot Details: - ai_description: >- - Retrieves the configuration details and metadata of the Telegram bot associated - with the provided API token. This action is primarily used to verify the bot's - identity and status within the Telegram platform. - - - ### Flow Description: - - 1. **Configuration Retrieval:** The action extracts the 'API Token' from the Telegram - integration's global configuration. - - 2. **Manager Initialization:** It initializes the Telegram Manager using the retrieved - token. - - 3. **API Interaction:** The action calls the Telegram API's `/getMe` endpoint - to fetch the bot's details. - - 4. **Result Processing:** The retrieved JSON data, containing information such - as the bot's ID, name, and username, is attached to the action's execution results. - - - ### Parameters Description: - - | Parameter Name | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | None | N/A | N/A | This action does not require any action-specific parameters. - It relies on the global integration configuration for the API Token. | - - - ### Additional Notes: - - - This action is a diagnostic or utility task used to confirm that the bot is - correctly configured and reachable. + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "### General Description\nRetrieves the details of the Telegram\ + \ bot configured in the integration. This action is primarily used to verify the\ + \ bot's identity and connectivity by fetching its basic information, such as its\ + \ ID, name, and username, directly from the Telegram API.\n\n### Parameters Description\n\ + This action does not require any input parameters.\n\n### Additional Notes\n*\ + \ The action relies on the **API Token** provided in the integration's configuration\ + \ to authenticate with the Telegram Bot API.\n* It uses the Telegram `getMe` endpoint,\ + \ which is a simple method for testing a bot's auth token.\n\n### Flow Description\n\ + 1. **Configuration Extraction:** The action retrieves the `API Token` from the\ + \ Telegram integration settings.\n2. **Manager Initialization:** It initializes\ + \ the `TelegramManager` using the extracted token.\n3. **API Interaction:** The\ + \ action calls the `get_bot_details` method, which sends a GET request to the\ + \ Telegram `getMe` endpoint.\n4. **Result Processing:** \n * If successful,\ + \ the bot's details (JSON) are added to the action's results.\n * If the request\ + \ fails (e.g., invalid token or network error), the action reports a failure with\ + \ the corresponding error message." capabilities: can_create_case_comments: false can_create_insight: false @@ -47,7 +56,7 @@ Get Bot Details: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -61,6 +70,7 @@ Get Bot Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Chat Details: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -74,28 +84,28 @@ Get Bot Details: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Chat Details: ai_description: >- ### General Description - The **Get Chat Details** action retrieves comprehensive metadata for a specific - Telegram chat using its unique identifier or username. This action is primarily - used to gather context about a communication channel, such as its title, type - (private, group, supergroup, or channel), and invite link. It is a utility action - that helps analysts verify the existence and properties of a chat involved in - an investigation. + Retrieves detailed information about a specific Telegram chat using its unique + identifier or username. This action is useful for gathering metadata about groups, + channels, or private chats, such as the chat title, type, and the invite link + if available. ### Parameters Description @@ -104,35 +114,32 @@ Get Chat Details: | :--- | :--- | :--- | :--- | - | **Chat ID** | String | Yes | The unique identifier or username (e.g., '@username') - of the target Telegram chat. | + | Chat ID | String | Yes | The unique identifier or username for the target Telegram + chat (e.g., a numeric ID or '@username'). | ### Flow Description - 1. **Initialization:** The action retrieves the Telegram Bot API Token from the - integration's configuration settings. + 1. **Initialization**: The action initializes the Telegram Manager using the API + Token provided in the integration configuration. - 2. **Parameter Extraction:** The `Chat ID` provided by the user is extracted. + 2. **Parameter Extraction**: It retrieves the 'Chat ID' from the action parameters. - 3. **API Request:** The action utilizes the `TelegramManager` to call the Telegram - `getChat` API endpoint with the specified ID. + 3. **API Interaction**: The action calls the Telegram API's `getChat` endpoint + to fetch the details of the specified chat. - 4. **Data Extraction:** Upon a successful response, the action extracts the chat's - invite link (if available). + 4. **Data Processing**: It extracts the `invite_link` from the API response to + provide a direct link to the chat. - 5. **Output Generation:** The action adds the invite link to the SOAR result interface - and attaches the full JSON response containing all chat details for use in downstream - playbook logic. + 5. **Output**: The action returns the full chat details as a JSON object and adds + the invite link to the action results in the Google SecOps interface. ### Additional Notes - - This action does not operate on SecOps entities; it requires a manually provided - `Chat ID`. - - - The bot must be a member of the chat or have sufficient permissions to retrieve - its details. + This action does not operate on entities; it requires a specific Chat ID to be + provided manually or via a playbook property. It is a read-only operation and + does not modify any data within Telegram. capabilities: can_create_case_comments: false can_create_insight: false @@ -146,7 +153,7 @@ Get Chat Details: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -160,6 +167,7 @@ Get Chat Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Messages: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -173,68 +181,67 @@ Get Chat Details: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: false + search_events: true send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Messages: ai_description: >- ### General Description - The **Get Messages** action retrieves updates and messages from a specific Telegram - chat where the bot is a member. It utilizes the Telegram Bot API's `getUpdates` - method to pull incoming data, allowing analysts to monitor chat activity, channel - posts, or poll results directly within Google SecOps. + Retrieves messages and updates from a Telegram chat where the bot is a member. + This action interacts with the Telegram Bot API's `getUpdates` endpoint to pull + communication data, which can then be used for further analysis or ingestion within + the SOAR platform. It allows for filtering by message type and starting from a + specific message ID (offset). ### Parameters Description - | Parameter | Description | Type | Mandatory | + | Parameter Name | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Last Message ID | The ID of the last message (offset) from which the action - will start pulling messages. This helps in controlling the starting point of the - data retrieval. | String | No | + | Last Message ID | string | No | The ID of the last message from which the action + will start pulling all subsequent messages. This corresponds to the 'offset' parameter + in the Telegram API. | - | Message Types | A list of update types to retrieve (e.g., `['channel_post', - 'poll_answer']`). If left empty, all supported update types are returned. | Content - | No | + | Message Types | content | No | A list of the message/update types to retrieve + (e.g., `['message', 'channel_post', 'poll_answer']`). If empty, all types are + retrieved. | ### Flow Description - 1. **Initialization**: The action extracts the Telegram API Token from the integration - configuration. - - 2. **Parameter Extraction**: It retrieves the `Last Message ID` (used as an offset) - and the `Message Types` (allowed updates) from the action input. + 1. **Initialization**: The action initializes the Telegram Manager using the provided + API Token from the integration configuration. - 3. **API Interaction**: The action initializes the `TelegramManager` and calls - the `get_messages` method, which sends a GET request to the Telegram Bot API's - `/getUpdates` endpoint. + 2. **Parameter Extraction**: It extracts the `Last Message ID` (used as an offset) + and the `Message Types` (allowed updates) from the action parameters. - 4. **Data Processing**: The retrieved JSON response containing the messages is - captured. + 3. **API Interaction**: The action calls the Telegram `getUpdates` method via + a GET request to fetch the latest messages based on the provided filters. - 5. **Output**: The action attaches the raw message data to the action's JSON results - for further processing or inspection in the SOAR platform. + 4. **Result Processing**: The retrieved messages are returned as a JSON object + and stored in the action's execution results. ### Additional Notes - - The bot must be a member of the chat or channel to successfully retrieve messages. + - The bot must be a member of the chat/channel to retrieve its messages. - - This action does not target specific entities but rather fetches global updates - for the configured bot. + - This action does not target specific entities and operates as a general data + retrieval task. capabilities: can_create_case_comments: false can_create_insight: false @@ -248,7 +255,7 @@ Get Messages: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -262,6 +269,7 @@ Get Messages: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -275,58 +283,62 @@ Get Messages: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: ai_description: >- ### General Description - The **Ping** action is a diagnostic utility designed to verify the connectivity - between Google SecOps and the Telegram Bot API. Its primary purpose is to ensure - that the integration is correctly configured and that the provided API Token is - valid and authorized to communicate with Telegram's servers. + The **Ping** action is designed to test and verify the connectivity between the + Google SecOps platform and the Telegram API. Its primary purpose is to ensure + that the integration is correctly configured and that the provided Bot API Token + is valid and authorized to communicate with Telegram's servers. ### Parameters Description - | Parameter Name | Type | Mandatory | Description | + There are no action-specific parameters for this action. It relies entirely on + the global integration configuration (specifically the 'API Token'). - | :--- | :--- | :--- | :--- | - | None | N/A | N/A | This action does not take any input parameters. It uses the - 'API Token' defined in the integration configuration. | + ### Additional Notes + - This action does not interact with any entities (IPs, Users, etc.). - ### Flow Description + - It is a read-only operation that checks the status of the bot account. - 1. **Configuration Extraction**: The action retrieves the 'API Token' from the - Telegram integration's shared configuration. + - Per standard SOAR practices, Ping actions are used for health checks and are + not classified as enrichment. - 2. **Connectivity Check**: It initializes the Telegram Manager and executes a - GET request to the `getMe` endpoint of the Telegram Bot API. - 3. **Response Evaluation**: The action parses the API response to check the `ok` - status field. + ### Flow Description - 4. **Execution Outcome**: If the API returns a successful response, the action - completes with a success message. If the request fails or the token is invalid, - it reports a connection failure. + 1. **Configuration Retrieval**: The action extracts the 'API Token' from the Telegram + integration settings. + 2. **Manager Initialization**: It initializes the Telegram communication manager + with the provided token. - ### Additional Notes + 3. **API Request**: The action executes a GET request to the Telegram `/getMe` + endpoint. - This is a standard health-check action and does not interact with or modify any - entities or alert data within the SOAR platform. + 4. **Validation**: It checks the response from Telegram to confirm the bot is + active and the token is valid. + + 5. **Final Status**: The action returns a success message if the connection is + established, or a failure message if the API call fails or returns an error. capabilities: can_create_case_comments: false can_create_insight: false @@ -335,12 +347,12 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: false + fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -354,6 +366,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Send Document: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -367,65 +380,59 @@ Ping: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: true submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Send Document: ai_description: >- ### General Description - Sends a document to a specified Telegram chat or channel using a provided URL. - This action is useful for automated reporting or sharing files (such as logs, - evidence, or summaries) directly to a Telegram-based communication channel during - an incident response workflow. + Sends a document to a specific Telegram chat using a provided URL. This action + allows users to share files (such as PDFs, logs, or images) hosted at a public + or accessible URL directly into a Telegram conversation or channel via a bot. ### Parameters Description + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Document URL | string | Yes | The web URL of the document to be sent. Telegram - will download the file from this URL and send it to the chat. | - - | Chat ID | string | Yes | The unique identifier for the target chat, group, or - channel where the document should be sent. | - + | Document URL | String | Yes | The direct URL of the document to be sent to the + Telegram chat. | - ### Additional Notes - - - This action requires a valid Telegram Bot API Token to be configured in the - integration settings. - - - The document is sent via the Telegram Bot API's `sendDocument` method. + | Chat ID | String | Yes | The unique identifier or username of the target Telegram + chat where the document will be sent. | ### Flow Description - 1. **Parameter Extraction**: The action retrieves the Telegram Bot API Token from - the integration configuration and the 'Chat ID' and 'Document URL' from the action - parameters. + 1. **Configuration Retrieval**: The action fetches the Telegram Bot API Token + from the integration settings. - 2. **Manager Initialization**: It initializes the `TelegramManager` using the - provided API token. + 2. **Parameter Extraction**: The target Chat ID and the URL of the document are + retrieved from the action input. - 3. **API Execution**: The action calls the `send_doc` method, which sends a request - to the Telegram API to deliver the document from the specified URL to the target - chat. + 3. **API Interaction**: The action uses the Telegram Manager to call the `sendDocument` + endpoint of the Telegram Bot API. - 4. **Result Handling**: If the API call is successful, the action returns a success - status and includes the JSON response from Telegram in the results. If it fails, - an error message is captured and the action is marked as failed. + 4. **Result Processing**: The response from Telegram, containing details of the + sent message, is captured and added to the action's JSON results. + + 5. **Completion**: The action concludes by reporting whether the document was + successfully sent. capabilities: can_create_case_comments: false can_create_insight: false @@ -434,14 +441,14 @@ Send Document: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Sends a document to a specified Telegram chat or channel, which modifies the - chat history/state in the external Telegram platform. - fetches_data: false + Sends a document to a Telegram chat, which creates a new message/post in the + external Telegram system. + fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -455,6 +462,7 @@ Send Document: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Send Location: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -468,66 +476,68 @@ Send Document: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: true submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Send Location: ai_description: >- - Sends a specific geographic location to a designated Telegram chat using a bot. - This action is primarily used for notification or coordination purposes, allowing - a SOAR playbook to share coordinates directly into a Telegram conversation. + ### General Description + Sends a geographic location (latitude and longitude) to a specific Telegram chat + using a bot. This action is useful for sharing physical coordinates or points + of interest directly into a communication channel during incident response or + coordination. - ### Flow Description - 1. **Parameter Extraction:** The action retrieves the Telegram Bot API Token from - the integration configuration and the Chat ID, Latitude, and Longitude from the - action parameters. + ### Parameters Description - 2. **Manager Initialization:** It initializes the `TelegramManager` with the provided - API token to facilitate communication with the Telegram Bot API. + | Parameter | Type | Mandatory | Description | - 3. **API Interaction:** The action calls the `sendLocation` method, which sends - a GET request to the Telegram API endpoint with the specified coordinates and - target chat identifier. + | :--- | :--- | :--- | :--- | - 4. **Result Handling:** The response from Telegram (containing details of the - sent message) is captured and added to the action's JSON results. The action then - terminates with a success or failure message based on the API response. + | Chat ID | string | Yes | The unique identifier for the target chat or the username + of the target channel (e.g., '123456789'). | + | Latitude | string | Yes | The latitude coordinate of the location to be sent + (e.g., '30.0123213'). | - ### Parameters Description + | Longitude | string | Yes | The longitude coordinate of the location to be sent + (e.g., '30.456468'). | - | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + ### Additional Notes - | Chat ID | String | Yes | The unique identifier or username for the target chat - (e.g., a user ID or a group chat ID). | + This action does not process or interact with Google SecOps entities. It relies + solely on the provided action parameters to execute the request to the Telegram + Bot API. - | Latitude | String | Yes | The latitude coordinate of the location to be sent - (e.g., 30.0123213). | - | Longitude | String | Yes | The longitude coordinate of the location to be sent - (e.g., 30.456468). | + ### Flow Description + 1. **Parameter Extraction**: The action retrieves the Telegram API Token from + the integration configuration and the Chat ID, Latitude, and Longitude from the + action parameters. - ### Additional Notes + 2. **Manager Initialization**: Initializes the Telegram Manager using the provided + API Token. - * This action does not process SecOps entities; it relies entirely on the provided - input parameters. + 3. **API Interaction**: Calls the Telegram `sendLocation` endpoint with the specified + chat ID and coordinates. - * The Telegram Bot must have the necessary permissions to send messages to the - specified Chat ID. + 4. **Result Processing**: Captures the API response, attaches it as a JSON result + to the action, and reports a success or failure message based on the outcome of + the network request. capabilities: can_create_case_comments: false can_create_insight: false @@ -536,14 +546,14 @@ Send Location: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Sends a location message to a Telegram chat, which creates a new message entry - in the external Telegram system's chat history. + Sends a location message to a specified Telegram chat, which creates a new message + entry in the external Telegram platform. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -557,6 +567,7 @@ Send Location: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Send Message: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -570,62 +581,62 @@ Send Location: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: true submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Send Message: ai_description: >- - ### General Description + Sends a message to a specific Telegram chat using a configured bot. This action + allows for automated notifications or communications to be dispatched directly + from a playbook to a Telegram user, group, or channel. - The **Send Message** action allows a configured Telegram bot to send a text message - to a specific chat. This is primarily used for automated notifications, alerting - analysts, or communicating status updates to a Telegram group or individual user - directly from a Google SecOps playbook. + ### Flow Description - ### Parameters Description - - | Parameter | Type | Mandatory | Description | + 1. **Initialization**: The action initializes the Telegram Manager using the provided + Bot API Token from the integration configuration. - | :--- | :--- | :--- | :--- | + 2. **Parameter Extraction**: It retrieves the target 'Chat ID' and the 'Message' + content from the action parameters. - | **Chat ID** | String | Yes | The unique identifier for the Telegram chat (group, - channel, or private) where the message should be sent. | + 3. **API Interaction**: The action calls the Telegram Bot API's `sendMessage` + endpoint with the specified chat identifier and message text. - | **Message** | String | Yes | The actual text content of the message to be delivered - by the bot. | + 4. **Result Processing**: The response from Telegram (containing the sent message + details) is captured as a JSON result, and the action completes with a success + or failure status based on the API response. - ### Flow Description + ### Parameters Description - 1. **Initialization**: The action retrieves the bot's API Token from the integration - configuration and the target Chat ID and Message content from the action parameters. + | Parameter Name | Type | Mandatory | Description | - 2. **API Connection**: It initializes the Telegram Manager and prepares a request - to the Telegram Bot API's `sendMessage` endpoint. + | :--- | :--- | :--- | :--- | - 3. **Execution**: The bot sends the message to the specified chat via an HTTP - request. + | Chat ID | String | Yes | The unique identifier for the target chat or the username + of the target channel (e.g., '123456' or '@my_channel'). | - 4. **Result Handling**: The action captures the JSON response from Telegram (containing - message details) and reports a success or failure status back to the SOAR platform. + | Message | String | Yes | The text content of the message you want to send to + the specified chat. | ### Additional Notes - - This action does not process or iterate over SecOps entities; it relies entirely - on the provided parameters. + - This action does not operate on SecOps entities; it relies entirely on the provided + parameters. - - Ensure the bot has the necessary permissions to post in the target chat ID. + - Ensure the Bot has the necessary permissions to post in the target chat or channel. capabilities: can_create_case_comments: false can_create_insight: false @@ -634,14 +645,14 @@ Send Message: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Sends a message to a Telegram chat, which creates new data (a message) in the - external Telegram system. + Sends a new message to a Telegram chat, which creates new data/content within + the Telegram platform. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -655,6 +666,7 @@ Send Message: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Send Photo: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -668,64 +680,67 @@ Send Message: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: true submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Send Photo: ai_description: >- ### General Description - Sends a photo to a specific Telegram chat using a provided image URL. This action - allows automated bots to share visual information, such as screenshots, graphs, - or evidence, directly into a Telegram conversation or channel. + The **Send Photo** action allows a Google SecOps bot to send an image to a specific + Telegram chat or channel. This is useful for automated notifications that require + visual context, such as screenshots of dashboards, security alerts, or forensic + evidence. The action requires a direct URL to the image and the target Chat ID. ### Parameters Description - | Parameter | Type | Mandatory | Description | + | Parameter Name | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Photo URL | string | Yes | The HTTP URL of the photo to be sent. The URL must - point to a valid image file and should end with a supported extension like .png, - .jpeg, or .jpg. | + | **Chat ID** | String | Yes | The unique identifier for the target Telegram chat + or channel where the photo will be sent. | - | Chat ID | string | Yes | The unique identifier for the target chat or the username - of the target channel (e.g., '123456' or '@my_channel'). | + | **Photo URL** | String | Yes | The HTTP/HTTPS URL of the photo to be sent. The + URL must point directly to an image file and should end with a valid extension + (e.g., .png, .jpeg, .jpg). | ### Additional Notes - - The action requires a valid Telegram Bot API Token to be configured in the integration - settings. + - The Telegram Bot must have the necessary permissions to post in the specified + Chat ID. - - The bot must have the necessary permissions to send messages/photos in the target - chat. + - The image must be accessible via the provided URL by the Telegram servers. ### Flow Description - 1. **Initialization**: The action retrieves the Telegram API Token from the integration - configuration. + 1. **Configuration Retrieval:** The action retrieves the Telegram Bot API Token + from the integration configuration. - 2. **Parameter Extraction**: It extracts the target 'Chat ID' and the 'Photo URL' - from the action inputs. + 2. **Parameter Extraction:** It extracts the target `Chat ID` and the `Photo URL` + from the action input. - 3. **API Interaction**: The action uses the TelegramManager to call the Telegram - Bot API's `sendPhoto` endpoint, passing the chat identifier and the image link. + 3. **API Interaction:** The action initializes the `TelegramManager` and calls + the `send_photo` method, which sends a request to the Telegram Bot API endpoint + `/sendPhoto`. - 4. **Result Processing**: If the API call is successful, the response data is - attached to the action's JSON results. If it fails, an error message is returned - and the action status is set to failed. + 4. **Result Processing:** If successful, the action returns the metadata of the + sent message as a JSON result. If the request fails (e.g., invalid Chat ID or + inaccessible URL), the action reports a failure state. capabilities: can_create_case_comments: false can_create_insight: false @@ -734,14 +749,14 @@ Send Photo: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Sends a photo to a Telegram chat, which creates a new message/content in the - external Telegram platform. + Sends a photo to a Telegram chat, which creates a new message record in the + external Telegram system. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -755,6 +770,7 @@ Send Photo: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Send Poll: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -768,70 +784,70 @@ Send Photo: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: true submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Send Poll: ai_description: >- - ### General Description + Sends a poll with pre-defined answer options to a specific Telegram chat or group. + This action allows users to create interactive polls via a Telegram bot, facilitating + decision-making or data collection directly within the communication platform. - Sends a poll with pre-defined answer options to a specific Telegram chat or channel - using a Telegram Bot. This action is useful for gathering feedback or making collaborative - decisions within a chat environment directly from a SOAR playbook. + ### Flow Description - ### Parameters Description - - | Parameter | Type | Mandatory | Description | + 1. **Parameter Extraction:** The action retrieves the Telegram API Token from + the integration configuration and the Chat ID, Question, Options, and Anonymity + settings from the action parameters. - | :--- | :--- | :--- | :--- | + 2. **Manager Initialization:** Initializes the Telegram Manager to handle communication + with the Telegram Bot API. - | Chat ID | String | Yes | The unique identifier for the target chat or the username - of the target channel (e.g., @channelusername). Note: Non-anonymous polls cannot - be sent to channel chats. | + 3. **API Interaction:** Calls the Telegram `sendPoll` endpoint with the specified + question and answer options. - | Question | String | Yes | The question text to be sent in the poll. | + 4. **Result Processing:** Captures the API response (the created poll object), + attaches it as a JSON result, and provides a success or failure message to the + SOAR platform. - | Options | Content (Array) | Yes | A JSON array of strings representing the answer - options (e.g., ["Yes", "No"]). Telegram typically requires between 2 and 10 options. - | - | Is Anonymous | Boolean | No | Determines if the poll results will be anonymous. - If set to false, users' identities will be visible to the bot and other users. - Default is false. | + ### Parameters Description + | Parameter Name | Type | Mandatory | Description | - ### Flow Description + | :--- | :--- | :--- | :--- | - 1. **Configuration Retrieval**: The action retrieves the Telegram Bot API Token - from the integration settings. + | Chat ID | String | Yes | The unique identifier for the target chat or the username + of the target channel (e.g., "123456"). Note: Non-anonymous polls cannot be sent + to channel chats. | - 2. **Parameter Extraction**: It extracts the target Chat ID, the question text, - the list of options, and the anonymity preference from the action parameters. + | Question | String | Yes | The text of the question you want to send to the chat. + | - 3. **API Interaction**: The action calls the Telegram `sendPoll` API endpoint - via the `TelegramManager`. + | Options | Content (Array) | Yes | A JSON array of strings representing the answer + options (e.g., `["Option 1", "Option 2"]`). | - 4. **Result Processing**: If successful, the action returns the metadata of the - sent poll (including the poll ID and message details) as a JSON result and completes - the execution. + | Is Anonymous | Boolean | No | Determines if the poll responses will be anonymous. + Default is false. Note: Non-anonymous polls cannot be sent to channel chats. | ### Additional Notes - - Ensure the bot has the necessary permissions to post in the specified chat or - channel. + - Ensure the Telegram Bot has the necessary permissions to send messages and polls + in the target chat. - - Non-anonymous polls are restricted from being sent to Telegram Channels. + - If sending to a channel, the poll **must** be anonymous. capabilities: can_create_case_comments: false can_create_insight: false @@ -840,14 +856,14 @@ Send Poll: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates and sends a new poll message to a Telegram chat or channel, which changes - the state of the external Telegram environment. - fetches_data: true + Sends a poll to a Telegram chat, which creates a new interactive message/object + within the external Telegram platform. + fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -861,6 +877,7 @@ Send Poll: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Set Default Chat Permissions: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -874,44 +891,84 @@ Send Poll: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Set Default Chat Permissions: - ai_description: "Sets default chat permissions for all new members in a specified\ - \ Telegram group or supergroup. This action allows administrators to define the\ - \ baseline capabilities for new participants, such as their ability to send messages,\ - \ polls, invite others, or modify chat settings. \n\n### Parameters\n| Parameter\ - \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Chat ID\ - \ | string | Yes | The unique identifier or username of the target chat where\ - \ permissions will be applied. |\n| Can Send Messages | boolean | No | If true,\ - \ allows users to send text messages, contacts, and locations. Default is true.\ - \ |\n| Can Send Polls | boolean | No | If true, allows users to send polls. Default\ - \ is true. |\n| Can Invite Users | boolean | No | If true, allows users to invite\ - \ new members to the chat. Default is true. |\n| Can Pin Messages | boolean |\ - \ No | If true, allows users to pin messages. Note: This cannot be applied in\ - \ supergroups. Default is true. |\n| Can Edit Info | boolean | No | If true, allows\ - \ users to edit chat titles, photos, and other settings. Note: This cannot be\ - \ applied in supergroups. Default is true. |\n\n### Additional Notes\n- The Telegram\ - \ bot must be an administrator in the target group or supergroup.\n- The bot must\ - \ specifically have the `can_restrict_members` administrative permission for this\ - \ action to succeed.\n\n### Flow Description\n1. **Initialization**: The action\ - \ retrieves the Telegram API Token from the integration configuration and extracts\ - \ the Chat ID and permission flags from the action parameters.\n2. **API Interaction**:\ - \ The action uses the `TelegramManager` to call the Telegram `setChatPermissions`\ - \ endpoint with the provided configuration.\n3. **Result Processing**: The action\ - \ captures the API response, which indicates whether the permission update was\ - \ successful.\n4. **Finalization**: The action outputs a success or failure message\ - \ to the SOAR case wall and attaches the raw JSON response from Telegram for auditing." + ai_description: >- + ### General Description + + Sets the default chat permissions for all new members in a specified Telegram + chat or group. This action allows administrators to define the baseline capabilities + for new participants, such as their ability to send messages, polls, invite other + users, or modify chat information. It is primarily used for group management and + automated moderation within Telegram communities. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Chat ID | String | Yes | The unique identifier for the target chat or group + where permissions will be applied. | + + | Can Send Messages | Boolean | No | Determines if new members are allowed to + send text messages, contacts, and locations. Default is true. | + + | Can Edit Info | Boolean | No | Determines if new members can edit the chat title, + photo, and other settings. Note: This cannot be applied in supergroups. Default + is true. | + + | Can Invite Users | Boolean | No | Determines if new members can invite other + users to the chat. Default is true. | + + | Can Pin Messages | Boolean | No | Determines if new members are allowed to pin + messages. Note: This cannot be applied in supergroups. Default is true. | + + | Can Send Polls | Boolean | No | Determines if new members are allowed to send + polls. Default is true. | + + + ### Additional Notes + + * The bot must be an administrator in the target group or supergroup for this + action to function. + + * The bot must specifically have the `can_restrict_members` administrative permission. + + * Certain permissions (like 'Can Edit Info' and 'Can Pin Messages') are restricted + by Telegram and cannot be applied to supergroups via this specific method. + + + ### Flow Description + + 1. **Configuration Retrieval:** The action retrieves the Telegram Bot API Token + from the integration settings. + + 2. **Parameter Extraction:** It extracts the target Chat ID and the specific permission + flags (Send Messages, Edit Info, Invite Users, Pin Messages, Send Polls) provided + by the user. + + 3. **API Interaction:** The action initializes the Telegram Manager and calls + the `setChatPermissions` endpoint on the Telegram API with the specified parameters. + + 4. **Result Processing:** If the API call is successful, the action returns a + success message and the raw JSON response from Telegram. If the call fails (e.g., + due to insufficient bot permissions or an invalid Chat ID), it returns an error + message and marks the action as failed. capabilities: can_create_case_comments: false can_create_insight: false @@ -920,14 +977,14 @@ Set Default Chat Permissions: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the default permission configuration for a Telegram chat, which affects - the capabilities of all new members joining the group. + Updates the default chat permissions for all new members in a specific Telegram + chat or group via the Telegram Bot API. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -941,6 +998,7 @@ Set Default Chat Permissions: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Set User Permissions: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -954,52 +1012,89 @@ Set Default Chat Permissions: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false - update_identity: false + update_identity: true update_ticket: false -Set User Permissions: - ai_description: "### General Description\nUpdates or revokes specific administrative\ - \ permissions for a user within a Telegram supergroup or channel. This action\ - \ allows for granular control over user capabilities such as pinning messages,\ - \ deleting content, or inviting new members. For this action to succeed, the configured\ - \ Telegram bot must already be an administrator in the target chat with the necessary\ - \ rights to promote or demote other members.\n\n### Parameters Description\n|\ - \ Parameter Name | Description | Type | Mandatory | \n| :--- | :--- | :--- | :---\ - \ |\n| Chat ID | The unique identifier or username of the target Telegram chat.\ - \ | String | Yes |\n| User ID | The unique identifier of the user whose permissions\ - \ are being modified. | String | Yes |\n| Is Anonymous | If set to true, the user's\ - \ presence in the chat is hidden. | Boolean | No |\n| Can Edit The Info | Allows\ - \ the user to change the chat title, photo, and other settings. | Boolean | No\ - \ |\n| Can Post Messages | Allows the user to post messages (relevant for channels).\ - \ | Boolean | No |\n| Can Edit Messages | Allows the user to edit messages sent\ - \ by others (relevant for channels). | Boolean | No |\n| Can Delete Messages |\ - \ Allows the user to delete messages sent by others. | Boolean | No |\n| Can Invite\ - \ Users | Allows the user to invite new users to the chat. | Boolean | No |\n\ - | Can Restrict Members | Allows the user to restrict, ban, or unban chat members.\ - \ | Boolean | No |\n| Can Promote Members | Allows the user to add or revoke permissions\ - \ for other administrators. | Boolean | No |\n| Can Pin Messages | Allows the\ - \ user to pin messages (relevant for supergroups). | Boolean | No |\n\n### Additional\ - \ Notes\nThis action uses the Telegram `promoteChatMember` API endpoint. While\ - \ the manager uses a GET request, the operation results in a state change on the\ - \ Telegram platform. If a permission parameter is not provided, it defaults to\ - \ the value specified in the integration settings (usually 'true' in the provided\ - \ YAML).\n\n### Flow Description\n1. **Initialization**: Retrieves the Telegram\ - \ API Token from the integration configuration.\n2. **Parameter Extraction**:\ - \ Collects the mandatory Chat ID and User ID, along with all optional permission\ - \ boolean flags from the action input.\n3. **API Execution**: Calls the `set_user_permissions`\ - \ method in the Telegram Manager, which sends a request to the `promoteChatMember`\ - \ endpoint with the specified permission set.\n4. **Result Processing**: Captures\ - \ the API response. If successful, it returns a confirmation message and the raw\ - \ JSON result; otherwise, it reports a failure with the error details." + ai_description: >- + Adds or revokes user permissions in a Telegram supergroup or a channel. This action + allows a bot (which must be an administrator with appropriate rights) to manage + specific administrative and member privileges for a target user. It can be used + to promote users to admin roles or restrict their capabilities within a chat. + + + ### Flow Description + + 1. **Initialization**: The action initializes the Telegram Manager using the provided + API Token. + + 2. **Parameter Extraction**: It retrieves the target `Chat ID`, `User ID`, and + various boolean permission flags from the action parameters. + + 3. **API Interaction**: The action calls the Telegram `promoteChatMember` API + endpoint, passing the permission flags to update the user's status. + + 4. **Result Processing**: It captures the API response, determines if the operation + was successful, and outputs the resulting JSON data. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | User ID | string | Yes | The unique identifier of the user whose permissions + are being modified. | + + | Chat ID | string | Yes | The unique identifier or username of the target supergroup + or channel. | + + | Can Pin Messages | boolean | No | If true, the user can pin messages (relevant + for supergroups only). | + + | Can Promote Members | boolean | No | If true, the user can add new administrators + or revoke existing ones. | + + | Can Restrict Members | boolean | No | If true, the user can restrict, ban, or + unban chat members. | + + | Can Post Messages | boolean | No | If true, the user can post messages (relevant + for channels only). | + + | Can Edit The Info | boolean | No | If true, the user can edit chat title, photo, + and other settings. | + + | Is Anonymous | boolean | No | If true, the user's presence in the chat is hidden. + | + + | Can Invite Users | boolean | No | If true, the user can invite new users to + the chat. | + + | Can Delete Messages | boolean | No | If true, the user can delete messages of + other users. | + + | Can Edit Messages | boolean | No | If true, the user can edit messages of other + users. | + + + ### Additional Notes + + - The bot must be an administrator in the target chat for this action to work. + + - The bot must have the specific administrative permissions it is trying to grant + or revoke from others. capabilities: can_create_case_comments: false can_create_insight: false @@ -1008,14 +1103,14 @@ Set User Permissions: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Modifies user permissions and administrative rights within a Telegram chat or - channel via the promoteChatMember API. - fetches_data: false + Modifies user permissions and administrative rights within a Telegram supergroup + or channel using the promoteChatMember API endpoint. + fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1029,6 +1124,7 @@ Set User Permissions: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Wait for poll results: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1042,88 +1138,86 @@ Set User Permissions: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false - update_identity: true + update_identity: false update_ticket: false -Wait for poll results: ai_description: >- ### General Description - This action monitors a specific Telegram poll and retrieves its results once certain - conditions are met. It is an asynchronous action that periodically checks for - updates from the Telegram bot until either a specified vote threshold is reached - for any poll option or a maximum waiting timeframe expires. This is primarily - used in automated workflows to pause execution until a user or group provides - feedback via a Telegram poll. + The **Wait for poll results** action is an asynchronous utility designed to monitor + a specific Telegram poll and retrieve its results. It is typically used in workflows + where a decision or input is required from a user via a Telegram poll. The action + continues to poll the Telegram API until either a specific vote threshold is reached + for any of the poll options or a pre-defined waiting timeframe expires. ### Parameters Description - | Parameter | Description | Type | Mandatory | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Poll ID** | The unique identifier of the Telegram poll to monitor for answers. - | String | Yes | + | **Poll ID** | String | Yes | The unique identifier of the poll to fetch answers + for. | - | **Answer Votes Threshold** | The number of votes required for any single poll - option to satisfy the condition and stop the waiting process. | String | Yes | + | **Answer Votes Threshold** | String | Yes | The number of votes an answer must + receive for the action to stop waiting and return a successful result. | - | **Waiting Timeframe** | The maximum duration (in minutes) the action will wait - for the threshold to be met. If this time passes, the action completes with the - current results. | String | Yes | + | **Waiting Timeframe** | String | Yes | The maximum amount of time (in minutes) + to wait for votes before the action stops, even if the threshold wasn't met. | - | **Scan back Limit** | The maximum number of recent Telegram updates to retrieve - and scan when searching for the poll's status. | String | Yes | + | **Scan back Limit** | String | Yes | The maximum number of poll answers/updates + to scan in the Telegram history (specifically for polls sent by the bot). | - ### Additional Notes - - - This action is **asynchronous**. If the threshold is not met and the timeframe - has not expired, the action will enter an 'In Progress' state and resume in the - next execution cycle. + ### Flow Description - - The action uses the `getUpdates` Telegram API method, specifically filtering - for 'poll' update types. + 1. **Initialization**: The action retrieves the Telegram API token from the integration + configuration and extracts the user-defined parameters (Poll ID, Threshold, Timeframe, + and Scan Limit). + 2. **State Management**: On the first run, it initializes the start time. On subsequent + runs (asynchronous retries), it retrieves the previous state (start time, timeframe, + and last scanned update ID) from the action's internal `additional_data` parameter. - ### Flow Description + 3. **Data Retrieval**: It calls the Telegram `getUpdates` API to fetch recent + activity, specifically looking for poll-related updates. - 1. **Initialization**: The action retrieves the Telegram API Token from the integration - configuration and extracts the Poll ID, Vote Threshold, Timeframe, and Scan Limit - from the action parameters. + 4. **Filtering**: The action filters the retrieved updates to find matches for + the specific **Poll ID** provided in the parameters. - 2. **State Recovery**: If this is a subsequent run (async), it recovers the start - time and the last processed update ID from the previous execution's state. + 5. **Threshold Evaluation**: It checks the `voter_count` for each option in the + poll. If any option meets or exceeds the **Answer Votes Threshold**, the action + completes successfully. - 3. **Data Retrieval**: It calls the Telegram API to fetch recent updates based - on the **Scan back Limit** and the last known update offset. + 6. **Timeout Check**: If the threshold is not met, it calculates the elapsed time. + If the **Waiting Timeframe** has been reached, the action completes, returning + the current state of the poll even if the threshold wasn't met. - 4. **Filtering**: The action filters the retrieved updates to find those matching - the specified **Poll ID**. + 7. **Iteration**: If neither the threshold nor the timeout is met, the action + sets its state to `IN_PROGRESS` and schedules a retry, passing the current state + forward to the next execution cycle. - 5. **Threshold Evaluation**: It checks the current vote counts for all options - in the identified poll. If any option's `voter_count` is greater than or equal - to the **Answer Votes Threshold**, the action marks itself as completed. - 6. **Timeframe Check**: If the threshold is not met, it calculates the elapsed - time. If the elapsed time exceeds the **Waiting Timeframe**, the action completes. + ### Additional Notes - 7. **Asynchronous Wait**: If neither the threshold nor the timeframe has been - reached, the action saves its current state (start time, timeframe, and last update - ID) and sets its status to 'In Progress' to be re-executed later. + - This action is asynchronous and will run multiple times until a concluding condition + is met. - 8. **Result Reporting**: Upon completion or during the wait, the action provides - the current poll answers and raw update data in the JSON results. + - The **Scan back Limit** helps optimize performance by limiting how far back + in the update history the bot looks for the specific poll. capabilities: can_create_case_comments: false can_create_insight: false @@ -1135,9 +1229,9 @@ Wait for poll results: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1151,28 +1245,3 @@ Wait for poll results: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/community/telegram/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/telegram/resources/ai/connectors_ai_description.yaml index 8de9f4020..6271ce4bb 100644 --- a/content/response_integrations/third_party/community/telegram/resources/ai/connectors_ai_description.yaml +++ b/content/response_integrations/third_party/community/telegram/resources/ai/connectors_ai_description.yaml @@ -1,30 +1,60 @@ Telegram Connector: - ai_description: "### General Description\nThe Telegram Connector allows Google SecOps\ - \ to ingest messages from Telegram channels, supergroups, and private chats where\ - \ a configured bot is a member. It enables security teams to monitor communication\ - \ platforms for potential threats, data leaks, or automated alerts. \n\n**Note:**\ - \ For the connector to function, the bot must be an administrator in channels\ - \ or have message access enabled in groups. Additionally, this connector uses\ - \ polling and cannot operate if an active Webhook is configured for the same bot\ - \ token.\n\n### Parameters Description\n| Parameter | Type | Mandatory | Description\ - \ |\n| :--- | :--- | :--- | :--- |\n| API Token | Password | Yes | The unique\ - \ API token provided by Telegram's BotFather for authentication. |\n| DeviceProductField\ - \ | String | Yes | The field name used to determine the device product in the\ - \ SOAR platform (Default: device_product). |\n| EventClassId | String | Yes |\ - \ The field name used to determine the event name or sub-type (Default: event_name).\ - \ |\n| PythonProcessTimeout | String | Yes | The maximum time in seconds allowed\ - \ for the connector script to execute (Default: 30). |\n\n### Flow Description\n\ - 1. **Authentication**: The connector initializes a connection to the Telegram\ - \ Bot API using the provided API Token.\n2. **State Tracking**: It retrieves the\ - \ `update_id` of the last processed message from the internal storage to ensure\ - \ only new data is ingested.\n3. **Data Fetching**: The connector polls the Telegram\ - \ `getUpdates` endpoint, starting from the next available `update_id`.\n4. **Message\ - \ Processing**: \n * It identifies whether the update is a standard message\ - \ (private/group) or a channel post.\n * The message payload is flattened into\ - \ a structured format.\n * Timestamps and product metadata are assigned to\ - \ the event.\n5. **Alert Creation**: Each message is encapsulated into a SOAR\ - \ Alert with a default priority of Medium (60).\n6. **Checkpointing**: After successful\ - \ processing, the connector saves the latest `update_id` back to the internal\ - \ storage to prevent duplicate ingestion in the next cycle.\n7. **Ingestion**:\ - \ The generated alerts are returned to Google SecOps for case creation and further\ - \ investigation." + ai_description: >- + ### General Description + + + The Telegram Connector ingests messages from Telegram channels, supergroups, and + private chats into Google SecOps as alerts. This integration allows security teams + to monitor Telegram communications for potential threats, data leaks, or malicious + activity. The connector utilizes a Telegram Bot to poll for new updates. For successful + ingestion, the bot must be an administrator in channels or have message access + in groups. Additionally, this connector is incompatible with active Telegram webhooks; + any existing webhooks must be disabled for the polling mechanism to work. + + + ### Parameters Description + + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | API Token | Password | Yes | The unique API Token for your Telegram Bot. | + + | DeviceProductField | String | Yes | The field name used to determine the device + product in the ingested event (Default: device_product). | + + | EventClassId | String | Yes | The field name used to determine the event name + or sub-type (Default: event_name). | + + | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the + Python process running the script (Default: 30). | + + + ### Flow Description + + + 1. **Authentication**: The connector establishes a session with the Telegram Bot + API using the provided API Token. + + 2. **State Management**: It retrieves the `update_id` of the last processed message + from the Google SecOps connector context to ensure only new data is ingested. + + 3. **Data Retrieval**: The connector polls the Telegram `getUpdates` endpoint, + using the saved `update_id` as an offset to fetch all messages sent since the + last execution. + + 4. **Message Processing**: The script iterates through the retrieved updates, + distinguishing between standard messages (private/group) and channel posts. + + 5. **Event Mapping**: Each message is flattened and mapped to a Google SecOps + event structure, capturing the message content, sender details, and timestamps. + + 6. **Alert Creation**: The events are encapsulated into `AlertInfo` objects with + a default priority of Medium (60) and a standardized naming convention. + + 7. **System Ingestion**: The alerts are returned to Google SecOps for case creation + and further analysis. + + 8. **Checkpointing**: Upon successful processing, the connector saves the `update_id` + of the most recent message back to the context storage for the next polling cycle. diff --git a/content/response_integrations/third_party/community/vanilla_forums/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/vanilla_forums/resources/ai/actions_ai_description.yaml index 1f86e9eac..9f218f04c 100644 --- a/content/response_integrations/third_party/community/vanilla_forums/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/vanilla_forums/resources/ai/actions_ai_description.yaml @@ -1,59 +1,99 @@ Add User: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: true + update_ticket: false ai_description: >- + ### General Description + Adds a new user to Vanilla Forums with comprehensive profile details including - name, email, role, and password. The action includes logic to handle username - collisions by attempting to use alternative separators (e.g., underscores or hyphens) - if the primary name is already taken and duplicity is allowed. It validates password - complexity requirements before attempting creation. + name, email, role, and password. This action is useful for automated user provisioning + or onboarding processes within a community management workflow. It includes built-in + logic to handle username collisions by appending or replacing characters based + on user-defined separators. - ### Parameters + ### Parameters Description - | Parameter | Type | Mandatory | Description | + | Parameter Name | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | First Name | string | True | The first name of the new user. | + | First Name | string | Yes | The first name of the new user. | + + | Last Name | string | Yes | The last name of the new user. | - | Last Name | string | True | The last name of the new user. | + | Email | string | Yes | The email address for the new account. | - | Email | string | True | The email address for the new account. | + | Role ID | string | Yes | The numeric ID of the role to be assigned to the user + (e.g., '8'). | - | Password | password | True | The account password. Must be at least 6 characters - and contain both letters and digits. | + | Password | password | Yes | The password for the new user. Must be at least + 6 characters long and contain both letters and digits. | - | Role ID | string | True | The numeric ID of the role to assign to the user (e.g., - '8'). | + | Override Name Duplicity | boolean | No | If set to 'True', the action will attempt + to create the user even if the username already exists by using alternative identifiers. + Default is 'False'. | - | Override Name Duplicity | boolean | False | If 'True', allows creating a user - even if the username exists (provided the email is different). | + | Additional Identifiers | string | No | A comma-separated list of characters + (e.g., '_,~,-') used to replace the space between first and last names if the + primary username is taken. | - | Additional Identifiers | string | False | A comma-separated list of characters - (e.g., '_,~,-') to use as separators between first and last names if the default - space is taken. | + | Email Confirmed | boolean | No | Whether the user's email address is marked + as confirmed upon creation. Default is 'True'. | - | Email Confirmed | boolean | False | Whether the user's email address is pre-confirmed. - Default is 'true'. | + | Photo URL | string | No | The URL for the new user's profile picture. | - | Photo URL | string | False | URL for the user's profile picture. | + + ### Additional Notes + + - The action performs a validation check on the password complexity before attempting + to communicate with the Vanilla Forums API. + + - If `Override Name Duplicity` is enabled and all provided `Additional Identifiers` + result in existing usernames, the action will fail. ### Flow Description - 1. **Validation:** Validates that the provided password meets the complexity requirements - (minimum 6 characters, contains letters and digits). + 1. **Validation**: Validates that the provided password meets the complexity requirements + (minimum 6 characters, includes letters and digits). - 2. **Availability Check:** Searches Vanilla Forums for the proposed username (First - Name + Space + Last Name). + 2. **Username Check**: Checks if a user with the combined 'First Name' and 'Last + Name' already exists in Vanilla Forums. - 3. **Collision Handling:** If the name exists and 'Override Name Duplicity' is - enabled, the action iterates through the 'Additional Identifiers' to find an available - username variant (e.g., First_Last). + 3. **Collision Handling**: If the name exists and `Override Name Duplicity` is + enabled, the action iterates through the `Additional Identifiers` to find a unique + username variation. - 4. **User Creation:** Sends a POST request to the Vanilla Forums API to create + 4. **User Creation**: Sends a POST request to the Vanilla Forums API to create the user account with the specified attributes. - 5. **Result Reporting:** Returns the created user's details, including the assigned + 5. **Result Processing**: Returns the created user's details, including the assigned email and password, as a JSON result. capabilities: can_create_case_comments: false @@ -63,14 +103,14 @@ Add User: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new user account in the Vanilla Forums platform via a POST request - to the /v2/users endpoint. + Creates a new user account record in the Vanilla Forums database via a POST + request to the /v2/users endpoint. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -84,6 +124,7 @@ Add User: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Generate Password: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -97,60 +138,59 @@ Add User: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false - update_identity: true + update_identity: false update_ticket: false -Generate Password: ai_description: >- - ### General Description + Generates a random password string that adheres to Vanilla Forums' complexity + requirements. The action creates a password consisting of at least one uppercase + letter, one lowercase letter, and a sequence of digits to reach the specified + length. - Generates a random password that complies with Vanilla Forums' password requirements. - The generated password consists of at least one uppercase letter, one lowercase - letter, and the remainder as digits, ensuring a minimum complexity level for user - accounts. + ### Flow Description: - ### Parameters Description + 1. **Parameter Extraction:** Retrieves the desired password length from the action + parameters. - | Parameter | Type | Mandatory | Description | + 2. **Validation:** Checks if the requested length is at least 6 characters; if + not, the action fails. - | :--- | :--- | :--- | :--- | + 3. **Password Generation:** Uses a local utility to construct a string with one + uppercase letter, one lowercase letter, and the remaining characters as digits. - | Length | String | No | The desired length of the generated password. Must be - an integer of at least 6. Defaults to 6 if not specified. | + 4. **Output:** Returns the generated password string as the script result. - ### Additional Notes + ### Parameters Description: - - The action performs local string generation logic and does not communicate with - the Vanilla Forums API to generate the password. + | Parameter Name | Expected Type | Mandatory | Description | - - If a length less than 6 is provided, the action will fail with an error message. + | :--- | :--- | :--- | :--- | + | Length | String | No | The total number of characters for the generated password. + Must be at least 6. Defaults to 6 if not specified. | - ### Flow Description - 1. **Parameter Extraction**: The action retrieves the `Length` parameter from - the input and converts it to an integer. + ### Additional Notes: - 2. **Validation**: It checks if the length is at least 6 characters. If not, it - raises an exception. + * This action does not interact with any external APIs; it performs local string + generation logic. - 3. **Password Generation**: The `VanillaManager` generates a password string by: - - Selecting one random uppercase letter. - - Selecting one random lowercase letter. - - Selecting random digits for the remaining length (Length - 2). - 4. **Completion**: The generated password is returned as the action's result value - and the execution state is set to completed. + * The generated password is provided as the raw result of the action for use in + subsequent playbook steps (e.g., creating a user). capabilities: can_create_case_comments: false can_create_insight: false @@ -164,7 +204,7 @@ Generate Password: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -178,6 +218,7 @@ Generate Password: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get User Details: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -191,40 +232,59 @@ Generate Password: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get User Details: - ai_description: "### General Description\nThe **Get User Details** action retrieves\ - \ comprehensive information about a specific user from Vanilla Forums using their\ - \ unique User ID. This action is designed to fetch metadata such as the user's\ - \ name, email, roles, rank, and profile information, providing administrative\ - \ context for investigations or auditing purposes.\n\n### Parameters Description\n\ - | Parameter | Description | Type | Mandatory | Notes |\n| :--- | :--- | :--- |\ - \ :--- | :--- |\n| **User ID** | The unique identifier of the user whose details\ - \ are to be retrieved. | String | Yes | Default value is \"0\". |\n\n### Flow\ - \ Description\n1. **Initialization**: The action initializes the connection to\ - \ Vanilla Forums using the API Token and Base URL from the integration configuration.\n\ - 2. **Parameter Extraction**: The `User ID` is extracted from the action parameters\ - \ and trimmed of whitespace.\n3. **API Request**: The action calls the `get_user_details`\ - \ method in the `VanillaManager`, which executes a GET request to the `/v2/users/{user_id}`\ - \ endpoint.\n4. **Response Handling**: \n - If successful, the user's JSON\ - \ data is captured.\n - If the user is not found or the request fails, an error\ - \ is logged and the action status is set to failed.\n5. **Output**: The retrieved\ - \ JSON data is added to the action's results, and the action completes with a\ - \ descriptive message.\n\n### Additional Notes\n- This action does not interact\ - \ with Google SecOps entities (e.g., it does not iterate over `target_entities`).\ - \ It operates strictly based on the provided `User ID` parameter.\n- There are\ - \ no parameters that are conditionally mandatory; only the `User ID` is required." + ai_description: >- + ### General Description + + The **Get User Details** action retrieves comprehensive profile information for + a specific user from Vanilla Forums using their unique User ID. This action is + designed to fetch metadata such as usernames, email addresses, roles, and ranks, + providing context for investigations involving forum participants. + + + ### Parameters Description + + | Parameter | Description | Type | Mandatory | Default Value | + + | :--- | :--- | :--- | :--- | :--- | + + | User ID | The unique identifier of the user whose details you want to fetch. + | String | Yes | 0 | + + + ### Flow Description + + 1. **Initialization:** The action initializes the Siemplify environment and retrieves + the Vanilla Forums API token and Base URL from the integration configuration. + + 2. **Parameter Extraction:** It extracts the `User ID` provided by the user. + + 3. **API Interaction:** The action calls the `get_user_details` method in the + `VanillaManager`, which executes a GET request to the `/v2/users/{user_id}` endpoint. + + 4. **Result Handling:** If successful, the full JSON response from Vanilla Forums + is attached to the action results. If the user is not found or an error occurs, + the action reports a failure. + + + ### Additional Notes + + - This action does not process SecOps entities; it relies entirely on the manually + provided `User ID` parameter. capabilities: can_create_case_comments: false can_create_insight: false @@ -238,7 +298,7 @@ Get User Details: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -252,6 +312,7 @@ Get User Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get a Leaderboard Analytics: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -265,71 +326,65 @@ Get User Details: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: false + search_events: true send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get a Leaderboard Analytics: ai_description: >- - ### General Description - - The **Get a Leaderboard Analytics** action retrieves statistical data for specified - leaderboards from a Vanilla Forums instance. It allows analysts to gather engagement - metrics (such as top posters or discussion starters) within a specific timeframe - to understand community activity or identify influential users. + Fetches analytics for specific leaderboards from Vanilla Forums within a defined + date range. This action allows analysts to retrieve performance and activity data + (such as top posters or discussion starters) for community management or auditing + purposes. It queries the Vanilla Forums API for each specified leaderboard and + returns the aggregated data as a JSON result. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Leaderboards** | String | Yes | A comma-separated list of leaderboard names - to query (e.g., `top-posters, top-discussion-starters`). | + | Leaderboards | string | Yes | A comma-separated list of leaderboard identifiers + to query (e.g., 'top-posters, top-discussion-starters'). | - | **From** | String | Yes | The start date for the analytics report in `YYYY-MM-DD` - format. | + | To | string | Yes | The end date of the analytics timeframe in YYYY-MM-DD format. + | - | **To** | String | Yes | The end date for the analytics report in `YYYY-MM-DD` - format. | + | Amount Limit | string | Yes | The maximum number of rows/records to return for + each individual leaderboard. | - | **Amount Limit** | String | Yes | The maximum number of records to return for - each requested leaderboard. | + | From | string | Yes | The start date of the analytics timeframe in YYYY-MM-DD + format. | ### Flow Description - 1. **Parameter Extraction:** The action retrieves the list of leaderboards, the - date range (From/To), and the result limit from the user input. - - 2. **Input Processing:** The `Leaderboards` string is split into a list of individual - board identifiers. - - 3. **Data Retrieval:** For each leaderboard in the list, the action calls the - Vanilla Forums API (`/v2/analytics/leaderboard`) to fetch the corresponding analytics - data. - - 4. **Result Aggregation:** The retrieved data for all boards is compiled into - a single JSON structure. - - 5. **Output:** The action provides the aggregated JSON results and a status message - indicating success or failure for each board. + 1. **Initialization**: The action initializes the Vanilla Forums manager using + the provided API Token and Base URL from the integration configuration. + 2. **Parameter Parsing**: It extracts the list of leaderboards, the date range + (From/To), and the result limit from the action parameters. - ### Additional Notes + 3. **Data Retrieval**: The action iterates through each requested leaderboard + and calls the Vanilla Forums API to fetch the corresponding analytics data for + the specified timeframe. - - Ensure the date format strictly follows `YYYY-MM-DD` to avoid API errors. + 4. **Result Aggregation**: The retrieved data for each board is collected into + a structured JSON list. - - The `Amount Limit` should be provided as a string representing a numeric value. + 5. **Completion**: The action outputs the aggregated JSON results and a summary + message indicating which leaderboards were successfully processed. capabilities: can_create_case_comments: false can_create_insight: false @@ -341,9 +396,9 @@ Get a Leaderboard Analytics: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: true + enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -357,6 +412,7 @@ Get a Leaderboard Analytics: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -370,37 +426,55 @@ Get a Leaderboard Analytics: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: - ai_description: "### General Description\nThe **Ping** action is a diagnostic tool\ - \ designed to verify the connectivity between Google SecOps and the VanillaForums\ - \ platform. It ensures that the provided API Token and Base URL are correct and\ - \ that the network path to the VanillaForums API is open. This action is typically\ - \ used during the initial setup of the integration or for troubleshooting communication\ - \ issues.\n\n### Parameters Description\nThere are no parameters for this action.\n\ - \n### Flow Description\n1. **Configuration Retrieval:** The action starts by fetching\ - \ the integration's configuration, specifically the 'API Token' and 'URL'.\n2.\ - \ **Manager Initialization:** It initializes the `VanillaManager` using the retrieved\ - \ credentials.\n3. **Connectivity Test:** The action calls the `test_connectivity`\ - \ method, which sends a GET request to the `/v2/categories` endpoint of the VanillaForums\ - \ API with a limit of 1 item to minimize data transfer.\n4. **Result Handling:**\ - \ \n * If the API responds with a success status code, the action concludes\ - \ with a success message indicating a successful connection.\n * If an exception\ - \ occurs (e.g., authentication failure, timeout, or invalid URL), the error is\ - \ caught, and a failure message containing the error details is returned.\n\n\ - ### Additional Notes\nThis action does not interact with any entities in the SecOps\ - \ environment and does not modify any data within VanillaForums or Google SecOps." + ai_description: >- + ### General Description + + Verifies the connectivity between Google SecOps and the VanillaForums instance. + This action is used to ensure that the provided API Token and Base URL are valid + and that the network path to the service is open. + + + ### Parameters Description + + There are no parameters for this action. + + + ### Additional Notes + + This action relies on the integration's global configuration (API Token and URL) + to perform the connectivity test. + + + ### Flow Description + + 1. **Configuration Retrieval**: The action retrieves the `API Token` and `URL` + from the VanillaForums integration configuration. + + 2. **Manager Initialization**: It initializes the `VanillaManager` with the retrieved + credentials. + + 3. **Connectivity Test**: The action executes a GET request to the `/v2/categories` + endpoint of the VanillaForums API, requesting a single category to minimize data + transfer. + + 4. **Response Validation**: It checks the HTTP response status. If the request + is successful, it confirms connectivity; otherwise, it catches the exception and + reports the failure. capabilities: can_create_case_comments: false can_create_insight: false @@ -414,7 +488,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -428,6 +502,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Search User By Email and Name: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -441,72 +516,72 @@ Ping: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: true search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Search User By Email and Name: ai_description: >- ### General Description - This action searches for a user within the Vanilla Forums platform using both - an email address and a username. It is designed to verify the existence of a user - account and retrieve associated details if the email search is successful. The - action returns boolean indicators for the existence of the email and username - independently, providing a clear picture of whether the provided identifiers are - registered in the system. + The **Search User By Email and Name** action is designed to verify the existence + of a user within the VanillaForums platform. It performs two independent searches: + one based on a provided email address and another based on a username. This action + is primarily used to validate user accounts or retrieve specific user details + during investigations or administrative workflows. ### Parameters Description - | Parameter Name | Type | Mandatory | Description | Expected Value | - - | :--- | :--- | :--- | :--- | :--- | + | Parameter | Type | Mandatory | Description | - | User Email | string | Yes | The email address of the user to search for. | A - valid email string (e.g., `user@example.com`). | + | :--- | :--- | :--- | :--- | - | User Name | string | Yes | The full name or username of the user to search for. - | A string representing the user's display name or username. | + | **User Email** | String | Yes | The email address of the user to search for. + The search is performed case-insensitively. | + | **User Name** | String | Yes | The full name or username of the user to search + for in the platform. | - ### Additional Notes - - The action performs two separate lookups: one by email and one by username. + ### Flow Description - - If the email is found, the full user details (as returned by the Vanilla Forums - API) are included in the `UserDetails` field of the result JSON. + 1. **Parameter Extraction**: The action retrieves the `User Email` and `User Name` + from the input parameters, applying basic cleaning (stripping whitespace and converting + the email to lowercase). - - The action will succeed (result value `True`) if either the email OR the username - is found in the system. + 2. **Email Search**: It queries the VanillaForums API's `/v2/users` endpoint. + Since this endpoint returns a list, the action iterates through pages of users + to find an exact match for the provided email. + 3. **Name Search**: It queries the `/v2/users/by-names` endpoint to check for + the existence of the provided username. - ### Flow Description + 4. **Result Consolidation**: The action evaluates if a user was found via either + the email or the name search. If found by email, the full user details are captured. - 1. **Initialization**: The action extracts the integration configuration (API - Token and URL) and the user-provided parameters (`User Email` and `User Name`). + 5. **Output**: The action returns a boolean result indicating if any match was + found, along with a JSON object containing the search status for both identifiers + and the user details if available. - 2. **Email Search**: The action calls the `search_user_by_email` method, which - iterates through the `/v2/users` endpoint (handling pagination) to find a match - for the provided email. - 3. **Username Search**: The action calls the `search_user_by_name` method, which - queries the `/v2/users/by-names` endpoint to check for the existence of the provided - username. + ### Additional Notes - 4. **Data Aggregation**: The results from both searches are compiled into a JSON - object. This includes boolean flags for `Email` and `UserName` existence. + - This action does not interact with Google SecOps entities; it relies entirely + on the string values provided in the parameters. - 5. **Completion**: The action sets the final output message based on the search - results and returns the aggregated JSON data to the Google SecOps platform. + - The `UserDetails` field in the JSON output is only populated if a match is found + during the email search phase. capabilities: can_create_case_comments: false can_create_insight: false @@ -518,9 +593,9 @@ Search User By Email and Name: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: true + enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -534,6 +609,7 @@ Search User By Email and Name: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Update Badge: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -547,54 +623,60 @@ Search User By Email and Name: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false - update_identity: false + update_identity: true update_ticket: false -Update Badge: ai_description: >- - Awards a specific badge to a user within the Vanilla Forums platform. This action - uses the Vanilla Forums API to associate a badge ID with a user ID, effectively - updating the user's profile with the new achievement. It is primarily used for - community management and engagement automation. + Awards a specific badge to a user within Vanilla Forums using their respective + IDs. This action interacts with the Vanilla Forums API to grant recognition or + status to a community member. - ### Parameters + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Parameter Extraction:** The action retrieves the `User ID` and `Badge ID` + from the input parameters. - | :--- | :--- | :--- | :--- | + 2. **Manager Initialization:** It initializes the `VanillaManager` using the integration's + API Token and Base URL. - | User ID | string | True | The unique identifier of the user who will receive - the badge. | + 3. **API Interaction:** The action calls the `give_user_badge` method, which sends + a POST request to the Vanilla Forums `/v2/badges/{badge_id}/users` endpoint. - | Badge ID | string | True | The unique identifier of the badge to be awarded - to the user. | + 4. **Result Processing:** It captures the response from the API, updates the action + status to completed upon success, and attaches the badge details as a JSON result. - ### Flow Description + ### Parameters Description - 1. **Initialization**: The action initializes the Vanilla Forums manager using - the API Token and Base URL provided in the integration configuration. - 2. **Parameter Extraction**: It retrieves the 'User ID' and 'Badge ID' from the - action input parameters. + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | User ID | String | Yes | The unique identifier of the user who will receive + the badge. | + + | Badge ID | String | Yes | The unique identifier of the badge to be awarded to + the user. | - 3. **API Execution**: The action calls the `give_user_badge` method in the manager, - which sends a POST request to the Vanilla Forums endpoint `/v2/badges/{badge_id}/users` - with the user's ID in the payload. - 4. **Result Handling**: If the request is successful, it returns the badge assignment - details as a JSON result and completes the action. If the request fails, it captures - the error and marks the action as failed. + ### Additional Notes + + * This action does not run on SecOps entities; it relies entirely on the provided + ID parameters. capabilities: can_create_case_comments: false can_create_insight: false @@ -603,14 +685,14 @@ Update Badge: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Awards a badge to a user in Vanilla Forums, which modifies the user's profile - and badge collection in the external community platform. + Awards a badge to a user in Vanilla Forums, which changes the user's profile + state in the external system. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -624,6 +706,7 @@ Update Badge: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Update Rank: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -637,62 +720,63 @@ Update Badge: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: true update_ticket: false -Update Rank: ai_description: >- - ### General Description + Updates the rank of a specific user within Vanilla Forums. This action allows + administrators to programmatically change a user's community standing or permission + level by assigning a new Rank ID to a specific User ID. - The **Update Rank** action allows analysts to programmatically change the rank - of a specific user within the Vanilla Forums platform. This is typically used - for administrative tasks or as part of a response workflow where a user's permissions - or status needs to be adjusted based on their activity or security profile. + ### Flow Description: - ### Parameters Description + 1. **Parameter Extraction:** The action retrieves the 'Rank ID' and 'User ID' + from the action parameters. - | Parameter Name | Description | Type | Mandatory | Default Value | + 2. **Manager Initialization:** It initializes the VanillaManager using the integration's + API Token and Base URL. - | :--- | :--- | :--- | :--- | :--- | + 3. **API Interaction:** The action calls the `change_user_rank` method, which + sends a PUT request to the Vanilla Forums API endpoint `/v2/users/{user_id}/rank` + with the new rank information. - | Rank ID | The unique identifier of the rank you wish to assign to the user. - | String | Yes | 2 | + 4. **Result Handling:** If the request is successful, the action completes with + a success message and provides the raw JSON response from the API. If it fails, + an error message is logged and the action status is set to failed. - | User ID | The unique identifier of the user whose rank you want to modify. | - String | Yes | 0 | + ### Parameters Description: - ### Additional Notes + | Parameter Name | Type | Mandatory | Description | - This action does not run on SecOps entities (like IP or Hostname). Instead, it - requires specific User and Rank IDs provided as manual inputs or mapped from previous - playbook steps. It performs a direct state change in the Vanilla Forums environment. + | :--- | :--- | :--- | :--- | + | Rank ID | String | Yes | The unique identifier of the rank you wish to assign + to the user. | - ### Flow Description + | User ID | String | Yes | The unique identifier of the user whose rank is being + modified. | - 1. **Parameter Extraction:** The action retrieves the `Rank ID` and `User ID` - from the input parameters. - 2. **API Initialization:** It initializes the Vanilla Forums manager using the - integration's API Token and Base URL. + ### Additional Notes: - 3. **External Request:** The action sends a `PUT` request to the Vanilla Forums - API endpoint `/v2/users/{user_id}/rank` with the new `rankID` in the payload. + - This action performs a direct mutation on the external Vanilla Forums system. - 4. **Result Processing:** If the request is successful, the action returns a success - message and the JSON response from the API. If it fails, it captures the error - and reports a failure state. + - It does not process SecOps entities (like IP or Hostname) but operates on specific + IDs provided as input parameters. capabilities: can_create_case_comments: false can_create_insight: false @@ -701,14 +785,14 @@ Update Rank: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the rank attribute of a user profile in the Vanilla Forums platform - via a PUT request. + Updates the rank of a user in the Vanilla Forums platform via a PUT request + to the user's rank endpoint. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -722,6 +806,7 @@ Update Rank: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Update User Role: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -735,60 +820,55 @@ Update Rank: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: true update_ticket: false -Update User Role: ai_description: >- - ### General Description - - Updates the role of a specific user within the Vanilla Forums platform. This action - allows administrators to programmatically reassign user permissions by providing - the unique User ID and the target Role ID. It is primarily used for identity management - and access control workflows. - + Updates the role of a specific user within Vanilla Forums. This action allows + an analyst to programmatically change a user's permissions by assigning them a + new role ID. It interacts with the Vanilla Forums API via a PATCH request to modify + the user's profile data. - ### Parameters Description - | Parameter Name | Description | Type | Mandatory | Additional Notes | + ### Flow Description: - | :--- | :--- | :--- | :--- | :--- | + 1. **Parameter Extraction:** The action retrieves the `UserID` and `RoleID` from + the input parameters. - | RoleID | The unique identifier of the role to be assigned to the user. | String - | Yes | This should be the numeric or string ID as defined in Vanilla Forums. - | + 2. **API Interaction:** It calls the `give_user_role` method in the VanillaManager, + which sends a PATCH request to the `/v2/users/{userID}` endpoint with the new + `roleID`. - | UserID | The unique identifier of the user whose role is being changed. | String - | Yes | The target user's ID. | + 3. **Validation:** The action checks the API response to ensure the role was successfully + updated and that the provided Role ID was valid. + 4. **Result Reporting:** The updated user details are returned as a JSON result, + and the action status is updated to reflect success or failure. - ### Flow Description - 1. **Parameter Extraction**: The action retrieves the `UserID` and `RoleID` from - the input parameters. + ### Parameters Description: - 2. **API Initialization**: It initializes the `VanillaManager` using the integration's - API Token and Base URL. + | Parameter Name | Type | Mandatory | Description | - 3. **Role Update**: The action calls the `give_user_role` method, which sends - a `PATCH` request to the Vanilla Forums `/v2/users/{userID}` endpoint with the - new `roleID` in the payload. + | :--- | :--- | :--- | :--- | - 4. **Response Handling**: The action parses the API response. If the role is successfully - updated, it returns the updated user details as a JSON result. If the role ID - is invalid or the user is not found, it raises an error. + | UserID | String | True | The unique identifier of the user whose role needs + to be changed. | - 5. **Completion**: The action concludes by reporting the success or failure of - the operation to the SOAR case wall. + | RoleID | String | True | The unique identifier of the role to be assigned to + the user. | capabilities: can_create_case_comments: false can_create_insight: false @@ -797,14 +877,14 @@ Update User Role: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the 'roleID' attribute of a user profile in Vanilla Forums via a PATCH - request to the users endpoint. + Updates the role assignment for a user in the Vanilla Forums platform using + a PATCH request. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -818,28 +898,3 @@ Update User Role: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: true - update_ticket: false diff --git a/content/response_integrations/third_party/community/vectra_qux/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/vectra_qux/resources/ai/actions_ai_description.yaml index 5b1a88840..14b37f9f8 100644 --- a/content/response_integrations/third_party/community/vectra_qux/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/vectra_qux/resources/ai/actions_ai_description.yaml @@ -1,50 +1,80 @@ Add Note: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - Adds a note to a specific entity (Account, Host, or Detection) within the Vectra - platform. This action allows analysts to append contextual information or findings - directly to Vectra entities from within Google SecOps. + Adds a note to a specific entity (Account, Host, or Detection) in the Vectra QUX + platform. This action allows analysts to document findings, provide context, or + record automated observations directly within the Vectra interface from Google + SecOps. + + ### Parameters Description - ### Flow Description: - 1. **Parameter Extraction:** The action retrieves the API configuration (Root, - Token, SSL) and action parameters (Note content, Entity ID, and Entity Type). + | Parameter | Type | Mandatory | Description | - 2. **Validation:** It validates that the provided `Entity ID` is a valid integer. + | :--- | :--- | :--- | :--- | - 3. **API Interaction:** It sends a POST request to the Vectra API endpoint corresponding - to the selected `Entity Type` (Accounts, Hosts, or Detections) and the specific - `Entity ID` to create the note. + | Note | String | Yes | The text content of the note to be added to the entity. + | - 4. **Result Processing:** Upon success, it retrieves the created note's metadata - (ID, creation date, creator) and presents it in a data table and JSON format within - the SOAR case. + | Entity ID | String | Yes | The unique numerical ID of the entity in Vectra. + | + | Entity Type | DDL | Yes | The category of the entity. Supported values are: + `Account`, `Host`, and `Detection`. | - ### Parameters Description: + ### Additional Notes - | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + The `Entity ID` must be a valid integer. The action will fail if the ID does not + exist or if the user does not have sufficient permissions in Vectra QUX to add + notes to the specified entity type. - | Note | String | Yes | The text content of the note to be added to the Vectra - entity. | - | Entity ID | String | Yes | The unique numerical identifier of the entity in - Vectra. | + ### Flow Description - | Entity Type | DDL | Yes | The category of the entity in Vectra. Supported values: - `Account`, `Host`, `Detection`. | + 1. **Parameter Extraction:** The action retrieves the API connection settings + (API Root, Token, SSL verification) and the user-provided parameters: Note, Entity + ID, and Entity Type. - ### Additional Notes: + 2. **Validation:** It validates that the `Entity ID` provided is a valid integer. - * This action performs an external state change by creating a new record (a note) - in the Vectra system. + 3. **API Interaction:** It initializes the VectraQUX manager and sends a POST + request to the Vectra API endpoint corresponding to the specified entity type + and ID (e.g., `/api/v2.5/hosts/{id}/notes`). - * It does not process Google SecOps entities automatically; it requires a specific - ID to be passed as a parameter. + 4. **Result Processing:** It captures the API response, which contains the details + of the newly created note object, and outputs it to the action's data table and + JSON result for analyst review. capabilities: can_create_case_comments: false can_create_insight: false @@ -53,14 +83,14 @@ Add Note: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new note record associated with a specific entity (Host, Account, - or Detection) in the Vectra platform via a POST request. - fetches_data: true + Adds a new note to a specific entity (Account, Host, or Detection) in the Vectra + QUX platform. + fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -74,6 +104,7 @@ Add Note: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Add Outcome: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -87,56 +118,59 @@ Add Note: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Add Outcome: ai_description: >- - Adds a new assignment outcome to Vectra QUX. Outcomes are used to categorize the - results of assignments, such as when resolving a detection or entity assignment. - This action allows users to define custom outcome titles mapped to standard categories - like 'malicious_true_positive', 'benign_true_positive', or 'false_positive'. + Adds a new outcome (resolution category) to the Vectra AI platform. Outcomes are + used during the assignment resolution process to categorize detections or entities + (e.g., as a true positive or false positive). This action allows administrators + to dynamically expand the available resolution options within the Vectra environment. - ### Flow Description: + ### Flow Description - 1. **Parameter Extraction:** Retrieves the 'Title' and 'Category' from the action - input and API credentials from the integration configuration. + 1. **Parameter Extraction**: Retrieves the 'Title' and 'Category' from the action + input. - 2. **API Interaction:** Sends a POST request to the Vectra QUX `/assignment_outcomes` - endpoint with the provided title and category. + 2. **API Interaction**: Sends a POST request to the Vectra API (`/api/v2.5/assignment_outcomes`) + with the provided details. - 3. **Result Processing:** Captures the created outcome's ID and metadata from - the response. + 3. **Result Processing**: Captures the newly created outcome's metadata, including + its unique ID and system status. - 4. **Output Generation:** Populates a data table and JSON result with the new - outcome information for use in subsequent playbook steps. + 4. **Output Generation**: Populates a data table and JSON result with the outcome + details for the analyst. - ### Parameters Description: + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Title | String | Yes | The unique title for the new outcome. | + | Title | String | Yes | The unique name/title for the new outcome. | - | Category | DDL | Yes | The category classification. Expected values: `malicious_true_positive`, - `benign_true_positive`, or `false_positive`. | + | Category | DDL | Yes | The classification category for the outcome. Supported + values: `malicious_true_positive`, `benign_true_positive`, `false_positive`. | - ### Additional Notes: + ### Additional Notes - - This action does not process or require any entities from the SOAR case. + - This action does not run on entities; it is a management action that modifies + the configuration of the Vectra AI platform. capabilities: can_create_case_comments: false can_create_insight: false @@ -145,14 +179,14 @@ Add Outcome: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new assignment outcome record in the Vectra QUX platform via a POST - request. + Creates a new outcome resource (resolution category) in the Vectra AI platform + via a POST request. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -166,6 +200,7 @@ Add Outcome: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Add Tags: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -179,70 +214,70 @@ Add Outcome: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false - update_identity: false + update_identity: true update_ticket: false -Add Tags: ai_description: >- - ### General Description + Adds tags to specific entities (Accounts, Hosts, or Detections) in the Vectra + AI platform. This action allows users to provide a comma-separated list of tags + and a comma-separated list of entity IDs. It first retrieves the existing tags + for each entity to ensure no duplicates are created, then updates the entity with + the combined list of tags. The results, including the status of each update, are + presented in a data table. - Adds one or more tags to specific entities (Accounts, Hosts, or Detections) within - the Vectra platform. This action allows for bulk tagging by providing a comma-separated - list of Entity IDs. It ensures data integrity by first fetching existing tags - for each entity and merging them with the new tags to prevent duplicates before - performing a partial update (PATCH) on the external system. - - ### Parameters Description + ### Parameters - | Parameter | Description | Type | Mandatory | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Tags | A comma-separated list of tags to be added to the specified entities. - | String | Yes | + | Tags | string | True | List of the Tags which user wants to add to the account, + host or detection. | - | Entity IDs | A comma-separated list of internal Vectra IDs for the entities - to be updated. | String | Yes | + | Entity IDs | string | True | List of the Entity IDs in which user wants to add + Tags. | - | Entity Type | The category of the entities being tagged. Supported values are - 'Account', 'Host', and 'Detection'. | DDL | Yes | + | Entity Type | ddl | True | The type of the entity in which tags will be added. + Supported values: Account, Host, Detection. | ### Flow Description - 1. **Initialization**: The action initializes the Vectra manager using the provided - API Root and Token. - 2. **Input Processing**: It parses the `Tags` and `Entity IDs` parameters, splitting - them by commas and removing any duplicates or whitespace. + 1. **Parameter Extraction:** Retrieves the API configuration and action parameters, + including the tags to add, the target entity IDs, and the entity type (Account, + Host, or Detection). - 3. **Validation**: Validates that the provided `Entity IDs` are valid integers. + 2. **Tag Processing:** Splits the provided tags string into a unique list and + removes whitespace. - 4. **Tag Enrichment Loop**: For each Entity ID: - - It retrieves the current list of tags from the Vectra API. - - It merges the existing tags with the new tags provided in the input. - - It sends a PATCH request to Vectra to update the entity with the new combined - tag list. 5. **Result Compilation**: Tracks successes and failures for each ID. + 3. **Entity Processing:** Splits the provided entity IDs string into a unique + list of validated integers. - 6. **Output**: Generates a summary data table and a detailed JSON result showing - the status and final tag list for each processed entity. + 4. **Tag Retrieval:** For each entity ID, the action fetches the current tags + from Vectra AI via a GET request. + 5. **Tag Merging:** Combines the existing tags with the new tags, ensuring uniqueness. - ### Additional Notes + 6. **External Update:** Sends a PATCH request to Vectra AI to update the entity's + tags with the merged list. - This action does not run on SOAR entities automatically; it requires the user - to provide specific Vectra internal IDs as input parameters. + 7. **Result Compilation:** Tracks successes and failures for each ID, adding a + summary data table and JSON result to the action output. capabilities: can_create_case_comments: false can_create_insight: false @@ -251,14 +286,14 @@ Add Tags: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the metadata of entities (Accounts, Hosts, or Detections) in the Vectra - platform by adding new tags via a PATCH request. + Updates the tags associated with specific entities (Accounts, Hosts, or Detections) + in the Vectra AI platform using a PATCH request. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -272,6 +307,7 @@ Add Tags: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Assign Entity: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -285,66 +321,69 @@ Add Tags: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false - update_identity: true + update_identity: false update_ticket: false -Assign Entity: ai_description: >- - Assigns a specific entity (Host or Account) to a user within the Vectra QUX platform. - This action is primarily used to establish ownership or accountability for a detected - threat or asset during an investigation. It creates a formal assignment record - in Vectra, which can then be tracked or resolved. The action requires the internal - Vectra IDs for both the user and the entity. + ### General Description + Assigns a specific entity (either a Host or an Account) to a user within the Vectra + platform. This action is primarily used for workflow management, allowing analysts + to programmatically set ownership or responsibility for specific detected entities + to a particular user ID in Vectra. - ### Flow Description: - 1. **Parameter Extraction:** Retrieves the API configuration and action parameters, - including the User ID, Entity ID, and Entity Type (Host or Account). + ### Parameters Description - 2. **Validation:** Validates that the provided User ID and Entity ID are valid - integers. + | Parameter | Type | Mandatory | Description | - 3. **API Interaction:** Sends a POST request to the Vectra QUX `/api/v2.5/assignments` - endpoint to create the assignment. + | :--- | :--- | :--- | :--- | - 4. **Result Processing:** Parses the response into an Assignment object, adds - a summary data table to the case, and provides the raw JSON response for further - automation steps. + | Entity ID | string | Yes | The unique numeric identifier of the entity in Vectra + that you want to assign. | + | Entity Type | ddl | Yes | Specifies the type of the entity being assigned. Options + are 'Account' or 'Host'. | - ### Parameters Description: + | User ID | string | Yes | The unique numeric identifier of the Vectra user to + whom the entity will be assigned. | - | Parameter Name | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + ### Additional Notes - | Entity ID | String | Yes | The unique internal identifier of the entity in Vectra - QUX. | + - Both the **Entity ID** and **User ID** must be valid numeric strings, as the + action performs an integer validation check before proceeding. - | Entity Type | DDL | Yes | Specifies whether the entity is a 'Host' or an 'Account'. - | + - This action creates a new assignment record in Vectra via a POST request. - | User ID | String | Yes | The unique internal identifier of the Vectra user to - whom the entity will be assigned. | + ### Flow Description - ### Additional Notes: + 1. **Parameter Extraction**: The action retrieves the API configuration (Root, + Token, SSL) and the action parameters (User ID, Entity ID, Entity Type). - - This action does not run on SOAR entities automatically; it requires specific - ID values provided as input parameters. + 2. **Validation**: It validates that the provided `Entity ID` and `User ID` are + valid integers. - - The 'Entity Type' parameter is case-insensitive in the logic but provided as - a dropdown for ease of use. + 3. **API Interaction**: It initializes the VectraQUX manager and calls the `assign_entity` + method, which sends a POST request to the Vectra `/assignments` endpoint with + the user and entity details. + + 4. **Result Processing**: Upon success, it retrieves the assignment details (including + the new Assignment ID) and outputs them into a data table and a raw JSON result + for the SOAR platform. capabilities: can_create_case_comments: false can_create_insight: false @@ -353,14 +392,14 @@ Assign Entity: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new assignment record in the Vectra QUX platform, linking a specific - user to a host or account entity. + Creates a new assignment record in the Vectra platform, linking a specific host + or account entity to a user ID. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -374,6 +413,7 @@ Assign Entity: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Assign Group: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -387,69 +427,45 @@ Assign Entity: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: true update_ticket: false -Assign Group: - ai_description: >- - Assigns members to a specific group in Vectra QUX. This action allows users to - add multiple members to an existing group by providing the Group ID and a comma-separated - list of member identifiers. The action uses an 'append' logic, meaning existing - members are preserved while new ones are added. It validates the Group ID and - processes the member list before making a PATCH request to the Vectra API. After - the update, the action verifies which members were successfully assigned and provides - a detailed HTML summary of the group's current state. - - - ### Flow Description: - - 1. **Parameter Extraction:** Retrieves the Group ID and the list of members from - the action parameters. - - 2. **Validation:** Validates that the Group ID is a positive integer and splits - the members string into a list. - - 3. **API Interaction:** Calls the Vectra QUX API using a PATCH request to append - the specified members to the group. - - 4. **Verification:** Compares the requested members against the updated group - membership returned by the API to identify any failed assignments. - - 5. **Output Generation:** Renders an HTML table showing the group's properties - (ID, Name, Type, Description, and Members) and attaches the raw JSON response. - - - ### Parameters Description: - - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Group ID | string | True | The unique numerical identifier of the group in Vectra - QUX. | - - | Members | string | True | A comma-separated list of members to assign to the - group. The member identifiers (e.g., IP, hostname, account UID) must match the - group's defined type. | - - - ### Additional Notes: - - - The action will fail if the Group ID does not exist or if none of the provided - members are valid for the group's type. - - - If some members are successfully added while others fail (e.g., due to invalid - format or non-existence), the action will complete with a partial success message. + ai_description: "### General Description\nThe **Assign Group** action allows users\ + \ to add multiple members to a specific group within the Vectra platform. This\ + \ action is designed to manage group memberships by appending new identifiers\ + \ (such as Hosts, Accounts, IPs, or Domains) to an existing group identified by\ + \ its ID. It is particularly useful for organizing entities for policy enforcement\ + \ or investigative tracking.\n\n### Parameters Description\n| Parameter | Type\ + \ | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| **Group ID** |\ + \ String | Yes | The unique numeric identifier of the group in Vectra to which\ + \ members will be assigned. |\n| **Members** | String | Yes | A comma-separated\ + \ list of member identifiers (e.g., IP addresses, hostnames, or account UIDs)\ + \ to be added to the group. |\n\n### Flow Description\n1. **Parameter Extraction:**\ + \ The action retrieves the `Group ID` and the `Members` string from the input\ + \ parameters.\n2. **Validation:** The `Group ID` is validated to ensure it is\ + \ a valid positive integer. The `Members` string is processed into a unique list\ + \ of identifiers.\n3. **API Interaction:** The action calls the Vectra API using\ + \ a `PATCH` request to the group's endpoint. It uses the `membership_action=append`\ + \ parameter to ensure new members are added without removing existing ones.\n\ + 4. **Verification:** After the update, the action compares the requested members\ + \ against the actual membership list returned by the API to determine which members\ + \ were successfully assigned and which were not.\n5. **Output Generation:** \n\ + \ * If no members were assigned, the action returns a failure status.\n \ + \ * If some or all members were assigned, it generates an HTML table displaying\ + \ the updated group details (ID, Name, Type, Description, and Members) and provides\ + \ the full raw JSON response." capabilities: can_create_case_comments: false can_create_insight: false @@ -458,14 +474,14 @@ Assign Group: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates group membership in Vectra QUX by appending new members to the specified - group via a PATCH request. + Updates the membership list of a group in the Vectra platform by appending new + members via a PATCH request. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -479,6 +495,7 @@ Assign Group: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Describe Assignment: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -492,63 +509,53 @@ Assign Group: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false - update_identity: true + update_identity: false update_ticket: false -Describe Assignment: ai_description: >- ### General Description - The **Describe Assignment** action retrieves comprehensive details for a specific - assignment within the Vectra QUX platform using its unique ID. This action allows - analysts to programmatically fetch metadata about how a detection or entity has - been assigned, including the assigned user, the resolution outcome, and any associated - notes. It is an informational action used to track the lifecycle and ownership - of security tasks in Vectra QUX. + Retrieves detailed information about a specific assignment from the VectraQUX + platform. This action fetches the assignment details based on the provided Assignment + ID and presents the data in both JSON and table formats for analysis. ### Parameters Description + | Parameter | Type | Mandatory | Description | - | Parameter | Description | Type | Mandatory | Notes | - - | :--- | :--- | :--- | :--- | :--- | - - | Assignment ID | The unique identifier of the assignment to retrieve. | String - | Yes | Must be a valid numeric string representing a non-negative integer. | - + | :--- | :--- | :--- | :--- | - ### Additional Notes + | Assignment ID | string | Yes | The unique identifier of the assignment to retrieve. + | - - This action does not process SOAR entities (e.g., IP, Hostname) from the case - scope; it relies entirely on the provided `Assignment ID` parameter. - - If the assignment ID does not exist, the action will return a 'not found' error. + ### Flow Description + 1. Extract configuration parameters (API Root, API Token, Verify SSL). - ### Flow Description + 2. Extract the `Assignment ID` parameter. - 1. **Input Validation**: The action extracts the `Assignment ID` from the input - parameters and validates that it is a valid integer. + 3. Initialize the `VectraQUXManager` with the provided credentials. - 2. **API Request**: It initializes the `VectraQUXManager` and sends a GET request - to the assignments endpoint (`/api/v2.5/assignments/{assignment_id}`). + 4. Execute the `describe_assignment` method to fetch data from the VectraQUX API. - 3. **Data Parsing**: The manager parses the JSON response into an internal `Assignment` - data model, extracting fields such as `assigned_to`, `resolved_by`, and `outcome`. + 5. Add the raw JSON response to the action results. - 4. **Result Output**: The action attaches the full JSON response to the script - results and generates a formatted data table (CSV) containing a summary of the - assignment details for display in the SOAR interface. + 6. Construct and add a data table containing the assignment details to the action + results. capabilities: can_create_case_comments: false can_create_insight: false @@ -562,7 +569,7 @@ Describe Assignment: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -576,6 +583,7 @@ Describe Assignment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Describe Detection: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -589,45 +597,65 @@ Describe Assignment: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: true remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Describe Detection: - ai_description: "### General Description\nThe **Describe Detection** action retrieves\ - \ comprehensive details for a specific detection from the Vectra QUX platform\ - \ using its unique identifier. This action is designed to provide analysts with\ - \ the full context, current state, and metadata associated with a security event,\ - \ facilitating deep-dive investigations within the Google SecOps environment.\n\ - \n### Parameters Description\n\n| Parameter | Description | Type | Mandatory |\ - \ Default Value |\n| :--- | :--- | :--- | :--- | :--- |\n| Detection ID | The\ - \ unique identifier of the detection to be retrieved. The action validates that\ - \ this input is a valid non-negative integer. | String | Yes | 0 |\n\n### Flow\ - \ Description\n1. **Parameter Extraction:** The action retrieves the `Detection\ - \ ID` from the user input and the API configuration (Root, Token, and SSL verification)\ - \ from the integration settings.\n2. **Validation:** It performs a validation\ - \ check to ensure the `Detection ID` is a valid integer. If the ID is invalid\ - \ or negative, the action fails with an error message.\n3. **API Request:** The\ - \ action initializes the `VectraQUXManager` and executes a GET request to the\ - \ Vectra QUX API endpoint `/api/v2.5/detections/{detection_id}`.\n4. **Data Parsing:**\ - \ The raw JSON response from the API is parsed into a structured `Detection` object\ - \ using the `VectraQUXParser`.\n5. **Result Output:** \n - A data table titled\ - \ \"Describe Detection\" is created, containing key fields such as ID, Detection\ - \ Type, State, Category, and Source Entity information.\n - The full raw JSON\ - \ data of the detection is added to the action's result JSON for use in subsequent\ - \ playbook steps.\n\n### Additional Notes\n- **Error Handling:** The action explicitly\ - \ handles cases where the detection is not found (404 error), providing a user-friendly\ - \ message to verify the ID.\n- **Entity Interaction:** This action does not process\ - \ or filter existing entities in the case; it operates solely based on the provided\ - \ `Detection ID` parameter." + ai_description: >- + ### General Description + + The **Describe Detection** action retrieves detailed information for a specific + detection from the Vectra AI platform using its unique Detection ID. It provides + analysts with granular visibility into a threat, including its type, category, + current state, and the source entity (host or account) involved. + + + ### Parameters Description + + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Detection ID | String | Yes | The unique identifier of the detection to be described. + This value must be a valid integer. | + + + ### Additional Notes + + - This action does not process entities from the SOAR case; it operates solely + based on the provided `Detection ID` parameter. + + - The results are presented both as a formatted data table and as a raw JSON object + for further downstream processing. + + + ### Flow Description + + 1. **Input Validation**: The action first validates that the `Detection ID` provided + is a valid non-negative integer. + + 2. **API Interaction**: It initializes the VectraQUX manager and performs a GET + request to the `/detections/{detection_id}` endpoint. + + 3. **Data Parsing**: The raw API response is transformed into a structured Detection + object, which includes cleaning up internal API versioning from URLs. + + 4. **Result Generation**: + - A data table titled "Describe Detection" is created containing key fields: + ID, Detection Type, State, Category, Source Entity ID, and Source Entity Name. + - The full raw JSON payload is added to the action results. capabilities: can_create_case_comments: false can_create_insight: false @@ -639,9 +667,9 @@ Describe Detection: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: true + enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -655,6 +683,7 @@ Describe Detection: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Describe Entity: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -665,42 +694,45 @@ Describe Detection: disable_identity: false download_file: false enable_identity: false - enrich_asset: false + enrich_asset: true enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: true search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Describe Entity: - ai_description: >- - Retrieves detailed information for a specific Host or Account entity from Vectra - QUX using its unique identifier. This action allows analysts to perform a targeted - lookup of asset metadata, including threat scores, severity, state, and associated - detection summaries. The retrieved data is presented as a structured data table - and a raw JSON object for further analysis.\n\n### Parameters Description\n\n| - Parameter | Description | Type | Mandatory |\n| :--- | :--- | :--- | :--- |\n| - Entity ID | The unique numerical identifier for the Account or Host to be described. - | String | Yes |\n| Entity Type | Specifies the category of the entity to retrieve. - Must be either 'Account' or 'Host'. | DDL | Yes |\n\n### Flow Description\n\n1. - **Parameter Extraction**: Retrieves the API configuration and the specific Entity - ID and Entity Type from the action input.\n2. **Validation**: Validates that the - provided Entity ID is a valid non-negative integer.\n3. **API Interaction**: Connects - to the Vectra QUX API and requests the full details for the specified entity type - and ID.\n4. **Data Processing**: Parses the API response into a standardized entity - model.\n5. **Output Generation**: Populates a CSV-formatted data table with key - entity attributes and attaches the complete raw JSON response to the action results.\n\n### - Additional Notes\n\n* This action performs a direct lookup by ID and does not - automatically iterate over entities present in the current alert context unless - explicitly mapped in a playbook step. + ai_description: "Retrieves comprehensive details for a specific entity (Host or\ + \ Account) from Vectra QUX using its unique identifier. This action is used to\ + \ gather deep contextual metadata about an asset, including its state, threat\ + \ scores, severity, and associated detection summaries. The retrieved information\ + \ is presented as both a structured data table and a raw JSON object for further\ + \ analysis.\n\n### Flow Description:\n1. **Parameter Extraction:** The action\ + \ retrieves the API configuration (Root, Token, SSL) and the specific action parameters:\ + \ `Entity ID` and `Entity Type`.\n2. **Validation:** Validates that the provided\ + \ `Entity ID` is a proper integer.\n3. **API Interaction:** Connects to the Vectra\ + \ QUX manager to perform a GET request against the specific entity endpoint (either\ + \ `/hosts/{id}` or `/accounts/{id}`).\n4. **Data Processing:** Parses the API\ + \ response into an internal Entity model.\n5. **Output Generation:** Converts\ + \ the entity data into a flat CSV-style table for the SOAR interface and attaches\ + \ the full raw JSON response to the action results.\n\n### Parameters Description:\n\ + | Parameter Name | Type | Mandatory | Description |\n| :--- | :--- | :--- | :---\ + \ |\n| Entity ID | String | Yes | The unique numerical identifier for the Account\ + \ or Host in Vectra QUX. |\n| Entity Type | DDL | Yes | Specifies the category\ + \ of the entity. Must be either 'Account' or 'Host'. |\n\n### Additional Notes:\n\ + - This action does not run on SOAR entities automatically; it requires a specific\ + \ ID provided as an input parameter. \n- If the entity is not found, the action\ + \ will return a failure status with a descriptive error message." capabilities: can_create_case_comments: false can_create_insight: false @@ -712,9 +744,9 @@ Describe Entity: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -728,6 +760,7 @@ Describe Entity: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Download PCAP: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -736,39 +769,77 @@ Describe Entity: create_ticket: false delete_email: false disable_identity: false - download_file: false + download_file: true enable_identity: false - enrich_asset: true + enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Download PCAP: ai_description: >- + ### General Description + Downloads a PCAP (Packet Capture) file associated with a specific detection ID from Vectra QUX. This action is used to retrieve network traffic data for forensic - analysis and investigation of security detections. Flow Description: 1. Parameter - Extraction: Retrieves the Detection ID from the action input. 2. Validation: Validates - that the provided Detection ID is a valid integer. 3. API Request: Sends a GET - request to the Vectra QUX API endpoint for PCAP downloads using the provided ID. - 4. File Retrieval: Receives the binary content of the PCAP file and extracts the - filename from the response headers. 5. Attachment: Encodes the file content and - adds it as an attachment to the action result in Google SecOps. Parameters Description: - Detection ID (String, Mandatory): The unique identifier of the detection in Vectra - QUX for which the PCAP file should be downloaded. Although passed as a string, - it must represent a valid integer. Additional Notes: This action does not run - on entities; it requires a specific Detection ID as input. Downloaded files are - attached to the action result for analyst review. + analysis and deep packet inspection related to a security event identified by + Vectra. + + + ### Parameters Description + + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Detection ID | String | Yes | The unique identifier of the detection in Vectra + QUX for which the PCAP file should be retrieved. This value must be a valid integer. + | + + + ### Additional Notes + + - The action validates that the provided `Detection ID` is a valid integer before + attempting the download. + + - The retrieved file is attached directly to the action result in base64 format, + making it available for download within the Google SecOps platform. + + - If the file is not found or the ID is invalid, the action will fail with a descriptive + error message. + + + ### Flow Description + + 1. **Parameter Extraction**: Retrieves the API configuration (Root, Token, SSL) + and the `Detection ID` from the action input. + + 2. **Validation**: Validates that the `Detection ID` is a valid non-negative integer. + + 3. **API Request**: Connects to the Vectra QUX API and sends a GET request to + the PCAP download endpoint for the specified detection. + + 4. **File Processing**: Receives the binary file content and extracts the filename + from the response headers. + + 5. **Attachment**: Encodes the file content to base64 and attaches it to the Siemplify + action result. + + 6. **Completion**: Ends the action, providing a success message with the filename + or an error message if the process fails. capabilities: can_create_case_comments: false can_create_insight: false @@ -782,7 +853,7 @@ Download PCAP: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -796,6 +867,7 @@ Download PCAP: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +List Assignments: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -804,58 +876,87 @@ Download PCAP: create_ticket: false delete_email: false disable_identity: false - download_file: true + download_file: false enable_identity: false enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -List Assignments: - ai_description: "The 'List Assignments' action retrieves a list of assignments from\ - \ the Vectra QUX platform based on user-defined filtering criteria. It allows\ - \ analysts to query assignments associated with specific accounts, hosts, assignees,\ - \ or resolution outcomes. The action supports filtering by resolution status (resolved\ - \ or unresolved) and creation time. The results are presented both as a structured\ - \ data table for quick review and a raw JSON object for downstream automation\ - \ logic.\n\n### Parameters Description\n\n| Parameter | Type | Mandatory | Description\ - \ |\n| :--- | :--- | :--- | :--- |\n| Accounts IDs | String | No | A comma-separated\ - \ list of account IDs to filter the assignments. |\n| Hosts IDs | String | No\ - \ | A comma-separated list of host IDs to filter the assignments. |\n| Assignees\ - \ IDs | String | No | A comma-separated list of assignee (user) IDs to filter\ - \ the assignments. |\n| Resolution IDs | String | No | A comma-separated list\ - \ of outcome/resolution IDs to filter the assignments. |\n| Resolved | DDL | No\ - \ | Filters assignments by their resolution status. Options: 'None' (no filter),\ - \ 'True' (only resolved), 'False' (only unresolved). |\n| Created After | String\ - \ | No | Filters assignments created after a specific timestamp. Supports relative\ - \ formats (e.g., '2 days') or absolute ISO 8601 timestamps. |\n| Limit | String\ - \ | No | Specifies the maximum number of assignment records to retrieve. Defaults\ - \ to the system limit if not provided. |\n\n### Additional Notes\n- This action\ - \ does not require entities to be present in the current scope; it operates entirely\ - \ based on the provided input parameters.\n- All ID-based parameters (Accounts,\ - \ Hosts, Assignees, Resolutions) are validated to ensure they are integers.\n\n\ - ### Flow Description\n1. **Parameter Extraction:** The action retrieves the API\ - \ configuration (Root, Token, SSL) and the user-provided filter parameters.\n\ - 2. **Validation:** It validates the 'Limit' parameter and converts comma-separated\ - \ ID strings into lists of integers.\n3. **Query Construction:** A query mapping\ - \ is built using the provided filters (e.g., `resolved`, `created_after`, `hosts`,\ - \ `accounts`).\n4. **API Interaction:** The action calls the Vectra QUX API's\ - \ assignment endpoint using a paginated GET request to fetch the records up to\ - \ the specified limit.\n5. **Data Processing:** The retrieved assignment objects\ - \ are parsed and formatted.\n6. **Output Generation:** \n - A data table named\ - \ 'Assignment Details' is created containing key fields like Assignment ID, Assigned\ - \ User, and Entity Type.\n - The full raw response is attached as a JSON result\ - \ for further processing." + ai_description: >- + Lists all assignments from Vectra QUX based on provided query parameters. This + action allows analysts to filter assignments by associated accounts, hosts, assignees, + resolution status, and creation time. The results are presented in a structured + data table and as a raw JSON object for further processing. + + + ### Flow Description + + 1. **Parameter Extraction:** The action retrieves configuration details (API Root, + Token) and user-provided filters (IDs, resolution status, time range, and limit). + + 2. **Validation:** It validates the 'Limit' parameter to ensure it is a valid + integer and processes comma-separated ID strings into lists. + + 3. **Query Construction:** It maps all filters into a query parameter dictionary + compatible with the Vectra API. + + 4. **Data Retrieval:** It calls the Vectra API to fetch assignments, handling + pagination automatically to respect the specified limit. + + 5. **Output Generation:** If assignments are found, it populates a data table + with key details (IDs, users, outcomes) and attaches the full JSON response to + the action results. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Accounts IDs | String | No | Comma-separated account IDs to filter the assignments. + | + + | Hosts IDs | String | No | Comma-separated host IDs to filter the assignments. + | + + | Assignees IDs | String | No | Comma-separated assignee IDs to filter the assignments. + | + + | Resolution IDs | String | No | Comma-separated outcome/resolution IDs to filter + the assignments. | + + | Resolved | DDL | No | Filter by resolution status. Options: None, True, False. + | + + | Created After | String | No | Filter assignments created after a specific timestamp + (e.g., '2 days', 'yyyy-mm-dd'). | + + | Limit | String | No | The maximum number of assignment records to retrieve. + | + + + ### Additional Notes + + - If no assignments match the criteria, the action completes successfully with + a 'No assignments found' message. + + - The 'Limit' parameter defaults to a system maximum if not specified or set to + 0. capabilities: can_create_case_comments: false can_create_insight: false @@ -867,9 +968,9 @@ List Assignments: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: true + enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -883,6 +984,7 @@ List Assignments: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +List Entity Detections: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -893,74 +995,84 @@ List Assignments: disable_identity: false download_file: false enable_identity: false - enrich_asset: false + enrich_asset: true enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: true send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -List Entity Detections: ai_description: >- - Retrieves a list of detections associated with a specific entity ID (Host or Account) - from the Vectra QUX platform. This action allows analysts to query historical - or active security detections for a known entity identifier, providing visibility - into the threat activity linked to that specific asset. It supports filtering - by the state of the detection (Active, Inactive, or Fixed) and allows for limiting - the number of returned records. + Retrieves a list of detections associated with a specific entity (either a Host + or an Account) from the Vectra QUX platform. This action allows analysts to query + historical and active security events related to a specific asset by providing + its unique identifier. It supports filtering by the detection state and limiting + the number of results returned, providing essential context for incident investigation. - ### Flow Description + ### Parameters Description - 1. **Parameter Extraction:** The action retrieves the API configuration and action - parameters, including the `Entity ID`, `Entity Type`, `Limit`, and `State`. - 2. **Validation:** It validates that the `Entity ID` and `Limit` are valid integer - values. + | Parameter | Type | Mandatory | Description | - 3. **API Interaction:** The action uses the `VectraQUXManager` to perform a GET - request to the Vectra search detections endpoint, using a query string that filters - by the source entity's ID and the specified detection state. + | :--- | :--- | :--- | :--- | - 4. **Data Processing:** The retrieved detections are parsed into structured objects. - If detections are found, they are converted into a JSON result and a CSV-formatted - data table. + | Entity ID | String | Yes | The unique identifier for the Account or Host within + the Vectra platform. | - 5. **Output:** The action completes by providing a summary message and attaching - the detection data to the case for analyst review. + | Entity Type | DDL | Yes | Specifies the category of the entity. Options are + 'Account' or 'Host'. | + | Limit | String | No | The maximum number of detection records to retrieve from + the API. | - ### Parameters Description + | State | DDL | Yes | Filters detections based on their current status. Options + include 'Active', 'Inactive', or 'Fixed'. | - | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + ### Additional Notes - | Entity ID | String | Yes | The unique identifier for the Account or Host within - the Vectra platform. | - | Entity Type | DDL | Yes | Specifies whether the provided ID refers to an 'Account' - or a 'Host'. | + - The action constructs a specific query string for the Vectra search API based + on the provided entity type (e.g., `detection.src_host.id` for Hosts or `detection.src_linked_account.id` + for Accounts). - | Limit | String | No | The maximum number of detection records to fetch. If not - provided, the system default is used. | + - Results are returned as a raw JSON object and also formatted into a data table + for immediate visibility in the SOAR case wall. - | State | DDL | Yes | Filters detections based on their current status: 'Active', - 'Inactive', or 'Fixed'. | + ### Flow Description - ### Additional Notes - - This action does not automatically iterate over entities in the current Google - SecOps case; it requires a specific `Entity ID` to be provided as an input parameter. + 1. **Initialization**: The action extracts the API configuration (Root, Token, + SSL) and the user-provided parameters (Entity ID, Type, Limit, State). + + 2. **Validation**: It validates that the 'Entity ID' and 'Limit' inputs are valid + integers to ensure API compatibility. + + 3. **API Request**: It initializes the VectraQUXManager and calls the `list_entity_detections` + method, which targets the `/api/v2.5/search/detections` endpoint. + + 4. **Query Execution**: The manager builds a query string combining the entity + identifier and the requested state (e.g., `detection.src_host.id:123 AND detection.state:"active"`). + + 5. **Pagination**: The action handles API pagination to fetch all relevant records + up to the specified limit. + + 6. **Output**: The retrieved detections are parsed into data models and added + to the action results as both a JSON object and a structured data table containing + IDs, categories, and timestamps. capabilities: can_create_case_comments: false can_create_insight: false @@ -972,9 +1084,9 @@ List Entity Detections: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -988,6 +1100,7 @@ List Entity Detections: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +List Groups: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1001,117 +1114,72 @@ List Entity Detections: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: true search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -List Groups: - ai_description: >- - ### General Description - - The **List Groups** action retrieves a list of groups from the Vectra QUX platform - based on a variety of user-defined query parameters. It allows analysts to search - for specific groups by host names, account names, domains, IP addresses, importance - levels, and modification metadata. This action is primarily used for auditing - group memberships or identifying specific group configurations within the Vectra - environment. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Host Names | String | No | A comma-separated list of host names to filter the - groups. | - - | Account Names | String | No | A comma-separated list of account names to filter - the groups. | - - | Domains | String | No | A comma-separated list of domains to filter the groups. - | - - | Host Ids | String | No | A comma-separated list of host IDs to filter the groups. - | - - | Importance | DDL | No | Filters groups by their importance level (e.g., low, - medium, high, never_prioritize). | - - | IPs | String | No | A comma-separated list of IP addresses to filter the groups. - | - - | Last Modified Timestamp GTE | String | No | Filters groups modified on or after - this specific timestamp. | - - | Last Modified By | String | No | Filters groups based on the username of the - person who last modified them. | - - | Name | String | No | Filters groups by their specific name. | - - | Type | DDL | No | Filters groups by their type (e.g., host, account, ip, domain). - | - - | Limit | String | No | Specifies the maximum number of records to fetch from - the API. | - - | Description | String | No | Performs a case-insensitive match against the group's - description field. | - - - ### Additional Notes - - - This action does not process Google SecOps entities automatically; it relies - entirely on the provided input parameters. - - - If no parameters are provided, the action will attempt to list all groups up - to the specified limit. - - - The 'Limit' parameter defaults to a system-defined maximum if not specified. - - - ### Flow Description - - 1. **Parameter Extraction**: The action retrieves the integration configuration - (API Root, Token) and all optional search filters provided by the user. - - 2. **Input Sanitization**: Comma-separated strings for hosts, accounts, domains, - and IPs are split into lists and stripped of whitespace. - - 3. **Validation**: The 'Limit' parameter is validated to ensure it is a positive - integer. - - 4. **API Request**: The action initializes the VectraQUX manager and performs - a paginated GET request to the `/groups` endpoint, applying the filters as query - parameters. - - 5. **Data Parsing**: The raw JSON response is parsed into structured Group objects. - - 6. **Output Generation**: If groups are found, the action populates a data table - named 'List Of Groups' in the SOAR case and attaches the full JSON result for - further analysis. + ai_description: "### General Description\nLists groups from Vectra QUX based on\ + \ various query parameters. This action allows analysts to search for and retrieve\ + \ metadata about host, account, IP, or domain groups defined within the Vectra\ + \ platform. It supports filtering by group name, type, importance, members (IPs,\ + \ hostnames, etc.), and modification history. The results are presented as a data\ + \ table for quick review and a full JSON object for further automation.\n\n###\ + \ Parameters Description\n| Parameter | Type | Mandatory | Description |\n| :---\ + \ | :--- | :--- | :--- |\n| Host Names | string | No | Comma-separated list of\ + \ host names to filter groups by. |\n| Account Names | string | No | Comma-separated\ + \ list of account names to filter groups by. |\n| Domains | string | No | Comma-separated\ + \ list of domains to filter groups by. |\n| Host Ids | string | No | Comma-separated\ + \ list of host IDs to filter groups by. |\n| Importance | ddl | No | Filter groups\ + \ by importance level (low, medium, high, never_prioritize). |\n| IPs | string\ + \ | No | Comma-separated list of IP addresses to filter groups by. |\n| Last Modified\ + \ Timestamp GTE | string | No | Filter groups modified on or after this timestamp.\ + \ |\n| Last Modified By | string | No | Filter groups modified by a specific username.\ + \ |\n| Name | string | No | Filter by the specific name of the group. |\n| Type\ + \ | ddl | No | Filter by group type (host, account, ip, domain). |\n| Limit |\ + \ string | No | Maximum number of group records to fetch. |\n| Description | string\ + \ | No | Case-insensitive match for the group description. |\n\n### Additional\ + \ Notes\n- If no parameters are provided, the action will attempt to list all\ + \ groups up to the specified limit.\n- The 'Limit' parameter defaults to a system\ + \ maximum if not specified or set to 0.\n\n### Flow Description\n1. **Parameter\ + \ Extraction:** The action retrieves configuration details (API Root, Token) and\ + \ all optional filter parameters from the user input.\n2. **Validation:** Validates\ + \ the 'Limit' parameter to ensure it is a valid integer.\n3. **API Request:**\ + \ Initializes the VectraQUXManager and calls the `get_group_list` method, which\ + \ performs a GET request to the `/api/v2.5/groups` endpoint with the specified\ + \ query parameters.\n4. **Pagination:** If the number of results exceeds the page\ + \ size, the action automatically paginates through the Vectra API to collect the\ + \ requested number of records.\n5. **Output Generation:** \n - If groups are\ + \ found, it constructs a data table named 'List Of Groups' containing the ID,\ + \ Name, Type, and Description of each group.\n - The full raw JSON response\ + \ is attached to the action results.\n - A summary message indicates the number\ + \ of groups successfully retrieved." capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: false + can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: null + internal_data_mutation_explanation: >- + Adds a data table 'List Of Groups' to the case wall containing details of the + retrieved groups. categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1125,6 +1193,7 @@ List Groups: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +List Outcomes: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1138,64 +1207,58 @@ List Groups: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -List Outcomes: ai_description: >- - ### General Description + Lists all assignment outcomes from Vectra QUX. This action retrieves a list of + possible outcomes that can be used when resolving assignments within the Vectra + platform. It provides details such as the outcome ID, title, category, and whether + it is a built-in or user-selectable option. - The **List Outcomes** action retrieves a comprehensive list of all assignment - outcomes configured in the Vectra QUX platform. This utility action is primarily - used to discover valid outcome titles and IDs, which are required for subsequent - workflow steps such as resolving assignments or triaging detections. It provides - visibility into both built-in and user-defined outcomes. + ### Flow Description - ### Parameters Description + 1. **Parameter Initialization**: Retrieves the API Root, Token, and SSL verification + settings from the integration configuration, and the 'Limit' parameter from the + action input. - | Parameter | Type | Mandatory | Description | + 2. **Validation**: Validates that the 'Limit' parameter is a valid non-negative + integer. If the limit is set to 0, the action will fail. - | :--- | :--- | :--- | :--- | + 3. **API Interaction**: Connects to the Vectra QUX API and fetches the list of + assignment outcomes, applying pagination if necessary based on the specified limit. - | Limit | String | No | Specifies the maximum number of outcome records to return. - If not provided, the action will use the default system limit. The value must - be a valid non-negative integer string. | + 4. **Output Generation**: Formats the retrieved outcomes into a data table named + 'Outcome Details' and provides the full raw data in JSON format. - ### Flow Description + ### Parameters Description - 1. **Parameter Initialization**: The action retrieves the integration configuration - (API Root, Token, SSL settings) and the optional `Limit` parameter. + | Parameter | Type | Mandatory | Description | - 2. **Validation**: The `Limit` parameter is validated to ensure it is a valid - integer greater than or equal to zero. + | :--- | :--- | :--- | :--- | - 3. **Data Retrieval**: The action performs a paginated GET request to the Vectra - QUX `/assignment_outcomes` endpoint using the `VectraQUXManager`. + | Limit | string | No | Specifies the maximum number of outcome records to retrieve. + If not provided, the system default limit is used. | - 4. **Output Generation**: - * If outcomes are found, a data table named "Outcome Details" is created, - containing fields like Outcome ID, Title, Category, and whether it is Built-In - or User Selectable. - * The full raw response is attached as a JSON result for further processing - in the playbook. - * If no outcomes are found, a success message is returned indicating no - data was retrieved. ### Additional Notes - * This action does not operate on specific entities (IPs, Hosts, etc.) but rather - fetches global configuration data from the Vectra QUX environment. + - This action does not operate on specific entities and returns a global list + of outcomes available in the Vectra QUX instance. capabilities: can_create_case_comments: false can_create_insight: false @@ -1209,7 +1272,7 @@ List Outcomes: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1223,6 +1286,7 @@ List Outcomes: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +List Users: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1236,82 +1300,51 @@ List Outcomes: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -List Users: - ai_description: >- - The **List Users** action retrieves a list of user accounts from the Vectra QUX - platform based on specified filtering criteria. It allows analysts to search for - users by their role, account type, authentication profile, or username, and can - filter based on the last login timestamp. This action is primarily used for administrative - auditing, identifying specific user accounts, or verifying user permissions within - the Vectra environment. - - - ### Parameters Description - - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Role | String | No | Filter users by their assigned role in Vectra (e.g., 'admin', - 'readonly'). | - - | Authentication Profile | String | No | Filter users by their authentication - profile name. | - - | Last Login GTE | String | No | Filter users whose last login timestamp is greater - than or equal to this value. | - - | User Name | String | No | Filter by a specific username. | - - | Account Type | String | No | Filter by the type of account (e.g., 'local', 'ldap'). - | - - | Limit | String | No | The maximum number of user records to retrieve. Defaults - to the system limit if not specified. | - - - ### Flow Description - - - 1. **Parameter Extraction:** The action retrieves the API configuration (Root, - Token) and the optional filter parameters provided by the user. - - 2. **Validation:** It validates the `Limit` parameter to ensure it is a valid - non-negative integer. - - 3. **API Request:** It initializes the VectraQUX manager and performs a GET request - to the `/users` endpoint, applying the provided filters (Role, Username, etc.) - as query parameters. - - 4. **Pagination:** The action handles pagination automatically to retrieve results - up to the specified limit. - - 5. **Output Generation:** - * If users are found, it constructs a CSV-formatted data table containing - key user details: ID, Username, Role, Account Type, and Last Login. - * It attaches the full raw JSON response to the action results for further - processing. - * If no users match the criteria, it returns a message stating that no users - were found. - - ### Additional Notes - - - * There are no mandatory action parameters; if none are provided, the action will - return a list of all users up to the default or specified limit. + ai_description: "### General Description\nRetrieves a list of users from Vectra\ + \ QUX based on specified query parameters. This action allows analysts to search\ + \ for and audit user accounts within the Vectra platform by filtering for specific\ + \ roles, authentication profiles, login activity, and account types. It is primarily\ + \ used for administrative oversight and identifying user context during investigations.\n\ + \n### Parameters Description\n| Parameter | Type | Mandatory | Description |\n\ + | :--- | :--- | :--- | :--- |\n| Role | String | No | Filters the results to users\ + \ assigned a specific role in Vectra QUX. |\n| Authentication Profile | String\ + \ | No | Filters users based on their associated authentication profile. |\n|\ + \ Last Login GTE | String | No | Filters for users whose last login timestamp\ + \ is greater than or equal to the provided value. |\n| User Name | String | No\ + \ | Filters for a specific username. |\n| Account Type | String | No | Filters\ + \ users by their account type (e.g., local, LDAP). |\n| Limit | String | No |\ + \ Specifies the maximum number of user records to retrieve. Defaults to the system\ + \ limit if not provided. |\n\n### Flow Description\n1. **Initialization**: The\ + \ action initializes the Vectra QUX manager using the provided API Root and Token.\n\ + 2. **Parameter Validation**: The 'Limit' parameter is validated to ensure it is\ + \ a valid non-negative integer.\n3. **Data Retrieval**: The action performs a\ + \ GET request to the Vectra QUX users endpoint, applying the provided filters\ + \ (Role, Username, etc.) as query parameters.\n4. **Pagination**: If a limit is\ + \ specified, the action handles pagination to retrieve the requested number of\ + \ records.\n5. **Output Generation**: \n - If users are found, it constructs\ + \ a data table named 'List Of Users' containing key details (ID, Username, Role,\ + \ Account Type, Last Login).\n - It also attaches the full raw JSON response\ + \ to the action results.\n6. **Completion**: The action concludes with a success\ + \ message indicating the number of users retrieved or a message stating no users\ + \ were found.\n\n### Additional Notes\n- If no parameters are provided, the action\ + \ will attempt to list all users up to the specified or default limit.\n- The\ + \ 'Last Login GTE' parameter expects a timestamp format compatible with the Vectra\ + \ API." capabilities: can_create_case_comments: false can_create_insight: false @@ -1325,7 +1358,7 @@ List Users: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1339,6 +1372,7 @@ List Users: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Mark Detection Fixed: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1352,26 +1386,27 @@ List Users: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Mark Detection Fixed: ai_description: >- ### General Description - Marks specific detections as fixed in the Vectra platform. This action is used - to programmatically update the status of security detections, indicating that - the identified threats or activities have been addressed or resolved by an analyst. - It allows for bulk updates by providing a list of detection identifiers. + Marks specific detections in Vectra AI as fixed. This action allows analysts to + update the state of one or more detections in the Vectra platform directly from + Google SecOps, facilitating the remediation workflow. ### Parameters Description @@ -1380,36 +1415,32 @@ Mark Detection Fixed: | :--- | :--- | :--- | :--- | - | Detection IDs | string | Yes | A comma-separated list of numeric IDs representing - the detections in Vectra that should be marked as fixed. Each ID must be a valid - integer. | + | Detection IDs | String | Yes | A comma-separated list of numeric identifiers + for the detections that should be marked as fixed in Vectra. | - ### Flow Description - - 1. **Parameter Extraction**: The action retrieves the `Detection IDs` string from - the input parameters. + ### Additional Notes - 2. **Validation**: The comma-separated string is split into individual IDs. Each - ID is stripped of whitespace and validated to ensure it is a valid integer. + - This action does not run on entities; it requires explicit IDs provided as a + parameter. - 3. **API Interaction**: The action uses the `VectraQUXManager` to send a `PATCH` - request to the Vectra detections endpoint (`/api/v2.5/detections`). + - The action validates that the provided IDs are integers before sending the request. - 4. **State Mutation**: The request payload specifies the list of detection IDs - and sets the `mark_as_fixed` attribute to `True`. - 5. **Result Handling**: The raw JSON response from the Vectra API is added to - the action results, and the action completes with a success message if the update - was accepted. + ### Flow Description + 1. **Parameter Extraction**: Retrieves the 'Detection IDs' from the action input + and configuration details (API Root, Token) from the integration settings. - ### Additional Notes + 2. **Validation**: Parses the comma-separated string of IDs and validates that + each ID is a valid integer using the `validate_integer` utility. - - This action does not run on SecOps entities; it relies entirely on the IDs provided - in the `Detection IDs` parameter. + 3. **API Interaction**: Initializes the `VectraQUXManager` and calls the `mark_detection_as_fixed` + method, which sends a PATCH request to the Vectra AI detections endpoint with + the payload `mark_as_fixed: True`. - - If any provided ID is not a valid integer, the action will fail with an `InvalidIntegerException`. + 4. **Result Processing**: Adds the raw JSON response from the API to the action + results and completes the execution with a success message. capabilities: can_create_case_comments: false can_create_insight: false @@ -1418,14 +1449,14 @@ Mark Detection Fixed: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the status of specific detections in the external Vectra platform to - 'fixed' via a PATCH request to the detections API endpoint. + Updates the status of specific detections in Vectra AI to 'fixed' by sending + a PATCH request to the detections endpoint. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1439,6 +1470,7 @@ Mark Detection Fixed: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Mark Entity Fixed: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1452,61 +1484,40 @@ Mark Detection Fixed: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Mark Entity Fixed: ai_description: >- - ### General Description - - The **Mark Entity Fixed** action transitions the state of all security detections - associated with a specific entity (Host or Account) to 'Fixed' within the Vectra - QUX platform. This action is used to programmatically resolve detections in Vectra - after an investigation is complete. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **Entity ID** | string | Yes | The unique numerical identifier of the entity - in Vectra QUX. | - - | **Entity Type** | ddl | Yes | The type of entity, can be either 'Account' or - 'Host'. | - - - ### Flow Description - - 1. **Input Validation**: Validates that the provided Entity ID is a valid integer. - - 2. **Entity Retrieval**: Fetches the entity's details from Vectra QUX to identify - all associated detection IDs. - - 3. **Status Update**: Sends a PATCH request to the Vectra QUX API to mark all - identified detections as 'fixed'. - - 4. **Result Reporting**: Returns the API response confirming the update. - - - ### Additional Notes - - - This action does not run on SOAR entities; it requires a manual Entity ID and - Type. - - - If no detections are found for the entity, the action completes with a success - message but no changes are made. + ### General Description\nMarks all detections associated with a specific entity + (Host or Account) as 'fixed' in the Vectra platform. This action is useful for + bulk-remediating or closing out detections once an entity has been investigated + and the issues resolved.\n\n### Parameters Description\n| Parameter | Type | Mandatory + | Description |\n| :--- | :--- | :--- | :--- |\n| Entity ID | String | Yes | The + unique identifier of the entity in Vectra. This value is validated as an integer. + |\n| Entity Type | DDL | Yes | The type of the entity. Can be either 'Account' + or 'Host'. |\n\n### Additional Notes\n- The action first retrieves the entity + details to identify all associated detection IDs before attempting to mark them + as fixed.\n- If no detections are found for the entity, the action completes successfully + with a message indicating no detections were found.\n- The Entity ID must be a + valid integer.\n\n### Flow Description\n1. **Parameter Extraction**: Retrieves + the API configuration and action parameters (Entity ID and Entity Type).\n2. **Validation**: + Validates that the provided Entity ID is a valid integer.\n3. **Entity Lookup**: + Calls the Vectra API to describe the entity and extract the list of associated + detection IDs.\n4. **Remediation**: If detections exist, sends a PATCH request + to Vectra to mark all identified detections as fixed.\n5. **Result Reporting**: + Adds the API response to the action results and provides a summary message. capabilities: can_create_case_comments: false can_create_insight: false @@ -1515,14 +1526,14 @@ Mark Entity Fixed: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Marks all detections associated with the specified entity as 'fixed' in the - Vectra QUX platform via a PATCH request. + Updates the status of detections associated with the specified entity to 'fixed' + in the Vectra platform via a PATCH request. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1536,6 +1547,7 @@ Mark Entity Fixed: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1549,41 +1561,45 @@ Mark Entity Fixed: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: - ai_description: "The Ping action is a diagnostic utility designed to verify the\ - \ connectivity between the Google SecOps (Chronicle) environment and the Vectra\ - \ platform. It ensures that the integration's configuration parameters, such as\ - \ the API Root and API Token, are correct and that the network path is open.\n\ - \n### Parameters Description\n\n| Parameter Name | Type | Mandatory | Description\ - \ |\n| :--- | :--- | :--- | :--- |\n| API Root | String | Yes | The base URL of\ - \ the Vectra API instance (e.g., https://vectra-brain.example.com). |\n| API Token\ - \ | String | Yes | The authentication token used to authorize requests to the\ - \ Vectra API. |\n| Verify SSL | Boolean | Yes | Determines whether the action\ - \ should verify the SSL certificate of the Vectra server. Default is True. |\n\ - \n### Flow Description\n\n1. **Initialization**: The action initializes the Siemplify\ - \ context and logs the start of the connectivity test.\n2. **Configuration Extraction**:\ - \ It retrieves the integration's global configuration parameters, including the\ - \ API Root, API Token, and SSL verification setting.\n3. **Manager Setup**: An\ - \ instance of the `VectraQUXManager` is created using the extracted credentials.\n\ - 4. **Connectivity Test**: The manager executes the `test_connectivity` method,\ - \ which performs a simple `GET` request to the Vectra `/api/v2.5/hosts` endpoint\ - \ to confirm the API is responsive and the token is valid.\n5. **Result Handling**:\ - \ \n * If the request succeeds, the action returns a success message and\ - \ a boolean `True` result.\n * If the request fails (e.g., due to network\ - \ issues, invalid credentials, or SSL errors), an exception is caught, an error\ - \ message is logged, and the action returns `False` with a failure status." + ai_description: "### General Description\nThe **Ping** action is a utility designed\ + \ to verify the connectivity between the Google SecOps (Chronicle) server and\ + \ the Vectra platform. It ensures that the provided configuration parameters,\ + \ such as the API Root and API Token, are correct and that the network path is\ + \ open.\n\n### Parameters Description\n| Parameter Name | Description | Type |\ + \ Mandatory | Notes |\n| :--- | :--- | :--- | :--- | :--- |\n| API Root | The\ + \ base URL of the Vectra platform API. | String | Yes | Configured at the integration\ + \ level. |\n| API Token | The authentication token used to authorize requests\ + \ to the Vectra API. | String | Yes | Configured at the integration level. |\n\ + | Verify SSL | Specifies whether to verify the SSL certificate of the Vectra server.\ + \ | Boolean | Yes | Default is True. |\n\n### Additional Notes\n- This action\ + \ does not process any entities.\n- It is primarily used for troubleshooting and\ + \ initial setup verification.\n- According to standard classification, Ping actions\ + \ are not considered enrichment actions.\n\n### Flow Description\n1. **Initialization**:\ + \ The action initializes the Siemplify SDK and retrieves the integration configuration\ + \ parameters (API Root, API Token, and Verify SSL).\n2. **Manager Setup**: It\ + \ instantiates the `VectraQUXManager` using the retrieved configuration.\n3. **Connectivity\ + \ Test**: The manager executes the `test_connectivity` method, which performs\ + \ a simple `GET` request to the Vectra hosts endpoint (`/api/v2.5/hosts`).\n4.\ + \ **Result Handling**: \n - If the request is successful, the action returns\ + \ a success message and a boolean result of `True`.\n - If an exception occurs\ + \ (e.g., authentication failure, timeout, or invalid URL), the action catches\ + \ the error, logs the details, and returns a failure message with a boolean result\ + \ of `False`." capabilities: can_create_case_comments: false can_create_insight: false @@ -1597,7 +1613,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1611,6 +1627,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Remove Assignment: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1624,60 +1641,67 @@ Ping: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Remove Assignment: ai_description: >- - Removes the analyst assignment for a specific entity (Account or Host) within - the Vectra AI platform. This action is used to clear the ownership or investigation - status of an entity by deleting its current assignment record. It first verifies - the existence of an assignment for the provided Entity ID before attempting the - deletion. + ### General Description + Removes the assignment for a specific entity (Account or Host) in Vectra QUX. + This action is used to clear analyst assignments from entities in the Vectra platform, + allowing them to be returned to an unassigned state or reassigned. It first verifies + the existence of an assignment for the specified entity before attempting the + deletion. - ### Parameters Description + ### Parameters - | Parameter | Type | Mandatory | Description | + | Parameter | Description | Type | Mandatory | | :--- | :--- | :--- | :--- | - | Entity ID | String | Yes | The unique numerical identifier of the entity in - Vectra AI whose assignment should be removed. | + | Entity ID | The unique identifier of the entity in Vectra QUX whose assignment + should be removed. | String | Yes | - | Entity Type | DDL | Yes | The category of the entity. Must be either 'Account' - or 'Host'. | + | Entity Type | The category of the entity. Supported values are 'Account' and + 'Host'. | DDL | Yes | - ### Flow Description + ### Flow + 1. **Validation**: Validates that the provided `Entity ID` is a valid integer. - 1. **Parameter Extraction:** The action retrieves the 'Entity ID' and 'Entity - Type' from the input parameters. + 2. **Entity Lookup**: Retrieves the current details of the entity from Vectra + QUX using the `Entity ID` and `Entity Type` to check for active assignments. - 2. **Validation:** Validates that the 'Entity ID' is a valid integer. + 3. **Assignment Identification**: Checks the entity's metadata for an existing + `assignment` object and extracts its `id`. - 3. **Entity Lookup:** Calls the Vectra API to describe the entity and check if - it currently has an active assignment. + 4. **Removal**: If an assignment is found, the action sends a DELETE request to + the Vectra QUX API to remove the specific assignment. - 4. **Assignment Identification:** If an assignment is found, the action extracts - the specific 'Assignment ID'. + 5. **Completion**: Returns a success message if the assignment was successfully + deleted. If the entity had no assignment, the action fails with a descriptive + message. - 5. **Deletion:** Executes a DELETE request to the Vectra assignments endpoint - using the identified 'Assignment ID'. - 6. **Outcome Reporting:** Returns a success message if the assignment is deleted, - or a failure message if the entity had no assignment or the ID was not found. + ### Additional Notes + + This action performs a state change in the external Vectra QUX system by deleting + an assignment record. It does not modify entities or alerts within the Google + SecOps platform directly. capabilities: can_create_case_comments: false can_create_insight: false @@ -1686,14 +1710,14 @@ Remove Assignment: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - The action performs a DELETE request to the Vectra AI API to remove an assignment - record associated with a specific entity. + Deletes an assignment record in Vectra QUX associated with a specific Host or + Account entity via a DELETE request to the assignments endpoint. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1707,6 +1731,7 @@ Remove Assignment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Remove Group: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1720,25 +1745,27 @@ Remove Assignment: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false - update_identity: false + update_identity: true update_ticket: false -Remove Group: ai_description: >- - Removes specific members from a Vectra QUX group based on a provided Group ID. - This action interacts with the Vectra QUX API to modify group membership by removing - a comma-separated list of members (which can be IPs, hostnames, account UIDs, - or domains depending on the group's type). It provides a detailed HTML summary - of the group's state after the removal operation and returns the raw JSON response. + Removes members from a specified group in Vectra QUX. This action allows analysts + to manage group memberships by providing a Group ID and a comma-separated list + of members to be removed. It validates the input, performs the removal via the + Vectra API, and provides a detailed summary of which members were successfully + removed and which were not found or could not be removed. ### Parameters @@ -1747,34 +1774,32 @@ Remove Group: | :--- | :--- | :--- | :--- | - | Group ID | String | Yes | The unique integer identifier of the Vectra group - from which members will be removed. | + | Group ID | String | Yes | The unique integer ID of the Vectra group from which + members will be removed. | - | Members | String | Yes | A comma-separated list of member identifiers to be - removed from the group. | + | Members | String | Yes | A comma-separated list of members to remove. The format + of the members (e.g., IP, Hostname, Account UID) depends on the group's type. + | ### Flow Description - 1. **Validation**: The action validates that the provided `Group ID` is a valid - non-zero integer. + 1. **Validation**: Validates that the provided Group ID is a valid positive integer. - 2. **Member Processing**: The `Members` string is parsed into a unique list of - identifiers. + 2. **Member Processing**: Parses the comma-separated string of members into a + unique list. - 3. **Pre-check**: The action fetches the current membership list of the group - to verify existence and current state. + 3. **Pre-check**: Retrieves the current group members from Vectra QUX to establish + a baseline. - 4. **API Interaction**: A PATCH request is sent to the Vectra QUX API with the - `membership_action` set to `remove` for the specified members. + 4. **Removal**: Sends a PATCH request to the Vectra QUX API with the `membership_action="remove"` + parameter to update the group. - 5. **Result Analysis**: The action compares the requested removal list against - the updated group membership to determine which members were successfully removed - and which were not found or could not be removed. + 5. **Verification**: Compares the updated group membership list against the initial + list and the requested members to determine which removals were successful. - 6. **Output Generation**: An HTML table is rendered showing the updated group - properties and membership, and the full JSON response is attached to the action - results. + 6. **Output**: Renders an HTML table showing the updated group properties and + members, and provides the full group object in JSON format. capabilities: can_create_case_comments: false can_create_insight: false @@ -1783,14 +1808,14 @@ Remove Group: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Removes specified members from a group configuration within the Vectra QUX platform - via a PATCH request. + Removes specified members from a group in Vectra QUX using a PATCH request to + the groups endpoint. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1804,6 +1829,7 @@ Remove Group: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Remove Note: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1817,27 +1843,28 @@ Remove Group: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false - update_identity: true + update_identity: false update_ticket: false -Remove Note: ai_description: >- ### General Description - The **Remove Note** action allows users to delete a specific note associated with - an entity in the Vectra platform. This action supports three types of entities: - Accounts, Hosts, and Detections. It is primarily used for managing and cleaning - up documentation or analyst notes within the Vectra environment directly from - Google SecOps. + Removes a specific note from a designated entity within the Vectra QUX platform. + This action allows analysts to manage and clean up annotations associated with + Accounts, Hosts, or Detections by providing the specific Note ID and the parent + Entity ID. ### Parameters Description @@ -1846,43 +1873,38 @@ Remove Note: | :--- | :--- | :--- | :--- | - | **Entity ID** | String | Yes | The unique identifier of the entity (Account, - Host, or Detection) from which the note should be removed. | - - | **Note ID** | String | Yes | The unique identifier of the specific note to be - deleted. | - - | **Entity Type** | DDL | Yes | The type of entity the note is attached to. Supported - values are: `Account`, `Host`, and `Detection`. | + | Entity ID | String | Yes | The unique identifier of the entity (Account, Host, + or Detection) from which the note should be removed. | + | Note ID | String | Yes | The unique identifier of the specific note to be deleted. + | - ### Flow Description + | Entity Type | DDL | Yes | The category of the entity. Supported values: `Account`, + `Host`, `Detection`. | - 1. **Initialization**: The action initializes the Vectra manager using the provided - API Root and Token. - 2. **Parameter Extraction**: It extracts the `Entity ID`, `Note ID`, and `Entity - Type` from the action parameters. + ### Additional Notes - 3. **Validation**: The action validates that both the `Entity ID` and `Note ID` - are valid integer values before proceeding. + This action performs a permanent deletion of the note in the external Vectra QUX + system. The action validates that the provided IDs are integers before attempting + the API call. - 4. **API Execution**: It calls the Vectra API using a `DELETE` request to the - specific endpoint constructed from the entity type and IDs. - 5. **Completion**: Upon a successful response from the API, the action returns - a success message confirming the deletion of the note. If the note or entity does - not exist, or if the user lacks permissions, it handles the exception and reports - the failure. + ### Flow Description + 1. **Parameter Extraction:** The action retrieves the `Entity ID`, `Note ID`, + and `Entity Type` from the input parameters. - ### Additional Notes + 2. **Validation:** It validates that both the `Entity ID` and `Note ID` are valid + integer values using an internal utility. - - This action performs a permanent state change in the external Vectra system - by deleting data. + 3. **API Interaction:** The action initializes the VectraQUXManager and sends + a `DELETE` request to the Vectra QUX API endpoint corresponding to the specified + entity type and IDs. - - The action does not process entities from the Google SecOps case context; it - relies entirely on the provided input parameters. + 4. **Result Handling:** Upon a successful deletion, the action returns a success + message. If the note or entity is not found, or if permissions are insufficient, + it catches the specific exception and reports the failure. capabilities: can_create_case_comments: false can_create_insight: false @@ -1891,14 +1913,14 @@ Remove Note: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - The action performs a DELETE request to the Vectra API to permanently remove - a note record associated with a specific entity. + Deletes a specific note record associated with an entity (Host, Account, or + Detection) in the Vectra QUX platform. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1912,6 +1934,7 @@ Remove Note: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Remove Tags: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1925,66 +1948,78 @@ Remove Note: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false - update_identity: false + update_identity: true update_ticket: false -Remove Tags: ai_description: >- - Removes specific tags from a Vectra QUX entity, such as an Account, Host, or Detection, - based on a provided Entity ID. The action first retrieves the current tags associated - with the entity, identifies which of the user-specified tags are present, and - then submits an update to the Vectra QUX API to remove them. + ### General Description + Removes specific tags from a Vectra entity (Account, Host, or Detection) based + on a provided Entity ID. This action allows analysts to manage metadata within + the Vectra platform by programmatically stripping unwanted or outdated labels + from assets or detections. - ### Parameters Description + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Tags | string | Yes | A comma-separated list of tags to be removed from the - entity. | + | Tags | String | Yes | A comma-separated list of tags to be removed from the + specified entity. | - | Entity ID | string | Yes | The unique identifier of the entity in Vectra QUX. - | + | Entity ID | String | Yes | The unique identifier of the entity in Vectra from + which tags will be removed. | - | Entity Type | ddl | Yes | The type of entity to target. Options are 'Account', - 'Host', or 'Detection'. | + | Entity Type | DDL | Yes | The category of the entity. Supported values are: + `Account`, `Host`, and `Detection`. | - ### Flow Description + ### Additional Notes + + - The action first retrieves the current tags for the entity. If the entity is + not found or none of the specified tags exist on the entity, the action will fail. + + - The `Entity ID` must be a valid integer. + + - The action uses a `PATCH` request to update the tag list on the external Vectra + system. - 1. **Parameter Extraction:** The action retrieves the API configuration and the - user-provided parameters: Tags, Entity ID, and Entity Type. + ### Flow Description + + 1. **Parameter Initialization**: Extracts the API configuration and action parameters + (`Tags`, `Entity ID`, `Entity Type`). - 2. **Tag Processing:** The input string of tags is split into a list, and whitespace - is trimmed. + 2. **Tag Processing**: Splits the input `Tags` string into a unique list of stripped + tag names. - 3. **Data Retrieval:** The action calls the Vectra QUX API to fetch the current - tags for the specified entity. + 3. **Entity Validation**: Validates that the `Entity ID` is a proper integer. - 4. **Validation:** It checks if the entity exists. If not, an error is raised. + 4. **Data Retrieval**: Fetches the current list of tags associated with the entity + from Vectra. - 5. **Tag Comparison:** The action compares the user-provided tags with the existing - tags. It identifies which tags can be successfully removed and which do not exist - on the entity. + 5. **Tag Comparison**: Iterates through the requested tags to remove. It identifies + which tags currently exist on the entity and prepares a new list excluding them. - 6. **Update Execution:** If at least one tag is found for removal, the action - sends a PATCH request to Vectra QUX with the updated (reduced) tag list. + 6. **External Mutation**: Sends a `PATCH` request to Vectra with the updated (reduced) + tag list. - 7. **Result Reporting:** The action outputs a summary of the operation, including - a JSON result and a data table showing the updated status of the entity's tags. + 7. **Result Reporting**: Outputs a JSON result and a data table summarizing the + update status and the final list of tags remaining on the entity. capabilities: can_create_case_comments: false can_create_insight: false @@ -1993,14 +2028,14 @@ Remove Tags: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - The action modifies the state of an entity in Vectra QUX by updating its tag - list via a PATCH request to the tagging API endpoint. + Removes specified tags from an entity (Account, Host, or Detection) in the Vectra + platform by sending a PATCH request with the updated tag list. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2014,6 +2049,7 @@ Remove Tags: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Resolve Assignment: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -2027,81 +2063,45 @@ Remove Tags: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false - update_alert: true + update_alert: false update_email: false - update_identity: true + update_identity: false update_ticket: false -Resolve Assignment: - ai_description: >- - Resolves a specific assignment in Vectra QUX using a provided assignment ID and - outcome ID. This action allows analysts to close out tasks by specifying whether - the activity was benign, malicious, or a false positive. It also supports adding - notes, applying triage rules, and associating specific detection IDs with the - resolution. The action performs a state change in the Vectra QUX platform and - returns the updated assignment details. - - - ### Parameters Description - - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Assignment ID | String | Yes | The unique identifier of the assignment to be - resolved. Must be a valid integer. | - - | Outcome ID | String | Yes | The ID representing the resolution outcome. Common - values: 1 (Benign True Positive), 2 (Malicious True Positive), 3 (False Positive). - Custom outcomes are also supported. | - - | Note Title | String | No | An optional note or comment to be attached to the - assignment resolution. | - - | Triage As | String | No | An optional triage rule to apply when resolving the - assignment. | - - | Detection IDs | String | No | A comma-separated list of integer detection IDs - to associate with this resolution. **Note:** This parameter is mandatory if 'Triage - As' is provided. | - - - ### Additional Notes - - - The action validates that 'Assignment ID' and 'Outcome ID' are valid integers. - - - If 'Triage As' is configured, at least one 'Detection ID' must be provided, - or the action will fail. - - - The 'Triage As' parameter must be at least 4 characters long and cannot contain - special characters like `!@#$%^&*()`. - - - ### Flow Description - - 1. **Parameter Extraction:** The action retrieves the Assignment ID, Outcome ID, - and optional parameters (Note, Triage, Detections) from the input. - - 2. **Validation:** It validates that the IDs are integers and checks the conditional - requirement between 'Triage As' and 'Detection IDs'. - - 3. **API Interaction:** It sends a PUT request to the Vectra QUX API endpoint - `/assignments/{assignment_id}/resolve` with the resolution payload. - - 4. **Data Processing:** The response from Vectra is parsed into an Assignment - object. - - 5. **Output Generation:** The action provides a JSON result of the API response - and creates a data table named 'Resolved Assignment' containing the key details - of the resolved task. + ai_description: "Resolves an assignment in VectraQUX based on a specific assignment\ + \ ID and outcome ID. This action is used to finalize the status of a security\ + \ assignment by providing a resolution outcome (e.g., Benign True Positive, Malicious\ + \ True Positive, or False Positive), optional triage rules, and notes. It performs\ + \ a state change in the VectraQUX platform.\n\n### Flow Description\n1. **Parameter\ + \ Validation**: Validates that the `Assignment ID` and `Outcome ID` are valid\ + \ integers. If `Detection IDs` are provided, they are also validated as integers.\ + \ \n2. **Triage Logic**: If a `Triage As` rule is specified, the action ensures\ + \ that at least one `Detection ID` is also provided, as required by the Vectra\ + \ API logic.\n3. **API Interaction**: Sends a PUT request to the VectraQUX `/assignments/{assignment_id}/resolve`\ + \ endpoint with the resolution details.\n4. **Result Processing**: Retrieves the\ + \ updated assignment object and outputs it as a JSON result and a formatted data\ + \ table in the SOAR case.\n\n### Parameters Description\n| Parameter Name | Type\ + \ | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Outcome ID | String\ + \ | Yes | The ID representing the resolution outcome. Common values: 1 (Benign\ + \ True Positive), 2 (Malicious True Positive), 3 (False Positive). Custom IDs\ + \ are also supported. |\n| Assignment ID | String | Yes | The unique integer identifier\ + \ of the assignment to be resolved. |\n| Note Title | String | No | An optional\ + \ note or title to be attached to the resolution record in VectraQUX. |\n| Triage\ + \ As | String | No | An optional triage rule name to apply during resolution.\ + \ |\n| Detection IDs | String | No | A comma-separated list of integer detection\ + \ IDs to associate with this resolution. |\n\n### Additional Notes\n* **Dependency**:\ + \ If the `Triage As` parameter is used, at least one `Detection ID` must be provided;\ + \ otherwise, the action will fail with a validation error." capabilities: can_create_case_comments: false can_create_insight: false @@ -2110,14 +2110,14 @@ Resolve Assignment: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the status of an assignment in the Vectra QUX platform to 'Resolved' - and applies outcomes, notes, and triage rules. + Updates the status of an assignment in the VectraQUX platform to 'Resolved' + and applies the specified outcome, notes, and triage metadata. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2131,6 +2131,7 @@ Resolve Assignment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Search Accounts: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -2144,28 +2145,34 @@ Resolve Assignment: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: true search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false - update_ticket: true -Search Accounts: + update_ticket: false ai_description: >- + Searches for and retrieves account details from the Vectra QUX platform based + on a wide range of filtering criteria. This action allows analysts to query the + Vectra API to find specific accounts, evaluate their threat and certainty scores, + and review their detection history. + + ### General Description - This action searches for and retrieves account information from Vectra QUX based - on a wide range of user-defined query parameters. It is primarily used for threat - hunting and investigation to identify accounts that meet specific criteria such - as high threat scores, specific privilege levels, or recent detection activity. - The action returns detailed JSON data for each account and provides a summary - data table within the Google SecOps case. + The action performs a paginated search against the Vectra QUX `/accounts` endpoint. + It supports complex filtering including account state, score thresholds, timestamps, + and tags. The results are returned as a comprehensive JSON object and summarized + in a data table within the Google SecOps case for quick review. ### Parameters Description @@ -2174,78 +2181,74 @@ Search Accounts: | :--- | :--- | :--- | :--- | - | Order | DDL | No | Determines the sort direction of the results. Options: 'Ascending' - or 'Descending'. | + | Order | ddl | No | Determines if the results should be returned in 'Ascending' + or 'Descending' order. | - | Limit | String | No | The maximum number of account records to retrieve. | + | Limit | string | No | The maximum number of account records to retrieve. | - | Order By | DDL | No | The field used to sort the results. Options: 't_score' - (Threat Score), 'c_score' (Certainty Score), 'last_detection_timestamp', or 'id'. - | + | Order By | ddl | No | The field used to sort the results (e.g., threat score, + certainty score, timestamp, or ID). | - | Fields | Multi-choice | No | A selection of specific account attributes to include - in the response (e.g., id, name, state, threat, certainty). | + | Fields | multi_choice | No | A list of specific account attributes to include + in the response (e.g., name, state, tags, privilege_level). | - | Name | String | No | Filters accounts by their name. | + | Name | string | No | Filter accounts by a specific name. | - | State | DDL | No | Filters accounts based on their current state. Options: 'Active' - or 'Inactive'. | + | State | ddl | No | Filter accounts by their current state ('Active' or 'Inactive'). + | - | Threat GTE | String | No | Filters for accounts with a threat score greater - than or equal to this value. | + | Threat GTE | string | No | Filter for accounts with a threat score Greater Than + or Equal to this value. | - | Certainty GTE | String | No | Filters for accounts with a certainty score greater - than or equal to this value. | + | Certainty GTE | string | No | Filter for accounts with a certainty score Greater + Than or Equal to this value. | - | Last Detection Timestamp GTE | String | No | Filters for accounts with a last - detection timestamp greater than or equal to this ISO-formatted date. | + | Last Detection Timestamp GTE | string | No | Filter for accounts with a last + detection timestamp Greater Than or Equal to this date. | - | Last Detection Timestamp LTE | String | No | Filters for accounts with a last - detection timestamp less than or equal to this ISO-formatted date. | + | Last Detection Timestamp LTE | string | No | Filter for accounts with a last + detection timestamp Less Than or Equal to this date. | - | Tags | String | No | Filters accounts based on a comma-separated list of tags. - | + | Tags | string | No | Filter accounts by specific tags (comma-separated). | - | Note Modified Timestamp GTE | String | No | Filters for accounts where notes + | Note Modified Timestamp GTE | string | No | Filter for accounts where notes were modified after this timestamp. | - | Privilege Level | String | No | Filters accounts by a specific numeric privilege + | Privilege Level | string | No | Filter accounts by their assigned privilege level. | - | Privilege Category | DDL | No | Filters accounts by privilege category. Options: - 'Low', 'Medium', or 'High'. | + | Privilege Category | ddl | No | Filter accounts by privilege category ('Low', + 'Medium', 'High'). | ### Additional Notes - - The action performs pagination automatically to fetch the number of records - specified in the 'Limit' parameter. + - If 'Order' is set to 'Descending' and an 'Order By' field is selected, the action + automatically prefixes the sort field with a minus sign for the API call. - - If 'Descending' is selected in the 'Order' parameter, the action prepends a - '-' to the 'Order By' field in the API request. + - The action performs internal validation on integer-based parameters like 'Limit', + 'Threat GTE', and 'Certainty GTE' to ensure they are valid non-negative values. - - The action cleans up API versioning strings (e.g., /api/v2.5) from returned - URLs for better readability. + - API version strings are automatically stripped from returned URLs to provide + cleaner data links. ### Flow Description - 1. **Initialization:** The action extracts the integration configuration (API - Root, Token) and all user-provided search parameters. + 1. **Parameter Extraction:** The action retrieves configuration settings (API + Root, Token) and all user-provided search filters. - 2. **Validation:** It validates numeric inputs such as 'Limit', 'Threat GTE', - 'Certainty GTE', and 'Privilege Level' to ensure they are valid integers. + 2. **Validation:** It validates that numerical inputs (Limit, Scores) are correctly + formatted integers. - 3. **API Query:** The action constructs a GET request to the Vectra QUX `/accounts` - endpoint, applying the filters, sorting, and field selections provided by the - user. + 3. **API Request:** It constructs a GET request with the specified query parameters + and executes a paginated search via the `VectraQUXManager`. - 4. **Data Processing:** Upon receiving the results, the action iterates through - the accounts, cleaning up URL fields and extracting mandatory fields (ID, Name, - Threat, Certainty, State, Timestamp, Severity) for the summary table. + 4. **Data Processing:** The action iterates through the retrieved account objects, + cleaning up URL fields and extracting mandatory fields for display. - 5. **Output:** The action populates the JSON result with the full account data - and adds a 'List Of Accounts' data table to the case wall. + 5. **Output Generation:** It populates a data table named 'List Of Accounts' and + attaches the full raw JSON results to the action output. capabilities: can_create_case_comments: false can_create_insight: false @@ -2259,7 +2262,7 @@ Search Accounts: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2273,6 +2276,7 @@ Search Accounts: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Search Detections: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -2286,52 +2290,34 @@ Search Accounts: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: true send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Search Detections: ai_description: >- - Searches for and retrieves detections from the Vectra QUX platform based on a - wide range of filtering criteria. This action allows analysts to query security - detections using parameters such as source IP, host ID, threat and certainty scores, - detection types, and categories. It supports pagination through a limit parameter - and allows for custom ordering and field selection. The retrieved detections are - presented in a structured data table and a full JSON result for further analysis. - - - ### Flow Description: - - 1. **Parameter Extraction:** The action begins by extracting configuration details - (API Root, Token) and all 15 optional search parameters from the environment and - action input. - - 2. **Validation:** It validates numeric inputs such as 'Limit', 'Threat GTE', - and 'Certainty GTE' to ensure they are valid integers. - - 3. **API Interaction:** The action initializes the VectraQUXManager and performs - a GET request to the detections endpoint, applying the specified filters as query - parameters. - - 4. **Data Processing:** If detections are found, the action iterates through the - results to normalize URLs (removing API version prefixes) and extracts a subset - of mandatory fields (ID, type, category, timestamps, state) for the summary table. + ### General Description - 5. **Output Generation:** The processed data is added to the action's execution - results as a JSON object and a formatted data table titled 'List Of Detections'. + The **Search Detections** action allows users to query and retrieve a list of + detections from the Vectra QUX platform based on a wide array of filtering criteria. + It is primarily used for threat hunting, investigation, and reporting by fetching + detailed metadata about security events, such as detection types, categories, + threat scores, and associated host or IP information. - ### Parameters Description: + ### Parameters Description - | Parameter | Type | Mandatory | Description | + | Parameter Name | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | @@ -2356,51 +2342,71 @@ Search Detections: | Order By | DDL | No | The field used to sort results (e.g., last_timestamp, t_score, c_score). | - | Fields | Multi-Choice | No | Specifies which data fields to include in the response - (e.g., src_ip, state, threat). | + | Fields | Multi-Choice | No | A list of specific fields to include in the response + (e.g., id, category, src_ip). | | State | DDL | No | Filters detections by their current state: 'Active', 'Inactive', or 'Fixed'. | | Detection Type | String | No | Filters by the specific type of detection (e.g., - 'Hidden HTTP Tunnel'). | + 'Suspicious HTTP Service'). | - | Detection Category | DDL | No | Filters by detection category (e.g., 'Command - and Control', 'Exfiltration'). | + | Detection Category | DDL | No | Filters by the broad category (e.g., 'Lateral + Movement', 'Exfiltration'). | | Src IP | String | No | Filters detections originating from a specific source IP address. | | Threat GTE | String | No | Filters detections with a threat score greater than - or equal to the provided value. | + or equal to this value. | | Certainty GTE | String | No | Filters detections with a certainty score greater - than or equal to the provided value. | + than or equal to this value. | + + + ### Additional Notes + - If the **Order** is set to 'Descending' and an **Order By** field is selected, + the action automatically prefixes the field with a minus sign for the API request. - ### Additional Notes: + - The action cleans up URLs in the returned data by removing API versioning prefixes + (e.g., `/api/v2.5`) to provide cleaner links for analysts. - - If no detections match the criteria, the action completes successfully with - an informative message. - - The 'Fields' parameter is processed as a JSON-encoded list of strings. + ### Flow Description + + 1. **Parameter Extraction**: The action retrieves configuration settings (API + Root, Token) and all user-provided filter parameters. + + 2. **Validation**: It validates numeric inputs like 'Limit', 'Threat GTE', and + 'Certainty GTE' to ensure they are valid integers. + + 3. **API Request**: The action calls the Vectra QUX API's detections endpoint + using a GET request, applying the constructed query parameters and pagination + logic. - - The 'Order' parameter works in conjunction with 'Order By'; selecting 'Descending' - prepends a minus sign to the sort field in the API request. + 4. **Data Processing**: If detections are found, the action iterates through the + results to normalize URLs and extract key fields for display. + + 5. **Output Generation**: The full raw data is attached as a JSON result, and + a summary table titled 'List Of Detections' is added to the case wall for quick + review. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: false + can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: null + internal_data_mutation_explanation: >- + The action adds a data table named 'List Of Detections' to the case wall containing + summary information of the retrieved detections. categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2414,6 +2420,7 @@ Search Detections: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Search Hosts: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -2427,26 +2434,30 @@ Search Detections: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: true search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Search Hosts: ai_description: >- - Searches for and lists hosts in Vectra QUX based on a wide range of query parameters. - This action allows analysts to filter hosts by name, state, threat and certainty - scores, tags, privilege levels, and activity timestamps. It retrieves detailed - host metadata, cleans up API versioning from URLs in the response, and presents - the results in both a raw JSON format and a structured data table within the SOAR - case. + ### General Description + + Searches for and retrieves host details from Vectra QUX based on a wide variety + of filtering criteria. This action allows security analysts to perform discovery + and asset management by querying the Vectra platform for hosts that match specific + security postures, such as high threat scores, specific tags, or active network + traffic. The results provide comprehensive metadata for each host, including IP + addresses, severity levels, and detection summaries. ### Parameters Description @@ -2456,88 +2467,84 @@ Search Hosts: | :--- | :--- | :--- | :--- | - | Limit | string | No | The maximum number of host records to fetch. Must be greater - than 0. | + | Limit | String | No | The maximum number of host records to return. Defaults + to the system limit if not specified. | - | Tags | string | No | Filter hosts based on specific tags. | + | Tags | String | No | Filter hosts based on specific tags assigned in Vectra. + | - | Last Source | string | No | Filter hosts based on their last reported source. + | Last Source | String | No | Filter hosts based on the last source identifier. | - | Order | ddl | No | Specifies the sort order: 'Ascending' or 'Descending'. | + | Order | DDL | No | Specifies whether to sort results in 'Ascending' or 'Descending' + order. | - | Fields | multi_choice_parameter | No | A list of specific fields to include - in the response (e.g., id, name, ip, threat). | + | Fields | Multi-select | No | A list of specific host fields to include in the + response (e.g., id, name, ip, threat). | - | Name | string | No | Filter hosts by their name. | + | Name | String | No | Filter hosts by their display name. | - | State | ddl | No | Filter hosts by their current state: 'Active' or 'Inactive'. + | State | DDL | No | Filter hosts by their current state: 'Active' or 'Inactive'. | - | Threat GTE | string | No | Filter hosts with a threat score greater than or - equal to the provided value. | + | Threat GTE | String | No | Filter for hosts with a threat score greater than + or equal to this value. | - | Certainty GTE | string | No | Filter hosts with a certainty score greater than - or equal to the provided value. | + | Certainty GTE | String | No | Filter for hosts with a certainty score greater + than or equal to this value. | - | Last Detection Timestamp GTE | string | No | Filter hosts with a last detection - timestamp greater than or equal to the provided value. | + | Last Detection Timestamp GTE | String | No | Filter for hosts with a last detection + timestamp greater than or equal to this value. | - | Last Detection Timestamp LTE | string | No | Filter hosts with a last detection - timestamp less than or equal to the provided value. | + | Last Detection Timestamp LTE | String | No | Filter for hosts with a last detection + timestamp less than or equal to this value. | - | Is Targeting Key Asset | ddl | No | Filter hosts based on whether they are - targeting key assets ('True' or 'False'). | + | Is Targeting Key Asset | DDL | No | Filter hosts based on whether they are targeting + key assets (True/False). | - | Privilege Level GTE | string | No | Filter hosts with a privilege level greater - than or equal to the provided value. | + | Privilege Level GTE | String | No | Filter for hosts with a privilege level + greater than or equal to this value. | - | Privilege Category | ddl | No | Filter hosts by privilege category: 'Low', 'Medium', + | Privilege Category | DDL | No | Filter by privilege category: 'Low', 'Medium', or 'High'. | - | Active Traffic | ddl | No | Filter hosts that have shown active traffic within - the last two hours ('True' or 'False'). | + | Active Traffic | DDL | No | Filter for hosts that have shown active traffic + within the last two hours (True/False). | - | Order By | ddl | No | The field to sort the results by (e.g., t_score, c_score, + | Order By | DDL | No | The field used to sort the results (e.g., t_score, c_score, last_detection_timestamp). | - | Note Modified Timestamp GTE | string | No | Filter hosts based on when their + | Note Modified Timestamp GTE | String | No | Filter based on when the host's notes were last modified. | ### Additional Notes + - This action is read-only and does not modify any data within Vectra QUX. - - The `Limit` parameter must be a positive integer string; if set to "0", the - action will fail. + - If no hosts match the provided criteria, the action will complete successfully + with a message indicating no results were found. - - Parameters like `Threat GTE`, `Certainty GTE`, and `Privilege Level GTE` are - validated as integers. - - - Categorical parameters such as `State`, `Privilege Category`, and `Active Traffic` - are processed in lowercase. - - - If `Order` is set to 'Descending', the `Order By` field is prefixed with a minus - sign for the API request. + - Timestamps should be provided in a format recognized by the Vectra API (typically + ISO 8601). ### Flow Description + 1. **Initialization:** Extracts the API configuration (Root URL, Token) and all + user-provided search filters. - 1. **Parameter Initialization:** Extracts configuration settings (API Root, Token) - and all 17 action parameters. - - 2. **Validation:** Validates that `Limit` is greater than 0 and ensures integer-based - parameters are correctly formatted. + 2. **Validation:** Validates numerical parameters such as 'Limit', 'Threat GTE', + and 'Certainty GTE' to ensure they are valid integers. - 3. **API Query:** Constructs a GET request to the Vectra QUX hosts endpoint, applying - all provided filters and pagination logic. + 3. **API Query:** Constructs a paginated GET request to the Vectra QUX `/hosts` + endpoint, applying the filters as query parameters. - 4. **Data Processing:** Iterates through the retrieved hosts, removing API version - strings from internal URLs and extracting mandatory fields for display. + 4. **Data Sanitization:** Processes the retrieved host list to clean up internal + API versioning strings from URLs and detection sets for better readability. - 5. **Output Generation:** Adds the full host details as a JSON result and creates - a formatted data table titled 'List Of Hosts' in the SOAR interface. + 5. **Output:** Returns the full host details as a JSON object and generates a + summary data table containing key attributes like ID, Name, IP, and Threat Score. capabilities: can_create_case_comments: false can_create_insight: false @@ -2551,7 +2558,7 @@ Search Hosts: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2565,6 +2572,7 @@ Search Hosts: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Unmark Detection Fixed: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -2578,61 +2586,66 @@ Search Hosts: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Unmark Detection Fixed: ai_description: >- - Unmarks specific detections as fixed in the Vectra QUX platform. This action is - used to revert the status of detections that were previously marked as resolved - or fixed, effectively reopening them for further investigation or workflow processing. - It accepts a list of detection IDs and performs a bulk update via a PATCH request - to the Vectra API. + ### General Description + + Reverts the 'fixed' status of specific detections in Vectra AI. This action allows + analysts to unmark detections that were previously flagged as resolved or fixed, + effectively reopening them for further investigation or monitoring within the + Vectra platform. - ### Flow Description: + ### Parameters Description + - 1. **Parameter Extraction**: The action retrieves the 'Detection IDs' from the - input parameters. + | Parameter | Type | Mandatory | Description | - 2. **Validation**: It splits the comma-separated string of IDs and validates that - each ID is a valid integer. + | :--- | :--- | :--- | :--- | - 3. **API Interaction**: It calls the Vectra QUX Manager to send a PATCH request - to the detections endpoint, setting the 'mark_as_fixed' attribute to 'False' for - the provided IDs. + | Detection IDs | String | Yes | A comma-separated list of Vectra detection IDs + (e.g., "123, 456") that should be unmarked as fixed. | - 4. **Result Handling**: The raw JSON response from the Vectra API is attached - to the action results, and the action completes with a success or failure status - based on the API's response. + ### Additional Notes - ### Parameters Description: + - The action validates that all provided IDs are valid integers before sending + the request to Vectra AI. - | Parameter Name | Expected Type | Mandatory | Description | + - If any ID in the list is invalid or does not exist, the action may fail or return + an error message from the Vectra API. - | :--- | :--- | :--- | :--- | - | Detection IDs | String | Yes | A comma-separated list of numeric IDs representing - the detections to be unmarked as fixed. | + ### Flow Description + + 1. **Parameter Extraction**: Retrieves the `Detection IDs` string from the action + parameters. + 2. **Validation**: Splits the input string by commas and validates that each individual + ID is a valid integer. - ### Additional Notes: + 3. **API Interaction**: Connects to the Vectra AI API and sends a `PATCH` request + to the detections endpoint. - - This action does not run on entities; it operates solely based on the provided - Detection IDs. + 4. **Status Update**: The request payload explicitly sets the `mark_as_fixed` + attribute to `False` for the specified list of detection IDs. - - If any ID in the list is invalid or not found, the action may fail depending - on the API's error handling logic. + 5. **Result Reporting**: Captures the API response and adds it to the action's + JSON results for the analyst to review. capabilities: can_create_case_comments: false can_create_insight: false @@ -2641,14 +2654,14 @@ Unmark Detection Fixed: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the status of detections in the Vectra QUX platform by setting the 'mark_as_fixed' - flag to 'False'. + Updates the status of specific detections in Vectra AI by unmarking them as + 'fixed' via a PATCH request to the detections endpoint. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2662,6 +2675,7 @@ Unmark Detection Fixed: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Update Assignment: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -2675,74 +2689,83 @@ Unmark Detection Fixed: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Update Assignment: ai_description: >- - ### General Description - - The **Update Assignment** action is used to modify the assigned user for an existing - assignment associated with a specific entity (either a Host or an Account) within - the Vectra AI platform. This action is essential for reassigning investigations - or ownership of security entities to different analysts or teams. + Updates the assigned user for a specific entity (Host or Account) in Vectra QUX. + This action is used to change the ownership or responsibility of an entity within + the Vectra platform by modifying its existing assignment. It first retrieves the + entity's current details to identify the active assignment ID and then performs + a PUT request to update the 'assign_to_user_id' field. This is particularly useful + for workflow orchestration where an analyst or automated process needs to reassign + a resource for investigation. ### Parameters Description + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Entity ID | String | Yes | The unique identifier of the entity (Host or Account) - in Vectra AI whose assignment needs to be updated. | + | Entity ID | String | Yes | The unique integer identifier of the entity (Host + or Account) in Vectra QUX. | - | Entity Type | DDL | Yes | The category of the entity. Supported values are 'Account' - and 'Host'. | + | Entity Type | DDL | Yes | The category of the entity to update. Supported values + are 'Account' and 'Host'. | - | User ID | String | Yes | The unique identifier of the user to whom the entity - assignment will be updated. | + | User ID | String | Yes | The unique integer identifier of the Vectra user to + whom the entity should be reassigned. | - ### Flow Description + ### Additional Notes - 1. **Parameter Extraction**: The action retrieves the API configuration (API Root, - Token, SSL verification) and the specific Entity ID, Entity Type, and User ID - from the input parameters. - 2. **Validation**: It validates that the provided Entity ID and User ID are valid - integer strings. + * **Prerequisite:** The target entity must already have an existing assignment + in Vectra QUX. If no assignment is found, the action will fail with an informative + message. - 3. **Entity Retrieval**: It fetches the current details of the specified entity - from Vectra AI to check for an existing assignment. + * **Validation:** Both 'Entity ID' and 'User ID' must be valid numeric strings + that can be converted to integers. - 4. **Assignment Verification**: The action checks if the entity currently has - an assignment. If no assignment is found, the action fails, as it is designed - only to update existing assignments. + * **Output:** The action provides a data table named 'Updated Assignment' containing + the new assignment details and the full JSON response from the Vectra API. - 5. **Update Execution**: If an assignment exists, the action performs a PUT request - to the Vectra AI API to update the assignment with the new User ID. - 6. **Output Generation**: Upon success, the action returns the raw JSON response - and creates a data table titled 'Updated Assignment' containing the updated assignment - details. + ### Flow Description - ### Additional Notes + 1. **Parameter Extraction:** Retrieves the API configuration and the action parameters + (Entity ID, Entity Type, and User ID). - - This action requires an existing assignment to be present on the entity. To - create a new assignment for an unassigned entity, use the 'Assign Entity' action. + 2. **Input Validation:** Validates that the provided Entity ID and User ID are + valid non-negative integers. - - Both Entity ID and User ID must be numeric strings. + 3. **Entity Lookup:** Calls the Vectra API to describe the specified entity and + check for an existing assignment. + + 4. **Assignment Identification:** Extracts the 'assignment_id' from the entity's + current assignment metadata. + + 5. **External Update:** Executes a PUT request to the Vectra assignments endpoint + to update the assigned user to the new User ID. + + 6. **Result Reporting:** Adds the updated assignment details to a data table and + the raw response to the JSON results, then completes the action with a success + message. capabilities: can_create_case_comments: false can_create_insight: false @@ -2751,14 +2774,14 @@ Update Assignment: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the assigned user for an existing assignment in Vectra AI using a PUT - request to the assignments endpoint. + Updates the 'assign_to_user_id' field for an existing assignment in Vectra QUX + via a PUT request to the assignments API endpoint. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2772,28 +2795,3 @@ Update Assignment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/community/vectra_qux/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/vectra_qux/resources/ai/connectors_ai_description.yaml index 7f313f203..1c5eea981 100644 --- a/content/response_integrations/third_party/community/vectra_qux/resources/ai/connectors_ai_description.yaml +++ b/content/response_integrations/third_party/community/vectra_qux/resources/ai/connectors_ai_description.yaml @@ -1,49 +1,46 @@ Vectra QUX - Entities Connector: - ai_description: "### General Description\nThe Vectra QUX - Entities Connector integrates\ - \ with the Vectra QUX platform to retrieve security entities (Hosts or Accounts)\ - \ and their associated detections. It transforms each Vectra entity into a Google\ - \ SecOps alert, while the specific detections linked to that entity are ingested\ - \ as individual events within the alert. This approach provides a consolidated\ - \ view of the threat landscape for specific network assets or user accounts.\n\ - \n### Parameters Description\n| Parameter | Type | Mandatory | Description |\n\ - | :--- | :--- | :--- | :--- |\n| API Root | String | Yes | The base URL of the\ - \ Vectra QUX API (e.g., https://
:). |\n| API Token | Password |\ - \ Yes | The unique identifier used to authenticate and authorize access to the\ - \ Vectra API. |\n| Entity Type | String | Yes | The type of entity to retrieve.\ - \ Supported values: 'Host' or 'Account'. Default is 'Host'. |\n| DeviceProductField\ - \ | String | Yes | The field name used to determine the device product in the\ - \ alert metadata. Default: 'Vectra QUX'. |\n| EventClassId | String | Yes | The\ - \ field name used to determine the event name/sub-type. Default: 'detection_type'.\ - \ |\n| PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for\ - \ the python process running the script. |\n| Threat Score GTE | Integer | No\ - \ | Filters for entities with a threat score greater than or equal to this value.\ - \ |\n| Certainty Score GTE | Integer | No | Filters for entities with a certainty\ - \ score greater than or equal to this value. |\n| Detection Category | String\ - \ | No | Filters results by category (e.g., Command & Control, Botnet Activity,\ - \ Reconnaissance, Lateral Movement, Exfiltration, Info). |\n| Detection Type |\ - \ String | No | Filters results by a specific Vectra detection type. |\n| Limit\ - \ | Integer | No | Maximum number of entities to fetch in a single execution cycle.\ - \ |\n| Max Hours Backwards | Integer | No | The number of hours to look back for\ - \ entities during the first connector iteration. |\n| Query | String | No | A\ - \ custom query string used to specify advanced conditions for filtering results.\ - \ |\n| Specific Tag | String | No | Filters results by a specific tag assigned\ + ai_description: "### General Description\nThe Vectra QUX - Entities Connector enables\ + \ the ingestion of security data from the Vectra QUX platform into Google SecOps.\ + \ Unlike standard alert connectors, this integration focuses on **Entities** (Hosts\ + \ or Accounts). It retrieves entities that have active detections and maps each\ + \ entity to a Google SecOps alert, while the individual detections associated\ + \ with that entity are ingested as alert events. This provides a consolidated,\ + \ asset-centric view of malicious activity.\n\n### Parameters Description\n| Parameter\ + \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| API Root\ + \ | String | Yes | The base URL of the Vectra QUX API (e.g., `https://
:`).\ + \ |\n| API Token | Password | Yes | A unique identifier used to authenticate and\ + \ authorize access to the API. |\n| Entity Type | String | Yes | The type of entity\ + \ to fetch. Supported values: `Host`, `Account`. Default is `Host`. |\n| DeviceProductField\ + \ | String | Yes | The field name used to determine the device product. Default:\ + \ `Vectra QUX`. |\n| EventClassId | String | Yes | The field name used to determine\ + \ the event name/sub-type. Default: `detection_type`. |\n| Max Hours Backwards\ + \ | Integer | No | Number of hours before the first connector iteration to retrieve\ + \ data from. Default: `0`. |\n| Threat Score GTE | Integer | No | Filters for\ + \ entities with threat scores greater than or equal to this value. |\n| Certainty\ + \ Score GTE | Integer | No | Filters for entities with certainty scores greater\ + \ than or equal to this value. |\n| Detection Category | String | No | Filters\ + \ results by category (e.g., Command & Control, Lateral Movement, Exfiltration).\ + \ |\n| Detection Type | String | No | Filters results by a specific Vectra detection\ + \ type. |\n| Specific Tag | String | No | Filters results by a specific tag assigned\ \ in Vectra. |\n| Partial Tag | String | No | Filters results by a partial tag\ - \ match. |\n| Verify SSL | Boolean | No | If enabled, the connector will verify\ - \ the SSL certificate of the Vectra API endpoint. |\n\n### Flow Description\n\ - 1. **Authentication & Initialization**: The connector establishes a session with\ - \ the Vectra QUX API using the provided API Token and Root URL.\n2. **Timeframe\ - \ Determination**: It calculates the retrieval window based on the last successful\ - \ execution timestamp or the `Max Hours Backwards` parameter for initial runs.\n\ - 3. **Entity Discovery**: The connector queries the Vectra `/api/v2.5/search/{entity_type}s`\ - \ endpoint, applying filters for threat/certainty scores, categories, tags, and\ - \ custom queries. It specifically targets entities in an 'active' state.\n4. **Detection\ - \ Retrieval**: For every entity found, the connector performs a secondary lookup\ - \ to fetch all associated 'active' detections for that specific Host or Account\ - \ ID.\n5. **Alert Mapping**: \n * The **Entity** metadata (ID, name, severity,\ - \ threat score) is mapped to the primary Alert object.\n * The **Detections**\ - \ are mapped as individual Events within that alert.\n * The `source_grouping_identifier`\ - \ is constructed as `{entity_type}#{entity_id}` to ensure that updates to the\ - \ same entity are grouped into the same case in Google SecOps.\n6. **Ingestion\ - \ & State Management**: The connector ingests the alerts into the SOAR platform\ - \ and saves the latest entity IDs and timestamps to ensure only new or updated\ - \ data is processed in the next cycle." + \ match. |\n| Query | String | No | A custom query string used to specify advanced\ + \ conditions for filtering results. |\n| Limit | Integer | No | Maximum number\ + \ of entities to fetch in a single iteration. |\n| Verify SSL | Boolean | No |\ + \ If enabled, the connector will verify the SSL certificate of the API Root. |\n\ + | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the\ + \ python process running the script. |\n\n### Flow Description\n1. **Initialization**:\ + \ The connector authenticates with the Vectra QUX API and retrieves the timestamp\ + \ of the last successful run and a list of previously processed entity IDs to\ + \ avoid duplicates.\n2. **Entity Fetching**: It queries the Vectra `/search/hosts`\ + \ or `/search/accounts` endpoint for entities modified since the last execution,\ + \ applying user-defined filters such as Threat/Certainty scores, tags, and categories.\n\ + 3. **Detection Enrichment**: For every entity identified, the connector performs\ + \ a secondary API call to fetch all associated \"active\" detections for that\ + \ specific asset.\n4. **Data Mapping**: \n * The **Entity** metadata (ID,\ + \ Name, Severity) is mapped to a Google SecOps **Alert**.\n * Each **Detection**\ + \ associated with the entity is transformed into a SecOps **Event**.\n * \ + \ Vectra severity levels (Low, Medium, High, Critical) are mapped to corresponding\ + \ SecOps priority values.\n5. **Case Creation**: The connector packages the mapped\ + \ data into `AlertInfo` objects and ingests them into Google SecOps.\n6. **State\ + \ Persistence**: Upon successful ingestion, the connector updates the last modification\ + \ timestamp and the list of processed IDs to ensure continuity in the next iteration." diff --git a/content/response_integrations/third_party/community/vectra_qux/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/vectra_qux/resources/ai/integration_ai_description.yaml index 14535ab0f..971d37ab1 100644 --- a/content/response_integrations/third_party/community/vectra_qux/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/community/vectra_qux/resources/ai/integration_ai_description.yaml @@ -1,12 +1,12 @@ product_categories: asset_inventory: true - cloud_security: false + cloud_security: true collaboration: false edr: false email_security: false iam_and_identity_management: true itsm: true - network_security: false + network_security: true siem: true - threat_intelligence: false + threat_intelligence: true vulnerability_management: false diff --git a/content/response_integrations/third_party/community/vectra_qux/resources/ai/jobs_ai_description.yaml b/content/response_integrations/third_party/community/vectra_qux/resources/ai/jobs_ai_description.yaml index d66cf25b1..5187f2db6 100644 --- a/content/response_integrations/third_party/community/vectra_qux/resources/ai/jobs_ai_description.yaml +++ b/content/response_integrations/third_party/community/vectra_qux/resources/ai/jobs_ai_description.yaml @@ -1,36 +1,34 @@ Vectra QUX - Clear Empty Cases Job: - ai_description: "### General Description\nThis job performs automated maintenance\ - \ on Google SecOps cases generated by the Vectra QUX integration. Its primary\ - \ purpose is to reduce analyst fatigue by identifying and closing redundant or\ - \ \"empty\" cases and alerts. It analyzes open cases within specified environments\ - \ and products, comparing the underlying detection IDs (event IDs) across alerts.\ - \ If an alert's detections are entirely covered by other active alerts or cases,\ - \ the job programmatically closes the redundant alert or the entire case, ensuring\ - \ that investigators focus only on unique security incidents.\n\n### Parameters\ - \ Description\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- |\ - \ :--- | :--- |\n| Max Hours Backwards | String | No | The maximum number of hours\ - \ to look back for open cases. Setting this to '0' will cause the job to process\ - \ all open cases regardless of their creation time. Default is 24. |\n| Environments\ - \ | String | Yes | A comma-separated list of environments to include in the cleanup\ - \ process. Default is 'Default Environment'. |\n| Products | String | Yes | A\ - \ comma-separated list of product names (DeviceProduct field) used to filter the\ - \ alerts within the cases. Default is 'Vectra QUX'. |\n\n### Flow Description\n\ - 1. **Initialization**: Retrieves the job configuration, including the lookback\ - \ window, target environments, and product names.\n2. **Time Range Calculation**:\ - \ Determines the starting timestamp for the search by comparing the `Max Hours\ - \ Backwards` parameter against the last successful execution time stored in the\ - \ job's context.\n3. **Case Retrieval**: Queries the SOAR platform to fetch IDs\ - \ of all cases currently in \"OPEN\" status that fall within the calculated time\ - \ range.\n4. **Data Extraction**: For each retrieved case, the job fetches the\ - \ full case details and filters alerts based on the provided `Environments` and\ - \ `Products` parameters.\n5. **Detection Mapping**: Extracts unique detection\ - \ IDs (event IDs) from the security events associated with each valid alert and\ - \ maps them to their respective cases.\n6. **Redundancy Analysis**: Compares alerts\ - \ across all processed cases. An alert is flagged as redundant if all of its associated\ - \ detection IDs are already present in other active alerts or cases.\n7. **Automated\ - \ Closure**: \n * Closes individual alerts identified as duplicates with the\ - \ reason: \"Similar alert already under investigation\".\n * Closes entire\ - \ cases if all alerts within them are found to be redundant with the reason: \"\ - Similar case already under investigation\".\n8. **State Persistence**: Saves the\ - \ current timestamp as the last successful run time to the internal database for\ - \ use in the next execution cycle." + ai_description: "### General Description\nThe **Vectra QUX - Clear Empty Cases Job**\ + \ is a maintenance utility designed to reduce noise and redundancy within Google\ + \ SecOps. It identifies and closes cases or individual alerts that contain duplicate\ + \ security events already being tracked in other open cases. By analyzing the\ + \ unique detection IDs provided by Vectra QUX, the job ensures that analysts are\ + \ not investigating the same underlying threat across multiple tickets, effectively\ + \ streamlining the incident response workflow.\n\n### Parameters Description\n\ + | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ + | Max Hours Backwards | String | No | The maximum number of hours to look back\ + \ for open cases. Setting this to '0' will cause the job to process all open cases\ + \ regardless of their creation time. Default is '24'. |\n| Environments | String\ + \ | Yes | A comma-separated list of environments to include in the cleanup process.\ + \ Only cases within these environments will be processed. Default is 'Default\ + \ Environment'. |\n| Products | String | Yes | A comma-separated list of product\ + \ names to filter alerts. The job only evaluates alerts where the 'DeviceProduct'\ + \ matches these values. Default is 'Vectra QUX'. |\n\n### Flow Description\n1.\ + \ **Initialization**: The job retrieves the configuration parameters and calculates\ + \ the time range for processing based on the last successful execution and the\ + \ `Max Hours Backwards` setting.\n2. **Case Fetching**: It queries the SOAR platform\ + \ for all cases currently in an \"OPEN\" status that fall within the specified\ + \ time window.\n3. **Filtering and Extraction**: For each retrieved case, the\ + \ job verifies if it belongs to the allowed `Environments` and `Products`. It\ + \ then extracts the unique detection (event) IDs from the alerts associated with\ + \ those cases.\n4. **Duplicate Analysis**: The job builds a map of event IDs\ + \ to identify overlaps between different cases and alerts. It determines if an\ + \ alert's events are entirely contained within other active cases.\n5. **Case\ + \ and Alert Closure**: \n * If an entire case consists of alerts that are\ + \ duplicates of events in other cases, the job closes the case with the root cause:\ + \ \"Similar case already under investigation\".\n * If only specific alerts\ + \ within a case are redundant, those individual alerts are closed with the root\ + \ cause: \"Similar alert already under investigation\".\n6. **Timestamp Update**:\ + \ Finally, the job saves the current execution timestamp to the internal database\ + \ to serve as the starting point for the next scheduled run." diff --git a/content/response_integrations/third_party/community/vectra_rux/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/vectra_rux/resources/ai/actions_ai_description.yaml index 2fbd0b7cd..bc40b95a1 100644 --- a/content/response_integrations/third_party/community/vectra_rux/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/vectra_rux/resources/ai/actions_ai_description.yaml @@ -1,60 +1,76 @@ Add Note: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - The **Add Note** action allows analysts to attach a text-based note to a specific - entity within the Vectra AI platform. This action supports adding notes to three - types of entities: **Accounts**, **Hosts**, and **Detections**. It is primarily - used to document investigation findings, provide context for other analysts, or - maintain an audit trail directly within the Vectra console from Google SecOps. + Adds a note to a specific entity (Account, Host, or Detection) within the Vectra + platform. This action allows analysts to document findings or provide context + directly on the Vectra resource from within Google SecOps, ensuring that information + is synchronized between the two platforms. - ### Parameters Description - - | Parameter | Description | Type | Mandatory | - - | :--- | :--- | :--- | :--- | + ### Flow Description - | Note | The textual content of the note to be added to the specified entity. - | String | Yes | + 1. **Parameter Extraction**: Retrieves the note content, target entity ID, and + entity type from the action parameters. - | Entity ID | The unique numerical identifier of the entity in Vectra AI where - the note will be attached. | String | Yes | + 2. **Validation**: Validates that the provided Entity ID is a valid integer. - | Entity Type | The category of the target entity. Supported values are 'Account', - 'Host', and 'Detection'. | DDL | Yes | + 3. **API Interaction**: Executes a POST request to the Vectra API's notes endpoint + for the specified entity. + 4. **Result Processing**: Captures the API response (the created note object) + and presents it in a data table and JSON format for the analyst. - ### Additional Notes - * The **Entity ID** must be a valid integer. The action will perform a validation - check and fail if a non-integer value is provided. + ### Parameters Description - * The **Entity Type** parameter is case-insensitive in the logic but should - be selected from the provided dropdown list (Account, Host, Detection). + | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Flow Description + | Note | String | Yes | The text content of the note to be added to the Vectra + entity. | - 1. **Initialization**: The action extracts the integration configuration (API - Root, Client ID, Client Secret) and the action parameters (Note, Entity ID, Entity - Type). + | Entity ID | String | Yes | The unique numeric identifier of the entity in Vectra. + | - 2. **Validation**: The provided `Entity ID` is validated to ensure it is a proper - integer. + | Entity Type | DDL | Yes | The type of entity to which the note will be added. + Options: Account, Host, or Detection. | - 3. **Authentication**: The action authenticates with the Vectra AI API using - the provided credentials to obtain a bearer token. - 4. **API Execution**: A POST request is sent to the Vectra API endpoint `/entities/{entity_id}/notes`, - passing the `Entity Type` as a query parameter and the `Note` content in the request - body. + ### Additional Notes - 5. **Result Processing**: Upon a successful response, the action parses the metadata - of the newly created note (ID, creation date, creator). + - The Entity ID must be a numeric value corresponding to an existing resource + in the Vectra environment. - 6. **Output**: The action populates a data table with the note's details and - provides the raw JSON response for downstream use in the playbook. + - This action performs a state change in the external Vectra system by creating + a new note record. capabilities: can_create_case_comments: false can_create_insight: false @@ -63,14 +79,14 @@ Add Note: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new note record associated with a specific entity (Account, Host, - or Detection) in the Vectra AI platform. + Creates a new note record in the Vectra platform associated with a specific + Account, Host, or Detection entity. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -84,6 +100,7 @@ Add Note: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Add Tags: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -97,73 +114,75 @@ Add Note: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false - update_identity: false + update_identity: true update_ticket: false -Add Tags: ai_description: >- - ### General Description - - The **Add Tags** action allows users to append one or more tags to specific entities - in the Vectra AI platform. It supports tagging for Accounts, Hosts, and Detections. - By providing a list of IDs and the desired tags, the action ensures that the new - tags are integrated with existing ones, maintaining the entity's historical context - while adding new metadata. + Adds tags to specific entities in the Vectra RUX platform. This action allows + users to append one or more tags to Accounts, Hosts, or Detections by providing + their unique Vectra IDs. The action first retrieves the existing tags for each + specified entity to ensure that existing data is preserved and only new, unique + tags are added. It then performs a PATCH request to update the entity's tag list + in the external system. ### Parameters Description - | Parameter | Expected Type | Mandatory | Description | + + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Tags | String | Yes | A comma-separated list of tags to add to the entities. - | + | Tags | String | Yes | A comma-separated list of tags to be added to the specified + entities. | - | Entity IDs | String | Yes | A comma-separated list of the internal Vectra IDs - for the target entities. | + | Entity IDs | String | Yes | A comma-separated list of the unique Vectra identifiers + for the entities to be tagged. | - | Entity Type | DDL | Yes | The type of entity to tag. Options are: Account, Host, - or Detection. | + | Entity Type | DDL | Yes | The category of the entity being tagged. Options include: + `Account`, `Host`, or `Detection`. | - ### Flow Description + ### Additional Notes - 1. **Initialization**: The action starts by extracting the necessary configuration - and action parameters. + - This action does not process Google SecOps entities automatically; it requires + explicit Vectra IDs as input parameters. - 2. **Data Preparation**: It splits the `Tags` and `Entity IDs` strings into lists - and validates that the IDs are integers. + - The action ensures that duplicate tags are not created by merging the new tags + with the existing ones retrieved from the API. - 3. **Processing Loop**: It iterates through each provided Entity ID. - 4. **Context Retrieval**: For each ID, it performs a GET request to Vectra to - retrieve the current tags. + ### Flow Description - 5. **Logic Execution**: It merges the existing tags with the new ones to create - a unique, updated list. + 1. **Parameter Extraction:** The action retrieves the list of tags, entity IDs, + and the entity type from the user input. - 6. **State Change**: It performs a PATCH request to Vectra to update the entity - with the new tag list. + 2. **Validation:** It validates that the provided Entity IDs are integers and + cleans the tag strings. - 7. **Output Generation**: It records the outcome for each ID and produces a summary - data table and a detailed JSON result. + 3. **Tag Retrieval:** For each entity ID, the action calls the Vectra API to fetch + the current list of tags. + 4. **Merging:** It combines the existing tags with the new tags, removing any + duplicates. - ### Additional Notes + 5. **External Update:** The action sends a PATCH request to Vectra RUX to update + the entity with the new combined tag list. - The action is designed to be additive, meaning it will not remove existing tags - from the entities. It also handles partial failures, allowing the action to complete - even if some entity IDs are invalid or not found. + 6. **Reporting:** It generates a data table and a JSON result summarizing the + success or failure of the tag update for each ID. capabilities: can_create_case_comments: false can_create_insight: false @@ -172,14 +191,14 @@ Add Tags: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the 'tags' attribute of entities (Accounts, Hosts, or Detections) in - Vectra AI via a PATCH request. + Updates the tag metadata for Accounts, Hosts, or Detections in the Vectra RUX + platform via a PATCH request. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -193,6 +212,7 @@ Add Tags: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Assign Entity: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -206,45 +226,60 @@ Add Tags: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false - update_alert: true + update_alert: false update_email: false update_identity: true update_ticket: false -Assign Entity: ai_description: >- - ### General Description\nThe **Assign Entity** action allows security analysts - to assign a specific entity, such as a **Host** or an **Account**, to a designated - user within the Vectra RUX platform. This action is primarily used for workflow - management and incident response orchestration, ensuring that specific assets - are tracked and managed by the appropriate personnel directly from the Google - SecOps environment.\n\n### Parameters Description\n| Parameter | Type | Mandatory - | Description |\n| :--- | :--- | :--- | :--- |\n| **Entity ID** | String | Yes - | The unique numerical identifier of the entity (Host or Account) in Vectra RUX - to be assigned. |\n| **Entity Type** | DDL | Yes | The category of the entity - being assigned. Supported values are `Account` and `Host`. |\n| **User ID** | - String | Yes | The unique numerical identifier of the Vectra RUX user to whom - the entity will be assigned. |\n\n### Flow Description\n1. **Input Extraction**: - The action retrieves the `Entity ID`, `Entity Type`, and `User ID` from the provided - parameters.\n2. **Validation**: It validates that the `Entity ID` and `User ID` - are valid non-negative integers, which is a requirement for the Vectra RUX API.\n3. - **API Interaction**: The action initializes the Vectra RUX manager and sends a - `POST` request to the `/assignments` endpoint. It dynamically maps the `Entity - ID` to either `assign_host_id` or `assign_account_id` based on the selected `Entity - Type`.\n4. **Result Processing**: Upon a successful assignment, the action parses - the response into an Assignment object.\n5. **Output Generation**: The action - adds a data table to the case wall containing the new Assignment ID, the User - ID, and the Entity ID, and provides the raw JSON response for downstream playbook - logic.\n\n### Additional Notes\n* This action does not automatically iterate over - entities in the SOAR context; it requires the specific IDs to be manually provided - or mapped from previous playbook steps. + Assigns a Vectra RUX entity (Host or Account) to a specific user. This action + creates an assignment record within the Vectra platform, facilitating ownership + and accountability for investigation or remediation tasks. It validates that the + provided IDs are integers before making the API request and returns the details + of the created assignment. + + + ### Parameters + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Entity ID | string | Yes | The unique identifier of the Host or Account in Vectra + RUX that will be assigned. | + + | Entity Type | ddl | Yes | Specifies whether the Entity ID refers to an 'Account' + or a 'Host'. | + + | User ID | string | Yes | The unique identifier of the Vectra RUX user to whom + the assignment will be made. | + + + ### Flow Description + + 1. **Initialization**: Extracts the API configuration and the action parameters + (User ID, Entity ID, and Entity Type). + + 2. **Validation**: Validates that the `Entity ID` and `User ID` are valid positive + integers. + + 3. **API Interaction**: Initializes the VectraRUXManager and calls the `assign_entity` + method, which sends a POST request to the Vectra RUX assignments endpoint. + + 4. **Result Processing**: Parses the API response into an Assignment object. + + 5. **Output**: Adds a data table containing the assignment details and the raw + JSON response to the action results in Google SecOps. capabilities: can_create_case_comments: false can_create_insight: false @@ -253,14 +288,14 @@ Assign Entity: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new assignment record in the Vectra RUX platform, linking a specific - host or account to a user via a POST request to the /assignments endpoint. + Creates a new assignment record in Vectra RUX, linking a specific entity (Host + or Account) to a user. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -274,6 +309,7 @@ Assign Entity: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Assign Group: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -287,38 +323,71 @@ Assign Entity: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false - update_identity: false + update_identity: true update_ticket: false -Assign Group: ai_description: >- - ### General Description Add members to a specific group in Vectra RUX. This action - allows analysts to manage group memberships by appending a list of identifiers - (such as IPs, hostnames, or account UIDs) to an existing group ID. ### Parameters - Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- - | :--- | | Group ID | String | Yes | The unique ID of the Vectra group to which - members will be added. | | Members | String | Yes | A comma-separated list of - member identifiers (e.g., hostnames, IPs, or account UIDs) to be assigned to the - group. | ### Flow Description 1. Extracts the Group ID and the list of members - from the action parameters. 2. Validates that the Group ID is a valid integer. - 3. Processes the members string into a list of unique, stripped identifiers. 4. - Executes a PATCH request to the Vectra RUX API to append the provided members - to the specified group. 5. Compares the requested members against the updated - group state returned by the API to identify any members that were not successfully - assigned. 6. Generates an HTML table and a JSON object containing the updated - group details and membership status. ### Additional Notes This action uses the - 'append' membership action, meaning existing members are preserved. The type of - identifier required in the 'Members' parameter depends on the group's type (e.g., - IP for IP groups, UID for account groups). + ### General Description + + Adds members to a specific group in Vectra AI. This action allows analysts to + manage group memberships dynamically by appending a list of members (such as hosts, + IPs, or accounts) to an existing group identified by its ID. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Group ID | String | True | The unique identifier of the group in Vectra AI. + This value must be a positive integer. | + + | Members | String | True | A comma-separated list of members to be added to the + group. The type of member (e.g., hostname, IP, account UID) should correspond + to the group's defined type. | + + + ### Additional Notes + + - The action uses the 'append' membership action, ensuring that existing group + members are preserved and not overwritten. + + - The action provides a detailed HTML view of the group's properties and membership + status after the update. + + + ### Flow Description + + 1. **Parameter Extraction**: The action retrieves the `Group ID` and `Members` + list from the input parameters. + + 2. **Validation**: It validates that the `Group ID` is a valid integer and processes + the `Members` string into a list of unique, stripped strings. + + 3. **Authentication**: Connects to the Vectra AI API using the provided credentials + (API Root, Client ID, and Client Secret). + + 4. **Group Update**: Sends a PATCH request to the Vectra API to add the new members + to the specified group using the `append` membership action. + + 5. **Verification**: Compares the requested members against the updated group + membership returned by the API to identify any members that could not be assigned. + + 6. **Output Generation**: Returns the updated group details in JSON format and + renders an HTML table for the case wall showing the group's current state. capabilities: can_create_case_comments: false can_create_insight: false @@ -327,14 +396,14 @@ Assign Group: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the membership list of a specified group in Vectra RUX by appending - new members via a PATCH request. + Updates the membership list of a group in Vectra AI using a PATCH request to + the groups endpoint. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -348,6 +417,7 @@ Assign Group: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Describe Assignment: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -361,26 +431,29 @@ Assign Group: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: true remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false - update_identity: true + update_identity: false update_ticket: false -Describe Assignment: ai_description: >- ### General Description - The **Describe Assignment** action retrieves detailed information for a specific - assignment within the Vectra RUX platform using its unique Assignment ID. This - action is designed to provide analysts with programmatic access to the metadata, - participants, and status of investigative assignments. + Retrieves comprehensive details for a specific assignment within Vectra RUX using + its unique identifier. This action allows analysts to view metadata associated + with an assignment, including the assigned user, the resolver, the outcome, and + associated entity IDs (Host or Account). It is primarily used to audit or verify + the status of tasks within the Vectra platform. ### Parameters Description @@ -389,33 +462,33 @@ Describe Assignment: | :--- | :--- | :--- | :--- | - | **Assignment ID** | String | Yes | The unique identifier of the assignment to - retrieve. The value must be a valid integer. | + | Assignment ID | String | Yes | The unique numerical identifier of the assignment + to retrieve. The value is validated as a non-negative integer before processing. + | ### Flow Description - 1. **Input Validation**: The action validates that the provided `Assignment ID` - is a valid integer. + 1. **Parameter Initialization**: The action extracts the `Assignment ID` from + the user input and validates that it is a valid integer. + + 2. **Authentication**: The action initializes the `VectraRUXManager`, which handles + OAuth2 token generation and session management. - 2. **Authentication**: Establishes a session with the Vectra RUX API using the - configured Client ID and Secret. + 3. **Data Retrieval**: A GET request is sent to the Vectra RUX API endpoint `/api/v3.4/assignments/{assignment_id}`. - 3. **Data Retrieval**: Executes a GET request to the assignments endpoint for - the specified ID. + 4. **Data Parsing**: The response is parsed into an `Assignment` data model, which + extracts key fields such as `Assigned User`, `Outcome Title`, and `Entity ID`. - 4. **Result Processing**: - - The raw JSON response from the API is added to the action results. - - A data table is generated containing key assignment details such as Assigned - User, Resolved By, and Outcome. - 5. **Completion**: Returns a success message if the assignment is found, or a - failure message if the ID is invalid or not found. + 5. **Output Generation**: The action returns the full raw JSON response and constructs + a data table named 'Describe Assignment' containing the flattened assignment details. ### Additional Notes - - This action does not operate on SecOps entities; it requires a direct ID input - via the action parameters. + This action does not process entities from the Google SecOps case; it operates + strictly based on the provided `Assignment ID` parameter. If the ID is not found, + the action will return a failure status. capabilities: can_create_case_comments: false can_create_insight: false @@ -427,9 +500,9 @@ Describe Assignment: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -443,6 +516,7 @@ Describe Assignment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Describe Detection: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -456,58 +530,40 @@ Describe Assignment: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: true remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Describe Detection: - ai_description: >- - Retrieves comprehensive details for a specific detection from Vectra AI using - its unique ID. This action is designed to provide analysts with deep-dive context - into a specific security event identified by the Vectra platform, including its - state, category, threat level, and associated entity information. - - - ### Flow Description - - 1. **Parameter Extraction**: The action retrieves the `Detection ID` from the - input parameters. - - 2. **Validation**: It validates that the provided `Detection ID` is a valid integer - format. - - 3. **API Interaction**: It authenticates with the Vectra AI platform and performs - a GET request to the `/api/v3.4/detections/{detection_id}` endpoint. - - 4. **Data Parsing**: The response is parsed into a structured Detection data model, - which includes metadata like detection type, category, and source entity details. - - 5. **Output Generation**: The action generates a data table for the case wall - and attaches the full raw JSON response to the action results for further inspection. - - - ### Parameters Description - - | Parameter Name | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Detection ID | String | Yes | The unique identifier of the detection to retrieve - from Vectra AI. | - - - ### Additional Notes - - - This action is a utility/search action and does not automatically iterate over - entities in the SOAR case scope. It requires a specific ID provided as a parameter. + ai_description: "### General Description\nThe **Describe Detection** action retrieves\ + \ comprehensive details for a specific detection from the Vectra RUX platform\ + \ using its unique identifier. It is primarily used for deep-dive investigations\ + \ where an analyst needs to see the full raw data and metadata associated with\ + \ a specific security event identified by Vectra.\n\n### Parameters Description\n\ + | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ + | **Detection ID** | String | Yes | The unique identifier of the detection to\ + \ retrieve. This value is validated as an integer before the request is made.\ + \ |\n\n### Flow Description\n1. **Parameter Initialization**: The action retrieves\ + \ the integration configuration (API Root, Client ID, Client Secret) and the mandatory\ + \ `Detection ID` parameter.\n2. **Validation**: The `Detection ID` is validated\ + \ to ensure it is a valid non-negative integer.\n3. **API Interaction**: The\ + \ action authenticates with Vectra RUX and performs a GET request to the `/detections/{detection_id}`\ + \ endpoint.\n4. **Data Processing**: The raw JSON response is parsed into a `Detection`\ + \ data model, which extracts key fields such as state, category, type, and source\ + \ entity information.\n5. **Output Generation**: \n * A data table titled\ + \ \"Describe Detection\" is added to the case wall, containing a summary of the\ + \ detection.\n * The full raw JSON response is attached to the action results\ + \ for detailed inspection." capabilities: can_create_case_comments: false can_create_insight: false @@ -521,7 +577,7 @@ Describe Detection: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -535,6 +591,7 @@ Describe Detection: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Describe Entity: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -545,47 +602,70 @@ Describe Detection: disable_identity: false download_file: false enable_identity: false - enrich_asset: false + enrich_asset: true enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: true search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Describe Entity: - ai_description: "### General Description\nThe **Describe Entity** action retrieves\ - \ comprehensive metadata and status information for a specific entity (either\ - \ a Host or an Account) from Vectra RUX using its unique identifier. This action\ - \ is designed to provide analysts with deep-dive visibility into an asset's urgency\ - \ score, attack rating, importance, and associated detection history, facilitating\ - \ informed decision-making during incident response.\n\n### Parameters Description\n\ - | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ - | **Entity ID** | String | Yes | The unique identifier of the entity in Vectra\ - \ RUX. Although provided as a string, the value must represent a valid integer.\ - \ |\n| **Entity Type** | DDL | Yes | The category of the entity to describe. Supported\ - \ values are `Account` and `Host`. |\n\n### Flow Description\n1. **Initialization**:\ - \ The action initializes the Vectra RUX manager using the provided API Root, Client\ - \ ID, and Client Secret.\n2. **Parameter Extraction**: It extracts the `Entity\ - \ ID` and `Entity Type` from the action parameters.\n3. **Validation**: The `Entity\ - \ ID` is validated to ensure it is a non-negative integer.\n4. **Data Retrieval**:\ - \ The action performs a GET request to the Vectra RUX API to fetch the specific\ - \ details of the entity based on the provided ID and type.\n5. **Output Generation**:\ - \ \n - A data table named \"Describe Entity\" is created, containing key attributes\ - \ such as Name, State, Urgency Score, and Importance.\n - The full raw JSON\ - \ response from the API is attached to the action results for granular analysis.\n\ - \n### Additional Notes\n- This action does not automatically process entities\ - \ currently associated with the SecOps case; it operates strictly on the ID provided\ - \ in the parameters.\n- The \"Detection Set\" field in the output table provides\ - \ a list of detection IDs linked to the entity, which can be used for further\ - \ investigation." + ai_description: >- + ### General Description + + The **Describe Entity** action retrieves comprehensive details for a specific + entity (either a **Host** or an **Account**) from the Vectra RUX platform using + its unique identifier. This action is primarily used for deep-dive investigations + where an analyst needs the full metadata associated with a Vectra-tracked asset, + including its state, severity, urgency scores, and associated detection IDs. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | **Entity ID** | String | Yes | The unique numerical identifier for the entity + in Vectra RUX. | + + | **Entity Type** | DDL | Yes | The category of the entity. Must be either `Account` + or `Host`. | + + + ### Flow Description + + 1. **Parameter Extraction:** The action retrieves the `Entity ID` and `Entity + Type` from the user input. + + 2. **Validation:** It validates that the `Entity ID` is a valid integer. + + 3. **API Request:** It calls the Vectra RUX API to fetch the raw data for the + specified entity using a GET request. + + 4. **Data Processing:** The response is parsed into a structured Entity object. + + 5. **Output Generation:** The action creates a Data Table with key entity attributes + and attaches the full raw API response as a JSON result. + + + ### Additional Notes + + * This action does not automatically process entities present in the Google SecOps + case; it requires a specific ID as input. + + * If the entity is not found, the action will return a failure status with an + informative error message. capabilities: can_create_case_comments: false can_create_insight: false @@ -597,9 +677,9 @@ Describe Entity: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -613,6 +693,7 @@ Describe Entity: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Download PCAP: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -621,32 +702,33 @@ Describe Entity: create_ticket: false delete_email: false disable_identity: false - download_file: false + download_file: true enable_identity: false - enrich_asset: true + enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Download PCAP: ai_description: >- ### General Description - Downloads a PCAP (Packet Capture) file associated with a specific detection ID - from the Vectra RUX platform. This action is designed to facilitate deep-dive - forensic analysis by providing the raw network traffic data related to a security - detection. The retrieved file is automatically attached to the action result within - Google SecOps. + The **Download PCAP** action retrieves a Packet Capture (PCAP) file associated + with a specific detection ID from the Vectra RUX platform. This action is designed + to facilitate forensic investigations by providing analysts with the raw network + traffic data that triggered a specific security detection. ### Parameters Description @@ -656,54 +738,52 @@ Download PCAP: | :--- | :--- | :--- | :--- | | Detection ID | String | Yes | The unique identifier of the Vectra detection - for which the PCAP file should be downloaded. Although provided as a string, the - value must represent a valid integer. | + for which the PCAP file should be downloaded. The value must be a valid integer. + | ### Flow Description - 1. **Parameter Extraction**: The action retrieves the `Detection ID` from the - action parameters. - - 2. **Validation**: It validates that the `Detection ID` is a valid integer using - internal utility functions. + 1. **Initialization:** The action initializes the Vectra RUX manager using the + provided API credentials and root URL. - 3. **API Interaction**: The action uses the `VectraRUXManager` to send a GET request - to the Vectra RUX API endpoint specifically for PCAP downloads (`/detections/{detection_id}/pcap`). + 2. **Validation:** The provided `Detection ID` is validated to ensure it is a + valid integer. - 4. **File Retrieval**: Upon a successful response (HTTP 200), the action extracts - the filename from the `Content-Disposition` header and retrieves the binary content - of the PCAP file. + 3. **Data Retrieval:** The action makes a GET request to the Vectra RUX API to + download the PCAP file content associated with the detection. - 5. **Local Storage & Attachment**: The file is temporarily saved to the local - execution environment and then encoded in Base64 to be added as an attachment - to the Siemplify action result. + 4. **File Handling:** The action extracts the filename from the API response headers + and saves the file content. - 6. **Completion**: The action concludes by providing a success message containing - the filename and the associated detection ID. + 5. **Attachment:** The downloaded PCAP file is encoded and added as an attachment + to the action result in Google SecOps, making it available for download by the + analyst. ### Additional Notes - - This action does not process or filter entities from the case; it operates solely - based on the provided `Detection ID` parameter. + - This action does not process entities from the case; it relies solely on the + `Detection ID` parameter. - - If the file is not found or the API returns an error, the action will fail with - a descriptive error message. + - If the PCAP file is not available for the specified detection, the action will + return a failure status. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: false + can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: null + internal_data_mutation_explanation: >- + Adds the downloaded PCAP file as an attachment to the action result within the + Google SecOps platform. categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -717,6 +797,7 @@ Download PCAP: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +List Assignments: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -725,53 +806,58 @@ Download PCAP: create_ticket: false delete_email: false disable_identity: false - download_file: true + download_file: false enable_identity: false enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -List Assignments: - ai_description: "### General Description\nLists assignments from Vectra RUX based\ - \ on specified query parameters. This action allows analysts to retrieve a filtered\ - \ list of assignments, providing visibility into how detections, hosts, or accounts\ - \ are being handled within the Vectra platform. The results are presented as a\ - \ data table for quick review and a full JSON object for further automated processing.\n\ - \n### Parameters Description\n| Parameter | Type | Mandatory | Description |\n\ - | :--- | :--- | :--- | :--- |\n| Accounts IDs | string | No | Comma-separated\ - \ list of account IDs to filter the assignments. |\n| Assignees IDs | string |\ - \ No | Comma-separated list of user IDs (assignees) to filter the assignments.\ - \ |\n| Resolution IDs | string | No | Comma-separated list of outcome/resolution\ - \ IDs to filter the assignments. |\n| Resolved | ddl | No | Filter assignments\ - \ by their resolution status. Options: None, True, False. |\n| Created After |\ - \ string | No | Filter assignments created after a specific timestamp. Supports\ - \ relative formats (e.g., '2 days') or absolute ISO formats. |\n| Limit | string\ - \ | No | The maximum number of assignment records to retrieve. |\n| Hosts IDs\ - \ | string | No | Comma-separated list of host IDs to filter the assignments.\ - \ |\n\n### Flow Description\n1. **Initialization**: The action initializes the\ - \ Vectra RUX manager using the provided API credentials (API Root, Client ID,\ - \ and Client Secret).\n2. **Parameter Extraction**: It extracts all optional filters,\ - \ including Account IDs, Host IDs, Assignee IDs, and Resolution IDs, converting\ - \ comma-separated strings into lists of integers.\n3. **Query Construction**:\ - \ A query parameter mapping is built based on the provided inputs, including the\ - \ 'Resolved' status and 'Created After' timestamp.\n4. **Data Retrieval**: The\ - \ action performs a paginated GET request to the Vectra RUX assignments endpoint\ - \ using the constructed filters and the specified limit.\n5. **Output Generation**:\ - \ \n * If assignments are found, it constructs a data table titled 'Assignment\ - \ Details' containing key fields like Assignment ID, Assigned User, and Outcome.\n\ - \ * The full raw JSON response is attached to the action results.\n * A\ - \ summary message indicates the number of assignments successfully retrieved." + ai_description: "### General Description\nThis action retrieves a list of assignments\ + \ from the Vectra RUX platform based on various filtering criteria. It allows\ + \ analysts to search for assignments associated with specific accounts, hosts,\ + \ assignees, or resolution outcomes. The results are presented as a data table\ + \ for quick review and as a raw JSON object for further automated processing.\n\ + \n### Parameters Description\n| Parameter Name | Type | Mandatory | Description\ + \ |\n| :--- | :--- | :--- | :--- |\n| Accounts IDs | String | No | A comma-separated\ + \ list of account IDs to filter the assignments. |\n| Assignees IDs | String |\ + \ No | A comma-separated list of user IDs (assignees) to filter the assignments.\ + \ |\n| Resolution IDs | String | No | A comma-separated list of outcome/resolution\ + \ IDs to filter the assignments. |\n| Resolved | DDL | No | Filter assignments\ + \ by their resolution status. Options: `None` (no filter), `True` (only resolved),\ + \ `False` (only unresolved). |\n| Created After | String | No | Filter assignments\ + \ created after a specific timestamp. Supports relative formats (e.g., '2 days')\ + \ or absolute ISO 8601 formats. |\n| Limit | String | No | The maximum number\ + \ of assignment records to retrieve. |\n| Hosts IDs | String | No | A comma-separated\ + \ list of host IDs to filter the assignments. |\n\n### Additional Notes\n- If\ + \ no filters are provided, the action will attempt to list assignments based on\ + \ the default limit.\n- The `Limit` parameter is validated to ensure it is a positive\ + \ integer.\n- The action uses pagination to handle large sets of results from\ + \ the Vectra API.\n\n### Flow Description\n1. **Parameter Extraction**: The action\ + \ extracts configuration details (API Root, Credentials) and user-provided filter\ + \ parameters.\n2. **Input Validation**: Comma-separated ID strings are processed\ + \ into lists, and the `Limit` parameter is validated as an integer.\n3. **API\ + \ Request Construction**: A query parameter mapping is built based on the provided\ + \ filters (e.g., `resolved`, `created_after`, `accounts`, `hosts`).\n4. **Data\ + \ Retrieval**: The `VectraRUXManager` executes a paginated GET request to the\ + \ `/assignments` endpoint.\n5. **Result Processing**: The retrieved assignments\ + \ are parsed into internal data models.\n6. **Output Generation**: \n - A data\ + \ table titled \"Assignment Details\" is created containing key fields like Assignment\ + \ ID, Assigned User, and Outcome.\n - The full raw JSON response is attached\ + \ to the action results." capabilities: can_create_case_comments: false can_create_insight: false @@ -785,7 +871,7 @@ List Assignments: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -799,6 +885,7 @@ List Assignments: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +List Detections: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -812,29 +899,35 @@ List Assignments: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: true remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: true send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -List Detections: ai_description: >- + Lists detections from the Vectra AI platform based on a wide variety of filtering + criteria. This action allows analysts to query for specific security events (detections) + associated with hosts or accounts, or to perform broader searches across the environment. + It retrieves detailed metadata for each detection, including threat and certainty + scores, timestamps, and detection types. + + ### General Description - The **List Detections** action retrieves a list of security detections from the - Vectra RUX platform based on a wide array of filtering criteria. It is designed - to provide analysts with visibility into specific threats associated with hosts - or accounts, allowing for deep-dive investigations into detection categories, - threat levels, and temporal data. The action outputs a structured data table for - quick review within the SOAR case and provides the full raw JSON response for - further automated processing. + This action interacts with the Vectra RUX API to retrieve a list of detections. + It supports extensive filtering, including by entity ID, detection category, threat/certainty + thresholds, and time ranges. The results are presented as a summary data table + in the SOAR interface and as a full JSON object for downstream playbook logic. ### Parameters Description @@ -843,77 +936,74 @@ List Detections: | :--- | :--- | :--- | :--- | - | Detection Category | DDL | No | Filters results by the Vectra detection category - (e.g., Exfiltration, Lateral Movement, Reconnaissance). | + | Detection Category | DDL | No | Filters detections by category (e.g., Exfiltration, + Lateral Movement, Reconnaissance). | | Threat GTE | String | No | Filters detections with a threat score greater than - or equal to this value. | + or equal to the provided value. | | Certainty GTE | String | No | Filters detections with a certainty score greater - than or equal to this value. | + than or equal to the provided value. | - | Last Timestamp GTE | String | No | Filters detections occurring on or after - this timestamp. | + | Last Timestamp GTE | String | No | Filters detections with a last seen timestamp + greater than or equal to the provided value. | - | Last Timestamp LTE | String | No | Filters detections occurring on or before - this timestamp. | + | Last Timestamp LTE | String | No | Filters detections with a last seen timestamp + less than or equal to the provided value. | - | Tags | String | No | A comma-separated list of tags to filter the detections. - | + | Tags | String | No | Comma-separated list of tags to filter detections. | - | Entity Type | DDL | No | Specifies the type of entity to filter by (Host or - Account). | + | Entity Type | DDL | No | The type of entity to filter by (Host or Account). + | - | Entity ID | String | No | The unique identifier of the entity in Vectra to retrieve - detections for. | + | Entity ID | String | No | The specific ID of the entity to retrieve detections + for. | | Is Targeting Key Asset | DDL | No | Filters detections based on whether they - target a designated key asset (True/False). | + target a key asset (True/False). | - | Note Modified Timestamp GTE | String | No | Filters detections where the associated - notes were modified after this timestamp. | + | Note Modified Timestamp GTE | String | No | Filters detections where notes were + modified after the specified timestamp. | | Limit | String | No | The maximum number of detection records to retrieve. | | Order | DDL | No | Specifies the sort order (Ascending or Descending). | - | Order By | DDL | No | The field used for sorting (last_timestamp, threat_score, - or certainty_score). | + | Order By | DDL | No | Specifies the field to sort by (last_timestamp, threat_score, + certainty_score). | | State | DDL | No | Filters detections by their current state (Active, Inactive, - or Fixed). | + Fixed). | - | Detection Type | String | No | Filters by the specific name or type of detection. + | Detection Type | String | No | Filters by a specific detection type string. | - ### Flow Description + ### Additional Notes - 1. **Parameter Extraction:** The action retrieves configuration details (API Root, - Credentials) and all user-provided filter parameters. + - The action automatically handles API versioning by stripping version strings + from returned URLs to ensure compatibility with the platform's UI. - 2. **Validation:** It validates numeric inputs such as `Threat GTE`, `Certainty - GTE`, and `Limit` to ensure they are valid integers. + - If no detections match the provided filters, the action will complete successfully + with an informative message. - 3. **API Request:** The action initializes the VectraRUX manager, authenticates, - and sends a GET request to the detections endpoint using the constructed query - parameters. - 4. **Data Processing:** For each retrieved detection, the action cleans up internal - API versioning strings from URLs to ensure they are user-friendly. + ### Flow Description - 5. **Output Generation:** It extracts key fields (ID, Type, Category, Timestamps, - State) to create a 'List Of Detections' data table and attaches the complete JSON - payload to the action results. + 1. **Authentication:** Connects to the Vectra API using the configured Client + ID and Client Secret to obtain an access token. + 2. **Parameter Validation:** Validates numeric inputs like 'Limit', 'Threat GTE', + and 'Certainty GTE' to ensure they are valid integers. - ### Additional Notes + 3. **API Query:** Constructs a GET request to the `/detections` endpoint, applying + all provided filter parameters. - - This action does not run on SOAR entities automatically; it relies on the `Entity - ID` and `Entity Type` parameters provided in the action configuration. + 4. **Data Processing:** Iterates through the retrieved detections, cleaning up + URL fields and extracting key fields for the summary table. - - If no detections match the provided filters, the action will complete successfully - with an informative message. + 5. **Output Generation:** Adds a formatted data table to the case wall and attaches + the full raw JSON response to the action results. capabilities: can_create_case_comments: false can_create_insight: false @@ -925,9 +1015,9 @@ List Detections: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -941,6 +1031,7 @@ List Detections: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +List Entities: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -954,117 +1045,107 @@ List Detections: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: true search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -List Entities: ai_description: >- - Lists entities (Hosts or Accounts) from the Vectra RUX platform based on specified - query parameters. This action allows analysts to search for and retrieve detailed - metadata about assets within the Vectra environment using various filters such - as entity name, state, urgency scores, and tags. It is particularly useful for - threat hunting, asset discovery, or gathering context on a group of related entities. - The action retrieves data via a paginated GET request and presents the results - in both a structured data table for the SOAR UI and a full JSON response for downstream - processing. + ### General Description + Retrieves a list of entities (Hosts or Accounts) from the Vectra RUX platform + based on user-defined query parameters. This action is useful for broad searches + or audits of assets within the Vectra environment, allowing analysts to filter + by state, tags, urgency scores, and timeframes. - ### Parameters Description + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Entity Type | DDL | Yes | Specifies the type of entities to retrieve. Valid - values are "Host" or "Account". | + | Entity Type | DDL | Yes | Specifies whether to fetch 'Host' or 'Account' entities. + | - | Order By | DDL | No | Sorts the results by a specific field such as `urgency_score`, - `last_detection_timestamp`, `name`, or `last_modified_timestamp`. | + | Order By | DDL | No | Field used to sort the results (e.g., urgency_score, last_detection_timestamp). + | - | Fields | Multi-choice | No | Allows selection of specific fields to include - in the response (e.g., `id`, `name`, `ip`, `severity`). | + | Fields | Multi-choice | No | Specific fields to include in the output. | - | Name | String | No | Filters entities by their display name. | + | Name | String | No | Filter results by the entity's name. | - | State | DDL | No | Filters entities by their current state: "Active" or "Inactive". - | + | State | DDL | No | Filter by the entity's state (Active or Inactive). | - | Last Detection Timestamp GTE | String | No | Filters for entities with a last - detection timestamp greater than or equal to the provided value. | + | Last Detection Timestamp GTE | String | No | Filter for entities with a last + detection timestamp greater than or equal to this value. | - | Last Detection Timestamp LTE | String | No | Filters for entities with a last - detection timestamp less than or equal to the provided value. | + | Last Detection Timestamp LTE | String | No | Filter for entities with a last + detection timestamp less than or equal to this value. | - | Tags | String | No | Filters entities by associated tags (provide as a comma-separated - list). | + | Tags | String | No | Filter by comma-separated tags. | - | Note Modified Timestamp GTE | String | No | Filters for entities where notes - were modified after the provided timestamp. | + | Note Modified Timestamp GTE | String | No | Filter for entities where notes + were modified after this timestamp. | - | Prioritized | DDL | No | Filters entities based on whether they are marked as - prioritized ("True" or "False"). | + | Prioritized | DDL | No | Filter based on whether the entity is prioritized (True/False). + | | Limit | String | No | The maximum number of entities to retrieve. | - | Order | DDL | No | Specifies the sort order: "Ascending" or "Descending". | + | Order | DDL | No | Sort order (Ascending or Descending). | - ### Additional Notes - - - The `Limit` parameter is validated to ensure it is a positive integer. If not - provided, the system defaults to a predefined maximum. + ### Flow Description - - If `Order` is set to "Descending", the `Order By` field is automatically prefixed - with a minus sign (`-`) for the API request. + 1. **Parameter Extraction**: The action retrieves configuration settings and user-provided + filter parameters. - - The action automatically cleans up URLs in the response by removing the API - version substring for better readability. + 2. **Validation**: Validates the 'Limit' parameter to ensure it is a valid integer. + 3. **API Request**: Calls the Vectra RUX API's list entities endpoint with the + specified filters and pagination logic. - ### Flow Description + 4. **Data Processing**: Iterates through the returned entities, cleans up internal + API URLs, and extracts a subset of mandatory fields (ID, Name, Severity, etc.) + for display. - 1. **Parameter Extraction:** Retrieves configuration (API Root, Credentials) and - action parameters (filters, sorting, limit). + 5. **Output Generation**: Adds a formatted data table 'List Of Entities' to the + action results and provides the full raw JSON response for further processing. - 2. **Validation:** Validates the `Limit` parameter and formats the `Order By` - field based on the selected `Order`. - 3. **Manager Initialization:** Initializes the VectraRUXManager and authenticates - with the platform. - - 4. **API Request:** Executes a paginated GET request to the Vectra `entities` - endpoint using the constructed query parameters. + ### Additional Notes - 5. **Data Processing:** Iterates through the retrieved entities, cleans up URL - fields, and extracts mandatory fields (ID, Type, Name, Severity, etc.) for the - UI table. + - The 'Entity Type' parameter is mandatory and determines the scope of the search. - 6. **Output Generation:** Adds a CSV-formatted data table to the action results - and attaches the full raw JSON response. + - If no entities match the criteria, the action completes with a message indicating + no results were found. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: false + can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: null + internal_data_mutation_explanation: >- + Adds a data table 'List Of Entities' to the action results containing the retrieved + entity details. categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1078,6 +1159,7 @@ List Entities: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +List Entity Detections: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1091,26 +1173,28 @@ List Entities: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: true send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -List Entity Detections: ai_description: >- ### General Description - This action retrieves a list of detections associated with a specific entity ID - (either a Host or an Account) from the Vectra RUX platform. It is used to gain - visibility into the security events linked to a particular asset by fetching detailed - detection metadata, including detection types, categories, and timestamps. + Retrieves a list of detections associated with a specific entity (Host or Account) + from the Vectra RUX platform. This action is useful for security analysts to quickly + identify all security events or 'detections' linked to a particular asset or user + account, providing context for investigation and incident response. ### Parameters Description @@ -1119,42 +1203,44 @@ List Entity Detections: | :--- | :--- | :--- | :--- | - | Entity ID | String | Yes | The unique numerical identifier of the entity in - Vectra. | + | Entity ID | string | Yes | The unique numerical identifier of the entity (Host + or Account) in Vectra RUX. | - | Entity Type | DDL | Yes | Specifies whether the ID belongs to an 'Account' or - a 'Host'. | + | Entity Type | ddl | Yes | Specifies whether the provided ID belongs to an 'Account' + or a 'Host'. | - | Limit | String | No | The maximum number of detections to retrieve. If not provided, - a default limit is applied. | + | Limit | string | No | The maximum number of detections to retrieve. If not provided, + the system uses a default limit. | - | State | DDL | Yes | Filters detections by their current state. Options include + | State | ddl | Yes | Filters detections by their current state. Options include 'Active', 'Inactive', or 'Fixed'. | ### Additional Notes - - The action first performs a lookup to describe the entity and retrieve its associated - detection IDs before fetching the full detection details. + - The action first fetches the entity details to extract the list of associated + detection IDs before querying the detection details. - - The 'Entity ID' must be a valid integer. + - Results are presented both as a raw JSON object and a formatted data table for + easy viewing in the SOAR interface. ### Flow Description - 1. **Parameter Extraction:** The action retrieves the API configuration and the - user-provided parameters (Entity ID, Type, Limit, and State). + 1. **Parameter Extraction**: The action retrieves the Entity ID, Entity Type, + Limit, and State from the user input. - 2. **Validation:** It validates that the 'Entity ID' and 'Limit' are valid integers. + 2. **Validation**: It validates that the Entity ID and Limit are valid integers. - 3. **Entity Lookup:** It calls the Vectra API to describe the entity and extract - the list of detection IDs associated with it. + 3. **Entity Lookup**: It calls the Vectra RUX API to describe the entity and retrieve + its associated `detection_ids`. - 4. **Detection Retrieval:** If detections are found, it fetches the detailed information - for each detection ID, applying the 'State' filter and 'Limit'. + 4. **Detection Retrieval**: If detections exist, it queries the detections endpoint + using the retrieved IDs and applies the state filter and limit. - 5. **Output Generation:** The results are processed into a JSON object and a data - table, which are then attached to the action results in Google SecOps. + 5. **Output Generation**: The retrieved detection data is processed into a JSON + result and a data table containing key fields like ID, URL, Type, Category, and + Last Timestamp. capabilities: can_create_case_comments: false can_create_insight: false @@ -1166,9 +1252,9 @@ List Entity Detections: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1182,6 +1268,7 @@ List Entity Detections: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +List Groups: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1195,92 +1282,93 @@ List Entity Detections: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -List Groups: ai_description: >- - ### General Description + Retrieves a list of groups from Vectra RUX based on specified filtering criteria. + This action allows analysts to search for groups by name, type (account, IP, domain, + host), importance level, and associated identifiers like hostnames or account + names. It is useful for identifying group memberships and organizational structures + within the Vectra platform. - Retrieves a list of groups from Vectra RUX based on specified query parameters. - This action allows analysts to search for and list groups by name, type, importance, - and associated members such as hosts, accounts, IPs, or domains. + ### Flow Description: - ### Parameters Description + 1. **Parameter Initialization**: The action extracts configuration details (API + Root, Client ID, Client Secret) and user-provided search filters. - | Parameter | Type | Mandatory | Description | + 2. **Input Processing**: Comma-separated strings for parameters like 'Host Names', + 'Account Names', 'Domains', and 'IPs' are parsed into lists for the API query. - | :--- | :--- | :--- | :--- | + 3. **Validation**: The 'Limit' parameter is validated to ensure it is a positive + integer. - | Last Modified Timestamp GTE | String | No | Filter groups modified on or after - this timestamp (e.g., 2023-10-27T12:00). | + 4. **API Query**: The action calls the Vectra RUX API's group listing endpoint, + applying the provided filters and handling pagination to retrieve the requested + number of records. - | Last Modified By | String | No | Filter by the username of the person who modified - the group. | + 5. **Output Generation**: If groups are found, they are presented in a structured + data table and a full JSON result is attached to the action output. - | Name | String | No | Filter by the specific name of the group. | - | Type | DDL | No | Filter by the type of group: account, ip, domain, or host. - | + ### Parameters Description: - | Limit | String | No | The maximum number of group records to return. | + | Parameter | Type | Mandatory | Description | - | Account Names | String | No | Comma-separated list of account names to filter - group membership. | + | :--- | :--- | :--- | :--- | - | Domains | String | No | Comma-separated list of domains to filter group membership. - | + | Last Modified Timestamp GTE | String | No | Filters groups modified on or after + this timestamp. | - | Host Ids | String | No | Comma-separated list of host IDs to filter group membership. + | Last Modified By | String | No | Filters groups modified by a specific username. | - | Host Names | String | No | Comma-separated list of host names to filter group - membership. | + | Name | String | No | Filters groups by their name. | - | Importance | DDL | No | Filter by the importance level: low, medium, high, or - never_prioritize. | - - | IPs | String | No | Comma-separated list of IP addresses to filter group membership. + | Type | DDL | No | Filters groups by type: 'account', 'ip', 'domain', or 'host'. | - | Description | String | No | Filter by the group's description (case-insensitive - match). | + | Limit | String | No | The maximum number of group records to retrieve. | + | Account Names | String | No | Comma-separated list of account names to filter + by. | - ### Flow Description + | Domains | String | No | Comma-separated list of domains to filter by. | - 1. **Initialization**: The action initializes the Vectra RUX manager using the - provided API credentials. + | Host Ids | String | No | Comma-separated list of host IDs to filter by. | - 2. **Parameter Processing**: It extracts all optional filters and validates the - 'Limit' parameter to ensure it is a valid integer. + | Host Names | String | No | Comma-separated list of host names to filter by. + | - 3. **API Retrieval**: The action performs a paginated GET request to the Vectra - RUX `/groups` endpoint, applying the specified filters. + | Importance | DDL | No | Filters groups by importance level (e.g., low, medium, + high). | - 4. **Result Formatting**: If groups are found, they are formatted into a data - table titled 'List Of Groups' and the full raw data is returned as a JSON result. + | IPs | String | No | Comma-separated list of IP addresses to filter by. | - 5. **Completion**: The action concludes by reporting the number of groups successfully - retrieved. + | Description | String | No | Filters groups by description (case-insensitive + match). | - ### Additional Notes + ### Additional Notes: - - If no groups match the provided filters, the action will complete successfully - with a message stating no groups were found. + - This action does not run on entities automatically; it relies entirely on the + provided input parameters. - - The 'Limit' parameter defaults to a system-defined maximum if not specified. + - If no parameters are provided, the action will attempt to list all groups up + to the default limit. capabilities: can_create_case_comments: false can_create_insight: false @@ -1294,7 +1382,7 @@ List Groups: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1308,6 +1396,7 @@ List Groups: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +List Outcomes: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1321,55 +1410,62 @@ List Groups: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -List Outcomes: - ai_description: "### General Description\nThis action retrieves a list of all available\ - \ assignment outcomes from the Vectra RUX platform. Assignment outcomes represent\ - \ the possible resolutions or classifications that can be applied when resolving\ - \ an assignment (e.g., 'True Positive', 'Benign'). This is primarily a utility\ - \ action used to identify valid outcome IDs for use in other assignment-related\ - \ actions.\n\n### Parameters Description\n| Parameter | Type | Mandatory | Description\ - \ |\n| :--- | :--- | :--- | :--- |\n| Limit | string | No | Specifies the maximum\ - \ number of outcome records to fetch from the API. If not provided, a default\ - \ system limit is applied. |\n\n### Additional Notes\n- The action validates that\ - \ the 'Limit' parameter is a positive integer.\n- The results are presented both\ - \ as a structured data table ('Outcome Details') and as a raw JSON object.\n\n\ - ### Flow Description\n1. **Parameter Initialization**: The action extracts the\ - \ API configuration (Root, Client ID, Client Secret) and the 'Limit' action parameter.\n\ - 2. **Validation**: It validates that the 'Limit' parameter is a valid non-negative\ - \ integer.\n3. **API Interaction**: It initializes the VectraRUXManager and calls\ - \ the `get_outcome_list` method, which performs a GET request to the `/assignment_outcomes`\ - \ endpoint.\n4. **Data Processing**: The manager paginates through the results\ - \ if necessary (up to the specified limit) and parses the raw JSON into Outcome\ - \ data models.\n5. **Output Generation**: \n - A data table named 'Outcome\ - \ Details' is created containing the Outcome ID, Title, Category, and flags for\ - \ 'Built In' and 'User Selectable'.\n - The full JSON response is attached\ - \ to the action result." + ai_description: "### General Description\nRetrieves a list of all available assignment\ + \ outcomes from the Vectra RUX platform. This action provides visibility into\ + \ the possible resolution states (e.g., 'True Positive', 'False Positive') and\ + \ categories that can be applied when resolving assignments or detections. The\ + \ results are presented both as a structured JSON object and a formatted data\ + \ table for easy review by analysts.\n\n### Parameters Description\n| Parameter\ + \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Limit |\ + \ String | No | Specifies the maximum number of outcome records to fetch from\ + \ the API. If left empty, the action will attempt to retrieve all available outcomes\ + \ up to the system's default limit. |\n\n### Flow Description\n1. **Parameter\ + \ Initialization**: The action extracts the API configuration (Root, Client ID,\ + \ Client Secret) and the optional 'Limit' parameter.\n2. **Validation**: The 'Limit'\ + \ parameter is validated to ensure it is a valid non-negative integer.\n3. **API\ + \ Interaction**: The action connects to the Vectra RUX API and requests the list\ + \ of assignment outcomes from the `/assignment_outcomes` endpoint, applying pagination\ + \ if necessary based on the provided limit.\n4. **Data Processing**: The retrieved\ + \ outcomes are parsed into a standardized model containing the Outcome ID, Title,\ + \ Category, and whether it is a built-in or user-selectable outcome.\n5. **Output\ + \ Generation**: \n * A data table titled \"Outcome Details\" is created and\ + \ added to the case.\n * The full raw response is attached as a JSON result.\n\ + \ * A success message indicates the number of outcomes retrieved.\n\n###\ + \ Additional Notes\n- If no outcomes are found, the action will complete successfully\ + \ with a \"No outcomes found\" message.\n- This action is primarily used for administrative\ + \ or investigative context to understand how alerts can be classified during the\ + \ resolution phase." capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: false + can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: null + internal_data_mutation_explanation: >- + Adds a data table named 'Outcome Details' to the action results within Google + SecOps. categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1383,6 +1479,7 @@ List Outcomes: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +List Users: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1396,71 +1493,43 @@ List Outcomes: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -List Users: ai_description: >- - ### General Description - - The **List Users** action retrieves a list of users from the Vectra RUX platform - based on specified filtering criteria. It allows analysts to search for users - by their role, email address, or a minimum last login timestamp. The results are - presented as a data table and a raw JSON object within the Google SecOps environment. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **Role** | String | No | Filters the user list to only include users with the - specified role. | - - | **Email** | String | No | Filters the user list to only include the user with - the specified email address. | - - | **Last Login GTE** | String | No | Filters users whose last login timestamp - is greater than or equal to the provided value (Format: YYYY-MM-DDTHH:MM). | - - | **Limit** | String | No | Specifies the maximum number of user records to retrieve. - If not provided, a default limit is applied. | - - - ### Additional Notes - - - This action does not require any entities to be present in the context. - - - The `Limit` parameter must be a positive integer if provided. - - - ### Flow Description - - 1. **Parameter Extraction:** The action retrieves the configuration (API Root, - Credentials) and action parameters (Role, Email, Last Login GTE, Limit). - - 2. **Validation:** The `Limit` parameter is validated to ensure it is a valid - integer. - - 3. **API Interaction:** The action connects to the Vectra RUX API and performs - a paginated GET request to the `/users` endpoint using the provided filters. - - 4. **Data Processing:** The retrieved user objects are parsed into a structured - format. - - 5. **Output Generation:** A data table titled "List Of Users" is created with - key user details (Name, Email, Role, ID, Last Login), and the full raw response - is attached as a JSON result. + Lists users from the Vectra RUX platform based on query parameters. This action + enables security analysts to search for and retrieve user account information, + including roles, email addresses, and login history. It is primarily used for + identity verification and investigative research within the Vectra environment. + ### Flow Description: 1. **Parameter Extraction:** Retrieves API credentials and + filter criteria (Role, Email, Last Login GTE, Limit) from the action configuration. + 2. **Validation:** Validates the 'Limit' parameter to ensure it is a valid integer. + 3. **API Interaction:** Connects to the Vectra RUX API and requests the user list + using the specified filters. 4. **Pagination:** Handles paginated responses from + the API to collect all relevant user records up to the defined limit. 5. **Data + Processing:** Parses the raw API response into structured User objects. 6. **Output + Generation:** Populates a data table ('List Of Users') in the SOAR case and provides + the full JSON response for downstream tasks. ### Parameters Description: | Parameter + | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | | Role | String + | No | Filters the user list by a specific role (e.g., 'admin', 'readonly'). | + | Email | String | No | Filters the user list by a specific email address. | | + Last Login GTE | String | No | Filters for users whose last login timestamp is + greater than or equal to the provided value. | | Limit | String | No | Specifies + the maximum number of user records to retrieve. | ### Additional Notes: - If no + users match the criteria, the action completes successfully with an informative + message. - The 'Limit' parameter defaults to a system-defined maximum if not provided. capabilities: can_create_case_comments: false can_create_insight: false @@ -1474,7 +1543,7 @@ List Users: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1488,6 +1557,7 @@ List Users: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Mark Detection Fixed: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1501,58 +1571,61 @@ List Users: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Mark Detection Fixed: ai_description: >- - ### General Description - - Marks one or more detections as 'fixed' in the Vectra AI platform. This action - is used to programmatically update the status of detections, indicating that the - underlying security issue has been addressed or resolved within the Vectra environment. + Marks specific detections as fixed in the Vectra platform. This action allows + analysts to programmatically update the status of one or more detections by providing + their unique identifiers. It is useful for closing out handled threats directly + from the SOAR workflow. ### Flow Description - 1. **Parameter Extraction**: Retrieves the API configuration (API Root, Client - ID, and Client Secret) and the 'Detection IDs' provided by the user. + 1. **Parameter Extraction**: Retrieves the API configuration (Root, Client ID, + Secret) and the list of Detection IDs from the action input. - 2. **Validation**: Parses the comma-separated string of IDs and validates that - each ID is a valid integer using internal utility managers. + 2. **Validation**: Parses the comma-separated string of Detection IDs and validates + that each ID is a valid integer. - 3. **API Interaction**: Initializes the VectraRUXManager and sends a PATCH request - to the Vectra detections endpoint with the list of IDs and the `mark_as_fixed` - parameter set to `True`. + 3. **API Interaction**: Connects to the Vectra API and sends a PATCH request to + the detections endpoint, setting the `mark_as_fixed` flag to `True` for all provided + IDs. - 4. **Result Processing**: Captures the API response and attaches it as a JSON - result to the action execution, providing feedback on the success of the operation. + 4. **Result Handling**: Captures the API response and reports the success or failure + of the operation. ### Parameters Description - | Parameter | Description | Type | Mandatory | Notes | + | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | :--- | + | :--- | :--- | :--- | :--- | - | Detection IDs | A comma-separated list of numeric IDs representing the detections - to be marked as fixed. | String | Yes | Each ID must be a valid integer. | + | Detection IDs | String | Yes | A comma-separated list of numeric IDs for the + detections that should be marked as fixed. | ### Additional Notes - This action performs a bulk update on the external Vectra system. It does not - interact with or modify entities within the Google SecOps case directly, nor does - it create insights or comments. + - This action does not run on entities; it requires explicit IDs provided via + the 'Detection IDs' parameter. + + - The action uses a PATCH request to modify the state of detections in the external + Vectra system. capabilities: can_create_case_comments: false can_create_insight: false @@ -1561,14 +1634,14 @@ Mark Detection Fixed: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the status of specific detections in the Vectra AI platform to 'fixed' - via a PATCH request to the detections API endpoint. + Updates the 'mark_as_fixed' status of detections to 'True' in the Vectra platform + via a PATCH request. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1582,6 +1655,7 @@ Mark Detection Fixed: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Mark Entity Fixed: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1595,66 +1669,64 @@ Mark Detection Fixed: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false - update_alert: true + update_alert: false update_email: false update_identity: false update_ticket: false -Mark Entity Fixed: ai_description: >- - ### General Description - - The **Mark Entity Fixed** action is used to programmatically resolve all security - detections associated with a specific entity (either a Host or an Account) within - the Vectra RUX platform. By providing the unique Entity ID and specifying its - type, the action identifies all linked detections and updates their status to - 'fixed,' effectively clearing them from the active queue in Vectra. + Marks all detections associated with a specific entity as 'fixed' in the Vectra + platform. This action identifies all active detections for a given Host or Account + and updates their status to prevent further alerting on those specific instances. - ### Parameters Description + ### Flow Description: - | Parameter | Type | Mandatory | Description | + 1. **Parameter Extraction:** Retrieves the 'Entity ID' and 'Entity Type' (Host + or Account) from the action parameters. - | :--- | :--- | :--- | :--- | + 2. **Entity Validation:** Validates that the provided Entity ID is a valid integer. - | **Entity ID** | String | Yes | The unique numerical identifier of the entity - in Vectra whose detections should be marked as fixed. | + 3. **Detection Retrieval:** Calls the Vectra API to describe the entity and retrieve + the list of all associated detection IDs. - | **Entity Type** | DDL | Yes | The type of entity being targeted. Options are - `Account` or `Host`. | + 4. **Status Update:** If detections are found, it sends a PATCH request to the + Vectra platform to mark all retrieved detection IDs as fixed. + 5. **Result Reporting:** Returns the API response as a JSON result and provides + a summary message of the operation. - ### Flow Description - 1. **Parameter Extraction:** The action retrieves the `Entity ID` and `Entity - Type` from the user input. + ### Parameters Description: - 2. **Entity Validation:** The `Entity ID` is validated to ensure it is a proper - integer. + | Parameter Name | Type | Mandatory | Description | - 3. **Detection Retrieval:** The action calls the Vectra API to describe the entity, - which returns a list of all `detection_ids` currently associated with that entity. + | :--- | :--- | :--- | :--- | - 4. **State Update:** If detections are found, the action sends a PATCH request - to Vectra's detections endpoint to mark all identified IDs as 'fixed'. + | Entity ID | string | Yes | The unique numerical identifier of the entity in + Vectra whose detections should be marked as fixed. | - 5. **Result Reporting:** The action returns the API response from Vectra and provides - a summary message of the operation's success. + | Entity Type | ddl | Yes | The category of the entity. Must be either 'Account' + or 'Host'. | - ### Additional Notes + ### Additional Notes: - - This action performs a state change in the external Vectra system. + - This action performs a state change in the external Vectra system by updating + the status of detections. - - If no detections are found for the provided Entity ID, the action will complete - successfully but will report that no detections were found. + - If no detections are associated with the provided Entity ID, the action will + complete successfully with a message indicating no detections were found. capabilities: can_create_case_comments: false can_create_insight: false @@ -1663,14 +1735,14 @@ Mark Entity Fixed: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the state of detections associated with a specific entity to 'fixed' - in the Vectra RUX platform via a PATCH request. + Updates the status of detections in the Vectra platform to 'fixed' via a PATCH + request to the /detections endpoint. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1684,6 +1756,7 @@ Mark Entity Fixed: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1697,48 +1770,60 @@ Mark Entity Fixed: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: - ai_description: "### General Description\nThe **Ping** action is a diagnostic tool\ - \ designed to verify the connectivity between the Google SecOps (Chronicle) environment\ - \ and the Vectra RUX platform. Its primary purpose is to ensure that the integration's\ - \ configuration parameters (API Root, Client ID, and Client Secret) are correct\ - \ and that the network path to the Vectra API is open. This action is typically\ - \ used during the initial setup of the integration or for troubleshooting communication\ - \ issues.\n\n### Parameters Description\nThis action does not require any input\ - \ parameters at the action level. It relies entirely on the integration's global\ - \ configuration settings:\n\n| Parameter | Type | Mandatory | Description |\n\ - | :--- | :--- | :--- | :--- |\n| API Root | String | Yes | The base URL of the\ - \ Vectra RUX API instance. |\n| Client ID | String | Yes | The unique identifier\ - \ for the API client used for authentication. |\n| Client Secret | Password |\ - \ Yes | The secret key associated with the Client ID for secure authentication.\ - \ |\n\n### Flow Description\n1. **Initialization**: The action starts by initializing\ - \ the Siemplify SDK and retrieving the global configuration parameters (API Root,\ - \ Client ID, and Client Secret).\n2. **Manager Setup**: It instantiates the `VectraRUXManager`.\ - \ During instantiation, the manager attempts to generate an OAuth2 access token\ - \ by sending a POST request to the `oauth2/token` endpoint.\n3. **Connectivity\ - \ Test**: The action calls the `test_connectivity` method. This method validates\ - \ the stored tokens or attempts to re-authenticate if the credentials have changed.\n\ - 4. **Result Reporting**: \n * If the authentication and connection are successful,\ - \ the action returns a success message: \"Successfully connected to the VectraRUX\ - \ server\".\n * If an error occurs (e.g., invalid credentials, network timeout,\ - \ or API error), the action catches the exception, logs the error details, and\ - \ returns a failure message.\n\n### Additional Notes\n* **Authentication Mechanism**:\ - \ The action uses OAuth2 Client Credentials flow. It manages token persistence\ - \ internally using a local JSON file to avoid redundant authentication requests.\n\ - * **Error Handling**: The action includes robust error handling to distinguish\ - \ between authentication failures (401/403) and server-side issues (500+)." + ai_description: >- + ### General Description + + Tests the connectivity of the Chronicle SOAR server to the Vectra platform. This + action verifies that the provided API Root, Client ID, and Client Secret are valid + and that the SOAR server can reach the Vectra API endpoints by attempting to generate + an OAuth2 token. + + + ### Parameters Description + + | Parameter | Description | Type | Mandatory | + + | :--- | :--- | :--- | :--- | + + | None | This action does not have any input parameters. | N/A | N/A | + + + ### Flow Description + + 1. **Initialization**: The action initializes the Siemplify context and retrieves + the integration's global configuration parameters (API Root, Client ID, and Client + Secret). + + 2. **Manager Setup**: It instantiates the `VectraRUXManager` which handles the + session and authentication logic. + + 3. **Connectivity Test**: The manager attempts to authenticate with the Vectra + platform using the provided credentials. This involves checking for existing tokens + or requesting a new one via the OAuth2 token endpoint. + + 4. **Result Reporting**: If the authentication is successful, the action returns + a success message. If an error occurs (e.g., network timeout, invalid credentials), + it logs the error and reports a failure. + + + ### Additional Notes + + There are no additional notes for this action. capabilities: can_create_case_comments: false can_create_insight: false @@ -1752,7 +1837,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1766,6 +1851,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Remove Assignment: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1779,56 +1865,67 @@ Ping: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false - update_identity: false + update_identity: true update_ticket: false -Remove Assignment: ai_description: >- - Removes the assignment associated with a specific entity (Host or Account) in - Vectra RUX. This action is used to clear the ownership or analyst assignment of - a detection target within the Vectra platform. + ### General Description + Removes the assignment associated with a specific entity (either an Account or + a Host) in Vectra RUX. This action is used to clear ownership or responsibility + status for an entity within the Vectra platform by deleting the assignment record. - ### Flow Description: - 1. **Validation**: Validates that the provided `Entity ID` is a valid integer. + ### Parameters Description - 2. **Retrieval**: Fetches the current metadata for the specified entity from Vectra - RUX to identify if an active assignment exists. + | Parameter | Type | Mandatory | Description | - 3. **Identification**: Extracts the `assignment_id` from the entity's details - if present. + | :--- | :--- | :--- | :--- | - 4. **Deletion**: Executes a DELETE request to the Vectra API to remove the identified - assignment. + | Entity ID | String | Yes | The unique identifier of the entity in Vectra RUX + from which the assignment should be removed. | + | Entity Type | DDL | Yes | The type of the entity. Supported values are 'Account' + or 'Host'. | - ### Parameters Description: - | Parameter Name | Type | Mandatory | Description | + ### Flow Description - | :--- | :--- | :--- | :--- | + 1. **Parameter Extraction:** Retrieves the `Entity ID` and `Entity Type` from + the action parameters. - | Entity ID | String | Yes | The unique numeric identifier of the entity in Vectra - RUX. | + 2. **Validation:** Validates that the provided `Entity ID` is a valid integer. - | Entity Type | DDL | Yes | The category of the entity. Supported values are 'Account' - or 'Host'. | + 3. **Entity Lookup:** Fetches the current information for the specified entity + from Vectra RUX to verify its state. + 4. **Assignment Check:** Checks if the entity currently has an active assignment + associated with it. - ### Additional Notes: + 5. **Removal:** If an assignment exists, it extracts the `Assignment ID` and sends + a DELETE request to the Vectra RUX API to remove the assignment. + + 6. **Completion:** Returns a success message if the assignment was successfully + deleted, or an error message if the entity did not have an assignment or if the + entity was not found. - * If the entity does not have an active assignment, the action will fail with - a message indicating that no assignment was found. + + ### Additional Notes + + This action requires valid API credentials (Client ID and Client Secret) and the + API Root URL for the Vectra RUX instance to be configured in the integration settings. capabilities: can_create_case_comments: false can_create_insight: false @@ -1837,14 +1934,13 @@ Remove Assignment: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Deletes an existing assignment record in the Vectra RUX platform via a DELETE - request to the assignments API endpoint. + Deletes an assignment record in Vectra RUX associated with the specified entity. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1858,6 +1954,7 @@ Remove Assignment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Remove Group: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1871,58 +1968,74 @@ Remove Assignment: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false - update_identity: false + update_identity: true update_ticket: false -Remove Group: ai_description: >- - Removes specified members from a group in Vectra AI. This action identifies a - group by its ID and removes a list of provided members (which can be accounts, - hosts, IPs, or domains depending on the group type). It validates the input, performs - a PATCH request to update the group membership in the external system, and provides - a summary of which members were successfully removed and which were not found - in the group. + Removes specified members from a group in Vectra AI. This action allows for automated + management of Vectra groups by providing a Group ID and a list of members to be + detached. It performs a state change in the Vectra platform and provides a detailed + summary of the operation, including an HTML visualization of the group's updated + state. - ### Flow Description + ### Parameters Description - 1. **Parameter Extraction**: Retrieves the Group ID and the comma-separated list - of members from the action parameters. - 2. **Validation**: Validates that the Group ID is a positive integer. + | Parameter | Type | Mandatory | Description | - 3. **Pre-check**: Fetches the current members of the group to verify existence - and prepare for comparison. + | :--- | :--- | :--- | :--- | - 4. **External Mutation**: Sends a PATCH request to the Vectra AI API with the - `membership_action` set to 'remove' to update the group's member list. + | Group ID | String | True | The unique integer ID of the group in Vectra AI. + | - 5. **Result Processing**: Compares the member list before and after the operation - to determine success. It then renders an HTML table showing the updated group - details and returns the raw JSON response. + | Members | String | True | A comma-separated list of members to remove. The format + of the members (e.g., IP, hostname, UID, or domain) must match the group's type + configuration in Vectra. | - ### Parameters Description + ### Additional Notes - | Parameter | Type | Mandatory | Description | + - The **Group ID** must be a valid positive integer. - | :--- | :--- | :--- | :--- | + - The action will identify which members were successfully removed and which were + not found in the group. - | Group ID | String | Yes | The unique integer identifier of the group in Vectra - AI. | + - The result includes an HTML table showing the updated group properties and its + current member list. + + + ### Flow Description + + 1. **Parameter Extraction:** Retrieves API credentials and action parameters (Group + ID and Members). + + 2. **Validation:** Validates that the Group ID is a positive integer and processes + the comma-separated Members string into a list. + + 3. **Pre-check:** Fetches the current group members from Vectra AI to verify the + group's existence and current state. + + 4. **Mutation:** Executes a PATCH request to the Vectra API endpoint for the specified + group with the `membership_action` set to `remove`. - | Members | String | Yes | A comma-separated list of member identifiers to remove. - These should match the group's type (e.g., account UIDs, hostnames, IP addresses, - or domains). | + 5. **Analysis:** Compares the requested removals against the updated group state + returned by the API to determine successful and failed removals. + + 6. **Output Generation:** Renders an HTML table of the updated group details and + returns the full group object as a JSON result. capabilities: can_create_case_comments: false can_create_insight: false @@ -1931,14 +2044,14 @@ Remove Group: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Removes members from a group in Vectra AI by performing a PATCH request to the - group's endpoint with a 'remove' membership action. + Removes specified members from a group in Vectra AI by sending a PATCH request + to the `/groups/{group_id}` endpoint with the `membership_action=remove` parameter. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1952,6 +2065,7 @@ Remove Group: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Remove Note: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1965,61 +2079,70 @@ Remove Group: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false - update_identity: true + update_identity: false update_ticket: false -Remove Note: ai_description: >- ### General Description - Removes a specific note from a designated entity within the Vectra platform. This - action allows analysts to manage and delete notes associated with Accounts, Hosts, - or Detections by providing the specific Entity ID and Note ID. + Removes a specific note from a designated entity within the Vectra RUX platform. + This action allows analysts to manage and clean up notes associated with Accounts, + Hosts, or Detections by providing the unique identifiers for both the entity and + the note. ### Parameters Description - | Parameter | Description | Type | Mandatory | + | Parameter | Description | Type | Mandatory | Expected Value | - | :--- | :--- | :--- | :--- | + | :--- | :--- | :--- | :--- | :--- | | Entity ID | The unique identifier of the entity (Account, Host, or Detection) - from which the note should be removed. | String | Yes | + from which the note should be removed. | String | Yes | A numeric string representing + the Entity ID. | | Note ID | The unique identifier of the specific note to be deleted. | String - | Yes | + | Yes | A numeric string representing the Note ID. | - | Entity Type | The category of the entity the note is attached to. Options are - Account, Host, or Detection. | DDL | Yes | + | Entity Type | The category of the entity from which the note is being removed. + | DDL | Yes | One of: 'Account', 'Host', or 'Detection'. | - ### Flow Description + ### Additional Notes - 1. **Initialization**: Retrieve the API configuration (API Root, Client ID, Client - Secret) and action parameters (Entity ID, Note ID, Entity Type). + This action performs a permanent deletion of the note in the external Vectra RUX + system. The 'Entity ID' and 'Note ID' parameters are validated as integers before + the request is sent. - 2. **Validation**: Validate that the provided Entity ID and Note ID are valid - integers. - 3. **Execution**: Send a DELETE request to the Vectra API endpoint corresponding - to the specified entity type and IDs. + ### Flow Description - 4. **Completion**: Return a success message upon successful deletion or an error - message if the operation fails. + 1. **Initialization**: The action initializes the Vectra RUX manager using the + provided API credentials (API Root, Client ID, and Client Secret). + 2. **Parameter Extraction**: It retrieves the `Entity ID`, `Note ID`, and `Entity + Type` from the action inputs. - ### Additional Notes + 3. **Validation**: The `Entity ID` and `Note ID` are validated to ensure they + are valid integer values. - There are no additional notes for this action. + 4. **Execution**: The action calls the Vectra RUX API using a DELETE request to + the endpoint `api/v3.4/entities/{entity_id}/notes/{note_id}`. + + 5. **Completion**: Upon successful deletion, the action returns a confirmation + message and sets the result value to true. capabilities: can_create_case_comments: false can_create_insight: false @@ -2028,13 +2151,14 @@ Remove Note: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Removes a note from an entity in the Vectra platform via a DELETE request. + Deletes a specific note associated with an entity (Account, Host, or Detection) + in the Vectra RUX platform. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2048,6 +2172,7 @@ Remove Note: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Remove Tags: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -2061,70 +2186,73 @@ Remove Note: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Remove Tags: ai_description: >- - Removes specific tags from a Vectra AI entity, such as an Account, Host, or Detection. - The action first retrieves the current tags associated with the specified Entity - ID to verify existence, then filters out the tags provided by the user, and finally - updates the entity in Vectra AI with the modified tag list. + Removes specific tags from a Vectra entity (Account, Host, or Detection) identified + by its ID. This action first retrieves the current tags associated with the entity, + identifies which of the requested tags are present, and then updates the entity's + tag list on the Vectra platform by removing those tags. It provides a summary + of the operation, including which tags were successfully removed and which were + not found. - ### Flow Description: + ### Flow Description - 1. **Parameter Extraction:** Retrieves the API configuration and action parameters, - including the comma-separated list of tags to remove, the target Entity ID, and - the Entity Type (Account, Host, or Detection). + 1. **Parameter Extraction:** Retrieves the target tags (comma-separated), the + Entity ID, and the Entity Type (Account, Host, or Detection) from the action parameters. - 2. **Tag Retrieval:** Calls the Vectra AI API to fetch the current list of tags - for the specified entity. + 2. **Data Retrieval:** Calls the Vectra API to fetch the current list of tags + associated with the specified entity ID and type. - 3. **Tag Comparison:** Compares the user-provided tags against the existing tags. - It identifies which tags can be successfully removed and which do not exist on - the entity. + 3. **Tag Comparison:** Compares the provided tags against the existing tags. It + identifies tags that can be removed and those that do not exist on the entity. - 4. **External Update:** If at least one tag is found for removal, it sends a PATCH - request to Vectra AI to update the entity's tag list. + 4. **External Mutation:** If valid tags for removal are found, it constructs a + new tag list (excluding the removed tags) and sends a PATCH request to the Vectra + platform to update the entity. - 5. **Result Reporting:** Generates a data table and JSON result summarizing the - status of the removal operation, including which tags were removed and which were - not found. + 5. **Output Generation:** Adds a JSON result and a data table to the SOAR case + detailing the update status, the entity ID, and the final tag list. - ### Parameters Description: + ### Parameters Description + | Parameter | Type | Mandatory | Description | - | --- | --- | --- | --- | + | :--- | :--- | :--- | :--- | - | Tags | String | Yes | A comma-separated list of tags to be removed from the + | Tags | string | Yes | A comma-separated list of tags to be removed from the entity. | - | Entity ID | String | Yes | The unique identifier of the entity in Vectra AI - from which tags will be removed. | + | Entity ID | string | Yes | The unique identifier of the entity in Vectra from + which tags will be removed. | - | Entity Type | DDL | Yes | The category of the entity. Supported values are 'Account', - 'Host', or 'Detection'. | + | Entity Type | ddl | Yes | The category of the entity. Supported values: Account, + Host, Detection. | - ### Additional Notes: + ### Additional Notes - - If none of the specified tags exist on the target entity, the action will fail - with a 'TagsUpdateFailException'. + - This action does not process entities from the SOAR entity list; it operates + strictly on the ID provided in the 'Entity ID' parameter. - - The action performs a state change in the external Vectra AI system by modifying - the metadata of the specified entity. + - If none of the specified tags exist on the entity, the action will fail with + a 'TagsUpdateFailException'. capabilities: can_create_case_comments: false can_create_insight: false @@ -2133,15 +2261,14 @@ Remove Tags: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the tag list of an entity (Account, Host, or Detection) in Vectra AI - by sending a PATCH request to the tagging endpoint, effectively removing the - specified tags from the external system. + Updates the entity's metadata in the Vectra platform by removing specified tags + via a PATCH request to the tagging API endpoint. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2155,6 +2282,7 @@ Remove Tags: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Resolve Assignment: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -2168,76 +2296,80 @@ Remove Tags: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false - update_ticket: false -Resolve Assignment: + update_ticket: true ai_description: >- ### General Description - Resolves a Vectra AI assignment using a specified outcome. This action is used - to close out workflow items in Vectra AI, allowing for the categorization of the - resolution (e.g., as a true or false positive) and the inclusion of supporting - evidence such as notes and detection IDs. + Resolves a specific assignment in Vectra AI using its unique assignment ID and + a designated outcome ID. This action allows analysts to close out tasks within + the Vectra platform directly from Google SecOps, providing options to add notes, + apply triage rules, and associate specific detections with the resolution. ### Parameters Description - | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Outcome ID | String | Yes | The outcome for resolving the assignment. Common - values: 1 (Benign True Positive), 2 (Malicious True Positive), 3 (False Positive). - Custom outcomes are also supported. | - - | Assignment ID | String | Yes | The unique identifier of the assignment to be + | Assignment ID | String | Yes | The unique integer ID of the assignment to be resolved. | - | Note Title | String | No | A note or title to be added to the assignment resolution. - | + | Outcome ID | String | Yes | The integer ID representing the resolution outcome + (e.g., 1 for Benign True Positive, 2 for Malicious True Positive, 3 for False + Positive). Custom IDs are also supported. | - | Triage As | String | No | The triage rule to apply when resolving the assignment. - | + | Note Title | String | No | A descriptive note or title to be attached to the + resolution record in Vectra. | + + | Triage As | String | No | A triage rule string to apply to the resolution. Must + be at least 4 characters long and contain no special characters. | | Detection IDs | String | No | A comma-separated list of integer detection IDs - to associate with the resolution. | + to be associated with the triage rule. | - ### Flow Description + ### Additional Notes - 1. **Parameter Extraction:** Retrieves API credentials and action parameters (`Assignment - ID`, `Outcome ID`, `Note Title`, `Triage As`, `Detection IDs`). + - **Dependency:** If the 'Triage As' parameter is provided, at least one 'Detection + ID' must also be provided for the action to succeed. - 2. **Validation:** Validates that `Assignment ID` and `Outcome ID` are integers. - If `Detection IDs` are provided, they are also validated as integers. + - **Validation:** The action performs strict validation on 'Assignment ID' and + 'Outcome ID' to ensure they are valid non-negative integers. - 3. **Dependency Check:** Ensures that if `Triage As` is specified, `Detection - IDs` are not empty. - 4. **API Interaction:** Calls the Vectra AI API via a `PUT` request to resolve - the assignment. + ### Flow Description - 5. **Result Processing:** Captures the API response, creates a data table named - 'Resolved Assignment', and attaches the raw JSON result. + 1. **Parameter Extraction:** The action retrieves the Assignment ID, Outcome ID, + and optional metadata (Note, Triage, Detections) from the input. + 2. **Validation Logic:** It validates that IDs are integers and checks that 'Triage + As' meets the character requirements. It also enforces the requirement that 'Detection + IDs' must be present if 'Triage As' is used. - ### Additional Notes + 3. **External API Call:** The action sends a `PUT` request to the Vectra RUX API + endpoint `/assignments/{assignment_id}/resolve` with the resolution payload. - * If the `Triage As` parameter is configured, the `Detection IDs` parameter must - also be provided; otherwise, the action will fail. + 4. **Data Processing:** Upon a successful API response, the action parses the + updated assignment details. - * The `Assignment ID` and `Outcome ID` must be valid integer values. + 5. **Output Generation:** The action produces a JSON result containing the full + API response and creates a data table named 'Resolved Assignment' for the case + wall. capabilities: can_create_case_comments: false can_create_insight: false @@ -2246,14 +2378,14 @@ Resolve Assignment: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Resolves an assignment in Vectra AI by updating its status with a specific outcome - ID, and optionally adding notes, triage rules, and associated detection IDs. + Updates the state of an assignment in the Vectra AI platform to 'Resolved' and + applies outcome, triage, and note metadata. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2267,6 +2399,7 @@ Resolve Assignment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Unmark Detection Fixed: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -2280,60 +2413,65 @@ Resolve Assignment: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false - update_ticket: true -Unmark Detection Fixed: + update_ticket: false ai_description: >- ### General Description - Unmarks specific detections as fixed in the Vectra AI platform. This action is - used to revert the status of detections that were previously marked as resolved - or fixed, allowing them to be re-evaluated or monitored again within the Vectra - interface. + Unmarks specific detections as fixed within the Vectra AI platform. This action + is used to revert the status of detections that were previously marked as resolved + or fixed, allowing them to be re-evaluated or monitored again in the Vectra dashboard. ### Parameters Description - | Parameter | Type | Mandatory | Description | + | Parameter | Description | Type | Mandatory | | :--- | :--- | :--- | :--- | - | Detection IDs | String | Yes | A comma-separated list of numeric IDs representing - the detections to be unmarked as fixed. | + | Detection IDs | A comma-separated list of numeric IDs representing the detections + to be unmarked as fixed. | String | Yes | - ### Flow Description + ### Additional Notes - 1. **Parameter Extraction**: Retrieves the `Detection IDs` string from the action - input. + - The action validates that each provided ID is a valid integer before attempting + the API call. + + - This action performs a bulk update on the external Vectra AI system. - 2. **Validation**: Splits the comma-separated string into individual IDs and validates - that each ID is a valid integer. - 3. **API Interaction**: Initializes the `VectraRUXManager` and sends a `PATCH` - request to the Vectra AI detections endpoint. The request payload sets the `mark_as_fixed` - attribute to `False` for the provided list of detection IDs. + ### Flow Description - 4. **Result Processing**: Captures the API response and attaches it to the action - results as a JSON object for further use in the playbook. + 1. **Parameter Extraction**: The action retrieves the `Detection IDs` string from + the input parameters. + 2. **Validation**: It splits the comma-separated string and validates that each + ID is a valid integer using the `validate_integer` utility. - ### Additional Notes + 3. **Authentication**: The action initializes the `VectraRUXManager`, which handles + OAuth2 token generation or retrieval from the local cache. - - This action performs a state change in the external Vectra AI system. + 4. **External Update**: It calls the `unmark_detection_as_fixed` method, which + sends a `PATCH` request to the Vectra API endpoint with the `mark_as_fixed` payload + set to `False` for the specified IDs. - - Ensure that the provided IDs correspond to existing detections in the target - Vectra environment. + 5. **Result Processing**: The API response is captured, added to the action's + JSON results, and the execution state is set to completed or failed based on the + success of the request. capabilities: can_create_case_comments: false can_create_insight: false @@ -2349,7 +2487,7 @@ Unmark Detection Fixed: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2363,6 +2501,7 @@ Unmark Detection Fixed: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Update Assignment: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -2376,27 +2515,28 @@ Unmark Detection Fixed: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Update Assignment: ai_description: >- ### General Description - The **Update Assignment** action is designed to change the assigned user for a - specific assignment associated with a Host or Account entity within the Vectra - RUX platform. This action is primarily used for workflow management, allowing - analysts to programmatically reassign investigations or tasks to different users - based on their User ID. + Updates the assigned user for a specific assignment associated with a Host or + Account in Vectra AI. This action is used to reassign ownership of a detection + or entity investigation within the Vectra platform by modifying the 'assign_to_user_id' + field of an existing assignment. ### Parameters Description @@ -2405,42 +2545,40 @@ Update Assignment: | :--- | :--- | :--- | :--- | - | **Entity ID** | string | Yes | The unique identifier of the entity (Host or - Account) whose assignment needs to be updated. | + | Entity ID | String | Yes | The unique identifier of the Host or Account in Vectra + AI. | - | **Entity Type** | ddl | Yes | The type of the entity. Expected values are 'Account' + | Entity Type | DDL | Yes | The type of entity to update. Options are 'Account' or 'Host'. | - | **User ID** | string | Yes | The unique identifier of the user to whom the assignment + | User ID | String | Yes | The unique identifier of the user to whom the assignment will be reassigned. | - ### Flow Description + ### Additional Notes - 1. **Validation**: The action first validates that the provided `Entity ID` and - `User ID` are valid integers. + The action first retrieves the entity's current information to identify the active + `assignment_id`. If the entity does not have an active assignment, the action + will fail with an 'ItemNotFound' error. - 2. **Entity Lookup**: It performs a GET request to the Vectra API to retrieve - information about the specified entity (Host or Account). - 3. **Assignment Identification**: From the entity details, the action extracts - the current `assignment_id`. If no assignment is found for the entity, the action - fails with an 'Item Not Found' error. + ### Flow Description - 4. **Update Request**: The action sends a PUT request to the Vectra assignments - endpoint, updating the `assign_to_user_id` field with the new `User ID`. + 1. **Parameter Extraction**: Retrieves the Entity ID, Entity Type, and User ID + from the action inputs. - 5. **Output**: Upon success, the action returns the updated assignment details - in a JSON format and populates a data table named 'Updated Assignment' with the - change details. + 2. **Validation**: Validates that the Entity ID and User ID are provided as valid + integer strings. + 3. **Fetch Assignment ID**: Calls the Vectra API to retrieve the specific entity's + metadata and extracts the ID of the current assignment. - ### Additional Notes + 4. **Update Assignment**: Sends a PUT request to the Vectra assignments endpoint + to update the assigned user to the provided User ID. - This action performs a state change in the external Vectra RUX system by modifying - the ownership of an assignment. It does not interact with Google SecOps entities - directly from the case context but rather uses the provided parameters to identify - the target resource. + 5. **Result Processing**: Adds the raw API response to the action results and + creates a data table named 'Updated Assignment' containing the assignment ID, + the new user ID, and the entity details. capabilities: can_create_case_comments: false can_create_insight: false @@ -2449,14 +2587,14 @@ Update Assignment: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the 'assign_to_user_id' field of an existing assignment in the Vectra - RUX platform via a PUT request. + Updates the 'assign_to_user_id' field for an existing assignment object in the + Vectra AI platform via a PUT request. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2470,28 +2608,3 @@ Update Assignment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: true diff --git a/content/response_integrations/third_party/community/vectra_rux/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/vectra_rux/resources/ai/connectors_ai_description.yaml index ce0c3a893..bd0c4ab68 100644 --- a/content/response_integrations/third_party/community/vectra_rux/resources/ai/connectors_ai_description.yaml +++ b/content/response_integrations/third_party/community/vectra_rux/resources/ai/connectors_ai_description.yaml @@ -3,12 +3,12 @@ Vectra RUX - Entities Connector: ### General Description The Vectra RUX - Entities Connector integrates with the Vectra RUX platform to - ingest security data into Google SecOps. It focuses on monitoring 'Entities' (either - Hosts or Accounts) that have active detections. The connector maps each Vectra - entity to a SOAR alert and its associated detections to alert events, providing - a comprehensive view of suspicious asset activity. It supports stateful tracking - to ensure only new or modified entities are processed and uses source grouping - to maintain case continuity. + ingest security entities (Hosts or Accounts) and their associated detections into + Google SecOps. It transforms each Vectra entity into a SOAR alert, where individual + detections are represented as events within that alert. This allows for a consolidated + view of all malicious activity related to a specific host or account within a + single case. The connector supports stateful tracking, ensuring that updates to + existing entities are correctly grouped and duplicates are avoided. ### Parameters Description @@ -27,56 +27,55 @@ Vectra RUX - Entities Connector: ID for secure authorization. | | DeviceProductField | String | Yes | The field name used to determine the device - product (Default: Vectra RUX). | + product (default: Vectra RUX). | - | Entity Type | String | Yes | The type of Vectra entity to retrieve: 'Host' or - 'Account'. | + | Entity Type | String | Yes | The type of entity to retrieve: 'Host' or 'Account'. + | - | EventClassId | String | Yes | The field name used to determine the event name - or sub-type (Default: detection_type). | + | EventClassId | String | Yes | The field name used to determine the event name/sub-type + (default: detection_type). | - | Limit | Integer | No | Maximum number of entities to fetch in a single execution - cycle. | + | Limit | Integer | No | Maximum number of entities to fetch in a single execution. + | | Max Hours Backwards | Integer | No | Number of hours to look back for entities during the first connector iteration. | | Prioritized | Boolean | No | If enabled, only entities with a priority score - above the configured threshold are retrieved. | + above the configured threshold are fetched. | - | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the - Python process running the script. | + | Specific Tag | String | No | A specific tag used to filter the entity results. + | - | Specific Tag | String | No | A specific tag used to filter the entities retrieved - from the platform. | + | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the + python process running the script. | ### Flow Description - 1. **Authentication**: The connector establishes a session with the Vectra RUX - API using OAuth2 credentials (Client ID and Secret), managing access and refresh - tokens via a local file stream. + 1. **Authentication**: The connector authenticates with the Vectra RUX API using + OAuth2 (Client ID and Secret) and manages access/refresh tokens stored in a local + configuration file. - 2. **Initialization & Validation**: It validates input parameters, ensuring the - entity type is either 'Host' or 'Account' and calculating the start time based - on the 'Max Hours Backwards' or the last successful execution timestamp. + 2. **Entity Discovery**: It queries the Vectra RUX `/entities` endpoint, filtering + by the configured `Entity Type` (Host or Account), `Specific Tag`, and `Prioritized` + status. - 3. **Entity Retrieval**: The connector queries the Vectra RUX `/entities` endpoint - for active entities modified since the last run. It applies filters for prioritization - and specific tags if provided. + 3. **Time-based Filtering**: The connector retrieves entities modified since the + last successful execution or within the `Max Hours Backwards` window for the initial + run. - 4. **Duplicate Prevention**: It filters out already processed entities by comparing - a unique identifier composed of the Entity ID and its Last Modified Timestamp - against a stored list of IDs. + 4. **Detection Retrieval**: For each discovered entity, the connector fetches + all associated active detections from the `/detections` endpoint. - 5. **Detection & Assignment Enrichment**: For each valid entity, the connector - fetches associated active detections (to be used as events) and current user assignments - from the Vectra platform. + 5. **Assignment Enrichment**: It retrieves assignment information (assigned user, + resolution status, and outcomes) for the entity and attaches it to the alert metadata. - 6. **Alert Mapping**: The Vectra Entity is mapped to a Google SecOps Alert. Detections - are flattened and mapped as Events within that alert. A Source Grouping Identifier - (`entity_type#entity_id`) is assigned to facilitate case grouping. + 6. **Alert Mapping**: The connector maps the Vectra entity to a Google SecOps + alert and its detections to individual events. It generates a `source_grouping_identifier` + based on the Entity ID to ensure that updates to the same entity are grouped into + the same SOAR case. - 7. **Ingestion**: The connector checks for alert overflow and then ingests the - processed alerts into Google SecOps, updating the last success timestamp and ID - list upon completion. + 7. **Ingestion and State Management**: The constructed `AlertInfo` objects are + ingested into the system. The connector then saves the last processed timestamp + and entity IDs to prevent duplicate ingestion in future cycles. diff --git a/content/response_integrations/third_party/community/vectra_rux/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/vectra_rux/resources/ai/integration_ai_description.yaml index 971d37ab1..c5805635b 100644 --- a/content/response_integrations/third_party/community/vectra_rux/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/community/vectra_rux/resources/ai/integration_ai_description.yaml @@ -4,7 +4,7 @@ product_categories: collaboration: false edr: false email_security: false - iam_and_identity_management: true + iam_and_identity_management: false itsm: true network_security: true siem: true diff --git a/content/response_integrations/third_party/community/vectra_rux/resources/ai/jobs_ai_description.yaml b/content/response_integrations/third_party/community/vectra_rux/resources/ai/jobs_ai_description.yaml index 993bbbe9f..862e25acd 100644 --- a/content/response_integrations/third_party/community/vectra_rux/resources/ai/jobs_ai_description.yaml +++ b/content/response_integrations/third_party/community/vectra_rux/resources/ai/jobs_ai_description.yaml @@ -1,32 +1,55 @@ Vectra RUX - Clear Empty Cases Job: - ai_description: "### General Description\nThis job performs maintenance on Google\ - \ SecOps cases generated by the Vectra RUX integration. Its primary purpose is\ - \ to reduce SOC noise by identifying and closing redundant or duplicate cases\ - \ and alerts. The job analyzes open cases to determine if the underlying detections\ - \ (events) are already being investigated in other active cases. If a case or\ - \ alert is found to be a complete duplicate of another, it is automatically closed\ - \ with a specific root cause, ensuring analysts focus only on unique security\ - \ incidents.\n\n### Parameters Description\n| Parameter | Type | Mandatory | Description\ - \ |\n| :--- | :--- | :--- | :--- |\n| Max Hours Backwards | String | No | The\ - \ maximum number of hours to look back for open cases to process. Default is '24'.\ - \ Set to '0' to fetch and process all open cases regardless of their creation\ - \ time. |\n| Environments | String | Yes | A comma-separated list of environments\ - \ to include in the cleanup process. Default is 'Default Environment'. |\n| Products\ - \ | String | Yes | A comma-separated list of product names used to filter relevant\ - \ alerts within the cases. Default is 'Vectra RUX'. |\n\n### Flow Description\n\ - 1. **Initialization**: The job retrieves the configuration parameters and determines\ - \ the starting timestamp for the search based on the \"Max Hours Backwards\" setting\ - \ and the last successful execution time stored in the database.\n2. **Case Retrieval**:\ - \ It queries Google SecOps for all open cases that match the specified time range\ - \ and environment filters.\n3. **Alert Analysis**: For each retrieved case, the\ - \ job fetches associated alerts and filters them by the specified product names.\ - \ It then extracts the unique detection (event) IDs from these alerts.\n4. **Redundancy\ - \ Check**: The job builds a map of detections across all processed cases. It identifies\ - \ alerts or entire cases where all associated detection IDs are already present\ - \ in other active investigations.\n5. **Cleanup**: \n * If an entire case is\ - \ found to be redundant (all its alerts are duplicates), the job closes the case\ - \ with the reason \"Similar case already under investigation\".\n * If only\ - \ specific alerts within a case are redundant, it closes those individual alerts\ - \ with the reason \"Similar alert already under investigation\".\n6. **Finalization**:\ - \ The job saves the current execution timestamp to the scoped job context to serve\ - \ as the baseline for the next run." + ai_description: >- + ### General Description + + This job performs maintenance on Google SecOps cases generated by the Vectra RUX + integration. It identifies and closes redundant cases and alerts that contain + duplicate detection data already present in other open investigations. By analyzing + the underlying event IDs within alerts, the job ensures that analysts are not + working on multiple cases for the same underlying security events, effectively + deduplicating the workload and reducing noise. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Max Hours Backwards | String | No | The maximum number of hours to look back + for open cases. Default is 24. Set to '0' to process all open cases regardless + of age. | + + | Environments | String | Yes | Comma-separated list of environments to include + in the cleanup process (e.g., 'Default Environment'). | + + | Products | String | Yes | Comma-separated list of product names to filter alerts + (e.g., 'Vectra RUX'). Only alerts from these products are evaluated for deduplication. + | + + + ### Flow Description + + 1. Retrieves configuration parameters for the time range, target environments, + and product names. + + 2. Calculates the starting timestamp for the search based on the 'Max Hours Backwards' + parameter or the timestamp of the last successful run. + + 3. Queries the SOAR platform for all cases currently in 'OPEN' status that fall + within the calculated time window. + + 4. Filters the retrieved cases to include only those matching the specified environments + and containing alerts from the target products. + + 5. Extracts and maps unique detection/event IDs from the alerts within the filtered + cases. + + 6. Identifies redundant alerts where all associated event IDs are already present + in other active alerts or cases. + + 7. Closes redundant cases or individual alerts using a predefined root cause indicating + that a similar case is already under investigation. + + 8. Updates the job's internal execution timestamp to mark the successful completion + of the run. diff --git a/content/response_integrations/third_party/community/vorlon/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/vorlon/resources/ai/actions_ai_description.yaml index da9a6eba0..d7ae4d479 100644 --- a/content/response_integrations/third_party/community/vorlon/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/vorlon/resources/ai/actions_ai_description.yaml @@ -1,35 +1,81 @@ Get Alerts: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: true + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - Retrieves a list of alerts from the Vorlon platform based on specified filtering - criteria. This action allows analysts to query for alerts by requesting or responding - service IDs, specific alert IDs, time ranges, and alert statuses. The results - are returned as a JSON object for further processing within the playbook. + ### General Description + The **Get Alerts** action retrieves a list of alerts from the Vorlon server based + on user-defined filters. It allows analysts to query the external system for specific + alerts using identifiers, service associations, time ranges, and status. The results + are returned as a JSON object for use in playbooks. - ### Parameters Description + ### Flow Description + + 1. **Parameter Extraction**: The action retrieves configuration details (API Root, + Client ID, Client Secret) and action parameters including service IDs, alert IDs, + time filters, and status. + + 2. **Manager Initialization**: It initializes the `VorlonManager` which handles + authentication and session management with the Vorlon API. + + 3. **Data Retrieval**: The action calls the `get_alerts` method, which constructs + a GET request to the `/rest/v1/alerts` endpoint. It processes time strings into + epoch timestamps and cleans comma-separated strings for the query. + + 4. **Result Output**: The fetched alerts are added to the action's JSON results, + and the action completes with a success message. + + + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | | Requesting Service | String | No | A comma-separated list of service IDs that - initiated the request associated with the alert. | + initiated the alerts. | | Responding Service | String | No | A comma-separated list of service IDs that - responded to the request associated with the alert. | + responded to the alerts. | - | Alert IDs | String | No | A comma-separated list of specific Vorlon alert IDs - to retrieve. | + | Alert IDs | String | No | A comma-separated list of specific alert IDs to retrieve. + | - | From | String | No | The start time for the alert search in 'YYYY-MM-DDTHH:MM:SS' - format (e.g., 2023-10-01T12:00:00). | + | From | String | No | Filter alerts from this time (Format: `YYYY-MM-DDTHH:MM:SS`). + | - | To | String | No | The end time for the alert search in 'YYYY-MM-DDTHH:MM:SS' - format. | + | To | String | No | Filter alerts up to this time (Format: `YYYY-MM-DDTHH:MM:SS`). + | - | Alert Status | DDL | No | Filters alerts by their current status. Options: 'open', - 'dismissed', 'resolved'. Default is 'open'. | + | Alert Status | DDL | No | Filter by alert status: `open` (default), `dismissed`, + or `resolved`. | | Limit | String | No | The maximum number of alerts to return. Default is 100. | @@ -37,28 +83,11 @@ Get Alerts: ### Additional Notes - - This action does not run on entities; it is a standalone search action. - - - Time parameters must follow the strict ISO-like format 'YYYY-MM-DDTHH:MM:SS' - to be correctly converted to epoch time for the API request. - + - The `From` and `To` parameters must strictly follow the `YYYY-MM-DDTHH:MM:SS` + format (e.g., 2023-10-27T10:00:00) to be correctly parsed into epoch timestamps. - ### Flow Description - - 1. **Parameter Extraction:** The action retrieves configuration settings (API - Root, Credentials) and user-provided filter parameters. - - 2. **Manager Initialization:** A VorlonManager instance is created to handle authentication - and API communication. - - 3. **Data Transformation:** Comma-separated strings for services and IDs are cleaned - of whitespace. Date strings are converted into Unix epoch timestamps. - - 4. **API Request:** The action performs a GET request to the Vorlon `/rest/v1/alerts` - endpoint with the constructed query parameters. - - 5. **Result Processing:** The retrieved alerts are added to the action's JSON - results, and the execution status is updated based on the success of the API call. + - If no filters are provided, the action defaults to fetching the most recent + 'open' alerts. capabilities: can_create_case_comments: false can_create_insight: false @@ -72,7 +101,7 @@ Get Alerts: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -86,6 +115,7 @@ Get Alerts: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get All Services: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -99,53 +129,58 @@ Get Alerts: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get All Services: ai_description: >- ### General Description The **Get All Services** action retrieves a comprehensive list of all detected - and observed services from the Vorlon server. This action is primarily used for - inventory discovery and visibility into the services monitored by the Vorlon platform. + and observed services from the Vorlon platform. This action is primarily used + for discovery and inventory purposes, providing visibility into the services monitored + by the Vorlon server. - ### Parameters Description + ### Flow Description - There are no action-specific parameters for this action. It relies solely on the - integration's global configuration (API Root, Client ID, and Client Secret) to - authenticate and communicate with the Vorlon API. + 1. **Authentication**: The action establishes a session with the Vorlon API using + the configured API Root, Client ID, and Client Secret. + 2. **API Request**: It performs a GET request to the `/rest/v1/services` endpoint + to retrieve the full list of services. - ### Flow Description + 3. **Result Processing**: The action captures the JSON response from the server + and attaches it as a JSON result to the action execution. + + 4. **Completion**: The action concludes by reporting the success or failure of + the data retrieval process. - 1. **Initialization**: The action initializes the Siemplify environment and retrieves - the necessary configuration parameters for the Vorlon integration. - 2. **Authentication**: It establishes a session with the Vorlon server using the - provided credentials to obtain an OAuth2 access token. + ### Parameters Description - 3. **Data Retrieval**: The action calls the `get_all_services` method in the Vorlon - Manager, which executes a GET request to the `/rest/v1/services` endpoint. + | Parameter | Type | Mandatory | Description | - 4. **Result Processing**: The retrieved JSON list of services is attached to the - action's results, and the action completes with a success message. + | :--- | :--- | :--- | :--- | + + | N/A | N/A | N/A | This action does not require any input parameters. | ### Additional Notes - This action does not operate on specific entities within a case; it performs a - global fetch of service data from the external system. + This action does not operate on specific entities (such as IPs or Hostnames) and + instead returns a global list of services from the integrated Vorlon instance. capabilities: can_create_case_comments: false can_create_insight: false @@ -159,7 +194,7 @@ Get All Services: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -173,6 +208,7 @@ Get All Services: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Connection Summary: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -186,76 +222,85 @@ Get All Services: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: true send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Connection Summary: ai_description: >- - Retrieves a summary of network connections for a specific service from the Vorlon - platform. This action allows analysts to query connection data based on service - identifiers, time ranges, and connection types (observed or detected). The retrieved - data is returned as a JSON object for use in subsequent playbook steps. + ### General Description + This action retrieves a summary of network connections associated with a specific + service from the Vorlon platform. It allows analysts to fetch aggregated connection + data by providing a Service ID and applying optional filters such as Instance + ID, time range, connection type (observed or detected), and specific secret IDs. + The results are returned as a JSON object for further analysis within the SOAR + platform. - ### Parameters + + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Service ID | string | Yes | The unique identifier for the service (typically - the service or app name) to retrieve the connection summary for. | + | Service ID | String | Yes | The unique identifier for the service (typically + the service name or app name) for which to retrieve the connection summary. | - | Instance ID | string | No | If provided, filters the results by a specific instance - ID of the service. | + | Instance ID | String | No | If provided, filters the connection summary by a + specific instance ID of the service. | - | From | string | No | Filters results by a start time in 'YYYY-MM-DDTHH:MM:SS' - format (e.g., 2023-10-01T12:00:00). | + | From | String | No | If provided, filters the summary by a start time in the + format `YYYY-MM-DDTHH:MM:SS` (e.g., 2023-10-27T10:00:00). | - | To | string | No | Filters results by an end time in 'YYYY-MM-DDTHH:MM:SS' format - (e.g., 2023-10-01T13:00:00). | + | To | String | No | If provided, filters the summary by an end time in the format + `YYYY-MM-DDTHH:MM:SS` (e.g., 2023-10-27T11:00:00). | - | Type | ddl | No | The type of connection to retrieve. Options are 'observed' - (default) or 'detected'. | + | Type | DDL | No | The type of connection to summarize. Options are `observed` + (default) or `detected`. | - | Secret IDs | string | No | A comma-separated list of secret IDs to filter the + | Secret IDs | String | No | A comma-separated list of secret IDs to filter the connection summary. | ### Flow Description - 1. **Parameter Extraction:** The action retrieves the API configuration (Root - URL, Client ID, Client Secret) and the user-provided action parameters. + 1. **Initialization**: The action extracts the Vorlon integration configuration + (API Root, Client ID, Client Secret) and the user-provided action parameters. - 2. **Manager Initialization:** Initializes the VorlonManager, which handles authentication - and token management. + 2. **Manager Setup**: A `VorlonManager` instance is initialized to handle communication + with the Vorlon API. - 3. **Data Transformation:** Converts the 'From' and 'To' timestamp strings into - epoch format and cleans the 'Secret IDs' string by removing unnecessary spaces. + 3. **Time Processing**: If the `From` or `To` parameters are provided, the action + validates the string format and converts them into epoch timestamps required by + the API. - 4. **API Request:** Executes a GET request to the Vorlon API endpoint `/rest/v1/connections/summary/{service_id}` - with the specified filters. + 4. **API Execution**: The action calls the Vorlon API's connection summary endpoint + using the specified Service ID and optional query parameters (secrets, instance, + time range, type). - 5. **Result Processing:** Validates the response and attaches the connection summary - data to the action's JSON result. + 5. **Result Handling**: The retrieved connection summary is added to the action's + JSON results. If the fetch is successful, the action completes with a success + message; otherwise, it reports a failure. ### Additional Notes - - The 'Service ID' is a path parameter in the API request and is strictly required - for the action to execute. + - The `Service ID` is a mandatory parameter and must be provided for the action + to run. - - Time parameters must follow the exact format 'YYYY-MM-DDTHH:MM:SS' or the action - will fail during the conversion process. + - Time filters must strictly follow the `YYYY-MM-DDTHH:MM:SS` format to avoid + execution errors. capabilities: can_create_case_comments: false can_create_insight: false @@ -269,7 +314,7 @@ Get Connection Summary: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -283,6 +328,7 @@ Get Connection Summary: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Connections: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -296,65 +342,83 @@ Get Connection Summary: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: true send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Connections: ai_description: >- - Retrieves connection records for a specified service from the Vorlon platform. - This action allows analysts to query historical connection data, filtered by instance, - time range, and associated secrets, to understand service interactions and potential - security implications. + ### General Description + This action retrieves connection logs for a specific service from the Vorlon server. + It allows analysts to query historical telemetry data regarding how services are + interacting, filtered by time ranges, specific instances, or secret identifiers. + The results are returned as a JSON object for further analysis within the SOAR + platform. - ### Parameters - | Parameter | Type | Mandatory | Description | + ### Parameters Description + + | Parameter | Mandatory | Type | Description | | :--- | :--- | :--- | :--- | - | Service ID | string | Yes | The unique identifier or name of the service (e.g., - app name) to retrieve connections for. | + | Service ID | Yes | String | The unique identifier (typically the service or + app name) for which to retrieve connection data. | - | Instance ID | string | No | If provided, filters the results by the specific - instance ID of the service. | + | Instance ID | No | String | Filters the results to a specific instance of the + service. | - | From | string | No | Filters connections starting from this time. Expected format: + | From | No | String | Filters connections starting from this time. Expected format: "YYYY-MM-DDTHH:MM:SS" (e.g., 1970-01-01T00:00:00). | - | To | string | No | Filters connections up to this time. Expected format: "YYYY-MM-DDTHH:MM:SS" + | To | No | String | Filters connections up to this time. Expected format: "YYYY-MM-DDTHH:MM:SS" (e.g., 1970-01-01T00:00:00). | - | Secret IDs | string | No | A comma-separated list of secret IDs to filter the + | Secret IDs | No | String | A comma-separated list of secret IDs to filter the connection results. | - | Limit | string | No | The maximum number of connection records to return. Default - value is 100. | + | Limit | No | String | The maximum number of connection records to return. Defaults + to 100 if not specified. | ### Flow Description - 1. **Authentication:** The action initializes the Vorlon manager using the provided - API Root, Client ID, and Client Secret to obtain an access token. + 1. **Parameter Extraction**: The action extracts the API configuration (Root URL, + Client ID, Client Secret) and the user-provided action parameters (Service ID, + Instance ID, Time range, Secret IDs, and Limit). + + 2. **Manager Initialization**: It initializes the `VorlonManager` to handle authentication + and API communication. + + 3. **Data Retrieval**: The action calls the `get_connections` method, which performs + a GET request to the Vorlon API endpoint `/rest/v1/connections/{service_id}` with + the specified filters. + + 4. **Result Processing**: The retrieved connection data is attached to the action's + execution context as a JSON result. - 2. **Parameter Processing:** It extracts the Service ID and optional filters (Instance - ID, Secret IDs, Limit). It also validates and converts the 'From' and 'To' date - strings into epoch timestamps. + 5. **Completion**: The action terminates with a success message indicating that + connections were successfully fetched, or an error message if the request failed. - 3. **Data Retrieval:** The action performs a GET request to the Vorlon API endpoint - specific to the provided Service ID, applying the defined filters as query parameters. - 4. **Result Handling:** The retrieved connection data is added to the action's - JSON results, and the execution is marked as completed with a success message. + ### Additional Notes + + - The `From` and `To` parameters must strictly follow the `YYYY-MM-DDTHH:MM:SS` + format to be correctly converted to epoch time by the integration logic. + + - If the API returns an empty response for a valid service ID, the action will + raise an exception. capabilities: can_create_case_comments: false can_create_insight: false @@ -366,9 +430,9 @@ Get Connections: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -382,6 +446,7 @@ Get Connections: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Linked Alerts: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -395,75 +460,68 @@ Get Connections: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: true remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Linked Alerts: ai_description: >- ### General Description - The **Get Linked Alerts** action retrieves a list of alerts from the Vorlon platform - that are logically linked to a specific Alert ID. Alerts are considered linked - if they share the same secret ID and belong to the same alert group. This action - is primarily used for incident investigation to identify related security events - and understand the broader scope of a potential threat. + Retrieves alerts linked to a specific Alert ID from the Vorlon platform. Linked + alerts are defined as those sharing the same secret ID and alert group. This action + is useful for identifying related security incidents and understanding the scope + of a potential threat by aggregating related telemetry. ### Parameters Description + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Alert ID** | string | Yes | The unique identifier of the alert for which linked + | Alert ID | String | Yes | The unique identifier of the alert for which linked alerts should be retrieved. | - | **Alert Status** | ddl | No | Filters the results by the status of the linked - alerts. Options include: `open`, `dismissed`, `resolved`. | + | Alert Status | DDL | No | Filters the results by alert status. Supported values: + `open`, `dismissed`, `resolved`. | - | **Page** | string | No | The page number to retrieve for paginated results. - | + | Page | String | No | The page number for paginated results. | - | **Limit** | string | No | The maximum number of linked alerts to return. Defaults - to 100 if not specified. | + | Limit | String | No | The maximum number of alerts to return. Default is 100. + | ### Flow Description - 1. **Parameter Extraction:** The action retrieves the API configuration (Root - URL, Client ID, Client Secret) and the user-provided parameters (Alert ID, Status, - Page, Limit). + 1. **Authentication**: Connects to the Vorlon API using the configured API Root, + Client ID, and Client Secret to obtain a bearer token. - 2. **Manager Initialization:** A `VorlonManager` instance is created to handle - authentication and communication with the Vorlon API. + 2. **Parameter Extraction**: Retrieves the mandatory Alert ID and optional filters + (Status, Page, Limit) from the action input. - 3. **Data Retrieval:** The action calls the `get_linked_alerts` method, which - sends a GET request to the Vorlon server's linked alerts endpoint using the provided - Alert ID and filters. + 3. **Data Retrieval**: Executes a GET request to the Vorlon endpoint (`/rest/v1/alerts/linked/{id}`) + to fetch alerts linked to the provided ID. - 4. **Result Processing:** The retrieved list of linked alerts is attached to - the action's execution results as a JSON object. - - 5. **Completion:** The action concludes with a success message if data is retrieved - or an error message if the request fails or no linked alerts are found. + 4. **Output**: Returns the list of linked alerts as a JSON result for use in subsequent + playbook steps. ### Additional Notes - * This action does not process entities from the SOAR case; it relies entirely - on the provided **Alert ID** parameter. - - * If no linked alerts are found, the action will return a failure status with - a descriptive message. + This action does not operate on SecOps entities; it requires a specific Alert + ID as input. If no linked alerts are found, the action will return a failure status. capabilities: can_create_case_comments: false can_create_insight: false @@ -475,9 +533,9 @@ Get Linked Alerts: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: true + enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -491,6 +549,7 @@ Get Linked Alerts: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Secrets: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -504,27 +563,28 @@ Get Linked Alerts: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Secrets: ai_description: >- ### General Description - The **Get Secrets** action retrieves detailed information about secrets stored - within the Vorlon platform. It allows users to query for specific secrets by their - unique identifiers or to list all secrets associated with a particular service. - This action is primarily used for gathering metadata and configuration details - about managed secrets. + Retrieves detailed information about secrets from the Vorlon platform. This action + allows users to fetch metadata for specific secrets using their IDs or to retrieve + all secrets associated with a particular service. It is primarily used for gathering + context about credentials or sensitive configurations managed within Vorlon. ### Parameters Description @@ -533,38 +593,36 @@ Get Secrets: | :--- | :--- | :--- | :--- | - | **Service ID** | String | No | The unique identifier for a service (typically - the service name). When provided, the action fetches all secrets linked to this - specific service. | + | Service ID | String | No | The unique identifier (typically the service name) + for which to retrieve all associated secrets. | - | **Secret IDs** | String | No | A comma-separated list of specific secret identifiers - to retrieve. | + | Secret IDs | String | No | A comma-separated list of specific secret identifiers + to retrieve details for. | ### Additional Notes - - **Mutual Exclusivity:** The action requires exactly one of the two parameters - to be configured. Providing both the `Service ID` and `Secret IDs`, or leaving - both empty, will result in an execution failure. - - - This action does not process or filter SOAR entities; it operates as a standalone - data retrieval utility. + **Important:** Either the `Secret IDs` parameter or the `Service ID` parameter + must be provided for the action to execute successfully. If both parameters are + provided, or if neither is provided, the action will fail with an error message. ### Flow Description - 1. **Authentication:** The action initializes the Vorlon manager and authenticates - with the API using the configured Client ID and Client Secret to obtain a bearer - token. + 1. **Initialization:** The action initializes the Vorlon manager using the provided + API Root, Client ID, and Client Secret from the integration configuration. + + 2. **Parameter Extraction:** It retrieves the `Secret IDs` and `Service ID` from + the action input parameters. - 2. **Input Validation:** The logic verifies that either `Secret IDs` or `Service - ID` is provided, ensuring they are not used simultaneously. + 3. **Validation:** The logic checks that exactly one of the two parameters is + populated. If both or neither are provided, an exception is raised. - 3. **API Request:** A GET request is dispatched to the `/rest/v1/secrets` endpoint, - passing the selected identifier as a query parameter. + 4. **Data Retrieval:** The action calls the Vorlon API's secrets endpoint (`GET + /rest/v1/secrets`) with the appropriate query parameters (`ids` or `service_id`). - 4. **Result Processing:** The JSON response containing the secret details is captured - and attached to the action's execution results. + 5. **Output:** The retrieved secret details are added to the action's JSON results + and a success message is returned to the SOAR platform. capabilities: can_create_case_comments: false can_create_insight: false @@ -576,9 +634,9 @@ Get Secrets: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -592,6 +650,7 @@ Get Secrets: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -605,40 +664,64 @@ Get Secrets: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: - ai_description: "### General Description\nThe **Ping** action is a diagnostic tool\ - \ designed to verify the connectivity between Google SecOps and the **Vorlon**\ - \ platform. It validates that the integration's configuration parameters\u2014\ - specifically the API Root, Client ID, and Client Secret\u2014are correct and that\ - \ the Vorlon API is reachable and responding to requests.\n\n### Parameters Description\n\ - This action does not have any input parameters. It utilizes the global integration\ - \ configuration settings:\n\n| Parameter | Type | Mandatory | Description |\n\ - | :--- | :--- | :--- | :--- |\n| API Root | String | Yes | The base URL of the\ - \ Vorlon API instance. |\n| Client ID | String | Yes | The unique identifier used\ - \ for OAuth2 authentication. |\n| Client Secret | String | Yes | The secret key\ - \ used for OAuth2 authentication. |\n\n### Flow Description\n1. **Parameter Extraction**:\ - \ The action retrieves the API Root, Client ID, and Client Secret from the integration's\ - \ configuration.\n2. **Manager Initialization**: It initializes the `VorlonManager`.\ - \ During initialization, the manager performs an authentication handshake by sending\ - \ a POST request to the token endpoint to obtain a Bearer token.\n3. **Connectivity\ - \ Check**: The action executes the `test_connectivity` method, which performs\ - \ a GET request to the `/rest/v1/services` endpoint.\n4. **Execution Outcome**:\ - \ If the API call is successful, the action returns a success message. If the\ - \ authentication fails or the endpoint is unreachable, the action catches the\ - \ exception and reports a failure status with the error details.\n\n### Additional\ - \ Notes\nThere are no action-specific parameters for this resource." + ai_description: >- + ### General Description + + The **Ping** action is a diagnostic tool used to verify the connectivity between + the Google SecOps (Chronicle) environment and the **Vorlon** instance. It ensures + that the provided credentials (Client ID and Client Secret) are valid and that + the API Root URL is reachable. This action is typically used during the initial + setup of the integration or for troubleshooting communication issues. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | N/A | N/A | N/A | This action does not have any input parameters. It relies + solely on the integration's configuration settings (API Root, Client ID, and Client + Secret). | + + + ### Additional Notes + + - This action does not process any entities. + + - It performs an authentication handshake followed by a basic GET request to the + services endpoint to confirm end-to-end connectivity. + + + ### Flow Description + + 1. **Configuration Extraction**: The action retrieves the `API Root`, `Client + ID`, and `Client Secret` from the integration's configuration. + + 2. **Manager Initialization**: It initializes the `VorlonManager`, which automatically + attempts to fetch an OAuth2 access token using the provided credentials. + + 3. **Connectivity Test**: The action calls the `test_connectivity` method, which + sends a GET request to the `/rest/v1/services` endpoint of the Vorlon API. + + 4. **Result Reporting**: If the request is successful, the action completes with + a success message. If any step fails (e.g., authentication error or network timeout), + it catches the exception and reports a failure. capabilities: can_create_case_comments: false can_create_insight: false @@ -647,12 +730,12 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: false + fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -666,6 +749,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Update Alert: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -679,32 +763,28 @@ Ping: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Update Alert: ai_description: >- - Updates an alert's details or status within the Vorlon platform. This action allows - for programmatic modification of alert attributes by submitting a JSON-formatted - update request to the Vorlon API. - - ### General Description - This action interacts with the Vorlon REST API to update existing alerts. It is - primarily used to change alert statuses (e.g., dismissing an alert) or to apply - updates across linked alerts. The action requires a raw JSON string representing - the update payload, providing flexibility for various update scenarios supported - by the Vorlon platform. + The **Update Alert** action allows users to modify the properties of an existing + alert within the Vorlon platform. This action is primarily used to change the + status of an alert (e.g., dismissing it) or to apply updates to linked alerts + by providing a structured JSON payload. ### Parameters Description @@ -714,29 +794,31 @@ Update Alert: | :--- | :--- | :--- | :--- | | Alert Object | String | Yes | A JSON-formatted string containing the update - details. It typically requires an `alert_id` and the fields to be updated, such - as `new_status` or `apply_to_linked_alerts`. | + details. It must include the `alert_id` and the specific fields to be updated, + such as `new_status` or `apply_to_linked_alerts`. | ### Flow Description - 1. **Configuration Retrieval:** The action fetches the API Root, Client ID, and - Client Secret from the integration settings. + 1. **Parameter Extraction:** The action retrieves the API configuration (API Root, + Client ID, Client Secret) and the `Alert Object` input string. - 2. **Parameter Extraction:** The `Alert Object` string is retrieved from the action - input. + 2. **JSON Validation:** The action attempts to parse the `Alert Object` string + into a JSON object. If the string is not valid JSON, the action fails. - 3. **Manager Initialization:** A `VorlonManager` instance is created, which handles - authentication and token management. + 3. **API Interaction:** The action calls the Vorlon Manager's `update_alert` method, + which sends a `PUT` request to the `/rest/v1/alerts/update` endpoint with the + validated JSON payload. - 4. **JSON Validation:** The action attempts to parse the `Alert Object` string - into a JSON object to ensure it is valid before transmission. + 4. **Result Processing:** The response from the Vorlon server, containing the + updated alert's data, is added to the action's JSON results for use in subsequent + playbook steps. - 5. **API Execution:** The manager sends a `PUT` request to the `/rest/v1/alerts/update` - endpoint with the provided JSON payload. - 6. **Result Processing:** The response from the Vorlon server is captured and - added to the action's JSON results for use in subsequent playbook steps. + ### Additional Notes + + - This action does not run on specific SecOps entities; it operates based on the + `alert_id` provided within the `Alert Object` parameter. capabilities: can_create_case_comments: false can_create_insight: false @@ -745,14 +827,14 @@ Update Alert: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the status or properties of an alert in the Vorlon platform via a PUT - request to the /rest/v1/alerts/update endpoint. - fetches_data: false + Updates the status or properties of an alert on the Vorlon server using a PUT + request. + fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -766,28 +848,3 @@ Update Alert: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: true - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/community/vorlon/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/vorlon/resources/ai/connectors_ai_description.yaml index d1ddddc12..09aec72cd 100644 --- a/content/response_integrations/third_party/community/vorlon/resources/ai/connectors_ai_description.yaml +++ b/content/response_integrations/third_party/community/vorlon/resources/ai/connectors_ai_description.yaml @@ -2,10 +2,11 @@ Vorlon Connector: ai_description: >- ### General Description - The Vorlon Connector enables the ingestion of security alerts from the Vorlon - platform into Google SecOps. It provides visibility into service-to-service interactions, - secret usage, and potential security risks by fetching detailed alert data and - converting it into actionable cases within the SOAR environment. + The Vorlon Connector integrates Google SecOps with the Vorlon platform to automate + the ingestion of security alerts. It monitors for unauthorized or suspicious service-to-service + connections and secret usage, converting these alerts into structured cases for + investigation within the SOAR platform. This allows security teams to centralize + their monitoring of service interactions and potential secret exposures. ### Parameters Description @@ -14,57 +15,54 @@ Vorlon Connector: | :--- | :--- | :--- | :--- | - | API Root | String | Yes | The base URL of your Vorlon instance (e.g., `https://.vorlon.io`). + | API Root | String | Yes | The base URL of the Vorlon instance (e.g., `https://.vorlon.io`). | - | Client ID | String | Yes | The Client ID used for OAuth2 authentication with - the Vorlon API. | + | Client ID | String | Yes | The Client ID used for OAuth2 authentication. | - | Client Secret | Password | Yes | The Client Secret used for OAuth2 authentication - with the Vorlon API. | + | Client Secret | Password | Yes | The Client Secret used for OAuth2 authentication. + | | DeviceProductField | String | Yes | The field name used to determine the device - product in the ingested events. Default is 'Vorlon'. | + product (Default: Vorlon). | - | EventClassId | String | Yes | The field name used to determine the event name - or sub-type. Default is 'type'. | + | EventClassId | String | Yes | The field name used to determine the event name/sub-type + (Default: type). | | Max Days Backwards | String | No | The number of days to look back for alerts - during the first run or if no timestamp is found. Default is 1 day. | + on the first run (Default: 1). | | Max Incidents per Fetch | String | Yes | The maximum number of alerts to retrieve - in a single execution cycle. | + in a single execution cycle (Default: 10). | - | Open Alerts Only | Boolean | No | If enabled, the connector only fetches alerts - with an 'open' status. Otherwise, it fetches open, dismissed, and resolved alerts. - | + | Open Alerts Only | Boolean | No | If enabled, only fetches alerts with an "open" + status. If disabled, fetches open, dismissed, and resolved alerts. | - | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the - connector's Python process. | + | PythonProcessTimeout | String | Yes | The timeout limit in seconds for the connector + execution process. | ### Flow Description - 1. **Authentication**: The connector uses the Client ID and Client Secret to request - an OAuth2 access token from the Vorlon `/rest/v1/token` endpoint. - - 2. **Timestamp Calculation**: It identifies the starting point for the fetch by - checking the last saved timestamp. If unavailable, it uses the 'Max Days Backwards' - parameter. + 1. **Authentication**: The connector authenticates with the Vorlon API using the + provided Client ID and Client Secret to obtain an OAuth2 bearer token via the + `/rest/v1/token` endpoint. - 3. **Alert Fetching**: The connector queries the Vorlon `/rest/v1/alerts` endpoint, - applying filters for the start time, alert status (based on 'Open Alerts Only'), - and the fetch limit. + 2. **Timestamp Management**: It retrieves the last successful execution timestamp + from the SOAR database. If no timestamp exists (e.g., first run), it calculates + a starting point based on the "Max Days Backwards" parameter. - 4. **Pagination**: If more alerts are available than the 'Max Incidents per Fetch' - limit, the connector iterates through pages to collect the requested number of - alerts. + 3. **Alert Retrieval**: The connector queries the Vorlon `/rest/v1/alerts` endpoint, + applying filters for the last saved timestamp, alert status (based on the "Open + Alerts Only" setting), and the "Max Incidents per Fetch" limit. - 5. **Event Mapping**: Each fetched alert is parsed to extract metadata, including - requesting/responding service details, secret types, and severity levels. + 4. **Data Mapping**: Each retrieved alert is transformed into a SOAR event. The + connector extracts critical metadata including requesting/responding service IDs, + service names, secret types, and severity levels. - 6. **Case Ingestion**: The parsed alerts are transformed into Google SecOps `CaseInfo` - objects and sent to the system for processing. + 5. **Case Creation**: The processed events are encapsulated into `CaseInfo` objects, + mapping Vorlon alert titles and IDs to case names and rule generators. - 7. **Checkpointing**: The connector saves the timestamp of the most recent alert - to ensure that the next execution only retrieves new data. + 6. **Ingestion and Checkpointing**: The cases are ingested into Google SecOps, + and the timestamp of the most recent alert is saved to ensure the next iteration + only fetches new data. diff --git a/content/response_integrations/third_party/community/vorlon/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/vorlon/resources/ai/integration_ai_description.yaml index a888df70b..7bf893de0 100644 --- a/content/response_integrations/third_party/community/vorlon/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/community/vorlon/resources/ai/integration_ai_description.yaml @@ -1,5 +1,5 @@ product_categories: - asset_inventory: false + asset_inventory: true cloud_security: true collaboration: false edr: false diff --git a/content/response_integrations/third_party/community/webhook/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/webhook/resources/ai/actions_ai_description.yaml index 5840f2968..b285388f5 100644 --- a/content/response_integrations/third_party/community/webhook/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/webhook/resources/ai/actions_ai_description.yaml @@ -1,57 +1,81 @@ Create Token: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Create Token** action generates a new webhook token within the Webhook integration. - This action is primarily used to set up a unique URL that can receive incoming - HTTP requests. When the generated URL is accessed, the service will respond with - the user-defined content and content type. This is highly useful for testing external - callbacks, orchestrating multi-step automation flows that require external triggers, - or verifying connectivity. + Creates a new webhook token on the Webhook service. This action generates a unique + URL that can be used to receive incoming HTTP requests, which is useful for testing + integrations or setting up temporary callback endpoints. ### Parameters Description - | Parameter Name | Type | Mandatory | Description | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Default Content** | string | True | The specific content or message that will - be displayed/returned when the generated webhook URL is visited or called. | + | Default Content | string | Yes | The content that will be displayed or returned + in the response body when the generated webhook URL is accessed. | - | **Default Content Type** | string | True | The MIME type of the content (e.g., - `text/html`, `application/json`) to be returned by the webhook URL. | + | Default Content Type | string | Yes | The MIME type of the content (e.g., `text/html` + or `application/json`) to be returned by the webhook URL. | - | **Timeout** | string | False | The number of seconds (0-10) the service should - wait before returning a response when the webhook is triggered. Used for testing - timeout scenarios. | + | Timeout | string | No | The number of seconds (max 10) the service should wait + before returning a response to a request sent to the webhook URL. | - ### Additional Notes + ### Flow Description - - This action does not operate on specific SecOps entities; it is a utility action - that interacts with the Webhook service to create infrastructure for the case. + 1. **Parameter Extraction**: The action retrieves the 'Default Content', 'Default + Content Type', and 'Timeout' values from the input parameters. - - The action returns a `webhookURL` which is the concatenation of the integration's - base URL and the newly created token's UUID. + 2. **Manager Initialization**: It initializes the WebhookManager using the base + URL from the integration configuration. + 3. **Token Creation**: The action calls the `create_token` method, which sends + a POST request to the external service's `/token` endpoint with the specified + payload. - ### Flow Description + 4. **URL Generation**: Upon receiving a successful response containing a UUID, + the action constructs the full webhook URL. - 1. **Parameter Extraction:** The action retrieves the `Default Content`, `Default - Content Type`, and `Timeout` from the user input. + 5. **Output**: The action returns the generated URL and the full JSON response + from the service to the SOAR platform. - 2. **Manager Initialization:** It initializes the `WebhookManager` using the base - URL configured in the integration settings. - 3. **Token Creation:** The action sends a POST request to the `/token` endpoint - of the Webhook service with the provided parameters. + ### Additional Notes - 4. **URL Construction:** Upon a successful response, it extracts the `uuid` and - constructs the full `webhookURL`. + - The 'Timeout' parameter is intended for testing timeout behaviors and is capped + at 10 seconds. - 5. **Result Reporting:** The action outputs the full JSON response from the service - and provides the created URL in the output message. + - The generated webhook URL is unique to the created token. capabilities: can_create_case_comments: false can_create_insight: false @@ -60,14 +84,14 @@ Create Token: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - This action performs a POST request to the external Webhook service to create - a new token resource, which generates a unique endpoint on that system. + Creates a new webhook token on the external service, which generates a unique + URL for receiving incoming requests. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -81,6 +105,7 @@ Create Token: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Delete Token: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -94,60 +119,59 @@ Create Token: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Delete Token: ai_description: >- - Deletes a specific Webhook token using its unique identifier. This action communicates - with the Webhook service to remove the token, which results in the associated - webhook URL becoming inaccessible. It is primarily used for cleaning up temporary - webhooks or revoking access to specific endpoints. + ### General Description + Deletes a Webhook token using its unique identifier. This action interacts with + the Webhook service to remove the specified token, effectively disabling the associated + webhook URL and preventing any further requests from being received or processed + through it. - ### Flow Description: - 1. **Parameter Extraction:** The action retrieves the 'Token ID' from the input - parameters. + ### Parameters Description - 2. **Manager Initialization:** It initializes the WebhookManager using the base - URL provided in the integration configuration. + | Parameter | Description | Type | Mandatory | - 3. **External Request:** The action calls the `delete_token` method, which sends - an HTTP DELETE request to the external service's token endpoint. + | :--- | :--- | :--- | :--- | - 4. **Result Handling:** If the request is successful, it returns a completion - status and a success message. If the request fails, it captures the error and - reports a failure. + | Token ID | The unique identifier of the token to be deleted. | String | Yes + | - ### Parameters Description: + ### Flow Description - | Parameter Name | Description | Type | Mandatory | Notes | + 1. **Parameter Extraction**: The action retrieves the `Token ID` provided by the + user. - | :--- | :--- | :--- | :--- | :--- | + 2. **Manager Initialization**: Initializes the Webhook manager using the configured + base URL. - | Token ID | The unique identifier of the webhook token that needs to be deleted. - | String | Yes | This ID is used to construct the specific API endpoint for deletion. - | + 3. **External Request**: Executes a DELETE request to the external Webhook service + endpoint corresponding to the provided token ID. + 4. **Result Handling**: Captures the response status from the external service + and updates the action result to indicate whether the deletion was successful. - ### Additional Notes: - - This action does not process or interact with SOAR entities (IPs, Hostnames, - etc.). + ### Additional Notes - - Successful execution results in a permanent state change in the external Webhook - service. + There are no entities involved in this action; it operates solely based on the + provided `Token ID` parameter. capabilities: can_create_case_comments: false can_create_insight: false @@ -156,14 +180,14 @@ Delete Token: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - The action sends an HTTP DELETE request to the external Webhook service to remove - a specific token, making the associated URL endpoint permanently inaccessible. + Deletes a specific webhook token from the external service, making the associated + URL inaccessible. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -177,6 +201,7 @@ Delete Token: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Webhook Response: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -190,82 +215,80 @@ Delete Token: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: false + search_events: true send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Webhook Response: ai_description: >- - The 'Get Webhook Response' action is an asynchronous task designed to retrieve - request data sent to a specific Webhook URL associated with a provided Token ID. - It allows analysts to monitor incoming HTTP requests to a webhook endpoint, which - is often used for receiving callbacks or manual interactions from external users. - The action supports two modes of operation: waiting for a predefined duration - (TimeFrame) or waiting until at least one request is detected (AwaitClick). It - automatically filters out automated requests from Slackbots to ensure data relevance. + The 'Get Webhook Response' action is designed to retrieve data from requests sent + to a specific webhook URL, formatted as `{Base URL}/{Token ID}`. This action is + asynchronous and can be configured to wait for data based on two distinct conditions: + a fixed timeframe or until the first request is detected. It is primarily used + to capture external callbacks or manual interactions (like a user clicking a link) + and bring that data back into the SOAR platform for analysis. - ### Flow Description: - - 1. **Initialization**: The action extracts the base URL from the integration configuration - and retrieves user-provided parameters including the Token ID, retrieval preference - (All vs. Latest), and the pending condition logic. + ### Flow Description - 2. **Condition Evaluation**: - * **TimeFrame Mode**: If the action is in its first run, it calculates the - expiration time. In subsequent runs, it checks if the specified timeframe has - elapsed. If the time has passed, it proceeds to fetch the data; otherwise, it - remains in an 'In Progress' state. - * **AwaitClick Mode**: The action immediately attempts to fetch requests. - If requests are found, it completes. If no requests are found, it remains 'In - Progress' to check again in the next cycle. - 3. **Data Retrieval**: The action calls the Webhook API to fetch request logs - for the specific Token ID. + 1. **Parameter Initialization:** The action retrieves the `Token ID`, `Responses + To Retrieve` (All or Latest), `TimeFrame`, and `Pending Condition` from the input + parameters. - 4. **Data Processing**: It filters the results to exclude requests generated by - Slack user agents and, if configured, restricts the output to only the most recent - request. + 2. **Condition Handling:** + * **TimeFrame Mode:** The action calculates the start time. If the current + execution is within the specified `TimeFrame` (in minutes), it sets the status + to 'In Progress' and waits. Once the timeframe expires, it performs a single fetch + of the webhook requests. + * **AwaitClick Mode:** The action immediately checks for any requests associated + with the `Token ID`. If at least one request is found, it completes. If no requests + are found, it sets the status to 'In Progress' to check again in the next iteration. + 3. **Data Retrieval:** The action calls the Webhook API to fetch request data. + It automatically filters out requests generated by Slackbots (based on the User-Agent). - 5. **Finalization**: The retrieved data is attached as a JSON result, and the - action completes with a summary message. + 4. **Result Processing:** Depending on the `Responses To Retrieve` parameter, + it returns either the full list of requests or only the most recent one. The data + is then attached to the action results as a JSON object. - ### Parameters Description: + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Pending Condition | DDL | Yes | Determines the wait logic. 'TimeFrame' waits - for a set duration before fetching. 'AwaitClick' waits until the first request + | Pending Condition | DDL | Yes | Determines the wait logic. `TimeFrame` waits + for a set duration before fetching; `AwaitClick` waits until at least one request is received. | - | TimeFrame | String | Yes | The number of minutes to wait before the action stops - listening and returns the collected data. Only relevant if 'Pending Condition' - is set to 'TimeFrame'. | + | TimeFrame | String | Yes | The number of minutes to wait before fetching data + when `Pending Condition` is set to `TimeFrame`. | - | Responses To Retrieve | DDL | Yes | Specifies whether to return 'All' requests - captured during the window or only the 'Latest' single request. | + | Responses To Retrieve | DDL | Yes | Determines the scope of data returned. `All` + retrieves all captured requests; `Latest` retrieves only the most recent request. + | - | Token ID | String | Yes | The unique identifier of the webhook token to monitor - for incoming requests. | + | Token ID | String | Yes | The unique identifier for the webhook token to monitor. + | - ### Additional Notes: + ### Additional Notes - * This action is **Asynchronous**, meaning it will run repeatedly in the background - until the specified condition (time or data arrival) is met. + * This action does not process SOAR entities; it operates strictly based on the + provided `Token ID` parameter. - * The action is designed to work with the Webhook integration's token system where - URLs follow the pattern `{Base URL}/{Token ID}`. + * The action is asynchronous (`is_async: true`), meaning it will yield execution + and resume until the specified condition is met or a system timeout occurs. capabilities: can_create_case_comments: false can_create_insight: false @@ -279,7 +302,7 @@ Get Webhook Response: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -293,6 +316,7 @@ Get Webhook Response: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -306,55 +330,55 @@ Get Webhook Response: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: ai_description: >- ### General Description - The **Ping** action is a diagnostic tool used to verify the connectivity between - the Google SecOps platform and the Webhook service. It ensures that the configured - URL is reachable and that the integration can successfully communicate with the - target endpoint. + The **Ping** action is a diagnostic utility designed to verify the connectivity + between the Google SecOps platform and the Webhook service. Its primary purpose + is to ensure that the integration configuration (specifically the base URL) is + correct and that the external service is reachable and responding to requests. ### Parameters Description - There are no user-input parameters for this action. It relies solely on the integration's - global configuration settings (specifically the 'URL' parameter). + There are no parameters for this action. ### Additional Notes - This action is typically used during the initial setup of the integration or for - troubleshooting communication issues. It does not interact with any entities or - modify any data. + This action relies on the 'URL' parameter provided in the integration's global + configuration. It does not interact with any entities or alert data. ### Flow Description - 1. **Configuration Retrieval**: The action fetches the `URL` parameter from the - integration's global configuration. + 1. **Configuration Retrieval**: The action retrieves the 'URL' setting from the + Webhook integration configuration. - 2. **Manager Initialization**: It initializes the `WebhookManager` with the retrieved + 2. **Manager Initialization**: It initializes the `WebhookManager` with the provided base URL. - 3. **Connectivity Test**: The action calls the `test_connectivity` method, which - performs a standard HTTP GET request to the base URL. + 3. **Connectivity Test**: The action executes the `test_connectivity` method, + which performs an HTTP GET request to the base URL. - 4. **Result Reporting**: If the request returns a successful status code (2xx), - the action reports a successful connection. If an exception occurs or the status - code indicates an error, the action fails and provides the error details. + 4. **Execution Outcome**: If the request is successful (no exceptions raised), + the action returns a success message. If the request fails, it captures the error + and returns a failure state. capabilities: can_create_case_comments: false can_create_insight: false @@ -363,12 +387,12 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -382,28 +406,3 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/community/whois_xml_api/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/whois_xml_api/resources/ai/actions_ai_description.yaml index 200799713..c8f651d46 100644 --- a/content/response_integrations/third_party/community/whois_xml_api/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/whois_xml_api/resources/ai/actions_ai_description.yaml @@ -1,54 +1,69 @@ Enrich Entities: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Enrich Entities** action retrieves WHOIS registration information for Hostname - and URL entities using the Whois XML API. It specifically targets external hostnames - and all URLs to gather registrant details such as name, organization, and contact - information, which are then appended to the entity's metadata within Google SecOps - to provide analysts with ownership context. + Enriches Hostname and URL entities using the Whois XML API. This action retrieves + detailed registration information, such as registrant name, organization, and + contact details, and maps this data directly to the entity's additional properties + within Google SecOps. This provides analysts with immediate context regarding + the ownership and history of external domains and URLs. ### Parameters Description - | Parameter | Expected Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | API Key | String | Yes | This is an integration-level configuration parameter - used to authenticate requests to the Whois XML API. It is not an action-specific - parameter but is required for the action to function. | - - - ### Additional Notes - - - This action only processes Hostname entities that are marked as **not internal** - (`is_internal` is false). - - - The retrieved registrant details are added to the `additional_properties` of - the entity, making them visible in the Entity Explorer. + There are no action-specific parameters for this action. It relies on the 'API + Key' provided in the integration configuration. ### Flow Description - 1. **Initialization**: The action retrieves the API Key from the integration configuration - and constructs the base URL for the Whois XML API service. + 1. **Configuration Retrieval**: Extracts the Whois XML API Key from the integration's + global configuration. - 2. **Entity Filtering**: It iterates through the `target_entities` in the current - context, selecting only Hostnames (where `is_internal` is false) and URLs. + 2. **Entity Filtering**: Iterates through the target entities in the current context, + selecting only those that are of type `HOSTNAME` (and are not marked as internal) + or `URL`. - 3. **API Request**: For each valid entity, a GET request is sent to the Whois - XML API to fetch the WHOIS record in JSON format. + 3. **External API Query**: For each eligible entity, it performs a GET request + to the Whois XML API service using the entity's identifier as the domain name. - 4. **Data Extraction**: The action parses the API response to extract registrant - details (e.g., name, organization) from the `WhoisRecord` object. + 4. **Data Extraction**: Parses the JSON response to locate the `WhoisRecord` and + specifically the `registrant` details. - 5. **Internal Enrichment**: If registrant data is found, the action updates the - entity's `additional_properties` with this information. + 5. **Internal Enrichment**: Updates the entity's `additional_properties` with + the retrieved registrant information. - 6. **Finalization**: The action updates the entities within Google SecOps, attaches - the full JSON response to the action results, and returns a summary message listing - the successfully processed entities. + 6. **Finalization**: Reports the successfully enriched entities back to Google + SecOps, updates the entity objects in the platform, and provides a summary message + of the results. capabilities: can_create_case_comments: false can_create_insight: false @@ -59,14 +74,14 @@ Enrich Entities: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with WHOIS registrant information retrieved - from the API. + Updates entity additional properties with registrant details retrieved from + the Whois XML API. categories: enrichment: true entity_usage: entity_types: - - HOSTNAME - - DestinationURL + - HOSTNAME + - DestinationURL filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -80,6 +95,7 @@ Enrich Entities: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Domain Details: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -93,67 +109,63 @@ Enrich Entities: enrich_asset: false enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Domain Details: ai_description: >- ### General Description The **Get Domain Details** action retrieves comprehensive WHOIS information for - a specified domain using the WHOIS XML API. It allows analysts to gather registration - details, ownership information, and optionally check the domain's availability - status. The results are returned as a JSON object, making them accessible for - subsequent playbook steps. + a specified domain using the WHOIS XML API. It provides details such as registration + dates, registrar information, registrant contact details, and name servers. This + action is primarily used to gather context about a domain during an investigation. ### Parameters Description - | Parameter | Type | Mandatory | Description | + | Parameter Name | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Domain Name | String | Yes | The specific domain (e.g., google.com) to perform - the WHOIS lookup on. | + | Domain Name | String | Yes | The domain name to retrieve WHOIS details for (e.g., + google.com). | - | Check availability | Boolean | No | If set to "true", the action will include - domain availability information in the response. Defaults to "false". | + | Check availability | Boolean | No | If set to true, the action will also check + the availability of the domain. Defaults to false. | - ### Additional Notes - - This action does not automatically process entities from the Google SecOps case. - It relies entirely on the provided "Domain Name" parameter. To use this action - with case entities, the domain must be passed into the "Domain Name" parameter - via a placeholder. + ### Flow Description + 1. **Initialization**: The action retrieves the API Key from the integration configuration. - ### Flow Description + 2. **Parameter Extraction**: It extracts the target domain name and the optional + availability check flag from the action parameters. - 1. **Configuration Retrieval**: The action retrieves the API Key from the integration's - configuration settings. + 3. **Request Construction**: A GET request URL is constructed targeting the WHOIS + XML API endpoint, including the domain name and the availability check preference. - 2. **Parameter Extraction**: It extracts the target domain name and the availability - check preference from the action parameters. + 4. **Data Retrieval**: The action sends a request to the external API. - 3. **Request Construction**: A GET request URL is constructed, incorporating the - API key, the target domain, and the availability flag. + 5. **Output**: The resulting JSON data is attached to the action results and made + available for subsequent playbook steps. - 4. **API Interaction**: The action sends a request to the WHOIS XML API service. - 5. **Data Processing**: The JSON response from the API is captured. + ### Additional Notes - 6. **Result Output**: The retrieved data is attached to the action results in - JSON format for use in the Google SecOps platform. + This action does not automatically process entities from the case; it requires + a domain name to be provided as a direct input parameter. capabilities: can_create_case_comments: false can_create_insight: false @@ -167,7 +179,7 @@ Get Domain Details: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -181,6 +193,7 @@ Get Domain Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -194,49 +207,57 @@ Get Domain Details: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: ai_description: >- ### General Description - The **Ping** action is a diagnostic utility used to verify the connectivity between - Google SecOps and the **Whois XML API** service. Its primary purpose is to ensure - that the integration's configuration, specifically the API Key, is valid and that - the service endpoint is reachable. + The **Ping** action is a diagnostic utility designed to verify the connectivity + between the Google SecOps environment and the Whois XML API service. Its primary + purpose is to ensure that the integration is correctly configured and that the + API credentials provided are valid. ### Parameters Description - This action does not require any input parameters. It relies solely on the global - integration configuration. + There are no input parameters for this action. It relies solely on the integration's + configuration settings (API Key). + + + ### Additional Notes + + This action is a standard connectivity check. According to the classification + rules, actions named 'Ping' are not categorized as enrichment actions, even though + they perform a read-only request to an external service. ### Flow Description - 1. **Configuration Retrieval**: The action extracts the `API Key` from the integration's - configuration settings. + 1. **Configuration Extraction**: The action retrieves the 'API Key' from the integration's + global configuration. - 2. **Connectivity Test**: It performs a test GET request to the Whois XML API - endpoint, specifically requesting WHOIS data for the domain `google.com` to validate - the connection. + 2. **Connectivity Test**: It performs an HTTP GET request to the Whois XML API + endpoint, using a test query for 'google.com' to validate the communication path. - 3. **Authentication Check**: The action inspects the API response for specific - error strings, such as "ApiKey authenticate failed", to determine if the credentials + 3. **Credential Validation**: The action inspects the response body for specific + error strings (e.g., 'ApiKey authenticate failed') to determine if the credentials are valid. - 4. **Status Reporting**: If the request is successful and no authentication errors - are found, the action returns a success status; otherwise, it raises an exception. + 4. **Status Reporting**: If the request is successful and credentials are valid, + the action concludes with a 'Successful Connection' status. capabilities: can_create_case_comments: false can_create_insight: false @@ -250,7 +271,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -264,28 +285,3 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/community/workflow_tools/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/workflow_tools/resources/ai/actions_ai_description.yaml index ffe616fa2..365d16dba 100644 --- a/content/response_integrations/third_party/community/workflow_tools/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/workflow_tools/resources/ai/actions_ai_description.yaml @@ -1,54 +1,59 @@ Approval Request: - ai_description: >- - ### General Description - - The **Approval Request** action is designed to pause a workflow and require manual - intervention from a designated reviewer. It manages the assignment of cases within - Google SecOps and provides external notification via Slack to ensure reviewers - are alerted promptly. A key feature is the ability to isolate a specific alert - into its own case, preventing a single approval from inadvertently affecting other - alerts grouped in the same case. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Move Alert If Grouped | Boolean | No | If set to `true` (default), and the current - case contains more than one alert, the action will move the specific alert being - processed into a new, separate case before assigning it to the reviewer. | - - - ### Flow Description - - 1. **Configuration Retrieval:** The action fetches necessary integration settings, - including Siemplify API credentials, the Slack webhook URL, and the designated - Approval Managers. - - 2. **Case/Alert Evaluation:** It identifies the current case and alert identifiers. - - 3. **Alert Isolation (Optional):** If `Move Alert If Grouped` is enabled and the - case has multiple alerts, the action calls the Siemplify API to move the current - alert to a new case. - - 4. **Assignment:** The action assigns the target case (either the original or - the newly created one) to the primary Approval Manager. - - 5. **Notification:** A message containing a direct link to the case is sent to - the configured Slack webhook. - - 6. **Result Reporting:** The action returns a JSON object containing the original - and (if applicable) new case IDs, along with the assigned managers. - - - ### Additional Notes - - - This action requires the "Workflow Tools" integration to be properly configured - with an API Key that has permissions to move alerts and assign cases. - - - If no Slack Webhook URL is provided, the notification step is skipped. + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: true + submit_file: false + uncontain_host: false + update_alert: true + update_email: false + update_identity: false + update_ticket: false + ai_description: "### General Description\nThe **Approval Request** action is designed\ + \ to facilitate manual intervention within a workflow by pausing execution and\ + \ requiring a reviewer's approval. It manages the assignment of cases to specific\ + \ approval managers and provides the option to isolate a specific alert into its\ + \ own case if it is currently grouped with others. Additionally, it integrates\ + \ with Slack to notify the designated reviewer that a case is awaiting their attention.\n\ + \n### Parameters Description\n| Parameter | Description | Type | Mandatory | \n\ + | :--- | :--- | :--- | :--- |\n| Move Alert If Grouped | If set to `true` and\ + \ the current case contains multiple alerts, the action will move the specific\ + \ alert being processed into a new, separate case before assigning it for approval.\ + \ If `false`, the entire case is assigned as-is. | Boolean | No (Default: true)\ + \ |\n\n### Additional Notes\n- This action requires several integration-level\ + \ configuration parameters to be set, including the Siemplify API Key, API Root,\ + \ Instance Hostname, and a Slack Webhook URL.\n- The 'Approval Manager' and 'Secondary\ + \ Approval Manager' are defined at the integration configuration level, not as\ + \ action parameters.\n- If the alert is moved to a new case, the action returns\ + \ both the original and the new case IDs in the JSON result.\n\n### Flow Description\n\ + 1. **Initialization**: The action retrieves configuration details for the Siemplify\ + \ API and Slack webhook.\n2. **Grouping Check**: It evaluates the `Move Alert\ + \ If Grouped` parameter. If enabled and the case contains more than one alert,\ + \ it triggers a request to the Siemplify API to move the current alert to a new\ + \ case.\n3. **Case Assignment**: The action assigns the relevant case (either\ + \ the original one or the newly created one) to the designated 'Approval Manager'.\n\ + 4. **Notification**: It constructs a message containing a direct link to the case\ + \ and sends it to the configured Slack channel via a webhook.\n5. **Completion**:\ + \ The action finishes with a status of 'Completed', providing the case IDs and\ + \ assignment details in the output." capabilities: can_create_case_comments: false can_create_insight: false @@ -57,15 +62,16 @@ Approval Request: can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: >- - Sends a notification message to a Slack channel via a webhook. - fetches_data: true + Sends a notification message to an external Slack channel via a webhook to alert + a reviewer. + fetches_data: false internal_data_mutation_explanation: >- - Reassigns the case to a specific reviewer and potentially moves an alert to - a new case within Google SecOps. + Reassigns the case to a specific user and potentially moves an alert to a new + case, changing the case structure within Google SecOps. categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -79,8 +85,9 @@ Approval Request: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Approval Response: action_product_categories: - add_alert_comment: false + add_alert_comment: true add_ioc_to_allowlist: false add_ioc_to_blocklist: false contain_host: false @@ -92,70 +99,48 @@ Approval Request: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: true submit_file: false uncontain_host: false - update_alert: true + update_alert: false update_email: false update_identity: false update_ticket: false -Approval Response: - ai_description: >- - Processes an approval or denial for a workflow request within a Google SecOps - case. This action validates that the user executing the action is an authorized - 'Approval Manager' or 'Secondary Approval Manager' (supporting both specific usernames - and roles starting with '@'). If authorized, it records the decision, adds any - provided comments to the case, and sends a notification to a configured Slack - webhook. - - - ### Flow Description - - 1. **Authentication & Setup:** Extracts configuration parameters including API - credentials, Slack Webhook URL, and authorized Approval Managers. - - 2. **User Validation:** Identifies the user who triggered the action and verifies - if they match the authorized managers or belong to the authorized SOC roles by - querying the internal User Profiles API. - - 3. **Decision Processing:** Based on the 'Action Approved' parameter, it determines - the approval status and constructs a notification message. - - 4. **Internal Mutation:** If 'Response Comments' are provided, it appends them - as a comment to the current case and alert. - - 5. **External Notification:** Sends the final approval or denial message (including - links to the case) to the specified Slack channel. - - 6. **Result Reporting:** Returns a JSON object containing the reviewer's name, - comments, and the final approval status. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Action Approved | boolean | No | Determines the outcome of the request. If true, - the request is marked as approved; if false, it is denied. Default is false. | - - | Response Comments | string | No | Optional notes provided by the reviewer. These - are added as a case comment and included in the Slack notification. | - - - ### Additional Notes - - - The action will fail with an error if the user attempting to run it is not listed - as an 'Approval Manager' or 'Secondary Approval Manager' in the integration settings. - - - Role-based authorization is supported by prefixing the manager name with '@' - (e.g., '@SOC_Managers'). + ai_description: "### General Description\nThe **Approval Response** action allows\ + \ an authorized user (Approval Manager) to respond to a pending approval request\ + \ within a Google SecOps workflow. It validates the identity of the user attempting\ + \ the action against a predefined list of managers or roles. Once validated, it\ + \ records the approval or denial decision, attaches reviewer comments to the case,\ + \ and sends a notification to a Slack channel.\n\n### Parameters Description\n\ + \n| Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :---\ + \ |\n| Action Approved | Boolean | Yes | Determines the outcome of the request.\ + \ If set to `True`, the request is approved; if `False`, it is denied. |\n| Response\ + \ Comments | String | No | Optional notes or justification provided by the reviewer.\ + \ These are added as a comment to the case. |\n\n### Flow Description\n1. **Configuration\ + \ Extraction:** The action retrieves integration settings including API credentials,\ + \ Slack webhook URLs, and the identities of authorized Approval Managers.\n2.\ + \ **User Validation:** It identifies the user who triggered the action (`original_requesting_user`)\ + \ and checks if they match the authorized manager names or belong to the authorized\ + \ SOC roles by querying the Google SecOps API.\n3. **Decision Processing:** \n\ + \ * If the user is authorized and the action is approved, it prepares an approval\ + \ message.\n * If the user is authorized and the action is denied, it prepares\ + \ a denial message.\n * If the user is unauthorized, the action fails and sends\ + \ an error notification to Slack.\n4. **Internal Documentation:** If comments\ + \ were provided, the action adds them to the case wall using the `add_comment`\ + \ method.\n5. **External Notification:** The final decision (including the reviewer's\ + \ name and comments) is posted to the configured Slack webhook.\n\n### Additional\ + \ Notes\n* This action requires the `Workflow Tools` integration to be configured\ + \ with a valid Siemplify API Key and Root to perform user role validation.\n*\ + \ If the `Approval Manager` parameter starts with an `@` symbol, the action treats\ + \ it as a Role check rather than a specific username check." capabilities: can_create_case_comments: true can_create_insight: false @@ -164,16 +149,16 @@ Approval Response: can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: >- - Sends a notification message to a Slack channel via a webhook to inform stakeholders - about the approval or denial of the workflow request. + Sends a notification message to an external Slack channel via a webhook to report + the approval or denial of a request. fetches_data: true internal_data_mutation_explanation: >- - Adds a case comment to the Google SecOps case containing the reviewer's notes - and the approval decision. + Adds a comment to the Google SecOps case containing the reviewer's notes and + decision details. categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -187,8 +172,9 @@ Approval Response: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Assign Case to Current User: action_product_categories: - add_alert_comment: true + add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false contain_host: false @@ -200,67 +186,40 @@ Approval Response: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false - update_alert: false + update_alert: true update_email: false update_identity: false update_ticket: false -Assign Case to Current User: - ai_description: >- - ### General Description - - Assigns the current case and alert to the user who manually triggered the action. - This action is designed to be used at the beginning of a playbook to ensure that - the analyst who initiates the investigation is officially recorded as the owner - of the case and the specific alert within the Google SecOps platform. - - - ### Parameters Description - - | Parameter Name | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | None | N/A | N/A | This action does not require any input parameters. | - - - ### Additional Notes - - * **Manual Execution Required:** This action will fail if executed automatically - by the system (e.g., as part of an automated playbook trigger) because it relies - on the `original_requesting_user` context, which is only populated during manual - execution. - - * **System User Check:** The action explicitly checks if the requesting user is - "System" and will raise an error if so, preventing automated assignments to the - system account. - - - ### Flow Description - - 1. **Configuration Retrieval:** The action retrieves the necessary API credentials - and instance hostname from the integration configuration. - - 2. **Context Identification:** It identifies the current Case ID and Alert ID - from the execution context. - - 3. **User Identification:** It retrieves the identifier of the user who triggered - the action (`original_requesting_user`). - - 4. **Validation:** It verifies that the requesting user is not the "System" user. - - 5. **Assignment:** It calls the internal SDK method to assign the case and alert - to the identified user. - - 6. **Completion:** The action ends, returning the username of the assigned user - as the result value. + ai_description: "### General Description\nThis action assigns the current case and\ + \ alert to the user who manually triggered the action. It is specifically designed\ + \ to be used at the beginning of a playbook to establish ownership when an analyst\ + \ begins investigating a case. \n\n### Parameters Description\nThere are no input\ + \ parameters for this action.\n\n### Additional Notes\n* This action **must**\ + \ be executed manually by a user. If triggered automatically by the system (e.g.,\ + \ as part of an automated playbook run without manual intervention), the action\ + \ will fail because it cannot assign a case to the 'System' user.\n* The action\ + \ requires the 'Workflow Tools' integration to be configured with a valid Siemplify\ + \ API Key and Root URL to perform the assignment.\n\n### Flow Description\n1.\ + \ **Configuration Extraction:** The action retrieves the API Key, API Root, and\ + \ Instance Hostname from the integration settings.\n2. **Context Retrieval:**\ + \ It identifies the current Case ID, Alert ID, and the username of the person\ + \ who requested the action execution.\n3. **User Validation:** The action checks\ + \ if the requesting user is the 'System' user. If it is, the action raises an\ + \ error, as it requires a human analyst for assignment.\n4. **Assignment:** If\ + \ valid, the action calls the internal API to assign the specific case and alert\ + \ to the requesting user.\n5. **Completion:** The action finishes by returning\ + \ the username of the assigned analyst as the result value." capabilities: can_create_case_comments: false can_create_insight: false @@ -271,12 +230,12 @@ Assign Case to Current User: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Updates the owner/assignee of the current case and alert within the Google SecOps - platform. + Assigns the current case and alert to the user who triggered the action within + the Google SecOps platform. categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -290,6 +249,7 @@ Assign Case to Current User: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -303,58 +263,62 @@ Assign Case to Current User: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: true submit_file: false uncontain_host: false - update_alert: true + update_alert: false update_email: false update_identity: false update_ticket: false -Ping: ai_description: >- ### General Description The **Ping** action is a diagnostic tool designed to verify the connectivity and - configuration of the Workflow Tools integration. It ensures that the Google SecOps - platform can successfully communicate with its internal API and external services - like Slack. + configuration of the Workflow Tools integration. It performs a two-fold validation: + first, it checks the availability and permissions of the configured Approval Managers + within the Google SecOps (Chronicle) environment; second, it verifies the outbound + communication to Slack by sending a test message via a webhook. ### Parameters Description - There are no action-specific parameters for this action. It relies entirely on - the integration's configuration settings, such as the API Key, API Root, and Slack - Webhook URL. + This action does not take any dynamic input parameters. It relies entirely on + the integration's global configuration settings: + * **Siemplify API Key/Root**: Used to authenticate and communicate with the internal + SecOps API. - ### Flow Description + * **Slack Webhook URL**: The endpoint used to send the test notification. - 1. **Configuration Extraction**: The action retrieves integration-level settings, - including the Siemplify API Key, API Root, and Slack Webhook URL. + * **Approval Manager / Secondary Approval Manager**: The identities or roles that + the action attempts to verify. - 2. **Manager Initialization**: Initializes the `WorkflowToolsManager` with the - extracted configuration to handle API requests. - 3. **User/Role Validation**: The action calls the internal API (`GetUserProfiles`) - to verify the existence and roles of the primary and secondary approval managers - specified in the configuration. + ### Flow Description - 4. **External Connectivity Test**: Sends a test notification message to the configured - Slack Webhook URL to verify outbound communication. + 1. **Configuration Extraction**: The action retrieves the API keys, hostnames, + and reviewer identities from the integration settings. - 5. **Execution Completion**: If all checks (API connectivity and Slack messaging) - succeed, the action completes with a success status. + 2. **Manager Initialization**: Initializes the `WorkflowToolsManager` to handle + API requests. + 3. **User Verification**: Calls the internal SecOps API (`GetUserProfiles`) to + verify that the primary and secondary Approval Managers exist or that the current + user belongs to the specified roles. - ### Additional Notes + 4. **External Notification**: Sends a test message ("This is a test message. Posted + by Workflow Tools Ping.") to the configured Slack Webhook URL. - This action does not interact with or process any entities within a case. It is - strictly for system health and configuration validation. + 5. **Completion**: If all API calls and the Slack webhook request succeed, the + action returns a success status. capabilities: can_create_case_comments: false can_create_insight: false @@ -363,14 +327,13 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Sends a test message to a Slack channel via a configured webhook URL to verify - connectivity. + Sends a test message to a Slack channel using the configured Webhook URL. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -384,28 +347,3 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/community/zoom/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/zoom/resources/ai/actions_ai_description.yaml index 0436c162f..9227c9fb7 100644 --- a/content/response_integrations/third_party/community/zoom/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/zoom/resources/ai/actions_ai_description.yaml @@ -1,10 +1,38 @@ Create Meeting: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Create a scheduled or instant meeting in Zoom for a specific host. This action - allows users to automate the creation of Zoom meetings directly from a playbook, - providing a join URL and full meeting details upon success. + Creates a scheduled or instant meeting in Zoom for a specified host. This action + allows for the automated creation of collaboration sessions directly from a playbook, + facilitating rapid incident response coordination. ### Parameters Description @@ -13,46 +41,49 @@ Create Meeting: | :--- | :--- | :--- | :--- | - | Meeting Type | ddl | Yes | The type of the meeting: 'Instant' or 'Scheduled'. - | + | Meeting Type | Dropdown | Yes | Specifies if the meeting is 'Instant' or 'Scheduled'. + Note that 'Instant' will override 'Scheduled' configurations. | - | Meeting Start Time | string | Yes | Meeting start time in GMT (yyyy-mm-dd hh:mm:ss). - Used for scheduled meetings. | + | Meeting Start Time | String | Yes | The start time for scheduled meetings. Expected + format is GMT 'yyyy-mm-dd hh:mm:ss'. | - | Meeting Topic | string | Yes | The topic or title of the meeting. | + | Meeting Topic | String | Yes | The title or subject of the meeting. | - | Auto Recording Type | ddl | Yes | Recording preference: 'local', 'cloud', or - 'none'. | + | Auto Recording Type | Dropdown | Yes | Determines if the meeting should be recorded + automatically. Options are 'local', 'cloud', or 'none'. | - | Time Zone | string | Yes | The time zone in 'Continent/Country' format. | + | Time Zone | String | Yes | The time zone for the meeting in 'Continent/Country' + format (e.g., 'Europe/London'). | - | Meeting Duration | string | Yes | The duration of the meeting in minutes. | + | Meeting Duration | String | Yes | The length of the meeting in minutes. | - | Host Email Address | string | Yes | The email address of the Zoom user who will - host the meeting. | + | Host Email Address | String | Yes | The email address of the Zoom user who will + be the host of the meeting. | - ### Flow Description + ### Additional Notes - 1. **Parameter Extraction**: The action retrieves the meeting details (topic, - type, time, duration, etc.) and the host's email from the input parameters. + - This action requires either OAuth credentials (Account ID, Client ID, Client + Secret) or a JWT Token to be configured in the Zoom integration settings. - 2. **API Interaction**: It uses the Zoom API to send a POST request to the `/users/{host_email}/meetings` - endpoint. + - Upon successful creation, the action provides a direct 'Meeting URL link' in + the SOAR interface for easy access. - 3. **Link Generation**: If the meeting is created successfully, the action extracts - the `join_url` and adds it as a link to the action results for easy access. - 4. **Result Reporting**: The action outputs the full JSON response from Zoom and - marks the execution as completed. + ### Flow Description + 1. **Parameter Extraction**: The action retrieves all user-provided parameters + including topic, type, timing, and host email. - ### Additional Notes + 2. **Authentication**: Initializes the Zoom Manager using the integration's configuration + to authenticate with the Zoom API. - - Ensure the 'Host Email Address' belongs to a registered user in your Zoom account. + 3. **API Request**: Sends a POST request to the Zoom API endpoint `/users/{host_email}/meetings` + with a payload containing the meeting configuration. - - The 'Meeting Start Time' is mandatory but only effectively used when the 'Meeting - Type' is set to 'Scheduled'. + 4. **Output Generation**: If the meeting is created, the action extracts the join + URL to create a clickable link in the SOAR and returns the complete meeting metadata + as a JSON result. capabilities: can_create_case_comments: false can_create_insight: false @@ -61,13 +92,13 @@ Create Meeting: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new meeting record in the Zoom platform. + Creates a new meeting record in the Zoom platform for the specified host email. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -81,6 +112,7 @@ Create Meeting: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Create User: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -94,39 +126,70 @@ Create Meeting: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false - update_identity: false + update_identity: true update_ticket: false -Create User: - ai_description: "Creates a new user in the Zoom platform. This action allows administrators\ - \ to provision new Zoom accounts by providing the user's first name, last name,\ - \ email address, and license type. \n\n### Flow Description:\n1. **Parameter Extraction:**\ - \ The action retrieves the 'First Name', 'Last Name', 'Email', and 'User Type'\ - \ from the action parameters.\n2. **Pre-check:** It calls the Zoom API to check\ - \ if a user with the provided email already exists to prevent duplicate account\ - \ creation.\n3. **User Creation:** If the user does not exist, it sends a POST\ - \ request to the Zoom `/users` endpoint with the specified user details and license\ - \ type.\n4. **Result Handling:** If successful, the action returns the created\ - \ user's details in JSON format and marks the execution as completed.\n\n### Parameters\ - \ Description:\n| Parameter Name | Type | Mandatory | Description |\n| :--- |\ - \ :--- | :--- | :--- |\n| First Name | String | Yes | The first name of the user\ - \ to be created. |\n| Last Name | String | Yes | The last name of the user to\ - \ be created. |\n| Email | String | Yes | The email address of the user to be\ - \ created. This serves as the unique identifier in Zoom. |\n| User Type | DDL\ - \ | Yes | The license type for the new user. Supported values are 'Basic', 'Licensed',\ - \ and 'On-prem'. |\n\n### Additional Notes:\n- This action requires valid Zoom\ - \ API credentials (either OAuth or JWT) configured in the integration settings.\n\ - - If the user already exists, the action will fail with a 'User Already Exists'\ - \ error." + ai_description: >- + ### General Description + + The **Create User** action allows administrators to programmatically create a + new user account within the Zoom platform. It facilitates identity management + by automating the provisioning of users with specific license types and contact + information directly from Google SecOps. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | **First Name** | string | True | The first name of the user to be created. | + + | **Last Name** | string | True | The last name of the user to be created. | + + | **Email** | string | True | The email address associated with the new Zoom account. + This serves as the unique identifier. | + + | **User Type** | ddl | True | The license level for the user. Options include: + 'Basic', 'Licensed', or 'On-prem'. | + + + ### Additional Notes + + * The action first performs a check to see if a user with the provided email already + exists in Zoom. If the user exists, the action will fail to prevent duplicate + creation. + + * The 'User Type' determines the features and limitations available to the user + within Zoom. + + + ### Flow Description + + 1. **Parameter Extraction:** The action retrieves the first name, last name, email, + and user type from the input parameters. + + 2. **Pre-check:** It queries the Zoom API to verify if the email address is already + registered. + + 3. **User Creation:** If the email is unique, it sends a POST request to the Zoom + `/users` endpoint with the specified user details. + + 4. **Result Processing:** Upon successful creation, the action retrieves the new + user's metadata from Zoom and attaches it as a JSON result to the action output. capabilities: can_create_case_comments: false can_create_insight: false @@ -135,14 +198,14 @@ Create User: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new user account in the Zoom platform via a POST request to the Zoom - API. + Creates a new user account in the Zoom platform via a POST request to the /users + endpoint. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -156,6 +219,7 @@ Create User: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Delete User: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -163,47 +227,83 @@ Create User: contain_host: false create_ticket: false delete_email: false - disable_identity: false + disable_identity: true download_file: false enable_identity: false enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: true update_ticket: false -Delete User: - ai_description: "Deletes a user permanently from a Zoom account. This action allows\ - \ for the optional transfer of the user's scheduled meetings, webinars, and cloud\ - \ recordings to another specified user before the deletion is finalized. \n\n\ - ### Flow Description:\n1. **Parameter Extraction:** The action retrieves the email\ - \ of the user to be deleted and the transfer preferences (meetings, recordings,\ - \ webinars, and the recipient's email).\n2. **Pre-check:** It verifies if the\ - \ user has existing recordings, webinars, or meetings to transfer if the corresponding\ - \ transfer flags are set to true.\n3. **Deletion Execution:** It sends a DELETE\ - \ request to the Zoom API, passing the transfer parameters to ensure data is moved\ - \ to the designated recipient during the deletion process.\n4. **Result Handling:**\ - \ The action returns a success message if the user is deleted or an error message\ - \ if the user is not found or if the API request fails.\n\n### Parameters Description:\n\ - | Parameter Name | Type | Mandatory | Description |\n| :--- | :--- | :--- | :---\ - \ |\n| Deleted User Email | string | True | The email address of the Zoom user\ - \ to be permanently deleted. |\n| Transfer Meeting | boolean | False | If set\ - \ to true, transfers all future scheduled meetings to the 'Transfer Email'. Defaults\ - \ to false. |\n| Transfer Recordings | boolean | False | If set to true, transfers\ - \ all past cloud recordings to the 'Transfer Email'. Defaults to false. |\n| Transfer\ - \ Webinar | boolean | False | If set to true, transfers all future scheduled webinars\ - \ to the 'Transfer Email'. Defaults to false. |\n| Transfer Email | string | False\ - \ | The email address of the user who will receive the transferred data. Required\ - \ if any transfer flag is set to true. |" + ai_description: >- + ### General Description + + Deletes a user permanently from the Zoom platform. This action allows for the + optional transfer of the user's associated data, including future meetings, past + recordings, and future webinars, to a designated recipient email address before + the account is removed. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Deleted User Email | string | Yes | The email address of the Zoom user to be + permanently deleted. | + + | Transfer Email | string | No | The email address of the user who will receive + the transferred data (meetings, recordings, webinars). | + + | Transfer Meeting | boolean | No | If set to true, transfers all future scheduled + meetings to the Transfer Email recipient. | + + | Transfer Recordings | boolean | No | If set to true, transfers all past cloud + recordings to the Transfer Email recipient. | + + | Transfer Webinar | boolean | No | If set to true, transfers all future scheduled + webinars to the Transfer Email recipient. | + + + ### Additional Notes + + - The action first checks if the user has any recordings, webinars, or meetings + before attempting a transfer. If no data is found for a specific category, the + transfer flag for that category is automatically set to false to prevent API errors. + + - This action performs a permanent deletion (disassociation) of the user account. + + + ### Flow Description + + 1. **Parameter Extraction:** Retrieves the target user's email and the transfer + configurations from the action parameters. + + 2. **Data Validation:** Queries the Zoom API to check for the existence of recordings, + webinars, and meetings for the target user. + + 3. **Conditional Flag Adjustment:** Updates the transfer flags based on whether + data actually exists to be transferred. + + 4. **User Deletion:** Sends a DELETE request to the Zoom API with the specified + transfer parameters. + + 5. **Result Reporting:** Returns a JSON result indicating whether the deletion + was successful or if the user was not found. capabilities: can_create_case_comments: false can_create_insight: false @@ -212,14 +312,14 @@ Delete User: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Permanently deletes a user from the Zoom platform and optionally transfers their - data (meetings, webinars, recordings) to another user account. + Permanently deletes a user account from the Zoom platform and optionally transfers + their data (meetings, webinars, recordings) to another user. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -233,6 +333,7 @@ Delete User: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Enrich Entities: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -240,72 +341,49 @@ Delete User: contain_host: false create_ticket: false delete_email: false - disable_identity: true + disable_identity: false download_file: false enable_identity: false - enrich_asset: false + enrich_asset: true enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false - update_identity: true + update_identity: false update_ticket: false -Enrich Entities: - ai_description: >- - ### General Description - - The **Enrich Entities** action retrieves detailed profile information for User - entities from the Zoom platform. It is designed to provide security analysts with - contextual data about a user's Zoom account, such as their status, department, - job title, and account type, directly within the Google SecOps environment. - - - ### Parameters Description - - There are no action-specific parameters for this component. It relies on the global - integration configuration (JWT or OAuth credentials) to authenticate with the - Zoom API. - - - ### Additional Notes - - * This action specifically targets entities of type **USER**. - - * Retrieved data is flattened and prefixed with "Zoom" before being appended to - the entity's additional properties. - - * If a user is not found in Zoom or an error occurs for a specific entity, the - action will log the error and continue processing the remaining entities. - - - ### Flow Description - - 1. **Initialization**: The action initializes the Zoom API manager using the provided - integration credentials (JWT or OAuth). - - 2. **Entity Filtering**: It iterates through the target entities in the current - context and filters for those of type **USER**. - - 3. **Data Retrieval**: For each identified User entity, the action calls the Zoom - API's `/users/{email}` endpoint using the entity's identifier (email address). - - 4. **Data Processing**: The resulting JSON data is flattened into a single-level - dictionary, and keys are prefixed with "Zoom" to avoid naming collisions. - - 5. **Internal Update**: The entity's `additional_properties` are updated with - the Zoom data, and the entity is marked as `is_enriched = True`. - - 6. **Finalization**: The action updates the entities within Google SecOps and - returns a comprehensive JSON result containing the raw data for all successfully - enriched users. + ai_description: "Enriches User entities with account information retrieved from\ + \ Zoom. This action identifies User entities within the current context, queries\ + \ the Zoom API for their specific profile details (such as department, job title,\ + \ account status, and creation time), and maps this data back to the entity's\ + \ additional properties in Google SecOps. \n\n### Flow Description:\n1. **Initialization**:\ + \ The action initializes the Zoom Manager using the integration's configuration\ + \ credentials (OAuth or JWT).\n2. **Entity Filtering**: It iterates through the\ + \ target entities and filters for those of type 'USER'.\n3. **Data Retrieval**:\ + \ For each identified User entity, it performs a GET request to the Zoom API using\ + \ the entity's identifier (email address) to fetch comprehensive user details.\n\ + 4. **Data Processing**: The retrieved JSON data is flattened and prefixed with\ + \ 'Zoom' to ensure clarity and prevent data collisions.\n5. **Internal Update**:\ + \ The action updates the entity's 'additional_properties' with the enriched data\ + \ and marks the entity as 'enriched'.\n6. **Completion**: It updates the entities\ + \ within the SecOps platform and provides a JSON result containing the raw data\ + \ for all successfully enriched users.\n\n### Parameters Description:\n| Parameter\ + \ Name | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| None\ + \ | N/A | No | This action does not have any action-specific parameters; it relies\ + \ on the global integration configuration for authentication. |\n\n### Additional\ + \ Notes:\n* This action is strictly read-only regarding the external Zoom environment.\n\ + * If an error occurs while processing a specific entity, the action logs the error\ + \ and continues to the next entity." capabilities: can_create_case_comments: false can_create_insight: false @@ -316,13 +394,13 @@ Enrich Entities: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates the 'additional_properties' and 'is_enriched' status of User entities - within the SOAR case. + Updates the 'additional_properties' and 'is_enriched' fields of the User entities + within Google SecOps. categories: enrichment: true entity_usage: entity_types: - - USERUNIQNAME + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -336,6 +414,7 @@ Enrich Entities: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Meeting Recording: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -346,69 +425,62 @@ Enrich Entities: disable_identity: false download_file: false enable_identity: false - enrich_asset: true + enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Meeting Recording: ai_description: >- ### General Description - The **Get Meeting Recording** action retrieves metadata and the shareable URL - for a specific Zoom meeting recording stored in the cloud. This action is designed - to provide security analysts with quick access to recorded meeting content for - forensic investigations, compliance audits, or incident response documentation - based on a known Meeting ID. + The **Get Meeting Recording** action retrieves the details and sharing URL of + a specific Zoom meeting recording stored in the cloud. This action is primarily + used to gather evidence or review recorded communications associated with a security + incident. It fetches comprehensive metadata about the recording, including the + start time, duration, and individual recording files. ### Parameters Description - | Parameter | Type | Mandatory | Description | + | Parameter Name | Description | Type | Mandatory | Notes | - | :--- | :--- | :--- | :--- | + | :--- | :--- | :--- | :--- | :--- | - | Meeting ID | String | Yes | The unique identifier of the Zoom meeting recording - to be retrieved. | + | Meeting ID | The unique identifier of the Zoom meeting for which the recording + is being requested. | String | Yes | This ID is used to construct the API request + path. | ### Flow Description - 1. **Parameter Extraction**: The action retrieves the `Meeting ID` from the input - parameters. - - 2. **Authentication**: The action initializes the `ZoomManager` using the provided - integration credentials (OAuth or JWT). + 1. **Parameter Extraction:** The action retrieves the `Meeting ID` provided by + the user. - 3. **API Interaction**: The action performs a GET request to the Zoom API endpoint - `/meetings/{meeting_id}/recordings` to fetch the recording details. + 2. **Manager Initialization:** It initializes the `ZoomManager` using the integration's + configuration (OAuth or JWT credentials). - 4. **Data Extraction**: It extracts the `share_url` from the API response to serve - as the primary result value. + 3. **API Interaction:** The action calls the Zoom API's GET `/meetings/{meeting_id}/recordings` + endpoint to fetch recording data. - 5. **SOAR Enrichment**: The action adds the recording URL as a clickable link - in the Google SecOps interface and attaches the full JSON response containing - all recording metadata (e.g., file sizes, recording types, timestamps) to the - action results. - - - ### Additional Notes + 4. **Data Processing:** It extracts the `share_url` from the API response to provide + a direct link to the recording. - - This action specifically targets recordings stored in the Zoom Cloud; it cannot - retrieve local recordings. - - - The integration must be configured with credentials that have the `recording:read` - or `recording:read:admin` scopes. + 5. **Result Output:** The action adds the sharing URL as a clickable link in the + SOAR interface and attaches the full JSON response containing all recording details + for downstream use in the playbook. capabilities: can_create_case_comments: false can_create_insight: false @@ -420,9 +492,9 @@ Get Meeting Recording: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: true + enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -436,6 +508,7 @@ Get Meeting Recording: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -449,64 +522,44 @@ Get Meeting Recording: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: - ai_description: >- - ### General Description - - The **Ping** action is a diagnostic tool used to verify the connectivity between - Google SecOps and the Zoom API. It ensures that the provided credentials (either - JWT or OAuth) are valid and that the network path to Zoom's service is open. This - action is typically used during the initial setup of the integration or for troubleshooting - purposes. - - - ### Parameters Description - - This action does not require any input parameters. It relies entirely on the integration's - global configuration (JWT Token or OAuth Client ID, Client Secret, and Account - ID). - - - ### Flow Description - - 1. **Configuration Retrieval:** The action fetches the integration's configuration - parameters, including authentication credentials. - - 2. **Manager Initialization:** It initializes the `ZoomManager` which handles - the authentication logic (OAuth token exchange or JWT header setup). - - 3. **Connectivity Test:** The action calls the `test_connectivity` method, which - performs a `GET` request to the Zoom `/users` endpoint (requesting a small page - of active users). - - 4. **Validation:** If the API responds with a success status code (HTTP 200) and - valid JSON, the action returns a success message. - - 5. **Error Handling:** If the request fails due to invalid credentials, network - timeouts, or API errors, the action catches the exception and reports the failure - details. - - - ### Additional Notes - - - This action is strictly for connectivity testing and does not process any entities - or modify any data. - - - Either a JWT Token or a complete set of OAuth credentials (Account ID, Client - ID, Client Secret) must be configured in the integration settings for this action - to succeed. + ai_description: "### General Description\nThe **Ping** action is a diagnostic tool\ + \ designed to verify the connectivity between Google SecOps and the Zoom API.\ + \ It ensures that the provided credentials (either JWT or OAuth) are valid and\ + \ that the network path to the Zoom service is open. This action is typically\ + \ used during the initial setup of the integration or for troubleshooting authentication\ + \ issues.\n\n### Parameters Description\nThere are no action-specific parameters\ + \ for this action. It relies entirely on the integration's configuration parameters\ + \ (JWT Token or OAuth credentials).\n\n### Additional Notes\n* The action requires\ + \ at least one valid authentication method to be configured: either a **JWT Token**\ + \ or a combination of **Account ID**, **Client ID**, and **Client Secret** for\ + \ OAuth.\n* The connectivity test is performed by attempting to list active\ + \ users from the Zoom account. If the API returns a successful response, the connection\ + \ is considered established.\n\n### Flow Description\n1. **Initialization**:\ + \ The action initializes the Siemplify environment and logger.\n2. **Configuration\ + \ Retrieval**: It fetches the integration configuration, including authentication\ + \ credentials.\n3. **Manager Setup**: The `ZoomManager` is instantiated using\ + \ the retrieved credentials, handling the authentication logic (OAuth login or\ + \ JWT header setup).\n4. **Connectivity Test**: The action calls the `test_connectivity`\ + \ method, which executes a GET request to the Zoom `/users` endpoint.\n5. **Result\ + \ Handling**: \n * If the request succeeds, the action returns a success\ + \ status with the message \"Connected successfully\".\n * If the request\ + \ fails (e.g., due to invalid credentials or network errors), an exception is\ + \ caught, and the action returns a failure status with the specific error message." capabilities: can_create_case_comments: false can_create_insight: false @@ -520,7 +573,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -534,28 +587,3 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/partner/anyrun_sandbox/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/anyrun_sandbox/resources/ai/actions_ai_description.yaml index f154d7e69..63d773013 100644 --- a/content/response_integrations/third_party/partner/anyrun_sandbox/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/anyrun_sandbox/resources/ai/actions_ai_description.yaml @@ -1,86 +1,122 @@ File Android Analysis: + action_product_categories: + add_alert_comment: true + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: true + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **File Android Analysis** action enables security analysts to perform automated - file detonation and behavioral analysis using the ANY.RUN Sandbox's Android Virtual - Machine. The action retrieves a file attachment from a Google SecOps case, uploads - it to the ANY.RUN platform with highly granular configuration options (such as - network routing, privacy levels, and environment locales), and retrieves comprehensive - analysis results including HTML reports and Indicators of Compromise (IOCs). + Performs automated malware analysis of file attachments using an Android Virtual + Machine in the ANY.RUN Sandbox. This action allows security analysts to safely + execute suspicious files in a controlled environment to observe behavior, network + activity, and identify malicious indicators. It retrieves a file attachment from + the SecOps case, submits it for analysis with customizable network and privacy + settings, and returns a comprehensive report including IOCs and a final verdict. - ### Flow Description + ### Parameters Description - 1. **Attachment Acquisition**: The action fetches the first available attachment - from the current Google SecOps case. - 2. **Sandbox Submission**: The file is uploaded to the ANY.RUN Sandbox. The submission - includes specific Android VM configurations based on the provided parameters like - network connectivity, Tor usage, and MITM proxy settings. + | Parameter | Type | Mandatory | Description | - 3. **Interactive Link Generation**: A comment is added to the case containing - a direct URL to the live interactive analysis session in ANY.RUN. + | :--- | :--- | :--- | :--- | - 4. **Status Monitoring**: The action polls the sandbox for task completion. + | Timeout In Seconds | string | No | Select task completion time. Range: 10-660 + seconds. Default is 240. | - 5. **Report Retrieval & Storage**: Once the analysis is finished, the action downloads - the full HTML report and saves it as a new attachment on the case wall. + | Change to valid extension | boolean | No | Automatically change file extension + to a valid one if necessary. | - 6. **IOC Extraction**: The action retrieves identified IOCs and posts a summary - comment to the case, highlighting any indicators flagged as 'Suspicious' or 'Malicious'. + | Command line | string | No | Optional command-line arguments for the analyzed + object. | + | System's language | string | No | Operating system's language (e.g., 'en-US' + or 'Brazil'). | - ### Parameters Description + | User Tags | string | No | Add user tags (max 8 tags, 16 characters each). | - | Parameter | Type | Mandatory | Description | + | Analysis Privacy Type | ddl | No | Privacy settings for the task. Supports: + public, bylink, owner, byteam. | - | :--- | :--- | :--- | :--- | + | Network Connect | boolean | No | Enable network connection for the VM. | - | Timeout In Seconds | String | No | Defines the duration of the analysis task - (Range: 10-660 seconds). Default is 240. | + | Network Fakenet | boolean | No | Enable FakeNet feature to simulate network + services. | - | Change to valid extension | Boolean | No | If enabled, the sandbox will automatically - correct the file extension to a valid format. | + | Network Tor | boolean | No | Enable TOR for network traffic. | - | Command line | String | No | Optional command-line arguments to be executed - with the file. | + | Network Geo | string | No | TOR geolocation option (e.g., US, AU). | - | System's language | String | No | Sets the OS locale/language (e.g., 'en-US' - or 'Brazil'). | + | Network Mitm | boolean | No | Enable HTTPS MITM Proxy for traffic inspection. + | - | User Tags | String | No | Custom tags for task categorization in ANY.RUN (Max - 8 tags, 16 chars each). | + | Network Residential Proxy | boolean | No | Use a residential proxy for the analysis. + | - | Analysis Privacy Type | DDL | No | Controls visibility: 'public', 'bylink', - 'owner', or 'byteam'. | + | Network Residential Proxy Geo | string | No | Residential proxy geolocation + option (e.g., US, AU). | - | Network Connect | Boolean | No | Enables or disables internet access for the - Android VM. | - | Network Fakenet | Boolean | No | Enables the FakeNet feature to simulate network - services. | + ### Flow Description - | Network Tor | Boolean | No | Routes VM traffic through the Tor network. | + 1. **Retrieve Attachment:** The action fetches the list of attachments associated + with the current Google SecOps case and selects the first one. - | Network Geo | String | No | Specifies the geolocation for Tor exit nodes (e.g., - 'US', 'AU'). | + 2. **Submit to Sandbox:** The file is uploaded to the ANY.RUN Sandbox using the + Android VM environment, applying all configured network, privacy, and timeout + parameters. + + 3. **Interactive Link:** A comment is added to the case wall providing a direct + URL to the interactive analysis session in ANY.RUN. + + 4. **Monitor Status:** The action polls the ANY.RUN API to monitor the progress + of the analysis task. + + 5. **Retrieve Report:** Once analysis is complete, the action downloads the full + HTML report. - | Network Mitm | Boolean | No | Enables HTTPS Man-in-the-Middle proxying for traffic - inspection. | + 6. **Internal Mutation (Case Wall):** The HTML report is saved as a new attachment + to the case wall for forensic record-keeping. - | Network Residential Proxy | Boolean | No | Enables the use of residential proxies - for the analysis. | + 7. **Extract IOCs:** The action retrieves identified Indicators of Compromise + (IOCs) and posts a summary comment to the case if suspicious or malicious indicators + are found. - | Network Residential Proxy Geo | String | No | Specifies the geolocation for - the residential proxy. | + 8. **Final Verdict:** The action concludes by providing the final analysis verdict + (e.g., Malicious, Suspicious, No threats detected). ### Additional Notes - This action is specifically designed for Android-compatible files (e.g., APKs). - It requires a valid API Key for ANY.RUN to be configured in the integration settings. - The action will fail if no attachments are found in the case. + - **Prerequisites:** Requires a valid ANY.RUN Sandbox API Key configured in the + integration settings. + + - **Error Handling:** If no attachments are found in the case, the action will + fail with an 'Attachment is not found' message. capabilities: can_create_case_comments: true can_create_insight: false @@ -89,16 +125,17 @@ File Android Analysis: can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: >- - Creates a new analysis task and uploads a file to the ANY.RUN Sandbox environment - for detonation. + Submits a file to the ANY.RUN sandbox to create a new analysis task, which consumes + sandbox resources and creates a new record in the external system. fetches_data: true internal_data_mutation_explanation: >- - Adds comments to the case containing analysis links and IOC summaries, and saves - the HTML analysis report as a new attachment to the case wall. + Adds comments to the case wall with analysis links and IOC summaries, and saves + the downloaded HTML analysis report as a new attachment in the Google SecOps + case. categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -112,6 +149,7 @@ File Android Analysis: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +File Linux Analysis: action_product_categories: add_alert_comment: true add_ioc_to_allowlist: false @@ -123,32 +161,31 @@ File Android Analysis: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: false + enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: true uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -File Linux Analysis: ai_description: >- ### General Description - Performs automated file analysis in an ANY.RUN Linux sandbox environment. This - action retrieves the first attachment from a Google SecOps case, uploads it to - the ANY.RUN platform, and executes it within a specified Linux virtual machine - (Ubuntu or Debian). It allows for extensive configuration of the sandbox environment, - including network settings (FakeNet, TOR, MITM proxy), execution privileges, and - privacy levels. The action monitors the task until completion, then retrieves - a detailed HTML report and a summary of malicious or suspicious Indicators of - Compromise (IOCs). + The **File Linux Analysis** action submits a file attachment from a Google SecOps + case to the ANY.RUN sandbox for automated and interactive analysis within a Linux + environment (Ubuntu or Debian). It allows security analysts to safely execute + suspicious files in a controlled virtual machine to observe behavior, network + activity, and identify potential threats. ### Parameters Description @@ -157,94 +194,83 @@ File Linux Analysis: | :--- | :--- | :--- | :--- | - | Env Os | ddl | Yes | Version of the Linux OS to use for analysis. Supports 'ubuntu' - and 'debian'. | - - | StartFolder | ddl | No | The directory where the file execution starts. Supports - 'desktop', 'home', 'downloads', and 'temp'. | + | **Env Os** | DDL | Yes | Specifies the Linux distribution for the analysis environment. + Supports 'ubuntu' and 'debian'. | - | Run As Root | boolean | No | If true, executes the file with superuser (root) - privileges. | + | **StartFolder** | DDL | No | Defines the initial directory where the file will + be placed in the VM (desktop, home, downloads, temp). | - | Timeout In Seconds | string | No | The duration of the sandbox task. Range: - 10-660 seconds. Default is 240. | + | **Run As Root** | Boolean | No | If enabled, the file will be executed with + superuser (root) privileges. | - | Change to valid extension | boolean | No | If true, automatically renames the - file to have a valid extension before analysis. | + | **Timeout In Seconds** | String | No | Sets the duration for the analysis task. + Range: 10-660 seconds. Default is 240. | - | Command line | string | No | Optional command-line arguments to pass to the - analyzed object. | + | **Change to valid extension** | Boolean | No | If enabled, the sandbox will + automatically correct the file extension to a valid one before execution. | - | System's language | string | No | The locale or country name for the operating - system (e.g., 'en-US'). | + | **Command line** | String | No | Optional command-line arguments to be passed + to the file during execution. | - | User Tags | string | No | Custom tags to associate with the ANY.RUN task (max - 8 tags, 16 characters each). | + | **System's language** | String | No | Sets the operating system's locale or + language (e.g., 'en-US' or 'Brazil'). | - | Analysis Privacy Type | ddl | No | Privacy level for the analysis task. Supports - 'public', 'bylink', 'owner', and 'byteam'. | + | **User Tags** | String | No | Custom tags to categorize the task in the ANY.RUN + interface (max 8 tags, 16 chars each). | - | Network Connect | boolean | No | Enables or disables network connectivity for - the sandbox. | + | **Analysis Privacy Type** | DDL | No | Controls the visibility of the analysis + task (public, bylink, owner, byteam). | - | Network Fakenet | boolean | No | Enables the FakeNet feature to simulate network - services. | + | **Network Connect** | Boolean | No | Enables or disables network connectivity + for the analysis VM. | - | Network Tor | boolean | No | Enables the use of the TOR network for sandbox - traffic. | + | **Network Fakenet** | Boolean | No | Enables the FakeNet feature to simulate + network services and intercept traffic. | - | Network Geo | string | No | Specifies the TOR exit node geolocation (e.g., 'US', - 'AU'). | + | **Network Tor** | Boolean | No | Routes the VM's network traffic through the + TOR network. | - | Network Mitm | boolean | No | Enables an HTTPS MITM Proxy for traffic inspection. - | - - | Network Residential Proxy | boolean | No | Enables the use of a residential - proxy for network traffic. | - - | Network Residential Proxy Geo | string | No | Specifies the geolocation for - the residential proxy. | + | **Network Geo** | String | No | Specifies the TOR exit node geolocation (e.g., + 'US', 'AU'). | + | **Network Mitm** | Boolean | No | Enables an HTTPS Man-In-The-Middle proxy for + inspecting encrypted traffic. | - ### Additional Notes + | **Network Residential Proxy** | Boolean | No | Uses a residential proxy for + the VM's network traffic. | - * **Discrepancy Note:** The YAML configuration defines the parameter as `Env Os`, - but the underlying Python script attempts to extract a parameter named `Machine - Os`. Ensure the parameter name in the UI matches the script's expectation or vice - versa. + | **Network Residential Proxy Geo** | String | No | Specifies the geolocation + for the residential proxy. | - * **Attachment Handling:** This action specifically targets the first attachment - found in the current case. If no attachments are present, the action will fail. - * **Internal Mutation:** This action modifies the case by adding comments and - attaching the final HTML report to the case wall. + ### Flow Description + 1. **Attachment Retrieval:** The action identifies and retrieves the first available + file attachment from the Google SecOps case. - ### Flow Description + 2. **Task Submission:** The file is uploaded to the ANY.RUN sandbox, and a Linux + analysis task is initiated using the configured OS and network parameters. - 1. **Initialization:** Retrieves the ANY.RUN API key and SSL verification settings - from the integration configuration. + 3. **Interactive Link:** The action immediately adds a comment to the case containing + a direct link to the live interactive analysis in ANY.RUN. - 2. **Attachment Retrieval:** Fetches all attachments associated with the current - case and selects the first one for analysis. + 4. **Status Polling:** The action monitors the progress of the analysis task until + completion. - 3. **Task Submission:** Uploads the file data to the ANY.RUN Sandbox, configuring - the Linux environment based on the provided action parameters. + 5. **Report Retrieval:** Once finished, the action downloads the full HTML analysis + report. - 4. **Interactive Link:** Adds a comment to the case wall containing a direct link - to the interactive analysis task on the ANY.RUN platform. + 6. **Case Enrichment:** The HTML report is saved as a new attachment on the case + wall. Additionally, the action extracts any identified Malicious or Suspicious + Indicators of Compromise (IOCs) and posts them as a summary comment in the case. - 5. **Monitoring:** Polls the ANY.RUN API to track the status of the analysis task - until it reaches a terminal state. - 6. **Report Retrieval:** Downloads the final analysis report in HTML format and - attaches it to the case wall. + ### Additional Notes - 7. **IOC Extraction:** Fetches a list of IOCs identified during analysis. If any - are classified as suspicious or malicious, a summary comment is added to the case. + - This action requires at least one attachment to be present in the case to function. - 8. **Completion:** Ends the action by providing the final analysis verdict (e.g., - malicious, suspicious, or clean). + - The action uses the ANY.RUN Linux connector specifically for non-Windows file + analysis. capabilities: can_create_case_comments: true can_create_insight: false @@ -253,15 +279,15 @@ File Linux Analysis: can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: >- - Creates a new sandbox analysis task and uploads a file to the ANY.RUN platform. + Submits a file to the ANY.RUN sandbox platform and creates a new analysis task. fetches_data: true internal_data_mutation_explanation: >- - Adds case comments containing analysis links and IOC summaries, and attaches - the HTML analysis report to the case wall. + Adds comments to the case and saves the analysis report as a new attachment + on the case wall. categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -275,8 +301,9 @@ File Linux Analysis: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +File Windows Analysis: action_product_categories: - add_alert_comment: false + add_alert_comment: true add_ioc_to_allowlist: false add_ioc_to_blocklist: false contain_host: false @@ -288,63 +315,117 @@ File Linux Analysis: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: true uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -File Windows Analysis: - ai_description: "Uploads a file attachment from a Google SecOps case to the ANY.RUN\ - \ sandbox for dynamic analysis within a Windows virtual machine. This action allows\ - \ analysts to execute suspicious files in a controlled environment to observe\ - \ behavior, network activity, and potential threats. It supports extensive configuration\ - \ of the analysis environment, including OS version, bitness, and network routing\ - \ options like Tor or residential proxies. \n\n### Flow Description:\n1. **Attachment\ - \ Retrieval:** The action identifies and retrieves the first available file attachment\ - \ from the current Google SecOps case.\n2. **Sandbox Submission:** The file is\ - \ uploaded to the ANY.RUN sandbox with the specified environment parameters (OS,\ - \ network settings, timeout, etc.).\n3. **Interactive Link:** A comment is added\ - \ to the case providing a direct URL to the live interactive analysis session\ - \ in ANY.RUN.\n4. **Status Monitoring:** The action polls the sandbox for the\ - \ task status until completion.\n5. **Report Retrieval:** Once finished, the action\ - \ downloads the full HTML analysis report and saves it as a new attachment on\ - \ the case wall.\n6. **IOC Extraction:** It fetches identified Indicators of Compromise\ - \ (IOCs) and appends a summary of suspicious or malicious indicators to the case\ - \ comments.\n\n### Parameters Description:\n| Parameter Name | Type | Mandatory\ - \ | Description |\n| :--- | :--- | :--- | :--- |\n| Environment Version | DDL\ - \ | No | Specifies the Windows OS version (7, 10, or 11). Default is 10. |\n|\ - \ Environment Bitness | DDL | No | Specifies the OS architecture (32 or 64 bit).\ - \ Default is 64. |\n| Environment Type | DDL | No | Selects the environment preset.\ - \ 'development' is only for Win 10 x64; 'complete' is required for others. |\n\ - | File Force Elevation | Boolean | No | If true, executes the file with administrative/elevated\ - \ privileges. |\n| StartFolder | DDL | No | The directory where the file execution\ - \ starts (e.g., temp, desktop, downloads). |\n| Timeout In Seconds | String |\ - \ No | The duration of the analysis task (10-660 seconds). Default is 240. |\n\ - | Change to valid extension | Boolean | No | Automatically corrects the file extension\ - \ to a valid one before execution. |\n| Command line | String | No | Optional\ - \ CLI arguments to pass to the file during execution. |\n| System's language |\ - \ String | No | The locale/language of the guest OS (e.g., 'en-US'). |\n| User\ - \ Tags | String | No | Custom tags to label the task in ANY.RUN. Default is 'secops-alert'.\ - \ |\n| Analysis Privacy Type | DDL | No | Sets visibility of the analysis (public,\ - \ bylink, owner, byteam). |\n| Network Connect | Boolean | No | Enables or disables\ - \ internet access for the sandbox environment. |\n| Network Fakenet | Boolean\ - \ | No | Enables FakeNet to simulate network services and intercept traffic. |\n\ - | Network Tor | Boolean | No | Routes sandbox network traffic through the Tor\ - \ network. |\n| Network Geo | String | No | Specifies the geolocation for Tor\ - \ exit nodes (e.g., 'US', 'AU'). |\n| Network Mitm | Boolean | No | Enables HTTPS\ - \ MITM proxy for SSL/TLS inspection. |\n| Network Residential Proxy | Boolean\ - \ | No | Uses a residential proxy for network traffic. |\n| Network Residential\ - \ Proxy Geo | String | No | Specifies the geolocation for the residential proxy.\ - \ |\n\n### Additional Notes:\n- This action requires at least one attachment to\ - \ be present in the case to function.\n- The 'Environment Type' must be set to\ - \ 'complete' for any OS version other than Windows 10 x64." + ai_description: >- + ### General Description + + Submits a file attachment from a Google SecOps case to the ANY.RUN sandbox for + interactive analysis on a Windows virtual machine. This action allows analysts + to perform deep forensic analysis of suspicious files by executing them in a controlled + environment and retrieving detailed reports, including network activity, process + behavior, and Indicators of Compromise (IOCs). + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Environment Version | ddl | No | Version of OS. Supports 7, 10, 11. Default + is 10. | + + | Environment Bitness | ddl | No | Bitness of Operation System. Supports 32, 64. + Default is 64. | + + | Environment Type | ddl | No | Environment preset type. Select **development** + for Windows 10 x64; otherwise, **complete** is required. | + + | File Force Elevation | boolean | No | Forces the file to execute with elevated + privileges (for PE32, PE32+, PE64 files only). | + + | StartFolder | ddl | No | The folder where the file execution starts (desktop, + home, downloads, temp, appdata, windows, root). | + + | Timeout In Seconds | string | No | Task completion time range: 10-660 seconds. + Default is 240. | + + | Change to valid extension | boolean | No | Automatically change file extension + to a valid one. | + + | Command line | string | No | Optional command-line arguments for the analyzed + object. | + + | System's language | string | No | Operation system's language (e.g., 'en-US' + or 'Brazil'). | + + | User Tags | string | No | Custom tags for the task (max 8 tags, max 16 chars + each). | + + | Analysis Privacy Type | ddl | No | Privacy settings: public, bylink, owner, + byteam. Default is bylink. | + + | Network Connect | boolean | No | Enable network connection for the sandbox. + | + + | Network Fakenet | boolean | No | Enable FakeNet feature. | + + | Network Tor | boolean | No | Enable TOR usage. | + + | Network Geo | string | No | TOR geolocation option (e.g., US, AU). | + + | Network Mitm | boolean | No | Enable HTTPS MITM Proxy. | + + | Network Residential Proxy | boolean | No | Enable residential proxy usage. | + + | Network Residential Proxy Geo | string | No | Residential proxy geolocation + option. | + + + ### Additional Notes + + * The action requires at least one attachment to be present in the Google SecOps + case to function. + + * It automatically polls the sandbox until the analysis is complete or the timeout + is reached. + + + ### Flow Description + + 1. **Attachment Retrieval:** Fetches the first available attachment from the Google + SecOps case. + + 2. **Sandbox Submission:** Submits the file to the ANY.RUN Windows sandbox using + the configured environment (OS version, bitness) and network settings. + + 3. **Interactive Link:** Adds a comment to the case with a direct link to the + interactive analysis task in ANY.RUN. + + 4. **Status Polling:** Monitors the task status until the analysis is finished. + + 5. **Report Retrieval:** Downloads the HTML analysis report and saves it as an + attachment to the case wall. + + 6. **IOC Extraction:** Retrieves Indicators of Compromise (IOCs) from the report. + If suspicious or malicious indicators are identified, a summary comment is added + to the case. + + 7. **Verdict:** Ends the action by providing the final analysis verdict. capabilities: can_create_case_comments: true can_create_insight: false @@ -353,15 +434,16 @@ File Windows Analysis: can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: >- - Creates a new analysis task and uploads a file to the ANY.RUN sandbox platform. + Submits a file to the ANY.RUN sandbox, which creates a new analysis task/resource + in the external system. fetches_data: true internal_data_mutation_explanation: >- - Adds comments to the case and saves the sandbox analysis report as an attachment - to the case wall. + Adds comments to the case and saves the analysis report as an attachment to + the case wall. categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -375,6 +457,7 @@ File Windows Analysis: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -388,63 +471,44 @@ File Windows Analysis: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false - submit_file: true + send_message: false + submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: - ai_description: >- - ### General Description - - The Ping action is a diagnostic tool designed to verify the connectivity between - the Google SecOps environment and the ANY.RUN Sandbox service. Its primary purpose - is to ensure that the integration is correctly configured, the API key is valid, - and the network path (including optional proxies) is open. - - - ### Flow Description - - 1. **Configuration Extraction**: The action retrieves the integration's global - configuration, including the ANY.RUN Sandbox API Key, SSL verification preference, - and proxy settings. - - 2. **Proxy Validation**: If proxy support is enabled in the configuration, the - action first attempts to validate the connection through the specified proxy host - and port. - - 3. **Authorization Check**: The action initializes a connection to the ANY.RUN - Sandbox API using the provided credentials and performs a standard authorization - check to confirm the API key's validity. - - 4. **Result Reporting**: Based on the success or failure of the API call, the - action returns a completion status and an informative message to the user. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | N/A | N/A | N/A | This action does not take any input parameters. It uses the - global integration configuration. | - - - ### Additional Notes - - - This action is strictly for connectivity testing and does not process any entities - or alert data. - - - It relies on the 'ANYRUN Sandbox API KEY', 'Verify SSL', and 'Enable proxy' - settings defined at the integration level. + ai_description: "### General Description\nThe **Ping** action is a diagnostic tool\ + \ designed to verify the connectivity between the Google SecOps environment and\ + \ the ANY.RUN Sandbox service. Its primary purpose is to ensure that the integration\ + \ is correctly configured, the API key is valid, and network paths (including\ + \ optional proxies) are functional.\n\n### Parameters Description\nThere are no\ + \ action-specific parameters for this action. It relies entirely on the global\ + \ integration configuration parameters:\n* **ANYRUN Sandbox API KEY**: The authentication\ + \ token used to access the ANY.RUN API.\n* **Verify SSL**: Boolean flag to enable\ + \ or disable SSL certificate validation.\n* **Enable proxy**: Boolean flag to\ + \ determine if a proxy should be used for the connection.\n* **Proxy host**: The\ + \ hostname or IP of the proxy server (if enabled).\n* **Proxy port**: The port\ + \ of the proxy server (if enabled).\n\n### Flow Description\n1. **Configuration\ + \ Extraction**: The action retrieves the API key, SSL verification settings, and\ + \ proxy configurations from the integration's global settings.\n2. **Proxy Validation\ + \ (Optional)**: If the 'Enable proxy' setting is active, the action first attempts\ + \ to establish a connection through the specified proxy host and port to ensure\ + \ the network path is open.\n3. **Authorization Check**: The action initializes\ + \ a connection to the ANY.RUN Sandbox service and executes an authorization check\ + \ (`check_authorization`) to validate the provided API key.\n4. **Result Reporting**:\ + \ \n * If the connection and authorization are successful, the action completes\ + \ with a success status and an informative message.\n * If a connection error\ + \ or authentication failure occurs, the action catches the exception, logs the\ + \ error, and returns a failed execution state." capabilities: can_create_case_comments: false can_create_insight: false @@ -453,12 +517,12 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: false + fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -472,8 +536,9 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +URL Android Analysis: action_product_categories: - add_alert_comment: false + add_alert_comment: true add_ioc_to_allowlist: false add_ioc_to_blocklist: false contain_host: false @@ -483,55 +548,112 @@ Ping: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: false + enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false - submit_file: false + send_message: false + submit_file: true uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -URL Android Analysis: - ai_description: "Performs automated URL analysis using an Android Virtual Machine\ - \ in the ANY.RUN sandbox. This action allows analysts to submit suspicious URLs\ - \ to a controlled environment to observe behavior, network activity, and potential\ - \ threats. \n\n### Flow Description:\n1. **Configuration Retrieval:** Retrieves\ - \ the ANY.RUN API key and SSL verification settings from the integration configuration.\n\ - 2. **Input Processing:** Extracts the target URL(s) from the action parameters.\ - \ If multiple URLs are provided (comma-separated), it processes them sequentially.\n\ - 3. **Task Submission:** For each URL, it initiates an analysis task on an ANY.RUN\ - \ Android VM using the specified network and environment parameters.\n4. **Monitoring:**\ - \ Polls the ANY.RUN API to monitor the task status until the analysis is complete.\n\ - 5. **Report Retrieval:** Downloads the HTML analysis report and attaches it to\ - \ the Google SecOps case wall for forensic review.\n6. **IOC Extraction:** Fetches\ - \ identified Indicators of Compromise (IOCs) from the analysis and adds a summary\ - \ comment to the case if suspicious or malicious indicators are found.\n7. **Verdict\ - \ Reporting:** Retrieves the final analysis verdict and posts it as a concluding\ - \ comment to the case.\n\n### Parameters Description:\n| Parameter | Type | Mandatory\ - \ | Description |\n| :--- | :--- | :--- | :--- |\n| Url | string | Yes | The destination\ - \ URL(s) to be analyzed. Supports comma-separated values. Defaults to [Entity.Identifier].\ - \ |\n| Timeout In Seconds | string | No | The duration for the analysis task (10-660\ - \ seconds). Default is 120. |\n| Command line | string | No | Optional command-line\ - \ arguments for the analyzed object. |\n| System's language | string | No | The\ - \ OS locale or country name (e.g., 'en-US' or 'Brazil'). |\n| User Tags | string\ - \ | No | Custom tags for the task (max 8 tags, 16 chars each). |\n| Analysis Privacy\ - \ Type | ddl | No | Privacy level: public, bylink, owner, or byteam. |\n| Network\ - \ Connect | boolean | No | Whether to enable network connectivity in the VM. |\n\ - | Network Fakenet | boolean | No | Whether to enable the FakeNet feature. |\n\ - | Network Tor | boolean | No | Whether to use TOR for network traffic. |\n| Network\ - \ Geo | string | No | TOR geolocation (e.g., US, AU). |\n| Network Mitm | boolean\ - \ | No | Whether to enable HTTPS MITM Proxy. |\n| Network Residential Proxy |\ - \ boolean | No | Whether to use a residential proxy. |\n| Network Residential\ - \ Proxy Geo | string | No | Residential proxy geolocation. |\n\n### Additional\ - \ Notes:\n- This action creates a new task in the ANY.RUN platform for every URL\ - \ processed.\n- The HTML report is saved as a case wall attachment, which is not\ - \ considered a standard enrichment update." + ai_description: >- + ### General Description + + Performs automated URL analysis using an Android Virtual Machine in the ANY.RUN + sandbox. This action allows security analysts to safely investigate suspicious + URLs by detonating them in a controlled mobile environment to observe behavior, + network activity, and potential threats. It retrieves detailed reports, extracts + indicators of compromise (IOCs), and provides a final verdict directly within + the SecOps platform. + + + ### Parameters Description + + | Parameter | Description | Type | Mandatory | + + | :--- | :--- | :--- | :--- | + + | Url | The destination URL(s) to analyze. Supports comma-separated values for + bulk analysis. | String | Yes | + + | Timeout In Seconds | Select task completion time. Size range: 10-660 seconds. + | String | No | + + | Command line | Optional command-line arguments for the analyzed object. | String + | No | + + | System's language | Operation system's language (e.g., 'en-US' or 'Brazil'). + | String | No | + + | User Tags | Custom tags for the task (max 8 tags, 16 characters each). | String + | No | + + | Analysis Privacy Type | Privacy settings for the task (public, bylink, owner, + byteam). | DDL | No | + + | Network Connect | Enable network connection in the sandbox VM. | Boolean | No + | + + | Network Fakenet | Enable FakeNet feature to simulate network responses. | Boolean + | No | + + | Network Tor | Enable TOR usage for the analysis. | Boolean | No | + + | Network Geo | TOR geolocation option (e.g., US, AU). | String | No | + + | Network Mitm | Enable HTTPS MITM Proxy for traffic inspection. | Boolean | No + | + + | Network Residential Proxy | Enable residential proxy usage. | Boolean | No | + + | Network Residential Proxy Geo | Residential proxy geolocation option (e.g., + US, AU). | String | No | + + + ### Additional Notes + + - This action specifically utilizes an Android VM for analysis, making it ideal + for mobile-specific threats. + + - The action supports multiple URLs by splitting the input string by commas. + + - It automatically handles report generation and attachment to the case wall. + + + ### Flow Description + + 1. **Initialization**: Extracts the ANY.RUN API key and SSL configuration from + the integration settings. + + 2. **Input Parsing**: Retrieves the target URL(s) from the action parameters. + + 3. **Task Creation**: For each URL, it initiates a new Android sandbox analysis + task in ANY.RUN with the specified network and environment configurations. + + 4. **Interactive Link**: Adds a comment to the case containing a direct link to + the ANY.RUN interactive analysis session. + + 5. **Status Monitoring**: Polls the ANY.RUN API to monitor the progress of the + analysis task until completion. + + 6. **Report Retrieval**: Downloads the full HTML analysis report and attaches + it to the case wall as a base64-encoded file. + + 7. **IOC Extraction**: Fetches extracted indicators (IOCs) from the analysis and + adds a summary comment to the case if any suspicious or malicious indicators are + identified. + + 8. **Final Verdict**: Retrieves the final analysis verdict and posts a concluding + status comment to the case. capabilities: can_create_case_comments: true can_create_insight: false @@ -540,16 +662,16 @@ URL Android Analysis: can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: >- - Submits a URL to the ANY.RUN sandbox to initiate a new automated analysis task, - creating a record/job in the external system. + Creates a new URL analysis task/job in the ANY.RUN sandbox environment for every + URL provided. fetches_data: true internal_data_mutation_explanation: >- - Adds comments to the case summarizing IOCs and verdicts, and uploads the HTML - analysis report as an attachment to the case wall. + Adds multiple comments to the case (analysis links, IOC summaries, and verdicts) + and saves the HTML analysis report as an attachment to the case wall. categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -563,6 +685,7 @@ URL Android Analysis: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +URL Linux Analysis: action_product_categories: add_alert_comment: true add_ioc_to_allowlist: false @@ -571,120 +694,121 @@ URL Android Analysis: create_ticket: false delete_email: false disable_identity: false - download_file: false + download_file: true enable_identity: false enrich_asset: false enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: true uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -URL Linux Analysis: ai_description: >- - Submits URLs to the ANY.RUN Linux-based sandbox for automated behavioral analysis. - This action allows security analysts to execute and observe potentially malicious - links within a controlled Linux environment (Ubuntu or Debian) using popular browsers - like Google Chrome or Mozilla Firefox. It provides comprehensive visibility into - network activity, process execution, and potential threats associated with the - submitted URL. + Performs automated URL analysis using a Linux virtual machine within the ANY.RUN + sandbox environment. This action allows analysts to submit one or more URLs for + dynamic analysis, specifying the operating system (Ubuntu or Debian) and the browser + (Chrome or Firefox). It facilitates deep inspection of web-based threats by providing + interactive analysis links, detailed HTML reports, and a summary of extracted + Indicators of Compromise (IOCs). - ### Flow Description + ### Parameters Description - 1. **Initialization**: Retrieves the ANY.RUN API key and SSL verification settings - from the integration configuration. - 2. **Input Processing**: Extracts the target URL(s) from the action parameters, - supporting comma-separated inputs. + | Parameter | Description | Type | Mandatory | - 3. **Task Submission**: For each URL, it initiates a new Linux analysis task in - the ANY.RUN sandbox using the specified OS, browser, and network configurations - (e.g., Tor, VPN, MITM proxy). + | :--- | :--- | :--- | :--- | - 4. **Interactive Access**: Immediately posts a case comment containing a direct - link to the interactive ANY.RUN analysis session. + | Url | The destination URL(s) to be analyzed. Supports comma-separated values. + Defaults to the entity identifier. | String | Yes | - 5. **Status Monitoring**: Polls the ANY.RUN API to monitor the progress of the - analysis task until completion. + | Machine Os | The Linux distribution to use for the analysis. Options: ubuntu, + debian. | DDL | Yes | - 6. **Report Retrieval**: Downloads the final HTML analysis report and attaches - it to the Google SecOps case wall for forensic documentation. + | Browser | The web browser to use for the analysis. Options: Google Chrome, Mozilla + Firefox. | DDL | Yes | - 7. **IOC Extraction**: Retrieves identified Indicators of Compromise (IOCs) from - the analysis and summarizes suspicious or malicious findings in a case comment. + | Timeout In Seconds | The duration for the analysis task (range: 10-660 seconds). + Default is 120. | String | No | - 8. **Verdict Reporting**: Fetches the final analysis verdict and posts a concluding - status update to the case. + | Command line | Optional command-line arguments for the analyzed object. | String + | No | + | System's language | The OS locale identifier or country name (e.g., 'en-US'). + | String | No | - ### Parameters Description + | User Tags | Custom tags for the task (max 8 tags, 16 characters each). | String + | No | - | Parameter | Description | Type | Mandatory | Notes | + | Analysis Privacy Type | Privacy level for the analysis: public, bylink, owner, + or byteam. | DDL | No | - | :--- | :--- | :--- | :--- | :--- | + | Network Connect | Enables network connectivity during analysis. | Boolean | + No | - | Url | The destination URL(s) to be analyzed in the sandbox. | String | Yes | - Supports comma-separated values; defaults to the entity identifier. | + | Network Fakenet | Enables the FakeNet feature to simulate network services. + | Boolean | No | - | Machine Os | The Linux distribution to use for the analysis. | DDL | Yes | Supports - 'ubuntu' and 'debian'. | + | Network Tor | Enables routing traffic through the TOR network. | Boolean | No + | - | Browser | The web browser to use for opening the URL. | DDL | Yes | Supports - 'Google Chrome' and 'Mozilla Firefox'. | + | Network Geo | Specifies the TOR geolocation (e.g., US, AU). | String | No | - | Timeout In Seconds | The duration of the analysis task. | String | No | Range: - 10-660 seconds. Default: 120. | + | Network Mitm | Enables HTTPS MITM Proxy for traffic decryption. | Boolean | + No | - | Command line | Optional command-line arguments for the browser or analyzed object. - | String | No | | + | Network Residential Proxy | Enables the use of a residential proxy. | Boolean + | No | - | System's language | The locale or language for the operating system. | String - | No | Example: 'en-US' or 'Brazil'. | + | Network Residential Proxy Geo | Specifies the residential proxy geolocation. + | String | No | - | User Tags | Custom tags to categorize the task in ANY.RUN. | String | No | Max - 8 unique tags, 16 chars each. | - | Analysis Privacy Type | Privacy level for the analysis task. | DDL | No | Options: - public, bylink, owner, byteam. Default: bylink. | + ### Additional Notes - | Network Connect | Enables or disables network connectivity for the VM. | Boolean - | No | Default: true. | + - This action initiates a state change in the ANY.RUN platform by creating a new + analysis task. - | Network Fakenet | Enables the FakeNet feature to simulate network services. - | Boolean | No | Default: false. | + - It retrieves and attaches an HTML report directly to the Google SecOps case + wall. - | Network Tor | Routes network traffic through the Tor network. | Boolean | No - | Default: false. | + - Extracted IOCs with suspicious or malicious reputations are summarized in case + comments. - | Network Geo | Specifies the Tor exit node geolocation. | String | No | Default: - 'fastest'. | - | Network Mitm | Enables HTTPS MITM Proxy for traffic inspection. | Boolean | - No | Default: false. | + ### Flow Description - | Network Residential Proxy | Uses a residential proxy for the analysis. | Boolean - | No | Default: false. | + 1. **Initialization:** Extracts the API key and SSL configuration from the integration + settings. - | Network Residential Proxy Geo | Geolocation for the residential proxy. | String - | No | Default: 'fastest'. | + 2. **Submission:** Submits the provided URL(s) to the ANY.RUN API to start a Linux-based + sandbox analysis task with the specified OS and browser configurations. + 3. **Interaction:** Adds a comment to the case wall containing a direct link to + the interactive ANY.RUN task. - ### Additional Notes + 4. **Monitoring:** Polls the ANY.RUN service to monitor the task status until + completion. - - This action performs a mutation in the external ANY.RUN system by creating a - new analysis task. + 5. **Reporting:** Downloads the full HTML analysis report and saves it as an attachment + to the case wall. - - The action modifies internal case data by adding comments and file attachments - (HTML reports). + 6. **IOC Extraction:** Retrieves extracted indicators from the analysis and posts + a summary of any suspicious or malicious IOCs as a case comment. + + 7. **Verdict:** Fetches the final analysis verdict and posts a concluding status + comment to the case. capabilities: can_create_case_comments: true can_create_insight: false @@ -693,16 +817,17 @@ URL Linux Analysis: can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: >- - Creates a new URL analysis task/resource in the ANY.RUN sandbox environment. + Submits a URL to the ANY.RUN sandbox to initiate a new automated analysis task, + creating a new resource/record in the external system. fetches_data: true internal_data_mutation_explanation: >- - Adds descriptive comments to the case and uploads the HTML analysis report as - an attachment to the case wall. + Adds multiple comments to the case wall regarding task status, IOC summaries, + and verdicts. It also saves the HTML analysis report as an attachment to the + case wall. categories: enrichment: false entity_usage: - entity_types: - - DestinationURL + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -716,6 +841,7 @@ URL Linux Analysis: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +URL Windows Analysis: action_product_categories: add_alert_comment: true add_ioc_to_allowlist: false @@ -724,117 +850,121 @@ URL Linux Analysis: create_ticket: false delete_email: false disable_identity: false - download_file: false + download_file: true enable_identity: false enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: true uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -URL Windows Analysis: ai_description: >- - Performs automated URL analysis using the ANY.RUN interactive sandbox on a Windows - virtual machine. This action allows security analysts to submit suspicious URLs - to a controlled environment to observe behavior, network activity, and potential - threats. It supports various browser configurations and advanced network settings - like TOR, FakeNet, and residential proxies. The action retrieves a comprehensive - HTML report, extracts indicators of compromise (IOCs), and provides a final verdict, - all of which are integrated back into the SecOps case for further investigation. + ### General Description + + Submits one or more URLs to the ANY.RUN sandbox for automated analysis within + a Windows virtual machine environment. This action allows security analysts to + observe the behavior of suspicious links in a controlled environment, providing + detailed reports on network activity, process execution, and potential indicators + of compromise (IOCs). + + ### Parameters Description - ### Flow Description: + | Parameter | Description | Type | Mandatory | Default Value | - 1. **Initialization:** Extracts the API key and SSL verification settings from - the integration configuration. + | :--- | :--- | :--- | :--- | :--- | - 2. **Parameter Extraction:** Retrieves the target URL(s) and analysis parameters - (browser, timeout, network settings, etc.) from the action input. + | Url | The destination URL(s) to be analyzed. Multiple URLs can be provided as + a comma-separated list. | string | Yes | [Entity.Identifier] | - 3. **Analysis Submission:** For each provided URL, it initiates a new Windows-based - sandbox analysis task in ANY.RUN. + | Browser | The web browser to use for the analysis (e.g., Microsoft Edge, Google + Chrome). | ddl | Yes | Microsoft Edge | - 4. **Interactive Link:** Immediately posts a comment to the case wall containing - a direct link to the live interactive analysis session. + | Timeout In Seconds | The duration for the sandbox task (range: 10-660 seconds). + | string | No | 120 | - 5. **Status Monitoring:** Polls the ANY.RUN API to monitor the progress of the - analysis task until completion. + | Command line | Optional command-line arguments to be used during the analysis. + | string | No | "" | - 6. **Report Retrieval:** Downloads the full HTML analysis report and attaches - it to the case wall as a file. + | System's language | The operating system locale/language (e.g., 'en-US'). | + string | No | en-US | - 7. **IOC Extraction:** Fetches extracted indicators from the analysis. If any - indicators are identified as suspicious or malicious, it summarizes them in a - case comment. + | User Tags | Custom tags to associate with the analysis task (max 8 tags, 16 + chars each). | string | No | secops-alert | - 8. **Verdict Reporting:** Retrieves the final analysis verdict (e.g., malicious, - clean) and posts it as a concluding comment to the case. + | Analysis Privacy Type | Privacy level for the task (public, bylink, owner, byteam). + | ddl | No | bylink | + | Network Connect | Enables or disables network connectivity for the VM. | boolean + | No | true | - ### Parameters Description: + | Network Fakenet | Enables the FakeNet feature to simulate network services. + | boolean | No | false | - | Parameter | Description | Type | Mandatory | + | Network Tor | Enables the use of the TOR network for the analysis. | boolean + | No | false | - | :--- | :--- | :--- | :--- | + | Network Geo | Specifies the TOR geolocation (e.g., US, AU). | string | No | + fastest | - | Url | The destination URL(s) to analyze. Supports multiple URLs separated by - commas. Defaults to the entity identifier. | string | Yes | + | Network Mitm | Enables HTTPS MITM (Man-In-The-Middle) proxying. | boolean | + No | false | - | Browser | The web browser to use for the analysis (Microsoft Edge, Google Chrome, - Mozilla Firefox, or Internet Explorer). | ddl | Yes | + | Network Residential Proxy | Enables the use of a residential proxy. | boolean + | No | false | - | Timeout In Seconds | The duration of the analysis task (range: 10-660 seconds). - Default is 120. | string | No | + | Network Residential Proxy Geo | Specifies the residential proxy geolocation. + | string | No | fastest | - | Command line | Optional command-line arguments to be used during the analysis. - | string | No | - | System's language | The operating system's locale or language (e.g., 'en-US'). - | string | No | + ### Flow Description - | User Tags | Custom tags to associate with the analysis task (max 8 tags, 16 - characters each). | string | No | + 1. **Initialization:** Retrieves the ANY.RUN API key and SSL verification settings + from the integration configuration. - | Analysis Privacy Type | Privacy level for the analysis (public, bylink, owner, - or byteam). | ddl | No | + 2. **Input Parsing:** Extracts the URL(s) provided in the action parameters. - | Network Connect | Enables or disables network connectivity within the sandbox. - | boolean | No | + 3. **Task Creation:** For each URL, it initiates a Windows-based sandbox analysis + task in ANY.RUN using the specified browser and network configurations. - | Network Fakenet | Enables the FakeNet feature to simulate network services. - | boolean | No | + 4. **Interactive Link:** Immediately posts a comment to the case wall containing + a direct link to the interactive ANY.RUN task. - | Network Tor | Enables the use of the TOR network for analysis traffic. | boolean - | No | + 5. **Monitoring:** Polls the ANY.RUN API to monitor the status of the analysis + task until completion. - | Network Geo | Specifies the TOR geolocation (e.g., 'US', 'AU'). | string | No - | + 6. **Report Retrieval:** Once finished, it downloads the full analysis report + in HTML format. - | Network Mitm | Enables an HTTPS MITM proxy for traffic inspection. | boolean - | No | + 7. **Internal Mutation (Attachment):** Attaches the HTML report to the Google + SecOps case wall for forensic review. - | Network Residential Proxy | Enables the use of a residential proxy for the analysis. - | boolean | No | + 8. **IOC Extraction:** Fetches a list of IOCs identified during the analysis. + If suspicious or malicious indicators are found, it summarizes them in a case + comment. - | Network Residential Proxy Geo | Specifies the residential proxy geolocation - (e.g., 'US', 'AU'). | string | No | + 9. **Final Verdict:** Retrieves the final analysis verdict and posts it as a concluding + comment on the case. - ### Additional Notes: + ### Additional Notes - - This action creates a new task in the ANY.RUN platform for every execution, - which may consume API credits. + - This action performs external mutations by creating tasks on the ANY.RUN platform. - - The HTML report is saved directly to the case wall for forensic review. + - It performs internal mutations by adding multiple comments and file attachments + to the case wall. capabilities: can_create_case_comments: true can_create_insight: false @@ -843,15 +973,16 @@ URL Windows Analysis: can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: >- - Creates a new URL analysis task/job in the ANY.RUN sandbox environment. + Creates a new URL analysis task in the ANY.RUN sandbox environment for every + URL provided. fetches_data: true internal_data_mutation_explanation: >- - Adds multiple comments to the case wall and uploads an HTML analysis report - as a case attachment. + Adds multiple comments to the case wall (interactive links, IOC summaries, and + verdicts) and uploads the HTML analysis report as a case attachment. categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -865,28 +996,3 @@ URL Windows Analysis: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: true - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: true - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/partner/anyrun_ti_feeds/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/anyrun_ti_feeds/resources/ai/actions_ai_description.yaml index fd2cfc019..f37d802e8 100644 --- a/content/response_integrations/third_party/partner/anyrun_ti_feeds/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/anyrun_ti_feeds/resources/ai/actions_ai_description.yaml @@ -1,54 +1,85 @@ Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Tests the connectivity and authentication with the ANY.RUN TI Feeds service. This - action validates the provided API key and, if configured, verifies the proxy settings - to ensure the integration can communicate with the external API. - - - ### Flow Description - - 1. **Parameter Extraction:** Retrieves the API key, SSL verification preference, - and proxy settings from the integration configuration. - - 2. **Proxy Verification (Optional):** If proxy usage is enabled, the action attempts - to establish a connection through the specified proxy host and port. - - 3. **Authorization Check:** Uses the ANY.RUN FeedsConnector to verify the validity - of the API key by calling the authorization endpoint. - - 4. **Status Reporting:** Logs the success or failure of the connection attempt - and terminates the action with the corresponding execution state. + Tests the connectivity and authentication between Google SecOps and the ANY.RUN + TI Feeds service. This action ensures that the integration is correctly configured + and can communicate with the external API. It verifies the validity of the API + key and tests network paths, including optional proxy configurations. ### Parameters Description - | Parameter Name | Type | Mandatory | Description | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | | ANYRUN TI Feeds API key | String | Yes | The API key used to authenticate with - ANY.RUN TI Feeds. | + the ANY.RUN TI Feeds service. | | Verify SSL | Boolean | No | If enabled, the action will verify the SSL certificate - of the API endpoint. | + of the ANY.RUN server. | | Enable proxy | Boolean | No | If enabled, the action will use the configured - proxy settings. | + proxy settings to connect. | - | Proxy host | String | No | The hostname or IP address of the proxy server. Required - if 'Enable proxy' is true. | + | Proxy host | String | No | The host address of the proxy server. This is required + if 'Enable proxy' is set to true. | - | Proxy port | String | No | The port of the proxy server. Required if 'Enable - proxy' is true. | + | Proxy port | String | No | The port of the proxy server. This is required if + 'Enable proxy' is set to true. | ### Additional Notes - * This action does not process entities and is used solely for health checks and - configuration validation. Note that while parameters are extracted from the configuration, - they are essential for the action's execution. + This action does not process any entities and is used solely for configuration + validation. Either the direct connection or the proxy connection must be successful + for the action to complete with a success status. + + + ### Flow Description + + 1. **Extract Configuration**: The action retrieves the API key, SSL verification + preference, and proxy settings from the integration configuration. + + 2. **Proxy Validation (Optional)**: If proxying is enabled, the action attempts + to establish a connection through the specified proxy host and port to verify + the proxy settings. + + 3. **Authentication Check**: The action initializes a connection to the ANY.RUN + TI Feeds service and performs an authorization check to verify that the provided + API key is valid. + + 4. **Result Reporting**: The action concludes by logging the success or failure + of the connection attempt and returns the execution state to the SecOps platform. capabilities: can_create_case_comments: false can_create_insight: false @@ -62,7 +93,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -76,28 +107,3 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/partner/anyrun_ti_feeds/resources/ai/jobs_ai_description.yaml b/content/response_integrations/third_party/partner/anyrun_ti_feeds/resources/ai/jobs_ai_description.yaml index be6a40c3d..fad0b480d 100644 --- a/content/response_integrations/third_party/partner/anyrun_ti_feeds/resources/ai/jobs_ai_description.yaml +++ b/content/response_integrations/third_party/partner/anyrun_ti_feeds/resources/ai/jobs_ai_description.yaml @@ -1,33 +1,65 @@ ANYRUN TI Feeds: - ai_description: "### General Description\nThis job synchronizes threat intelligence\ - \ feeds from ANY.RUN to Google SecOps DataTables. It automates the retrieval of\ - \ Indicators of Compromise (IOCs)\u2014specifically IPs, URLs, and Domains\u2014\ - and stores them in dedicated DataTables (`anyrun_feed_ip`, `anyrun_feed_url`,\ - \ `anyrun_feed_domain`). This ensures that security analysts have access to up-to-date\ - \ reputation data within the Google SecOps environment for detection and enrichment\ - \ purposes. The job performs a full refresh of the data by recreating the tables\ - \ during each execution to maintain data integrity.\n\n### Parameters Description\n\ - | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ - | Feed Fetch Depth | String | Yes | Specify the lookback period in days for fetching\ - \ indicators (e.g., 90). |\n| ANYRUN TI Feeds API key | String | Yes | The API\ - \ key used to authenticate with ANY.RUN TI services. |\n| Project ID | String\ - \ | Yes | The Google Cloud Project ID associated with the SecOps instance. |\n\ - | Project location | String | Yes | The regional location of the Google SecOps\ - \ instance. |\n| Instance ID | String | Yes | The specific Instance ID of the\ - \ Google SecOps environment. |\n| Google service account | String | Yes | The\ - \ JSON key of the Google Service Account used for SecOps API authentication. |\n\ - | Verify SSL | Boolean | No | If enabled, the job will verify SSL certificates\ - \ for outgoing requests. |\n| Enable proxy | Boolean | No | If enabled, the job\ - \ will use the configured proxy settings for communication. |\n\n### Flow Description\n\ - 1. **Initialization**: The job retrieves configuration settings for both ANY.RUN\ - \ and the Google SecOps API, including authentication credentials and the lookback\ - \ window.\n2. **Cleanup**: For each indicator type (IP, URL, Domain), the job\ - \ checks if a corresponding DataTable already exists in Google SecOps. If it exists,\ - \ the table is deleted to prepare for a fresh data load.\n3. **Schema Creation**:\ - \ New DataTables are created with a predefined schema containing columns for the\ - \ IOC value, confidence level, labels, creation date, and modification date.\n\ - 4. **Data Retrieval**: The job connects to the ANY.RUN TAXII/STIX endpoint and\ - \ fetches indicators modified within the specified `Feed Fetch Depth` period.\n\ - 5. **Data Transformation**: The raw ANY.RUN indicators are parsed and mapped to\ - \ the Google SecOps DataTable row format.\n6. **Bulk Loading**: The processed\ - \ indicators are uploaded in bulk to the newly created DataTables in Google SecOps." + ai_description: >- + ### General Description + + This job synchronizes threat intelligence indicators from ANY.RUN to Google SecOps + DataTables. It automates the retrieval of IP, URL, and Domain indicators via the + TAXII/STIX protocol and stores them in dedicated DataTables (`anyrun_feed_ip`, + `anyrun_feed_url`, `anyrun_feed_domain`). This ensures that security teams have + access to up-to-date ANY.RUN threat intelligence directly within Google SecOps + for detection and enrichment purposes. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Feed Fetch Depth | String | Yes | Specify the number of days back to fetch indicators + from the ANY.RUN feed. Default is 90 days. | + + | ANYRUN TI Feeds API key | String | Yes | The API key used to authenticate with + the ANY.RUN TI Feeds service (configured in integration settings). | + + | Project ID | String | Yes | The Google Cloud Project ID for the SecOps instance + (configured in integration settings). | + + | Project location | String | Yes | The location of the Google Cloud Project (e.g., + 'us', 'europe') (configured in integration settings). | + + | Instance ID | String | Yes | The specific Google SecOps Instance ID (configured + in integration settings). | + + | Google service account | String | Yes | The JSON key for the Google Service + Account used to interact with the SecOps API (configured in integration settings). + | + + | Verify SSL | Boolean | No | Whether to verify SSL certificates for the connection + to ANY.RUN (configured in integration settings). | + + + ### Flow Description + + 1. **Initialization**: The job extracts the necessary configuration parameters, + including API keys, Google SecOps instance details, and the fetch depth. + + 2. **Connection Setup**: Establishes an authorized session with the Google SecOps + API and a connection to the ANY.RUN TAXII/STIX feed. + + 3. **Indicator Processing**: Iterates through the defined indicator types (IP, + URL, and Domain). + + 4. **DataTable Maintenance**: For each indicator type, the job checks if the corresponding + DataTable exists in Google SecOps. If it does, the job deletes the existing table + to perform a clean synchronization. + + 5. **Schema Creation**: Creates a new DataTable with a structured schema including + columns for the indicator value, confidence level, labels, creation date, and + modification date. + + 6. **Data Retrieval**: Fetches indicators from the ANY.RUN feed that have been + modified within the specified `Feed Fetch Depth` period. + + 7. **Bulk Upload**: Converts the retrieved indicators into the required format + and performs a bulk upload into the newly created Google SecOps DataTables. diff --git a/content/response_integrations/third_party/partner/anyrun_ti_lookup/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/anyrun_ti_lookup/resources/ai/actions_ai_description.yaml index a0db4d32e..6b7f2f223 100644 --- a/content/response_integrations/third_party/partner/anyrun_ti_lookup/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/anyrun_ti_lookup/resources/ai/actions_ai_description.yaml @@ -1,67 +1,62 @@ ANYRUN TI Lookup: - ai_description: >- - Performs threat intelligence lookups on ANY.RUN for specific entities or raw queries. - This action retrieves threat levels and detailed intelligence reports, providing - analysts with context on potentially malicious indicators. It supports lookups - for IP addresses, domains, URLs, processes, and file hashes. The action attaches - a full JSON summary of the intelligence report to the case wall and adds comments - with direct lookup links and a summary of the findings. - - - ### Parameters - - | Parameter | Description | Type | Mandatory | Default Value | - - | :--- | :--- | :--- | :--- | :--- | - - | Lookup Depth | Specify the number of days from the current date for which you - want to lookup. | string | Yes | 90 | - - | Query | Raw query with necessary filters. Supports condition concatenation with - AND, OR, NOT and Parentheses (). | string | No | | - - | Identifiers | The target case entity identifiers. | string | Yes | [Entity.Identifier] - | - - | Types | The target case entity types. | string | Yes | [Entity.Type] | - - - ### Additional Notes - - * If the **Query** parameter is provided, the action will perform a raw query - lookup and ignore the **Identifiers** and **Types** parameters. - - * Supported entity types include: ADDRESS, IPSET, DestinationURL, DOMAIN, PROCESS, - and FILEHASH. - - * The action requires an ANY.RUN TI Lookup API KEY to be configured in the integration - settings. - - - ### Flow Description - - 1. **Initialization:** Extract action parameters (Lookup Depth, Query, Identifiers, - Types) and integration configuration (API Key, Verify SSL, Proxy settings). - - 2. **Query Execution:** If a raw **Query** is provided, the action performs a - single lookup using that query. - - 3. **Entity Processing:** If no raw query is provided, the action iterates through - the provided **Identifiers** and **Types**. - - 4. **Type Validation:** For each entity, it checks if the type is supported (Address, - IPSet, DestinationURL, Domain, Process, FileHash). - - 5. **Intelligence Retrieval:** For each valid entity or query, it calls the ANY.RUN - API to fetch threat intelligence data based on the specified **Lookup Depth**. - - 6. **Internal Updates:** For each successful lookup, it adds a comment to the - case with a direct link to the ANY.RUN analysis and attaches the full JSON report - to the case wall. - - 7. **Final Summary:** Once all lookups are complete, it adds a final summary comment - to the case listing the type, value, and verdict (Malicious, Suspicious, Unknown, - or No info) for each item processed. + action_product_categories: + add_alert_comment: true + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "### General Description\nPerforms threat intelligence lookups using\ + \ the ANY.RUN TI Lookup service. This action allows analysts to retrieve detailed\ + \ threat reports, reputation scores, and analysis links for various entity types\ + \ including IP addresses, domains, URLs, file hashes, and processes. It can process\ + \ specific entities or execute raw queries to gather intelligence from the ANY.RUN\ + \ platform.\n\n### Parameters Description\n| Parameter | Description | Type |\ + \ Mandatory | Notes |\n| :--- | :--- | :--- | :--- | :--- |\n| Lookup Depth |\ + \ Specifies the number of days from the current date for which you want to lookup\ + \ intelligence data. | String | Yes | Default is 90 days. |\n| Query | A raw query\ + \ string with necessary filters. Supports condition concatenation with AND, OR,\ + \ NOT, and parentheses. | String | No | If provided, the action performs a lookup\ + \ based on this query instead of individual entities. |\n| Identifiers | The target\ + \ case entity identifiers to be looked up. | String | Yes | Usually mapped to\ + \ `[Entity.Identifier]`. |\n| Types | The target case entity types corresponding\ + \ to the identifiers. | String | Yes | Usually mapped to `[Entity.Type]`. |\n\n\ + ### Flow Description\n1. **Initialization**: Extracts the API key, SSL verification\ + \ settings, and lookup depth from the integration configuration and action parameters.\n\ + 2. **Query Execution**: \n * If a **Query** parameter is provided, the action\ + \ executes a raw search against the ANY.RUN TI Lookup API.\n * If no query\ + \ is provided, the action iterates through the provided **Identifiers** and **Types**.\n\ + 3. **Intelligence Retrieval**: For each supported entity (IP, IPSet, Domain, URL,\ + \ Process, FileHash), the action calls the ANY.RUN API to fetch intelligence data.\n\ + 4. **Internal Updates**:\n * Adds a comment to the case containing a direct\ + \ hyperlink to the ANY.RUN analysis page for the entity.\n * Saves the full\ + \ JSON report as an attachment to the case wall for forensic review.\n5. **Result\ + \ Summarization**: Calculates a text-based verdict (Malicious, Suspicious, Unknown)\ + \ based on the threat level returned by ANY.RUN and posts a final summary comment\ + \ to the case wall.\n\n### Additional Notes\n- Supported entity types are: `address`,\ + \ `ipset`, `destinationurl`, `domain`, `process`, and `filehash`.\n- The action\ + \ requires a valid ANY.RUN TI Lookup API Key configured in the integration settings." capabilities: can_create_case_comments: true can_create_insight: false @@ -72,18 +67,18 @@ ANYRUN TI Lookup: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Adds comments to the case containing lookup URLs and a summary of results. It - also saves the full JSON intelligence report as an attachment to the case wall. + The action adds comments to the case and saves detailed JSON reports as attachments + to the case wall. categories: enrichment: false entity_usage: entity_types: - - ADDRESS - - IPSET - - DestinationURL - - DOMAIN - - PROCESS - - FILEHASH + - ADDRESS + - IPSET + - DestinationURL + - DOMAIN + - PROCESS + - FILEHASH filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -97,8 +92,9 @@ ANYRUN TI Lookup: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: - add_alert_comment: true + add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false contain_host: false @@ -108,72 +104,80 @@ ANYRUN TI Lookup: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: true + enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: ai_description: >- ### General Description - Tests the connectivity between Google SecOps and the ANY.RUN TI Lookup service. - This action validates the provided API key and network configuration (including - proxy settings) to ensure that subsequent enrichment actions can communicate with - the ANY.RUN API successfully. + The **Ping** action is a utility designed to verify the connectivity and authentication + status between the Google SecOps environment and the **ANY.RUN TI Lookup** service. + It ensures that the integration is correctly configured and can successfully communicate + with the external API. ### Parameters Description - | Parameter | Type | Mandatory | Description | + This action does not have any instance-specific parameters. It relies on the following + **Integration Configuration** parameters: + + + | Parameter Name | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | ANYRUN TI Lookup API KEY | String | Yes | The API key used to authenticate with - the ANY.RUN TI Lookup service. | + | ANYRUN TI Lookup API KEY | String | Yes | The API key required to authenticate + requests to ANY.RUN. | | Verify SSL | Boolean | No | If enabled, the action will verify the SSL certificate - of the ANY.RUN server. | + of the ANY.RUN API. | - | Enable proxy | Boolean | No | If enabled, the action will use the configured - proxy to connect to the service. | + | Enable proxy | Boolean | No | If enabled, the action will route traffic through + the configured proxy. | - | Proxy host | String | No | The hostname or IP address of the proxy server. Required - if 'Enable proxy' is true. | + | Proxy host | String | No | The hostname or IP address of the proxy server (required + if proxy is enabled). | - | Proxy port | String | No | The port of the proxy server. Required if 'Enable - proxy' is true. | + | Proxy port | String | No | The port number of the proxy server (required if + proxy is enabled). | - ### Additional Notes + ### Flow Description - This is a utility action used for troubleshooting and initial setup. It does not - process entities or modify any data within the SOAR or the external service. If - 'Enable proxy' is set to true, both 'Proxy host' and 'Proxy port' must be provided. + 1. **Configuration Extraction**: The action retrieves the API key and network + settings (SSL, Proxy) from the integration configuration. + 2. **Proxy Validation (Optional)**: If proxying is enabled, the action attempts + to establish a connection through the specified proxy host and port using the + `check_proxy` method. - ### Flow Description + 3. **Authorization Check**: The action initializes a connection to the ANY.RUN + service and performs an authorization check via the `check_authorization` method + to validate the API key. - 1. Extract configuration parameters including the API Key, SSL verification preference, - and proxy settings. + 4. **Result Reporting**: The action logs the outcome (Success or Failure) and + terminates with the appropriate execution state (`COMPLETED` or `FAILED`). - 2. If proxying is enabled, validate the proxy connection using the provided host - and port. - 3. Initialize the ANY.RUN connector and perform an authorization check against - the ANY.RUN TI Lookup API. + ### Additional Notes + + - This action is primarily used for troubleshooting and initial setup verification. - 4. Return a success message if the connection is established and authorized, otherwise - return a failure message with the error details. + - It does not process or enrich any entities. capabilities: can_create_case_comments: false can_create_insight: false @@ -187,7 +191,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -201,28 +205,3 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/partner/censys/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/censys/resources/ai/actions_ai_description.yaml index 1a2d86c32..34a73b6bf 100644 --- a/content/response_integrations/third_party/partner/censys/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/censys/resources/ai/actions_ai_description.yaml @@ -1,48 +1,76 @@ Enrich Certificates: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - Enriches FILEHASH entities with comprehensive SSL/TLS certificate intelligence - using the Censys Platform API. The action identifies certificates by their SHA-256 - fingerprint and retrieves detailed metadata including issuer information, subject - details, validity periods, and self-signed status. - + ### General Description - ### Flow Description: + Enriches `FILEHASH` entities with comprehensive SSL/TLS certificate intelligence + using the Censys Platform API. This action treats the entity identifier as a certificate's + SHA-256 fingerprint and retrieves detailed metadata including issuer information, + subject details, validity periods, and self-signed status. The retrieved data + is mapped to the entity's additional properties, providing analysts with immediate + context regarding the certificate's legitimacy and configuration. - 1. **Entity Collection:** Identifies all FILEHASH entities within the current - scope. - 2. **Validation:** Validates that the entity identifiers are formatted as 64-character - hexadecimal strings (SHA-256 fingerprints). + ### Parameters Description - 3. **API Interaction:** Performs a batch request to the Censys `/v3/global/asset/certificate` - endpoint to retrieve certificate data. + There are no action-specific parameters for this action. It relies on the integration's + global configuration (API Key and Organization ID) and the entities present in + the current scope. - 4. **Data Processing:** For each matching certificate found, it parses the API - response into a structured data model. - 5. **Internal Update:** Clears any existing Censys-specific enrichment data on - the entity, updates the entity's additional properties with the new certificate - metadata, and marks the entity as enriched. + ### Flow Description + 1. **Entity Extraction:** Identifies all `FILEHASH` entities within the current + SOAR scope. - ### Parameters Description: + 2. **Validation:** Validates that each entity identifier follows the required + format for a certificate fingerprint (exactly 64 hexadecimal characters). - | Parameter Name | Type | Mandatory | Description | + 3. **API Interaction:** Performs a batch POST request to the Censys `/v3/global/asset/certificate` + endpoint using the validated fingerprints. - | :--- | :--- | :--- | :--- | + 4. **Data Processing:** For each matching result, it parses the certificate's + subject DN, issuer DN, common name, validity start/end dates, and signature details. - | None | N/A | N/A | This action does not require any action-specific parameters; - it relies on the integration's global configuration (API Key, Organization ID). - | + 5. **Internal Update:** Clears any existing Censys enrichment data on the entity, + updates the entity's additional properties with the new metadata, and marks the + entity as enriched in the SOAR platform. - ### Additional Notes: + ### Additional Notes - * This action specifically targets FILEHASH entities. If an entity identifier - is not a valid SHA-256 hash, it will be skipped and reported as invalid. + - This action specifically targets `FILEHASH` entities because Censys identifies + certificates by their SHA-256 hash. - * The action performs internal state changes by updating entity attributes and - clearing previous enrichment keys to ensure data freshness. + - If an entity identifier is not a valid 64-character hex string, it is skipped + and reported as invalid in the output message. capabilities: can_create_case_comments: false can_create_insight: false @@ -53,14 +81,13 @@ Enrich Certificates: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with certificate metadata (issuer, subject, - validity) and sets the 'is_enriched' flag to true. It also clears previous Censys - enrichment data for the entity to prevent stale data. + Updates FILEHASH entity attributes with certificate metadata (issuer, subject, + validity) and sets the enrichment status to true. categories: enrichment: true entity_usage: entity_types: - - FILEHASH + - FILEHASH filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -74,6 +101,7 @@ Enrich Certificates: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Enrich IPs: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -87,69 +115,67 @@ Enrich Certificates: enrich_asset: false enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Enrich IPs: ai_description: >- - Enriches IP Address entities using the Censys Platform API to provide comprehensive - intelligence about internet-facing infrastructure. This action retrieves detailed - data including active services, open ports, protocols, SSL/TLS certificates, known - vulnerabilities, and geographic location data. It supports historical lookups - via a timestamp parameter, allowing analysts to view the state of a host at a - specific point in time. - + Enriches IP Address entities using the Censys Platform API. This action retrieves + comprehensive intelligence about internet-facing infrastructure, including active + services, open ports, protocols, SSL/TLS certificates, known vulnerabilities, + and geographic location data. It helps security teams understand the attack surface + exposure of specific IP addresses. - ### Parameters Description + ### Flow Description: - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | + 1. **Parameter Extraction:** Retrieves integration configuration (API Key, Org + ID) and the optional 'At Time' action parameter. - | At Time | String | No | An RFC3339 formatted timestamp (e.g., '2024-01-15T00:00:00Z') - used to retrieve historical host data from a specific point in time. | + 2. **Entity Identification:** Filters the current context for IP Address (ADDRESS) + entities. + 3. **Validation:** Validates the format of the identified IP addresses and the + provided RFC3339 timestamp. - ### Additional Notes + 4. **API Interaction:** Performs a batch request to the Censys `/v3/global/asset/host` + endpoint to fetch host intelligence. - - This action specifically targets entities of type `ADDRESS` (IP addresses). + 5. **Data Processing:** Parses the API response using a dedicated data model to + extract relevant enrichment fields. - - If the `At Time` parameter is provided, it must follow the RFC3339 format; otherwise, - the action will fail validation. + 6. **Internal Update:** Clears previous Censys enrichment data, updates the entity's + additional properties with new intelligence, and marks the entity as enriched. - - The action automatically clears previous Censys IP enrichment data on the entity - before applying new results to ensure data freshness. + ### Parameters Description: - ### Flow Description + | Parameter | Type | Mandatory | Description | - 1. **Parameter Extraction:** The action retrieves the optional `At Time` parameter - and validates its format if provided. + | :--- | :--- | :--- | :--- | - 2. **Entity Filtering:** It identifies all `ADDRESS` entities within the current - scope and validates that they are correctly formatted IP addresses. + | At Time | String | No | An RFC3339 formatted timestamp (e.g., 2024-01-15T00:00:00Z) + used to retrieve historical host data from a specific point in time. | - 3. **API Interaction:** A batch request is sent to the Censys `/v3/global/asset/host` - endpoint to fetch intelligence for all valid IP addresses. - 4. **Data Mapping:** For each successful response, the action parses the host - data (ASN, location, services, vulnerabilities) using a structured data model. + ### Additional Notes: - 5. **Internal Update:** The action clears old enrichment keys, updates the entity's - additional properties with the new intelligence, and marks the entity as enriched. + - This action performs batch processing for efficiency but updates each entity + individually within the SOAR platform. - 6. **Completion:** The action updates the entities in the Google SecOps platform - and returns a summary message of the enrichment results. + - If an IP is not found in the Censys database, the action will report it as 'not + found' in the output message but will continue processing other entities. capabilities: can_create_case_comments: false can_create_insight: false @@ -160,13 +186,13 @@ Enrich IPs: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with Censys host intelligence data and - sets the 'is_enriched' flag to true. + Updates entity additional properties with Censys host intelligence data (ports, + services, location, etc.) and sets the 'is_enriched' flag to true. categories: enrichment: true entity_usage: entity_types: - - ADDRESS + - ADDRESS filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -180,6 +206,7 @@ Enrich IPs: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Enrich Web Properties: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -193,79 +220,79 @@ Enrich IPs: enrich_asset: false enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Enrich Web Properties: ai_description: >- - Enriches IP Address (ADDRESS) and Domain (DOMAIN) entities with comprehensive - web property intelligence using the Censys Platform API. This action retrieves - detailed information about web-facing assets, including HTTP/HTTPS service details, - SSL/TLS certificates, identified software/technologies, and associated security - threats or vulnerabilities. Enrichment data is added to the entity's additional - properties using port-specific prefixes (e.g., Censys_80_...) to allow for multiple - port enrichments on a single entity. + ### General Description + Enriches IP Address and Domain entities with comprehensive web property intelligence + using the Censys Platform API. This action retrieves detailed data about web-facing + assets, including HTTP/HTTPS service details, SSL/TLS certificates, software technologies, + and security configurations. It allows analysts to investigate specific ports + and even view historical data for a specific point in time. - ### Flow Description - 1. **Parameter Extraction:** Retrieves the 'Port' (comma-separated list) and the - optional 'At Time' (RFC3339 timestamp for historical data) from the action parameters. + ### Parameters Description - 2. **Entity Identification:** Filters the target entities to identify valid ADDRESS - (IP) and DOMAIN (Hostname) objects. + | Parameter | Type | Mandatory | Default | Description | - 3. **Validation:** Validates the format of IP addresses, domain names, and port - numbers (1-65535). It also ensures the 'At Time' parameter follows the RFC3339 - standard if provided. + | :--- | :--- | :--- | :--- | :--- | - 4. **API Request Construction:** Combines each valid entity identifier with each - specified port to create unique web property IDs (e.g., 'example.com:443') and - sends a bulk enrichment request to the Censys API. + | Port | String | True | 80, 443 | A comma-separated list of port numbers (e.g., + "80, 443, 8080") to investigate for each entity. | - 5. **Data Parsing:** Processes the API response using a specialized data model - to extract software vendors, products, versions, certificate fingerprints, subject/issuer - details, and threat names. + | At Time | String | False | None | An RFC3339 formatted timestamp (e.g., "2024-01-15T00:00:00Z") + to retrieve historical web property data from a specific point in time. | - 6. **Internal Update:** Clears existing Censys enrichment for the specific ports - being processed, updates the entity's additional properties with the new data, - and marks the entity as enriched. - 7. **Result Reporting:** Updates the entities in the SOAR platform and provides - a detailed JSON result for each processed web property. + ### Flow Description + 1. **Parameter Extraction:** The action retrieves the `Port` and `At Time` parameters + and validates their format (e.g., ensuring ports are within the 1-65535 range + and the timestamp is valid RFC3339). - ### Parameters Description + 2. **Entity Identification:** It identifies all `ADDRESS` (IP) and `DOMAIN` entities + in the current scope. - | Parameter | Type | Mandatory | Default | Description | + 3. **Identifier Generation:** For every valid entity and every specified port, + it constructs a unique web property identifier in the format `hostname:port`. - | :--- | :--- | :--- | :--- | :--- | + 4. **API Interaction:** The action sends a POST request to the Censys Platform + API (`/v3/global/asset/webproperty`) with the list of identifiers and the optional + timestamp. - | Port | String | True | 80, 443 | A comma-separated list of ports associated - with the domain or hostname to be queried (e.g., "80, 443, 8080"). | + 5. **Data Parsing:** It processes the API response, matching returned resources + back to the original entities and ports. It uses a specialized data model to extract + fields like software vendors, certificate fingerprints, and threat names. - | At Time | String | False | None | An RFC3339 formatted timestamp (e.g., "2024-01-15T00:00:00Z") - used to retrieve historical data for the web property at a specific point in time. - | + 6. **Internal Mutation:** For each match, it clears any existing Censys enrichment + data for that specific port on the entity and then updates the entity's `additional_properties` + with the new intelligence. + + 7. **Finalization:** The action marks the entities as enriched, updates them within + Google SecOps, and provides a summary message of the results. ### Additional Notes - * The action uses port-prefixed keys in the entity's additional properties (e.g., - `Censys_443_web_cert_issuer`) to prevent data collisions when multiple ports are - enriched for the same host. + - This action specifically targets `ADDRESS` and `DOMAIN` entity types. Other + types will be ignored. - * If an entity is invalid or no data is found for a specific host/port combination, - the action will log the skip and continue processing other entities. + - Enrichment data is prefixed with `Censys_{port}_` to allow for multiple port + enrichments on a single entity without data collisions. capabilities: can_create_case_comments: false can_create_insight: false @@ -276,14 +303,14 @@ Enrich Web Properties: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with port-prefixed enrichment data (e.g., - software, certificates, threats) and sets the 'is_enriched' flag to true. + Updates entity additional properties with web property enrichment data (services, + certificates, software) and sets the 'is_enriched' flag to true. categories: enrichment: true entity_usage: entity_types: - - ADDRESS - - DOMAIN + - ADDRESS + - DOMAIN filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -297,6 +324,7 @@ Enrich Web Properties: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Host History: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -308,68 +336,83 @@ Enrich Web Properties: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: true + enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: false + search_events: true send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Host History: ai_description: >- - Retrieves the event history for a specific host (IP address) from Censys. This - action allows analysts to view historical scan data, track infrastructure changes - over time, and identify when services were added, removed, or modified. It performs - time-based pagination to collect up to 1,000 records within the specified RFC3339 - time range. + ### General Description + This action retrieves the historical event timeline for a specific host (IP address) + from Censys. It allows security analysts to track infrastructure changes over + time, identifying when specific services were added, removed, or modified. This + is particularly useful for forensic investigations, tracking threat actor infrastructure + evolution, or auditing asset changes. - ### Flow Description: - 1. **Validation**: Validates that the 'Host ID' is a valid IP address and that - 'Start Time' and 'End Time' are in the correct RFC3339 format. + ### Parameters Description - 2. **API Request**: Initiates a GET request to the Censys Host Timeline API endpoint. + | Parameter | Type | Mandatory | Description | - 3. **Pagination**: Automatically handles pagination to retrieve multiple pages - of history, respecting a maximum threshold of 1,000 records or 10 API calls. + | :--- | :--- | :--- | :--- | - 4. **Data Processing**: Parses the raw event data (e.g., service scans, DNS resolutions, - location updates) into a structured format. + | Host ID | String | Yes | The IP address of the host to retrieve history for. + | - 5. **Output**: Generates a data table for the SOAR interface and provides the - full raw results in JSON format. + | Start Time | String | Yes | The start time of the host timeline. Must be a valid + RFC3339 string (e.g., 2025-01-01T00:00:00Z). This represents the beginning of + the historical window. | + | End Time | String | Yes | The end time of the host timeline. Must be a valid + RFC3339 string (e.g., 2025-01-02T00:00:00Z). This represents the end of the historical + window and must be later than the Start Time. | - ### Parameters Description: - | Parameter Name | Type | Mandatory | Description | + ### Additional Notes - | :--- | :--- | :--- | :--- | + - The action implements time-based pagination, fetching up to 1000 records or + 10 pages of data. - | Host ID | String | Yes | The IP address of the host to query. | + - If the API returns more than 1000 records, a warning is provided, and the analyst + is directed to the Censys platform for full exploration. - | Start Time | String | Yes | The beginning of the timeline range. Must be a valid - RFC3339 string (e.g., 2025-01-01T00:00:00Z). | + - The action handles partial data collection; if an error occurs during pagination, + it will return the events collected up to that point with a warning. - | End Time | String | Yes | The end of the timeline range. Must be a valid RFC3339 - string (e.g., 2025-01-02T00:00:00Z). | + ### Flow Description - ### Additional Notes: + 1. **Parameter Extraction**: Retrieves the `Host ID`, `Start Time`, and `End Time` + from the action configuration. - - The action enforces a chronological check where 'Start Time' must be earlier - than 'End Time'. + 2. **Validation**: Validates that the `Host ID` is a properly formatted IP address + and that both timestamps adhere to the RFC3339 standard. - - If the API returns more than 1,000 records, the action will truncate the results - and provide a link to the Censys platform for further exploration. + 3. **API Initialization**: Sets up the Censys API manager using the provided API + Key and Organization ID. + + 4. **Data Retrieval**: Executes a paginated GET request to the Censys host timeline + endpoint. It reverses the user-provided chronological times to match the API's + reverse-chronological requirements. + + 5. **Data Processing**: Iterates through the retrieved events, parsing resource + details (like service ports, protocols, DNS names, or ASN changes) using the `HostHistoryEventModel`. + + 6. **Output Generation**: Populates a data table named "Host History Events" with + the parsed data and attaches the full raw response as a JSON result to the case. capabilities: can_create_case_comments: false can_create_insight: false @@ -383,7 +426,7 @@ Get Host History: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -397,6 +440,7 @@ Get Host History: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Rescan Status: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -410,60 +454,62 @@ Get Host History: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Rescan Status: ai_description: >- - Retrieves the current status of a scan by its ID from Censys. This action is primarily - used to monitor the progress of previously initiated rescans and determine when - results are available for further processing. It supports asynchronous execution, - allowing the SOAR platform to poll for completion. + ### General Description + The **Get Rescan Status** action retrieves the current status of a scan from Censys + using its unique Scan ID. This action is designed to be used asynchronously, allowing + the SOAR platform to monitor the progress of a scan (such as one started by the + 'Initiate Rescan' action) until it reaches a terminal state (Completed or Failed). - ### Parameters Description + ### Parameters Description - | Parameter Name | Type | Mandatory | Description | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Scan ID | String | Yes | The unique identifier of the tracked scan, typically - obtained from the output of an 'Initiate Rescan' action. | + | Scan ID | string | Yes | The unique identifier of the tracked scan. This ID + is typically obtained from the output of a previous rescan initiation action. + | ### Flow Description + 1. **Parameter Extraction:** The action extracts the `Scan ID` provided by the + user or a previous playbook step. - 1. **Parameter Extraction:** The action extracts the `Scan ID` from the input - parameters and validates that it is a non-empty string. + 2. **API Request:** It sends a GET request to the Censys API (`/v3/global/scans/{scan_id}`) + to fetch the current metadata of the scan. - 2. **API Initialization:** Initializes the Censys API Manager using the integration's - API Key and Organization ID. + 3. **Status Evaluation:** The action checks the `completed` field in the API response: + * If the field is missing, the scan is considered still running, and the action + returns an `IN_PROGRESS` status. + * If the field is `True`, the scan is finished, and the action returns `COMPLETED`. + * If the field is `False`, the scan is marked as `FAILED`. + 4. **Result Reporting:** The full JSON response from Censys is attached to the + action results for further use in the playbook. - 3. **Status Retrieval:** Makes a GET request to the Censys API (`/v3/global/scans/{scan_id}`) - to fetch the current state of the scan. - 4. **Result Processing:** Adds the raw API response to the action results as - a JSON object. + ### Additional Notes - 5. **State Determination:** Analyzes the response to determine the execution - state: - * If the 'completed' field is missing, the action returns an `IN_PROGRESS` - state. - * If 'completed' is `True`, the action returns a `COMPLETED` state. - * If 'completed' is `False`, the action returns a `FAILED` state. - 6. **Finalization:** Ends the action with a descriptive output message and the - calculated execution status. + This action is intended for use in playbooks that require waiting for external + scan results before proceeding with enrichment or analysis. capabilities: can_create_case_comments: false can_create_insight: false @@ -477,7 +523,7 @@ Get Rescan Status: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -491,6 +537,7 @@ Get Rescan Status: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Initiate Rescan: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -504,72 +551,76 @@ Get Rescan Status: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Initiate Rescan: ai_description: >- - Initiates a live rescan for a known host service or web origin in Censys. This - action allows analysts to trigger an immediate update of Censys's data for a specific - target (IP/Port or Hostname/Port) rather than waiting for the next scheduled crawl. - The action returns a unique Scan ID which can be used with the 'Get Rescan Status' - action to monitor the progress and results of the scan. + ### General Description + Initiates a live rescan for a known host service or web origin on the Censys platform. + This action allows analysts to trigger an immediate update of Censys's data for + a specific endpoint (IP or domain) and port. The action returns a unique scan + ID which can be used to track the progress and results of the scan. - ### Flow Description: - 1. **Parameter Validation**: Validates that the 'Port' is a valid integer (1-65535) - and ensures that if the 'IOC Type' is 'Service', a 'Protocol' is provided and - the 'IOC Value' is a valid IP address. + ### Parameters Description - 2. **API Request Construction**: Builds a JSON payload for the Censys API. For - 'Service' targets, it includes IP, port, protocol, and transport protocol. For - 'Web Origin' targets, it includes hostname and port. + | Parameter | Type | Mandatory | Description | - 3. **External Interaction**: Sends a POST request to the Censys `/v3/global/scans/rescan` - endpoint. + | :--- | :--- | :--- | :--- | - 4. **Result Processing**: Extracts the `tracked_scan_id`, task count, and creation - time from the response and provides them as action results. + | IOC Type | DDL | Yes | Determines the type of target to scan. Options are 'Service' + (for IP-based targets) or 'Web Origin' (for domain-based targets). | + | IOC Value | String | Yes | The specific IP address or domain name to be rescanned. + | - ### Parameters Description: + | Port | String | Yes | The port number associated with the service or web origin + (valid range: 1 to 65535). Defaults to 443. | - | Parameter | Type | Mandatory | Description | + | Protocol | String | No | The application-level protocol (e.g., 'http', 'ssh'). + This is **mandatory** if the 'IOC Type' is set to 'Service'. | - | :--- | :--- | :--- | :--- | + | Transport Protocol | DDL | No | The transport layer protocol. Options include + 'Unknown', 'TCP', 'UDP', 'ICMP', or 'QUIC'. | - | IOC Type | DDL | Yes | Specifies the target type: 'Service' (for IP-based targets) - or 'Web Origin' (for hostname-based targets). | - | IOC Value | String | Yes | The IP address (for Service) or domain name (for - Web Origin) to be rescanned. | + ### Additional Notes - | Port | String | Yes | The port associated with the target. Must be between 1 - and 65535. Default is 443. | + - If 'IOC Type' is set to 'Service', the 'IOC Value' must be a valid IP address + and the 'Protocol' parameter must be provided. - | Protocol | String | No | The service protocol (e.g., http, ssh). This is **mandatory** - if 'IOC Type' is set to 'Service'. | + - The scan may take several minutes to complete in the external Censys system. - | Transport Protocol | DDL | No | The transport layer protocol (TCP, UDP, etc.). - Used when 'IOC Type' is 'Service'. Defaults to 'Unknown'. | + ### Flow Description - ### Additional Notes: + 1. **Parameter Extraction:** The action retrieves the target details (Type, Value, + Port, Protocol) from the user input. - - This action does not run on SOAR entities automatically; it requires manual - input or mapping of entity identifiers to the 'IOC Value' parameter. + 2. **Validation:** It validates that the port is within the legal range and ensures + that if a 'Service' scan is requested, an IP address and protocol are provided. - - The rescan process may take several minutes to complete in the Censys platform. + 3. **API Request:** The action sends a POST request to the Censys `/v3/global/scans/rescan` + endpoint with the target configuration. + + 4. **Result Processing:** It captures the `tracked_scan_id` and task information + from the Censys response. + + 5. **Output:** The action returns the scan ID and creation time to the SOAR case + and provides the full JSON response for further automation steps. capabilities: can_create_case_comments: false can_create_insight: false @@ -578,14 +629,14 @@ Initiate Rescan: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Initiates a new scanning job/task in the Censys platform, which creates a new - tracked scan record and consumes scanning resources. + Initiates a live rescan on the Censys platform, which triggers new scanning + activity and updates the state of the target's data within the Censys system. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -599,6 +650,7 @@ Initiate Rescan: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -612,40 +664,72 @@ Initiate Rescan: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: - ai_description: "### General Description\nThe **Ping** action is a diagnostic tool\ - \ used to verify the connectivity between the Google SecOps SOAR environment and\ - \ the Censys platform. Its primary purpose is to ensure that the integration's\ - \ configuration parameters\u2014specifically the API Key and Organization ID\u2014\ - are correct and that the SOAR server can successfully communicate with the Censys\ - \ API endpoints.\n\n### Parameters Description\nThis action does not require any\ - \ input parameters. It relies entirely on the global integration configuration\ - \ (API Key, Organization ID, and Verify SSL).\n\n### Additional Notes\n- This\ - \ action is typically used during the initial setup of the Censys integration\ - \ or for troubleshooting communication issues.\n- It performs a simple GET request\ - \ to the Censys account/organization endpoint to validate credentials.\n\n###\ - \ Flow Description\n1. **Parameter Retrieval:** The action extracts the global\ - \ integration settings, including the API Key, Organization ID, and SSL verification\ - \ preference.\n2. **Manager Initialization:** It initializes the `APIManager`\ - \ with the retrieved credentials.\n3. **Connectivity Test:** The action calls\ - \ the `test_connectivity` method, which executes a GET request to the Censys API\ - \ (`/v3/accounts/organizations/{organization_id}`).\n4. **Result Handling:** \n\ - \ - If the request is successful, it returns a success message and sets the\ - \ connectivity result to `True`.\n - If an exception occurs (e.g., authentication\ - \ failure, network timeout), it captures the error, logs it, and returns a failure\ - \ message with the connectivity result set to `False`." + ai_description: >- + ### General Description + + The **Ping** action is a utility designed to verify the connectivity and authentication + between the Google SecOps SOAR platform and the Censys API. It ensures that the + integration is correctly configured with a valid API Key and Organization ID, + and that the server can reach the Censys platform over the network. + + + ### Parameters Description + + This action does not require any input parameters. It relies entirely on the global + integration configuration (API Key, Organization ID, and Verify SSL). + + + | Parameter Name | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | N/A | N/A | N/A | No parameters are used for this action. | + + + ### Additional Notes + + - This action is primarily used for health checks and initial configuration validation. + + - It performs a read-only GET request to the Censys account/organization endpoint. + + - Per system rules, Ping actions are not classified as enrichment actions. + + + ### Flow Description + + 1. **Initialization**: The action starts by initializing the Siemplify context + and logging the execution start. + + 2. **Configuration Retrieval**: It extracts the global integration settings: `API + Key`, `Organization ID`, and `Verify SSL`. + + 3. **API Client Setup**: An instance of the `APIManager` is created using the + retrieved credentials. + + 4. **Connectivity Check**: The action calls the `test_connectivity` method, which + executes a GET request to the Censys API endpoint `/v3/accounts/organizations/{organization_id}`. + + 5. **Execution Completion**: + - If the API call is successful, the action ends with a "Successfully connected" + message and a `True` result. + - If an error occurs (e.g., 401 Unauthorized or connection timeout), the action + catches the exception, logs the error details, and ends with a failure message + and a `False` result. capabilities: can_create_case_comments: false can_create_insight: false @@ -659,7 +743,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -673,28 +757,3 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/partner/clarotyxdome/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/clarotyxdome/resources/ai/actions_ai_description.yaml index 9aec71134..1213b7e18 100644 --- a/content/response_integrations/third_party/partner/clarotyxdome/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/clarotyxdome/resources/ai/actions_ai_description.yaml @@ -1,53 +1,61 @@ AddVulnerabilities: - ai_description: >- - Enriches entities with vulnerability information retrieved from Claroty xDome. - The action identifies devices by their IP address, MAC address, or xDome Unique - Identifier (UID) and queries the xDome API to retrieve associated security vulnerabilities. - It fetches detailed data including CVE IDs, vulnerability names, risk scores, - and descriptions. The gathered information is then appended to the entity's additional - properties in Google SecOps, and the entity is marked as enriched. - - - ### Parameters Description - - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | xdomeHost | String | Yes | The base URL for the Claroty xDome instance (e.g., - `https://example.xdome.claroty.com`). | - - | xdomeApiToken | String | Yes | The API token used for authenticating requests - to the xDome API. | - - | Verify SSL | Boolean | No | If enabled, the action will validate SSL certificates - for the API connection. Defaults to true. | - - - ### Flow Description - - - 1. **Configuration Extraction:** The action retrieves the xDome host, API token, - and SSL verification settings from the integration configuration. - - 2. **Entity Identification:** It iterates through the target entities and determines - if the identifier is a UID, an IP address (v4/v6), or a MAC address using regular - expressions. - - 3. **Device Resolution:** For IP or MAC identifiers, the action queries the xDome - `/api/v1/devices/` endpoint to find the corresponding device UID. - - 4. **Vulnerability Retrieval:** Using the device UID, the action queries the `/api/v1/device_vulnerability_relations/` - endpoint to fetch all related vulnerability records. - - 5. **Data Enrichment:** The retrieved vulnerability details (count, list of CVEs, - risk scores) are mapped to the entity's `additional_properties` and the `is_enriched` - flag is set to true. - - 6. **Internal Update:** The action updates the entities within the Google SecOps - platform and returns a JSON result containing the enrichment data for each processed - entity. + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "### General Description\nEnriches entities with vulnerability information\ + \ retrieved from Claroty xDome. This action identifies devices within the xDome\ + \ platform using their IP address, MAC address, or a unique identifier (UID) and\ + \ fetches associated vulnerability data, including CVE IDs, risk scores, and remediation\ + \ recommendations. The retrieved data is then appended to the entity's additional\ + \ properties in Google SecOps.\n\n### Parameters Description\n| Parameter | Description\ + \ | Type | Mandatory |\n| :--- | :--- | :--- | :--- |\n| xdomeHost | The base\ + \ URL for the Claroty xDome instance (e.g., https://example.xdome.claroty.com).\ + \ | String | Yes |\n| xdomeApiToken | The API token used for authenticating requests\ + \ to the Claroty xDome API. | String | Yes |\n| Verify SSL | If enabled, the action\ + \ will validate the SSL certificate of the xDome API endpoint. | Boolean | No\ + \ |\n\n### Flow Description\n1. **Configuration Extraction**: Retrieves the xDome\ + \ host, API token, and SSL verification settings from the integration configuration.\n\ + 2. **Entity Iteration**: Processes each target entity provided in the current\ + \ context.\n3. **Device Identification**: \n * Checks if the entity identifier\ + \ is a UID (32-40 character hex string).\n * If not a UID, it attempts to match\ + \ the identifier against IP (v4/v6) or MAC address patterns.\n * Performs a\ + \ search in xDome to find the corresponding device record.\n4. **Vulnerability\ + \ Retrieval**: For each identified device, it queries the xDome API to fetch all\ + \ related vulnerability records, including details like severity, EPSS scores,\ + \ and descriptions.\n5. **Internal Enrichment**: \n * Updates the entity's\ + \ `additional_properties` with the vulnerability list, total count, and a `is_vulnerable`\ + \ flag.\n * Sets the entity's `is_enriched` status to `True`.\n6. **Entity\ + \ Update**: Commits the enriched data back to the Google SecOps platform.\n7.\ + \ **Final Reporting**: Provides a summary message indicating which entities were\ + \ successfully enriched and which failed.\n\n### Additional Notes\n- The action\ + \ uses a timeout of 5 seconds for API requests.\n- It limits the device search\ + \ to the first 5 matches and vulnerability retrieval to the first 100 records\ + \ per device." capabilities: can_create_case_comments: false can_create_insight: false @@ -58,47 +66,47 @@ AddVulnerabilities: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with vulnerability data and sets the enrichment - status flag. + Updates entity additional properties with vulnerability data and sets the is_enriched + flag. categories: enrichment: true entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -112,6 +120,7 @@ AddVulnerabilities: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +EnrichAlerts: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -122,61 +131,66 @@ AddVulnerabilities: disable_identity: false download_file: false enable_identity: false - enrich_asset: true + enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: true remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false - update_alert: false + update_alert: true update_email: false update_identity: false update_ticket: false -EnrichAlerts: ai_description: >- - Enriches a Google SecOps alert with detailed metadata from a Claroty xDome alert. - This action uses a specific Claroty Alert ID to fetch comprehensive information, - including alert classification, timing, and MITRE ATT&CK mapping. The retrieved - data is then mapped to the current alert's additional properties and security - result fields to provide analysts with better context. + ### General Description + The **EnrichAlerts** action retrieves comprehensive details for a specific alert + from Claroty xDome and maps that information onto the current Google SecOps alert. + This enrichment process includes populating additional properties with Claroty-specific + metadata and updating the alert's security results with MITRE ATT&CK tactics and + techniques (supporting both ICS and Enterprise frameworks). - ### Parameters + + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | clarotyAlertId | String | Yes | The unique alert ID from Claroty xDome used - to fetch details. | + | `clarotyAlertId` | String | Yes | The unique identifier of the alert within + the Claroty xDome platform. | ### Flow Description - 1. **Configuration Retrieval:** Extracts the Claroty xDome host and API token - from the integration settings. - - 2. **Parameter Extraction:** Retrieves the mandatory `clarotyAlertId` provided - by the user. + 1. **Authentication**: The action retrieves the Claroty xDome host and API token + from the integration configuration. - 3. **External API Query:** Sends a POST request to the Claroty xDome `/api/v1/alerts/` - endpoint, filtering by the specific alert ID. + 2. **Data Retrieval**: It sends a POST request to the Claroty API to fetch details + for the alert specified by the `clarotyAlertId` parameter. - 4. **Data Mapping:** If an alert is found, the script iterates through predefined - Claroty fields (e.g., `alert_type_name`, `category`, `description`) and adds them + 3. **Property Mapping**: If the alert is found, the action iterates through the + Claroty alert fields (such as alert name, type, class, and status) and adds them to the Google SecOps alert's `additional_properties` with a `Claroty_` prefix. - 5. **MITRE Enrichment:** Extracts MITRE ATT&CK Enterprise or ICS tactics and techniques - from the Claroty data and updates the alert's `security_result` fields (tactic, - tactic_id, technique, technique_id). + 4. **MITRE Enrichment**: The action extracts MITRE technique names and IDs (checking + both Enterprise and ICS fields) and updates the `security_result` field of the + alert with the corresponding tactic and technique information. - 6. **Result Reporting:** Returns the raw JSON of the fetched alert and updates - the action status. + + ### Additional Notes + + This action specifically targets the alert object itself rather than individual + entities. It is designed to provide context to the analyst by bringing external + alert metadata directly into the SecOps case management interface. capabilities: can_create_case_comments: false can_create_insight: false @@ -187,12 +201,12 @@ EnrichAlerts: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action modifies the current alert's 'additional_properties' by adding Claroty - metadata and updates the 'security_result' field with MITRE ATT&CK information. + Updates the current alert's additional properties and security result fields + (MITRE tactics and techniques) with data retrieved from Claroty xDome. categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -206,6 +220,7 @@ EnrichAlerts: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +EnrichXDomeAssetInformation: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -216,70 +231,75 @@ EnrichAlerts: disable_identity: false download_file: false enable_identity: false - enrich_asset: false + enrich_asset: true enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false - update_alert: true + update_alert: false update_email: false update_identity: false update_ticket: false -EnrichXDomeAssetInformation: ai_description: >- - Enriches IP Address and MAC Address entities with asset information from Claroty - xDome. This action retrieves detailed device metadata, including device category, - type, manufacturer, and risk scores. It also fetches associated vulnerability - data to provide a comprehensive security posture for the identified asset. + ### General Description + Enriches IP Address and MAC Address entities with detailed asset metadata and + vulnerability information retrieved from Claroty xDome. This action helps analysts + understand the context of a device, including its category, manufacturer, risk + score, and known vulnerabilities, by querying the Claroty xDome API. - ### Flow Description - 1. **Entity Validation**: The action iterates through target entities, filtering - for IP Addresses and MAC Addresses. It uses regex to ensure the identifiers are - valid formats. + ### Parameters Description - 2. **Device Lookup**: For each valid entity, it queries the Claroty xDome `/api/v1/devices/` - endpoint to find matching active (non-retired) devices. + | Parameter | Type | Mandatory | Description | - 3. **Vulnerability Retrieval**: If a device is found, the action performs a secondary - query to `/api/v1/device_vulnerability_relations/` using the device's unique identifier - (UID) to fetch known vulnerabilities. + | :--- | :--- | :--- | :--- | - 4. **Data Processing**: It summarizes the top 5 vulnerabilities and compiles asset - metadata (e.g., site name, risk score, firmware version) into a compact format. + | xdomeHost | playbook_name | Yes | The base URL for the Claroty xDome instance + (e.g., `https://example.xdome.claroty.com`). | - 5. **Enrichment**: The action updates the entity's additional properties in Google - SecOps and marks the entity as enriched. + | xdomeApiToken | playbook_name | Yes | The API token used for authenticating + requests to the Claroty xDome instance. | - ### Parameters Description + ### Additional Notes - | Parameter | Type | Mandatory | Description | + - The action specifically targets `ADDRESS` (IP) and `MacAddress` entity types. - | :--- | :--- | :--- | :--- | + - It uses regex to distinguish between IPv4, IPv6, and MAC addresses to apply + the correct search filter in the Claroty API. - | xdomeHost | String | True | The base URL for the Claroty xDome instance (e.g., - https://example.xdome.claroty.com). | + - If multiple devices are found for a single identifier, only the first result + is used for enrichment. - | xdomeApiToken | String | True | The API token used for authenticating requests - to the Claroty xDome API. | + ### Flow Description - ### Additional Notes + 1. **Validation**: The action iterates through the target entities and filters + for supported types (`ADDRESS` or `MacAddress`). It further validates the identifier + format using regex. + + 2. **Device Lookup**: For each valid entity, it performs a search in Claroty xDome + to find matching devices based on the IP or MAC address. - - The action supports both IPv4 and IPv6 addresses. + 3. **Vulnerability Retrieval**: If a device is found, the action retrieves a list + of associated vulnerabilities using the device's unique identifier (UID). - - MAC addresses are normalized to uppercase before querying the external system. + 4. **Data Processing**: It compiles a set of enrichment fields, including device + category, risk score, and a summary of the top 5 vulnerabilities. - - Only the first matching device found in xDome is used for enrichment if multiple - matches exist. + 5. **Entity Update**: The compiled data is added to the entity's `additional_properties` + (prefixed with `Claroty_`), and the entity is marked as enriched within Google + SecOps. capabilities: can_create_case_comments: false can_create_insight: false @@ -290,14 +310,14 @@ EnrichXDomeAssetInformation: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with asset details and vulnerability information + Updates entity additional properties with asset metadata and vulnerability information retrieved from Claroty xDome. categories: enrichment: true entity_usage: entity_types: - - ADDRESS - - MacAddress + - ADDRESS + - MacAddress filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -311,6 +331,7 @@ EnrichXDomeAssetInformation: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -321,65 +342,69 @@ EnrichXDomeAssetInformation: disable_identity: false download_file: false enable_identity: false - enrich_asset: true + enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: ai_description: >- ### General Description - The **Ping** action is a utility designed to verify the connectivity between Google - SecOps and the Claroty xDome platform. It ensures that the provided API host and - token are valid and that the network path is open. + Tests the connectivity to the Claroty xDome platform using the provided configuration + parameters. This action ensures that the Google SecOps environment can successfully + authenticate and communicate with the Claroty xDome API by attempting to retrieve + a single alert record. ### Parameters Description - | Parameter Name | Type | Mandatory | Description | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **xdomeHost** | String | Yes | The base URL or Host address of the Claroty xDome - instance. | + | xdomeHost | String | Yes | The base URL of the Claroty xDome instance (e.g., + https://api.xdome.claroty.com). | - | **xdomeApiToken** | String | Yes | The API token used for authentication with - the Claroty xDome API. | + | xdomeApiToken | String | Yes | The API token used for Bearer authentication. + | - | **Verify SSL** | Boolean | No | If enabled, the action will verify the SSL certificate - of the host. Defaults to false if not specified. | + | Verify SSL | Boolean | No | If enabled, the action will verify the SSL certificate + of the xDome host. Defaults to False if not specified. | ### Flow Description - 1. **Parameter Extraction**: The action retrieves the host URL, API token, and - SSL verification settings from the integration configuration. + 1. **Parameter Extraction**: The action retrieves the integration's configuration + parameters, including the host URL, API token, and SSL verification preference. + + 2. **API Request**: It constructs a POST request to the `/api/v1/alerts/` endpoint. + The request includes a JSON payload designed to fetch only one alert (`limit: + 1`) to minimize data transfer while verifying access. - 2. **Connectivity Test**: It performs a POST request to the `/api/v1/alerts/` - endpoint. The request includes a minimal payload (limit of 1) to test if the API - responds correctly to the provided credentials. + 3. **Validation**: The action checks the response status. If the request is successful + (HTTP 2xx), it confirms connectivity. - 3. **Validation**: If the API returns a successful status code, the action completes - with a success message. If an exception occurs (e.g., connection error, authentication - failure), it logs the error and reports a failure. + 4. **Error Handling**: If the request fails due to network issues, invalid credentials, + or server errors, the exception is caught, logged, and a failure status is returned. ### Additional Notes - This action does not process any entities and is strictly used for configuration - validation. There are no input parameters required at the action level; it relies - on the integration's configuration parameters. + This action does not have specific action-level parameters; it relies entirely + on the integration's global configuration settings. capabilities: can_create_case_comments: false can_create_insight: false @@ -393,7 +418,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -407,28 +432,3 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/partner/cyjax_threat_intelligence/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/cyjax_threat_intelligence/resources/ai/actions_ai_description.yaml index 0759ab831..d70f2adf9 100644 --- a/content/response_integrations/third_party/partner/cyjax_threat_intelligence/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/cyjax_threat_intelligence/resources/ai/actions_ai_description.yaml @@ -1,62 +1,81 @@ Domain monitor: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: true + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - The **Domain Monitor** action retrieves information from the Cyjax Domain Monitor - feature. This feature is designed to track specific brands against newly registered - global domains and Certificate Transparency Logs (CTL) to identify potential brand - impersonation or malicious domain registrations. The action allows users to search - for specific domain strings and filter results by a time range. + Retrieves information from the Cyjax Domain Monitor feature, which tracks brands + against newly registered global domains and Certificate Transparency Logs (CTL). + This action allows users to search for specific domain patterns or monitor registrations + within a specific timeframe. The results provide visibility into potentially malicious + or brand-infringing domains. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Query** | String | No | A query string used to search for a specific domain - or a partial domain match. | + | Query | String | No | A query string to search for a domain or part of it. | - | **Since** | String | No | The start date and time for the search in ISO8601 - format (e.g., `2026-02-09T15:01:39Z`). | + | Since | String | No | The start date time in ISO8601 format (e.g., 2026-02-09T15:01:39Z). + | - | **Until** | String | No | The end date and time for the search in ISO8601 format - (e.g., `2026-02-09T15:01:39Z`). | + | Until | String | No | The end date time in ISO8601 format (e.g., 2026-02-09T15:01:39Z). + | ### Additional Notes - - The action performs automatic pagination and can retrieve up to a maximum of - 1000 records from the Cyjax API. + - The action retrieves a maximum of 1000 records due to API pagination limits. - - If the `Since` date is configured to be later than the `Until` date, the action - will fail with a validation error. + - If no results are found, the action completes successfully with an informative + message. - - Results are presented both as a data table for quick review and as a raw JSON - object for downstream playbook processing. + - Dates must be provided in the YYYY-MM-DDTHH:MM:SSZ format. ### Flow Description - 1. **Parameter Extraction:** The action retrieves the API token and SSL verification - settings from the integration configuration, followed by the `Query`, `Since`, - and `Until` action parameters. + 1. **Parameter Extraction:** Retrieves the `Query`, `Since`, and `Until` parameters + from the action configuration. - 2. **Validation:** It validates that the provided dates are in the correct ISO8601 - format and ensures the start date is not after the end date. + 2. **Validation:** Validates that the provided dates are in the correct ISO8601 + format and that the `Since` date is not after the `Until` date. - 3. **API Interaction:** The action initializes the Cyjax API client and calls - the Domain Monitor endpoint. It handles pagination automatically to fetch all - available results up to the 1000-record limit. + 3. **API Request:** Initializes the Cyjax API client and performs a paginated + search against the Domain Monitor endpoint. - 4. **Data Processing:** Retrieved records are parsed into a structured data model. - If results are found, they are formatted into a CSV-style list for the data table. + 4. **Data Processing:** Parses the raw API response into structured domain monitor + results, limiting the output to the first 1000 records. - 5. **Output Generation:** The action populates a data table named "Domain Monitor - Results" in the Google SecOps case wall and attaches the full result set as a - JSON object. It then concludes with a status message indicating the number of - records found. + 5. **Output Generation:** Populates a data table named "Domain Monitor Results" + and attaches the full JSON response to the action results. capabilities: can_create_case_comments: false can_create_insight: false @@ -67,12 +86,12 @@ Domain monitor: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action creates a data table named "Domain Monitor Results" within the Google - SecOps case to display the retrieved domain monitoring records. + The action adds a data table named "Domain Monitor Results" to the case and + populates the JSON result with the retrieved domain information. categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -86,6 +105,7 @@ Domain monitor: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Enrich IOCs: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -97,67 +117,68 @@ Domain monitor: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: false + enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Enrich IOCs: ai_description: >- - Enriches Indicators of Compromise (IOCs) using Cyjax threat intelligence. This - action retrieves detailed contextual information for various indicator types, - including sightings from monitored sources, GeoIP data, and ASN details. It automatically - processes entities within the case, updates their properties with the retrieved - intelligence, and provides a summary table for quick analysis. + ### General Description + Enriches Indicators of Compromise (IOCs) using the Cyjax threat intelligence platform. + This action retrieves comprehensive contextual data for various indicator types, + including sightings from monitored sources, GeoIP location information, and Autonomous + System Number (ASN) details. It is designed to provide analysts with immediate + visibility into the prevalence and origin of a threat actor's infrastructure. - ### Parameters - | Parameter Name | Type | Mandatory | Description | + ### Parameters Description - | :--- | :--- | :--- | :--- | + This action does not require any manual input parameters. It automatically processes + all supported entities currently attached to the case. - | None | N/A | N/A | This action does not require manual parameters; it automatically - processes all supported entities attached to the case. | + ### Flow Description - ### Additional Notes + 1. **Entity Retrieval**: The action identifies all target entities associated + with the current Google SecOps case. - - Supported IOC types include: Domain, Email, Hostname, FileHash (MD5, SHA1, SHA256), - IPv4, IPv6, URL, and CVE. + 2. **API Interaction**: For each entity, the action performs a GET request to + the Cyjax API's enrichment endpoint using the entity's identifier. - - The action clears any existing Cyjax-prefixed enrichment data on the entity - before applying new results to ensure data freshness. + 3. **Data Cleaning**: Before applying new data, the action clears any existing + Cyjax-specific enrichment properties (prefixed with `Cyjax_`) from the entity + to ensure data freshness. + 4. **Entity Enrichment**: The action updates the entity's additional properties + with retrieved intelligence, including `Cyjax_Last_Seen`, `Cyjax_Sightings_Count`, + GeoIP details (Country, City), and ASN organization/number. - ### Flow Description + 5. **Internal State Update**: The action marks the entities as enriched and updates + them within the Google SecOps platform. - 1. **Entity Retrieval**: The action identifies all target entities associated - with the current case. + 6. **Reporting**: Finally, it generates a detailed CSV data table named "Enriched + IOCs" and attaches the raw JSON results to the case for further analysis. - 2. **API Interaction**: For each entity, the action queries the Cyjax API's enrichment - endpoint using the entity's identifier. - 3. **Data Cleaning**: Existing enrichment properties (prefixed with 'Cyjax_') - on the entity are reset to ensure no stale data remains. - - 4. **Enrichment**: The action parses the API response to extract GeoIP (city, - country), ASN (organization, number), and sighting information. - - 5. **Internal Update**: Entity attributes are updated with the new intelligence, - and the entity is marked as 'enriched'. + ### Additional Notes - 6. **Reporting**: A data table named 'Enriched IOCs' is added to the case, and - a JSON result containing the raw data is attached. + Supported IOC types include Domain, Email, Hostname, FileHash (MD5, SHA1, SHA256), + IPv4, IPv6, URL, and CVE. If an IOC is not found in the Cyjax database, the action + will report it as 'not found' in the output message without failing the entire + execution. capabilities: can_create_case_comments: false can_create_insight: false @@ -169,46 +190,46 @@ Enrich IOCs: fetches_data: true internal_data_mutation_explanation: >- Updates entity additional properties with Cyjax threat intelligence data and - adds a data table to the case. + sets the 'is_enriched' flag to true. categories: enrichment: true entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -222,6 +243,7 @@ Enrich IOCs: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +List Data Breaches: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -233,67 +255,64 @@ Enrich IOCs: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: true + enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: false + search_events: true send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -List Data Breaches: - ai_description: "### General Description\nThe **List Data Breaches** action retrieves\ - \ a list of email addresses and associated metadata that have been identified\ - \ in data breaches, using the Cyjax Threat Intelligence platform. It allows analysts\ - \ to search for specific email addresses or patterns and filter results by a specific\ - \ time range. The action provides visibility into leaked credentials, including\ - \ the source of the breach, the specific data classes exposed (e.g., passwords,\ - \ usernames), and the discovery date.\n\n### Parameters Description\n\n| Parameter\ - \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| **Query**\ - \ | string | No | A query string to search for a specific email address or a partial\ - \ string. If omitted, the action retrieves general breach data based on time filters.\ - \ |\n| **Since** | string | No | The start date and time for the search in ISO8601\ - \ format (e.g., `2026-02-09T15:01:39Z`). |\n| **Until** | string | No | The end\ - \ date and time for the search in ISO8601 format (e.g., `2026-02-09T15:01:39Z`).\ - \ |\n\n### Additional Notes\n- The action implements automatic pagination and\ - \ will retrieve up to a maximum of 1,000 records from the Cyjax API.\n- If the\ - \ `Since` date is configured to be later than the `Until` date, the action will\ - \ fail with a validation error.\n- Results are presented both as a formatted data\ - \ table for quick review and as a raw JSON object for downstream playbook processing.\n\ - \n### Flow Description\n1. **Parameter Extraction:** The action retrieves the\ - \ `Query`, `Since`, and `Until` parameters provided by the user.\n2. **Validation:**\ - \ It validates that the provided dates are in the correct ISO8601 format and ensures\ - \ the start date is not after the end date.\n3. **API Interaction:** The action\ - \ initializes the Cyjax API client and performs a GET request to the data leak\ - \ credentials endpoint.\n4. **Pagination:** It automatically iterates through\ - \ result pages until all matching records are found or the 1,000-record limit\ - \ is reached.\n5. **Data Processing:** The raw API response is parsed into structured\ - \ data models.\n6. **Output Generation:** \n - A data table named \"Data Breach\ - \ Results\" is added to the case, containing columns for ID, Email, Source, Breach\ - \ Name, Data Classes, and Discovery Date.\n - The full result set is attached\ - \ as a JSON object to the action's output." + ai_description: "Lists all email addresses and associated data breach records collected\ + \ by Cyjax. This action allows users to search for specific email addresses or\ + \ patterns within the Cyjax data leak database and filter results by a specific\ + \ time range. It retrieves detailed information about each breach, including the\ + \ breach name, source, discovery date, and the types of data classes (e.g., passwords,\ + \ usernames) that were compromised.\n\n### Flow Description\n1. **Parameter Extraction:**\ + \ The action retrieves the `Query`, `Since`, and `Until` parameters from the user\ + \ input.\n2. **Validation:** It validates that the provided dates are in the correct\ + \ ISO8601 format (`YYYY-MM-DDTHH:MM:SSZ`) and ensures the `Since` date is not\ + \ later than the `Until` date.\n3. **API Initialization:** Initializes the Cyjax\ + \ API manager using the configured API token.\n4. **Data Retrieval:** Executes\ + \ a paginated GET request to the Cyjax `/data-leak/credentials` endpoint. It automatically\ + \ handles pagination to fetch up to 1,000 records.\n5. **Output Generation:**\ + \ \n * Converts the raw API response into a structured data table named 'Data\ + \ Breach Results'.\n * Attaches the full raw data as a JSON result for further\ + \ processing in the playbook.\n * Provides a status message indicating the\ + \ number of records found and any pagination limits reached.\n\n### Parameters\ + \ Description\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- |\ + \ :--- | :--- |\n| Query | String | False | A search string used to find an email\ + \ address or a partial match within the breach database. |\n| Since | String |\ + \ False | The start date and time for the search in ISO8601 format (e.g., 2026-02-09T15:01:39Z).\ + \ |\n| Until | String | False | The end date and time for the search in ISO8601\ + \ format (e.g., 2026-02-09T15:01:39Z). |\n\n### Additional Notes\n* **Pagination\ + \ Limit:** The action is hardcoded to retrieve a maximum of 1,000 records to prevent\ + \ performance issues. If the limit is reached, a note is added to the output message.\n\ + * **Date Format:** Both `Since` and `Until` must strictly follow the `YYYY-MM-DDTHH:MM:SSZ`\ + \ format." capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: >- - The action adds a data table named 'Data Breach Results' to the Google SecOps - case to display the retrieved breach information. + internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -307,6 +326,7 @@ List Data Breaches: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -320,39 +340,42 @@ List Data Breaches: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: - ai_description: "### General Description\nThe **Ping** action is a diagnostic utility\ - \ designed to verify the connectivity between the Google SecOps SOAR platform\ - \ and the Cyjax Threat Intelligence instance. It ensures that the provided API\ - \ Token is valid, the network path is open, and the integration has the necessary\ - \ permissions to interact with the Cyjax API.\n\n### Parameters Description\n\ - There are no input parameters for this action. It relies solely on the global\ - \ integration configuration (API Token and Verify SSL settings).\n\n### Flow Description\n\ - 1. **Initialization**: The action initializes the Siemplify environment and retrieves\ - \ the global integration parameters, specifically the API Token and SSL verification\ - \ preference.\n2. **Manager Setup**: It instantiates the `APIManager` using the\ - \ retrieved credentials.\n3. **Connectivity Test**: The action calls the `ping()`\ - \ method, which executes an authenticated `GET` request to the Cyjax `/indicator-of-compromise`\ - \ endpoint with a result limit of 1 to minimize data transfer.\n4. **Result Handling**:\ - \ \n * If the request is successful (HTTP 200), the action returns a success\ - \ message and sets the result value to `True`.\n * If an exception occurs (e.g.,\ - \ 401 Unauthorized, 403 Forbidden, or network timeout), the action captures the\ - \ error, logs the details, and returns a failure status with the result value\ - \ set to `False`.\n\n### Additional Notes\nThis action is intended for health\ - \ checks and troubleshooting during the initial setup or when connectivity issues\ - \ are suspected. It does not process any case entities or modify any data." + ai_description: "### General Description\nThe **Ping** action is a diagnostic tool\ + \ used to verify the connectivity between the Google SecOps SOAR platform and\ + \ the Cyjax Threat Intelligence API. It ensures that the provided API Token is\ + \ valid and that the network configuration (including SSL verification settings)\ + \ allows for successful communication with the Cyjax service.\n\n### Parameters\ + \ Description\nThere are no parameters for this action.\n\n### Additional Notes\n\ + This action uses the integration's global configuration parameters (API Token\ + \ and Verify SSL) to perform the connectivity test. It does not process any entities\ + \ or modify any data within the SOAR or Cyjax platforms.\n\n### Flow Description\n\ + 1. **Initialization**: The action starts by initializing the Siemplify context\ + \ and logging the start of the process.\n2. **Configuration Retrieval**: It extracts\ + \ the `API Token` and `Verify SSL` settings from the integration's configuration.\n\ + 3. **API Manager Setup**: An instance of the `APIManager` is created using the\ + \ retrieved credentials.\n4. **Connectivity Test**: The action calls the `ping`\ + \ method in the manager, which executes a `GET` request to the `/indicator-of-compromise`\ + \ endpoint with a minimal result set (`per-page=1`) to verify the authentication\ + \ and endpoint availability.\n5. **Result Handling**: \n - If the request is\ + \ successful, it logs the success and returns a positive result value (`True`).\n\ + \ - If an exception occurs (e.g., 401 Unauthorized, connection timeout, or\ + \ 500 Server Error), it captures the error, logs the details, and returns a failed\ + \ status with a `False` result value." capabilities: can_create_case_comments: false can_create_insight: false @@ -361,12 +384,12 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: false + fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -380,28 +403,3 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/partner/cylusone/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/cylusone/resources/ai/actions_ai_description.yaml index a2319ae67..baddb850b 100644 --- a/content/response_integrations/third_party/partner/cylusone/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/cylusone/resources/ai/actions_ai_description.yaml @@ -1,11 +1,39 @@ EnrichAssetInformation: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: true + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description Enriches IP Address entities with detailed asset information retrieved from the - CylusOne platform. This action is designed to provide security analysts with contextual - metadata about network assets, such as MAC addresses, associated IPs, and custom - asset properties, directly within the Google SecOps case. + Cylus platform. This action is designed to provide security analysts with contextual + metadata about network assets, such as MAC addresses, operating system details, + and custom properties, by querying the Cylus API using the entity's IP address. ### Parameters Description @@ -15,34 +43,42 @@ EnrichAssetInformation: ### Additional Notes - - The action specifically targets entities of type **ADDRESS** (IP addresses). + - The action specifically targets entities of type `ADDRESS` (IP addresses). + + - It performs a validation check to ensure the IP address is in a valid IPv4 format + before making API calls. - - Enriched data is added to the entity's `additional_properties` with a `Cylus_` - prefix. + - Enrichment data is prefixed with `Cylus_` to avoid collisions with other data + sources. - - The action marks the entity as `is_enriched = True` upon successful data retrieval. + - List-based fields (like MACs or IPs) are truncated to a maximum of 5 items and + formatted as comma-separated strings. ### Flow Description - 1. **Initialization**: The action initializes the CylusOne API manager using the + 1. **Initialization**: The action initializes the Cylus API manager using the integration's base URL and API key. 2. **Entity Filtering**: It iterates through the target entities in the current - context, filtering for those of type `ADDRESS` and validating that they follow - a proper IPv4 format. + context, filtering for those of type `ADDRESS`. - 3. **Data Retrieval**: For each valid IP address, the action performs a GET request - to the CylusOne `/rest/v1/assets/by-ip` endpoint. + 3. **Validation**: For each valid entity, it verifies the IPv4 format of the identifier. - 4. **Data Processing**: If an asset is found, the action flattens the JSON response, - formatting list fields (like MACs) and custom properties into a key-value structure. + 4. **Data Retrieval**: It performs a GET request to the Cylus `/rest/v1/assets/by-ip` + endpoint using the IP address. - 5. **Internal Update**: The processed metadata is appended to the entity's additional - properties, and the entity is updated within the Google SecOps platform. + 5. **Data Processing**: If an asset is found, the action flattens the JSON response, + cleans property names (converting them to snake_case), and formats list values. - 6. **Finalization**: The action returns a summary message indicating which entities - were successfully enriched and which failed. + 6. **Internal Mutation**: The processed data is added to the entity's `additional_properties` + and the `is_enriched` flag is set to true. + + 7. **Update**: The action updates the entities within Google SecOps to persist + the enrichment data. + + 8. **Completion**: It returns a summary message indicating which entities were + successfully enriched and provides the raw data in the JSON result. capabilities: can_create_case_comments: false can_create_insight: false @@ -53,13 +89,13 @@ EnrichAssetInformation: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with asset information from Cylus and sets - the 'is_enriched' flag to true. + Updates the entity's additional properties with asset information from Cylus + and sets the 'is_enriched' flag to true. categories: enrichment: true entity_usage: entity_types: - - ADDRESS + - ADDRESS filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -73,6 +109,7 @@ EnrichAssetInformation: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -83,43 +120,43 @@ EnrichAssetInformation: disable_identity: false download_file: false enable_identity: false - enrich_asset: true + enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: - ai_description: "### General Description\nThe **Ping** action is a diagnostic tool\ + ai_description: "### General Description\nThe **Ping** action is a diagnostic utility\ \ designed to verify the connectivity between the Google SecOps platform and the\ - \ CylusOne instance. It ensures that the provided Base URL is reachable and that\ - \ the API Key is valid by performing a test API call. This action is typically\ - \ used during the initial setup or for troubleshooting communication issues.\n\ - \n### Parameters Description\nThere are no action-specific parameters for this\ - \ action. It relies entirely on the integration's global configuration parameters\ - \ (Base URL, API Key, and Verify SSL).\n\n### Flow Description\n1. **Parameter\ - \ Extraction:** The action retrieves the global integration settings, including\ - \ the Base URL, API Key, and SSL verification preference.\n2. **API Initialization:**\ - \ An API Manager instance is created using the retrieved credentials.\n3. **Connectivity\ - \ Test:** The action executes a `GET` request to a sample asset endpoint (`/rest/v1/assets/by-ip`)\ - \ using a dummy IP address.\n4. **Response Validation:** \n * If the API returns\ - \ a `200 OK` or `404 Not Found` (indicating the service is reachable even if the\ - \ dummy IP doesn't exist), the connection is considered successful.\n * If\ - \ the API returns `401` or `403`, it identifies authentication or permission errors.\n\ - \ * If a connection timeout or network error occurs, it captures the specific\ - \ failure reason.\n5. **Final Result:** The action reports a success or failure\ - \ status along with a descriptive message to the Siemplify interface.\n\n### Additional\ - \ Notes\nThis action does not process any entities and does not modify any data\ - \ within CylusOne or Google SecOps." + \ **CylusOne** instance. It validates that the integration's configuration parameters,\ + \ such as the Base URL and API Key, are correct and that the network path is open.\n\ + \n### Parameters Description\n| Parameter | Type | Mandatory | Description |\n\ + | :--- | :--- | :--- | :--- |\n| None | N/A | N/A | This action does not require\ + \ any input parameters as it uses the global integration configuration. |\n\n\ + ### Additional Notes\nThis action is strictly for connectivity testing and does\ + \ not interact with any entities in the current case or alert context.\n\n###\ + \ Flow Description\n1. **Parameter Extraction**: The action retrieves the `Base\ + \ URL`, `Cylus API Key`, and `Verify SSL` settings from the integration configuration.\n\ + 2. **API Client Initialization**: It initializes the `ApiManager` with the provided\ + \ credentials and connection settings.\n3. **Connectivity Verification**: The\ + \ action executes a `GET` request to the assets endpoint using a hardcoded test\ + \ IP address (`10.0.0.5`) to verify the API's responsiveness.\n4. **Status Reporting**:\ + \ \n * If the API returns a successful response (200 OK) or a valid 'Not Found'\ + \ (404), the action completes successfully.\n * If the API returns authentication\ + \ errors (401/403) or connection failures, the action reports a failure with the\ + \ specific error message." capabilities: can_create_case_comments: false can_create_insight: false @@ -128,12 +165,12 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -147,28 +184,3 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/partner/cylusone/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/cylusone/resources/ai/integration_ai_description.yaml index b88dc4ab4..fb8271382 100644 --- a/content/response_integrations/third_party/partner/cylusone/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/partner/cylusone/resources/ai/integration_ai_description.yaml @@ -6,7 +6,7 @@ product_categories: email_security: false iam_and_identity_management: false itsm: false - network_security: false + network_security: true siem: false threat_intelligence: false vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/cyware_intel_exchange/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/cyware_intel_exchange/resources/ai/actions_ai_description.yaml index 9aa0e4d17..67a47bcad 100644 --- a/content/response_integrations/third_party/partner/cyware_intel_exchange/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/cyware_intel_exchange/resources/ai/actions_ai_description.yaml @@ -1,58 +1,48 @@ Add IOCs to Allowed list: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: true + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - ### General Description - - Marks indicators (IOCs) as allowed (whitelisted) in Cyware Intel Exchange (CTIX). - This action is used to prevent specific indicators from being flagged as threats - or to manage false positives by adding them to the global allowed list within - the Cyware platform. It processes all entities present in the current case and - submits them in bulk to the external system. - - - ### Parameters Description - - | Parameter Name | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **IOC Type** | DDL | Yes | Specifies the STIX-compatible type of the indicator - (e.g., `ipv4-addr`, `domain-name`, `file`). This must match the type of the entities - being processed. | - - | **Reason** | String | Yes | Provides a justification or context for why these - indicators are being added to the allowed list. Default is 'Allow IOCs from Google - Secops'. | - - - ### Additional Notes - - - This action performs a state change in the external Cyware CTIX system. - - - If no entities are found in the case, the action will complete successfully - without making an API call. - - - The action returns a summary of the operation, including the count of newly - created entries, entries that already existed, and any invalid entries. - - - ### Flow Description - - 1. **Parameter Extraction:** The action retrieves the `IOC Type` and `Reason` - from the user input and the integration configuration (Base URL, Access ID, Secret - Key). - - 2. **Entity Collection:** It gathers the identifiers of all entities currently - associated with the SecOps case. - - 3. **API Interaction:** The action sends a POST request to the Cyware `allowed_indicators` - endpoint with the list of entity identifiers, the specified IOC type, and the - provided reason. - - 4. **Response Processing:** It parses the API response to determine the status - of each indicator (New, Already Exists, or Invalid). - - 5. **Result Reporting:** The action outputs a summary message to the case wall - and attaches the full JSON response as a script result. + ### General Description: Marks indicators (IOCs) as allowed in Cyware Intel Exchange + (CTIX). This action prevents these indicators from being flagged as threats in + future intelligence processing by adding them to the platform's whitelist. ### + Parameters Description: | Parameter | Type | Mandatory | Description | | :--- + | :--- | :--- | :--- | | IOC Type | DDL | Yes | The STIX-compatible type of the + indicator (e.g., ipv4-addr, domain-name, file). | | Reason | String | Yes | The + justification for allowlisting these indicators. | ### Flow Description: 1. Retrieve + integration configuration and action parameters (IOC Type and Reason). 2. Collect + all entity identifiers from the current SOAR context. 3. Initialize the Cyware + API Manager. 4. Send a POST request to the Cyware allowed_indicators endpoint + with the collected identifiers and parameters. 5. Parse the response to determine + how many indicators were newly created, already existed, or were invalid. 6. Output + the summary message and the full JSON response. ### Additional Notes: The action + processes all entities in the context using the single specified IOC Type. There + are no parameters that are conditionally mandatory. capabilities: can_create_case_comments: false can_create_insight: false @@ -61,50 +51,48 @@ Add IOCs to Allowed list: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Adds the provided entity identifiers to the allowed list (whitelist) configuration - in the Cyware Intel Exchange platform, which changes how those indicators are - treated in future threat intelligence lookups. - fetches_data: true + Adds indicators to the allowed list (whitelist) in the Cyware CTIX platform. + fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -118,9 +106,10 @@ Add IOCs to Allowed list: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Add Note to IOCs: action_product_categories: add_alert_comment: false - add_ioc_to_allowlist: true + add_ioc_to_allowlist: false add_ioc_to_blocklist: false contain_host: false create_ticket: false @@ -131,26 +120,29 @@ Add IOCs to Allowed list: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Add Note to IOCs: ai_description: >- ### General Description - Adds a note to an existing threat data object (indicator) in Cyware Intel Exchange. - This action allows analysts to append context, findings, or metadata to specific - IOCs directly from Google SecOps. It supports both plain text and JSON-formatted - notes. + Adds a note to an existing threat data object (IOC) in Cyware Intel Exchange. + This action allows analysts to append contextual information, analysis results, + or metadata to indicators stored in the CTIX platform. It supports both plain + text and JSON-formatted notes. The action automatically resolves SecOps entities + to their corresponding Cyware internal IDs before attaching the note. ### Parameters Description @@ -159,44 +151,46 @@ Add Note to IOCs: | :--- | :--- | :--- | :--- | - | Note Type | String | True | The type or category of the note (e.g., 'threatdata'). - | + | Note Type | String | Yes | The category or type of the note (e.g., 'threatdata'). + This helps organize notes within the Cyware platform. | - | Note | String | True | The actual content or description of the note to be added. + | Note | String | Yes | The actual content of the note to be added to the indicator. | - | Is the Note in Json format | Boolean | False | If set to true, the action validates - that the 'Note' parameter is a valid JSON string before sending it to Cyware. - Default is false. | + | Is the Note in Json format | Boolean | No | If set to true, the action validates + that the 'Note' parameter contains a valid JSON string before submission. Default + is false. | ### Flow Description - 1. **Parameter Initialization**: The action retrieves the integration configuration - (Base URL, Credentials) and the action parameters (Note, Note Type, JSON flag). + 1. **Initialization**: Retrieves integration configuration (API credentials) and + action parameters (Note, Note Type, JSON flag). - 2. **Entity Identification**: It identifies all target entities attached to the - case. + 2. **Entity Identification**: Collects all target entities from the current SecOps + context. - 3. **Bulk Lookup**: The action performs a bulk lookup against the Cyware Intel - Exchange API to map the entity identifiers (IOC values) to their corresponding - internal Cyware IDs. + 3. **Bulk Lookup**: Sends the entity identifiers to the Cyware CTIX bulk lookup + endpoint to retrieve the internal indicator IDs required for the note-adding API. - 4. **Validation**: It identifies which indicators exist in Cyware and which are - missing. Missing indicators are skipped. + 4. **Note Submission**: Iterates through the valid indicators found in Cyware + and sends a POST request to the `/ingestion/notes/` endpoint for each, attaching + the specified note content. - 5. **Note Creation**: For each valid indicator found, the action sends a POST - request to the Cyware API to create a new note record associated with that indicator's - ID. + 5. **Validation**: If the note is marked as JSON, the script parses and re-serializes + it to ensure it is valid JSON before the API call. - 6. **Result Aggregation**: The action collects the responses from the API, including - the new Note IDs, and returns a summary of successful and failed operations. + 6. **Reporting**: Aggregates the responses from Cyware, including the unique IDs + of the created notes, and outputs a summary of successes and failures. ### Additional Notes - If 'Is the Note in Json format' is enabled but the 'Note' content is not valid - JSON, the action will fail with a specific error message. + * **Entity Matching**: Only entities that already exist as indicators in Cyware + Intel Exchange will be processed; others are skipped. + + * **JSON Validation**: If 'Is the Note in Json format' is enabled but the input + is not valid JSON, the action will terminate with a failure status. capabilities: can_create_case_comments: false can_create_insight: false @@ -205,49 +199,49 @@ Add Note to IOCs: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new note record in the Cyware Intel Exchange platform associated with - the specific indicator. + Adds a new note record to an existing indicator object in the Cyware Intel Exchange + (CTIX) platform via a POST request to the /ingestion/notes/ endpoint. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -261,6 +255,7 @@ Add Note to IOCs: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Create Intel in Cyware Intel Exchange: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -274,86 +269,87 @@ Add Note to IOCs: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Create Intel in Cyware Intel Exchange: ai_description: >- - ### General Description + Creates a new intelligence record in Cyware Intel Exchange for each provided entity. + This action allows analysts to contribute threat intelligence to their Cyware + CTIX instance directly from a case, supporting various indicator types and metadata + such as TLP, confidence scores, and tags. - The **Create Intel in Cyware Intel Exchange** action allows users to create new - intelligence records (indicators) within the Cyware Intel Exchange (CTIX) platform - based on entities present in a Google SecOps case. It supports various indicator - types and allows for the inclusion of metadata such as TLP, confidence scores, - and tags. This action is primarily used to share or store threat intelligence - discovered during an investigation. + ### Flow Description - ### Parameters Description - - | Parameter | Type | Mandatory | Description | + 1. **Parameter Extraction:** The action retrieves configuration parameters (Base + URL, Credentials) and action parameters (Title, TLP, Confidence, Tags, Expiry, + Description, and IOC Type). - | :--- | :--- | :--- | :--- | + 2. **Input Validation:** It validates that the Title and Description do not exceed + character limits and ensures that numerical values like Confidence and Expiry + are within valid ranges. - | **Title** | String | Yes | The title for the intelligence record (max 100 characters). - Defaults to the Alert Name. | + 3. **Intel Submission:** For each target entity in the case, the action constructs + a payload and sends a POST request to the Cyware Quick Intel API to create a STIX-based + intelligence record. - | **IOC Type** | DDL | Yes | The STIX-compliant type of the indicator (e.g., `ipv4-addr`, - `domain-name`, `file`, `SHA-256`). | + 4. **Status Polling:** After submission, the action retrieves a Task ID and enters + a polling loop, checking the status of the intel creation process at regular intervals + until it reaches a success or failure state. - | **TLP** | DDL | No | The Traffic Light Protocol level (RED, CLEAR, AMBER, AMBER_STRICT, - NONE, GREEN). Defaults to `NONE`. | + 5. **Result Aggregation:** The action collects the API responses for all processed + entities and returns them as a JSON result, providing a summary of successful + and failed submissions. - | **Metadata Confidence Score** | String | No | A source confidence score between - 0 and 100. | - | **Tags** | String | No | Comma-separated list of tags to associate with the - intel. | + ### Parameters Description - | **Deprecates After** | String | No | Expiration time in days (1 to 1000). Defaults - to 180. | + | Parameter | Type | Mandatory | Description | - | **Description** | String | No | A detailed description for the intel (max 1000 - characters). | + | :--- | :--- | :--- | :--- | + | Title | string | True | The title for the intel record (max 100 characters). + Defaults to the Alert Name. | - ### Flow Description + | IOC Type | ddl | True | The STIX-compatible indicator type (e.g., ipv4-addr, + domain-name, file). | - 1. **Initialization**: The action retrieves integration parameters (Base URL, - Access ID, Secret Key) and the list of target entities from the current context. + | TLP | ddl | False | The Traffic Light Protocol level (RED, CLEAR, AMBER, AMBER_STRICT, + NONE, GREEN). | - 2. **Validation**: It validates the lengths of the Title and Description, and - ensures the Confidence Score and Deprecation period are within valid integer ranges. + | Metadata Confidence Score | string | False | A source confidence score between + 0 and 100. | - 3. **Intel Creation**: For each entity identifier, the action constructs a 'Quick - Intel' payload and sends a POST request to the Cyware API endpoint `/conversion/quick-intel/create-stix/`. + | Tags | string | False | Comma-separated list of tags to associate with the intel. + | - 4. **Status Polling**: After submission, the action enters a polling loop, checking - the status of the creation task using the returned Task ID via GET requests to - `/conversion/quick-intel/receive-report/` until it reaches a success or failure - state (or times out after 24 attempts). + | Deprecates After | string | False | Expiration time for the indicator in days + (max 1000). Defaults to 180. | - 5. **Result Reporting**: The action aggregates the results, including the creation - responses and final statuses, and outputs them as a JSON result for the analyst. + | Description | string | False | A detailed description for the intel record (max + 1000 characters). | ### Additional Notes - - This action processes all entities in the context regardless of their type; - the user must specify the correct `IOC Type` that applies to the entities being - submitted. + - This action processes all target entities attached to the case using the single + 'IOC Type' selected in the parameters. Ensure that the entities in the scope match + the selected type. - - If no entities are found in the context, the action completes with a message - indicating no processing occurred. + - The action includes a built-in polling mechanism that waits for Cyware to process + the 'Quick Intel' task before completing. capabilities: can_create_case_comments: false can_create_insight: false @@ -362,49 +358,49 @@ Create Intel in Cyware Intel Exchange: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates new intelligence records (indicators) in Cyware Intel Exchange via POST - requests. + Creates new intelligence records (indicators/reports) in the Cyware Intel Exchange + platform via POST requests. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -418,12 +414,13 @@ Create Intel in Cyware Intel Exchange: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Create Task for IOCs: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false contain_host: false - create_ticket: false + create_ticket: true delete_email: false disable_identity: false download_file: false @@ -431,86 +428,75 @@ Create Intel in Cyware Intel Exchange: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Create Task for IOCs: ai_description: >- - ### General Description + Creates tasks for IOC entities in Cyware Intel Exchange. This action facilitates + workflow management by allowing users to generate tasks with specific descriptions, + priorities, and deadlines associated with threat indicators. It supports assigning + tasks to specific users via email and handles bulk processing of entities. - This action creates tasks within the Cyware Intel Exchange platform for specific - Indicator of Compromise (IOC) entities present in a Google SecOps case. It allows - analysts to automate the assignment of investigative or remediation work related - to threat intelligence by linking tasks directly to indicators in the Cyware environment. + ### Flow Description - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | + 1. **Parameter Extraction:** Retrieves task details including text, priority, + status, deadline, and an optional assignee email. - | Text | String | Yes | The description or instructions for the task. Limited - to a maximum of 2000 characters. | + 2. **Deadline Calculation:** Validates the deadline (1-365 days) and calculates + the target epoch timestamp. - | Priority | DDL | Yes | The urgency level of the task. Options include: high, - medium, low. | + 3. **User Resolution:** If an assignee email is provided, the action fetches the + corresponding User ID from Cyware. - | Status | DDL | Yes | The initial state of the task. Options include: not_started, - in_progress, completed. | + 4. **IOC Lookup:** Performs a bulk lookup to map the identifiers of the target + entities to their internal Cyware indicator IDs. - | Deadline | String | Yes | The number of days from the current time until the - task is due. Must be an integer between 1 and 365. | + 5. **Task Creation:** Iterates through the valid indicators and sends a POST request + to Cyware to create a task for each, including the specified metadata. - | Assignee Email ID | String | No | The email address of the Cyware user to whom - the task should be assigned. If not provided, the task will be created as unassigned. - | + ### Parameters Description - ### Additional Notes - - - The action performs a bulk lookup to resolve entity identifiers to internal - Cyware object IDs before task creation. Tasks are only created for IOCs that already - exist in Cyware Intel Exchange. + | Parameter | Type | Mandatory | Description | - - If an `Assignee Email ID` is provided but the user cannot be found in Cyware, - the action will fail to ensure tasks are not assigned to non-existent users. + | :--- | :--- | :--- | :--- | - - The deadline is calculated as an epoch timestamp based on the number of days - provided from the moment of execution. + | Text | string | Yes | The description of the task to be performed. Limited to + 2000 characters. | + | Priority | ddl | Yes | The priority level of the task. Options: high, medium, + low. | - ### Flow Description + | Status | ddl | Yes | The initial status of the task. Options: not_started, in_progress, + completed. | - 1. **Parameter Extraction:** Retrieves the task description, priority, status, - deadline, and optional assignee email from the action configuration. + | Deadline | string | Yes | The deadline for the task in days from the current + time. Must be between 1 and 365. | - 2. **Entity Retrieval:** Collects all target entities from the current case context. + | Assignee Email ID | string | No | The email address of a valid Cyware user to + assign the task to. If not provided, the task remains unassigned. | - 3. **Validation:** Validates that the task text does not exceed character limits - and that the deadline is a valid integer within the allowed range (1-365 days). - 4. **User Resolution:** If an assignee email is provided, the action queries the - Cyware API to retrieve the corresponding internal User ID. - - 5. **IOC Lookup:** Executes a bulk lookup against Cyware Intel Exchange to map - the SecOps entity identifiers to internal Cyware indicator IDs. + ### Additional Notes - 6. **Task Creation:** Iterates through the valid indicators and sends a POST request - to Cyware to create a task for each, including the description, priority, status, - and calculated deadline. + - The action will fail if an 'Assignee Email ID' is provided but the user cannot + be found in Cyware Intel Exchange. - 7. **Result Reporting:** Returns a JSON result containing the details of the created - tasks and provides a summary message of successful and failed operations. + - Only entities that are successfully resolved to existing indicators in Cyware + will have tasks created for them; others will be skipped. capabilities: can_create_case_comments: false can_create_insight: false @@ -519,49 +505,49 @@ Create Task for IOCs: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates new task records in Cyware Intel Exchange associated with specific indicators - (IOCs). + Creates new task records in the Cyware Intel Exchange platform associated with + specific threat indicators. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -575,12 +561,13 @@ Create Task for IOCs: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Allowed IOCs: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false contain_host: false - create_ticket: true + create_ticket: false delete_email: false disable_identity: false download_file: false @@ -588,65 +575,69 @@ Create Task for IOCs: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Allowed IOCs: ai_description: >- - Retrieves a list of allowed (whitelisted) Indicators of Compromise (IOCs) from - the Cyware Intel Exchange (CTIX) platform. This action allows analysts to audit - or verify which indicators are currently bypassed by security logic based on their - type or creation time. + Retrieves a list of Indicators of Compromise (IOCs) that are marked as allowed + (whitelisted) within the Cyware Intel Exchange (CTIX) platform. This action allows + analysts to audit or verify the current allowlist based on specific criteria such + as indicator type or creation time. - ### Flow Description + ### Flow Description: - 1. **Parameter Extraction:** The action retrieves the `IOC Type` and `Created - From` filter parameters from the user input. + 1. **Parameter Extraction:** The action retrieves the 'IOC Type' and 'Created + From' parameters from the user input. - 2. **Validation:** It validates the `Created From` parameter to ensure it is a - valid non-negative integer representing an epoch timestamp. + 2. **Validation:** It validates the 'Created From' parameter to ensure it is a + valid epoch timestamp (integer). - 3. **API Query:** It connects to the Cyware CTIX API and performs a paginated - search for indicators marked as 'allowed'. + 3. **API Interaction:** It connects to the Cyware CTIX API and queries the allowed + indicators endpoint, automatically handling pagination to aggregate all matching + results. - 4. **Data Processing:** The raw API response is parsed into structured data models. + 4. **Data Processing:** The raw API response is parsed into internal data models. If results are found, it prepares a summary for a data table. 5. **Output Generation:** It populates a data table named 'Allowed IOCs' in the - Google SecOps case (limited to the first 10 records for visibility) and attaches - the full JSON result for further automated processing. + Google SecOps case (limited to the first 10 records for visibility) and provides + the full result set in JSON format. - ### Parameters Description + ### Parameters Description: + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **IOC Type** | DDL | No | Filters the results by a specific indicator type (e.g., - `domain-name`, `ipv4-addr`). Selecting 'All' retrieves all types. | + | IOC Type | DDL | No | Filters the retrieved indicators by a specific type (e.g., + 'domain-name', 'ipv4-addr'). Defaults to 'All'. | - | **Created From** | String | No | An epoch timestamp in seconds (e.g., `1767160932`). - If provided, the action only retrieves IOCs created after this time. | + | Created From | String | No | An epoch timestamp in seconds. If provided, the + action only retrieves indicators created after this time. | - ### Additional Notes + ### Additional Notes: - - This action does not run on specific entities within the case; it performs a - global search against the Cyware allowlist. + - This action does not require or process entities from the Google SecOps case; + it performs a global search within the Cyware platform. - - The data table displayed in the UI is capped at 10 records to prevent performance - issues, but the full list is available in the JSON result. + - The data table displayed in the UI is capped at 10 records to maintain performance, + but the full list is available in the JSON result. capabilities: can_create_case_comments: false can_create_insight: false @@ -657,12 +648,12 @@ Get Allowed IOCs: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action adds a data table named 'Allowed IOCs' to the Google SecOps case - to display the retrieved indicators. + Adds a data table named 'Allowed IOCs' to the Google SecOps case containing + the retrieved indicator details. categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -676,6 +667,7 @@ Get Allowed IOCs: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get IOC Details: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -687,46 +679,73 @@ Get Allowed IOCs: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: false + enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get IOC Details: - ai_description: "Retrieves comprehensive threat intelligence for IOCs from Cyware\ - \ Intel Exchange. This action performs a bulk lookup for indicators present in\ - \ the case, fetching details such as analyst scores, confidence levels, TLP, and\ - \ tags. It enriches the entities within Google SecOps by updating their additional\ - \ properties with the retrieved intelligence and provides a summary table for\ - \ quick analyst review.\n\n### Flow Description\n1. **Parameter Extraction:**\ - \ Retrieves the 'Enrichment Data', 'Relation Data', and 'Fields' parameters to\ - \ customize the API request.\n2. **Entity Identification:** Collects all target\ - \ entities from the current case context.\n3. **API Lookup:** Executes a bulk\ - \ lookup request to the Cyware Intel Exchange API for the identified IOC values.\n\ - 4. **Data Processing:** Parses the API response into structured data models, handling\ - \ pagination and record limits for display.\n5. **Case Enrichment:** \n * Adds\ - \ a detailed 'IOC Details' data table to the case wall.\n * Updates matching\ - \ entities with specific threat attributes (e.g., `Cyware_analyst_score`, `Cyware_tlp`).\n\ - \ * Sets the `is_enriched` flag to true for all successfully processed entities.\n\ - \n### Parameters Description\n| Parameter | Type | Mandatory | Description |\n\ - | :--- | :--- | :--- | :--- |\n| Enrichment Data | boolean | No | If set to true,\ - \ the action will request additional enrichment data from Cyware for each IOC.\ - \ Default is false. |\n| Relation Data | boolean | No | If set to true, the action\ - \ will include relationship data (e.g., associated campaigns or actors) in the\ - \ results. Default is false. |\n| Fields | string | No | A comma-separated list\ - \ of specific fields to retrieve (e.g., 'name,id,tlp'). If left empty, default\ - \ fields are returned. |\n\n### Additional Notes\n* The action limits the number\ - \ of records displayed in the data table to 10 to maintain performance and readability,\ - \ though all retrieved data is included in the JSON results." + ai_description: >- + Retrieves detailed threat intelligence for entities from Cyware Intel Exchange + (CTIX). This action performs a bulk lookup for indicators, fetching metadata such + as analyst scores, confidence scores, TLP levels, and whitelist status. It enriches + the entities within Google SecOps by updating their additional properties and + marking them as enriched, while also providing a summary table of the findings. + + + ### Flow Description + + 1. **Parameter Initialization**: Extracts action parameters including 'Enrichment + Data', 'Relation Data', and specific 'Fields' to retrieve. + + 2. **Entity Collection**: Gathers all target entities from the current context + to use their identifiers for the lookup. + + 3. **API Request**: Executes a bulk lookup request to the Cyware CTIX API using + the collected entity identifiers. + + 4. **Data Processing**: Parses the API response into structured data models, creating + a CSV-formatted data table for the case wall. + + 5. **Entity Enrichment**: Iterates through the results and updates the corresponding + SecOps entities with enrichment attributes (e.g., Cyware_analyst_score, Cyware_tlp) + and sets the 'is_enriched' flag to true. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Enrichment Data | boolean | No | If set to true, the action will request and + include extended enrichment metadata from CTIX in the results. | + + | Relation Data | boolean | No | If set to true, the action will retrieve information + about related threat objects. | + + | Fields | string | No | A comma-separated list of specific fields (e.g., 'name,id,tlp') + to include in the API response. If left empty, default fields are returned. | + + + ### Additional Notes + + - This action is primarily used for IOC enrichment and does not modify any data + within the Cyware platform. + + - The action processes all entity types attached to the case without specific + type filtering. capabilities: can_create_case_comments: false can_create_insight: false @@ -738,46 +757,46 @@ Get IOC Details: fetches_data: true internal_data_mutation_explanation: >- Updates entity additional properties with threat intelligence data (scores, - TLP, whitelist status) and sets the 'is_enriched' flag to true. + TLP, whitelist status) and marks them as enriched. categories: enrichment: true entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -791,6 +810,7 @@ Get IOC Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Manage Tags in IOCs: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -802,77 +822,76 @@ Get IOC Details: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: true + enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Manage Tags in IOCs: ai_description: >- - ### General Description + Manages tags for Indicators of Compromise (IOCs) within Cyware Intel Exchange. + This action allows users to either add or remove specific tags from entities identified + in a case. If the 'Add Tag' operation is selected and a specified tag does not + exist in Cyware, the action will automatically create the tag before associating + it with the IOC. The action performs a lookup to resolve entity identifiers to + their corresponding Cyware object IDs before applying the tag changes. - The **Manage Tags in IOCs** action allows analysts to programmatically add or - remove tags from Indicators of Compromise (IOCs) within the Cyware Intel Exchange - platform. This action is essential for maintaining organized threat intelligence - by labeling indicators based on campaigns, threat actors, or internal tracking - requirements. + ### Flow Description - ### Parameters Description + 1. **Parameter Initialization**: Retrieves integration configuration (Base URL, + credentials) and action parameters (Tags, Operation Type). - | Parameter | Type | Mandatory | Description | + 2. **Entity Retrieval**: Collects all target entities from the current case context. - | :--- | :--- | :--- | :--- | + 3. **Tag Resolution**: Fetches the list of all available tags from Cyware Intel + Exchange to map the provided tag names to their internal IDs. - | Tags | String | Yes | A comma-separated list of tag names to be applied or removed - (e.g., "malware-family", "apt-28"). | + 4. **IOC Lookup**: Resolves the identifiers of the target entities to their internal + Cyware object IDs. - | Operation Type | DDL | Yes | Determines the action to perform. Options are **Add - Tag** (associates tags with IOCs) or **Remove Tag** (disassociates tags from IOCs). - | + 5. **Tag Management (Add)**: If the operation is 'Add Tag', it identifies missing + tags, creates them in Cyware, and then performs a bulk update to add all valid + tag IDs to the identified IOCs. + 6. **Tag Management (Remove)**: If the operation is 'Remove Tag', it performs + a bulk update to remove the specified tag IDs from the identified IOCs. - ### Flow Description + 7. **Result Reporting**: Returns a JSON result containing the API response and + provides a summary message of the tags added or removed. - 1. **Parameter Extraction:** The action retrieves the list of tags and the desired - operation type from the user input. - 2. **Entity Identification:** It collects the identifiers of all target entities - currently attached to the case. + ### Parameters Description - 3. **Tag Resolution:** The action queries Cyware Intel Exchange to fetch all existing - tags and maps the provided tag names to their corresponding internal IDs. + | Parameter | Type | Mandatory | Description | - 4. **IOC Lookup:** It resolves the SOAR entity identifiers to specific IOC object - IDs within the Cyware platform. + | :--- | :--- | :--- | :--- | - 5. **Tag Management Logic:** - * **Add Tag:** If any specified tags do not exist in Cyware, the action - automatically creates them. It then performs a bulk operation to associate the - tag IDs with the identified IOCs. - * **Remove Tag:** The action performs a bulk operation to remove the association - between the specified tag IDs and the identified IOCs. - 6. **Result Reporting:** The action provides a summary of the number of tags successfully - managed and lists any invalid IOCs or tags that were skipped. + | Tags | String | Yes | A comma-separated list of tag names to be added or removed + (e.g., "test-1", "test-2"). | + + | Operation Type | DDL | Yes | Determines whether to 'Add Tag' or 'Remove Tag'. + If 'Add Tag' is chosen, missing tags will be created automatically. | ### Additional Notes - * **Automatic Tag Creation:** During the "Add Tag" operation, if a tag name provided - in the input does not exist in Cyware, the action will attempt to create it before - proceeding. + - This action requires the entities to already exist as indicators in Cyware Intel + Exchange to be successfully tagged. - * **Validation:** The action validates entities against the Cyware database; entities - not found in Cyware as IOCs will be reported as invalid and skipped. + - If an entity is not found in Cyware, it will be skipped, and the action will + report the invalid IOCs in the output message. capabilities: can_create_case_comments: false can_create_insight: false @@ -881,51 +900,50 @@ Manage Tags in IOCs: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - This action modifies the metadata of Indicators of Compromise (IOCs) in Cyware - Intel Exchange by adding or removing tags. Additionally, if the 'Add Tag' operation - is selected and a specified tag does not exist, the action creates the new tag - in the external system. + Adds or removes tags associated with indicators in Cyware Intel Exchange. Additionally, + if the 'Add Tag' operation is used with tag names that do not exist, the action + creates those new tags in the external system. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -939,6 +957,7 @@ Manage Tags in IOCs: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Mark IOCs False Positive: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -952,58 +971,64 @@ Manage Tags in IOCs: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Mark IOCs False Positive: ai_description: >- Marks multiple Indicator of Compromise (IOC) entities as false positives within - the Cyware Intel Exchange (CTIX) platform. This action is used to tune threat - intelligence by identifying indicators that are no longer considered threats or - were incorrectly flagged. + the Cyware Intel Exchange (CTIX) platform. This action facilitates the management + of threat intelligence by allowing analysts to bulk-update the status of indicators + that have been determined to be non-threatening. The process involves an initial + lookup to map entity identifiers to their internal Cyware IDs before applying + the false positive status. - ### Flow Description + ### Flow Description: - 1. **Entity Retrieval**: The action identifies all target entities associated - with the current Google SecOps case. + 1. **Entity Retrieval:** The action identifies all target entities associated + with the current case. - 2. **ID Resolution**: It performs a bulk lookup against Cyware Intel Exchange - to map the entity identifiers (e.g., IP addresses, domains, hashes) to their corresponding - internal Cyware Object IDs. + 2. **ID Resolution:** It performs a bulk lookup in Cyware CTIX to retrieve the + internal object IDs for the provided entity identifiers. - 3. **Validation**: The action filters out any entities that do not exist in the - Cyware platform, logging them as skipped. + 3. **Validation:** The action identifies which indicators exist in the CTIX platform; + any indicators not found are logged and skipped. - 4. **Status Update**: For all valid indicators found, it sends a bulk request - to the Cyware API to update their status to 'False Positive'. + 4. **Status Update:** A bulk request is sent to the Cyware API to mark the validated + indicator IDs as false positives. - 5. **Result Reporting**: The action returns the API response, including a success - message and the count of updated indicators. + 5. **Result Reporting:** The action returns the API response and provides a summary + message indicating the number of successfully updated indicators. - ### Parameters Description + ### Parameters Description: - There are no specific action parameters for this resource; it operates directly - on the entities present in the case scope. + | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Additional Notes + | N/A | N/A | N/A | This action does not require any input parameters. | + + + ### Additional Notes: - * This action requires valid Cyware API credentials (Access ID and Secret Key) - configured in the integration settings. + - Indicators that do not exist in the Cyware Intel Exchange environment will be + skipped during the execution. - * Only entities that already exist in the Cyware Intel Exchange database can be - marked as false positives. + - This action does not modify internal Google SecOps entity attributes or create + insights; it focuses solely on updating the state in the external Cyware platform. capabilities: can_create_case_comments: false can_create_insight: false @@ -1012,49 +1037,50 @@ Mark IOCs False Positive: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the status of indicators in the Cyware Intel Exchange platform to 'False - Positive'. + Updates the 'is_false_positive' status of indicators in the Cyware Intel Exchange + (CTIX) platform via a bulk POST request to the /ingestion/threat-data/bulk-action/false_positive/ + endpoint. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1068,9 +1094,10 @@ Mark IOCs False Positive: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false - add_ioc_to_allowlist: true + add_ioc_to_allowlist: false add_ioc_to_blocklist: false contain_host: false create_ticket: false @@ -1081,43 +1108,45 @@ Mark IOCs False Positive: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: - ai_description: "### General Description\nThe **Ping** action is a diagnostic utility\ - \ designed to verify the connectivity between Google SecOps and the Cyware Intel\ - \ Exchange (CTIX) instance. It ensures that the provided configuration parameters\u2014\ - such as the Base URL, Access ID, and Secret Key\u2014are correct and that the\ - \ network path is open.\n\n### Parameters Description\nThis action does not require\ - \ any input parameters. It relies solely on the integration's global configuration\ - \ settings.\n\n| Parameter Name | Type | Mandatory | Description |\n| :--- | :---\ - \ | :--- | :--- |\n| N/A | N/A | N/A | No parameters are used for this action.\ - \ |\n\n### Flow Description\n1. **Initialization**: The action initializes the\ - \ Siemplify SDK and retrieves the global integration parameters (Base URL, Access\ - \ ID, Secret Key, and SSL verification settings).\n2. **API Client Setup**: An\ - \ instance of the `APIManager` is created using the retrieved credentials.\n3.\ - \ **Connectivity Test**: The action calls the `test_connectivity` method, which\ - \ executes a `GET` request to the `/ping/` endpoint of the Cyware API.\n4. **Response\ - \ Handling**: \n * If the API returns a successful response (HTTP 200), the\ - \ action logs the success and returns a result value of `True`.\n * If the\ - \ request fails due to authentication errors, network issues, or server errors,\ - \ an exception is caught, the error is logged, and the action returns a result\ - \ value of `False` with a failure status.\n5. **Finalization**: The action terminates,\ - \ providing an output message indicating whether the connection was successful\ - \ or detailing the reason for failure.\n\n### Additional Notes\n* This action\ - \ is typically used during the initial setup of the integration or for troubleshooting\ - \ communication issues.\n* It does not interact with any entities or modify\ - \ any data within Cyware or Google SecOps." + ai_description: "### General Description\nThe **Ping** action is a diagnostic tool\ + \ used to verify the connectivity between the Google SecOps environment and the\ + \ Cyware Intel Exchange (CTIX) instance. It ensures that the integration's configuration\ + \ parameters\u2014such as the Base URL, Access ID, and Secret Key\u2014are valid\ + \ and that the network path to the Cyware server is open.\n\n### Parameters Description\n\ + There are no action-specific parameters for this action. It relies entirely on\ + \ the global integration configuration settings:\n* **Base URL**: The root URL\ + \ of the Cyware CTIX tenant.\n* **Access ID**: The API Access ID used for authentication.\n\ + * **Secret Key**: The API Secret Key used for signing requests.\n* **Verify\ + \ SSL**: A boolean flag to determine if SSL certificates should be validated.\n\ + \n### Additional Notes\n* This action does not process any entities or modify\ + \ any data within Google SecOps or Cyware.\n* It is primarily used during the\ + \ initial setup of the integration or for troubleshooting communication issues.\n\ + \n### Flow Description\n1. **Parameter Initialization**: The action retrieves\ + \ the global integration configuration (Base URL, Access ID, Secret Key, and SSL\ + \ verification setting).\n2. **API Manager Setup**: An instance of the `APIManager`\ + \ is initialized using the retrieved credentials.\n3. **Connectivity Test**:\ + \ The action calls the `test_connectivity` method, which performs an authenticated\ + \ HTTP GET request to the `/ping/` endpoint of the Cyware API.\n4. **Result Handling**:\ + \ \n * If the server responds successfully (HTTP 200), the action returns\ + \ a success message and sets the result value to `True`.\n * If the request\ + \ fails (e.g., due to invalid credentials, timeout, or network errors), an exception\ + \ is caught, an error message is logged, and the action execution state is set\ + \ to `Failed`." capabilities: can_create_case_comments: false can_create_insight: false @@ -1126,12 +1155,12 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1145,6 +1174,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Remove IOCs from Allowed list: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1158,61 +1188,61 @@ Ping: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false - remove_ioc_from_allowlist: false + get_alert_information: false + remove_ioc_from_allowlist: true remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Remove IOCs from Allowed list: ai_description: >- - Removes indicators (IOCs) from the allowed list (un-whitelists them) in Cyware - Intel Exchange. This action is used to revert the 'allowed' status of specific - entities, ensuring they are no longer excluded from security monitoring or correlation - logic within the Cyware platform. + ### General Description + Removes Indicators of Compromise (IOCs) from the Cyware Intel Exchange allowed + list (un-whitelisting). This action identifies the internal Cyware IDs for the + provided entities and performs a bulk un-whitelist operation to restore standard + monitoring for these indicators. - ### Flow Description: - 1. **Parameter Initialization:** Retrieves integration credentials (Base URL, - Access ID, Secret Key) and identifies all target entities associated with the - current context. + ### Parameters Description - 2. **Indicator Lookup:** Performs a bulk lookup against Cyware Intel Exchange - to map the provided entity identifiers to their corresponding internal Cyware - Indicator IDs. + | Parameter | Type | Mandatory | Description | - 3. **Validation:** Filters the list to identify which indicators exist in the - external system; entities not found in Cyware are logged and skipped. + | :--- | :--- | :--- | :--- | - 4. **Removal Process:** Executes a bulk API request to the Cyware 'un_whitelist' - endpoint using the gathered Indicator IDs. + | None | N/A | N/A | No parameters are required for this action. | - 5. **Result Reporting:** Returns the API response, including success messages - and counts of removed indicators, to the Google SecOps platform. + ### Additional Notes - ### Parameters Description: + - This action performs a bulk operation on all target entities. - | Parameter Name | Type | Mandatory | Description | + - Only indicators that already exist in Cyware Intel Exchange can be removed from + the allowed list. - | :--- | :--- | :--- | :--- | + - Indicators not found in Cyware will be skipped without failing the action. - | None | N/A | N/A | This action does not require any action-specific parameters; - it operates directly on the entities present in the case scope. | + ### Flow Description - ### Additional Notes: + 1. **Initialization**: Retrieve integration settings and target entities. + + 2. **ID Resolution**: Perform a bulk lookup in Cyware to find internal IDs for + the entities. + + 3. **Filtering**: Identify valid indicators and skip those not found in the system. + + 4. **Execution**: Send a POST request to the Cyware bulk un-whitelist endpoint. - * This action requires the indicators to already exist in Cyware Intel Exchange - to be successfully removed from the allowlist. If an indicator is not found during - the lookup phase, it will be ignored. + 5. **Completion**: Return the API response and set the action status. capabilities: can_create_case_comments: false can_create_insight: false @@ -1221,49 +1251,49 @@ Remove IOCs from Allowed list: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Removes indicators from the allowed list (un-whitelists) in Cyware Intel Exchange - via a POST request to the bulk-action/un_whitelist endpoint. + Removes specified indicators from the allowed list (un-whitelists them) in Cyware + Intel Exchange. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1277,28 +1307,3 @@ Remove IOCs from Allowed list: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: true - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/partner/darktrace/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/darktrace/resources/ai/actions_ai_description.yaml index 2f73c3e0d..2ab907570 100644 --- a/content/response_integrations/third_party/partner/darktrace/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/darktrace/resources/ai/actions_ai_description.yaml @@ -1,44 +1,65 @@ Add Comment To Model Breach: + action_product_categories: + add_alert_comment: true + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- Adds a comment to a specific model breach in Darktrace. This action allows analysts - to append notes, documentation, or context to an existing Darktrace alert (model - breach) directly from Google SecOps. It requires the unique identifier of the - model breach and the text of the comment to be submitted. - - - ### Flow Description + to document findings, provide context, or update the status of a breach directly + within the Darktrace platform from Google SecOps. It requires the unique identifier + of the model breach and the text of the comment to be added. - 1. **Parameter Extraction:** The action retrieves the 'Model Breach ID' and the - 'Comment' text from the user input. - 2. **Manager Initialization:** It initializes the Darktrace Manager using the - provided API credentials (API Root, Token, Private Token) and SSL settings. + ### Parameters - 3. **API Interaction:** The action sends a POST request to the Darktrace API endpoint - `/modelbreaches/{model_breach_id}/comments` with the comment message in the payload. + | Parameter | Type | Mandatory | Description | - 4. **Result Handling:** It captures the response from Darktrace. If the breach - ID is not found, it returns a failure; otherwise, it completes the execution and - logs the result. + | :--- | :--- | :--- | :--- | + | Model Breach ID | string | True | Specify the ID of the model breach to which + you want to add a comment. | - ### Parameters Description + | Comment | string | True | Specify the comment text for the model breach. | - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - | Model Breach ID | string | True | The unique identifier of the model breach - in Darktrace that you want to comment on. | + ### Flow Description - | Comment | string | True | The actual text content of the comment to be added - to the breach record. | + 1. **Parameter Extraction**: The action retrieves the API configuration (Root, + Token, Private Token) and the action parameters (Model Breach ID and Comment). + 2. **Manager Initialization**: Initializes the Darktrace Manager to handle authentication + and API communication. - ### Additional Notes + 3. **API Interaction**: Executes a POST request to the Darktrace `/modelbreaches/{model_breach_id}/comments` + endpoint with the provided comment text. - - This action performs a state change in the external Darktrace system by adding - data to its records. + 4. **Result Handling**: Captures the API response and adds it to the action's + JSON results. If the breach ID is not found, it reports a failure with a specific + error message. capabilities: can_create_case_comments: false can_create_insight: false @@ -47,14 +68,14 @@ Add Comment To Model Breach: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Adds a new comment record to a specific model breach within the Darktrace platform + Adds a comment to a specific model breach record within the Darktrace platform via a POST request. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -68,8 +89,9 @@ Add Comment To Model Breach: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Enrich Entities: action_product_categories: - add_alert_comment: true + add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false contain_host: false @@ -78,71 +100,48 @@ Add Comment To Model Breach: disable_identity: false download_file: false enable_identity: false - enrich_asset: false - enrich_ioc: false + enrich_asset: true + enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false - update_alert: true + update_alert: false update_email: false update_identity: false update_ticket: false -Enrich Entities: - ai_description: >- - Enriches IP Address, Hostname, MacAddress, and URL entities using network visibility - and threat intelligence data from Darktrace. This action identifies devices and - endpoints within the Darktrace environment to provide contextual metadata such - as OS versions, device labels, and location information. - - - ### Parameters - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Fetch Connection Data | Boolean | No | If enabled, the action retrieves additional - information about network connections related to internal endpoints. | - - | Max Hours Backwards | String | No | Specifies the lookback window (in hours) - for fetching connection data. Defaults to 24 hours. | - - | Create Endpoint Insight | Boolean | No | If enabled, the action generates a - detailed insight on the entity containing Darktrace endpoint information. | - - - ### Additional Notes - - - For URL entities, the action automatically extracts the domain or network path - to perform the lookup. - - - If 'Max Hours Backwards' is set to a value less than 1, the default value of - 24 will be used. - - - ### Flow Description - - 1. **Filter Entities:** The action identifies supported entities (IP, Hostname, - MAC, URL) from the current context. - - 2. **Query Darktrace:** For each entity, it queries the Darktrace API to find - matching device records or endpoint details. - - 3. **Fetch Connections (Optional):** If 'Fetch Connection Data' is enabled, it - retrieves historical connection logs for the identified device based on the specified - timeframe. - - 4. **Enrichment:** The action populates the entity's additional properties with - metadata (e.g., OS, Vendor, ASN, Location) and marks the entity as enriched. - - 5. **Internal Updates:** It creates data tables for connection and device interaction - data and, if configured, generates an entity insight for the analyst. + ai_description: "Enriches IP Address, Hostname, MacAddress, and URL entities using\ + \ information from Darktrace. This action retrieves detailed device metadata,\ + \ endpoint information, and optionally historical connection data to provide context\ + \ for security investigations.\n\n### Flow Description\n1. **Parameter Initialization:**\ + \ Extracts API configuration and action parameters, including connection data\ + \ fetching preferences and insight creation settings.\n2. **Entity Filtering:**\ + \ Identifies supported entities (IP, Hostname, MAC, and URL) from the target list.\n\ + 3. **Data Retrieval:** \n * For **IP/MAC** entities: Queries Darktrace for\ + \ specific device details.\n * For **Hostname** entities: Searches for the\ + \ device and retrieves details via MAC or IP.\n * For **URL** entities: Extracts\ + \ the domain and fetches endpoint details.\n4. **Connection Enrichment:** If enabled,\ + \ retrieves historical connection data for the identified internal endpoints based\ + \ on the specified lookback period.\n5. **SOAR Update:** Updates entity enrichment\ + \ fields, populates data tables (Interacted Devices, Connection Data), and creates\ + \ entity insights if configured.\n\n### Parameters Description\n| Parameter |\ + \ Type | Mandatory | Description |\n| --- | --- | --- | --- |\n| Fetch Connection\ + \ Data | Boolean | No | If enabled, the action retrieves additional information\ + \ about connections related to internal endpoints. Default is true. |\n| Max Hours\ + \ Backwards | String | No | Specifies the number of hours to look back when fetching\ + \ connection data. Default is 24. |\n| Create Endpoint Insight | Boolean | No\ + \ | If enabled, creates a SOAR insight containing summary information about the\ + \ Darktrace internal endpoint. Default is true. |\n\n### Additional Notes\n* For\ + \ URL entities, the action automatically extracts the domain part for querying.\n\ + * If 'Max Hours Backwards' is set to less than 1, it defaults to 24 hours." capabilities: can_create_case_comments: false can_create_insight: true @@ -153,16 +152,16 @@ Enrich Entities: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action updates entity enrichment attributes (additional_properties), sets - the 'is_enriched' flag, adds data tables to the case, and creates entity insights. + Updates entity enrichment attributes and creates entity insights within the + SOAR case. categories: enrichment: true entity_usage: entity_types: - - ADDRESS - - HOSTNAME - - MacAddress - - DestinationURL + - ADDRESS + - HOSTNAME + - MacAddress + - DestinationURL filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -176,6 +175,7 @@ Enrich Entities: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Execute Custom Search: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -186,90 +186,81 @@ Enrich Entities: disable_identity: false download_file: false enable_identity: false - enrich_asset: true - enrich_ioc: true + enrich_asset: false + enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: false + search_events: true send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Execute Custom Search: ai_description: >- - ### General Description - - - The **Execute Custom Search** action allows users to perform advanced, ad-hoc - queries against the Darktrace platform. It is designed to retrieve specific telemetry, - event data, or security hits based on a user-defined query string and a specified - time range. This action is particularly useful for threat hunting or gathering - additional context during an investigation that isn't covered by standard enrichment - actions. - + Executes a custom search query in Darktrace to retrieve specific event or telemetry + data. This action allows analysts to perform advanced hunting or data retrieval + by providing a raw Darktrace query and defining a specific time window. The results + are returned as a JSON object containing the hits found in the Darktrace environment. - ### Parameters Description - - - | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + ### Flow Description - | **Query** | String | Yes | Specify the query that needs to be executed. | + 1. **Parameter Extraction**: The action retrieves the API configuration and user-provided + parameters, including the search query, timeframe, and result limit. - | **Time Frame** | DDL | No | Specify a time frame for the results. Options include - predefined ranges (e.g., 'Last Hour', 'Last Week') or 'Custom'. Defaults to 'Last - Hour'. | + 2. **Timeframe Calculation**: It determines the start and end timestamps for the + search. This can be based on predefined relative ranges (e.g., 'Last Hour'), times + relative to the current alert (e.g., '5 Minutes Around Alert Time'), or a specific + custom ISO 8601 range. - | **Start Time** | String | No | Specify the start time for the results in ISO - 8601 format. This parameter is mandatory if 'Custom' is selected for the 'Time - Frame' parameter. | + 3. **Request Preparation**: The search query and timeframe parameters are bundled + into a JSON payload, which is then Base64 encoded to meet the requirements of + the Darktrace Advanced Search API. - | **End Time** | String | No | Specify the end time for the results in ISO 8601 - format. If nothing is provided and 'Custom' is selected, the current time is used. - | + 4. **API Execution**: A GET request is sent to the Darktrace `advanced_search` + endpoint using the encoded query. - | **Max Results To Return** | String | No | Specify how many results to return. - Default is 50. | + 5. **Result Processing**: The action parses the API response, converts the hits + into a structured format, and attaches them to the action results in Google SecOps. - ### Additional Notes + ### Parameters Description + | Parameter | Type | Mandatory | Description | - * If **Time Frame** is set to 'Custom', the **Start Time** must be provided; - otherwise, the action will fail. + | :--- | :--- | :--- | :--- | - * The action can use the alert's start and end times when relative time frames - like '30 Minutes Around Alert Time' are selected, allowing for context-aware searching. + | Query | string | Yes | The specific Darktrace query string to be executed. | + | Time Frame | ddl | No | Predefined time ranges for the search. Options include + 'Last Hour', 'Last 24 Hours', 'Alert Time Till Now', '30 Minutes Around Alert + Time', etc. Defaults to 'Last Hour'. | - ### Flow Description + | Start Time | string | No | The start time for the search in ISO 8601 format. + Mandatory only if 'Time Frame' is set to 'Custom'. | + | End Time | string | No | The end time for the search in ISO 8601 format. If + 'Custom' is selected and this is empty, the current time is used. | - 1. **Parameter Extraction:** The action retrieves the API configuration (API - Root, Tokens) and the user-provided search parameters. + | Max Results To Return | string | No | Limits the number of search results returned. + Defaults to 50. | - 2. **Time Range Calculation:** It determines the precise start and end timestamps - based on the **Time Frame** selection. It handles relative ranges (like 'Last - Hour') and alert-relative ranges (like 'Alert Time Till Now') using the alert's - metadata. - 3. **Query Encoding:** The search query, timeframe, and limit are formatted into - a JSON object and then Base64 encoded to construct the URL for the Darktrace Advanced - Search API. + ### Additional Notes - 4. **API Execution:** A GET request is sent to the Darktrace endpoint using the - encoded query string. + - If 'Custom' is selected for the 'Time Frame', the 'Start Time' parameter must + be provided, otherwise the action will fail. - 5. **Result Processing:** The action parses the JSON response from Darktrace, - extracts the 'hits', and adds them to the action's result JSON for use in the - SOAR platform. + - The action uses the alert's internal start and end times when relative alert-based + timeframes are selected. capabilities: can_create_case_comments: false can_create_insight: false @@ -281,9 +272,9 @@ Execute Custom Search: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: true + enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -297,6 +288,7 @@ Execute Custom Search: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +List Endpoint Events: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -310,69 +302,94 @@ Execute Custom Search: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: true send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -List Endpoint Events: - ai_description: "### General Description\nLists the latest security and network\ - \ events associated with specific endpoints in Darktrace. This action enables\ - \ analysts to retrieve detailed logs for various event categories\u2014including\ - \ connections, unusual activities, and model breaches\u2014across a specified\ - \ time range. By supporting IP Address, Hostname, and MacAddress entities, it\ - \ provides a comprehensive view of endpoint activity, outputting data in both\ - \ structured tables and JSON for analysis.\n\n### Parameters Description\n| Parameter\ - \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Event Type\ - \ | String | Yes | A comma-separated list of event types to retrieve. Possible\ - \ values: connection, unusualconnection, newconnection, notice, devicehistory,\ - \ modelbreach. |\n| Time Frame | DDL | Yes | The time window for the search. Options\ - \ include Last Hour, Last 6 Hours, Last 24 Hours, Last Week, Last Month, or Custom.\ - \ |\n| Start Time | String | No | The start time for the search in ISO 8601 format.\ - \ Mandatory if \"Time Frame\" is set to \"Custom\". |\n| End Time | String | No\ - \ | The end time for the search in ISO 8601 format. If omitted with \"Custom\"\ - \ time frame, the current time is used. |\n| Max Events To Return | String | No\ - \ | The maximum number of events to return per event type. Defaults to 50. |\n\ - \n### Additional Notes\n* Events are returned in the UTC timezone.\n* If \"Custom\"\ - \ is selected for \"Time Frame\", \"Start Time\" must be provided.\n* The action\ - \ supports IP, Hostname, and MacAddress entities.\n* The action validates that\ - \ \"Max Events To Return\" is a positive number.\n\n### Flow Description\n1. **Parameter\ - \ Initialization:** Extract configuration (API Root, Tokens) and action parameters\ - \ (Event Types, Time Frame, etc.).\n2. **Validation:** Verify that the provided\ - \ event types are valid and the limit is a non-negative integer.\n3. **Time Range\ - \ Calculation:** Calculate the start and end timestamps based on the selected\ - \ \"Time Frame\". If \"Custom\" is used, parse the \"Start Time\" and \"End Time\"\ - .\n4. **Entity Filtering:** Identify target entities that are of type IP Address,\ - \ Hostname, or MacAddress.\n5. **Device Resolution:** For each entity, query Darktrace\ - \ to find the internal device ID (`did`).\n6. **Event Retrieval:** For each resolved\ - \ device and each requested event type, fetch the events from Darktrace within\ - \ the calculated time range, up to the specified limit.\n7. **Output Generation:**\ - \ Create data tables for each entity's events and compile a final JSON result\ - \ containing all retrieved data." + ai_description: >- + Retrieves historical event logs for specific endpoint entities (IP, Hostname, + or MacAddress) from Darktrace. This action allows analysts to query various event + types such as connections, unusual connections, and model breaches within a defined + timeframe. The retrieved data is presented as formatted data tables on the case + wall and as a raw JSON result for further automation. + + + ### Flow Description + + 1. **Parameter Validation:** The action validates the provided event types and + ensures the 'Max Events To Return' is a positive integer. It also calculates the + start and end timestamps based on the 'Time Frame' selection. + + 2. **Device Identification:** For each supported entity, the action queries Darktrace + to find the corresponding internal Device ID (`did`). + + 3. **Event Retrieval:** If a device is found, the action iterates through the + requested event types and fetches the latest events for that specific device within + the timeframe. + + 4. **Data Presentation:** Successfully retrieved events are converted into CSV-formatted + data tables and attached to the case. A comprehensive JSON object containing all + events is also returned. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Event Type | String | Yes | A comma-separated list of event types to retrieve + (e.g., connection, unusualconnection, notice, devicehistory, modelbreach). | + + | Time Frame | DDL | Yes | The time range for the search (e.g., Last Hour, Last + 24 Hours). If 'Custom' is selected, 'Start Time' must be provided. | + + | Start Time | String | No | The start time for the search in ISO 8601 format. + Mandatory only if 'Time Frame' is set to 'Custom'. | + + | End Time | String | No | The end time for the search in ISO 8601 format. Defaults + to the current time if left empty. | + + | Max Events To Return | String | No | The maximum number of events to return + per event type. Defaults to 50. | + + + ### Additional Notes + + - Events are returned in the UTC timezone. + + - If 'Custom' is selected for 'Time Frame', the 'Start Time' parameter becomes + effectively mandatory for the action to succeed. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: false + can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: null + internal_data_mutation_explanation: >- + The action adds data tables to the SOAR case wall containing the retrieved endpoint + events. categories: - enrichment: true + enrichment: false entity_usage: entity_types: - - ADDRESS - - HOSTNAME - - MacAddress + - ADDRESS + - HOSTNAME + - MacAddress filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -386,6 +403,7 @@ List Endpoint Events: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +List Similar Devices: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -399,68 +417,42 @@ List Endpoint Events: enrich_asset: true enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: true search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -List Similar Devices: - ai_description: >- - ### General Description - - This action identifies and lists devices in Darktrace that are similar to a provided - endpoint entity (IP Address, Hostname, or MAC Address). It is primarily used for - asset enrichment and identifying potentially related or similar-behaving devices - within the network environment. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Max Devices To Return | String | No | Specifies the maximum number of similar - devices to retrieve for each entity. The value must be a positive integer. Default - is 50. | - - - ### Additional Notes - - * The action requires a valid connection to the Darktrace API. - - * The 'Max Devices To Return' parameter must be greater than 0; otherwise, the - action will fail. - - * The action first resolves the entity to a Darktrace internal device ID (DID) - before querying for similar devices. - - - ### Flow Description - - 1. **Parameter Extraction:** The action retrieves the API configuration and the - 'Max Devices To Return' parameter. - - 2. **Connectivity Test:** It verifies the connection to the Darktrace instance. - - 3. **Entity Resolution:** For each supported entity (IP, Hostname, or MAC Address), - the action queries Darktrace to find the corresponding device and its unique identifier - (DID). - - 4. **Similarity Query:** If a device is found, the action calls the Darktrace - API to retrieve a list of similar devices based on the resolved DID and the specified - limit. - - 5. **Data Output:** The action populates an entity-level data table with the similar - devices' details (IP, MAC, OS, Hostname, Type, etc.) and attaches the raw JSON - results to the action output. + ai_description: "Retrieves a list of devices from Darktrace that exhibit similar\ + \ behavioral patterns to the target entities (IP Address, Hostname, or MAC Address).\ + \ This action helps analysts identify related assets or potential lateral movement\ + \ by leveraging Darktrace's similarity analysis. \n\n### Flow Description\n1.\ + \ **Initialization**: Validates configuration parameters (API Root, Tokens) and\ + \ establishes a connection to the Darktrace API.\n2. **Entity Filtering**: Identifies\ + \ supported entities within the case, specifically IP Addresses, Hostnames, and\ + \ MAC Addresses.\n3. **Device Identification**: For each supported entity, the\ + \ action queries Darktrace to find the corresponding internal Device ID (DID).\n\ + 4. **Similarity Query**: Uses the retrieved DID to fetch a list of similar devices,\ + \ respecting the 'Max Devices To Return' limit.\n5. **Data Enrichment**: Populates\ + \ an entity-level data table with details of the similar devices, including their\ + \ IP, MAC, OS, Hostname, and seen timestamps.\n6. **Finalization**: Aggregates\ + \ the results into a JSON object and provides a summary message of successful\ + \ and failed entity processing.\n\n### Parameters Description\n| Parameter | Type\ + \ | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Max Devices To\ + \ Return | Integer | No | Specifies the maximum number of similar devices to retrieve\ + \ for each entity. Default is 50. The value must be greater than 0. |\n\n### Additional\ + \ Notes\n- The action will fail if 'Max Devices To Return' is set to 0 or a negative\ + \ number.\n- If a device cannot be found in Darktrace for a given entity identifier,\ + \ that entity will be marked as failed." capabilities: can_create_case_comments: false can_create_insight: false @@ -471,15 +463,15 @@ List Similar Devices: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action adds a data table to the entity within the Google SecOps case, containing - details of similar devices found in Darktrace. + Adds a data table to each processed entity containing details of similar devices + found in Darktrace. categories: enrichment: false entity_usage: entity_types: - - ADDRESS - - HOSTNAME - - MacAddress + - ADDRESS + - HOSTNAME + - MacAddress filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -493,6 +485,7 @@ List Similar Devices: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -503,38 +496,48 @@ List Similar Devices: disable_identity: false download_file: false enable_identity: false - enrich_asset: true + enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: ai_description: >- - ### General Description + Tests the connectivity between Google SecOps and the Darktrace server using the + provided integration configuration parameters. This action is primarily used to + verify that the API Root, API Token, and API Private Token are correct and that + the network path to the Darktrace instance is open. - The **Ping** action is a diagnostic utility used to verify the connectivity between - Google SecOps and the Darktrace server. It validates the integration's configuration - by attempting to authenticate and communicate with the Darktrace API status endpoint. - This action is essential for ensuring that the API Root, API Token, and API Private - Token are correctly configured and that the network environment allows communication - with the Darktrace instance. + ### Flow Description: - ### Parameters Description + 1. **Parameter Extraction:** Retrieves the integration's global configuration + parameters, including the API Root, API Token, API Private Token, and SSL verification + settings. + + 2. **Manager Initialization:** Initializes the Darktrace API manager with the + extracted credentials and settings. - This action does not have any action-specific parameters. It utilizes the global - configuration parameters defined at the integration level: + 3. **Connectivity Test:** Executes a GET request to the Darktrace `/status` endpoint + to verify the validity of the credentials and the reachability of the server. + 4. **Result Reporting:** Returns a success message if the server responds correctly, + or an error message detailing the failure if the connection cannot be established. + + + ### Parameters Description: | Parameter Name | Type | Mandatory | Description | @@ -542,40 +545,21 @@ Ping: | API Root | String | Yes | The base URL of the Darktrace API instance. | - | API Token | String | Yes | The public API token used for authentication. | + | API Token | String | Yes | The public API token for authentication. | - | API Private Token | String | Yes | The private API token used for HMAC signature - generation. | + | API Private Token | String | Yes | The private API token used for generating + request signatures. | | Verify SSL | Boolean | No | If enabled, the action will verify the SSL certificate - of the Darktrace server. | - - - ### Flow Description - - 1. **Initialization:** The action initializes the Siemplify context and extracts - the global integration configuration parameters (API Root, Tokens, and SSL settings). - - 2. **Manager Setup:** It instantiates the `DarktraceManager` which handles the - logic for request signing and API communication. + of the Darktrace server. Defaults to True. | - 3. **Connectivity Test:** The action calls the `test_connectivity` method, which - sends a signed GET request to the `/status` endpoint of the Darktrace API. - 4. **Response Validation:** The manager validates the HTTP response. If the request - is successful (HTTP 200) and contains no application-level errors, the action - returns a success status. + ### Additional Notes: - 5. **Completion:** The action reports the connection status back to the SOAR platform, - providing an error message if the connection fails. + * This action does not require any input entities and does not modify any data + within Darktrace or Google SecOps. - - ### Additional Notes - - - This action does not process any entities. - - - As a 'Ping' action, it is excluded from being categorized as an enrichment action - regardless of its data-fetching behavior. + * It is intended for troubleshooting and initial setup verification. capabilities: can_create_case_comments: false can_create_insight: false @@ -589,7 +573,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -603,6 +587,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Update Model Breach Status: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -616,67 +601,61 @@ Ping: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false - update_alert: false + update_alert: true update_email: false update_identity: false update_ticket: false -Update Model Breach Status: ai_description: >- - ### General Description - - Updates the acknowledgment status of a specific model breach within the Darktrace - platform. This action allows analysts to programmatically mark breaches as either - 'Acknowledged' or 'Unacknowledged' directly from Google SecOps, facilitating incident - lifecycle management. + Updates the status of a specific model breach in Darktrace to either 'Acknowledged' + or 'Unacknowledged'. This action allows analysts to manage the lifecycle of Darktrace + detections directly from the SOAR platform. - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | + ### Flow Description - | Status | DDL | Yes | The target status for the model breach. Options are 'Acknowledged' - (marks the breach as reviewed) or 'Unacknowledged' (reverts the breach to an unreviewed - state). | + 1. **Fetch Current Status**: The action first retrieves the current state of the + specified model breach from Darktrace to verify its existence and current acknowledgment + status. - | Model Breach ID | String | Yes | The unique identifier (pbid) of the Darktrace - model breach to be updated. | + 2. **Status Comparison**: It compares the requested status with the current status. + If the breach is already in the desired state, the action completes successfully + without making further API calls. + 3. **Update Execution**: If a change is required, the action sends a POST request + to the Darktrace API to either acknowledge or unacknowledge the breach based on + the input parameter. - ### Flow Description - 1. **Parameter Extraction**: Retrieves the API configuration (Root, Tokens) and - the specific `Model Breach ID` and target `Status` from the action input. + ### Parameters Description - 2. **Status Verification**: Queries the Darktrace API to fetch the current state - of the specified model breach to ensure it exists and to check its current acknowledgment - status. + | Parameter | Type | Mandatory | Description | - 3. **Redundancy Check**: Compares the current status with the requested status. - If the breach is already in the desired state, the action completes with an 'Already - Applied' message to avoid redundant API calls. + | :--- | :--- | :--- | :--- | - 4. **Status Update**: If the statuses differ, the action sends a POST request - to the appropriate Darktrace endpoint (`/acknowledge` or `/unacknowledge`) to - update the breach status. + | Status | DDL | Yes | The target status to set for the model breach. Options + are 'Acknowledged' or 'Unacknowledged'. | - 5. **Completion**: Reports the success or failure of the update operation to the - Google SecOps case. + | Model Breach ID | String | Yes | The unique identifier of the model breach in + Darktrace that needs to be updated. | ### Additional Notes - - This action does not process entities from the case; it operates strictly on - the `Model Breach ID` provided as a parameter. + - This action performs a state change in the external Darktrace system. + + - If the provided Model Breach ID is not found in Darktrace, the action will fail + with a 'Not Found' error. capabilities: can_create_case_comments: false can_create_insight: false @@ -685,14 +664,14 @@ Update Model Breach Status: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the acknowledgment status of a model breach in Darktrace via POST requests - to the /acknowledge or /unacknowledge endpoints. + Updates the acknowledgment status of a model breach in the Darktrace console + via POST requests to the /acknowledge or /unacknowledge endpoints. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -706,28 +685,3 @@ Update Model Breach Status: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/partner/darktrace/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/partner/darktrace/resources/ai/connectors_ai_description.yaml index 0676d9c5a..ddbb01a5e 100644 --- a/content/response_integrations/third_party/partner/darktrace/resources/ai/connectors_ai_description.yaml +++ b/content/response_integrations/third_party/partner/darktrace/resources/ai/connectors_ai_description.yaml @@ -1,129 +1,101 @@ Darktrace - AI Incident Events Connector: - ai_description: >- - ### General Description - - The Darktrace - AI Incident Events Connector integrates with the Darktrace AI - Analyst to fetch high-fidelity security incidents and ingest them into Google - SecOps as cases. This connector allows security teams to automate the monitoring - of AI-detected anomalies, ensuring that significant breaches identified by Darktrace's - autonomous analysis are prioritized for investigation. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | API Root | String | Yes | The API root URL of your Darktrace instance (e.g., - https://darktrace-instance.com). | - - | API Token | String | Yes | The public API token for authentication. | - - | API Private Token | Password | Yes | The private API token used for generating - request signatures. | - - | Verify SSL | Boolean | Yes | If enabled, verifies the SSL certificate of the - Darktrace server. | - - | Lowest AI Incident Score To Fetch | Integer | Yes | The minimum AI Analyst score - (0-100) required to fetch an incident. | - - | Max Hours Backwards | Integer | No | The number of hours to look back for incidents - during the first run or as a fallback. | - - | Max AI Incidents To Fetch | Integer | No | The maximum number of incidents to - process in a single connector iteration (Max: 100). | - - | Use dynamic list as a blocklist | Boolean | Yes | If enabled, the SOAR dynamic - list will act as a blocklist for incident titles; otherwise, it acts as a whitelist. - | - - | DeviceProductField | String | Yes | The source field name used to populate the - Product Name in the SOAR case. | - - | EventClassId | String | Yes | The source field name used to populate the Event - Field name. | - - | Environment Field Name | String | No | The field name used to determine the - environment for the ingested case. | - - | Environment Regex Pattern | String | No | A regex pattern to extract or manipulate - the environment value. | - - | PythonProcessTimeout | Integer | Yes | The timeout limit in seconds for the - connector execution. | - - - ### Flow Description - - 1. **Authentication**: The connector establishes a secure connection to the Darktrace - API using the provided API Token and Private Token, generating a HMAC-SHA1 signature - for each request. - - 2. **Time Window Calculation**: It determines the fetch window by checking the - last successful run timestamp stored in the system. If no timestamp exists, it - uses the 'Max Hours Backwards' parameter. - - 3. **Data Retrieval**: The connector queries the `/aianalyst/incidentevents` endpoint, - filtering for incidents that occurred within the time window and meet the 'Lowest - AI Incident Score To Fetch' threshold. - - 4. **Filtering**: Fetched incidents are filtered against a dynamic list (whitelist - or blocklist) based on their title to exclude irrelevant alerts. - - 5. **Data Transformation**: For each valid incident, the connector flattens nested - 'details' into individual events. It maps the incident metadata (score, summary, - timestamps) to the Google SecOps case format, assigning severity based on the - AI score. - - 6. **Case Ingestion**: The transformed incidents and their associated events are - ingested into Google SecOps as cases. - - 7. **Checkpointing**: The connector saves the ID of processed incidents and updates - the last run timestamp to ensure no duplicate ingestion in subsequent cycles. + ai_description: "### General Description\nThe Darktrace - AI Incident Events Connector\ + \ integrates Google SecOps with Darktrace's AI Analyst to ingest high-fidelity\ + \ security incidents. Unlike standard model breaches, AI Analyst incidents provide\ + \ a synthesized view of related events, offering a narrative summary of detected\ + \ threats. This connector allows security teams to automate the ingestion of these\ + \ machine-learning-driven insights, ensuring that complex attack patterns identified\ + \ by Darktrace are immediately available for orchestration and response.\n\n###\ + \ Parameters Description\n| Parameter | Type | Mandatory | Description |\n| :---\ + \ | :--- | :--- | :--- |\n| DeviceProductField | String | Yes | The source field\ + \ name used to retrieve the Product Field name (default: Product Name). |\n| EventClassId\ + \ | String | Yes | The source field name used to retrieve the Event Field name\ + \ (default: data_type). |\n| Environment Field Name | String | No | The field\ + \ name where the environment name is stored for multi-tenant support. |\n| Environment\ + \ Regex Pattern | String | No | A regex pattern to extract or manipulate the environment\ + \ value. |\n| PythonProcessTimeout | Integer | Yes | The timeout limit in seconds\ + \ for the connector execution. |\n| API Root | String | Yes | The API root URL\ + \ of the Darktrace instance (e.g., https://darktrace-instance.com). |\n| API Token\ + \ | String | Yes | The Darktrace API public token. |\n| API Private Token | Password\ + \ | Yes | The Darktrace API private token used for HMAC signature generation.\ + \ |\n| Verify SSL | Boolean | Yes | If enabled, verifies the SSL certificate of\ + \ the Darktrace server. |\n| Lowest AI Incident Score To Fetch | Integer | Yes\ + \ | The minimum AI Analyst score (0-100) required to ingest an incident. |\n|\ + \ Max Hours Backwards | Integer | No | The number of hours to look back for incidents\ + \ during the first run or fallback. |\n| Max AI Incidents To Fetch | Integer |\ + \ No | The maximum number of incidents to process per iteration (Max: 100). |\n\ + | Use dynamic list as a blocklist | Boolean | Yes | If enabled, the SOAR dynamic\ + \ list will act as a blocklist for incident titles. |\n| Proxy Server Address\ + \ | String | No | The address of the proxy server if required. |\n| Proxy Username\ + \ | String | No | The username for proxy authentication. |\n| Proxy Password |\ + \ Password | No | The password for proxy authentication. |\n\n### Flow Description\n\ + 1. **Authentication**: The connector establishes a connection to the Darktrace\ + \ API using a custom HMAC signature generated from the API Token, Private Token,\ + \ and current UTC timestamp.\n2. **Time Management**: It determines the fetch\ + \ window by checking the last successful execution timestamp. If no timestamp\ + \ exists, it uses the `Max Hours Backwards` parameter. It applies a 4-hour split\ + \ interval and a 1-hour padding to ensure data consistency.\n3. **Data Retrieval**:\ + \ The connector queries the `/aianalyst/incidentevents` endpoint, filtering by\ + \ the `Lowest AI Incident Score To Fetch` and the calculated time range.\n4. **Deduplication\ + \ and Filtering**: Fetched incidents are compared against a list of previously\ + \ processed IDs. It then applies a dynamic list filter (whitelist or blacklist)\ + \ against the incident title.\n5. **Data Transformation**: \n * The connector\ + \ flattens complex, nested JSON structures from the AI Analyst (including 'details'\ + \ and 'periods') into flat event dictionaries.\n * It maps the Darktrace\ + \ `aiaScore` to Google SecOps severity levels (e.g., 100 = Critical, 80 = High).\n\ + \ * It assigns the environment based on the configured regex or default settings.\n\ + 6. **Ingestion**: Transformed incidents are packaged as `AlertInfo` objects and\ + \ ingested into Google SecOps as cases.\n7. **State Persistence**: The connector\ + \ saves the IDs of processed incidents and updates the last success timestamp\ + \ to prevent duplicate ingestion in future cycles." Darktrace - Model Breaches Connector: - ai_description: "### General Description\nThe Darktrace - Model Breaches Connector\ - \ enables the ingestion of security alerts from the Darktrace platform into Google\ - \ SecOps. It specifically focuses on 'Model Breaches,' which represent anomalous\ - \ behaviors detected by Darktrace's AI. The connector not only pulls the high-level\ - \ breach information but also enriches each alert with detailed connection events\ - \ and metadata, providing analysts with the necessary context to investigate potential\ - \ threats detected within the network environment.\n\n### Parameters Description\n\ + ai_description: "### General Description\n\nThe Darktrace - Model Breaches Connector\ + \ integrates Google SecOps with the Darktrace platform to ingest \"Model Breaches\"\ + \ as cases. This connector monitors for anomalous network behaviors detected by\ + \ Darktrace's AI and retrieves detailed connection events associated with each\ + \ breach to provide comprehensive context for security investigations. It supports\ + \ advanced filtering by score, priority, and behavior category to ensure only\ + \ relevant security incidents are ingested.\n\n### Parameters Description\n\n\ | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ | API Root | String | Yes | The API root URL of the Darktrace instance (e.g.,\ - \ https://instance.darktrace.com). |\n| API Token | String | Yes | The public\ - \ API token for authentication. |\n| API Private Token | Password | Yes | The\ - \ private API token used for generating request signatures. |\n| Verify SSL |\ - \ Boolean | Yes | If enabled, verifies the SSL certificate of the Darktrace server.\ - \ |\n| DeviceProductField | String | Yes | The source field name used to populate\ - \ the 'Product Name' in Google SecOps. |\n| EventClassId | String | Yes | The\ - \ source field name used to populate the 'Event Field' name. |\n| Lowest Model\ - \ Breach Score To Fetch | Integer | No | The minimum score (0-100) required to\ - \ fetch a model breach. Default is 0. |\n| Lowest Priority To Fetch | Integer\ - \ | No | The minimum priority level (1-5) to fetch. 1-3: Informational, 4: Suspicious,\ - \ 5: Critical. |\n| Max Hours Backwards | Integer | No | The number of hours to\ - \ look back for alerts during the first run or as a fallback. |\n| Max Model Breaches\ - \ To Fetch | Integer | No | Maximum number of breaches to process per iteration\ - \ (Max: 1000). |\n| Use whitelist as a blacklist | Boolean | Yes | If enabled,\ - \ the provided whitelist will act as a exclusion list (blacklist). |\n| Behaviour\ - \ Visibility | String | No | Comma-separated list of categories to ingest (e.g.,\ - \ Critical, Suspicious, Compliance, Informational). |\n| Padding Time | Integer\ - \ | No | Optional hours of overlap to ensure no alerts are missed between cycles\ - \ (Max: 100). |\n| PythonProcessTimeout | Integer | Yes | The maximum execution\ - \ time for the connector script in seconds. |\n\n### Flow Description\n1. **Authentication**:\ - \ The connector establishes a secure connection to the Darktrace API using HMAC-SHA1\ - \ signatures generated from the API Token and Private Token.\n2. **Time Management**:\ - \ It calculates the fetch window based on the last successful execution timestamp,\ - \ applying 'Max Hours Backwards' for initial runs and 'Padding Time' to prevent\ - \ data gaps.\n3. **Alert Retrieval**: Queries the `/modelbreaches` endpoint to\ - \ retrieve breaches that meet the configured 'Lowest Model Breach Score' and 'Lowest\ - \ Priority' thresholds.\n4. **Filtering**: \n * **Deduplication**: Skips\ - \ alerts already processed in previous cycles using stored IDs.\n * **Whitelist/Blacklist**:\ - \ Filters alerts based on their name using the configured whitelist logic.\n \ - \ * **Behaviour Visibility**: Filters alerts based on their model category\ - \ (e.g., only ingesting 'Critical' or 'Suspicious' behaviors).\n5. **Enrichment**:\ - \ For every valid breach, the connector performs a secondary call to the `/details`\ - \ endpoint to fetch associated connection events and triggered components.\n6.\ - \ **Ingestion**: Maps the breach data and its enriched events into Google SecOps\ - \ AlertInfo objects and creates cases for investigation." + \ https://darktrace-instance.com). |\n| API Token | String | Yes | The public\ + \ API token for Darktrace authentication. |\n| API Private Token | Password |\ + \ Yes | The private API token used to generate cryptographic signatures for requests.\ + \ |\n| Verify SSL | Boolean | Yes | If enabled, verifies the SSL certificate of\ + \ the Darktrace server. |\n| DeviceProductField | String | Yes | The source field\ + \ name used to retrieve the Product Name (Default: Product Name). |\n| EventClassId\ + \ | String | Yes | The source field name used to retrieve the Event Field name\ + \ (Default: eventType). |\n| Lowest Model Breach Score To Fetch | Integer | No\ + \ | The minimum score (0-100) required for a model breach to be ingested. |\n\ + | Lowest Priority To Fetch | Integer | No | The minimum priority (1-5) required\ + \ for a model breach to be ingested (1-3: Informational, 4: Suspicious, 5: Critical).\ + \ |\n| Max Hours Backwards | Integer | No | The number of hours to look back for\ + \ breaches during the initial run or as a fallback. |\n| Max Model Breaches To\ + \ Fetch | Integer | No | Maximum number of breaches to process per iteration (Maximum:\ + \ 1000). |\n| Use whitelist as a blacklist | Boolean | Yes | If enabled, the configured\ + \ whitelist will function as a blacklist. |\n| Behaviour Visibility | String |\ + \ No | Comma-separated list of behavior categories to ingest (e.g., Critical,\ + \ Suspicious, Compliance, Informational). |\n| Padding Time | Integer | No | Amount\ + \ of hours used as a padding for the fetch window (Maximum: 100). |\n| Environment\ + \ Field Name | String | No | The field name where the environment name is stored\ + \ for multi-tenant setups. |\n| Environment Regex Pattern | String | No | A regex\ + \ pattern to extract or manipulate the environment name from the environment field.\ + \ |\n| PythonProcessTimeout | Integer | Yes | Timeout limit in seconds for the\ + \ connector execution. |\n\n### Flow Description\n\n1. **Authentication**: The\ + \ connector establishes a connection to the Darktrace API using the provided API\ + \ Root and Tokens, generating a HMAC-SHA1 signature for each request.\n2. **Time\ + \ Management**: It calculates the fetch window based on the last successful execution\ + \ timestamp, applying `Max Hours Backwards` for initial runs and adjusting with\ + \ `Padding Time` if configured.\n3. **Alert Retrieval**: The connector queries\ + \ the `/modelbreaches` endpoint to fetch recent breaches that meet the `Lowest\ + \ Model Breach Score` and `Lowest Priority` thresholds.\n4. **Filtering**: \n\ + \ * **Whitelist/Blacklist**: Filters breaches based on their name using the\ + \ provided list.\n * **Behavior Visibility**: Filters breaches based on their\ + \ category (e.g., Critical, Suspicious) as defined in the `Behaviour Visibility`\ + \ parameter.\n5. **Enrichment**: For each breach, the connector fetches granular\ + \ connection details and event data from the `/details` endpoint to populate the\ + \ case events.\n6. **Case Creation**: The connector maps the Darktrace breach\ + \ data and associated events into the Google SecOps AlertInfo format, applying\ + \ environment and product mapping logic.\n7. **Persistence**: Successfully processed\ + \ breach IDs and the latest timestamp are saved to prevent duplicate ingestion\ + \ in subsequent cycles." diff --git a/content/response_integrations/third_party/partner/domain_tools/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/domain_tools/resources/ai/actions_ai_description.yaml index 5d1f10f03..ca0da5e0b 100644 --- a/content/response_integrations/third_party/partner/domain_tools/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/domain_tools/resources/ai/actions_ai_description.yaml @@ -1,48 +1,58 @@ Get Domain Rdap: - ai_description: >- - ### General Description - - Enriches external domain entities with DomainTools threat intelligence data. This - action retrieves RDAP (Registration Data Access Protocol) information, including - registrar details, registration dates, and contact information, providing context - for domain-based investigations. - - - ### Parameters Description - - | Parameter | Default Value | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | :--- | - - | Domain | | string | false | The domain to get the parsed domain RDAP result. - If provided, the action runs on this domain instead of case entities. | - - - ### Additional Notes - - - This action requires a valid DomainTools license for the 'parsed-domain-rdap' - product. - - - Entities are updated with flattened RDAP data in their additional properties. - - - The action extracts the base domain from URLs and Hostnames. - - - ### Flow Description - - 1. **Configuration**: Retrieves API credentials and SSL settings. - - 2. **Targeting**: Checks if a specific domain is provided via the 'Domain' parameter. - If not, it identifies all URL, Hostname, and Domain entities in the case. - - 3. **Extraction**: Extracts the root domain from the identifiers. - - 4. **API Query**: Requests RDAP data for each domain from the DomainTools API. - - 5. **Parsing**: Processes the raw API response into a structured format. - - 6. **Enrichment**: Updates entity properties with the prefix 'DT', adds an entity-specific - table, and creates a global summary table for the case. + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "### General Description\nEnriches Domain, Hostname, and URL entities\ + \ with parsed RDAP (Registration Data Access Protocol) information from DomainTools.\ + \ This action retrieves detailed registration data, including registrar details,\ + \ contact information, creation/expiration dates, and nameservers. The retrieved\ + \ data is used to enrich the entity's additional properties and generate informative\ + \ data tables within the case.\n\n### Parameters Description\n| Parameter | Expected\ + \ Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Domain |\ + \ string | False | A specific domain to get the parsed RDAP result for. If provided,\ + \ the action will run only on this domain, ignoring other entities in the case\ + \ context. |\n\n### Flow Description\n1. **Initialization**: Extracts configuration\ + \ parameters (Username, API Token, Verify SSL) and the optional 'Domain' action\ + \ parameter.\n2. **Entity Identification**: If a specific 'Domain' parameter is\ + \ provided, it creates a temporary domain entity. Otherwise, it identifies all\ + \ supported entities (URL, Hostname, Domain) within the current case context.\n\ + 3. **Domain Extraction**: For each target entity, it extracts the base domain\ + \ name from the identifier (e.g., extracting from a URL or email).\n4. **Data\ + \ Retrieval**: Queries the DomainTools API using the `get_parsed_domain_rdap`\ + \ method to fetch registration data.\n5. **Internal Mutation**: \n * Flattens\ + \ the RDAP data and adds it to the entity's `additional_properties` with a 'DT'\ + \ prefix.\n * Generates an entity-specific table containing the RDAP details.\n\ + \ * Appends summary data to a global case data table named 'DomainTools Parsed\ + \ Domain RDAP'.\n6. **Completion**: Updates the enriched entities in Google SecOps\ + \ and returns the results as JSON.\n\n### Additional Notes\n* If the 'Domain'\ + \ parameter is used, the action logic bypasses the standard entity iteration and\ + \ focuses solely on the provided string.\n* The action handles cases where no\ + \ RDAP record is found by logging the status and providing a placeholder result." capabilities: can_create_case_comments: false can_create_insight: false @@ -53,15 +63,15 @@ Get Domain Rdap: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with RDAP information and adds data tables - to the case. + Updates entity additional properties with RDAP registration data and adds data + tables to the case results. categories: enrichment: true entity_usage: entity_types: - - HOSTNAME - - DestinationURL - - DOMAIN + - DOMAIN + - HOSTNAME + - DestinationURL filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -75,6 +85,7 @@ Get Domain Rdap: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get WhoIs History: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -88,27 +99,29 @@ Get Domain Rdap: enrich_asset: false enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get WhoIs History: ai_description: >- ### General Description - The **Get WhoIs History** action enriches Domain, Hostname, and URL entities with - historical Whois registration data retrieved from DomainTools. It provides a chronological - view of changes to a domain's registrar, registration dates, and registrant information, - which is vital for tracking ownership changes and identifying potentially malicious - infrastructure. + The **Get WhoIs History** action enriches domain-related entities (Domain, Hostname, + and URL) with historical Whois information retrieved from DomainTools. This action + provides visibility into past registration details, registrar changes, and ownership + history, which is essential for identifying domain aging, ownership shifts, or + infrastructure patterns used by adversaries. ### Parameters Description @@ -117,39 +130,46 @@ Get WhoIs History: | :--- | :--- | :--- | :--- | - | **Domain** | String | No | A specific domain to query. If provided, the action - will process this domain instead of the entities in the case. | + | Domain | String | No | A specific domain to query. If provided, the action will + focus solely on this value and ignore other entities in the case context. | - ### Flow Description + ### Additional Notes - 1. **Initialization**: Retrieves API credentials (Username and API Key) from the - integration configuration. + - The action supports **DOMAIN**, **HOSTNAME**, and **DestinationURL** entity + types. - 2. **Target Identification**: Determines the domains to process. It prioritizes - the manual `Domain` parameter; if empty, it identifies all `URL`, `HOSTNAME`, - and `DOMAIN` entities within the current SecOps case. + - If the `Domain` parameter is left empty, the action automatically processes + all supported entities within the current case context. - 3. **Data Retrieval**: For each identified domain, it queries the DomainTools - API to fetch its Whois history records. + - Enrichment results are added to the entity's additional properties (prefixed + with `DT`) and presented in both entity-specific tables and a consolidated case-wide + data table. - 4. **Entity Enrichment**: Flattens the retrieved Whois data and appends it to - the entity's `additional_properties` with a `DT` prefix. - 5. **Reporting**: - * Creates an **Entity Table** for each processed entity showing its specific - Whois history. - * Generates a global **Data Table** named "DomainTools Whois History" summarizing - the history for all enriched entities. - * Updates the entities in the SecOps platform to reflect the new metadata. + ### Flow Description - ### Additional Notes + 1. **Initialization**: Retrieves API credentials (Username and API Token) from + the integration configuration and initializes the DomainTools manager. - * If the `Domain` parameter is used, the action creates a temporary domain entity - for the scope of the execution. + 2. **Entity Identification**: Determines the target domains by either using the + provided `Domain` parameter or filtering the case's entities for supported types + (URL, Hostname, Domain). - * The action handles cases where no history is found by logging the status and - continuing to the next entity. + 3. **Data Retrieval**: For each identified domain, the action queries the DomainTools + API to fetch its Whois history records. + + 4. **Data Processing**: Parses the retrieved historical data, including registration + dates, registrar names, and registrant information. + + 5. **Internal Enrichment**: + - Updates the entity's **additional_properties** with flattened Whois data. + - Adds a detailed **entity table** containing the history for each specific + domain. + - Creates a global **data table** named "DomainTools Whois History" to summarize + all enriched entities in the case. + 6. **Completion**: Updates the entities in Google SecOps and returns a summary + message of the enrichment results. capabilities: can_create_case_comments: false can_create_insight: false @@ -160,15 +180,15 @@ Get WhoIs History: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with Whois history data and adds data tables - to the case. + Updates entity additional properties with historical Whois data and adds data + tables to the case for visualization. categories: enrichment: true entity_usage: entity_types: - - DOMAIN - - HOSTNAME - - DestinationURL + - DOMAIN + - HOSTNAME + - DestinationURL filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -182,6 +202,7 @@ Get WhoIs History: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Investigate Domain: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -195,68 +216,61 @@ Get WhoIs History: enrich_asset: false enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Investigate Domain: ai_description: >- ### General Description Enriches Domain, Hostname, and URL entities using DomainTools Iris Investigate. - This action provides deep visibility into domain ownership, registration history, - and risk profiles. It retrieves a wide array of data points including overall - risk scores, proximity risk, malware/phishing/spam scores, registrant information, - hosting details (IPs, MX servers, SSL certificates), and tracking codes (Google - Analytics, Adsense, etc.). + This action retrieves comprehensive threat intelligence, including overall risk + scores, proximity risk, threat profiles (malware, phishing, spam), registration + dates, and hosting details. It helps analysts quickly assess the reputation and + history of a domain by providing both summary tables and detailed entity attributes. ### Parameters Description - | Parameter | Type | Mandatory | Description | + | Parameter | Default Value | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + | :--- | :--- | :--- | :--- | :--- | - | Domain | String | No | A specific domain to investigate. If provided, the action - will process this domain instead of the entities present in the case. | + | Domain | "" | string | False | A specific domain to investigate. If provided, + the action will focus on this domain instead of the case entities. | ### Flow Description - 1. **Initialization**: Retrieves API credentials (Username and API Token) from - the integration configuration. - - 2. **Entity Identification**: Determines the domains to investigate. If the 'Domain' - parameter is provided, it takes precedence. Otherwise, it extracts domains from - all supported entities (URL, Hostname, Domain) in the current case. + 1. **Initialization**: Extract integration configuration parameters (Username, + API Token, SSL settings) and identify target entities (URL, Hostname, Domain). - 3. **API Interaction**: Sends the domains to the DomainTools Iris Investigate - endpoint. The action handles batching (up to 100 domains per call) to optimize - API usage. + 2. **Target Selection**: If the 'Domain' parameter is provided, it creates a temporary + domain entity for investigation. Otherwise, it extracts domains from all supported + entities in the case. - 4. **Data Parsing**: Processes the API response, extracting risk analytics, identity - details, registration dates, and hosting infrastructure. + 3. **API Interaction**: Queries the DomainTools Iris Investigate API for the identified + domains. The action supports batching up to 100 domains per call to optimize performance. - 5. **Enrichment**: Updates the SecOps entities with the retrieved data, adding - them as additional properties prefixed with 'DT'. + 4. **Data Parsing**: Processes the API response into structured data models, extracting + risk scores, identity information, registration dates, and hosting details. - 6. **Reporting**: Generates detailed CSV tables for each entity and a comprehensive - summary table for the entire case. - - - ### Additional Notes + 5. **Internal Updates**: Updates the entities in Google SecOps with the retrieved + intelligence data (prefixed with 'DT') and sets the 'is_enriched' flag to true. - - The action automatically extracts the root domain from URLs or email-like strings. - - - Entities are marked as 'enriched' upon successful data retrieval. + 6. **Output Generation**: Generates entity-specific tables and a comprehensive + summary data table for the case wall, along with JSON results for downstream automation. capabilities: can_create_case_comments: false can_create_insight: false @@ -267,15 +281,15 @@ Investigate Domain: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with enriched DomainTools data and marks - entities as enriched. + Updates entity additional properties with DomainTools intelligence data and + sets the 'is_enriched' flag to true. categories: enrichment: true entity_usage: entity_types: - - HOSTNAME - - DestinationURL - - DOMAIN + - DOMAIN + - HOSTNAME + - DestinationURL filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -289,6 +303,7 @@ Investigate Domain: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -300,60 +315,61 @@ Investigate Domain: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: true + enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: ai_description: >- ### General Description - The **Ping** action is designed to verify the connectivity between Google SecOps - and the DomainTools API. It ensures that the provided credentials (Username and - API Token) are valid and that the environment can successfully communicate with - the DomainTools service. + Tests the connectivity to the DomainTools API using the provided credentials (Username + and API Token). This action ensures that the integration is correctly configured + and that the Google SecOps environment can reach the DomainTools service. It verifies + the validity of the credentials by attempting to retrieve account and license + information from the external service. ### Parameters Description - | Parameter | Type | Mandatory | Description | + | Parameter Name | Description | Type | Mandatory | | :--- | :--- | :--- | :--- | - | N/A | N/A | N/A | This action does not have any input parameters. | + | N/A | This action does not have any input parameters. | N/A | N/A | ### Additional Notes - This action is typically used during the initial setup or troubleshooting of the - DomainTools integration to confirm that the API is reachable and the license is - active. It does not process any entities. + This action relies on the integration's global configuration (Username, API Token, + and Verify SSL) to establish a connection. It performs a call to the DomainTools + `account_information` endpoint during the initialization of the manager class. ### Flow Description - 1. **Configuration Retrieval**: The action retrieves the Username, API Token, - and SSL verification settings from the integration configuration. + 1. **Retrieve Configuration**: The action fetches the integration settings, including + the Username, API Token, and SSL verification preference. - 2. **Manager Initialization**: It initializes the `DomainToolsManager`, which - triggers an internal call to the DomainTools `account_information` endpoint to - verify the license. + 2. **Initialize Manager**: It instantiates the `DomainToolsManager`. During this + process, the manager automatically calls the DomainTools API's account information + endpoint to verify credentials and retrieve available product licenses. - 3. **Connectivity Check**: If the API call succeeds and the manager is successfully - instantiated, the action confirms the connection. - - 4. **Final Output**: The action ends with a message indicating whether the connection - was established or failed. + 3. **Verify Connection**: If the API responds successfully, the action concludes + with a 'Connection Established' message. If an exception is raised during the + API call or initialization, the connection is considered failed. capabilities: can_create_case_comments: false can_create_insight: false @@ -367,7 +383,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -381,28 +397,3 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/partner/doppel_vision/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/doppel_vision/resources/ai/actions_ai_description.yaml index 12a037033..fa9cb6f00 100644 --- a/content/response_integrations/third_party/partner/doppel_vision/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/doppel_vision/resources/ai/actions_ai_description.yaml @@ -1,42 +1,69 @@ Create Abuse Alert: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: true + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - Creates an abuse alert for a specific entity within the DoppelVision platform. - This action is used to report suspicious values, such as URLs, to the Doppel abuse - box for further investigation. It requires a specific entity value as input and - returns the details of the created alert. Note that the action will fail if the - provided entity is invalid or belongs to a protected domain list within Doppel's - system. - + ### General Description - ### Flow Description: + Creates an abuse alert for a specified entity within the Doppel system. This action + is primarily used to report suspicious entities, such as URLs, to the Doppel abuse + box for investigation. It will fail if the provided entity is invalid or belongs + to a protected list (e.g., well-known domains like google.com). - 1. **Parameter Extraction:** Retrieves the API credentials (API Key, User API - Key, Org Code) and the target entity from the action parameters. - 2. **Manager Initialization:** Initializes the DoppelManager to handle communication - with the Doppel API. + ### Parameters Description - 3. **API Request:** Executes a POST request to the `/alert/abuse` endpoint with - the provided entity. + | Parameter | Description | Type | Mandatory | Default Value | - 4. **Result Processing:** Captures the API response, stores it as JSON results, - and completes the action with a success or failure status. + | :--- | :--- | :--- | :--- | :--- | + | Entity | The specific entity (e.g., a URL) that should be reported to the Doppel + abuse box. | string | Yes | https://dummyabuseurl.com | - ### Parameters Description: - | Parameter | Type | Mandatory | Description | + ### Flow Description - | :--- | :--- | :--- | :--- | + 1. **Parameter Extraction**: The action retrieves the necessary API credentials + (API Key, User API Key, Organization Code) from the integration configuration + and the target entity from the action parameters. - | Entity | String | Yes | The specific value (e.g., a URL) to be reported and - alerted on in the Doppel abuse box. | + 2. **Manager Initialization**: Initializes the `DoppelManager` with the provided + credentials to facilitate communication with the Doppel API. + 3. **API Interaction**: Executes a POST request to the `/alert/abuse` endpoint + of the Doppel API, passing the entity identifier. - ### Additional Notes: + 4. **Result Processing**: If the API call is successful, the resulting alert data + is stored in the action's JSON results. If the call fails or the entity is protected/invalid, + an exception is raised and the action is marked as failed. - * This action does not process entities from the current SecOps context; it relies - solely on the 'Entity' parameter input. + 5. **Completion**: Logs the execution status and returns the final output message + to the Google SecOps platform. capabilities: can_create_case_comments: false can_create_insight: false @@ -45,14 +72,13 @@ Create Abuse Alert: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new abuse alert record in the DoppelVision platform via a POST request - to the /alert/abuse endpoint. + Creates a new abuse alert record in the Doppel external system via a POST request. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -66,6 +92,7 @@ Create Abuse Alert: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Create Alert: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -79,39 +106,43 @@ Create Abuse Alert: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Create Alert: - ai_description: "### General Description\nThe **Create Alert** action allows users\ - \ to programmatically generate a new alert within the DoppelVision platform for\ - \ a specific entity, such as a URL or domain. This action is primarily used to\ - \ escalate or flag specific indicators for monitoring or protection within the\ - \ Doppel ecosystem. It requires a direct input of the entity and returns the full\ - \ API response upon successful creation.\n\n### Parameters Description\n\n| Parameter\ - \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| **Entity**\ - \ | String | Yes | The specific entity (e.g., a URL) for which the alert will\ - \ be created in DoppelVision. |\n\n### Flow Description\n\n1. **Credential Retrieval:**\ - \ The action extracts the API Key, User API Key, and Organization Code from the\ - \ integration's configuration settings.\n2. **Input Extraction:** The action retrieves\ - \ the target entity string from the action parameters.\n3. **API Interaction:**\ - \ The action uses the `DoppelManager` to send a POST request to the DoppelVision\ - \ `/alert` endpoint with the entity identifier.\n4. **Response Handling:** \n\ - \ * If the alert is created successfully, the action captures the JSON response\ - \ and attaches it to the execution results.\n * If the creation fails (e.g.,\ - \ due to an invalid entity or a protected resource), the action logs the error\ - \ and marks the execution as failed.\n\n### Additional Notes\n\n* This action\ - \ does not iterate over SecOps entities automatically; it operates strictly on\ - \ the value provided in the **Entity** parameter." + ai_description: "### General Description\nThis action creates a new alert within\ + \ the DoppelVision platform for a specified entity. It is primarily used to programmatically\ + \ trigger Doppel's internal monitoring or investigation workflows for a specific\ + \ indicator (such as a URL). The action communicates with the Doppel API via a\ + \ POST request and returns the details of the created alert.\n\n### Parameters\ + \ Description\n| Parameter | Description | Type | Mandatory | Notes |\n| :---\ + \ | :--- | :--- | :--- | :--- |\n| Entity | The specific entity (e.g., a URL or\ + \ identifier) for which the alert should be created in DoppelVision. | string\ + \ | Yes | Default value is 'https://dummyrul.com'. |\n\n### Flow Description\n\ + 1. **Configuration Extraction**: The action retrieves the API Key, User API Key,\ + \ and Organization Code from the integration configuration.\n2. **Parameter Extraction**:\ + \ The action retrieves the 'Entity' string provided by the user.\n3. **Manager\ + \ Initialization**: A `DoppelManager` instance is initialized with the provided\ + \ credentials.\n4. **API Interaction**: The action calls the `create_alert` method,\ + \ which sends a POST request to the DoppelVision `/alert` endpoint with the entity\ + \ payload.\n5. **Result Processing**: \n * If the API returns a successful\ + \ response, the alert data is stored in the action's JSON results.\n * If the\ + \ API call fails or returns an empty response, an exception is raised.\n6. **Completion**:\ + \ The action concludes by reporting the execution status and an output message\ + \ to the Google SecOps workbench.\n\n### Additional Notes\nThis action does not\ + \ iterate over SecOps entities automatically; it requires the 'Entity' parameter\ + \ to be explicitly passed, typically from a playbook variable or manual input." capabilities: can_create_case_comments: false can_create_insight: false @@ -127,7 +158,7 @@ Create Alert: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -141,12 +172,13 @@ Create Alert: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Alert: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false contain_host: false - create_ticket: true + create_ticket: false delete_email: false disable_identity: false download_file: false @@ -154,69 +186,65 @@ Create Alert: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: true remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Alert: ai_description: >- - ### General Description - - The **Get Alert** action retrieves detailed information about a specific alert - from the DoppelVision platform. It allows users to look up alert data using either - a unique Alert ID or an entity identifier (such as a URL). This action is primarily - used to gather context and metadata for investigation purposes within the SOAR - environment. + Retrieves detailed information about a specific alert from the DoppelVision platform. + The action allows users to fetch alert data using either a specific Alert ID or + an entity identifier (such as a URL). It is primarily used to gather context about + existing alerts within the Doppel ecosystem and returns the raw JSON data for + use in subsequent playbook steps. ### Parameters Description + | Parameter | Description | Type | Mandatory | Notes | | :--- | :--- | :--- | :--- | :--- | - | **Entity** | The entity identifier (e.g., a URL) associated with the alert you - wish to retrieve. | String | No | Either this or `Alert_ID` must be provided. - | + | Entity | The entity identifier (e.g., a URL) associated with the alert. | String + | No | Either 'Entity' or 'Alert_ID' must be provided, but not both. | - | **Alert_ID** | The unique identifier of the alert on the Doppel Tenant. | String - | No | Either this or `Entity` must be provided. | + | Alert_ID | The unique identifier of the alert in the Doppel tenant. | String + | No | Either 'Entity' or 'Alert_ID' must be provided, but not both. | ### Additional Notes - - **Validation Logic:** The action will fail if both `Entity` and `Alert_ID` are - provided simultaneously, or if neither is provided. Exactly one of these parameters - must be configured for the action to execute successfully. + - This action does not process entities from the Google SecOps case; it relies + strictly on the provided input parameters. - - **Output:** The retrieved alert details are returned as a JSON object and stored - in the `JsonResult` field. + - The action will fail if both parameters are provided or if both are omitted. ### Flow Description - 1. **Parameter Extraction:** The action extracts the API configuration (API Key, - User API Key, Org Code) and the action parameters (`Entity`, `Alert_ID`). + 1. **Parameter Extraction:** The action retrieves the API credentials from the + integration configuration and the 'Entity' or 'Alert_ID' from the action parameters. - 2. **Validation:** It checks that exactly one of the two search parameters is - present. + 2. **Validation:** It checks that exactly one of the two search parameters ('Entity' + or 'Alert_ID') is populated. - 3. **API Interaction:** The `DoppelManager` sends a GET request to the Doppel - API endpoint (`/alert`) with the specified identifier. + 3. **API Request:** It calls the DoppelVision API's GET endpoint for alerts using + the provided identifier. - 4. **Result Processing:** If an alert is found, the data is added to the action's - JSON results. - - 5. **Completion:** The action completes with a success message if data is retrieved, - or fails if the alert is not found or an API error occurs. + 4. **Result Processing:** If an alert is found, the full JSON response is added + to the action's results. If no alert is found or the API returns an error, the + action fails. capabilities: can_create_case_comments: false can_create_insight: false @@ -228,9 +256,9 @@ Get Alert: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: true + enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -244,6 +272,7 @@ Get Alert: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Alerts: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -257,27 +286,29 @@ Get Alert: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: true remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: false + search_events: true send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Alerts: ai_description: >- ### General Description - The **Get Alerts** action retrieves a list of alerts from the DoppelVision platform. - It allows users to query the Doppel tenant for specific security incidents or - reports based on a wide range of filters such as product category, creation time, - queue status, and tags. This action is primarily used for searching and auditing - alerts within the Doppel ecosystem. + This action fetches alerts from the Doppel Vision platform based on specified + filtering criteria. It is designed to retrieve a list of alerts for review or + further processing within Google SecOps. The action interacts with the Doppel + API's `/alerts` endpoint using a GET request, making it a read-only operation + relative to the external system. ### Parameters Description @@ -286,56 +317,58 @@ Get Alerts: | :--- | :--- | :--- | :--- | - | Search Key | String | No | Filters alerts by a specific key, currently supporting + | Search Key | string | No | Filters alerts by a specific key, currently supporting search by URL. | - | Product | DDL | No | Filters by product category (e.g., domains, social_media, + | Product | ddl | No | Filters alerts by product category (e.g., domains, social_media, mobile_apps, ecommerce, crypto, emails, paid_adds). | - | Created Before | String | No | Filters alerts created before a specific ISO - 8601 timestamp (e.g., '2024-01-05T13:45:30'). | + | Created Before | string | No | Filters alerts created before a specific timestamp + (ISO 8601 format, e.g., '2024-01-05T13:45:30'). | - | Created After | String | No | Filters alerts created after a specific ISO 8601 - timestamp (e.g., '2024-01-05T13:45:30'). | + | Created After | string | No | Filters alerts created after a specific timestamp + (ISO 8601 format, e.g., '2024-01-05T13:45:30'). | - | Sort Type | DDL | No | Field to sort results by ('date_sourced' or 'date_last_actioned'). - Defaults to 'date_sourced'. | + | Sort Type | ddl | No | The field to sort the results by. Options include 'date_sourced' + (default) or 'date_last_actioned'. | - | Sort Order | DDL | No | Order of sorting ('asc' or 'desc'). Defaults to 'desc'. + | Sort Order | ddl | No | The order of sorting. Options are 'asc' or 'desc' (default). | - | Page | String | No | Page number for paginated results; defaults to 0. | + | Page | string | No | Page number for pagination; defaults to 0. | - | Queue State | DDL | No | Filters alerts by their current queue status (e.g., - 'doppel_review', 'actioned', 'taken_down'). | + | Queue State | ddl | No | Filters alerts by their current queue status (e.g., + doppel_review, actioned, needs_confirmation, taken_down, monitoring, archived). + | - | Tags | String | No | A comma-separated list of tags to filter the alerts. | + | Tags | string | No | A comma-separated list of tags to filter the alerts. | ### Additional Notes - - This action does not operate on specific entities within the SOAR case; it performs - a global search against the DoppelVision API. + - This action does not require any input entities to run; it fetches data globally + for the configured tenant. - - Timestamps for 'Created Before' and 'Created After' should follow the format - 'YYYY-MM-DDTHH:MM:SS'. + - All parameters are optional. If no parameters are provided, the action fetches + the most recent alerts based on default API behavior. ### Flow Description - 1. **Configuration Extraction:** Retrieves API credentials (API Key, User API - Key, and Organization Code) from the integration settings. + 1. **Configuration Extraction:** The action retrieves the API Key, User API Key, + and Organization Code from the integration settings. + + 2. **Parameter Parsing:** It extracts optional filters such as `Search Key`, `Product`, + `Queue State`, and date ranges from the action input. - 2. **Parameter Parsing:** Collects optional filter parameters provided by the - user, including time ranges, categories, and sorting preferences. It also parses - the 'Tags' string into a list. + 3. **Filter Construction:** A filter dictionary is built, removing any null values + and splitting the `Tags` string into a list. - 3. **API Request:** Executes a GET request to the DoppelVision `/alerts` endpoint - using the constructed filter set via the DoppelManager. + 4. **API Interaction:** The `DoppelManager` is initialized and calls the `get_alerts` + method, which performs a GET request to the Doppel API. - 4. **Result Processing:** If alerts are found, they are returned as a JSON object - and stored in the action's execution results. If no alerts match the criteria - or an empty response is received, the action reports a failure. + 5. **Result Processing:** The retrieved list of alerts is added to the action's + JSON results. If no alerts are found, the action fails with an informative message. capabilities: can_create_case_comments: false can_create_insight: false @@ -349,7 +382,7 @@ Get Alerts: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -363,6 +396,7 @@ Get Alerts: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -376,36 +410,56 @@ Get Alerts: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: - ai_description: "### General Description\nThe **Ping** action is a diagnostic tool\ - \ designed to verify the connectivity between Google SecOps and the DoppelVision\ - \ platform. Its primary purpose is to validate that the provided integration credentials\ - \ (API Key, User API Key, and Organization Code) are correct and that the DoppelVision\ - \ API endpoint is reachable.\n\n### Parameters Description\nThis action does not\ - \ require any input parameters. It relies entirely on the configuration parameters\ - \ defined at the integration level.\n\n### Flow Description\n1. **Configuration\ - \ Extraction:** The action retrieves the `API Key`, `User API Key`, and `Organization\ - \ Code` from the DoppelVision integration settings.\n2. **Manager Initialization:**\ - \ It initializes the `DoppelManager` using the extracted credentials.\n3. **Connectivity\ - \ Test:** The action calls the `connection_test` method, which performs a `GET`\ - \ request to the `/alerts` endpoint of the DoppelVision API.\n4. **Result Reporting:**\ - \ \n * If the API responds successfully (HTTP 200), the action ends with a\ - \ success message.\n * If the request fails or returns an error (e.g., 401\ - \ Unauthorized), the action reports a connection failure.\n\n### Additional Notes\n\ - This action is intended for use during the initial setup or troubleshooting of\ - \ the DoppelVision integration to ensure the communication channel is functional." + ai_description: >- + ### General Description + + The **Ping** action is used to verify the connectivity between Google SecOps and + the DoppelVision platform. It validates the provided configuration parameters, + such as the API Key, User API Key, and Organization Code, by attempting a basic + API request to the Doppel service to ensure the integration is correctly configured. + + + ### Parameters Description + + There are no input parameters for this action. It relies entirely on the integration's + global configuration settings (API Key, User API Key, and Organization Code). + + + ### Flow Description + + 1. **Configuration Extraction**: The action retrieves the API Key, User API Key, + and Organization Code from the integration's shared configuration. + + 2. **Manager Initialization**: An instance of the DoppelManager is created using + the extracted credentials. + + 3. **Connectivity Test**: The action executes a connection test by performing + a GET request to the Doppel `/alerts` endpoint. + + 4. **Result Reporting**: If the API responds with a success status, the action + ends with a 'Connection successful' message. If the request fails or the credentials + are invalid, it returns a failure message. + + + ### Additional Notes + + This action is strictly for connectivity testing and does not interact with entities + or modify any data within Google SecOps or DoppelVision. capabilities: can_create_case_comments: false can_create_insight: false @@ -419,7 +473,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -433,6 +487,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Update Alert: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -446,42 +501,78 @@ Ping: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Update Alert: - ai_description: "Updates an alert's status and entity state within the DoppelVision\ - \ platform. This action allows analysts to transition alerts through different\ - \ queue states and update the operational status of the associated entity. The\ - \ target alert is identified using either a unique Alert ID or the Entity URL.\n\ - \n### Parameters\n| Parameter | Type | Mandatory | Description |\n| :--- | :---\ - \ | :--- | :--- |\n| Alert_ID | String | No | Unique identity for each specific\ - \ alert in the Doppel tenant. |\n| Entity | String | No | The URL or identifier\ - \ of the entity associated with the alert. |\n| Queue_State | DDL | Yes | The\ - \ target queue state for the alert. Options include: \"doppel_review\", \"needs_confirmation\"\ - , \"monitoring\", \"taken_down\", \"actioned\", \"archived\". |\n| Entity_State\ - \ | DDL | Yes | The target state for the entity. Options include: \"active\",\ - \ \"down\", \"parked\". |\n\n### Additional Notes\n* Either the **Alert_ID** or\ - \ the **Entity** parameter must be provided for the action to run. \n* If both\ - \ **Alert_ID** and **Entity** are provided simultaneously, the action will fail\ - \ with a validation error.\n\n### Flow Description\n1. **Extract Parameters:**\ - \ The action retrieves the API configuration (API Key, User API Key, Org Code)\ - \ and the action-specific parameters (Alert_ID, Entity, Queue_State, Entity_State).\n\ - 2. **Validation:** It checks that exactly one identifier (either Alert_ID or Entity)\ - \ is provided.\n3. **API Interaction:** It calls the DoppelManager's `update_alert`\ - \ method, which sends a PUT request to the DoppelVision API with the specified\ - \ states.\n4. **Result Processing:** If the update is successful, the updated\ - \ alert details are added to the action's JSON results. If the API returns an\ - \ error or an empty response, the action fails." + ai_description: >- + ### General Description + + The **Update Alert** action allows users to modify the status and state of an + existing alert within the DoppelVision platform. It specifically targets the `Queue_State` + (e.g., moving an alert to 'actioned' or 'archived') and the `Entity_State` (e.g., + marking a URL as 'active', 'down', or 'parked'). This action is primarily used + to synchronize remediation or review progress from Google SecOps back to the DoppelVision + source system. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | **Alert_ID** | String | No | The unique identifier for the specific alert in + the Doppel tenant. | + + | **Entity** | String | No | The entity (usually a URL) associated with the alert. + | + + | **Queue_State** | DDL | Yes | The target queue state for the alert. Supported + values: `doppel_review`, `needs_confirmation`, `monitoring`, `taken_down`, `actioned`, + `archived`. | + + | **Entity_State** | DDL | Yes | The target state of the entity. Supported values: + `active`, `down`, `parked`. | + + + ### Additional Notes + + - **Validation Logic**: The action requires exactly one identifier to be provided. + You must provide **either** the `Alert_ID` or the `Entity` parameter. Providing + both or neither will result in a validation error and action failure. + + - This action performs an external state change (PUT request) in the DoppelVision + API. + + + ### Flow Description + + 1. **Parameter Extraction**: The action retrieves the integration configuration + (API Key, User API Key, Organization Code) and the action parameters (`Alert_ID`, + `Entity`, `Queue_State`, `Entity_State`). + + 2. **Input Validation**: It verifies that either `Alert_ID` or `Entity` is provided, + ensuring they are not both present or both missing. + + 3. **API Interaction**: It calls the DoppelVision API's update endpoint using + a PUT request, passing the selected identifier and the new state values. + + 4. **Result Processing**: Upon a successful response, the action stores the updated + alert details in the JSON results and completes with a success message. If the + update fails or returns an empty response, the action terminates with a failure + status. capabilities: can_create_case_comments: false can_create_insight: false @@ -490,14 +581,14 @@ Update Alert: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the 'queue_state' and 'entity_state' of an existing alert in the DoppelVision + Updates the 'queue_state' and 'entity_state' of an alert record within the DoppelVision platform via a PUT request. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -511,28 +602,3 @@ Update Alert: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: true - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/partner/grey_noise/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/grey_noise/resources/ai/actions_ai_description.yaml index 44c4cab56..132e6f031 100644 --- a/content/response_integrations/third_party/partner/grey_noise/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/grey_noise/resources/ai/actions_ai_description.yaml @@ -1,50 +1,80 @@ Execute GNQL Query: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: true + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - Executes custom GNQL (GreyNoise Query Language) queries to search the GreyNoise - threat intelligence database. This action allows users to perform complex searches - for IP addresses based on various attributes like tags, classifications, or last - seen dates. It supports automatic pagination to retrieve large datasets up to - a specified limit and provides options to control the verbosity of the returned - data. + Executes custom GreyNoise Query Language (GNQL) queries to search GreyNoise threat + intelligence data. This action allows users to perform complex searches across + the GreyNoise dataset, retrieving information about IP addresses, classifications, + and scanning behavior. It supports pagination to handle large result sets and + provides options to simplify the output or exclude raw data for performance. - ### Parameters + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Parameter Extraction:** The action retrieves the GNQL query, maximum results + limit, and output preferences (Quick mode and Exclude Raw). - | :--- | :--- | :--- | :--- | + 2. **Validation:** Validates that the 'Max Results' parameter is a positive integer. - | GNQL Query | String | Yes | The GreyNoise Query Language query string to execute - (e.g., 'last_seen:1d'). | + 3. **API Interaction:** Connects to the GreyNoise API and executes the query. - | Max Results | String | No | The maximum number of results to return across all - paginated requests. Default is 1000. | + 4. **Pagination:** If the result set exceeds the page size, the action automatically + uses scroll tokens to fetch subsequent pages until the 'Max Results' limit is + reached or all data is retrieved. + + 5. **Result Aggregation:** Collects all fetched records and returns them as a + JSON object. - | Quick | Boolean | No | If set to true, the response will only include the IP - address and the classification or trust level, reducing payload size. | - | Exclude Raw | Boolean | No | Whether to exclude raw scan data from the response - to simplify the output. Default is true. | + ### Parameters Description + | Parameter | Type | Mandatory | Description | - ### Flow Description + | :--- | :--- | :--- | :--- | - 1. **Initialization:** Extracts the GNQL query, result limits, and display preferences - from the action parameters. + | GNQL Query | String | Yes | The GreyNoise Query Language query string to execute + (e.g., 'last_seen:1d'). | - 2. **Validation:** Validates that the 'Max Results' parameter is a positive integer. + | Max Results | String | No | The maximum number of records to return. Default + is 1000. | - 3. **API Connection:** Establishes a connection to the GreyNoise API using the - configured API key. + | Quick | Boolean | No | If set to true, the response will only include the IP + address and the classification or trust level. | - 4. **Paginated Execution:** Enters a loop to execute the GNQL query. It uses scroll - tokens provided by the GreyNoise API to fetch subsequent pages of data. + | Exclude Raw | Boolean | No | If set to true, raw scan data will be excluded + from the response to reduce payload size. | - 5. **Data Aggregation:** Appends results from each page to a master list until - the 'Max Results' limit is reached or the API indicates no more data is available. - 6. **Finalization:** Returns the aggregated list of results as a JSON object and - provides a summary message indicating the total number of records fetched. + ### Additional Notes + + - This action does not operate on specific entities within the SecOps case; it + performs a global search based on the provided query string. capabilities: can_create_case_comments: false can_create_insight: false @@ -58,7 +88,7 @@ Execute GNQL Query: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -72,6 +102,7 @@ Execute GNQL Query: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get CVE Details: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -83,86 +114,76 @@ Execute GNQL Query: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: false + enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get CVE Details: ai_description: >- - ### General Description - Enriches CVE entities using GreyNoise intelligence to provide deep context on - vulnerabilities. This action retrieves critical data points including CVSS scores, - EPSS (Exploit Prediction Scoring System) scores, exploit availability, and real-world - exploitation activity observed by GreyNoise sensors. The retrieved information - is used to update the entity's attributes and generate a comprehensive HTML insight - for analysts. + vulnerabilities and active exploitation. This action retrieves critical data points + including CVSS scores, EPSS (Exploit Prediction Scoring System) scores, CISA KEV + (Known Exploited Vulnerabilities) status, and real-time threat activity counts. + It helps analysts prioritize vulnerabilities by identifying which ones are being + actively exploited in the wild. ### Parameters Description - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | None | N/A | N/A | This action does not require any input parameters beyond - the integration configuration. | - - - ### Additional Notes - - - The action validates that CVE identifiers follow the standard 'CVE-YYYY-NNNN' - format. - - - Requires a valid GreyNoise API key configured in the integration settings. - - - Only processes entities of type CVE. + There are no specific action parameters for this action. It automatically processes + all CVE entities present in the current context using the integration's global + API key. ### Flow Description - 1. **Entity Identification**: Retrieves all CVE entities from the current case - context. + 1. **Entity Identification**: The action scans the current case for entities of + type CVE. - 2. **Format Validation**: Validates each CVE identifier against the standard format - (e.g., CVE-2024-12345). + 2. **Format Validation**: Each CVE identifier is validated against the standard + format (CVE-YYYY-NNNN). - 3. **GreyNoise Lookup**: Queries the GreyNoise API for each valid CVE to retrieve - vulnerability and exploitation intelligence. + 3. **GreyNoise Lookup**: For each valid CVE, the action queries the GreyNoise + API to retrieve vulnerability details and exploitation intelligence. - 4. **Entity Enrichment**: Updates the CVE entity's additional properties with - data such as CVSS score, EPSS score, and exploit status. + 4. **Data Enrichment**: The retrieved data (CVSS, EPSS, description, etc.) is + mapped to entity attributes prefixed with `GN_`. - 5. **Insight Generation**: Generates and attaches a detailed HTML insight to the - entity, visualizing threat assessments and active exploitation activity. + 5. **Insight Generation**: A detailed HTML insight is generated for each CVE, + featuring color-coded severity levels, exploit availability badges, and active + threat IP counts. - 6. **Finalization**: Updates the entities in the platform and returns a summary - of the enrichment process. + 6. **Internal Update**: The action updates the CVE entities in Google SecOps with + the new enrichment data and attaches the generated insights to the case wall. capabilities: can_create_case_comments: false can_create_insight: true can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: false + can_mutate_internal_data: true can_update_entities: true external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: null + internal_data_mutation_explanation: >- + Updates CVE entities with enrichment attributes (CVSS, EPSS, threat counts) + and creates detailed HTML insights within the Google SecOps case. categories: enrichment: true entity_usage: entity_types: - - CVE + - CVE filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -176,6 +197,7 @@ Get CVE Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +IP Lookup: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -189,43 +211,47 @@ Get CVE Details: enrich_asset: false enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -IP Lookup: - ai_description: "Enriches IP Address entities with comprehensive threat intelligence\ - \ from GreyNoise, including classification (benign, suspicious, malicious), actor\ - \ attribution, associated tags, CVEs, and business service intelligence. The action\ - \ automatically detects the API tier (Community vs. Enterprise) to optimize data\ - \ retrieval, using batch lookups for Enterprise keys. It updates the entity's\ - \ suspicious status based on GreyNoise classification and generates a detailed\ - \ HTML insight for the case wall.\n\n### Flow Description:\n1. **Identify Entities:**\ - \ Filters the target entities to identify all IP Address (ADDRESS) entities.\n\ - 2. **Tier Detection:** Checks the provided GreyNoise API key to determine if it\ - \ belongs to the Community or Enterprise tier.\n3. **Data Retrieval:** \n *\ - \ For **Enterprise** keys: Performs a batch lookup for all identified IPs to maximize\ - \ efficiency.\n * For **Community** keys: Performs individual lookups for each\ - \ IP.\n4. **Entity Enrichment:** For each IP found in the GreyNoise dataset, it\ - \ updates the entity's `additional_properties` with metadata (e.g., country, organization,\ - \ tags) and marks the entity as enriched.\n5. **Risk Assessment:** Sets the entity's\ - \ `is_suspicious` flag to true if GreyNoise classifies the IP as 'suspicious'\ - \ or 'malicious'.\n6. **Insight Generation:** Creates a formatted HTML insight\ - \ for each successfully processed entity, providing a visual summary of the intelligence.\n\ - \n### Parameters Description:\n| Parameter Name | Type | Mandatory | Description\ - \ |\n| :--- | :--- | :--- | :--- |\n| GN API Key | String | Yes | The API key\ - \ used to authenticate with GreyNoise services. This is configured at the integration\ - \ level. |\n\n### Additional Notes:\n* This action is read-only regarding external\ - \ systems and is classified as an enrichment action.\n* Community tier users will\ - \ receive a limited set of data compared to Enterprise users." + ai_description: "Enriches IP Address entities using GreyNoise intelligence to provide\ + \ comprehensive context on internet-wide scanning activity and business service\ + \ associations. The action identifies whether an IP is a known scanner, its classification\ + \ (benign, suspicious, or malicious), associated threat actors, and any related\ + \ CVEs. It automatically adapts its execution logic based on the API key tier\ + \ (Community vs. Enterprise), utilizing batch lookups for Enterprise users to\ + \ optimize performance.\n\n### Flow Description:\n1. **Entity Identification:**\ + \ Filters the target entities to identify all IP Address (ADDRESS) entities within\ + \ the current context.\n2. **Tier Detection:** Checks the provided GreyNoise API\ + \ key to determine if it belongs to the Community or Enterprise tier.\n3. **Data\ + \ Retrieval:** \n * For **Enterprise** keys: Performs a batch lookup for all\ + \ identified IPs simultaneously.\n * For **Community** keys: Performs individual\ + \ lookups for each IP.\n4. **Enrichment & Classification:** Processes the API\ + \ response to extract classification, actor names, tags, and CVE data. It updates\ + \ the entity's suspicious status if the classification is 'suspicious' or 'malicious'.\n\ + 5. **Internal Updates:** Populates the entity's additional properties with GreyNoise\ + \ metadata (prefixed with `GN_`) and marks the entity as enriched.\n6. **Insight\ + \ Generation:** Creates a detailed HTML insight for each successfully processed\ + \ IP, providing a visual summary of the intelligence gathered.\n\n### Parameters\ + \ Description:\n| Parameter | Type | Mandatory | Description |\n| :--- | :---\ + \ | :--- | :--- |\n| GN API Key | String | Yes | The API key used to authenticate\ + \ with GreyNoise services. This is configured at the integration level. |\n\n\ + ### Additional Notes:\n* This action is strictly read-only regarding external\ + \ systems and is classified as an enrichment action.\n* If no IP Address entities\ + \ are found, the action will complete successfully with a message indicating no\ + \ entities were processed." capabilities: can_create_case_comments: false can_create_insight: true @@ -236,13 +262,13 @@ IP Lookup: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity attributes including 'is_enriched', 'is_suspicious', and 'additional_properties'. - It also generates entity insights. + Updates entity attributes with GreyNoise intelligence (classification, actor, + tags, CVEs) and creates detailed entity insights. categories: enrichment: true entity_usage: entity_types: - - ADDRESS + - ADDRESS filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -256,6 +282,7 @@ IP Lookup: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +IP Timeline Lookup: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -269,69 +296,75 @@ IP Lookup: enrich_asset: false enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -IP Timeline Lookup: ai_description: >- Retrieves the historical activity timeline for IP Address entities from GreyNoise, - providing visibility into how an indicator's behavior has changed over time. This - action allows analysts to track shifts in classification, associated tags, destination - ports, and other metadata with configurable time granularity. + providing visibility into how an IP's behavior and classification have changed + over time. This action allows analysts to visualize trends in scanning activity, + port usage, or tag associations. - ### Parameters Description + ### Flow Description: + 1. **Parameter Initialization:** Extracts the 'Days', 'Field', and 'Granularity' + parameters from the action configuration and validates that 'Days' is a positive + integer. - | Parameter | Type | Mandatory | Description | + 2. **Entity Filtering:** Identifies all IP Address entities within the current + context. - | :--- | :--- | :--- | :--- | + 3. **External Lookup:** For each IP, it queries the GreyNoise Timeline API using + the specified field (e.g., classification, tag_ids) and time range. - | Field | DDL | No | Specifies the attribute to aggregate data by. Options include - classification, destination_port, http_path, http_user_agent, source_asn, source_org, - source_rdns, and tag_ids. Default is 'classification'. | + 4. **Metadata Enrichment:** If the 'Field' is set to 'tag_ids', the action performs + additional lookups to fetch descriptive metadata for each tag identified in the + timeline. - | Granularity | String | No | Defines the time bucket size for the timeline. Supports - hours (e.g., '1h' to '24h') or days (e.g., '1d' to '90d'). Default is '1d'. | + 5. **Internal Updates:** Enriches the SOAR entities with the retrieved timeline + data and marks them as enriched. - | Days | String | No | The total lookback period in days (1 to 90). Default is - '30'. | + 6. **Insight Generation:** Creates a detailed HTML insight for each entity, featuring + a formatted timeline overview and links to the GreyNoise Visualizer. - ### Flow Description + ### Parameters Description: + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | - 1. **Initialization**: Extracts the GreyNoise API key from the integration configuration - and validates the 'Days' parameter to ensure it is a positive integer. + | Field | DDL | No | The specific attribute to track over time. Options include: + destination_port, http_path, http_user_agent, source_asn, source_org, source_rdns, + tag_ids, or classification (default). | - 2. **Entity Identification**: Filters the target entities to identify all IP Address - (ADDRESS) objects. + | Granularity | String | No | The time bucket size for the timeline. Supports + hours (e.g., 1h to 24h) or days (e.g., 1d to 90d). Default is '1d'. | - 3. **Data Retrieval**: For each identified IP, the action queries the GreyNoise - Timeline API using the specified field, granularity, and lookback period. + | Days | String | No | The total lookback period in days. Must be a positive integer. + Default is '30'. | - 4. **Tag Enrichment**: If the 'Field' parameter is set to 'tag_ids', the action - performs secondary API calls to fetch descriptive metadata (name, intention, category) - for each tag ID found in the timeline. - 5. **Internal Mutation**: Updates the entity's additional properties with the - timeline metadata and raw results. It also sets the 'is_enriched' flag to true. + ### Additional Notes: - 6. **Insight Generation**: Constructs a detailed HTML insight containing a visual - summary of the activity timeline, including overview statistics and a breakdown - of events. + - This action is primarily used for historical context and trend analysis rather + than real-time reputation checks. - 7. **Finalization**: Updates the entities within Google SecOps and returns a JSON - result containing the full timeline data for each processed IP. + - If 'tag_ids' is selected as the field, the action will automatically fetch tag + names and descriptions to provide more context in the insights. capabilities: can_create_case_comments: false can_create_insight: true @@ -342,13 +375,13 @@ IP Timeline Lookup: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with GreyNoise timeline metadata and data, - and creates entity insights containing HTML summaries of the activity. + Updates entity additional properties with GreyNoise timeline data and creates + entity insights containing activity summaries. categories: enrichment: true entity_usage: entity_types: - - ADDRESS + - ADDRESS filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -362,6 +395,7 @@ IP Timeline Lookup: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -373,63 +407,52 @@ IP Timeline Lookup: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: true + enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: ai_description: >- - ### General Description - - The **Ping** action is a diagnostic utility designed to verify the connectivity - between Google SecOps and the GreyNoise API. Its primary purpose is to validate - that the provided API key is correct, active, and has not expired, ensuring that - subsequent enrichment or search actions can proceed without authentication issues. + Tests the connectivity to the GreyNoise API and validates the provided API key. + This action is primarily used to ensure that the integration is correctly configured + and that the SOAR platform can communicate with GreyNoise services. It checks + the validity of the API key and, for enterprise-tier keys, verifies that the key + has not expired. - ### Parameters Description - - There are no parameters for this action. - - - ### Additional Notes - - - This action is typically used during the initial setup of the GreyNoise integration - or for troubleshooting connection issues. + ### Parameters - - It checks for API key expiration for Enterprise-tier keys and logs a warning - if the key is no longer valid. + There are no action-specific parameters for this action. It relies on the global + integration configuration (GN API Key). ### Flow Description - 1. **Initialization**: The action initializes the Siemplify SDK and retrieves - the GreyNoise API key from the integration configuration. - - 2. **API Connection**: It establishes a session with the GreyNoise API using the - provided credentials. - - 3. **Connectivity Test**: It executes a `test_connection` call to the GreyNoise - service. + 1. **Initialization**: The action initializes the Siemplify context and retrieves + the GreyNoise API key from the integration's configuration settings. - 4. **Validation**: The action parses the response to confirm the API tier (Community - vs. Enterprise) and checks the expiration date for Enterprise keys. + 2. **Connectivity Test**: It uses the GreyNoise API Manager to call the `test_connection` + endpoint of the GreyNoise API. - 5. **Error Handling**: If a rate limit is reached or a request fails, the action - captures the specific error and marks the execution as failed. + 3. **Expiration Check**: If the connection is successful and the API key is not + a 'community' tier key, the action parses the expiration date from the response + and compares it against the current date to ensure the key is still valid. - 6. **Completion**: Returns a success message and a boolean result indicating whether - the connection was successful. + 4. **Result Handling**: The action captures any exceptions (such as rate limits + or request failures) and returns a success or failure message to the SOAR platform + along with the execution status. capabilities: can_create_case_comments: false can_create_insight: false @@ -443,7 +466,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -457,6 +480,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Quick IP Lookup: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -468,62 +492,70 @@ Ping: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: false + enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Quick IP Lookup: ai_description: >- - Performs a lightweight IP classification lookup using GreyNoise to determine trust - levels, internet scanner status, and business service status for IP Address entities. - This action is designed for high-speed enrichment of multiple IPs simultaneously. + Performs a lightweight IP classification lookup using the GreyNoise service to + identify internet scanners and business services. This action is designed for + high-speed enrichment of IP Address entities, providing immediate context on whether + an IP is known for 'noise' (mass scanning) or belongs to a trusted business service. - ### Parameters + ### Flow Description - There are no user-configurable parameters for this action beyond the global integration - API key. + 1. **Entity Extraction:** Identifies all IP Address entities within the current + alert or case context. + 2. **GreyNoise Query:** Executes a bulk 'quick lookup' request to the GreyNoise + API for all identified IP addresses. - ### Flow Description + 3. **Data Processing:** Iterates through the API responses to determine if GreyNoise + has data ('noise') for each IP. - 1. **Entity Identification:** The action identifies all `ADDRESS` (IP) entities - within the current scope. + 4. **Entity Enrichment:** For IPs found in the dataset, it updates the entity's + additional properties with trust levels and classifications. - 2. **Batch Lookup:** It sends a batch request to the GreyNoise Quick Lookup API - for all identified IP addresses. + 5. **Risk Assessment:** Automatically marks entities as suspicious if GreyNoise + classifies them as 'malicious' or 'suspicious'. - 3. **Data Processing:** For each IP found in the GreyNoise dataset, the action: - * Updates the entity's `additional_properties` with GreyNoise metadata (e.g., - `GN_is_business_service`, `GN_is_internet_scanner`, `GN_trust_level`, `GN_classification`). - * Sets the entity's `is_enriched` status to `true`. - * Updates the entity's `is_suspicious` status if the GreyNoise classification - is 'suspicious' or 'malicious'. - 4. **Insight Generation:** Creates a detailed HTML insight for each enriched entity, - providing a visual summary of the IP's intelligence (Business Service vs. Internet - Scanner status). + 6. **Insight Generation:** Creates and attaches a formatted HTML insight to each + enriched entity, providing a visual summary of the intelligence. - 5. **Finalization:** Updates the entities in the Google SecOps platform and returns - a summary message along with the raw JSON results for all processed IPs. + 7. **Result Reporting:** Returns a comprehensive JSON object containing the lookup + results for all processed entities. + + + ### Parameters Description + + | Parameter Name | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | None | N/A | N/A | This action does not require any input parameters beyond + the global integration configuration (API Key). | ### Additional Notes - * This action uses the GreyNoise 'Quick' endpoint, which is optimized for speed - and batch processing but provides less detail than a full IP lookup. + * This action specifically targets `ADDRESS` entities. - * If no IP entities are found, the action completes gracefully with an informative - message. + * It uses the GreyNoise 'quick' endpoint, which is optimized for performance and + provides a subset of the full IP context (classification and trust level). capabilities: can_create_case_comments: false can_create_insight: true @@ -534,13 +566,14 @@ Quick IP Lookup: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity attributes including additional_properties, is_enriched, and - is_suspicious status. It also generates and attaches entity insights. + Updates entity additional properties with GreyNoise metadata, sets the entity's + suspicious status based on classification, and adds HTML insights to the entity + context. categories: enrichment: true entity_usage: entity_types: - - ADDRESS + - ADDRESS filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -554,28 +587,3 @@ Quick IP Lookup: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: true - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/partner/grey_noise/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/partner/grey_noise/resources/ai/connectors_ai_description.yaml index 3b6006c9d..b329f6190 100644 --- a/content/response_integrations/third_party/partner/grey_noise/resources/ai/connectors_ai_description.yaml +++ b/content/response_integrations/third_party/partner/grey_noise/resources/ai/connectors_ai_description.yaml @@ -1,35 +1,62 @@ Generate Alert from GreyNoise GNQL: - ai_description: "### General Description\nThe GreyNoise GNQL connector enables automated\ - \ ingestion of threat intelligence data into Google SecOps by executing GreyNoise\ - \ Query Language (GNQL) queries. It identifies IP addresses with specific characteristics\u2014\ - such as malicious intent, specific tags, or recent activity\u2014and generates\ - \ corresponding alerts and cases. This integration allows security teams to proactively\ - \ monitor for known scanners, business services, or malicious actors observed\ - \ by the GreyNoise sensor network.\n\n### Parameters Description\n| Parameter\ - \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| GN API\ - \ Key | Password | Yes | The API key used to authenticate with GreyNoise services.\ - \ |\n| Query | String | Yes | The GNQL query string used to filter GreyNoise data\ - \ (e.g., `last_seen:1d` or `classification:malicious`). |\n| Max Results | Integer\ - \ | No | The maximum number of indicators to fetch and process in a single execution\ - \ cycle (Default: 100). |\n| DeviceProductField | String | Yes | The field name\ - \ used to populate the device product attribute in the alert (Default: GreyNoise).\ - \ |\n| EventClassId | String | Yes | The field name used to determine the event\ - \ type or sub-type (Default: event_type). |\n| PythonProcessTimeout | Integer\ - \ | Yes | The maximum time in seconds allowed for the connector script to run\ - \ before terminating (Default: 1200). |\n\n### Flow Description\n1. **Authentication**:\ - \ The connector authenticates with the GreyNoise API using the provided API Key.\n\ - 2. **State Management**: It retrieves the list of previously processed event IDs\ - \ from the local store to ensure deduplication and prevent redundant alert creation.\n\ - 3. **Query Execution**: It executes the configured GNQL query to fetch matching\ - \ IP indicators from the GreyNoise database.\n4. **Pagination**: If the result\ - \ set is large, the connector utilizes scroll tokens to paginate through the results\ - \ until the `Max Results` limit or the end of the data is reached.\n5. **Data\ - \ Transformation**: Each retrieved IP record is mapped to a standard SOAR `AlertInfo`\ - \ object. Severity is dynamically assigned based on the GreyNoise classification\ - \ (e.g., Malicious IPs are mapped to High severity, while Suspicious IPs are mapped\ - \ to Medium).\n6. **Deduplication & Overflow Check**: The connector filters out\ - \ already processed IDs and performs an overflow check to ensure the system is\ - \ not overwhelmed by high-volume alerts.\n7. **Ingestion**: Validated alerts are\ - \ packaged and ingested into Google SecOps as new cases for investigation.\n8.\ - \ **Update State**: The connector saves the IDs of the newly processed events\ - \ to the local store for reference in the next execution cycle." + ai_description: >- + ### General Description + + This connector retrieves threat intelligence data from GreyNoise using GreyNoise + Query Language (GNQL) and generates security alerts in Google SecOps. It allows + security teams to monitor for specific IP behaviors, classifications (malicious, + suspicious, benign), or actors seen across the internet. Each unique IP matching + the query criteria is ingested as an alert, providing enriched context such as + actor names, associated CVEs, and VPN/TOR status. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | GN API Key | Password | Yes | The API key used to authenticate with GreyNoise + services. | + + | Query | String | Yes | The GNQL query to execute (e.g., `last_seen:1d`). If + left empty, it defaults to `last_seen:1d`. | + + | Max Results | Integer | No | The maximum number of results to fetch in a single + execution. Default is 100. | + + | DeviceProductField | String | Yes | The field name used to determine the device + product in the SOAR. Default is 'GreyNoise'. | + + | EventClassId | String | Yes | The field name used to determine the event name + (sub-type). | + + | PythonProcessTimeout | Integer | Yes | The timeout limit (in seconds) for the + python process running the script. Default is 1200. | + + + ### Flow Description + + 1. **Initialization**: The connector initializes the GreyNoise API client using + the provided API Key and retrieves previously processed event IDs from the local + state to prevent duplicate alerts. + + 2. **Query Execution**: It executes the configured GNQL query against the GreyNoise + API to find matching IP indicators. + + 3. **Pagination & Fetching**: The connector iterates through the results, supporting + pagination via scroll tokens until the `Max Results` limit is reached or all available + data is fetched. + + 4. **Deduplication**: Each result is checked against the list of already processed + event IDs (a unique combination of IP and timestamp). + + 5. **Alert Mapping**: Matching IP records are transformed into SOAR Alert objects. + Severity is dynamically assigned based on GreyNoise classification: 'Malicious' + maps to High, 'Suspicious' to Medium, and 'Benign' or 'Unknown' to Low. + + 6. **Ingestion**: The connector performs an overflow check and then ingests the + unique alerts into the system. + + 7. **State Persistence**: Processed IDs are saved back to the system to ensure + they are skipped in subsequent runs. diff --git a/content/response_integrations/third_party/partner/group_ib_ti/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/group_ib_ti/resources/ai/actions_ai_description.yaml index 6c8d0b8b5..ebb13ef88 100644 --- a/content/response_integrations/third_party/partner/group_ib_ti/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/group_ib_ti/resources/ai/actions_ai_description.yaml @@ -1,34 +1,89 @@ Get-Collection-Info-Async: - ai_description: "Fetches threat intelligence data from specific Group-IB TI collections.\ - \ This action is designed for bulk data retrieval or periodic updates rather than\ - \ per-entity enrichment. It utilizes sequence update numbers to track progress,\ - \ allowing it to be run on a schedule (e.g., daily) to retrieve only new updates\ - \ since the last execution. The action retrieves data from a wide variety of collections\ - \ including APT threats, malware configurations, compromised accounts, and suspicious\ - \ IP lists.\n\n### Flow Description:\n1. **Initialization**: Initializes the Group-IB\ - \ TI connector and poller using provided API credentials.\n2. **State Retrieval**:\ - \ Attempts to fetch the last successful sequence update number from the internal\ - \ storage (timestamp). \n3. **Start Point Determination**: If no previous state\ - \ is found, it calculates the starting sequence number based on the provided 'Start\ - \ date' (defaulting to 1 day ago if not specified).\n4. **Data Retrieval**: Initiates\ - \ a request to the Group-IB TI API for the chosen 'Collection', limited by the\ - \ 'Portion limit' parameter.\n5. **Data Processing**: Iterates through the retrieved\ - \ data portions. If 'Enable mapping parser' is true, it applies predefined mapping\ - \ logic to structure the data; otherwise, it collects the raw JSON items.\n6.\ - \ **Output**: Aggregates all retrieved items into a single JSON result and completes\ - \ the action.\n\n### Parameters Description:\n| Parameter | Type | Mandatory |\ - \ Description |\n| :--- | :--- | :--- | :--- |\n| Enable mapping parser | Boolean\ - \ | No | If enabled, the action will parse the raw API response into a structured\ - \ format based on Group-IB's internal mapping keys. Default is false. |\n| Collection\ - \ | DDL | Yes | The specific threat intelligence collection to query (e.g., 'apt/threat',\ - \ 'malware/cnc', 'compromised/account_group'). |\n| Start date | String | No |\ - \ The date (YYYY-MM-DD) to start fetching data from if no previous execution state\ - \ (timestamp) exists. |\n| Portion limit | DDL | Yes | Controls the volume of\ - \ data retrieved by setting the maximum number of portions to fetch in a single\ - \ run. Default is 100. |\n\n### Additional Notes:\n- This action **ignores all\ - \ entities** in the case. It is intended to be used as a data-gathering task within\ - \ a playbook.\n- The action is asynchronous and uses internal state management\ - \ (timestamps) to ensure data continuity across multiple runs." + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: true + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: >- + Retrieves threat intelligence data from specific Group-IB TI collections. This + action is designed to fetch updates from the TI portal, utilizing a sequence-based + tracking system (timestamps) to ensure only new data is ingested in subsequent + runs. It operates independently of SecOps entities, making it suitable for scheduled + playbooks that sync threat intelligence feeds into the platform. + + + ### Parameters Description + + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Enable mapping parser | boolean | No | If enabled, the action will parse the + raw API response using predefined mapping keys for the collection to provide a + structured output. | + + | Collection | ddl | Yes | The specific Group-IB TI collection to download (e.g., + apt/threat, malware/cnc, compromised/account_group). | + + | Start date | string | No | The date (YYYY-MM-DD) to begin fetching data from + if no previous checkpoint (timestamp) exists. | + + | Portion limit | ddl | Yes | The maximum number of data portions to retrieve + from the API in a single execution run. | + + + ### Additional Notes + + - This action ignores any input entities and uses the input entity only as a start + trigger. + + - It uses internal storage via `fetch_timestamp` to track the last retrieved sequence + number, allowing for incremental updates and preventing duplicate data ingestion. + + + ### Flow Description + + 1. **Initialization**: The action initializes and extracts user-defined parameters + including the target collection, portion limits, and parsing preferences. + + 2. **Checkpoint Retrieval**: It checks for a stored sequence update number (timestamp) + from a previous execution to determine the starting point for the fetch. + + 3. **Fallback Logic**: If no previous timestamp is found, it calculates a starting + sequence number based on the provided 'Start date' or defaults to one day ago. + + 4. **API Connection**: Establishes a connection to the Group-IB TI API and initializes + a data generator for the selected collection. + + 5. **Data Ingestion**: Fetches data in portions, optionally applying a mapping + parser to transform raw API items into standardized JSON objects. + + 6. **Result Aggregation**: Aggregates all retrieved items into a single JSON result + and completes the task. capabilities: can_create_case_comments: false can_create_insight: false @@ -42,7 +97,7 @@ Get-Collection-Info-Async: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -56,6 +111,7 @@ Get-Collection-Info-Async: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get-Graph-Info: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -67,66 +123,56 @@ Get-Collection-Info-Async: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: false + enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get-Graph-Info: ai_description: >- ### General Description - The **Get-Graph-Info** action retrieves WHOIS and relationship graph information - for **IP Address** and **Domain** entities from the Group-IB Threat Intelligence - (TI) platform. This action is designed to provide analysts with infrastructure - context and potential connections between indicators to aid in threat investigation. + Retrieves WHOIS and relationship graph information for IP and Domain entities + from Group-IB Threat Intelligence. This action helps analysts understand the infrastructure, + ownership details, and potential connections associated with network indicators + by querying the Group-IB TI Graph API. - ### Parameters Description + ### Parameters - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | N/A | N/A | N/A | This action does not require any input parameters. | + There are no parameters for this action. ### Flow Description - 1. **Entity Identification**: The action iterates through all entities attached - to the alert/case. - - 2. **Type Validation**: It uses an internal validator to identify which entities - are valid IPs or Domains. Any other entity types (e.g., File Hashes, URLs) are - ignored. - - 3. **API Request**: For each valid IP or Domain, the action sends a GET request - to the Group-IB TI `utils/graph` endpoint using the entity identifier as a query - parameter. + 1. **Initialization**: The action initializes the Group-IB TI poller using the + integration's configuration (API login, key, and URL). - 4. **Data Aggregation**: The action collects the API responses, including WHOIS - data and graph metadata, into a structured JSON object. + 2. **Entity Identification**: It identifies all entities associated with the current + context. - 5. **Result Output**: The final aggregated data is attached to the action's JSON - result for use in playbooks or for manual review by an analyst. + 3. **Filtering**: The action filters the entities, processing only those identified + as IP addresses or Domains (using an internal validator). + 4. **Data Retrieval**: For each valid entity, it sends a request to the Group-IB + TI Graph API endpoint (`utils/graph/{type}`) to fetch WHOIS and connectivity data. - ### Additional Notes - - - **Rate Limiting**: The action includes a 1-second sleep interval between requests - to ensure compliance with API rate limits. + 5. **Result Aggregation**: The API responses are collected and formatted into + a structured JSON result object. - - **Scope**: This action is strictly for enrichment and does not modify any external - or internal system states beyond providing the retrieved data. + 6. **Completion**: The aggregated JSON is attached to the action output, and the + action completes with a success status. capabilities: can_create_case_comments: false can_create_insight: false @@ -141,8 +187,8 @@ Get-Graph-Info: enrichment: true entity_usage: entity_types: - - ADDRESS - - DOMAIN + - ADDRESS + - DOMAIN filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -156,6 +202,7 @@ Get-Graph-Info: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get-TI-Search-Info: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -166,74 +213,80 @@ Get-Graph-Info: disable_identity: false download_file: false enable_identity: false - enrich_asset: false + enrich_asset: true enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get-TI-Search-Info: ai_description: >- - ### General Description - - The **Get-TI-Search-Info** action allows analysts to search the Group-IB Threat - Intelligence (TI) database for comprehensive information regarding specific indicators. - It supports searching for IP addresses, domains, file hashes, email addresses, - and bank card numbers. The action identifies which collections in the Group-IB - TI database contain information about the provided entities and retrieves the - relevant records, providing deep context from various threat intelligence feeds. + Searches the Group-IB Threat Intelligence (TI) database for comprehensive information + regarding various entity types, including Domains, IP Addresses, File Hashes, + Bank Cards, and Email addresses. This action acts as a global search tool that + identifies which TI collections contain data about the target entities and then + retrieves the specific records from those collections. ### Parameters Description + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Enable mapping parser | Boolean | No | If set to `true`, the action will use - a predefined mapping parser to structure the retrieved data into a more readable - format based on the collection type. If `false` (default), the raw JSON items - from the API are returned. | + | Enable mapping parser | Boolean | No | Determines whether the action should + parse the retrieved TI data using predefined mapping keys (`true`) or return the + raw data items (`false`). Default is `false`. | ### Flow Description - 1. **Initialization**: The action initializes the connection to Group-IB TI using - the provided API credentials and configuration. - 2. **Entity Identification**: It iterates through all target entities in the current - context and uses a validator to determine their type (e.g., IP, Domain, Hash, - Email, or Bank Card) based on the format of their identifier. + 1. **Initialize Connection**: Sets up the Group-IB TI poller using the integration's + API credentials (Login, Key, and URL). + + 2. **Entity Processing**: Iterates through all entities associated with the current + context. - 3. **Global Search**: For each identified entity, it performs a global search - across the Group-IB TI platform to find all collections (API paths) that contain - data for that specific indicator. + 3. **Type Validation**: For each entity, it uses a validator to determine if the + identifier corresponds to a supported type (Domain, IP, Hash, Email, or Credit + Card). It also handles URLs by extracting the host domain or IP. - 4. **Data Retrieval**: For every collection found, the action queries the database - to fetch the detailed records associated with the entity using a query formatted - as `type:value`. + 4. **Discovery**: Executes a global search for each valid entity to discover which + specific TI collections (e.g., `apt/threat`, `malware/cnc`, `compromised/bank_card_group`) + contain relevant information. - 5. **Parsing and Output**: The retrieved data is either parsed using the mapping - engine (if enabled) or collected as raw items. The final results are aggregated - into a single JSON object and attached to the action result. + 5. **Data Extraction**: For each discovered collection, it queries the Group-IB + database to retrieve detailed records, applying a limit of 3000 items per collection. + + 6. **Formatting**: If the "Enable mapping parser" parameter is enabled, it transforms + the raw API response into a structured format based on internal mapping configurations. + + 7. **Output**: Aggregates all findings into a comprehensive JSON object, organized + by collection name, and returns it as the action's result. ### Additional Notes - - This action is primarily used for deep enrichment and cross-collection searching - within the Group-IB ecosystem. - - A 1-second delay is implemented between API calls to ensure compliance with - API rate limits. + - The action includes built-in rate limiting (1-second sleeps) between API calls + to ensure stability. + + - This action is primarily used for data gathering; it does not automatically + update entity attributes or create insights within the platform. The retrieved + data is intended for use by subsequent playbook steps via the `JsonResult`. capabilities: can_create_case_comments: false can_create_insight: false @@ -248,47 +301,47 @@ Get-TI-Search-Info: enrichment: true entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false filters_by_creation_time: false filters_by_entity_type: false - filters_by_identifier: false + filters_by_identifier: true filters_by_is_artifact: false filters_by_is_enriched: false filters_by_is_internal: false @@ -296,6 +349,7 @@ Get-TI-Search-Info: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get-TI-Search-Info-By-Collection: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -309,49 +363,78 @@ Get-TI-Search-Info: enrich_asset: false enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get-TI-Search-Info-By-Collection: - ai_description: "Searches the Group-IB Threat Intelligence (TI) database for information\ - \ related to specific entities within a chosen collection. This action allows\ - \ analysts to query a wide variety of TI data\u2014including threat actors, malware\ - \ configurations, phishing kits, and compromised accounts\u2014directly from Google\ - \ SecOps. It supports 31 distinct collections and provides an optional mapping\ - \ parser to structure the raw API response into a more readable format.\n\n###\ - \ Parameters Description\n\n| Parameter | Type | Mandatory | Description |\n|\ - \ :--- | :--- | :--- | :--- |\n| Collection | DDL | Yes | Specifies the Group-IB\ - \ TI collection to search (e.g., `apt/threat`, `malware/cnc`, `suspicious_ip/tor_node`).\ - \ |\n| Enable mapping parser | Boolean | No | If set to `true`, the action will\ - \ use predefined mapping keys to parse the raw JSON output into a structured format.\ - \ Default is `false`. |\n| Search tag | String | No | Allows for targeted field\ - \ searches. If provided, the query is formatted as `tag:entity` (e.g., `domain:google.com`).\ - \ If empty, a general search is performed. |\n\n### Flow Description\n\n1. **Initialization**:\ - \ The action initializes the Group-IB TI poller using the integration's API credentials\ - \ and configuration.\n2. **Parameter Extraction**: It retrieves the selected `Collection`,\ - \ the `Search tag`, and the `Enable mapping parser` toggle.\n3. **Entity Processing**:\ - \ The action iterates through all target entities provided in the context.\n4.\ - \ **Query Construction**: For each entity, it constructs a search query. If a\ - \ `Search tag` is specified, it prefixes the entity identifier with the tag; otherwise,\ - \ it uses the raw identifier.\n5. **Data Retrieval**: It queries the Group-IB\ - \ TI API for the specified collection and query string, retrieving up to 3,000\ - \ results.\n6. **Parsing**: If the mapping parser is enabled, the action transforms\ - \ the raw API items into a structured format based on the integration's mapping\ - \ configuration.\n7. **Output**: The aggregated results from all entities are\ - \ added to the action's JSON result and returned to the platform.\n\n### Additional\ - \ Notes\n\n- This action is primarily used for deep-dive threat intelligence lookups\ - \ across Group-IB's extensive database of cybercriminal activity and compromised\ - \ data.\n- The `Collection` parameter is a dropdown list containing 31 specific\ - \ categories of intelligence." + ai_description: >- + Searches the Group-IB Threat Intelligence (TI) database for information related + to specific entities within a chosen collection. This action allows analysts to + retrieve deep contextual data on indicators such as IPs, Domains, Hashes, URLs, + Emails, and Credit Cards by querying specialized Group-IB collections (e.g., APT + threats, malware configs, compromised accounts). It supports optional data mapping + to transform raw API responses into a structured format and allows for targeted + searches using specific tags. + + + ### Parameters + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Collection | DDL | Yes | The specific Group-IB TI collection to search within + (e.g., `apt/threat`, `malware/cnc`, `compromised/account_group`). | + + | Enable mapping parser | Boolean | No | If enabled, the action will parse the + raw API response using predefined mapping keys to provide a more structured output. + Default is `false`. | + + | Search tag | String | No | Allows for targeted field searches. If provided, + the query is formatted as `tag:entity` (e.g., `domain:google.com`). If empty, + a general search is performed. | + + + ### Additional Notes + + - The action automatically detects the entity type (IP, Domain, Hash, etc.) from + the entity identifier to optimize the search query. + + - The `Enable mapping parser` parameter is treated as a string comparison in the + logic; ensure the boolean value is passed correctly from the playbook. + + + ### Flow Description + + 1. **Initialization**: Retrieves the user-defined parameters: `Collection`, `Enable + mapping parser`, and `Search tag`. + + 2. **Entity Processing**: Iterates through the target entities in the case and + uses an internal validator to determine their specific type (e.g., converting + a URL to its underlying domain or IP). + + 3. **Query Construction**: For each valid entity, constructs a search query. If + a `Search tag` is provided, it prefixes the entity identifier with the tag. + + 4. **API Interaction**: Calls the Group-IB TI API using a poller to search the + specified `Collection` with the constructed query, limited to 3000 results. + + 5. **Data Parsing**: Depending on the `Enable mapping parser` setting, either + parses the results into a structured format or retrieves the raw JSON items. + + 6. **Output**: Aggregates all findings and attaches them to the action result + as a JSON object. capabilities: can_create_case_comments: false can_create_insight: false @@ -366,46 +449,17 @@ Get-TI-Search-Info-By-Collection: enrichment: true entity_usage: entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + - ADDRESS + - DOMAIN + - FILEHASH + - DestinationURL + - USERUNIQNAME + - CREDITCARD filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false filters_by_creation_time: false - filters_by_entity_type: false + filters_by_entity_type: true filters_by_identifier: false filters_by_is_artifact: false filters_by_is_enriched: false @@ -414,6 +468,7 @@ Get-TI-Search-Info-By-Collection: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -425,66 +480,65 @@ Get-TI-Search-Info-By-Collection: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: true + enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: ai_description: >- - Tests the connectivity to the Group-IB Threat Intelligence service. This action - validates the provided API credentials (API Login, API Key, and API URL) and retrieves - a list of all data collections accessible under the current subscription. It is - primarily used for troubleshooting and verifying that the integration is correctly - configured. - + ### General Description - ### Flow Description: + Tests connectivity to the Group-IB Threat Intelligence API and retrieves a list + of available data collections based on the user's subscription. This action is + used to verify that the integration is correctly configured and to identify which + threat intelligence feeds are accessible to the current account. - 1. **Initialization**: The action initializes the Siemplify context and sets the - script name. - 2. **Configuration Retrieval**: It retrieves the integration's global configuration - parameters, including the API login, API key, and API URL. + ### Parameters Description - 3. **API Connection**: It initializes the Group-IB TI adapter and poller to establish - a session with the external service. + | Parameter | Description | Expected Type | Mandatory | - 4. **Data Retrieval**: The action sends a GET request to the `user/granted_collections` - endpoint to verify access. + | :--- | :--- | :--- | :--- | - 5. **Result Processing**: If successful, the list of granted collections is added - to the action's JSON results. If the request fails, an error message is logged - and the action status is set to failed. + | N/A | This action does not take any input parameters. | N/A | N/A | - 6. **Completion**: The action ends by reporting the connectivity status and an - output message. + ### Additional Notes - ### Parameters Description: + - This action relies solely on the integration's global configuration parameters + (API Login, API Key, and API URL). - | Parameter | Type | Mandatory | Description | + - The output includes a JSON object containing the available collections, which + helps analysts understand the scope of data available for enrichment and automated + connectors. - | :--- | :--- | :--- | :--- | - | N/A | N/A | N/A | This action does not have any input parameters. | + ### Flow Description + 1. **Initialize Connection**: The action retrieves the API Login, API Key, and + API URL from the integration configuration. - ### Additional Notes: + 2. **Request Collections**: It sends a GET request to the Group-IB `user/granted_collections` + endpoint. - - This action relies on the global integration configuration for authentication. + 3. **Process Response**: The action parses the JSON response from the API containing + the list of authorized collections. - - The JSON output provides visibility into which Group-IB TI collections (e.g., - `apt/threat`, `malware/cnc`) are available for the configured account. + 4. **Finalize**: If successful, it returns a 'Connection Established' message + and attaches the list of granted collections to the action results. If the request + fails, it reports the specific error encountered. capabilities: can_create_case_comments: false can_create_insight: false @@ -498,7 +552,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -512,28 +566,3 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/partner/group_ib_ti/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/partner/group_ib_ti/resources/ai/connectors_ai_description.yaml index f586e806e..7a8b8d9c7 100644 --- a/content/response_integrations/third_party/partner/group_ib_ti/resources/ai/connectors_ai_description.yaml +++ b/content/response_integrations/third_party/partner/group_ib_ti/resources/ai/connectors_ai_description.yaml @@ -2,11 +2,12 @@ TI IoC Hash Connector: ai_description: >- ### General Description - This connector integrates with the Group-IB Threat Intelligence (TI) Portal to - ingest File Hash Indicators of Compromise (IoCs). It specifically monitors the - `ioc/common` collection for new hash-based threats and creates cases in Google - SecOps. This allows security teams to stay updated on malicious file signatures - identified by Group-IB's global intelligence network. + The **TI IoC Hash Connector** integrates Google SecOps with the Group-IB Threat + Intelligence (TI) Portal to ingest file hash Indicators of Compromise (IoCs). + It specifically monitors the `ioc/common` collection for new malicious file hashes, + allowing security teams to stay updated on global file-based threats. The connector + aggregates these indicators into cases within Google SecOps for automated response + and investigation. ### Parameters Description @@ -17,29 +18,32 @@ TI IoC Hash Connector: | API key | Password | Yes | API key generated at your Group-IB TI Profile. | - | API login | Email | Yes | Email address used to enter the Group-IB TI Portal. + | API login | Email | Yes | Your email address used to enter the Group-IB TI Portal. | - | API URL | String | Yes | Group-IB TI Portal API URL (default: https://tap.group-ib.com/api/v2/). + | API URL | String | Yes | Group-IB TI Portal URL (default: `https://tap.group-ib.com/api/v2/`). | - | Case name | String | Yes | The name to be displayed for the created cases (default: - IoC Hash). | + | Case name | String | Yes | The name to display for the created cases in the + SOAR. | - | Case severity | String | Yes | Severity level for the cases: Informative, Low, - Medium, High, Critical. | + | Case severity | String | Yes | Severity level for the cases (Informative, Low, + Medium, High, Critical). | - | Case type | String | Yes | The case type used to trigger specific playbooks - or actions (default: IoC). | + | Case type | String | Yes | Case type used to trigger specific playbooks or actions. + | - | DeviceProductField | String | Yes | Field name used to determine the device - product (default: title). | + | DeviceProductField | String | Yes | The field name used to determine the device + product (default: `title`). | - | EventClassId | String | Yes | Field name used to determine the event name/sub-type - (default: id). | + | EventClassId | String | Yes | The field name used to determine the event name + or sub-type (default: `id`). | + + | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the + script execution. | | Start date | String | No | Initial date to start downloading data (YYYY-MM-DD). - If not provided, defaults to 1 day back. | + If not provided, it defaults to one day back. | | Verify SSL | Boolean | Yes | Whether to verify SSL certificates for API requests. | @@ -47,40 +51,38 @@ TI IoC Hash Connector: ### Flow Description - 1. **Authentication**: The connector connects to the Group-IB TI Portal using - the provided API Login and API Key. - - 2. **State Management**: It retrieves the last processed sequence update number - from the Google SecOps internal storage to ensure only new data is fetched. + 1. **Authentication**: The connector establishes a connection to the Group-IB + TI Portal using the provided API Login and API Key. - 3. **Initialization**: If no previous state exists, it uses the "Start date" parameter - (or defaults to 24 hours ago) to determine the starting sequence update number - for the `ioc/common` collection. + 2. **State Retrieval**: It fetches the last processed sequence update number (timestamp) + from the internal storage. If no timestamp is found, it uses the `Start date` + parameter or defaults to 24 hours ago to determine the starting point. - 4. **Data Retrieval**: It queries the Group-IB API for new IoC updates starting - from the saved sequence number, limited to 50 items per cycle. + 3. **Data Ingestion**: The connector queries the `ioc/common` collection for new + updates. It uses a generator to fetch data in portions (limit of 50 per batch) + to ensure efficient processing. - 5. **Filtering**: The connector parses the retrieved data, specifically filtering - for entries containing file hash indicators (`file_ioc__hash`). + 4. **Filtering and Parsing**: It filters the incoming data to extract valid file + hashes and associated metadata (such as the Group-IB object ID). - 6. **Event Creation**: For each identified hash, it creates an event object containing - the hash value, event type ("FileHash"), and associated metadata. + 5. **Alert Aggregation**: Extracted hashes are mapped to SOAR events and aggregated + into a single `AlertInfo` object representing a case. - 7. **Case Ingestion**: Events are aggregated into a single Alert/Case using the - configured "Case name", "Case type", and "Case severity". + 6. **Case Creation**: The aggregated alert is ingested into Google SecOps with + the configured severity, name, and type. - 8. **Checkpointing**: The connector saves the latest sequence update number back - to the internal storage to mark the progress for the next execution. + 7. **Checkpointing**: Upon successful processing, the connector saves the latest + sequence update number to the internal storage to ensure the next execution resumes + from the last processed record. TI IoC IP Connector: ai_description: >- ### General Description - This connector integrates with the Group-IB Threat Intelligence (TI) Portal to - automatically fetch Indicators of Compromise (IoCs), specifically focusing on - malicious IP addresses. It monitors the `ioc/common` collection within the Group-IB - TI platform and ingests these indicators into Google SecOps as cases. This allows - security teams to proactively identify and respond to network-based threats based - on Group-IB's global threat intelligence data. + The TI IoC IP Connector integrates Google SecOps with the Group-IB Threat Intelligence + (TI) Portal to ingest IP-based Indicators of Compromise (IoCs). It periodically + monitors the Group-IB `ioc/common` collection to fetch the latest malicious IP + addresses and automatically creates cases within Google SecOps for security analysis + and automated response. ### Parameters Description @@ -89,62 +91,63 @@ TI IoC IP Connector: | :--- | :--- | :--- | :--- | - | API login | Email | Yes | Your email address used to access the Group-IB TI - Portal. | + | API login | Email | Yes | Your email address used to enter the Group-IB TI Portal. + | - | API URL | String | Yes | The base URL for the Group-IB TI Portal API (e.g., + | API URL | String | Yes | The base URL for the Group-IB TI Portal API (default: https://tap.group-ib.com/api/v2/). | - | Case name | String | Yes | The display name for the cases created in Google - SecOps. | + | Case name | String | Yes | The name to be displayed for the created cases in + Google SecOps. | - | Case severity | String | Yes | The severity level assigned to created cases - (Informative, Low, Medium, High, Critical). | + | Case severity | String | Yes | The severity level for the created cases (Informative, + Low, Medium, High, Critical). | - | Case type | String | Yes | The case type used to categorize the alert and trigger - specific playbooks. | + | Case type | String | Yes | The case type used to trigger specific playbooks + or actions. | | DeviceProductField | String | Yes | The field name used to determine the device product in the event metadata. | - | EventClassId | String | Yes | The field name used to determine the event name - or sub-type. | + | EventClassId | String | Yes | The field name used to determine the event name/sub-type. + | - | PythonProcessTimeout | String | Yes | The maximum execution time (in seconds) - allowed for the connector script. | + | PythonProcessTimeout | String | Yes | The timeout limit in seconds for the connector + execution. | - | Start date | String | No | The initial date (YYYY-MM-DD) to begin fetching data - if no previous checkpoint exists. Defaults to 1 day back. | + | Start date | String | No | The starting date (YYYY-MM-DD) to fetch data if no + previous checkpoint exists. Defaults to one day back. | | API key | Password | Yes | The API key generated from your Group-IB TI Profile. | - | Verify SSL | Boolean | Yes | If enabled, the connector will verify SSL certificates - for API requests. | + | Verify SSL | Boolean | Yes | Whether to verify SSL certificates for API requests. + | ### Flow Description - 1. **Authentication**: The connector authenticates with the Group-IB TI Portal - using the provided API Login and API Key. + 1. **Authentication**: The connector establishes a connection to the Group-IB + TI Portal using the provided API login and API key. - 2. **State Tracking**: It retrieves the last processed 'sequence update' number - from the internal storage. If this is the first run, it uses the `Start date` - parameter or defaults to fetching data from the last 24 hours. + 2. **Checkpoint Retrieval**: It checks the Google SecOps internal storage for + the last processed sequence update number (timestamp) to ensure data continuity. - 3. **Data Collection**: The connector queries the `ioc/common` collection for - new threat intelligence updates released since the last successful execution. + 3. **Initial Sync**: If no previous checkpoint is found, the connector uses the + configured `Start date` (or defaults to 24 hours ago) to determine the starting + sequence update number from the Group-IB API. - 4. **Parsing and Filtering**: It iterates through the retrieved intelligence portions, - specifically extracting network profiles that contain valid IP addresses. + 4. **Data Ingestion**: The connector queries the `ioc/common` collection for new + threat data using the sequence update number. - 5. **Alert Construction**: For each identified malicious IP, the connector creates - an internal event and aggregates them into a single Alert/Case structure defined - by the `Case name` and `Case severity` parameters. + 5. **Filtering and Parsing**: It parses the retrieved data, specifically filtering + for indicators that contain IP address information within the `network_profile` + section. - 6. **Ingestion**: The aggregated alert and its associated events are returned - to Google SecOps for case creation. + 6. **Case and Event Creation**: For the identified IoCs, the connector generates + a Google SecOps case containing individual events for each malicious IP address, + applying the configured severity and case type. - 7. **Checkpointing**: Upon successful processing, the connector saves the latest - sequence update number to ensure that the next run only fetches new, unprocessed - indicators. + 7. **State Persistence**: Upon successful ingestion, the connector saves the latest + sequence update number back to the internal storage to prevent duplicate ingestion + in the next run. diff --git a/content/response_integrations/third_party/partner/houdin_io/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/houdin_io/resources/ai/actions_ai_description.yaml index 227b16465..bb0cea519 100644 --- a/content/response_integrations/third_party/partner/houdin_io/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/houdin_io/resources/ai/actions_ai_description.yaml @@ -1,11 +1,42 @@ Enrich Entities: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Enrich Entities** action enriches compatible entities (Public IPv4/IPv6, - URL, Domain, and File Hashes) by scanning them on the Houdin.io platform. It retrieves - comprehensive threat intelligence, including threat scores and AI-driven analysis - summaries, and updates the entity attributes within Google SecOps. + Enriches entities by performing scans on Houdin.io to retrieve threat intelligence + and AI-driven analysis. The action supports multiple entity types including Public + IP addresses, URLs, Domains, and File Hashes. It allows users to specify which + scanners (e.g., VirusTotal, URLScan, AbuseIPDB, Triage) should be utilized for + the enrichment process. Results, including threat scores and AI-generated summaries, + are appended to the entities as additional properties, providing analysts with + immediate context within the Google SecOps platform. ### Parameters Description @@ -14,64 +45,67 @@ Enrich Entities: | :--- | :--- | :--- | :--- | - | **scanOn** | multi_choice_parameter | No | An array of scanners you want Houdin - to use. Supported options include: `vt`, `urlscan`, `alienvault`, `abuseipdb`, - `triage`, `mesmer`, and `servicenow`. | + | scanOn | Multi-choice | No | (Optional) An array of scanners you want Houdin + to use. Supported options include: vt, urlscan, alienvault, abuseipdb, triage, + mesmer, and servicenow. If not provided, Houdin uses its default scanner set. + | ### Additional Notes - - This action is **asynchronous**; ensure the script timeout in the Google SecOps - IDE is adjusted if necessary to accommodate polling times. - - - **IP Filtering:** Only global (public) IP addresses are processed. Internal - or private IP addresses are automatically skipped. + - The action is asynchronous and involves polling the Houdin.io API for results + after the initial scan request. - - **File Hashes:** Compatible hash types include MD5, SHA1, and SHA256. + - It specifically filters for Public IP addresses (global) and will skip internal/private + IP addresses. - - **Configuration:** Requires a valid API Key to be configured in the Houdin-io - integration settings. + - Compatible artifact types for scanning include: Public IPv4/IPv6, URL, Domain, + MD5, SHA1, and SHA256 hashes. ### Flow Description - 1. **Identify Compatible Entities:** The action filters the target entities for - supported types: Public IPs, URLs, Domains, and File Hashes. + 1. **Filter Entities:** The action iterates through target entities and identifies + compatible types: URL, Domain, FileHash, DestinationURL, or Public IP addresses + (verified via global scope check). - 2. **Launch Scans:** For each compatible entity, the action sends a POST request - to Houdin.io to initiate a scan, optionally specifying the scanners to be used. + 2. **Launch Scans:** For each compatible entity, it initiates a scan request to + the Houdin.io API using the `launch_scan` method, passing the optional scanner + list. - 3. **Poll for Results:** The action polls the Houdin.io API using the returned - scan IDs until the analysis is complete. + 3. **Poll Results:** The action polls the Houdin.io API for each generated scan + ID until the analysis is complete or the maximum retry limit is reached. - 4. **Extract Intelligence:** It retrieves the threat score (from the Mesmer engine), - an AI-generated analysis summary, and the list of analysis sources. + 4. **Extract Intelligence:** It parses the returned scan results to extract the + 'Mesmer' global threat score, AI analysis summary, and the list of sources used + for the scan. 5. **Enrich Entities:** The action updates the `additional_properties` of the - entities in Google SecOps with the retrieved data and provides a detailed JSON - result. + successful entities with the retrieved threat intelligence (e.g., `Houdin-io_Threat_Score`, + `Houdin-io_AI_Analysis`). + + 6. **Finalize:** It updates the entities in the case, adds a detailed JSON result + for each entity, and returns a summary message of the processed indicators. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false - can_mutate_external_data: true + can_mutate_external_data: false can_mutate_internal_data: true can_update_entities: true - external_data_mutation_explanation: >- - The action initiates a new scan job on the Houdin.io platform by sending a POST - request with the entity identifier. + external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action updates the 'additional_properties' of entities in Google SecOps - with threat scores, AI analysis summaries, and analysis sources. + Updates entity additional properties with Houdin-io threat scores, AI analysis + summaries, and analysis sources. categories: - enrichment: false + enrichment: true entity_usage: entity_types: - - ADDRESS - - DOMAIN - - FILEHASH - - DestinationURL + - ADDRESS + - DOMAIN + - FILEHASH + - DestinationURL filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -85,6 +119,7 @@ Enrich Entities: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -96,63 +131,47 @@ Enrich Entities: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: true + enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false - submit_file: true + send_message: false + submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: - ai_description: >- - The Ping action is a utility designed to verify the connectivity between Google - SecOps and the Houdin.io API. It ensures that the provided API Key is valid and - that the network path to the service is open. This action is typically used during - the initial setup of the integration or for troubleshooting communication issues. - - - ### Flow Description: - - 1. **Initialization**: The action retrieves the 'API Key' and 'Verify SSL' settings - from the integration's global configuration. - - 2. **Manager Setup**: It initializes the `HoudinManager` with these credentials. - - 3. **Connectivity Test**: It calls the `test_connectivity` method, which sends - a POST request to the Houdin.io `/ping` endpoint. - - 4. **Validation**: The action checks the HTTP response status. If it receives - a 200 OK, the connection is confirmed. - - 5. **Completion**: The action returns a boolean 'true' on success or 'false' if - an exception or authentication error occurs. - - - ### Parameters Description: - - | Parameter Name | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | No Action Parameters | N/A | N/A | This action does not take any input parameters; - it relies solely on the integration's configuration (API Key and Verify SSL). - | - - - ### Additional Notes: - - * This action is strictly for health checks and does not process any entities - or alert data. - - * It uses a POST request for the ping endpoint as required by the Houdin.io API - specification. + ai_description: "### General Description\nThe **Ping** action is a utility designed\ + \ to verify the connectivity between the Google SecOps platform and the Houdin.io\ + \ API. It ensures that the provided API Key is valid and that the network path\ + \ to the API endpoint is open and functional. This action is typically used during\ + \ the initial setup of the integration or for troubleshooting communication issues.\n\ + \n### Parameters Description\n| Parameter Name | Type | Mandatory | Description\ + \ |\n| :--- | :--- | :--- | :--- |\n| None | N/A | N/A | This action does not\ + \ have any input parameters. It relies solely on the integration's configuration\ + \ (API Key and Verify SSL). |\n\n### Additional Notes\n- This action uses a POST\ + \ request to the `/ping` endpoint of the Houdin.io API.\n- It includes a retry\ + \ mechanism that attempts the connection up to two times if a 500 Internal Server\ + \ Error is encountered.\n- The action returns a boolean value (`true` or `false`)\ + \ to indicate the success or failure of the connectivity test.\n\n### Flow Description\n\ + 1. **Initialization**: The action extracts the global integration configuration,\ + \ specifically the **API Key** and the **Verify SSL** setting.\n2. **Manager Setup**:\ + \ It initializes the `HoudinManager` with the extracted credentials.\n3. **Connectivity\ + \ Test**: The action calls the `test_connectivity` method, which sends an authenticated\ + \ POST request to `https://app.houdin.io/api/v1/ping`.\n4. **Response Handling**:\ + \ \n - If the API returns a 200 OK status, the action logs a success message\ + \ and sets the result to `true`.\n - If the API returns a 500 error, it retries\ + \ once.\n - If the API returns any other error status or a connection exception\ + \ occurs, the action catches the error, logs it, and sets the result to `false`.\n\ + 5. **Completion**: The action terminates, providing the connectivity status and\ + \ a descriptive output message." capabilities: can_create_case_comments: false can_create_insight: false @@ -166,7 +185,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -180,6 +199,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Scan Artifact: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -193,28 +213,29 @@ Ping: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false - submit_file: false + send_message: false + submit_file: true uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Scan Artifact: ai_description: >- ### General Description - The **Scan Artifact** action allows users to submit a specific artifact (such - as an IP address, URL, Domain, or File Hash) to the Houdin.io platform for comprehensive - security analysis. It supports a variety of third-party scanners and returns the - aggregated results directly into the Google SecOps platform. This action is asynchronous, - meaning it initiates a scan and then polls for the results until the analysis - is complete. + Launches a scan on the Houdin.io platform for a specific artifact and retrieves + the analysis results. This action supports multiple artifact types, including + IP addresses (IPv4/IPv6), URLs, domains, and file hashes (MD5, SHA1, SHA256). + It operates by initiating a scan job and then polling the Houdin API until the + results are available. ### Parameters Description @@ -223,39 +244,38 @@ Scan Artifact: | :--- | :--- | :--- | :--- | - | **artifact** | String | Yes | The specific indicator to be scanned. Supported - formats include Public IPv4/IPv6, URL, Domain, MD5, SHA1, and SHA256. | + | artifact | string | Yes | The specific artifact to be scanned. Supported types: + IPv4, IPv6, URL, Domain, MD5, SHA1, SHA256. | - | **scanOn** | Multi-choice | No | A list of specific scanners to be utilized - by Houdin.io. Options include `vt` (VirusTotal), `urlscan`, `alienvault`, `abuseipdb`, - `triage`, `mesmer`, and `servicenow`. If left empty, default scanners are used. + | scanOn | multi_choice_parameter | No | A list of specific scanners to be utilized + by Houdin (e.g., vt, urlscan, alienvault, abuseipdb, triage, mesmer, servicenow). | ### Flow Description - 1. **Initialization**: The action extracts the API Key from the integration configuration - and the artifact/scanner details from the action parameters. + 1. **Setup**: The action extracts the API Key from the integration configuration + and initializes the Houdin communication manager. - 2. **Scan Launch**: It sends a POST request to the Houdin.io API to initiate a - scan for the provided artifact. + 2. **Input Processing**: It retrieves the `artifact` and the optional `scanOn` + list of scanners from the action parameters. - 3. **Polling**: Because the action is asynchronous, it enters a polling loop, - periodically checking the status of the scan using the unique Scan ID received - during the launch phase. + 3. **Scan Initiation**: The action sends a POST request to the Houdin API to launch + a new scan for the provided artifact. - 4. **Data Retrieval**: Once the scan status indicates completion, the action retrieves - the full JSON report of the findings. + 4. **Polling**: Because the scan takes time, the action enters a polling phase, + repeatedly checking the status of the scan ID via GET requests until the analysis + is finished. - 5. **Output**: The final results are attached to the action execution as a JSON - result and a specific 'HoudinResult' object for use in downstream playbook logic. + 5. **Completion**: Once the scan is complete, the full result set is retrieved + and attached to the action's output as a JSON result. ### Additional Notes - - This action is marked as **async**. Users should ensure that the script timeout - in the Google SecOps IDE is configured to allow enough time for external scanners - to complete their analysis. + This action is executed asynchronously. Users should ensure that the script timeout + value in the Google SecOps IDE is set high enough to accommodate the time required + for external scanners to complete their analysis. capabilities: can_create_case_comments: false can_create_insight: false @@ -264,14 +284,13 @@ Scan Artifact: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - The action performs a POST request to the Houdin.io API to 'launch' a new scan - job, which creates a new record/task on the external platform. + Initiates a new scan job and creates a scan record on the Houdin.io platform. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -285,28 +304,3 @@ Scan Artifact: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: true - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: true - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/partner/infoblox_nios/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/infoblox_nios/resources/ai/actions_ai_description.yaml index 3f9f44af4..4e1cfbc4b 100644 --- a/content/response_integrations/third_party/partner/infoblox_nios/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/infoblox_nios/resources/ai/actions_ai_description.yaml @@ -1,43 +1,74 @@ Create Host Record: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - Adds a host record to Infoblox NIOS with associated IPv4 and IPv6 addresses. This - action is primarily used for IPAM (IP Address Management) and DNS inventory management. - When the 'Configure for DNS' parameter is enabled, the action automatically creates - the corresponding A, AAAA, and PTR DNS records in the specified DNS view. + ### General Description + The **Create Host Record** action adds a new host record to the Infoblox NIOS + system. This action is used for IP Address Management (IPAM) and DNS inventory, + allowing users to define a host with its associated IPv4 and IPv6 addresses. If + configured, the action can also automatically generate corresponding DNS records + such as A, AAAA, and PTR records. - ### Flow Description: - 1. **Parameter Extraction:** The action retrieves the host name (FQDN), IP address - arrays, DNS view, and other optional configurations like aliases and extended - attributes from the action parameters. + ### Flow Description - 2. **Validation:** It validates that the host name is provided and that the IP - address objects (IPv4/IPv6) are in the correct JSON format. + 1. **Parameter Extraction:** The action retrieves the host name, IP address lists, + DNS view, and optional metadata including comments, aliases, and extended attributes. - 3. **API Interaction:** It sends a POST request to the Infoblox NIOS WAPI `/record:host` - endpoint to create the host record. + 2. **Validation:** It ensures the host name is provided and validates that the + IP address objects and additional parameters are in the correct JSON format. - 4. **Result Processing:** Upon success, it returns the created record's details - in JSON format and populates a data table named 'Hosts' in the Google SecOps case. + 3. **API Interaction:** It initializes the Infoblox API manager and executes a + POST request to the `/record:host` endpoint to create the record. + 4. **Output:** Upon successful creation, the action returns the full details of + the new host record as a JSON result and displays a summary table in the SOAR + interface. - ### Parameters Description: + + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Name | String | Yes | The FQDN of the host (e.g., `server1.auth.threat.zone`). - It must belong to an existing DNS zone. | + | Name | String | Yes | The FQDN of the host (e.g., server1.example.com). It must + belong to an existing DNS zone. | - | IPv4 Addresses | String | No | A JSON array of IPv4 objects, e.g., `[{"ipv4addr":"192.168.1.100","mac":"00:11:22:33:44:55","configure_for_dhcp":true}]`. + | IPv4 Addresses | String | No | A JSON array of IPv4 objects (e.g., [{"ipv4addr":"192.168.1.100","mac":"00:11:22:33:44:55","configure_for_dhcp":true}]). | - | IPv6 Addresses | String | No | A JSON array of IPv6 objects, e.g., `[{"ipv6addr":"2001:db8::1"}]`. + | IPv6 Addresses | String | No | A JSON array of IPv6 objects (e.g., [{"ipv6addr":"2001:db8::1"}]). | - | View | String | No | The DNS view in which the record resides (default is 'default'). + | View | String | No | The DNS view in which the record resides (default: "default"). | | Comment | String | No | Additional information or notes about this host record. @@ -46,22 +77,24 @@ Create Host Record: | Aliases | String | No | Comma-separated list of DNS aliases (CNAMEs) for this host. | - | Configure for DNS | Boolean | No | When true (default), the host record includes - associated DNS records. | + | Configure for DNS | Boolean | No | When true, creates associated DNS records + (A/AAAA/PTR). Default is true. | - | Extended Attributes | String | No | Comma-separated key/value formatted filter - for extended attributes (e.g., `Site=New York`). | + | Extended Attributes | String | No | Comma-separated key/value formatted string + for extended attributes (e.g., "Site=New York"). | - | Additional Parameters | String | No | A JSON object containing additional parameters - supported by the Infoblox API (e.g., `{"use_ttl":true}`). | + | Additional Parameters | String | No | JSON object for additional parameters + supported by the Infoblox API. | - ### Additional Notes: + ### Additional Notes - - The 'Name' parameter must be a valid FQDN. + - The **Name** parameter is mandatory despite being marked as optional in the + parameter extraction logic, as it is explicitly validated as a required string + before the API call. - - IP address parameters must be formatted as valid JSON arrays of objects as required - by the Infoblox WAPI. + - The **IPv4 Addresses** and **IPv6 Addresses** parameters must be valid JSON + arrays of objects. capabilities: can_create_case_comments: false can_create_insight: false @@ -70,14 +103,14 @@ Create Host Record: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new host record and potentially associated DNS A, AAAA, and PTR records - in the Infoblox NIOS instance. + Creates a new host record and potentially associated DNS records (A, AAAA, PTR) + in the Infoblox NIOS system via a POST request to the /record:host endpoint. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -91,10 +124,11 @@ Create Host Record: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Create RPZ A Rule: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false - add_ioc_to_blocklist: false + add_ioc_to_blocklist: true contain_host: false create_ticket: false delete_email: false @@ -104,75 +138,77 @@ Create Host Record: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Create RPZ A Rule: ai_description: >- - Creates an RPZ (Response Policy Zone) Substitute rule in Infoblox NIOS. This action + Creates a Response Policy Zone (RPZ) Substitute rule in Infoblox NIOS. This action allows administrators to map a specific domain name (A record) or an IPv4 address to a substitute IPv4 address. This is primarily used for DNS redirection, sinkholing, - or blocking malicious traffic at the DNS level. + or blocking access to specific network resources by overriding standard DNS resolution. - ### Flow Description + ### Flow Description: - 1. **Parameter Extraction:** The action retrieves the object type (Domain or IP), - the rule name, the target RP Zone, and the substitute IPv4 address from the input + 1. **Parameter Extraction:** The action retrieves the object type, rule name, + target RP zone, substitute IPv4 address, and optional comments or additional JSON parameters. - 2. **Validation:** It validates that the rule name and RP Zone are non-empty strings - and ensures the provided IPv4 address is in a valid format. + 2. **Validation:** It validates that the rule name and RP zone are provided, and + ensures the substitute IPv4 address is a valid IPv4 format. - 3. **Endpoint Selection:** Based on the 'Object Type' parameter, the action selects - the appropriate Infoblox WAPI endpoint (either `record:rpz:a` for domains or `record:rpz:a:ipaddress` - for IP addresses). + 3. **Record Type Determination:** Based on the 'Object Type' parameter, the action + determines whether to create a standard RPZ A rule (`record:rpz:a`) for domains + or an IP-based RPZ A rule (`record:rpz:a:ipaddress`). - 4. **Rule Creation:** It sends a POST request to the Infoblox API to create the - new rule, including any optional comments or additional JSON parameters provided - by the user. + 4. **API Execution:** It constructs the rule name (appending the zone if not already + present) and sends a POST request to the Infoblox WAPI to create the record. - 5. **Output Generation:** Upon success, the action returns the raw JSON of the - created record and populates a data table named 'RPZ A Rule' with the rule's details. + 5. **Result Processing:** Upon success, it returns the raw JSON response and creates + a data table in the SOAR case wall summarizing the new rule's details. - ### Parameters Description + ### Parameters Description: | Parameter Name | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Object Type | DDL | Yes | Determines the type of record to create. Options are - 'Domain Name' or 'IP Address'. | + | **Object Type** | DDL | Yes | Determines the record category. Options are 'Domain + Name' (standard A record) or 'IP Address' (IP-based rule). | - | Name | String | Yes | The domain name or IP address that the rule will apply - to. | + | **Name** | String | Yes | The name/FQDN of the rule to be created. | - | RP Zone | String | Yes | The name of the Response Policy Zone where the rule - will be created. | + | **RP Zone** | String | Yes | The specific Response Policy Zone where the rule + will be assigned. | - | IPv4 Address | String | Yes | The substitute IPv4 address that the DNS query - will be redirected to. | + | **IPv4 Address** | String | Yes | The substitute IPv4 address that the DNS query + will resolve to. | - | Comment | String | No | An optional description or note for the rule. | + | **Comment** | String | No | An optional descriptive comment for the rule. | - | Additional Parameters | String | No | A JSON object string containing extra - Infoblox-specific parameters for the record creation. | + | **Additional Parameters** | String | No | A JSON object string containing extra + parameters supported by the Infoblox WAPI for RPZ rules. | - ### Additional Notes + ### Additional Notes: + + - The action automatically formats the rule name by appending the RP Zone if the + provided name does not already end with it. - - The 'Name' parameter is automatically formatted to include the 'RP Zone' suffix - if it is not already present, ensuring compatibility with Infoblox naming conventions. + - If 'Additional Parameters' is provided, it must be a valid JSON object string. capabilities: can_create_case_comments: false can_create_insight: false @@ -181,14 +217,14 @@ Create RPZ A Rule: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new RPZ A rule (DNS record) in the Infoblox NIOS system to redirect - or block traffic. + Creates a new RPZ A rule record in the Infoblox NIOS system via a POST request + to the WAPI. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -202,6 +238,7 @@ Create RPZ A Rule: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Create RPZ AAAA Rule: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -215,71 +252,79 @@ Create RPZ A Rule: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Create RPZ AAAA Rule: ai_description: >- - Creates an RPZ (Response Policy Zone) AAAA rule in Infoblox NIOS. This action - allows for DNS redirection or blocking by mapping a domain name or an IPv6 address - to a substitute IPv6 address. It is primarily used to implement security policies - at the DNS level, such as sinkholing malicious domains or redirecting traffic - from known bad IPv6 addresses. + ### General Description + Creates an RPZ AAAA rule in Infoblox NIOS. This action allows for mapping a domain + name or an IPv6 address to a substitute IPv6 address within a specific Response + Policy Zone (RPZ). This is commonly used for DNS-based redirection or blocking + of malicious traffic. - ### Flow Description: - 1. **Parameter Extraction:** The action retrieves the object type (Domain Name - or IP Address), the rule name, the target RP Zone, and the substitute IPv6 address - from the input parameters. + ### Parameters Description - 2. **Validation:** It validates that the required strings are non-empty and that - the provided IPv6 address follows the correct format. + | Parameter | Type | Mandatory | Description | - 3. **API Interaction:** Based on the 'Object Type', it determines the specific - Infoblox WAPI endpoint (either `record:rpz:aaaa` or `record:rpz:aaaa:ipaddress`) - and sends a POST request to create the record. + | :--- | :--- | :--- | :--- | - 4. **Result Processing:** Upon success, the action retrieves the created record's - details, formats them into a data table, and provides the raw JSON response. + | Object Type | String | Yes | The type of the object for which to create the + record. Options: 'Domain Name', 'IP Address'. | + | Name | String | Yes | The name of the rule (e.g., the domain name or IP address + to be redirected). | - ### Parameters Description: + | RP Zone | String | Yes | The name of the Response Policy Zone where the rule + will be created. | - | Parameter Name | Type | Mandatory | Description | + | IPv6 Address | String | Yes | The substitute IPv6 address that the target will + be redirected to. | - | :--- | :--- | :--- | :--- | + | Comment | String | No | An optional comment to associate with the rule. | + + | Additional Parameters | String | No | A JSON string containing any additional + Infoblox WAPI parameters for the record creation. | - | **Object Type** | DDL | Yes | Determines if the rule targets a 'Domain Name' - or an 'IP Address'. | - | **Name** | String | Yes | The FQDN or identifier for the rule. | + ### Additional Notes - | **RP Zone** | String | Yes | The name of the Response Policy Zone where the - rule will be created. | + - The action performs validation to ensure the provided IPv6 Address is in a valid + format. - | **IPv6 Address** | String | Yes | The substitute IPv6 address used for redirection - or blocking. | + - Depending on the 'Object Type' selected, the action creates either a 'record:rpz:aaaa' + or a 'record:rpz:aaaa:ipaddress' in Infoblox. - | **Comment** | String | No | An optional descriptive comment for the rule. | - | **Additional Parameters** | String | No | A JSON string containing extra key-value - pairs for advanced Infoblox record configuration. | + ### Flow Description + 1. **Initialization:** The action extracts the integration configuration and the + user-provided parameters. - ### Additional Notes: + 2. **Validation:** It verifies that the Name, RP Zone, and IPv6 Address are provided + and that the IPv6 address is valid. + + 3. **API Preparation:** It determines the appropriate Infoblox WAPI endpoint and + record type based on the 'Object Type' parameter. + + 4. **Execution:** It sends a POST request to the Infoblox NIOS API to create the + new RPZ AAAA rule. - - The 'Name' parameter is automatically suffixed with the 'RP Zone' name if it - doesn't already end with it to ensure the FQDN is correctly formed for Infoblox. + 5. **Output:** Upon successful creation, it adds the raw API response to the action + results and generates a data table for the analyst. capabilities: can_create_case_comments: false can_create_insight: false @@ -288,14 +333,14 @@ Create RPZ AAAA Rule: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new RPZ AAAA rule record in the Infoblox NIOS system, which modifies - the DNS response policy configuration. + Creates a new RPZ AAAA rule in Infoblox NIOS, which modifies the DNS configuration + of the specified Response Policy Zone. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -309,6 +354,7 @@ Create RPZ AAAA Rule: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Create RPZ CNAME Rule: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -322,89 +368,52 @@ Create RPZ AAAA Rule: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Create RPZ CNAME Rule: - ai_description: >- - Adds a CNAME rule to an existing Response Policy Zone (RPZ) in Infoblox NIOS. - This action allows administrators to override DNS behavior for specific domains - or IP addresses, enabling capabilities such as blocking resolution, passing traffic - through, or redirecting to a substitute domain. It supports different object types - including Domain Names, IP Addresses, and Client IP Addresses. - - - ### Parameters Description - - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Name | String | Yes | The rule name in a FQDN format. | - - | RP Zone | String | Yes | The target Response Policy Zone to which the rule will - be added. | - - | Rule Type | DDL | Yes | The behavior of the rule. Options: `Passthru`, `Block - (No such domain)`, `Substitute (Domain name)`, `Block (No data)`. | - - | Object Type | DDL | Yes | The type of object the rule targets. Options: `Domain - Name`, `IP Address`, `Client IP Address`. | - - | Substitute Name | String | No | The domain name to use as a substitute. This - is required if the 'Rule Type' is set to 'Substitute (Domain name)'. | - - | View | String | No | The DNS view in which the records are located. Defaults - to 'default'. | - - | Comment | String | No | A descriptive comment for the rule. | - - | Additional Parameters | String | No | A JSON object containing any additional - parameters for the Infoblox API request. | - - - ### Flow Description - - - 1. **Parameter Extraction:** The action retrieves all input parameters, including - the rule name, zone, type, and object target. - - 2. **Validation:** It validates that mandatory fields like 'Name' and 'RP Zone' - are provided and ensures 'Additional Parameters' is a valid JSON object. - - 3. **Endpoint Selection:** Based on the 'Object Type' (Domain, IP, or Client IP), - the action selects the corresponding Infoblox WAPI endpoint. - - 4. **Logic Mapping:** The action maps the 'Rule Type' to the specific 'canonical' - value required by Infoblox (e.g., '*' for 'Block (No data)', 'rpz-passthru' for - 'Passthru' on Client IPs). - - 5. **API Execution:** A POST request is sent to the Infoblox NIOS server to create - the rule. - - 6. **Result Processing:** The action parses the API response, creates a data table - with the new rule's details, and returns the execution status. - - - ### Additional Notes - - - - **Conditional Requirement:** If the 'Rule Type' is set to 'Substitute (Domain - name)', the 'Substitute Name' parameter must be provided. - - - **Compatibility:** The 'Substitute (Domain name)' rule type is only applicable - when the 'Object Type' is 'Domain Name'. It cannot be used with IP Address or - Client IP Address object types. + ai_description: "Adds a CNAME rule to an existing Response Policy Zone (RPZ) in\ + \ Infoblox NIOS to override DNS behavior. This action allows administrators to\ + \ define how specific domain names or IP addresses should be handled by the DNS\ + \ firewall, such as blocking them, allowing them to pass through, or substituting\ + \ them with a different domain name.\n\n### Flow Description:\n1. **Parameter\ + \ Extraction:** The action retrieves the rule name, target RP zone, rule type,\ + \ object type, and optional configurations like comments and DNS views.\n2. **Validation:**\ + \ It validates that mandatory fields (Name, RP Zone) are provided and that 'Additional\ + \ Parameters' is a valid JSON object.\n3. **Logic Mapping:** \n * It determines\ + \ the specific Infoblox API endpoint based on the 'Object Type' (Domain Name,\ + \ IP Address, or Client IP Address).\n * It maps the 'Rule Type' to the corresponding\ + \ 'canonical' value required by Infoblox (e.g., '*' for 'Block (No data)', 'rpz-passthru'\ + \ for 'Passthru' on Client IPs).\n4. **API Execution:** A POST request is sent\ + \ to the Infoblox NIOS server to create the rule.\n5. **Result Processing:** Upon\ + \ success, the action returns the raw JSON response and displays the created rule\ + \ details in a structured data table.\n\n### Parameters Description:\n| Parameter\ + \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Name |\ + \ string | Yes | The rule name in FQDN format. |\n| RP Zone | string | Yes | The\ + \ Response Policy Zone to which the rule will be assigned. |\n| Rule Type | ddl\ + \ | Yes | The action to take: 'Passthru', 'Block (No such domain)', 'Substitute\ + \ (Domain name)', or 'Block (No data)'. |\n| Object Type | ddl | Yes | The type\ + \ of object the rule applies to: 'Domain Name', 'IP Address', or 'Client IP Address'.\ + \ |\n| Substitute Name | string | No | The domain name to substitute. Required\ + \ only if 'Rule Type' is set to 'Substitute (Domain name)'. |\n| View | string\ + \ | No | The DNS view where the records are located. Defaults to 'default'. |\n\ + | Comment | string | No | An optional comment or description for the rule. |\n\ + | Additional Parameters | string | No | A JSON object containing any extra parameters\ + \ supported by the Infoblox API for RPZ rules. |\n\n### Additional Notes:\n* The\ + \ 'Substitute (Domain name)' rule type is only applicable when the 'Object Type'\ + \ is 'Domain Name'.\n* If the 'Name' provided does not end with the 'RP Zone'\ + \ name, the action automatically appends the zone name to ensure a valid FQDN." capabilities: can_create_case_comments: false can_create_insight: false @@ -413,14 +422,14 @@ Create RPZ CNAME Rule: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new CNAME rule in the specified Response Policy Zone (RPZ) on the - Infoblox NIOS server, which modifies the DNS resolution policy. + Creates a new CNAME record within a Response Policy Zone (RPZ) on the Infoblox + NIOS server, which modifies DNS resolution behavior for the specified targets. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -434,10 +443,11 @@ Create RPZ CNAME Rule: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Create RPZ MX Rule: action_product_categories: add_alert_comment: false - add_ioc_to_allowlist: true - add_ioc_to_blocklist: true + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false contain_host: false create_ticket: false delete_email: false @@ -447,44 +457,44 @@ Create RPZ CNAME Rule: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Create RPZ MX Rule: ai_description: >- Adds a mail exchange (MX) override rule to a Response Policy Zone (RPZ) in Infoblox - NIOS. This action allows administrators to define custom mail routing for specific - domains within a security policy zone, typically used for redirecting or managing - mail traffic for policy enforcement. + NIOS. This action allows administrators to define custom mail routing logic within + a specific DNS zone by creating an MX record. It supports standard MX parameters + like preference and mail exchanger host, along with optional comments and advanced + JSON-based parameters for the Infoblox WAPI. ### Flow Description - 1. **Parameter Initialization:** The action retrieves integration credentials - (API Root, Username, Password) and extracts user-provided parameters including - the target RP Zone, the rule name, the mail exchanger address, and the preference - value. + 1. **Parameter Extraction:** The action retrieves integration credentials and + action parameters including the rule name, target RP zone, mail exchanger, and + preference. - 2. **Validation:** It validates that mandatory fields (Name, RP Zone, Mail Exchanger, - Preference) are provided and that the Preference is a valid integer within the - allowed range (0-65535). + 2. **Validation:** It validates that mandatory fields are non-empty, ensures the + 'Preference' is a valid integer, and checks that 'Additional Parameters' is a + valid JSON object. - 3. **API Interaction:** The action sends a POST request to the Infoblox WAPI endpoint - `/record:rpz:mx` with the rule details and any optional additional parameters - provided in JSON format. + 3. **API Interaction:** It constructs a POST request to the Infoblox NIOS WAPI + (`/record:rpz:mx`) to create the rule. - 4. **Output Generation:** Upon success, it returns the raw JSON of the created - record and displays a formatted data table containing the Reference ID, Name, - Mail Exchanger, and Preference of the new rule. + 4. **Result Processing:** Upon success, it formats the created rule's data into + a JSON result and a CSV-formatted data table for display in the SOAR interface. ### Parameters Description @@ -493,22 +503,27 @@ Create RPZ MX Rule: | :--- | :--- | :--- | :--- | - | Name | String | Yes | The name of the rule (e.g., the domain name to override). - | + | Name | String | Yes | The name of the rule to be created. | - | RP Zone | String | Yes | The specific Response Policy Zone where the rule will - be created. | + | RP Zone | String | Yes | The Response Policy Zone where the rule will be assigned. + | - | Mail Exchanger | String | Yes | The hostname of the mail server that will handle - mail for this rule. | + | Mail Exchanger | String | Yes | Specify the mail exchanger host for the rule. + | - | Preference | String | Yes | The priority of the mail exchanger (lower values - have higher priority). Must be an integer between 0 and 65535. | + | Preference | String | Yes | The preference value for the MX rule (must be a + non-negative integer). | | Comment | String | No | An optional descriptive comment for the rule. | - | Additional Parameters | String | No | A JSON object string containing extra - Infoblox WAPI parameters for the record creation. | + | Additional Parameters | String | No | A JSON object containing additional parameters + to be passed to the Infoblox API. | + + + ### Additional Notes + + - The action automatically appends the RP Zone name to the Rule Name if it is + not already present to ensure a fully qualified domain name (FQDN) format. capabilities: can_create_case_comments: false can_create_insight: false @@ -517,14 +532,14 @@ Create RPZ MX Rule: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new mail exchange (MX) record within a Response Policy Zone (RPZ) - on the Infoblox NIOS server via a POST request. - fetches_data: true + Creates a new Mail Exchange (MX) override rule record within the Infoblox NIOS + Response Policy Zone (RPZ) configuration. + fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -538,6 +553,7 @@ Create RPZ MX Rule: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Create RPZ NAPTR Rule: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -551,81 +567,83 @@ Create RPZ MX Rule: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Create RPZ NAPTR Rule: ai_description: >- - Creates a NAPTR (Naming Authority Pointer) rule within a Response Policy Zone - (RPZ) in Infoblox NIOS. This action allows for the control of DNS-based service - discovery by defining how specific domain names should be rewritten or redirected. - It is primarily used for advanced DNS traffic management and policy enforcement. + ### General Description + Adds a NAPTR (Naming Authority Pointer) override rule in a Response Policy Zone + (RPZ) within Infoblox NIOS. This action allows for the control of DNS-based service + discovery by defining how specific domain names should be processed and replaced. + It is useful for redirecting or modifying DNS responses for service discovery + queries within a managed environment. - ### Flow Description - 1. **Parameter Extraction:** Retrieves the rule name, target RP Zone, order, preference, - replacement domain, and optional comments or additional JSON parameters. + ### Parameters Description - 2. **Validation:** Ensures that mandatory fields (Name, RP Zone, Replacement) - are provided. It specifically validates that 'Order' and 'Preference' are integers - between 0 and 65535. + | Parameter | Type | Mandatory | Description | - 3. **Data Preparation:** Formats the rule name to ensure it is correctly associated - with the specified RP Zone and parses any provided 'Additional Parameters' from - a JSON string. + | :--- | :--- | :--- | :--- | - 4. **API Interaction:** Executes a POST request to the Infoblox NIOS WAPI (`/record:rpz:naptr`) - to create the new rule. + | Name | String | Yes | Specify the name of the rule. | - 5. **Result Processing:** If successful, it adds the raw API response to the action - results and generates a data table summarizing the created NAPTR rule details. + | RP Zone | String | Yes | The zone to assign the rule to. | + | Order | String | Yes | Order parameter in NAPTR record defines the sequence + of rule application when multiple rules exist. | - ### Parameters Description + | Preference | String | Yes | The preference of the Substitute (NAPTR Record) + Rule record. | - | Parameter | Type | Mandatory | Description | + | Replacement | String | Yes | Substitute rule object `replacement` field of the + NAPTR record. For non-terminal NAPTR records, this field specifies the next domain + name to look up. | - | :--- | :--- | :--- | :--- | + | Comment | String | No | Comment for this rule. | - | Name | String | Yes | The name of the NAPTR rule. The action automatically appends - the RP Zone name if not already present. | + | Additional Parameters | String | No | JSON object containing additional parameters + to create response policy zone. | - | RP Zone | String | Yes | The specific Response Policy Zone where the rule will - be created. | - | Order | String | Yes | An integer (0-65535) defining the sequence in which NAPTR - records are processed. | + ### Flow Description - | Preference | String | Yes | An integer (0-65535) defining the priority of the - rule when multiple records have the same order. | + 1. **Extract and Validate Parameters**: The action retrieves the Name, RP Zone, + Order, Preference, Replacement, Comment, and Additional Parameters. It ensures + that mandatory string fields are not empty. - | Replacement | String | Yes | The replacement domain name used for the substitution - logic in the NAPTR record. | + 2. **Integer Validation**: The 'Order' and 'Preference' values are validated to + ensure they are non-negative integers within the range of 0 to 65535. - | Comment | String | No | A descriptive comment for the rule record in Infoblox. - | + 3. **JSON Parsing**: If 'Additional Parameters' are provided, they are parsed + from a JSON string into a dictionary. + + 4. **API Execution**: The action uses the Infoblox API Manager to send a POST + request to the `/record:rpz:naptr` endpoint with the specified rule details. - | Additional Parameters | String | No | A JSON-formatted string containing any - additional supported Infoblox WAPI fields for the NAPTR record. | + 5. **Result Processing**: Upon success, the action adds the raw JSON response + and a formatted data table to the case and returns a success message. ### Additional Notes - - The 'Order' and 'Preference' parameters must be valid integers; otherwise, the - action will fail during the validation stage. + - The 'Order' and 'Preference' parameters are mandatory and must be valid integers + between 0 and 65535. - - 'Additional Parameters' must be a valid JSON object (e.g., `{"extattrs": {"Site": - {"value": "New York"}}}`). + - The 'Additional Parameters' field allows for advanced configuration by providing + a JSON object with extra Infoblox WAPI fields. capabilities: can_create_case_comments: false can_create_insight: false @@ -634,14 +652,13 @@ Create RPZ NAPTR Rule: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new NAPTR (Naming Authority Pointer) record within a Response Policy - Zone (RPZ) on the Infoblox NIOS server. + Creates a new NAPTR rule record in the Infoblox NIOS Response Policy Zone. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -655,6 +672,7 @@ Create RPZ NAPTR Rule: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Create RPZ PTR Rule: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -668,71 +686,50 @@ Create RPZ NAPTR Rule: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Create RPZ PTR Rule: - ai_description: >- - Adds a reverse DNS lookup override in a Response Policy Zone (RPZ) for an IP address - within Infoblox NIOS. This action allows administrators to define how specific - IP addresses should be resolved in reverse DNS lookups within a security policy - context. - - - ### Flow Description - - 1. **Parameter Extraction:** Retrieves the target RP Zone, PTR DName, and optional - fields like Name, Comment, and IP addresses from the action input. - - 2. **Validation:** Ensures mandatory strings are present, validates the format - of IPv4 and IPv6 addresses, and parses any provided JSON for additional parameters. - - 3. **API Interaction:** Executes a POST request to the Infoblox WAPI `record:rpz:ptr` - endpoint to create the new rule. - - 4. **Result Processing:** Captures the API response, formats the created rule - data into a structured table, and returns the JSON result to the SOAR platform. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **PTR DName** | String | Yes | The domain name of the RPZ substitute rule object - of the PTR record. | - - | **RP Zone** | String | Yes | The specific Response Policy Zone to which the - rule will be assigned. | - - | **Name** | String | No | The name of the RPZ Substitute rule object. | - - | **Comment** | String | No | A descriptive comment for the rule. | - - | **IPv4 Address** | String | No | The IPv4 address associated with the substitute - rule. | - - | **IPv6 Address** | String | No | The IPv6 address associated with the substitute - rule. | - - | **Additional Parameters** | String | No | A JSON object containing extra parameters - supported by the Infoblox WAPI for RPZ PTR records. | - - - ### Additional Notes - - * At least one of 'Name', 'IPv4 Address', or 'IPv6 Address' must be provided for - the rule creation to be valid according to the integration logic. + ai_description: "### General Description\nThe **Create RPZ PTR Rule** action allows\ + \ users to create a reverse DNS (PTR) substitute rule within a specific Response\ + \ Policy Zone (RPZ) in Infoblox NIOS. This action is used to override standard\ + \ reverse DNS lookups for specific IP addresses, which is a common practice for\ + \ implementing security redirections or custom DNS policies.\n\n### Parameters\ + \ Description\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- |\ + \ :--- | :--- |\n| **PTR DName** | String | Yes | The domain name of the RPZ substitute\ + \ rule object of the PTR record. |\n| **RP Zone** | String | Yes | The name of\ + \ the Response Policy Zone where the rule will be assigned. |\n| **Name** | String\ + \ | No | The name of the RPZ Substitute rule object of the PTR record. |\n| **Comment**\ + \ | String | No | A descriptive comment for the rule. |\n| **IPv4 Address** |\ + \ String | No | The IPv4 address of the substitute rule. |\n| **IPv6 Address**\ + \ | String | No | The IPv6 address of the substitute rule. |\n| **Additional Parameters**\ + \ | String | No | A JSON-formatted string containing additional WAPI parameters\ + \ for the rule creation. |\n\n### Additional Notes\n- **Conditional Requirement:**\ + \ At least one of the following parameters must be provided for the action to\ + \ execute successfully: `Name`, `IPv4 Address`, or `IPv6 Address`.\n- **IP Validation:**\ + \ The action performs strict validation on the format of `IPv4 Address` and `IPv6\ + \ Address` if they are provided.\n\n### Flow Description\n1. **Initialization:**\ + \ Retrieves integration configuration (API Root, credentials) and action parameters.\n\ + 2. **Validation:** \n - Ensures mandatory fields `PTR DName` and `RP Zone`\ + \ are non-empty.\n - Validates that at least one identifier (`Name`, `IPv4\ + \ Address`, or `IPv6 Address`) is present.\n - Validates the format of provided\ + \ IP addresses and ensures `Additional Parameters` is a valid JSON object.\n3.\ + \ **API Execution:** Constructs a payload and sends a POST request to the Infoblox\ + \ NIOS WAPI endpoint for `record:rpz:ptr`.\n4. **Output:** \n - On success,\ + \ it captures the created record's details.\n - Generates a data table titled\ + \ \"RPZ PTR Rule\" and attaches the full JSON response to the action results.\n\ + \ - Returns a success message indicating the rule was created." capabilities: can_create_case_comments: false can_create_insight: false @@ -741,14 +738,14 @@ Create RPZ PTR Rule: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new RPZ PTR (Pointer) record in the Infoblox NIOS system, which modifies - the DNS response policy configuration. + Creates a new 'record:rpz:ptr' object in the Infoblox NIOS system, modifying + the DNS configuration of the specified Response Policy Zone. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -762,10 +759,11 @@ Create RPZ PTR Rule: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Create RPZ SRV Rule: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false - add_ioc_to_blocklist: false + add_ioc_to_blocklist: true contain_host: false create_ticket: false delete_email: false @@ -775,77 +773,84 @@ Create RPZ PTR Rule: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Create RPZ SRV Rule: ai_description: >- - ### General Description - - Adds an SRV (Service) record override in a Response Policy Zone (RPZ) within Infoblox - NIOS. This action is used to manage service-based DNS lookups, allowing administrators - to define how specific services are resolved or redirected within a managed zone. + Adds a Substitute (SRV Record) Rule to a Response Policy Zone (RPZ) in Infoblox + NIOS. This action allows security administrators to override service-based DNS + lookups by creating specific SRV records within a policy zone, which can be used + for redirection or policy enforcement. The action validates that numerical parameters + like Priority, Port, and Weight are within valid ranges before submitting the + request to the Infoblox WAPI. - ### Parameters Description + ### Flow Description: - | Parameter | Type | Mandatory | Description | + 1. **Parameter Extraction:** The action retrieves mandatory parameters including + the Rule Name, Priority, RP Zone, Port, Target, and Weight, along with optional + Comments and Additional Parameters. - | :--- | :--- | :--- | :--- | + 2. **Validation:** It validates that the Rule Name, RP Zone, and Target are non-empty + strings. It also ensures that Priority, Port, and Weight are valid non-negative + integers. - | Name | String | Yes | The name of the SRV rule to be created. | + 3. **API Interaction:** It initializes the Infoblox API Manager and sends a POST + request to the `record:rpz:srv` endpoint to create the rule in the specified zone. - | Priority | String | Yes | The priority of the SRV record. Must be a non-negative - integer (0-65535). | + 4. **Result Processing:** If the rule is created successfully, the action returns + the raw JSON response and populates a data table with the rule's details (Reference + ID, Name, Target, Port, Priority, Weight, etc.). - | RP Zone | String | Yes | The name of the Response Policy Zone where the record - will reside. | - | Port | String | Yes | The port of the service. Must be a non-negative integer - (0-65535). | + ### Parameters Description: - | Target | String | Yes | The target host associated with the SRV record. | + | Parameter | Type | Mandatory | Description | - | Weight | String | Yes | The weight of the SRV record. Must be a non-negative - integer (0-65535). | + | :--- | :--- | :--- | :--- | - | Comment | String | No | An optional comment for the rule. | + | Name | string | True | The name of the SRV rule to create. | - | Additional Parameters | String | No | A JSON object containing additional Infoblox - WAPI parameters for the record creation. | + | Priority | string | True | The priority of the SRV record (must be a non-negative + integer). | + | RP Zone | string | True | The name of the Response Policy Zone where the record + will reside. | - ### Flow Description + | Port | string | True | The port of the service (must be a non-negative integer). + | - 1. **Parameter Extraction:** The action retrieves the RP Zone, Name, Priority, - Port, Weight, Target, and optional Comment/Additional Parameters from the input. + | Target | string | True | The target host or text associated with the SRV record. + | - 2. **Validation:** It validates that mandatory strings are non-empty and that - Priority, Port, and Weight are valid non-negative integers within the range of - 0 to 65535. + | Weight | string | True | The weight of the SRV record (must be a non-negative + integer). | - 3. **API Interaction:** It initializes the Infoblox API Manager and sends a POST - request to the `record:rpz:srv` endpoint to create the rule. + | Comment | string | False | An optional descriptive comment for the rule. | - 4. **Result Processing:** Upon success, the action adds the created rule's details - to a data table and returns the full JSON response to the SOAR. + | Additional Parameters | string | False | A JSON object containing any additional + Infoblox WAPI parameters for the record creation. | - ### Additional Notes + ### Additional Notes: - - The Priority, Port, and Weight parameters are accepted as strings but must represent - valid integers. + - The action automatically appends the RP Zone name to the Rule Name if it is + not already present to ensure the FQDN is correctly formatted for Infoblox. - - If 'Additional Parameters' is provided, it must be a valid JSON object. + - Numerical parameters (Priority, Port, Weight) are accepted as strings but must + represent integers between 0 and 65535. capabilities: can_create_case_comments: false can_create_insight: false @@ -854,14 +859,14 @@ Create RPZ SRV Rule: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new SRV record override (record:rpz:srv) in the specified Response - Policy Zone on the Infoblox NIOS server. + Creates a new SRV record override (record:rpz:srv) within a Response Policy + Zone in the Infoblox NIOS system. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -875,6 +880,7 @@ Create RPZ SRV Rule: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Create RPZ TXT Rule: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -888,76 +894,66 @@ Create RPZ SRV Rule: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Create RPZ TXT Rule: ai_description: >- - Adds a TXT record rule in a Response Policy Zone (RPZ) within Infoblox NIOS. This - action is used to associate specific text data with a DNS response for policy - or informational purposes. - + Adds a TXT record rule to a Response Policy Zone (RPZ) in Infoblox NIOS. This + action allows users to associate specific text data with a DNS response, which + can be used for policy documentation, SPF records, or other informational purposes + within the DNS security framework. - ### Parameters Description - - - | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | - - | RP Zone | String | Yes | The specific Response Policy Zone where the rule will - be assigned. | - - | Name | String | Yes | The name of the rule to be created. | + ### Flow Description: - | Text | String | Yes | The text data to be associated with the TXT record. | + 1. **Parameter Extraction:** Retrieves the RP Zone, Rule Name, Text content, and + optional comments or additional parameters from the action input. - | Comment | String | No | An optional comment to describe the purpose of the rule. - | + 2. **Validation:** Ensures mandatory fields (RP Zone, Name, Text) are provided + and that additional parameters are in valid JSON format. - | Additional Parameters | String | No | A JSON-formatted string containing any - additional Infoblox-specific parameters for the record creation. | + 3. **API Interaction:** Sends a POST request to the Infoblox NIOS WAPI (`/record:rpz:txt`) + to create the new rule. + 4. **Result Processing:** Captures the API response, updates the action status, + and generates a data table containing the details of the created TXT rule. - ### Flow Description + ### Parameters Description: - 1. **Initialization**: The action initializes the Infoblox API manager using the - provided integration credentials (API Root, Username, Password). + | Parameter | Type | Mandatory | Description | - 2. **Parameter Extraction**: It extracts the mandatory parameters (`RP Zone`, - `Name`, `Text`) and optional parameters (`Comment`, `Additional Parameters`) from - the action configuration. + | :--- | :--- | :--- | :--- | - 3. **Validation**: The action validates that the mandatory strings are not empty - and that the `Additional Parameters` (if provided) is a valid JSON object. + | RP Zone | String | Yes | The specific Response Policy Zone where the rule will + be created. | - 4. **Rule Creation**: It calls the Infoblox API to create the RPZ TXT rule (`record:rpz:txt`). - The rule name is automatically formatted to include the zone suffix if it is not - already present. + | Name | String | Yes | The name/owner of the TXT record. | - 5. **Result Processing**: Upon success, the action returns the raw JSON response - and populates a data table named "RPZ TXT Rule" with the record details, including - the Reference ID and the associated text. + | Text | String | Yes | The actual text data to be stored in the TXT record. | + | Comment | String | No | An optional descriptive comment for the rule. | - ### Additional Notes + | Additional Parameters | String | No | A JSON object containing any extra WAPI + parameters supported by Infoblox for this record type. | - * The action will fail if the specified RP Zone does not exist or if the provided - `Additional Parameters` JSON is malformed. + ### Additional Notes: - * This action does not process entities from the SecOps environment; it relies - entirely on user-provided parameters. + * This action does not run on entities; it uses the provided parameters to create + the record directly. capabilities: can_create_case_comments: false can_create_insight: false @@ -966,14 +962,14 @@ Create RPZ TXT Rule: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new TXT record rule within a specified Response Policy Zone (RPZ) - in the Infoblox NIOS system. + Creates a new TXT record rule in the specified Response Policy Zone (RPZ) on + the Infoblox NIOS server via a POST request. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -987,6 +983,7 @@ Create RPZ TXT Rule: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Create Response Policy Zone: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1000,81 +997,82 @@ Create RPZ TXT Rule: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Create Response Policy Zone: ai_description: >- Creates a new Response Policy Zone (RPZ) in Infoblox NIOS to define custom DNS - responses. This action allows administrators to programmatically set up DNS zones - that can be used for security policies, such as redirecting or blocking specific - DNS queries. It supports various policy types (GIVEN, NODATA, NXDOMAIN, PASSTHRU, - SUBSTITUTE) and allows for detailed configuration including severity levels, zone - types, and FireEye rule mappings. + responses. This action allows administrators to set up zones that can override + standard DNS resolution for security or policy enforcement purposes. It supports + configuring the zone's policy (e.g., NXDOMAIN, SUBSTITUTE), severity, and type + (LOCAL, FEED, or FIREEYE). - ### Flow Description + ### Flow Description: - 1. **Parameter Extraction:** Retrieves the FQDN, policy settings, severity, and - optional JSON configurations (FireEye mappings and additional parameters) from - the action input. + 1. **Parameter Extraction:** The action retrieves the FQDN, RPZ Policy, Severity, + Type, and other optional parameters like Substitute Name and Comment from the + user input. - 2. **Validation:** Ensures the FQDN is provided and validates that 'Additional - Parameters' and 'Fireeye Rule Mapping' are valid JSON objects. + 2. **Validation:** It validates that the FQDN is provided and that 'Additional + Parameters' and 'Fireeye Rule Mapping' (if provided) are valid JSON objects. - 3. **API Interaction:** Sends a POST request to the Infoblox WAPI `/zone_rp` endpoint - with the configured zone details. + 3. **API Interaction:** It uses the Infoblox NIOS API Manager to send a POST request + to the `/zone_rp` endpoint with the specified configuration. - 4. **Result Processing:** If successful, it parses the returned zone metadata, - creates a 'RP Zone' data table for the UI, and returns the full JSON response. + 4. **Result Processing:** Upon successful creation, the action retrieves the details + of the new RPZ, formats them into a data table, and returns the raw JSON result. - ### Parameters Description + ### Parameters Description: | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | FQDN | string | Yes | The Fully Qualified Domain Name of the DNS zone to be + | FQDN | String | Yes | The fully qualified domain name of the DNS zone to be created. | - | Substitute Name | string | No | The alternative name of the redirect target - if using a substitute response policy. | + | Substitute Name | String | No | The alternative name of the redirect target + if the policy is set to SUBSTITUTE. | - | Comment | string | No | A descriptive comment for the zone. | + | Comment | String | No | A descriptive comment for the zone. | - | RPZ Policy | ddl | No | The override policy (e.g., GIVEN, NXDOMAIN, PASSTHRU). + | RPZ Policy | DDL | No | The override policy (e.g., GIVEN, NXDOMAIN, PASSTHRU). Default is GIVEN. | - | RPZ Severity | ddl | No | The severity level assigned to the zone (e.g., CRITICAL, - MAJOR). Default is MAJOR. | + | RPZ Severity | DDL | No | The severity level of the zone (e.g., CRITICAL, MAJOR). + Default is MAJOR. | - | RPZ Type | ddl | No | The type of RPZ (FEED, FIREEYE, or LOCAL). Default is + | RPZ Type | DDL | No | The type of RPZ (LOCAL, FEED, or FIREEYE). Default is LOCAL. | - | Fireeye Rule Mapping | string | No | A JSON object defining rules to map FireEye - alerts to this zone. | + | Fireeye Rule Mapping | String | No | A JSON object defining rules to map FireEye + alerts to the zone. | - | Additional Parameters | string | No | A JSON object containing any other supported - Infoblox WAPI parameters for zone creation. | + | Additional Parameters | String | No | A JSON object containing any extra parameters + supported by the Infoblox WAPI for zone creation. | - ### Additional Notes + ### Additional Notes: - - This action does not run on entities; it is a management action that requires - manual input of the FQDN. + - This action is primarily used for infrastructure management and security policy + setup rather than direct incident enrichment. - The 'Additional Parameters' field allows for advanced configuration not explicitly - covered by the standard action fields. + covered by the standard action parameters. capabilities: can_create_case_comments: false can_create_insight: false @@ -1083,14 +1081,14 @@ Create Response Policy Zone: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new Response Policy Zone (RPZ) resource within the Infoblox NIOS system + Creates a new Response Policy Zone (RPZ) resource within the Infoblox NIOS environment via a POST request. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1104,6 +1102,7 @@ Create Response Policy Zone: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +DHCP Lease Lookup: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1114,89 +1113,90 @@ Create Response Policy Zone: disable_identity: false download_file: false enable_identity: false - enrich_asset: false + enrich_asset: true enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: true search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -DHCP Lease Lookup: ai_description: >- - ### General Description + Retrieves DHCP lease details for a MAC or IP address from Infoblox NIOS. This + action allows analysts to query the Infoblox DHCP database to find active or historical + lease information associated with specific network identifiers. It supports filtering + by various attributes such as IP address, hardware MAC, hostname, and user identity. - The **DHCP Lease Lookup** action retrieves detailed DHCP lease information from - Infoblox NIOS. It allows security analysts to search for lease records using various - identifiers such as IP addresses, MAC addresses (Hardware), hostnames, or usernames. - This action is essential for forensic investigations to identify which device - or user was assigned a specific IP address at a given point in time. + ### Flow Description: - ### Parameters Description + 1. **Parameter Initialization:** The action retrieves integration configuration + (API Root, credentials) and action-specific parameters (IP, MAC, Hostname, etc.). - | Parameter | Type | Mandatory | Description | + 2. **Validation:** It validates the format of the provided IP address and ensures + the 'Limit' parameter is a positive integer. - | :--- | :--- | :--- | :--- | + 3. **API Interaction:** The action connects to the Infoblox NIOS WAPI and performs + a GET request to the `/lease` endpoint. It uses a pagination mechanism to handle + large result sets up to the user-defined limit. - | **IP Address** | String | No | The IPv4 or IPv6 address to search for in the - lease database. | + 4. **Data Processing:** Retrieved lease records are parsed into a structured data + model. - | **Hardware** | String | No | The MAC address for IPv4 leases. Supports regex - or exact search. | + 5. **Output Generation:** The action populates the execution results with a raw + JSON array of lease details and creates a data table on the case wall showing + key fields like IP Address, Hardware, Client Hostname, and Binding State. - | **Hostname** | String | No | The hostname sent via DHCP option 12. Supports - regex or exact search. | - | **IPv6 DUID** | String | No | The IPv6 DUID identifier for IPv6 leases. Supports - regex or exact search. | + ### Parameters Description: - | **Protocol** | DDL | No | Filters results by protocol: `Both`, `IPv4`, or `IPv6`. - Default is `Both`. | - | **Fingerprint** | String | No | The DHCP client fingerprint; supports case-insensitive - or regex search. | + | Parameter | Type | Mandatory | Description | - | **Username** | String | No | The user associated with the lease request; supports - case-insensitive or regex search. | + | :--- | :--- | :--- | :--- | - | **Limit** | String | No | The maximum number of lease objects to return. Default - is 100. | + | IP Address | string | No | The IPv4 or IPv6 address of the lease to look up. + | + | Hardware | string | No | The MAC address for IPv4 leases. Supports regex or + exact search. | - ### Additional Notes + | Hostname | string | No | The hostname sent via DHCP option 12. Supports regex + or exact search. | - - This action does not automatically process entities from the case. It relies - on the provided search parameters. + | IPv6 DUID | string | No | The IPv6 DUID identifier for IPv6 leases. Supports + regex or exact search. | - - Results are output as a JSON object and a summary data table (displaying up - to 20 records) on the case wall. + | Protocol | ddl | No | Filters results by protocol. Options: Both (default), + IPv4, IPv6. | + | Fingerprint | string | No | The DHCP client fingerprint; supports case-insensitive + or regex search. | - ### Flow Description + | Username | string | No | The user associated with the lease request; supports + case-insensitive or regex search. | - 1. **Parameter Extraction:** The action retrieves search filters (IP, MAC, Hostname, - etc.) and the result limit from the user input. + | Limit | string | No | Maximum number of objects to be returned (Default is 100). + | - 2. **Validation:** It validates the `Limit` parameter to ensure it is a positive - integer and checks the format of the `IP Address` if provided. - 3. **API Request:** It executes a GET request to the Infoblox NIOS WAPI `/lease` - endpoint, applying the specified filters as query parameters. + ### Additional Notes: - 4. **Data Processing:** The action parses the returned lease records into a structured - format using the `DHCPLeaseLookup` data model. + * This action does not run on SecOps entities automatically; identifiers must + be provided as manual input parameters. - 5. **Output Generation:** It populates the action's JSON result with the full - dataset and generates a data table for the case wall to provide immediate visibility - into the findings. + * If no results are found, the action will complete successfully with an informative + message. capabilities: can_create_case_comments: false can_create_insight: false @@ -1208,9 +1208,9 @@ DHCP Lease Lookup: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1224,6 +1224,7 @@ DHCP Lease Lookup: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Delete RPZ Rule: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1237,55 +1238,58 @@ DHCP Lease Lookup: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false + remove_ioc_from_blocklist: true reset_identity_password: false + search_asset: false search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Delete RPZ Rule: ai_description: >- - Deletes a specific rule from a Response Policy Zone (RPZ) within Infoblox NIOS. - This action is used to remove existing DNS policies, such as blocks, redirects, - or passthru rules, by targeting the unique reference ID of the rule. It supports - all RPZ record types (A, AAAA, CNAME, MX, TXT, etc.) because the deletion is performed - against the object's unique identifier in the Infoblox database. - + Deletes a Response Policy Zone (RPZ) rule from Infoblox NIOS. This action uses + the unique reference ID of a rule to remove it from the specified RPZ, effectively + reversing DNS-based blocking or redirection policies associated with that rule. + It supports all RPZ record types by targeting the specific object reference provided + by the user. - ### Parameters Description + ### Parameters - | Parameter | Description | Type | Mandatory | + | Parameter | Description | Type | Mandatory | Notes | - | :--- | :--- | :--- | :--- | + | --- | --- | --- | --- | --- | - | Reference ID | The unique WAPI reference string for the RPZ rule to be deleted - (e.g., `record:rpz:cname/ZG5zLmJpbmRfcnB6X2N6X25hbWUuY29tLmV4YW1wbGUuY29t:example.com/default`). - | String | Yes | + | Reference ID | The unique WAPI reference ID of the RPZ rule to be deleted (e.g., + `record:rpz:cname/ZG5zLm5ldHdvcmtfcG9saWN5X3pvbmUkLl9kZWZhdWx0LmNvbS5leGFtcGxl:example.com`). + | String | Yes | This ID is typically obtained from search or creation actions. + | ### Flow Description + 1. **Parameter Extraction:** The action retrieves the `Reference ID` from the + input parameters and the integration configuration (API Root, Username, Password). - 1. **Parameter Extraction**: The action retrieves the `Reference ID` from the - user input and the connection details (API Root, Username, Password) from the - integration configuration. + 2. **Validation:** It ensures the `Reference ID` is a non-empty string. - 2. **Validation**: It validates that the `Reference ID` is a non-empty string. - - 3. **API Interaction**: The action initializes the `APIManager` and sends a `DELETE` - request to the Infoblox NIOS WAPI endpoint corresponding to the provided reference + 3. **API Interaction:** The action initializes the `APIManager` and sends a `DELETE` + request to the Infoblox WAPI endpoint corresponding to the provided reference ID. - 4. **Response Processing**: If the API returns a success status, the action completes - with a success message. If the rule is not found (404) or the API returns an error, - the action catches the exception and reports the failure to the SOAR platform. + 4. **Error Handling:** If the reference ID is not found (404), it returns a specific + 'not found' message. Other API errors or connection issues are caught and reported + as failures. + + 5. **Completion:** The action concludes by providing a success message if the + rule was successfully deleted. capabilities: can_create_case_comments: false can_create_insight: false @@ -1294,14 +1298,14 @@ Delete RPZ Rule: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Deletes a specific Response Policy Zone (RPZ) rule from the Infoblox NIOS server, - which modifies the DNS policy configuration. + Deletes a specific RPZ rule (DNS record) from the Infoblox NIOS server, which + modifies the active DNS response policy configuration. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1315,6 +1319,7 @@ Delete RPZ Rule: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Delete Response Policy Zone: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1328,60 +1333,64 @@ Delete RPZ Rule: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: true + remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Delete Response Policy Zone: ai_description: >- - Deletes an existing Response Policy Zone (RPZ) from Infoblox NIOS. This action - uses the unique reference ID of the zone to perform a hard deletion via the Infoblox - WAPI. It is typically used for automated cleanup or decommissioning of security - policies. + Deletes an existing Response Policy Zone (RPZ) from Infoblox NIOS using its unique + reference ID. This action is used to clean up or remove DNS security policies + that are no longer required. - ### Flow Description + ### Flow Description: - 1. **Parameter Extraction:** Retrieves the 'Reference ID' from the action parameters - and integration configuration (API Root, credentials). + 1. **Parameter Extraction:** The action retrieves the `Reference ID` from the + input parameters. - 2. **Validation:** Ensures the 'Reference ID' is a non-empty string. + 2. **Validation:** It validates that the `Reference ID` is a non-empty string. - 3. **API Interaction:** Executes a DELETE request to the Infoblox WAPI endpoint - corresponding to the provided reference ID. + 3. **API Initialization:** Initializes the Infoblox API Manager using the integration's + configuration (API Root, Username, Password). - 4. **Error Handling:** Specifically catches 'ItemNotFoundException' if the reference - ID does not exist, as well as general Infoblox or connection errors. + 4. **Execution:** Sends a `DELETE` request to the Infoblox WAPI endpoint associated + with the provided reference ID. - 5. **Result Reporting:** Returns a success message if the deletion is confirmed - by the server. + 5. **Error Handling:** If the reference ID is not found (404), it returns a specific + 'not found' message. Other API or connection errors are caught and reported as + failures. - ### Parameters Description + ### Parameters Description: - | Parameter Name | Type | Mandatory | Description | + | Parameter Name | Description | Type | Mandatory | Notes | - | :--- | :--- | :--- | :--- | + | :--- | :--- | :--- | :--- | :--- | - | Reference ID | String | Yes | The unique internal reference identifier (e.g., - `zone_rp/ZG5zLnpvbmUkLl9kZWZhdWx0LmNvbS5leGFtcGxl:example.com/default`) of the - Response Policy Zone to be deleted. | + | Reference ID | The unique WAPI reference ID of the response policy zone to be + deleted (e.g., `zone_rp/ZG5zLnpvbmUkLl9kZWZhdWx0LmNvbS5leGFtcGxlLnJwei:example.rpz/default`). + | String | Yes | This ID is typically obtained from a previous 'Search' or 'Get + Details' action. | - ### Additional Notes + ### Additional Notes: - - This action performs a destructive operation in the external Infoblox system. + - This action does not run on entities; it requires a specific Reference ID as + input. - - If the Reference ID is not found, the action will fail with a specific 'not - found' error message. + - Deleting a Response Policy Zone is a destructive operation and cannot be undone + via this action. capabilities: can_create_case_comments: false can_create_insight: false @@ -1390,14 +1399,13 @@ Delete Response Policy Zone: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Deletes a Response Policy Zone resource from the Infoblox NIOS server using - a DELETE request. + Deletes a Response Policy Zone (RPZ) configuration from the Infoblox NIOS server. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1411,6 +1419,7 @@ Delete Response Policy Zone: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Response Policy Zone Details: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1424,96 +1433,92 @@ Delete Response Policy Zone: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Response Policy Zone Details: ai_description: >- ### General Description Retrieves configuration details for Response Policy Zones (RPZ) from Infoblox - NIOS. This action allows analysts to query the DNS security policy configurations, - including policy types, severities, and associated comments, providing visibility - into how specific DNS zones are being managed and filtered. + NIOS. This action is used to query the Infoblox environment for specific DNS zones + to inspect their security policies, severity settings, and operational status. + It is a read-only action intended for configuration auditing and visibility within + the security operations workflow. ### Parameters Description - | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | FQDN | String | No | The name of the DNS zone in FQDN format to filter the search. - | + | FQDN | string | No | The name of the DNS zone in FQDN format. If provided, filters + results to this specific zone. | - | View | String | No | The name of the DNS view in which the zone resides (e.g., - "external"). Defaults to "default" if not specified. | + | View | string | No | The name of the DNS view in which the zone resides (e.g., + "external"). If not provided, the action defaults to the "default" view. | - | Comment | String | No | Filter results by the comment string associated with - the zone. | + | Comment | string | No | A comment string used to filter the zones. This allows + for searching zones based on administrative notes. | - | Limit | String | No | Maximum number of objects to be returned by the API. Defaults - to 100. | - - - ### Flow Description + | Limit | string | No | The maximum number of objects to be returned by the query. + Defaults to "100". | - 1. **Initialization**: The action initializes the Infoblox API manager using the - provided API Root, Username, and Password from the integration configuration. - 2. **Parameter Extraction**: It extracts the FQDN, View, Comment, and Limit parameters - from the action input. + ### Additional Notes - 3. **Validation**: The 'Limit' parameter is validated to ensure it is a positive - integer. + - This action does not process or require any Google SecOps entities (such as + IP or Hostname) to execute. - 4. **API Request**: The action performs a GET request to the Infoblox `/zone_rp` - endpoint, applying filters for FQDN, View, and Comment if provided. + - The data table displayed in the interface is limited to the first 20 records + found for performance reasons, while the full JSON result contains all retrieved + records up to the specified limit. - 5. **Data Processing**: The retrieved zone data is parsed and added to the action's - JSON results. - 6. **UI Enhancement**: If zones are found, the action generates a data table titled - "Response Policy Zones" containing key fields such as Reference ID, FQDN, Policy, - Severity, and Type. + ### Flow Description - 7. **Completion**: The action concludes by reporting the number of zones successfully - retrieved. + 1. **Initialize Manager:** Connects to the Infoblox NIOS API using the provided + credentials and API root configuration. + 2. **Validate Inputs:** Extracts user-provided parameters and ensures the 'Limit' + parameter is a valid positive integer. - ### Additional Notes + 3. **Query Infoblox:** Sends a GET request to the `/zone_rp` endpoint. If filters + (FQDN, View, Comment) are provided, they are included as query parameters to narrow + the search. - - If no specific FQDN is provided, the action will list all available Response - Policy Zones within the specified View. + 4. **Paginate Results:** If the number of results exceeds the internal page size, + the action automatically handles pagination to retrieve all records up to the + user-defined limit. - - The data table displays a maximum of 20 records to maintain readability within - the Google SecOps interface. + 5. **Format Output:** Converts the raw API response into a structured JSON result + and a flattened data table for display in the Google SecOps case wall. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: >- - The action creates a data table named 'Response Policy Zones' within the Google - SecOps case to display the retrieved configuration details. + internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1527,6 +1532,7 @@ Get Response Policy Zone Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +IP Lookup: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1537,91 +1543,90 @@ Get Response Policy Zone Details: disable_identity: false download_file: false enable_identity: false - enrich_asset: false - enrich_ioc: false + enrich_asset: true + enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: true search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -IP Lookup: ai_description: >- - Retrieves IP Address Management (IPAM) information from Infoblox NIOS for a specific - IP address, network, or IP range. This action allows analysts to query the Infoblox - database to identify the status, MAC address, and associated metadata of network - resources. It supports filtering by device status and extended attributes, providing - a comprehensive view of IP allocation and usage within the environment. - - - ### Parameters Description - - - | Parameter | Type | Mandatory | Description | + The **IP Lookup** action retrieves detailed IP Address Management (IPAM) information + from Infoblox NIOS for a specific IP address, a network, or a range of IP addresses. + It allows analysts to query the Infoblox database to identify the status, MAC + address, associated names, and extended attributes of network assets. The action + supports both IPv4 and IPv6 lookups and provides results in both a structured + data table and raw JSON format. - | :--- | :--- | :--- | :--- | - - | IP Address | string | No | The specific IP address to look up (e.g., "192.168.1.1"). - | - | Network | string | No | The network to search in FQDN/CIDR format (e.g., "192.168.1.0/24"). - | + ### Flow Description - | From IP | string | No | The start of an IP range for the search. Must be used - with 'To IP'. | + 1. **Parameter Validation**: The action ensures that exactly one search criteria + is provided: either an `IP Address`, a `Network` (CIDR), or an IP range (`From + IP` and `To IP`). It also validates the format of the provided IP/Network strings. - | To IP | string | No | The end of an IP range for the search. Must be used with - 'From IP'. | + 2. **API Connection**: Initializes a connection to the Infoblox NIOS WAPI using + the provided integration credentials. - | Status | ddl | No | Filter results by device status. Options: All, Active, Used, - Unused. Default is 'All'. | + 3. **Data Retrieval**: Executes a GET request to the appropriate Infoblox endpoint + (`ipv4address` or `ipv6address`) with the specified filters (Status, Extended + Attributes) and pagination limits. - | Limit | string | No | Maximum number of objects to return. Default is 100. | + 4. **Data Processing**: Parses the API response, converting raw data into `IPLookup` + models which include fields like MAC Address, Usage, and Conflict status. - | Extended Attributes | string | No | Comma-separated key/value filter for extended - attributes (e.g., "Site=New York"). | + 5. **Output Generation**: Populates a Google SecOps data table with the first + 20 records and attaches the full result set as a JSON object to the action output. - ### Additional Notes + ### Parameters Description + | Parameter | Type | Mandatory | Description | - * **Search Criteria**: At least one of the following must be provided: 'IP Address', - 'Network', or both 'From IP' and 'To IP'. + | :--- | :--- | :--- | :--- | - * **Exclusivity**: Only one search method (Single IP, Network, or Range) can be - used per action execution. + | **IP Address** | String | No | The specific IP address to retrieve information + for. Cannot be used with Network or Range parameters. | - * **IP Versions**: The action automatically handles both IPv4 and IPv6 addresses - based on the input format. + | **Network** | String | No | The network in FQDN/CIDR format (e.g., 192.168.1.0/24). + Cannot be used with IP or Range parameters. | + | **From IP** | String | No | The start of an IP range. Must be used with 'To + IP'. | - ### Flow Description + | **To IP** | String | No | The end of an IP range. Must be used with 'From IP'. + | + | **Status** | DDL | No | Filters results by device status: All, Active, Used, + or Unused. Default is 'All'. | - 1. **Parameter Extraction**: Retrieves configuration settings and action parameters - from the SOAR environment. + | **Limit** | String | No | Maximum number of objects to return from the API. + Default is 100. | - 2. **Input Validation**: Ensures that exactly one valid search criteria is provided - and validates the format of IP and network strings. + | **Extended Attributes** | String | No | Comma-separated key/value pairs to filter + by Infoblox extended attributes (e.g., 'Site=New York'). | - 3. **API Connection**: Initializes the Infoblox API manager using the provided - credentials and API root. - 4. **Data Retrieval**: Executes a paginated GET request to the Infoblox WAPI endpoints - (`/ipv4address` or `/ipv6address`) based on the input. + ### Additional Notes - 5. **Data Processing**: Maps the raw API response to a structured data model, - extracting key fields such as MAC address, status, and usage. + * **Mutual Exclusivity**: You must provide exactly one of the following: `IP + Address`, `Network`, or the pair of `From IP` and `To IP`. Providing more than + one set or none at all will result in an execution failure. - 6. **Output Generation**: Populates the action results with the full JSON response - and creates a CSV-formatted data table for the case wall. + * **Table Limits**: While the action can fetch many records based on the `Limit` + parameter, only the first 20 records are displayed in the UI data table for performance + reasons. capabilities: can_create_case_comments: false can_create_insight: false @@ -1633,9 +1638,9 @@ IP Lookup: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1649,6 +1654,7 @@ IP Lookup: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +List Host Info: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1662,76 +1668,74 @@ IP Lookup: enrich_asset: true enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: true search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -List Host Info: ai_description: >- - Retrieves host records from Infoblox NIOS based on specific search criteria such - as hostname, IPv4/IPv6 addresses, or extended attributes. This action is primarily - used for searching and listing existing host information within the Infoblox environment - without modifying any records. - + ### General Description - ### Flow Description: + Retrieves host records from Infoblox NIOS, providing detailed information such + as hostnames, associated IPv4/IPv6 addresses (A/AAAA records), PTR records, DNS + view information, and configured extensible attributes. This action allows for + flexible searching of the IPAM database to identify and enrich asset information + based on specific criteria. - 1. **Parameter Extraction:** The action retrieves the search criteria from the - user inputs, including 'Name', 'IPv4 Address', 'IPv6 Address', 'Extended Attributes', - and a 'Limit' for the number of results. - 2. **Validation:** It validates that the provided IP addresses are in the correct - format and that the 'Limit' is a positive integer. + ### Flow Description - 3. **API Query:** It performs a GET request to the Infoblox WAPI `/record:host` - endpoint, applying the filters provided in the parameters. + 1. **Parameter Extraction**: The action retrieves search criteria from the user, + including hostname, IPv4/IPv6 addresses, and extended attribute filters. - 4. **Pagination:** If the number of results exceeds the page size, the action - handles pagination to retrieve records up to the specified limit. + 2. **Validation**: Validates the format of provided IP addresses and ensures the + limit parameter is a valid integer. - 5. **Output Generation:** The retrieved host data is returned as a JSON object. - Additionally, a summary table ('Hosts') is created in the Google SecOps case, - displaying key details like Reference ID, Name, View, Zone, and associated IP - addresses for the first 20 records. + 3. **API Request**: Queries the Infoblox WAPI `/record:host` endpoint using the + provided filters and pagination logic to handle large result sets. + 4. **Data Processing**: Parses the raw API response into structured host objects, + extracting key fields like DNS views, aliases, and attributes. - ### Parameters Description: + 5. **Output Generation**: Adds the full JSON response to the action results and + creates a formatted data table for the first 20 records found. - | Parameter | Type | Mandatory | Description | + ### Parameters Description - | :--- | :--- | :--- | :--- | + | Parameter | Description | Expected Type | Mandatory | Default | - | Name | String | No | The hostname to search for in Infoblox host records. | + | :--- | :--- | :--- | :--- | :--- | - | IPv4 Address | String | No | The IPv4 address associated with the host record. - | + | IPv4 Address | Filter host records by a specific IPv4 address. | String | No + | N/A | - | IPv6 Address | String | No | The IPv6 address associated with the host record. - | + | Name | Filter host records by hostname. | String | No | N/A | - | Extended Attributes | String | No | Comma-separated key/value pairs used to - filter hosts by custom metadata (e.g., "Site=New York,Dept=IT"). | + | IPv6 Address | Filter host records by a specific IPv6 address. | String | No + | N/A | - | Limit | String | No | The maximum number of host records to return. Defaults - to 100. | + | Extended Attributes | Comma-separated key/value pairs for filtering by extensible + attributes (e.g., "Site=New York"). | String | No | N/A | + | Limit | The maximum number of host records to return. | String | No | 100 | - ### Additional Notes: - * This action does not iterate over entities in the Google SecOps case; it relies - entirely on the provided input parameters. + ### Additional Notes - * If no search criteria (Name, IPv4, IPv6, or Extended Attributes) are provided, - the action will return all host records up to the specified limit. + This action does not automatically process entities from the SecOps case. It relies + entirely on the input parameters provided in the action configuration to perform + the search. capabilities: can_create_case_comments: false can_create_insight: false @@ -1743,9 +1747,9 @@ List Host Info: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1759,6 +1763,7 @@ List Host Info: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +List Network Info: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1772,64 +1777,77 @@ List Host Info: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -List Network Info: ai_description: >- - Lists defined IPv4/IPv6 networks and subnets in Infoblox NIOS IPAM. This action - allows users to retrieve a list of network objects filtered by CIDR notation or - extended attributes. It is primarily used for network discovery and verifying - subnet configurations within the IPAM environment. + ### General Description + The **List Network Info** action retrieves a list of defined IPv4 and IPv6 networks + and subnets from the Infoblox NIOS IPAM (IP Address Management) system. It allows + analysts to search for specific network ranges using CIDR notation or filter results + based on custom extended attributes defined within Infoblox. The action is primarily + used for visibility and discovery of network infrastructure directly from the + SOAR platform. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Parameter Initialization:** The action extracts the `Network` CIDR, `Limit`, + and `Extended Attributes` from the user input. - | :--- | :--- | :--- | :--- | + 2. **Validation:** It validates that the `Limit` is a positive integer and ensures + the `Network` parameter (if provided) conforms to valid CIDR formatting. - | Network | String | No | The network address in CIDR notation (e.g., "192.168.1.0/24") - to filter the results. | + 3. **API Interaction:** The action connects to the Infoblox WAPI and performs + a GET request to the `/network` endpoint. It applies filters based on the provided + network address and parses the `Extended Attributes` string into the format required + by the Infoblox API. - | Limit | String | No | Maximum number of objects to be returned. Defaults to - 100 if not specified. | + 4. **Pagination:** If the result set is large, the action utilizes the Infoblox + paging mechanism to fetch records up to the specified `Limit`. - | Extended Attributes | String | No | Comma-separated key/value pairs used to - filter results by Infoblox extended attributes (e.g., "Site=New York,Owner=IT"). - | + 5. **Data Output:** The retrieved network details (such as network address, view, + utilization, and comments) are added to the action's JSON results and displayed + in a structured data table named "Networks". - ### Flow Description + ### Parameters Description + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | - 1. **Parameter Extraction**: The action retrieves the 'Network', 'Limit', and - 'Extended Attributes' from the input parameters. + | Network | String | No | The network address in CIDR notation (e.g., "192.168.1.0/24"). + If provided, the search is restricted to this specific network. | - 2. **Validation**: It validates that the 'Limit' is a positive integer and that - the 'Network' (if provided) follows valid CIDR notation for IPv4 or IPv6. + | Limit | String | No | The maximum number of network objects to return. Defaults + to 100 if not specified. | - 3. **API Interaction**: The action connects to the Infoblox NIOS WAPI and performs - a GET request to the `/network` endpoint, applying the provided filters and handling - pagination to respect the 'Limit'. + | Extended Attributes | String | No | A comma-separated list of key/value pairs + (e.g., "Site=New York,Department=IT") used to filter networks based on Infoblox + metadata. | + + + ### Additional Notes - 4. **Data Processing**: The retrieved network data is processed using the internal - Network data model to extract fields such as Network View, Container, Comment, - and Utilization. + * This action does not run on specific entities; it is a general search utility + that takes string inputs to query the IPAM database. - 5. **Output Generation**: The action attaches the complete JSON response to the - case and generates a 'Networks' data table displaying the first 20 results for - quick analyst review. + * The data table in the SOAR interface will display up to 20 records for readability, + while the full result set is available in the JSON output. capabilities: can_create_case_comments: false can_create_insight: false @@ -1841,9 +1859,9 @@ List Network Info: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: true + enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1857,6 +1875,7 @@ List Network Info: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1870,39 +1889,40 @@ List Network Info: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: - ai_description: "Tests the connectivity to the Infoblox NIOS server to ensure that\ - \ the integration can successfully communicate with the API. This action uses\ - \ the provided integration configuration parameters (API Root, Username, and Password)\ - \ to perform a basic authentication check and network reachability test against\ - \ the Infoblox WAPI.\n\n### Flow Description\n1. **Configuration Retrieval**:\ - \ The action starts by extracting the global integration parameters, including\ - \ the API Root URL, Username, and Password.\n2. **Manager Initialization**: It\ - \ initializes the `APIManager` which handles the HTTP session and authentication.\n\ - 3. **Connectivity Check**: The manager executes a `GET` request to the Infoblox\ - \ WAPI schema endpoint (`/?_schema`). This serves as a lightweight way to verify\ - \ that the credentials are valid and the server is reachable.\n4. **Outcome Reporting**:\ - \ \n * If the request is successful, the action returns a success message and\ - \ a result value of `True`.\n * If an exception occurs (e.g., authentication\ - \ failure, timeout, or DNS error), the action logs the error and returns a failure\ - \ message with a result value of `False`.\n\n### Parameters Description\n| Parameter\ - \ Name | Description | Type | Mandatory |\n| :--- | :--- | :--- | :--- |\n| N/A\ - \ | This action does not take any input parameters. It relies solely on the integration's\ - \ configuration settings. | N/A | N/A |\n\n### Additional Notes\n* This action\ - \ is typically used during the initial setup of the integration or for troubleshooting\ - \ communication issues between Google SecOps and the Infoblox environment." + ai_description: "### General Description\nThe **Ping** action is a diagnostic tool\ + \ used to verify the connectivity between the Google SecOps environment and the\ + \ Infoblox NIOS server. It ensures that the provided integration configuration\ + \ parameters (API Root, Username, and Password) are correct and that the Infoblox\ + \ API is reachable.\n\n### Parameters Description\nThere are no action-specific\ + \ parameters for this action. It relies entirely on the integration's global configuration\ + \ settings.\n\n### Additional Notes\n* This action performs a simple `GET` request\ + \ to the Infoblox WAPI schema endpoint (`/?_schema`) to validate the connection.\n\ + * It does not interact with or modify any DNS records, DHCP leases, or network\ + \ configurations.\n\n### Flow Description\n1. **Parameter Extraction:** The action\ + \ retrieves the global integration configuration, including the API Root, Username,\ + \ and Password.\n2. **Manager Initialization:** An instance of the `APIManager`\ + \ is initialized using the extracted credentials.\n3. **Connectivity Test:** The\ + \ action calls the `test_connectivity` method, which executes a `GET` request\ + \ to the Infoblox API schema endpoint.\n4. **Result Handling:** \n * If the\ + \ request is successful, the action returns a success message and sets the result\ + \ value to `True`.\n * If the request fails (e.g., due to network issues or\ + \ invalid credentials), the action catches the exception, logs the error, and\ + \ returns a failure message with the result value set to `False`." capabilities: can_create_case_comments: false can_create_insight: false @@ -1916,7 +1936,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1930,6 +1950,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Search RPZ Rule: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1943,86 +1964,91 @@ Ping: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Search RPZ Rule: ai_description: >- - ### General Description - Searches for specific Response Policy Zone (RPZ) rules within Infoblox NIOS. This - action allows users to query for various RPZ record types (like A, CNAME, MX, - etc.) by their name. It retrieves detailed configuration data, which is then presented - as a JSON result and a formatted data table within the SOAR case for analyst review. - - - ### Parameters Description + action allows analysts to query the Infoblox WAPI for various RPZ record types + (such as A, AAAA, CNAME, MX, etc.) based on a rule name and specific object types. + It retrieves detailed configuration data for the matching rules, which can be + used to verify existing security policies or prepare for rule modifications. - | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + ### Flow Description: - | Object Type | DDL | Yes | The Infoblox object type to search for (e.g., record:rpz:a, - record:rpz:cname). | + 1. **Parameter Initialization:** The action retrieves the Infoblox API credentials + and the user-provided search criteria, including the object type, rule name, and + desired output fields. - | Rule Name | String | No | The full name of the rule (e.g., name.domain.com). - | + 2. **Validation:** It validates the 'Limit' parameter to ensure it is a positive + integer. - | Output Fields | String | No | Comma-separated fields to include in the response. - 'name' and 'view' are included by default. | + 3. **API Query:** The action performs a GET request to the Infoblox WAPI, utilizing + pagination if the number of results exceeds the page size, up to the specified + limit. - | Limit | String | No | Maximum number of objects to return. Defaults to 100. - | + 4. **Data Processing:** The retrieved rule data is processed and formatted. If + specific output fields were requested, they are included alongside default fields + like 'name' and 'view'. + 5. **Output Generation:** The results are attached to the action as a JSON result + and displayed in a structured data table named 'RPZ Rules' within the SOAR interface. - ### Additional Notes - - This action does not process entities from the case; it relies entirely on the - provided input parameters. + ### Parameters Description: - - If 'Output Fields' are provided, the action automatically includes 'name' and - 'view' in the results. + | Parameter | Type | Mandatory | Description | - - The data table displays up to 20 records. + | :--- | :--- | :--- | :--- | + | **Object Type** | DDL | Yes | The specific Infoblox RPZ object type to search + for (e.g., `record:rpz:cname`, `record:rpz:a`, `record:rpz:txt`). | - ### Flow Description + | **Rule Name** | String | No | The full name of the rule to search for (e.g., + `malicious.domain.com.rpz_zone`). If omitted, the action may return all rules + of the specified type depending on server configuration. | - 1. Initialize the Infoblox API manager with provided credentials. + | **Output Fields** | String | No | A comma-separated list of additional fields + to include in the response (e.g., `comment`, `disable`). | - 2. Validate the 'Limit' parameter to ensure it is a positive integer. + | **Limit** | String | No | The maximum number of rule objects to return. Defaults + to 100. | - 3. Construct the API request using the specified 'Object Type' and 'Rule Name'. - 4. Execute a paginated GET request to the Infoblox WAPI. + ### Additional Notes: - 5. Process the returned rules and generate a data table for the first 20 records. + * This action does not run on entities; it is a standalone search utility based + on the provided parameters. - 6. Output the full results in JSON format. + * The data table displays a maximum of 20 records for readability, while the full + result set is available in the JSON output. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: >- - Adds a data table named 'RPZ Rules' to the case containing the search results. + internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2036,10 +2062,11 @@ Search RPZ Rule: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Update RPZ CNAME Rule: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false - add_ioc_to_blocklist: false + add_ioc_to_blocklist: true contain_host: false create_ticket: false delete_email: false @@ -2049,42 +2076,51 @@ Search RPZ Rule: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Update RPZ CNAME Rule: ai_description: >- Updates an existing Response Policy Zone (RPZ) CNAME rule in Infoblox NIOS to - modify DNS behavior. This action allows for the modification of rule types, names, - and associated zones, enabling dynamic control over DNS filtering and redirection. + modify DNS response behavior. This action allows analysts to change the policy + of a specific DNS rule, such as switching between blocking, passing through, or + substituting domain names. It interacts with the Infoblox WAPI using a PUT request + to apply changes to the rule identified by its Reference ID. - ### Flow Description + ### Flow Description: - 1. **Parameter Validation:** The action validates that the mandatory parameters - 'Reference ID', 'RP Zone', and 'Name' are provided and non-empty. + 1. **Parameter Extraction:** The action retrieves the Reference ID, Rule Type, + Name, RP Zone, and other optional parameters from the user input. - 2. **Logic Determination:** It determines the 'canonical' value for the DNS rule - based on the selected 'Rule Type' (e.g., setting it to '*' for 'Block (No data)' - or 'rpz-passthru' for 'Passthru'). + 2. **Validation:** It validates that mandatory fields (Reference ID, Name, RP + Zone) are provided and that 'Additional Parameters' is a valid JSON object. It + also ensures that a 'Substitute Name' is provided if the 'Substitute (Domain name)' + rule type is selected. - 3. **API Interaction:** It executes a PUT request to the Infoblox WAPI using the - provided 'Reference ID' to update the rule configuration. + 3. **Canonical Mapping:** Based on the selected 'Rule Type', the action determines + the correct 'canonical' value (e.g., '*' for Block No Data, 'rpz-passthru' for + Passthru, or the provided Substitute Name). - 4. **Output Generation:** Upon success, it retrieves the updated rule details, - formats them into a data table ('RPZ CNAME Rule'), and provides the raw JSON response. + 4. **API Execution:** It calls the Infoblox API via a PUT request to update the + specific rule record. + 5. **Output Generation:** Upon success, the action returns the updated rule details + in a JSON format and populates a data table for the analyst. - ### Parameters Description + + ### Parameters Description: | Parameter | Type | Mandatory | Description | @@ -2093,33 +2129,34 @@ Update RPZ CNAME Rule: | Reference ID | String | Yes | The unique reference ID of the existing RPZ rule to be updated. | - | Rule Type | DDL | Yes | The behavior of the rule. Options: Passthru, Block (No - such Domain), Block (No data), Substitute (Domain name). | + | Rule Type | DDL | Yes | The desired DNS behavior: Passthru, Block (No such Domain), + Block (No data), or Substitute (Domain name). | | Name | String | Yes | The rule name in FQDN format. | - | RP Zone | String | Yes | The Response Policy Zone to which the rule is assigned. + | RP Zone | String | Yes | The Response Policy Zone to which the rule belongs. | - | Comment | String | No | An optional comment or description for the rule. | + | Comment | String | No | An optional comment to associate with the rule. | - | Substitute Name | String | No | The domain name to substitute. Required only - if 'Rule Type' is set to 'Substitute (Domain name)'. | + | Substitute Name | String | No | The domain name to substitute. **Mandatory** + if Rule Type is 'Substitute (Domain name)'. | | View | String | No | The DNS view where the record is located. Defaults to 'default'. | - | Additional Parameters | String | No | A JSON object containing any additional - Infoblox API parameters for rule modification. | + | Additional Parameters | String | No | A JSON object containing any extra parameters + supported by the Infoblox WAPI for RPZ rules. | - ### Additional Notes + ### Additional Notes: - - If 'Rule Type' is 'Substitute (Domain name)', the 'Substitute Name' parameter - must be provided. + - The 'Substitute (Domain name)' rule type is only applicable to standard CNAME + rules and cannot be used if the Reference ID points to an IP Address or Client + IP Address object type. - - The action will fail if the 'Reference ID' does not exist or if the 'Substitute - (Domain name)' type is applied to IP-based RPZ rules. + - If the 'Rule Type' is 'Passthru' and the reference ID indicates a client IP + address, the canonical value is automatically set to 'rpz-passthru'. capabilities: can_create_case_comments: false can_create_insight: false @@ -2128,15 +2165,14 @@ Update RPZ CNAME Rule: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates an existing RPZ CNAME rule configuration in the Infoblox NIOS system - via a PUT request, which changes the DNS resolution behavior for the specified - domain or IP. + Updates an existing RPZ CNAME rule in Infoblox NIOS via a PUT request to the + WAPI. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2150,28 +2186,3 @@ Update RPZ CNAME Rule: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/partner/infoblox_threat_defense_with_ddi/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/infoblox_threat_defense_with_ddi/resources/ai/actions_ai_description.yaml index 20cd67225..3fbfb20cd 100644 --- a/content/response_integrations/third_party/partner/infoblox_threat_defense_with_ddi/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/infoblox_threat_defense_with_ddi/resources/ai/actions_ai_description.yaml @@ -1,9 +1,38 @@ Create Custom List: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- Creates a new custom list in Infoblox Threat Defense for use in security policies. - This action allows users to define a list of indicators (IPv4, IPv6, or domains) - along with metadata such as threat level, confidence level, and tags. The created - list can then be referenced in security policies to manage traffic filtering. + This action allows users to define a list of indicators (IP addresses or domains) + along with metadata such as confidence levels, threat levels, and tags. The action + validates the format of the provided indicators before submission and outputs + the details of the created list into a data table on the case wall. ### Parameters @@ -12,64 +41,67 @@ Create Custom List: | :--- | :--- | :--- | :--- | - | Name | String | Yes | The unique name of the Custom List to create. | - - | Type | String | Yes | The type of Custom List (default: 'custom_list'). | + | Name | string | True | The unique name of the Custom List to be created. | - | Items | String | No | Comma-separated indicators (IPs or domains) to include - in the list. | + | Type | string | True | The type of Custom List (default is 'custom_list'). | - | Description | String | No | A brief description of the list's purpose. | + | Items | string | False | Comma-separated list of indicators (IPv4, IPv6, or + domains) to include in the list. | - | Confidence Level | DDL | No | Confidence level for the list (High, Medium, Low). + | Description | string | False | A brief description of the Custom List's purpose. | - | Threat Level | DDL | No | Threat level for the list (High, Medium, Low, Info). - | + | Confidence Level | ddl | False | The confidence level for the list (High, Medium, + Low). Default is High. | - | Tags | String | No | A JSON object string representing tags for categorization. - | + | Threat Level | ddl | False | The threat level for the list (High, Medium, Low, + Info). Default is Low. | + + | Tags | string | False | A JSON object string representing tags to categorize + the list (e.g., '{"key": "value"}'). | ### Additional Notes - - The 'Tags' parameter must be a valid JSON object string (e.g., '{"key": "value"}'). + - The 'Items' parameter must contain valid IPv4, IPv6, or domain name formats; + otherwise, the action will fail validation. - - The 'Items' parameter is validated to ensure all entries are valid IPv4, IPv6, - or domain formats. + - The 'Tags' parameter must be a valid JSON object string. ### Flow Description - 1. **Parameter Extraction:** Retrieves the list name, type, items, and metadata - from the action input. - - 2. **Validation:** Validates that the name and type are provided and that any - items provided follow valid IP or domain formats. + 1. **Parameter Extraction:** The action retrieves the integration configuration + and action parameters provided by the user. - 3. **Payload Construction:** Builds the request body, including optional fields - like description and tags (parsed from JSON). + 2. **Validation:** It validates that mandatory fields are present, checks that + the 'Items' string contains valid network indicators, and ensures 'Tags' is a + valid JSON object. - 4. **API Interaction:** Sends a POST request to the Infoblox `/api/atcfw/v1/named_lists` - endpoint. + 3. **API Request:** It constructs a payload and sends a POST request to the Infoblox + API endpoint `/api/atcfw/v1/named_lists` to create the resource. - 5. **Result Processing:** Returns the API response as JSON and populates a data - table with the new list's details. + 4. **Result Processing:** Upon success, the action parses the API response, adds + the raw JSON to the action results, and generates a data table named 'Custom List + Details' for the case wall. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: true - can_mutate_internal_data: false + can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: >- - Creates a new custom list resource in Infoblox Threat Defense. - fetches_data: false - internal_data_mutation_explanation: null + Creates a new custom list resource in the Infoblox Threat Defense platform via + a POST request. + fetches_data: true + internal_data_mutation_explanation: >- + Adds a data table containing the created custom list details to the Google SecOps + case wall. categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -83,6 +115,7 @@ Create Custom List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Create Network List: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -96,64 +129,63 @@ Create Custom List: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Create Network List: ai_description: >- ### General Description Creates a new network list in Infoblox Threat Defense. Network lists are used - to group IP addresses or CIDR blocks, which can then be referenced in security - policies to define where specific security rules should be applied. + to define specific sets of IP addresses or CIDR blocks where security policies + should be applied. This action allows for the programmatic creation of these containers + to streamline security policy management. ### Parameters Description - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Name | String | Yes | The unique name for the network list to be created. | - | Items | String | Yes | A comma-separated list of IP addresses or CIDR blocks - to include in the network list. | + | Parameter | Description | Type | Mandatory | - | Description | String | No | A descriptive text providing more context about - the network list. | + | :--- | :--- | :--- | :--- | + | Name | The unique name for the network list being created. | String | Yes | - ### Additional Notes + | Items | A comma-separated list of items (e.g., IPv4 addresses, IPv6 addresses, + or CIDR blocks) to be included in the network list. | String | Yes | - This action does not operate on SecOps entities. It uses the provided input parameters - to create a resource directly in the Infoblox platform. If the network list name - already exists, the action will fail. + | Description | A brief explanation or context for the network list. | String + | No | ### Flow Description - 1. **Parameter Extraction**: The action retrieves the `Name`, `Items`, and `Description` + 1. **Parameter Extraction:** The action retrieves the `Name`, `Items`, and `Description` from the user input. - 2. **Validation**: It ensures that the mandatory `Name` and `Items` fields are - populated and converts the comma-separated `Items` string into a list format. + 2. **Validation:** It validates that the `Name` and `Items` strings are not empty + and converts the `Items` string into a list format. - 3. **API Interaction**: The action sends a POST request to the Infoblox API endpoint - `/api/atcfw/v1/network_lists` with the provided details. + 3. **API Interaction:** The action uses the `APIManager` to send a POST request + to the Infoblox `/api/atcfw/v1/network_lists` endpoint with the provided details. - 4. **Result Processing**: Upon success, it parses the response into a `NetworkList` - data model, adds the raw JSON to the action results, and creates a data table - named 'Network List Details' containing the ID, Name, and Security Policy ID of - the new list. + 4. **Data Processing:** Upon a successful response, the action parses the returned + data into a `NetworkList` object. + + 5. **Output Generation:** The action populates a data table named "Network List + Details" with the ID, Name, and Description of the new list and provides the full + raw JSON response for further use in playbooks. capabilities: can_create_case_comments: false can_create_insight: false @@ -169,7 +201,7 @@ Create Network List: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -183,6 +215,7 @@ Create Network List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Create Security Policy: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -196,93 +229,94 @@ Create Network List: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Create Security Policy: ai_description: >- - Creates a new security policy in Infoblox Threat Defense. This action allows for - the comprehensive definition of security policies, including rules, network list - associations, DNS Forwarding Proxy (DFP) assignments, and roaming device group - configurations. It also supports enabling security features such as DNS rebinding - protection and safe search filtering. - + ### General Description - ### Flow Description: + Creates a new security policy in Infoblox Threat Defense. This action allows for + the programmatic creation of security policies, enabling automated management + of DNS security rules, network lists, and device group associations. It is useful + for establishing baseline security postures or dynamically creating policies during + incident response. - 1. **Parameter Extraction:** The action retrieves the policy name, description, - rules, network lists, DFPs, roaming device groups, and other configuration settings - from the input parameters. - 2. **Validation:** It validates that the mandatory 'Policy Name' is provided and - ensures that complex parameters like 'Rules', 'Tags', and 'Additional Parameters' - are valid JSON strings. + ### Parameters Description - 3. **Payload Construction:** A JSON payload is constructed, converting comma-separated - lists into integer arrays and parsing JSON strings into objects. + | Parameter | Type | Mandatory | Description | - 4. **API Interaction:** The action sends a POST request to the Infoblox API to - create the security policy. + | :--- | :--- | :--- | :--- | - 5. **Result Processing:** Upon success, the action returns the raw JSON response - and populates a data table with the new policy's ID, name, description, and default - action. + | Policy Name | String | Yes | The unique name for the new security policy. | + | Description | String | No | A brief explanation of the policy's purpose. | - ### Parameters Description: + | Rules | String | No | A JSON array of rule objects, each containing fields like + action, type, and data. | + | Network Lists | String | No | Comma-separated IDs of network lists to associate + with this policy. | - | Parameter | Type | Mandatory | Description | + | DFPS | String | No | Comma-separated IDs of DNS Forwarding Proxies to associate + with this policy. | - | :--- | :--- | :--- | :--- | + | Roaming Device Groups | String | No | Comma-separated IDs of Roaming Device + Groups to associate with this policy. | - | Policy Name | String | True | The unique name for the new security policy. | + | Block DNS Rebinding | Boolean | No | Specify whether to block DNS rebinding + attacks. Defaults to false. | - | Description | String | False | A brief description of the security policy's - purpose. | + | Safe Search | Boolean | No | Specify whether to enable safe search filtering. + Defaults to false. | - | Rules | String | False | A JSON array of rule objects defining actions (e.g., - block, allow) and criteria. | + | Tags | String | No | A JSON object containing tags used to categorize and organize + the Security Policy. | - | Network Lists | String | False | Comma-separated IDs of network lists to associate - with the policy. | + | Additional Parameters | String | No | A JSON object containing advanced parameters + such as precedence, doh_enabled, or ecs. | - | DFPS | String | False | Comma-separated IDs of DNS Forwarding Proxies to associate - with the policy. | - | Roaming Device Groups | String | False | Comma-separated IDs of roaming device - groups to associate with the policy. | + ### Flow Description - | Block DNS Rebinding | Boolean | False | If true, enables protection against - DNS rebinding attacks. Default is false. | + 1. **Parameter Extraction:** The action retrieves the integration configuration + (API Root, API Key) and all user-provided action parameters. - | Safe Search | Boolean | False | If true, enables safe search filtering for the - policy. Default is false. | + 2. **Validation:** Validates that the 'Policy Name' is non-empty and ensures that + 'Rules', 'Tags', and 'Additional Parameters' are valid JSON strings if provided. - | Tags | String | False | A JSON object containing key-value pairs for categorizing - the policy. | + 3. **Payload Construction:** Constructs a structured JSON payload for the Infoblox + API. It parses comma-separated strings for network lists and device groups into + integer lists and validates that 'Additional Parameters' only contains supported + keys. - | Additional Parameters | String | False | A JSON object for advanced fields like - precedence, access_codes, or doh_enabled. | + 4. **API Execution:** Sends a POST request to the Infoblox `/api/atcfw/v1/security_policies` + endpoint via the APIManager. + 5. **Result Processing:** Upon success, the action returns the full API response + as a JSON result and populates a data table named 'Security Policy Details' with + the ID, name, and description of the newly created policy. - ### Additional Notes: - - The 'Rules' parameter must be a valid JSON array of objects. + ### Additional Notes - - The 'Tags' and 'Additional Parameters' must be valid JSON objects. + - The `Rules` parameter must be formatted as a JSON array of objects. - - Network Lists, DFPS, and Roaming Device Groups should be provided as comma-separated - numeric IDs. + - Supported keys for `Additional Parameters` include: `precedence`, `access_codes`, + `doh_enabled`, `doh_fqdn`, `ecs`, `onprem_resolve`, `dfp_services`, `net_address_dfps`, + `user_groups`, and `default_redirect_name`. capabilities: can_create_case_comments: false can_create_insight: false @@ -291,14 +325,14 @@ Create Security Policy: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new security policy configuration within the Infoblox Threat Defense - platform. + Creates a new security policy resource in the Infoblox Threat Defense platform + via a POST request. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -312,6 +346,7 @@ Create Security Policy: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +DHCP Lease Lookup: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -322,91 +357,64 @@ Create Security Policy: disable_identity: false download_file: false enable_identity: false - enrich_asset: false + enrich_asset: true enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: true search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -DHCP Lease Lookup: - ai_description: >- - ### General Description - - This action retrieves DHCP lease information from Infoblox based on specific filter - criteria provided by the user. It is primarily used to identify the hardware (MAC - address), hostname, and state of a lease associated with a particular IP address - or other network identifiers. The results are returned as a raw JSON object and - a formatted data table within the Google SecOps platform. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | DHCP Lease Filter | string | No | A logical expression used to filter DHCP leases. - For example: `address == "192.168.1.10"` or `hostname == "workstation-01"`. | - - | Offset | string | No | The starting point for pagination. Defaults to "0". | - - | Limit | string | No | The maximum number of lease records to return. Defaults - to "100". | - - | Order By | string | No | A comma-separated list of fields to sort the results - by (e.g., `address asc`). | - - - ### Additional Notes - - - This action does not automatically process entities from the current alert or - case. It relies entirely on the `DHCP Lease Filter` parameter to define the search - scope. - - - The data table displayed in the UI is limited to the first 20 records for readability, - while the full result set is available in the JSON output. - - - ### Flow Description - - 1. **Parameter Extraction:** The action retrieves the filter, offset, limit, and - sorting parameters from the user input. - - 2. **Validation:** It validates that the `Offset` and `Limit` parameters are valid - non-negative integers. - - 3. **API Interaction:** It sends a GET request to the Infoblox DDI API endpoint - `/api/ddi/v1/dhcp/lease` with the specified filters and pagination settings. - - 4. **Data Processing:** The raw API response is captured. If records are found, - they are mapped to a internal data model. - - 5. **Output Generation:** The action attaches the full JSON response to the script - results and constructs a CSV-formatted data table named "DHCP Leases" for the - analyst view. + ai_description: "### General Description\nRetrieves DHCP lease information from\ + \ Infoblox Threat Defense with DDI based on specified filter criteria. This action\ + \ allows analysts to look up details such as IP addresses, hostnames, MAC addresses,\ + \ and lease states (e.g., used, free) to gain context about network assets and\ + \ their historical or current assignments.\n\n### Parameters Description\n| Parameter\ + \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| DHCP Lease\ + \ Filter | string | No | A logical expression used to filter DHCP leases (e.g.,\ + \ `address == \"192.168.1.10\"` or `hostname == \"workstation-01\"`). |\n| Offset\ + \ | string | No | The starting point for pagination. Defaults to \"0\". |\n| Limit\ + \ | string | No | The maximum number of results to return. Defaults to \"100\"\ + . |\n| Order By | string | No | Comma-separated fields to sort the results (e.g.,\ + \ `address asc`). Supports dot notation for nested fields. |\n\n### Flow Description\n\ + 1. **Parameter Initialization:** The action extracts the integration configuration\ + \ (API Root, API Key) and the user-provided parameters (Filter, Offset, Limit,\ + \ Order By).\n2. **Validation:** The `Offset` and `Limit` parameters are validated\ + \ to ensure they are non-negative integers.\n3. **API Request:** The action calls\ + \ the Infoblox API's DHCP lease endpoint (`/api/ddi/v1/dhcp/lease`) using a GET\ + \ request with the specified filters and pagination settings.\n4. **Data Processing:**\ + \ \n * The raw JSON response is attached to the action results.\n * If records\ + \ are found, the action parses them into a structured format and creates a data\ + \ table named \"DHCP Leases\" (showing up to 20 records) for display in the case\ + \ wall.\n5. **Completion:** The action returns a success message indicating the\ + \ number of records retrieved or a failure message if an error occurs during the\ + \ API call." capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: false + can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: null + internal_data_mutation_explanation: >- + Adds a data table named 'DHCP Leases' to the Google SecOps case containing the + retrieved lease records. categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -420,6 +428,7 @@ DHCP Lease Lookup: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +DNS Record Lookup: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -433,55 +442,96 @@ DHCP Lease Lookup: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: true send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -DNS Record Lookup: ai_description: >- - ### General Description\nPerforms a DNS record query within Infoblox Threat Defense - and DDI to retrieve associated IP addresses or domains. This action allows users - to search for specific DNS records using flexible filtering criteria, including - record types, zone names, and tags. It supports pagination and custom sorting - to manage large result sets. The retrieved data is presented as a JSON object - and a formatted data table for analyst review.\n\n### Flow Description\n1. **Parameter - Initialization:** Retrieves and validates input parameters including DNS filters, - tag filters, pagination offsets, and limits.\n2. **API Request:** Executes a GET - request to the Infoblox DDI API endpoint for DNS records.\n3. **Data Processing:** - Parses the API response into structured DNS record models.\n4. **Output Generation:** - Populates the action results with the raw JSON response and creates a 'DNS Records' - data table in the SecOps case.\n\n### Parameters Description\n| Parameter | Type - | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| DNS Record Filter - | String | No | Logical expression to filter DNS records (e.g., `type=='PTR'`). - |\n| Tag Filter | String | No | Logical expression to filter records by assigned - tags. |\n| Offset | String | No | The starting index for pagination (defaults - to 0). |\n| Limit | String | No | The maximum number of records to return (defaults - to 100). |\n| Order By | String | No | Comma-separated fields to sort results - (e.g., `name desc`). |\n\n### Additional Notes\nThis action does not run on specific - entities but rather performs a global search based on the provided parameters. + ### General Description + + Performs a DNS record query in Infoblox Threat Defense with DDI to retrieve associated + IP addresses or domains based on user-defined filter criteria. This action is + useful for broad searches across the DNS infrastructure, allowing analysts to + find records matching specific types, zones, or tags without needing to target + a specific entity. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | DNS Record Filter | String | No | Filter DNS records by specific criteria using + logical expressions (e.g., `type=="PTR"` and `absolute_zone_name == "Test"`). + | + + | Tag Filter | String | No | Filter DNS records by specific tags using logical + expressions (e.g., `'nios/federation_enabled'==true`). | + + | Offset | String | No | Specify the offset from where to start pagination. Defaults + to "0". | + + | Limit | String | No | Specify the maximum number of results to return. Defaults + to "100". | + + | Order By | String | No | Comma-separated JSON fields to sort the results. Supports + `asc` or `desc` for direction and dot notation for nested fields. | + + + ### Additional Notes + + - This action does not process specific SecOps entities; it is a global lookup + action based on the provided filter parameters. + + - The action limits the number of records displayed in the UI data table to a + predefined maximum (20) to ensure readability, while the full result set is available + in the JSON output. + + + ### Flow Description + + 1. **Parameter Initialization**: The action retrieves the integration configuration + and extracts the user-provided filters, pagination, and sorting parameters. + + 2. **Validation**: The `Offset` and `Limit` parameters are validated to ensure + they are valid, non-negative integers. + + 3. **API Request**: The action calls the Infoblox API manager to perform a GET + request against the DNS record endpoint (`/api/ddi/v1/dns/record`) using the constructed + query parameters. + + 4. **Data Processing**: The raw API response is parsed, and the DNS records are + mapped to the `DNSRecord` data model. + + 5. **Output Generation**: The action populates a data table named "DNS Records" + with the formatted results and attaches the complete raw JSON response to the + action results. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: >- - Adds a data table to the case containing the retrieved DNS record information. + internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -495,6 +545,7 @@ DNS Record Lookup: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Custom List: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -508,27 +559,30 @@ DNS Record Lookup: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Custom List: ai_description: >- ### General Description - The **Get Custom List** action retrieves the contents and metadata of custom lists - from Infoblox Threat Defense. This action allows analysts to audit existing lists, - verify configurations such as threat levels and confidence scores, or discover - list IDs for use in other automation tasks. It supports fetching a specific list - by its unique ID or searching for lists based on name, type, and tags. + Retrieves the contents and metadata of custom lists from Infoblox Threat Defense. + This action allows users to fetch a specific list by its unique ID or search for + multiple lists using names, types, or tag-based filters. The retrieved data includes + list identifiers, names, descriptions, threat levels, and item counts. Results + are presented in both a structured data table for quick review and a raw JSON + format for downstream automation. ### Parameters Description @@ -537,59 +591,59 @@ Get Custom List: | :--- | :--- | :--- | :--- | - | **Custom List ID** | String | No | The unique identifier of the specific custom - list to retrieve. If provided, this takes precedence over other filters. | + | Custom List ID | String | No | The unique identifier of the custom list to retrieve. + If provided, other filters like Name and Tags are ignored. | - | **Name** | String | No | The name of the custom list to search for. This parameter - is used in conjunction with the **Type** parameter. | + | Name | String | No | The name of the custom list to search for. This parameter + is used in conjunction with 'Type'. | - | **Type** | String | No | The type of the custom list (e.g., 'custom_list'). - Defaults to 'custom_list'. | + | Type | String | No | The type of the custom list (default: 'custom_list'). Required + when searching by Name. | - | **Tag Filter** | String | No | Filter security policies or lists by specific - tags using the format `'tag_name'='tag_value'`. | + | Tag Filter | String | No | Filter security policies or lists by specific tags + using the format: `'tag_name'='tag_value'`. | - | **Tag Sort Filter** | String | No | Sort the retrieved custom lists based on - specific tags (e.g., 'Test1'). | + | Tag Sort Filter | String | No | Sort the retrieved custom lists based on specific + tags (e.g., 'Test1'). | - | **Offset** | String | No | The starting point for pagination (default is '0'). + | Offset | String | No | Specify the starting point for pagination (default: '0'). | - | **Limit** | String | No | The maximum number of results to return (default is + | Limit | String | No | Specify the maximum number of results to return (default: '100'). | ### Additional Notes - - If **Custom List ID** is provided, the action fetches that specific list directly, - ignoring other filters. + - **Priority Logic**: If 'Custom List ID' is provided, the action fetches that + specific list. If 'Name' and 'Type' are both provided, the action searches for + lists matching those criteria. Otherwise, it uses the 'Tag Filter' and 'Tag Sort + Filter'. - - If both **Name** and **Type** are provided, the action performs a targeted search - for a list matching those criteria. - - - If no specific identifiers are provided, the action returns a paginated list - of all available custom lists, optionally filtered by tags. + - **Table Constraints**: The 'Custom List Details' table displays a maximum of + 20 records, even if the 'Limit' parameter is set higher. The full set of results + is always available in the JSON output. ### Flow Description - 1. **Parameter Extraction:** The action extracts the API configuration and user-provided - search parameters from the environment. + 1. **Parameter Initialization**: Extracts configuration (API Root, API Key) and + action parameters (ID, Name, Filters, Pagination). + + 2. **Input Validation**: Validates that 'Offset', 'Limit', and 'Custom List ID' + (if provided) are valid non-negative integers. - 2. **Validation:** Integer-based parameters such as `Offset`, `Limit`, and `Custom - List ID` are validated to ensure they are non-negative integers. + 3. **API Request Construction**: Determines the correct Infoblox endpoint based + on the provided parameters, prioritizing specific IDs over general filters. - 3. **API Request:** The action constructs a GET request to the Infoblox API. The - endpoint varies based on whether a specific ID, a name/type pair, or general filters - are provided. + 4. **Data Retrieval**: Executes a GET request to the Infoblox Threat Defense API + to fetch the list data. - 4. **Data Processing:** The raw API response is parsed using the `CustomList` - data model to extract key fields like ID, Name, Description, Confidence Level, - and Threat Level. + 5. **Data Modeling**: Maps the raw API response to internal `CustomList` data + models to extract key fields like Threat Level and Item Count. - 5. **Output Generation:** The action populates a data table titled 'Custom List - Details' with the processed information and attaches the full raw JSON response - to the action results. + 6. **Output Generation**: Produces a CSV-formatted data table for the UI and attaches + the complete JSON response to the action result. capabilities: can_create_case_comments: false can_create_insight: false @@ -603,7 +657,7 @@ Get Custom List: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -617,6 +671,7 @@ Get Custom List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Indicator Intel Lookup Result: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -628,36 +683,47 @@ Get Custom List: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: false + enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Indicator Intel Lookup Result: - ai_description: >- - ### General Description: Retrieves the results of a previously initiated Dossier - lookup job for indicators (IP, URL, Host, Email, or Hash) from Infoblox Threat - Defense. This action is used to fetch detailed threat intelligence data once a - background lookup job has been completed. ### Parameters Description: 1. Job ID - (String, Mandatory): The unique identifier of the Dossier lookup job to retrieve - results for. ### Flow Description: 1. Parameter Extraction: Retrieves the Job - ID from the action input. 2. API Request: Calls the Infoblox API endpoint /tide/api/services/intel/lookup/jobs/{job_id}/results - to fetch the job status and data. 3. Data Processing: Parses the returned JSON, - mapping results to the IndicatorIntelLookupResult data model. 4. Output Generation: - Adds the complete raw response to the action results and constructs a data table - showing up to 20 dossier records, including source, status, and truncated data - details. ### Additional Notes: This action does not run on entities directly; - it requires a valid Job ID generated by a preceding 'Initiate Indicator Intel - Lookup With Dossier' action. + ai_description: "### General Description\nThe **Get Indicator Intel Lookup Result**\ + \ action retrieves the results of a Dossier lookup job previously initiated in\ + \ Infoblox Threat Defense. This action is designed to fetch comprehensive threat\ + \ intelligence for indicators such as IP addresses, URLs, Hostnames, Email addresses,\ + \ and File Hashes using a specific Job ID. It is typically used in automated workflows\ + \ to poll for results after an asynchronous investigation has been started.\n\n\ + ### Parameters Description\n| Parameter | Type | Mandatory | Description |\n|\ + \ :--- | :--- | :--- | :--- |\n| **Job ID** | string | Yes | The unique identifier\ + \ of the Dossier lookup job for which results are being requested. This ID is\ + \ obtained from the 'Initiate Indicator Intel Lookup With Dossier' action. |\n\ + \n### Flow Description\n1. **Parameter Extraction:** The action extracts the `Job\ + \ ID` from the input parameters and validates that it is a non-empty string.\n\ + 2. **API Interaction:** It connects to the Infoblox API and performs a GET request\ + \ to the Dossier results endpoint using the provided Job ID.\n3. **Data Parsing:**\ + \ The action processes the API response, converting the raw data into a structured\ + \ format. It specifically extracts fields like the intelligence source, status,\ + \ and timestamp.\n4. **Result Reporting:** \n * The full JSON response from\ + \ the API is attached to the action results.\n * A data table named \"Dossier\ + \ Lookup Results\" is generated, displaying up to 20 records for quick analyst\ + \ review.\n5. **Finalization:** The action completes with a success message indicating\ + \ the number of dossier results retrieved for the given Job ID.\n\n### Additional\ + \ Notes\nThis action does not interact with SecOps entities directly; it operates\ + \ solely based on the provided `Job ID`. If the Job ID does not exist or the API\ + \ returns an error, the action will fail with a descriptive error message." capabilities: can_create_case_comments: false can_create_insight: false @@ -671,7 +737,7 @@ Get Indicator Intel Lookup Result: categories: enrichment: true entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -685,6 +751,7 @@ Get Indicator Intel Lookup Result: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Network List: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -696,29 +763,31 @@ Get Indicator Intel Lookup Result: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: true + enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Network List: ai_description: >- ### General Description The **Get Network List** action retrieves the contents and metadata of network - lists from the Infoblox Threat Defense platform. This action allows analysts to - fetch specific network lists by their unique ID or to search through available - lists using logical filter expressions. It is useful for auditing network configurations - or dynamically retrieving list details for use in security playbooks. + lists from Infoblox Threat Defense. It allows users to fetch a specific list by + its unique identifier or search for multiple lists using logical filter expressions. + This action is primarily used for auditing existing network configurations or + verifying the contents of CIDR/IP blocks managed within the Infoblox environment. ### Parameters Description @@ -727,47 +796,49 @@ Get Network List: | :--- | :--- | :--- | :--- | - | Network List ID | String | No | The unique identifier of a specific network - list. If provided, the action fetches this specific list directly, ignoring other - filters. | + | **Network List ID** | String | No | The unique identifier of the network list + to retrieve. If provided, the action fetches only this specific list and ignores + the filter parameter. | - | Security Network Filter | String | No | A logical expression string (e.g., `name - == 'net_list1'`) used to filter the collection of network lists returned by the - API. | + | **Security Network Filter** | String | No | A logical expression string (e.g., + `name == 'net_list1'`) used to filter the returned network lists based on specific + criteria. | - | Offset | String | No | The pagination offset specifying the starting point of - the results. Defaults to "0". | + | **Offset** | String | No | The pagination offset indicating where to start the + results. Default is "0". | - | Limit | String | No | The maximum number of network lists to return in the response. - Defaults to "100". | + | **Limit** | String | No | The maximum number of results to return in a single + request. Default is "100". | - ### Additional Notes + ### Flow Description - - The action validates that the `Network List ID`, `Offset`, and `Limit` are valid - non-negative integers before execution. + 1. **Parameter Initialization**: The action extracts the API configuration (Root, + Key, SSL) and the user-provided parameters including the Network List ID, filter, + offset, and limit. - - Results are presented in a structured data table (limited to the first 20 records - for display) and the full raw response is attached as a JSON result. + 2. **Validation**: It validates that the `Network List ID` (if provided), `Offset`, + and `Limit` are valid non-negative integers. + 3. **API Request**: It sends a GET request to the Infoblox `/api/atcfw/v1/network_lists` + endpoint. If a specific `Network List ID` is provided, it appends the ID to the + URL to target that specific resource. - ### Flow Description + 4. **Data Processing**: The retrieved JSON data is added to the action's result + JSON. - 1. **Parameter Initialization**: The action extracts integration configuration - (API Root, API Key) and user-provided parameters. + 5. **Output Generation**: If results are found, the action creates a data table + in the SOAR case displaying the Network List ID, Name, Description, and Security + Policy ID for up to 20 records. - 2. **Validation**: It validates that the pagination parameters and the Network - List ID (if provided) are correctly formatted integers. - 3. **API Request**: The action performs a GET request to the Infoblox `/api/atcfw/v1/network_lists` - endpoint. If a specific ID is provided, it targets that resource directly. + ### Additional Notes - 4. **Data Parsing**: The raw API response is processed using the `NetworkList` - data model to extract relevant fields like Name, Description, and Security Policy - ID. + - If the **Network List ID** is provided, the **Security Network Filter** is ignored + by the Infoblox API. - 5. **Output Generation**: The action populates a SOAR data table with the retrieved - network list information and provides the full JSON payload for downstream tasks. + - The action supports pagination through the **Offset** and **Limit** parameters + to handle large sets of network lists. capabilities: can_create_case_comments: false can_create_insight: false @@ -781,7 +852,7 @@ Get Network List: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -795,6 +866,7 @@ Get Network List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get SOC Insights Assets: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -805,104 +877,73 @@ Get Network List: disable_identity: false download_file: false enable_identity: false - enrich_asset: false + enrich_asset: true enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: true search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get SOC Insights Assets: - ai_description: >- - Retrieves a list of assets associated with a specific SOC Insight ID from Infoblox - Threat Defense. This action allows analysts to identify which devices or users - were involved in a particular security insight, providing critical context for - investigation. The results can be filtered by IP address, MAC address, operating - system version, or associated user, and the output is presented both as a raw - JSON and a formatted data table within the case. - - - ### Parameters Description - - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Insight ID | String | Yes | The unique identifier of the Infoblox SOC Insight - to query assets for. | - - | Asset IP | String | No | Filter the results to only include assets matching - this IP address. | - - | MAC Address | String | No | Filter the results to only include assets matching - this MAC address. | - - | OS Version | String | No | Filter the results to only include assets running - this specific operating system version. | - - | User | String | No | Filter the results to only include assets associated with - this specific username. | - - | Limit | String | No | The maximum number of asset records to return (default - is 100). | - - | From | String | No | Filter for assets changed after this timestamp (Format: - YYYY-MM-DDTHH:mm:ss.SSS). | - - | To | String | No | Filter for assets changed before this timestamp (Format: - YYYY-MM-DDTHH:mm:ss.SSS). | - - - ### Additional Notes - - - This action does not run on entities; it requires a specific Insight ID as input. - - - The data table displayed in the UI is limited to the first 20 records for readability, - while the full results are available in the JSON output. - - - ### Flow Description - - 1. **Parameter Extraction:** The action retrieves the Insight ID and optional - filters (IP, MAC, OS, User, Time range, and Limit) from the user input. - - 2. **Validation:** It validates that the Insight ID is provided and that the Limit - is a valid positive integer. - - 3. **API Request:** It sends a GET request to the Infoblox API endpoint for the - specified Insight's assets, applying the provided filters as query parameters. - - 4. **Data Processing:** The response is parsed, and asset data is mapped to a - structured data model. - - 5. **Output Generation:** The action adds the full API response as a JSON result - and constructs a CSV-formatted data table named 'Assets' containing key details - like IP, MAC, OS, and User for the retrieved assets. + ai_description: "### General Description\nThis action retrieves a detailed list\ + \ of assets associated with a specific Infoblox SOC Insight ID. It allows analysts\ + \ to identify which resources (IP addresses, MAC addresses, hostnames) were involved\ + \ in a particular threat insight. The action supports various filters to narrow\ + \ down the asset list and provides the results in both a structured data table\ + \ and a raw JSON format for downstream processing.\n\n### Parameters Description\n\ + | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ + | Insight ID | String | Yes | The unique identifier of the SOC Insight from which\ + \ to retrieve associated assets. |\n| Asset IP | String | No | Filters the results\ + \ to include only assets matching this specific IP address. |\n| MAC Address |\ + \ String | No | Filters the results to include only assets matching this specific\ + \ MAC address. |\n| OS Version | String | No | Filters the results to include\ + \ only assets running this specific operating system version. |\n| User | String\ + \ | No | Filters the results to include only assets associated with this specific\ + \ username. |\n| Limit | String | No | The maximum number of asset records to\ + \ return. Defaults to 100. |\n| From | String | No | Filters for assets changed\ + \ after this timestamp. Expected format: `YYYY-MM-DDTHH:mm:ss.SSS`. |\n| To |\ + \ String | No | Filters for assets changed before this timestamp. Expected format:\ + \ `YYYY-MM-DDTHH:mm:ss.SSS`. |\n\n### Flow Description\n1. **Parameter Extraction:**\ + \ The action extracts the mandatory `Insight ID` and optional filter parameters\ + \ (IP, MAC, OS, User, Time range, and Limit) from the environment.\n2. **Validation:**\ + \ It validates that the `Insight ID` is provided and that the `Limit` is a valid\ + \ positive integer.\n3. **API Request:** The action calls the Infoblox API via\ + \ the `APIManager` to fetch asset data associated with the specified Insight ID,\ + \ applying all provided filters as query parameters.\n4. **Data Processing:**\ + \ The retrieved asset data is parsed into `SOCInsightAsset` data models.\n5. **Output\ + \ Generation:** \n * The full API response is added as a JSON result.\n \ + \ * A data table named \"Assets\" is created, containing key details like\ + \ Asset IP, MAC Address, Threat Level, OS Version, and User (up to a maximum of\ + \ 20 records for display).\n6. **Completion:** The action concludes with a success\ + \ message indicating the number of assets found.\n\n### Additional Notes\n* \ + \ If no assets are found for the provided Insight ID, the action will complete\ + \ successfully but report that no assets were found.\n* The data table is limited\ + \ to showing the first 20 records to maintain performance and readability within\ + \ the UI, while the full result set is available in the JSON output." capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: >- - Adds a data table named 'Assets' to the Google SecOps case containing details - of the retrieved assets. + internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -916,6 +957,7 @@ Get SOC Insights Assets: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get SOC Insights Comments: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -926,48 +968,50 @@ Get SOC Insights Assets: disable_identity: false download_file: false enable_identity: false - enrich_asset: true + enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: true remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get SOC Insights Comments: ai_description: "### General Description\nRetrieves the list of comments associated\ - \ with a specific SOC Insight from Infoblox Threat Defense. This action allows\ - \ security analysts to view the chronological history of notes, status changes,\ - \ and manual entries associated with an insight, providing critical context for\ - \ investigation. It supports time-based filtering to narrow down results to a\ - \ specific window.\n\n### Parameters Description\n| Parameter | Type | Mandatory\ - \ | Description |\n| :--- | :--- | :--- | :--- |\n| Insight ID | String | Yes\ - \ | The unique identifier of the SOC Insight from which to retrieve comments.\ - \ |\n| From | String | No | Filter comments changed after this time. Expected\ - \ format: `YYYY-MM-DDTHH:mm:ss.SSS`. |\n| To | String | No | Filter comments changed\ - \ before this time. Expected format: `YYYY-MM-DDTHH:mm:ss.SSS`. |\n\n### Additional\ - \ Notes\n- The action retrieves comments via a GET request and does not modify\ - \ any data in Infoblox.\n- Results are displayed in a formatted data table named\ - \ \"SOC Insight Comments\" (up to a maximum of 20 records) and the full response\ - \ is provided in JSON format.\n\n### Flow Description\n1. **Initialization**:\ - \ Extracts API credentials and action parameters including the mandatory `Insight\ - \ ID` and optional `From`/`To` time filters.\n2. **Validation**: Ensures the `Insight\ - \ ID` is a non-empty string.\n3. **API Interaction**: Calls the Infoblox API GET\ - \ endpoint `/api/v1/insights/{insight_id}/comments` with the provided time filters\ - \ as query parameters.\n4. **Data Parsing**: Processes the returned comment list\ - \ using the `SOCInsightComment` data model, extracting fields such as the changer's\ - \ name, date of change, and the comment content.\n5. **Output Generation**: \n\ - \ - Populates a SOAR data table with the formatted comment details.\n -\ - \ Attaches the complete raw JSON response to the action results.\n6. **Finalization**:\ - \ Returns a success message indicating the number of comments retrieved or a failure\ - \ message if the Insight ID is invalid or the API call fails." + \ with a specific SOC Insight in Infoblox Threat Defense. This action allows analysts\ + \ to review the history, manual notes, or automated updates related to a security\ + \ finding directly within the Google SecOps platform. It supports time-based filtering\ + \ to narrow down the results to a specific period.\n\n### Parameters Description\n\ + \n| Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :---\ + \ |\n| Insight ID | String | Yes | The unique identifier of the SOC Insight to\ + \ retrieve comments from. |\n| From | String | No | Filter by comments changed\ + \ after this time. Expected format: `YYYY-MM-DDTHH:mm:ss.SSS`. |\n| To | String\ + \ | No | Filter by comments changed before this time. Expected format: `YYYY-MM-DDTHH:mm:ss.SSS`.\ + \ |\n\n### Flow Description\n1. **Parameter Initialization:** The action extracts\ + \ the integration configuration (API Root, API Key) and the user-provided parameters\ + \ (`Insight ID`, `From`, `To`).\n2. **Validation:** Validates that the mandatory\ + \ `Insight ID` is provided and is a non-empty string.\n3. **API Interaction:**\ + \ Connects to the Infoblox API and sends a GET request to the SOC Insights comments\ + \ endpoint for the specified ID, applying any provided time filters.\n4. **Data\ + \ Processing:** Parses the response. If comments are found, it maps them to the\ + \ `SOCInsightComment` data model.\n5. **Output Generation:** \n - Creates a\ + \ data table named \"SOC Insight Comments\" containing up to 20 of the most recent\ + \ comments.\n - Attaches the full raw JSON response to the action results for\ + \ use in subsequent playbook steps.\n6. **Completion:** Returns a success message\ + \ indicating the number of comments retrieved.\n\n### Additional Notes\n- The\ + \ UI data table is limited to showing the first 20 records for performance, but\ + \ the complete set of retrieved comments is available in the `JsonResult`.\n-\ + \ Ensure that the `From` and `To` timestamps strictly follow the ISO-like format\ + \ `YYYY-MM-DDTHH:mm:ss.SSS` to avoid API errors." capabilities: can_create_case_comments: false can_create_insight: false @@ -979,9 +1023,9 @@ Get SOC Insights Comments: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -995,6 +1039,7 @@ Get SOC Insights Comments: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get SOC Insights Events: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1008,27 +1053,28 @@ Get SOC Insights Comments: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: true remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: false + search_events: true send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get SOC Insights Events: ai_description: >- ### General Description - The **Get SOC Insights Events** action retrieves a detailed list of security events - associated with a specific SOC Insight ID from Infoblox Threat Defense. This action - allows security analysts to investigate the underlying telemetry, DNS queries, - and policy actions that contributed to a specific threat detection or insight, - providing granular visibility into the observed malicious activity. + Retrieves a list of events associated with a specific SOC Insight from Infoblox + Threat Defense. This action allows analysts to drill down into the specific activities + (such as DNS queries) that triggered a threat insight, providing granular visibility + into the detected threat and its context. ### Parameters Description @@ -1037,67 +1083,65 @@ Get SOC Insights Events: | :--- | :--- | :--- | :--- | - | **Insight ID** | String | Yes | The unique identifier of the SOC insight to - query. | + | Insight ID | String | Yes | The unique identifier of the SOC insight to retrieve + events for. | - | **Device IP** | String | No | Filters the results to events involving a specific - device IP address. | + | Device IP | String | No | Filter the events by a specific device's IP address. + | - | **Query** | String | No | Filters events by a specific DNS query string (e.g., - a malicious domain). | + | Query | String | No | Filter events by a specific query string. | - | **Query Type** | String | No | Filters events by DNS record types (e.g., A, - TXT, MX). | + | Query Type | String | No | Filter events by DNS query type (e.g., TXT, A, MX). + | - | **Source** | String | No | Filters events by the threat intelligence source - or feed (e.g., DFP). | + | Source | String | No | Filter events by the threat intelligence source or feed + (e.g., DFP). | - | **Indicator** | String | No | Filters events by a specific threat indicator - such as a domain, IP, or hash. | + | Indicator | String | No | Filter events by a specific threat indicator such + as a domain, IP, or hash. | - | **Threat Level** | DDL | No | Filters events by severity level. Options: All, - Info, Low, Medium, High. | + | Threat Level | DDL | No | Filter by threat level. Options: All, Info, Low, Medium, + High. Default is 'All'. | - | **Confidence Level** | DDL | No | Filters events by confidence level. Options: - All, Low, Medium, High. | + | Confidence Level | DDL | No | Filter by confidence level. Options: All, Low, + Medium, High. Default is 'All'. | - | **Limit** | String | No | The maximum number of events to return. Defaults to - 100. | + | Limit | String | No | Specify the maximum number of results to return. Default + is 100. | - | **From** | String | No | Start time for the event search in YYYY-MM-DDTHH:mm:ss.SSS - format. | + | From | String | No | Filter by events detected after this time (Format: YYYY-MM-DDTHH:mm:ss.SSS). + | - | **To** | String | No | End time for the event search in YYYY-MM-DDTHH:mm:ss.SSS - format. | + | To | String | No | Filter by events detected before this time (Format: YYYY-MM-DDTHH:mm:ss.SSS). + | - ### Flow Description + ### Additional Notes - 1. **Parameter Extraction:** The action retrieves the mandatory Insight ID and - optional filter criteria (IP, Query, Source, Time range, etc.) from the user input. + - The action generates a data table named "SOC Insight Events" containing key + event details like Confidence Level, Device Name, Device IP, Action, Policy, Threat + Family, and Threat Level. - 2. **Validation:** It validates that the Insight ID is non-empty and that the - Limit parameter is a valid positive integer. + - The full API response is attached as a JSON result for comprehensive analysis. - 3. **API Request:** The action sends a GET request to the Infoblox SOC Insights - API endpoint for events, applying all provided filter parameters. - 4. **Data Processing:** The retrieved events are parsed into a structured format, - capturing details such as Device Name, Action taken, Security Policy triggered, - and Threat Family. + ### Flow Description - 5. **Output Generation:** A data table named 'SOC Insight Events' is created (showing - up to 20 records for readability), and the full raw JSON response is attached - to the action results for further analysis. + 1. **Parameter Extraction:** The action extracts the mandatory `Insight ID` and + various optional filtering parameters (Device IP, Query, Threat Level, etc.) from + the user input. + 2. **Validation:** It validates that the `Insight ID` is a non-empty string and + that the `Limit` is a valid positive integer. - ### Additional Notes + 3. **API Interaction:** It initializes the APIManager and calls the `get_soc_insights_events` + method, which performs a GET request to the Infoblox SOC Insights API endpoint. - - If the 'Threat Level' or 'Confidence Level' is set to 'All', the filter is ignored - to return all available levels. + 4. **Data Processing:** The action parses the returned events using the `SOCInsightEvent` + data model and prepares a flattened list for the data table. - - The action will return a success status even if no events are found, provided - the Insight ID is valid. + 5. **Output Generation:** It adds a data table to the case wall showing up to + 20 records and provides the complete JSON response as a script result. capabilities: can_create_case_comments: false can_create_insight: false @@ -1111,7 +1155,7 @@ Get SOC Insights Events: categories: enrichment: true entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1125,6 +1169,7 @@ Get SOC Insights Events: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get SOC Insights Indicators: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1136,104 +1181,106 @@ Get SOC Insights Events: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: false + enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get SOC Insights Indicators: ai_description: >- ### General Description - The **Get SOC Insights Indicators** action retrieves a list of indicators (such - as domains, IPs, or hashes) associated with a specific SOC Insight in Infoblox - Threat Defense. This action is used to gather detailed threat intelligence and - context about the indicators that triggered or are related to a specific security - insight, allowing analysts to understand the scope of the threat. + Retrieves a list of indicators associated with a specific Infoblox SOC Insight. + This action allows analysts to fetch detailed threat intelligence for indicators + linked to an insight, including confidence scores, threat levels, and associated + threat actors. The results are presented in a data table for quick review and + as a full JSON object for further processing. ### Parameters Description - | Parameter | Type | Mandatory | Description | + + | Parameter | Description | Expected Type | Mandatory | | :--- | :--- | :--- | :--- | - | **Insight ID** | String | Yes | The unique identifier of the SOC insight to - retrieve indicators from. | + | Insight ID | The unique identifier of the SOC insight to retrieve indicators + from. | String | Yes | - | **Confidence** | String | No | Filter indicators by their confidence score. + | Confidence | Filter the results by a specific confidence score. | String | No | - | **Indicator** | String | No | Filter for a specific indicator value (e.g., a - specific domain or IP). | + | Indicator | Filter the results by a specific indicator value (e.g., a domain + or IP). | String | No | - | **Actor** | String | No | Filter by a specific threat actor associated with - the indicators. | + | Actor | Filter the results by a specific threat actor. | String | No | - | **From** | String | No | Filter for indicators seen after this time. Expected - format: `YYYY-MM-DDTHH:mm:ss.SSS`. | + | From | Filter by indicators seen after this time. Expected format: YYYY-MM-DDTHH:mm:ss.SSS. + | String | No | - | **To** | String | No | Filter for indicators seen before this time. Expected - format: `YYYY-MM-DDTHH:mm:ss.SSS`. | + | To | Filter by indicators seen before this time. Expected format: YYYY-MM-DDTHH:mm:ss.SSS. + | String | No | - | **Action** | String | No | Filter by the action taken on the indicator (e.g., - Blocked, Logged). | + | Action | Filter by the action taken on the indicator (e.g., blocked, allowed). + | String | No | - | **Limit** | String | No | The maximum number of results to return. Defaults - to 100. | + | Limit | Specify the maximum number of results to return. Defaults to 100. | + String | No | ### Additional Notes - - The action provides a summary table in the case wall showing up to 20 records - for quick review. + - This action does not run on entities; it uses the 'Insight ID' parameter to + query Infoblox. - - The full API response is available in the JSON results for use in subsequent - playbook logic. + - The action displays up to 20 indicator records in the 'SOC Insight Indicators' + data table, while the full list is available in the JSON result. ### Flow Description - 1. **Parameter Extraction:** The action extracts the mandatory `Insight ID` and - optional filters including Confidence, Indicator, Actor, Time range, Action, and - Limit. + 1. **Parameter Initialization:** Extracts the mandatory 'Insight ID' and optional + filters (Confidence, Indicator, Actor, Time range, Action, and Limit) from the + action parameters. - 2. **Validation:** It validates that the `Insight ID` is a non-empty string and - that the `Limit` is a valid positive integer. + 2. **Validation:** Validates that the 'Insight ID' is provided and that the 'Limit' + is a valid positive integer. - 3. **API Request:** Sends a GET request to the Infoblox API endpoint for SOC insight - indicators using the provided filters. + 3. **API Interaction:** Initializes the Infoblox API Manager and performs a GET + request to the SOC Insights indicators endpoint using the provided filters. - 4. **Data Processing:** Parses the returned indicator data. If indicators are - found, it constructs a data table named "SOC Insight Indicators" containing fields - such as Action, Confidence, Count, Feed Name, Threat Level Max, Indicator, and - Actor. + 4. **Data Processing:** Parses the API response. If indicators are found, it converts + the first 20 records into a flat format suitable for a data table. - 5. **Output:** Returns the full JSON response and displays the data table in the - Google SecOps case wall for analyst review. + 5. **Output Generation:** Adds the 'SOC Insight Indicators' data table to the + case and provides the complete raw response as a JSON result. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: false + can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: null + internal_data_mutation_explanation: >- + Adds a data table 'SOC Insight Indicators' to the case containing the retrieved + indicator details. categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1247,6 +1294,7 @@ Get SOC Insights Indicators: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Security Policies: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1258,75 +1306,76 @@ Get SOC Insights Indicators: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: true + enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Security Policies: ai_description: >- Retrieves all configured security policies and their metadata from Infoblox Threat - Defense. This action allows users to filter policies based on logical expressions - or specific tags and supports pagination through offset and limit parameters. - The results are presented as a JSON object and a formatted data table for easy - review of policy names, descriptions, and default actions. + Defense. This action allows analysts to audit or review the security posture by + listing policies, optionally filtered by specific criteria or tags. - ### Flow Description + ### Flow Description: 1. **Parameter Initialization:** The action extracts integration configuration - (API Root, API Key) and action-specific parameters (Filters, Offset, Limit). + and user-provided parameters, including filters for policies and tags, as well + as pagination settings (Offset and Limit). - 2. **Validation:** It validates that the 'Offset' and 'Limit' parameters are valid - non-negative integers. + 2. **Validation:** Validates that the Offset and Limit parameters are non-negative + integers. - 3. **API Interaction:** The action calls the Infoblox API (GET /api/atcfw/v1/security_policies) - using the provided filters and pagination settings. + 3. **API Interaction:** Sends a GET request to the Infoblox `/api/atcfw/v1/security_policies` + endpoint with the specified filters and pagination. - 4. **Data Processing:** The raw API response is parsed into `SecurityPolicy` data - models to extract key fields like ID, Name, and Default Action. + 4. **Data Processing:** Parses the API response into structured `SecurityPolicy` + models. - 5. **Output Generation:** The action returns the full JSON response and constructs - a data table titled 'Security Policies' containing the processed metadata. + 5. **Output Generation:** Populates the action results with the raw JSON response + and creates a data table displaying key policy details (ID, Name, Description, + Default Action). - ### Parameters Description + ### Parameters Description: - | Parameter | Description | Type | Mandatory | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Security Policy Filter | A logical expression string to filter security policies - (e.g., name== 'sec_policy_a'). | String | No | + | Security Policy Filter | String | No | A logical expression string to filter + security policies (e.g., `name=='sec_policy_a'`). | - | Tag Filter | Filter security policy by specific tags format: ''=''. - | String | No | + | Tag Filter | String | No | Filter security policy by specific tags using the + format: `''=''`. | - | Tag Sort Filter | Sort security policy list by Tags. | String | No | + | Tag Sort Filter | String | No | Sort the security policy list based on Tags. + | - | Offset | Specify the offset from where to start pagination. Default is 0. | - String | No | + | Offset | String | No | The starting point for pagination (Default: 0). | - | Limit | Specify the maximum number of results to return. Default is 100. | String - | No | + | Limit | String | No | The maximum number of results to return (Default: 100). + | - ### Additional Notes + ### Additional Notes: - This action does not operate on specific entities; it retrieves global configuration - data from the Infoblox platform. + data. - - The data table displays up to a maximum number of records defined by the integration's - internal constants (typically 20). + - The data table displays a maximum of 20 records for readability. capabilities: can_create_case_comments: false can_create_insight: false @@ -1338,9 +1387,9 @@ Get Security Policies: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1354,6 +1403,7 @@ Get Security Policies: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Host Lookup: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1367,41 +1417,46 @@ Get Security Policies: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: true search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Host Lookup: ai_description: >- - Retrieves host information from Infoblox IPAM (DDI). This action allows for searching - host records using flexible filters, tag-based criteria, and pagination settings. - The results are presented as a raw JSON response and a formatted data table within - the case. + Retrieves host information from Infoblox IPAM. This action allows users to search + for host asset records using flexible filters for host attributes and tags. It + supports pagination and custom sorting of results. The retrieved data is presented + in a structured data table and as a raw JSON result for further processing in + the playbook. ### Flow Description - 1. **Parameter Initialization:** Extracts API credentials and action parameters - including filters, pagination (Offset/Limit), and sorting (Order By). + 1. **Parameter Extraction**: The action retrieves the API connection details and + the user-provided search filters (Host Filter, Tag Filter) and pagination settings + (Offset, Limit, Order By). - 2. **Validation:** Ensures that Offset and Limit are valid non-negative integers. + 2. **Validation**: It validates that the Offset and Limit parameters are valid + non-negative integers. - 3. **API Request:** Performs a GET request to the Infoblox `/api/ddi/v1/ipam/host` - endpoint using the provided filters. + 3. **API Request**: It calls the Infoblox API (`/api/ddi/v1/ipam/host`) with the + specified filters and sorting parameters. - 4. **Data Processing:** Parses the API response and maps host records to a structured - data model. + 4. **Data Processing**: The action parses the returned host records, converting + them into a flat format suitable for a CSV-style data table. - 5. **Output Generation:** Adds the full JSON response to the action results and - constructs a 'Hosts' data table for display in the Google SecOps UI. + 5. **Output Generation**: It adds the full JSON response to the action results + and populates a data table named "Hosts" with the first 20 records found. ### Parameters Description @@ -1416,36 +1471,28 @@ Host Lookup: | Tag Filter | String | No | Filter IP addresses by specific tags (e.g. `'Tenable_scan'=='true'`). | - | Offset | String | No | Specify the offset from where to start pagination. Defaults - to "0". | + | Offset | String | No | Specify the offset from where to start pagination. Default + is "0". | - | Limit | String | No | Specify the maximum number of results to return. Defaults - to "100". | + | Limit | String | No | Specify the maximum number of results to return. Default + is "100". | | Order By | String | No | Comma-separated JSON fields to sort the results. Supports - asc/desc and dot notation. | - - - ### Additional Notes - - - This action does not run on specific entities but rather queries the Infoblox - database based on the provided input parameters. + dot notation and `asc`/`desc`. | capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: >- - Adds a data table named "Hosts" to the Google SecOps case containing the retrieved - host information. + internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1459,6 +1506,7 @@ Host Lookup: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +IP Lookup: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1469,66 +1517,96 @@ Host Lookup: disable_identity: false download_file: false enable_identity: false - enrich_asset: true + enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: true search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -IP Lookup: ai_description: >- - ### General Description\nRetrieves detailed IP address information from Infoblox - DDI based on user-defined filters, state, and scope. This action is primarily - used for searching the IPAM (IP Address Management) database to find records matching - specific criteria such as IP address, usage state, or associated tags. It returns - a comprehensive list of matching records, including hostnames, hardware addresses, - and protocols.\n\n### Parameters Description\n| Parameter | Type | Mandatory | - Description |\n| :--- | :--- | :--- | :--- |\n| IP Filter | String | No | Logical - expression to filter IP addresses (e.g., address=='192.168.1.100' or state=='USED'). - |\n| Address State | DDL | No | Filter by the state of the IP address. Options: - Any, Free, Used. Defaults to 'Used'. |\n| Scope | String | No | The network scope - to search within. |\n| Tag Filter | String | No | Filter results by specific tags - (e.g., 'Tenable_scan'=='true'). |\n| Offset | String | No | The starting point - for pagination. Defaults to '0'. |\n| Limit | String | No | The maximum number - of records to return. Defaults to '100'. |\n| Order By | String | No | Comma-separated - fields to sort the results (e.g., 'address asc'). |\n\n### Additional Notes\nThis - action does not run on specific entities in the case; instead, it performs a global - search based on the provided parameters. The results are displayed in a data table - and attached as a JSON result.\n\n### Flow Description\n1. **Parameter Initialization:** - The action extracts configuration settings and user-provided filters, including - pagination and sorting preferences.\n2. **Validation:** It validates that the - 'Offset' and 'Limit' parameters are valid non-negative integers.\n3. **API Request:** - The action sends a GET request to the Infoblox DDI IPAM address endpoint with - the specified filters.\n4. **Data Processing:** The response is parsed using the - IPLookup data model to extract key fields like Address, Host Name, State, and - MAC Address.\n5. **Output Generation:** The action populates a data table named - 'IP Lookup Data' with the first 20 results and attaches the full response as a - JSON object to the action result. + ### General Description + + The **IP Lookup** action retrieves detailed IP address information from Infoblox + IPAM. It allows users to search for IP records using various filters such as IP + state, tags, and custom filter expressions. The results include metadata like + hardware addresses, hostnames, and usage status, which are presented in a data + table and as raw JSON for further processing. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | **IP Filter** | String | No | A logical expression to filter IP addresses (e.g., + `address=="192.168.1.100"`). | + + | **Address State** | DDL | No | Filters by the state of the IP address. Options: + `Any`, `Free`, `Used`. Default is `Used`. | + + | **Scope** | String | No | Specifies the network scope for the lookup. | + + | **Tag Filter** | String | No | Filters results based on specific tags (e.g., + `'Tenable_scan'=='true'`). | + + | **Offset** | String | No | The starting point for pagination. Default is `0`. + | + + | **Limit** | String | No | The maximum number of records to return. Default is + `100`. | + + | **Order By** | String | No | Comma-separated fields to sort the results (e.g., + `address asc`). | + + + ### Flow Description + + 1. **Parameter Extraction:** The action retrieves user-provided filters and pagination + settings. + + 2. **Validation:** It validates that `Offset` and `Limit` are non-negative integers. + + 3. **API Interaction:** It sends a GET request to the Infoblox `/api/ddi/v1/ipam/address` + endpoint with the specified query parameters. + + 4. **Data Processing:** The response is parsed, and up to 20 records are formatted + into a data table. + + 5. **Output:** The action returns the full JSON response and displays the formatted + table in the SOAR interface. + + + ### Additional Notes + + This action does not automatically process entities from the alert context; it + relies entirely on the provided input parameters. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: >- - The action adds a data table named 'IP Lookup Data' to the case containing the - retrieved IPAM records. + internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1542,6 +1620,7 @@ IP Lookup: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Indicator Threat Lookup With TIDE: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1553,92 +1632,93 @@ IP Lookup: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: false + enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Indicator Threat Lookup With TIDE: ai_description: >- ### General Description - Looks up threat intelligence details for specific indicators or criteria using - Infoblox TIDE (Threat Intelligence Data Exchange). This action allows analysts - to query the TIDE database for reputation data, threat levels, and classifications - associated with IP addresses, hostnames, URLs, email addresses, or file hashes. - It supports filtering by domain, top-level domain (TLD), threat class, and target, - providing a comprehensive view of known threats. + Retrieves threat intelligence for specific indicators (IP, Host, URL, Email, or + Hash) from Infoblox TIDE (Threat Intelligence Data Exchange). This action allows + analysts to query the TIDE database using various filters such as threat class, + target, and top-level domains to identify known malicious activity associated + with an indicator. The results provide context on the threat level, class, and + profile of the detected indicators. ### Parameters Description + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Indicator Type | ddl | No | Specify the type of indicator to search for (Host, - IP, URL, Email, Hash, All). Default is 'All'. | + | Indicator Type | ddl | No | Specifies the category of indicator to search for. + Options include All, IP, Host, URL, Email, and Hash. Default is "All". | - | Indicator Value | string | No | Specify the indicator value(s) based on the - indicator type you want to search for. | + | Indicator Value | string | No | The specific value of the indicator to look + up (e.g., an IP address or domain). | - | Domain | string | No | Specify the comma-separated domain(s) to search for. - | + | Domain | string | No | A comma-separated list of domains to filter the threat + search. | - | Top-Level Domain | string | No | Specify the comma-separated top-level domain(s) - to search for. | + | Top-Level Domain | string | No | A comma-separated list of top-level domains + (TLDs) to filter the search. | - | Threat Class | string | No | Specify the comma-separated threat class(es) to - search for. | + | Threat Class | string | No | A comma-separated list of threat classes (e.g., + malware, botnet) to filter the results. | - | Target | string | No | Specify the comma-separated target(s) to search for. + | Target | string | No | A comma-separated list of targets to filter the search. | - | Expiration | string | No | Period of time after which data is no longer considered - active (ISO8601 format). | + | Expiration | string | No | A period of time or ISO8601 date after which data + is no longer considered active. | - | Limit | string | No | Specify the maximum number of results to return. Default - is 1000. | + | Limit | string | No | The maximum number of results to return from the API. + Default is 100. | ### Additional Notes - - If 'Indicator Type' is set to a specific value (e.g., IP), the 'Indicator Value' - parameter should be populated to perform a targeted lookup. - - - The action returns a maximum of 20 records in the UI data table for readability, - while the full results are available in the JSON output. + This action does not automatically iterate over entities in a Google SecOps case. + It relies on the provided "Indicator Value" and other filter parameters to perform + the lookup. If "Indicator Type" is set to "All", the "Indicator Value" is ignored + in the specific type-based query parameters. ### Flow Description - 1. **Parameter Extraction:** The action retrieves the API configuration and user-provided - search parameters, including indicator details and filtering criteria. - - 2. **Validation:** It validates the 'Limit' parameter to ensure it is a valid - positive integer. + 1. **Parameter Extraction:** The action retrieves integration configuration (API + Root, Key) and action-specific parameters including the indicator type, value, + and various filters. - 3. **API Request:** It constructs a GET request to the Infoblox TIDE threats endpoint - (`/tide/api/data/threats`) using the provided filters. + 2. **Validation:** Validates the 'Limit' parameter to ensure it is a positive + integer. - 4. **Data Processing:** The action parses the API response, iterating through - the identified threats and mapping them to a structured data model. + 3. **API Request:** Initiates a GET request to the Infoblox TIDE threat data endpoint + (`/tide/api/data/threats`) using the constructed query parameters. - 5. **Output Generation:** It attaches the complete raw JSON response to the action - results and constructs a data table summarizing the key threat details (Indicator, - Type, Threat Level, Class, etc.). + 4. **Data Processing:** Parses the "threat" array from the API response. It maps + the raw data to a structured model, extracting fields like Threat Level, Class, + and Profile. - 6. **Completion:** The action concludes by reporting the number of threat records - found or indicating if no data was retrieved. + 5. **Output Generation:** Adds the full JSON response to the action results and + constructs a data table showing up to the first 20 threat records for analyst + review. capabilities: can_create_case_comments: false can_create_insight: false @@ -1650,9 +1730,9 @@ Indicator Threat Lookup With TIDE: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1666,6 +1746,7 @@ Indicator Threat Lookup With TIDE: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +"Initiate Indicator Intel Lookup With Dossier": action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1679,27 +1760,29 @@ Indicator Threat Lookup With TIDE: enrich_asset: false enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -"Initiate Indicator Intel Lookup With Dossier": ai_description: >- ### General Description - Initiates an indicator investigation using the Infoblox Dossier service. This - action allows analysts to perform deep-dive lookups on various indicator types - (IP, Host, URL, Email, or Hash) to retrieve threat intelligence and contextual - data. It supports both synchronous execution (waiting for the full report) and - asynchronous execution (returning a Job ID for later retrieval). + Initiates an indicator investigation using Infoblox Dossier. This action allows + users to perform threat intelligence lookups for various indicator types, including + IP addresses, hostnames, URLs, email addresses, and file hashes. It can operate + in either a synchronous mode (waiting for results) or an asynchronous mode (returning + a Job ID for later retrieval). ### Parameters Description @@ -1708,65 +1791,57 @@ Indicator Threat Lookup With TIDE: | :--- | :--- | :--- | :--- | - | Indicator Type | DDL | Yes | The category of the indicator being searched. Supported - values: IP, Host, URL, Email, Hash. | + | Indicator Type | DDL | Yes | Specify the type of indicator to search for. Supported + values: Host, IP, URL, Email, Hash. | - | Indicator Value | String | Yes | The specific value (e.g., an IP address or - domain name) to investigate. | + | Indicator Value | String | Yes | Specify the indicator value to search for. + | - | Source | String | No | A comma-separated list of specific threat intelligence - sources to query within Dossier. | + | Source | String | No | Specify comma-separated sources to query within Dossier. + | - | Wait for Results | Boolean | No | Determines the execution mode. If `True`, - the action waits for the full report. If `False`, it returns a Job ID and status - immediately. | + | Wait for Results | Boolean | No | If set to true, the action will wait for the + investigation to complete and return the results. If false, it returns a Job ID + immediately. Default is false. | - ### Additional Notes + ### Flow Description - - This action is parameter-driven and does not automatically iterate over entities - from the case wall. It requires manual input or mapped values for the 'Indicator - Value' parameter. + 1. **Parameter Extraction:** The action retrieves the indicator type, value, sources, + and the wait flag from the input parameters. - - When `Wait for Results` is set to `False`, the returned Job ID can be used in - the 'Get Indicator Intel Lookup Result' action once processing is complete. + 2. **Validation:** It validates that the indicator value is a non-empty string. - - The action displays up to 20 records in the results table. + 3. **API Interaction:** It calls the Infoblox Dossier API via a GET request to + initiate the lookup. + 4. **Result Processing:** + - If **Wait for Results** is true: The action processes the returned dossier + results and populates a data table with details such as Source, Status, and Data. + - If **Wait for Results** is false: The action retrieves the Job ID and status, + populating a data table with these tracking details. + 5. **Output:** The raw API response is attached as a JSON result, and a summary + message is provided to the user. - ### Flow Description - 1. **Parameter Extraction:** Retrieves the indicator type, value, and execution - preferences from the user input. - - 2. **API Request:** Sends a GET request to the Infoblox Dossier API endpoint corresponding - to the indicator type. - - 3. **Execution Mode Handling:** - - **Synchronous:** If 'Wait for Results' is enabled, the action pauses until - the dossier report is ready, then parses the results into a CSV table using the - `DossierWaitResult` model. - - **Asynchronous:** If 'Wait for Results' is disabled, the action captures - the `job_id` and `status` from the initial response and presents them in a CSV - table using the `DossierJobResult` model. - 4. **Data Presentation:** Formats the retrieved data into a CSV table and attaches - the raw JSON response to the action results for further use in the playbook. + ### Additional Notes + + This action does not automatically iterate over entities in the SecOps case; it + requires the indicator value to be provided as a direct parameter. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: >- - Adds a data table to the case wall containing the Dossier lookup results or - the Job ID information. + internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1780,6 +1855,7 @@ Indicator Threat Lookup With TIDE: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1791,55 +1867,45 @@ Indicator Threat Lookup With TIDE: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: true + enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: - ai_description: >- - ### General Description - - The **Ping** action is a utility designed to verify the connectivity between Google - SecOps and the Infoblox Threat Defense with DDI platform. It ensures that the - provided API Root and API Key are valid and that the network path is open. - - - ### Parameters Description - - There are no input parameters for this action. It relies solely on the integration's - global configuration settings (API Root, API Key, and Verify SSL). - - - ### Additional Notes - - This action is typically used during the initial setup of the integration or for - troubleshooting connection issues. It performs a read-only request to the Infoblox - account endpoint. - - - ### Flow Description - - 1. **Initialization**: The action initializes the Siemplify context and retrieves - the global integration parameters. - - 2. **Connectivity Test**: It calls the `test_connectivity` method in the APIManager, - which sends a GET request to the `/api/authn/v1/account` endpoint. - - 3. **Validation**: The action validates the API response. If the status code is - successful, it confirms connectivity. - - 4. **Completion**: The action ends by returning a success or failure message along - with a boolean result indicating the connection status. + ai_description: "### General Description\nThe **Ping** action is a diagnostic utility\ + \ designed to verify the connectivity between Google SecOps and the Infoblox Threat\ + \ Defense with DDI platform. It ensures that the integration's configuration parameters\u2014\ + specifically the API Root and API Key\u2014are correct and that the network path\ + \ is open. This action is typically used during initial setup or troubleshooting\ + \ to confirm that the SOAR can successfully authenticate and communicate with\ + \ the Infoblox API.\n\n### Parameters Description\nThere are no input parameters\ + \ for this action. It relies entirely on the integration's global configuration\ + \ settings (API Root, API Key, and Verify SSL).\n\n### Flow Description\n1. **Initialization**:\ + \ The action initializes the Siemplify SDK and retrieves the global integration\ + \ configuration (API Root, API Key, and SSL verification settings).\n2. **Manager\ + \ Setup**: An instance of the `APIManager` is created using the retrieved credentials.\n\ + 3. **Connectivity Test**: The action calls the `test_connectivity` method, which\ + \ performs a `GET` request to the Infoblox authentication endpoint (`/api/authn/v1/account`).\n\ + 4. **Result Handling**: \n * If the request is successful (HTTP 200), the action\ + \ returns a success message and sets the result value to `True`.\n * If an\ + \ exception occurs (e.g., authentication failure, timeout, or connection error),\ + \ the action logs the error, returns a failure message, and sets the execution\ + \ state to `FAILED`.\n\n### Additional Notes\n* This action does not process any\ + \ entities or modify any data within Infoblox or Google SecOps.\n* As per standard\ + \ SOAR practices, actions named 'Ping' are excluded from being categorized as\ + \ enrichment actions." capabilities: can_create_case_comments: false can_create_insight: false @@ -1853,7 +1919,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1867,6 +1933,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Remove Custom List: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1880,50 +1947,57 @@ Ping: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Remove Custom List: ai_description: >- - Deletes a specified custom list from the Infoblox Threat Defense system. This - action is used for administrative cleanup or to remove threat intelligence lists - that are no longer required. It requires the unique identifier of the custom list - to perform the deletion. + ### General Description + Deletes a specified custom list from the Infoblox Threat Defense system using + its unique identifier. This action is used to manage and clean up threat intelligence + lists or policy-related named lists within the Infoblox environment. - ### Parameters - | Parameter Name | Description | Type | Mandatory | Notes | + ### Parameters Description - | :--- | :--- | :--- | :--- | :--- | + | Parameter | Type | Mandatory | Description | - | Custom List ID | The unique identifier (ID) of the custom list to be removed. - | String | Yes | The value must be a positive integer. | + | :--- | :--- | :--- | :--- | + + | Custom List ID | String | Yes | The unique identifier of the custom list to + be removed. This value must be a positive integer. | + + + ### Additional Notes + + - The action performs a destructive operation (DELETE) on the external system. + + - Ensure the ID is correct, as this operation cannot be undone via the SOAR. ### Flow Description - 1. **Parameter Extraction:** The action retrieves the `Custom List ID` from the - input parameters. + 1. **Parameter Extraction**: Retrieves the `Custom List ID` from the action parameters. - 2. **Validation:** The `Custom List ID` is validated to ensure it is a positive - integer. + 2. **Validation**: Validates that the provided ID is a valid positive integer. - 3. **API Interaction:** The action initializes the Infoblox API Manager and sends - a DELETE request to the `/api/atcfw/v1/named_lists/{custom_list_id}` endpoint. + 3. **API Interaction**: Sends a DELETE request to the Infoblox API endpoint for + named lists using the provided ID. - 4. **Result Handling:** If the API call is successful, the action completes with - a success message. If the ID is not found or an error occurs, the action fails - with a descriptive error message. + 4. **Result Handling**: Returns a success message if the deletion is confirmed + or an error message if the list is not found or the request fails. capabilities: can_create_case_comments: false can_create_insight: false @@ -1932,14 +2006,13 @@ Remove Custom List: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Deletes a custom list resource from the Infoblox Threat Defense platform via - a DELETE request. + Deletes a specified custom list from the Infoblox Threat Defense system. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1953,6 +2026,7 @@ Remove Custom List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Remove Network List: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1966,60 +2040,60 @@ Remove Custom List: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Remove Network List: ai_description: >- - ### General Description - Removes an existing network list from the Infoblox Threat Defense environment. - This action is used for administrative cleanup or policy management by deleting - a specific network list identified by its unique ID. + This action targets a specific network list by its unique identifier and performs + a permanent deletion in the external system. It is typically used for cleaning + up security configurations or decommissioning specific network groupings. - ### Parameters Description + ### Flow Description: - | Parameter | Description | Type | Mandatory | Notes | + 1. **Parameter Extraction:** The action retrieves the 'Network List ID' from the + input parameters. - | :--- | :--- | :--- | :--- | :--- | + 2. **Validation:** It validates that the provided ID is a positive integer. - | Network List ID | Specify the ID of the network list to remove. | String | Yes - | Must be a positive integer. | + 3. **API Interaction:** The action initializes the Infoblox API Manager and sends + a DELETE request to the `/api/atcfw/v1/network_lists/{network_list_id}` endpoint. + 4. **Result Handling:** If the deletion is successful, it returns a completion + status. If the list is assigned to a security policy or does not exist, it captures + the error and fails the action. - ### Additional Notes - * The action will fail if the network list is currently assigned to a security - policy. + ### Parameters Description: - * The default value of '0' for the ID will trigger a validation error as the ID - must be a positive integer. + | Parameter Name | Expected Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Flow Description + | Network List ID | String | True | The unique numerical identifier of the network + list to be removed. Must be a positive integer. | - 1. **Parameter Extraction**: The action retrieves the `Network List ID` from the - input parameters. - 2. **Validation**: The ID is validated to ensure it is a valid positive integer - greater than zero. + ### Additional Notes: - 3. **API Interaction**: The action initializes the Infoblox API Manager and sends - a `DELETE` request to the Infoblox API endpoint for the specified network list. + - This action does not run on entities; it requires a specific ID provided as + a parameter. - 4. **Result Handling**: If the deletion is successful, the action completes with - a success message. If the API returns an error (e.g., list not found or list is - in use), the action fails and reports the error reason. + - Deletion may fail if the network list is currently associated with an active + security policy. capabilities: can_create_case_comments: false can_create_insight: false @@ -2028,14 +2102,14 @@ Remove Network List: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Deletes an existing network list resource from the Infoblox Threat Defense platform - using a DELETE request. + Deletes a network list resource from the Infoblox Threat Defense platform using + a DELETE request. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2049,6 +2123,7 @@ Remove Network List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Remove Security Policy: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -2062,59 +2137,54 @@ Remove Network List: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false + remove_ioc_from_blocklist: true reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Remove Security Policy: ai_description: >- - ### General Description - Deletes a specified security policy from the Infoblox Threat Defense system. This - action is used to manage security configurations by removing policies that are - no longer required or to unblock indicators by removing the policy that restricts - them. + action is primarily used to remove security restrictions or unblock indicators + by deleting the policy that governs their behavior. It requires a specific Security + Policy ID to identify the target for deletion. ### Parameters Description - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Security Policy ID | String | Yes | The unique identifier of the security policy - to delete. The value must be a positive integer. | + | Parameter | Description | Type | Mandatory | - ### Additional Notes + | :--- | :--- | :--- | :--- | - This action performs a permanent deletion of the security policy in the external - Infoblox system. It does not process or iterate over entities within the SOAR - case; it operates solely based on the provided ID. + | Security Policy ID | The unique identifier of the security policy to be deleted. + The value must be a positive integer string. | String | Yes | ### Flow Description + 1. **Parameter Extraction**: The action retrieves the `Security Policy ID` from the input parameters. 2. **Validation**: It validates that the ID is a non-empty string and represents a valid positive integer. - 3. **API Interaction**: The action sends a `DELETE` request to the Infoblox API - endpoint `/api/atcfw/v1/security_policies/{security_policy_id}`. + 3. **API Interaction**: The action initializes the Infoblox API Manager and sends + a `DELETE` request to the security policies endpoint using the provided ID. - 4. **Result Handling**: If the API returns a success status, the action completes - with a success message. If the policy is not found or an error occurs, it reports - a failure. + 4. **Result Handling**: If the deletion is successful, the action completes with + a success message. If the API returns an error (e.g., policy not found), the action + fails and reports the error reason. capabilities: can_create_case_comments: false can_create_insight: false @@ -2123,14 +2193,14 @@ Remove Security Policy: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Deletes a security policy from the Infoblox Threat Defense system using a DELETE - request to the security policies endpoint. + Deletes a security policy from the Infoblox Threat Defense system via a DELETE + request to the API. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2144,6 +2214,7 @@ Remove Security Policy: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Update Custom List: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -2157,82 +2228,47 @@ Remove Security Policy: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Update Custom List: - ai_description: >- - ### General Description - - Updates the metadata of an existing custom list in Infoblox Threat Defense. This - action allows users to modify the name, description, confidence level, threat - level, and tags associated with a specific custom list identified by its ID. It - ensures data consistency by fetching the current state of the list and only updating - the fields provided by the user. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **Custom List ID** | String | Yes | The unique ID of the custom list to update. - Must be a positive integer. | - - | **Name** | String | No | The new name for the custom list. If not provided, - the existing name is preserved. | - - | **Description** | String | No | The new description for the custom list. Use - the keyword `empty` to remove the existing description. | - - | **Confidence Level** | DDL | No | The new confidence level (High, Medium, Low). - If not provided, the existing level is preserved. | - - | **Threat Level** | DDL | No | The new threat level (High, Medium, Low, Info). - If not provided, the existing level is preserved. | - - | **Tags** | String | No | A JSON object string representing tags to categorize - the list. Use the keyword `empty` to remove all existing tags. | - - - ### Additional Notes - - - The action performs a 'read-before-write' operation: it fetches the existing - list configuration first to inherit values for any parameters that are not explicitly - provided in the action configuration. - - - The `Custom List ID` must be a valid positive integer greater than zero. - - - ### Flow Description - - 1. **Parameter Extraction**: Retrieves the Custom List ID and optional metadata - fields (Name, Description, Levels, Tags) from the action input. - - 2. **Validation**: Validates that the `Custom List ID` is a valid positive integer. - - 3. **State Retrieval**: Calls the Infoblox API to fetch the current configuration - of the specified custom list. - - 4. **Payload Construction**: Merges the user-provided updates with the existing - list data. If a parameter is missing, the existing value is used; if the keyword - `empty` is used, the field is cleared. - - 5. **API Update**: Sends a `PUT` request to the Infoblox `/api/atcfw/v1/named_lists/{id}` - endpoint with the constructed payload. - - 6. **Result Processing**: Parses the API response, adds the full JSON result to - the action output, and generates a 'Custom List Details' data table for the analyst. + ai_description: "Updates the metadata and configuration of an existing custom list\ + \ in Infoblox Threat Defense. This action allows for modifying the list's name,\ + \ description, confidence level, threat level, and tags. It follows a 'fetch-and-patch'\ + \ logic where it first retrieves the current state of the list to ensure that\ + \ any parameters not provided by the user remain unchanged.\n\n### Flow Description:\n\ + 1. **Fetch Existing Data:** The action retrieves the current configuration of\ + \ the custom list using the provided `Custom List ID` to ensure data continuity.\n\ + 2. **Parameter Merging:** It merges the user-provided inputs with the existing\ + \ data. If a parameter is left blank, the current value is retained. \n3. **Nullification\ + \ Logic:** If the keyword `empty` is used for the `Description` or `Tags` parameters,\ + \ those fields are cleared in the external system.\n4. **API Update:** A `PUT`\ + \ request is sent to the Infoblox API with the updated payload.\n5. **Result Processing:**\ + \ The action returns the updated list details as a JSON result and populates a\ + \ data table named 'Custom List Details'.\n\n### Parameters Description:\n| Parameter\ + \ Name | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Custom\ + \ List ID | string | Yes | The unique identifier of the custom list to be updated.\ + \ Must be a positive integer. |\n| Name | string | No | The new name for the custom\ + \ list. |\n| Description | string | No | The new description for the custom list.\ + \ Use the keyword `empty` to remove the existing description. |\n| Confidence\ + \ Level | ddl | No | The confidence level for the custom list. Options: High,\ + \ Medium, Low. |\n| Threat Level | ddl | No | The threat level for the custom\ + \ list. Options: High, Medium, Low, Info. |\n| Tags | string | No | A JSON object\ + \ string representing tags to categorize the list. Use the keyword `empty` to\ + \ remove existing tags. |\n\n### Additional Notes:\n- This action does not modify\ + \ the actual items (indicators) within the list; it only modifies the list's metadata.\ + \ To update items, use the 'Update Custom List Items' action." capabilities: can_create_case_comments: false can_create_insight: false @@ -2241,15 +2277,14 @@ Update Custom List: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the configuration metadata (name, description, confidence/threat levels, - and tags) of an existing custom list in the Infoblox Threat Defense platform - via a PUT request. + Updates the metadata (name, description, confidence level, threat level, and + tags) of an existing custom list in Infoblox Threat Defense via a PUT request. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2263,6 +2298,7 @@ Update Custom List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Update Custom List Items: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -2276,43 +2312,76 @@ Update Custom List: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Update Custom List Items: - ai_description: "Updates the items within an existing Infoblox Custom List. This\ - \ action allows users to either add or remove specific indicators\u2014such as\ - \ IPv4 addresses, IPv6 addresses, or domain names\u2014from a designated list\ - \ identified by its ID. It performs data validation on the provided items to ensure\ - \ they conform to standard networking formats before communicating with the Infoblox\ - \ API via a PATCH request.\n\n### Flow Description:\n1. **Parameter Extraction:**\ - \ Retrieves the Custom List ID, the desired action (Add or Remove), and the comma-separated\ - \ string of items from the action parameters.\n2. **Validation:** Validates that\ - \ the Custom List ID is a positive integer and parses the items string into a\ - \ list. Each item is checked against regex patterns for valid IPv4, IPv6, or domain\ - \ name formats.\n3. **API Interaction:** Sends a PATCH request to the Infoblox\ - \ endpoint `/api/atcfw/v1/named_lists/{custom_list_id}/items` with a payload containing\ - \ the items to be inserted or deleted.\n4. **Result Processing:** Analyzes the\ - \ API response to determine the number of items successfully added, removed, or\ - \ updated, and provides a summary message to the user.\n\n### Parameters Description:\n\ - | Parameter Name | Type | Mandatory | Description |\n| :--- | :--- | :--- | :---\ - \ |\n| Custom List ID | String | Yes | The unique numerical identifier of the\ - \ Infoblox Custom List to be modified. |\n| Action | DDL | Yes | Specifies whether\ - \ to 'Add' or 'Remove' the provided items from the list. |\n| Items | String |\ - \ Yes | A comma-separated list of indicators (IPs or Domains) to be processed.\ - \ |\n\n### Additional Notes:\n- This action does not run on SOAR entities; it\ - \ processes data provided directly through the 'Items' parameter.\n- If no items\ - \ are successfully modified, the action will return a message indicating no changes\ - \ were made." + ai_description: >- + ### General Description + + The **Update Custom List Items** action allows users to modify the contents of + an existing Custom List within Infoblox Threat Defense. It supports adding or + removing multiple indicators, such as IPv4 addresses, IPv6 addresses, and domain + names, in a single execution. This is primarily a management action used to maintain + lists that are often referenced by security policies for blocking or allowing + traffic. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | **Custom List ID** | String | Yes | The unique identifier of the Custom List + to be updated. Although provided as a string, it must represent a positive integer. + | + + | **Action** | DDL | Yes | The operation to perform on the list. Options are `Add` + (to insert new items) or `Remove` (to delete existing items). | + + | **Items** | String | Yes | A comma-separated list of indicators (IPv4, IPv6, + or domains) to be processed. | + + + ### Flow Description + + 1. **Parameter Extraction and Validation:** The action retrieves the Custom List + ID, the desired action (Add/Remove), and the list of items. It validates that + the ID is a positive integer and that the items provided are valid IPv4/IPv6 addresses + or domain names. + + 2. **API Request Construction:** Based on the selected action, the script constructs + a `PATCH` request body containing either `inserted_items_described` or `deleted_items_described`. + + 3. **External Interaction:** The action sends the `PATCH` request to the Infoblox + API endpoint: `/api/atcfw/v1/named_lists/{custom_list_id}/items`. + + 4. **Response Processing:** The action parses the API response to identify how + many items were successfully added, removed, or updated. It then outputs a summary + message and the raw JSON response. + + + ### Additional Notes + + - **Entity Usage:** This action does not process SecOps entities (like IP or Domain + objects in the case). It operates strictly on the strings provided in the **Items** + parameter. + + - **Validation Constraints:** The `Custom List ID` must be greater than zero. + If the `Items` parameter results in an empty list after parsing, the action will + fail. capabilities: can_create_case_comments: false can_create_insight: false @@ -2321,14 +2390,14 @@ Update Custom List Items: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Adds or removes indicators (IPs, domains, or networks) from a specified custom - list in Infoblox Threat Defense, which can affect security policy enforcement. + Updates (adds or removes) indicators within a specific Custom List in the Infoblox + Threat Defense platform using a PATCH request. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2342,9 +2411,10 @@ Update Custom List Items: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Update Network List: action_product_categories: add_alert_comment: false - add_ioc_to_allowlist: true + add_ioc_to_allowlist: false add_ioc_to_blocklist: true contain_host: false create_ticket: false @@ -2355,39 +2425,76 @@ Update Custom List Items: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false - remove_ioc_from_allowlist: true + get_alert_information: false + remove_ioc_from_allowlist: false remove_ioc_from_blocklist: true reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Update Network List: ai_description: >- Updates an existing network list in Infoblox Threat Defense with a new name, items, - or description. This action is useful for managing network boundaries or lists - used in security policies. ### Flow Description: 1. **Parameter Extraction:** - Retrieves the Network List ID, Name, Items, and Description from the action parameters. - 2. **Validation:** Validates that the Network List ID is a positive integer. 3. - **Data Retrieval:** Fetches the current configuration of the specified network - list to allow for partial updates. 4. **Payload Construction:** Merges the provided - parameters with existing data. If a parameter is not provided, the existing value - is retained. The keyword 'empty' can be used to clear the description. 5. **API - Update:** Executes a PUT request to the Infoblox API to apply the changes. 6. - **Output Generation:** Returns the updated network list details as a JSON result - and populates a data table. ### Parameters Description: | Parameter | Type | Mandatory - | Description | | :--- | :--- | :--- | :--- | | Network List ID | String | Yes - | The unique ID of the network list to update. | | Name | String | No | The new - name for the network list. | | Items | String | No | Comma-separated items (e.g., - IP addresses) to include in the list. | | Description | String | No | The new - description. Use the keyword 'empty' to remove the existing description. | ### - Additional Notes: - If optional parameters (Name, Items, Description) are left - blank, the action will preserve the current values stored in Infoblox. + or description. This action allows for granular updates to network lists used + for security policies. If optional parameters like Name, Items, or Description + are not provided, the action fetches the current configuration from Infoblox and + preserves the existing values. The action also supports clearing the description + field using a specific keyword. + + + ### Flow Description: + + 1. **Parameter Extraction:** The action retrieves the Network List ID (mandatory) + and optional fields (Name, Items, Description) from the user input. + + 2. **Validation:** Validates that the Network List ID is a positive integer. + + 3. **Data Retrieval:** Fetches the current state of the specified network list + from the Infoblox API to ensure that any fields not being updated retain their + current values. + + 4. **Payload Construction:** Merges the new inputs with the existing data. If + the 'Description' parameter is set to 'empty', the field is cleared. + + 5. **External Update:** Sends a PUT request to the Infoblox API to update the + network list. + + 6. **Output Generation:** Returns the updated network list details as a JSON object + and populates a data table named 'Network List Details' in the SecOps platform. + + + ### Parameters Description: + + | Parameter Name | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Network List ID | string | True | The unique identifier of the network list + to be updated. Must be a positive integer. | + + | Name | string | False | The new name for the network list. If omitted, the current + name is kept. | + + | Items | string | False | A comma-separated list of items (e.g., IP addresses + or CIDRs) to include in the network list. If omitted, current items are kept. + | + + | Description | string | False | A new description for the network list. Use the + keyword `empty` to remove the existing description. If omitted, the current description + is kept. | + + + ### Additional Notes: + + - This action performs a 'Read-Modify-Write' pattern by fetching current data + before updating to prevent accidental data loss of non-specified fields. capabilities: can_create_case_comments: false can_create_insight: false @@ -2397,13 +2504,13 @@ Update Network List: can_update_entities: false external_data_mutation_explanation: >- Updates the configuration (name, items, or description) of an existing network - list in Infoblox via a PUT request. + list in the Infoblox Threat Defense platform via a PUT request. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2417,6 +2524,7 @@ Update Network List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Update Security Policy: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -2430,53 +2538,102 @@ Update Network List: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Update Security Policy: - ai_description: "Modifies an existing security policy's configurations or linked\ - \ lists in Infoblox Threat Defense. This action allows for comprehensive updates\ - \ to policy metadata, network associations, security rules, and advanced settings.\ - \ It first retrieves the current state of the policy to ensure that only the specified\ - \ fields are updated while preserving others. \n\n### Flow Description:\n1. **Validation:**\ - \ Validates that the provided `Security Policy ID` is a positive integer.\n2.\ - \ **Data Retrieval:** Fetches the existing configuration of the specified security\ - \ policy from Infoblox to serve as a baseline.\n3. **Payload Construction:** Merges\ - \ the user-provided parameters with the existing policy data. If a parameter is\ - \ provided as `empty`, the corresponding field is cleared; if a parameter is omitted,\ - \ the existing value is retained.\n4. **Update Execution:** Sends a PUT request\ - \ to the Infoblox API to apply the changes to the security policy.\n5. **Output\ - \ Generation:** Returns the full JSON response of the updated policy and populates\ - \ a data table with key policy details.\n\n### Parameters Description:\n| Parameter\ - \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Security\ - \ Policy ID | String | Yes | The unique identifier of the security policy to update.\ - \ |\n| Policy Name | String | No | The updated name for the security policy. |\n\ - | Description | String | No | The updated description. Use the keyword `empty`\ - \ to remove the existing description. |\n| Network Lists | String | No | Comma-separated\ - \ IDs of network lists to associate with this policy. Use `empty` to remove all\ - \ associations. |\n| DFPS | String | No | Comma-separated Default Forwarding Policies\ - \ (DFPs) to update. Use `empty` to remove all DFPs. |\n| Roaming Device Groups\ - \ | String | No | Comma-separated IDs of Roaming Device Groups to associate. Use\ - \ `empty` to remove all groups. |\n| Rules | String | No | A JSON array of rule\ - \ objects (action, type, data, etc.). Use `empty` to remove all rules. |\n| Safe\ - \ Search | DDL | No | Specify whether to enable (`True`) or disable (`False`)\ - \ safe search filtering. |\n| Block DNS Rebinding | DDL | No | Specify whether\ - \ to enable (`True`) or disable (`False`) protection against DNS rebinding attacks.\ - \ |\n| Tags | String | No | A JSON object containing tags to categorize the policy.\ - \ |\n| Additional Parameters | String | No | A JSON object for advanced settings\ - \ such as `precedence`, `doh_enabled`, `ecs`, or `access_codes`. |\n\n### Additional\ - \ Notes:\n- The action uses a 'merge' logic: only parameters explicitly defined\ - \ by the user (or set to `empty`) will change the existing policy configuration.\n\ - - The `Rules`, `Tags`, and `Additional Parameters` fields must be valid JSON strings." + ai_description: >- + ### General Description + + Updates an existing security policy in Infoblox Threat Defense. This action allows + for the modification of policy names, descriptions, network lists, forwarding + policies (DFPS), roaming device groups, security rules, and advanced settings + like safe search or DNS rebinding protection. It ensures data consistency by fetching + the current policy state before applying updates, merging the new parameters with + existing configurations. + + + ### Parameters Description + + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Security Policy ID | String | Yes | The unique identifier of the security policy + to update. | + + | Policy Name | String | No | The updated name for the security policy. | + + | Description | String | No | An updated description for the policy. Use the keyword + `empty` to remove the existing description. | + + | Network Lists | String | No | Comma-separated IDs of network lists to associate + with this policy. Use the keyword `empty` to remove all network lists. | + + | DFPS | String | No | Comma-separated IDs of Default Forwarding Policies to update. + Use the keyword `empty` to remove all DFPS. | + + | Roaming Device Groups | String | No | Comma-separated IDs of Roaming Device + Groups to associate with this policy. Use the keyword `empty` to remove all groups. + | + + | Rules | String | No | A JSON list of security rule objects (action, type, data, + etc.). Use the keyword `empty` to remove all rules. | + + | Safe Search | DDL | No | Specify whether to enable (`True`) or disable (`False`) + safe search filtering. | + + | Block DNS Rebinding | DDL | No | Specify whether to block (`True`) or allow + (`False`) DNS rebinding attacks. | + + | Tags | String | No | A JSON object containing tags to categorize the policy. + | + + | Additional Parameters | String | No | A JSON object containing advanced parameters + such as `precedence`, `access_codes`, `doh_enabled`, or `doh_fqdn`. | + + + ### Additional Notes + + - The action uses a "fetch-then-update" logic: it retrieves the existing policy + data first to ensure that fields not specified in the action parameters are preserved + rather than overwritten with null values. + + - The keyword `empty` is specifically handled for `Description`, `Network Lists`, + `DFPS`, `Roaming Device Groups`, and `Rules` to allow clearing those configurations. + + + ### Flow Description + + 1. **Parameter Extraction:** The action extracts the mandatory `Security Policy + ID` and all optional update parameters. + + 2. **Validation:** Validates that the `Security Policy ID` is a positive integer. + + 3. **Data Retrieval:** Fetches the current configuration of the specified security + policy from the Infoblox API. + + 4. **Payload Construction:** Merges the provided updates with the existing policy + data. If a parameter is not provided, the existing value is kept. If `empty` is + provided, the field is cleared. + + 5. **API Update:** Sends a PUT request to the Infoblox endpoint to update the + security policy with the new payload. + + 6. **Output:** Returns the updated policy details as a JSON result and populates + a data table named "Security Policy Details" for the analyst. capabilities: can_create_case_comments: false can_create_insight: false @@ -2485,15 +2642,15 @@ Update Security Policy: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the configuration of a security policy in the Infoblox Threat Defense - platform via a PUT request, potentially changing rules, network associations, - and security filtering settings. + Updates the configuration of an existing security policy in Infoblox Threat + Defense via a PUT request, potentially changing rules, network associations, + and security settings. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2507,28 +2664,3 @@ Update Security Policy: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/partner/infoblox_threat_defense_with_ddi/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/partner/infoblox_threat_defense_with_ddi/resources/ai/connectors_ai_description.yaml index 9a43e7052..6f5635a62 100644 --- a/content/response_integrations/third_party/partner/infoblox_threat_defense_with_ddi/resources/ai/connectors_ai_description.yaml +++ b/content/response_integrations/third_party/partner/infoblox_threat_defense_with_ddi/resources/ai/connectors_ai_description.yaml @@ -2,13 +2,11 @@ Infoblox - DNS Security Events Connector: ai_description: >- ### General Description - The Infoblox - DNS Security Events connector integrates with the Infoblox Threat - Defense platform to ingest DNS-related security events into Google SecOps. This - connector allows security teams to monitor malicious DNS activity, such as malware - communications, phishing attempts, and data exfiltration, by pulling detailed - event logs. It supports extensive filtering capabilities based on threat categories, - severity levels, and policy actions to ensure only relevant security data is ingested - for investigation. + The **Infoblox - DNS Security Events Connector** retrieves DNS security events + from the Infoblox Threat Defense platform and ingests them as alerts into Google + SecOps. This connector allows security teams to monitor and respond to malicious + DNS activity, such as domain lookups associated with malware, phishing, or data + exfiltration, by centralizing Infoblox telemetry within the SOAR environment. ### Parameters Description @@ -17,14 +15,14 @@ Infoblox - DNS Security Events Connector: | :--- | :--- | :--- | :--- | - | API Root | String | Yes | The base URL of the Infoblox API, typically `https://csp.infoblox.com/`. + | API Root | String | Yes | The base URL of the Infoblox CSP API (e.g., `https://csp.infoblox.com/`). | - | API Key | Password | Yes | The unique identifier used to authenticate and authorize + | API Key | Password | Yes | A unique identifier used to authenticate and authorize access to the Infoblox API. | | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the - python process running the connector script. | + python process running the script. | | EventClassId | String | Yes | The field name used to determine the event name/sub-type (default: `tclass`). | @@ -32,38 +30,38 @@ Infoblox - DNS Security Events Connector: | DeviceProductField | String | Yes | The field name used to determine the device product (default: `Infoblox Threat Defense with DDI`). | - | Limit | String | No | Specify the maximum number of alerts to create per execution - cycle. Default is 100. | - - | Max Hours Backwards | String | No | Number of hours before the first connector - iteration to retrieve alerts from. Default is 24. | + | Feed Name | String | No | Filter by comma-separated threat feed or custom list + names. | - | Threat Level | String | No | Filter events by severity level (LOW, MEDIUM, HIGH, - CRITICAL). | + | Limit | String | No | Specify the maximum number of alerts to create per iteration + (default: `100`). | - | Policy Action | String | No | Filter by the action performed by Infoblox (Log, - Block, Default, Redirect). | + | Max Hours Backwards | String | No | Number of hours to look back for alerts + during the first connector iteration (default: `24`). | - | Feed Name | String | No | Filter by comma-separated threat feed or custom list - names. | + | Network | String | No | Filter by comma-separated network names, on-premises + hosts, or endpoints. | - | Threat Class | String | No | Filter by threat category (e.g., "Malware", "MalwareDownload"). - | + | Policy Action | String | No | Filter by comma-separated actions performed (e.g., + `Log`, `Block`, `Redirect`). | - | Threat Family | String | No | Filter by threat family (e.g., "Log4Shell", "OPENRESOLVER"). + | Policy Name | String | No | Filter by comma-separated security policy names. | | Queried name | String | No | Filter by comma-separated queried domain names. | - | Threat Indicator | String | No | Filter by comma-separated threat indicators - (domains, IPs). | + | Threat Class | String | No | Filter by comma-separated threat categories (e.g., + `Malware`, `MalwareDownload`). | - | Policy Name | String | No | Filter by comma-separated security policy names. - | + | Threat Family | String | No | Filter by comma-separated threat families (e.g., + `Log4Shell`, `OPENRESOLVER`). | + + | Threat Indicator | String | No | Filter by comma-separated threat indicators + (domains or IPs). | - | Network | String | No | Filter by comma-separated network name, on-premises - host, endpoint, or DFP name. | + | Threat Level | String | No | Filter by threat severity level (`LOW`, `MEDIUM`, + `HIGH`, `CRITICAL`). | | Verify SSL | Boolean | No | If enabled, the connector will verify the SSL certificate of the API endpoint. | @@ -71,60 +69,96 @@ Infoblox - DNS Security Events Connector: ### Flow Description - 1. **Authentication**: The connector establishes a session with the Infoblox API - using the provided API Key and Root URL. + 1. **Authentication**: The connector establishes a session with the Infoblox Cloud + Services Portal (CSP) using the provided API Key. - 2. **Time Window Determination**: It calculates the polling window by checking - the timestamp of the last successful run. If no previous timestamp exists, it - uses the 'Max Hours Backwards' parameter. + 2. **Time Range Calculation**: It determines the starting timestamp by checking + the last successful execution time. If no previous state exists, it uses the "Max + Hours Backwards" parameter. - 3. **Event Fetching**: The connector queries the `/api/dnsdata/v2/dns_event` endpoint, - applying all configured filters (e.g., Threat Level, Policy Action, Network) to - retrieve DNS security events. + 3. **Data Retrieval**: The connector queries the Infoblox `/api/dnsdata/v2/dns_event` + endpoint, applying all configured filters such as Threat Level, Policy Name, and + Feed Name. - 4. **Deduplication**: It compares retrieved events against a list of previously - processed IDs stored in the SOAR environment to prevent duplicate alert creation. + 4. **Pagination**: It paginates through the API results until the specified "Limit" + is reached or all new events are fetched. - 5. **Alert Mapping**: Each unique event is transformed into a Google SecOps `AlertInfo` - object. The alert name is dynamically generated using the threat class and queried - domain name. + 5. **Deduplication**: For each event, a unique composite ID is generated based + on the event time, queried name, device, and feed name to ensure no duplicate + alerts are created. - 6. **Case Creation**: The mapped alerts are sent to the Google SecOps platform, - where they are converted into cases for analyst review. + 6. **Alert Mapping**: The raw DNS event data is mapped to the Google SecOps AlertInfo + model. This includes mapping Infoblox severity levels to SOAR priorities and populating + event extensions with the full JSON payload. - 7. **State Persistence**: Upon successful ingestion, the connector saves the latest - event timestamp and updated list of processed IDs to ensure the next run starts - exactly where the current one finished. + 7. **Ingestion**: The processed alerts are sent to Google SecOps, and the connector + saves the timestamp of the latest event to ensure the next run starts from where + it left off. Infoblox - SOC Insights Connector: - ai_description: "### General Description\nThe Infoblox - SOC Insights Connector\ - \ retrieves high-fidelity Security Operations Center (SOC) insights from the Infoblox\ - \ Threat Defense platform. These insights represent aggregated security events\ - \ and detections, allowing security teams to ingest prioritized threat data into\ - \ Google SecOps for automated investigation, enrichment, and response. The connector\ - \ supports deduplication and filtering to ensure only relevant, new insights are\ - \ processed.\n\n### Parameters Description\n| Parameter | Type | Mandatory | Description\ - \ |\n| :--- | :--- | :--- | :--- |\n| API Root | String | Yes | The base URL of\ - \ the Infoblox API (e.g., https://csp.infoblox.com/). |\n| API Key | Password\ - \ | Yes | Unique identifier used to authenticate and authorize access to the Infoblox\ - \ API. |\n| Verify SSL | Boolean | Yes | If enabled, the connector will verify\ - \ the SSL certificate for API requests. |\n| PythonProcessTimeout | Integer |\ - \ Yes | The timeout limit (in seconds) for the python process running the script.\ - \ |\n| EventClassId | String | Yes | The field name used to determine the event\ - \ name/sub-type (default: tclass). |\n| DeviceProductField | String | Yes | The\ - \ field name used to determine the device product (default: Infoblox Threat Defense\ - \ with DDI). |\n| Status | String | No | Filter Insights by their current status\ - \ (e.g., ACTIVE, CLOSED). |\n| Threat Type | String | No | Filter Insights by\ - \ the specific type of threat detected. |\n| Priority | String | No | Filter Insights\ - \ by priority level (INFO, LOW, MEDIUM, HIGH, CRITICAL). |\n\n### Flow Description\n\ - 1. **Authentication**: Establishes a connection to the Infoblox API using the\ - \ provided API Key and Root URL.\n2. **Deduplication**: Retrieves the list of\ - \ previously processed Insight IDs from the system to ensure no duplicate alerts\ - \ are created.\n3. **Data Retrieval**: Queries the Infoblox `/api/v1/insights`\ - \ endpoint, applying user-defined filters for Status, Threat Type, and Priority.\n\ - 4. **Validation & Filtering**: \n * Validates each insight against the `PythonProcessTimeout`\ - \ to ensure graceful exit if the process runs too long.\n * Checks for case\ - \ overflow to prevent system flooding.\n5. **Mapping**: Converts each SOC Insight\ - \ into the Google SecOps `AlertInfo` format, mapping fields such as `insightId`\ - \ to `ticket_id`, and translating Infoblox priority text into numerical severity\ - \ values.\n6. **Ingestion**: Ingests the processed alerts into Google SecOps and\ - \ updates the persistent storage with the new Insight IDs for future deduplication." + ai_description: >- + ### General Description + + This connector retrieves SOC Insights from the Infoblox Threat Defense with DDI + platform and ingests them as alerts into Google SecOps. It allows security teams + to centralize high-fidelity security insights generated by Infoblox's DNS security + analytics and threat intelligence for automated investigation and response. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | API Root | String | Yes | The base URL of the Infoblox API (e.g., https://csp.infoblox.com/). + | + + | API Key | Password | Yes | A unique identifier used to authenticate and authorize + access to the Infoblox API. | + + | Verify SSL | Boolean | Yes | Enable or disable SSL certificate verification + for API requests. | + + | Status | String | No | Filter Insights by their current status (e.g., ACTIVE, + CLOSED). | + + | Threat Type | String | No | Filter Insights by the specific type of threat detected. + | + + | Priority | String | No | Filter Insights by priority level (INFO, LOW, MEDIUM, + HIGH, CRITICAL). | + + | DeviceProductField | String | Yes | The field name used to determine the device + product in the SOAR alert (Default: Infoblox Threat Defense with DDI). | + + | EventClassId | String | Yes | The field name used to determine the event name + or sub-type (Default: tclass). | + + | PythonProcessTimeout | Integer | Yes | The timeout limit (in seconds) for the + connector execution process. | + + + ### Flow Description + + 1. **Authentication**: The connector establishes a connection to the Infoblox + API using the provided API Key and API Root. + + 2. **Deduplication**: It retrieves the list of previously processed Insight IDs + from the system to ensure only new data is ingested. + + 3. **Data Retrieval**: The connector queries the Infoblox `/api/v1/insights` endpoint, + applying filters for Status, Threat Type, and Priority if configured. + + 4. **Validation**: Input parameters like Status and Priority are validated against + allowed values (e.g., Active/Closed) before the request is made. + + 5. **Alert Transformation**: Each retrieved SOC Insight is mapped to a Google + SecOps AlertInfo object. This includes mapping the threat severity (e.g., CRITICAL + to 100), setting the environment, and populating extensions with the full raw + JSON data. + + 6. **Safety Checks**: During processing, the connector monitors for script timeouts + and case overflow limits to ensure system stability. + + 7. **Ingestion**: Validated alerts are returned to the system, and the processed + Insight IDs are saved to prevent future duplication. diff --git a/content/response_integrations/third_party/partner/ip_info/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/ip_info/resources/ai/actions_ai_description.yaml index 88c5ffcfe..742d5ca9f 100644 --- a/content/response_integrations/third_party/partner/ip_info/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/ip_info/resources/ai/actions_ai_description.yaml @@ -1,44 +1,50 @@ Get Domain Information: - ai_description: >- - ### General Description - - Fetches domain information for Hostname entities using the IPInfo service. This - action retrieves metadata associated with a domain, such as registration details - and other contextual information, to assist in security investigations. - - - ### Parameters Description - - There are no parameters for this action. - - - ### Additional Notes - - This action specifically targets Hostname entities and uses the `get_domain` utility - to ensure the identifier is in the correct format before querying the API. - - - ### Flow Description - - 1. **Identify Entities**: The action identifies all Hostname entities within the - current alert context. - - 2. **Extract Domain**: For each entity, it extracts the domain name from the identifier. - - 3. **API Query**: It sends a GET request to the IPInfo API's `/domains` endpoint - for each domain. - - 4. **Data Processing**: The retrieved JSON data is flattened and prefixed with - 'IPInfo'. - - 5. **Enrichment**: The action updates the entity's additional properties with - the domain data and marks the entity as enriched. - - 6. **Visualization**: A data table containing the domain information is added - to the entity in the Google SecOps interface. - - 7. **Final Update**: The action updates the entities in the system and returns - a summary of the results. + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "### General Description\nEnriches Hostname entities by fetching\ + \ detailed domain information from the IPInfo service. This action extracts the\ + \ domain from a hostname, retrieves associated metadata from the IPInfo API, and\ + \ populates the entity's additional properties and case data tables with the results.\n\ + \n### Parameters Description\nThere are no parameters for this action.\n\n###\ + \ Additional Notes\nThis action specifically targets Hostname entities. It uses\ + \ a helper utility to ensure that even if a full URL or complex hostname is provided,\ + \ only the base domain is queried against the IPInfo API.\n\n### Flow Description\n\ + 1. **Initialization**: Connects to the IPInfo API using the configured API Root\ + \ and Token.\n2. **Entity Filtering**: Identifies all Hostname entities within\ + \ the current scope.\n3. **Domain Extraction**: For each Hostname, it extracts\ + \ the base domain name.\n4. **Data Retrieval**: Queries the IPInfo `/domains`\ + \ endpoint for information related to the extracted domain.\n5. **Internal Enrichment**:\ + \ \n * Updates the entity's `additional_properties` with flattened domain\ + \ data.\n * Marks the entity as enriched.\n * Adds a data table to the\ + \ entity in the Google SecOps UI containing the domain details.\n6. **Finalization**:\ + \ Updates all processed entities in the system and returns a summary of the fetched\ + \ information." capabilities: can_create_case_comments: false can_create_insight: false @@ -49,13 +55,13 @@ Get Domain Information: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with domain information and sets the 'is_enriched' - flag to true. + Updates entity additional properties with domain information and adds entity + tables to the case. categories: enrichment: true entity_usage: entity_types: - - HOSTNAME + - HOSTNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -69,6 +75,7 @@ Get Domain Information: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get IP Information: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -82,36 +89,42 @@ Get Domain Information: enrich_asset: false enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get IP Information: - ai_description: "Enriches IP Address entities using the IPInfo service. This action\ - \ retrieves detailed contextual information for IP addresses, including geographic\ - \ location (city, region, country), ASN details, and company information. \n\n\ - ### Flow Description\n1. **Entity Filtering:** The action identifies all entities\ - \ of type `ADDRESS` within the current context.\n2. **Data Retrieval:** For each\ - \ identified IP address, it queries the IPInfo API using the configured API Root\ - \ and Token.\n3. **Data Processing:** The retrieved JSON data is flattened and\ - \ prefixed with 'IPInfo'.\n4. **Internal Updates:** The flattened data is added\ - \ to the entity's 'additional_properties', the entity is marked as 'enriched',\ - \ and an entity-specific data table is created.\n5. **Finalization:** The action\ - \ updates the entities within Google SecOps and provides a summary of the enriched\ - \ IPs and any errors encountered.\n\n### Parameters Description\n| Parameter Name\ - \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| None |\ - \ N/A | N/A | This action does not have any input parameters. It relies on the\ - \ integration's configuration (API Root, Token, Verify SSL). |\n\n### Additional\ - \ Notes\n- This action is strictly for enrichment and does not modify any external\ - \ data.\n- It specifically targets entities of type `ADDRESS`." + ai_description: "### General Description\nEnriches IP Address entities using the\ + \ IPInfo service. This action retrieves detailed contextual information for IP\ + \ addresses, including geolocation (city, region, country), ASN (Autonomous System\ + \ Number), and organizational details. The retrieved data is used to update the\ + \ entity's profile within Google SecOps, providing analysts with immediate visibility\ + \ into the origin and ownership of the IP.\n\n### Parameters Description\nThere\ + \ are no specific action parameters for this action. It relies on the global integration\ + \ configuration (API Root, Token, and Verify SSL).\n\n### Additional Notes\n*\ + \ This action only processes entities of type **ADDRESS**.\n* It updates the entity's\ + \ `additional_properties` with a prefix of `IPInfo` to avoid field collisions.\n\ + * It marks the entity as `enriched` upon successful data retrieval.\n\n### Flow\ + \ Description\n1. **Entity Filtering**: The action identifies all entities in\ + \ the current context that are of type `ADDRESS`.\n2. **API Interaction**: For\ + \ each identified IP address, the action calls the IPInfo API to fetch its metadata.\n\ + 3. **Data Processing**: The JSON response from IPInfo is flattened and prefixed\ + \ with `IPInfo`.\n4. **Internal Updates**: \n * The flattened data is added\ + \ to the entity's `additional_properties`.\n * A data table containing the\ + \ IP information is attached to the entity.\n * The entity is marked as enriched.\n\ + 5. **Finalization**: The action updates all modified entities in the platform\ + \ and returns a consolidated JSON result containing the raw data for all processed\ + \ IPs." capabilities: can_create_case_comments: false can_create_insight: false @@ -122,13 +135,13 @@ Get IP Information: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with enriched IP information, sets the - 'is_enriched' flag to true, and adds entity data tables. + Updates entity additional properties with enriched IP metadata and adds a data + table to the entity in the case. categories: enrichment: true entity_usage: entity_types: - - ADDRESS + - ADDRESS filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -142,6 +155,7 @@ Get IP Information: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -153,28 +167,29 @@ Get IP Information: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: true + enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: ai_description: >- ### General Description - Validates the connectivity and API token for the IPInfo integration. This action - performs a test request to the IPInfo API using a hardcoded IP address (8.8.8.8) - to ensure that the service is reachable and the provided credentials (API Root - and Token) are valid. + The **Ping** action is designed to verify the connectivity between Google SecOps + and the IPInfo service. It ensures that the provided API token is valid and that + the API root URL is accessible by performing a test request to the external service. ### Parameters Description @@ -182,27 +197,30 @@ Ping: There are no parameters for this action. - ### Additional Notes + ### Flow Description - This is a standard connectivity check action used to verify that the integration - configuration is correct. + 1. **Configuration Retrieval**: The action retrieves the integration configuration, + including the API Root, Token, and SSL verification settings from the integration + settings. + 2. **Manager Initialization**: An instance of the `IPInfoManager` is created using + the retrieved configuration. - ### Flow Description + 3. **Connectivity Test**: The action calls the `ping` method, which performs a + GET request to the IPInfo API using a hardcoded test IP address (`8.8.8.8`). - 1. **Retrieve Configuration**: Fetches the API Root, Token, and SSL verification - settings from the integration configuration. + 4. **Response Validation**: The response is validated for HTTP errors and specific + error messages in the content to confirm the API token's validity. - 2. **Initialize Manager**: Instantiates the IPInfoManager with the provided credentials. + 5. **Result Reporting**: If the request is successful, the action ends with a + 'Connection Established' message and returns `True` as the script result. - 3. **Execute Ping**: Calls the `ping` method, which sends a GET request to the - IPInfo API for the test IP '8.8.8.8'. - 4. **Validate Response**: Checks the HTTP response status and ensures no error - messages are present in the content. + ### Additional Notes - 5. **Finalize**: Returns a success message 'Connection Established.' if the request - is successful. + This action is primarily used for troubleshooting and verifying the initial setup + or ongoing health of the IPInfo integration. It does not process any entities + from the current case. capabilities: can_create_case_comments: false can_create_insight: false @@ -211,12 +229,12 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -230,28 +248,3 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/partner/jamf/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/jamf/resources/ai/actions_ai_description.yaml index db727c08f..b6796a830 100644 --- a/content/response_integrations/third_party/partner/jamf/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/jamf/resources/ai/actions_ai_description.yaml @@ -1,67 +1,92 @@ Assign to Group: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: true + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - Adds computers to a specific computer group in Jamf Pro using various identifiers - such as computer IDs, names, or serial numbers. This action is primarily used - for asset management and organizing devices for policy application or security - workflows. + ### General Description + Adds computers to a specific computer group in Jamf Pro using various identifiers. + This action is primarily used for containment, policy enforcement, or organizational + tasks by grouping devices together within the Jamf management console. - ### General Description - This action allows an analyst to programmatically assign one or more computers - to a Jamf Pro computer group. It supports bulk operations by accepting comma-separated - lists of identifiers. Because computer names are not unique in Jamf Pro, the action - provides warnings and recommends using Computer IDs or Serial Numbers for precise - targeting. + ### Parameters Description - ### Flow Description + | Parameter | Description | Type | Mandatory | - 1. **Initialization:** Connects to the Jamf Pro API using provided credentials - and validates the session token. + | :--- | :--- | :--- | :--- | - 2. **Parameter Validation:** Checks that a Group ID is provided and that at least - one computer identifier (IDs, Names, or Serial Numbers) is present. + | Group ID | The unique identifier (ID) of the computer group in Jamf Pro that + you want to modify. | String | Yes | - 3. **Data Parsing:** Splits the comma-separated input strings into clean lists - of identifiers. + | Computer IDs | A comma-separated list of Jamf computer IDs to add to the group + (e.g., "123, 456"). | String | No | - 4. **API Request:** Constructs an XML payload for the Jamf Classic API and performs - a PUT request to the computer group endpoint (`/JSSResource/computergroups/id/{id}`). + | Computer Names | A comma-separated list of computer names to add to the group. + Note: Names may not be unique in Jamf. | String | No | - 5. **Response Handling:** Parses the XML response to extract the group name and - confirm the number of computers successfully added. + | Computer Serial Numbers | A comma-separated list of computer serial numbers + to add to the group. | String | No | - 6. **Output:** Returns a summary message and a JSON object containing the operation - results. + ### Additional Notes - ### Parameters Description + - **Requirement:** At least one of the following parameters must be provided for + the action to execute: `Computer IDs`, `Computer Names`, or `Computer Serial Numbers`. - | Parameter | Type | Mandatory | Description | + - **Reliability:** It is recommended to use `Computer IDs` or `Computer Serial + Numbers` for reliable identification, as computer names are not required to be + unique in Jamf Pro. - | :--- | :--- | :--- | :--- | + - **API Usage:** This action interacts with the Jamf Pro Classic API using XML-formatted + PUT requests. - | Group ID | String | Yes | The unique numeric ID of the computer group to modify. - | - | Computer IDs | String | No | A comma-separated list of Jamf computer IDs (e.g., - "10,11,12"). | + ### Flow Description - | Computer Names | String | No | A comma-separated list of computer names. Note: - The API acts on the first matching record found if names are duplicated. | + 1. **Initialization:** The action initializes the Jamf Pro API manager using the + provided API Root, Client ID, and Client Secret. - | Computer Serial Numbers | String | No | A comma-separated list of computer serial - numbers (e.g., "C02LW5EEF8JC"). | + 2. **Parameter Validation:** It checks if at least one computer identifier (ID, + Name, or Serial Number) has been provided. If all are empty, the action fails. + 3. **Data Parsing:** Comma-separated strings for IDs, Names, and Serial Numbers + are parsed into individual lists, stripping whitespace. - ### Additional Notes + 4. **API Request Construction:** The action constructs an XML payload containing + the `` block with the specified identifiers. - - **Requirement:** At least one of the following parameters must be configured - for the action to run: 'Computer IDs', 'Computer Names', or 'Computer Serial Numbers'. + 5. **Execution:** A PUT request is sent to the Jamf Pro Classic API endpoint `/JSSResource/computergroups/id/{id}`. - - **Reliability:** It is highly recommended to use 'Computer IDs' or 'Computer - Serial Numbers' to avoid ambiguity caused by non-unique computer names. + 6. **Result Processing:** The action parses the XML response from Jamf, extracts + the group name (if available), and returns a JSON summary of the processed computers + and the operation status. capabilities: can_create_case_comments: false can_create_insight: false @@ -70,14 +95,15 @@ Assign to Group: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Adds computer records to a computer group in Jamf Pro by sending a PUT request - with an XML payload to the Jamf Classic API endpoint. - fetches_data: true + Updates the membership of a computer group in Jamf Pro by adding specified computers. + This can trigger configuration changes, software deployments, or security restrictions + on the target devices based on the group's assigned policies. + fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -91,6 +117,7 @@ Assign to Group: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Computer Inventory: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -101,88 +128,93 @@ Assign to Group: disable_identity: false download_file: false enable_identity: false - enrich_asset: false + enrich_asset: true enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: true search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Computer Inventory: ai_description: >- + ### General Description + Retrieves paginated computer inventory records from Jamf Pro. This action allows - for comprehensive searching and filtering of managed computers based on specific - criteria such as name, serial number, UDID, username, or email. It supports advanced - sorting and allows users to specify which data sections (e.g., Hardware, Security, - Applications) should be included in the results to optimize performance. + analysts to perform comprehensive searches for managed computers using various + filters such as name, serial number, UDID, username, or email. It supports detailed + data retrieval by allowing the selection of specific inventory sections (e.g., + Hardware, Security, Operating System, Applications) and provides sorting capabilities + to organize the results. ### Parameters Description - | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Page | String | No | The page number to retrieve (starts at 0). | - - | Page Size | String | No | The number of records to return per page (default - is 100, maximum is 2000). | + | Page | String | No | The page number to retrieve. Defaults to 0. | - | Filter | DDL | Yes | The field to use for filtering results (e.g., `general.name`, - `hardware.serialNumber`, `udid`). | - - | Filter Value | String | Yes | The specific value to search for in the selected - filter field. | + | Page Size | String | No | The number of records to return per page. Defaults + to 100. | - | Section | Multi-Choice | No | Specific data sections to include in the response - (e.g., `HARDWARE`, `SECURITY`, `APPLICATIONS`). Defaults to `ALL`. | - - | Sort | Multi-Choice | No | Criteria for sorting the results, including field - name and direction (e.g., `general.name:asc`). | + | Filter | DDL | Yes | The field to filter the inventory by. Options include `general.name`, + `hardware.serialNumber`, `udid`, `userAndLocation.username`, and `userAndLocation.email`. + | + | Filter Value | String | Yes | The specific value to search for based on the + selected Filter field. | - ### Flow Description + | Section | Multi-choice | No | Specific inventory sections to include in the + response (e.g., HARDWARE, SECURITY, APPLICATIONS). Selecting specific sections + can optimize data retrieval. Defaults to ALL. | + | Sort | Multi-choice | No | Criteria to sort the results, including field name + and direction (asc/desc). | - 1. **Initialization**: The action extracts the Jamf Pro API configuration and - user-provided parameters. - 2. **Validation**: It validates that `Page` and `Page Size` are valid integers - and within acceptable ranges. + ### Additional Notes - 3. **Request Construction**: It builds a filter string in the Jamf Pro API format - (e.g., `field=="value"`) and processes the sort and section selections. + - If a `Filter` is provided but the `Filter Value` is empty (or vice versa), the + action will skip the filtering logic and return results based on pagination and + sorting only. - 4. **Section Optimization**: If a filter is applied to a specific field (like - UDID), the action automatically ensures the corresponding data section (like `HARDWARE`) - is included in the request if not already specified. + - The action automatically ensures that the section corresponding to the `Filter` + field is included in the API request to ensure the filter can be processed correctly + by Jamf Pro. - 5. **API Execution**: It performs a GET request to the Jamf Pro `/api/v1/computers-inventory` - endpoint with the constructed query parameters. - 6. **Data Processing**: The retrieved inventory data is cleaned to ensure valid - JSON formatting and to handle special characters that might cause parsing issues. + ### Flow Description - 7. **Output**: The action returns the inventory results as a JSON object and provides - a summary message including the total count of records found. + 1. **Initialization**: Extracts the Jamf Pro API configuration (Root URL, Client + ID, Secret) and the action parameters. + 2. **Validation**: Converts and validates pagination parameters (`Page`, `Page + Size`) to ensure they are valid integers. - ### Additional Notes + 3. **Criteria Processing**: Processes the `Sort` criteria and constructs the `Filter` + string in the Jamf Pro API format (e.g., `field=="value"`). + 4. **Section Selection**: Determines which inventory sections to request. If specific + sections are requested, it ensures the section required for the active filter + is also included. - - If `Section` is set to `ALL`, the action retrieves all available data points - for the computers, which may impact performance for large datasets. + 5. **API Execution**: Initializes the Jamf Manager and calls the `get_computer_inventory` + endpoint with the processed parameters. - - The action is read-only and does not modify any data within Jamf Pro. + 6. **Result Handling**: Captures the inventory data, calculates pagination metadata + (e.g., if more pages are available), and outputs the results as a JSON object + for use in the SOAR platform. capabilities: can_create_case_comments: false can_create_insight: false @@ -194,9 +226,9 @@ Get Computer Inventory: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -210,6 +242,7 @@ Get Computer Inventory: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Device Group Membership: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -223,63 +256,62 @@ Get Computer Inventory: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Device Group Membership: ai_description: >- ### General Description - Retrieves the membership information for a specific computer group from Jamf Pro. - This action fetches detailed data about all member devices within a group, supporting - both static and smart computer groups. It provides the total count of members - and the full membership data structure, which is useful for identifying devices - subject to specific policies or configurations. + The **Get Device Group Membership** action retrieves the list of computers belonging + to a specific computer group in Jamf Pro. It is designed to provide visibility + into the composition of both Static and Smart computer groups, returning details + such as the total member count and basic information for each device in the group. ### Parameters Description - | Name | Type | Mandatory | Description | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Group ID | string | Yes | The unique identifier of the computer group in Jamf - Pro to retrieve membership for. | + | Group ID | String | Yes | The unique identifier of the computer group in Jamf + Pro for which membership information is requested. | ### Flow Description - 1. **Initialization**: The action initializes the Jamf Pro API manager using the - integration's configuration parameters, including the API Root, Client ID, and - Client Secret. - - 2. **Parameter Extraction**: The `Group ID` is extracted from the action input - parameters. + 1. **Authentication**: The action authenticates with the Jamf Pro API using the + configured Client ID and Client Secret to obtain a bearer token. - 3. **API Request**: The action sends a GET request to the Jamf Pro Classic API - endpoint (`/JSSResource/computergroups/id/{id}`) to fetch membership details. + 2. **API Request**: It performs a GET request to the Jamf Classic API endpoint + (`/JSSResource/computergroups/id/{id}`) using the provided Group ID. - 4. **Data Processing**: It parses the API response to extract the list of member - computers and calculates the total member count. + 3. **Data Extraction**: The action parses the response to extract the list of + member computers and calculates the total number of members. - 5. **Result Output**: The membership data and count are added to the action's - JSON results, and a success message is returned to the SOAR platform. + 4. **Result Processing**: The retrieved membership data is formatted into a JSON + object and attached to the action results. If no group is found, the action reports + that no membership data was available. ### Additional Notes - This action does not operate on specific entities within the Google SecOps case; - it retrieves group-level data based on the provided ID. There are no parameters - that are conditionally mandatory. + This action does not operate on SecOps entities (like Hostnames or IPs). It is + a standalone lookup action that requires a specific Jamf Group ID to function. + It is classified as an enrichment action because it retrieves data without modifying + the state of Jamf Pro or the SecOps case. capabilities: can_create_case_comments: false can_create_insight: false @@ -293,7 +325,7 @@ Get Device Group Membership: categories: enrichment: true entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -307,6 +339,7 @@ Get Device Group Membership: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Device Information: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -317,39 +350,68 @@ Get Device Group Membership: disable_identity: false download_file: false enable_identity: false - enrich_asset: false + enrich_asset: true enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: true search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Device Information: ai_description: >- - ### General Description\nThe **Get Device Information** action retrieves detailed - computer information from Jamf Pro using a specific Computer ID. It is designed - to provide analysts with comprehensive visibility into a managed asset, including - hardware specifications, operating system details, and user/location data.\n\n### - Parameters Description\n| Parameter | Type | Mandatory | Description |\n| :--- - | :--- | :--- | :--- |\n| **Computer ID** | String | Yes | The unique ID of the - computer in Jamf Pro to retrieve information for. |\n\n### Flow Description\n1. - **Initialize Manager**: Sets up the Jamf Pro API connection using configuration - credentials.\n2. **Fetch Data**: Executes a GET request to the Jamf Pro API for - the specific computer ID.\n3. **Sanitize Result**: Cleans the resulting JSON to - ensure special characters or malformed structures from Jamf do not break the SOAR - UI.\n4. **Return Results**: Populates the action's JSON result with the device - details.\n\n### Additional Notes\n- This action does not process entities from - the case context; it relies solely on the provided Computer ID parameter.\n- If - the device is not found, the action completes successfully but indicates no data - was found. + ### General Description + + Retrieves detailed information for a specific computer from Jamf Pro using its + unique ID. This action provides comprehensive visibility into the device's hardware + specifications, operating system details, user/location data, and security posture. + It is primarily used for asset enrichment and gathering context during security + investigations. + + + ### Parameters Description + + | Parameter | Description | Type | Mandatory | + + | :--- | :--- | :--- | :--- | + + | Computer ID | The unique identifier of the computer in Jamf Pro to retrieve + information for. | String | Yes | + + + ### Flow Description + + 1. **Parameter Extraction:** The action retrieves the `Computer ID` from the user + input. + + 2. **Authentication:** The `JamfManager` authenticates with the Jamf Pro API using + the provided Client ID and Secret to obtain a temporary access token. + + 3. **Data Retrieval:** The action calls the Jamf Pro API endpoint `/api/v1/computers-inventory-detail/{id}` + to fetch the full inventory record for the specified device. + + 4. **Data Sanitization:** The manager cleans the returned JSON data to ensure + special characters or malformed strings do not interfere with the SOAR platform's + processing. + + 5. **Result Output:** The detailed device information is added to the action's + JSON results, and the execution status is set to completed. + + + ### Additional Notes + + This action does not automatically iterate over entities in a case. It requires + a specific `Computer ID` as input, which can be obtained from other Jamf search + actions or inventory listings. capabilities: can_create_case_comments: false can_create_insight: false @@ -363,7 +425,7 @@ Get Device Information: categories: enrichment: true entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -377,6 +439,7 @@ Get Device Information: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Mobile Device Inventory: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -390,27 +453,30 @@ Get Device Information: enrich_asset: true enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: true search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Mobile Device Inventory: ai_description: >- ### General Description - Retrieves mobile device inventory from Jamf Pro using the v2 API. This action - allows for granular data retrieval by supporting pagination, sorting, and filtering - based on specific device attributes like serial number, UDID, or username. It - is primarily used for asset discovery and gathering detailed hardware, software, - and security configuration data for mobile devices managed within Jamf Pro. + The **Get Mobile Device Inventory** action retrieves detailed inventory information + for mobile devices managed within Jamf Pro. It utilizes the Jamf Pro v2 API to + fetch data, supporting advanced features such as pagination, multi-field sorting, + and specific data section selection (e.g., Hardware, Security, Applications). + This action is primarily used for asset discovery and gathering contextual metadata + about mobile endpoints during an investigation. ### Parameters Description @@ -419,47 +485,55 @@ Get Mobile Device Inventory: | :--- | :--- | :--- | :--- | - | Page | String | No | The page number to retrieve (starts at 0). | + | **Page** | String | No | The page number to retrieve for paginated results. + Defaults to 0. | - | Page Size | String | No | The number of records to return per page (default - 100). | + | **Page Size** | String | No | The number of records to return per page (Max + 2000). Defaults to 100. | - | Filter | DDL | Yes | The attribute to filter by (serialNumber, udid, username, - emailAddress). | + | **Filter** | DDL | Yes | The field used to filter the inventory search. Options + include `serialNumber`, `udid`, `username`, and `emailAddress`. | - | Filter Value | String | Yes | The specific value to search for in the selected + | **Filter Value** | String | Yes | The specific value to search for in the selected filter field. | - | Section | DDL | No | Specifies which data sections to include (e.g., HARDWARE, - SECURITY, APPLICATIONS). Defaults to ALL. | + | **Section** | DDL | No | Specifies which data sections to include in the response + (e.g., `HARDWARE`, `SECURITY`, `NETWORK`). Selecting specific sections optimizes + data retrieval. Defaults to `ALL`. | - | Sort | Multi-choice | No | Defines the sorting order for the results (e.g., - displayName:asc). Supports over 200 sorting options. | + | **Sort** | Multi-Choice | No | Defines the sorting order of the results using + `field:direction` pairs (e.g., `displayName:asc`). | ### Flow Description - 1. **Authentication**: The action authenticates with the Jamf Pro API using provided - client credentials to obtain a bearer token. + 1. **Parameter Extraction:** The action retrieves configuration details (API Root, + Credentials) and user-provided parameters (Filter, Pagination, Sorting). - 2. **Parameter Processing**: Validates pagination integers and constructs the - filter query string (e.g., `username=="value"`). + 2. **Validation:** It validates that `Page` and `Page Size` are valid integers + and within acceptable ranges. + + 3. **Query Construction:** Processes the `Sort` criteria into an API-compatible + string and constructs a filter query string based on the `Filter` and `Filter + Value` parameters. It also automatically ensures that the required data section + for the chosen filter field is included in the request. - 3. **Section Selection**: Determines which inventory sections to request; if a - filter is used, the corresponding section is automatically included to ensure - the filter works. + 4. **API Interaction:** Authenticates with Jamf Pro and sends a GET request to + the `/api/v2/mobile-devices/detail` endpoint with the constructed query parameters. - 4. **Data Retrieval**: Sends a GET request to the `/api/v2/mobile-devices/detail` - endpoint with the constructed query parameters. + 5. **Data Processing:** Cleans the returned JSON data to ensure compatibility + and handles any API errors or empty result sets. - 5. **Result Handling**: Cleans the returned JSON data to ensure compatibility - and outputs the inventory records to the action results. + 6. **Output:** Returns the inventory data as a JSON result in the SOAR platform. ### Additional Notes - This action does not run on entities within the SOAR case; it performs a direct - search against the Jamf Pro inventory based on the provided filter parameters. + * This action does not run on SecOps entities; it performs a direct search based + on the provided parameters. + + * If no devices match the criteria, the action will complete successfully but + indicate that no results were found. capabilities: can_create_case_comments: false can_create_insight: false @@ -471,9 +545,9 @@ Get Mobile Device Inventory: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -487,6 +561,7 @@ Get Mobile Device Inventory: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +List Computer Groups: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -497,40 +572,61 @@ Get Mobile Device Inventory: disable_identity: false download_file: false enable_identity: false - enrich_asset: true + enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -List Computer Groups: ai_description: >- - ### General Description\nThis action retrieves a comprehensive list of all computer - groups configured within Jamf Pro. It includes both static groups (manually assigned) - and smart groups (criteria-based). The retrieved data is provided in a structured - JSON format, allowing for further processing or automation based on group membership - or configuration.\n\n### Parameters Description\n| Parameter Name | Type | Mandatory - | Description |\n| :--- | :--- | :--- | :--- |\n| None | N/A | N/A | This action - does not require any input parameters. |\n\n### Additional Notes\nThis action - does not require any input entities and operates at the system level to provide - visibility into the Jamf Pro environment's group structure. It is primarily used - for discovery and environment mapping.\n\n### Flow Description\n1. **Authentication**: - The action connects to the Jamf Pro API using the provided credentials (API Root, - Client ID, and Client Secret) to obtain a Bearer token.\n2. **Data Retrieval**: - It sends a GET request to the `/api/v1/computer-groups` endpoint to fetch the - list of all computer groups.\n3. **Processing**: The action parses the API response, - handling both direct list formats and potential empty results.\n4. **Output**: - The list of computer groups is attached to the action's JSON result for use in - subsequent playbook steps. + ### General Description + + Retrieves all computer groups from Jamf Pro. This action fetches a comprehensive + list of both static and smart computer groups configured in the Jamf Pro environment. + The results are returned as a JSON object, allowing playbooks to dynamically reference + group names or IDs for subsequent management tasks. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | None | N/A | N/A | This action does not have any input parameters. It relies + solely on the integration's configuration for authentication and connectivity. + | + + + ### Flow Description + + 1. **Authentication**: The action authenticates with the Jamf Pro API using the + provided Client API ID and Secret to obtain an OAuth2 access token. + + 2. **Data Retrieval**: It sends a GET request to the Jamf Pro `/api/v1/computer-groups` + endpoint to fetch the complete list of computer groups. + + 3. **Result Processing**: The retrieved list is formatted into a JSON object and + returned as the action's result. If no groups are found, an empty list is returned. + + + ### Additional Notes + + This action does not target specific entities and operates at the system-wide + level of the Jamf Pro instance. It is primarily used for discovery and utility + purposes within playbooks. capabilities: can_create_case_comments: false can_create_insight: false @@ -542,9 +638,9 @@ List Computer Groups: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: true + enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -558,6 +654,7 @@ List Computer Groups: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -571,50 +668,81 @@ List Computer Groups: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: - ai_description: "### General Description\nThe **Ping** action is a diagnostic tool\ - \ designed to verify the connectivity and authentication configuration between\ - \ Google SecOps and the Jamf Pro and Jamf Protect platforms. It ensures that the\ - \ provided API credentials (Client ID and Secret) are valid and that the network\ - \ path to the specified API roots is open.\n\n### Parameters Description\n| Parameter\ - \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Jamf Pro\ - \ API Root | String | Yes | The base URL of the Jamf Pro server (e.g., `https://yourserver.jamfcloud.com`).\ - \ |\n| Jamf Pro Client API ID | String | Yes | The Client ID used for OAuth2 authentication\ - \ with Jamf Pro. |\n| Jamf Pro Client API Secret | String | Yes | The Client Secret\ - \ used for OAuth2 authentication with Jamf Pro. |\n| Verify SSL | Boolean | No\ - \ | If enabled, the action will verify the SSL certificate of the Jamf servers.\ - \ Defaults to `True`. |\n| Jamf Protect API Root | String | No | The base URL\ - \ of the Jamf Protect server. |\n| Jamf Protect Client API ID | String | No |\ - \ The Client ID used for authentication with Jamf Protect. |\n| Jamf Protect Client\ - \ API Secret | String | No | The Client Secret used for authentication with Jamf\ - \ Protect. |\n\n### Flow Description\n1. **Parameter Extraction:** The action\ - \ retrieves the Jamf Pro configuration (Root, ID, Secret, SSL) and optional Jamf\ - \ Protect configuration from the integration settings.\n2. **Jamf Pro Connectivity\ - \ Test:** \n * Initializes the `JamfManager`.\n * Attempts to obtain an\ - \ OAuth access token using the provided Client ID and Secret.\n * Performs\ - \ a GET request to the `/api/v1/jamf-pro-version` endpoint to confirm the API\ - \ is responsive.\n3. **Jamf Protect Connectivity Test (Optional):** \n * If\ - \ all Jamf Protect parameters (Root, ID, Secret) are provided, the action initializes\ - \ the `JamfProtectManager`.\n * Attempts to obtain an access token from the\ - \ Jamf Protect authentication endpoint.\n4. **Result Reporting:** If the connection\ - \ tests are successful, the action completes with a success message. If any step\ - \ fails (e.g., authentication error, timeout), it returns a failure status with\ - \ the error details.\n\n### Additional Notes\n* Jamf Protect connectivity is only\ - \ tested if all three related parameters are configured. If any are missing, the\ - \ Protect test is skipped.\n* This action does not process any entities and is\ - \ strictly for system health checks." + ai_description: >- + ### General Description + + Verifies connectivity to the Jamf Pro and Jamf Protect APIs. This action ensures + that the SOAR platform can successfully authenticate and communicate with the + configured Jamf instances using the provided credentials. It is primarily used + for troubleshooting and initial setup validation. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Jamf Pro API Root | String | Yes | The base URL of the Jamf Pro server (e.g., + https://yourserver.jamfcloud.com). | + + | Jamf Pro Client API ID | String | Yes | The Client ID used for Jamf Pro API + authentication. | + + | Jamf Pro Client API Secret | String | Yes | The Client Secret used for Jamf + Pro API authentication. | + + | Verify SSL | Boolean | No | If enabled, the action will verify the SSL certificate + of the Jamf servers. Defaults to True. | + + | Jamf Protect API Root | String | No | The base URL of the Jamf Protect server. + | + + | Jamf Protect Client API ID | String | No | The Client ID used for Jamf Protect + API authentication. | + + | Jamf Protect Client API Secret | String | No | The Client Secret used for Jamf + Protect API authentication. | + + + ### Additional Notes + + - Jamf Pro connectivity is always tested as it is the primary component of the + integration. + + - Jamf Protect connectivity is optional and will only be tested if all three Protect-related + parameters (API Root, Client ID, and Client Secret) are provided. + + + ### Flow Description + + 1. **Parameter Extraction:** Retrieves Jamf Pro and optional Jamf Protect configuration + parameters from the integration settings. + + 2. **Jamf Pro Validation:** Initializes the Jamf Pro manager, requests an OAuth + access token, and calls the version endpoint to verify the connection. + + 3. **Optional Jamf Protect Validation:** If Jamf Protect credentials are provided, + it initializes the Jamf Protect manager and attempts to retrieve an authentication + token. + + 4. **Result Reporting:** Returns a success message if the connection tests pass, + or a failure message with error details if any step fails. capabilities: can_create_case_comments: false can_create_insight: false @@ -628,7 +756,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -642,11 +770,12 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Remote Lock Managed Device: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false - contain_host: false + contain_host: true create_ticket: false delete_email: false disable_identity: false @@ -655,69 +784,69 @@ Ping: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Remote Lock Managed Device: ai_description: >- - Remotely locks a managed computer using Jamf Pro MDM commands. This action is - specifically designed for computer objects within Jamf. It triggers a device lock - screen that prevents user access until a specific PIN is entered. The action also - allows for a custom message and a contact phone number to be displayed on the - lock screen. Note that this action requires the computer's management ID, which - it retrieves automatically using the provided Computer ID. + Remotely lock a managed computer using Jamf Pro MDM commands. This action is designed + specifically for computers and allows an analyst to secure a device by locking + its screen. The action requires a 6-digit PIN which will be needed to unlock the + device physically. Optionally, a custom message and phone number can be displayed + on the lock screen to provide instructions or contact information to the user. ### Flow Description: - 1. **Authentication**: Connects to the Jamf Pro API using provided credentials - to obtain an access token. + 1. **Parameter Extraction:** The action retrieves the Computer ID, PIN, and optional + display details (Message and Phone Number) from the input parameters. - 2. **Management ID Retrieval**: Fetches detailed inventory information for the - specified Computer ID to extract the required `managementId`. + 2. **Management ID Retrieval:** It queries the Jamf Pro API to find the `managementId` + associated with the provided Computer ID, which is required for MDM command routing. - 3. **Command Execution**: Sends a `DEVICE_LOCK` MDM command to the Jamf Pro API - targeting the retrieved management ID. + 3. **MDM Command Execution:** It sends a `DEVICE_LOCK` command to the Jamf Pro + MDM server, including the mandatory PIN and any optional display text. - 4. **Result Processing**: Captures the API response and provides a summary of - the command initiation status. + 4. **Result Reporting:** The action returns the status of the command initiation + and provides a JSON result containing the command details and the API response. ### Parameters Description: - | Parameter Name | Type | Mandatory | Description | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Computer ID | String | Yes | The unique identifier of the computer in Jamf Pro - that you wish to lock. | + | Computer ID | String | Yes | The unique ID of the computer in Jamf Pro to be + locked. | - | PIN | String | Yes | A 6-digit numeric code required to unlock the device. Although - marked as optional in some configurations, the underlying logic requires a valid - 6-digit PIN for the command to succeed. | + | PIN | String | Yes | A 6-digit numeric code required to unlock the device. Note: + The underlying logic requires this to be exactly 6 digits. | - | Message | String | No | An optional custom message to display on the device's - lock screen (e.g., "This device has been locked by Security"). | + | Message | String | No | An optional custom message to display on the locked + screen. | - | Phone Number | String | No | An optional phone number to display on the lock - screen for the user to contact support. | + | Phone Number | String | No | An optional phone number to display on the locked + screen. | ### Additional Notes: - - This action is intended for computers; for mobile devices (iOS/iPadOS), use - the "Remote Lock Mobile Device" action. + * This action is intended for computers. For mobile devices (iOS/iPadOS), use + the 'Remote Lock Mobile Device' action. - - The PIN must be exactly 6 digits. + * The PIN must be exactly 6 digits; otherwise, the action will fail during validation. capabilities: can_create_case_comments: false can_create_insight: false @@ -726,15 +855,14 @@ Remote Lock Managed Device: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Sends a 'DEVICE_LOCK' MDM command to the Jamf Pro API, which changes the state - of the physical or virtual managed computer by locking its screen and requiring - a PIN for access. + Sends a 'DEVICE_LOCK' MDM command to Jamf Pro to remotely lock a managed computer, + changing the physical state of the device to a locked screen. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -748,6 +876,7 @@ Remote Lock Managed Device: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Remote Lock Mobile Device: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -761,29 +890,47 @@ Remote Lock Managed Device: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Remote Lock Mobile Device: ai_description: >- - ### General Description - - Remotely lock a managed mobile device using Jamf Pro MDM commands. This action + Remotely locks a managed mobile device using Jamf Pro MDM commands. This action is used to secure a device by locking its screen, preventing unauthorized access. It allows for an optional custom message and phone number to be displayed on the - locked screen. + lock screen to assist in recovery or provide instructions to the user. - ### Parameters Description + ### Flow Description: + + 1. **Parameter Extraction:** Retrieves the Mobile Device ID and optional display + information (Message and Phone Number) from the action parameters. + + 2. **Authentication:** Establishes a session with the Jamf Pro API using provided + client credentials. + + 3. **Device Context Retrieval:** Fetches detailed information for the specified + Mobile Device ID to obtain its unique `managementId` required for MDM commands. + + 4. **Command Execution:** Sends a `DEVICE_LOCK` MDM command to the Jamf Pro server + targeting the specific `managementId` via the MDM commands endpoint. + + 5. **Result Processing:** Captures the API response and logs the command initiation + status and details within the SOAR. + + + ### Parameters Description: | Parameter | Type | Mandatory | Description | @@ -799,25 +946,13 @@ Remote Lock Mobile Device: lock screen. | - ### Flow Description - - 1. **Authentication**: The action authenticates with the Jamf Pro API using the - provided credentials. - - 2. **Device Lookup**: It retrieves the detailed information for the specified - `Mobile Device ID` to obtain the necessary `managementId` required for MDM commands. - - 3. **Command Execution**: It sends a `DEVICE_LOCK` MDM command to the Jamf Pro - server for the target device. - - 4. **Result Processing**: The action captures the response from Jamf Pro and outputs - the command initiation status and details as a JSON result. - + ### Additional Notes: - ### Additional Notes + * This action requires the device to be currently managed by Jamf Pro and have + a valid MDM profile installed to receive the lock command. - This action requires the Jamf Pro API user to have sufficient permissions to send - MDM commands and view mobile device inventory. + * The action first performs a lookup to resolve the management ID before issuing + the lock command. capabilities: can_create_case_comments: false can_create_insight: false @@ -826,14 +961,14 @@ Remote Lock Mobile Device: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Sends a 'DEVICE_LOCK' MDM command to Jamf Pro, which remotely locks the screen - of the target mobile device. + Sends a 'DEVICE_LOCK' MDM command to the Jamf Pro API, which triggers a remote + screen lock on the physical or virtual mobile device. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -847,11 +982,12 @@ Remote Lock Mobile Device: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Update Extension Attribute: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false - contain_host: true + contain_host: false create_ticket: false delete_email: false disable_identity: false @@ -860,63 +996,71 @@ Remote Lock Mobile Device: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Update Extension Attribute: ai_description: >- - ### General Description + Updates a specific extension attribute for a computer managed in Jamf Pro. This + action allows administrators to modify custom metadata fields (extension attributes) + for a specific device by providing the computer's ID and the desired attribute + name and values. - Updates a single extension attribute for a specific computer managed in Jamf Pro. - This action allows analysts to modify custom metadata, such as department, tags, - or location, directly within the Jamf Pro inventory. + ### Flow Description: - ### Parameters Description + 1. **Parameter Extraction:** Retrieves the Jamf Pro API configuration and action + parameters, including the Computer ID, Extension Attribute Name, and the new values. - | Parameter | Type | Mandatory | Description | + 2. **Attribute Discovery:** Fetches the complete list of available computer extension + attributes from Jamf Pro to resolve the provided attribute name into its corresponding + internal Definition ID. - | :--- | :--- | :--- | :--- | + 3. **Value Parsing:** Processes the provided 'Values' string, splitting it into + a list if multiple comma-separated values are provided. - | Computer ID | String | Yes | The unique identifier of the computer in Jamf Pro. - | + 4. **External Update:** Executes a PATCH request to the Jamf Pro API for the specified + computer, updating the targeted extension attribute with the new values. - | Extension Attribute Name | String | Yes | The name of the extension attribute - to be updated. | + 5. **Result Processing:** Captures the API response, extracts basic computer details + (Name, Serial, Platform) for the output message, and attaches the full raw response + as a JSON result. - | Values | String | Yes | A comma-separated list of values to assign to the attribute. - | + ### Parameters Description: - ### Flow Description + | Parameter Name | Type | Mandatory | Description | - 1. **Attribute Resolution**: The action fetches all available computer extension - attributes from Jamf Pro to map the provided name to its internal definition ID. + | :--- | :--- | :--- | :--- | - 2. **Validation**: It verifies that the specified attribute name exists in the - Jamf Pro environment. + | Computer ID | String | Yes | The unique identifier of the computer in Jamf Pro + that needs to be updated. | - 3. **API Update**: It constructs a PATCH request containing the new values and - sends it to the Jamf Pro computer inventory endpoint. + | Extension Attribute Name | String | Yes | The display name of the extension + attribute to update (e.g., 'Department', 'Asset Tag'). | - 4. **Result Processing**: The action captures the API response, providing details - about the updated computer and the values set. + | Values | String | Yes | A comma-separated list of values to set for the extension + attribute. Multiple values are supported for attributes that allow them. | - ### Additional Notes + ### Additional Notes: - - This action performs a case-insensitive search for the attribute name. + - The action performs a lookup of all extension attributes first; if the provided + 'Extension Attribute Name' does not exist in Jamf Pro, the action will fail and + list available attributes in the error message. - - Multiple values are supported for attributes that allow them. + - This action specifically targets the Jamf Pro 'Computers' inventory. capabilities: can_create_case_comments: false can_create_insight: false @@ -925,14 +1069,14 @@ Update Extension Attribute: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the extension attribute values of a computer record in Jamf Pro using - a PATCH request. + Updates the values of a specific extension attribute for a computer record within + the Jamf Pro inventory via a PATCH request. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -946,10 +1090,11 @@ Update Extension Attribute: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Update Protect Prevent List: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false - add_ioc_to_blocklist: false + add_ioc_to_blocklist: true contain_host: false create_ticket: false delete_email: false @@ -959,78 +1104,85 @@ Update Extension Attribute: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Update Protect Prevent List: ai_description: >- - Updates an existing prevent list in Jamf Protect to include additional indicators - such as file hashes, Team IDs, or signing identifiers. This action is primarily - used for containment by expanding the scope of blocked items on managed macOS - devices. + Updates an existing prevent list in Jamf Protect to block specific indicators + such as file hashes, Team IDs, or Signing IDs. This action retrieves the current + state of a named prevent list, validates that the provided indicators match the + list's required format (e.g., SHA-1/SHA-256 for hashes), and appends the new data + and tags to the existing list. It ensures that the prevent type of an existing + list is not changed, as this is not supported by the Jamf Protect API. - ### Flow Description + ### Parameters - 1. **Authentication**: Initializes the Jamf Protect Manager and obtains a GraphQL - access token. + | Parameter | Type | Mandatory | Description | - 2. **List Retrieval**: Fetches all existing prevent lists from Jamf Protect to - locate the target list by name. + | :--- | :--- | :--- | :--- | - 3. **Validation**: Verifies that the target list exists and that the provided - 'Prevent Type' matches the existing list's configuration (the type cannot be changed - during an update). + | Prevent List Name | string | Yes | The name of the existing prevent list in + Jamf Protect that you want to update. | - 4. **Data Merging**: Parses the new indicators and tags from comma-separated strings, - then merges and deduplicates them with the existing data in the list. + | Prevent List Description | string | No | An optional updated description for + the prevent list. If left empty, the existing description is preserved. | - 5. **Indicator Validation**: Validates the format of the new indicators (e.g., - checking for valid SHA-1/SHA-256 hashes or Apple Team IDs) based on the prevent - type. + | Prevent Type | ddl | Yes | The category of indicators the list contains. Options + include: File Hash, Signing Information - Team ID, Signing Information - Code + Directory Hash, or Signing Information - Signing ID. This must match the existing + list's type. | - 6. **External Update**: Executes a GraphQL mutation to update the prevent list - in Jamf Protect with the merged data. + | Prevent List Data | string | Yes | A comma-separated list of identifiers (e.g., + hashes or IDs) to be added to the prevent list. | + | Prevent List Tags | string | No | A comma-separated list of tags to be associated + with the prevent list. New tags are merged with existing ones. | - ### Parameters Description - | Parameter | Type | Mandatory | Description | + ### Additional Notes - | :--- | :--- | :--- | :--- | + - The action will fail if the specified 'Prevent List Name' does not exist in + Jamf Protect. - | Prevent List Name | String | Yes | The exact name of the existing prevent list - to be updated. | + - The 'Prevent Type' cannot be changed for an existing list; the action will raise + an error if the input type differs from the remote list type. - | Prevent List Description | String | No | An optional updated description for - the prevent list. If left empty, the existing description is preserved. | + - At least one tag must exist for the list (either provided in the parameters + or already present on the remote list). - | Prevent Type | DDL | Yes | The category of indicators being added (e.g., File - Hash, Team ID). This must match the type of the existing list. | - | Prevent List Data | String | Yes | A comma-separated list of identifiers (hashes, - IDs) to add to the prevent list. | + ### Flow Description - | Prevent List Tags | String | No | A comma-separated list of tags to associate - with the prevent list. | + 1. **Fetch Existing Lists:** Retrieves all prevent lists from Jamf Protect to + find a match for the provided name. + 2. **Type Validation:** Verifies that the input 'Prevent Type' matches the type + of the existing list found in Jamf Protect. - ### Additional Notes + 3. **Data Parsing:** Parses the comma-separated strings for indicators and tags + into clean lists. + + 4. **Format Validation:** Validates the format of the new indicators based on + the 'Prevent Type' (e.g., checking for valid Apple Team ID structure or hash lengths). - - This action performs a 'merge' operation; it does not overwrite existing indicators - but appends new ones to the list. + 5. **Merge Data:** Combines and deduplicates the new indicators and tags with + the existing data from the remote list. - - The 'Prevent Type' is strictly enforced; if you attempt to update a 'File Hash' - list using 'Team ID' data, the action will fail. + 6. **Update Mutation:** Executes a GraphQL mutation to update the prevent list + in Jamf Protect with the merged data. capabilities: can_create_case_comments: false can_create_insight: false @@ -1039,14 +1191,14 @@ Update Protect Prevent List: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates an existing prevent list configuration in Jamf Protect by adding new - indicators and tags via a GraphQL mutation. + Updates an existing prevent list (blocklist) in Jamf Protect by adding new indicators + and tags via a GraphQL mutation. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1060,11 +1212,12 @@ Update Protect Prevent List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Wipe Managed Device: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false - add_ioc_to_blocklist: true - contain_host: false + add_ioc_to_blocklist: false + contain_host: true create_ticket: false delete_email: false disable_identity: false @@ -1073,45 +1226,84 @@ Update Protect Prevent List: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Wipe Managed Device: - ai_description: "Remotely erases or wipes a managed computer using the Jamf Pro\ - \ `ERASE_DEVICE` MDM command. This action is specifically designed for macOS computers\ - \ and allows for granular control over the wipe process, including obliteration\ - \ behavior and 'Return to Service' configurations. \n\n### Flow Description:\n\ - 1. **Authentication:** Initializes a connection to the Jamf Pro API using provided\ - \ credentials.\n2. **Management ID Retrieval:** Fetches the device's `managementId`\ - \ using the provided `Computer ID` to ensure the command is routed correctly.\n\ - 3. **Command Construction:** Builds the `ERASE_DEVICE` MDM command payload, incorporating\ - \ the PIN, obliteration behavior, and optional Return to Service profiles (MDM\ - \ and WiFi).\n4. **Execution:** Sends the POST request to the Jamf Pro MDM commands\ - \ endpoint to initiate the wipe.\n5. **Reporting:** Returns the initiation status\ - \ and command details as a JSON result.\n\n### Parameters Description:\n| Parameter\ - \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Computer\ - \ ID | String | Yes | The unique identifier of the computer in Jamf Pro to be\ - \ erased. |\n| PIN | String | Yes | A 6-digit PIN required for the erase command\ - \ on certain hardware. |\n| Obliteration Behavior | DDL | Yes | Specifies how\ - \ the device should be obliterated (Default, DoNotObliterate, ObliterateWithWarning,\ - \ Always). |\n| Return to Service | Boolean | Yes | If enabled, the device will\ - \ attempt to re-enroll automatically after the wipe. |\n| MDM Profile Data | String\ - \ | No | Base64-encoded MDM profile data required if 'Return to Service' is enabled.\ - \ |\n| WiFi Profile Data | String | No | Base64-encoded WiFi profile data required\ - \ if 'Return to Service' is enabled to provide network connectivity. |\n\n###\ - \ Additional Notes:\n* This action is intended for computers only; use the 'Wipe\ - \ Mobile Device' action for iOS/iPadOS devices.\n* If 'Return to Service' is enabled,\ - \ at least one profile (MDM or WiFi) should typically be provided to ensure the\ - \ device can reconnect and re-enroll." + ai_description: >- + Remotely erases or wipes a managed computer using the Jamf Pro `ERASE_DEVICE` + MDM command. This action is specifically designed for macOS computers managed + via Jamf Pro. It retrieves the device's management ID and then issues a command + to perform a factory reset or secure wipe based on the provided obliteration behavior. + It also supports 'Return to Service' configurations, allowing the device to automatically + re-enroll or connect to Wi-Fi after the wipe process is complete. + + + ### Flow Description: + + 1. **Parameter Extraction:** Retrieves Jamf Pro connection details and action + parameters including Computer ID, PIN, and obliteration settings. + + 2. **Manager Initialization:** Initializes the JamfManager and authenticates with + the Jamf Pro API to obtain a bearer token. + + 3. **Management ID Retrieval:** Calls the Jamf Pro API to fetch detailed inventory + for the specified Computer ID to extract its `managementId`. + + 4. **Command Execution:** Sends a POST request to the Jamf Pro MDM commands endpoint + with the `ERASE_DEVICE` command type and specified parameters (PIN, obliteration + behavior, and Return to Service profiles). + + 5. **Result Reporting:** Returns a JSON object containing the API response from + Jamf and the details of the command initiated. + + + ### Parameters Description: + + | Parameter | Type | Mandatory | Description | + + | --- | --- | --- | --- | + + | Computer ID | string | Yes | The unique identifier of the computer in Jamf Pro + to be wiped. | + + | PIN | string | Yes | A 6-digit PIN required for the erase command. Note: While + marked mandatory in configuration, the logic handles empty strings if the device + doesn't require one. | + + | Obliteration Behavior | ddl | Yes | Determines how the device is wiped. Options: + Default, DoNotObliterate, ObliterateWithWarning, Always. | + + | Return to Service | boolean | Yes | If enabled, the device will attempt to return + to a managed state after wiping. | + + | MDM Profile Data | string | No | Base64-encoded MDM profile data used for Return + to Service. | + + | WiFi Profile Data | string | No | Base64-encoded WiFi profile data used for + Return to Service. | + + + ### Additional Notes: + + - **Return to Service Requirements:** If 'Return to Service' is enabled, at least + one of 'MDM Profile Data' or 'WiFi Profile Data' must be provided; otherwise, + the action will fail with a parameter error. + + - **Device Compatibility:** This action uses the Jamf Pro computer inventory endpoints + and is intended for computers. For mobile devices (iOS/iPadOS), use the 'Wipe + Mobile Device' action. capabilities: can_create_case_comments: false can_create_insight: false @@ -1120,14 +1312,14 @@ Wipe Managed Device: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Initiates an ERASE_DEVICE MDM command in Jamf Pro which remotely wipes the target - managed computer. + Initiates an ERASE_DEVICE MDM command in Jamf Pro, which results in the remote + wiping/erasing of the target managed computer. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1141,6 +1333,7 @@ Wipe Managed Device: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Wipe Mobile Device: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1154,83 +1347,83 @@ Wipe Managed Device: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Wipe Mobile Device: ai_description: >- - ### General Description - - Remotely erase or wipe a managed mobile device using the Jamf Pro `ERASE_DEVICE` - MDM command. This containment action is designed to secure lost or compromised - devices by performing a full factory reset. It supports advanced configuration - options such as preserving eSIM data plans and enabling "Return to Service," which - allows a device to automatically re-enroll in MDM after being wiped, provided - the necessary profile data is supplied. + Remotely erase or wipe a managed mobile device using the Jamf Pro ERASE_DEVICE + MDM command. This action is used for containment and data protection by completely + wiping a device's data. It supports advanced options such as preserving data plans + for eSIM devices, disabling proximity setup on reboot, and configuring 'Return + to Service' settings to automate re-enrollment after the wipe. - ### Parameters Description - - | Parameter | Type | Mandatory | Description | + ### Flow Description: - | :--- | :--- | :--- | :--- | + 1. **Authentication**: The action authenticates with the Jamf Pro API using the + provided Client ID and Secret to obtain an OAuth access token. - | Mobile Device ID | string | Yes | The ID of the mobile device to erase. | + 2. **Device Identification**: It retrieves the specific management ID for the + provided Mobile Device ID, which is required to issue MDM commands. - | Preserve Data Plan | boolean | No | Whether to preserve the data plan on a mobile - device with eSIM functionality (iOS 11+). | + 3. **Command Construction**: The action constructs an ERASE_DEVICE MDM command + payload, incorporating parameters for data plan preservation, proximity setup + restrictions, and Return to Service configurations (including MDM/WiFi profiles + and bootstrap tokens). - | Disallow Proximity Setup | boolean | No | Whether to disable Proximity Setup - on the next reboot and skip the pane in Setup Assistant (iOS 11+). | + 4. **Execution**: The command is sent to the Jamf Pro MDM server via a POST request. - | Return to Service | boolean | Yes | Whether to enable return to service after - erase (requires MDM profile data). | + 5. **Reporting**: The action returns the command status and execution details + as a JSON result. - | MDM Profile Data | string | No | Base64-encoded MDM profile data for return - to service. | - | WiFi Profile Data | string | No | Base64-encoded WiFi profile data for return - to service. | + ### Parameters Description: - | Bootstrap Token | string | No | Base64 encoded bootstrap token for the device. - | + | Parameter Name | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Flow Description + | Mobile Device ID | String | Yes | The unique identifier of the mobile device + in Jamf Pro to be erased. | - 1. **Parameter Extraction**: The action retrieves the Jamf Pro API configuration - and the specific mobile device ID and wipe options from the input parameters. + | Preserve Data Plan | Boolean | No | If true, preserves the data plan on devices + with eSIM functionality (iOS 11+). Default is false. | - 2. **Authentication**: It authenticates with the Jamf Pro API using the provided - Client ID and Secret to obtain a bearer token. + | Disallow Proximity Setup | Boolean | No | If true, disables Proximity Setup + on the next reboot and skips the pane in Setup Assistant (iOS 11+). Default is + false. | - 3. **Device Context Retrieval**: It fetches the detailed inventory information - for the specified mobile device to retrieve its `managementId`, which is required - for MDM commands. + | Return to Service | Boolean | Yes | Whether to enable the 'Return to Service' + feature, which allows the device to automatically re-enroll after being erased. + Default is true. | - 4. **Command Execution**: It constructs and sends an `ERASE_DEVICE` MDM command - to the Jamf Pro API, including optional settings like data plan preservation and - "Return to Service" profiles. + | MDM Profile Data | String | No | Base64-encoded MDM profile data required for + Return to Service. | - 5. **Result Reporting**: The action captures the response from Jamf Pro and reports - the command initiation status and details back to the SecOps platform. + | WiFi Profile Data | String | No | Base64-encoded WiFi profile data required + for Return to Service. | + | Bootstrap Token | String | No | Base64-encoded bootstrap token for the device, + used for Return to Service. | - ### Additional Notes - - The "Return to Service" feature requires MDM profile data to be effective. + ### Additional Notes: - - Prior to iOS 14, the "Disallow Proximity Setup" option should not be used with - any other option. + - The 'Return to Service' feature requires valid MDM and/or WiFi profile data + to function correctly. If enabled without providing profile data, the action may + fail or the device may not re-enroll automatically. capabilities: can_create_case_comments: false can_create_insight: false @@ -1239,14 +1432,14 @@ Wipe Mobile Device: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Sends an ERASE_DEVICE MDM command to Jamf Pro to remotely wipe the specified - mobile device. + Sends an ERASE_DEVICE MDM command to Jamf Pro, which triggers a remote factory + reset/wipe of the physical or virtual mobile device. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1260,28 +1453,3 @@ Wipe Mobile Device: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: true - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/partner/netappransomwareresilience/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/netappransomwareresilience/resources/ai/actions_ai_description.yaml index f9b6d4b46..a402d4023 100644 --- a/content/response_integrations/third_party/partner/netappransomwareresilience/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/netappransomwareresilience/resources/ai/actions_ai_description.yaml @@ -1,11 +1,40 @@ Check Job Status: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Checks the status of a previously triggered asynchronous job within the NetApp - Ransomware Resilience Service (RRS). This action is typically used in playbooks - to poll for the completion of long-running tasks like snapshot creation or volume - management. + The **Check Job Status** action is a utility designed to monitor the progress + and outcome of asynchronous operations within the NetApp Ransomware Resilience + Service (RRS). It queries the NetApp BlueXP API to retrieve the current state + of a specific job, enabling playbooks to track long-running tasks such as snapshot + creation or volume management. ### Parameters Description @@ -14,34 +43,37 @@ Check Job Status: | :--- | :--- | :--- | :--- | - | Source | string | Yes | The source identifier of the request (e.g., 'rps-agent'). + | Source | String | Yes | The source identifier for the request, typically 'rps-agent'. | - | Agent ID | string | Yes | The Console Agent ID associated with the job. | + | Agent ID | String | Yes | The unique identifier for the Console Agent associated + with the job. | - | Job ID | string | Yes | The unique identifier for the job whose status is being - queried. | + | Job ID | String | Yes | The unique identifier of the asynchronous job whose + status is being queried. | ### Flow Description - 1. **Initialization**: Sets up the API manager and handles OAuth authentication. + 1. **Parameter Extraction**: The action retrieves the `Source`, `Agent ID`, and + `Job ID` from the user-provided input parameters. - 2. **Parameter Extraction**: Retrieves the Source, Agent ID, and Job ID from the - action inputs. + 2. **API Interaction**: It uses the `ApiManager` to authenticate via OAuth2 and + perform a GET request to the RRS job status endpoint. - 3. **API Request**: Executes a GET request to the RRS job status endpoint using - the provided identifiers. + 3. **Data Retrieval**: The action fetches the JSON response containing the job's + current status (e.g., Pending, Running, Completed, Failed) and associated metadata. - 4. **Result Processing**: Captures the API response and returns it as a JSON object - to the SOAR platform, indicating whether the job is still in progress, completed, - or failed. + 4. **Result Reporting**: The retrieved job status is attached to the action as + a JSON result, and the action completes with a success status if the API call + is successful. ### Additional Notes - This action does not operate on entities and requires specific IDs generated by - previous actions in the workflow. + This action does not process or enrich SOAR entities. It is strictly a utility + for tracking background tasks initiated by other actions in the NetApp Ransomware + Resilience integration. capabilities: can_create_case_comments: false can_create_insight: false @@ -55,7 +87,7 @@ Check Job Status: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -69,6 +101,7 @@ Check Job Status: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Enrich IP Address: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -80,56 +113,65 @@ Check Job Status: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: false + enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Enrich IP Address: ai_description: >- - Enriches a specific IP address with threat intelligence data from the NetApp Ransomware - Resilience Service (RRS). This action allows analysts to retrieve contextual security - information about an IP to assist in investigation and response. + ### General Description + + Enriches a specific IP address using the NetApp Ransomware Resilience Service + (RRS). This action retrieves threat intelligence data associated with the provided + IP address to assist in security analysis and incident response. It interacts + with the NetApp BlueXP API to fetch contextual information about the indicator. - ### Flow Description: + ### Parameters Description - 1. **Authentication**: Initializes the API manager and ensures a valid OAuth token - is available for the NetApp RRS API. + | Parameter | Type | Mandatory | Description | - 2. **Parameter Extraction**: Retrieves the mandatory 'IP Address' parameter provided - by the user or playbook. + | :--- | :--- | :--- | :--- | - 3. **Data Retrieval**: Executes a POST request to the RRS enrichment endpoint - (`enrich/ip-address`) with the target IP. + | IP Address | String | Yes | The IP address that needs to be enriched with threat + intelligence data. | - 4. **Result Processing**: Captures the API response and attaches it as a JSON - result to the action output for use in downstream tasks. + ### Flow Description - ### Parameters Description: + 1. **Initialization**: The action initializes the `ApiManager`, which handles + OAuth token management and session setup. - | Parameter Name | Type | Mandatory | Description | + 2. **Parameter Extraction**: The target IP address is extracted from the action's + input parameters. - | :--- | :--- | :--- | :--- | + 3. **API Interaction**: The action sends a POST request to the NetApp RRS `enrich/ip-address` + endpoint containing the IP address. - | IP Address | String | Yes | The specific IP address to be enriched with threat - intelligence. | + 4. **Result Processing**: The retrieved enrichment data is attached to the action's + JSON results. + 5. **Completion**: The action concludes by providing a success message and the + enrichment data to the SOAR platform. - ### Additional Notes: - This action does not automatically process entities from the SOAR case; it requires - the IP address to be passed explicitly as a parameter. + ### Additional Notes + + This action does not automatically iterate over entities in the SOAR case. It + relies on the `IP Address` parameter provided during execution. If the API call + fails, the action will return a failed status with the corresponding error message. capabilities: can_create_case_comments: false can_create_insight: false @@ -143,7 +185,7 @@ Enrich IP Address: categories: enrichment: true entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -157,6 +199,7 @@ Enrich IP Address: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Enrich Storage: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -167,30 +210,32 @@ Enrich IP Address: disable_identity: false download_file: false enable_identity: false - enrich_asset: false - enrich_ioc: true + enrich_asset: true + enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Enrich Storage: ai_description: >- ### General Description - Retrieves detailed volume and storage information for a specific agent and system - from the NetApp Ransomware Resilience Service (RRS). This action is used to gather - technical metadata about storage resources to assist in security analysis and - resilience verification. It provides visibility into the state and configuration - of storage assets managed by NetApp. + The **Enrich Storage** action retrieves detailed volume and storage information + for a specific agent and system from the NetApp Ransomware Resilience Service + (RRS). This action is used to gather contextual metadata about storage assets, + which is essential for assessing the scope and impact of potential ransomware + incidents. ### Parameters Description @@ -199,36 +244,35 @@ Enrich Storage: | :--- | :--- | :--- | :--- | - | Agent ID | String | Yes | The unique identifier for the Console Agent. | + | **Agent ID** | string | Yes | The unique identifier for the Console Agent. | - | System ID | String | Yes | The unique identifier for the Storage System. | + | **System ID** | string | Yes | The unique identifier for the Storage System. + | ### Flow Description - 1. **Initialization**: Sets up the API manager and authenticates with the NetApp - RRS using the integration's configured credentials (Client ID, Client Secret, - and Account ID). + 1. **Authentication**: The action initializes the API Manager, which handles OAuth2 + authentication with the NetApp BlueXP platform, ensuring a valid access token + is available. - 2. **Parameter Extraction**: Retrieves the `Agent ID` and `System ID` from the - action input parameters. + 2. **Parameter Extraction**: The action extracts the mandatory `Agent ID` and + `System ID` from the user-provided input. - 3. **Data Retrieval**: Executes a GET request to the RRS `enrich/storage` endpoint - using the provided IDs as query parameters. + 3. **Data Retrieval**: It performs a GET request to the RRS enrichment endpoint + (`enrich/storage`) using the provided identifiers as query parameters. - 4. **Result Processing**: Captures the JSON response containing storage enrichment - data. + 4. **Result Processing**: The API response, containing storage metadata, is parsed + and attached to the action's output as a JSON result. - 5. **Completion**: Attaches the raw JSON results to the action output and marks - the execution as successful. + 5. **Completion**: The action concludes by providing a success message and the + retrieved data to the SOAR platform. ### Additional Notes - This action does not operate on standard SOAR entities (such as IP addresses or - Hostnames). It requires specific NetApp-specific identifiers provided as manual - inputs or mapped from previous playbook steps. There are no internal mutations - (like insights or entity updates) performed by this action. + This action does not operate on SOAR entities (like IPs or Hostnames) directly; + instead, it requires specific IDs provided as parameters to query the NetApp backend. capabilities: can_create_case_comments: false can_create_insight: false @@ -240,9 +284,9 @@ Enrich Storage: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -256,6 +300,7 @@ Enrich Storage: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -266,29 +311,31 @@ Enrich Storage: disable_identity: false download_file: false enable_identity: false - enrich_asset: true + enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: ai_description: >- ### General Description - The **Ping** action is a diagnostic utility designed to verify the connectivity - and authentication configuration between Google SecOps and the NetApp Ransomware - Resilience Service (RRS). Its primary purpose is to ensure that the integration - can successfully communicate with the external API using the provided credentials. + The **Ping** action is a diagnostic tool designed to verify the connectivity and + authentication configuration between Google SecOps and the NetApp Ransomware Resilience + Service (RRS). It ensures that the provided credentials (Client ID, Client Secret, + and Account ID) are valid and that the RRS API endpoints are reachable. ### Parameters Description @@ -299,26 +346,24 @@ Ping: ### Flow Description 1. **Initialization**: The action initializes the `ApiManager`, which retrieves - the integration's configuration parameters (Client ID, Client Secret, and Account - ID). + the integration configuration. - 2. **Authentication Attempt**: The `ApiManager` checks for a valid OAuth token - in encrypted storage. If the token is missing or expired, it attempts to generate - a new one by making a POST request to the NetApp Auth0 endpoint. + 2. **Authentication Check**: It triggers the OAuth flow to either retrieve a cached + token from encrypted storage or generate a new one using the provided credentials. - 3. **Connectivity Validation**: The action verifies if a valid token is obtained, - effectively testing the reachability of the RRS service and the validity of the - credentials. + 3. **Connectivity Validation**: It calls the `is_token_valid` method to confirm + that a valid session can be established with the NetApp service. - 4. **Result Reporting**: The action returns a success message if the connection - is established or a failure message with error details if the authentication or - connection fails. + 4. **Result Reporting**: If the token is valid and the service responds, the action + completes successfully. If an authentication or connection error occurs, it reports + a failure with the specific error message. ### Additional Notes - This action is a standard connectivity test and does not perform any data enrichment, - entity modification, or external state changes. + This action is primarily used during the initial setup of the integration or for + troubleshooting communication issues. It does not process any entities or modify + any data. capabilities: can_create_case_comments: false can_create_insight: false @@ -332,7 +377,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -346,6 +391,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Take Snapshot: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -359,65 +405,42 @@ Ping: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Take Snapshot: - ai_description: >- - Triggers the creation of a volume snapshot using the NetApp Ransomware Resilience - Service (RRS). This action is used to create a point-in-time recovery point for - a specific storage volume, which is a critical step in ransomware mitigation and - data protection strategies. It requires specific identifiers for the volume, agent, - and storage system to execute the request via the NetApp BlueXP API. - - - ### Flow Description - - 1. **Parameter Extraction**: The action retrieves the mandatory 'Volume ID', 'Agent - ID', and 'System ID' from the input parameters. - - 2. **Authentication**: It initializes the API Manager, which handles OAuth token - generation and management using encrypted storage. - - 3. **API Request**: A POST request is sent to the NetApp RRS endpoint (`storage/take-snapshot`) - with the provided volume and system identifiers. - - 4. **Result Processing**: The action captures the API response (containing snapshot - or job details), adds it to the JSON results, and reports the execution status - (Completed or Failed) to the SOAR platform. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Volume ID | String | Yes | The unique identifier of the storage volume to be - snapshotted. | - - | Agent ID | String | Yes | The console agent ID associated with the NetApp environment. - | - - | System ID | String | Yes | The unique identifier of the storage system where - the volume resides. | - - - ### Additional Notes - - - This action does not process or iterate over SOAR entities (e.g., IP, Hostname). - It relies entirely on the provided string parameters. - - - The action performs a state-changing operation in the external NetApp environment. + ai_description: "### General Description\nThis action triggers the creation of a\ + \ volume snapshot via the NetApp Ransomware Resilience Service (RRS). It is designed\ + \ to provide a point-in-time recovery point for storage volumes, enhancing data\ + \ resilience against ransomware attacks. The action communicates with the NetApp\ + \ BlueXP API to initiate the snapshot process for a specific volume identified\ + \ by its ID, system ID, and agent ID.\n\n### Parameters Description\n\n| Parameter\ + \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Volume\ + \ ID | string | Yes | The unique identifier of the storage volume for which the\ + \ snapshot will be created. |\n| Agent ID | string | Yes | The identifier of the\ + \ Console agent responsible for managing the storage system. |\n| System ID |\ + \ string | Yes | The unique identifier of the Storage System where the volume\ + \ is located. |\n\n### Flow Description\n1. **Initialization**: The action initializes\ + \ the SOAR SDK and the NetApp RRS API Manager.\n2. **Parameter Extraction**: It\ + \ retrieves the `Volume ID`, `Agent ID`, and `System ID` from the action input\ + \ parameters.\n3. **API Call**: The action sends a POST request to the NetApp\ + \ RRS `storage/take-snapshot` endpoint using the provided identifiers.\n4. **Response\ + \ Handling**: \n * If the request is successful, it captures the snapshot metadata\ + \ returned by the API.\n * If an error occurs (authentication, connection,\ + \ or API error), it catches the exception and logs the failure.\n5. **Completion**:\ + \ The action outputs the API response as a JSON result and sets the execution\ + \ status to completed or failed based on the outcome." capabilities: can_create_case_comments: false can_create_insight: false @@ -426,14 +449,14 @@ Take Snapshot: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Initiates the creation of a new volume snapshot in the NetApp storage system - via the Ransomware Resilience Service API. - fetches_data: true + Creates a new volume snapshot in the NetApp storage system via the Ransomware + Resilience Service API. + fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -447,11 +470,12 @@ Take Snapshot: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Volume Offline: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false - contain_host: false + contain_host: true create_ticket: false delete_email: false disable_identity: false @@ -460,27 +484,29 @@ Take Snapshot: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Volume Offline: ai_description: >- ### General Description - The **Volume Offline** action is designed to programmatically take a storage volume - offline within the NetApp Ransomware Resilience Service (RRS). This action serves - as a critical response capability, allowing security teams to quickly isolate - storage resources that may be compromised or under threat during a ransomware - attack, thereby preventing further data encryption or exfiltration. + The **Volume Offline** action allows analysts to programmatically take a specific + storage volume offline via the NetApp Ransomware Resilience Service (RRS). This + action is primarily used as a containment strategy during active ransomware incidents + to prevent further data encryption or unauthorized access by isolating the affected + storage resource. ### Parameters Description @@ -492,37 +518,36 @@ Volume Offline: | **Volume ID** | String | Yes | The unique identifier of the storage volume that needs to be taken offline. | - | **Agent ID** | String | Yes | The identifier for the BlueXP Console Agent associated + | **Agent ID** | String | Yes | The identifier for the Console Agent associated with the storage system. | | **System ID** | String | Yes | The identifier for the specific storage system where the volume resides. | - ### Flow Description + ### Additional Notes - 1. **Parameter Extraction**: The action retrieves the `Volume ID`, `Agent ID`, - and `System ID` from the action parameters. + - This action performs a state-changing operation on the external NetApp storage + system. - 2. **API Initialization**: It initializes the `ApiManager`, which handles OAuth2 - authentication and session management with the NetApp BlueXP platform. + - All three parameters are required to uniquely identify the target volume within + the NetApp BlueXP architecture. - 3. **API Request**: A POST request is sent to the NetApp RRS endpoint (`storage/take-volume-offline`) - containing the volume, agent, and system identifiers in the JSON payload. - 4. **Result Processing**: The action captures the API response, which includes - the status of the operation, and returns it as a JSON result to the Google SecOps - platform. It then reports a success or failure message based on the API's response. + ### Flow Description + 1. **Parameter Extraction**: The action retrieves the `Volume ID`, `Agent ID`, + and `System ID` from the input parameters. - ### Additional Notes + 2. **Authentication**: The integration's API Manager handles OAuth2 authentication + with NetApp BlueXP to obtain a valid bearer token. - - This action performs a state-changing operation on external storage infrastructure. - It should be used with caution as taking a volume offline will disrupt access - to the data stored on it. + 3. **API Execution**: A POST request is dispatched to the RRS `storage/take-volume-offline` + endpoint with the provided identifiers. - - Ensure that the provided IDs are accurate to avoid impacting the wrong storage - resources. + 4. **Result Processing**: The action captures the API response, determines the + execution status (Completed or Failed), and attaches the raw JSON response to + the action results in Google SecOps. capabilities: can_create_case_comments: false can_create_insight: false @@ -531,14 +556,14 @@ Volume Offline: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Takes a storage volume offline in the NetApp environment, which is a state-changing - operation on the storage infrastructure. - fetches_data: true + Takes a storage volume offline in the NetApp Ransomware Resilience Service, + changing its availability state to prevent access. + fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -552,28 +577,3 @@ Volume Offline: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/partner/netappransomwareresilience/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/netappransomwareresilience/resources/ai/integration_ai_description.yaml index f762df419..b962d2eb6 100644 --- a/content/response_integrations/third_party/partner/netappransomwareresilience/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/partner/netappransomwareresilience/resources/ai/integration_ai_description.yaml @@ -1,6 +1,6 @@ product_categories: asset_inventory: true - cloud_security: true + cloud_security: false collaboration: false edr: false email_security: false diff --git a/content/response_integrations/third_party/partner/netenrich_connect/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/netenrich_connect/resources/ai/actions_ai_description.yaml index 35c5a9d98..5a8082364 100644 --- a/content/response_integrations/third_party/partner/netenrich_connect/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/netenrich_connect/resources/ai/actions_ai_description.yaml @@ -1,58 +1,71 @@ Ping: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Ping** action is a connectivity test designed to verify the communication - between Google SecOps and the **Resolution Intelligence Cloud**. It ensures that - the integration is correctly configured and that the external API endpoint is - reachable using the provided credentials. + Tests the connectivity between Google SecOps and the Resolution Intelligence Cloud + by sending a request to the configured inbound webhook URL. This action is used + to verify that the integration parameters are correct and the external service + is reachable. ### Parameters Description - This action does not have any action-specific parameters. It relies on the following - integration configuration parameters: - - - | Parameter | Expected Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | RI Inbound Webhook URL | String | Yes | The target URL for the inbound webhook. - It must contain a `{token}` placeholder. | - - | Token | String | Yes | The API token used for authentication, which replaces - the placeholder in the URL. | - - | Verify SSL | Boolean | No | Determines whether to validate the SSL certificate - of the target server. Defaults to `True`. | + There are no action parameters for this action. It relies entirely on the integration's + configuration parameters. ### Additional Notes - - The action considers HTTP status codes `200` (OK) and `400` (Bad Request) as - successful indicators of reachability. + * The action utilizes the following configuration parameters: 'RI Inbound Webhook + URL', 'Token', and 'Verify SSL'. - - If the `RI Inbound Webhook URL` is missing from the configuration, the action - will fail immediately. + * The action considers a response status code of 200 or 400 as a successful connectivity + test. ### Flow Description - 1. **Configuration Retrieval:** The action extracts the Webhook URL, Token, and - SSL verification settings from the integration configuration. + 1. **Configuration Retrieval**: The action extracts the 'RI Inbound Webhook URL', + 'Token', and 'Verify SSL' settings from the integration configuration. - 2. **URL Construction:** It replaces the `{token}` placeholder in the Webhook - URL with the actual Token value. + 2. **URL Construction**: It constructs the target URL by replacing the `{token}` + placeholder in the webhook URL with the actual token provided in the configuration. - 3. **Connectivity Check:** It sends an empty HTTP POST request to the constructed - URL. + 3. **Connectivity Test**: It executes a POST request to the constructed URL with + an empty JSON body. - 4. **Response Validation:** It evaluates the HTTP response status code. If the - code is 200 or 400, the connection is deemed successful. - - 5. **Result Reporting:** The action concludes with a success message if reachable, - or logs the error/status code and fails if unreachable. + 4. **Result Evaluation**: The action checks the HTTP status code of the response. + If the code is 200 or 400, it concludes that the API is reachable and ends successfully. + If the request fails or returns a different status code, it captures the error + or status code and ends with a failure message. capabilities: can_create_case_comments: false can_create_insight: false @@ -66,7 +79,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -80,28 +93,3 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/partner/netenrich_connect/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/netenrich_connect/resources/ai/integration_ai_description.yaml index a18433ba6..cb7ae3807 100644 --- a/content/response_integrations/third_party/partner/netenrich_connect/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/partner/netenrich_connect/resources/ai/integration_ai_description.yaml @@ -1,12 +1,12 @@ product_categories: asset_inventory: false cloud_security: false - collaboration: true + collaboration: false edr: false email_security: false iam_and_identity_management: false itsm: true network_security: false siem: true - threat_intelligence: true + threat_intelligence: false vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/netenrich_connect/resources/ai/jobs_ai_description.yaml b/content/response_integrations/third_party/partner/netenrich_connect/resources/ai/jobs_ai_description.yaml index fb0ff4cf0..a784ef89d 100644 --- a/content/response_integrations/third_party/partner/netenrich_connect/resources/ai/jobs_ai_description.yaml +++ b/content/response_integrations/third_party/partner/netenrich_connect/resources/ai/jobs_ai_description.yaml @@ -1,59 +1,63 @@ Sync ActOn Updates To Case: - ai_description: "### General Description\nThis job synchronizes Netenrich Resolution\ - \ Intelligence (RI) ActOn\u2122 data with Google SecOps cases. It ensures that\ - \ case metadata, entities, comments, and attachments are kept in sync between\ - \ the two platforms. The job handles case creation, updates to core fields (title,\ - \ description, priority, stage, and status), and manages case assignments by mapping\ - \ external SOC roles to internal roles. Additionally, it stores specialized ActOn\ - \ telemetry, such as scoring evidence and alert counts, within a dedicated custom\ - \ entity for detailed investigation context.\n\n### Parameters Description\n|\ - \ Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ - | CREATE | String (JSON) | No | A JSON payload used to initialize and create a\ - \ new case based on ActOn data. |\n| UPDATE | String (JSON) | No | A JSON payload\ - \ containing updates for an existing case's metadata and entities. |\n| COMMENT\ - \ | String (JSON) | No | A JSON payload specifically for synchronizing comments\ - \ and base64-encoded attachments. |\n\n### Flow Description\n1. **Payload Extraction**:\ - \ The job identifies the operation type by checking for `CREATE`, `UPDATE`, or\ - \ `COMMENT` data in the job parameters.\n2. **Case Identification**: It retrieves\ - \ the existing case or creates a new one in Google SecOps using the external ticket\ - \ identifier.\n3. **Metadata Synchronization**: Updates the case title, description,\ - \ priority, and stage to match the current state of the ActOn.\n4. **Assignee\ - \ Management**: Maps the external SOC role to a corresponding internal role and\ - \ updates the case assignee.\n5. **Comment and Attachment Processing**: Adds comments\ - \ to the case wall and decodes base64-encoded file content to upload as case attachments.\n\ - 6. **Telemetry Storage**: Extracts scoring evidence, risk scores, and alert metadata,\ - \ storing them in a specialized custom entity (`RI_CUSTOM_ENTITY`) within the\ - \ case.\n7. **Entity Delta Sync**: Compares entities in the ActOn with those in\ - \ the SecOps case and adds any missing assets or indicators.\n8. **Status and\ - \ Webhook Notification**: Updates the case status (e.g., closing the case if resolved)\ - \ and sends a confirmation back to the Resolution Intelligence inbound webhook." + ai_description: "### General Description\nThis job synchronizes ActOn\u2122 data\ + \ from Netenrich's Resolution Intelligence Cloud (RIC) to Google SecOps cases.\ + \ It manages the entire lifecycle of a case by handling initial creation, field\ + \ updates, and comment synchronization. The job ensures that critical information\ + \ such as case priority, status, stage, and assignee are aligned between the two\ + \ systems, while also enriching cases with detailed scoring evidence and entity\ + \ data.\n\n### Parameters Description\n| Parameter | Type | Mandatory | Description\ + \ |\n| :--- | :--- | :--- | :--- |\n| CREATE | String (JSON) | No | A JSON payload\ + \ containing the initial ActOn data used to create a new case in Google SecOps.\ + \ |\n| UPDATE | String (JSON) | No | A JSON payload containing updated ActOn information\ + \ to synchronize with an existing case. |\n| COMMENT | String (JSON) | No | A\ + \ JSON payload containing new comments or attachments to be added to the case\ + \ wall. |\n\n*Note: While the job metadata defines no static parameters, the script\ + \ logic dynamically processes one of the three JSON payloads above depending on\ + \ the trigger event.*\n\n### Flow Description\n1. **Payload Extraction**: The\ + \ job identifies the operation type by checking for `CREATE`, `UPDATE`, or `COMMENT`\ + \ data in the input parameters.\n2. **Case Management**: It either creates a new\ + \ case or retrieves an existing one using the external ticket identifier from\ + \ the Resolution Intelligence Cloud.\n3. **Field Synchronization**: The job updates\ + \ core case attributes including the title, description, priority, and status\ + \ to match the external ActOn state.\n4. **Assignee & Stage Mapping**: It fetches\ + \ and maps SOC roles and case stages from the SOAR API to ensure the case is assigned\ + \ to the correct team and reflects the proper workflow stage.\n5. **Comment &\ + \ Attachment Processing**: New comments are added to the case wall. If attachments\ + \ are present, the job decodes the base64 content and uploads the files directly\ + \ to the case.\n6. **Metadata Enrichment**: It manages a specialized custom entity\ + \ within the case to store complex metadata such as scoring evidence, incident\ + \ categories, and alert counts.\n7. **Entity Delta Sync**: The job compares entities\ + \ in the incoming payload with existing case entities and adds any missing assets\ + \ or indicators.\n8. **External Notification**: Upon successful creation or update,\ + \ the job sends a confirmation back to the Netenrich inbound webhook to maintain\ + \ bi-directional synchronization." Sync Case Updates To ActOn: ai_description: "### General Description\nThis job synchronizes case updates from\ - \ Google SecOps to Netenrich's Resolution Intelligence Cloud (RIC) ActOns\u2122\ - . It ensures that manual activities, such as comments, attachments, status changes,\ - \ and assignee updates made within the SOAR, are reflected in the corresponding\ - \ RIC ActOn. The job runs on a scheduled interval (typically every 1 minute) to\ - \ maintain near real-time consistency between the two platforms.\n\n### Parameters\ - \ Description\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- |\ - \ :--- | :--- |\n| RI Inbound Webhook URL | String | Yes | The URL for the Resolution\ - \ Intelligence Cloud inbound ingest webhook. |\n| Token | String | Yes | The authentication\ - \ token used to authorize requests to the RIC webhook. |\n| Environment | String\ - \ | Yes | The SOAR environment name used to filter which cases should be synchronized.\ - \ |\n\n### Flow Description\n1. **Retrieve Sync State**: Fetches the `last_sync_time`\ - \ from the job's scoped context to determine the starting point for the current\ - \ run.\n2. **Identify Updated Cases**: Queries the SOAR for all cases (regardless\ - \ of status) that have been modified since the last synchronization.\n3. **Filter\ - \ by Environment**: Iterates through the identified cases and excludes any that\ - \ do not match the configured `Environment` parameter.\n4. **Fetch Wall Activities**:\ - \ For each relevant case, retrieves the wall activities (comments, logs, etc.)\ - \ and filters for manual updates created by users (ignoring automated system updates).\n\ - 5. **Process Attachments**: If an activity includes an attachment, the job retrieves\ - \ the file content and encodes it into a base64 string for transmission.\n6. **Enrich\ - \ Case Data**: Retrieves additional metadata required for the sync, including\ - \ SOC roles for assignees and specific Case Stage IDs from the SOAR API.\n7. **Map\ - \ RIC Metadata**: Identifies the corresponding RIC ActOn ID by searching for a\ - \ specific custom entity (`RI_CUSTOM_ENTITY_FOR_CASE_{case_id}`) associated with\ - \ the case.\n8. **Transmit Updates**: Constructs a JSON payload containing the\ - \ updated posts, status, priority, and tags, then sends it to the configured RIC\ - \ Inbound Webhook.\n9. **Update Sync State**: Saves the current timestamp as the\ - \ new `last_sync_time` for the next execution cycle." + \ Google SecOps to the Netenrich Resolution Intelligence Cloud (ActOn). It is\ + \ designed to run at frequent intervals (typically every minute) to ensure that\ + \ manual activities, such as comments, attachments, status changes, and assignee\ + \ updates performed within a SecOps case, are reflected in the corresponding ActOn\ + \ ticket. This maintains data parity between the two platforms during incident\ + \ response.\n\n### Parameters Description\n| Parameter | Type | Mandatory | Description\ + \ |\n| :--- | :--- | :--- | :--- |\n| RI Inbound Webhook URL | String | Yes |\ + \ The Netenrich Resolution Intelligence webhook endpoint used to receive case\ + \ updates. |\n| Token | String | Yes | The authentication token required to authorize\ + \ requests to the Netenrich inbound webhook. |\n| Environment | String | Yes |\ + \ The specific Google SecOps environment name used to filter which cases should\ + \ be synchronized. |\n\n### Flow Description\n1. **Check Last Sync**: Retrieves\ + \ the timestamp of the last successful execution from the job's scoped context\ + \ to determine the time window for updates.\n2. **Fetch Updated Cases**: Queries\ + \ Google SecOps for all cases modified since the last synchronization timestamp.\n\ + 3. **Filter by Environment**: Filters the retrieved cases to ensure only those\ + \ belonging to the configured 'Environment' are processed.\n4. **Retrieve Wall\ + \ Activities**: For each updated case, the job fetches the case wall activities\ + \ and filters for manual comments, attachments, and assignee changes (ignoring\ + \ automated system updates).\n5. **Process Attachments**: If new attachments are\ + \ detected, the job retrieves the file data and converts it to a base64-encoded\ + \ string for transmission.\n6. **Map Metadata**: Maps SecOps case attributes\u2014\ + including status (e.g., Closed), stage IDs, tags, and assigned SOC roles\u2014\ + to the Netenrich ActOn data schema.\n7. **Transmit Updates**: Constructs a JSON\ + \ payload containing the updates and posts it to the Netenrich Resolution Intelligence\ + \ inbound webhook.\n8. **Update Context**: Saves the current execution timestamp\ + \ to the job context to serve as the starting point for the next synchronization\ + \ cycle." diff --git a/content/response_integrations/third_party/partner/orca_security/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/orca_security/resources/ai/actions_ai_description.yaml index b70765f25..893972e54 100644 --- a/content/response_integrations/third_party/partner/orca_security/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/orca_security/resources/ai/actions_ai_description.yaml @@ -1,42 +1,74 @@ Add Comment To Alert: + action_product_categories: + add_alert_comment: true + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: true + update_email: false + update_identity: false + update_ticket: false ai_description: >- - Adds a comment to a specific alert in Orca Security. This action allows analysts - to append notes or documentation directly to an alert record within the Orca Security - platform, facilitating better tracking and collaboration on security findings. + ### General Description + Adds a comment to a specific alert within the Orca Security platform. This action + allows analysts to document findings, provide updates, or add context to an existing + alert directly from Google SecOps. It interacts with the Orca Security API using + a PUT request to append the specified text to the alert's comment history. - ### Flow Description - 1. **Authentication**: The action initializes the Orca Security Manager using - the provided API Root and either an API Key or API Token. + ### Parameters Description - 2. **Parameter Extraction**: It retrieves the mandatory 'Alert ID' and 'Comment' - text from the action parameters. + | Parameter | Type | Mandatory | Description | - 3. **API Interaction**: The action sends a PUT request to the Orca Security API - endpoint (`/api/alerts/{alert_id}/comment`) containing the comment payload. + | :--- | :--- | :--- | :--- | - 4. **Result Processing**: Upon success, the action returns the JSON representation - of the created comment and confirms the operation in the output message. + | Alert ID | string | True | The unique identifier of the alert in Orca Security + to which the comment will be added. | + | Comment | string | True | The text content of the comment to be added to the + alert. | - ### Parameters Description - | Parameter | Type | Mandatory | Description | + ### Flow Description - | :--- | :--- | :--- | :--- | + 1. **Parameter Extraction**: The action retrieves the API configuration (Root, + Key/Token) and the action parameters (Alert ID and Comment). - | Alert ID | String | True | The unique identifier of the alert in Orca Security - to which the comment will be added. | + 2. **Manager Initialization**: Initializes the `OrcaSecurityManager` to handle + authentication and API communication. + + 3. **API Interaction**: Calls the `add_alert_comment` method, which sends a PUT + request to the Orca Security endpoint `/api/alerts/{alert_id}/comment` with the + comment payload. - | Comment | String | True | The text content of the comment to be appended to - the alert. | + 4. **Result Processing**: Captures the API response, converts the created comment + data into a JSON result, and provides a success message to the analyst. ### Additional Notes - - This action performs a state change in the external Orca Security system by - adding new data to an existing alert record. + This action does not interact with Google SecOps entities; it operates directly + on a specific Alert ID provided as an input parameter. capabilities: can_create_case_comments: false can_create_insight: false @@ -45,15 +77,14 @@ Add Comment To Alert: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - The action performs a PUT request to the Orca Security API to add a new comment - to an existing alert, thereby modifying the alert's metadata in the external - system. + Adds a new comment to a specific alert in the Orca Security platform via a PUT + request. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -67,8 +98,9 @@ Add Comment To Alert: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Asset Details: action_product_categories: - add_alert_comment: true + add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false contain_host: false @@ -77,31 +109,35 @@ Add Comment To Alert: disable_identity: false download_file: false enable_identity: false - enrich_asset: false + enrich_asset: true enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Asset Details: ai_description: >- - Retrieves detailed information for specific assets from Orca Security. This action - allows users to fetch comprehensive asset metadata and optionally include related - vulnerability information filtered by severity. It is designed to provide deep - visibility into the security posture of cloud assets by pulling data directly - from the Orca Security platform. + ### General Description + + Retrieves comprehensive details for specific assets from Orca Security. This action + allows analysts to fetch metadata such as asset type, account, category, and state. + Additionally, it can retrieve associated vulnerability information filtered by + a minimum severity level, providing a deeper look into the security posture of + the specified resources. - ### Parameters + ### Parameters Description | Parameter | Type | Mandatory | Description | @@ -110,41 +146,50 @@ Get Asset Details: | Asset IDs | String | Yes | A comma-separated list of unique Orca Security asset identifiers to retrieve details for. | - | Return Vulnerabilities Information | Boolean | No | If enabled (default), the - action will also fetch vulnerabilities associated with the asset. | + | Return Vulnerabilities Information | Boolean | No | If enabled, the action will + also fetch and include vulnerability data related to each asset. | - | Lowest Severity For Vulnerabilities | DDL | Yes | The minimum severity level - (Critical, High, Medium, Low, Unknown) to include when fetching vulnerabilities. - | + | Lowest Severity For Vulnerabilities | DDL | Yes | The minimum severity threshold + (e.g., Critical, High, Medium, Low, Unknown) used to filter the vulnerabilities + returned. | | Max Vulnerabilities To Fetch | String | No | The maximum number of vulnerabilities - to return per asset (Default: 50, Max: 100). | - - | Create Insight | Boolean | No | If enabled (default), creates a Google SecOps - case insight for each enriched asset. | + to retrieve per asset (Default: 50, Max: 100). | + | Create Insight | Boolean | No | If enabled, the action will generate a SOAR + case insight for each successfully enriched asset. | - ### Flow Description - 1. **Parameter Validation:** The action validates that the 'Max Vulnerabilities - To Fetch' is a positive integer and does not exceed the system limit of 100. + ### Additional Notes - 2. **Authentication:** Initializes the Orca Security Manager using the provided - API/API Token and connection settings. + - The action requires either an API Key or an API Token to be configured in the + integration settings. - 3. **Asset Retrieval:** Iterates through the provided list of Asset IDs, making - a request to Orca Security to fetch the core asset metadata. + - The `Max Vulnerabilities To Fetch` parameter must be a positive integer and + cannot exceed the system limit of 100. - 4. **Vulnerability Enrichment:** If requested, it performs a secondary lookup - for each asset to retrieve vulnerabilities that meet the specified severity threshold. - 5. **Output Generation:** For each successful retrieval, it compiles the data - into a JSON result, constructs a CSV data table for the case wall, and generates - a detailed case insight containing a direct link to the asset in the Orca Security - UI. + ### Flow Description - 6. **Error Handling:** Tracks successful and failed asset lookups, providing a - summary message at the end of execution. + 1. **Parameter Extraction:** The action retrieves the list of Asset IDs and configuration + settings (API roots, credentials). + + 2. **Validation:** It validates that the `Max Vulnerabilities To Fetch` is a positive + integer within the allowed range (1-100). + + 3. **Manager Initialization:** Initializes the `OrcaSecurityManager` to handle + API communication. + + 4. **Asset Iteration:** For each provided Asset ID: + - **Fetch Asset Details:** Queries the Orca Security API for the asset's metadata. + - **Fetch Vulnerabilities (Optional):** If requested, queries for vulnerabilities + matching the specified severity and limit. + - **Data Aggregation:** Combines asset and vulnerability data into a single + JSON object. + - **Insight Generation (Optional):** Creates a case insight containing a summary + of the asset's state and a link to the Orca UI. + 5. **Output Generation:** Adds the aggregated JSON results and a summary data + table to the SOAR action results. capabilities: can_create_case_comments: false can_create_insight: true @@ -155,12 +200,12 @@ Get Asset Details: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action creates case insights and adds data tables to the case in Google - SecOps to display asset and vulnerability details. + Creates case insights and data tables within the SOAR platform to display asset + and vulnerability information. categories: - enrichment: true + enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -174,6 +219,7 @@ Get Asset Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Compliance Info: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -184,30 +230,31 @@ Get Asset Details: disable_identity: false download_file: false enable_identity: false - enrich_asset: true + enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Compliance Info: ai_description: >- ### General Description - Retrieves compliance framework information from Orca Security. This action allows - security analysts to monitor the compliance posture of their cloud environment - by fetching details about various frameworks (e.g., CIS, SOC2, NIST). It provides - a summary of compliance scores, as well as the number of passed and failed tests - for each framework. + Retrieves detailed compliance information from Orca Security based on specified + frameworks. This action helps security teams monitor their compliance posture + by fetching scores, pass/fail counts, and status for various security frameworks + (e.g., CIS, NIST, SOC2). ### Parameters Description @@ -217,43 +264,41 @@ Get Compliance Info: | :--- | :--- | :--- | :--- | | Framework Names | String | No | A comma-separated list of framework names to - retrieve. If left empty, the action returns information about all selected frameworks - in Orca Security. | + retrieve. If left empty, the action returns information for all selected frameworks + in Orca. | - | Create Insight | Boolean | Yes | If set to true, the action generates a detailed - insight on the case wall containing the compliance summary. | + | Create Insight | Boolean | Yes | If set to true, the action generates a case + insight summarizing the compliance status of the retrieved frameworks. | - | Max Frameworks To Return | Integer | No | Specifies the maximum number of frameworks - to return in the results. Default is 50. | + | Max Frameworks To Return | Integer | No | The maximum number of frameworks to + include in the results. Default is 50. | - ### Additional Notes - - - The action will attempt to find frameworks matching the provided names. If some - frameworks are not found, they will be listed in the output message. + ### Flow Description - - If none of the provided frameworks are found, the action will fail. + 1. **Parameter Extraction:** Retrieves the API configuration and action parameters, + including framework names and result limits. - - Although 'Max Frameworks To Return' is defined as a string in the configuration, - the logic treats it as an integer. + 2. **API Request:** Connects to the Orca Security API and queries the compliance + overview endpoint for each specified framework. + 3. **Data Processing:** Parses the response into structured framework objects + containing scores and test results. - ### Flow Description + 4. **Insight Generation:** If enabled, constructs an HTML-formatted insight and + attaches it to the case. - 1. **Initialization**: Extracts API credentials (API Root, Key/Token) and action - parameters. + 5. **Output:** Populates a data table named "Compliance Details" and provides + the raw JSON results for downstream playbook use. - 2. **API Request**: Calls the Orca Security `/api/serving-layer/compliance/frameworks/overview` - endpoint to fetch framework data. - 3. **Filtering**: If specific framework names were provided, the action filters - the results to match those names. + ### Additional Notes - 4. **Insight Creation**: If 'Create Insight' is enabled, it formats the framework - scores and test results into an HTML-based case insight. + - If specific framework names are provided but none are found in Orca Security, + the action will fail. - 5. **Result Output**: Populates a data table named 'Compliance Details' and attaches - the raw JSON data to the action result. + - This action does not process specific entities from the case; it retrieves organizational-level + compliance data. capabilities: can_create_case_comments: false can_create_insight: true @@ -264,12 +309,12 @@ Get Compliance Info: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action creates a case insight and adds a data table to the case in Google - SecOps. + The action creates a case insight and adds a data table to the case containing + compliance details. categories: - enrichment: false + enrichment: true entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -283,6 +328,7 @@ Get Compliance Info: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Vulnerability Details: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -294,52 +340,87 @@ Get Compliance Info: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: false + enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Vulnerability Details: - ai_description: "Retrieves detailed vulnerability information from Orca Security\ - \ for a specified list of CVE IDs. This action fetches data regarding the vulnerability's\ - \ description, severity, fix availability, and associated affected assets. It\ - \ allows users to filter the returned JSON fields and choose between JSON or CSV\ - \ output formats. Additionally, the action can generate case insights for each\ - \ enriched vulnerability and populates a data table with the findings.\n\n###\ - \ Parameters Description\n\n| Parameter | Type | Mandatory | Description |\n|\ - \ :--- | :--- | :--- | :--- |\n| CVE IDs | String | Yes | A comma-separated list\ - \ of CVE identifiers (e.g., CVE-2021-44228) to be enriched. |\n| Fields To Return\ - \ | String | No | A comma-separated list of specific fields to include in the\ - \ output. If left empty, all available fields are returned. |\n| Output | DDL\ - \ | No | The format of the action output. Options are 'JSON' (default) or 'CSV'.\ - \ If 'CSV' is selected, a file is created and the path is returned. |\n| Create\ - \ Insight | Boolean | No | If enabled (default), the action creates a detailed\ - \ case insight for every successfully enriched vulnerability. |\n| Max Assets\ - \ To Return | String | No | The maximum number of assets related to the CVE to\ - \ retrieve. Default is 50, with a maximum limit of 10,000. |\n\n### Flow Description\n\ - \n1. **Parameter Validation**: The action validates the `Max Assets To Return`\ - \ parameter to ensure it is a positive integer within the allowed limit (10,000).\n\ - 2. **Authentication**: Initializes the Orca Security Manager using the provided\ - \ API credentials (API Key or Token).\n3. **Data Retrieval**: Iterates through\ - \ the provided list of CVE IDs and performs a paginated query to the Orca Security\ - \ API to fetch vulnerability details and related asset information.\n4. **Data\ - \ Processing**: Filters the results based on the `Fields To Return` parameter\ - \ and prepares the data for the requested output format (JSON or CSV).\n5. **Internal\ - \ Mutation**: \n * If `Create Insight` is true, it generates a formatted HTML\ - \ insight for the case containing the vulnerability's severity, description, and\ - \ affected assets.\n * Adds a data table named 'Vulnerability Details' to the\ - \ case containing a summary of the enriched CVEs.\n6. **Final Output**: Returns\ - \ the processed data as a JSON result or a file path to a CSV, along with a success/failure\ - \ message for each CVE." + ai_description: >- + ### General Description + + The **Get Vulnerability Details** action retrieves comprehensive information about + specific vulnerabilities (CVEs) from Orca Security. It allows analysts to enrich + a list of CVE IDs with data such as descriptions, fix availability, affected assets, + and severity levels. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | **CVE IDs** | String | Yes | A comma-separated list of CVE identifiers (e.g., + CVE-2021-44228) to be enriched. | + + | **Fields To Return** | String | No | A comma-separated list of specific fields + to include in the output. If left empty, all available fields are returned. | + + | **Output** | DDL | No | Determines the output format. Options are `JSON` (returns + data in the action result) or `CSV` (creates a file and returns the path). | + + | **Create Insight** | Boolean | No | If enabled (true), the action will generate + a General Insight in the case for every successfully enriched vulnerability. | + + | **Max Assets To Return** | String | No | The maximum number of assets associated + with the CVE to retrieve. Default is 50, maximum is 10,000. | + + + ### Flow Description + + 1. **Parameter Extraction:** The action retrieves the CVE IDs, output preferences, + and insight configuration from the user input. + + 2. **Validation:** It validates that the `Max Assets To Return` is a positive + integer within the allowed limit (10,000). + + 3. **API Interaction:** For each provided CVE ID, the action queries the Orca + Security API using the `VulnerabilityQueryBuilder` to fetch vulnerability and + asset data. + + 4. **Data Processing:** + * If `Fields To Return` is specified, the results are filtered to include + only those keys. + * The action flattens the data for CSV/Table compatibility. + 5. **Internal Updates:** + * If `Create Insight` is true, a General Insight is created for the case, + summarizing the CVE's severity, description, and affected assets. + * A data table named "Vulnerability Details" is added to the case containing + the enrichment data. + 6. **Final Output:** The action returns the results in the selected format (JSON + or CSV path) and provides a summary message of successful and failed enrichments. + + + ### Additional Notes + + * This action does not run on entities; it processes the CVE IDs provided in the + input parameter. + + * The action is classified as non-enrichment because it modifies the case by adding + a data table, which falls outside the strict "Read-Only/Insight/Comment/Entity + Update" definition. capabilities: can_create_case_comments: false can_create_insight: true @@ -350,12 +431,12 @@ Get Vulnerability Details: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action creates case insights and adds a data table to the case containing - vulnerability details. + Creates case insights for each enriched vulnerability and adds a data table + named 'Vulnerability Details' to the case. categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -369,6 +450,7 @@ Get Vulnerability Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -380,48 +462,74 @@ Get Vulnerability Details: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: true + enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: - ai_description: "### General Description\nThe **Ping** action is a diagnostic tool\ - \ designed to verify the connectivity between Google SecOps and the Orca Security\ - \ platform. It ensures that the provided configuration parameters\u2014such as\ - \ the API Root, API Key or Token, and SSL settings\u2014are correct and that the\ - \ SecOps environment can successfully communicate with the Orca Security API.\n\ - \n### Parameters Description\nThis action does not require any action-specific\ - \ parameters. It relies entirely on the global integration configuration provided\ - \ on the Marketplace tab:\n\n| Parameter | Type | Mandatory | Description |\n\ - | :--- | :--- | :--- | :--- |\n| **API Root** | String | Yes | The base URL of\ - \ the Orca Security API instance. |\n| **API Key** | String | No | The security\ - \ token used for cookie-based authentication (if Token is not provided). |\n|\ - \ **API Token** | String | No | The preferred authentication method using a Bearer-style\ - \ token. |\n| **Verify SSL** | Boolean | No | If enabled, the action will validate\ - \ the SSL certificate of the API endpoint. |\n\n### Additional Notes\n- Either\ - \ the **API Key** or the **API Token** must be configured in the integration settings\ - \ for the action to succeed.\n- This action is typically used during the initial\ - \ setup or for troubleshooting connection issues.\n\n### Flow Description\n1.\ - \ **Initialization**: The action retrieves the global configuration parameters\ - \ (API Root, Key/Token, and SSL settings) from the integration environment.\n\ - 2. **Manager Setup**: It initializes the `OrcaSecurityManager` which handles authentication\ - \ (either via cookies for API Keys or headers for API Tokens).\n3. **Connectivity\ - \ Test**: The manager executes a lightweight query (requesting a single vulnerability\ - \ record) to the Orca Security `serving-layer/query` endpoint.\n4. **Validation**:\ - \ The action validates the API response. If the request is successful, it confirms\ - \ connectivity; otherwise, it catches the exception and reports the failure details.\n\ - 5. **Completion**: The action ends with a success or failure status and a descriptive\ - \ message for the analyst." + ai_description: >- + ### General Description + + Tests the connectivity to the Orca Security API using the provided configuration + parameters. This action ensures that the API Root, authentication credentials + (API Key or Token), and SSL settings are correctly configured and that the Google + SecOps platform can communicate with the Orca Security environment. + + + ### Parameters Description + + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | API Root | String | Yes | The base URL of the Orca Security API. | + + | API Key | String | No | The API key for authentication. Used if API Token is + not provided. | + + | API Token | String | No | The API token for authentication. This is the preferred + authentication method. | + + | Verify SSL | Boolean | No | If enabled, the action will verify the SSL certificate + of the API server. | + + + ### Additional Notes + + * Either the **API Key** or the **API Token** must be configured for the integration + to authenticate successfully. + + * The action performs a small query (fetching one vulnerability) to verify that + the credentials have the necessary permissions. + + + ### Flow Description + + 1. **Parameter Extraction**: Retrieves the API Root, API Key, API Token, and SSL + verification settings from the integration configuration. + + 2. **Manager Initialization**: Initializes the Orca Security API manager with + the extracted credentials. + + 3. **Connectivity Test**: Executes a `test_connectivity` call, which sends a POST + request to the vulnerability details endpoint with a limit of 1. + + 4. **Result Reporting**: If the request is successful, the action completes with + a success message. If an exception occurs (e.g., authentication failure, network + timeout), the action fails and reports the error. capabilities: can_create_case_comments: false can_create_insight: false @@ -435,7 +543,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -449,6 +557,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Scan Assets: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -462,68 +571,72 @@ Ping: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Scan Assets: ai_description: >- ### General Description - Initiates and monitors security scans for specific assets within the Orca Security - platform. This action is designed to trigger an on-demand assessment of cloud - assets and retrieve the resulting security telemetry. It operates asynchronously - to accommodate the time required for cloud security scans to complete. + The **Scan Assets** action initiates and monitors security scans for a specified + list of asset IDs within the Orca Security platform. This action operates asynchronously, + meaning it triggers the scans and then periodically checks their status until + they are completed or a timeout occurs. It is designed to provide visibility into + the security posture of specific cloud assets on demand. - ### Flow Description + ### Parameters Description - 1. **Parameter Extraction**: The action retrieves the 'Asset IDs' provided by - the user and converts the comma-separated string into a list. + | Parameter | Type | Mandatory | Description | - 2. **Scan Initiation**: For each Asset ID, the action calls the Orca Security - API to start a scan. If a scan is already running for a particular asset, the - action captures the existing scan's identifier to monitor it. + | :--- | :--- | :--- | :--- | - 3. **Asynchronous Monitoring**: The action enters an asynchronous loop. It periodically - polls the Orca Security API to check the status of each pending scan using the - scan IDs. + | **Asset IDs** | String | Yes | A comma-separated list of unique identifiers + for the assets you wish to scan. | - 4. **Timeout Management**: The script monitors its own execution time and the - global action timeout. If a timeout is approaching, it gracefully exits and reports - the pending assets. - 5. **Result Aggregation**: Once scans reach a 'done' status, the action retrieves - the raw scan data. Successful results are added to the action's JSON output, and - a summary message is generated detailing which scans succeeded or failed. + ### Flow Description + 1. **Initialization**: The action extracts the provided Asset IDs from the parameters + and initializes the Orca Security manager using the integration's configuration + (API Root, API Key/Token). - ### Parameters Description + 2. **Scan Initiation**: During the first run, the action iterates through the + provided Asset IDs and sends a request to the Orca Security API to start a new + scan for each asset. It records the resulting scan IDs. - | Parameter | Type | Mandatory | Description | + 3. **Status Monitoring**: The action enters an asynchronous state. In subsequent + runs, it checks the status of each pending scan using the scan IDs obtained in + the previous step. - | :--- | :--- | :--- | :--- | + 4. **Data Retrieval**: Once a scan reaches the 'done' status, the action retrieves + the raw scan data from Orca Security. - | Asset IDs | string | Yes | A comma-separated list of unique identifiers for - the assets in Orca Security that you wish to scan. | + 5. **Completion**: After all scans are finished, the action aggregates the results, + adds the raw scan data to the action's JSON results, and provides a summary message + of successful and failed scans. If the process approaches the global timeout, + it will exit gracefully with a list of pending assets. ### Additional Notes - * **Async Mode**: This action is marked as asynchronous. Users should ensure the - script timeout value in the Google SecOps IDE is sufficiently high to allow the - external scanning process to finish. + * This action is **asynchronous**. Users should ensure that the script timeout + in the Google SecOps IDE is configured appropriately to allow enough time for + the scans to complete in the external system. - * **State Persistence**: The action uses the `additional_data` parameter internally - to track the state of pending scans across multiple asynchronous execution cycles. + * If a scan is already running for a specific asset in Orca Security, the action + will automatically track that existing scan instead of failing. capabilities: can_create_case_comments: false can_create_insight: false @@ -532,14 +645,14 @@ Scan Assets: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Initiates a new security scan process within the Orca Security platform for - the specified asset identifiers. + Initiates a security scan for the specified asset IDs in Orca Security via a + POST request to the scan endpoint. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -553,6 +666,7 @@ Scan Assets: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Update Alert: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -566,77 +680,88 @@ Scan Assets: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: true remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false - update_alert: false + update_alert: true update_email: false update_identity: false update_ticket: false -Update Alert: ai_description: >- - Updates the state of an alert in Orca Security. This action allows for modifying - the alert's status, managing its snooze state, or initiating a verification process. - It requires a specific Alert ID and at least one modification parameter to be - configured. After performing the requested updates, the action retrieves and returns - the updated alert details from Orca Security. + ### General Description + The **Update Alert** action allows analysts to modify the state of a specific + alert within the Orca Security platform. It supports updating the alert's status + (e.g., Open, In Progress, Close, Dismiss), managing its snooze state (Snooze or + Unsnooze), and initiating the alert verification process. This action is essential + for synchronizing incident response states between Google SecOps and Orca Security. - ### Flow Description - 1. **Parameter Validation**: Checks that at least one update operation (Status, - Verify Alert, or Snooze State) is requested. If 'Snooze' is selected, it ensures - 'Snooze Days' is provided. + ### Parameters Description - 2. **Verification**: If 'Verify Alert' is enabled, it triggers the verification - process for the specified alert. - 3. **Snooze Management**: If 'Snooze State' is set to 'Snooze', it snoozes the - alert for the defined number of days. If set to 'Unsnooze', it prepares to reset - the status. + | Parameter | Type | Mandatory | Description | - 4. **Status Update**: Updates the alert status to the specified value (Open, In - Progress, Close, or Dismiss). If 'Unsnooze' was selected without a specific status, - it defaults to 'Open'. + | :--- | :--- | :--- | :--- | - 5. **Data Retrieval**: Fetches the final state of the alert from Orca Security - to confirm changes and provide the updated data as a JSON result. + | **Alert ID** | String | Yes | The unique identifier of the alert in Orca Security + that needs to be updated. | + | **Verify Alert** | Boolean | No | If enabled, the action will initiate the verification + process for the specified alert. | - ### Parameters Description + | **Snooze State** | DDL | No | Specifies the snooze state for the alert. Options + include `Snooze` or `Unsnooze`. | - | Parameter | Type | Mandatory | Description | + | **Snooze Days** | String | No | Specifies the duration (in days) for which the + alert should be snoozed. This is required if **Snooze State** is set to `Snooze`. + Defaults to 1 day if not provided. | - | :--- | :--- | :--- | :--- | + | **Status** | DDL | No | The new status to assign to the alert. Options include + `Open`, `In Progress`, `Close`, and `Dismiss`. | - | Alert ID | String | Yes | The unique identifier of the alert to be updated. - | - | Verify Alert | Boolean | No | If enabled, initiates the verification process - for the alert. | + ### Additional Notes - | Snooze State | DDL | No | Sets the snooze state. Options: 'Snooze' or 'Unsnooze'. - | + - At least one of the following parameters must be configured for the action to + execute: **Status**, **Verify Alert**, or **Snooze State**. - | Snooze Days | String | No | Number of days to snooze the alert. Mandatory if - 'Snooze State' is 'Snooze'. Defaults to 1 if not provided. | + - If **Snooze State** is set to `Unsnooze` and no **Status** is provided, the + action will automatically set the alert status to `Open`. - | Status | DDL | No | The new status to assign to the alert. Options: 'Open', - 'In Progress', 'Close', 'Dismiss'. | + - The action performs a final fetch of the alert data after updates to provide + the most current state in the results. - ### Additional Notes + ### Flow Description + + 1. **Parameter Extraction:** The action retrieves the Alert ID and the desired + update parameters (Status, Snooze, Verification). + + 2. **Validation:** It ensures that at least one update operation is requested + and that snooze duration is provided if snoozing. + + 3. **Verification Update:** If requested, it calls the Orca Security API to initiate + the alert verification process. - * At least one of the following parameters must be provided for the action to - execute: 'Status', 'Verify Alert', or 'Snooze State'. + 4. **Snooze Update:** If a snooze state is specified, it updates the alert's snooze + settings accordingly. - * If 'Snooze State' is set to 'Unsnooze' and no 'Status' is provided, the action - automatically sets the alert status to 'Open'. + 5. **Status Update:** If a new status is provided (or implied by an unsnooze action), + it updates the alert's status in Orca Security. + + 6. **Data Retrieval:** The action fetches the latest details for the updated alert. + + 7. **Completion:** The updated alert data is returned as a JSON result, and the + action completes with a success message. capabilities: can_create_case_comments: false can_create_insight: false @@ -645,14 +770,14 @@ Update Alert: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the status, snooze state, and verification status of alerts in the Orca - Security platform using PUT requests. + Updates the status, snooze state, or verification status of an alert in Orca + Security via PUT requests. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -666,28 +791,3 @@ Update Alert: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: true - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/partner/orca_security/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/partner/orca_security/resources/ai/connectors_ai_description.yaml index bff807b0b..90c8f6d87 100644 --- a/content/response_integrations/third_party/partner/orca_security/resources/ai/connectors_ai_description.yaml +++ b/content/response_integrations/third_party/partner/orca_security/resources/ai/connectors_ai_description.yaml @@ -2,90 +2,84 @@ Orca Security - Alerts Connector: ai_description: >- ### General Description - - The Orca Security Alerts Connector fetches security findings and risks from the + The Orca Security Alerts Connector fetches security findings and alerts from the Orca Security platform and ingests them into Google SecOps as cases. It provides - a continuous stream of cloud security alerts, including vulnerabilities, misconfigurations, - and compromised assets, allowing security teams to centralize their cloud security - posture monitoring. The connector supports granular filtering by severity, category, - and Orca's proprietary risk score to ensure only relevant alerts are processed. + comprehensive visibility into cloud risks, including vulnerabilities, misconfigurations, + and compromised assets, by querying Orca's serving layer API. The connector supports + advanced filtering by severity, Orca score, and categories to ensure only relevant + security data is ingested. ### Parameters Description - | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | API Root | String | Yes | The base URL of your Orca Security instance (e.g., - https://.orcasecurity.io). | + | DeviceProductField | String | Yes | The source field name used to retrieve the + Product Field name. | - | API Key | Password | No | API Key for authentication. Used if API Token is not - provided. | - - | API Token | Password | No | API Token for authentication. This is the preferred - method and takes precedence over the API Key. | + | EventClassId | String | Yes | The source field name used to retrieve the Event + Field name. | - | DeviceProductField | String | Yes | The source field name used to populate the - Product Name in the SOAR case. Default is 'Product Name'. | + | API Root | String | Yes | The API root URL of your Orca Security instance (e.g., + https://.orcasecurity.io). | - | EventClassId | String | Yes | The source field name used to retrieve the Event - Field name. Default is 'data_RiskFindings_value_type'. | + | API Key | Password | No | API Key for authentication. If both Key and Token + are provided, the Token is used. | - | Lowest Severity To Fetch | String | No | The minimum severity level to ingest. - Options: Compromised, Imminent compromise, Hazardous, Informational. | + | API Token | Password | No | API Token for authentication. This is the preferred + authentication method. | - | Lowest Orca Score To Fetch | String | No | The minimum Orca Risk Score (1-10) - required for an alert to be ingested. | + | Verify SSL | Boolean | Yes | If enabled, verifies the SSL certificate for the + connection to the Orca Security server. | - | Category Filter | String | No | A comma-separated list of Orca categories (e.g., - Vulnerability, Malware) to include. | + | Category Filter | String | No | A comma-separated list of category names to + include during ingestion (case-sensitive). | - | Alert Type Filter | String | No | A comma-separated list of specific Orca alert - types to ingest. | + | Alert Type Filter | String | No | Specific alert types to fetch (e.g., aws_s3_bucket_accessible_to_unmonitored_account). + | - | Max Hours Backwards | Integer | No | The lookback window for the first run or - if the last run timestamp is missing. Default is 1 hour. | + | Lowest Severity To Fetch | String | No | The minimum severity level to ingest + (Compromised, Imminent compromise, Hazardous, Informational). | - | Max Alerts To Fetch | Integer | No | Maximum number of alerts to process per - iteration. Default is 100. | + | Lowest Orca Score To Fetch | String | No | The minimum Orca Score (1-10) required + for an alert to be ingested. | - | Use dynamic list as a blacklist | Boolean | Yes | If enabled, the connector - uses the SOAR environment's dynamic list (whitelist) as a blacklist for alert - titles. | + | Max Hours Backwards | Integer | No | The number of hours to look back for alerts + during the initial run or as a fallback. | - | Verify SSL | Boolean | Yes | If enabled, validates the SSL certificate of the - Orca Security API endpoint. | + | Max Alerts To Fetch | Integer | No | The maximum number of alerts to process + in a single connector iteration (default: 100). | - | PythonProcessTimeout | Integer | Yes | The maximum execution time allowed for - the connector script in seconds. | + | Use dynamic list as a blacklist | Boolean | Yes | If enabled, the SOAR dynamic + list will be used to exclude alerts based on their title. | ### Flow Description + 1. **Authentication**: The connector initializes a session with Orca Security + using either an API Token (Header-based) or an API Key (Cookie-based via a login + request). - 1. **Authentication**: The connector establishes a session with the Orca Security - API using the provided API Token (Header-based) or API Key (Cookie-based). - - 2. **Timeframe Calculation**: It determines the starting point for data retrieval - by checking the timestamp of the last successful execution. If no timestamp exists, - it uses the 'Max Hours Backwards' parameter. + 2. **Time Management**: It calculates the fetch window by checking the last successful + execution timestamp or falling back to the 'Max Hours Backwards' setting. - 3. **Query Construction**: A query is built for the Orca 'Serving Layer' API, - incorporating filters for severity, categories, alert types, and the Orca Risk - Score. + 3. **Query Construction**: An alert query is built using the `AlertQueryBuilder`, + incorporating user-defined filters for severity, Orca score, categories, and alert + types. - 4. **Data Retrieval**: The connector fetches a batch of alerts (up to the 'Max - Alerts To Fetch' limit) matching the criteria. + 4. **Data Retrieval**: The connector sends a POST request to the Orca Serving + Layer API to retrieve matching alerts. - 5. **Deduplication**: It compares retrieved alert IDs against a local cache of - previously processed IDs to prevent duplicate case creation. + 5. **Deduplication & Filtering**: It filters out previously ingested alerts using + a local ID cache and applies dynamic list logic (whitelist or blacklist) against + the alert titles. - 6. **Mapping and Ingestion**: Each unique alert is mapped to the Google SecOps - AlertInfo model. The raw alert data is attached as an event, and the alert is - ingested as a case. + 6. **Case Mapping**: Each valid alert is transformed into a Google SecOps `AlertInfo` + object. The raw alert data is attached as an event, and environment/product fields + are mapped based on configuration. - 7. **State Persistence**: Upon successful processing, the connector updates the - last run timestamp and the list of processed alert IDs to ensure continuity in - the next cycle. + 7. **Ingestion & State Persistence**: The connector ingests the alerts into the + SOAR platform, updates the last run timestamp, and saves the IDs of processed + alerts to prevent duplicates in future cycles. diff --git a/content/response_integrations/third_party/partner/recorded_future_intelligence/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/recorded_future_intelligence/resources/ai/actions_ai_description.yaml index 5fca892a5..ad9813198 100644 --- a/content/response_integrations/third_party/partner/recorded_future_intelligence/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/recorded_future_intelligence/resources/ai/actions_ai_description.yaml @@ -1,56 +1,85 @@ Add Analyst Note: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - Adds an analyst note to the Recorded Future platform. This action allows users - to publish structured intelligence notes directly from Google SecOps. It automatically - collects the identifiers of all entities currently in the action's scope and appends - them to the note text to provide context within Recorded Future. Users can specify - a title, the main body of the note, and an optional topic to categorize the intelligence - (e.g., Malware/Tool Profile, Actor Profile). + ### General Description + The **Add Analyst Note** action allows analysts to publish a custom note directly + to the Recorded Future platform. This is useful for documenting findings, sharing + intelligence, or tagging specific indicators within the Recorded Future ecosystem. + The action automatically collects the identifiers of all entities present in the + current Google SecOps case and appends them to the note text, ensuring that the + context of the investigation is preserved in the external record. - ### Parameters + ### Parameters Description - | Parameter | Type | Mandatory | Default | Description | + | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | :--- | + | :--- | :--- | :--- | :--- | - | Note Title | string | True | Note Title | The title of the analyst note to be - created in Recorded Future. | + | **Note Title** | String | Yes | The title of the analyst note to be created + in Recorded Future. | - | Note Text | string | True | Note Text | The main content/body of the note. The - action will automatically append a list of entities from the case to this text. - | + | **Note Text** | String | Yes | The main content or body of the note. The action + will automatically append a list of case entities to this text. | - | Topic | ddl | False | None | The category or topic for the note. Options include - 'Actor Profile', 'Malware/Tool Profile', 'YARA Rule', etc. | + | **Topic** | DDL | No | An optional category for the note, such as 'Malware/Tool + Profile', 'Actor Profile', or 'Indicator'. Defaults to 'None'. | ### Additional Notes - This action does not modify any data within Google SecOps; it only creates a - new record in the external Recorded Future platform. + record in the external Recorded Future system. - - The list of entities appended to the note includes all entities passed to the - action, regardless of their type. + - The resulting `note_id` from Recorded Future is returned as the action's output. ### Flow Description - 1. **Parameter Extraction:** Retrieves the note title, text, and selected topic - from the action parameters. + 1. **Parameter Extraction**: The action retrieves the API credentials from the + integration configuration and the note details (Title, Text, Topic) from the action + parameters. - 2. **Entity Collection:** Iterates through all entities in the current scope and - compiles a list of their identifiers. + 2. **Entity Collection**: It iterates through all entities associated with the + current case and compiles their identifiers into a formatted string. - 3. **Text Preparation:** Appends the compiled list of entity identifiers to the - user-provided note text for better context. + 3. **Text Augmentation**: The list of collected entity identifiers is appended + to the user-provided `Note Text` to provide context for the note in Recorded Future. - 4. **External API Call:** Uses the Recorded Future API to publish the note with - the specified title, combined text, and topic. + 4. **External API Call**: The action uses the Recorded Future Manager to send + a request to the Recorded Future API to publish the note with the specified title, + augmented text, and topic. - 5. **Completion:** Returns the unique ID of the newly created note in Recorded - Future. + 5. **Result Handling**: Upon success, the action returns the unique ID of the + created note (`note_id`) and completes the execution. capabilities: can_create_case_comments: false can_create_insight: false @@ -59,19 +88,48 @@ Add Analyst Note: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new Analyst Note record in the Recorded Future platform containing - the provided intelligence and a list of associated entities. + Creates a new Analyst Note record in the Recorded Future platform. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: entity_types: - - ADDRESS - - CVE - - DestinationURL - - FILEHASH - - HOSTNAME + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -85,6 +143,7 @@ Add Analyst Note: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Detonate File: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -98,77 +157,78 @@ Add Analyst Note: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false - submit_file: false + send_message: false + submit_file: true uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Detonate File: ai_description: >- - Submits a file to the Recorded Future Sandbox for automated analysis and detonation. - This action is asynchronous, meaning it initiates the upload and then periodically - checks the status of the analysis until a report is ready or a timeout occurs. - Once the analysis is complete, the action retrieves the report details and generates - a comprehensive insight within the Google SecOps case. + Submits a file to the Recorded Future Sandbox (Triage) for detonation and behavioral + analysis. This action is designed to handle file samples asynchronously, allowing + the sandbox to complete its analysis before retrieving the results. It supports + fetching files from either a local file system or a Google Cloud Platform (GCP) + bucket. Once the analysis is complete, the action retrieves a comprehensive report, + including threat scores, signatures, and network flows, and attaches this information + as a case insight within Google SecOps. - ### Parameters + ### Flow Description + 1. **File Retrieval**: The action identifies the file source (GCP Bucket or Local + File System) and retrieves the file content using the provided path. - | Parameter | Type | Mandatory | Description | + 2. **Submission**: The file is uploaded to the Recorded Future Sandbox API along + with optional parameters like a specific analysis profile or an archive password. - | :--- | :--- | :--- | :--- | - - | File Path | string | Yes | The full path to the file that needs to be analyzed. - | + 3. **Polling**: As an asynchronous action, it enters an 'In Progress' state, periodically + checking the status of the submission until the sandbox reports that the analysis + is finished. - | File Source | ddl | Yes | Specifies where the action should retrieve the file - from. Options are 'GCP Bucket' (retrieves via Google Cloud Storage) or 'Local - File System' (retrieves from the local path). | + 4. **Report Generation**: Upon completion, the action fetches the overview report + from the sandbox. - | Profile | string | No | The specific Recorded Future Sandbox profile to use - for the analysis. | + 5. **Enrichment & Insights**: The action processes the report data to create a + detailed HTML insight in the SecOps case, providing visibility into the file's + behavior and risk score. - | Password | string | No | The password required to extract the file if it is - a password-protected archive. | + ### Parameters Description - ### Flow Description + | Parameter | Type | Mandatory | Description | - 1. **File Retrieval:** The action retrieves the file content based on the provided - `File Path` and `File Source` (either from a GCP Bucket or the local filesystem). + | :--- | :--- | :--- | :--- | - 2. **Submission:** The file is uploaded to the Recorded Future Sandbox API using - the provided `Profile` and `Password` (if applicable). + | File Path | string | Yes | The specific path or identifier of the file to be + detonated. | - 3. **Status Polling:** Because the action is asynchronous, it enters an 'In Progress' - state and periodically queries the Sandbox API to check if the analysis is 'reported' - (finished). + | File Source | ddl | Yes | Defines where to pull the file from. Options are 'GCP + Bucket' (default) or 'Local File System'. | - 4. **Report Retrieval:** Once the analysis is complete, the action fetches the - overview report, which includes scores, signatures, and IOCs. + | Profile | string | No | The specific Recorded Future Sandbox profile to use + for the analysis. | - 5. **Insight Generation:** The action processes the report data and creates a - detailed HTML insight in the Google SecOps case, providing visibility into the - detonation results. + | Password | string | No | The password required to extract the file if it is + a protected archive. | ### Additional Notes + - This action is asynchronous and may require multiple execution cycles depending + on the sandbox analysis time. - * This action requires a valid Recorded Future Sandbox API key and URL configured - in the integration settings. - - * The action will time out if the analysis takes longer than the configured - execution deadline. + - If the action times out, it will list the pending files that were still being + processed. capabilities: can_create_case_comments: false can_create_insight: true @@ -177,16 +237,16 @@ Detonate File: can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: >- - Submits a file to the Recorded Future Sandbox, which creates a new analysis - record and initiates a detonation process on the external platform. + Submits a new file sample to the Recorded Future Sandbox for detonation and + analysis, which creates a new analysis record in the external system. fetches_data: true internal_data_mutation_explanation: >- - Creates case insights within Google SecOps to display the results of the file - analysis. + Creates case insights within Google SecOps to display the results of the sandbox + detonation report. categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -200,6 +260,7 @@ Detonate File: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Detonate URL: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -213,63 +274,72 @@ Detonate File: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: true uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Detonate URL: ai_description: >- - Submits URL entities to the Recorded Future Sandbox for automated analysis and - detonation. This is an asynchronous action that initiates a scan and then polls - for the results. Once the analysis is complete, it retrieves a detailed report - including risk scores, signatures, and associated IOCs. + ### General Description + Submits URL entities to the Recorded Future Sandbox for detonation and behavioral + analysis. This action is designed to provide deep visibility into the nature of + a URL by executing it in a controlled environment and observing its activities, + such as network connections, file modifications, and signature matches. It is + an asynchronous action that handles the submission and then polls the sandbox + until the analysis is complete. - ### Flow Description - 1. **Extraction:** Identifies URL entities from the target entities in the current - context. + ### Parameters Description - 2. **Submission:** Submits the identified URLs to the Recorded Future Sandbox - API, optionally using a specified Sandbox profile. - 3. **Polling:** Periodically checks the status of the submitted samples until - they reach a 'reported' or 'failed' state. + | Parameter | Type | Mandatory | Description | - 4. **Retrieval:** Fetches the overview report for all successfully analyzed URLs. + | :--- | :--- | :--- | :--- | - 5. **Enrichment:** Generates detailed HTML insights for each analyzed URL, including - summary scores, scan metadata, and detected signatures/IOCs. + | Profile | String | No | Specifies the Sandbox profile to be used for the detonation. + If not provided, the default sandbox profile will be used. | - 6. **Finalization:** Populates the action results with JSON data and a summary - table of the findings. + ### Flow Description - ### Parameters Description + 1. **Entity Extraction**: The action identifies all URL entities within the current + case scope. - | Parameter | Type | Mandatory | Description | + 2. **Submission**: It submits each identified URL to the Recorded Future Sandbox + API using the provided (or default) profile. - | :--- | :--- | :--- | :--- | + 3. **Asynchronous Polling**: Since detonation takes time, the action enters an + 'In Progress' state. It periodically checks the status of the submitted samples. + + 4. **Report Retrieval**: Once the sandbox marks a sample as 'reported', the action + fetches the full overview report, including risk scores and behavioral signatures. - | Profile | String | No | Specifies the Sandbox profile to be used for the detonation - (e.g., specific OS or browser environment). | + 5. **Case Enrichment**: The action generates detailed case insights for each URL, + providing a summary of the detonation results (score, scan time, target details, + and IOCs). + + 6. **Finalization**: Once all URLs are processed, it outputs the results as a + JSON object and populates a data table in the case wall. ### Additional Notes - * This action is **asynchronous**; it will remain in an 'In Progress' state while - waiting for the Sandbox to complete the analysis. + - **Asynchronous Execution**: This action will remain in an 'In Progress' state + until the sandbox analysis is finished or a timeout occurs. - * If the action approaches the global timeout, it will report the pending URLs - in the output message. + - **Timeout Management**: If the analysis takes longer than the configured SOAR + timeout, the action will report a timeout error listing the pending URLs. capabilities: can_create_case_comments: false can_create_insight: true @@ -279,16 +349,16 @@ Detonate URL: can_update_entities: false external_data_mutation_explanation: >- Submits a URL to the Recorded Future Sandbox, which creates a new analysis sample - and job in the external system. + record and initiates a detonation process in the external system. fetches_data: true internal_data_mutation_explanation: >- - Creates case insights containing the detonation report details and adds data - tables to the action result. + Creates case insights containing the detonation report details and adds a results + data table to the case wall. categories: enrichment: false entity_usage: entity_types: - - DestinationURL + - DestinationURL filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -302,6 +372,7 @@ Detonate URL: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Enrich CVE: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -315,68 +386,76 @@ Detonate URL: enrich_asset: false enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false - submit_file: true + send_message: false + submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Enrich CVE: ai_description: >- - Enriches CVE (Common Vulnerabilities and Exposures) entities using Recorded Future's - threat intelligence. This action retrieves comprehensive vulnerability data, including - risk scores, evidence details, and intelligence card links. It evaluates the CVE - against a user-defined risk threshold to automatically mark entities as suspicious - within Google SecOps. Additionally, it can contribute detection telemetry back - to Recorded Future via the Collective Insights feature. + Enriches CVE entities using Recorded Future Intelligence. This action retrieves + comprehensive threat intelligence for vulnerabilities, including risk scores, + evidence details, and links to intelligence cards. It evaluates the risk based + on a user-defined threshold to mark entities as suspicious and contributes detection + data back to Recorded Future if Collective Insights is enabled. - ### Flow Description: + ### Parameters Description - 1. **Parameter Extraction:** Retrieves API credentials from the integration configuration - and action parameters including the Risk Score Threshold, Link inclusion preference, - and Collective Insights toggle. - 2. **Entity Filtering:** Identifies and processes only CVE entities present in - the current context. + | Parameter | Type | Mandatory | Default | Description | - 3. **Intelligence Retrieval:** Queries Recorded Future for the risk score, evidence - details, and (optionally) related entity links for each CVE. + | :--- | :--- | :--- | :--- | :--- | - 4. **External Contribution:** If 'Enable Collective Insights' is active and the - alert did not originate from Recorded Future, it submits detection metadata to - Recorded Future's telemetry API. + | Risk Score Threshold | String | True | 25 | Represents the minimum malicious + risk score (0-99) for a CVE to be marked suspicious. Levels: Very Critical (90-99), + Critical (80-89), High (65-79), Medium (25-64), Low (5-24), None (0). | - 5. **Internal Enrichment:** Updates the entity's additional properties with Recorded - Future metadata and sets the 'is_enriched' flag. + | Include Links | Boolean | False | False | If enabled, the action retrieves information + about related links for the CVE. | - 6. **Risk Assessment:** Compares the retrieved risk score against the 'Risk Score - Threshold'. If exceeded, the entity is marked as suspicious. + | Enable Collective Insights | Boolean | False | True | If enabled, the action + contributes detection telemetry back to Recorded Future's Collective Insights + platform. | - 7. **Insight & Reporting:** Generates a detailed Case Insight containing risk - evidence and populates data tables with overview and link information. + ### Additional Notes - ### Parameters Description: + - Collective Insights are only submitted if the global integration setting is + enabled and the alert reporting vendor is not Recorded Future. - | Parameter Name | Type | Mandatory | Description | + - The action updates the entity's suspicious status and adds enrichment data to + its additional properties. - | :--- | :--- | :--- | :--- | - | Risk Score Threshold | String | Yes | The minimum malicious risk score (0-99) - required to mark a CVE as suspicious. Default is 25. | + ### Flow Description + + 1. **Initialization:** Extracts API credentials from the integration configuration + and user parameters (Threshold, Links, Collective Insights) from the action settings. - | Include Links | Boolean | No | If enabled, the action retrieves and displays - related entity links from Recorded Future. | + 2. **Entity Filtering:** Identifies and processes only CVE entities present in + the current context. - | Enable Collective Insights | Boolean | No | If enabled, the action shares detection - telemetry back to Recorded Future to improve global threat intelligence. | + 3. **Data Retrieval:** Queries the Recorded Future API for each CVE to fetch risk + scores, evidence details, and intelligence card URLs. + + 4. **External Mutation:** If 'Enable Collective Insights' is active, it submits + detection data to Recorded Future. + + 5. **Risk Evaluation:** Compares the retrieved risk score against the 'Risk Score + Threshold'. If exceeded, the entity is marked as suspicious. + + 6. **Internal Updates:** Updates the entity's properties in Google SecOps, creates + detailed case insights, and adds data tables for risk rules and links. capabilities: can_create_case_comments: false can_create_insight: true @@ -385,18 +464,17 @@ Enrich CVE: can_mutate_internal_data: true can_update_entities: true external_data_mutation_explanation: >- - If the 'Enable Collective Insights' parameter is enabled, the action performs - a POST request to Recorded Future's Collective Insights API to contribute detection - telemetry. + If 'Enable Collective Insights' is enabled, the action submits detection telemetry + and incident metadata to Recorded Future's Collective Insights platform. fetches_data: true internal_data_mutation_explanation: >- - The action updates entity attributes (is_suspicious, is_enriched, additional_properties) - and creates case insights based on the retrieved threat intelligence. + Updates entity attributes such as suspicious status and additional properties, + and creates case insights containing threat intelligence summaries. categories: enrichment: false entity_usage: entity_types: - - CVE + - CVE filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -410,6 +488,7 @@ Enrich CVE: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Enrich Hash: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -423,26 +502,28 @@ Enrich CVE: enrich_asset: false enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Enrich Hash: ai_description: >- - Enriches File Hash entities using Recorded Future's threat intelligence platform. - This action retrieves comprehensive intelligence including risk scores, evidence - details, and intelligence card links. It evaluates the risk score against a user-defined - threshold to automatically mark entities as suspicious within Google SecOps. Additionally, - it can contribute detection data back to Recorded Future via the Collective Insights - feature. + Enriches File Hash entities using Recorded Future Intelligence. This action retrieves + comprehensive threat intelligence, including risk scores, evidence details, and + related entity links. It evaluates the risk based on a user-defined threshold, + updates the entity's suspicious status, and generates detailed case insights and + data tables. Additionally, it can optionally contribute detection telemetry back + to Recorded Future's Collective Insights system. ### Parameters @@ -451,50 +532,33 @@ Enrich Hash: | :--- | :--- | :--- | :--- | - | Risk Score Threshold | string | Yes | The minimum malicious risk score (0-89) - required to mark a Hash as suspicious. | - - | Include Links | boolean | No | If enabled, retrieves information about related - entity links. | - - | Enable Collective Insights | boolean | No | If enabled, contributes detection - data back to Recorded Future's community intelligence. | - - - ### Additional Notes + | Risk Score Threshold | String | Yes | Represents the minimum malicious risk + score (0-89) for a Hash to be marked malicious. | - - The 'Enable Collective Insights' feature only triggers if both the action parameter - and the global integration configuration are enabled, and the alert vendor is - not 'Recorded Future'. + | Include Links | Boolean | No | If enabled, the action retrieves information + about related links. | - - Risk bands: Unusual (5-24), Suspicious (25-64), Malicious (65-89). + | Enable Collective Insights | Boolean | No | If enabled, contributes detection + telemetry back to Recorded Future. | ### Flow Description - 1. **Initialization**: Extracts API configuration and action parameters (Threshold, - Links, Collective Insights). + 1. **Initialization:** Extracts API configuration (URL, Key, SSL) and action parameters. - 2. **Entity Filtering**: Identifies all File Hash entities within the current - context. + 2. **Entity Identification:** Filters the case for `FILEHASH` entities. - 3. **Data Retrieval**: For each hash, queries Recorded Future for its risk profile - and intelligence data. + 3. **Intelligence Retrieval:** Queries Recorded Future for each hash to fetch + risk scores, evidence, and optional links. - 4. **External Contribution**: If Collective Insights is enabled, submits the detection - event to Recorded Future. + 4. **Telemetry Submission:** If 'Enable Collective Insights' is active, submits + detection data to Recorded Future. - 5. **Internal Enrichment**: Updates the entity's additional properties with Recorded - Future metadata and adds data tables for risk rules and overview details. - - 6. **Risk Assessment**: Compares the retrieved risk score to the 'Risk Score Threshold'. - If exceeded, the entity is marked as suspicious. - - 7. **Insight Generation**: Creates a detailed Case Insight containing the risk - breakdown and a link to the Recorded Future portal. + 5. **Risk Evaluation:** Compares the hash's risk score against the 'Risk Score + Threshold'. - 8. **Completion**: Updates the entities in the case and returns the final execution - status. + 6. **Internal Enrichment:** Updates entity properties, marks entities as suspicious + if they exceed the threshold, and creates case insights with the analysis results. capabilities: can_create_case_comments: false can_create_insight: true @@ -503,18 +567,17 @@ Enrich Hash: can_mutate_internal_data: true can_update_entities: true external_data_mutation_explanation: >- - If 'Enable Collective Insights' is active, the action performs a POST request - to Recorded Future to contribute detection data to their community intelligence - database. + If 'Enable Collective Insights' is enabled, the action submits detection telemetry + to Recorded Future's Collective Insights platform. fetches_data: true internal_data_mutation_explanation: >- - Updates entity suspicious status, populates additional properties with enrichment - data, and creates case insights. + Updates entity attributes (additional properties, suspicious status, enriched + status) and creates case insights. categories: enrichment: false entity_usage: entity_types: - - FILEHASH + - FILEHASH filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -528,6 +591,7 @@ Enrich Hash: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Enrich Host: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -541,75 +605,77 @@ Enrich Hash: enrich_asset: false enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Enrich Host: ai_description: >- - ### General Description - - Enriches Hostname and Domain entities using Recorded Future intelligence. This + Enriches Hostname and Domain entities using Recorded Future Intelligence. This action retrieves comprehensive threat intelligence, including risk scores, triggered - risk rules, and evidence details. It helps analysts identify malicious hosts by - comparing risk scores against a configurable threshold and provides direct links - to the Recorded Future portal for deeper investigation. + risk rules, and related links. It evaluates the risk based on a user-defined threshold, + updates the entity's suspicious status within Google SecOps, and generates detailed + case insights and data tables for analyst review. Additionally, it can optionally + contribute detection telemetry back to Recorded Future's Collective Insights platform. - ### Parameters Description + ### Parameters - | Parameter | Type | Mandatory | Default | Description | + | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | :--- | + | :--- | :--- | :--- | :--- | - | Risk Score Threshold | String | Yes | 25 | Represents the minimum malicious - risk score (0-99) for a Host to be marked malicious. | + | Risk Score Threshold | String | Yes | Represents the minimum malicious risk + score (0-99) for a Host to be marked malicious. | - | Include Links | Boolean | No | False | If enabled, the action will retrieve - information about links from Recorded Future. | + | Include Links | Boolean | No | If enabled, the action will retrieve information + about related links. | - | Enable Collective Insights | Boolean | No | True | If enabled, contributes detection - data back to Recorded Future's Collective Insights API. | + | Enable Collective Insights | Boolean | No | If enabled, the action contributes + detection telemetry back to Recorded Future. | - ### Additional Notes + ### Flow Description - * Collective Insights are only submitted if the alert's reporting vendor is not - 'Recorded Future'. + 1. **Initialization**: Extracts API configuration and action parameters, including + the risk threshold and link inclusion settings. - * The action supports both Hostname and Domain entity types. + 2. **Entity Processing**: Filters the target entities to identify Hostnames and + Domains. + 3. **Intelligence Retrieval**: Queries the Recorded Future API for each identified + entity to fetch risk scores and evidence. - ### Flow Description + 4. **External Mutation (Optional)**: If 'Enable Collective Insights' is enabled, + the action submits detection data to Recorded Future. - 1. **Initialize Connection**: Establishes a connection to Recorded Future using - the provided API URL and Key. + 5. **Risk Evaluation**: Compares the retrieved risk score against the 'Risk Score + Threshold'. - 2. **Filter Entities**: Identifies target entities of type Hostname or Domain - for processing. + 6. **Internal Enrichment**: Updates the entity's additional properties, sets the + 'is_suspicious' flag if the threshold is met, and populates data tables with the + report summary and risk rules. - 3. **Query Intelligence**: For each entity, queries Recorded Future for enrichment - data, including risk scores and evidence details. + 7. **Insight Generation**: Creates a detailed case insight for entities deemed + risky, providing context on why the entity was flagged. - 4. **Submit Collective Insights**: If enabled and applicable, submits detection - telemetry to Recorded Future. - 5. **Evaluate Risk**: Compares the retrieved risk score against the user-defined - 'Risk Score Threshold'. + ### Additional Notes - 6. **Update Internal Data**: Updates the entity's suspicious status, adds enrichment - properties, and creates case insights with detailed risk evidence. + - The action supports both `HOSTNAME` and `DOMAIN` entity types. - 7. **Generate Results**: Adds data tables for overview, risk rules, and links - to the case wall, and provides a direct link to the Recorded Future portal. + - Collective Insights submission is skipped if the alert's reporting vendor is + 'Recorded Future' to avoid circular reporting. capabilities: can_create_case_comments: false can_create_insight: true @@ -618,18 +684,19 @@ Enrich Host: can_mutate_internal_data: true can_update_entities: true external_data_mutation_explanation: >- - Contributes detection information to Recorded Future's Collective Insights API - if the 'Enable Collective Insights' parameter is set to true. + If the 'Enable Collective Insights' parameter is enabled, the action submits + detection telemetry and incident metadata to Recorded Future's Collective Insights + API. fetches_data: true internal_data_mutation_explanation: >- - Updates entity suspicious status, adds enrichment properties to entities, and - creates case insights with risk details. + Updates entity attributes such as suspicious status, enriched status, and additional + properties. It also creates case insights and adds data tables to the case. categories: enrichment: false entity_usage: entity_types: - - HOSTNAME - - DOMAIN + - HOSTNAME + - DOMAIN filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -643,6 +710,7 @@ Enrich Host: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Enrich IOC: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -656,79 +724,80 @@ Enrich Host: enrich_asset: false enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Enrich IOC: ai_description: >- - Enriches IOC entities (IP Address, Domain, Hostname, File Hash, URL, and CVE) - using Recorded Future intelligence. This action retrieves risk scores, evidence - details, and optional related links. It automatically updates entity attributes, - marks entities as suspicious based on a configurable threshold, and generates - detailed insights for analysts. - - - ### Parameters Description + Enriches Indicators of Compromise (IOCs) using Recorded Future Intelligence. This + action retrieves comprehensive threat intelligence for multiple entity types, + including IP addresses, domains, hostnames, file hashes, URLs, and CVEs. It evaluates + the risk score of each entity against a user-defined threshold to determine if + the entity should be marked as suspicious within the platform. Additionally, the + action can contribute detection data back to Recorded Future via the Collective + Insights feature. - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Risk Score Threshold | String | Yes | Represents the minimum malicious risk - score (0-100) for each entity to be marked as suspicious. | + ### Flow Description: - | Include Links | Boolean | No | If enabled, the action will retrieve information - about related entity links from Recorded Future. | + 1. **Parameter Extraction:** Retrieves the API configuration (URL, Key, SSL) and + action parameters (Risk Score Threshold, Include Links, Enable Collective Insights). - | Enable Collective Insights | Boolean | No | If enabled, the action will contribute - detection telemetry back to Recorded Future's Collective Insights API. | + 2. **Entity Filtering:** Iterates through the target entities in the case and + filters for supported types: IP Address, Domain, Hostname, File Hash, URL, and + CVE. + 3. **Intelligence Retrieval:** For each supported entity, it queries Recorded + Future to fetch risk scores, evidence details, and optional related links. - ### Flow Description + 4. **Collective Insights Submission:** If enabled, the action submits the detection + context (case title, timestamp, and IOC) to Recorded Future's Collective Insights + API. + 5. **Risk Evaluation:** Compares the retrieved risk score against the 'Risk Score + Threshold'. If the score exceeds the threshold, the entity is marked as suspicious. - 1. **Initialization**: Extracts integration configuration (API Key, URL) and action - parameters. + 6. **Internal Enrichment:** Updates the entity's additional properties with threat + data, adds data tables for risk rules and overview, and creates a detailed Case + Insight containing the intelligence report. - 2. **Entity Filtering**: Identifies supported entities in the current context, - including IP Addresses, Domains, Hostnames, File Hashes, URLs, and CVEs. - 3. **Intelligence Retrieval**: For each supported entity, queries the Recorded - Future API to fetch enrichment data, risk scores, and evidence details. + ### Parameters Description: - 4. **Collective Insights Submission**: If 'Enable Collective Insights' is active - and the alert is from an external vendor, submits detection telemetry (IOC value, - type, and alert context) to Recorded Future. + | Parameter Name | Type | Mandatory | Description | - 5. **Data Population**: Updates entity properties with the fetched intelligence - and adds data tables (Overview, Risk Rules, and Links) to the case. + | :--- | :--- | :--- | :--- | - 6. **Risk Assessment**: Compares the entity's risk score against the 'Risk Score - Threshold'. + | Risk Score Threshold | string | Yes | The minimum malicious risk score (0-100) + required to mark an entity as suspicious. Default is 25. | - 7. **Insight Generation**: If the threshold is exceeded, marks the entity as suspicious - and generates a detailed case insight containing risk details and location data - (for IPs). + | Include Links | boolean | No | If enabled, the action retrieves and displays + information about related entity links in a data table. | - 8. **Completion**: Updates the entities within Google SecOps and provides a summary - of the enrichment results. + | Enable Collective Insights | boolean | No | If enabled, the action contributes + detection metadata back to Recorded Future. This is only active if the global + integration setting is also enabled and the alert vendor is not Recorded Future. + | - ### Additional Notes + ### Additional Notes: + - The action performs an external mutation when 'Enable Collective Insights' is + active by sending detection data to Recorded Future. - Collective Insights submissions are automatically excluded for alerts where the - reporting vendor is 'Recorded Future' to avoid redundant data submission. + - Entity suspicious status and enrichment fields are updated only for entities + successfully found in the Recorded Future database. capabilities: can_create_case_comments: false can_create_insight: true @@ -738,21 +807,22 @@ Enrich IOC: can_update_entities: true external_data_mutation_explanation: >- If 'Enable Collective Insights' is enabled, the action performs a POST request - to Recorded Future's Collective Insights API to contribute detection telemetry. + to the Recorded Future Collective Insights API to contribute detection metadata + from the current case. fetches_data: true internal_data_mutation_explanation: >- - Updates entity fields (is_suspicious, is_enriched, additional_properties) and - creates case insights containing risk scores and evidence details. + Updates entity attributes such as 'is_suspicious', 'is_enriched', and 'additional_properties'. + It also creates Case Insights and adds data tables to the action results. categories: enrichment: false entity_usage: entity_types: - - ADDRESS - - CVE - - DOMAIN - - FILEHASH - - HOSTNAME - - DestinationURL + - ADDRESS + - CVE + - FILEHASH + - HOSTNAME + - DestinationURL + - DOMAIN filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -766,6 +836,7 @@ Enrich IOC: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Enrich IOCs Bulk: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -779,68 +850,72 @@ Enrich IOC: enrich_asset: false enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Enrich IOCs Bulk: ai_description: >- - ### General Description - Enriches multiple Indicator of Compromise (IOC) entities in bulk using the Recorded - Future SOAR API. This action retrieves comprehensive threat intelligence, including - risk scores and evidence, for IP addresses, domains, hostnames, file hashes, URLs, - and CVEs. It also allows for contributing detection data back to Recorded Future - via the Collective Insights feature. + Future SOAR API. This action retrieves threat intelligence for supported entity + types including IP Addresses, Domains, Hostnames, File Hashes, URLs, and CVEs. + It provides a consolidated JSON result containing the intelligence data for all + processed entities. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Configuration Extraction:** Retrieves API credentials (URL, Key) and SSL + verification settings from the integration configuration. - | :--- | :--- | :--- | :--- | + 2. **Parameter Processing:** Checks the 'Enable Collective Insights' action parameter + and global settings to determine if detection data should be shared back with + Recorded Future. - | Enable Collective Insights | Boolean | No | If enabled, the action will contribute - detection data (IOCs and alert context) back to Recorded Future's Collective Insights - platform. This is only performed if the alert vendor is not Recorded Future. | + 3. **Entity Filtering:** Identifies all supported entities within the current + case context (IP, Domain, Host, Hash, URL, CVE). + 4. **Bulk Intelligence Retrieval:** Sends a single bulk request to the Recorded + Future SOAR API to fetch enrichment data for all identified entities. - ### Additional Notes + 5. **Collective Insights Submission:** If enabled and the alert source is not + Recorded Future, it submits detection metadata to the Recorded Future Collective + Insights API. - - This action is designed for bulk processing and returns data in a structured - JSON format. + 6. **Result Output:** Formats the retrieved intelligence into a JSON object and + attaches it to the action results. - - Collective Insights submission is subject to both global integration settings - and the specific action parameter. + ### Parameters Description - ### Flow Description + | Parameter Name | Type | Mandatory | Description | - 1. **Parameter Extraction:** Retrieves API credentials and the 'Enable Collective - Insights' setting. + | :--- | :--- | :--- | :--- | - 2. **Entity Identification:** Filters the case's target entities to find supported - types: Hostname, CVE, Filehash, Address, URL, and Domain. + | Enable Collective Insights | boolean | No | If enabled (default: true), the + action will contribute detection information back to Recorded Future's Collective + Insights platform, provided the global setting is also enabled and the alert did + not originate from Recorded Future. | - 3. **Bulk Request Preparation:** Groups the identified entities by type to prepare - a single bulk request for the Recorded Future SOAR API. - 4. **Intelligence Retrieval:** Executes the bulk lookup to fetch risk scores and - threat data. + ### Additional Notes - 5. **Collective Insights Submission:** If enabled and applicable, submits the - detection context to Recorded Future. + * This action is optimized for bulk processing and uses the specialized Recorded + Future SOAR API endpoint. - 6. **Result Output:** Returns the enriched data as a JSON result for use in subsequent - playbook steps. + * Unlike individual enrichment actions, this bulk action primarily returns raw + JSON data and does not automatically update entity attributes or create case insights + within the SOAR UI. capabilities: can_create_case_comments: false can_create_insight: false @@ -849,19 +924,21 @@ Enrich IOCs Bulk: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Submits detection information to Recorded Future Collective Insights if enabled. + If the 'Enable Collective Insights' parameter is enabled, the action performs + a POST request to the Recorded Future Collective Insights API to submit detection + and incident metadata. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: entity_types: - - HOSTNAME - - CVE - - FILEHASH - - ADDRESS - - DestinationURL - - DOMAIN + - ADDRESS + - CVE + - DOMAIN + - FILEHASH + - HOSTNAME + - DestinationURL filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -875,6 +952,7 @@ Enrich IOCs Bulk: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Enrich IP: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -888,82 +966,80 @@ Enrich IOCs Bulk: enrich_asset: false enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Enrich IP: ai_description: >- - Enriches IP Address entities using Recorded Future threat intelligence. This action - retrieves comprehensive data including risk scores, evidence details, location - information (ASN, country, city), and organizational context. It evaluates the - risk score against a user-defined threshold to determine if the entity should - be marked as suspicious within Google SecOps. Additionally, it can contribute - detection telemetry back to Recorded Future via the Collective Insights feature. + Enriches IP Address entities using Recorded Future Intelligence to provide comprehensive + threat context. The action retrieves risk scores, evidence details, and geographical + location data for each IP. It evaluates the risk score against a user-defined + threshold to automatically mark entities as suspicious and generate detailed case + insights. Additionally, it can contribute detection data back to Recorded Future's + Collective Insights platform. ### Parameters - | Parameter | Type | Mandatory | Description | + | Parameter | Type | Mandatory | Default | Description | - | :--- | :--- | :--- | :--- | + | :--- | :--- | :--- | :--- | :--- | - | Risk Score Threshold | String | Yes | The minimum malicious risk score (0-99) - required to mark an IP as suspicious. Below 5 is 'No Malicious Content', 5-24 - is 'Unusual', 25-64 is 'Suspicious', 65-89 is 'Malicious', and 90-99 is 'Very - Malicious'. | + | Risk Score Threshold | String | Yes | 25 | The minimum malicious risk score + (0-99) required to mark an IP as suspicious. Scores below 5 are 'No Malicious + content', 5-24 are 'Unusual', 25-64 are 'Suspicious', 65-89 are 'Malicious', and + 90-99 are 'Very Malicious'. | - | Include Links | Boolean | No | If enabled, the action retrieves and displays - information about related entity links in a separate data table. | + | Include Links | Boolean | No | False | If enabled, the action retrieves information + about related entity links from Recorded Future. | - | Enable Collective Insights | Boolean | No | If enabled, the action contributes - detection telemetry (IOC value, type, and incident metadata) back to Recorded - Future. | + | Enable Collective Insights | Boolean | No | True | If enabled, the action contributes + detection information back to Recorded Future's Collective Insights API. | ### Additional Notes - - **Collective Insights Logic**: Submission to Collective Insights only occurs - if the feature is enabled both globally in the integration configuration and specifically - for this action. Furthermore, submissions are automatically skipped if the alert's - reporting vendor is 'Recorded Future' to prevent redundant reporting. + - The action updates the entity's 'is_suspicious' and 'is_enriched' flags based + on the results and the provided threshold. - - **Risk Scoring**: If Recorded Future returns no score for an entity, a default - score of 0 is used for threshold comparison. + - Collective Insights submissions are automatically excluded if the alert's reporting + vendor matches the integration's default vendor to avoid redundant reporting. ### Flow Description - 1. **Initialization**: Extracts API credentials from the configuration and user-defined - parameters (Threshold, Links, Collective Insights). + 1. **Parameter Extraction**: Retrieves API configuration (URL, Key, SSL settings) + and action parameters (Threshold, Links, Collective Insights). - 2. **Entity Filtering**: Identifies all IP Address entities present in the current - alert or case context. + 2. **Entity Filtering**: Identifies and processes only 'ADDRESS' (IP) entities + from the target entities list. - 3. **Intelligence Retrieval**: Queries Recorded Future for each IP to obtain its - risk score, evidence details, location data, and optional links. + 3. **Intelligence Retrieval**: For each IP, it queries the Recorded Future API + to fetch risk scores, location data (ASN, Country, City, Org), and evidence details. - 4. **External Contribution**: If Collective Insights is enabled and the alert - source is external, the action submits the detection metadata to Recorded Future. + 4. **External Mutation (Optional)**: If 'Enable Collective Insights' is active, + it submits the detection context to Recorded Future. 5. **Risk Evaluation**: Compares the retrieved risk score against the 'Risk Score Threshold'. If the score exceeds the threshold, the entity is marked as suspicious. - 6. **Internal Enrichment**: Updates the entity's additional properties with Recorded - Future metadata, sets the 'is_enriched' flag, and creates a detailed Case Insight - containing risk evidence and location details. + 6. **Internal Data Enrichment**: Updates the entity's additional properties with + enrichment data, adds data tables to the case wall (Overview, Risk Rules, Links), + and creates a detailed Case Insight if the entity is deemed risky. - 7. **Reporting**: Adds data tables for the overview report, triggered risk rules, - and links to the action results, while also providing a direct link to the Recorded - Future Intel Card. + 7. **Finalization**: Updates the entities within the SecOps platform and returns + a JSON result of the enrichment data. capabilities: can_create_case_comments: false can_create_insight: true @@ -972,18 +1048,18 @@ Enrich IP: can_mutate_internal_data: true can_update_entities: true external_data_mutation_explanation: >- - If 'Enable Collective Insights' is enabled, the action submits detection telemetry - (IOC value, type, and incident metadata) to Recorded Future's Collective Insights + If 'Enable Collective Insights' is enabled, the action submits detection information + (IOC value, type, and incident context) to Recorded Future's Collective Insights API. fetches_data: true internal_data_mutation_explanation: >- - Updates entity attributes (additional properties, suspicious status, enriched - status) and creates case insights containing threat intelligence evidence. + Updates entity attributes including 'is_suspicious', 'is_enriched', and 'additional_properties'. + It also creates Case Insights and adds multiple data tables to the case. categories: enrichment: false entity_usage: entity_types: - - ADDRESS + - ADDRESS filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -997,6 +1073,7 @@ Enrich IP: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Enrich URL: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1010,45 +1087,72 @@ Enrich IP: enrich_asset: false enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Enrich URL: ai_description: >- - ### General Description\nEnriches URL entities using Recorded Future Intelligence. - This action retrieves comprehensive threat intelligence, including risk scores, - criticality levels, and evidence details. It allows analysts to automatically - mark entities as suspicious based on a configurable risk threshold and can optionally - contribute detection data back to Recorded Future via Collective Insights.\n\n### - Parameters Description\n| Parameter | Description | Type | Mandatory |\n| :--- - | :--- | :--- | :--- |\n| Risk Score Threshold | Represents the minimum malicious - risk score (0-99) for a URL to be marked as suspicious. | String | Yes |\n| Include - Links | If enabled, the action retrieves information about links associated with - the URL. | Boolean | No |\n| Enable Collective Insights | If enabled, the action - contributes detection data back to Recorded Future's Collective Insights API. - | Boolean | No |\n\n### Additional Notes\n- The action will skip Collective Insights - submission if the alert's reporting vendor is 'Recorded Future' to prevent redundant - data loops.\n- Risk scores are categorized into bands: Very Malicious (90-99), - Malicious (65-89), Suspicious (25-64), Unusual (5-24), and No Malicious content - (0).\n\n### Flow Description\n1. **Parameter Extraction**: Retrieves API configuration - and action parameters (Threshold, Include Links, Collective Insights setting).\n2. - **Entity Filtering**: Identifies URL entities within the current context.\n3. - **Intelligence Retrieval**: Queries Recorded Future for enrichment data, including - risk scores and evidence details for each URL.\n4. **External Contribution**: - If enabled and applicable, submits the detection to Recorded Future Collective - Insights.\n5. **Internal Enrichment**: Updates the entity's additional properties, - sets the enriched status, and marks the entity as suspicious if the risk score - exceeds the threshold.\n6. **Insight Generation**: Creates case insights and data - tables containing the risk analysis and evidence details for the analyst. + Enriches URL entities using Recorded Future Intelligence to provide comprehensive + threat context. The action retrieves risk scores, evidence details, and optional + related entity links from Recorded Future. It evaluates the URL against a user-defined + risk threshold to determine if it should be marked as suspicious within the case. + Additionally, it can optionally contribute detection data back to Recorded Future + via the Collective Insights feature. + + + ### Parameters Description + + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Risk Score Threshold | string | True | Represents the minimum malicious risk + score (0-99) for a URL to be marked malicious. Scores 65-89 are Malicious, 90-99 + are Very Malicious. | + + | Include Links | boolean | False | If enabled, the action retrieves information + about related entity links associated with the URL. | + + | Enable Collective Insights | boolean | False | If enabled, the action contributes + detection information back to Recorded Future. This is only active if the alert + vendor is not Recorded Future. | + + + ### Flow Description + + + 1. **Initialization**: Extracts configuration parameters (API Key, URL, SSL settings) + and action parameters (Threshold, Links toggle, Collective Insights toggle). + + 2. **Entity Filtering**: Identifies URL entities within the current case scope. + + 3. **Intelligence Retrieval**: For each URL, it queries Recorded Future to fetch + enrichment data, including risk scores and evidence. + + 4. **Collective Insights Submission**: If enabled and applicable, it submits + the detection metadata to Recorded Future's Collective Insights API. + + 5. **Risk Assessment**: Compares the retrieved risk score against the 'Risk Score + Threshold'. If the score exceeds the threshold, the entity is marked as suspicious. + + 6. **Internal Updates**: Updates the entity's additional properties with enrichment + data, adds data tables for risk rules and links, and creates a detailed case insight + for analysts. + + 7. **Completion**: Updates the entities in the SecOps platform and returns a + summary of successful, not found, or failed enrichments. capabilities: can_create_case_comments: false can_create_insight: true @@ -1057,17 +1161,17 @@ Enrich URL: can_mutate_internal_data: true can_update_entities: true external_data_mutation_explanation: >- - Submits detection information to Recorded Future's Collective Insights API if - the 'Enable Collective Insights' parameter is set to true. + Submits detection information to Recorded Future's Collective Insights platform + if the 'Enable Collective Insights' parameter is set to true. fetches_data: true internal_data_mutation_explanation: >- Updates entity attributes (additional properties, suspicious status, enriched - status) and creates case insights with threat intelligence details. + status) and creates case insights based on the retrieved intelligence. categories: enrichment: false entity_usage: entity_types: - - DestinationURL + - DestinationURL filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1081,6 +1185,7 @@ Enrich URL: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Alert Details: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1092,66 +1197,59 @@ Enrich URL: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: true + enrich_ioc: false execute_command_on_the_host: false + get_alert_information: true remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Alert Details: ai_description: >- - ### General Description + Fetches detailed information about a specific Recorded Future alert using its + unique identifier. This action retrieves comprehensive metadata, including associated + documents, related entities, evidence details, and rule information. The retrieved + data is returned as a JSON object and includes a direct link to the alert report + in the Recorded Future portal for further investigation. - The **Get Alert Details** action retrieves comprehensive information about a specific - Recorded Future alert using its unique identifier. This action is designed to - provide analysts with deep-dive context, including associated documents, related - entities, and evidence details, which are returned to the Google SecOps case for - further investigation. - - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Alert ID | String | Yes | The unique identifier of the Recorded Future alert - for which you want to fetch details. | + | Alert ID | String | True | Specify the unique ID of the Recorded Future alert + for which you would like to fetch details. | ### Flow Description - 1. **Initialization**: The action initializes the Recorded Future manager using - the integration's API URL, API Key, and SSL verification settings. - - 2. **Parameter Extraction**: The mandatory `Alert ID` is retrieved from the action - input parameters. - - 3. **Data Retrieval**: The action queries the Recorded Future API to fetch the - full alert object, including hits, rules, and review status. - - 4. **Result Processing**: The retrieved alert data is converted into a JSON result - and added to the action output. - - 5. **Link Generation**: A direct web report link to the Recorded Future portal - for the specific alert is added to the case results. + 1. **Parameter Extraction:** The action retrieves the API credentials (URL, Key) + and the mandatory `Alert ID` from the input parameters. + 2. **Manager Initialization:** It initializes the `RecordedFutureManager` to handle + communication with the Recorded Future API. - ### Additional Notes + 3. **Data Retrieval:** The action calls the Recorded Future API to fetch the full + details of the specified alert. - - This action does not process or enrich entities from the Google SecOps case; - it operates strictly on the provided `Alert ID` parameter. + 4. **Data Transformation:** The raw API response is processed and transformed + into a structured `AlertDetails` object, extracting key information such as hits, + rules, and organization details. - - If the provided Alert ID is not found in Recorded Future, the action will return - a failure status with a descriptive error message. + 5. **Output Generation:** The action adds the structured alert data as a JSON + result and provides a direct web link to the Recorded Future portal for the specific + alert. capabilities: can_create_case_comments: false can_create_insight: false @@ -1163,9 +1261,9 @@ Get Alert Details: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: true + enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1179,6 +1277,7 @@ Get Alert Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Playbook Alert Details: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1192,70 +1291,60 @@ Get Alert Details: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: true remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Playbook Alert Details: ai_description: >- - ### General Description + Fetches detailed information about a specific Recorded Future Playbook Alert and + returns the results to the Google SecOps case. This action is designed to provide + analysts with deeper context regarding alerts, such as updated DNS records, new + vulnerability stages, code repository leaks, or identity exposures. It retrieves + the full data model for the specified alert, which can then be used for further + automated analysis or manual review. - The **Get Playbook Alert Details** action retrieves exhaustive information regarding - a specific Playbook Alert from Recorded Future. This is particularly useful for - gaining deeper context on alerts related to domain abuse, vulnerabilities, data - leaks, and third-party risks. The action returns the full alert data in JSON format - and provides a direct URL to the Recorded Future Intelligence Card for the alert. - - - ### Parameters Description - + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Playbook Alert ID** | String | Yes | The unique identifier of the Playbook - Alert to be fetched. | + | Playbook Alert ID | String | Yes | The unique identifier of the Playbook Alert + for which you want to retrieve details. | - | **Category** | String | Yes | The specific category the alert belongs to. Valid - options include: `domain_abuse`, `cyber_vulnerability`, `code_repo_leakage`, `third_party_risk`, + | Category | String | Yes | The specific category of the Playbook Alert. Supported + values include: `domain_abuse`, `cyber_vulnerability`, `code_repo_leakage`, `third_party_risk`, `identity_novel_exposures`, and `geopolitics_facility`. | ### Flow Description + 1. **Parameter Extraction:** The action retrieves the API configuration (URL, + Key, SSL settings) and the user-provided Playbook Alert ID and Category. - 1. **Parameter Extraction:** The action retrieves the API credentials from the - integration configuration and the Alert ID and Category from the user-provided - parameters. - - 2. **Manager Initialization:** It initializes the `RecordedFutureManager` to handle + 2. **Manager Initialization:** It initializes the Recorded Future Manager to handle API communication. 3. **Data Retrieval:** The action calls the Recorded Future API to fetch the specific - details of the Playbook Alert based on the ID and Category. + details of the alert based on the ID and Category provided. 4. **Result Processing:** The retrieved alert object is converted to JSON and - added to the action results. + added to the action's execution results. 5. **Link Generation:** A direct web link to the Recorded Future portal for that - specific alert is added to the action output for quick access. - - - ### Additional Notes - - - * This action does not process entities from the case; it relies solely on the - provided `Playbook Alert ID` and `Category` parameters. + specific alert is added to the action results for easy access by the analyst. capabilities: can_create_case_comments: false can_create_insight: false @@ -1269,7 +1358,7 @@ Get Playbook Alert Details: categories: enrichment: true entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1283,6 +1372,7 @@ Get Playbook Alert Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1296,64 +1386,44 @@ Get Playbook Alert Details: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: - ai_description: >- - Tests the connectivity to the Recorded Future API using the provided integration - configuration. This action validates that the SOAR environment can successfully - communicate with Recorded Future by performing a sample enrichment lookup on a - known IP address (8.8.8.8). - - - ### Flow Description: - - 1. **Parameter Initialization:** Retrieves the `ApiUrl`, `ApiKey`, and `Verify - SSL` settings from the integration configuration. - - 2. **Manager Setup:** Initializes the `RecordedFutureManager` with the retrieved - credentials. - - 3. **Connectivity Test:** Executes the `test_connectivity` method, which attempts - to fetch reputation data for the hardcoded IP `8.8.8.8` from the Recorded Future - API. - - 4. **Result Handling:** If the API call is successful, it returns a 'Connection - Established' message. If an exception occurs (e.g., unauthorized, network error), - it captures the error and reports a failure. - - - ### Parameters Description: - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | ApiUrl | String | Yes (Config) | The base URL for the Recorded Future API. | - - | ApiKey | String | Yes (Config) | The API key used for authentication. | - - | Verify SSL | Boolean | No (Config) | Determines whether to verify the SSL certificate - of the API endpoint. Defaults to False. | - - - ### Additional Notes: - - * This action does not process any entities from the SecOps case; it uses a static - IP address for the health check. - - * There are no action-specific parameters; all required values are pulled from - the integration's shared configuration. + ai_description: "### General Description\nThe Ping action is a diagnostic tool used\ + \ to verify the connectivity between Google SecOps and the Recorded Future API.\ + \ It ensures that the provided API URL and API Key are valid and that the network\ + \ configuration allows for successful communication with the service.\n\n### Parameters\ + \ Description\nThere are no action-specific parameters for this action. It relies\ + \ entirely on the integration's global configuration parameters:\n\n| Parameter\ + \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| ApiUrl\ + \ | String | Yes | The base URL for the Recorded Future API. |\n| ApiKey | String\ + \ | Yes | The API key used for authentication with Recorded Future. |\n| Verify\ + \ SSL | Boolean | No | If enabled, the action will verify the SSL certificate\ + \ of the API server. Defaults to False. |\n\n### Additional Notes\nThis action\ + \ performs a test lookup for a known public IP address (8.8.8.8) to confirm that\ + \ the enrichment service is responsive. It does not process any entities from\ + \ the current case or alert.\n\n### Flow Description\n1. **Initialization**: The\ + \ action initializes the Siemplify API and extracts the global configuration parameters\ + \ (API URL, API Key, and SSL verification settings).\n2. **Manager Setup**: It\ + \ instantiates the `RecordedFutureManager` using the provided credentials.\n3.\ + \ **Connectivity Test**: The action calls the `test_connectivity` method, which\ + \ attempts to perform a basic enrichment lookup for the IP address `8.8.8.8`.\n\ + 4. **Result Handling**: \n * If the lookup is successful, the action returns\ + \ a success status with the message \"Connection Established.\"\n * If an exception\ + \ occurs (e.g., network error, invalid API key), the action catches the error,\ + \ logs the details, and returns a failure status with a descriptive error message." capabilities: can_create_case_comments: false can_create_insight: false @@ -1367,7 +1437,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1381,6 +1451,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Refresh Playbook Alert: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1394,65 +1465,63 @@ Ping: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: true remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Refresh Playbook Alert: ai_description: >- - ### General Description + Refreshes a Recorded Future Playbook Alert within a Google SecOps case by fetching + the latest data from the Recorded Future platform. This action is specifically + designed to work with cases generated by the Recorded Future Playbook Alerts Connector. + It retrieves updated alert details based on a specific Playbook Alert ID and Category, + identifies new entities associated with the alert, and adds them to the current + case. Additionally, it generates enriched event data, including HTML-formatted + content for display in SecOps widgets, and provides a direct link to the Recorded + Future Web Report. - Updates information in a Google SecOps case created by the Recorded Future Playbook - Alerts Connector. This action fetches the latest data for a specific Playbook - Alert from the Recorded Future platform and synchronizes the case by adding any - newly discovered entities. - - - ### Flow Description - 1. **Validation**: Verifies that the current alert in Google SecOps is a Recorded - Future Playbook Alert. - - 2. **Data Retrieval**: Fetches the latest alert details from Recorded Future using - the provided Alert ID and Category. - - 3. **Entity Extraction**: Processes the alert data based on its category (e.g., - Domain Abuse, Identity Exposure) to identify relevant indicators. + ### Parameters - 4. **Case Synchronization**: Automatically adds newly discovered entities (IPs, - Domains, CVEs, etc.) to the current Google SecOps case. + | Parameter | Type | Mandatory | Description | - 5. **Output Generation**: Populates the action results with formatted JSON and - provides a direct link to the Recorded Future Intelligence Card. + | :--- | :--- | :--- | :--- | + | Playbook Alert ID | string | True | The unique identifier of the playbook alert + in Recorded Future for which you want to fetch updated details. | - ### Parameters Description + | Category | string | True | The category of the Playbook Alert. Supported values + include: `domain_abuse`, `cyber_vulnerability`, `code_repo_leakage`, `third_party_risk`, + `identity_novel_exposures`, and `geopolitics_facility`. | - | Parameter | Description | Type | Mandatory | - | :--- | :--- | :--- | :--- | + ### Flow Description - | Playbook Alert ID | The unique identifier of the playbook alert in Recorded - Future. | String | Yes | + 1. **Validation:** The action first verifies that the current Google SecOps alert + originated from the Recorded Future Playbook Alert product. - | Category | The category of the Playbook Alert. Supported values: `domain_abuse`, - `cyber_vulnerability`, `code_repo_leakage`, `third_party_risk`, `identity_novel_exposures`, - and `geopolitics_facility`. | String | Yes | + 2. **Data Retrieval:** It calls the Recorded Future API to fetch the most recent + details for the specified Playbook Alert ID and Category. + 3. **Entity Discovery:** Based on the alert category, the action parses the response + to identify relevant entities such as IP addresses, domains, hostnames, or CVEs. - ### Additional Notes + 4. **Internal Mutation:** Discovered entities are added to the Google SecOps case + using the `add_entity_to_case` method. - This action is specifically designed to work with cases generated by the Recorded - Future Playbook Alerts Connector. It ensures that the investigation context remains - up-to-date as the external alert evolves. + 5. **Output Generation:** The action constructs a JSON result containing enriched + event data (including HTML chunks for UI widgets) and adds a direct link to the + Recorded Future portal for the specific alert. capabilities: can_create_case_comments: false can_create_insight: false @@ -1463,12 +1532,12 @@ Refresh Playbook Alert: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Adds new entities discovered in the refreshed Recorded Future Playbook Alert - to the current Google SecOps case. + The action adds new entities discovered in the refreshed Recorded Future alert + data to the current Google SecOps case. categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1482,6 +1551,7 @@ Refresh Playbook Alert: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Search Hash Malware Intelligence: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1493,84 +1563,70 @@ Refresh Playbook Alert: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: false + enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Search Hash Malware Intelligence: ai_description: >- - Queries Recorded Future's Malware Intelligence to retrieve sandbox analysis reports - for SHA256 file hashes. This action allows analysts to look up historical sandbox - detonations and technical indicators associated with a specific hash without needing - to re-detonate the file. - + Queries Recorded Future to retrieve existing malware intelligence and sandbox + analysis reports for file hash entities. This action specifically targets SHA256 + hashes and searches for reports previously generated within the Recorded Future + Sandbox environment. It allows users to filter results to their own enterprise + submissions and define a specific lookback period. For every hash found, the action + generates a detailed Case Insight containing analysis summaries, risk scores, + detected signatures (including TTPs), and network flow data. - ### General Description - - The action iterates through file hash entities in the current context and queries - the Recorded Future API for existing sandbox reports. It supports filtering by - date range and can be restricted to only search for samples submitted by the user's - enterprise. The results include risk scores, malware signatures, and network flow - data, which are then presented as a Case Insight for quick review. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Default | Description | - - | :--- | :--- | :--- | :--- | :--- | - - | My Enterprise | boolean | No | false | If set to true, the action will only - return reports for samples submitted by your organization. | - - | Start Date | string | No | -30d | The starting point for the search lookback. - Supports relative formats (e.g., '-1d', '-30d') or specific dates (YYYY-MM-DD). - | - | End Date | string | No | None | The end point for the search lookback. If left - empty, it defaults to the current time. | + ### Flow Description: + 1. **Parameter Extraction:** The action retrieves the API configuration and user-provided + parameters, including the enterprise filter and date range. - ### Additional Notes + 2. **Entity Filtering:** It identifies all `FILEHASH` entities within the current + context, specifically validating that they are SHA256 (64 characters). - * This action specifically targets **SHA256** hashes. The logic explicitly filters - for hash identifiers with a length of 64 characters. + 3. **Intelligence Retrieval:** For each valid hash, it queries the Recorded Future + Malware Intelligence API for sandbox reports matching the criteria. - * If no report is found for a hash within the specified timeframe, the action - will still complete successfully but will indicate that no data was found in the - insight. + 4. **Insight Generation:** If reports are found, the action parses the technical + details (signatures, network flows, scores) and creates a formatted HTML Case + Insight for the entity. + 5. **Result Output:** The action returns a JSON object containing the raw report + data and updates the action status based on whether reports were successfully + retrieved. - ### Flow Description - 1. **Parameter Extraction:** The action retrieves the API configuration and user-provided - parameters (Enterprise filter and date range). + ### Parameters Description: - 2. **Entity Filtering:** It identifies `FILEHASH` entities from the target list, - specifically looking for SHA256 strings. + | Parameter Name | Type | Mandatory | Description | - 3. **API Query:** For each valid hash, it calls the Recorded Future Malware Intelligence - API to fetch sandbox reports. + | :--- | :--- | :--- | :--- | - 4. **Data Transformation:** The raw API response is parsed into a structured data - model containing analysis summaries, signatures, and network telemetry. + | My Enterprise | boolean | No | If set to `true`, the search is restricted to + samples submitted by your organization's Recorded Future account. Defaults to + `false`. | - 5. **Insight Generation:** A detailed HTML insight is created and attached to - the entity in the Google SecOps case, providing immediate visibility into the - malware's behavior. + | Start Date | string | No | The start date for the report search lookback. Supports + relative formats like `-30d` or absolute dates like `YYYY-MM-DD`. Defaults to + `-30d`. | - 6. **Result Output:** The full report data is added to the action's JSON results - for use in downstream playbook logic. + | End Date | string | No | The end date for the report search lookback. Supports + relative or absolute formats. If left empty, it defaults to the current date. + | capabilities: can_create_case_comments: false can_create_insight: true @@ -1581,19 +1637,19 @@ Search Hash Malware Intelligence: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action creates Case Insights within Google SecOps to display the retrieved - malware intelligence reports. + The action creates Case Insights within Google SecOps to display malware intelligence + and sandbox report details for the analyzed file hashes. categories: enrichment: true entity_usage: entity_types: - - FILEHASH + - FILEHASH filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false filters_by_creation_time: false filters_by_entity_type: true - filters_by_identifier: true + filters_by_identifier: false filters_by_is_artifact: false filters_by_is_enriched: false filters_by_is_internal: false @@ -1601,8 +1657,9 @@ Search Hash Malware Intelligence: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Update Alert: action_product_categories: - add_alert_comment: false + add_alert_comment: true add_ioc_to_allowlist: false add_ioc_to_blocklist: false contain_host: false @@ -1612,69 +1669,72 @@ Search Hash Malware Intelligence: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: true + enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false - update_alert: false + update_alert: true update_email: false update_identity: false update_ticket: false -Update Alert: ai_description: >- - Updates an existing alert in the Recorded Future Intelligence platform. This action - allows analysts to modify the status, assignee, and associated notes of a specific - alert identified by its ID. It is primarily used to synchronize the state of an - investigation between Google SecOps and Recorded Future. + Updates an existing alert in Recorded Future by modifying its status, assignee, + or adding a note. This action allows analysts to synchronize the state of an alert + between Google SecOps and the Recorded Future platform. ### Flow Description: - 1. **Parameter Extraction:** The action retrieves the Alert ID, the new Status, - the Assignee (optional), and any Note (optional) from the user input. + 1. **Parameter Extraction:** The action retrieves the Recorded Future API credentials + and the specific alert details (ID, Status, Assignee, and Note) from the action + parameters. - 2. **Input Validation:** It verifies that at least one update field (Status, Assign - To, or Note) has been provided. If the Status is set to 'None' and no assignee - or note is provided, the action will fail to prevent empty updates. + 2. **Validation:** It verifies that at least one of the optional parameters (Assign + To, Note, or Status) is provided to perform an update. - 3. **API Interaction:** The action initializes the Recorded Future Manager and - sends a request to the Recorded Future API to update the specified alert record. + 3. **API Interaction:** The action uses the `RecordedFutureManager` to send a + request to the Recorded Future API, targeting the specified Alert ID with the + new values. - 4. **Result Processing:** Upon success, the action returns a JSON confirmation - of the update and provides an output message to the analyst. + 4. **Result Processing:** Upon a successful API call, the action returns a JSON + result confirming the update and provides an output message to the SecOps case + wall. ### Parameters Description: - | Parameter | Type | Mandatory | Description | + + | Parameter Name | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Alert ID | string | Yes | The unique identifier of the alert in Recorded Future + | Alert ID | String | Yes | The unique identifier of the alert in Recorded Future that needs to be updated. | - | Status | ddl | Yes | The new status to assign to the alert. Options include: - None, New, Pending, Dismissed, Resolved, Flag for Tuning. Selecting 'None' means - the status will not be changed. | - - | Assign To | string | No | The identifier of the user to whom the alert should - be assigned. This can be an ID, username, user hash, or email address. | + | Assign To | String | No | The identifier (ID, username, hash, or email) of the + user to whom the alert should be assigned. | - | Note | string | No | A text note or comment to be appended to the alert in Recorded + | Note | String | No | A text note to be added or updated on the alert in Recorded Future. | + | Status | DDL | Yes | The new status to set for the alert. Options include: New, + Pending, Dismissed, Resolved, Flag for Tuning. | + ### Additional Notes: - * **Validation Logic:** While the 'Status' parameter is mandatory, selecting 'None' - is treated as a null operation for that field. In such cases, either 'Assign To' - or 'Note' must be populated for the action to execute successfully. + * Although 'Status' is marked as mandatory in the configuration, the underlying + logic requires that at least one of 'Status', 'Assign To', or 'Note' contains + a value for the action to execute successfully. capabilities: can_create_case_comments: false can_create_insight: false @@ -1683,14 +1743,14 @@ Update Alert: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the status, assignee, and notes of an alert record within the Recorded - Future platform. + Updates the status, assignee, and notes of an alert within the Recorded Future + platform. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1704,6 +1764,7 @@ Update Alert: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Update Playbook Alert: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1717,78 +1778,76 @@ Update Alert: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false - update_alert: false + update_alert: true update_email: false update_identity: false - update_ticket: true -Update Playbook Alert: + update_ticket: false ai_description: >- Updates a playbook alert in Recorded Future with new metadata such as status, - priority, or assignee. This action allows analysts to synchronize the state of - a Recorded Future alert with the investigation progress in Google SecOps. - - - ### Parameters + priority, assignee, and comments. This action allows analysts to synchronize the + state of an alert between Google SecOps and Recorded Future. - | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + ### Flow Description: - | Playbook Alert ID | string | Yes | The unique identifier of the playbook alert - to be updated. | + 1. **Parameter Extraction:** The action retrieves the mandatory Playbook Alert + ID and Category, along with optional update parameters (Status, Priority, Assignee, + Log Entry, and Reopen Strategy). - | Playbook Alert Category | string | Yes | The category of the playbook alert - (e.g., domain_abuse, cyber_vulnerability). | + 2. **Validation:** It verifies that at least one optional update parameter has + been provided; otherwise, the action fails to prevent redundant API calls. - | Assign To | string | No | The user hash (uhash) of the Recorded Future user - to whom the alert should be assigned. | + 3. **External Interaction:** The action uses the Recorded Future Manager to fetch + the current state of the alert and then submits an update request to the Recorded + Future API. - | Log Entry | string | No | A comment or note to be added to the alert's activity - log during the update. | + 4. **Result Processing:** The updated alert details are returned as a JSON result, + and a success message is displayed in the action output. - | Status | ddl | No | The new status for the alert. Options: New, In Progress, - Dismissed, Resolved. | - | Priority | ddl | No | The new priority level for the alert. Options: High, Moderate, - Informational. | + ### Parameters Description: - | Reopen Strategy | ddl | No | Defines the strategy for reopening the alert. Options: - Never, Significant Updates. | + | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Additional Notes + | Playbook Alert ID | String | Yes | The unique identifier of the playbook alert + to be updated. | - - At least one of the optional parameters (Assign To, Log Entry, Status, Priority, - or Reopen Strategy) must be provided for the action to execute successfully. + | Playbook Alert Category | String | Yes | The category of the playbook alert + (e.g., domain_abuse, cyber_vulnerability). | - - The action first fetches the current state of the alert from Recorded Future - before applying the requested changes. + | Assign To | String | No | The user uhash to whom the alert should be assigned + in Recorded Future. | + | Log Entry | String | No | A comment or note to be added to the alert's activity + log during the update. | - ### Flow Description + | Status | DDL | No | The new status for the alert (New, In Progress, Dismissed, + Resolved). | - 1. **Parameter Extraction:** Retrieves the Alert ID, Category, and update fields - from the action input. + | Priority | DDL | No | The new priority level for the alert (High, Moderate, + Informational). | - 2. **Validation:** Checks that at least one update field is populated to avoid - redundant API calls. + | Reopen Strategy | DDL | No | Defines the strategy for reopening the alert (Never, + Significant Updates). | - 3. **Manager Initialization:** Establishes a connection to the Recorded Future - API using the provided credentials. - 4. **External Update:** Calls the Recorded Future API to modify the specified - playbook alert attributes. + ### Additional Notes: - 5. **Result Processing:** Returns the raw JSON response of the updated alert and - provides a success message to the analyst. + At least one of the following parameters must be configured for the action to + run: 'Assign To', 'Log Entry', 'Status', 'Priority', or 'Reopen Strategy'. capabilities: can_create_case_comments: false can_create_insight: false @@ -1798,13 +1857,13 @@ Update Playbook Alert: can_update_entities: false external_data_mutation_explanation: >- Updates the status, priority, assignee, log entry, or reopen strategy of a playbook - alert record within the Recorded Future platform. + alert in the Recorded Future platform. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1818,28 +1877,3 @@ Update Playbook Alert: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: true diff --git a/content/response_integrations/third_party/partner/recorded_future_intelligence/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/partner/recorded_future_intelligence/resources/ai/connectors_ai_description.yaml index d8f0a1ed0..f4b655edf 100644 --- a/content/response_integrations/third_party/partner/recorded_future_intelligence/resources/ai/connectors_ai_description.yaml +++ b/content/response_integrations/third_party/partner/recorded_future_intelligence/resources/ai/connectors_ai_description.yaml @@ -2,12 +2,12 @@ ai_description: >- ### General Description - The Recorded Future - Classic Alerts Connector fetches "Classic Alerts" from the - Recorded Future API and ingests them into Google SecOps as cases. This integration - allows security teams to automate the monitoring of threat intelligence alerts - generated by Recorded Future's correlation rules, providing enriched event data, - AI-driven insights, and direct links to the Recorded Future portal for further - investigation. + This connector integrates with Recorded Future to ingest **Classic Alerts** into + Google SecOps. It allows security teams to monitor and automate the response to + external threat intelligence alerts generated by Recorded Future's intelligence + rules. The connector supports advanced filtering by alert status, rule names (via + allowlist/denylist), and severity, while also ingesting AI-generated insights + to provide analysts with immediate context. ### Parameters Description @@ -17,93 +17,94 @@ | :--- | :--- | :--- | :--- | | DeviceProductField | String | Yes | The source field name used to retrieve the - Product Field name (default: device_product). | + Product Field name (default: `device_product`). | | EventClassId | String | Yes | The source field name used to retrieve the Event - Field name (default: rule_name). | + Field name (default: `rule_name`). | - | Environment Field Name | String | No | The field name where the environment + | Environment Field Name | String | No | The name of the field where the environment name is stored. | - | Environment Regex Pattern | String | No | A regex pattern to extract or manipulate - the environment name from the environment field. | + | Environment Regex Pattern | String | No | A regex pattern to manipulate the + value found in the Environment Field Name. | - | PythonProcessTimeout | Integer | Yes | The timeout limit in seconds for the - connector's execution (default: 180). | + | PythonProcessTimeout | Integer | Yes | Timeout limit in seconds for the python + process (default: `180`). | - | API URL | String | Yes | The root URL of the Recorded Future API instance. | + | API URL | String | Yes | API Root of the Recorded Future instance (default: + `https://api.recordedfuture.com`). | - | API Key | Password | Yes | The API Key used to authenticate with Recorded Future. - | + | API Key | Password | Yes | Your Recorded Future API Key. | - | Fetch Max Hours Backwards | Integer | No | The number of hours to look back - for alerts during the first run or if no checkpoint exists. | + | Fetch Max Hours Backwards | Integer | No | The number of hours back from which + to fetch events if no previous timestamp exists. | - | Alert Statuses | String | No | Comma-separated list of alert statuses to fetch - (e.g., New, Pending, Resolved, Dismissed). | + | Alert Statuses | String | No | Comma-separated list of statuses to fetch (e.g., + `New, Pending, Resolved, Dismissed`). | - | Max Alerts To Fetch | Integer | No | The maximum number of alerts to process - in a single connector iteration. | + | Max Alerts To Fetch | Integer | No | Maximum number of alerts to process per + iteration (default: `100`). | - | Severity | String | Yes | The severity level (Low, Medium, High, Critical) to - assign to the created SecOps alerts. | + | Severity | String | Yes | The severity assigned to created alerts (Low, Medium, + High, Critical). | - | Use whitelist as a blacklist | Boolean | No | If enabled, the provided whitelist - will be treated as a denylist to exclude specific rules. | + | Use whitelist as a blacklist | Boolean | No | If enabled, the connector's whitelist + will act as a denylist for rule names. | | Enable Overflow | Boolean | No | If enabled, uses deduplication logic to prevent - redundant alerts from creating multiple cases. | + alert flooding. | - | Extract all Entities | Boolean | No | If enabled, extracts all entities found - in the alert events; otherwise, only primary entities are extracted. | + | Extract all Entities | Boolean | No | If enabled, extracts all entities from + alert events; otherwise, only the primary entity is extracted. | | Verify SSL | Boolean | No | If enabled, verifies the SSL certificate of the Recorded Future server. | - | Proxy Server Address | String | No | The address of the proxy server if one - is required. | + | Proxy Server Address | String | No | The address of the proxy server to use. + | - | Proxy Username | String | No | The username for proxy authentication. | + | Proxy Username | String | No | The proxy username for authentication. | - | Proxy Password | Password | No | The password for proxy authentication. | + | Proxy Password | Password | No | The proxy password for authentication. | ### Flow Description - 1. **Authentication**: The connector establishes a connection to the Recorded - Future API using the provided API Key and URL. + 1. **Initialization**: Connects to the Recorded Future API using the provided + API Key and URL, validating SSL and proxy settings if configured. - 2. **Timeframe Calculation**: It determines the starting point for the fetch based + 2. **Time Range Determination**: Calculates the starting point for the fetch based on the last successful execution timestamp or the "Fetch Max Hours Backwards" parameter. - 3. **Alert Retrieval**: The connector queries Recorded Future for alerts matching - the configured statuses (e.g., "New") and applies filtering based on the whitelist/denylist - of rule names. + 3. **Alert Discovery**: Queries Recorded Future for alert IDs that match the specified + "Alert Statuses" and (optionally) specific rule IDs defined in the whitelist. - 4. **Deduplication**: It checks the retrieved alert IDs against a local database - of previously processed IDs to ensure no duplicate cases are created. + 4. **Data Retrieval**: Fetches full alert details in bulk, including metadata, + associated entities, and AI-generated insights (AI Insights). - 5. **Data Enrichment**: For each valid alert, the connector extracts event data, - including AI-generated insights and metadata such as the alert URL and rule generator. + 5. **Filtering**: Applies whitelist/denylist logic against the Recorded Future + `rule_name` to determine which alerts should be processed. - 6. **Case Creation**: The connector maps the Recorded Future alert data to the - Google SecOps AlertInfo model, applies environment logic, and checks for overflow/deduplication - before ingesting the case into the system. + 6. **Mapping & Enrichment**: Transforms the raw Recorded Future data into the + Google SecOps AlertInfo model. This includes mapping severity, assigning environments + via regex, and attaching AI insights to the event data. - 7. **Checkpointing**: Upon successful processing, the connector saves the timestamp - of the most recent alert and updates the list of processed IDs for the next cycle. + 7. **Deduplication**: Checks if "Enable Overflow" is active to skip alerts that + meet deduplication criteria. + + 8. **Ingestion**: Creates cases in Google SecOps for each processed alert and + updates the internal state with the latest processed alert IDs and timestamps. "Recorded Future - Playbook Alerts Connector": ai_description: >- ### General Description - The Recorded Future - Playbook Alerts Connector fetches high-fidelity threat intelligence - alerts from the Recorded Future platform and ingests them into Google SecOps as - cases. It specifically targets 'Playbook Alerts,' which are categorized intelligence - findings such as domain abuse, code repository leakages, cyber vulnerabilities, - and third-party risks. This integration enables security teams to automate the - response to external threat intelligence by providing structured alert data directly - within the SOAR environment. + The Recorded Future - Playbook Alerts Connector ingests high-fidelity "Playbook + Alerts" from the Recorded Future Intelligence platform into Google SecOps. This + connector allows security teams to automate the monitoring of specific threat + categories, such as domain abuse, code repository leakages, and third-party risks, + by transforming these intelligence alerts into actionable cases within the SOAR + environment. ### Parameters Description @@ -112,119 +113,136 @@ | :--- | :--- | :--- | :--- | - | API URL | String | Yes | The API Root of the Recorded Future instance (e.g., - https://api.recordedfuture.com). | + | DeviceProductField | String | Yes | The source field name used to retrieve the + Product Field name (default: device_product). | + + | EventClassId | String | Yes | The source field name used to retrieve the Event + Field name (default: category). | - | API Key | Password | Yes | The API Key used to authenticate with Recorded Future. + | Environment Field Name | String | No | The name of the field where the environment + name is stored. | + + | Environment Regex Pattern | String | No | A regex pattern used to extract or + manipulate the environment name from the environment field. | + + | PythonProcessTimeout | Integer | Yes | The maximum time (in seconds) allowed + for the connector script to run. | + + | API URL | String | Yes | The base URL for the Recorded Future API instance. | - | Playbook Alert Categories | String | No | Comma-separated list of categories - to fetch (e.g., domain_abuse, cyber_vulnerability, code_repo_leakage). | + | API Key | Password | Yes | The API Key used for authentication with Recorded + Future. | - | Playbook Alert Statuses | String | No | Comma-separated list of statuses to - fetch (e.g., New, InProgress, Resolved). | + | Fetch Max Hours Backwards | Integer | No | The lookback window (in hours) for + fetching alerts during the first run or after a gap. | - | Playbook Alert Priorities | String | No | Comma-separated list of priorities - to fetch (e.g., Informational, Moderate, High). | + | Playbook Alert Categories | String | No | Comma-separated list of categories + to fetch (e.g., domain_abuse, cyber_vulnerability). | + + | Playbook Alert Statuses | String | No | Comma-separated list of alert statuses + to fetch (e.g., New, InProgress). | - | Fetch Max Hours Backwards | Integer | No | The number of hours back from the - current time to start fetching alerts. | + | Playbook Alert Priorities | String | No | Comma-separated list of alert priorities + to fetch (e.g., High, Moderate). | | Max Alerts To Fetch | Integer | No | The maximum number of alerts to process in a single connector iteration. | - | Severity | String | No | An optional override for the alert severity (Low, Medium, - High, Critical). | + | Severity | String | No | An optional override to set a fixed severity (Low, + Medium, High, Critical) for all ingested alerts. | - | Enable Overflow | Boolean | No | If enabled, uses Google SecOps overflow logic - to deduplicate similar alerts. | + | Enable Overflow | Boolean | No | If enabled, uses the Google SecOps overflow + mechanism to deduplicate similar alerts. | - | Verify SSL | Boolean | No | If enabled, verifies the SSL certificate for the - connection to the Recorded Future server. | + | Verify SSL | Boolean | No | If enabled, verifies the SSL certificate of the + Recorded Future server. | + + | Proxy Server Address | String | No | The address of the proxy server if one + is required. | - | Environment Field Name | String | No | The field name used to determine the - environment for the ingested alerts. | + | Proxy Username | String | No | The username for proxy authentication. | + + | Proxy Password | Password | No | The password for proxy authentication. | ### Flow Description - 1. **Initialization**: The connector validates the API credentials and configuration - parameters, including category and status filters. + 1. **Initialization**: The connector establishes a connection to the Recorded + Future API using the provided credentials and configuration. - 2. **State Retrieval**: It identifies the starting point for the fetch by checking - the last successful execution timestamp and retrieves a list of previously processed - alert IDs to avoid duplication. + 2. **Time Window Calculation**: It determines the starting point for the fetch + by checking the last successful execution timestamp or falling back to the "Fetch + Max Hours Backwards" setting. - 3. **API Query**: The connector sends a request to the Recorded Future Playbook - Alerts API, filtering by the configured categories, statuses, priorities, and - the time window defined by the 'Fetch Max Hours Backwards' parameter. + 3. **Data Retrieval**: The connector queries Recorded Future for Playbook Alerts, + applying filters for specific categories, statuses, and priorities defined in + the parameters. - 4. **Alert Transformation**: For each retrieved alert, the connector maps the - Recorded Future data model to the Google SecOps `AlertInfo` format. This includes - setting the environment, priority, and rule generator fields. + 4. **Deduplication**: It compares fetched alert IDs against a local cache of previously + processed IDs to ensure no duplicate cases are created. - 5. **Deduplication & Overflow**: If 'Enable Overflow' is active, the connector - checks the SOAR platform's overflow mechanism to skip alerts that are considered - duplicates based on defined logic. + 5. **Transformation**: Each unique alert is mapped to the Google SecOps AlertInfo + data model. This includes mapping environment details, calculating severity (or + applying overrides), and formatting the raw intelligence data into events. - 6. **Case Creation**: Validated and transformed alerts are ingested into Google - SecOps to create actionable cases. + 6. **Overflow Check**: If enabled, the connector checks if the alert matches overflow + criteria to prevent system saturation from repetitive alerts. - 7. **Checkpointing**: Upon successful completion, the connector saves the current - timestamp and the list of processed alert IDs to ensure the next iteration starts - from the correct point. + 7. **Ingestion**: Validated alerts are sent to the Google SecOps platform to be + created as cases. The connector then updates its state by saving the new timestamp + and processed IDs. "Recorded Future - Playbook Alerts Tracking Connector": - ai_description: "### General Description\nThe Recorded Future Playbook Alerts Tracking\ - \ connector monitors and ingests updates to existing Playbook Alerts from the\ - \ Recorded Future platform. Unlike standard alert connectors that fetch only new\ - \ records, this tracking connector identifies significant changes in existing\ - \ alerts\u2014such as status changes, priority escalations, or new evidence\u2014\ - and creates new cases in Google SecOps based on specific user-defined triggers.\ - \ This ensures that security teams are alerted to evolving threats and intelligence\ - \ updates throughout the lifecycle of an alert.\n\n### Parameters Description\n\ - | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ - | DeviceProductField | String | Yes | The source field name used to retrieve the\ - \ Product Field name (default: device_product). |\n| EventClassId | String | Yes\ - \ | The source field name used to retrieve the Event Field name (default: category).\ - \ |\n| Environment Field Name | String | No | The field name where the environment\ - \ name is stored for multi-tenant environments. |\n| Environment Regex Pattern\ - \ | String | No | A regex pattern to extract or manipulate the environment name\ - \ from the environment field. |\n| PythonProcessTimeout | Integer | Yes | The\ - \ timeout limit in seconds for the connector's execution process. |\n| API URL\ - \ | String | Yes | The API Root of the Recorded Future instance (default: https://api.recordedfuture.com).\ - \ |\n| API Key | Password | Yes | The API Key used to authenticate with Recorded\ - \ Future. |\n| Search Max Hours Backwards | Integer | No | The number of hours\ - \ to look back for updates during the first run or if no checkpoint exists. |\n\ - | Playbook Alert Categories | String | No | Comma-separated list of categories\ - \ to fetch (e.g., domain_abuse, cyber_vulnerability, third_party_risk). |\n| Playbook\ - \ Alert Statuses | String | No | Comma-separated list of statuses to fetch (New,\ - \ InProgress, Resolved, Dismissed). |\n| Playbook Alert Priorities | String |\ - \ No | Comma-separated list of priorities to fetch (Informational, Moderate, High).\ - \ |\n| Playbook Alert Reopened | Boolean | No | If enabled, creates a new case\ - \ when a previously closed Playbook Alert is reopened. |\n| Priority Increased\ - \ | Boolean | No | If enabled, creates a new case when the priority of a Playbook\ - \ Alert is increased. |\n| New Assessment Added | Boolean | No | If enabled, creates\ - \ a new case when a new assessment is added to a Playbook Alert. |\n| Entity Added\ - \ | Boolean | No | If enabled, creates a new case when new entities are added\ - \ to a Playbook Alert. |\n| Max Alerts To Fetch | Integer | No | The maximum number\ - \ of alerts to process in a single connector iteration. |\n| Severity | String\ - \ | Yes | The severity level (Low, Medium, High, Critical) to assign to the created\ - \ Google SecOps cases. |\n| Enable Overflow | Boolean | No | If enabled, uses\ - \ Google SecOps overflow logic to deduplicate similar alerts. |\n| Verify SSL\ - \ | Boolean | No | If enabled, verifies the SSL certificate for the connection\ - \ to Recorded Future. |\n\n### Flow Description\n1. **Authentication**: The connector\ - \ establishes a connection to the Recorded Future API using the provided API Key\ - \ and URL.\n2. **Time Window Determination**: It calculates the search window\ - \ by checking the last successful execution timestamp or falling back to the \"\ - Search Max Hours Backwards\" setting.\n3. **Alert Retrieval**: The connector queries\ - \ Recorded Future for Playbook Alerts that have been updated within the search\ - \ window, applying filters for Category, Status, and Priority.\n4. **Update Analysis**:\ - \ For each retrieved alert, the connector analyzes the internal change logs (`panel_log_v2`)\ - \ to identify the specific nature of the update.\n5. **Trigger Filtering**: It\ - \ evaluates the updates against the enabled tracking triggers: Reopened, Priority\ - \ Increased, New Assessment Added, or Entity Added. If no enabled trigger is matched,\ - \ the update is skipped.\n6. **Case Mapping**: Alerts meeting the trigger criteria\ - \ are mapped to the Google SecOps `AlertInfo` data model, including relevant event\ - \ details and environment context.\n7. **Ingestion**: The connector ingests the\ - \ processed updates as new cases into Google SecOps and updates the execution\ - \ checkpoint." + ai_description: "### General Description\nThe **Recorded Future - Playbook Alerts\ + \ Tracking Connector** is designed to monitor and ingest updates for existing\ + \ Playbook Alerts from Recorded Future into Google SecOps. Unlike standard connectors\ + \ that fetch new alerts, this tracking connector specifically identifies modifications\ + \ to existing alerts\u2014such as status changes, priority escalations, or the\ + \ addition of new evidence\u2014and creates new cases in Google SecOps based on\ + \ these triggers. This ensures that significant developments in ongoing Recorded\ + \ Future investigations are captured as actionable events within the SOAR platform.\n\ + \n### Parameters Description\n| Parameter | Type | Mandatory | Description |\n\ + | :--- | :--- | :--- | :--- |\n| DeviceProductField | String | Yes | The source\ + \ field name used to retrieve the Product Field name (default: device_product).\ + \ |\n| EventClassId | String | Yes | The source field name used to retrieve the\ + \ Event Field name (default: category). |\n| Environment Field Name | String |\ + \ No | The field name where the environment name is stored. |\n| Environment Regex\ + \ Pattern | String | No | A regex pattern to manipulate the environment field\ + \ value. |\n| PythonProcessTimeout | Integer | Yes | Timeout limit in seconds\ + \ for the python process. |\n| API URL | String | Yes | The API Root of the Recorded\ + \ Future instance (default: https://api.recordedfuture.com). |\n| API Key | Password\ + \ | Yes | Your Recorded Future API Key. |\n| Search Max Hours Backwards | Integer\ + \ | No | The number of hours to look back for Playbook Alert updates since the\ + \ last run. |\n| Playbook Alert Categories | String | No | Comma-separated list\ + \ of categories to fetch (e.g., domain_abuse, cyber_vulnerability). |\n| Playbook\ + \ Alert Statuses | String | No | Comma-separated list of statuses to fetch (e.g.,\ + \ New, InProgress, Resolved). |\n| Playbook Alert Priorities | String | No | Comma-separated\ + \ list of priorities to fetch (e.g., Informational, Moderate, High). |\n| Playbook\ + \ Alert Reopened | Boolean | No | If true, creates a new case when a Playbook\ + \ Alert is reopened. |\n| Priority Increased | Boolean | No | If true, creates\ + \ a new case when a Playbook Alert's priority is increased. |\n| New Assessment\ + \ Added | Boolean | No | If true, creates a new case when a new assessment is\ + \ added to the alert. |\n| Entity Added | Boolean | No | If true, creates a new\ + \ case when new entities are added to the alert. |\n| Max Alerts To Fetch | Integer\ + \ | No | Maximum number of alerts to process per connector iteration. |\n| Severity\ + \ | String | Yes | The default severity (Low, Medium, High, Critical) assigned\ + \ to created alerts. |\n| Enable Overflow | Boolean | No | If enabled, uses Google\ + \ SecOps overflow logic to deduplicate similar alerts. |\n| Verify SSL | Boolean\ + \ | No | If enabled, verifies the SSL certificate for the Recorded Future server.\ + \ |\n\n### Flow Description\n1. **Initialization**: The connector establishes\ + \ a connection to the Recorded Future API using the provided API Key and URL.\n\ + 2. **Time Range Calculation**: It determines the search window by checking the\ + \ last successful execution time or falling back to the \"Search Max Hours Backwards\"\ + \ parameter.\n3. **Alert Retrieval**: It queries Recorded Future for Playbook\ + \ Alerts that have been updated within the time window, filtered by the configured\ + \ categories, statuses, and priorities.\n4. **Update Analysis**: For each retrieved\ + \ alert, the connector inspects the `panel_log_v2` (audit logs) to identify specific\ + \ changes that occurred within the search timeframe.\n5. **Trigger Evaluation**:\ + \ The connector checks if the identified changes match the enabled tracking triggers:\ + \ Reopened, Priority Increased, New Assessment Added, or Entity Added.\n6. **Case\ + \ Creation**: If a valid update trigger is detected, the connector maps the Playbook\ + \ Alert data into a Google SecOps alert format, applying environment and severity\ + \ settings.\n7. **Deduplication**: If \"Enable Overflow\" is active, the connector\ + \ checks for similar existing alerts to prevent redundant case creation.\n8. **Ingestion**:\ + \ The final alert objects are sent to Google SecOps to be created as new cases\ + \ for analyst review." diff --git a/content/response_integrations/third_party/partner/rubrik_security_cloud/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/rubrik_security_cloud/resources/ai/actions_ai_description.yaml index 17b09e2ad..36a27530c 100644 --- a/content/response_integrations/third_party/partner/rubrik_security_cloud/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/rubrik_security_cloud/resources/ai/actions_ai_description.yaml @@ -1,60 +1,93 @@ Advanced IOC Scan: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: true + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - Starts an advanced Indicator of Compromise (IOC) scan, also known as a Threat - Hunt, on specified Rubrik objects. This action allows security teams to search - for malicious files, hashes, or patterns across backup snapshots within Rubrik - Security Cloud. It supports complex filtering including file size limits, path - inclusions/exclusions, and specific snapshot time ranges. + Starts a new advanced threat hunt (IOC scan) in Rubrik Security Cloud across specified + objects. This action allows for granular scanning by supporting various indicator + types (Hashes, File Paths, or YARA rules) and filtering criteria such as date + ranges, file sizes, and path inclusions/exclusions. It initiates a bulk threat + hunt process and returns the unique identifiers for the created hunts. ### Flow Description - 1. **Parameter Validation:** The action validates the mandatory `Object ID` and - optional parameters like `Start Date`, `End Date`, and integer-based filters (file - sizes, snapshot limits). + 1. **Parameter Extraction:** Retrieves the target Object IDs, IOC details (either + via individual type/value or a JSON-encoded advanced IOC object), and various + scan filters (dates, file sizes, paths). + + 2. **Validation:** Validates that Object IDs are provided, dates are in the correct + ISO format, and integer parameters (like file sizes or snapshot limits) are valid. + It also ensures that the start date precedes the end date. - 2. **IOC Configuration:** It processes the IOC criteria provided either via the - `IOC Type` and `IOC Value` parameters or through a complex JSON object in the - `Advanced IOC` parameter. + 3. **API Initialization:** Authenticates with Rubrik Security Cloud using the + provided Service Account JSON and initializes the GraphQL API manager. - 3. **API Interaction:** It sends a GraphQL mutation (`startBulkThreatHunt`) to - Rubrik Security Cloud to initiate the scanning process. + 4. **Scan Initiation:** Executes a GraphQL mutation (`startBulkThreatHunt`) to + trigger the scan on the Rubrik platform. - 4. **Result Processing:** The action retrieves the unique IDs for the newly created - threat hunts and displays them in a data table within the SecOps case for tracking. + 5. **Result Processing:** Captures the hunt IDs and statuses from the response, + adds the raw JSON to the action results, and populates a data table in the SOAR + case for the analyst to track the progress. ### Parameters Description - | Parameter | Type | Mandatory | Description | + | Parameter Name | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Object ID** | String | Yes | Comma-separated list of Rubrik Object IDs (e.g., - virtual machines, file sets) to perform the scan on. | + | **Object ID** | String | Yes | Comma-separated list of Rubrik object IDs (e.g., + VM FIDs) to perform the scan on. | - | **IOC Type** | DDL | No | The category of indicator to search for: `PATH_OR_FILENAME`, - `HASH`, or `YARA_RULE`. | + | **IOC Type** | DDL | No | The type of indicator to scan for. Options: `INDICATOR_OF_COMPROMISE_TYPE_PATH_OR_FILENAME`, + `INDICATOR_OF_COMPROMISE_TYPE_HASH`, `INDICATOR_OF_COMPROMISE_TYPE_YARA_RULE`. + | - | **IOC Value** | String | No | The specific value (e.g., file hash or path pattern) - to search for. Required if `Advanced IOC` is not used. | + | **IOC Value** | String | No | The specific value of the indicator (e.g., a file + hash or path). Required if `IOC Type` is used. | - | **Advanced IOC** | String | No | A JSON-encoded string containing multiple indicators - of compromise. If provided, it overrides `IOC Type` and `IOC Value`. | + | **Advanced IOC** | String | No | A JSON-encoded string containing multiple IOCs. + Keys should be the IOC type and values should be lists of indicator values. | - | **Scan Name** | String | No | A custom name for the threat hunt. If omitted, + | **Scan Name** | String | No | A custom name for the threat hunt. If not provided, a name is auto-generated using the current timestamp. | - | **Start Date** | String | No | Filters snapshots to scan starting from this - date (Format: `yyyy-mm-dd` or ISO 8601). | + | **Start Date** | String | No | Filter snapshots from this date (Format: `yyyy-mm-dd` + or `yyyy-mm-ddTHH:MM:SSZ`). | - | **End Date** | String | No | Filters snapshots to scan until this date (Format: - `yyyy-mm-dd` or ISO 8601). | + | **End Date** | String | No | Filter snapshots until this date (Format: `yyyy-mm-dd` + or `yyyy-mm-ddTHH:MM:SSZ`). | - | **Max Snapshots Per Object** | String | No | Limits the number of snapshots - scanned for each specified object. | + | **Max Snapshots Per Object** | String | No | Maximum number of snapshots to + scan for each target object. | - | **Max Matches Per Snapshot** | String | No | Terminates the scan for a snapshot + | **Max Matches Per Snapshot** | String | No | The scan for a snapshot terminates once this number of matches is reached. | | **Min File Size** | String | No | Minimum file size in bytes to include in the @@ -63,11 +96,11 @@ Advanced IOC Scan: | **Max File Size** | String | No | Maximum file size in bytes to include in the scan. | - | **Paths To Include** | String | No | Comma-separated list of file paths to explicitly - include in the scan. | + | **Paths To Include** | String | No | Comma-separated list of file paths to include + in the scan. | - | **Paths To Exclude** | String | No | Comma-separated list of file paths to ignore - during the scan. | + | **Paths To Exclude** | String | No | Comma-separated list of file paths to exclude + from the scan. | | **Paths To Exempt** | String | No | Comma-separated list of paths to exempt from the exclusion list. | @@ -75,27 +108,29 @@ Advanced IOC Scan: ### Additional Notes - - Either the combination of `IOC Type` and `IOC Value` OR the `Advanced IOC` parameter - must be configured for the action to run successfully. + * **IOC Configuration:** You must provide either the `Advanced IOC` JSON parameter + OR both the `IOC Type` and `IOC Value` parameters for the action to execute successfully. - - The action returns a list of Hunt IDs which can be used in subsequent actions - to check the status or results of the scan. + * **Date Filtering:** If both `Start Date` and `End Date` are provided, the action + validates that the start date is earlier than the end date. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: true - can_mutate_internal_data: false + can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: >- - Initiates a new Threat Hunt process in Rubrik Security Cloud, which creates - new hunt records and triggers scanning tasks on the backup infrastructure. + Initiates a new threat hunt (scan job) in Rubrik Security Cloud, which creates + new hunt records and consumes system resources for the scanning process. fetches_data: true - internal_data_mutation_explanation: null + internal_data_mutation_explanation: >- + Adds a data table to the Google SecOps case containing the IDs and names of + the initiated threat hunts. categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -109,6 +144,7 @@ Advanced IOC Scan: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get CDM Cluster Connection State: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -119,55 +155,70 @@ Advanced IOC Scan: disable_identity: false download_file: false enable_identity: false - enrich_asset: false + enrich_asset: true enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get CDM Cluster Connection State: ai_description: >- - Retrieves the connection state of a specific Cloud Data Management (CDM) cluster - from Rubrik Security Cloud. This action is used to monitor the health and connectivity - status of Rubrik clusters, providing details on whether the cluster and its individual - nodes are currently connected to the Rubrik Security Cloud platform. + ### General Description + The **Get CDM Cluster Connection State** action retrieves the current connection + status of a specific Cloud Data Management (CDM) cluster within Rubrik Security + Cloud (RSC). This action is useful for monitoring the health and availability + of backup infrastructure components by checking the connectivity status of all + nodes within a cluster. - ### Parameters - | Parameter | Description | Type | Mandatory | + ### Parameters Description + + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Cluster ID | The unique identifier of the CDM cluster to query. | String | Yes - | + | **Cluster ID** | String | Yes | The unique identifier of the CDM cluster for + which the connection state is being requested. | ### Flow Description - 1. **Parameter Extraction:** Retrieves the mandatory `Cluster ID` from the action - input. + 1. **Parameter Extraction**: The action retrieves the mandatory `Cluster ID` from + the input parameters. + + 2. **Authentication**: It initializes the Rubrik API manager using the provided + service account credentials and handles OAuth token management (including automatic + refresh if expired). - 2. **API Initialization:** Sets up the Rubrik API manager using the integration's - service account credentials. + 3. **Data Retrieval**: A GraphQL query is sent to Rubrik Security Cloud to fetch + the `connectedState` for all nodes associated with the specified cluster ID. - 3. **Data Retrieval:** Executes a GraphQL query to fetch the `connectedState` - for the specified cluster and its associated nodes. + 4. **Data Processing**: The raw GraphQL response is parsed, and node connection + states are extracted and structured using a dedicated data model. - 4. **Data Processing:** Parses the API response into a structured data model. + 5. **Result Generation**: The action populates a data table named "CDM Cluster + Connection State" containing the Cluster ID and Connection State for each node. + It also attaches the full JSON response to the action results for further analysis. - 5. **Result Output:** Returns the full JSON response and generates a data table - titled 'CDM Cluster Connection State' containing the connection status for each - node. + + ### Additional Notes + + - This action does not run on entities; it requires a specific Cluster ID as input. + + - The data table is limited to the first 20 records (nodes) found to ensure performance + and readability. capabilities: can_create_case_comments: false can_create_insight: false @@ -179,9 +230,9 @@ Get CDM Cluster Connection State: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -195,6 +246,7 @@ Get CDM Cluster Connection State: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get CDM Cluster Location: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -208,63 +260,68 @@ Get CDM Cluster Connection State: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: true search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get CDM Cluster Location: ai_description: >- - Retrieves the geographical location information for a specific Rubrik Cloud Data - Management (CDM) cluster. This action queries the Rubrik Security Cloud API to - find the physical address or location details associated with the nodes of a cluster - identified by its unique ID. + ### General Description + The **Get CDM Cluster Location** action retrieves the geographical location (physical + address) of a specific Rubrik CDM (Cloud Data Management) cluster. This action + is used to identify where the physical hardware or cloud instance of a cluster + is located, which is essential for data residency verification, compliance auditing, + and infrastructure management. - ### Flow Description: - 1. **Parameter Extraction:** The action extracts the mandatory `Cluster ID` from - the input parameters. + ### Parameters Description - 2. **Authentication:** It initializes the Rubrik API Manager using service account - credentials to establish a secure connection. + | Parameter | Type | Mandatory | Description | - 3. **Data Retrieval:** It executes a GraphQL query (`CDM_CLUSTER_LOCATION_QUERY`) - to fetch the `geoLocation` and `address` data for the specified cluster. + | :--- | :--- | :--- | :--- | - 4. **Data Processing:** The response is parsed to extract location details for - all nodes within the cluster. + | Cluster ID | String | Yes | The unique identifier of the CDM cluster for which + you want to retrieve the location information. | - 5. **Output Generation:** The action populates the execution results with a raw - JSON response and creates a formatted data table named 'CDM Cluster Location' - containing the Cluster ID and its corresponding address. + ### Flow Description - ### Parameters Description: + 1. **Parameter Extraction**: The action extracts the mandatory `Cluster ID` from + the user input. + 2. **Authentication**: It establishes a secure connection to the Rubrik Security + Cloud using service account credentials and OAuth token management. - | Parameter Name | Type | Mandatory | Description | + 3. **API Query**: The action executes a GraphQL query (`CDM_CLUSTER_LOCATION_QUERY`) + against the Rubrik API, filtering by the provided `Cluster ID` to retrieve `geoLocation` + data. - | :--- | :--- | :--- | :--- | + 4. **Data Processing**: It parses the response to extract the physical address + for each node associated with the cluster. - | Cluster ID | String | Yes | The unique identifier of the CDM cluster for which - you want to retrieve location information. | + 5. **Output Generation**: The results are formatted into a data table named "CDM + Cluster Location" and the full raw response is attached as a JSON result for use + in subsequent playbook steps. - ### Additional Notes: + ### Additional Notes - - This action does not run on SOAR entities; it requires a specific Cluster ID - as a manual or playbook-provided input. + - This action does not operate on SecOps entities (like IPs or Hostnames); it + requires a specific Rubrik Cluster ID as a parameter. - - The results include a data table limited to the first 20 records for display - purposes. + - If the provided Cluster ID is invalid or not found, the action will return a + failure status. capabilities: can_create_case_comments: false can_create_insight: false @@ -276,9 +333,9 @@ Get CDM Cluster Location: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: true + enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -292,6 +349,7 @@ Get CDM Cluster Location: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Sonar Sensitive Hits: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -302,72 +360,73 @@ Get CDM Cluster Location: disable_identity: false download_file: false enable_identity: false - enrich_asset: true + enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: false + search_events: true send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Sonar Sensitive Hits: ai_description: >- - Retrieves sensitive data hits detected by Rubrik Sonar for a specific object within - Rubrik Security Cloud. Rubrik Sonar is a data classification and sensitive data - discovery engine that identifies sensitive information (like PII or PCI) within - backups. This action allows analysts to identify which data classification policies - were triggered and the volume of sensitive hits found on a specific resource. + Retrieves sensitive data classification hits for a specific Rubrik object (such + as a virtual machine, database, or file set) from Rubrik Security Cloud. This + action utilizes Rubrik Sonar, a data classification engine, to identify sensitive + data violations within a specified lookback period. It is useful for identifying + data exposure or compliance risks associated with specific backup objects. ### Flow Description: - 1. **Parameter Extraction:** The action retrieves the 'Object Name' and 'Lookback - Days' from the input parameters. - - 2. **Validation:** It validates that the 'Object Name' is provided and that 'Lookback - Days' is a non-negative integer. + 1. **Parameter Validation:** Validates the mandatory 'Object Name' and the optional + 'Lookback Days' (defaulting to 7 days if not provided). - 3. **Date Calculation:** It calculates a search date by subtracting the lookback - days from the current date. + 2. **Date Calculation:** Determines the target search date by subtracting the + lookback days from the current time. - 4. **Object Discovery:** It queries the Rubrik API to list all policy objects - for the calculated date and filters the results to find the specific object matching - the provided name. + 3. **Object Discovery:** Queries the Rubrik Security Cloud GraphQL API to find + the internal identifiers (snappableFid and snapshotFid) for the object matching + the provided name on the calculated date. - 5. **Detail Retrieval:** Once the object is identified, it performs a second query - to fetch detailed sensitive hit information, including analyzer names and hit - counts. + 4. **Data Retrieval:** Executes a detailed GraphQL query to fetch sensitive hit + metrics, including analyzer groups, specific analyzer names, and total hit counts + for the identified object snapshot. - 6. **Output Generation:** The results are formatted into a JSON object and a data - table (limited to the top 20 records) for display in the SOAR interface. + 5. **Output Generation:** Formats the retrieved data into a structured data table + ('Sonar Sensitive Hits') and provides the full raw JSON response for further processing. ### Parameters Description: + | Parameter Name | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Object Name | String | Yes | The exact name of the Rubrik object (e.g., a virtual - machine or file share) to check for sensitive hits. | + | Object Name | String | True | The exact name of the Rubrik object (e.g., a VM + or Volume Group) to check for sensitive data hits. | - | Lookback Days | String | No | The number of days in the past to look for scan - results. Defaults to 7 days. | + | Lookback Days | String | False | The number of days in the past to look for + scan results. Defaults to '7'. Must be a non-negative integer. | ### Additional Notes: - - This action does not run on SOAR entities; it requires the manual input of an - 'Object Name'. + - This action does not run on SecOps entities; it performs a search based on the + provided 'Object Name' string. - - The action uses GraphQL queries to interact with the Rubrik Security Cloud API. + - If no object is found matching the name or if no snapshots exist for that object + on the target date, the action will fail with an informative error message. capabilities: can_create_case_comments: false can_create_insight: false @@ -381,7 +440,7 @@ Get Sonar Sensitive Hits: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -395,6 +454,7 @@ Get Sonar Sensitive Hits: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +IOC Scan Results: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -408,28 +468,28 @@ Get Sonar Sensitive Hits: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -IOC Scan Results: ai_description: >- ### General Description - The **IOC Scan Results** action retrieves detailed information, metrics, and status - for a specific Turbo or Advanced Threat Hunt (IOC Scan) from Rubrik Security Cloud. - It is designed to provide analysts with visibility into the progress and findings - of a hunt, including scanned objects, affected snapshots, and specific IOC matches. - This action supports asynchronous execution, meaning it can poll the status of - a hunt until it reaches a terminal state (Succeeded or Failed). + Retrieves the results of an IOC (Indicator of Compromise) scan or threat hunt + from Rubrik Security Cloud. This action is designed to fetch detailed metrics + and status information for a specific hunt identified by its ID. It supports asynchronous + execution, allowing it to monitor the progress of a hunt that is still running. ### Parameters Description @@ -438,40 +498,38 @@ IOC Scan Results: | :--- | :--- | :--- | :--- | - | Hunt ID | String | Yes | The unique identifier of the threat hunt/IOC scan. - This ID is typically generated when starting a Turbo or Advanced IOC scan. | + | Hunt ID | String | Yes | The unique identifier of the threat hunt or IOC scan + to retrieve results for. | ### Flow Description - 1. **Initialization**: The action initializes the Rubrik Security Cloud API client - using the provided service account credentials and validates the mandatory `Hunt - ID` parameter. + 1. **Parameter Extraction**: The action retrieves the `Hunt ID` from the input + parameters and validates that it is a non-empty string. - 2. **Data Retrieval**: It executes a GraphQL query to fetch both the threat hunt - details (status, start/end times, IOC configuration) and the object metrics (total - scanned, affected, and unaffected objects). + 2. **Client Initialization**: It initializes the Rubrik Security Cloud API manager + using the provided service account credentials and handles OAuth token management. - 3. **Result Processing**: The raw JSON response is attached to the action results - for full visibility. + 3. **Data Retrieval**: A GraphQL query is sent to Rubrik to fetch `threatHuntDetailV2` + and `threatHuntObjectMetrics` for the specified ID. - 4. **Data Visualization**: A data table titled "IOC Scan Results" is created, - summarizing key metrics such as Hunt Name, Type, Status, IOC Details, Object Metrics - (Scanned/Affected), and Scan Metrics (Matched Snapshots/Unique Matches). + 4. **Data Processing**: The raw JSON response is processed and formatted into + a structured data model (`IOCScanResultsDatamodel`). - 5. **Async Handling**: The action checks the current status of the hunt. If the + 5. **Output Generation**: + * The full JSON response is added to the action results for further processing. + * A data table named "IOC Scan Results" is created, containing key metrics + such as Hunt Name, Type, Status, IOC Details, Object Metrics, and Scan Metrics. + 6. **Status Handling**: The action checks the current status of the hunt. If the status is `PENDING` or `IN_PROGRESS`, the action returns an `IN_PROGRESS` state - to the SOAR platform, allowing for subsequent polling. If the hunt is finished, - it returns a `COMPLETED` state. + to allow the SOAR platform to poll for completion. ### Additional Notes - - This action does not initiate a new scan; it only retrieves results for an existing - `Hunt ID`. - - - If the `Hunt ID` is not found, the action will fail with an informative error - message. + This action is typically used as a follow-up to the "Turbo IOC Scan" or "Advanced + IOC Scan" actions to retrieve the final findings and metrics once the scan has + processed the target snapshots. capabilities: can_create_case_comments: false can_create_insight: false @@ -485,7 +543,7 @@ IOC Scan Results: categories: enrichment: true entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -499,6 +557,7 @@ IOC Scan Results: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +List Events: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -512,24 +571,28 @@ IOC Scan Results: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: true send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -List Events: ai_description: >- - Retrieves a list of events and activities from Rubrik Security Cloud (RSC) based - on various filtering criteria. This action allows analysts to search through historical - and real-time system events, such as backup successes, failures, anomalies, and - storage activities. It supports pagination and sorting to manage large datasets. + The 'List Events' action retrieves a filtered list of events and activities from + Rubrik Security Cloud (RSC). It allows analysts to query the RSC audit and activity + logs to identify specific system behaviors, job statuses, or security-related + events. The action supports extensive filtering by activity status, type, severity, + object details, and time ranges. Results are returned as a raw JSON object and + formatted into a data table for easy review within the SOAR case. ### Parameters Description @@ -539,41 +602,41 @@ List Events: | :--- | :--- | :--- | :--- | - | Activity Status | String | No | Filter events by status (e.g., "Failure", "Success", - "Running"). Supports comma-separated values. | + | **Sort By** | DDL | No | Specifies the field to use for sorting the response + (e.g., Last Updated, Severity, Start Time). | - | Activity Type | String | No | Filter events by type (e.g., "Backup", "Anomaly", - "Sync"). Supports comma-separated values. | + | **Sort Order** | DDL | No | Specifies the order to sort the data (Ascending + or Descending). | - | Severity | String | No | Filter events by severity level (e.g., "Critical", - "Warning", "Info"). Supports comma-separated values. | + | **Limit** | String | No | The maximum number of results to retrieve (Default: + 50, Max: 1000). | - | Object Name | String | No | Filter events associated with a specific object - name. | + | **Next Page Token** | String | No | The cursor token used to retrieve the next + set of paginated results. | - | Object Type | String | No | Filter events by object type (e.g., "VmwareVm", - "WindowsFileset"). Supports comma-separated values. | + | **Activity Status** | String | No | Comma-separated list of statuses to filter + by (e.g., 'Failure', 'Success', 'Running'). | - | Cluster ID | String | No | Filter events by specific Rubrik Cluster IDs. Supports - comma-separated values. | + | **Activity Type** | String | No | Comma-separated list of activity types to + filter by (e.g., 'Backup', 'Anomaly', 'Storage'). | - | Start Date | String | No | The start date for the event range. Supported formats: - `yyyy-mm-dd`, `yyyy-mm-ddTHH:MM:SSZ`. | + | **Severity** | String | No | Comma-separated list of severity levels (e.g., + 'Critical', 'Warning', 'Info'). | - | End Date | String | No | The end date for the event range. Supported formats: - `yyyy-mm-dd`, `yyyy-mm-ddTHH:MM:SSZ`. | + | **Object Name** | String | No | Filters events based on the name of the object + involved. | - | Sort By | DDL | No | Field to sort results by (e.g., Last Updated, Severity, - Start Time). Default is Last Updated. | + | **Object Type** | String | No | Comma-separated list of object types (e.g., + 'VmwareVm', 'WindowsFileset'). | - | Sort Order | DDL | No | The order of sorting: "Asc" or "Desc". Default is Desc. - | + | **Cluster ID** | String | No | Comma-separated list of Rubrik Cluster IDs to + filter the events. | - | Limit | String | No | Maximum number of results to retrieve (Max: 1000). Default - is 50. | + | **Start Date** | String | No | The start date for the event range (Format: yyyy-mm-dd + or ISO 8601). | - | Next Page Token | String | No | Cursor token used to retrieve the next page - of results. | + | **End Date** | String | No | The end date for the event range (Format: yyyy-mm-dd + or ISO 8601). | ### Additional Notes @@ -581,7 +644,9 @@ List Events: - If both **Start Date** and **End Date** are provided, the Start Date must be chronologically before the End Date. - - The action returns a maximum of 20 records in the visible data table for performance, + - The action uses GraphQL to communicate with Rubrik Security Cloud. + + - A maximum of 20 records are displayed in the SOAR data table to maintain performance, while the full result set is available in the JSON output. @@ -590,16 +655,20 @@ List Events: 1. **Parameter Extraction:** The action extracts all filtering, sorting, and pagination parameters provided by the user. - 2. **Validation:** It validates the integer format for the 'Limit' and ensures - that 'Start Date' and 'End Date' follow the required ISO or date formats. + 2. **Validation:** It validates that the 'Limit' is a positive integer and that + the provided dates match supported formats (YYYY-MM-DD or ISO). + + 3. **API Initialization:** Initializes the Rubrik APIManager using the provided + Service Account credentials and handles OAuth token generation/refresh. + + 4. **Data Retrieval:** Executes a GraphQL query (`activitySeriesConnection`) against + the Rubrik Security Cloud endpoint with the specified filters. - 3. **API Interaction:** It initializes the Rubrik API Manager and executes a GraphQL - query (`activitySeriesConnection`) against the Rubrik Security Cloud endpoint - with the specified filters. + 5. **Result Processing:** Parses the GraphQL response, extracts the event edges + and pagination info, and converts the data into a structured format. - 4. **Data Processing:** The retrieved events are parsed into a data model. The - full response is attached as a JSON result, and a summary table containing key - event details (Event ID, Object Name, Severity, Start Time) is added to the case. + 6. **Output Generation:** Adds the full response to the action's JSON results + and populates a data table named 'Events' in the SOAR case wall. capabilities: can_create_case_comments: false can_create_insight: false @@ -613,7 +682,7 @@ List Events: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -627,6 +696,7 @@ List Events: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +List Object Snapshots: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -640,87 +710,57 @@ List Events: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -List Object Snapshots: - ai_description: >- - Retrieves a list of snapshots for a specific object from Rubrik Security Cloud - (RSC). This action allows analysts to identify available backup points for a given - resource, which is essential for data recovery, forensic investigations, or point-in-time - analysis. It supports advanced filtering by date ranges and snapshot types, as - well as pagination for large result sets. - - - ### Parameters Description - - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **Object ID** | String | Yes | The unique identifier (FID) of the Rubrik object - to retrieve snapshots for. | - - | **Start Date** | String | No | The beginning of the time range to filter snapshots. - Supported formats: `yyyy-mm-dd`, `yyyy-mm-ddTHH:MM:SSZ`. | - - | **End Date** | String | No | The end of the time range to filter snapshots. - Supported formats: `yyyy-mm-dd`, `yyyy-mm-ddTHH:MM:SSZ`. | - - | **Snapshot Type** | String | No | A comma-separated list of snapshot types (e.g., - `OnDemand`, `Scheduled`) to filter the results. | - - | **Limit** | String | No | The maximum number of snapshots to retrieve in a single - request. Default is 50; maximum is 1000. | - - | **Next Page Token** | String | No | A cursor used to retrieve the next page - of results if more snapshots are available. | - - | **Sort Order** | DDL | No | Specifies whether to sort the snapshots in ascending - (`Asc`) or descending (`Desc`) order based on creation time. Default is `Asc`. - | - - - ### Additional Notes - - - If both **Start Date** and **End Date** are provided, the **Start Date** must - be chronologically before the **End Date**. - - - The action outputs a data table named "Object Snapshots" containing the Snapshot - ID, Creation Date, Cluster Name, and SLA Domain Name for each result. - - - ### Flow Description - - 1. **Parameter Extraction:** The action extracts the mandatory `Object ID` and - optional filters/pagination parameters from the input. - - 2. **Validation:** It validates that the `Object ID` is provided, the `Limit` - is a valid integer within bounds, and that any provided dates follow the supported - ISO formats. - - 3. **API Initialization:** It initializes the Rubrik API Manager using the provided - Service Account credentials and handles OAuth token management. - - 4. **Data Retrieval:** It executes a GraphQL query (`OBJECT_SNAPSHOTS_QUERY`) - against the Rubrik Security Cloud endpoint to fetch the snapshot metadata. - - 5. **Result Processing:** The raw JSON response is attached to the action results. - The snapshot data is then parsed into a structured format. - - 6. **Output Generation:** A data table is created for the SOAR interface, and - a summary message is generated indicating the number of snapshots found and providing - a pagination token if more results exist. + ai_description: "### General Description\nRetrieves a list of snapshots for a specific\ + \ object from Rubrik Security Cloud (RSC). This action allows analysts to query\ + \ the backup history of a workload, providing visibility into available recovery\ + \ points. It supports filtering by date range and snapshot type, as well as pagination\ + \ for large result sets.\n\n### Parameters Description\n\n| Parameter | Type |\ + \ Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| **Object ID** |\ + \ String | Yes | The unique identifier (FID) of the object for which snapshots\ + \ are to be searched. |\n| **Limit** | String | No | The maximum number of snapshots\ + \ to retrieve in the response. The value must be between 1 and 1000. Default is\ + \ 50. |\n| **Next Page Token** | String | No | The cursor used to retrieve the\ + \ next set of results if more snapshots are available. |\n| **Sort Order** | DDL\ + \ | No | Specifies the chronological order of the results based on creation time.\ + \ Options: `Asc` (default), `Desc`. |\n| **Start Date** | String | No | Filters\ + \ snapshots created on or after this date. Supported formats: `yyyy-mm-dd`, `yyyy-mm-ddTHH:MM:SSZ`.\ + \ |\n| **End Date** | String | No | Filters snapshots created on or before this\ + \ date. Supported formats: `yyyy-mm-dd`, `yyyy-mm-ddTHH:MM:SSZ`. |\n| **Snapshot\ + \ Type** | String | No | A comma-separated list of snapshot types to filter the\ + \ results (e.g., `OnDemand`). |\n\n### Flow Description\n1. **Initialization**:\ + \ The action extracts the mandatory `Object ID` and optional filter parameters\ + \ from the environment.\n2. **Validation**: It validates that the `Object ID`\ + \ is non-empty, the `Limit` is a valid integer within the allowed range (1-1000),\ + \ and that the provided dates follow the supported ISO formats. It also ensures\ + \ the `Start Date` is before the `End Date`.\n3. **API Interaction**: The action\ + \ authenticates with Rubrik Security Cloud and executes a GraphQL query (`OBJECT_SNAPSHOTS_QUERY`)\ + \ to fetch the snapshot metadata for the specified object.\n4. **Data Processing**:\ + \ The raw GraphQL response is captured. The action then processes the snapshot\ + \ edges to extract key details such as Snapshot ID, Creation Date, Cluster Name,\ + \ and SLA Domain Name.\n5. **Output**: \n - A formatted data table named \"\ + Object Snapshots\" is added to the case wall containing the processed metadata.\n\ + \ - The full raw JSON response is attached to the action results.\n - A\ + \ status message is returned indicating the number of snapshots found and providing\ + \ a pagination token if more results exist.\n\n### Additional Notes\n- If the\ + \ `Next Page Token` is returned in the output message, it can be used in a subsequent\ + \ execution of this action to fetch the next page of snapshots.\n- The data table\ + \ is limited to showing a maximum of 20 records for readability, while the full\ + \ result set is available in the JSON output." capabilities: can_create_case_comments: false can_create_insight: false @@ -734,7 +774,7 @@ List Object Snapshots: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -748,6 +788,7 @@ List Object Snapshots: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +List Sonar File Contexts: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -761,89 +802,93 @@ List Object Snapshots: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: true send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -List Sonar File Contexts: ai_description: >- ### General Description - Retrieves file contexts and sensitive data findings detected by Rubrik Sonar for - a specific object snapshot. This action allows analysts to inspect files, folders, - or file shares for sensitive information hits, providing visibility into data - risks within backups. It supports extensive filtering by file name, path, and - user ID, as well as pagination and sorting. + Retrieves file contexts detected by Rubrik Sonar for a specific object snapshot + from Rubrik Security Cloud. This action allows analysts to identify sensitive + data findings within files, folders, or file shares, providing detailed metadata + such as file size, hit counts, access types, and modification times. It supports + various filtering options including file name, path, and user ID to narrow down + results. ### Parameters Description + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Object ID** | string | Yes | The unique identifier (Snappable ID) of the object - in Rubrik. | + | Object ID | string | Yes | The unique identifier of the object (Snappable ID) + to retrieve file contexts for. | - | **Snapshot ID** | string | Yes | The unique identifier of the specific snapshot - to analyze. | + | Snapshot ID | string | Yes | The unique identifier of the snapshot associated + with the object. | - | **File Name** | string | No | Filter results by a specific file name or search - text. | + | File Name | string | No | Filter results by a specific file, folder, or file + share name. | - | **File Path** | string | No | Filter results by a standard file path. | + | File Path | string | No | Filter results by a standard file path. | - | **User ID** | string | No | Filter results by a specific User ID (SID). | + | User ID | string | No | Filter results by a specific user ID. | - | **Include Whitelisted Results** | ddl | No | Boolean (True/False) indicating - whether to include results that have been whitelisted. | + | Include Whitelisted Results | ddl | No | Indicates whether to include results + that have been whitelisted. Options: True, False. | - | **Limit** | string | No | Maximum number of results to retrieve (Default: 50, - Max: 1000). | + | Limit | string | No | Maximum number of file contexts to retrieve in the response + (default is 50). | - | **Next Page Token** | string | No | The cursor token used to retrieve the next - page of results. | + | Next Page Token | string | No | The cursor token used to retrieve the next set + of paginated results. | - | **Sort By** | ddl | No | Field to sort the response by (e.g., HITS, NAME, LAST_MODIFIED). + | Sort By | ddl | No | Field used to sort the response (e.g., HITS, NAME, LAST_MODIFIED). | - | **Sort Order** | ddl | No | The order to sort the data (Asc or Desc). Default - is Desc. | + | Sort Order | ddl | No | Specifies the order to sort the data (Asc or Desc). + Default is Desc. | - ### Additional Notes + ### Flow Description - - The action returns a detailed data table named "Sonar File Contexts" containing - file metadata, size, sensitive hit counts, and access times. + 1. **Parameter Validation**: Validates that the mandatory `Object ID` and `Snapshot + ID` are provided and that the `Limit` is a valid integer. - - Results are limited to the first 20 records in the UI data table for performance, - while the full result is available in the JSON output. + 2. **API Initialization**: Initializes the Rubrik Security Cloud API manager using + the provided service account credentials. + 3. **Data Retrieval**: Executes a GraphQL query to fetch Sonar file context data + from Rubrik, applying any provided filters such as file name, path, or user ID. - ### Flow Description + 4. **Result Processing**: Parses the API response into a structured data model + and adds the raw JSON result to the action output. - 1. **Parameter Validation**: The action extracts and validates the mandatory `Object - ID` and `Snapshot ID`, and ensures the `Limit` is a valid integer. + 5. **Output Generation**: Generates a data table named "Sonar File Contexts" containing + key file metadata and provides a status message summarizing the number of records + retrieved. - 2. **Authentication**: Initializes the Rubrik API client using OAuth credentials - stored in the integration configuration. - 3. **API Request**: Executes a GraphQL query (`SONAR_FILE_CONTEXTS_QUERY`) against - Rubrik Security Cloud, applying the provided filters and sorting parameters. + ### Additional Notes - 4. **Data Processing**: Parses the GraphQL response using the `SonarFileContextsDatamodel` - to extract file-level details and sensitive hit metrics. + - The action hardcodes the timezone to 'UTC' for the query. - 5. **Output Generation**: Adds the raw JSON response to the action results and - constructs a CSV-formatted data table for display in the Google SecOps case wall. + - The data table displayed in the SOAR interface is limited to the first 20 records + for performance and readability. capabilities: can_create_case_comments: false can_create_insight: false @@ -857,7 +902,7 @@ List Sonar File Contexts: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -871,6 +916,7 @@ List Sonar File Contexts: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -884,40 +930,57 @@ List Sonar File Contexts: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: - ai_description: "### General Description\nThe **Ping** action is a diagnostic tool\ - \ designed to verify the connectivity between the Google SecOps SOAR server and\ - \ the Rubrik Security Cloud instance. It ensures that the provided credentials\ - \ (Service Account JSON) are valid and that the network path to the Rubrik GraphQL\ - \ API is open. This action is typically used during the initial setup of the integration\ - \ or for troubleshooting communication issues.\n\n### Parameters Description\n\ - There are no parameters for this action.\n\n### Additional Notes\nThis action\ - \ relies on the integration-level configuration parameters: `Service Account JSON`\ - \ and `Verify SSL`. If the Service Account JSON is missing the `client_id` or\ - \ `access_token_uri`, the action will fail during initialization.\n\n### Flow\ - \ Description\n1. **Initialization**: The action initializes the Siemplify SDK\ - \ and retrieves the global integration configuration parameters.\n2. **API Manager\ - \ Setup**: It instantiates the `APIManager`, which automatically handles OAuth\ - \ token management, including fetching cached tokens from encrypted storage or\ - \ generating a new token if necessary.\n3. **Connectivity Test**: The action calls\ - \ the `test_connectivity` method, which executes a simple GraphQL query (`deploymentVersion`)\ - \ against the Rubrik Security Cloud API.\n4. **Result Handling**: \n * If the\ - \ query succeeds, the action returns a success message and sets the connectivity\ - \ result to `True`.\n * If an exception occurs (e.g., authentication failure,\ - \ network timeout, or server error), the action catches the error, logs the details,\ - \ and returns a failure message with the connectivity result set to `False`." + ai_description: >- + ### General Description + + The **Ping** action is designed to verify the connectivity between the Google + SecOps SOAR platform and the Rubrik Security Cloud instance. It ensures that the + provided credentials (Service Account JSON) are valid and that the SOAR server + can successfully communicate with the Rubrik GraphQL API. + + + ### Parameters Description + + There are no parameters for this action. + + + ### Additional Notes + + This action is primarily used during the initial setup of the integration or for + troubleshooting communication issues. It utilizes OAuth 2.0 for authentication, + managing token generation and storage internally. + + + ### Flow Description + + 1. **Parameter Extraction**: The action retrieves the `Service Account JSON` and + `Verify SSL` settings from the integration configuration. + + 2. **API Manager Initialization**: It initializes the `APIManager`, which handles + the OAuth token lifecycle (checking for existing tokens in encrypted storage or + generating a new one). + + 3. **Connectivity Test**: The action executes a simple GraphQL query (`deploymentVersion`) + against the Rubrik Security Cloud endpoint. + + 4. **Result Reporting**: If the query succeeds, it returns a success message and + a `True` result value. If any step fails (authentication, network error, or API + error), it captures the exception and reports a failure. capabilities: can_create_case_comments: false can_create_insight: false @@ -931,7 +994,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -945,6 +1008,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Turbo IOC Scan: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -958,96 +1022,102 @@ Ping: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: false + search_events: true send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Turbo IOC Scan: ai_description: >- - Initiates a Turbo IOC (Indicator of Compromise) scan across Rubrik infrastructure. - This action is optimized for speed and allows for scanning multiple indicators - across clusters with configurable time ranges and snapshot limits. It triggers - a state-changing operation in Rubrik Security Cloud by starting a new threat hunt - process. + Starts a new Turbo Threat Hunt scan in Rubrik Security Cloud to search for specific + Indicators of Compromise (IOCs). This action is optimized for speed and allows + for scanning multiple IOCs across specific clusters or the entire infrastructure + within a defined time range and snapshot limit. + + ### Parameters Description - ### Parameters | Parameter | Type | Mandatory | Description | - |-----------|------|-----------|-------------| + | :--- | :--- | :--- | :--- | - | IOC | String | Yes | Comma-separated list of indicator values (e.g., file hashes) - to scan for. | + | IOC | String | Yes | A comma-separated list of indicator values (e.g., MD5, + SHA1, or SHA256 hashes) to scan for. | - | Scan Name | String | No | Custom name for the new turbo threat hunt scan. If - not provided, a name is automatically generated using the current date and time. + | Scan Name | String | No | A custom name for the new turbo threat hunt scan. + If not provided, a name is automatically generated using the format 'Google-SecOps-YYYY-MM-DD-HH:MM:SS'. | - | Cluster ID | String | No | Comma-separated list of cluster IDs on which to perform - the scan. If empty, the scan may apply to all available clusters. | + | Cluster ID | String | No | A comma-separated list of cluster IDs on which to + perform the scan. If left empty, the scan may target all available clusters. | - | Start Time | String | No | Filter snapshots from this date. Supported formats: - yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ. | + | Start Time | String | No | Filters the snapshots from the provided date. Supported + formats: `yyyy-mm-dd`, `yyyy-mm-ddTHH:MM:SSZ`, or `yyyy-mm-ddTHH:MM:SS.fffZ`. + | - | End Time | String | No | Filter snapshots until this date. Supported formats: - yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ. | + | End Time | String | No | Filters the snapshots until the provided date. Supported + formats: `yyyy-mm-dd`, `yyyy-mm-ddTHH:MM:SSZ`, or `yyyy-mm-ddTHH:MM:SS.fffZ`. + | - | Max Snapshots Per Object | String | No | Maximum number of snapshots to scan - per object. Must be a positive integer. | + | Max Snapshots Per Object | String | No | The maximum number of snapshots to + scan per object. Must be a positive integer. | ### Additional Notes - - The action validates that the 'Start Time' is chronologically before the 'End - Time'. + - If both `Start Time` and `End Time` are provided, the `Start Time` must be chronologically + before the `End Time`. - - The 'IOC' parameter specifically supports hash values (MD5, SHA1, SHA256) which - are mapped to 'IOC_HASH' in the Rubrik GraphQL API. + - The action returns a unique `Hunt ID` which can be used to track the progress + and results of the scan in subsequent actions. ### Flow Description - 1. **Parameter Extraction**: Retrieves and trims all input parameters from the - SOAR environment. + 1. **Parameter Extraction:** The action retrieves the IOC list, scan name, cluster + IDs, time filters, and snapshot limits from the input. - 2. **Validation**: Validates date formats, ensures 'Start Time' is before 'End - Time', and confirms 'Max Snapshots Per Object' is a valid positive integer. + 2. **Validation:** It validates that the IOC list is not empty, ensures dates + are in the correct format, and checks that the snapshot limit is a valid positive + integer. - 3. **Scan Preparation**: Generates a default scan name if none was provided and - converts comma-separated strings (IOCs and Cluster IDs) into lists. + 3. **API Initialization:** Connects to the Rubrik Security Cloud API using the + provided service account credentials. - 4. **API Interaction**: Authenticates with Rubrik Security Cloud and executes - a GraphQL mutation (`startTurboThreatHunt`) to initiate the scan. + 4. **Scan Initiation:** Executes a GraphQL mutation to start the Turbo Threat + Hunt with the specified configuration. - 5. **Result Processing**: Captures the resulting 'Hunt ID' from the API response. - - 6. **Output**: Adds the raw JSON response to the action results and creates a - data table displaying the 'Turbo Threat Hunt ID'. + 5. **Result Processing:** Captures the `huntId` from the API response, adds the + full JSON response to the action results, and creates a data table in the SOAR + case containing the Hunt ID. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: true - can_mutate_internal_data: false + can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: >- Initiates a new Turbo Threat Hunt scan process within the Rubrik Security Cloud - environment, which creates a new task/record in the external system. + environment. fetches_data: true - internal_data_mutation_explanation: null + internal_data_mutation_explanation: >- + Adds a data table to the Google SecOps case containing the unique identifier + (Hunt ID) of the initiated scan. categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1061,28 +1131,3 @@ Turbo IOC Scan: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: true - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/partner/rubrik_security_cloud/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/rubrik_security_cloud/resources/ai/integration_ai_description.yaml index 7bf893de0..4839c93dd 100644 --- a/content/response_integrations/third_party/partner/rubrik_security_cloud/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/partner/rubrik_security_cloud/resources/ai/integration_ai_description.yaml @@ -1,6 +1,6 @@ product_categories: asset_inventory: true - cloud_security: true + cloud_security: false collaboration: false edr: false email_security: false diff --git a/content/response_integrations/third_party/partner/silentpush/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/silentpush/resources/ai/actions_ai_description.yaml index 6d95d4cf3..ada291b7d 100644 --- a/content/response_integrations/third_party/partner/silentpush/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/silentpush/resources/ai/actions_ai_description.yaml @@ -1,63 +1,85 @@ Add Feed: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Add Feed** action allows users to create and register a new threat intelligence - feed within the Silent Push platform. This action is primarily used for administrative - and management purposes, enabling the organization of indicators into structured - feeds with specific metadata such as categories, vendors, and tags. + The **Add Feed** action allows users to create a new feed within the Silent Push + platform. This is a management action used to define new sources or categories + of threat intelligence data by providing metadata such as name, type, and tags. ### Parameters Description + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Name** | string | Yes | The unique name assigned to the new feed. | + | **Name** | string | Yes | The unique name for the new feed. | - | **Type** | string | Yes | The classification or type of the feed (e.g., 'domain', + | **Type** | string | Yes | The classification type of the feed (e.g., 'domain', 'ip'). | - | **Category** | string | No | The functional category the feed belongs to. | + | **Category** | string | No | The category the feed belongs to. | - | **Vendor** | string | No | The provider or vendor associated with the feed data. - | + | **Vendor** | string | No | The provider or vendor of the feed data. | - | **Feed Description** | string | No | A descriptive summary of the feed's purpose. - Note: The configuration metadata suggests this may be used for a screenshot URL - in some contexts. | + | **Feed Description** | string | No | A detailed description of the feed's purpose + or content. | - | **Tags** | string | No | A comma-separated list of tags to be associated with - the feed for easier filtering and management. | + | **Tags** | string | No | A comma-separated list of tags to associate with the + feed. | - ### Additional Notes + ### Flow Description - - This action does not operate on specific entities (like IPs or Domains) from - the SecOps case; instead, it uses the provided parameters to create a global resource - in Silent Push. + 1. **Parameter Extraction:** The action retrieves the Silent Push server URL and + API key from the integration configuration, along with the feed details from the + action parameters. - - The `Tags` parameter should be provided as a comma-separated string (e.g., `malware,phishing,critical`). + 2. **Manager Initialization:** Initializes the `SilentPushManager` to handle API + communication. + 3. **API Request:** Executes a POST request to the Silent Push `/api/v1/feeds/` + endpoint with the provided feed metadata. - ### Flow Description + 4. **Result Handling:** Processes the API response. If successful, it returns + the feed details; otherwise, it reports a failure. - 1. **Configuration Extraction**: The action retrieves the Silent Push Server URL - and API Key from the integration settings. - - 2. **Parameter Retrieval**: It extracts the feed details (Name, Type, Category, - Vendor, Description, and Tags) provided by the user. - 3. **API Interaction**: The action initializes the `SilentPushManager` and sends - a POST request to the `/api/v1/feeds/` endpoint with the constructed payload. + ### Additional Notes - 4. **Tag Processing**: If tags are provided, they are split into a list before - being sent in the request body. + - The `Tags` parameter should be provided as a comma-separated string (e.g., 'malware,phishing'). - 5. **Result Handling**: The action captures the API response. If successful, it - returns the feed details; otherwise, it logs an error and marks the action as - failed. + - This action does not interact with or modify SecOps entities directly, although + it may log entity identifiers present in the context for debugging purposes. capabilities: can_create_case_comments: false can_create_insight: false @@ -66,14 +88,14 @@ Add Feed: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new feed resource in the Silent Push platform via a POST request to + Creates a new feed resource on the Silent Push server via a POST request to the /api/v1/feeds/ endpoint. - fetches_data: true + fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -87,6 +109,7 @@ Add Feed: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Add Feed Tags: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -100,26 +123,27 @@ Add Feed: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Add Feed Tags: ai_description: >- ### General Description - The **Add Feed Tags** action allows users to append specific tags to an existing - threat intelligence feed within the Silent Push platform. This action is used - to organize and categorize feeds by adding metadata that can be used for filtering - or identification within the Silent Push console. + Adds tags to a specific feed in the Silent Push platform. This action allows users + to organize and categorize threat intelligence feeds by appending a list of descriptive + tags to a feed identified by its unique UUID. ### Parameters Description @@ -128,41 +152,37 @@ Add Feed Tags: | :--- | :--- | :--- | :--- | - | **Feed UUID** | String | No | The unique identifier (UUID) of the feed to which - the tags will be added. While marked as non-mandatory in the configuration, it - is required for the API call to succeed. | + | Feed UUID | string | Yes | The unique identifier (UUID) of the feed to which + the tags will be added. | - | **Tags** | String | No | A comma-separated list of tags (e.g., "malware, suspicious, - research") to be associated with the feed. | + | Tags | string | Yes | A comma-separated list of tags to be updated to the feed. + | - ### Flow Description + ### Additional Notes - 1. **Parameter Extraction**: The action retrieves the `Feed UUID` and the `Tags` - string from the action parameters. + - Although the parameters are marked as optional in the configuration, they are + functionally required for the action to execute its logic successfully. - 2. **Manager Initialization**: It initializes the `SilentPushManager` using the - integration's server URL and API Key. + - This action does not interact with or enrich SecOps entities; it is a management + action performed directly on the Silent Push platform. - 3. **API Request**: The action calls the `add_feed_tags` method, which splits - the comma-separated tags into a list and sends a **POST** request to the Silent - Push endpoint: `/api/v1/feeds/{feed_uuid}/tags/`. - 4. **Execution Finalization**: The action processes the API response. If successful, - it returns a confirmation message. If the API returns an error or no data is found - for the UUID, the action fails and logs the error. + ### Flow Description + 1. **Configuration Extraction**: Retrieves the Silent Push Server URL and API + Key from the integration settings. - ### Additional Notes + 2. **Parameter Extraction**: Retrieves the `Feed UUID` and the `Tags` string from + the action parameters. - - **Entity Usage**: Although the script contains a loop that iterates through - target entities, it does not use entity data for any logic or API calls. This - action is considered a data-management task rather than an entity-enrichment task. + 3. **API Interaction**: Calls the Silent Push Manager's `add_feed_tags` method, + which sends a POST request to the `/api/v1/feeds/{feed_uuid}/tags/` endpoint with + the provided tags. - - **Parameter Discrepancy**: The script attempts to extract an "ASN" parameter - which is not defined in the action's configuration (YAML), likely a remnant of - code reuse. This parameter does not affect the primary flow of adding tags to - a feed. + 4. **Result Handling**: Checks the API response. If data is returned, the action + completes successfully; otherwise, it logs an error and terminates with a failure + status. capabilities: can_create_case_comments: false can_create_insight: false @@ -171,15 +191,14 @@ Add Feed Tags: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - The action performs a POST request to the Silent Push API to add new tags to - a specific feed, thereby changing the state of the feed object in the external - system. + Adds tags to a specific feed in the Silent Push platform via a POST request + to the feeds API. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -193,10 +212,11 @@ Add Feed Tags: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Add Indicators: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false - add_ioc_to_blocklist: false + add_ioc_to_blocklist: true contain_host: false create_ticket: false delete_email: false @@ -206,74 +226,71 @@ Add Feed Tags: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Add Indicators: ai_description: >- - ### General Description - - The **Add Indicators** action allows users to programmatically add a list of indicators - (such as domains or IP addresses) to a specific feed within the Silent Push platform. - This is primarily used for managing threat intelligence feeds and ensuring that - new indicators of interest are tracked or shared across the Silent Push ecosystem. + Adds indicators to a specified feed in the Silent Push platform. This action allows + users to programmatically update threat intelligence feeds by providing a Feed + UUID and a list of indicators (such as domains or IP addresses). The indicators + are provided as a comma-separated string, which the action parses into a list + and submits via a POST request to the Silent Push API. ### Parameters Description + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Feed UUID** | String | No | The unique identifier (UUID) of the target feed - in Silent Push. If not provided, a default UUID is used. | + | Feed UUID | string | No | The unique identifier (UUID) of the feed where indicators + will be added. If not provided, a default UUID is used. | - | **Indicators** | String | No | A comma-separated string of indicators (e.g., - `example.com, 1.2.3.4`) to be added to the feed. If not provided, a default value - is used. | + | Indicators | string | No | A comma-separated list of indicators (e.g., 'example.com, + 1.2.3.4') to be added to the feed. | - ### Flow Description + ### Additional Notes - 1. **Configuration Extraction:** The action retrieves the Silent Push Server URL - and API Key from the integration settings. - 2. **Parameter Extraction:** It extracts the `Feed UUID` and the string of `Indicators` - from the action parameters. + * **Entity Usage:** Although the script iterates through the target entities in + the scope, it does not use their data to perform the action. The action relies + entirely on the provided 'Indicators' parameter. + + * **ASN Parameter:** The code attempts to extract an 'ASN' parameter, but it is + not defined in the action's configuration and is only referenced in error messages. - 3. **Manager Initialization:** A `SilentPushManager` instance is created to handle - the API communication. - 4. **Data Processing:** The manager splits the comma-separated `Indicators` string - into a list format required by the API. + ### Flow Description - 5. **External API Call:** The action sends a `POST` request to the Silent Push - endpoint: `/api/v1/feeds/{feed_uuid}/indicators/` with the indicator list in the - request body. - 6. **Result Handling:** The action checks the API response. If successful, it - returns a completion status; otherwise, it logs an error and fails. + 1. **Configuration Extraction:** Retrieves the Silent Push server URL and API + Key from the integration settings. + 2. **Parameter Extraction:** Retrieves the 'Feed UUID' and the 'Indicators' string + from the action parameters. - ### Additional Notes + 3. **Manager Initialization:** Initializes the Silent Push Manager to handle API + communication. - * **Entity Interaction:** Although the script iterates over target entities in - the environment, it does not use them to perform the action. The indicators added - are strictly defined by the `Indicators` input parameter. + 4. **API Request:** Sends a POST request to the Silent Push endpoint `/api/v1/feeds/{feed_uuid}/indicators/` + with the list of indicators. - * **Code Discrepancy:** The script contains a reference to an `ASN` parameter - and an error message mentioning "retrieving data for ASN," which appears to be - a remnant from a different action. The core logic correctly performs a mutation - (adding indicators) rather than a retrieval. + 5. **Result Handling:** Evaluates the API response. If successful, the action + completes; otherwise, it logs an error and fails. capabilities: can_create_case_comments: false can_create_insight: false @@ -282,14 +299,14 @@ Add Indicators: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Adds new indicators to a specified feed in the Silent Push platform via a POST - request to the /api/v1/feeds/{feed_uuid}/indicators/ endpoint. + Adds new indicators to a specified feed within the Silent Push platform via + a POST request. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -303,6 +320,7 @@ Add Indicators: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Add Indicators Tags: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -316,58 +334,72 @@ Add Indicators: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Add Indicators Tags: ai_description: >- ### General Description - The **Add Indicators Tags** action allows users to update or add tags to a specific - indicator (such as a domain or IP address) within an existing Silent Push feed. - This is useful for organizing threat intelligence data and labeling indicators - based on specific campaigns, threat actors, or internal tracking requirements. + Adds tags to a specific indicator within a Silent Push feed. This action allows + analysts to categorize and organize threat indicators directly on the Silent Push + platform by updating their associated metadata. It is primarily used for threat + intelligence management and feed curation. ### Parameters Description + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Feed UUID | string | Yes | The unique identifier (UUID) of the Silent Push feed - where the indicator is located. | + | Feed UUID | string | Yes | The unique identifier (UUID) of the target feed in + Silent Push. | + + | Indicator Name | string | Yes | The name of the indicator (e.g., a domain or + IP address) that will receive the new tags. | + + | Tags | string | Yes | The specific tags to be added to the indicator. Multiple + tags should be provided as a single string (the format depends on the Silent Push + API requirements, typically comma-separated). | - | Indicator Name | string | Yes | The specific name of the indicator (e.g., 'example.com') - to be tagged. | - | Tags | string | Yes | A string containing the tags to be associated with the - indicator. | + ### Additional Notes + + This action does not process Google SecOps entities. It relies entirely on the + provided parameters to identify the feed and the indicator. The action uses a + `PUT` request to update the external system state. ### Flow Description - 1. **Configuration Extraction:** Retrieves the Silent Push server URL and API + 1. **Configuration Extraction:** Retrieves the Silent Push Server URL and API Key from the integration settings. - 2. **Parameter Retrieval:** Extracts the Feed UUID, Indicator Name, and Tags provided - by the user. + 2. **Parameter Extraction:** Collects the `Feed UUID`, `Indicator Name`, and `Tags` + from the action input. + + 3. **API Initialization:** Initializes the `SilentPushManager` with the provided + credentials. - 3. **API Interaction:** Initializes the `SilentPushManager` and executes a `PUT` - request to the Silent Push API endpoint: `/api/v1/feeds/{feed_uuid}/indicators/{indicator_name}/update-tags/`. + 4. **External Mutation:** Executes a `PUT` request to the Silent Push endpoint: + `/api/v1/feeds/{feed_uuid}/indicators/{indicator_name}/update-tags/` with the + provided tags in the payload. - 4. **Result Handling:** If the API call is successful, the action completes with - a success message. If the indicator or feed is not found, or if the API returns - an error, the action fails and logs the error details. + 5. **Result Handling:** Validates the API response. If successful, it completes + the action; otherwise, it logs an error and fails the execution. capabilities: can_create_case_comments: false can_create_insight: false @@ -376,14 +408,14 @@ Add Indicators Tags: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the tags associated with a specific indicator in a Silent Push feed - using a PUT request to the external API. + Updates the tags of a specific indicator within a Silent Push feed using a PUT + request to the Silent Push API. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -397,6 +429,7 @@ Add Indicators Tags: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Density Lookup: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -408,66 +441,49 @@ Add Indicators Tags: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: false + enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Density Lookup: - ai_description: >- - Queries granular DNS and IP parameters from Silent Push to retrieve density information. - This action allows analysts to look up specific infrastructure components such - as Name Servers (NS), Mail Servers (MX), IP addresses, and ASNs to understand - their prevalence and associations within the Silent Push dataset. - - - ### Flow Description: - - 1. **Parameter Extraction:** The action retrieves the query type (`Qtype`), the - query value (`Query`), and the optional `Scope` from the input parameters. - - 2. **API Interaction:** It initializes the Silent Push manager and performs a - GET request to the density lookup endpoint using the provided parameters. - - 3. **Data Validation:** The action checks the response for density records. If - no records are found, the action fails with an informative message. - - 4. **Result Processing:** If records are found, they are returned as a JSON result - for use in subsequent playbook steps. - - - ### Parameters Description: - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Qtype | String | Yes | The type of density lookup to perform. Supported values - include `nssrv`, `mxsrv`, `nshash`, `mxhash`, `ipv4`, `ipv6`, `asn`, and `chv`. - | - - | Query | String | Yes | The specific value (e.g., domain, IP, or ASN) to query - for density information. | - - | Scope | String | No | The match level or scope to apply to the query results. - | - - - ### Additional Notes: - - - This action does not automatically process entities from the SecOps case; it - relies entirely on the provided `Query` parameter. - - - The results are provided in the `JsonResult` output. + ai_description: "### General Description\nThe **Density Lookup** action queries\ + \ the Silent Push platform to retrieve granular density information for various\ + \ DNS and IP parameters. This data helps analysts understand the prevalence and\ + \ associations of specific infrastructure components, such as Name Servers (NS),\ + \ Mail Exchange (MX) servers, IP addresses, and Autonomous System Numbers (ASNs).\ + \ It is primarily used for infrastructure analysis and identifying commonalities\ + \ across different network assets.\n\n### Parameters Description\n\n| Parameter\ + \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| **Qtype**\ + \ | string | Yes | The type of density lookup to perform. Supported types include\ + \ `nssrv`, `mxsrv`, `nshash`, `mxhash`, `ipv4`, `ipv6`, `asn`, and `chv`. |\n\ + | **Query** | string | Yes | The specific value (e.g., a domain name, IP address,\ + \ or server hostname) to query for density information. |\n| **Scope** | string\ + \ | No | Defines the match level or scope for the lookup to filter results. |\n\ + \n### Additional Notes\n- This action requires a valid API Key and Server URL\ + \ configured in the Silent Push integration settings.\n- If the query returns\ + \ no records, the action will result in a failure status with an error message\ + \ indicating that no density records were found.\n\n### Flow Description\n1. **Initialization:**\ + \ The action extracts the integration configuration (Server URL and API Key) and\ + \ the action parameters (`Qtype`, `Query`, and `Scope`).\n2. **API Request:**\ + \ It initializes the `SilentPushManager` and executes a GET request to the Silent\ + \ Push density lookup endpoint using the provided parameters.\n3. **Data Validation:**\ + \ The action parses the response and checks for the presence of records in the\ + \ `response.records` field.\n4. **Execution Outcome:** \n - If records are\ + \ found, the action completes successfully and returns the data in a JSON format.\n\ + \ - If no records are found or an API error occurs, the action fails and logs\ + \ the corresponding error message." capabilities: can_create_case_comments: false can_create_insight: false @@ -481,7 +497,7 @@ Density Lookup: categories: enrichment: true entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -495,6 +511,7 @@ Density Lookup: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Forward Padns Lookup: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -508,30 +525,30 @@ Density Lookup: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: true send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Forward Padns Lookup: ai_description: >- ### General Description This action performs a forward Passive DNS (PADNS) lookup using the Silent Push - platform. It allows analysts to retrieve historical DNS records associated with - a specific domain name (`Qname`) and record type (`Qtype`). The action is designed - for deep infrastructure analysis, providing visibility into how a domain's DNS - records have changed over time. It supports extensive filtering capabilities, - including time-based constraints, network masks, and regular expressions, making - it a powerful tool for threat hunting and identifying malicious infrastructure - patterns. + API. It allows analysts to retrieve historical DNS records (such as A, AAAA, MX, + NS, etc.) for a specific domain name. The action supports extensive filtering + capabilities, including date ranges (first/last seen), regular expressions, and + network masks, making it a powerful tool for infrastructure analysis and threat + hunting. ### Parameters Description @@ -540,86 +557,82 @@ Forward Padns Lookup: | :--- | :--- | :--- | :--- | - | **Qname** | string | Yes | The DNS record name (domain) to lookup. | + | Qname | string | Yes | The DNS record name (domain) to lookup. | - | **Qtype** | string | No | The DNS record type to query (e.g., 'ns', 'a', 'mx', - 'txt'). Defaults to 'ns'. | + | Qtype | string | No | The DNS record type to query (e.g., 'ns', 'a', 'mx'). + Defaults to 'ns'. | - | **Netmask** | string | No | Filter results by a specific network mask. | + | Netmask | string | No | Filter results by a specific netmask. | - | **subdomain** | string | No | Flag to include subdomains in the lookup results. + | subdomain | string | No | Flag to include subdomains in the lookup results. | - | **Regex** | string | No | A regular expression to filter the returned DNS records. + | Regex | string | No | A regular expression to filter the returned DNS records. | - | **Match** | string | No | The type of match for the query (e.g., 'exact', 'partial'). - | + | Match | string | No | Specifies the type of match for the query (e.g., 'exact', + 'partial'). | - | **First Seen After** | string | No | Filter records first observed after this - date (ISO 8601 format). | + | First Seen After | string | No | Filter records first observed after this date + (YYYY-MM-DD). | - | **First Seen Before** | string | No | Filter records first observed before this - date (ISO 8601 format). | + | First Seen Before | string | No | Filter records first observed before this + date (YYYY-MM-DD). | - | **Last Seen After** | string | No | Filter records last observed after this - date (ISO 8601 format). | + | Last Seen After | string | No | Filter records last observed after this date + (YYYY-MM-DD). | - | **Last Seen Before** | string | No | Filter records last observed before this - date (ISO 8601 format). | + | Last Seen Before | string | No | Filter records last observed before this date + (YYYY-MM-DD). | - | **As Of** | string | No | Retrieve DNS records as they appeared at a specific - point in time. | + | As Of | string | No | Retrieve DNS records as they appeared at a specific point + in time. | - | **Sort** | string | No | Field to sort the results by (e.g., 'date', 'score'). + | Sort | string | No | Field by which to sort the results (e.g., 'date', 'score'). | - | **Output Format** | string | No | The desired format for the results (e.g., - 'JSON', 'XML'). | + | Output Format | string | No | The desired format for the returned results (e.g., + JSON, XML). | - | **Prefer** | string | No | Preference for specific DNS servers or data sources. - | + | Prefer | string | No | Preference for specific DNS servers or sources. | - | **With Metadata** | string | No | Boolean flag to include additional metadata - in the records. | + | With Metadata | string | No | Boolean flag to include additional metadata in + the records. | - | **Max Wait** | string | No | Maximum seconds to wait for the API response (0-25 - seconds). | + | Max Wait | string | No | Maximum seconds to wait for the API response (0-25). + | - | **Skip** | string | No | Number of results to skip for pagination. | + | Skip | string | No | Number of results to skip for pagination. | - | **Limit** | string | No | Maximum number of results to return. | + | Limit | string | No | Maximum number of results to return. | - ### Flow Description + ### Additional Notes - 1. **Initialization:** The action extracts the Silent Push server URL and API - key from the integration configuration. + * **Entity Usage:** Although the script contains logic to iterate over target + entities, it does not currently use them as inputs for the lookup. The action + relies entirely on the `Qname` parameter provided by the user. - 2. **Parameter Collection:** It retrieves the mandatory `Qname` and all optional - filtering parameters provided by the user. + * **Pagination:** Use the `Skip` and `Limit` parameters to manage large result + sets. - 3. **API Execution:** The action calls the Silent Push `forward_padns_lookup` - method, which executes a GET request to the `explore/padns/lookup/query` endpoint. - 4. **Error Handling:** The script validates the API response. If the API returns - an error or if no records are found for the specified query, the action terminates - with a failure status. + ### Flow Description - 5. **Output:** Upon a successful lookup, the retrieved DNS records are returned - as a JSON object in the `JsonResult` field, and the action completes successfully. + 1. **Initialization:** The action initializes the Silent Push manager using the + configured Server URL and API Key. + 2. **Parameter Extraction:** It retrieves the mandatory `Qname` and all optional + filtering/pagination parameters from the action configuration. - ### Additional Notes + 3. **API Request:** A GET request is dispatched to the Silent Push PADNS lookup + endpoint (`explore/padns/lookup/query/{qtype}/{qname}`) with the specified filters. - * **Parameter Discrepancy:** Note that while the configuration defines the parameter - as `subdomain`, the underlying Python logic attempts to extract it as `Subdomains`. - Ensure the parameter name in the UI matches the expected input in the script for - correct functionality. + 4. **Error Handling:** The script checks the API response for errors or empty + record sets. If no records are found, the action fails with a descriptive message. - * **Entity Interaction:** Although the script iterates through target entities - at the end of the execution, it does not use them to drive the lookup logic; the - query is strictly based on the `Qname` parameter. + 5. **Completion:** Upon success, the action returns the retrieved DNS records + and sets the execution state to completed. capabilities: can_create_case_comments: false can_create_insight: false @@ -633,7 +646,7 @@ Forward Padns Lookup: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -647,6 +660,7 @@ Forward Padns Lookup: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get ASN Reputation: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -658,68 +672,75 @@ Forward Padns Lookup: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: false + enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get ASN Reputation: ai_description: >- - Retrieves the reputation history for a specific Autonomous System Number (ASN) - from Silent Push. This action provides insights into historical reputation scores, - associated AS names, and dates of reputation changes. It allows users to request - detailed explanations for the reputation scores and limit the number of historical - records returned. + ### General Description + Retrieves historical reputation data for a specific Autonomous System Number (ASN) + using the Silent Push platform. This action provides insights into the threat + landscape associated with an ASN, including reputation scores and historical changes. + It is primarily used for threat intelligence and risk assessment of network infrastructure. - ### Flow Description - 1. **Parameter Extraction:** The action extracts the mandatory `ASN` and optional - `Explain` and `Limit` parameters from the input. + ### Parameters Description - 2. **API Request:** It initializes the Silent Push manager and calls the ASN reputation - endpoint to fetch historical data for the specified ASN. + | Parameter | Type | Mandatory | Description | - 3. **Data Processing:** The response is parsed to extract reputation history, - which is then sorted by date in descending order. + | :--- | :--- | :--- | :--- | - 4. **Formatting:** If the `Explain` parameter is enabled, the action includes - the reputation calculation details in the output table. + | **ASN** | string | Yes | The Autonomous System Number (ASN) to lookup (e.g., + '12345'). | - 5. **Output:** The formatted data is attached as a JSON result to the action, - and the execution status is updated based on whether data was found. + | **Explain** | boolean | No | If set to `true`, the action retrieves additional + information explaining how the reputation score was calculated. Defaults to `false`. + | + | **Limit** | string | No | Specifies the maximum number of historical reputation + records to retrieve. | - ### Parameters Description - | Parameter | Type | Mandatory | Description | + ### Flow Description - | :--- | :--- | :--- | :--- | + 1. **Configuration Extraction:** Retrieves the Silent Push Server URL and API + Key from the integration settings. - | ASN | string | Yes | The Autonomous System Number (ASN) to lookup (e.g., '12345'). - | + 2. **Parameter Retrieval:** Extracts the target `ASN`, the `Explain` flag, and + the `Limit` value from the action inputs. - | Explain | boolean | No | If set to true, the action retrieves and displays the - information used to calculate the reputation score. | + 3. **API Interaction:** Calls the Silent Push Manager's `get_asn_reputation` method, + which performs a GET request to the ASN reputation history endpoint. + + 4. **Data Processing:** Extracts the reputation data from the raw API response + and sorts the history entries by date in descending order. + + 5. **Table Preparation:** Formats the sorted data into a structured list, including + the ASN, reputation score, AS name, and date. If the `Explain` parameter is enabled, + it also includes the explanation field. - | Limit | string | No | The maximum number of reputation history records to retrieve - from the API. | + 6. **Result Output:** Adds the processed data to the action's JSON results and + completes the execution with a success message. ### Additional Notes - - This action is parameter-driven and does not automatically iterate over or enrich - entities present in the Google SecOps case, although it may be executed within - a case context. + While the action metadata description mentions IPv4, the technical implementation + and parameters specifically target Autonomous System Numbers (ASNs). capabilities: can_create_case_comments: false can_create_insight: false @@ -733,7 +754,7 @@ Get ASN Reputation: categories: enrichment: true entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -747,6 +768,7 @@ Get ASN Reputation: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get ASN Takedown Reputation: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -760,45 +782,65 @@ Get ASN Reputation: enrich_asset: false enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get ASN Takedown Reputation: - ai_description: "Retrieves the takedown reputation information for a specific Autonomous\ - \ System Number (ASN) using the Silent Push API. This action provides insights\ - \ into the historical reputation of an ASN, which can be used to assess the risk\ - \ associated with network infrastructure. The action allows users to specify the\ - \ ASN, limit the number of history records retrieved, and optionally include an\ - \ explanation of how the reputation score was calculated.\n\n### Flow Description:\n\ - 1. **Configuration Extraction:** The action retrieves the Silent Push Server URL\ - \ and API Key from the integration settings.\n2. **Parameter Processing:** It\ - \ extracts the mandatory 'ASN' parameter and optional 'Explain' and 'Limit' parameters.\ - \ The 'Explain' boolean is converted to a numeric flag (0 or 1) for the API request.\n\ - 3. **API Interaction:** The action initializes the Silent Push Manager and calls\ - \ the `get_asn_takedown_reputation` method, which performs a GET request to the\ - \ `explore/takedownreputation/asn/{asn}` endpoint.\n4. **Data Validation:** It\ - \ checks if the response contains takedown reputation history. If no data is found,\ - \ the action fails with an error message.\n5. **Result Output:** If successful,\ - \ the reputation data is returned as a JSON result mapped to the ASN identifier.\n\ - \n### Parameters Description:\n| Parameter | Type | Mandatory | Description |\n\ - | :--- | :--- | :--- | :--- |\n| ASN | string | True | The Autonomous System Number\ - \ (ASN) to lookup (e.g., \"211298\"). |\n| Explain | boolean | False | If set\ - \ to true, the API returns the information used to calculate the reputation score.\ - \ Defaults to true. |\n| Limit | string | False | The maximum number of reputation\ - \ history records to retrieve from the service. |\n\n### Additional Notes:\n*\ - \ This action does not automatically iterate over entities in the case; it relies\ - \ on the 'ASN' parameter provided in the action configuration. \n* While the script\ - \ contains a loop that prints entity identifiers, it does not use them to perform\ - \ the lookup or update their properties." + ai_description: >- + ### General Description + + The **Get ASN Takedown Reputation** action retrieves historical takedown reputation + data for a specific Autonomous System Number (ASN) from the Silent Push platform. + This information helps analysts understand the threat profile and historical malicious + activity associated with an ASN. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Default | Description | + + | :--- | :--- | :--- | :--- | :--- | + + | ASN | string | Yes | 211298 | The Autonomous System Number (ASN) to investigate. + | + + | Explain | boolean | No | true | If enabled, the response includes the specific + data points used to calculate the reputation score. | + + | Limit | string | No | | The maximum number of historical reputation records + to retrieve. | + + + ### Flow Description + + 1. **Parameter Extraction:** The action retrieves the target ASN and optional + configuration (Explain, Limit) from the user input. + + 2. **API Interaction:** It sends a GET request to the Silent Push `explore/takedownreputation/asn` + endpoint using the provided ASN. + + 3. **Data Processing:** The action parses the `takedown_reputation` history from + the API response. + + 4. **Result Output:** The retrieved history is returned as a JSON object for use + in subsequent playbook steps. + + + ### Additional Notes + + - This action does not automatically process entities from the SecOps case; it + requires the ASN to be provided as a direct parameter. capabilities: can_create_case_comments: false can_create_insight: false @@ -812,7 +854,7 @@ Get ASN Takedown Reputation: categories: enrichment: true entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -826,6 +868,7 @@ Get ASN Takedown Reputation: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get ASNs for Domain: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -839,64 +882,45 @@ Get ASN Takedown Reputation: enrich_asset: false enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get ASNs for Domain: - ai_description: >- - ### General Description - - This action retrieves Autonomous System Numbers (ASNs) associated with a specific - domain using the Silent Push platform. It is designed to identify the network - infrastructure that has hosted the domain and its subdomains within the last 30 - days, providing critical context for network-based threat intelligence and investigations. - - - ### Parameters Description - - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Domain | string | Yes | The domain name to search ASNs for. The action retrieves - ASNs associated with 'A' records for the specified domain and its subdomains in - the last 30 days. Default value is 'silentpush.com'. | - - - ### Flow Description - - 1. **Initialization**: The action connects to the Silent Push API using the configured - Server URL and API Key. - - 2. **Parameter Extraction**: It retrieves the target domain from the action input - parameters. - - 3. **API Request**: The action performs a GET request to the Silent Push `explore/padns/lookup/domain/asns/{domain}` - endpoint. - - 4. **Data Extraction**: It parses the JSON response to extract the list of ASN - records associated with the domain. - - 5. **Result Reporting**: If records are found, they are returned in the action's - JSON result and displayed in the output message. If no records are found or an - error occurs, the action reports a failure. - - - ### Additional Notes - - This action is parameter-driven and does not automatically process entities from - the case scope. To enrich specific domain entities, the entity identifier should - be mapped to the 'Domain' parameter in a playbook. + ai_description: "### General Description\nThe **Get ASNs for Domain** action retrieves\ + \ Autonomous System Numbers (ASNs) associated with a specific domain and its subdomains\ + \ using the Silent Push API. By querying Passive DNS (PADNS) data, the action\ + \ identifies the network infrastructure (ASNs) that have hosted the domain's A\ + \ records over the last 30 days. This provides security analysts with critical\ + \ context regarding the hosting environment of a domain, which is useful for infrastructure\ + \ mapping and identifying potentially malicious network patterns.\n\n### Parameters\ + \ Description\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- |\ + \ :--- | :--- |\n| **Domain** | String | Yes | The domain name to search ASNs\ + \ for (e.g., `silentpush.com`). The action retrieves ASNs associated with A records\ + \ for this domain and its subdomains from the last 30 days. |\n\n### Flow Description\n\ + 1. **Configuration Extraction**: The action retrieves the Silent Push Server URL\ + \ and API Key from the integration's global configuration.\n2. **Parameter Retrieval**:\ + \ The target `Domain` is extracted from the action's input parameters.\n3. **API\ + \ Interaction**: The action initializes the `SilentPushManager` and calls the\ + \ `get_asns_for_domain` method, which performs a GET request to the `explore/padns/lookup/domain/asns/{domain}`\ + \ endpoint.\n4. **Data Processing**: The action parses the API response to extract\ + \ the list of ASN records.\n5. **Result Handling**: \n - If ASN records are\ + \ found, the action completes successfully, returning the list of ASNs in the\ + \ output message and script result.\n - If no records are found, the action\ + \ logs an error and terminates with a failed status.\n\n### Additional Notes\n\ + - This action does not automatically update entities or create insights within\ + \ Google SecOps; it primarily serves to fetch and return raw ASN data for use\ + \ in subsequent playbook steps." capabilities: can_create_case_comments: false can_create_insight: false @@ -904,13 +928,48 @@ Get ASNs for Domain: can_mutate_external_data: false can_mutate_internal_data: false can_update_entities: false - external_data_mutation_explanation: 'null' + external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: 'null' + internal_data_mutation_explanation: null categories: enrichment: true entity_usage: - entity_types: [ ] + entity_types: + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -924,6 +983,7 @@ Get ASNs for Domain: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Data Exports: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -932,69 +992,66 @@ Get ASNs for Domain: create_ticket: false delete_email: false disable_identity: false - download_file: false + download_file: true enable_identity: false enrich_asset: false - enrich_ioc: true + enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Data Exports: ai_description: >- - ### General Description - - The **Get Data Exports** action retrieves and downloads exported data files from - the Silent Push platform. This utility is primarily used to fetch bulk indicator - lists or organization-specific exports (e.g., CSV files) previously generated - within the Silent Push environment. The action performs a direct download from - the Silent Push export repository based on a provided file identifier or relative - URL suffix. + Downloads exported feed data from Silent Push. This action retrieves the content + of a specific data export (such as indicator lists in CSV format) from the Silent + Push platform using a provided Feed URL. It is primarily used to ingest threat + intelligence feeds or exported datasets for further processing within the SOAR + platform. - ### Parameters Description - - | Parameter | Type | Mandatory | Description | + ### Flow Description - | :--- | :--- | :--- | :--- | + 1. **Configuration Retrieval:** Extracts the Silent Push server URL and API key + from the integration settings. - | Feed URL | String | Yes | The specific path or filename of the export to retrieve - (e.g., '9b38bd50-ea46-4280-8739-9b71fc3a9291_indicators.csv'). | + 2. **Parameter Extraction:** Retrieves the mandatory 'Feed URL' parameter which + specifies the file to be downloaded. + 3. **API Interaction:** Constructs the full export URL and performs an authenticated + HTTP GET request to the Silent Push export endpoint. - ### Flow Description + 4. **Response Handling:** Validates the response status. If successful, it captures + the file content and determines a filename based on the URL string. - 1. **Configuration Retrieval**: The action fetches the Silent Push Server URL - and API Key from the integration settings. + 5. **Output:** Returns the exported data content as the action result. - 2. **Parameter Extraction**: It retrieves the 'Feed URL' provided by the user. - 3. **Request Construction**: The Silent Push Manager constructs the full URL for - the export endpoint by appending the Feed URL to the base export path. + ### Parameters Description - 4. **Data Retrieval**: A GET request is sent to the Silent Push API to download - the file content. + | Parameter | Type | Mandatory | Description | - 5. **Response Validation**: The action checks for a successful HTTP 200 response. - If the download fails, an error is logged and the action fails. + | :--- | :--- | :--- | :--- | - 6. **Output**: The content of the downloaded file is returned as the action result. + | Feed URL | string | Yes | The specific URL suffix or identifier for the feed + data to be exported (e.g., '9b38bd50-ea46-4280-8739-9b71fc3a9291_indicators.csv'). + | ### Additional Notes - - This action is a utility for bulk data retrieval and does not perform specific - analysis or enrichment on individual entities within the case, although it will - iterate through any entities present in the scope for logging purposes. + - This action is classified as a download action because its primary purpose is + to retrieve raw file content from an external service. capabilities: can_create_case_comments: false can_create_insight: false @@ -1008,42 +1065,7 @@ Get Data Exports: categories: enrichment: false entity_usage: - entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1057,6 +1079,7 @@ Get Data Exports: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Domain Certificates: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1065,58 +1088,64 @@ Get Data Exports: create_ticket: false delete_email: false disable_identity: false - download_file: true + download_file: false enable_identity: false enrich_asset: false - enrich_ioc: false + enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Domain Certificates: - ai_description: "### General Description\nThis action retrieves SSL certificate\ + ai_description: "### General Description\nThis action retrieves SSL/TLS certificate\ \ data collected from domain scanning using the Silent Push platform. It allows\ - \ analysts to query a specific domain and receive a list of associated certificates,\ - \ including details about the issuer and validity dates. The action supports filtering\ - \ by regular expressions, specific issuers, and date ranges, and can handle both\ - \ immediate results and long-running asynchronous jobs.\n\n### Parameters Description\n\ + \ analysts to query specific domains for their certificate history and details,\ + \ providing valuable context for infrastructure analysis and threat hunting. The\ + \ action supports various filters such as date ranges, certificate issuers, and\ + \ regular expressions to narrow down the results.\n\n### Parameters Description\n\ | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ - | Domain | string | Yes | The specific domain to query for certificate data (e.g.,\ - \ silentpush.com). |\n| Domain Regex | string | No | A regular expression to filter\ - \ the returned domains within the certificate data. |\n| Certificate Issuer |\ - \ string | No | Filter the results to only include certificates issued by a specific\ - \ authority. |\n| Date Min | string | No | Filter for certificates issued on or\ - \ after this date (YYYY-MM-DD). |\n| Date Max | string | No | Filter for certificates\ - \ issued on or before this date (YYYY-MM-DD). |\n| Prefer | string | No | Determines\ - \ whether to wait for results for longer-running queries or return a `job_id`\ - \ immediately. |\n| Max Wait | string | No | The number of seconds (0-25) to wait\ - \ for results before the API returns a `job_id`. |\n| With Metadata | string |\ - \ No | If set to true, includes a metadata object in the response containing result\ - \ counts and job IDs. |\n| Skip | string | No | The number of results to skip\ - \ for pagination purposes. |\n| Limit | string | No | The maximum number of certificate\ - \ results to return. |\n\n### Additional Notes\n- This action does not automatically\ - \ process entities from the Google SecOps context; it relies on the manually provided\ - \ `Domain` parameter.\n- If the query takes longer than the `Max Wait` time, the\ - \ action will return job details which can be used with a 'Get Job Status' action.\n\ - \n### Flow Description\n1. **Configuration Extraction:** The action retrieves\ - \ the Silent Push server URL and API key from the integration settings.\n2. **Parameter\ - \ Parsing:** It extracts the target domain and all optional filters (regex, issuer,\ - \ dates, pagination) from the action input.\n3. **API Request:** The action sends\ - \ a GET request to the Silent Push `explore/domain/certificates/{domain}` endpoint\ - \ with the specified filters.\n4. **Response Handling:** \n - If the API returns\ - \ a `job_status`, the action completes and provides the job details for asynchronous\ - \ tracking.\n - If certificates are returned immediately, the action parses\ - \ the list and associated metadata.\n5. **Completion:** The action outputs the\ - \ certificate data to the action message and sets the execution status to completed." + | Domain | string | True | The specific domain to query for certificate data.\ + \ |\n| Domain Regex | string | False | A regular expression used to filter the\ + \ domains in the certificate results. |\n| Certificate Issuer | string | False\ + \ | Filters the results to only include certificates issued by a specific authority.\ + \ |\n| Date Min | string | False | Filters for certificates issued on or after\ + \ this date (e.g., YYYY-MM-DD). |\n| Date Max | string | False | Filters for certificates\ + \ issued on or before this date (e.g., YYYY-MM-DD). |\n| Prefer | string | False\ + \ | Determines the API behavior for long-running queries: whether to wait for\ + \ results or return a `job_id` immediately. |\n| Max Wait | string | False | The\ + \ number of seconds (0 to 25) to wait for results before the API returns a `job_id`.\ + \ |\n| With Metadata | string | False | If set to true, the response will include\ + \ a metadata object containing result counts and job identifiers. |\n| Skip |\ + \ string | False | The number of initial results to skip (used for pagination).\ + \ |\n| Limit | string | False | The maximum number of certificate records to return\ + \ in the response. |\n\n### Additional Notes\n- If the query is complex or the\ + \ system requires more time, the action may return a `job_id` and status instead\ + \ of immediate certificate data. In such cases, the `Get Job Status` action should\ + \ be used to retrieve the final results.\n- The action returns data in a structured\ + \ JSON format (`JsonResult`) for use in subsequent playbook logic.\n\n### Flow\ + \ Description\n1. **Configuration Extraction:** The action retrieves the Silent\ + \ Push Server URL and API Key from the integration settings.\n2. **Parameter Parsing:**\ + \ It extracts the target domain and all optional filter parameters (regex, issuer,\ + \ dates, pagination settings) from the action input.\n3. **API Request:** The\ + \ action initializes the `SilentPushManager` and sends a GET request to the `explore/domain/certificates/{domain}`\ + \ endpoint with the specified filters.\n4. **Response Handling:** \n - If the\ + \ API returns a `job_status`, the action completes by providing the job details\ + \ for asynchronous tracking.\n - If the API returns certificate data directly,\ + \ it extracts the list of certificates and any associated metadata.\n5. **Result\ + \ Finalization:** The action outputs the retrieved data and sets the execution\ + \ status to completed. If no certificates are found or an error occurs, it logs\ + \ the issue and fails the action." capabilities: can_create_case_comments: false can_create_insight: false @@ -1128,9 +1157,9 @@ Get Domain Certificates: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1144,6 +1173,7 @@ Get Domain Certificates: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Enrichment Data: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1155,50 +1185,81 @@ Get Domain Certificates: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: false + enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Enrichment Data: - ai_description: "Retrieves comprehensive enrichment information for a specific resource,\ - \ such as a domain, IPv4, or IPv6 address, using the Silent Push platform. This\ - \ action allows analysts to gather deep contextual data, including reputation\ - \ and infrastructure details, to support threat investigation and incident response.\n\ - \n### Flow Description\n1. **Configuration Extraction:** The action retrieves\ - \ the Silent Push server URL and API key from the integration's global configuration.\n\ - 2. **Parameter Parsing:** It extracts the target resource type (domain, ipv4,\ - \ or ipv6), the specific value to enrich, and optional flags for data explanation\ - \ and scan data inclusion.\n3. **Validation:** The action validates that the provided\ - \ resource type is supported and performs IP version validation if the resource\ - \ is an IP address.\n4. **API Interaction:** It executes a GET request to the\ - \ Silent Push enrichment endpoint (`explore/enrich/{resource}/{value}`) with the\ - \ specified query parameters.\n5. **Result Handling:** The retrieved enrichment\ - \ data is processed and added to the action's JSON results. If no data is found\ - \ or the API request fails, the action terminates with a failure status.\n\n###\ - \ Parameters Description\n| Parameter | Type | Mandatory | Description |\n| :---\ - \ | :--- | :--- | :--- |\n| Resource | string | Yes | The type of resource for\ - \ which information needs to be retrieved. Supported values are `domain`, `ipv4`,\ - \ and `ipv6`. |\n| Value | string | Yes | The specific identifier (e.g., domain\ - \ name or IP address) corresponding to the selected resource type. |\n| Explain\ - \ | boolean | No | If set to `true`, the response will include detailed explanations\ - \ of how data calculations were performed. Defaults to `false`. |\n| Scan Data\ - \ | boolean | No | If set to `true`, the response will include raw scan data.\ - \ This is only applicable when the resource type is `ipv4`. Defaults to `false`.\ - \ |\n\n### Additional Notes\n* This action does not automatically iterate over\ - \ entities in the SecOps case; it relies strictly on the `Value` and `Resource`\ - \ parameters provided in the action configuration. \n* While the script contains\ - \ a loop over `target_entities`, it is only used for logging purposes and does\ - \ not affect the enrichment logic." + ai_description: >- + ### General Description + + The **Get Enrichment Data** action retrieves comprehensive threat intelligence + and enrichment information for a specific resource, such as a domain, IPv4 address, + or IPv6 address, from the Silent Push platform. This action provides deep visibility + into the reputation, infrastructure, and metadata associated with an indicator, + supporting analysts in threat analysis and investigation. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | **Resource** | String | Yes | The type of resource to enrich. Supported values: + `domain`, `ipv4`, `ipv6`. Default is `ipv4`. | + + | **Value** | String | Yes | The specific indicator value (e.g., an IP address + or domain name) to be enriched. Default is `142.251.188.102`. | + + | **Explain** | Boolean | No | If set to `true`, the response will include detailed + explanations of how the data calculations (like risk scores) were derived. Default + is `false`. | + + | **Scan Data** | Boolean | No | If set to `true`, the action will include additional + scan data. This is only applicable when the resource type is `ipv4`. Default is + `false`. | + + + ### Flow Description + + 1. **Initialization**: The action initializes the Silent Push manager using the + provided server URL and API key from the integration configuration. + + 2. **Parameter Extraction**: It retrieves the resource type, the indicator value, + and the optional flags for explanations and scan data from the action parameters. + + 3. **Validation**: If the resource is an IP address, it validates the format against + the specified type (IPv4 or IPv6) using internal validation logic. + + 4. **Data Retrieval**: It sends a GET request to the Silent Push enrichment endpoint + (`explore/enrich/{resource}/{value}`) with the specified query parameters. + + 5. **Output**: The retrieved enrichment data is returned as a JSON object. If + no data is found, the action fails with an error message. + + + ### Additional Notes + + - This action is a standalone enrichment tool that operates on a single input + value provided via parameters rather than automatically iterating through all + entities in the current scope. + + - The **Scan Data** parameter is specifically intended for use with the `ipv4` + resource type and may be ignored or return no additional data for other resource + types. capabilities: can_create_case_comments: false can_create_insight: false @@ -1212,7 +1273,7 @@ Get Enrichment Data: categories: enrichment: true entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1226,6 +1287,7 @@ Get Enrichment Data: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Future Attack Indicatiors: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1237,73 +1299,80 @@ Get Enrichment Data: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: true + enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Future Attack Indicatiors: ai_description: >- - The 'Get Future Attack Indicators' action retrieves a list of indicators associated - with potential future attacks from the Silent Push platform. It uses a specific - Feed UUID to query the threat-ranking API, allowing analysts to proactively identify - emerging threats. The action supports pagination through page number and page - size parameters to handle large datasets. The retrieved indicators are returned - as a JSON object for further analysis or use in subsequent playbook steps. + ### General Description + The **Get Future Attack Indicatiors** action retrieves threat intelligence indicators + from the Silent Push platform based on a specific Feed UUID. This action is designed + to gather proactive intelligence about potential future attacks by fetching ranked + indicators associated with a designated threat feed. It is primarily used for + threat hunting and situational awareness by providing a list of indicators that + have been identified as part of emerging threat campaigns. - ### Flow Description - 1. **Configuration Extraction**: The action retrieves the Silent Push server URL - and API key from the integration configuration. + ### Parameters Description - 2. **Parameter Parsing**: It extracts the mandatory 'Feed UUID' and optional pagination - parameters ('Page No' and 'Page Size') from the action input. + | Parameter | Type | Mandatory | Description | - 3. **API Interaction**: The action initializes the Silent Push Manager and performs - a GET request to the `/api/v2/iocs/threat-ranking/` endpoint, passing the Feed - UUID and pagination details as query parameters. + | :--- | :--- | :--- | :--- | - 4. **Data Processing**: It parses the API response to extract the list of indicators. - If no indicators are found, the action terminates with a failure status. + | **Feed UUID** | String | Yes | The unique identifier for the Silent Push feed + from which to fetch indicators. | - 5. **Result Output**: The list of indicators is added to the action's JSON results, - and the action completes successfully. + | **Page No** | String | No | The specific page number of results to retrieve + from the feed. Defaults to "1". | + | **Page Size** | String | No | The number of indicator records to return per + page. Defaults to "10000". | - ### Parameters Description - | Parameter Name | Type | Mandatory | Description | Expected Value | + ### Flow Description - | :--- | :--- | :--- | :--- | :--- | + 1. **Configuration Extraction**: The action retrieves the Silent Push server URL + and API key from the integration's global configuration. - | Feed UUID | string | True | The unique identifier for the specific threat feed - to fetch indicators from. | A valid UUID string (e.g., '99da9b6a-146b-4a4d-9929-5fd5c6e2c257'). - | + 2. **Parameter Parsing**: It extracts the `Feed UUID`, `Page No`, and `Page Size` + from the action's input parameters, applying default values for pagination if + they are not provided. - | Page No | string | False | The specific page number of results to retrieve. - Defaults to '1' if not provided. | An integer string (e.g., '2'). | + 3. **API Interaction**: The action initializes the `SilentPushManager` and calls + the `get_future_attack_indicators` method, which performs a GET request to the + Silent Push `/api/v2/iocs/threat-ranking/` endpoint using the provided Feed UUID + and pagination criteria. - | Page Size | string | False | The maximum number of indicators to return per - page. Defaults to '10000'. | An integer string (e.g., '500'). | + 4. **Data Processing**: The response is parsed to extract the list of indicators. + If the response is empty or no indicators are found, the action logs an error + and terminates with a failure status. + + 5. **Result Reporting**: The retrieved indicators are added to the action's JSON + results (`ScriptResult`) for use in subsequent playbook steps. The action then + concludes with a success message containing the indicator data. ### Additional Notes - - This action does not process or enrich specific entities within the case; it - fetches global feed data based on the provided UUID. + - This action is a global fetch operation and does not target or filter specific + entities within the Google SecOps case. - - If the API returns an empty list or no 'indicators' key, the action will report - a failure. + - The action name contains a typographical error ("Indicatiors") which is preserved + from the integration metadata. capabilities: can_create_case_comments: false can_create_insight: false @@ -1317,7 +1386,7 @@ Get Future Attack Indicatiors: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1331,6 +1400,7 @@ Get Future Attack Indicatiors: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get IPV4 Reputation: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1342,63 +1412,70 @@ Get Future Attack Indicatiors: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: false + enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get IPV4 Reputation: ai_description: >- + ### General Description + Retrieves historical reputation data for a specific IPv4 address using the Silent - Push API. This action allows analysts to fetch a list of reputation scores and - the data used to calculate them for a given IP address. The results are provided - as a JSON object containing the reputation history, which can be used for further - analysis or decision-making within a playbook. + Push platform. This action provides detailed insights into the threat history + and reputation scores associated with a network indicator, allowing analysts to + assess the risk level based on historical behavior. ### Parameters Description - | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Nameserver | string | Yes | The IPv4 address for which reputation information + | Nameserver | String | Yes | The IPv4 address for which reputation information needs to be retrieved. | - | Explain | boolean | No | If set to true, the response will include the specific - information used to calculate the reputation score. Defaults to false. | + | Explain | Boolean | No | If set to true, the response includes the specific + information and logic used to calculate the reputation score. Defaults to false. + | - | Limit | string | No | The maximum number of reputation history entries to retrieve - from the API. | + | Limit | String | No | The maximum number of reputation history entries to retrieve + from the service. | ### Flow Description + 1. **Parameter Extraction**: The action extracts the target IPv4 address (Nameserver), + the explanation flag, and the result limit from the user-provided parameters. - 1. **Parameter Extraction**: The action extracts the target IPv4 address from - the 'Nameserver' parameter and retrieves the 'Explain' and 'Limit' settings. + 2. **API Request**: It calls the Silent Push `explore/ipreputation/history/ipv4` + endpoint via the `get_ipv4_reputation` manager method. - 2. **Manager Initialization**: It initializes the Silent Push Manager using the - integration's server URL and API Key. + 3. **Data Validation**: The action verifies if the response contains reputation + history data. If the history is empty, it logs an error and terminates with a + failure status. - 3. **API Request**: The action performs a GET request to the Silent Push `explore/ipreputation/history/ipv4` - endpoint using the provided IPv4 address. + 4. **Result Output**: The raw API response is attached to the action's JSON results, + making the reputation data available for downstream playbook logic. - 4. **Data Validation**: It checks the API response for the presence of reputation - history data. If no data is found, the action is marked as failed. - 5. **Result Output**: The raw API response is attached to the action results as - a JSON object, and the execution status is set to completed. + ### Additional Notes + + This action is parameter-driven and does not automatically iterate through or + update entities in the Google SecOps case. It is primarily used to fetch raw intelligence + data for a specific indicator provided in the 'Nameserver' field. capabilities: can_create_case_comments: false can_create_insight: false @@ -1410,9 +1487,9 @@ Get IPV4 Reputation: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: false + enrichment: true entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1426,6 +1503,7 @@ Get IPV4 Reputation: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Nameserver Reputation: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1439,39 +1517,71 @@ Get IPV4 Reputation: enrich_asset: false enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Nameserver Reputation: ai_description: >- - ### General description\nRetrieves historical reputation data for a specified - nameserver from the Silent Push platform. This action provides a timeline of reputation - scores and optional calculation details to help analysts assess the risk associated - with specific DNS infrastructure.\n\n### Parameters description\n| Parameter | - Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Nameserver - | string | Yes | The nameserver name (e.g., ns1.example.com) to retrieve reputation - history for. |\n| Explain | string | No | If provided, the response will include - the detailed information used to calculate the reputation score. |\n| Limit | - string | No | The maximum number of historical reputation entries to retrieve. - |\n\n### Additional notes\n- This action is parameter-driven and does not automatically - iterate over entities in the case.\n- The action will fail if no valid reputation - history is found for the provided nameserver.\n\n### Flow description\n1. **Extract - Configuration**: Retrieves the Silent Push Server URL and API Key from the integration - settings.\n2. **Extract Parameters**: Retrieves the target Nameserver, Explain - flag, and Limit value from the action input.\n3. **API Request**: Calls the Silent - Push API to fetch historical reputation data for the specified nameserver.\n4. - **Data Normalization**: Processes the results, specifically converting integer-based - dates into ISO-8601 format for better readability.\n5. **Output**: Returns the - reputation history data to the SOAR platform. + ### General Description + + Retrieves historical reputation data for a specified nameserver using the Silent + Push API. This action provides reputation scores and can optionally include detailed + information about how the score was calculated. It is primarily used to assess + the risk associated with specific DNS infrastructure. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Nameserver | string | Yes | The name of the nameserver (e.g., a.dns-servers.net.ru) + for which reputation information needs to be retrieved. | + + | Explain | string | No | If set to a truthy value, the action retrieves the specific + information used to calculate the reputation score. | + + | Limit | string | No | The maximum number of historical reputation records to + retrieve from the service. | + + + ### Flow Description + + 1. **Configuration Extraction**: Retrieves the Silent Push Server URL and API + Key from the integration's global configuration. + + 2. **Parameter Extraction**: Collects the target Nameserver, the Explain flag, + and the Limit value from the action's input parameters. + + 3. **API Interaction**: Initializes the Silent Push Manager and calls the `get_nameserver_reputation` + endpoint to fetch historical data. + + 4. **Data Transformation**: Iterates through the retrieved reputation history + items and converts integer-based date values (formatted as YYYYMMDD) into standard + ISO format strings for better readability. + + 5. **Result Finalization**: If valid reputation data is found, the action completes + successfully. If no data is returned or an error occurs during the API call, the + action terminates with a failure status. + + + ### Additional Notes + + This action does not automatically update entities or create insights within the + Google SecOps case. It returns the retrieved data as a JSON result for use in + subsequent playbook logic. capabilities: can_create_case_comments: false can_create_insight: false @@ -1485,7 +1595,7 @@ Get Nameserver Reputation: categories: enrichment: true entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1499,6 +1609,7 @@ Get Nameserver Reputation: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Subnet Reputation: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1512,68 +1623,61 @@ Get Nameserver Reputation: enrich_asset: false enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Subnet Reputation: ai_description: >- Retrieves the reputation history for a specific IPv4 subnet using the Silent Push - API. This action allows analysts to understand the historical threat context of - a network range by fetching reputation scores and optional detailed explanations - for those scores. The results are returned as a JSON object containing the history - entries. - - - ### Flow Description - - 1. **Configuration Extraction:** The action retrieves the Silent Push server URL - and API key from the integration configuration. - - 2. **Parameter Extraction:** It extracts the target 'Subnet' and optional 'Explain' - and 'Limit' parameters from the action input. - - 3. **API Interaction:** A GET request is sent to the Silent Push 'explore/ipreputation/history/subnet' - endpoint for the specified subnet. - - 4. **Data Parsing:** The action parses the 'subnet_reputation_history' from the - API response. - - 5. **Completion:** The retrieved history is returned as the action result, or - the action fails if no history is found. + platform. This action allows analysts to understand the historical threat context + and reputation scores associated with a network range, which is useful for identifying + malicious infrastructure or assessing the risk of network traffic. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Subnet | string | Yes | The IPv4 subnet (e.g., 192.168.0.0/16) for which reputation + | Subnet | string | True | The IPv4 subnet (e.g., 192.168.0.0/16) for which reputation information needs to be retrieved. | - | Explain | string | No | If provided, the API returns detailed information used - to calculate the reputation score. | + | Explain | string | False | If provided, the API returns detailed information + and the logic used to calculate the reputation score. | - | Limit | string | No | Maximum number of reputation history entries to retrieve - from the service. | + | Limit | string | False | Specifies the maximum number of reputation history + entries to retrieve from the service. | - ### Additional Notes + ### Flow Description - - This action does not automatically process entities from the SecOps case; it - relies on the manually provided 'Subnet' parameter. + 1. **Configuration Extraction:** The action retrieves the Silent Push Server URL + and API Key from the integration settings. + + 2. **Parameter Retrieval:** It extracts the target `Subnet`, the `Explain` flag, + and the `Limit` value from the action input. - - If the API returns no reputation history for the provided subnet, the action - will result in a failure state. + 3. **API Interaction:** The action initializes the `SilentPushManager` and calls + the `get_subnet_reputation` method, which performs a GET request to the Silent + Push `explore/ipreputation/history/subnet` endpoint. + + 4. **Data Processing:** It parses the response to extract the `subnet_reputation_history`. + If no history is found, the action reports a failure. + + 5. **Completion:** The action returns the reputation history data as a JSON result + and completes the execution with a summary message. capabilities: can_create_case_comments: false can_create_insight: false @@ -1585,9 +1689,9 @@ Get Subnet Reputation: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: true + enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1601,6 +1705,7 @@ Get Subnet Reputation: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get job status: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1612,29 +1717,31 @@ Get Subnet Reputation: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: true + enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get job status: ai_description: >- ### General Description - The **Get job status** action is a utility task designed to track the progress - or retrieve the final output of asynchronous jobs initiated within the Silent - Push platform. It is primarily used to poll for results after launching long-running - queries or scans, allowing the playbook to wait for data before proceeding to - analysis. + The **Get job status** action retrieves the current status or the final results + of an asynchronous job previously initiated within the Silent Push platform. This + utility is essential for workflows involving long-running processes, such as bulk + domain lookups or complex scans, allowing playbooks to poll for completion and + ingest the resulting data once available. ### Parameters Description @@ -1643,44 +1750,49 @@ Get job status: | :--- | :--- | :--- | :--- | - | Job ID | string | Yes | The unique identifier of the job returned by previous - Silent Push actions. | + | **Job ID** | string | Yes | The unique identifier of the job to check, typically + returned by other Silent Push actions. | - | Max Wait | string | No | The number of seconds (0-25) the action should wait - for the job to complete before returning the current status. Defaults to 20 seconds - if not specified. | + | **Max Wait** | string | No | The number of seconds the action should wait for + the job to complete before returning the current status (valid range: 0-25 seconds). + Defaults to 20 seconds if not specified. | - | Status Only | boolean | No | If set to `true`, the action returns only the job's - status (e.g., 'complete', 'running') even if the results are available. | + | **Status Only** | boolean | No | If enabled, the action will return only the + job's status metadata, even if the job has already finished and results are available. + | - | Force Metadata On | boolean | No | Ensures that query metadata is included in - the response, regardless of the original request settings. | + | **Force Metadata On** | boolean | No | When enabled, the response will always + include query metadata, regardless of the settings used when the job was originally + created. | - | Force Metadata Off | boolean | No | Ensures that query metadata is excluded - from the response. | + | **Force Metadata Off** | boolean | No | When enabled, the response will never + include query metadata, regardless of the settings used when the job was originally + created. | - ### Flow Description + ### Additional Notes + + - This action is primarily a utility for job orchestration and does not directly + enrich entities or modify case data within Google SecOps. - 1. **Parameter Extraction:** The action retrieves the `Job ID` and optional configuration - flags (Max Wait, Status Only, Metadata toggles) from the input parameters. + - The `Max Wait` parameter is capped at 25 seconds by the Silent Push API logic. - 2. **API Request:** It performs a GET request to the Silent Push `explore/job/{job_id}` - endpoint using the provided credentials and parameters. - 3. **Status Validation:** The action checks the API response to ensure a valid - job status was found for the provided ID. + ### Flow Description - 4. **Result Delivery:** The raw JSON response, containing either the job's current - status or the full result set, is returned to the Google SecOps platform. + 1. **Initialization**: Extracts the integration configuration (API Key and Server + URL) and the user-provided action parameters. + 2. **Validation**: Converts the `Max Wait` parameter to an integer and ensures + it falls within the default range (defaulting to 20 if empty). - ### Additional Notes + 3. **API Request**: Sends a GET request to the Silent Push `explore/job/{job_id}` + endpoint with the specified query parameters. - - This action does not process or enrich entities; it operates solely based on - the `Job ID` provided. + 4. **Response Handling**: Parses the job status and results from the API response. - - The `Max Wait` parameter is capped at 25 seconds by the Silent Push API logic. + 5. **Completion**: Returns the job data as the action output. If no job status + is found for the provided ID, the action fails. capabilities: can_create_case_comments: false can_create_insight: false @@ -1694,7 +1806,42 @@ Get job status: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1708,6 +1855,7 @@ Get job status: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +List Domain Information: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1719,70 +1867,51 @@ Get job status: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: false + enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -List Domain Information: - ai_description: >- - Retrieves detailed information for multiple domains from Silent Push, including - infrastructure data, risk scores, and WHOIS records. This action allows for bulk - querying of domains provided as a comma-separated list. Users can optionally include - Silent Push risk scores (with explanations) and live WHOIS information to gain - deeper context on the reputation and ownership of the specified domains. - - - ### Parameters Description - - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Domains | string | Yes | Comma-separated list of domains to query (e.g., "example.com,test.org"). - | - - | Fetch Risk Score | boolean | No | If set to true, the action retrieves Silent - Push risk scores and detailed explanations for each domain. Defaults to false. - | - - | Fetch Whois Info | boolean | No | If set to true, the action retrieves live - WHOIS information for each domain. Defaults to false. | - - - ### Flow Description - - - 1. **Configuration Extraction**: Retrieves the Silent Push Server URL and API - Key from the integration settings. - - 2. **Input Parsing**: Extracts the 'Domains' parameter and splits the comma-separated - string into a list of individual domains. - - 3. **Bulk Domain Lookup**: Calls the Silent Push API to fetch general infrastructure - and metadata for the provided domains. - - 4. **Risk Assessment (Optional)**: If 'Fetch Risk Score' is enabled, the action - makes a secondary request to retrieve risk scores and their corresponding explanations. - - 5. **WHOIS Retrieval (Optional)**: If 'Fetch Whois Info' is enabled, the action - performs individual WHOIS lookups for each domain in the list. - - 6. **Data Aggregation**: Consolidates the retrieved information into a unified - data structure. - - 7. **Output Generation**: Formats the results into a Markdown summary for the - case wall and a detailed JSON object for use in subsequent playbook steps. + ai_description: "### General Description\nThe **List Domain Information** action\ + \ retrieves comprehensive metadata for a list of domains from the Silent Push\ + \ platform. It provides core domain information and can be optionally configured\ + \ to include Silent Push risk scores (with detailed explanations) and live WHOIS\ + \ data. This action is designed for bulk enrichment and threat assessment of domain\ + \ indicators provided as input parameters.\n\n### Parameters Description\n| Parameter\ + \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| **Domains**\ + \ | String | Yes | A comma-separated list of domains to query (e.g., \"example.com,\ + \ test.org\"). The action supports a maximum of 100 domains per request. |\n|\ + \ **Fetch Risk Score** | Boolean | No | If set to `true`, the action retrieves\ + \ the Silent Push risk score and a detailed explanation for each domain. Default\ + \ is `false`. |\n| **Fetch Whois Info** | Boolean | No | If set to `true`, the\ + \ action retrieves live WHOIS information, including registrant details, registration\ + \ dates, and nameservers. Default is `false`. |\n\n### Flow Description\n1. **Initialization**:\ + \ The action extracts the Silent Push server URL and API key from the integration\ + \ configuration.\n2. **Input Processing**: It parses the `Domains` string into\ + \ a list and evaluates the boolean flags for risk scores and WHOIS data.\n3. **Data\ + \ Retrieval**: \n - The action calls the Silent Push API to fetch bulk domain\ + \ information for the provided list.\n - If `Fetch Risk Score` is enabled,\ + \ it retrieves risk assessment data for each domain.\n - If `Fetch Whois Info`\ + \ is enabled, it performs individual WHOIS lookups for each domain.\n4. **Result\ + \ Formatting**: The retrieved data is aggregated into a structured JSON object\ + \ and a Markdown-formatted summary is generated for the Google SecOps interface.\n\ + 5. **Completion**: The action returns the results to the SOAR platform, indicating\ + \ success or failure based on the API response.\n\n### Additional Notes\n- This\ + \ action does not automatically update entities within the Google SecOps case;\ + \ it returns the enrichment data as a script result for use in subsequent playbook\ + \ steps.\n- A maximum of 100 domains can be submitted in a single execution." capabilities: can_create_case_comments: false can_create_insight: false @@ -1796,7 +1925,7 @@ List Domain Information: categories: enrichment: true entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1810,6 +1939,7 @@ List Domain Information: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +List Domain Infratags: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1823,77 +1953,71 @@ List Domain Information: enrich_asset: false enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -List Domain Infratags: ai_description: >- - Retrieves infrastructure tags (infratags) for one or more domains using the Silent - Push platform. This action allows analysts to identify the underlying infrastructure, - hosting providers, and technology stacks associated with specific domains. It - supports bulk lookups and optional clustering of results to identify related infrastructure - patterns. - - - ### Flow Description - - 1. **Input Parsing:** Extracts a comma-separated list of domains from the 'Domain' - parameter and other optional configuration settings like 'Mode' and 'Cluster'. + Retrieves infrastructure tags (infratags) for multiple domains using the Silent + Push API. This action allows analysts to identify common infrastructure patterns + and cluster domains based on shared attributes, which is useful for threat hunting + and attribution. It supports both live data and historical Passive DNS (PADNS) + data. - 2. **API Interaction:** Sends a POST request to the Silent Push 'explore/bulk/domain/infratags' - endpoint with the specified domains and filtering criteria. - 3. **Data Processing:** Receives infrastructure tags and, if requested, tag clusters - from the external service. + ### Parameters - 4. **Result Output:** Formats the retrieved infratags and clusters into a JSON - result for use in subsequent playbook steps. + | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Parameters Description + | Domain | string | Yes | A comma-separated list of domains to investigate. | - | Parameter | Type | Mandatory | Description | + | Cluster | boolean | No | If set to true, the action will return clustered results + based on shared infrastructure tags. | - | :--- | :--- | :--- | :--- | + | Mode | string | No | The lookup mode to use: 'live' (default) or 'padns'. | - | Domain | string | Yes | A comma-separated list of domains to retrieve infrastructure - tags for (e.g., 'example.com, test.org'). | + | Match | string | No | Specifies how to handle self-hosted infrastructure (defaults + to 'self'). | - | Mode | string | No | The lookup mode to use. Options are 'live' (current data) - or 'padns' (historical passive DNS data). Defaults to 'live'. | + | As Of | string | No | A timestamp used to filter PADNS data between first and + last seen dates. | - | Cluster | boolean | No | If set to 'true', the action will return clustered - infrastructure data, grouping related tags together. | + | Use Get | boolean | No | Internal flag for request method (defaults to true). + | - | Match | string | No | Specifies how to handle self-hosted infrastructure. Defaults - to 'self'. | + | Origin UID | string | No | An optional unique identifier for the request origin. + | - | As Of | string | No | A timestamp used to build infratags from historical padns - data (between first_seen and last_seen). | - | Origin UID | string | No | A unique identifier for the origin of the request, - used for tracking or specific API permissions. | + ### Flow Description - | Use Get | boolean | No | Internal flag to determine request method, though the - implementation primarily uses POST for bulk data. | + 1. **Parameter Extraction:** The action retrieves the API key, server URL, and + user-provided parameters, including the list of domains. + 2. **Data Retrieval:** It sends a POST request to the Silent Push 'explore/bulk/domain/infratags' + endpoint with the specified domains and filtering criteria. - ### Additional Notes + 3. **Response Validation:** The action verifies that the returned data matches + the requested mode. - - This action is primarily driven by the 'Domain' input parameter rather than - the entities present in the SecOps case. + 4. **Result Processing:** If clustering is enabled, it formats the tag clusters + into a readable structure. - - If 'Cluster' is enabled, the output will include a 'Domain Tag Clusters' section - providing a higher-level view of the infrastructure relationships. + 5. **Output Generation:** The retrieved infratags and optional clusters are attached + to the action result as JSON. capabilities: can_create_case_comments: false can_create_insight: false @@ -1907,7 +2031,7 @@ List Domain Infratags: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1921,6 +2045,7 @@ List Domain Infratags: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +List IP Information: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -1934,39 +2059,42 @@ List Domain Infratags: enrich_asset: false enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -List IP Information: - ai_description: "### General Description\nThe **List IP Information** action retrieves\ - \ detailed network metadata for a provided list of IPv4 and IPv6 addresses using\ - \ the Silent Push platform. It specifically focuses on mapping IP addresses to\ - \ Autonomous System Numbers (ASN) and providing associated network context.\n\n\ - ### Parameters Description\n| Parameter | Type | Mandatory | Default Value | Description\ - \ |\n| :--- | :--- | :--- | :--- | :--- |\n| Ips | String | Yes | 142.251.188.102\ - \ | A comma-separated list of IPv4 or IPv6 addresses to be queried. |\n\n### Flow\ - \ Description\n1. **Configuration Extraction:** The action retrieves the Silent\ - \ Push Server URL and API Key from the integration settings.\n2. **Input Parsing:**\ - \ It extracts the `Ips` string parameter and splits it into a list.\n3. **Validation:**\ - \ The action validates each IP and categorizes them into IPv4 and IPv6 groups\ - \ using the Silent Push Manager.\n4. **External API Query:** \n - For IPv4 addresses,\ - \ it sends a POST request to the `explore/bulk/ip2asn/ipv4` endpoint.\n - For\ - \ IPv6 addresses, it sends a POST request to the `explore/bulk/ip2asn/ipv6` endpoint.\n\ - 5. **Data Consolidation:** The results (IP-to-ASN mappings) are aggregated into\ - \ a single list.\n6. **Output:** The action returns the consolidated IP information\ - \ as a JSON result and provides an execution status.\n\n### Additional Notes\n\ - - This action does not automatically process entities from the SecOps case; it\ - \ relies strictly on the `Ips` parameter.\n- A maximum of 100 IPs can be processed\ - \ in a single execution." + ai_description: "Retrieves comprehensive IP information, specifically IP-to-ASN\ + \ (Autonomous System Number) mapping, for multiple IPv4 and IPv6 addresses using\ + \ the Silent Push API. This action allows for bulk lookups by accepting a comma-separated\ + \ list of IP addresses, validating their format, and fetching network ownership\ + \ and routing data.\n\n### Parameters Description\n\n| Parameter | Type | Mandatory\ + \ | Description |\n| :--- | :--- | :--- | :--- |\n| Ips | String | Yes | A comma-separated\ + \ list of IPv4 or IPv6 addresses (e.g., \"142.251.188.102, 2001:4860:4860::8888\"\ + ) to be queried. |\n\n### Flow Description\n\n1. **Initialization:** The action\ + \ retrieves the Silent Push Server URL and API Key from the integration's global\ + \ configuration.\n2. **Input Parsing:** It extracts the `Ips` parameter and splits\ + \ the comma-separated string into a list of individual IP strings.\n3. **Validation:**\ + \ The action iterates through the list, using the `SilentPushManager` to categorize\ + \ each address as either IPv4 or IPv6 based on standard IP formatting.\n4. **Bulk\ + \ Querying:** \n * If IPv4 addresses are present, it performs a bulk POST\ + \ request to the Silent Push `ipv4` lookup endpoint.\n * If IPv6 addresses\ + \ are present, it performs a bulk POST request to the Silent Push `ipv6` lookup\ + \ endpoint.\n5. **Data Aggregation:** The results from both queries (containing\ + \ ASN, CIDR, and registry information) are combined into a single result set.\n\ + 6. **Finalization:** The action returns the aggregated IP information in the\ + \ output message and sets the execution status to completed. If no information\ + \ is found for any of the provided IPs, the action fails." capabilities: can_create_case_comments: false can_create_insight: false @@ -1978,9 +2106,9 @@ List IP Information: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: true + enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1994,6 +2122,7 @@ List IP Information: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Live URL Scan: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -2007,79 +2136,83 @@ List IP Information: enrich_asset: false enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Live URL Scan: ai_description: >- - ### General Description - - The **Live URL Scan** action performs an on-demand scan of a specific URL using - the Silent Push platform to retrieve hosting metadata. This action is designed - to provide analysts with immediate technical context about a URL, such as its - hosting infrastructure, without requiring manual investigation. It allows for - simulation of different platforms, operating systems, browsers, and geographic - regions to see how the URL behaves under various conditions. + Scans a specific URL using the Silent Push platform to retrieve detailed hosting + metadata and scan results. This action allows analysts to perform on-demand URL + analysis by specifying various scanning profiles, including the platform, operating + system, browser, and geographic region from which the scan should originate. The + results provide insights into the infrastructure and behavior of the target URL, + which are returned as a structured JSON object for further investigation or automated + decision-making. ### Parameters Description - | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + | Parameter | Type | Mandatory | Default Value | Description | - | URL | String | Yes | The specific URL to be scanned. Defaults to 'https://silentpush.com'. - | + | :--- | :--- | :--- | :--- | :--- | - | Platform | String | No | The device platform to simulate for the scan. Allowed - values: 'Desktop', 'Mobile', 'Crawler'. | + | URL | string | True | https://silentpush.com | The specific URL to be scanned + by Silent Push. | - | Os | String | No | The operating system to simulate. Allowed values: 'Windows', - 'Linux', 'MacOS', 'iOS', 'Android'. | + | Platform | string | False | N/A | The device type to simulate during the scan. + Supported values: `Desktop`, `Mobile`, `Crawler`. | - | Browser | String | No | The browser to simulate. Allowed values: 'Firefox', - 'Chrome', 'Edge', 'Safari'. | + | Os | string | False | N/A | The operating system to simulate during the scan. + Supported values: `Windows`, `Linux`, `MacOS`, `iOS`, `Android`. | - | Region | String | No | The geographic region from which the scan should originate. - Allowed values: 'US', 'EU', 'AS', 'TOR'. | + | Browser | string | False | N/A | The web browser to simulate during the scan. + Supported values: `Firefox`, `Chrome`, `Edge`, `Safari`. | + | Region | string | False | N/A | The geographic region from which the scan should + be initiated. Supported values: `US`, `EU`, `AS`, `TOR`. | - ### Flow Description - 1. **Parameter Extraction:** The action extracts the target URL and optional simulation - parameters (Platform, OS, Browser, and Region) from the user input. + ### Additional Notes + + - The action performs strict validation on the `Platform`, `Os`, `Browser`, and + `Region` parameters. If an invalid value is provided, the action will fail before + making the API call. + + - This action does not automatically iterate over entities; it relies on the provided + `URL` parameter. If you wish to scan a URL entity, you must map the entity's identifier + to the `URL` parameter in the playbook. - 2. **Validation:** It validates the optional parameters against a predefined list - of supported values (e.g., checking if the provided 'Platform' is one of 'Desktop', - 'Mobile', or 'Crawler'). If validation fails, the action terminates with an error. - 3. **API Execution:** The action initializes the Silent Push Manager and executes - a GET request to the `scanondemand` endpoint with the provided parameters. + ### Flow Description - 4. **Data Parsing:** It extracts the scan results and hosting metadata from the - API response. + 1. **Configuration Extraction:** Retrieves the Silent Push Server URL and API + Key from the integration settings. - 5. **Output Generation:** The retrieved scan data is formatted and added to the - action's JSON results. If no scan data is found, the action reports a failure; - otherwise, it completes successfully. + 2. **Parameter Retrieval:** Extracts the target URL and optional scanning profile + parameters (Platform, OS, Browser, Region). + 3. **Validation:** Validates the optional parameters against a list of allowed + values (e.g., ensuring the OS is one of the supported types like Windows or Linux). - ### Additional Notes + 4. **API Interaction:** Sends a GET request to the Silent Push `scanondemand` + endpoint with the specified URL and profile settings. - - This action is strictly a retrieval (GET) operation and does not modify any - data on the Silent Push platform or within the scanned URL's environment. + 5. **Data Processing:** Parses the API response to extract the `scan` metadata. - - While the code iterates over target entities, it does not use them to drive - the scan logic; the scan is driven entirely by the 'URL' parameter. + 6. **Output Generation:** Formats the scan results into a JSON object and completes + the action, providing a summary message of the scan outcome. capabilities: can_create_case_comments: false can_create_insight: false @@ -2093,7 +2226,7 @@ Live URL Scan: categories: enrichment: true entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2107,6 +2240,7 @@ Live URL Scan: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -2118,57 +2252,45 @@ Live URL Scan: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: true + enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: - ai_description: >- - ### General Description - - The **Ping** action is a diagnostic tool designed to verify the connectivity between - the Google SecOps platform and the Silent Push API. It ensures that the provided - configuration parameters, such as the Server URL and API Key, are valid and that - the network path to the Silent Push service is open. - - - ### Parameters Description - - There are no action-specific parameters for this action. It relies entirely on - the integration's global configuration (Silent Push Server and API Key). - - - ### Flow Description - - 1. **Configuration Extraction**: The action retrieves the 'Silent Push Server' - and 'API Key' from the integration settings. - - 2. **Manager Initialization**: It initializes the `SilentPushManager` with the - extracted credentials. - - 3. **Connection Test**: The action calls the `test_connection` method, which internally - executes a sample domain search (limited to 1 result) to validate the API key's - permissions and the server's responsiveness. - - 4. **Result Reporting**: If the API call succeeds, it returns a success message. - If the call fails (e.g., due to invalid credentials or network issues), it catches - the exception and reports a failure state with the error details. - - - ### Additional Notes - - This action is typically used during the initial setup of the integration or for - troubleshooting purposes. It does not process any entities or modify any data. + ai_description: "### General Description\nThe **Ping** action is a diagnostic utility\ + \ designed to verify the connectivity and authentication between Google SecOps\ + \ and the Silent Push API. Its primary purpose is to ensure that the integration's\ + \ configuration parameters, specifically the Server URL and API Key, are valid\ + \ and that the Silent Push service is reachable.\n\n### Parameters Description\n\ + This action does not require any input parameters. It relies entirely on the integration's\ + \ global configuration:\n\n| Parameter Name | Expected Type | Mandatory | Description\ + \ |\n| :--- | :--- | :--- | :--- |\n| N/A | N/A | N/A | This action has no specific\ + \ input parameters. |\n\n### Flow Description\n1. **Parameter Extraction**: The\ + \ action retrieves the 'Silent Push Server' URL and 'API Key' from the integration's\ + \ configuration settings.\n2. **Credential Validation**: It checks if both the\ + \ URL and API Key are provided; if either is missing, the action fails immediately.\n\ + 3. **Connection Attempt**: The action initializes the `SilentPushManager` and\ + \ calls the `test_connection` method. This method performs a lightweight `GET`\ + \ request (searching for a single domain) to the Silent Push API to verify the\ + \ credentials.\n4. **Execution Outcome**: \n * If the API responds successfully,\ + \ the action completes with a success message.\n * If an exception occurs (e.g.,\ + \ 401 Unauthorized, 403 Forbidden, or network timeout), the action catches the\ + \ error and returns a failure status with the specific error details.\n\n### Additional\ + \ Notes\n* This action is strictly for connectivity testing and does not interact\ + \ with or modify any entities within the SOAR case.\n* Per standard SOAR conventions,\ + \ Ping actions are not classified as enrichment actions." capabilities: can_create_case_comments: false can_create_insight: false @@ -2182,7 +2304,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2196,6 +2318,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Reverse Padns Lookup: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -2209,116 +2332,116 @@ Ping: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: false + search_events: true send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Reverse Padns Lookup: ai_description: >- ### General Description - The **Reverse Padns Lookup** action performs a reverse Passive DNS (PADNS) query - using the Silent Push platform. It allows analysts to retrieve historical DNS - records associated with a specific value, such as a nameserver or IP address, - across various DNS record types (e.g., NS, A, MX). This action is primarily used - for infrastructure mapping and identifying related domains or assets during an - investigation. + The **Reverse Padns Lookup** action performs a reverse Passive DNS (pDNS) query + using the Silent Push platform. It allows security analysts to identify DNS records + (such as NS or MX records) that point to a specific domain or record name. This + capability is essential for infrastructure mapping, identifying shared infrastructure + between malicious actors, and uncovering related assets during an investigation. ### Parameters Description - | Name | Type | Description | Mandatory | Default Value | + | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | :--- | + | :--- | :--- | :--- | :--- | - | Qtype | string | The DNS record type to query (e.g., ns, a, mx). | false | ns - | + | **Qname** | String | Yes | The DNS record name to lookup (e.g., a nameserver + like `ns1.example.com` or a mail server). | - | Qname | string | The DNS record name or value to perform the reverse lookup - for. | true | vida.ns.cloudflare.com | + | **Qtype** | String | No | The DNS record type to filter the results by (e.g., + `ns`, `mx`). Defaults to `ns`. | - | Netmask | string | Optional netmask to filter the lookup results. | false | - "" | + | **Netmask** | String | No | A network mask to filter the lookup results. | - | subdomain | string | Flag to include subdomains in the lookup results. | false - | "" | + | **subdomain** | String | No | A flag to include subdomains in the lookup results. + | - | Regex | string | A regular expression to filter the returned DNS records. | - false | "" | + | **Regex** | String | No | A regular expression used to filter the returned DNS + records. | - | Match | string | The type of match for the query (e.g., exact, partial). | false - | "" | + | **Match** | String | No | The type of match for the query (e.g., `exact`, `partial`). + | - | First Seen After | string | Filter results to include only records first seen - after this date (YYYY-MM-DD). | false | "" | + | **First Seen After** | String | No | Filter results to include only records + first observed after this date. | - | First Seen Before | string | Filter results to include only records first seen - before this date (YYYY-MM-DD). | false | "" | + | **First Seen Before** | String | No | Filter results to include only records + first observed before this date. | - | Last Seen After | string | Filter results to include only records last seen - after this date (YYYY-MM-DD). | false | "" | + | **Last Seen After** | String | No | Filter results to include only records last + observed after this date. | - | Last Seen Before | string | Filter results to include only records last seen - before this date (YYYY-MM-DD). | false | "" | + | **Last Seen Before** | String | No | Filter results to include only records + last observed before this date. | - | As Of | string | Retrieve DNS records as they appeared at a specific point in - time. | false | "" | + | **As Of** | String | No | Retrieve DNS records as they appeared at a specific + point in time. | - | Sort | string | Field by which to sort the results (e.g., date, score). | false - | "" | + | **Sort** | String | No | Sort the results by a specified field (e.g., `date`, + `score`). | - | Output Format | string | The format for the returned results (e.g., JSON, XML). - | false | "" | + | **Output Format** | String | No | The format in which results should be returned + (e.g., `JSON`, `XML`). | - | Prefer | string | Preference for specific DNS servers or data sources. | false - | "" | + | **Prefer** | String | No | Preference for specific DNS servers or sources. | - | With Metadata | string | Boolean flag to include additional metadata in the - records. | false | "" | + | **With Metadata** | String | No | Flag to include additional metadata in the + DNS records. | - | Max Wait | string | Maximum seconds to wait for the API response (0-25). | false - | "" | + | **Max Wait** | String | No | Maximum number of seconds to wait for results before + timing out. | - | Skip | string | Number of results to skip for pagination. | false | "" | + | **Skip** | String | No | Number of results to skip for pagination purposes. + | - | Limit | string | Maximum number of results to return. | false | "" | + | **Limit** | String | No | Maximum number of results to return. | - ### Additional Notes + ### Flow Description - - This action is parameter-driven and does not automatically iterate over entities - in the SecOps case. The `Qname` must be provided manually or mapped from a previous - step. + 1. **Initialization**: The action initializes the Silent Push manager using the + provided Server URL and API Key from the integration configuration. - - The `Max Wait` parameter is constrained by the API to a value between 0 and - 25 seconds. + 2. **Parameter Extraction**: It extracts the mandatory `Qname` and all optional + filtering/pagination parameters from the action input. + 3. **API Request**: The action sends a GET request to the Silent Push `explore/padns/lookup/answer` + endpoint, passing the `Qtype`, `Qname`, and all provided filters. - ### Flow Description + 4. **Response Validation**: It checks the API response for errors. If the API + returns an error or no records are found, the action logs the failure and terminates. - 1. **Initialization**: The action extracts the Silent Push server URL and API - key from the integration configuration. + 5. **Output**: If records are found, they are formatted into an output message + and the action completes successfully. - 2. **Parameter Extraction**: It retrieves all user-provided parameters, ensuring - the mandatory `Qname` is present. - 3. **API Request**: The action calls the Silent Push `reverse_padns_lookup` endpoint - using a GET request, passing the `Qtype`, `Qname`, and all optional filters. + ### Additional Notes - 4. **Data Validation**: It checks the API response for errors or empty record - sets. If the API returns an error or no records are found, the action is marked - as failed. + - This is a **Global Action** and does not automatically iterate over entities + in the SecOps case. It relies entirely on the `Qname` parameter provided in the + input. - 5. **Result Output**: If successful, the retrieved DNS records are returned as - a JSON result for use in subsequent playbook steps. + - There is a minor discrepancy between the YAML parameter name (`subdomain`) and + the Python script's extraction logic (`Subdomains`); ensure the parameter is correctly + mapped in the environment. capabilities: can_create_case_comments: false can_create_insight: false @@ -2332,7 +2455,7 @@ Reverse Padns Lookup: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2346,6 +2469,7 @@ Reverse Padns Lookup: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Run Threat check: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -2357,26 +2481,29 @@ Reverse Padns Lookup: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: false + enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Run Threat check: ai_description: >- - Runs a threat check against the Silent Push Threat Check API to evaluate the risk - associated with a specific indicator, such as an IP address or a domain. This - action queries a specified data source within Silent Push and returns threat intelligence - data based on the provided query value. + Runs a threat check against the Silent Push Threat Check API to retrieve reputation + and threat intelligence for a specific indicator. This action is parameter-driven + and queries the Silent Push database for a provided value (IP or domain) against + a specified data source. It returns the raw threat check results to the action + output. ### Parameters Description @@ -2386,38 +2513,42 @@ Run Threat check: | :--- | :--- | :--- | :--- | - | Data | string | Yes | The name of the Silent Push data source to query (e.g., - 'iofa'). | + | Data | string | Yes | The name of the data source to query (e.g., 'iofa'). | - | Query | string | Yes | The specific value to check for threats, such as an IP - address or a domain name. | + | Query | string | Yes | The specific value to check for threats (e.g., an IP + address or domain name). | - | Type | string | Yes | The category of the query value (e.g., 'ip', 'domain'). + | Type | string | Yes | The type of the value being queried (e.g., 'ip', 'domain'). | - | User Identifier | string | Yes | A unique identifier for the user or system - making the request, used for tracking and attribution. | + | User Identifier | string | Yes | A unique identifier for the user making the + request, used for tracking and auditing. | - ### Flow Description + ### Additional Notes + - This action does not automatically process entities from the Google SecOps case; + it relies entirely on the values provided in the action parameters. - 1. **Configuration Extraction:** The action retrieves the Silent Push Server URL - and API Key from the integration configuration. + - The action performs a GET request to the Silent Push Threat Check API endpoint. + + + ### Flow Description - 2. **Parameter Retrieval:** It extracts the mandatory action parameters: Data - source, Query value, Type, and User Identifier. + 1. **Configuration Extraction:** Retrieves the Silent Push server URL and API + key from the integration settings. + + 2. **Parameter Retrieval:** Extracts the 'Data', 'Query', 'Type', and 'User Identifier' + from the action input. - 3. **API Interaction:** The action initializes the Silent Push Manager and performs - a GET request to the Threat Check API endpoint (`https://api.threatcheck.silentpush.com/v1/`) - using the provided parameters. + 3. **API Interaction:** Initializes the Silent Push Manager and executes a threat + check query via a GET request to the external API. - 4. **Result Processing:** The action receives the threat check data from Silent - Push. If no data is found or an error occurs, the action fails with a descriptive - message. + 4. **Result Processing:** Evaluates the API response. If data is found, it formats + the output message; otherwise, it logs an error and fails the action. - 5. **Completion:** The retrieved threat data is returned as a JSON result, and - the action completes successfully. + 5. **Completion:** Ends the action execution, returning the threat check results + as the final output message. capabilities: can_create_case_comments: false can_create_insight: false @@ -2431,7 +2562,7 @@ Run Threat check: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2445,6 +2576,7 @@ Run Threat check: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Screenshot URL: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -2456,39 +2588,67 @@ Run Threat check: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: true + enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Screenshot URL: - ai_description: "Generates a screenshot of a specified URL using the Silent Push\ - \ platform's on-demand scan capabilities. This action is primarily used to visually\ - \ verify the content of a suspicious or malicious URL without requiring the analyst\ - \ to visit the site directly. \n\n### Flow Description:\n1. **Configuration Extraction:**\ - \ Retrieves the Silent Push Server URL and API Key from the integration settings.\n\ - 2. **Parameter Retrieval:** Extracts the target URL provided by the user.\n3.\ - \ **Screenshot Request:** Calls the Silent Push API (`explore/tools/scanondemand`)\ - \ to initiate a live scan and generate a screenshot.\n4. **URL Validation:** Parses\ - \ the returned screenshot URL and performs a GET request to ensure the image is\ - \ accessible and the server returns a successful HTTP 200 status.\n5. **Result\ - \ Processing:** Returns the final screenshot URL as a JSON result for use in subsequent\ - \ playbook steps.\n\n### Parameters Description:\n| Parameter Name | Type | Mandatory\ - \ | Description |\n| :--- | :--- | :--- | :--- |\n| URL | string | Yes | The specific\ - \ URL for which to generate a screenshot. Defaults to a VirusTotal domain lookup\ - \ if not specified. |\n\n### Additional Notes:\n- This action does not automatically\ - \ attach the image to the case wall; it provides the URL to the generated image.\n\ - - While the script iterates over target entities, it does not use them for the\ - \ logic; the operation is entirely driven by the `URL` input parameter." + ai_description: >- + ### General Description + + Generates a visual screenshot of a specified URL using the Silent Push platform. + This action is primarily used for visual verification of potentially malicious + websites or for documenting the state of a web resource during an investigation. + It retrieves a URL pointing to the captured image and verifies that the image + is accessible. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Default Value | Description | + + | :--- | :--- | :--- | :--- | :--- | + + | URL | string | True | https://www.virustotal.com/gui/domain/tbibank-bg.com | + The specific URL for which a screenshot should be generated. | + + + ### Flow Description + + 1. **Configuration Extraction**: Retrieves the Silent Push Server URL and API + Key from the integration settings. + + 2. **Parameter Retrieval**: Extracts the target URL from the action parameters. + + 3. **API Request**: Calls the Silent Push `scanondemand` endpoint to initiate + a screenshot capture for the provided URL. + + 4. **Response Validation**: Checks the API response for errors and ensures a `screenshot_url` + is returned. + + 5. **Image Verification**: Performs a secondary HTTP GET request to the returned + screenshot URL to verify that the image was successfully generated and is reachable. + + 6. **Result Reporting**: Outputs the original URL and the resulting screenshot + URL as a JSON result for use in subsequent playbook steps. + + + ### Additional Notes + + This action does not automatically attach the image to the case wall or update + entity attributes; it provides the URL of the screenshot as a result output. capabilities: can_create_case_comments: false can_create_insight: false @@ -2502,7 +2662,7 @@ Screenshot URL: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2516,6 +2676,7 @@ Screenshot URL: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Search Scan Data: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -2529,25 +2690,27 @@ Screenshot URL: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: false + search_events: true send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Search Scan Data: ai_description: >- Searches Silent Push scan data repositories using SPQL (Silent Push Query Language) - queries. This action allows analysts to perform complex searches across Silent - Push's raw scan data to identify infrastructure patterns, certificates, or other - technical attributes. The results are returned as a JSON object containing the - raw scan records. + queries. This action allows analysts to perform complex searches across raw scan + data to identify infrastructure patterns, historical changes, or specific attributes + associated with malicious activity. The action returns raw scan data records based + on the provided query and filtering parameters. ### Parameters Description @@ -2557,46 +2720,41 @@ Search Scan Data: | :--- | :--- | :--- | :--- | - | Query | string | Yes | The SPQL query string used to filter scan data (e.g., - `tld=cool`). | + | Query | string | True | The SPQL query string used to search the scan data (e.g., + 'tld=cool'). | - | Fields | string | No | Specific fields to return in the response. | + | Fields | string | False | A comma-separated list of specific fields to return + in the response. | - | sort | string | No | Sorting criteria for the results. | + | sort | string | False | Criteria used to sort the results. | - | Skip | string | No | Number of records to skip in the response (pagination). - | + | Skip | string | False | The number of records to skip in the response (useful + for pagination). | - | Limit | string | No | Maximum number of results to return. | + | Limit | string | False | The maximum number of results to return. | - | With Metadata | boolean | No | Whether to include metadata in the response. + | With Metadata | boolean | False | Whether to include metadata in the response. Defaults to true. | - ### Additional Notes - - - This action does not run on specific entities; it performs a global search based - on the provided SPQL query. - - - The action uses a POST request to the `explore/scandata/search/raw` endpoint. - - ### Flow Description - 1. **Configuration Extraction:** Retrieves the Silent Push Server URL and API + + 1. **Configuration Extraction:** Retrieves the Silent Push Server URL and API Key from the integration settings. - 2. **Parameter Parsing:** Extracts the SPQL query and optional filters (Fields, - Limit, Skip, etc.) from the action parameters. + 2. **Parameter Parsing:** Extracts the SPQL query and optional filtering parameters + (Fields, Limit, Skip, Sort, Metadata) from the action input. - 3. **API Interaction:** Initializes the Silent Push Manager and sends a POST request - to the scan data search endpoint with the query and filters. + 3. **API Interaction:** Initializes the Silent Push Manager and executes a POST + request to the `explore/scandata/search/raw` endpoint. - 4. **Data Processing:** Parses the API response to extract the `scandata_raw` + 4. **Data Processing:** Parses the JSON response to extract the `scandata_raw` records. - 5. **Result Finalization:** Returns the found records to the Google SecOps platform - or fails if no records are found or an error occurs. + 5. **Result Handling:** If records are found, it returns them as a JSON result + and completes the action. If no records are found or an error occurs, the action + is marked as failed. capabilities: can_create_case_comments: false can_create_insight: false @@ -2610,7 +2768,7 @@ Search Scan Data: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2624,6 +2782,7 @@ Search Scan Data: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +search domains: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -2637,30 +2796,46 @@ Search Scan Data: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: true send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -search domains: ai_description: >- - ### General Description + Searches for domains within the Silent Push platform using a variety of optional + filters such as domain names, regex patterns, name servers, and ASN details. This + action is primarily used for threat hunting and gathering a list of domains that + match specific infrastructure or registration characteristics. It retrieves a + list of records containing domain metadata from the Silent Push 'explore' API. + - The **search domains** action allows users to query the Silent Push platform for - domains matching specific criteria. It is a flexible search tool that supports - wildcards, regex patterns, and various infrastructure filters such as Name Servers, - ASNs, and Registrars. This action is primarily used for threat hunting and infrastructure - analysis by identifying domains associated with specific network attributes. + ### Flow Description: + 1. **Parameter Extraction:** Retrieves the Silent Push server URL, API key, and + all search filters provided by the user (e.g., Domain, Regex, ASN, Registrar). - ### Parameters Description + 2. **Manager Initialization:** Initializes the `SilentPushManager` to handle API + communication using the provided credentials. + + 3. **API Request:** Sends a GET request to the `explore/domain/search` endpoint + with the specified query parameters and filters. + + 4. **Result Processing:** Parses the JSON response to extract domain records. + If records are found, they are returned as a JSON result; otherwise, a 'no domains + found' message is generated. + + + ### Parameters Description: | Parameter | Type | Mandatory | Description | @@ -2669,8 +2844,8 @@ search domains: | Domain | string | No | Name or wildcard pattern of domain names to search for. | - | Domain Regex | string | No | A valid RE2 regex pattern to match domains. If - provided, this overrides the 'Domain' argument. | + | Domain Regex | string | No | A valid RE2 regex pattern to match domains. Overrides + the 'Domain' argument. | | Name Server | string | No | Name server name or wildcard pattern of the name server used by domains. | @@ -2690,48 +2865,27 @@ search domains: | | Certificate Issuer | string | No | Filter domains that had SSL certificates - issued by the specified certificate issuer. Wildcards are supported. | + issued by the specified certificate issuer. Wildcards supported. | | Whois Date After | string | No | Filter domains with a WHOIS creation date after - this date (format: YYYY-MM-DD). | + this date (YYYY-MM-DD). | | Skip | string | No | Number of results to skip in the search query for pagination. | | Limit | string | No | Number of results to return. Defaults to the SilentPush - API's default behavior. | - - - ### Additional Notes - - - The action returns a JSON result containing the list of matching domain records - found in the Silent Push database. - - - Although the underlying Python code attempts to extract parameters like `Start - Date`, `End Date`, `Risk Score Min`, and `Risk Score Max`, these are not currently - defined in the action's metadata and may not be available in the UI unless the - integration is customized. + API's behavior. | - - This action does not automatically process or enrich entities currently present - in the Google SecOps case; it functions as a standalone search utility. + ### Additional Notes: - ### Flow Description - - 1. **Initialization**: The action initializes the Silent Push manager using the - server URL and API key provided in the integration configuration. - - 2. **Parameter Extraction**: It retrieves the search filters and pagination settings - (Skip/Limit) from the action parameters. - - 3. **API Request**: The action executes a GET request to the Silent Push `explore/domain/search` - endpoint, passing all provided filters as query parameters. - - 4. **Data Processing**: It parses the API response to extract domain records. - If no records are found, it prepares a message indicating no results were returned. + - The action logic also supports 'Start Date', 'End Date', and 'Risk Score' range + parameters if they are passed through the integration, though they may not be + visible in all UI configurations. - 5. **Completion**: The action returns the raw JSON records to the SecOps platform - and completes the execution successfully. + - This action does not automatically update entities or create insights in the + SecOps case; it returns the raw search results for use in subsequent playbook + steps. capabilities: can_create_case_comments: false can_create_insight: false @@ -2745,7 +2899,7 @@ search domains: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -2759,28 +2913,3 @@ search domains: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/partner/silverfort/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/silverfort/resources/ai/actions_ai_description.yaml index 883284aab..dac323302 100644 --- a/content/response_integrations/third_party/partner/silverfort/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/silverfort/resources/ai/actions_ai_description.yaml @@ -1,41 +1,74 @@ Change Policy State: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - Enable or disable an authentication policy in Silverfort. This action provides - a streamlined way to toggle the active status of a specific policy without altering - its internal configuration or rules. It is particularly useful for temporary policy - adjustments during incident response or maintenance windows. + Enables or disables an authentication policy in Silverfort. This action provides + a quick way to toggle a policy's active state without modifying its underlying + configuration, allowing for rapid response to security requirements or maintenance + needs. ### Parameters Description - - | Parameter | Description | Type | Mandatory | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Policy ID | The unique identifier of the Silverfort policy to be modified. | - String | Yes | + | Policy ID | string | Yes | The unique identifier of the policy to enable or + disable. | - | Enable Policy | Determines the new state of the policy. Set to `True` to activate - the policy or `False` to deactivate it. | Boolean | Yes | + | Enable Policy | boolean | Yes | Set to `true` to enable the policy, or `false` + to disable it. | + + + ### Additional Notes + + This action requires the 'Policies App User ID' and 'Policies App User Secret' + to be configured in the Silverfort integration settings to authenticate with the + Policies API. ### Flow Description - 1. **Parameter Extraction**: The action retrieves the `Policy ID` and the target - `Enable Policy` state from the user input. + 1. **Parameter Extraction**: The action retrieves the `Policy ID` and the desired + `Enable Policy` state from the input parameters. 2. **Client Initialization**: It initializes the Silverfort Policy API client - using the configured integration credentials. + using the integration's authentication credentials. - 3. **API Request**: The action sends a POST request to the Silverfort `/v1/public/changePolicyState` - endpoint with the policy ID and the desired state. + 3. **API Interaction**: The action sends a POST request to the Silverfort `/v1/public/changePolicyState` + endpoint with the specified policy ID and state. - 4. **Result Processing**: Upon a successful response from the API, the action - generates a success message and populates the JSON results with the updated policy - status. + 4. **Result Reporting**: The action returns a success message and provides the + updated policy state in the JSON results. capabilities: can_create_case_comments: false can_create_insight: false @@ -44,14 +77,14 @@ Change Policy State: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Enables or disables an authentication policy in Silverfort by updating its active - state via the Policies API. + Updates the 'enabled' status of a specific authentication policy within the + Silverfort platform. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -65,6 +98,7 @@ Change Policy State: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Entity Risk: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -75,70 +109,72 @@ Change Policy State: disable_identity: false download_file: false enable_identity: false - enrich_asset: false + enrich_asset: true enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Entity Risk: ai_description: >- ### General Description - Retrieves detailed risk information for a specific user or resource from the Silverfort - Identity Security platform. This action provides visibility into an entity's security - posture by returning its current risk score, severity level (e.g., Low, Medium, - High, Critical), and specific risk factors identified by Silverfort's analysis - engine. + Retrieves risk information for a specific user or resource from Silverfort. This + action fetches the current risk score, severity level, and specific risk factors + associated with the entity to provide security context for investigations. It + is a read-only action that does not modify the state of the entity in Silverfort. ### Parameters Description - | Parameter | Type | Mandatory | Description | + + | Parameter | Description | Type | Mandatory | | :--- | :--- | :--- | :--- | - | User Principal Name | String | No | The User Principal Name (UPN) of the user - to query (e.g., `user@domain.com`). Either this or 'Resource Name' must be provided. - | + | User Principal Name | The user principal name (e.g., user@domain.com) of the + user to check. | String | No | - | Resource Name | String | No | The name of the resource/asset to query. Either - this or 'User Principal Name' must be provided. | + | Resource Name | The name of the resource (for non-user entities) to check. | + String | No | ### Additional Notes - - This action requires the **Risk API** credentials (App User ID and Secret) to - be configured in the Silverfort integration settings. - - - At least one identifier ('User Principal Name' or 'Resource Name') is required - for the action to execute successfully. If both are provided, the action will - query the API using both identifiers. + Either the **User Principal Name** or the **Resource Name** must be provided for + the action to run successfully. If both are missing, the action will raise a validation + error. ### Flow Description - 1. **Parameter Extraction**: The action retrieves the 'User Principal Name' and - 'Resource Name' from the user input. + 1. **Parameter Extraction**: The action extracts the 'User Principal Name' and + 'Resource Name' from the input parameters. - 2. **Validation**: It checks that at least one of the two identifier parameters - contains a value. If both are empty, the action terminates with an error. + 2. **Validation**: It verifies that at least one of the identifier parameters + is populated. - 3. **API Interaction**: The action authenticates with the Silverfort Risk API - and performs a GET request to fetch the risk profile for the specified entity. + 3. **API Client Initialization**: It initializes the Silverfort Risk API client + using the integration's authentication credentials (API Root and External API + Key). - 4. **Result Processing**: The action captures the API response, which includes - the risk score, severity, and a list of risk factors, and attaches it to the action's - JSON results. + 4. **Data Retrieval**: The action performs a GET request to the Silverfort Risk + API to fetch risk details for the specified entity. + + 5. **Result Processing**: The retrieved risk data (score, severity, factors, and + last update time) is processed and returned as a JSON result for use in subsequent + playbook steps. capabilities: can_create_case_comments: false can_create_insight: false @@ -152,7 +188,7 @@ Get Entity Risk: categories: enrichment: true entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -166,6 +202,7 @@ Get Entity Risk: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Policy: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -176,64 +213,68 @@ Get Entity Risk: disable_identity: false download_file: false enable_identity: false - enrich_asset: true + enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Policy: ai_description: >- - The **Get Policy** action retrieves comprehensive configuration details for a - specific authentication policy from the Silverfort platform using its unique Policy - ID. This action is primarily used to audit policy settings, verify security controls, - or gather context during an investigation regarding how specific users or resources - are being authenticated. + ### General Description + + The **Get Policy** action retrieves detailed configuration information for a specific + authentication policy from Silverfort using its unique Policy ID. This action + is essential for security analysts to understand the logic, scope, and enforcement + settings of a policy, including the users, groups, source devices, and destination + resources it affects, as well as the specific security actions (e.g., MFA, Block, + Allow) it triggers. - ### Parameters + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Policy ID** | string | Yes | The unique identifier (GUID) of the Silverfort - policy to retrieve. | + | Policy ID | String | Yes | The unique identifier of the Silverfort policy to + be retrieved. | ### Flow Description - 1. **Parameter Extraction:** The action extracts the `Policy ID` provided by the - user. + 1. **Parameter Extraction:** The action extracts the `Policy ID` from the input + parameters. - 2. **Client Initialization:** It initializes the Silverfort Policy API client - using the configured integration credentials (API Root, External API Key, and - Policy App User credentials). + 2. **Authentication:** The action initializes a connection to the Silverfort Policies + API using the configured credentials and generates a JWT token for secure communication. - 3. **API Request:** The action sends a GET request to the Silverfort V2 Policies - API endpoint (`/v2/public/policies/{policy_id}`). + 3. **API Request:** It sends a GET request to the Silverfort `/v2/public/policies/{policy_id}` + endpoint to fetch the policy's full configuration. - 4. **Data Processing:** Upon a successful response, the action parses the policy - metadata, including enabled status, authentication types, protocols, sources, - destinations, and associated actions (e.g., MFA prompts). + 4. **Data Processing:** The retrieved policy data is parsed and converted into + a structured JSON format. - 5. **Output:** The complete policy configuration is returned as a JSON object, - and a success message is displayed in the SOAR interface. + 5. **Output Generation:** The action populates the JSON results with the policy + details and provides a success message indicating the policy name and ID. ### Additional Notes - * This action requires the **Policies App User ID** and **Policies App User Secret** - to be configured in the integration settings to access the Policies API. + - This action does not modify any data within Silverfort; it is a read-only operation. + + - If the provided Policy ID does not exist, the action will return an error message. capabilities: can_create_case_comments: false can_create_insight: false @@ -247,7 +288,7 @@ Get Policy: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -261,6 +302,7 @@ Get Policy: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Service Account: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -271,66 +313,44 @@ Get Policy: disable_identity: false download_file: false enable_identity: false - enrich_asset: false + enrich_asset: true enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Service Account: ai_description: >- - Retrieves detailed information about a specific service account from Silverfort - using its unique identifier (GUID). This action is used to gather contextual metadata - such as risk scores, predictability, protection status, and account attributes - (UPN, DN, SPN) for a service account. The retrieved data is returned as a JSON - object for use in subsequent playbook steps. - - - ### Parameters - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Service Account GUID | string | Yes | The unique identifier (GUID) of the service - account to retrieve from Silverfort. | - - - ### Flow Description - - 1. **Parameter Extraction:** The action retrieves the mandatory `Service Account - GUID` from the input parameters. - - 2. **Client Initialization:** It initializes the Silverfort Service Account API - client using the configured API Root and Service Account-specific JWT credentials. - - 3. **Data Retrieval:** The action performs a GET request to the Silverfort API - endpoint `/v1/public/serviceAccounts/{guid}`. - - 4. **Result Processing:** The API response is parsed into a structured `ServiceAccount` - data model. - - 5. **Output:** The service account details are saved to the action's JSON results, - and a success message is generated including the account's display name or UPN. - - - ### Additional Notes - - - This action requires the **Service Accounts App User ID** and **Service Accounts - App User Secret** to be configured in the integration settings to generate the - necessary JWT authentication token. - - - If the provided GUID does not exist or the API credentials lack sufficient permissions, - the action will return an error. + ### General Description\nRetrieves detailed information for a specific Silverfort + service account using its unique identifier (GUID). This action fetches comprehensive + metadata including risk scores, predictability metrics, protection status, and + authentication behavior, enabling analysts to perform deep-dive investigations + into service account activities.\n\n### Parameters Description\n| Parameter | + Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| **Service Account + GUID** | String | Yes | The unique identifier (GUID) of the service account in + Silverfort to be retrieved. |\n\n### Additional Notes\n- This action does not + automatically iterate over entities; it requires a specific GUID provided as a + parameter.\n- The returned data includes attributes such as `upn`, `dn`, `risk`, + `predictability`, and flags for `highly_privileged` or `suspected_brute_force` + behavior.\n\n### Flow Description\n1. **Parameter Extraction**: The action extracts + the mandatory `Service Account GUID` from the input parameters.\n2. **Client Initialization**: + It initializes the Silverfort Service Account API client using the configured + integration credentials.\n3. **Data Retrieval**: The action sends a GET request + to the Silverfort API endpoint `/v1/public/serviceAccounts/{guid}`.\n4. **Result + Processing**: Upon a successful response, the service account data is parsed into + a structured JSON result, and a success message is generated containing the account's + display name and GUID. capabilities: can_create_case_comments: false can_create_insight: false @@ -342,9 +362,9 @@ Get Service Account: fetches_data: true internal_data_mutation_explanation: null categories: - enrichment: true + enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -358,6 +378,7 @@ Get Service Account: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +List Policies: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -368,66 +389,44 @@ Get Service Account: disable_identity: false download_file: false enable_identity: false - enrich_asset: true + enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -List Policies: ai_description: >- - Retrieves a comprehensive list of authentication policies from the Silverfort - platform. This action allows users to fetch policy configurations, including their - status, authentication types, protocols, and scope (users, groups, sources, and - destinations). It supports optional field filtering to limit the response to specific - data points of interest. - - - ### Flow Description: - - 1. **Parameter Extraction:** The action extracts the `Fields` parameter provided - by the user. - - 2. **Field Validation:** If fields are specified, the action validates them against - a list of supported policy fields (e.g., `policyName`, `enabled`, `authType`). - Invalid fields are logged as warnings and ignored. - - 3. **API Interaction:** The action authenticates with the Silverfort Policies - API and sends a request to the policy index endpoint, passing the validated field - list. - - 4. **Result Processing:** The retrieved policy data is formatted into a JSON result - and the total count of policies is reported in the output message. - - - ### Parameters Description: - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Fields | string | No | A comma-separated list of specific policy fields to include - in the response. If left empty, all available fields are returned. Supported fields - include: `enabled`, `policyName`, `authType`, `protocols`, `policyType`, `allUsersAndGroups`, - `usersAndGroups`, `allDevices`, `sources`, `allDestinations`, `destinations`, - `action`, `MFAPrompt`, `all`, `bridgeType`. | - - - ### Additional Notes: - - - This action does not operate on specific entities (like IPs or Users) but rather - fetches global configuration data from the Silverfort environment. - - - The action uses the Policies API v2 endpoint. + ### General Description Lists all authentication policies from Silverfort. This + action allows users to retrieve a comprehensive list of configured policies, including + their status, authentication types, and scope. It supports optional field filtering + to limit the returned data to specific attributes of interest. ### Parameters + Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- + | :--- | | Fields | String | No | A comma-separated list of fields to include + in the response. Available fields include: enabled, policyName, authType, protocols, + policyType, allUsersAndGroups, usersAndGroups, allDevices, sources, allDestinations, + destinations, action, MFAPrompt, all, bridgeType. If left empty, all available + fields are returned. | ### Additional Notes - If invalid fields are provided in + the Fields parameter, they will be ignored, and a warning will be logged. - This + action does not operate on specific entities and returns global policy information. + ### Flow Description 1. Extract Parameters: The action retrieves the Fields parameter + from the input. 2. Field Parsing: If fields are specified, the string is split + into a list and validated against the supported Silverfort policy fields. 3. API + Request: The action calls the Silverfort Policies API (/v2/public/policies/index) + using a POST request containing the requested fields. 4. Result Processing: The + retrieved policy list is converted to JSON format and stored in the action's results. + 5. Output: A success message is generated indicating the number of policies retrieved. capabilities: can_create_case_comments: false can_create_insight: false @@ -441,7 +440,7 @@ List Policies: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -455,6 +454,7 @@ List Policies: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +List Service Accounts: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -468,27 +468,29 @@ List Policies: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: true search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -List Service Accounts: ai_description: >- ### General Description - The **List Service Accounts** action retrieves a paginated list of service accounts - from the Silverfort platform. This utility action allows analysts to browse or - audit service accounts, providing visibility into their attributes, risk levels, - and protection status. It is primarily used for discovery and reporting rather - than direct incident response on specific entities. + Lists service accounts from Silverfort with support for pagination and specific + field selection. This action allows analysts to retrieve a comprehensive list + of service accounts and their associated metadata, such as risk scores, protection + status, and authentication patterns, which is essential for identity-based auditing + and threat hunting. ### Parameters Description @@ -497,47 +499,47 @@ List Service Accounts: | :--- | :--- | :--- | :--- | - | Page Size | String | No | The number of results to return per page (1-100). - Defaults to 50. | + | Page Size | String | No | The number of results to retrieve per page (range: + 1-100). Defaults to "50". | | Page Number | String | No | The specific page number to retrieve. Defaults to - 1. | + "1". | | Fields | String | No | A comma-separated list of specific attributes to include - in the response (e.g., `guid, display_name, risk`). If left empty, all available - fields are returned. | + in the response (e.g., `guid, risk, upn`). If left empty, all available fields + are returned. | - ### Flow Description + ### Additional Notes - 1. **Parameter Extraction**: The action retrieves the `Page Size`, `Page Number`, - and `Fields` from the user input. + - Supported fields for the `Fields` parameter include: `guid`, `display_name`, + `sources_count`, `destinations_count`, `number_of_authentications`, `risk`, `predictability`, + `protected`, `upn`, `dn`, `spn`, `comment`, `owner`, `type`, `domain`, `category`, + `creation_date`, `highly_privileged`, `interactive_login`, `broadly_used`, `suspected_brute_force`, + and `repetitive_behavior`. - 2. **Field Validation**: If specific fields are requested, the action validates - them against the supported Silverfort service account schema (`SA_INDEX_FIELDS`). - Invalid fields are logged as warnings and ignored. + - If invalid fields are provided in the `Fields` parameter, the action will log + a warning and ignore the invalid entries while processing the valid ones. - 3. **API Request**: The action authenticates using the Service Accounts API credentials - and sends a POST request to the `/v1/public/serviceAccounts/index` endpoint with - the pagination and field selection criteria. - 4. **Data Processing**: The retrieved service account data is parsed into a structured - format and stored in the action's JSON results. + ### Flow Description - 5. **Output**: The action provides a summary message indicating the number of - accounts found on the requested page. + 1. **Parameter Extraction:** The action extracts the `Page Size`, `Page Number`, + and `Fields` parameters from the input configuration. + 2. **Field Validation:** If the `Fields` parameter is provided, the action splits + the string and validates each field against the supported Silverfort service account + attribute list. - ### Additional Notes + 3. **API Interaction:** The action authenticates with the Silverfort Service Accounts + API and sends a POST request to the `/serviceAccounts/index` endpoint with the + specified pagination and field filters. - - This action does not operate on specific entities within a case; it is a global - search/list operation. + 4. **Data Processing:** The action receives the list of service accounts and converts + the results into a structured JSON format. - - Supported fields for the `Fields` parameter include: `guid`, `display_name`, - `sources_count`, `destinations_count`, `number_of_authentications`, `risk`, `predictability`, - `protected`, `upn`, `dn`, `spn`, `comment`, `owner`, `type`, `domain`, `category`, - `creation_date`, `highly_privileged`, `interactive_login`, `broadly_used`, `suspected_brute_force`, - `repetitive_behavior`. + 5. **Output Generation:** The action provides a success message indicating the + number of accounts retrieved and populates the JSON results for use in playbooks. capabilities: can_create_case_comments: false can_create_insight: false @@ -551,7 +553,7 @@ List Service Accounts: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -565,6 +567,7 @@ List Service Accounts: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -578,45 +581,61 @@ List Service Accounts: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: - ai_description: "### General Description\nThe **Ping** action is a utility designed\ - \ to verify the connectivity between Google SecOps and the Silverfort Identity\ - \ Security platform. It validates the integration's configuration by testing the\ - \ reachability of the Silverfort API Root and the validity of the provided credentials.\ - \ Specifically, it checks the connectivity for each configured API module: Risk,\ - \ Service Accounts, and Policies. This ensures that subsequent actions relying\ - \ on these specific modules will function correctly.\n\n### Parameters Description\n\ - There are no user-input parameters for this action. It relies entirely on the\ - \ integration's global configuration settings (API Root, External API Key, and\ - \ module-specific App User IDs/Secrets).\n\n### Additional Notes\n* The action\ - \ requires at least one set of API credentials (Risk, Service Accounts, or Policies)\ - \ to be configured in the integration settings to perform a meaningful test.\n\ - * The connectivity test for each module is lightweight: the Risk API performs\ - \ a dummy risk lookup, the Service Accounts API attempts a paginated list request,\ - \ and the Policies API retrieves a list of rule names.\n\n### Flow Description\n\ - 1. **Configuration Retrieval:** The action fetches the global integration parameters,\ - \ including the API Root and authentication keys.\n2. **Module Identification:**\ - \ It identifies which Silverfort API modules (Risk, Service Accounts, Policies)\ - \ have credentials configured.\n3. **Connectivity Testing:** For each configured\ - \ module, the action initializes a specific API client and executes a `test_connectivity`\ - \ method.\n4. **Result Aggregation:** The action tracks which modules succeeded\ - \ and which failed.\n5. **Final Reporting:** \n * If all configured modules\ - \ connect successfully, it returns a success message.\n * If some modules\ - \ fail while others succeed, it returns a partial success message detailing the\ - \ status of each.\n * If no modules are configured or all configured modules\ - \ fail, it raises an error." + ai_description: >- + ### General Description + + Tests connectivity to the Silverfort API. This action validates the 'External + API Key' and verifies connectivity for each configured API module (Risk, Service + Accounts, and Policies) using their respective App User IDs and Secrets provided + in the integration configuration. + + + ### Parameters Description + + There are no action-specific parameters for this action. It relies entirely on + the integration's global configuration settings (API Root, External API Key, and + module-specific credentials). + + + ### Additional Notes + + - The action requires at least one set of API credentials (Risk, Service Accounts, + or Policies) to be configured in the integration settings to run. + + - It performs lightweight requests (e.g., listing rules or checking a test entity) + to verify that authentication tokens can be generated and accepted by the Silverfort + endpoints. + + + ### Flow Description + + 1. **Configuration Retrieval**: The action fetches the integration parameters, + including the API Root and all provided credentials. + + 2. **API Identification**: It determines which Silverfort API modules (Risk, Service + Accounts, Policies) have credentials configured. + + 3. **Connectivity Testing**: For each identified module, it initializes a specific + client and executes a `test_connectivity` method which performs a low-impact API + call. + + 4. **Result Aggregation**: It collects the status of each test and returns a summary + message indicating which APIs connected successfully and which failed. capabilities: can_create_case_comments: false can_create_insight: false @@ -630,7 +649,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -644,6 +663,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Update Entity Risk: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -657,72 +677,78 @@ Ping: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false - update_identity: false + update_identity: true update_ticket: false -Update Entity Risk: ai_description: >- - Updates risk information for a user in Silverfort. This action allows security - analysts to manually or automatically adjust a user's risk profile based on external - threat intelligence or specific security events observed in the environment. By - setting a specific risk type and severity, Silverfort can adjust its authentication - policies for that user. + ### General Description + Updates the risk information for a specific user identity within the Silverfort + platform. This action allows security analysts to manually adjust or programmatically + set risk levels (e.g., activity risk, malware risk) for a user based on external + intelligence or observed behavior. By updating the risk score and providing a + duration for its validity, analysts can influence Silverfort's authentication + policies and adaptive response logic. - ### Flow Description - 1. **Parameter Extraction:** The action retrieves the User Principal Name (UPN), - risk type, severity level, validity duration, and a descriptive reason from the - input parameters. + ### Parameters Description + + | Parameter | Type | Mandatory | Description | - 2. **Validation:** It validates that the provided risk type and severity match - Silverfort's supported enums and ensures the validity duration is a positive integer. + | :--- | :--- | :--- | :--- | - 3. **API Interaction:** The action initializes a connection to the Silverfort - Risk API and sends a POST request to the `/v1/public/updateEntityRisk` endpoint - with the specified risk metadata. + | User Principal Name | string | Yes | The unique identifier (UPN) of the user + to update (e.g., user@domain.com). | - 4. **Result Reporting:** Upon a successful API response, the action returns a - success message and populates the JSON results with the updated risk details. + | Risk Type | ddl | Yes | The specific category of risk to update. Options include: + `activity_risk`, `malware_risk`, `data_breach_risk`, or `custom_risk`. | + | Severity | ddl | Yes | The severity level assigned to the risk. Options include: + `low`, `medium`, `high`, or `critical`. | - ### Parameters Description + | Valid For Hours | string | Yes | A positive integer representing how long (in + hours) this risk indicator should remain active before expiring. | + | Description | string | Yes | A text description providing context or justification + for the risk update. | - | Parameter Name | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + ### Additional Notes - | User Principal Name | String | Yes | The user principal name (e.g., user@domain.com) - for whom the risk information will be updated. | + This action performs a state change in the Silverfort console. It requires the + 'Risk API' credentials (App User ID and Secret) to be configured in the integration + settings. The action validates that 'Valid For Hours' is a positive integer and + that the provided Risk Type and Severity match Silverfort's supported values. - | Risk Type | DDL | Yes | The category of risk to update. Options include: `activity_risk`, - `malware_risk`, `data_breach_risk`, or `custom_risk`. | - | Severity | DDL | Yes | The severity level of the risk indicator. Options include: - `low`, `medium`, `high`, or `critical`. | + ### Flow Description - | Valid For Hours | String | Yes | The duration (in hours) for which this risk - indicator should remain active in Silverfort. Must be a positive integer. | + 1. **Parameter Extraction:** The action retrieves the User Principal Name, Risk + Type, Severity, Duration, and Description from the input parameters. - | Description | String | Yes | A text description providing context or the reason - for the risk update. | + 2. **Validation:** It verifies that the Risk Type and Severity are valid according + to predefined enums and ensures the duration is a positive integer. + 3. **API Client Initialization:** It initializes the Silverfort Risk API client + using the configured credentials and JWT authentication. - ### Additional Notes + 4. **Request Execution:** It constructs a `RiskUpdate` object and sends a POST + request to the `/v1/public/updateEntityRisk` endpoint. - * This action requires the **Risk App User ID** and **Risk App User Secret** to - be configured in the integration settings to authenticate with the Silverfort - Risk API. + 5. **Result Processing:** Upon success, it returns a JSON object containing the + updated risk details and confirms the update in the output message. capabilities: can_create_case_comments: false can_create_insight: false @@ -731,14 +757,14 @@ Update Entity Risk: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the risk score and risk factors for a specific user identity within - the Silverfort platform via the Risk API. + Updates the risk level, severity, and description for a user identity in the + Silverfort platform via a POST request to the Risk API. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -752,6 +778,7 @@ Update Entity Risk: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Update Policy: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -765,91 +792,89 @@ Update Entity Risk: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: true update_ticket: false -Update Policy: ai_description: >- ### General Description - Updates an existing authentication policy in Silverfort. This action allows for - comprehensive modification of a policy's configuration, including toggling its - enabled state and dynamically managing the lists of users, groups, network sources, - and destinations associated with it. It is primarily used to adjust security controls - or access permissions for specific entities within the Silverfort environment. + Updates an authentication policy in Silverfort. This action allows for modifying + the policy's enabled state and managing the lists of users, groups, sources, and + destinations associated with the policy. It is primarily used to dynamically adjust + security controls based on incident response needs, such as enabling a policy + or adding specific users to a restricted group. ### Parameters Description - | Parameter | Type | Mandatory | Description | + | Parameter | Description | Type | Mandatory | | :--- | :--- | :--- | :--- | - | Policy ID | String | Yes | The unique identifier of the Silverfort policy to - be updated. | + | Policy ID | The unique identifier of the policy to update. | string | Yes | - | Enabled | Boolean | No | Determines whether the policy should be active (true) - or inactive (false). | + | Enabled | Determines whether the policy should be enabled (true) or disabled + (false). | boolean | No | - | Add Users and Groups | String | No | A JSON array of user/group objects to add - to the policy. Format: `[{"identifierType": "upn", "identifier": "user@domain.com", - "displayName": "User Name", "domain": "domain.com"}]`. | + | Add Users and Groups | JSON array of users/groups to add to the policy. Format: + `[{"identifierType": "upn", "identifier": "user@domain.com", "displayName": "User + Name", "domain": "domain.com"}]` | string | No | - | Remove Users and Groups | String | No | A JSON array of user/group objects to - remove from the policy. Format: `[{"identifierType": "upn", "identifier": "user@domain.com", - "displayName": "User Name", "domain": "domain.com"}]`. | + | Remove Users and Groups | JSON array of users/groups to remove from the policy. + Format: `[{"identifierType": "upn", "identifier": "user@domain.com", "displayName": + "User Name", "domain": "domain.com"}]` | string | No | - | Add Sources | String | No | A JSON array of source objects to add. Format: `[{"identifierType": - "ip", "identifier": "10.0.0.1", "displayName": "Server"}]`. | + | Add Sources | JSON array of sources to add to the policy. Format: `[{"identifierType": + "ip", "identifier": "10.0.0.1", "displayName": "Server"}]` | string | No | - | Remove Sources | String | No | A JSON array of source objects to remove. Format: - `[{"identifierType": "ip", "identifier": "10.0.0.1", "displayName": "Server"}]`. - | + | Remove Sources | JSON array of sources to remove from the policy. Format: `[{"identifierType": + "ip", "identifier": "10.0.0.1", "displayName": "Server"}]` | string | No | - | Add Destinations | String | No | A JSON array of destination objects to add. - Format: `[{"identifierType": "hostname", "identifier": "server.domain.com", "displayName": - "Server", "domain": "domain.com", "services": ["rdp"]}]`. | + | Add Destinations | JSON array of destinations to add to the policy. Format: + `[{"identifierType": "hostname", "identifier": "server.domain.com", "displayName": + "Server", "domain": "domain.com", "services": ["rdp"]}]` | string | No | - | Remove Destinations | String | No | A JSON array of destination objects to remove. + | Remove Destinations | JSON array of destinations to remove from the policy. Format: `[{"identifierType": "hostname", "identifier": "server.domain.com", "displayName": - "Server", "domain": "domain.com", "services": ["rdp"]}]`. | + "Server", "domain": "domain.com", "services": ["rdp"]}]` | string | No | ### Additional Notes - - The action expects JSON-formatted strings for all 'Add' and 'Remove' parameters. - Ensure the JSON structure matches the examples provided in the parameter descriptions - to avoid parsing errors. + - The action expects JSON-formatted strings for the 'Add/Remove' parameters. If + the JSON is malformed, the action will fail with a validation error. - - If no optional parameters are provided, the action will attempt to update the - policy with no changes, which may result in a successful but no-op API call. + - At least one update parameter (Enabled, Add/Remove lists) should be provided + alongside the Policy ID for the action to have an effect. ### Flow Description - 1. **Parameter Extraction:** The action retrieves the mandatory Policy ID and - all optional configuration parameters from the SOAR environment. + 1. **Parameter Extraction**: The action retrieves the Policy ID and all optional + update parameters from the input. - 2. **JSON Parsing:** It parses the provided JSON strings for users, groups, sources, - and destinations into structured data models (`PolicyIdentifier` and `PolicyDestination`). + 2. **JSON Parsing**: It parses the JSON strings for users, groups, sources, and + destinations into internal data models. - 3. **API Client Initialization:** Initializes the Silverfort Policy API client - using configured credentials. + 3. **API Interaction**: It initializes the Silverfort Policy API client and sends + a PATCH request to the `/v2/public/policies/{policy_id}` endpoint with the specified + changes. - 4. **Policy Update:** Executes a PATCH request to the Silverfort API endpoint - `/v2/public/policies/{policy_id}` with the specified modifications. - - 5. **Result Reporting:** Captures the API response, updates the action's JSON - results with the policy status, and provides a success message to the case wall. + 4. **Result Processing**: Upon a successful API response, it constructs a JSON + result indicating the policy was updated and returns a success message to the + SOAR. capabilities: can_create_case_comments: false can_create_insight: false @@ -858,14 +883,15 @@ Update Policy: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the configuration of an authentication policy in Silverfort, including - its status and member lists (users, groups, sources, destinations). + Modifies the configuration of an authentication policy in Silverfort, including + its enabled state and the associated users, groups, sources, and destinations + via a PATCH request. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -879,6 +905,7 @@ Update Policy: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Update SA Policy: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -892,99 +919,96 @@ Update Policy: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false - update_identity: false + update_identity: true update_ticket: false -Update SA Policy: ai_description: >- - Updates the protection policy for a specific service account in Silverfort. This - action allows for granular control over how a service account is protected, including - enabling/disabling the policy, toggling active blocking for violations, and configuring - SIEM logging. It also supports defining risk level thresholds, allowed protocols - (Kerberos, LDAP, NTLM), and managing allowlists for source and destination endpoints. - Sources and destinations can be added or removed using JSON-formatted arrays of - objects containing the endpoint key and its type (e.g., IP, hostname). - - - ### Flow Description - - 1. **Parameter Extraction:** Retrieves the mandatory Service Account GUID and - optional policy settings (Enabled, Block, Send to SIEM, Risk Level, etc.) from - the action parameters. - - 2. **Validation:** Validates that the provided Risk Level and Protocols match - the allowed values defined in the Silverfort integration constants. - - 3. **Endpoint Parsing:** Parses the JSON strings for adding or removing allowed - sources and destinations into structured endpoint objects. - - 4. **API Execution:** Calls the Silverfort Service Accounts API via a POST request - to the `/v1/public/serviceAccounts/policy/{guid}` endpoint with the updated configuration. + ### General Description - 5. **Result Handling:** Returns a success message and a JSON object containing - the GUID and update status if the operation completes successfully. + Updates the protection policy for a specific service account in Silverfort. This + action allows security teams to programmatically adjust the security posture of + service accounts by enabling or disabling policies, toggling blocking mode, configuring + SIEM integration, and managing allowlists for sources, destinations, and protocols. ### Parameters Description - | Parameter Name | Expected Type | Mandatory | Description | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Service Account GUID | string | Yes | The unique identifier (GUID) of the service - account to update. | + | Service Account GUID | String | Yes | The unique identifier (GUID) of the service + account whose policy is being updated. | - | Enabled | boolean | No | If set, enables or disables the protection policy. - | + | Enabled | Boolean | No | Toggle to enable or disable the policy. | - | Block | boolean | No | If set, enables or disables active blocking for policy - violations. | + | Block | Boolean | No | Toggle to enable or disable blocking for policy violations. + | - | Send to SIEM | boolean | No | If set, enables or disables the forwarding of - policy events to the SIEM. | + | Send to SIEM | Boolean | No | Toggle to enable or disable sending policy violation + logs to the SIEM. | - | Risk Level | ddl | No | Sets the risk level threshold for the policy. Options: - low, medium, high. | + | Risk Level | DDL | No | The risk level threshold for the policy. Supported values: + `low`, `medium`, `high`. | - | Allow All Sources | boolean | No | If true, the policy will allow all source - endpoints, ignoring the specific allowlist. | + | Allow All Sources | Boolean | No | If set to true, the policy will ignore the + specific allowed sources list and allow all sources. | - | Allow All Destinations | boolean | No | If true, the policy will allow all destination - endpoints, ignoring the specific allowlist. | + | Allow All Destinations | Boolean | No | If set to true, the policy will ignore + the specific allowed destinations list and allow all destinations. | - | Protocols | string | No | A comma-separated list of protocols to allow (e.g., - 'Kerberos, ldap, ntlm'). | + | Protocols | String | No | A comma-separated list of protocols to allow (e.g., + `Kerberos`, `ldap`, `ntlm`). | - | Add Allowed Sources | string | No | A JSON array of source objects to add to + | Add Allowed Sources | String | No | A JSON array of source objects to add to the allowlist. Format: `[{"key": "10.0.0.1", "key_type": "ip"}]`. | - | Remove Allowed Sources | string | No | A JSON array of source objects to remove + | Remove Allowed Sources | String | No | A JSON array of source objects to remove from the allowlist. Format: `[{"key": "10.0.0.1", "key_type": "ip"}]`. | - | Add Allowed Destinations | string | No | A JSON array of destination objects + | Add Allowed Destinations | String | No | A JSON array of destination objects to add to the allowlist. Format: `[{"key": "10.0.0.1", "key_type": "ip"}]`. | - | Remove Allowed Destinations | string | No | A JSON array of destination objects + | Remove Allowed Destinations | String | No | A JSON array of destination objects to remove from the allowlist. Format: `[{"key": "10.0.0.1", "key_type": "ip"}]`. | ### Additional Notes - - The action performs a state change in Silverfort and is classified as a mutation - action. + The `Add/Remove Allowed Sources/Destinations` parameters require a specific JSON + structure. Each object in the array must contain a `key` (the identifier, such + as an IP or hostname) and a `key_type` (the type of identifier). + + + ### Flow Description + + 1. **Parameter Extraction:** The action retrieves the mandatory Service Account + GUID and all optional policy configuration parameters from the input. - - Allowlist parameters (Add/Remove Sources/Destinations) must be valid JSON arrays - of objects with 'key' and 'key_type' fields. + 2. **Validation:** It validates that the provided `Risk Level` and `Protocols` + match the supported enums in the Silverfort system. + + 3. **Endpoint Parsing:** It parses the JSON strings provided for adding or removing + allowed sources and destinations into structured data models. + + 4. **API Interaction:** It sends a POST request to the Silverfort Service Accounts + API endpoint to apply the specified policy updates for the given GUID. + + 5. **Result Handling:** The action returns a success status and the GUID of the + updated service account. capabilities: can_create_case_comments: false can_create_insight: false @@ -1000,7 +1024,7 @@ Update SA Policy: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1014,28 +1038,3 @@ Update SA Policy: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: true - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: true - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: true - update_ticket: false diff --git a/content/response_integrations/third_party/partner/spycloud/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/spycloud/resources/ai/actions_ai_description.yaml index e13a014b6..26e99dda7 100644 --- a/content/response_integrations/third_party/partner/spycloud/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/spycloud/resources/ai/actions_ai_description.yaml @@ -1,68 +1,96 @@ List Catalogs: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - Lists available breach catalogs from SpyCloud based on specified timeframes and - filters. This action allows analysts to discover which data sources (catalogs) - are available in the SpyCloud database for a given period, facilitating further - investigation into specific breaches. + ### General Description + This action retrieves a list of available data catalogs from SpyCloud based on + specified timeframes and filtering criteria. It is primarily used to identify + which breach catalogs are available for further investigation or entity enrichment + within a specific period. - ### Flow Description: - 1. **Parameter Extraction:** Retrieves API credentials and action parameters including - filter logic, time range, and result limits. + ### Parameters Description + + | Parameter | Type | Mandatory | Description | - 2. **Timeframe Calculation:** Converts the selected 'Time Frame' (e.g., Last Week, - Last Month, Last Year, or Custom) into specific start and end dates using utility - functions. + | :--- | :--- | :--- | :--- | - 3. **API Request:** Sends a paginated GET request to the SpyCloud `/enterprise-v1/breach/catalog` - endpoint via the SpyCloudManager. + | Filter Logic | DDL | No | Determines how the 'Filter Value' is applied. Options + are 'Equal' (exact match on title) or 'Contains' (substring match across all fields). + Default is 'Equal'. | - 4. **Filtering:** Applies local filtering to the results if 'Equal' logic is selected, - matching the 'Filter Value' against catalog titles. If 'Contains' is selected, - the API-level query parameter handles the search. + | Filter Value | String | No | The string to search for. If 'Equal' is selected, + it matches the catalog title. If 'Contains' is selected, it searches all response + fields. | - 5. **Data Processing:** Slices the result list based on the 'Max Catalogs To Return' - parameter to ensure the output stays within the requested limit. + | Time Frame | DDL | Yes | The period to search for catalogs. Options: 'Last Week', + 'Last Month', 'Last Year', or 'Custom'. | - 6. **Output Generation:** Populates a data table named 'Available Catalogs' and - provides the raw JSON results for downstream playbook use. + | Start Time | String | No | Mandatory if 'Time Frame' is set to 'Custom'. Specifies + the beginning of the search range in ISO 8601 format. | + | End Time | String | No | Specifies the end of the search range in ISO 8601 format. + If 'Custom' is selected and this is empty, the current time is used. | - ### Parameters Description: + | Max Catalogs To Return | String | No | Limits the number of catalog records + returned. Default is 50. | - | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + ### Additional Notes - | Filter Logic | DDL | No | Determines how the 'Filter Value' is applied. 'Equal' - performs a strict title match in the script, while 'Contains' relies on the API's - query parameter. | + - If 'Custom' is selected for 'Time Frame', the 'Start Time' parameter must be + provided, otherwise the action will fail. - | Filter Value | String | No | The string to search for within the catalogs. If - 'Equal' is used, it matches the title; otherwise, it acts as a general query. - | + - The action supports pagination and will automatically fetch all results from + the SpyCloud API before applying local filters and limits. - | Time Frame | DDL | Yes | The temporal scope of the search (Last Week, Last Month, - Last Year, or Custom). | - | Start Time | String | No | Mandatory if 'Time Frame' is set to 'Custom'. Expects - ISO 8601 format. | + ### Flow Description - | End Time | String | No | ISO 8601 format. Defaults to the current time if 'Custom' - is selected and this field is left empty. | + 1. **Initialization**: The action initializes the SpyCloud manager using the provided + API credentials and configuration. - | Max Catalogs To Return | String | No | Limits the number of catalog records - returned. Default is 50. | + 2. **Timeframe Calculation**: It parses the 'Time Frame' and optional 'Start/End + Time' parameters to determine the search window. + 3. **Data Retrieval**: It performs a paginated GET request to the SpyCloud `/enterprise-v1/breach/catalog` + endpoint. - ### Additional Notes: + 4. **Filtering**: If a 'Filter Value' is provided, the action filters the retrieved + list based on the 'Filter Logic' (Equal or Contains). - - If 'Custom' is selected for 'Time Frame', the 'Start Time' parameter must be - provided or the action will fail. + 5. **Limiting**: The result set is truncated based on the 'Max Catalogs To Return' + parameter. - - The 'Equal' filter logic is case-sensitive and specifically targets the 'title' - field of the catalog objects returned by the API. + 6. **Output**: The final list of catalogs is added to the action results as a + JSON object and displayed in a data table named 'Available Catalogs'. capabilities: can_create_case_comments: false can_create_insight: false @@ -76,7 +104,7 @@ List Catalogs: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -90,6 +118,7 @@ List Catalogs: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +List Entity Breaches: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -100,81 +129,84 @@ List Catalogs: disable_identity: false download_file: false enable_identity: false - enrich_asset: false - enrich_ioc: false + enrich_asset: true + enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false - search_events: true + search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -List Entity Breaches: ai_description: >- - Enriches entities by checking for associated data breaches in the SpyCloud database. - This action supports IP Addresses, Usernames, Email Addresses, and Domains, providing - detailed information about where and when an entity's data may have been compromised. + Retrieves breach information from SpyCloud for specific entities including IP + Addresses, Usernames, Email Addresses, and Domains. This action checks if the + provided entities have been involved in known data breaches within a specified + timeframe and enriches the entities with the findings. - ### Flow Description + ### Flow Description: - 1. **Initialization**: Establishes a connection to the SpyCloud API using the - provided credentials and validates the 'Max Breaches To Return' parameter. + 1. **Initialization**: The action initializes the SpyCloud manager using the provided + API credentials and configuration. - 2. **Time Window Calculation**: Determines the start and end timestamps for the - search based on the 'Time Frame' selection (Last Week, Last Month, Last Year, - or Custom). + 2. **Timeframe Calculation**: It determines the search window based on the 'Time + Frame' parameter. If 'Custom' is selected, it validates and uses the 'Start Time' + and 'End Time' parameters. 3. **Catalog Resolution**: If a 'Catalog Filter' is provided, the action fetches - available catalogs from SpyCloud to identify the specific ID for the requested - category. - - 4. **Entity Processing**: Iterates through supported entities (IP, User, URL) - and maps them to SpyCloud breach types (ips, emails, usernames, domains). + available catalogs from SpyCloud to find the corresponding ID for targeted searching. - 5. **Data Retrieval**: Queries the SpyCloud API for breach records matching the - entity identifier, applying the catalog filter and result limit. + 4. **Entity Processing**: The action iterates through supported entities (IP, + User, URL): + * It determines the appropriate breach type (ips, emails, usernames, or domains). + * It extracts the relevant identifier (e.g., stripping the domain from a URL). + * It queries the SpyCloud API for breach records associated with that identifier + and catalog. + 5. **Enrichment and Results**: For entities with found breaches, it updates the + entity's additional properties with enrichment data, marks the entity as enriched, + and compiles the raw breach data into a JSON result for the SOAR platform. - 6. **Internal Update**: For entities with found breaches, it updates the entity's - additional properties with a 'was_breached' flag, marks the entity as enriched, - and attaches the full breach details as a JSON result. + ### Parameters Description: - ### Parameters Description - - | Parameter | Type | Mandatory | Description | + | Parameter Name | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Catalog Filter | string | No | Specify the name of the category/source in which + | Catalog Filter | string | No | Specify the name of the category/catalog in which you want to search for breaches. | - | Time Frame | ddl | Yes | Specify a time frame for the search. Options: Last - Week, Last Month, Last Year, Custom. | + | Time Frame | ddl | Yes | Predefined time range for the search (Last Week, Last + Month, Last Year, or Custom). | - | Start Time | string | No | Mandatory if 'Custom' is selected for 'Time Frame'. - Format: ISO 8601. | + | Start Time | string | No | Mandatory if 'Time Frame' is set to 'Custom'. Format: + ISO 8601. | - | End Time | string | No | Optional for 'Custom' Time Frame. If empty, defaults - to the current time. Format: ISO 8601. | + | End Time | string | No | Optional end time for 'Custom' searches. Defaults to + current time if not provided. Format: ISO 8601. | - | Max Breaches To Return | string | No | Limits the number of breach records returned - per entity. Default is 1; Maximum is 1000. | + | Max Breaches To Return | string | No | The maximum number of breach records + to retrieve per entity. Default is 1, maximum is 1000. | - ### Additional Notes + ### Additional Notes: - - If 'Custom' is selected for 'Time Frame', the 'Start Time' parameter must be - provided, or the action will fail. + * **Entity Mapping**: Username entities are automatically checked against an email + regex; if they match, they are treated as 'emails' breach types, otherwise as + 'usernames'. - - For URL entities, the action automatically extracts the domain part to perform - the search. + * **URL Handling**: For URL entities, the action automatically extracts the domain + part to perform the search. capabilities: can_create_case_comments: false can_create_insight: false @@ -185,15 +217,15 @@ List Entity Breaches: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with a 'was_breached' flag and sets the - 'is_enriched' status to true for entities found in breach data. + Updates entity additional properties with breach information and sets the 'is_enriched' + flag to true for entities where breaches were found. categories: enrichment: true entity_usage: entity_types: - - ADDRESS - - USERUNIQNAME - - DestinationURL + - ADDRESS + - USERUNIQNAME + - DestinationURL filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -207,6 +239,7 @@ List Entity Breaches: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -217,69 +250,44 @@ List Entity Breaches: disable_identity: false download_file: false enable_identity: false - enrich_asset: true - enrich_ioc: true + enrich_asset: false + enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: - ai_description: >- - ### General Description - - The **Ping** action is a diagnostic utility designed to verify the connectivity - between the Google SecOps platform and the SpyCloud service. It ensures that the - provided API Root, API Key, and SSL settings are correct and that the SpyCloud - API is reachable and responding to requests. This action is typically used during - the initial setup of the integration or for troubleshooting communication issues. - - - ### Parameters Description - - | Parameter Name | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | None | N/A | N/A | This action does not require any runtime parameters. It utilizes - the configuration parameters defined at the integration level (API Root, API Key, - and Verify SSL). | - - - ### Additional Notes - - - This action performs a simple GET request to the `/enterprise-v1/breach/catalog/1` - endpoint to validate the credentials and network path. - - - As per standard SOAR practices, Ping actions are used for health checks and - do not process entities or modify case data. - - - ### Flow Description - - 1. **Parameter Extraction:** The action retrieves the integration's configuration - settings, including the API Root URL, the API Key, and the SSL verification flag. - - 2. **Manager Initialization:** It initializes the `SpyCloudManager` with the retrieved - configuration. - - 3. **Connectivity Test:** The manager executes the `test_connectivity` method, - which sends a GET request to the SpyCloud API. - - 4. **Response Validation:** The action checks the HTTP response status. If the - request is successful (2xx status code), the connection is considered valid. - - 5. **Final Status:** The action reports a success message to the Siemplify workbench - if the connection is established, or an error message detailing the failure if - the request fails. + ai_description: "### General Description\nThe **Ping** action is a diagnostic tool\ + \ designed to verify the connectivity between Google SecOps and the SpyCloud service.\ + \ It ensures that the provided API credentials and network configurations (such\ + \ as the API Root and SSL settings) are valid and that the SpyCloud API is reachable.\n\ + \n### Parameters Description\n| Parameter Name | Expected Type | Mandatory | Description\ + \ |\n| :--- | :--- | :--- | :--- |\n| **API Root** | String | Yes | The base URL\ + \ for the SpyCloud API instance. |\n| **API Key** | String | Yes | The API key\ + \ used for authentication with SpyCloud. |\n| **Verify SSL** | Boolean | Yes |\ + \ If enabled, the action will verify the SSL certificate of the SpyCloud server.\ + \ |\n\n### Flow Description\n1. **Parameter Extraction:** The action retrieves\ + \ the `API Root`, `API Key`, and `Verify SSL` settings from the integration configuration.\n\ + 2. **Manager Initialization:** It initializes the `SpyCloudManager` with the extracted\ + \ credentials.\n3. **Connectivity Test:** The manager executes a `GET` request\ + \ to a specific SpyCloud endpoint (`/enterprise-v1/breach/catalog/1`) to test\ + \ the connection.\n4. **Result Handling:** \n * If the request is successful,\ + \ the action completes with a success message.\n * If an error occurs (e.g.,\ + \ authentication failure, network timeout), the action fails and provides the\ + \ error details.\n\n### Additional Notes\n* This action does not process or require\ + \ any entities.\n* It is strictly used for configuration validation and does not\ + \ perform any data enrichment or mutation." capabilities: can_create_case_comments: false can_create_insight: false @@ -293,7 +301,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -307,28 +315,3 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/partner/spycloud/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/spycloud/resources/ai/integration_ai_description.yaml index 4fe442a77..2e831240c 100644 --- a/content/response_integrations/third_party/partner/spycloud/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/partner/spycloud/resources/ai/integration_ai_description.yaml @@ -4,7 +4,7 @@ product_categories: collaboration: false edr: false email_security: false - iam_and_identity_management: true + iam_and_identity_management: false itsm: false network_security: false siem: false diff --git a/content/response_integrations/third_party/partner/stairwell/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/stairwell/resources/ai/actions_ai_description.yaml index 2a912bc31..794fad4a7 100644 --- a/content/response_integrations/third_party/partner/stairwell/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/stairwell/resources/ai/actions_ai_description.yaml @@ -1,35 +1,60 @@ Enrich Hash: - ai_description: "Enriches File Hash entities with threat intelligence data from\ - \ Stairwell. This action retrieves comprehensive file metadata, including hash\ - \ variants (MD5, SHA1, SHA256), file size, entropy, MIME type, and signature information.\ - \ It also fetches Stairwell-specific intelligence such as 'MalEval' malicious\ - \ probability scores, AI-generated summaries, and sighting prevalence. The action\ - \ evaluates the file's risk level based on Stairwell's verdicts; if a file is\ - \ determined to be suspicious or malicious, it updates the entity's status in\ - \ Google SecOps and generates a detailed insight for the analyst.\n\n### Parameters\n\ - | Parameter Name | Type | Mandatory | Description |\n| :--- | :--- | :--- | :---\ - \ |\n| API Root | String | Yes | The base URL for the Stairwell API instance.\ + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "Enriches File Hash entities using threat intelligence data from\ + \ Stairwell. This action retrieves comprehensive metadata about a file, including\ + \ its size, entropy, various hash formats (MD5, SHA1, SHA256, Imphash, TLSH),\ + \ and maliciousness verdicts. It evaluates the risk level based on Stairwell's\ + \ 'Maleval' malicious probability and specific 'MALICIOUS' verdicts. The action\ + \ updates the entity's attributes, marks it as suspicious if applicable, and generates\ + \ detailed insights and data tables for analyst review.\n\n### Parameters Description\n\ + \n| Parameter Name | Type | Mandatory | Description |\n| :--- | :--- | :--- |\ + \ :--- |\n| API Root | String | Yes | The base URL of the Stairwell API instance.\ \ |\n| API Key | String | Yes | The API key used for authentication with Stairwell.\ \ |\n| Organization ID | String | No | The specific Stairwell Organization ID\ - \ to contextually scope the request. |\n| User ID | String | No | The specific\ - \ Stairwell User ID to associate with the request. |\n\n### Additional Notes\n\ - - The action specifically targets `FILEHASH` entities.\n- It uses the `OriginalIdentifier`\ - \ of the entity if available to ensure accurate lookups in Stairwell.\n- Enrichment\ - \ data is prefixed with 'SW' (Stairwell) when added to entity additional properties.\n\ - \n### Flow Description\n1. **Initialization**: Extracts API configuration (Root,\ - \ Key, Org ID, User ID) and initializes the Stairwell manager.\n2. **Entity Filtering**:\ - \ Identifies all `FILEHASH` entities within the current context.\n3. **Data Retrieval**:\ - \ For each hash, it queries the Stairwell `/object_event` endpoint to fetch the\ - \ file report.\n4. **Risk Assessment**: Analyzes the report's verdict and malicious\ - \ probability scores to determine if the file is suspicious.\n5. **Internal Updates**:\ - \ \n - Updates the entity's additional properties with the fetched metadata.\n\ - \ - Marks the entity as 'enriched'.\n - Sets the 'is_suspicious' flag based\ - \ on the assessment.\n6. **Insight & Reporting**: \n - If suspicious, creates\ - \ a detailed entity insight containing probability scores and detection labels.\n\ - \ - Adds a data table to the case wall containing a summary of the file report.\n\ - \ - Attaches the full raw JSON response to the action results.\n7. **Finalization**:\ - \ Updates all processed entities in the Google SecOps platform and provides a\ - \ summary message of successful and failed enrichments." + \ to context the request. |\n| User ID | String | No | The specific Stairwell\ + \ User ID to context the request. |\n\n### Flow Description\n\n1. **Initialization**:\ + \ Extracts the Stairwell API configuration (Root, Key, Org ID, User ID) and identifies\ + \ all File Hash entities in the current context.\n2. **Data Retrieval**: For\ + \ each File Hash entity, the action queries the Stairwell Enrichment API to fetch\ + \ the object event report.\n3. **Data Parsing**: The raw JSON response is parsed\ + \ into a structured File data model, extracting metadata like file magic, mime\ + \ type, and sightings.\n4. **Enrichment & Risk Assessment**: \n * Updates\ + \ the entity's additional properties with the retrieved metadata.\n * Determines\ + \ if the file is suspicious by checking for a 'MALICIOUS' verdict or a high 'Maleval'\ + \ malicious probability.\n5. **Internal Updates**: \n * If suspicious, creates\ + \ an Entity Insight containing the malicious probability, detection labels, and\ + \ first-seen date.\n * Adds a detailed CSV-formatted data table to the case\ + \ wall for each enriched hash.\n * Updates the entities within Google SecOps\ + \ to reflect the new enrichment data and suspicious status.\n6. **Completion**:\ + \ Returns a summary message of successfully enriched hashes and provides the full\ + \ raw data in JSON format." capabilities: can_create_case_comments: false can_create_insight: true @@ -40,14 +65,13 @@ Enrich Hash: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action updates entity additional properties with enrichment data, modifies - the 'is_suspicious' and 'is_enriched' flags of entities, creates entity insights, - and adds data tables to the case wall. + Updates entity enrichment fields, sets the 'is_suspicious' flag, creates entity + insights, and adds data tables to the case wall. categories: enrichment: true entity_usage: entity_types: - - FILEHASH + - FILEHASH filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -61,6 +85,7 @@ Enrich Hash: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Enrich Hostname: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -74,76 +99,82 @@ Enrich Hash: enrich_asset: false enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Enrich Hostname: ai_description: >- - Enriches Hostname entities with threat intelligence data from Stairwell. This - action retrieves comprehensive metadata including verdicts, opinions, comments, - and DNS records (A, AAAA, MX) for specified hostnames. It evaluates the security - posture of the entity, updates its attributes within the platform, and provides - detailed visual reports through data tables and insights. - + ### General Description - ### Flow Description + The **Enrich Hostname** action retrieves comprehensive threat intelligence and + reputation data for Hostname entities from the Stairwell platform. It provides + analysts with visibility into host verdicts, community opinions, and DNS records + (A, AAAA, MX) to assist in incident investigation and triage. - 1. **Initialization**: Connects to the Stairwell API using the provided API Root, - API Key, and optional Organization/User IDs. - 2. **Entity Filtering**: Identifies all Hostname entities within the current alert - context. + ### Parameters Description - 3. **Data Retrieval**: For each hostname, it queries the Stairwell enrichment - endpoint to fetch the latest threat intelligence report. + | Parameter | Type | Mandatory | Description | - 4. **Entity Enrichment**: Updates the entity's additional properties with the - retrieved data and marks the entity as enriched. + | :--- | :--- | :--- | :--- | - 5. **Risk Assessment**: Checks the Stairwell verdict; if the hostname is classified - as 'MALICIOUS', the entity is marked as suspicious. + | API Root | String | Yes | The base URL of the Stairwell API instance. | - 6. **Insight Generation**: Creates an entity insight for malicious hostnames to - highlight the threat to analysts. + | API Key | String | Yes | The API key used for authentication with Stairwell. + | - 7. **Reporting**: Generates a data table for the case wall containing a summary - of the host's records and attaches the full raw JSON response to the action results. + | Organization ID | String | No | Optional identifier for the specific Stairwell + organization context. | + | User ID | String | No | Optional identifier for the specific Stairwell user + context. | - ### Parameters Description - | Parameter Name | Type | Mandatory | Description | + ### Flow Description - | :--- | :--- | :--- | :--- | + 1. **Initialization:** The action extracts configuration parameters (API Root, + API Key, Org ID, User ID) and initializes the Stairwell API manager. - | API Root | String | Yes | The base URL for the Stairwell API instance. | + 2. **Entity Filtering:** It identifies all `HOSTNAME` entities within the current + alert context. - | API Key | String | Yes | The API key used for authentication with Stairwell. - | + 3. **Data Retrieval:** For each hostname, it queries the Stairwell enrichment + API to fetch the host's detailed report, including opinions and DNS records. - | Organization ID | String | No | Optional identifier for the specific Stairwell - organization. | + 4. **Entity Enrichment:** + * Updates the entity's additional properties with the retrieved data (prefixed + with 'SW'). + * Marks the entity as enriched in the SOAR platform. + * Evaluates the host's verdict; if the verdict is "MALICIOUS", the entity + is marked as suspicious. + 5. **Insight Generation:** If a host is deemed suspicious, a formatted HTML insight + is added to the entity for quick analyst review. - | User ID | String | No | Optional identifier for the specific Stairwell user. - | + 6. **Reporting:** + * Constructs a data table for each host containing DNS records and community + opinions. + * Appends raw JSON results to the action output for downstream processing. + 7. **Finalization:** Updates the entities in the SOAR platform and provides a + summary message of successful and failed enrichments. ### Additional Notes - * This action is strictly read-only regarding the Stairwell platform and does + - This action is strictly read-only regarding the Stairwell platform and does not modify any external data. - * It uses the 'OriginalIdentifier' property of the entity if available to ensure - accurate lookups. + - It specifically targets `HOSTNAME` entities and will skip other entity types. capabilities: can_create_case_comments: false can_create_insight: true @@ -154,14 +185,13 @@ Enrich Hostname: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity attributes with enrichment data, sets the suspicious flag based - on Stairwell verdicts, creates entity insights, and adds data tables to the - case wall. + Updates entity attributes with enrichment data, sets suspicious status, and + creates entity insights and data tables within the case. categories: enrichment: true entity_usage: entity_types: - - HOSTNAME + - HOSTNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -175,6 +205,7 @@ Enrich Hostname: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Enrich IP: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -188,47 +219,82 @@ Enrich Hostname: enrich_asset: false enrich_ioc: true execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Enrich IP: - ai_description: "Enriches IP Address entities with threat intelligence data from\ - \ Stairwell. This action retrieves reputation metadata, including verdicts and\ - \ opinions, to provide security context for identified IP addresses. It evaluates\ - \ the risk level based on Stairwell's analysis, updates the entity's suspicious\ - \ status within Google SecOps, and generates detailed insights and data tables\ - \ for the case wall.\n\n### Parameters\n| Parameter Name | Type | Mandatory |\ - \ Description |\n| :--- | :--- | :--- | :--- |\n| API Root | String | Yes | The\ - \ base URL of the Stairwell API instance. |\n| API Key | String | Yes | The API\ - \ key used for authentication with Stairwell. |\n| Organization ID | String |\ - \ No | The specific Organization ID to include in the request headers for multi-tenant\ - \ environments. |\n| User ID | String | No | The specific User ID to include in\ - \ the request headers if required by the API configuration. |\n\n### Additional\ - \ Notes\n- This action specifically targets entities of type `ADDRESS`.\n- An\ - \ entity is marked as suspicious if the Stairwell verdict is 'MALICIOUS'.\n- Enrichment\ - \ data is prefixed with 'SW' in the entity's additional properties.\n\n### Flow\ - \ Description\n1. **Initialization**: The action initializes the Stairwell manager\ - \ using the provided API Root, API Key, and optional Organization/User IDs.\n\ - 2. **Entity Filtering**: It identifies all IP Address entities (`ADDRESS`) within\ - \ the current alert context.\n3. **Data Retrieval**: For each identified IP, the\ - \ action performs a GET request to the Stairwell enrichment endpoint to fetch\ - \ reputation data.\n4. **Internal Updates**: \n - Updates the entity's additional\ - \ properties with the enrichment results.\n - Sets the `is_enriched` flag to\ - \ true.\n - Evaluates the verdict; if 'MALICIOUS', the entity is marked as\ - \ suspicious.\n5. **Reporting**: \n - Generates an entity insight containing\ - \ the verdict if the IP is suspicious.\n - Adds a detailed data table to the\ - \ case wall for each processed IP.\n - Appends the raw JSON results to the\ - \ action output.\n6. **Finalization**: Updates the entities in the platform and\ - \ returns a success message listing the enriched IPs." + ai_description: >- + ### General Description + + Enriches IP Address entities with threat intelligence data from Stairwell. This + action retrieves detailed reports including verdicts, opinions, and comments for + each IP address found in the case context. It helps analysts quickly identify + malicious infrastructure by providing contextual metadata and automated risk assessments. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | API Root | String | Yes | The base URL of the Stairwell API. | + + | API Key | String | Yes | The API key used for authentication with Stairwell. + | + + | Organization ID | String | No | The specific Organization ID to include in the + request headers for multi-tenant environments. | + + | User ID | String | No | The specific User ID to include in the request headers + if required by the API configuration. | + + + ### Flow Description + + 1. **Initialization**: Extracts API credentials and configuration parameters from + the integration settings. + + 2. **Entity Identification**: Filters the target entities to identify all `ADDRESS` + (IP) types. + + 3. **Data Retrieval**: For each identified IP, the action queries the Stairwell + API to fetch the latest enrichment report. + + 4. **Enrichment**: Updates the entity's additional properties with the retrieved + data and marks the entity as enriched. + + 5. **Risk Assessment**: Evaluates the verdict from Stairwell; if the verdict is + 'MALICIOUS', the entity is marked as suspicious in Google SecOps. + + 6. **Insight Generation**: Creates an HTML-formatted entity insight for suspicious + IPs, highlighting the malicious verdict. + + 7. **Result Reporting**: Generates a data table for each IP containing the report + summary and attaches the full raw JSON response to the action results. + + 8. **Finalization**: Updates all successfully processed entities within the platform + and returns a summary message. + + + ### Additional Notes + + - This action is classified as an enrichment type and does not modify any data + in the external Stairwell system. + + - If an IP is not found in Stairwell, the action will log an error for that specific + entity but continue processing others. capabilities: can_create_case_comments: false can_create_insight: true @@ -239,14 +305,13 @@ Enrich IP: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity enrichment fields (additional properties), sets the suspicious - flag based on the Stairwell verdict, creates entity insights, and adds data - tables to the case wall. + Updates entity attributes with enrichment data, sets suspicious status, and + creates entity insights based on Stairwell intelligence. categories: enrichment: true entity_usage: entity_types: - - ADDRESS + - ADDRESS filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -260,6 +325,7 @@ Enrich IP: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -271,28 +337,31 @@ Enrich IP: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: true + enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: ai_description: >- ### General Description - Tests connectivity to the Stairwell API to ensure that the integration is correctly - configured and the service is reachable. This action validates the provided API - Root, API Key, and optional Organization/User IDs by performing a test request - to the enrichment endpoint using a dummy hostname. + The **Ping** action is designed to verify the connectivity between Google SecOps + and the Stairwell API. It ensures that the provided credentials (API Key, Organization + ID, etc.) and the API Root URL are correct and that the service is reachable. + This is typically used as a health check during the initial setup or troubleshooting + of the Stairwell integration. ### Parameters Description @@ -307,37 +376,38 @@ Ping: | API Key | String | Yes | The API key used for authentication with Stairwell. | - | Organization ID | String | No | The specific Organization ID to be included - in the request headers. | + | Organization ID | String | No | The specific Organization ID associated with + the Stairwell account. | - | User ID | String | No | The specific User ID to be included in the request headers. + | User ID | String | No | The specific User ID associated with the Stairwell account. | ### Additional Notes - This action does not process any entities from the SOAR case. It uses a hardcoded - dummy hostname ('www.google.com') to verify the API connection. Although the integration - metadata might classify this as an enrichment type, per architectural guidelines, - Ping actions are categorized separately from functional enrichment actions. + - This action does not process any entities from the SecOps case. It uses a hardcoded + dummy hostname (`www.google.com`) to perform a test lookup against the Stairwell + enrichment endpoint. + - If the action fails, it usually indicates an issue with the network configuration, + invalid API keys, or an incorrect API Root URL. - ### Flow Description - 1. **Parameter Initialization**: Retrieves the API Root, API Key, Organization - ID, and User ID from the integration configuration. + ### Flow Description - 2. **Manager Setup**: Initializes the Stairwell Manager with the provided credentials - and connection settings. + 1. **Parameter Initialization**: The action retrieves the integration configuration + parameters, including the API Root, API Key, and optional IDs. - 3. **Connectivity Test**: Executes the `test_connectivity` method, which triggers - a GET request to the Stairwell enrichment endpoint for a dummy hostname. + 2. **Manager Setup**: It initializes the `StairwellManager` with the provided + configuration. - 4. **Response Validation**: Checks the HTTP response status. If the request is - successful, it confirms the connection; otherwise, it captures the error. + 3. **Connectivity Test**: The action calls the `test_connectivity` method, which + attempts to fetch enrichment data for a dummy hostname (`www.google.com`) via + a GET request to the Stairwell API. - 5. **Execution Completion**: Returns a success status and a 'Connection Established' - message if the test passes, or a failure status with the error details if it fails. + 4. **Result Handling**: If the API responds successfully, the action returns a + success status and a "Connection Established" message. If an exception occurs + (e.g., HTTP error, timeout), it catches the error and reports a failure. capabilities: can_create_case_comments: false can_create_insight: false @@ -351,7 +421,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -365,28 +435,3 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/partner/thinkst_canary/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/thinkst_canary/resources/ai/actions_ai_description.yaml index b02791920..8aadaf4c4 100644 --- a/content/response_integrations/third_party/partner/thinkst_canary/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/thinkst_canary/resources/ai/actions_ai_description.yaml @@ -1,12 +1,40 @@ Acknowledge Console Alert: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- ### General Description - The **Acknowledge Console Alert** action is designed to change the status of a - specific incident to 'acknowledged' within the Thinkst Canary console. This action - is typically used as a response step in a playbook to synchronize the state of - an alert between Google SecOps and the Canary management environment, ensuring - that analysts do not need to manually acknowledge the same alert in multiple consoles. + The **Acknowledge Console Alert** action is designed to mark a specific incident + as acknowledged on the Thinkst Canary Console. This action is primarily used to + synchronize alert statuses between Google SecOps and the Canary platform, ensuring + that once an analyst has addressed an alert in the SOAR, the corresponding event + is updated in the source system to prevent duplicate effort. ### Parameters Description @@ -15,37 +43,30 @@ Acknowledge Console Alert: | :--- | :--- | :--- | :--- | - | None | N/A | N/A | This action does not require any direct input parameters. - It relies on the context of the current alert and the integration's global configuration - (API Key and Console Hash). | + | N/A | N/A | N/A | This action does not have any input parameters. | ### Additional Notes - - **Prerequisites:** This action requires that the alert in Google SecOps was - originally ingested via the Thinkst Canary connector, as it relies on the `AlertId` - being present in the `additional_properties` of the alert's security events. - - - **Configuration:** The action uses the global 'API Key' and 'Console Hash' defined - in the Thinkst integration settings. + This action relies on metadata (specifically the `AlertId`) that must be present + in the `additional_properties` of the security events associated with the alert. + This metadata is typically populated by the Thinkst Canary connector during the + ingestion process. If the `AlertId` is missing, the action will fail. ### Flow Description - 1. **Configuration Retrieval:** The action fetches the API Key, Console Hash, - and SSL verification settings from the integration configuration. + 1. **Configuration Retrieval:** The action retrieves the integration's global + settings, including the API Key and Console Hash. - 2. **Incident Identification:** It accesses the `security_events` of the current - alert in Google SecOps and extracts the `AlertId` from the `additional_properties` - of the first event. + 2. **Metadata Extraction:** It accesses the `security_events` of the current alert + in Google SecOps and extracts the `AlertId` from the first event's `additional_properties`. - 3. **API Request:** The action constructs a POST request to the Thinkst Canary - API endpoint `/incident/acknowledge`, passing the `AlertId` as the `incident` - parameter. + 3. **External API Call:** It executes a POST request to the Thinkst Canary API + endpoint `/incident/acknowledge` using the extracted `AlertId` as the identifier. - 4. **Outcome Validation:** It checks the API response. If the response indicates - success, the action completes successfully; otherwise, it fails with an error - message explaining the issue (e.g., missing AlertId or API error). + 4. **Execution Finalization:** The action concludes by reporting whether the acknowledgment + was successful based on the response from the Canary Console. capabilities: can_create_case_comments: false can_create_insight: false @@ -54,14 +75,15 @@ Acknowledge Console Alert: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the status of an incident to 'acknowledged' on the Thinkst Canary console - via a POST request to the /incident/acknowledge endpoint. + Acknowledges an incident on the Thinkst Canary Console, changing its status + from unacknowledged to acknowledged via a POST request to the /incident/acknowledge + endpoint. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -75,6 +97,7 @@ Acknowledge Console Alert: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -88,63 +111,64 @@ Acknowledge Console Alert: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: ai_description: >- - ### General Description - - The **Ping** action is a connectivity utility designed to verify the communication - between Google SecOps and the Thinkst Canary Console. It validates that the provided - API Key and Console Hash are correct and that the network path is open. This action - is typically used during initial setup or troubleshooting to ensure the integration - is properly configured. + Verifies connectivity to the Thinkst Canary Console by testing the provided API + Key and Console Hash against the `/ping` endpoint. This action is primarily used + to ensure that the integration is correctly configured and can communicate with + the external service. - ### Parameters Description + ### Flow Description - There are no action-specific parameters for this action. It relies entirely on - the integration's global configuration parameters: + 1. **Parameter Extraction:** Retrieves the 'API Key', 'Console Hash', and 'Verify + SSL' settings from the integration configuration. - * **API Key**: The authentication token for the Canary Console. + 2. **Validation:** Checks if the API Key and Console Hash have been changed from + their default placeholder values. - * **Console Hash**: The unique identifier/subdomain for your Canary Console. + 3. **Connectivity Test:** Initializes the Thinkst Manager and sends a GET request + to the `/ping` endpoint of the Canary Console. - * **Verify SSL**: Determines whether to validate the SSL certificate of the console. + 4. **Result Handling:** Evaluates the response from the console. If the response + indicates success, the action completes successfully; otherwise, it reports a + failure. - ### Flow Description + ### Parameters Description - 1. **Configuration Extraction**: The action retrieves the API Key, Console Hash, - and SSL verification settings from the integration configuration. + | Parameter Name | Type | Mandatory | Description | - 2. **Validation**: It checks if the API Key and Console Hash are provided and - are not the default placeholder values. + | :--- | :--- | :--- | :--- | - 3. **Manager Initialization**: Initializes the `ThinkstActionManager` with the - connection details. + | API Key | String | Yes (Config) | The authentication token used to access the + Thinkst Canary API. | - 4. **API Call**: Executes a GET request to the `/api/v1/ping` endpoint of the - Canary Console. + | Console Hash | String | Yes (Config) | The unique identifier/subdomain for your + Canary Console (e.g., the 'mycompany' part of 'mycompany.canary.tools'). | - 5. **Result Evaluation**: If the API returns a success result, the action completes - successfully; otherwise, it reports a failure. + | Verify SSL | Boolean | No (Config) | Determines whether to verify the SSL certificate + of the Canary Console. | ### Additional Notes - This action does not process any entities and does not modify any data within - Google SecOps or the Thinkst Canary environment. + * This action does not process any entities and is used solely for configuration + validation. capabilities: can_create_case_comments: false can_create_insight: false @@ -158,7 +182,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -172,28 +196,3 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/partner/thinkst_canary/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/partner/thinkst_canary/resources/ai/connectors_ai_description.yaml index fc317f79e..85f46e291 100644 --- a/content/response_integrations/third_party/partner/thinkst_canary/resources/ai/connectors_ai_description.yaml +++ b/content/response_integrations/third_party/partner/thinkst_canary/resources/ai/connectors_ai_description.yaml @@ -1,34 +1,37 @@ Thinkst - Alert Connector: - ai_description: "### General Description\nThe Thinkst - Alert Connector integrates\ - \ Google SecOps with the Thinkst Canary Console to automate the ingestion of security\ - \ incidents. It fetches unacknowledged incidents\u2014including Honeypot triggers,\ - \ Canarytoken activations, and operational alerts (like disconnected Canaries)\u2014\ - and converts them into cases within the SOAR platform for investigation and response.\n\ - \n### Parameters Description\n| Parameter | Type | Mandatory | Description |\n\ - | :--- | :--- | :--- | :--- |\n| API Key | Password | Yes | The API key used to\ - \ authenticate with your Thinkst Canary Console. |\n| Console Hash | String |\ - \ Yes | The unique subdomain of your console (e.g., the 'example' in 'example.canary.tools').\ - \ |\n| Verify SSL | Boolean | No | If enabled, the connector will verify SSL certificates\ - \ during API requests. Defaults to true. |\n| Ignore Informative | Boolean | No\ - \ | If enabled, incidents classified as 'Informative' (priority -1) will not be\ - \ ingested as cases. |\n| PythonProcessTimeout | String | Yes | The maximum time\ - \ in seconds allowed for the connector script to run. |\n| DeviceProductField\ - \ | String | Yes | The field name used to identify the device product in the ingested\ - \ data. |\n| EventClassId | String | Yes | The field name used to determine the\ - \ event sub-type (e.g., SourceType). |\n\n### Flow Description\n1. **Authentication**:\ - \ The connector establishes a session with the Thinkst Canary Console API using\ - \ the provided API Key and Console Hash.\n2. **State Management**: It retrieves\ - \ the last processed Incident ID and Timestamp from the internal SOAR context\ - \ to ensure only new, unacknowledged incidents are fetched.\n3. **Data Retrieval**:\ - \ The connector queries the `/incidents/unacknowledged` endpoint. It automatically\ - \ handles pagination using cursors to collect all pending incidents since the\ - \ last run.\n4. **Filtering**: If the 'Ignore Informative' parameter is set, the\ - \ connector filters out operational or low-severity incidents (such as console\ - \ setting changes or disconnected devices) based on their log type.\n5. **Data\ - \ Mapping**: Raw incident data is transformed into the SOAR AlertInfo format.\ - \ This includes mapping source/destination IPs, ports, and specific Canarytoken\ - \ metadata (like filenames or usernames) into structured event fields.\n6. **Priority\ - \ Assignment**: The connector maps Thinkst log types to SOAR priority levels (Informative,\ - \ Low, Medium, High, or Critical).\n7. **Ingestion**: Processed alerts are sent\ - \ to Google SecOps, and the connector updates its persistent state with the latest\ - \ Incident ID and Timestamp for the next iteration." + ai_description: "### General Description\nThis connector integrates with the Thinkst\ + \ Canary Console to ingest security incidents into Google SecOps. It monitors\ + \ for activity triggered by Canarytokens, Honeypots, and operational events (such\ + \ as console or flock setting changes). By converting Canary incidents into structured\ + \ alerts, it provides security teams with immediate visibility into decoy-based\ + \ detections and potential unauthorized access within their environment.\n\n###\ + \ Parameters Description\n| Parameter | Type | Mandatory | Description |\n| :---\ + \ | :--- | :--- | :--- |\n| API Key | Password | Yes | The API key used to authenticate\ + \ with the Canary Console API. |\n| Console Hash | String | Yes | The unique hash\ + \ of your Canary Console (the subdomain part before .canary.tools). |\n| Verify\ + \ SSL | Boolean | No | If enabled, the connector verifies the SSL certificate\ + \ of the Canary Console. Default is True. |\n| Ignore Informative | Boolean |\ + \ No | If enabled, incidents classified as 'Informative' (e.g., disconnections\ + \ or setting changes) will not create cases. |\n| PythonProcessTimeout | String\ + \ | Yes | The timeout limit in seconds for the python process running the connector\ + \ script. |\n| DeviceProductField | String | Yes | The field name used to determine\ + \ the device product (default: device_product). |\n| EventClassId | String | Yes\ + \ | The field name used to determine the event sub-type (default: SourceType).\ + \ |\n\n### Flow Description\n1. **Authentication**: The connector establishes\ + \ a secure connection to the Thinkst Canary Console using the provided API Key\ + \ and Console Hash.\n2. **State Management**: It checks the connector's internal\ + \ context for the last processed incident ID and timestamp. If no state is found,\ + \ it defaults to fetching incidents from the last 24 hours.\n3. **Data Retrieval**:\ + \ The connector queries the `/incidents/unacknowledged` endpoint. It handles pagination\ + \ using cursors to ensure all pending incidents are retrieved.\n4. **Filtering**:\ + \ If the 'Ignore Informative' parameter is set to true, the connector filters\ + \ out incidents with an informative priority level (e.g., logtype 1004, 23001).\n\ + 5. **Mapping & Transformation**: \n * Converts Canary incident fields into\ + \ SOAR-compatible formats.\n * Assigns priorities (Informative, Low, Medium,\ + \ High, Critical) based on the incident's logtype.\n * Categorizes events\ + \ into Source Types: 'Canarytoken', 'Operational', or 'Honeypot'.\n * Generates\ + \ descriptive alert names and includes direct links to the Canary Console portal.\n\ + 6. **Ingestion**: The processed incidents are packaged as `AlertInfo` objects\ + \ and ingested into Google SecOps as cases.\n7. **Checkpointing**: After successful\ + \ ingestion, the connector updates its context with the latest incident ID and\ + \ timestamp to prevent duplicate processing in the next iteration." diff --git a/content/response_integrations/third_party/partner/thinkst_canary/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/thinkst_canary/resources/ai/integration_ai_description.yaml index a888df70b..466738966 100644 --- a/content/response_integrations/third_party/partner/thinkst_canary/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/partner/thinkst_canary/resources/ai/integration_ai_description.yaml @@ -1,6 +1,6 @@ product_categories: asset_inventory: false - cloud_security: true + cloud_security: false collaboration: false edr: false email_security: false diff --git a/content/response_integrations/third_party/partner/torq/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/torq/resources/ai/actions_ai_description.yaml index 281833fb8..ce5ac0646 100644 --- a/content/response_integrations/third_party/partner/torq/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/torq/resources/ai/actions_ai_description.yaml @@ -1,62 +1,88 @@ Create a Case: + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: true + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false ai_description: >- - The 'Create a Case' action triggers a workflow in Torq by sending a webhook request - containing the current Google SecOps alert and case context. This action is primarily - used to escalate alerts into Torq for further orchestration and response. It packages - alert metadata, including entity details and additional properties, into a JSON - payload. If Torq API credentials or a Bearer token are provided, the action will - also poll the Torq Public API to retrieve the final execution status and output - of the triggered workflow, providing visibility into the automated response directly - within the SecOps action results. + Invokes a Torq workflow via a Webhook to create a case or incident. This action + transmits the current alert payload, including entity details and metadata, to + Torq. If API credentials or a Bearer token are configured, the action will poll + the Torq Public API to retrieve the final execution status and output of the triggered + workflow. - ### Flow Description + ### Parameters - 1. **Context Collection:** The action gathers metadata from the current SecOps - case (ID, name, environment) and the specific alert (identifier, severity, product, - entities, and raw data). - 2. **Payload Preparation:** It constructs a JSON payload containing the source - ('Google SecOps'), the action type ('create_case'), and the collected context/alert - data, along with optional deduplication and correlation keys. + | Parameter | Type | Mandatory | Description | - 3. **Webhook Invocation:** A POST request is sent to the configured Torq Webhook - URL, authenticated via a 'secret' header. + | :--- | :--- | :--- | :--- | - 4. **Execution Polling (Optional):** If an execution ID is returned by the webhook - and API credentials are available, the action enters a polling loop. It periodically - checks the Torq Public API for the workflow's completion. + | Deduplication Key | string | No | An optional idempotency key used by Torq to + prevent duplicate case creation. | - 5. **Result Reporting:** The action returns the full request/response details, - the execution ID, and the final workflow output (if polled) to the SecOps platform. + | Correlation Key | string | No | An optional key used for grouping related cases + or incidents within Torq. | + | Poll Max Seconds | string | No | The maximum duration (in seconds) to poll the + Torq API for the workflow's final result. Default is 60. | - ### Parameters Description + | Poll Interval Seconds | string | No | The interval (in seconds) between consecutive + polling requests to the Torq API. Default is 3. | - | Parameter Name | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + ### Additional Notes + - | Deduplication Key | String | No | An optional key used by Torq to prevent duplicate - cases or incidents from being created for the same event. | + * The action requires a 'Torq URL' and 'Webhook Secret' to be configured in the + integration settings. - | Correlation Key | String | No | An optional key used to group related cases - or incidents within the Torq platform. | + * To enable polling for the final execution result, 'Client ID' and 'Client Secret' + (or a 'Bearer Token override') must also be provided in the integration configuration. - | Poll Max Seconds | String | No | The maximum duration (in seconds) the action - will wait and poll the Torq API for the workflow to complete. Default is 60. | - | Poll Interval Seconds | String | No | The time interval (in seconds) between - consecutive polling requests to the Torq API. Default is 3. | + ### Flow Description - ### Additional Notes + 1. **Data Collection**: The action gathers context from the current Google SecOps + case and alert, including entity identifiers, severity, and additional properties. + + 2. **Webhook Invocation**: It sends a POST request containing the alert data to + the specified Torq Webhook URL, authenticated via the 'secret' header. - - To enable polling for the final workflow output, you must configure the Torq - integration with either a Client ID/Secret or a Bearer Token (Override). + 3. **Execution Tracking**: Upon a successful webhook trigger, the action extracts + the execution ID from the response body or headers. - - The action uses a 'secret' header for webhook authentication as required by - Torq's webhook trigger configuration. + 4. **Polling (Optional)**: If API credentials are available, the action enters + a polling loop, querying the Torq Public API for the workflow's completion status + (e.g., SUCCESS, FAILED). + + 5. **Result Reporting**: The final execution output and status are captured and + returned as a JSON result within the SecOps platform. capabilities: can_create_case_comments: false can_create_insight: false @@ -65,14 +91,14 @@ Create a Case: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Triggers a workflow in Torq via a webhook, which typically results in the creation - of a case, incident, or other state changes within the Torq platform. + Triggers a Torq workflow by sending a POST request to a webhook URL, which can + result in the creation of a case or incident within the Torq platform. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -86,12 +112,13 @@ Create a Case: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false contain_host: false - create_ticket: true + create_ticket: false delete_email: false disable_identity: false download_file: false @@ -99,76 +126,69 @@ Create a Case: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: ai_description: >- - ### General Description + Sends a ping request to a Torq workflow via a Webhook and optionally polls the + Torq Public API for the execution result. This action is primarily used to verify + connectivity or trigger a simple automated workflow in Torq from Google SecOps. - The **Ping** action triggers a specific workflow in Torq via a Webhook and optionally - polls the Torq Public API to retrieve the final execution results. This action - is primarily used to verify connectivity between Google SecOps and Torq, or to - initiate automated logic within Torq that requires context from the current SecOps - case (such as Case ID and Environment). + ### Flow Description - ### Parameters Description - - | Parameter Name | Type | Mandatory | Default Value | Description | - - | :--- | :--- | :--- | :--- | :--- | - - | Poll Max Seconds | string | No | 60 | The maximum duration (in seconds) the - action will wait and poll the Torq API for the workflow execution to reach a terminal - state. | + 1. **Configuration Retrieval:** The action fetches integration settings including + the Webhook URL, Secret, and API credentials (Client ID/Secret). - | Poll Interval Seconds | string | No | 3 | The time interval (in seconds) between - consecutive polling requests to the Torq API. | + 2. **Payload Construction:** It builds a JSON payload containing the source ('Google + SecOps'), the action name ('ping'), and minimal case context (Case ID, Case Name, + and Environment). + 3. **Webhook Trigger:** It sends a POST request to the Torq Webhook URL using + the 'secret' header for authentication. - ### Additional Notes + 4. **Execution Polling:** If the Webhook response contains an execution ID, the + action enters a polling loop. It queries the Torq Public API at the specified + interval until the workflow reaches a terminal state (e.g., SUCCESS, FAILED) or + the maximum polling time is reached. - - This action requires the **Torq URL** and **Webhook Secret** to be configured - in the integration settings. + 5. **Result Processing:** The final execution status and any output data from + the Torq workflow are captured and returned as a JSON result. - - To enable polling for execution results, the **Client ID**, **Client Secret**, - and **Region** (or a **Bearer Token Override**) must be provided in the integration - configuration to authenticate against the Torq Public API. - - If no execution ID is returned by the initial webhook call, polling is skipped. + ### Parameters Description + | Parameter Name | Type | Mandatory | Description | - ### Flow Description + | :--- | :--- | :--- | :--- | - 1. **Configuration Retrieval:** The action fetches integration settings (URLs, - secrets, region) and action parameters (polling limits). + | Poll Max Seconds | string | No | The maximum number of seconds to poll the Torq + API for the workflow execution result. Defaults to 60. | - 2. **Payload Construction:** It builds a JSON payload containing the source ("Google - SecOps"), the action name ("ping"), and metadata from the current case (Case ID, - Case Name, and Environment). + | Poll Interval Seconds | string | No | The number of seconds to wait between + each poll request to the Torq API. Defaults to 3. | - 3. **Webhook Trigger:** A POST request is sent to the configured Torq Webhook - URL using the `secret` header for authentication. - 4. **Execution Identification:** The action parses the webhook response to extract - an `execution_id` or `run_id`. + ### Additional Notes - 5. **Polling (Optional):** If an execution ID is found and API credentials are - available, the action enters a polling loop, querying the Torq Public API (`GET - /executions/{id}`) until the workflow succeeds, fails, or the timeout is reached. + * This action requires a valid Webhook URL and Secret configured in the Torq integration + settings. - 6. **Result Processing:** The final execution status, headers, and output data - are captured and attached to the action results in Google SecOps. + * If API credentials (Client ID and Client Secret) are provided, the action will + attempt to poll for the execution result; otherwise, it will only perform the + initial Webhook trigger. capabilities: can_create_case_comments: false can_create_insight: false @@ -177,14 +197,14 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Triggers the execution of a workflow in the Torq platform via a webhook POST - request. + Triggers a Torq workflow via a Webhook POST request, which initiates an automated + process in the external Torq platform. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -198,6 +218,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Run a Workflow: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -211,27 +232,30 @@ Ping: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Run a Workflow: ai_description: >- ### General Description - Triggers a Torq workflow by sending a POST request to a specified Torq webhook - URL. This action allows users to pass custom JSON data and optionally include - the full payload of the current alert to provide context to the Torq workflow. - If Torq API credentials (Client ID and Secret) are provided, the action will poll - the Torq Public API to retrieve the final execution status and output. + The **Run a Workflow** action allows users to trigger a generic workflow in **Torq** + by sending a POST request to a pre-configured webhook. This action is highly flexible, + allowing users to pass custom JSON input and optionally include the full context + of the current Google SecOps alert. If Torq API credentials (Client ID and Secret) + are configured, the action will also poll the Torq Public API to retrieve the + final execution status and any output data generated by the workflow. ### Parameters Description @@ -240,44 +264,49 @@ Run a Workflow: | :--- | :--- | :--- | :--- | - | Workflow Input | String (JSON) | Yes | A JSON object containing the data to - be passed to the Torq workflow. | - - | Include Alert Payload | Boolean | No | If true, the action includes the current - alert's metadata and associated entities in the request. | + | **Workflow Input** | String (JSON) | Yes | A JSON object containing the data + to be passed into the Torq workflow. Must be a valid JSON string. | - | Poll Max Seconds | String | No | The maximum duration (in seconds) to poll the - Torq API for the workflow's completion. Default is 60. | + | **Include Alert Payload** | Boolean | No | If set to `True`, the action will + include the current alert's metadata (identifier, name, severity, etc.) and a + list of associated entities in the request payload under the `alert` key. | - | Poll Interval Seconds | String | No | The time interval (in seconds) between - consecutive polling requests. Default is 3. | + | **Poll Max Seconds** | String | No | The maximum amount of time (in seconds) + the action should wait for the workflow to complete. Default is 60 seconds. | + | **Poll Interval Seconds** | String | No | The frequency (in seconds) at which + the action checks the Torq API for the workflow's status. Default is 3 seconds. + | - ### Additional Notes - - The integration requires a 'Torq URL' and 'Webhook Secret' to function. + ### Flow Description - - Polling for results requires 'Client ID' and 'Client Secret' to be configured - in the integration settings to generate an OAuth token. + 1. **Configuration Retrieval**: The action fetches integration settings (Webhook + URL, Secret, Region) and action parameters. - - The 'Workflow Input' must be a valid JSON object string. + 2. **Payload Construction**: It builds a JSON payload including the `Workflow + Input`. If `Include Alert Payload` is enabled, it serializes the current alert + and its entities into the payload. + 3. **Webhook Invocation**: The action sends an authenticated POST request to the + Torq webhook URL. - ### Flow Description + 4. **Execution Polling (Optional)**: If the webhook response contains an execution + ID and API credentials are available, the action enters a polling loop. It queries + the Torq Public API until the workflow reaches a terminal state (e.g., SUCCESS, + FAILED) or the timeout is reached. - 1. **Configuration Retrieval**: The action fetches Torq instance settings and - OAuth credentials. + 5. **Result Processing**: The final execution status, headers, and output data + are captured and attached to the action's result in Google SecOps. - 2. **Payload Construction**: It builds a JSON payload containing the workflow - input and optionally the current alert data. - 3. **Workflow Trigger**: It sends an authenticated POST request to the Torq webhook. + ### Additional Notes - 4. **Execution Polling**: If an execution ID is returned and API credentials exist, - the action polls the Torq Public API until completion or timeout. + - To enable polling for workflow results, the integration must be configured with + a **Client ID** and **Client Secret**. - 5. **Result Processing**: The final execution status and output are captured and - returned to Google SecOps. + - The action uses a "best-effort" approach to collect alert data, ensuring that + even if some fields are missing, the workflow trigger still proceeds. capabilities: can_create_case_comments: false can_create_insight: false @@ -293,7 +322,7 @@ Run a Workflow: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -307,28 +336,3 @@ Run a Workflow: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: false diff --git a/content/response_integrations/third_party/partner/wiz/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/wiz/resources/ai/actions_ai_description.yaml index 37fc52c17..a68507597 100644 --- a/content/response_integrations/third_party/partner/wiz/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/wiz/resources/ai/actions_ai_description.yaml @@ -1,45 +1,77 @@ Add Comment To Issue: + action_product_categories: + add_alert_comment: true + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: true ai_description: >- - Adds a comment (note) to a specific issue in the Wiz platform. This action allows - analysts to document findings, provide updates, or record automated responses - directly within the Wiz issue's timeline. It utilizes the Wiz GraphQL API to perform - a `createIssueNote` mutation, ensuring that the communication is synchronized - between Google SecOps and the Wiz security posture management console. + ### General Description + The **Add Comment To Issue** action allows users to append a text comment or note + to a specific security issue within the Wiz platform. This action is primarily + used to document investigation progress, provide updates, or synchronize analyst + notes between Google SecOps and Wiz. - ### Flow Description - 1. **Parameter Extraction:** The action retrieves the mandatory `Issue ID` and - `Comment` text from the user input. + ### Parameters Description - 2. **API Initialization:** Authenticates with the Wiz platform using OAuth2 client - credentials to obtain a bearer token. + | Parameter | Type | Mandatory | Description | - 3. **Mutation Execution:** Constructs and sends a GraphQL mutation (`createIssueNote`) - to the Wiz endpoint, targeting the specified issue with the provided comment text. + | :--- | :--- | :--- | :--- | - 4. **Result Processing:** Captures the response from Wiz, which includes the new - comment's ID and creation timestamp, and returns it as a JSON result. + | **Issue ID** | String | Yes | The unique identifier of the issue in Wiz to which + the comment will be added. | + | **Comment** | String | Yes | The text content of the comment to be added to + the issue. | - ### Parameters Description - | Parameter | Type | Mandatory | Description | + ### Flow Description - | :--- | :--- | :--- | :--- | + 1. **Parameter Extraction**: The action retrieves the `Issue ID` and the `Comment` + text from the user-provided parameters. + + 2. **API Client Initialization**: It initializes the Wiz API client using the + integration's configuration (API Root, Client ID, and Client Secret). - | Issue ID | String | True | The unique identifier of the issue in Wiz where the - comment will be added. | + 3. **Mutation Execution**: The action constructs a GraphQL mutation (`createIssueNote`) + and sends a POST request to the Wiz `/graphql` endpoint to create the comment + thread. - | Comment | String | True | The actual text content of the comment to be appended - to the issue. | + 4. **Result Processing**: Upon a successful response, the action parses the returned + JSON to extract the details of the newly created comment (ID, timestamp, and text) + and provides a success message. ### Additional Notes - - This action does not operate on SecOps entities; it requires a direct Issue - ID, which is typically obtained from a previous 'Get Issue Details' action or - an alert's external ID field. + - This action performs a state-changing mutation in the external Wiz system. + + - If the specified `Issue ID` is invalid or not found, the action will raise an + `IssueNotFoundError`. capabilities: can_create_case_comments: false can_create_insight: false @@ -48,14 +80,14 @@ Add Comment To Issue: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Adds a new comment/note to an existing issue in the Wiz platform via a GraphQL - mutation, changing the state of the issue's activity log. + Adds a new comment (note) to a specific issue in the Wiz platform using a GraphQL + mutation. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -69,6 +101,7 @@ Add Comment To Issue: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Issue Details: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -82,27 +115,29 @@ Add Comment To Issue: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: true remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false - update_ticket: true -Get Issue Details: + update_ticket: false ai_description: >- ### General Description - The **Get Issue Details** action retrieves comprehensive information about a specific - security issue from the Wiz platform using its unique identifier. This action - is primarily used for investigation and gathering context, providing details such - as the issue's status, severity, description, affected cloud resources (entity - snapshot), and associated projects or source rules. + The **Get Issue Details** action retrieves comprehensive metadata for a specific + issue identified by its unique ID in the Wiz platform. This action is designed + to provide deep context about a finding, including its current status, severity, + affected cloud resources, and associated projects, which can be used for automated + decision-making or reporting within a playbook. ### Parameters Description @@ -111,34 +146,33 @@ Get Issue Details: | :--- | :--- | :--- | :--- | - | **Issue ID** | String | Yes | The unique identifier of the Wiz issue to retrieve - or act upon. | + | Issue ID | String | Yes | The unique identifier of the Wiz issue to retrieve. + | ### Flow Description - 1. **Parameter Extraction**: The action extracts the `Issue ID` from the input - parameters. - - 2. **API Initialization**: It initializes the Wiz API client and authenticates - using the integration's credentials (Client ID and Client Secret). + 1. **Parameter Extraction**: The action retrieves the `Issue ID` provided by the + user. - 3. **Query Construction**: The action constructs a GraphQL query specifically - designed to fetch detailed fields for the provided Issue ID, including metadata - like `createdAt`, `status`, `severity`, and `entitySnapshot` (cloud platform, - region, etc.). + 2. **API Initialization**: It initializes the Wiz API client using the integration's + configuration (API Root, Client ID, Client Secret). - 4. **Data Retrieval**: It executes a POST request to the Wiz GraphQL endpoint - with the constructed query. + 3. **Data Retrieval**: A GraphQL query is constructed and sent to the Wiz `/graphql` + endpoint to fetch specific fields including `status`, `severity`, `description`, + `entitySnapshot` (cloud platform, region, etc.), and `projects`. - 5. **Result Processing**: The response is parsed into an Issue data model and - returned as a JSON result for use in subsequent playbook steps. + 4. **Result Processing**: The retrieved data is parsed into a structured format + and returned as a JSON result for use in subsequent playbook steps. ### Additional Notes - This action does not operate on SecOps entities (like IPs or Hostnames) automatically; - it requires the manual or dynamic input of a Wiz-specific Issue ID. + - This action is a read-only operation and does not modify any data in the Wiz + platform. + + - If the provided `Issue ID` is invalid or does not exist, the action will raise + an `IssueNotFoundError`. capabilities: can_create_case_comments: false can_create_insight: false @@ -152,7 +186,7 @@ Get Issue Details: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -166,6 +200,7 @@ Get Issue Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ignore Issue: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -179,27 +214,30 @@ Get Issue Details: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ignore Issue: ai_description: >- ### General Description - The **Ignore Issue** action allows analysts to dismiss or ignore specific security - findings within the Wiz platform. It is specifically designed to handle **Graph - Control** or **Cloud Configuration** issues. By executing this action, the status - of the identified issue in Wiz is transitioned to 'REJECTED', effectively removing - it from the active queue based on the provided justification. + The **Ignore Issue** action allows security analysts to dismiss or ignore specific + security issues within the Wiz platform. This action is primarily intended for + managing Graph Control or Cloud Configuration issues that are identified as false + positives or exceptions. By executing this action, the status of the specified + issue in Wiz is updated to 'REJECTED', and the provided resolution reason and + mandatory context note are attached to the record for auditability. ### Parameters Description @@ -208,48 +246,44 @@ Ignore Issue: | :--- | :--- | :--- | :--- | - | **Issue ID** | String | Yes | The unique identifier (ID) of the issue in Wiz - that you want to ignore. | + | Issue ID | String | Yes | The unique identifier of the issue in Wiz that needs + to be ignored. | - | **Resolution Reason** | DDL | No | The reason for ignoring the issue. Available - options are: `False Positive`, `Exception`, or `Won't Fix`. Defaults to `False - Positive`. | + | Resolution Reason | DDL | No | The reason for ignoring the issue. Supported + values include: 'False Positive', 'Exception', and 'Won't Fix'. If not provided, + it defaults to 'False Positive'. | - | **Resolution Note** | String | Yes | A mandatory text field to provide additional - context or justification for why this issue is being ignored. | + | Resolution Note | String | Yes | A mandatory note providing additional context + or justification for why the issue is being ignored. | - ### Additional Notes - - * **Scope:** This action is restricted to Graph Control and Cloud Configuration - issues within Wiz. + ### Flow Description - * **State Change:** This is a mutation action that changes the state of data - in the external Wiz environment. + 1. **Parameter Extraction:** The action retrieves the `Issue ID`, `Resolution + Reason`, and `Resolution Note` from the user input. - * **Discrepancy Note:** While the `Resolution Reason` is marked as non-mandatory - in the configuration, the underlying logic applies a default value of 'False Positive' - if not provided. + 2. **Validation:** It validates the `Resolution Reason` against the allowed values + defined in the integration constants. + 3. **API Client Initialization:** The action initializes an authenticated Wiz + API client using the integration's global configuration (API Root, Client ID, + and Client Secret). - ### Flow Description + 4. **External Mutation:** The action constructs and sends a GraphQL mutation to + the Wiz API to update the issue's status to 'REJECTED' and apply the specified + resolution metadata. - 1. **Parameter Extraction:** The action retrieves the `Issue ID`, `Resolution - Reason`, and `Resolution Note` from the user input. + 5. **Result Processing:** The action captures the updated issue details from the + API response, populates the JSON results, and returns a success message to the + SOAR platform. - 2. **Validation:** It validates that the `Resolution Reason` matches the allowed - values defined in the Wiz integration constants. - 3. **API Initialization:** An authenticated GraphQL API client is initialized - to communicate with the Wiz instance. + ### Additional Notes - 4. **Mutation Execution:** The action sends a GraphQL mutation request to Wiz - to update the specified issue's status to `REJECTED`, attaching the chosen reason - and the provided note. + - This action only supports Graph Control or Cloud Configuration issues in Wiz. - 5. **Result Processing:** Upon success, the action retrieves the updated issue - details from the API response, populates the JSON results, and confirms the successful - update in the output message. + - While the 'Resolution Reason' is optional in the UI, the underlying logic ensures + a default value is applied if the field is left empty. capabilities: can_create_case_comments: false can_create_insight: false @@ -258,14 +292,14 @@ Ignore Issue: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the status of a specified issue in the Wiz platform to 'REJECTED' and - applies a resolution reason and note. + Updates the status of a specified issue in Wiz to 'REJECTED' and sets the resolution + reason and note. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -279,6 +313,7 @@ Ignore Issue: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -292,55 +327,57 @@ Ignore Issue: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false - update_ticket: true -Ping: + update_ticket: false ai_description: >- - The Ping action is used to verify the connectivity between Google SecOps and the - Wiz platform. It ensures that the provided integration parameters (API Root, Client - ID, and Client Secret) are correct and that the service is reachable. - - - ### Flow Description: + ### General Description - 1. **Initialization**: The action initializes the Wiz API client using the provided - configuration parameters, including the API Root and SSL verification settings. + The **Ping** action is a diagnostic tool used to verify the connectivity between + Google SecOps and the Wiz platform. It ensures that the provided integration parameters + (API Root, Client ID, and Client Secret) are correct and that the network path + to the Wiz API is open. - 2. **Authentication**: It authenticates with the Wiz OAuth2 service using the - Client ID and Client Secret to obtain a bearer token. - 3. **Connectivity Test**: It executes a minimal GraphQL query to the Wiz `/graphql` - endpoint, attempting to retrieve the ID of a single issue to confirm API access. + ### Parameters Description - 4. **Validation**: The action validates the HTTP response and GraphQL errors. - If successful, it returns a confirmation message. + There are no parameters for this action. - ### Parameters Description: + ### Flow Description - | Parameter Name | Type | Mandatory | Description | + 1. **Authentication**: The action first attempts to authenticate with the Wiz + OAuth service using the configured Client ID and Client Secret to obtain a bearer + token. - | :--- | :--- | :--- | :--- | + 2. **API Request**: Once authenticated, it executes a minimal GraphQL query (`query + { issues(first: 1) { nodes { id } } }`) against the Wiz API endpoint. - | None | N/A | N/A | This action does not take any input parameters. It relies - solely on the integration's global configuration. | + 3. **Validation**: The action validates the HTTP response status and the GraphQL + response body. If the request is successful and no errors are returned, the connection + is confirmed. + 4. **Outcome**: If successful, a success message is returned; otherwise, an error + message detailing the failure (e.g., invalid credentials or connection timeout) + is provided. - ### Additional Notes: - - This action is primarily used for troubleshooting and initial setup verification. + ### Additional Notes - - It does not process any entities or modify any data within Wiz or Google SecOps. + This action is strictly for connectivity testing and does not process any entities + or modify any data within Wiz or Google SecOps. capabilities: can_create_case_comments: false can_create_insight: false @@ -354,7 +391,7 @@ Ping: categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -368,6 +405,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Reopen Issue: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -381,56 +419,66 @@ Ping: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false - update_ticket: false -Reopen Issue: + update_ticket: true ai_description: >- ### General Description - The **Reopen Issue** action allows users to change the status of a specific security - issue in Wiz back to **OPEN**. This is typically used when a previously resolved - or ignored issue is found to be still relevant or requires further investigation. - The action interacts with the Wiz GraphQL API to perform a state change on the - specified issue. + The **Reopen Issue** action allows analysts to change the status of a specific + issue in Wiz back to 'OPEN'. This is typically used when a previously resolved + or ignored issue is found to be still active or requires further investigation. + The action communicates with the Wiz GraphQL API to perform a mutation on the + issue's state. ### Parameters Description - | Parameter | Description | Type | Mandatory | + | Parameter Name | Description | Type | Mandatory | Notes | - | :--- | :--- | :--- | :--- | + | :--- | :--- | :--- | :--- | :--- | - | **Issue ID** | The unique identifier of the issue in Wiz to be reopened. | String - | Yes | + | Issue ID | The unique identifier of the issue in Wiz to be reopened. | String + | True | This ID is required to target the specific finding in the Wiz platform. + | ### Flow Description - 1. **Parameter Extraction**: The action retrieves the `Issue ID` provided by the - user from the action parameters. + 1. **Parameter Extraction**: The action retrieves the `Issue ID` from the input + parameters. - 2. **API Initialization**: Establishes an authenticated connection to the Wiz - API using the configured API Root, Client ID, and Client Secret. + 2. **API Initialization**: It initializes the Wiz API client using the provided + integration credentials (API Root, Client ID, Client Secret). - 3. **Mutation Construction**: Builds a GraphQL mutation targeting the `updateIssue` - endpoint. It creates a patch object that specifically sets the issue's status - to `OPEN`. + 3. **Mutation Construction**: The action builds a GraphQL mutation payload specifically + designed to update the `status` field of the issue to `OPEN`. - 4. **Execution**: Sends the GraphQL mutation request to the Wiz `/graphql` endpoint. + 4. **Execution**: The mutation is sent to the Wiz `/graphql` endpoint. - 5. **Result Processing**: Captures the updated issue data from the API response, - converts it into a structured JSON format, and returns a success message indicating - the issue has been reopened. + 5. **Result Processing**: Upon success, the action retrieves the updated issue + object from the response and provides it as a JSON result, confirming the status + change in the output message. + + + ### Additional Notes + + - This action performs a state change in the external Wiz environment. + + - If the provided `Issue ID` does not exist, the action will return an error indicating + the issue was not found. capabilities: can_create_case_comments: false can_create_insight: false @@ -439,13 +487,13 @@ Reopen Issue: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Changes the status of a specified issue in Wiz to 'OPEN' via a GraphQL mutation. + Updates the status of a specific issue in the Wiz platform to 'OPEN'. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -459,6 +507,7 @@ Reopen Issue: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Resolve Issue: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -472,24 +521,26 @@ Reopen Issue: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: true -Resolve Issue: ai_description: >- - The **Resolve Issue** action allows users to programmatically resolve a specific - issue within the Wiz platform. This action is specifically intended for use with - **Threat Detection** issues. It updates the issue's status to 'RESOLVED' and allows - the user to provide a specific resolution reason and an optional explanatory note. + Resolves a specified issue in Wiz. This action is specifically designed to work + with Threat Detection issues by updating their status to 'RESOLVED' in the Wiz + platform. It allows analysts to provide a resolution reason and an optional note + to document the closure of the finding. ### Flow Description @@ -497,16 +548,14 @@ Resolve Issue: 1. **Parameter Extraction:** The action retrieves the mandatory `Issue ID` and optional `Resolution Reason` and `Resolution Note` from the input parameters. - 2. **Validation:** It validates that the provided `Resolution Reason` is one of - the allowed values defined in the Wiz integration constants. + 2. **Validation:** It validates that the provided `Resolution Reason` matches + one of the predefined allowed values in Wiz. - 3. **API Interaction:** The action constructs a GraphQL mutation using the `UpdateIssueMutationBuilder`. - This mutation targets the specified `Issue ID` and applies a patch to change the - status to `RESOLVED` and attach the resolution metadata. + 3. **API Interaction:** The action constructs a GraphQL mutation to update the + issue's status to 'RESOLVED' and includes the resolution metadata. - 4. **Result Processing:** Upon a successful API call, the action parses the returned - JSON (representing the updated state of the issue) and provides a success message - to the user. + 4. **Result Processing:** Upon a successful API call, the action returns the updated + issue object as a JSON result and provides a success message. ### Parameters Description @@ -515,23 +564,24 @@ Resolve Issue: | :--- | :--- | :--- | :--- | - | **Issue ID** | String | Yes | The unique identifier of the issue in Wiz that - needs to be resolved. | + | Issue ID | string | Yes | The unique identifier of the issue in Wiz that needs + to be resolved. | - | **Resolution Reason** | DDL | No | The reason for resolving the issue. Defaults - to 'Not Malicious Threat'. Options include: Malicious Threat, Not Malicious Threat, - Security Test Threat, Planned Action Threat, Inconclusive Threat. | + | Resolution Reason | ddl | No | The reason for the resolution. Expected values + include: 'Malicious Threat', 'Not Malicious Threat', 'Security Test Threat', 'Planned + Action Threat', or 'Inconclusive Threat'. Defaults to 'Not Malicious Threat'. + | - | **Resolution Note** | String | No | An optional text note providing additional - context or justification for the resolution. | + | Resolution Note | string | No | An optional note providing additional context + or details regarding the resolution of the issue. | ### Additional Notes - - This action performs a state change in the external Wiz system. + - This action only supports resolving issues categorized as 'Threat Detection' + in Wiz. - - If the specified `Issue ID` does not exist, the action will return an error - indicating the issue was not found. + - If the specified `Issue ID` is not found, the action will return an error. capabilities: can_create_case_comments: false can_create_insight: false @@ -540,14 +590,14 @@ Resolve Issue: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - This action changes the status of an issue in the Wiz platform to 'RESOLVED' - and updates its resolution metadata (reason and notes). + Updates the status of a specific issue in Wiz to 'RESOLVED' and attaches a resolution + reason and note. fetches_data: true internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -561,28 +611,3 @@ Resolve Issue: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: false - update_ticket: true diff --git a/content/response_integrations/third_party/partner/wiz/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/wiz/resources/ai/integration_ai_description.yaml index a7f7000e9..15ef5e595 100644 --- a/content/response_integrations/third_party/partner/wiz/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/partner/wiz/resources/ai/integration_ai_description.yaml @@ -5,7 +5,7 @@ product_categories: edr: false email_security: false iam_and_identity_management: false - itsm: true + itsm: false network_security: false siem: false threat_intelligence: false diff --git a/content/response_integrations/third_party/partner/xm_cyber/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/xm_cyber/resources/ai/actions_ai_description.yaml index 4b8fc4c38..28c698835 100644 --- a/content/response_integrations/third_party/partner/xm_cyber/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/xm_cyber/resources/ai/actions_ai_description.yaml @@ -1,74 +1,66 @@ Calculate Risk Score: - ai_description: >- - Calculates a comprehensive risk score for an alert by processing XM Cyber-specific - attributes found within alert events and entities. This action is designed to - provide a structured JSON output that playbooks can use to filter, prioritize, - or route alerts based on calculated risk levels. It evaluates multiple security - factors such as MFA status, administrative privileges, and asset criticality based - on user-defined weights. - - - ### Flow Description: - - 1. **Parameter Collection:** Retrieves user-configured risk weights and thresholds - for various categories (e.g., Critical Assets, MFA status, AD risk levels). - - 2. **Event Processing:** Iterates through the security events associated with - the current alert, extracting XM Cyber labels and calculating individual risk - scores for assets and users mentioned in the events. - - 3. **Entity Processing:** Iterates through the alert's entities (specifically - Users and Hostnames), checking for XM Cyber enrichment data in their additional - properties to calculate entity-specific risk scores. - - 4. **Aggregation:** Consolidates all calculated scores from events and entities, - determining the maximum risk levels and aggregating labels. - - 5. **Output Generation:** Produces a final JSON object containing the base risk - score, calculated risk score, and boolean flags for various risk factors, which - is then attached to the action result. - - - ### Parameters Description: - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | AD Risk to Domain | DDL | Yes | Weight for Active Directory risk to the domain - (Disabled, Low, Default, High). | - - | AD Risky Principals | DDL | Yes | Weight for AD risky principals (Disabled, - Low, Default, High). | - - | AD Admins And DCs | DDL | Yes | Weight for AD Administrators and Domain Controllers - (Disabled, Low, Default, High). | - - | User without MFA | DDL | Yes | Weight for users identified as not having Multi-Factor - Authentication (Disabled, Low, Default, High). | - - | Is Critical Asset | DDL | Yes | Weight for entities marked as critical assets - (Disabled, Low, Default, High). | - - | Predefined Admin | DDL | Yes | Weight for predefined administrative accounts - (Disabled, Low, Default, High). | - - | Highly Privileged | DDL | Yes | Weight for highly privileged accounts (Disabled, - Low, Default, High). | - - | Compromise Risk Score | DDL | Yes | Sensitivity level for the compromise risk - score (Low, Default, High). | - - | Choke Point Score | DDL | Yes | Sensitivity level for the choke point score - (Low, Default, High). | - - - ### Additional Notes: - - - This action does not perform external API calls; it relies on data previously - populated in the alert or entities (typically by an enrichment action). - - - The final risk score is capped at 100. + action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false + enrich_ioc: false + execute_command_on_the_host: false + get_alert_information: false + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false + ai_description: "Calculates a comprehensive risk score for alerts by processing\ + \ XM Cyber metadata attached to events and entities. This action allows security\ + \ teams to define weights for specific risk factors\u2014such as the absence of\ + \ MFA, administrative privileges, or critical asset status\u2014to generate a\ + \ normalized risk score (0-100). The resulting JSON object can be used in subsequent\ + \ playbook steps for conditional branching and alert prioritization.\n\n### Flow\ + \ Description\n1. **Parameter Extraction**: Retrieves user-defined weights for\ + \ various risk components (e.g., AD Risk, MFA status) from the action parameters.\n\ + 2. **Event Processing**: Iterates through the alert's security events to identify\ + \ XM Cyber labels and calculates individual risk scores for each asset or user\ + \ mentioned in the events.\n3. **Entity Processing**: Scans target entities (Users\ + \ and Hostnames) for enriched XM Cyber metadata and calculates risk scores based\ + \ on their specific attributes.\n4. **Aggregation**: Consolidates all individual\ + \ scores by selecting the maximum values for risk, impact, and probability components.\n\ + 5. **Label Consolidation**: Aggregates all unique labels found across events and\ + \ entities into a single comma-separated string.\n6. **Output Generation**: Returns\ + \ a structured JSON object containing the final calculated risk score and supporting\ + \ metadata for use in the playbook environment.\n\n### Parameters Description\n\ + | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ + | AD Risk to Domain | DDL | Yes | Selects the weight for Active Directory risk\ + \ to domain values in the calculation. |\n| AD Risky Principals | DDL | Yes |\ + \ Selects the weight for AD risky principals in the calculation. |\n| AD Admins\ + \ And DCs | DDL | Yes | Selects the weight for AD administrators and Domain Controllers.\ + \ |\n| User without MFA | DDL | Yes | Selects the weight for users identified\ + \ as not having Multi-Factor Authentication. |\n| Is Critical Asset | DDL | Yes\ + \ | Selects the weight for entities marked as critical assets. |\n| Predefined\ + \ Admin | DDL | Yes | Selects the weight for predefined administrative accounts.\ + \ |\n| Highly Privileged | DDL | Yes | Selects the weight for highly privileged\ + \ accounts or assets. |\n| Compromise Risk Score | DDL | Yes | Selects the multiplier\ + \ level for the compromise risk score component. |\n| Choke Point Score | DDL\ + \ | Yes | Selects the multiplier level for the choke point score component. |\n\ + \n### Additional Notes\n- This action does not perform external API calls; it\ + \ relies on data already present in the alert (e.g., from previous enrichment\ + \ steps).\n- The final risk score is capped at 100." capabilities: can_create_case_comments: false can_create_insight: false @@ -83,8 +75,8 @@ Calculate Risk Score: enrichment: false entity_usage: entity_types: - - HOSTNAME - - USERUNIQNAME + - HOSTNAME + - USERUNIQNAME filters_by_additional_properties: true filters_by_alert_identifier: false filters_by_case_identifier: false @@ -98,6 +90,7 @@ Calculate Risk Score: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Enrich Entities: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -108,65 +101,62 @@ Calculate Risk Score: disable_identity: false download_file: false enable_identity: false - enrich_asset: false + enrich_asset: true enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Enrich Entities: ai_description: >- - ### General Description + Enriches Hostname and User entities using data from the XM Cyber platform. This + action retrieves detailed metadata, including risk scores, labels, and administrative + status, to provide better context for security analysts within Google SecOps. + - The **Enrich Entities** action retrieves contextual security data from the XM - Cyber platform for **HOSTNAME** and **USER** entities associated with an alert. - It enriches these entities with attributes such as risk scores, critical asset - status, and security labels, providing analysts with immediate visibility into - the threat landscape surrounding the specific assets or identities. + ### Flow Description + 1. **Entity Identification**: Identifies all `HOSTNAME` and `USER` entities within + the current alert scope. - ### Parameters Description + 2. **Filtering**: Filters out entities that have already been enriched within + the last 24 hours (based on the `XMC_last_enriched` property) or are already present + in the security event data to avoid redundant API calls. - This action does not require any input parameters. + 3. **Data Retrieval**: Queries the XM Cyber API for enrichment data associated + with the remaining entities. + 4. **Entity Update**: Maps the retrieved XM Cyber attributes (e.g., Choke Point + Score, Critical Asset status, AD Risk) to the entity's additional properties with + an `XMC_` prefix and marks the entity as enriched. - ### Flow Description - 1. **Entity Identification**: The action identifies all entities of type `HOSTNAME` - and `USER` within the current alert scope. + ### Parameters Description - 2. **Pre-Enrichment Filtering**: It filters the identified entities to skip those - that: - - Are already present in the alert's security events (to avoid redundant processing). - - Have been enriched within the last 24 hours (based on the `XMC_last_enriched` - property). - 3. **Data Retrieval**: For the remaining entities, the action performs a GET request - to the XM Cyber API to fetch enrichment data. + | Parameter Name | Type | Mandatory | Description | - 4. **Data Processing**: The response is parsed to extract relevant attributes, - including labels (prefixed with 'XM Cyber - ') and asset/user-specific details. + | :--- | :--- | :--- | :--- | - 5. **Entity Update**: The action updates the entities' `additional_properties` - with the fetched data (prefixed with `XMC_`), sets the `is_enriched` flag to `true`, - and records the `last_enriched` timestamp. + | None | N/A | N/A | This action does not require any input parameters. | ### Additional Notes - - This action is designed to be read-only regarding the XM Cyber platform; it - does not modify any data in the external system. + - The action relies on the `XMC_last_enriched` property to manage enrichment frequency + and optimize performance. - - The 24-hour enrichment cache ensures efficient API usage and prevents unnecessary - data updates. + - Only entities of type `HOSTNAME` and `USER` are supported for enrichment. capabilities: can_create_case_comments: false can_create_insight: false @@ -177,14 +167,14 @@ Enrich Entities: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with enrichment data (e.g., risk scores, - labels) from XM Cyber and sets the 'is_enriched' flag to true. + Updates entity additional properties with enrichment data from XM Cyber and + sets the 'is_enriched' flag to true. categories: enrichment: true entity_usage: entity_types: - - HOSTNAME - - USERUNIQNAME + - HOSTNAME + - USERUNIQNAME filters_by_additional_properties: true filters_by_alert_identifier: false filters_by_case_identifier: false @@ -198,6 +188,7 @@ Enrich Entities: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Get Event Data JSON: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -208,68 +199,73 @@ Enrich Entities: disable_identity: false download_file: false enable_identity: false - enrich_asset: true + enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Get Event Data JSON: ai_description: >- ### General Description - The **Get Event Data JSON** action is a utility designed to aggregate and format - XM Cyber enrichment data already present within a Google SecOps alert. It scans - both the security events associated with the alert and the entities (specifically - Users and Hostnames) for XM Cyber-specific attributes. The action compiles this - information into a structured JSON object, making it easier for subsequent playbook - steps or analysts to access consolidated risk scores, asset criticality, and direct - links to the XM Cyber management console. + This action extracts and aggregates XM Cyber enrichment data from security events + and entities associated with the current Google SecOps alert. It is designed to + provide a consolidated JSON object containing threat intelligence and asset context + (such as risk scores and attack techniques) that has been previously attached + to the alert context. This is primarily a utility action used to format and retrieve + data for downstream playbook logic or reporting. - ### Parameters + ### Flow Description - This action does not require any input parameters. + 1. **Data Retrieval**: The action fetches all security events from the current + alert and the list of target entities in the scope. + 2. **Event Processing**: It iterates through security events, looking for specific + XM Cyber identifiers (Asset Product Object ID or User Product Object ID) within + the event's additional properties. - ### Flow Description + 3. **Entity Processing**: It filters target entities to include only Hostnames + and Users. It then checks for the presence of XM Cyber enrichment markers in their + metadata. - 1. **Data Retrieval**: The action fetches the list of security events and target - entities from the current alert context. + 4. **Data Extraction**: For each identified XM Cyber entity, it extracts a predefined + set of parameters, including Choke Point Scores, Compromise Risk Scores, Critical + Asset status, and associated attack techniques. - 2. **Event Parsing**: It iterates through security events, looking for XM Cyber - product object IDs for assets and users in the event's additional properties. + 5. **URL Generation**: It constructs a direct deep link to the entity's overview + page within the XM Cyber web console using the configured Base URL. - 3. **Entity Parsing**: It filters target entities for Hostnames and Users, checking - their additional properties for existing XM Cyber enrichment data (prefixed with - 'XMC'). + 6. **Output**: The aggregated data is returned as a single JSON object mapping + entity identifiers to their respective XM Cyber attributes. - 4. **Data Consolidation**: For each identified entity, it extracts relevant parameters - such as 'Compromise Risk Score', 'Is Critical Asset', and 'Attacked By Techniques'. - 5. **URL Generation**: It constructs a direct deep-link URL to the entity's overview - page in the XM Cyber portal using the configured Base URL from the integration - settings. + ### Parameters Description - 6. **Output**: The final consolidated mapping of entity IDs to their respective - XM Cyber attributes is returned as a JSON object. + | Parameter Name | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | None | N/A | N/A | This action does not require any input parameters. | ### Additional Notes - This action does not perform any external API calls; it relies entirely on data - that has been previously ingested or enriched within the SecOps platform. If no - XM Cyber-specific data is found in the events or entities, the action will complete - successfully but return an empty JSON object. + * This action does not perform live API calls to XM Cyber to fetch new data; it + relies on data already present in the alert's security events or entity additional + properties (typically populated by a previous enrichment action or connector). capabilities: can_create_case_comments: false can_create_insight: false @@ -284,8 +280,8 @@ Get Event Data JSON: enrichment: false entity_usage: entity_types: - - HOSTNAME - - USERUNIQNAME + - HOSTNAME + - USERUNIQNAME filters_by_additional_properties: true filters_by_alert_identifier: false filters_by_case_identifier: false @@ -299,6 +295,7 @@ Get Event Data JSON: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Ping: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -312,37 +309,56 @@ Get Event Data JSON: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false -Ping: - ai_description: "### General Description\nTests the connectivity and authentication\ - \ configuration for the XM Cyber integration. This action ensures that the Google\ - \ SecOps environment can successfully communicate with the XM Cyber API using\ - \ the provided Base URL and credentials (either API Key or OAuth-based).\n\n###\ - \ Parameters Description\nThis action does not have any parameters.\n\n### Additional\ - \ Notes\nThis action is primarily used for initial setup verification and troubleshooting\ - \ connection issues. It does not interact with any entities or modify any data\ - \ within XM Cyber or Google SecOps.\n\n### Flow Description\n1. **Retrieve Configuration:**\ - \ The action extracts the integration's global settings, including the Authentication\ - \ Type (API Key or OAuth), Base URL, and API Key.\n2. **Initialize API Manager:**\ - \ It sets up the communication handler based on the selected authentication method.\n\ - 3. **Connectivity Check:** \n - If using **API Key Authentication**, the action\ - \ performs a POST request to the `/api/auth/` endpoint to verify the validity\ - \ of the API Key.\n - If using **OAuth Authentication**, the action initializes\ - \ the OAuth manager and client to ensure tokens can be successfully retrieved\ - \ or refreshed.\n4. **Finalize Execution:** If the connection is established without\ - \ errors, the action returns a success status. If any step fails (e.g., invalid\ - \ credentials or network timeout), it captures the error and reports a failure." + ai_description: >- + ### General Description + + Tests the connectivity and authentication credentials for the XM Cyber integration. + This action ensures that the Google SecOps platform can successfully communicate + with the XM Cyber instance using the provided Base URL and API Key or Access Token. + + + ### Parameters Description + + There are no parameters for this action. + + + ### Flow Description + + 1. **Retrieve Configuration:** Fetches the integration's global configuration + parameters, including the authentication type (Access Token Based or API Key), + Base URL, and API Key. + + 2. **Initialize API Manager:** Sets up the communication session. If OAuth is + selected, it initializes the token management flow. If API Key is selected, it + prepares the request headers. + + 3. **Validate Connection:** Performs a test request to the XM Cyber authentication + endpoint (`/api/auth/`) to verify that the credentials are valid and the server + is reachable. + + 4. **Report Status:** Returns a success message if the connection is established + or a failure message with error details if the connection fails. + + + ### Additional Notes + + This action is primarily used for troubleshooting and verifying the initial setup + of the XM Cyber integration. capabilities: can_create_case_comments: false can_create_insight: false @@ -350,13 +366,13 @@ Ping: can_mutate_external_data: false can_mutate_internal_data: false can_update_entities: false - external_data_mutation_explanation: 'null' - fetches_data: false - internal_data_mutation_explanation: 'null' + external_data_mutation_explanation: null + fetches_data: true + internal_data_mutation_explanation: null categories: enrichment: false entity_usage: - entity_types: [ ] + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -370,6 +386,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false +Push Breach Point Data: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false @@ -383,29 +400,29 @@ Ping: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false + get_alert_information: false remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false + search_asset: false search_email: false search_events: false send_email: false + send_message: false submit_file: false uncontain_host: false update_alert: false update_email: false - update_identity: false + update_identity: true update_ticket: false -Push Breach Point Data: ai_description: >- ### General Description - The **Push Breach Point Data** action is designed to synchronize security context - between Google SecOps and the XM Cyber platform. It identifies specific entities - (Users and Hosts) within a SecOps alert or event that meet user-defined criteria - and applies a custom label (Breach Point attribute) to those entities in the XM - Cyber inventory. This allows analysts to tag assets involved in a breach or high-risk - scenario directly from the SOAR, facilitating better visibility and risk management - within the XM Cyber console. + This action pushes a specific attribute (label) to entities in the XM Cyber platform. + It allows users to define criteria based on entity or event properties. If an + entity matches the criteria, the specified attribute is applied to that entity + in XM Cyber. This is typically used to mark 'Breach Points' or other security-relevant + classifications discovered during investigation. ### Parameters Description @@ -414,57 +431,34 @@ Push Breach Point Data: | :--- | :--- | :--- | :--- | - | **Attribute Name** | string | Yes | The name of the label or attribute to be - pushed to the entities in XM Cyber. Defaults to `Google_SecOps_BP`. | + | Attribute Name | string | Yes | The name of the attribute/label to be pushed + to XM Cyber (e.g., 'Google_SecOps_BP'). | - | **Parameter** | ddl | Yes | The specific field or attribute of the entity/event - to evaluate against the criteria. Options include `All` (to process all entities), - `entityID`, `Compromised Risk Score`, `Is Critical Asset`, and various other enriched - metadata fields. | + | Parameter | ddl | Yes | The entity or event property to evaluate (e.g., 'Compromised + Risk Score', 'Is Critical Asset', 'All'). | - | **Operator** | ddl | Yes | The logical operator used to compare the selected - **Parameter** with the **Value**. Supports standard comparisons like `Equals`, - `Contains`, `Greater than`, etc. | + | Operator | ddl | Yes | The comparison operator used to match the value (e.g., + 'Equals', 'Greater than', 'Contains'). | - | **Value** | string | Yes | The target value used for matching against the entity's - parameter value. | + | Value | string | Yes | The value to compare against the selected parameter. + | ### Flow Description - 1. **Authentication:** The action authenticates with the XM Cyber API using either - API Key or OAuth-based credentials provided in the integration settings. - - 2. **Parameter Extraction:** It retrieves the user-defined criteria, including - the attribute name to push and the logic for entity selection (Parameter, Operator, - and Value). - - 3. **Entity Identification:** The action scans both the security events associated - with the alert and the target entities in the SecOps case. It specifically looks - for `USER` and `HOSTNAME` entity types. - - 4. **Criteria Evaluation:** For each identified entity, the action checks if it - matches the specified criteria. If the **Parameter** is set to `All`, all supported - entities are selected. Otherwise, it evaluates the entity's properties (including - enriched XM Cyber data stored in additional properties) against the operator and - value. + 1. **Authentication**: Connects to XM Cyber using either API Key or OAuth credentials. - 5. **Data Push:** For all entities that meet the criteria, the action sends a - POST request to the XM Cyber endpoint `/api/entityInventory/applyImportedLabelsOnEntities` - to apply the specified **Attribute Name** with a value of `true`. + 2. **Parameter Extraction**: Retrieves the attribute name, criteria parameter, + operator, and target value. - 6. **Reporting:** The action concludes by providing a summary of the entities - successfully updated in XM Cyber. + 3. **Entity Identification**: Scans both the target entities (Users and Hostnames) + and the security events associated with the alert. + 4. **Criteria Evaluation**: For each entity, it checks if the specified property + (from `additional_properties`) matches the user-defined criteria. - ### Additional Notes - - - This action requires that entities have been previously enriched or contain - the `XMC_product_object_id` (for SOAR entities) or `productObjectId` (for event - principals) to correctly map them to XM Cyber records. - - - If the **Attribute Name** is left blank in the configuration, it defaults to - `Google_SecOps_BP`. + 5. **Data Submission**: For all matching entities, it sends a POST request to + the XM Cyber API to apply the label with a value of `true`. capabilities: can_create_case_comments: false can_create_insight: false @@ -473,16 +467,16 @@ Push Breach Point Data: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Adds or updates labels/attributes on entities within the XM Cyber platform inventory - via a POST request. + Applies labels/attributes to entities in the XM Cyber inventory via a POST request + to the /api/entityInventory/applyImportedLabelsOnEntities endpoint. fetches_data: false internal_data_mutation_explanation: null categories: enrichment: false entity_usage: entity_types: - - USERUNIQNAME - - HOSTNAME + - HOSTNAME + - USERUNIQNAME filters_by_additional_properties: true filters_by_alert_identifier: false filters_by_case_identifier: false @@ -496,28 +490,3 @@ Push Breach Point Data: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false - action_product_categories: - add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false - contain_host: false - create_ticket: false - delete_email: false - disable_identity: false - download_file: false - enable_identity: false - enrich_asset: false - enrich_ioc: false - execute_command_on_the_host: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false - reset_identity_password: false - search_email: false - search_events: false - send_email: false - submit_file: false - uncontain_host: false - update_alert: false - update_email: false - update_identity: true - update_ticket: false diff --git a/content/response_integrations/third_party/partner/xm_cyber/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/xm_cyber/resources/ai/integration_ai_description.yaml index b52752603..f1d4ad08f 100644 --- a/content/response_integrations/third_party/partner/xm_cyber/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/partner/xm_cyber/resources/ai/integration_ai_description.yaml @@ -8,5 +8,5 @@ product_categories: itsm: false network_security: false siem: false - threat_intelligence: false + threat_intelligence: true vulnerability_management: true diff --git a/packages/mp/src/mp/core/llm/gemini.py b/packages/mp/src/mp/core/llm/gemini.py index c7e48e240..7f1ba2ebf 100644 --- a/packages/mp/src/mp/core/llm/gemini.py +++ b/packages/mp/src/mp/core/llm/gemini.py @@ -73,7 +73,7 @@ class ApiKeyNotFoundError(Exception): class GeminiConfig(LlmConfig): - model_name: str = "gemini-3-pro-preview" + model_name: str = "gemini-3.1-pro-preview" temperature: float = 0.0 sexually_explicit: str = "OFF" dangerous_content: str = "OFF" From 9bf7e43ed88e0afdf041768aceb26982dd69e049 Mon Sep 17 00:00:00 2001 From: talshapir Date: Sun, 12 Apr 2026 11:30:23 +0300 Subject: [PATCH 21/26] update model used in mp describe --- packages/mp/src/mp/describe/common/utils/llm.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/mp/src/mp/describe/common/utils/llm.py b/packages/mp/src/mp/describe/common/utils/llm.py index f3a92152b..ff9729e33 100644 --- a/packages/mp/src/mp/describe/common/utils/llm.py +++ b/packages/mp/src/mp/describe/common/utils/llm.py @@ -27,7 +27,7 @@ from mp.core.llm.sdk import LlmConfig, LlmSdk -GEMINI_MODEL_NAME: str = "gemini-3-flash-preview" +GEMINI_MODEL_NAME: str = "gemini-3.1-flash-lite-preview" GEMINI_TEMPERATURE: float = 0.1 DESCRIBE_BULK_SIZE: int = 4 From 6f25b33e04cc87753ac663f1b32f34e76d70ea5b Mon Sep 17 00:00:00 2001 From: talshapir Date: Sun, 12 Apr 2026 11:30:40 +0300 Subject: [PATCH 22/26] update dependencies --- packages/mp/pyproject.toml | 10 ++-- packages/mp/uv.lock | 114 ++++++++++++++++++------------------- 2 files changed, 62 insertions(+), 62 deletions(-) diff --git a/packages/mp/pyproject.toml b/packages/mp/pyproject.toml index c8f1f2152..77ed8876b 100644 --- a/packages/mp/pyproject.toml +++ b/packages/mp/pyproject.toml @@ -46,7 +46,7 @@ dependencies = [ "platformdirs>=4.5.0", "ty>=0.0.29", "ruamel-yaml == 0.17.40", - "google-genai>=1.70.0", + "google-genai>=1.72.0", "tenacity>=9.1.2", "anyio>=4.12.1", "toon-format", @@ -55,10 +55,10 @@ dependencies = [ [dependency-groups] dev = [ - "hypothesis>=6.151.11", - "pytest>=8.4.0", - "pytest-cov>=6.2.1", - "pytest-xdist>=3.7.0", + "hypothesis>=6.151.12", + "pytest>=9.0.3", + "pytest-cov>=7.1.0", + "pytest-xdist>=3.8.0", ] [project.scripts] diff --git a/packages/mp/uv.lock b/packages/mp/uv.lock index 467dcee24..d1aded3e2 100644 --- a/packages/mp/uv.lock +++ b/packages/mp/uv.lock @@ -227,15 +227,15 @@ wheels = [ [[package]] name = "google-auth" -version = "2.49.1" +version = "2.49.2" source = { registry = "https://pypi.org/simple" } dependencies = [ { name = "cryptography" }, { name = "pyasn1-modules" }, ] -sdist = { url = "https://files.pythonhosted.org/packages/ea/80/6a696a07d3d3b0a92488933532f03dbefa4a24ab80fb231395b9a2a1be77/google_auth-2.49.1.tar.gz", hash = "sha256:16d40da1c3c5a0533f57d268fe72e0ebb0ae1cc3b567024122651c045d879b64", size = 333825, upload-time = "2026-03-12T19:30:58.135Z" } +sdist = { url = "https://files.pythonhosted.org/packages/c6/fc/e925290a1ad95c975c459e2df070fac2b90954e13a0370ac505dff78cb99/google_auth-2.49.2.tar.gz", hash = "sha256:c1ae38500e73065dcae57355adb6278cf8b5c8e391994ae9cbadbcb9631ab409", size = 333958, upload-time = "2026-04-10T00:41:21.888Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/e9/eb/c6c2478d8a8d633460be40e2a8a6f8f429171997a35a96f81d3b680dec83/google_auth-2.49.1-py3-none-any.whl", hash = "sha256:195ebe3dca18eddd1b3db5edc5189b76c13e96f29e73043b923ebcf3f1a860f7", size = 240737, upload-time = "2026-03-12T19:30:53.159Z" }, + { url = "https://files.pythonhosted.org/packages/73/76/d241a5c927433420507215df6cac1b1fa4ac0ba7a794df42a84326c68da8/google_auth-2.49.2-py3-none-any.whl", hash = "sha256:c2720924dfc82dedb962c9f52cabb2ab16714fd0a6a707e40561d217574ed6d5", size = 240638, upload-time = "2026-04-10T00:41:14.501Z" }, ] [package.optional-dependencies] @@ -245,7 +245,7 @@ requests = [ [[package]] name = "google-genai" -version = "1.71.0" +version = "1.72.0" source = { registry = "https://pypi.org/simple" } dependencies = [ { name = "anyio" }, @@ -259,9 +259,9 @@ dependencies = [ { name = "typing-extensions" }, { name = "websockets" }, ] -sdist = { url = "https://files.pythonhosted.org/packages/88/49/a13e9cf4d963691fc79d661f2d78f041bc1f2e7287d41ef0f831b82462f0/google_genai-1.71.0.tar.gz", hash = "sha256:044f7ac453437d5d380ec192f823dba64e001c478d7878c5a2d327432f4a28ac", size = 520044, upload-time = "2026-04-08T17:55:51.084Z" } +sdist = { url = "https://files.pythonhosted.org/packages/3c/20/2aff5ea3cd7459f85101d119c136d9ca4369fcda3dcf0cfee89b305611a4/google_genai-1.72.0.tar.gz", hash = "sha256:abe7d3aecfafb464b904e3a09c81b626fb425e160e123e71a5125a7021cea7b2", size = 522844, upload-time = "2026-04-09T21:35:46.283Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/55/d4/63c97d487f0b4861a6f530628a9e56a380f9c9704d2e207f0bed9d16e31a/google_genai-1.71.0-py3-none-any.whl", hash = "sha256:6213ebfee7fc8e6a21692c2c340309e463322cc35c2c603d1ea59e8ea34ac240", size = 760561, upload-time = "2026-04-08T17:55:49.107Z" }, + { url = "https://files.pythonhosted.org/packages/9f/3d/9f70246114cdf56a2615a40428ced08bc844f5a26247fe812b2f0dd4eaca/google_genai-1.72.0-py3-none-any.whl", hash = "sha256:ea861e4c6946e3185c24b40d95503e088fc230a73a71fec0ef78164b369a8489", size = 764230, upload-time = "2026-04-09T21:35:44.587Z" }, ] [[package]] @@ -444,7 +444,7 @@ requires-dist = [ { name = "anyio", specifier = ">=4.12.1" }, { name = "deepdiff", specifier = ">=8.6.1" }, { name = "defusedxml", specifier = ">=0.7.1" }, - { name = "google-genai", specifier = ">=1.70.0" }, + { name = "google-genai", specifier = ">=1.72.0" }, { name = "jinja2", specifier = ">=3.1.6" }, { name = "libcst", specifier = ">=1.8.2" }, { name = "packaging", specifier = ">=26.0" }, @@ -467,10 +467,10 @@ requires-dist = [ [package.metadata.requires-dev] dev = [ - { name = "hypothesis", specifier = ">=6.151.11" }, - { name = "pytest", specifier = ">=8.4.0" }, - { name = "pytest-cov", specifier = ">=6.2.1" }, - { name = "pytest-xdist", specifier = ">=3.7.0" }, + { name = "hypothesis", specifier = ">=6.151.12" }, + { name = "pytest", specifier = ">=9.0.3" }, + { name = "pytest-cov", specifier = ">=7.1.0" }, + { name = "pytest-xdist", specifier = ">=3.8.0" }, ] [[package]] @@ -712,15 +712,15 @@ wheels = [ [[package]] name = "rich" -version = "14.3.3" +version = "15.0.0" source = { registry = "https://pypi.org/simple" } dependencies = [ { name = "markdown-it-py" }, { name = "pygments" }, ] -sdist = { url = "https://files.pythonhosted.org/packages/b3/c6/f3b320c27991c46f43ee9d856302c70dc2d0fb2dba4842ff739d5f46b393/rich-14.3.3.tar.gz", hash = "sha256:b8daa0b9e4eef54dd8cf7c86c03713f53241884e814f4e2f5fb342fe520f639b", size = 230582, upload-time = "2026-02-19T17:23:12.474Z" } +sdist = { url = "https://files.pythonhosted.org/packages/c0/8f/0722ca900cc807c13a6a0c696dacf35430f72e0ec571c4275d2371fca3e9/rich-15.0.0.tar.gz", hash = "sha256:edd07a4824c6b40189fb7ac9bc4c52536e9780fbbfbddf6f1e2502c31b068c36", size = 230680, upload-time = "2026-04-12T08:24:00.75Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/14/25/b208c5683343959b670dc001595f2f3737e051da617f66c31f7c4fa93abc/rich-14.3.3-py3-none-any.whl", hash = "sha256:793431c1f8619afa7d3b52b2cdec859562b950ea0d4b6b505397612db8d5362d", size = 310458, upload-time = "2026-02-19T17:23:13.732Z" }, + { url = "https://files.pythonhosted.org/packages/82/3b/64d4899d73f91ba49a8c18a8ff3f0ea8f1c1d75481760df8c68ef5235bf5/rich-15.0.0-py3-none-any.whl", hash = "sha256:33bd4ef74232fb73fe9279a257718407f169c09b78a87ad3d296f548e27de0bb", size = 310654, upload-time = "2026-04-12T08:24:02.83Z" }, ] [[package]] @@ -755,27 +755,27 @@ wheels = [ [[package]] name = "ruff" -version = "0.15.9" -source = { registry = "https://pypi.org/simple" } -sdist = { url = "https://files.pythonhosted.org/packages/e6/97/e9f1ca355108ef7194e38c812ef40ba98c7208f47b13ad78d023caa583da/ruff-0.15.9.tar.gz", hash = "sha256:29cbb1255a9797903f6dde5ba0188c707907ff44a9006eb273b5a17bfa0739a2", size = 4617361, upload-time = "2026-04-02T18:17:20.829Z" } -wheels = [ - { url = "https://files.pythonhosted.org/packages/0b/1f/9cdfd0ac4b9d1e5a6cf09bedabdf0b56306ab5e333c85c87281273e7b041/ruff-0.15.9-py3-none-linux_armv6l.whl", hash = "sha256:6efbe303983441c51975c243e26dff328aca11f94b70992f35b093c2e71801e1", size = 10511206, upload-time = "2026-04-02T18:16:41.574Z" }, - { url = "https://files.pythonhosted.org/packages/3d/f6/32bfe3e9c136b35f02e489778d94384118bb80fd92c6d92e7ccd97db12ce/ruff-0.15.9-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:4965bac6ac9ea86772f4e23587746f0b7a395eccabb823eb8bfacc3fa06069f7", size = 10923307, upload-time = "2026-04-02T18:17:08.645Z" }, - { url = "https://files.pythonhosted.org/packages/ca/25/de55f52ab5535d12e7aaba1de37a84be6179fb20bddcbe71ec091b4a3243/ruff-0.15.9-py3-none-macosx_11_0_arm64.whl", hash = "sha256:eaf05aad70ca5b5a0a4b0e080df3a6b699803916d88f006efd1f5b46302daab8", size = 10316722, upload-time = "2026-04-02T18:16:44.206Z" }, - { url = "https://files.pythonhosted.org/packages/48/11/690d75f3fd6278fe55fff7c9eb429c92d207e14b25d1cae4064a32677029/ruff-0.15.9-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:9439a342adb8725f32f92732e2bafb6d5246bd7a5021101166b223d312e8fc59", size = 10623674, upload-time = "2026-04-02T18:16:50.951Z" }, - { url = "https://files.pythonhosted.org/packages/bd/ec/176f6987be248fc5404199255522f57af1b4a5a1b57727e942479fec98ad/ruff-0.15.9-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:9c5e6faf9d97c8edc43877c3f406f47446fc48c40e1442d58cfcdaba2acea745", size = 10351516, upload-time = "2026-04-02T18:16:57.206Z" }, - { url = "https://files.pythonhosted.org/packages/b2/fc/51cffbd2b3f240accc380171d51446a32aa2ea43a40d4a45ada67368fbd2/ruff-0.15.9-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:7b34a9766aeec27a222373d0b055722900fbc0582b24f39661aa96f3fe6ad901", size = 11150202, upload-time = "2026-04-02T18:17:06.452Z" }, - { url = "https://files.pythonhosted.org/packages/d6/d4/25292a6dfc125f6b6528fe6af31f5e996e19bf73ca8e3ce6eb7fa5b95885/ruff-0.15.9-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:89dd695bc72ae76ff484ae54b7e8b0f6b50f49046e198355e44ea656e521fef9", size = 11988891, upload-time = "2026-04-02T18:17:18.575Z" }, - { url = "https://files.pythonhosted.org/packages/13/e1/1eebcb885c10e19f969dcb93d8413dfee8172578709d7ee933640f5e7147/ruff-0.15.9-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:ce187224ef1de1bd225bc9a152ac7102a6171107f026e81f317e4257052916d5", size = 11480576, upload-time = "2026-04-02T18:16:52.986Z" }, - { url = "https://files.pythonhosted.org/packages/ff/6b/a1548ac378a78332a4c3dcf4a134c2475a36d2a22ddfa272acd574140b50/ruff-0.15.9-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:2b0c7c341f68adb01c488c3b7d4b49aa8ea97409eae6462d860a79cf55f431b6", size = 11254525, upload-time = "2026-04-02T18:17:02.041Z" }, - { url = "https://files.pythonhosted.org/packages/42/aa/4bb3af8e61acd9b1281db2ab77e8b2c3c5e5599bf2a29d4a942f1c62b8d6/ruff-0.15.9-py3-none-manylinux_2_31_riscv64.whl", hash = "sha256:55cc15eee27dc0eebdfcb0d185a6153420efbedc15eb1d38fe5e685657b0f840", size = 11204072, upload-time = "2026-04-02T18:17:13.581Z" }, - { url = "https://files.pythonhosted.org/packages/69/48/d550dc2aa6e423ea0bcc1d0ff0699325ffe8a811e2dba156bd80750b86dc/ruff-0.15.9-py3-none-musllinux_1_2_aarch64.whl", hash = "sha256:a6537f6eed5cda688c81073d46ffdfb962a5f29ecb6f7e770b2dc920598997ed", size = 10594998, upload-time = "2026-04-02T18:16:46.369Z" }, - { url = "https://files.pythonhosted.org/packages/63/47/321167e17f5344ed5ec6b0aa2cff64efef5f9e985af8f5622cfa6536043f/ruff-0.15.9-py3-none-musllinux_1_2_armv7l.whl", hash = "sha256:6d3fcbca7388b066139c523bda744c822258ebdcfbba7d24410c3f454cc9af71", size = 10359769, upload-time = "2026-04-02T18:17:10.994Z" }, - { url = "https://files.pythonhosted.org/packages/67/5e/074f00b9785d1d2c6f8c22a21e023d0c2c1817838cfca4c8243200a1fa87/ruff-0.15.9-py3-none-musllinux_1_2_i686.whl", hash = "sha256:058d8e99e1bfe79d8a0def0b481c56059ee6716214f7e425d8e737e412d69677", size = 10850236, upload-time = "2026-04-02T18:16:48.749Z" }, - { url = "https://files.pythonhosted.org/packages/76/37/804c4135a2a2caf042925d30d5f68181bdbd4461fd0d7739da28305df593/ruff-0.15.9-py3-none-musllinux_1_2_x86_64.whl", hash = "sha256:8e1ddb11dbd61d5983fa2d7d6370ef3eb210951e443cace19594c01c72abab4c", size = 11358343, upload-time = "2026-04-02T18:16:55.068Z" }, - { url = "https://files.pythonhosted.org/packages/88/3d/1364fcde8656962782aa9ea93c92d98682b1ecec2f184e625a965ad3b4a6/ruff-0.15.9-py3-none-win32.whl", hash = "sha256:bde6ff36eaf72b700f32b7196088970bf8fdb2b917b7accd8c371bfc0fd573ec", size = 10583382, upload-time = "2026-04-02T18:17:04.261Z" }, - { url = "https://files.pythonhosted.org/packages/4c/56/5c7084299bd2cacaa07ae63a91c6f4ba66edc08bf28f356b24f6b717c799/ruff-0.15.9-py3-none-win_amd64.whl", hash = "sha256:45a70921b80e1c10cf0b734ef09421f71b5aa11d27404edc89d7e8a69505e43d", size = 11744969, upload-time = "2026-04-02T18:16:59.611Z" }, - { url = "https://files.pythonhosted.org/packages/03/36/76704c4f312257d6dbaae3c959add2a622f63fcca9d864659ce6d8d97d3d/ruff-0.15.9-py3-none-win_arm64.whl", hash = "sha256:0694e601c028fd97dc5c6ee244675bc241aeefced7ef80cd9c6935a871078f53", size = 11005870, upload-time = "2026-04-02T18:17:15.773Z" }, +version = "0.15.10" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/e7/d9/aa3f7d59a10ef6b14fe3431706f854dbf03c5976be614a9796d36326810c/ruff-0.15.10.tar.gz", hash = "sha256:d1f86e67ebfdef88e00faefa1552b5e510e1d35f3be7d423dc7e84e63788c94e", size = 4631728, upload-time = "2026-04-09T14:06:09.884Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/eb/00/a1c2fdc9939b2c03691edbda290afcd297f1f389196172826b03d6b6a595/ruff-0.15.10-py3-none-linux_armv6l.whl", hash = "sha256:0744e31482f8f7d0d10a11fcbf897af272fefdfcb10f5af907b18c2813ff4d5f", size = 10563362, upload-time = "2026-04-09T14:06:21.189Z" }, + { url = "https://files.pythonhosted.org/packages/5c/15/006990029aea0bebe9d33c73c3e28c80c391ebdba408d1b08496f00d422d/ruff-0.15.10-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:b1e7c16ea0ff5a53b7c2df52d947e685973049be1cdfe2b59a9c43601897b22e", size = 10951122, upload-time = "2026-04-09T14:06:02.236Z" }, + { url = "https://files.pythonhosted.org/packages/f2/c0/4ac978fe874d0618c7da647862afe697b281c2806f13ce904ad652fa87e4/ruff-0.15.10-py3-none-macosx_11_0_arm64.whl", hash = "sha256:93cc06a19e5155b4441dd72808fdf84290d84ad8a39ca3b0f994363ade4cebb1", size = 10314005, upload-time = "2026-04-09T14:06:00.026Z" }, + { url = "https://files.pythonhosted.org/packages/da/73/c209138a5c98c0d321266372fc4e33ad43d506d7e5dd817dd89b60a8548f/ruff-0.15.10-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:83e1dd04312997c99ea6965df66a14fb4f03ba978564574ffc68b0d61fd3989e", size = 10643450, upload-time = "2026-04-09T14:05:42.137Z" }, + { url = "https://files.pythonhosted.org/packages/ec/76/0deec355d8ec10709653635b1f90856735302cb8e149acfdf6f82a5feb70/ruff-0.15.10-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:8154d43684e4333360fedd11aaa40b1b08a4e37d8ffa9d95fee6fa5b37b6fab1", size = 10379597, upload-time = "2026-04-09T14:05:49.984Z" }, + { url = "https://files.pythonhosted.org/packages/dc/be/86bba8fc8798c081e28a4b3bb6d143ccad3fd5f6f024f02002b8f08a9fa3/ruff-0.15.10-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:8ab88715f3a6deb6bde6c227f3a123410bec7b855c3ae331b4c006189e895cef", size = 11146645, upload-time = "2026-04-09T14:06:12.246Z" }, + { url = "https://files.pythonhosted.org/packages/a8/89/140025e65911b281c57be1d385ba1d932c2366ca88ae6663685aed8d4881/ruff-0.15.10-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:a768ff5969b4f44c349d48edf4ab4f91eddb27fd9d77799598e130fb628aa158", size = 12030289, upload-time = "2026-04-09T14:06:04.776Z" }, + { url = "https://files.pythonhosted.org/packages/88/de/ddacca9545a5e01332567db01d44bd8cf725f2db3b3d61a80550b48308ea/ruff-0.15.10-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:0ee3ef42dab7078bda5ff6a1bcba8539e9857deb447132ad5566a038674540d0", size = 11496266, upload-time = "2026-04-09T14:05:55.485Z" }, + { url = "https://files.pythonhosted.org/packages/bc/bb/7ddb00a83760ff4a83c4e2fc231fd63937cc7317c10c82f583302e0f6586/ruff-0.15.10-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:51cb8cc943e891ba99989dd92d61e29b1d231e14811db9be6440ecf25d5c1609", size = 11256418, upload-time = "2026-04-09T14:05:57.69Z" }, + { url = "https://files.pythonhosted.org/packages/dc/8d/55de0d35aacf6cd50b6ee91ee0f291672080021896543776f4170fc5c454/ruff-0.15.10-py3-none-manylinux_2_31_riscv64.whl", hash = "sha256:e59c9bdc056a320fb9ea1700a8d591718b8faf78af065484e801258d3a76bc3f", size = 11288416, upload-time = "2026-04-09T14:05:44.695Z" }, + { url = "https://files.pythonhosted.org/packages/68/cf/9438b1a27426ec46a80e0a718093c7f958ef72f43eb3111862949ead3cc1/ruff-0.15.10-py3-none-musllinux_1_2_aarch64.whl", hash = "sha256:136c00ca2f47b0018b073f28cb5c1506642a830ea941a60354b0e8bc8076b151", size = 10621053, upload-time = "2026-04-09T14:05:52.782Z" }, + { url = "https://files.pythonhosted.org/packages/4c/50/e29be6e2c135e9cd4cb15fbade49d6a2717e009dff3766dd080fcb82e251/ruff-0.15.10-py3-none-musllinux_1_2_armv7l.whl", hash = "sha256:8b80a2f3c9c8a950d6237f2ca12b206bccff626139be9fa005f14feb881a1ae8", size = 10378302, upload-time = "2026-04-09T14:06:14.361Z" }, + { url = "https://files.pythonhosted.org/packages/18/2f/e0b36a6f99c51bb89f3a30239bc7bf97e87a37ae80aa2d6542d6e5150364/ruff-0.15.10-py3-none-musllinux_1_2_i686.whl", hash = "sha256:e3e53c588164dc025b671c9df2462429d60357ea91af7e92e9d56c565a9f1b07", size = 10850074, upload-time = "2026-04-09T14:06:16.581Z" }, + { url = "https://files.pythonhosted.org/packages/11/08/874da392558ce087a0f9b709dc6ec0d60cbc694c1c772dab8d5f31efe8cb/ruff-0.15.10-py3-none-musllinux_1_2_x86_64.whl", hash = "sha256:b0c52744cf9f143a393e284125d2576140b68264a93c6716464e129a3e9adb48", size = 11358051, upload-time = "2026-04-09T14:06:18.948Z" }, + { url = "https://files.pythonhosted.org/packages/e4/46/602938f030adfa043e67112b73821024dc79f3ab4df5474c25fa4c1d2d14/ruff-0.15.10-py3-none-win32.whl", hash = "sha256:d4272e87e801e9a27a2e8df7b21011c909d9ddd82f4f3281d269b6ba19789ca5", size = 10588964, upload-time = "2026-04-09T14:06:07.14Z" }, + { url = "https://files.pythonhosted.org/packages/25/b6/261225b875d7a13b33a6d02508c39c28450b2041bb01d0f7f1a83d569512/ruff-0.15.10-py3-none-win_amd64.whl", hash = "sha256:28cb32d53203242d403d819fd6983152489b12e4a3ae44993543d6fe62ab42ed", size = 11745044, upload-time = "2026-04-09T14:05:39.473Z" }, + { url = "https://files.pythonhosted.org/packages/58/ed/dea90a65b7d9e69888890fb14c90d7f51bf0c1e82ad800aeb0160e4bacfd/ruff-0.15.10-py3-none-win_arm64.whl", hash = "sha256:601d1610a9e1f1c2165a4f561eeaa2e2ea1e97f3287c5aa258d3dab8b57c6188", size = 11035607, upload-time = "2026-04-09T14:05:47.593Z" }, ] [[package]] @@ -917,28 +917,28 @@ wheels = [ [[package]] name = "uv" -version = "0.11.5" -source = { registry = "https://pypi.org/simple" } -sdist = { url = "https://files.pythonhosted.org/packages/c1/cc/78a91ce11d04ce3b5ea7ea543cfe28f1564868bb5c34346fe727ae2078f1/uv-0.11.5.tar.gz", hash = "sha256:ad7582ddd9d5410ecde6d609a3bf66e01c0ec4bc8e2bb9aeaff76b033a5ec3ae", size = 4062802, upload-time = "2026-04-08T20:33:42.85Z" } -wheels = [ - { url = "https://files.pythonhosted.org/packages/aa/0c/b78efab6bdd38a278752ec551f640b8857f2ccd846a9864e5bcf4d24707a/uv-0.11.5-py3-none-linux_armv6l.whl", hash = "sha256:6fb915d9667e2692bd96ea927d46c5b435fe436312e52ce00790b5844af7b848", size = 23693092, upload-time = "2026-04-08T20:33:25.732Z" }, - { url = "https://files.pythonhosted.org/packages/f0/4c/5098a21ff28c88b969f0ca9150f44148cfe5e6c9388af422a176c505c6d9/uv-0.11.5-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:f92fd58727bcf12615e4322006a0590f4375fced6529052e7c13a81f4636846c", size = 23120003, upload-time = "2026-04-08T20:33:17.645Z" }, - { url = "https://files.pythonhosted.org/packages/60/d9/1d890e98be779e06cc4c7c2576ff1722a20d31c3b50f772c6add9ad2c3b4/uv-0.11.5-py3-none-macosx_11_0_arm64.whl", hash = "sha256:1e34d016099248ec2be4e890a71c05a225ab256ba815571eff60bbbf709410e2", size = 21674719, upload-time = "2026-04-08T20:33:20.295Z" }, - { url = "https://files.pythonhosted.org/packages/58/41/35046e9c618547a635ce926aa48fa3787946a53ceb66f330c384e26bb34c/uv-0.11.5-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.musllinux_1_1_aarch64.whl", hash = "sha256:8fb1b7cedbe6e6f60e08cdd7aa64dcbd29ae4712089fbaab15dc2a8e8f243c4f", size = 23423173, upload-time = "2026-04-08T20:33:57.185Z" }, - { url = "https://files.pythonhosted.org/packages/c7/e9/b5417252167ecea577a3fb254d9cf8ea63c3338017c199c9d261a33ae276/uv-0.11.5-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.musllinux_1_1_armv7l.whl", hash = "sha256:063cedb810ac34a4796bca738118eb15718a3f3c0d7c7caa5f98dd1d4f65fc2e", size = 23215778, upload-time = "2026-04-08T20:33:34.605Z" }, - { url = "https://files.pythonhosted.org/packages/c0/41/8cd9595481819e9e000cf708ea07d4eb4d347de7d7117b47ae8e7e258713/uv-0.11.5-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:192b966efd1ffd230af410e1c969f94e18ef37964780f45a786dea25a6ca3d4e", size = 23233108, upload-time = "2026-04-08T20:33:40.711Z" }, - { url = "https://files.pythonhosted.org/packages/08/cb/4c731f7b48d1e7a4242c33064b0c4c88d151cdf638ecaf8117fca267f6fb/uv-0.11.5-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:cb6ced97cd44b63aa58144e9a307e0f94a1b133220d9734f405743b20ba5567e", size = 24818189, upload-time = "2026-04-08T20:33:28.401Z" }, - { url = "https://files.pythonhosted.org/packages/6a/15/15dfd92136d651cf2e2a003acceea45bda53db3ecf56f7891f791a6e07f3/uv-0.11.5-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:0820d2b87a50ab05721515d159010dc176aff98d35629550b733f6f3020e9419", size = 25514566, upload-time = "2026-04-08T20:33:03.262Z" }, - { url = "https://files.pythonhosted.org/packages/f3/b9/5d01bb1b9f315787c926b1ea3265125a5cacf00ab3cec7732f23dd4fff65/uv-0.11.5-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:82c3aad922362a393373a1681dfba108bca456e9b20f7d32c3338034ba6c8375", size = 24748557, upload-time = "2026-04-08T20:33:51.276Z" }, - { url = "https://files.pythonhosted.org/packages/3e/32/a309c83d7c71307331cc657da952e2c8b1368918be0abf53ce200f976d90/uv-0.11.5-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:8d0e40e5216714c8f5a502b27282c5f0bbf7994ae4d09fb09a728a2fe8f74799", size = 24835596, upload-time = "2026-04-08T20:33:48.414Z" }, - { url = "https://files.pythonhosted.org/packages/b1/4e/d078af5949b1d4769a379b753f3d407d7515fcf36f0499e350faddb2b8e9/uv-0.11.5-py3-none-manylinux_2_28_aarch64.whl", hash = "sha256:eeadc114cc6c076f93526e89f70323865568f2b46c3209d731e7e6496ad5bc31", size = 23503142, upload-time = "2026-04-08T20:33:22.967Z" }, - { url = "https://files.pythonhosted.org/packages/ab/36/82d03488da99e774557db5e25e0e4e59e15846dc193e78f38f2fe46d3f69/uv-0.11.5-py3-none-manylinux_2_31_riscv64.musllinux_1_1_riscv64.whl", hash = "sha256:f2b89af45b8dc932fcc36270b032594fad44af9194eba7331d3b2a62f42da41d", size = 24288663, upload-time = "2026-04-08T20:33:06.346Z" }, - { url = "https://files.pythonhosted.org/packages/8d/ff/c4a0ee964ef3662927dffc286d388571833aef8044462350bd38590f3c13/uv-0.11.5-py3-none-manylinux_2_31_riscv64.whl", hash = "sha256:d285946607782d36a016d29753a64636d4fb3c7e284e11802b0e26a050d03e85", size = 24318278, upload-time = "2026-04-08T20:34:00.386Z" }, - { url = "https://files.pythonhosted.org/packages/e6/60/df2dfd7cf1d03665a97023c69cca4aa6330e72cab09994ea19b98d922bff/uv-0.11.5-py3-none-musllinux_1_1_i686.whl", hash = "sha256:cacd4288721797d2987ecbdf7b016cebdaafdfed2034ab8e442e3b96721db6ac", size = 23962394, upload-time = "2026-04-08T20:33:45.173Z" }, - { url = "https://files.pythonhosted.org/packages/93/c4/a78900d0181c8d43581518f19b2c8a9ce59ca80c609141c112f271222ec1/uv-0.11.5-py3-none-musllinux_1_1_x86_64.whl", hash = "sha256:007177234bf6e3f4e22e12b9a72764adb316fe76883c4a766c6d4a887d0bc252", size = 25030807, upload-time = "2026-04-08T20:33:54.55Z" }, - { url = "https://files.pythonhosted.org/packages/a2/f3/8e8e9c19fdb3a223b3ec53d86a3ab4f7bc541d6170b339b916cc7c81e0be/uv-0.11.5-py3-none-win32.whl", hash = "sha256:137a529da317c24639a0c8d0d632091317d987bf81b8cad8f1ef11dabc0e1e07", size = 22870047, upload-time = "2026-04-08T20:33:31.811Z" }, - { url = "https://files.pythonhosted.org/packages/00/d6/f49e3a48347cadffc5be673c91aa81c411fd67708f1488f87865558f75ee/uv-0.11.5-py3-none-win_amd64.whl", hash = "sha256:d0c0bc72f40daffe52d4479027bc37e80ed573f3ded59c5b1acd550a78ac8ebb", size = 25290444, upload-time = "2026-04-08T20:33:37.711Z" }, - { url = "https://files.pythonhosted.org/packages/1b/42/0026690d18aebbdc8b4b72f884555e2349e99822115f5938d283044e12f3/uv-0.11.5-py3-none-win_arm64.whl", hash = "sha256:b6a32bf1221cb5d25a7a3c4b4e49f3291d04574b6c2f22d11707294737db722d", size = 23781340, upload-time = "2026-04-08T20:33:14.321Z" }, +version = "0.11.6" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/dd/f3/8aceeab67ea69805293ab290e7ca8cc1b61a064d28b8a35c76d8eba063dd/uv-0.11.6.tar.gz", hash = "sha256:e3b21b7e80024c95ff339fcd147ac6fc3dd98d3613c9d45d3a1f4fd1057f127b", size = 4073298, upload-time = "2026-04-09T12:09:01.738Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/1f/fe/4b61a3d5ad9d02e8a4405026ccd43593d7044598e0fa47d892d4dafe44c9/uv-0.11.6-py3-none-linux_armv6l.whl", hash = "sha256:ada04dcf89ddea5b69d27ac9cdc5ef575a82f90a209a1392e930de504b2321d6", size = 23780079, upload-time = "2026-04-09T12:08:56.609Z" }, + { url = "https://files.pythonhosted.org/packages/52/db/d27519a9e1a5ffee9d71af1a811ad0e19ce7ab9ae815453bef39dd479389/uv-0.11.6-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:5be013888420f96879c6e0d3081e7bcf51b539b034a01777041934457dfbedf3", size = 23214721, upload-time = "2026-04-09T12:09:32.228Z" }, + { url = "https://files.pythonhosted.org/packages/a6/8f/4399fa8b882bd7e0efffc829f73ab24d117d490a93e6bc7104a50282b854/uv-0.11.6-py3-none-macosx_11_0_arm64.whl", hash = "sha256:ffa5dc1cbb52bdce3b8447e83d1601a57ad4da6b523d77d4b47366db8b1ceb18", size = 21750109, upload-time = "2026-04-09T12:09:24.357Z" }, + { url = "https://files.pythonhosted.org/packages/32/07/5a12944c31c3dda253632da7a363edddb869ed47839d4d92a2dc5f546c93/uv-0.11.6-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.musllinux_1_1_aarch64.whl", hash = "sha256:bfb107b4dade1d2c9e572992b06992d51dd5f2136eb8ceee9e62dd124289e825", size = 23551146, upload-time = "2026-04-09T12:09:10.439Z" }, + { url = "https://files.pythonhosted.org/packages/79/5b/2ec8b0af80acd1016ed596baf205ddc77b19ece288473b01926c4a9cf6db/uv-0.11.6-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.musllinux_1_1_armv7l.whl", hash = "sha256:9e2fe7ce12161d8016b7deb1eaad7905a76ff7afec13383333ca75e0c4b5425d", size = 23331192, upload-time = "2026-04-09T12:09:34.792Z" }, + { url = "https://files.pythonhosted.org/packages/62/7d/eea35935f2112b21c296a3e42645f3e4b1aa8bcd34dcf13345fbd55134b7/uv-0.11.6-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:7ed9c6f70c25e8dfeedddf4eddaf14d353f5e6b0eb43da9a14d3a1033d51d915", size = 23337686, upload-time = "2026-04-09T12:09:18.522Z" }, + { url = "https://files.pythonhosted.org/packages/21/47/2584f5ab618f6ebe9bdefb2f765f2ca8540e9d739667606a916b35449eec/uv-0.11.6-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:d68a013e609cebf82077cbeeb0809ed5e205257814273bfd31e02fc0353bbfc2", size = 25008139, upload-time = "2026-04-09T12:09:03.983Z" }, + { url = "https://files.pythonhosted.org/packages/95/81/497ae5c1d36355b56b97dc59f550c7e89d0291c163a3f203c6f341dff195/uv-0.11.6-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:93f736dddca03dae732c6fdea177328d3bc4bf137c75248f3d433c57416a4311", size = 25712458, upload-time = "2026-04-09T12:09:07.598Z" }, + { url = "https://files.pythonhosted.org/packages/3c/1c/74083238e4fab2672b63575b9008f1ea418b02a714bcfcf017f4f6a309b6/uv-0.11.6-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:e96a66abe53fced0e3389008b8d2eff8278cfa8bb545d75631ae8ceb9c929aba", size = 24915507, upload-time = "2026-04-09T12:08:50.892Z" }, + { url = "https://files.pythonhosted.org/packages/5a/ee/e14fe10ba455a823ed18233f12de6699a601890905420b5c504abf115116/uv-0.11.6-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:0b096311b2743b228df911a19532b3f18fa420bf9530547aecd6a8e04bbfaccd", size = 24971011, upload-time = "2026-04-09T12:08:54.016Z" }, + { url = "https://files.pythonhosted.org/packages/3c/a1/7b9c83eaadf98e343317ff6384a7227a4855afd02cdaf9696bcc71ee6155/uv-0.11.6-py3-none-manylinux_2_28_aarch64.whl", hash = "sha256:904d537b4a6e798015b4a64ff5622023bd4601b43b6cd1e5f423d63471f5e948", size = 23640234, upload-time = "2026-04-09T12:09:15.735Z" }, + { url = "https://files.pythonhosted.org/packages/d6/51/75ccdd23e76ff1703b70eb82881cd5b4d2a954c9679f8ef7e0136ef2cfab/uv-0.11.6-py3-none-manylinux_2_31_riscv64.musllinux_1_1_riscv64.whl", hash = "sha256:4ed8150c26b5e319381d75ae2ce6aba1e9c65888f4850f4e3b3fa839953c90a5", size = 24452664, upload-time = "2026-04-09T12:09:26.875Z" }, + { url = "https://files.pythonhosted.org/packages/4d/86/ace80fe47d8d48b5e3b5aee0b6eb1a49deaacc2313782870250b3faa36f5/uv-0.11.6-py3-none-manylinux_2_31_riscv64.whl", hash = "sha256:1c9218c8d4ac35ca6e617fb0951cc0ab2d907c91a6aea2617de0a5494cf162c0", size = 24494599, upload-time = "2026-04-09T12:09:37.368Z" }, + { url = "https://files.pythonhosted.org/packages/05/2d/4b642669b56648194f026de79bc992cbfc3ac2318b0a8d435f3c284934e8/uv-0.11.6-py3-none-musllinux_1_1_i686.whl", hash = "sha256:9e211c83cc890c569b86a4183fcf5f8b6f0c7adc33a839b699a98d30f1310d3a", size = 24159150, upload-time = "2026-04-09T12:09:13.17Z" }, + { url = "https://files.pythonhosted.org/packages/ae/24/7eecd76fe983a74fed1fc700a14882e70c4e857f1d562a9f2303d4286c12/uv-0.11.6-py3-none-musllinux_1_1_x86_64.whl", hash = "sha256:d2a1d2089afdf117ad19a4c1dd36b8189c00ae1ad4135d3bfbfced82342595cf", size = 25164324, upload-time = "2026-04-09T12:08:59.56Z" }, + { url = "https://files.pythonhosted.org/packages/27/e0/bbd4ba7c2e5067bbba617d87d306ec146889edaeeaa2081d3e122178ca08/uv-0.11.6-py3-none-win32.whl", hash = "sha256:6e8344f38fa29f85dcfd3e62dc35a700d2448f8e90381077ef393438dcd5012e", size = 22865693, upload-time = "2026-04-09T12:09:21.415Z" }, + { url = "https://files.pythonhosted.org/packages/a5/33/1983ce113c538a856f2d620d16e39691962ecceef091a84086c5785e32e5/uv-0.11.6-py3-none-win_amd64.whl", hash = "sha256:a28bea69c1186303d1200f155c7a28c449f8a4431e458fcf89360cc7ef546e40", size = 25371258, upload-time = "2026-04-09T12:09:40.52Z" }, + { url = "https://files.pythonhosted.org/packages/35/01/be0873f44b9c9bc250fcbf263367fcfc1f59feab996355bcb6b52fff080d/uv-0.11.6-py3-none-win_arm64.whl", hash = "sha256:a78f6d64b9950e24061bc7ec7f15ff8089ad7f5a976e7b65fcadce58fe02f613", size = 23869585, upload-time = "2026-04-09T12:09:29.425Z" }, ] [[package]] From 7ffe95f5b6e4cf79a6802533bd04d5ff63129f22 Mon Sep 17 00:00:00 2001 From: talshapir Date: Sun, 12 Apr 2026 09:24:19 +0000 Subject: [PATCH 23/26] Gemini prompts improvement --- .../integrations/action/ai/ai_categories.py | 11 +++ .../integrations/action/ai/capabilities.py | 12 +++ .../integrations/action/ai/entity_usage.py | 11 +++ .../action/ai/product_categories.py | 11 +++ .../integration_meta/ai/product_categories.py | 11 +++ .../mp/src/mp/describe/action/prompts/task.md | 89 ++++++++++++++++++- .../mp/describe/integration/prompts/task.md | 15 ++++ 7 files changed, 156 insertions(+), 4 deletions(-) diff --git a/packages/mp/src/mp/core/data_models/integrations/action/ai/ai_categories.py b/packages/mp/src/mp/core/data_models/integrations/action/ai/ai_categories.py index 95d28d42a..17ef02c02 100644 --- a/packages/mp/src/mp/core/data_models/integrations/action/ai/ai_categories.py +++ b/packages/mp/src/mp/core/data_models/integrations/action/ai/ai_categories.py @@ -22,6 +22,17 @@ class AiCategories(BaseModel): + reasoning: Annotated[ + str, + Field( + title="Categorization Reasoning", + description=( + "Step-by-step reasoning evaluating the action against all available AI " + "categories (e.g. enrichment). Explicitly state why the action matches or " + "does not match the criteria before setting their boolean flags." + ), + ), + ] enrichment: Annotated[ bool, Field( diff --git a/packages/mp/src/mp/core/data_models/integrations/action/ai/capabilities.py b/packages/mp/src/mp/core/data_models/integrations/action/ai/capabilities.py index ea9aee936..8e3d35fb3 100644 --- a/packages/mp/src/mp/core/data_models/integrations/action/ai/capabilities.py +++ b/packages/mp/src/mp/core/data_models/integrations/action/ai/capabilities.py @@ -20,6 +20,18 @@ class ActionCapabilities(BaseModel): + reasoning: Annotated[ + str, + Field( + title="Categorization Reasoning", + description=( + "Step-by-step reasoning evaluating the action's capabilities. Explicitly " + "state why the action fetches data, mutates external data, mutates internal " + "data, updates entities, creates insights, modifies alert data, or creates " + "case comments before setting the boolean flags." + ), + ), + ] fetches_data: Annotated[ bool, Field( diff --git a/packages/mp/src/mp/core/data_models/integrations/action/ai/entity_usage.py b/packages/mp/src/mp/core/data_models/integrations/action/ai/entity_usage.py index 6bb9421e4..6c6938548 100644 --- a/packages/mp/src/mp/core/data_models/integrations/action/ai/entity_usage.py +++ b/packages/mp/src/mp/core/data_models/integrations/action/ai/entity_usage.py @@ -22,6 +22,17 @@ class EntityUsage(BaseModel): + reasoning: Annotated[ + str, + Field( + title="Categorization Reasoning", + description=( + "Step-by-step reasoning evaluating how the action uses entities. Explicitly " + "state the entity types used and why each filtering condition is met or not " + "met before setting the boolean flags." + ), + ), + ] entity_types: Annotated[ list[EntityType], Field( diff --git a/packages/mp/src/mp/core/data_models/integrations/action/ai/product_categories.py b/packages/mp/src/mp/core/data_models/integrations/action/ai/product_categories.py index e8f30299d..2f033cf75 100644 --- a/packages/mp/src/mp/core/data_models/integrations/action/ai/product_categories.py +++ b/packages/mp/src/mp/core/data_models/integrations/action/ai/product_categories.py @@ -21,6 +21,17 @@ class ActionProductCategories(BaseModel): + reasoning: Annotated[ + str, + Field( + title="Categorization Reasoning", + description=( + "Step-by-step reasoning evaluating the action against all available product " + "categories. Explicitly state why the action matches or does not match the " + "'Expected Outcome' of relevant categories before setting their boolean flags." + ), + ), + ] enrich_ioc: Annotated[ bool, Field( diff --git a/packages/mp/src/mp/core/data_models/integrations/integration_meta/ai/product_categories.py b/packages/mp/src/mp/core/data_models/integrations/integration_meta/ai/product_categories.py index ceb50f6ce..3fbf7c4e4 100644 --- a/packages/mp/src/mp/core/data_models/integrations/integration_meta/ai/product_categories.py +++ b/packages/mp/src/mp/core/data_models/integrations/integration_meta/ai/product_categories.py @@ -21,6 +21,17 @@ class IntegrationProductCategories(BaseModel): + reasoning: Annotated[ + str, + Field( + title="Categorization Reasoning", + description=( + "Step-by-step reasoning evaluating the integration against all available product " + "categories. Explicitly state why the integration matches or does not match the " + "criteria of relevant categories before setting their boolean flags." + ), + ), + ] siem: Annotated[ bool, Field( diff --git a/packages/mp/src/mp/describe/action/prompts/task.md b/packages/mp/src/mp/describe/action/prompts/task.md index 0b39996c0..fa1e6070b 100644 --- a/packages/mp/src/mp/describe/action/prompts/task.md +++ b/packages/mp/src/mp/describe/action/prompts/task.md @@ -26,6 +26,36 @@ I have provided the following files for a Google SecOps action: * https://docs.cloud.google.com/chronicle/docs/soar/reference/script-result-module * https://docs.cloud.google.com/chronicle/docs/soar/reference/script-result-module +**Action Product Categories Definitions:** +Review these categories carefully. An action can belong to one or more categories if it matches the expected outcome. +- **Enrich IOC**: Returns reputation, prevalence, and threat intelligence for the indicator. +- **Enrich Asset**: Returns contextual metadata (e.g., OS version, owner, department, MAC address) for a user or resource. +- **Update Alert**: Changes the status, severity, or assignee of the alert within the SecOps platform. +- **Add Alert Comment**: Appends analyst notes or automated log entries to the alert's activity timeline. +- **Create Ticket**: Generates a new record in an external ITSM (e.g., Jira, ServiceNow) and returns the Ticket ID. +- **Update Ticket**: Synchronizes status, priority, or field changes from SecOps to the external ticketing system. +- **Add IOC To Blocklist**: Updates security controls (Firewall, EDR, Proxy) to prevent any future interaction with the IOC. +- **Remove IOC From Blocklist**: Restores connectivity or execution rights for an indicator by removing it from restricted lists. +- **Add IOC To Allowlist**: Marks an indicator as "known good" to prevent future security alerts or false positives. +- **Remove IOC From Allowlist**: Re-enables standard security monitoring and blocking for a previously trusted indicator. +- **Disable Identity**: Revokes active sessions and prevents a user or service account from authenticating to the network. +- **Enable Identity**: Restores authentication capabilities and system access for a previously disabled account. +- **Contain Host**: Isolates an endpoint from the network via EDR, allowing communication only with the management console. +- **Uncontain Host**: Removes network isolation and restores the endpoint's full communication capabilities. +- **Reset Identity Password**: Invalidates the current credentials and triggers a password change or temporary password generation. +- **Update Identity**: Modifies account metadata, such as group memberships, permissions, or contact information. +- **Search Events**: Returns a collection of historical logs or telemetry data matching specific search parameters. +- **Execute Command on the Host**: Runs a script or system command on a remote endpoint and returns the standard output (STDOUT). +- **Download File**: Retrieves a specific file from a remote host for local forensic analysis or sandboxing. +- **Send Email**: Dispatches an outbound email notification or response to specified recipients. +- **Search Email**: Identifies and lists emails across the mail server based on criteria like sender, subject, or attachment. +- **Delete Email**: Removes a specific email or thread from one or more user mailboxes (Purge/Withdraw). +- **Update Email**: Modifies the state of an email, such as moving it to quarantine, marking as read, or applying labels. +- **Submit File**: Uploads a file or sample to a sandbox or analysis engine (e.g., VirusTotal, Joe Sandbox) and returns a behavior report or threat score. +- **Send Message**: Sends a message to a communication app (e.g., Google Chat, Microsoft Teams). +- **Search Asset**: Searches for the asset associated with the alert within the product. +- **Get Alert Information**: Fetches information about the alert from the 3rd party product. + **Instructions:** 1. **Analyze the Description:** Synthesize the `Script Code` logic and`Script Settings` description. @@ -40,6 +70,7 @@ I have provided the following files for a Google SecOps action: `update_entities`, `add_case_comment`. 3. **Extract Entity Scopes:** Look at the `Supported entities` in the JSON description or the `SimulationDataJson` to see if it targets `ADDRESS`, `FILEHASH`, `USER`, etc. +4. **Action Product Categories & Reasoning:** You MUST write out your step-by-step reasoning in the `reasoning` field of the `action_product_categories` object BEFORE populating the boolean flags. Discuss why the action matches or fails to match specific categories based on the expected outcomes defined above. **Golden Dataset (Few-Shot Examples):** @@ -88,6 +119,7 @@ for entity in suitable_entities: "can_create_case_comments": false }, "entity_usage": { + "reasoning": "The code iterates over `siemplify.target_entities` and filters using `entity.entity_type == EntityTypes.ADDRESS and entity.is_internal`. This means it targets ADDRESS entities, filtering by entity_type and is_internal.", "run_on_entity_types": [ "ADDRESS" ], @@ -109,6 +141,7 @@ for entity in suitable_entities: "enrichment": true }, "action_product_categories": { + "reasoning": "The action fetches IP data from VirusTotal, returning threat intelligence and evaluating risk. This matches the 'Enrich IOC' expected outcome. It does not mutate data on external systems, so it is not a Contain Host or Blocklist action.", "add_alert_comment": false, "add_ioc_to_allowlist": false, "add_ioc_to_blocklist": false, @@ -182,6 +215,7 @@ if result['success']: "can_create_case_comments": false }, "entity_usage": { + "reasoning": "The code processes `entities` looking for `e.entity_type == \"ADDRESS\"`, filtering strictly by entity_type.", "run_on_entity_types": [ "ADDRESS" ], @@ -203,6 +237,7 @@ if result['success']: "enrichment": false }, "action_product_categories": { + "reasoning": "The action performs a POST to a firewall to block an IP address. This directly aligns with the 'Contain Host' expected outcome of isolating an endpoint, or 'Add IOC To Blocklist' depending on exact definition. Based on the JSON snippet, 'Contain Host' is true.", "add_alert_comment": false, "add_ioc_to_allowlist": false, "add_ioc_to_blocklist": false, @@ -257,8 +292,9 @@ results = ticket_manager.create_ticket(title, description) ```json { - "fields": { - "description": "Opens a new ticket in the ticket service by a post request.", + "ai_description": "Opens a new ticket in the ticket service by a post request.", + "capabilities": { + "reasoning": "The action makes a POST request to create a ticket (can_mutate_external_data=true). It does not fetch context data or update internal entities.", "fetches_data": false, "can_mutate_external_data": true, "external_data_mutation_explanation": "Creates a new ticket in the ticket service.", @@ -285,8 +321,39 @@ results = ticket_manager.create_ticket(title, description) "filters_by_is_enriched": false, "filters_by_is_pivot": false }, - "tags": { - "is_enrichment": false + "categories": { + "reasoning": "The action creates external data (a ticket) rather than retrieving data, so it cannot be an Enrichment action.", + "enrichment": false + }, + "action_product_categories": { + "reasoning": "The action creates a new ticket in an external ticket service. This directly aligns with the 'Create Ticket' category.", + "add_alert_comment": false, + "add_ioc_to_allowlist": false, + "add_ioc_to_blocklist": false, + "contain_host": false, + "create_ticket": true, + "delete_email": false, + "disable_identity": false, + "download_file": false, + "enable_identity": false, + "enrich_asset": false, + "enrich_ioc": false, + "execute_command_on_the_host": false, + "get_alert_information": false, + "remove_ioc_from_allowlist": false, + "remove_ioc_from_blocklist": false, + "reset_identity_password": false, + "search_asset": false, + "search_email": false, + "search_events": false, + "send_email": false, + "send_message": false, + "submit_file": false, + "uncontain_host": false, + "update_alert": false, + "update_email": false, + "update_identity": false, + "update_ticket": false } } ``` @@ -321,3 +388,17 @@ Based strictly on the provided "Current Task Input" and the guidelines defined i 1. Analyze the code flow and settings. 2. Construct the Capability Summary JSON. 3. Ensure valid JSON syntax. + +3. Ensure valid JSON syntax. +ttings. +2. Construct the Capability Summary JSON. +3. Ensure valid JSON syntax. + settings. +2. Construct the Capability Summary JSON. +3. Ensure valid JSON syntax. +ttings. +2. Construct the Capability Summary JSON. +3. Ensure valid JSON syntax. + settings. +2. Construct the Capability Summary JSON. +3. Ensure valid JSON syntax. diff --git a/packages/mp/src/mp/describe/integration/prompts/task.md b/packages/mp/src/mp/describe/integration/prompts/task.md index e5dd29f8d..f7eb84bb9 100644 --- a/packages/mp/src/mp/describe/integration/prompts/task.md +++ b/packages/mp/src/mp/describe/integration/prompts/task.md @@ -7,9 +7,24 @@ I have provided the following information for a Google SecOps integration: 4. `Connectors AI Descriptions`: A collection of AI-generated descriptions for all connectors in this integration. 5. `Jobs AI Descriptions`: A collection of AI-generated descriptions for all jobs in this integration. +**Integration Product Categories Definitions:** +Review these categories carefully. An integration can belong to multiple categories if its actions/connectors fulfill the criteria. +- **SIEM**: Use when you need to find the activity related to Assets, Users or see if an IOC has been seen globally across your logs in the last 90 days. Expected Outcome: Returns a timeline of activity, lists all internal assets that touched an IOC, and identifies source of the suspicious activity. +- **EDR**: Use when the investigation involves a specific host (workstation/server) and you need to see deep process-level activity. Expected Outcome: Returns the process tree (Parent/Child), retrieves suspicious files for analysis, or contains the host by isolating it from the network. +- **Network Security**: Use when an internal asset is communicating with a known malicious external IP or to verify if a web-based attack was blocked. Expected Outcome: Returns firewall/WAF permit/deny logs and allows the agent to block malicious IPs/URLs at the gateway. +- **Threat Intelligence**: Use as the first step of enrichment for any external indicator (IP, Hash, URL) to determine its reputation. Expected Outcome: Returns risk scores, malware family names, and historical "last seen" data to confirm if an alert is a True Positive. +- **Email Security**: Use when the alert involves a phishing report, a suspicious attachment, or a link delivered via email. Expected Outcome: Returns a list of all affected users who received the same email and allows the agent to manage emails in all inboxes. +- **IAM & Identity Management**: Use when a user account is showing suspicious behavior and you want to manage identity. Expected Outcome: Returns user or identity group/privilege levels and allows the agent to suspend accounts, force password resets, reset service accounts. +- **Cloud Security**: Use for alerts involving cloud-native resources GCP/AWS/Azure. Expected Outcome: Returns resource configuration states, findings and identifies rogue cloud instances or API keys. +- **ITSM**: Use to document the investigation, assign tasks to other teams. Expected Outcome: Creates/updates tickets, assigns tasks to specific departments. +- **Vulnerability Management**: Use to verify if a targeted asset is actually susceptible to the exploit seen in the alert. Expected Outcome: Returns CVE information and a list of missing patches on the target host to determine if the attack had a high probability of success. +- **Asset Inventory**: Use when you want to get more information about an internal asset. Expected Outcome: Returns the asset owner, department, business criticality, and whether the device is managed by IT. +- **Collaboration**: Use when an automated action requires a "Human-in-the-Loop" approval or when the SOC needs to be notified of a critical find. Expected Outcome: Sends interactive alerts to Slack/Teams for manual approval and notifies stakeholders of critical findings. + **Instructions:** Analyze the provided information and determine the product categories that best describe the integration's capabilities. Connectors are especially important for determining if the integration is a SIEM or EDR, as they handle the data ingestion. +**Reasoning First:** You MUST write out your step-by-step reasoning in the `reasoning` field before populating the boolean flags. Discuss why the integration matches or fails to match specific categories based on the definitions provided above. **Current Task Input:** From ecc06b772770eab31e3b363df95a2bf8298fc1cc Mon Sep 17 00:00:00 2001 From: talshapir Date: Sun, 12 Apr 2026 17:36:55 +0300 Subject: [PATCH 24/26] regenerate ai descriptions --- .../resources/ai/actions_ai_description.yaml | 259 +- .../ai/integration_ai_description.yaml | 13 +- .../resources/ai/actions_ai_description.yaml | 117 +- .../ai/integration_ai_description.yaml | 9 + .../resources/ai/actions_ai_description.yaml | 256 +- .../ai/integration_ai_description.yaml | 9 + .../resources/ai/actions_ai_description.yaml | 107 +- .../ai/integration_ai_description.yaml | 7 + .../resources/ai/actions_ai_description.yaml | 176 +- .../ai/integration_ai_description.yaml | 10 + .../resources/ai/actions_ai_description.yaml | 324 ++- .../ai/integration_ai_description.yaml | 21 +- .../resources/ai/actions_ai_description.yaml | 206 +- .../ai/integration_ai_description.yaml | 9 + .../resources/ai/actions_ai_description.yaml | 91 +- .../ai/integration_ai_description.yaml | 14 +- .../resources/ai/actions_ai_description.yaml | 96 +- .../ai/integration_ai_description.yaml | 10 + .../resources/ai/actions_ai_description.yaml | 102 +- .../ai/connectors_ai_description.yaml | 84 +- .../ai/integration_ai_description.yaml | 10 + .../ai/connectors_ai_description.yaml | 121 +- .../ai/integration_ai_description.yaml | 8 + .../resources/ai/actions_ai_description.yaml | 148 +- .../ai/integration_ai_description.yaml | 13 + .../resources/ai/actions_ai_description.yaml | 751 +++--- .../ai/integration_ai_description.yaml | 15 +- .../resources/ai/actions_ai_description.yaml | 980 ++++---- .../ai/integration_ai_description.yaml | 8 + .../resources/ai/actions_ai_description.yaml | 1036 ++++---- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 72 +- .../ai/integration_ai_description.yaml | 9 + .../resources/ai/jobs_ai_description.yaml | 1102 ++++---- .../resources/ai/actions_ai_description.yaml | 312 ++- .../ai/integration_ai_description.yaml | 15 +- .../resources/ai/actions_ai_description.yaml | 285 ++- .../ai/integration_ai_description.yaml | 11 + .../resources/ai/actions_ai_description.yaml | 342 +-- .../ai/integration_ai_description.yaml | 10 +- .../resources/ai/actions_ai_description.yaml | 320 +-- .../ai/integration_ai_description.yaml | 10 + .../resources/ai/actions_ai_description.yaml | 1459 +++++++---- .../ai/integration_ai_description.yaml | 14 +- .../resources/ai/jobs_ai_description.yaml | 109 +- .../resources/ai/actions_ai_description.yaml | 170 +- .../ai/integration_ai_description.yaml | 9 + .../resources/ai/actions_ai_description.yaml | 694 +++--- .../ai/connectors_ai_description.yaml | 90 +- .../ai/integration_ai_description.yaml | 12 +- .../resources/ai/actions_ai_description.yaml | 982 ++++---- .../ai/integration_ai_description.yaml | 14 +- .../resources/ai/actions_ai_description.yaml | 555 +++-- .../ai/integration_ai_description.yaml | 17 +- .../resources/ai/actions_ai_description.yaml | 815 +++--- .../ai/integration_ai_description.yaml | 8 + .../resources/ai/actions_ai_description.yaml | 200 +- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 657 ++--- .../ai/integration_ai_description.yaml | 8 + .../resources/ai/actions_ai_description.yaml | 61 +- .../ai/connectors_ai_description.yaml | 69 +- .../ai/integration_ai_description.yaml | 9 + .../resources/ai/actions_ai_description.yaml | 1678 +++++++------ .../ai/integration_ai_description.yaml | 16 +- .../resources/ai/actions_ai_description.yaml | 80 +- .../ai/integration_ai_description.yaml | 9 + .../resources/ai/actions_ai_description.yaml | 133 +- .../ai/integration_ai_description.yaml | 11 + .../resources/ai/actions_ai_description.yaml | 52 +- .../ai/connectors_ai_description.yaml | 88 +- .../ai/integration_ai_description.yaml | 10 + .../resources/ai/actions_ai_description.yaml | 60 +- .../ai/connectors_ai_description.yaml | 46 +- .../ai/integration_ai_description.yaml | 9 + .../resources/ai/actions_ai_description.yaml | 460 ++-- .../ai/integration_ai_description.yaml | 10 + .../resources/ai/actions_ai_description.yaml | 133 +- .../ai/integration_ai_description.yaml | 9 + .../resources/ai/actions_ai_description.yaml | 47 +- .../ai/connectors_ai_description.yaml | 56 +- .../ai/integration_ai_description.yaml | 11 + .../resources/ai/actions_ai_description.yaml | 648 ++--- .../ai/connectors_ai_description.yaml | 111 +- .../ai/integration_ai_description.yaml | 13 +- .../resources/ai/actions_ai_description.yaml | 120 +- .../ai/integration_ai_description.yaml | 12 +- .../resources/ai/actions_ai_description.yaml | 271 +- .../ai/connectors_ai_description.yaml | 53 +- .../ai/integration_ai_description.yaml | 13 +- .../resources/ai/actions_ai_description.yaml | 249 +- .../ai/connectors_ai_description.yaml | 67 +- .../ai/integration_ai_description.yaml | 11 + .../resources/ai/actions_ai_description.yaml | 360 +-- .../ai/connectors_ai_description.yaml | 65 +- .../ai/integration_ai_description.yaml | 14 +- .../resources/ai/actions_ai_description.yaml | 132 +- .../ai/integration_ai_description.yaml | 14 +- .../resources/ai/actions_ai_description.yaml | 328 +-- .../ai/integration_ai_description.yaml | 11 +- .../resources/ai/actions_ai_description.yaml | 720 +++--- .../ai/integration_ai_description.yaml | 12 +- .../resources/ai/actions_ai_description.yaml | 125 +- .../ai/integration_ai_description.yaml | 10 + .../resources/ai/actions_ai_description.yaml | 1136 ++++----- .../ai/connectors_ai_description.yaml | 68 +- .../ai/integration_ai_description.yaml | 14 +- .../resources/ai/actions_ai_description.yaml | 203 +- .../ai/integration_ai_description.yaml | 6 + .../resources/ai/actions_ai_description.yaml | 451 ++-- .../ai/integration_ai_description.yaml | 11 + .../resources/ai/actions_ai_description.yaml | 202 +- .../ai/integration_ai_description.yaml | 6 + .../resources/ai/actions_ai_description.yaml | 514 ++-- .../ai/integration_ai_description.yaml | 10 + .../ai/connectors_ai_description.yaml | 59 +- .../ai/integration_ai_description.yaml | 11 +- .../resources/ai/actions_ai_description.yaml | 333 +-- .../ai/connectors_ai_description.yaml | 77 +- .../ai/integration_ai_description.yaml | 8 + .../resources/ai/actions_ai_description.yaml | 55 +- .../ai/connectors_ai_description.yaml | 103 +- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/jobs_ai_description.yaml | 36 +- .../resources/ai/actions_ai_description.yaml | 339 +-- .../ai/integration_ai_description.yaml | 13 +- .../resources/ai/actions_ai_description.yaml | 570 +++-- .../ai/connectors_ai_description.yaml | 168 +- .../ai/integration_ai_description.yaml | 13 +- .../resources/ai/actions_ai_description.yaml | 124 +- .../ai/integration_ai_description.yaml | 11 + .../resources/ai/actions_ai_description.yaml | 708 +++--- .../ai/connectors_ai_description.yaml | 54 +- .../ai/integration_ai_description.yaml | 11 + .../resources/ai/actions_ai_description.yaml | 46 +- .../ai/connectors_ai_description.yaml | 79 +- .../ai/integration_ai_description.yaml | 10 + .../resources/ai/actions_ai_description.yaml | 188 +- .../ai/integration_ai_description.yaml | 10 +- .../resources/ai/actions_ai_description.yaml | 115 +- .../ai/integration_ai_description.yaml | 12 +- .../resources/ai/actions_ai_description.yaml | 430 ++-- .../ai/integration_ai_description.yaml | 8 + .../resources/ai/actions_ai_description.yaml | 282 ++- .../ai/connectors_ai_description.yaml | 53 +- .../ai/integration_ai_description.yaml | 12 +- .../resources/ai/jobs_ai_description.yaml | 35 +- .../resources/ai/actions_ai_description.yaml | 139 +- .../ai/integration_ai_description.yaml | 8 + .../resources/ai/actions_ai_description.yaml | 475 ++-- .../ai/integration_ai_description.yaml | 8 + .../resources/ai/actions_ai_description.yaml | 86 +- .../ai/integration_ai_description.yaml | 9 + .../resources/ai/actions_ai_description.yaml | 261 +- .../ai/integration_ai_description.yaml | 10 + .../resources/ai/actions_ai_description.yaml | 1242 ++++----- .../ai/integration_ai_description.yaml | 16 +- .../resources/ai/actions_ai_description.yaml | 876 ++++--- .../ai/connectors_ai_description.yaml | 88 +- .../ai/integration_ai_description.yaml | 12 +- .../resources/ai/actions_ai_description.yaml | 572 ++--- .../ai/integration_ai_description.yaml | 11 + .../resources/ai/actions_ai_description.yaml | 2197 ++++++++-------- .../ai/connectors_ai_description.yaml | 129 +- .../ai/integration_ai_description.yaml | 17 +- .../resources/ai/jobs_ai_description.yaml | 84 +- .../resources/ai/actions_ai_description.yaml | 1911 +++++++------- .../ai/connectors_ai_description.yaml | 82 +- .../ai/integration_ai_description.yaml | 19 +- .../resources/ai/jobs_ai_description.yaml | 49 +- .../resources/ai/actions_ai_description.yaml | 552 ++-- .../ai/connectors_ai_description.yaml | 66 +- .../ai/integration_ai_description.yaml | 13 +- .../resources/ai/actions_ai_description.yaml | 266 +- .../ai/integration_ai_description.yaml | 11 +- .../resources/ai/actions_ai_description.yaml | 182 +- .../ai/integration_ai_description.yaml | 6 + .../resources/ai/actions_ai_description.yaml | 303 ++- .../ai/integration_ai_description.yaml | 11 + .../resources/ai/actions_ai_description.yaml | 462 ++-- .../ai/integration_ai_description.yaml | 13 +- .../resources/ai/actions_ai_description.yaml | 857 ++++--- .../ai/integration_ai_description.yaml | 9 + .../resources/ai/actions_ai_description.yaml | 69 +- .../ai/integration_ai_description.yaml | 9 + .../resources/ai/jobs_ai_description.yaml | 57 +- .../resources/ai/actions_ai_description.yaml | 192 +- .../ai/integration_ai_description.yaml | 10 + .../resources/ai/actions_ai_description.yaml | 523 ++-- .../ai/integration_ai_description.yaml | 9 + .../resources/ai/actions_ai_description.yaml | 356 +-- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 337 ++- .../ai/integration_ai_description.yaml | 11 +- .../resources/ai/actions_ai_description.yaml | 136 +- .../ai/integration_ai_description.yaml | 11 +- .../resources/ai/actions_ai_description.yaml | 824 +++--- .../ai/integration_ai_description.yaml | 15 +- .../resources/ai/actions_ai_description.yaml | 527 ++-- .../ai/connectors_ai_description.yaml | 268 +- .../ai/integration_ai_description.yaml | 14 +- .../resources/ai/actions_ai_description.yaml | 321 +-- .../ai/integration_ai_description.yaml | 10 + .../resources/ai/actions_ai_description.yaml | 410 +-- .../ai/integration_ai_description.yaml | 11 +- .../resources/ai/actions_ai_description.yaml | 448 ++-- .../ai/connectors_ai_description.yaml | 58 +- .../ai/integration_ai_description.yaml | 13 + .../resources/ai/actions_ai_description.yaml | 373 +-- .../ai/connectors_ai_description.yaml | 145 +- .../ai/integration_ai_description.yaml | 13 +- .../resources/ai/actions_ai_description.yaml | 195 +- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 1627 ++++++------ .../ai/integration_ai_description.yaml | 11 + .../resources/ai/actions_ai_description.yaml | 2215 +++++++++-------- .../ai/connectors_ai_description.yaml | 159 +- .../ai/integration_ai_description.yaml | 11 + .../resources/ai/actions_ai_description.yaml | 217 +- .../ai/integration_ai_description.yaml | 8 + .../resources/ai/actions_ai_description.yaml | 1051 ++++---- .../ai/integration_ai_description.yaml | 14 +- .../resources/ai/actions_ai_description.yaml | 395 +-- .../ai/integration_ai_description.yaml | 10 + .../resources/ai/actions_ai_description.yaml | 59 +- .../ai/integration_ai_description.yaml | 11 +- .../resources/ai/jobs_ai_description.yaml | 150 +- .../resources/ai/actions_ai_description.yaml | 568 +++-- .../ai/connectors_ai_description.yaml | 101 +- .../ai/integration_ai_description.yaml | 13 +- .../resources/ai/actions_ai_description.yaml | 1463 +++++------ .../ai/connectors_ai_description.yaml | 295 +-- .../ai/integration_ai_description.yaml | 14 +- .../resources/ai/actions_ai_description.yaml | 873 +++---- .../ai/integration_ai_description.yaml | 16 +- .../resources/ai/actions_ai_description.yaml | 2169 ++++++++-------- .../ai/integration_ai_description.yaml | 10 + .../resources/ai/actions_ai_description.yaml | 709 +++--- .../ai/integration_ai_description.yaml | 12 + .../resources/ai/actions_ai_description.yaml | 245 +- .../ai/integration_ai_description.yaml | 12 +- .../resources/ai/actions_ai_description.yaml | 343 ++- .../ai/integration_ai_description.yaml | 11 + .../resources/ai/actions_ai_description.yaml | 135 +- .../ai/connectors_ai_description.yaml | 95 +- .../ai/integration_ai_description.yaml | 13 +- .../resources/ai/actions_ai_description.yaml | 222 +- .../ai/integration_ai_description.yaml | 8 + .../resources/ai/actions_ai_description.yaml | 372 +-- .../ai/integration_ai_description.yaml | 11 + .../resources/ai/actions_ai_description.yaml | 398 +-- .../ai/integration_ai_description.yaml | 13 +- 252 files changed, 31535 insertions(+), 25322 deletions(-) diff --git a/content/response_integrations/google/cyber_x/resources/ai/actions_ai_description.yaml b/content/response_integrations/google/cyber_x/resources/ai/actions_ai_description.yaml index ad5d01d72..9ca379498 100644 --- a/content/response_integrations/google/cyber_x/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/google/cyber_x/resources/ai/actions_ai_description.yaml @@ -13,6 +13,10 @@ Enrich Endpoints: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves device metadata (e.g., device details) from CyberX and + attaches it to the entity. This matches the 'Enrich Asset' category. It does + not perform threat intelligence lookups (Enrich IOC) or other operations. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -28,39 +32,44 @@ Enrich Endpoints: update_identity: false update_ticket: false ai_description: >- - Enriches Hostname and Address entities using CyberX. This action retrieves detailed - device information from the CyberX platform to provide context about endpoints - within the network, such as OS, device type, and other metadata. + ### General Description + Enriches Hostname and Address entities using the CyberX platform. This action + retrieves detailed device information, such as device metadata, from CyberX to + provide context about endpoints within the network. It helps analysts understand + the nature of the devices involved in an alert by populating entity properties + and adding a data table to the entity. - ### Flow Description: - 1. **Authentication**: Initializes the CyberX manager using the API Root and Access - Token provided in the integration configuration. + ### Parameters Description - 2. **Entity Filtering**: Identifies all Address (IP) and Hostname entities within - the current scope. + | Parameter Name | Description | Type | Mandatory | - 3. **Data Retrieval**: For each identified entity, the action queries the CyberX - API (fetching all devices and filtering locally) to find a matching device record - by IP or Hostname. + | :--- | :--- | :--- | :--- | - 4. **Enrichment**: If a device is found, the action adds a data table to the entity - containing the raw device information and updates the entity's additional properties - with the retrieved data, prefixed with 'CX_'. + | None | This action does not have any specific input parameters; it relies on + the integration's global configuration. | N/A | N/A | - ### Parameters Description: + ### Flow Description - | Parameter Name | Description | Type | Mandatory | + 1. **Authentication**: Initializes the CyberX manager using the API Root and Access + Token provided in the integration configuration. - | :--- | :--- | :--- | :--- | + 2. **Entity Filtering**: Iterates through the `target_entities` and filters for + entities of type `ADDRESS` (IP) and `HOSTNAME`. - | None | This action does not have any specific input parameters; it relies on - the integration's global configuration. | N/A | N/A | + 3. **Data Retrieval**: For each valid entity, the action queries the CyberX API + to find a matching device record using either the IP address or the hostname. + + 4. **Enrichment**: If a device record is found, the action: + * Adds a data table to the entity containing the raw device information. + * Updates the entity's `additional_properties` with the retrieved data, prefixed + with 'CX_'. + 5. **Completion**: Returns a success message indicating which entities were enriched. - ### Additional Notes: + ### Additional Notes * This action performs a lookup against all devices known to the CyberX instance. If a large number of devices exist, performance may be impacted by the underlying @@ -75,10 +84,18 @@ Enrich Endpoints: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action updates entity additional properties with retrieved device metadata - and adds a data table to the entity for visualization. + Updates entity additional properties and adds an entity table with device information. + reasoning: >- + The action fetches device data from CyberX based on IP or Hostname. It updates + the entity's additional properties and adds a data table to the entity. It does + not mutate external systems. The internal mutation (updating entity properties) + is permitted for enrichment actions. categories: enrichment: true + reasoning: >- + The action fetches data from an external source (CyberX) and updates internal + entity properties. It does not mutate external systems. This fits the definition + of an enrichment action. entity_usage: entity_types: - ADDRESS @@ -96,6 +113,9 @@ Enrich Endpoints: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and filters for `ADDRESS` + and `HOSTNAME` types explicitly. Get Alerts: action_product_categories: add_alert_comment: false @@ -111,6 +131,10 @@ Get Alerts: enrich_ioc: false execute_command_on_the_host: false get_alert_information: true + reasoning: >- + The action fetches a list of alerts from the CyberX platform. This matches the + 'Get Alert Information' category as it retrieves alert data from the 3rd party + product. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -126,22 +150,22 @@ Get Alerts: update_identity: false update_ticket: false ai_description: >- - ### General Description The **Get Alerts** action retrieves a comprehensive list + ### General Description\nThe **Get Alerts** action retrieves a comprehensive list of all security alerts currently detected by the CyberX XSense platform. This action provides visibility into external security events by pulling them into - the Google SecOps environment for analysis and reporting. ### Parameters Description - No parameters are required for this action. It utilizes the global integration - configuration (API Root and Access Token) to authenticate and communicate with - the CyberX API. ### Flow Description 1. **Initialization**: The action initializes - the CyberX manager using the provided API credentials and SSL settings. 2. **Data - Retrieval**: It executes a GET request to the `/api/v1/alerts` endpoint to fetch - the full list of alerts from the CyberX instance. 3. **Data Processing**: If alerts - are found, the action flattens the JSON response and formats it into a CSV-compatible - structure. 4. **Output Generation**: A data table titled 'Result Alerts' is added - to the action results for display in the SOAR UI. The raw JSON data of all alerts - is returned as the script result. An output message is generated stating the total - number of alerts retrieved. ### Additional Notes This is a global retrieval action - and does not operate on specific entities within a case. + the Google SecOps environment for analysis and reporting.\n\n### Parameters Description\nThere + are no input parameters for this action. It utilizes the global integration configuration + (API Root and Access Token) to authenticate and communicate with the CyberX API.\n\n### + Flow Description\n1. **Initialization**: The action initializes the CyberX manager + using the provided API credentials and SSL settings.\n2. **Data Retrieval**: It + executes a GET request to the `/api/v1/alerts` endpoint to fetch the full list + of alerts from the CyberX instance.\n3. **Data Processing**: If alerts are found, + the action flattens the JSON response and formats it into a CSV-compatible structure.\n4. + **Output Generation**: \n * A data table titled 'Result ALerts' is added to + the action results for display in the SOAR UI.\n * The raw JSON data of all + alerts is returned as the script result.\n * An output message is generated + stating the total number of alerts retrieved.\n\n### Additional Notes\nThis is + a global retrieval action and does not operate on specific entities within a case. capabilities: can_create_case_comments: false can_create_insight: false @@ -152,8 +176,18 @@ Get Alerts: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve alerts from the CyberX API. It + does not modify any external systems or internal SOAR data (entities, insights, + or case comments). It simply returns the retrieved data as a table and JSON + result. categories: enrichment: false + reasoning: >- + The action is a global retrieval task that fetches a list of alerts. It does + not enrich specific entities or alerts, nor does it perform any allowed internal + mutations (like creating insights or adding comments). Therefore, it is not + classified as an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -169,6 +203,9 @@ Get Alerts: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or filter any entities. It is a global retrieval + action. Get Connections for Endpoint: action_product_categories: add_alert_comment: false @@ -184,10 +221,15 @@ Get Connections for Endpoint: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves network connections for a device, which provides contextual + metadata about the asset, matching 'Enrich Asset'. It also performs a lookup + to find the device ID in CyberX, which matches 'Search Asset'. It does not perform + any IOC enrichment, alert updates, or containment actions. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false - search_asset: false + search_asset: true search_email: false search_events: false send_email: false @@ -199,27 +241,23 @@ Get Connections for Endpoint: update_identity: false update_ticket: false ai_description: >- + ### General Description + The **Get Connections for Endpoint** action retrieves a comprehensive list of network connections associated with specific devices from the CyberX platform. - It supports both IP Address (ADDRESS) and Hostname (HOSTNAME) entities. This action - is primarily used for visibility and forensic investigation, allowing analysts - to see which other assets or external addresses a device has communicated with. - The retrieved data is presented as a table attached to the entity within the case. + This action is designed for visibility and forensic investigation, allowing analysts + to identify which other assets or external addresses a device has communicated + with. The retrieved connection data is presented as an entity table attached to + the respective entity within the Google SecOps case. ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | N/A | N/A | N/A | This action does not have any input parameters. | + There are no input parameters for this action. ### Additional Notes - * The action first resolves the entity to a CyberX Device ID before fetching connection data. @@ -229,7 +267,6 @@ Get Connections for Endpoint: ### Flow Description - 1. **Entity Filtering:** The action identifies all `ADDRESS` and `HOSTNAME` entities in the current context. @@ -249,12 +286,23 @@ Get Connections for Endpoint: can_modify_alert_data: false can_mutate_external_data: false can_mutate_internal_data: false - can_update_entities: false + can_update_entities: true external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs GET requests to the CyberX API to retrieve network connection + data for specific devices. It does not perform any POST, PUT, or DELETE operations + on external systems, so it does not mutate external data. It updates the entity + profile by adding an entity table, which is a standard enrichment operation + and not considered a destructive internal mutation. categories: enrichment: true + reasoning: >- + The action is designed to fetch contextual data (network connections) about + an asset (device) and present it within the SOAR platform. It does not mutate + external systems, nor does it perform unauthorized internal mutations. It fits + the criteria for an enrichment action. entity_usage: entity_types: - ADDRESS @@ -272,6 +320,10 @@ Get Connections for Endpoint: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and filters them using a + list comprehension that checks if `entity.entity_type` is either `ADDRESS` or + `HOSTNAME`. Therefore, it explicitly filters by entity type. Get Device Vulnerability Report: action_product_categories: add_alert_comment: false @@ -287,6 +339,10 @@ Get Device Vulnerability Report: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves vulnerability reports for assets, which provides contextual + metadata about the device. This matches the 'Enrich Asset' category. It does + not perform IOC enrichment, alert updates, or containment actions. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -313,7 +369,7 @@ Get Device Vulnerability Report: ### Parameters Description - There are no additional parameters for this action. + There are no parameters for this action. ### Flow Description @@ -341,13 +397,21 @@ Get Device Vulnerability Report: can_modify_alert_data: false can_mutate_external_data: false can_mutate_internal_data: true - can_update_entities: false + can_update_entities: true external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Adds a vulnerability report as an entity table to the enriched entities. + Adds an entity table containing vulnerability report data to the entity. + reasoning: >- + The action fetches data from an external API (CyberX) to retrieve vulnerability + reports. It does not mutate external systems. It modifies internal data by adding + an entity table to the relevant entities in the Google SecOps interface. categories: enrichment: true + reasoning: >- + The action fetches vulnerability data from an external source and enriches the + entity with this information via an entity table. It does not mutate external + systems and adheres to the constraints for enrichment actions. entity_usage: entity_types: - ADDRESS @@ -365,6 +429,9 @@ Get Device Vulnerability Report: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and filters them based on + `entity.entity_type` to include only `ADDRESS` and `HOSTNAME` types. Get Events: action_product_categories: add_alert_comment: false @@ -380,6 +447,10 @@ Get Events: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action fetches a list of events from the CyberX API. This directly aligns + with the 'Search Events' category, which is defined as returning a collection + of historical logs or telemetry data. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -395,23 +466,44 @@ Get Events: update_identity: false update_ticket: false ai_description: >- - ### General Description\nThe **Get Events** action retrieves a comprehensive list - of events reported to the CyberX event log. This action is designed to provide - visibility into system activities and historical logs within the CyberX platform, - facilitating auditing and monitoring workflows.\n\n### Parameters Description\n| - Parameter Name | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- - |\n| N/A | N/A | N/A | This action does not require any input parameters. |\n\n### - Additional Notes\n- This action is a global fetch operation and does not target - specific entities within a case.\n- The retrieved events are automatically flattened - and presented in a data table for easier analysis.\n\n### Flow Description\n1. - **Connection**: The action establishes a connection to the CyberX API using the - configured API Root and Access Token.\n2. **Data Retrieval**: It performs a GET - request to the `/api/v1/events` endpoint to fetch all available event logs.\n3. - **Data Transformation**: The resulting event data is processed and flattened using - utility functions to ensure compatibility with tabular displays.\n4. **Reporting**: - If events are found, they are added to a data table titled 'Result Events'.\n5. - **Completion**: The action concludes by providing a summary message of the number - of events found and returning the raw JSON data. + ### General Description + + The **Get Events** action retrieves a comprehensive list of events reported to + the CyberX event log. This action is designed to provide visibility into system + activities and historical logs within the CyberX platform, facilitating auditing + and monitoring workflows. + + + ### Parameters Description + + There are no parameters required for this action. + + + ### Additional Notes + + - This action is a global fetch operation and does not target specific entities + within a case. + + - The retrieved events are automatically flattened and presented in a data table + for easier analysis. + + + ### Flow Description + + 1. **Connection**: The action establishes a connection to the CyberX API using + the configured API Root and Access Token. + + 2. **Data Retrieval**: It performs a GET request to the `/api/v1/events` endpoint + to fetch all available event logs. + + 3. **Data Transformation**: The resulting event data is processed and flattened + using utility functions to ensure compatibility with tabular displays. + + 4. **Reporting**: If events are found, they are added to a data table titled 'Result + Events'. + + 5. **Completion**: The action concludes by providing a summary message of the + number of events found and returning the raw JSON data. capabilities: can_create_case_comments: false can_create_insight: false @@ -422,8 +514,17 @@ Get Events: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the CyberX API to retrieve event logs. + It does not modify any external systems (no POST/PUT/DELETE). It does not modify + internal SOAR case data (entities, insights, or comments), but rather outputs + the retrieved data into a result table for the analyst to review. categories: enrichment: false + reasoning: >- + The action is a data retrieval operation (Search Events) rather than an enrichment + action. It does not target specific entities or alerts to provide supplemental + context, which is the primary requirement for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -439,6 +540,9 @@ Get Events: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or process any target entities. It performs + a global fetch of events from the CyberX API. Ping: action_product_categories: add_alert_comment: false @@ -454,6 +558,11 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a diagnostic connectivity test (Ping) and does not perform any + of the defined operational tasks such as enrichment, ticketing, containment, + or alert management. Therefore, it does not match any of the provided product + categories. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -514,8 +623,15 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the CyberX API to verify connectivity. + It does not mutate external or internal data, nor does it update entities or + create insights. It is a diagnostic tool. categories: enrichment: false + reasoning: >- + The action is named 'Ping'. According to the instructions, actions named 'Ping' + must not be categorized as enrichment actions, even if they fetch data. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -531,3 +647,6 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not reference `target_entities` or perform any operations on + entities. It is a global connectivity test. diff --git a/content/response_integrations/google/cyber_x/resources/ai/integration_ai_description.yaml b/content/response_integrations/google/cyber_x/resources/ai/integration_ai_description.yaml index 18fead5ae..2159d6ae3 100644 --- a/content/response_integrations/google/cyber_x/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/google/cyber_x/resources/ai/integration_ai_description.yaml @@ -6,7 +6,18 @@ product_categories: email_security: false iam_and_identity_management: false itsm: false - network_security: true + network_security: false + reasoning: >- + The 'cyber_x' integration is an OT/ICS security platform focused on asset discovery + and monitoring. It qualifies for the SIEM category because it retrieves alerts + and events from the CyberX platform, providing visibility into security activity. + It qualifies for the Asset Inventory category as it performs asset discovery and + enriches entities with device metadata. It qualifies for the Vulnerability Management + category because it includes an action to retrieve device vulnerability reports + and CVE information. It does not qualify for EDR (no process-level activity), + Network Security (no blocking or firewall log retrieval), Threat Intelligence + (no reputation lookups), Email Security, IAM, Cloud Security, ITSM, or Collaboration, + as it lacks the specific functional requirements for those domains. siem: true threat_intelligence: false vulnerability_management: true diff --git a/content/response_integrations/google/juniper_vsrx/resources/ai/actions_ai_description.yaml b/content/response_integrations/google/juniper_vsrx/resources/ai/actions_ai_description.yaml index 51903d198..1ee823e1f 100644 --- a/content/response_integrations/google/juniper_vsrx/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/google/juniper_vsrx/resources/ai/actions_ai_description.yaml @@ -2,7 +2,7 @@ Add IP To Address Set: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false - add_ioc_to_blocklist: false + add_ioc_to_blocklist: true contain_host: false create_ticket: false delete_email: false @@ -13,6 +13,12 @@ Add IP To Address Set: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action modifies the configuration of an external Juniper VSRX device by + adding an IP address to a specific address set. This is a security control update, + which aligns with the 'Add IOC To Blocklist' category, as address sets are typically + used in firewall policies to control traffic. It does not fetch data, so it + is not enrichment. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -28,13 +34,36 @@ Add IP To Address Set: update_identity: false update_ticket: false ai_description: >- + ### General Description + Adds IP address entities to a specified address set on a Juniper VSRX device. - This action allows for the organization of network addresses into sets, which - can then be used in security policies. It supports adding addresses to either - a global address book or a specific security zone's address book. + This action facilitates network security policy management by grouping IP addresses + into sets, which can then be utilized in security policies. It supports adding + addresses to either a global address book or a specific security zone's address + book. + + + ### Parameters Description + + | Parameter Name | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Address Set Name | string | True | The name of the address set where the IP + addresses should be added. | + + | Zone Name | string | False | The name of the security zone. If provided, the + address record and set update will be scoped to this specific zone; otherwise, + the global address book is used. | + + + ### Additional Notes + + - This action performs a configuration commit on the device, which may affect + other pending changes on the Juniper VSRX if not managed carefully. - ### Flow Description: + ### Flow Description 1. **Configuration Retrieval:** Fetches connection details (Address, Port, Username, Password) for the Juniper VSRX device. @@ -53,26 +82,6 @@ Add IP To Address Set: 6. **Commit Changes:** Executes a configuration commit on the Juniper VSRX to persist the changes. - - - ### Parameters Description: - - | Parameter Name | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Address Set Name | string | True | The name of the address set where the IP - addresses should be added. | - - | Zone Name | string | False | The name of the security zone. If provided, the - address record and set update will be scoped to this specific zone; otherwise, - the global address book is used. | - - - ### Additional Notes: - - - This action performs a configuration commit on the device, which may affect - other pending changes on the Juniper VSRX if not managed carefully. capabilities: can_create_case_comments: false can_create_insight: false @@ -81,12 +90,21 @@ Add IP To Address Set: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates address records and updates address sets on the Juniper VSRX device, - followed by a configuration commit. + Adds an IP address to a specified address set on the Juniper VSRX device and + commits the configuration changes. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action interacts with an external Juniper VSRX device to modify its configuration + (adding an IP to an address set). It does not fetch data from the device, nor + does it modify internal SOAR data (entities, insights, or case comments). Therefore, + it is a pure external mutation action. categories: enrichment: false + reasoning: >- + The action is not an enrichment action because it does not fetch data; instead, + it performs a state-changing operation (mutation) on an external system (Juniper + VSRX). entity_usage: entity_types: - ADDRESS @@ -103,6 +121,10 @@ Add IP To Address Set: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and filters using `entity.entity_type + == EntityTypes.ADDRESS`. This means it targets ADDRESS entities, filtering by + entity_type. Ping: action_product_categories: add_alert_comment: false @@ -118,6 +140,10 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity check (Ping) and does not perform any of the defined + functional operations such as enrichment, containment, ticket management, or + alert modification. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -181,8 +207,16 @@ Ping: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity probe (`device.probe()`) to verify the health + of the integration connection. It does not fetch data, mutate external systems, + or modify internal SOAR data. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action. Per the instructions, 'Actions named Ping must + not be categorized as enrichment actions.' Therefore, it is not an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -198,6 +232,9 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not reference `target_entities` or any entity-specific identifiers. + It operates independently of any entities. Remove IP From Address Set: action_product_categories: add_alert_comment: false @@ -213,6 +250,9 @@ Remove IP From Address Set: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action removes an IP address from an address set on a firewall/security + device. This aligns with the 'Remove IOC From Blocklist' category. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: true reset_identity_password: false @@ -228,8 +268,10 @@ Remove IP From Address Set: update_identity: false update_ticket: false ai_description: >- - Removes IP Address entities from a specified address set on a Juniper VSRX device. - This action is typically used to reverse a previous blocking or containment action + ### General Description + + Removes an IP address from a specified address set on a Juniper VSRX device. This + action is typically used to reverse a previous blocking or containment action by removing the IP from a restricted address group. @@ -242,8 +284,7 @@ Remove IP From Address Set: current scope. 3. **Record Identification:** For each IP address, it queries the Juniper VSRX - device using an RPC call to find the specific internal record name associated - with that IP. + device to find the specific internal record name associated with that IP. 4. **Configuration Staging:** It loads deletion commands into the device's configuration buffer to remove the address record and its association with the specified address @@ -281,12 +322,19 @@ Remove IP From Address Set: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Removes address records and their associations from address sets on the Juniper - VSRX device and commits the configuration changes. + Removes an IP address from an address set on the Juniper VSRX device. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action interacts with an external Juniper VSRX device to remove an IP address + from an address set. It performs a GET request to retrieve the configuration + (to find the record name) and then performs configuration changes (DELETE and + COMMIT). It does not modify internal SOAR data. categories: enrichment: false + reasoning: >- + The action mutates external data (removes an IP from a blocklist/address set), + therefore it is not an enrichment action. entity_usage: entity_types: - ADDRESS @@ -303,3 +351,6 @@ Remove IP From Address Set: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over `siemplify.target_entities` and filters for entities + of type `ADDRESS`. diff --git a/content/response_integrations/google/juniper_vsrx/resources/ai/integration_ai_description.yaml b/content/response_integrations/google/juniper_vsrx/resources/ai/integration_ai_description.yaml index b927e7b41..e47c07516 100644 --- a/content/response_integrations/google/juniper_vsrx/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/google/juniper_vsrx/resources/ai/integration_ai_description.yaml @@ -7,6 +7,15 @@ product_categories: iam_and_identity_management: false itsm: false network_security: true + reasoning: >- + The Juniper vSRX integration is a Next-Generation Firewall (NGFW) appliance. Its + primary capabilities, as demonstrated by the 'Add IP To Address Set' and 'Remove + IP From Address Set' actions, involve managing network security policies by modifying + address sets on the firewall device. This directly aligns with the 'Network Security' + category, which is defined for integrations that allow agents to block malicious + IPs at the gateway. The integration does not perform SIEM log analysis, EDR host-level + containment, threat intelligence enrichment, or any of the other specialized functions + (IAM, ITSM, etc.) defined in the categories. siem: false threat_intelligence: false vulnerability_management: false diff --git a/content/response_integrations/google/mc_afee_nsm/resources/ai/actions_ai_description.yaml b/content/response_integrations/google/mc_afee_nsm/resources/ai/actions_ai_description.yaml index 55bd89f49..70addd776 100644 --- a/content/response_integrations/google/mc_afee_nsm/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/google/mc_afee_nsm/resources/ai/actions_ai_description.yaml @@ -3,7 +3,7 @@ Block IP: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: true - contain_host: true + contain_host: false create_ticket: false delete_email: false disable_identity: false @@ -13,6 +13,10 @@ Block IP: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action blocks an IP address on a firewall (McAfee NSM). This directly aligns + with the 'Add IOC To Blocklist' category. It does not perform host containment + (EDR isolation), ticket management, or enrichment. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -28,17 +32,19 @@ Block IP: update_identity: false update_ticket: false ai_description: >- - Blocks IP address entities in McAfee Network Security Manager (NSM). The action - interacts with the NSM API to manage firewall rule objects and policies. It checks - if an IP is already blocked; if not, it either appends the IP to an existing 'Siemplify' - rule object or creates a new one if capacity is reached. Finally, it pushes the - configuration changes to the specified sensors to enforce the block. + ### General Description + + Blocks IP address entities in McAfee Network Security Manager (NSM). This action + interacts with the NSM API to manage firewall rule objects and policies, ensuring + that malicious or suspicious IP addresses are restricted. It automates the process + of checking existing block rules, creating new rule objects if necessary, and + pushing configuration changes to the specified sensors to enforce the block. - ### Flow Description: + ### Flow Description - 1. **Authentication:** Establishes a session with McAfee NSM using provided credentials - and retrieves a session token. + 1. **Authentication:** Establishes a session with McAfee NSM using the provided + credentials and retrieves a session token. 2. **Entity Filtering:** Identifies all IP Address entities (ADDRESS) within the action scope. @@ -54,18 +60,22 @@ Block IP: 5. **Cleanup:** Logs out of the NSM session. - ### Parameters Description: + ### Parameters Description + + There are no direct input parameters for this action. It relies on the integration's + global configuration settings: + | Parameter Name | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | None | N/A | N/A | This action does not take direct input parameters; it relies + | N/A | N/A | N/A | This action does not take direct input parameters; it relies on the integration's global configuration (API Root, Credentials, Policy Name, and Sensor List). | - ### Additional Notes: + ### Additional Notes * The action is designed to work with a dedicated firewall policy name specified in the integration configuration. @@ -80,12 +90,22 @@ Block IP: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates or updates firewall rule objects in McAfee NSM and triggers a configuration - push to network sensors to enforce the block. + The action modifies firewall policies and rule objects in McAfee NSM to block + specific IP addresses. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a check to see if an IP is already blocked (GET request), + which constitutes fetching data. It then performs POST/PUT requests to create + or update rule objects and update firewall policies in McAfee NSM, which constitutes + external data mutation. It does not modify internal SOAR case data, update entities, + create insights, or modify alert data. categories: enrichment: false + reasoning: >- + The action is a containment/blocking action, not an enrichment action. It does + not meet the criteria for enrichment as it primarily mutates external system + state and does not return contextual metadata for the entity. entity_usage: entity_types: - ADDRESS @@ -102,6 +122,9 @@ Block IP: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and filters using `entity.entity_type + == ADDRESS`. It does not apply any other filters. Get Alert Info Data: action_product_categories: add_alert_comment: false @@ -117,6 +140,10 @@ Get Alert Info Data: enrich_ioc: false execute_command_on_the_host: false get_alert_information: true + reasoning: >- + The action fetches alert details from the McAfee NSM product, which directly + matches the 'Get Alert Information' category. It does not perform any other + operations like blocking, ticketing, or updating alerts. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -135,9 +162,9 @@ Get Alert Info Data: ### General Description Retrieves detailed information for a specific alert from McAfee Network Security - Manager (NSM) using the Alert ID and Sensor Name. This action is useful for analysts - who need to fetch the full context of an alert recorded in NSM to assist in investigation - and response within Google SecOps. + Manager (NSM) using the provided Alert ID and Sensor Name. This action is designed + to assist analysts in gathering full context for an alert recorded in NSM to support + investigation and response workflows within Google SecOps. ### Parameters Description @@ -157,7 +184,7 @@ Get Alert Info Data: ### Flow Description 1. **Initialize Connection**: Establishes a session with the McAfee NSM manager - using provided credentials. + using the configured credentials. 2. **Resolve Sensor ID**: Looks up the internal Sensor ID corresponding to the provided `Sensor Name`. @@ -166,13 +193,15 @@ Get Alert Info Data: full alert details using the `Alert ID` and the resolved `Sensor ID`. 4. **Process Results**: If data is found, it is formatted as a JSON table and - added to the case. The raw JSON data is also attached to the action result. + added to the action result. The raw JSON data is also attached to the action result + for further use. ### Additional Notes This action does not iterate over or process Google SecOps entities; it operates - strictly based on the provided string parameters. + strictly based on the provided string parameters. It is a read-only operation + that fetches data from the external McAfee NSM system. capabilities: can_create_case_comments: false can_create_insight: false @@ -183,8 +212,17 @@ Get Alert Info Data: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the McAfee NSM API to retrieve alert details. + It does not perform any write operations on external systems (can_mutate_external_data=false). + It does not modify internal SOAR case data, entities, or insights; it only outputs + the retrieved data as a result table (can_mutate_internal_data=false). categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches data from an external source (McAfee NSM) to provide context + for an investigation. It does not mutate external systems or internal SOAR data. + Therefore, it qualifies as an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -200,6 +238,9 @@ Get Alert Info Data: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with Google SecOps entities. It relies solely on + the 'Alert ID' and 'Sensor Name' parameters provided by the user. Is IP Blocked: action_product_categories: add_alert_comment: false @@ -212,9 +253,13 @@ Is IP Blocked: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: false + enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action checks the block status of an IP address in McAfee NSM. This provides + context about the indicator's reputation/status, which aligns with 'Enrich IOC'. + It does not modify the firewall, so it is not a block/unblock action. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -240,17 +285,13 @@ Is IP Blocked: ### Parameters Description - | Parameter | Description | Type | Mandatory | - - | :--- | :--- | :--- | :--- | - - | None | This action does not require any input parameters. | N/A | N/A | + This action does not require any input parameters. It uses the global integration + configuration to connect to the McAfee NSM instance. ### Flow Description - 1. **Authentication**: Connects to the McAfee NSM API using the global integration - credentials and establishes a session. + 1. **Authentication**: Connects to the McAfee NSM API and establishes a session. 2. **Entity Identification**: Filters the case entities to identify all `ADDRESS` (IP) types. @@ -281,8 +322,16 @@ Is IP Blocked: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action queries the McAfee NSM API to determine if an IP address is currently + blocked. It does not modify any external firewall configurations or internal + SOAR data. It is a read-only diagnostic action. categories: enrichment: true + reasoning: >- + The action fetches data (block status) from an external system (McAfee NSM) + without modifying any external or internal state. This qualifies as an enrichment + action. entity_usage: entity_types: - ADDRESS @@ -299,6 +348,9 @@ Is IP Blocked: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and filters them using `entity.entity_type + == ADDRESS`. Ping: action_product_categories: add_alert_comment: false @@ -314,6 +366,10 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a diagnostic connectivity test and does not perform any of the + defined security operations such as enrichment, blocking, ticketing, or alert + management. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -328,36 +384,47 @@ Ping: update_email: false update_identity: false update_ticket: false - ai_description: "### General Description\\nThe **Ping** action is a diagnostic utility\ + ai_description: "### General Description\nThe **Ping** action is a diagnostic utility\ \ designed to verify the connectivity between Google SecOps and the McAfee Network\ \ Security Manager (NSM) instance. Its primary purpose is to ensure that the integration's\ \ configuration parameters\u2014such as the API Root, credentials, and Domain\ - \ ID\u2014are correct and that the NSM service is reachable over the network.\\\ - n\\n### Parameters Description\\nThis action does not require any additional input\ - \ parameters. It relies entirely on the global integration configuration.\\n\\\ - n### Flow Description\\n1. **Configuration Retrieval**: The action fetches the\ - \ integration's configuration, including the API Root, Username, Password, and\ - \ Domain ID.\\n2. **Authentication**: It initializes the `NsmManager`, which triggers\ - \ a login request to the NSM `session` endpoint to obtain an authentication token.\\\ - n3. **Session Termination**: Immediately after a successful login, the action\ - \ calls the `logout` method to close the session on the NSM server.\\n4. **Result\ - \ Reporting**: If the login and logout sequence completes without exceptions,\ - \ the action ends with a success message: \"Connection Established.\"\\n\\n###\ - \ Additional Notes\\n* This action is strictly for connectivity testing and does\ - \ not perform any security operations or data retrieval.\\n* As per standard conventions,\ - \ this action is not classified as an enrichment action." + \ ID\u2014are correct and that the NSM service is reachable over the network.\n\ + \n### Parameters Description\nThere are no parameters for this action. It relies\ + \ entirely on the global integration configuration.\n\n### Flow Description\n\ + 1. **Configuration Retrieval**: The action fetches the integration's configuration,\ + \ including the API Root, Username, Password, and Domain ID.\n2. **Authentication**:\ + \ It initializes the `NsmManager`, which triggers a login request to the NSM `session`\ + \ endpoint to obtain an authentication token.\n3. **Session Termination**: Immediately\ + \ after a successful login, the action calls the `logout` method to close the\ + \ session on the NSM server.\n4. **Result Reporting**: If the login and logout\ + \ sequence completes without exceptions, the action ends with a success message:\ + \ \"Connection Established.\"\n\n### Additional Notes\n* This action is strictly\ + \ for connectivity testing and does not perform any security operations or data\ + \ retrieval.\n* As per standard conventions, this action is not classified as\ + \ an enrichment action." capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false - can_mutate_external_data: false + can_mutate_external_data: true can_mutate_internal_data: false can_update_entities: false - external_data_mutation_explanation: null - fetches_data: false + external_data_mutation_explanation: >- + Terminates the authentication session on the McAfee NSM server. + fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity test by initiating a session (GET request) + and immediately terminating it (DELETE request) with the McAfee NSM API. While + it interacts with the API, it does not fetch contextual data for entities or + perform security operations. The session termination is a mutation of the external + session state. categories: enrichment: false + reasoning: >- + The action is a diagnostic 'Ping' utility. Per the instructions, Ping actions + are explicitly excluded from being categorized as enrichment actions. It does + not perform any data retrieval or security operations. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -373,6 +440,8 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not process any entities. It is a global diagnostic tool. Quarantine IP: action_product_categories: add_alert_comment: false @@ -388,6 +457,10 @@ Quarantine IP: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action performs a quarantine operation on an IP address via McAfee NSM, + which is a form of network isolation. This aligns with the 'Contain Host' category, + as it restricts the network activity of the target host. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -458,12 +531,21 @@ Quarantine IP: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Triggers a quarantine command on McAfee NSM sensors to isolate the specified - IP address, restricting its network activity. - fetches_data: true + Sends a POST request to the McAfee NSM API to quarantine the specified IP address + on the configured sensors. + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the McAfee NSM API to quarantine an IP + address, which constitutes an external data mutation. It does not fetch contextual + data about the entities, nor does it modify internal SOAR data (entities, insights, + or comments). categories: enrichment: false + reasoning: >- + The action is a containment/mutation action, not an enrichment action. It does + not fetch data to enrich the entity, but rather performs an action to isolate + it. entity_usage: entity_types: - ADDRESS @@ -480,6 +562,9 @@ Quarantine IP: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and explicitly filters for + entities where `entity.entity_type == ADDRESS`. Unblock IP: action_product_categories: add_alert_comment: false @@ -495,6 +580,10 @@ Unblock IP: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action removes an IP address from a firewall policy in McAfee NSM, which + directly matches the 'Remove IOC From Blocklist' category. It does not perform + enrichment, containment, or other listed actions. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: true reset_identity_password: false @@ -504,54 +593,55 @@ Unblock IP: send_email: false send_message: false submit_file: false - uncontain_host: true + uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false ai_description: >- + ### General Description + Unblocks IP address entities in McAfee Network Security Manager (NSM). This action identifies the firewall rule objects associated with the target IP addresses within a specific policy, removes the IP entries, and then triggers a configuration deployment - to the managed sensors to enforce the changes. + to the managed sensors to enforce the changes. This action is used to restore + network connectivity for previously blocked IP addresses. - ### Flow Description: + ### Parameters Description - 1. **Initialization**: Connects to the McAfee NSM instance using provided credentials - and configuration (API Root, Domain ID, Policy Name, and Sensor List) from the - integration settings. + | Parameter Name | Description | Type | Mandatory | - 2. **Entity Filtering**: Identifies all IP Address entities within the current - context (target entities). + | --- | --- | --- | --- | - 3. **IP Release**: For each identified IP, the action searches for the corresponding - rule object in the NSM policy. If found, it either removes the IP from the rule - object or deletes the rule object entirely if it contains no other addresses. + | None | This action does not have any specific action parameters; it relies on + the integration's global configuration. | N/A | No | - 4. **Deployment**: After processing all entities, it initiates a 'Deploy Changes' - command to push the updated firewall configuration to the specified sensors. - 5. **Cleanup**: Logs out of the NSM session to ensure security. + ### Additional Notes + - This action requires a pre-configured 'Siemplify Policy Name' and a list of + 'Sensors Names' in the integration settings to function correctly. - ### Parameters Description: + - The action performs a state change on the external firewall system. - | Parameter Name | Description | Type | Mandatory | - | --- | --- | --- | --- | + ### Flow Description - | None | This action does not have any specific action parameters; it relies on - the integration's global configuration. | N/A | No | + 1. **Initialization**: Connects to the McAfee NSM instance using provided credentials + and configuration (API Root, Domain ID, Policy Name, and Sensor List). + 2. **Entity Filtering**: Identifies all IP Address entities within the current + context. - ### Additional Notes: + 3. **IP Release**: For each identified IP, the action searches for the corresponding + rule object in the NSM policy. If found, it either removes the IP from the rule + object or deletes the rule object entirely if it contains no other addresses. - - This action requires a pre-configured 'Siemplify Policy Name' and a list of - 'Sensors Names' in the integration settings to function correctly. + 4. **Deployment**: After processing all entities, it initiates a 'Deploy Changes' + command to push the updated firewall configuration to the specified sensors. - - The action performs a state change on the external firewall system by modifying - rule objects and deploying configurations. + 5. **Cleanup**: Logs out of the NSM session. capabilities: can_create_case_comments: false can_create_insight: false @@ -560,12 +650,21 @@ Unblock IP: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Removes IP addresses from firewall rule objects and triggers a configuration - deployment to McAfee NSM sensors. - fetches_data: false + Removes the IP address from the firewall policy rule object in McAfee NSM and + deploys the updated configuration to the sensors. + fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action interacts with the McAfee NSM API to remove an IP address from a + firewall policy. It performs a PUT or DELETE operation on the external system + to modify firewall rules and then triggers a deployment, which constitutes external + data mutation. It fetches data to locate the rule object before modifying it. categories: enrichment: false + reasoning: >- + The action performs a mutation on an external system (McAfee NSM) to remove + an IP from a blocklist. It is not an enrichment action as it changes the state + of the external firewall. entity_usage: entity_types: - ADDRESS @@ -582,3 +681,6 @@ Unblock IP: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and filters for entities + of type `ADDRESS`. diff --git a/content/response_integrations/google/mc_afee_nsm/resources/ai/integration_ai_description.yaml b/content/response_integrations/google/mc_afee_nsm/resources/ai/integration_ai_description.yaml index b927e7b41..88f48bdde 100644 --- a/content/response_integrations/google/mc_afee_nsm/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/google/mc_afee_nsm/resources/ai/integration_ai_description.yaml @@ -7,6 +7,15 @@ product_categories: iam_and_identity_management: false itsm: false network_security: true + reasoning: >- + The McAfee Network Security Platform (NSM) integration is primarily focused on + network security operations. It provides actions to block and unblock IP addresses + on the firewall/IPS and to retrieve alert information from the NSM system. These + capabilities align directly with the Network Security category, which involves + managing firewall/WAF rules and blocking malicious traffic at the gateway. The + integration does not provide general SIEM log searching, EDR host-level process + analysis, or external threat intelligence feeds, and therefore does not qualify + for those categories. siem: false threat_intelligence: false vulnerability_management: false diff --git a/content/response_integrations/google/micro_focus_itsma/resources/ai/actions_ai_description.yaml b/content/response_integrations/google/micro_focus_itsma/resources/ai/actions_ai_description.yaml index a9ca3c512..c3ffb4e17 100644 --- a/content/response_integrations/google/micro_focus_itsma/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/google/micro_focus_itsma/resources/ai/actions_ai_description.yaml @@ -13,6 +13,10 @@ Create Incident: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action generates a new record in an external ITSM (MicroFocus ITSMA) and + returns the Ticket ID. This directly matches the 'Create Ticket' category. It + does not perform any other operations like enrichment, alert updates, or containment. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -28,27 +32,13 @@ Create Incident: update_identity: false update_ticket: false ai_description: >- - Creates a new incident in MicroFocus ITSMA. This action allows users to programmatically - generate incident records by providing key details such as the display label, - description, impact scope, urgency, and service category. It interacts with the - MicroFocus ITSMA API via a POST request and returns the unique identifier of the - newly created incident. - - - ### Flow Description - - 1. **Initialization**: The action initializes the MicroFocus ITSMA manager using - the provided integration configuration (API Root, Credentials, Tenant ID, etc.). - - 2. **Parameter Extraction**: It retrieves the mandatory input parameters: Display - Label, Description, Impact Scope, Urgency, and Service ID. - - 3. **API Interaction**: The action sends a POST request to the MicroFocus ITSMA - 'ces' endpoint with a payload containing the incident properties and external - system metadata. + ### General Description - 4. **Result Handling**: If successful, the action extracts the Incident ID from - the API response and returns it as the script result. + Creates a new incident in the MicroFocus ITSMA system. This action allows users + to programmatically generate incident records by providing key details such as + the display label, description, impact scope, urgency, and service category. It + interacts with the MicroFocus ITSMA API via a POST request and returns the unique + identifier of the newly created incident. ### Parameters Description @@ -79,6 +69,22 @@ Create Incident: - The 'External System' and 'External ID' used in the payload are derived from the integration's configuration settings. + + + ### Flow Description + + 1. **Initialization**: The action initializes the MicroFocus ITSMA manager using + the provided integration configuration (API Root, Credentials, Tenant ID, etc.). + + 2. **Parameter Extraction**: It retrieves the mandatory input parameters: Display + Label, Description, Impact Scope, Urgency, and Service ID. + + 3. **API Interaction**: The action sends a POST request to the MicroFocus ITSMA + 'ces' endpoint with a payload containing the incident properties and external + system metadata. + + 4. **Result Handling**: If successful, the action extracts the Incident ID from + the API response and returns it as the script result. capabilities: can_create_case_comments: false can_create_insight: false @@ -87,11 +93,19 @@ Create Incident: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new incident record in MicroFocus ITSMA with the provided details. + Creates a new incident record in the MicroFocus ITSMA system. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to an external API (MicroFocus ITSMA) to + create a new incident record. It does not fetch data, nor does it modify internal + Google SecOps data (entities, insights, or case comments). categories: enrichment: false + reasoning: >- + The action is a creation/mutation action, not an enrichment action. It does + not fetch data or perform any of the allowed internal mutations (insights, comments, + entity updates). entity_usage: entity_types: [] filters_by_additional_properties: false @@ -107,6 +121,9 @@ Create Incident: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with entities. It relies solely on input parameters + provided by the user. Ping: action_product_categories: add_alert_comment: false @@ -122,6 +139,10 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test (Ping) and does not perform any of the defined + functional operations like enriching IOCs, updating tickets, or modifying alerts. + Therefore, no product categories are applicable. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -182,8 +203,16 @@ Ping: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity test by attempting to authenticate with the + MicroFocus ITSMA API. It does not fetch contextual data about alerts or entities, + nor does it mutate any external or internal data. It is a diagnostic tool. categories: enrichment: false + reasoning: >- + The action is a 'Ping' diagnostic tool. According to the enrichment action rules, + actions named 'Ping' must not be categorized as enrichment actions. It does + not fetch data for entities or alerts. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -199,6 +228,9 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. The `SimulationDataJson` explicitly + defines an empty list of entities, and the code does not reference `target_entities`. Update Incident: action_product_categories: add_alert_comment: false @@ -214,6 +246,9 @@ Update Incident: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action updates an existing incident in an external ITSM system (MicroFocus + ITSMA), which matches the 'Update Ticket' category. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -292,12 +327,18 @@ Update Incident: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates incident attributes such as Display Label, Description, Impact Scope, - Urgency, and Service ID in the MicroFocus ITSMA system via a POST request. + Updates an existing incident in the MicroFocus ITSMA system. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to update an incident in an external ITSM + system (MicroFocus ITSMA). It does not fetch data from external sources, nor + does it modify internal SOAR entities, insights, or alert data. categories: enrichment: false + reasoning: >- + The action is not an enrichment action because it does not fetch data and it + mutates an external system. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -313,6 +354,9 @@ Update Incident: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with entities. It operates on a specific Incident + ID provided as a parameter. Update Incident External Status: action_product_categories: add_alert_comment: false @@ -328,6 +372,9 @@ Update Incident External Status: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action updates the status of an existing incident in an external ITSM system. + This matches the definition of 'Update Ticket'. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -385,12 +432,19 @@ Update Incident External Status: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the 'ExternalStatus' field of a specific incident in the Micro Focus - ITSMA platform via a POST request. + Updates the status of an incident in the Micro Focus ITSMA platform. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to update an incident's status in an external + system (Micro Focus ITSMA). It does not fetch data, nor does it modify internal + SecOps data or entities. categories: enrichment: false + reasoning: >- + The action performs a mutation on an external system (updating an incident status) + and does not retrieve data for enrichment. Therefore, it is not an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -406,3 +460,6 @@ Update Incident External Status: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use or iterate over `target_entities`. It operates independently + of entities, using only the provided input parameters. diff --git a/content/response_integrations/google/micro_focus_itsma/resources/ai/integration_ai_description.yaml b/content/response_integrations/google/micro_focus_itsma/resources/ai/integration_ai_description.yaml index faf1e267b..279708291 100644 --- a/content/response_integrations/google/micro_focus_itsma/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/google/micro_focus_itsma/resources/ai/integration_ai_description.yaml @@ -7,6 +7,13 @@ product_categories: iam_and_identity_management: false itsm: true network_security: false + reasoning: >- + The integration 'micro_focus_itsma' is designed for IT Service Management (ITSM). + Its primary actions include creating and updating incidents within the MicroFocus + ITSMA platform. This aligns directly with the ITSM category, which is used to + document investigations and assign tasks via ticket management. It does not perform + SIEM, EDR, Network Security, Threat Intelligence, Email Security, IAM, Cloud Security, + Vulnerability Management, Asset Inventory, or Collaboration functions. siem: false threat_intelligence: false vulnerability_management: false diff --git a/content/response_integrations/google/mobile_iron/resources/ai/actions_ai_description.yaml b/content/response_integrations/google/mobile_iron/resources/ai/actions_ai_description.yaml index 91575e8d6..fe0bd3c7a 100644 --- a/content/response_integrations/google/mobile_iron/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/google/mobile_iron/resources/ai/actions_ai_description.yaml @@ -13,6 +13,9 @@ Fetch System Information: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves contextual metadata (OS version, owner, etc.) for a device + based on an IP address. This aligns with the 'Enrich Asset' category. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -53,9 +56,8 @@ Fetch System Information: - The action specifically targets **ADDRESS** (IP Address) entities. - - If multiple devices are associated with the same IP (though rare in managed - environments), the action typically returns the first match found in the MobileIron - registry. + - If multiple devices are associated with the same IP, the action typically returns + the first match found in the MobileIron registry. - The results are presented as an entity-linked data table within the Google SecOps case wall. @@ -80,12 +82,21 @@ Fetch System Information: can_modify_alert_data: false can_mutate_external_data: false can_mutate_internal_data: false - can_update_entities: false + can_update_entities: true external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches device information from MobileIron using an IP address. It + does not modify external systems. It adds a data table to the entity in the + SOAR platform, which is an enrichment operation and does not constitute a state-changing + internal mutation. categories: enrichment: true + reasoning: >- + The action fetches data from an external system (MobileIron) and enriches the + entity with a data table. It does not mutate external systems or perform unauthorized + internal mutations. It fits the definition of an enrichment action. entity_usage: entity_types: - ADDRESS @@ -102,6 +113,9 @@ Fetch System Information: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and filters for `EntityTypes.ADDRESS` + to perform the lookup. Fetch System Information By UUID: action_product_categories: add_alert_comment: false @@ -117,6 +131,10 @@ Fetch System Information By UUID: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves contextual metadata (OS version, model, etc.) for a mobile + device, which aligns with the 'Enrich Asset' category. It does not perform IOC + enrichment, alert updates, or containment actions. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -132,10 +150,12 @@ Fetch System Information By UUID: update_identity: false update_ticket: false ai_description: >- + ### General Description + Fetches detailed system information for a specific mobile device using its Unique - Universal Identifier (UUID) via the MobileIron API. This action is used to retrieve - technical metadata about a device, such as OS version, model, and ownership details, - which is then presented in a structured data table within the action results. + Universal Identifier (UUID) via the MobileIron API. This action retrieves technical + metadata about a device, such as OS version, model, and ownership details, and + presents it in a structured data table within the case results. ### Parameters @@ -151,7 +171,7 @@ Fetch System Information By UUID: ### Flow Description 1. **Parameter Extraction:** The action retrieves the mandatory `Device UUID` - from the action parameters. + from the user input. 2. **API Initialization:** It initializes the MobileIron manager using the integration's configuration settings (API Root, credentials, etc.). @@ -174,8 +194,16 @@ Fetch System Information By UUID: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve device details from MobileIron. + It does not modify external systems or internal case data (other than adding + a result table, which is standard for reporting). categories: enrichment: true + reasoning: >- + The action fetches data (system information) and does not mutate external systems + or modify internal data (beyond adding a result table). It fits the definition + of an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -191,6 +219,10 @@ Fetch System Information By UUID: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action uses a parameter 'Device UUID' to fetch information. It does not + iterate over 'siemplify.target_entities' or use entity-specific identifiers + to perform its task. Therefore, it does not run on entities. List Devices: action_product_categories: add_alert_comment: false @@ -206,10 +238,15 @@ List Devices: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves a global inventory list of devices. It does not match the + expected outcomes for enrichment (which requires targeting specific entities), + alert updates, ticketing, or containment. It is a general information retrieval + action that does not fit into the provided specific product categories. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false - search_asset: true + search_asset: false search_email: false search_events: false send_email: false @@ -257,26 +294,29 @@ List Devices: 5. **Result Reporting**: The action adds a data table named 'Devices' to the SOAR case and returns the full device list as a JSON result. - - - ### Additional Notes - - This action does not target specific entities within the case; it fetches the - global list of devices from the MobileIron environment. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: >- - The action adds a data table named 'Devices' to the SOAR case containing the - flattened list of retrieved mobile devices. + internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve a list of devices from the MobileIron + API. It does not modify any external systems (no POST/PUT/DELETE). It reports + results by adding a data table to the SOAR case, which is a standard result + reporting mechanism and does not constitute a mutation of internal case data + (entities, insights, or comments). categories: enrichment: false + reasoning: >- + The action fetches a global list of devices from the MobileIron system. It does + not target specific entities within the case to gather supplemental context, + nor does it update entity profiles or create insights. Therefore, it does not + meet the criteria for an Enrichment Action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -292,6 +332,10 @@ List Devices: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or reference `target_entities`. It fetches + a global list of devices from the MobileIron environment regardless of the entities + present in the case. Ping: action_product_categories: add_alert_comment: false @@ -307,6 +351,10 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a diagnostic connectivity test ('Ping'). It does not perform any + of the listed operational tasks such as enrichment, containment, ticketing, + or alert management. Therefore, it does not match any of the defined categories. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -350,12 +398,6 @@ Ping: 5. **Final Result**: If the request is successful, it returns a 'Connection Established' message; otherwise, it reports a failure. - - - ### Additional Notes - - This action does not process any entities and is strictly for testing the integration - setup. capabilities: can_create_case_comments: false can_create_insight: false @@ -364,10 +406,17 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a simple connectivity check (GET request) to verify the + API is reachable. It does not retrieve entity context, modify external systems, + or update internal SOAR data. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action. Per the instructions, Ping actions are explicitly + excluded from being enrichment actions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -383,6 +432,9 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `target_entities` or use entity-specific identifiers. + It is a global connectivity test, so the `entity_types` list is empty. Unlock Device: action_product_categories: add_alert_comment: false @@ -398,6 +450,10 @@ Unlock Device: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action performs a device management operation (unlocking) on an external + system. It does not match the specific categories provided (e.g., it is not + network isolation, identity management, or ticket creation). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -407,7 +463,7 @@ Unlock Device: send_email: false send_message: false submit_file: false - uncontain_host: true + uncontain_host: false update_alert: false update_email: false update_identity: false @@ -423,20 +479,8 @@ Unlock Device: ### Parameters Description - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | N/A | N/A | N/A | This action does not have any input parameters. It relies - on the IP address entities provided in the context and the integration's global - configuration. | - - - ### Additional Notes - - This action requires the MobileIron integration to be properly configured with - an API Root, Username, Password, and Admin Device ID. It specifically targets - entities of type **ADDRESS** (IP Address). + There are no input parameters for this action. It relies on the IP address entities + provided in the context and the integration's global configuration. ### Flow Description @@ -445,7 +489,7 @@ Unlock Device: within the current SOAR context. 2. **Device Identification**: For each identified IP address, the action queries - the MobileIron API via a GET request to find the corresponding unique Device UUID. + the MobileIron API to find the corresponding unique Device UUID. 3. **Unlock Command**: Once the UUID is retrieved, the action sends a POST request to the MobileIron `Action` endpoint with the `UNLOCK_DEVICE_ONLY` command to trigger @@ -461,13 +505,19 @@ Unlock Device: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Sends a POST request to the MobileIron API to trigger the 'UNLOCK_DEVICE_ONLY' - command on the target mobile device, physically changing its state from locked - to unlocked. + Sends a POST request to the MobileIron API to unlock the specified mobile device. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches device information (UUID) from MobileIron (fetches_data=true) + and performs a POST request to unlock the device (can_mutate_external_data=true). + It does not modify internal SOAR data or entities. categories: enrichment: false + reasoning: >- + The action performs a mutation on an external system (unlocking a device) and + does not meet the criteria for an enrichment action, which must be read-only + regarding external systems. entity_usage: entity_types: - ADDRESS @@ -484,6 +534,9 @@ Unlock Device: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and filters them by `entity.entity_type + == EntityTypes.ADDRESS`. It does not apply other filters. Unlock Device by UUID: action_product_categories: add_alert_comment: false @@ -494,11 +547,16 @@ Unlock Device by UUID: delete_email: false disable_identity: false download_file: false - enable_identity: false + enable_identity: true enrich_asset: false enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action performs a POST request to unlock a device in MobileIron. This is + a remediation action that restores access to a device. This aligns with the + 'Enable Identity' category, which is defined as restoring authentication capabilities + and system access for a previously disabled account. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -508,18 +566,20 @@ Unlock Device by UUID: send_email: false send_message: false submit_file: false - uncontain_host: true + uncontain_host: false update_alert: false update_email: false update_identity: false update_ticket: false ai_description: >- + ### General Description + Unlocks a mobile device managed by MobileIron using its unique identifier (UUID). This action sends a command to the MobileIron server to remove the lock screen or restriction on the specified device, allowing the user to regain access. - ### Parameters + ### Parameters Description | Parameter | Type | Mandatory | Description | @@ -529,6 +589,13 @@ Unlock Device by UUID: device to be unlocked. | + ### Additional Notes + + This action requires a valid MobileIron integration configuration to be set up + in the Google SecOps environment. It performs a direct mutation on the external + MobileIron system. + + ### Flow Description 1. **Initialization**: Retrieves connection settings (API Root, Credentials, SSL @@ -550,12 +617,18 @@ Unlock Device by UUID: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Sends a command to the MobileIron server to remove the lock screen or restriction - on the specified mobile device, changing its operational state. + Sends a command to the MobileIron API to unlock the specified mobile device. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the MobileIron API to unlock a device. + It does not fetch data, nor does it modify internal SOAR data (entities, insights, + etc.). categories: enrichment: false + reasoning: >- + The action is a mutation action (unlocking a device) and does not fetch data + for enrichment. Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -571,3 +644,6 @@ Unlock Device by UUID: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action uses a parameter `Device UUID` provided by the user, not the `target_entities` + list from the SOAR platform. Therefore, it does not operate on entities. diff --git a/content/response_integrations/google/mobile_iron/resources/ai/integration_ai_description.yaml b/content/response_integrations/google/mobile_iron/resources/ai/integration_ai_description.yaml index b88dc4ab4..763138e9d 100644 --- a/content/response_integrations/google/mobile_iron/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/google/mobile_iron/resources/ai/integration_ai_description.yaml @@ -7,6 +7,16 @@ product_categories: iam_and_identity_management: false itsm: false network_security: false + reasoning: >- + The MobileIron integration provides Mobile Device Management (MDM) capabilities. + Its primary function is to provide visibility into mobile assets, including retrieving + device metadata (OS version, owner, compliance status) and listing managed devices, + which directly aligns with the 'Asset Inventory' category. While the integration + includes 'Unlock Device' actions, these are device-level remediation tasks rather + than user identity management (IAM) or host-level containment (EDR). It does not + perform log analysis (SIEM), network traffic blocking (Network Security), threat + intelligence enrichment, email security, cloud security, ITSM ticketing, vulnerability + management, or collaboration/notification tasks. siem: false threat_intelligence: false vulnerability_management: false diff --git a/content/response_integrations/google/portnox/resources/ai/actions_ai_description.yaml b/content/response_integrations/google/portnox/resources/ai/actions_ai_description.yaml index 184c5942c..53405d9ac 100644 --- a/content/response_integrations/google/portnox/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/google/portnox/resources/ai/actions_ai_description.yaml @@ -13,10 +13,15 @@ Enrich Device: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves contextual metadata (security status, location, hardware + info) for a device (IP/MAC). This matches the 'Enrich Asset' category. It does + not provide threat intelligence (reputation/prevalence) for an IOC, so it is + not 'Enrich IOC'. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false - search_asset: true + search_asset: false search_email: false search_events: false send_email: false @@ -78,10 +83,18 @@ Enrich Device: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates the entity's additional properties with flattened device metadata and - sets the 'is_enriched' attribute to true. + Updates entity `additional_properties` and `is_enriched` status. + reasoning: >- + The action queries the Portnox API to retrieve device information based on IP + or MAC address. It does not modify external systems (the POST request is a search + query). It updates internal entity properties (`additional_properties`) and + marks them as enriched in Google SecOps. categories: enrichment: true + reasoning: >- + The action fetches data from an external system (Portnox) to enrich entities. + It does not mutate external systems. It performs allowed internal mutations + (updating entity properties). Therefore, it is an enrichment action. entity_usage: entity_types: - ADDRESS @@ -99,6 +112,9 @@ Enrich Device: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and explicitly checks for + `EntityTypes.ADDRESS` and `EntityTypes.MACADDRESS` to perform the enrichment. Get Device History: action_product_categories: add_alert_comment: false @@ -114,10 +130,15 @@ Get Device History: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves historical activity logs for a device, which provides contextual + metadata about the asset. This aligns with the 'Enrich Asset' category. It does + not provide threat intelligence for an IOC (not 'Enrich IOC'), nor does it perform + any containment or ticket management actions. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false - search_asset: true + search_asset: false search_email: false search_events: false send_email: false @@ -183,10 +204,20 @@ Get Device History: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action updates the entities in Google SecOps to reflect that enrichment - has occurred and attaches a data table containing the retrieved device history. + The action updates entity objects and adds entity-specific data tables to the + case. + reasoning: >- + The action fetches device history data from the Portnox API (GET requests) and + performs a search (POST request) to identify the device ID. It does not mutate + external systems. It performs internal mutations by adding data tables to entities + and updating the entities themselves using the SOAR SDK. categories: enrichment: true + reasoning: >- + The action fetches data from an external source (Portnox) to provide context + for an investigation. It does not mutate external systems. It performs allowed + internal mutations (updating entities and adding data tables). Therefore, it + qualifies as an enrichment action. entity_usage: entity_types: - ADDRESS @@ -204,6 +235,9 @@ Get Device History: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and explicitly filters for + entities where the type is `ADDRESS` or `MACADDRESS`. Get Device Locations: action_product_categories: add_alert_comment: false @@ -219,6 +253,11 @@ Get Device Locations: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves contextual location metadata for a device (asset), which + matches 'Enrich Asset'. It also performs a search for the device in the Portnox + platform, matching 'Search Asset'. It does not provide threat intelligence (Enrich + IOC) or perform containment/blocking. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -238,46 +277,44 @@ Get Device Locations: The **Get Device Locations** action retrieves physical or logical location information for devices associated with IP Address or MAC Address entities from the Portnox - NAC platform. This action helps analysts identify where a specific device is connected + NAC platform. It helps analysts understand where a specific device is connected within the network infrastructure by providing details such as switch names, ports, or site locations. ### Parameters Description - This action does not have any user-configurable parameters. It utilizes the integration's - global configuration (API Root, Username, Password) and processes the entities - available in the current context. + There are no user-configurable parameters for this action. It relies on the integration's + global configuration (API Root, Username, Password) and the entities present in + the current context. ### Flow Description 1. **Entity Identification**: The action iterates through the target entities - in the case, specifically filtering for `ADDRESS` (IP) and `MacAddress` types. + in the case, specifically looking for `ADDRESS` (IP) and `MacAddress` types. - 2. **Device Search**: For each supported entity, it queries the Portnox API to - find a matching device record using the IP or MAC address as the search key via - a search query. + 2. **Device Search**: For each supported entity, it queries Portnox to find a + matching device record using the IP or MAC address as the search key. - 3. **Location Retrieval**: If a matching device is found, the action retrieves - its current location data from the Portnox `/locations` endpoint using the device's - unique ID. + 3. **Location Retrieval**: If a device is found, the action retrieves its current + location data from the Portnox API. 4. **Data Sanitization**: The retrieved location data is cleaned by removing internal - or irrelevant fields, such as `portIds`, to ensure the output is concise. + or irrelevant fields (e.g., `portIds`). 5. **Enrichment**: The location details are formatted into a CSV table and attached - to the specific entity as an entity table. Finally, the action updates the entities - within Google SecOps to reflect the enrichment. + to the entity within Google SecOps. The entity is then updated to reflect the + enrichment. ### Additional Notes - This action is strictly read-only regarding the Portnox system; it does not - modify device status or network access policies. + change device status or network access policies. - - If no device is found for a specific entity, that entity is skipped, and the - action continues processing others. + - If no device is found for a specific entity, that entity is skipped without + failing the entire action. capabilities: can_create_case_comments: false can_create_insight: false @@ -288,10 +325,18 @@ Get Device Locations: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entities and adds entity tables containing device location information - retrieved from Portnox. + Updates entity data in Google SecOps and adds a data table to the entity. + reasoning: >- + The action queries the Portnox API to retrieve location information for devices + identified by IP or MAC address. It does not modify external system state (the + POST request is a search query). It updates internal entity data in Google SecOps + and adds a data table to the entity. categories: enrichment: true + reasoning: >- + The action fetches data (location) from an external system (Portnox) and updates + internal entities without modifying external state. This fits the definition + of an enrichment action. entity_usage: entity_types: - ADDRESS @@ -309,6 +354,10 @@ Get Device Locations: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and checks `entity.entity_type` + against `EntityTypes.ADDRESS` and `EntityTypes.MACADDRESS`. It filters entities + based on their type. Get Installed Applications: action_product_categories: add_alert_comment: false @@ -324,6 +373,10 @@ Get Installed Applications: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action searches for a device (asset) in Portnox and retrieves its installed + applications, which is contextual metadata for an asset. This matches 'Enrich + Asset' and 'Search Asset'. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -371,25 +424,24 @@ Get Installed Applications: ### Flow Description 1. **Initialization**: The action initializes the Portnox manager using the provided - integration credentials (API Root, Username, Password, and SSL verification settings). + integration credentials. 2. **Entity Filtering**: It iterates through the target entities in the current - context, filtering for those of type **ADDRESS** (IP) and **MacAddress**. + context, filtering for IP Addresses and MAC Addresses. - 3. **Device Search**: For each valid entity, it performs a search in Portnox using - the IP or MAC Address as the key to find the unique device ID. + 3. **Device Search**: For each valid entity, it performs a search in Portnox (using + the IP or MAC Address as the key) to find the unique device ID. 4. **Data Retrieval**: Once a device is identified, the action calls the Portnox API to fetch the list of installed applications associated with that device ID. - 5. **Data Formatting**: The list of applications is converted into a CSV format - using the `construct_csv` utility. + 5. **Data Formatting**: The list of applications is converted into a CSV format. 6. **Internal Update**: The CSV data is added as an entity-specific table in the - SOAR platform, and the entities are updated to reflect the enrichment process. + SOAR, and the entities are updated to reflect the enrichment process. - 7. **Completion**: The action concludes by providing a summary message indicating - which entities were successfully enriched with application data. + 7. **Completion**: The action concludes by providing a summary message of which + entities were successfully enriched. capabilities: can_create_case_comments: false can_create_insight: false @@ -400,10 +452,16 @@ Get Installed Applications: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action adds a CSV table containing installed applications to the entity's - data and updates the entity objects within the Google SecOps platform. + Updates entities and adds entity tables with the retrieved application list. + reasoning: >- + The action fetches device application data from Portnox using IP or MAC address. + It does not change external system state. It updates internal SOAR entities + with the retrieved data using `add_entity_table` and `update_entities`. categories: enrichment: true + reasoning: >- + The action fetches data (enrichment) and adds it to the entity without modifying + external systems. It fits the definition of an enrichment action. entity_usage: entity_types: - ADDRESS @@ -421,6 +479,9 @@ Get Installed Applications: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and filters for `ADDRESS` + and `MacAddress` types to perform the lookup. Get Open Ports: action_product_categories: add_alert_comment: false @@ -436,6 +497,11 @@ Get Open Ports: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves open ports for a device, which is contextual metadata for + an asset, matching 'Enrich Asset'. It also performs a search for the device + in the product, matching 'Search Asset'. It does not match other categories + like IOC enrichment, ticket creation, or containment. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -461,21 +527,19 @@ Get Open Ports: ### Flow Description 1. **Initialization**: Connects to the Portnox API using the provided credentials - and configuration (API Root, Username, Password). + and configuration. 2. **Device Search**: For each IP Address or MAC Address entity, the action queries - the Portnox `/devices` endpoint to find a matching device record and retrieve - its unique `deviceId`. + Portnox to find a matching device record. 3. **Port Retrieval**: If a device is found, the action requests the list of open - ports from the `/devices/{deviceId}/details/openports` endpoint. + ports associated with that device's ID. 4. **Data Presentation**: Converts the retrieved port data into a CSV format and - attaches it as an entity-specific data table to the entity in the Google SecOps - case. + attaches it as an entity table to the specific entity in the case. 5. **Entity Update**: Marks the entities as enriched and updates their status - within the platform. + within the Google SecOps platform. ### Parameters Description @@ -486,11 +550,8 @@ Get Open Ports: ### Additional Notes - - If multiple devices match a search query in Portnox, the action selects the - first device returned by the API. - - - If no open ports are found for an entity, no table is added for that specific - entity. + This action is designed to enrich asset information by querying the Portnox NAC. + It does not perform any destructive actions or state changes on the external system. capabilities: can_create_case_comments: false can_create_insight: false @@ -501,10 +562,20 @@ Get Open Ports: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entities to mark them as enriched and adds entity-specific data tables - containing the list of open ports retrieved from Portnox. + Updates entity status and adds an entity table to the case. + reasoning: >- + The action fetches data from the Portnox API (fetches_data=true) to retrieve + open ports for a device. It does not mutate external data (can_mutate_external_data=false) + as it only performs search and GET requests. It performs internal mutations + by updating entities and adding an entity table (can_mutate_internal_data=true, + can_update_entities=true). It does not create insights, modify alert data, or + create case comments. categories: enrichment: true + reasoning: >- + The action is an enrichment action because it fetches contextual data (open + ports) about an asset from an external system (Portnox) and updates the entity + within the SOAR platform without modifying any external system state. entity_usage: entity_types: - ADDRESS @@ -522,6 +593,9 @@ Get Open Ports: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over `siemplify.target_entities` and filters them based + on their type, specifically supporting 'ADDRESS' and 'MacAddress' entities. Get Services: action_product_categories: add_alert_comment: false @@ -537,10 +611,14 @@ Get Services: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action searches for a device (asset) in the Portnox system and retrieves + its services, which constitutes contextual metadata. This matches the 'Enrich + Asset' and 'Search Asset' categories. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false - search_asset: false + search_asset: true search_email: false search_events: false send_email: false @@ -572,12 +650,11 @@ Get Services: (`MacAddress`) types. 2. **Device Search**: For each valid entity, it queries the Portnox API to find - a matching device record using the IP or MAC address as the search key via a POST - request to the `/devices` endpoint. + a matching device record using the IP or MAC address as the search key. 3. **Service Retrieval**: If a device is successfully identified, the action makes - a follow-up GET request to Portnox to retrieve the full list of services associated - with that specific device ID from the `/details/services` endpoint. + a follow-up request to Portnox to retrieve the full list of services associated + with that specific device ID. 4. **Data Presentation**: The retrieved service list is converted into a CSV format and attached to the entity as an 'Entity Table' for easy review within the Google @@ -595,10 +672,19 @@ Get Services: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entities to reflect enrichment and adds an entity table containing the - list of services retrieved from Portnox. + The action updates the entity within Google SecOps and adds an entity table + containing the retrieved service information. + reasoning: >- + The action fetches device service information from Portnox by searching for + devices via IP or MAC address. It then attaches this information to the entity + as a table and updates the entity. It does not modify external systems, making + it a read-only operation regarding external state. categories: enrichment: true + reasoning: >- + The action fetches data (services) to enrich the entity's context. It does not + mutate external systems and only performs allowed internal mutations (updating + entities and adding an entity table). This fits the enrichment criteria. entity_usage: entity_types: - ADDRESS @@ -616,6 +702,9 @@ Get Services: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and explicitly filters by + `EntityTypes.ADDRESS` and `EntityTypes.MACADDRESS` to perform the device search. Get User History: action_product_categories: add_alert_comment: false @@ -631,10 +720,15 @@ Get User History: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves contextual metadata (user history) for a resource (device), + which matches 'Enrich Asset'. It also performs a search for the asset within + the product, matching 'Search Asset'. It does not perform IOC enrichment, alert + updates, or containment actions. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false - search_asset: false + search_asset: true search_email: false search_events: false send_email: false @@ -664,30 +758,27 @@ Get User History: This action performs a two-step process: first, it searches for the device in Portnox to obtain an internal device ID, and then it fetches the user history associated with that ID. The results are attached directly to the entity as a - data table. If no history is found or the device is not located in Portnox, the - action will complete without enriching that specific entity. + data table. ### Flow Description - 1. **Identify Entities**: The action iterates through the target entities and - filters for those of type `ADDRESS` (IP) or `MacAddress`. + 1. **Identify Entities**: The action filters the target entities to find those + of type `ADDRESS` (IP) or `MacAddress`. - 2. **Device Search**: For each valid entity, it queries the Portnox API using - a POST request to find a matching device record and retrieve its unique internal - ID. + 2. **Device Search**: For each valid entity, it queries the Portnox API to find + a matching device record. - 3. **Fetch History**: If a device is found, the action performs a GET request - to retrieve the user authentication history associated with that device ID. + 3. **Fetch History**: If a device is found, the action retrieves its user authentication + history using the Portnox device ID. - 4. **Data Formatting**: The retrieved history list is converted into a CSV format - using the `construct_csv` utility. + 4. **Data Formatting**: The retrieved history is converted into a CSV format. 5. **Enrichment**: The CSV data is attached to the entity as a data table named "[Identifier] - User History". - 6. **Update**: The action updates the entities in Google SecOps to persist the - newly attached data tables. + 6. **Update**: The action updates the entities in Google SecOps to save the newly + attached data tables. capabilities: can_create_case_comments: false can_create_insight: false @@ -698,10 +789,21 @@ Get User History: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action attaches data tables containing authentication history to the entities - and updates the entity objects within the Google SecOps platform. + The action updates entities in Google SecOps by attaching a data table containing + the retrieved user history. + reasoning: >- + The action fetches user authentication history from the Portnox API (fetches_data=true). + It does not mutate external systems (search_device is a read-only query). It + performs internal mutations by updating entities with new data tables (can_mutate_internal_data=true, + can_update_entities=true). It does not create insights, modify alert data, or + create case comments. categories: enrichment: true + reasoning: >- + The action is designed to gather supplemental context (user history) about entities + (devices). It does not mutate external systems and only performs allowed internal + mutations (updating entities). Therefore, it is classified as an enrichment + action. entity_usage: entity_types: - ADDRESS @@ -719,6 +821,10 @@ Get User History: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and explicitly checks for + `EntityTypes.ADDRESS` and `EntityTypes.MACADDRESS`. It does not apply any other + filters. Ping: action_product_categories: add_alert_comment: false @@ -734,6 +840,9 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a diagnostic test to verify connectivity. It does not perform + any of the listed functional outcomes (enrichment, containment, ticketing, etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -789,8 +898,16 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to verify connectivity to the Portnox API. + It does not modify external or internal data, nor does it update entities or + create insights. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action. Per the instructions, 'Actions named Ping must + not be categorized as enrichment actions.' Therefore, it is not an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -806,6 +923,9 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use any entities, as indicated by the empty `SimulationDataJson` + and the lack of entity processing in the code. Revalidate Device: action_product_categories: add_alert_comment: false @@ -821,6 +941,12 @@ Revalidate Device: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action triggers a policy revalidation on a device in the Portnox NAC system. + This is a remediation/management action. It does not fit the specific categories + provided (e.g., it is not 'Contain Host' as it does not isolate the device, + nor is it an 'Update Identity' or 'Enrich' action). Therefore, no specific category + is selected. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -839,9 +965,9 @@ Revalidate Device: ### General Description The **Revalidate Device** action triggers a policy revalidation for a specific - device within the Portnox Network Access Control (NAC) system. This is used to - force a device to undergo a fresh security posture check or authentication cycle - to ensure it complies with current network policies. + device within the Portnox Network Access Control (NAC) system. This action is + used to force a device to undergo a fresh security posture check or authentication + cycle to ensure it complies with current network policies. ### Parameters Description @@ -857,13 +983,13 @@ Revalidate Device: ### Flow Description 1. **Initialization**: The action connects to the Portnox API using the provided - credentials (API Root, Username, Password) and SSL configuration. + credentials and configuration. - 2. **Trigger Revalidation**: It sends a POST request to the Portnox endpoint `/devices/actions/revalidation` - to initiate the revalidation process for the specified `DeviceId`. + 2. **Trigger Revalidation**: It sends a POST request to the Portnox endpoint to + initiate the revalidation process for the specified `DeviceId`. 3. **Status Polling**: The action enters a polling loop, calling the device information - endpoint `/devices/{deviceId}` to monitor the `securityStatus` of the device. + endpoint to monitor the `securityStatus` of the device. 4. **Completion**: It waits until the device status reaches 'AuthorizationPassed' or a timeout occurs. Once the status is confirmed, the action completes with a @@ -885,13 +1011,20 @@ Revalidate Device: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Triggers a policy revalidation process for a specific device in Portnox NAC, - which initiates a fresh security posture check or authentication cycle on the - network access control system. + Triggers a policy revalidation for a device in the Portnox NAC system. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to trigger a revalidation process in the + external Portnox NAC system (external mutation). It also performs GET requests + to poll the device status (fetches data). It does not interact with internal + SOAR entities or modify internal case data. categories: enrichment: false + reasoning: >- + The action performs a mutation on an external system (Portnox NAC) and does + not meet the criteria for an enrichment action, which must be read-only regarding + external systems. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -907,6 +1040,9 @@ Revalidate Device: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on SOAR entities. It accepts a `DeviceId` as a direct + input parameter and does not iterate over `target_entities`. Revalidate Device By Address: action_product_categories: add_alert_comment: false @@ -922,10 +1058,14 @@ Revalidate Device By Address: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action triggers a revalidation of a device's NAC policy in Portnox. This + does not fit the specific categories provided (e.g., it is not blocking, isolating, + or updating an alert). It is a control action on a NAC system. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false - search_asset: true + search_asset: false search_email: false search_events: false send_email: false @@ -987,12 +1127,21 @@ Revalidate Device By Address: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Triggers a re-authentication and validation cycle for the device in the Portnox - NAC system. + Triggers a re-evaluation of the network access control (NAC) policy for the + device in the Portnox system. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action interacts with the Portnox API to search for devices and trigger + a revalidation process. This involves both GET requests (searching/polling) + and POST requests (triggering revalidation). Triggering revalidation is a state + change in the external Portnox system. It does not modify internal SOAR data + (entities, insights, etc.). categories: enrichment: false + reasoning: >- + The action mutates external data (triggers revalidation), so it is not an enrichment + action. entity_usage: entity_types: - ADDRESS @@ -1010,3 +1159,6 @@ Revalidate Device By Address: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and explicitly checks `entity.entity_type` + for `ADDRESS` and `MACADDRESS` types. diff --git a/content/response_integrations/google/portnox/resources/ai/integration_ai_description.yaml b/content/response_integrations/google/portnox/resources/ai/integration_ai_description.yaml index 5dd92530c..9bf2b0fdf 100644 --- a/content/response_integrations/google/portnox/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/google/portnox/resources/ai/integration_ai_description.yaml @@ -2,11 +2,24 @@ product_categories: asset_inventory: true cloud_security: false collaboration: false - edr: true + edr: false email_security: false - iam_and_identity_management: true + iam_and_identity_management: false itsm: false - network_security: true + network_security: false + reasoning: >- + The Portnox integration is a Network Access Control (NAC) solution that provides + visibility into network-connected devices. Its primary capabilities, as demonstrated + by the actions, are to provide deep contextual metadata about internal assets. + Actions such as 'Enrich Device', 'Get Device Locations', 'Get Installed Applications', + 'Get Services', and 'Get Open Ports' provide detailed information about assets, + which directly aligns with the 'Asset Inventory' category. Additionally, the 'Get + Device History' and 'Get User History' actions allow analysts to investigate activity + related to assets and users, which aligns with the 'SIEM' category's purpose of + investigating activity. The integration does not perform EDR functions (process-level + visibility), threat intelligence (reputation), or firewall/WAF management (Network + Security). While it performs NAC policy revalidation, this does not equate to + the firewall/WAF blocking capabilities defined in the Network Security category. siem: true threat_intelligence: false - vulnerability_management: true + vulnerability_management: false diff --git a/content/response_integrations/google/reversinglabs_a1000/resources/ai/actions_ai_description.yaml b/content/response_integrations/google/reversinglabs_a1000/resources/ai/actions_ai_description.yaml index 82e25b46d..c5fa1e708 100644 --- a/content/response_integrations/google/reversinglabs_a1000/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/google/reversinglabs_a1000/resources/ai/actions_ai_description.yaml @@ -13,6 +13,10 @@ Delete Sample: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action deletes samples from the A1000 appliance. This is a destructive mutation + of external data. It does not match any of the predefined categories like Enrichment, + Ticket management, Alert management, or Host containment. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -28,35 +32,20 @@ Delete Sample: update_identity: false update_ticket: false ai_description: >- - ### General Description - - The **Delete Sample** action allows analysts to remove specific file samples and - all their associated metadata from a ReversingLabs A1000 appliance. This action + ### General Description\nThe **Delete Sample** action removes specific file samples + and their associated metadata from the ReversingLabs A1000 appliance. This action is primarily used for data management, privacy compliance, or clearing out unwanted - analysis data from the appliance. - - - ### Parameters Description - - There are no user-configurable parameters for this action. It automatically processes - all `FILEHASH` entities identified in the current context. - - - ### Flow Description - - 1. **Authentication**: The action establishes a connection to the ReversingLabs - A1000 appliance using the API Root, Username, and Password provided in the integration - configuration. - - 2. **Entity Identification**: The script iterates through the target entities - in the SOAR case, specifically filtering for those of type `FILEHASH`. - - 3. **Deletion Execution**: For each identified file hash, the action sends a `DELETE` - request to the A1000 API endpoint (`/api/samples/{hash}/`). - - 4. **Status Reporting**: The action tracks successful deletions (based on HTTP - 200 responses) and returns a summary message listing the hashes that were successfully - removed from the appliance. + analysis data from the appliance.\n\n### Parameters Description\nThere are no + user-configurable parameters for this action. It automatically processes all `FILEHASH` + entities identified in the current context.\n\n### Flow Description\n1. **Authentication**: + The action establishes a connection to the ReversingLabs A1000 appliance using + the API Root, Username, and Password provided in the integration configuration.\n2. + **Entity Identification**: The script iterates through the target entities in + the SOAR case, specifically filtering for those of type `FILEHASH`.\n3. **Deletion + Execution**: For each identified file hash, the action sends a `DELETE` request + to the A1000 API endpoint (`/api/samples/{hash}/`).\n4. **Status Reporting**: + The action tracks successful deletions (based on HTTP 200 responses) and returns + a summary message listing the hashes that were successfully removed from the appliance. capabilities: can_create_case_comments: false can_create_insight: false @@ -65,12 +54,18 @@ Delete Sample: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Deletes file samples and their associated metadata from the ReversingLabs A1000 - appliance via a DELETE request to the API. + Deletes file samples and associated metadata from the ReversingLabs A1000 appliance. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a `DELETE` request to an external system (A1000 appliance) + to remove data. It does not fetch data, nor does it modify internal SOAR case + data (entities, insights, or comments). categories: enrichment: false + reasoning: >- + The action does not fetch data (it performs a deletion), so it is not an enrichment + action. entity_usage: entity_types: - FILEHASH @@ -87,6 +82,9 @@ Delete Sample: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over `siemplify.target_entities` and filters specifically + for `FILEHASH` entities using `if entity.entity_type == FILEHASH`. Get Report: action_product_categories: add_alert_comment: false @@ -102,6 +100,10 @@ Get Report: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves threat intelligence (reputation, threat level, status) + for file hashes, which directly matches the 'Enrich IOC' category. It does not + perform any other actions like blocking, ticketing, or alert management. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -130,27 +132,33 @@ Get Report: \ data tables attached to the case for each hash.\n\n### Flow Description\n1.\ \ **Entity Identification**: The action scans the current context for entities\ \ of type `FILEHASH`.\n2. **Data Retrieval**: It sends a list of these hashes\ - \ to the ReversingLabs A1000 `api/samples/list/` endpoint to fetch classification\ - \ metadata.\n3. **Context Enrichment**: For every hash found in the response,\ - \ the action extracts key fields including `threat_status`, `threat_level`, `threat_name`,\ - \ and `trust_factor`.\n4. **Output Generation**: \n * A data table containing\ - \ the flattened report is created for each hash and attached to the case.\n \ - \ * The full response dictionary is provided as a JSON result for further playbook\ - \ processing." + \ to the ReversingLabs A1000 `api/samples/list/` endpoint.\n3. **Context Enrichment**:\ + \ For every hash found, the action extracts key fields including `threat_status`,\ + \ `threat_level`, `threat_name`, and `trust_factor`.\n4. **Output Generation**:\ + \ \n * A data table is created for each hash and attached to the case.\n \ + \ * The full response is provided as a JSON result for further playbook processing." capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: >- - Adds data tables containing the malware analysis reports to the case for each - processed file hash. + internal_data_mutation_explanation: null + reasoning: >- + The action fetches data from the ReversingLabs A1000 API using a POST request + to retrieve reports for file hashes. It does not mutate external systems (no + block/delete/update actions). It does not mutate internal SOAR data (no entity + updates, insights, or comments). It simply outputs the retrieved data as tables + and JSON results. categories: enrichment: true + reasoning: >- + The action is an enrichment action because it fetches data from an external + source (ReversingLabs A1000) to provide context for file hashes. It does not + modify any external or internal state. entity_usage: entity_types: - FILEHASH @@ -167,6 +175,9 @@ Get Report: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and filters for `FILEHASH` + types. It does not filter by any other properties. Get Scan Status: action_product_categories: add_alert_comment: false @@ -182,6 +193,11 @@ Get Scan Status: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves the processing status of file hashes from an external malware + analysis platform. This provides intelligence about the file's analysis state, + which aligns with the 'Enrich IOC' category. It does not perform any other actions + like updating alerts, creating tickets, or modifying security controls. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -201,7 +217,8 @@ Get Scan Status: Retrieves the processing status of file hash entities from the ReversingLabs A1000 Malware Analysis platform. This action allows analysts to check if submitted samples - have finished analysis or are still being processed by the appliance. + have finished analysis or are still being processed, providing visibility into + the malware analysis lifecycle. ### Parameters Description @@ -216,41 +233,50 @@ Get Scan Status: ### Additional Notes - * This action uses a POST request to the `/api/samples/status/` endpoint to perform - a bulk lookup of hash statuses. + * This action performs a bulk lookup of hash statuses using a POST request to + the `/api/samples/status/` endpoint of the A1000 API. - * If no status information is returned for the provided hashes, the action will - complete with a failure status. + * The action is designed to process `FILEHASH` entities. If no status information + is returned for the provided hashes, the action will complete with a failure status. ### Flow Description - 1. **Entity Collection**: The action identifies all `FILEHASH` entities within - the current scope. + 1. **Entity Collection**: The action iterates through the `target_entities` in + the current SOAR case and identifies all entities of type `FILEHASH`. 2. **Status Query**: It sends a bulk request to the ReversingLabs A1000 API using the collected hash values to retrieve their current processing status. - 3. **Data Processing**: The response is parsed to map each hash to its specific + 3. **Data Processing**: The API response is parsed to map each hash to its specific status (e.g., 'processed', 'uploading', 'analyzing'). 4. **Output Generation**: The action generates a data table named 'Scan Status:' - for the case wall and provides a JSON result containing the status mapping for - downstream playbook logic. + for the action result and provides a JSON result containing the status mapping + for downstream playbook logic. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: >- - Adds a data table named 'Scan Status:' to the case wall containing the processing - status of the hashes. + internal_data_mutation_explanation: null + reasoning: >- + The action fetches data from an external system (ReversingLabs A1000) to retrieve + the status of file hashes. It does not mutate external data (it is a read-only + query operation). It does not mutate internal SOAR data (it does not update + entities, create insights, or modify alerts; it only adds a data table and JSON + result to the action output). categories: - enrichment: false + enrichment: true + reasoning: >- + The action is an enrichment action because it proactively fetches supplemental + context (processing status) for entities (file hashes) from an external source. + It does not mutate external systems, and it does not modify existing internal + SOAR data (it only adds reporting data to the action result). entity_usage: entity_types: - FILEHASH @@ -267,6 +293,9 @@ Get Scan Status: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and explicitly filters for + entities where `entity.entity_type == FILEHASH`. Ping: action_product_categories: add_alert_comment: false @@ -282,6 +311,10 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a diagnostic tool used to verify connectivity to the ReversingLabs + A1000 API. It does not perform any of the defined operational tasks such as + enrichment, containment, or ticket management. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -302,8 +335,7 @@ Ping: The **Ping** action is a diagnostic tool used to verify the connectivity between the Google SecOps platform and the **ReversingLabs A1000 Malware Analysis Appliance**. It ensures that the integration is correctly configured and that the provided - credentials (Username and Password) have the necessary permissions to interact - with the A1000 API. + credentials have the necessary permissions to interact with the A1000 API. ### Parameters Description @@ -313,21 +345,17 @@ Ping: ### Flow Description - 1. **Configuration Retrieval**: The action starts by fetching the integration's - configuration, including the API Root, Username, and Password. + 1. **Configuration Retrieval**: The action retrieves the API Root, Username, and + Password from the integration configuration. 2. **Client Initialization**: It initializes the `A1000MalwareAnalysisClient` - using the retrieved configuration. - - 3. **Authentication**: The client attempts to authenticate with the A1000 server - to obtain an authorization token. + with the provided credentials. - 4. **Connectivity Test**: The action performs a status check for a predefined - test hash (`526e57077b938b3c3dbce56f8aaaa7be`) to confirm the API is responsive - and the token is valid. + 3. **Connectivity Test**: The action executes a connectivity test by querying + the status of a predefined test hash. - 5. **Completion**: If all steps succeed, the action returns a 'Connected Successfully' - message. + 4. **Completion**: If the API responds successfully, the action returns a 'Connected + Successfully' message. ### Additional Notes @@ -344,8 +372,16 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity test by making a POST request to the A1000 + API to check the status of a test hash. It does not mutate external or internal + data, nor does it update entities or create insights. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action, which is explicitly excluded from being an enrichment + action per the instructions. Additionally, it does not perform any data enrichment + or state modification. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -361,6 +397,9 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. It performs a global connectivity + test against the ReversingLabs A1000 API. Upload File: action_product_categories: add_alert_comment: false @@ -376,6 +415,11 @@ Upload File: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action uploads a file to the ReversingLabs A1000 appliance for analysis + and retrieves the report. This directly aligns with the 'Submit File' category, + which involves uploading a sample to an analysis engine and returning a behavior + report. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -394,10 +438,9 @@ Upload File: ### General Description Uploads a file to the ReversingLabs A1000 appliance for automated malware analysis. - This action is designed to submit a local file to the A1000 system, monitor its - processing status until completion, and then retrieve a comprehensive analysis - report. The report includes critical security metadata such as threat levels, - status, and classification details. + This action submits a local file to the A1000 system, monitors its processing + status until completion, and retrieves a comprehensive analysis report containing + critical security metadata such as threat levels, status, and classification details. ### Parameters Description @@ -442,12 +485,21 @@ Upload File: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Uploads a file to the ReversingLabs A1000 appliance for analysis, creating a - new analysis record on the system. + Uploads a file to the ReversingLabs A1000 appliance for malware analysis. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to upload a file to the A1000 appliance, + which constitutes an external mutation. It subsequently polls for status and + performs a GET request to retrieve the analysis report, meaning it fetches data. + It does not modify internal SOAR data (entities, insights, or case comments). categories: enrichment: false + reasoning: >- + The action performs an external mutation by uploading a file to the A1000 appliance. + According to the enrichment definition, an action is only classified as 'Enrichment' + if it does not create, update, or delete data in any external platform. Therefore, + this action is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -463,3 +515,7 @@ Upload File: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on entities. It takes a file path as a parameter + and performs an analysis on that file, independent of any specific SecOps entity + objects. diff --git a/content/response_integrations/google/reversinglabs_a1000/resources/ai/integration_ai_description.yaml b/content/response_integrations/google/reversinglabs_a1000/resources/ai/integration_ai_description.yaml index 2e831240c..ebf103f75 100644 --- a/content/response_integrations/google/reversinglabs_a1000/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/google/reversinglabs_a1000/resources/ai/integration_ai_description.yaml @@ -7,6 +7,15 @@ product_categories: iam_and_identity_management: false itsm: false network_security: false + reasoning: >- + The ReversingLabs A1000 integration is a malware analysis platform that provides + threat intelligence for file-based indicators. Its primary actions, such as 'Get + Report' and 'Get Scan Status', are designed to enrich file hashes (IOCs) with + reputation data, threat levels, and analysis status, which directly aligns with + the 'Threat Intelligence' category. It does not perform SIEM log analysis, EDR + host containment, network security blocking, email management, IAM operations, + cloud resource management, ITSM ticketing, vulnerability scanning, asset inventory + management, or collaboration/notification tasks. siem: false threat_intelligence: true vulnerability_management: false diff --git a/content/response_integrations/google/stealthwatch_v610/resources/ai/actions_ai_description.yaml b/content/response_integrations/google/stealthwatch_v610/resources/ai/actions_ai_description.yaml index a39ff126e..d96b09717 100644 --- a/content/response_integrations/google/stealthwatch_v610/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/google/stealthwatch_v610/resources/ai/actions_ai_description.yaml @@ -13,6 +13,9 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test ('Ping') and does not perform any of the defined + product category operations (enrichment, containment, ticketing, etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -27,27 +30,25 @@ Ping: update_email: false update_identity: false update_ticket: false - ai_description: "### General Description\nThe **Ping** action is a utility designed\ - \ to verify the connectivity between the Google SecOps platform and the Cisco\ - \ Stealthwatch (v6.10) instance. Its primary purpose is to ensure that the integration's\ - \ configuration parameters\u2014specifically the API Root, Username, and Password\u2014\ - are correct and that the Stealthwatch server is reachable and responding to requests.\n\ - \n### Parameters Description\nThis action does not require any input parameters.\ - \ It relies entirely on the integration's global configuration settings.\n\n###\ - \ Additional Notes\n* The action performs a live authentication check by requesting\ - \ a JWT token from the Stealthwatch server.\n* It further validates the connection\ - \ by attempting to retrieve a list of available domains (tenants) from the system.\n\ - * If any step in the authentication or domain retrieval fails, the action will\ - \ report a failure, indicating a configuration or network issue.\n\n### Flow Description\n\ - 1. **Configuration Retrieval:** The action fetches the 'Api Root', 'Username',\ - \ and 'Password' from the StealthwatchV6-10 integration settings.\n2. **Manager\ - \ Initialization:** It initializes the `StealthwatchManager`, which triggers an\ - \ authentication request (`POST /token/v2/authenticate`) to obtain a session cookie/JWT.\n\ - 3. **Connectivity Test:** The action calls the `test_connectivity` method, which\ - \ executes a `GET` request to the `/sw-reporting/v1/tenants` endpoint to verify\ - \ that the authenticated session can successfully read data.\n4. **Result Reporting:**\ - \ If the requests are successful, the action concludes with a 'Connected Successfully'\ - \ message and returns a boolean `True` status." + ai_description: "General Description: The Ping action is a utility designed to verify\ + \ the connectivity between the Google SecOps platform and the Cisco Stealthwatch\ + \ (v6.10) instance. Its primary purpose is to ensure that the integration's configuration\ + \ parameters\u2014specifically the API Root, Username, and Password\u2014are correct\ + \ and that the Stealthwatch server is reachable and responding to requests. Parameters\ + \ Description: There are no parameters for this action. Additional Notes: The\ + \ action performs a live authentication check by requesting a JWT token from the\ + \ Stealthwatch server. It further validates the connection by attempting to retrieve\ + \ a list of available domains (tenants) from the system. If any step in the authentication\ + \ or domain retrieval fails, the action will report a failure, indicating a configuration\ + \ or network issue. Flow Description: 1. Configuration Retrieval: The action fetches\ + \ the 'Api Root', 'Username', and 'Password' from the StealthwatchV6-10 integration\ + \ settings. 2. Manager Initialization: It initializes the StealthwatchManager,\ + \ which triggers an authentication request (POST /token/v2/authenticate) to obtain\ + \ a session cookie/JWT. 3. Connectivity Test: The action calls the test_connectivity\ + \ method, which executes a GET request to the /sw-reporting/v1/tenants endpoint\ + \ to verify that the authenticated session can successfully read data. 4. Result\ + \ Reporting: If the requests are successful, the action concludes with a 'Connected\ + \ Successfully' message and returns a boolean True status." capabilities: can_create_case_comments: false can_create_insight: false @@ -58,8 +59,15 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity test by authenticating (POST) and fetching + data (GET) from the Cisco Stealthwatch API. It does not mutate external or internal + data, nor does it update entities or create insights. categories: enrichment: false + reasoning: >- + The action is named 'Ping' and is a connectivity test. Per the instructions, + Ping actions are not categorized as enrichment actions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -75,6 +83,8 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not process any entities. It is a global connectivity test. Search Events: action_product_categories: add_alert_comment: false @@ -90,6 +100,10 @@ Search Events: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves security events for an IP, providing threat intelligence + and context, which matches 'Enrich IOC'. It also performs a search for historical + logs, which matches 'Search Events'. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -159,10 +173,19 @@ Search Events: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action attaches security event data to the case as JSON results and creates - entity-level data tables for the processed IP addresses. + Adds JSON results and entity data tables to the case. + reasoning: >- + The action fetches security event data from Cisco Stealthwatch by performing + search queries. It does not modify external system state (no blocking or configuration + changes). It performs internal mutations by attaching JSON results and entity + data tables to the case, which is standard for enrichment actions. categories: enrichment: true + reasoning: >- + The action retrieves security events (contextual data) for IP entities and attaches + them to the case. It does not mutate external systems and the internal mutations + (adding tables/JSON) are standard enrichment practices. Therefore, it is classified + as an enrichment action. entity_usage: entity_types: - ADDRESS @@ -179,6 +202,9 @@ Search Events: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and explicitly filters for + entities where `entity.entity_type == EntityTypes.ADDRESS`. Search Flows: action_product_categories: add_alert_comment: false @@ -191,9 +217,13 @@ Search Flows: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: false + enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves network flow data for IP addresses, which provides context + for investigation, matching the 'Enrich IOC' category. Additionally, it performs + a search for historical telemetry data, which matches the 'Search Events' category. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -274,8 +304,18 @@ Search Flows: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches network flow data from an external system (Cisco Stealthwatch) + based on IP entities. It does not modify any external system state (no blocking/quarantining) + nor does it modify internal case data (it does not update entities, create insights, + or add case comments). It only attaches results to the action output. categories: enrichment: true + reasoning: >- + The action is designed to fetch contextual data (network flows) for entities. + It does not mutate external systems or internal case data, and it does not perform + any forbidden actions (like ping or file downloads). Therefore, it qualifies + as an enrichment action. entity_usage: entity_types: - ADDRESS @@ -292,3 +332,6 @@ Search Flows: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and explicitly filters for + entities where `entity.entity_type == EntityTypes.ADDRESS`. diff --git a/content/response_integrations/google/stealthwatch_v610/resources/ai/integration_ai_description.yaml b/content/response_integrations/google/stealthwatch_v610/resources/ai/integration_ai_description.yaml index a67fd6077..981f2193f 100644 --- a/content/response_integrations/google/stealthwatch_v610/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/google/stealthwatch_v610/resources/ai/integration_ai_description.yaml @@ -7,6 +7,18 @@ product_categories: iam_and_identity_management: false itsm: false network_security: true + reasoning: >- + The stealthwatch_v610 integration provides network visibility and security analytics. + The available actions, 'Search Events' and 'Search Flows', allow security analysts + to retrieve security events and network flow data for IP address entities. This + functionality aligns with SIEM capabilities by enabling the investigation of activity + related to assets and IOCs. It aligns with Network Security as it provides visibility + into network traffic and communication patterns, which is essential for identifying + malicious network activity. It also aligns with Threat Intelligence, as the retrieved + events and flows serve as enrichment data to help determine the reputation of + IP indicators and confirm if alerts are True Positives. It does not provide EDR, + Email Security, IAM, ITSM, Vulnerability Management, Asset Inventory, or Collaboration + capabilities. siem: true - threat_intelligence: false + threat_intelligence: true vulnerability_management: false diff --git a/content/response_integrations/google/symantec_content_analysis/resources/ai/actions_ai_description.yaml b/content/response_integrations/google/symantec_content_analysis/resources/ai/actions_ai_description.yaml index 592372cae..ec0d9660a 100644 --- a/content/response_integrations/google/symantec_content_analysis/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/google/symantec_content_analysis/resources/ai/actions_ai_description.yaml @@ -13,6 +13,10 @@ Get Hash Report: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves threat intelligence (sample reports) for file hashes, which + aligns with the 'Enrich IOC' category. It does not perform any other actions + like ticketing, blocking, or alert management. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -28,6 +32,8 @@ Get Hash Report: update_identity: false update_ticket: false ai_description: >- + ### General Description + Enriches File Hash entities (MD5 and SHA256) by retrieving sample reports from Symantec Content Analysis. This action queries the Symantec API to find basic sample information associated with a specific file hash and provides the results @@ -83,10 +89,19 @@ Get Hash Report: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with the retrieved report data and adds - a data table to the entity. + Updates entity additional properties and adds a data table to the entity within + the SOAR platform. + reasoning: >- + The action fetches file hash reports from Symantec Content Analysis via a GET + request. It does not modify any external systems. It performs internal mutations + by updating entity additional properties and adding a data table to the entity + within the SOAR platform. categories: enrichment: true + reasoning: >- + The action fetches data from an external source (Symantec) and updates internal + entities without modifying external systems. This fits the definition of an + enrichment action. entity_usage: entity_types: - FILEHASH @@ -103,6 +118,9 @@ Get Hash Report: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and filters specifically + for `EntityTypes.FILEHASH`. Ping: action_product_categories: add_alert_comment: false @@ -118,6 +136,10 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a diagnostic connectivity test and does not perform any of the + defined operational tasks such as enrichment, containment, ticket management, + or alert modification. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -189,8 +211,16 @@ Ping: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a diagnostic connectivity check (Ping) by sending a GET + request to the Symantec Content Analysis server. It does not fetch contextual + data regarding alerts or entities, nor does it mutate any external or internal + data. It is a purely diagnostic action. categories: enrichment: false + reasoning: >- + The action is a diagnostic 'Ping' utility. Per the instructions, Ping actions + are explicitly excluded from being categorized as enrichment actions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -206,6 +236,9 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not process any entities. It is a global diagnostic tool that + relies on integration configuration settings. Submit File: action_product_categories: add_alert_comment: false @@ -218,9 +251,13 @@ Submit File: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: false + enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action submits a file to an analysis engine and returns a threat score, + which matches the 'Submit File' category. Additionally, by providing a reputation + score for the file, it serves as an 'Enrich IOC' action. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -235,25 +272,23 @@ Submit File: update_email: false update_identity: false update_ticket: false - ai_description: "### General Description\nSubmits a file to Symantec Content Analysis\ - \ for scanning and analysis. This action uploads a file from a specified local\ - \ path to the Symantec service, retrieves the resulting reputation score, and\ - \ generates case insights based on the severity of the findings.\n\n### Flow Description\n\ - 1. **Configuration Retrieval:** The action initializes the Symantec Content Analysis\ - \ manager using the provided API Root and API Key.\n2. **File Submission:** It\ - \ reads the file from the provided 'File Path' and performs a POST request to\ - \ the Symantec Content Analysis API to initiate a scan.\n3. **Score Parsing:**\ - \ The action extracts the file reputation score from the API response.\n4. **Insight\ - \ Generation:** \n * If the score is between 2 and 6, it creates a 'File Found\ - \ as Suspicious' insight.\n * If the score is between 7 and 10, it creates\ - \ a 'File Found as Malicious' insight.\n5. **Completion:** The action concludes\ - \ by returning the reputation score and a summary message.\n\n### Parameters Description\n\ - | Parameter Name | Type | Mandatory | Description |\n| :--- | :--- | :--- | :---\ - \ |\n| File Path | string | True | The local file system path of the file to be\ - \ uploaded and scanned. |\n\n### Additional Notes\n* This action does not process\ - \ SecOps entities; it operates strictly on the file path provided in the parameters.\n\ - * The action includes a timeout mechanism (defaulting to 5 minutes) for the file\ - \ submission process." + ai_description: "### General Description\nThis action submits a file from a specified\ + \ local path to the Symantec Content Analysis service for scanning and reputation\ + \ analysis. It retrieves the file's reputation score and generates case insights\ + \ within the SOAR platform based on the severity of the findings. This action\ + \ is useful for automating the initial triage of suspicious files.\n\n### Parameters\ + \ Description\n| Parameter Name | Type | Mandatory | Description |\n| :--- | :---\ + \ | :--- | :--- |\n| File Path | string | True | The local file system path of\ + \ the file to be uploaded and scanned. |\n\n### Flow Description\n1. **Configuration\ + \ Retrieval:** The action initializes the Symantec Content Analysis manager using\ + \ the provided API Root and API Key.\n2. **File Submission:** It reads the file\ + \ from the provided 'File Path' and performs a POST request to the Symantec Content\ + \ Analysis API to initiate a scan.\n3. **Score Parsing:** The action extracts\ + \ the file reputation score from the API response.\n4. **Insight Generation:**\ + \ \n * If the score is between 2 and 6, it creates a 'File Found as Suspicious'\ + \ insight.\n * If the score is between 7 and 10, it creates a 'File Found as\ + \ Malicious' insight.\n5. **Completion:** The action concludes by returning the\ + \ reputation score and a summary message." capabilities: can_create_case_comments: false can_create_insight: true @@ -264,10 +299,18 @@ Submit File: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action creates case insights within Google SecOps based on the reputation - score returned by the Symantec Content Analysis service. + Creates case insights based on the file reputation score. + reasoning: >- + The action performs a POST request to submit a file for analysis (fetching data/reputation + score). It does not modify external system configurations or security posture + (no external mutation). It performs internal mutations by creating case insights + based on the analysis results. categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches data (reputation score) and performs allowed internal mutations + (creating insights). It does not mutate external systems or perform prohibited + actions. Therefore, it qualifies as an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -283,3 +326,6 @@ Submit File: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or process SOAR entities. It operates on a + file path provided as a parameter. diff --git a/content/response_integrations/google/symantec_content_analysis/resources/ai/integration_ai_description.yaml b/content/response_integrations/google/symantec_content_analysis/resources/ai/integration_ai_description.yaml index 2e831240c..b417b3852 100644 --- a/content/response_integrations/google/symantec_content_analysis/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/google/symantec_content_analysis/resources/ai/integration_ai_description.yaml @@ -7,6 +7,16 @@ product_categories: iam_and_identity_management: false itsm: false network_security: false + reasoning: >- + The symantec_content_analysis integration is designed to analyze files and file + hashes to determine their threat potential, which is a core function of threat + intelligence. The 'Get Hash Report' action enriches file hash entities with reputation + data, and the 'Submit File' action performs sandboxing and reputation analysis. + These capabilities directly align with the 'Threat Intelligence' category, which + focuses on enriching external indicators (IPs, Hashes, URLs) to determine reputation + and confirm if an alert is a True Positive. The integration does not perform SIEM, + EDR, Network Security, Email Security, IAM, Cloud Security, ITSM, Vulnerability + Management, Asset Inventory, or Collaboration functions. siem: false threat_intelligence: true vulnerability_management: false diff --git a/content/response_integrations/google/symantec_icdx/resources/ai/actions_ai_description.yaml b/content/response_integrations/google/symantec_icdx/resources/ai/actions_ai_description.yaml index bd64af8d3..1c30687ee 100644 --- a/content/response_integrations/google/symantec_icdx/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/google/symantec_icdx/resources/ai/actions_ai_description.yaml @@ -13,6 +13,11 @@ Get Event: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves specific event data from Symantec ICDX based on a provided + UUID. This aligns with the 'Search Events' category as it returns historical + telemetry data. It does not modify external systems, update entities, or enrich + specific IOCs/assets. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -80,15 +85,21 @@ Get Event: can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: >- - The action adds a data table to the case wall containing the flattened details - of the retrieved event. + internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to retrieve event data from Symantec ICDX + (fetches_data=true). It does not modify external systems (can_mutate_external_data=false). + It does not modify internal SOAR data (entities, insights, etc.) (can_mutate_internal_data=false). categories: enrichment: false + reasoning: >- + The action fetches data from an external system (Symantec ICDX) but does not + perform enrichment on entities or alerts. It is a retrieval action for specific + event data. Therefore, it is not classified as an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -104,6 +115,10 @@ Get Event: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities` or use any entity-specific + identifiers. It relies on a user-provided `Event UUID` parameter to fetch data. + Therefore, it does not run on any entity types. Get Events Minutes Back: action_product_categories: add_alert_comment: false @@ -119,6 +134,10 @@ Get Events Minutes Back: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action searches for historical event logs in Symantec ICDX based on a query + and time window. This directly matches the 'Search Events' category. It does + not perform enrichment, containment, or ticket management. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -199,15 +218,22 @@ Get Events Minutes Back: can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: >- - The action adds a data table containing the retrieved event logs to the case - wall. + internal_data_mutation_explanation: null + reasoning: >- + The action performs a search query against Symantec ICDX to retrieve event logs. + It fetches data via a POST request to the search endpoint but does not modify + external systems or internal SOAR entities, insights, or case data. categories: enrichment: false + reasoning: >- + The action fetches historical event logs from an external system. While it fetches + data, it is a general search action rather than an enrichment action designed + to add context to specific entities or alerts. Therefore, it does not meet the + criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -223,6 +249,9 @@ Get Events Minutes Back: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on target entities. It performs a global search + based on the provided query parameter. Ping: action_product_categories: add_alert_comment: false @@ -238,6 +267,10 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a diagnostic connectivity test. It does not perform any of the + defined product category operations (Enrichment, Containment, Ticket management, + etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -253,20 +286,34 @@ Ping: update_identity: false update_ticket: false ai_description: >- - ### General Description\nThe **Ping** action is a diagnostic utility designed - to verify the connectivity between Google SecOps and the Symantec ICDX (Integrated - Cyber Defense Exchange) platform. It validates the integration's configuration, - including the API Root, API Token, and SSL settings, by performing a test API - call.\n\n### Parameters Description\nThis action does not require any input parameters.\n\n### - Flow Description\n1. **Configuration Retrieval**: The action fetches the integration's - global configuration, including the `Api Root`, `Api Token`, and `Verify SSL` - settings.\n2. **Manager Initialization**: It initializes the `SymantecICDXManager` - using the retrieved credentials.\n3. **Connectivity Test**: The action executes - the `test_connectivity` method, which attempts to retrieve a specific event by - a hardcoded UUID from the Symantec ICDX search endpoint.\n4. **Result Reporting**: - If the API call is successful, the action concludes with a success status and - the message 'Connection Established'. If the connection fails, an exception is - raised.\n\n### Additional Notes\nThere are no parameters for this action. + ### General Description + + The **Ping** action is a diagnostic utility designed to verify the connectivity + between Google SecOps and the Symantec ICDX (Integrated Cyber Defense Exchange) + platform. It validates the integration's configuration, including the API Root, + API Token, and SSL settings, by performing a test API call. + + + ### Parameters Description + + There are no parameters for this action. + + + ### Flow Description + + 1. **Configuration Retrieval**: The action fetches the integration's global configuration, + including the `Api Root`, `Api Token`, and `Verify SSL` settings. + + 2. **Manager Initialization**: It initializes the `SymantecICDXManager` using + the retrieved credentials. + + 3. **Connectivity Test**: The action executes the `test_connectivity` method, + which attempts to retrieve a specific event by a hardcoded UUID from the Symantec + ICDX search endpoint. + + 4. **Result Reporting**: If the API call is successful, the action concludes with + a success status and the message 'Connection Established'. If the connection fails, + an exception is raised. capabilities: can_create_case_comments: false can_create_insight: false @@ -277,8 +324,16 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a test API call to verify connectivity. While it technically + makes a network request (POST), it is a diagnostic 'Ping' action, not an enrichment + or mutation action. It does not modify external or internal data. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action. According to the instructions, 'Actions named + Ping must not be categorized as enrichment actions.' Therefore, it is not an + enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -294,3 +349,6 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use any entities. It is a diagnostic tool that runs independently + of any specific entity. diff --git a/content/response_integrations/google/symantec_icdx/resources/ai/connectors_ai_description.yaml b/content/response_integrations/google/symantec_icdx/resources/ai/connectors_ai_description.yaml index d0e27c963..840a60c57 100644 --- a/content/response_integrations/google/symantec_icdx/resources/ai/connectors_ai_description.yaml +++ b/content/response_integrations/google/symantec_icdx/resources/ai/connectors_ai_description.yaml @@ -2,84 +2,68 @@ SymantecICDX query Connector: ai_description: >- ### General Description - - The SymantecICDX Query Connector enables the ingestion of security events from - the Symantec Integrated Cyber Defense Exchange (ICDX) into Google SecOps. By utilizing - the ICDX Search API, the connector allows security teams to define specific search - queries to filter and pull relevant telemetry, which is then transformed into - actionable cases within the SOAR platform. + This connector integrates with the Symantec ICDX server to fetch security events + based on a user-defined query. It enables security teams to ingest relevant logs + or alerts into Google SecOps for centralized monitoring, investigation, and case + management. ### Parameters Description - | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | DeviceProductField | String | Yes | The field name in the ICDX event used to - determine the device product (defaults to `device_product`). | + | DeviceProductField | String | Yes | The field name used to determine the device + product. | | EventClassId | String | No | The field name used to determine the event name - or sub-type (defaults to `name`). | + (sub-type). | - | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the - python process running the script. | + | PythonProcessTimeout | Integer | Yes | The timeout limit (in seconds) for the + python process. | - | Api Root | String | Yes | The base URL of the Symantec ICDX API instance. | + | Api Root | String | Yes | The base URL of the Symantec ICDX API. | - | Api Token | Password | Yes | The API token used for Basic Authentication with - the ICDX server. | + | Api Token | String | Yes | The API token for authentication. | - | Verify SSL | Boolean | Yes | Specifies whether to verify the SSL certificate - of the ICDX server. | + | Verify SSL | Boolean | Yes | Whether to use SSL verification for the connection. + | - | Search Query | String | Yes | The ICDX-specific query string used to filter - events (e.g., `category_id = 1`). | + | Search Query | String | Yes | The query string used to filter events from Symantec + ICDX. | - | Events Limit | Integer | Yes | The maximum number of events to pull in a single - execution cycle. | + | Events Limit | Integer | Yes | The maximum number of events to pull in one cycle. + | | Max Days Backwards | Integer | Yes | The maximum number of days to look back - for events during the initial run or if the timestamp is lost. | + when fetching events. | - | Proxy Server Address | String | No | The address of the proxy server if one - is required for the connection. | + | Proxy Server Address | String | No | The address of the proxy server to use. + | - | Proxy Username | String | No | The username for proxy authentication. | + | Proxy Username | String | No | The proxy username to authenticate with. | - | Proxy Password | Password | No | The password for proxy authentication. | + | Proxy Password | String | No | The proxy password to authenticate with. | ### Flow Description + 1. The connector initializes a connection to the Symantec ICDX API using the provided + credentials and API root. - 1. **Initialization**: The connector initializes the connection to the Symantec - ICDX API using the provided API Root and Token. - - 2. **Time Management**: It retrieves the last successful execution timestamp. - If no timestamp exists, it calculates the start time based on the `Max Days Backwards` - parameter. - - 3. **Data Retrieval**: The connector sends a POST request to the ICDX search - endpoint (`/r3_epmp_i/dx/archives/search`) containing the `Search Query`, `start_time`, - and `limit`. + 2. It determines the start time for the query based on the last successful run + timestamp or the configured 'Max Days Backwards' parameter. - 4. **Pagination**: If the ICDX response indicates more data is available (via - a `next` UUID), the connector iteratively fetches additional pages until the limit - is reached or no more data remains. + 3. It executes the 'Search Query' against the Symantec ICDX API to retrieve events. - 5. **Deduplication**: It filters out events that have already been processed - by comparing event UUIDs against a local tracking file (`ids.json`) that stores - IDs from the last 72 hours. + 4. It filters out events that have already been processed by checking against + a local 'ids.json' file. - 6. **Case Creation**: For each unique event, the connector maps ICDX fields (such - as `message`, `uuid`, and `log_time`) to Google SecOps Case objects. It flattens - the event JSON to ensure all data is available within the case events. + 5. For each new event, it maps the data to a Google SecOps 'CaseInfo' object, + including relevant fields like device vendor, product, and event time. - 7. **Overflow Check**: The connector checks if the alert should be filtered out - based on configured overflow rules in Google SecOps. + 6. It checks for overflow conditions to prevent ingestion issues. - 8. **Finalization**: Successfully processed cases are ingested, the execution - timestamp is updated to the time of the latest event, and the processed IDs are - saved to prevent future duplicates. + 7. Finally, it saves the new timestamp and updates the 'ids.json' file to track + processed events for the next cycle. diff --git a/content/response_integrations/google/symantec_icdx/resources/ai/integration_ai_description.yaml b/content/response_integrations/google/symantec_icdx/resources/ai/integration_ai_description.yaml index 466738966..8f1dec9a3 100644 --- a/content/response_integrations/google/symantec_icdx/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/google/symantec_icdx/resources/ai/integration_ai_description.yaml @@ -7,6 +7,16 @@ product_categories: iam_and_identity_management: false itsm: false network_security: false + reasoning: >- + The Symantec ICDX (Integrated Cyber Defense Exchange) integration functions primarily + as a data aggregator and log collector. Its connector is designed to ingest security + events and logs into the Google SecOps platform for centralized monitoring and + investigation. The available actions ('Get Event' and 'Get Events Minutes Back') + allow analysts to search through these historical logs to identify activity related + to assets or users. This aligns directly with the SIEM category, which focuses + on log ingestion, centralized monitoring, and searching for activity across logs. + It does not provide EDR, Network Security, Threat Intelligence, or other specialized + security management capabilities. siem: true threat_intelligence: false vulnerability_management: false diff --git a/content/response_integrations/power_ups/connectors/resources/ai/connectors_ai_description.yaml b/content/response_integrations/power_ups/connectors/resources/ai/connectors_ai_description.yaml index 796f4e2bd..f90e24762 100644 --- a/content/response_integrations/power_ups/connectors/resources/ai/connectors_ai_description.yaml +++ b/content/response_integrations/power_ups/connectors/resources/ai/connectors_ai_description.yaml @@ -2,12 +2,11 @@ Cron Scheduled Connector: ai_description: >- ### General Description - The **Cron Scheduled Connector** is a utility integration designed to trigger - playbooks within Google SecOps on a scheduled basis. Unlike traditional connectors - that fetch data from external security products, this connector generates synthetic - alerts based on user-defined parameters and a Cron expression. It is primarily - used for automating recurring tasks, such as health checks, periodic maintenance, - or scheduled reporting playbooks. + This connector acts as a scheduler to generate alerts and cases within Google + SecOps at specific intervals defined by a cron expression. It is highly customizable, + allowing users to define the alert name, type, product, and arbitrary alert fields + via JSON configuration. It is useful for testing playbooks, creating heartbeat + alerts, or simulating periodic events. ### Parameters Description @@ -16,65 +15,47 @@ Cron Scheduled Connector: | :--- | :--- | :--- | :--- | - | Alert fields | String | Yes | A JSON-formatted string containing the key-value - pairs to be inserted into the alert's extension fields (e.g., `{"key": "value"}`). + | Alert fields | String | Yes | JSON formatted fields to include in the alert. | - | Alert name | String | Yes | The display name for the alert that will be created - in the system. | + | Alert name | String | Yes | The name of the alert to be created. | - | Alert type | String | No | The specific alert type or rule generator name. Defaults - to "Scheduled Alert" if not provided. | + | Alert type | String | No | The type of the alert. | - | Cron Expression | String | No | A standard Cron expression (e.g., `*/5 * * * - *`) that determines the frequency and timing of alert creation. | + | Cron Expression | String | No | Cron schedule for case creation. | - | DeviceProductField | String | Yes | The field name used by the platform to identify - the device product. | + | DeviceProductField | String | Yes | Field name for device product. | - | EventClassId | String | Yes | The field name used by the platform to identify - the event class or sub-type. | + | EventClassId | String | Yes | Field name for event name. | - | Product name | String | No | The product name associated with the generated - alert. | + | Product name | String | No | The product name for the alert. | - | PythonProcessTimeout | String | Yes | The maximum time (in seconds) allowed - for the script to execute before being terminated. | + | PythonProcessTimeout | String | Yes | Timeout limit in seconds. | ### Flow Description - 1. **Parameter Extraction**: The connector retrieves the configured alert metadata - (name, type, product), the JSON payload for alert fields, and the Cron expression. + 1. The connector initializes and retrieves configuration parameters. - 2. **Schedule Validation**: The script uses the `cronex` library to compare the - current system time against the provided `Cron Expression`. + 2. It evaluates the provided Cron Expression against the current system time. - 3. **Execution Check**: If the current time does not match the Cron schedule, - the connector logs the status and exits without creating an alert. + 3. If the cron schedule matches, it parses the Alert fields JSON string. - 4. **Alert Generation**: If the schedule matches, the connector generates a unique - UUID for the alert and initializes a `CaseInfo` object. + 4. It constructs a CaseInfo object with the specified alert name, type, product, + and custom fields. - 5. **Data Mapping**: The JSON data from the `Alert fields` parameter is parsed - and mapped to the alert's extension fields. The priority is set to Medium (60) - by default. + 5. It generates a corresponding event and attaches it to the case. - 6. **Event Creation**: A dummy event is created and attached to the case to ensure - compatibility with the Google SecOps data model. - - 7. **Ingestion**: The generated case is sent to the platform, where it can trigger - playbooks based on the defined Alert Name, Type, or Product. + 6. The case is ingested into the SOAR platform for further processing by playbooks. Scheduled Connector: ai_description: >- ### General Description - The Scheduled Connector is a utility integration designed to programmatically - generate alerts and cases within Google SecOps. Unlike traditional connectors - that fetch data from external security products, this connector creates synthetic - alerts based on user-defined configuration parameters. It is primarily used to - trigger specific playbooks on a scheduled basis or to simulate alerts for testing - and automation orchestration. + This connector acts as a synthetic alert generator for Google SecOps SOAR. It + allows users to manually define and trigger alerts (cases) based on custom parameters, + such as product name, alert name, and alert type. It is primarily used to test + playbooks or trigger specific workflows by injecting custom alert data into the + SOAR platform. ### Parameters Description @@ -83,45 +64,43 @@ Scheduled Connector: | :--- | :--- | :--- | :--- | - | Alert fields | String | Yes | A JSON-formatted string representing the key-value - pairs to be included in the alert extensions (e.g., `{"src": "1.1.1.1"}`). | + | Alert fields | String | Yes | The alert fields you would like to insert in a + JSON format. | - | Alert name | String | Yes | The display name for the created alert. | + | Alert name | String | Yes | The Alert name associated with the alert that will + be created. | - | Alert type | String | No | The category or rule generator for the alert. Defaults - to "Scheduled Alert" if not provided. | + | Alert type | String | No | The Alert type associated with the alert that will + be created. | - | DeviceProductField | String | Yes | Configuration mapping used by the platform - to identify the device product field. | + | DeviceProductField | String | Yes | The field name used to determine the device + product. | - | EventClassId | String | Yes | Configuration mapping used by the platform to - identify the event class/sub-type. | + | EventClassId | String | Yes | The field name used to determine the event name + (sub-type). | - | Product name | String | No | The name of the product associated with the alert. - | + | Product name | String | No | The Product name associated with the alert that + will be created. | - | PythonProcessTimeout | String | Yes | The maximum execution time (in seconds) - allowed for the connector logic. | + | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the + python process running current script. | ### Flow Description - 1. **Initialization**: The connector starts execution, typically triggered by - a predefined schedule in the Google SecOps environment. + 1. The connector initializes the SiemplifyConnectorExecution environment. + + 2. It retrieves the user-defined configuration parameters (Product name, Alert + name, Alert type, and Alert fields). - 2. **Parameter Extraction**: The script retrieves the alert metadata, including - the name, product, type, and the JSON string of custom fields. + 3. It parses the Alert fields JSON string into a dictionary. - 3. **Data Parsing**: The `Alert fields` JSON string is parsed into a Python dictionary - to be mapped as alert extensions. + 4. It constructs a CaseInfo object, populating it with the provided alert details, + including the alert name, type, and product. - 4. **Alert Generation**: A unique UUID is generated to serve as the Ticket ID - and Grouping Identifier. A `CaseInfo` object is then constructed using the provided - parameters. + 5. It maps the parsed Alert fields into the case extensions. - 5. **Event Creation**: A single internal event is generated and attached to the - case to satisfy the SOAR data model requirements. + 6. It generates a corresponding event and attaches it to the case. - 6. **Ingestion**: The constructed case is returned to the SOAR platform, where - it is ingested as a new alert, subsequently triggering any playbooks configured - to match the specified Product and Alert Name. + 7. Finally, it returns the constructed case package to the SOAR platform to trigger + relevant playbooks. diff --git a/content/response_integrations/power_ups/connectors/resources/ai/integration_ai_description.yaml b/content/response_integrations/power_ups/connectors/resources/ai/integration_ai_description.yaml index 0801c7556..50fcfbd4b 100644 --- a/content/response_integrations/power_ups/connectors/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/power_ups/connectors/resources/ai/integration_ai_description.yaml @@ -7,6 +7,14 @@ product_categories: iam_and_identity_management: false itsm: false network_security: false + reasoning: >- + The integration consists of connectors designed to generate synthetic alerts and + cases within Google SecOps, primarily for testing playbooks and simulating periodic + events. It does not perform security operations functions such as log analysis + (SIEM), endpoint management (EDR), network security, threat intelligence enrichment, + email security, identity management, cloud resource management, ITSM ticketing, + vulnerability scanning, asset inventory management, or collaboration/notification. + Consequently, it does not align with any of the specified product categories. siem: false threat_intelligence: false vulnerability_management: false diff --git a/content/response_integrations/power_ups/email_utilities/resources/ai/actions_ai_description.yaml b/content/response_integrations/power_ups/email_utilities/resources/ai/actions_ai_description.yaml index 0abb9506e..8e4457538 100644 --- a/content/response_integrations/power_ups/email_utilities/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/power_ups/email_utilities/resources/ai/actions_ai_description.yaml @@ -13,6 +13,10 @@ Analyze EML Headers: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action performs heuristic analysis on email headers provided as input. It + does not match any of the predefined product categories (e.g., it is not an + enrichment, containment, or ticketing action). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -28,6 +32,8 @@ Analyze EML Headers: update_identity: false update_ticket: false ai_description: >- + ### General Description + Analyzes email headers provided either as a base64-encoded EML file or a JSON-formatted list of headers. The action performs a security-focused heuristic analysis to identify potential spoofing, misconfigurations, or suspicious patterns. It evaluates @@ -40,7 +46,6 @@ Analyze EML Headers: ### Parameters Description - | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | @@ -93,8 +98,16 @@ Analyze EML Headers: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action parses provided email data and performs heuristic analysis. It does + not make external API calls (fetches_data=false), does not mutate external systems, + and does not modify internal SOAR case data (entities, insights, comments). + It only returns a result JSON. categories: enrichment: false + reasoning: >- + The action does not fetch data from an external source (it processes provided + input) and does not meet the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -110,6 +123,9 @@ Analyze EML Headers: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not reference `target_entities` or perform any entity-based operations. + It processes email data provided via input parameters. Analyze Headers: action_product_categories: add_alert_comment: false @@ -122,9 +138,13 @@ Analyze Headers: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: true + enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action analyzes email headers and returns a structured JSON result. It does + not match any of the predefined product categories (e.g., it does not enrich + an IOC entity, update an alert, or interact with an external ticketing system). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -140,14 +160,15 @@ Analyze Headers: update_identity: false update_ticket: false ai_description: >- + ### General Description + Analyzes email headers provided in JSON format to perform a comprehensive security audit of an email's origin and routing path. The action validates authentication records (SPF, DMARC, DKIM, ARC), traces the relay hops, and enriches the data - with threat intelligence including RBL status, WHOIS information, and geographic - location. + with threat intelligence. - ### Parameters + ### Parameters Description | Parameter | Type | Mandatory | Description | @@ -157,6 +178,13 @@ Analyze Headers: be analyzed. This is typically extracted from an email parsing action. | + ### Additional Notes + + This action does not operate on SOAR entities directly. It requires a JSON object + containing email headers as input. The action performs external lookups (DNS, + WHOIS, GeoIP, RBLs) to analyze the email's origin and routing. + + ### Flow Description 1. **Input Extraction:** Retrieves the `Headers JSON` parameter and parses it @@ -175,10 +203,12 @@ Analyze Headers: reverse order to reconstruct the email's journey. 6. **Threat Intelligence Enrichment:** For each relay server identified in the - hops, the action checks the IP or domain against multiple Real-time Block Lists - (RBLs), performs RDAP/WHOIS lookups to determine ownership, and retrieves geographic - location data (City, Country, Coordinates). - + hops: + * Checks the IP or domain against multiple Real-time Block Lists (RBLs) + using `pydnsbl` to identify known malicious senders. + * Performs RDAP/WHOIS lookups via `IPWhois` to determine ownership information. + * Retrieves geographic location data (City, Country, Coordinates) using + the `DbIpCity` service. 7. **Timing Analysis:** Calculates the delay (in seconds) between each relay hop to identify potential anomalies in delivery time. @@ -195,8 +225,16 @@ Analyze Headers: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action parses email headers and performs external lookups (DNS, WHOIS, GeoIP, + RBLs) to analyze the email's origin and routing. It does not modify any external + or internal systems, nor does it operate on SOAR entities. categories: - enrichment: true + enrichment: false + reasoning: >- + The action does not operate on entities and does not meet the criteria for an + enrichment action as defined (which requires operating on alerts or entities). + It is a utility action for email header analysis. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -212,6 +250,9 @@ Analyze Headers: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not reference `target_entities`. It processes a JSON string provided + as a parameter. Parse Base64 Email: action_product_categories: add_alert_comment: false @@ -227,6 +268,9 @@ Parse Base64 Email: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a utility for parsing email content. It does not match any of + the defined product categories (e.g., enrichment, containment, ticketing, etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -260,7 +304,7 @@ Parse Base64 Email: | :--- | :--- | :--- | :--- | - | EML/MSG Base64 String | String | Yes | The Base64 encoded string representing + | EML/MSG Base64 String | Content | Yes | The Base64 encoded string representing the EML or MSG file to be parsed. | | Stop Transport At Header | String | No | A specific header field name. If provided, @@ -318,8 +362,16 @@ Parse Base64 Email: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action parses a Base64 encoded email blob (EML/MSG) provided as input. It + performs local processing to extract headers, body, attachments, and IOCs. It + does not interact with external APIs or modify internal SOAR data. categories: enrichment: false + reasoning: >- + The action is a local utility for parsing email blobs. It does not fetch data + from external systems, nor does it modify internal SOAR data. Therefore, it + does not meet the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -335,6 +387,9 @@ Parse Base64 Email: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on entities. It processes a raw Base64 string provided + as a parameter. Parse Case Wall Email: action_product_categories: add_alert_comment: false @@ -347,9 +402,13 @@ Parse Case Wall Email: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: true + enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action parses email files to extract indicators and create entities. It + does not match any of the specific product categories like 'Enrich IOC' (which + implies reputation fetching), 'Contain Host', or 'Create Ticket'. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -446,19 +505,27 @@ Parse Case Wall Email: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Creates new entities for email participants and indicators, uploads nested attachments - to the case wall, and updates existing Filename entities with attachment IDs. + Creates new entities (User, Subject, Indicators) and updates existing FILENAME + entities with attachment IDs. + reasoning: >- + The action reads email attachments from the case wall (fetches_data=true). It + creates new entities (User, Subject, Indicators) and updates existing FILENAME + entities with attachment IDs (can_mutate_internal_data=true, can_update_entities=true). + It does not mutate external systems. categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches data (email attachments) and performs internal mutations + (creating/updating entities) to enrich the case with indicators. It does not + mutate external systems. This fits the definition of an enrichment action. entity_usage: - entity_types: - - FILENAME + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false filters_by_creation_time: false - filters_by_entity_type: true - filters_by_identifier: true + filters_by_entity_type: false + filters_by_identifier: false filters_by_is_artifact: false filters_by_is_enriched: false filters_by_is_internal: false @@ -466,6 +533,9 @@ Parse Case Wall Email: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on `target_entities` as input. It operates on attachments + found in the case/alert wall. Parse EML Base64 Blob: action_product_categories: add_alert_comment: false @@ -481,6 +551,9 @@ Parse EML Base64 Blob: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a utility for parsing EML content. It does not match any of the + defined product categories (Enrichment, Containment, Ticket management, etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -499,11 +572,11 @@ Parse EML Base64 Blob: ### General Description The **Parse EML Base64 Blob** action is a utility designed to decode a base64-encoded - string and parse its contents as an EML (Email) file. This action extracts structured - information from raw email data, including headers, metadata, and body content. - It is particularly useful in workflows where email files are passed as encoded - strings, allowing for automated analysis of sender information, recipient lists, - and message bodies without requiring external services. + string and parse its contents as an EML (Email) file. This action is used to extract + structured information from raw email data, including headers, metadata, and body + content. It is particularly useful in workflows where email files are passed as + encoded strings, allowing for automated analysis of sender information, recipient + lists, and message bodies without requiring external services. ### Parameters Description @@ -518,8 +591,8 @@ Parse EML Base64 Blob: ### Additional Notes - - This action performs local parsing using standard Python libraries and does - not interact with external APIs or Google SecOps entities. + - This action performs local parsing and does not interact with external APIs + or Google SecOps entities. - It supports recursive parsing of nested EML attachments found within the primary blob. @@ -560,8 +633,17 @@ Parse EML Base64 Blob: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action is a pure utility that parses a provided base64 string into an EML + object. It does not perform any external API calls (fetches_data=false), does + not mutate any external systems (can_mutate_external_data=false), and does not + modify any internal SOAR data such as entities, insights, or comments (can_mutate_internal_data=false). categories: enrichment: false + reasoning: >- + The action is a utility for parsing data. It does not fetch data from external + sources (not enrichment) and does not mutate any systems. Therefore, it does + not meet the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -577,6 +659,8 @@ Parse EML Base64 Blob: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not reference or process any entities from the SOAR platform. Ping: action_product_categories: add_alert_comment: false @@ -592,6 +676,9 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a health check/ping. It does not match any of the defined product + categories (e.g., Enrich IOC, Contain Host, Create Ticket, etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -644,8 +731,14 @@ Ping: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a simple connectivity check by returning a success message. + It does not fetch data, mutate external systems, or modify internal SOAR data. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action, which is explicitly excluded from enrichment + by the provided rules. It does not fetch data or perform any enrichment tasks. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -661,3 +754,6 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. The SimulationDataJson indicates + an empty list of entities, and the code does not reference target_entities. diff --git a/content/response_integrations/power_ups/email_utilities/resources/ai/integration_ai_description.yaml b/content/response_integrations/power_ups/email_utilities/resources/ai/integration_ai_description.yaml index 29179c290..16dc0deaf 100644 --- a/content/response_integrations/power_ups/email_utilities/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/power_ups/email_utilities/resources/ai/integration_ai_description.yaml @@ -7,6 +7,19 @@ product_categories: iam_and_identity_management: false itsm: false network_security: false + reasoning: >- + The integration 'email_utilities' provides a suite of tools for parsing email + files (EML/MSG) and analyzing email headers. It is classified under 'Email Security' + because its primary purpose is to assist in the investigation of email-based threats, + such as phishing reports, by parsing email content, extracting indicators, and + analyzing headers for anomalies. It is also classified under 'Threat Intelligence' + because the 'Analyze Headers' action performs external lookups (DNS, WHOIS, GeoIP, + and RBLs) to assess the reputation of relay servers and email origins, which serves + as an enrichment step for indicators. It does not meet the criteria for other + categories like SIEM, EDR, Network Security, IAM, Cloud Security, ITSM, Vulnerability + Management, Asset Inventory, or Collaboration, as it does not interact with logs, + host processes, network gateways, identity providers, cloud resources, ticketing + systems, or asset databases. siem: false threat_intelligence: true vulnerability_management: false diff --git a/content/response_integrations/power_ups/enrichment/resources/ai/actions_ai_description.yaml b/content/response_integrations/power_ups/enrichment/resources/ai/actions_ai_description.yaml index 4acf607a4..69b761684 100644 --- a/content/response_integrations/power_ups/enrichment/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/power_ups/enrichment/resources/ai/actions_ai_description.yaml @@ -13,6 +13,11 @@ Enrich Entities from List with Field: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action updates entity properties within the SOAR platform. It does not fetch + external data, nor does it perform specific product-related tasks like blocking, + ticketing, or searching. It is a generic utility for enriching entity metadata. + Therefore, it does not match any of the specific product categories. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -30,63 +35,44 @@ Enrich Entities from List with Field: ai_description: >- ### General Description - The **Enrich Entities from List with Field** action is a utility designed to bulk-update - entities within a Google SecOps case. It takes a delimited list of entity identifiers - and a specific entity type, searches for matching entities already present in - the case, and enriches them by adding or updating a custom field in their `additional_properties`. - This action is particularly useful for manual tagging or applying context derived - from external lists to existing case entities. + This action enriches specific entities within a case by adding a custom field + and value to their `additional_properties`. It is a utility action designed to + update entity metadata based on a provided list of identifiers. - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **List of Entities** | String | Yes | A delimited string containing the identifiers - (e.g., IP addresses, hostnames) of the entities to be enriched. | - - | **Entity Type** | String | Yes | The type of entities to target (e.g., ADDRESS, - HOSTNAME, USER). The action will only update entities that match this type. | + ### Flow Description - | **Entity Delimiter** | String | Yes | The character used to separate the identifiers - in the **List of Entities** parameter (default is a comma). | + 1. Parses the input `List of Entities` string using the provided `Entity Delimiter`. - | **Enrichment Field** | String | Yes | The name of the field (key) to be added - to the entity's `additional_properties`. | + 2. Retrieves all entities from the current case alerts. - | **Enrichment Value** | String | Yes | The value to be assigned to the specified - **Enrichment Field**. | + 3. Matches entities from the input list against the case entities based on identifier + and the specified `Entity Type`. + 4. Updates the `additional_properties` of the matched entities with the provided + `Enrichment Field` and `Enrichment Value`. - ### Flow Description + 5. Updates the entities in the SOAR platform. - 1. **Parsing**: The action splits the input **List of Entities** into individual - strings based on the provided **Entity Delimiter**. - 2. **Retrieval**: It retrieves all entities associated with all alerts in the - current Google SecOps case. + ### Parameters Description - 3. **Matching**: For each identifier in the parsed list, the action iterates through - the case entities to find a match. A match is confirmed if the entity's identifier - (case-insensitive) and its type both match the provided parameters. + | Parameter | Type | Mandatory | Description | - 4. **Enrichment**: For every matching entity, the action adds or updates the specified - **Enrichment Field** with the **Enrichment Value** in the entity's `additional_properties` - dictionary. + | :--- | :--- | :--- | :--- | - 5. **Update**: The action calls the internal SDK to update the modified entities - within the platform. + | List of Entities | string | Yes | A delimited list of entity identifiers to + enrich. | + | Entity Type | string | Yes | The type of entity to filter for (e.g., "ADDRESS", + "HOSTNAME"). | - ### Additional Notes + | Entity Delimiter | string | Yes | The character used to separate entities in + the list. | - - This action does not interact with external APIs; it performs internal data - manipulation within the SOAR environment. + | Enrichment Field | string | Yes | The key name for the new property. | - - If an identifier in the list does not exist in the case or does not match the - specified type, it is skipped without error. + | Enrichment Value | string | Yes | The value to assign to the new property. | capabilities: can_create_case_comments: false can_create_insight: false @@ -95,12 +81,19 @@ Enrich Entities from List with Field: can_mutate_internal_data: true can_update_entities: true external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: >- - Updates the 'additional_properties' attribute of entities within the Google - SecOps case. + Updates the `additional_properties` of entities within the case. + reasoning: >- + The action updates the `additional_properties` of entities within the case (internal + mutation). It does not fetch external data, nor does it mutate external systems. + It updates entities in the SOAR platform. categories: - enrichment: true + enrichment: false + reasoning: >- + The action updates entity fields/attributes, which is an allowed internal mutation + for enrichment actions. However, it does not fetch data from an external source, + which is a requirement for an enrichment action. entity_usage: entity_types: - ADDRESS @@ -151,6 +144,11 @@ Enrich Entities from List with Field: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over `siemplify.case.alerts` and filters entities by `identifier` + and `entity_type`. It does not use `target_entities` directly but rather searches + through all alert entities. Since it filters by `entity_type` provided as a + parameter, it supports all entity types dynamically. Enrich Entity From Event Field: action_product_categories: add_alert_comment: false @@ -166,6 +164,9 @@ Enrich Entity From Event Field: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action adds contextual metadata (from event fields) to the entity. This + matches the 'Enrich Asset' category. It does not perform any other listed actions. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -183,56 +184,42 @@ Enrich Entity From Event Field: ai_description: >- ### General Description - This action enriches entities by extracting specific field values from the first - security event associated with the current alert and mapping them to the entity's - additional properties. It is designed to propagate event-level context (such as - custom metadata, department info, or specific event tags) directly onto the entities - involved in the alert, making that data available for subsequent playbook steps - or analyst review. + This action enriches entities by extracting specific fields from the associated + security event and updating the entity's additional properties. It allows analysts + to map event-specific data (e.g., user agents, source ports, or custom metadata) + directly onto the entities involved in an alert, facilitating better context and + investigation. ### Parameters Description - | Parameter Name | Expected Type | Mandatory | Description | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Fields to enrich | String | Yes | A comma-separated list of field names (keys) - to look for in the security event's additional properties. These values will be - copied to the entity's additional properties if found. | + | Fields to enrich | string | Yes | The name of the fields in the event that will + be used to enrich the entity. Supports a comma-separated list. | ### Flow Description - 1. **Parameter Parsing**: The action retrieves the comma-separated list of field - names from the input parameter. - - 2. **Event Retrieval**: It accesses the first security event (`security_events[0]`) - associated with the current alert. - - 3. **Entity Iteration**: The action iterates through all target entities in the - current scope. + 1. The action retrieves the "Fields to enrich" parameter. - 4. **Field Mapping**: For each entity, it performs a case-insensitive check to - see if the requested fields exist within the event's additional properties. + 2. It accesses the first security event associated with the current alert. - 5. **Internal Mutation**: If matches are found, the entity's `additional_properties` - are updated with the values from the event. + 3. It iterates through all target entities provided in the action context. - 6. **Persistence**: The action calls the internal SDK method to save the updated - entity attributes back to the Google SecOps platform. + 4. For each entity, it checks if the specified fields exist in the event's additional + properties. - 7. **Result Reporting**: It returns a JSON object containing the enriched fields - and a count of how many entities were successfully updated. + 5. If a match is found, it updates the entity's `additional_properties` with the + corresponding value from the event. + 6. If any entities were updated, the action calls `update_entities` to persist + the changes in the SOAR platform. - ### Additional Notes - - - This action only looks at the **first** security event in the alert. If an alert - contains multiple events with different data, only the first one is used for enrichment. - - - The field matching is case-insensitive, but the keys are stored in lowercase - in the resulting entity properties. + 7. Finally, it returns the enriched data in the action results and completes the + execution. capabilities: can_create_case_comments: false can_create_insight: false @@ -243,10 +230,18 @@ Enrich Entity From Event Field: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates the 'additional_properties' of entities within the Google SecOps platform - using data extracted from the alert's security events. + Updates entity `additional_properties` with data extracted from the event. + reasoning: >- + The action retrieves data from the internal security event object and updates + the entity's additional properties. It does not interact with external systems. + It performs an internal mutation by updating entity fields, which is an allowed + operation for enrichment actions. categories: enrichment: true + reasoning: >- + The action fetches data from the internal event and updates entity fields. This + is a valid enrichment action as it does not mutate external systems and only + performs allowed internal mutations (updating entity fields). entity_usage: entity_types: - ADDRESS @@ -297,6 +292,9 @@ Enrich Entity From Event Field: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over all `target_entities` without filtering by type, so + it supports all entity types. Enrich Entity From JSON: action_product_categories: add_alert_comment: false @@ -308,10 +306,13 @@ Enrich Entity From JSON: disable_identity: false download_file: false enable_identity: false - enrich_asset: true - enrich_ioc: true + enrich_asset: false + enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action does not match any of the predefined product categories. It is a + generic utility action for enriching entities from a JSON input. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -327,76 +328,60 @@ Enrich Entity From JSON: update_identity: false update_ticket: false ai_description: >- - Enriches entities within Google SecOps using data provided in a JSON format. This - utility action allows users to map external data (passed as a parameter) to existing - entities in a case by matching identifiers. It flattens the provided JSON data - and adds it to the entity's additional properties, optionally applying a prefix - or filtering the data using JSONPath. + ### General Description + Enriches entities by mapping data from a provided JSON input to the entity's `additional_properties`. + This action is a utility tool that allows users to inject custom data into entities + based on a JSON structure, facilitating the association of external data with + entities within the SOAR platform. - ### Parameters Description + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Enrichment JSON | String | Yes | A JSON string representing a list of objects - containing the enrichment data. | + | Enrichment JSON | string | Yes | The JSON data containing enrichment information. + Expected to be a list of JSON objects. | - | Identifier KeyPath | String | Yes | The path to the field in the JSON that contains - the entity identifier. Supports multiple paths separated by newlines. | + | Identifier KeyPath | string | Yes | The path to the identifier within the JSON, + used to match the JSON data with the entity. | - | Separator | String | Yes | The character used to separate keys in the `Identifier - KeyPath` (default is `.`). | + | Separator | string | Yes | The separator used in the key path (e.g., "."). | - | PrefixForEnrichment | String | No | An optional prefix to prepend to the keys - added to the entity's additional properties. | + | PrefixForEnrichment | string | No | A prefix to add to the enriched field names + in the entity's `additional_properties`. | - | Enrichment JSONPath | String | No | An optional JSONPath expression to filter - or select specific parts of the JSON object for enrichment. | + | Enrichment JSONPath | string | No | A JSONPath expression to filter the data + to be added to the entity. | ### Additional Notes - - - This action is a utility for manual or automated enrichment using static or - dynamically generated JSON data within a playbook. - - - It does not interact with external APIs; all data must be provided via the `Enrichment - JSON` parameter. - - - The action flattens nested JSON structures into a single-level key-value format - suitable for entity additional properties. + This action does not perform any external API calls. It relies entirely on the + provided `Enrichment JSON` parameter to perform the enrichment. It is a utility + action for mapping data to entities. ### Flow Description + 1. The action accepts a JSON string, a key path to identify the entity, and optional + configuration (separator, prefix, JSONPath). - 1. **Parse Input:** The action parses the `Enrichment JSON` string into a list - of dictionaries. - - 2. **Identify Keys:** It processes the `Identifier KeyPath` and `Separator` to - determine how to locate identifiers within the JSON objects. - - 3. **Iterate Entities:** It iterates through all target entities in the current - SOAR context. + 2. It iterates through the target entities in the case. - 4. **Match and Extract:** For each entity, it scans the JSON list. If a matching - identifier is found (based on the provided key path), it proceeds to extract the - data. + 3. For each entity, it searches the provided JSON for a matching identifier using + the specified `Identifier KeyPath`. - 5. **Apply JSONPath (Optional):** If an `Enrichment JSONPath` is provided, the - action filters the matching JSON object to extract only the specified data. + 4. If a match is found, it extracts the relevant data (optionally using the provided + `Enrichment JSONPath`). - 6. **Flatten and Prefix:** The extracted data is flattened into a flat dictionary. - If a `PrefixForEnrichment` is specified, it is prepended to all keys. + 5. The extracted data is flattened and added to the entity's `additional_properties` + (optionally with a prefix). - 7. **Update Entities:** The entity's `additional_properties` are updated with - the processed data, and the entity is marked for update in the platform. - - 8. **Finalize:** The action concludes by updating all modified entities and returning - the total count of enriched entities. + 6. Finally, the action updates the entities in the SOAR platform with the new + properties. capabilities: can_create_case_comments: false can_create_insight: false @@ -405,12 +390,19 @@ Enrich Entity From JSON: can_mutate_internal_data: true can_update_entities: true external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: >- - Updates the 'additional_properties' of the entities within Google SecOps based - on the provided JSON data. + Updates entity `additional_properties` with data extracted from the provided + JSON. + reasoning: >- + The action updates entity `additional_properties` based on provided JSON input. + It does not fetch data from external systems (no API calls), nor does it mutate + external data. It performs internal mutation by updating entity fields. categories: - enrichment: true + enrichment: false + reasoning: >- + The action does not fetch data from an external source, which is a requirement + for the Enrichment category. It is a utility action for mapping data to entities. entity_usage: entity_types: - ADDRESS @@ -461,6 +453,9 @@ Enrich Entity From JSON: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over all `siemplify.target_entities` without applying any + filters, therefore it supports all entity types. Enrich Entity With Field: action_product_categories: add_alert_comment: false @@ -476,6 +471,10 @@ Enrich Entity With Field: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a utility for updating entity metadata. It does not perform any + of the defined product-specific actions like enriching IOCs, updating alerts, + or managing tickets. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -491,57 +490,38 @@ Enrich Entity With Field: update_identity: false update_ticket: false ai_description: >- - ### General Description + General description: - The **Enrich Entity With Field** action is a utility designed to manually or programmatically - inject custom metadata into entities within a Google SecOps case. It allows users - to define a list of key-value pairs that are then appended to the `additional_properties` - attribute of all entities currently in scope. This action is primarily used for - tagging entities with static information, organizational context, or data derived - from previous playbook steps that isn't automatically mapped by standard integrations. + This action allows users to manually enrich entities by adding custom key-value + pairs to their `additional_properties`. It is a utility action designed to update + entity metadata within the SOAR platform. - ### Parameters Description + Parameters description: | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + | --- | --- | --- | --- | - | **Fields to enrich** | string | Yes | A JSON-formatted string representing a - list of objects. Each object must contain `entity_field_name` and `entity_field_value`. - For example: `[{"entity_field_name": "Title", "entity_field_value": "SalesManager"}]`. + | Fields to enrich | string | Yes | A JSON-formatted string representing a list + of objects, where each object contains `entity_field_name` and `entity_field_value`. | - ### Flow Description - - 1. **Input Parsing**: The action retrieves the JSON string from the `Fields to - enrich` parameter and parses it into a list of dictionaries. + Flow description: - 2. **Entity Iteration**: The script iterates through every entity provided in - the `target_entities` list of the current context. + 1. Retrieve the `Fields to enrich` parameter. - 3. **Property Injection**: For each entity, the script loops through the parsed - fields and adds or updates the corresponding keys in the entity's `additional_properties` - dictionary. + 2. Parse the JSON string into a list of field objects. - 4. **Platform Update**: The action calls the `update_entities` method to persist - these changes within the Google SecOps platform. + 3. Iterate through all target entities. - 5. **Result Reporting**: The action generates a JSON result for each entity containing - the applied fields and concludes with a summary message indicating the number - of entities successfully updated. + 4. For each entity, update its `additional_properties` with the provided key-value + pairs. + 5. Update the entities in the SOAR platform. - ### Additional Notes - - - This action does not communicate with any external APIs; it only processes data - provided via parameters. - - - It modifies internal entity data within the SOAR environment by updating the - `additional_properties` field. - - - Ensure the JSON provided in the parameter is valid to avoid execution errors. + 6. Add the enrichment data to the action result. capabilities: can_create_case_comments: false can_create_insight: false @@ -552,10 +532,17 @@ Enrich Entity With Field: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Updates the 'additional_properties' attribute of entities within the Google - SecOps case to include custom key-value pairs provided in the action parameters. + Updates the `additional_properties` attribute of the target entities with user-provided + key-value pairs. + reasoning: >- + The action takes user-provided key-value pairs and updates the `additional_properties` + of the target entities. It does not fetch data from external sources, so it + is not an enrichment action. It modifies internal entity data. categories: enrichment: false + reasoning: >- + The action does not fetch data from an external source, so it does not meet + the criteria for an enrichment action. entity_usage: entity_types: - ADDRESS @@ -606,6 +593,9 @@ Enrich Entity With Field: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` without any filtering, meaning + it applies the enrichment fields to all entities provided in the action scope. Enrich Entity from Explorer Attributes: action_product_categories: add_alert_comment: false @@ -621,6 +611,11 @@ Enrich Entity from Explorer Attributes: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves contextual metadata for entities from the Entity Explorer + and updates the entity objects. This aligns with 'Enrich Asset'. It does not + perform IOC-specific threat intelligence lookups (like reputation scores), so + 'Enrich IOC' is false. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -638,59 +633,52 @@ Enrich Entity from Explorer Attributes: ai_description: >- ### General Description - Enriches entities within a Google SecOps case by retrieving historical attribute - data from the Entity Explorer. This action allows analysts to automatically populate - entity properties with previously discovered information, ensuring consistency - and providing deeper context without manual data entry. + Enriches entities with historical data retrieved from the Entity Explorer. This + action allows users to pull specific attributes associated with an entity from + the system's historical data and apply them to the current entity object within + the SOAR platform. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Configuration Extraction**: The action retrieves the 'Field Name' (a comma-delimited + list of fields) and the 'Use Field Name as Whitelist' boolean parameter. - | :--- | :--- | :--- | :--- | + 2. **Entity Iteration**: The action iterates through all entities provided in + the `target_entities` list. - | Field Name | string | False | A comma-separated list of specific fields to retrieve - from the Entity Explorer. If left empty, all available fields will be considered - based on the whitelist/denylist logic. | + 3. **Data Retrieval**: For each entity, it calls the `get_entity_data` function + to fetch historical attributes from the Entity Explorer. - | Use Field Name as Whitelist | boolean | False | Determines how the 'Field Name' - parameter is applied. If set to `true` (default), only the specified fields are - enriched. If set to `false`, the specified fields are excluded (denylist), and - all other available fields are enriched. | + 4. **Field Filtering**: It filters the retrieved fields based on the 'Field Name' + parameter, applying either a whitelist or blacklist logic depending on the 'Use + Field Name as Whitelist' setting. System fields are automatically excluded. + 5. **Entity Update**: It updates the entity's attributes or `additional_properties` + with the filtered data. - ### Flow Description + 6. **Result Reporting**: The action updates the entities in the SOAR platform + and adds the enrichment results to the action output. - 1. **Parameter Extraction:** The action retrieves the filtering logic (whitelist - vs. denylist) and the list of target field names from the user input. - 2. **Entity Iteration:** The action iterates through all entities currently associated - with the case or targeted by the playbook. + ### Parameters Description - 3. **Data Retrieval:** For each entity, it queries the internal Google SecOps - API (Entity Explorer) to fetch historical data associated with that specific entity - identifier and type. + | Parameter | Type | Mandatory | Description | - 4. **Field Filtering:** The retrieved data is filtered to exclude core system - fields (e.g., 'Type', 'Environment', 'IsInternalAsset') and then processed according - to the user-defined whitelist or denylist. + | :--- | :--- | :--- | :--- | - 5. **Entity Update:** The action updates the entity's attributes or populates - its 'additional_properties' dictionary with the filtered values. + | Field Name | string | No | A comma-delimited string of fields from the Entity + Explorer to use for enrichment. If null, all available fields are processed. | - 6. **Persistence:** Finally, the action commits the updated entity objects back - to the SecOps platform and outputs the results in JSON format. + | Use Field Name as Whitelist | boolean | No | When true, 'Field Name' acts as + a whitelist. When false, it acts as a blacklist. Defaults to true. | ### Additional Notes - - Core system fields are protected and cannot be overwritten by this action to - maintain data integrity. - - - If no fields are specified in the 'Field Name' parameter and the whitelist mode - is active, the action will attempt to enrich the entity with all available historical - fields found in the explorer. + This action performs internal updates to entity objects. It does not interact + with external third-party APIs for data retrieval, relying instead on the internal + Entity Explorer data. capabilities: can_create_case_comments: false can_create_insight: false @@ -701,10 +689,17 @@ Enrich Entity from Explorer Attributes: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity attributes and additional properties within the Google SecOps - platform using data retrieved from the Entity Explorer. + Updates entity attributes and additional_properties within the SOAR platform. + reasoning: >- + The action fetches entity data from the internal SOAR system using `get_entity_data` + and updates the entity objects within the SOAR platform using `update_entities`. + It does not interact with external systems or modify alert/case metadata. categories: enrichment: true + reasoning: >- + The action fetches data (enrichment) and updates entities (allowed internal + mutation). It does not mutate external systems. It fits the definition of an + enrichment action. entity_usage: entity_types: - ADDRESS @@ -755,6 +750,9 @@ Enrich Entity from Explorer Attributes: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over all `target_entities` without filtering by type, so + it supports all entity types. Enrich FileName Entity with Path: action_product_categories: add_alert_comment: false @@ -770,6 +768,10 @@ Enrich FileName Entity with Path: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action adds contextual metadata (file path, name, extension) to the entity, + which aligns with the 'Enrich Asset' category. It does not fetch threat intelligence + (Enrich IOC) or perform any other actions. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -787,51 +789,29 @@ Enrich FileName Entity with Path: ai_description: >- ### General Description - This action parses file paths from entity identifiers to extract and enrich the - entity with specific file metadata, including the directory path, the full filename, - and the file extension. It is designed to provide better context for entities - that represent file system locations by breaking down complex path strings into - structured data. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | None | N/A | N/A | This action does not require any input parameters. | + This action parses file path strings from entity identifiers to extract the file + name, directory path, and file extension. It then updates the entity's `additional_properties` + with these extracted details, providing enriched context for further analysis. - ### Additional Notes - - - The action automatically detects whether a path is Windows-style (e.g., starting - with a drive letter like `C:\`) or Unix-style to ensure accurate parsing. + ### Parameters - - Enrichment only occurs if a directory path is successfully identified within - the entity's identifier; simple filenames without paths may not be enriched depending - on the environment context. - - - Extracted data is stored in the entity's `additional_properties` field, making - it available for downstream playbooks and searches. + There are no parameters for this action. ### Flow Description - 1. **Retrieve Entities**: The action fetches all target entities from the current - SecOps context. + 1. The action iterates through all target entities provided in the playbook. - 2. **Path Parsing**: For each entity, the identifier is analyzed using regex and - path utilities to determine if it contains a valid file path. + 2. For each entity, it uses `ntpath` (for Windows-style paths) or `os.path` (for + POSIX-style paths) to parse the identifier. - 3. **Metadata Extraction**: If a path is found, the logic splits the identifier - into the directory path, the filename, and the file extension. + 3. It extracts the `file_name`, `file_path`, and `file_extension` from the identifier. - 4. **Internal Enrichment**: The extracted metadata (file_name, file_path, file_extension) - is added to the entity's `additional_properties` attribute. + 4. The extracted details are added to the entity's `additional_properties`. - 5. **Update and Report**: The action updates the entities within Google SecOps - and returns a JSON summary of the enriched data for all processed entities. + 5. The action updates the entities in the SOAR platform and adds a JSON result + containing the parsed information. capabilities: can_create_case_comments: false can_create_insight: false @@ -840,12 +820,20 @@ Enrich FileName Entity with Path: can_mutate_internal_data: true can_update_entities: true external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: >- - Updates the 'additional_properties' attribute of entities with parsed file path, - name, and extension. + Updates the entity's `additional_properties` with parsed file path details. + reasoning: >- + The action performs local string manipulation on entity identifiers to extract + file path components. It updates the entity's `additional_properties` within + the SOAR platform. It does not interact with external systems or fetch external + data. categories: enrichment: true + reasoning: >- + The action updates entity attributes (enriching the entity's profile) without + modifying external systems or fetching external data. This fits the definition + of an enrichment action. entity_usage: entity_types: - ADDRESS @@ -896,6 +884,10 @@ Enrich FileName Entity with Path: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` without any type-based filtering. + Therefore, it is technically applicable to all entity types, although it is + logically intended for file-related entities. Enrich Source and Destinations: action_product_categories: add_alert_comment: false @@ -911,6 +903,10 @@ Enrich Source and Destinations: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action adds contextual metadata ('isSource' or 'isDest') to entities, which + aligns with the 'Enrich Asset' category. It does not fetch threat intelligence + (Enrich IOC), nor does it perform any other listed operations. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -926,53 +922,39 @@ Enrich Source and Destinations: update_identity: false update_ticket: false ai_description: >- - ### General Description - - This action enriches entities within a Google SecOps alert by identifying their - roles as either a source or a destination. It retrieves detailed alert context - via the Chronicle SOAR API, parses the security event data to find source and - destination identifiers, and then updates the corresponding entities' metadata - with specific flags (`isSource` or `isDest`). This provides analysts with immediate - visual context regarding the directionality of network traffic or events directly - on the entity objects. + Enriches entities within the current alert by identifying them as sources or destinations + based on the alert's event data. This action parses the alert's security event + cards to extract source and destination identifiers, then updates the corresponding + entities in the SOAR platform with contextual metadata. - ### Parameters Description - - | Parameter Name | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | None | N/A | N/A | This action does not require any input parameters. | - + ### Flow Description - ### Additional Notes + 1. **Fetch Alert Data**: Retrieves the current alert's details from the SOAR platform + using `get_investigator_data`. - - The action specifically targets entities associated with the current alert. + 2. **Parse Event Data**: Extracts lists of source and destination identifiers + from the alert's `securityEventCards` or fields. - - It uses case-insensitive matching to link alert metadata identifiers to SecOps - entities. + 3. **Identify Entities**: Iterates through all entities associated with the current + alert. - - While the action logic is generic, it is primarily intended for IP (ADDRESS) - and HOSTNAME entities as per the integration's design. + 4. **Update Entities**: Compares entity identifiers against the extracted source + and destination lists. If a match is found, it updates the entity's `additional_properties` + with `isSource: "true"` or `isDest: "true"`. + 5. **Commit Changes**: Updates the modified entities in the SOAR platform. - ### Flow Description - 1. **Fetch Context:** The action calls the Chronicle SOAR API to retrieve the - full investigator data for the current alert. + ### Parameters - 2. **Parse Metadata:** It extracts source and destination identifiers from the - alert's `securityEventCards` or field groups. + There are no input parameters for this action. - 3. **Match Entities:** It iterates through all entities associated with the alert - and compares their identifiers with the extracted source/destination lists. - 4. **Update Attributes:** For every match found, it updates the entity's `additional_properties` - with `isSource: true` or `isDest: true`. + ### Additional Notes - 5. **Commit Changes:** The updated entity objects are sent back to the SecOps - platform to persist the enrichment. + This action performs internal enrichment by updating entity attributes based on + existing alert data. It does not interact with external systems. capabilities: can_create_case_comments: false can_create_insight: false @@ -983,10 +965,17 @@ Enrich Source and Destinations: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates the 'additional_properties' of entities within the SecOps case to flag - them as sources or destinations based on alert metadata. + Updates entity 'additional_properties' to include 'isSource' or 'isDest' flags. + reasoning: >- + The action fetches alert data from the internal SOAR platform to identify sources + and destinations. It then updates the entity's `additional_properties` attribute + within the SOAR platform. It does not interact with or mutate any external systems. categories: enrichment: true + reasoning: >- + The action fetches internal alert data and updates entity attributes (enrichment). + It does not mutate external systems, nor does it perform forbidden internal + mutations. It meets the criteria for an enrichment action. entity_usage: entity_types: - ADDRESS @@ -1025,11 +1014,11 @@ Enrich Source and Destinations: - USB - USERUNIQNAME filters_by_additional_properties: false - filters_by_alert_identifier: true + filters_by_alert_identifier: false filters_by_case_identifier: false filters_by_creation_time: false filters_by_entity_type: false - filters_by_identifier: true + filters_by_identifier: false filters_by_is_artifact: false filters_by_is_enriched: false filters_by_is_internal: false @@ -1037,6 +1026,11 @@ Enrich Source and Destinations: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over all entities in the current alert using `get_alert_entities(siemplify)` + and updates those that match the source or destination identifiers found in + the alert data. It does not apply any type-based filtering, so it supports all + entity types. Mark Entity as Suspicious: action_product_categories: add_alert_comment: false @@ -1052,6 +1046,10 @@ Mark Entity as Suspicious: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action updates the `is_suspicious` flag on entities within the SOAR platform. + It does not match any of the provided categories, as it is an internal entity + update rather than an enrichment, containment, or ticket management action. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1067,41 +1065,24 @@ Mark Entity as Suspicious: update_identity: false update_ticket: false ai_description: >- - ### General Description - - This action marks all entities within the current scope as suspicious in Google - SecOps. It is a utility action used to programmatically flag entities for further - investigation or to trigger subsequent automated workflows that filter for suspicious - indicators. - - - ### Parameters Description - - There are no parameters for this action. - + Marks entities as suspicious within the Google SecOps platform. This action updates + the `is_suspicious` attribute of all entities in the current scope to `True`. - ### Flow Description - 1. **Initialization**: The action initializes the Siemplify API to access the - current case context. + ### Flow - 2. **Entity Iteration**: The script iterates through every entity currently present - in the action's scope (`target_entities`). + 1. Iterate through all entities provided in the action's scope. - 3. **Flag Modification**: For each entity, the `is_suspicious` attribute is set - to `True`. + 2. Update the `is_suspicious` attribute of each entity to `True`. - 4. **Internal Update**: The action calls the internal update method to commit - these changes to the Google SecOps platform. + 3. Update the entities in the SecOps platform using `siemplify.update_entities`. - 5. **Completion**: The action concludes by returning the total count of entities - that were successfully updated. + 4. Return a completion message indicating the number of entities updated. - ### Additional Notes + ### Parameters - This action does not interact with any external APIs or services. It only modifies - the internal state of entities within the SOAR platform. + There are no parameters for this action. capabilities: can_create_case_comments: false can_create_insight: false @@ -1112,10 +1093,17 @@ Mark Entity as Suspicious: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Updates the 'is_suspicious' attribute of entities within the Google SecOps platform - to True. + Updates the `is_suspicious` flag of entities within the SOAR platform. + reasoning: >- + The action iterates over `siemplify.target_entities` and sets `entity.is_suspicious + = True`. It then calls `siemplify.update_entities(updated_entities)`. It does + not fetch data from external sources, nor does it mutate external systems. It + only modifies the internal entity state within the SOAR platform. categories: enrichment: false + reasoning: >- + The action does not fetch data from any external or internal source, which is + a requirement for an enrichment action. Therefore, it is not classified as enrichment. entity_usage: entity_types: - ADDRESS @@ -1166,6 +1154,9 @@ Mark Entity as Suspicious: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` without any filtering, meaning + it processes all entity types provided in the scope. Ping: action_product_categories: add_alert_comment: false @@ -1181,6 +1172,9 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity check ('Ping') and does not perform any of the + defined product category operations (enrichment, containment, ticketing, etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1196,34 +1190,12 @@ Ping: update_identity: false update_ticket: false ai_description: >- - ### General Description - - Verifies the connectivity and functional status of the integration within the - Google SecOps environment. This action serves as a basic health check to ensure - that the integration is correctly configured and that the SOAR platform can successfully - execute scripts associated with this integration. - - - ### Parameters Description - - There are no parameters for this action. - - - ### Additional Notes - - This action does not interact with any external APIs, nor does it process or enrich - any entities. It is strictly used for connectivity validation. - - - ### Flow Description - - 1. **Initialization**: The action initializes the Siemplify SOAR SDK environment. - - 2. **Connectivity Check**: The script executes a simple internal check to confirm - the integration environment is responsive. - - 3. **Completion**: The action terminates immediately, returning a success message - "Siemplify is connected" to the case wall. + This action verifies the connectivity between the Google SecOps SOAR platform + and the integration. It serves as a health check to ensure the integration is + properly configured and reachable. ### Parameters There are no parameters for + this action. ### Flow Description 1. The action initializes the SiemplifyAction + module. 2. It immediately terminates the execution with a success message, confirming + that the connection is established. capabilities: can_create_case_comments: false can_create_insight: false @@ -1234,8 +1206,14 @@ Ping: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action is a simple connectivity check. It does not fetch data, mutate external + or internal systems, or interact with entities. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action. Per the guidelines, Ping actions are explicitly + excluded from being categorized as enrichment actions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1251,6 +1229,8 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not reference target_entities or perform any operations on entities. Whois: action_product_categories: add_alert_comment: false @@ -1266,6 +1246,10 @@ Whois: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves reputation, registration, and geolocation data for indicators + (IPs, Domains). This directly matches the 'Enrich IOC' category. It does not + perform containment, ticketing, or other management operations. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1283,65 +1267,62 @@ Whois: ai_description: >- ### General Description - The **Whois** action queries WHOIS servers to retrieve registration information - for various entity types, including IP Addresses, URLs, Emails, and Domains. It - provides contextual data such as domain age, creation dates, and registrar details. - Additionally, it performs geolocation lookups for IP addresses and can automatically - create and link new DOMAIN entities to the case based on extracted data. + The Whois action queries WHOIS servers and IP geolocation services to retrieve + registration and location information for various entity types, including IP Addresses, + URLs, Email addresses, and Domains. It enriches these entities with metadata such + as geolocation (city, country, coordinates) and domain registration details (creation + date, age). Additionally, it supports the creation of linked DOMAIN entities and + can mark entities as suspicious based on a configurable domain age threshold. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Create Entities** | boolean | No | If set to `true`, the action will create - new DOMAIN entities extracted from URLs or Email addresses and link them to the - original entity. Default is `true`. | + | Create Entities | boolean | false | If set to true, the action will create and + link new DOMAIN entities to the original URL, Email, or User entities. | - | **Domain Age Threshold** | string | No | Specifies a threshold in days. If a - domain's age is less than this value, the entity will be marked as suspicious. - If set to `0` or left empty, this check is disabled. | + | Domain Age Threshold | string | false | Domains with an age (in days) less than + this value will be marked as suspicious. | - ### Flow Description + ### Additional Notes - 1. **Parameter Extraction:** Retrieves the `Create Entities` toggle and the `Domain - Age Threshold` value from the action parameters. + - The action processes entities based on their type. IP Addresses are processed + via RDAP and geolocation services, while other types (Domains, URLs, Emails) are + processed via WHOIS lookups. - 2. **Entity Iteration:** Processes each target entity associated with the action. + - If 'Create Entities' is enabled, the action may generate new DOMAIN entities + in the case. - 3. **IP Enrichment:** For `ADDRESS` entities, the action performs an RDAP lookup - using the `IPWhois` library and a geolocation lookup via the DB-IP API to retrieve - city, region, and country data. - 4. **Domain/URL/Email Enrichment:** For other entities, the action extracts the - registered domain using `tldextract` and performs a WHOIS lookup. It calculates - the domain's age in days based on the creation date. + ### Flow Description - 5. **Entity Creation & Linking:** If `Create Entities` is enabled and a domain - is extracted from a URL or Email, a new `DOMAIN` entity is created in the case - and linked to the source entity. + 1. **Initialization**: The action initializes the `SiemplifyAction` and extracts + configuration parameters ('Create Entities', 'Domain Age Threshold'). - 6. **Internal Data Enrichment:** Updates the entities' `additional_properties` - with the retrieved WHOIS and geolocation data (prefixed with "WHOIS"). + 2. **Entity Processing**: The action iterates through all target entities in the + case. - 7. **Suspicious Status Evaluation:** Compares the calculated domain age against - the `Domain Age Threshold`. If the domain is younger than the threshold, the entity - is marked as suspicious. + 3. **IP Enrichment**: If the entity is an 'ADDRESS', it performs an RDAP lookup + and retrieves geolocation data using the `DbIpCity` service. - 8. **Finalization:** Updates the entities within Google SecOps and returns a JSON - result containing the full WHOIS and geolocation data. + 4. **Domain/Other Enrichment**: If the entity is not an 'ADDRESS', it extracts + the domain and performs a WHOIS lookup. It calculates the domain age in days. + 5. **Entity Creation**: If 'Create Entities' is enabled, it creates a new DOMAIN + entity linked to the original entity. - ### Additional Notes + 6. **Entity Update**: The action updates the original entities with the retrieved + WHOIS and geolocation data in their `additional_properties`. - - This action requires outbound network connectivity to WHOIS servers and the - `api.db-ip.com` endpoint. + 7. **Suspicious Marking**: If the domain age is below the 'Domain Age Threshold', + the entity is marked as suspicious. - - The `Domain Age Threshold` is treated as an integer during logic execution; - non-numeric strings may cause the threshold check to be skipped. + 8. **Finalization**: The action updates the entities in the SOAR platform and + adds the full result JSON to the action output. capabilities: can_create_case_comments: false can_create_insight: false @@ -1352,16 +1333,25 @@ Whois: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Creates new DOMAIN entities and links them to the original entities if 'Create - Entities' is enabled. Updates entity attributes including suspicious status, - enriched status, and additional properties. + The action creates new DOMAIN entities and updates existing entities with enriched + metadata (WHOIS/Geo) and suspicious status. + reasoning: >- + The action fetches external data (WHOIS, IP geolocation) and updates internal + SOAR entities (adding properties, marking as suspicious, creating new entities). + It does not mutate external systems (read-only). It performs internal mutations + by creating and updating entities. categories: - enrichment: false + enrichment: true + reasoning: >- + The action is designed to fetch supplemental context (WHOIS/Geo) for entities. + It does not mutate external systems. It performs allowed internal mutations + (updating entities, creating entities). Therefore, it qualifies as an enrichment + action. entity_usage: entity_types: - ADDRESS - - DestinationURL - DOMAIN + - DestinationURL - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false @@ -1376,3 +1366,8 @@ Whois: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over all target entities. It explicitly checks for 'ADDRESS' + entity types to apply specific logic, while treating others as domains. It supports + ADDRESS, DOMAIN, DestinationURL, and USERUNIQNAME types based on the description + and logic. diff --git a/content/response_integrations/power_ups/enrichment/resources/ai/integration_ai_description.yaml b/content/response_integrations/power_ups/enrichment/resources/ai/integration_ai_description.yaml index 2337bb28c..f526738d8 100644 --- a/content/response_integrations/power_ups/enrichment/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/power_ups/enrichment/resources/ai/integration_ai_description.yaml @@ -7,6 +7,19 @@ product_categories: iam_and_identity_management: false itsm: false network_security: false - siem: true + reasoning: >- + The integration provides a suite of utility actions for enriching entities within + the SOAR platform. The 'Whois' action performs external lookups for IP and domain + registration and geolocation data, which qualifies it for the 'Threat Intelligence' + category as it provides reputation-related context for external indicators. Several + other actions, such as 'Enrich Entity from Explorer Attributes', 'Enrich Source + and Destinations', and 'Enrich Entity From Event Field', retrieve internal context + (from security events or the entity explorer) to populate entity metadata. This + aligns with the 'Asset Inventory' category, as these actions provide deeper context + about the assets involved in an investigation. The integration does not perform + actions related to SIEM (log searching), EDR (host containment), Network Security + (blocking traffic), Email Security, IAM, Cloud Security, ITSM, Vulnerability Management, + or Collaboration. + siem: false threat_intelligence: true vulnerability_management: false diff --git a/content/response_integrations/power_ups/file_utilities/resources/ai/actions_ai_description.yaml b/content/response_integrations/power_ups/file_utilities/resources/ai/actions_ai_description.yaml index bac88a24d..3f743586f 100644 --- a/content/response_integrations/power_ups/file_utilities/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/power_ups/file_utilities/resources/ai/actions_ai_description.yaml @@ -1,6 +1,6 @@ Add Attachment: action_product_categories: - add_alert_comment: true + add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false contain_host: false @@ -13,6 +13,10 @@ Add Attachment: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action adds an attachment to the case wall. This does not align with any + of the provided categories (e.g., Enrich IOC, Create Ticket, etc.), as it is + a specific case management utility. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -28,54 +32,51 @@ Add Attachment: update_identity: false update_ticket: false ai_description: >- - Adds a file attachment to the case wall of the current Google SecOps case. This - action allows analysts to programmatically upload evidence, logs, or reports directly - to the case timeline by providing the file content in Base64 format. It supports - marking attachments as favorites and adding descriptive metadata to the case wall - entry. + ### General Description + This action adds a file attachment to the Google SecOps case wall. It allows users + to upload files (provided as Base64 encoded strings) directly to the case, facilitating + evidence management and documentation within the platform. - ### Parameters - | Parameter | Description | Type | Mandatory | Notes | + ### Flow Description - | :--- | :--- | :--- | :--- | :--- | + 1. The action retrieves the provided parameters: Name, Base64 Blob, Type, Description, + and IsFavorite status. - | Name | The name of the attachment file. | string | True | This will be the filename - displayed in the case wall. | + 2. It constructs a `CaseWallAttachment` object using the provided details and + the current case identifier. - | IsFavorite | Whether the attachment should be marked as a favorite in the case - wall. | boolean | False | Defaults to false if not provided. | + 3. The action calls the internal SOAR API `save_attachment_to_case_wall` to upload + the file to the case wall. - | Base64 Blob | The actual content of the attachment encoded in Base64. | string - | True | Ensure the string is a valid Base64 representation of the file. | + 4. Upon success, it returns the attachment metadata as a JSON result. - | Type | The file extension or type of the attachment (e.g., .txt, .pdf, .png). - | string | True | Used to identify the file format. | - | Description | A brief description of the attachment's purpose or content. | - string | True | This text appears alongside the attachment in the case wall. | + ### Parameters Description + | Parameter | Type | Mandatory | Description | - ### Flow Description + | :--- | :--- | :--- | :--- | + + | Name | string | Yes | The name of the attachment. | - 1. **Parameter Extraction:** The action retrieves the filename, Base64 content, - file type, description, and favorite status from the input parameters. + | Base64 Blob | string | Yes | The attachment's content encoded in Base64. | - 2. **Context Retrieval:** It identifies the current case ID from the active Google - SecOps environment. + | Type | string | Yes | The file extension or type (e.g., .txt). | - 3. **Attachment Construction:** A `CaseWallAttachment` data model is created using - the provided inputs. + | Description | string | Yes | A description of the attachment. | - 4. **Internal API Call:** The action invokes the internal SOAR API (`save_attachment_to_case_wall`) - to upload the file content and metadata to the case wall. + | IsFavorite | boolean | No | Whether the attachment is marked as a favorite in + the case wall. Defaults to false. | - 5. **Result Processing:** Upon successful upload, the action parses the API response - to return detailed metadata about the new attachment, including its unique ID - and creation timestamps. + + ### Additional Notes + + This action does not interact with external systems and is strictly used for internal + case management within Google SecOps. capabilities: - can_create_case_comments: true + can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false @@ -84,10 +85,16 @@ Add Attachment: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Adds a file attachment to the case wall of the current Google SecOps case, creating - a new entry in the case timeline. + Adds a new attachment to the case wall within the SOAR platform. + reasoning: >- + The action interacts with the internal SOAR API to upload a file to the case + wall. It does not fetch external data or mutate external systems. It mutates + internal SOAR data by creating a new attachment record. categories: enrichment: false + reasoning: >- + The action does not fetch data from external sources, nor does it perform any + enrichment tasks. It is a utility action for case management. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -103,6 +110,9 @@ Add Attachment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on specific entities; it operates on the case level + using the case identifier. Add Entity to File: action_product_categories: add_alert_comment: false @@ -118,6 +128,11 @@ Add Entity to File: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action performs a local file operation to append entity identifiers. It + does not interact with any external security products, ticketing systems, or + identity providers, nor does it modify alert or case data. Therefore, it does + not match any of the defined product categories. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -133,26 +148,39 @@ Add Entity to File: update_identity: false update_ticket: false ai_description: >- - ### General Description\nThis action adds the identifier of target entities to - a local file stored on the system. It is primarily used for tracking entities - across different executions or playbooks. The action ensures that each entity - identifier is only added once; if an entity already exists in the file, it is - skipped, and the action's final result value is set to False to indicate that - not all entities were newly added.\n\n### Parameters Description\n| Parameter - | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Filename - | String | Yes | The name of the file (located in /tmp/) where the entity identifiers - will be stored. |\n\n### Flow Description\n1. **Parameter Extraction:** The action - retrieves the `Filename` parameter.\n2. **File Access:** It attempts to open and - lock the specified file in the `/tmp/` directory to prevent concurrent access - issues.\n3. **Entity Processing:** It iterates through all target entities in - the current context.\n4. **Duplicate Check:** For each entity, it checks if the - identifier already exists in the file's content.\n5. **File Update:** If the identifier - is new, it is added to the list. If it already exists, the action logs the occurrence - and prepares to return a False result.\n6. **Finalization:** The updated list - is written back to the file, the lock is released, and the action completes with - a summary message.\n\n### Additional Notes\n- The file is stored in the `/tmp/` - directory of the execution environment.\n- The action uses a file-locking mechanism - to ensure data integrity during concurrent executions. + ### General Description + + This action appends the identifier of target entities to a specified local file + on the SOAR server. It ensures uniqueness by checking if the entity identifier + already exists in the file before adding it. This is useful for maintaining local + lists of entities for further processing or auditing. + + + ### Parameters + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Filename | string | Yes | The name of the file to write the entities to. | + + + ### Flow Description + + 1. Extract the `Filename` parameter from the action configuration. + + 2. Initialize the `EntityFileManager` to handle file locking and access, ensuring + thread-safe operations. + + 3. Iterate through the `target_entities` provided in the action. + + 4. For each entity, check if its identifier is already present in the file. + + 5. If the identifier is not present, append it to the file. + + 6. If the identifier is already present, log the occurrence and skip adding it. + + 7. Finalize the action with a summary of added entities and the execution status. capabilities: can_create_case_comments: false can_create_insight: false @@ -163,8 +191,17 @@ Add Entity to File: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a local file operation on the SOAR server. It does not fetch + data from external APIs (fetches_data=false), does not mutate external systems + (can_mutate_external_data=false), and does not modify SOAR case data such as + entities, insights, or alert data (can_mutate_internal_data=false). categories: enrichment: false + reasoning: >- + The action does not fetch data from any external or internal source, nor does + it perform any enrichment. It performs a local file operation, which does not + meet the criteria for an enrichment action. entity_usage: entity_types: - ADDRESS @@ -215,6 +252,9 @@ Add Entity to File: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` without any filtering, meaning + it processes all entity types provided in the action. Count Files: action_product_categories: add_alert_comment: false @@ -230,6 +270,10 @@ Count Files: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a utility for counting files on the local filesystem. It does + not perform any of the defined product category operations such as enrichment, + containment, ticketing, or alert management. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -245,58 +289,48 @@ Count Files: update_identity: false update_ticket: false ai_description: >- - ### General Description + The 'Count Files' action performs a local filesystem operation to count the number + of files within a specified directory that match a given file extension. This + utility action is useful for verifying the presence or volume of files on the + SOAR worker node. - The **Count Files** action is a utility designed to calculate the total number - of files within a specified directory. It allows users to filter results based - on file extensions and provides the option to perform a recursive search through - subdirectories. This is particularly useful for monitoring directory growth, verifying - file transfers, or identifying the presence of specific file types in a filesystem. + ### Flow Description - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | + 1. **Parameter Extraction**: The action retrieves the 'Folder' path, 'Is Recursive' + flag, and 'File Extension' from the action configuration. - | Folder | String | Yes | The directory path where the file count should be performed. - | + 2. **Path Construction**: It constructs the full search path using the provided + folder and extension (defaulting to '*.*' if no extension is provided). - | File Extension | String | No | A glob-style pattern (e.g., `*.txt` or `*.log`) - used to filter the files. If left empty, the action defaults to `*.*` (counting - all files). | + 3. **File Counting**: It utilizes the `glob` library to identify and count all + files matching the criteria, optionally traversing subdirectories if 'Is Recursive' + is enabled. - | Is Recursive | Boolean | No | If enabled (`true`), the action will search for - matching files in the specified folder and all of its subdirectories. Defaults - to `false`. | + 4. **Result Reporting**: The action returns the total count of files found as + the execution result. - ### Additional Notes - - - The action uses the standard Python `glob` library for pattern matching. + ### Parameters - - If the provided folder path does not exist or is inaccessible, the action will - return a count of 0 or fail depending on environment permissions. + | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Flow Description + | Folder | string | Yes | The absolute or relative path of the folder to search. + | - 1. **Initialization:** The action extracts the `Folder`, `File Extension`, and - `Is Recursive` parameters from the input. + | File Extension | string | No | The file extension to filter by (e.g., '*.txt'). + Defaults to '*.*'. | - 2. **Path Preparation:** If no file extension is provided, it defaults to `*.*`. - It then constructs a full search path by joining the folder and the extension - pattern. + | Is Recursive | boolean | No | If enabled, the action will recursively count + files in all subdirectories. Defaults to 'false'. | - 3. **File Search:** The action executes a search using the `glob` module, applying - the recursion flag if specified. - 4. **Result Calculation:** It determines the length of the list of discovered - files. + ### Additional Notes - 5. **Execution Completion:** The action returns the total count as the final result - and completes with a success state. + This action operates strictly on the local filesystem of the SOAR worker node + and does not interact with external APIs or internal case data. capabilities: can_create_case_comments: false can_create_insight: false @@ -305,10 +339,19 @@ Count Files: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a local filesystem operation using the `glob` library to + count files. It does not interact with any external APIs, modify external systems, + or update internal SOAR data (entities, insights, or comments). Therefore, it + has no mutation or enrichment capabilities. categories: enrichment: false + reasoning: >- + The action does not fetch contextual data for entities or alerts, nor does it + modify internal or external state. It is a utility action for local file counting + and does not meet the criteria for an Enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -324,6 +367,9 @@ Count Files: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `target_entities` or any entity-related data + models. It operates solely on a provided file path string. Create Archive: action_product_categories: add_alert_comment: false @@ -339,6 +385,9 @@ Create Archive: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + This action is a file utility for creating archives. It does not perform any + of the listed security operations (enrichment, containment, ticketing, etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -356,73 +405,65 @@ Create Archive: ai_description: >- ### General Description - The **Create Archive** action is a utility designed to package files or directories - into a compressed archive format directly on the Google SecOps (Chronicle) server. - It supports multiple archive formats including ZIP and various TAR configurations. - This action is primarily used for organizing forensic artifacts, preparing logs - for export, or consolidating multiple files into a single container for subsequent - processing steps. + This action creates an archive file (e.g., zip, tar) from a provided list of files + or a directory. It is a utility action designed to package data for further processing + or storage. - ### Parameters Description + ### Flow Description - | Parameter Name | Type | Mandatory | Description | + 1. Extract parameters: `Archive Type`, `Archive Input`, and `Archive Base Name`. - | :--- | :--- | :--- | :--- | + 2. Validate and create the destination directory if it does not exist. - | **Archive Type** | Dropdown | Yes | Specifies the compression format. Supported - values: `zip`, `tar` (uncompressed), `gztar` (gzip), `bztar` (bzip2), and `xztar` - (xz). | + 3. If the input is a directory, archive it directly. - | **Archive Base Name** | String | Yes | The desired name for the resulting archive - file (do not include the file extension). | + 4. If the input is a list of files, copy them to a temporary directory, archive + the temporary directory, and then remove the temporary directory. - | **Archive Input** | String | Yes | A comma-separated list of absolute file paths - or a single directory path to be archived. | + 5. Return the path of the created archive file. - ### Flow Description + ### Parameters Description - 1. **Parameter Extraction:** The action retrieves the archive format, the base - name for the output file, and the input paths (files or directory) from the user - configuration. + | Parameter | Type | Mandatory | Description | - 2. **Environment Preparation:** It checks for the existence of the default destination - directory (`/opt/siemplify/siemplify_server/Scripting/FileUtilities/Archives`) - on the server and creates it if it does not exist. + | :--- | :--- | :--- | :--- | - 3. **Input Validation:** The action determines if the provided input is a single - directory or a list of individual files. + | Archive Type | ddl | Yes | The format of the archive to create (zip, tar, gztar, + bztar, xztar). | - 4. **Archiving Logic:** - * If a **directory** is provided, it archives the entire directory structure. - * If a **list of files** is provided, it copies the files to a temporary directory, - archives that directory, and then cleans up the temporary files. - 5. **Completion:** Upon success, the action returns the full file path of the - newly created archive and provides a JSON result containing the success status - and the archive location. + | Archive Base Name | string | Yes | The name of the archive file to be created, + excluding the extension. | + | Archive Input | string | Yes | A comma-delimited list of files or a directory + path to be archived. | - ### Additional Notes - * This action operates on the local filesystem of the SOAR server. Ensure that - the paths provided in **Archive Input** are accessible by the SOAR execution environment. + ### Additional Notes - * The resulting archive is stored in a specific internal directory: `/opt/siemplify/siemplify_server/Scripting/FileUtilities/Archives`. + This action performs local file system operations on the SOAR server. It does + not interact with external APIs or modify SOAR case data. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null fetches_data: false - internal_data_mutation_explanation: >- - Creates a directory and an archive file on the local SOAR server's filesystem - at /opt/siemplify/siemplify_server/Scripting/FileUtilities/Archives. + internal_data_mutation_explanation: null + reasoning: >- + The action performs local file system operations (creating an archive) on the + SOAR server. It does not interact with external APIs, fetch data, or modify + SOAR case data/entities. categories: enrichment: false + reasoning: >- + The action is a file utility that creates archives. It does not fetch data from + external sources, nor does it modify internal SOAR data or entities. Therefore, + it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -438,6 +479,9 @@ Create Archive: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with entities. It operates on file paths provided + as input parameters. Create Hash From Base64: action_product_categories: add_alert_comment: false @@ -453,6 +497,10 @@ Create Hash From Base64: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action performs a local computation (hashing) on provided input strings. + It does not interact with external systems, fetch threat intelligence, or modify + case data. It does not fit any of the defined categories. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -467,65 +515,22 @@ Create Hash From Base64: update_email: false update_identity: false update_ticket: false - ai_description: >- - ### General Description - - The **Create Hash From Base64** action is a utility designed to generate cryptographic - hashes from one or more Base64 encoded strings. This is particularly useful for - identifying files or data payloads when only the encoded content is available. - The action supports multiple hashing algorithms and can process a list of strings - in a single execution. - - - ### Parameters Description - - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **Base64** | Content | Yes | One or more Base64 encoded strings to be hashed. - Multiple strings should be separated by the 'Base64 Separator'. | - - | **Hash Algorythm** | DDL | Yes | The cryptographic hash function to apply (e.g., - md5, sha1, sha256, sha512). | - - | **Names** | String | No | An optional list of names (like filenames) to associate - with each Base64 string. Must match the count of Base64 strings. | - - | **Names Separator** | String | Yes | The character used to separate the list - of names (default is ','). | - - | **Include Base64** | Boolean | No | If set to 'true', the original Base64 input - string will be included in the output JSON. | - - | **Base64 Separator** | String | Yes | The character used to separate the input - Base64 strings (default is ','). | - - - ### Flow Description - - 1. **Input Parsing:** The action retrieves the Base64 strings and optional names - from the parameters, splitting them into lists based on the provided separators. - - 2. **Decoding:** Each string is decoded from Base64 format into raw bytes using - the standard base64 library. - - 3. **Hashing:** The selected hashing algorithm is dynamically invoked from the - `hashlib` library and applied to the decoded bytes to produce a hexadecimal digest. - - 4. **Result Compilation:** A dictionary is created for each input, containing - the calculated hash, the algorithm name, and optionally the name and original - Base64 string. - - 5. **Output:** The resulting list of hash objects is returned as a JSON result - and added to the action's execution context. - - - ### Additional Notes - - If the 'Names' parameter is provided, ensure that the number of names matches - the number of Base64 strings to ensure correct mapping in the output. + ai_description: "This action calculates cryptographic hashes for provided base64-encoded\ + \ strings. It is a utility action used to generate hashes (e.g., MD5, SHA256)\ + \ from raw data represented in base64 format. \n\n### Parameters\n| Name | Type\ + \ | Mandatory | Description |\n| --- | --- | --- | --- |\n| Base64 | content |\ + \ Yes | One or more base64 encoded strings. Strings should be separated by the\ + \ defined separator. |\n| Hash Algorythm | ddl | Yes | The algorithm to use (e.g.,\ + \ sha1, sha256, md5). |\n| Names | string | No | List of names identifying the\ + \ base64 strings. |\n| Names Separator | string | Yes | A character to separate\ + \ the list of names by. |\n| Include Base64 | boolean | No | Include the base64\ + \ input strings in the output. |\n| Base64 Separator | string | Yes | A character\ + \ to separate the base64 strings by. |\n\n### Flow Description\n1. The action\ + \ accepts base64 strings and a hash algorithm as input parameters.\n2. It decodes\ + \ the provided base64 strings.\n3. It computes the hash of the decoded data using\ + \ the specified algorithm (e.g., sha1, sha256, md5).\n4. The action returns the\ + \ resulting hashes, optionally including the original base64 strings and associated\ + \ names, in the action results." capabilities: can_create_case_comments: false can_create_insight: false @@ -536,8 +541,16 @@ Create Hash From Base64: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a local cryptographic hash calculation on provided input + strings. It does not fetch data from external sources, mutate external systems, + or modify internal SOAR data (entities, insights, or comments). categories: enrichment: false + reasoning: >- + The action does not fetch data from an external or internal source; it performs + a local computation on provided input parameters. Therefore, it does not meet + the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -553,6 +566,10 @@ Create Hash From Base64: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action operates solely on input parameters provided by the user and does + not interact with the `siemplify.target_entities` object. Therefore, it does + not process any entity types. Decode Base64: action_product_categories: add_alert_comment: false @@ -568,6 +585,10 @@ Decode Base64: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + This action is a utility for decoding strings. It does not perform any of the + defined product-specific operations such as enrichment, containment, ticketing, + or alert management. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -585,46 +606,35 @@ Decode Base64: ai_description: >- ### General Description - The **Decode Base64** action is a utility designed to convert Base64 encoded strings - back into their original text format. It allows users to specify the character - encoding (UTF-8 or ASCII) to ensure the resulting string is correctly interpreted. - This is particularly useful for decoding obfuscated data found in logs, emails, - or script arguments during an investigation. + The Decode Base64 action is a utility tool designed to decode a Base64 encoded + string into its original format. It allows users to specify the input string and + the character encoding to be used during the decoding process. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Base64 Input** | string | Yes | The Base64 encoded string that you want to - decode. | + | Base64 Input | string | Yes | The Base64 encoded string that needs to be decoded. + | - | **Encoding** | ddl | Yes | The character encoding to use for the decoded output. - Options include **UTF-8** and **ASCII**. | + | Encoding | ddl | Yes | The character encoding to use for the decoded string + (e.g., UTF-8, ASCII). | ### Flow Description - 1. **Parameter Retrieval**: The action retrieves the `Base64 Input` string and - the selected `Encoding` from the user configuration. - - 2. **Decoding Process**: The input string is decoded from Base64 format into raw - bytes using Python's standard library. - - 3. **String Conversion**: The raw bytes are converted into a string based on the - provided encoding (UTF-8 or ASCII). + 1. The action retrieves the 'Base64 Input' string and the 'Encoding' type from + the provided parameters. - 4. **Result Output**: The decoded string is packaged into a JSON object (`decoded_content`) - and returned as the action's result. If decoding fails (e.g., due to invalid Base64 - format), the action reports a failure. + 2. It attempts to decode the Base64 input using the specified encoding. + 3. If successful, it returns the decoded content as a JSON object in the action + results. - ### Additional Notes - - This action does not interact with external APIs or modify any SOAR entities; - it performs local data transformation. + 4. If an error occurs during decoding, the action fails and returns an error message. capabilities: can_create_case_comments: false can_create_insight: false @@ -635,8 +645,15 @@ Decode Base64: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a local string manipulation (Base64 decoding). It does not + interact with external systems, fetch data, or modify internal SOAR data (entities, + insights, comments). It only returns a result JSON to the playbook. categories: enrichment: false + reasoning: >- + The action is a utility for data transformation (decoding). It does not fetch + data from external sources, so it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -652,6 +669,8 @@ Decode Base64: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with entities. Extract Archive: action_product_categories: add_alert_comment: false @@ -667,6 +686,9 @@ Extract Archive: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action extracts files from an archive. It does not match any of the defined + product categories (Enrichment, Containment, Ticket Management, etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -682,67 +704,60 @@ Extract Archive: update_identity: false update_ticket: false ai_description: >- - Extracts one or more archive files to a specific directory on the Google SecOps - server. This action supports multiple archive formats including ZIP, TAR, GZTAR, - BZTAR, and XTAR. It processes a comma-separated list of file paths, creates a - dedicated output directory for each archive, and unpacks the contents. The action - returns a detailed JSON structure representing the extracted file hierarchy, including - file names, extensions, and full system paths. + Extracts archive files (zip, tar, gztar, bztar, xtar) to a designated directory + on the server. This utility action simplifies the process of accessing contents + within compressed files for further analysis or processing within the SOAR environment. ### Flow Description - 1. **Parameter Parsing:** The action retrieves the `Archive` parameter and splits - it into a list of individual file paths. + 1. The action parses the `Archive` parameter to retrieve a list of file paths. - 2. **Directory Preparation:** For each archive, it determines a destination path - within the predefined directory `/opt/siemplify/siemplify_server/Scripting/FileUtilities/Extract`. - It creates the directory if it does not already exist. + 2. It iterates through each provided archive path. - 3. **Extraction:** It utilizes the `shutil.unpack_archive` library to extract - the contents of the archive into the designated folder. + 3. A target directory is created for each archive to store the extracted contents. - 4. **Metadata Collection:** After extraction, it recursively scans the output - directory to build a dictionary-based representation of the files and folders - created. + 4. The action uses `shutil.unpack_archive` to extract the contents of the archive. - 5. **Result Reporting:** It compiles a JSON result containing success/failure - status for each archive, the destination folder path, and a list of all extracted - files (both as a simple list and with full paths). + 5. A JSON structure is generated, detailing the extracted files and their paths. + 6. The final result is returned to the SOAR platform using `add_result_json`. - ### Parameters Description + + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Archive | String | Yes | A comma-delimited list of full file system paths to - the archives that need to be extracted. Example: `/path/to/file1.zip, /path/to/file2.tar.gz`. - | + | Archive | string | Yes | The path of the archive to be extracted. Supports comma-delimited + paths. | ### Additional Notes - * This action operates directly on the local filesystem of the execution environment. - It does not interact with external APIs or SecOps entity models (like IP or Hostname). - - * The extraction destination is hardcoded to a specific subdirectory within the - Siemplify scripting folder. + This action performs local file system operations on the SOAR server. It does + not interact with external systems or modify SOAR case data. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null fetches_data: false - internal_data_mutation_explanation: >- - The action creates directories and writes extracted files to the local filesystem - of the Google SecOps server at /opt/siemplify/siemplify_server/Scripting/FileUtilities/Extract. + internal_data_mutation_explanation: null + reasoning: >- + The action performs local file system operations (extracting archives) on the + SOAR server. It does not interact with external APIs, modify SOAR case data, + or update entities. categories: enrichment: false + reasoning: >- + The action does not fetch data from an external source, nor does it perform + any of the allowed internal mutations (creating insights, updating entities, + adding comments). It is a utility action for file extraction. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -758,6 +773,9 @@ Extract Archive: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `siemplify.target_entities` or any SOAR entity + objects. It operates on file paths provided as parameters. Extract Zip Files: action_product_categories: add_alert_comment: false @@ -773,6 +791,11 @@ Extract Zip Files: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action extracts files from a ZIP archive and manages them within the SOAR + platform (adding to case wall, creating entities). It does not match any of + the predefined product categories such as 'Enrich IOC', 'Contain Host', or 'Create + Ticket'. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -787,71 +810,40 @@ Extract Zip Files: update_email: false update_identity: false update_ticket: false - ai_description: >- - ### General Description - - The **Extract Zip Files** action is a utility designed to process ZIP archives - associated with a case. It identifies `FILENAME` entities that contain an `attachment_id`, - retrieves the corresponding file from the Google SecOps internal storage, and - extracts its contents. The action supports password-protected archives through - either a provided list of passwords or a brute-force mechanism using a predefined - wordlist. Extracted files can be re-uploaded to the case wall, used to create - new entities (FILENAME and FILEHASH), and included as base64 data in the action's - JSON output. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Include Data In JSON Result | boolean | No | If set to `true`, the base64 encoded - content of the extracted files will be included in the `JsonResult` output. Default - is `false`. | - - | Create Entities | boolean | No | If set to `true`, the action will automatically - create new `FILENAME` and `FILEHASH` entities for each file found inside the ZIP - archive. Default is `true`. | - - | Zip File Password | string | No | A string containing one or more passwords - used to attempt extraction of protected ZIP files. | - - | BruteForce Password | boolean | No | If set to `true`, the action will attempt - to brute-force the ZIP password using an internal wordlist if the provided passwords - fail. Default is `false`. | - - | Add to Case Wall | boolean | No | If set to `true`, each extracted file will - be uploaded back to the case wall as a new attachment. Default is `true`. | - - | Zip Password List Delimiter | string | Yes | The character used to separate - multiple passwords provided in the `Zip File Password` parameter (e.g., a comma). - Default is `,`. | - - - ### Flow Description - - 1. **Entity Filtering:** The action scans the target entities for those of type - `FILENAME` that possess an `attachment_id` attribute in their additional properties. - - 2. **Attachment Retrieval:** For each valid entity, the action fetches the binary - content of the ZIP file from the SOAR platform. - - 3. **Extraction Logic:** - * It attempts to open the ZIP file. - * If the file is encrypted, it first tries the passwords provided in the - `Zip File Password` parameter (split by the delimiter). - * If still locked and `BruteForce Password` is enabled, it iterates through - a wordlist to find the correct password. - 4. **Metadata Calculation:** For every file extracted, the action calculates - MD5, SHA1, SHA256, and SHA512 hashes, and determines the MIME type. - - 5. **Internal Updates:** - * If `Add to Case Wall` is enabled, files are uploaded to the case wall. - * If `Create Entities` is enabled, new `FILENAME` and `FILEHASH` entities - are generated and linked to the parent ZIP file entity. - 6. **Result Reporting:** The action returns a JSON object mapping the original - ZIP filename to the list of extracted file metadata. + ai_description: "### General Description\nThis action extracts files from ZIP archives\ + \ that are attached to FILENAME entities within the case. It supports password-protected\ + \ ZIP files by allowing users to provide a specific password or by enabling a\ + \ brute-force mechanism using a predefined wordlist. The action can optionally\ + \ add the extracted files to the Case Wall and create new entities for the extracted\ + \ files, linking them to the original ZIP file.\n\n### Flow Description\n1. **Initialization**:\ + \ The action initializes the `AttachmentsManager` and retrieves configuration\ + \ parameters.\n2. **Entity Filtering**: It iterates through the `target_entities`\ + \ and filters for those with `entity_type` equal to `FILENAME` that contain an\ + \ `attachment_id` in their `additional_properties`.\n3. **Extraction**: For each\ + \ valid entity, it downloads the attachment from the Case Wall, checks if it is\ + \ a valid ZIP file, and extracts the contents. If password protection is encountered,\ + \ it attempts to unlock the file using the provided password or the brute-force\ + \ list.\n4. **Case Wall & Entity Management**: \n - If `Add to Case Wall` is\ + \ enabled, extracted files are uploaded as new attachments to the case.\n -\ + \ If `Create Entities` is enabled, new entities are created for the extracted\ + \ files and linked to the parent file.\n5. **Result Generation**: The action returns\ + \ a JSON result containing the extracted file metadata (and optionally the raw\ + \ data) and updates the original entities with new properties if applicable.\n\ + \n### Parameters\n| Parameter | Type | Mandatory | Description |\n| :--- | :---\ + \ | :--- | :--- |\n| Include Data In JSON Result | boolean | false | If true,\ + \ includes the base64 encoded data of the extracted files in the action's JSON\ + \ result. |\n| Create Entities | boolean | false | If true, creates new entities\ + \ for the extracted files. |\n| Zip File Password | string | false | A password\ + \ or list of passwords (separated by the delimiter) to attempt extraction of password-protected\ + \ ZIP files. |\n| BruteForce Password | boolean | false | If true, attempts to\ + \ brute-force password-protected ZIP files using a built-in wordlist. |\n| Add\ + \ to Case Wall | boolean | false | If true, adds the extracted files as attachments\ + \ to the case wall. |\n| Zip Password List Delimiter | string | true | The character\ + \ used to separate multiple passwords in the 'Zip File Password' parameter. |\n\ + \n### Additional Notes\n- The action requires the `FILENAME` entity to have an\ + \ `attachment_id` attribute to successfully download the file from the Case Wall.\n\ + - If `Create Entities` is enabled, the action will create new entities and link\ + \ them to the parent file or email subject if applicable." capabilities: can_create_case_comments: false can_create_insight: false @@ -862,10 +854,22 @@ Extract Zip Files: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action creates new FILENAME and FILEHASH entities within the Google SecOps - case and uploads extracted files as new attachments to the case wall. + The action adds new attachments to the case wall and creates new entities within + the SOAR platform. + reasoning: >- + The action fetches attachment data from the SOAR platform (fetches_data=true). + It does not mutate external systems (can_mutate_external_data=false). It performs + internal mutations by adding attachments to the case wall and creating new entities + (can_mutate_internal_data=true). It updates existing entities with new properties + (can_update_entities=true). It does not create insights, modify alert data, + or create case comments. categories: enrichment: false + reasoning: >- + While the action fetches data, it performs internal mutations (creating new + entities) that are not included in the allowed list for enrichment actions (which + are limited to adding comments, creating insights, or updating existing entity + fields). Therefore, it is not classified as an enrichment action. entity_usage: entity_types: - FILENAME @@ -882,6 +886,10 @@ Extract Zip Files: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over `siemplify.target_entities` and explicitly filters + for entities where `entity.entity_type == 'FILENAME'`. It also checks for the + presence of the 'attachment_id' key in the entity's `additional_properties`. Get Attachment: action_product_categories: add_alert_comment: false @@ -891,12 +899,16 @@ Get Attachment: create_ticket: false delete_email: false disable_identity: false - download_file: true + download_file: false enable_identity: false enrich_asset: false enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves attachments from the case wall. It does not match any of + the specific product categories defined, such as enriching IOCs, updating tickets, + or performing containment actions. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -911,28 +923,46 @@ Get Attachment: update_email: false update_identity: false update_ticket: false - ai_description: "### General Description\nThe **Get Attachment** action retrieves\ - \ file attachments from the Google SecOps case wall or a specific alert wall.\ - \ It fetches the metadata for the attachments and then downloads the actual file\ - \ content, converting it into a Base64-encoded string. This is useful for downstream\ - \ actions that need to process file content (e.g., sandboxing, hash calculation,\ - \ or parsing) without requiring direct access to the SecOps storage.\n\n### Parameters\ - \ Description\n| Parameter Name | Type | Mandatory | Description |\n| :--- | :---\ - \ | :--- | :--- |\n| Attachment Scope | DDL | Yes | Determines the scope of the\ - \ search. If set to **Case**, the action retrieves all attachments associated\ - \ with the entire case. If set to **Alert**, it only retrieves attachments specifically\ - \ linked to the current alert context. |\n\n### Flow Description\n1. **Parameter\ - \ Retrieval**: The action identifies the user-defined scope (Case or Alert).\n\ - 2. **Metadata Fetching**: It calls the internal API to retrieve a list of all\ - \ attachment metadata associated with the current case identifier.\n3. **Filtering**:\ - \ \n * It filters the list to include only items of type 'Attachment' (Type\ - \ 4).\n * If the scope is set to **Alert**, it further filters the list to\ - \ include only those attachments whose `alertIdentifier` matches the current alert.\n\ - 4. **Content Retrieval**: For every matching attachment, the action uses the `evidenceId`\ - \ to download the raw file content.\n5. **Encoding**: The raw binary content of\ - \ each file is encoded into a Base64 string.\n6. **Output Generation**: The action\ - \ appends the Base64 string to the attachment's metadata and returns the complete\ - \ list as a JSON result." + ai_description: >- + ### General Description + + The 'Get Attachment' action retrieves attachments from the Google SecOps (Chronicle) + case wall. It allows users to fetch attachments based on a specified scope (either + the entire case or the current alert) and returns the file content encoded in + Base64 format. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Attachment Scope | ddl | Yes | The scope of the attachment that needs to be + retrieved. Options are 'Case' or 'Alert'. | + + + ### Additional Notes + + This action is a utility tool for retrieving files from the internal case wall. + It does not perform any external API calls to third-party services or modify any + data within the SOAR platform. + + + ### Flow Description + + 1. The action retrieves the 'Attachment Scope' parameter. + + 2. It fetches the metadata for all attachments associated with the current case. + + 3. It filters the attachments based on the selected scope ('Case' or 'Alert'). + + 4. For each matching attachment, it retrieves the file content from the case wall. + + 5. The file content is encoded into a Base64 string. + + 6. The action returns the list of attachments, including their metadata and Base64 + content, as a JSON result. capabilities: can_create_case_comments: false can_create_insight: false @@ -943,8 +973,16 @@ Get Attachment: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches attachment data from the case wall (internal). It does not + mutate external or internal data. It does not update entities, create insights, + or modify alerts. categories: enrichment: false + reasoning: >- + The action retrieves data (attachments) but does not add context to entities + or alerts, nor does it update the SOAR platform state. It is a utility action + for file retrieval, not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -960,6 +998,10 @@ Get Attachment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `target_entities` or perform operations on + specific entities. It retrieves attachments based on the case or alert scope, + which are internal identifiers, not entity objects. Get Files as Base64: action_product_categories: add_alert_comment: false @@ -975,6 +1017,10 @@ Get Files as Base64: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a file utility for base64 conversion. It does not match any of + the defined product categories (Enrichment, Containment, Ticket management, + etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -992,49 +1038,30 @@ Get Files as Base64: ai_description: >- ### General Description - The **Get Files as Base64** action is a utility designed to read local files from - the system and convert their contents into Base64-encoded strings. This is primarily - used to prepare binary file data for transmission to external APIs, sandboxes, - or for inclusion in structured reports where raw binary data is not supported. + This action converts local files to base64-encoded strings. It is a utility action + that reads files from the local file system and encodes them into base64 format + for further processing or analysis. ### Parameters Description - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **File Paths** | String | Yes | A comma-delimited list of absolute file paths - to be processed (e.g., `/tmp/malware.exe, /home/user/evidence.log`). | + * **File Paths** (string, mandatory): A comma-delimited list of files, including + their path. ### Flow Description - 1. **Input Parsing**: The action retrieves the `File Paths` parameter and splits - it into a list of potential file locations. + 1. Parse the `File Paths` parameter into a list of file paths. - 2. **Path Resolution**: It executes a custom resolution logic (`get_filenames`) - to verify the existence of the files on the local filesystem, handling cases where - filenames might contain commas. + 2. Iterate through the provided paths, verifying the existence of each file. - 3. **File Processing**: For each identified file: - - It extracts metadata including the directory path, filename, and file extension. - - It opens the file in binary read mode. - - It encodes the binary content into a Base64 string. - 4. **Data Aggregation**: The action constructs a JSON object containing the list - of processed filenames and a data array with the metadata and Base64 strings for - each file. + 3. Read the content of each valid file in binary mode. - 5. **Output**: The resulting JSON is added to the action's execution results, - and the action completes with a success message listing the converted files. - - - ### Additional Notes + 4. Encode the file content into a base64 string. - - This action operates on the local filesystem of the environment where the Google - SecOps agent or runner is active. + 5. Compile the results (filename, path, extension, base64 data) into a JSON object. - - Large files may consume significant memory during the Base64 encoding process. + 6. Add the JSON result to the action output and terminate the action. capabilities: can_create_case_comments: false can_create_insight: false @@ -1045,8 +1072,15 @@ Get Files as Base64: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a local file system operation to convert files to base64. + It does not interact with external APIs, modify internal case data, or update + entities. categories: enrichment: false + reasoning: >- + The action is a file utility that converts local files to base64. It does not + fetch external data or perform enrichment on entities. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1062,6 +1096,9 @@ Get Files as Base64: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use `target_entities`. It operates on file paths provided + as a parameter. Ping: action_product_categories: add_alert_comment: false @@ -1077,6 +1114,9 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity check ('Ping') and does not perform any of the + defined functional outcomes like enrichment, containment, or ticketing. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1092,34 +1132,23 @@ Ping: update_identity: false update_ticket: false ai_description: >- - ### General Description - - The **Ping** action is a diagnostic utility designed to verify the connectivity - and functional status of the File Utilities integration within Google SecOps. - It performs a basic handshake to ensure that the integration environment is correctly - configured and that the SOAR platform can successfully execute scripts associated - with this integration. + Checks connectivity to the File Utilities integration. This action performs a + simple connectivity test to verify that the integration is properly configured + and communicating with the SOAR platform. It does not perform any data retrieval + or modification. - ### Parameters Description - - There are no parameters required for this action. - - - ### Additional Notes + ### Parameters - This action does not interact with any external APIs or process any entity data. - It is strictly used for health checks. + There are no parameters for this action. ### Flow Description - 1. **Initialization**: The action initializes the Siemplify API context. - - 2. **Connectivity Check**: The script executes a simple completion command. + 1. The action initializes the `SiemplifyAction` object. - 3. **Finalization**: The action ends with a success message 'Siemplify is connected', - confirming the integration is active. + 2. It immediately terminates the execution by calling `siemplify.end` with a success + message, confirming that the integration is reachable. capabilities: can_create_case_comments: false can_create_insight: false @@ -1130,8 +1159,15 @@ Ping: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a simple connectivity check by calling `siemplify.end`. + It does not interact with external APIs, fetch data, or modify any internal + or external systems. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action, which is explicitly excluded from being an enrichment + action per the instructions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1147,6 +1183,8 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. Remove Entity from File: action_product_categories: add_alert_comment: false @@ -1162,6 +1200,10 @@ Remove Entity from File: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a file utility that removes entries from a local file. It does + not perform any of the defined product actions (Enrichment, Containment, Ticket, + etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1177,73 +1219,59 @@ Remove Entity from File: update_identity: false update_ticket: false ai_description: >- - Removes the identifiers of target entities from a specified local file. This utility - action is designed to manage local lists or flat-file databases by ensuring that - specific entity strings are deleted from the file content. It employs a file-locking - mechanism to ensure thread safety and prevent data corruption during concurrent - access. - - - ### Flow Description - - 1. **Parameter Initialization**: The action retrieves the `Filename` parameter - provided by the user. - - 2. **Path Construction**: It constructs the full file path by appending the filename - to the default directory (`/tmp/`). + This action removes the identifier of a target entity from a specified local file + on the SOAR server. It iterates through the provided target entities, checks if + each identifier exists in the file, and removes it if found. The action returns + a success or failure status based on whether all entities were successfully processed. - 3. **File Locking and Reading**: The `EntityFileManager` context manager is used - to acquire a lock on the file (creating a `.lock` file) and read its current contents - into memory. - 4. **Entity Iteration**: The action iterates through all `target_entities` provided - in the current SOAR context. + ### Parameters - 5. **Removal Logic**: For each entity, the action checks if its identifier exists - in the file's content. If it exists, the identifier is removed from the list. - If it does not exist, the action logs this and prepares to return a failure status - for the overall result. + | Parameter | Type | Mandatory | Description | - 6. **Persistence**: After processing all entities, the updated list is written - back to the file, and the file lock is released. + | :--- | :--- | :--- | :--- | - 7. **Final Output**: The action returns a summary message detailing which entities - were removed and which were not found, along with a boolean result indicating - if all entities were successfully located and removed. + | Filename | string | Yes | The name of the file from which to remove the entities. + | - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. Extract the `Filename` parameter. - | :--- | :--- | :--- | :--- | + 2. Initialize `EntityFileManager` with the file path and a timeout. - | Filename | string | True | The name of the file (located in `/tmp/`) from which - the entity identifiers should be removed. | + 3. Iterate through the provided `target_entities`. + 4. Check if each entity's identifier exists in the file. - ### Additional Notes + 5. If found, remove the identifier from the file's content. - - The action will return `False` as its result value if even one of the target - entities is not found in the file, although it will still proceed to remove any - other entities that *are* found. + 6. Update the file with the modified list. - - The file is expected to be a line-delimited text file where each line represents - an entity identifier. + 7. Return a success/failure status based on whether all entities were successfully + removed. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false - can_mutate_external_data: true - can_mutate_internal_data: false + can_mutate_external_data: false + can_mutate_internal_data: true can_update_entities: false - external_data_mutation_explanation: >- - Modifies a file on the local filesystem by removing specific entity identifier - strings. + external_data_mutation_explanation: null fetches_data: false - internal_data_mutation_explanation: null + internal_data_mutation_explanation: >- + Modifies a local file on the SOAR server by removing entity identifiers. + reasoning: >- + The action modifies a local file on the SOAR server. It does not fetch external + data, mutate external systems, or update SOAR entities/insights. It is a file + utility operation. categories: enrichment: false + reasoning: >- + The action does not fetch data from an external source, nor does it perform + any of the allowed internal mutations (Case Comments, Insights, Entity updates). + It is a file utility. entity_usage: entity_types: - ADDRESS @@ -1294,6 +1322,9 @@ Remove Entity from File: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over all `target_entities` without filtering by type, so + it supports all entity types. Save Base64 to File: action_product_categories: add_alert_comment: false @@ -1309,6 +1340,10 @@ Save Base64 to File: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + This action is a utility for saving files to the local filesystem. It does not + perform any of the defined product category operations (e.g., enrichment, containment, + ticketing, etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1323,32 +1358,50 @@ Save Base64 to File: update_email: false update_identity: false update_ticket: false - ai_description: "Saves one or more base64-encoded strings as files on the local\ - \ filesystem of the Google SecOps runner or agent. This action is primarily used\ - \ to convert encoded data\u2014such as email attachments, forensic artifacts,\ - \ or exported logs\u2014into physical files that can be processed by subsequent\ - \ actions in a playbook. It supports batch processing through comma-separated\ - \ input lists.\n\n### Parameters Description\n\n| Parameter | Type | Mandatory\ - \ | Description |\n| :--- | :--- | :--- | :--- |\n| Base64 Input | String | Yes\ - \ | A comma-separated list of base64-encoded strings to be converted into files.\ - \ |\n| Filename | String | Yes | A comma-separated list of filenames to be used\ - \ for the saved files. The order must match the 'Base64 Input' list. |\n| File\ - \ Extension | String | No | An optional comma-separated list of file extensions\ - \ (e.g., 'txt', '.png') to append to the filenames. If fewer extensions are provided\ - \ than filenames, the last extension in the list is applied to all remaining files.\ - \ |\n\n### Flow Description\n\n1. **Input Parsing:** The action retrieves the\ - \ `Base64 Input`, `Filename`, and `File Extension` parameters, splitting them\ - \ into lists based on comma delimiters.\n2. **Directory Setup:** It identifies\ - \ the appropriate storage path (either a local 'downloads' folder or the agent's\ - \ download directory) and creates the directory if it does not already exist.\n\ - 3. **Filename Sanitization:** Each provided filename is sanitized to remove invalid\ - \ characters and spaces, ensuring compatibility with the filesystem.\n4. **Decoding\ - \ and Writing:** For each input pair, the action decodes the base64 string into\ - \ binary data and writes it to the calculated file path, appending the extension\ - \ if provided.\n5. **Result Compilation:** It generates a JSON object containing\ - \ metadata for all successfully saved files, including the original filename,\ - \ the full file path, and the extension.\n6. **Completion:** The action ends by\ - \ returning a success message listing the paths of the saved files." + ai_description: >- + ### General Description + + The **Save Base64 to File** action converts a provided base64-encoded string into + a binary file and saves it to the local filesystem of the SOAR engine or agent. + This utility is useful for extracting files from base64 data, such as attachments + or payloads, for further analysis or storage. + + + ### Flow Description + + 1. **Input Parsing**: The action retrieves the `Base64 Input` and `Filename` parameters. + Both support comma-separated lists to process multiple files in a single execution. + + 2. **Directory Setup**: It determines the target directory (the `downloads` folder) + based on whether the action is running locally or on a remote agent. + + 3. **File Processing**: It iterates through the provided inputs, decodes the base64 + strings, and writes the resulting binary data to the specified file paths. + + 4. **Result Generation**: It constructs a JSON object containing the details of + the saved files (name, path, and extension) and returns this as the action result. + + + ### Parameters + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | `Base64 Input` | String | Yes | The base64 encoded string(s) to be converted. + Supports comma-separated values for multiple files. | + + | `Filename` | String | Yes | The name(s) to assign to the saved files. Supports + comma-separated values. | + + | `File Extension` | String | No | An optional extension to append to the output + filename(s). | + + + ### Additional Notes + + - The action does not interact with external systems or SOAR entities. It performs + purely local filesystem operations. capabilities: can_create_case_comments: false can_create_insight: false @@ -1359,8 +1412,17 @@ Save Base64 to File: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs local file system operations (writing files) based on provided + input. It does not interact with external APIs, nor does it modify SOAR case + data or entities. It does not fetch data, mutate external systems, or update + internal SOAR data. categories: enrichment: false + reasoning: >- + The action does not fetch data from external sources, nor does it perform any + enrichment or modification of SOAR entities. It is a utility action for file + creation on the local filesystem. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1376,3 +1438,5 @@ Save Base64 to File: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with or reference any SOAR entities. diff --git a/content/response_integrations/power_ups/file_utilities/resources/ai/integration_ai_description.yaml b/content/response_integrations/power_ups/file_utilities/resources/ai/integration_ai_description.yaml index 0801c7556..4dec8b11a 100644 --- a/content/response_integrations/power_ups/file_utilities/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/power_ups/file_utilities/resources/ai/integration_ai_description.yaml @@ -7,6 +7,14 @@ product_categories: iam_and_identity_management: false itsm: false network_security: false + reasoning: >- + The 'file_utilities' integration provides a collection of general-purpose utility + actions for file and data manipulation, such as archiving, hashing, base64 decoding/encoding, + and local file system operations. It also includes actions for managing file attachments + on the Google SecOps case wall. None of these actions perform security-specific + functions like threat intelligence enrichment, host containment, identity management, + ticketing, or asset inventory. Consequently, this integration does not align with + any of the defined product categories. siem: false threat_intelligence: false vulnerability_management: false diff --git a/content/response_integrations/power_ups/functions/resources/ai/actions_ai_description.yaml b/content/response_integrations/power_ups/functions/resources/ai/actions_ai_description.yaml index d734b9939..392d5091e 100644 --- a/content/response_integrations/power_ups/functions/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/power_ups/functions/resources/ai/actions_ai_description.yaml @@ -13,6 +13,11 @@ Calculate Timestamp: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a utility function that calculates timestamps based on provided + inputs. It does not interact with external systems, perform enrichment on entities, + or modify alert/case data. Therefore, it does not fit into any of the predefined + product categories. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -28,66 +33,53 @@ Calculate Timestamp: update_identity: false update_ticket: false ai_description: >- - The 'Calculate Timestamp' action is a utility function designed to compute one - or more new timestamps by applying specific time offsets (deltas) to a designated - starting point. This is particularly useful for playbooks that need to define - time windows for searches, set expiration dates, or calculate relative timeframes - based on alert or case events. + The 'Calculate Timestamp' action is a utility tool designed to compute new timestamps + by applying time offsets (deltas) to a specified baseline time. It supports various + input sources, including the current time, alert creation time, case creation + time, or a custom timestamp provided by the user. ### Parameters - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Input Type | DDL | No | Defines the baseline time. Options: 'Current Time' (default), - 'Alert Creation Time', 'Case Creation Time', or 'Custom Timestamp'. | - - | Custom Timestamp | String | No | The specific date/time string to use if 'Input - Type' is set to 'Custom Timestamp'. | - - | Custom Timestamp Format | String | No | The format used to parse the 'Custom - Timestamp'. Defaults to '%Y-%m-%dT%H:%M:%S%z'. If empty, the action attempts to - parse as epoch. | + | Parameter | Type | Mandatory | Default Value | Description | - | Timestamp Delta | String | No | A comma-separated list of offsets (e.g., '+30M', - '-1d'). Supports months (m), days (d), hours (H), minutes (M), and seconds (S). - Default is '+30M,-30M'. | + | :--- | :--- | :--- | :--- | :--- | - | Output Timestamp Format | String | No | The desired format for the calculated - results. Defaults to '%Y-%m-%dT%H:%M:%S%z'. Use 'epoch' for Unix timestamps. | + | Input Type | DDL | No | Current Time | The baseline time source for the calculation. + Options: Current Time, Alert Creation Time, Case Creation Time, Custom Timestamp. + | + | Custom Timestamp | String | No | "" | The specific date/time string to use if + 'Input Type' is set to 'Custom Timestamp'. | - ### Additional Notes + | Custom Timestamp Format | String | No | %Y-%m-%dT%H:%M:%S%z | The format of + the 'Custom Timestamp'. Defaults to epoch if not provided. | - - If 'Input Type' is set to 'Custom Timestamp', the 'Custom Timestamp' parameter - becomes effectively mandatory for the action to succeed. + | Timestamp Delta | String | No | +30M,-30M | A comma-separated list of time offsets + (e.g., +30M, -1d). Supported units: m (months), d (days), H (hours), M (minutes), + S (seconds). | - - The action uses the `arrow` library for robust date manipulation and parsing. - - - Multiple deltas can be processed in a single execution, returning a map of results. + | Output Timestamp Format | String | No | %Y-%m-%dT%H:%M:%S%z | The desired format + for the resulting timestamps. Defaults to epoch if not provided. | ### Flow Description - 1. **Initialization**: The action extracts and validates the input parameters, - ensuring formats and deltas match expected patterns (e.g., regex validation for - deltas). - - 2. **Baseline Determination**: It identifies the starting timestamp based on the - 'Input Type'. It retrieves the creation time from the alert or case context if - requested. + 1. **Parameter Extraction**: The action extracts and validates all input parameters, + ensuring that if 'Custom Timestamp' is selected, a valid timestamp and format + are provided. - 3. **Offset Calculation**: For each delta provided in the 'Timestamp Delta' list, - the action applies the mathematical shift (addition or subtraction) to the baseline - timestamp. + 2. **Baseline Determination**: Based on the 'Input Type', the action retrieves + the starting timestamp from the current system time, the alert's creation time, + the case's creation time, or the provided custom timestamp. - 4. **Formatting**: The original and all calculated timestamps are converted into - the format specified in 'Output Timestamp Format'. + 3. **Delta Calculation**: The action iterates through the provided 'Timestamp + Delta' strings, parsing the operator (+/-), value, and unit to shift the baseline + timestamp accordingly. - 5. **Result Delivery**: The final results are returned as a JSON object containing - the 'original_timestamp' and a dictionary of 'calculated_timestamps'. + 4. **Formatting and Output**: Each calculated timestamp is formatted according + to the 'Output Timestamp Format' and added to the final JSON result, which is + then returned to the SOAR platform. capabilities: can_create_case_comments: false can_create_insight: false @@ -96,10 +88,18 @@ Calculate Timestamp: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: false + fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches internal data (alert or case creation time) when required, + but it does not interact with external systems or modify any internal data (entities, + insights, or alert fields). It is a pure utility action for timestamp calculation. categories: enrichment: false + reasoning: >- + The action is a utility function that calculates timestamps. It does not gather + supplemental context about alerts or entities, nor does it modify any internal + or external data. Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -115,6 +115,10 @@ Calculate Timestamp: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `target_entities` or perform any operations + on specific entities. It operates on the alert or case context directly, or + uses a custom timestamp, making it a utility action that does not use entities. Convert Time Format: action_product_categories: add_alert_comment: false @@ -130,6 +134,10 @@ Convert Time Format: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + This action is a utility function for time manipulation. It does not perform + any of the defined product actions such as enriching IOCs, updating tickets, + or modifying alerts. It is strictly a data transformation tool. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -145,59 +153,52 @@ Convert Time Format: update_identity: false update_ticket: false ai_description: >- - Converts a datetime value from one format to another. This utility action allows - for parsing input strings or timestamps, applying time offsets (shifts), and converting - the result into a specific timezone and output format. + ### General Description + This action converts a datetime string from one format to another. It supports + time shifting and timezone conversion, providing a flexible utility for normalizing + time data within SOAR workflows. It is a pure utility function that does not interact + with external systems or modify internal SOAR data. - ### Flow Description: - 1. **Parameter Retrieval:** The action extracts the input datetime string, the - source format, the target format, the time delta (in seconds), and the target - timezone from the configuration. + ### Parameters Description - 2. **Parsing:** It attempts to parse the input. If the input is numeric, it treats - it as a Unix timestamp (seconds or milliseconds). If it is a string, it uses the - provided 'From Format' to interpret the date. + | Parameter | Type | Mandatory | Description | - 3. **Time Shifting:** If a 'Time Delta In Seconds' is provided, the action shifts - the datetime object forward or backward by that amount. + | --- | --- | --- | --- | - 4. **Timezone Conversion:** If a 'Timezone' is specified, the datetime is converted - to that specific timezone. + | Input | string | Yes | The input datetime value that will be converted. | - 5. **Formatting:** Finally, the datetime is formatted according to the 'To Format' - string and returned as the action result. + | From Format | string | Yes | The datetime format the input string is in. | + | To Format | string | Yes | The desired time format of the output. | - ### Parameters Description: + | Time Delta In Seconds | string | No | Shift parameter that allows to change + the output actual time to either the future (positive) or past (negative). | - | Parameter | Type | Mandatory | Description | + | Timezone | string | No | Output timezone. | - | :--- | :--- | :--- | :--- | - | Input | string | True | The input datetime value or timestamp that will be converted. - If left empty, the current time is used. | + ### Additional Notes - | From Format | string | True | The datetime format the input string is in (e.g., - %Y-%m-%d %H:%M:%S). Supports strftime format. | + The action uses the `arrow` library for time manipulation. The `Time Delta In + Seconds` parameter defaults to 0 if not provided. The `Timezone` parameter is + optional. - | To Format | string | True | The desired time format of the output. Uses Arrow - tokens (e.g., YYYY/MM/DD). | - | Time Delta In Seconds | string | True | Shift parameter to change the output - time to the future (positive) or past (negative), measured in seconds. | + ### Flow Description - | Timezone | string | False | The target timezone for the output (e.g., UTC, US/Eastern). - | + 1. Retrieve parameters (`Input`, `From Format`, `To Format`, `Time Delta`, `Timezone`). + 2. Parse the input string (handles timestamps or formatted strings). - ### Additional Notes: + 3. Apply time shift (if provided). - - If the 'From Format' ends with 'UTC' or 'GMT', the action performs specific - logic to handle timezone offsets provided within the input string. + 4. Convert to target timezone (if provided). - - The action is a local utility and does not interact with external APIs. + 5. Format the output string. + + 6. Return the result. capabilities: can_create_case_comments: false can_create_insight: false @@ -208,8 +209,16 @@ Convert Time Format: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs local time calculations using the `arrow` library. It does + not perform any network I/O, API calls, or modifications to external or internal + systems. categories: enrichment: false + reasoning: >- + The action does not fetch data from any external or internal source, nor does + it modify any system state. It is a pure utility function for data transformation, + thus it does not meet the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -225,6 +234,9 @@ Convert Time Format: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action is a utility function that performs time format conversion. It does + not interact with the `target_entities` list or any specific entity objects. Create Thumbnail: action_product_categories: add_alert_comment: false @@ -240,6 +252,11 @@ Create Thumbnail: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a utility function for image processing (creating thumbnails). + It does not perform any security-related operations such as enrichment, containment, + or ticket management. Therefore, it does not match any of the defined product + categories. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -254,36 +271,22 @@ Create Thumbnail: update_email: false update_identity: false update_ticket: false - ai_description: "### General Description\nThe **Create Thumbnail** action is a utility\ - \ function designed to generate a resized thumbnail of an image. It accepts image\ - \ data in Base64 format and outputs a new Base64-encoded PNG thumbnail based on\ - \ user-defined dimensions. This action is particularly useful for optimizing image\ - \ display within the SOAR interface or preparing images for external notifications\ - \ where smaller file sizes are required.\n\n### Parameters Description\n| Parameter\ - \ Name | Expected Type | Mandatory | Description |\n| :--- | :--- | :--- | :---\ - \ |\n| **Base64 Image** | String | No | The raw Base64-encoded string of the image\ - \ to be resized. This is used if `Input JSON` is not provided. |\n| **Thumbnail\ - \ Size** | String | Yes | The desired dimensions for the thumbnail in pixels,\ - \ formatted as 'Width,Height' (e.g., '250,250'). |\n| **Input JSON** | String\ - \ | No | A JSON-formatted string (usually an array of objects) containing image\ - \ data to be processed in bulk. |\n| **Image Key Path** | String | No | If using\ - \ `Input JSON`, this specifies the dot-notation path (e.g., 'data.image_content')\ - \ to the field containing the Base64 image string. |\n\n### Additional Notes\n\ - - Either the **Base64 Image** parameter or the **Input JSON** parameter must be\ - \ provided for the action to have data to process.\n- The action uses the PIL\ - \ (Pillow) library to perform image manipulation.\n- The output is always returned\ - \ as a PNG-formatted Base64 string.\n\n### Flow Description\n1. **Parameter Extraction:**\ - \ The action retrieves the input image data, the target dimensions, and any JSON\ - \ pathing configurations.\n2. **Data Parsing:** \n - If **Input JSON** is provided,\ - \ the action parses the JSON and iterates through the entries, using the **Image\ - \ Key Path** to locate the Base64 strings.\n - If **Input JSON** is absent,\ - \ it proceeds with the single string provided in **Base64 Image**.\n3. **Image\ - \ Processing:** For each identified image string, the action decodes the Base64\ - \ data, opens it as an image object, and resizes it to the specified **Thumbnail\ - \ Size**.\n4. **Encoding:** The resized image is saved into a memory buffer as\ - \ a PNG and then re-encoded into a Base64 string.\n5. **Result Delivery:** The\ - \ resulting thumbnail(s) are added to the action's JSON results for use in subsequent\ - \ playbook steps." + ai_description: >- + General Description: Creates a Base64 thumbnail from an input image. This action + allows users to resize images provided as Base64 strings or extracted from a JSON + object, returning the processed thumbnail as a Base64 string. Parameters Description: + Base64 Image (string, optional): The Base64 string of the image. Thumbnail Size + (string, mandatory): Comma-separated pixels (e.g., 250,250) representing X and + Y dimensions. Input JSON (string, optional): A JSON object containing the image + data. Image Key Path (string, optional): The key path to locate the image within + the Input JSON. Flow Description: 1. Extract parameters: Base64 Image, Thumbnail + Size, Input JSON, and Image Key Path. 2. If Input JSON is provided, parse it and + extract the image string using the Image Key Path. 3. If Base64 Image is provided, + use it directly. 4. Decode the Base64 string, resize the image to the specified + dimensions using the PIL library, and re-encode it to Base64. 5. Return the resulting + thumbnail as a JSON object via siemplify.result.add_result_json. Additional Notes: + This action is a utility function and does not interact with external systems + or modify SOAR case data. capabilities: can_create_case_comments: false can_create_insight: false @@ -294,8 +297,16 @@ Create Thumbnail: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs local image processing using the PIL library. It does not + interact with external APIs, modify internal case data, or update entities. + It simply transforms input data and returns it as a JSON result. categories: enrichment: false + reasoning: >- + The action is a utility function for image manipulation. It does not fetch data + from external sources, nor does it modify internal SOAR data or entities. Therefore, + it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -311,6 +322,9 @@ Create Thumbnail: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not interact with siemplify.target_entities. It processes raw + input strings or JSON data provided via parameters. Defang Text: action_product_categories: add_alert_comment: false @@ -326,6 +340,10 @@ Defang Text: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a text processing utility that performs local string manipulation. + It does not interact with external systems, fetch threat intelligence, or modify + case/alert data. It does not match any of the defined product categories. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -341,46 +359,18 @@ Defang Text: update_identity: false update_ticket: false ai_description: >- - Defangs the provided input text by sanitizing URLs, IP addresses, and email addresses - to prevent accidental interaction. This utility action is useful for preparing - data for display or logging where active links or resolvable addresses are undesirable. - - - ### Flow Description - - 1. **Parameter Extraction:** Retrieves the `Input` string from the action parameters. - - 2. **Empty Check:** If the input is empty, the action terminates early with an - empty result. - - 3. **URL Defanging:** Uses regular expressions to find HTTP/HTTPS URLs, changing - the protocol to 'hxxp' and escaping dots in the domain (e.g., `http://example.com` - becomes `hxxp://example[.]com`). - - 4. **IP Defanging:** Identifies IPv4 patterns and replaces dots with bracketed - dots (e.g., `1.1.1.1` becomes `1[.]1[.]1[.]1`). - - 5. **Email Defanging:** Locates email addresses, replacing the '@' symbol with - `[at]` and escaping dots in the domain portion (e.g., `user@example.com` becomes - `user[at]example[.]com`). - - 6. **Result Output:** Returns the modified text in the `converted_text` JSON field. - - - ### Parameters Description - - | Parameter | Description | Type | Mandatory | - - | :--- | :--- | :--- | :--- | - - | Input | The raw text string that requires defanging. | String | No | - - - ### Additional Notes - - - This action does not interact with external APIs or modify Google SecOps entities. - - - It is a pure text transformation utility designed for data sanitization. + The **Defang Text** action is a utility function designed to sanitize potentially + malicious text strings. It takes an input string and applies regex-based transformations + to 'defang' indicators, making them safe for inclusion in reports or communications. + **Flow:** 1. Extract the **Input** parameter from the action configuration. 2. + Validate that the input is not empty. 3. Apply regex transformations to replace + http/https with hxxp/hxxps and dots in domains with [.]. 4. Apply regex transformations + to replace dots in IPv4 addresses with [.]. 5. Apply regex transformations to + replace @ in email addresses with [at] and dots in domains with [.]. 6. Return + the resulting defanged text in the **converted_text** JSON output. **Parameters:** + **Input** (string, optional): The raw text string to be defanged. **Additional + Notes:** If the **Input** parameter is not provided, the action returns an empty + string. capabilities: can_create_case_comments: false can_create_insight: false @@ -391,8 +381,15 @@ Defang Text: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action is a pure text transformation utility. It does not fetch data from + external APIs, nor does it mutate any external or internal systems. It simply + processes a string input and returns a transformed string. categories: enrichment: false + reasoning: >- + The action does not fetch data from any external or internal source, which is + a requirement for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -408,6 +405,10 @@ Defang Text: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over target_entities or use entity-specific identifiers. + It processes a raw string input provided via the Input parameter. Therefore, + it does not run on entities. Detect Hash Type: action_product_categories: add_alert_comment: false @@ -423,6 +424,10 @@ Detect Hash Type: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action identifies the hash type of file hash entities and updates their + properties. This provides context about the indicator, matching the 'Enrich + IOC' category. It does not perform external mutations or other actions. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -440,48 +445,43 @@ Detect Hash Type: ai_description: >- ### General Description - Identifies the most likely hash algorithm (MD5, SHA-1, SHA-256, or SHA-512) for - provided hash strings or FILEHASH entities. This utility action helps analysts - quickly classify unknown hash strings and enriches FILEHASH entities within the - case with their detected algorithm type. + Detects the cryptographic hash type (e.g., SHA256, MD5, SHA1, SHA-512) for a given + list of hash strings or for `FILEHASH` entities present in the case. This action + uses the `hashid` library to identify the hash type and updates the entity's `additional_properties` + with the result. ### Parameters Description | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + | --- | --- | --- | --- | - | Hashes | String | No | One or more hashes that are comma separated. If provided, - the action will identify the hash type for these strings in addition to any FILEHASH - entities in the scope. | + | Hashes | string | false | One or more hashes that are comma separated. | - ### Flow Description + ### Additional Notes - 1. Retrieve the `Hashes` parameter and split it into a list if it exists. + If no hashes are provided in the `Hashes` parameter, the action will only process + `FILEHASH` entities found in the case. - 2. Use the `hashid` library to identify the algorithm for each provided hash string, - filtering for supported types (MD5, SHA-1, SHA-256, SHA-512). - 3. Iterate through the `target_entities` and filter for those with the type `FILEHASH`. + ### Flow Description - 4. For each `FILEHASH` entity, identify its algorithm type using its identifier. + 1. Initialize the `HashID` utility. - 5. Update the entity's `additional_properties` with the detected `HashType`. + 2. If the `Hashes` parameter is provided, iterate through the comma-separated + list and identify the hash type for each. - 6. Commit the entity updates to the SecOps platform. + 3. Iterate through `target_entities` of type `FILEHASH`. - 7. Return a JSON result containing the mapping of all processed hashes to their - detected types. + 4. Identify the hash type for each entity using the `HashID` utility. + 5. Update the entity's `additional_properties` with the detected hash type. - ### Additional Notes + 6. Update the entities in the SOAR platform. - - Supported hash types are MD5, SHA-1, SHA-256, and SHA-512. - - - If a hash type cannot be determined or is not in the supported list, it is marked - as 'UNDETECTED'. + 7. Return the results as a JSON object. capabilities: can_create_case_comments: false can_create_insight: false @@ -492,10 +492,19 @@ Detect Hash Type: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates the 'additional_properties' attribute of FILEHASH entities with the - detected hash type (e.g., SHA-256, MD5). + Updates the `additional_properties` of `FILEHASH` entities with the detected + hash type. + reasoning: >- + The action uses the `hashid` library to determine the hash type of provided + strings or `FILEHASH` entities. It updates the `FILEHASH` entities with this + information using `siemplify.update_entities`. It does not interact with external + systems. categories: enrichment: true + reasoning: >- + The action identifies the hash type and updates the entity's properties. It + does not mutate external systems and only performs allowed internal mutations + (updating entities). It qualifies as an enrichment action. entity_usage: entity_types: - FILEHASH @@ -512,6 +521,9 @@ Detect Hash Type: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and filters for `FILEHASH` + entities using `if entity.entity_type == "FILEHASH"`. Detect IP Type: action_product_categories: add_alert_comment: false @@ -527,6 +539,11 @@ Detect IP Type: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action adds metadata ('IPType') to the entity. This matches the 'Enrich + Asset' category, which involves returning contextual metadata for a resource. + It does not fetch threat intelligence (Enrich IOC) or perform any other listed + actions. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -542,48 +559,44 @@ Detect IP Type: update_identity: false update_ticket: false ai_description: >- - Identifies whether an IP address is in IPv4 or IPv6 format. This action processes - a list of IP addresses provided as a parameter and also automatically evaluates - all 'ADDRESS' entities present in the current case. For entities, it enriches - their profile by adding an 'IPType' field to their additional properties, which - can be used for downstream logic or filtering in playbooks. + ### General Description + This action identifies whether provided IP addresses (from parameters) or IP Address + entities (from the case) are IPv4 or IPv6. It updates the entity's `additional_properties` + with the `IPType` and returns the results in the action output. - ### Flow Description: - 1. **Input Parsing**: Retrieves the optional 'IP Addresses' parameter and splits - it into individual strings if provided. + ### Parameters Description - 2. **Manual Evaluation**: Iterates through the provided IP strings and uses regular - expressions to determine if they are IPv4, IPv6, or undetected. + | Parameter | Type | Mandatory | Description | - 3. **Entity Processing**: Iterates through all entities in the case, filtering - specifically for those of type 'ADDRESS'. + | --- | --- | --- | --- | - 4. **Internal Enrichment**: For each identified 'ADDRESS' entity, the action determines - its IP type and updates the entity's 'additional_properties' with the result. + | IP Addresses | string | false | Comma-separated list of IP addresses to check. + | - 5. **Result Aggregation**: Consolidates all findings into a JSON result and updates - the entities within the Google SecOps platform. + ### Flow Description - ### Parameters Description: + 1. Retrieve the `IP Addresses` parameter (if provided). - | Parameter | Type | Mandatory | Description | + 2. For each provided IP address, determine if it is IPv4, IPv6, or UNDETECTED + using regex. - | :--- | :--- | :--- | :--- | + 3. Iterate through `target_entities` and filter for `ADDRESS` type. - | IP Addresses | String | No | A comma-separated list of IP addresses to be evaluated. - If left empty, the action will only process existing case entities. | + 4. For each `ADDRESS` entity, determine if it is IPv4, IPv6, or UNDETECTED using + regex. + 5. Update the entity's `additional_properties` with the `IPType`. - ### Additional Notes: + 6. Return the results as a JSON object in the action output. - - This action is a local utility and does not perform any external API calls or - reputation checks. - - The 'IPType' field added to entities will contain one of the following values: - 'IPV4', 'IPV6', or 'UNDETECTED'. + ### Additional Notes + + If no IP addresses are provided in the parameters, the action will only process + the `ADDRESS` entities found in the case. capabilities: can_create_case_comments: false can_create_insight: false @@ -594,10 +607,19 @@ Detect IP Type: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Updates the 'additional_properties' attribute of ADDRESS entities with the detected - IP type (IPv4, IPv6, or UNDETECTED). + Updates the entity's `additional_properties` with the `IPType` (IPv4/IPv6/UNDETECTED). + reasoning: >- + The action performs a local regex calculation to determine the IP type (IPv4/IPv6) + and updates the entity's additional properties. It does not fetch data from + an external or internal source, so it does not meet the criteria for an Enrichment + Action. It mutates internal data by updating entity properties. categories: enrichment: false + reasoning: >- + The action performs a local regex calculation to determine the IP type (IPv4/IPv6) + and updates the entity's additional properties. It does not fetch data from + an external or internal source, so it does not meet the criteria for an Enrichment + Action. entity_usage: entity_types: - ADDRESS @@ -614,6 +636,9 @@ Detect IP Type: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and filters using `if entity.entity_type + == "ADDRESS"`. This means it targets ADDRESS entities, filtering by entity_type. Extract IOCs: action_product_categories: add_alert_comment: false @@ -629,6 +654,11 @@ Extract IOCs: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a utility for extracting IOCs from text. It does not match any + of the defined product categories (Enrich IOC, Contain Host, etc.) because it + does not perform external lookups or system modifications. It is a pure data + processing function. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -646,54 +676,40 @@ Extract IOCs: ai_description: >- ### General Description - The **Extract IOCs** action is a utility designed to parse a provided text string - and identify various Indicators of Compromise (IOCs). It uses regular expressions - and specialized libraries to detect and extract domains, IPv4/IPv6 addresses, - URLs, and email addresses. This is particularly useful for processing unstructured - data like email bodies, log snippets, or threat reports to identify actionable - indicators. + This action extracts Indicators of Compromise (IOCs) such as IP addresses, domains, + URLs, and email addresses from a provided input string. It is a utility action + designed to parse unstructured text for security-relevant data. ### Parameters Description | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + | --- | --- | --- | --- | - | Input String | String | Yes | The raw text string from which the action will - attempt to extract IOCs. | + | Input String | string | true | The raw text or string content to be parsed for + IOCs. | ### Flow Description - 1. **Parameter Extraction**: The action retrieves the `Input String` provided - by the user. + 1. The action retrieves the `Input String` parameter. - 2. **URL Extraction**: Uses the `URLExtract` library to find valid URLs within - the text, performing basic cleaning and validation (e.g., ignoring URLs that are - actually IP addresses). + 2. It uses regular expressions and parsing libraries to identify URLs, domains, + IP addresses, and email addresses within the string. - 3. **Domain Extraction**: For every URL found, the action uses the `tld` library - to extract the Effective Top-Level Domain (e.g., extracting `google.com` from - `https://sub.google.com/path`). + 3. It cleans and validates the extracted data (e.g., removing invalid URLs or + internal IPs if necessary). - 4. **IP Extraction**: Uses regular expressions to find IPv4 and IPv6 patterns, - then validates them using the `ipaddress` library. It filters out invalid formats. + 4. It compiles the findings into a structured JSON object and a summary message. - 5. **Email Extraction**: Uses a comprehensive regular expression to identify email - addresses. - - 6. **Result Compilation**: Aggregates all found indicators into a structured JSON - object and provides a summary message for the action output. + 5. The results are returned to the SOAR platform for further use. ### Additional Notes - - This action does not interact with external threat intelligence services; it - performs local parsing of the input string. - - - It does not automatically create entities in the Google SecOps platform; it - returns the data for use in subsequent playbook steps. + This action is a utility function and does not perform any external API calls + or modifications to the SOAR platform. capabilities: can_create_case_comments: false can_create_insight: false @@ -704,8 +720,15 @@ Extract IOCs: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs text parsing on a provided input string. It does not perform + any external API calls, nor does it modify any internal SOAR data or entities. + It is a utility action. categories: enrichment: false + reasoning: >- + The action does not fetch data from an external source (it processes a local + string), therefore it fails the primary requirement for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -721,6 +744,9 @@ Extract IOCs: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `siemplify.target_entities`. It operates solely + on the provided `Input String` parameter. IP to Integer: action_product_categories: add_alert_comment: false @@ -736,6 +762,10 @@ IP to Integer: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a utility function that converts IP addresses to integers. It + does not perform any of the defined product category actions (e.g., enrichment, + containment, ticketing). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -751,48 +781,16 @@ IP to Integer: update_identity: false update_ticket: false ai_description: >- - ### General Description - - Converts one or more IPv4 addresses into their corresponding integer (long) format. - This utility action is primarily used for data transformation within playbooks, - allowing analysts to normalize IP data for comparison, database lookups, or mathematical - operations. - - - ### Parameters Description - - | Parameter | Description | Type | Mandatory | Notes | - - | :--- | :--- | :--- | :--- | :--- | - - | IP Addresses | A comma-separated list of IPv4 addresses to be converted into - integers. | String | Yes | Expects standard dot-decimal notation (e.g., '192.168.1.1'). - | - - - ### Additional Notes - - - This action performs local computation using standard Python libraries (`socket`, - `struct`) and does not make external API calls. - - - It does not interact with SecOps entities directly; it processes the string - provided in the input parameter. - - - ### Flow Description - - 1. **Input Parsing**: The action retrieves the `IP Addresses` string from the - parameters and splits it into a list, removing any leading or trailing whitespace. - - 2. **Conversion**: For each IP address in the list, it uses `socket.inet_aton` - to convert the string to network bytes and `struct.unpack` to transform those - bytes into a 32-bit unsigned integer. - - 3. **Result Aggregation**: The converted integers are stored in a JSON dictionary - (mapping the original IP to the integer) and a comma-separated string. - - 4. **Output**: The action returns the comma-separated string as the main result - value and attaches the detailed mapping as a JSON result. + General Description: This action converts a comma-separated list of IP addresses + into their corresponding long integer representations. It is a utility function + designed for data transformation within a playbook. Parameters: The action requires + one mandatory parameter: 'IP Addresses' (type: string), which should be a comma-separated + list of IP addresses to be converted. Flow Description: 1. The action retrieves + the 'IP Addresses' parameter. 2. It splits the input string into a list of individual + IP addresses. 3. It iterates through each IP address and converts it to a long + integer using the socket and struct libraries. 4. It stores the mapping of each + IP address to its integer value in a JSON result. 5. It returns the comma-separated + list of integers as the action result value and logs the conversion details. capabilities: can_create_case_comments: false can_create_insight: false @@ -803,8 +801,15 @@ IP to Integer: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a local calculation on input strings provided via parameters. + It does not interact with any external APIs (fetches_data=false) or modify internal + SOAR data such as entities, insights, or case wall logs (can_mutate_internal_data=false). categories: enrichment: false + reasoning: >- + The action is a utility function for data transformation. It does not fetch + data from external sources, which is a requirement for enrichment actions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -820,6 +825,8 @@ IP to Integer: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use target_entities. It processes input provided via parameters. Math Arithmetic: action_product_categories: add_alert_comment: false @@ -835,6 +842,10 @@ Math Arithmetic: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action performs basic arithmetic operations and does not align with any + of the defined security-specific product categories such as enrichment, containment, + or ticketing. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -852,55 +863,43 @@ Math Arithmetic: ai_description: >- ### General Description - The **Math Arithmetic** action is a utility function designed to perform basic - mathematical operations on two provided numerical arguments. It supports addition, - subtraction, multiplication, division, and modulo operations. This action is typically - used within playbooks to perform calculations on data extracted from previous - steps or entities. + The Math Arithmetic action provides a set of built-in mathematical operators to + perform calculations within a SOAR playbook. It allows users to execute basic + arithmetic operations on two provided numeric arguments. ### Parameters Description - | Parameter | Type | Mandatory | Default Value | Description | + | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | :--- | + | :--- | :--- | :--- | :--- | - | **Function** | DDL | Yes | Plus | The mathematical operation to perform. Options: - `Plus`, `Sub`, `Multi`, `Div`, `Mod`. | + | Function | ddl | Yes | The arithmetic operation to perform. Options: Plus, Sub, + Multi, Div, Mod. | - | **Arg 1** | String | Yes | {} | The first numerical argument for the operation. - | + | Arg 1 | string | Yes | The first numeric argument. | - | **Arg 2** | String | Yes | {} | The second numerical argument for the operation. - | + | Arg 2 | string | Yes | The second numeric argument. | - ### Additional Notes + ### Flow Description - - The action attempts to parse the input strings (`Arg 1` and `Arg 2`) into integers - first, and then into floats if integer parsing fails. + 1. The action retrieves the Function, Arg 1, and Arg 2 parameters from the configuration. - - If the `Div` (Division) function is used and `Arg 2` is zero, the action will - fail with a standard Python `ZeroDivisionError`. + 2. It attempts to parse the provided string arguments into numeric values (integer + or float). + 3. Based on the selected Function, it performs the corresponding arithmetic operation + (addition, subtraction, multiplication, division, or modulo). - ### Flow Description + 4. The action returns the calculated result and a descriptive message as the final + output. - 1. **Parameter Retrieval**: The action retrieves the selected mathematical function - and the two input arguments from the integration parameters. - 2. **Data Parsing**: The input strings are converted into numerical types (int - or float). + ### Additional Notes - 3. **Calculation**: Based on the selected `Function`, the action performs the - corresponding arithmetic operation: - - `Plus`: Adds Arg 1 and Arg 2. - - `Sub`: Subtracts Arg 2 from Arg 1. - - `Multi`: Multiplies Arg 1 by Arg 2. - - `Div`: Divides Arg 1 by Arg 2. - - `Mod`: Calculates the remainder of Arg 1 divided by Arg 2. - 4. **Output**: The action returns the calculated result as the `ScriptResult` - and provides a human-readable message summarizing the operation. + This action is a utility tool and does not interact with external systems or modify + internal SOAR data. capabilities: can_create_case_comments: false can_create_insight: false @@ -911,8 +910,17 @@ Math Arithmetic: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs local arithmetic calculations based on user-provided input. + It does not interact with external APIs (fetches_data=false), does not mutate + external systems (can_mutate_external_data=false), and does not modify internal + SOAR data or entities (can_mutate_internal_data=false). categories: enrichment: false + reasoning: >- + The action is a utility function for performing math. It does not fetch data + from external sources or enrich entities, therefore it does not meet the criteria + for an Enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -928,6 +936,9 @@ Math Arithmetic: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with the target_entities object or any entity-related + data. It operates solely on user-provided input parameters. Math Functions: action_product_categories: add_alert_comment: false @@ -943,6 +954,10 @@ Math Functions: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a utility script that performs mathematical operations on input + strings. It does not interact with alerts, tickets, identities, or external + systems. It does not match any of the defined product categories. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -957,31 +972,38 @@ Math Functions: update_email: false update_identity: false update_ticket: false - ai_description: "### General Description\nThe **Math Functions** action provides\ - \ a suite of built-in Python mathematical operations to process numeric data within\ - \ a playbook. It allows users to perform calculations or transformations on a\ - \ list of numbers provided as a comma-separated string. This utility action is\ - \ ideal for data normalization, finding extremes (min/max), or aggregating values\ - \ (sum) during automated workflows.\n\n### Parameters Description\n| Parameter\ - \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| **Function**\ - \ | DDL | Yes | The specific mathematical operation to execute. Options include:\ - \ `Max`, `Min`, `Round`, `Sort`, `Sum`, `Float`, `Hex`, `Int`, `Abs`, and `Display`.\ - \ |\n| **Numbers** | String | Yes | A comma-separated list of numeric values (e.g.,\ - \ \"10, -5, 22.5\") to be processed by the selected function. |\n\n### Flow Description\n\ - 1. **Input Parsing**: The action retrieves the `Numbers` string and splits it\ - \ by commas. It attempts to parse each element into either an integer or a floating-point\ - \ number.\n2. **Function Selection**: Based on the `Function` parameter, the action\ - \ selects the corresponding logic path.\n3. **Execution**: \n * For transformation\ - \ functions (like `Abs`, `Round`, `Int`, `Float`, `Hex`, `Display`), it iterates\ - \ through the list and applies the operation to each number.\n * For aggregation/selection\ - \ functions (like `Max`, `Min`, `Sum`), it applies the operation to the entire\ - \ list to produce a single result.\n * For the `Sort` function, it returns\ - \ the list in ascending order.\n4. **Output Generation**: The results are formatted\ - \ as a JSON array and returned to the SOAR platform. The action also provides\ - \ a human-readable summary message in the action output.\n\n### Additional Notes\n\ - * This action does not interact with external APIs or SecOps entities; it is a\ - \ pure data-processing utility.\n* The `Hex` function specifically requires integer\ - \ inputs; non-integer values in the list will be ignored for this specific operation." + ai_description: >- + The Math Functions action performs various mathematical operations on a provided + list of numbers. It accepts a comma-separated string of numbers and a selected + operation, processes the data, and returns the calculated result. This utility + is designed for data manipulation within a playbook. + + + ### Parameters + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Function | ddl | Yes | The mathematical function to apply (e.g., Max, Min, Sum, + Round, Sort, Float, Hex, Int, Abs, Display). | + + | Numbers | string | Yes | A comma-separated list of numbers to process. | + + + ### Flow + + 1. Retrieve the `Function` and `Numbers` parameters from the action configuration. + + 2. Parse the `Numbers` string into a list of numeric values. + + 3. Apply the selected mathematical function to the list. + + 4. Format the output message and result. + + 5. Add the result to the action output using `add_result_json` and `add_json`. + + 6. Terminate the action with the final output message and result. capabilities: can_create_case_comments: false can_create_insight: false @@ -992,8 +1014,17 @@ Math Functions: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs local mathematical calculations on input parameters provided + by the user. It does not interact with any external APIs, fetch external data, + or modify any internal SOAR data, entities, or alerts. It is a pure utility + action. categories: enrichment: false + reasoning: >- + The action is a utility script for mathematical operations. It does not fetch + data from external sources or perform enrichment on entities. Therefore, it + does not meet the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1009,6 +1040,9 @@ Math Functions: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with entities. It only processes input parameters + provided in the configuration. Ping: action_product_categories: add_alert_comment: false @@ -1024,6 +1058,9 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + This is a connectivity check action ('Ping'). It does not match any of the functional + categories like enrichment, containment, or ticket management. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1041,9 +1078,9 @@ Ping: ai_description: >- ### General Description - Verifies the connectivity and availability of the Google SecOps (Chronicle) environment. - This action is used as a basic health check to ensure that the integration is - correctly configured and can communicate with the platform. + Verifies connectivity between the Google SecOps SOAR platform and the integration. + This action is a standard connectivity check used to ensure the integration is + reachable and operational. ### Parameters Description @@ -1053,16 +1090,16 @@ Ping: ### Additional Notes - This action does not interact with any external APIs or modify any data. It simply - returns a success message if the script execution environment is functional. + This action is a simple connectivity test and does not perform any functional + operations on alerts, entities, or external systems. ### Flow Description - 1. **Initialization**: The action initializes the Siemplify SDK. + 1. The action initializes the `SiemplifyAction` module. - 2. **Connectivity Check**: The action immediately concludes with a success status - and a message indicating that Siemplify is connected. + 2. It immediately terminates the execution with a success message, confirming + that the integration is reachable and operational. capabilities: can_create_case_comments: false can_create_insight: false @@ -1073,8 +1110,14 @@ Ping: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a simple connectivity check. It does not interact with external + APIs, modify any data, or perform any operations on entities or alerts. categories: enrichment: false + reasoning: >- + The action is named 'Ping', which is explicitly excluded from being an enrichment + action per the provided guidelines. It performs no data retrieval or modification. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1090,6 +1133,8 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. Run JSONPath Query: action_product_categories: add_alert_comment: false @@ -1105,6 +1150,9 @@ Run JSONPath Query: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a utility for parsing JSON data. It does not match any of the + specific product categories (Enrich IOC, Ticket creation, etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1122,52 +1170,37 @@ Run JSONPath Query: ai_description: >- ### General Description - The **Run JSONPath Query** action allows users to execute JSONPath expressions - against a provided JSON string. This is a utility function used to parse, filter, - and extract specific values from complex JSON structures within a playbook flow. - It leverages the `jsonpath-ng` library to provide robust querying capabilities - similar to how XPath works for XML. + The 'Run JSONPath Query' action is a utility tool that allows users to extract + specific data points from a JSON string using JSONPath expressions. This is useful + for parsing complex JSON outputs from previous playbook actions or API responses. ### Parameters Description - | Parameter Name | Description | Type | Mandatory | Notes | + | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | :--- | + | :--- | :--- | :--- | :--- | - | **Json** | The raw JSON string or object that you want to query. | Code | Yes - | Must be a valid JSON format. | + | Json | code | Yes | The raw JSON string to be queried. | - | **JSONPath Expression** | The JSONPath syntax used to navigate and extract data - from the input JSON. | String | Yes | Follows standard JSONPath syntax (e.g., - `$.store.book[*].author`). | + | JSONPath Expression | string | Yes | The JSONPath expression used to extract + data from the JSON input. | ### Flow Description - 1. **Parameter Extraction:** The action retrieves the input JSON string and the - JSONPath expression from the user-defined parameters. - - 2. **JSON Parsing:** The input string is converted into a structured JSON object - (Python dictionary). - - 3. **Expression Execution:** The JSONPath expression is parsed and applied to - the JSON object to find all matching elements. + 1. The action retrieves the `Json` input string and the `JSONPath Expression` + from the action parameters. - 4. **Result Compilation:** All matching values are collected into a list under - the `matches` key. + 2. It parses the provided `Json` string into a Python object. - 5. **Output Generation:** The resulting matches are returned as a JSON object - and made available for subsequent playbook steps. + 3. It applies the `JSONPath Expression` to the parsed JSON object to locate matching + elements. + 4. The extracted matches are collected into a result object. - ### Additional Notes - - - This action does not interact with external APIs or modify any Google SecOps - entities; it is a pure data transformation utility. - - - If the JSONPath expression finds no matches, the `matches` list in the output - will be empty. + 5. The final result is added to the action output for use in subsequent playbook + steps. capabilities: can_create_case_comments: false can_create_insight: false @@ -1178,8 +1211,15 @@ Run JSONPath Query: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs local data processing (parsing JSON and applying a query). + It does not interact with external APIs, mutate external systems, or modify + internal SOAR entities/cases. It is a pure utility function. categories: enrichment: false + reasoning: >- + The action does not fetch data from an external source (Rule 1 of enrichment). + It is a data transformation utility. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1195,6 +1235,9 @@ Run JSONPath Query: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not reference `target_entities` or perform any operations on SOAR + entities. It is a generic utility action. SanitizeHTML: action_product_categories: add_alert_comment: false @@ -1210,6 +1253,10 @@ SanitizeHTML: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a utility script for sanitizing HTML fragments. It does not perform + any of the defined product category actions such as enrichment, containment, + ticketing, or alert management. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1225,61 +1272,51 @@ SanitizeHTML: update_identity: false update_ticket: false ai_description: >- - ### General Description - - Sanitizes an HTML fragment by parsing it according to the HTML5 parsing algorithm - and removing or escaping disallowed tags, attributes, and CSS styles. This action - uses the `bleach` library to ensure that the output is safe and well-formed, handling - issues like unclosed or misnested tags. It is primarily used as a utility to clean - up data before it is displayed in the UI or passed to other systems. + The `SanitizeHTML` action parses an HTML fragment and sanitizes it by removing + disallowed tags, attributes, and styles based on user-defined configurations. + This is useful for cleaning potentially malicious or malformed HTML content before + displaying it in reports or logs. ### Parameters Description + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Input HTML | string | Yes | The raw HTML fragment that needs to be sanitized. - | + | Tags | string | No | Comma-separated list of allowed HTML tags. Tags not in + this list will be escaped or stripped. | - | Tags | string | No | A comma-separated list of allowed HTML tags. Tags not in - this list will be escaped or stripped. Default includes common formatting tags - like `a`, `b`, `p`, `div`, etc. | + | Attributes | string | No | Comma-separated list of allowed attributes. | - | Attributes | string | No | A comma-separated list of allowed attributes (e.g., - `href`, `src`). | + | Styles | string | No | Comma-separated list of allowed CSS styles. | - | Styles | string | No | A comma-separated list of allowed CSS properties if the - `style` attribute is permitted (e.g., `color`, `text-align`). | + | Allow All Attributes | boolean | No | If set to True, allows all attributes. + | - | Allow All Attributes | boolean | No | If set to `True`, all attributes will - be allowed for the permitted tags. Default is `False`. | + | Input HTML | string | Yes | The HTML fragment that will be sanitized. | ### Additional Notes - - This action is a utility function and does not interact with external APIs or - SecOps entities. - - If no specific tags, attributes, or styles are provided, the action uses the - default safe set defined by the underlying library logic. + The `Input HTML` parameter is mandatory. Other parameters (`Tags`, `Attributes`, + `Styles`, `Allow All Attributes`) are optional and allow for fine-grained control + over the sanitization process. ### Flow Description - 1. **Parameter Extraction**: The action retrieves the input HTML and the configuration - for allowed tags, attributes, and styles from the action parameters. - 2. **Sanitizer Configuration**: It initializes a CSS sanitizer if specific styles - are provided and determines the attribute filtering logic based on the `Allow - All Attributes` flag. + 1. Extracts configuration parameters (`Tags`, `Attributes`, `Styles`, `Allow All + Attributes`) and the `Input HTML` string. + + 2. Configures the `bleach` library with the provided sanitization rules. - 3. **Sanitization Process**: The action calls the `bleach.clean` method, passing - the input HTML and the configured allow-lists to perform the transformation. + 3. Processes the `Input HTML` using `bleach.clean` based on the provided configuration. - 4. **Result Output**: The sanitized HTML string is returned as the action's result - value, and a success message is logged. + 4. Returns the sanitized HTML string as the action result. capabilities: can_create_case_comments: false can_create_insight: false @@ -1290,8 +1327,16 @@ SanitizeHTML: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a local string transformation using the `bleach` library. + It does not interact with external APIs, modify internal SOAR data, or update + entities. Therefore, it does not fetch data or mutate any system state. categories: enrichment: false + reasoning: >- + The action is a utility script that performs local string manipulation (HTML + sanitization). It does not fetch data from external or internal sources, failing + the primary requirement for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1307,6 +1352,9 @@ SanitizeHTML: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with the `target_entities` list or any entity-specific + identifiers. It is a utility script that processes a raw string input. String Functions: action_product_categories: add_alert_comment: false @@ -1322,6 +1370,10 @@ String Functions: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + This action is a utility for string manipulation and does not perform any of + the defined product-specific operations such as enrichment, containment, ticketing, + or alert management. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1337,25 +1389,30 @@ String Functions: update_identity: false update_ticket: false ai_description: >- - Performs a variety of string manipulation and transformation operations on a provided - input string. This utility action allows users to apply standard Python string - methods, regular expressions, and encoding/decoding logic within a playbook flow. + ### General Description + + The String Functions action provides a suite of utility operations to manipulate + and transform text strings. It allows users to perform common string processing + tasks such as case conversion, regex replacement, base64 encoding/decoding, and + splitting, directly within a SOAR playbook. ### Flow Description - 1. **Parameter Retrieval**: The action retrieves the `Input` string, the selected - `Function`, and optional arguments `Param 1` and `Param 2` from the action configuration. + 1. **Input Retrieval**: The action retrieves the `Input` string, the selected + `Function` to execute, and optional parameters (`Param 1`, `Param 2`) from the + action configuration. - 2. **Placeholder Processing**: For functions like 'Replace' and 'Regex Replace', - it converts the placeholder `_SPACE_` into a literal space character. + 2. **Operation Execution**: Based on the selected `Function`, the action applies + the corresponding Python string method or logic (e.g., `lower()`, `upper()`, `re.sub()`, + `base64.b64encode()`). - 3. **Logic Execution**: Based on the selected function (e.g., Lower, Regex, DecodeBase64), - the action executes the corresponding Python logic using standard libraries (`re`, - `base64`, `json`). + 3. **Result Generation**: The processed string is returned as the action result. + For specific functions like `Split`, the result is also added as a JSON object + to the action's result data. - 4. **Result Output**: The transformed string is returned as the main script result. - For the 'Split' function, the resulting list is also added as a JSON result. + 4. **Completion**: The action terminates and returns the final processed string + to the playbook. ### Parameters Description @@ -1364,25 +1421,22 @@ String Functions: | :--- | :--- | :--- | :--- | - | Input | string | Yes | The source text string to be processed. | + | Input | String | Yes | The input string to be processed. | - | Function | ddl | Yes | The specific operation to perform (e.g., Lower, Upper, - Replace, Regex, Split, etc.). | + | Function | DDL | Yes | The specific string manipulation function to execute + (e.g., Lower, Upper, Regex, Base64). | - | Param 1 | string | No | The first argument for the function. Used as a search - string, regex pattern, or encoding type (e.g., 'UTF-8'). | + | Param 1 | String | No | The first parameter required by certain functions (e.g., + the pattern for Regex or the delimiter for Split). | - | Param 2 | string | No | The second argument for the function. Used as a replacement - string or a joiner for regex results. | + | Param 2 | String | No | The second parameter required by certain functions (e.g., + the replacement string for Regex). | ### Additional Notes - - The placeholder `_SPACE_` can be used in `Param 1` and `Param 2` for replacement - functions to represent a literal space. - - - Base64 functions default to 'UTF-8' if an invalid encoding is provided in `Param - 1`. + This action is a pure utility and does not interact with external systems or modify + SOAR case data. It is designed for data transformation within a playbook workflow. capabilities: can_create_case_comments: false can_create_insight: false @@ -1393,8 +1447,18 @@ String Functions: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs local string manipulation on input parameters provided by + the user. It does not make any external API calls (fetches_data=false), does + not interact with external systems (can_mutate_external_data=false), and does + not modify any internal SOAR case data such as entities, insights, or alert + status (can_mutate_internal_data=false). categories: enrichment: false + reasoning: >- + The action is a utility for string manipulation and does not fetch data from + external sources. Therefore, it does not meet the criteria for an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1410,6 +1474,9 @@ String Functions: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not reference or iterate over `target_entities`. It processes + raw string input provided via parameters. Time Duration Calculator: action_product_categories: add_alert_comment: false @@ -1425,6 +1492,11 @@ Time Duration Calculator: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a utility function for calculating time differences. It does not + perform any security-related operations such as enriching IOCs, updating tickets, + or containing hosts. Therefore, it does not match any of the defined product + categories. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1440,59 +1512,56 @@ Time Duration Calculator: update_identity: false update_ticket: false ai_description: >- - Calculates the time duration or difference between two provided date-time values. - This utility action is designed to help analysts determine the elapsed time between - events, such as the time between an alert creation and a specific log entry, or - the age of an account. It supports custom date formats using strftime syntax and - can dynamically use the current system time. + ### General Description + The Time Duration Calculator is a utility action that calculates the elapsed time + between two provided datetime values. It supports custom date formats and the + 'now' keyword to represent the current time. The action returns the duration in + years, days, hours, minutes, and seconds, providing both a human-readable string + and a structured JSON result. - ### Flow Description: - 1. **Parameter Extraction:** The action retrieves two date-time strings and their - corresponding format strings from the input parameters. + ### Parameters Description - 2. **Date Parsing:** It converts the input strings into Python datetime objects. - If an input is set to "now", it uses the current UTC time. If a date is not timezone-aware, - it automatically localizes it to UTC. + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | - 3. **Duration Calculation:** The action calculates the difference between the - two dates. + | Input DateTime 1 | string | Yes | The first input datetime value. Supports either + strftime format or "now" for the current time. | - 4. **Unit Conversion:** It breaks down the total difference into years, days, - hours, minutes, and seconds. + | Input DateTime 1 Format | string | Yes | The strftime format of the DateTime + string. | - 5. **Output Generation:** The action returns a JSON object containing the breakdown - of the duration and sets the total seconds as the primary result value for use - in playbooks. + | Input DateTime 2 | string | Yes | The second input datetime value. Supports + either strftime format or "now" for the current time. | + | Input DateTime 2 Format | string | Yes | The strftime format of Input DateTime + 2. | - ### Parameters Description: - | Parameter Name | Expected Type | Mandatory | Description | + ### Additional Notes - | :--- | :--- | :--- | :--- | + This action is a pure utility function and does not interact with external systems, + entities, or security alerts. It performs local calculations only. - | Input DateTime 1 | string | Yes | The first input datetime value. Supports either - a formatted string or the keyword "now" for the current time. | - | Input DateTime 1 Format | string | Yes | The strftime format (e.g., %Y-%m-%dT%H:%M:%S%z) - used to parse Input DateTime 1. | + ### Flow Description - | Input DateTime 2 | string | Yes | The second input datetime value. Supports - either a formatted string or the keyword "now" for the current time. | + 1. Extract the four input parameters (DateTime 1, DateTime 1 Format, DateTime + 2, DateTime 2 Format). - | Input DateTime 2 Format | string | Yes | The strftime format used to parse Input - DateTime 2. | + 2. Parse the input strings into datetime objects. If "now" is provided, use the + current UTC time. + 3. Ensure both datetime objects are timezone-aware (localizing to UTC if necessary). - ### Additional Notes: + 4. Calculate the duration between the two datetime objects. - - This action is a local utility and does not interact with external APIs or SecOps - entities. + 5. Format the duration into years, days, hours, minutes, and seconds. - - Timezone awareness is handled automatically; if a timestamp lacks timezone info, - UTC is assumed. + 6. Return the results as a JSON object and set the action result value to the + total duration in seconds. capabilities: can_create_case_comments: false can_create_insight: false @@ -1503,8 +1572,16 @@ Time Duration Calculator: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a local calculation based on provided inputs. It does not + fetch data from external APIs, mutate external systems, or modify internal SOAR + data (entities, insights, or comments). It simply returns the calculated duration + as a JSON result. categories: enrichment: false + reasoning: >- + The action does not fetch data from an external or internal source (Rule 1). + It is a local utility function. Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1520,6 +1597,9 @@ Time Duration Calculator: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not reference `target_entities` or perform any operations on + entities. It is a standalone utility function. XMLtoJson: action_product_categories: add_alert_comment: false @@ -1535,6 +1615,10 @@ XMLtoJson: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a utility function for data conversion (XML to JSON). It does + not perform any of the listed security operations (enrichment, containment, + ticketing, etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1552,40 +1636,35 @@ XMLtoJson: ai_description: >- ### General Description - Converts XML formatted data into a JSON object. This utility action is designed - to transform data structures within a playbook, allowing subsequent actions to - easily access and manipulate data originally provided in XML format. + The XMLtoJson action is a utility designed to convert XML formatted strings into + JSON format. This action is useful for parsing XML data within a playbook, allowing + subsequent steps to process the data as a JSON object. ### Parameters Description - | Parameter | Description | Type | Mandatory | Notes | + | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | :--- | + | :--- | :--- | :--- | :--- | - | xml | The XML formatted string that needs to be converted to JSON. | String - | Yes | Expects a valid XML structure. | + | xml | string | Yes | The XML formatted string to be converted to JSON. | ### Flow Description - 1. **Extract Input:** The action retrieves the XML string from the `xml` input - parameter. + 1. The action extracts the `xml` parameter from the configuration. - 2. **Parsing:** It utilizes the `xmltodict` library to parse the XML string into - a Python dictionary. + 2. It parses the provided XML string using the `xmltodict` library. - 3. **Output Generation:** The resulting dictionary is added to the action's JSON - results, making it available as a JSON object for the rest of the playbook execution. + 3. The resulting JSON object is added to the action result using `siemplify.result.add_result_json`. - 4. **Error Handling:** If the XML is malformed or parsing fails, the action catches - the exception and returns a failed status. + 4. The action completes with a success or failure status. ### Additional Notes - This is a pure data transformation utility and does not interact with any external - APIs or modify any entities within Google SecOps. + This action does not interact with any external systems or entities. It is a pure + data transformation utility. capabilities: can_create_case_comments: false can_create_insight: false @@ -1596,8 +1675,16 @@ XMLtoJson: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action is a utility function that converts an XML string to JSON. It does + not perform any network requests, does not interact with external systems, and + does not modify any internal SecOps data or entities. categories: enrichment: false + reasoning: >- + The action is a data transformation utility. It does not fetch data from external + sources, nor does it modify internal data or entities. Therefore, it does not + meet the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1613,3 +1700,6 @@ XMLtoJson: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. It processes a raw string input + provided as a parameter. diff --git a/content/response_integrations/power_ups/functions/resources/ai/integration_ai_description.yaml b/content/response_integrations/power_ups/functions/resources/ai/integration_ai_description.yaml index 0801c7556..d68b1f945 100644 --- a/content/response_integrations/power_ups/functions/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/power_ups/functions/resources/ai/integration_ai_description.yaml @@ -7,6 +7,18 @@ product_categories: iam_and_identity_management: false itsm: false network_security: false + reasoning: >- + The integration 'functions' is a collection of utility actions designed for data + manipulation, including math, string processing, time conversion, and data parsing + (JSON/XML). It also includes basic entity metadata updates, such as detecting + hash types and IP types. These actions do not interact with external security + systems, fetch threat intelligence, manage assets, or perform security-specific + operations like containment or ticketing. While some actions perform internal + enrichment by updating entity properties (e.g., adding hash type or IP type), + this does not meet the criteria for the defined product categories, which require + specific outcomes like fetching reputation data (Threat Intelligence) or retrieving + asset owner/criticality information (Asset Inventory). Therefore, the integration + does not fit into any of the predefined product categories. siem: false threat_intelligence: false vulnerability_management: false diff --git a/content/response_integrations/power_ups/git_sync/resources/ai/actions_ai_description.yaml b/content/response_integrations/power_ups/git_sync/resources/ai/actions_ai_description.yaml index c7fd78031..f30446d00 100644 --- a/content/response_integrations/power_ups/git_sync/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/power_ups/git_sync/resources/ai/actions_ai_description.yaml @@ -13,6 +13,9 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a diagnostic tool to verify connectivity. It does not match any + of the provided categories (Enrich IOC, Contain Host, etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -28,48 +31,26 @@ Ping: update_identity: false update_ticket: false ai_description: >- - ### General Description - - The **Ping** action is a diagnostic tool used to verify the connectivity and configuration - of the GitSync integration. It ensures that the Google SecOps environment can - successfully communicate with both the internal Chronicle SOAR API and the external - Git repository (via SSH or HTTPS) using the provided credentials and settings. - - - ### Parameters Description - - This action does not have any action-specific input parameters. It utilizes the - global integration configuration parameters, such as the Repository URL, Branch, - Git Credentials, and SOAR API credentials, to perform its connectivity tests. - - - ### Flow Description - - 1. **Configuration Loading**: The action retrieves integration-level settings, - including repository details, authentication tokens, and SSL verification preferences. - - 2. **Author Format Validation**: It validates the `Commit Author` string against - a specific regex pattern (`Name `) to ensure future commits - will be valid. - - 3. **SOAR API Connectivity Test**: It attempts to connect to the Chronicle SOAR - API and retrieve the current system version. A failure here indicates incorrect - SOAR credentials or network issues. - - 4. **Git Repository Connectivity Test**: If a `Git Server Fingerprint` is provided, - the action connects to the remote Git server to verify the SSH host key and attempts - to fetch the repository's head tree. This verifies both the network path and the - Git credentials (SSH key or Token). - - 5. **Final Status**: If all checks pass, the action completes successfully, confirming - the integration is ready for use. - - - ### Additional Notes - - - This action is intended for troubleshooting and initial setup verification. - - - It does not process any entities. + ### General Description The Ping action is a diagnostic tool used to verify the + connectivity and configuration of the GitSync integration. It ensures that the + Google SecOps environment can successfully communicate with both the internal + Chronicle SOAR API and the external Git repository (via SSH or HTTPS) using the + provided credentials and settings. ### Parameters Description This action does + not have any action-specific input parameters. It utilizes the global integration + configuration parameters, such as the Repository URL, Branch, Git Credentials, + and SOAR API credentials, to perform its connectivity tests. ### Flow Description + 1. Configuration Loading: The action retrieves integration-level settings, including + repository details, authentication tokens, and SSL verification preferences. 2. + Author Format Validation: It validates the Commit Author string against a specific + regex pattern (Name ) to ensure future commits will be valid. + 3. SOAR API Connectivity Test: It attempts to connect to the Chronicle SOAR API + and retrieve the current system version. A failure here indicates incorrect SOAR + credentials or network issues. 4. Git Repository Connectivity Test: If a Git Server + Fingerprint is provided, the action connects to the remote Git server to verify + the SSH host key and attempts to fetch the repository's head tree. This verifies + both the network path and the Git credentials (SSH key or Token). 5. Final Status: + If all checks pass, the action completes successfully, confirming the integration + is ready for use. capabilities: can_create_case_comments: false can_create_insight: false @@ -80,8 +61,14 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs connectivity tests (GET requests) to verify the integration + setup. It does not modify any data or state. categories: enrichment: false + reasoning: >- + The action is a diagnostic Ping tool. Per instructions, Actions named Ping must + not be categorized as enrichment actions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -97,3 +84,4 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: The action does not use entities. diff --git a/content/response_integrations/power_ups/git_sync/resources/ai/integration_ai_description.yaml b/content/response_integrations/power_ups/git_sync/resources/ai/integration_ai_description.yaml index 0801c7556..520c2bf5b 100644 --- a/content/response_integrations/power_ups/git_sync/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/power_ups/git_sync/resources/ai/integration_ai_description.yaml @@ -7,6 +7,15 @@ product_categories: iam_and_identity_management: false itsm: false network_security: false + reasoning: "The git_sync integration is a platform administration and utility tool\ + \ designed for version control, configuration management, and CI/CD of the Google\ + \ SecOps SOAR platform. Its primary function is to synchronize platform assets\u2014\ + such as playbooks, integrations, jobs, and connectors\u2014between the SOAR environment\ + \ and external Git repositories. It does not perform security operations, incident\ + \ response, threat intelligence, asset management, or ITSM ticket management as\ + \ defined by the provided categories. It is strictly an administrative tool for\ + \ platform maintenance and infrastructure-as-code workflows, and therefore does\ + \ not align with any of the specified security product categories." siem: false threat_intelligence: false vulnerability_management: false diff --git a/content/response_integrations/power_ups/git_sync/resources/ai/jobs_ai_description.yaml b/content/response_integrations/power_ups/git_sync/resources/ai/jobs_ai_description.yaml index ed4f44f29..4903f402a 100644 --- a/content/response_integrations/power_ups/git_sync/resources/ai/jobs_ai_description.yaml +++ b/content/response_integrations/power_ups/git_sync/resources/ai/jobs_ai_description.yaml @@ -2,12 +2,11 @@ Pull Connector: ai_description: >- ### General Description - The **Pull Connector** job is part of the **GitSync** integration. Its primary - purpose is to synchronize a specific connector's configuration and logic from - a remote Git repository to the Google SecOps (Chronicle) SOAR platform. This job - facilitates version control and automated deployment of connectors, ensuring that - the SOAR environment stays updated with the latest connector definitions, including - optional related components like Visual Families and Ontology Mappings. + This job imports a specific connector from a configured Git repository into the + Google SecOps SOAR platform. It ensures that the SOAR environment is synchronized + with version-controlled connector definitions, and optionally, their associated + visual families and mapping rules, facilitating consistent ingestion configurations + across environments. ### Parameters Description @@ -17,113 +16,138 @@ Pull Connector: | :--- | :--- | :--- | :--- | | Repo URL | String | No | Optional parameter to override the repository URL found - in the integration instance settings. | + in the integration instance. | - | Branch | String | No | Optional parameter to override the Git branch found in - the integration instance settings. | + | Branch | String | No | Optional parameter to override the branch found in the + integration instance. | - | Git Server Fingerprint | String | No | Optional parameter to override the SSH - fingerprint for Git server verification. | + | Git Server Fingerprint | String | No | Optional parameter to override the Git + server fingerprint found in the integration instance. | - | Connector Name | String | Yes | The exact name of the connector to pull from - the Git repository. | + | Connector Name | String | Yes | The name of the connector to pull from the repository. + | - | Include Visual Families | Boolean | No | Whether to pull and install the visual - families associated with the connector's alert types. | + | Include Visual Families | Boolean | No | Whether to include related visual families + that the connector uses. | - | Include Mappings | Boolean | No | Whether to pull and install the ontology mappings - (rules and records) associated with the connector. | + | Include Mappings | Boolean | No | Whether to include related mappings that the + connector uses. | ### Flow Description - 1. **Initialization**: The job extracts the target connector name and configuration - overrides (URL, Branch, Fingerprint) from the job parameters. + 1. Initializes the `GitSyncManager` to interface with the Git repository and the + SOAR API. - 2. **Git Connection**: It initializes the `GitSyncManager` to connect to the specified - Git repository and the SOAR API. + 2. Retrieves the specified connector definition from the Git repository. - 3. **Fetch Connector**: The job searches the repository for the specified connector - definition. + 3. Installs the connector into the SOAR platform. - 4. **Installation**: If found, the job installs or updates the connector in the - SOAR platform using the `install_connector` logic, which also handles integration - dependency checks. + 4. If `Include Visual Families` is enabled, identifies and installs any missing + visual families associated with the connector. - 5. **Dependency Resolution**: If the user opted to include Visual Families or - Mappings, the job retrieves the mapping data for the connector's integration. + 5. If `Include Mappings` is enabled, installs the mapping rules associated with + the connector's integration. +Pull Content: + ai_description: >- + ### General Description - 6. **Visual Family Sync**: If enabled, it identifies visual families referenced - in the mappings that are not yet installed in the SOAR platform and pulls/installs - them from Git. + This job synchronizes content from a Git repository to the Google SecOps (Chronicle) + SOAR platform. It enables the automated deployment and update of various system + components, including integrations, playbooks, jobs, connectors, and configuration + settings. By pulling content from a version-controlled repository, this job ensures + that the SOAR environment remains consistent with the defined infrastructure-as-code + standards. - 7. **Mapping Sync**: If enabled, it installs the ontology mapping rules and records - to ensure incoming alerts are correctly visualized and parsed. -Pull Content: - ai_description: "### General Description\nThis job is a core component of the GitSync\ - \ integration, designed to synchronize and deploy content from a Git repository\ - \ into a Google SecOps (Chronicle) environment. It enables a CI/CD-like workflow\ - \ for SOAR resources, allowing users to pull playbooks, integrations, connectors,\ - \ jobs, and various system settings (like environments, tags, and SLA records)\ - \ from a version-controlled source. This job is essential for promoting content\ - \ between environments (e.g., from Development to Production) or restoring a system\ - \ configuration from a backup.\n\n### Parameters Description\n| Parameter | Type\ - \ | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Repo URL | String\ - \ | No | Optional override for the Git repository URL defined in the integration\ - \ instance. |\n| Branch | String | No | Optional override for the Git branch to\ - \ pull content from. |\n| Git Server Fingerprint | String | No | Optional override\ - \ for the SSH fingerprint used to verify the Git server. |\n| Integrations | Boolean\ - \ | Yes | If enabled, pulls and installs custom integrations and custom code.\ - \ |\n| Playbooks | Boolean | Yes | If enabled, pulls and installs playbooks and\ - \ blocks, updating them based on name. |\n| Jobs | Boolean | Yes | If enabled,\ - \ pulls and installs job definitions. |\n| Connectors | Boolean | Yes | If enabled,\ - \ pulls and installs connector definitions. |\n| Integration Instances | Boolean\ - \ | Yes | If enabled, pulls and configures integration instances; note that passwords\ - \ may be overwritten. |\n| Visual Families | Boolean | Yes | If enabled, pulls\ - \ and updates ontology visual family definitions. |\n| Mappings | Boolean | Yes\ - \ | If enabled, pulls and updates ontology mapping rules. |\n| Environments |\ - \ Boolean | Yes | If enabled, creates or updates environment records. |\n| Dynamic\ - \ Parameters | Boolean | Yes | If enabled, creates or updates environment-specific\ - \ dynamic parameters. |\n| Logo | Boolean | Yes | If enabled, pulls and applies\ - \ the custom company logo. |\n| Case Tags | Boolean | Yes | If enabled, pulls\ - \ and updates case tag definitions. |\n| Case Stages | Boolean | Yes | If enabled,\ - \ pulls and updates case stage definitions. |\n| Case Title Settings | Boolean\ - \ | Yes | If enabled, pulls and applies case title formatting settings. |\n| Case\ - \ Close Reasons | Boolean | Yes | If enabled, pulls and updates custom case closure\ - \ reasons. |\n| Networks | Boolean | Yes | If enabled, pulls and updates network\ - \ definitions. |\n| Domains | Boolean | Yes | If enabled, pulls and updates domain\ - \ alias definitions. |\n| Custom Lists | Boolean | Yes | If enabled, pulls and\ - \ updates custom tracking lists. |\n| Email Templates | Boolean | Yes | If enabled,\ - \ pulls and updates email template definitions. |\n| Blacklists | Boolean | Yes\ - \ | If enabled, pulls and updates blocklist/denylist records. |\n| SLA Records\ - \ | Boolean | Yes | If enabled, pulls and updates SLA definition records. |\n\ - | Simulated Cases | Boolean | Yes | If enabled, pulls and installs simulated cases\ - \ for testing purposes. |\n\n### Flow Description\n1. **Initialization**: The\ - \ job initializes the Git connection using the provided repository URL, branch,\ - \ and credentials (SSH key or Token).\n2. **Repository Sync**: It clones the repository\ - \ to a temporary directory or pulls the latest changes if the repository was previously\ - \ cloned.\n3. **Feature Selection**: The job checks the boolean parameters to\ - \ determine which types of content (e.g., Playbooks, Integrations, Settings) should\ - \ be processed.\n4. **Resource Processing**: For each enabled category, the job\ - \ reads the corresponding JSON or definition files from the Git repository.\n\ - 5. **State Comparison**: It queries the Google SecOps API to identify existing\ - \ resources. It uses an internal validator to match resources by name or unique\ - \ identifiers.\n6. **Deployment (Upsert)**: \n * **Integrations/Connectors/Jobs**:\ - \ Installs or updates the code and definitions.\n * **Playbooks**: Uses a specialized\ - \ installer to handle complex logic, including mapping nested blocks and re-assigning\ - \ integration instances based on the target environment's availability.\n *\ - \ **System Settings**: Updates global configurations like Environments, SLA records,\ - \ and Case Tags.\n7. **Completion**: Logs the results of the synchronization and\ - \ cleans up temporary files." + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Repo URL | String | No | Optional parameter to override the repository URL found + in the integration instance. | + + | Branch | String | No | Optional parameter to override the branch name found + in the integration instance. | + + | Git Server Fingerprint | String | No | Optional parameter to override the Git + server fingerprint found in the integration instance. | + + | Integrations | Boolean | Yes | Pull all custom integrations and custom code. + | + + | Playbooks | Boolean | Yes | Pull all playbooks. Will add or update playbooks + based on their name. | + + | Jobs | Boolean | Yes | Pull all jobs. | + + | Connectors | Boolean | Yes | Pull all connectors. | + + | Integration Instances | Boolean | Yes | Pull all integration instances. Passwords + will be overwritten if not uploaded. | + + | Visual Families | Boolean | Yes | Pulls all visual families. | + + | Mappings | Boolean | Yes | Pulls all the mappings. | + + | Environments | Boolean | Yes | Creates or updates all environments. | + + | Dynamic Parameters | Boolean | Yes | Creates or updates all environment dynamic + parameters. | + + | Logo | Boolean | Yes | Pull custom logo. | + + | Case Tags | Boolean | Yes | Pulls all case tags. | + + | Case Stages | Boolean | Yes | Pulls all case stages. | + + | Case Title Settings | Boolean | Yes | Pulls case title settings. | + + | Case Close Reasons | Boolean | Yes | Pulls custom case close reasons. | + + | Networks | Boolean | Yes | Pull networks. | + + | Domains | Boolean | Yes | Pull domains. | + + | Custom Lists | Boolean | Yes | Pull custom lists. | + + | Email Templates | Boolean | Yes | Pull email templates. | + + | Blacklists | Boolean | Yes | Pull blocklists. | + + | SLA Records | Boolean | Yes | Pull SLA Records. | + + | Simulated Cases | Boolean | Yes | Pull simulated cases. | + + + ### Flow Description + + 1. Initializes the `GitSyncManager` using the provided job parameters to establish + a connection with the Git repository. + + 2. Extracts the enabled content features from the job configuration to determine + which components to synchronize. + + 3. Iterates through each enabled feature (e.g., Playbooks, Integrations, Jobs, + etc.). + + 4. For each feature, it retrieves the content from the Git repository and performs + the corresponding API operations (create or update) in the SOAR platform. + + 5. Utilizes an `id_validator` to ensure that existing records are correctly identified + and updated rather than duplicated. + + 6. Logs the progress of each synchronization step and completes the job. Pull Custom Family: ai_description: >- ### General Description - The **Pull Custom Family** job is part of the **GitSync** integration. Its primary - purpose is to synchronize a specific Visual Family definition from a remote Git - repository into the Google SecOps SOAR platform. This job enables teams to maintain - their ontology configurations (Visual Families) in a version-controlled environment - and deploy them programmatically to SOAR instances. + This job imports a specific custom visual family definition from a configured + Git repository into the Google SecOps (Chronicle) SOAR environment. It ensures + that visual family configurations, which define how entities are visualized and + related, are synchronized from version control to the SOAR platform. ### Parameters Description @@ -132,49 +156,40 @@ Pull Custom Family: | :--- | :--- | :--- | :--- | - | Repo URL | String | No | Optional parameter to override the repository URL defined - in the integration instance settings. | + | Repo URL | String | No | Optional parameter to override the Git repository URL + found in the integration instance. | - | Branch | String | No | Optional parameter to override the Git branch defined - in the integration instance settings. | + | Branch | String | No | Optional parameter to override the Git branch found in + the integration instance. | - | Git Server Fingerprint | String | No | Optional parameter to override the SSH - fingerprint used for Git server verification. | + | Git Server Fingerprint | String | No | Optional parameter to override the Git + server SSH fingerprint found in the integration instance. | - | Family Name | String | Yes | The exact name of the Visual Family to be retrieved - from the repository. | + | Family Name | String | Yes | The name of the visual family to pull from the + repository. | ### Flow Description - 1. **Parameter Extraction**: The job retrieves the target `Family Name` and any - optional Git configuration overrides (URL, Branch, Fingerprint) from the job settings. + 1. Initialize the `GitSyncManager` using the integration's configuration and job + parameters. - 2. **Git Connection**: It initializes the `GitSyncManager`, which establishes - a connection to the Git repository, cloning or pulling the latest changes to a - temporary directory. + 2. Extract the `Family Name` from the job parameters. - 3. **Content Retrieval**: The job searches the repository's directory structure - (specifically under `Ontology/VisualFamilies/`) for a JSON definition matching - the provided `Family Name`. + 3. Query the Git repository for the specified visual family definition. - 4. **Ontology Update**: If the Visual Family is found in the repository, the job - extracts its raw data and sends a request to the Google SecOps API to create or - update the Visual Family in the platform's ontology. + 4. If the visual family is found, import or update the visual family record in + the SOAR system. - 5. **Completion**: The job logs the success or failure of the synchronization - and terminates the script. + 5. Log the success or failure of the import operation. Pull Integration: ai_description: >- ### General Description - The **Pull Integration** job is a core component of the **GitSync** integration, - designed to automate the deployment and synchronization of Google SecOps integrations - from a Git repository. It allows administrators to maintain 'Integration as Code' - by pulling specific integration definitions and scripts from a version-controlled - repository and installing or updating them within the SOAR platform. The job supports - both custom integrations and commercial integrations that have been extended with - custom logic. + This job synchronizes and installs specific integrations from a Git repository + into the Google SecOps SOAR platform. It enables users to maintain version-controlled + integrations and automate the deployment of updates or new integrations based + on a defined whitelist. ### Parameters Description @@ -183,87 +198,42 @@ Pull Integration: | :--- | :--- | :--- | :--- | - | Install Whitelist | String | Yes | A comma-separated list of integration identifiers - (e.g., 'VirusTotal, ServiceNow') to be pulled from the Git repository and installed - or updated. | + | Install Whitelist | String | Yes | A comma-separated list of integration names + to pull from the repository. | - | Repo URL | String | No | The URL of the Git repository (HTTPS or SSH). If provided, - this overrides the default repository URL defined in the integration's configuration. - | + | Repo URL | String | No | The URL of the Git repository. Overrides the value + configured in the integration instance. | - | Branch | String | No | The specific Git branch to pull content from. If provided, - this overrides the default branch defined in the integration's configuration. - | + | Branch | String | No | The Git branch to use. Overrides the value configured + in the integration instance. | - | Git Server Fingerprint | String | No | The SSH fingerprint (SHA256 or MD5) used - to verify the Git server's identity. If provided, this overrides the fingerprint - defined in the integration's configuration. | + | Git Server Fingerprint | String | No | The SSH fingerprint for Git server verification. + Overrides the value configured in the integration instance. | ### Flow Description - 1. **Initialization**: The job extracts the list of integrations to process from - the 'Install Whitelist' and retrieves any provided Git configuration overrides - (URL, Branch, Fingerprint). - - 2. **Git Synchronization**: It initializes a connection to the Git repository, - cloning or pulling the latest changes into a temporary working directory on the - SOAR runner. - - 3. **Content Discovery**: The job iterates through the whitelist, searching the - repository's `Integrations/` directory for the specified integration folders and - their corresponding `.def` (definition) files. - - 4. **Installation Logic**: - * **Custom Integrations**: If the integration is marked as custom, the job - packages the repository files into a ZIP blob and performs a full package import - via the SOAR API. - * **Commercial Integrations**: If the integration is commercial, the job ensures - the base integration is installed (attempting a marketplace installation if missing) - and then iterates through individual components (Actions, Connectors, Jobs, and - Managers) to update their scripts and metadata in the IDE. - 5. **Completion**: The job logs the success or failure of each integration pull - and performs a cleanup of the temporary local repository files. + 1. Parses the `Install Whitelist` parameter to identify the target integrations. + + 2. Initializes the `GitSyncManager` to establish a connection with the configured + Git repository. + + 3. Iterates through the list of requested integrations. + + 4. Fetches the integration definition from the Git repository. + + 5. Installs or updates the integration in the SOAR platform. + + 6. Logs the status of each installation attempt. Pull Jobs: - ai_description: "### General Description\nThe **Pull Jobs** job is part of the **GitSync**\ - \ integration and is designed to synchronize SOAR Job definitions from a remote\ - \ Git repository to the Google SecOps platform. This enables a 'Configuration\ - \ as Code' workflow, allowing administrators to manage job settings\u2014such\ - \ as execution intervals and input parameters\u2014within a version-controlled\ - \ environment and deploy them automatically to the SOAR instance.\n\n### Parameters\ - \ Description\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- |\ - \ :--- | :--- |\n| Job Whitelist | String | Yes | A comma-separated list of the\ - \ specific job names to be retrieved and installed from the Git repository. |\n\ - | Repo URL | String | No | Optional override for the Git repository URL. If not\ - \ provided, the URL from the integration instance configuration is used. |\n|\ - \ Branch | String | No | Optional override for the Git branch to pull from. If\ - \ not provided, the branch from the integration instance configuration is used.\ - \ |\n| Git Server Fingerprint | String | No | Optional override for the SSH fingerprint\ - \ (SHA256 or MD5) used to verify the Git server's identity. |\n\n### Flow Description\n\ - 1. **Parameter Extraction**: The job parses the `Job Whitelist` to identify which\ - \ jobs need to be synchronized.\n2. **Git Initialization**: It initializes the\ - \ `GitSyncManager`, which establishes a connection to the Git repository using\ - \ the provided credentials (SSH key or Token) and overrides.\n3. **Repository\ - \ Sync**: The job clones or pulls the latest state of the repository to a temporary\ - \ working directory.\n4. **Job Retrieval**: For each job specified in the whitelist,\ - \ the job searches the `Jobs/` directory in the repository for a matching JSON\ - \ definition file.\n5. **Dependency Validation**: It verifies that the integration\ - \ associated with the job is already installed in the SOAR environment.\n6. **ID\ - \ Resolution**: The job queries the SOAR API to resolve the internal `jobDefinitionId`\ - \ (from the IDE) and checks if the job already exists to determine whether to\ - \ perform an update or a new installation.\n7. **Installation**: The job pushes\ - \ the configuration to the SOAR platform, updating the job's settings, parameters,\ - \ and run intervals.\n8. **Completion**: The script logs the success or failure\ - \ of each job pull and terminates." -Pull Mappings: ai_description: >- ### General Description - This job is part of the GitSync integration and is designed to synchronize ontology - mappings from a Git repository to Google SecOps. It allows administrators to manage - alert mapping rules and visual family associations in a version-controlled environment - and deploy them automatically to the SOAR platform. The job specifically targets - mappings associated with a provided 'Source' (integration identifier or vendor). + This job is part of the `GitSync` integration, designed to synchronize specific + job configurations from a version-controlled Git repository into the Google SecOps + (Chronicle) SOAR platform. It enables automated deployment and updates of job + definitions, ensuring consistency across environments by pulling the latest configurations + directly from the repository. ### Parameters Description @@ -272,47 +242,82 @@ Pull Mappings: | :--- | :--- | :--- | :--- | - | Repo URL | String | No | Optional parameter to override the repository URL configured - in the integration instance. | + | Job Whitelist | String | Yes | A comma-separated list of job names to be pulled + from the Git repository. | - | Branch | String | No | Optional parameter to override the Git branch used for - synchronization. | + | Repo URL | String | No | The URL of the Git repository. Overrides the value + defined in the integration instance. | - | Git Server Fingerprint | String | No | Optional parameter to override the SSH - fingerprint for Git server verification. | + | Branch | String | No | The Git branch to pull from. Overrides the value defined + in the integration instance. | - | Source | String | Yes | The integration identifier or vendor name. The job pulls - all mappings related to this source from the repository (e.g., 'VirusTotal'). - | + | Git Server Fingerprint | String | No | The SSH fingerprint for the Git server. + Overrides the value defined in the integration instance. | ### Flow Description - 1. **Parameter Extraction**: The job retrieves the 'Source' parameter and any - optional Git configuration overrides. + 1. Parses the `Job Whitelist` parameter to identify the specific jobs to be synchronized. + + 2. Initializes the `GitSyncManager` using the current SOAR job context and configuration + parameters. + + 3. Iterates through the list of requested job names. + + 4. Fetches the corresponding job definition from the Git repository using the + `GitContentManager`. - 2. **Git Initialization**: Initializes the GitSync manager to establish a connection - with the remote repository and pull the latest changes to a local temporary directory. + 5. Installs or updates the job definition within the SOAR platform using the `GitSyncManager`. + + 6. Logs the status of each operation, providing visibility into the synchronization + process. +Pull Mappings: + ai_description: >- + ### General Description + + This job synchronizes ontology mapping rules from a Git repository to the Google + SecOps SOAR platform. It ensures that mapping configurations, including rules + and visual family associations, are kept consistent with the version-controlled + definitions stored in the repository. - 3. **Content Retrieval**: Locates the mapping files within the repository under - the path `Ontology/Mappings/{Source}/`, specifically looking for record and rule - JSON files. - 4. **Ontology Update**: Parses the retrieved mapping rules and updates the Google - SecOps ontology by adding or updating mapping rules for family and system fields. + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | - 5. **Visual Family Association**: Updates the platform's visualization settings - by linking the specified products and event names to their respective visual families - as defined in the repository. + | Repo URL | String | No | Optional parameter to override the Git repository URL + found in the integration instance. | + + | Branch | String | No | Optional parameter to override the branch name found + in the integration instance. | + + | Git Server Fingerprint | String | No | Optional parameter to override the Git + server SSH fingerprint found in the integration instance. | + + | Source | String | Yes | The mapping source identifier (e.g., integration name + or vendor) to pull from the repository. | + + + ### Flow Description + + 1. Initializes the `GitSyncManager` using the provided configuration and credentials. + + 2. Fetches the mapping definitions (rules and records) for the specified `Source` + from the Git repository. + + 3. Installs or updates the mapping rules and visual family associations in the + SOAR platform based on the fetched data. Pull Playbook: ai_description: >- ### General Description - This job automates the retrieval and installation of specific playbooks and playbook - blocks from a Git repository into the Google SecOps (Chronicle) SOAR platform. - It allows teams to maintain version-controlled workflows in Git and selectively - synchronize them to the SOAR environment, ensuring that automation logic is consistent - and up to date. + The **Pull Playbook** job is a utility within the GitSync integration designed + to synchronize specific automation workflows from a Git repository to the Google + SecOps SOAR platform. It enables users to selectively pull and install playbooks + and their associated blocks, ensuring that automation logic remains consistent + and up-to-date with the version-controlled repository. ### Parameters Description @@ -321,51 +326,45 @@ Pull Playbook: | :--- | :--- | :--- | :--- | - | Repo URL | String | No | Optional parameter to override the repository URL defined - in the integration instance settings. | + | Repo URL | String | No | The URL of the Git repository. Overrides the instance-level + setting if provided. | - | Branch | String | No | Optional parameter to override the Git branch defined - in the integration instance settings. | + | Branch | String | No | The specific Git branch to pull from. Overrides the instance-level + setting if provided. | - | Git Server Fingerprint | String | No | Optional parameter to override the SSH - fingerprint used for Git server verification. | + | Git Server Fingerprint | String | No | The SSH fingerprint for the Git server. + Overrides the instance-level setting if provided. | | Playbook Whitelist | String | Yes | A comma-separated list of playbook names - to pull from the repository. | + to be pulled from the repository. | - | Include Playbook Blocks | Boolean | Yes | If set to True, the job automatically - identifies and pulls any playbook blocks referenced by the playbooks in the whitelist. - | + | Include Playbook Blocks | Boolean | Yes | If set to True, the job will also + pull and install any blocks associated with the specified playbooks. | ### Flow Description - 1. **Initialization**: The job extracts configuration parameters and initializes - the GitSync manager to establish a connection with the Git repository. - - 2. **Playbook Discovery**: It iterates through the provided whitelist and attempts - to locate the corresponding playbook files within the repository's directory structure. + 1. **Initialization**: The job initializes the `GitSyncManager` using the provided + job parameters and integration settings. - 3. **Dependency Mapping**: If the "Include Playbook Blocks" flag is enabled, the - job parses the retrieved playbooks to identify any nested blocks and fetches them - from the repository as well. + 2. **Parsing**: It parses the `Playbook Whitelist` parameter to identify the target + playbooks. - 4. **Workflow Installation**: The job passes the collected playbooks and blocks - to the installation logic, which handles the creation of new workflows or the - updating of existing ones. - - 5. **ID and Environment Alignment**: During installation, the job automatically - maps environment names, reconciles internal identifiers with existing local versions, - and updates the local modification cache to track synchronization state. + 3. **Fetching**: For each playbook in the whitelist: + * Retrieves the playbook definition from the Git repository. + * If `Include Playbook Blocks` is enabled, it recursively identifies and retrieves + all blocks involved in the playbook. + 4. **Installation**: Once all required playbooks and blocks are collected, the + job invokes the `GitSyncManager` to install or update these workflows within the + SOAR platform. Pull Simulated Cases: ai_description: >- ### General Description - This job is part of the **GitSync** integration and is designed to automate the - import of simulated cases from a Git repository into Google SecOps. It allows - security teams to maintain simulation content (used for testing playbooks or training) - in a version-controlled environment and synchronize specific cases to the SOAR - platform on demand or on a schedule. + This job imports specific simulated cases from a configured Git repository into + the Google SecOps (SOAR) platform. It enables users to synchronize test or simulation + data stored in version control directly into the SOAR environment for investigation + testing or training purposes. ### Parameters Description @@ -375,45 +374,40 @@ Pull Simulated Cases: | :--- | :--- | :--- | :--- | | Simulated Cases | String | Yes | A comma-separated list of simulated case names - to pull from the repository (e.g., "Phishing_Simulation, Malware_Test"). | + to pull from the repository. | - | Repo URL | String | No | Optional parameter to override the Git repository URL + | Repo URL | String | No | The URL of the Git repository. Overrides the value configured in the integration instance. | - | Branch | String | No | Optional parameter to override the Git branch configured + | Branch | String | No | The Git branch to use. Overrides the value configured in the integration instance. | - | Git Server Fingerprint | String | No | Optional parameter to override the SSH - fingerprint (SHA256 or MD5) for the Git server. | + | Git Server Fingerprint | String | No | The SSH fingerprint for the Git server. + Overrides the value configured in the integration instance. | ### Flow Description - 1. **Parameter Extraction**: The job parses the `Simulated Cases` string into - a list of individual case names. + 1. Extracts the list of simulated case names from the job parameters. + + 2. Initializes the `GitSyncManager` to establish a connection with the configured + Git repository. - 2. **Manager Initialization**: It initializes the `GitSyncManager`, which handles - the connection to the Git repository and the Google SecOps API. + 3. Iterates through each requested case name provided in the input. - 3. **Content Retrieval**: For each specified case name, the job queries the Git - repository's `SimulatedCases/` directory to retrieve the corresponding `.case` - file content. + 4. Retrieves the specific case definition from the Git repository using the `GitContentManager`. - 4. **Platform Import**: The job sends the retrieved case data to the Google SecOps - API to import or update the simulated case in the platform. + 5. Imports the retrieved case definition into the SOAR platform via the API. - 5. **Logging and Completion**: It logs the success or failure of each individual - case import and terminates the script once the list is processed. + 6. Logs the success or failure of each case import operation. Push Connectors: ai_description: >- ### General Description - The **Push Connectors** job exports specific connector configurations from Google - SecOps to a Git repository. This job facilitates version control and portability - of connector settings, allowing users to back up or migrate connector definitions. - Beyond the connector itself, the job can optionally package associated ontology - components, such as mapping rules and visual families, ensuring that the entire - ingestion logic for a specific integration is preserved in the repository. + This job exports specific connector configurations from Google SecOps to a configured + Git repository. It enables version control for connector definitions, allowing + users to synchronize their connector settings, including optional associated ontology + mappings and visual families, to a remote Git branch. ### Parameters Description @@ -422,124 +416,58 @@ Push Connectors: | :--- | :--- | :--- | :--- | - | Commit | String | Yes | The commit message to be used for the Git transaction. - | + | Commit | String | Yes | The commit message for the Git push operation. | | Connectors | String | Yes | A comma-separated list of connector display names - to be pushed to the repository. | + to export. | - | Branch | String | No | Optional parameter to override the Git branch defined - in the integration instance. | + | Branch | String | No | The target Git branch (overrides integration settings). + | - | Git Server Fingerprint | String | No | Optional parameter to override the SSH - fingerprint for the Git server. | + | Git Server Fingerprint | String | No | The SSH fingerprint for the Git server + (overrides integration settings). | - | Repo URL | String | No | Optional parameter to override the repository URL defined - in the integration instance. | + | Repo URL | String | No | The URL of the Git repository (overrides integration + settings). | - | Commit Author | String | No | Optional parameter to override the commit author - (Format: `Name `). | + | Commit Author | String | No | The author name and email for the commit (overrides + integration settings). | - | Include Visual Families | Boolean | No | If set to `true`, the job will identify - and export visual families associated with the connector's mappings. | + | Include Visual Families | Boolean | No | Whether to include related visual families + in the export. | - | Include Mappings | Boolean | No | If set to `true`, the job will export the - ontology mapping rules and records associated with the connector's integration. - | + | Include Mappings | Boolean | No | Whether to include related ontology mappings + in the export. | - | Readme Addon | String | No | Markdown text to append to the end of the README - file for all connectors pushed during this run. | + | Readme Addon | String | No | Markdown content to append to the connector's README + file. | ### Flow Description - 1. **Initialization**: The job initializes the `GitSyncManager`, which clones - or pulls the latest state of the target Git repository and validates the connection. + 1. Initializes the GitSyncManager using the provided job parameters and integration + settings. - 2. **Connector Filtering**: It retrieves all installed connectors from the SOAR - environment and filters them to match the names provided in the `Connectors` parameter. + 2. Retrieves the list of installed connectors from the SOAR platform. - 3. **Metadata Update**: If a `Readme Addon` is provided, the job updates the `GitSync.json` - metadata file to include the additional documentation for the selected connectors. + 3. Filters the connectors based on the provided Connectors parameter. - 4. **Connector Export**: For each matching connector, the job generates the JSON - definition and a README file, then stages them for the Git commit. - - 5. **Ontology Enrichment (Optional)**: - * If **Include Mappings** is enabled, the job fetches all ontology records - and mapping rules associated with the connector's parent integration and stages - them. - * If **Include Visual Families** is enabled, the job identifies the specific - visual families used by those mappings and exports their definitions and icons - (PNG). - 6. **Finalization**: The job performs a Git commit with the provided message and - author details, then pushes the changes to the remote repository. + 4. For each matching connector: + * Optionally adds a README addon if provided. + * Pushes the connector definition to the Git repository. + * If Include Mappings is enabled, fetches and pushes associated ontology mappings. + * If Include Visual Families is enabled, fetches and pushes associated visual + families. + 5. Commits the changes to the Git repository with the specified commit message + and pushes them to the remote branch. Push Content: - ai_description: "### General Description\nThis job automates the backup and version\ - \ control of Google SecOps (Chronicle) platform content by pushing it to a Git\ - \ repository. It allows administrators to synchronize a wide range of platform\ - \ components\u2014including playbooks, integrations, connectors, and system settings\u2014\ - to a remote repository for configuration management, auditing, and disaster recovery\ - \ purposes. The job supports granular control over which content types are synchronized\ - \ and provides options to override repository configurations and handle sensitive\ - \ data like passwords.\n\n### Parameters Description\n| Parameter | Type | Mandatory\ - \ | Description |\n| :--- | :--- | :--- | :--- |\n| Commit | String | Yes | The\ - \ commit message to be used for the Git operation. |\n| Repo URL | String | No\ - \ | Optional parameter to override the repository URL defined in the integration\ - \ instance. |\n| Branch | String | No | Optional parameter to override the target\ - \ Git branch. |\n| Git Server Fingerprint | String | No | Optional parameter to\ - \ override the SSH fingerprint for server verification. |\n| Commit Author | String\ - \ | No | Optional parameter to override the commit author (Format: `Name `).\ - \ |\n| Commit Passwords | Boolean | Yes | If set to true, includes passwords in\ - \ the synchronization. **Warning:** Use only for testing; never commit passwords\ - \ to production repositories. |\n| Integrations | Boolean | Yes | Whether to push\ - \ all custom and commercial integrations. |\n| Playbooks | Boolean | Yes | Whether\ - \ to push all playbooks and blocks. |\n| Jobs | Boolean | Yes | Whether to push\ - \ all defined jobs. |\n| Connectors | Boolean | Yes | Whether to push all defined\ - \ connectors. |\n| Integration Instances | Boolean | Yes | Whether to push integration\ - \ instance configurations across all environments. |\n| Visual Families | Boolean\ - \ | Yes | Whether to push custom visual families from the ontology. |\n| Mappings\ - \ | Boolean | Yes | Whether to push ontology mapping rules and records. |\n| Environments\ - \ | Boolean | Yes | Whether to push environment definitions. |\n| Dynamic Parameters\ - \ | Boolean | Yes | Whether to push environment-specific dynamic parameters. |\n\ - | Logo | Boolean | Yes | Whether to push the platform logo settings. |\n| Case\ - \ Tags | Boolean | Yes | Whether to push case tag definitions. |\n| Case Stages\ - \ | Boolean | Yes | Whether to push case stage definitions. |\n| Case Title Settings\ - \ | Boolean | Yes | Whether to push case title formatting settings. |\n| Case\ - \ Close Reasons | Boolean | Yes | Whether to push case close reasons and root\ - \ causes. |\n| Networks | Boolean | Yes | Whether to push network definitions.\ - \ |\n| Domains | Boolean | Yes | Whether to push domain records. |\n| Custom Lists\ - \ | Boolean | Yes | Whether to push custom tracking lists. |\n| Email Templates\ - \ | Boolean | Yes | Whether to push email templates. |\n| Blacklists | Boolean\ - \ | Yes | Whether to push denylist/blocklist records. |\n| SLA Records | Boolean\ - \ | Yes | Whether to push SLA definition records. |\n| Simulated Cases | Boolean\ - \ | Yes | Whether to push simulated cases used for testing. |\n\n### Flow Description\n\ - 1. **Initialization**: The job initializes the `GitSyncManager`, which sets up\ - \ a temporary working directory and establishes a connection to the Git repository\ - \ using the provided credentials and configuration overrides.\n2. **Feature Selection**:\ - \ It evaluates the boolean parameters to determine which platform components (features)\ - \ are selected for synchronization.\n3. **Content Extraction**: For each enabled\ - \ feature, the job calls the SecOps API to fetch the relevant data:\n * **Integrations/Playbooks/Connectors**:\ - \ Exports the packages or definitions and prepares them for Git storage.\n \ - \ * **Settings**: Retrieves system-wide configurations like Networks, SLA records,\ - \ and Case Tags.\n * **Integration Instances**: Iterates through environments\ - \ to fetch instance settings, optionally including passwords if the `Commit Passwords`\ - \ flag is enabled.\n4. **Staging**: The extracted content is formatted into JSON\ - \ or appropriate file types and staged in the local Git tree managed by the `GitSyncManager`.\n\ - 5. **Commit and Push**: Once all selected content is staged, the job generates\ - \ a root `README.md` summarizing the repository content, performs a Git commit\ - \ with the specified message, and pushes the changes to the remote repository." -Push Custom Family: ai_description: >- ### General Description - The **Push Custom Family** job is part of the **GitSync** integration. Its primary - purpose is to export custom Visual Families (ontology visualization configurations) - from the Google SecOps platform to a Git repository. This enables version control, - backup, and the ability to synchronize visualization rules across different environments. - The job retrieves the full configuration of specified families, including their - rules and associated icons, and pushes them to the repository along with generated - documentation. + This job synchronizes various configuration and content items from the Google + SecOps (Chronicle) SOAR platform to a Git repository. It serves as a version control + and backup mechanism for the platform's assets, ensuring that changes to integrations, + playbooks, jobs, and other settings are tracked and stored in a remote Git repository. ### Parameters Description @@ -548,63 +476,89 @@ Push Custom Family: | :--- | :--- | :--- | :--- | - | Commit | String | Yes | The commit message to use when pushing changes to the - Git repository. | + | Commit | String | Yes | The commit message for the Git push. | - | Repo URL | String | No | Optional override for the Git repository URL configured - in the integration instance. | + | Repo URL | String | No | Optional override for the Git repository URL. | - | Branch | String | No | Optional override for the Git branch configured in the - integration instance. | + | Branch | String | No | Optional override for the Git branch. | + + | Git Server Fingerprint | String | No | Optional override for the Git server + fingerprint. | + + | Commit Author | String | No | Optional override for the commit author. | + + | Commit Passwords | Boolean | Yes | If true, commits passwords to the repository + (use with caution). | + + | Integrations | Boolean | Yes | Push all integrations. | + + | Playbooks | Boolean | Yes | Push all playbooks. | + + | Jobs | Boolean | Yes | Push all defined jobs. | + + | Connectors | Boolean | Yes | Push all defined connectors. | + + | Integration Instances | Boolean | Yes | Push all integration instances. | + + | Visual Families | Boolean | Yes | Push all visual families. | + + | Mappings | Boolean | Yes | Push all mappings. | + + | Environments | Boolean | Yes | Push all environments. | + + | Dynamic Parameters | Boolean | Yes | Push all dynamic parameters. | - | Git Server Fingerprint | String | No | Optional override for the SSH fingerprint - of the Git server for verification. | + | Logo | Boolean | Yes | Push logo settings. | - | Commit Author | String | No | Optional override for the commit author (e.g., - "John Doe "). | + | Case Tags | Boolean | Yes | Push all case tags. | - | Family Name | String | Yes | A comma-separated list of the names of custom visual - families to export. | + | Case Stages | Boolean | Yes | Push Case stages. | - | Readme Addon | String | No | Optional Markdown text to append to the README.md - file of the exported visual families. | + | Case Title Settings | Boolean | Yes | Push case title settings. | + + | Case Close Reasons | Boolean | Yes | Push all case close reasons. | + + | Networks | Boolean | Yes | Push all networks. | + + | Domains | Boolean | Yes | Push all domain records. | + + | Custom Lists | Boolean | Yes | Push all custom lists. | + + | Email Templates | Boolean | Yes | Push all email templates. | + + | Blacklists | Boolean | Yes | Push all blocklist records. | + + | SLA Records | Boolean | Yes | Push all SLA Records. | + + | Simulated Cases | Boolean | Yes | Push all simulated cases. | ### Flow Description - 1. **Initialization**: The job extracts the commit message, the list of visual - family names to export, and any optional configuration overrides. + 1. Initializes the `GitSyncManager` using the provided job parameters and credentials. - 2. **Git Setup**: It initializes the GitSync manager, which clones the remote - repository or pulls the latest changes into a temporary working directory. + 2. Iterates through the enabled content types (e.g., Integrations, Playbooks, + Jobs, Connectors, etc.) as specified by the job parameters. - 3. **Data Retrieval**: The job queries the Google SecOps API to fetch all custom - visual families defined in the system. + 3. For each enabled content type, fetches the corresponding data from the SOAR + platform. - 4. **Filtering**: It iterates through the retrieved families and identifies those - that match the names provided in the `Family Name` parameter. + 4. Performs necessary data sanitization, such as removing sensitive information + or adjusting identifiers for integration instances. - 5. **Metadata Update**: If a `Readme Addon` is provided, the job updates the GitSync - metadata file (`GitSync.json`) to include the additional documentation for the - selected families. + 5. Updates the local Git repository with the fetched and processed content. - 6. **Staging**: For each matching family, the job retrieves the full data (including - rules and the base64-encoded image) and stages the corresponding JSON, PNG, and - README files in the local repository structure. + 6. Commits the changes to the Git repository using the provided commit message. - 7. **Commit and Push**: Finally, the job commits the staged changes with the provided - commit message and pushes the new commit to the remote Git repository. -Push Integration: + 7. Pushes the commit to the remote Git repository. +Push Custom Family: ai_description: >- ### General Description - The **Push Integration** job automates the synchronization of Google SecOps (Chronicle) - integrations from the SOAR environment to a remote Git repository. It enables - version control for both custom and commercial integrations by exporting their - definitions, scripts, and resources, and then committing them to a specified Git - branch. This job is essential for maintaining a 'Configuration as Code' workflow, - allowing teams to track changes, collaborate on integration development, and maintain - a backup of their SOAR logic in a centralized repository. + This job exports specific custom visual families from the Google SecOps environment + to a configured Git repository. It facilitates version control for custom visual + families, allowing users to push updates to a remote Git branch with optional + custom readme documentation. ### Parameters Description @@ -613,63 +567,49 @@ Push Integration: | :--- | :--- | :--- | :--- | - | Commit | String | Yes | The commit message to be used for the Git operation. - | + | Commit | String | Yes | The commit message for the Git operation. | - | Push Whitelist | String | Yes | A comma-separated list of integration identifiers - (e.g., 'VirusTotal, ServiceNow') that should be exported and pushed to the repository. + | Family Name | String | Yes | The name(s) of the visual family to push (comma-separated). | - | Repo URL | String | No | Optional override for the Git repository URL defined - in the integration instance settings. | + | Repo URL | String | No | Optional override for the Git repository URL. | - | Branch | String | No | Optional override for the target Git branch defined in - the integration instance settings. | + | Branch | String | No | Optional override for the target Git branch. | - | Git Server Fingerprint | String | No | Optional override for the SSH fingerprint - (SHA256 or MD5) used to verify the Git server's identity. | + | Git Server Fingerprint | String | No | Optional override for the Git server + SSH fingerprint. | - | Commit Author | String | No | Optional override for the commit author. Must - follow the format: `Name `. | + | Commit Author | String | No | Optional override for the commit author (format: + Name ). | - | Readme Addon | String | No | Optional markdown text to append to the end of - the generated README.md file for every integration pushed during this execution. - | + | Readme Addon | String | No | Markdown content to append to the visual family's + README.md file. | ### Flow Description - 1. **Initialization**: The job initializes the GitSync manager, which handles - the local cloning or pulling of the target Git repository and establishes a connection - to the Google SecOps API. + 1. Initializes the `GitSyncManager` using the provided integration settings. - 2. **Integration Filtering**: It retrieves all available IDE items (integrations) - from the SOAR environment and filters them against the provided **Push Whitelist**. + 2. Retrieves all custom visual families from the Google SecOps environment. - 3. **Package Export**: For each integration in the whitelist, the job exports - the full integration package (including scripts, definitions, and dependencies) - from the SOAR platform. + 3. Filters the retrieved families to match the names provided in the `Family Name` + parameter. - 4. **Metadata & Documentation**: If a **Readme Addon** is provided, the job updates - the `GitSync.json` metadata file. It then generates or updates the `README.md` - for the integration, incorporating the addon text. + 4. If a `Readme Addon` is provided, updates the `GitSync.json` metadata file for + the corresponding visual family. - 5. **Staging**: The job prepares the file structure within the local repository - clone, overwriting the existing integration folders with the newly exported data. + 5. Pushes the visual family data (JSON definition and image) to the Git repository. - 6. **Commit and Push**: Finally, the job creates a Git commit with the specified - **Commit** message and author, and pushes the changes to the remote repository - branch. -Push Job: + 6. Commits the changes to the Git repository with the specified commit message + and pushes them to the remote branch. +Push Integration: ai_description: >- ### General Description - The **Push Job** is a maintenance utility designed to export specific SOAR job - configurations and metadata from Google SecOps to a remote Git repository. This - job facilitates version control and backup of automation logic by synchronizing - job definitions, including their parameters and run intervals, into a structured - repository format. It allows users to specify a whitelist of jobs to export and - provides the ability to append custom documentation to the generated README files. + This job synchronizes selected integrations from the Google SecOps environment + to a configured Git repository. It enables automated version control for integrations + by allowing users to specify a whitelist of integrations to push, customize README + documentation, and commit changes to a designated branch. ### Parameters Description @@ -678,60 +618,50 @@ Push Job: | :--- | :--- | :--- | :--- | - | Commit | String | Yes | The commit message to be used for the Git operation. - | + | Commit | String | Yes | The commit message for the Git push operation. | - | Repo URL | String | No | Optional override for the Git repository URL defined - in the integration instance. | + | Push Whitelist | String | Yes | A comma-separated list of integration identifiers + to push to the repository. | - | Branch | String | No | Optional override for the target Git branch defined in - the integration instance. | + | Repo URL | String | No | The URL of the Git repository (overrides instance settings). + | - | Git Server Fingerprint | String | No | Optional override for the Git server - SSH fingerprint (SHA256 or MD5). | + | Branch | String | No | The target Git branch (overrides instance settings). + | - | Commit Author | String | No | Optional override for the commit author. Must - follow the format: `Name `. | + | Git Server Fingerprint | String | No | The SSH fingerprint for the Git server + (overrides instance settings). | - | Job Whitelist | String | Yes | A comma-separated list of job names to be exported - to the repository. | + | Commit Author | String | No | The author name and email for the commit (overrides + instance settings). | - | Readme Addon | String | No | Markdown text to append to the end of the README - file for every job pushed during this run. | + | Readme Addon | String | No | Markdown content to append to the README file of + the pushed integrations. | ### Flow Description - 1. **Initialization**: The job initializes the `GitSyncManager`, which establishes - a connection to the remote Git repository and the SOAR API, applying any provided - parameter overrides (URL, Branch, Author). - - 2. **Job Retrieval**: Fetches all installed jobs from the Google SecOps environment - via the API. - - 3. **Filtering**: Filters the retrieved jobs based on the `Job Whitelist`. It - automatically excludes internal system jobs (e.g., Monitors) and jobs belonging - to the `GitSync` integration itself to prevent recursion. + 1. Initializes the `GitSyncManager` using the provided configuration parameters. - 4. **Content Preparation**: For each whitelisted job, it generates the job definition - JSON. If a `Readme Addon` is provided, it updates the GitSync metadata to include - this documentation for the specific job. + 2. Parses the `Push Whitelist` to identify which integrations to process. - 5. **Documentation Generation**: Updates the individual job README files and regenerates - the repository's root README to reflect the current state of exported jobs. + 3. Retrieves the list of available integrations from the Google SecOps IDE. - 6. **Synchronization**: Commits the changes to the local repository clone using - the provided commit message and pushes the updates to the remote Git server. -Push Mappings: + 4. Iterates through the whitelisted integrations: + - Exports the integration package. + - Optionally appends the `Readme Addon` to the integration's metadata file + (`GitSync.json`). + - Pushes the integration files to the Git repository. + 5. Commits the changes to the Git repository with the provided `Commit` message + and pushes them to the remote server. +Push Job: ai_description: >- ### General Description - This job exports ontology mappings from Google SecOps to a Git repository. It - identifies mapping records and rules associated with a specific source, cleanses - the data (such as removing example event fields), and synchronizes them to the - repository for version control and configuration management. This ensures that - mapping logic for specific integrations or products is backed up and can be shared - across environments. + This job automates the synchronization of specific Google SecOps (Chronicle) jobs + to a remote Git repository. It allows users to select specific jobs via a whitelist, + apply custom documentation (readme addons), and commit these changes to a version-controlled + repository to maintain a backup or version history of job configurations. ### Parameters Description @@ -740,62 +670,81 @@ Push Mappings: | :--- | :--- | :--- | :--- | - | Commit | String | Yes | The commit message to be used for the Git operation. + | Commit | String | Yes | The commit message used for the Git push operation. | - | Repo URL | String | No | Optional parameter to override the repository URL configured - in the integration instance. | + | Job Whitelist | String | Yes | A comma-separated list of job names to be pushed + to the repository. | - | Branch | String | No | Optional parameter to override the Git branch configured - in the integration instance. | + | Repo URL | String | No | The URL of the Git repository (overrides the integration + instance setting). | - | Git Server Fingerprint | String | No | Optional parameter to override the SSH - fingerprint used for Git server verification. | + | Branch | String | No | The target Git branch (overrides the integration instance + setting). | - | Commit Author | String | No | Optional parameter to override the commit author - (Format: "Name "). | + | Git Server Fingerprint | String | No | The SSH fingerprint for the Git server + (overrides the integration instance setting). | - | Source | String | Yes | The specific source (e.g., integration or product name) - whose mappings will be exported. | + | Commit Author | String | No | The author name and email for the commit (overrides + the integration instance setting). | - | Readme Addon | String | No | Optional markdown text to append to the end of - the README.md file for the mappings pushed in this run. | + | Readme Addon | String | No | Markdown content to append to the readme file of + the pushed jobs. | ### Flow Description - 1. **Initialization**: The job initializes the GitSync manager using provided - parameters or integration instance defaults to establish a connection with the - Git repository. + 1. Initializes the `GitSyncManager` using the current job context to handle Git + operations and API communication. - 2. **Data Retrieval**: It fetches all ontology records from the SOAR platform - and filters them to find records matching the specified `Source` parameter. + 2. Extracts configuration parameters, including the commit message, job whitelist, + and optional readme addon. - 3. **Rule Processing**: For each matching record, the job retrieves the corresponding - mapping rules (family and system fields) and filters them to ensure they belong - to the target source. + 3. Retrieves all installed jobs from the SOAR platform. - 4. **Data Cleansing**: It removes `exampleEventFields` from the records to ensure - sensitive or unnecessary event data is not exported to the repository. + 4. Filters the retrieved jobs against the `Job Whitelist` and a predefined `IGNORED_JOBS` + list, ensuring jobs belonging to the `GitSync` integration itself are excluded. - 5. **Metadata Update**: If a `Readme Addon` is provided, the job updates the GitSync - metadata file (`GitSync.json`) with the additional markdown content. + 5. For each matching job, optionally updates its metadata with the provided `Readme + Addon` and pushes the job definition to the Git repository. - 6. **Staging**: The job generates the mapping files (Records JSON, Rules JSON, - and a README) and stages them in the local repository clone. + 6. Generates a root readme file to reflect the current state of all jobs in the + repository. - 7. **Commit and Push**: Finally, it commits the changes with the specified `Commit` - message and pushes the updates to the remote Git repository. + 7. Commits the changes with the provided `Commit` message and pushes them to the + remote Git repository. +Push Mappings: + ai_description: "### General Description\nThe \"Push Mappings\" job is a utility\ + \ designed to export mapping configurations\u2014specifically ontology records\ + \ and their associated rules\u2014from the Google SecOps (Chronicle) SOAR platform\ + \ to a version-controlled Git repository. This job facilitates the synchronization\ + \ and backup of mapping definitions, enabling teams to manage their ingestion\ + \ mappings through Git-based workflows.\n\n### Parameters Description\n| Parameter\ + \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Commit\ + \ | String | Yes | The commit message for the Git push operation. |\n| Repo URL\ + \ | String | No | Optional override for the Git repository URL. |\n| Branch |\ + \ String | No | Optional override for the Git branch name. |\n| Git Server Fingerprint\ + \ | String | No | Optional override for the Git server SSH fingerprint. |\n| Commit\ + \ Author | String | No | Optional override for the commit author. |\n| Source\ + \ | String | Yes | The source name of the mappings to export. |\n| Readme Addon\ + \ | String | No | Markdown content to append to the generated README file for\ + \ these mappings. |\n\n### Flow Description\n1. Initializes the `GitSyncManager`\ + \ using the job's configuration parameters.\n2. Queries the SOAR platform for\ + \ all ontology records and filters them by the specified `Source` parameter.\n\ + 3. Retrieves the associated mapping rules (family and system fields) for the filtered\ + \ records.\n4. Filters the retrieved rules to ensure they match the specified\ + \ `Source`.\n5. If a `Readme Addon` is provided, updates the GitSync metadata\ + \ file with the additional markdown content.\n6. Packages the mapping records\ + \ and rules into a `Mapping` object and pushes them to the Git repository.\n7.\ + \ Commits the changes to the repository using the provided `Commit` message." Push Playbook: ai_description: >- ### General Description - This job automates the export of playbooks and blocks from Google SecOps to a - Git repository. It facilitates version control and synchronization of automation - logic by allowing users to selectively push content based on specific names or - folders. The job ensures that exported playbooks remain portable by updating integration - instance references and can optionally include all dependent blocks and custom - documentation addons. + This job exports selected playbooks and their associated blocks from the Google + SecOps SOAR environment to a configured Git repository. It enables version control + and synchronization of playbook definitions, ensuring that changes made in the + SOAR environment are tracked and stored in a remote Git repository. ### Parameters Description @@ -804,70 +753,63 @@ Push Playbook: | :--- | :--- | :--- | :--- | - | Branch | String | No | Optional branch name to override the default branch configured - in the integration instance. | + | Branch | String | No | The target Git branch to push changes to. | - | Commit | String | Yes | The commit message to be used for the Git push operation. + | Commit | String | Yes | The commit message to be used for the push operation. | - | Repo URL | String | No | Optional repository URL to override the default URL - configured in the integration instance. | + | Repo URL | String | No | The URL of the Git repository. | - | Git Server Fingerprint | String | No | Optional SSH fingerprint for Git server - verification (SHA256 or MD5). | + | Git Server Fingerprint | String | No | The SSH fingerprint for the Git server + for secure connection verification. | - | Commit Author | String | No | Optional author details in the format: `Name `. - | + | Commit Author | String | No | The author name and email for the commit (format: + Name ). | - | Folders Whitelist | String | No | Comma-separated list of playbook categories - (folders) to include in the export. | + | Folders Whitelist | String | No | A comma-separated list of playbook folders + to include in the sync. | - | Playbook Whitelist | String | No | Comma-separated list of specific playbook - names to include in the export. | + | Playbook Whitelist | String | No | A comma-separated list of specific playbook + names to include in the sync. | - | Readme Addon | String | No | Markdown text to append to the end of the README - file for every playbook pushed during this run. | + | Readme Addon | String | No | Markdown content to append to the README file of + all playbooks pushed during this run. | - | Include Playbook Blocks | Boolean | Yes | If set to `True`, the job will also - identify and export all blocks (nested workflows) used within the selected playbooks. - | + | Include Playbook Blocks | Boolean | Yes | If true, automatically includes and + pushes all blocks involved in the selected playbooks. | ### Flow Description - 1. **Initialization**: Extracts job parameters and initializes the `GitSyncManager` - to establish a connection with the remote repository. - - 2. **Content Discovery**: Fetches all playbooks currently installed in the Google - SecOps environment. + 1. Initializes the `GitSyncManager` using the provided configuration parameters + to establish a connection with the Git repository and the SOAR API. - 3. **Filtering**: Iterates through the playbooks and identifies those that match - the names in the `Playbook Whitelist` or belong to categories in the `Folders - Whitelist`. + 2. Retrieves the list of all installed playbooks from the SOAR environment. - 4. **Processing**: For each matching playbook, it retrieves the full workflow - definition and updates integration instance display names to ensure the exported - JSON is descriptive and portable. + 3. Filters the retrieved playbooks based on the provided `Playbook Whitelist` + and `Folders Whitelist`. - 5. **Documentation Enrichment**: If a `Readme Addon` is provided, it updates the - metadata to ensure the custom markdown is appended to the playbook's documentation. + 4. Iterates through the filtered playbooks: + * If a `Readme Addon` is provided, it updates the GitSync metadata for the + playbook. + * Updates the instance names within the playbook steps to ensure consistency. + * Pushes the playbook definition to the Git repository. + * If `Include Playbook Blocks` is enabled, identifies all blocks involved + in the playbook and pushes them to the repository as well. + 5. Generates and updates the root README file in the repository to reflect the + current state of the synced content. - 6. **Dependency Handling**: If `Include Playbook Blocks` is enabled, the job recursively - finds and processes all blocks referenced by the selected playbooks. + 6. Commits the changes to the local Git repository using the provided `Commit` + message and `Commit Author`. - 7. **Repository Update**: Generates an updated root README for the playbooks directory - and stages all changes in the local Git tree. - - 8. **Commit and Push**: Finalizes the process by committing the changes with the - provided message and pushing them to the remote Git repository. + 7. Pushes the committed changes to the remote Git repository. Push Simulated Cases: ai_description: >- ### General Description - This job exports specific simulated cases from the Google SecOps platform to a - Git repository. It enables version control and sharing of simulated attack scenarios - by programmatically pushing selected cases to a centralized repository managed - via the GitSync integration. + This job exports specific simulated cases from Google SecOps to a configured Git + repository. It enables version control for simulated cases by synchronizing them + with a remote Git branch. ### Parameters Description @@ -876,42 +818,36 @@ Push Simulated Cases: | :--- | :--- | :--- | :--- | - | Commit | String | Yes | The message to be associated with the Git commit. | + | Commit | String | Yes | The commit message for the Git push. | - | Repo URL | String | No | Optional URL of the Git repository. If provided, it - overrides the URL configured in the integration instance. | + | Repo URL | String | No | The URL of the Git repository (overrides instance setting). + | - | Branch | String | No | Optional Git branch name. If provided, it overrides the - branch configured in the integration instance. | + | Branch | String | No | The target Git branch (overrides instance setting). | - | Git Server Fingerprint | String | No | Optional SSH fingerprint for Git server - verification. If provided, it overrides the fingerprint configured in the integration - instance. | + | Git Server Fingerprint | String | No | The SSH fingerprint for the Git server + (overrides instance setting). | - | Commit Author | String | No | Optional author details (e.g., "Name "). - If provided, it overrides the author configured in the integration instance. | + | Commit Author | String | No | The author name and email for the commit (overrides + instance setting). | | Simulated Cases | String | Yes | A comma-separated list of simulated case names - to be exported to the repository. | + to export. | ### Flow Description - 1. **Parameter Extraction**: The job retrieves the commit message and the list - of simulated case names from the configuration. + 1. Extracts job parameters, including the commit message and the list of simulated + cases to export. - 2. **Manager Initialization**: It initializes the `GitSyncManager`, which handles - the connection to the Git repository and the Google SecOps API. + 2. Initializes the GitSyncManager to handle Git repository interactions. - 3. **Case Retrieval**: The job fetches the list of all custom simulated cases - currently available in the platform. + 3. Retrieves all available simulated cases from the Google SecOps environment. - 4. **Filtering and Export**: It iterates through the platform's cases, identifying - those that match the names provided in the parameters. For each match, it exports - the case data. + 4. Filters the retrieved cases to match the list provided in the Simulated Cases + parameter. - 5. **Staging**: The exported case data is staged as a `.case` file within the - local repository structure. + 5. Exports the data for each matching case and pushes it to the Git repository. - 6. **Commit and Push**: Finally, the job commits the changes using the provided - commit message and pushes the new or updated case files to the remote Git repository. + 6. Commits the changes to the Git repository with the provided commit message + and pushes them to the remote branch. diff --git a/content/response_integrations/power_ups/image_utilities/resources/ai/actions_ai_description.yaml b/content/response_integrations/power_ups/image_utilities/resources/ai/actions_ai_description.yaml index a199bfeaa..7dc537ce7 100644 --- a/content/response_integrations/power_ups/image_utilities/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/power_ups/image_utilities/resources/ai/actions_ai_description.yaml @@ -13,6 +13,10 @@ Convert File: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a file conversion utility that performs local file operations. + It does not match any of the defined categories such as enriching IOCs, containing + hosts, or managing tickets. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -28,57 +32,57 @@ Convert File: update_identity: false update_ticket: false ai_description: >- - Converts files between PNG and PDF formats. This action is designed to run on - a Remote Agent to access local file systems and utilize system-level conversion - utilities. It supports bidirectional conversion between PNG images and PDF documents. + ### General Description + The Convert File action is a utility that converts files between PNG and PDF formats. + This action is designed to normalize file types for further analysis or reporting + within the SOAR platform. It performs the conversion locally on a Remote Agent. - ### Parameters Description + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Input File Format | DDL | Yes | The original format of the file to be converted. - Supported values: PNG, PDF. | + | Input File Format | DDL | Yes | The original format of the file (PNG or PDF). + | - | Input File Path | String | Yes | The absolute path to the source file located - on the Remote Agent's filesystem. | + | Input File Path | String | Yes | The path to the file that the action converts. + | - | Output File Format | DDL | Yes | The target format for the conversion. Supported - values: PNG, PDF. Must be different from the input format. | + | Output File Format | DDL | Yes | The resulting format of the file after the + conversion process (PNG or PDF). | ### Additional Notes - - **Remote Agent Required**: This action must be executed on a Remote Agent. It - will fail if run on a cloud-based environment. + * This action requires a Remote Agent to function correctly. - - **Dependencies**: PDF to PNG conversion requires `poppler-utils` (specifically - `pdftoppm`) to be installed on the Remote Agent host. + * The input and output file formats cannot be the same. - - **Output Location**: Converted files are stored in the system's temporary directory - with a timestamped filename. + * The action relies on `pdf2image` (which requires `pdftoppm` to be installed) + for PDF to PNG conversion and `PIL` (Pillow) for PNG to PDF conversion. ### Flow Description - 1. **Environment Validation**: Checks if the action is running on a Remote Agent. + 1. The action validates that it is running on a Remote Agent. + + 2. It extracts the `Input File Path`, `Input File Format`, and `Output File Format` + parameters. - 2. **Parameter Validation**: Verifies that the input file exists, the formats - are supported, and that the input and output formats are not identical. + 3. It verifies the existence of the source file at the provided path. - 3. **Path Generation**: Constructs a unique output file path in the temporary - directory using the original filename and a current timestamp. + 4. It validates that the input and output formats are different. - 4. **Conversion Logic**: - - If converting **PDF to PNG**: Uses the `pdf2image` library to extract the - first page of the PDF and save it as a PNG image. - - If converting **PNG to PDF**: Uses the `Pillow` (PIL) library to convert - the image to RGB mode and save it as a PDF document. - 5. **Result Reporting**: Returns the path of the newly created file and the output - format in the JSON results. + 5. It determines the conversion logic based on the requested output format (PDF + to PNG or PNG to PDF). + + 6. It performs the conversion using the appropriate library (`pdf2image` or `PIL`). + + 7. It saves the converted file to a temporary directory and returns the path of + the new file in the JSON results. capabilities: can_create_case_comments: false can_create_insight: false @@ -89,8 +93,17 @@ Convert File: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs local file conversion on a Remote Agent. It does not interact + with external APIs (no `fetches_data`), does not modify external system states + (no `can_mutate_external_data`), and does not interact with the SOAR case data + (no `can_mutate_internal_data`, `can_update_entities`, etc.). categories: enrichment: false + reasoning: >- + The action does not fetch data from an external source, nor does it enrich entities + or modify the SOAR case. It is a file conversion utility. Therefore, it is not + an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -106,6 +119,10 @@ Convert File: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not reference `target_entities` or any entity-specific identifiers. + It operates on a file path provided as a parameter. Therefore, it does not run + on any entity types. OCR Image: action_product_categories: add_alert_comment: false @@ -121,6 +138,10 @@ OCR Image: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a utility that performs OCR on an image. It does not match any + of the defined security-specific product categories such as IOC enrichment, + asset enrichment, ticket management, or containment. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -136,55 +157,45 @@ OCR Image: update_identity: false update_ticket: false ai_description: >- - ### General Description + The OCR Image action performs optical character recognition (OCR) on an image + file to extract text. This action requires a Remote Agent with the `tesseract-ocr` + package installed. - The **OCR Image** action performs Optical Character Recognition (OCR) to extract - text from image files. This utility is designed to help analysts process visual - data such as screenshots or scanned documents directly within their playbooks. - It requires the Tesseract OCR engine to be installed on a Remote Agent. - - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Base64 Encoded Image | String | No | The base64 encoded string of the image - file to be processed. | + | Base64 Encoded Image | string | false | The base64 encoded string of the image + file. | - | File Path | String | No | The local file system path to the image file on the - Remote Agent. | + | File Path | string | false | The path to the image file. | ### Additional Notes - * **Requirement:** This action can only be executed on a **Remote Agent**. - - * **Dependency:** The `tesseract-ocr` package must be installed in the Remote - Agent environment (e.g., `apt-get install -y tesseract-ocr`). - - * **Logic:** Either the 'Base64 Encoded Image' or the 'File Path' must be provided. - If both are supplied, the action will prioritize the 'Base64 Encoded Image'. + Either "Base64 Encoded Image" or "File Path" must be provided. If both are provided, + "Base64 Encoded Image" takes precedence. This action must be executed on a Remote + Agent. ### Flow Description - 1. **Environment Validation:** Checks if the action is running on a Remote Agent. + 1. Validate that the action is running on a Remote Agent. - 2. **Parameter Extraction:** Retrieves the Base64 string or the file path from - the input. + 2. Extract and validate the input parameters ("Base64 Encoded Image" or "File + Path"). - 3. **Input Validation:** Ensures that at least one valid image source is provided. + 3. If "Base64 Encoded Image" is provided, decode it and save it to a temporary + file. - 4. **Image Processing:** If Base64 is provided, it decodes the data and saves - it to a temporary file. Otherwise, it uses the provided file path. + 4. If "File Path" is provided, use the file directly. - 5. **OCR Execution:** Invokes the Tesseract OCR engine via the `pytesseract` library - to extract text from the image. + 5. Execute the Tesseract OCR engine on the image file to extract text. - 6. **Result Delivery:** Returns the extracted text in the `extracted_text` field - of the JSON results. + 6. Return the extracted text in the action results. capabilities: can_create_case_comments: false can_create_insight: false @@ -195,8 +206,17 @@ OCR Image: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a local computation (OCR) on an image file. It does not + fetch external data, mutate external systems, or modify internal SecOps data + (entities, insights, etc.). categories: enrichment: false + reasoning: >- + The action performs a local computation (OCR) on an image file. It does not + fetch external data, mutate external systems, or modify internal SecOps data + (entities, insights, etc.). Therefore, it does not meet the criteria for an + enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -212,6 +232,9 @@ OCR Image: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not reference `target_entities` or perform any operations on entities. + It processes input parameters directly to perform OCR on an image file. Ping: action_product_categories: add_alert_comment: false @@ -227,6 +250,10 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a diagnostic tool for verifying the Remote Agent environment (Tesseract + and Playwright availability). It does not perform any operational tasks like + enrichment, containment, or ticketing. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -242,20 +269,32 @@ Ping: update_identity: false update_ticket: false ai_description: >- - ### General Description\nValidates the environment and connectivity for the Image - Utilities integration. This action ensures that the necessary system-level dependencies - required for image processing and web content rasterization are correctly configured - on the Google SecOps Remote Agent.\n\n### Parameters Description\nThere are no - parameters for this action.\n\n### Additional Notes\nThis action must be executed - on a **Remote Agent**. It specifically checks for the presence of the Tesseract - OCR engine and Playwright browser binaries. If these are missing, the action provides - detailed troubleshooting steps to install them within the container environment.\n\n### - Flow Description\n1. **Remote Agent Validation**: Confirms the action is executing - within a Remote Agent environment.\n2. **Tesseract Verification**: Checks if the - Tesseract OCR engine is installed and accessible via the `pytesseract` library.\n3. - **Playwright Verification**: Attempts to launch a headless Chromium instance using - Playwright to ensure browser binaries and dependencies are functional.\n4. **Connectivity - Confirmation**: Returns a success message if all local environment checks pass. + The Ping action verifies the environment configuration for the Image Utilities + integration on the Remote Agent. It ensures that the necessary dependencies, specifically + Tesseract OCR and Playwright (with Chromium), are correctly installed and accessible. + This action is used for troubleshooting and validating that the Remote Agent is + ready to perform image processing tasks. + + + ### Flow Description + + 1. Validates that the action is executing on a Remote Agent. + + 2. Checks for the presence and version of the Tesseract OCR engine. + + 3. Attempts to launch a headless Chromium browser via Playwright to verify browser + binary availability. + + + ### Parameters + + There are no user-configurable parameters for this action. + + + ### Additional Notes + + This action is a diagnostic tool and does not interact with external APIs or Google + SecOps entities. capabilities: can_create_case_comments: false can_create_insight: false @@ -266,8 +305,16 @@ Ping: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs local environment validation (Tesseract and Playwright checks) + on the Remote Agent. It does not interact with external APIs, modify SOAR entities, + or change any system state. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action designed to verify environment configuration. + Per the instructions, 'Actions named Ping must not be categorized as enrichment + actions.' entity_usage: entity_types: [] filters_by_additional_properties: false @@ -283,6 +330,9 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with entities; it is a diagnostic tool for the + Remote Agent environment. Rasterize Content: action_product_categories: add_alert_comment: false @@ -292,12 +342,16 @@ Rasterize Content: create_ticket: false delete_email: false disable_identity: false - download_file: true + download_file: false enable_identity: false enrich_asset: false enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action rasterizes content and attaches it to the case. It does not perform + any of the listed actions like enriching IOCs, updating alerts, or managing + tickets. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -312,38 +366,74 @@ Rasterize Content: update_email: false update_identity: false update_ticket: false - ai_description: "Converts vector or complex content such as URLs, HTML, or Email\ - \ bodies into fixed bitmap images (PNG) or PDF documents. This action utilizes\ - \ a headless browser (Playwright) to render the content exactly as it would appear\ - \ to a user, making it ideal for capturing visual evidence of phishing sites,\ - \ formatted emails, or web reports. \n\n### Flow Description:\n1. **Validation**:\ - \ Verifies that the action is running on a Remote Agent and validates input parameters\ - \ (dimensions, timeouts, and formats).\n2. **Initialization**: Launches a headless\ - \ Chromium browser instance via Playwright.\n3. **Content Loading**: Depending\ - \ on the 'Input Type', the browser either navigates to a list of URLs or renders\ - \ provided HTML/Email content.\n4. **Rendering Control**: Waits for the specified\ - \ browser state (e.g., Network Idle) or a specific CSS selector to ensure dynamic\ - \ content is fully loaded.\n5. **Capture**: Generates a PNG screenshot and/or\ - \ a PDF document based on the 'Output Type' and 'Full Screen' settings.\n6. **Export**:\ - \ Saves the resulting files to the local file system and/or attaches them directly\ - \ to the Google SecOps case.\n\n### Parameters Description:\n| Parameter | Type\ - \ | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Input Type | DDL\ - \ | Yes | Specifies the source format: URL, HTML, or Email. |\n| URLs or Body\ - \ | String | Yes | The actual content to process. Can be a comma-separated list\ - \ of URLs or a raw HTML/Email string. |\n| Output Type | DDL | No | The desired\ - \ format of the result: PNG, PDF, or Both. Defaults to PNG. |\n| Export Method\ - \ | DDL | No | Determines where to save the output: Case Attachment, File Path,\ - \ or Both. Defaults to Case Attachment. |\n| Width | String | Yes | The browser\ - \ viewport width in pixels. Defaults to 1920. |\n| Height | String | Yes | The\ - \ browser viewport height in pixels. Defaults to 1080. |\n| Full Screen | Boolean\ - \ | Yes | If true, the action captures the entire scrollable length of the page,\ - \ ignoring the Height parameter. |\n| Timeout | String | No | Maximum time in\ - \ seconds to wait for rendering. Max 120s. |\n| Wait For | DDL | No | The browser\ - \ state to reach before capturing (e.g., NETWORK_IDLE). |\n| Wait for Selector\ - \ | String | No | A CSS selector that must be visible before the capture occurs.\ - \ |\n\n### Additional Notes:\n- This action **requires a Remote Agent** with Playwright\ - \ and Chromium binaries installed to function.\n- If 'Full Screen' is enabled,\ - \ the 'Height' parameter is ignored for the final output." + ai_description: >- + The **Rasterize Content** action converts vector or complex content (URLs, HTML, + or Email bodies) into bitmap image formats (PNG or PDF) using a headless browser + (Playwright). This action is useful for capturing visual evidence of web content + for forensic analysis or documentation. + + + ### Flow Description + + 1. **Validation**: The action validates all input parameters and ensures it is + running on a Remote Agent. + + 2. **Preparation**: It prepares the input content based on the selected `Input + Type` (URL, HTML, or Email). + + 3. **Initialization**: It initializes a Playwright browser instance. + + 4. **Rendering**: It navigates to the URL or sets the HTML content, waits for + the specified state (e.g., `NETWORK_IDLE`) or a CSS selector, and renders the + page. + + 5. **Rasterization**: It captures a screenshot (PNG) or generates a PDF based + on the `Output Type`. + + 6. **Export**: It exports the generated files based on the `Export Method` (attaching + them to the current case or returning the file path). + + 7. **Cleanup**: It closes the browser instance. + + + ### Parameters + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | `Input Type` | DDL | Yes | The type of content to rasterize (URL, HTML, Email). + | + + | `URLs or Body` | String | Yes | The content to be rasterized (URL list or content + body). | + + | `Output Type` | DDL | No | The output format (PNG, PDF, Both). Default: PNG. + | + + | `Export Method` | DDL | No | The method to output the content (Case Attachment, + File Path, Both). Default: Case Attachment. | + + | `Width` | String | Yes | The width in pixels. Default: 1920. | + + | `Height` | String | Yes | The height in pixels. Default: 1080. | + + | `Full Screen` | Boolean | Yes | If true, renders the entire page. Default: false. + | + + | `Timeout` | String | No | Max time in seconds for rendering. Default: 120. | + + | `Wait For` | DDL | No | Browser state to wait for (LOAD, DOM_CONTENT_LOADED, + NETWORK_IDLE, COMMIT). Default: NETWORK_IDLE. | + + | `Wait for Selector` | String | No | CSS selector to wait for before capturing. + | + + + ### Additional Notes + + This action requires a Remote Agent to function, as it relies on Playwright browser + binaries. capabilities: can_create_case_comments: false can_create_insight: false @@ -352,12 +442,19 @@ Rasterize Content: can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: >- - The action attaches the generated PNG or PDF files to the current Google SecOps - case as attachments. + Adds generated rasterized images (PNG/PDF) as attachments to the current case. + reasoning: >- + The action does not fetch contextual data about entities or alerts (it fetches + web content for rendering, not for enrichment). It does not mutate external + systems. It performs an internal mutation by attaching generated files to the + current case. categories: enrichment: false + reasoning: >- + The action does not fetch contextual data about entities or alerts, nor does + it perform any enrichment. It is a utility action for rasterizing content. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -373,3 +470,6 @@ Rasterize Content: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on entities. It uses input parameters to define + the content to be rasterized. diff --git a/content/response_integrations/power_ups/image_utilities/resources/ai/integration_ai_description.yaml b/content/response_integrations/power_ups/image_utilities/resources/ai/integration_ai_description.yaml index 29179c290..5f01ee541 100644 --- a/content/response_integrations/power_ups/image_utilities/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/power_ups/image_utilities/resources/ai/integration_ai_description.yaml @@ -3,10 +3,21 @@ product_categories: cloud_security: false collaboration: false edr: false - email_security: true + email_security: false iam_and_identity_management: false itsm: false network_security: false + reasoning: >- + The image_utilities integration provides utility functions for file manipulation, + including OCR, file format conversion, and content rasterization. These actions + are designed to support playbook workflows by processing data locally on a Remote + Agent. The integration does not perform security-specific tasks such as log analysis + (SIEM), host containment (EDR), network traffic blocking (Network Security), IOC + enrichment (Threat Intelligence), email management (Email Security), identity + management (IAM), cloud resource management (Cloud Security), ticket management + (ITSM), vulnerability scanning (Vulnerability Management), asset inventory management + (Asset Inventory), or collaboration/notification tasks. Therefore, it does not + align with any of the defined product categories. siem: false - threat_intelligence: true + threat_intelligence: false vulnerability_management: false diff --git a/content/response_integrations/power_ups/insights/resources/ai/actions_ai_description.yaml b/content/response_integrations/power_ups/insights/resources/ai/actions_ai_description.yaml index 364615e80..020ed3532 100644 --- a/content/response_integrations/power_ups/insights/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/power_ups/insights/resources/ai/actions_ai_description.yaml @@ -13,6 +13,10 @@ Create Entity Insight From Enrichment: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action creates an entity insight based on existing entity data. It does + not match any of the specific product categories like enrichment, containment, + or ticketing. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -28,52 +32,43 @@ Create Entity Insight From Enrichment: update_identity: false update_ticket: false ai_description: >- - Creates formatted entity insights by populating a template message with data stored - in an entity's `additional_properties`. This action is primarily used to surface - specific enrichment data (previously gathered by other actions) directly onto - the entity's insight panel for analyst visibility. + ### General Description + This action creates an entity insight for target entities based on a provided + message template. It parses the message template using data found in the entity's + `additional_properties`. - ### Parameters + + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Message | string | Yes | A template string that uses placeholders in curly braces - `{}` to reference keys within the entity's `additional_properties`. For example: - `User {manager_name} approved this access.` | + | Message | string | Yes | The template string for the insight message. Supports + placeholders (e.g., `{key_path}`). | - | Triggered By | string | No | The name of the integration or source to be associated - with the created insight. Defaults to 'Siemplify'. | + | Triggered By | string | No | The name of the integration or source triggering + the insight. Defaults to "Siemplify". | - ### Additional Notes - - - This action does not fetch new data from external sources; it transforms existing - internal entity data into a readable insight. + ### Flow Description - - If a placeholder key is not found in the entity's properties, the resulting - message may be empty or incomplete depending on the template logic. + 1. Retrieve the `Message` template and `Triggered By` parameter. + 2. Iterate through all `target_entities`. - ### Flow Description + 3. For each entity, parse the `Message` template by replacing placeholders with + values from the entity's `additional_properties`. - 1. **Parameter Retrieval:** The action retrieves the template `Message` and the - `Triggered By` source name from the input parameters. + 4. If a message is successfully generated, create an entity insight using `siemplify.add_entity_insight`. - 2. **Entity Iteration:** The action iterates through all entities currently in - the scope of the alert or case. + 5. Return the execution result. - 3. **Template Parsing:** For each entity, it uses the `ToolsCommon` library to - parse the `Message` template, replacing placeholders with corresponding values - found in the entity's `additional_properties` (enrichment data). - 4. **Insight Creation:** If the message is successfully generated, the action - calls the SOAR SDK to add an entity insight to the specific entity. + ### Additional Notes - 5. **Execution Summary:** The action tracks which entities received insights and - returns a success status if at least one insight was created. + There are no additional notes. capabilities: can_create_case_comments: false can_create_insight: true @@ -84,10 +79,17 @@ Create Entity Insight From Enrichment: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Creates entity insights within the Google SecOps platform based on existing - entity enrichment data. + Adds an entity insight to the target entities within the SOAR platform. + reasoning: >- + The action iterates over target entities, parses a message template using the + entity's `additional_properties`, and creates an entity insight. It does not + fetch external data or mutate external systems. It mutates internal SOAR data + by adding an insight. categories: enrichment: false + reasoning: >- + The action does not fetch data from an external source, so it does not meet + the criteria for an enrichment action. entity_usage: entity_types: - ADDRESS @@ -138,6 +140,9 @@ Create Entity Insight From Enrichment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over `siemplify.target_entities` without any filtering, + meaning it processes all entity types. Create Entity Insight From JSON: action_product_categories: add_alert_comment: false @@ -153,6 +158,10 @@ Create Entity Insight From JSON: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action creates an entity insight based on provided JSON data. It does not + match any of the predefined product categories (e.g., Enrich IOC, Contain Host, + etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -167,62 +176,24 @@ Create Entity Insight From JSON: update_email: false update_identity: false update_ticket: false - ai_description: >- - ### General Description - - The **Create Entity Insight From JSON** action is a utility designed to generate - and attach insights to entities within a Google SecOps case using data provided - in a JSON format. This action allows users to take structured data (e.g., from - a previous integration step or a file) and map it to specific entities to provide - analysts with immediate context. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | JSON | string | Yes | The JSON string containing the data to be processed. This - should be a list of objects or a single object containing entity-related information. - | - - | Identifier KeyPath | string | Yes | The dot-notation path (e.g., `data.id`) - within the JSON objects used to match against the entity's identifier. | - - | Message | string | Yes | A template string for the insight. Use curly braces - `{}` to reference keys from the JSON (e.g., `User {name} has role {role}`). Supports - advanced formatting pipes like `join`, `count`, and `to_str`. | - - | Triggered By | string | No | The name of the integration or source to be displayed - as the creator of the insight. Defaults to 'Siemplify'. | - - - ### Flow Description - - 1. **JSON Parsing:** The action parses the provided JSON string into a Python - object. - - 2. **Entity Iteration:** It iterates through all entities currently associated - with the case. - - 3. **Data Matching:** For each entity, it searches the JSON for an entry where - the value at the `Identifier KeyPath` matches the entity's identifier (case-insensitive). - - 4. **Message Formatting:** If a match is found, it extracts the relevant data - and populates the `Message` template, resolving any placeholders and applying - formatting functions. - - 5. **Insight Creation:** The formatted message is added as an insight to the specific - entity using the `add_entity_insight` method. - - - ### Additional Notes - - - The `Identifier KeyPath` supports nested objects using dot notation. - - - The action will only create insights for entities that have a corresponding - match in the provided JSON data. + ai_description: "Creates entity insights by parsing a provided JSON string and mapping\ + \ it to entities within the case. \n\n### Flow Description\n1. **Load Input**:\ + \ The action loads the provided JSON string from the `JSON` parameter.\n2. **Iterate\ + \ Entities**: It iterates through all target entities in the case.\n3. **Match\ + \ Entities**: For each entity, it attempts to find a matching record in the JSON\ + \ data using the provided `Identifier KeyPath`.\n4. **Parse Message**: If a match\ + \ is found, it parses the `Message` template, replacing placeholders (e.g., `{key_path|function}`)\ + \ with the corresponding values from the matched JSON data.\n5. **Add Insight**:\ + \ It adds the generated message as an entity insight to the matched entity.\n\n\ + ### Parameters Description\n| Parameter | Type | Mandatory | Description |\n|\ + \ :--- | :--- | :--- | :--- |\n| JSON | string | Yes | The JSON string containing\ + \ the data to be used for insights. |\n| Identifier KeyPath | string | Yes | The\ + \ path in the JSON to find the entity identifier for matching. |\n| Message |\ + \ string | Yes | The template string for the insight, supporting placeholders.\ + \ |\n| Triggered By | string | No | The integration name to associate with the\ + \ insight. |\n\n### Additional Notes\n- The action does not perform any external\ + \ API calls; it processes the provided JSON input locally.\n- The `Identifier\ + \ KeyPath` should be provided as a dot-separated path (e.g., `data.user.id`)." capabilities: can_create_case_comments: false can_create_insight: true @@ -232,11 +203,19 @@ Create Entity Insight From JSON: can_update_entities: false external_data_mutation_explanation: null fetches_data: false - internal_data_mutation_explanation: >- - The action creates entity insights within the Google SecOps case based on the - provided JSON input. + internal_data_mutation_explanation: Adds entity insights to the SOAR case. + reasoning: >- + The action processes provided JSON data and adds insights to entities within + the SOAR platform. It does not fetch data from external systems (fetches_data=false), + nor does it mutate external systems (can_mutate_external_data=false). It performs + an internal mutation by adding entity insights (can_mutate_internal_data=true, + can_create_insight=true). categories: enrichment: false + reasoning: >- + The action does not fetch data from an external or internal source; it processes + provided JSON input. Therefore, it does not meet the criteria for an Enrichment + action. entity_usage: entity_types: - ADDRESS @@ -287,6 +266,10 @@ Create Entity Insight From JSON: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over all `siemplify.target_entities` and matches them against + the provided JSON data using the `Identifier KeyPath`. It does not filter by + entity type or any other entity attribute, so it supports all entity types. "Create Entity Insight From Multiple JSONs": action_product_categories: add_alert_comment: false @@ -302,6 +285,10 @@ Create Entity Insight From JSON: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + This action is a utility for formatting and displaying data as insights. It + does not perform enrichment, containment, ticketing, or alert modification operations, + so it does not match any of the defined product categories. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -319,66 +306,56 @@ Create Entity Insight From JSON: ai_description: >- ### General Description - The **Create Entity Insight From Multiple JSONs** action is a utility designed - to transform raw JSON data into human-readable entity insights. It allows analysts - to provide up to five JSON strings (typically outputs from previous playbook steps) - and define specific fields to extract for each entity. The extracted data is then - formatted into HTML tables and attached directly to the relevant entities as insights, - facilitating quick review of complex data structures within the Google SecOps - platform. - + The **Create Entity Insight From Multiple JSONs** action is a utility tool designed + to parse and format structured JSON data into readable HTML insights attached + to target entities within the SOAR platform. It allows analysts to consolidate + information from multiple sources (up to five distinct JSON inputs) and present + them as organized tables or text blocks directly on the entity's insight wall. - ### Parameters Description - | Parameter | Type | Mandatory | Description | + ### Flow Description - | :--- | :--- | :--- | :--- | + 1. **Initialization**: The action retrieves the provided JSON strings, field definitions, + and section titles from the action parameters. - | JSON1 - JSON5 | String | No | The JSON string containing data to be parsed. - The action expects a list of objects where each object contains an 'Entity' key - matching the entity identifier and an 'EntityResult' key containing the data. - | + 2. **Data Processing**: It iterates through each target entity in the case. - | Fields1 - Fields5 | String | No | A string defining which fields to extract - and how to display them. Format: `DisplayName:path.to.key`. Multiple fields are - separated by the Placeholder Separator. | + 3. **Extraction**: For each entity, it attempts to locate matching data within + the provided JSON strings by comparing the entity identifier. - | Title1 - Title5 | String | No | The title or header used for the specific section - of the entity insight. | + 4. **Parsing**: It parses the JSON content based on the provided field paths (e.g., + `path.to.key`) and applies formatting rules. - | Placeholder Separator | String | No | The character used to separate multiple - field definitions in the 'Fields' parameters. Default is a comma (`,`). | + 5. **Insight Generation**: It constructs an HTML table for each valid JSON input + and attaches the resulting insight to the entity using the `add_entity_insight` + method. - ### Additional Notes - - - The action identifies the correct data for an entity by looking for a key named - `Entity` within the provided JSON objects and extracts the content of `EntityResult`. + ### Parameters Description - - If a field path is provided without a display name (e.g., just `path.to.key`), - the value will be added to the insight as a plain string instead of a table row. + | Parameter | Type | Mandatory | Description | - - This action is a local utility and does not perform any external API calls. + | :--- | :--- | :--- | :--- | + | JSON1 - JSON5 | string | No | The JSON strings to be parsed for the insight. + | - ### Flow Description + | Fields1 - Fields5 | string | No | The fields to extract from the corresponding + JSON string. Format: `Display:path.to.key`. | - 1. **Initialization**: The action retrieves the JSON strings, field mappings, - and titles for the data sets from the action parameters. + | Title1 - Title5 | string | No | The title used for the corresponding entity + section. | - 2. **Entity Iteration**: The action loops through all entities currently associated - with the alert or case. + | Placeholder Separator | string | No | A string used to separate field definitions. + Default is `,`. | - 3. **Data Extraction**: For each entity, it searches the provided JSON arrays - for an entry where the `Entity` field matches the entity's identifier. - 4. **Field Parsing**: If a match is found, it uses the `Fields` mapping to extract - specific values from the `EntityResult` object using dot-notation paths and optional - pipe functions (like `count` or `to_str`). + ### Additional Notes - 5. **Insight Creation**: The extracted values are formatted into an HTML table. - The action then adds this table as an insight to the entity, using the provided - `Title` as the trigger context. + This action does not perform any external API calls or data fetching. It relies + entirely on the JSON data provided via the action parameters. If no matching data + is found for an entity in the provided JSONs, the action will indicate that data + is missing for that specific section. capabilities: can_create_case_comments: false can_create_insight: true @@ -389,9 +366,19 @@ Create Entity Insight From JSON: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Creates entity insights within Google SecOps based on the provided JSON parameters. + The action adds insights to entities within the SOAR platform using the add_entity_insight + method. + reasoning: >- + The action processes provided JSON strings and field definitions to generate + and attach HTML-formatted insights to the target entities within the SOAR platform. + It does not interact with external systems, fetch new data, or modify entity + attributes directly. It strictly creates insights. categories: enrichment: false + reasoning: >- + The action does not fetch data from external sources; it merely formats and + displays provided JSON data as insights. Therefore, it does not meet the criteria + for an Enrichment action, which requires proactive data retrieval. entity_usage: entity_types: - ADDRESS @@ -442,6 +429,9 @@ Create Entity Insight From JSON: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over all target_entities provided in the context without + filtering by type. Therefore, it supports all entity types. Ping: action_product_categories: add_alert_comment: false @@ -457,6 +447,9 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity check ('Ping') and does not perform any of the + defined operational tasks (enrichment, containment, ticketing, etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -474,28 +467,21 @@ Ping: ai_description: >- ### General Description - Verifies the connectivity between the Google SecOps platform and the integration. - This action is a standard health check used to ensure that the integration environment - is properly configured and that the action execution engine is responsive. + This action performs a connectivity check to verify that the integration is properly + configured and communicating with the SOAR platform. It is typically used to test + the integration's health. - ### Parameters Description + ### Parameters There are no parameters for this action. - ### Additional Notes - - This action does not interact with any external APIs or modify any data within - the SOAR. It is strictly used for connectivity validation. - - ### Flow Description - 1. Initialize the Siemplify action context. + 1. Initialize the `SiemplifyAction` object. - 2. Immediately terminate the action with a success status and the message "Siemplify - is connected". + 2. Terminate the action with a success message indicating the connection is established. capabilities: can_create_case_comments: false can_create_insight: false @@ -506,8 +492,15 @@ Ping: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action is a simple 'Ping' utility. It does not perform any external API + calls, data retrieval, or system mutations. It simply confirms the integration's + connectivity status. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action. According to the instructions, 'Actions named + Ping must not be categorized as enrichment actions.' entity_usage: entity_types: [] filters_by_additional_properties: false @@ -523,3 +516,5 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. diff --git a/content/response_integrations/power_ups/insights/resources/ai/integration_ai_description.yaml b/content/response_integrations/power_ups/insights/resources/ai/integration_ai_description.yaml index 0801c7556..0439ac872 100644 --- a/content/response_integrations/power_ups/insights/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/power_ups/insights/resources/ai/integration_ai_description.yaml @@ -7,6 +7,17 @@ product_categories: iam_and_identity_management: false itsm: false network_security: false + reasoning: >- + The 'insights' integration is a utility-focused integration designed to format + and display data as 'Entity Insights' within the SOAR platform. Its actions (Create + Entity Insight From Enrichment, Create Entity Insight From JSON, Create Entity + Insight From Multiple JSONs, and Ping) are strictly for internal data presentation + and connectivity testing. It does not perform external data fetching, system mutation, + or specific security operations such as threat intelligence enrichment, network + blocking, identity management, or ITSM ticketing. It does not interact with external + collaboration platforms like Slack or Teams, nor does it perform asset inventory + or vulnerability management tasks. Consequently, it does not align with any of + the defined security product categories. siem: false threat_intelligence: false vulnerability_management: false diff --git a/content/response_integrations/power_ups/lists/resources/ai/actions_ai_description.yaml b/content/response_integrations/power_ups/lists/resources/ai/actions_ai_description.yaml index 0894f429d..0b9c9502a 100644 --- a/content/response_integrations/power_ups/lists/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/power_ups/lists/resources/ai/actions_ai_description.yaml @@ -1,7 +1,7 @@ Add String to Custom List: action_product_categories: add_alert_comment: false - add_ioc_to_allowlist: true + add_ioc_to_allowlist: false add_ioc_to_blocklist: false contain_host: false create_ticket: false @@ -13,6 +13,10 @@ Add String to Custom List: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a generic utility for managing custom lists. It does not specifically + target blocklists, allowlists, or other predefined categories, so all specific + product category flags are set to false. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -30,47 +34,35 @@ Add String to Custom List: ai_description: >- ### General Description - This action adds a specific string to a designated custom list category within - Google SecOps. It is primarily used for managing internal lists, such as allowlists - or blocklists, by programmatically inserting new entries based on user input or - playbook logic. + This action adds a specified string to a custom list within the Google SecOps + SOAR platform. It allows users to dynamically update custom lists, which can be + used for various purposes such as maintaining watchlists, blocklists, or allowlists. ### Parameters Description - | Parameter | Description | Type | Mandatory | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | ListItem | The specific string value that you want to add to the custom list. - | String | Yes | - - | Category | The name of the custom list category (e.g., 'WhiteList', 'BlackList') - where the string should be stored. | String | Yes | - - - ### Additional Notes - - - This action does not process entities from the case; it operates strictly on - the provided `ListItem` string parameter. + | ListItem | string | Yes | The list item string to add to the custom list. | - - The action uses the current environment context of the SOAR platform when adding - the item to the list. + | Category | string | Yes | The category of the custom list to which the item + will be added. | ### Flow Description - 1. **Parameter Extraction**: The action retrieves the `Category` and `ListItem` - values from the input parameters. + 1. The action retrieves the `Category` and `ListItem` values from the provided + action parameters. - 2. **Object Creation**: It creates a `CustomList` data object containing the input - string, the target category, and the environment identifier. + 2. It initializes a `CustomList` object using the provided string and category. - 3. **Internal Update**: The action calls the internal SDK method `add_entities_to_custom_list` - to save the new entry into the Google SecOps custom list database. + 3. The action calls `siemplify.add_entities_to_custom_list` to persist the new + item into the specified custom list within the SOAR platform. - 4. **Completion**: The action returns a success message indicating the string - has been added to the specified category. + 4. The action concludes by returning the execution status and an output message + confirming the addition. capabilities: can_create_case_comments: false can_create_insight: false @@ -81,9 +73,17 @@ Add String to Custom List: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Adds a new string entry to an internal Google SecOps custom list category. + Modifies internal SOAR custom lists by adding a new string entry. + reasoning: >- + The action modifies internal SOAR data by adding a string to a custom list. + It does not perform any external API calls (fetches_data=false) and does not + interact with external systems (can_mutate_external_data=false). It does not + update entities, create insights, or modify alert data. categories: enrichment: false + reasoning: >- + The action does not fetch data (it is a push/write operation), therefore it + does not meet the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -99,6 +99,9 @@ Add String to Custom List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or utilize the `target_entities` list. It processes + a string parameter directly. Is String In Custom List: action_product_categories: add_alert_comment: false @@ -114,6 +117,10 @@ Is String In Custom List: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action performs a lookup against a custom list to verify the existence of + identifiers. It does not perform any of the defined product-specific actions + such as blocking, ticketing, or asset enrichment. It is a utility lookup action. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -131,10 +138,10 @@ Is String In Custom List: ai_description: >- ### General Description - This action checks if a specific set of strings exists within a designated Google - SecOps Custom List category. It is primarily used for logic branching or validation - within playbooks, such as checking if an indicator is part of a known whitelist - or blacklist maintained internally. + This action checks if a list of provided strings exists within a specified Custom + List category in the current environment. It is a utility action designed to verify + the presence of identifiers (e.g., IPs, domains, or file hashes) against predefined + organizational lists. ### Parameters Description @@ -143,31 +150,31 @@ Is String In Custom List: | :--- | :--- | :--- | :--- | - | IdentifierList | string | True | A list of strings to compare against the custom - list. This parameter accepts either a JSON-formatted array (e.g., `["1.1.1.1", - "google.com"]`) or a comma-separated string (e.g., `1.1.1.1,google.com`). | + | IdentifierList | string | Yes | A list of strings (e.g., "1.2.3.4,google.com") + to check against the custom list. Can be provided as a JSON-formatted string or + a comma-separated string. | - | Category | string | True | The name of the Custom List category (e.g., 'WhiteList', - 'BlackList') to search within for the current environment. | + | Category | string | Yes | The name of the Custom List category to check against. + | ### Flow Description - 1. **Input Parsing**: The action retrieves the `Category` and `IdentifierList` - parameters. It attempts to parse the `IdentifierList` as a JSON array; if that - fails, it splits the string by commas and strips whitespace from each item. + 1. **Initialization**: The action initializes the `SiemplifyAction` and retrieves + the `Category` and `IdentifierList` parameters. + + 2. **Parsing**: The `IdentifierList` is parsed into a list of individual strings, + handling both JSON and comma-separated formats. - 2. **Custom List Query**: For each identifier in the list, the action creates - a `CustomList` object and uses the SOAR SDK method `any_entity_in_custom_list` - to check if that specific string exists in the specified category for the current - environment. + 3. **Lookup**: The action iterates through each identifier and queries the internal + Custom List system using `siemplify.any_entity_in_custom_list` for the specified + category. - 3. **Result Aggregation**: The action builds a JSON object where each identifier - is a key and the value is a boolean (`true` if found, `false` otherwise). It also - maintains a counter for the total number of matches found. + 4. **Result Generation**: A JSON result is constructed mapping each identifier + to a boolean value (`True` if found, `False` otherwise). - 4. **Completion**: The action outputs the total count of matches as the main result - value and provides the detailed boolean mapping in the JSON result. + 5. **Output**: The action adds the result JSON to the execution output and returns + a summary message indicating the number of items found. capabilities: can_create_case_comments: false can_create_insight: false @@ -178,8 +185,17 @@ Is String In Custom List: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches data from the internal Custom List system to verify the existence + of provided identifiers. It does not mutate external systems, nor does it modify + internal SOAR data (entities, insights, or case comments). It is a read-only + lookup operation. categories: enrichment: true + reasoning: >- + The action fetches data from an internal source (Custom Lists) to provide context + (existence check) for the provided identifiers. It does not mutate any external + or internal systems, fitting the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -195,6 +211,10 @@ Is String In Custom List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on `siemplify.target_entities`. It processes a list + of strings provided directly via the `IdentifierList` parameter. Therefore, + it does not use or filter any entity types. Ping: action_product_categories: add_alert_comment: false @@ -210,6 +230,10 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity check ('Ping') and does not perform any functional + operations such as enrichment, containment, ticket management, or alert modification. + It simply confirms the integration's connectivity status. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -227,34 +251,22 @@ Ping: ai_description: >- ### General Description - The **Ping** action is a diagnostic utility designed to verify the connectivity - and functional status of the **Lists** integration within Google SecOps. Its primary - purpose is to ensure that the integration is correctly configured and that the - SOAR environment can successfully communicate with the integration's underlying - logic. + This action performs a connectivity check to verify that the integration is properly + configured and communicating with the SOAR platform. It is typically used to validate + the integration setup. - ### Parameters Description + ### Parameters There are no parameters for this action. - ### Additional Notes - - This action does not perform any external API calls, retrieve data, or modify - any internal or external records. It is a standard health-check mechanism. - - ### Flow Description - 1. **Initialization**: The action initializes the Siemplify SDK to establish the - execution context. - - 2. **Connectivity Verification**: The script executes a minimal logic path to - confirm the integration environment is responsive. + 1. The action initializes the `SiemplifyAction` object. - 3. **Execution Completion**: The action concludes by returning a success message - ('Siemplify is connected') to the SOAR platform. + 2. It immediately terminates the execution with a success message, confirming + that the integration is connected. capabilities: can_create_case_comments: false can_create_insight: false @@ -265,8 +277,15 @@ Ping: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a simple connectivity check by calling `siemplify.end`. + It does not interact with external APIs, modify external systems, or update + any internal SOAR data. categories: enrichment: false + reasoning: >- + The action is named 'Ping', which is explicitly excluded from being an enrichment + action. Furthermore, it does not fetch any data. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -282,6 +301,9 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not reference `target_entities` or perform any operations on entities. + Therefore, the entity list is empty and no filters are applied. Remove String from Custom List: action_product_categories: add_alert_comment: false @@ -297,6 +319,9 @@ Remove String from Custom List: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action modifies an internal SOAR custom list. It does not match any of the + provided product categories (e.g., enrichment, containment, ticketing). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -314,9 +339,9 @@ Remove String from Custom List: ai_description: >- ### General Description - Removes a specific string from a designated Google SecOps custom list. This action - is used to manage internal lists (such as allowlists or blocklists) by programmatically - deleting entries based on user-provided input. + This action removes a specified string item from a custom list category within + the Google SecOps SOAR platform. It is a utility action designed to manage internal + SOAR configuration data by deleting entries from predefined custom lists. ### Parameters Description @@ -326,32 +351,28 @@ Remove String from Custom List: | :--- | :--- | :--- | :--- | | Category | string | Yes | The name of the custom list category from which the - string should be removed. | + item should be removed. | - | ListItem | string | Yes | The specific string value to be removed from the custom - list. | + | ListItem | string | Yes | The specific string value to be removed from the list. + | ### Additional Notes - This action operates on internal Google SecOps custom lists and does not interact - with external security controls or iterate over entities present in the current - case. + This action does not interact with external systems or entities. It strictly modifies + internal SOAR configuration data. ### Flow Description - 1. **Retrieve Parameters**: The action extracts the `Category` and `ListItem` - values from the input parameters. + 1. Retrieve the `Category` and `ListItem` parameters from the action configuration. - 2. **Prepare List Item**: It creates a `CustomList` object using the provided - string, category, and the current environment context. + 2. Initialize a `CustomList` object with the provided category and item. - 3. **Remove from List**: The action calls the internal SDK method `remove_entities_from_custom_list` - to delete the specified string from the internal database. + 3. Call the `remove_entities_from_custom_list` method to update the internal SOAR + custom list. - 4. **Finalize**: The action returns a success message confirming the removal or - a failure status if an error occurs. + 4. Return the execution status and a confirmation message. capabilities: can_create_case_comments: false can_create_insight: false @@ -362,9 +383,16 @@ Remove String from Custom List: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Removes a string entry from an internal Google SecOps custom list. + Removes a string item from a custom list within the SOAR platform. + reasoning: >- + The action interacts with the internal SOAR `CustomList` object to remove an + item. It does not fetch external data or interact with external APIs. It modifies + internal SOAR configuration data. categories: enrichment: false + reasoning: >- + The action is a utility for managing internal SOAR custom lists. It does not + fetch data, so it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -380,6 +408,9 @@ Remove String from Custom List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use `target_entities`. It takes parameters directly from + the action configuration. Search Custom Lists: action_product_categories: add_alert_comment: false @@ -395,6 +426,9 @@ Search Custom Lists: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action searches custom lists for records. It does not match any of the provided + product categories (e.g., it is not searching events, assets, or alerts). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -410,58 +444,19 @@ Search Custom Lists: update_identity: false update_ticket: false ai_description: >- - Searches for specific records within Google SecOps Custom Lists based on a search - string and/or specific categories. This action is primarily used to retrieve and - filter internal list data for use in playbooks, such as checking if a value exists - in a watchlist or global blocklist managed within the SOAR platform. - - - ### Parameters Description - - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | String to Search | String | No | The specific string to look for within the - `entityIdentifier` field of the custom list records. If omitted, all records in - the specified categories are returned. | - - | Categories | String | No | A comma-separated list of custom list categories - to search within. If omitted, the action searches across all available custom - lists. | - - - ### Flow Description - - - 1. **Parameter Extraction:** The action retrieves the `Categories` and `String - to Search` from the user input. - - 2. **Data Retrieval:** It calls the internal SOAR API to fetch records from the - custom lists. If categories are provided, it limits the initial fetch to those - categories. - - 3. **Category Filtering:** If categories were specified, the action filters the - retrieved records to ensure they match the requested categories. - - 4. **String Matching:** If a search string is provided, the action iterates through - the records and performs a partial match check against the `entityIdentifier` - field. - - 5. **Output Generation:** The matching records are formatted into a JSON array - and attached to the action's results. If no matches are found, the action completes - with a 'False' result value. - - - ### Additional Notes - - - * If both parameters are left empty, the action will attempt to return all records - from all custom lists. - - * This action does not interact with entities in the current case scope; it - operates globally on the platform's custom list data. + ### General Description\nSearches for records within Google SecOps custom lists + based on optional category filtering and string matching. This action allows users + to query custom lists to find specific entries, facilitating the retrieval of + threat intelligence or other stored data.\n\n### Parameters Description\n| Parameter + | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| String to + Search | string | No | The string to search for within the `entityIdentifier` + field of the custom list records. |\n| Categories | string | No | A comma-separated + list of categories to filter the custom list records by. |\n\n### Flow Description\n1. + Extracts `Categories` and `String to Search` parameters.\n2. Retrieves custom + list records using the `get_traking_list_record` utility.\n3. Filters the retrieved + records by the provided categories (if specified).\n4. Filters the remaining records + by the `String to Search` (if specified) against the `entityIdentifier` field.\n5. + Returns the matching records as a JSON result. capabilities: can_create_case_comments: false can_create_insight: false @@ -472,8 +467,16 @@ Search Custom Lists: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action retrieves data from custom lists using `get_traking_list_record`. + It does not modify any external systems or internal SOAR data (entities, insights, + comments). categories: enrichment: false + reasoning: >- + The action retrieves data from custom lists. While it fetches data, it does + not enrich specific entities or alerts within the case context. It is a utility + action for searching custom lists. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -489,6 +492,9 @@ Search Custom Lists: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `siemplify.target_entities`. It operates independently + of any specific entity. Search Environment Custom Lists: action_product_categories: add_alert_comment: false @@ -504,6 +510,10 @@ Search Environment Custom Lists: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action searches custom lists within the environment. It does not match any + of the predefined categories (e.g., Enrich IOC, Search Events, etc.) as it is + a general utility for custom list management. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -521,51 +531,40 @@ Search Environment Custom Lists: ai_description: >- ### General Description - Searches for specific records within the Google SecOps environment's custom lists. - This action allows users to filter records by category and search for specific - strings within the entity identifiers of the list entries. It is primarily used - to retrieve internal list data for use in subsequent playbook steps. If no parameters - are provided, the action returns all records from the environment's custom lists. + This action searches for records within the environment's custom lists. It allows + filtering by category and a specific search string to identify relevant entries. - ### Parameters Description - + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. Extract `Categories` and `String to Search` parameters. - | :--- | :--- | :--- | :--- | + 2. Retrieve all custom list records using `get_traking_list_records_filtered`. - | String to Search | String | No | The string to search for within the 'entityIdentifier' - field of the list records. If omitted, no string filtering is applied. | + 3. Filter the records by the provided `Categories` (if specified). - | Categories | String | No | A comma-separated list of categories to filter the - custom list records. If omitted, records from all categories are considered. | + 4. Filter the remaining records by the `String to Search` (if specified) against + the `entityIdentifier` field. + 5. Return the matching records as a JSON result. - ### Flow Description - 1. **Parameter Extraction**: The action retrieves the 'Categories' and 'String - to Search' parameters from the input. + ### Parameters Description - 2. **Data Retrieval**: It calls an internal API method (`get_traking_list_records_filtered`) - to fetch custom list records from the Google SecOps environment. + | Parameter | Type | Mandatory | Description | - 3. **Category Filtering**: If the 'Categories' parameter is provided, the action - filters the retrieved records to include only those matching the specified categories. + | :--- | :--- | :--- | :--- | - 4. **String Filtering**: If the 'String to Search' parameter is provided, the - action iterates through the records and performs a substring match against the - 'entityIdentifier' field. + | String to Search | string | No | The string to search within the `entityIdentifier` + of the custom list records. | - 5. **Result Output**: The matching records are formatted as a JSON object and - added to the action's results. If no records match the criteria, the action reports - that no matching records were found. + | Categories | string | No | A comma-separated list of categories to filter the + custom list records by. | ### Additional Notes - This action is a utility for internal data retrieval and does not interact with - external systems or modify existing entities or alerts within the case. + If no parameters are provided, the action returns all custom list records. capabilities: can_create_case_comments: false can_create_insight: false @@ -576,8 +575,16 @@ Search Environment Custom Lists: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches data from the environment's custom lists. It does not mutate + external systems or internal SOAR data (entities, insights, comments). It only + outputs the search results as a JSON object. categories: enrichment: false + reasoning: >- + The action is a utility for searching custom lists. It does not operate on entities + or alerts to provide enrichment, nor does it modify any system state. Therefore, + it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -593,3 +600,6 @@ Search Environment Custom Lists: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not reference `siemplify.target_entities` or perform any operations + on entities. It operates on global custom list data. diff --git a/content/response_integrations/power_ups/lists/resources/ai/integration_ai_description.yaml b/content/response_integrations/power_ups/lists/resources/ai/integration_ai_description.yaml index 2e831240c..3cea743c9 100644 --- a/content/response_integrations/power_ups/lists/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/power_ups/lists/resources/ai/integration_ai_description.yaml @@ -7,6 +7,14 @@ product_categories: iam_and_identity_management: false itsm: false network_security: false + reasoning: >- + The 'lists' integration is a utility tool designed for managing custom lists within + the Google SecOps SOAR platform. Its actions (Add, Remove, Search, Check existence) + are administrative in nature, focusing on internal SOAR configuration data rather + than performing specific security operations. It does not provide SIEM log analysis, + EDR host-level visibility, Threat Intelligence reputation data (risk scores/malware + families), or any other capabilities defined in the provided product categories. + Consequently, it does not align with any of the specified security product categories. siem: false - threat_intelligence: true + threat_intelligence: false vulnerability_management: false diff --git a/content/response_integrations/power_ups/template_engine/resources/ai/actions_ai_description.yaml b/content/response_integrations/power_ups/template_engine/resources/ai/actions_ai_description.yaml index 0a8d1a1a7..6c0356689 100644 --- a/content/response_integrations/power_ups/template_engine/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/power_ups/template_engine/resources/ai/actions_ai_description.yaml @@ -13,6 +13,11 @@ Entity Insight: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a generic template engine used to create entity insights. It does + not perform any specific product-related tasks like enriching IOCs, enriching + assets, or containing hosts. Therefore, it does not match any of the predefined + product categories. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -28,90 +33,83 @@ Entity Insight: update_identity: false update_ticket: false ai_description: >- - The **Entity Insight** action is a utility designed to transform raw JSON data - into human-readable insights for entities within a case. Using the Jinja2 templating - engine, it allows analysts to create custom visual representations of data retrieved - by other actions. This is particularly useful for summarizing complex API responses - into concise tables or summaries directly on the entity's insight tab. + This action renders a Jinja2 template using a provided JSON object and entity + data to create entity insights. It is a utility action that allows for dynamic + generation of insights based on custom templates. - ### Parameters Description - - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | + ### Flow Description - | **JSON Object** | Content | Yes | The raw JSON data (in EntityResult format) - that will be used to populate the template. | + 1. Extracts action parameters: `JSON Object`, `Template`, `Triggered By`, `Remove + BRs`, and `Create Insight`. - | **Template** | Email Content | No | The Jinja2 template used to render the insight. - Can be a predefined HTML template or custom code. | + 2. Iterates through the target entities, excluding those with the type "ALERT". - | **Triggered By** | String | Yes | The name of the integration or process that - generated the data, used as the source label for the insight. | + 3. Parses the input `JSON Object`. - | **Remove BRs** | Boolean | No | If set to `true`, all `
` tags will be stripped - from the rendered output. Default is `false`. | + 4. Initializes a Jinja2 environment, loading custom filters and helper functions. - | **Create Insight** | Boolean | No | If set to `true`, the action will generate - an Entity Insight in the SOAR. Default is `true`. | + 5. Renders the template for each entity using the provided JSON data and the entity's + properties. + 6. Adds the rendered result as an entity JSON result. - ### Additional Notes + 7. Optionally creates an entity insight in the SOAR platform if `Create Insight` + is enabled. - - The action includes a wide array of custom Jinja filters such as `json2tbl` - (for converting JSON to HTML tables), `regex_replace`, and `filter_datetime` to - assist in data formatting. - - The input JSON must follow a specific structure where each entry contains an - "Entity" identifier and an "EntityResult" object. + ### Parameters Description - - Entities identified as type "ALERT" via their additional properties are excluded - from processing. + | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Flow Description + | JSON Object | content | Yes | The raw JSON object that will be used to render + the template. | - 1. **Parameter Extraction**: Retrieves the input JSON, Jinja2 template, and configuration - settings from the action parameters. + | Template | email_content | No | The Jinja2 template to display. Can be a HTML + template from "Settings->Environment" or added in content box. | - 2. **Environment Setup**: Initializes the Jinja2 environment and loads a comprehensive - set of standard and custom filters for advanced data manipulation. + | Triggered By | string | Yes | The name of the integration that triggered this + entity insight. | - 3. **Entity Iteration**: Loops through all entities currently associated with - the case scope. + | Remove BRs | boolean | No | Remove all
tags from the rendered template. + Default is false. | - 4. **Type Filtering**: Skips entities where the `Type` property in `additional_properties` - is set to "ALERT". + | Create Insight | boolean | No | When enabled, the action will create entity + insights. Default is true. | - 5. **Data Matching**: For each valid entity, searches the input JSON object for - an entry matching the entity's identifier. - 6. **Template Rendering**: If a match is found, it merges the entity's metadata - with the JSON result and renders the Jinja2 template into a final string. + ### Additional Notes - 7. **Insight Creation**: If the `Create Insight` flag is enabled, it creates an - Entity Insight with the rendered content and attaches the raw result as entity - JSON for further use. + This action is a generic template engine and does not perform any specific external + system interactions. It is primarily used for internal data formatting and insight + creation. capabilities: can_create_case_comments: false can_create_insight: true can_modify_alert_data: false can_mutate_external_data: false can_mutate_internal_data: true - can_update_entities: false + can_update_entities: true external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Creates entity insights and attaches JSON results to entities within the Google - SecOps platform based on the provided template and data. + Creates entity insights and adds entity JSON results within the SOAR platform. + reasoning: >- + The action processes input data and entity properties to render a template. + It does not fetch data from external systems (fetches_data=false) or mutate + external systems (can_mutate_external_data=false). It performs internal mutations + by adding entity JSON results and creating entity insights (can_mutate_internal_data=true). categories: - enrichment: false + enrichment: true + reasoning: >- + The action creates entity insights, which is an allowed internal mutation for + enrichment actions. It does not fetch data from external systems or mutate external + data, and it does not perform any prohibited actions. entity_usage: entity_types: - ADDRESS - - ALERT - APPLICATION - CHILDHASH - CHILDPROCESS @@ -150,7 +148,7 @@ Entity Insight: filters_by_case_identifier: false filters_by_creation_time: false filters_by_entity_type: false - filters_by_identifier: true + filters_by_identifier: false filters_by_is_artifact: false filters_by_is_enriched: false filters_by_is_internal: false @@ -158,6 +156,10 @@ Entity Insight: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over all `siemplify.target_entities` and processes them + if their `additional_properties['Type']` is not 'ALERT'. It uses `entity.additional_properties` + to access entity data. Ping: action_product_categories: add_alert_comment: false @@ -173,6 +175,9 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity check ('Ping'). It does not perform any of the + defined functional operations (enrichment, containment, ticketing, etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -190,11 +195,9 @@ Ping: ai_description: >- ### General Description - The **Ping** action is a diagnostic utility designed to verify the connectivity - and functional status of the TemplateEngine integration within Google SecOps. - Its primary purpose is to ensure that the integration's environment is correctly - configured and that the SOAR platform can successfully communicate with the integration's - underlying logic. + This action performs a connectivity check to verify that the integration is properly + configured and communicating with the SOAR platform. It is a utility action used + to confirm the environment is ready for use. ### Parameters Description @@ -204,20 +207,11 @@ Ping: ### Flow Description - 1. **Initialization**: The action initializes the Siemplify context to establish - a connection with the SOAR platform. - - 2. **Connectivity Check**: The script executes a simple completion command without - performing any external API calls or data processing. + 1. Initialize the `SiemplifyAction` object. - 3. **Finalization**: The action terminates with a success message, "Siemplify - is connected," confirming that the integration is operational. + 2. Execute the connectivity check. - - ### Additional Notes - - This action does not interact with any external services, nor does it process - or modify any entity or case data. It is strictly used for health-check purposes. + 3. Terminate the action with a success message. capabilities: can_create_case_comments: false can_create_insight: false @@ -228,8 +222,16 @@ Ping: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action is a simple 'Ping' utility. It does not fetch data from external + sources, nor does it modify any internal or external data. It is strictly used + for verifying connectivity. categories: enrichment: false + reasoning: >- + The action is named 'Ping'. According to the guidelines, actions named 'Ping' + must not be categorized as enrichment actions. It also does not perform any + data retrieval or modification. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -245,6 +247,9 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. It is a standalone connectivity + check. Render Template: action_product_categories: add_alert_comment: false @@ -260,6 +265,10 @@ Render Template: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a utility for rendering templates. It does not fit into any of + the specific product categories like enrichment, ticketing, or containment. + It is a general-purpose transformation action. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -275,63 +284,21 @@ Render Template: update_identity: false update_ticket: false ai_description: >- - ### General Description - - The **Render Template** action allows users to generate formatted text or HTML - by applying a Jinja2 template to a JSON data structure. This action is primarily - used within playbooks to prepare content for notifications (such as emails or - Slack messages) or to create structured reports from raw event and entity data. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **JSON Object** | JSON Object | No | The raw JSON object used as the primary - data source (`input_json`) for the template. Defaults to `{}`. | - - | **Jinja** | Jinja | No | The Jinja2 template code to be rendered. If provided, - this overrides the `Template` parameter. | - - | **Include Case Data** | Boolean | No | When enabled, the action automatically - injects the alert's security events and entities into the template context under - `input_json['SiemplifyEvents']` and `input_json['SiemplifyEntities']`. | - - | **Template** | email_content | No | An alternative way to provide the Jinja2 - template, often used for selecting pre-defined HTML templates from the environment - settings. | - - - ### Flow Description - - 1. **Data Collection**: The action extracts the `JSON Object` input and, if `Include - Case Data` is enabled, gathers all security events and entities associated with - the current alert context. - - 2. **Environment Setup**: A Jinja2 environment is initialized, loading a comprehensive - set of filters including `json2tbl` (for converting JSON to HTML tables), regex - utilities, and date/time formatters. - - 3. **Template Selection**: The action determines whether to use the raw `Jinja` - code or the `Template` parameter (with `Jinja` taking precedence). - - 4. **Rendering**: The template is rendered using the provided JSON data. If the - input JSON is a list, the action iterates through the list and appends the rendered - results for each entry. - - 5. **Output**: The final rendered string is returned as the action's result and - is also stored in the `JsonResult` as `html_output`. - - - ### Additional Notes - - - Either the **Jinja** or **Template** parameter must be configured for the action - to produce output. - - - Use the `|safe` filter in your Jinja code to disable HTML auto-escaping if you - are generating HTML content. + General description: This action renders a Jinja2 template using a provided JSON + object as input. It is a utility action designed to transform data into a formatted + string (e.g., HTML or text).\n\nFlow description:\n1. The action parses the provided + JSON object.\n2. If 'Include Case Data' is enabled, it retrieves security events + and entity information from the current alert.\n3. It initializes a Jinja2 environment, + loading standard and custom filters.\n4. It renders the template using the input + JSON (and case data if included).\n5. The final rendered output is returned as + a JSON result.\n\nParameters description:\n| Parameter | Type | Mandatory | Description + |\n| --- | --- | --- | --- |\n| JSON Object | content | No | The raw JSON object + used to render the template. Available as 'input_json' in the template. |\n| Template + | email_content | No | The Jinja template code to be rendered. |\n| Jinja | code + | No | Alternative Jinja template code. |\n| Include Case Data | boolean | No + | If true, includes case events and entities in the template context. |\n\nAdditional + notes: Either 'Template' or 'Jinja' should be configured to provide the template + content. capabilities: can_create_case_comments: false can_create_insight: false @@ -342,11 +309,20 @@ Render Template: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action is a utility that processes input data (JSON and templates) to generate + a rendered string. It does not interact with external systems (no external mutation + or fetching) and does not modify internal SOAR data (no internal mutation). categories: enrichment: false + reasoning: >- + The action is a utility/transformation tool. It does not fetch data from external + sources, nor does it perform any of the allowed internal mutations (comments, + insights, entity updates). Therefore, it is not an enrichment action. entity_usage: entity_types: - ADDRESS + - ALERT - APPLICATION - CHILDHASH - CHILDPROCESS @@ -384,7 +360,7 @@ Render Template: filters_by_alert_identifier: false filters_by_case_identifier: false filters_by_creation_time: false - filters_by_entity_type: true + filters_by_entity_type: false filters_by_identifier: false filters_by_is_artifact: false filters_by_is_enriched: false @@ -393,6 +369,11 @@ Render Template: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and collects data if `Include + Case Data` is enabled. It filters entities by their `additional_properties` + attribute (specifically checking for 'ALERT' type). It does not filter by entity + type, so it supports all entity types. Render Template from Array: action_product_categories: add_alert_comment: false @@ -408,6 +389,11 @@ Render Template from Array: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a utility for template rendering and does not perform any of the + listed operations such as enrichment, containment, or ticketing. It does not + interact with external systems or modify alert data, therefore it does not match + any of the product categories. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -423,67 +409,17 @@ Render Template from Array: update_identity: false update_ticket: false ai_description: >- - ### General Description - - The **Render Template from Array** action is a utility designed to transform a - list of data items into a single formatted string using Jinja2 templating. It - iterates through a provided JSON array, applies a specific template to each element, - and joins the results together. This is particularly useful for generating HTML - reports, summaries, or formatted logs from a collection of entities or event data - within a playbook. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **Array input** | Content | No | A JSON-formatted string representing the array - of items to process. Usually mapped from the output of a previous action. Defaults - to an empty list. | - - | **Jinja** | Code | No | The Jinja2 template logic to apply to each item in the - array. The current item is accessible via the `row` variable. | - - | **join** | String | No | The character or string used to concatenate the rendered - output of each array item (e.g., a comma, newline, or HTML break). | - - | **prefix** | String | No | A static string to prepend to the very beginning - of the final concatenated output. | - - | **suffix** | String | No | A static string to append to the very end of the - final concatenated output. | - - - ### Additional Notes - - - If the **Array input** provided is a single JSON object instead of a list, the - action will automatically treat it as a single-element array. - - - The action supports a wide range of custom Jinja filters (e.g., `json2tbl`, - `regex_match`, `filter_datetime`) to assist in complex data formatting. - - - ### Flow Description - - 1. **Initialization**: The action extracts the input parameters and initializes - the Jinja2 environment, loading standard and custom filters. - - 2. **Data Parsing**: The `Array input` string is parsed into a Python list. If - the input is a dictionary, it is converted into a list containing that dictionary. - - 3. **Template Rendering**: The action loops through each item in the list. For - each item, it renders the provided `Jinja` template, passing the item as the context - (accessible as `row`). - - 4. **Concatenation**: All rendered strings are collected into a list and joined - into a single string using the `join` parameter. - - 5. **Final Formatting**: The `prefix` and `suffix` are added to the joined string. - - 6. **Output**: The final string is returned as the action's result value and included - in the `html_output` field of the JSON result. + This action renders a Jinja2 template for each item in a provided JSON array. + It is useful for formatting data into custom strings, HTML, or reports. Parameters + description: Array input (Optional): A JSON array string to be processed. Jinja + (Optional): The Jinja2 template string. join (Optional): The separator string + used to join the rendered items. prefix (Optional): A string to prepend to the + final output. suffix (Optional): A string to append to the final output. Flow + description: 1. Parse the Array input parameter as a JSON object/list. 2. Initialize + a Jinja2 environment with available filters. 3. Iterate through each item in the + input array. 4. Render the provided Jinja template for each item. 5. Concatenate + the rendered results using the join parameter. 6. Apply prefix and suffix to the + final string. 7. Return the result in the html_output field. capabilities: can_create_case_comments: false can_create_insight: false @@ -494,8 +430,15 @@ Render Template from Array: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs local string manipulation and template rendering. It does + not interact with external APIs, modify internal SOAR data, or update entities. categories: enrichment: false + reasoning: >- + The action is a utility for data transformation (templating) and does not fetch + data from external sources or perform enrichment. Therefore, it is not an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -511,3 +454,6 @@ Render Template from Array: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with siemplify.target_entities or any entity-specific + logic. It operates on raw input data provided via parameters. diff --git a/content/response_integrations/power_ups/template_engine/resources/ai/integration_ai_description.yaml b/content/response_integrations/power_ups/template_engine/resources/ai/integration_ai_description.yaml index 0801c7556..2e7d01b00 100644 --- a/content/response_integrations/power_ups/template_engine/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/power_ups/template_engine/resources/ai/integration_ai_description.yaml @@ -7,6 +7,16 @@ product_categories: iam_and_identity_management: false itsm: false network_security: false + reasoning: >- + The template_engine integration is a utility-based tool designed to provide Jinja2 + template rendering capabilities. It does not interact with external security systems, + perform data enrichment, manage security infrastructure, or execute security-specific + operations such as blocking, scanning, or ticketing. While it can be used to format + data for other integrations (e.g., formatting an email body or a ticket description), + the integration itself does not fulfill the functional requirements of any of + the defined product categories (SIEM, EDR, Network Security, Threat Intelligence, + Email Security, IAM, Cloud Security, ITSM, Vulnerability Management, Asset Inventory, + or Collaboration). Therefore, all product category flags are set to false. siem: false threat_intelligence: false vulnerability_management: false diff --git a/content/response_integrations/power_ups/tools/resources/ai/actions_ai_description.yaml b/content/response_integrations/power_ups/tools/resources/ai/actions_ai_description.yaml index 610a3bce1..f10ddd119 100644 --- a/content/response_integrations/power_ups/tools/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/power_ups/tools/resources/ai/actions_ai_description.yaml @@ -13,6 +13,10 @@ Add Alert Scoring Information: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action updates the alert's severity and score context properties, which + directly modifies the alert's state within the SecOps platform. This aligns + with the 'Update Alert' category. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -93,12 +97,22 @@ Add Alert Scoring Information: can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: null - fetches_data: false + fetches_data: true internal_data_mutation_explanation: >- - The action updates alert context properties (ALERT_SCORE_INFO, ALERT_SCORE, - and ALERT_SEVERITY) to store and manage internal scoring metadata. + Updates alert context properties `ALERT_SCORE_INFO`, `ALERT_SCORE`, and `ALERT_SEVERITY`. + reasoning: >- + The action retrieves existing scoring information from the alert's context property + `ALERT_SCORE_INFO` (fetches_data=true). It then performs internal mutations + by updating the alert's context properties `ALERT_SCORE_INFO`, `ALERT_SCORE`, + and `ALERT_SEVERITY` (can_mutate_internal_data=true). It does not interact with + external systems, update entities, create insights, or add case comments. categories: enrichment: false + reasoning: >- + The action does not meet the criteria for an enrichment action. While it retrieves + internal data, it performs significant internal mutations (updating alert context + properties) that are not limited to the allowed list (insights, entities, comments). + Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -114,9 +128,12 @@ Add Alert Scoring Information: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with entities. It operates solely on alert context + properties. Add Comment to Entity Log: action_product_categories: - add_alert_comment: false + add_alert_comment: true add_ioc_to_allowlist: false add_ioc_to_blocklist: false contain_host: false @@ -129,6 +146,10 @@ Add Comment to Entity Log: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action adds a comment to the entity log, which is an internal annotation. + This matches the 'Add Alert Comment' category as it appends notes to the entity's + activity timeline. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -158,12 +179,12 @@ Add Comment to Entity Log: | :--- | :--- | :--- | :--- | - | **User** | String | Yes | The username or identifier of the person or system - account that will be credited as the author of the comment. Defaults to `@Administrator`. + | **User** | User | Yes | The username or identifier of the person or system account + that will be credited as the author of the comment. Defaults to `@Administrator`. | - | **Comment** | String | Yes | The actual text content that will be appended to - the entity's log. | + | **Comment** | Content | Yes | The actual text content that will be appended + to the entity's log. | ### Flow Description @@ -185,10 +206,9 @@ Add Comment to Entity Log: ### Additional Notes This action does not modify the entity's attributes (like reputation or tags) - but rather adds a historical log entry visible in the Entity Explorer. It uses - an internal API call to interact with the Google SecOps platform. + but rather adds a historical log entry visible in the Entity Explorer. capabilities: - can_create_case_comments: false + can_create_case_comments: true can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false @@ -197,10 +217,14 @@ Add Comment to Entity Log: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Adds a comment to the internal entity log within Google SecOps for auditing - and documentation purposes. + Adds a comment to the entity's log within the Google SecOps platform. + reasoning: >- + The action adds a comment to the entity log, which is an internal mutation. + It does not fetch data, nor does it mutate external systems. categories: enrichment: false + reasoning: >- + The action does not fetch data, which is a requirement for enrichment actions. entity_usage: entity_types: - ADDRESS @@ -251,6 +275,9 @@ Add Comment to Entity Log: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` without any filtering logic, + meaning it processes all entities provided in the scope. Add Or Update Alert Additional Data: action_product_categories: add_alert_comment: false @@ -266,6 +293,10 @@ Add Or Update Alert Additional Data: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action modifies the alert's additional data, which is a form of alert modification. + While it does not change status, severity, or assignee, it is an update to the + alert's internal data. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -276,38 +307,37 @@ Add Or Update Alert Additional Data: send_message: false submit_file: false uncontain_host: false - update_alert: true + update_alert: false update_email: false update_identity: false update_ticket: false - ai_description: "### General Description\nThis action allows for the dynamic addition\ - \ or updating of information within the 'Additional Data' field of a Google SecOps\ - \ alert. It is designed to act as a temporary or persistent storage mechanism\ - \ for data collected during a playbook's execution, enabling subsequent actions\ - \ to access this accumulated context. The action supports structured JSON (dictionaries\ - \ and lists) as well as plain text.\n\n### Parameters Description\n| Parameter\ - \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Json Fields\ - \ | string | Yes | The data to be added to the alert. This can be a raw string,\ - \ a JSON-formatted dictionary, or a JSON-formatted list. If a dictionary is provided,\ - \ it is merged into the existing 'dict' key. If a list is provided, it is appended\ - \ to the 'list' key. Any other input is stored in the 'data' key. |\n\n### Additional\ - \ Notes\n- The action automatically initializes a structured schema within the\ - \ alert's additional data if it doesn't exist, containing 'dict', 'list', and\ - \ 'data' keys.\n- If the input string is not valid JSON, it will be treated as\ - \ a standard string and stored in the 'data' field.\n\n### Flow Description\n\ - 1. **Input Parsing**: The action retrieves the 'Json Fields' parameter and attempts\ - \ to parse it as a JSON object (dictionary or list). If parsing fails, it treats\ - \ the input as a raw string.\n2. **Data Retrieval**: It fetches the current alert's\ - \ existing 'additional_data' content.\n3. **Structure Normalization**: If the\ - \ existing data is empty or lacks the standard keys ('dict', 'list', 'data'),\ - \ the action initializes them to ensure a consistent data structure.\n4. **Data\ - \ Merging**: \n - If the input is a **List**, it extends the existing list\ - \ in the alert data.\n - If the input is a **Dictionary**, it updates the existing\ - \ dictionary in the alert data with the new key-value pairs.\n - If the input\ - \ is a **String**, it overwrites the 'data' field with the new value.\n5. **Internal\ - \ Update**: The action calls the Google SecOps API to update the alert's metadata\ - \ with the newly merged JSON structure.\n6. **Output**: The final accumulated\ - \ data is returned as a JSON result for use in the playbook." + ai_description: >- + This action allows for the dynamic addition or updating of information within + the 'Additional Data' field of a Google SecOps alert. It is designed to act as + a temporary or persistent storage mechanism for data collected during a playbook's + execution, enabling subsequent actions to access this accumulated context. The + action supports structured JSON (dictionaries and lists) as well as plain text. + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- + | :--- | :--- | :--- | | Json Fields | string | Yes | The data to be added to + the alert. This can be a raw string, a JSON-formatted dictionary, or a JSON-formatted + list. If a dictionary is provided, it is merged into the existing 'dict' key. + If a list is provided, it is appended to the 'list' key. Any other input is stored + in the 'data' key. | ### Additional Notes - The action automatically initializes + a structured schema within the alert's additional data if it doesn't exist, containing + 'dict', 'list', and 'data' keys. - If the input string is not valid JSON, it will + be treated as a standard string and stored in the 'data' field. ### Flow Description + 1. Input Parsing: The action retrieves the 'Json Fields' parameter and attempts + to parse it as a JSON object (dictionary or list). If parsing fails, it treats + the input as a raw string. 2. Data Retrieval: It fetches the current alert's existing + 'additional_data' content. 3. Structure Normalization: If the existing data is + empty or lacks the standard keys ('dict', 'list', 'data'), the action initializes + them to ensure a consistent data structure. 4. Data Merging: - If the input is + a List, it extends the existing list in the alert data. - If the input is a Dictionary, + it updates the existing dictionary in the alert data with the new key-value pairs. + - If the input is a String, it overwrites the 'data' field with the new value. + 5. Internal Update: The action calls the Google SecOps API to update the alert's + metadata with the newly merged JSON structure. 6. Output: The final accumulated + data is returned as a JSON result for use in the playbook. capabilities: can_create_case_comments: false can_create_insight: false @@ -318,10 +348,15 @@ Add Or Update Alert Additional Data: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Updates the 'additional_data' field of the current alert within Google SecOps - to store or merge context for playbook execution. + Updates the 'additional_data' field of the current alert within Google SecOps. + reasoning: >- + The action modifies the internal state of the alert by updating its 'additional_data' + field. It does not interact with external systems or fetch external data. It + performs an internal mutation of the alert metadata. categories: enrichment: false + reasoning: >- + The action does not fetch external data, so it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -337,6 +372,9 @@ Add Or Update Alert Additional Data: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or process entities. It operates on the current + alert object. Append to Context Value: action_product_categories: add_alert_comment: false @@ -352,6 +390,10 @@ Append to Context Value: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a utility for managing context properties. It does not match any + of the defined product categories (e.g., enrichment, ticket management, alert + modification). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -362,7 +404,7 @@ Append to Context Value: send_message: false submit_file: false uncontain_host: false - update_alert: true + update_alert: false update_email: false update_identity: false update_ticket: false @@ -380,33 +422,40 @@ Append to Context Value: \ append to the existing property or to set as the initial value. |\n| **Delimiter**\ \ | String | Yes | The character or string used to separate the existing value\ \ from the new value when appending. Default is a comma (','). |\n\n### Flow Description\n\ - 1. **Parameter Extraction:** The action retrieves the `Scope`, `Key`, `Value`,\ - \ and `Delimiter` from the input configuration.\n2. **Context Retrieval:** Based\ - \ on the selected `Scope`, the action attempts to fetch the current value of the\ - \ specified `Key` from the internal Google SecOps context storage using scope-specific\ - \ methods (`get_alert_context_property`, `get_case_context_property`, or a custom\ - \ global getter).\n3. **Value Processing:** \n * If the key already contains\ - \ data, the action concatenates the existing value, the provided delimiter, and\ - \ the new value.\n * If the key is empty or does not exist, the action initializes\ - \ it with the provided value.\n4. **Context Update:** The updated string is saved\ - \ back into the corresponding context scope (Alert, Case, or Global) using scope-specific\ - \ methods (`set_alert_context_property`, `set_case_context_property`, or a custom\ - \ global setter).\n5. **Completion:** The action returns a success message indicating\ - \ whether the value was appended to an existing key or a new key was created." + 1. **Parameter Extraction:** The action retrieves the Scope, Key, Value, and Delimiter\ + \ from the input configuration.\n2. **Context Retrieval:** Based on the selected\ + \ Scope, the action attempts to fetch the current value of the specified Key from\ + \ the internal Google SecOps context storage.\n3. **Value Processing:** \n \ + \ * If the key already contains data, the action concatenates the existing value,\ + \ the provided delimiter, and the new value.\n * If the key is empty or does\ + \ not exist, the action initializes it with the provided value.\n4. **Context\ + \ Update:** The updated string is saved back into the corresponding context scope\ + \ (Alert, Case, or Global).\n5. **Completion:** The action returns a success message\ + \ indicating whether the value was appended to an existing key or a new key was\ + \ created." capabilities: can_create_case_comments: false can_create_insight: false - can_modify_alert_data: true + can_modify_alert_data: false can_mutate_external_data: false can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: null - fetches_data: false + fetches_data: true internal_data_mutation_explanation: >- - The action modifies internal context properties at the Alert, Case, or Global - level to store and accumulate data for use in playbooks. + Updates or creates context properties within the Google SecOps environment (Alert, + Case, or Global scope). + reasoning: >- + The action fetches existing context data from the Google SecOps environment + (fetches_data=true) and then updates or creates new context properties (can_mutate_internal_data=true). + It does not interact with external systems or modify entities, insights, or + alert metadata. categories: enrichment: false + reasoning: >- + The action is a utility for managing context properties. It does not perform + enrichment (it modifies internal state, which is not an allowed mutation for + enrichment actions) and does not fetch external data. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -422,6 +471,9 @@ Append to Context Value: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with entities. It operates on context properties + (Alert, Case, or Global scope) and does not use the target_entities list. Assign Case to User: action_product_categories: add_alert_comment: false @@ -437,6 +489,10 @@ Assign Case to User: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action assigns a user to a case. This is an internal SOAR operation. It + does not match any of the specific IOC/Asset/Ticket/Containment categories. + It is an administrative/workflow action within the platform. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -447,7 +503,7 @@ Assign Case to User: send_message: false submit_file: false uncontain_host: false - update_alert: true + update_alert: false update_email: false update_identity: false update_ticket: false @@ -456,13 +512,11 @@ Assign Case to User: This action assigns a specific user to a case within Google SecOps. It is primarily used for workflow orchestration to ensure that cases are routed to the correct - analysts or administrators for investigation. This action interacts with the internal - SOAR API to update the case ownership. + analysts or administrators for investigation. ### Parameters Description - | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | @@ -484,34 +538,39 @@ Assign Case to User: - It does not interact with external third-party APIs. - - It does not process or require any entities to run. - ### Flow Description - 1. **Parameter Extraction**: The action retrieves the `Case Id`, `Assign To` user, - and `Alert Id` from the input parameters. + 1. Parameter Extraction: The action retrieves the Case Id, Assign To user, and + Alert Id from the input parameters. - 2. **API Call**: It utilizes the `assign_case_to_user` utility from the `TIPCommon` - library to communicate with the internal SOAR API. + 2. API Call: It utilizes the assign_case_to_user utility from the TIPCommon library + to communicate with the internal SOAR API. - 3. **Assignment**: The internal API updates the case record to reflect the new - assignee. + 3. Assignment: The internal API updates the case record to reflect the new assignee. - 4. **Completion**: The action logs the result and terminates successfully. + 4. Completion: The action logs the result and terminates successfully. capabilities: can_create_case_comments: false can_create_insight: false - can_modify_alert_data: true + can_modify_alert_data: false can_mutate_external_data: false can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Updates the case record within Google SecOps to assign it to a specific user. + Updates the case ownership within the Google SecOps SOAR platform. + reasoning: >- + The action uses the TIPCommon library's assign_case_to_user function to modify + the case ownership within the Google SecOps platform. It does not fetch external + data or interact with external systems. It performs an internal mutation of + the case record. categories: enrichment: false + reasoning: >- + The action does not fetch data (not enrichment). It modifies internal SOAR data + (case assignment). It is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -527,6 +586,9 @@ Assign Case to User: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over target_entities. It uses parameters provided + in the configuration. Attach Playbook to Alert: action_product_categories: add_alert_comment: false @@ -542,6 +604,9 @@ Attach Playbook to Alert: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action modifies the alert by attaching workflows, which aligns with the + 'Update Alert' category. It does not perform any other listed actions. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -559,11 +624,9 @@ Attach Playbook to Alert: ai_description: >- ### General Description - This action attaches one or more playbooks (or blocks) to a specific alert within + This action attaches one or more playbooks or blocks to a specific alert within Google SecOps. It is primarily used to dynamically trigger additional automated - workflows based on the logic or findings of a parent playbook. The action can - handle multiple playbook names provided as a comma-separated list and includes - logic to prevent or allow duplicate attachments. + workflows based on the logic or findings of a parent playbook. ### Parameters Description @@ -609,10 +672,16 @@ Attach Playbook to Alert: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Attaches one or more playbooks or blocks to a specific alert within the Google - SecOps platform. + Attaches new workflows/playbooks to the alert within the SOAR platform. + reasoning: >- + The action fetches existing workflow data from the internal SOAR API to check + for duplicates and then modifies the alert by attaching new workflows. It does + not interact with external systems or update entities. categories: enrichment: false + reasoning: >- + The action modifies internal SOAR data (attaching workflows) and does not fetch + external context for enrichment. Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -628,6 +697,8 @@ Attach Playbook to Alert: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not process or iterate over `target_entities`. Attach Playbook to All Case Alerts: action_product_categories: add_alert_comment: false @@ -643,6 +714,9 @@ Attach Playbook to All Case Alerts: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action modifies the alert by attaching a workflow to it, which aligns with + the 'Update Alert' category. It does not perform any other listed actions. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -660,9 +734,10 @@ Attach Playbook to All Case Alerts: ai_description: >- ### General Description - The **Attach Playbook to All Case Alerts** action programmatically assigns a specified - playbook to every alert within a Google SecOps case. This ensures consistent automated - response workflows across all alerts in an investigation. + The **Attach Playbook to All Case Alerts** action is designed to programmatically + assign a specific playbook to every alert associated with a case in Google SecOps. + This is particularly useful for ensuring that all alerts within a single investigation + follow a consistent automated response or investigation workflow. ### Parameters Description @@ -671,28 +746,25 @@ Attach Playbook to All Case Alerts: | :--- | :--- | :--- | :--- | - | **Playbook Name** | String | Yes | The exact name of the playbook to attach - to all alerts in the case. | + | **Playbook Name** | String | Yes | The exact name of the playbook that should + be attached to all alerts in the current case. | ### Flow Description - 1. **Input Retrieval**: Retrieves the `Playbook Name` from the action parameters. - - 2. **Alert Iteration**: Accesses the current case and iterates through all associated - alerts. + 1. **Input Retrieval**: The action retrieves the `Playbook Name` from the user-defined + parameters. - 3. **Workflow Attachment**: For each alert, it calls the internal API to attach - the specified playbook using the alert's identifier. + 2. **Alert Iteration**: The script accesses the current case object and iterates + through every alert linked to that case. - 4. **Status Reporting**: Returns a success or failure message based on the attachment - process. + 3. **Workflow Attachment**: For each alert, the action calls the internal SOAR + API (`attach_workflow_to_case`) to link the specified playbook to the alert's + unique identifier. - - ### Additional Notes - - This action operates entirely within the Google SecOps environment and does not - interact with external systems. + 4. **Status Reporting**: The action evaluates the success of the attachment process + and returns a final message to the case wall indicating whether the playbook was + successfully attached to the alerts. capabilities: can_create_case_comments: false can_create_insight: false @@ -703,10 +775,17 @@ Attach Playbook to All Case Alerts: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Attaches a specified playbook to all alerts within the current case, modifying - the workflow associated with those alerts. + Attaches a playbook (workflow) to all alerts within the current case. + reasoning: >- + The action iterates through all alerts in the current case and uses the internal + `attach_workflow_to_case` method to link a specified playbook. This modifies + the internal state of the alerts within the SOAR platform. It does not fetch + external data or interact with external systems. categories: enrichment: false + reasoning: >- + The action does not fetch data from an external source, so it is not an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -722,6 +801,9 @@ Attach Playbook to All Case Alerts: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over `siemplify.case.alerts` to perform operations on alerts, + not on entities. Therefore, it does not use any entity types. Buffer: action_product_categories: add_alert_comment: false @@ -737,6 +819,10 @@ Buffer: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a utility tool for data transformation and flow control within + a playbook. It does not perform any of the defined product-specific operations + such as enriching IOCs, managing tickets, or modifying alerts. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -751,30 +837,31 @@ Buffer: update_email: false update_identity: false update_ticket: false - ai_description: "### General Description\n\nThe **Buffer** action is a utility tool\ - \ within the Tools integration designed to facilitate data handling and flow control\ - \ within playbooks. Its primary purpose is to receive a JSON string and a result\ - \ value as inputs and 'buffer' them into the action's output. This is particularly\ - \ useful for converting string-based JSON data into a structured format that subsequent\ - \ playbook actions can easily consume, or for explicitly setting the result value\ - \ of a step to control playbook logic flow.\n\n### Parameters Description\n\n\ - | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ - | **JSON** | String | No | A JSON-formatted string. If provided, the action attempts\ - \ to parse this string and include the resulting object in the action's JSON results.\ - \ |\n| **ResultValue** | String | No | A string value that will be returned as\ - \ the primary result of the action. This is often used for conditional branching\ - \ in playbooks. |\n\n### Flow Description\n\n1. **Parameter Retrieval:** The action\ - \ starts by retrieving the `JSON` and `ResultValue` inputs from the playbook context.\n\ - 2. **JSON Parsing:** If the `JSON` parameter is populated, the script attempts\ - \ to deserialize the string into a structured JSON object using `json.loads()`.\n\ - 3. **Result Attachment:** \n * If parsing is successful, the structured data\ - \ is added to the action's result JSON using `add_result_json` and `add_json`\ - \ (under the key 'Json').\n * If parsing fails, an error message is appended\ - \ to the final output message.\n4. **Action Completion:** The action concludes\ - \ by calling `siemplify.end()` with a status message and the provided `ResultValue`.\n\ - \n### Additional Notes\n\n* This action does not interact with any external APIs\ - \ or modify any SecOps entities.\n* It serves strictly as a data transformation\ - \ and flow control utility." + ai_description: >- + ### General Description\n\nThe **Buffer** action is a utility tool within the + Tools integration designed to facilitate data handling and flow control within + playbooks. Its primary purpose is to receive a JSON string and a result value + as inputs and 'buffer' them into the action's output. This is particularly useful + for converting string-based JSON data into a structured format that subsequent + playbook actions can easily consume, or for explicitly setting the result value + of a step to control playbook logic flow.\n\n### Parameters Description\n\n| Parameter + | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| **JSON** + | String | No | A JSON-formatted string. If provided, the action attempts to parse + this string and include the resulting object in the action's JSON results. |\n| + **ResultValue** | String | No | A string value that will be returned as the primary + result of the action. This is often used for conditional branching in playbooks. + |\n\n### Flow Description\n\n1. **Parameter Retrieval:** The action starts by + retrieving the `JSON` and `ResultValue` inputs from the playbook context.\n2. + **JSON Parsing:** If the `JSON` parameter is populated, the script attempts to + deserialize the string into a structured JSON object using `json.loads()`.\n3. + **Result Attachment:** \n * If parsing is successful, the structured data is + added to the action's result JSON using `add_result_json` and `add_json` (under + the key 'Json').\n * If parsing fails, an error message is appended to the + final output message.\n4. **Action Completion:** The action concludes by calling + `siemplify.end()` with a status message and the provided `ResultValue`.\n\n### + Additional Notes\n\n* This action does not interact with any external APIs or + modify any SecOps entities.\n* It serves strictly as a data transformation and + flow control utility. capabilities: can_create_case_comments: false can_create_insight: false @@ -785,8 +872,16 @@ Buffer: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action parses a provided JSON string and sets a result value. It does not + perform any external API calls, nor does it modify any internal SecOps entities, + alerts, or case data. It is a pure utility action. categories: enrichment: false + reasoning: >- + The action does not fetch data from any external or internal source; it only + processes provided input parameters. Therefore, it does not meet the criteria + for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -802,6 +897,9 @@ Buffer: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not reference `target_entities` or perform any operations on entities. + It is a utility action that operates on input parameters. Change Case Name: action_product_categories: add_alert_comment: false @@ -817,6 +915,10 @@ Change Case Name: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action renames a case within the SecOps platform. It does not match any + of the provided categories (Enrichment, Ticket, Alert, IOC, Identity, Host, + Email, etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -846,7 +948,9 @@ Change Case Name: | :--- | :--- | :--- | :--- | - | New Name | String | Yes | The new title to be assigned to the case. | + | New Name | String | No | The new title to be assigned to the case. While marked + as not mandatory in the configuration, the action logic expects a value to perform + the rename operation. | | Only If First Alert | Boolean | No | If set to `True`, the action will only rename the case if it is being executed in the context of the chronologically @@ -855,22 +959,19 @@ Change Case Name: ### Additional Notes - - While `New Name` is marked as not mandatory in the configuration file, the action - logic requires a value to perform the rename operation. - - If `Only If First Alert` is enabled and the action is triggered by a subsequent alert, the case name will remain unchanged. ### Flow Description - 1. **Initialization**: The action retrieves the `New Name` and `Only If First - Alert` parameters from the input. + 1. **Initialization**: The action starts by retrieving the `New Name` and `Only + If First Alert` parameters. 2. **Alert Sorting**: It retrieves all alerts associated with the current case - and sorts them by their `detected_time` to establish chronological order. + and sorts them by their `detected_time` to identify the chronological order. - 3. **Condition Check**: If `Only If First Alert` is enabled, the action compares + 3. **Condition Check**: If `Only If First Alert` is `True`, the action compares the identifier of the current alert with the identifier of the first alert in the sorted list. @@ -889,9 +990,17 @@ Change Case Name: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Updates the title (name) of the case within the Google SecOps platform. + Updates the case title within the Google SecOps platform. + reasoning: >- + The action modifies the case title within the Google SecOps platform using the + `rename_case` function. It does not interact with external systems or modify + entity/alert data directly. It is a case management operation. categories: enrichment: false + reasoning: >- + The action is a case management utility that modifies internal case metadata. + It does not fetch external data or perform enrichment, so it is not an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -907,6 +1016,9 @@ Change Case Name: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action operates on the case and its alerts, not on specific entities. It + does not iterate over `target_entities`. Check Entities Fields In Text: action_product_categories: add_alert_comment: false @@ -922,6 +1034,11 @@ Check Entities Fields In Text: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action does not fetch external threat intelligence (not `enrich_ioc`) nor + does it retrieve contextual metadata from an external source (not `enrich_asset`). + It performs internal data processing and entity property updates. Therefore, + it does not match any of the predefined product categories. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1011,10 +1128,16 @@ Check Entities Fields In Text: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Updates the 'additional_properties' of entities with a custom tag if a match - is found between the entity fields and the provided text. + Updates entity `additional_properties` when a match is found. + reasoning: >- + The action processes internal entity data and updates entity properties (`additional_properties`) + if a match is found. It does not interact with external systems. categories: - enrichment: false + enrichment: true + reasoning: >- + The action is an enrichment action because it updates entity fields/attributes + (enriching the entity's profile) based on internal data comparison. It does + not mutate external systems. entity_usage: entity_types: - ADDRESS @@ -1065,6 +1188,9 @@ Check Entities Fields In Text: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over all `target_entities` without filtering by type. It + accesses the `additional_properties` attribute of the entities to perform comparisons. Check List Subset: action_product_categories: add_alert_comment: false @@ -1080,6 +1206,10 @@ Check List Subset: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a utility tool for comparing two lists. It does not perform any + of the defined product-specific operations such as enrichment, containment, + ticketing, or alert management. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1125,8 +1255,17 @@ Check List Subset: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a local set comparison on provided input parameters. It + does not interact with any external APIs, modify internal SOAR data, or update + entities. It simply returns a boolean result and a message based on the input + comparison. categories: enrichment: false + reasoning: >- + The action is a utility script for list comparison. It does not fetch data from + external sources, nor does it modify any internal or external state. Therefore, + it does not meet the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1142,6 +1281,9 @@ Check List Subset: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with entities. It operates solely on input parameters + provided by the user and does not reference the `target_entities` attribute. Convert Into Simulated Case: action_product_categories: add_alert_comment: false @@ -1157,6 +1299,10 @@ Convert Into Simulated Case: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action performs data transformation and internal SOAR operations (importing + a case, adding an attachment). It does not match any of the defined product + categories like enrichment, ticketing, or containment. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1180,20 +1326,20 @@ Convert Into Simulated Case: \ :--- | :--- |\n| Push to Simulated Cases | boolean | No | If set to `true`,\ \ the action will automatically import the generated case JSON into the Google\ \ SecOps Simulator via the SOAR API. |\n| Save JSON as Case Wall File | boolean\ - \ | No | If set to `true`, the action will base64-encode the generated JSON and\ - \ attach it as a `.case` file to the case wall for manual download. |\n| Override\ - \ Alert Name | string | No | Allows the user to specify a custom name for the\ - \ simulated case, overriding the default name derived from the source data. |\n\ - | Full path name | boolean | No | If set to `true`, the action constructs the\ - \ case name using the format: `SourceSystemName_DeviceProduct_Name`. |\n\n###\ - \ Additional Notes\n* The action specifically targets the **first entity** of\ - \ the current alert and expects it to contain a `SourceFileContent` property within\ - \ its `additional_properties` attribute. If this property is missing or contains\ - \ invalid JSON, the action will fail.\n* This action is primarily used for testing\ - \ and simulation purposes within the Google SecOps platform.\n\n### Flow Description\n\ - 1. **Initialization**: The action initializes the Siemplify context and extracts\ - \ the user-provided parameters for simulation, file storage, and naming conventions.\n\ - 2. **Data Retrieval**: It accesses the first entity of the current alert and retrieves\ + \ | No | If set to `true`, the action will attach the generated JSON as a `.case`\ + \ file to the case wall for manual download. |\n| Override Alert Name | string\ + \ | No | Allows the user to specify a custom name for the simulated case, overriding\ + \ the default name derived from the source data. |\n| Full path name | boolean\ + \ | No | If set to `true`, the action constructs the case name using the format:\ + \ `SourceSystemName_DeviceProduct_Name`. |\n\n### Additional Notes\n* The action\ + \ specifically targets the **first entity** of the current alert and expects it\ + \ to contain a `SourceFileContent` property within its `additional_properties`\ + \ attribute. If this property is missing or contains invalid JSON, the action\ + \ will fail.\n* This action is primarily used for testing and simulation purposes\ + \ within the Google SecOps platform.\n\n### Flow Description\n1. **Initialization**:\ + \ The action initializes the Siemplify context and extracts the user-provided\ + \ parameters for simulation, file storage, and naming conventions.\n2. **Data\ + \ Retrieval**: It accesses the first entity of the current alert and retrieves\ \ the `SourceFileContent` string from its `additional_properties`.\n3. **Data\ \ Transformation**: The action parses the JSON content and normalizes event fields,\ \ specifically ensuring that `DeviceEventClassId` and `Name` are correctly mapped\ @@ -1215,10 +1361,17 @@ Convert Into Simulated Case: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Imports a new case into the Google SecOps Case Simulator via the SOAR API and - adds a file attachment to the case wall. + Adds an attachment to the case wall and imports a case into the simulator. + reasoning: >- + The action does not fetch external data (fetches_data=false). It does not mutate + external systems (can_mutate_external_data=false). It mutates internal SOAR + data by adding an attachment to the case wall and importing a case into the + simulator (can_mutate_internal_data=true). It does not update entities, create + insights, modify alert data, or create case comments. categories: enrichment: false + reasoning: >- + The action does not fetch external data, so it is not an enrichment action. entity_usage: entity_types: - ADDRESS @@ -1256,7 +1409,7 @@ Convert Into Simulated Case: - DestinationURL - USB - USERUNIQNAME - filters_by_additional_properties: false + filters_by_additional_properties: true filters_by_alert_identifier: false filters_by_case_identifier: false filters_by_creation_time: false @@ -1269,6 +1422,10 @@ Convert Into Simulated Case: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code accesses the first entity of the current alert (`siemplify.current_alert.entities[0]`) + and checks its `additional_properties` for the `SourceFileContent` key. It does + not filter by entity type, so it supports all entity types. Create Entities with Separator: action_product_categories: add_alert_comment: false @@ -1284,6 +1441,11 @@ Create Entities with Separator: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action creates new entities within the alert. It does not fit the specific + categories like 'Enrich IOC' (no external fetch), 'Contain Host' (no external + mutation), or 'Update Alert' (no status/severity change). It is a utility action + for case management. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1294,7 +1456,7 @@ Create Entities with Separator: send_message: false submit_file: false uncontain_host: false - update_alert: true + update_alert: false update_email: false update_identity: false update_ticket: false @@ -1375,14 +1537,54 @@ Create Entities with Separator: can_mutate_internal_data: true can_update_entities: true external_data_mutation_explanation: null - fetches_data: true - internal_data_mutation_explanation: >- - Creates new entities within the Google SecOps alert and updates existing entities - with enrichment data provided in the parameters. + fetches_data: false + internal_data_mutation_explanation: Adds new entities to the case/alert. + reasoning: >- + The action interacts with the internal SOAR case/alert data to create new entities. + It does not fetch external data or mutate external systems. It performs internal + mutations by adding entities to the case. categories: enrichment: false + reasoning: >- + The action does not fetch data from an external source, which is a requirement + for an enrichment action. It is a utility action for case management. entity_usage: - entity_types: [] + entity_types: + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1396,6 +1598,11 @@ Create Entities with Separator: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action retrieves existing entities from the alert to check for duplicates + using `get_alert_entities`. It does not filter by specific entity types in the + code logic, but rather accepts the type as a parameter, meaning it can operate + on any entity type. Create Entity Relationships: action_product_categories: add_alert_comment: false @@ -1411,6 +1618,10 @@ Create Entity Relationships: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action creates entity relationships and updates entity properties. It does + not match any of the specific product categories like 'Enrich IOC', 'Contain + Host', or 'Create Ticket'. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1512,17 +1723,62 @@ Create Entity Relationships: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Creates new entities, establishes relationships between entities, and updates - entity additional properties within the Google SecOps case. + Creates new entities and updates existing entities' additional properties within + the Google SecOps case. + reasoning: >- + The action creates new entities and establishes relationships between them and + existing entities within the Google SecOps case. It also updates entity properties + (enrichment) using the 'Enrichment JSON' parameter. It does not fetch external + data, nor does it mutate external systems. It performs internal mutations by + creating/updating entities within the SOAR platform. categories: enrichment: false + reasoning: >- + The action does not fetch external data, which is a requirement for the Enrichment + category. It performs internal mutations (creating/updating entities), but does + not meet the criteria for an Enrichment action. entity_usage: - entity_types: [] + entity_types: + - ADDRESS + - ALERT + - APPLICATION + - CHILDHASH + - CHILDPROCESS + - CLUSTER + - CONTAINER + - CREDITCARD + - CVE + - CVEID + - DATABASE + - DEPLOYMENT + - DESTINATIONDOMAIN + - DOMAIN + - EMAILSUBJECT + - EVENT + - FILEHASH + - FILENAME + - GENERICENTITY + - HOSTNAME + - IPSET + - MacAddress + - PARENTHASH + - PARENTPROCESS + - PHONENUMBER + - POD + - PROCESS + - SERVICE + - SOURCEDOMAIN + - THREATACTOR + - THREATCAMPAIGN + - THREATSIGNATURE + - DestinationURL + - USB + - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false filters_by_creation_time: false - filters_by_entity_type: false + filters_by_entity_type: true filters_by_identifier: false filters_by_is_artifact: false filters_by_is_enriched: false @@ -1531,6 +1787,11 @@ Create Entity Relationships: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over the alert's entities to identify targets based on the + 'Target Entity Type' parameter. It does not filter by other attributes like + 'is_internal' or 'is_suspicious'. Since the entity type is dynamic based on + user input, it supports all entity types. Create Siemplify Task: action_product_categories: add_alert_comment: false @@ -1546,6 +1807,10 @@ Create Siemplify Task: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action creates a task within the SOAR platform. It does not match any of + the provided categories (e.g., it is not an external ticket, not an alert update, + not an enrichment, not an IOC action). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1561,12 +1826,14 @@ Create Siemplify Task: update_identity: false update_ticket: false ai_description: >- + ### General Description + This action creates and assigns a new task to a specific user or role within the context of the current Google SecOps case. It is used to manage manual workflows or follow-up actions by setting clear instructions and deadlines. - ### Parameters + ### Parameters Description | Parameter | Type | Mandatory | Description | @@ -1592,8 +1859,6 @@ Create Siemplify Task: - Either the "Due Date" or the "SLA (in minutes)" parameter must be configured for the action to execute successfully. - - If both are provided, the "Due Date" parameter takes precedence. - ### Flow Description @@ -1622,10 +1887,17 @@ Create Siemplify Task: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Creates a new task record within the Google SecOps case management system, assigned - to a specific user or role. + Creates a new task within the Google SecOps case. + reasoning: >- + The action interacts with the internal SOAR API to create a task within a case. + It does not fetch external data, nor does it mutate external systems. It mutates + internal SOAR data by adding a task. categories: enrichment: false + reasoning: >- + The action creates a task within the SOAR platform. It does not fetch data, + nor does it perform any of the allowed enrichment mutations (add comment, insight, + update entity). Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1641,6 +1913,10 @@ Create Siemplify Task: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `target_entities` or use entity-specific identifiers. + It operates on the case level, and the `SimulationDataJson` indicates no entities + are processed. DNS Lookup: action_product_categories: add_alert_comment: false @@ -1656,6 +1932,11 @@ DNS Lookup: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action performs DNS lookups for IP and Hostname entities, which provides + contextual information (reputation/intelligence) about the indicator. This aligns + with the 'Enrich IOC' category. It does not modify external systems or internal + case data, so it is not a mutation or containment action. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1715,16 +1996,6 @@ DNS Lookup: 6. **Finalization**: All gathered DNS information is aggregated into a JSON result. The action completes with a success status if at least one record was found. - - - ### Additional Notes - - - - If multiple DNS servers are provided, the action will attempt to query each - one for every applicable entity. - - - The action does not modify the entities themselves but provides the lookup results - as raw JSON for downstream playbook tasks. capabilities: can_create_case_comments: false can_create_insight: false @@ -1735,8 +2006,18 @@ DNS Lookup: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs DNS queries (fetches data). It does not perform any write + operations to external systems (can_mutate_external_data=false) or internal + systems (can_mutate_internal_data=false). It does not update entities, create + insights, or modify alert data. categories: enrichment: true + reasoning: >- + The action fetches data (DNS records) from external DNS servers. It does not + mutate external systems (no POST/PUT/DELETE) and does not modify internal Google + SecOps data (no entity updates, insights, or comments). Therefore, it qualifies + as an enrichment action. entity_usage: entity_types: - ADDRESS @@ -1754,6 +2035,10 @@ DNS Lookup: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and filters using `entity.entity_type + == EntityTypes.ADDRESS` and `entity.entity_type == EntityTypes.HOSTNAME`. This + means it targets ADDRESS and HOSTNAME entities, filtering by entity_type. Delay Playbook: action_product_categories: add_alert_comment: false @@ -1769,6 +2054,10 @@ Delay Playbook: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + This action is a utility for playbook flow control (pausing execution). It does + not match any of the defined product categories (Enrichment, Containment, Ticket + management, etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1846,8 +2135,15 @@ Delay Playbook: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs no external API calls, does not fetch data, and does not + modify any external or internal system state (entities, alerts, comments). It + purely manages the execution state of the playbook itself. categories: enrichment: false + reasoning: >- + The action does not fetch data, nor does it perform any enrichment or mutation. + It is a flow control utility. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1863,6 +2159,8 @@ Delay Playbook: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with entities. Delay Playbook Synchronous: action_product_categories: add_alert_comment: false @@ -1878,6 +2176,10 @@ Delay Playbook Synchronous: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + This action is a utility for controlling playbook execution flow (pausing). + It does not perform any of the listed product-specific operations such as enrichment, + containment, ticketing, or alert management. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1944,8 +2246,16 @@ Delay Playbook Synchronous: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a local `time.sleep` to pause execution. It does not interact + with external APIs, modify internal SOAR data, or update entities. Therefore, + it does not fetch data, mutate external or internal data, or perform any SOAR-specific + data modifications. categories: enrichment: false + reasoning: >- + The action is a utility for playbook flow control. It does not fetch data, so + it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1961,6 +2271,9 @@ Delay Playbook Synchronous: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on entities. It is a utility action that runs independently + of any specific entity context. Delay Playbook V2: action_product_categories: add_alert_comment: false @@ -1976,6 +2289,10 @@ Delay Playbook V2: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a utility for pausing playbook execution. It does not perform + any of the defined product-specific tasks such as enrichment, ticketing, or + containment. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -2029,8 +2346,16 @@ Delay Playbook V2: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action is a utility for controlling playbook execution flow. It does not + fetch data, mutate external systems, or modify internal SOAR data (entities, + alerts, insights). It simply manages the execution state of the playbook by + returning either an 'INPROGRESS' or 'COMPLETED' status. categories: enrichment: false + reasoning: >- + The action does not fetch data from external sources, nor does it perform any + enrichment tasks. It is a control flow utility. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -2046,6 +2371,9 @@ Delay Playbook V2: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with entities. It is a utility action for controlling + playbook execution flow. Extract URL Domain: action_product_categories: add_alert_comment: false @@ -2057,10 +2385,15 @@ Extract URL Domain: disable_identity: false download_file: false enable_identity: false - enrich_asset: false - enrich_ioc: true + enrich_asset: true + enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action parses strings to extract domains and updates entities with this + information. It does not fetch data from external systems, so it is not an enrichment + action. It updates entity metadata, which aligns with 'Enrich Asset' as it adds + contextual information to the asset. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -2102,14 +2435,6 @@ Extract URL Domain: the root domain and suffix (e.g., `example.com`). | - ### Additional Notes - - - This action updates the entity's `additional_properties` with the key `siemplifytools_extracted_domain`. - - - If an entity identifier does not contain a valid domain (e.g., a file hash), - no domain will be extracted for that entity. - - ### Flow Description 1. **Initialization**: The action retrieves the `URLs`, `Separator`, and `Extract @@ -2140,11 +2465,19 @@ Extract URL Domain: can_mutate_internal_data: true can_update_entities: true external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: >- - Updates the 'additional_properties' of entities with the extracted domain value. + Updates entity `additional_properties` with the extracted domain. + reasoning: >- + The action parses strings to extract domains and updates entities with this + information. It does not fetch data from external systems, so `fetches_data` + is false. It updates entity `additional_properties`, which is an internal mutation + and an entity update. categories: - enrichment: true + enrichment: false + reasoning: >- + The action parses strings to extract domains. It does not fetch data from external + sources, so it does not meet the criteria for an Enrichment action. entity_usage: entity_types: - ADDRESS @@ -2195,6 +2528,9 @@ Extract URL Domain: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` without any type-based filtering. + Therefore, it processes all supported entity types. Find First Alert: action_product_categories: add_alert_comment: false @@ -2210,6 +2546,10 @@ Find First Alert: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action performs internal logic to compare alert timestamps within a case. + It does not interact with external systems, fetch external data, or modify case/alert + data. It does not fit any of the provided categories. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -2224,28 +2564,36 @@ Find First Alert: update_email: false update_identity: false update_ticket: false - ai_description: "### General Description\nThis utility action identifies whether\ - \ the alert currently being processed is the chronologically first alert within\ - \ its parent case. It is designed to facilitate playbook logic, allowing analysts\ - \ to ensure that specific tasks\u2014such as opening an external ticket, sending\ - \ an initial notification, or performing one-time setup actions\u2014are executed\ - \ only once per case, specifically on the initial triggering event.\n\n### Parameters\ - \ Description\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- |\ - \ :--- | :--- |\n| None | N/A | N/A | This action does not require any input parameters.\ - \ |\n\n### Additional Notes\n- This action relies on the `creation_time` attribute\ - \ of alerts within the case to determine the sequence.\n- It is an internal logic\ - \ tool and does not interact with external APIs.\n\n### Flow Description\n1. **Retrieve\ - \ Case Alerts**: The action accesses the collection of all alerts currently associated\ - \ with the case.\n2. **Chronological Sorting**: It sorts the retrieved alerts\ - \ based on their `creation_time` to establish the true order of occurrence.\n\ - 3. **Identify Earliest Alert**: The action identifies the alert with the earliest\ - \ timestamp (the first element in the sorted list).\n4. **Identity Comparison**:\ - \ It compares the unique identifier of the `current_alert` (the one triggering\ - \ the playbook) against the identifier of the earliest alert found in step 3.\n\ - 5. **Result Output**: \n - If the identifiers match, the action concludes that\ - \ the current alert is the first one and returns the alert's identifier as the\ - \ script result.\n - If the identifiers do not match, it returns the string\ - \ `\"false\"`." + ai_description: >- + ### General Description + + This action identifies whether the current alert is the chronologically first + alert within its parent case. It is primarily used for playbook logic to ensure + specific tasks are only executed once per case, specifically on the initial triggering + alert. + + + ### Parameters Description + + There are no parameters for this action. + + + ### Flow Description + + 1. **Retrieve Case Alerts**: The action accesses the full list of alerts associated + with the current case. + + 2. **Sort Chronologically**: It sorts the alerts based on their `creation_time` + to determine the true sequence of events. + + 3. **Identify Earliest Alert**: The action identifies the alert with the earliest + timestamp (index 0 after sorting). + + 4. **Comparison**: It compares the unique identifier of the current alert against + the identifier of the earliest alert. + + 5. **Result Output**: If the current alert is the first, it returns the alert's + identifier. If not, it returns the string "false". capabilities: can_create_case_comments: false can_create_insight: false @@ -2256,8 +2604,16 @@ Find First Alert: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs internal logic to compare the current alert's creation time + against other alerts in the case. It does not interact with external APIs, modify + external systems, or update internal SOAR data (entities, insights, comments). categories: enrichment: false + reasoning: >- + The action does not fetch external data, nor does it perform any allowed internal + mutations (comments, insights, entity updates). It is a utility script for internal + logic. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -2273,6 +2629,9 @@ Find First Alert: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `target_entities` or use entity-specific identifiers. + It operates on the case's alert list. Get Case Data: action_product_categories: add_alert_comment: false @@ -2287,7 +2646,12 @@ Get Case Data: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false - get_alert_information: true + get_alert_information: false + reasoning: >- + The action retrieves comprehensive case information from the internal SOAR platform. + It does not interact with 3rd party products or perform specific enrichment + on IOCs/assets, nor does it mutate any data. Therefore, it does not fit into + the provided product-specific categories. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -2376,8 +2740,16 @@ Get Case Data: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action retrieves comprehensive case information (comments, entities, insights, + alerts) from the internal SOAR API. It does not modify any external or internal + systems. It returns the data as a JSON result for use in playbooks. categories: enrichment: true + reasoning: >- + The action fetches case data to provide context for playbooks. It does not mutate + any external or internal systems, satisfying the requirements for an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -2393,6 +2765,10 @@ Get Case Data: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code uses `siemplify.case_id` to fetch case data and does not iterate over + or filter `target_entities`. Therefore, it does not run on any specific entity + types. Get Case SLA: action_product_categories: add_alert_comment: false @@ -2407,7 +2783,11 @@ Get Case SLA: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false - get_alert_information: false + get_alert_information: true + reasoning: >- + The action retrieves case-level SLA information from the Google SecOps platform. + This aligns with the 'Get Alert Information' category, as it fetches metadata + about the current case/alert. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -2439,8 +2819,7 @@ Get Case SLA: | :--- | :--- | :--- | :--- | | **DateTime Format** | String | Yes | Specifies the format for the human-readable - SLA expiration times (e.g., `%Y-%m-%d %H:%M:%S`). Defaults to `%Y-%m-%d %H:%M:%S`. - | + SLA expiration times (e.g., `%Y-%m-%d %H:%M:%S`). | ### Additional Notes @@ -2451,9 +2830,6 @@ Get Case SLA: - It does not modify the case or any entities; it only returns the SLA information as action results. - - If an SLA is not set for the case, the action will fail with a specific error - message. - ### Flow Description @@ -2465,7 +2841,7 @@ Get Case SLA: 3. **SLA Extraction**: The logic identifies the expiration timestamps for both the standard SLA and the critical SLA from the retrieved case data, checking both - case-level (`sla`) and stage-level (`stageSla`) fields. + case-level and stage-level fields. 4. **Formatting**: It converts the Unix timestamps into formatted strings using the provided date-time pattern. @@ -2482,8 +2858,17 @@ Get Case SLA: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches case overview details from the internal Google SecOps API + (fetches_data=true). It does not perform any mutations on external systems or + internal data, nor does it update entities, create insights, or modify alert + data. categories: enrichment: false + reasoning: >- + The action fetches case-level metadata (SLA information) rather than enriching + specific alerts or entities with external threat intelligence. Therefore, it + does not meet the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -2499,6 +2884,9 @@ Get Case SLA: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action operates on the current case context using `siemplify.case_id` and + does not iterate over or filter any `target_entities`. Get Certificate Details: action_product_categories: add_alert_comment: false @@ -2514,6 +2902,11 @@ Get Certificate Details: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves SSL certificate details for a given URL. It does not match + any of the provided product categories (e.g., Enrich IOC, Enrich Asset, etc.) + because it does not operate on entities or alerts, and it is not a containment + or ticketing action. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -2584,8 +2977,17 @@ Get Certificate Details: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action connects to an external host to retrieve certificate data (fetches_data=true). + It does not modify any external systems (can_mutate_external_data=false) or + internal SOAR data (can_mutate_internal_data=false). It does not update entities, + create insights, or modify alerts. categories: enrichment: false + reasoning: >- + The action does not operate on entities or alerts, and it does not meet the + criteria for an enrichment action as defined (which requires operating on entities/alerts + to gather context). It is a utility action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -2601,6 +3003,9 @@ Get Certificate Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use any entities from the SOAR environment. It operates + solely on a provided URL parameter. Get Context Value: action_product_categories: add_alert_comment: false @@ -2616,6 +3021,10 @@ Get Context Value: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves internal context data. It does not perform IOC enrichment, + asset enrichment, ticket management, or any other specific product category + operations. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -2646,7 +3055,7 @@ Get Context Value: | :--- | :--- | :--- | :--- | - | **Scope** | DDL | Yes | Specifies the context level to search. Options: 'Alert' + | **Scope** | String | Yes | Specifies the context level to search. Options: 'Alert' (current alert context), 'Case' (current case context), or 'Global' (system-wide context). | @@ -2688,8 +3097,17 @@ Get Context Value: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action retrieves data from the internal SecOps context (Alert, Case, or + Global). It does not perform any external API calls, nor does it modify any + internal or external data. It is a read-only operation. categories: enrichment: true + reasoning: >- + The action fetches data from an internal source (SecOps context). According + to the definition, an enrichment action must proactively fetch or retrieve data + from an external or internal source. Since this action retrieves data from an + internal source, it qualifies as an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -2705,6 +3123,9 @@ Get Context Value: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with entities. It operates on global, case, or + alert context properties. Get Current Time: action_product_categories: add_alert_comment: false @@ -2720,6 +3141,10 @@ Get Current Time: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a utility that returns a formatted timestamp. It does not perform + any of the defined product category operations (e.g., enrichment, containment, + ticketing). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -2735,13 +3160,14 @@ Get Current Time: update_identity: false update_ticket: false ai_description: >- - Returns the current system date and time formatted according to a user-provided - string. This utility action is primarily used within playbooks to generate timestamps - for logging, reporting, or for use in subsequent logic steps that require a specific - time format. + ### General Description + This action returns the current system date and time formatted according to a + user-provided string. It is a utility action used to generate timestamps for logging, + reporting, or subsequent playbook logic. - ### Parameters + + ### Parameters Description | Parameter | Type | Mandatory | Description | @@ -2751,7 +3177,12 @@ Get Current Time: to format the current date and time (e.g., '%d/%m/%Y %H:%M'). | - ### Flow + ### Additional Notes + + This action does not require any entities to run. + + + ### Flow Description 1. **Parameter Extraction**: The action retrieves the 'Datetime Format' string from the input parameters. @@ -2763,7 +3194,7 @@ Get Current Time: 'Datetime Format'. 4. **Completion**: The formatted time string is returned as the action's result - value, and the execution state is set to completed. + value. capabilities: can_create_case_comments: false can_create_insight: false @@ -2774,8 +3205,15 @@ Get Current Time: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action retrieves the current system time and formats it based on user input. + It does not perform any network requests, external API calls, or modifications + to internal/external data. categories: enrichment: false + reasoning: >- + The action does not fetch data from an external source; it generates a timestamp + locally. Therefore, it does not meet the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -2791,6 +3229,9 @@ Get Current Time: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on entities. It is a utility action that does not + require any entity input. Get Email Templates: action_product_categories: add_alert_comment: false @@ -2806,6 +3247,10 @@ Get Email Templates: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves email templates from the SOAR platform. It does not match + any of the defined categories (e.g., Enrich IOC, Enrich Asset, Update Alert, + etc.) as it is a utility action for retrieving system configuration. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -2869,8 +3314,16 @@ Get Email Templates: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches email template data from the internal SOAR platform. It does + not mutate any external or internal data, nor does it update entities, create + insights, or modify alert data. categories: enrichment: false + reasoning: >- + The action retrieves system configuration (email templates) from the SOAR platform. + It does not gather context about alerts or entities, so it is not an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -2886,6 +3339,8 @@ Get Email Templates: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on entities. It retrieves system-wide email templates. Get Integration Instances: action_product_categories: add_alert_comment: false @@ -2901,6 +3356,10 @@ Get Integration Instances: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves a list of integration instances. It does not match any + of the provided categories, which are focused on IOC enrichment, ticketing, + identity management, or host containment. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -2923,11 +3382,7 @@ Get Integration Instances: ### Parameters - | Parameter Name | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | None | N/A | N/A | This action does not have any parameters. | + There are no parameters for this action. ### Flow Description @@ -2946,12 +3401,6 @@ Get Integration Instances: 5. **Output Data**: Returns the final list of integration instances as a JSON result and completes the action. - - - ### Additional Notes - - This action is a utility designed for system introspection and does not interact - with external security products or process specific alert entities. capabilities: can_create_case_comments: false can_create_insight: false @@ -2962,8 +3411,16 @@ Get Integration Instances: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a read-only operation to retrieve integration metadata from + the SOAR platform. It does not modify any external or internal data, nor does + it update entities or create insights. categories: enrichment: false + reasoning: >- + The action is a utility action that retrieves system configuration data (integration + instances). It does not perform enrichment on entities or alerts, nor does it + modify any state. Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -2979,6 +3436,9 @@ Get Integration Instances: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. It operates on the system level + to retrieve integration instances. Get Original Alert Json: action_product_categories: add_alert_comment: false @@ -2994,6 +3454,9 @@ Get Original Alert Json: enrich_ioc: false execute_command_on_the_host: false get_alert_information: true + reasoning: >- + The action retrieves the raw alert JSON, which aligns with the 'Get Alert Information' + category. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -3036,7 +3499,7 @@ Get Original Alert Json: 1. **Initialization**: The action initializes the Siemplify environment and prepares to access alert data. - 2. **Entity Selection**: It targets the first entity (index 0) in the current + 2. **Entity Selection**: It targets the first entity (`index 0`) in the current alert's entity list. 3. **Data Retrieval**: It accesses the `SourceFileContent` attribute from that @@ -3056,10 +3519,17 @@ Get Original Alert Json: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: false + fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action retrieves the raw alert JSON from the `additional_properties` of + the first entity. It does not mutate any external or internal data, nor does + it update entities or create insights. It simply reads and returns the data. categories: enrichment: false + reasoning: >- + The action is a utility for retrieving raw alert data. It does not perform enrichment + (adding context to entities) or any other state-changing operation. entity_usage: entity_types: - ADDRESS @@ -3110,6 +3580,10 @@ Get Original Alert Json: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action accesses the first entity in the alert's entity list (`siemplify.current_alert.entities[0]`). + It does not filter entities by any criteria; it simply processes the first one + available. Therefore, it supports all entity types. Get Siemplify Users: action_product_categories: add_alert_comment: false @@ -3125,6 +3599,10 @@ Get Siemplify Users: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves a list of users from the system. It does not match any + of the provided security-specific categories (e.g., IOC enrichment, ticket management, + containment). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -3140,44 +3618,21 @@ Get Siemplify Users: update_identity: false update_ticket: false ai_description: >- - ### General Description - - Retrieves a comprehensive list of all users configured within the Google SecOps - environment. This utility action is primarily used for auditing system access - or identifying specific user accounts to be used in downstream playbook logic. - It interacts with the internal SOAR API to collect user metadata such as roles, - email addresses, and account status. - - - ### Parameters Description - - | Parameter Name | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Hide Disabled Users | Boolean | No | Determines whether to exclude inactive - user accounts from the results. Defaults to `true`. | - - - ### Flow Description - - 1. **Configuration**: The action retrieves the `Hide Disabled Users` parameter - to set the filtering scope. - - 2. **Data Retrieval**: It calls the internal SOAR API to fetch user details, including - account status and metadata. - - 3. **Data Transformation**: The raw user objects are processed and converted into - a structured JSON format. - - 4. **Completion**: The action outputs the list of users to the `JsonResult` and - terminates with a success message. - - - ### Additional Notes - - This action does not process or interact with case entities (e.g., IP addresses, - Hostnames). It provides global system-level information. + ### General Description\nRetrieves a comprehensive list of all users configured + within the Google SecOps (formerly Siemplify) environment. This utility action + is primarily used for auditing system access or identifying specific user accounts + to be used in downstream playbook logic.\n\n### Parameters Description\n| Parameter + Name | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Hide + Disabled Users | Boolean | No | Determines whether to exclude inactive user accounts + from the results. Defaults to `true`. |\n\n### Flow Description\n1. **Configuration**: + The action retrieves the `Hide Disabled Users` parameter to set the filtering + scope.\n2. **Data Retrieval**: It calls the internal SOAR API to fetch user details, + including account status and metadata.\n3. **Data Transformation**: The raw user + objects are processed and converted into a structured JSON format.\n4. **Completion**: + The action outputs the list of users to the `JsonResult` and terminates with a + success message.\n\n### Additional Notes\nThis action does not process or interact + with case entities (e.g., IP addresses, Hostnames). It provides global system-level + information. capabilities: can_create_case_comments: false can_create_insight: false @@ -3188,8 +3643,16 @@ Get Siemplify Users: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches user data from the internal SOAR API. It does not modify + any external systems, nor does it modify internal case data, entities, or alerts. + It is a read-only utility action. categories: enrichment: false + reasoning: >- + The action retrieves system-level user information. It does not operate on alerts + or entities, nor does it provide supplemental context for them. Therefore, it + does not meet the criteria for an Enrichment Action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -3205,6 +3668,8 @@ Get Siemplify Users: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. It fetches global system data. Lock Playbook: action_product_categories: add_alert_comment: false @@ -3220,6 +3685,10 @@ Lock Playbook: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a control flow mechanism for playbook execution order. It does + not perform enrichment, containment, or ticket management. It does not match + any of the predefined categories. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -3238,19 +3707,13 @@ Lock Playbook: \ associated with the chronologically preceding alert in the same case have finished.\ \ This action is used to enforce sequential processing of alerts within a single\ \ case, ensuring that automation logic for one alert does not overlap with or\ - \ precede the completion of a previous alert's logic.\n\n### Parameters\n| Parameter\ - \ Name | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| None\ - \ | N/A | N/A | This action does not take any input parameters. |\n\n### Additional\ - \ Notes\n- This action is asynchronous (`is_async: true`), allowing it to remain\ - \ in an 'In Progress' state until the dependency is met.\n- It relies on the `creation_time`\ - \ of alerts within a case to determine the execution order.\n- It uses the internal\ - \ SOAR API to check the status of workflow instances for other alerts in the case.\n\ - \n### Flow Description\n1. **Alert Retrieval:** Fetches all alerts associated\ - \ with the current case and sorts them by their creation timestamp.\n2. **Position\ - \ Identification:** Determines the index of the current alert within the sorted\ - \ list based on its identifier.\n3. **First Alert Check:** If the current alert\ - \ is the first one in the case (index 0), the action completes immediately to\ - \ allow the playbook to proceed.\n4. **Dependency Check:** If the current alert\ + \ precede the completion of a previous alert's logic.\n\n### Parameters\nThere\ + \ are no parameters for this action.\n\n### Flow Description\n1. **Alert Retrieval:**\ + \ Fetches all alerts associated with the current case and sorts them by their\ + \ creation timestamp.\n2. **Position Identification:** Determines the index of\ + \ the current alert within the sorted list.\n3. **First Alert Check:** If the\ + \ current alert is the first one in the case (index 0), the action completes immediately\ + \ to allow the playbook to proceed.\n4. **Dependency Check:** If the current alert\ \ is not the first, the action identifies the immediately preceding alert and\ \ queries the SOAR API for the status of its workflow instances.\n5. **State Management:**\ \ \n - If any playbooks for the previous alert are still running (not in a\ @@ -3266,10 +3729,18 @@ Lock Playbook: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: false + fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches workflow status from the SOAR API to determine if it should + pause execution. It does not mutate external or internal data, update entities, + create insights, or modify alert data. categories: enrichment: false + reasoning: >- + The action is a control flow mechanism. It does not fetch supplemental context + about alerts or entities for enrichment purposes, nor does it modify internal + data or entities. Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -3285,6 +3756,10 @@ Lock Playbook: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `case.alerts` and uses `siemplify.alert_id` to identify + the current alert. It does not interact with `target_entities`. Therefore, it + does not run on entities. Look-A-Like Domains: action_product_categories: add_alert_comment: false @@ -3300,6 +3775,11 @@ Look-A-Like Domains: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action identifies look-alike domains, which provides threat intelligence + and reputation context for the domain entity. This matches the 'Enrich IOC' + expected outcome. It does not perform any other actions like blocking, ticketing, + or alert modification. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -3318,9 +3798,9 @@ Look-A-Like Domains: ### General Description Identifies potential typosquatting or look-alike domain attacks by comparing DOMAIN - entities in a case against a list of authorized internal domains defined for the - environment. It uses the Levenshtein edit distance algorithm to determine similarity - and flag suspicious entities. + entities against a list of authorized internal domains defined for the environment. + It uses the Levenshtein edit distance algorithm to determine similarity and flag + suspicious entities. ### Parameters Description @@ -3346,25 +3826,25 @@ Look-A-Like Domains: ### Flow Description 1. **Fetch Internal Domains**: Retrieves the list of internal domains from the - Google SecOps environment via the SOAR API using the `get_domain_alias` method. + Google SecOps environment via the SOAR API. 2. **Filter by Environment**: Filters the retrieved list to match the current - environment context of the action execution. + environment context. 3. **Iterate Entities**: Processes each entity in the case that is identified as a 'DOMAIN'. 4. **Calculate Similarity**: Computes the edit distance between the entity identifier - and each internal domain using the NLTK library's edit distance function. + and each internal domain using the NLTK library. 5. **Flag Look-Alikes**: If a match is found with an edit distance between 1 and - 3, the entity is marked as suspicious (`is_suspicious = True`). + 3, the entity is marked as suspicious. 6. **Enrich Entity**: Adds the matching internal domain to the entity's additional properties under the key 'look_a_like_domain'. - 7. **Update Case**: Commits the entity updates back to the Google SecOps case - and provides a JSON result containing the matches for each processed domain. + 7. **Update Case**: Commits the entity updates back to the case and provides a + JSON result of the matches. capabilities: can_create_case_comments: false can_create_insight: false @@ -3375,10 +3855,21 @@ Look-A-Like Domains: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates the 'is_suspicious' flag and 'additional_properties' of DOMAIN entities - within the SecOps case if they are identified as look-alike domains. + Updates the entity's suspicious status and adds the matching internal domain + to the entity's additional properties. + reasoning: >- + The action fetches internal domain data from the SOAR environment (fetches_data=true). + It does not mutate any external systems (can_mutate_external_data=false). It + updates entity properties and suspicious status within the SOAR platform (can_mutate_internal_data=true, + can_update_entities=true). It does not create insights, modify alert data, or + create case comments. categories: enrichment: true + reasoning: >- + The action fetches internal domain data from the SOAR environment and enriches + DOMAIN entities by updating their properties and suspicious status. It does + not mutate any external systems, and its internal mutations are limited to updating + entities, which is permitted for enrichment actions. entity_usage: entity_types: - DOMAIN @@ -3395,6 +3886,9 @@ Look-A-Like Domains: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and filters using `if entity.entity_type + == "DOMAIN"`. This means it targets DOMAIN entities, filtering by entity_type. Normalize Entity Enrichment: action_product_categories: add_alert_comment: false @@ -3410,6 +3904,10 @@ Normalize Entity Enrichment: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a utility for normalizing entity data. It does not perform any + of the defined product category actions (enrichment, containment, ticketing, + etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -3425,54 +3923,28 @@ Normalize Entity Enrichment: update_identity: false update_ticket: false ai_description: >- - ### General Description - - The **Normalize Entity Enrichment** action is a utility designed to standardize - the naming of enrichment data stored within an entity's `additional_properties`. + General Description: The **Normalize Entity Enrichment** action is a utility designed + to standardize the naming of enrichment data stored within an entity's `additional_properties`. It allows users to map existing, potentially inconsistent field names (e.g., from different threat intelligence providers) to a unified schema within the Google - SecOps SOAR environment. This is particularly useful for ensuring downstream playbooks - or insights can rely on consistent key names regardless of the data source. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **Normalization Data** | string | Yes | A JSON-formatted string containing a - list of mapping objects. Each object must include `entitiy_field_name` (the current - key in the entity's additional properties) and `new_name` (the target normalized - key name). | - - - ### Flow Description - - 1. **Input Parsing**: The action retrieves the `Normalization Data` parameter - and parses it from a JSON string into a Python list of dictionaries. - - 2. **Entity Iteration**: The script iterates through all `target_entities` currently - in the action's scope. - - 3. **Property Mapping**: For each entity, it checks if the specified `entitiy_field_name` - exists within the entity's `additional_properties` dictionary. - - 4. **Value Assignment**: If the source key is found, its value is copied to a - new key defined by `new_name`. If the source key is missing, the action initializes + SecOps SOAR environment. Parameters Description: The action requires one parameter: + **Normalization Data** (string, mandatory). This is a JSON-formatted string containing + a list of mapping objects. Each object must include `entitiy_field_name` (the + current key in the entity's additional properties) and `new_name` (the target + normalized key name). Flow Description: 1. Input Parsing: The action retrieves + the `Normalization Data` parameter and parses it from a JSON string into a Python + list of dictionaries. 2. Entity Iteration: The script iterates through all `target_entities` + currently in the action's scope. 3. Property Mapping: For each entity, it checks + if the specified `entitiy_field_name` exists within the entity's `additional_properties` + dictionary. 4. Value Assignment: If the source key is found, its value is copied + to a new key defined by `new_name`. If the source key is missing, the action initializes the `new_name` key with an empty string (provided the key does not already exist). - - 5. **Internal Update**: The action collects all processed entities and uses the - `update_entities` method to commit the changes back to the SOAR case. - - - ### Additional Notes - - - This action does not delete or replace the original keys; it creates new keys - with the mapped names, effectively duplicating the data under a normalized header. - - - If the `new_name` already exists on the entity, it will be overwritten by the - value from `entitiy_field_name` if that source field is present. + 5. Internal Update: The action collects all processed entities and uses the `update_entities` + method to commit the changes back to the SOAR case. Additional Notes: This action + does not delete or replace the original keys; it creates new keys with the mapped + names, effectively duplicating the data under a normalized header. If the `new_name` + already exists on the entity, it will be overwritten by the value from `entitiy_field_name` + if that source field is present. capabilities: can_create_case_comments: false can_create_insight: false @@ -3483,10 +3955,18 @@ Normalize Entity Enrichment: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Updates the 'additional_properties' attribute of entities within the Google - SecOps case to standardize field names based on the provided mapping. + Updates entity `additional_properties` within the SOAR case. + reasoning: >- + The action reads `additional_properties` from entities and updates them with + new keys. It does not fetch external data or mutate external systems. It performs + an internal mutation by updating entity attributes. categories: enrichment: false + reasoning: >- + The action is a utility for data transformation (normalizing entity fields) + rather than an enrichment action that gathers new context from external or internal + sources. It does not meet the criteria for an enrichment action as it does not + fetch data. entity_usage: entity_types: - ADDRESS @@ -3537,6 +4017,9 @@ Normalize Entity Enrichment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over all `target_entities` without applying any filters. + Therefore, it supports all entity types defined in the metadata. Ping: action_product_categories: add_alert_comment: false @@ -3552,6 +4035,9 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity check ('Ping') and does not perform any of the + listed functional operations (enrichment, containment, ticket management, etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -3602,8 +4088,16 @@ Ping: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a simple connectivity check by initializing the SDK and + terminating with a success message. It does not interact with external APIs, + modify internal data, or process entities. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action, which is explicitly excluded from being an enrichment + action per the provided guidelines. It does not fetch data or perform any meaningful + operations. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -3619,6 +4113,8 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not reference target_entities or perform any operations on entities. Re-Attach Playbook: action_product_categories: add_alert_comment: false @@ -3634,6 +4130,10 @@ Re-Attach Playbook: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a utility for resetting/re-running playbooks. It does not match + any of the provided categories (Enrichment, Containment, Ticket management, + etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -3665,9 +4165,9 @@ Re-Attach Playbook: | :--- | :--- | :--- | :--- | - | Playbook Name | String | Yes | The exact name of the playbook that will be removed - from the case and re-attached. Once re-attached, it will trigger a new execution. - | + | Playbook Name | playbook_name | Yes | The exact name of the playbook that will + be removed from the case and re-attached. Once re-attached, it will trigger a + new execution. | ### Additional Notes @@ -3705,16 +4205,24 @@ Re-Attach Playbook: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false - can_mutate_external_data: false + can_mutate_external_data: true can_mutate_internal_data: true can_update_entities: false - external_data_mutation_explanation: null + external_data_mutation_explanation: >- + Modifies the PostgreSQL database to remove previous playbook execution state + and action results. fetches_data: true internal_data_mutation_explanation: >- - Deletes playbook execution state and action results from the internal orchestration - and system databases, then re-attaches the playbook to the case. + Re-attaches the playbook to the case, triggering a new execution. + reasoning: >- + The action queries and modifies the PostgreSQL database (external system interaction) + to clear playbook state and then uses the SOAR API to re-attach the playbook + to the case (internal SOAR mutation). categories: enrichment: false + reasoning: >- + The action is a management/utility action for playbook orchestration. It does + not fetch context for entities or alerts, nor does it perform standard enrichment. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -3730,6 +4238,9 @@ Re-Attach Playbook: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action operates on the case level using `siemplify.case_id` and does not + iterate over or filter `target_entities`. Search Text: action_product_categories: add_alert_comment: false @@ -3745,6 +4256,10 @@ Search Text: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a utility for text processing (string/regex matching) and does + not interact with external systems or modify SecOps data. It does not match + any of the defined product categories. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -3826,8 +4341,15 @@ Search Text: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs local string and regex processing on input text provided + as a parameter. It does not interact with external APIs, modify external systems, + or update internal SecOps data (entities, alerts, etc.). categories: enrichment: false + reasoning: >- + The action does not fetch data from an external source, which is a requirement + for enrichment actions. It is a local utility action for text processing. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -3843,6 +4365,9 @@ Search Text: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not reference `target_entities` and processes raw text input + parameters instead. Set Context Value: action_product_categories: add_alert_comment: false @@ -3858,6 +4383,10 @@ Set Context Value: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action modifies the alert context, which is an internal SecOps operation. + It does not match any of the predefined product categories (e.g., enrichment, + ticket management, containment, etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -3872,26 +4401,26 @@ Set Context Value: update_email: false update_identity: false update_ticket: false - ai_description: >- - ### General Description\nThe **Set Context Value** action allows users to store - and manage data dynamically within a Google SecOps playbook by setting key-value - pairs in a specific context scope. This is primarily used to pass information - between different steps of a playbook or to maintain state across different alerts - and cases.\n\n### Parameters Description\n| Parameter | Type | Mandatory | Description - |\n| :--- | :--- | :--- | :--- |\n| **Key** | String | Yes | The name of the property/key - to be set in the context. |\n| **Value** | String | Yes | The value to be assigned - to the specified key. |\n| **Scope** | DDL | Yes | Determines the visibility and - persistence of the data. Options are:
1. **Alert**: Data is accessible only - within the current alert.
2. **Case**: Data is accessible across all alerts - within the current case.
3. **Global**: Data is accessible globally across - the environment. |\n\n### Flow Description\n1. **Parameter Extraction**: The action - retrieves the `Scope`, `Key`, and `Value` from the input parameters.\n2. **Scope - Determination**: The logic checks the selected `Scope` value.\n3. **Context Update**: - \n * If **Alert**, it uses the SDK to set a property specific to the alert - context.\n * If **Case**, it uses the SDK to set a property specific to the - case context.\n * If **Global**, it uses a specialized helper to set a property - in the global system context.\n4. **Completion**: The action returns a success - message indicating which field was updated in which scope. + ai_description: "### General Description\nThe **Set Context Value** action allows\ + \ users to store and manage data dynamically within a Google SecOps playbook by\ + \ setting key-value pairs in a specific context scope. This is primarily used\ + \ to pass information between different steps of a playbook or to maintain state\ + \ across different alerts and cases.\n\n### Parameters Description\n| Parameter\ + \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| **Key**\ + \ | String | Yes | The name of the property/key to be set in the context. |\n\ + | **Value** | String | Yes | The value to be assigned to the specified key. |\n\ + | **Scope** | DDL | Yes | Determines the visibility and persistence of the data.\ + \ Options are:
1. **Alert**: Data is accessible only within the current alert.
2.\ + \ **Case**: Data is accessible across all alerts within the current case.
3.\ + \ **Global**: Data is accessible globally across the environment. |\n\n### Flow\ + \ Description\n1. **Parameter Extraction**: The action retrieves the `Scope`,\ + \ `Key`, and `Value` from the input parameters.\n2. **Scope Determination**: The\ + \ logic checks the selected `Scope` value.\n3. **Context Update**: \n * If\ + \ **Alert**, it uses the SDK to set a property specific to the alert context.\n\ + \ * If **Case**, it uses the SDK to set a property specific to the case context.\n\ + \ * If **Global**, it uses a specialized helper to set a property in the global\ + \ system context.\n4. **Completion**: The action returns a success message indicating\ + \ which field was updated in which scope." capabilities: can_create_case_comments: false can_create_insight: false @@ -3902,10 +4431,17 @@ Set Context Value: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Sets or updates key-value pairs in the Alert, Case, or Global context scopes - within Google SecOps. + Modifies the internal context of the alert, case, or global system by setting + a key-value pair. + reasoning: >- + The action modifies internal SecOps data by setting context properties (Alert, + Case, or Global). It does not fetch external data or interact with external + systems. It modifies alert data (context). categories: enrichment: false + reasoning: >- + The action does not fetch data; it only sets internal context values. Therefore, + it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -3921,6 +4457,9 @@ Set Context Value: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with entities. It operates on the context of the + alert, case, or global system. Spell Check String: action_product_categories: add_alert_comment: false @@ -3936,6 +4475,9 @@ Spell Check String: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a utility for text analysis. It does not perform any of the defined + product-specific tasks like enriching IOCs, updating tickets, or modifying alerts. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -4010,8 +4552,16 @@ Spell Check String: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs local text processing using the `spellchecker` library. + It does not interact with external APIs, modify external systems, or update + internal SOAR data (entities, insights, comments). categories: enrichment: false + reasoning: >- + The action does not fetch data from an external source (it uses a local library) + and does not modify any internal or external state. Therefore, it is not an + enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -4027,6 +4577,8 @@ Spell Check String: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with entities. Unflatten JSON: action_product_categories: add_alert_comment: false @@ -4042,6 +4594,11 @@ Unflatten JSON: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + This action is a utility for transforming data formats (flattened JSON to nested + JSON). It does not perform any security operations, such as enriching IOCs, + managing tickets, or modifying alerts. Therefore, it does not match any of the + defined product categories. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -4116,8 +4673,15 @@ Unflatten JSON: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action is a data transformation utility. It does not interact with external + APIs (fetches_data=false), does not mutate external systems, and does not modify + internal SOAR data (entities, insights, comments). categories: enrichment: false + reasoning: >- + The action is a data transformation utility. It does not fetch data from external + sources, which is a requirement for the Enrichment category. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -4133,6 +4697,9 @@ Unflatten JSON: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with entities. It processes a raw JSON string provided + as an input parameter. Update Alert Score: action_product_categories: add_alert_comment: false @@ -4148,6 +4715,9 @@ Update Alert Score: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action updates the alert score within the SecOps platform, which matches + the 'Update Alert' category. It does not perform any other listed operations. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -4168,8 +4738,7 @@ Update Alert Score: The **Update Alert Score** action is a utility designed to dynamically modify the numerical score associated with an alert in Google SecOps. This is typically used within playbooks to adjust the priority or risk level of an alert based on - logic-driven findings (e.g., increasing the score if a file is found to be malicious - or decreasing it if an IP is internal). + logic-driven findings. ### Parameters Description @@ -4217,10 +4786,16 @@ Update Alert Score: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Updates the 'ALERT_SCORE' property within the alert's context to reflect changes - in risk or priority. + Updates the 'ALERT_SCORE' property within the alert's context. + reasoning: >- + The action retrieves the current alert score from the internal context and updates + it by adding the provided input value. It does not interact with external systems + or fetch external data. categories: enrichment: false + reasoning: >- + The action modifies internal alert data (the score) and does not fetch external + data. Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -4236,6 +4811,9 @@ Update Alert Score: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with entities, as it operates directly on the alert + context. Update Case Description: action_product_categories: add_alert_comment: false @@ -4251,6 +4829,9 @@ Update Case Description: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action updates the case description, which is a modification of the alert/case + metadata. This aligns with the 'Update Alert' category. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -4261,7 +4842,7 @@ Update Case Description: send_message: false submit_file: false uncontain_host: false - update_alert: false + update_alert: true update_email: false update_identity: false update_ticket: false @@ -4285,8 +4866,7 @@ Update Case Description: ### Additional Notes - This action modifies internal case metadata and does not interact with external - systems. + There are no additional notes for this action. ### Flow Description @@ -4304,16 +4884,23 @@ Update Case Description: capabilities: can_create_case_comments: false can_create_insight: false - can_modify_alert_data: false + can_modify_alert_data: true can_mutate_external_data: false can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Updates the description of the current case in Google SecOps. + Updates the description of the current case within the Google SecOps platform. + reasoning: >- + The action modifies the case description, which is an internal SOAR operation. + It does not fetch data from external systems, nor does it mutate external systems. + It modifies internal case data. categories: enrichment: false + reasoning: >- + The action is not an enrichment action as it does not fetch data. It is a mutation + action that updates the case description. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -4329,6 +4916,9 @@ Update Case Description: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with entities. It operates on the case level using + the `case_id` attribute. Wait for Playbook to Complete: action_product_categories: add_alert_comment: false @@ -4344,6 +4934,11 @@ Wait for Playbook to Complete: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + This action is a control flow mechanism within the SOAR platform to synchronize + playbook execution. It does not perform enrichment, ticket creation, containment, + or any of the listed product-specific operations. It fetches internal workflow + status, which does not qualify as 'alert information from a 3rd party product'. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -4358,53 +4953,25 @@ Wait for Playbook to Complete: update_email: false update_identity: false update_ticket: false - ai_description: >- - ### General Description - - This action synchronizes playbook execution by pausing the current playbook until - another specified playbook or block, running on the same alert, reaches a terminal - state. It is primarily used to manage dependencies between parallel processes - within the same security alert context. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Playbook Name | String | Yes | The exact name of the playbook or block that - the current execution should wait for. | - - - ### Additional Notes - - - This action is asynchronous. If the target playbook is still running, the action - will remain in an 'In Progress' state and retry periodically until the target - playbook finishes or is not found. - - - To avoid permanent deadlocks, the action will complete successfully if the specified - playbook name cannot be found in the current alert context. - - - ### Flow Description - - 1. **Initialization**: The action retrieves the target playbook name from the - input parameters. - - 2. **Status Retrieval**: It queries the Google SecOps API to fetch the status - of all workflow instances associated with the current alert group. - - 3. **Status Evaluation**: - * If the target playbook is in a terminal state (**Completed**, **Failed**, - or **Terminated**), the action completes successfully, allowing the current playbook - to proceed. - * If the target playbook is still active (**In Progress**, **Pending in Queue**, - or **Pending for User**), the action sets its own state to 'In Progress'. - * If the target playbook is not found, the action completes to avoid a permanent - deadlock. - 4. **Completion**: Once the target playbook finishes, the 'lock' is released and - the current playbook continues its next steps. + ai_description: "### General Description\nThis action synchronizes playbook execution\ + \ by pausing the current playbook until another specified playbook or block, running\ + \ on the same alert, reaches a terminal state. It is primarily used to manage\ + \ dependencies between parallel processes within the same security alert context.\n\ + \n### Parameters Description\n| Parameter | Type | Mandatory | Description |\n\ + | :--- | :--- | :--- | :--- |\n| Playbook Name | String | Yes | The exact name\ + \ of the playbook or block that the current execution should wait for. |\n\n###\ + \ Flow Description\n1. **Initialization**: The action retrieves the target playbook\ + \ name from the input parameters.\n2. **Status Retrieval**: It queries the Google\ + \ SecOps API to fetch the status of all workflow instances associated with the\ + \ current alert group.\n3. **Status Evaluation**: \n * If the target playbook\ + \ is in a terminal state (**Completed**, **Failed**, or **Terminated**), the action\ + \ completes successfully, allowing the current playbook to proceed.\n * If\ + \ the target playbook is still active (**In Progress**, **Pending in Queue**,\ + \ or **Pending for User**), the action sets its own state to 'In Progress'. Because\ + \ the action is asynchronous, it will periodically re-evaluate until the condition\ + \ is met.\n * If the target playbook is not found, the action completes to\ + \ avoid a permanent deadlock.\n4. **Completion**: Once the target playbook finishes,\ + \ the 'lock' is released and the current playbook continues its next steps." capabilities: can_create_case_comments: false can_create_insight: false @@ -4415,8 +4982,17 @@ Wait for Playbook to Complete: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches workflow instance status from the SOAR platform to determine + if a specific playbook has finished. It does not mutate external systems, nor + does it modify internal case data (entities, insights, comments). It is a control + flow action. categories: enrichment: false + reasoning: >- + The action is a control flow mechanism used to synchronize playbook execution. + It does not gather supplemental context about alerts or entities for enrichment + purposes, nor does it meet the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -4432,3 +5008,6 @@ Wait for Playbook to Complete: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with entities. It operates on the alert level to + check workflow statuses. diff --git a/content/response_integrations/power_ups/tools/resources/ai/integration_ai_description.yaml b/content/response_integrations/power_ups/tools/resources/ai/integration_ai_description.yaml index 8a09972f0..d5976cbbb 100644 --- a/content/response_integrations/power_ups/tools/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/power_ups/tools/resources/ai/integration_ai_description.yaml @@ -1,12 +1,24 @@ product_categories: asset_inventory: false cloud_security: false - collaboration: true + collaboration: false edr: false email_security: false iam_and_identity_management: false itsm: true network_security: false + reasoning: >- + The 'tools' integration provides a collection of utility actions for data manipulation, + context management, and case orchestration within the Google SecOps platform. + It supports 'Threat Intelligence' by providing enrichment actions for external + indicators, such as 'DNS Lookup' (IP/Hostname), 'Look-A-Like Domains' (Domain), + and 'Get Certificate Details' (URL), which help determine reputation. It supports + 'ITSM' by providing case management and task orchestration capabilities, including + 'Create Siemplify Task', 'Assign Case to User', and automated jobs like 'Close + Cases Based On Search' and 'Tag Untouched Cases'. It does not meet the criteria + for SIEM (as it does not search logs or find activity), EDR (no host-level activity), + Network Security (no blocking/firewall logs), Email Security, IAM, Cloud Security, + Vulnerability Management, Asset Inventory, or Collaboration. siem: false threat_intelligence: true vulnerability_management: false diff --git a/content/response_integrations/power_ups/tools/resources/ai/jobs_ai_description.yaml b/content/response_integrations/power_ups/tools/resources/ai/jobs_ai_description.yaml index 78d657265..4e397bec8 100644 --- a/content/response_integrations/power_ups/tools/resources/ai/jobs_ai_description.yaml +++ b/content/response_integrations/power_ups/tools/resources/ai/jobs_ai_description.yaml @@ -1,39 +1,12 @@ Close Cases Based On Search: - ai_description: "### General Description\nThis job automates the bulk closure of\ - \ cases within Google SecOps based on specific search criteria. It allows users\ - \ to define a search payload\u2014identical to the one used by the platform's\ - \ 'Search Everything' API\u2014to identify open cases and close them systematically.\ - \ This is highly effective for maintenance tasks, such as clearing out high volumes\ - \ of false positives or legacy alerts that meet specific metadata criteria.\n\n\ - ### Parameters Description\n| Parameter | Type | Mandatory | Description |\n|\ - \ :--- | :--- | :--- | :--- |\n| Search Payload | String (JSON) | No | The JSON\ - \ payload used for the 'CaseSearchEverything' API call. It defines the filters\ - \ (e.g., time range, priority, labels) for cases to be closed. Defaults to `{}`.\ - \ |\n| Close Comment | String | Yes | The audit comment to be attached to all\ - \ cases closed by this job. |\n| Close Reason | Integer | Yes | The numeric value\ - \ representing the closure reason. Typically `0` for Malicious and `1` for Not\ - \ Malicious. |\n| Root Cause | String | Yes | The specific root cause string to\ - \ apply to the cases, matching the values configured in the SOAR Case Data settings.\ - \ |\n\n### Flow Description\n1. **Parse Search Criteria**: The job retrieves the\ - \ **Search Payload** from the configuration and parses it as JSON.\n2. **Filter\ - \ for Open Cases**: It automatically injects or overrides the `isCaseClosed` flag\ - \ to `False` to ensure the job only targets active cases.\n3. **Identify Target\ - \ Cases**: It executes a global search using the provided payload to retrieve\ - \ a list of matching cases.\n4. **Extract Identifiers**: The job extracts the\ - \ unique Case IDs from the search results.\n5. **Execute Bulk Closure**: If matching\ - \ cases are found, it triggers a bulk closure API call, applying the specified\ - \ **Close Reason**, **Root Cause**, and **Close Comment** to every identified\ - \ case.\n6. **Logging**: The job logs the specific Case IDs affected and reports\ - \ the total count of closed cases to the job execution history." -Tag Untouched Cases: ai_description: >- ### General Description - This job automates the identification and labeling of stagnant open cases within - Google SecOps. It monitors cases that have not been modified for a user-defined - period and applies specific tags to them. This functionality is essential for - maintaining SOC hygiene, ensuring that cases requiring attention are highlighted - for review and do not remain idle without oversight. + This job automates the bulk closure of cases in Google SecOps based on a specific + search query. It identifies open cases matching the provided search criteria and + closes them using the specified reason, root cause, and comment. This is useful + for cleaning up large volumes of cases (e.g., false positives) that meet specific + criteria. ### Parameters Description @@ -42,29 +15,69 @@ Tag Untouched Cases: | :--- | :--- | :--- | :--- | - | Tags | String | Yes | A comma-separated list of tags to apply to cases that - meet the inactivity threshold (e.g., "Open Case Review, Stale"). | + | Search Payload | String | No | The JSON payload used in the 'CaseSearchEverything' + API call to identify cases to close. | + + | Close Comment | String | Yes | The comment to be added to the closed cases. + | + + | Close Reason | Integer | Yes | The reason for closing the case (0 = Malicious, + 1 = Not Malicious). | - | Unmodified Time | Integer | Yes | The duration of inactivity, measured in hours, - required to trigger the tagging action. | + | Root Cause | String | Yes | The root cause category for the closed cases (must + match settings in Case Data). | ### Flow Description - 1. **Parameter Retrieval**: The job fetches the `Unmodified Time` threshold and - the list of `Tags` from the configuration. + 1. Parses the 'Search Payload' parameter and ensures the search is restricted + to open cases by setting 'isCaseClosed' to 'False'. + + 2. Executes a search query using the 'CaseSearchEverything' API to retrieve a + list of matching case IDs. + + 3. If matching cases are found, it proceeds to perform a bulk closure operation. + + 4. Closes the identified cases using the provided 'Close Reason', 'Root Cause', + and 'Close Comment'. + + 5. Logs the outcome, including the number of cases successfully closed or a message + if no cases were found. +Tag Untouched Cases: + ai_description: >- + ### General Description + + This job automates case management by identifying "stale" or "untouched" open + cases. It scans for cases that have not been updated within a specified timeframe + and applies custom tags to them, facilitating better case prioritization and workflow + management. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Tags | String | Yes | The tags to apply to the identified cases. Multiple tags + can be provided as a comma-separated list. | + + | Unmodified Time | Integer | Yes | The duration in hours since the last case + update that triggers the tagging action. | + + + ### Flow Description - 2. **Cutoff Calculation**: It calculates a cutoff timestamp by subtracting the - specified number of hours from the current time. + 1. Calculates the cutoff timestamp based on the current time minus the configured + `Unmodified Time`. - 3. **Case Filtering**: The job queries Google SecOps for all cases currently in - an "OPEN" status that have not been updated since the calculated cutoff timestamp. + 2. Queries Google SecOps for all open cases that have not been updated since the + calculated cutoff time. - 4. **Tag Parsing**: The comma-separated string of tags is parsed into an array - of individual tag values. + 3. If matching cases are found, parses the provided `Tags` parameter into a list. - 5. **Tag Application**: For every case identified as untouched, the job iterates - through the tag list and applies each tag to the case. + 4. Iterates through each identified case and applies the specified tags using + the `add_tag` method. - 6. **Logging**: The job logs the IDs of the affected cases and the total count - of cases updated during the execution. + 5. Logs the outcome, including the number of cases tagged or a message indicating + no stale cases were found. diff --git a/content/response_integrations/third_party/community/abuse_ipdb/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/abuse_ipdb/resources/ai/actions_ai_description.yaml index cfe796d96..ccb949d1d 100644 --- a/content/response_integrations/third_party/community/abuse_ipdb/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/abuse_ipdb/resources/ai/actions_ai_description.yaml @@ -13,6 +13,11 @@ Check IP Reputation: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves reputation and threat intelligence for IP addresses from + AbuseIPDB and updates the entity with this information. This aligns perfectly + with the 'Enrich IOC' category. It does not perform any containment, ticketing, + or alert modification actions. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -27,38 +32,57 @@ Check IP Reputation: update_email: false update_identity: false update_ticket: false - ai_description: "### General Description\nEnriches IP Address entities by retrieving\ - \ reputation data from AbuseIPDB. This action checks if an IP address has been\ - \ reported for malicious activity, providing details such as the abuse confidence\ - \ score, country, ISP, and domain. It helps analysts quickly identify potentially\ - \ harmful network actors and automatically flags suspicious entities based on\ - \ configurable thresholds.\n\n### Parameters Description\n| Parameter Name | Type\ - \ | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Exclude Internal\ - \ Addresses | boolean | No | If set to `true`, the action will skip any IP entities\ - \ marked as internal in the environment, preserving API quota. |\n| Suspicious\ - \ Threshold | string | Yes | An integer value (0-100). If the Abuse Confidence\ - \ Score returned by AbuseIPDB is equal to or higher than this value, the entity\ - \ is marked as suspicious in Google SecOps. Set to 0 to disable this behavior.\ - \ |\n| Create Insight | boolean | No | If set to `true`, a detailed HTML insight\ - \ will be created for each processed IP entity, summarizing the reputation report.\ - \ |\n| Max Age in Days | string | Yes | Defines the time window (in days) for\ - \ which AbuseIPDB should search for reports. Only reports within this age limit\ - \ contribute to the score. |\n\n### Additional Notes\n- The action specifically\ - \ targets entities of type `ADDRESS`.\n- If an IP is not found in the AbuseIPDB\ - \ database, it will be noted in the action output but will not result in a failure.\n\ - \n### Flow Description\n1. **Initialization**: Extracts the API key and configuration\ - \ settings, then validates the `Max Age in Days` parameter.\n2. **Entity Filtering**:\ - \ Identifies all `ADDRESS` entities in the current scope. If `Exclude Internal\ - \ Addresses` is enabled, it filters out entities where `is_internal` is true.\n\ - 3. **API Request**: For each valid entity, it performs a GET request to the AbuseIPDB\ - \ `/check` endpoint using the entity's identifier and the specified `Max Age`.\n\ - 4. **Data Mapping**: \n - Appends the raw report data to the entity's additional\ - \ properties with the prefix `AbuseIPDB_`.\n - Compares the `abuseConfidenceScore`\ - \ against the `Suspicious Threshold` to potentially update the entity's suspicious\ - \ status.\n5. **Insight Generation**: If enabled, constructs an HTML summary of\ - \ the IP's reputation (score, ISP, domain, etc.) and attaches it as an entity\ - \ insight.\n6. **Finalization**: Updates the entities in the Google SecOps platform\ - \ and returns a summary of successful, failed, or missing IPs." + ai_description: >- + ### General Description + + This action enriches IP Address entities by querying the AbuseIPDB service to + retrieve reputation data, such as confidence scores, ISP information, and report + history. It helps analysts quickly identify potentially malicious IP addresses + within their environment. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Exclude Internal Addresses | Boolean | No | If true, skips internal IP addresses + to save API quota. | + + | Suspicious Threshold | String | Yes | The confidence score threshold (0-100) + above which an IP is marked as suspicious. Set to 0 to disable. | + + | Create Insight | Boolean | No | If true, generates a case insight with the retrieved + IP reputation details. | + + | Max Age in Days | String | Yes | The maximum age of reports to consider when + checking the IP reputation. | + + + ### Flow Description + + 1. **Initialization**: The action initializes the AbuseIPDB manager using the + provided API key. + + 2. **Filtering**: It filters the target entities to include only ADDRESS types. + If the 'Exclude Internal Addresses' parameter is set to true, it further filters + out entities marked as internal. + + 3. **Enrichment**: For each valid IP entity, the action queries the AbuseIPDB + API for reputation data. + + 4. **Data Processing**: If data is retrieved, it updates the entity's additional + properties with the AbuseIPDB report details. + + 5. **Risk Assessment**: If the abuse confidence score meets or exceeds the configured + 'Suspicious Threshold', the entity is marked as suspicious. + + 6. **Insight Creation**: If 'Create Insight' is enabled, the action generates + a case insight containing the reputation summary. + + 7. **Update**: Finally, the action updates the entities in the SOAR platform with + the new enrichment data. capabilities: can_create_case_comments: false can_create_insight: true @@ -69,10 +93,20 @@ Check IP Reputation: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties, sets the 'is_suspicious' flag based on - reputation scores, and creates entity-level insights. + Updates entity properties (is_enriched, is_suspicious, additional_properties) + and creates case insights. + reasoning: >- + The action fetches data from an external API (AbuseIPDB) to enrich IP entities. + It does not mutate external data (only performs GET requests). It mutates internal + data by updating entity properties (is_enriched, is_suspicious, additional_properties) + and creating insights. It does not modify alert data or create case comments. categories: enrichment: true + reasoning: >- + The action is designed to fetch reputation data for IP addresses and update + the entity profile within the SOAR platform. It does not mutate external systems, + and the internal mutations (updating entities, creating insights) are permitted + under the enrichment criteria. entity_usage: entity_types: - ADDRESS @@ -89,6 +123,10 @@ Check IP Reputation: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over `siemplify.target_entities` and filters them based + on `entity.entity_type == EntityTypes.ADDRESS`. It also optionally filters by + `entity.is_internal` based on the 'Exclude Internal Addresses' parameter. Ping: action_product_categories: add_alert_comment: false @@ -104,6 +142,10 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test ('Ping'). It does not perform enrichment, + containment, or any other operational task on entities or alerts. It does not + match any of the specific product categories. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -119,53 +161,40 @@ Ping: update_identity: false update_ticket: false ai_description: >- - ### General Description - - The **Ping** action is a diagnostic tool used to verify the connectivity between - the Google SecOps platform and the AbuseIPDB API. It ensures that the provided - API key is valid and that the network configuration allows for successful communication - with the external service. + Validates connectivity to the AbuseIPDB service. This action performs a test API + call to ensure the provided API key is valid and the service is reachable. - ### Parameters Description - - | Parameter Name | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | + ### Flow - | Api Key | String | Yes | The API key used to authenticate requests to AbuseIPDB. - This is retrieved from the integration configuration. | + 1. Extracts configuration parameters: 'Api Key' and 'Verify SSL'. - | Verify SSL | Boolean | No | If enabled, the action will verify the SSL certificate - of the AbuseIPDB API. Defaults to `False`. | + 2. Initializes the AbuseIPDBManager with the provided credentials. + 3. Executes the 'test_connectivity' method, which performs a GET request to the + AbuseIPDB API using a dummy IP address. - ### Additional Notes + 4. Returns a success message if the connection is established, or a failure message + if the API key is invalid or another error occurs. - * This action does not process any entities from the case. It uses a hardcoded - dummy IP address (`1.1.1.1`) to perform a test lookup. - * If the API key is invalid, the action will return a failed status with a specific - error message regarding forbidden access. + ### Parameters + | Parameter | Type | Mandatory | Description | - ### Flow Description + | :--- | :--- | :--- | :--- | - 1. **Initialization**: The action initializes the Siemplify context and retrieves - the integration configuration parameters (API Key and SSL verification setting). + | Api Key | String | Yes | The API key for authenticating with the AbuseIPDB service. + | - 2. **Manager Setup**: An instance of the `AbuseIPDBManager` is created using the - provided credentials. + | Verify SSL | Boolean | No | Whether to verify SSL certificates for API requests. + Defaults to False. | - 3. **Connectivity Test**: The action calls the `test_connectivity` method, which - performs a GET request to the AbuseIPDB 'check' endpoint for the IP `1.1.1.1`. - 4. **Validation**: The response is validated for HTTP errors and specific status - codes (e.g., 403 for invalid keys). + ### Additional Notes - 5. **Completion**: If the request is successful, the action returns a "Connection - Established" message. If an error occurs, it logs the exception and returns a - failure status. + This action is a connectivity test and does not perform any data enrichment or + system mutations. capabilities: can_create_case_comments: false can_create_insight: false @@ -176,8 +205,14 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to verify connectivity to the AbuseIPDB API. + It does not modify external systems, update internal entities, or create insights. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action, which is explicitly excluded from being an enrichment + action per the instructions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -193,3 +228,6 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use 'target_entities'. It performs a hardcoded connectivity + test. diff --git a/content/response_integrations/third_party/community/abuse_ipdb/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/abuse_ipdb/resources/ai/integration_ai_description.yaml index 2e831240c..0b5ac1f3d 100644 --- a/content/response_integrations/third_party/community/abuse_ipdb/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/community/abuse_ipdb/resources/ai/integration_ai_description.yaml @@ -7,6 +7,15 @@ product_categories: iam_and_identity_management: false itsm: false network_security: false + reasoning: >- + The abuse_ipdb integration is designed to query the AbuseIPDB service to retrieve + reputation data for IP addresses. Its primary action, 'Check IP Reputation', performs + enrichment on IP entities by fetching risk scores and report history, which directly + aligns with the 'Threat Intelligence' category definition of using external indicators + to determine reputation. The integration does not perform SIEM log analysis, EDR + host containment, network security gateway blocking, email security, IAM management, + cloud security operations, ITSM ticketing, vulnerability management, asset inventory + tracking, or collaboration/notification tasks. siem: false threat_intelligence: true vulnerability_management: false diff --git a/content/response_integrations/third_party/community/air_table/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/air_table/resources/ai/actions_ai_description.yaml index fb7ced458..a61dd2748 100644 --- a/content/response_integrations/third_party/community/air_table/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/air_table/resources/ai/actions_ai_description.yaml @@ -13,6 +13,10 @@ AddOrUpdate: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action performs data synchronization (insert/update) with an external Airtable + database. It does not match any of the predefined categories (e.g., IOC enrichment, + ticket creation, identity management, etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -28,62 +32,19 @@ AddOrUpdate: update_identity: false update_ticket: false ai_description: >- - ### General Description - - The **AddOrUpdate** action allows users to synchronize data with an Airtable table - by either inserting new records or updating existing ones. It processes a list - of data objects provided in JSON format and uses a specific field as a unique - identifier to determine whether a record already exists in the target Airtable - base and table. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **Base id** | String | Yes | The unique identifier for the Airtable base where - the data will be managed. | - - | **Table name** | String | Yes | The name of the specific table within the Airtable - base. | - - | **Field name** | String | Yes | The name of the field used to search for existing - records. This acts as the 'key' for the upsert logic. | - - | **Json fields** | String | Yes | A JSON-formatted string representing a list - of dictionaries. Each dictionary contains the field-value pairs to be inserted - or updated. | - - - ### Flow Description - - 1. **Initialization**: The action retrieves the Airtable API key from the integration - configuration and extracts the base ID, table name, search field, and the JSON - data from the action parameters. - - 2. **Data Parsing**: The `Json fields` string is parsed into a Python list of - dictionaries. - - 3. **Search and Upsert Logic**: For each item in the provided list: - * The action searches the specified Airtable table for records where the `Field - name` matches the value provided in the current item. - * **Update**: If one or more matching records are found, the action updates - those specific records with the data provided in the item. - * **Insert**: If no matching records are found, the action creates a new record - in the table using the data provided in the item. - 4. **Completion**: The action calculates the total number of inserted and updated - records and returns a summary message to the Google SecOps platform. - - - ### Additional Notes - - * This action does not operate on SecOps entities (like IPs or Hostnames) directly; - it processes raw data provided via the `Json fields` parameter. - - * Ensure the `Json fields` parameter is a valid JSON array of objects, and that - the `Field name` exists within those objects. + This action synchronizes data with an Airtable database by adding new records + or updating existing ones based on a specified field identifier. Flow: 1. Extracts + configuration parameters (API key, Base ID, Table Name, Field Name, JSON fields). + 2. Parses the Json fields input string into a list of dictionaries. 3. Iterates + through each record in the list. 4. Searches for existing records in the specified + Airtable table using the provided Field name as a key. 5. If a record is found, + it updates the existing record with the new data. 6. If no record is found, it + inserts a new record into the table. 7. Returns a summary of the total records + inserted and updated. Parameters: Base id (string, mandatory): The ID of the Airtable + base. Table name (string, mandatory): The name of the table within the base. Field + name (string, mandatory): The field name used to identify existing records for + update. Json fields (string, mandatory): A JSON string representing the records + to be added or updated. capabilities: can_create_case_comments: false can_create_insight: false @@ -92,12 +53,20 @@ AddOrUpdate: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - The action performs 'update' and 'insert' operations on the target Airtable - table, modifying the state of the external database. + Updates existing records or inserts new records into the specified Airtable + table. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a search (GET) on Airtable to check for existing records, + thus fetching data. It then performs updates or inserts (POST/PATCH) to modify + external data in Airtable. It does not modify internal Google SecOps data or + entities. categories: enrichment: false + reasoning: >- + The action mutates external data (Airtable records) and does not meet the criteria + for an enrichment action, which must be read-only regarding external systems. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -113,13 +82,16 @@ AddOrUpdate: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not reference siemplify.target_entities or any entity objects. + It processes raw JSON input provided via parameters. Create: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false contain_host: false - create_ticket: true + create_ticket: false delete_email: false disable_identity: false download_file: false @@ -128,6 +100,11 @@ Create: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action creates records in an external database (Airtable). It does not match + the specific definitions of the provided categories (e.g., it is not an ITSM + ticket, not an alert update, not an IOC blocklist, etc.). Therefore, all categories + are false. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -145,59 +122,43 @@ Create: ai_description: >- ### General Description - The **Create** action allows users to programmatically insert new records into - a specific table within an Airtable base. It is designed to handle bulk creation - by accepting a JSON array of objects, where each object represents a new row to - be added. This action is useful for logging SOAR activities, tracking incidents - in a database, or synchronizing data with external Airtable-based workflows. + Creates new records in a specific Airtable base and table. This action allows + users to push structured data into Airtable by providing the base ID, table name, + and a JSON array of fields to be inserted. ### Parameters Description - | Parameter Name | Type | Mandatory | Description | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Base id** | string | Yes | The unique identifier for the Airtable base (database). - This can be found in the URL of the Airtable API documentation page for that specific - base. | - - | **Table name** | string | Yes | The name of the table within the specified base - where the records should be inserted. | + | Base id | string | Yes | The ID of the Airtable base. This can be found in the + URL of the API page of the base. | - | **Json fields** | content | Yes | A JSON-formatted array of objects. Each object - contains key-value pairs where the key is the field (column) name and the value - is the data to be inserted into that field. Supports multiple records in one execution. - | + | Table name | string | Yes | The name of the table within the base. | + | Json fields | content | Yes | A JSON array of objects representing the rows + to be created. | - ### Flow Description - 1. **Configuration Extraction**: The action retrieves the Airtable API key from - the integration configuration. - - 2. **Parameter Parsing**: It extracts the Base ID, Table Name, and the JSON string - containing the record data from the action parameters. + ### Additional Notes - 3. **Data Processing**: The JSON string is parsed into a Python list of dictionaries. + The action requires the 'Api key' to be configured in the integration settings. + The 'Json fields' parameter must be a valid JSON array of objects. - 4. **External Interaction**: For each dictionary (record) in the list, the action - calls the Airtable API to insert the data into the specified table. - 5. **Result Compilation**: The action collects the unique IDs and field data returned - by Airtable for each successfully created record. + ### Flow Description - 6. **Final Output**: The action returns a JSON summary of the created records - and ends with a success message indicating the total count of records added. + 1. Extract configuration parameters (API Key, Base ID, Table Name, JSON fields). + 2. Initialize the Airtable client. - ### Additional Notes + 3. Parse the provided JSON fields string into a list of records. - - Ensure that the field names in the **Json fields** parameter exactly match the - column names in your Airtable table (case-sensitive). + 4. Iterate through the records and insert them into the specified Airtable table. - - The action will fail if the JSON provided is not a valid list of objects or - if the API key lacks the necessary permissions for the specified base. + 5. Return the result of the insertion (IDs and fields) to the SOAR platform. capabilities: can_create_case_comments: false can_create_insight: false @@ -206,12 +167,18 @@ Create: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - This action creates new records (rows) in a specified Airtable base and table - using the Airtable API. + Creates new records in the specified Airtable base and table. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST/Insert operation to an external system (Airtable) + to create records. It does not fetch data, nor does it modify internal SOAR + entities or case data. categories: enrichment: false + reasoning: >- + The action does not fetch data (it pushes data), so it is not an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -227,6 +194,8 @@ Create: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with entities. Delete: action_product_categories: add_alert_comment: false @@ -242,6 +211,10 @@ Delete: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action deletes records from an external database (Airtable). This does not + align with any of the provided security-specific categories (e.g., IOC enrichment, + ticket management, identity management, host containment). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -257,59 +230,55 @@ Delete: update_identity: false update_ticket: false ai_description: >- - ### General Description + Deletes records from an Airtable database based on a specified field and value. + This action automates the cleanup of structured data within Airtable by searching + for records that match a given field-value pair and removing them. - The **Delete** action allows users to remove records from a specific Airtable - table based on a matching field value. It performs a search to identify records - where a designated column (field) matches a provided value and subsequently deletes - those records, up to a user-defined limit. + ### Flow Description - ### Parameters Description + 1. **Configuration Extraction**: The action retrieves the Airtable API key from + the integration configuration. - | Parameter | Type | Mandatory | Description | + 2. **Parameter Parsing**: It extracts the Base ID, Table Name, Field Name, Field + Value, and Max Records limit from the action parameters. - | :--- | :--- | :--- | :--- | + 3. **Search**: It connects to the specified Airtable base and table, searching + for records where the provided field matches the specified value. - | **Base id** | string | Yes | The unique identifier for the Airtable base (database). - Found in the API documentation URL for the base. | + 4. **Deletion**: It iterates through the retrieved records and deletes them from + the Airtable table. - | **Table name** | string | Yes | The name of the specific table within the base - where the deletion should occur. | + 5. **Completion**: It returns a summary message indicating the number of records + successfully deleted. - | **Field name** | string | Yes | The name of the column (field) to search for - matching values. | - | **Field value** | string | Yes | The specific value to look for in the designated - field. Records containing this value will be targeted for deletion. | + ### Parameters - | **Max records** | string | Yes | The maximum number of records that the action - will delete in a single execution. Default is 100. | + | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Flow Description + | Field value | string | Yes | The value of a specific field in a table to match + for deletion. | - 1. **Initialization**: The action extracts the API key from the integration configuration - and the base ID, table name, field name, field value, and max records from the - action parameters. + | Field name | string | Yes | The name of the field (column) in the table to search. + | - 2. **Search**: It connects to the Airtable API and searches the specified table - for records where the `Field name` matches the `Field value`, limiting the results - to the `Max records` count. + | Table name | string | Yes | The name of the table within the base. | - 3. **Deletion**: The action iterates through the list of records returned by the - search and issues a delete request for each record ID. + | Base id | string | Yes | The ID of the Airtable base where the data is stored. + | - 4. **Completion**: It calculates the total number of deleted records and returns - a success message to the Google SecOps platform. + | Max records | string | Yes | The maximum number of records (rows) that will + be affected by the action. | ### Additional Notes - * This action does not operate on SecOps entities; it relies entirely on the provided - parameters to identify data in Airtable. - - * The action performs a destructive operation (deletion) on external data. + This action performs a destructive operation (deletion) on external data. Ensure + that the `Field name` and `Field value` are correctly specified to avoid accidental + data loss. capabilities: can_create_case_comments: false can_create_insight: false @@ -318,12 +287,18 @@ Delete: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - The action deletes records from an Airtable table based on search criteria provided - in the parameters. + Deletes records from the specified Airtable table based on the search criteria. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a search (fetch) and then a delete (mutate) on an external + Airtable database. It does not interact with SOAR entities or internal case + data. categories: enrichment: false + reasoning: >- + The action mutates external data (deletes records), therefore it is not an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -339,6 +314,8 @@ Delete: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use or reference any SOAR entities. Delete All Records: action_product_categories: add_alert_comment: false @@ -354,6 +331,10 @@ Delete All Records: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action deletes records from an external Airtable database. It does not match + any of the provided specific categories (e.g., IOC enrichment, host containment, + ticket management, email management). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -369,51 +350,44 @@ Delete All Records: update_identity: false update_ticket: false ai_description: >- - Deletes all records from a specified table within an Airtable base. This action - is useful for clearing out temporary data or resetting a table's state. It first - retrieves all existing record IDs from the target table and then performs a batch - deletion to remove them. + Deletes all records from a specified table in an Airtable base. + + ### Flow Description - ### Flow Description: + 1. The action extracts the `Api key`, `Base Id`, and `Table name` from the integration + configuration and action parameters. - 1. **Configuration Extraction:** Retrieves the Airtable API key from the integration - settings and the Base ID and Table Name from the action parameters. + 2. It initializes the Airtable client using the provided credentials and base + information. - 2. **Record Retrieval:** Connects to the specified Airtable base and table to - fetch all existing records. + 3. It retrieves all existing records from the specified table. - 3. **ID Collection:** Extracts the unique record IDs for every record found in - the table. + 4. It collects the unique identifiers for all retrieved records. - 4. **Batch Deletion:** Executes a batch delete operation using the collected IDs - to remove all records from the table. + 5. It performs a batch deletion operation to remove all collected records from + the Airtable table. - 5. **Completion:** Returns a success message indicating the total number of records - deleted. + 6. It returns a success message indicating the total count of deleted records. - ### Parameters Description: + ### Parameters - | Parameter Name | Type | Mandatory | Description | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Base Id | String | True | The unique identifier for the Airtable base (database). - This can be found in the URL of the Airtable API documentation page for that base. - | - - | Table name | String | True | The name of the specific table within the base - from which all records will be deleted. | + | Base Id | string | Yes | The unique identifier for the Airtable base, found + in the API URL. | + | Table name | string | Yes | The name of the table within the base to clear. + | - ### Additional Notes: - - This action performs a destructive operation. Once records are deleted via the - API, they cannot be easily recovered unless a backup exists within Airtable. + ### Additional Notes - - The action handles API rate limits by setting a specific limit on the Airtable - client before performing the batch delete. + This action performs a destructive operation by deleting all records in the specified + table. Ensure the correct `Base Id` and `Table name` are provided before execution. capabilities: can_create_case_comments: false can_create_insight: false @@ -422,12 +396,18 @@ Delete All Records: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Deletes all records from the specified Airtable table using the batch delete - API method. + Deletes all records from the specified Airtable table. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches data (records) from Airtable to identify them, then performs + a batch delete operation (mutation) on the external system. It does not interact + with internal SOAR entities or case data. categories: enrichment: false + reasoning: >- + The action is not an enrichment action because it performs a destructive mutation + on an external system (Airtable). entity_usage: entity_types: [] filters_by_additional_properties: false @@ -443,6 +423,9 @@ Delete All Records: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The script does not use `siemplify.target_entities`. It operates on external + Airtable data based on provided parameters. Enrich Entities From Table: action_product_categories: add_alert_comment: false @@ -458,6 +441,10 @@ Enrich Entities From Table: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves contextual metadata from an external database (Airtable) + and adds it to the entity. This matches the definition of 'Enrich IOC' (if the + entity is an IOC) and 'Enrich Asset' (if the entity is an asset). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -473,33 +460,37 @@ Enrich Entities From Table: update_identity: false update_ticket: false ai_description: >- - Enriches entities by searching for matching records in a specified Airtable table. - This action allows users to map SOAR entities to custom data stored in Airtable - (such as asset inventories, user directories, or threat intelligence lists) and - pull that data back into the entity's additional properties. + ### General Description + + Enriches entities by searching for their identifiers or specific properties in + an Airtable database. This action retrieves structured data from a specified Airtable + base and table, then updates the entity's additional properties with the retrieved + information, allowing analysts to correlate case data with external Airtable records. ### Flow Description - 1. **Parameter Extraction:** Retrieves the Airtable API key, Base ID, Table Name, - and search parameters from the action configuration. + 1. **Configuration Extraction**: The action retrieves the Airtable API key, Base + ID, Table Name, Field Name, and optional parameters (Entity Field, Max Records, + Enrichment Prefix) from the integration settings. - 2. **Search Value Determination:** For each target entity, the action determines - the search value. By default, it uses the entity's identifier, but it can be configured - to use a specific value from the entity's existing additional properties via the - 'Entity Field' parameter. + 2. **Entity Iteration**: The action iterates through all target entities provided + in the case. - 3. **Airtable Query:** Executes a search in the specified Airtable table, looking - for records where the 'Field name' column matches the search value. It performs - a case-sensitive search first, followed by a case-insensitive search if no results - are found. + 3. **Search Value Determination**: For each entity, it determines the search value. + If an `Entity Field` is specified, it attempts to retrieve that property from + the entity's `additional_properties`. If not specified or if the property is missing, + it defaults to the entity's `identifier`. - 4. **Data Processing:** If a record is found, the action flattens the Airtable - record (handling nested dictionaries and lists) and applies the specified 'Enrichment - Prefix'. + 4. **Airtable Query**: It performs a search against the specified Airtable table + using the determined search value. - 5. **Entity Update:** Updates the entity's additional properties with the retrieved - data and saves the changes within Google SecOps. + 5. **Data Enrichment**: If a match is found, the action flattens the retrieved + record, applies the configured `Enrichment Prefix` to the keys, and updates the + entity's `additional_properties`. + + 6. **Entity Update**: Finally, the action updates the enriched entities within + the SOAR platform and returns the count of successful and failed enrichments. ### Parameters Description @@ -508,34 +499,32 @@ Enrich Entities From Table: | :--- | :--- | :--- | :--- | - | Enrichment Prefix | string | No | A prefix (default: 'AT_') added to the keys - of the data retrieved from Airtable before adding them to the entity properties. + | Base id | string | Yes | The ID of the Airtable base where the data is stored. | - | Max records | string | No | The maximum number of records to retrieve from Airtable - (default: 100). Note: The action currently processes only the first record found. - | + | Table name | string | Yes | The name of the specific table within the Airtable + base. | - | Base id | string | Yes | The unique identifier for the Airtable base (database). - Found in the Airtable API documentation URL. | + | Field name | string | Yes | The column name in the Airtable table to search + against. | - | Table name | string | Yes | The name of the specific table within the base to - search. | + | Entity Field | string | No | The entity property to use for the search. If left + empty, the entity's identifier is used. | - | Field name | string | Yes | The name of the column in the Airtable table to - match against the entity value. | + | Max records | string | No | The maximum number of records to retrieve from Airtable. + Defaults to 100. | - | Entity Field | string | No | The specific entity property to use for the search. - If left blank, the entity's Identifier is used. | + | Enrichment Prefix | string | No | A prefix to prepend to the keys of the added + enrichment fields. Defaults to 'AT_'. | ### Additional Notes - - The action is designed to handle complex Airtable data structures by flattening - them into a key-value format suitable for entity properties. + - The action does not filter entities by type; it attempts to process all entities + provided in the target list. - - If multiple records are found in Airtable, the action currently only utilizes - the first record returned. + - If the `Entity Field` parameter is provided but the property does not exist + on the entity, the enrichment for that specific entity will fail. capabilities: can_create_case_comments: false can_create_insight: false @@ -546,9 +535,19 @@ Enrich Entities From Table: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with data retrieved from Airtable. + Updates the entity's additional_properties with data retrieved from Airtable. + reasoning: >- + The action fetches data from an external system (Airtable) via API calls (fetches_data=true). + It does not mutate external data (can_mutate_external_data=false). It updates + internal SOAR entities with the retrieved data (can_mutate_internal_data=true, + can_update_entities=true). It does not create insights, modify alert data, or + create case comments. categories: enrichment: true + reasoning: >- + The action fetches data from an external source (Airtable) and updates internal + entities with that data. It does not mutate external systems, nor does it perform + forbidden internal mutations. Therefore, it qualifies as an enrichment action. entity_usage: entity_types: - ADDRESS @@ -599,6 +598,10 @@ Enrich Entities From Table: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over all `siemplify.target_entities` without filtering by + type, so it supports all entity types. It uses the `additional_properties` attribute + of the entity if the `Entity Field` parameter is provided. Get All Records: action_product_categories: add_alert_comment: false @@ -614,6 +617,10 @@ Get All Records: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves records from an Airtable database. It does not match any + of the specific product categories defined (e.g., IOC enrichment, asset enrichment, + containment, ticketing, etc.). It is a general-purpose data retrieval utility. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -629,61 +636,45 @@ Get All Records: update_identity: false update_ticket: false ai_description: >- - ### General Description - - The **Get All Records** action retrieves a list of records from a specified table - within an Airtable base. This action is designed to fetch structured data from - Airtable, allowing users to pull reference information, lookup tables, or logs - into a Google SecOps playbook. It supports limiting the number of records returned - and sorting the results based on a specific column. + Retrieves records from a specified table within an Airtable database. This action + allows users to query data by providing the Base ID and Table name, with optional + sorting capabilities. The action fetches the requested records and returns them + as a JSON result for further analysis or reporting within the SOAR platform. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Base Id** | String | Yes | The unique identifier for the Airtable base (database). - This can be found in the URL of the Airtable API documentation page for that base. - | + | Base Id | string | Yes | The ID of the Airtable base (database) to query. Found + in the API URL. | - | **Table name** | String | Yes | The name of the specific table within the base - from which to retrieve records. | + | Table name | string | Yes | The name of the table within the base to retrieve + records from. | - | **Max Records** | String | Yes | The maximum number of rows/records to fetch - from the table. | + | Max Records | string | Yes | The maximum number of rows to return. | - | **Sort by** | String | No | The name of the column (field) you wish to sort - the records by. | + | Sort by | string | No | The column name to sort the results by. | - | **Sort Direction** | DDL | Yes | The order in which to sort the records: 'Ascending' - or 'Descending'. | + | Sort Direction | ddl | Yes | The direction of the sort (Descending or Ascending). + | ### Flow Description - 1. **Initialization**: The action retrieves the Airtable API key from the integration - configuration and the specific base and table details from the action parameters. - - 2. **Sorting Logic**: It evaluates the 'Sort Direction' and 'Sort by' parameters - to construct the appropriate sorting criteria for the Airtable API request. - - 3. **Data Retrieval**: The action calls the Airtable API's `get_all` method, applying - the record limit and sorting parameters. - - 4. **Output**: The fetched records are converted to a JSON string and added to - the action's results. The action concludes by reporting the total number of records - successfully retrieved. + 1. The action extracts the configuration (API Key) and input parameters (Base + ID, Table name, Max Records, Sort by, Sort Direction). + 2. It initializes the Airtable client using the provided credentials. - ### Additional Notes + 3. It constructs the query, applying sorting logic if a 'Sort by' column is provided. - - This action does not target specific entities (such as IP addresses or Hostnames) - but instead performs a global fetch from the specified Airtable table. + 4. It executes the retrieval request to Airtable. - - If the **Sort by** parameter is left empty, the action will retrieve records - in the default order provided by the Airtable API. + 5. The retrieved records are output as a JSON result and a summary message is + returned to the SOAR platform. capabilities: can_create_case_comments: false can_create_insight: false @@ -694,8 +685,17 @@ Get All Records: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a read-only operation (GET) to retrieve data from an external + Airtable database. It does not modify any external systems, nor does it update + internal SOAR entities, insights, or alert data. It simply returns the fetched + data as a result. categories: enrichment: false + reasoning: >- + The action fetches data from an external system (Airtable), but it does not + operate on SOAR entities or alerts to provide enrichment context. It is a general-purpose + data retrieval action, not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -711,6 +711,9 @@ Get All Records: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with or filter any SOAR entities. It operates on + generic database records. Ping: action_product_categories: add_alert_comment: false @@ -726,6 +729,10 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test ('Ping') and does not perform any of the defined + operational tasks (e.g., enrichment, ticketing, containment). Therefore, it + does not match any of the provided categories. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -743,31 +750,43 @@ Ping: ai_description: >- ### General Description - The **Ping** action is designed to verify the connectivity between Google SecOps - and the AirTable service. It ensures that the provided credentials (API Key, Base - ID, and Table Name) are valid and that the environment can successfully communicate - with the AirTable API. + This action tests the connectivity between the SOAR platform and the AirTable + service. It verifies that the provided credentials and identifiers are valid by + attempting to retrieve records from the specified table. ### Parameters Description - There are no input parameters for this action. It relies entirely on the integration's - configuration settings. + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Api key | String | Yes | The API key used to authenticate with the AirTable + service. | + + | Base id | String | Yes | The unique identifier for the AirTable base. | + + | Table name | String | Yes | The name of the table within the base to query. + | ### Flow Description - 1. **Configuration Extraction**: The action retrieves the `Api key`, `Base id`, - and `Table name` from the AirTable integration configuration. + 1. Extracts the required configuration parameters (`Api key`, `Base id`, `Table + name`) from the integration settings. - 2. **Client Initialization**: It initializes the AirTable client using the extracted - credentials. + 2. Initializes the AirTable client using the provided credentials and identifiers. - 3. **Connectivity Test**: The action attempts to fetch a single record (`maxRecords=1`) - from the specified table to confirm read access. + 3. Executes a `get_all` request to the specified AirTable base and table to verify + that the connection is active and authenticated. - 4. **Completion**: If the request is successful, the action concludes with a success - message indicating that AirTable is connected. + 4. Returns a success message indicating the connection status. + + + ### Additional Notes + + This is a connectivity test action and does not perform any data modification + or enrichment. capabilities: can_create_case_comments: false can_create_insight: false @@ -778,8 +797,14 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a read-only request (get_all) to verify connectivity. It + does not modify any external or internal data. categories: enrichment: false + reasoning: >- + The action is named 'Ping'. According to the instructions, actions named 'Ping' + are explicitly excluded from being categorized as enrichment actions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -795,6 +820,9 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. It is a global connectivity + test. Search: action_product_categories: add_alert_comment: false @@ -810,12 +838,17 @@ Search: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action performs a search in an external database (Airtable). It does not + match any of the predefined categories like 'Enrich IOC', 'Enrich Asset', 'Search + Events', 'Search Email', 'Search Asset', or 'Get Alert Information'. It is a + general-purpose search action. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false search_asset: false search_email: false - search_events: true + search_events: false send_email: false send_message: false submit_file: false @@ -825,64 +858,42 @@ Search: update_identity: false update_ticket: false ai_description: >- - ### General Description - - The **Search** action allows users to query a specific table within an Airtable - base to find records that match a particular field value. It is a read-only operation - designed to retrieve structured data from Airtable for use in playbooks or investigations. - + Searches for records in an Airtable database. This action allows users to query + specific tables within an Airtable base by providing a field name and a corresponding + value. It retrieves matching records up to a specified limit and returns them + as a JSON result. - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **Field value** | String | Yes | The specific value you are looking for within - the designated field. | - | **Field name** | String | Yes | The name of the column (field) in the Airtable - table where the search should be performed. | + ### Flow - | **Table name** | String | Yes | The name of the table within the Airtable base - that contains the data. | + 1. Extracts configuration (API key) and parameters (Base ID, Table Name, Field + Name, Field Value, Max Records). - | **Base id** | String | Yes | The unique identifier for the Airtable base (found - in the API documentation or URL). | + 2. Initializes the Airtable client using the provided credentials and base ID. - | **Max records** | String | No | The maximum number of records to return. Defaults - to 100 if not specified. | + 3. Executes a search query on the specified table to find records matching the + provided field name and value. + 4. Returns the matching records as a JSON result in the action output. - ### Additional Notes - - - This action does not process SOAR entities; it operates strictly based on the - provided parameters. - - The search is performed using the Airtable API's search functionality, which - typically looks for exact matches or specific patterns depending on the field - type. + ### Parameters + | Parameter | Type | Mandatory | Description | - ### Flow Description - - 1. **Configuration Extraction**: The action retrieves the Airtable API key from - the integration configuration. + | --- | --- | --- | --- | - 2. **Parameter Parsing**: It extracts the Base ID, Table Name, Field Name, Field - Value, and the maximum number of records to return from the action input. + | Field value | string | Yes | The value to search for in the specified field. + | - 3. **Client Initialization**: An Airtable client is initialized using the provided - Base ID and Table Name. + | Field name | string | Yes | The column name to search within. | - 4. **Execution**: The action calls the Airtable `search` method, passing the field - name and value to filter the records. + | Table name | string | Yes | The name of the table in the Airtable base. | - 5. **Result Processing**: The retrieved records are counted and formatted into - a JSON structure. + | Base id | string | Yes | The ID of the Airtable base. | - 6. **Output**: The action returns the JSON results to the SOAR platform and provides - a summary message indicating how many records were successfully matched. + | Max records | string | No | The maximum number of records (rows) that will be + affected by the action. Default is 100. | capabilities: can_create_case_comments: false can_create_insight: false @@ -893,8 +904,17 @@ Search: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a search (GET-like operation) on an external system (Airtable). + It does not modify external data, nor does it modify internal SOAR data (entities, + insights, comments). categories: enrichment: false + reasoning: >- + The action is a generic search tool for an external database (Airtable). It + does not target specific entities or alerts for enrichment, nor does it meet + the criteria for an enrichment action as it does not operate on entities or + alerts. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -910,6 +930,9 @@ Search: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `siemplify.target_entities`. It uses user-provided + parameters to perform a search. Update: action_product_categories: add_alert_comment: false @@ -925,6 +948,10 @@ Update: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action performs a generic update on records in an Airtable database. It + does not match the specific expected outcomes for ITSM ticket updates, alert + updates, or other predefined categories. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -938,28 +965,55 @@ Update: update_alert: false update_email: false update_identity: false - update_ticket: true + update_ticket: false ai_description: >- - ### General Description\nUpdates specific records in an Airtable table based on - a search criterion. This action allows for bulk updates of records that match - a specific field value, enabling automated data management within Airtable bases.\n\n### - Parameters Description\n| Parameter | Type | Mandatory | Description |\n| :--- - | :--- | :--- | :--- |\n| Base id | String | Yes | The ID of the Airtable base - (found in the API URL). |\n| Table name | String | Yes | The name of the table - within the base. |\n| Field name | String | Yes | The name of the field (column) - to search for matching records. |\n| Field value | String | Yes | The value to - match in the specified 'Field name'. |\n| Json fields | Content | Yes | A JSON - dictionary of field names and their new values to be updated (e.g., `{\"Status\": - \"Closed\"}`). |\n| Max records | String | Yes | The maximum number of records - to be updated in a single execution. |\n\n### Flow Description\n1. **Search**: - The action searches the specified Airtable table for records where the 'Field - name' matches the 'Field value'.\n2. **Limit**: It retrieves up to the number - of records specified in 'Max records'.\n3. **Update**: For each record found, - it applies the updates defined in the 'Json fields' parameter using the Airtable - record ID.\n4. **Report**: Returns the total count of successfully updated records - as the action result.\n\n### Additional Notes\nEnsure the 'Json fields' parameter - is a valid JSON string. If 'Max records' is not a valid integer, the action defaults - to a limit of 5 records. + ### General Description + + This action updates specific records within an Airtable database. It allows users + to search for records based on a field-value pair and apply updates to those records + using a provided JSON object containing the new field values. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Base id | string | Yes | The ID of the Airtable base where the data is stored. + This can be found in the URL of the API page for the base. | + + | Table name | string | Yes | The name of the table within the Airtable base to + be updated. | + + | Field name | string | Yes | The name of the column (field) to use as the search + criteria. | + + | Field value | string | Yes | The value to search for within the specified Field + name. | + + | Json fields | content | Yes | A JSON-formatted string representing the fields + and their new values to be applied to the matching records. | + + | Max records | string | Yes | The maximum number of records (rows) that will + be affected by the update operation. | + + + ### Flow Description + + 1. The action initializes the Airtable client using the provided Base ID and API + Key. + + 2. It searches the specified table for records where the provided Field name matches + the Field value. + + 3. The search results are limited to the number specified in the Max records parameter. + + 4. For each matching record found, the action performs an update operation using + the provided Json fields. + + 5. The action concludes by returning a summary message indicating the number of + records successfully updated. capabilities: can_create_case_comments: false can_create_insight: false @@ -968,12 +1022,20 @@ Update: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates existing records in an Airtable table with new field values provided - in the 'Json fields' parameter. + Updates records in the specified Airtable table based on the provided search + criteria and field values. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action interacts with an external Airtable database. It performs a search + (fetches data) and then executes an update operation on the records found (mutates + external data). It does not interact with internal SOAR entities or case data. categories: enrichment: false + reasoning: >- + The action mutates external data (Airtable records), which violates the 'External + State Preservation' rule for enrichment actions. Therefore, it is not an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -989,3 +1051,7 @@ Update: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not reference `target_entities` or perform any operations on + SOAR entities. It relies entirely on configuration parameters provided by the + user. diff --git a/content/response_integrations/third_party/community/air_table/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/air_table/resources/ai/connectors_ai_description.yaml index 2e182c899..7cd3ab683 100644 --- a/content/response_integrations/third_party/community/air_table/resources/ai/connectors_ai_description.yaml +++ b/content/response_integrations/third_party/community/air_table/resources/ai/connectors_ai_description.yaml @@ -1,31 +1,61 @@ AirTable Connector: - ai_description: "### General Description\nThe AirTable Connector enables Google\ - \ SecOps to ingest records from specific AirTable bases and tables. It allows\ - \ security teams to monitor AirTable data\u2014such as asset lists, indicator\ - \ feeds, or manual logs\u2014and automatically convert them into cases and alerts\ - \ for orchestration and response.\n\n### Parameters Description\n| Parameter |\ - \ Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Api key |\ - \ Password | Yes | Your API Key found in your account overview under API. |\n\ - | Base id | String | Yes | The database ID found in the URL of the base's API\ - \ page. |\n| Table name | String | Yes | The name of the table within the base\ - \ to ingest from. |\n| Alert type | String | Yes | Determines the Alert type/Rule\ - \ Generator for the ingested cases. |\n| DeviceProductField | String | Yes | The\ - \ field name used to determine the device product. |\n| EventClassId | String\ - \ | Yes | The field name used to determine the event name (sub-type). |\n| Max\ - \ records | String | Yes | The maximum number of rows to fetch (default 300).\ - \ |\n| PythonProcessTimeout | String | Yes | Timeout limit in seconds for the\ - \ script execution. |\n| Alert name field | String | No | Column name to use for\ - \ the Alert name. |\n| Alert name prefix | String | No | Prefix to add to the\ - \ alert name. |\n| Field name | String | No | The column name to filter records\ - \ by. |\n| Field value | String | No | The value(s) (comma-separated) to search\ - \ for in the Field name column. |\n\n### Flow Description\n1. Establishes a connection\ - \ to the AirTable API using the provided API Key, Base ID, and Table Name.\n2.\ - \ Determines the retrieval strategy: if 'Field name' and 'Field value' are provided,\ - \ it performs a targeted search; otherwise, it retrieves all records up to the\ - \ 'Max records' limit.\n3. Iterates through the retrieved records and maps all\ - \ AirTable fields to case extensions.\n4. Generates a unique CaseInfo object for\ - \ each record, assigning a unique ticket ID and source grouping identifier.\n\ - 5. Configures the case name using the 'Alert name field' and optional 'Alert name\ - \ prefix'.\n6. Sets the alert priority to Medium (60) and assigns the 'Alert type'\ - \ as the rule generator.\n7. Packages the records as cases and ingests them into\ - \ Google SecOps." + ai_description: >- + ### General Description + + The Airtable Connector facilitates the ingestion of records from a specified Airtable + base and table into Google SecOps. It transforms Airtable records into security + cases, enabling users to monitor and respond to data stored in Airtable within + the SOAR environment. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Alert name field | String | No | Airtable column name to use for the alert name. + | + + | Alert name prefix | String | No | Prefix to prepend to the alert name. | + + | Alert type | String | Yes | The alert type/rule generator name. | + + | Api key | Password | Yes | Airtable API key. | + + | Base id | String | Yes | The ID of the Airtable base. | + + | DeviceProductField | String | Yes | Field name used to determine the device + product. | + + | EventClassId | String | Yes | Field name used to determine the event name. | + + | Field name | String | No | Airtable field name to filter by. | + + | Field value | String | No | Value to search for in the specified field. | + + | Max records | String | Yes | Maximum number of records to fetch. | + + | PythonProcessTimeout | String | Yes | Timeout limit for the script execution. + | + + | Table name | String | Yes | The name of the table within the base. | + + + ### Flow Description + + 1. The connector initializes and retrieves configuration parameters, including + authentication credentials and target Airtable details. + + 2. It establishes a connection to the Airtable API using the provided API key, + Base ID, and Table Name. + + 3. If a specific `Field name` and `Field value` are provided, the connector queries + the table for matching records; otherwise, it fetches all records up to the configured + `Max records` limit. + + 4. For each retrieved record, the connector maps the Airtable fields to case extensions + and generates a new security case. + + 5. The generated cases, including relevant event data, are packaged and ingested + into the Google SecOps platform for further analysis. diff --git a/content/response_integrations/third_party/community/air_table/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/air_table/resources/ai/integration_ai_description.yaml index 6880e92b2..dbd440a72 100644 --- a/content/response_integrations/third_party/community/air_table/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/community/air_table/resources/ai/integration_ai_description.yaml @@ -7,6 +7,16 @@ product_categories: iam_and_identity_management: false itsm: true network_security: false + reasoning: >- + The Airtable integration provides capabilities to ingest external data into the + SOAR platform as security cases (via the Airtable Connector) and to manage records + in an external database (via Add, Update, Delete, and Search actions). The 'Enrich + Entities From Table' action allows for the enrichment of internal assets with + contextual data from Airtable, which directly aligns with the 'Asset Inventory' + category. Furthermore, Airtable is commonly used for task management and project + planning, and the ability to create and update records in this system aligns with + the 'ITSM' category. The integration does not perform log analysis or IOC reputation + checks, so it does not qualify as 'SIEM' or 'Threat Intelligence'. siem: false - threat_intelligence: true + threat_intelligence: false vulnerability_management: false diff --git a/content/response_integrations/third_party/community/arcanna_ai/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/arcanna_ai/resources/ai/actions_ai_description.yaml index 278de80ba..ca19aa4fb 100644 --- a/content/response_integrations/third_party/community/arcanna_ai/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/arcanna_ai/resources/ai/actions_ai_description.yaml @@ -12,13 +12,16 @@ Export full event: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false - get_alert_information: false + get_alert_information: true + reasoning: >- + The action fetches specific event details from the Arcanna.ai platform. This + aligns with 'Get Alert Information' (fetching details about an event/alert). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false search_asset: false search_email: false - search_events: true + search_events: false send_email: false send_message: false submit_file: false @@ -30,11 +33,9 @@ Export full event: ai_description: >- ### General Description - The **Export full event** action retrieves the complete raw or processed data - for a specific event from Arcanna.ai. By providing a Job ID and an Event ID, analysts - can fetch the full context of an event that has been processed by the Arcanna - AI engine, which is essential for deep-dive forensic analysis or manual verification - of AI decisions. + Exports a full event from the Arcanna.ai platform for a specified job and event + ID. This action retrieves detailed event data from the external system and provides + it as a JSON result within the SOAR platform. ### Parameters Description @@ -43,35 +44,23 @@ Export full event: | :--- | :--- | :--- | :--- | - | **Job ID** | String | Yes | The unique identifier of the Arcanna job where the - event is stored. Note: The action internally treats this as an integer. | + | Job ID | string | Yes | The unique identifier of the job to fetch the event + from. | - | **Event ID** | String | Yes | The unique identifier of the specific event to - be retrieved from the specified job. | + | Event ID | string | Yes | The unique identifier of the event to be exported. + | ### Flow Description - 1. **Configuration Retrieval**: The action extracts the Arcanna URL, API Key, - and SSL verification settings from the integration's global configuration. - - 2. **Input Validation**: The action retrieves the mandatory `Job ID` and `Event - ID` from the action parameters provided in the playbook or by the user. - - 3. **API Request**: The action initializes the Arcanna client and executes an - HTTP GET request to the export endpoint: `/api/v1/events/{job_id}/{event_id}/export`. + 1. Initialize the `ArcannaClient` using the configured API key and URL. - 4. **Data Output**: The full JSON response containing the event details is captured - and added to the action's result JSON, making it available for subsequent playbook - steps. + 2. Extract the `Job ID` and `Event ID` from the action parameters. + 3. Call the `export_event` method, which performs a GET request to the Arcanna + API. - ### Additional Notes - - - This action does not process or filter entities from the SecOps case; it relies - entirely on the provided ID parameters. - - - The action is read-only regarding the external Arcanna.ai system. + 4. Add the resulting event data to the action's result output. capabilities: can_create_case_comments: false can_create_insight: false @@ -82,8 +71,17 @@ Export full event: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve event data from an external API + (fetches_data=true). It does not modify any external systems (can_mutate_external_data=false) + or internal SOAR data (can_mutate_internal_data=false). It does not update entities, + create insights, or modify alert data. categories: enrichment: false + reasoning: >- + The action fetches data from an external source but does not perform any enrichment + on entities or alerts within the SOAR platform (e.g., it does not update entities + or create insights). Therefore, it is not classified as an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -99,6 +97,9 @@ Export full event: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `siemplify.target_entities` and does not perform + any filtering on entities. It operates independently of the case entities. Get AI Job by name: action_product_categories: add_alert_comment: false @@ -113,7 +114,11 @@ Get AI Job by name: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false - get_alert_information: false + get_alert_information: true + reasoning: >- + The action fetches job details from the Arcanna.ai platform. This aligns with + the 'Get Alert Information' category, as it retrieves metadata about a specific + job from the integrated product. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -129,44 +134,35 @@ Get AI Job by name: update_identity: false update_ticket: false ai_description: >- - Retrieves detailed information about a specific AI job from the Arcanna.ai platform - using the job's name. This action is primarily used to fetch configuration details, - status, or metadata associated with a defined job in Arcanna.ai, which can then - be used in subsequent playbook steps. + Fetches details for a specific AI job from the Arcanna.ai platform. - ### Flow Description + ### Flow - 1. **Configuration Extraction:** The action retrieves the Arcanna.ai URL, API - Key, and SSL verification settings from the integration configuration. + 1. Extracts the required configuration parameters (URL, API Key, SSL verification) + and the `Job name` from the action settings. - 2. **Parameter Retrieval:** The action extracts the mandatory `Job name` provided - by the user. + 2. Initializes the `ArcannaClient` to communicate with the Arcanna.ai API. - 3. **API Interaction:** It initializes the Arcanna client and performs a request - to the `/api/v1/jobs/get_by_name` endpoint to fetch the job's details. + 3. Executes a request to retrieve the job details using the provided `Job name`. - 4. **Result Processing:** The retrieved JSON response containing the job details - is added to the action's execution results. + 4. Adds the resulting JSON data to the action results for further use. - ### Parameters Description + ### Parameters - | Parameter Name | Type | Mandatory | Description | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Job name | String | Yes | The specific name of the AI job in Arcanna.ai for - which details should be retrieved. | + | Job name | string | Yes | The name of the AI job for which details should be + fetched. | ### Additional Notes - * This action does not operate on entities; it is a utility action for retrieving - system-level job information. - - * Although the underlying API call uses a POST method, it is a read-only operation - used for searching/retrieving data based on a name. + This action performs a retrieval operation and does not modify any external or + internal system state. capabilities: can_create_case_comments: false can_create_insight: false @@ -177,8 +173,15 @@ Get AI Job by name: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action retrieves job metadata from the Arcanna.ai API. It does not modify + external data (the POST request is for retrieval) or internal SOAR data. categories: enrichment: false + reasoning: >- + The action fetches job details from an external system. It does not enrich entities + or alerts, nor does it modify internal SOAR data. Therefore, it is not an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -194,6 +197,9 @@ Get AI Job by name: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use `target_entities`. It relies on a user-provided `Job + name` parameter. Get AI Job decision set: action_product_categories: add_alert_comment: false @@ -208,7 +214,12 @@ Get AI Job decision set: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false - get_alert_information: false + get_alert_information: true + reasoning: >- + The action fetches job decision data from Arcanna.ai. This is external data + retrieval. It does not modify external systems, nor does it update SOAR entities + or alerts. It fits the 'Get Alert Information' category as it retrieves metadata + about an AI job process. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -224,47 +235,38 @@ Get AI Job decision set: update_identity: false update_ticket: false ai_description: >- - ### General Description + Fetches the decision set (labels) for a specific AI job from Arcanna.ai. This + action retrieves job-specific metadata and decision information, which is then + returned as a JSON result for further analysis. - The **Get AI Job decision set** action retrieves the list of possible labels (the - decision set) for a specific AI Job configured in Arcanna.ai. This is a utility - action used to understand the classification options or outcomes that a specific - AI model is trained to provide. It is particularly useful for workflows that need - to map Arcanna's AI decisions to specific downstream logic. + ### Flow Description - ### Parameters Description + 1. Extracts configuration parameters (URL, API Key, SSL verification). - | Parameter | Type | Mandatory | Description | + 2. Extracts the `Job ID` parameter. - | :--- | :--- | :--- | :--- | + 3. Initializes the `ArcannaClient`. - | Job ID | String | Yes | The unique identifier of the Arcanna AI Job. Note: Although - provided as a string in the UI, the action logic converts this to an integer for - the API call. | + 4. Performs a GET request to the Arcanna API to retrieve the decision set for + the specified job. + 5. Adds the retrieved JSON response to the action result. - ### Flow Description - 1. **Configuration Retrieval:** The action extracts the Arcanna URL, API Key, - and SSL verification settings from the integration's global configuration. + ### Parameters Description - 2. **Parameter Extraction:** The action retrieves the `Job ID` provided by the - user. + | Parameter | Type | Mandatory | Description | - 3. **API Request:** The action initializes the Arcanna client and performs a GET - request to the `/api/v1/jobs/{job_id}/labels` endpoint. + | --- | --- | --- | --- | - 4. **Result Handling:** The action parses the JSON response containing the decision - set (labels) and attaches it as the `JsonResult` for use in subsequent playbook - steps. + | Job ID | string | Yes | The unique identifier of the AI job for which the decision + set is requested. | ### Additional Notes - This action does not process SOAR entities and does not modify any data within - the SecOps platform or the external Arcanna system. It is strictly a data retrieval - utility. + There are no additional notes. capabilities: can_create_case_comments: false can_create_insight: false @@ -275,8 +277,17 @@ Get AI Job decision set: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Arcanna API to fetch job decision data. + It does not mutate external systems (no POST/PUT/DELETE). It does not mutate + internal SOAR data (no entity updates, insights, or case comments). It simply + returns the fetched JSON as an action result. categories: enrichment: false + reasoning: >- + The action fetches data from an external source (Arcanna.ai) but does not enrich + entities or alerts within the SOAR platform. It is a utility action for retrieving + job-specific information, therefore it is not classified as an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -292,6 +303,9 @@ Get AI Job decision set: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not reference `siemplify.target_entities` or perform any operations + on entities. It operates on a standalone `Job ID` parameter. Get AI Job decision set by job name: action_product_categories: add_alert_comment: false @@ -306,7 +320,11 @@ Get AI Job decision set by job name: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false - get_alert_information: false + get_alert_information: true + reasoning: >- + The action retrieves a decision set for a specific job from the Arcanna AI platform. + This aligns with fetching information from a 3rd party product, which is categorized + as 'Get Alert Information'. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -322,48 +340,20 @@ Get AI Job decision set by job name: update_identity: false update_ticket: false ai_description: >- - ### General Description - - The **Get AI Job decision set by job name** action retrieves the set of possible - decisions (labels) associated with a specific AI job in Arcanna.ai using its name. - This allows users to programmatically identify the classification categories or - labels that a specific AI model is trained to output, which is essential for mapping - AI results to downstream logic. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **Job name** | String | Yes | The unique name of the AI job for which the decision - set (labels) should be retrieved. | - - - ### Flow Description - - 1. **Configuration Retrieval:** The action fetches the Arcanna.ai URL, API Key, - and SSL verification settings from the integration configuration. - - 2. **Parameter Extraction:** It extracts the mandatory `Job name` provided by - the user. - - 3. **API Interaction:** The action utilizes the `ArcannaClient` to send a request - to the `/api/v1/jobs/get_by_name/labels` endpoint. - - 4. **Data Processing:** The response from Arcanna.ai, containing the decision - set (labels), is captured. - - 5. **Output:** The retrieved data is attached to the action's JSON results for - use in subsequent playbook steps. - - - ### Additional Notes - - - This action uses a POST request internally to perform the lookup by name, but - it is a read-only operation that does not modify the job configuration or state - in Arcanna.ai. + Fetches the decision set (labels) for a specific Arcanna AI job by its name. **General + Description:** This action retrieves the decision set associated with a specified + Arcanna AI job. It interacts with the Arcanna AI platform to fetch labels and + decision data, which can then be used for further analysis or reporting within + the SOAR platform. **Parameters:** | Name | Type | Mandatory | Description | | + --- | --- | --- | --- | | Job name | string | true | The name of the Arcanna AI + job to retrieve the decision set for. | **Flow Description:** 1. The action extracts + the necessary configuration parameters (URL, API Key, SSL verification) and the + 'Job name' parameter. 2. It initializes the ArcannaClient with the provided configuration. + 3. It calls the Arcanna API endpoint '/api/v1/jobs/get_by_name/labels' via a POST + request, passing the 'job_name' in the request body. 4. The retrieved decision + set JSON is added to the action results using the SOAR SDK. **Additional Notes:** + This action does not perform any modifications to external systems or internal + SOAR data. It is a read-only operation designed to retrieve information. capabilities: can_create_case_comments: false can_create_insight: false @@ -374,8 +364,15 @@ Get AI Job decision set by job name: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action retrieves data from the Arcanna AI platform by sending a POST request + with a job name. It does not modify external systems or internal SOAR data (other + than adding result JSON). categories: enrichment: false + reasoning: >- + The action fetches data from an external system (Arcanna AI) but does not enrich + entities or alerts. Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -391,6 +388,10 @@ Get AI Job decision set by job name: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The script does not interact with siemplify.target_entities and the YAML configuration + does not define any entity types for simulation, confirming it does not run + on entities. Get Arcanna decision: action_product_categories: add_alert_comment: false @@ -406,6 +407,10 @@ Get Arcanna decision: enrich_ioc: false execute_command_on_the_host: false get_alert_information: true + reasoning: >- + The action fetches the status/decision of an event from the Arcanna AI platform. + This matches the 'Get Alert Information' category, as it retrieves specific + information about an event/alert from the 3rd party product. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -421,63 +426,53 @@ Get Arcanna decision: update_identity: false update_ticket: false ai_description: >- - ### General Description + General description: - Retrieves an AI-driven decision for a specific event from the Arcanna.ai platform. - This action is typically used to poll for the results of an inference job after - an event has been submitted for analysis. It supports a configurable retry mechanism - to account for the time required by the AI engine to process the data and generate - a decision. + This action retrieves the decision status for a specific Arcanna AI job and event. + It polls the Arcanna API until a final decision is available or the retry limit + is reached. - ### Parameters Description + Parameters description: | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + | --- | --- | --- | --- | - | **Job Id** | string | Yes | The unique identifier of the Arcanna job associated - with the event. | + | Job Id | string | Yes | The ID of the Arcanna job to query. | - | **Event Id** | string | Yes | The unique identifier of the specific event for - which the decision is being requested. | + | Event Id | string | Yes | The ID of the event to check. | - | **Retry count** | string | Yes | The maximum number of times the action will - poll the Arcanna API if the decision is still pending. Default is 20. | + | Retry count | string | Yes | Number of times to retry the request if the status + is 'pending_inference'. | - | **Seconds per retry** | string | Yes | The duration (in seconds) to wait between - each polling attempt. Default is 5. | + | Seconds per retry | string | Yes | Time in seconds to wait between retry attempts. + | - ### Flow Description + Flow description: - 1. **Initialization**: Extracts integration configuration (URL, API Key, SSL settings) - and action parameters (Job ID, Event ID, Retry settings). + 1. Extracts configuration parameters (URL, API Key, SSL verification) and action + parameters (Job ID, Event ID, Retry count, Seconds per retry). - 2. **Polling Loop**: Enters a loop that executes up to the specified `Retry count` - plus one. + 2. Initializes the ArcannaClient with the provided credentials. - 3. **API Request**: Calls the Arcanna API to retrieve the current status of the - event using the provided Job and Event IDs. + 3. Enters a retry loop to poll the Arcanna API for the event status using the + 'get_event_status' method. - 4. **Status Evaluation**: - * If the status is `pending_inference`, the action logs the status, waits - for the specified `Seconds per retry`, and continues to the next iteration. - * If the status is `OK`, the action retrieves the decision data, adds it to - the JSON results, and terminates successfully. - * If the status is `ERROR`, the action logs the error response and terminates - with a failure state. - 5. **Timeout Handling**: If the retry limit is reached without receiving a final - decision, the action terminates with a failure message suggesting an increase - in the retry window. + 4. If the status is 'pending_inference', the action waits for the configured duration + and retries. + 5. If the status is 'OK', the action adds the response JSON to the result and + completes successfully. + + 6. If the status is 'ERROR' or the retry limit is reached, the action fails. - ### Additional Notes - * This action does not operate on SecOps entities; it requires specific IDs provided - as input parameters. + Additional notes: - * The total wait time is approximately `Retry count` * `Seconds per retry`. + This action performs a GET request to the Arcanna API and does not modify any + external systems or internal SOAR data. capabilities: can_create_case_comments: false can_create_insight: false @@ -488,8 +483,16 @@ Get Arcanna decision: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action polls the Arcanna API for the status of a specific event. It does + not modify external systems or internal SOAR data (entities, insights, comments). + It only adds the result JSON to the action output. categories: enrichment: false + reasoning: >- + The action fetches data but does not perform any of the allowed internal mutations + (update entities, create insights, add comments). Therefore, it is not an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -505,6 +508,9 @@ Get Arcanna decision: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with target_entities. It uses parameters provided + in the action configuration. Get Jobs: action_product_categories: add_alert_comment: false @@ -520,6 +526,9 @@ Get Jobs: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves a list of jobs from Arcanna.AI. It does not match any of + the provided categories (e.g., Enrich IOC, Enrich Asset, Update Alert, etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -535,46 +544,14 @@ Get Jobs: update_identity: false update_ticket: false ai_description: >- - ### General Description - - Retrieves a list of all available jobs from the Arcanna.AI platform. This action - serves as a utility to discover job configurations, including their unique identifiers - and names, which are often required as inputs for other Arcanna.AI integration - actions such as sending cases or triggering training. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | None | N/A | N/A | This action does not have any input parameters. It relies - solely on the integration's global configuration. | - - - ### Additional Notes - - - The action uses the integration's global settings (URL, API Key, and SSL Verification) - to authenticate and communicate with the Arcanna.AI instance. - - - The results are returned as a JSON array of job objects, which can be used in - subsequent playbook steps. - - - ### Flow Description - - 1. **Initialization**: The action initializes the Arcanna.AI client using the - base URL and API Key provided in the integration's global configuration. - - 2. **API Request**: It executes a GET request to the `/api/v1/jobs` endpoint of - the Arcanna.AI API. - - 3. **Data Retrieval**: The action captures the JSON response containing the list - of all jobs available in the system. - - 4. **Output**: The retrieved job data is added to the action's JSON results, and - the execution is marked as completed. + Retrieves a list of available jobs from the Arcanna.AI platform. The action performs + the following steps: 1. Extracts configuration parameters including the Arcanna.AI + URL, API Key, and SSL verification setting. 2. Initializes the ArcannaClient with + the provided credentials. 3. Executes a GET request to the /api/v1/jobs endpoint + to fetch the list of jobs. 4. Adds the retrieved JSON response to the action result. + Parameters: Integration.Url (String, Mandatory) - The base URL of the Arcanna.AI + instance. Integration.Api Key (String, Mandatory) - The API key for authentication. + SSL Verification (Boolean, Mandatory) - Flag to enable or disable SSL verification. capabilities: can_create_case_comments: false can_create_insight: false @@ -585,8 +562,16 @@ Get Jobs: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Arcanna.AI API to retrieve a list of + jobs. It does not modify any external systems or internal SOAR data (entities, + insights, comments). categories: enrichment: false + reasoning: >- + The action retrieves a list of jobs from an external system. It does not enrich + entities or alerts, nor does it perform any of the allowed internal mutations + (comments, insights, entity updates). Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -602,6 +587,9 @@ Get Jobs: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with siemplify.target_entities. It operates globally + to fetch job data. Ping: action_product_categories: add_alert_comment: false @@ -617,6 +605,9 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test (Ping). It does not perform any of the listed + functional operations (enrichment, containment, ticketing, etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -634,44 +625,47 @@ Ping: ai_description: >- ### General Description - The **Ping** action is a utility designed to verify the connectivity between Google - SecOps and the Arcanna.ai instance. It serves as a diagnostic tool to ensure that - the provided API credentials and URL are correct and that the Arcanna.ai service - is reachable and healthy. + This action tests the connectivity between the SOAR platform and the Arcanna.ai + instance by performing a health check. It verifies that the integration is correctly + configured and reachable. - ### Parameters Description + ### Flow Description - There are no action-specific parameters for this action. It relies entirely on - the global integration configuration (URL, API Key, and SSL Verification settings). + 1. The action extracts the required configuration parameters: `Integration.Url`, + `Integration.Api Key`, and `SSL Verification`. + 2. It initializes the `ArcannaClient` using the provided credentials and configuration. - ### Flow Description + 3. It executes a GET request to the `/api/v1/health` endpoint of the Arcanna.ai + API. - 1. **Configuration Retrieval**: The action extracts the integration's base URL, - API Key, and SSL verification settings from the environment configuration. + 4. The response from the health check is returned as a JSON result to the SOAR + platform. - 2. **Client Initialization**: An `ArcannaClient` is initialized using the retrieved - credentials. + 5. The action concludes by reporting the success or failure of the connectivity + test. - 3. **Health Check**: The action performs a GET request to the `/api/v1/health` - endpoint of the Arcanna.ai API. - 4. **Result Processing**: The response from the health endpoint is captured and - added to the action's JSON results. + ### Parameters Description + + | Parameter | Type | Mandatory | Description | - 5. **Completion**: The action concludes with a success status if the API responds - correctly, or a failure status if an exception occurs (e.g., connection timeout, - invalid credentials). + | :--- | :--- | :--- | :--- | + | Integration.Url | String | Yes | The base URL of the Arcanna.ai instance. | - ### Additional Notes + | Integration.Api Key | String | Yes | The API key for authentication. | - * This action is strictly for connectivity testing and does not process any case - data or entities. + | SSL Verification.Api Key | String | Yes | Whether to verify SSL certificates + (expected "true" or "false"). Note: The parameter name in the code is "Api Key". + | - * According to standard SOAR practices, Ping actions are excluded from being categorized - as enrichment actions. + + ### Additional Notes + + This action is a standard connectivity test (Ping) and does not perform any data + enrichment or system mutations. capabilities: can_create_case_comments: false can_create_insight: false @@ -682,8 +676,14 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the /api/v1/health endpoint to verify connectivity. + It does not modify external systems or internal SOAR data. categories: enrichment: false + reasoning: >- + The action is a "Ping" action designed to test connectivity. Per the instructions, + "Actions named Ping must not be categorized as enrichment actions." entity_usage: entity_types: [] filters_by_additional_properties: false @@ -699,6 +699,9 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities; it performs a global connectivity + test. Send Active Alert from Case to Arcanna: action_product_categories: add_alert_comment: false @@ -714,6 +717,10 @@ Send Active Alert from Case to Arcanna: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action transmits alert data to an external AI platform (Arcanna.ai). It + does not perform enrichment, containment, ticketing, or alert modification. + Therefore, it does not match any of the predefined product categories. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -729,59 +736,41 @@ Send Active Alert from Case to Arcanna: update_identity: false update_ticket: false ai_description: >- - Sends the current active alert from a Google SecOps case to Arcanna.ai for automated - analysis. This action identifies the specific alert context within a case, extracts - the raw alert payload, and ingests it into a specified Arcanna Job. It allows - for custom mapping of alert identifiers to ensure consistency between systems. + Sends an active alert from a Google SecOps case to the Arcanna.ai platform for + processing. This action allows users to specify a Job ID and optionally map an + alert identifier field to ensure the alert is correctly ingested by Arcanna.ai. - ### Flow Description: + ### Flow Description - 1. **Parameter Extraction:** Retrieves the Arcanna URL, API Key, and SSL settings - from the integration configuration, along with the Job ID and identifier settings - from the action parameters. + 1. Extracts configuration parameters (URL, API Key, SSL verification). - 2. **Case Context Retrieval:** Fetches the full case details and identifies the - `current_alert` being processed. + 2. Extracts action parameters (Job ID, Alert identifier field, and whether to + use the alert ID). - 3. **Alert Matching:** Iterates through the case's `cyber_alerts` to find the - one matching the current alert's identifier. + 3. Retrieves the current case and its associated cyber alerts. - 4. **Identifier Mapping:** If configured, extracts a specific value from the alert - payload (using the provided JSON path) to serve as the event ID in Arcanna. + 4. Identifies the specific alert matching the current alert's identifier. - 5. **Data Ingestion:** Sends the raw alert JSON to the Arcanna API via a POST - request to the specified Job ID. + 5. Sends the alert payload to the Arcanna.ai platform using the provided Job ID. - 6. **Result Handling:** Captures the Arcanna response and attaches it to the action - results. + 6. Adds the API response to the action result. - ### Parameters Description: + ### Parameters Description - | Parameter Name | Type | Mandatory | Description | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Job ID | string | Yes | The unique identifier of the Job in Arcanna.ai that - will process the ingested alert. | - - | Alert identifier field | string | No | The JSON path (e.g., "identifier" or - "metadata.id") within the alert payload used to extract a custom ID. Defaults - to "identifier". | - - | Use Alert ID as ID in Arcanna | boolean | Yes | If set to `True`, the action - uses the value from the 'Alert identifier field' as the ID in Arcanna. If `False`, - Arcanna generates a new unique ID. | + | Job ID | string | Yes | Job ID used for sending event to Arcanna.ai. | + | Alert identifier field | string | No | Identifier field that will be used as + an ID in Arcanna.ai when ingesting the alert. | - ### Additional Notes: - - - This action operates on the alert level within a case context and does not process - individual entities (IPs, Hosts, etc.). - - - Ensure the 'Alert identifier field' correctly matches the structure of your - incoming Google SecOps alerts if you choose to use existing IDs. + | Use Alert ID as ID in Arcanna | boolean | Yes | If False, Arcanna generates + a new unique ID for the alert. If True, Arcanna uses the id found in the "Alert + identifier field". | capabilities: can_create_case_comments: false can_create_insight: false @@ -790,12 +779,19 @@ Send Active Alert from Case to Arcanna: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new event record within the Arcanna.ai platform by sending the raw - alert payload for analysis. + Sends an alert payload to the Arcanna.ai platform for processing. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action makes a POST request to send an alert payload to the external Arcanna.ai + platform (can_mutate_external_data=true). It does not fetch context data from + external systems, nor does it modify internal SOAR case or alert data. categories: enrichment: false + reasoning: >- + The action transmits data to an external system (Arcanna.ai) and does not fetch + data for enrichment or modify internal SOAR data. It does not meet the criteria + for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -811,6 +807,10 @@ Send Active Alert from Case to Arcanna: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `target_entities`. It retrieves the current + case and its associated cyber alerts using `siemplify.current_alert` and `siemplify._get_case()`. + Therefore, it does not run on entities. Send Analyst Feedback to Arcanna: action_product_categories: add_alert_comment: false @@ -826,6 +826,10 @@ Send Analyst Feedback to Arcanna: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action sends feedback to an external system (Arcanna.ai). It does not match + any of the predefined categories like 'Enrich IOC', 'Contain Host', or 'Create + Ticket'. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -843,10 +847,9 @@ Send Analyst Feedback to Arcanna: ai_description: >- ### General Description - The **Send Analyst Feedback to Arcanna** action allows analysts to submit feedback - or labels for specific events processed by Arcanna AI. This is a crucial step - in the human-in-the-loop workflow, enabling the AI model to learn from analyst - decisions and improve its future predictions. + This action sends analyst feedback to the Arcanna.ai platform for a specific event. + It allows analysts to provide input on Arcanna-processed events, which can be + used for model training or decision refinement. ### Parameters Description @@ -855,41 +858,35 @@ Send Analyst Feedback to Arcanna: | :--- | :--- | :--- | :--- | - | Event Id | String | Yes | The unique identifier of the event in Arcanna that - requires feedback. | + | Event Id | string | Yes | The unique identifier of the event in Arcanna. | - | Username | User | Yes | The username of the analyst providing the feedback. + | Username | user | Yes | The username of the analyst providing the feedback. | - | Job Id | String | Yes | The identifier of the Arcanna job that the event belongs - to. | + | Job Id | string | Yes | The unique identifier of the Arcanna job associated + with the event. | - | Analyst Feedback | String | Yes | The specific feedback or label (e.g., 'True - Positive', 'False Positive') to be assigned to the event. | + | Analyst Feedback | string | Yes | The feedback string provided by the analyst. + | - ### Flow Description + ### Additional Notes - 1. **Configuration Retrieval**: The action fetches the Arcanna URL, API Key, and - SSL verification settings from the integration configuration. + There are no additional notes for this action. - 2. **Parameter Extraction**: It retrieves the Job ID, Event ID, Username, and - the feedback content provided by the user. - 3. **API Interaction**: The action uses the Arcanna Client to send a `PUT` request - to the Arcanna API endpoint (`/api/v1/events/{job_id}/{event_id}/feedback`). + ### Flow Description - 4. **Result Processing**: The response from Arcanna is captured and added to the - action's JSON results for audit and visibility. + 1. Extract configuration parameters (URL, API Key, SSL verification). + 2. Extract action parameters (Job ID, Event ID, Username, Feedback). - ### Additional Notes + 3. Initialize the `ArcannaClient` with the provided credentials. - - This action performs an external mutation by updating the state of an event - in the Arcanna AI platform. + 4. Execute the `send_feedback` method, which performs a PUT request to the Arcanna + API. - - Ensure that the `Job Id` and `Event Id` accurately match the records in Arcanna - to avoid execution errors. + 5. Add the API response to the action result. capabilities: can_create_case_comments: false can_create_insight: false @@ -898,12 +895,19 @@ Send Analyst Feedback to Arcanna: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the feedback and analyst label for a specific event in the Arcanna AI - platform via a PUT request. + Updates the feedback status for a specific event in the Arcanna.ai platform + via a PUT request. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a PUT request to an external API (Arcanna.ai) to update + feedback for an event. It does not retrieve contextual data about entities or + alerts, nor does it modify internal SOAR data. categories: enrichment: false + reasoning: >- + The action is a mutation action (sending feedback) and does not fetch data for + enrichment purposes. Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -919,13 +923,16 @@ Send Analyst Feedback to Arcanna: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `siemplify.target_entities`. It operates on + specific IDs provided as parameters. Send Case to Arcanna: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false contain_host: false - create_ticket: true + create_ticket: false delete_email: false disable_identity: false download_file: false @@ -934,6 +941,10 @@ Send Case to Arcanna: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action sends case data to an external AI platform (Arcanna.ai). It does + not match any of the predefined categories like 'Enrich IOC', 'Create Ticket', + 'Contain Host', etc. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -949,54 +960,47 @@ Send Case to Arcanna: update_identity: false update_ticket: false ai_description: >- - Sends the current Google SecOps case data to Arcanna.ai for AI-assisted analysis - and decision-making. This action retrieves the full case details, including associated - entities, and ingests them into a specific Arcanna.ai job. It allows for mapping - a specific case field to be used as the unique identifier within the Arcanna platform. + ### General Description + This action sends the current case data to Arcanna.ai for AI-driven analysis. + It retrieves the full case object from Google SecOps, optionally extracts a specific + case identifier, and prepares a payload containing the case data and target entities. + This payload is then sent to Arcanna.ai via the ArcannaClient, and the API response + is added to the action results. - ### Flow Description - 1. **Parameter Extraction:** Retrieves the Arcanna.ai URL, API Key, and SSL settings - from the integration configuration, along with the Job ID and identifier settings - from the action parameters. + ### Parameters Description - 2. **Data Retrieval:** Fetches the complete case object from Google SecOps and - collects all entities currently in the action's context. + | Parameter | Type | Mandatory | Description | - 3. **Payload Construction:** Combines the case data and the list of entities into - a single JSON payload. + | :--- | :--- | :--- | :--- | - 4. **External Ingestion:** Sends the payload to the Arcanna.ai API via a POST - request to the specified Job ID. If configured, it uses a specific case field - as the external event ID. + | Job ID | string | Yes | The ID of the job in Arcanna.ai used for sending the + event. | - 5. **Result Processing:** Captures the response from Arcanna.ai and attaches it - as a JSON result to the action. + | Case identifier field | string | No | The field in the case to use as an ID + in Arcanna.ai. | + | Use case ID as ID in Arcanna | boolean | Yes | If True, Arcanna uses the ID + found in the 'Case identifier field'. If False, Arcanna generates a new unique + ID. | - ### Parameters Description - | Parameter Name | Type | Mandatory | Description | + ### Flow Description - | :--- | :--- | :--- | :--- | + 1. Extracts configuration parameters (URL, API Key, SSL verification). - | Job ID | string | Yes | The unique identifier of the Arcanna.ai job that will - process the ingested case data. | + 2. Extracts action parameters (Job ID, Case identifier field, Use case ID flag). - | Case identifier field | string | No | The field within the Google SecOps case - object (e.g., "identifier") to be used as the ID in Arcanna.ai. Defaults to "identifier". - | + 3. Retrieves the full case object from Google SecOps. - | Use case ID as ID in Arcanna | boolean | Yes | If set to True, the action will - use the value from the 'Case identifier field' as the ID in Arcanna. If False, - Arcanna generates its own unique ID. | + 4. Optionally extracts a specific case identifier if configured. + 5. Prepares a payload containing the case data and target entities. - ### Additional Notes + 6. Sends the payload to Arcanna.ai via the `ArcannaClient`. - - This action is primarily used for exporting case data to Arcanna.ai to leverage - its machine learning capabilities for alert disposition or triage. + 7. Adds the API response to the action results. capabilities: can_create_case_comments: false can_create_insight: false @@ -1005,12 +1009,18 @@ Send Case to Arcanna: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new event or case record within the Arcanna.ai platform for processing - and analysis. + Sends case data to Arcanna.ai for processing. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action sends case data to an external system (Arcanna.ai) via a POST request. + It does not fetch data from external systems, nor does it modify internal SecOps + data (entities, insights, or comments). categories: enrichment: false + reasoning: >- + The action is not an enrichment action because it does not fetch data from an + external source to enrich the case. It is a data transmission action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1026,6 +1036,10 @@ Send Case to Arcanna: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action retrieves `target_entities` from the case context and includes them + in the payload sent to Arcanna.ai, but it does not perform any filtering or + operations on the entities themselves. Send JSON Document to Arcanna: action_product_categories: add_alert_comment: false @@ -1041,6 +1055,10 @@ Send JSON Document to Arcanna: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is an ingestion/sending tool for Arcanna.ai. It does not match the + expected outcomes of the provided categories (e.g., it is not an enrichment, + containment, ticket creation, or alert modification action). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1056,31 +1074,32 @@ Send JSON Document to Arcanna: update_identity: false update_ticket: false ai_description: >- - Sends a custom JSON document to Arcanna.ai for processing and analysis. This action - allows users to ingest arbitrary data into a specific Arcanna Job, enabling the - AI engine to evaluate the document based on its trained models. The action supports - using a specific field within the JSON as a unique identifier for the document - in Arcanna. + Sends a JSON document to the Arcanna.ai platform for processing. This action allows + users to ingest custom JSON payloads into specific Arcanna jobs, optionally using + a field within the JSON as a unique identifier. ### Flow Description - 1. **Parameter Extraction**: Retrieves the Arcanna URL, API Key, and SSL settings - from the integration configuration, and the Job ID, Identifier field, and JSON - document from the action parameters. + 1. **Configuration Extraction**: The action retrieves the Arcanna.ai integration + configuration (URL, API Key, and SSL verification settings). + + 2. **Parameter Extraction**: It extracts the action-specific parameters: `Job + ID`, `Identifier field`, `Use document ID as ID in Arcanna`, and the `JSON Document` + payload. - 2. **JSON Parsing**: Validates and parses the provided 'JSON Document' string - into a Python dictionary. It ensures the root of the document is not a list. + 3. **Validation**: The action parses the provided `JSON Document` string. If the + JSON is invalid or if the root is a list, the action fails. - 3. **ID Extraction (Optional)**: If 'Use document ID as ID in Arcanna' is enabled, - the action uses dot notation to extract a specific value from the JSON document - to serve as the event identifier. + 4. **Identifier Processing**: If `Use document ID as ID in Arcanna` is set to + `true`, the action attempts to extract the identifier from the JSON document using + the path provided in `Identifier field`. - 4. **API Interaction**: Sends the JSON payload and Job ID to the Arcanna.ai API - via a POST request. + 5. **API Interaction**: The action sends the JSON document (and the optional identifier) + to the Arcanna.ai API using the `ArcannaClient`. - 5. **Result Handling**: Captures the API response, adds it to the action's JSON - results, and completes the execution. + 6. **Result Handling**: The API response is added to the action result, and the + execution status is updated. ### Parameters Description @@ -1089,28 +1108,26 @@ Send JSON Document to Arcanna: | :--- | :--- | :--- | :--- | - | Job ID | string | Yes | The unique identifier of the Arcanna job that will process - the document. | + | **Job ID** | string | Yes | The ID of the job in Arcanna.ai to which the event + will be sent. | - | Identifier field | string | No | The path (supporting dot notation, e.g., 'metadata.id') - to the field in the JSON document that should be used as the unique ID in Arcanna. - | + | **Identifier field** | string | No | The dot-notation field path within the + JSON document to be used as an ID. This is used only if 'Use document ID as ID + in Arcanna' is set to True. | - | Use document ID as ID in Arcanna | boolean | Yes | If set to 'true', the action - will attempt to extract an ID from the 'Identifier field'. If 'false', Arcanna - generates a unique ID automatically. | + | **Use document ID as ID in Arcanna** | boolean | No | If True, the action uses + the value found in the 'Identifier field' as the event ID. If False, Arcanna generates + a new unique ID. | - | JSON Document | code | Yes | The actual JSON data to be sent to Arcanna.ai for - analysis. | + | **JSON Document** | code | Yes | The JSON document payload to be sent to Arcanna.ai. + | ### Additional Notes - - The 'JSON Document' must be a valid JSON object. Root-level lists are not supported - by this action. - - - Ensure the 'Job ID' corresponds to an existing and active job in your Arcanna.ai - instance. + - The `Identifier field` parameter is optional, but it is required if `Use document + ID as ID in Arcanna` is set to `true` for the action to correctly map the event + ID. capabilities: can_create_case_comments: false can_create_insight: false @@ -1119,12 +1136,22 @@ Send JSON Document to Arcanna: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Sends a POST request to the Arcanna.ai API to create a new event/document record - within a specific job context. - fetches_data: true + Sends a JSON document to the Arcanna.ai platform for ingestion and processing. + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to an external system (Arcanna.ai) to ingest + a JSON document. It does not fetch data from external systems (no GET requests + for context), nor does it modify internal SOAR case data (entities, insights, + etc.). The use of `siemplify.result.add_result_json` is for reporting the API + response and is not considered an internal mutation. categories: enrichment: false + reasoning: >- + The action is designed to push/ingest data into an external system (Arcanna.ai). + It does not retrieve contextual information about entities or alerts, nor does + it perform any of the allowed internal mutations (comments, insights, entity + updates). Therefore, it does not meet the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1140,6 +1167,9 @@ Send JSON Document to Arcanna: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action operates on a raw JSON document provided as a parameter and does + not interact with or iterate over the `siemplify.target_entities` list. Send event to Arcanna: action_product_categories: add_alert_comment: false @@ -1155,6 +1185,11 @@ Send event to Arcanna: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action sends case or alert data to an external AI platform (Arcanna.ai). + It does not match any of the predefined categories such as 'Enrich IOC', 'Contain + Host', 'Create Ticket', or 'Send Message' (as it is not a communication app). + It is a specialized integration/export action. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1169,66 +1204,27 @@ Send event to Arcanna: update_email: false update_identity: false update_ticket: false - ai_description: >- - Sends event data (either a full case or a specific alert) to Arcanna.ai for processing - and AI-assisted decision-making. This action allows security teams to offload - event evaluation to Arcanna's AI models by providing the raw event context, associated - entities, and audit information. The action can be configured to send the entire - case or just the active alert, and it supports mapping specific fields to serve - as the reference Event ID in Arcanna. - - - ### Parameters - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Job ID | string | Yes | The unique identifier of the Arcanna.ai job that will - process the event. | - - | Username | user | Yes | The username registered for audit purposes, identifying - who or what triggered the submission. | - - | Event ID mapping field | string | No | A dot-notated path (e.g., `alert.id`) - used to extract a specific value from the payload to serve as the Arcanna Event - ID. | - - | Send individual alerts from case | boolean | No | If set to `true`, only the - current alert context is sent. If `false` (default), the entire case data is sent. - | - - - ### Additional Notes - - - The action requires a valid Job ID from Arcanna.ai to function correctly. - - - If `Send individual alerts from case` is enabled, the action specifically looks - for the alert matching the current execution context within the case's alert list. - - - ### Flow Description - - 1. **Configuration Retrieval:** Fetches the Arcanna URL and API Key from the integration's - global configuration. - - 2. **Parameter Extraction:** Retrieves the Job ID, Username, and optional mapping/toggle - settings from the action parameters. - - 3. **Data Preparation:** - - If `Send individual alerts from case` is `true`, the action iterates through - the case's alerts to find the one matching the current context and prepares its - raw payload. - - If `false`, the action prepares the full case object, including all associated - target entities and metadata. - 4. **ID Mapping:** If an `Event ID mapping field` is provided, the action parses - the prepared payload using dot-notation to extract the specified reference ID. - - 5. **External Submission:** Sends the prepared payload and audit username to the - Arcanna.ai API via a POST request to the events endpoint. - - 6. **Result Handling:** Captures the API response (which typically includes the - Arcanna event status) and attaches it as a JSON result to the action execution. + ai_description: "Sends case or alert data to Arcanna.ai for analysis or processing.\ + \ This action facilitates the integration between the SOAR platform and Arcanna.ai\ + \ by pushing event data to the external service.\n\n### Flow Description\n1. **Configuration\ + \ Extraction**: Retrieves the Arcanna.ai API key and base URL from the integration\ + \ configuration.\n2. **Parameter Parsing**: Extracts action parameters including\ + \ the Job ID, Username, Event ID mapping field, and the toggle for sending individual\ + \ alerts.\n3. **Case Retrieval**: Fetches the full case details from the SOAR\ + \ platform.\n4. **Data Processing**: \n - If 'Send individual alerts from case'\ + \ is enabled, it iterates through the case's cyber alerts, identifies the current\ + \ alert, and prepares the payload.\n - If disabled, it prepares the full case\ + \ payload, including target entities.\n5. **External Submission**: Sends the prepared\ + \ payload to the Arcanna.ai API via a POST request.\n6. **Result Reporting**:\ + \ Adds the API response to the action results.\n\n### Parameters\n| Parameter\ + \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Job ID\ + \ | String | Yes | The ID of the job in Arcanna.ai used for sending the event.\ + \ |\n| Username | User | Yes | The username registered for audit purposes. |\n\ + | Event ID mapping field | String | No | The field used as a reference ID with\ + \ Arcanna.ai. |\n| Send individual alerts from case | Boolean | No | If true,\ + \ sends individual alerts; otherwise, sends the full case. |\n\n### Additional\ + \ Notes\nThis action performs an outbound data push to an external system (Arcanna.ai)\ + \ and does not perform enrichment or modification of the internal SOAR case data." capabilities: can_create_case_comments: false can_create_insight: false @@ -1237,12 +1233,21 @@ Send event to Arcanna: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new event record in Arcanna.ai for AI analysis and processing via - a POST request. - fetches_data: true + Sends event or case data to the Arcanna.ai platform via a POST request. + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to an external API (Arcanna.ai) to send event + data, which constitutes external data mutation (in the context of the external + system). It does not fetch data to enrich the SOAR case, nor does it modify + internal SOAR data, entities, or case comments. categories: enrichment: false + reasoning: >- + The action is an export/integration action that pushes data to an external system. + It does not fetch data to enrich the SOAR case, nor does it perform any of the + allowed internal mutations (comments, insights, entity updates). Therefore, + it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1258,6 +1263,11 @@ Send event to Arcanna: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action retrieves 'target_entities' from the context data to include them + in the payload sent to Arcanna.ai, but it does not iterate over, filter, or + perform any operations on the entities themselves. Therefore, it does not run + on specific entity types. Trigger AI Model training: action_product_categories: add_alert_comment: false @@ -1273,6 +1283,10 @@ Trigger AI Model training: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action triggers an AI model training job in the Arcanna.ai platform. This + does not match any of the predefined categories such as enrichment, containment, + or ticketing. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1288,50 +1302,17 @@ Trigger AI Model training: update_identity: false update_ticket: false ai_description: >- - ### General Description - - Triggers the training process for a specific AI model job within the Arcanna.ai - platform. This action is used to initiate the learning phase of a model based - on the feedback and data collected for a particular job ID. It requires an audit - username to track who initiated the training. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Job ID | string | Yes | The unique identifier for the Arcanna job where the - AI model training will be triggered. | - - | Username | user | Yes | The username of the analyst or system account triggering - the training, used for audit purposes within Arcanna.ai. | - - - ### Flow Description - - 1. **Configuration Extraction**: Retrieves the Arcanna URL, API Key, and SSL verification - settings from the integration configuration. - - 2. **Parameter Extraction**: Retrieves the `Job ID` and `Username` from the action - parameters. - - 3. **Client Initialization**: Initializes the `ArcannaClient` with the provided - credentials and base URL. - - 4. **API Request**: Sends a POST request to the Arcanna API endpoint `/api/v1/jobs/{job_id}/train` - with the specified username. - - 5. **Result Processing**: Captures the API response, adds it to the action's JSON - results, and completes the execution with a success or failure status based on - the API's response. - - - ### Additional Notes - - - This action does not run on entities; it is a standalone task that interacts - directly with the Arcanna.ai API using the provided Job ID. + This action triggers an AI model training job within the Arcanna.ai platform. + The action extracts configuration parameters (URL, API Key, SSL verification) + and action parameters (Job ID, Username) to authenticate and initiate the training + process via a POST request. The action returns the API response to the SOAR platform + for audit and tracking purposes. Flow: 1. Extract configuration and action parameters. + 2. Initialize the ArcannaClient. 3. Execute the train_model method, which sends + a POST request to the Arcanna.ai API to initiate the training process. 4. Return + the API response to the SOAR platform. Parameters: | Parameter | Type | Mandatory + | Description | | --- | --- | --- | --- | | Job ID | string | Yes | The ID of + the job where training will be triggered. | | Username | user | Yes | The username + for audit purposes. | capabilities: can_create_case_comments: false can_create_insight: false @@ -1340,12 +1321,19 @@ Trigger AI Model training: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Triggers a model training process for a specific job in the Arcanna.ai platform, - which changes the state of the AI model. - fetches_data: true + Triggers an AI model training job in the Arcanna.ai platform. + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action triggers an AI model training job in the Arcanna.ai platform via + a POST request. It does not fetch contextual data for enrichment, nor does it + modify internal SOAR data or entities. categories: enrichment: false + reasoning: >- + The action triggers an external process (AI model training) and does not fetch + data for enrichment or modify internal SOAR data. Therefore, it is not an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1361,6 +1349,9 @@ Trigger AI Model training: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with entities. It uses action parameters 'Job ID' + and 'Username' to perform its task. Update alert priority: action_product_categories: add_alert_comment: false @@ -1376,6 +1367,9 @@ Update alert priority: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action updates the priority of the alert within the SecOps platform, which + directly matches the 'Update Alert' category. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1391,44 +1385,34 @@ Update alert priority: update_identity: false update_ticket: false ai_description: >- - Updates the priority level of the current alert within the Google SecOps platform. - This action allows analysts or automated workflows to dynamically adjust the severity - of an alert based on external logic or decision-making tools like ArcannaAI. - - - ### Flow Description: - - 1. **Identifier Retrieval:** The action first retrieves the unique identifier - for the current alert. - - 2. **Parameter Validation:** It validates that the provided `Priority` parameter - matches one of the allowed values: Informative, Low, Medium, High, or Critical. - - 3. **Version Check:** It verifies that the Google SecOps (Siemplify) environment - version is 5.6 or higher, as earlier versions do not support this API endpoint. + ### General Description - 4. **Internal API Call:** It executes a POST request to the internal SOAR API - (`/external/v1/sdk/UpdateAlertPriority`) with the case ID, alert identifier, and - the new priority value. + This action updates the priority of the current alert within the Google SecOps + platform. It allows analysts to programmatically change an alert's priority level + based on automated decisions or other workflow triggers. - ### Parameters Description: + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Priority | String | Yes | The new priority level to assign to the alert. Must - be one of: `Informative`, `Low`, `Medium`, `High`, or `Critical`. | + | Priority | string | Yes | The new priority level for the alert. Must be one + of the following values: 'Informative', 'Low', 'Medium', 'High', 'Critical'. | + + + ### Flow Description + 1. The action extracts the 'Priority' parameter and validates it against the allowed + list of priority values. - ### Additional Notes: + 2. It verifies that the current Siemplify version is 5.6 or higher. - - This action interacts with the internal Google SecOps API rather than an external - ArcannaAI endpoint to perform the update. + 3. It retrieves the current alert identifier and case ID from the context. - - If the alert identifier is missing or the version is unsupported, the action - will terminate with a failure message. + 4. It sends a POST request to the internal SecOps API endpoint (`/external/v1/sdk/UpdateAlertPriority`) + to update the alert's priority. capabilities: can_create_case_comments: false can_create_insight: false @@ -1439,10 +1423,16 @@ Update alert priority: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Updates the priority level of the current alert within the Google SecOps platform - via an internal API call. + Updates the priority of the current alert within the Google SecOps platform. + reasoning: >- + The action modifies the alert's priority within the SecOps platform by calling + an internal API endpoint. It does not fetch external data or mutate external + systems. categories: enrichment: false + reasoning: >- + The action is a mutation action (updates alert priority) and does not fetch + data for enrichment purposes. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1458,3 +1448,7 @@ Update alert priority: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action operates on the current alert context (`siemplify.current_alert`) + rather than iterating over `target_entities`. Therefore, it does not use any + entity types. diff --git a/content/response_integrations/third_party/community/arcanna_ai/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/arcanna_ai/resources/ai/integration_ai_description.yaml index 2e831240c..4b52710b0 100644 --- a/content/response_integrations/third_party/community/arcanna_ai/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/community/arcanna_ai/resources/ai/integration_ai_description.yaml @@ -7,6 +7,18 @@ product_categories: iam_and_identity_management: false itsm: false network_security: false + reasoning: >- + The Arcanna.ai integration is a decision intelligence platform designed to augment + SOC analysts by providing AI-driven decisions on alerts and cases. It does not + perform log analysis or IOC correlation (SIEM), host-level investigation (EDR), + network traffic blocking (Network Security), indicator reputation enrichment (Threat + Intelligence), email management (Email Security), identity management (IAM), cloud + resource management (Cloud Security), ticketing (ITSM), vulnerability management + (Vulnerability Management), asset inventory management (Asset Inventory), or collaboration/notification + (Collaboration). While the integration includes an action to update alert priority + within the SOAR platform, this is an internal utility action and does not align + with the specific functional categories provided. Consequently, none of the product + categories are applicable. siem: false - threat_intelligence: true + threat_intelligence: false vulnerability_management: false diff --git a/content/response_integrations/third_party/community/asana/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/asana/resources/ai/actions_ai_description.yaml index 89421c798..2a16e9ad7 100644 --- a/content/response_integrations/third_party/community/asana/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/asana/resources/ai/actions_ai_description.yaml @@ -13,6 +13,11 @@ Add User To Workspace: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action adds a user to an Asana workspace, which modifies workspace membership. + This aligns with the 'Update Identity' category, which includes modifying group + memberships. It does not match other categories like Enrichment, Ticket creation, + or Alert updates. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -30,48 +35,43 @@ Add User To Workspace: ai_description: >- ### General Description - Adds a user to a specific Asana workspace using their email address. This action - is designed to manage workspace membership by programmatically inviting or adding - users to an organization's workspace environment. + Adds a user to a specific Asana workspace. This action facilitates user management + by programmatically adding a user to a designated workspace within the Asana platform. ### Parameters Description - | Parameter Name | Type | Mandatory | Description | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Workspace Name | string | Yes | The name of the Asana workspace to which the - user will be added. Note: This parameter is case-sensitive. | + | Workspace Name | string | Yes | The name of the workspace to which you want + to add the user. Note: It is case sensitive! | - | User's Email | string | Yes | The email address of the user to be added to the - specified workspace. | + | User's Email | string | Yes | The email address of the user you want to add. + | ### Additional Notes - This action does not operate on SecOps entities. It relies entirely on the provided - action parameters to identify the target workspace and the user. Ensure the 'Workspace - Name' matches exactly as it appears in Asana. + - The action requires a valid Asana API token and base URL configured in the integration + settings. + + - The workspace name is case-sensitive. ### Flow Description - 1. **Configuration Extraction**: Retrieves the Asana API Token and Base URL from - the integration settings. + 1. Extracts configuration parameters (Token, Base URL) and action parameters (Workspace + Name, User's Email). - 2. **Parameter Extraction**: Retrieves the target 'Workspace Name' and the 'User's - Email' from the action inputs. + 2. Initializes the Asana manager with the provided credentials. - 3. **Workspace Identification**: Queries the Asana API to list all workspaces - and identifies the unique Workspace GID (Global ID) corresponding to the provided - name. + 3. Retrieves the workspace ID by searching for the provided workspace name. - 4. **User Addition**: Executes a POST request to the Asana workspace's `addUser` - endpoint, passing the user's email address. + 4. Sends a POST request to add the specified user to the identified workspace. - 5. **Result Processing**: Evaluates the API response to confirm if the user was - successfully added and outputs the resulting JSON data to the action results. + 5. Returns the operation result and adds the JSON result to the action. capabilities: can_create_case_comments: false can_create_insight: false @@ -80,12 +80,19 @@ Add User To Workspace: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Adds a user to a specific Asana workspace by sending a POST request to the workspace's - addUser endpoint. + Adds a user to an Asana workspace via a POST request. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action makes a POST request to add a user to a workspace (can_mutate_external_data=true). + It fetches the workspace ID (fetches_data=true). It does not update internal + entities or create insights. categories: enrichment: false + reasoning: >- + The action performs a mutation on an external system (adding a user to a workspace) + and does not fetch data for enrichment purposes. Therefore, it is not an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -101,6 +108,10 @@ Add User To Workspace: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not iterate over `siemplify.target_entities` or use entity-specific + identifiers. It extracts parameters directly from the action configuration, + so it does not run on entities. Create Task: action_product_categories: add_alert_comment: false @@ -116,6 +127,10 @@ Create Task: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action creates a new task in Asana, which is a project management tool. + This aligns with the 'Create Ticket' category, as creating a task is functionally + equivalent to creating a ticket or record in an external system. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -130,54 +145,27 @@ Create Task: update_email: false update_identity: false update_ticket: false - ai_description: >- - Creates a new task in Asana within a specified project. This action allows users - to programmatically generate tasks, assign them to specific users, and set due - dates and descriptions directly from Google SecOps. - - - ### Flow Description - - 1. **Retrieve Project ID**: The action first searches for the internal Asana GID - (Global ID) associated with the provided 'Project Name'. - - 2. **Retrieve Assignee ID (Optional)**: If an 'Assignee' email is provided, the - action fetches the corresponding user's GID from Asana. - - 3. **Create Task**: The action sends a POST request to Asana to create the task - with the specified subject, description, project association, and optional assignee/due - date. - - 4. **Output Results**: Upon success, the action provides a direct link to the - created task in the Asana UI and returns the full task object as JSON. - - - ### Parameters Description - - | Parameter Name | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Task Subject | string | True | The title/subject of the new task. | - - | Assignee | string | False | The email address of the user to whom the task will - be assigned. Note: This is case-sensitive. | - - | Due Date | string | False | The deadline for the task in YYYY-MM-DD format. - | - - | Description | string | True | Detailed notes or description for the task. | - - | Project Name | string | True | The name of the Asana project where the task - should be created. Note: This is case-sensitive. | - - - ### Additional Notes - - - The action requires a valid Personal Access Token (PAT) and Base URL configured - in the Asana integration settings. - - - If the project name or assignee email cannot be found, the action will fail. + ai_description: "Creates a new task in Asana. This action allows users to programmatically\ + \ generate tasks within a specified project, optionally assigning them to a user\ + \ and setting a due date.\n\n### Flow Description\n1. The action extracts the\ + \ configuration parameters (Token, Base URL) and the action parameters (Task Subject,\ + \ Assignee, Due Date, Description, Project Name).\n2. An `AsanaManager` instance\ + \ is initialized with the provided credentials.\n3. The action retrieves the `project_id`\ + \ from Asana using the provided `Project Name`.\n4. If an `Assignee` is provided,\ + \ the action retrieves the corresponding `user_id` from Asana.\n5. The action\ + \ creates the task in the specified project using the retrieved IDs and the provided\ + \ task details.\n6. Upon successful creation, the task's permalink URL is added\ + \ to the action results, and the full JSON response is attached to the action\ + \ output.\n\n### Parameters Description\n| Parameter | Type | Mandatory | Description\ + \ |\n| :--- | :--- | :--- | :--- |\n| Task Subject | string | Yes | The subject\ + \ of the new task. |\n| Assignee | string | No | The user to whom the task will\ + \ be assigned. Note: This is case-sensitive. |\n| Due Date | string | No | The\ + \ due date for the task in YYYY-MM-DD format. |\n| Description | string | Yes\ + \ | The description of the new task. |\n| Project Name | string | Yes | The name\ + \ of the project to which the task will be assigned. Note: This is case-sensitive.\ + \ |\n\n### Additional Notes\n- The `Project Name` and `Task Subject` are mandatory\ + \ for the action to function. \n- The `Assignee` and `Due Date` parameters are\ + \ optional; if not provided, the task will be created without them." capabilities: can_create_case_comments: false can_create_insight: false @@ -185,12 +173,19 @@ Create Task: can_mutate_external_data: true can_mutate_internal_data: false can_update_entities: false - external_data_mutation_explanation: >- - Creates a new task record in the Asana project management system. + external_data_mutation_explanation: Creates a new task in the Asana project. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs GET requests to retrieve project and user IDs (fetches_data=true) + and a POST request to create a task in Asana (can_mutate_external_data=true). + It does not modify internal Google SecOps data, update entities, create insights, + or modify alert data. categories: enrichment: false + reasoning: >- + The action creates data in an external system (Asana) rather than just retrieving + context. Therefore, it does not meet the criteria for an Enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -206,6 +201,9 @@ Create Task: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or process `siemplify.target_entities`. It + relies entirely on user-provided input parameters to perform its task. Get Task: action_product_categories: add_alert_comment: false @@ -220,7 +218,11 @@ Get Task: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false - get_alert_information: false + get_alert_information: true + reasoning: >- + The action fetches task details from Asana. This aligns with the 'Get Alert + Information' category, as it retrieves metadata about a specific object from + the third-party product. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -235,25 +237,43 @@ Get Task: update_email: false update_identity: false update_ticket: false - ai_description: "### General Description\nThe **Get Task** action retrieves detailed\ - \ information about a specific task in Asana using its unique Task ID. This action\ - \ is used to fetch metadata such as the task name, due date, and permalink, allowing\ - \ analysts to programmatically access task context within a playbook.\n\n### Parameters\ - \ Description\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- |\ - \ :--- | :--- |\n| **Task ID** | String | Yes | The unique identifier for the\ - \ Asana task. This ID is typically found in the task's URL (e.g., `https://app.asana.com/0/{project_id}/{task_id}`).\ - \ |\n\n### Flow Description\n1. **Initialization**: The action extracts the Asana\ - \ API Token and Base URL from the integration configuration.\n2. **Parameter Extraction**:\ - \ The **Task ID** is retrieved from the action input parameters.\n3. **API Request**:\ - \ The action calls the Asana API's GET endpoint for tasks (`/tasks/{task_id}`)\ - \ via the AsanaManager.\n4. **Data Processing**: \n * If the task exists: The\ - \ action extracts the task name, due date, and permalink URL. It then adds a direct\ - \ link to the task in the Google SecOps results.\n * If the task does not exist:\ - \ The action returns a failure message indicating the task was not found.\n5.\ - \ **Output**: The full JSON response from Asana is attached to the action results\ - \ for further processing.\n\n### Additional Notes\nThis action does not operate\ - \ on entities (IPs, Hostnames, etc.) and instead relies entirely on the provided\ - \ Task ID parameter." + ai_description: >- + Retrieves detailed information for a specific task from Asana. This action fetches + task metadata, including the task name, due date, and a direct link to the task + in Asana, and adds this information to the action results. + + + ### Flow Description + + 1. The action extracts the required configuration parameters (Token, Base URL) + and the mandatory 'Task ID' parameter. + + 2. It initializes the `AsanaManager` to handle communication with the Asana API. + + 3. It calls the `get_a_task` method to retrieve the task details from Asana. + + 4. If the task is found, it adds a link to the task in the action results and + returns a success status. + + 5. If the task is not found, it returns a failure status. + + 6. Finally, it adds the full JSON response containing the task details to the + action results. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Task ID | string | Yes | The unique identifier for the Asana task, which can + be found in the task's URL. | + + + ### Additional Notes + + There are no additional notes for this action. capabilities: can_create_case_comments: false can_create_insight: false @@ -264,8 +284,17 @@ Get Task: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve task details from Asana. It does + not modify external data (no POST/PUT/DELETE). It does not modify internal Google + SecOps data (no entity updates, insights, or case comments). It simply fetches + data and presents it in the action results. categories: - enrichment: true + enrichment: false + reasoning: >- + The action fetches data from an external system (Asana) but does not operate + on entities or modify internal SecOps data. Therefore, it does not meet the + criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -281,6 +310,9 @@ Get Task: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with the `siemplify.target_entities` list. It operates + solely based on the provided 'Task ID' parameter. List My Tasks: action_product_categories: add_alert_comment: false @@ -296,6 +328,10 @@ List My Tasks: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves a list of tasks from Asana. It does not match any of the + defined categories, as it is a task-listing utility rather than an enrichment, + containment, or ticket management action. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -313,10 +349,8 @@ List My Tasks: ai_description: >- ### General Description - The **List My Tasks** action retrieves all tasks associated with a specific user - within a designated Asana workspace. This action is useful for tracking user productivity, - auditing task assignments, or gathering context on a user's current workload during - a security investigation. + Lists all the tasks associated with a user in Asana. This action retrieves task + details, including names and due dates, and provides links to the tasks in Asana. ### Parameters Description @@ -325,52 +359,39 @@ List My Tasks: | :--- | :--- | :--- | :--- | - | User's Email | string | True | The email address of the Asana user whose tasks - you want to retrieve. | + | User's Email | string | Yes | The email of the user you would like to retrieve + tasks for in Asana. | - | Workspace Name | string | True | The exact name of the Asana workspace (case-sensitive). + | Workspace Name | string | Yes | The workspace name. Note: This is case sensitive. | - | Completed Status | boolean | False | If set to `true`, the action will only - return tasks that have been marked as completed. If `false` (default), it returns - incomplete tasks. | + | Completed Status | boolean | No | Marking the checkbox will retrieve only the + tasks that were completed by the user. | ### Additional Notes - - The `Workspace Name` parameter is case-sensitive and must match the name in - Asana exactly. - - - The action provides direct URLs to the tasks in the SOAR interface for quick - access. - - - If no tasks are found for the user, the action will complete with a "False" - result. + The action requires a valid Asana Personal Access Token and Base URL configured + in the integration settings. ### Flow Description - 1. **Parameter Extraction:** The action retrieves the user's email, workspace - name, and completion status filter from the input parameters. + 1. Extract configuration and action parameters. - 2. **User Identification:** It queries the Asana API to find the unique `gid` - (Global ID) for the user based on the provided email. + 2. Initialize `AsanaManager`. - 3. **Workspace Identification:** It fetches all workspaces available to the authenticated - token and matches the provided `Workspace Name` to find the corresponding `workspace_id`. + 3. Retrieve `user_id` and `workspace_id`. - 4. **Task List Retrieval:** It identifies the specific "User Task List" ID for - that user within the identified workspace. + 4. Fetch the user's task list ID. - 5. **Task Fetching:** The action retrieves the list of tasks from the user's task - list. + 5. Retrieve all tasks from the user's task list. - 6. **Detail Enrichment & Filtering:** For each task, it fetches full details (including - completion status and due dates) and filters them based on the `Completed Status` - parameter. + 6. Filter tasks based on the `Completed Status` parameter. - 7. **Result Compilation:** It compiles the task names, details, and permalinks - into a JSON result and adds clickable links to the SOAR action output. + 7. Add task details to the JSON result and add links to the action results. + + 8. End the action. capabilities: can_create_case_comments: false can_create_insight: false @@ -381,8 +402,14 @@ List My Tasks: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches task data from Asana via GET requests. It does not modify + external systems or internal SOAR data (entities, insights, etc.). categories: - enrichment: true + enrichment: false + reasoning: >- + The action does not meet the criteria for an enrichment action as it does not + enrich entities or alerts, nor does it add insights or update entities. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -398,6 +425,9 @@ List My Tasks: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not reference `target_entities` and relies on action parameters + to identify the user and workspace. Therefore, it does not run on entities. List Project Tasks: action_product_categories: add_alert_comment: false @@ -413,6 +443,10 @@ List Project Tasks: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves a list of tasks from Asana based on a project name. It + does not match any of the defined categories such as 'Enrich IOC', 'Enrich Asset', + 'Search Events', or 'Get Alert Information'. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -430,55 +464,45 @@ List Project Tasks: ai_description: >- ### General Description - Lists all the tasks associated with a specific project in Asana. This action allows - analysts to retrieve a comprehensive list of tasks from a named project, with - the ability to filter results based on their completion status. It provides detailed - task information, including due dates and direct links to the tasks in the Asana - web interface. + This action retrieves a list of tasks from a specified Asana project. It allows + users to filter tasks based on their completion status. - ### Parameters Description + ### Flow Description - | Parameter Name | Type | Mandatory | Description | + 1. Extract configuration parameters (Token, Base URL) and action parameters (Project + Name, Completed Status). - | :--- | :--- | :--- | :--- | + 2. Initialize the `AsanaManager` to interact with the Asana API. - | Project Name | string | True | The name of the project from which you would - like to fetch all the tasks. | + 3. Retrieve the project ID corresponding to the provided `Project Name`. - | Completed Status | boolean | False | If set to true, the action retrieves only - tasks that are marked as completed. If false, it retrieves only incomplete tasks. - | + 4. Fetch all tasks associated with the identified project. + 5. Iterate through the tasks, retrieving detailed information for each. - ### Additional Notes + 6. Filter the tasks based on the `Completed Status` parameter. - - The action performs a lookup to find the internal Asana Project ID based on - the provided 'Project Name' before fetching tasks. + 7. Add links to the tasks in the SOAR result and return the task details as a + JSON result. - - For each task found, a secondary API call is made to retrieve full task details, - including the permalink and completion status. + ### Parameters Description - ### Flow Description + | Parameter | Type | Mandatory | Description | - 1. **Configuration Extraction**: Retrieves the Asana API token and base URL from - the integration settings. + | --- | --- | --- | --- | - 2. **Project Identification**: Calls the Asana API to find the unique Project - ID corresponding to the provided 'Project Name'. + | Project Name | string | Yes | The name of the project from which you would like + to fetch all the tasks. | - 3. **Task Retrieval**: Fetches a list of all task summaries associated with the - identified Project ID. + | Completed Status | boolean | No | Marking the checkbox will retrieve only the + tasks that were completed by the user. | - 4. **Detail Enrichment & Filtering**: For each task summary, the action retrieves - full task details and filters them based on the 'Completed Status' parameter. - 5. **Result Compilation**: Adds the filtered task details to the JSON result and - generates clickable links (permalinks) for each task in the Google SecOps interface. + ### Additional Notes - 6. **Finalization**: Ends the action with a summary message indicating success - or if no tasks were found. + None. capabilities: can_create_case_comments: false can_create_insight: false @@ -489,8 +513,16 @@ List Project Tasks: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs GET requests to the Asana API to retrieve project tasks. + It does not modify any external systems (no POST/PUT/DELETE on Asana) or internal + SOAR data (no entity updates, insights, or case comments). categories: enrichment: false + reasoning: >- + The action is a search/list operation for project tasks. It does not enrich + entities or alerts, nor does it meet the criteria for an enrichment action (which + requires operating on entities). entity_usage: entity_types: [] filters_by_additional_properties: false @@ -506,6 +538,9 @@ List Project Tasks: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use `target_entities`. It relies on user-provided parameters + (`Project Name`) to perform its search. Ping: action_product_categories: add_alert_comment: false @@ -521,6 +556,10 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test ('Ping') and does not perform any functional + operations like enrichment, ticketing, or containment. Therefore, it does not + match any of the defined product categories. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -538,41 +577,39 @@ Ping: ai_description: >- ### General Description - The **Ping** action is a diagnostic tool used to verify the connectivity between - Google SecOps and the Asana instance. It ensures that the provided Personal Access - Token (PAT) and Base URL are correct and that the network path to the Asana API - is open. This action is typically used during the initial setup of the integration - or for troubleshooting communication issues. + This action tests the connectivity between the SOAR platform and the Asana API + to ensure the integration is configured correctly. - ### Flow Description + ### Parameters Description - 1. **Configuration Extraction**: The action retrieves the `Token` and `Base URL` - from the integration's configuration settings. + | Parameter | Type | Mandatory | Description | - 2. **Manager Initialization**: It initializes the `AsanaManager` with the extracted - credentials. + | :--- | :--- | :--- | :--- | - 3. **Connectivity Test**: The action calls the `test_connectivity` method, which - performs a `GET` request to the `/users/me` endpoint of the Asana API. + | Token | String | Yes | The personal access token (PAT) used for authentication + with the Asana API. | - 4. **Result Evaluation**: If the API returns a successful response (HTTP 200) - and valid JSON, the action concludes with a success message. Otherwise, it returns - a failure. + | Base URL | String | Yes | The base URL of the Asana API. | - ### Parameters Description + ### Additional Notes - There are no specific action parameters for this action. It relies entirely on - the global integration configuration (Token and Base URL). + This action is a connectivity test and does not perform any data enrichment or + system modifications. It is intended for verification purposes only. - ### Additional Notes + ### Flow Description - * This action does not process any entities. + 1. The action extracts the `Token` and `Base URL` from the integration configuration. - * It is a read-only operation that does not modify any data in Asana or Google - SecOps. + 2. It initializes the `AsanaManager` with these credentials. + + 3. It executes the `test_connectivity` method, which performs a `GET` request + to the Asana API endpoint `/users/me`. + + 4. If the request is successful, the action returns a success message; otherwise, + it reports a failure. capabilities: can_create_case_comments: false can_create_insight: false @@ -581,10 +618,16 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to verify connectivity. It does not modify + external systems, update internal SOAR data, or process entities. categories: enrichment: false + reasoning: >- + The action is named 'Ping' and is designed solely to test connectivity. Per + the instructions, 'Ping' actions are not categorized as enrichment actions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -600,6 +643,9 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `siemplify.target_entities` and performs a + global connectivity test. Remove User From Workspace: action_product_categories: add_alert_comment: false @@ -608,13 +654,17 @@ Remove User From Workspace: contain_host: false create_ticket: false delete_email: false - disable_identity: false + disable_identity: true download_file: false enable_identity: false enrich_asset: false enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action removes a user from an Asana workspace. This action revokes the user's + access to that workspace, which aligns with 'Disable Identity' (revoking access) + and 'Update Identity' (modifying membership/permissions). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -629,24 +679,46 @@ Remove User From Workspace: update_email: false update_identity: true update_ticket: false - ai_description: "Removes a specific user from an Asana workspace using their email\ - \ address. This action is useful for offboarding users or managing workspace access\ - \ dynamically during incident response. \n\n### Flow Description:\n1. **Configuration\ - \ Retrieval:** Extracts the Asana API token and base URL from the integration\ - \ settings.\n2. **Parameter Extraction:** Retrieves the target 'Workspace Name'\ - \ and the 'User's Email' from the action parameters.\n3. **Workspace Identification:**\ - \ Calls the Asana API to find the unique Workspace GID associated with the provided\ - \ workspace name.\n4. **User Removal:** Sends a POST request to the Asana endpoint\ - \ `/workspaces/{workspace_id}/removeUser` to remove the specified user.\n5. **Result\ - \ Reporting:** Returns a success message if the user was removed or a failure\ - \ message if the operation could not be completed.\n\n### Parameters Description:\n\ - | Parameter Name | Type | Mandatory | Description |\n| :--- | :--- | :--- | :---\ - \ |\n| Workspace Name | string | True | The case-sensitive name of the Asana workspace\ - \ from which the user should be removed. |\n| User's Email | string | True | The\ - \ email address of the user to be removed from the workspace. |\n\n### Additional\ - \ Notes:\n- This action does not run on SecOps entities; it uses the provided\ - \ email string directly.\n- The workspace name must match exactly (case-sensitive)\ - \ as it appears in Asana." + ai_description: >- + ### General Description + + This action removes a specified user from an Asana workspace. It interacts with + the Asana API to identify the workspace by name and then performs a removal operation + for the provided user email address. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Workspace Name | string | Yes | The name of the Asana workspace from which the + user should be removed. Note: This is case-sensitive. | + + | User's Email | string | Yes | The email address of the user to be removed from + the workspace. | + + + ### Flow Description + + 1. **Configuration Extraction**: The action retrieves the Asana API token and + base URL from the integration configuration. + + 2. **Parameter Extraction**: The action retrieves the `Workspace Name` and `User's + Email` from the action parameters. + + 3. **Manager Initialization**: An `AsanaManager` instance is initialized with + the provided credentials. + + 4. **Workspace Identification**: The action calls the Asana API to resolve the + `Workspace Name` to a unique `workspace_id`. + + 5. **User Removal**: The action sends a request to the Asana API to remove the + specified user from the identified workspace. + + 6. **Result Reporting**: The action returns a success or failure message based + on the API response. capabilities: can_create_case_comments: false can_create_insight: false @@ -655,11 +727,19 @@ Remove User From Workspace: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Removes a user's access and membership from a specific Asana workspace. + The action removes a user from an Asana workspace via an API call. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve the workspace ID (fetches_data=true) + and a POST request to remove the user from the workspace (can_mutate_external_data=true). + It does not modify any internal SOAR data or entities. categories: enrichment: false + reasoning: >- + The action mutates external data (removes a user from a workspace), which violates + the 'External State Preservation' rule for enrichment actions. Therefore, it + is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -675,6 +755,10 @@ Remove User From Workspace: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not utilize the `target_entities` list. It relies solely on + user-provided input parameters (Workspace Name and User's Email) to perform + its function. Update Task: action_product_categories: add_alert_comment: false @@ -690,6 +774,9 @@ Update Task: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action updates an existing task in Asana, which is a project management/ticketing + system. This aligns with the 'Update Ticket' category. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -705,28 +792,29 @@ Update Task: update_identity: false update_ticket: true ai_description: >- - Updates an existing task in Asana by modifying its assignee, due date, or description. - The action first resolves the provided assignee email to a unique Asana user ID - and then submits a PUT request to the Asana API to apply the changes to the specified - task. + ### General Description + + Updates an existing task in Asana. This action allows users to modify specific + fields of a task, such as the assignee, due date, and description, by providing + the task's unique identifier. ### Flow Description - 1. **Configuration Extraction:** Retrieves the Asana API Token and Base URL from - the integration settings. + 1. The action extracts the required configuration parameters (Token, Base URL) + and action parameters (Task ID, Assignee, Due Date, Description). - 2. **Parameter Extraction:** Collects the Task ID, Assignee email, Due Date, and - Description from the action input. + 2. An `AsanaManager` instance is initialized to handle communication with the + Asana API. - 3. **User Resolution:** Calls the Asana API to convert the provided Assignee email - into a Global Identifier (GID). + 3. If an assignee email is provided, the action resolves the email to a user ID + using the Asana API. - 4. **Task Update:** Executes a PUT request to the Asana `/tasks/{task_id}` endpoint - with the updated metadata. + 4. The action performs a `PUT` request to the Asana API to update the specified + task with the provided details (assignee, due date, and description). - 5. **Result Processing:** Returns the updated task object as a JSON result and - provides a success message. + 5. The updated task information is returned as a JSON result, and the action concludes + with a success message. ### Parameters Description @@ -735,26 +823,24 @@ Update Task: | :--- | :--- | :--- | :--- | - | Task ID | string | True | The unique identifier of the task, found in the Asana - URL. | + | Task ID | string | Yes | The unique identifier of the task to update. Can be + found in the Asana task URL. | - | Due Date | string | False | The new deadline for the task in YYYY-MM-DD format. + | Due Date | string | No | The new due date for the task in YYYY-MM-DD format. | - | Description | string | False | The updated notes or description for the task. - | + | Description | string | No | The new description for the task. | - | Assignee | string | False | The email address of the user to whom the task should - be re-assigned. Note: This is case-sensitive. | + | Assignee | string | No | The email address of the user to whom the task should + be re-assigned. | ### Additional Notes - - This action does not process SecOps entities; it operates strictly based on - the provided parameters. + - The `Assignee` parameter is case-sensitive. - - If the Assignee email is provided, the action will attempt to resolve it to - a GID before updating the task. + - The action requires a valid Personal Access Token (PAT) configured in the integration + settings. capabilities: can_create_case_comments: false can_create_insight: false @@ -763,12 +849,18 @@ Update Task: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the assignee, due date, and description fields of an existing task in - the Asana project management system. + Updates task details (assignee, due date, description) in Asana. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches user information (GET) to resolve an email to a user ID and + then updates a task (PUT) in Asana. It does not modify internal SOAR data or + entities. categories: enrichment: false + reasoning: >- + The action mutates external data (updates a task in Asana), so it is not an + enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -784,3 +876,6 @@ Update Task: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use `target_entities`. It uses a `Task ID` provided as an + action parameter to perform the update. diff --git a/content/response_integrations/third_party/community/asana/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/asana/resources/ai/integration_ai_description.yaml index 9194cf1be..133c0975d 100644 --- a/content/response_integrations/third_party/community/asana/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/community/asana/resources/ai/integration_ai_description.yaml @@ -1,12 +1,27 @@ product_categories: asset_inventory: false cloud_security: false - collaboration: true + collaboration: false edr: false email_security: false iam_and_identity_management: true itsm: true network_security: false + reasoning: >- + The Asana integration provides capabilities for task management and user access + control. It qualifies for 'IAM & Identity Management' because it includes actions + like 'Add User To Workspace' and 'Remove User From Workspace', which allow for + the management of user access and membership within the platform. It qualifies + for 'ITSM' because it includes actions like 'Create Task' and 'Update Task', which + are functionally equivalent to creating and updating tickets or assigning tasks + to teams for investigation and remediation. It does not qualify for 'Collaboration' + as defined in the context, which focuses on real-time communication platforms + like Slack/Teams for SOC notifications and human-in-the-loop approvals, whereas + Asana is a project/task management tool. It does not match other categories such + as SIEM, EDR, Network Security, Threat Intelligence, Email Security, Cloud Security, + Vulnerability Management, or Asset Inventory, as it does not interact with security + logs, endpoints, network infrastructure, threat feeds, email systems, cloud resources, + or vulnerability scanners. siem: false threat_intelligence: false vulnerability_management: false diff --git a/content/response_integrations/third_party/community/aws_ec2/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/aws_ec2/resources/ai/actions_ai_description.yaml index 3a0545ccf..77e44a19a 100644 --- a/content/response_integrations/third_party/community/aws_ec2/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/aws_ec2/resources/ai/actions_ai_description.yaml @@ -1,7 +1,7 @@ Authorize Security Group Egress: action_product_categories: add_alert_comment: false - add_ioc_to_allowlist: true + add_ioc_to_allowlist: false add_ioc_to_blocklist: false contain_host: false create_ticket: false @@ -13,6 +13,11 @@ Authorize Security Group Egress: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action modifies AWS security group egress rules. This is an infrastructure + configuration change. It does not match any of the specific predefined categories + like 'Enrich IOC', 'Contain Host', or 'Add IOC To Blocklist'. Therefore, all + categories are false. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -30,10 +35,8 @@ Authorize Security Group Egress: ai_description: >- ### General Description - This action adds or updates outbound (egress) IP permissions for a specific AWS - EC2 Security Group within a VPC. It allows administrators to programmatically - define network traffic rules, specifying protocols, port ranges, and destination - IP ranges (CIDR) that are permitted to leave the security group. + Adds or updates outbound IP permissions for a specific security group in an AWS + VPC. ### Parameters Description @@ -42,39 +45,32 @@ Authorize Security Group Egress: | :--- | :--- | :--- | :--- | - | Group ID | string | Yes | The unique identifier of the AWS Security Group (e.g., - `sg-1a2b3c4d`) where the outbound rules will be applied. | + | Group ID | string | Yes | The ID of the security group to modify. | - | IP Permissions | code | Yes | A JSON-formatted string defining the egress rules. - It must include fields like `IpProtocol`, `FromPort`, `ToPort`, and `IpRanges` - (containing `CidrIp`). | + | IP Permissions | code | Yes | JSON-formatted string defining the egress rules + (e.g., `{"FromPort": 80, "IpProtocol": "tcp", "IpRanges": [{"CidrIp": "1.1.1.1/16"}], + "ToPort": 80}`). | - ### Flow Description - - 1. **Configuration Extraction:** The action retrieves AWS credentials (Access - Key ID, Secret Access Key) and the default region from the integration settings. + ### Additional Notes - 2. **Parameter Parsing:** It extracts the target Security Group ID and the IP - Permissions JSON string from the action inputs. + This action performs a direct mutation on the AWS EC2 infrastructure. Ensure that + the provided AWS credentials have the necessary permissions to modify security + group rules. - 3. **Data Transformation:** The IP Permissions JSON string is parsed into a Python - dictionary and wrapped in a list to meet the AWS SDK (boto3) requirements. - 4. **AWS Interaction:** The action uses the `EC2Manager` to call the AWS `authorize_security_group_egress` - API, which applies the specified rules to the security group. + ### Flow Description - 5. **Result Handling:** If successful, the AWS response metadata is attached as - a JSON result to the action, and a success message is returned. If an error occurs, - it is logged and the action fails. + 1. Extracts AWS credentials and action parameters (`Group ID`, `IP Permissions`). + 2. Parses the `IP Permissions` JSON string into a dictionary. - ### Additional Notes + 3. Initializes the `EC2Manager` with the provided AWS credentials. - - This action performs a state change in AWS by modifying security group configurations. + 4. Executes the `authorize_security_group_egress` method to apply the new egress + rules to the specified security group. - - The `IP Permissions` parameter must be a valid JSON object representing the - rule structure expected by the AWS EC2 API. + 5. Logs the operation status and adds the result JSON to the action output. capabilities: can_create_case_comments: false can_create_insight: false @@ -83,12 +79,19 @@ Authorize Security Group Egress: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Modifies the egress (outbound) rules of the specified AWS Security Group to - allow traffic based on the provided IP permissions. + Modifies AWS EC2 security group egress rules by adding new permissions. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action uses `boto3` to call `authorize_security_group_egress` on AWS EC2. + This is an external mutation. It does not fetch data for enrichment, nor does + it modify internal SOAR data. categories: enrichment: false + reasoning: >- + The action performs a mutation on an external system (AWS EC2) and does not + fetch data for enrichment, nor does it modify internal SOAR data. Therefore, + it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -104,10 +107,13 @@ Authorize Security Group Egress: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not reference `target_entities` or any entity-specific logic. + It operates on parameters provided in the action configuration. Authorize Security Group Ingress: action_product_categories: add_alert_comment: false - add_ioc_to_allowlist: true + add_ioc_to_allowlist: false add_ioc_to_blocklist: false contain_host: false create_ticket: false @@ -119,6 +125,11 @@ Authorize Security Group Ingress: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action modifies AWS security group ingress rules. This is a configuration + change on an external system. It does not fit the specific definitions of IOC + block/allowlisting (which typically target specific indicators), identity management, + or ticket management provided in the list. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -134,59 +145,50 @@ Authorize Security Group Ingress: update_identity: false update_ticket: false ai_description: >- - ### General Description - - Adds or updates inbound (ingress) IP permissions for a specific Amazon EC2 Security - Group within a VPC. This action allows administrators to programmatically define - firewall rules, specifying protocols, ports, and CIDR ranges that are permitted - to access resources associated with the security group. + The Authorize Security Group Ingress action modifies an AWS EC2 security group + by adding or updating inbound IP permissions. This action allows users to programmatically + define network access rules (e.g., opening specific ports for specific IP ranges) + directly within the AWS environment. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Configuration Extraction**: The action retrieves the necessary AWS credentials + (Access Key ID, Secret Access Key) and the default region from the integration + configuration. - | :--- | :--- | :--- | :--- | + 2. **Parameter Extraction**: It extracts the `Group ID` and the `IP Permissions` + (provided as a JSON string) from the action parameters. - | Group ID | string | No | The unique identifier of the security group (e.g., - sg-1a2b3c4d) where the inbound permissions will be applied. While marked as not - mandatory in configuration, the AWS API requires this to identify the target group. - | + 3. **Initialization**: An `EC2Manager` instance is initialized using the extracted + credentials to interface with the AWS EC2 API. - | IP Permissions | code | No | A JSON-formatted string defining the ingress rules. - It includes fields like `FromPort`, `ToPort`, `IpProtocol`, and `IpRanges` (e.g., - `{"FromPort": 80, "IpProtocol": "tcp", "IpRanges": [{"CidrIp": "1.1.1.1/16"}], - "ToPort": 80}`). | + 4. **Execution**: The action calls the `authorize_security_group_ingress` method, + which applies the specified ingress rules to the target security group. + 5. **Result Handling**: The action logs the outcome and returns the API response + as a JSON result to the SOAR platform. - ### Additional Notes - - - This action performs a state-changing operation in AWS by modifying network - access control lists. - - The action expects the `IP Permissions` parameter to be a valid JSON string - representing a single rule or a set of rules as defined by the Boto3 EC2 client - documentation. + ### Parameters Description + | Parameter | Type | Mandatory | Description | - ### Flow Description + | :--- | :--- | :--- | :--- | - 1. **Configuration Extraction:** Retrieves AWS credentials (Access Key ID, Secret - Access Key) and the default region from the integration settings. + | Group ID | string | No | The ID of the security group (e.g., sg-1a2b3c4d) to + which the inbound IP permissions will be added. | - 2. **Parameter Parsing:** Extracts the `Group ID` and the `IP Permissions` JSON - string from the action parameters. The JSON string is converted into a Python - dictionary. + | IP Permissions | code | No | A JSON-formatted string defining the ingress rules. + Example: `{"FromPort": 80, "IpProtocol": "tcp", "IpRanges": [{"CidrIp": "1.1.1.1/16"}], + "ToPort": 80}`. | - 3. **Manager Initialization:** Initializes the `EC2Manager` using the provided - AWS credentials and region. - 4. **API Execution:** Calls the AWS EC2 service to authorize the specified ingress - rules for the target security group. + ### Additional Notes - 5. **Result Handling:** Logs the success or failure of the operation, attaches - the raw AWS response as a JSON result to the action, and terminates with a status - message. + While the parameters are marked as not mandatory in the configuration, they are + required for the action to function correctly. The `IP Permissions` parameter + must be a valid JSON string that conforms to the AWS EC2 `IpPermissions` structure. capabilities: can_create_case_comments: false can_create_insight: false @@ -195,12 +197,19 @@ Authorize Security Group Ingress: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Adds or updates inbound IP permissions (ingress rules) for a specific AWS Security - Group, effectively changing the network security posture of the VPC. + Modifies AWS EC2 security group configuration by adding inbound ingress rules. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a mutation on an external system (AWS EC2) by adding ingress + rules to a security group. It does not fetch data from external systems, nor + does it modify internal SOAR data such as entities, insights, or alert metadata. categories: enrichment: false + reasoning: >- + The action is a mutation action that changes the state of an external system + (AWS). It does not retrieve data for enrichment purposes, nor does it meet the + criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -216,6 +225,10 @@ Authorize Security Group Ingress: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with the `target_entities` list. It relies entirely + on user-provided parameters (`Group ID` and `IP Permissions`) to perform its + task. Create Instance: action_product_categories: add_alert_comment: false @@ -231,6 +244,9 @@ Create Instance: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action creates an AWS EC2 instance. This does not match any of the provided + categories (e.g., Enrichment, Ticket creation, Containment, etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -245,60 +261,34 @@ Create Instance: update_email: false update_identity: false update_ticket: false - ai_description: >- - Creates new AWS EC2 instances based on a specified Amazon Machine Image (AMI). - This action allows for the automated provisioning of virtual infrastructure by - defining the image ID, instance type, and the number of instances to be created. - It supports asynchronous execution, meaning it will poll the AWS environment until - the instances transition from a 'pending' state to a 'running' state, ensuring - the instances are fully operational before completing the action. - - - ### Flow Description: - - 1. **Initialization**: Extracts AWS credentials (Access Key, Secret Key, Region) - and action parameters (AMI ID, Instance Type, Counts, and Security Groups). - - 2. **Instance Creation**: In the first run, it calls the AWS EC2 API to launch - the requested number of instances. - - 3. **Status Check**: If instances are in a 'pending' state, the action saves the - instance IDs and enters an 'In Progress' state. - - 4. **Polling**: In subsequent runs, it describes the specific instances to check - their current state. - - 5. **Completion**: Once all instances reach the 'running' state, it retrieves - the full metadata for each instance and completes the execution. - - - ### Parameters Description: - - | Parameter Name | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Image ID | String | No | The ID of the AMI to use for creating the instance - (e.g., ami-12345). | - - | Instance Type | String | No | The hardware specification for the instance (e.g., - m1.small). | - - | Max Count | Integer | Yes | The maximum number of instances to create. | - - | Min Count | Integer | Yes | The minimum number of instances to create. | - - | Security Group ID | String | No | A comma-separated list of Security Group IDs - to associate with the instances. | - - - ### Additional Notes: - - - This action is asynchronous and will continue to run until the instances are - in a 'running' state or an error occurs. - - - If no Instance Type is provided, it defaults to 'm1.small' within the manager - logic. + ai_description: "### General Description\nThis action creates a new Amazon EC2 instance\ + \ within an AWS environment based on the provided Amazon Machine Image (AMI) ID\ + \ and configuration parameters. It supports asynchronous execution, allowing the\ + \ action to poll the instance status until it reaches a 'running' state.\n\n###\ + \ Flow Description\n1. **Initialization**: The action extracts AWS credentials\ + \ (Access Key, Secret Key, Region) and action parameters (Image ID, Instance Type,\ + \ Max/Min Count, Security Group IDs).\n2. **Instance Creation**: It initializes\ + \ the `EC2Manager` and calls the AWS `run_instances` API to initiate the creation\ + \ of the requested EC2 instances.\n3. **Status Check (First Run)**: \n - If\ + \ the instance state is 'pending', the action sets the execution status to 'In\ + \ Progress' and stores the instance IDs in the `additional_data` field for subsequent\ + \ polling.\n - If the instance state is 'running', the action completes successfully\ + \ and returns the instance details.\n4. **Status Check (Subsequent Runs)**: If\ + \ the action is triggered again (polling), it uses the stored instance IDs to\ + \ call `describe_instances` to check the current status of the instances.\n5.\ + \ **Completion**: Once the instances reach the 'running' state, the action completes\ + \ and returns the instance details in the result JSON.\n\n### Parameters Description\n\ + | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ + | Image ID | string | No | The AMI ID to create the new instance from (e.g., ami-12345).\ + \ |\n| Instance Type | string | No | The hardware configuration for the instance\ + \ (e.g., m1.small). |\n| Max Count | string | Yes | The maximum number of instances\ + \ to create. |\n| Min Count | string | Yes | The minimum number of instances to\ + \ create. |\n| Security Group ID | string | No | Comma-separated IDs of security\ + \ groups to assign to the instance (e.g., sg-12345,sg-6789). |\n\n### Additional\ + \ Notes\n- This action performs a state-changing operation on an external AWS\ + \ environment.\n- The action is designed to be asynchronous; if instances are\ + \ not immediately 'running', it will require subsequent runs to verify the final\ + \ state." capabilities: can_create_case_comments: false can_create_insight: false @@ -307,11 +297,19 @@ Create Instance: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates and provisions new virtual machine instances within the AWS EC2 environment. + The action creates new EC2 instances in the AWS environment via the run_instances + API. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action interacts with the AWS EC2 API to create instances (mutating external + data) and describes instances to check their status (fetching data). It does + not modify internal SOAR data, update entities, or create insights. categories: enrichment: false + reasoning: >- + The action is not an enrichment action because its primary purpose is to create + an external resource (EC2 instance), not to retrieve context for existing entities. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -327,6 +325,9 @@ Create Instance: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or utilize `siemplify.target_entities`. It + operates based on parameters provided in the action configuration. Create Tags: action_product_categories: add_alert_comment: false @@ -342,6 +343,10 @@ Create Tags: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action modifies AWS EC2 resources by adding tags. This does not align with + any of the provided categories (e.g., it is not an identity, alert, ticket, + or email update). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -359,47 +364,44 @@ Create Tags: ai_description: >- ### General Description - The 'Create Tags' action allows users to add or overwrite tags for specific AWS - EC2 resources (such as instances, volumes, or security groups). This action is - useful for organizing resources, managing costs, or triggering automation based - on resource metadata within an AWS environment. + Creates or updates tags for specified AWS EC2 resources. This action allows users + to apply key-value pairs to one or more EC2 resources, facilitating better resource + management and organization within the AWS environment. ### Parameters Description | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | - - | Resources ID | String | Yes | A comma-separated list of AWS resource IDs (e.g., - i-1234567890abcdef0) that you want to tag. | + | --- | --- | --- | --- | - | Tags | Code | Yes | A JSON-formatted string representing the tags to be created. - The expected format is a JSON object with a 'tags' key containing a list of Key-Value - pairs, for example: `{"tags": [{"Key": "Environment", "Value": "Production"}]}`. + | Resources ID | string | Yes | Comma-separated list of AWS resource IDs to tag. | + | Tags | code | Yes | JSON-formatted string representing the tags to apply (e.g., + `{"tags": [{"Key": "k", "Value": "v"}]}`). | + ### Flow Description - 1. **Configuration Extraction**: The action retrieves AWS credentials (Access - Key ID, Secret Access Key) and the default region from the integration settings. + 1. Extract AWS credentials (Access Key ID, Secret Access Key) and Default Region + from the integration configuration. - 2. **Parameter Parsing**: It extracts the list of resource IDs and the JSON string - of tags from the action parameters. The tags are converted from a JSON string - into a Python list of dictionaries. + 2. Extract the `Resources ID` and `Tags` parameters from the action settings. - 3. **Resource Iteration**: The action splits the comma-separated resource IDs - and iterates through each one. + 3. Parse the `Resources ID` string into a list and the `Tags` JSON string into + a list of dictionaries. - 4. **AWS API Call**: For each resource, it calls the AWS EC2 `create_tags` API - via the `EC2Manager` to apply the specified tags. + 4. Iterate through each resource ID and call the AWS EC2 `create_tags` API to + apply the specified tags. - 5. **Result Collection**: The action tracks which resources were successfully - tagged and which encountered errors. + 5. Log the outcome for each resource and return the results as a JSON object. - 6. **Finalization**: It outputs a summary message indicating success or failure - for the provided resource IDs and returns a boolean result value. + + ### Additional Notes + + This action performs a direct mutation on AWS resources. Ensure that the provided + AWS credentials have the necessary `ec2:CreateTags` permissions. capabilities: can_create_case_comments: false can_create_insight: false @@ -408,12 +410,18 @@ Create Tags: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - This action adds or overwrites tags on AWS EC2 resources by calling the AWS - EC2 'create_tags' API. + Modifies AWS EC2 resources by adding or updating tags. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a `create_tags` operation on AWS EC2 resources, which is + an external mutation. It does not fetch data for enrichment, nor does it modify + internal SOAR data (entities, insights, etc.). categories: enrichment: false + reasoning: >- + The action is a mutation action (modifying AWS resources) and does not fetch + data for enrichment purposes. Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -429,6 +437,9 @@ Create Tags: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action takes `Resources ID` as a string parameter and does not interact + with the `siemplify.target_entities` list. Delete Instance: action_product_categories: add_alert_comment: false @@ -444,6 +455,10 @@ Delete Instance: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action terminates an EC2 instance, which is a form of host-level remediation. + This aligns with the 'Contain Host' category, as it effectively removes the + instance from the operational environment. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -461,11 +476,11 @@ Delete Instance: ai_description: >- ### General Description - The **Delete Instance** action terminates specific Amazon EC2 instances within - an AWS environment. This is a destructive remediation action that permanently - deletes the specified instances, making them inaccessible. Note that terminated - instances remain visible in the AWS console for approximately one hour after the - deletion process begins. + This action terminates specified AWS EC2 instances. It is designed to perform + a destructive remediation action on cloud infrastructure by invoking the AWS EC2 + `terminate_instances` API. The action processes a list of instance IDs provided + by the user, attempts to delete them, and reports the final status of each instance + (e.g., 'shutting-down' or 'terminated'). ### Parameters Description @@ -474,37 +489,31 @@ Delete Instance: | :--- | :--- | :--- | :--- | - | Instance Ids | String (Content) | Yes | A comma-separated list of EC2 instance - IDs to be deleted (e.g., `i-1234567890abcdef0, i-0987654321fedcba0`). | - - - ### Additional Notes - - - This action is asynchronous; if instances are in the "shutting-down" state, - the action will report as in-progress until the process completes. - - - The result value of the action is the total count of successfully deleted instances. - - - Detailed JSON results for each instance are provided in the action output. + | Instance Ids | String | Yes | A comma-separated list of AWS EC2 instance IDs + to be deleted (e.g., `i-1234567890abcdef0, i-0987654321fedcba0`). | ### Flow Description - 1. **Configuration Extraction:** Retrieves AWS credentials (Access Key ID, Secret - Access Key) and the target region from the integration settings. + 1. **Configuration Extraction**: The action retrieves the necessary AWS credentials + (Access Key ID, Secret Access Key) and the default region from the integration + configuration. - 2. **Input Parsing:** Splits the provided `Instance Ids` string into a list of - individual identifiers and strips any whitespace. + 2. **Parameter Parsing**: The `Instance Ids` parameter is extracted and split + into a list of individual instance IDs. - 3. **Termination Execution:** Iterates through the list and calls the AWS EC2 - `terminate_instances` API for each ID via the EC2 Manager. + 3. **Manager Initialization**: An `EC2Manager` object is instantiated using the + provided credentials to interface with the AWS SDK (boto3). - 4. **State Verification:** Monitors the response for each instance to verify if - the current state is `terminated` or `shutting-down`. + 4. **Execution**: The action iterates through the list of instance IDs and calls + the `delete_instance` method for each. - 5. **Result Aggregation:** Collects success/failure details for each instance, - updates the action log, and returns the count of deleted instances along with - a detailed JSON report. + 5. **Status Verification**: For each request, the action checks the returned instance + state. If the state is 'shutting-down' or 'terminated', it logs the success; otherwise, + it captures and logs any errors encountered. + + 6. **Result Reporting**: The action compiles the results into a JSON object, logs + the outcome, and returns the total count of successfully deleted instances. capabilities: can_create_case_comments: false can_create_insight: false @@ -513,11 +522,20 @@ Delete Instance: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Terminates (deletes) EC2 instances in the AWS environment. + Terminates the specified AWS EC2 instances, which is a permanent state change + in the AWS environment. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a destructive mutation (termination) on external AWS EC2 + instances. It does not fetch data for enrichment purposes, nor does it modify + internal SOAR case data, entities, or insights. categories: enrichment: false + reasoning: >- + The action is a remediation/mutation action that modifies external infrastructure + state. It does not meet the criteria for an enrichment action as it does not + retrieve context for entities or alerts. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -533,6 +551,10 @@ Delete Instance: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with the SOAR `target_entities` list. It relies + entirely on a user-provided input parameter ('Instance Ids') to identify the + resources to act upon. Find Instance: action_product_categories: add_alert_comment: false @@ -548,6 +570,10 @@ Find Instance: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action searches for AWS EC2 instances based on provided IDs or filters. + This matches the 'Search Asset' category. It does not enrich existing entities, + update alerts, or perform any mutation. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -563,63 +589,23 @@ Find Instance: update_identity: false update_ticket: false ai_description: >- - ### General Description - - The **Find Instance** action retrieves detailed information about specific Amazon - EC2 instances or a collection of instances based on provided criteria. It is primarily - used for asset discovery and situational awareness within an AWS environment. - If no specific instance IDs or filters are provided, the action can return information - for all instances (subject to the maximum results limit). - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **Instance Ids** | String | No | A comma-separated list of AWS Instance IDs - to fetch (e.g., `i-1234567890abcdef0`). If provided, the action focuses on these - specific resources. | - - | **Filters** | Content (JSON) | No | A JSON-formatted string defining filters - to narrow down the search (e.g., `{"Name": "instance-type", "Values": ["t2.micro"]}`). - Default filters for `t2.micro` are often pre-configured. | - - | **Max Results** | String | No | The maximum number of results to return in a - single execution, ranging from 5 to 1000. | - - - ### Flow Description - - 1. **Configuration Extraction:** The action retrieves AWS credentials (Access - Key ID, Secret Access Key) and the default region from the integration settings. - - 2. **Parameter Parsing:** It extracts the `Instance Ids`, `Filters`, and `Max - Results` from the action input. If `Filters` are provided, they are parsed from - a JSON string into a list. - - 3. **Manager Initialization:** An `EC2Manager` instance is created to handle - communication with the AWS EC2 service via the Boto3 SDK. - - 4. **Data Retrieval:** - * If **Instance Ids** are specified: The action iterates through each ID - and calls the `describe_instances` API to fetch specific metadata. - * If **Instance Ids** are NOT specified: The action calls the `describe_instances` - API using the provided `Filters` and `Max Results` to find matching instances. - 5. **Result Processing:** The retrieved instance data is aggregated into a JSON - object. - - 6. **Output:** The action attaches the raw JSON data to the execution result - and provides a summary message indicating which instances were successfully fetched. - - - ### Additional Notes - - * This action is read-only and does not modify any AWS resources. - - * If both `Instance Ids` and `Filters` are provided, the AWS API typically applies - both constraints (logical AND). + The 'Find Instance' action retrieves detailed information about specific AWS EC2 + instances or a list of instances based on provided filters. It interacts with + the AWS EC2 API to fetch instance data, which is then returned as a JSON result + for further analysis or reporting. The action flow is as follows: 1. It extracts + the necessary AWS configuration parameters (Access Key ID, Secret Access Key, + and Default Region). 2. It extracts the action-specific parameters: 'Instance + Ids' (a comma-separated list of IDs), 'Filters' (a JSON object defining criteria + like instance type), and 'Max Results' (an integer limiting the number of returned + instances). 3. It initializes an 'EC2Manager' object to handle the AWS API communication. + 4. It calls the 'describe_instances' method using the provided parameters. 5. + It logs the success or failure of the operation for each instance ID. 6. Finally, + it adds the retrieved instance details to the action's result JSON and terminates + the action. Parameters: 'Instance Ids' (string, optional): The instance IDs to + fetch, e.g., 'i-1234567890abcdef0,i-0987654321fedcba0'. 'Filters' (content, optional): + A JSON object for filtering instances, e.g., '{"Name": "instance-type", "Values": + ["t2.micro"]}'. 'Max Results' (string, optional): The maximum number of results + to return, ranging from 5 to 1000. capabilities: can_create_case_comments: false can_create_insight: false @@ -630,8 +616,17 @@ Find Instance: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a read-only 'describe_instances' operation against the AWS + EC2 API. It fetches data based on user-provided parameters and returns it as + a JSON result. It does not modify any external system state, nor does it modify + internal SOAR case data (entities, insights, or comments). categories: enrichment: false + reasoning: >- + The action performs a search/lookup of AWS EC2 instances. It does not operate + on existing SOAR entities (no 'target_entities' iteration), so it is not an + enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -647,6 +642,10 @@ Find Instance: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over 'siemplify.target_entities'. It relies on user-provided + parameters ('Instance Ids', 'Filters') to query AWS EC2 directly. Therefore, + it does not process any entity types. Ping: action_product_categories: add_alert_comment: false @@ -662,6 +661,9 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test ('Ping') and does not perform any of the defined + product category operations (e.g., enrichment, containment, ticket management). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -677,47 +679,45 @@ Ping: update_identity: false update_ticket: false ai_description: >- - ### General Description + ### General description - The **Ping** action is a diagnostic tool designed to verify the connectivity between - the Google SecOps platform and the Amazon Web Services (AWS) EC2 environment. - It ensures that the provided credentials (Access Key ID and Secret Access Key) - are valid and that the platform can successfully communicate with the AWS API - within the specified region. + Tests connectivity to the AWS EC2 service to verify that the provided credentials + and region configuration are valid. - ### Parameters Description + ### Parameters description - There are no action-specific parameters for this action. It relies entirely on - the global integration configuration parameters: + | Parameter | Type | Mandatory | Description | - * **Access Key ID**: The AWS access key used for authentication. + | :--- | :--- | :--- | :--- | - * **Secret Access Key**: The AWS secret key used for authentication. + | Access Key ID | String | Yes | The AWS Access Key ID used for authentication. + | - * **Default Region**: The AWS region to which the connection is tested. + | Secret Access Key | String | Yes | The AWS Secret Access Key used for authentication. + | + | Default Region | String | Yes | The AWS region to connect to (e.g., us-east-1). + | - ### Flow Description - 1. **Configuration Extraction**: The action retrieves the AWS credentials and - region settings from the integration's configuration. + ### Additional notes - 2. **Manager Initialization**: An instance of the `EC2Manager` is created using - the retrieved credentials. + This action is a connectivity test and does not perform any data enrichment or + mutation. - 3. **Connectivity Test**: The action calls the `test_connectivity` method, which - executes the AWS `describe_regions` API call. - 4. **Result Evaluation**: If the API call returns a valid response, the action - concludes with a success status. If the call fails (e.g., due to invalid credentials - or network issues), it returns a failure status. + ### Flow description + 1. The action extracts the AWS credentials and region from the integration configuration. - ### Additional Notes + 2. It initializes the `EC2Manager` with the provided credentials. + + 3. It calls the `test_connectivity` method, which performs a `describe_regions` + API call to AWS. - This action does not process any entities and is strictly used for system health - checks and configuration validation. + 4. If the API call succeeds, the action returns a success status; otherwise, it + returns a failure status. capabilities: can_create_case_comments: false can_create_insight: false @@ -728,8 +728,15 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a `describe_regions` API call to AWS to verify connectivity. + This is a read-only operation that fetches data (connectivity status) but does + not mutate external or internal data. categories: enrichment: false + reasoning: >- + The action is named 'Ping' and is a connectivity test. According to the guidelines, + actions named 'Ping' must not be categorized as enrichment actions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -745,11 +752,14 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities; it only uses configuration parameters + to test connectivity. Revoke Security Group Egress: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false - add_ioc_to_blocklist: false + add_ioc_to_blocklist: true contain_host: false create_ticket: false delete_email: false @@ -760,6 +770,10 @@ Revoke Security Group Egress: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action modifies an external security control (AWS Security Group) by removing + egress rules, which prevents traffic. This aligns with the 'Add IOC To Blocklist' + category, as it updates security controls to prevent interaction. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -777,54 +791,50 @@ Revoke Security Group Egress: ai_description: >- ### General Description - This action revokes specific outbound (egress) IP permissions from an AWS EC2 - Security Group within a Virtual Private Cloud (VPC). It is primarily used to tighten - network security by removing existing rules that allow traffic to leave the VPC - to specified destinations, protocols, or ports. + This action revokes outbound IP permissions (egress rules) for a specified AWS + EC2 security group. It interacts with the AWS EC2 API to remove specific network + rules, effectively restricting outbound traffic as defined by the provided IP + permissions. - ### Flow Description + ### Parameters Description - 1. **Configuration Extraction**: The action retrieves AWS credentials (Access - Key ID, Secret Access Key) and the default region from the integration settings. + | Parameter | Type | Mandatory | Description | - 2. **Parameter Extraction**: It extracts the target Security Group ID and the - specific IP permissions to be revoked from the action parameters. + | :--- | :--- | :--- | :--- | - 3. **Permission Parsing**: The provided IP permissions, expected in JSON format, - are parsed into a structured list for the AWS SDK. + | Group ID | string | No | The security group ID for which you want to revoke + outbound IP permissions in a VPC. | - 4. **AWS Interaction**: The action uses the `EC2Manager` to call the Boto3 `revoke_security_group_egress` - method, which communicates with the AWS EC2 API to remove the specified rules. + | IP Permissions | code | No | The IP permissions in a JSON format (e.g., `{"FromPort": + 80, "IpProtocol": "tcp", "IpRanges": [{"CidrIp": "1.1.1.1/16"}], "ToPort": 80}`). + | - 5. **Result Handling**: The action logs the outcome, adds the raw API response - to the JSON results, and provides a success or failure message to the SOAR case. + ### Additional Notes - ### Parameters Description + This action performs a direct mutation on the AWS EC2 security group configuration. + Ensure that the provided `Group ID` and `IP Permissions` are accurate to avoid + unintended network restrictions. - | Parameter Name | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + ### Flow Description - | Group ID | String | No | The unique identifier of the security group (e.g., - `sg-1a2b3c4d`) from which you want to revoke outbound permissions. While marked - as non-mandatory in configuration, it is required for the API call to succeed. - | + 1. The action extracts the AWS credentials (Access Key ID, Secret Access Key, + Default Region) from the integration configuration. - | IP Permissions | Code | No | A JSON-formatted string defining the rules to revoke. - It includes fields like `IpProtocol`, `FromPort`, `ToPort`, and `IpRanges` (e.g., - `{"FromPort": 80, "IpProtocol": "tcp", "IpRanges": [{"CidrIp": "1.1.1.1/16"}], - "ToPort": 80}`). | + 2. It extracts the `Group ID` and `IP Permissions` parameters provided by the + user. + 3. The `IP Permissions` parameter is parsed from a JSON string into a dictionary. - ### Additional Notes + 4. An `EC2Manager` instance is initialized with the extracted AWS credentials. - - This action performs a state change in the AWS environment by deleting firewall-like - rules. + 5. The action calls the `revoke_security_group_egress` method of the `EC2Manager` + to remove the specified egress rules from the target security group. - - If the specified rules do not exist in the security group, the AWS API may return - an error which will be captured in the action logs. + 6. The outcome of the operation is logged, and the result is added to the action's + output. capabilities: can_create_case_comments: false can_create_insight: false @@ -833,12 +843,19 @@ Revoke Security Group Egress: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Removes egress (outbound) network rules from an AWS Security Group, effectively - changing the firewall configuration of the VPC. + Removes specified egress rules from an AWS EC2 security group, effectively blocking + outbound traffic defined by those rules. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a direct API call to AWS EC2 to modify security group rules. + It does not fetch data for enrichment, nor does it modify internal SOAR case + data. categories: enrichment: false + reasoning: >- + The action is a mutation action (modifying AWS security groups) and does not + fetch data for enrichment. Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -854,11 +871,15 @@ Revoke Security Group Egress: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities` or use entity-specific + identifiers. It relies on user-provided parameters (`Group ID` and `IP Permissions`) + to perform its task. Revoke Security Group ingress: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false - add_ioc_to_blocklist: false + add_ioc_to_blocklist: true contain_host: false create_ticket: false delete_email: false @@ -869,7 +890,12 @@ Revoke Security Group ingress: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false - remove_ioc_from_allowlist: true + reasoning: >- + The action modifies AWS security group rules to revoke inbound IP permissions. + This action effectively restricts network traffic, which aligns with the 'Add + IOC To Blocklist' category as it updates security controls to prevent future + interaction. + remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false search_asset: false @@ -884,55 +910,42 @@ Revoke Security Group ingress: update_identity: false update_ticket: false ai_description: >- - ### General Description + Revokes inbound IP permissions for a specific security group in an AWS VPC. This + action interacts with the AWS EC2 service to remove ingress rules, effectively + restricting network access based on the provided configuration. - Revokes specific inbound (ingress) IP permissions from an AWS EC2 Security Group. - This action is used to remediate security risks by removing existing network access - rules that allow traffic into a VPC. It interacts directly with the AWS EC2 API - to modify the security group's configuration. + ### Parameters - ### Parameters Description - | Parameter Name | Type | Mandatory | Description | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Group ID | string | No | The unique identifier (e.g., sg-1a2b3c4d) of the security - group from which you want to revoke inbound permissions. | + | Group ID | string | No | The security group ID for which you want to revoke + ingress IP permissions. | - | IP Permissions | code | No | A JSON-formatted string defining the specific rule - to revoke. It must include fields like `IpProtocol`, `FromPort`, `ToPort`, and - `IpRanges`. Example: `{"FromPort": 80, "IpProtocol": "tcp", "IpRanges": [{"CidrIp": - "1.1.1.1/16"}], "ToPort": 80}`. | + | IP Permissions | code | No | The IP permissions in a JSON format. For example: + `{"FromPort": 80,"IpProtocol": "tcp","IpRanges": [{"CidrIp": "1.1.1.1/16"}],"ToPort": + 80}` | - ### Additional Notes - - * Although the parameters are marked as not mandatory in the configuration, the - action logic requires both a valid `Group ID` and correctly formatted `IP Permissions` - JSON to successfully execute the revocation in AWS. - - * This action performs a state change in the external AWS environment by deleting - security rules. + ### Flow Description - ### Flow Description + 1. Extract AWS credentials (Access Key ID, Secret Access Key, Default Region) + from the integration configuration. - 1. **Configuration Extraction**: Retrieves AWS credentials (Access Key ID, Secret - Access Key) and the default region from the integration settings. + 2. Extract the `Group ID` and `IP Permissions` from the action parameters. - 2. **Parameter Parsing**: Extracts the target Security Group ID and the IP permissions - JSON string from the action inputs. + 3. Parse the `IP Permissions` parameter from a JSON string into a dictionary. - 3. **Data Transformation**: Converts the IP permissions JSON string into a Python - dictionary for processing by the AWS SDK. + 4. Initialize the `EC2Manager` with the provided AWS credentials. - 4. **AWS Interaction**: Uses the `EC2Manager` to call the AWS `revoke_security_group_ingress` - API method. + 5. Execute the `revoke_security_group_ingress` method to remove the specified + ingress rules from the AWS security group. - 5. **Result Handling**: Captures the response from AWS, logs the outcome, and - attaches the raw JSON response to the action results in Google SecOps. + 6. Log the outcome and return the result JSON. capabilities: can_create_case_comments: false can_create_insight: false @@ -941,12 +954,19 @@ Revoke Security Group ingress: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Removes specified inbound (ingress) firewall rules from an AWS EC2 Security - Group, effectively blocking previously allowed traffic. + Modifies AWS EC2 security group rules by revoking specified inbound IP permissions. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a direct mutation on an external AWS EC2 resource by calling + `revoke_security_group_ingress`. It does not fetch data for enrichment, nor + does it modify internal SOAR case data or entities. categories: enrichment: false + reasoning: >- + The action is a mutation action (modifying AWS security groups) and does not + perform any data retrieval for enrichment purposes. Therefore, it is not an + enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -962,6 +982,10 @@ Revoke Security Group ingress: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities`. It relies solely + on action parameters provided by the user. Therefore, it does not use any entity + types. Start Instance: action_product_categories: add_alert_comment: false @@ -977,6 +1001,10 @@ Start Instance: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action starts an AWS EC2 instance. This is an infrastructure management + action. It does not match any of the provided categories (Enrichment, Containment, + Ticket, etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -994,47 +1022,45 @@ Start Instance: ai_description: >- ### General Description - Starts one or more specified AWS EC2 instances. This action is used to transition - instances from a stopped state to a running state within an AWS environment, which - is useful for automated remediation or forensic workflows. + Starts specified AWS EC2 instances. This action interacts with the AWS EC2 API + to initiate the startup process for one or more instances identified by their + IDs. - ### Parameters Description + ### Flow Description - | Parameter | Description | Type | Mandatory | + 1. Extract configuration parameters (Access Key ID, Secret Access Key, Default + Region) from the integration settings. - | :--- | :--- | :--- | :--- | + 2. Extract the 'Instance Ids' parameter provided by the user. - | Instance Ids | The instance IDs which you want to start (comma separated). For - example: `i-1234567890abcdef0, i-0987654321fedcba0`. | String | Yes | + 3. Initialize the `EC2Manager` with the provided credentials. + 4. Iterate through the list of instance IDs. - ### Flow Description + 5. For each ID, call the `start_instances` method via the AWS EC2 API. - 1. **Configuration Extraction**: Retrieves AWS Access Key ID, Secret Access Key, - and Default Region from the integration settings. + 6. Verify the current state of the instance (pending or running). - 2. **Parameter Parsing**: Extracts the `Instance Ids` string and converts it into - a list of individual identifiers. + 7. Log the status and add the result JSON to the action output. - 3. **Instance Initialization**: For each provided ID, the action attempts to start - the instance using the AWS EC2 API. + 8. Terminate the action with a summary message and the count of successfully started + instances. - 4. **State Verification**: Checks the current state of the instance. If the state - is `pending` or `running`, the operation is considered successful for that instance. - 5. **Result Aggregation**: Tracks the number of successfully started instances - and compiles detailed JSON metadata for each. + ### Parameters Description - 6. **Completion**: Returns the total count of started instances and updates the - action status to `IN_PROGRESS` if any instances are still in a pending state, - or `COMPLETED` otherwise. + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Instance Ids | content | Yes | A comma-separated list of EC2 instance IDs to + start. | ### Additional Notes - This action is asynchronous. If an instance is in a `pending` state, the action - will signal that it is still in progress. + This action performs a state-changing operation on external AWS infrastructure. capabilities: can_create_case_comments: false can_create_insight: false @@ -1042,12 +1068,19 @@ Start Instance: can_mutate_external_data: true can_mutate_internal_data: false can_update_entities: false - external_data_mutation_explanation: >- - Starts AWS EC2 instances, changing their operational state from stopped to running. + external_data_mutation_explanation: Starts the specified AWS EC2 instances. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a state-changing operation (starting an EC2 instance) on + an external system (AWS). It does not fetch contextual data for enrichment, + nor does it modify internal SOAR data (entities, insights, etc.). categories: enrichment: false + reasoning: >- + The action is a control/mutation action (starting an instance) and does not + perform any enrichment or data retrieval for context. Therefore, it is not an + enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1063,6 +1096,10 @@ Start Instance: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities`. It takes a string + parameter 'Instance Ids' to identify the targets. Therefore, it does not use + any entity types. Stop Instance: action_product_categories: add_alert_comment: false @@ -1078,6 +1115,9 @@ Stop Instance: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action stops an AWS EC2 instance, which is a form of containment (isolating + the host). It does not match other categories like enrichment or ticket creation. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1093,46 +1133,16 @@ Stop Instance: update_identity: false update_ticket: false ai_description: >- - Stops one or more specified AWS EC2 instances. This action interacts with the - AWS EC2 service to transition instances from a running state to a stopped state. - It supports stopping multiple instances simultaneously via a comma-separated list - and provides an option to force the shutdown. The action is asynchronous, meaning - it can monitor the transition state (stopping vs. stopped) and report progress. - - - ### Parameters - - | Parameter Name | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Instance Ids | String | Yes | A comma-separated list of AWS EC2 instance identifiers - (e.g., i-1234567890abcdef0, i-0987654321fedcba0) to be stopped. | - - | Force Instance To Stop | Boolean | No | If set to 'true', forces the instance - to stop without processing file system caches or metadata. Default is 'false'. - | - - - ### Flow Description - - 1. **Initialization**: Retrieves AWS credentials (Access Key ID, Secret Access - Key, and Default Region) from the integration configuration. - - 2. **Parameter Extraction**: Parses the 'Instance Ids' string into a list and - retrieves the 'Force Instance To Stop' boolean flag. - - 3. **Execution**: Iterates through each provided Instance ID and calls the AWS - EC2 API to initiate the stop command. - - 4. **State Monitoring**: Checks the current state of each instance returned by - the API. If an instance is in the 'stopping' state, the action marks itself as - 'In Progress' to allow for asynchronous completion. If the state is 'stopped', - it is marked as successful. - - 5. **Result Reporting**: Aggregates the results, providing a count of stopped - instances as the main result value and detailed JSON metadata for each instance's - state transition. + General description: This action stops specified AWS EC2 instances. Parameters + description: | Parameter | Type | Mandatory | Description | | --- | --- | --- + | --- | | Instance Ids | content | Yes | Comma-separated list of instance IDs + to stop. | | Force Instance To Stop | boolean | No | Forces the instance to stop + without processing file system caches/metadata. | Additional notes: None. Flow + description: 1. Extract AWS credentials and action parameters. 2. Initialize EC2Manager + with credentials. 3. Iterate through the provided list of instance IDs. 4. Call + the AWS EC2 API to stop each instance. 5. Log the status of each instance (stopping, + stopped, or error). 6. Add the result JSON to the action output and terminate + the action. capabilities: can_create_case_comments: false can_create_insight: false @@ -1140,12 +1150,16 @@ Stop Instance: can_mutate_external_data: true can_mutate_internal_data: false can_update_entities: false - external_data_mutation_explanation: >- - Changes the operational state of AWS EC2 instances from running to stopped. + external_data_mutation_explanation: Stops the specified AWS EC2 instances. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a state change on an external AWS EC2 instance by calling + the stop_instances API. It does not modify internal SOAR data or entities. categories: enrichment: false + reasoning: >- + The action is a mutation action (stopping instances) and does not perform enrichment. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1161,3 +1175,6 @@ Stop Instance: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action takes Instance Ids as a direct input parameter (string) and does + not interact with siemplify.target_entities. diff --git a/content/response_integrations/third_party/community/aws_ec2/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/aws_ec2/resources/ai/integration_ai_description.yaml index f8132bd8e..4d0b36f1b 100644 --- a/content/response_integrations/third_party/community/aws_ec2/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/community/aws_ec2/resources/ai/integration_ai_description.yaml @@ -7,6 +7,14 @@ product_categories: iam_and_identity_management: false itsm: false network_security: true + reasoning: >- + The integration provides management capabilities for AWS EC2 instances, which + are cloud-native resources, fitting the 'Cloud Security' category. It allows for + the modification of Security Group ingress and egress rules, which functions as + a network-level control, fitting the 'Network Security' category. Additionally, + the 'Find Instance' action allows for the retrieval of detailed information about + EC2 instances, aligning with 'Asset Inventory' capabilities. It does not provide + EDR (process-level activity), SIEM (log analysis), or other listed categories. siem: false threat_intelligence: false vulnerability_management: false diff --git a/content/response_integrations/third_party/community/azure_devops/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/azure_devops/resources/ai/actions_ai_description.yaml index 8c47f84da..a09e98699 100644 --- a/content/response_integrations/third_party/community/azure_devops/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/azure_devops/resources/ai/actions_ai_description.yaml @@ -13,6 +13,10 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test (Ping). It does not match any of the specific + functional categories like Enrich IOC, Contain Host, etc. It is a utility action + for verifying integration settings. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -28,50 +32,20 @@ Ping: update_identity: false update_ticket: false ai_description: >- - ### General Description - - The **Ping** action is a utility designed to verify the connectivity between the - Google SecOps platform and a specific Azure DevOps instance. It ensures that the - provided credentials (Personal Access Token) and configuration (Organization and - Base URL) are valid and that the network path is open. - - - ### Parameters Description - - There are no action-specific parameters for this action. It relies entirely on - the integration's global configuration parameters: - - * **Personal Access Token**: The token used for authentication. - - * **Organization**: The Azure DevOps organization name. - - * **Base URL**: The base URL of the Azure DevOps instance. - - - ### Additional Notes - - This action is typically used during the initial setup of the integration or for - troubleshooting connection issues. It does not process any entities or modify - any data. - - - ### Flow Description - - 1. **Parameter Extraction**: The action retrieves the `Personal Access Token`, - `Organization`, and `Base URL` from the integration configuration. - - 2. **Authentication**: It initializes a basic authentication object using the - provided token. - - 3. **Connection Initialization**: It establishes a connection to the Azure DevOps - API using the constructed organization URL. - - 4. **Connectivity Test**: The action attempts to fetch a list of projects using - the `get_projects` method from the Azure DevOps Core Client to verify API access. - - 5. **Result Reporting**: If the request is successful, it reports a successful - connection. If an exception occurs, it captures the error and reports a connection - failure. + General description: This action tests the connectivity between the SOAR platform + and the Azure DevOps integration. It verifies that the provided credentials and + configuration settings are valid by attempting to retrieve the list of projects + from the Azure DevOps instance. Parameters description: The action requires the + following parameters: Personal Access Token (String, Mandatory): The personal + access token used for authentication with Azure DevOps. Organization (String, + Mandatory): The name of the Azure DevOps organization. Base URL (String, Mandatory): + The base URL for the Azure DevOps instance. Additional notes: This action is a + connectivity test and does not perform any data enrichment or modification of + external or internal systems. Flow description: 1. Extract the configuration parameters + (Personal Access Token, Organization, Base URL). 2. Initialize the Azure DevOps + connection using the provided credentials. 3. Attempt to retrieve the list of + projects using the core client. 4. Return a success or failure message based on + the outcome of the connection attempt. capabilities: can_create_case_comments: false can_create_insight: false @@ -80,10 +54,19 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: false + fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action attempts to connect to an external service (Azure DevOps) to verify + credentials and connectivity. It performs a GET-like operation (get_projects) + to test the connection. It does not mutate external data, nor does it interact + with internal SOAR entities or case data. categories: enrichment: false + reasoning: >- + The action is named Ping. According to the instructions, Actions named Ping + must not be categorized as enrichment actions. Even though it fetches data (projects), + it is a connectivity test, not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -99,6 +82,9 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not reference siemplify.target_entities or any entity objects. + It is a global connectivity test. Trigger Azure Build: action_product_categories: add_alert_comment: false @@ -114,6 +100,11 @@ Trigger Azure Build: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action triggers an external build process in Azure DevOps and monitors its + status. It does not perform enrichment, containment, or ticketing operations. + It is an automation/orchestration action. Therefore, it does not match any of + the provided categories. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -129,52 +120,41 @@ Trigger Azure Build: update_identity: false update_ticket: false ai_description: >- - ### General Description + Triggers an Azure DevOps pipeline build and monitors its status asynchronously. + This action allows users to initiate automated workflows in Azure DevOps by providing + a build definition ID and associated variables. - Triggers a specific build pipeline in Azure DevOps using a Build Definition ID - and optional variables. This action is asynchronous, meaning it initiates the - build and then periodically polls Azure DevOps to monitor the progress until the - build completes, fails, or is canceled. + ### Flow Description - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | + 1. Extracts configuration parameters (Project, Organization, Token, Base URL) + and action parameters (Build Definition ID, Build Variables). - | Build Definition Id | String | Yes | The unique identifier of the build definition - (pipeline) you want to trigger. | + 2. Sends a POST request to the Azure DevOps API to initiate the build. - | Build Variables | Code (JSON) | Yes | A JSON-formatted string containing the - variables to be passed to the pipeline execution. | + 3. Returns the triggered build ID. + 4. Asynchronously polls the Azure DevOps API (via `query_job`) to check the build + status until completion. - ### Flow Description - 1. **Initialization**: Retrieves integration configuration (Organization, Project, - Personal Access Token, and Base URL) and action parameters. + ### Parameters Description - 2. **Trigger Build**: Sends a POST request to the Azure DevOps Build API to queue - a new build for the specified definition ID with the provided variables. + | Parameter | Type | Mandatory | Description | - 3. **Capture Build ID**: Extracts the unique ID of the newly created build from - the API response. + | --- | --- | --- | --- | - 4. **Status Polling (Async)**: Enters a polling phase where it sends GET requests - to the Azure DevOps API to check the current status (`status`) and outcome (`result`) - of the build. + | Build Definition Id | string | Yes | The build definition ID of the pipeline + you want to trigger. | - 5. **Completion**: The action finishes with a 'Completed' status if the build - succeeds or partially succeeds, and 'Failed' if the build fails or is canceled. + | Build Variables | code | Yes | The variables to pass for the given pipeline. + | ### Additional Notes - - This action requires a Personal Access Token (PAT) with sufficient permissions - to trigger and view builds in the specified Azure DevOps project. - - - The `Build Variables` parameter must be a valid JSON string. + This action is asynchronous and will continue to run until the build is completed + or failed. capabilities: can_create_case_comments: false can_create_insight: false @@ -183,12 +163,18 @@ Trigger Azure Build: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Triggers a new build pipeline execution in the Azure DevOps environment via - a POST request. + Triggers a new build pipeline in Azure DevOps. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action triggers an external build (POST) and polls for status (GET). It + does not modify internal SOAR entities or case data. categories: enrichment: false + reasoning: >- + The action is an automation/orchestration task that triggers an external process. + It does not fetch context for entities (enrichment) or perform any of the other + defined categories. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -204,6 +190,9 @@ Trigger Azure Build: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with entities. It uses configuration and action + parameters to trigger a build. Wait Until Web Resource Is Up: action_product_categories: add_alert_comment: false @@ -219,6 +208,10 @@ Wait Until Web Resource Is Up: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action performs a health check on a URL to determine if it is reachable. + It does not fit into any of the provided categories (Enrichment, Containment, + Ticket management, etc.). It is a workflow utility action. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -234,41 +227,38 @@ Wait Until Web Resource Is Up: update_identity: false update_ticket: false ai_description: >- - Wait Until Web Resource Is Up is a utility action designed to monitor the availability - of a specific URL. It functions as an asynchronous polling mechanism that repeatedly - checks the status of a web resource until it becomes accessible. + This action polls a specified URL to check if a web resource is available (HTTP + 200 OK). It is designed to be used in asynchronous workflows where the system + needs to wait for a service or endpoint to become reachable. - ### Flow Description: + ### Parameters - 1. **Parameter Extraction:** The action retrieves the target URL from the input - parameters. + | Parameter | Type | Mandatory | Description | - 2. **Connectivity Check:** It performs an HTTP GET request to the specified URL - with a 5-second timeout. + | --- | --- | --- | --- | - 3. **Status Evaluation:** The action checks if the HTTP response indicates success - (status code < 400). + | URL | string | Yes | The URL of the web resource to check. | - 4. **Execution State Management:** - * If the resource is accessible, the action state is set to `COMPLETED`. - * If the resource is inaccessible or the request fails, the action state is - set to `IN_PROGRESS`, allowing the SOAR platform to retry the check after a delay. - ### Parameters Description: + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. Extract the `URL` parameter. + + 2. Perform an HTTP GET request to the provided URL. - | :--- | :--- | :--- | :--- | + 3. Check if the response status is successful (HTTP 200-299). - | URL | String | Yes | The full web address (e.g., https://example.com) of the - resource to monitor. | + 4. If successful, return `True` and set the execution state to `COMPLETED`. + 5. If unsuccessful, return `False` and set the execution state to `INPROGRESS` + (triggering a retry/wait). - ### Additional Notes: - This action is typically used in playbooks to ensure a service or endpoint is - fully operational before proceeding to subsequent steps that depend on that resource. + ### Additional Notes + + This is an orchestration utility action used for workflow control. It does not + perform enrichment or modify any system state. capabilities: can_create_case_comments: false can_create_insight: false @@ -279,8 +269,17 @@ Wait Until Web Resource Is Up: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs an HTTP GET request to check the availability of a web resource. + It does not modify any external or internal data. It is an orchestration/utility + action used to control workflow execution flow (wait/retry). categories: enrichment: false + reasoning: >- + The action is a utility/orchestration action used to poll a URL for availability. + It does not retrieve context about alerts or entities, nor does it update entity + profiles or case data. Therefore, it does not meet the criteria for an Enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -296,3 +295,6 @@ Wait Until Web Resource Is Up: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `siemplify.target_entities` or any entity-specific + logic. It operates on a standalone URL parameter. diff --git a/content/response_integrations/third_party/community/azure_devops/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/azure_devops/resources/ai/integration_ai_description.yaml index 0801c7556..3ae69e9e5 100644 --- a/content/response_integrations/third_party/community/azure_devops/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/community/azure_devops/resources/ai/integration_ai_description.yaml @@ -7,6 +7,18 @@ product_categories: iam_and_identity_management: false itsm: false network_security: false + reasoning: >- + The azure_devops integration is designed for CI/CD pipeline management, specifically + enabling users to trigger builds and monitor their status. Reviewing the provided + actions (Ping, Trigger Azure Build, Wait Until Web Resource Is Up), none of them + align with the security-focused categories defined in the schema. It does not + perform SIEM, EDR, Network Security, or Threat Intelligence functions. It does + not manage email, identity, or cloud infrastructure security configurations. While + Azure DevOps includes project management features that could theoretically overlap + with ITSM, the specific actions provided do not include ticket creation or task + assignment capabilities. It does not function as an asset inventory tool or a + collaboration platform for SOC workflows. Therefore, none of the defined product + categories are applicable. siem: false threat_intelligence: false vulnerability_management: false diff --git a/content/response_integrations/third_party/community/bandura_cyber/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/bandura_cyber/resources/ai/actions_ai_description.yaml index 8b34cff3a..d4dcb73f5 100644 --- a/content/response_integrations/third_party/community/bandura_cyber/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/bandura_cyber/resources/ai/actions_ai_description.yaml @@ -13,6 +13,10 @@ Add Domain to Allowed Lists: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action adds a domain to an allowed list in Bandura Cyber, which directly + matches the 'Add IOC To Allowlist' category. It does not perform enrichment, + alert updates, or other containment actions. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -30,9 +34,9 @@ Add Domain to Allowed Lists: ai_description: >- ### General Description - Adds URL entities to a specified Domain Allowed List in Bandura Cyber. This action - extracts the domain from the URL and adds it to the target list, allowing for - optional descriptions and expiration dates for the entry. + This action adds a domain to a specified Allowed List within the Bandura Cyber + platform. It processes URL entities, extracts the domain component, and performs + an API request to update the external allowlist configuration. ### Parameters Description @@ -41,38 +45,32 @@ Add Domain to Allowed Lists: | :--- | :--- | :--- | :--- | - | List Name | String | Yes | The case-sensitive name of the Allowed List where - the domain will be added. | + | List Name | string | Yes | The name of the Allowed List to which the domain + should be added. This value is case-sensitive. | - | Description | String | No | A description or note to associate with the allowed - list entry. | + | Description | string | No | A description for the entry being added to the list. + | - | Expiration Date | String | No | The date and time when the entity should be - automatically removed from the list (Format: YYYY-MM-DDTHH:MM:SS.mmm+00:00). | + | Expiration Date | string | No | The date and time when the entity should be + removed from the list. Format: 2020-01-01T12:00:00.000+00:00. | ### Flow Description - 1. **Parameter Extraction:** Retrieves the API configuration and action parameters - (List Name, Description, Expiration Date). - - 2. **Entity Filtering:** Identifies URL entities from the target entities list. + 1. **Initialization**: The action initializes the Bandura Cyber Manager using + the provided API credentials. - 3. **Domain Extraction:** For each URL, the domain (netloc) is extracted using - URL parsing. + 2. **Entity Filtering**: It iterates through the `target_entities` and filters + for those with the `URL` entity type. - 4. **List Identification:** Queries Bandura Cyber to find the unique identifier - (UUID) for the specified list name. + 3. **Domain Extraction**: For each valid entity, it extracts the domain (netloc) + from the URL. - 5. **Addition:** Sends a POST request to Bandura Cyber to add the domain to the - identified allowed list. + 4. **API Interaction**: It retrieves the list UUID from Bandura Cyber and then + sends a POST request to add the domain to the specified Allowed List. - - ### Additional Notes - - The action specifically targets URL entities and will parse them to extract the - domain name before submission. If no URL entities are found, the action will complete - without adding any entries. + 5. **Result Output**: The action adds the result of the operation to the JSON + output and terminates with a success message. capabilities: can_create_case_comments: false can_create_insight: false @@ -81,11 +79,20 @@ Add Domain to Allowed Lists: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Adds a domain to a specific allowed list in Bandura Cyber. + Adds a domain to the specified allowed list in the Bandura Cyber platform. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the Bandura Cyber API to add a domain + to an allowed list, which constitutes external data mutation. It also performs + a GET request to retrieve the list UUID, so it fetches data. It does not modify + internal SOAR data, update entities, or create insights. categories: enrichment: false + reasoning: >- + The action mutates external data (adds to an allowlist), which violates the + 'External State Preservation' rule for enrichment actions. Therefore, it is + not an enrichment action. entity_usage: entity_types: - DestinationURL @@ -102,6 +109,9 @@ Add Domain to Allowed Lists: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and filters them using `entity.entity_type + == URL`. This indicates the action processes URL entities. Add Domain to Denied Lists: action_product_categories: add_alert_comment: false @@ -117,6 +127,9 @@ Add Domain to Denied Lists: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action adds a domain to a 'Denied List' in Bandura Cyber, which is an external + security control. This directly aligns with the 'Add IOC To Blocklist' category. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -132,61 +145,48 @@ Add Domain to Denied Lists: update_identity: false update_ticket: false ai_description: >- - ### General Description - - Adds URL entities to a specified Denied List in Bandura Cyber. This action extracts - the domain (netloc) from the provided URL entities and performs a state-changing - operation on the Bandura Cyber platform to block future traffic associated with - those domains. It allows for setting an optional description and an expiration - date for the block entry. + Adds a domain to a specific Denied List in the Bandura Cyber platform. This action + extracts the domain from URL entities, queries the Bandura Cyber API to identify + the target list's UUID, and then performs a POST request to add the domain to + that list. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | List Name | String | Yes | The name of the Denied List where the domain will - be added. Note: This value is case-sensitive. | - - | Description | String | No | A descriptive note to associate with the entry in - the denied list for administrative tracking. | + | List Name | string | Yes | The name of the Denied List to which the entity should + be added. This is case-sensitive. | - | Expiration Date | String | No | The date and time when the domain should be - automatically removed from the list. Expected format: 2020-01-01T12:00:00.000+00:00. + | Description | string | No | A description for the entry being added to the list. | + | Expiration Date | string | No | The date and time for the entity to be removed + from the list. Format: 2020-01-01T12:00:00.000+00:00. | - ### Flow Description - - 1. **Initialization**: Retrieves API credentials (API Root, Username, Password) - and action parameters (List Name, Description, Expiration Date). - 2. **Entity Filtering**: Identifies and collects all URL entities from the target - entities list. - - 3. **Domain Extraction**: For each URL entity, it extracts the network location - (domain) using URL parsing logic. - - 4. **List Identification**: Queries the Bandura Cyber API to retrieve the unique - identifier (UUID) for the Denied List specified by the 'List Name' parameter. + ### Flow Description - 5. **External Mutation**: Executes a POST request to the Bandura Cyber API to - add the extracted domain to the identified Denied List, including the provided - description and expiration date. + 1. **Configuration Initialization**: Retrieves API credentials (API Root, Username, + Password) and SSL verification settings. - 6. **Reporting**: Aggregates the API responses and provides a summary message - to the SOAR platform indicating which entities were successfully added. + 2. **Entity Filtering**: Iterates through the `target_entities` and filters for + entities of type `URL`. + 3. **Domain Extraction**: For each valid entity, parses the URL to extract the + domain (netloc). - ### Additional Notes + 4. **List Identification**: Queries the Bandura Cyber API to retrieve the list + of denied domains and matches the provided `List Name` to obtain its UUID. - - The action specifically targets the domain portion of a URL. If a full URL is - provided, only the domain will be blocked. + 5. **Mutation**: Sends a POST request to the Bandura Cyber API to add the domain + to the identified Denied List, including the optional description and expiration + date. - - The 'List Name' must match exactly (including case) with an existing list in - Bandura Cyber for the action to succeed. + 6. **Result Reporting**: Updates the action result with the status of the operation + and provides a summary message. capabilities: can_create_case_comments: false can_create_insight: false @@ -195,12 +195,19 @@ Add Domain to Denied Lists: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Adds a domain entry to a specific Denied List in Bandura Cyber via a POST request - to the /denied-lists/domain/{uuid}/entries endpoint. + Adds a domain to a denied list in the Bandura Cyber platform. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve list information (fetches_data=true) + and a POST request to add a domain to a denied list (can_mutate_external_data=true). + It does not modify internal SOAR case data, update entities, or create insights. categories: enrichment: false + reasoning: >- + The action mutates external data by adding an IOC to a blocklist. It does not + meet the criteria for an enrichment action as it performs a state change on + an external system. entity_usage: entity_types: - DestinationURL @@ -217,6 +224,9 @@ Add Domain to Denied Lists: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and filters using `entity.entity_type + == URL`. This maps to the 'DestinationURL' entity type in the provided schema. Add IP to Allowed Lists: action_product_categories: add_alert_comment: false @@ -232,6 +242,9 @@ Add IP to Allowed Lists: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action adds an IP address to an allowed list in Bandura Cyber, which directly + matches the 'Add IOC To Allowlist' expected outcome. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -247,64 +260,46 @@ Add IP to Allowed Lists: update_identity: false update_ticket: false ai_description: >- - ### General Description - - The **Add IP to Allowed Lists** action allows analysts to add IP Address entities - to a specific IPv4 Allowed List within the Bandura Cyber platform. This action - is primarily used for allowlisting known-good or trusted IP addresses to prevent - them from being blocked by security policies. It supports defining the network - range via maskbits and setting an expiration date for the entry. - - - ### Parameters Description - + Adds an IP address to a specified IPv4 Allowed List in Bandura Cyber. This action + allows security analysts to whitelist IP addresses directly from the SOAR platform, + ensuring that traffic from these IPs is permitted by the Bandura Cyber security + controls. - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **List Name** | String | Yes | The case-sensitive name of the Allowed List in - Bandura Cyber where the IP should be added. | - | **Description** | String | No | A descriptive note to associate with the IP - entry in the allowed list. | + ### Flow Description - | **Maskbit** | Integer | No | The CIDR mask bit defining the IP range. Defaults - to 32 (single IP). | + 1. **Initialization**: The action initializes the Bandura Cyber manager using + the provided credentials and API root. - | **Expiration Date** | String | No | The date and time when the IP should be - automatically removed from the list. Expected format: `YYYY-MM-DDTHH:MM:SS.SSS+00:00`. - | + 2. **Entity Filtering**: It filters the target entities to process only those + of type `ADDRESS`. + 3. **List Retrieval**: For each entity, the action performs a GET request to retrieve + the UUID of the specified Allowed List by name. - ### Flow Description + 4. **Addition**: It performs a POST request to add the IP address, along with + optional parameters like maskbit, description, and expiration date, to the identified + Allowed List. - 1. **Initialization**: The action retrieves the integration configuration (API - Root, credentials) and the user-provided parameters (List Name, Maskbit, etc.). + 5. **Result Reporting**: The action returns the result of the operation and updates + the SOAR result JSON. - 2. **Entity Filtering**: It identifies all `ADDRESS` (IP) entities within the - current alert scope. - 3. **List Resolution**: For each entity, the action queries Bandura Cyber to find - the unique identifier (UUID) of the Allowed List matching the provided **List - Name**. + ### Parameters - 4. **Addition**: It sends a POST request to the Bandura Cyber API to add the IP - address, along with the specified mask, description, and expiration date, to the - target list. + | Parameter | Type | Mandatory | Description | - 5. **Reporting**: The action collects the API responses and provides a summary - of which entities were successfully added. + | :--- | :--- | :--- | :--- | + | List Name | string | Yes | The name of the Allowed List to which the entity + should be added. This is case-sensitive. | - ### Additional Notes + | Description | string | No | A description for the allowed list entity. | - * The **List Name** parameter is strictly case-sensitive. If the name does not - match exactly what is configured in Bandura Cyber, the action will fail to find - the list UUID and will not add the entity. + | Maskbit | integer | No | The range of IP addresses to add (default is 32). | - * If no **Maskbit** is provided, the action defaults to `32`, targeting only the - specific IP address of the entity. + | Expiration Date | string | No | The date and time when the entity should be + removed from the list (e.g., 2020-01-01T12:00:00.000+00:00). | capabilities: can_create_case_comments: false can_create_insight: false @@ -313,12 +308,20 @@ Add IP to Allowed Lists: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Adds IP address entries to a specified allowed list in the Bandura Cyber platform - via a POST request. + Adds the IP address to the specified allowed list in the Bandura Cyber system. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve the list UUID and a POST request + to add the IP to the allowed list. It mutates external data (Bandura Cyber allowlist). + It does not mutate internal SOAR data (no entity updates, insights, or case + comments). categories: enrichment: false + reasoning: >- + The action mutates external data (adds to allowlist), which violates the 'External + State Preservation' rule for enrichment actions. Therefore, it is not an enrichment + action. entity_usage: entity_types: - ADDRESS @@ -335,6 +338,9 @@ Add IP to Allowed Lists: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and filters specifically + for `ADDRESS` entities using `entity.entity_type == ADDRESS`. Add IP to Denied Lists: action_product_categories: add_alert_comment: false @@ -350,6 +356,10 @@ Add IP to Denied Lists: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action adds an IP address to a 'Denied List' in Bandura Cyber, which directly + aligns with the 'Add IOC To Blocklist' category. It does not perform enrichment, + host containment, or other listed actions. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -367,10 +377,10 @@ Add IP to Denied Lists: ai_description: >- ### General Description - Adds IP Address entities to a specified Denied List in Bandura Cyber. This action - is used to enforce security policies by blocking traffic from specific indicators. - It allows for granular control by specifying CIDR maskbits and expiration dates - for the entries. + This action adds an IP address to a specified Denied List within the Bandura Cyber + platform. It allows analysts to block malicious IP addresses by adding them to + existing denied lists, supporting optional parameters like description, subnet + mask, and expiration date. ### Parameters Description @@ -379,45 +389,35 @@ Add IP to Denied Lists: | :--- | :--- | :--- | :--- | - | List Name | string | Yes | The exact name of the Denied List in Bandura Cyber - where the IP will be added. Note: This is case-sensitive. | - - | Description | string | No | A descriptive note to associate with the entry in - the denied list. | + | List Name | string | Yes | The name of the Denied List to which the entity should + be added. This is case-sensitive. | - | Maskbit | integer | No | Defines the CIDR range for the IP address. Defaults - to 32 (single host). | + | Description | string | No | A description for the denied list entry. | - | Expiration Date | string | No | The date and time when the IP should be automatically - removed from the list. Expected format: `YYYY-MM-DDTHH:MM:SS.SSS+00:00`. | - - - ### Additional Notes + | Maskbit | integer | No | The subnet mask for the IP address. Defaults to 32. + | - The action first performs a lookup to find the internal UUID of the list provided - in the 'List Name' parameter before attempting to add the entity. If the list - name does not exist, the action will fail for that entity. + | Expiration Date | string | No | The date and time when the entity should be + removed from the list. Format: 2020-01-01T12:00:00.000+00:00. | ### Flow Description - 1. **Initialization**: Retrieves API credentials and connection settings from - the integration configuration. - - 2. **Parameter Extraction**: Collects the target list name, description, maskbit, - and expiration date from the action inputs. + 1. **Initialization**: The action initializes the Bandura Cyber Manager using + the provided credentials. - 3. **Entity Filtering**: Identifies all `ADDRESS` (IP) entities within the current - scope. + 2. **Entity Filtering**: It iterates through the `target_entities` and filters + for those with the type `ADDRESS`. - 4. **List Lookup**: For each entity, the action queries the Bandura Cyber API - to find the unique identifier (UUID) of the specified Denied List. + 3. **List Retrieval**: For each valid entity, the action retrieves the UUID of + the target Denied List by name. - 5. **Entity Addition**: Sends a POST request to the Bandura Cyber API to add the - IP address to the identified Denied List with the provided metadata. + 4. **Mutation**: It performs a POST request to the Bandura Cyber API to add the + IP address to the specified Denied List with the provided configuration (maskbit, + description, expiration). - 6. **Result Processing**: Aggregates the API responses and provides a summary - of which entities were successfully added. + 5. **Result Reporting**: The action adds the result of the operation to the JSON + result output and completes the execution. capabilities: can_create_case_comments: false can_create_insight: false @@ -426,12 +426,19 @@ Add IP to Denied Lists: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Adds IP address entries to a Denied List within the Bandura Cyber platform, - which modifies the active security policy of the external system. + Adds the IP address to the specified Denied List in the Bandura Cyber platform. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches data (GET) to retrieve the list UUID and performs a mutation + (POST) to add the IP to the denied list in the external Bandura Cyber system. + It does not modify internal SOAR data (entities, insights, or case comments). categories: enrichment: false + reasoning: >- + The action mutates external data (adds an IP to a blocklist) and does not meet + the criteria for an enrichment action (which must be read-only regarding external + systems). entity_usage: entity_types: - ADDRESS @@ -448,6 +455,9 @@ Add IP to Denied Lists: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and filters specifically + for entities where `entity.entity_type == ADDRESS`. Get Allowed Domain Lists: action_product_categories: add_alert_comment: false @@ -463,6 +473,10 @@ Get Allowed Domain Lists: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves a list of allowed domains from an external system. It does + not match the expected outcomes for enrichment (as it does not enrich an indicator), + alert management, or containment. It is a general information retrieval action. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -477,44 +491,43 @@ Get Allowed Domain Lists: update_email: false update_identity: false update_ticket: false - ai_description: "### General Description\nThe **Get Allowed Domain Lists** action\ - \ retrieves information about domain lists configured in the Bandura Cyber 'Allowed'\ - \ category. This action is used to audit current configurations or verify if specific\ - \ domains are part of an existing allowlist. It provides the data in multiple\ - \ formats, including a raw JSON result, a formatted data table, and a text attachment\ - \ for forensic or reporting purposes.\n\n### Parameters Description\n| Parameter\ - \ | Description | Type | Mandatory |\n| :--- | :--- | :--- | :--- |\n| List Name\ - \ | The specific name of the allowed domain list to retrieve. If left empty, the\ - \ action retrieves all available allowed domain lists. Note: This parameter is\ - \ case-sensitive. | String | No |\n\n### Flow Description\n1. **Parameter Extraction:**\ - \ The action retrieves the integration credentials (API Root, Username, Password)\ - \ and the optional `List Name` parameter.\n2. **Authentication:** It establishes\ - \ a session with the Bandura Cyber API using the provided credentials.\n3. **Data\ - \ Retrieval:** The action calls the Bandura Cyber API to fetch allowed domain\ - \ lists. If a `List Name` was provided, it filters the API response to return\ - \ only the matching list.\n4. **Session Termination:** The action logs out of\ - \ the Bandura Cyber session to ensure security.\n5. **Output Generation:** \n\ - \ * It attaches the full JSON response as a file named `allowed_domain_lists.txt`.\n\ - \ * It creates a data table named `Bandura Allowed Domain Lists` within the\ - \ case.\n * It populates the JSON result for use in playbooks.\n\n### Additional\ - \ Notes\n* If no lists are found (either globally or matching the provided name),\ - \ the action will complete with a 'False' result value.\n* This action does not\ - \ require or process specific entities from the case; it operates based on the\ - \ provided parameter or fetches global configuration data." + ai_description: "Retrieves a list of allowed domains from the Bandura Cyber platform.\ + \ This action allows users to query the system for specific allowed domain lists\ + \ by name or retrieve all available lists if no name is provided.\n\n### Flow\ + \ Description\n1. **Initialization**: The action initializes the Bandura Cyber\ + \ manager using the provided API credentials (API Root, Username, Password).\n\ + 2. **Data Retrieval**: It performs a GET request to the Bandura Cyber API to fetch\ + \ the allowed domain lists. If a 'List Name' is provided, the results are filtered\ + \ accordingly.\n3. **Output Generation**: \n - If lists are found, the action\ + \ attaches the raw JSON response as a file, adds a data table to the action results,\ + \ and sets the result JSON.\n - If no lists are found, it returns a message\ + \ indicating no results were found.\n4. **Cleanup**: The session is closed via\ + \ the manager's logout method.\n\n### Parameters\n| Parameter | Type | Mandatory\ + \ | Description |\n| :--- | :--- | :--- | :--- |\n| List Name | string | No |\ + \ The name of the specific allowed domain list to retrieve. If left empty, all\ + \ lists are returned. |\n\n### Additional Notes\nThis action is a read-only operation\ + \ and does not modify any external or internal system state." capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: >- - The action adds a data table and a file attachment to the case to display the - retrieved domain list information. + internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Bandura Cyber API to retrieve domain + list information. It does not perform any POST/PUT/DELETE operations on external + systems, nor does it modify internal SOAR case data such as entities, alerts, + or insights. It simply outputs the retrieved data to the action results. categories: enrichment: false + reasoning: >- + The action fetches data from an external system but does not enrich specific + entities or alerts. It is a general data retrieval action and does not meet + the criteria for an Enrichment Action as defined. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -530,6 +543,9 @@ Get Allowed Domain Lists: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with or iterate over any entities. It operates + independently of the case entities. Get Allowed IP Lists: action_product_categories: add_alert_comment: false @@ -545,6 +561,11 @@ Get Allowed IP Lists: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves a list of allowed IPs from an external system. It does + not match any of the specific categories like 'Enrich IOC' (as it doesn't take + an IOC as input), 'Search Events', or others. It is a configuration retrieval + action. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -559,48 +580,24 @@ Get Allowed IP Lists: update_email: false update_identity: false update_ticket: false - ai_description: >- - ### General Description - - Retrieves information about Allowed IPv4 Lists from the Bandura Cyber GMC platform. - This action allows users to fetch metadata for all configured allowed lists or - filter for a specific list by name. The retrieved data includes list UUIDs, names, - descriptions, and status, which are then presented as a data table and a file - attachment within the case. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | List Name | String | No | The specific name of the Allowed IPv4 List to retrieve. - This field is case-sensitive. If left empty, the action returns all available - allowed lists. | - - - ### Flow Description - - 1. **Authentication**: Connects to the Bandura Cyber API using the provided credentials - to establish a session. - - 2. **Data Retrieval**: Executes a request to the Bandura Cyber API to fetch the - collection of Allowed IPv4 Lists. - - 3. **Filtering**: If a `List Name` is provided, the action filters the returned - data to find the specific list matching that name. - - 4. **Output Generation**: Formats the retrieved list data into a JSON result, - a CSV-formatted data table, and a text attachment for the case wall. - - 5. **Cleanup**: Terminates the session by logging out of the Bandura Cyber manager. - - - ### Additional Notes - - This action does not process or require any entities from the Google SecOps case; - it operates as a global data retrieval utility. + ai_description: "Retrieves a list of allowed IPv4 addresses from the Bandura Cyber\ + \ platform. This action fetches the configured allowed IP lists, optionally filtered\ + \ by a specific list name, and provides the results as a data table and JSON attachment\ + \ for analysis.\n\n### Flow Description\n1. **Configuration Extraction**: The\ + \ action retrieves the necessary API credentials (API Root, Username, Password)\ + \ and optional parameters (List Name) from the integration configuration.\n2.\ + \ **Authentication**: It initializes the `BanduraCyberManager` and authenticates\ + \ with the Bandura Cyber API.\n3. **Data Retrieval**: It calls the `show_allowed_ip_list`\ + \ method to fetch the allowed IP lists from the external system.\n4. **Result\ + \ Processing**: \n - If lists are found, it attaches the raw JSON results to\ + \ the action, adds a data table to the case, and returns the JSON results.\n \ + \ - If no lists are found, it returns a message indicating no results were found.\n\ + 5. **Cleanup**: It logs out of the Bandura Cyber session.\n\n### Parameters\n\ + | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ + | List Name | string | No | The name of the specific allowed IP list to retrieve.\ + \ If not provided, all lists are returned. |\n\n### Additional Notes\n- This action\ + \ does not modify any external or internal data. It is a read-only operation used\ + \ for information retrieval." capabilities: can_create_case_comments: false can_create_insight: false @@ -611,8 +608,16 @@ Get Allowed IP Lists: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve allowed IP lists from the Bandura + Cyber API. It does not modify any external systems or internal SOAR case data. + It only reports results via data tables and JSON attachments. categories: enrichment: false + reasoning: >- + The action retrieves data from an external system but does not act on specific + entities or alerts to enrich them. It is a general utility action for retrieving + configuration lists, thus it does not meet the criteria for an Enrichment Action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -628,6 +633,9 @@ Get Allowed IP Lists: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with or filter any entities. It operates independently + of the SOAR entity model. Get Denied Domain Lists: action_product_categories: add_alert_comment: false @@ -640,9 +648,13 @@ Get Denied Domain Lists: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: false + enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves a list of denied domains, which provides threat intelligence + and reputation context. This aligns with the 'Enrich IOC' category. It does + not perform any other actions such as blocking, ticket creation, or host containment. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -658,49 +670,37 @@ Get Denied Domain Lists: update_identity: false update_ticket: false ai_description: >- - ### General Description - - Retrieves Denied Domain Lists from the Bandura Cyber platform. This action allows - users to fetch all configured denied domain lists or filter for a specific list - by name. The retrieved data is presented as a data table, a JSON result, and a - file attachment for further analysis. + Retrieves a list of denied domains from the Bandura Cyber platform. This action + fetches the configured denied domain lists, optionally filtered by a specific + list name, and presents the results within the SOAR case as an attachment, a data + table, and a JSON result. - ### Parameters Description + ### Parameters - | Parameter | Description | Type | Mandatory | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | List Name | The name of the specific denied domain list to retrieve. This parameter - is case-sensitive. If omitted, the action returns all available denied domain - lists. | String | No | + | List Name | string | No | The name of the specific denied domain list to retrieve. + If not provided, all lists are returned. | ### Flow Description - 1. **Authentication**: The action authenticates with the Bandura Cyber API using - the provided Username and Password to obtain an access token. - - 2. **Data Retrieval**: It sends a GET request to the Bandura Cyber API to fetch - the denied domain lists. - - 3. **Filtering**: If a 'List Name' is provided, the action filters the retrieved - lists to find a match (case-sensitive). - - 4. **Session Termination**: The action performs a logout to invalidate the session - token. + 1. Extracts integration configuration parameters (API Root, Username, Password, + Verify SSL). - 5. **Output Generation**: The results are processed and added to the action output - as a JSON result, a formatted data table, and a text file attachment containing - the raw JSON data. + 2. Initializes the `BanduraCyberManager` to establish a session with the Bandura + Cyber API. + 3. Calls the `show_denied_domain_list` method to retrieve the requested denied + domain lists. - ### Additional Notes + 4. If results are found, adds the data to the SOAR case using `add_attachment`, + `add_data_table`, and `add_result_json`. - This action does not operate on specific entities within the case; it is a global - retrieval action used to audit or verify the state of denied domain lists in Bandura - Cyber. + 5. Logs the outcome and terminates the action with a success or failure status. capabilities: can_create_case_comments: false can_create_insight: false @@ -711,8 +711,19 @@ Get Denied Domain Lists: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Bandura Cyber API to retrieve denied + domain lists. It does not mutate external systems. It adds results to the SOAR + case using standard output methods (attachments, data tables), which is standard + for enrichment actions and does not constitute a mutation of existing internal + case data. categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches threat intelligence data (denied domain lists) from an external + system and presents it within the SOAR case. It does not mutate external systems + or modify existing internal case data, fitting the criteria for an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -728,6 +739,9 @@ Get Denied Domain Lists: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or utilize `siemplify.target_entities`. It + operates globally based on the provided configuration and parameters. Get Denied IP Lists: action_product_categories: add_alert_comment: false @@ -743,6 +757,11 @@ Get Denied IP Lists: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves a list of denied IPs from an external system. It does not + match any of the specific categories like 'Enrich IOC' (no entity input), 'Contain + Host', or 'Search Events' (which typically refers to logs/telemetry). It is + a general data retrieval action. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -757,27 +776,48 @@ Get Denied IP Lists: update_email: false update_identity: false update_ticket: false - ai_description: "### General Description\nRetrieves information about denied IPv4\ - \ lists from the Bandura Cyber platform. This action allows analysts to view the\ - \ metadata of existing denied lists, which is useful for verifying configurations\ - \ or identifying specific list UUIDs for subsequent management actions.\n\n###\ - \ Parameters Description\n| Parameter Name | Type | Mandatory | Description |\n\ - | :--- | :--- | :--- | :--- |\n| List Name | String | No | The specific name of\ - \ the denied IP list to retrieve. If provided, the action filters the results\ - \ to match this name (case-sensitive). If omitted, all denied IP lists are returned.\ - \ |\n\n### Additional Notes\nThis action does not process specific entities; it\ - \ retrieves global list information from the Bandura Cyber integration. The results\ - \ are provided as a data table and a file attachment for analyst review.\n\n###\ - \ Flow Description\n1. **Authentication**: Establishes a session with the Bandura\ - \ Cyber API using the configured credentials.\n2. **Data Retrieval**: Executes\ - \ a GET request to the `/denied-lists/ipv4` endpoint to fetch all denied IP lists.\n\ - 3. **Filtering**: If the `List Name` parameter is provided, the action filters\ - \ the API response to find the specific list matching that name.\n4. **Output\ - \ Generation**: \n * Adds the raw JSON response as a file attachment named\ - \ `denied_ip_lists.txt` to the case.\n * Constructs a data table named `Bandura\ - \ Denied IP Lists` containing the list details.\n * Returns the list data\ - \ as a JSON result for use in downstream playbook logic.\n5. **Session Termination**:\ - \ Logs out of the Bandura Cyber API." + ai_description: >- + Retrieves a list of denied IPv4 addresses from the Bandura Cyber platform. This + action allows users to optionally filter by a specific list name to narrow down + the results. The retrieved data is returned as a JSON object, a data table, and + an attached text file for further analysis. + + + ### Flow Description + + 1. **Configuration Initialization**: The action initializes the integration using + the provided API Root, Username, Password, and SSL verification settings. + + 2. **Manager Instantiation**: A `BanduraCyberManager` instance is created to handle + the API communication. + + 3. **Data Retrieval**: The action calls the `show_denied_ip_list` method, passing + the optional `List Name` parameter to fetch the relevant denied IP list from the + Bandura Cyber API. + + 4. **Result Processing**: + - If data is returned, the action attaches the raw JSON output as a file, displays + the results in a data table, and adds the JSON result to the action output. + - If no data is found, the action returns a message indicating that no lists + were found. + 5. **Session Termination**: The action logs out of the Bandura Cyber session. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | List Name | string | No | The name of the specific denied IP list to retrieve. + This parameter is case-sensitive. If left empty, the action retrieves all available + denied IP lists. | + + + ### Additional Notes + + - This action is a read-only operation and does not modify any data in the Bandura + Cyber platform or the SOAR environment. capabilities: can_create_case_comments: false can_create_insight: false @@ -788,8 +828,16 @@ Get Denied IP Lists: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Bandura Cyber API to retrieve denied + IP lists. It does not modify any external systems or internal SOAR data. It + does not interact with entities, create insights, or modify alert data. categories: enrichment: false + reasoning: >- + The action does not take entities as input and does not enrich them. It is a + standalone utility to fetch data from an external system. Therefore, it does + not meet the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -805,6 +853,9 @@ Get Denied IP Lists: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or use `siemplify.target_entities`. It operates + independently of any specific entity. Ping: action_product_categories: add_alert_comment: false @@ -820,6 +871,9 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test (Ping) and does not perform any of the defined + functional operations like enriching IOCs, blocking, or creating tickets. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -835,69 +889,62 @@ Ping: update_identity: false update_ticket: false ai_description: >- - ### General Description - - Tests the connectivity between Google SecOps and the Bandura Cyber GMC (Global - Management Center) API. This action verifies that the integration can successfully - authenticate using the provided configuration credentials and reach the specified - API endpoint. - - - ### Parameters Description - - This action does not have any action-specific parameters. It utilizes the following - integration configuration parameters: + Tests connectivity to the Bandura Cyber API. This action verifies the integration's + ability to communicate with the external service by performing an authentication + request and subsequently terminating the session. - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - | API Root | String | Yes | The base URL for the Bandura Cyber API. | + ### Flow Description - | Username | String | Yes | The username used for authentication. | + 1. Extracts configuration parameters: **API Root**, **Username**, **Password**, + and **Verify SSL**. - | Password | String | Yes | The password used for authentication. | + 2. Initializes the `BanduraCyberManager` which performs an authentication request + (POST) to the Bandura Cyber API to retrieve an access token. - | Verify SSL | Boolean | No | If enabled, the action will verify the SSL certificate - of the API server. | + 3. Performs a logout request (POST) to terminate the session. + 4. Checks if the access token was successfully retrieved to determine the connection + status. - ### Flow Description + 5. Returns a success or failure message to the SOAR platform. - 1. **Configuration Extraction**: Retrieves the API Root, Username, Password, and - SSL verification settings from the integration's global configuration. - 2. **Authentication Attempt**: Initializes the `BanduraCyberManager`, which automatically - attempts to log in to the Bandura Cyber API via a POST request to the `/auth/login` - endpoint to obtain an access token. + ### Parameters - 3. **Session Termination**: Immediately calls the `logout` method to close the - session created during the connectivity test via a POST request to the `/auth/logout` - endpoint. + | Parameter | Type | Mandatory | Description | - 4. **Connectivity Validation**: Evaluates whether an access token was successfully - obtained during the login process. + | :--- | :--- | :--- | :--- | - 5. **Status Reporting**: Outputs a 'Connection Established' message if successful, - or 'Connection Failed' if the authentication or network request failed. + | API Root | String | Yes | The base URL for the Bandura Cyber API. | + | Username | String | Yes | The username for authentication. | - ### Additional Notes + | Password | String | Yes | The password for authentication. | - This is a health-check action and does not interact with any entities or modify - any data within the SOAR or the external system. + | Verify SSL | Boolean | No | Whether to verify SSL certificates. Defaults to + False. | capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false - can_mutate_external_data: false + can_mutate_external_data: true can_mutate_internal_data: false can_update_entities: false - external_data_mutation_explanation: null + external_data_mutation_explanation: >- + Performs authentication (login) and session termination (logout) POST requests + against the Bandura Cyber API. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to authenticate and a POST request to logout. + This constitutes external state mutation (session creation/destruction). It + does not fetch data for enrichment or modify internal SOAR data. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action, which is explicitly excluded from being an enrichment + action per the instructions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -913,3 +960,5 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. diff --git a/content/response_integrations/third_party/community/bandura_cyber/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/bandura_cyber/resources/ai/integration_ai_description.yaml index b927e7b41..60bed395f 100644 --- a/content/response_integrations/third_party/community/bandura_cyber/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/community/bandura_cyber/resources/ai/integration_ai_description.yaml @@ -7,6 +7,14 @@ product_categories: iam_and_identity_management: false itsm: false network_security: true + reasoning: >- + The Bandura Cyber integration provides capabilities to manage allow and block + lists for IP addresses and domains. This functionality directly aligns with the + Network Security category, which includes the ability to block malicious IPs and + URLs at the gateway. The integration does not perform SIEM log analysis, EDR host-level + investigation, or standard Threat Intelligence enrichment (such as reputation + lookups). It also does not interact with email, IAM, cloud, ITSM, or asset inventory + systems. Therefore, it is classified primarily under Network Security. siem: false threat_intelligence: false vulnerability_management: false diff --git a/content/response_integrations/third_party/community/be_secure/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/be_secure/resources/ai/actions_ai_description.yaml index 994424f18..9988c2f53 100644 --- a/content/response_integrations/third_party/community/be_secure/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/be_secure/resources/ai/actions_ai_description.yaml @@ -13,6 +13,10 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action performs a connectivity check ('Ping') to the beSECURE integration. + It does not perform any of the defined product category actions such as enriching + IOCs, updating alerts, or creating tickets. Therefore, no categories are selected. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -27,39 +31,19 @@ Ping: update_email: false update_identity: false update_ticket: false - ai_description: >- - ### General Description - - The **Ping** action is designed to verify the connectivity between the Google - SecOps (Chronicle) environment and the **beSECURE** server. It ensures that the - provided URL and API Key are valid and that the network path is open by attempting - to retrieve a list of networks from the beSECURE API. - - - ### Parameters Description - - There are no action-specific parameters for this action. It relies entirely on - the integration's global configuration (URL, API Key, and SSL verification settings). - - - ### Flow Description - - 1. **Configuration Retrieval:** The action fetches the integration's global settings, - including the API Key, Server URL, and SSL verification preference. - - 2. **Data Sanitization:** The API Key is cleaned of non-alphanumeric characters, - and the URL is formatted to ensure it includes the correct protocol (HTTPS/HTTP). - - 3. **Connectivity Test:** The action performs a GET request to the beSECURE `/json.cgi` - endpoint using the `returnnetworks` action parameter to test the credentials and - connectivity. - - 4. **Validation:** The script checks the JSON response for any error keys returned - by the beSECURE API. - - 5. **Result Reporting:** If the request is successful and no errors are found, - the action completes with a success status. If an error is detected or the request - fails, it reports a failure. + ai_description: "This action verifies connectivity to the beSECURE integration by\ + \ performing a GET request to the `/json.cgi` endpoint. \n\n### Parameters\n|\ + \ Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ + | API Key | String | Yes | The API key used for authentication with the beSECURE\ + \ service. |\n| URL | String | Yes | The base URL of the beSECURE instance. |\n\ + | Verify SSL Ceritifcate? | Boolean | Yes | A flag indicating whether to verify\ + \ the SSL certificate during the connection. |\n\n### Flow Description\n1. Retrieve\ + \ the integration configuration, including the API Key, URL, and SSL verification\ + \ setting.\n2. Construct a GET request to the configured URL with specific parameters\ + \ (`primary=\"admin\"`, `secondary=\"networks\"`, `action=\"returnnetworks\"`,\ + \ etc.).\n3. Execute the request to check connectivity.\n4. Validate the response;\ + \ if an \"error\" key is present, the action is marked as failed.\n5. Terminate\ + \ the action with a success or failure status." capabilities: can_create_case_comments: false can_create_insight: false @@ -70,8 +54,16 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to check connectivity/retrieve data. It does + not mutate external systems (GET only). It does not mutate internal SOAR data + (no entity updates, insights, or comments). categories: enrichment: false + reasoning: >- + The action is named 'Ping'. According to the instructions, actions named 'Ping' + must not be categorized as enrichment actions, regardless of whether they fetch + data. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -87,3 +79,6 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not interact with `siemplify.target_entities` or any entity-specific + logic. It operates globally using the integration configuration. diff --git a/content/response_integrations/third_party/community/be_secure/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/be_secure/resources/ai/connectors_ai_description.yaml index d35f9a885..51618754c 100644 --- a/content/response_integrations/third_party/community/be_secure/resources/ai/connectors_ai_description.yaml +++ b/content/response_integrations/third_party/community/be_secure/resources/ai/connectors_ai_description.yaml @@ -2,11 +2,12 @@ Pull reports: ai_description: >- ### General Description - The beSECURE connector integrates Google SecOps with Beyond Security's beSECURE - Vulnerability Assessment and Management solution. It automatically retrieves vulnerability - scan results for networks and hosts, converting identified vulnerabilities into - actionable alerts. This allows security teams to monitor scan progress and respond - to newly discovered vulnerabilities directly within the SOAR platform. + The beSECURE Connector integrates with the Beyond Security beSECURE vulnerability + assessment platform to ingest vulnerability scan data into Google SecOps. It periodically + polls the beSECURE API for completed scans, retrieves detailed vulnerability reports, + and converts them into actionable alerts within the SOAR platform. This allows + security teams to monitor and respond to vulnerabilities identified by beSECURE + directly within their incident response workflows. ### Parameters Description @@ -15,53 +16,45 @@ Pull reports: | :--- | :--- | :--- | :--- | - | Verify SSL Ceritifcate? | Boolean | No | If set to true, the connector will - verify the SSL certificate of the beSECURE server. | + | Verify SSL Ceritifcate? | Boolean | No | Whether to verify the SSL certificate + of the beSECURE server. | - | Check Every X Minutes | String | Yes | The lookback window (in minutes) to check - for completed scans during each execution. | + | Check Every X Minutes | String | Yes | The interval in minutes to check for + new scans. | - | URL | String | Yes | The base URL of the beSECURE instance (e.g., `https://besecure.yourdomain.com`). - | + | URL | String | Yes | The base URL of the beSECURE instance. | - | API Key | Password | Yes | The API key required to authenticate with the beSECURE - JSON API. | + | API Key | Password | Yes | The API key for authenticating with the beSECURE + API. | - | DeviceProductField | String | Yes | The field name used to identify the device - product in the ingested events (default: beSECURE Pull Reports). | + | DeviceProductField | String | Yes | The field name used to determine the device + product. | | EventClassId | String | No | The field name used to determine the event name - or sub-type. | + (sub-type). | - | PythonProcessTimeout | String | Yes | The maximum execution time allowed for - the connector script in seconds. | + | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the + python process. | ### Flow Description - 1. **Initialization**: The connector extracts configuration parameters and cleans - the API key of any non-alphanumeric characters. + 1. The connector initializes and connects to the beSECURE API using the provided + URL and API Key. - 2. **Scan Discovery**: It queries the beSECURE API (`returnnetworks` action) to - identify scans that have finished within the specified rotation time. + 2. It queries the API for network scans that have completed within the configured + "Check Every X Minutes" window. - 3. **Deduplication**: The connector maintains a local state file (`previous_scans.json`) - to track processed scan IDs and scan numbers, ensuring that duplicate alerts are - not created for the same scan results. + 3. It maintains a local `previous_scans.json` file to track processed scan IDs + and avoid duplicate ingestion. - 4. **Report Retrieval**: For each new scan identified, the connector fetches the - detailed vulnerability report in JSON format using the `getreport` action. + 4. For each new scan, it fetches the detailed vulnerability report in JSON format. - 5. **Vulnerability Parsing**: It iterates through the `VulnerableHosts` list. - It filters out vulnerabilities with a `RiskFactor` of 0 (informational) to focus - on actionable security risks. + 5. It iterates through the vulnerable hosts, filtering for vulnerabilities with + a `RiskFactor` of 1 or higher. - 6. **Alert Creation**: For each valid vulnerability, it creates a Google SecOps - alert. The alert priority is dynamically mapped based on the beSECURE `RiskFactor` - (8 = High, 4 = Medium, 1 = Low). + 6. Valid vulnerabilities are mapped to `AlertInfo` objects, including relevant + details like `VulnID`, `RiskFactor`, and `ScanDate`. - 7. **Event Mapping**: Detailed host information, including HostID, Port, Service, - and TestID, is mapped into the event structure associated with the alert. - - 8. **Ingestion**: The final set of alerts and events is returned to Google SecOps - for case creation and further investigation. + 7. The connector creates events for each vulnerability and returns the aggregated + alerts to the SOAR platform for case creation. diff --git a/content/response_integrations/third_party/community/be_secure/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/be_secure/resources/ai/integration_ai_description.yaml index dda0f4c70..2ffafe830 100644 --- a/content/response_integrations/third_party/community/be_secure/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/community/be_secure/resources/ai/integration_ai_description.yaml @@ -7,6 +7,15 @@ product_categories: iam_and_identity_management: false itsm: false network_security: false + reasoning: >- + The integration 'be_secure' is a vulnerability assessment and management solution. + Its primary capability, demonstrated by the 'Pull reports' connector, is to ingest + vulnerability scan data, identify vulnerable hosts, and generate alerts for security + teams to address. This directly aligns with the Vulnerability Management category, + which focuses on verifying asset susceptibility to exploits and providing vulnerability + data. It does not perform functions related to SIEM, EDR, Network Security, Threat + Intelligence, Email Security, IAM, Cloud Security, ITSM, Asset Inventory, or Collaboration + as defined in the provided criteria. siem: false threat_intelligence: false vulnerability_management: true diff --git a/content/response_integrations/third_party/community/bitdefender_gravity_zone/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/bitdefender_gravity_zone/resources/ai/actions_ai_description.yaml index 96b63eadc..88c933c00 100644 --- a/content/response_integrations/third_party/community/bitdefender_gravity_zone/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/bitdefender_gravity_zone/resources/ai/actions_ai_description.yaml @@ -13,6 +13,9 @@ Blocklist - Add Hashes: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action adds file hashes to the Bitdefender blocklist, which directly matches + the 'Add IOC To Blocklist' category. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -28,55 +31,45 @@ Blocklist - Add Hashes: update_identity: false update_ticket: false ai_description: >- - Adds one or more file hashes to the Bitdefender GravityZone Blocklist to prevent - execution or interaction within the protected environment. This action supports - both MD5 and SHA256 hash formats. It parses a comma-separated list of hashes provided - by the user, categorizes them by type, and submits them to the Bitdefender Control - Center with associated source information for context. + Adds one or more file hashes (SHA256 or MD5) to the Bitdefender GravityZone blocklist. + This action allows security analysts to proactively block malicious files across + the environment managed by Bitdefender. - ### Flow Description: - - 1. **Configuration Extraction:** Retrieves the API Key, Access URL, and SSL verification - settings from the integration configuration. + ### Flow Description - 2. **Parameter Retrieval:** Extracts the 'Hash List' (comma-separated string) - and 'Source Info' from the action parameters. + 1. The action extracts the required configuration (API Key, Access URL, SSL verification) + and action parameters (Hash List, Source Info). - 3. **Connection Initialization:** Establishes a connection to the Bitdefender - GravityZone Control Center using the provided credentials. + 2. It initializes the `BitdefenderGravityZoneManager` to establish a connection + with the Bitdefender GravityZone Control Center. - 4. **Hash Categorization:** Splits the input string into individual hashes and - uses regular expressions to distinguish between MD5 and SHA256 formats. + 3. The provided comma-separated hash list is parsed and categorized into SHA256 + and MD5 lists. - 5. **API Submission:** Performs separate API calls to the Bitdefender 'addToBlocklist' - endpoint for each hash type (MD5 and SHA256) found in the list. + 4. The action sends a POST request to the Bitdefender API to add the categorized + hashes to the blocklist, including the provided source information. - 6. **Result Handling:** Returns a JSON summary of the hashes successfully processed - and categorized. + 5. The result of the operation is returned and logged. - ### Parameters Description: + ### Parameters - | Parameter Name | Type | Mandatory | Description | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Hash List | String | Yes | A comma-separated list of file hashes to be blocked. - Supports MD5 (32 chars) and SHA256 (64 chars). | + | Hash List | string | Yes | A comma-separated list of SHA256 or MD5 hashes to + be added to the blocklist. | - | Source Info | String | Yes | A descriptive string providing context or a reason - for why these hashes are being added to the blocklist (e.g., 'Determined to be - malicious'). | + | Source Info | string | Yes | A description or reason for adding the hashes to + the blocklist. | - ### Additional Notes: - - - If a hash is provided that does not match the MD5 or SHA256 format, the action - will raise an error and fail to process the list. + ### Additional Notes - - This action does not automatically iterate over entities in the current case; - it relies strictly on the manual input provided in the 'Hash List' parameter. + - The action does not support file types other than SHA256 or MD5. If unsupported + hashes are provided, the action will raise an error. capabilities: can_create_case_comments: false can_create_insight: false @@ -85,13 +78,18 @@ Blocklist - Add Hashes: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Adds file hashes to the Bitdefender GravityZone blocklist, which changes the - security policy state in the external system to prevent the execution of files - matching those hashes. + Adds specified file hashes (SHA256/MD5) to the Bitdefender GravityZone blocklist. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the Bitdefender GravityZone API to add + hashes to a blocklist. It does not fetch data, nor does it modify internal SOAR + entities or case data. categories: enrichment: false + reasoning: >- + The action is a mutation action (adding to blocklist) and does not fetch data + for enrichment. Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -107,6 +105,9 @@ Blocklist - Add Hashes: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities`. It accepts a raw + string input for the hash list via action parameters. Blocklist - List Items: action_product_categories: add_alert_comment: false @@ -122,6 +123,10 @@ Blocklist - List Items: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves the current blocklist from the external system. It does + not match any of the specific categories provided (e.g., it is not enriching + a specific IOC, nor is it updating an alert or ticket). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -139,24 +144,24 @@ Blocklist - List Items: ai_description: >- ### General Description - This action retrieves the complete list of file hashes (MD5 and SHA256) currently - stored in the Bitdefender GravityZone blocklist. It is a utility action used to - audit or synchronize the state of blocked indicators within the GravityZone environment. + This action retrieves the complete list of hashes currently present in the Bitdefender + GravityZone blocklist. It connects to the Bitdefender GravityZone Control Center + to fetch the blocklist data and returns it as a JSON result for further analysis + or reporting. ### Flow Description - 1. **Authentication**: Connects to the Bitdefender GravityZone Control Center - using the provided API Key and Access URL. + 1. The action initializes the Bitdefender GravityZone manager using the provided + API credentials and connection settings. - 2. **Data Retrieval**: Calls the `getBlocklistItems` API method via the Incidents - service. + 2. It executes a request to the Bitdefender API to retrieve all items currently + in the blocklist. - 3. **Pagination Handling**: Automatically iterates through all result pages to - ensure the entire blocklist is captured. + 3. The retrieved blocklist data is added to the action's result output as a JSON + object. - 4. **Output**: Aggregates the retrieved items and returns them as a JSON result - for use in subsequent playbook steps. + 4. The action completes with a success status. ### Parameters Description @@ -165,25 +170,30 @@ Blocklist - List Items: | :--- | :--- | :--- | :--- | - | Use JSON Filter | String | No | Placeholder parameter. Currently not utilized - by the underlying API logic for this specific action. | + | Integration - API Key | String | Yes | The API key used for authentication with + Bitdefender GravityZone. | + + | Integration - Access URL | String | Yes | The base URL for the Bitdefender GravityZone + API. | - | Filter | String | No | Placeholder parameter. Currently not utilized by the - underlying API logic for this specific action. | + | Integration - Verify SSL | Boolean | Yes | Whether to verify SSL certificates + when connecting to the API. | - | Parent ID | String | No | Placeholder parameter. Currently not utilized by the - underlying API logic for this specific action. | + | Use JSON Filter | Boolean | No | Flag to determine if a JSON filter should be + applied to the request. | - | Endpoints | String | No | Placeholder parameter. Currently not utilized by the - underlying API logic for this specific action. | + | Filter | String | No | A filter string to narrow down the results. | + + | Parent ID | String | No | The parent ID to scope the request. | + + | Endpoints | String | No | Specifies the endpoints to include in the request. + | ### Additional Notes - While the action script extracts several parameters (Use JSON Filter, Filter, - Parent ID, Endpoints), the current implementation of the `blocklist_hashes_list` - method in the integration manager does not apply these filters to the API request. - The action will return the full blocklist regardless of these inputs. + This action is a read-only operation that fetches data from the external system. + It does not modify any entities or alert data within the SOAR platform. capabilities: can_create_case_comments: false can_create_insight: false @@ -194,8 +204,16 @@ Blocklist - List Items: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve the blocklist from the Bitdefender + GravityZone API. It does not perform any write operations on external systems, + nor does it modify any internal SOAR data (entities, insights, or alert fields). categories: enrichment: false + reasoning: >- + The action retrieves data (the blocklist) but does not perform enrichment on + specific entities or alerts. It is a utility/retrieval action rather than an + enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -211,6 +229,9 @@ Blocklist - List Items: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with the `siemplify.target_entities` list. It operates + globally to retrieve the blocklist from the external system. Blocklist - Remove Item: action_product_categories: add_alert_comment: false @@ -226,6 +247,9 @@ Blocklist - Remove Item: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action explicitly removes an item from the Bitdefender GravityZone blocklist, + which directly matches the 'Remove IOC From Blocklist' category. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: true reset_identity_password: false @@ -241,42 +265,36 @@ Blocklist - Remove Item: update_identity: false update_ticket: false ai_description: >- - Removes a specific item from the Bitdefender GravityZone blocklist using its unique - identifier (Hash ID). This action is used to restore the reputation or execution - rights of a file hash that was previously blocked within the GravityZone environment. - + Removes a specific hash item from the Bitdefender GravityZone blocklist. This + action allows security analysts to manage the blocklist by deleting entries that + are no longer required or were added in error. - ### Flow Description: - 1. **Authentication**: Connects to the Bitdefender GravityZone Control Center - using the provided API Key and Access URL. - - 2. **Parameter Extraction**: Retrieves the mandatory `Hash ID` parameter provided - by the user. + ### Parameters - 3. **API Execution**: Calls the `removeFromBlocklist` method via the Bitdefender - API, passing the specific `hashItemId`. + | Parameter | Type | Mandatory | Description | - 4. **Result Handling**: Evaluates the API response to determine if the removal - was successful and reports the final status to the Google SecOps platform. + | :--- | :--- | :--- | :--- | + | Hash ID | string | Yes | The unique identifier of the item in the Blocklist + to be deleted. | - ### Parameters Description: - | Parameter Name | Type | Mandatory | Description | + ### Flow Description - | :--- | :--- | :--- | :--- | + 1. The action extracts the required configuration parameters (API Key, Access + URL, and SSL verification setting) from the integration settings. - | Hash ID | String | Yes | The unique identifier (UUID) of the item in the Bitdefender - Blocklist that needs to be deleted. Example: `0df7568c-59c1-48e0-a31b-18d83e6d9810`. - | + 2. It retrieves the `Hash ID` provided as an input parameter. + 3. The action initializes the `BitdefenderGravityZoneManager` to establish a connection + with the Bitdefender GravityZone Control Center. - ### Additional Notes: + 4. It invokes the `removeFromBlocklist` method, which sends a request to the Bitdefender + API to remove the specified hash item. - - This action does not run on entities automatically; it requires the specific - internal ID of the blocklist entry, which is typically obtained from a previous - 'List Blocklist' action or external search. + 5. The action concludes by returning a success or failure status based on the + API response. capabilities: can_create_case_comments: false can_create_insight: false @@ -285,12 +303,19 @@ Blocklist - Remove Item: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Removes a hash entry from the Bitdefender GravityZone blocklist, effectively - unblocking that file hash in the external security system. + Removes a specific hash item from the Bitdefender GravityZone blocklist. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a mutation on an external system (Bitdefender GravityZone) + by removing an item from the blocklist. It does not fetch data, nor does it + modify internal SOAR case data or entities. categories: enrichment: false + reasoning: >- + The action is a mutation action (removing an item from a blocklist) and does + not retrieve data for enrichment purposes. Therefore, it is not an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -306,6 +331,9 @@ Blocklist - Remove Item: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with SOAR entities. It operates based on a provided + 'Hash ID' input parameter. Create Scan Task: action_product_categories: add_alert_comment: false @@ -321,6 +349,10 @@ Create Scan Task: enrich_ioc: false execute_command_on_the_host: true get_alert_information: false + reasoning: >- + The action triggers a scan task on a remote endpoint via the Bitdefender GravityZone + platform. This aligns with the 'Execute Command on the Host' category as it + initiates a remote operation on the endpoint. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -336,61 +368,60 @@ Create Scan Task: update_identity: false update_ticket: false ai_description: >- - Initiates a scan task on specified endpoints or containers within Bitdefender - GravityZone. This action allows users to trigger various types of scans, including - Quick, Full, Memory, and Custom scans, to identify potential threats on target - systems. + ### General Description + + This action creates a scan task on the Bitdefender GravityZone platform for specified + endpoints or containers. It allows users to trigger different types of scans (Quick, + Full, Memory, or Custom) and configure custom scan settings such as depth and + paths. - ### Flow Description: + ### Flow Description - 1. **Configuration Extraction:** Retrieves the API Key, Access URL, and SSL verification - settings from the integration configuration. + 1. **Configuration Extraction**: The action retrieves the necessary integration + configuration parameters, including the API Key, Access URL, and SSL verification + settings. - 2. **Parameter Parsing:** Extracts the target IDs, scan type, and optional custom - scan settings (depth and paths) from the action parameters. + 2. **Parameter Extraction**: The action extracts the specific scan parameters + provided by the user, including the target IDs, scan type, task name, and optional + custom scan settings (depth and paths). - 3. **API Connection:** Establishes a connection to the Bitdefender GravityZone - Control Center using the provided credentials. + 3. **Manager Initialization**: The `BitdefenderGravityZoneManager` is initialized + with the provided credentials. - 4. **Task Creation:** Maps the user-provided scan settings to the Bitdefender - API format and sends a request to create the scan task for the specified targets. + 4. **Task Execution**: The action calls the `task_create_scan` method, which sends + a POST request to the Bitdefender GravityZone API to initiate the scan task. - 5. **Result Reporting:** Returns a success or failure status based on whether - the task was successfully created in the external system. + 5. **Result Handling**: The action logs the outcome of the request and terminates + with a success or failure status. - ### Parameters Description: + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | | Target IDs | string | Yes | A comma-separated list of the IDs of the targets - to scan. These IDs can represent endpoints or containers. | + (endpoints or containers) to scan. | - | Scan Type | ddl | Yes | The type of scan to perform. Options include: Quick, - Full, Memory, or Custom. | + | Scan Type | ddl | Yes | The type of scan to perform. Options: Quick, Full, Memory, + Custom. | - | Task Name | string | No | The name to assign to the task. If not provided, the - system generates a name automatically. | + | Task Name | string | No | The name of the task. If not provided, it will be + automatically generated. | - | Custom Scan - Depth | ddl | No | The scan profile depth (Aggressive, Normal, - Permissive). This is only utilized when the 'Scan Type' is set to 'Custom'. | + | Custom Scan - Depth | ddl | No | The scan profile (Aggressive, Normal, Permissive). + Only used when Scan Type is 'Custom'. | | Custom Scan - Paths | string | No | A comma-separated list of target paths to - be scanned. This is only utilized when the 'Scan Type' is set to 'Custom'. | + be scanned. Only used when Scan Type is 'Custom'. | - ### Additional Notes: - - * **Note on Description:** While the internal metadata description mentions isolation, - the actual logic and parameters of this action are strictly for creating scan - tasks. + ### Additional Notes - * **Custom Scans:** When selecting 'Custom' as the Scan Type, ensure that 'Custom - Scan - Depth' and 'Custom Scan - Paths' are configured to define the scope of - the scan. + - The parameters 'Custom Scan - Depth' and 'Custom Scan - Paths' are only utilized + when the 'Scan Type' is set to 'Custom'. capabilities: can_create_case_comments: false can_create_insight: false @@ -399,12 +430,20 @@ Create Scan Task: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new scan task in the Bitdefender GravityZone Control Center for the - specified target endpoints or containers. + Creates a new scan task on the Bitdefender GravityZone platform for the specified + endpoints. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the Bitdefender GravityZone API to create + a scan task on the external platform. It does not fetch data for enrichment, + nor does it modify any internal SOAR data or entities. categories: enrichment: false + reasoning: >- + The action is a mutation action (creating a task) and does not fetch data for + enrichment purposes. Therefore, it does not meet the criteria for an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -420,6 +459,9 @@ Create Scan Task: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action takes 'Target IDs' as a direct input parameter string and does not + iterate over or filter 'siemplify.target_entities'. Create Scan Task by MAC Address: action_product_categories: add_alert_comment: false @@ -435,6 +477,10 @@ Create Scan Task by MAC Address: enrich_ioc: false execute_command_on_the_host: true get_alert_information: false + reasoning: >- + The action triggers a scan task on remote endpoints via the Bitdefender GravityZone + API. This aligns with the 'Execute Command on the Host' category as it initiates + a remote operation on the endpoint. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -450,67 +496,53 @@ Create Scan Task by MAC Address: update_identity: false update_ticket: false ai_description: >- - ### General Description + Generates a scan task for managed endpoints in Bitdefender GravityZone using their + MAC addresses. This action allows security analysts to trigger remote scans (Quick, + Full, Memory, or Custom) on specific endpoints to identify potential threats or + vulnerabilities. - The **Create Scan Task by MAC Address** action allows analysts to trigger on-demand - malware scans on specific endpoints within the Bitdefender GravityZone environment - using their MAC addresses. This action is primarily used for immediate forensic - investigation or remediation when specific hosts are suspected of being compromised. + ### Flow Description - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **MAC Addresses** | String | Yes | A comma-separated list of MAC addresses for - the target endpoints. A maximum of 100 addresses can be processed in a single - request. | + 1. The action extracts configuration parameters (API Key, Access URL, Verify SSL) + and action-specific inputs (MAC Addresses, Scan Type, Task Name, Custom Scan settings). - | **Scan Type** | DDL | Yes | Specifies the type of scan to perform. Available - options: `Quick`, `Full`, `Memory`, or `Custom`. | + 2. It initializes the Bitdefender GravityZone manager to establish a connection + with the Control Center. - | **Task Name** | String | No | A custom name for the scan task. If omitted, Bitdefender - will generate a name automatically. | + 3. It invokes the `task_create_scan_macaddr` method, which sends a POST request + to the Bitdefender API to initiate the scan task for the provided MAC addresses. - | **Custom Scan - Depth** | DDL | No | Defines the thoroughness of the scan. Options: - `Aggressive`, `Normal`, `Permissive`. This is only utilized when **Scan Type** - is set to `Custom`. | + 4. The action logs the outcome and returns a success or failure status to the + SOAR platform. - | **Custom Scan - Paths** | String | No | A comma-separated list of specific file - system paths to scan. This is only utilized when **Scan Type** is set to `Custom`. - | + ### Parameters Description - ### Additional Notes - - - The action validates that no more than 100 MAC addresses are submitted at once - to comply with Bitdefender API limits. + | Parameter | Type | Mandatory | Description | - - The endpoints must be 'Managed' within GravityZone for the scan task to be successfully - created. + | :--- | :--- | :--- | :--- | + | MAC Addresses | String | Yes | A comma-separated list of MAC addresses of the + endpoints to be scanned (max 100). | - ### Flow Description + | Scan Type | DDL | Yes | The type of scan to perform: Quick, Full, Memory, or + Custom. | - 1. **Authentication**: The action authenticates with the Bitdefender GravityZone - Control Center using the configured API Key and Access URL. + | Task Name | String | No | The name of the task. If not provided, it is automatically + generated. | - 2. **Input Parsing**: It extracts the list of MAC addresses and the desired scan - configuration (type, depth, and paths). + | Custom Scan - Depth | DDL | No | The scan profile (Aggressive, Normal, Permissive). + Only used when Scan Type is 'Custom'. | - 3. **Validation**: The action checks if the number of MAC addresses exceeds the - limit of 100. + | Custom Scan - Paths | String | No | A comma-separated list of target paths to + be scanned. Only used when Scan Type is 'Custom'. | - 4. **API Mapping**: Human-readable scan types and depths are converted into the - specific integer codes required by the Bitdefender JSON-RPC API. - 5. **Task Execution**: The action sends a `createScanTaskByMac` request to the - Bitdefender Network API. + ### Additional Notes - 6. **Result Reporting**: The action concludes with a success or failure message - based on the response from the Bitdefender platform. + - The 'Custom Scan - Depth' and 'Custom Scan - Paths' parameters are only relevant + when the 'Scan Type' is set to 'Custom'. capabilities: can_create_case_comments: false can_create_insight: false @@ -519,12 +551,20 @@ Create Scan Task by MAC Address: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Initiates a new malware scan task on the specified endpoints within the Bitdefender - GravityZone environment. + Creates a new scan task on the Bitdefender GravityZone platform for the specified + endpoints. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the Bitdefender GravityZone API to create + a scan task on remote endpoints. It does not fetch data for enrichment, nor + does it modify internal SOAR data or entities. categories: enrichment: false + reasoning: >- + The action performs a state-changing operation (creating a scan task) on an + external system and does not retrieve data for enrichment purposes, therefore + it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -540,6 +580,10 @@ Create Scan Task by MAC Address: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or utilize the `siemplify.target_entities` + object. Instead, it accepts MAC addresses as a direct input parameter from the + user. Get Custom Groups List: action_product_categories: add_alert_comment: false @@ -555,6 +599,10 @@ Get Custom Groups List: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves a list of custom groups from Bitdefender GravityZone. It + does not match any of the defined categories such as enriching IOCs/Assets, + updating alerts, or performing containment actions. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -572,48 +620,38 @@ Get Custom Groups List: ai_description: >- ### General Description - Retrieves a list of child groups associated with a specific parent group within - the Bitdefender GravityZone environment. This action is primarily used to explore - the organizational structure of managed endpoints and identify group hierarchies - for administrative or investigative purposes. + Retrieves a list of custom groups from the Bitdefender GravityZone platform. This + action connects to the GravityZone Control Center and fetches the hierarchy of + groups based on an optional parent group identifier. The retrieved data is returned + as a JSON result for further use in the playbook. ### Parameters Description - | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | - - | Parent ID | String | No | The unique identifier of the parent group for which - child groups should be listed. If this parameter is null or left empty, the action - returns the default 'Computers and Groups' and 'Deleted' groups. | + | --- | --- | --- | --- | + | Parent ID | string | No | Parent group ID for which the child groups will be + listed. 'Computers and Groups' and 'Deleted' groups are returned if the passed + parameter is null. | - ### Flow Description - 1. **Authentication**: The action establishes a secure connection to the Bitdefender - GravityZone Control Center using the configured API Key and Access URL. - - 2. **Parameter Extraction**: It retrieves the `Parent ID` from the action parameters. + ### Additional Notes - 3. **API Request**: It executes a JSON-RPC request using the `getCustomGroupsList` - method to the Bitdefender Network API endpoint. + If the `Parent ID` parameter is not provided, the action returns the root groups + ('Computers and Groups' and 'Deleted'). - 4. **Data Processing**: The action validates the response from the manager and - extracts the list of group items. - 5. **Output**: The retrieved group data is added to the action's JSON results - for use in subsequent playbook logic. + ### Flow Description + 1. Initialize the Bitdefender GravityZone manager with API credentials. - ### Additional Notes + 2. Extract the `Parent ID` parameter. - - This action does not operate on specific entities (like IPs or Hostnames) but - rather retrieves global organizational data. + 3. Execute the `getCustomGroupsList` API call using the provided `Parent ID`. - - If no `Parent ID` is provided, the action defaults to the root level of the - group hierarchy. + 4. Return the list of groups in the action result. capabilities: can_create_case_comments: false can_create_insight: false @@ -624,8 +662,17 @@ Get Custom Groups List: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action makes a POST request to retrieve a list of groups (read-only operation). + It does not fetch context data for entities, nor does it update internal entities + or create insights. categories: - enrichment: true + enrichment: false + reasoning: >- + The action retrieves a list of groups from an external system. It does not perform + enrichment on any SOAR entities (e.g., updating entity fields or creating insights), + nor does it take entities as input. Therefore, it does not meet the criteria + for an Enrichment Action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -641,6 +688,10 @@ Get Custom Groups List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `siemplify.target_entities`. It operates independently + of any specific entity, using only the provided `Parent ID` parameter to query + the Bitdefender API. Get Endpoints List: action_product_categories: add_alert_comment: false @@ -656,6 +707,10 @@ Get Endpoints List: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves a list of endpoints (assets) from the Bitdefender GravityZone + platform based on user-defined filters. This aligns with the 'Search Asset' + category, as it searches for assets associated with the product. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -671,77 +726,71 @@ Get Endpoints List: update_identity: false update_ticket: false ai_description: >- - Retrieves a comprehensive list of endpoints from Bitdefender GravityZone based - on specified filtering criteria. This action allows analysts to search for endpoints - by name, MAC address, SSID, or management status (Managed, Unmanaged, or All). - It also supports filtering by specific roles such as Security Servers, Managed - Relays, and Managed Exchange Servers. The action handles pagination automatically - to ensure all matching results are returned and provides the data in a structured - JSON format for further processing. + Retrieves a list of endpoints from the Bitdefender GravityZone platform based + on specified filtering criteria. This action allows users to query the network + inventory to identify managed, unmanaged, or all endpoints, with optional filtering + by various attributes such as security agent status, server roles, and specific + identifiers. - ### Flow Description: + ### Flow Description - 1. **Authentication**: Connects to the Bitdefender GravityZone Control Center - using the provided API Key and Access URL. + 1. The action extracts integration configuration parameters (API Key, Access URL, + SSL verification) and action-specific filters. - 2. **Parameter Extraction**: Retrieves filtering parameters including Parent ID, - endpoint management status, and specific attribute filters (Name, MAC, SSID). + 2. It initializes a connection to the Bitdefender GravityZone Control Center using + the provided credentials. - 3. **API Request**: Executes the `getEndpointsList` method against the Bitdefender - Network API. + 3. It constructs a request with the specified filters (e.g., Parent ID, Endpoint + type, SSID, MAC addresses, Name, and various role-based flags). - 4. **Pagination Handling**: Iterates through all available pages of results if - the response exceeds the single-page limit. + 4. The action executes the `getEndpointsList` API call to retrieve the filtered + list of endpoints. - 5. **Output**: Returns the aggregated list of endpoints as a JSON result and completes - the execution. + 5. The retrieved endpoint data is returned as a JSON result in the action output. - ### Parameters Description: + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Endpoints** | DDL | Yes | Determines whether to return 'All', 'Managed', or - 'Unmanaged' endpoints. | - - | **Parent ID** | String | No | The ID of the target company or group to narrow - the search scope. | + | Endpoints | ddl | Yes | Select whether to return only managed endpoints, unmanaged + endpoints, or all endpoints. | - | **Filter - Name** | String | No | Filters items by name. Requires a minimum - of three characters. | + | Parent ID | string | No | The ID of the target company or group. If not specified, + returns endpoints under Computers and Groups. | - | **Filter - MAC Addresses** | String | No | A comma-separated list of MAC addresses - to filter the endpoints. | + | Filter - SSID | string | No | The SSID (Active Directory SID) used to filter + endpoints. | - | **Filter - SSID** | String | No | The Active Directory SID of the endpoint used - for filtering. | + | Filter - MAC Addresses | string | No | Comma-separated list of MAC addresses + used to filter endpoints. | - | **Filter - Managed with BEST** | Boolean | No | If true, filters for endpoints - with the Bitdefender Endpoint Security Tools (BEST) agent installed. | + | Filter - Name | string | No | A string for filtering items by name (minimum + 3 characters). | - | **Filter - Managed Exchange Servers** | Boolean | No | If true, filters for - protected Exchange servers. | + | Filter - Depth - All Items Recursively | boolean | No | If true, filters all + endpoints recursively within the Network Inventory. | - | **Filter - Managed Relays** | Boolean | No | If true, filters for endpoints - with the Relay role. | + | Filter - Security Servers | boolean | No | If true, filters all Security Servers. + | - | **Filter - Security Servers** | Boolean | No | If true, filters for Security - Servers. | + | Filter - Managed Relays | boolean | No | If true, filters all endpoints with + the Relay role. | - | **Filter - Depth - All Items Recursively** | Boolean | No | If true, performs - a recursive search within the Network Inventory. | + | Filter - Managed Exchange Servers | boolean | No | If true, filters all protected + Exchange servers. | + | Filter - Managed with BEST | boolean | No | If true, filters all endpoints with + the security agent installed. | - ### Additional Notes: - - The **Filter - Name** parameter must contain at least 3 characters if provided; - otherwise, the action will return an error. + ### Additional Notes - - This action does not operate on specific SOAR entities but rather performs a - global search/list operation within the Bitdefender environment. + This action does not operate on specific entities from the SOAR case; it performs + a global search/list operation against the Bitdefender GravityZone API. capabilities: can_create_case_comments: false can_create_insight: false @@ -752,8 +801,17 @@ Get Endpoints List: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET-like operation (via RPC POST) to retrieve a list of + endpoints from the Bitdefender GravityZone API. It does not modify any external + system state, nor does it modify any internal SOAR case data, entities, or alerts. + It simply returns the requested data to the user. categories: enrichment: false + reasoning: >- + The action retrieves data (a list of endpoints) but does not perform enrichment + on specific entities (it does not take entities as input or update them). Therefore, + it does not meet the criteria for an Enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -769,6 +827,9 @@ Get Endpoints List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with the `siemplify.target_entities` list. It performs + a standalone search operation based on parameters provided in the action configuration. Get Hourly Usage for EC2 Instances: action_product_categories: add_alert_comment: false @@ -784,6 +845,10 @@ Get Hourly Usage for EC2 Instances: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves hourly usage statistics for EC2 instances. It does not + match any of the provided categories (Enrich IOC, Enrich Asset, Update Alert, + etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -801,48 +866,37 @@ Get Hourly Usage for EC2 Instances: ai_description: >- ### General Description - The **Get Hourly Usage for EC2 Instances** action retrieves detailed hourly usage - statistics for Amazon EC2 instance categories (e.g., micro, medium, etc.) managed - within Bitdefender GravityZone. This action is designed to provide visibility - into resource consumption and licensing usage for a specific billing month, which - is useful for cost management and auditing purposes. + This action retrieves the hourly usage statistics for Amazon EC2 instances from + the Bitdefender GravityZone platform for a specified month. It provides visibility + into resource consumption by category (e.g., micro, medium). ### Parameters Description | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + | --- | --- | --- | --- | - | **Target Month** | String | Yes | The specific month for which usage data is - requested. The value must be provided in the `mm/yyyy` format (e.g., `01/2020`). - If not provided, the integration logic typically defaults to the current month, - though the parameter is marked as mandatory in the configuration. | + | Target Month | string | Yes | The month for which the usage is returned, formatted + as "mm/yyyy". | ### Flow Description - 1. **Connection**: The action initializes a connection to the Bitdefender GravityZone - Control Center using the configured API Key and Access URL. + 1. Extracts configuration parameters (API Key, Access URL, Verify SSL) and the + `Target Month` parameter. - 2. **Request Execution**: It performs a JSON-RPC call using the `getHourlyUsageForAmazonEC2Instances` - method, passing the `Target Month` as the primary filter. + 2. Initializes the Bitdefender GravityZone manager. - 3. **Data Processing**: The action receives the usage data from the Bitdefender - API and attaches the raw result to the action's JSON output. + 3. Sends a POST request to the Bitdefender GravityZone API to fetch hourly EC2 + usage data for the specified month. - 4. **Completion**: The action concludes with a success status, making the usage - data available for subsequent playbook tasks. + 4. Adds the retrieved usage data to the action result JSON. ### Additional Notes - - This action does not operate on specific entities (like IPs or Hostnames) within - a case; it performs a global retrieval of usage data for the entire integrated - AWS environment. - - - The output is provided as a JSON result, which can be parsed by other logic - in the SOAR platform. + There are no additional notes. capabilities: can_create_case_comments: false can_create_insight: false @@ -853,8 +907,15 @@ Get Hourly Usage for EC2 Instances: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action retrieves usage data from the Bitdefender GravityZone API. It does + not modify any external or internal systems. It simply returns the data in the + action result. categories: enrichment: false + reasoning: >- + The action fetches data, but it does not operate on entities or alerts. It is + a general reporting action, not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -870,6 +931,9 @@ Get Hourly Usage for EC2 Instances: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not reference `siemplify.target_entities` or any entity objects. + It operates independently of entities. Get Managed Endpoint Details: action_product_categories: add_alert_comment: false @@ -885,6 +949,11 @@ Get Managed Endpoint Details: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves contextual metadata (security agent status, endpoint identification) + for a specific resource (endpoint). This directly matches the 'Enrich Asset' + category. It does not perform any other operations like ticket creation, alert + modification, or containment. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -900,41 +969,42 @@ Get Managed Endpoint Details: update_identity: false update_ticket: false ai_description: >- - ### General Description + Retrieves detailed information about a managed endpoint from the Bitdefender GravityZone + platform. This action provides visibility into endpoint identification, security + agent details, and the status of installed protection modules. - The **Get Managed Endpoint Details** action retrieves comprehensive information - about a specific endpoint managed within Bitdefender GravityZone. This includes - identification details for the endpoint and its security agent, as well as the - current status of various installed protection modules. + ### Flow Description - ### Parameters Description + 1. **Configuration Extraction**: The action retrieves the necessary integration + settings, including the API Key, Access URL, and SSL verification preference. - | Parameter | Type | Mandatory | Description | + 2. **Parameter Extraction**: The action extracts the `Endpoint ID` provided by + the user. - | :--- | :--- | :--- | :--- | + 3. **API Interaction**: The action initializes the `BitdefenderGravityZoneManager` + and executes a request to the Bitdefender GravityZone API to fetch the specific + details for the provided endpoint ID. - | **Endpoint ID** | String | Yes | The unique identifier of the endpoint for which - details are being requested. | + 4. **Result Processing**: The retrieved endpoint data is added to the action's + result output for further analysis or display in the SOAR platform. - ### Flow Description + ### Parameters - 1. **Authentication**: The action establishes a connection to the Bitdefender - GravityZone Control Center using the provided API Key and Access URL. + | Parameter | Type | Mandatory | Description | - 2. **Data Retrieval**: It executes a request to the `getManagedEndpointDetails` - API method using the provided **Endpoint ID**. + | :--- | :--- | :--- | :--- | - 3. **Output**: The retrieved endpoint metadata, including security agent status - and protection module details, is returned as a JSON object for use in subsequent - playbook steps. + | Endpoint ID | string | Yes | The unique identifier of the endpoint for which + the details will be retrieved. | ### Additional Notes - This action does not process SecOps entities automatically; it requires a specific - Endpoint ID as input. + This action performs a read-only operation to fetch data from the Bitdefender + GravityZone API. It does not modify the state of the endpoint or the Bitdefender + environment. capabilities: can_create_case_comments: false can_create_insight: false @@ -945,8 +1015,17 @@ Get Managed Endpoint Details: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET-like operation (via JSON-RPC POST) to retrieve endpoint + details from the Bitdefender GravityZone API. It does not modify any external + system state, nor does it update internal SOAR entities, insights, or case data. categories: - enrichment: false + enrichment: true + reasoning: >- + The action is designed to fetch contextual information about an endpoint from + an external source (Bitdefender GravityZone). It does not mutate external or + internal data, and it is not a Ping or download action. Therefore, it qualifies + as an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -962,6 +1041,10 @@ Get Managed Endpoint Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or process `siemplify.target_entities`. It + relies on a specific `Endpoint ID` provided as an input parameter to perform + its lookup. Get Network Inventory Items: action_product_categories: add_alert_comment: false @@ -973,10 +1056,15 @@ Get Network Inventory Items: disable_identity: false download_file: false enable_identity: false - enrich_asset: true + enrich_asset: false enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action searches for and retrieves a list of network inventory items (assets/endpoints) + from the Bitdefender GravityZone platform based on user-defined filters. This + aligns with the 'Search Asset' category. It does not perform enrichment on a + specific entity, nor does it update alerts or tickets. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -992,25 +1080,33 @@ Get Network Inventory Items: update_identity: false update_ticket: false ai_description: >- - Retrieves network inventory items from Bitdefender GravityZone. This action allows - users to search for and list endpoints, virtual machines, and groups within the - network hierarchy using a wide range of filters. It is primarily used for asset - discovery and gathering metadata about the managed environment. + ### General Description + + This action retrieves a list of network inventory items from the Bitdefender GravityZone + platform. It allows users to filter the inventory based on various criteria such + as name, MAC address, SSID, and specific endpoint types (e.g., EC2 instances, + virtual machines, computers, or managed servers). The retrieved data is returned + as a JSON result, providing visibility into the network inventory managed by Bitdefender. ### Flow Description - 1. **Parameter Extraction:** The action retrieves integration credentials (API - Key, Access URL) and action-specific filters (Name, MAC, SSID, Parent ID, etc.). + 1. **Configuration Extraction**: The action retrieves the necessary integration + configuration, including the API Key, Access URL, and SSL verification settings. - 2. **Manager Initialization:** Initializes the Bitdefender GravityZone Manager - to handle API communication. + 2. **Parameter Extraction**: It extracts the provided filters (e.g., Name, MAC + Addresses, SSID, and various boolean flags for endpoint types) from the action + parameters. - 3. **API Request:** Executes the `getNetworkInventoryItems` method via the Bitdefender - JSON-RPC API, applying all configured filters. + 3. **Connection**: It establishes a connection to the Bitdefender GravityZone + Control Center using the provided credentials. + + 4. **Data Retrieval**: It calls the `network_inventory_list` method, which sends + a request to the Bitdefender API with the specified filters to fetch the inventory + items. - 4. **Result Processing:** The retrieved list of inventory items is returned as - a JSON object and the action completes successfully. + 5. **Result Output**: The retrieved inventory data is added to the action's result + JSON, and the action completes successfully. ### Parameters Description @@ -1019,53 +1115,50 @@ Get Network Inventory Items: | :--- | :--- | :--- | :--- | - | Filter - Name | String | No | Filters items by name. Supports partial matching - (min 3 chars). Use '*' for suffix matching. | + | Filter - Name | string | No | A string for filtering items by name. Minimum + length is 3 characters. Supports '*' for suffix matching. | - | Filter - MAC Addresses | String | No | Comma-separated list of MAC addresses + | Filter - MAC Addresses | string | No | Comma-separated list of MAC addresses to filter endpoints. | - | Filter - SSID | String | No | Active Directory SID used to filter endpoints. - | + | Filter - SSID | string | No | The SSID (Active Directory SID) used to filter + endpoints. | - | Filter - Depth - All Items Recursively | Boolean | No | If true, searches all - endpoints recursively within the network inventory. Default is false. | + | Filter - Depth - All Items Recursively | boolean | No | If true, filters all + endpoints recursively within the Network Inventory. | - | Filter - Security Servers | Boolean | No | If true, filters for Security Servers. - Default is false. | + | Filter - Security Servers | boolean | No | If true, filters all Security Servers. + | - | Filter - Managed Relays | Boolean | No | If true, filters for endpoints with - the Relay role. Default is false. | + | Filter - Managed Relays | boolean | No | If true, filters all endpoints with + the Relay role. | - | Filter - Managed Exchange Servers | Boolean | No | If true, filters for protected - Exchange servers. Default is false. | + | Filter - Managed Exchange Servers | boolean | No | If true, filters all protected + Exchange servers. | - | Filter - Managed with BEST | Boolean | No | If true, filters for endpoints with - the Bitdefender Endpoint Security Tools agent. Default is false. | + | Filter - Managed with BEST | boolean | No | If true, filters all endpoints with + the security agent installed. | - | Filter - Virtual Machines | Boolean | No | If true, filters for virtual machines. - Default is false. | + | Filter - Virtual Machines | boolean | No | If true, filters all virtual machines. + | - | Filter - Computers | Boolean | No | If true, filters for physical computers. - Default is false. | + | Filter - Computers | boolean | No | If true, filters all computers. | - | Filter - EC2 Instances | Boolean | No | If true, filters for Amazon EC2 Instances. - Default is false. | + | Filter - EC2 Instances | boolean | No | If true, filters all Amazon EC2 Instances. + | - | Filter - Groups | Boolean | No | If true, filters for custom groups of endpoints. - Default is false. | + | Filter - Groups | boolean | No | If true, filters all custom groups of endpoints. + | - | Parent ID | String | No | The ID of the container/folder from which to return - network items. | + | Parent ID | string | No | The ID of the container for which the network items + will be returned. | ### Additional Notes - - Some filters require specific licenses to be active in Bitdefender GravityZone; - otherwise, they may be ignored by the API. - - - The 'Filter - Name' parameter requires at least 3 characters to be processed - by the manager logic. + This action does not require any specific entity to be selected in the SOAR platform + to run, as it performs a global search/list operation within the Bitdefender GravityZone + environment. capabilities: can_create_case_comments: false can_create_insight: false @@ -1076,8 +1169,19 @@ Get Network Inventory Items: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request (via `control_center_paged`) to the Bitdefender + GravityZone API to retrieve network inventory data. It does not modify any external + systems (no POST/PUT/DELETE that changes state), nor does it modify internal + SOAR data (entities, insights, or case comments). It simply returns the fetched + data as a JSON result. categories: enrichment: false + reasoning: >- + The action fetches data from an external system (Bitdefender GravityZone). However, + it does not operate on specific entities (it is a standalone search/list action) + and does not enrich existing entities in the SOAR case. Therefore, it does not + meet the criteria for an Enrichment Action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1093,6 +1197,10 @@ Get Network Inventory Items: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not iterate over `siemplify.target_entities` or reference any + entity objects. It performs a general search based on provided parameters. Therefore, + it does not run on any specific entity types. Get Scan Tasks List: action_product_categories: add_alert_comment: false @@ -1108,6 +1216,10 @@ Get Scan Tasks List: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves a list of scan tasks from the product. It does not match + any of the specific categories like 'Enrich IOC', 'Contain Host', or 'Create + Ticket'. It is a general utility action for retrieving information. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1123,53 +1235,36 @@ Get Scan Tasks List: update_identity: false update_ticket: false ai_description: >- - ### General Description - - The **Get Scan Tasks List** action retrieves a comprehensive list of scan tasks - from the Bitdefender GravityZone Control Center. This utility is primarily used - for monitoring the progress and results of on-demand or scheduled scanning operations - across the managed network. + Retrieves a list of scan tasks from the Bitdefender GravityZone platform based + on specified filters. This action allows analysts to query the status of scan + tasks, which can be useful for monitoring the progress of security operations. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Task Status** | DDL | Yes | Filters the returned tasks based on their current - state. Options include: `All`, `Pending`, `In-progress`, and `Finished`. | + | Task Status | ddl | Yes | The status of the task to filter by. Options: All, + Pending, In-progress, Finished. | - | **Task Name** | String | No | Filters tasks by their name. If an asterisk (`*`) - is used at the beginning, the action performs a 'contains' search; otherwise, - it matches names starting with the keyword. | + | Task Name | string | No | A keyword to search for in the task name. Use an asterisk + (*) in front to search for the keyword anywhere in the name; otherwise, it searches + for tasks starting with the keyword. | ### Flow Description - 1. **Configuration Extraction**: Retrieves the API Key, Access URL, and SSL verification - settings from the integration configuration. - - 2. **Parameter Processing**: Captures the user-defined filters for task status - and name. - - 3. **API Connection**: Establishes a connection to the Bitdefender GravityZone - service using the provided credentials. + 1. Initialize the Bitdefender GravityZone manager using the provided API key and + SSL verification settings. - 4. **Data Retrieval**: Calls the `getScanTasksList` method. The action automatically - handles pagination to ensure all relevant task records are collected. - - 5. **Output Generation**: Formats the retrieved task list into a JSON object and - returns it as the action result. - - - ### Additional Notes + 2. Extract the action parameters: `Task Status` and `Task Name`. - - This action does not require or process any specific entities (like IPs or Hostnames) - from the current context; it performs a global search based on the provided parameters. + 3. Execute the `task_scan_list` method to query the Bitdefender GravityZone API + for scan tasks matching the provided criteria. - - If the `Task Name` is omitted, the action will return all tasks matching the - selected status. + 4. Return the retrieved list of scan tasks as a JSON result to the SOAR platform. capabilities: can_create_case_comments: false can_create_insight: false @@ -1180,8 +1275,16 @@ Get Scan Tasks List: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET/List operation to retrieve scan task data from the + Bitdefender GravityZone API. It does not modify any external systems, nor does + it interact with internal SOAR entities or case data. categories: - enrichment: true + enrichment: false + reasoning: >- + The action retrieves a list of scan tasks. It does not enrich entities or alerts, + nor does it perform any mutations. Therefore, it does not meet the criteria + for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1197,6 +1300,9 @@ Get Scan Tasks List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with or filter by any SOAR entities. It operates + independently of the entity model. Isolate Endpoint: action_product_categories: add_alert_comment: false @@ -1212,6 +1318,9 @@ Isolate Endpoint: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action isolates an endpoint in Bitdefender GravityZone, which directly aligns + with the 'Contain Host' category as it restricts network access to the endpoint. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1229,42 +1338,44 @@ Isolate Endpoint: ai_description: >- ### General Description - The **Isolate Endpoint** action allows security analysts to programmatically isolate - a compromised or suspicious endpoint within the Bitdefender GravityZone environment. - By providing a specific Endpoint ID, the action triggers a task in the Bitdefender - Control Center to disconnect the device from the network, preventing lateral movement - or further data exfiltration while maintaining connectivity to the management - console for remediation. + This action isolates a specific endpoint within the Bitdefender GravityZone environment. + By triggering an isolation task, the action restricts the endpoint's network connectivity, + effectively containing potential threats or compromised assets. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Configuration Extraction**: The action retrieves the necessary integration + settings, including the API Key, Access URL, and SSL verification preference. - | :--- | :--- | :--- | :--- | + 2. **Parameter Extraction**: It extracts the `Endpoint ID` provided as an input + parameter. - | **Endpoint ID** | String | Yes | The unique identifier of the endpoint that - needs to be isolated. | + 3. **Manager Initialization**: The `BitdefenderGravityZoneManager` is initialized + with the provided credentials. + 4. **Task Execution**: The action calls the `isolate_endpoint` method, which sends + a POST request to the Bitdefender GravityZone API to create an isolation task + for the specified endpoint. - ### Flow Description + 5. **Result Reporting**: The action logs the outcome and terminates with a success + or failure status based on the API response. - 1. **Authentication**: The action establishes a connection to the Bitdefender - GravityZone API using the provided API Key and Access URL. - 2. **Parameter Extraction**: It retrieves the `Endpoint ID` from the action input. + ### Parameters Description + + | Parameter | Type | Mandatory | Description | - 3. **Task Creation**: It sends a POST request to the Bitdefender JSON-RPC API - (specifically the `createIsolateEndpointTask` method) to initiate the isolation. + | :--- | :--- | :--- | :--- | - 4. **Result Handling**: The action evaluates the API response and reports whether - the isolation task was successfully created. + | Endpoint ID | string | Yes | The unique identifier of the endpoint to be isolated + in Bitdefender GravityZone. | ### Additional Notes - This action does not automatically identify entities from the SOAR case; it requires - the explicit `Endpoint ID` as an input parameter. + This action does not utilize the SOAR entity model directly; it relies on the + `Endpoint ID` provided via the action parameters. capabilities: can_create_case_comments: false can_create_insight: false @@ -1273,12 +1384,19 @@ Isolate Endpoint: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a task in Bitdefender GravityZone to isolate the specified endpoint - from the network, changing its connectivity state. + The action triggers an isolation task on the target endpoint within the Bitdefender + GravityZone platform, which changes the endpoint's network state. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a state-changing operation (isolating an endpoint) on an + external system (Bitdefender GravityZone) via an API POST request. It does not + fetch data for enrichment, nor does it modify internal SOAR case data or entities. categories: enrichment: false + reasoning: >- + The action is a containment/mutation action, not an enrichment action. It does + not fetch data to enrich entities or alerts. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1294,6 +1412,10 @@ Isolate Endpoint: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities`. It uses an `Endpoint + ID` provided as a direct input parameter to identify the target, therefore it + does not run on any specific entity types. Ping: action_product_categories: add_alert_comment: false @@ -1309,6 +1431,9 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity check (Ping) and does not perform any of the defined + functional outcomes like enriching data, blocking IOCs, or managing tickets. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1326,40 +1451,44 @@ Ping: ai_description: >- ### General Description - The **Ping** action is used to verify the connectivity between Google SecOps and - the Bitdefender GravityZone Control Center. It ensures that the provided integration - parameters, such as the API Key and Access URL, are valid and that the network - connection is functional. + This action verifies connectivity to the Bitdefender GravityZone Control Center + by validating the provided API credentials. It serves as a health check to ensure + the integration is correctly configured and the API key is authorized. ### Parameters Description - There are no action-specific parameters for this action. It relies solely on the - integration's configuration parameters (API Key, Access URL, and Verify SSL). + | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Flow Description + | API Key | String | Yes | The API key used for authentication with the Bitdefender + GravityZone Control Center. | - 1. **Parameter Extraction:** The action retrieves the API Key, Access URL, and - Verify SSL settings from the integration configuration. + | Access URL | String | Yes | The URL of the Bitdefender GravityZone Control Center. + | - 2. **Manager Initialization:** It initializes the `BitdefenderGravityZoneManager` - using the provided credentials. + | Verify SSL | Boolean | Yes | Determines whether to verify SSL certificates during + the connection. | - 3. **Connectivity Check:** The action calls the `getApiKeyDetails` API method - to test the connection. - 4. **Validation:** It checks if the API returns valid details. If the response - is empty or an error occurs, the connection is considered failed. + ### Additional Notes - 5. **Result Reporting:** The action returns a success message if the connection - is established or an error message if it fails. + This action does not perform any data retrieval or modification beyond validating + the connection. It is intended for connectivity testing purposes only. - ### Additional Notes + ### Flow Description + + 1. The action extracts the `API Key`, `Access URL`, and `Verify SSL` configuration + parameters. + + 2. It initializes the `BitdefenderGravityZoneManager` with the provided credentials. + + 3. It executes the `getApiKeyDetails` API method to test the connection. - This action is primarily used for troubleshooting and initial setup verification. - It does not process any entities or modify any data within Bitdefender GravityZone. + 4. If the API call is successful, it returns a success status. If the API key + is invalid or the connection fails, it raises an error and returns a failure status. capabilities: can_create_case_comments: false can_create_insight: false @@ -1370,8 +1499,16 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity check by calling the `getApiKeyDetails` method + on the Bitdefender GravityZone API. It does not modify any external or internal + data, nor does it interact with entities. It fetches API key details to validate + the connection. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action, which is explicitly excluded from being an enrichment + action per the instructions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1387,6 +1524,8 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. Policies - Get Details: action_product_categories: add_alert_comment: false @@ -1402,6 +1541,10 @@ Policies - Get Details: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves policy details from Bitdefender GravityZone. It does not + match any of the defined categories such as Enrich IOC, Enrich Asset, or Update + Alert, as it is a specific administrative query for policy configuration. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1419,10 +1562,9 @@ Policies - Get Details: ai_description: >- ### General Description - The **Policies - Get Details** action retrieves comprehensive information and - configuration settings for a specific security policy within Bitdefender GravityZone. - This action is primarily used for administrative auditing, policy verification, - and understanding the security configurations applied to various groups or endpoints. + This action retrieves detailed information about a specific security policy from + the Bitdefender GravityZone platform. It allows analysts to query the configuration + and settings of a policy by its unique identifier. ### Parameters Description @@ -1431,30 +1573,26 @@ Policies - Get Details: | :--- | :--- | :--- | :--- | - | Policy ID | String | Yes | The unique identifier of the security policy to be - queried. This ID can typically be found via the 'Policies - List' action or within - the Bitdefender console. | + | Policy ID | string | Yes | The unique identifier of the policy to be queried. + | ### Flow Description - 1. **Authentication**: The action establishes a connection to the Bitdefender - GravityZone Control Center using the configured API Key and Access URL. - - 2. **Request Execution**: It sends a JSON-RPC request using the `getPolicyDetails` - method to the Policies API endpoint, passing the provided `Policy ID`. + 1. The action extracts the integration configuration (API Key, Access URL, and + SSL verification settings). - 3. **Data Processing**: The action receives the policy metadata, including settings - for various security modules (antimalware, firewall, etc.). + 2. It extracts the mandatory `Policy ID` parameter provided by the user. - 4. **Result Delivery**: The retrieved policy details are attached to the action's - JSON results for use in subsequent playbook steps. + 3. The action initializes the `BitdefenderGravityZoneManager` to establish a connection + with the Bitdefender GravityZone Control Center. + 4. It calls the `getPolicyDetails` method via the Bitdefender API using the provided + `Policy ID`. - ### Additional Notes + 5. The retrieved policy details are added to the action's result JSON. - This action does not process or iterate over SecOps entities (such as IPs or Hostnames). - It is a utility action that requires a direct input of a Policy ID. + 6. The action terminates and returns the success status. capabilities: can_create_case_comments: false can_create_insight: false @@ -1465,8 +1603,17 @@ Policies - Get Details: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a read-only operation to fetch policy details from the Bitdefender + GravityZone API. It does not modify any external systems, nor does it update + internal SOAR entities, insights, or alert data. It simply outputs the retrieved + data to the action result. categories: enrichment: false + reasoning: >- + The action fetches data from an external system, but it does not perform enrichment + on entities or alerts. It is a standalone utility action to retrieve policy + information. Therefore, it does not meet the criteria for an Enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1482,6 +1629,9 @@ Policies - Get Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or utilize `siemplify.target_entities`. It + operates solely based on the provided `Policy ID` parameter. Policies - List All: action_product_categories: add_alert_comment: false @@ -1497,6 +1647,10 @@ Policies - List All: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves a list of policies from Bitdefender GravityZone. It does + not match any of the specific categories like 'Enrich IOC', 'Enrich Asset', + or 'Get Alert Information' as it is a configuration/utility retrieval action. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1512,40 +1666,40 @@ Policies - List All: update_identity: false update_ticket: false ai_description: >- - ### General Description + Retrieves the list of available policies from the Bitdefender GravityZone Control + Center. This action connects to the Bitdefender API, fetches the complete list + of configured policies, and returns the data as a JSON result for use in the SOAR + platform. - This action retrieves a comprehensive list of all available security policies - configured within the Bitdefender GravityZone Control Center. It is primarily - used for administrative oversight, auditing, or as a helper step to identify policy - IDs for other management actions. The action interacts with the Bitdefender JSON-RPC - API to fetch policy metadata. + ### Parameters - ### Parameters Description + | Parameter | Type | Mandatory | Description | - There are no input parameters for this action. + | :--- | :--- | :--- | :--- | + | Integration.API Key | String | Yes | The API key used to authenticate with the + Bitdefender GravityZone API. | - ### Additional Notes + | Integration.Access URL | String | Yes | The base URL for the Bitdefender GravityZone + API. | - This action does not require any specific entities to be present in the context. - It performs a global retrieval of policies associated with the configured API - key and Access URL. + | Integration.Verify SSL | Boolean | Yes | Whether to verify the SSL certificate + when connecting to the API. | ### Flow Description - 1. **Authentication**: The action initializes the Bitdefender GravityZone Manager - using the API Key and Access URL provided in the integration configuration. + 1. The action initializes the `BitdefenderGravityZoneManager` using the provided + API key and SSL verification setting. - 2. **API Request**: It calls the `getPoliciesList` method via the Bitdefender - Policies API endpoint. + 2. It calls the `policy_list` method, which sends a `getPoliciesList` JSON-RPC + request to the Bitdefender API. - 3. **Pagination Handling**: The manager automatically handles paginated responses - from the API to ensure all policy records are collected into a single result set. + 3. The API returns the list of policies, which is then added to the action result + using `siemplify.result.add_result_json`. - 4. **Output**: The collected policy data is attached to the action's JSON result, - and the execution is marked as completed. + 4. The action completes with a success status. capabilities: can_create_case_comments: false can_create_insight: false @@ -1556,8 +1710,17 @@ Policies - List All: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a retrieval operation (JSON-RPC POST request) to fetch a + list of policies from the Bitdefender GravityZone API. It does not modify any + external system state, nor does it update internal SOAR entities, insights, + or case data. categories: enrichment: false + reasoning: >- + The action retrieves a list of policies. It does not perform enrichment on specific + entities or alerts, nor does it meet the criteria for an enrichment action as + it does not add context to entities or alerts. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1573,6 +1736,9 @@ Policies - List All: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. It is a global utility action + that retrieves configuration data from the external system. Quarantine - Add File: action_product_categories: add_alert_comment: false @@ -1588,6 +1754,12 @@ Quarantine - Add File: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action performs a remediation task (quarantining a file) on an external + system. It does not match the specific definitions for enrichment, ticket creation, + or host isolation/blocking provided in the categories list. While it is a containment-like + action, it does not isolate the host from the network as defined by the 'Contain + Host' category. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1605,27 +1777,29 @@ Quarantine - Add File: ai_description: >- ### General Description - The **Quarantine - Add File** action allows analysts to remotely quarantine a - specific file on one or more endpoints managed by Bitdefender GravityZone. This - is achieved by creating a task in the GravityZone Control Center that instructs - the EDR sensor on the target machines to move the specified file to a secure quarantine - location. + This action adds a specific file to quarantine on target endpoints using the Bitdefender + GravityZone platform. It is a remediation action designed to contain potentially + malicious files by triggering a quarantine task on the specified endpoints. ### Flow Description - 1. **Authentication**: The action authenticates with the Bitdefender GravityZone - API using the provided API Key and Access URL. + 1. **Configuration Extraction**: The action retrieves the Bitdefender GravityZone + API key, access URL, and SSL verification settings from the integration configuration. + + 2. **Parameter Extraction**: The action extracts the `Endpoint IDs` (a comma-separated + list of target endpoints) and the `File Path` (the absolute path of the file to + be quarantined) from the action parameters. - 2. **Parameter Extraction**: It retrieves the target endpoint IDs and the absolute - file path from the action parameters. + 3. **Manager Initialization**: The `BitdefenderGravityZoneManager` is initialized + with the provided credentials. - 3. **Task Creation**: A request is sent to the Bitdefender API (`createAddFileToQuarantineTask`) - to initiate the quarantine process for the specified file path on the provided - endpoint IDs. + 4. **API Execution**: The action calls the `quarantine_item_add` method, which + sends a POST request to the Bitdefender GravityZone API (`/v1.0/jsonrpc/quarantine`) + to create a task to add the specified file to quarantine on the target endpoints. - 4. **Completion**: The action monitors the API response and reports whether the - task creation was successful. + 5. **Result Reporting**: The action logs the outcome and returns a success or + failure status to the SOAR platform. ### Parameters Description @@ -1634,19 +1808,17 @@ Quarantine - Add File: | :--- | :--- | :--- | :--- | - | **File Path** | String | True | The absolute file path on the target disk (e.g., - `C:\Users\Public\malicious.exe`). Max 4096 characters. | + | File Path | string | Yes | The absolute file path on disk to be quarantined. + Max 4096 characters. | - | **Endpoint IDs** | String | True | A comma-separated list of Bitdefender endpoint - IDs (Max 100). | + | Endpoint IDs | string | Yes | A comma-separated list of the IDs of the target + endpoints. Max 100 targets at once. | ### Additional Notes - - Only endpoints with an active EDR Sensor module are valid targets for this action. - - - This action does not automatically process entities from the SecOps case; it - relies entirely on the provided parameters. + This action does not interact with SOAR entities directly; it relies on the user + providing specific Endpoint IDs as input parameters. capabilities: can_create_case_comments: false can_create_insight: false @@ -1655,12 +1827,21 @@ Quarantine - Add File: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a task in Bitdefender GravityZone to quarantine a file on specified - endpoints, which changes the state of the file system on those endpoints. + Creates a task in Bitdefender GravityZone to quarantine a specific file on target + endpoints. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the Bitdefender GravityZone API to create + a quarantine task for a specific file on specified endpoints. It does not fetch + data for enrichment, nor does it modify internal SOAR case data (entities, insights, + or comments). categories: enrichment: false + reasoning: >- + The action is a remediation/containment action that modifies external system + state (quarantining a file). It does not fetch data for enrichment, so it is + not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1676,6 +1857,9 @@ Quarantine - Add File: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action takes 'Endpoint IDs' as a string parameter. It does not iterate over + or interact with 'siemplify.target_entities'. Quarantine - Get Items List: action_product_categories: add_alert_comment: false @@ -1691,12 +1875,17 @@ Quarantine - Get Items List: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves a list of quarantined items from Bitdefender GravityZone. + It does not match the expected outcomes for enrichment, containment, ticket + management, or alert modification. It is a specific retrieval action that does + not fit the provided product categories. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false search_asset: false search_email: false - search_events: true + search_events: false send_email: false send_message: false submit_file: false @@ -1706,66 +1895,55 @@ Quarantine - Get Items List: update_identity: false update_ticket: false ai_description: >- - ### General Description - - This action retrieves a list of quarantined items from Bitdefender GravityZone. - Quarantined items can include malicious files found on endpoints or suspicious - Microsoft Exchange objects. The action allows for granular filtering to locate - specific threats across the network or on a single endpoint. + Retrieves a list of quarantined items from the Bitdefender GravityZone platform + based on specified filters. This action allows analysts to query quarantined files + or Exchange objects across the network or for a specific endpoint. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Service | DDL | Yes | Specifies the source of the data: 'Computers' for files - on endpoints or 'Exchange' for email-related objects. | + | Service | ddl | Yes | The service to query: 'computers' (for Computers and Virtual + Machines) or 'exchange' (for Security for Exchange). | - | Filter - Threat Name | String | No | Filters results by the name of the detected - threat. Supports partial matching. | + | Filter - Threat Name | string | No | Filters the quarantined items by threat + name. | - | Filter - Start Date | String | No | Filters items quarantined after this date + | Filter - Start Date | string | No | Filters items quarantined after this date (ISO 8601 format). | - | Filter - End Date | String | No | Filters items quarantined before this date + | Filter - End Date | string | No | Filters items quarantined before this date (ISO 8601 format). | - | Filter - File Path | String | No | Filters by file path. Supports partial matching - and wildcards (e.g., *myfile.exe). Only applicable to the 'Computers' service. - | + | Filter - File Path | string | No | Filters quarantined items by file path. | - | Filter - IP Address | String | No | Filters by the IP address of the endpoint. - Supports partial matching. Only applicable to the 'Computers' service. | + | Filter - IP Address | string | No | Filters quarantined items by IP address. + | - | Filter - Action Status | DDL | No | Filters by the current status of the quarantined - item (e.g., 'Saved', 'Pending Save'). | + | Filter - Action Status | ddl | No | Filters by action status (e.g., None, Pending + Save, Saved). | - | Endpoint ID | String | No | The unique identifier of a specific computer to - retrieve items for. If omitted, the action searches the entire network. | + | Endpoint ID | string | No | The ID of the specific computer to retrieve items + for. If omitted, retrieves items for the entire network. | ### Flow Description - 1. **Parameter Extraction**: The action retrieves the integration configuration - (API Key, URL) and the user-provided filter parameters. - - 2. **Connection**: It establishes a connection to the Bitdefender GravityZone - Control Center using the provided credentials. - - 3. **Data Retrieval**: The action calls the `getQuarantineItemsList` API method. - It handles pagination automatically to ensure all matching records are collected. - - 4. **Output**: The retrieved list of quarantined items is formatted and returned - as a JSON object for use in subsequent playbook steps. + 1. **Initialization**: The action extracts the integration configuration (API + Key, Access URL, SSL verification) and the action parameters (Service, filters, + Endpoint ID). + 2. **Connection**: It initializes the `BitdefenderGravityZoneManager` to establish + a connection with the Bitdefender GravityZone Control Center. - ### Additional Notes - - - Partial matching is supported for Threat Name, File Path, and IP Address. + 3. **Data Retrieval**: It calls the `quarantine_item_list` method, passing the + provided filters to the Bitdefender API. - - The 'Exchange' service filters require a valid license for Security for Exchange. + 4. **Output**: The retrieved list of quarantined items is added to the action + result as a JSON object, and the action completes with a success status. capabilities: can_create_case_comments: false can_create_insight: false @@ -1776,8 +1954,19 @@ Quarantine - Get Items List: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Bitdefender GravityZone API to retrieve + a list of quarantined items. It does not modify any external system state (no + POST/PUT/DELETE for state changes) and does not modify any internal SOAR data + (no entity updates, insights, or case comments). It simply returns the retrieved + data to the action result. categories: enrichment: false + reasoning: >- + The action retrieves data from an external system, but it does not operate on + entities to enrich them, nor does it meet the criteria for an enrichment action + (which typically involves updating entity profiles or adding insights). It is + a retrieval/search action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1793,6 +1982,10 @@ Quarantine - Get Items List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities`. It uses input + parameters provided in the action configuration to filter the request, meaning + it does not run on specific entities. Quarantine - Remove Items: action_product_categories: add_alert_comment: false @@ -1808,6 +2001,11 @@ Quarantine - Remove Items: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action removes items from quarantine in Bitdefender GravityZone. This is + a remediation/containment-related action. It does not match any of the specific + categories provided (e.g., it is not blocking an IOC, updating an alert, or + managing identity/host containment). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1823,50 +2021,51 @@ Quarantine - Remove Items: update_identity: false update_ticket: false ai_description: >- - Removes specified items from the Bitdefender GravityZone quarantine. This action - is used to permanently delete malicious or suspicious items that were previously - isolated by the security agent. It supports items from both endpoint computers - and Exchange servers. + ### General Description + This action removes specified items from the quarantine in the Bitdefender GravityZone + platform. It allows security analysts to clear quarantined files or objects across + managed services (Computers or Exchange) by providing their unique identifiers. - ### Parameters - | Parameter | Type | Mandatory | Description | + ### Flow Description - | :--- | :--- | :--- | :--- | + 1. **Configuration Extraction**: The action retrieves the API Key, Access URL, + and SSL verification settings from the integration configuration. - | Service | ddl | Yes | Specifies whether to remove items from the 'Computers' - (Computers and Virtual Machines) or 'Exchange' (Security for Exchange) quarantine - service. | + 2. **Parameter Extraction**: It extracts the target `Service` (e.g., Computers, + Exchange) and the comma-separated list of `Quarantine Item IDs` from the action + parameters. - | Quarantine Item IDs | string | Yes | A comma-separated list of unique identifiers - for the items to be removed. A maximum of 100 IDs can be processed in a single - request. | + 3. **Connection**: It initializes the `BitdefenderGravityZoneManager` using the + provided credentials. + 4. **Execution**: The action calls the `quarantine_item_remove` method, which + sends a POST request to the Bitdefender GravityZone API to create a removal task + for the specified items. + + 5. **Result**: The action returns a success or failure status based on the API + response. - ### Flow Description - 1. **Authentication**: The action initializes a connection to the Bitdefender - GravityZone Control Center using the configured API Key and Access URL. + ### Parameters Description - 2. **Parameter Extraction**: It retrieves the 'Service' and 'Quarantine Item IDs' - from the action parameters. + | Parameter | Type | Mandatory | Description | - 3. **API Request**: It formats a JSON-RPC request to the Bitdefender API, targeting - the specific quarantine service endpoint (Computers or Exchange). + | :--- | :--- | :--- | :--- | - 4. **Task Creation**: It triggers the `createRemoveQuarantineItemTask` method - to initiate the removal process in the external system. + | Service | ddl | Yes | The service type to target. Allowed values are 'Computers' + or 'Exchange'. | - 5. **Completion**: The action completes with a success status if the removal task - is successfully created. + | Quarantine Item IDs | string | Yes | A comma-separated list of quarantine item + IDs to be removed. Maximum of 100 items per request. | ### Additional Notes - - This action is destructive as it removes items from the quarantine repository. - - - Ensure that the Item IDs provided are valid for the selected Service. + This action performs a direct mutation on the external Bitdefender GravityZone + system. Ensure that the provided API credentials have the necessary permissions + to manage quarantine items. capabilities: can_create_case_comments: false can_create_insight: false @@ -1875,12 +2074,19 @@ Quarantine - Remove Items: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a task in Bitdefender GravityZone to permanently remove/delete specified - items from the quarantine repository. + Removes items from quarantine in the Bitdefender GravityZone platform. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the Bitdefender GravityZone API to remove + items from quarantine. This is a state-changing operation on an external system. + It does not fetch data for enrichment, nor does it modify internal SOAR case + data or entities. categories: enrichment: false + reasoning: >- + The action is a mutation action (removing items from quarantine) and does not + fetch data for enrichment purposes. Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1896,6 +2102,9 @@ Quarantine - Remove Items: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with SOAR entities. It operates based on parameters + provided directly in the action configuration (Service and Quarantine Item IDs). Quarantine - Restore Exchange Items: action_product_categories: add_alert_comment: false @@ -1911,6 +2120,10 @@ Quarantine - Restore Exchange Items: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action restores quarantined items in Bitdefender GravityZone. This does + not align with the provided categories such as IOC enrichment, identity management, + host containment, or ticket management. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1922,57 +2135,60 @@ Quarantine - Restore Exchange Items: submit_file: false uncontain_host: false update_alert: false - update_email: true + update_email: false update_identity: false update_ticket: false ai_description: >- - Restores quarantined items to Microsoft Exchange servers using Bitdefender GravityZone. - This action creates a restoration task in the GravityZone Control Center for specific - items identified by their IDs. It requires Exchange credentials and optionally - an EWS URL or specific email address to facilitate the restoration process. + ### General Description + This action restores quarantined items from the Bitdefender GravityZone Exchange + environment. It allows analysts to recover items that were previously quarantined + by the security solution, facilitating the restoration of legitimate files or + messages that may have been incorrectly flagged. - ### Flow Description: - 1. **Parameter Extraction:** Retrieves the integration configuration (API Key, - Access URL) and action parameters (Quarantine Item IDs, Username, Password, Email, - EWS URL). + ### Flow Description - 2. **Connection Initialization:** Establishes a connection to the Bitdefender - GravityZone API using the provided credentials. + 1. **Initialization**: The action connects to the Bitdefender GravityZone Control + Center using the provided API key and SSL verification settings. - 3. **Task Creation:** Sends a JSON-RPC request to the GravityZone endpoint (`createRestoreQuarantineExchangeItemTask`) - to initiate the restoration of the specified items. + 2. **Parameter Extraction**: It retrieves the required parameters, including the + list of `Quarantine Item IDs`, `Username`, `Password`, and optional parameters + like `Email` and `EWS URL`. - 4. **Result Handling:** Processes the API response and returns a success or failure - status based on whether the restoration task was successfully created. + 3. **Execution**: It invokes the `createRestoreQuarantineExchangeItemTask` method + via the Bitdefender GravityZone API to initiate the restoration process. + 4. **Completion**: The action logs the status of the operation and returns a success + or failure message to the SOAR platform. - ### Parameters Description: - | Parameter Name | Type | Mandatory | Description | + ### Parameters Description + + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | EWS URL | string | No | The Exchange Web Services URL. Necessary if Exchange + | EWS URL | string | No | The Exchange Web Services URL. Required if Exchange Autodiscovery is not functional. | | Email | string | No | The email address of the Exchange user. Required if the email address differs from the username. | - | Password | password | Yes | The password of the Microsoft Exchange user. | + | Password | password | Yes | The password of the Exchange user. | - | Username | string | Yes | The username of the Microsoft Exchange user, including - the domain name. | + | Username | string | Yes | The username of the Microsoft Exchange user (must + include the domain name). | | Quarantine Item IDs | string | Yes | A comma-separated list of quarantine item IDs to be restored (maximum 100 items). | - ### Additional Notes: + ### Additional Notes - - This action does not run on SecOps entities; it operates based on the IDs provided - in the 'Quarantine Item IDs' parameter. + This action performs a direct mutation on the external Bitdefender GravityZone + system. Ensure that the provided credentials have the necessary permissions to + perform restoration tasks within the Exchange environment. capabilities: can_create_case_comments: false can_create_insight: false @@ -1981,12 +2197,18 @@ Quarantine - Restore Exchange Items: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a task in Bitdefender GravityZone to restore items from quarantine back - to the Microsoft Exchange server environment. + Restores quarantined items in the Bitdefender GravityZone Exchange environment. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the Bitdefender GravityZone API to restore + quarantined items. It does not fetch data, update entities, or create insights. + It is a pure mutation action on an external system. categories: enrichment: false + reasoning: >- + The action is a mutation action (restoring items) and does not fetch data for + enrichment. Therefore, it does not meet the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -2002,6 +2224,9 @@ Quarantine - Restore Exchange Items: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use `siemplify.target_entities`. It relies entirely on action + parameters provided by the user to identify the items to restore. Quarantine - Restore Items: action_product_categories: add_alert_comment: false @@ -2017,6 +2242,10 @@ Quarantine - Restore Items: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action restores items from quarantine in Bitdefender GravityZone. This is + a remediation action. It does not match any of the provided categories (Enrichment, + Ticket, Blocklist, Identity, Host Containment, Email, etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -2032,33 +2261,51 @@ Quarantine - Restore Items: update_identity: false update_ticket: false ai_description: >- - ### General Description\nThis action creates a new task in Bitdefender GravityZone - to restore items from the quarantine. It supports restoring items for both 'Computers' - (Computers and Virtual Machines) and 'Exchange' (Security for Exchange) services. - Users can specify a custom restoration path and optionally add the restored items - to a policy exclusion list to prevent them from being quarantined again in future - scans.\n\n### Parameters Description\n| Parameter | Type | Mandatory | Description - |\n| :--- | :--- | :--- | :--- |\n| Quarantine Item IDs | String | Yes | A comma-separated - list of unique identifiers for the items to be restored from quarantine. A maximum - of 100 items can be processed in a single request. |\n| Service | DDL | Yes | - Specifies the service context for the restoration. Options are 'Computers' for - endpoint files or 'Exchange' for email items. |\n| Location to Restore | String - | No | The absolute file system path where the items should be restored. If not - provided, the items are returned to their original location. |\n| Add Exclusion - in Policy | Boolean | No | If set to true, the restored items will be added to - the exclusion list in the active policy to prevent future detection (does not - apply to the Default Policy). |\n\n### Flow Description\n1. **Authentication**: - The action establishes a connection with the Bitdefender GravityZone Control Center - using the configured API Key and Access URL.\n2. **Parameter Extraction**: It - retrieves the list of item IDs, the selected service, the optional restoration - path, and the exclusion preference from the action parameters.\n3. **Task Creation**: - The action calls the Bitdefender API (`createRestoreQuarantineItemTask`) to initiate - the restoration process for the specified items.\n4. **Status Reporting**: The - action monitors the API response and reports whether the restoration task was - successfully created in the external system.\n\n### Additional Notes\n- This action - does not operate on SecOps entities directly; it requires specific Quarantine - Item IDs as input.\n- Restoration to a custom location requires the absolute path - to be correctly formatted for the target operating system. + Restores quarantined items in Bitdefender GravityZone. This action interacts with + the Bitdefender API to move files from quarantine back to their original or specified + location on the target endpoint. + + + ### Flow Description + + 1. Connects to the Bitdefender GravityZone Control Center using the provided API + key and URL. + + 2. Extracts the action parameters: `Quarantine Item IDs`, `Service`, `Add Exclusion + in Policy`, and `Location to Restore`. + + 3. Invokes the `quarantine_item_restore` method, which sends a `POST` request + to the Bitdefender API to initiate the restoration task for the specified items. + + 4. Returns the operation status (success or failure) to the SOAR platform. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Quarantine Item IDs | string | Yes | Comma-separated list of quarantine item + IDs. The maximum number of items that can be removed once is 100. | + + | Service | ddl | Yes | The service type. Allowed values are: "Computers" (for + Computers and Virtual Machines) or "Exchange" (for Security for Exchange). | + + | Add Exclusion in Policy | boolean | No | If set to true, excludes the files + to be restored from future scans. Exclusions do not apply to items with the Default + Policy assigned. | + + | Location to Restore | string | No | The absolute path to the folder where the + items will be restored. If not set, the original location will be used. | + + + ### Additional Notes + + - This action performs a mutation on the external Bitdefender GravityZone system. + + - The `Service` parameter is mandatory and must be one of the allowed values ("Computers" + or "Exchange"). capabilities: can_create_case_comments: false can_create_insight: false @@ -2067,12 +2314,19 @@ Quarantine - Restore Items: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a task in Bitdefender GravityZone to restore files or emails from quarantine - to their original or a specified location and can modify policy exclusions. + Restores quarantined items in Bitdefender GravityZone, changing their status + from quarantined to restored on the target endpoint. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a `POST` request to the Bitdefender API to restore quarantined + items. This is a state-changing operation on an external system. It does not + fetch data for enrichment or modify internal SOAR data. categories: enrichment: false + reasoning: >- + The action is a remediation/mutation action, not an enrichment action. It does + not fetch data for the purpose of enriching entities or alerts. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -2088,6 +2342,10 @@ Quarantine - Restore Items: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities` or use entity-specific + identifiers. It relies on parameters provided in the action configuration to + perform its task. Reports - Get Download Links: action_product_categories: add_alert_comment: false @@ -2103,6 +2361,10 @@ Reports - Get Download Links: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves report download links from Bitdefender GravityZone. It + does not match any of the defined categories such as Enrich IOC, Enrich Asset, + or Ticket management, as it is a specific utility for report retrieval. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -2120,41 +2382,33 @@ Reports - Get Download Links: ai_description: >- ### General Description - Retrieves download links and availability information for a specific report within - Bitdefender GravityZone. This action is designed to facilitate the retrieval of - generated security reports, allowing for automated collection of threat data, - compliance reports, or activity logs. + This action retrieves download links for a specific report from the Bitdefender + GravityZone platform. It allows users to fetch the availability status and download + URLs for reports generated within the GravityZone environment. ### Parameters Description - | Parameter | Description | Type | Mandatory | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Report ID | The unique identifier of the report to fetch download links for. - | String | Yes | - - - ### Additional Notes - - Instant reports are available for download for less than 24 hours after creation. - Scheduled reports are stored in the GravityZone database and remain available - for longer periods. This action does not download the file content itself but - provides the URLs to do so. + | Report ID | string | Yes | The unique identifier of the report to fetch. | ### Flow Description - 1. Extract integration configuration (API Key, Access URL, SSL verification). + 1. The action initializes the Bitdefender GravityZone Manager using the provided + API Key and Access URL. - 2. Extract the Report ID from the action parameters. + 2. It extracts the `Report ID` from the action parameters. - 3. Connect to the Bitdefender GravityZone Control Center via the JSON-RPC API. + 3. The action calls the `getDownloadLinks` method via the Bitdefender API to retrieve + the report's download information. - 4. Execute the 'getDownloadLinks' method for the specified report. + 4. The retrieved report data is added to the action result as a JSON object. - 5. Return the report availability status and download links as a JSON result. + 5. The action completes and returns the status. capabilities: can_create_case_comments: false can_create_insight: false @@ -2165,8 +2419,17 @@ Reports - Get Download Links: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a retrieval operation (GET/POST to fetch data) from the + Bitdefender GravityZone API. It does not modify any external system state, nor + does it modify internal SOAR case data, entities, or insights. It simply returns + the requested report information as a result. categories: enrichment: false + reasoning: >- + The action is a utility task for retrieving report information. It does not + run on entities, nor does it gather supplemental context about alerts or entities + as defined by the Enrichment Action criteria. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -2182,6 +2445,9 @@ Reports - Get Download Links: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with or iterate over any entities. It operates + solely based on the provided 'Report ID' parameter. Reports - List All: action_product_categories: add_alert_comment: false @@ -2197,6 +2463,11 @@ Reports - List All: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves a list of reports from the Bitdefender GravityZone platform. + It does not match any of the specific operational categories such as IOC enrichment, + asset enrichment, containment, or ticket management. It is a general data retrieval + action. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -2212,51 +2483,38 @@ Reports - List All: update_identity: false update_ticket: false ai_description: >- - Lists all scheduled reports from Bitdefender GravityZone Control Center. This - action allows users to retrieve a comprehensive list of reports, optionally filtered - by name or type, providing visibility into the reporting configuration and available - data exports within the GravityZone environment. - - - ### Flow Description: - - 1. **Configuration Extraction**: Retrieves the API Key, Access URL, and SSL verification - settings from the integration configuration. - - 2. **Parameter Extraction**: Retrieves the optional 'Report Name' and 'Report - Type' filters from the action parameters. - - 3. **Manager Initialization**: Establishes a connection to the Bitdefender GravityZone - API using the provided credentials. - - 4. **Data Retrieval**: Executes the `getReportsList` JSON-RPC method. If multiple - pages of results exist, the action automatically iterates through them to compile - a complete list. + ### General Description - 5. **Result Processing**: Outputs the list of reports as a JSON object for use - in subsequent playbook steps. + This action retrieves a list of scheduled reports from the Bitdefender GravityZone + Control Center. It allows users to filter the retrieved reports by name or type, + providing visibility into the reporting configuration within the Bitdefender environment. - ### Parameters Description: + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Report Name | String | No | Filters the list to only include reports matching - this specific name. | + | Report Name | string | No | The specific name of the report to filter the results + by. | + + | Report Type | ddl | No | The category of the report to filter by (e.g., 'Antiphishing + Activity', 'Malware Status', 'Network Incidents'). | - | Report Type | DDL | No | Filters the list by the category of the report (e.g., - 'Malware Status', 'Firewall Activity'). | + ### Flow Description + + 1. **Authentication**: The action connects to the Bitdefender GravityZone API + using the provided API Key and Access URL. - ### Additional Notes: + 2. **Request**: It sends a request to the API to fetch the list of reports, applying + optional filters for `Report Name` and `Report Type` if provided. - - This action is a read-only operation and does not modify any data within Bitdefender - GravityZone. + 3. **Data Retrieval**: The API returns the list of reports, which is then processed + and added to the action's result JSON. - - If no filters are provided, all scheduled reports accessible to the API key - will be returned. + 4. **Completion**: The action concludes by outputting the retrieved data. capabilities: can_create_case_comments: false can_create_insight: false @@ -2267,8 +2525,17 @@ Reports - List All: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET-like request (via RPC POST) to retrieve a list of + reports from the Bitdefender GravityZone API. It does not modify any external + systems, nor does it modify internal SOAR case data, entities, or insights. + It simply fetches and returns data. categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches data (list of reports) from an external source without mutating + any external or internal state. It does not perform any prohibited actions (like + Ping or file downloads). Therefore, it qualifies as an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -2284,6 +2551,9 @@ Reports - List All: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. It operates globally on the + Bitdefender GravityZone configuration to list reports. Restore Isolated Endpoint: action_product_categories: add_alert_comment: false @@ -2299,6 +2569,10 @@ Restore Isolated Endpoint: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action restores an endpoint from isolation in Bitdefender GravityZone. This + directly matches the 'Uncontain Host' category, which involves removing network + isolation and restoring full communication capabilities. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -2314,38 +2588,40 @@ Restore Isolated Endpoint: update_identity: false update_ticket: false ai_description: >- - Restores a specified endpoint from network isolation using Bitdefender GravityZone. - This action creates a task in the GravityZone Control Center to reconnect the - endpoint to the network, reversing a previous isolation command. + ### General Description + This action restores a previously isolated endpoint in the Bitdefender GravityZone + environment. By triggering a restoration task, it removes the network isolation + applied to the specified endpoint, allowing it to resume normal network communication. - ### Flow Description: - 1. **Authentication**: Connects to the Bitdefender GravityZone Control Center - using the provided API Key and Access URL. + ### Parameters Description - 2. **Task Creation**: Sends a request to the Bitdefender API to create a 'Restore - Endpoint From Isolation' task for the specific Endpoint ID provided. + | Parameter | Type | Mandatory | Description | - 3. **Execution Status**: Evaluates the response from the API to determine if the - task was successfully created and returns a success or failure result. + | :--- | :--- | :--- | :--- | + | Endpoint ID | string | Yes | The unique identifier of the endpoint to be restored + from isolation. | - ### Parameters Description: - | Parameter Name | Description | Type | Mandatory | Notes | + ### Flow Description - | :--- | :--- | :--- | :--- | :--- | + 1. **Configuration Extraction**: The action retrieves the necessary API credentials + (API Key, Access URL, and SSL verification settings) from the integration configuration. - | Endpoint ID | The unique identifier of the endpoint for which the restoration - task will be created. | String | True | This ID is specific to the Bitdefender - GravityZone inventory. | + 2. **Parameter Extraction**: The action extracts the `Endpoint ID` provided by + the user. + 3. **Manager Initialization**: The `BitdefenderGravityZoneManager` is initialized + with the provided credentials. - ### Additional Notes: + 4. **Execution**: The action calls the `isolate_endpoint_restore` method, which + sends a request to the Bitdefender GravityZone API to create a task for restoring + the specified endpoint. - This action does not automatically identify entities from the SOAR case; it requires - the specific Bitdefender Endpoint ID to be passed as a parameter. + 5. **Result Handling**: The action logs the outcome of the API request and terminates + with a success or failure status. capabilities: can_create_case_comments: false can_create_insight: false @@ -2354,12 +2630,18 @@ Restore Isolated Endpoint: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a task in Bitdefender GravityZone to restore a previously isolated endpoint, - changing its network connectivity status in the external system. + Restores an endpoint from network isolation in Bitdefender GravityZone. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the Bitdefender GravityZone API to trigger + an endpoint restoration task. It does not fetch data for enrichment, nor does + it modify internal SOAR data or entities. categories: enrichment: false + reasoning: >- + The action is a remediation/containment action (un-isolating a host), not an + enrichment action. It does not fetch data to enrich entities. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -2375,6 +2657,9 @@ Restore Isolated Endpoint: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action uses an 'Endpoint ID' provided as a parameter, not an entity from + the SOAR case. Therefore, it does not run on entities. Set Endpoint Label: action_product_categories: add_alert_comment: false @@ -2390,6 +2675,11 @@ Set Endpoint Label: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action updates the label of an endpoint in Bitdefender GravityZone. This + is an administrative update to an asset's metadata. It does not match any of + the predefined categories (e.g., it is not an enrichment, containment, or alert/ticket + update action). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -2405,53 +2695,17 @@ Set Endpoint Label: update_identity: false update_ticket: false ai_description: >- - ### General Description - - Sets or updates a label for a specific endpoint within the Bitdefender GravityZone - environment. This action allows security analysts to tag endpoints with custom - metadata (up to 64 characters) for better categorization, tracking, or policy - application. Providing an empty string as the label will reset any previously - assigned label for that endpoint. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Endpoint ID | String | Yes | The unique identifier of the endpoint in Bitdefender - GravityZone for which the label will be set. | - - | Label | String | Yes | The string representing the label to be applied. Maximum - length is 64 characters. Use an empty string to clear an existing label. | - - - ### Additional Notes - - - This action interacts with the Bitdefender GravityZone JSON-RPC API using the - `setEndpointLabel` method. - - - The action requires a valid 'Access URL' and 'API Key' configured in the integration - settings. - - - ### Flow Description - - 1. **Parameter Extraction**: The action retrieves the 'Endpoint ID' and 'Label' - from the user input and the integration's connection details (API Key, Access - URL, SSL verification) from the configuration. - - 2. **Connection Initialization**: It establishes a connection to the Bitdefender - GravityZone Control Center via the `BitdefenderGravityZoneManager`. - - 3. **API Execution**: The action sends a POST request to the Bitdefender Network - API endpoint with the `setEndpointLabel` method, passing the target `endpointId` - and the desired `label`. - - 4. **Result Processing**: The action evaluates the API response. If the operation - is successful, it returns a 'success' status; otherwise, it logs the error and - returns a 'failed' status. + This action updates the label of a specific endpoint within the Bitdefender GravityZone + platform. The action flow is as follows: 1. It extracts the necessary configuration + parameters (API Key, Access URL, and SSL verification) from the integration settings. + 2. It extracts the action-specific parameters: Endpoint ID and Label. 3. It initializes + the BitdefenderGravityZoneManager to communicate with the Bitdefender API. 4. + It executes the label_endpoint_set method, which sends a POST request to the Bitdefender + API to update the endpoint's label. 5. It logs the success or failure of the operation + and terminates the action. Parameters: Label (string, mandatory): The new label + to assign to the endpoint. The maximum allowed length is 64 characters. Enter + an empty string to reset a previously set label. Endpoint ID (string, mandatory): + The ID of the endpoint for which the details will be returned. capabilities: can_create_case_comments: false can_create_insight: false @@ -2460,12 +2714,18 @@ Set Endpoint Label: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the label attribute of a specific endpoint within the Bitdefender GravityZone - management console. + Updates the label of an endpoint in the Bitdefender GravityZone system. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the Bitdefender GravityZone API to set + a label on an endpoint. This is an external mutation. It does not fetch data, + nor does it modify internal SOAR data (entities, insights, etc.). categories: enrichment: false + reasoning: >- + The action is a mutation action (setting a label), not an enrichment action + (fetching data). Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -2481,3 +2741,7 @@ Set Endpoint Label: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action uses Endpoint ID as a direct input parameter provided by the user, + not by iterating over siemplify.target_entities. Therefore, it does not use + entities. diff --git a/content/response_integrations/third_party/community/bitdefender_gravity_zone/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/bitdefender_gravity_zone/resources/ai/integration_ai_description.yaml index cb513bac3..5250f9acf 100644 --- a/content/response_integrations/third_party/community/bitdefender_gravity_zone/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/community/bitdefender_gravity_zone/resources/ai/integration_ai_description.yaml @@ -1,12 +1,22 @@ product_categories: asset_inventory: true - cloud_security: true + cloud_security: false collaboration: false edr: true - email_security: true + email_security: false iam_and_identity_management: false itsm: false network_security: false + reasoning: >- + The bitdefender_gravity_zone integration provides comprehensive endpoint management + capabilities, including host isolation ('Isolate Endpoint'), restoration ('Restore + Isolated Endpoint'), and remote scanning ('Create Scan Task'), which directly + align with the EDR category. Additionally, the integration offers robust asset + visibility through actions like 'Get Endpoints List' and 'Get Network Inventory + Items', which fulfill the requirements for the Asset Inventory category. The integration + does not provide SIEM log analysis, network gateway security, threat intelligence + enrichment (reputation scoring), email security (phishing management), IAM, ITSM, + Vulnerability Management, or Collaboration features. siem: false - threat_intelligence: true + threat_intelligence: false vulnerability_management: false diff --git a/content/response_integrations/third_party/community/chronicle_support_tools/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/chronicle_support_tools/resources/ai/actions_ai_description.yaml index bc36eda45..7624b2c21 100644 --- a/content/response_integrations/third_party/community/chronicle_support_tools/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/chronicle_support_tools/resources/ai/actions_ai_description.yaml @@ -13,6 +13,10 @@ Gather Remote Agent Datapoints: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a diagnostic tool that collects local logs and system information. + It does not perform any of the defined product category operations (e.g., enrichment, + containment, ticketing, etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -28,55 +32,51 @@ Gather Remote Agent Datapoints: update_identity: false update_ticket: false ai_description: >- - Gathers diagnostic information and logs from a Google SecOps Remote Agent to assist - in troubleshooting integration or connector issues. This action collects a wide - range of telemetry, including agent status, system resource utilization (CPU, - memory, uptime), file system structure, and recent error logs from both the core - agent and specific integration components. + ### General Description + The 'Gather Remote Agent Datapoints' action is a diagnostic tool designed to collect + comprehensive system and log information from a remote agent machine. It executes + a series of local shell commands to gather data such as system load, environment + variables, file information, and agent logs. This information is then logged to + the SOAR logger for troubleshooting and support purposes. - ### Flow Description: - 1. **Parameter Extraction:** Retrieves the target `IntegrationName` and optional - `ConnectorName` from the action configuration. + ### Parameters Description - 2. **Agent Status Collection:** Reads and parses the `agent_status.json` file - to identify installed versions and general agent health. - - 3. **System Load Analysis:** Executes system commands (`lscpu`, `uptime`, `free`) - to capture the current performance state of the host machine. + | Parameter | Type | Mandatory | Description | - 4. **File Metadata Retrieval:** Lists files within the agent's installation directory - to verify deployment structure. + | --- | --- | --- | --- | - 5. **Log Parsing:** Scans `/var/log/SiemplifyAgent/agent.log` and specific connector - log files for recent error patterns, filtering out sensitive information like - tokens or keys. + | IntegrationName | string | Yes | The name of the integration for which to analyze + logs. | - 6. **Diagnostic Logging:** Outputs all gathered data to the action's execution - logs for analyst review. + | ConnectorName | string | No | The name of the connector to filter logs. | - ### Parameters Description: + ### Additional Notes - | Parameter | Type | Mandatory | Description | + This action does not interact with external APIs or modify any internal SOAR data. + It is strictly a diagnostic tool that reads local system information and logs + it to the SOAR logger. - | :--- | :--- | :--- | :--- | - | IntegrationName | String | Yes | The name of the integration for which diagnostic - data is being collected. | + ### Flow Description - | ConnectorName | String | No | The specific name of the connector to analyze - for errors. | + 1. **Extract Parameters**: The action extracts the `IntegrationName` and `ConnectorName` + parameters from the configuration. + 2. **Initialize Collectors**: It initializes several collector classes (`RALogsCollector`, + `AgentLoadInfoCollector`, `CollectFileInformation`, `CollectAgentLogs`) to prepare + for data gathering. - ### Additional Notes: + 3. **Execute Commands**: The action runs local shell commands (e.g., `cat`, `lscpu`, + `uptime`, `free`, `env`, `ls`, `date`) on the agent machine to collect diagnostic + data. - - This action is primarily a support and debugging tool. It does not modify the - state of the agent or the external systems it monitors. + 4. **Log Information**: The collected data is logged to the `siemplify.LOGGER` + for analyst review. - - Sensitive data such as IP addresses, MAC addresses, and environment tokens are - automatically truncated or filtered from the logs. + 5. **Complete**: The action returns a completed status. capabilities: can_create_case_comments: false can_create_insight: false @@ -85,10 +85,21 @@ Gather Remote Agent Datapoints: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action executes local shell commands (e.g., `cat`, `lscpu`, `uptime`, `free`, + `env`, `ls`, `date`) on the agent machine to collect diagnostic logs and system + information. It does not interact with external APIs, nor does it modify any + internal SOAR data (entities, insights, comments). It is a diagnostic tool for + support purposes. categories: enrichment: false + reasoning: >- + The action is a diagnostic tool that collects local logs and system information. + It does not fetch data from external sources to enrich alerts or entities, nor + does it modify any internal or external data. Therefore, it does not meet the + criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -104,3 +115,6 @@ Gather Remote Agent Datapoints: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with entities. It operates based on configuration + parameters provided to the action. diff --git a/content/response_integrations/third_party/community/chronicle_support_tools/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/chronicle_support_tools/resources/ai/integration_ai_description.yaml index 0801c7556..d683c5b0f 100644 --- a/content/response_integrations/third_party/community/chronicle_support_tools/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/community/chronicle_support_tools/resources/ai/integration_ai_description.yaml @@ -7,6 +7,15 @@ product_categories: iam_and_identity_management: false itsm: false network_security: false + reasoning: >- + The 'chronicle_support_tools' integration is a diagnostic utility designed solely + for troubleshooting and maintaining the integration's own operations. It collects + local system logs and performance metrics from the host machine. It does not perform + any security-related functions such as threat intelligence enrichment, incident + response, asset management, or identity management. It does not interact with + external security APIs or modify SOAR case data. Consequently, it does not align + with any of the provided product categories, which are centered on security operations + and incident response workflows. siem: false threat_intelligence: false vulnerability_management: false diff --git a/content/response_integrations/third_party/community/country_flags/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/country_flags/resources/ai/actions_ai_description.yaml index 1ab6ad28a..684133cb8 100644 --- a/content/response_integrations/third_party/community/country_flags/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/country_flags/resources/ai/actions_ai_description.yaml @@ -13,6 +13,10 @@ Get Country Flag: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves contextual metadata (a country flag) for entities or a + provided code. This aligns with the 'Enrich Asset' category as it provides contextual + metadata for a resource. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -30,11 +34,10 @@ Get Country Flag: ai_description: >- ### General Description - The **Get Country Flag** action retrieves a base64-encoded string representing - a country's flag image from an external service. It is designed to provide visual - context for entities or specific country codes within a playbook. The action supports - extracting country codes from entity properties or via direct manual input and - utilizes a local caching mechanism to minimize external API calls. + This action retrieves a country flag image from `countryflags.io` based on a provided + country code or an entity's property. It supports caching the retrieved flags + in a local file to optimize performance and reduce external API calls. The action + returns the base64-encoded flag data in the result JSON. ### Parameters Description @@ -43,47 +46,43 @@ Get Country Flag: | :--- | :--- | :--- | :--- | - | Country Code Two Digit | String | No | A specific 2-digit ISO country code (e.g., - 'us', 'uk') to fetch the flag for. | + | Country Code Two Digit | string | No | The 2-digit country code (e.g., "us") + to fetch the flag for. | - | Country Code From Entity Field | String | No | A comma-separated list of field - names to look for in the `additional_properties` of the target entities. The action - will extract the country code from the first matching field found. | + | Country Code From Entity Field | string | No | The name of the field in the + entity's additional properties that contains the country code. If provided, the + action will extract the code from the entity and fetch the corresponding flag. + | ### Additional Notes - - At least one of the parameters should be provided for the action to return meaningful - data. - - - The action returns the base64 data in the `JsonResult` but does not update the - entity attributes or create insights automatically. + Either the `Country Code Two Digit` parameter or the `Country Code From Entity + Field` parameter should be configured for the action to perform its task. If both + are provided, the action will process both. ### Flow Description - 1. **Cache Loading**: The action attempts to read a local `flags.json` file from - the execution environment to retrieve previously cached flag data. - - 2. **Entity Analysis**: If `Country Code From Entity Field` is specified, the - action iterates through all target entities and checks their `additional_properties` - for the provided keys to find a country code. + 1. **Initialization**: The action initializes by attempting to load a local cache + file (`flags.json`) containing previously fetched flags. - 3. **Manual Input**: If `Country Code Two Digit` is provided, the action adds - this code to the processing queue. + 2. **Entity Processing**: If `Country Code From Entity Field` is provided, the + action iterates through all target entities. For each entity, it checks the specified + field in `additional_properties` to extract the country code. - 4. **External Retrieval**: For each unique country code found (and not present - in the cache), the action sends a GET request to `countryflags.io` to fetch the - flag image. + 3. **Flag Retrieval**: For each identified country code (either from the parameter + or the entity), the action checks the local cache. If the flag is not in the cache, + it performs an HTTP GET request to `countryflags.io` to download the flag image. - 5. **Base64 Encoding**: The fetched image content is converted into a base64-encoded - string. + 4. **Caching**: The downloaded flag is base64-encoded and stored in the local + cache. - 6. **Result Mapping**: The base64 strings are mapped to their respective entity - identifiers or country codes in the final JSON output. + 5. **Result Generation**: The action adds the base64-encoded flag data to the + result JSON. - 7. **Cache Persistence**: If new flags were fetched, the local cache file is updated - with the new data for future executions. + 6. **Cache Update**: If any new flags were fetched, the action updates the local + cache file. capabilities: can_create_case_comments: false can_create_insight: false @@ -94,8 +93,18 @@ Get Country Flag: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs an HTTP GET request to an external service (`countryflags.io`) + to fetch data (flag images). It does not modify any external system state (no + POST/PUT/DELETE). It does not modify internal SOAR data (entities, insights, + or case comments). While it writes to a local cache file, this is not considered + a mutation of internal SOAR data. categories: enrichment: true + reasoning: >- + The action fetches data (country flags) to provide context for entities or specific + codes. It does not mutate external systems or internal SOAR data. It fits the + definition of an enrichment action as it gathers supplemental context. entity_usage: entity_types: - ADDRESS @@ -133,7 +142,7 @@ Get Country Flag: - DestinationURL - USB - USERUNIQNAME - filters_by_additional_properties: true + filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false filters_by_creation_time: false @@ -146,6 +155,10 @@ Get Country Flag: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over `siemplify.target_entities` to extract country codes + from `additional_properties`. It does not filter by entity type, meaning it + processes all entity types provided in the target list. Ping: action_product_categories: add_alert_comment: false @@ -161,6 +174,10 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test ('Ping') and does not perform any of the defined + product category operations (e.g., enriching IOCs/assets, updating tickets, + etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -176,43 +193,28 @@ Ping: update_identity: false update_ticket: false ai_description: >- - ### General Description - - The **Ping** action is designed to verify the connectivity between Google SecOps - and the Country Flags service. It serves as a health check to ensure that the - integration can successfully reach the external API and process image data. - - - ### Parameters Description - - There are no parameters configured for this action. + General description: This action tests connectivity to the Country Flags service + by attempting to retrieve a flag image for a hardcoded country code ('us'). It + serves as a diagnostic tool to verify network reachability and service availability. - ### Additional Notes - - This action uses a hardcoded country code ('us') to perform the connectivity test. - It also utilizes a local cache file (`flags.json`) to store and retrieve previously - fetched flag data in base64 format to optimize performance during the test. + Flow description: + 1. Initialize the SiemplifyAction. - ### Flow Description + 2. Attempt to read a local cache file ('flags.json') from the run folder. - 1. **Initialize Action:** The script initializes the Siemplify action context. + 3. If the country flag is not found in the cache, perform an HTTP GET request + to 'https://www.countryflags.io/'. - 2. **Load Cache:** It attempts to read a local JSON file named `flags.json` from - the execution folder to load existing flag data. + 4. Encode the retrieved image content to base64 and update the local cache dictionary. - 3. **Check Cache:** The script checks if the flag for the country code 'us' is - already present in the loaded cache. + 5. Return success or failure based on the retrieval outcome. - 4. **External API Call:** If the flag is not in the cache, it performs a GET request - to the Country Flags API (`https://www.countryflags.io/us/flat/64.png`). - 5. **Process Response:** Upon a successful API response, the image content is - encoded into a base64 string. + Parameters description: - 6. **Finalize:** If the base64 data is successfully retrieved (either from cache - or API), the action terminates with a 'Successful' status. + There are no parameters for this action. capabilities: can_create_case_comments: false can_create_insight: false @@ -223,8 +225,16 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs an HTTP GET request to an external service to fetch an image. + It does not modify external systems, nor does it modify internal SecOps data + (entities, insights, etc.). It uses a local file for caching, which is not considered + internal data mutation in the context of SecOps case data. categories: enrichment: false + reasoning: >- + The action is named 'Ping' and is explicitly excluded from being an enrichment + action per the instructions. It does not perform any enrichment on entities. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -240,3 +250,6 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with target_entities. It uses a hardcoded country + code 'us' and does not perform any operations on entities. diff --git a/content/response_integrations/third_party/community/country_flags/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/country_flags/resources/ai/integration_ai_description.yaml index 0801c7556..c717cb966 100644 --- a/content/response_integrations/third_party/community/country_flags/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/community/country_flags/resources/ai/integration_ai_description.yaml @@ -7,6 +7,17 @@ product_categories: iam_and_identity_management: false itsm: false network_security: false + reasoning: >- + The country_flags integration is a utility tool designed to provide visual context + (country flags) for entities. It does not perform any of the security-specific + functions defined in the product categories. It does not analyze logs (SIEM), + investigate hosts (EDR), manage network traffic (Network Security), provide threat + intelligence (Threat Intelligence), manage emails (Email Security), manage identities + (IAM), manage cloud resources (Cloud Security), handle ticketing (ITSM), assess + vulnerabilities (Vulnerability Management), provide asset inventory details (Asset + Inventory), or facilitate collaboration (Collaboration). While it performs enrichment, + it is purely cosmetic and does not meet the specific 'Expected Outcome' criteria + for any of the listed categories. siem: false threat_intelligence: false vulnerability_management: false diff --git a/content/response_integrations/third_party/community/cybersixgill_actionable_alerts/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/cybersixgill_actionable_alerts/resources/ai/actions_ai_description.yaml index 3296d9c7f..e5e8e2bd0 100644 --- a/content/response_integrations/third_party/community/cybersixgill_actionable_alerts/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/cybersixgill_actionable_alerts/resources/ai/actions_ai_description.yaml @@ -13,6 +13,9 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test (Ping) and does not perform any of the defined + operational tasks like enriching IOCs, blocking, or creating tickets. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -30,10 +33,9 @@ Ping: ai_description: >- ### General Description - The **Ping** action is used to verify the connectivity between Google SecOps and - the Cybersixgill platform. It validates that the provided credentials (Client - ID and Client Secret) are correct and that the environment can successfully communicate - with the Cybersixgill API by attempting to retrieve an authentication token. + Tests connectivity to the Cybersixgill API by validating the provided credentials. + This action ensures that the integration is correctly configured and can communicate + with the external service. ### Parameters Description @@ -42,35 +44,25 @@ Ping: | :--- | :--- | :--- | :--- | - | **Client Id** | Password | Yes | The unique identifier for the Cybersixgill - API client used for authentication. | + | Client Id | password | Yes | The client ID used for authentication with the + Cybersixgill service. | - | **Client Secret** | Password | Yes | The secret key associated with the Cybersixgill - API client used for authentication. | + | Client Secret | password | Yes | The client secret used for authentication with + the Cybersixgill service. | ### Flow Description - 1. **Credential Extraction**: The action retrieves the `Client Id` and `Client - Secret` from the integration configuration parameters. + 1. The action retrieves the `Client Id` and `Client Secret` from the integration + configuration. - 2. **Client Initialization**: It initializes the Cybersixgill communication manager - using the provided credentials. + 2. It initializes the `SixgillEnrichManager` using these credentials. - 3. **Authentication Test**: The action attempts to retrieve an OAuth2 access token - from the Cybersixgill API. + 3. It attempts to authenticate with the Cybersixgill API by requesting an access + token. - 4. **Result Reporting**: If the token is successfully retrieved, the action returns - a success status and a confirmation message. If an error occurs (e.g., invalid - credentials or network timeout), it reports a failure with the specific error - details. - - - ### Additional Notes - - This action does not process any entities, fetch contextual data, or modify any - internal or external records. It is strictly a diagnostic tool for connectivity - testing. + 4. The action returns a success or failure status based on the authentication + attempt. capabilities: can_create_case_comments: false can_create_insight: false @@ -81,8 +73,15 @@ Ping: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity test (Ping) to the Cybersixgill API. It does + not fetch contextual data, mutate external systems, or modify internal SOAR + data. It is strictly a validation step. categories: enrichment: false + reasoning: >- + The action is named 'Ping' and performs a connectivity test. Per the instructions, + 'Ping' actions are explicitly excluded from being enrichment actions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -98,3 +97,6 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities; it only performs a connectivity + test using configuration parameters. diff --git a/content/response_integrations/third_party/community/cybersixgill_actionable_alerts/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/cybersixgill_actionable_alerts/resources/ai/connectors_ai_description.yaml index 6eacb393d..d1a8d0de8 100644 --- a/content/response_integrations/third_party/community/cybersixgill_actionable_alerts/resources/ai/connectors_ai_description.yaml +++ b/content/response_integrations/third_party/community/cybersixgill_actionable_alerts/resources/ai/connectors_ai_description.yaml @@ -2,11 +2,10 @@ Cybersixgill Actionable Alerts: ai_description: >- ### General Description - The Cybersixgill Actionable Alerts connector integrates Google SecOps with the - Cybersixgill portal to ingest high-fidelity actionable alerts. It enables security - teams to monitor deep and dark web threats, including data leaks, credential theft, - and vulnerability exploits (CVEs), by automatically creating cases in Google SecOps - for rapid response. + This connector integrates with Cybersixgill to fetch actionable threat intelligence + alerts. It retrieves alerts based on configured filters (threat level, threat + type) and ingests them into Google SecOps as cases, providing detailed context + including CVE information, threat assessments, and associated assets. ### Parameters Description @@ -15,59 +14,50 @@ Cybersixgill Actionable Alerts: | :--- | :--- | :--- | :--- | - | Client Id | Password | Yes | The Client ID provided by Cybersixgill for API - authentication. | - - | Client Secret | Password | Yes | The Client Secret provided by Cybersixgill - for API authentication. | - | Alerts Limit | Integer | Yes | The maximum number of alerts to fetch in a single - execution cycle (default is 50). | + execution. | - | Organization id | String | No | Optional filter to fetch alerts specific to - a particular Cybersixgill Organization ID. | - - | Threat Level | String | No | Filter alerts by threat level (e.g., 'imminent'). + | Client Id | Password | Yes | The Client ID for Cybersixgill API authentication. | - | Threat Type | String | No | Filter alerts by threat type. Supports a comma-separated - list of types. | + | Client Secret | Password | Yes | The Client Secret for Cybersixgill API authentication. + | | DeviceProductField | String | Yes | The field name used to determine the device - product in the SOAR (default: Cybersixgill Actionable Alerts). | + product. | - | EventClassId | String | Yes | The field name used to determine the event name/sub-type - (default: Cybersixgill Actionable Alerts). | + | EventClassId | String | Yes | The field name used to determine the event name + (sub-type). | - | PythonProcessTimeout | String | Yes | The timeout limit in seconds for the connector - execution process. | + | Organization id | String | No | The specific Organization ID to filter alerts. + | + + | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the + Python process. | + + | Threat Level | String | No | Filter alerts by threat level (e.g., imminent). + | + + | Threat Type | String | No | Filter alerts by threat type (comma-separated). + | ### Flow Description - 1. **Authentication**: The connector authenticates with the Cybersixgill API using - the provided Client ID and Client Secret to establish a session. - - 2. **Time Range Calculation**: It determines the fetch window. On the first run, - it defaults to a look-back period (typically 30 days); on subsequent runs, it - fetches alerts starting from the timestamp of the last ingested alert. - - 3. **Alert Retrieval**: Queries the Cybersixgill Actionable Alerts API for new - alerts, applying filters for Threat Level, Threat Type, and Organization ID if - configured. - - 4. **Data Enrichment**: For each retrieved alert, the connector fetches full details, - including: - * **Metadata**: Title, description, and threat assessment. - * **Contextual Links**: Direct URLs to the Cybersixgill Portal for the specific - alert. - * **CVE Data**: If the alert is vulnerability-related, it extracts CVE IDs, - CVSS scores (v2/v3), and DVE (Dynamic Vulnerability Exploit) scores. - * **Sub-Alerts**: Aggregates related sub-events into an HTML-formatted table - for better visibility within the SOAR case wall. - 5. **Case Creation**: Maps the enriched data into the Google SecOps AlertInfo - model, assigning priorities based on the threat level (e.g., 'imminent' alerts - are mapped to Critical priority). - - 6. **State Management**: Saves the timestamp of the most recent alert to ensure - subsequent runs only process new data. + 1. Authenticates with the Cybersixgill API using the provided Client ID and Client + Secret. + + 2. Calculates the time range for fetching alerts based on the last run timestamp + or a default lookback period. + + 3. Queries the Cybersixgill API for actionable alerts, applying filters for threat + level, threat type, and organization ID if provided. + + 4. For each retrieved alert, fetches detailed information, including threat assessments, + recommendations, and associated CVE data. + + 5. Maps the alert data into the Google SecOps AlertInfo format, including raw + JSON, portal URLs, and sub-alert details. + + 6. Updates the connector timestamp to the latest alert creation time and returns + the processed alerts to the SOAR platform. diff --git a/content/response_integrations/third_party/community/cybersixgill_actionable_alerts/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/cybersixgill_actionable_alerts/resources/ai/integration_ai_description.yaml index ac8e64b44..27fadb659 100644 --- a/content/response_integrations/third_party/community/cybersixgill_actionable_alerts/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/community/cybersixgill_actionable_alerts/resources/ai/integration_ai_description.yaml @@ -7,6 +7,16 @@ product_categories: iam_and_identity_management: false itsm: false network_security: false + reasoning: >- + The integration is primarily a Threat Intelligence solution, as it provides actionable + intelligence from deep, dark, and surface web sources, including risk assessments + and threat data for IPs, domains, and vulnerabilities. It qualifies for the Threat + Intelligence category because it enriches alerts with external threat data. It + also qualifies for the Vulnerability Management category because it specifically + monitors for vulnerabilities and provides CVE information, which helps in assessing + the susceptibility of assets to known exploits. It does not qualify as a SIEM, + EDR, Network Security, Email Security, IAM, Cloud Security, ITSM, Asset Inventory, + or Collaboration tool based on the provided descriptions. siem: false threat_intelligence: true vulnerability_management: true diff --git a/content/response_integrations/third_party/community/cybersixgill_darkfeed/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/cybersixgill_darkfeed/resources/ai/actions_ai_description.yaml index c987a6d3a..bf97c0225 100644 --- a/content/response_integrations/third_party/community/cybersixgill_darkfeed/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/cybersixgill_darkfeed/resources/ai/actions_ai_description.yaml @@ -13,6 +13,10 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test ('Ping') to verify credentials against the + Cybersixgill API. It does not perform any of the listed functional operations + (enrichment, containment, etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -27,41 +31,15 @@ Ping: update_email: false update_identity: false update_ticket: false - ai_description: >- - ### General Description - - The **Ping** action is used to verify the connectivity between Google SecOps and - the Cybersixgill Darkfeed platform. It ensures that the integration's configuration - parameters, specifically the **Client ID** and **Client Secret**, are correct - and that the Cybersixgill API is accessible. - - - ### Parameters Description - - There are no input parameters for this action. It relies solely on the integration's - global configuration. - - - ### Additional Notes - - This action is typically used during the initial setup of the integration or for - troubleshooting connectivity issues. Per standard SOAR practices, Ping actions - are not categorized as enrichment actions. - - - ### Flow Description - - 1. **Extract Configuration:** The action retrieves the `Client Id` and `Client - Secret` from the integration settings. - - 2. **Initialize Manager:** It initializes the `SixgillEnrichManager` with the - retrieved credentials. - - 3. **Authentication Test:** The manager attempts to authenticate with the Cybersixgill - API by requesting an access token. - - 4. **Result Reporting:** If the token is successfully retrieved, the action completes - with a success status. If authentication fails, an error is raised. + ai_description: "Tests connectivity to the Cybersixgill service by validating the\ + \ provided API credentials. \n\n### Parameters\n| Parameter | Type | Mandatory\ + \ | Description |\n| --- | --- | --- | --- |\n| Client Id | String | Yes | The\ + \ Client ID for Cybersixgill authentication. |\n| Client Secret | String | Yes\ + \ | The Client Secret for Cybersixgill authentication. |\n\n### Flow Description\n\ + 1. Extract the `Client Id` and `Client Secret` from the integration configuration.\n\ + 2. Initialize the `SixgillEnrichManager` with the provided credentials.\n3. Attempt\ + \ to authenticate with the Cybersixgill API to retrieve an access token.\n4. Return\ + \ the connection status and a success/failure message." capabilities: can_create_case_comments: false can_create_insight: false @@ -70,10 +48,17 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity check (Ping) to verify API credentials. It + does not fetch data for entities, mutate external systems, or modify internal + SOAR data. categories: enrichment: false + reasoning: >- + The action is named 'Ping', which is explicitly excluded from being an enrichment + action per the provided guidelines. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -89,3 +74,6 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. It is a standalone connectivity + test. diff --git a/content/response_integrations/third_party/community/cybersixgill_darkfeed/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/cybersixgill_darkfeed/resources/ai/connectors_ai_description.yaml index dbfec9281..64afb9c62 100644 --- a/content/response_integrations/third_party/community/cybersixgill_darkfeed/resources/ai/connectors_ai_description.yaml +++ b/content/response_integrations/third_party/community/cybersixgill_darkfeed/resources/ai/connectors_ai_description.yaml @@ -2,11 +2,11 @@ Cybersixgill - Darkfeed Connector: ai_description: >- ### General Description - The Cybersixgill Darkfeed connector integrates with Cybersixgill's automated threat - intelligence platform to ingest malicious Indicators of Compromise (IOCs) sourced - from the deep and dark web. It provides real-time, actionable data including domains, - URLs, hashes, and IP addresses, enabling security teams to preemptively identify - and block threats within the Google SecOps environment. + The Cybersixgill Darkfeed Connector integrates Google SecOps SOAR with the Cybersixgill + Darkfeed service. It automatically ingests real-time threat intelligence, specifically + malicious indicators of compromise (IOCs) such as domains, URLs, file hashes, + and IP addresses. By fetching these indicators, the connector enables organizations + to preemptively identify and block threats identified on the deep and dark web. ### Parameters Description @@ -16,7 +16,7 @@ Cybersixgill - Darkfeed Connector: | :--- | :--- | :--- | :--- | | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the - python process running the current script. | + python process running the script. | | EventClassId | String | Yes | The field name used to determine the event name (sub-type). | @@ -24,36 +24,32 @@ Cybersixgill - Darkfeed Connector: | DeviceProductField | String | Yes | The field name used to determine the device product. | - | Client Secret | Password | Yes | The Secret Key used for authentication with - Cybersixgill. | + | Client Secret | Password | Yes | The secret key for Cybersixgill API authentication. + | - | Client Id | String | Yes | The Client ID used for authentication with Cybersixgill. + | Client Id | String | Yes | The Client ID for Cybersixgill API authentication. | | Alerts Limit | Integer | Yes | The maximum number of alerts to be ingested into - the platform per execution cycle. | + the platform per run. | ### Flow Description - 1. **Authentication**: The connector authenticates with the Cybersixgill API using + 1. The connector initializes the connection to the Cybersixgill Darkfeed API using the provided Client ID and Client Secret. - 2. **Data Retrieval**: It queries the Cybersixgill Darkfeed stream for a batch - of indicators, limited by the "Alerts Limit" parameter. - - 3. **Filtering**: The connector filters the retrieved objects to ensure they are - valid indicators and have not been revoked. + 2. It queries the Darkfeed stream to retrieve a bundle of threat intelligence + records. - 4. **Parsing**: For each indicator, the connector parses the STIX pattern to extract - specific IOC types such as MD5, SHA-1, SHA-256 hashes, URLs, domains, and IPv4 - addresses. + 3. The retrieved records are filtered to ensure only valid indicators are processed + and that revoked items are ignored. - 5. **Enrichment**: It enriches the event data with additional context, including - VirusTotal positive rates and MITRE ATT&CK tactics/descriptions where available. + 4. For each valid indicator, the connector parses the pattern data using regex + to extract specific IOC types (File Hashes, URLs, Domains, IP addresses). - 6. **Case Creation**: Each indicator is mapped to a Google SecOps Alert and Event, - then ingested into the system. + 5. It maps the indicator data into a standardized SOAR Alert format, including + metadata such as threat actor, confidence score, severity, and MITRE ATT&CK mapping. - 7. **Checkpointing**: The connector commits the processed indicators back to the - Cybersixgill client to ensure subsequent runs fetch only new data. + 6. The processed alerts are ingested into the SOAR platform, and the connector + commits the indicators to the Cybersixgill client. diff --git a/content/response_integrations/third_party/community/cybersixgill_darkfeed/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/cybersixgill_darkfeed/resources/ai/integration_ai_description.yaml index 2e831240c..f3e045257 100644 --- a/content/response_integrations/third_party/community/cybersixgill_darkfeed/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/community/cybersixgill_darkfeed/resources/ai/integration_ai_description.yaml @@ -7,6 +7,15 @@ product_categories: iam_and_identity_management: false itsm: false network_security: false + reasoning: >- + The Cybersixgill Darkfeed integration is a dedicated threat intelligence feed. + Its primary function, as described in the connector metadata, is to ingest real-time + malicious indicators of compromise (IOCs) such as domains, URLs, file hashes, + and IP addresses from the deep and dark web into the SOAR platform. This directly + aligns with the Threat Intelligence category, which focuses on providing reputation + data and IOCs to confirm alerts. It does not perform SIEM log analysis, EDR host-level + containment, network gateway blocking, or identity management, and therefore does + not qualify for those categories. siem: false threat_intelligence: true vulnerability_management: false diff --git a/content/response_integrations/third_party/community/cybersixgill_darkfeed_enrichment/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/cybersixgill_darkfeed_enrichment/resources/ai/actions_ai_description.yaml index cd344ef28..e5dcf961c 100644 --- a/content/response_integrations/third_party/community/cybersixgill_darkfeed_enrichment/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/cybersixgill_darkfeed_enrichment/resources/ai/actions_ai_description.yaml @@ -13,6 +13,10 @@ Enrich Actor: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves threat intelligence (attribution, techniques, activity) + for a Threat Actor. This aligns with the 'Enrich IOC' category, which covers + returning threat intelligence for indicators. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -27,35 +31,25 @@ Enrich Actor: update_email: false update_identity: false update_ticket: false - ai_description: "### General Description\nEnriches Threat Actor entities using Cybersixgill\ - \ Darkfeed intelligence. This action retrieves a comprehensive profile of a threat\ - \ actor's activity within underground forums and dark web sources over the last\ - \ 90 days. It identifies shared Indicators of Compromise (IOCs), areas of activity,\ - \ preferred targets, and techniques used by the actor. The retrieved data is used\ - \ to update entity attributes, add detailed properties, and generate insights\ - \ and data tables within the case for better analyst visibility.\n\n### Parameters\ - \ Description\n| Parameter Name | Expected Type | Mandatory | Description |\n\ - | :--- | :--- | :--- | :--- |\n| None | N/A | N/A | This action does not have\ - \ any specific input parameters. It relies on the integration's configuration\ - \ (Client ID and Client Secret) and the entities present in the case. |\n\n###\ - \ Additional Notes\n- This action specifically targets entities of type `THREATACTOR`.\n\ - - It automatically marks enriched entities as 'Suspicious' and 'Enriched' within\ - \ the Google SecOps platform.\n- The action provides deep links to the Cybersixgill\ - \ portal for each identified post or activity.\n\n### Flow Description\n1. **Initialization**:\ - \ The action initializes the Cybersixgill manager using the integration's Client\ - \ ID and Client Secret.\n2. **Entity Identification**: It identifies all `THREATACTOR`\ - \ entities within the current alert or case context.\n3. **Data Retrieval**: For\ - \ each identified actor, the action queries the Cybersixgill API to fetch intelligence\ - \ data, focusing on activity from the last 90 days.\n4. **Data Processing**: The\ - \ results are parsed to extract key information, including post titles, source\ - \ feeds, severity, confidence scores, and external references like MITRE ATT&CK\ - \ tactics/techniques or VirusTotal scores.\n5. **Internal Mutation (Enrichment)**:\ - \ \n - Updates the entity's `additional_properties` with the retrieved Sixgill\ - \ metadata.\n - Sets the entity's `is_enriched` and `is_suspicious` flags to\ - \ true.\n6. **Reporting**: \n - Generates a detailed Case Insight containing\ - \ the actor's activity summary.\n - Adds a Data Table to the entity with structured\ - \ information about the findings.\n - Adds external links to the entity for\ - \ direct access to the Cybersixgill portal." + ai_description: "Enriches Threat Actor entities using the Cybersixgill Darkfeed\ + \ Enrichment integration. This action retrieves detailed threat intelligence,\ + \ including associated IOCs, areas of activity, target preferences, and techniques\ + \ used by the actor over the last 90 days. \n\n### Flow Description\n1. The action\ + \ initializes the Sixgill client using the provided credentials.\n2. It iterates\ + \ through the target entities, specifically filtering for `THREATACTOR` types.\n\ + 3. For each entity, it queries the Sixgill API to retrieve actor-specific intelligence.\n\ + 4. If data is found, it updates the entity's properties (e.g., `is_enriched`,\ + \ `is_suspicious`, and `additional_properties`) within the SOAR platform.\n5.\ + \ It generates a detailed entity table and a case insight containing the retrieved\ + \ intelligence, including VirusTotal and MITRE ATT&CK references.\n6. Finally,\ + \ it updates the entities and adds the results to the case.\n\n### Parameters\n\ + | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ + | Client Id | String | Yes | The Client ID for authenticating with the Sixgill\ + \ API. |\n| Client Secret | String | Yes | The Client Secret for authenticating\ + \ with the Sixgill API. |\n\n### Additional Notes\nThis action is specifically\ + \ designed to process `THREATACTOR` entities. While the underlying processor supports\ + \ other entity types, this specific action implementation restricts processing\ + \ to `THREATACTOR` only." capabilities: can_create_case_comments: false can_create_insight: true @@ -66,10 +60,19 @@ Enrich Actor: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity attributes (is_enriched, is_suspicious), adds custom entity properties, - creates case insights, and adds data tables to entities. + Updates entity properties (is_enriched, is_suspicious, additional_properties) + and creates case insights and entity tables within the SOAR platform. + reasoning: >- + The action fetches threat intelligence data from the Sixgill API (fetches_data=true). + It does not modify any external systems (can_mutate_external_data=false). It + performs internal mutations by updating entity properties, creating case insights, + and adding entity tables (can_mutate_internal_data=true). categories: enrichment: true + reasoning: >- + The action fetches data from an external source (Sixgill) and performs allowed + internal mutations (updating entities, creating insights). It does not mutate + external systems, making it a valid enrichment action. entity_usage: entity_types: - THREATACTOR @@ -86,6 +89,9 @@ Enrich Actor: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over `siemplify.target_entities` and explicitly filters + for `THREATACTOR` entities as defined in the `main` function of the script. Enrich Domain: action_product_categories: add_alert_comment: false @@ -101,6 +107,11 @@ Enrich Domain: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves threat intelligence (reputation, feed data, actor info) + for a domain (IOC). This aligns with the 'Enrich IOC' category. It does not + perform asset-specific metadata retrieval (Enrich Asset), nor does it perform + any containment or ticketing actions. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -115,48 +126,30 @@ Enrich Domain: update_email: false update_identity: false update_ticket: false - ai_description: >- - Enriches Hostname entities using Cybersixgill Darkfeed intelligence. This action - identifies domains associated with compromised sites or those listed for sale - on the dark web. It retrieves comprehensive threat intelligence, including actor - details, post titles, severity, and confidence scores. The action updates entity - attributes, marks entities as suspicious when matches are found, and generates - detailed case insights and data tables for analyst review. - - - ### Parameters - - | Parameter | Description | Type | Mandatory | - - | :--- | :--- | :--- | :--- | - - | None | This action does not have any input parameters. | N/A | N/A | - - - ### Additional Notes - - - This action specifically targets Hostname entities to perform domain-based enrichment. - - - It automatically marks entities as suspicious if threat intelligence is found - in the Cybersixgill database. - - - ### Flow Description - - 1. **Credential Retrieval**: Extracts the Client ID and Client Secret from the - integration configuration. - - 2. **Entity Filtering**: Identifies Hostname entities within the current context. - - 3. **External Lookup**: Queries the Cybersixgill Darkfeed API for each domain - to check for dark web presence or compromise. - - 4. **Internal Enrichment**: Updates the entity's additional properties with Sixgill - metadata and marks the entity as suspicious and enriched. - - 5. **Reporting**: Generates a case insight, adds a data table to the entity, and - provides external links (e.g., to the Sixgill Portal or VirusTotal) for further - investigation. + ai_description: "### General Description\nThe **Enrich Domain** action leverages\ + \ the Cybersixgill Darkfeed Enrichment integration to gather threat intelligence\ + \ regarding domain entities. It queries the Sixgill API to identify if a domain\ + \ is associated with compromised sites, dark web activity, or other malicious\ + \ indicators. The action retrieves detailed threat data, including feed names,\ + \ actor information, confidence scores, severity levels, and associated MITRE\ + \ ATT&CK techniques.\n\n### Flow Description\n1. **Initialization**: The action\ + \ initializes the `SixgillEnrichManager` using the provided client credentials.\n\ + 2. **Entity Processing**: It iterates through the target entities, specifically\ + \ filtering for `HOSTNAME` types.\n3. **Data Retrieval**: For each valid domain,\ + \ it queries the Sixgill API to fetch relevant threat intelligence.\n4. **Enrichment**:\ + \ \n - Updates the entity's `is_enriched` and `is_suspicious` status.\n -\ + \ Populates the entity's `additional_properties` with retrieved threat data (e.g.,\ + \ feed source, confidence, severity).\n - Updates the entity within the SOAR\ + \ platform.\n5. **Reporting**: \n - Generates a case insight containing the\ + \ detailed threat report.\n - Adds a data table to the entity's result view.\n\ + \ - Attaches the raw JSON response to the action results.\n\n### Parameters\ + \ Description\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- |\ + \ :--- | :--- |\n| Client Id | String | Yes | The Client ID used to authenticate\ + \ with the Cybersixgill API. |\n| Client Secret | String | Yes | The Client Secret\ + \ used to authenticate with the Cybersixgill API. |\n\n### Additional Notes\n\ + This action is specifically configured to process `HOSTNAME` entities. While the\ + \ underlying processor supports other types (IP, Hash, URL, Actor), this specific\ + \ action implementation restricts execution to domains." capabilities: can_create_case_comments: false can_create_insight: true @@ -167,11 +160,22 @@ Enrich Domain: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity attributes (additional properties), sets the 'is_suspicious' - and 'is_enriched' flags, creates case insights, and adds data tables containing - dark web intelligence. + Updates entity attributes (is_enriched, is_suspicious, additional_properties) + and creates case insights and data tables within the SOAR platform. + reasoning: >- + The action fetches threat intelligence data from the external Sixgill API (fetches_data=true). + It does not modify external systems (can_mutate_external_data=false). It performs + internal mutations by updating entity attributes (is_enriched, is_suspicious, + additional_properties), creating case insights, and adding data tables to the + SOAR case (can_mutate_internal_data=true). categories: enrichment: true + reasoning: >- + The action is designed to retrieve threat intelligence for domain entities and + update the SOAR platform with this context. It does not modify external systems + or perform containment. It meets the criteria for an enrichment action as it + fetches data and only performs allowed internal mutations (updating entities + and creating insights). entity_usage: entity_types: - HOSTNAME @@ -188,6 +192,10 @@ Enrich Domain: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over `siemplify.target_entities` and explicitly filters + for `HOSTNAME` entities via the `sixgill_process.entity_data([EntityTypes.HOSTNAME])` + and `sixgill_process.enrich([EntityTypes.HOSTNAME])` calls in the main script. Enrich Hash: action_product_categories: add_alert_comment: false @@ -203,6 +211,10 @@ Enrich Hash: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves threat intelligence (reputation, actor, MITRE mappings) + for file hashes, which directly matches the 'Enrich IOC' category. It does not + perform asset enrichment, ticket management, or containment actions. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -218,28 +230,24 @@ Enrich Hash: update_identity: false update_ticket: false ai_description: "Enriches File Hash entities using Cybersixgill Darkfeed intelligence.\ - \ This action proactively analyzes and investigates malware hashes as they emerge\ - \ on the dark web, providing context on malware that may be undetected by traditional\ - \ antivirus vendors. It retrieves detailed metadata including feed names, source\ - \ information, actor attribution, and cross-references with VirusTotal and MITRE\ - \ ATT&CK frameworks.\n\n### Flow Description:\n1. **Credential Retrieval:** Extracts\ - \ the Client ID and Client Secret from the integration configuration.\n2. **Entity\ - \ Filtering:** Identifies all File Hash entities within the current context.\n\ - 3. **External Query:** For each hash, it queries the Cybersixgill Darkfeed API\ - \ to retrieve enrichment data.\n4. **Internal Enrichment:** \n * Updates the\ - \ entity's suspicious and enriched status.\n * Populates the entity's additional\ - \ properties with Sixgill-specific metadata (e.g., Confidence, Severity, Actor).\n\ - \ * Maps and adds related hashes (MD5, SHA-1, SHA-256) found in the STIX patterns.\n\ - 5. **Reporting:** \n * Generates a detailed Case Insight for each entity containing\ - \ a summary of the findings.\n * Adds a data table to the entity with comprehensive\ - \ technical details.\n * Attaches external links to the Cybersixgill portal,\ - \ VirusTotal, and MITRE ATT&CK for further investigation.\n\n### Parameters Description:\n\ - | Parameter Name | Type | Mandatory | Description |\n| :--- | :--- | :--- | :---\ - \ |\n| None | N/A | N/A | This action does not have any action-specific parameters;\ - \ it relies on the integration's global configuration for authentication. |\n\n\ - ### Additional Notes:\n* This action specifically targets `FILEHASH` entities.\ - \ \n* It automatically marks enriched entities as 'Suspicious' if data is found\ - \ in the Cybersixgill feed." + \ This action proactively investigates malware hashes by querying the Sixgill\ + \ platform for associated threat intelligence, including actor information, feed\ + \ sources, and MITRE ATT&CK mappings. \n\n### Flow Description\n1. **Authentication**:\ + \ Extracts the Client ID and Client Secret from the integration configuration.\n\ + 2. **Entity Processing**: Iterates through the target entities, specifically filtering\ + \ for `FILEHASH` types.\n3. **Data Retrieval**: Queries the Sixgill API for threat\ + \ intelligence related to the hash.\n4. **Internal Update**: Updates the entity's\ + \ profile in Google SecOps by setting `is_enriched` and `is_suspicious` flags\ + \ to true, and populating `additional_properties` with retrieved metadata.\n5.\ + \ **Insight Generation**: Creates a case insight containing the detailed threat\ + \ report, including VirusTotal reputation data and MITRE ATT&CK tactics/techniques,\ + \ and adds a data table to the action results.\n\n### Parameters\n| Parameter\ + \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Client\ + \ Id | String | Yes | The Client ID for authenticating with the Cybersixgill API.\ + \ |\n| Client Secret | String | Yes | The Client Secret for authenticating with\ + \ the Cybersixgill API. |\n\n### Additional Notes\nThis action is strictly for\ + \ enrichment and does not perform any external mutations (e.g., blocking or containment).\ + \ It specifically targets `FILEHASH` entities." capabilities: can_create_case_comments: false can_create_insight: true @@ -251,9 +259,18 @@ Enrich Hash: fetches_data: true internal_data_mutation_explanation: >- Updates entity attributes (is_enriched, is_suspicious, additional_properties) - and creates case insights and data tables within Google SecOps. + and creates case insights within Google SecOps. + reasoning: >- + The action fetches threat intelligence data from the Sixgill API (fetches_data=true). + It does not mutate external systems (can_mutate_external_data=false). It performs + internal mutations by updating entity attributes (is_enriched, is_suspicious, + additional_properties) and creating case insights (can_mutate_internal_data=true). categories: enrichment: true + reasoning: >- + The action retrieves threat intelligence data from an external source (Sixgill) + and updates internal SOAR entities and insights without modifying external systems. + This aligns with the definition of an enrichment action. entity_usage: entity_types: - FILEHASH @@ -270,6 +287,9 @@ Enrich Hash: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over `siemplify.target_entities` and is explicitly configured + in the main script (`EnrichHash.py`) to process only `FILEHASH` entities. Enrich IP: action_product_categories: add_alert_comment: false @@ -281,10 +301,14 @@ Enrich IP: disable_identity: false download_file: false enable_identity: false - enrich_asset: false + enrich_asset: true enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves threat intelligence for IOCs (IPs, Hashes, URLs) and assets + (Hostnames), which aligns with both 'Enrich IOC' and 'Enrich Asset' categories. + It does not perform any other listed actions. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -299,55 +323,26 @@ Enrich IP: update_email: false update_identity: false update_ticket: false - ai_description: >- - ### General Description - - Enriches IP Address entities using Cybersixgill Darkfeed threat intelligence. - This action retrieves detailed context regarding indicators of compromise (IOCs), - including associations with C&C servers, botnets, DDoS attacks, proxy anonymization, - and compromised RDP addresses. It provides reputation data, confidence scores, - and severity levels to help analysts assess the risk of specific IP addresses. - - - ### Parameters Description - - | Parameter Name | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | None | N/A | N/A | This action does not require any user-provided parameters; - it uses global integration configuration for credentials. | - - - ### Additional Notes - - * **Internal Updates:** This action automatically marks enriched entities as - 'Suspicious' and 'Enriched' within the Google SecOps platform if data is found. - - * **External Links:** The action generates links to the Cybersixgill Portal, - VirusTotal, and MITRE ATT&CK documentation where applicable. - - - ### Flow Description - - 1. **Credential Retrieval:** Extracts the Client ID and Client Secret from the - integration configuration. - - 2. **Entity Filtering:** Identifies all IP Address entities within the current - alert scope. - - 3. **Data Retrieval:** Queries the Cybersixgill Darkfeed API for each identified - IP address to fetch enrichment data. - - 4. **Entity Enrichment:** Updates the entity's additional properties with metadata - such as feed name, source, actor, confidence, and severity. It also sets the entity's - status to 'Suspicious' and 'Enriched'. - - 5. **Insight Generation:** Creates a detailed Case Insight for each enriched - entity, summarizing the threat intelligence found. - - 6. **UI Enhancement:** Adds data tables to the entity view and provides direct - links to external analysis tools (VirusTotal, MITRE) and the Cybersixgill portal. + ai_description: "### General Description\nThis action enriches various entity types\ + \ (IP Address, Hostname, FileHash, URL, and ThreatActor) using the Cybersixgill\ + \ Darkfeed intelligence platform. It retrieves threat intelligence, including\ + \ malware associations, actor information, and MITRE ATT&CK mappings, to provide\ + \ context for security investigations.\n\n### Parameters\n| Parameter | Type |\ + \ Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Client Id | String\ + \ | Yes | The Client ID used to authenticate with the Cybersixgill API. |\n| Client\ + \ Secret | String | Yes | The Client Secret used to authenticate with the Cybersixgill\ + \ API. |\n\n### Flow Description\n1. **Authentication**: The action extracts the\ + \ `Client Id` and `Client Secret` from the integration configuration to initialize\ + \ the `SixgillEnrichManager`.\n2. **Entity Iteration**: The action iterates through\ + \ all `target_entities` provided in the case.\n3. **Filtering**: It filters entities\ + \ based on supported types: `ADDRESS`, `HOSTNAME`, `FILEHASH`, `URL`, and `THREATACTOR`.\n\ + 4. **Data Retrieval**: For each valid entity, it queries the Cybersixgill API\ + \ to fetch relevant threat intelligence.\n5. **Internal Update**: \n - Updates\ + \ the entity's `is_enriched` and `is_suspicious` flags.\n - Populates the entity's\ + \ `additional_properties` with detailed Sixgill data.\n - Creates a case insight\ + \ containing the enriched data.\n - Adds an entity table to the SOAR platform\ + \ for quick reference.\n6. **Finalization**: Updates the entities in the SOAR\ + \ platform and returns the execution status." capabilities: can_create_case_comments: false can_create_insight: true @@ -358,13 +353,28 @@ Enrich IP: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity attributes including 'is_enriched', 'is_suspicious', and 'additional_properties'. - It also creates case insights and adds entity links/tables. + Updates entity attributes (is_enriched, is_suspicious, additional_properties), + creates case insights, and adds entity tables within the SOAR platform. + reasoning: >- + The action fetches threat intelligence data from the external Cybersixgill API + (fetches_data=true). It does not perform any actions that change the state of + external systems (can_mutate_external_data=false). It performs internal mutations + by updating entity attributes, creating case insights, and adding entity tables + (can_mutate_internal_data=true). categories: enrichment: true + reasoning: >- + The action is designed to retrieve supplemental context (threat intelligence) + for entities. It does not mutate external systems and only performs allowed + internal mutations (updating entities and creating insights). Therefore, it + qualifies as an enrichment action. entity_usage: entity_types: - ADDRESS + - FILEHASH + - HOSTNAME + - THREATACTOR + - DestinationURL filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -378,6 +388,10 @@ Enrich IP: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over `siemplify.target_entities` and explicitly filters + them by type (`HOSTNAME`, `FILEHASH`, `ADDRESS`, `URL`, `THREATACTOR`) before + performing enrichment queries. Enrich URL: action_product_categories: add_alert_comment: false @@ -393,6 +407,10 @@ Enrich URL: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves threat intelligence for URLs, which aligns with the 'Enrich + IOC' category. It does not perform any containment, ticketing, or alert modification + actions. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -407,32 +425,46 @@ Enrich URL: update_email: false update_identity: false update_ticket: false - ai_description: "Enriches URL entities using Cybersixgill Darkfeed threat intelligence.\ - \ This action identifies and investigates URLs shared or hosted on underground\ - \ file-sharing and paste sites, providing context on malware associations and\ - \ actor activity.\n\n### General Description\nThe action retrieves detailed threat\ - \ intelligence for URL entities from Cybersixgill. It evaluates the URL's reputation,\ - \ identifies associated threat actors, and extracts metadata such as severity,\ - \ confidence scores, and source information. The results are used to update the\ - \ entity's status within Google SecOps, create detailed insights, and provide\ - \ direct links to the Cybersixgill portal for deeper investigation.\n\n### Parameters\ - \ Description\nThere are no parameters for this action.\n\n### Additional Notes\n\ - - The action automatically marks enriched entities as 'Suspicious' if data is\ - \ found in the Cybersixgill database.\n- It extracts and maps STIX-based indicators\ - \ (like MD5/SHA hashes) found in the threat patterns to the entity's additional\ - \ properties.\n\n### Flow Description\n1. **Credential Extraction**: Retrieves\ - \ the Client ID and Client Secret from the integration configuration.\n2. **Entity\ - \ Filtering**: Identifies all URL entities within the current alert scope.\n3.\ - \ **External Query**: For each URL, it queries the Cybersixgill Enrich API to\ - \ fetch associated threat data.\n4. **Internal Data Mutation**: \n - Updates\ - \ the entity's `is_enriched` and `is_suspicious` flags.\n - Populates the entity's\ - \ `additional_properties` with Sixgill metadata (e.g., Feed Name, Actor, Severity).\n\ - 5. **Insight & Table Generation**: \n - Creates a detailed Case Insight containing\ - \ a summary of the threat intelligence.\n - Adds a Data Table to the entity\ - \ with structured fields like VirusTotal positive rates and MITRE ATT&CK mappings.\n\ - 6. **Link Association**: Adds external links to the entity that point directly\ - \ to the Cybersixgill portal and relevant external references (e.g., VirusTotal,\ - \ MITRE)." + ai_description: >- + ### General Description + + This action enriches URL entities using the Cybersixgill Darkfeed platform. It + retrieves threat intelligence, including feed information, actor details, and + associated MITRE ATT&CK tactics, to provide context for URLs identified in alerts. + The action updates the entity's profile with enriched data and suspicious status, + and generates case insights for analysts. + + + ### Parameters + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Client Id | String | Yes | The Client ID used to authenticate with the Cybersixgill + API. | + + | Client Secret | String | Yes | The Client Secret used to authenticate with the + Cybersixgill API. | + + + ### Flow Description + + 1. **Authentication**: The action extracts the `Client Id` and `Client Secret` + from the integration configuration to authenticate with the Sixgill API. + + 2. **Data Retrieval**: It queries the Sixgill Darkfeed service for intelligence + related to the provided URL entities. + + 3. **Processing**: The action parses the returned data, extracting relevant fields + such as feed name, source, actor, confidence, severity, and external references + (VirusTotal, MITRE ATT&CK). + + 4. **Entity Update**: It updates the entity's `is_enriched` and `is_suspicious` + flags and populates `additional_properties` with the retrieved intelligence. + + 5. **Reporting**: It creates a case insight containing the detailed intelligence + and adds a data table to the action results for the analyst to review. capabilities: can_create_case_comments: false can_create_insight: true @@ -443,12 +475,24 @@ Enrich URL: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity attributes (is_enriched, is_suspicious, additional_properties), - creates case insights, adds entity tables, and adds entity links. + Updates entity properties (is_enriched, is_suspicious, additional_properties) + and creates case insights within the SOAR platform. + reasoning: >- + The action fetches threat intelligence from the Sixgill API (fetches_data=true). + It does not modify external systems (can_mutate_external_data=false). It performs + internal mutations by updating entity attributes (is_enriched, is_suspicious, + additional_properties) and creating case insights (can_mutate_internal_data=true). categories: enrichment: true + reasoning: >- + The action is designed to fetch threat intelligence and enrich entities without + modifying external systems. It updates internal entity data and creates insights, + which is permitted under the enrichment criteria. entity_usage: entity_types: + - DESTINATIONDOMAIN + - DOMAIN + - SOURCEDOMAIN - DestinationURL filters_by_additional_properties: false filters_by_alert_identifier: false @@ -463,6 +507,9 @@ Enrich URL: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action explicitly filters and processes only URL entities as defined in + the EnrichUrl.py script, which passes [EntityTypes.URL] to the processing methods. Ping: action_product_categories: add_alert_comment: false @@ -478,6 +525,9 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test and does not perform any of the defined product + operations such as enrichment, containment, or ticketing. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -495,42 +545,30 @@ Ping: ai_description: >- ### General Description - The **Ping** action is a diagnostic tool designed to verify the connectivity between - the Google SecOps platform and the Cybersixgill Darkfeed Enrichment service. Its - primary purpose is to ensure that the integration is correctly configured and - that the provided API credentials (Client ID and Client Secret) are valid and - authorized to make requests. - - - ### Parameters Description + Tests connectivity to the Cybersixgill Darkfeed Enrichment service. This action + verifies that the provided API credentials are valid by performing a test query + against the Sixgill API. It does not process any entities or modify system state. - There are no user-configurable parameters for this action. It relies solely on - the integration's global configuration settings. + ### Parameters - ### Additional Notes - - - This action performs a live API call to Cybersixgill using a hardcoded test - indicator (IP: `8.8.8.8`) to confirm end-to-end communication. - - - It is recommended to run this action during the initial setup of the integration - or when troubleshooting authentication errors. + There are no parameters for this action. ### Flow Description - 1. **Configuration Extraction**: The action retrieves the `Client Id` and `Client - Secret` from the integration's configuration. + 1. **Configuration Extraction**: The action extracts the `Client Id` and `Client + Secret` from the integration configuration. - 2. **Manager Initialization**: It initializes the `SixgillEnrichManager` and the - `SixgillActionResultProcessor` using the extracted credentials. + 2. **Manager Initialization**: It initializes the `SixgillEnrichManager` using + the extracted credentials. - 3. **Connectivity Test**: The action calls the `test_connectivity` method, which - attempts to create a Cybersixgill client and perform a sample enrichment request - for the IP address `8.8.8.8`. + 3. **Connectivity Test**: The action invokes the `test_connectivity` method, which + performs a sample enrichment query (`enrich_ioc`) against the Sixgill API using + a dummy IP address (`8.8.8.8`). - 4. **Result Reporting**: Based on the success or failure of the API call, the - action returns a completion status and a descriptive message to the SOAR interface. + 4. **Result Reporting**: The action returns the connectivity status (success or + failure) and a corresponding message to the user. capabilities: can_create_case_comments: false can_create_insight: false @@ -539,10 +577,17 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: false + fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity test by calling the external API. It does + not modify external systems, update entities, or create insights. It fetches + data only for the purpose of verifying credentials. categories: enrichment: false + reasoning: >- + The action is named 'Ping' and is a connectivity test. According to the instructions, + actions named 'Ping' must not be categorized as enrichment actions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -558,3 +603,6 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with entities. It is a global connectivity test + that does not iterate over the `target_entities` list. diff --git a/content/response_integrations/third_party/community/cybersixgill_darkfeed_enrichment/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/cybersixgill_darkfeed_enrichment/resources/ai/integration_ai_description.yaml index 2e831240c..38cb308cb 100644 --- a/content/response_integrations/third_party/community/cybersixgill_darkfeed_enrichment/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/community/cybersixgill_darkfeed_enrichment/resources/ai/integration_ai_description.yaml @@ -7,6 +7,16 @@ product_categories: iam_and_identity_management: false itsm: false network_security: false + reasoning: >- + The cybersixgill_darkfeed_enrichment integration is designed to provide threat + intelligence context for various indicators of compromise (IOCs). Its primary + actions (Enrich Actor, Enrich Domain, Enrich Hash, Enrich IP, Enrich URL) all + focus on fetching external threat data (reputation, actor details, MITRE mappings) + and updating internal SOAR entities with this information. It does not perform + SIEM log analysis, EDR host containment, network security blocking, email management, + IAM operations, cloud resource management, ITSM ticketing, vulnerability scanning, + asset inventory lookups, or collaboration/notification tasks. Therefore, it is + exclusively classified under the Threat Intelligence category. siem: false threat_intelligence: true vulnerability_management: false diff --git a/content/response_integrations/third_party/community/cybersixgill_dve_enrichment/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/cybersixgill_dve_enrichment/resources/ai/actions_ai_description.yaml index 17d3b9230..51c3bb490 100644 --- a/content/response_integrations/third_party/community/cybersixgill_dve_enrichment/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/cybersixgill_dve_enrichment/resources/ai/actions_ai_description.yaml @@ -13,6 +13,10 @@ Enrich CVE: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves threat intelligence (DVE scores, exploitability) for CVE + entities, which aligns with the 'Enrich IOC' category as it provides context + for a vulnerability indicator. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -27,25 +31,39 @@ Enrich CVE: update_email: false update_identity: false update_ticket: false - ai_description: "Enriches CVE entities with Cybersixgill\u2019s Dynamic Vulnerability\ - \ Exploit (DVE) Score and associated threat intelligence. This action retrieves\ - \ deep and dark web context for vulnerabilities, including trending status, exploit\ - \ probability, and NVD metadata. The gathered intelligence is used to update entity\ - \ attributes, create detailed case insights, and generate data tables for analyst\ - \ review.\n\n### Flow Description:\n1. **Credential Extraction:** Retrieves the\ - \ Cybersixgill Client ID and Client Secret from the integration configuration.\n\ - 2. **Entity Filtering:** Identifies CVE entities within the current case scope.\n\ - 3. **External Enrichment:** Queries the Cybersixgill API for each CVE to fetch\ - \ DVE scores and vulnerability context.\n4. **Internal Data Update:** Updates\ - \ the SecOps entities with enriched properties (prefixed with 'Cybersixgill')\ - \ and marks them as enriched.\n5. **Insight & Table Generation:** Creates a case\ - \ insight summarizing the vulnerability risk and adds a detailed data table containing\ - \ CVSS scores, NVD links, and exploitability metrics.\n\n### Parameters Description:\n\ - | Parameter Name | Expected Type | Mandatory | Description |\n| :--- | :--- |\ - \ :--- | :--- |\n| None | N/A | N/A | This action does not have any specific input\ - \ parameters; it operates on the CVE entities present in the case. |\n\n### Additional\ - \ Notes:\n- This action specifically targets entities of type `CVE`.\n- The enrichment\ - \ includes both Cybersixgill proprietary scores (DVE) and standard NVD data." + ai_description: >- + Enriches CVE entities using the Cybersixgill Dynamic Vulnerability Exploit (DVE) + intelligence service. This action retrieves comprehensive vulnerability data, + including DVE scores, exploitability probabilities, and NVD details, to help analysts + prioritize remediation efforts. + + + ### Flow + + 1. The action retrieves the configured Cybersixgill `Client Id` and `Client Secret`. + + 2. It iterates through the provided `CVE` entities. + + 3. For each entity, it queries the Cybersixgill API to fetch the latest DVE intelligence. + + 4. It updates the entity's `additional_properties` with the retrieved data and + marks the entity as enriched. + + 5. It generates a case insight and an entity table containing the vulnerability + details and adds them to the SOAR case. + + + ### Parameters + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Client Id | String | Yes | The Client ID for authenticating with the Cybersixgill + API. | + + | Client Secret | String | Yes | The Client Secret for authenticating with the + Cybersixgill API. | capabilities: can_create_case_comments: false can_create_insight: true @@ -56,10 +74,17 @@ Enrich CVE: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity attributes with Cybersixgill DVE data, sets the 'is_enriched' - flag on entities, and creates case insights and entity tables. + Updates entity properties and adds insights/tables to the case. + reasoning: >- + The action fetches external threat intelligence (DVE scores) for CVE entities. + It updates the entity's internal properties and creates case insights and tables. + It does not perform any external mutations. categories: enrichment: true + reasoning: >- + The action fetches data from an external source (Cybersixgill) and performs + allowed internal mutations (updating entities, creating insights). It does not + mutate external systems. Therefore, it is classified as an enrichment action. entity_usage: entity_types: - CVE @@ -76,6 +101,9 @@ Enrich CVE: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over `siemplify.target_entities` and explicitly filters + for entities where `entity.entity_type == EntityTypes.CVE`. Ping: action_product_categories: add_alert_comment: false @@ -91,6 +119,10 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test ('Ping') used to verify authentication credentials + with the Cybersixgill API. It does not perform any enrichment, containment, + or other operational tasks defined in the product categories. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -106,41 +138,43 @@ Ping: update_identity: false update_ticket: false ai_description: >- - ### General Description + ### General description + + Tests connectivity to the Cybersixgill API. This action validates the provided + Client ID and Client Secret by attempting to retrieve an access token from the + Cybersixgill service. It returns a success or failure status based on the ability + to authenticate. - The Ping action is a diagnostic utility designed to verify the connectivity between - the Google SecOps platform and the Cybersixgill API. It ensures that the provided - credentials (Client ID and Client Secret) are valid and that the network path - to the Cybersixgill service is open. This action is typically used during the - initial setup of the integration or for troubleshooting purposes. + ### Parameters description - ### Parameters Description + | Parameter | Type | Mandatory | Description | - There are no parameters for this action. + | --- | --- | --- | --- | + | Client Id | String | Yes | The Client ID for authentication with the Cybersixgill + API. | - ### Additional Notes + | Client Secret | String | Yes | The Client Secret for authentication with the + Cybersixgill API. | - This action does not process any entities or modify any data within the SOAR or - the external Cybersixgill environment. It strictly performs an authentication - check. + ### Additional notes - ### Flow Description + None. - 1. **Configuration Extraction:** The action retrieves the 'Client Id' and 'Client - Secret' from the integration's global configuration. - 2. **Manager Initialization:** It initializes the `SixgillEnrichManager` using - the extracted credentials. + ### Flow description - 3. **Connectivity Test:** The manager attempts to authenticate with the Cybersixgill - service by requesting an access token via the `SixgillBaseClient`. + 1. Extract Client ID and Client Secret from configuration. - 4. **Result Reporting:** Based on whether the token retrieval was successful, - the action returns a completion status (Success/Failed) and a descriptive message - to the user interface. + 2. Initialize the SixgillEnrichManager. + + 3. Call test_connectivity(). + + 4. Attempt to retrieve an access token using the provided credentials. + + 5. Return success or failure status. capabilities: can_create_case_comments: false can_create_insight: false @@ -149,10 +183,18 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity test by attempting to authenticate with the + Cybersixgill API. It does not fetch contextual data, mutate external or internal + data, or interact with entities. categories: enrichment: false + reasoning: >- + The action is named 'Ping', which is explicitly excluded from being an enrichment + action. It does not fetch contextual data about entities or alerts, nor does + it mutate any systems. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -168,3 +210,6 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. It is a standalone connectivity + test. diff --git a/content/response_integrations/third_party/community/cybersixgill_dve_enrichment/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/cybersixgill_dve_enrichment/resources/ai/integration_ai_description.yaml index ac8e64b44..1dc1a76a1 100644 --- a/content/response_integrations/third_party/community/cybersixgill_dve_enrichment/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/community/cybersixgill_dve_enrichment/resources/ai/integration_ai_description.yaml @@ -7,6 +7,15 @@ product_categories: iam_and_identity_management: false itsm: false network_security: false + reasoning: >- + The integration is designed to enrich CVE entities with threat intelligence data, + specifically DVE scores and exploitability metrics from Cybersixgill. This functionality + directly aligns with the Threat Intelligence category, as it provides risk context + for vulnerability indicators. Additionally, the integration is explicitly focused + on helping analysts prioritize CVEs based on real-world exploitability, which + fits the Vulnerability Management category's goal of assessing the impact and + risk of vulnerabilities. It does not perform functions related to SIEM, EDR, Network + Security, Email Security, IAM, Cloud Security, ITSM, Asset Inventory, or Collaboration. siem: false threat_intelligence: true vulnerability_management: true diff --git a/content/response_integrations/third_party/community/cybersixgill_dve_feed/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/cybersixgill_dve_feed/resources/ai/actions_ai_description.yaml index 3aa4afb6f..1b3e66ca6 100644 --- a/content/response_integrations/third_party/community/cybersixgill_dve_feed/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/cybersixgill_dve_feed/resources/ai/actions_ai_description.yaml @@ -13,6 +13,9 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test (Ping) and does not perform any functional + operations like enrichment, containment, or ticket management. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -30,38 +33,33 @@ Ping: ai_description: >- ### General Description - The **Ping** action is a diagnostic tool used to verify the connectivity between - Google SecOps and the Cybersixgill platform. Its primary purpose is to validate - that the configured credentials (Client ID and Client Secret) are correct and - that the system can successfully authenticate with the Cybersixgill API. + Verifies connectivity to the Cybersixgill service by authenticating with the provided + credentials. This action ensures that the integration is correctly configured + and can communicate with the Cybersixgill API. ### Parameters Description - There are no input parameters for this action. It uses the global integration - configuration for authentication. + | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Flow Description + | Client Id | String | Yes | The client ID for Cybersixgill authentication. | - 1. **Credential Retrieval**: The action extracts the `Client Id` and `Client Secret` - from the integration's configuration parameters. + | Client Secret | String | Yes | The client secret for Cybersixgill authentication. + | - 2. **Client Initialization**: It initializes the Cybersixgill manager and base - client using the provided credentials. - 3. **Connectivity Test**: The action attempts to retrieve an access token from - the Cybersixgill API via the `get_access_token` method. + ### Flow Description - 4. **Status Reporting**: If the token is successfully retrieved, the action returns - a success message and a boolean `True` result. If the authentication fails or - a network error occurs, an exception is raised. + 1. Extract `Client Id` and `Client Secret` from the integration configuration. + 2. Initialize the `SixgillEnrichManager` with these credentials. - ### Additional Notes + 3. Attempt to create a `SixgillBaseClient` and retrieve an access token to validate + the connection. - This action does not interact with any entities or modify any internal or external - data. It is used exclusively for testing the integration setup. + 4. Return the connection status to the SOAR platform. capabilities: can_create_case_comments: false can_create_insight: false @@ -70,10 +68,17 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity check (Ping) to the Cybersixgill API. It + does not fetch contextual data for entities, nor does it mutate any external + or internal systems. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action. According to the guidelines, Ping actions are + explicitly excluded from being categorized as enrichment actions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -89,3 +94,5 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. diff --git a/content/response_integrations/third_party/community/cybersixgill_dve_feed/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/cybersixgill_dve_feed/resources/ai/connectors_ai_description.yaml index ee6360fb2..53ebd07bf 100644 --- a/content/response_integrations/third_party/community/cybersixgill_dve_feed/resources/ai/connectors_ai_description.yaml +++ b/content/response_integrations/third_party/community/cybersixgill_dve_feed/resources/ai/connectors_ai_description.yaml @@ -2,12 +2,11 @@ Cybersixgill - DVE Connector: ai_description: >- ### General Description - The Cybersixgill DVE Connector integrates Google SecOps with the Cybersixgill - Dynamic Vulnerability Exploit (DVE) Feed. This connector allows security teams - to ingest real-time intelligence regarding vulnerabilities (CVEs) and their likelihood - of exploitation. By leveraging Cybersixgill's unique DVE score, which is based - on threat actor intent and dark web activity, users can prioritize remediation - efforts for the most critical risks directly within the Google SecOps platform. + The Cybersixgill DVE Connector integrates with the Cybersixgill Dynamic Vulnerability + Exploit (DVE) feed to ingest vulnerability intelligence into Google SecOps. It + retrieves real-time data regarding CVEs, including DVE scores, exploitability + status, and NVD details, allowing security teams to track and prioritize vulnerabilities + based on actual threat actor intent and exploit probability. ### Parameters Description @@ -17,45 +16,38 @@ Cybersixgill - DVE Connector: | :--- | :--- | :--- | :--- | | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the - python process running the current script. | + python process running the script. | | EventClassId | String | Yes | The field name used to determine the event name - (sub-type) for the ingested data. | + (sub-type). | | DeviceProductField | String | Yes | The field name used to determine the device - product for the ingested data. | + product. | - | Client Secret | Password | Yes | The Secret Key used for authenticating with - the Cybersixgill API. | + | Client Secret | Password | Yes | The secret key for Cybersixgill API authentication. + | - | Client Id | String | Yes | The Client ID used for authenticating with the Cybersixgill - API. | + | Client Id | String | Yes | The client ID for Cybersixgill API authentication. + | - | Alerts Limit | Integer | Yes | The maximum number of vulnerability alerts to - be ingested into the platform per execution cycle. | + | Alerts Limit | Integer | Yes | The maximum number of alerts to be ingested into + the platform per run. | ### Flow Description - 1. **Authentication**: The connector establishes a connection with the Cybersixgill - API using the provided Client ID and Client Secret. + 1. The connector initializes the connection to the Cybersixgill API using the + provided Client ID and Client Secret. - 2. **Data Fetching**: It requests a bundle of vulnerability intelligence from - the Cybersixgill DVE Feed stream, limited by the 'Alerts Limit' parameter. + 2. It queries the DVE feed stream to retrieve a bundle of vulnerability records. - 3. **Filtering**: The script filters the raw response to identify valid indicator - objects (CVEs) for processing. + 3. The retrieved records are filtered to identify valid indicators. - 4. **Alert Mapping**: For each identified vulnerability, the connector creates - a Google SecOps alert. It maps the CVE ID as the alert name and sets a default - priority of Medium (60). + 4. For each indicator, the connector maps the data into a structured alert format, + including critical fields like DVE scores, CVSS metrics, and NVD publication details. - 5. **Event Enrichment**: Detailed metadata is extracted for each vulnerability, - including current and highest DVE scores, NVD CVSS scores (v2.0 and v3.1), severity - levels, and publication dates. + 5. The connector commits the processed indicators to the Cybersixgill feed to + acknowledge receipt. - 6. **Ingestion**: The mapped alerts and enriched events are returned to Google - SecOps for case creation. - - 7. **Commitment**: The connector commits the processed indicators to the Cybersixgill - client to ensure that the same data is not ingested multiple times in future runs. + 6. Finally, the aggregated alerts are ingested into Google SecOps for further + analysis and response. diff --git a/content/response_integrations/third_party/community/cybersixgill_dve_feed/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/cybersixgill_dve_feed/resources/ai/integration_ai_description.yaml index ac8e64b44..136e05a45 100644 --- a/content/response_integrations/third_party/community/cybersixgill_dve_feed/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/community/cybersixgill_dve_feed/resources/ai/integration_ai_description.yaml @@ -7,6 +7,17 @@ product_categories: iam_and_identity_management: false itsm: false network_security: false + reasoning: >- + The cybersixgill_dve_feed integration is primarily designed to ingest vulnerability + intelligence, specifically Dynamic Vulnerability Exploit (DVE) scores, CVE data, + and exploitability status. This aligns directly with the 'Threat Intelligence' + category, as it provides risk scores and context for vulnerabilities, and the + 'Vulnerability Management' category, as it enables security teams to track and + prioritize vulnerabilities based on threat actor intent and exploit probability. + It does not perform EDR, Network Security, Email Security, IAM, Cloud Security, + ITSM, Asset Inventory, or Collaboration functions. While it ingests data into + Google SecOps, it is not a SIEM integration in the context of log analysis or + IOC searching, but rather a specialized intelligence feed. siem: false threat_intelligence: true vulnerability_management: true diff --git a/content/response_integrations/third_party/community/data_dog/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/data_dog/resources/ai/actions_ai_description.yaml index a03faf1b8..599f54fe1 100644 --- a/content/response_integrations/third_party/community/data_dog/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/data_dog/resources/ai/actions_ai_description.yaml @@ -13,6 +13,10 @@ Get Beautiful Metric: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action performs statistical calculations on a provided dataset. It does + not match any of the defined product categories (Enrichment, Containment, Ticket + management, etc.) as it is a pure data processing utility. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -28,55 +32,37 @@ Get Beautiful Metric: update_identity: false update_ticket: false ai_description: >- - ### General Description - - This action analyzes DataDog metric timeseries points provided as a JSON input. - It processes a list of data points to calculate statistical summaries, including - the sum, average, minimum, and maximum values within a specified time range. This - is primarily a utility action used to interpret raw metric data fetched in previous - playbook steps. + Processes a provided timeseries metric dataset to calculate statistical summaries. + This action takes a JSON-formatted series object as input, extracts the raw metric + values, and computes the sum, average, minimum, and maximum values. The resulting + statistical analysis is returned as a JSON object for further use in the playbook. - ### Parameters Description + ### Parameters - | Parameter | Description | Type | Mandatory | Notes | + | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | :--- | + | :--- | :--- | :--- | :--- | - | **Series** | A JSON-formatted string containing the timeseries points and metadata - (e.g., `pointlist`, `start`, `end`, `unit`, `aggr`). | Code | Yes | The action - expects a specific structure containing a `pointlist` key which is a list of [timestamp, - value] pairs. | + | Series | code | Yes | The timeseries points you want to analyze, provided as + a JSON object. | ### Flow Description - 1. **Initialization**: The action extracts the DataDog integration configuration - (API Key, APP Key) and the `Series` input parameter. - - 2. **Parsing**: The `Series` parameter is parsed from a JSON string into a dictionary. + 1. The action extracts the 'Series' parameter, which is expected to be a JSON + string containing a 'pointlist' of metric values. - 3. **Validation**: The script checks for the presence of the `pointlist` key within - the input data. + 2. It parses the JSON input and validates the presence of the 'pointlist'. - 4. **Calculation**: If valid, the script iterates through the `pointlist`, extracting - raw metric values to calculate: - * **Sum**: Total of all metric values. - * **Average**: Mean of the metric values. - * **Minimum**: The lowest value in the set. - * **Maximum**: The highest value in the set. - 5. **Output**: The calculated statistics, along with original metadata (unit, - aggregation type, time range, and expression), are packaged into a JSON result - and returned to the SOAR platform. + 3. It iterates through the 'pointlist' to extract raw metric values. + 4. It calculates the sum, average, minimum, and maximum of these values. - ### Additional Notes - - * This action does not perform any external API calls to DataDog; it processes - data already provided in the `Series` parameter. + 5. It constructs a result JSON containing the calculated statistics, the unit, + aggregation type, and the original timeseries data. - * If the `Series` parameter is missing the `pointlist` key, the action will log - an error and return an empty result. + 6. The final result is added to the action output. capabilities: can_create_case_comments: false can_create_insight: false @@ -87,8 +73,18 @@ Get Beautiful Metric: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs local statistical calculations (sum, average, min, max) + on a provided JSON input parameter ('Series'). It does not perform any external + API calls, nor does it modify any internal SOAR data or entities. Although a + DataDogManager is instantiated, it is not utilized in the script logic. categories: enrichment: false + reasoning: >- + The action is a data processing utility that calculates statistics on provided + input. It does not fetch data from external sources, nor does it modify any + internal or external systems. Therefore, it does not meet the criteria for an + Enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -104,6 +100,9 @@ Get Beautiful Metric: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with the `target_entities` list or any entity-specific + logic. It operates solely on the provided 'Series' input parameter. Get Event Details: action_product_categories: add_alert_comment: false @@ -119,6 +118,10 @@ Get Event Details: enrich_ioc: false execute_command_on_the_host: false get_alert_information: true + reasoning: >- + The action fetches specific event details from DataDog. This aligns with the + 'Get Alert Information' category, as it retrieves contextual data about an event/alert + from the third-party product. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -133,26 +136,40 @@ Get Event Details: update_email: false update_identity: false update_ticket: false - ai_description: "### General Description\nThe **Get Event Details** action retrieves\ - \ comprehensive information about a specific event from DataDog using its unique\ - \ Event ID. This action is designed to provide analysts with the full context\ - \ of a DataDog event, including its metadata, tags, and message content, which\ - \ can be used for further investigation or automated decision-making within a\ - \ playbook.\n\n### Parameters Description\n| Parameter | Description | Type |\ - \ Mandatory |\n| :--- | :--- | :--- | :--- |\n| Event ID | The unique identifier\ - \ of the DataDog event you want to retrieve. | String | Yes |\n\n### Flow Description\n\ - 1. **Authentication**: The action retrieves the API Key and APP Key from the DataDog\ - \ integration configuration.\n2. **Input Extraction**: The `Event ID` provided\ - \ as an action parameter is extracted.\n3. **API Interaction**: The action initializes\ - \ the `DataDogManager` and performs a GET request to the DataDog API endpoint\ - \ `/api/v1/events/{event_id}`.\n4. **Data Processing**: The action checks if the\ - \ event details were successfully retrieved from DataDog.\n5. **Output**: \n \ - \ - If successful, the event details are added to the action's JSON result,\ - \ and a success message is returned.\n - If the event cannot be found or the\ - \ request fails, a failure message is returned.\n\n### Additional Notes\n- This\ - \ action does not operate on SecOps entities (like IPs or Hostnames); it is a\ - \ utility action that fetches data based on a specific ID provided by the user\ - \ or a previous playbook step." + ai_description: >- + ### General Description + + This action retrieves detailed information for a specific event from DataDog using + the provided Event ID. It is designed to fetch raw event data from the DataDog + platform to assist analysts in investigating specific occurrences. + + + ### Parameters + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Event ID | string | Yes | The unique identifier of the event in DataDog to be + retrieved. | + + + ### Flow Description + + 1. The action extracts the required `API Key` and `APP Key` from the integration + configuration. + + 2. It retrieves the `Event ID` from the action parameters. + + 3. The `DataDogManager` is initialized with the provided credentials. + + 4. The action calls the `get_event_details` method to fetch the event data from + DataDog. + + 5. If the event is found, the action logs a success message and attaches the event + details as a JSON result to the action output. + + 6. If the event is not found, the action logs the failure and completes. capabilities: can_create_case_comments: false can_create_insight: false @@ -163,8 +180,17 @@ Get Event Details: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the DataDog API to retrieve event details. + It does not modify any external systems, nor does it update internal SOAR entities, + insights, or case data. It simply returns the fetched data as a JSON result. categories: enrichment: false + reasoning: >- + While the action fetches data, it does not perform any of the allowed internal + mutations (updating entities, creating insights, or adding comments) required + to be classified as an Enrichment action in the SOAR context. It is a data retrieval + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -180,6 +206,9 @@ Get Event Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with or iterate over any SOAR entities. It operates + solely based on the provided Event ID parameter. Get Events: action_product_categories: add_alert_comment: false @@ -195,6 +224,11 @@ Get Events: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves a collection of historical events from Datadog based on + time and source parameters. This directly aligns with the 'Search Events' category. + It does not perform any other actions like ticketing, blocking, or identity + management. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -212,11 +246,9 @@ Get Events: ai_description: >- ### General Description - The **Get Events** action retrieves event logs from DataDog within a specified - time range. It allows analysts to filter events by source, priority, and tags, - providing visibility into system activities, monitors, and alerts directly within - the Google SecOps platform. This action is primarily used for log retrieval and - historical analysis. + This action retrieves events from Datadog within a specified time range and filter + criteria. It allows users to query Datadog for events based on sources, priority, + and tags, providing visibility into system or monitor activity. ### Parameters Description @@ -225,48 +257,38 @@ Get Events: | :--- | :--- | :--- | :--- | - | **Sources** | String | Yes | The sources to retrieve the events from. For example, - to see events from a triggered monitor, use 'alert'. | + | Sources | string | Yes | The sources to retrieve the events from (e.g., 'alert'). + | - | **Start Time** | String | Yes | The start time of the events in Unix timestamp - format (e.g., 1400000470). | + | Start Time | string | Yes | The start time of the events in Unixtime. | - | **End Time** | String | Yes | The end time of the events in Unix timestamp format - (e.g., 1610557457). | + | End Time | string | Yes | The end time of the events in Unixtime. | - | **Priority** | DDL | No | The priority of the events to retrieve. Options include - `all`, `normal`, or `low`. Default is `all`. | + | Priority | ddl | No | The priority of the events to retrieve (all, normal, low). + Default is 'all'. | - | **Tags** | String | No | A comma-separated list of tags to filter the events - by scope (e.g., 'monitor'). | + | Tags | string | No | A comma-separated list of tags that will filter the list + of monitors by scope. Default is 'monitor'. | - | **Unaggregated** | Boolean | No | If set to `True`, the action retrieves the - full list of events. If `False`, it retrieves an aggregated list. | + | Unaggregated | boolean | No | True to retrieve the full list of events; False + to retrieve an aggregated list. Default is 'true'. | ### Flow Description - 1. **Configuration Retrieval**: The action extracts the DataDog API Key and APP - Key from the integration settings. - - 2. **Parameter Extraction**: It collects the search criteria, including the time - window (Start/End Time), sources, and optional filters like priority and tags. + 1. **Initialization**: The action extracts the necessary configuration (API Key, + APP Key) and action parameters (Sources, Start Time, End Time, etc.) from the + SecOps environment. - 3. **API Interaction**: The action calls the DataDog API's events endpoint (`/api/v1/events`) - using a GET request with the specified query parameters. + 2. **Data Retrieval**: It initializes the `DataDogManager` and calls the `get_datadog_events` + method, which performs a GET request to the Datadog API (`/api/v1/events`) with + the provided filters. - 4. **Result Handling**: The retrieved event data is processed and added to the - action's JSON results. If events are found, the action completes successfully; - otherwise, it reports that no events were fetched. + 3. **Result Processing**: The retrieved events are printed to the logs and added + to the action's result JSON. - - ### Additional Notes - - - Ensure that the `Start Time` and `End Time` are provided as valid Unix timestamps - in seconds. - - - This action does not target specific entities but rather performs a global search - within the DataDog environment based on the provided parameters. + 4. **Completion**: The action concludes by logging the success or failure of the + retrieval and setting the final output message. capabilities: can_create_case_comments: false can_create_insight: false @@ -277,8 +299,16 @@ Get Events: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Datadog API to retrieve event data. + It does not perform any POST/PUT/DELETE operations on external systems, nor + does it modify any internal SOAR case data, entities, or insights. categories: enrichment: false + reasoning: >- + The action retrieves data (events) from an external system. While it fetches + data, it is a general search/retrieval action rather than an enrichment action + specifically designed to augment entity or alert context within the SOAR platform. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -294,6 +324,9 @@ Get Events: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with or filter by any entities. It operates based + on time-based and source-based parameters provided by the user. Get Logs: action_product_categories: add_alert_comment: false @@ -309,6 +342,11 @@ Get Logs: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves historical logs from Datadog based on search parameters + (namespace and time range). This directly aligns with the 'Search Events' category. + It does not perform any other actions like ticketing, blocking, or identity + management. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -326,53 +364,43 @@ Get Logs: ai_description: >- ### General Description - Retrieves Kubernetes logs from DataDog for specified namespaces within a defined - time range. This action allows analysts to query historical log data directly - from DataDog to assist in investigations involving containerized environments. + This action retrieves logs from Datadog for specified Kubernetes namespaces within + a defined time range. It allows analysts to query historical log data directly + from Datadog to support investigation and troubleshooting workflows. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Start Time | string | True | The start time from which you want to retrieve - the logs (e.g., '2020-02-02T02:02:02Z'). | - - | End Time | string | True | The end time until which you want to retrieve the - logs (e.g., '2020-02-02T02:02:02Z'). | - - | Namespace | string | True | A comma-separated list of Kubernetes namespaces - to fetch logs for (e.g., 'name_space1, name_space2'). | - + | Namespace | string | Yes | The Kubernetes namespace(s) to retrieve logs for. + Multiple namespaces can be provided as a comma-separated list. | - ### Additional Notes - - - The action uses the DataDog Logs API (`/api/v1/logs-queries/list`) via a POST - request to perform the query. + | Start Time | string | Yes | The start time for the log retrieval (e.g., 2020-02-02T02:02:02Z). + | - - Multiple namespaces can be queried in a single execution by providing them as - a comma-separated list. + | End Time | string | Yes | The end time for the log retrieval (e.g., 2020-02-02T02:02:02Z). + | ### Flow Description - 1. **Configuration Extraction**: Retrieves the API Key and APP Key from the integration - configuration. + 1. **Initialization**: The action extracts the Datadog API and APP keys from the + integration configuration and retrieves the action parameters (Namespace, Start + Time, End Time). - 2. **Parameter Parsing**: Extracts the Start Time, End Time, and Namespace list - from the action parameters. The Namespace string is split into a list of individual - namespaces. + 2. **Processing**: The action iterates through the provided list of namespaces. - 3. **Log Retrieval**: Iterates through each provided namespace and calls the DataDog - API to fetch logs matching the `kube_namespace` and the specified time window. + 3. **Data Retrieval**: For each namespace, it calls the Datadog API (`/api/v1/logs-queries/list`) + to fetch the relevant logs. - 4. **Result Aggregation**: Collects the logs for each namespace where data is - found and organizes them into a structured JSON result. + 4. **Result Aggregation**: If logs are found, they are added to a JSON result + object. If no logs are found for a namespace, an error is logged. - 5. **Finalization**: Returns the aggregated log data as a JSON result and provides - a status message indicating which namespaces were successfully queried. + 5. **Completion**: The action concludes by attaching the aggregated JSON results + to the action output and providing a summary message. capabilities: can_create_case_comments: false can_create_insight: false @@ -383,8 +411,18 @@ Get Logs: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the Datadog API to search and retrieve + logs. This is a read-only operation (fetching data). It does not modify any + external systems, nor does it update internal SOAR entities, insights, or case + data. categories: enrichment: false + reasoning: >- + The action is a search/retrieval utility. While it fetches data, it does not + enrich specific entities or alerts within the SOAR platform. It does not meet + the criteria for an Enrichment Action as it is not designed to gather supplemental + context about specific entities or alerts. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -400,6 +438,10 @@ Get Logs: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `siemplify.target_entities`. It relies entirely + on user-provided parameters (Namespace, Start Time, End Time) to perform its + query. Get Metric Snapshot Graph: action_product_categories: add_alert_comment: false @@ -414,13 +456,17 @@ Get Metric Snapshot Graph: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false - get_alert_information: true + get_alert_information: false + reasoning: >- + The action retrieves a metric snapshot graph, which is a form of telemetry data. + This aligns with the 'Search Events' category, which covers retrieving historical + logs or telemetry data. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false search_asset: false search_email: false - search_events: false + search_events: true send_email: false send_message: false submit_file: false @@ -430,31 +476,24 @@ Get Metric Snapshot Graph: update_identity: false update_ticket: false ai_description: "### General Description\nThis action retrieves a metric snapshot\ - \ graph from DataDog based on a user-provided metric query and a specific time\ - \ range. It is primarily used to provide visual context and telemetry data within\ - \ a Google SecOps case, allowing analysts to see performance or status trends\ - \ related to the investigation.\n\n### Parameters Description\n| Parameter | Description\ - \ | Type | Mandatory | Additional Notes |\n| :--- | :--- | :--- | :--- | :---\ - \ |\n| Query | The metric query for which you want to generate a snapshot graph\ - \ (e.g., `avg:aws.rds.cpuutilization{cloud_env:production}by{dbinstanceidentifier}`).\ - \ | string | Yes | Must follow DataDog's query syntax. |\n| Start Time | The start\ - \ time of the metric snapshot graph in Unix time (seconds). | string | Yes | Ensure\ - \ the timestamp is in the past relative to the End Time. |\n| End Time | The end\ - \ time of the metric snapshot graph in Unix time (seconds). | string | Yes | Defines\ - \ the conclusion of the data window. |\n\n### Additional Notes\n- This action\ - \ does not run on specific entities; it executes a global query against the DataDog\ - \ API.\n- The resulting graph is provided as a URL link added to the case and\ - \ as a raw JSON object in the action results.\n\n### Flow Description\n1. **Configuration\ - \ Extraction:** The action retrieves the DataDog API Key and APP Key from the\ - \ integration settings.\n2. **Parameter Parsing:** It extracts the `Query`, `Start\ - \ Time`, and `End Time` provided by the user.\n3. **API Interaction:** The action\ - \ calls the DataDog API's `/api/v1/graph/snapshot` endpoint with the specified\ - \ parameters.\n4. **Result Processing:** \n - If a snapshot is successfully\ - \ generated, the action extracts the `snapshot_url`.\n - It adds the URL as\ - \ a clickable link in the Google SecOps platform.\n - It attaches the full\ - \ JSON response from DataDog to the action results for further use in playbooks.\n\ - 5. **Completion:** The action concludes with a success message if the graph was\ - \ fetched or a failure message if the API returned no data." + \ graph from DataDog for a specified query and time range. It allows analysts\ + \ to visualize metric data directly within the SOAR platform by fetching a snapshot\ + \ URL and the associated JSON data from the DataDog API.\n\n### Parameters\n|\ + \ Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ + | Query | string | Yes | The metric query to generate the snapshot graph for (e.g.,\ + \ 'avg:aws.rds.cpuutilization{cloud_env:production}by{dbinstanceidentifier}').\ + \ |\n| Start Time | string | Yes | The start time of the metric snapshot graph\ + \ in Unixtime. |\n| End Time | string | Yes | The end time of the metric snapshot\ + \ graph in Unixtime. |\n\n### Flow Description\n1. **Extraction**: The action\ + \ extracts the `Query`, `Start Time`, and `End Time` parameters from the action\ + \ configuration.\n2. **Initialization**: It initializes the `DataDogManager` using\ + \ the API and Application keys configured in the integration settings.\n3. **Data\ + \ Retrieval**: It calls the `get_graph_snapshot` method of the `DataDogManager`,\ + \ which performs a GET request to the DataDog API to retrieve the snapshot graph.\n\ + 4. **Result Reporting**: \n - If the snapshot is successfully retrieved, it\ + \ adds the snapshot URL as a link to the action result.\n - It adds the raw\ + \ snapshot JSON data to the action result.\n - It ends the action with a success\ + \ message and status." capabilities: can_create_case_comments: false can_create_insight: false @@ -465,8 +504,17 @@ Get Metric Snapshot Graph: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the DataDog API to retrieve a metric snapshot + graph. It does not modify any external systems (read-only). It does not modify + internal SOAR data (entities, case wall, or alert fields); it only reports results + using standard result methods (add_link, add_result_json). categories: - enrichment: true + enrichment: false + reasoning: >- + The action does not operate on entities (it is a standalone utility action), + therefore it does not meet the criteria for an Enrichment Action, which requires + gathering context about alerts or entities. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -482,6 +530,9 @@ Get Metric Snapshot Graph: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not reference `siemplify.target_entities` or any entity-specific + logic. It operates independently of entities. Get Metric Timeseries Points: action_product_categories: add_alert_comment: false @@ -497,6 +548,10 @@ Get Metric Timeseries Points: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves historical telemetry data (timeseries points) from Datadog + based on a query, which aligns with the 'Search Events' category. It does not + perform any other actions like ticketing, blocking, or identity management. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -511,55 +566,17 @@ Get Metric Timeseries Points: update_email: false update_identity: false update_ticket: false - ai_description: >- - ### General Description - - Retrieves metric timeseries data points from DataDog based on a specific query - and time range. This action is used to fetch historical telemetry data, such as - CPU usage, memory consumption, or custom application metrics, for analysis within - a SOAR workflow. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **Query** | string | True | The DataDog metric query to execute (e.g., `avg:system.cpu.idle{host:host0}`). - | - - | **Start Time** | string | True | The start time of the timeseries points in - Unix timestamp format (seconds). | - - | **End Time** | string | True | The end time of the timeseries points in Unix - timestamp format (seconds). | - - - ### Additional Notes - - - This action does not process entities; it relies entirely on the provided query - and time parameters. - - - The results are returned as a JSON object containing the series data and status. - - - ### Flow Description - - 1. **Extract Configuration:** Retrieves the DataDog API Key and APP Key from the - integration settings. - - 2. **Extract Parameters:** Collects the `Query`, `Start Time`, and `End Time` - from the action inputs. - - 3. **API Request:** Calls the DataDog API v1 query endpoint (`/api/v1/query`) - using a GET request with the provided parameters. - - 4. **Process Response:** Validates the response status and checks if any data - series were returned. - - 5. **Output Results:** Adds the raw JSON response to the action results and provides - a success or failure message based on whether data was found. + ai_description: "This action retrieves timeseries metric points from Datadog for\ + \ a specified query and time range. \n\n### Parameters\n| Parameter | Type | Mandatory\ + \ | Description |\n| :--- | :--- | :--- | :--- |\n| End Time | string | Yes |\ + \ The end time of the timeseries points in Unixtime. |\n| Start Time | string\ + \ | Yes | The start time of the timeseries points in Unixtime. |\n| Query | string\ + \ | Yes | The metric query to retrieve timeseries points for. |\n\n### Flow\n\ + 1. Extract configuration parameters (API Key, APP Key).\n2. Extract action parameters\ + \ (Query, Start Time, End Time).\n3. Initialize the DataDogManager.\n4. Call the\ + \ `get_timeseries_point_metrics` method via the Datadog API.\n5. Add the retrieved\ + \ JSON result to the action output.\n6. End the action with a success or failure\ + \ message." capabilities: can_create_case_comments: false can_create_insight: false @@ -570,8 +587,17 @@ Get Metric Timeseries Points: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Datadog API to retrieve timeseries + metric data based on a provided query and time range. It does not modify any + external systems or internal SOAR data. It only adds the retrieved data to the + action result. categories: enrichment: false + reasoning: >- + The action fetches metric data from Datadog. While it retrieves data, it does + not operate on entities or alerts to provide context, so it is not classified + as an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -587,6 +613,9 @@ Get Metric Timeseries Points: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `siemplify.target_entities`. It operates solely + on the provided input parameters. Get Pod Metric: action_product_categories: add_alert_comment: false @@ -598,16 +627,20 @@ Get Pod Metric: disable_identity: false download_file: false enable_identity: false - enrich_asset: false + enrich_asset: true enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves performance metrics (CPU, Memory) and process lists for + a specific resource (Pod). This aligns with the 'Enrich Asset' category, as + it provides contextual metadata for a resource. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false search_asset: false search_email: false - search_events: true + search_events: false send_email: false send_message: false submit_file: false @@ -619,51 +652,53 @@ Get Pod Metric: ai_description: >- ### General Description - The **Get Pod Metric** action retrieves performance telemetry and process information - for specific Kubernetes Pods from DataDog. It is designed to provide visibility - into the resource consumption (CPU and Memory) and the active processes running - within a pod over a specified time range. This data is useful for troubleshooting - performance issues or investigating suspicious activity within a containerized - environment. + This action retrieves performance metrics and process information for specified + Kubernetes pods from Datadog. It allows analysts to gather contextual data regarding + CPU usage, memory consumption, and active processes for a given pod within a specified + time range, aiding in troubleshooting and performance analysis. - ### Parameters Description + ### Flow Description - | Parameter Name | Description | Type | Mandatory | Additional Notes | + 1. **Initialization**: The action extracts the Datadog API and App keys from the + integration configuration. - | :--- | :--- | :--- | :--- | :--- | + 2. **Parameter Extraction**: It retrieves the `Pod Name` (a comma-separated list + of pods), `Start Time`, and `End Time` from the action parameters. - | **Pod Name** | The name of the Pod(s) to query. Supports a comma-separated list - of names. | String | Yes | The code uses this as a tag filter (`pod_name:`). - | + 3. **Data Retrieval**: The action iterates through the provided list of pods. + For each pod, it performs the following operations via the Datadog API: + * Fetches CPU metrics. + * Fetches memory usage metrics. + * Retrieves a list of running processes associated with the pod. + 4. **Aggregation**: The retrieved metrics and process data are aggregated into + a structured JSON object. - | **Start Time** | The start time of the metric query in Unix timestamp format. - | String | Yes | Example: `1507040000` | + 5. **Output**: The final JSON result is added to the action execution summary, + and the action concludes with a status message indicating success or failure for + each pod. - | **End Time** | The end time of the metric query in Unix timestamp format. | - String | Yes | Example: `1610557457` | + ### Parameters Description - ### Flow Description + | Parameter | Type | Mandatory | Description | - 1. **Initialization**: Extracts the DataDog API and APP keys from the integration - configuration. + | :--- | :--- | :--- | :--- | - 2. **Parameter Extraction**: Retrieves the list of Pod names, start time, and - end time from the action parameters. - - 3. **Data Retrieval**: For each Pod name provided: - * Queries the DataDog Timeseries API for average CPU system total usage - (`kubernetes.cpu.system.total`). - * Queries the DataDog Timeseries API for average memory usage percentage - (`kubernetes.memory.usage_pct`). - * Queries the DataDog Processes API to list all processes associated with - the `pod_name` tag. - 4. **Result Aggregation**: Consolidates the CPU, Memory, and Process data into - a structured JSON object. + | Pod Name | string | Yes | A comma-separated list of pod names or namespaces + to query. | - 5. **Output**: Returns the aggregated JSON data and provides a status message - indicating which metrics were successfully retrieved. + | Start Time | string | Yes | The start time for the metric query in Unixtime + format. | + + | End Time | string | Yes | The end time for the metric query in Unixtime format. + | + + + ### Additional Notes + + This action does not interact with SOAR entities directly; it relies entirely + on the input parameters provided by the user. capabilities: can_create_case_comments: false can_create_insight: false @@ -674,8 +709,15 @@ Get Pod Metric: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs GET requests to the Datadog API to retrieve performance + metrics and process lists for specific pods. It does not modify any external + systems or internal SOAR data (entities, insights, or comments). categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches data from an external system (Datadog) without mutating any + external or internal state. This qualifies as an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -691,6 +733,9 @@ Get Pod Metric: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `siemplify.target_entities`. It uses a user-provided + parameter for the pod name, so no entity types are processed. Get RDS Metric: action_product_categories: add_alert_comment: false @@ -706,6 +751,11 @@ Get RDS Metric: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves performance metrics (CPU, memory, storage) for a database + instance. This provides contextual metadata about a resource, aligning with + the 'Enrich Asset' category. It does not perform IOC enrichment, alert updates, + or containment actions. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -721,55 +771,49 @@ Get RDS Metric: update_identity: false update_ticket: false ai_description: >- - Retrieves AWS RDS performance metrics from Datadog for specified database instances. - This action fetches CPU utilization, freeable memory, and free storage space metrics - within a defined time range. It processes a comma-separated list of database identifiers - and returns the aggregated time-series data in a structured JSON format. - - - ### Flow Description + ### General Description - 1. **Parameter Extraction:** Retrieves the Datadog API and APP keys from the integration - configuration, along with the Database Instance Identifiers, Start Time, and End - Time from the action parameters. + This action retrieves AWS RDS performance metrics (CPU, memory, and storage) for + specified database instances from Datadog. It allows analysts to query historical + performance data within a defined time range to assist in troubleshooting or monitoring + database health. - 2. **Identifier Parsing:** Splits the provided comma-separated string of database - identifiers into a list for individual processing. - 3. **Metric Retrieval:** For each database identifier, the action makes three - distinct API calls to Datadog to fetch: - * CPU Utilization (`aws.rds.cpuutilization`) - * Freeable Memory (`aws.rds.freeable_memory`) - * Free Storage Space (`aws.rds.free_storage_space`) - 4. **Data Aggregation:** Collects the successful metric responses into a results - object, distinguishing between found and not-found identifiers. + ### Parameters Description - 5. **Output Generation:** Adds the aggregated metrics to the action's JSON result - and provides a summary message to the user. + | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Parameters Description + | Database Instance Identifier | string | Yes | The identifier(s) of the database + instance(s) to retrieve metrics for. Multiple identifiers can be provided as a + comma-separated string. | - | Parameter Name | Type | Mandatory | Description | + | Start Time | string | Yes | The start time for the metric query in Unixtime + format. | - | :--- | :--- | :--- | :--- | + | End Time | string | Yes | The end time for the metric query in Unixtime format. + | - | Database Instance Identifier | string | True | A comma-separated list of AWS - RDS database instance identifiers (e.g., `db-1, db-2`) to query. | - | Start Time | string | True | The start time for the metric query in Unix timestamp - format (e.g., `1507040000`). | + ### Flow Description - | End Time | string | True | The end time for the metric query in Unix timestamp - format (e.g., `1610557457`). | + 1. **Initialization**: The action extracts the Datadog API and Application keys + from the integration configuration and retrieves the action parameters (Database + identifiers, Start Time, End Time). + 2. **Data Retrieval**: The action iterates through the provided list of database + instance identifiers. - ### Additional Notes + 3. **Metric Fetching**: For each identifier, it calls the `DataDogManager` to + fetch CPU utilization, memory usage, and free storage space metrics from Datadog + using the specified time range. - * The action requires valid Datadog API and APP keys configured at the integration - level. + 4. **Result Aggregation**: Successfully fetched metrics are aggregated into a + JSON object. - * Metrics are retrieved using the `avg` aggregator grouped by `dbinstanceidentifier`. + 5. **Output**: The action adds the aggregated JSON result to the SOAR action results + and terminates with a success status and a summary message. capabilities: can_create_case_comments: false can_create_insight: false @@ -780,8 +824,16 @@ Get RDS Metric: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs GET requests to the Datadog API to retrieve RDS metrics. + It does not modify any external systems or internal SOAR data (entities, insights, + comments). categories: enrichment: true + reasoning: >- + The action fetches data from an external source (Datadog) without mutating external + or internal systems. It qualifies as an enrichment action because it retrieves + contextual information about a resource. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -797,6 +849,9 @@ Get RDS Metric: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use `siemplify.target_entities`. It accepts a string parameter + for the database identifier, meaning it does not operate on SOAR entities. Ping: action_product_categories: add_alert_comment: false @@ -812,6 +867,10 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test (Ping) and does not perform any of the defined + product category operations such as enrichment, containment, ticketing, or alert + management. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -827,44 +886,36 @@ Ping: update_identity: false update_ticket: false ai_description: >- - ### General Description + Tests the connectivity between the SOAR platform and the DataDog service. This + action validates the provided API and Application keys by making a request to + the DataDog validation endpoint. It returns a success or failure status based + on the response. - The **Ping** action is a diagnostic tool designed to verify the connectivity between - Google SecOps and the DataDog platform. Its primary purpose is to ensure that - the provided API Key and Application Key are valid and that the network path to - the DataDog API is open. This action is typically used during the initial setup - of the integration or for troubleshooting authentication issues. + ### Parameters - ### Parameters Description - - There are no action-specific parameters for this action. It relies entirely on - the integration's global configuration (API Key and APP Key). - + | Parameter | Type | Mandatory | Description | - ### Additional Notes + | --- | --- | --- | --- | - - This action does not process any entities. + | API Key | String | Yes | The API key used to authenticate with the DataDog API. + | - - It performs a read-only validation check against the DataDog `/api/v1/validate` - endpoint. + | APP Key | String | Yes | The Application key used to authenticate with the DataDog + API. | ### Flow Description - 1. **Configuration Extraction:** The action retrieves the `API Key` and `APP Key` - from the DataDog integration settings. + 1. The action extracts the API Key and APP Key from the integration configuration. - 2. **Manager Initialization:** It initializes the `DataDogManager` using the extracted - credentials. + 2. It initializes the DataDogManager with the provided credentials. - 3. **Connectivity Test:** The action calls the `test_connectivity` method, which - sends a GET request to the DataDog validation endpoint. + 3. It calls the `test_connectivity` method, which sends a GET request to the DataDog + validation endpoint (`/api/v1/validate`). - 4. **Response Validation:** It checks the API response for a `valid: true` status. - - 5. **Final Output:** The action returns a success message if the connection is - established or a failure message if the credentials or connection are invalid. + 4. If the response indicates a valid connection, the action returns a success + message. Otherwise, it returns a failure message. capabilities: can_create_case_comments: false can_create_insight: false @@ -873,10 +924,18 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a simple connectivity check (Ping) by sending a GET request + to the DataDog API validation endpoint. It does not fetch contextual data for + entities, nor does it mutate any external or internal data. categories: enrichment: false + reasoning: >- + The action is named 'Ping', which is explicitly excluded from being an enrichment + action per the provided instructions. It does not perform any data retrieval + or modification tasks. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -892,3 +951,6 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities; it is a global connectivity + test. diff --git a/content/response_integrations/third_party/community/data_dog/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/data_dog/resources/ai/connectors_ai_description.yaml index f28653057..9c608995d 100644 --- a/content/response_integrations/third_party/community/data_dog/resources/ai/connectors_ai_description.yaml +++ b/content/response_integrations/third_party/community/data_dog/resources/ai/connectors_ai_description.yaml @@ -1,40 +1,73 @@ DataDog Connector: - ai_description: "### General Description\nThe DataDog Connector enables the ingestion\ - \ of events and alerts from DataDog into Google SecOps. It specifically monitors\ - \ for triggered alerts from DataDog monitors, focusing on 'error' and 'warning'\ - \ states. The connector transforms these events into structured alerts, providing\ - \ security teams with visibility into infrastructure and application issues detected\ - \ by DataDog.\n\n### Parameters Description\n| Parameter | Type | Mandatory |\ - \ Description |\n| :--- | :--- | :--- | :--- |\n| API Key | Password | Yes | The\ - \ API Key used to authenticate with the DataDog API. |\n| APP Key | Password |\ - \ Yes | The Application Key used to authenticate with the DataDog API. |\n| Base\ - \ URL | String | Yes | The base URL for the DataDog API (e.g., `https://api.datadoghq.com`).\ - \ |\n| DeviceProductField | String | Yes | The field name used to determine the\ - \ device product in the SOAR platform. |\n| EventClassId | String | Yes | The\ - \ field name used to determine the event name or sub-type. |\n| Max Days Back\ - \ | Integer | Yes | The number of days to look back for events during the initial\ - \ run. |\n| Priority | String | No | Filter events by priority. Options include\ - \ 'low', 'normal', or 'all'. |\n| PythonProcessTimeout | String | Yes | The timeout\ - \ limit (in seconds) for the python process running the script. |\n| Sources |\ - \ String | Yes | The sources to retrieve events from (e.g., 'alert' for monitor\ - \ triggers). |\n| Tags | String | No | A comma-separated list of tags to filter\ - \ the list of monitors by scope (e.g., 'monitor'). |\n| Unaggregated | Boolean\ - \ | No | If true, retrieves the full list of events; if false, retrieves an aggregated\ - \ list. |\n\n### Flow Description\n1. **Authentication**: The connector initializes\ - \ a session with DataDog using the provided API Key and Application Key.\n2. **Timestamp\ - \ Tracking**: It retrieves the last saved timestamp to ensure only new events\ - \ are processed. On the first run, it uses the 'Max Days Back' parameter.\n3.\ - \ **Event Fetching**: Queries the DataDog Events API for events within the time\ - \ range, filtered by the configured sources, tags, and priority.\n4. **Alert Filtering**:\ - \ The connector iterates through the results, specifically selecting events with\ - \ an `alert_type` of 'error' or 'warning'.\n5. **Child Event Processing**: If\ - \ a parent event contains 'children' events, the connector treats each child as\ - \ an individual alert to ensure granular visibility.\n6. **Detail Enrichment**:\ - \ For each identified event, the connector fetches full details (including the\ - \ payload) to extract metrics, monitor names, and snapshot URLs.\n7. **Mapping\ - \ and Normalization**: \n * Extracts tags into key-value pairs.\n * \ - \ Determines the `device_product` based on the metric name (e.g., identifying\ - \ AWS services).\n * Maps DataDog alert types to SOAR priority levels (Error:\ - \ 100, Warning: 80).\n8. **Ingestion**: The processed events are converted into\ - \ `AlertInfo` objects and ingested into Google SecOps as cases. The latest event\ - \ timestamp is then saved for the next iteration." + ai_description: >- + ### General Description + + The DataDog Connector is designed to ingest events from DataDog into Google SecOps. + It allows security teams to monitor DataDog-generated incidents, such as monitor + triggers, by fetching event data based on configurable filters like tags, priority, + and source types. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | API Key | Password | Yes | The API Key used to authenticate with the DataDog + API. | + + | APP Key | Password | Yes | The Application Key used to authenticate with the + DataDog API. | + + | Base URL | String | Yes | The base URL for the DataDog API (default: https://api.datadoghq.com). + | + + | DeviceProductField | String | Yes | The field name used to determine the device + product. | + + | EventClassId | String | Yes | The field name used to determine the event name + (sub-type). | + + | Max Days Back | Integer | Yes | The maximum number of days to look back when + fetching events. | + + | Priority | String | No | The priority of events to retrieve (e.g., 'low', 'normal', + 'all'). | + + | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the + Python process. | + + | Sources | String | Yes | The sources to retrieve events from (e.g., 'alert'). + | + + | Tags | String | No | A comma-separated list of tags to filter the list of monitors. + | + + | Unaggregated | Boolean | No | If true, retrieves the full list of events; if + false, retrieves an aggregated list. | + + + ### Flow Description + + 1. **Initialization**: Connects to the DataDog API using the provided API and + Application keys. + + 2. **Time Range Calculation**: Determines the time range for fetching events based + on the last successful run's timestamp or the configured `Max Days Back`. + + 3. **Event Retrieval**: Queries the DataDog API (`/api/v1/events`) for events + matching the specified sources, tags, priority, and aggregation settings. + + 4. **Filtering**: Iterates through the retrieved events, filtering for those with + "error" or "warning" alert types. + + 5. **Data Processing**: For each relevant event, fetches full details, maps the + data (including tags, metrics, and URLs) into a standardized `AlertInfo` format, + and identifies child events if present. + + 6. **Ingestion**: Creates and ingests the processed alerts into the Google SecOps + platform. + + 7. **State Management**: Updates the last saved timestamp to ensure subsequent + runs only fetch new events. diff --git a/content/response_integrations/third_party/community/data_dog/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/data_dog/resources/ai/integration_ai_description.yaml index a888df70b..707e5ec4c 100644 --- a/content/response_integrations/third_party/community/data_dog/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/community/data_dog/resources/ai/integration_ai_description.yaml @@ -1,5 +1,5 @@ product_categories: - asset_inventory: false + asset_inventory: true cloud_security: true collaboration: false edr: false @@ -7,6 +7,17 @@ product_categories: iam_and_identity_management: false itsm: false network_security: false + reasoning: >- + The Datadog integration is primarily a monitoring and observability platform that + provides Cloud SIEM capabilities. The connector ingests alerts and events into + the SOAR platform, which is a core SIEM function. Several actions (Get Events, + Get Logs, Get Event Details) allow for searching and investigating historical + activity, further supporting the SIEM classification. Additionally, the integration + provides visibility into cloud-native resources (Kubernetes pods, AWS RDS) through + actions like 'Get Pod Metric' and 'Get RDS Metric', which aligns with Cloud Security + and Asset Inventory categories by providing performance and health context for + these assets. It does not perform EDR, Network Security, Threat Intelligence, + Email Security, IAM, ITSM, or Collaboration functions. siem: true threat_intelligence: false vulnerability_management: false diff --git a/content/response_integrations/third_party/community/docker_hub/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/docker_hub/resources/ai/actions_ai_description.yaml index 698093faf..4f9d7f727 100644 --- a/content/response_integrations/third_party/community/docker_hub/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/docker_hub/resources/ai/actions_ai_description.yaml @@ -13,6 +13,9 @@ Invite User: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action invites a user to a team in Docker Hub. This does not match any of + the provided categories (Enrichment, Containment, Ticketing, etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -25,53 +28,37 @@ Invite User: uncontain_host: false update_alert: false update_email: false - update_identity: true + update_identity: false update_ticket: false ai_description: >- - ### General Description - - Invites a user to a specific team within a Docker Hub organization using their - email address. This action facilitates access management by programmatically sending - membership invitations to external users, allowing them to join collaborative - environments in Docker Hub. - + Invites a user to a specific team in a given organization in Docker Hub. This + action automates the process of adding a user to a team by sending an invitation + request to the Docker Hub API. - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + ### Flow - | Organization | String | Yes | The name of the Docker Hub organization where - the invitation will be sent. | + 1. Retrieves configuration (credentials) and parameters (Organization, Team, Email). - | Team | String | Yes | The specific team within the organization that the user - is being invited to join. | + 2. Initializes the Docker Hub client with the provided credentials. - | Email | String | Yes | The email address of the user who will receive the invitation. - | + 3. Sends an invitation request to the specified organization and team using the + provided email address. + 4. Logs the outcome and ends the action. - ### Additional Notes - This action does not run on SOAR entities; it relies entirely on the provided - input parameters. It requires valid Docker Hub administrator or owner credentials - to perform the invitation. + ### Parameters + | Parameter | Type | Mandatory | Description | - ### Flow Description - - 1. **Authentication**: The action authenticates with Docker Hub using the provided - username and password to obtain a JWT token. + | --- | --- | --- | --- | - 2. **Parameter Retrieval**: It extracts the target Organization, Team, and Email - from the action parameters. + | Team | string | Yes | The name of the team within the organization. | - 3. **Invitation Request**: It sends a POST request to the Docker Hub API endpoint - (`/orgs/{org}/groups/{team}/members/`) with the user's email. + | Organization | string | Yes | The name of the organization. | - 4. **Completion**: The action returns a success message if the invitation is successfully - dispatched or an error message if the request fails. + | Email | string | Yes | The email address of the user to invite. | capabilities: can_create_case_comments: false can_create_insight: false @@ -80,12 +67,19 @@ Invite User: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Sends a membership invitation to a user in Docker Hub, which creates a pending - invitation record within the specified organization and team. + Invites a user to a Docker Hub team by sending a POST request to the Docker + Hub API. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the Docker Hub API to invite a user to + a team. This is an external mutation. It does not fetch data, update entities, + or create insights. categories: enrichment: false + reasoning: >- + The action performs an external mutation (inviting a user) and does not fetch + data for enrichment. Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -101,6 +95,9 @@ Invite User: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `target_entities`. It uses parameters provided + in the action settings. Ping: action_product_categories: add_alert_comment: false @@ -116,6 +113,9 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test (Ping) and does not perform any of the defined + product category operations (e.g., enrichment, blocking, ticketing). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -133,47 +133,37 @@ Ping: ai_description: >- ### General Description - The **Ping** action is designed to verify the connectivity between Google SecOps - and the Docker Hub API. It ensures that the provided credentials (Username and - Password) are valid and that the network path to the Docker Hub service is open. - This is a standard health check action used to validate integration settings. + Verifies connectivity to the Docker Hub API by authenticating with the provided + credentials and performing a catalog request. This action is used to ensure that + the integration is correctly configured and that the service is reachable from + the SOAR platform. ### Parameters Description - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | None | N/A | N/A | This action does not take any input parameters; it uses the - integration's configuration settings (Username and Password). | + There are no input parameters for this action. The action utilizes the integration-level + configuration (Username and Password) to authenticate and test the connection. ### Additional Notes - * **Note on Metadata**: While the provided metadata description mentions inviting - a user, the actual implementation logic and action name are strictly for connectivity - testing (Ping). - - * **Authentication**: The action uses the Username and Password defined in the - integration configuration to generate a JWT token for the session. + This action is a connectivity test (Ping) and does not perform any data enrichment + or state changes. It is intended for diagnostic purposes to validate the integration + setup. ### Flow Description - 1. **Configuration Retrieval**: The action fetches the `Username` and `Password` - from the Docker Hub integration settings. + 1. Initialize the `SiemplifyAction` and retrieve the integration configuration + (Username and Password). - 2. **Client Initialization**: A `DockerHub` manager instance is created using - the retrieved credentials, which involves an authentication step to obtain a JWT - token. + 2. Instantiate the `DockerHub` client with the provided credentials. - 3. **Connectivity Test**: The action calls the `test_connectivity` method, which - sends a GET request to the Docker Hub `_catalog` endpoint. + 3. Execute the `test_connectivity` method, which performs a GET request to the + Docker Hub `_catalog` endpoint. - 4. **Result Handling**: If the request is successful, the action completes with - a success status. If an HTTP error occurs (other than a 404), the action fails, - indicating a configuration or connectivity issue. + 4. If the request is successful, the action completes successfully. If an authentication + or connection error occurs, the action fails. capabilities: can_create_case_comments: false can_create_insight: false @@ -184,8 +174,15 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Docker Hub API to verify connectivity. + It does not modify external systems, update internal entities, or create insights. + It is a standard connectivity test. categories: enrichment: false + reasoning: >- + The action is named 'Ping' and performs a connectivity test. Per the instructions, + 'Ping' actions must not be categorized as enrichment actions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -201,3 +198,6 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities; it performs a global connectivity + check. diff --git a/content/response_integrations/third_party/community/docker_hub/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/docker_hub/resources/ai/integration_ai_description.yaml index 6c27508d3..ebc015a5a 100644 --- a/content/response_integrations/third_party/community/docker_hub/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/community/docker_hub/resources/ai/integration_ai_description.yaml @@ -4,9 +4,19 @@ product_categories: collaboration: false edr: false email_security: false - iam_and_identity_management: true + iam_and_identity_management: false itsm: false network_security: false + reasoning: >- + The Docker Hub integration provides administrative capabilities, specifically + the ability to invite users to teams and perform connectivity tests. It does not + perform security-focused operations such as log analysis (SIEM), host investigation + (EDR), network traffic blocking (Network Security), threat intelligence enrichment, + email security management, security-focused identity remediation (e.g., suspending + accounts or resetting passwords), cloud infrastructure security monitoring, ticketing + (ITSM), vulnerability management, asset inventory tracking, or collaboration/notification. + As the actions are purely administrative and do not address the security-specific + outcomes defined for these categories, none of the categories are applicable. siem: false threat_intelligence: false vulnerability_management: false diff --git a/content/response_integrations/third_party/community/duo/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/duo/resources/ai/actions_ai_description.yaml index 59200ddcf..72d13c93c 100644 --- a/content/response_integrations/third_party/community/duo/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/duo/resources/ai/actions_ai_description.yaml @@ -13,6 +13,10 @@ Get Authentication Logs for User: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves authentication logs and user metadata, which provides context + for a user (Enrich Asset). It also retrieves historical logs matching specific + criteria (Search Events). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -30,63 +34,59 @@ Get Authentication Logs for User: ai_description: >- ### General Description - The **Get Authentication Logs for User** action retrieves detailed user profile - information and historical authentication logs from DUO MFA for a specific username. - It is designed to provide security analysts with visibility into a user's authentication - behavior, identifying common source IPs, devices, and authentication factors used - over a configurable period. The action also calculates frequency counts for various - authentication attributes and filters them against a threshold to help distinguish - between routine and anomalous access patterns. + This action retrieves authentication logs and user data from DUO MFA for a specified + user. It aggregates authentication sources (such as IP addresses, operating systems, + and applications) and filters them based on a provided success threshold to help + identify known-good authentication patterns. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Configuration Extraction**: The action retrieves the DUO API hostname, Admin + Secret Key, and Admin Integration Key from the integration configuration. - | :--- | :--- | :--- | :--- | + 2. **Parameter Extraction**: It extracts the `Username`, `Number Days Back`, and + `Authentication Threshold` from the action parameters. - | Username | String | No | The DUO username to query. Note: While marked as non-mandatory - in configuration, the action requires this value to successfully identify a user - and retrieve logs. | + 3. **Authentication**: It initializes the DUO Admin API client using the extracted + credentials. - | Number Days Back | String | Yes | The number of days prior to the current time - to include in the log search (e.g., '1' for the last 24 hours). | + 4. **User Retrieval**: It queries the DUO API to find the `user_id` associated + with the provided `Username`. - | Authentication Threshold | String | Yes | The minimum number of successful authentications - required for a specific source (IP, OS, Device, etc.) to be included in the filtered - 'known' summary results. | + 5. **Log Retrieval**: It fetches authentication logs for the identified user within + the specified timeframe (calculated from `Number Days Back`). + 6. **Data Aggregation**: It iterates through the logs, counting occurrences of + various authentication attributes (IP, state, OS, application, device, factor). + + 7. **Filtering**: It filters the aggregated counts, removing any sources that + do not meet the `Authentication Threshold`. + + 8. **Result Output**: It compiles the user data, raw logs, and aggregated statistics + into a JSON object and adds it to the action results. - ### Flow Description - 1. **Authentication**: Initializes a connection to the DUO Admin API using the - provided API Hostname, Integration Key, and Secret Key. + ### Parameters Description - 2. **User Lookup**: Performs a lookup to retrieve the internal DUO `user_id` associated - with the provided `Username` parameter. + | Parameter | Type | Mandatory | Description | - 3. **Log Retrieval**: Queries the DUO authentication logs for the identified user, - spanning from the calculated 'Days Back' timestamp to the current time. + | :--- | :--- | :--- | :--- | - 4. **Data Aggregation**: Processes the retrieved logs to count occurrences of - successful authentication attempts by IP address, geographic state, operating - system, application, endpoint key, authentication device, and factor. + | Authentication Threshold | string | Yes | Number of successful authentications + required to consider an authentication source as a known safe entity. | - 5. **Threshold Filtering**: Evaluates the aggregated counts against the `Authentication - Threshold`. Attributes that do not meet the minimum count are removed from the - summary dictionaries to highlight frequent/trusted sources. + | Number Days Back | string | Yes | Number of days back to obtain authentication + logs from. | - 6. **Result Output**: Returns a comprehensive JSON object containing the raw user - metadata, the full authentication log history, and the filtered frequency summaries. + | Username | string | No | The username to retrieve logs for. | ### Additional Notes - - This action does not automatically iterate over entities in the SecOps case; - it operates strictly on the provided `Username` parameter. - - - The script includes built-in retry logic (60-second wait) to handle potential - DUO API rate-limiting errors. + If the `Username` is not provided, the action will fail to retrieve user-specific + logs. The action relies on the DUO Admin API and may implement a retry mechanism + (sleep) if rate limiting is encountered. capabilities: can_create_case_comments: false can_create_insight: false @@ -97,8 +97,17 @@ Get Authentication Logs for User: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the DUO Admin API to fetch authentication + logs and user data. It does not modify any external systems (no POST/PUT/DELETE). + It does not modify internal SOAR data (entities, insights, or case comments), + it only returns a result JSON. categories: enrichment: true + reasoning: >- + The action fetches data (logs) from an external source (DUO) and does not mutate + any external or internal systems. It qualifies as an enrichment action as it + provides context about a user's authentication history. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -114,6 +123,9 @@ Get Authentication Logs for User: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action uses a 'Username' parameter provided by the user to query the DUO + API. It does not iterate over or process 'siemplify.target_entities'. Get Trust Monitor Events: action_product_categories: add_alert_comment: false @@ -129,6 +141,10 @@ Get Trust Monitor Events: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves historical logs (Trust Monitor events) from an external + service. This aligns with the 'Search Events' category. It does not perform + enrichment, ticketing, or containment. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -144,50 +160,12 @@ Get Trust Monitor Events: update_identity: false update_ticket: false ai_description: >- - ### General Description - - The **Get Trust Monitor Events** action retrieves Trust Monitor events from DUO - Security for a specified historical period. This action is designed to pull security - telemetry related to trust assessments, providing visibility into DUO's trust - monitoring logs for auditing or investigation purposes. - - - ### Parameters Description - - - | Parameter Name | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Number Days Back | String | Yes | The number of days in the past from the current - time to retrieve events from. The value is converted to an integer and used to - calculate the start timestamp. | - - - ### Flow Description - - 1. **Credential Retrieval:** The action extracts the DUO API Hostname, Admin Secret - Key, and Admin Integration Key from the integration configuration. - - 2. **Time Calculation:** It takes the 'Number Days Back' input and calculates - a millisecond-based timestamp range starting from X days ago up to the current - time. - - 3. **API Authentication:** It initializes the DUO Admin API client using the provided - credentials. - - 4. **Data Retrieval:** The action calls the DUO SDK method `get_trust_monitor_events_by_offset` - using the calculated time range to fetch the events. - - 5. **Output Generation:** The retrieved events are packaged into a JSON result - and returned to the Google SecOps platform. - - - ### Additional Notes - - This action does not process or filter specific entities (like Users or IPs) from - the case; it performs a global search for events within the DUO environment based - solely on the time parameter. + Retrieves DUO Trust Monitor events from the DUO Admin API for a specified lookback + period. The action extracts configuration parameters (API Hostname, Admin Secret + Key, Admin Integration Key) and the 'Number Days Back' parameter to calculate + the time range. It then queries the DUO Admin API using the 'get_trust_monitor_events_by_offset' + method and returns the events as a JSON result. Parameters: 'Number Days Back' + (String, Mandatory) - The number of days to look back for events. capabilities: can_create_case_comments: false can_create_insight: false @@ -198,8 +176,15 @@ Get Trust Monitor Events: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the DUO Admin API to retrieve logs/events. + It does not modify any external or internal systems. categories: enrichment: false + reasoning: >- + While the action fetches data, it does not enrich specific entities or alerts. + It retrieves a list of events, which classifies it as a search/retrieval action + rather than an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -215,6 +200,9 @@ Get Trust Monitor Events: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with siemplify.target_entities. It operates independently + of any specific entity. Get Users by Name: action_product_categories: add_alert_comment: false @@ -230,10 +218,14 @@ Get Users by Name: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action fetches contextual metadata (user information) from the DUO platform, + which aligns with the 'Enrich Asset' category. It does not perform any other + actions like blocking, ticketing, or alert modification. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false - search_asset: true + search_asset: false search_email: false search_events: false send_email: false @@ -245,46 +237,40 @@ Get Users by Name: update_identity: false update_ticket: false ai_description: >- - ### General Description - - Retrieves detailed user information from DUO MFA using a specific username. This - action is designed to query the DUO Admin API to obtain the `user_id`, authentication - status, and device data associated with a specific identity. It is primarily used - for identity verification and gathering context during security investigations. + Queries the DUO Admin API to retrieve user information for a specified username. + This action fetches authentication and device data associated with the user from + the DUO platform and returns it as a JSON result. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. Extract configuration parameters (API Hostname, Admin Secret Key, Admin Integration + Key) from the integration settings. - | :--- | :--- | :--- | :--- | + 2. Extract the `Username` parameter provided by the user. - | Username | String | Yes | The specific username to query within the DUO Admin - API. | + 3. Initialize the DUO Admin API client using the extracted credentials. + 4. Call the `get_users_by_name` method to fetch user data from the DUO platform. - ### Flow Description + 5. Format the retrieved user data into a JSON structure and add it to the action + result using `add_result_json`. - 1. **Authentication**: Initializes the DUO Admin API client using the configured - API Hostname, Admin Secret Key, and Admin Integration Key. - 2. **Parameter Extraction**: Retrieves the target `Username` from the action input - parameters. + ### Parameters Description - 3. **API Request**: Executes a call to the DUO `get_users_by_name` endpoint using - the DUO Python SDK. + | Parameter | Type | Mandatory | Description | - 4. **Data Processing**: Iterates through the returned user data to identify the - unique `user_id` and aggregates the full response. + | :--- | :--- | :--- | :--- | - 5. **Output**: Returns a structured JSON object containing the username, user - ID, and the complete user data retrieved from DUO. + | Username | string | Yes | The username to query in the DUO platform. | ### Additional Notes - This action does not process entities from the SecOps case automatically. It operates - strictly on the `Username` provided as a manual or playbook-driven parameter. + This action requires valid DUO Admin API credentials (API Hostname, Admin Secret + Key, and Admin Integration Key) to be configured in the integration settings for + successful execution. capabilities: can_create_case_comments: false can_create_insight: false @@ -295,8 +281,16 @@ Get Users by Name: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches user data from the DUO API (fetches_data=true). It does not + mutate external data, update entities, create insights, or modify internal SOAR + data. categories: enrichment: false + reasoning: >- + The action fetches data from an external system (DUO) but does not update any + entities or create insights within the SOAR platform. Therefore, it does not + meet the criteria for an Enrichment Action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -312,6 +306,9 @@ Get Users by Name: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `target_entities` or use entity-specific identifiers. + It takes a `Username` parameter directly. Ping: action_product_categories: add_alert_comment: false @@ -327,6 +324,9 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test (Ping) and does not perform any of the defined + operational tasks such as enrichment, ticketing, or containment. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -342,41 +342,16 @@ Ping: update_identity: false update_ticket: false ai_description: >- - ### General Description - - The **Ping** action is a diagnostic tool used to verify the connectivity and authentication - configuration between Google SecOps and the DUO Auth API. It ensures that the - integration's credentials (API Hostname, Integration Key, and Secret Key) are - valid and that the system can successfully generate the required request signatures - to communicate with DUO. - - - ### Parameters Description - - There are no action-specific parameters for this action. It utilizes the global - configuration parameters defined at the integration level. - - - ### Flow Description - - 1. **Configuration Extraction**: The action retrieves the `API Hostname`, `Auth - Secret Key`, and `Auth Integration Key` from the DUO integration settings. - - 2. **Client Initialization**: It initializes the DUO Python SDK's Auth client - using the extracted credentials. - - 3. **Validation Call**: The action executes a call to the DUO `/check` endpoint, - which is specifically designed to validate credentials and signature generation. - - 4. **Execution Completion**: If the call is successful, the action completes with - a success status. If an exception is raised (e.g., due to network issues or invalid - keys), it catches the error and returns a failure status with the error details. - - - ### Additional Notes - - This action does not interact with or process any entities. It is strictly intended - for health checks and troubleshooting during the integration setup. + This action verifies the connectivity and validity of the DUO Auth API credentials + by performing a connectivity check against the DUO service. Parameters: API Hostname + (String, Mandatory) - The hostname for the DUO API. Auth Secret Key (String, Mandatory) + - The secret key for the DUO Auth API. Auth Integration Key (String, Mandatory) + - The integration key for the DUO Auth API. Flow: 1. Extract the required configuration + parameters (API Hostname, Auth Secret Key, Auth Integration Key) from the integration + settings. 2. Initialize the DUO Auth client using the provided credentials. 3. + Execute the check() method to validate the connection to the DUO API. 4. Return + a success message if the connection is verified, or a failure message if an exception + occurs during the process. capabilities: can_create_case_comments: false can_create_insight: false @@ -385,10 +360,17 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity test (Ping) to verify API credentials. It + does not fetch contextual data for entities or alerts, nor does it mutate any + external or internal data. categories: enrichment: false + reasoning: >- + The action is a Ping action designed to verify connectivity. According to the + guidelines, Ping actions must not be categorized as enrichment actions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -404,3 +386,6 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. It is a global connectivity + test. diff --git a/content/response_integrations/third_party/community/duo/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/duo/resources/ai/connectors_ai_description.yaml index 2c217901f..e64505864 100644 --- a/content/response_integrations/third_party/community/duo/resources/ai/connectors_ai_description.yaml +++ b/content/response_integrations/third_party/community/duo/resources/ai/connectors_ai_description.yaml @@ -2,64 +2,53 @@ DUO - Trust Monitor Connector: ai_description: >- ### General Description - - The **DUO - Trust Monitor Connector** integrates with the Cisco Duo Admin API - to ingest security events identified by Duo Trust Monitor. Trust Monitor uses - machine learning to detect anomalous authentication behavior and potential security - risks within your Duo environment. This connector fetches these events and transforms - them into cases within Google SecOps for centralized monitoring and incident response. + The DUO - Trust Monitor Connector integrates with the Duo Security Admin API to + monitor and ingest Trust Monitor events. It retrieves security events from the + specified timeframe, maps them into structured cases, and ingests them into Google + SecOps for further investigation and response. ### Parameters Description - | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the - Python process running the script. Default is 30. | + python process running the script. | | EventClassId | String | Yes | The field name used to determine the event name - (sub-type). Default is 'event_name'. | + (sub-type). | | DeviceProductField | String | Yes | The field name used to determine the device - product. Default is 'device_product'. | + product. | | Days Back | Integer | Yes | The maximum number of days back to retrieve data from. | - | API Hostname | String | Yes | The API hostname for your Duo tenant (e.g., api-XXXXXXXX.duosecurity.com). + | API Hostname | String | Yes | API hostname for your tenant (e.g., api-XXXXXXXX.duosecurity.com). | - | Admin Secret Key | Password | Yes | The Duo Admin API Secret Key used for authentication. - | + | Admin Secret Key | Password | Yes | DUO Admin API Secret Key. | - | Admin Integration Key | Password | Yes | The Duo Admin API Integration Key used - for authentication. | + | Admin Integration Key | Password | Yes | DUO Admin API Integration Key. | ### Flow Description + 1. The connector initializes the connection to the Duo Security Admin API using + the provided API Hostname, Integration Key, and Secret Key. - 1. **Authentication**: The connector establishes a connection to the Duo Admin - API using the provided API Hostname, Integration Key, and Secret Key. - - 2. **Time Window Calculation**: It determines the ingestion time window by calculating - the difference between the current time and the number of days specified in the - 'Days Back' parameter. + 2. It calculates the time range based on the configured 'Days Back' parameter. - 3. **Data Retrieval**: The connector calls the Duo `get_trust_monitor_events_by_offset` - endpoint to retrieve all security events that occurred within the calculated time - window. + 3. It queries the Duo Trust Monitor API to fetch events that occurred within the + specified timeframe. - 4. **Event Flattening**: For each retrieved event, the connector flattens the - nested JSON structure into a key-value format suitable for Google SecOps ingestion. + 4. For each retrieved event, the connector flattens the nested event data into + a structured format. - 5. **Case Mapping**: Each Trust Monitor event is mapped to a Google SecOps Case. - The connector uses the Duo transaction ID (`txid`) as the unique identifier and - sets a default priority of Medium (60). + 5. It maps the event details (such as user, timestamp, and event type) into a + Google SecOps CaseInfo object. - 6. **Ingestion**: The mapped cases, containing detailed event data such as the - surfaced authentication details and user information, are returned to the Google - SecOps platform. + 6. Finally, it packages the created alerts and returns them to the SOAR platform + for ingestion. diff --git a/content/response_integrations/third_party/community/duo/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/duo/resources/ai/integration_ai_description.yaml index 5bf4348e8..0d07406e5 100644 --- a/content/response_integrations/third_party/community/duo/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/community/duo/resources/ai/integration_ai_description.yaml @@ -1,5 +1,5 @@ product_categories: - asset_inventory: true + asset_inventory: false cloud_security: false collaboration: false edr: false @@ -7,6 +7,17 @@ product_categories: iam_and_identity_management: true itsm: false network_security: false + reasoning: >- + The Duo integration is primarily an Identity and Access Management (IAM) solution, + as it provides visibility into user authentication logs, user metadata, and MFA + events, which are essential for investigating suspicious user behavior. Additionally, + it qualifies as a SIEM integration because the 'DUO - Trust Monitor Connector' + ingests security events into Google SecOps, and the available actions allow analysts + to search for and retrieve authentication activity related to users, aligning + with the SIEM capability of finding activity related to users across logs. It + does not meet the criteria for EDR, Network Security, Cloud Security, or other + categories as it does not manage endpoints, network traffic, or cloud infrastructure + resources. siem: true threat_intelligence: false vulnerability_management: false diff --git a/content/response_integrations/third_party/community/eclectic_iq/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/eclectic_iq/resources/ai/actions_ai_description.yaml index a167fffd2..09fb3e228 100644 --- a/content/response_integrations/third_party/community/eclectic_iq/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/eclectic_iq/resources/ai/actions_ai_description.yaml @@ -9,10 +9,14 @@ Enrich Entities: disable_identity: false download_file: false enable_identity: false - enrich_asset: false + enrich_asset: true enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action fetches reputation and threat intelligence for indicators (Enrich + IOC) and contextual metadata for assets (Enrich Asset). It does not perform + containment or ticket management. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -28,53 +32,47 @@ Enrich Entities: update_identity: false update_ticket: false ai_description: >- - ### General Description + Enriches entities using the EclecticIQ platform. This action retrieves threat + intelligence, entity details, and platform links for the provided entities, updates + the entities with this information, and adds entity links and tables to the SOAR + case. - Enriches entities within Google SecOps by retrieving threat intelligence data - from the EclecticIQ platform. This action queries EclecticIQ for observables matching - the entity identifiers and fetches associated entity metadata, such as confidence - levels, maliciousness, tags, and source information. The retrieved data is used - to update entity attributes, provide direct platform links, and populate data - tables for analyst review. + ### Flow Description - ### Parameters Description + 1. Initialize `EclecticIQManager` with configuration. - There are no parameters for this action. + 2. Fetch observables and entity information from EclecticIQ for the provided target + entities. + 3. Parse the retrieved data into enrichment details, links, and tables. - ### Additional Notes + 4. Update the entities in the SOAR platform with the enriched data. - - The action automatically prefixes enriched entity fields with "EIQ". + 5. Add entity links and tables to the action results. - - It sets the `is_enriched` flag to `true` for all successfully processed entities. - - It generates external links to the EclecticIQ platform for both observables - and related entities. + ### Parameters Description + | Parameter | Type | Mandatory | Description | - ### Flow Description + | --- | --- | --- | --- | - 1. **Initialization**: Connects to the EclecticIQ API using the configured URL - and API Token. + | EclecticIQ URL | String | Yes | The base URL for the EclecticIQ instance. | - 2. **Observable Lookup**: Queries the EclecticIQ `/api/v2/observables` endpoint - using the identifiers of all target entities in the current context. + | API Token | String | Yes | The authentication token for the EclecticIQ API. + | - 3. **Entity Retrieval**: For every observable found, it queries the `/api/v2/entities` - endpoint to find related threat intelligence entities. + | Verify SSL | Boolean | Yes | Boolean flag to enable/disable SSL verification. + | - 4. **Source Enrichment**: Fetches source names from the EclecticIQ platform to - provide context on where the intelligence originated. - 5. **Internal Data Update**: Flattens the retrieved intelligence and updates the - Google SecOps entities' `additional_properties`. + ### Additional Notes - 6. **UI Enhancement**: Adds CSV-formatted data tables and direct platform links - to the entity's context in the SecOps interface. + None. capabilities: can_create_case_comments: false - can_create_insight: false + can_create_insight: true can_modify_alert_data: false can_mutate_external_data: false can_mutate_internal_data: true @@ -82,47 +80,40 @@ Enrich Entities: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with flattened threat intelligence data - from EclecticIQ and sets the is_enriched flag to true. + Updates entity additional properties and adds entity links/tables to the SOAR + case. + reasoning: >- + The action fetches threat intelligence data from EclecticIQ (fetches_data=true). + It does not modify external systems (can_mutate_external_data=false). It updates + internal SOAR entities with the retrieved data (can_mutate_internal_data=true, + can_update_entities=true). It adds entity links and tables, which are forms + of insights (can_create_insight=true). categories: enrichment: true + reasoning: >- + The action fetches data from an external source (EclecticIQ) and updates internal + entities without modifying external systems. This fits the definition of an + Enrichment action. entity_usage: entity_types: - ADDRESS - - ALERT - - APPLICATION - CHILDHASH - CHILDPROCESS - - CLUSTER - - CONTAINER - CREDITCARD - CVE - CVEID - - DATABASE - - DEPLOYMENT - DESTINATIONDOMAIN - DOMAIN - - EMAILSUBJECT - - EVENT - FILEHASH - FILENAME - - GENERICENTITY - HOSTNAME - - IPSET - - MacAddress - PARENTHASH - PARENTPROCESS - PHONENUMBER - - POD - PROCESS - - SERVICE - SOURCEDOMAIN - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - DestinationURL - - USB - - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -136,6 +127,10 @@ Enrich Entities: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over `siemplify.target_entities` without explicit type filtering + in the main loop, meaning it attempts to enrich all provided entities. The `EclecticIQManager` + uses an `ENTITY_MAP` to handle various types. Ping: action_product_categories: add_alert_comment: false @@ -151,6 +146,9 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test ('Ping'). It does not match any of the functional + categories like Enrich IOC, Create Ticket, etc. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -166,43 +164,15 @@ Ping: update_identity: false update_ticket: false ai_description: >- - ### General Description - - The **Ping** action is a diagnostic utility designed to verify the connectivity - between Google SecOps and the **EclecticIQ** platform. It ensures that the provided - configuration parameters, such as the URL and API Token, are correct and that - the network path is open. - - - ### Parameters Description - - There are no user-input parameters for this action. It relies entirely on the - integration's global configuration (EclecticIQ URL, API Token, and Verify SSL). - - - ### Additional Notes - - - This action is typically used during the initial setup of the integration or - for troubleshooting communication issues. - - - It performs a simple GET request to the EclecticIQ 'sources' endpoint to validate - the API Token and connectivity. - - - ### Flow Description - - 1. **Configuration Retrieval:** The action fetches the `EclecticIQ URL`, `API - Token`, and `Verify SSL` settings from the integration configuration. - - 2. **Manager Initialization:** An instance of the `EclecticIQManager` is created - using the retrieved settings. - - 3. **Connectivity Test:** The manager executes a `test_connectivity` call, which - sends a GET request to the EclecticIQ API `/api/v2/sources` endpoint. - - 4. **Result Handling:** If the request is successful, the action completes with - a success status. If an exception occurs (e.g., authentication failure or network - timeout), the action fails and provides a descriptive error message. + This action facilitates testing connectivity with EclecticIQ. It verifies that + the SOAR platform can successfully communicate with the EclecticIQ instance using + the provided credentials. The action flow is as follows: 1. Retrieve configuration + parameters (EclecticIQ URL, API Token, Verify SSL). 2. Initialize the EclecticIQ + Manager. 3. Perform a test GET request to the EclecticIQ API. 4. Return a success + or failure status based on the response. Parameters: EclecticIQ URL (String, Mandatory): + The base URL of the EclecticIQ instance. API Token (String, Mandatory): The authentication + token for the EclecticIQ API. Verify SSL (Boolean, Mandatory): Whether to verify + SSL certificates. capabilities: can_create_case_comments: false can_create_insight: false @@ -213,8 +183,14 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to test connectivity. It does not modify external + or internal data, nor does it update entities or create insights. categories: enrichment: false + reasoning: >- + The action is named 'Ping' and is used for connectivity testing, not for enriching + data. Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -230,9 +206,11 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with entities. Send Entities to EclecticIQ: action_product_categories: - add_alert_comment: true + add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false contain_host: false @@ -245,6 +223,10 @@ Send Entities to EclecticIQ: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action exports case entities to an external threat intelligence platform + (EclecticIQ) to create sightings or indicators. It does not match any of the + provided categories (e.g., it is not an enrichment, ticket, or containment action). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -260,58 +242,41 @@ Send Entities to EclecticIQ: update_identity: false update_ticket: false ai_description: >- - ### General Description - - Sends entities from a Google SecOps case to the EclecticIQ Intelligence Center. - By default, the action creates a **sighting** for each supported entity, associating - it with the current case metadata. Users can optionally configure the action to - also create an **indicator** entity in EclecticIQ. + Sends entities from a Google SecOps case to the EclecticIQ Intelligence Center + as sightings or indicators. The action retrieves the source ID for the specified + group, constructs a sighting object (and optionally an indicator object) using + case and entity data, and sends the data to EclecticIQ via a PUT request. Finally, + it adds a comment to the case and links the EclecticIQ entity in the results. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Group Name** | String | Yes | The name of the EclecticIQ Intelligence Center - Group (e.g., "Testing Group") where the entities will be created. | + | Group Name | string | Yes | The EclecticIQ Intelligence Center Group Name. | - | **Create Indicator** | Boolean | No | If set to `true`, the action creates both - a sighting and an indicator in EclecticIQ. If `false` (default), only a sighting - is created. | + | Create Indicator | boolean | No | If true, creates both a sighting and an indicator; + otherwise, only a sighting. | ### Flow Description - 1. **Parameter Extraction:** Retrieves the EclecticIQ URL, API token, and SSL - verification settings from the integration configuration, along with the action-specific - parameters (`Group Name`, `Create Indicator`). + 1. Extracts configuration (URL, API Token, SSL verification) and action parameters + (Group Name, Create Indicator). - 2. **Source Identification:** Queries the EclecticIQ API to find the internal - `source_id` associated with the provided `Group Name`. + 2. Initializes the EclecticIQManager. - 3. **Data Preparation:** Maps SecOps entities (IPs, Domains, Hashes, etc.) to - their corresponding EclecticIQ observable types. It also aggregates case metadata - (Title, Description, Priority, etc.) to include in the EclecticIQ description - field. + 3. Retrieves the source ID for the specified group from EclecticIQ. - 4. **Entity Creation:** Sends a `PUT` request to the EclecticIQ `/api/v2/entities` - endpoint to create the sighting (and optionally the indicator). + 4. Constructs a sighting object containing case details and entity information. - 5. **Internal Updates:** Adds a comment to the SecOps case wall confirming the - operation and provides a direct platform link to the created entity in the action - results. + 5. Optionally constructs an indicator object if 'Create Indicator' is true. + 6. Sends the data to EclecticIQ via a PUT request. - ### Additional Notes - - - Supported entity types include Hostnames, IP Addresses, Processes, File Names, - File Hashes (SHA256), URLs, CVEs, Credit Cards, Phone Numbers, Threat Actors, - and Domains. - - - The action uses UUID v5 (based on the case identifier) to ensure consistent - ID generation for sightings and indicators within EclecticIQ. + 7. Adds a comment to the case and links the EclecticIQ entity in the results. capabilities: can_create_case_comments: true can_create_insight: false @@ -320,39 +285,45 @@ Send Entities to EclecticIQ: can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: >- - Creates new sighting and indicator entities within the EclecticIQ platform via - a PUT request. + Creates sightings and optionally indicators in the EclecticIQ Intelligence Center. fetches_data: true internal_data_mutation_explanation: >- - Adds a comment to the case wall and attaches an external platform link to the - action results. + Adds a case comment and an entity link to the Google SecOps case. + reasoning: >- + The action fetches the group source ID (fetches_data=true), creates entities + in EclecticIQ (can_mutate_external_data=true), and adds a case comment and entity + link (can_mutate_internal_data=true, can_create_case_comments=true). categories: enrichment: false + reasoning: >- + The action mutates external data (creates entities in EclecticIQ), so it is + not an enrichment action. entity_usage: entity_types: + - HOSTNAME - ADDRESS - - CHILDHASH + - PROCESS + - PARENTPROCESS - CHILDPROCESS - - CREDITCARD - - CVE - - CVEID - - DESTINATIONDOMAIN - - DOMAIN - - FILEHASH - FILENAME - - HOSTNAME + - FILEHASH - PARENTHASH - - PARENTPROCESS + - CHILDHASH + - DestinationURL + - EMAILSUBJECT + - CVEID + - CREDITCARD - PHONENUMBER - - PROCESS - - SOURCEDOMAIN + - CVE - THREATACTOR - - DestinationURL + - SOURCEDOMAIN + - DESTINATIONDOMAIN + - DOMAIN filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false filters_by_creation_time: false - filters_by_entity_type: true + filters_by_entity_type: false filters_by_identifier: false filters_by_is_artifact: false filters_by_is_enriched: false @@ -361,3 +332,7 @@ Send Entities to EclecticIQ: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and checks if they are in + `ENTITY_MAP`. It does not filter by specific entity types in the code, but it + only processes entities present in `ENTITY_MAP`. diff --git a/content/response_integrations/third_party/community/eclectic_iq/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/eclectic_iq/resources/ai/connectors_ai_description.yaml index acd698d93..ce3e96ced 100644 --- a/content/response_integrations/third_party/community/eclectic_iq/resources/ai/connectors_ai_description.yaml +++ b/content/response_integrations/third_party/community/eclectic_iq/resources/ai/connectors_ai_description.yaml @@ -2,10 +2,11 @@ EclecticIQ - Feed Connector: ai_description: >- ### General Description - This connector integrates with the EclecticIQ Intelligence Center to ingest threat - intelligence data from configured outgoing feeds. It retrieves indicators and - observables from specific feeds and converts them into alerts and cases within - Google SecOps, enabling security teams to monitor and act on external threat intelligence. + This connector facilitates the ingestion of threat intelligence data from an EclecticIQ + Intelligence Center instance into Google SecOps SOAR. By polling a configured + outgoing feed, it retrieves new content blocks and transforms them into actionable + alerts, enabling security teams to integrate EclecticIQ's threat intelligence + directly into their incident response workflows. ### Parameters Description @@ -14,51 +15,47 @@ EclecticIQ - Feed Connector: | :--- | :--- | :--- | :--- | - | API Token | Password | Yes | The API token used to authenticate with the EclecticIQ - Intelligence Center. | + | API Token | Password | Yes | The API token used for authentication with the + EclecticIQ instance. | - | EclecticIQ URL | String | Yes | The base URL of the EclecticIQ instance (e.g., - https://eclecticiq.local). | + | DeviceProductField | String | Yes | The field name used to determine the device + product. | - | Outgoing Feed ID | String | Yes | The specific ID of the outgoing feed from - which to fetch data. | + | EclecticIQ URL | String | Yes | The base URL of the EclecticIQ Intelligence + Center instance. | - | DeviceProductField | String | Yes | The field name used to determine the device - product (default: EclecticIQ). | + | EventClassId | String | Yes | The field name used to determine the event name + (sub-type). | - | EventClassId | String | Yes | The field name used to determine the event name/sub-type - (default: Threat Intelligence). | + | Outgoing Feed ID | String | Yes | The ID of the outgoing feed from which to + fetch entities. | - | PythonProcessTimeout | String | Yes | The timeout limit in seconds for the script - execution. | + | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the + Python process. | - | Verify SSL | Boolean | No | Whether to verify the SSL certificate of the EclecticIQ - server. | + | Verify SSL | Boolean | No | Whether to verify SSL certificates when connecting + to the EclecticIQ API. | ### Flow Description - 1. **Authentication**: Connects to the EclecticIQ Intelligence Center using the - provided API Token and URL. + 1. The connector initializes a connection to the EclecticIQ Intelligence Center + using the provided URL and API token. - 2. **Feed Validation**: Validates that the specified `Outgoing Feed ID` exists - and is accessible. + 2. It validates the existence of the specified `Outgoing Feed ID`. - 3. **Content Discovery**: Retrieves a list of available content blocks (data batches) - associated with the configured feed. + 3. It retrieves a list of available content blocks from the feed. - 4. **Checkpointing**: Reads the last processed block ID from the internal database - to ensure only new data is ingested. + 4. The connector checks the local state to identify and skip previously processed + content blocks. - 5. **Data Retrieval**: Fetches the CSV-formatted data for each new content block - identified. + 5. For each new content block, it fetches the raw data from the EclecticIQ API. - 6. **Parsing and Mapping**: Parses the CSV records, extracting entity details - such as titles, descriptions, confidence levels, tags, and platform URLs. + 6. The retrieved data is parsed and mapped into `AlertInfo` objects, including + relevant metadata like entity titles, descriptions, and source information. - 7. **Alert Creation**: Maps the extracted data into Google SecOps Alert and Event - objects, assigning a default priority and categorizing them under the EclecticIQ - product. + 7. The generated alerts are returned to the SOAR platform for case creation and + further investigation. - 8. **Ingestion**: Ingests the alerts into the system and updates the checkpoint - with the latest processed block ID to maintain state for the next run. + 8. The connector updates the local state with the latest processed block ID to + ensure subsequent runs only fetch new data. diff --git a/content/response_integrations/third_party/community/eclectic_iq/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/eclectic_iq/resources/ai/integration_ai_description.yaml index 2e831240c..53935cb02 100644 --- a/content/response_integrations/third_party/community/eclectic_iq/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/community/eclectic_iq/resources/ai/integration_ai_description.yaml @@ -7,6 +7,17 @@ product_categories: iam_and_identity_management: false itsm: false network_security: false + reasoning: >- + The EclecticIQ integration is primarily designed for Threat Intelligence. The + 'Enrich Entities' action retrieves threat intelligence data (reputation, metadata) + for indicators, which directly aligns with the Threat Intelligence category's + goal of determining reputation and confirming alerts. Additionally, the 'EclecticIQ + - Feed Connector' ingests threat intelligence feeds into the SOAR platform to + create alerts, further solidifying its role in threat intelligence. The integration + does not perform SIEM log analysis, EDR host containment, network security blocking, + email security, IAM management, cloud security, ITSM ticketing, vulnerability + management, asset inventory, or collaboration/approval workflows as defined in + the provided categories. siem: false threat_intelligence: true vulnerability_management: false diff --git a/content/response_integrations/third_party/community/flashpoint/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/flashpoint/resources/ai/actions_ai_description.yaml index 16301cacc..721dc3b1e 100644 --- a/content/response_integrations/third_party/community/flashpoint/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/flashpoint/resources/ai/actions_ai_description.yaml @@ -13,6 +13,11 @@ Custom Query: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action executes a custom query against the Flashpoint API and returns the + results. This aligns with the 'Search Events' category, which involves returning + a collection of historical logs or telemetry data matching specific search parameters. + It does not perform enrichment, containment, or ticket management. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -28,49 +33,38 @@ Custom Query: update_identity: false update_ticket: false ai_description: >- - ### General Description - - The **Custom Query** action allows users to execute arbitrary search queries against - the Flashpoint API. It provides flexibility by allowing the user to specify both - the API endpoint path and the JSON-formatted query body. This is useful for advanced - searches that are not covered by standard enrichment actions. + Executes a custom query against the Flashpoint API. This action allows users to + send a JSON-formatted query body to a specified API endpoint to retrieve threat + intelligence or search results. The results are returned as a JSON object and + added to the action's output. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Query Content** | Code | Yes | A JSON-formatted string representing the body - of the search request. It typically includes fields like `query`, `limit`, `start_date`, - and `search_tags`. | - - | **New Query URL** | String | Yes | The API endpoint path to be appended to the - base Flashpoint API URL (e.g., `/all/search`). | - - - ### Additional Notes - - - This action uses a POST request to the Flashpoint API to accommodate complex - query structures. + | Query Content | code | Yes | The JSON-formatted content of the query to search. + | - - The results are returned as a raw JSON object in the action's results. + | New Query URL | string | Yes | The API endpoint path to which the query will + be sent (e.g., /all/search). | ### Flow Description - 1. **Extract Configuration:** Retrieves the Flashpoint API Key from the integration - settings. + 1. The action extracts the API Key from the integration configuration. + + 2. It extracts the 'Query Content' and 'New Query URL' parameters provided by + the user. - 2. **Extract Parameters:** Retrieves the user-provided query JSON and the target - URL path. + 3. It initializes the FlashpointManager with the API Key. - 3. **Execute Request:** Sends a POST request to the Flashpoint API with the provided - JSON payload. + 4. It executes a POST request to the specified API endpoint using the provided + query content. - 4. **Process Results:** Captures the JSON response from Flashpoint and attaches - it to the action's output. + 5. The retrieved results are added to the action's output as a JSON object. capabilities: can_create_case_comments: false can_create_insight: false @@ -81,8 +75,17 @@ Custom Query: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the Flashpoint API to execute a custom + query. It retrieves data (search results) but does not modify the state of the + external system (no blocking, deleting, or updating). It does not interact with + internal SOAR entities, insights, or case comments. categories: enrichment: false + reasoning: >- + The action is a generic search tool that does not operate on specific entities + or alerts. It does not meet the criteria for an Enrichment Action, which requires + gathering supplemental context about specific alerts or entities. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -98,6 +101,9 @@ Custom Query: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not reference `siemplify.target_entities` and performs a generic + search operation. Therefore, it does not use any entity types. IOC_Enrichment: action_product_categories: add_alert_comment: false @@ -113,6 +119,10 @@ IOC_Enrichment: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves threat intelligence (reputation, etc.) for indicators from + Flashpoint. This aligns with the 'Enrich IOC' category. It does not perform + containment, ticket management, or other mutation operations. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -127,31 +137,47 @@ IOC_Enrichment: update_email: false update_identity: false update_ticket: false - ai_description: "### General Description\nThe **IOC Enrichment** action retrieves\ - \ threat intelligence for indicator entities from the Flashpoint platform. It\ - \ queries the Flashpoint API to find matching indicator attributes, providing\ - \ context such as associated tags, technical details, and historical sightings.\ - \ This action is primarily used to determine the risk level of an indicator and\ - \ to populate the SOAR environment with external threat data.\n\n### Parameters\ - \ Description\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- |\ - \ :--- | :--- |\n| **Limit** | String | No | The maximum number of result objects\ - \ to return from Flashpoint for each entity. Defaults to \"100\". |\n\n### Flow\ - \ Description\n1. **Initialization**: The action initializes the Flashpoint manager\ - \ using the provided API Key.\n2. **Entity Iteration**: The script iterates through\ - \ all target entities provided in the context.\n3. **API Query**: For each entity,\ - \ it performs a GET request to the Flashpoint `/indicators/attribute` endpoint\ - \ using the entity's identifier as the query.\n4. **Data Processing**: \n *\ - \ If a report is found, the action flattens the JSON data and prepends the \"\ - FlashPoint\" prefix to the keys.\n * It updates the entity's `additional_properties`\ - \ with the enriched data.\n * It marks the entity as `is_enriched` and `is_suspicious`.\n\ - 5. **Insight Generation**: An entity insight is created for every successfully\ - \ enriched entity, highlighting that it was marked as suspicious by Flashpoint.\n\ - 6. **Finalization**: The action attaches the full JSON report to the entity and\ - \ the script results, then concludes with a summary of found and not-found entities.\n\ - \n### Additional Notes\n* This action automatically marks any entity found in\ - \ the Flashpoint database as **suspicious** within the Google SecOps platform.\n\ - * If an entity is not found in Flashpoint, it is tracked and reported in the final\ - \ output message." + ai_description: >- + ### General Description + + Enriches indicator entities using the Flashpoint threat intelligence platform. + This action retrieves threat intelligence data for provided entities, updates + their properties with enriched information, and flags them as suspicious if applicable. + + + ### Flow Description + + 1. Iterate through the `target_entities` provided to the action. + + 2. For each entity, query the Flashpoint API (`/indicators/attribute`) using the + entity's identifier. + + 3. If a report is returned: + - Flatten the report data and prefix keys with "FlashPoint". + - Update the entity's `additional_properties` with the enriched data. + - Set the entity's `is_enriched` flag to true. + - Mark the entity as `is_suspicious`. + - Add an entity insight to the SOAR case summarizing the enrichment. + - Store the report in the action results. + 4. If no report is found, track the entity as not found. + + 5. Return the final results and output message. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Limit | string | false | The maximum number of result objects to return. Defaults + to "100". | + + + ### Additional Notes + + This action performs read-only operations on the Flashpoint API and updates internal + SOAR entity data. It does not perform any external mutations. capabilities: can_create_case_comments: false can_create_insight: true @@ -162,10 +188,19 @@ IOC_Enrichment: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties, sets the enriched and suspicious flags, - and creates entity insights based on the data retrieved from Flashpoint. + Updates entity properties (additional_properties, is_enriched, is_suspicious) + and adds entity insights. + reasoning: >- + The action fetches threat intelligence data from the Flashpoint API via a GET + request. It performs internal mutations by updating entity properties (additional_properties, + is_enriched, is_suspicious) and adding entity insights. It does not mutate external + systems. categories: enrichment: true + reasoning: >- + The action fetches data from an external source (Flashpoint) and performs allowed + internal mutations (updating entities, adding insights). It does not mutate + external data. Therefore, it qualifies as an enrichment action. entity_usage: entity_types: - ADDRESS @@ -216,6 +251,10 @@ IOC_Enrichment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` without any type-based filtering, + meaning it attempts to enrich any entity provided to the action. Therefore, + it supports all entity types. Indicators Custom Query: action_product_categories: add_alert_comment: false @@ -231,6 +270,11 @@ Indicators Custom Query: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action performs a search query against the Flashpoint API to retrieve indicators. + This matches the 'Search Events' category, which involves returning a collection + of historical logs or telemetry data matching specific search parameters. It + does not enrich specific IOCs or assets, nor does it perform any mutation. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -246,67 +290,55 @@ Indicators Custom Query: update_identity: false update_ticket: false ai_description: >- - ### General Description + Executes a custom query against the Flashpoint API to retrieve indicators (events + or attributes) based on user-defined criteria. This action allows analysts to + search for specific threat intelligence data by applying filters such as date + ranges, search tags, and custom query strings. - The **Indicators Custom Query** action allows users to perform advanced searches - against the Flashpoint indicator database. It retrieves specific events or attributes - based on a variety of filtering criteria such as keywords, tags, and date ranges. - This action is primarily used for threat hunting and gathering intelligence on - specific indicators of compromise (IOCs) stored within Flashpoint. + ### Flow Description - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **Indicator Type** | DDL | Yes | Determines the scope of the search. Options - include 'simple' (simplified list), 'event' (groupings of IOCs), or 'attribute' - (specific IOCs). | - - | **Query** | String | No | The specific search string or custom query to execute. - | + 1. The action extracts configuration parameters (API Key) and action-specific + parameters (Limit, Dates, Tags, Query, Sort, Entity Types, and Indicator Type). - | **Search Tags** | String | No | A comma-separated list of tags to filter results - (e.g., 'malware, ransomware'). | + 2. It initializes the FlashpointManager to establish a connection to the Flashpoint + API. - | **Entity Types** | String | No | A comma-separated list of Flashpoint-specific - entity types to retrieve (e.g., 'url, domain, ip-src'). | + 3. It executes the `indicators_custom_query` method, which performs a GET request + to the Flashpoint API endpoint based on the provided indicator type. - | **Start Date** | String | No | Filters for indicators created after this ISO - 8601 timestamp (e.g., '2020-02-26T14:49:07Z'). | + 4. If the query is successful, the results are returned as a JSON object in the + action result. If no results are found or an error occurs, the action handles + the response accordingly. - | **End Date** | String | No | Filters for indicators created before this ISO - 8601 timestamp. | - | **Limit** | String | No | The maximum number of result objects to return. Default - is 10. | + ### Parameters Description - | **Sort By Time** | DDL | No | Specifies whether to return results in 'Ascending' - or 'Descending' chronological order. | + | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Flow Description + | Sort By Time | ddl | No | Presents the data in a descending or ascending order. + | - 1. **Configuration Extraction:** The action retrieves the Flashpoint API Key from - the integration settings and all user-provided search parameters. + | Entity Types | string | No | Entity types to retrieve data for (comma separated). + | - 2. **Manager Initialization:** An instance of the Flashpoint Manager is created - to handle API communication. + | Limit | string | No | The maximum number of result objects to return. | - 3. **API Request:** The action constructs a GET request to the Flashpoint `/indicators/{type}` - endpoint, passing the query parameters, filters, and sorting preferences. + | Start Date | string | No | Retrieves values created after the specified date + (e.g., 2020-02-26T14:49:07Z). | - 4. **Result Processing:** If the API returns data, the results are formatted as - a JSON object and attached to the action output. If no data is found, the action - reports a failure to find entities. + | End Date | string | No | Retrieves values created before the specified date + (e.g., 2020-11-25T14:49:07Z). | + | Search Tags | string | No | Search for a specific keyword (comma separated). + | - ### Additional Notes + | Query | string | No | Custom query to retrieve data for. | - This action does not process entities currently present in the Google SecOps case; - it is a standalone search utility that returns data based on the provided parameters. + | Indicator Type | ddl | Yes | The type of indicator to query: simple, event, + or attribute. | capabilities: can_create_case_comments: false can_create_insight: false @@ -317,8 +349,18 @@ Indicators Custom Query: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Flashpoint API to retrieve indicator + data based on user-provided parameters. It does not modify any external systems, + nor does it update any internal SOAR data such as entities, insights, or case + comments. categories: enrichment: false + reasoning: >- + While the action fetches data, it is not classified as an enrichment action + because it does not operate on specific entities or alerts to provide context. + It is a general search/query tool that retrieves data based on global parameters + rather than enriching a specific entity profile. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -334,6 +376,9 @@ Indicators Custom Query: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `target_entities` or use entity-specific identifiers. + It performs a global search based on provided parameters. Ping: action_product_categories: add_alert_comment: false @@ -349,6 +394,9 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test (Ping). It does not match any of the specific + functional categories like Enrich IOC, Contain Host, etc. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -364,30 +412,28 @@ Ping: update_identity: false update_ticket: false ai_description: >- - Tests the connectivity between Google SecOps and the Flashpoint API. This action - validates the provided API key by performing a sample search query for forum data - related to carding and exploits. It ensures that the integration can successfully - communicate with the Flashpoint service. + ### General description + This action tests the connectivity between the SOAR platform and the Flashpoint + API. It verifies that the provided API key is valid and that the integration can + successfully communicate with the Flashpoint service. - ### Parameters + + ### Parameters description There are no parameters for this action. - ### Flow Description + ### Flow description - 1. **Initialize Manager**: The action initializes the Flashpoint API manager using - the configured API key. + 1. The action initializes the `SiemplifyAction` and extracts the API Key. - 2. **Test Connectivity**: It executes a GET request to the Flashpoint search endpoint - with a predefined query to verify the API key and network access. + 2. It instantiates the `FlashpointManager` with the API Key. - 3. **Validate Response**: The action checks if the API returns a valid JSON response - and handles potential errors. + 3. It calls the `test_connectivity` method, which performs a GET request to the + Flashpoint API. - 4. **Report Result**: Returns a success message if the connection is established, - or a failure message if the connection fails. + 4. Based on the response, it returns a success or failure message. capabilities: can_create_case_comments: false can_create_insight: false @@ -398,8 +444,14 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to verify API connectivity. It does not modify + external or internal data. categories: enrichment: false + reasoning: >- + The action is named 'Ping'. Per the instructions, 'Actions named Ping must not + be categorized as enrichment actions.' Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -415,6 +467,8 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with entities. It is a global connectivity test. Run Query: action_product_categories: add_alert_comment: false @@ -430,6 +484,12 @@ Run Query: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action executes a search query against the Flashpoint platform and returns + the results. This aligns with the 'Search Events' category, which involves returning + collections of data matching specific search parameters. It does not perform + enrichment on specific IOCs or assets, nor does it perform any containment or + ticket management actions. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -445,58 +505,52 @@ Run Query: update_identity: false update_ticket: false ai_description: >- - ### General Description - - Executes a custom search query against the Flashpoint platform to retrieve intelligence - data. This action allows analysts to perform flexible searches using Flashpoint's - query language, applying filters for tags, date ranges, and sorting preferences. - The results are returned as a JSON object for further processing within the playbook. + Executes a custom query against the Flashpoint platform to retrieve threat intelligence + or data based on user-defined parameters. This action allows analysts to perform + broad searches across Flashpoint's data sets, such as blog posts or indicators, + using specific query strings, date ranges, and filtering tags. - ### Parameters Description - - | Parameter | Type | Mandatory | Description | + ### Flow Description - | :--- | :--- | :--- | :--- | + 1. **Parameter Extraction**: The action extracts the `Query`, `Results count limit`, + `Date Range`, `Sort By`, and `Tags` parameters provided by the user. - | Query | string | Yes | The search query content using Flashpoint syntax (e.g., - `+basetypes:+indicator`). | + 2. **Initialization**: It initializes the `FlashpointManager` using the API key + configured in the integration settings. - | Results count limit | string | No | The maximum number of results to retrieve. - Defaults to 100. | + 3. **Query Execution**: It calls the Flashpoint API to execute the custom query + with the provided filters and constraints. - | Sort By | string | No | Specifies the fields and order for sorting results (e.g., - `posted_at:desc,title:asc`). | + 4. **Result Handling**: The raw JSON response from the Flashpoint API is added + to the action results for the analyst to review. - | Tags | string | No | A comma-separated list of tags to filter the search results - (e.g., `+tag_1, +tag_2`). | - | Date Range | string | No | The timeframe for the search query (e.g., `[now-1y - TO now]`). | + ### Parameters + | Parameter | Type | Mandatory | Description | - ### Additional Notes + | :--- | :--- | :--- | :--- | - This action does not operate on specific entities within the case; instead, it - performs a global search based on the provided query parameters. The results are - provided in the `JsonResult` output. + | Query | string | Yes | The search query content (e.g., `+basetypes:+indicator`). + | + | Results count limit | string | No | The maximum number of results to return. + Defaults to 100 if not specified. | - ### Flow Description + | Sort By | string | No | The fields to sort by (e.g., `posted_at:desc,title:asc`). + | - 1. **Configuration Retrieval:** Fetches the Flashpoint API Key from the integration - settings. + | Tags | string | No | A comma-separated list of tags for filtering results. | - 2. **Parameter Extraction:** Collects the query string, result limit, date range, - sorting criteria, and tags from the action input. + | Date Range | string | No | The date range to filter the data (e.g., `[now-1y + TO now]`). | - 3. **API Interaction:** Initializes the Flashpoint Manager and executes the search - query against the Flashpoint API. - 4. **Result Processing:** Receives the query response and attaches the raw data - to the action's JSON results. + ### Additional Notes - 5. **Completion:** Ends the action with a success message and a boolean status. + This action is a generic search tool and does not operate on specific entities. + It returns raw data from the Flashpoint platform. capabilities: can_create_case_comments: false can_create_insight: false @@ -507,8 +561,18 @@ Run Query: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Flashpoint API to retrieve search results + based on user-provided query parameters. It does not modify any external systems + (no POST/PUT/DELETE for state changes) and does not modify internal SOAR data + (entities, insights, or case comments). categories: enrichment: false + reasoning: >- + While the action fetches data, it is a generic search/query tool that does not + operate on specific entities (e.g., IP, Hash) to enrich them. It does not meet + the criteria for an Enrichment Action, which requires operating on entities + to provide supplemental context. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -524,3 +588,7 @@ Run Query: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities` or use any entity-specific + identifiers. It relies entirely on user-provided input parameters to construct + the search query. diff --git a/content/response_integrations/third_party/community/flashpoint/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/flashpoint/resources/ai/connectors_ai_description.yaml index 74d19c9e4..867eac001 100644 --- a/content/response_integrations/third_party/community/flashpoint/resources/ai/connectors_ai_description.yaml +++ b/content/response_integrations/third_party/community/flashpoint/resources/ai/connectors_ai_description.yaml @@ -2,13 +2,11 @@ ai_description: >- ### General Description - The Flashpoint Compromised Credential Connector integrates with the Flashpoint - API to monitor and ingest alerts related to compromised credentials. It specifically - tracks "credential-sighting" events, which occur when employee credentials (such - as emails and passwords) are discovered in external data sources like the deep - or dark web. This connector enables security teams to proactively respond to potential - account takeovers by automatically creating cases in Google SecOps for every detected - sighting. + The Flashpoint - Compromised Credential Connector integrates with the Flashpoint + intelligence platform to monitor and ingest compromised credential sightings. + It periodically queries the Flashpoint API for new credential-related alerts and + automatically creates cases within Google SecOps, enabling security teams to respond + to potential account takeovers or credential leaks. ### Parameters Description @@ -17,27 +15,27 @@ | :--- | :--- | :--- | :--- | - | API Key | Password | Yes | The API key used to authenticate with the Flashpoint - v4 API. | + | API Key | Password | Yes | The API Key used to authenticate with the Flashpoint + service. | - | DeviceProductField | String | Yes | The field name in the source data used to - determine the device product (defaults to 'Flashpoint'). | + | DeviceProductField | String | Yes | The field name used to determine the device + product in the case. | | EventClassId | String | No | The field name used to determine the event name - or sub-type. | + (sub-type). | - | Limit | Integer | Yes | The maximum number of events to retrieve per execution - cycle. | + | Limit | Integer | Yes | The maximum number of events to retrieve per execution. + | - | Max Days Back | Integer | No | The maximum number of days to look back for data - during the first run or if no previous timestamp exists. | + | Max Days Back | Integer | No | The maximum number of days to look back when + fetching data. | - | Proxy Server Address | String | No | The address of the proxy server to use - for network communication. | + | Proxy Password | Password | No | The proxy password to authenticate with. | - | Proxy Username | String | No | The username for proxy authentication. | + | Proxy Server Address | String | No | The address of the proxy server to use. + | - | Proxy Password | Password | No | The password for proxy authentication. | + | Proxy Username | String | No | The proxy username to authenticate with. | | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the Python process running the script. | @@ -45,24 +43,19 @@ ### Flow Description - 1. **Timestamp Retrieval**: The connector fetches the last saved timestamp from - the SOAR database. If no timestamp is found, it uses the "Max Days Back" parameter - to define the starting point. + 1. The connector initializes a connection to the Flashpoint API using the provided + API Key and optional proxy settings. - 2. **API Query**: It connects to the Flashpoint `/all/search` endpoint using a - Bearer token. It specifically queries for `basetypes:(credential-sighting)` within - the time range from the last timestamp to the current time. + 2. It calculates the time range for data retrieval based on the last successful + fetch timestamp or the configured "Max Days Back" parameter. - 3. **Data Processing**: The connector retrieves a list of hits (up to the configured - Limit) and flattens the nested JSON structure of each alert for easier mapping. + 3. It queries the Flashpoint API for "credential-sighting" events that occurred + within the calculated time window. - 4. **Case Creation**: Each sighting is mapped to a Google SecOps `CaseInfo` object. - The priority is set to 60 (Medium), and the event name is hardcoded as "Credential - Sighting". + 4. For each retrieved alert, the connector flattens the data structure and maps + it to a Google SecOps case format. - 5. **Overflow Validation**: Before ingestion, the connector checks if the alert - matches overflow criteria to prevent redundant case creation. + 5. It checks for alert overflow to prevent duplicate case creation. - 6. **Ingestion and State Management**: Valid cases are ingested into the platform, - and the timestamp of the most recent alert is saved to ensure the next run starts - from where the current one ended. + 6. Valid cases are ingested into the SOAR platform, and the latest timestamp is + saved to ensure subsequent runs only fetch new data. diff --git a/content/response_integrations/third_party/community/flashpoint/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/flashpoint/resources/ai/integration_ai_description.yaml index ac8e64b44..18b37219c 100644 --- a/content/response_integrations/third_party/community/flashpoint/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/community/flashpoint/resources/ai/integration_ai_description.yaml @@ -7,6 +7,18 @@ product_categories: iam_and_identity_management: false itsm: false network_security: false + reasoning: >- + The Flashpoint integration is primarily focused on providing risk intelligence + and threat data. The 'IOC_Enrichment' action allows users to enrich indicators + with threat intelligence, which is the core function of the Threat Intelligence + category. The connector ingests compromised credential sightings, which provides + alerts but does not perform log analysis or search internal logs, thus it does + not meet the criteria for SIEM. It does not perform host containment (EDR), network + blocking (Network Security), email management (Email Security), identity management + (IAM & Identity Management), cloud resource management (Cloud Security), ticket + creation (ITSM), vulnerability scanning (Vulnerability Management), or asset inventory + management (Asset Inventory). Therefore, it is classified solely under Threat + Intelligence. siem: false threat_intelligence: true - vulnerability_management: true + vulnerability_management: false diff --git a/content/response_integrations/third_party/community/full_contact/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/full_contact/resources/ai/actions_ai_description.yaml index cc1da7598..0ce30d04c 100644 --- a/content/response_integrations/third_party/community/full_contact/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/full_contact/resources/ai/actions_ai_description.yaml @@ -13,6 +13,10 @@ Enrich Entities: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves contextual metadata (e.g., company details, person details) + for user entities and updates their properties. This aligns with the 'Enrich + Asset' category. It does not perform IOC enrichment, ticket creation, or containment. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -27,23 +31,48 @@ Enrich Entities: update_email: false update_identity: false update_ticket: false - ai_description: "Enriches User entities using the Full Contact API. This action\ - \ retrieves comprehensive person and company metadata based on the email address\ - \ of the User entity. It extracts professional details such as job titles and\ - \ LinkedIn profiles, as well as organizational data including company size, industry,\ - \ and location.\n\n### Flow Description:\n1. **Configuration Retrieval:** Fetches\ - \ the Full Contact API key from the integration settings.\n2. **Entity Filtering:**\ - \ Iterates through the target entities and identifies those of type `USER`.\n\ - 3. **Data Extraction:** For each User entity, it extracts the email address and\ - \ the associated domain.\n4. **External API Interaction:** \n * Calls the Full\ - \ Contact `company.enrich` endpoint using the domain to get organizational context.\n\ - \ * Calls the Full Contact `person.enrich` endpoint using the email to get\ - \ individual context.\n5. **Data Mapping:** Maps the retrieved attributes (e.g.,\ - \ Company Name, Industry, Employee Count, Person Title, Gender, LinkedIn URL)\ - \ to the entity's `additional_properties`.\n6. **Internal Update:** Updates the\ - \ entities within Google SecOps with the new enrichment data and provides a JSON\ - \ result for the action.\n\n### Parameters Description:\nThere are no input parameters\ - \ for this action." + ai_description: >- + Enriches User entities using the Full Contact API. This action retrieves professional + and company-related metadata for a given user email and domain, then updates the + entity's profile within the SOAR platform. + + + ### Flow Description + + 1. The action iterates through the provided target entities. + + 2. It filters for entities of type `USER`. + + 3. For each user, it extracts the email address and the associated domain. + + 4. It queries the Full Contact API (`/v3/person.enrich` and `/v3/company.enrich`) + to retrieve contextual data. + + 5. It parses the API response to extract details such as company name, industry, + location, employee count, and person-specific details like title and LinkedIn + profile. + + 6. It updates the entity's `additional_properties` with the retrieved information. + + 7. Finally, it updates the entities in the SOAR platform and returns the enrichment + results. + + + ### Parameters + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | API Key | String | Yes | The API key required to authenticate with the Full + Contact API. This is retrieved from the integration configuration. | + + + ### Additional Notes + + This action only processes entities of type `USER`. If other entity types are + provided, they will be ignored. The action relies on the `Full Contact` integration + configuration to obtain the necessary API credentials. capabilities: can_create_case_comments: false can_create_insight: false @@ -54,10 +83,18 @@ Enrich Entities: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates the 'additional_properties' of User entities with enrichment data retrieved - from Full Contact. + Updates the entity's `additional_properties` with retrieved enrichment data. + reasoning: >- + The action fetches data from an external API (Full Contact) to enrich user entities. + It updates the entity's `additional_properties` within the SOAR platform, which + is an allowed internal mutation for enrichment actions. It does not modify external + systems or create insights/comments. categories: enrichment: true + reasoning: >- + The action fetches data from an external source (Full Contact) and updates internal + entity properties. It does not mutate external systems. This fits the definition + of an Enrichment Action. entity_usage: entity_types: - USERUNIQNAME @@ -74,6 +111,9 @@ Enrich Entities: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and explicitly checks `if + ent.entity_type == EntityTypes.USER`. Therefore, it only processes `USER` entities. Ping: action_product_categories: add_alert_comment: false @@ -89,6 +129,10 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + This action is a connectivity test (Ping). It does not perform actual enrichment + of entities, update alerts, or modify external systems. It is strictly for verifying + API connectivity. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -104,37 +148,15 @@ Ping: update_identity: false update_ticket: false ai_description: >- - ### General Description - - Tests connectivity with the Full Contact service. This action is used to verify - that the API key provided in the integration configuration is valid and that the - Google SecOps environment can reach the Full Contact API endpoints. - - - ### Parameters Description - - There are no parameters for this action. - - - ### Additional Notes - - This action uses a hardcoded domain ('google.com') to perform a test enrichment - request. It does not process any entities from the case. - - - ### Flow Description - - 1. **Configuration Retrieval:** Fetches the 'API Key' from the 'Full Contact' - integration settings. - - 2. **API Request:** Sends a POST request to the Full Contact company enrichment - endpoint using the hardcoded domain 'google.com'. - - 3. **Authentication Check:** Evaluates the response status. If a 401 Unauthorized - status is returned, an exception is raised. - - 4. **Completion:** If the request is successful (or returns a non-401 status), - the action concludes with a success message. + General Description: This action verifies connectivity to the Full Contact API + by executing a sample domain enrichment request for the domain google.com. It + is designed to test the integration's authentication and network reachability. + Parameters: There are no parameters for this action. Flow Description: 1. Initialize + the SiemplifyAction object. 2. Retrieve the API Key from the Full Contact integration + configuration. 3. Instantiate the FullContactManager with the retrieved API Key. + 4. Execute the enrich_domain method using the hardcoded domain google.com. 5. + Validate the response status; if a 401 error occurs, raise an exception. 6. Terminate + the action with a success message. capabilities: can_create_case_comments: false can_create_insight: false @@ -145,8 +167,15 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs an API request to verify connectivity. It fetches data from + an external source but does not modify any external or internal systems. categories: enrichment: false + reasoning: >- + Although the action performs an API call that retrieves data, it is named Ping. + According to the guidelines, actions named Ping must not be categorized as enrichment + actions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -162,3 +191,6 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with target_entities. It uses a hardcoded domain + string (google.com) for the connectivity test. diff --git a/content/response_integrations/third_party/community/full_contact/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/full_contact/resources/ai/integration_ai_description.yaml index 0b062e038..6a1de684f 100644 --- a/content/response_integrations/third_party/community/full_contact/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/community/full_contact/resources/ai/integration_ai_description.yaml @@ -1,12 +1,22 @@ product_categories: - asset_inventory: true + asset_inventory: false cloud_security: false collaboration: false edr: false email_security: false - iam_and_identity_management: true + iam_and_identity_management: false itsm: false network_security: false + reasoning: >- + The 'full_contact' integration provides identity resolution and enrichment services + for User entities. It retrieves professional and company-related metadata (e.g., + industry, title, location) to enrich user profiles within the SOAR platform. It + does not perform threat intelligence (reputation, risk scores, malware analysis), + nor does it manage identity (suspension, password resets) or manage hardware assets. + While it provides context about users, it does not fit the specific 'Expected + Outcome' definitions for IAM (which requires management capabilities) or Asset + Inventory (which focuses on device management). Therefore, it does not align with + any of the provided product categories. siem: false threat_intelligence: false vulnerability_management: false diff --git a/content/response_integrations/third_party/community/google_docs/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/google_docs/resources/ai/actions_ai_description.yaml index 418a3bf8c..f070246b2 100644 --- a/content/response_integrations/third_party/community/google_docs/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/google_docs/resources/ai/actions_ai_description.yaml @@ -13,6 +13,11 @@ Create Content: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action performs a write operation on an external Google Document. It does + not match any of the provided security-focused categories (e.g., IOC enrichment, + ticketing, containment, identity management, or email/file operations). Therefore, + all categories are set to false. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -30,52 +35,44 @@ Create Content: ai_description: >- ### General Description - Creates and inserts text content into a specific Google Document. This action - allows users to programmatically update a document by providing a list of text - strings and their corresponding insertion indices. It is useful for automated - reporting, logging, or document generation within a workflow. + This action updates a Google Document by inserting text at specified locations. + It leverages the Google Docs API to perform batch updates on a document identified + by its ID. ### Parameters Description - | Parameter Name | Type | Mandatory | Description | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Document Id | string | True | The unique identifier of the Google Document, - which can be found in the document's URL (e.g., https://docs.google.com/document/d/{DocumentId}/). - | + | Document Id | string | Yes | The unique identifier of the Google Document to + be updated. This can be found in the document's URL. | - | Json | code | True | A JSON-formatted string containing an array of items to - insert. Each item must include an `index` (the character offset where the text - should be inserted) and the `text` to be inserted. | + | Json | code | Yes | A JSON-formatted string containing the items to insert. + Each item must specify the `index` (offset) and `text` to be inserted. | - ### Additional Notes + ### Flow Description - The `Json` parameter must follow a specific structure: `{"items": [{"index": 1, - "text": "example"}]}`. The indices refer to the character offsets in the document; - ensure that the indices provided are valid for the target document's current length - to avoid errors. + 1. The action extracts the `Document Id` and the `Json` content payload from the + action parameters. + 2. The `Json` parameter is parsed to extract the list of items, each containing + an `index` and `text`. - ### Flow Description + 3. A batch update request is constructed for each item. - 1. **Configuration Extraction:** The action retrieves the Google Docs service - account credentials from the integration configuration. + 4. The `GoogleDocsManager` executes the batch update request against the specified + Google Document. - 2. **Parameter Parsing:** It extracts the `Document Id` and the `Json` payload - containing the content to be inserted. + 5. The result of the operation is added to the action results. - 3. **Request Construction:** The action parses the JSON input and iterates through - the items to build a list of `insertText` requests compatible with the Google - Docs `batchUpdate` API. - 4. **API Execution:** It initializes the `GoogleDocsManager` and executes the - batch update request against the specified document. + ### Additional Notes - 5. **Result Handling:** The action captures the API response, adds it to the result - JSON, and concludes with a success message. + This action performs a direct mutation on an external Google Document. It does + not interact with any SOAR entities or internal case data. capabilities: can_create_case_comments: false can_create_insight: false @@ -84,12 +81,20 @@ Create Content: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Modifies the content of an existing Google Document by inserting text at specified + Modifies the content of an external Google Document by inserting text at specified indices. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a batch update on a Google Document via the Google Docs + API, which is an external system mutation. It does not fetch data, nor does + it modify internal SOAR data, entities, or alert information. categories: enrichment: false + reasoning: >- + The action is a mutation action that modifies an external Google Document. It + does not fetch data for enrichment purposes, nor does it meet the criteria for + an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -105,6 +110,10 @@ Create Content: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not interact with `siemplify.target_entities` or any entity objects. + It relies solely on action parameters provided by the user. Therefore, it does + not process any entity types. Create Document: action_product_categories: add_alert_comment: false @@ -120,6 +129,10 @@ Create Document: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action creates a document in Google Drive. It does not match any of the + provided security-specific categories such as 'Create Ticket', 'Send Email', + or 'Enrich IOC'. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -137,52 +150,48 @@ Create Document: ai_description: >- ### General Description - Creates a new Google Document and manages sharing permissions for specified users. - This action is useful for automating the creation of incident reports, investigation - notes, or collaborative documents directly from a SOAR playbook. + This action creates a new Google Document and configures sharing permissions for + specified users. It leverages the Google Drive and Google Docs APIs to generate + a document with a custom title and assign specific access roles (Owner, Writer, + or Reader) to a list of email addresses. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Extraction**: The action extracts the `Title`, `Role`, and `Emails` parameters + from the action configuration. - | :--- | :--- | :--- | :--- | + 2. **Initialization**: It initializes the `GoogleDocsManager` using the provided + credentials to authenticate with Google Drive and Docs services. - | Title | string | Yes | The title of the document to be created. Defaults to - 'New Document'. | + 3. **Creation**: It creates a new document via the Google Docs API. - | Role | ddl | Yes | The permission level granted to the specified emails. Options - are 'owner' (full control), 'writer' (can edit/comment), or 'reader' (view only). - | + 4. **Permission Assignment**: It iterates through the provided email addresses + and applies the specified permission role to the newly created document using + the Google Drive API. - | Emails | string | Yes | A semicolon-separated list of email addresses (e.g., - 'user1@example.com;user2@example.com') that will be granted the specified role - on the document. | + 5. **Result**: It retrieves the metadata of the created file and returns it as + the action result. - ### Flow Description + ### Parameters Description - 1. **Parameter Extraction:** The action retrieves the document title, the desired - user role, and the list of email addresses from the input parameters. + | Parameter | Type | Mandatory | Description | - 2. **Document Creation:** It interacts with the Google Docs API to create a new, - empty document with the provided title. + | :--- | :--- | :--- | :--- | - 3. **Permission Assignment:** It iterates through the provided list of email addresses - and uses the Google Drive API to grant each user the specified access role (Owner, - Writer, or Reader). + | Title | string | Yes | The title of the document to be created. | - 4. **Metadata Retrieval:** After creation and sharing, it fetches the complete - metadata for the new file from Google Drive. + | Role | ddl | Yes | The permission level to assign: "owner", "writer", or "reader". + | - 5. **Result Reporting:** The action returns the document metadata as a JSON result - and provides the Document ID as the final script output. + | Emails | string | Yes | A semicolon-separated list of email addresses to share + the document with. | ### Additional Notes - This action requires a valid Service Account JSON with appropriate Google Drive - and Google Docs scopes configured in the integration settings. + There are no additional notes. capabilities: can_create_case_comments: false can_create_insight: false @@ -191,12 +200,20 @@ Create Document: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new document in Google Docs and modifies file permissions in Google - Drive to share the document with specified users. - fetches_data: true + Creates a new document in Google Drive and assigns permissions to specified + users. + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs an external mutation by creating a document in Google Drive + and setting permissions. It does not fetch contextual data for entities or alerts, + nor does it modify internal SOAR case data. categories: enrichment: false + reasoning: >- + The action is a creation/mutation task (creating a document) and does not meet + the criteria for an enrichment action, which requires fetching data without + mutating external systems. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -212,6 +229,9 @@ Create Document: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `siemplify.target_entities`. It operates based + on input parameters provided by the user. Ping: action_product_categories: add_alert_comment: false @@ -227,6 +247,9 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test ('Ping') and does not perform any of the defined + functional outcomes (e.g., enriching IOCs, creating tickets, blocking hosts). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -242,48 +265,32 @@ Ping: update_identity: false update_ticket: false ai_description: >- - ### General Description - - The **Ping** action is a diagnostic tool designed to verify the connectivity between - Google SecOps and the Google Docs/Drive API. It ensures that the provided service - account credentials are valid and that the environment has the necessary network - permissions to reach Google's services. + Tests connectivity to Google Docs and Google Drive by performing a test API request. + This action verifies that the provided credentials are valid and that the integration + can successfully communicate with the Google services. - ### Parameters Description + ### Parameters - | Parameter Name | Expected Type | Mandatory | Description | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Credentials Json | String | Yes | The JSON content of the Google Service Account - key used for authentication. This is typically extracted from the integration - configuration. | + | Credentials Json | String | Yes | The JSON content containing the service account + credentials required to authenticate with Google Docs and Drive. | ### Flow Description - 1. **Configuration Extraction:** The action retrieves the `Credentials Json` from - the integration settings. - - 2. **Service Initialization:** It initializes the Google Drive and Google Docs - API clients using the provided service account info and the required OAuth scopes. - - 3. **Connectivity Test:** The action executes a `list` request to the Google Drive - API (specifically looking for image/jpeg mime types as a lightweight check) to - confirm the API is responsive. - - 4. **Result Reporting:** If the API call is successful, the action terminates - with a success status and a "Connected successfully" message. If any step fails - (e.g., invalid JSON, authentication error, network timeout), the action will report - a failure. + 1. The action retrieves the `Credentials Json` parameter from the integration + configuration. + 2. It initializes the `GoogleDocsManager` using the provided credentials. - ### Additional Notes - - - This action does not process any entities. + 3. It executes a `test_connectivity` method, which performs a `files().list` request + to the Google Drive API to verify access. - - It is strictly used for configuration validation and troubleshooting. + 4. If the request succeeds, the action completes successfully. capabilities: can_create_case_comments: false can_create_insight: false @@ -294,8 +301,14 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a read-only API call (`files().list`) to verify connectivity. + It does not modify any external or internal data. categories: enrichment: false + reasoning: >- + The action is named 'Ping' and is a connectivity test. Per the instructions, + 'Actions named Ping must not be categorized as enrichment actions.' entity_usage: entity_types: [] filters_by_additional_properties: false @@ -311,6 +324,9 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `target_entities`. It is a global connectivity + test. Remove Content: action_product_categories: add_alert_comment: false @@ -326,6 +342,10 @@ Remove Content: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action modifies a Google Doc by deleting content. It does not match any + of the predefined categories (Enrichment, Ticket management, Identity management, + Host containment, Email management, etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -343,53 +363,43 @@ Remove Content: ai_description: >- ### General Description - Removes specific content ranges from a Google Document. This action is useful - for automated document redaction or cleaning up specific sections of a document - based on character offsets (indices). + This action removes specific content ranges from a Google Doc. It utilizes the + Google Docs API to perform a batch update, deleting text or elements defined by + start and end indices provided in the input configuration. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. The action extracts the `Document Id` and `Json` parameters from the configuration. - | :--- | :--- | :--- | :--- | + 2. It parses the `Json` parameter to retrieve a list of items, where each item + contains `start_index` and `end_index` values. - | Document Id | string | Yes | The unique identifier of the Google Document, found - in the document's URL (e.g., `https://docs.google.com/document/d/{DocumentId}/`). - | + 3. It constructs a list of `deleteContentRange` requests based on the parsed indices. - | Json | code | Yes | A JSON object containing an array of items to remove. Each - item must specify a `start_index` and an `end_index`. Example: `{"items": [{"start_index": - 1, "end_index": 10}]}`. | + 4. The action initializes the `GoogleDocsManager` and executes the batch update + request against the specified Google Doc. + 5. Finally, it returns the result of the operation. - ### Flow Description - 1. **Parameter Extraction**: The action retrieves the Google Docs credentials - from the integration configuration and the `Document Id` and `Json` payload from - the action parameters. + ### Parameters - 2. **JSON Parsing**: The `Json` string is parsed into a Python dictionary to extract - the list of content ranges (items) to be deleted. + | Parameter | Type | Mandatory | Description | - 3. **Request Construction**: For each item in the list, the action constructs - a `deleteContentRange` request object containing the specified `startIndex` and - `endIndex`. + | :--- | :--- | :--- | :--- | - 4. **API Execution**: The action uses the `GoogleDocsManager` to send a `batchUpdate` - request to the Google Docs API with the compiled list of deletion requests. + | Document Id | string | Yes | The unique identifier of the Google Doc, found + in the document URL. | - 5. **Result Handling**: The response from the Google Docs API is captured and - added to the action's JSON results, and the action completes with a success message. + | Json | code | Yes | A JSON object containing a list of items, where each item + specifies the `start_index` and `end_index` of the content to be removed. | ### Additional Notes - - The `start_index` and `end_index` are zero-based offsets from the beginning - of the document body. - - - Ensure that the indices provided are valid and do not overlap in a way that - causes API errors. + This action performs a destructive mutation on an external Google Doc. Ensure + the provided indices are correct to avoid unintended data loss. capabilities: can_create_case_comments: false can_create_insight: false @@ -398,12 +408,20 @@ Remove Content: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Deletes content from a Google Document by sending a batchUpdate request with - deleteContentRange instructions to the Google Docs API. + Modifies a Google Doc by deleting specified content ranges via the Google Docs + API. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a batch update on an external Google Doc to delete content. + It does not fetch data, nor does it interact with internal SOAR entities or + case data. It is a pure external mutation action. categories: enrichment: false + reasoning: >- + The action performs a mutation on an external system (Google Docs) and does + not retrieve information or perform any of the allowed internal mutations (comments, + insights, entity updates). Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -419,6 +437,9 @@ Remove Content: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use or iterate over `target_entities`. It operates on a + specific `Document Id` provided as a parameter. Replace Content: action_product_categories: add_alert_comment: false @@ -434,6 +455,10 @@ Replace Content: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action modifies the content of a Google Doc. None of the provided product + categories (which are focused on security operations like IOCs, tickets, identities, + or alerts) cover document content modification. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -451,11 +476,10 @@ Replace Content: ai_description: >- ### General Description - The **Replace Content** action allows users to programmatically search for and - replace specific text strings within a Google Document. It is designed for automated - document updates, such as updating templates, reports, or logs stored in Google - Docs. The action uses the Google Docs API `batchUpdate` method to perform multiple - replacements in a single execution. + This action modifies the content of a Google Doc by replacing specific text strings + based on a provided JSON configuration. It leverages the Google Docs API to perform + batch updates on a target document, allowing for automated document editing within + a SOAR workflow. ### Parameters Description @@ -464,38 +488,30 @@ Replace Content: | :--- | :--- | :--- | :--- | - | **Document Id** | string | True | The unique identifier of the Google Document, - found in the URL (e.g., `https://docs.google.com/document/d/{DocumentId}/`). | + | Document Id | string | Yes | The unique identifier of the Google Doc to be modified. + This can be found in the document's URL. | - | **Json** | code | True | A JSON-formatted string containing an array of replacement - items. Each item must include `text_to_search`, `text_to_replace`, and `match_case` - (boolean string). | + | Json | code | Yes | A JSON object containing a list of replacement items. Each + item must include `text_to_search` (the string to find), `text_to_replace` (the + new string), and `match_case` (a boolean string indicating if the search should + be case-sensitive). | ### Flow Description - 1. **Configuration Extraction:** The action retrieves the Google Docs service - account credentials from the integration settings. - - 2. **Parameter Parsing:** It extracts the target `Document Id` and the `Json` - payload containing the search-and-replace logic. - - 3. **Request Construction:** The action iterates through the provided JSON items - and constructs a list of `replaceAllText` requests compatible with the Google - Docs API. + 1. **Parameter Extraction**: The action extracts the `Document Id` and the `Json` + configuration string from the action parameters. - 4. **API Execution:** It initializes the `GoogleDocsManager` and sends a `batchUpdate` - request to the Google Docs service. + 2. **JSON Parsing**: The `Json` string is parsed into a list of replacement items. - 5. **Result Handling:** The action returns the API response as a JSON object and - concludes by outputting the Document ID as the primary result value. + 3. **Request Construction**: For each item, a `replaceAllText` request is constructed, + incorporating the search text, replacement text, and case-sensitivity settings. + 4. **Execution**: The action initializes the `GoogleDocsManager` and executes + a batch update request against the specified Google Doc. - ### Additional Notes - - The `Json` parameter must follow a specific structure: `{"items": [{"text_to_search": - "...", "text_to_replace": "...", "match_case": "true"}]}`. Failure to provide - valid JSON will result in an error. + 5. **Result**: The result of the batch update is added to the action output, and + the action concludes with a success message. capabilities: can_create_case_comments: false can_create_insight: false @@ -504,12 +520,19 @@ Replace Content: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Modifies the content of a Google Document by replacing existing text with new - text via the Google Docs API. + Modifies the content of a Google Doc by replacing specific text strings. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a batch update on an external Google Doc, which constitutes + an external system mutation. It does not fetch data from external sources, nor + does it modify internal SOAR entities, alerts, or case data. categories: enrichment: false + reasoning: >- + The action is a mutation action that modifies external data (Google Docs). It + does not fetch data for enrichment purposes, nor does it meet the criteria for + an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -525,3 +548,6 @@ Replace Content: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action operates on a specific Google Doc ID provided as a parameter and + does not interact with or iterate over `target_entities`. diff --git a/content/response_integrations/third_party/community/google_docs/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/google_docs/resources/ai/integration_ai_description.yaml index a4b23e02c..6f3937dd9 100644 --- a/content/response_integrations/third_party/community/google_docs/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/community/google_docs/resources/ai/integration_ai_description.yaml @@ -1,12 +1,21 @@ product_categories: asset_inventory: false cloud_security: false - collaboration: true + collaboration: false edr: false email_security: false iam_and_identity_management: false itsm: false network_security: false + reasoning: >- + The 'google_docs' integration provides functionality to create, update, remove, + and replace content within Google Documents. These actions are general-purpose + document management tasks and do not align with any of the defined security-focused + product categories. The integration does not perform SIEM log analysis, EDR host + containment, threat intelligence enrichment, network security blocking, email + management, identity management, cloud resource monitoring, ITSM ticketing, vulnerability + assessment, asset inventory management, or collaboration/notification tasks. Therefore, + all product category flags are set to false. siem: false threat_intelligence: false vulnerability_management: false diff --git a/content/response_integrations/third_party/community/google_drive/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/google_drive/resources/ai/actions_ai_description.yaml index a33be2af4..6a7a123f3 100644 --- a/content/response_integrations/third_party/community/google_drive/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/google_drive/resources/ai/actions_ai_description.yaml @@ -13,6 +13,10 @@ Add Permission: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action modifies permissions on a file in Google Drive. It does not match + any of the predefined categories (e.g., IOC enrichment, ticket management, identity + management, or host containment). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -28,64 +32,51 @@ Add Permission: update_identity: false update_ticket: false ai_description: >- - ### General Description - - Adds permissions to a specific file stored in Google Drive for one or more users. - This action allows administrators or automated workflows to programmatically manage - access control by assigning roles such as Owner, Writer, or Reader to specified - email addresses. - - - ### Parameters Description + Adds permissions for a specific file stored in Google Drive. This action allows + users to grant access to a file by specifying the file ID, the desired role (owner, + writer, or reader), and a list of email addresses. - | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + ### Flow Description - | File Id | String | Yes | The unique identifier of the file, typically found - in the file's URL (e.g., https://drive.google.com/drive/u/0/folders/{file-id}). - | + 1. The action extracts the required parameters: `File Id`, `Role`, `Emails`, and + `Should send notification`. - | Role | DDL | Yes | The level of access to grant. Options include: **owner** - (full control), **writer** (can edit and comment), and **reader** (view only). - | + 2. It initializes the `GoogleDriveManager` using the provided credentials. - | Emails | String | Yes | A semicolon-separated list of email addresses (e.g., - user1@gmail.com;user2@gmail.com) to which the permissions will be granted. | + 3. The `Emails` parameter is parsed into a list by splitting the semicolon-separated + string. - | Should send notification | Boolean | No | If set to true, Google Drive will - send an automated email notification to the users informing them of their new - access. | + 4. The action iterates through each email address and calls the Google Drive API + to insert the specified permission for the given file. + 5. Upon completion, the action returns a success message indicating the permissions + were granted. - ### Additional Notes - - Multiple email addresses must be separated by a semicolon (`;`). + ### Parameters Description - - The action performs a direct mutation on the Google Drive file's permission - metadata. + | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Flow Description + | File Id | string | Yes | The unique identifier of the file in Google Drive. + | - 1. **Configuration Retrieval:** Extracts the Google Drive service account credentials - from the integration settings. + | Role | ddl | Yes | The permission level to grant: "owner", "writer", or "reader". + | - 2. **Parameter Extraction:** Retrieves the target File ID, the assigned Role, - the list of Emails, and the notification preference from the action inputs. + | Emails | string | Yes | Semicolon-separated list of email addresses to grant + access to. | - 3. **Email Parsing:** Splits the provided email string into a list of individual - recipients. + | Should send notification | boolean | No | Whether to send an email notification + to the user. Defaults to "true". | - 4. **Permission Insertion:** Iterates through each email address and calls the - Google Drive API's `permissions.create` method to apply the specified role to - the file. - 5. **Notification:** If enabled, the Google Drive API handles sending the notification - emails to the recipients. + ### Additional Notes - 6. **Completion:** Returns a success message indicating the role granted and the - file affected. + This action performs a mutation on the external Google Drive system by modifying + file permissions. capabilities: can_create_case_comments: false can_create_insight: false @@ -94,12 +85,18 @@ Add Permission: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Adds new permission records to a file in Google Drive, effectively changing - the access control list (ACL) for that resource. + Modifies file permissions in Google Drive by adding users with specified roles. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the Google Drive API to insert a permission + for a specific file. It does not fetch data for enrichment, nor does it modify + internal SOAR data or entities. categories: enrichment: false + reasoning: >- + The action is a mutation action (modifying external file permissions) and does + not fetch data for enrichment purposes, therefore it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -115,6 +112,9 @@ Add Permission: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use `target_entities`. It operates on a file ID provided + as a parameter. Delete File: action_product_categories: add_alert_comment: false @@ -130,6 +130,10 @@ Delete File: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action deletes a file from Google Drive. This does not match any of the + provided categories, which are focused on IOCs, assets, tickets, emails, or + host containment. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -147,49 +151,40 @@ Delete File: ai_description: >- ### General Description - The **Delete File** action permanently deletes a specific file stored in Google - Drive using its unique File ID. Unlike moving a file to the trash, this operation - is destructive and removes the file immediately from the drive. + Deletes a specific file from Google Drive using the provided File ID. This action + interacts with the Google Drive API to permanently remove the file, skipping the + trash. ### Parameters Description - | Parameter | Description | Type | Mandatory | Notes | - - | :--- | :--- | :--- | :--- | :--- | + | Parameter | Type | Mandatory | Description | - | **File Id** | The unique identifier of the file to be deleted. This can be found - in the file's sharing URL (e.g., the string following `/folders/` or `/d/`). | - String | Yes | This ID must be valid and the service account must have sufficient - permissions to delete the file. | + | :--- | :--- | :--- | :--- | + | File Id | string | Yes | The unique identifier of the file to be deleted, which + can be found in the file URL (e.g., https://drive.google.com/drive/u/0/folders/{file-id}). + | - ### Additional Notes - * **Destructive Action:** This action skips the Google Drive 'Trash' and permanently - deletes the resource. It cannot be undone via this action. + ### Flow Description - * **Permissions:** The integration's service account must have the appropriate - OAuth scopes (e.g., `https://www.googleapis.com/auth/drive`) and file-level permissions - to perform deletions. + 1. Extract the `Credentials Json` from the integration configuration. + 2. Extract the `File Id` from the action parameters. - ### Flow Description + 3. Initialize the `GoogleDriveManager` with the provided credentials. - 1. **Configuration Extraction:** The action retrieves the Google Drive service - account credentials from the integration settings. + 4. Call the `delete_file` method, which invokes the Google Drive API to permanently + delete the specified file. - 2. **Parameter Retrieval:** The action extracts the mandatory `File Id` provided - by the user. + 5. Return a success message indicating the file has been deleted. - 3. **Manager Initialization:** A connection to the Google Drive API (v3) is established - using the provided credentials. - 4. **Execution:** The action calls the Google Drive API's delete method for the - specified `File Id`. + ### Additional Notes - 5. **Completion:** Upon successful deletion, the action returns a success message - and the deleted File ID as the script result. + This action performs a destructive operation on an external system. Ensure the + `File Id` is correct before executing, as the deletion is permanent. capabilities: can_create_case_comments: false can_create_insight: false @@ -198,12 +193,17 @@ Delete File: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Permanently deletes a file from the user's Google Drive storage, bypassing the - trash folder. + Permanently deletes a file from Google Drive. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a destructive API call to Google Drive to delete a file. + It does not fetch data, nor does it modify internal SOAR data. categories: enrichment: false + reasoning: >- + The action is a destructive operation (deletion) on an external system. It does + not fetch data or perform enrichment, so it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -219,6 +219,9 @@ Delete File: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `target_entities` or use entity-specific identifiers + from the SOAR case. It accepts a `File Id` parameter directly from the user/configuration. Download File To Base64: action_product_categories: add_alert_comment: false @@ -234,6 +237,10 @@ Download File To Base64: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action downloads a file from Google Drive and returns its content in Base64 + format. This matches the 'Download File' category. It does not perform any other + actions like enrichment, blocking, or ticket creation. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -248,32 +255,17 @@ Download File To Base64: update_email: false update_identity: false update_ticket: false - ai_description: "### General Description\nDownloads a file from Google Drive and\ - \ converts its content into a Base64 encoded string. This action is designed to\ - \ retrieve documents, spreadsheets, presentations, or binary files from a Google\ - \ Drive account using a specific File ID. It handles the conversion of Google\ - \ Workspace-specific formats (like Google Docs, Sheets, and Slides) into standard\ - \ Office formats (DOCX, XLSX, PPTX) during the download process, providing the\ - \ final content as a Base64 string for use in downstream automation steps.\n\n\ - ### Parameters Description\n| Parameter Name | Type | Mandatory | Description\ - \ |\n| :--- | :--- | :--- | :--- |\n| File Id | string | Yes | The unique identifier\ - \ of the file in Google Drive. This ID can be found in the file's sharing URL\ - \ (e.g., `https://drive.google.com/file/d/{file-id}/view`). |\n\n### Flow Description\n\ - 1. **Configuration Extraction:** The action retrieves the Google Drive service\ - \ account credentials from the integration configuration.\n2. **Parameter Retrieval:**\ - \ The action extracts the mandatory `File Id` provided by the user.\n3. **Metadata\ - \ Retrieval:** It queries the Google Drive API to fetch the file's metadata, including\ - \ its name and MIME type.\n4. **Content Download:** \n * If the file is a Google\ - \ Workspace document (Doc, Sheet, or Slide), the action uses the `export` method\ - \ to convert it to a standard OpenXML format (DOCX, XLSX, or PPTX).\n * If\ - \ the file is a standard binary file, it uses the `get_media` method to download\ - \ the raw content.\n5. **Base64 Encoding:** The retrieved binary stream is encoded\ - \ into a Base64 string.\n6. **Result Output:** The action returns a JSON object\ - \ containing the file name, the determined file type, the file size (for binary\ - \ files), and the Base64 encoded content.\n\n### Additional Notes\nThis action\ - \ is strictly a retrieval tool and does not modify the file or its permissions\ - \ in Google Drive. Because it downloads file content, it is not classified as\ - \ an enrichment action." + ai_description: >- + Downloads a file from Google Drive and converts it to a Base64 string for further + analysis or processing within the SOAR platform. The action flow is as follows: + 1. Extract the Google Drive credentials from the integration configuration. 2. + Extract the File Id parameter provided by the user. 3. Initialize the GoogleDriveManager + using the provided credentials. 4. Fetch the file metadata and binary content + from Google Drive using the File Id. 5. Convert the binary file content into a + Base64 encoded string. 6. Return the file name, type, and Base64 content as a + JSON result to the SOAR platform. Parameters: | Parameter | Type | Mandatory | + Description | | :--- | :--- | :--- | :--- | | File Id | string | Yes | The unique + identifier of the file in Google Drive, typically found in the file URL. | capabilities: can_create_case_comments: false can_create_insight: false @@ -284,8 +276,15 @@ Download File To Base64: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action retrieves file content from Google Drive and returns it as a Base64 + string. It does not modify external data or internal SOAR data. It fetches data + (the file content) but does not perform any mutations. categories: enrichment: false + reasoning: >- + The action downloads a file. According to the provided instructions, actions + that download files must not be categorized as enrichment actions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -301,6 +300,9 @@ Download File To Base64: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over target_entities or use entity-specific identifiers. + It relies on a user-provided File Id parameter. Download File To Path: action_product_categories: add_alert_comment: false @@ -316,6 +318,11 @@ Download File To Path: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action's primary purpose is to retrieve a file from a remote source (Google + Drive) and save it locally. This directly matches the 'Download File' category. + It does not perform any other operations such as enrichment, containment, or + ticket management. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -330,31 +337,51 @@ Download File To Path: update_email: false update_identity: false update_ticket: false - ai_description: "### General Description\nDownloads a file from Google Drive to\ - \ a specified local directory on the Google SecOps execution environment. This\ - \ action is useful for retrieving evidence, logs, or documents stored in Google\ - \ Drive for further processing or forensic analysis within a playbook.\n\n###\ - \ Parameters Description\n| Parameter | Type | Mandatory | Default | Description\ - \ |\n| :--- | :--- | :--- | :--- | :--- |\n| File Id | string | Yes | N/A | The\ - \ unique identifier of the file in Google Drive. This can be found in the file's\ - \ sharing URL (e.g., `https://drive.google.com/file/d/{file-id}/view`). |\n| Folder\ - \ Path | string | No | /temp | The local directory path on the SOAR runner where\ - \ the file should be saved. |\n\n### Additional Notes\n- If the target file is\ - \ a Google Workspace document (Google Docs, Sheets, or Slides), the action automatically\ - \ converts it to a standard Microsoft Office format (.docx, .xlsx, or .pptx) during\ - \ the download process.\n- The action requires valid service account credentials\ - \ with appropriate Google Drive API scopes.\n\n### Flow Description\n1. **Initialize\ - \ Connection:** Authenticates with the Google Drive API using the provided service\ - \ account credentials.\n2. **Retrieve Metadata:** Fetches the metadata for the\ - \ specified `File Id` to determine the file name and MIME type.\n3. **Determine\ - \ Download Method:** \n - If the file is a Google-native format, it prepares\ - \ an export request to convert it to an Office format.\n - If the file is a\ - \ binary file, it prepares a direct media download request.\n4. **Download Content:**\ - \ Executes the download/export request and streams the binary data.\n5. **Save\ - \ to Path:** Writes the downloaded content to the local filesystem at the location\ - \ specified by the `Folder Path` and the original file name.\n6. **Report Result:**\ - \ Returns a JSON object containing the file name, MIME type, and the final local\ - \ path where the file was saved." + ai_description: >- + ### General Description + + This action downloads a specific file from Google Drive to a designated local + folder path. It utilizes the Google Drive API to retrieve file metadata and content, + handling various file types (including Google Docs, Sheets, and Slides by exporting + them to standard formats) and saving them to the local filesystem. + + + ### Flow Description + + 1. **Initialization**: The action initializes the `GoogleDriveManager` using the + provided credentials. + + 2. **Parameter Extraction**: It extracts the `File Id` (the unique identifier + of the file in Google Drive) and the `Folder Path` (the local destination directory) + from the action parameters. + + 3. **File Retrieval**: The action fetches the file metadata and binary content + from Google Drive. If the file is a Google Workspace document (Doc, Sheet, Presentation), + it exports it to a compatible format (docx, xlsx, pptx). + + 4. **File Saving**: The file is written to the specified local `Folder Path`. + + 5. **Result**: The action returns a JSON result containing the file name, type, + and the full path where the file was saved. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | File Id | string | Yes | The unique identifier of the file in Google Drive, + typically found in the file URL. | + + | Folder Path | string | Yes | The local directory path where the file should + be saved. | + + + ### Additional Notes + + This action performs a read-only operation on the external Google Drive system + (downloading) and does not modify or delete files in the source system. capabilities: can_create_case_comments: false can_create_insight: false @@ -365,8 +392,16 @@ Download File To Path: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action retrieves file content from an external system (Google Drive) and + saves it locally. It does not modify the external system state (no POST/PUT/DELETE + on Drive files), nor does it modify internal SOAR case data, entities, or insights. categories: enrichment: false + reasoning: >- + While the action fetches data (the file content), the instructions explicitly + state that actions that download files must not be categorized as enrichment + actions. Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -382,6 +417,10 @@ Download File To Path: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or process `siemplify.target_entities`. It + relies entirely on the `File Id` provided as an input parameter to identify + the target file. Get File Metadata: action_product_categories: add_alert_comment: false @@ -397,6 +436,10 @@ Get File Metadata: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves file metadata from Google Drive. It does not perform enrichment + on entities, update alerts, or interact with tickets. It is a standalone utility + action for file information retrieval. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -414,10 +457,9 @@ Get File Metadata: ai_description: >- ### General Description - Retrieves comprehensive metadata for a specific file stored in Google Drive using - its unique File ID. This action is designed to provide visibility into file properties - such as ownership, creation and modification timestamps, MIME types, and sharing - permissions without downloading the actual file content. + Retrieves detailed metadata for a specified file from Google Drive. This action + is a utility tool that allows analysts to fetch file information, such as name, + type, and size, directly from the Google Drive API using a file identifier. ### Parameters Description @@ -426,32 +468,30 @@ Get File Metadata: | :--- | :--- | :--- | :--- | - | File Id | String | Yes | The unique identifier of the file. This ID can be found - in the Google Drive URL (e.g., the string following `/file/d/` or within a folder - URL). | + | File Id | string | Yes | The unique identifier of the file in Google Drive. + This can be found in the file URL (e.g., https://drive.google.com/drive/u/0/folders/{file-id}). + | - ### Flow Description + ### Additional Notes - 1. **Configuration Extraction:** The action retrieves the service account credentials - (JSON) from the integration configuration. + This action does not operate on entities and is intended for standalone file information + retrieval. It requires valid Google Drive credentials configured in the integration + settings. - 2. **Parameter Retrieval:** The `File Id` is extracted from the action's input - parameters. - 3. **API Interaction:** The action initializes the Google Drive Manager and calls - the Google Drive API (v3) to fetch the full resource metadata (using `fields="*"`) - for the specified file ID. + ### Flow Description - 4. **Result Processing:** The retrieved metadata is added to the action's JSON - results, and the action completes successfully, returning the file ID as the primary - result value. + 1. The action extracts the `Credentials Json` from the integration configuration. + 2. The action extracts the `File Id` from the action parameters. - ### Additional Notes + 3. The `GoogleDriveManager` is initialized using the provided credentials. - This action is strictly a metadata retrieval operation and does not perform any - file downloads or modifications to the file or its permissions. + 4. The action calls the Google Drive API `files().get` method to retrieve the + metadata for the specified file. + + 5. The retrieved metadata is added to the action results as a JSON object. capabilities: can_create_case_comments: false can_create_insight: false @@ -462,8 +502,16 @@ Get File Metadata: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Google Drive API to fetch file metadata. + It does not mutate external systems, nor does it modify internal SOAR data (entities, + insights, or case comments). categories: - enrichment: true + enrichment: false + reasoning: >- + The action does not operate on entities or alerts, and it does not fetch supplemental + context for them. It is a utility action for retrieving file metadata, so it + is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -479,6 +527,10 @@ Get File Metadata: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities` or use entity-specific + identifiers. It accepts a raw `File Id` string as a parameter, therefore it + does not operate on entities. Permission List: action_product_categories: add_alert_comment: false @@ -494,6 +546,9 @@ Permission List: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves file permissions from Google Drive. It does not match any + of the predefined categories (Enrich IOC, Enrich Asset, etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -509,51 +564,19 @@ Permission List: update_identity: false update_ticket: false ai_description: >- - ### General Description - - The **Permission List** action retrieves a comprehensive list of users and their - associated permissions for a specific file stored in Google Drive. This action - is primarily used for security auditing and access reviews to identify who has - access to sensitive documents and what level of access (e.g., owner, writer, reader) - they possess. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **File Id** | String | Yes | The unique identifier of the Google Drive file. - This ID is typically found in the file's sharing URL (e.g., `https://drive.google.com/file/d/{file-id}/view`). - | - - - ### Flow Description - - 1. **Credential Retrieval**: The action extracts the Google service account credentials - from the integration configuration. - - 2. **Parameter Extraction**: It retrieves the mandatory `File Id` provided as - an input parameter. - - 3. **API Request**: The action utilizes the Google Drive API v3 to list all permissions - associated with the specified file ID, requesting all available fields for each - permission entry. - - 4. **Data Processing**: It calculates the total number of permission entries retrieved. - - 5. **Output Generation**: The action attaches the full list of permissions as - a JSON result and provides a summary message indicating the total count of permissions + **General Description**: Retrieves the list of users and their permissions for + a specific file in Google Drive. This action allows analysts to audit access controls + for files stored in the organization's Google Drive environment. **Parameters + Description**: File Id (string, mandatory): The ID of the file to retrieve permissions + for. This ID is found in the file URL (e.g., https://drive.google.com/drive/u/0/folders/{file-id}). + **Additional Notes**: This action does not modify any data. It is a read-only + operation that returns the permission list as a JSON result. **Flow Description**: + 1. Extract the Credentials Json from the integration configuration. 2. Extract + the File Id from the action parameters. 3. Initialize the GoogleDriveManager using + the provided credentials. 4. Call the list_permissions method to fetch the permission + data from the Google Drive API. 5. Add the retrieved permission list to the action + result. 6. End the action with a summary message indicating the number of permissions found. - - - ### Additional Notes - - - This action is a read-only operation and does not modify, add, or remove any - permissions in Google Drive. - - - This action does not process or require any SecOps entities to execute. capabilities: can_create_case_comments: false can_create_insight: false @@ -564,8 +587,14 @@ Permission List: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action retrieves permission data from Google Drive via the API. It does + not modify external systems or internal SOAR data (entities, insights, comments). categories: - enrichment: true + enrichment: false + reasoning: >- + The action fetches data (permissions) but does not operate on entities or alerts. + It is a utility action, not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -581,6 +610,9 @@ Permission List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use siemplify.target_entities. It takes a File Id as a direct + parameter. Ping: action_product_categories: add_alert_comment: false @@ -596,6 +628,9 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity check (Ping) and does not perform any of the defined + product category operations (e.g., enrichment, containment, ticketing). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -611,52 +646,16 @@ Ping: update_identity: false update_ticket: false ai_description: >- - ### General Description - - The **Ping** action is a diagnostic tool designed to verify the connectivity between - Google SecOps and the Google Drive API. It ensures that the provided service account - credentials are valid and that the environment has the necessary network permissions - to reach Google's services. - - - ### Parameters Description - - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Credentials Json | String | Yes | (Configuration Parameter) The raw JSON content - of the Google Service Account key. This is used to authenticate the session with - Google Drive. | - - - ### Flow Description - - 1. **Configuration Extraction**: The action retrieves the `Credentials Json` from - the integration's configuration settings. - - 2. **Manager Initialization**: It initializes the `GoogleDriveManager`, which - parses the JSON credentials and builds a Google Drive API client (v3) with the - required OAuth2 scopes. - - 3. **Connectivity Test**: The action calls the `test_connectivity` method, which - executes a `files().list()` request to the Google Drive API. This request specifically - looks for JPEG images to verify that the 'Read' and 'Metadata' permissions are - functional. - - 4. **Completion**: If the API call returns successfully, the action ends with - a "Connected successfully" status. If an error occurs (e.g., invalid credentials - or network timeout), the action fails. - - - ### Additional Notes - - - This action does not interact with any entities (IPs, Hostnames, etc.) in the - SOAR case. - - - It is strictly a system-level check and does not perform any data enrichment - or mutation. + Checks connectivity to Google Drive. This action verifies that the provided service + account credentials are valid and that the integration can successfully communicate + with the Google Drive API. Flow: 1. Extracts the 'Credentials Json' parameter + from the configuration. 2. Initializes the Google Drive manager using the provided + credentials. 3. Performs a test API call (listing files) to verify connectivity. + 4. Returns a success message upon successful connection. Parameters: | Parameter + | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | | Credentials + Json | String | Yes | The JSON content containing service account credentials + for Google Drive authentication. | Additional Notes: This action is a connectivity + check (Ping) and does not perform any data enrichment or mutation. capabilities: can_create_case_comments: false can_create_insight: false @@ -665,10 +664,17 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: false + fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity check by calling the Google Drive API to + list files. It does not modify external systems, update internal entities, or + create insights. It is a read-only operation used to verify configuration. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action. According to the instructions, 'Actions named + Ping must not be categorized as enrichment actions'. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -684,6 +690,9 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities; it is a global connectivity + check. Remove Permission: action_product_categories: add_alert_comment: false @@ -699,6 +708,10 @@ Remove Permission: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action removes a permission from a file in Google Drive. This does not align + with any of the provided categories (e.g., Enrich IOC, Contain Host, Update + Identity, etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -714,53 +727,43 @@ Remove Permission: update_identity: false update_ticket: false ai_description: >- - ### General Description + Removes a specific permission from a file in Google Drive. This action allows + administrators to revoke access rights for users or groups on a given file. - Removes a specific permission from a file stored in Google Drive. This action - is used to revoke access (e.g., read, write, or owner) for a specific user or - group from a document or folder. It is typically used in response to unauthorized - access or as part of a cleanup process during an incident. + ### Flow Description - ### Parameters Description + 1. Extracts the `Credentials Json` from the integration configuration to authenticate + with the Google Drive API. - | Parameter Name | Type | Mandatory | Description | + 2. Extracts the `File Id` and `Permission Id` from the action parameters. - | :--- | :--- | :--- | :--- | + 3. Initializes the `GoogleDriveManager` using the provided credentials. - | File Id | String | Yes | The unique identifier of the file in Google Drive. - This can be found in the file's URL (e.g., `https://drive.google.com/drive/u/0/folders/{file-id}`). - | - - | Permission Id | String | Yes | The unique identifier of the permission to be - removed. This ID can be retrieved using the 'List Permissions' action for the - specific file. | + 4. Executes the `remove_permission` method, which calls the Google Drive API to + delete the specified permission for the given file. + 5. Returns a success message confirming the removal of the permission. - ### Additional Notes - This action performs a permanent deletion of the permission record in Google Drive. - To identify which permission to remove, it is recommended to run the 'List Permissions' - action first to find the correct `Permission Id` associated with a specific user - or role. + ### Parameters Description + | Parameter | Type | Mandatory | Description | - ### Flow Description + | :--- | :--- | :--- | :--- | - 1. **Extract Configuration**: Retrieves the Google Drive service account credentials - from the integration settings. + | File Id | string | Yes | The file ID, which can be found in the file URL (e.g., + `https://drive.google.com/drive/u/0/folders/{file-id}`). | - 2. **Extract Parameters**: Retrieves the `File Id` and `Permission Id` provided - by the user. + | Permission Id | string | Yes | The ID of the permission to be removed. This + can be retrieved using the "List Permissions" action. | - 3. **Initialize Manager**: Authenticates with the Google Drive API using the provided - credentials. - 4. **Remove Permission**: Calls the Google Drive API's `permissions().delete` - method to remove the specified permission from the file. + ### Additional Notes - 5. **Finalize**: Returns a success message indicating the permission was successfully - removed. + - This action performs a destructive mutation on the external Google Drive system. + Ensure the `Permission Id` is correct before executing, as this action cannot + be undone automatically. capabilities: can_create_case_comments: false can_create_insight: false @@ -769,12 +772,20 @@ Remove Permission: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Deletes a permission record from a file or folder in Google Drive via the Google - Drive API. + Removes a specific permission from a file in Google Drive via the Google Drive + API. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a delete operation on the Google Drive API to remove a permission + from a file. This is an external mutation. It does not fetch data, update entities, + or create insights. categories: enrichment: false + reasoning: >- + The action performs a destructive mutation (deletion) on an external system + (Google Drive) and does not retrieve data for enrichment purposes. Therefore, + it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -790,6 +801,9 @@ Remove Permission: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `siemplify.target_entities`. It uses direct + input parameters (`File Id` and `Permission Id`) to identify the target resource. Upload File From Base64: action_product_categories: add_alert_comment: false @@ -805,6 +819,10 @@ Upload File From Base64: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action uploads a file to Google Drive and sets permissions. This does not + align with any of the provided product categories, which are focused on security + operations (enrichment, containment, ticketing, etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -822,12 +840,10 @@ Upload File From Base64: ai_description: >- ### General Description - The **Upload File From Base64** action enables the uploading of files to Google - Drive by providing the file content as a Base64 encoded string. This action is - useful for programmatically storing reports, logs, or captured artifacts directly - into a cloud storage environment. It also includes functionality to automatically - share the uploaded file with a list of specified email addresses, granting them - 'writer' access. + Uploads a file from a Base64 encoded string to Google Drive and optionally shares + it with specified email addresses. This action automates the process of creating + files in Google Drive from Base64 data, which is useful for storing evidence or + reports generated during an investigation. ### Parameters Description @@ -836,43 +852,37 @@ Upload File From Base64: | :--- | :--- | :--- | :--- | - | **File Name** | String | Yes | The desired name for the file in Google Drive, - including the extension (e.g., 'evidence.txt'). | - - | **Base64 String** | String | Yes | The file content encoded in Base64 format. + | File Name | string | Yes | The name of the file to be created in Google Drive. | - | **Share with emails** | String | Yes | A semicolon-separated list of email addresses - to grant 'writer' permissions to the uploaded file. | + | Share with emails | string | Yes | Semicolon-separated list of email addresses + to share the file with. | + | Base64 String | string | Yes | The Base64 encoded content of the file. | - ### Flow Description - - 1. **Setup**: The action extracts the Google Drive service account credentials - and the user-provided parameters. - 2. **Decoding**: The provided Base64 string is decoded into a binary stream. + ### Additional Notes - 3. **MIME Detection**: The action determines the appropriate MIME type based on - the file extension provided in the 'File Name' parameter. + The action requires valid Google Drive API credentials configured in the integration + settings. While the 'Share with emails' parameter is marked as mandatory in the + configuration, the action will still proceed if it is empty, though no permissions + will be added. - 4. **Upload**: The file is uploaded to the root of the Google Drive associated - with the service account. - 5. **Permission Management**: If email addresses are provided, the action iterates - through the list and assigns 'writer' permissions to each user for the specific - file ID created. + ### Flow Description - 6. **Output**: The action returns the full JSON metadata of the created file, - including its unique Google Drive ID. + 1. Extract configuration and action parameters (Base64 string, file name, and + optional email list). + 2. Initialize the Google Drive manager using provided credentials. - ### Additional Notes + 3. Upload the file to Google Drive using the provided Base64 content and file + name. - - Ensure the service account has the necessary Google Drive API scopes enabled. + 4. If email addresses are provided, iterate through them and grant 'writer' permissions + to the uploaded file. - - The 'Share with emails' parameter expects a semicolon (;) as a separator for - multiple recipients. + 5. Return the file upload result. capabilities: can_create_case_comments: false can_create_insight: false @@ -881,12 +891,20 @@ Upload File From Base64: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new file in the user's Google Drive and modifies the file's access - control list (ACL) by adding new permissions for specified email addresses. - fetches_data: true + Creates a new file in Google Drive and updates its sharing permissions. + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a mutation on an external system (Google Drive) by uploading + a file and setting permissions. It does not fetch data for enrichment purposes, + nor does it modify internal SecOps data. categories: enrichment: false + reasoning: >- + The action performs a mutation on an external system (Google Drive) by uploading + a file and setting permissions. It does not fetch data for enrichment purposes, + nor does it modify internal SecOps data. Therefore, it is not an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -902,6 +920,10 @@ Upload File From Base64: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `siemplify.target_entities` or any entity-specific + identifiers. It processes input parameters directly from the action configuration + to perform a file upload to Google Drive. Upload File From Path: action_product_categories: add_alert_comment: false @@ -917,6 +939,11 @@ Upload File From Path: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action uploads a file to Google Drive and modifies permissions. It does + not match any of the predefined categories such as 'Enrich IOC', 'Contain Host', + or 'Submit File' (which is for sandbox analysis). Therefore, no categories are + selected. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -931,61 +958,25 @@ Upload File From Path: update_email: false update_identity: false update_ticket: false - ai_description: >- - ### General Description - - Uploads a file from a specified local path to Google Drive and optionally shares - it with specific users. This action is designed to move local files (such as forensic - artifacts, logs, or reports) into a centralized cloud storage environment. It - also automates the permission-granting process, allowing specified collaborators - to access the file immediately after upload. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | File Path | string | True | The absolute file path on the local system from - which the file will be uploaded to Google Drive. | - - | Share with emails | string | True | A semicolon-separated list of email addresses - (e.g., `analyst@company.com;manager@company.com`) that will be granted 'writer' - permissions to the uploaded file. | - - - ### Additional Notes - - - The action requires valid Google Drive Service Account credentials configured - in the integration settings. - - - Although the code handles the 'Share with emails' parameter as optional, the - integration metadata marks it as mandatory; therefore, at least one email or a - placeholder should be provided based on the UI configuration. - - - ### Flow Description - - 1. **Configuration Extraction**: Retrieves the Google Drive service account credentials - from the integration's configuration. - - 2. **Parameter Retrieval**: Extracts the local file path and the list of emails - to share the file with from the action's input parameters. - - 3. **File Upload**: Uses the Google Drive API to upload the file from the specified - local path. The file name in Google Drive will match the original file name from - the path. - - 4. **Permission Management**: If email addresses are provided, the action splits - the string by semicolons and iterates through each email. - - 5. **Grant Access**: For each email, it calls the Google Drive API to insert a - 'writer' permission for the newly uploaded file. - - 6. **Result Reporting**: Returns the Google Drive File ID as the main output and - provides the full JSON response from the upload operation for further use in the - playbook. + ai_description: "Uploads a file from a specific local path to Google Drive and shares\ + \ it with specified users. \n\n### General Description\nThis action automates\ + \ the process of uploading a file from a local file system to a Google Drive account.\ + \ It also allows the user to share the uploaded file with one or more email addresses\ + \ by granting them 'writer' permissions. \n\n### Parameters Description\n| Parameter\ + \ | Type | Mandatory | Description |\n| --- | --- | --- | --- |\n| File Path |\ + \ string | Yes | The local path of the file to upload to Google Drive. |\n| Share\ + \ with emails | string | Yes | Semicolon-separated list of email addresses to\ + \ share the file with. |\n\n### Additional Notes\n- Both 'File Path' and 'Share\ + \ with emails' are mandatory parameters. Ensure the file path is accessible by\ + \ the SOAR agent and the email addresses are valid.\n\n### Flow Description\n\ + 1. Extract the 'Credentials Json' configuration parameter to authenticate with\ + \ the Google Drive API.\n2. Extract the 'File Path' and 'Share with emails' action\ + \ parameters.\n3. Initialize the 'GoogleDriveManager' using the provided credentials.\n\ + 4. Upload the file from the specified 'File Path' to Google Drive.\n5. If 'Share\ + \ with emails' is provided, iterate through the list of emails and grant 'writer'\ + \ permissions to the uploaded file using the file ID returned from the upload\ + \ operation.\n6. Return the file ID and metadata as a JSON result and end the\ + \ action." capabilities: can_create_case_comments: false can_create_insight: false @@ -994,12 +985,20 @@ Upload File From Path: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Uploads a new file to the user's Google Drive and modifies the file's permissions - to grant access to specified email addresses. + Uploads a file to Google Drive and modifies file permissions to share it with + specified users. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a file upload to an external system (Google Drive) and modifies + file permissions (a mutation). It does not fetch data for enrichment, nor does + it modify internal SOAR data or entities. categories: enrichment: false + reasoning: >- + The action performs a mutation (uploading a file) on an external system (Google + Drive) and does not retrieve data for enrichment purposes. Therefore, it is + not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1015,3 +1014,6 @@ Upload File From Path: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with 'siemplify.target_entities' or any entity + objects. It performs a file upload operation based on provided parameters. diff --git a/content/response_integrations/third_party/community/google_drive/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/google_drive/resources/ai/integration_ai_description.yaml index 9e2bf295d..744549a6c 100644 --- a/content/response_integrations/third_party/community/google_drive/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/community/google_drive/resources/ai/integration_ai_description.yaml @@ -1,12 +1,22 @@ product_categories: asset_inventory: false - cloud_security: true + cloud_security: false collaboration: false edr: false email_security: false iam_and_identity_management: false itsm: false network_security: false + reasoning: >- + The Google Drive integration provides utility actions for managing files, such + as adding permissions, deleting files, downloading content, and retrieving metadata. + It does not perform SIEM, EDR, or Network Security functions. It is not a Threat + Intelligence source for indicator reputation. It does not manage user identity + lifecycles (IAM) or email security workflows. It does not interact with cloud + infrastructure (GCP/AWS/Azure) for configuration or vulnerability management. + It does not perform ITSM or Asset Inventory functions, nor does it facilitate + collaboration via messaging platforms. Therefore, it does not fit into any of + the provided security product categories. siem: false threat_intelligence: false vulnerability_management: false diff --git a/content/response_integrations/third_party/community/google_safe_browsing/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/google_safe_browsing/resources/ai/actions_ai_description.yaml index 53750d928..5b64489ee 100644 --- a/content/response_integrations/third_party/community/google_safe_browsing/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/google_safe_browsing/resources/ai/actions_ai_description.yaml @@ -13,6 +13,10 @@ Lookup: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves reputation and threat intelligence for a URL (indicator). + This matches the 'Enrich IOC' category. It does not perform any other actions + like ticketing, blocking, or identity management. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -28,45 +32,16 @@ Lookup: update_identity: false update_ticket: false ai_description: >- - ### General Description - - The **Lookup** action checks a specific URL against the Google Safe Browsing database - to determine if it is flagged as malicious (e.g., malware, phishing, or unwanted - software). This action is useful for verifying the safety of URLs found in alerts - or logs by retrieving real-time threat intelligence from Google's services. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Default Value | Description | - - | :--- | :--- | :--- | :--- | :--- | - - | **Url** | String | Yes | `http://malware.testing.google.test/testing/malware/` - | The specific URL to be checked in Google Safe Browsing. | - - - ### Flow Description - - 1. **Configuration Extraction**: Retrieves the API Key from the integration settings - and the target URL from the action parameters. - - 2. **API Request**: Uses the `pysafebrowsing` library to perform a lookup for - the provided URL against Google's database. - - 3. **Result Processing**: Parses the response to identify if the URL is marked - as malicious. - - 4. **Output Generation**: Adds the full API response to the action's JSON results - and terminates with a status message and boolean result indicating whether the - URL was found to be malicious. - - - ### Additional Notes - - This action does not automatically process entities from the SecOps case; it requires - the URL to be provided explicitly as a parameter. It does not modify any internal - entity data or create insights. + This action checks if a specific URL is safe for browsing by querying the Google + Safe Browsing API. It retrieves the malicious status of the URL and provides the + result for further analysis. ### Parameters | Parameter | Type | Mandatory | Description + | | --- | --- | --- | --- | | Url | string | Yes | The URL you would like to check + in Google Safe Browsing. | ### Flow 1. Extract API key from configuration and + URL from action parameters. 2. Initialize the SafeBrowsing manager. 3. Query the + Google Safe Browsing API for the provided URL. 4. Add the raw JSON result to the + action output. 5. Terminate the action with a status message indicating if the + URL was found malicious. ### Additional Notes This action does not operate on + entities and does not modify any internal or external data. capabilities: can_create_case_comments: false can_create_insight: false @@ -77,8 +52,17 @@ Lookup: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a lookup against the Google Safe Browsing API to determine + if a URL is malicious. It fetches data (fetches_data=true) but does not mutate + external systems (can_mutate_external_data=false) or internal SOAR data (can_mutate_internal_data=false). categories: enrichment: false + reasoning: >- + The action fetches data from an external source (Google Safe Browsing) but does + not operate on SOAR entities or update internal case data. Therefore, it does + not meet the criteria for an Enrichment Action as defined, which requires gathering + context about alerts or entities. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -94,6 +78,10 @@ Lookup: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over target_entities or use entity-specific identifiers. + It extracts a URL from the action parameters and performs a lookup. Therefore, + it does not run on entities. Ping: action_product_categories: add_alert_comment: false @@ -109,6 +97,10 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test ('Ping') and does not perform any of the defined + functional outcomes (e.g., enrichment, containment, ticket management). Therefore, + it does not match any of the defined product categories. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -124,44 +116,13 @@ Ping: update_identity: false update_ticket: false ai_description: >- - ### General Description - - The **Ping** action is a diagnostic utility designed to verify the connectivity - between Google SecOps and the Google Safe Browsing API. It ensures that the integration's - configuration, specifically the API Key, is valid and that the network path to - the service is open. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | N/A | N/A | N/A | This action does not have any input parameters. | - - - ### Additional Notes - - * This action is used for health checks and troubleshooting. - - * It utilizes a hardcoded test URL to perform a lookup, ensuring the API responds - as expected. - - - ### Flow Description - - 1. **Configuration Retrieval**: The action extracts the 'Api Key' from the integration's - shared configuration parameters. - - 2. **Client Initialization**: It initializes the Google Safe Browsing client using - the provided API Key. - - 3. **Connectivity Test**: The action performs a URL lookup for a known test URL - (`http://malware.testing.google.test/testing/malware/`). - - 4. **Execution Completion**: If the request is successful, the action returns - a success status and a confirmation message. + General Description: This action tests connectivity to the Google Safe Browsing + service. It verifies that the integration is correctly configured and can communicate + with the external API by performing a test URL lookup. Parameters: Api Key (Mandatory, + String): The API key used to authenticate with the Google Safe Browsing service. + Flow: 1. Extract the Api Key from the integration configuration. 2. Initialize + the SafeBrowsing client using the provided key. 3. Execute a test URL lookup against + a known test URL. 4. Return a success message if the connection is established. capabilities: can_create_case_comments: false can_create_insight: false @@ -172,8 +133,15 @@ Ping: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity test (Ping) to verify the integration configuration. + It does not fetch contextual data on alerts or entities, nor does it mutate + any external or internal data. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action, which is explicitly excluded from being an enrichment + action according to the provided rules. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -189,3 +157,6 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. It performs a connectivity test + using a hardcoded URL. diff --git a/content/response_integrations/third_party/community/google_safe_browsing/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/google_safe_browsing/resources/ai/integration_ai_description.yaml index 2e831240c..f4fffe115 100644 --- a/content/response_integrations/third_party/community/google_safe_browsing/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/community/google_safe_browsing/resources/ai/integration_ai_description.yaml @@ -7,6 +7,16 @@ product_categories: iam_and_identity_management: false itsm: false network_security: false + reasoning: >- + The integration provides a 'Lookup' action that queries the Google Safe Browsing + API to determine the reputation of a URL. This aligns directly with the 'Threat + Intelligence' category, which is used for enriching external indicators (like + URLs) to determine their reputation and confirm if an alert is a True Positive. + It does not perform SIEM log searching, EDR host containment, network gateway + blocking (it only checks reputation, it does not manage firewall/WAF rules), email + management, identity management, cloud resource management, ITSM ticketing, vulnerability + scanning, asset inventory management, or collaboration/notification tasks. Therefore, + only 'threat_intelligence' is true. siem: false threat_intelligence: true vulnerability_management: false diff --git a/content/response_integrations/third_party/community/google_sheets/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/google_sheets/resources/ai/actions_ai_description.yaml index a6b4e2212..36f289ae3 100644 --- a/content/response_integrations/third_party/community/google_sheets/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/google_sheets/resources/ai/actions_ai_description.yaml @@ -13,6 +13,10 @@ Add Permission: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action modifies external permissions on a Google Sheet. It does not match + any of the predefined security-specific categories (e.g., IOC enrichment, containment, + ticketing, email management). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -28,28 +32,21 @@ Add Permission: update_identity: false update_ticket: false ai_description: >- - This action adds permissions to a specific Google Sheet for one or more users. - It allows administrators or automated workflows to grant 'Owner', 'Writer', or - 'Reader' access levels to users identified by their email addresses. The action - interacts with the Google Sheets and Google Drive APIs via a service account to - update the spreadsheet's access control list. + Adds permissions to a Google Sheet for specified users. This action allows administrators + to grant 'Owner', 'Writer', or 'Reader' access to a target spreadsheet by providing + the Sheet ID and a list of email addresses. ### Flow Description - 1. **Parameter Extraction:** The action retrieves the Google Sheets credentials - from the integration configuration and the 'Sheet Id', 'Role', and 'Emails' from - the action parameters. + 1. Extract the `Sheet Id`, `Role`, and `Emails` from the action parameters. - 2. **Client Initialization:** It initializes a Google Sheets client using the - provided service account credentials and required OAuth scopes. + 2. Initialize the Google Sheets client using the configured credentials. - 3. **Permission Insertion:** The action processes the semicolon-separated list - of emails and calls the Google API to grant the specified role (Owner, Writer, - or Reader) to each user for the target spreadsheet. + 3. Execute the `insert_permission` method to update the spreadsheet's access control + list. - 4. **Completion:** The action returns a success message if the permissions are - granted or a failure message if an error occurs during the API call. + 4. Return the execution status (success or failure). ### Parameters Description @@ -58,15 +55,14 @@ Add Permission: | :--- | :--- | :--- | :--- | - | Sheet Id | string | True | The unique identifier of the spreadsheet, found in - the URL (e.g., `https://docs.google.com/spreadsheets/d/{SheetId}/edit`). | + | Sheet Id | string | Yes | The unique identifier of the Google Sheet, found in + the URL. | - | Role | ddl | True | The access level to grant: 'Owner' (full control), 'Writer' - (can edit/comment), or 'Reader' (view only). | - - | Emails | string | True | A semicolon-separated list of email addresses for the - users receiving the permissions (e.g., `user1@example.com;user2@example.com`). + | Role | ddl | Yes | The permission level to grant (Owner, Writer, or Reader). | + + | Emails | string | Yes | A semicolon-separated list of email addresses to receive + the specified permission. | capabilities: can_create_case_comments: false can_create_insight: false @@ -75,12 +71,18 @@ Add Permission: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Modifies the access control list (ACL) of a Google Spreadsheet by adding new - user permissions (Owner, Writer, or Reader). + Updates the sharing permissions of a Google Sheet by adding users with the specified + role. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action makes a call to the Google Sheets API to modify permissions (can_mutate_external_data=true). + It does not fetch context data or update internal entities. categories: enrichment: false + reasoning: >- + The action modifies external data (Google Sheets permissions) rather than retrieving + data, so it cannot be an Enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -96,6 +98,9 @@ Add Permission: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not reference `siemplify.target_entities` or any entity-related + logic. It operates solely on provided configuration parameters. Add Row: action_product_categories: add_alert_comment: false @@ -111,6 +116,9 @@ Add Row: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action adds a row to a Google Sheet. This does not match any of the provided + security-specific categories (e.g., IOC enrichment, ticket creation, host containment). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -128,63 +136,48 @@ Add Row: ai_description: >- ### General Description - This action adds a new row of data to a specified Google Sheet. It is useful for - logging information, tracking incident response progress, or exporting data from - Google SecOps to a spreadsheet for external reporting. + This action adds a new row to a specified Google Sheet. It allows users to append + data to a worksheet by providing the Sheet ID, optional Worksheet Name, optional + Row Index, and the values to be inserted. ### Parameters Description - | Parameter Name | Type | Mandatory | Description | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Sheet Id | String | Yes | The unique identifier of the spreadsheet, found in - the URL: `https://docs.google.com/spreadsheets/d/{Sheet-Id}/edit`. | + | Sheet Id | string | Yes | The ID of the Google Sheet, which can be found in + the sheet URL. | - | Worksheet Name | String | No | The name of the specific tab (worksheet) within - the spreadsheet. Defaults to the first sheet if not provided. Note: This is case-sensitive. - | + | Worksheet Name | string | No | The name of the tab within the sheet. If not + provided, it defaults to "Sheet1". | - | Row Index | String | No | The one-based index where the row should be inserted. - If not provided, the row is typically appended or inserted at a default position - defined by the API. | + | Row Index | string | No | The row number to insert at (one-based). If not provided, + the row is appended to the end. | - | Values | String | Yes | A comma-separated list of values to be inserted into - the new row (e.g., "value1,value2,value3"). | + | Values | string | Yes | Comma-separated values to add as a new row. | ### Additional Notes - - The `Values` parameter must be a comma-separated string. Each comma-separated - element will occupy one cell in the new row. + - The action uses the Google Sheets API to perform the insertion. - - Ensure the service account associated with the provided credentials has 'Editor' - access to the target spreadsheet. + - The `Values` parameter must be a comma-separated string. ### Flow Description - 1. **Configuration Extraction:** The action retrieves the Google Sheets service - account credentials from the integration configuration. + 1. Extract parameters: Sheet Id, Worksheet Name, Row Index, and Values. - 2. **Parameter Parsing:** It extracts the `Sheet Id`, `Worksheet Name`, `Row Index`, - and the `Values` string from the action input. + 2. Authenticate with Google Sheets using the configured credentials. - 3. **Data Preparation:** The `Values` string is split by commas into a list of - individual cell values. + 3. Open the target spreadsheet using the provided Sheet Id. - 4. **Authentication & Connection:** The action initializes a Google Sheets client - and opens the spreadsheet using the provided `Sheet Id`. + 4. Select the specified worksheet (or default to "Sheet1"). - 5. **Worksheet Selection:** It selects the specified worksheet by name or defaults - to the first worksheet if no name is provided. - - 6. **Row Insertion:** The action inserts the prepared values into the worksheet - at the specified `Row Index` (or uses the default insertion logic if no index - is provided). - - 7. **Completion:** The action returns a success status if the row is added successfully. + 5. Insert the provided comma-separated values as a new row at the specified index + (or default position). capabilities: can_create_case_comments: false can_create_insight: false @@ -193,12 +186,18 @@ Add Row: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - This action adds a new row of data to an external Google Sheet, modifying the - content of the spreadsheet. + Adds a new row to the specified Google Sheet. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a write operation to an external Google Sheet. It does not + fetch data for enrichment, nor does it modify internal SOAR entities or alerts. categories: enrichment: false + reasoning: >- + The action is a utility for modifying external data (Google Sheets). It does + not meet the criteria for an enrichment action (which must fetch data and not + mutate external systems). entity_usage: entity_types: [] filters_by_additional_properties: false @@ -214,6 +213,9 @@ Add Row: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not reference `siemplify.target_entities` or perform any operations + on entities. It operates on external Google Sheets data directly. Add or Update Rows: action_product_categories: add_alert_comment: false @@ -229,6 +231,10 @@ Add or Update Rows: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + This action is a generic utility for managing data in Google Sheets. It does + not match any of the specific security-focused categories such as IOC enrichment, + ticket management, or host containment. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -243,73 +249,31 @@ Add or Update Rows: update_email: false update_identity: false update_ticket: false - ai_description: >- - ### General Description - - This action allows users to manage data within a Google Spreadsheet by either - updating existing rows or adding new ones. It searches for a specific value within - a designated column; if a match is found, the action updates the corresponding - row within a specified column range. If no match is found, the data is appended - as a new row at the end of the sheet. This is particularly useful for maintaining - dynamic lists, logs, or tracking statuses in a centralized spreadsheet. - - - ### Parameters Description - - | Parameter Name | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Column Number | string | Yes | The index of the column (e.g., "1") where the - action will search for the value specified by the 'Field Name'. | - - | Start Column | string | Yes | The starting column letter (e.g., "A") for the - range to be updated or added. | - - | End Column | string | Yes | The ending column letter (e.g., "C") for the range - to be updated or added. | - - | Field Name | string | Yes | The key within the provided JSON object whose value - will be used as the search term in the spreadsheet. | - - | Json | code | Yes | A JSON array of objects representing the rows to be processed. - Each object should contain the keys to be mapped to the spreadsheet columns. | - - | Sheet Id | string | Yes | The unique identifier of the Google Spreadsheet, found - in the URL. | - - | Worksheet Name | string | No | The name of the specific tab/worksheet to use. - Defaults to the first sheet if not provided. | - - - ### Flow Description - - 1. **Authentication**: The action authenticates with the Google Sheets API using - the provided service account credentials. - - 2. **Initialization**: It opens the spreadsheet using the `Sheet Id` and selects - the target worksheet. - - 3. **Data Parsing**: The input `Json` string is parsed into a list of row objects. - - 4. **Search and Process**: For each row object in the list: - * It extracts the value associated with the `Field Name` key. - * It searches the specified `Column Number` in the worksheet for this value. - * **Update**: If the value is found, the action calculates the target range - (using `Start Column`, `End Column`, and the found row index) and updates the - cells with the values from the JSON object. - * **Append**: If the value is not found, the action appends the values from - the JSON object as a new row at the bottom of the worksheet. - 5. **Completion**: The action returns the total count of rows that were successfully - added or updated. - - - ### Additional Notes - - * The `Json` parameter must be a valid JSON array of objects. - - * Ensure the service account has the necessary permissions (Editor access) to - the target spreadsheet. + ai_description: "### General Description\nThis action adds or updates rows in a\ + \ Google Sheet based on a provided JSON payload. It is designed to synchronize\ + \ data into a spreadsheet by searching for a specific value in a designated column.\ + \ If the value is found, the action updates the corresponding row; if not, it\ + \ appends a new row to the sheet.\n\n### Flow Description\n1. **Configuration\ + \ Extraction**: The action retrieves the Google Sheet ID, column configuration,\ + \ and the JSON data payload from the action parameters.\n2. **Authentication**:\ + \ It establishes a connection to the Google Sheets API using the provided credentials.\n\ + 3. **Data Processing**: The action iterates through each item in the provided\ + \ JSON list.\n4. **Search**: For each item, it searches the specified column in\ + \ the worksheet for the value associated with the provided Field Name.\n5. **Mutation**:\ + \ \n - If the value is found, the action updates the existing row with the new\ + \ values.\n - If the value is not found, the action appends a new row to the\ + \ worksheet.\n6. **Result Reporting**: The action returns the updated range and\ + \ a summary message indicating the number of rows processed.\n\n### Parameters\ + \ Description\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- |\ + \ :--- | :--- |\n| Column Number | string | Yes | The column number to search\ + \ for the value of the given Field Name. |\n| Start Column | string | Yes | The\ + \ starting column for the update or add operation. |\n| End Column | string |\ + \ Yes | The ending column for the update or add operation. |\n| Field Name | string\ + \ | Yes | The field name in the JSON by which to search for its value in the specified\ + \ column. |\n| Json | code | Yes | The JSON values to add or update. Each item\ + \ represents a row. |\n| Sheet Id | string | Yes | The ID of the Google Sheet\ + \ (found in the URL). |\n| Worksheet Name | string | No | The name of the specific\ + \ worksheet tab. Defaults to 'Sheet1' if not provided. |" capabilities: can_create_case_comments: false can_create_insight: false @@ -318,12 +282,20 @@ Add or Update Rows: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - This action updates existing cell values or appends new rows to a Google Spreadsheet - based on the provided input data. + The action updates existing rows or appends new rows to the specified Google + Sheet. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a search operation (fetches data) on the Google Sheet to + determine if a row exists. It then performs a write operation (mutates external + data) by either updating an existing row or appending a new one. It does not + modify internal SOAR case data, entities, or alert data. categories: enrichment: false + reasoning: >- + The action is not an enrichment action because it mutates external data (Google + Sheets). Enrichment actions must be read-only regarding external systems. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -339,6 +311,9 @@ Add or Update Rows: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with SOAR entities. It processes a JSON payload + provided as a parameter to update a Google Sheet. Create Sheet: action_product_categories: add_alert_comment: false @@ -354,6 +329,9 @@ Create Sheet: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action creates a Google Sheet and shares it. It does not match any of the + defined categories such as 'Create Ticket', 'Enrich IOC', or 'Contain Host'. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -369,52 +347,46 @@ Create Sheet: update_identity: false update_ticket: false ai_description: >- - ### General Description - - Creates a new Google Spreadsheet and optionally shares it with specified email - addresses. This action is useful for automating the creation of reports, tracking - logs, or collaborative documents directly from a SOAR workflow. - + Creates a new Google Sheet and optionally shares it with specified users. This + action automates the creation of spreadsheets within a Google Drive environment + and manages access permissions. - ### Parameters Description - | Parameter | Description | Type | Mandatory | Notes | + ### Flow Description - | :--- | :--- | :--- | :--- | :--- | + 1. **Parameter Extraction**: The action retrieves the `Sheet Name` and the optional + `Share with emails` list from the action parameters, and the `Credentials Json` + from the integration configuration. - | Sheet Name | The name of the new spreadsheet to be created. | String | Yes | - This will be the title of the file in Google Drive. | + 2. **Client Initialization**: A Google Sheets client is initialized using the + provided service account credentials. - | Share with emails | A semicolon-separated list of email addresses (e.g., `user1@example.com;user2@example.com`) - to grant access to the sheet. | String | No | If provided, each user will be granted - 'writer' permissions. | + 3. **Sheet Creation**: A new spreadsheet is created with the specified name. + 4. **Permission Management**: If email addresses are provided, the action iterates + through the list and grants 'writer' access to each user for the newly created + spreadsheet. - ### Additional Notes + 5. **Completion**: The action returns the status of the operation and the ID of + the created sheet. - - The action requires valid Google Service Account credentials with the necessary - scopes for Google Sheets and Google Drive. - - Users shared via the 'Share with emails' parameter are granted 'writer' (editor) - access by default. + ### Parameters + | Parameter | Type | Mandatory | Description | - ### Flow Description + | :--- | :--- | :--- | :--- | - 1. **Authentication**: Initializes a connection to the Google Sheets API using - the provided Service Account credentials. + | Sheet Name | string | Yes | The name of the new spreadsheet to be created. | - 2. **Spreadsheet Creation**: Creates a new spreadsheet in the service account's - Google Drive with the name specified in the 'Sheet Name' parameter. + | Share with emails | string | No | A semicolon-separated list of email addresses + to share the spreadsheet with. | - 3. **Permission Management**: If the 'Share with emails' parameter is populated, - the action parses the list and iterates through each email address. - 4. **Sharing**: For each email, it updates the spreadsheet's permissions to grant - 'writer' access to that specific user. + ### Additional Notes - 5. **Completion**: Returns the unique ID of the newly created spreadsheet and - completes the execution. + - The action requires valid Google service account credentials configured in the + integration settings to authenticate with the Google Sheets API. capabilities: can_create_case_comments: false can_create_insight: false @@ -423,12 +395,20 @@ Create Sheet: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new spreadsheet file in Google Drive and modifies its access control - list (ACL) by sharing it with specified email addresses. + Creates a new Google Sheet and updates its sharing permissions via the Google + Sheets API. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a write operation on an external system (Google Sheets) + by creating a new spreadsheet and updating its sharing permissions. It does + not fetch data from external systems, nor does it modify any internal SOAR case + data, entities, or alert information. categories: enrichment: false + reasoning: >- + The action does not fetch data from external sources, which is a requirement + for enrichment actions. It performs a mutation on an external system. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -444,6 +424,9 @@ Create Sheet: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with or process any SOAR entities. It operates + independently of the case entities. Delete Rows: action_product_categories: add_alert_comment: false @@ -459,6 +442,10 @@ Delete Rows: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action deletes rows in a Google Sheet. This does not align with any of the + provided security-specific categories (e.g., IOC enrichment, ticket management, + identity management, or host containment). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -474,54 +461,40 @@ Delete Rows: update_identity: false update_ticket: false ai_description: >- - ### General Description - - Deletes a range of rows from a specified Google Sheets worksheet. This action - is useful for cleaning up data, removing processed entries, or managing spreadsheet-based - logs directly from a SOAR playbook. - - - ### Parameters Description - - | Parameter Name | Type | Mandatory | Description | + Deletes a specified range of rows from a Google Sheet. This action interacts with + the Google Sheets API to remove rows based on user-provided row indices. - | :--- | :--- | :--- | :--- | - | Sheet Id | string | Yes | The unique identifier of the spreadsheet, found in - the URL: `https://docs.google.com/spreadsheets/d/{Sheet-Id}/edit`. | + ### Flow - | Worksheet Name | string | No | The name of the specific tab (worksheet) within - the spreadsheet. If not provided, the action defaults to the first sheet (Sheet1). - Note: This is case-sensitive. | + 1. Extracts the `Sheet Id`, `Worksheet Name`, `From Row`, and `To Row` parameters. - | From Row | string | Yes | The row number where the deletion range starts (inclusive). - | + 2. Authenticates with the Google Sheets API using the configured credentials. - | To Row | string | Yes | The row number where the deletion range ends (inclusive). - | + 3. Opens the target spreadsheet using the provided `Sheet Id`. + 4. Identifies the target worksheet (or defaults to the first sheet if no name + is provided). - ### Additional Notes + 5. Executes the deletion of the specified row range. - - This action does not run on entities; it operates based on the provided spreadsheet - parameters. - - Ensure the service account associated with the provided credentials has 'Editor' - permissions on the target spreadsheet. + ### Parameters + | Parameter | Type | Mandatory | Description | - ### Flow Description + | :--- | :--- | :--- | :--- | - 1. **Authentication**: The action initializes a connection to the Google Sheets - API using the provided service account credentials. + | Sheet Id | string | Yes | The ID of the Google Sheet, found in the sheet URL. + | - 2. **Spreadsheet Access**: It opens the spreadsheet identified by the `Sheet Id`. + | Worksheet Name | string | No | The name of the worksheet tab. Defaults to "Sheet1" + if not provided. | - 3. **Worksheet Selection**: It selects the worksheet specified by `Worksheet Name` - or defaults to the first worksheet if the parameter is empty. + | From Row | string | Yes | The row number from which to start deleting. | - 4. **Row Deletion**: It executes a command to delete the rows within the range - defined by `From Row` and `To Row`. + | To Row | string | Yes | The row number that defines the end of the range to + be deleted. | capabilities: can_create_case_comments: false can_create_insight: false @@ -530,12 +503,20 @@ Delete Rows: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Deletes rows from a specified Google Sheets worksheet, which permanently modifies - the external spreadsheet data. + Deletes rows from a specified Google Sheet worksheet. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a destructive operation (`worksheet.delete_rows`) on an + external system (Google Sheets). It does not retrieve data, nor does it modify + internal SOAR entities or alerts. categories: enrichment: false + reasoning: >- + The action is a utility for modifying external data (Google Sheets). It does + not fetch data for enrichment, nor does it perform any of the allowed internal + mutations (like adding comments or insights). Therefore, it is not an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -551,6 +532,9 @@ Delete Rows: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `siemplify.target_entities`. It operates on + external Google Sheet resources identified by parameters. Delete Sheet: action_product_categories: add_alert_comment: false @@ -566,6 +550,10 @@ Delete Sheet: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action deletes a Google Sheet from Google Drive. This operation does not + match any of the predefined categories such as enrichment, ticket management, + identity management, or host containment. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -581,46 +569,15 @@ Delete Sheet: update_identity: false update_ticket: false ai_description: >- - ### General Description - - Deletes a specific Google Spreadsheet from Google Drive using its unique Sheet - ID. This action is designed to programmatically remove spreadsheets, which is - useful for automated cleanup of temporary reports or managing data lifecycle within - Google Sheets. - - - ### Parameters Description - - | Parameter | Description | Type | Mandatory | - - | :--- | :--- | :--- | :--- | - - | Sheet Id | The unique identifier of the spreadsheet. This ID can be found in - the spreadsheet's URL: `https://docs.google.com/spreadsheets/d/{SheetId}/edit`. - | String | Yes | - - - ### Flow Description - - 1. **Configuration Retrieval**: The action extracts the `Credentials Json` from - the integration settings and the `Sheet Id` from the action parameters. - - 2. **Client Initialization**: It uses the `GoogleSheetFactory` to authenticate - with Google APIs using the service account credentials and creates a Google Sheets - client. - - 3. **Spreadsheet Deletion**: The action invokes the `del_spreadsheet` method on - the client for the specified `Sheet Id` to remove the file from Google Drive. - - 4. **Execution Result**: If the deletion is successful, the action completes with - a success message. If an error occurs (e.g., invalid ID or insufficient permissions), - the action fails and returns the error details. - - - ### Additional Notes - - - The service account associated with the `Credentials Json` must have the necessary - permissions (Google Drive and Google Sheets scopes) to delete the target spreadsheet. + This action deletes a specified Google Sheet from Google Drive. It requires the + Sheet ID to identify the target file. Parameters: | Parameter | Type | Mandatory + | Description | | --- | --- | --- | --- | | Sheet Id | string | Yes | The unique + identifier of the Google Sheet, found in the sheet URL. | Flow description: 1. + Extract the Credentials Json from the integration configuration. 2. Extract the + Sheet Id from the action parameters. 3. Initialize the GoogleSheetFactory with + the provided credentials. 4. Create a gspread client. 5. Call the del_spreadsheet + method with the provided Sheet Id to delete the file. 6. Return the execution + status (completed or failed). capabilities: can_create_case_comments: false can_create_insight: false @@ -629,12 +586,20 @@ Delete Sheet: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Deletes a Google Spreadsheet from the user's Google Drive/Sheets environment - using the Google Sheets API. + Deletes a Google Sheet from the user's Google Drive. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a destructive operation (deletion) on an external system + (Google Sheets/Drive). It does not fetch data, update internal SOAR entities, + or create insights. categories: enrichment: false + reasoning: >- + The action is a destructive mutation (deletion) of an external resource. It + does not fetch data for enrichment, nor does it perform any of the allowed internal + mutations (comments, insights, entity updates). Therefore, it is not an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -650,6 +615,9 @@ Delete Sheet: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action operates on a specific Sheet Id provided as a parameter. It does + not interact with siemplify.target_entities. Get All: action_product_categories: add_alert_comment: false @@ -665,6 +633,11 @@ Get All: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves data from a Google Sheet. It does not match any of the + predefined categories (Enrich IOC, Enrich Asset, Search Events, etc.) as it + is a general-purpose data retrieval tool for spreadsheets, not a security-specific + enrichment or containment action. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -682,11 +655,9 @@ Get All: ai_description: >- ### General Description - The **Get All** action retrieves all rows and columns from a specified worksheet - within a Google Spreadsheet. It converts the spreadsheet data into a list of JSON - objects, where each object represents a row and the keys correspond to the column - headers. This action is primarily used for ingesting reference data, lookup tables, - or logs stored in Google Sheets into a Google SecOps workflow for further processing. + This action retrieves all records from a specified Google Sheet. It allows users + to fetch data from a spreadsheet by providing the Sheet ID and an optional Worksheet + Name. ### Parameters Description @@ -695,40 +666,35 @@ Get All: | :--- | :--- | :--- | :--- | - | **Sheet Id** | String | Yes | The unique identifier of the spreadsheet, found - in the URL: `https://docs.google.com/spreadsheets/d/{Sheet-Id}/edit`. | + | Sheet Id | string | Yes | The unique identifier for the Google Sheet, found + in the sheet URL. | - | **Worksheet Name** | String | No | The name of the specific tab (worksheet) - to retrieve data from. If not provided, the action defaults to the first worksheet - in the spreadsheet. Note: This value is case-sensitive. | + | Worksheet Name | string | No | The name of the specific tab/worksheet within + the sheet. Defaults to "Sheet1" if not provided. | - ### Flow Description + ### Additional Notes - 1. **Initialization**: Extracts the service account credentials from the integration - configuration and the Sheet ID and Worksheet Name from the action parameters. + - The action requires a valid `Credentials Json` configuration parameter to authenticate + with the Google Sheets API. - 2. **Connection**: Authenticates with the Google Sheets API using the provided - service account credentials. + - The `Worksheet Name` parameter is case-sensitive. - 3. **Access**: Opens the spreadsheet using the provided `Sheet Id`. - 4. **Selection**: Targets the worksheet specified by the `Worksheet Name` parameter. - If the parameter is empty, it defaults to the first sheet in the workbook. + ### Flow Description - 5. **Data Retrieval**: Fetches all records from the selected worksheet, converting - them into a list of dictionaries. + 1. Extracts the `Credentials Json` configuration and the `Sheet Id` and `Worksheet + Name` action parameters. - 6. **Output**: Returns the retrieved data as a JSON result and completes the execution. + 2. Authenticates with the Google Sheets API using the provided credentials. + 3. Opens the specified spreadsheet using the `Sheet Id`. - ### Additional Notes + 4. Accesses the specified worksheet (or the default "Sheet1" if no name is provided). - - This action does not interact with or filter entities within the Google SecOps - environment. + 5. Retrieves all records from the worksheet. - - Ensure the service account associated with the provided Credentials JSON has - at least "Viewer" permissions on the target spreadsheet. + 6. Returns the retrieved data as a JSON result in the action output. capabilities: can_create_case_comments: false can_create_insight: false @@ -739,8 +705,15 @@ Get All: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action connects to Google Sheets, reads data, and returns it as a JSON result. + It does not modify external systems or internal SOAR data. categories: enrichment: false + reasoning: >- + The action retrieves data from an external source (Google Sheets) but does not + enrich specific entities or alerts. It is a general data retrieval utility, + not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -756,6 +729,9 @@ Get All: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `target_entities`. It operates independently + of the case entities. Get Range: action_product_categories: add_alert_comment: false @@ -771,6 +747,10 @@ Get Range: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves data from a Google Sheet. It does not match any of the + security-specific categories such as IOC enrichment, asset enrichment, ticketing, + containment, or alert management. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -786,57 +766,38 @@ Get Range: update_identity: false update_ticket: false ai_description: >- - ### General Description - - The **Get Range** action retrieves cell values from a specified range within a - Google Sheet. This utility action allows users to pull external data stored in - spreadsheets into a Google SecOps workflow for further processing, validation, - or reporting. It supports A1 notation for defining the data range and can target - specific worksheets within a spreadsheet. + Retrieves data from a specified range in a Google Sheet. This action allows users + to query spreadsheet content by providing the Spreadsheet ID, an optional Worksheet + Name, and the target range in A1 notation. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Sheet Id** | String | Yes | The unique identifier of the spreadsheet, which - can be found in the URL: `https://docs.google.com/spreadsheets/d/{SheetId}/edit`. - | + | Sheet Id | string | Yes | The unique identifier of the Google Sheet, found in + the spreadsheet URL. | - | **Worksheet Name** | String | No | The name of the specific tab (worksheet) - to query. If not provided, the action defaults to the first worksheet in the file. - | + | Worksheet Name | string | No | The name of the specific tab/worksheet. Defaults + to 'Sheet1' if not provided. | - | **Range** | String | Yes | The range of cells to retrieve using A1 notation - (e.g., 'A1:B10' or 'Sheet1!A1:B10'). | + | Range | string | Yes | The range of cells to extract (e.g., 'A1:B1'). | ### Flow Description - 1. **Authentication**: The action initializes a connection to the Google Sheets - API using the service account credentials provided in the integration configuration. - - 2. **Spreadsheet Access**: It opens the target spreadsheet using the provided - **Sheet Id**. + 1. The action extracts the required parameters: `Sheet Id`, `Worksheet Name`, + and `Range`. - 3. **Worksheet Selection**: If a **Worksheet Name** is specified, the action selects - that tab; otherwise, it defaults to the first sheet. + 2. It initializes a connection to the Google Sheets API using the provided credentials. - 4. **Data Retrieval**: The action executes a batch get request to fetch the values - within the defined **Range**. + 3. It selects the specified worksheet (or defaults to the first sheet). - 5. **Result Processing**: The retrieved data is formatted and added to the action's - JSON results for use in subsequent playbook steps. - - - ### Additional Notes + 4. It performs a batch get operation to retrieve the values from the defined range. - - This action does not interact with or filter SecOps entities. - - - Ensure the service account associated with the credentials has at least 'Viewer' - permissions on the target Google Sheet. + 5. The retrieved data is added to the action's result output. capabilities: can_create_case_comments: false can_create_insight: false @@ -847,8 +808,17 @@ Get Range: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a read-only (GET) operation to retrieve data from an external + Google Sheet. It does not modify any external systems, nor does it update any + internal Google SecOps data (such as entities, insights, or case comments). categories: enrichment: false + reasoning: >- + While the action fetches data, it is a general-purpose utility for retrieving + spreadsheet content and does not gather supplemental context about specific + alerts or entities within the SOAR platform. Therefore, it does not meet the + criteria for an Enrichment Action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -864,6 +834,10 @@ Get Range: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with the `target_entities` list. It operates on + arbitrary data retrieved from a Google Sheet and does not perform any filtering + or processing on SecOps entities. Get Row: action_product_categories: add_alert_comment: false @@ -879,6 +853,9 @@ Get Row: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves data from a Google Sheet. It does not match any of the + predefined categories like IOC enrichment, asset enrichment, or alert management. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -894,51 +871,46 @@ Get Row: update_identity: false update_ticket: false ai_description: >- - ### General Description - Retrieves the values of a single row from a specified Google Sheet. This action - is useful for fetching reference data, configuration settings, or logs stored - within a spreadsheet for use in subsequent playbook steps. + allows users to fetch data from a spreadsheet for further processing or analysis + within the SOAR platform. - ### Parameters Description - - | Parameter Name | Type | Mandatory | Description | + ### Flow Description - | :--- | :--- | :--- | :--- | + 1. **Authentication**: The action authenticates with the Google Sheets API using + the provided credentials. - | Sheet Id | string | Yes | The unique identifier of the spreadsheet, which can - be found in the spreadsheet's URL. | + 2. **Connection**: It connects to the target spreadsheet using the provided `Sheet + Id`. - | Worksheet Name | string | No | The name of the specific worksheet (tab) to retrieve - data from. If not provided, the action defaults to the first worksheet. | + 3. **Worksheet Selection**: It selects the specified worksheet by name, or defaults + to the first worksheet if no name is provided. - | Row Number | string | Yes | The one-based index of the row to retrieve (e.g., - '1' for the first row). | + 4. **Data Retrieval**: It fetches the values from the specified `Row Number`. + 5. **Output**: The retrieved row data is returned as a JSON result. - ### Additional Notes - - The action uses service account credentials configured in the integration settings - to access the Google Sheets API. + ### Parameters - - The result is returned as a JSON array containing the values of the cells in - the specified row. + | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Flow Description + | Sheet Id | string | Yes | The unique identifier for the Google Sheet, found + in the sheet URL. | - 1. **Authentication**: Initializes the Google Sheets client using the provided - service account credentials. + | Worksheet Name | string | No | The name of the specific worksheet to query. + If not provided, the first worksheet is used. | - 2. **Spreadsheet Access**: Opens the spreadsheet identified by the `Sheet Id`. + | Row Number | string | Yes | The row number (one-based) to retrieve. | - 3. **Worksheet Selection**: Selects the worksheet specified by `Worksheet Name`. - If no name is provided, it defaults to the first sheet in the workbook. - 4. **Data Retrieval**: Fetches all cell values for the row specified by `Row Number`. + ### Additional Notes - 5. **Output**: Returns the row values as a JSON object and completes the action. + This action is a read-only operation and does not modify the spreadsheet or any + internal SOAR data. capabilities: can_create_case_comments: false can_create_insight: false @@ -949,8 +921,15 @@ Get Row: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a read-only operation to fetch data from an external Google + Sheet. It does not modify external systems, nor does it update internal SOAR + entities or alerts. categories: enrichment: false + reasoning: >- + While the action fetches data, it does not perform enrichment on specific alerts + or entities within the SOAR platform. It is a generic data retrieval utility. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -966,6 +945,9 @@ Get Row: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with SOAR entities. It operates on generic spreadsheet + data. Import CSV: action_product_categories: add_alert_comment: false @@ -981,6 +963,10 @@ Import CSV: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action imports data into a Google Sheet. This is a general data management + task and does not align with any of the provided security-specific categories + such as IOC enrichment, ticketing, containment, or alert management. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -996,45 +982,47 @@ Import CSV: update_identity: false update_ticket: false ai_description: >- - Imports data from a local CSV file into a Google Spreadsheet. This action targets - the first worksheet of the specified spreadsheet, replacing its entire content - with the data from the CSV file. Note that this operation is destructive: it removes - all other worksheets within the spreadsheet and overwrites the first one. + Imports CSV data into a Google Sheet. This action facilitates data synchronization + by reading a local CSV file and uploading its contents to a specified Google Sheet, + overwriting the existing data in the first worksheet. ### Flow Description - 1. **Parameter Extraction:** Retrieves the 'Sheet Id' and 'CSV Path' from the - action parameters and the 'Credentials Json' from the integration configuration. + 1. **Configuration Extraction**: The action retrieves the Google Sheets credentials + from the integration configuration. - 2. **Client Initialization:** Authenticates with Google Sheets using the provided - service account credentials. + 2. **Parameter Extraction**: It extracts the `Sheet Id` and `CSV Path` from the + action parameters. - 3. **File Reading:** Reads the raw content of the CSV file located at the specified - local path. + 3. **Authentication**: It authenticates with the Google Sheets API using the provided + credentials. - 4. **Data Import:** Executes the import command via the Google Sheets API, which - overwrites the first sheet and deletes all other sheets in the workbook. + 4. **Data Import**: It reads the content of the specified CSV file and imports + it into the target Google Sheet, replacing the existing content of the first worksheet. + 5. **Completion**: The action concludes by reporting the status and the ID of + the updated sheet. - ### Parameters Description - | Parameter Name | Type | Mandatory | Description | + ### Parameters + + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Sheet Id | String | Yes | The unique identifier of the spreadsheet, found in - the URL (e.g., `https://docs.google.com/spreadsheets/d/{SheetId}/edit`). | + | Sheet Id | string | Yes | The unique identifier of the Google Sheet, found in + the sheet URL. | - | CSV Path | String | Yes | The local file system path to the CSV file that contains - the data to be imported. | + | CSV Path | string | Yes | The local file path to the CSV file that needs to + be imported. | ### Additional Notes - - **Warning:** This action will delete all worksheets in the spreadsheet except - for the first one, which will be overwritten. Use with caution on spreadsheets - containing multiple tabs of data. + This action performs a destructive write operation on the target Google Sheet + (it replaces the content of the first worksheet). Ensure the `Sheet Id` and `CSV + Path` are correct before execution. capabilities: can_create_case_comments: false can_create_insight: false @@ -1043,12 +1031,20 @@ Import CSV: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Replaces the content of the first worksheet and deletes all other worksheets - in the specified Google Spreadsheet. + The action imports CSV data into a Google Sheet, which overwrites the existing + content of the first worksheet. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a write operation to an external system (Google Sheets) + by importing CSV data. It does not fetch data for enrichment, nor does it modify + internal SecOps case data, entities, or alerts. categories: enrichment: false + reasoning: >- + The action is a data management utility that modifies external data. It does + not fetch data for enrichment purposes, nor does it meet the criteria for an + enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1064,6 +1060,9 @@ Import CSV: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with or process SecOps entities. It operates on + file paths and sheet identifiers. Ping: action_product_categories: add_alert_comment: false @@ -1079,6 +1078,9 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test ('Ping') and does not perform any of the defined + functional outcomes like enriching IOCs, creating tickets, or updating alerts. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1096,47 +1098,40 @@ Ping: ai_description: >- ### General Description - The **Ping** action is designed to verify the connectivity and authorization between - Google SecOps and the Google Sheets API. It ensures that the provided service - account credentials are valid and have the appropriate permissions to perform - file operations within the Google Drive and Sheets environment. + Tests connectivity with Google Sheets by performing a create and delete operation. + This action verifies that the provided credentials have the necessary permissions + and that the Google Sheets API is reachable. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. Extract the `Credentials Json` parameter from the integration configuration. - | :--- | :--- | :--- | :--- | + 2. Initialize the Google Sheets client using the provided service account credentials. - | Credentials Json | String | Yes | (Configuration Parameter) The JSON content - of the Google Service Account key used for authentication. | + 3. Create a temporary spreadsheet with a unique identifier. + 4. Delete the created temporary spreadsheet to ensure no residual data is left + behind. - ### Flow Description + 5. Return the connectivity status (success or failure) to the SOAR platform. - 1. **Authentication**: The action retrieves the service account credentials from - the integration's configuration settings. - 2. **Client Initialization**: It initializes a Google Sheets client using the - `gspread` library with the required OAuth2 scopes for Spreadsheets and Drive. + ### Parameters Description - 3. **Validation Operation**: To test end-to-end functionality, the action attempts - to create a new spreadsheet with a unique name (prefixed with 'Test-' and a UUID). + | Parameter | Type | Mandatory | Description | - 4. **Cleanup**: Immediately after a successful creation, the action attempts to - delete the temporary spreadsheet to ensure no residual data is left in the user's - Google Drive. + | :--- | :--- | :--- | :--- | - 5. **Result Reporting**: If all steps succeed, the action completes with a 'Connected - successfully' message. If any step fails (e.g., due to invalid credentials or - insufficient API permissions), the action fails and returns the specific error - message. + | Credentials Json | String | Yes | The JSON service account credentials used + to authenticate with the Google Sheets API. | ### Additional Notes - This action is a diagnostic tool used to confirm that the integration is correctly - configured and that the Google Cloud Project has the necessary APIs enabled. + This action is a connectivity test ("Ping") and does not perform any functional + data processing or enrichment. It is intended solely for verifying integration + health. capabilities: can_create_case_comments: false can_create_insight: false @@ -1145,12 +1140,19 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - The action creates a temporary spreadsheet and then immediately deletes it to - verify that the service account has write and delete permissions. + Creates and immediately deletes a temporary spreadsheet to verify API connectivity. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a write operation (create) and a delete operation on the + external Google Sheets system to verify connectivity. It does not fetch data + for enrichment, nor does it modify internal SOAR data. categories: enrichment: false + reasoning: >- + The action is named 'Ping' and is explicitly designed to test connectivity. + According to the guidelines, 'Ping' actions must not be categorized as enrichment + actions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1166,6 +1168,9 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities; it only performs a connectivity + test against the Google Sheets API. Search Row: action_product_categories: add_alert_comment: false @@ -1181,6 +1186,10 @@ Search Row: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action performs a search operation on a Google Sheet. It does not match + any of the predefined product categories, which are focused on security-specific + tasks like IOC enrichment, containment, or ticketing. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1196,65 +1205,42 @@ Search Row: update_identity: false update_ticket: false ai_description: >- - ### General Description - - Finds a specific row in a Google Spreadsheet based on a provided search value. - This action is useful for retrieving contextual information stored in spreadsheets, - such as asset lists, contact information, or historical logs, and bringing that - data into the Google SecOps environment for further analysis. - - - ### Parameters Description - - | Parameter Name | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | + The 'Search Row' action allows users to search for a specific value within a designated + column of a Google Sheet. This action is useful for retrieving contextual information + stored in external spreadsheets. - | **Sheet Id** | String | Yes | The unique identifier of the spreadsheet, found - in the URL: `https://docs.google.com/spreadsheets/d/{Sheet-Id}/edit`. | - | **Worksheet Name** | String | No | The name of the specific tab within the spreadsheet. - Defaults to the first sheet (Sheet1) if not provided. Note: This is case-sensitive. - | - - | **Column Number** | String | Yes | The column number where the search should - be performed. **Note:** In the current implementation, the search is performed - across the entire worksheet, and this parameter is primarily used for logging - purposes. | + ### Flow: - | **Search value** | String | Yes | The specific string or value to search for - within the worksheet. | + 1. The action extracts the required parameters: `Sheet Id`, `Column Number`, and + `Search value`, along with the optional `Worksheet Name`. + 2. It initializes a connection to the Google Sheet using the provided credentials. - ### Additional Notes + 3. It locates the specified worksheet (or defaults to 'Sheet1'). - - The action uses service account credentials to authenticate with the Google - Sheets API. + 4. It searches the specified column for the provided value. - - If the search value is found, the action retrieves all values for that specific - row and returns them as a JSON array. + 5. If the value is found, it retrieves the entire row's data and returns it as + a JSON result. - - If the value is not found, the action will return a failed status. + 6. If the value is not found, the action fails and returns an error message. - ### Flow Description + ### Parameters: - 1. **Authentication:** The action authenticates with Google APIs using the provided - JSON credentials. + | Parameter | Type | Mandatory | Description | - 2. **Spreadsheet Access:** It opens the spreadsheet identified by the `Sheet Id`. + | :--- | :--- | :--- | :--- | - 3. **Worksheet Selection:** It selects the worksheet specified by `Worksheet Name` - or defaults to the first tab. + | Sheet Id | string | Yes | The ID of the Google Sheet (found in the URL). | - 4. **Search Operation:** It searches the worksheet for the first occurrence of - the `Search value`. + | Worksheet Name | string | No | The name of the worksheet tab (defaults to 'Sheet1'). + | - 5. **Data Retrieval:** If found, it retrieves all cell values for the row containing - the match. + | Column Number | string | Yes | The column number to search in. | - 6. **Output:** The row data is added to the action results as JSON, and the row - index is returned as the primary result value. + | Search value | string | Yes | The value to search for. | capabilities: can_create_case_comments: false can_create_insight: false @@ -1265,8 +1251,16 @@ Search Row: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action reads data from a Google Sheet (fetches_data=true). It does not perform + any write operations on the external Google Sheet (can_mutate_external_data=false). + It does not modify any internal SOAR data, entities, or insights (can_mutate_internal_data=false). categories: enrichment: false + reasoning: >- + The action is a utility for searching external data (Google Sheets). It does + not perform enrichment on entities or alerts, nor does it meet the criteria + for an enrichment action as it does not operate on entities. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1282,6 +1276,9 @@ Search Row: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. It operates on a Google Sheet + based on provided parameters. Search Rows: action_product_categories: add_alert_comment: false @@ -1297,6 +1294,11 @@ Search Rows: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action searches for data in an external Google Sheet. It does not match + any of the specific categories like 'Enrich IOC' or 'Enrich Asset' because it + doesn't operate on entities. It is a general utility action for searching Google + Sheets. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1314,63 +1316,47 @@ Search Rows: ai_description: >- ### General Description - The **Search Rows** action allows users to search for specific values within a - designated column of a Google Sheet. It is primarily used to retrieve row indices - and data for rows that match a search criterion, facilitating the use of Google - Sheets as a simple database or lookup table for automation workflows. + Searches for rows in a Google Sheet containing a specific value in a designated + column. This action retrieves data from a Google Sheet, returning the row numbers + and values where the search value is found. It does not modify the sheet or interact + with SOAR entities. ### Parameters Description | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + | --- | --- | --- | --- | - | Sheet Id | string | Yes | The unique identifier of the spreadsheet, which can - be found in the URL: `https://docs.google.com/spreadsheets/d/{Sheet-Id}/edit`. - | + | Sheet Id | string | Yes | The ID of the Google Sheet. | - | Worksheet Name | string | No | The name of the specific tab (worksheet) to search - in. If not provided, the action defaults to the first worksheet ("Sheet1"). | + | Worksheet Name | string | No | The name of the worksheet tab. | - | Column Number | string | Yes | The numerical index of the column to search (e.g., - "1" for Column A, "2" for Column B). | + | Column Number | string | Yes | The column index to search. | - | Search value | string | Yes | The specific string or value to look for within - the specified column. | + | Search value | string | Yes | The value to search for. | ### Additional Notes - - The action returns a list of all row numbers where the search value was found - in the specified column. - - - It also provides the values of the first matching row in the JSON result. - - - If the value is not found, the action will return a failed status. + If the Worksheet Name is not provided, the action defaults to the first worksheet + in the spreadsheet. ### Flow Description - 1. **Authentication**: The action initializes a connection to the Google Sheets - API using the provided service account credentials. - - 2. **Spreadsheet Access**: It opens the spreadsheet identified by the `Sheet Id`. + 1. Extract configuration (credentials) and action parameters (Sheet Id, Worksheet + Name, Column Number, Search value). - 3. **Worksheet Selection**: It selects the worksheet specified by `Worksheet Name` - or defaults to the first sheet. + 2. Authenticate with Google Sheets API using the provided credentials. - 4. **Search Execution**: The action performs a global search (`findall`) for the - `Search value` across the entire worksheet. + 3. Open the specified spreadsheet and worksheet. - 5. **Column Filtering**: It iterates through the search results and filters for - cells that belong to the user-specified `Column Number`. + 4. Search the specified column for the provided search value. - 6. **Data Collection**: It collects the row numbers of all matches and retrieves - the full row values for the first match found. + 5. Retrieve and return the row numbers and row values where the match was found. - 7. **Output**: The action outputs the list of row numbers, the count of rows found, - and the data from the first matching row into the action results. + 6. Terminate the action with a status message. capabilities: can_create_case_comments: false can_create_insight: false @@ -1381,8 +1367,16 @@ Search Rows: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action reads data from a Google Sheet using the `gspread` library. It does + not modify the sheet (read-only) and does not interact with SOAR entities or + cases. categories: enrichment: false + reasoning: >- + The action does not operate on entities or alerts, so it does not qualify as + an enrichment action or any other category. It is a general utility action for + searching Google Sheets. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1398,6 +1392,9 @@ Search Rows: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use `target_entities`. It operates independently of the + SOAR entity model. Update Cell: action_product_categories: add_alert_comment: false @@ -1413,6 +1410,9 @@ Update Cell: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action updates a cell in a Google Sheet. This does not match any of the + predefined categories like ticket management, alert management, or IOC management. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1428,62 +1428,18 @@ Update Cell: update_identity: false update_ticket: false ai_description: >- - ### General Description - - The **Update Cell** action allows users to modify the content of a specific cell - within a Google Sheets spreadsheet. This action is primarily used for automated - reporting, logging incident metadata, or updating tracking sheets directly from - a SOAR playbook. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **Sheet Id** | String | Yes | The unique identifier of the spreadsheet, which - can be found in the URL: `https://docs.google.com/spreadsheets/d/{SheetId}/edit`. - | - - | **Worksheet Name** | String | No | The name of the specific tab (worksheet) - to update. If not provided, the action defaults to the first worksheet (Sheet1). - Note: This is case-sensitive. | - - | **Cell** | String | Yes | The A1 notation of the cell to update (e.g., "A1", - "C10"). | - - | **Value** | String | Yes | The data or text to be written into the specified - cell. | - - - ### Flow Description - - 1. **Initialization**: The action extracts the service account credentials from - the integration configuration. - - 2. **Connection**: It establishes a connection to the Google Sheets API using - the provided credentials. - - 3. **Spreadsheet Access**: The action opens the target spreadsheet using the `Sheet - Id`. - - 4. **Worksheet Selection**: It identifies the correct worksheet based on the `Worksheet - Name` parameter or defaults to the first sheet. - - 5. **Data Update**: It performs a write operation to update the specified `Cell` - with the provided `Value`. - - 6. **Finalization**: The action returns a success message if the update is confirmed - by the API, or an error message if the operation fails. - - - ### Additional Notes - - - The service account used in the integration must have "Editor" permissions on - the target Google Sheet. - - - If the `Worksheet Name` does not exist, the action will fail. + ### General Description: This action updates a specific cell in a Google Sheet. + It allows users to programmatically modify spreadsheet data by specifying the + Sheet ID, Worksheet Name, Cell coordinate, and the new Value. ### Parameters: + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | | + Sheet Id | string | Yes | The unique identifier of the Google Sheet (found in + the URL). | | Worksheet Name | string | No | The name of the specific tab/worksheet. + Defaults to 'Sheet1'. | | Cell | string | Yes | The cell coordinate to update + (e.g., A12). | | Value | string | Yes | The value to write into the specified + cell. | ### Flow: 1. Authenticate with Google Sheets using the provided credentials. + 2. Open the target spreadsheet using the provided Sheet Id. 3. Select the appropriate + worksheet (using Worksheet Name if provided, otherwise defaulting to Sheet1). + 4. Update the specified Cell with the provided Value. ### Additional Notes: None. capabilities: can_create_case_comments: false can_create_insight: false @@ -1492,12 +1448,17 @@ Update Cell: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the content of a specific cell within a Google Sheets spreadsheet by - writing a new value to it. + Updates a specific cell in a Google Sheet with a provided value. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a write operation on an external Google Sheet. It does not + fetch data, nor does it modify internal SecOps data or entities. categories: enrichment: false + reasoning: >- + The action is a mutation action (updating a spreadsheet) and does not fetch + data for enrichment purposes. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1513,6 +1474,9 @@ Update Cell: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with SecOps entities. It operates on external Google + Sheets. Update Row: action_product_categories: add_alert_comment: false @@ -1528,6 +1492,9 @@ Update Row: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action updates a Google Sheet. It does not match any of the predefined security-related + categories such as IOC enrichment, ticket management, or host containment. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1545,63 +1512,44 @@ Update Row: ai_description: >- ### General Description - Updates a specific row in a Google Spreadsheet with a provided list of values. - This action allows users to programmatically modify existing spreadsheet data - by specifying the spreadsheet ID, the worksheet name, the row index, and the new - cell values. + Updates a specific row in a Google Sheet with provided values. This action allows + for automated data entry or modification within a Google Sheets document. ### Parameters Description | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + | --- | --- | --- | --- | - | Sheet Id | String | Yes | The unique identifier of the spreadsheet, found in - the URL: `https://docs.google.com/spreadsheets/d/{Sheet-Id}/edit`. | + | Sheet Id | string | Yes | The unique identifier of the Google Sheet, found in + the sheet URL. | - | Worksheet Name | String | No | The name of the specific tab (worksheet) to update. - If not provided, the action defaults to the first sheet (Sheet1). Note: This is - case-sensitive. | + | Worksheet Name | string | No | The name of the specific tab/worksheet. Defaults + to "Sheet1" if not provided. | - | Row Number | String | Yes | The numerical index of the row to be updated (e.g., - "1", "2"). | + | Row Number | string | Yes | The row index to update. | - | Values | String | Yes | A comma-separated list of values to be placed in the - row, starting from the first column (e.g., "val1,val2,val3"). | + | Values | string | Yes | Comma-separated values to populate the row. | ### Additional Notes - - The action iterates through the comma-separated values provided in the 'Values' - parameter and updates cells sequentially starting from Column A (Column 1) of - the specified row. - - - Ensure the service account associated with the provided credentials has 'Editor' - access to the target spreadsheet. + The action requires valid Google Sheets credentials configured in the integration + settings. The `Values` parameter should be a comma-separated string (e.g., "val_1,val_2,val_3"). ### Flow Description - 1. **Initialization**: Extracts the Google Sheets credentials from the integration - configuration and the action parameters (Sheet Id, Worksheet Name, Row Number, - and Values). - - 2. **Connection**: Establishes a connection to the Google Sheets API using the - provided service account credentials. + 1. Extract parameters (Sheet ID, Worksheet Name, Row Number, Values). - 3. **Resource Selection**: Opens the spreadsheet using the 'Sheet Id'. If a 'Worksheet - Name' is provided, it selects that specific tab; otherwise, it defaults to the - first worksheet. + 2. Authenticate and connect to the Google Sheet using the provided credentials. - 4. **Data Processing**: Splits the 'Values' string into a list based on the comma - delimiter. + 3. Select the target worksheet (or default to 'Sheet1'). - 5. **Execution**: Iterates through the list of values, updating each cell in the - specified 'Row Number' starting from the first column. + 4. Parse the comma-separated values. - 6. **Completion**: Returns a success message if the row is updated successfully - or an error message if the operation fails. + 5. Update each cell in the specified row with the corresponding value. capabilities: can_create_case_comments: false can_create_insight: false @@ -1610,12 +1558,19 @@ Update Row: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates cell values within a specific row of a Google Spreadsheet via the Google - Sheets API. + Updates specific cells in a Google Sheet with provided values. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a write operation (mutation) on an external system (Google + Sheets) by updating specific cells. It does not fetch data from the sheet, nor + does it modify any internal SOAR data, entities, or alerts. categories: enrichment: false + reasoning: >- + The action performs a write operation (mutation) on an external system (Google + Sheets) and does not retrieve data for enrichment purposes, therefore it is + not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1631,6 +1586,9 @@ Update Row: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with SOAR entities; it operates on external Google + Sheets data based on provided parameters. Update Rows: action_product_categories: add_alert_comment: false @@ -1646,6 +1604,10 @@ Update Rows: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action updates rows in a Google Sheet. This does not align with any of the + provided security-specific categories (e.g., IOC enrichment, ticket management, + identity management, or containment). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1663,63 +1625,53 @@ Update Rows: ai_description: >- ### General Description - Updates specific rows in a Google Sheets spreadsheet with a provided set of values. - This action is designed to modify existing data within a spreadsheet, making it - useful for maintaining external logs, tracking incident progress, or updating - shared records directly from a SOAR playbook. - + Updates specific rows and columns in a Google Sheet. This action allows users + to programmatically modify spreadsheet data by specifying the target sheet, worksheet, + row numbers, and the values to be inserted. - ### Parameters Description - | Parameter | Type | Mandatory | Description | + ### Flow Description - | :--- | :--- | :--- | :--- | + 1. **Parameter Extraction**: The action extracts the `Row Number`, `Values`, `Sheet + Id`, and optional `Worksheet Name` from the action configuration. - | Row Number | String | Yes | A comma-separated list of row indices to be updated - (e.g., "1, 5, 10"). | + 2. **Client Initialization**: It initializes a Google Sheets client using the + provided credentials. - | Values | Content | Yes | A comma-separated list of values to be written into - the cells of the specified rows. The values are applied sequentially starting - from the first column (Column A). | + 3. **Spreadsheet Access**: It opens the target spreadsheet using the provided + `Sheet Id`. - | Sheet Id | String | Yes | The unique ID of the spreadsheet, which can be extracted - from the spreadsheet's URL. | + 4. **Worksheet Selection**: It selects the specified worksheet by name, or defaults + to 'Sheet1' if no name is provided. - | Worksheet Name | String | No | The name of the specific tab (worksheet) within - the spreadsheet. If not provided, the action defaults to the first worksheet. - | + 5. **Data Update**: It iterates through the provided row numbers and values, updating + the corresponding cells in the Google Sheet. - ### Flow Description + ### Parameters Description - 1. **Initialization**: The action retrieves the service account credentials from - the integration configuration and the target spreadsheet details from the action - parameters. + | Parameter | Type | Mandatory | Description | - 2. **Connection**: It establishes a connection to the Google Sheets API using - the `gspread` library. + | :--- | :--- | :--- | :--- | - 3. **Worksheet Selection**: The action opens the spreadsheet by its ID and selects - the specified worksheet (or the first one by default). + | Row Number | string | Yes | Comma-separated list of row numbers to update (e.g., + "1,2"). | - 4. **Data Processing**: It parses the comma-separated strings for row numbers - and values. + | Values | content | Yes | Comma-separated list of values to update (e.g., "value1,value2"). + | - 5. **Cell Updates**: For every row number provided, the action iterates through - the list of values and updates the corresponding cells in that row, starting from - column 1. + | Sheet Id | string | Yes | The unique identifier of the Google Sheet, found in + the sheet URL. | - 6. **Completion**: Returns a success message once all specified cells have been - updated. + | Worksheet Name | string | No | The name of the specific tab/worksheet. Defaults + to "Sheet1" if not provided. | ### Additional Notes - - The service account used in the configuration must have "Editor" permissions - on the target Google Sheet. - - - The action updates cells sequentially; for example, if three values are provided, - they will populate columns A, B, and C of the target rows. + The action performs a direct write operation to the specified Google Sheet. Ensure + the service account associated with the credentials has the necessary permissions + to edit the target spreadsheet. capabilities: can_create_case_comments: false can_create_insight: false @@ -1728,12 +1680,19 @@ Update Rows: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates cell values within a Google Sheets spreadsheet based on the provided - row numbers and values. + Updates cells in a Google Sheet with provided values. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a write operation (update_cell) on an external Google Sheet. + It does not fetch data, nor does it interact with internal SOAR entities or + case data. categories: enrichment: false + reasoning: >- + The action is a utility for updating external spreadsheets. It does not fetch + data for enrichment, nor does it modify internal SOAR data. Therefore, it is + not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1749,3 +1708,6 @@ Update Rows: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with SOAR entities. It operates on parameters provided + directly to the action. diff --git a/content/response_integrations/third_party/community/google_sheets/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/google_sheets/resources/ai/connectors_ai_description.yaml index 82899304a..d058245cb 100644 --- a/content/response_integrations/third_party/community/google_sheets/resources/ai/connectors_ai_description.yaml +++ b/content/response_integrations/third_party/community/google_sheets/resources/ai/connectors_ai_description.yaml @@ -2,10 +2,9 @@ Sheet Connector: ai_description: >- ### General Description - This connector integrates with Google Sheets to ingest data rows as alerts into - Google SecOps. It allows security teams to automate the ingestion of manual logs, - tracking spreadsheets, or any tabular data stored in Google Drive, converting - each row into a structured alert for further investigation. + This connector integrates with Google Sheets to ingest data as alerts into Google + SecOps (SOAR). It allows users to treat rows in a spreadsheet as security events + or alerts, enabling automation workflows based on spreadsheet-based data sources. ### Parameters Description @@ -14,56 +13,49 @@ Sheet Connector: | :--- | :--- | :--- | :--- | - | Credentials Json | String | Yes | Service account credentials in JSON format - used for Google API authentication. | + | Alert Name Column Index | Integer | Yes | The column index to use for the alert + name. | - | Sheet Id | String | Yes | The unique identifier of the Google Spreadsheet (found - in the URL). | + | Credentials Json | String | Yes | The JSON string containing Google Service + Account credentials. | - | Worksheet Name | String | Yes | The name of the specific tab/worksheet to pull - data from (e.g., 'Sheet1'). | + | DeviceProductField | String | Yes | The field name used to determine the device + product. | - | Alert Name Column Index | Integer | Yes | The 0-based index of the column to - use for the Alert Name. Set to -1 to use the Product name instead. | + | EventClassId | String | Yes | The field name used to determine the event name + (sub-type). | - | Product | String | Yes | The product name to assign to the ingested alerts and - events. | + | Filter Alert Column Index | Integer | No | The column index to use for filtering + rows. | - | Filter Alert Column Index | Integer | No | The 0-based index of the column used - to filter rows for ingestion. | + | Filter Alert Column Value | String | No | The value to filter by in the specified + column. | - | Filter Alert Column Value | String | No | The specific value to match in the - filter column; only matching rows will be ingested. | + | Product | String | Yes | The product name associated with the alerts. | - | DeviceProductField | String | Yes | The field name used to determine the device - product in the SOAR mapping. | + | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the + python process. | - | EventClassId | String | Yes | The field name used to determine the event name - or sub-type. | + | Sheet Id | String | Yes | The unique identifier of the Google Sheet. | - | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the - connector execution. | + | Worksheet Name | String | Yes | The name of the specific worksheet to pull data + from. | ### Flow Description - 1. **Authentication**: Connects to the Google Sheets API using the provided Service - Account JSON credentials. + 1. Authenticates with Google Sheets using the provided service account JSON credentials. - 2. **Resource Access**: Opens the spreadsheet using the 'Sheet Id' and selects - the specified 'Worksheet Name'. + 2. Opens the specified Google Sheet by ID and selects the target worksheet. - 3. **Data Retrieval**: Reads the first row to establish headers and then fetches - all subsequent data rows. + 3. Retrieves all rows from the worksheet. - 4. **Filtering**: If filtering parameters are provided, the connector checks the - value at the specified column index for each row, skipping rows that do not match. + 4. Iterates through the rows, applying optional filtering based on a specific + column index and value if configured. - 5. **Alert Creation**: For each valid row, a unique Alert object is created. The - alert name is derived from the configured column index. + 5. Maps each row to an AlertInfo object, using the configured column index to + determine the alert name. - 6. **Event Mapping**: Maps every cell in the row to an event dictionary, using - the worksheet headers as keys. + 6. Constructs events from the row data, mapping headers to event fields. - 7. **Ingestion**: Packages the alerts and events, then sends them to Google SecOps - for case creation. + 7. Returns the generated alerts to the SOAR platform for processing. diff --git a/content/response_integrations/third_party/community/google_sheets/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/google_sheets/resources/ai/integration_ai_description.yaml index 4857505e8..d1038fcfc 100644 --- a/content/response_integrations/third_party/community/google_sheets/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/community/google_sheets/resources/ai/integration_ai_description.yaml @@ -1,12 +1,22 @@ product_categories: - asset_inventory: true + asset_inventory: false cloud_security: false collaboration: false edr: false email_security: false iam_and_identity_management: false - itsm: true + itsm: false network_security: false + reasoning: >- + The google_sheets integration includes a connector that ingests data from Google + Sheets into the SOAR platform as alerts. This capability aligns with the SIEM + category, which is used for ingesting and processing logs and events to identify + suspicious activity. The various actions provided (e.g., Add Row, Search Row, + Update Cell) are general-purpose data management utilities for Google Sheets and + do not perform security-specific tasks such as EDR, Threat Intelligence, IAM, + or ITSM. Therefore, the integration is classified under SIEM due to its data ingestion + capabilities, while all other categories are marked as false as the integration + does not provide specialized security functionality in those domains. siem: true threat_intelligence: false vulnerability_management: false diff --git a/content/response_integrations/third_party/community/goqr/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/goqr/resources/ai/actions_ai_description.yaml index 0f5580958..13cdcaeaf 100644 --- a/content/response_integrations/third_party/community/goqr/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/goqr/resources/ai/actions_ai_description.yaml @@ -13,6 +13,10 @@ Generate QR Code: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action generates a QR code image and attaches it to the case. It does not + match any of the predefined categories (Enrich IOC, Contain Host, etc.). It + is a utility action. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -30,70 +34,54 @@ Generate QR Code: ai_description: >- ### General Description - Use the **Generate QR Code** action to create a QR code image from a provided - string of data, such as a URL, text, or identifier. This utility action is useful - for visual representation of data within a case. The generated image is automatically - attached to the case wall for easy access by analysts. + Generates a QR code image from a provided string of data. This action interacts + with an external QR code generation service to create an image based on user-defined + parameters such as size, format, and error correction level. The resulting image + is saved as a temporary file and attached to the current case. ### Parameters Description - - | Parameter | Description | Expected Type | Mandatory | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Content | The data, URL, or text string to encode into the QR code. | String - | Yes | - - | Size | The dimensions of the generated image in pixels in the format {width}x{height}. - The maximum value is 1000x1000. Default is 200x200. | String | No | - - | Image Format | The file format for the output image. Options: png, jpg, gif, - svg. Default is png. | DDL | No | - - | Error Correction | The level of data redundancy applied to the QR code. Higher - levels increase damage resistance but result in a more complex image. Options: - Low (7%), Medium (15%), Quartile (25%), High (30%). Default is Low. | DDL | No - | + | Content | string | Yes | The data, URL, or text string to encode into the QR + code. | - | Margin | The width of the blank border (quiet zone) around the QR code, measured - in pixels. Default is 1. | String | No | + | Size | string | No | The dimensions of the generated image in pixels in the + format {width}x{height}. The maximum value is 1000x1000. Default: 200x200. | - | Foreground Color | The color of the QR code modules in R-G-B format. Default: - 0-0-0 (black). | String | No | + | Image Format | ddl | No | The file format for the output image (png, jpg, gif, + svg). Default: png. | - | Background Color | The color of the image background in R-G-B format. Default: - 255-255-255 (white). | String | No | - - - ### Additional Notes + | Error Correction | ddl | No | The level of data redundancy applied to the QR + code. Higher levels increase damage resistance, but result in a more complex image. + Default: Low. | - - This action does not run on Google SecOps entities. + | Margin | string | No | The width of the blank border (quiet zone) around the + QR code, measured in pixels. Default: 1. | - - The generated QR code is saved as a temporary file and then uploaded as a case - attachment. + | Foreground Color | string | No | The color of the QR code modules in R-G-B format. + Default: 0-0-0 (black). | - - The action returns a base64 encoded string of the image in the JSON results - for use in subsequent playbook steps. + | Background Color | string | No | The color of the image background in R-G-B + format. Default: 255-255-255 (white). | ### Flow Description - 1. **Extract Parameters:** The action retrieves the input string and optional - formatting parameters (size, colors, error correction) from the user configuration. + 1. Extract configuration parameters (Content, Size, Image Format, Error Correction, + Margin, Foreground Color, Background Color). - 2. **API Request:** It sends a request to the GOQR API to generate the QR code - image based on the provided specifications. + 2. Invoke the external QR code generation API with the provided parameters. - 3. **File Handling:** The received image bytes are saved to a temporary file on - the system. + 3. Save the returned image bytes to a temporary file. - 4. **Case Integration:** The temporary file is attached to the Google SecOps case - wall. + 4. Attach the generated file to the case wall. - 5. **Result Reporting:** The action populates the JSON results with the base64-encoded - image and metadata, then cleans up temporary files. + 5. Return a JSON result containing the base64-encoded image and configuration + details. capabilities: can_create_case_comments: false can_create_insight: false @@ -101,12 +89,19 @@ Generate QR Code: can_mutate_external_data: false can_mutate_internal_data: true can_update_entities: false - external_data_mutation_explanation: 'null' + external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: >- - Adds the generated QR code image as an attachment to the case wall. + internal_data_mutation_explanation: Adds an attachment to the case wall. + reasoning: >- + The action calls an external API to generate a QR code image (fetches_data=true). + It does not mutate external systems (can_mutate_external_data=false). It adds + an attachment to the case wall, which is an internal mutation (can_mutate_internal_data=true). categories: enrichment: false + reasoning: >- + The action generates a QR code image and attaches it to the case. It does not + gather supplemental context about alerts or entities, so it is not an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -122,6 +117,9 @@ Generate QR Code: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on entities. It generates a QR code from a provided + string and attaches it to the case. Ping: action_product_categories: add_alert_comment: false @@ -137,6 +135,9 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test (Ping) and does not perform any of the defined + functional operations like enriching IOCs, updating tickets, or containing hosts. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -152,39 +153,15 @@ Ping: update_identity: false update_ticket: false ai_description: >- - ### General Description - - The **Ping** action is a diagnostic tool used to verify the connectivity between - the Google SecOps platform and the QR Server API. It ensures that the integration - is correctly configured and that the network path to the API endpoint is open. - - - ### Parameters Description - - There are no parameters for this action. - - - ### Additional Notes - - This action uses the 'API Root' and 'Verify SSL' settings defined in the integration - configuration to establish the connection. It performs a lightweight request to - a specific endpoint to confirm the service is responsive. - - - ### Flow Description - - 1. **Initialize API Client**: The action starts by retrieving the integration's - global configuration, including the API Root URL and SSL verification settings. - - 2. **Execute Connectivity Test**: It sends a test request to the QR Server API - (specifically targeting the QR code creation endpoint with a 'PingCheck' payload). - - 3. **Evaluate Response**: The action checks if the API responds successfully without - errors. - - 4. **Report Status**: If the connection is successful, it returns a confirmation - message; otherwise, it provides an error message indicating a configuration or - connectivity issue. + Tests connectivity to the QR Server API. This action verifies that the integration + is correctly configured and the server is reachable. ### Flow 1. The action initializes + the API client using the configured API Root and Verify SSL settings. 2. It sends + a request to the QR Server API using the ping endpoint. 3. The action returns + a success message if the connection is established, or an error message if the + connection fails. ### Parameters | Parameter | Type | Mandatory | Description + | | :--- | :--- | :--- | :--- | | API Root | String | Yes | The base URL of the + QR Server API. | | Verify SSL | Boolean | Yes | Whether to verify SSL certificates + when connecting to the API. | ### Additional Notes There are no additional notes. capabilities: can_create_case_comments: false can_create_insight: false @@ -193,10 +170,18 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity check (ping) to the external QR Server API. + It does not fetch contextual data for entities, nor does it mutate any external + or internal data. It is a diagnostic action. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action. According to the instructions, 'Actions named + Ping must not be categorized as enrichment actions.' Therefore, it is not an + enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -212,6 +197,9 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. It is a global connectivity + test. Scan QR Code: action_product_categories: add_alert_comment: false @@ -227,6 +215,9 @@ Scan QR Code: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action decodes a QR code from an image. It does not match any of the defined + categories such as enrichment, containment, or ticket management. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -244,50 +235,39 @@ Scan QR Code: ai_description: >- ### General Description - The **Scan QR Code** action allows users to extract and decode information from - a QR code image. The image must be provided as a Base64-encoded string. This utility - is particularly useful for security analysts who need to programmatically inspect - the contents of QR codes found in phishing emails, documents, or other suspicious - artifacts. + Use the Scan QR Code action to extract and read data from a QR code image provided + in Base64 format. This action interacts with an external QR code scanning API + to decode the image content and return the results. ### Parameters Description - | Parameter | Description | Type | Mandatory | Default Value | + | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | :--- | + | --- | --- | --- | --- | - | QR Image Base64 Blob | The Base64-encoded string representing the QR code image - file to be scanned. | string | True | "" | + | QR Image Base64 Blob | string | Yes | The Base64-encoded string representing + the QR code image file. | ### Flow Description - 1. **Parameter Extraction**: The action retrieves the Base64-encoded image string - from the input parameters. - - 2. **Base64 Decoding**: The string is decoded into raw image bytes. If the string - is not valid Base64, the action raises a `GOQRError`. + 1. Accepts a Base64-encoded string representing a QR code image. - 3. **API Request**: The image bytes are sent to the GOQR API's `read-qr-code` - endpoint. + 2. Decodes the Base64 string into binary image data. - 4. **Response Validation**: The action checks if the API successfully identified - and decoded any QR code symbols within the image. + 3. Sends the image data to the configured QR code scanning API. - 5. **Data Extraction**: If valid symbols are found, the action extracts the decoded - data and metadata (such as the QR code type). + 4. Parses the API response to extract the decoded QR code data. - 6. **Output Generation**: The decoded results are formatted into a JSON object, - and the action completes successfully. + 5. Returns the decoded information as a JSON result. ### Additional Notes - - The action expects a valid image file (e.g., PNG, JPG) encoded in Base64 format. - - - If the image does not contain a recognizable QR code or if the API cannot decode - it, the action will fail with a descriptive error message. + The action requires a valid Base64-encoded string of a QR code image to function. + If the provided string is not a valid Base64-encoded image or does not contain + a QR code, the action will fail. capabilities: can_create_case_comments: false can_create_insight: false @@ -298,8 +278,16 @@ Scan QR Code: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a read-only operation by sending an image to an external + API to decode its contents. It does not modify any external systems or internal + SOAR data (entities, insights, or comments). categories: enrichment: false + reasoning: >- + The action is a utility for decoding QR codes. It does not perform enrichment + on entities or alerts, nor does it meet the criteria for an enrichment action + as it does not operate on SOAR entities. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -315,3 +303,6 @@ Scan QR Code: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use `target_entities`. It processes a user-provided Base64 + string directly. diff --git a/content/response_integrations/third_party/community/goqr/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/goqr/resources/ai/integration_ai_description.yaml index 0801c7556..a6f3dafc7 100644 --- a/content/response_integrations/third_party/community/goqr/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/community/goqr/resources/ai/integration_ai_description.yaml @@ -7,6 +7,12 @@ product_categories: iam_and_identity_management: false itsm: false network_security: false + reasoning: >- + The goqr integration provides utility actions for generating and scanning QR codes. + These actions do not perform security-related tasks such as log analysis, endpoint + protection, network security, threat intelligence enrichment, identity management, + or incident response orchestration. Consequently, it does not align with any of + the defined product categories. siem: false threat_intelligence: false vulnerability_management: false diff --git a/content/response_integrations/third_party/community/hibob/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/hibob/resources/ai/actions_ai_description.yaml index 67d62df9e..4131da6e2 100644 --- a/content/response_integrations/third_party/community/hibob/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/hibob/resources/ai/actions_ai_description.yaml @@ -13,6 +13,10 @@ Enrich Entities: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves contextual metadata (user details) for a user entity and + updates the entity within the platform. This matches the 'Enrich Asset' category. + It does not perform IOC enrichment, alert updates, or external system mutations. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -30,47 +34,53 @@ Enrich Entities: ai_description: >- ### General Description - The **Enrich Entities** action retrieves detailed employee information from the - Hibob HR platform for User entities within a case. It is designed to provide security - analysts with organizational context, such as department, role, and manager details, - by mapping Hibob user attributes directly to the entity's properties in Google - SecOps. + This action enriches User entities within the Google SecOps platform by retrieving + detailed profile information from the Hibob HR system. It fetches user data based + on the entity identifier, flattens the nested JSON response, and updates the entity's + `additional_properties` with the retrieved information. This provides analysts + with immediate access to HR-related context (e.g., department, role, status) directly + within the entity profile. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Initialization**: The action initializes the `HibobManager` using the API + root and token provided in the integration configuration. - | :--- | :--- | :--- | :--- | + 2. **Iteration**: It iterates through all `target_entities` associated with the + alert. - | Get User Image | Boolean | No | If enabled, the action logic is prepared to - handle user avatar retrieval, though the primary flow focuses on metadata enrichment. - | + 3. **Filtering**: It filters for entities of type `USER`. + 4. **Data Retrieval**: For each valid user entity, it calls the Hibob API to fetch + user details using the entity identifier. + + 5. **Data Processing**: If data is found, it flattens the nested dictionary structure + and adds a 'Hibob' prefix to all keys to ensure clarity. + + 6. **Internal Update**: It updates the entity's `additional_properties` with the + flattened data, sets the `is_enriched` flag to `True`, and updates the entity + in the SecOps platform. + + 7. **Result Reporting**: Finally, it adds the raw user data to the action result + JSON and returns a summary of enriched entities. - ### Flow Description - 1. **Initialization**: The action initializes the Hibob manager using the provided - API Token and base URL. + ### Parameters Description - 2. **Entity Filtering**: It iterates through all target entities in the current - context, specifically filtering for those of type **USER**. + | Parameter | Type | Mandatory | Description | - 3. **Data Retrieval**: For each User entity, the action queries the Hibob API - (`/v1/people/{identifier}`) using the entity's identifier (typically an email - or employee ID). + | :--- | :--- | :--- | :--- | - 4. **Data Transformation**: The retrieved JSON response is flattened into a single-level - dictionary to ensure compatibility with entity attributes. + | Get User Image | Boolean | No | A flag indicating whether to attempt to retrieve + the user's profile image. Note: While extracted, this parameter is not utilized + in the core enrichment logic of the current script version. | - 5. **Namespace Prefixing**: A "Hibob" prefix is added to all retrieved keys to - prevent data collisions and clearly identify the source of the enrichment. - 6. **Internal Update**: The entity's `additional_properties` are updated with - the new metadata, and the entity is marked as `is_enriched`. + ### Additional Notes - 7. **Finalization**: The action updates the entities within Google SecOps and - outputs a summary message of the enriched users along with the raw JSON results. + This action performs read-only operations on the external Hibob system (GET requests) + and only modifies internal entity data within the SecOps platform. capabilities: can_create_case_comments: false can_create_insight: false @@ -81,10 +91,18 @@ Enrich Entities: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with flattened Hibob user metadata and - sets the 'is_enriched' flag to true. + Updates entity additional_properties and sets the is_enriched flag to true. + reasoning: >- + The action fetches user details from the Hibob API (fetches_data=true). It updates + the entity's `additional_properties` and `is_enriched` flag within the SOAR + platform (can_mutate_internal_data=true, can_update_entities=true). It does + not perform any write operations on the external Hibob system. categories: enrichment: true + reasoning: >- + The action fetches data from an external source (Hibob) and updates internal + entity properties without modifying external state. This meets the criteria + for an enrichment action. entity_usage: entity_types: - USERUNIQNAME @@ -101,6 +119,9 @@ Enrich Entities: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and explicitly filters for + `EntityTypes.USER` using an if-statement. Get User Image: action_product_categories: add_alert_comment: false @@ -116,6 +137,10 @@ Get User Image: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves contextual metadata (profile image) for a user from an + external HR system. This aligns with the 'Enrich Asset' category, as it provides + additional context about a user resource. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -133,46 +158,43 @@ Get User Image: ai_description: >- ### General Description - The **Get User Image** action retrieves the profile image (avatar) for a specific - employee from the Hibob platform using their email address. This action is useful - for enriching user profiles within a security context or for identity verification - processes. It returns the image in both Base64 encoded format and as a decoded - string. + This action retrieves the profile image for a specific employee from the Hibob + HR platform. It fetches the image as both a URL and a base64-encoded string, allowing + analysts to view user avatars directly within the SOAR platform. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Extract Parameters**: The action retrieves the `Employee's Email` provided + by the user. - | :--- | :--- | :--- | :--- | + 2. **Fetch User Details**: It queries the Hibob API to resolve the email address + to a unique employee identifier. - | Employee's Email | String | True | The email address of the employee whose photo - you want to retrieve. | + 3. **Fetch Image**: Using the employee identifier, it requests the user's avatar + image from the Hibob API. + 4. **Process Data**: If the image is found, it converts the binary content into + a base64 string. - ### Flow Description + 5. **Return Results**: The action outputs the image URL and base64 string as a + JSON result for the analyst. - 1. **Parameter Extraction**: The action retrieves the provided employee email - from the input parameters. - 2. **User Identification**: It queries the Hibob API to find the employee's internal - unique identifier associated with the provided email address. + ### Parameters Description - 3. **Image Retrieval**: Using the internal identifier, it fetches the employee's - avatar data from the Hibob avatar endpoint. + | Parameter | Type | Mandatory | Description | - 4. **Data Processing**: The binary image content is encoded into a Base64 string - for easy transport and display. + | :--- | :--- | :--- | :--- | - 5. **Result Output**: The action returns a JSON object containing the Base64 string - and the decoded content, along with status flags indicating if the user and image - exist. + | Employee's Email | string | Yes | The email address of the employee whose profile + image is to be retrieved. | ### Additional Notes - - If the user is not found or does not have an image associated with their profile, - the action will return a failure status with a descriptive message. + This action is read-only and does not modify any data within the SOAR platform + or the external Hibob system. capabilities: can_create_case_comments: false can_create_insight: false @@ -183,8 +205,17 @@ Get User Image: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs GET requests to the Hibob API to retrieve user details and + images. It does not perform any POST/PUT/DELETE operations on external systems + (can_mutate_external_data=false). It does not update entities, create insights, + or add comments to the case (can_mutate_internal_data=false). categories: - enrichment: true + enrichment: false + reasoning: >- + While the action fetches data (user image), it does not meet the criteria for + an Enrichment Action because it does not update entities, create insights, or + add case comments. It simply returns a JSON result. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -200,6 +231,9 @@ Get User Image: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities`. It relies solely + on the `Employee's Email` parameter provided by the user to perform its lookup. Ping: action_product_categories: add_alert_comment: false @@ -215,6 +249,9 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test (Ping) and does not perform any of the defined + functional operations like enriching IOCs, updating tickets, or containing hosts. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -230,43 +267,35 @@ Ping: update_identity: false update_ticket: false ai_description: >- - ### General Description - + General description: - The **Ping** action is used to verify the connectivity between Google SecOps and - the Hibob platform. It ensures that the provided API credentials and the network - path to the Hibob API are functional. + This action tests the connectivity between the SOAR platform and the Hibob API. + It verifies that the provided API credentials are valid and that the service is + reachable. - ### Parameters Description - - - There are no parameters for this action. - - - ### Additional Notes + Flow description: + 1. The action retrieves the Hibob API configuration (API Token) from the integration + settings. - This action is primarily used for troubleshooting and initial setup verification. + 2. It initializes the Hibob manager with the API root and token. + 3. It sends a GET request to the Hibob API (`/api/user`) to verify connectivity. - ### Flow Description + 4. If the request is successful, it returns a success message; otherwise, it returns + a failure message. - 1. **Configuration Retrieval**: The action retrieves the API Token from the integration - settings. + Parameters description: - 2. **Manager Initialization**: An instance of the Hibob Manager is created using - the API root and token. + There are no parameters for this action. - 3. **Connectivity Test**: The action calls the `test_connectivity` method, which - performs a GET request to the `/api/user` endpoint. - 4. **Response Validation**: The action checks for successful HTTP status codes - and valid JSON responses. + Additional notes: - 5. **Final Output**: Returns a success message if the connection is established, - or an error message if it fails. + This action is strictly for connectivity testing and does not perform any data + retrieval or modification. capabilities: can_create_case_comments: false can_create_insight: false @@ -275,10 +304,17 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to verify connectivity to the Hibob API. It + does not modify any external or internal data, nor does it update entities or + create insights. categories: enrichment: false + reasoning: >- + The action is named 'Ping'. According to the instructions, 'Actions named Ping + must not be categorized as enrichment actions.' entity_usage: entity_types: [] filters_by_additional_properties: false @@ -294,6 +330,8 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. Revoke Access: action_product_categories: add_alert_comment: false @@ -309,6 +347,10 @@ Revoke Access: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action revokes access for a user in an external system (Hibob). This aligns + with the 'Disable Identity' category, which is defined as 'Revokes active sessions + and prevents a user or service account from authenticating to the network.' remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -321,50 +363,40 @@ Revoke Access: uncontain_host: false update_alert: false update_email: false - update_identity: true + update_identity: false update_ticket: false ai_description: >- ### General Description - The **Revoke Access** action is designed to disable a specific employee's access - to the Hibob platform using their email address. This action is primarily used - for offboarding or security containment to ensure a user can no longer authenticate - or access company resources within Hibob. + This action disables an employee's access in the Hibob platform by their email + address. It verifies the user's existence and current status before performing + the revocation. ### Parameters Description - | Parameter | Description | Type | Mandatory | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Employee's Email | The email address of the employee whose access needs to be - revoked in Hibob. | String | Yes | - - - ### Additional Notes - - This action does not process entities from the Google SecOps case; it relies entirely - on the provided email parameter. It performs a state-changing operation in Hibob - by 'uninviting' the user. + | Employee's Email | string | Yes | The email address of the employee whose access + needs to be revoked in Hibob. | ### Flow Description - 1. **Retrieve Employee Details:** The action calls the Hibob API to find the employee's - internal ID and current status based on the provided email address. + 1. Extracts the 'Employee's Email' from the action parameters. - 2. **Validate Existence:** If the employee is not found in Hibob, the action returns - a failure status. + 2. Retrieves the employee's details from Hibob using the provided email to obtain + their unique identifier. - 3. **Check Current Status:** The action checks if the employee's status is already - 'uninvited'. If so, it concludes that the revocation was already performed. + 3. Checks the current status of the employee. - 4. **Execute Revocation:** If the employee is active, the action sends a POST - request to the Hibob `/uninvite` endpoint to revoke their access. + 4. If the employee exists and is not already revoked, it sends a request to Hibob + to revoke their access. - 5. **Report Result:** The action returns a JSON result indicating whether the - user existed and if the revocation was successfully completed. + 5. Returns the status of the operation (success/failure) and whether the user + existed or was already revoked via the action result. capabilities: can_create_case_comments: false can_create_insight: false @@ -373,12 +405,19 @@ Revoke Access: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - The action sends a POST request to the Hibob '/uninvite' endpoint, which changes - the employee's status to 'uninvited' and revokes their access to the platform. + Revokes access for a specific employee in the Hibob platform by uninviting them. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches user details from Hibob (GET request) and then performs a + revocation (POST request) on the Hibob platform. It does not modify internal + SOAR data (entities, insights, or case comments). categories: enrichment: false + reasoning: >- + The action performs a mutation on an external system (Hibob) to revoke access. + It is not an enrichment action because it modifies the state of an external + system. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -394,6 +433,10 @@ Revoke Access: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not iterate over `siemplify.target_entities`. It extracts the + email directly from the action parameters (`siemplify.extract_action_param("Employee's + Email")`). Therefore, it does not run on entities. Search User: action_product_categories: add_alert_comment: false @@ -409,6 +452,10 @@ Search User: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action searches for a user in Hibob and retrieves their details. This matches + the "Search Asset" outcome. It also retrieves contextual metadata (user details), + which matches the "Enrich Asset" outcome. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -424,43 +471,40 @@ Search User: update_identity: false update_ticket: false ai_description: >- - Searches for a specific user's details in Hibob using their email address. This - action is primarily used to verify the existence of an employee and retrieve their - profile information from the Hibob HRIS platform. It retrieves a comprehensive - JSON object containing the user's data if a match is found. + ### General Description + Searches for a specific user in the Hibob HR system using their email address. + This action retrieves user details from Hibob and adds them to the action result + JSON. - ### Flow Description: - 1. **Parameter Extraction:** The action retrieves the 'Employee's Email' from - the user-provided parameters. + ### Flow Description - 2. **API Request:** It initializes the Hibob Manager and performs a GET request - to the Hibob API endpoint `/v1/people/{email}`. + 1. Extracts the "Employee's Email" parameter. - 3. **Data Processing:** The action checks the API response. If the user exists - (HTTP 200), it captures the user's profile details. + 2. Initializes the Hibob manager with the provided API token. - 4. **Result Reporting:** The retrieved data is added to the action's JSON results, - and the action completes with a success message. If the user is not found (HTTP - 404), it returns a failure message. + 3. Queries the Hibob API (`/v1/people/{employee_identifier}`) to retrieve user + details. + 4. If the user is found, the details are added to the action result JSON. - ### Parameters Description: + 5. The action concludes with a success or failure message. - | Parameter Name | Description | Type | Mandatory | Notes | - | :--- | :--- | :--- | :--- | :--- | + ### Parameters Description - | Employee's Email | The email address of the employee to search for in Hibob. - | String | Yes | Default value is 'email@gmail.com'. | + | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Additional Notes: + | Employee's Email | string | Yes | The email address of the employee to search + for in Hibob. | - This action operates independently of the entities present in the Google SecOps - case. It relies strictly on the email address provided in the 'Employee's Email' - parameter. + + ### Additional Notes + + There are no additional notes. capabilities: can_create_case_comments: false can_create_insight: false @@ -471,8 +515,17 @@ Search User: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Hibob API to retrieve user details. + It does not mutate external data (no POST/PUT/DELETE). It does not mutate internal + data (no `update_entities`, `add_entity_insight`, etc.). It does not update + entities, create insights, modify alert data, or create case comments. categories: enrichment: false + reasoning: >- + The action fetches data from an external system (Hibob) but does not operate + on entities or update internal SOAR data (like insights or entity fields). Therefore, + it does not meet the criteria for an Enrichment Action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -488,6 +541,10 @@ Search User: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities` or use entity-specific + identifiers to perform its task. It takes an input parameter "Employee's Email" + directly. Therefore, it does not run on entities. Send Invitation: action_product_categories: add_alert_comment: false @@ -503,6 +560,9 @@ Send Invitation: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action sends an invitation to an employee in Hibob, which modifies the user's + access state (enabling them to log in). This aligns with 'Enable Identity'. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -515,61 +575,46 @@ Send Invitation: uncontain_host: false update_alert: false update_email: false - update_identity: true + update_identity: false update_ticket: false ai_description: >- ### General Description - This action sends an invitation to a new or existing employee in the Hibob HR - system. It is primarily used to invite users to log in for the first time or to - re-invite users who were previously disabled or whose invitation state is not - currently active. The action identifies the user by their email address and applies - a specific onboarding 'Welcome Wizard' flow as defined in the Hibob settings. + This action sends an invitation to an employee in the Hibob system, allowing them + to log in for the first time or re-inviting them if they were previously disabled. + This action interacts with the Hibob API to verify user existence and status before + triggering the invitation process. ### Parameters Description - | Parameter | Description | Type | Mandatory | Notes | - - | :--- | :--- | :--- | :--- | :--- | - - | Employee's Email | The email address of the employee to be invited. | String - | True | Used to look up the employee's unique ID in Hibob. | + | Parameter | Type | Mandatory | Description | - | Welcome Wizard Name | The name of the onboarding wizard flow (e.g., 'Welcome!'). - | String | True | This value is case-sensitive and must match the name configured - in Hibob (Settings -> Flows). | + | :--- | :--- | :--- | :--- | + | Employee's Email | string | Yes | The email address of the employee to invite. + | - ### Additional Notes + | Welcome Wizard Name | string | Yes | The name of the wizard to use for the invitation + (case-sensitive). | - - The action first verifies if the employee exists in Hibob before attempting - to send an invitation. - - If the employee is already in an 'invited' state, the action will terminate - without sending a duplicate invitation to avoid spamming the user. + ### Flow Description - - The 'Welcome Wizard Name' must exactly match the name in Hibob for the corresponding - ID to be correctly resolved. + 1. Extracts the `Employee's Email` and `Welcome Wizard Name` from the action parameters. + 2. Retrieves the employee's details from Hibob using the provided email. - ### Flow Description + 3. Verifies if the employee exists and checks their current invitation status. - 1. **Fetch Employee Details:** The action calls the Hibob API to retrieve the - employee's unique identifier and current invitation state based on the provided - email. + 4. If the employee is not already invited, it retrieves the list of available + welcome wizards. - 2. **Validate State:** It checks if the employee exists and if they have already - been invited. + 5. Matches the provided `Welcome Wizard Name` to a wizard ID. - 3. **Retrieve Wizards:** If the employee is eligible for an invitation, the action - fetches a list of all available onboarding wizards from Hibob. + 6. Sends an invitation to the employee using the identified wizard ID. - 4. **Resolve Wizard ID:** It searches the list of wizards to find the ID corresponding - to the provided 'Welcome Wizard Name'. - - 5. **Send Invitation:** The action performs a POST request to Hibob to trigger - the invitation for the employee using the identified wizard ID. + 7. Returns the result of the operation as a JSON object. capabilities: can_create_case_comments: false can_create_insight: false @@ -578,13 +623,19 @@ Send Invitation: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - The action performs a POST request to the Hibob API to send an invitation to - a specific employee, which modifies the employee's invitation state in the Hibob - system and triggers an automated email. + Sends an invitation to an employee in the Hibob system, which changes the employee's + invitation state. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action makes a POST request to invite an employee (can_mutate_external_data=true). + It fetches user details and wizard information (fetches_data=true). It does + not update internal entities or modify case data. categories: enrichment: false + reasoning: >- + The action mutates external data (sends an invitation), which violates the requirement + for an enrichment action to be read-only regarding external systems. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -600,6 +651,10 @@ Send Invitation: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use `target_entities`. It extracts parameters directly from + the action configuration using `siemplify.extract_action_param`. Therefore, + it does not run on entities. Upload User Image: action_product_categories: add_alert_comment: false @@ -615,6 +670,10 @@ Upload User Image: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action updates a user's profile image in an external HR system (Hibob). + This aligns with the 'Update Identity' category, which involves modifying account + metadata. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -632,44 +691,43 @@ Upload User Image: ai_description: >- ### General Description - The **Upload User Image** action allows analysts to update or set a profile picture - for a specific employee within the Hibob HR platform. By providing the employee's - email and a direct URL to an image, the action automatically resolves the internal - Hibob employee identifier and performs the update. + This action uploads a user image (avatar) to the Hibob HR platform for a specific + employee. It retrieves the employee's unique identifier using their email address + and then updates their profile image using the provided image URL. - ### Parameters Description + ### Flow Description - | Parameter Name | Type | Mandatory | Description | + 1. The action extracts the 'Employee's Email' and 'Url Image' parameters provided + by the user. - | :--- | :--- | :--- | :--- | + 2. It queries the Hibob API to retrieve the employee's details, specifically their + unique identifier, using the provided email address. - | Employee's Email | String | Yes | The email address of the employee whose profile - image you want to update. | + 3. If the employee is found, the action performs a PUT request to the Hibob API + to update the user's avatar with the specified image URL. - | Url Image | String | Yes | The public URL of the image to be uploaded as the - employee's avatar. | + 4. The action returns a success or failure message based on the outcome of the + API request. - ### Flow Description + ### Parameters Description - 1. **Retrieve Employee ID**: The action first queries the Hibob API using the - provided email address to fetch the employee's unique internal identifier. + | Parameter | Type | Mandatory | Description | - 2. **Validation**: It checks if the user exists in the Hibob system. If not, the - action terminates with a failure message. + | :--- | :--- | :--- | :--- | - 3. **Upload Image**: Using the retrieved employee ID, the action sends a PUT request - to the Hibob avatars endpoint, passing the provided image URL in the request body. + | Employee's Email | string | Yes | The email address of the employee whose image + is to be updated. | - 4. **Final Status**: The action returns a success message if the image is updated - or an error message if the upload fails (e.g., 404 error from the API). + | Url Image | string | Yes | The URL of the image to be uploaded as the user's + avatar. | ### Additional Notes - This action requires a valid API Token with permissions to read employee data - and update avatars in Hibob. + This action interacts directly with the Hibob API to modify user data. It does + not perform any operations on SOAR entities or internal case data. capabilities: can_create_case_comments: false can_create_insight: false @@ -678,12 +736,19 @@ Upload User Image: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the employee's profile avatar in the Hibob platform via a PUT request - to the avatars endpoint. + Updates the user's avatar/image in the Hibob HR platform. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches user details (GET) to retrieve an ID, then performs a PUT + request to update the user's avatar in the external Hibob system. It does not + modify internal SOAR data or entities. categories: enrichment: false + reasoning: >- + The action mutates external data (uploads an image), which violates the 'External + State Preservation' rule for enrichment actions. Therefore, it is not an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -699,3 +764,7 @@ Upload User Image: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or process `siemplify.target_entities`. It + relies entirely on user-provided parameters (email) to identify the user in + the external system. diff --git a/content/response_integrations/third_party/community/hibob/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/hibob/resources/ai/integration_ai_description.yaml index 0b062e038..38e85d461 100644 --- a/content/response_integrations/third_party/community/hibob/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/community/hibob/resources/ai/integration_ai_description.yaml @@ -7,6 +7,17 @@ product_categories: iam_and_identity_management: true itsm: false network_security: false + reasoning: >- + The Hibob integration is an HR management platform that provides context and lifecycle + management for user identities. It qualifies for 'IAM & Identity Management' because + it includes actions like 'Revoke Access' and 'Send Invitation', which allow the + agent to manage user account states (suspending or enabling access). It also qualifies + for 'Asset Inventory' because it provides 'Enrich Entities' and 'Search User' + actions, which retrieve detailed HR metadata (department, role, status) for user + entities, helping analysts understand the context of internal assets. It does + not qualify for other categories like SIEM, EDR, Network Security, or Threat Intelligence + as it does not interact with logs, host processes, network traffic, or external + threat indicators. siem: false threat_intelligence: false vulnerability_management: false diff --git a/content/response_integrations/third_party/community/imgbb/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/imgbb/resources/ai/actions_ai_description.yaml index f52dc522c..6f6960b12 100644 --- a/content/response_integrations/third_party/community/imgbb/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/imgbb/resources/ai/actions_ai_description.yaml @@ -13,6 +13,10 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action performs a connectivity test by uploading an image to Imgbb. It does + not match any of the defined product categories (e.g., it is not a sandbox submission, + it is not an IOC enrichment, it is not a ticket creation). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -28,46 +32,15 @@ Ping: update_identity: false update_ticket: false ai_description: >- - ### General Description - - The **Ping** action is designed to verify the connectivity between Google SecOps - and the Imgbb service. It ensures that the provided API key is valid and that - the network path to the Imgbb API is open. Unlike a standard ICMP ping, this action - performs a functional test by attempting to upload a small sample image to the - service. - - - ### Parameters Description - - There are no user-configurable parameters for this action. It relies entirely - on the integration's global configuration (API Key). - - - ### Additional Notes - - * This action is primarily used for troubleshooting and initial setup verification. - - * Although named 'Ping', the action performs a POST request to the upload endpoint, - which results in a temporary resource creation on the Imgbb servers (set to expire - in 600 seconds). - - - ### Flow Description - - 1. **Configuration Retrieval:** The action fetches the 'API Key' from the Imgbb - integration settings. - - 2. **Request Construction:** It prepares a POST request to the Imgbb upload API - (`https://api.imgbb.com/1/upload`) including the API key and a hardcoded base64-encoded - sample image. - - 3. **Connectivity Test:** The action executes the HTTP POST request. - - 4. **Validation:** It checks the HTTP response status code. If the request is - successful (2xx status), it confirms connectivity. - - 5. **Completion:** The action returns a success message and a boolean result to - the SOAR platform. + Tests connectivity to the Imgbb service by performing a test image upload. This + action verifies that the integration is configured correctly and can communicate + with the external API. ### Flow Description 1. Initialize the SiemplifyAction. + 2. Retrieve the 'API Key' from the Imgbb integration configuration. 3. Construct + the API upload URL using the provided API key. 4. Send a POST request to the Imgbb + API with a hardcoded test image. 5. Terminate the action with a success message + if the request is successful. ### Parameters | Parameter | Type | Mandatory | + Description | | --- | --- | --- | --- | | API Key | String | Yes | The API key + used to authenticate requests to the Imgbb service. | capabilities: can_create_case_comments: false can_create_insight: false @@ -76,12 +49,19 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - The action performs a POST request to the Imgbb upload endpoint, which creates - a temporary image resource on the external service. + Uploads a test image to the Imgbb service to verify connectivity. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to an external service (Imgbb) to upload + an image, which constitutes an external mutation. It does not fetch data, update + internal entities, or modify case data. categories: enrichment: false + reasoning: >- + The action is named 'Ping', which is explicitly excluded from being an enrichment + action. Furthermore, it performs an external mutation (upload) rather than fetching + data, failing the enrichment criteria. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -97,6 +77,9 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. It performs a global connectivity + test. Upload Image From Base64: action_product_categories: add_alert_comment: false @@ -112,6 +95,9 @@ Upload Image From Base64: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action uploads an image to an external service. It does not match any of + the predefined categories like enrichment, ticket management, or containment. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -120,7 +106,7 @@ Upload Image From Base64: search_events: false send_email: false send_message: false - submit_file: true + submit_file: false uncontain_host: false update_alert: false update_email: false @@ -129,49 +115,43 @@ Upload Image From Base64: ai_description: >- ### General Description - This action uploads an image to the Imgbb hosting service using a base64 encoded - string. It is designed to facilitate the external hosting of image-based evidence - (such as screenshots or captured visual data) and retrieve a publicly accessible - URL for use in reports or further automation steps. + This action uploads a base64-encoded image to the Imgbb service. It is designed + to take an image string, send it to the Imgbb API, and retrieve the resulting + image URL for use within the SOAR platform. - ### Parameters Description + ### Flow Description - | Parameter Name | Description | Type | Mandatory | Additional Notes | + 1. The action extracts the `Image in base64` parameter provided by the user. - | :--- | :--- | :--- | :--- | :--- | + 2. It constructs a POST request to the Imgbb API (`https://api.imgbb.com/1/upload`) + with the base64 image data. - | Image in base64 | The base64 encoded string of the image you would like to upload - to Imgbb. | string | True | Ensure the string is a valid base64 representation - of an image file. | + 3. The API response is parsed to retrieve the uploaded image URL. + 4. If the upload is successful, the action adds the image URL as a link to the + action result and returns a success message. - ### Additional Notes + 5. If the upload fails, the action returns an error message and sets the result + to failure. - - The action hardcodes an expiration of 600 seconds (10 minutes) for the uploaded - image via the API URL. - - The action provides the resulting URL as both a clickable link in the SOAR interface - and a structured JSON result. + ### Parameters Description + | Parameter | Type | Mandatory | Description | - ### Flow Description + | :--- | :--- | :--- | :--- | - 1. **Configuration Retrieval**: The action fetches the API Key and SSL verification - settings from the Imgbb integration configuration. + | Image in base64 | string | Yes | The base64-encoded string of the image to be + uploaded to Imgbb. | - 2. **Parameter Extraction**: It retrieves the base64 image string provided by - the user. - 3. **External API Interaction**: A POST request is sent to the Imgbb API (`https://api.imgbb.com/1/upload`) - containing the image data. + ### Additional Notes - 4. **Response Processing**: The action parses the JSON response from Imgbb to - extract the `url` of the uploaded image. + - This action requires an API key to be configured in the Imgbb integration settings. - 5. **Result Output**: If successful, it adds the image URL as a link to the action - results and populates the JSON result object. If it fails, it captures the error - message from the API. + - The action does not interact with any specific entities; it operates on the + provided base64 string. capabilities: can_create_case_comments: false can_create_insight: false @@ -179,13 +159,19 @@ Upload Image From Base64: can_mutate_external_data: true can_mutate_internal_data: false can_update_entities: false - external_data_mutation_explanation: >- - Uploads a new image to the Imgbb hosting service, creating a new remote resource - on their servers. - fetches_data: true + external_data_mutation_explanation: Uploads an image to the Imgbb service. + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to an external service (Imgbb) to upload + an image, which constitutes external data mutation. It does not fetch contextual + data about entities or alerts, nor does it modify internal SOAR data (entities, + insights, etc.). categories: enrichment: false + reasoning: >- + The action is an upload utility, not an enrichment action. It does not fetch + data about entities or alerts. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -201,6 +187,9 @@ Upload Image From Base64: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `target_entities`. It processes a provided + base64 string parameter. Upload Image From File Path: action_product_categories: add_alert_comment: false @@ -216,6 +205,10 @@ Upload Image From File Path: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action uploads an image to an external hosting service (Imgbb). It does + not match any of the provided security-specific categories such as enrichment, + containment, ticketing, or alert management. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -224,7 +217,7 @@ Upload Image From File Path: search_events: false send_email: false send_message: false - submit_file: true + submit_file: false uncontain_host: false update_alert: false update_email: false @@ -233,32 +226,25 @@ Upload Image From File Path: ai_description: >- ### General Description - Uploads an image file from a specified local file path to the Imgbb hosting service. - This action is designed to facilitate the sharing of visual evidence (such as - screenshots or forensic captures) by converting local files into accessible web - URLs. The resulting URL is provided as a link in the action results and within - the JSON output. + This action uploads an image file from a specified local file path to the Imgbb + image hosting service. It facilitates the sharing of images by hosting them externally + and returning a direct URL to the uploaded content. ### Flow Description - 1. **Configuration Retrieval**: Fetches the API Key and SSL verification settings - from the integration configuration. - - 2. **Parameter Extraction**: Retrieves the mandatory 'Image File Path' provided - by the user. + 1. The action extracts the `Image File Path` parameter provided by the user. - 3. **File Processing**: Opens the file from the local directory, reads its binary - content, and encodes it into a base64 string. + 2. It reads the image file from the local file system and encodes the binary content + into a base64 string. - 4. **External API Interaction**: Sends a POST request to the Imgbb API containing - the base64-encoded image. + 3. A POST request is sent to the Imgbb API (`https://api.imgbb.com/1/upload`) + containing the base64-encoded image data. - 5. **Response Handling**: Parses the JSON response from Imgbb to extract the generated - image URL. + 4. The action parses the API response to extract the hosted image URL. - 6. **Output Generation**: Adds the image URL as a clickable link to the SOAR action - result and populates the JSON result for downstream use in the playbook. + 5. The image URL is added as a link to the action result, and the full JSON response + is attached to the action output. ### Parameters Description @@ -267,17 +253,14 @@ Upload Image From File Path: | :--- | :--- | :--- | :--- | - | Image File Path | string | True | The absolute file system path of the image - to be uploaded to Imgbb. | + | Image File Path | string | Yes | The local file system path to the image file + that should be uploaded to Imgbb. | ### Additional Notes - * The action automatically sets an expiration of 600 seconds (10 minutes) for - the uploaded image via the API URL parameter. - - * If the upload fails or the service does not return a URL, the action will return - a failure status. + This action does not interact with any SecOps entities. It is a utility action + designed for file hosting and retrieval. capabilities: can_create_case_comments: false can_create_insight: false @@ -286,12 +269,22 @@ Upload Image From File Path: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Uploads a file to the Imgbb service, which creates a new hosted image resource - on their servers. - fetches_data: true + The action uploads an image file to the Imgbb hosting service, creating a new + resource on their platform. + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to an external service (Imgbb) to upload + an image, which constitutes a mutation of external data. It does not fetch contextual + data about alerts or entities, nor does it modify internal SecOps data, entities, + or case comments. categories: enrichment: false + reasoning: >- + The action is not an enrichment action because it does not fetch contextual + data about entities or alerts. Furthermore, it mutates external data by uploading + a file, which violates the requirement for enrichment actions to be read-only + regarding external systems. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -307,3 +300,6 @@ Upload Image From File Path: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `siemplify.target_entities`. It operates solely + on a file path provided as an input parameter. diff --git a/content/response_integrations/third_party/community/imgbb/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/imgbb/resources/ai/integration_ai_description.yaml index 0801c7556..22161dbcc 100644 --- a/content/response_integrations/third_party/community/imgbb/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/community/imgbb/resources/ai/integration_ai_description.yaml @@ -7,6 +7,12 @@ product_categories: iam_and_identity_management: false itsm: false network_security: false + reasoning: >- + The Imgbb integration provides utility actions for uploading images to an external + hosting service. It does not perform any security-related functions such as threat + intelligence enrichment, log analysis, identity management, ticketing, or collaboration. + As it is a general-purpose utility integration, it does not align with any of + the specified security product categories. siem: false threat_intelligence: false vulnerability_management: false diff --git a/content/response_integrations/third_party/community/ipqs_fraud_and_risk_scoring/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/ipqs_fraud_and_risk_scoring/resources/ai/actions_ai_description.yaml index 2733f2d57..1a948bd6a 100644 --- a/content/response_integrations/third_party/community/ipqs_fraud_and_risk_scoring/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/ipqs_fraud_and_risk_scoring/resources/ai/actions_ai_description.yaml @@ -13,6 +13,10 @@ Enrich Domain: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves reputation and threat intelligence for domains/hostnames, + which aligns with 'Enrich IOC'. It does not perform containment, ticket management, + or other state-changing operations. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -30,58 +34,51 @@ Enrich Domain: ai_description: >- ### General Description - The **Enrich Domain** action leverages IPQualityScore (IPQS) to perform real-time - analysis of Hostname entities. It identifies malicious URLs, phishing attempts, - malware distribution points, and parked domains using advanced machine learning - models. The action provides detailed intelligence including risk scores, domain - age, and reputation data to help analysts assess the threat level of a domain. + This action enriches Hostname entities using the IPQualityScore (IPQS) API to + detect suspicious URLs, phishing, malware, and parked domains. It retrieves real-time + threat intelligence, including risk scores and domain reputation, to help analysts + assess the threat level of a domain. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Parameter Extraction**: The action extracts the `Strictness` and `Fast` parameters + from the configuration. - | :--- | :--- | :--- | :--- | + 2. **Entity Filtering**: The action iterates over the target entities, specifically + filtering for `HOSTNAME` entities. - | **Strictness** | DDL | Yes | Determines the intensity of the scan. Options are - 0, 1, or 2. Higher levels perform more rigorous checks but may increase the false-positive - rate. | + 3. **API Interaction**: For each valid entity, it performs a POST request to the + IPQS API to fetch reputation data. - | **Fast** | Boolean | No | When enabled, the API provides quicker response times - by utilizing lighter checks and analysis. | + 4. **Data Processing**: The action parses the API response, calculates risk scores, + and determines if the entity is suspicious. + 5. **Internal Update**: It updates the entity's `additional_properties` (e.g., + fraud score, domain age, risk category), sets the `is_enriched` flag, and updates + the `is_suspicious` status if the risk threshold is met. - ### Flow Description + 6. **Reporting**: It creates a case insight with the risk verdict and adds a data + table to the action results. - 1. **Parameter Extraction:** Retrieves the API Key from the integration configuration - and the Strictness and Fast settings from the action parameters. - 2. **Entity Filtering:** Identifies all Hostname entities within the current context - to be processed. + ### Parameters Description - 3. **External API Query:** For each Hostname, sends a POST request to the IPQS - URL API to retrieve reputation and risk data. + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | - 4. **Risk Assessment:** Evaluates the returned risk score and specific threat - flags (e.g., malware, phishing, suspicious) to determine a final risk verdict - (e.g., Clean, Suspicious, High Risk, Critical). + | Strictness | ddl | Yes | Determines the strictness of the URL scan (0, 1, 2). + Stricter checks may increase false positives. | - 5. **Internal Enrichment:** - * Updates the entity's additional properties with IPQS metadata prefixed - with 'IPQualityScore'. - * Sets the entity's status to 'Enriched' and marks it as 'Suspicious' if - the risk scoring logic determines a threat. - * Creates a detailed Case Insight and adds a data table to the entity for - immediate visibility in the SOAR interface. - 6. **Result Reporting:** Consolidates the results into a JSON object and provides - a summary message of the processed entities. + | Fast | boolean | No | When enabled, the API provides quicker response times + using lighter checks and analysis. | ### Additional Notes - This action is specifically targeted at Hostname entities. While the underlying - manager supports multiple types, this specific action script restricts processing - to Hostnames. + This action is strictly limited to `HOSTNAME` entities as defined in the script + logic. capabilities: can_create_case_comments: false can_create_insight: true @@ -92,10 +89,19 @@ Enrich Domain: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity attributes with enrichment data, sets the suspicious status of - entities based on risk scores, and creates case insights for analyst visibility. + Updates entity properties (is_enriched, is_suspicious, additional_properties) + and creates case insights. + reasoning: >- + The action fetches threat intelligence data from the IPQS API (fetches_data=true). + It does not mutate external systems (can_mutate_external_data=false). It updates + internal entity properties (is_enriched, is_suspicious, additional_properties) + and creates case insights (can_mutate_internal_data=true). categories: enrichment: true + reasoning: >- + The action fetches data from an external source (IPQS) and updates internal + entities/insights without modifying external systems. This fits the definition + of an enrichment action. entity_usage: entity_types: - HOSTNAME @@ -112,6 +118,10 @@ Enrich Domain: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The script explicitly calls `ipqs_manager.enrich([EntityTypes.HOSTNAME])`, limiting + the action to HOSTNAME entities. It iterates over `target_entities` and filters + by `entity_type`. Enrich Email: action_product_categories: add_alert_comment: false @@ -127,6 +137,10 @@ Enrich Email: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves reputation, prevalence, and threat intelligence for an + email address (IOC). This matches the 'Enrich IOC' category. It does not perform + any other listed actions like blocking, ticketing, or alert modification. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -141,73 +155,33 @@ Enrich Email: update_email: false update_identity: false update_ticket: false - ai_description: >- - ### General Description - - Enriches Email addresses (represented as User entities) using the IPQualityScore - (IPQS) API. This action performs real-time validation, including syntax and DNS - checks, and determines if an email address is associated with abuse, fraud, or - disposable mail services. It calculates a fraud score and provides a risk verdict, - which is then used to update the entity's suspicious status and create detailed - case insights. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Abuse Strictness | DDL | Yes | Sets the strictness level (0, 1, or 2) for machine - learning pattern recognition of abusive email addresses. | - - | Fast | Boolean | No | If enabled, skips the SMTP check to increase API response - speed. | - - | Timeout in seconds | String | No | Maximum time (default 7s) to wait for a response - from the mail service provider. | - - | Suggest Domain | Boolean | No | If enabled, checks for and suggests corrections - for typos in the email domain. | - - - ### Additional Notes - - - The action specifically targets `USER` entities and validates that their identifier - matches an email regex pattern before processing. - - - Internal risk scoring logic determines the 'is_suspicious' status based on the - `fraud_score`, `disposable`, and `valid` fields returned by the API. - - - ### Flow Description - - 1. **Configuration Retrieval**: Retrieves the API key from the integration configuration - and extracts action parameters (Abuse Strictness, Fast mode, Timeout, and Suggest - Domain). - - 2. **Entity Filtering**: Filters the target entities to identify those of type - `USER`. - - 3. **Email Validation**: For each identified `USER` entity, the action verifies - if the identifier matches a standard email format using a regular expression. - - 4. **API Interaction**: Sends a POST request to the IPQS Email Validation API - for each valid email address, passing the configured strictness and speed parameters. - - 5. **Risk Assessment**: Parses the API response to calculate a risk verdict (e.g., - CLEAN, LOW RISK, HIGH RISK, INVALID, or DISPOSABLE) based on the fraud score and - validation flags. - - 6. **Internal Data Mutation**: Updates the Google SecOps entity with enrichment - attributes (prefixed with 'IPQualityScore'), sets the `is_enriched` flag, and - marks the entity as `is_suspicious` if the risk level is elevated. - - 7. **Insight Generation**: Creates a Case Insight for each processed entity, providing - a summary of the IPQS verdict. - - 8. **Result Reporting**: Adds a detailed data table to the entity and populates - the action's JSON results with the full API response. + ai_description: "### General Description\nThis action enriches email address entities\ + \ using the IPQualityScore (IPQS) API. It retrieves real-time reputation, validity,\ + \ and risk scoring data to help analysts determine if an email address is disposable,\ + \ malicious, or associated with fraudulent behavior. The action updates the entity\ + \ with detailed properties and generates a case insight for quick visibility.\n\ + \n### Flow Description\n1. **Configuration Extraction**: The action retrieves\ + \ the API key and user-defined parameters (Abuse Strictness, Fast, Timeout, Suggest\ + \ Domain).\n2. **Entity Filtering**: It iterates through the target entities,\ + \ specifically selecting `USER` entities that match a valid email address format\ + \ (using a regex check).\n3. **External API Interaction**: For each valid email,\ + \ it sends a POST request to the IPQS API to fetch reputation and risk data.\n\ + 4. **Data Processing**: The API response is parsed to extract metrics such as\ + \ fraud score, disposable status, and deliverability.\n5. **Internal Updates**:\ + \ \n - Updates the entity's `additional_properties` with the retrieved data.\n\ + \ - Sets the `is_enriched` flag on the entity.\n - Optionally updates the\ + \ `is_suspicious` flag based on the risk score.\n - Adds an entity table to\ + \ the SOAR platform with the detailed results.\n - Creates a case insight summarizing\ + \ the IPQS verdict.\n\n### Parameters Description\n| Parameter | Type | Mandatory\ + \ | Description |\n| :--- | :--- | :--- | :--- |\n| Abuse Strictness | ddl | Yes\ + \ | Sets the strictness level (0, 1, 2) for machine learning pattern recognition\ + \ of abusive email addresses. |\n| Fast | boolean | No | When enabled, skips the\ + \ SMTP check with the mail service provider to increase API speed. |\n| Timeout\ + \ in seconds | string | No | Maximum number of seconds to wait for a reply from\ + \ the mail service provider. |\n| Suggest Domain | boolean | No | If enabled,\ + \ forces analysis to check if the email domain has a typo and suggests a correction.\ + \ |\n\n### Additional Notes\n- The action specifically targets `USER` entities.\ + \ If an entity is not a `USER` or does not match the email regex, it will be skipped." capabilities: can_create_case_comments: false can_create_insight: true @@ -218,10 +192,20 @@ Enrich Email: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity attributes with enrichment data, sets the 'is_suspicious' flag - based on the fraud score, and creates case insights. + Updates entity properties, adds entity tables, and creates case insights within + the SOAR platform. + reasoning: >- + The action fetches data from an external API (IPQS) to enrich entities. It does + not mutate external systems (no block/quarantine actions). It performs allowed + internal mutations by updating entity properties, adding entity tables, and + creating case insights. categories: enrichment: true + reasoning: >- + The action fetches data from an external source (IPQS) to enrich entities. It + does not mutate external systems. It performs allowed internal mutations (updating + entities, creating insights). It is not a Ping or download action. Therefore, + it is an enrichment action. entity_usage: entity_types: - USERUNIQNAME @@ -230,7 +214,7 @@ Enrich Email: filters_by_case_identifier: false filters_by_creation_time: false filters_by_entity_type: true - filters_by_identifier: false + filters_by_identifier: true filters_by_is_artifact: false filters_by_is_enriched: false filters_by_is_internal: false @@ -238,6 +222,10 @@ Enrich Email: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and filters by `entity.entity_type + == EntityTypes.USER`. It further validates the entity identifier using an email + regex. Enrich IP: action_product_categories: add_alert_comment: false @@ -249,10 +237,14 @@ Enrich IP: disable_identity: false download_file: false enable_identity: false - enrich_asset: false + enrich_asset: true enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves reputation, fraud scores, and risk intelligence for various + indicators (IP, URL, Hostname) and assets (User, Phone). This matches 'Enrich + IOC' and 'Enrich Asset'. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -267,37 +259,39 @@ Enrich IP: update_email: false update_identity: false update_ticket: false - ai_description: "### General Description\nEnriches IP Address entities using the\ - \ IPQualityScore (IPQS) Fraud and Risk Scoring service. This action performs real-time\ - \ lookups to determine the risk level of an IP address, identifying if it is associated\ - \ with a proxy, VPN, or TOR connection, and providing over 20 data points including\ - \ fraud scores, geolocation, ISP, and connection type. It helps analysts identify\ - \ malicious actors, bots, and fraudulent transactions by providing a comprehensive\ - \ reputation profile.\n\n### Parameters Description\n| Parameter | Type | Mandatory\ - \ | Description |\n| :--- | :--- | :--- | :--- |\n| Strictness | ddl | Yes | Determines\ - \ how in-depth (strict) the query should be. Higher values (0, 1, 2) take longer\ - \ but provide more rigorous analysis. |\n| User Agent | string | No | Optional\ - \ browser user agent string to help identify bots or invalid browsers. |\n| User\ - \ Language | string | No | Optional user language header to assist in evaluating\ - \ the 'fraud_score'. |\n| Fast | boolean | No | If enabled, skips certain forensic\ - \ checks to speed up processing. |\n| Mobile | boolean | No | If enabled, specifies\ - \ that the lookup should be treated as a mobile device. |\n| Allow Public Access\ - \ Points | boolean | No | Bypasses checks for IP addresses from education, research,\ - \ or corporate connections. |\n| Lighter Penalties | boolean | No | Skips certain\ - \ denylists to reduce false positives for sensitive audiences. |\n\n### Flow Description\n\ - 1. **Configuration Extraction:** Retrieves the API Key from the integration configuration\ - \ and the action parameters (Strictness, User Agent, etc.).\n2. **Entity Filtering:**\ - \ Identifies all IP Address entities within the current context.\n3. **External\ - \ API Interaction:** For each IP address, sends a POST request to the IPQualityScore\ - \ API with the configured parameters.\n4. **Risk Scoring:** Evaluates the returned\ - \ 'fraud_score' and other indicators (proxy, VPN, malware status) to determine\ - \ a risk verdict (e.g., CLEAN, SUSPICIOUS, HIGH RISK, CRITICAL).\n5. **Internal\ - \ Data Enrichment:** \n * Updates the entity's additional properties with IPQS\ - \ metadata (ISP, ASN, Organization, etc.).\n * Sets the entity's 'is_enriched'\ - \ flag to true.\n * Marks the entity as 'is_suspicious' if the risk score exceeds\ - \ defined thresholds.\n6. **Insight Generation:** Creates a Case Insight for each\ - \ entity containing the IPQS verdict and adds a detailed data table to the entity's\ - \ results." + ai_description: "### General Description\nThis action enriches various entity types\ + \ (IP Address, Hostname, URL, User/Email, and Phone Number) using the IPQualityScore\ + \ (IPQS) Fraud and Risk Scoring service. It retrieves comprehensive threat intelligence,\ + \ including fraud scores, geolocation, ISP, connection type, and reputation data,\ + \ to help analysts assess the risk associated with an entity.\n\n### Flow Description\n\ + 1. **Parameter Extraction**: The action extracts configuration parameters (API\ + \ Key) and action-specific settings (Strictness, User Agent, User Language, Fast,\ + \ Mobile, Allow Public Access Points, Lighter Penalties).\n2. **Entity Iteration**:\ + \ It iterates through the `target_entities` provided in the case.\n3. **Type Identification**:\ + \ It identifies the entity type (IP, Hostname, URL, Email, or Phone) and prepares\ + \ the corresponding API request.\n4. **External Lookup**: It performs a POST request\ + \ to the IPQS API to fetch risk and reputation data.\n5. **Data Processing**:\ + \ Based on the response, it calculates a risk verdict (Clean, Low, Moderate, High,\ + \ Critical, Suspicious, Invalid).\n6. **Internal Update**: \n - Updates the\ + \ entity's `additional_properties` with the retrieved data.\n - Sets `is_enriched`\ + \ to true.\n - Updates `is_suspicious` if the risk score exceeds defined thresholds.\n\ + \ - Adds an entity table with detailed results.\n - Creates a case insight\ + \ with the risk verdict.\n - Adds the raw JSON result to the entity.\n\n###\ + \ Parameters Description\n| Parameter | Type | Mandatory | Description |\n| :---\ + \ | :--- | :--- | :--- |\n| Strictness | ddl | Yes | Determines the strictness\ + \ of the query (0-2). Higher values may provide higher false-positive rates. |\n\ + | User Agent | string | No | The user agent string (browser) to check if the user\ + \ is a bot or using an invalid browser. |\n| User Language | string | No | The\ + \ user's language header to evaluate risk. |\n| Fast | boolean | No | If enabled,\ + \ skips certain forensic checks to process faster. |\n| Mobile | boolean | No\ + \ | Specifies if the lookup should be treated as a mobile device. |\n| Allow Public\ + \ Access Points | boolean | No | Bypasses checks for IP addresses from education/research\ + \ institutions and corporate connections. |\n| Lighter Penalties | boolean | No\ + \ | Skips some denylists to reduce false-positives for sensitive audiences. |\n\ + \n### Additional Notes\n- The action supports multiple entity types: `ADDRESS`,\ + \ `HOSTNAME`, `URL`, `USER` (via email regex), and `PHONENUMBER`.\n- The action\ + \ does not mutate external systems; it is strictly for enrichment and internal\ + \ SOAR data updates." capabilities: can_create_case_comments: false can_create_insight: true @@ -308,13 +302,26 @@ Enrich IP: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity attributes with enrichment data, sets the suspicious status based - on fraud scores, and creates case insights. + Updates entity properties (is_enriched, is_suspicious, additional_properties), + adds entity tables, and creates case insights. + reasoning: >- + The action fetches threat intelligence data from an external API (IPQS). It + updates internal entity properties (is_enriched, is_suspicious, additional_properties), + adds entity tables, and creates case insights. It does not modify external systems + or alert data. categories: enrichment: true + reasoning: >- + The action fetches data from an external source (IPQS) and updates internal + SOAR entities and insights. It does not mutate external systems. This fits the + definition of an enrichment action. entity_usage: entity_types: - ADDRESS + - HOSTNAME + - PHONENUMBER + - USERUNIQNAME + - DestinationURL filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -328,6 +335,10 @@ Enrich IP: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over `siemplify.target_entities` and processes specific + types: `ADDRESS`, `HOSTNAME`, `URL`, `USER` (via email regex), and `PHONENUMBER`. + It does not filter by other attributes. Enrich Phone: action_product_categories: add_alert_comment: false @@ -343,6 +354,10 @@ Enrich Phone: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves reputation, risk scores, and carrier details for phone + numbers. This matches the 'Enrich IOC' category. It does not perform any other + listed actions. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -357,54 +372,30 @@ Enrich Phone: update_email: false update_identity: false update_ticket: false - ai_description: >- - Enriches Phone Number entities using the IPQualityScore (IPQS) API to verify validity - and assess risk. This action retrieves carrier information, line type (e.g., VOIP, - mobile, landline), and fraud scores to identify suspicious or disposable numbers. - - - ### Flow Description - - 1. **Parameter Extraction:** Retrieves the API key from the integration configuration - and the 'Strictness' and 'Country' parameters from the action settings. - - 2. **Entity Filtering:** Identifies all Phone Number entities within the current - alert context. - - 3. **External API Query:** For each phone number, it sends a POST request to the - IPQS phone validation endpoint. - - 4. **Risk Assessment:** Analyzes the API response (fraud score, active status, - validity) to determine a risk verdict (e.g., CLEAN, SUSPICIOUS, HIGH RISK). - - 5. **Internal Data Update:** Updates the entity's 'additional_properties' with - enrichment data, marks the entity as enriched, and sets the 'is_suspicious' flag - if risk thresholds are met. - - 6. **Insight Generation:** Creates a case insight and adds a data table to the - entity containing the detailed verification results. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Strictness | DDL | Yes | Determines the depth of the reputation check (0, 1, - or 2). Higher levels are stricter but may increase false positives. | - - | Country(For multiple countries, provide comma-separated values) | String | No - | Optional list of ISO country codes suspected to be associated with the phone - number to improve validation accuracy. | - - - ### Additional Notes - - - The action uses the `IPQualityScore` prefix for all added entity attributes. - - - Risk verdicts are calculated based on a combination of the `fraud_score`, `valid`, - and `active` fields returned by the API. + ai_description: "### General Description\nThis action enriches Phone Number entities\ + \ using the IPQualityScore (IPQS) service. It retrieves comprehensive reputation\ + \ data, including carrier details, line type, and risk analysis, to help analysts\ + \ assess the legitimacy of a phone number. The action evaluates the risk score\ + \ and updates the entity's status within the SOAR platform, providing actionable\ + \ insights.\n\n### Flow Description\n1. **Parameter Extraction**: The action retrieves\ + \ the `Strictness` level and optional `Country` configuration from the action\ + \ settings.\n2. **Entity Filtering**: It iterates through the target entities,\ + \ specifically processing those of type `PHONENUMBER`.\n3. **External API Interaction**:\ + \ For each valid phone number, it sends a POST request to the IPQS API to fetch\ + \ reputation and verification data.\n4. **Data Processing**: The retrieved data\ + \ is parsed to extract key metrics such as fraud score, carrier, and line type.\n\ + 5. **Internal Updates**: \n * Updates the entity's `additional_properties`\ + \ with the retrieved data.\n * Sets the entity's `is_enriched` flag to true.\n\ + \ * Updates the entity's `is_suspicious` flag based on the calculated risk\ + \ score.\n * Creates a case insight and an entity table containing the detailed\ + \ report.\n\n### Parameters Description\n| Parameter | Type | Mandatory | Description\ + \ |\n| :--- | :--- | :--- | :--- |\n| Strictness | ddl | Yes | Defines the strictness\ + \ level of the reputation check (0, 1, or 2). Stricter checks may increase the\ + \ false-positive rate. |\n| Country | string | No | Optionally provide the default\ + \ country or countries (comma-separated) associated with the phone number. |\n\ + \n### Additional Notes\nThis action is strictly for enrichment purposes and does\ + \ not modify any external systems. It only updates internal SOAR entity data and\ + \ creates insights." capabilities: can_create_case_comments: false can_create_insight: true @@ -415,10 +406,18 @@ Enrich Phone: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity attributes with enrichment data, sets the suspicious status of - entities, and creates case insights based on the fraud analysis. + Updates entity properties (is_enriched, is_suspicious, additional_properties) + and creates case insights and entity tables. + reasoning: >- + The action fetches data from an external API (IPQS) to enrich phone number entities. + It updates the entity's internal properties (is_enriched, is_suspicious, additional_properties) + and creates case insights and tables. It does not mutate external systems. categories: enrichment: true + reasoning: >- + The action fetches data from an external source (IPQS) to enrich entities. It + does not mutate external systems. It performs allowed internal mutations (updating + entities, creating insights). Therefore, it is an enrichment action. entity_usage: entity_types: - PHONENUMBER @@ -435,6 +434,10 @@ Enrich Phone: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over `siemplify.target_entities` and explicitly filters + for `PHONENUMBER` entities via the `enrich` method call, which checks `if entity.entity_type + in entity_types`. Enrich URL: action_product_categories: add_alert_comment: false @@ -450,6 +453,10 @@ Enrich URL: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves reputation and threat intelligence for a URL, which matches + the 'Enrich IOC' category. It does not perform any other actions like blocking + or ticketing. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -464,33 +471,26 @@ Enrich URL: update_email: false update_identity: false update_ticket: false - ai_description: "Enriches URL entities using the IPQualityScore (IPQS) service to\ - \ detect malicious activity in real-time. This action leverages machine learning\ - \ models to identify phishing links, malware URLs, viruses, and parked domains.\ - \ It retrieves detailed intelligence including risk scores, domain age, and classification\ - \ categories. Based on the results, the action updates the entity's suspicious\ - \ status in Google SecOps, adds enrichment attributes, and generates a case insight\ - \ for analysts.\n\n### Parameters\n| Parameter | Type | Mandatory | Description\ - \ |\n| :--- | :--- | :--- | :--- |\n| Strictness | ddl | Yes | Determines the\ - \ strictness of the scan (0, 1, or 2). Higher levels increase detection but may\ - \ raise false positives. |\n| Fast | boolean | No | If enabled, the API performs\ - \ lighter checks for faster response times. |\n\n### Additional Notes\n- This\ - \ action specifically targets URL entities. \n- The risk verdict (Clean, Low Risk,\ - \ Moderate Risk, High Risk, or Critical) is calculated based on the risk score\ - \ and specific threat flags (malware/phishing) returned by IPQS.\n\n### Flow Description\n\ - 1. **Initialization**: Extracts the API key from the integration configuration\ - \ and the 'Strictness' and 'Fast' parameters from the action settings.\n2. **Entity\ - \ Filtering**: Identifies all URL entities within the current alert context.\n\ - 3. **External API Interaction**: For each URL, sends a POST request to the IPQS\ - \ URL API endpoint with the configured strictness and speed settings.\n4. **Data\ - \ Processing**: Parses the API response to extract threat indicators (e.g., malware,\ - \ phishing, risk score) and metadata (e.g., domain age, IP address).\n5. **Internal\ - \ Mutation**: \n - Updates the entity's additional properties with the retrieved\ - \ data.\n - Sets the entity as 'suspicious' if the risk score or threat flags\ - \ exceed defined thresholds.\n - Creates a detailed Case Insight containing\ - \ the IPQS verdict.\n - Adds a data table to the entity for quick reference.\n\ - 6. **Completion**: Updates the entities in the SecOps platform and returns a summary\ - \ of the processed URLs." + ai_description: "Enriches URL entities using the IPQS Fraud and Risk Scoring service.\ + \ This action retrieves real-time threat intelligence, including risk scores,\ + \ malware/phishing indicators, and domain reputation, to help analysts assess\ + \ the safety of a URL. \n\n### Flow Description\n1. **Parameter Extraction**:\ + \ The action retrieves the `Strictness` and `Fast` configuration parameters.\n\ + 2. **Entity Processing**: It iterates through the provided URL entities.\n3. **External\ + \ API Call**: For each URL, it queries the IPQS API to fetch reputation and risk\ + \ data.\n4. **Data Parsing & Scoring**: It parses the API response, calculates\ + \ a risk verdict (e.g., Clean, Suspicious, Critical), and formats the data into\ + \ a table.\n5. **Internal Update**: It updates the entity's additional properties\ + \ with the retrieved intelligence, marks the entity as enriched, and sets the\ + \ suspicious flag if the risk score exceeds thresholds.\n6. **Insight Creation**:\ + \ It creates a case insight with the risk verdict and adds the detailed data table\ + \ to the entity.\n\n### Parameters\n| Parameter | Type | Mandatory | Description\ + \ |\n| :--- | :--- | :--- | :--- |\n| Strictness | ddl | Yes | Defines the strictness\ + \ of the scan (0, 1, 2). Stricter checks may increase false-positive rates. |\n\ + | Fast | boolean | No | When enabled, the API provides quicker response times\ + \ using lighter checks and analysis. |\n\n### Additional Notes\nThis action is\ + \ strictly for enrichment and does not modify external systems. It only updates\ + \ internal entity properties and creates case insights within Google SecOps." capabilities: can_create_case_comments: false can_create_insight: true @@ -501,10 +501,18 @@ Enrich URL: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity attributes with enrichment data, sets the suspicious flag based - on risk scores, and creates case insights. + Updates entity properties (additional_properties, is_enriched, is_suspicious) + and creates case insights. + reasoning: >- + The action fetches threat intelligence from an external API (IPQS) for URL entities. + It does not mutate external systems. It updates internal SOAR entities with + new properties and creates insights, which are allowed internal mutations. categories: enrichment: true + reasoning: >- + The action fetches data (enrichment) and updates internal entities/insights + without modifying external systems. It meets the criteria for an enrichment + action. entity_usage: entity_types: - DestinationURL @@ -521,6 +529,9 @@ Enrich URL: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over `siemplify.target_entities` and filters specifically + for URL entities as defined in the `EnrichUrl.py` script call `ipqs_manager.enrich([EntityTypes.URL])`. Ping: action_product_categories: add_alert_comment: false @@ -536,6 +547,9 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test (Ping) and does not perform any of the defined + functional outcomes like enrichment, containment, or ticketing. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -550,24 +564,36 @@ Ping: update_email: false update_identity: false update_ticket: false - ai_description: "### General Description\nThe **Ping** action is a diagnostic tool\ - \ designed to verify the connectivity between the Google SecOps platform and the\ - \ IPQualityScore (IPQS) API. It ensures that the provided API Key is valid and\ - \ that the network path to the IPQS servers is open. This action is typically\ - \ used during the initial setup of the integration or for troubleshooting communication\ - \ issues.\n\n### Parameters Description\nThere are no parameters for this action.\n\ - \n### Additional Notes\nThis action performs a test query using a hardcoded email\ - \ address (`support@ipqualityscore.com`) to validate the API response. It does\ - \ not process any entities from the current case or alert.\n\n### Flow Description\n\ - 1. **Configuration Extraction:** The action retrieves the 'API Key' from the integration's\ - \ configuration settings.\n2. **Payload Preparation:** A static JSON payload is\ - \ created containing a test email address.\n3. **API Request:** The action sends\ - \ a POST request to the IPQS email validation endpoint using the `IPQSManager`.\n\ - 4. **Response Validation:** The action checks the `success` field in the API response.\n\ - 5. **Final Status:** \n * If the request is successful, the action completes\ - \ with a success message.\n * If the request fails (e.g., invalid API key or\ - \ network error), the action fails and provides the error message returned by\ - \ the API." + ai_description: >- + ### General Description + + This action verifies connectivity to the IPQualityScore (IPQS) API. It is designed + to test whether the configured API credentials are valid and the service is reachable. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | API Key | String | Yes | The API key used to authenticate the connection request + to the IPQS service. | + + + ### Flow Description + + 1. The action extracts the API Key from the integration configuration. + + 2. It initializes the `IPQSManager` with the provided API Key and a hardcoded + test email address. + + 3. It sends a test request to the IPQS API to verify connectivity. + + 4. It evaluates the response status. + + 5. The action concludes by returning a success or failure message based on the + connectivity result. capabilities: can_create_case_comments: false can_create_insight: false @@ -578,8 +604,17 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity check (ping) to the IPQS API. It makes an + external API request to verify the connection, but it does not fetch contextual + data for entities, nor does it mutate any external or internal systems. categories: enrichment: false + reasoning: >- + The action is a connectivity test ('Ping'). Per the instructions, Ping actions + are not enrichment actions. It does not meet the criteria for enrichment as + it does not fetch data about entities, nor does it perform any allowed internal + mutations. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -595,3 +630,6 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or process `target_entities`. It uses a hardcoded + email address for the connectivity test. diff --git a/content/response_integrations/third_party/community/ipqs_fraud_and_risk_scoring/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/ipqs_fraud_and_risk_scoring/resources/ai/integration_ai_description.yaml index 2e831240c..37aa7e021 100644 --- a/content/response_integrations/third_party/community/ipqs_fraud_and_risk_scoring/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/community/ipqs_fraud_and_risk_scoring/resources/ai/integration_ai_description.yaml @@ -7,6 +7,16 @@ product_categories: iam_and_identity_management: false itsm: false network_security: false + reasoning: >- + The integration 'ipqs_fraud_and_risk_scoring' is a dedicated threat intelligence + enrichment service. Its primary function is to provide reputation, risk scores, + and threat data for various indicators of compromise (IOCs) such as IP addresses, + domains, URLs, email addresses, and phone numbers. It does not perform log analysis + (SIEM), host containment (EDR), firewall/gateway management (Network Security), + identity management (IAM), or ticket management (ITSM). While it enriches email + and URL entities, it does not perform the specific 'Email Security' functions + of managing inboxes or searching for affected users. Therefore, it is classified + solely under Threat Intelligence. siem: false threat_intelligence: true vulnerability_management: false diff --git a/content/response_integrations/third_party/community/lacework/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/lacework/resources/ai/connectors_ai_description.yaml index 126bf1f0b..b93f29893 100644 --- a/content/response_integrations/third_party/community/lacework/resources/ai/connectors_ai_description.yaml +++ b/content/response_integrations/third_party/community/lacework/resources/ai/connectors_ai_description.yaml @@ -2,11 +2,11 @@ Lacework Connector: ai_description: >- ### General Description - The Lacework Connector enables Google SecOps to ingest security events from the - Lacework platform. It monitors for cloud security threats, compliance violations, - and anomalous behavior by pulling data from the Lacework Events API, allowing - security teams to centralize Lacework alerts within their SOAR environment for - automated response and investigation. + The Lacework Connector is designed to ingest security events from the Lacework + platform into Google SecOps (SOAR). It periodically polls the Lacework Events + API to retrieve security alerts, filters them based on a configurable severity + threshold, and maps them into standardized alert objects for further investigation + and response within the SOAR platform. ### Parameters Description @@ -15,45 +15,40 @@ Lacework Connector: | :--- | :--- | :--- | :--- | - | accountName | String | Yes | The Lacework account URL (e.g., youraccount.lacework.net). - | - - | keyId | String | Yes | The Lacework API Access Key ID used for authentication. - | - - | secret | Password | Yes | The Lacework API Secret Key used for authentication. - | - - | severity_threshold | String | Yes | The minimum severity level to fetch (1-Critical, - 2-High, 3-Medium, 4-Low, 5-Info). The connector fetches the selected level and - all levels above it (e.g., 3 fetches Medium, High, and Critical). | + | accountName | String | Yes | The Lacework account name/URL identifier. | | DeviceProductField | String | Yes | The field name used to determine the device - product in the ingested data. | + product. | | EventClassId | String | Yes | The field name used to determine the event name (sub-type). | + | keyId | String | Yes | The Lacework API Key ID. | + | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the - python process running the connector script. | + python process. | + + | secret | Password | Yes | The Lacework API Secret. | + + | severity_threshold | String | Yes | Lacework Event Severity Threshold (1-Critical + to 5-Info). | ### Flow Description - 1. **Authentication**: The connector uses the provided `keyId` and `secret` to - request a temporary access token from the Lacework API. + 1. The connector initializes by authenticating with the Lacework API using the + provided `keyId`, `secret`, and `accountName` to obtain a temporary access token. + + 2. It queries the Lacework Events API for events occurring within the last hour. - 2. **Event Retrieval**: It queries the Lacework Events API for a list of events - that occurred within the last hour. + 3. For each retrieved event, the connector checks the event's severity against + the configured `severity_threshold`. - 3. **Severity Filtering**: The connector iterates through the retrieved events - and filters out any that do not meet the configured `severity_threshold` (where - lower numerical values represent higher severity). + 4. If the event meets the threshold, the connector fetches detailed information + for that specific event ID. - 4. **Detail Enrichment**: For each event that passes the filter, the connector - makes a secondary API call to fetch the full event details using the unique Event - ID. + 5. The event data is mapped to a standardized SOAR `AlertInfo` format, including + severity mapping, start/end times, and event details. - 5. **Mapping and Ingestion**: The connector maps Lacework severity levels to Google - SecOps priority levels, flattens the event data, and creates `AlertInfo` objects - which are then ingested into the system as cases. + 6. Finally, the processed alerts are returned to the SOAR system for case creation + and ingestion. diff --git a/content/response_integrations/third_party/community/lacework/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/lacework/resources/ai/integration_ai_description.yaml index a888df70b..cf256fcd6 100644 --- a/content/response_integrations/third_party/community/lacework/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/community/lacework/resources/ai/integration_ai_description.yaml @@ -7,6 +7,15 @@ product_categories: iam_and_identity_management: false itsm: false network_security: false - siem: true + reasoning: >- + The Lacework integration is specifically designed to monitor cloud environments, + focusing on the analysis of CloudTrail logs and the generation of security alerts + for cloud-native resources. This aligns directly with the 'Cloud Security' category, + which is defined for alerts involving cloud-native resources like GCP, AWS, and + Azure. The connector facilitates the ingestion of these cloud-specific security + events into the SOAR platform. It does not perform general SIEM log aggregation, + host-based EDR process analysis, network gateway blocking, or identity management, + and therefore does not fit those respective categories. + siem: false threat_intelligence: false vulnerability_management: false diff --git a/content/response_integrations/third_party/community/logzio/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/logzio/resources/ai/actions_ai_description.yaml index 7698c3b97..714ce7a2a 100644 --- a/content/response_integrations/third_party/community/logzio/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/logzio/resources/ai/actions_ai_description.yaml @@ -13,6 +13,9 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test (Ping). It does not match any of the functional + categories like Enrich IOC, Contain Host, etc. It is a diagnostic action. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -28,62 +31,41 @@ Ping: update_identity: false update_ticket: false ai_description: >- - ### General Description + Validates connectivity to Logz.io by testing provided security and operations + tokens. This action ensures that the configured API tokens are valid and that + the integration can successfully communicate with the Logz.io API. - The **Ping** action is designed to verify the connectivity between Google SecOps - and the Logz.io platform. It validates the provided API tokens for both Security - and Operations accounts by making a request to the Logz.io `whoami` endpoint. - This action is primarily used during the initial setup or for troubleshooting - to ensure that the integration can successfully communicate with the Logz.io API. + ### Parameters - - ### Parameters Description - - - | Parameter Name | Type | Mandatory | Description | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | `logzio_security_token` | String | Yes | The API token for the Logz.io Security - account. This is an integration configuration parameter. | - - | `logzio_operations_token` | String | Yes | The API token for the Logz.io Operations - account. This is an integration configuration parameter. | + | logzio_security_token | String | Yes | The security token for Logz.io. | - | `logzio_region` | String | No | The region where the Logz.io account is hosted - (e.g., 'us', 'eu'). Defaults to 'us' if not provided. This is an integration configuration - parameter. | + | logzio_operations_token | String | Yes | The operations token for Logz.io. | - | `logzio_custom_endpoint` | String | No | A custom URL for the Logz.io API, if - applicable. This is an integration configuration parameter. | - - - ### Flow Description + | logzio_region | String | No | The region for the Logz.io account (defaults to + US). | + | logzio_custom_endpoint | String | No | A custom API endpoint URL if required. + | - 1. **Configuration Extraction**: The action retrieves the security token, operations - token, region, and optional custom endpoint from the integration's configuration - settings. - 2. **Token Validation**: It performs a basic check to ensure the tokens are non-empty - strings and properly formatted. + ### Flow - 3. **Connectivity Test**: It constructs the API URL (handling specific regions - or custom endpoints) and sends a GET request to the `v1/account-management/whoami` - endpoint for both the Security and Operations tokens. + 1. Extract configuration parameters (tokens, region, custom endpoint). - 4. **Response Verification**: The action checks if the API returns a 200 OK status - code. If successful, it logs the associated account name to confirm authentication - and connectivity. + 2. Validate that tokens are provided and are strings. + 3. Construct the API endpoint URL based on the region or custom endpoint. - ### Additional Notes + 4. Send a GET request to the Logz.io `whoami` endpoint using the provided tokens. + 5. Verify the response status code (200) and log the account name. - This action does not process any entities and does not modify any data. It is - strictly a connectivity test. There are no action-specific parameters; it relies - entirely on the integration's configuration. + 6. Return success or failure status. capabilities: can_create_case_comments: false can_create_insight: false @@ -92,10 +74,18 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: false + fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity test (Ping) by sending a GET request to an + external API. It does not modify any external state, nor does it modify internal + SOAR data (entities, insights, etc.). It is a read-only connectivity check. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action. According to the instructions, 'Actions named + Ping must not be categorized as enrichment actions.' Even though it fetches + data (GET request), it is explicitly excluded from the enrichment category. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -111,6 +101,9 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not reference `siemplify.target_entities` or any entity objects. + It is a global connectivity test. json-adapter: action_product_categories: add_alert_comment: false @@ -126,6 +119,10 @@ json-adapter: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a data parsing utility that transforms raw JSON input into a specific + format. It does not perform any of the defined product category operations (e.g., + enrichment, containment, ticketing, etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -141,62 +138,19 @@ json-adapter: update_identity: false update_ticket: false ai_description: >- - ### General Description - - The **json-adapter** action is a utility designed to transform raw log data from - Logz.io into a standardized JSON format compatible with Google SecOps playbooks. - It specifically targets JSON structures containing a 'results' array and extracts - user-defined fields, mapping them to a generic entity-like structure consisting - of `entityType` and `entityIdentifier`. This allows downstream playbook actions - to easily consume specific data points from complex log objects. - - - ### Parameters Description - - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **fields_to_search** | String | Yes | A comma-separated list of keys (fields) - to look for within each log entry in the provided JSON. | - - | **raw_json** | String | Yes | The raw JSON string containing the logs to be - processed. The action expects a top-level 'results' key containing a list of objects. - | - - - ### Flow Description - - 1. **Parameter Extraction:** The action retrieves the `fields_to_search` and `raw_json` - from the input parameters. - - 2. **Data Parsing:** The `raw_json` string is parsed into a JSON object, and the - `fields_to_search` string is split into a list of individual field names. - - 3. **Log Iteration:** The action iterates through each log entry found in the - `results` array of the input JSON. - - 4. **Field Extraction:** For each log entry, the action checks if any of the specified - search fields exist as keys. - - 5. **Standardization:** If a field is found, its key and value are mapped to a - new object: `{"entityType": , "entityIdentifier": }`. - - 6. **Result Compilation:** All mapped objects are collected into a final results - list. - - 7. **Output Generation:** If matches are found, the action returns the standardized - JSON and completes successfully. If no fields are found, the action fails. - - - ### Additional Notes - - - This action does not interact with external APIs; it performs local data transformation - on the provided input. - - - The action will only succeed (EXECUTION_STATE_COMPLETED) if at least one of - the requested fields is found in the provided JSON. + Parses raw JSON log data to extract specific fields and format them into a standardized + JSON structure suitable for playbook consumption. This utility is designed to + normalize data from Logz.io logs. Parameters: | Parameter | Type | Mandatory | + Description | | --- | --- | --- | --- | | fields_to_search | string | Yes | Comma + separated list of fields to search within the JSON. | | raw_json | string | Yes + | Raw data in JSON format that is to be searched. | Flow description: 1. Retrieve + fields_to_search and raw_json from action parameters. 2. Parse the raw_json string + into a JSON object. 3. Iterate through the results array within the parsed JSON. + 4. For each item, check if the specified fields exist. 5. If a field exists, create + a mapping where the field name is the entityType and the field value is the entityIdentifier. + 6. Collect these mappings into an output structure. 7. If any mappings are found, + add the resulting JSON to the action output using add_result_json. 8. Complete + the action with a success status if results were found, or failure otherwise. capabilities: can_create_case_comments: false can_create_insight: false @@ -207,8 +161,16 @@ json-adapter: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action processes input parameters to transform data. It does not perform + any external API calls (fetches_data=false), nor does it modify any internal + SOAR entities, insights, or case data. It simply outputs a JSON result. categories: enrichment: false + reasoning: >- + The action does not fetch data from external sources, nor does it modify the + state of the SOAR platform or external systems. It is a data parsing utility, + not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -224,6 +186,9 @@ json-adapter: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with siemplify.target_entities. It processes raw + input strings provided as parameters. logzio-get-logs-by-event-id: action_product_categories: add_alert_comment: false @@ -239,6 +204,10 @@ logzio-get-logs-by-event-id: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves historical logs from Logz.io based on a provided event + ID. This matches the Search Events category. It does not perform enrichment, + update alerts, or modify external systems. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -254,57 +223,17 @@ logzio-get-logs-by-event-id: update_identity: false update_ticket: false ai_description: >- - Fetches the logs that triggered a specific security event from Logz.io. This action - allows analysts to retrieve the raw log data associated with an alert for deeper - investigation. It supports pagination to handle large volumes of logs and automatically - creates case insights in Google SecOps to display the retrieved information. - - - ### Flow Description: - - 1. **Configuration Retrieval:** The action starts by extracting the Logz.io API - token, region, and optional custom endpoint from the integration settings. - - 2. **API Endpoint Determination:** It constructs the appropriate Logz.io API URL - based on the provided region or custom endpoint. - - 3. **Initial Data Fetch:** It sends a POST request to the Logz.io security search - API using the mandatory `alert_event_id` to retrieve the first page of logs. - - 4. **Pagination Handling:** If the total number of logs exceeds the initial page - size, the action uses a thread pool to concurrently fetch all remaining pages - of logs. - - 5. **Data Processing:** The collected logs are aggregated into a single JSON structure. - - 6. **Insight Creation:** The action iterates through the logs and creates case - insights within the Google SecOps platform to provide immediate visibility into - the event data. - - 7. **Result Reporting:** Finally, it attaches the full JSON result to the action - and completes the execution. - - - ### Parameters Description: - - | Parameter Name | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | alert_event_id | String | Yes | The unique GUID of the security event in Logz.io - that you want to investigate. | - - | page_size | String | No | Controls the number of results per page. Valid inputs - are 1 to 1000. Defaults to 25. | - - - ### Additional Notes: - - - This action does not operate on entities (IPs, Hosts, etc.) but rather on a - specific Event ID provided as a parameter. - - - The action uses multi-threading to speed up the retrieval of logs when multiple - pages are present. + Fetches logs from Logz.io associated with a specific security event ID. The action + retrieves logs in a paginated manner and adds them as a JSON result to the action + output. Additionally, it creates case insights for the retrieved logs. Flow: 1. + Extracts the alert_event_id and page_size from the action parameters. 2. Constructs + the API request body with the event ID and pagination settings. 3. Sends a POST + request to the Logz.io API to retrieve logs. 4. Handles pagination by fetching + subsequent pages if necessary. 5. Adds the retrieved logs as a JSON result to + the action output. 6. Creates case insights for the retrieved logs. Parameters: + alert_event_id (string, mandatory): Unique GUID of the security event in your + Logz.io security account. page_size (string, optional): Controls the number of + results per page. Valid inputs are 1 to 1000. Defaults to 25. capabilities: can_create_case_comments: false can_create_insight: true @@ -315,10 +244,18 @@ logzio-get-logs-by-event-id: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action creates case insights within Google SecOps to display the logs retrieved - from Logz.io. + Creates case insights containing the retrieved logs. + reasoning: >- + The action fetches logs from Logz.io via a POST request (fetches_data=true). + It does not modify external systems (can_mutate_external_data=false). It creates + case insights within the SOAR platform (can_mutate_internal_data=true, can_create_insight=true). categories: enrichment: false + reasoning: >- + The action fetches logs from an external source (Logz.io). However, it is not + an enrichment action because it does not provide supplemental context (reputation, + prevalence, etc.) for entities or alerts, but rather retrieves raw log data. + It is classified as a search action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -334,6 +271,10 @@ logzio-get-logs-by-event-id: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over siemplify.target_entities or use entity-specific + identifiers. It relies on a user-provided alert_event_id parameter to fetch + logs. logzio-search-logs: action_product_categories: add_alert_comment: false @@ -349,6 +290,10 @@ logzio-search-logs: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action searches for logs in Logz.io and returns the results. This matches + the 'Search Events' category. It does not perform enrichment, containment, or + ticket management. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -364,68 +309,21 @@ logzio-search-logs: update_identity: false update_ticket: false ai_description: >- - ### General Description - - The **Logz.io Search Logs** action allows users to query and retrieve logs from - their Logz.io operations account. It utilizes the Logz.io Search API (v1) to perform - Lucene-based searches within a specified time range. This action is primarily - used for log investigation and gathering telemetry data related to security incidents. - - - ### Parameters Description - - | Parameter | Description | Type | Mandatory | - - | :--- | :--- | :--- | :--- | - - | **query** | A search query written in valid Lucene syntax. If not provided, - it defaults to a wildcard (`*`) to match all logs. | String | No | - - | **size** | The number of log results to return per query. The value must be - between 1 and 1000. If invalid or empty, it defaults to 1000. | String | No | - - | **from_time** | The earliest time to search. It accepts various formats including - Unix timestamps, relative time (e.g., "5 minutes ago"), or specific date strings. - | String | Yes | - - | **to_time** | The latest time to search. Similar to `from_time`, it accepts - multiple date formats. If left empty, the search extends to the current time. - | String | No | - - - ### Flow Description - - 1. **Configuration Extraction:** The action retrieves the Logz.io API token, region, - and optional custom endpoint from the integration settings. - - 2. **Parameter Validation:** It extracts the search query, result size, and time - range parameters. The `size` is validated to ensure it stays within the 1-1000 - range. - - 3. **Time Parsing:** The `from_time` and `to_time` strings are parsed into Unix - millisecond timestamps using the `dateparser` library to ensure compatibility - with the Logz.io API. - - 4. **Request Construction:** An Elasticsearch-compatible JSON request body is - created, incorporating the Lucene query and the timestamp range filter. - - 5. **API Execution:** A POST request is sent to the Logz.io Search API endpoint - (determined by the region or custom endpoint). - - 6. **Data Processing:** The action parses the API response, extracts the raw log - data (`_source` field) from the hits, and formats them into a JSON result. - - 7. **Completion:** The retrieved logs are attached to the action's output, and - a summary message indicating the number of logs found is returned. - - - ### Additional Notes - - - The action is limited to a maximum of 1000 logs per execution. - - - If the API token is missing or invalid, the action will fail. - - - The `from_time` parameter is mandatory to define the search window. + Searches for logs in your Logz.io operations account based on a provided query + and time range. \n\n### Flow Description \n1. The action extracts configuration + parameters (Logz.io API token, region, and optional custom endpoint) and action + parameters (query, size, from_time, and to_time). \n2. It constructs a Lucene-based + search query and prepares the request body. \n3. It sends a POST request to the + Logz.io search API. \n4. It parses the response and returns the log results as + a JSON object to the SOAR platform. \n\n### Parameters Description \n| Parameter + | Type | Mandatory | Description | \n| :--- | :--- | :--- | :--- | \n| query | + string | No | A search query written in valid Lucene syntax. Default is `*`. | + \n| size | string | No | Number of log results per query. Limited to 1000 logs. + | \n| from_time | string | Yes | Earliest time to search. Accepts Unix timestamps, + relative time, or format `%Y-%m-%dT%H:%M:%S.%f`. | \n| to_time | string | No | + Latest time to search. | \n\n### Additional Notes \nIf no size is provided, the + action defaults to 1000 logs. The `from_time` parameter is mandatory for the search + to execute. capabilities: can_create_case_comments: false can_create_insight: false @@ -436,8 +334,16 @@ logzio-search-logs: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the Logz.io API to retrieve logs based + on a query and time range. It does not modify external systems or internal SOAR + data (entities, insights, comments). It is a read-only operation. categories: - enrichment: true + enrichment: false + reasoning: >- + The action is a search utility for logs. It does not operate on specific entities + to enrich them, nor does it meet the criteria for an enrichment action (which + requires operating on entities). entity_usage: entity_types: [] filters_by_additional_properties: false @@ -453,3 +359,6 @@ logzio-search-logs: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities` or use any entity-specific + logic. It is a standalone search action. diff --git a/content/response_integrations/third_party/community/logzio/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/logzio/resources/ai/connectors_ai_description.yaml index 5b9150962..a7f0017b5 100644 --- a/content/response_integrations/third_party/community/logzio/resources/ai/connectors_ai_description.yaml +++ b/content/response_integrations/third_party/community/logzio/resources/ai/connectors_ai_description.yaml @@ -2,11 +2,10 @@ LOGZIO fetch-security-events: ai_description: >- ### General Description - The Logz.io Fetch Security Events connector integrates with the Logz.io Cloud - SIEM to automatically ingest security rule events into Google SecOps. It allows - security teams to centralize their monitoring by converting Logz.io security alerts - into actionable cases, ensuring that triggered rules are investigated within the - SOAR platform. + The Logz.io Fetch Security Events connector enables the ingestion of security + events from a Logz.io account into Google SecOps. It allows security teams to + monitor and respond to security rules triggered within Logz.io by converting these + events into actionable cases within the SOAR platform. ### Parameters Description @@ -16,60 +15,54 @@ LOGZIO fetch-security-events: | :--- | :--- | :--- | :--- | | DeviceProductField | String | Yes | The field name used to determine the device - product (default: `device_product`). | + product. | | EventClassId | String | Yes | The field name used to determine the event name - or sub-type (default: `event_name`). | + (sub-type). | - | from_date | String | Yes | The earliest time to search for events during the - first run. Supports Unix timestamps, relative time (e.g., '1 day ago'), or ISO - 8601 format. | + | from_date | String | Yes | Earliest time to search. Accepts Unix timestamps, + relative time, or "%Y-%m-%dT%H:%M:%S.%f". | - | logzio_custom_endpoint | String | No | Optional custom URL for the Logz.io API. - If provided, it overrides the `logzio_region` parameter. | + | logzio_custom_endpoint | String | No | Optional custom URL for the Logz.io API; + overrides logzio_region. | - | logzio_region | String | No | The 2-letter region code for your Logz.io account - (e.g., 'us', 'eu', 'uk'). Defaults to 'us' if left empty. | + | logzio_region | String | No | 2-letter region code for your Logz.io account. + | - | logzio_token | Password | Yes | The API token for your Logz.io security account - used for authentication. | + | logzio_token | Password | Yes | API token for your Logz.io security account. + | - | page_size | Integer | No | The number of results to retrieve per API call. Valid - range is 1 to 1000 (default: 25). | + | page_size | Integer | No | Controls the number of results per page (1-1000). + | - | PythonProcessTimeout | String | Yes | The timeout limit in seconds for the connector's - execution process. | + | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the + python process. | - | search_term | String | No | A filter string to match against the security rule - names. | + | search_term | String | No | Filter for a matching string in the rule name. | - | severities | String | No | A comma-delimited list of severities to fetch (e.g., - "HIGH, SEVERE"). Supported values: INFO, LOW, MEDIUM, HIGH, SEVERE. | + | severities | String | No | Comma-delimited list of security rules severities + (e.g., "INFO", "LOW", "MEDIUM", "HIGH", "SEVERE"). | ### Flow Description - 1. **Endpoint Resolution**: The connector determines the Logz.io API endpoint - using the provided region or custom endpoint URL. + 1. Initializes the connector and extracts configuration parameters, including + the API token and region. - 2. **Time Window Calculation**: It identifies the start time for the search. On - the first run, it uses the `from_date` parameter; on subsequent runs, it uses - the timestamp of the last ingested event plus a 100ms offset. The end time is - set to 3 minutes prior to the current time to ensure data consistency. + 2. Determines the API endpoint based on the provided region or custom URL. - 3. **Event Querying**: A POST request is sent to the Logz.io Security Events Search - API with filters for time range, search terms, and severities. + 3. Calculates the time range for the query, using either the last saved timestamp + or the user-provided `from_date`. - 4. **Concurrent Pagination**: If the search results span multiple pages, the connector - utilizes a thread pool to fetch all pages concurrently, optimizing data retrieval - speed. + 4. Queries the Logz.io Security Rules API (`v2/security/rules/events/search`) + with the specified filters (search term, severities, pagination). - 5. **Data Transformation**: Each Logz.io event is mapped to a Google SecOps Alert - object. This includes mapping Logz.io severities to platform priorities and extracting - metadata such as rule descriptions, tags, and group-by fields. + 5. Iterates through all available pages of results to collect all relevant security + events. - 6. **Timestamp Persistence**: The connector tracks the latest event timestamp - and saves it to the system state to prevent duplicate ingestion in future cycles. + 6. Maps each Logz.io event to the Google SecOps alert format, including severity + mapping and event details. - 7. **Case Ingestion**: The compiled list of alerts is returned to Google SecOps - for case creation and further orchestration. + 7. Updates the internal timestamp to ensure subsequent runs fetch only new events. + + 8. Returns the collected alerts to the SOAR platform for case creation. diff --git a/content/response_integrations/third_party/community/logzio/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/logzio/resources/ai/integration_ai_description.yaml index 466738966..995cf1cd3 100644 --- a/content/response_integrations/third_party/community/logzio/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/community/logzio/resources/ai/integration_ai_description.yaml @@ -7,6 +7,14 @@ product_categories: iam_and_identity_management: false itsm: false network_security: false + reasoning: >- + The Logz.io integration is primarily designed to ingest security events and alerts + from the Logz.io platform into Google SecOps. This functionality aligns directly + with the SIEM category, as it enables the SOAR platform to monitor security rules + triggered in Logz.io, create cases, and provide visibility into security incidents. + It does not perform EDR, Network Security, Threat Intelligence, Email Security, + IAM, Cloud Security (specifically for resource configuration), ITSM, Vulnerability + Management, Asset Inventory, or Collaboration functions. siem: true threat_intelligence: false vulnerability_management: false diff --git a/content/response_integrations/third_party/community/luminar_iocs_and_leaked_credentials/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/luminar_iocs_and_leaked_credentials/resources/ai/actions_ai_description.yaml index 0e2e6a33b..58b178cd4 100644 --- a/content/response_integrations/third_party/community/luminar_iocs_and_leaked_credentials/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/luminar_iocs_and_leaked_credentials/resources/ai/actions_ai_description.yaml @@ -13,6 +13,9 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test (Ping) and does not perform any of the defined + product category operations such as enrichment, ticket creation, or containment. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -27,28 +30,22 @@ Ping: update_email: false update_identity: false update_ticket: false - ai_description: "### General Description\nThe **Ping** action is a diagnostic tool\ - \ designed to verify the connectivity between Google SecOps and the **Luminar\ - \ IOCs and Leaked Credentials** API. Its primary purpose is to validate that the\ - \ integration's configuration parameters\u2014specifically the Client ID, Client\ - \ Secret, Account ID, and Base URL\u2014are correct and that the external service\ - \ is reachable.\n\n### Parameters Description\nThis action does not require any\ - \ input parameters. It utilizes the global integration configuration settings\ - \ to perform the connectivity test.\n\n### Flow Description\n1. **Configuration\ - \ Retrieval**: The action extracts the `Luminar API Client ID`, `Luminar API Client\ - \ Secret`, `Luminar API Account ID`, and `Luminar Base URL` from the integration's\ - \ shared settings.\n2. **Authentication Request**: It initializes the `LuminarManager`\ - \ and executes the `test_connectivity` method. This method sends a `POST` request\ - \ to the Luminar token endpoint (`/externalApi/realm/{account_id}/token`) using\ - \ the `client_credentials` grant type.\n3. **Response Validation**: \n * If\ - \ the API returns a successful response (HTTP 200), the action confirms a successful\ - \ connection.\n * If the API returns authentication errors (HTTP 401, 403)\ - \ or other failure codes, the action identifies the failure and provides a descriptive\ - \ error message.\n4. **Execution Completion**: The action concludes by reporting\ - \ the final status (Success or Failure) to the SOAR interface.\n\n### Additional\ - \ Notes\nThis action is intended for initial setup and troubleshooting. It does\ - \ not process entities or modify any data within Google SecOps or the Luminar\ - \ platform." + ai_description: >- + The Ping action tests the connectivity between the Google SecOps platform and + the Luminar API. General description: This action verifies that the provided API + credentials and configuration are valid by attempting to authenticate with the + Luminar API. Parameters description: Luminar API Client ID (String, Mandatory): + The client ID for Luminar API authentication. Luminar API Client Secret (String, + Mandatory): The client secret for Luminar API authentication. Luminar API Account + ID (String, Mandatory): The account ID used to construct the API request URL. + Luminar Base URL (String, Mandatory): The base URL for the Luminar API. Additional + notes: All parameters are mandatory for the action to successfully test connectivity. + Flow description: 1. The action extracts the configuration parameters (Client + ID, Client Secret, Account ID, Base URL). 2. It initializes the LuminarManager + with these credentials. 3. It executes the test_connectivity method, which sends + a POST request to the Luminar API token endpoint. 4. The action validates the + response status code (200 OK indicates success, while 400-404 indicate failure). + 5. It logs the result and terminates the action with the appropriate status. capabilities: can_create_case_comments: false can_create_insight: false @@ -59,8 +56,19 @@ Ping: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity test by sending a POST request to an external + API to validate credentials. It does not fetch contextual data for entities + or alerts (fetches_data=false). It does not change the state of any external + system (can_mutate_external_data=false) or internal system (can_mutate_internal_data=false). + It does not update entities, create insights, modify alert data, or create case + comments. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action designed solely for connectivity testing. According + to the provided rules, 'Ping' actions are not enrichment actions. It does not + fetch data, nor does it mutate any systems. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -76,3 +84,6 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with or iterate over any entities. It is a global + connectivity test. diff --git a/content/response_integrations/third_party/community/luminar_iocs_and_leaked_credentials/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/luminar_iocs_and_leaked_credentials/resources/ai/connectors_ai_description.yaml index cbbe33bd4..897ee95e5 100644 --- a/content/response_integrations/third_party/community/luminar_iocs_and_leaked_credentials/resources/ai/connectors_ai_description.yaml +++ b/content/response_integrations/third_party/community/luminar_iocs_and_leaked_credentials/resources/ai/connectors_ai_description.yaml @@ -1,39 +1,66 @@ "Luminar IOCs and Leaked Credentials Connector": - ai_description: "### General Description\nThe Luminar IOCs and Leaked Credentials\ - \ connector integrates with Cognyte Luminar to ingest high-fidelity threat intelligence\ - \ into Google SecOps. It fetches Indicators of Compromise (IOCs) and leaked credential\ - \ data provided in STIX format, allowing security teams to monitor for malicious\ - \ infrastructure and compromised accounts identified by Luminar's intelligence\ - \ platform.\n\n### Parameters Description\n| Parameter | Type | Mandatory | Description\ - \ |\n| :--- | :--- | :--- | :--- |\n| Luminar API Account ID | Password | Yes\ - \ | The unique Account ID required for Luminar API authentication. |\n| Luminar\ - \ API Client ID | Password | Yes | The Client ID used to generate OAuth2 access\ - \ tokens. |\n| Luminar API Client Secret | Password | Yes | The Client Secret\ - \ used to generate OAuth2 access tokens. |\n| Luminar Base URL | String | Yes\ - \ | The base URL of the Luminar API instance (e.g., https://demo.cyberluminar.com).\ - \ |\n| DeviceProductField | String | Yes | The field name used to determine the\ - \ device product in the ingested events. |\n| EventClassId | String | Yes | The\ - \ field name used to determine the event sub-type or name. |\n| PythonProcessTimeout\ - \ | String | Yes | The maximum execution time (in seconds) allowed for the connector\ - \ script. |\n| Verify SSL | Boolean | No | If enabled, the connector will verify\ - \ the SSL certificate of the Luminar API server. |\n| Proxy Server Address | String\ - \ | No | The address of the proxy server if one is required for outbound communication.\ - \ |\n| Proxy Port | Integer | No | The port of the proxy server. |\n| Proxy Username\ - \ | String | No | The username for proxy authentication. |\n| Proxy Password |\ - \ Password | No | The password for proxy authentication. |\n\n### Flow Description\n\ - 1. **Authentication**: The connector establishes a session with the Luminar API\ - \ by exchanging the Client ID and Client Secret for an OAuth2 access token.\n\ - 2. **Timestamp Management**: It retrieves the last successful execution timestamp\ - \ to perform incremental fetching, ensuring only new threat data is processed.\n\ - 3. **Data Ingestion**: The connector queries the `/externalApi/stix` endpoint\ - \ to retrieve threat objects, including malware, incidents, indicators, and their\ - \ relationships.\n4. **STIX Processing**: \n * **IOCs**: Correlates STIX indicators\ - \ (IPs, Domains, URLs, Hashes) with their associated Malware families using relationship\ - \ objects.\n * **Leaked Credentials**: Correlates user account data with specific\ - \ data breach incidents.\n * **Expiration Monitoring**: Identifies indicators\ - \ with valid expiration dates and groups them for lifecycle management.\n5. **Event\ - \ Aggregation**: To optimize case management, the connector slices large datasets\ - \ into chunks (maximum 499 events per alert) and groups them by Malware Family,\ - \ Incident Name, or Expiration Date.\n6. **Alert Creation**: Structured AlertInfo\ - \ objects are created and sent to Google SecOps, mapping Luminar's threat attributes\ - \ to standard security event fields." + ai_description: >- + ### General Description + + The Luminar IOCs and Leaked Credentials connector integrates with the Luminar + platform to ingest threat intelligence data. It periodically fetches Indicators + of Compromise (IOCs) and leaked credential incidents, maps them to the SOAR data + model, and creates actionable alerts within the Google SecOps platform. This enables + security teams to proactively monitor for malicious activity and compromised accounts + identified by Luminar. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | DeviceProductField | String | Yes | The field name used to determine the device + product. | + + | EventClassId | String | Yes | The field name used to determine the event name + (sub-type). | + + | Luminar API Account ID | Password | Yes | The Luminar API Account ID. | + + | Luminar API Client ID | Password | Yes | The Luminar API Client ID. | + + | Luminar API Client Secret | Password | Yes | The Luminar API Client Secret. + | + + | Luminar Base URL | String | Yes | The base URL for the Luminar API. | + + | Proxy Password | Password | No | Proxy server password. | + + | Proxy Port | Integer | No | Proxy server port. | + + | Proxy Server Address | String | No | Proxy server address. | + + | Proxy Username | String | No | Proxy server username. | + + | PythonProcessTimeout | String | Yes | Timeout limit (in seconds) for the script + execution. | + + | Verify SSL | Boolean | No | Whether to verify SSL certificates. | + + + ### Flow Description + + 1. **Authentication**: The connector authenticates with the Luminar API using + the provided Client ID, Client Secret, and Account ID to obtain an access token. + + 2. **Data Fetching**: It queries the `/externalApi/stix` endpoint to retrieve + threat intelligence objects, utilizing pagination to handle large datasets. + + 3. **Data Processing**: The connector parses the STIX objects, identifying relationships + between malware/incidents and their associated indicators. + + 4. **Enrichment & Mapping**: It maps STIX patterns (e.g., file hashes, IP addresses, + domains) to internal indicator types and enriches the data with relevant metadata. + + 5. **Alert Creation**: The processed data is grouped and sliced into manageable + chunks (up to 500 items per alert) and converted into SOAR `AlertInfo` objects. + + 6. **Ingestion**: The generated alerts are returned to the SOAR platform for further + investigation and response. diff --git a/content/response_integrations/third_party/community/luminar_iocs_and_leaked_credentials/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/luminar_iocs_and_leaked_credentials/resources/ai/integration_ai_description.yaml index 2e831240c..9de43db75 100644 --- a/content/response_integrations/third_party/community/luminar_iocs_and_leaked_credentials/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/community/luminar_iocs_and_leaked_credentials/resources/ai/integration_ai_description.yaml @@ -7,6 +7,18 @@ product_categories: iam_and_identity_management: false itsm: false network_security: false + reasoning: >- + The integration 'Luminar IOCs and Leaked Credentials' is primarily designed to + ingest threat intelligence data, specifically Indicators of Compromise (IOCs) + and leaked credential records, into the SOAR platform. This aligns directly with + the Threat Intelligence category, as the primary purpose is to provide intelligence + for security investigations and alert creation. It does not perform EDR, Network + Security, Cloud Security, or Vulnerability Management functions. While it processes + leaked credentials, it does not provide the capability to manage identities (e.g., + password resets, account suspension), so IAM & Identity Management is false. It + does not interact with email systems, so Email Security is false. The job functionality + is limited to internal case maintenance (closing expired cases) and does not constitute + an ITSM integration. Therefore, only the Threat Intelligence category is applicable. siem: false threat_intelligence: true vulnerability_management: false diff --git a/content/response_integrations/third_party/community/luminar_iocs_and_leaked_credentials/resources/ai/jobs_ai_description.yaml b/content/response_integrations/third_party/community/luminar_iocs_and_leaked_credentials/resources/ai/jobs_ai_description.yaml index 320d9c2d1..3cc7192a3 100644 --- a/content/response_integrations/third_party/community/luminar_iocs_and_leaked_credentials/resources/ai/jobs_ai_description.yaml +++ b/content/response_integrations/third_party/community/luminar_iocs_and_leaked_credentials/resources/ai/jobs_ai_description.yaml @@ -2,12 +2,9 @@ Luminar IOC and Leaked Credentials Job: ai_description: >- ### General Description - This job performs automated maintenance for cases generated by the Luminar IOCs - and Leaked Credentials integration. It identifies open cases related to Luminar - indicators and checks their expiration status. If an indicator is found to be - expired based on its metadata, the job automatically assigns the case to a designated - user and closes it with a maintenance reason, ensuring the case queue remains - relevant and up-to-date. + This job automates the maintenance of "Luminar IOCs" cases within Google SecOps. + It identifies cases that have expired based on their security event card data + and automatically closes them to keep the case management system clean. ### Parameters Description @@ -17,29 +14,22 @@ Luminar IOC and Leaked Credentials Job: | :--- | :--- | :--- | :--- | | Siemplify Username | String | Yes | The username used to authenticate with the - Google SecOps API and the user to whom expired cases will be assigned before closure. - | + SOAR API. | - | Siemplify Password | Password | Yes | The password for the specified Siemplify - Username to facilitate API authentication. | + | Siemplify Password | Password | Yes | The password used to authenticate with + the SOAR API. | ### Flow Description - 1. **Authentication**: Logs into the Google SecOps (Siemplify) API using the provided - username and password to retrieve a bearer token for subsequent requests. + 1. Authenticates with the SOAR API using the provided credentials to obtain a + bearer token. - 2. **Case Search**: Queries the system for all open cases that contain the title - "Luminar IOCs". + 2. Queries the SOAR platform for all open cases titled "Luminar IOCs". - 3. **Detail Retrieval**: For each matching case, the job fetches the full case - details to access specific alert fields. + 3. Iterates through each retrieved case to fetch its full details. - 4. **Expiration Check**: Extracts the expiration date from the security event - cards within the case and compares it against the current system time. + 4. Parses the expiration date from the case's security event card. - 5. **Case Assignment**: If the expiration date has passed, the job performs a - bulk assignment of the case to the configured Siemplify Username. - - 6. **Case Closure**: Executes a bulk close operation on the expired cases, marking - them with a "Maintenance" reason and a comment indicating the IOCs have expired. + 5. If the expiration date has passed, the job assigns the case to the configured + user and closes it with the reason "Maintenance" and root cause "Other". diff --git a/content/response_integrations/third_party/community/marketo/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/marketo/resources/ai/actions_ai_description.yaml index eae0cb16a..70176fe14 100644 --- a/content/response_integrations/third_party/community/marketo/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/marketo/resources/ai/actions_ai_description.yaml @@ -13,6 +13,9 @@ Create lead: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action creates a new lead in Marketo. This does not match any of the predefined + categories (e.g., Enrichment, Ticket, Alert, Blocklist, etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -25,56 +28,18 @@ Create lead: uncontain_host: false update_alert: false update_email: false - update_identity: true + update_identity: false update_ticket: false ai_description: >- - ### General Description - - The **Create lead** action allows users to create a new lead record within the - Marketo platform. This is typically used to synchronize user information or register - new contacts discovered during an investigation into marketing or CRM workflows. - - - ### Flow Description - - 1. **Parameter Extraction:** The action retrieves integration credentials (Client - Id, Client Secret, Munchkin Id) and action-specific parameters (Email, First Name, - Last Name, Country). - - 2. **API Connection:** It initializes the Marketo Client using the provided credentials. - - 3. **Lead Creation:** The action sends a request to Marketo to create a lead using - the `createOnly` method, ensuring that it only creates a new record and does not - update existing ones based on the email address. - - 4. **Response Handling:** It parses the API response. If the creation is successful, - it returns the lead ID. If it fails (e.g., lead already exists or invalid data), - it captures the error reasons. - - 5. **Finalization:** The action reports the execution status and provides the - raw JSON response from Marketo. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Email | String | Yes | The email address of the new lead. Used as the primary - lookup field. | - - | First Name | String | Yes | The first name of the new lead. | - - | Last Name | String | Yes | The last name of the new lead. | - - | Country | String | Yes | The country associated with the new lead. | - - - ### Additional Notes - - * This action does not process SOAR entities; it relies entirely on the provided - input parameters. + This action creates a new lead in the Marketo platform using the provided user + details. Parameters: Email (string, mandatory): The email address of the new lead. + First Name (string, mandatory): The first name of the new lead. Last Name (string, + mandatory): The last name of the new lead. Country (string, mandatory): The country + of the new lead. Flow: 1. Extract integration configuration parameters (Client + Id, Client Secret, Munchkin Id). 2. Extract action parameters (Email, First Name, + Last Name, Country). 3. Initialize the MarketoClient. 4. Execute the create_update_leads + method with action='createOnly' to create the lead in Marketo. 5. Process the + response and set the execution status. 6. Add the result JSON to the action output. capabilities: can_create_case_comments: false can_create_insight: false @@ -83,11 +48,17 @@ Create lead: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new lead record in the Marketo system. + Creates a new lead record in the Marketo platform. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST-like operation to create a lead in Marketo. It does + not fetch data or modify internal SecOps data. categories: enrichment: false + reasoning: >- + The action creates external data (a lead) rather than retrieving data, so it + cannot be an Enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -103,6 +74,8 @@ Create lead: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with entities. It uses direct input parameters. Get Lead By Email Param: action_product_categories: add_alert_comment: false @@ -118,6 +91,10 @@ Get Lead By Email Param: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves lead details (metadata) for a specific user/email from + Marketo. This aligns with the 'Enrich Asset' category, as it provides contextual + metadata for a user. It is not an IOC enrichment as it targets a user/lead. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -132,28 +109,48 @@ Get Lead By Email Param: update_email: false update_identity: false update_ticket: false - ai_description: "### General Description\nThe **Get Lead By Email Param** action\ - \ retrieves detailed lead information from Marketo for a specific email address\ - \ provided as an input parameter. This action allows analysts to fetch marketing\ - \ and identity context for a user directly by their email address, independent\ - \ of the entities currently present in a Google SecOps case.\n\n### Parameters\ - \ Description\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- |\ - \ :--- | :--- |\n| Email | String | True | The email address of the user you want\ - \ to retrieve details for. The value is case-insensitive as the action converts\ - \ it to lowercase before processing. |\n\n### Flow Description\n1. **Configuration\ - \ Retrieval:** The action extracts the necessary Marketo API credentials (Client\ - \ Id, Client Secret, and Munchkin Id) from the integration settings.\n2. **Input\ - \ Processing:** The action retrieves the target email address from the input parameters\ - \ and converts it to lowercase.\n3. **API Interaction:** It initializes the Marketo\ - \ client and executes a query using the `get_multiple_leads_by_filter_type` method,\ - \ filtering specifically by the 'email' field.\n4. **Outcome Determination:**\ - \ \n * If lead data is returned, the action identifies the Lead ID, constructs\ - \ a success message, and sets the result value to `True`.\n * If no lead is\ - \ found, it informs the user that the lead does not exist and sets the result\ - \ value to `False`.\n5. **Data Output:** The full JSON response from Marketo is\ - \ attached to the action results for further use in playbooks.\n\n### Additional\ - \ Notes\nThis action is parameter-driven and does not iterate over or modify Google\ - \ SecOps entities. It is strictly a data retrieval task." + ai_description: >- + ### General Description + + This action retrieves lead information from Marketo for a specified email address. + It is designed to fetch contextual metadata about a user or lead, which can be + used for further investigation or enrichment within a playbook. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Email | string | true | The email address of the user you want to get the details + for. | + + + ### Additional Notes + + This action requires valid Marketo API credentials (Client ID, Client Secret, + and Munchkin ID) to be configured in the integration settings. The action does + not modify any external or internal data; it only retrieves information and adds + it to the action result. + + + ### Flow Description + + 1. Extract configuration parameters (Client ID, Client Secret, Munchkin ID) from + the integration settings. + + 2. Extract the `Email` parameter provided by the user. + + 3. Initialize the `MarketoClient` using the extracted credentials. + + 4. Query Marketo for leads matching the provided email address using the `get_multiple_leads_by_filter_type` + method. + + 5. If a lead is found, return the lead ID and set the action result to true; otherwise, + report that the user does not exist and set the result to false. + + 6. Add the raw lead details to the action result JSON for further use in the playbook. capabilities: can_create_case_comments: false can_create_insight: false @@ -164,8 +161,16 @@ Get Lead By Email Param: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action queries the Marketo API to retrieve lead information based on an + email address. It does not modify any external systems or internal SOAR data + (entities, insights, comments). It only adds the result JSON to the action output. categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches contextual data (lead details) from an external system (Marketo) + without modifying any external or internal state. This fits the definition of + an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -181,6 +186,10 @@ Get Lead By Email Param: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use `siemplify.target_entities`. It relies on a user-provided + `Email` parameter to perform the lookup. Therefore, it does not process any + entities. Get Lead By Entity Email: action_product_categories: add_alert_comment: false @@ -196,6 +205,10 @@ Get Lead By Entity Email: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves contextual metadata (first name, last name, email, lead + ID) for a user entity from Marketo. This matches the 'Enrich Asset' category. + It does not perform IOC enrichment, ticket creation, or other listed actions. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -213,44 +226,52 @@ Get Lead By Entity Email: ai_description: >- ### General Description - The **Get Lead By Entity Email** action enriches User entities within Google SecOps - by retrieving corresponding lead information from Marketo. It uses the entity's - identifier (email address) to query the Marketo database and returns key details - such as the Lead ID, first name, and last name. + This action retrieves lead information from Marketo for entities identified as + users with valid email addresses. It queries the Marketo API using the email address, + retrieves details such as first name, last name, and lead ID, and updates the + entity's additional properties within the SOAR platform. ### Parameters Description - There are no action-specific parameters for this action. It relies on the integration's - global configuration (Client ID, Client Secret, and Munchkin ID). + | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Flow Description + | Client Id | String | Yes | The Client ID for Marketo API authentication. | - 1. **Initialization**: The action initializes the Marketo client using the provided - integration credentials. + | Client Secret | String | Yes | The Client Secret for Marketo API authentication. + | - 2. **Entity Filtering**: It iterates through the target entities, selecting only - those of type `USER` that possess a valid email format (verified via regex). + | Munchkin Id | String | Yes | The Munchkin ID for Marketo API authentication. + | - 3. **Data Retrieval**: For each valid entity, the action queries Marketo using - the `get_multiple_leads_by_filter_type` method with the email as the filter. - 4. **Enrichment**: If a matching lead is found, the action extracts the Lead ID, - first name, last name, and email. + ### Additional Notes - 5. **Internal Update**: The extracted data is added to the entity's `additional_properties`, - the `is_enriched` flag is set to `true`, and the entity is updated within the - SOAR platform. + This action requires valid Marketo API credentials. It only processes entities + of type 'USER' that have a valid email address as their identifier. - 6. **Results**: A JSON result containing the enrichment details for all processed - entities and the total count of leads found is attached to the action output. + ### Flow Description - ### Additional Notes + 1. Initialize the Marketo client using the provided configuration parameters (Client + ID, Client Secret, Munchkin ID). + + 2. Iterate through the target entities in the SOAR case. + + 3. Validate that the entity is of type 'USER' and that its identifier is a valid + email address. + + 4. Query the Marketo API for lead details using the email address. + + 5. If a lead is found, update the entity's `additional_properties` with the retrieved + data (first name, last name, email, lead ID) and mark the entity as enriched. - - Entities that do not match the email regex or are not of type `USER` are skipped - with a log message. + 6. Update the enriched entities in the SOAR platform. + + 7. Add the result as a JSON object containing the enriched entities and the total + count of leads found. capabilities: can_create_case_comments: false can_create_insight: false @@ -261,10 +282,19 @@ Get Lead By Entity Email: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with Marketo lead information and sets - the is_enriched flag to true. + Updates entity 'additional_properties' and 'is_enriched' status within the SOAR + platform. + reasoning: >- + The action fetches data from the Marketo API (fetches_data=true). It does not + mutate external systems (can_mutate_external_data=false). It updates entity + properties within the SOAR platform (can_mutate_internal_data=true, can_update_entities=true). + It does not create insights, modify alert data, or create case comments. categories: enrichment: true + reasoning: >- + The action fetches lead data from Marketo to enrich user entities. It does not + mutate external systems and only performs allowed internal mutations (updating + entity properties). Therefore, it is an enrichment action. entity_usage: entity_types: - USERUNIQNAME @@ -281,6 +311,11 @@ Get Lead By Entity Email: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and filters using `ent.entity_type + == EntityTypes.USER` and a regex check on `ent.identifier` to ensure it is a + valid email address. Therefore, it targets `USERUNIQNAME` entities, filtering + by entity type and identifier. Ping: action_product_categories: add_alert_comment: false @@ -296,6 +331,9 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test ('Ping') and does not perform any of the defined + product category operations (e.g., enriching IOCs, updating tickets, etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -313,40 +351,38 @@ Ping: ai_description: >- ### General Description - The **Ping** action is designed to verify the connectivity between Google SecOps - and the Marketo platform. It ensures that the provided credentials (Client ID, - Client Secret, and Munchkin ID) are valid and that the environment can successfully - communicate with the Marketo API. + Tests the connectivity with Marketo by performing a simple API request to verify + the integration's health. ### Parameters Description - There are no action-specific parameters for this action. It relies entirely on - the integration's configuration parameters. + | Parameter | Type | Mandatory | Description | + + | --- | --- | --- | --- | + + | Client Id | String | Yes | Used for authentication with Marketo. | + + | Client Secret | String | Yes | Used for authentication with Marketo. | + + | Munchkin Id | String | Yes | Used for authentication with Marketo. | ### Flow Description - 1. **Configuration Extraction**: The action retrieves the `Client Id`, `Client - Secret`, and `Munchkin Id` from the Marketo integration settings. + 1. Extract configuration parameters (Client Id, Client Secret, Munchkin Id). - 2. **Client Initialization**: It initializes the `MarketoClient` using the extracted - credentials. + 2. Initialize the `MarketoClient`. - 3. **Connectivity Test**: The action attempts to execute a `get_lead_by_id` request - for a lead with ID `1`. This serves as a functional test to confirm API access - and permissions. + 3. Execute a `get_lead_by_id` request with a hardcoded ID to verify the connection. - 4. **Execution Result**: If the API call is successful, the action terminates - with a success status. If an exception occurs during the process, it is raised, - indicating a connectivity or configuration issue. + 4. End the action with a success status. ### Additional Notes - * This action does not process any entities from the case. - - * It is strictly used for health checks and troubleshooting integration setup. + This is a connectivity test action and does not perform any data enrichment or + mutation. capabilities: can_create_case_comments: false can_create_insight: false @@ -357,8 +393,16 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET-like operation (`get_lead_by_id`) to verify connectivity. + It does not modify external or internal data, nor does it update entities or + create insights. categories: enrichment: false + reasoning: >- + The action is named 'Ping'. According to the instructions, 'Actions named Ping + must not be categorized as enrichment actions.' Therefore, it is not an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -374,6 +418,10 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not iterate over `target_entities` or use any entity identifiers. + It uses a hardcoded ID `1` to test connectivity, therefore it does not process + any entities. Request Campaign: action_product_categories: add_alert_comment: false @@ -389,6 +437,10 @@ Request Campaign: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action triggers a campaign in Marketo for a specific lead. This is an external + system mutation. It does not fit any of the provided categories (e.g., Enrichment, + Ticket, Containment, etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -406,10 +458,9 @@ Request Campaign: ai_description: >- ### General Description - The **Request Campaign** action allows users to trigger a specific marketing campaign - for a designated lead within the Marketo platform. This action is primarily used - to automate marketing workflows or responses based on security events or identified - user behavior. + This action triggers a specific campaign for a lead in the Marketo platform. It + allows users to pass custom tokens to the campaign, enabling automated marketing + workflows directly from the SOAR platform. ### Parameters Description @@ -418,37 +469,29 @@ Request Campaign: | :--- | :--- | :--- | :--- | - | Campaign Id | string | Yes | The unique identifier of the Marketo campaign to - be triggered. The action converts this to an integer internally. | + | Lead Id | string | Yes | The ID of the lead to be added to the campaign. | - | Lead Id | string | Yes | The unique identifier of the lead (user/contact) for - whom the campaign should be requested. The action converts this to an integer - internally. | + | Campaign Id | string | Yes | The ID of the campaign to trigger. | - | Tokens Json | string | No | A JSON-formatted string containing key-value pairs - representing tokens to be passed to the campaign. Keys are processed to ensure - lowercase values unless they contain the word 'password'. | + | Tokens Json | string | No | A JSON string containing tokens for the campaign. + | ### Flow Description - 1. **Initialization**: The action retrieves Marketo integration credentials (Client - ID, Client Secret, Munchkin ID) and the specific action parameters (Campaign ID, - Lead ID, and Tokens JSON). + 1. Extract configuration parameters (Client ID, Client Secret, Munchkin ID) from + the integration settings. + + 2. Extract action parameters (Campaign ID, Lead ID, Tokens) from the action input. - 2. **Token Processing**: If provided, the `Tokens Json` is parsed. The logic iterates - through the keys and converts values to lowercase, except for values associated - with keys containing 'password' to preserve credential integrity. + 3. Parse the `Tokens Json` string into a dictionary. - 3. **API Connection**: A connection is established with the Marketo API using - the `MarketoClient` and the provided credentials. + 4. Initialize the Marketo client using the provided configuration. - 4. **Execution**: The action calls the `request_campaign` method on the Marketo - client, passing the Campaign ID, the Lead ID (as a list), and the processed tokens. + 5. Execute the `request_campaign` method in Marketo with the provided Campaign + ID, Lead ID, and tokens. - 5. **Completion**: If the API call is successful, the action returns a success - message and a boolean result of `True`. If an error occurs, it logs the exception - and returns a failure status. + 6. Log the execution status and end the action with a success or failure message. capabilities: can_create_case_comments: false can_create_insight: false @@ -457,12 +500,19 @@ Request Campaign: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Triggers a marketing campaign for a specific lead in Marketo, which initiates - external workflows and communications. + Triggers a campaign for a specific lead in the Marketo platform. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action triggers a campaign in Marketo, which is an external system mutation. + It does not fetch data, modify internal SOAR data, update entities, create insights, + or modify alert data. categories: enrichment: false + reasoning: >- + The action performs a mutation on an external system (Marketo) by triggering + a campaign. It does not fetch data for enrichment purposes, nor does it modify + internal SOAR data. Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -478,3 +528,6 @@ Request Campaign: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not iterate over `siemplify.target_entities` or use any entity-specific + logic. It relies solely on the provided `Lead Id` and `Campaign Id` parameters. diff --git a/content/response_integrations/third_party/community/marketo/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/marketo/resources/ai/integration_ai_description.yaml index 0b062e038..f9b08a3a7 100644 --- a/content/response_integrations/third_party/community/marketo/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/community/marketo/resources/ai/integration_ai_description.yaml @@ -4,9 +4,20 @@ product_categories: collaboration: false edr: false email_security: false - iam_and_identity_management: true + iam_and_identity_management: false itsm: false network_security: false + reasoning: >- + The Marketo integration provides capabilities to retrieve lead information and + associate it with user entities within the SOAR platform. Specifically, the actions + 'Get Lead By Email Param' and 'Get Lead By Entity Email' are designed to fetch + contextual metadata (first name, last name, lead ID) for user entities, which + aligns with the 'Asset Inventory' category definition of retrieving more information + about an internal asset (in this case, a user). The integration does not perform + SIEM, EDR, Network Security, Threat Intelligence, Email Security, IAM, Cloud Security, + ITSM, Vulnerability Management, or Collaboration functions. While it interacts + with user data, it does not manage identity lifecycles (IAM) or provide security + reputation scores (Threat Intelligence). siem: false threat_intelligence: false vulnerability_management: false diff --git a/content/response_integrations/third_party/community/microsoft_graph_security_tools/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/microsoft_graph_security_tools/resources/ai/actions_ai_description.yaml index 7fb30806e..f94d876a7 100644 --- a/content/response_integrations/third_party/community/microsoft_graph_security_tools/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/microsoft_graph_security_tools/resources/ai/actions_ai_description.yaml @@ -13,6 +13,9 @@ Delete Attachment: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action modifies the state of an email by removing an attachment. This aligns + with the 'Update Email' category, which covers modifications to email state. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -28,25 +31,44 @@ Delete Attachment: update_identity: false update_ticket: false ai_description: >- - ### General Description\nDeletes a specific attachment from a user's mailbox using - the Microsoft Graph API. This action is primarily used as a remediation step to - remove malicious or unauthorized files from an email message after they have been - identified.\n\n### Parameters Description\n| Parameter | Type | Mandatory | Description - |\n| :--- | :--- | :--- | :--- |\n| **User ID** | String | Yes | The email address - or `userPrincipalName` of the user whose mailbox contains the message. |\n| **Message - ID** | String | Yes | The unique identifier of the email message containing the - attachment. |\n| **Attachment ID** | String | Yes | The unique identifier of the - specific attachment to be deleted. |\n\n### Flow Description\n1. **Authentication**: - The action connects to Microsoft Graph using the configured Client ID, Tenant - ID, and either a Client Secret or a Certificate.\n2. **Parameter Extraction**: - It retrieves the `User ID`, `Message ID`, and `Attachment ID` from the action - input parameters.\n3. **API Execution**: It sends a `DELETE` request to the Microsoft - Graph endpoint for the specific attachment: `https://graph.microsoft.com/v1.0/users/{user_id}/messages/{message_id}/attachments/{attachment_id}`.\n4. - **Result Handling**: The action evaluates the response. A `204 No Content` status - indicates a successful deletion. The result is logged and returned as a JSON object.\n\n### - Additional Notes\n- This action performs a permanent deletion of the attachment.\n- - The integration must have the `Mail.ReadWrite` permission granted in the Azure - portal for this action to function correctly. + Deletes a specific attachment from a user's email message using the Microsoft + Graph API. This action is useful for removing malicious or sensitive attachments + from user mailboxes. + + + ### Flow Description + + 1. Extracts configuration parameters (Client ID, Secret ID, Tenant ID, Certificate + details) and action parameters (User ID, Message ID, Attachment ID). + + 2. Initializes the `MicrosoftGraphSecurityManager` to authenticate with the Microsoft + Graph API. + + 3. Executes a DELETE request to the Microsoft Graph API endpoint for the specified + attachment. + + 4. Returns the status and output message of the deletion request. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | User ID | string | Yes | The email address or user principal name of the user + whose mailbox contains the message. | + + | Message ID | string | Yes | The unique identifier of the email message. | + + | Attachment ID | string | Yes | The unique identifier of the attachment to be + deleted. | + + + ### Additional Notes + + This action performs a destructive operation on external data (Microsoft 365). + Ensure the provided IDs are correct before execution. capabilities: can_create_case_comments: false can_create_insight: false @@ -55,12 +77,20 @@ Delete Attachment: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Deletes a specific attachment from a user's email message in Microsoft Graph - (Office 365). + Deletes an attachment from a user's email message in Microsoft 365 via the Microsoft + Graph API. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a DELETE request to the Microsoft Graph API to remove an + attachment from an email. It does not fetch data, nor does it mutate internal + Google SecOps data (like case comments or insights). It is a direct mutation + of external data. categories: enrichment: false + reasoning: >- + The action is a mutation action (deleting an attachment) and does not fetch + data for enrichment purposes. Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -76,6 +106,9 @@ Delete Attachment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities`. It extracts parameters + directly from the action configuration using `siemplify.extract_action_param`. Delete Message: action_product_categories: add_alert_comment: false @@ -91,6 +124,9 @@ Delete Message: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action deletes a message from a user's mailbox, which directly matches the + 'Delete Email' category. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -105,28 +141,21 @@ Delete Message: update_email: false update_identity: false update_ticket: false - ai_description: "### General Description\nDeletes a specific email message from\ - \ one or more Microsoft 365 mailboxes using the Microsoft Graph API. This action\ - \ is primarily used for remediation purposes, such as removing phishing emails\ - \ or unauthorized communications from user inboxes.\n\n### Parameters Description\n\ - | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ - | Message ID | String | Yes | The unique identifier of the email message to be\ - \ deleted. |\n| User ID | String | Yes | The email address or userPrincipalName\ - \ of the user. This parameter supports a comma-separated list (CSV) to perform\ - \ the deletion across multiple mailboxes in a single execution. |\n\n### Flow\ - \ Description\n1. **Authentication**: The action initializes a connection to the\ - \ Microsoft Graph API using the configured Client ID, Tenant ID, and either a\ - \ Client Secret or Certificate.\n2. **Input Processing**: It extracts the target\ - \ Message ID and the User ID(s) provided in the action parameters.\n3. **Deletion\ - \ Logic**: \n - If a single User ID is provided, the action sends a DELETE\ - \ request to the Microsoft Graph endpoint for that specific message.\n - If\ - \ a CSV list of User IDs is provided, the action iterates through each user and\ - \ attempts to delete the message from their respective mailbox.\n4. **Completion**:\ - \ The action captures the API response status (expecting HTTP 204 for success)\ - \ and returns a summary of the operation's success or failure.\n\n### Additional\ - \ Notes\n- This action does not process SecOps entities; it relies entirely on\ - \ the provided Message ID and User ID parameters.\n- Ensure the Azure Application\ - \ has the appropriate permissions (e.g., `Mail.ReadWrite`) to perform deletions." + ai_description: >- + General Description: This action deletes a specific message from a user's mailbox + using the Microsoft Graph API. It is designed to remove unwanted or malicious + emails from one or more user mailboxes based on the provided Message ID and User + ID. Parameters Description: | Parameter | Type | Mandatory | Description | | --- + | --- | --- | --- | | Message ID | string | Yes | The unique identifier of the + message to be deleted. | | User ID | string | Yes | The email address or user + principal name of the user whose mailbox contains the message. Supports CSV input + to delete from multiple mailboxes. | Flow Description: 1. The action extracts + the necessary integration configuration (Client ID, Secret ID, Tenant ID, and + Certificate details) and action parameters (User ID, Message ID). 2. It initializes + the Microsoft Graph Security Manager using the provided credentials. 3. It executes + a DELETE request to the Microsoft Graph API endpoint for the specified user and + message ID. 4. The action returns the result of the deletion operation, indicating + success or failure. capabilities: can_create_case_comments: false can_create_insight: false @@ -135,12 +164,18 @@ Delete Message: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Deletes email messages from Microsoft 365 mailboxes via the Microsoft Graph - API. + Deletes a message from a user's mailbox in Microsoft Graph. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a DELETE request to the Microsoft Graph API to remove a + message from a user's mailbox. It does not fetch data, update internal SOAR + entities, or create insights. categories: enrichment: false + reasoning: >- + The action is a mutation action (deletion) and does not retrieve data for enrichment + purposes. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -156,6 +191,9 @@ Delete Message: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not utilize siemplify.target_entities. It operates on parameters + provided directly by the user. Get Message: action_product_categories: add_alert_comment: false @@ -171,11 +209,15 @@ Get Message: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves a specific email message from the mail server. This aligns + with the 'Search Email' category, which involves identifying and retrieving + email data. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false search_asset: false - search_email: false + search_email: true search_events: false send_email: false send_message: false @@ -188,11 +230,11 @@ Get Message: ai_description: >- ### General Description - The **Get Message** action retrieves the full details of a specific email message - from a user's Microsoft 365 inbox using the Microsoft Graph API. This action is - primarily used for forensic investigation or automated response flows where the - content or metadata of a specific email (identified by its unique ID) needs to - be analyzed. + Retrieves a specific email message from a user's inbox using the Microsoft Graph + API. This action authenticates with the Microsoft Graph API using the provided + integration credentials, then executes a GET request to fetch the message details + based on the provided User ID and Message ID. The retrieved message data is returned + as a JSON result in the action output. ### Parameters Description @@ -201,38 +243,29 @@ Get Message: | :--- | :--- | :--- | :--- | - | **User ID** | string | Yes | The `userPrincipalName` (typically the email address) - of the user whose mailbox is being accessed. | - - | **Message ID** | string | Yes | The unique identifier of the specific email - message to retrieve. | - + | User ID | string | Yes | The email address or userPrincipalName of the user + whose inbox to search. | - ### Flow Description + | Message ID | string | Yes | The unique identifier of the message to retrieve. + | - 1. **Authentication**: The action initializes a connection to the Microsoft Graph - API using the integration's Client ID, Secret, and Tenant ID. - 2. **Parameter Extraction**: It extracts the target **User ID** and **Message - ID** from the action parameters. + ### Additional Notes - 3. **API Retrieval**: The action performs a GET request to the Microsoft Graph - endpoint: `https://graph.microsoft.com/v1.0/users/{User ID}/messages/{Message - ID}`. + There are no additional notes for this action. - 4. **Data Processing**: The retrieved JSON data, containing message properties - such as subject, body, sender, and timestamps, is processed. - 5. **Output**: The action returns the message details as a JSON result and completes - with a success status. + ### Flow Description + 1. Extracts `User ID` and `Message ID` from the action parameters. - ### Additional Notes + 2. Authenticates with the Microsoft Graph API using the configured integration + credentials. - - This action is read-only and does not modify the state of the email or the mailbox. + 3. Sends a GET request to the Microsoft Graph API to retrieve the specified message + details. - - Ensure the registered Azure AD application has the `Mail.Read` or `Mail.ReadWrite` - permissions. + 4. Returns the message data as a JSON result in the action output. capabilities: can_create_case_comments: false can_create_insight: false @@ -243,8 +276,17 @@ Get Message: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Microsoft Graph API to retrieve message + details. It does not modify any external systems or internal SecOps data (no + entity updates, insights, or comments). categories: enrichment: false + reasoning: >- + The action retrieves data (a message) but does not perform any of the allowed + internal mutations (add comments, create insights, update entities) to enrich + an entity or alert. Therefore, it does not meet the strict criteria for an Enrichment + Action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -260,6 +302,10 @@ Get Message: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities` or use entity-specific + identifiers to perform its task. It uses parameters provided directly in the + action configuration. Get User MFA: action_product_categories: add_alert_comment: false @@ -275,6 +321,10 @@ Get User MFA: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves MFA registration details for a user, which provides contextual + metadata about the user's security posture. This matches 'Enrich Asset'. It + also searches for the user/asset, matching 'Search Asset'. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -292,36 +342,34 @@ Get User MFA: ai_description: >- ### General Description - Retrieves Multi-Factor Authentication (MFA) registration and status details for - users from Microsoft Graph. This action is designed to provide visibility into - a user's security posture by identifying whether they have registered for MFA, - if it is enabled, and which authentication methods are configured. It processes - a specific email address provided as a parameter and also automatically scans - all entities in the case that appear to be email addresses. + This action retrieves Multi-Factor Authentication (MFA) registration statistics + for a specified user email address from Microsoft Graph. It can also process email-like + entities found within the current case to provide a comprehensive view of MFA + status across multiple users. ### Flow Description - 1. **Authentication**: Connects to the Microsoft Graph API using the provided - Client ID, Secret ID (or Certificate), and Tenant ID. + 1. Extracts configuration parameters (Client ID, Secret ID, Tenant ID, etc.) and + action parameters (User Email, Create Insight). - 2. **Parameter Processing**: Fetches MFA statistics for the primary user email - specified in the `User Email` action parameter. + 2. Initializes the Microsoft Graph Security manager to authenticate and connect + to the Microsoft Graph API. - 3. **Entity Processing**: Iterates through all entities associated with the current - case. It identifies entities whose identifiers contain an "@" symbol (treating - them as potential user principal names). + 3. Retrieves MFA registration statistics for the provided `User Email`. - 4. **Data Retrieval**: For each identified user (from parameters and entities), - it queries the Microsoft Graph beta reports endpoint to retrieve credential registration - details. + 4. If `Create Insight` is enabled, it generates a case insight containing the + MFA statistics for the provided email. + + 5. Iterates through all `target_entities` in the case, identifying those that + appear to be email addresses (containing an '@' symbol). - 5. **Insight Generation**: If the `Create Insight` parameter is enabled, the action - generates a detailed case insight for each user, summarizing their MFA registration - status, capabilities, and methods. + 6. Retrieves MFA statistics for each identified email entity. - 6. **Output**: Returns a comprehensive JSON array containing the MFA statistics - for all processed users. + 7. If `Create Insight` is enabled, it generates a case insight for each identified + email entity. + + 8. Aggregates all retrieved MFA statistics and returns them as a JSON result. ### Parameters Description @@ -330,21 +378,16 @@ Get User MFA: | :--- | :--- | :--- | :--- | - | User Email | string | True | The primary userPrincipalName (email) to search - for. This user's data will always be the first entry in the results. | + | User Email | string | Yes | The email address to search for (userPrincipalName). + Valid target entities (emails) will also be checked. | - | Create Insight | boolean | False | If set to `true`, the action will create - a detailed insight in the Google SecOps case for every user successfully queried. - Defaults to `false`. | + | Create Insight | boolean | No | If true, creates a case insight for each email + checked with MFA stats. | ### Additional Notes - - The action uses the Microsoft Graph Beta API endpoint (`/beta/reports/credentialUserRegistrationDetails`) - to fetch detailed MFA statistics. - - - The JSON result will always return the data for the `User Email` input at index - zero, followed by any data found for matching entities. + The action filters entities by checking if the identifier contains an '@' symbol. capabilities: can_create_case_comments: false can_create_insight: true @@ -355,46 +398,20 @@ Get User MFA: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Creates case insights containing MFA registration and capability details for - the specified users. + Creates case insights for the retrieved MFA statistics. + reasoning: >- + The action fetches MFA statistics from Microsoft Graph for a specific user email + and optionally for email-like entities in the case. It creates case insights + if configured. It does not mutate external data. categories: enrichment: true + reasoning: >- + The action fetches contextual data (MFA stats) about users and adds insights + to the case. It does not mutate external systems. This fits the definition of + an enrichment action. entity_usage: entity_types: - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false @@ -409,6 +426,10 @@ Get User MFA: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over `siemplify.target_entities` and filters them by checking + if the identifier contains an '@' symbol. It does not filter by specific entity + types or other attributes. List Attachments: action_product_categories: add_alert_comment: false @@ -424,11 +445,15 @@ List Attachments: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves a list of attachments from a specific email message. This + does not align with the provided categories, as it is not searching for emails, + enriching IOCs/assets, or performing containment/ticket actions. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false search_asset: false - search_email: true + search_email: false search_events: false send_email: false send_message: false @@ -439,53 +464,41 @@ List Attachments: update_identity: false update_ticket: false ai_description: >- - ### General Description - - Retrieves a list of attachment objects associated with a specific email message - in a user's mailbox using the Microsoft Graph API. This action provides metadata - for all files or items attached to the message, which is essential for forensic - analysis and email investigations. + Retrieves a list of attachment objects from a specific email message in Microsoft + Graph. - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | + ### Flow Description - | User ID | string | Yes | The email address (userPrincipalName) or the unique - identifier of the user whose mailbox is being accessed. | + 1. Extracts the `User ID` (userPrincipalName) and `Message ID` from the action + parameters. - | Message ID | string | No | The unique identifier of the message from which to - retrieve the attachment list. Note: While marked as non-mandatory in configuration, - the underlying API call requires this ID to target a specific message. | + 2. Authenticates with the Microsoft Graph API using the provided integration credentials + (Client ID, Secret/Certificate, Tenant ID). + 3. Queries the Microsoft Graph API endpoint `https://graph.microsoft.com/v1.0/users/{user_id}/messages/{message_id}/attachments` + to fetch the list of attachments. - ### Additional Notes + 4. Returns the retrieved attachment data as a JSON result to the action output. - - This action performs a read-only operation and does not modify the mailbox or - the attachments. - - The results are returned as a JSON array containing attachment metadata (e.g., - name, content type, size). + ### Parameters + | Parameter | Type | Mandatory | Description | - ### Flow Description + | :--- | :--- | :--- | :--- | - 1. **Authentication**: The action initializes the Microsoft Graph Security Manager - using the provided Client ID, Secret/Certificate, and Tenant ID. + | User ID | string | Yes | The email address (userPrincipalName) of the user. + | - 2. **Parameter Extraction**: It retrieves the `User ID` and `Message ID` from - the action input parameters. + | Message ID | string | No | The ID of the message to retrieve the attachment + list from. | - 3. **API Request**: It executes a GET request to the Microsoft Graph endpoint: - `https://graph.microsoft.com/v1.0/users/{user_id}/messages/{message_id}/attachments`. - 4. **Data Processing**: The action validates the API response and extracts the - list of attachment objects. + ### Additional Notes - 5. **Output**: The retrieved data is attached to the action results as a JSON - object, and the action completes successfully. + This action is a read-only operation that fetches data from Microsoft Graph. It + does not modify any external or internal system state. capabilities: can_create_case_comments: false can_create_insight: false @@ -496,8 +509,16 @@ List Attachments: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Microsoft Graph API to retrieve attachment + metadata for a specific email message. It does not modify any external or internal + data, nor does it operate on SOAR entities. categories: - enrichment: true + enrichment: false + reasoning: >- + The action retrieves data (attachments) from an external system (Microsoft Graph) + but does not operate on SOAR entities or update internal SOAR data. Therefore, + it is not classified as an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -513,6 +534,9 @@ List Attachments: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities` or use entity-specific + identifiers to perform its task. It uses direct parameters provided by the user. List Mail Rules: action_product_categories: add_alert_comment: false @@ -528,6 +552,10 @@ List Mail Rules: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves mail rules for a user's inbox, which is contextual metadata + for a resource. This matches the `enrich_asset` category. It does not perform + any other actions like updating alerts, tickets, or blocking IOCs. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -543,45 +571,36 @@ List Mail Rules: update_identity: false update_ticket: false ai_description: >- - The 'List Mail Rules' action retrieves all message rules defined for a specific - user's inbox within Microsoft Graph. This is useful for identifying potentially - malicious or suspicious mail forwarding, deletion, or redirection rules that could - indicate account compromise or data exfiltration. - - - ### Flow Description: - - 1. **Authentication:** The action establishes a connection to the Microsoft Graph - API using the provided Client ID, Secret/Certificate, and Tenant ID. + ### General Description - 2. **Parameter Extraction:** It retrieves the 'User ID' (email address) from the - action parameters. + Retrieves all message rule objects defined for a user's inbox using the Microsoft + Graph API. This action allows analysts to inspect mail forwarding or filtering + rules configured on a specific user's account. - 3. **API Request:** It sends a GET request to the Microsoft Graph endpoint: `https://graph.microsoft.com/v1.0/users/{user_id}/mailFolders/inbox/messageRules`. - 4. **Data Processing:** The action receives the list of rule objects from the - response. + ### Parameters Description - 5. **Output:** The retrieved mail rules are attached to the action result as a - JSON object for further analysis or playbook logic. + | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Parameters Description: + | User ID | string | True | The email address (userPrincipalName) of the user + whose mail rules are to be retrieved. | - | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + ### Flow Description - | User ID | string | True | The userPrincipalName or email address of the user - whose inbox rules are being queried. | + 1. Extract integration configuration parameters (Client ID, Secret ID, Tenant + ID, Certificate details). + 2. Extract the `User ID` parameter. - ### Additional Notes: + 3. Authenticate with Microsoft Graph using the provided credentials. - - This action does not modify any data in Microsoft Graph; it is strictly a read-only - operation. + 4. Query the Microsoft Graph API for the inbox message rules associated with the + specified `User ID`. - - The results are returned in the `JsonResult` field of the action output. + 5. Return the retrieved mail rules as the action result. capabilities: can_create_case_comments: false can_create_insight: false @@ -592,8 +611,16 @@ List Mail Rules: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Microsoft Graph API to retrieve mail + rules. It does not perform any POST/PUT/DELETE operations (no external mutation). + It does not update any internal SOAR data (entities, insights, comments). categories: - enrichment: true + enrichment: false + reasoning: >- + The action fetches data, but it does not operate on `target_entities` or update + internal SOAR data (entities, insights, comments). Therefore, it does not meet + the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -609,6 +636,9 @@ List Mail Rules: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code takes a `User ID` as a parameter but does not iterate over the `target_entities` + list provided by the SOAR platform. Therefore, it does not run on entities. List Messages: action_product_categories: add_alert_comment: false @@ -624,6 +654,10 @@ List Messages: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves a list of messages from a user's mailbox, which directly + matches the 'Search Email' category. It does not perform any other actions like + blocking, ticket creation, or alert modification. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -641,58 +675,43 @@ List Messages: ai_description: >- ### General Description - Lists email messages from a specific user's Microsoft 365 mailbox using the Microsoft - Graph API. This action allows analysts to retrieve a collection of messages based - on specific criteria, which is essential for investigating phishing attempts, - data exfiltration, or verifying user communications. It supports OData query parameters - for advanced filtering and field selection to optimize the data returned. + This action retrieves a list of messages from a specific user's mailbox using + the Microsoft Graph API. It allows for filtering and selecting specific fields + to refine the returned data, providing visibility into email communications for + investigation purposes. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | User ID | String | Yes | The email address or userPrincipalName of the target - user whose mailbox will be queried. | + | User ID | string | Yes | The email address (userPrincipalName) of the user whose + mailbox messages are to be listed. | - | Select Filter | String | No | A comma-separated list of specific fields to return - for each message (e.g., `sender,subject,receivedDateTime`). This helps reduce - the payload size. | - - | Query Parameters | String | No | Standard Microsoft Graph OData query parameters. - Should begin with '$'. For example: `$filter=subject eq 'test'` or `$top=10`. + | Select Filter | string | No | A CSV list of fields to return (e.g., 'sender,subject'). | + | Query Parameters | string | No | OData query parameters to filter or sort the + results (e.g., '$filter=subject eq \'test\''). Must begin with '$'. | + ### Flow Description - 1. **Initialization**: The action extracts the integration's connection details - (Client ID, Secret, Tenant ID) and the user-provided parameters (User ID, Select + 1. **Initialization**: The action extracts integration configuration (Client ID, + Secret ID, Tenant ID, Certificate details) and action parameters (User ID, Select Filter, Query Parameters). - 2. **Authentication**: It establishes a connection to Microsoft Graph using the - provided credentials (either client secret or certificate-based authentication). - - 3. **Request Construction**: The action constructs the API request URL targeting - the `/users/{user_id}/messages` endpoint, appending the `$select` and other OData - query parameters if provided. + 2. **Authentication**: Initializes the `MicrosoftGraphSecurityManager` to authenticate + with Microsoft Graph using the provided credentials. - 4. **Data Retrieval**: It executes a GET request to the Microsoft Graph API to - fetch the list of messages. + 3. **Execution**: Calls the `list_messages` method, which constructs the API request + to the Microsoft Graph endpoint (`/users/{user_email}/messages`) with the specified + filters and query parameters. - 5. **Result Processing**: The retrieved message data is returned as a JSON object - and the action execution state is set to completed. - - - ### Additional Notes - - - Ensure the Azure App Registration has the necessary permissions (e.g., `Mail.Read` - or `Mail.Read.All`) to access user mailboxes. - - - The `Query Parameters` must follow the Microsoft Graph OData syntax to avoid - API errors. + 4. **Output**: The retrieved message data is added to the action result as a JSON + object, and the action completes successfully. capabilities: can_create_case_comments: false can_create_insight: false @@ -703,8 +722,16 @@ List Messages: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Microsoft Graph API to retrieve email + messages. It does not modify any external systems, nor does it update internal + SOAR entities or case data. It is a read-only operation. categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches data (messages) from an external source (Microsoft Graph) + without modifying any external or internal state. This aligns with the definition + of an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -720,6 +747,10 @@ List Messages: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on SOAR entities. It takes a 'User ID' as a direct + input parameter to identify the mailbox to query, rather than iterating over + `target_entities`. Ping: action_product_categories: add_alert_comment: false @@ -735,6 +766,9 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test (Ping) and does not perform any of the defined + product category operations such as enrichment, containment, or ticket management. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -752,10 +786,10 @@ Ping: ai_description: >- ### General Description - Verifies the connectivity between Google SecOps and the Microsoft Graph Security - API. This action validates the integration's configuration by attempting to authenticate - and retrieve an OAuth2 access token using the provided credentials (Client ID, - Secret ID, or Certificate and Tenant ID). + This action performs a connectivity test (Ping) to the Microsoft Graph Security + API. It validates the provided credentials by attempting to generate an access + token, ensuring that the integration is correctly configured and able to communicate + with the Microsoft Graph Security service. ### Parameters Description @@ -764,33 +798,42 @@ Ping: | :--- | :--- | :--- | :--- | - | None | N/A | N/A | This action does not have any input parameters. It relies - solely on the integration's configuration settings. | + | Client ID | String | Yes | The Application ID for the Microsoft Graph Security + integration. | + | Secret ID | String | Yes | The application secret for the Microsoft Graph Security + integration. | - ### Flow Description + | Tenant ID | String | Yes | The domain name from the Azure portal. | - 1. **Configuration Extraction**: The action retrieves the integration's global - configuration parameters, including the Client ID, Secret ID, Tenant ID, and certificate - details. + | Certificate Path | String | No | Path to the certificate on the Siemplify server + if using certificate-based authentication. | + + | Certificate Password | String | No | Password for the certificate if it is password-protected. + | - 2. **Manager Initialization**: It instantiates the `MicrosoftGraphSecurityManager` - using the extracted configuration. - 3. **Authentication Check**: Upon initialization, the manager attempts to perform - an OAuth2 handshake with the Microsoft identity platform to acquire an access - token. + ### Additional Notes - 4. **Execution Outcome**: If the authentication is successful, the action returns - a success status and a 'Connection Established' message. If the authentication - fails or a network error occurs, the action catches the exception and returns - a failure status with the error details. + Either Client Secret or Certificate authentication must be configured for the + action to run. This action does not perform any data retrieval or modification + operations. - ### Additional Notes + ### Flow Description + + 1. The action extracts the required configuration parameters (Client ID, Secret + ID, Tenant ID, Certificate Path, and Certificate Password). + + 2. It initializes the `MicrosoftGraphSecurityManager` using the provided credentials. + + 3. The manager attempts to authenticate with the Microsoft Graph Security API. + + 4. If authentication is successful, the action returns a success message and a + result value of "true". - This is a standard diagnostic action used to ensure that the integration is correctly - configured and has the necessary permissions to communicate with Microsoft Graph. + 5. If an exception occurs during initialization or authentication, the action + returns a failure message and a result value of "false". capabilities: can_create_case_comments: false can_create_insight: false @@ -801,8 +844,16 @@ Ping: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity test (Ping) to the Microsoft Graph Security + API. It validates credentials by attempting to generate an access token. It + does not fetch contextual data, mutate external systems, or modify internal + SOAR data. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action, which is explicitly excluded from being an enrichment + action per the instructions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -818,3 +869,6 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities; it only performs a connectivity + check using configuration parameters. diff --git a/content/response_integrations/third_party/community/microsoft_graph_security_tools/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/microsoft_graph_security_tools/resources/ai/connectors_ai_description.yaml index ecd104a03..e34a4f037 100644 --- a/content/response_integrations/third_party/community/microsoft_graph_security_tools/resources/ai/connectors_ai_description.yaml +++ b/content/response_integrations/third_party/community/microsoft_graph_security_tools/resources/ai/connectors_ai_description.yaml @@ -2,11 +2,11 @@ MS SecureScore Alert: ai_description: >- ### General Description - The **MS SecureScore Alert** connector monitors the Microsoft Secure Score for - a given tenant using the Microsoft Graph API. It is designed to proactively alert - security teams when the organization's security posture, as measured by the Secure - Score, falls below a predefined threshold. This allows for rapid response to changes - in security configurations or compliance across Microsoft 365 environments. + This connector monitors the Microsoft 365 Secure Score via the Microsoft Graph + Security API. It allows security teams to define a threshold; if the organization's + Secure Score falls below this value, the connector automatically generates an + alert within Google SecOps, enabling proactive remediation of security posture + degradation. ### Parameters Description @@ -15,94 +15,110 @@ MS SecureScore Alert: | :--- | :--- | :--- | :--- | - | Client ID | String | Yes | The Application (client) ID from the Azure App Registration. - | + | Threshold | Integer | No | The Secure Score threshold. An alert is raised if + the score drops below this value. | - | Secret ID | Password | Yes | The Client Secret from the Azure App Registration - (required if not using certificates). | + | Tenant ID | String | Yes | The Azure Tenant ID. | - | Tenant ID | String | Yes | The Directory (tenant) ID from Azure. | + | Secret ID | Password | Yes | The Azure Secret ID. | - | Threshold | Integer | No | The numerical value representing the minimum acceptable - Secure Score. An alert is raised if the score drops below this. | + | Client ID | String | Yes | The Azure Client ID. | - | Default Priority | Integer | Yes | The priority assigned to the created alert - (-1: Informative, 40: Low, 60: Medium, 80: High, 100: Critical). | + | Certificate Path | String | No | Path to the certificate file on the Siemplify + server (if using certificate-based authentication). | - | Certificate Path | String | No | Local path to a certificate file on the server - if using certificate-based authentication. | + | Certificate Password | Password | No | Password for the certificate file. | - | Certificate Password | Password | No | The password for the certificate file, - if applicable. | + | PythonProcessTimeout | String | Yes | Timeout limit (in seconds) for the Python + process. | | EventClassId | String | Yes | The field name used to determine the event name - (default: SecureScore). | + (sub-type). | | DeviceProductField | String | Yes | The field name used to determine the device - product (default: Microsoft 365). | + product. | - | PythonProcessTimeout | String | Yes | The timeout limit in seconds for the script - execution. | + | Default Priority | Integer | Yes | The default priority for the alert (-1 to + 100). | ### Flow Description - 1. **Authentication**: The connector authenticates with the Microsoft Graph API - using either the Client Secret or a provided Certificate. + 1. Authenticates with the Microsoft Graph Security API using the provided Client + ID and Secret (or Certificate). - 2. **Data Retrieval**: It queries the Microsoft Graph Beta endpoint (`/security/secureScores`) - to retrieve the most recent Secure Score data. + 2. Retrieves the current Secure Score from the Microsoft 365 environment. - 3. **Threshold Comparison**: The script extracts the `currentScore` from the API - response and compares it against the user-configured `Threshold` parameter. + 3. Compares the current score against the user-defined Threshold. - 4. **Alert Generation**: If the current score is strictly less than the threshold, - the connector initiates the alert creation process. + 4. If the score is below the threshold, it constructs an alert containing relevant + metrics, including active user counts, enabled services, and comparative industry/tenant + averages. - 5. **Event Mapping**: The connector creates a detailed event containing the current - score, active user counts, and comparative averages (Industry, Total Seats, and - Tenant averages). - - 6. **Ingestion**: The alert and its associated event data are packaged and ingested - into Google SecOps for analyst review. + 5. Ingests the generated alert into the Google SecOps platform for further investigation. MS365 MFA Alert: - ai_description: "### General Description\nThe **MS365 MFA Alert** connector integrates\ - \ with the Microsoft Graph API to monitor and alert on the Multi-Factor Authentication\ - \ (MFA) registration status of users within a Microsoft 365 tenant. Its primary\ - \ purpose is to identify security gaps, such as users who have not registered\ - \ for MFA or users who have self-service password reset capabilities enabled,\ - \ which could pose a risk if not properly managed. By ingesting these status changes\ - \ as alerts, security teams can proactively enforce MFA policies and secure user\ - \ accounts.\n\n### Parameters Description\n| Parameter | Type | Mandatory | Description\ - \ |\n| :--- | :--- | :--- | :--- |\n| Tenant ID | String | Yes | The Azure Active\ - \ Directory Tenant ID. |\n| Client ID | String | Yes | The Application (client)\ - \ ID of the Azure App Registration. |\n| Secret ID | Password | Yes | The Client\ - \ Secret for the Azure App Registration. Required if not using certificate-based\ - \ authentication. |\n| Certificate Path | String | No | The local file path to\ - \ a certificate on the server if using certificate-based authentication instead\ - \ of a secret. |\n| Certificate Password | Password | No | The password for the\ - \ certificate file, if applicable. |\n| MFA Registration Alert | Boolean | No\ - \ | If enabled (true), the connector creates alerts for users who are not registered\ - \ for MFA. |\n| Self Service Reset Alert | Boolean | No | If enabled (true), the\ - \ connector creates alerts for users who have the ability to perform a self-service\ - \ password reset. |\n| Exclude Guests | Boolean | No | If enabled (true), the\ - \ connector will ignore guest/external users (identified by '#EXT#' in their UPN).\ - \ |\n| EventClassId | String | Yes | The value used to populate the event name/sub-type\ - \ (default: 'MFA Alert'). |\n| DeviceProductField | String | Yes | The value used\ - \ to identify the device product in the SOAR (default: 'Microsoft 365'). |\n|\ - \ PythonProcessTimeout | String | Yes | The maximum time in seconds allowed for\ - \ the connector execution. |\n\n### Flow Description\n1. **Authentication**: The\ - \ connector authenticates to the Microsoft Graph API using the provided Tenant\ - \ ID, Client ID, and either a Client Secret or a Certificate.\n2. **Data Retrieval**:\ - \ It queries the Microsoft Graph `credentialUserRegistrationDetails` report endpoint\ - \ to fetch MFA registration and capability statistics for all users in the tenant.\n\ - 3. **Filtering**: \n * It checks the global allowlist (whitelist) to exclude\ - \ specific service accounts or legacy users.\n * If 'Exclude Guests' is active,\ - \ it filters out any user principal names containing '#EXT#'.\n4. **Alert Evaluation**:\ - \ For each remaining user, the connector checks:\n * If the user is not MFA-registered\ - \ and 'MFA Registration Alert' is enabled.\n * If the user is capable of self-service\ - \ reset and 'Self Service Reset Alert' is enabled.\n5. **Case Creation**: For\ - \ every user meeting the alert criteria, the connector generates a SOAR Alert\ - \ containing user identity details (UPN, Display Name) and their specific MFA\ - \ registration status.\n6. **Ingestion**: The generated alerts and associated\ - \ events are packaged and sent to Google SecOps for case management and investigation." + ai_description: >- + ### General Description + + The MS365 MFA Alert connector monitors Microsoft 365 user MFA registration status. + It retrieves credential registration details from the Microsoft Graph API and + generates alerts in Google SecOps for users who are not registered for MFA or + have self-service password reset capabilities enabled, helping security teams + identify potential account vulnerabilities. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Tenant ID | String | Yes | Tenant ID from Azure. | + + | Secret ID | Password | Yes | Secret ID from Azure. | + + | Client ID | String | Yes | Client ID from Azure. | + + | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the + python process. | + + | EventClassId | String | Yes | The field name used to determine the event name + (sub-type). | + + | DeviceProductField | String | Yes | The field name used to determine the device + product. | + + | Self Service Reset Alert | Boolean | No | Create alert when a user has the ability + to self-service reset their password/MFA. | + + | MFA Registration Alert | Boolean | No | Create alert when a user is not registered + for MFA. | + + | Exclude Guests | Boolean | No | Exclude guests/external users from alerts (emails + containing #EXT#). | + + | Certificate Path | String | No | Path to the certificate on the Siemplify server + for certificate-based authentication. | + + | Certificate Password | Password | No | Password for the certificate file, if + applicable. | + + + ### Flow Description + + 1. Authenticates with the Microsoft Graph API using the provided Client ID/Secret + or Certificate credentials. + + 2. Retrieves user MFA registration statistics from the `credentialUserRegistrationDetails` + endpoint. + + 3. Iterates through the retrieved user data, applying filters to exclude guests + if configured. + + 4. Checks each user against the system allowlist. + + 5. Evaluates if the user meets the criteria for an alert (e.g., not registered + for MFA or has self-service reset enabled). + + 6. Creates and ingests an alert into Google SecOps for each user matching the + criteria. diff --git a/content/response_integrations/third_party/community/microsoft_graph_security_tools/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/microsoft_graph_security_tools/resources/ai/integration_ai_description.yaml index b070990d3..a341e5175 100644 --- a/content/response_integrations/third_party/community/microsoft_graph_security_tools/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/community/microsoft_graph_security_tools/resources/ai/integration_ai_description.yaml @@ -7,6 +7,17 @@ product_categories: iam_and_identity_management: true itsm: false network_security: false - siem: false + reasoning: >- + The integration provides capabilities across Email Security, IAM & Identity Management, + Cloud Security, and SIEM. It includes multiple actions for managing email messages + and attachments (e.g., Delete Message, Get Message, List Messages), which directly + supports Email Security investigations and remediation. The integration monitors + identity-related security posture, such as MFA registration and self-service password + reset capabilities, aligning with IAM & Identity Management. It interacts with + Microsoft 365/Azure via the Microsoft Graph API to monitor cloud-native security + configurations like Secure Score, fitting the Cloud Security category. Finally, + the connectors ingest security alerts into the platform based on these findings, + which fulfills the SIEM category for monitoring and alerting. + siem: true threat_intelligence: false vulnerability_management: false diff --git a/content/response_integrations/third_party/community/nucleon_cyber/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/nucleon_cyber/resources/ai/actions_ai_description.yaml index 987b29b1c..e03246a82 100644 --- a/content/response_integrations/third_party/community/nucleon_cyber/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/nucleon_cyber/resources/ai/actions_ai_description.yaml @@ -13,12 +13,17 @@ GetIPs: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves a feed of active threat intelligence data from an external + API. It does not match any of the specific categories like 'Enrich IOC', 'Enrich + Asset', 'Search Events', or 'Get Alert Information' as it is a general-purpose + data retrieval action for a threat feed. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false search_asset: false search_email: false - search_events: true + search_events: false send_email: false send_message: false submit_file: false @@ -28,43 +33,21 @@ GetIPs: update_identity: false update_ticket: false ai_description: >- - ### General Description - - Retrieves a list of active cyber threats from the Nucleon Cyber Active Threats - API. This action provides a JSON object containing intelligence data which can - be used for further analysis or correlation within a playbook. - - - ### Parameters Description - - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | limit | string | Yes | The maximum number of threat records to retrieve from - the API. Default is 10. | - - - ### Flow Description - - 1. **Configuration Extraction**: The action retrieves the necessary credentials - (Username, Password) and client identifiers (Client Name, Client ID) from the - integration configuration. - - 2. **Parameter Retrieval**: It fetches the `limit` parameter to determine how - many threat records to request. - - 3. **API Interaction**: A POST request is sent to the Nucleon Cyber `activethreats` - endpoint with the provided credentials and parameters. - - 4. **Error Handling**: The action checks for a successful HTTP 200 response and - validates that the API key/credentials are correct. - - 5. **Data Processing**: It extracts the threat data from the response JSON. - - 6. **Output Generation**: The retrieved data is added to the action's JSON results, - making it available for subsequent steps in the SOAR workflow. + ### General Description\nThis action retrieves active threat intelligence data + from the Nucleon Cyber API. It is designed to fetch a feed of cyber intelligence, + which can then be used in subsequent playbook steps for analysis or automated + response.\n\n### Parameters Description\n* **limit** (string, mandatory): Specifies + the maximum number of threat intelligence records to retrieve from the API. The + default value is '10'.\n\n### Flow Description\n1. The action extracts the necessary + integration configuration parameters, including 'Username', 'Password', 'client + name', and 'client id', as well as the 'limit' parameter.\n2. It initiates a POST + request to the Nucleon Cyber Active Threats API endpoint ('https://api.nucleoncyber.com/feed/activethreats') + using the provided credentials and parameters.\n3. The action validates the API + response status. If the status is not 200, it raises an authentication error.\n4. + It parses the JSON response to extract the 'data' section.\n5. The retrieved threat + intelligence data is added to the action results using 'siemplify.result.add_result_json' + and 'siemplify.result.add_json' for use in the playbook.\n6. The action concludes + with a success message. capabilities: can_create_case_comments: false can_create_insight: false @@ -75,8 +58,16 @@ GetIPs: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to an external API to fetch threat intelligence + data. It does not mutate external systems, nor does it modify internal SOAR + data (entities, insights, or case comments). It is a data retrieval action. categories: enrichment: false + reasoning: >- + The action fetches data from an external source (Nucleon Cyber API) but does + not perform enrichment on specific entities or alerts. It is a global data retrieval + action, not an enrichment action as defined by the SOAR SDK guidelines. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -92,6 +83,9 @@ GetIPs: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with 'siemplify.target_entities'. It operates globally + to fetch a threat intelligence feed. Ping: action_product_categories: add_alert_comment: false @@ -107,6 +101,9 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test ('Ping') and does not perform any of the defined + functional outcomes (e.g., enrichment, containment, ticketing). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -122,46 +119,34 @@ Ping: update_identity: false update_ticket: false ai_description: >- - ### General Description - - Verifies connectivity to the NucleonCyber API. This action performs a test request - to the active threats endpoint to ensure that the provided credentials (Username, - Password) and client identifiers (Client Name, Client ID) are valid and that the - service is reachable. + General Description: This action verifies connectivity to the NucleonCyber API + by sending a POST request to the `activethreats` endpoint. It validates the provided + credentials and configuration parameters. - ### Parameters Description + Parameters description: | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | - - | limit | string | Yes | Specifies the number of API results to request during - the connectivity test to verify data retrieval capabilities. | + | --- | --- | --- | --- | + | limit | string | Yes | Specifies the limit for API results. | - ### Additional Notes - This is a standard connectivity test (Ping) action and does not process or enrich - specific entities within a case. + Additional notes: None. - ### Flow Description + Flow description: - 1. **Configuration Extraction**: Retrieves the integration's global configuration - parameters, including Username, Password, Client Name, and Client ID. + 1. Extracts configuration parameters (Username, Password, client name, client + id) and the action parameter `limit`. - 2. **Parameter Extraction**: Retrieves the `limit` action parameter. + 2. Sends a POST request to the NucleonCyber API endpoint (`https://api.nucleoncyber.com/feed/activethreats`) + using the provided credentials and parameters. - 3. **API Request**: Executes a POST request to the NucleonCyber `activethreats` - endpoint using basic authentication and the client identifiers in the request - body. + 3. Validates the response status code to ensure the connection is successful. - 4. **Validation**: Checks the HTTP response status. If the status code is not - 200, it raises an exception indicating bad credentials or a connection error. - - 5. **Completion**: Ends the action with a success message if the connection is - established. + 4. Terminates the action with a success message if the connection is established. capabilities: can_create_case_comments: false can_create_insight: false @@ -170,10 +155,17 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity check (Ping) to the NucleonCyber API. It + does not fetch contextual data for entities, nor does it mutate external or + internal systems. It simply validates credentials and connectivity. categories: enrichment: false + reasoning: >- + The action is a 'Ping' (connectivity test). Per the instructions, Ping actions + are not categorized as enrichment actions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -189,3 +181,5 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. diff --git a/content/response_integrations/third_party/community/nucleon_cyber/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/nucleon_cyber/resources/ai/integration_ai_description.yaml index 2e831240c..1ee00d679 100644 --- a/content/response_integrations/third_party/community/nucleon_cyber/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/community/nucleon_cyber/resources/ai/integration_ai_description.yaml @@ -7,6 +7,17 @@ product_categories: iam_and_identity_management: false itsm: false network_security: false + reasoning: >- + The Nucleon Cyber integration is primarily designed to provide high-quality threat + intelligence feeds to secure environments against APTs and professional hacking + groups. The 'GetIPs' action retrieves active threat intelligence data from the + Nucleon Cyber API, which directly aligns with the Threat Intelligence category's + purpose of providing enrichment data (such as risk scores or threat indicators) + to confirm if an alert is a True Positive. The integration does not perform actions + related to SIEM log searching, EDR host management, network security blocking, + email management, identity management, cloud resource configuration, ITSM ticketing, + vulnerability scanning, asset inventory management, or collaboration/notification + workflows. siem: false threat_intelligence: true vulnerability_management: false diff --git a/content/response_integrations/third_party/community/pager_duty/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/pager_duty/resources/ai/actions_ai_description.yaml index 4a5c0f363..af2dbd3b7 100644 --- a/content/response_integrations/third_party/community/pager_duty/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/pager_duty/resources/ai/actions_ai_description.yaml @@ -13,6 +13,10 @@ Create Incident: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action performs a POST request to the PagerDuty API to create a new incident. + This aligns with the 'Create Ticket' category, as it generates a new record + in an external system. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -30,9 +34,9 @@ Create Incident: ai_description: >- ### General Description - Creates a new incident in PagerDuty using specified parameters. This action allows - analysts to programmatically trigger PagerDuty incidents directly from Google - SecOps, ensuring that the right teams are notified with the necessary context. + This action creates a new incident in PagerDuty using the provided details, title, + email, and urgency level. It interacts with the PagerDuty API to generate a new + incident record based on the parameters supplied by the user. ### Parameters Description @@ -41,42 +45,36 @@ Create Incident: | :--- | :--- | :--- | :--- | - | Details | string | Yes | A detailed description of the incident, providing context - for the responder (e.g., 'A disk is getting full on this machine'). | + | Details | string | Yes | The description or body of the incident. | - | Title | string | Yes | A short, descriptive title for the incident (e.g., 'The - server is on fire'). | + | Title | string | Yes | The title of the incident. | - | Email | string | Yes | The email address of the PagerDuty user creating the - incident. This is used for the 'From' header in the API request. | + | Email | string | Yes | The email address of the user creating the incident (used + for the 'From' header). | - | Urgency | string | Yes | The urgency level of the incident. Common values include - 'high' or 'low'. | + | Urgency | string | Yes | The urgency level of the incident. | ### Additional Notes - * This action requires a 'Services' ID to be configured in the integration settings, - as PagerDuty incidents must be associated with a specific service. - - * The action does not process entities; it creates a global incident based on - the provided parameters. + This action requires a valid PagerDuty API token and a configured Service ID in + the integration settings to function correctly. ### Flow Description - 1. **Initialization**: The action initializes the PagerDuty manager using the - API token and retrieves the 'Services' ID from the integration configuration. + 1. Initialize the `PagerDutyManager` with the API token retrieved from the integration + configuration. + + 2. Extract the required parameters (Title, Email, Urgency, Details) and the Service + ID from the configuration. - 2. **Parameter Extraction**: It extracts the Title, Email, Urgency, and Details - from the action parameters. + 3. Execute the `create_incident` method, which sends a POST request to the PagerDuty + `/incidents` endpoint. - 3. **API Request**: It sends a POST request to the PagerDuty `/incidents` endpoint - with the incident payload, including the 'From' header required by PagerDuty for - user attribution. + 4. Add the resulting incident data to the action result. - 4. **Result Handling**: If successful, the action returns the full JSON response - of the created incident and sets the execution state to completed. + 5. Terminate the action with a success or failure status based on the API response. capabilities: can_create_case_comments: false can_create_insight: false @@ -85,11 +83,19 @@ Create Incident: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new incident record in the PagerDuty platform. - fetches_data: true + Creates a new incident in the PagerDuty platform. + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to create an incident in PagerDuty, which + is an external mutation. It does not fetch data, update entities, or modify + internal SOAR data. categories: enrichment: false + reasoning: >- + The action creates a new incident in an external system (PagerDuty) and does + not retrieve contextual data for enrichment, therefore it is not an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -105,6 +111,10 @@ Create Incident: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities` or use any entity-specific + identifiers. It relies entirely on user-provided parameters to create an incident + in PagerDuty. Filtered Incident List: action_product_categories: add_alert_comment: false @@ -120,12 +130,17 @@ Filtered Incident List: enrich_ioc: false execute_command_on_the_host: false get_alert_information: true + reasoning: >- + The action retrieves a list of incidents from PagerDuty based on search criteria. + This matches 'Search Events' (as it returns a collection of historical logs/telemetry/incidents) + and 'Get Alert Information' (as it fetches information about incidents/alerts + from the 3rd party product). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false search_asset: false search_email: false - search_events: false + search_events: true send_email: false send_message: false submit_file: false @@ -135,79 +150,65 @@ Filtered Incident List: update_identity: false update_ticket: false ai_description: >- - Retrieves a filtered list of incidents from PagerDuty based on specified criteria. - This action allows analysts to search for incidents using parameters such as status, - urgency, assigned users, teams, and specific time ranges. It is primarily used - to gather context about existing PagerDuty incidents or to find specific alerts - for further investigation. - + ### General Description - ### Flow Description: + Retrieves a filtered list of incidents from PagerDuty based on user-defined criteria + such as status, urgency, and time range. This action queries the PagerDuty API + and returns the matching incident records for further analysis. - 1. **Parameter Extraction:** The action retrieves configuration details (API Key) - and user-provided filter parameters from the environment. - 2. **Parameter Parsing:** It processes multi-choice parameters (like Urgencies, - Statuses, and IDs), handling them as lists or JSON-formatted strings to ensure - compatibility with the API request. + ### Parameters Description - 3. **Filter Construction:** A query dictionary is built, mapping the provided - filters to the expected PagerDuty API query parameters (e.g., `statuses[]`, `urgencies[]`, - `since`, `until`). + | Parameter | Type | Mandatory | Description | - 4. **API Interaction:** The action calls the PagerDuty API's `/incidents` endpoint - using a GET request with the constructed query string. + | :--- | :--- | :--- | :--- | - 5. **Result Processing:** The retrieved list of incidents is returned as a JSON - object, and the action completes with a success message if incidents are found. + | Email | String | Yes | The email address associated with the PagerDuty account. + | + | Urgencies | Multi-choice | No | Filter incidents by urgency (e.g., low, high). + | - ### Parameters Description: + | Incidents_Statuses | Multi-choice | No | Filter incidents by status (e.g., triggered, + acknowledged, resolved). | - | Parameter | Type | Mandatory | Description | + | Since | String | No | Start date for the filter (YYYY-MM-DD). | - | :--- | :--- | :--- | :--- | + | Until | String | No | End date for the filter (YYYY-MM-DD). | - | **Email** | String | Yes | The email address of the user making the request. - Required for PagerDuty API headers. | + | Service_IDS | String | No | Filter by specific service IDs. | - | **Urgencies** | Multi-choice | No | Filter incidents by urgency level (e.g., - 'low', 'high'). | + | Team_IDS | String | No | Filter by specific team IDs. | - | **Incidents_Statuses** | Multi-choice | No | Filter incidents by their current - state (e.g., 'triggered', 'acknowledged', 'resolved'). | + | User_IDS | String | No | Filter by specific user IDs. | - | **User_IDS** | String | No | Filter incidents assigned to specific user IDs - (can be a comma-separated list or JSON array). | + | Incident_Key | String | No | Filter by a specific incident key. | - | **Team_IDS** | String | No | Filter incidents associated with specific team - IDs. | + | Data_Range | String | No | Filter by a specific data range. | - | **Service_IDS** | String | No | Filter incidents associated with specific service - IDs. | + | sort_by | Multi-choice | No | Sort the results by field (e.g., incident_number, + created_at) and order (asc, desc). | - | **Incident_Key** | String | No | Filter by the unique incident key. | + | Additional_Data | Multi-choice | No | Additional details to include in the response. + | - | **Since** | String | No | Start date for the search (format: YYYY-MM-DD). | - | **Until** | String | No | End date for the search (format: YYYY-MM-DD). | + ### Additional Notes - | **Data_Range** | String | No | A predefined date range for the search. | + This action performs a GET request to the PagerDuty API. Ensure the API key is + correctly configured in the integration settings. - | **sort_by** | Multi-choice | No | Determines the field to sort by and the order - (asc/desc). | - | **Additional_Data** | Multi-choice | No | Specifies additional incident details - to include in the response (e.g., 'users', 'services'). | + ### Flow Description + 1. Extracts filter parameters (e.g., `Urgencies`, `Incidents_Statuses`, `Since`, + `Until`) from the action configuration. - ### Additional Notes: + 2. Constructs a query dictionary based on the provided filters. - - The `Since` and `Until` parameters should follow the `YYYY-MM-DD` format. The - maximum range for the search is typically 6 months. + 3. Sends a GET request to the PagerDuty API to fetch the filtered list of incidents. - - This action does not require any entities to be present in the SecOps case to - run. + 4. Adds the retrieved incident data to the action result for the user. capabilities: can_create_case_comments: false can_create_insight: false @@ -218,8 +219,18 @@ Filtered Incident List: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the PagerDuty API to retrieve a list of + incidents based on provided filters. It does not modify any external data, nor + does it update any internal SOAR entities or insights. It simply fetches and + returns data. categories: - enrichment: true + enrichment: false + reasoning: >- + The action is a search/list operation. It does not perform enrichment on specific + entities (it does not iterate over `target_entities`), nor does it meet the + criteria for an enrichment action as defined (it doesn't update entities or + create insights). Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -235,6 +246,9 @@ Filtered Incident List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `target_entities`. It operates independently + of any specific entity context. Get Incident By ID: action_product_categories: add_alert_comment: false @@ -250,6 +264,10 @@ Get Incident By ID: enrich_ioc: false execute_command_on_the_host: false get_alert_information: true + reasoning: >- + The action fetches incident details from PagerDuty. This directly aligns with + the 'Get Alert Information' category, which is defined as fetching information + about an alert or incident from a 3rd party product. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -267,52 +285,41 @@ Get Incident By ID: ai_description: >- ### General Description - The **Get Incident By ID** action retrieves detailed information about a specific - incident from PagerDuty using its unique incident key. This action is primarily - used to fetch external context regarding a PagerDuty incident and bring it into - the Google SecOps environment for further analysis or automated decision-making - within a playbook. - + This action retrieves detailed information about a specific incident from PagerDuty. + It allows analysts to fetch the full incident payload, including status, urgency, + and body details, by providing the unique incident key. - ### Parameters Description - | Parameter | Type | Mandatory | Description | + ### Flow Description - | :--- | :--- | :--- | :--- | + 1. The action extracts the `Incident Key` and `Email` parameters provided by the + user. - | Incident Key | string | Yes | The unique identifier (key) of the PagerDuty incident - to be retrieved. | + 2. It initializes the PagerDuty manager using the configured API token. - | Email | string | Yes | The email address of the PagerDuty user making the request. - This is required for the 'From' header in the PagerDuty API request. | + 3. It queries the PagerDuty API to retrieve the incident details associated with + the provided key. + 4. The retrieved incident data is returned as a JSON result in the action output. - ### Flow Description - 1. **Parameter Extraction**: The action extracts the `Incident Key` and `Email` - from the input parameters and retrieves the API token from the integration configuration. + ### Parameters Description - 2. **Manager Initialization**: It initializes the PagerDuty manager with the provided - API token. + | Parameter | Type | Mandatory | Description | - 3. **Data Retrieval**: The action sends a GET request to the PagerDuty incidents - endpoint to fetch incident data. + | :--- | :--- | :--- | :--- | - 4. **Filtering**: It iterates through the retrieved incidents to find the specific - record where the `incident_key` matches the provided input. + | Incident Key | string | Yes | The unique identifier of the incident to retrieve. + | - 5. **Result Output**: If a match is found, the incident details are added to the - action's JSON results. The action then concludes with a success message and a - boolean result indicating whether the incident was found. + | Email | string | Yes | The email address used for authentication or identification + in the PagerDuty request. | ### Additional Notes - - This action does not operate on SecOps entities (like IPs or Hostnames); it - relies entirely on the provided `Incident Key` parameter. - - - The `Email` parameter is mandatory because PagerDuty's API requires the 'From' - header to identify the user performing the action. + This action performs a read-only operation and does not modify any data within + Google SecOps or PagerDuty. capabilities: can_create_case_comments: false can_create_insight: false @@ -323,8 +330,17 @@ Get Incident By ID: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the PagerDuty API to retrieve incident + details. It does not modify any external systems (no POST/PUT/DELETE) and does + not modify any internal Google SecOps data (no entity updates, insights, or + case comments). categories: enrichment: false + reasoning: >- + While the action fetches data, it does not operate on SOAR entities or alerts + to provide enrichment context. It is a standalone utility action for retrieving + incident information, thus it does not meet the criteria for an Enrichment Action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -340,6 +356,9 @@ Get Incident By ID: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with the `target_entities` list or any specific + entity objects. It operates independently of the entity model. Get User By Email: action_product_categories: add_alert_comment: false @@ -351,14 +370,17 @@ Get User By Email: disable_identity: false download_file: false enable_identity: false - enrich_asset: false + enrich_asset: true enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves user information from PagerDuty. This matches the 'Enrich + Asset' category (returning contextual metadata for a user). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false - search_asset: true + search_asset: false search_email: false search_events: false send_email: false @@ -372,10 +394,9 @@ Get User By Email: ai_description: >- ### General Description - Retrieves detailed information for a specific PagerDuty user by providing their - email address. This action is primarily used to fetch user metadata such as names, - IDs, roles, and contact information from PagerDuty to assist in incident response - and user identification. + This action retrieves user details from PagerDuty by providing a specific user + email address. It queries the PagerDuty API to find a matching user and returns + the user's information as a JSON result. ### Parameters Description @@ -384,33 +405,28 @@ Get User By Email: | :--- | :--- | :--- | :--- | - | Email | string | Yes | The email address of the PagerDuty user to retrieve information - for. Defaults to 'test@example.com' in configuration. | + | Email | string | Yes | The email address of the user to retrieve from PagerDuty. + | - ### Flow Description + ### Additional Notes - 1. **Initialization**: The action initializes the PagerDuty manager using the - API token provided in the integration configuration. + - This action does not modify any data in PagerDuty or the SOAR platform. - 2. **Parameter Retrieval**: It extracts the target email address from the action - parameters. + - If no user is found with the provided email, the action will fail. - 3. **API Request**: The action calls the PagerDuty `/users` endpoint with a query - parameter matching the provided email. - 4. **Data Processing**: It iterates through the results returned by the API to - find an exact match for the email address. + ### Flow Description - 5. **Result Handling**: If a match is found, the user's details are added to the - action's JSON results, and a success message is generated. If no user is found - or an error occurs, the action fails with an appropriate error message. + 1. Initialize the PagerDuty manager with the API key retrieved from the configuration. + 2. Retrieve the user email from the action parameters. - ### Additional Notes + 3. Query the PagerDuty API for users matching the provided email. - This action does not operate on SecOps entities; it relies entirely on the 'Email' - string parameter provided by the user or playbook. + 4. If a match is found, return the user details as a JSON result. + + 5. If no user is found, return a failure status. capabilities: can_create_case_comments: false can_create_insight: false @@ -421,8 +437,17 @@ Get User By Email: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the PagerDuty API to retrieve user information. + It does not modify any external systems or internal SOAR data (entities, insights, + comments). categories: enrichment: false + reasoning: >- + The action fetches data (user details) from an external system (PagerDuty) without + modifying any external or internal state. It does not meet the criteria for + 'Enrichment' because it does not update entities, create insights, or add comments. + It is a data retrieval action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -438,6 +463,9 @@ Get User By Email: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not iterate over `siemplify.target_entities` or use any entity + objects. It takes a raw string parameter `Email`. Get User By ID: action_product_categories: add_alert_comment: false @@ -453,6 +481,10 @@ Get User By ID: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves user details from PagerDuty, which provides contextual + metadata about a user. This aligns with the 'Enrich Asset' category. It does + not perform any other actions like updating alerts, tickets, or blocking IOCs. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -467,24 +499,37 @@ Get User By ID: update_email: false update_identity: false update_ticket: false - ai_description: "### General Description\nThe **Get User By ID** action retrieves\ - \ detailed information for a specific PagerDuty user using their unique User ID.\ - \ This action is primarily used to gather metadata about a user, such as their\ - \ name, email, role, time zone, and contact methods, which can be essential for\ - \ incident response and escalation workflows.\n\n### Parameters Description\n\ - | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ - | **UserID** | String | Yes | The unique identifier of the user in PagerDuty (e.g.,\ - \ 'PXP9SRE'). |\n\n### Flow Description\n1. **Input Retrieval**: The action extracts\ - \ the `UserID` from the action parameters.\n2. **API Connection**: It initializes\ - \ the PagerDuty manager using the integration's API key.\n3. **Data Fetching**:\ - \ The action performs a GET request to the PagerDuty `/users/{id}` endpoint.\n\ - 4. **Result Handling**: \n * If the user is found, the action returns the user's\ - \ profile data as a JSON object and completes successfully.\n * If the user\ - \ is not found or the API call fails, the action returns an error message and\ - \ marks the execution as failed.\n\n### Additional Notes\n- This action does not\ - \ automatically process entities from the SecOps case; it requires the specific\ - \ User ID to be provided as a parameter.\n- The retrieved data is stored in the\ - \ `JsonResult` output." + ai_description: >- + ### General Description + + Retrieves user details from PagerDuty by providing a specific User ID. This action + fetches comprehensive user information from the PagerDuty platform and returns + it as a JSON result for further analysis or display within the SOAR platform. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | UserID | string | Yes | The unique identifier of the user in PagerDuty. | + + + ### Flow Description + + 1. Initialize the PagerDuty manager using the API key retrieved from the integration + configuration. + + 2. Retrieve the `UserID` parameter provided by the user. + + 3. Call the PagerDuty API to fetch the user's details using the provided `UserID`. + + 4. If the user is found, return the user information as a JSON result and mark + the action as completed. + + 5. If the user is not found or an error occurs, return an error message and mark + the action as failed. capabilities: can_create_case_comments: false can_create_insight: false @@ -495,8 +540,16 @@ Get User By ID: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the PagerDuty API to retrieve user information + based on a provided ID. It does not modify any external systems or internal + SOAR data. categories: enrichment: false + reasoning: >- + The action fetches data from an external system (PagerDuty) but does not operate + on SOAR entities (it uses a raw parameter). Therefore, it does not meet the + criteria for an Enrichment Action as defined for SOAR entities. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -512,6 +565,9 @@ Get User By ID: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities`. It uses a direct + input parameter `UserID` to fetch data. List All OnCall: action_product_categories: add_alert_comment: false @@ -527,6 +583,11 @@ List All OnCall: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves a list of on-call users from PagerDuty. It does not match + any of the defined categories (e.g., Enrich IOC, Enrich Asset, Update Alert, + etc.) as it is a general information retrieval task that does not operate on + specific entities or alerts. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -544,37 +605,35 @@ List All OnCall: ai_description: >- ### General Description - The **List All OnCall** action retrieves a comprehensive list of all current on-call - shifts and assignments from PagerDuty. This utility action provides visibility - into which users are currently responsible for incident response across all configured - services and schedules within the PagerDuty environment. + This action retrieves the list of all on-call users and schedules from the PagerDuty + platform. It provides visibility into who is currently on-call, which can be useful + for incident response and escalation management. - ### Parameters Description + ### Parameters - There are no parameters for this action. + There are no parameters required for this action. ### Additional Notes - This action does not operate on specific entities (such as Hostnames or IP Addresses) - and does not require any input parameters. It performs a global retrieval of on-call - data from the PagerDuty API. + This action does not require any input entities and operates globally to fetch + on-call information from PagerDuty. ### Flow Description - 1. **Authentication**: The action initializes the PagerDuty manager using the - API key provided in the integration configuration. + 1. Initialize the `SiemplifyAction` and retrieve the PagerDuty API configuration. + + 2. Initialize the `PagerDutyManager` with the provided API token. - 2. **Data Retrieval**: It executes a GET request to the PagerDuty `/oncalls` endpoint - to fetch the current on-call list. + 3. Execute the `list_oncalls` method to fetch the current on-call data from the + PagerDuty API. - 3. **Result Handling**: The action extracts the list of on-call objects from the - response and attaches them to the action's JSON results. + 4. Add the retrieved on-call information to the action results using `add_result_json`. - 4. **Completion**: The action concludes with a success message indicating that - the users were successfully retrieved. + 5. Terminate the action with a success status if the data is retrieved, or a failure + status if an error occurs. capabilities: can_create_case_comments: false can_create_insight: false @@ -585,8 +644,15 @@ List All OnCall: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the PagerDuty API to retrieve on-call information. + It does not modify any external systems, nor does it update any internal SOAR + entities or cases. categories: enrichment: false + reasoning: >- + The action retrieves data from an external source but does not perform enrichment + on specific entities or alerts. It is a general information retrieval action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -602,6 +668,9 @@ List All OnCall: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities; it fetches a global list of + on-call users from PagerDuty. List Incidents: action_product_categories: add_alert_comment: false @@ -617,6 +686,10 @@ List Incidents: enrich_ioc: false execute_command_on_the_host: false get_alert_information: true + reasoning: >- + The action retrieves a list of incidents from PagerDuty. This matches the 'Get + Alert Information' category, as it fetches incident data from the 3rd party + product. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -634,42 +707,28 @@ List Incidents: ai_description: >- ### General Description - The **List Incidents** action retrieves a complete list of all incidents from - the PagerDuty platform. This is a utility action designed to provide broad visibility - into the current state of PagerDuty incidents, allowing analysts to see active - or historical records without needing to target a specific entity or alert ID. + This action retrieves a comprehensive list of all incidents from the PagerDuty + platform. It is designed to provide visibility into current incidents managed + within PagerDuty. ### Parameters Description - | Parameter Name | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | None | N/A | N/A | This action does not take any input parameters. | + There are no action parameters required for this action. ### Flow Description - 1. **Configuration Retrieval**: The action starts by fetching the PagerDuty API - key from the integration's configuration settings. - - 2. **API Interaction**: It initializes the PagerDuty manager and calls the `get_all_incidents` - method, which performs a GET request to the `/incidents` endpoint. + 1. Initialize the `SiemplifyAction` and retrieve the `api_key` from the integration + configuration. - 3. **Data Processing**: The action receives the list of incidents from PagerDuty - and checks if any data was returned. + 2. Initialize the `PagerDutyManager` with the provided API key. - 4. **Output Generation**: The retrieved incident data is added to the action's - JSON results, and the action completes with a success message indicating whether - incidents were found. + 3. Call the `get_all_incidents` method to fetch the list of incidents from PagerDuty. + 4. Add the retrieved incident data to the action result using `add_result_json`. - ### Additional Notes - - This action does not operate on specific entities (like IPs or Hostnames) and - does not modify any data within PagerDuty or Google SecOps. It is strictly a data - retrieval utility. + 5. Terminate the action with a success or failure message based on the outcome. capabilities: can_create_case_comments: false can_create_insight: false @@ -680,8 +739,15 @@ List Incidents: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the PagerDuty API to retrieve a list of + incidents. It does not modify any external or internal data. categories: enrichment: false + reasoning: >- + The action fetches a list of incidents from PagerDuty. It does not enrich specific + entities or alerts within the SOAR platform. It is a retrieval action, not an + enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -697,6 +763,9 @@ List Incidents: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `target_entities`. It fetches a global list + of incidents from the PagerDuty API. List Users: action_product_categories: add_alert_comment: false @@ -712,6 +781,11 @@ List Users: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves a list of users from PagerDuty. It does not match any of + the specific categories provided (e.g., it is not enriching a specific IOC or + Asset, nor is it performing a management action like blocking or updating). + It is a general data retrieval/listing action. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -729,39 +803,36 @@ List Users: ai_description: >- ### General Description - The **List Users** action retrieves a comprehensive list of all users associated - with the PagerDuty account. This is a utility action used for administrative oversight, - user discovery, or to provide context for other PagerDuty-related workflows within - Google SecOps. It interacts with the PagerDuty API to fetch user metadata such - as names, emails, roles, and time zones. + This action retrieves a comprehensive list of all users from the PagerDuty platform. + It is designed to provide visibility into the user directory within PagerDuty, + returning the data as a JSON result for further analysis or display within the + SOAR platform. ### Parameters Description - There are no parameters required for this action. + There are no user-configurable input parameters for this action. The action utilizes + the API key configured in the PagerDuty integration settings to authenticate and + fetch the data. - ### Flow Description - - 1. **Initialization**: The action initializes the PagerDuty manager using the - API token provided in the integration configuration. - - 2. **API Request**: It executes a GET request to the PagerDuty `/users` endpoint - to retrieve the full list of user objects. + ### Additional Notes - 3. **Data Processing**: The action captures the list of users returned by the - API. + This action does not require any specific entities to be selected. It performs + a global fetch operation against the PagerDuty API. - 4. **Output**: The retrieved user data is added to the action's JSON results, - and a success message is generated for the analyst. + ### Flow Description - ### Additional Notes + 1. **Initialization**: The action initializes the `SiemplifyAction` and retrieves + the PagerDuty API token from the integration configuration. - * This action does not require any input entities or parameters to run. + 2. **Execution**: It instantiates the `PagerDutyManager` and calls the `list_users` + method to query the PagerDuty `/users` endpoint. - * If no users are found in the PagerDuty account, the action will complete successfully - but report that no users were found. + 3. **Output**: The retrieved list of users is added to the action results as a + JSON object. If the operation is successful, a success message is returned; otherwise, + an error message is generated. capabilities: can_create_case_comments: false can_create_insight: false @@ -772,8 +843,17 @@ List Users: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the PagerDuty API to retrieve a list of + users. It does not modify any external systems (no POST/PUT/DELETE), nor does + it modify any internal SOAR data (entities, insights, or case comments). It + simply returns the fetched data as a result. categories: enrichment: false + reasoning: >- + The action does not operate on entities, nor does it enrich them. It is a utility + action that fetches a global list of users from an external system. Therefore, + it does not meet the criteria for an Enrichment Action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -789,6 +869,9 @@ List Users: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not reference `siemplify.target_entities` or perform any operations + on specific entities. It fetches a global list of users from the PagerDuty API. Ping: action_product_categories: add_alert_comment: false @@ -804,6 +887,10 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test ('Ping') and does not perform any functional + operations like enriching data, creating tickets, or modifying alerts. Therefore, + it does not match any of the defined product categories. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -819,24 +906,35 @@ Ping: update_identity: false update_ticket: false ai_description: >- - ### General Description\n\nThe **Ping** action is used to verify the connectivity - between Google SecOps and the PagerDuty API. It ensures that the provided API - key is valid and that the PagerDuty service is reachable. This action is essential - for confirming that the integration is correctly configured and ready for use.\n\n### - Parameters Description\n\n| Parameter | Type | Mandatory | Description |\n| :--- - | :--- | :--- | :--- |\n| None | N/A | N/A | This action does not have any input - parameters. |\n\n### Additional Notes\n\n* The action relies on the `api_key` - provided in the integration configuration. This key must have the necessary permissions - to access the PagerDuty API (specifically the `/abilities` endpoint).\n* This - action is typically used during the initial setup or troubleshooting of the PagerDuty - integration.\n\n### Flow Description\n\n1. **Parameter Extraction**: The action - retrieves the `api_key` from the PagerDuty integration configuration.\n2. **Client - Initialization**: A `PagerDutyManager` instance is created using the API key.\n3. - **Connectivity Test**: The action calls the `test_connectivity` method, which - performs a `GET` request to the PagerDuty `/abilities` endpoint.\n4. **Result - Validation**: If the request is successful (HTTP 200), the action returns a success - message. If the request fails (e.g., due to an invalid API key or network issues), - an error message is generated. + This action tests connectivity to the PagerDuty API to ensure the provided credentials + are valid and the service is reachable. + + + ### Flow Description + + 1. The action extracts the `api_key` from the integration configuration. + + 2. It initializes the `PagerDutyManager` using the provided API key. + + 3. It executes a `GET` request to the PagerDuty `/abilities` endpoint. + + 4. If the request is successful, the action completes; otherwise, it raises an + error. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | `api_key` | String | Yes | The API key used to authenticate with the PagerDuty + API. | + + + ### Additional Notes + + There are no additional notes for this action. capabilities: can_create_case_comments: false can_create_insight: false @@ -845,10 +943,17 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: false + fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the PagerDuty `/abilities` endpoint to + verify connectivity and authentication. It does not modify any external or internal + data, update entities, or create insights. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action, which is explicitly excluded from being an enrichment + action according to the instructions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -864,6 +969,8 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. Run Response Play: action_product_categories: add_alert_comment: false @@ -879,6 +986,10 @@ Run Response Play: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action triggers a response play in PagerDuty. This does not align with the + provided categories such as enrichment, ticket management, alert modification, + or containment. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -894,52 +1005,38 @@ Run Response Play: update_identity: false update_ticket: false ai_description: >- - ### General Description + Triggers a specific response play in PagerDuty for a given incident. This action + allows users to automate incident response workflows by executing predefined response + plays directly from the SOAR platform. - The **Run Response Play** action triggers a specified PagerDuty Response Play - for a given incident. Response Plays are predefined sets of actions that can be - executed to manage incidents efficiently, such as notifying specific teams or - updating incident statuses. This action is currently marked as deprecated. - - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Email | string | Yes | The email address of the PagerDuty user. This is used - in the 'From' header for API authentication and auditing. Default is 'test@example.com'. - | + | Email | string | Yes | The email address associated with the user triggering + the response play. | - | Response ID | string | Yes | The unique identifier of the Response Play to be - executed. Default is 'test'. | + | Response ID | string | Yes | The unique identifier of the response play to be + executed. | - | Incident_ID | string | Yes | The unique identifier of the PagerDuty incident - on which the play will be run. Default is 'Default'. | + | Incident_ID | string | Yes | The unique identifier of the incident on which + the response play will be run. | ### Flow Description - 1. **Initialization:** The action extracts the user email, Response Play ID, and - Incident ID from the input parameters. - - 2. **API Request:** It constructs and sends a POST request to the PagerDuty API - endpoint `/response_plays/{response_play_id}/run`. - - 3. **Execution:** The request includes the incident reference in the payload and - the user's email in the headers. - - 4. **Completion:** The action captures the API response, adds it to the JSON results, - and reports the success or failure of the operation. - + 1. The action extracts the required parameters: `Email`, `Response ID`, and `Incident_ID`. - ### Additional Notes + 2. It initializes the `PagerDutyManager` using the configured API token. - - This action is deprecated and may be removed in future versions. + 3. It executes the response play by sending a POST request to the PagerDuty API + endpoint `/response_plays/{response_plays_id}/run`. - - It does not interact with SOAR entities directly; all identifiers must be provided - as parameters. + 4. The result of the operation is added to the action results, and the action + concludes with a success or failure status. capabilities: can_create_case_comments: false can_create_insight: false @@ -948,12 +1045,20 @@ Run Response Play: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Triggers a response play in PagerDuty for a specific incident, which can initiate - various automated workflows, notifications, or status changes. + Triggers a response play in PagerDuty for a specific incident via a POST request. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to an external system (PagerDuty) to trigger + a response play, which constitutes an external data mutation. It does not fetch + contextual data for enrichment, nor does it modify internal SOAR data, entities, + or case comments. categories: enrichment: false + reasoning: >- + The action is a trigger/mutation action that executes a process in an external + system. It does not fetch data for enrichment purposes, nor does it meet the + criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -969,6 +1074,9 @@ Run Response Play: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with or iterate over SOAR entities. It operates + on specific identifiers provided as input parameters. Snooze Incident: action_product_categories: add_alert_comment: false @@ -984,6 +1092,11 @@ Snooze Incident: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action performs a POST request to PagerDuty to snooze an incident. This + is a state change in an external system (PagerDuty). It aligns with the 'Update + Ticket' category as it modifies the status/state of an incident in an external + ticketing/incident management system. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -999,50 +1112,21 @@ Snooze Incident: update_identity: false update_ticket: true ai_description: >- - Snoozes a PagerDuty incident for a predefined duration of 3600 seconds (1 hour). - This action interacts with the PagerDuty API to temporarily silence notifications - for a specific incident, effectively changing its state in the external system. - It requires the Incident ID and the email address of the requester to authorize - the change. - - - ### Parameters - - | Parameter | Type | Mandatory | Description | - - | --- | --- | --- | --- | - - | Email | string | Yes | The email address of the PagerDuty user performing the - action. This is used in the 'From' header for API authentication and auditing. - | - - | IncidentID | string | Yes | The unique identifier of the PagerDuty incident - that needs to be snoozed. | - - - ### Flow Description - - 1. **Initialization**: The action retrieves the PagerDuty API key from the integration - configuration and extracts the 'Email' and 'IncidentID' from the action parameters. - - 2. **API Interaction**: It utilizes the PagerDutyManager to send a POST request - to the `/incidents/{incident_id}/snooze` endpoint. - - 3. **Payload**: The request includes a hardcoded payload setting the snooze duration - to 3600 seconds. - - 4. **Result Processing**: If successful, the action retrieves the updated incident - data from PagerDuty and attaches it as a JSON result to the SOAR action. If the - API returns an error (e.g., 404 or 403), the action fails and reports the HTTP - error details. - - - ### Additional Notes - - * This action does not run on entities; it operates strictly based on the provided - Incident ID parameter. - - * The snooze duration is currently fixed at 1 hour within the script logic. + ### General Description\nSnoozes a PagerDuty incident for a specified duration + (default 3600 seconds). This action allows analysts to temporarily suppress notifications + for an incident directly from the SOAR platform.\n\n### Parameters Description\n| + Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| + Email | string | Yes | The email address of the user performing the action, used + for PagerDuty API authentication headers. |\n| IncidentID | string | Yes | The + unique identifier of the PagerDuty incident to snooze. |\n\n### Additional Notes\nThe + action requires a valid PagerDuty API token configured in the integration settings. + The snooze duration is hardcoded to 3600 seconds.\n\n### Flow Description\n1. + Extract the `Email` and `IncidentID` parameters from the action configuration.\n2. + Initialize the `PagerDutyManager` using the API token retrieved from the integration + configuration.\n3. Execute the `snooze_incident` method, which sends a POST request + to the PagerDuty API endpoint `/incidents/{incident_id}/snooze`.\n4. The request + includes the provided email in the headers and a default snooze duration of 3600 + seconds.\n5. Return the resulting incident details in the action result. capabilities: can_create_case_comments: false can_create_insight: false @@ -1051,12 +1135,19 @@ Snooze Incident: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Changes the status of a PagerDuty incident to 'snoozed' for a duration of one - hour via a POST request to the PagerDuty API. - fetches_data: true + Snoozes an incident in PagerDuty by sending a POST request to the PagerDuty + API. + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the PagerDuty API to snooze an incident, + which is an external system mutation. It does not fetch additional contextual + data, nor does it modify any internal SecOps data, entities, or alerts. categories: enrichment: false + reasoning: >- + The action is a mutation action (snoozing an incident) and does not fetch data + for enrichment purposes. Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1072,3 +1163,6 @@ Snooze Incident: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or process any entities. It uses action parameters + to identify the incident to snooze. diff --git a/content/response_integrations/third_party/community/pager_duty/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/pager_duty/resources/ai/connectors_ai_description.yaml index d74bc3c55..b8bd85d3a 100644 --- a/content/response_integrations/third_party/community/pager_duty/resources/ai/connectors_ai_description.yaml +++ b/content/response_integrations/third_party/community/pager_duty/resources/ai/connectors_ai_description.yaml @@ -2,58 +2,48 @@ PagerDutyConnector: ai_description: >- ### General Description - - The PagerDuty connector integrates Google SecOps with the PagerDuty API to automate - the ingestion of incidents. It monitors PagerDuty for new incidents, transforms - them into SOAR alerts, and provides an optional mechanism to automatically acknowledge - incidents within PagerDuty once they are successfully ingested into the platform. + The PagerDuty connector integrates with the PagerDuty API to fetch incidents and + ingest them as alerts into Google SecOps. It supports optional automatic acknowledgment + of incidents within PagerDuty upon successful ingestion into the SOAR platform. ### Parameters Description - | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | apiKey | String | Yes | The API Key used to authenticate with the PagerDuty - API. | + | acknowledge | Boolean | No | If enabled, acknowledges the incident in PagerDuty + after ingestion. Note: The API key must have permissions to modify incidents. + | - | acknowledge | Boolean | No | If set to true, the connector will acknowledge - the incident in PagerDuty immediately after ingestion. Note: The API key must - have write permissions for incidents. | + | apiKey | String | Yes | The API key used to authenticate with the PagerDuty + API. | | DeviceProductField | String | Yes | The field name used to determine the device - product in the ingested event data. | + product. | | EventClassId | String | Yes | The field name used to determine the event name - or sub-type. | + (sub-type). | - | PythonProcessTimeout | String | Yes | The maximum time (in seconds) allowed - for the connector script to execute. | + | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the + Python process. | ### Flow Description + 1. The connector initializes the PagerDuty manager using the provided API key. - 1. **Authentication**: The connector establishes a session with the PagerDuty - API using the provided API Key. - - 2. **Incident Retrieval**: It queries the PagerDuty `/incidents` endpoint to fetch - a list of current incidents. + 2. It queries the PagerDuty API to retrieve a list of active incidents. - 3. **Severity Mapping**: For each incident, the connector maps PagerDuty's urgency - levels ('high' or 'low') to the internal SOAR severity scale (e.g., 'high' maps - to 100). + 3. For each retrieved incident, it maps the PagerDuty urgency level to the corresponding + SOAR severity. - 4. **Alert Construction**: The connector builds an `AlertInfo` object for each - incident, populating it with metadata such as the incident title, creation time, - and unique PagerDuty ID. The raw incident data is flattened and attached as an - event. + 4. It constructs a SOAR alert object containing incident details, including title, + ID, and creation time. - 5. **Auto-Acknowledgment**: If the `acknowledge` parameter is enabled, the connector - sends a request back to PagerDuty to update the incident status to 'acknowledged' - for every incident successfully processed. + 5. If the `acknowledge` parameter is enabled, the connector sends an acknowledgment + request back to PagerDuty for the processed incident. - 6. **Ingestion**: The final list of alerts is returned to Google SecOps for case - creation and further orchestration. + 6. Finally, the connector returns the list of processed alerts to the SOAR platform + for case creation. diff --git a/content/response_integrations/third_party/community/pager_duty/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/pager_duty/resources/ai/integration_ai_description.yaml index 6896a3667..d8f3de73f 100644 --- a/content/response_integrations/third_party/community/pager_duty/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/community/pager_duty/resources/ai/integration_ai_description.yaml @@ -7,6 +7,17 @@ product_categories: iam_and_identity_management: false itsm: true network_security: false + reasoning: >- + The PagerDuty integration is primarily an ITSM tool used for incident management, + ticketing, and alerting. It qualifies as ITSM because it allows for the creation, + listing, and management of incidents (tickets). It qualifies as Collaboration + because it manages on-call schedules and triggers response plays, which are essential + for notifying teams and coordinating incident response. It does not qualify as + SIEM because, while it ingests alerts, it does not perform the core SIEM functions + of log aggregation, timeline analysis, or IOC tracking across logs. It does not + meet the criteria for EDR, Network Security, Threat Intelligence, Email Security, + IAM, Cloud Security, Vulnerability Management, or Asset Inventory as it does not + perform the specific security-focused tasks defined for those categories. siem: false threat_intelligence: false vulnerability_management: false diff --git a/content/response_integrations/third_party/community/perimeter_x/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/perimeter_x/resources/ai/actions_ai_description.yaml index 5d7cc4339..1f17c386a 100644 --- a/content/response_integrations/third_party/community/perimeter_x/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/perimeter_x/resources/ai/actions_ai_description.yaml @@ -13,6 +13,9 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test ('Ping') and does not perform any of the defined + functional operations (enrichment, containment, ticket management, etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -27,27 +30,19 @@ Ping: update_email: false update_identity: false update_ticket: false - ai_description: >- - ### General Description\nThe **Ping** action is a diagnostic tool designed to - verify the connectivity between Google SecOps and the Slack API using the configured - PerimeterX integration credentials. It ensures that the provided API key is valid - and that the system can successfully communicate with Slack's authentication endpoints.\n\n### - Parameters Description\n\n| Parameter | Type | Mandatory | Description |\n| :--- - | :--- | :--- | :--- |\n| Slack API Key | String | Yes | The API token used to - authenticate with Slack. This is a configuration-level parameter. |\n| Slack Channel - | String | Yes | The Slack channel name used for the integration. This is a configuration-level - parameter. |\n\n### Additional Notes\n* This action does not require any runtime - parameters; it uses the values defined in the integration configuration.\n* This - action does not process or interact with any entities or alerts.\n* As a 'Ping' - action, it is excluded from being categorized as an enrichment action.\n\n### - Flow Description\n1. **Parameter Extraction**: The action retrieves the `Slack - API Key` and `Slack Channel` from the integration's configuration settings.\n2. - **Manager Initialization**: It initializes the `PerimeterXManager` with the retrieved - Slack credentials.\n3. **Authentication Check**: The action calls the Slack `auth.test` - API endpoint to validate the token.\n4. **Result Evaluation**: If the API returns - a successful response (`ok: true`), the action reports a successful connection.\n5. - **Error Handling**: If the API call fails or returns an error, the action captures - the exception and reports a failure state. + ai_description: "The Ping action verifies connectivity to the Slack API by performing\ + \ an authentication test. It is used to ensure that the integration is correctly\ + \ configured and can communicate with the Slack workspace. \n\n### Parameters\n\ + | Parameter | Type | Mandatory | Description |\n| --- | --- | --- | --- |\n| Slack\ + \ API Key | String | Yes | The API key used to authenticate with the Slack workspace.\ + \ |\n| Slack Channel | String | Yes | The name of the Slack channel to verify\ + \ connectivity against. |\n\n### Flow\n1. Extract the configuration parameters\ + \ (Slack API Key and Slack Channel) from the integration settings.\n2. Initialize\ + \ the PerimeterXManager with the provided credentials and connector type.\n3.\ + \ Execute the auth() method, which sends a POST request to the Slack auth.test\ + \ endpoint to validate the API key.\n4. If the authentication is successful, return\ + \ a success message; otherwise, return an error message indicating the failure.\n\ + 5. Terminate the action with the appropriate execution status (Completed or Failed)." capabilities: can_create_case_comments: false can_create_insight: false @@ -58,8 +53,15 @@ Ping: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity test (Ping) to verify Slack API authentication. + It does not fetch contextual data for entities, nor does it modify any external + or internal systems. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action, which is explicitly excluded from being an enrichment + action. It does not perform any data retrieval or state modification. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -75,3 +77,5 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. diff --git a/content/response_integrations/third_party/community/perimeter_x/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/perimeter_x/resources/ai/connectors_ai_description.yaml index a7f8bf690..4b0302ee2 100644 --- a/content/response_integrations/third_party/community/perimeter_x/resources/ai/connectors_ai_description.yaml +++ b/content/response_integrations/third_party/community/perimeter_x/resources/ai/connectors_ai_description.yaml @@ -1,59 +1,24 @@ Slack Connector For Code Defender: ai_description: >- - ### General Description - - The Slack Connector For Code Defender integrates Google SecOps with Slack to ingest - security alerts generated by PerimeterX Code Defender. It monitors a designated - Slack channel where PerimeterX posts incident notifications, automatically converting - these messages into structured cases for security orchestration and response. - This connector is ideal for teams using Slack as a centralized notification hub - for their PerimeterX security events. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Slack Channel | String | Yes | The name of the Slack channel to monitor for - alerts (e.g., 'cd_alerts'). Do not include the '#' prefix. | - - | Slack API Key | Password | Yes | The OAuth API Key used to authenticate with - the Slack API. | - - | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the - Python process running the connector script. | - - | EventClassId | String | Yes | The field name used to determine the event name - or sub-type within the SOAR. | - - | DeviceProductField | String | Yes | The field name used to determine the device - product (e.g., PerimeterXCodeDefender). | - - - ### Flow Description - - 1. **Authentication**: The connector authenticates with the Slack API using the - provided API Key. - - 2. **Channel Identification**: It searches for the internal Slack Channel ID corresponding - to the configured channel name. - - 3. **Message Retrieval**: The connector fetches recent message history from the - channel, utilizing a stored timestamp to ensure only new messages since the last - execution are processed. - - 4. **Alert Filtering**: It filters the message stream specifically for messages - containing the title "Code Defender has detected a new incident" within the attachments. - - 5. **Data Extraction**: For each matching message, the connector parses the attachment - fields to extract critical alert metadata, including Risk Level (Severity), Host - Domain, Script details, and deep links to the PerimeterX console. - - 6. **Mapping and Ingestion**: The extracted data is mapped to the Google SecOps - AlertInfo model, where Risk Levels are translated into system priorities. The - alerts are then ingested as cases. - - 7. **Checkpointing**: The timestamp of the most recent processed message is saved - to prevent duplicate ingestion in subsequent runs. + ### General Description\nThe PerimeterX Code Defender Connector integrates Google + SecOps with Slack to ingest security alerts generated by PerimeterX Code Defender. + It monitors a designated Slack channel for specific incident notifications, parses + the message content, and creates corresponding alerts within the SOAR platform + for further investigation and response.\n\n### Parameters Description\n| Parameter + | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Slack Channel + | String | Yes | The name of the Slack channel to monitor (without the "#" prefix). + |\n| Slack API Key | Password | Yes | The API key used to authenticate with the + Slack API. |\n| PythonProcessTimeout | String | Yes | The timeout limit (in seconds) + for the Python process execution. |\n| EventClassId | String | Yes | The field + name used to determine the event name (sub-type). |\n| DeviceProductField | String + | Yes | The field name used to determine the device product. |\n\n### Flow Description\n1. + The connector initializes by connecting to the Slack API using the provided API + key.\n2. It resolves the configured Slack channel name to a channel ID.\n3. It + fetches message history from the channel, starting from the last successful execution + timestamp to ensure only new alerts are processed.\n4. It filters messages to + identify those specifically related to "Code Defender" incidents.\n5. For each + identified incident, it parses the message attachments to extract relevant data + such as severity, affected script, domain, and deep links.\n6. It maps the extracted + data into a standardized `AlertInfo` format and ingests the alerts into the SOAR + platform.\n7. Finally, it updates the last run timestamp to ensure subsequent + runs continue from the correct point in time. diff --git a/content/response_integrations/third_party/community/perimeter_x/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/perimeter_x/resources/ai/integration_ai_description.yaml index b927e7b41..d67a52d48 100644 --- a/content/response_integrations/third_party/community/perimeter_x/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/community/perimeter_x/resources/ai/integration_ai_description.yaml @@ -7,6 +7,16 @@ product_categories: iam_and_identity_management: false itsm: false network_security: true + reasoning: >- + The integration provides a connector to ingest security alerts from PerimeterX + Code Defender via Slack. PerimeterX Code Defender is a web application security + solution that detects client-side attacks. By ingesting these alerts into the + SOAR platform, the integration enables security teams to respond to web-based + attacks, which aligns with the 'Network Security' category definition of verifying + if a web-based attack was blocked or detected. The integration does not perform + host-level analysis (EDR), identity management (IAM), or ticketing (ITSM), nor + does it provide enrichment or log searching capabilities (SIEM/Threat Intelligence). + Therefore, it is classified under Network Security. siem: false threat_intelligence: false vulnerability_management: false diff --git a/content/response_integrations/third_party/community/philips_hue/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/philips_hue/resources/ai/actions_ai_description.yaml index 8f4a18b12..89b12f22e 100644 --- a/content/response_integrations/third_party/community/philips_hue/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/philips_hue/resources/ai/actions_ai_description.yaml @@ -13,6 +13,10 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test (Ping) for the Philips HUE Bridge. It does + not perform any of the defined actions like enriching IOCs, updating tickets, + or blocking hosts. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -30,39 +34,38 @@ Ping: ai_description: >- ### General Description - The **Ping** action is used to verify the connectivity between Google SecOps and - the Philips HUE Bridge. It ensures that the provided Bridge IP and Authorized - Username are correct and that the bridge is reachable over the network. + This action tests the connectivity to a Philips HUE Bridge by performing a GET + request to the bridge's API. It is a diagnostic tool used to verify that the SOAR + platform can communicate with the external device. ### Parameters Description - There are no action-specific parameters for this action. It relies on the integration's - configuration parameters: + | Parameter | Type | Mandatory | Description | - * **Bridge IP**: The IP address of the Philips HUE bridge. + | :--- | :--- | :--- | :--- | - * **Authorized Username**: The username used to authorize access to the bridge. + | Bridge IP | String | Yes | The IP address of the Philips HUE bridge. | + | Authorized Username | String | Yes | The username to authorize access to the + product's attributes. | - ### Flow Description - 1. **Parameter Extraction**: The action retrieves the Bridge IP and Authorized - Username from the integration configuration. + ### Additional Notes - 2. **Manager Initialization**: A connection manager is initialized using the retrieved - credentials. + This action is a connectivity test (Ping) and does not perform any data enrichment + or state changes on the bridge or within the SOAR platform. - 3. **Connectivity Test**: The action performs a GET request to the bridge's base - API endpoint. - 4. **Result Handling**: If the request is successful, the action returns a success - status; otherwise, it reports a failure with the error details. + ### Flow Description + 1. Extract the `Bridge IP` and `Authorized Username` from the integration configuration. - ### Additional Notes + 2. Initialize the `PhilipsManager` with the provided credentials. + + 3. Execute the `test_connectivity` method, which sends a GET request to the bridge. - This action is primarily used for troubleshooting and initial setup verification. + 4. Return the connection status and an output message indicating success or failure. capabilities: can_create_case_comments: false can_create_insight: false @@ -71,10 +74,17 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to verify connectivity to the Philips HUE + Bridge. It does not modify external or internal data, nor does it update entities + or create insights. It is a diagnostic action. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action. According to the guidelines, 'Actions named Ping + must not be categorized as enrichment actions.' entity_usage: entity_types: [] filters_by_additional_properties: false @@ -90,6 +100,9 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `target_entities` or any specific entity types. + It operates on global configuration parameters. Turn Off Light: action_product_categories: add_alert_comment: false @@ -105,6 +118,10 @@ Turn Off Light: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action interacts with a Philips HUE bridge to change the state of a light. + This does not align with any of the provided security-focused categories such + as IOC enrichment, ticket management, or host containment. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -120,20 +137,38 @@ Turn Off Light: update_identity: false update_ticket: false ai_description: >- - Turns off a specific Philips Hue light bulb using its unique identifier. This - action interacts with the Philips Hue Bridge API to verify the light's existence - and reachability before sending a command to update its state to 'off'.\n\n### - Flow Description:\n1. **Parameter Extraction:** Retrieves the Bridge IP and Authorized - Username from the integration configuration and the Light ID from the action parameters.\n2. - **Existence Check:** Queries the bridge to ensure the provided Light ID exists.\n3. - **Reachability Check:** Verifies if the light is currently reachable by the bridge.\n4. - **State Update:** Sends a PUT request to the bridge to set the light's 'on' state - to false.\n5. **Result Reporting:** Returns the status of the operation and the - details of the light's state.\n\n### Parameters Description:\n| Parameter | Type - | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Light ID | String - | Yes | The unique identifier of the light bulb you wish to turn off. |\n\n### - Additional Notes:\n- This action does not process SecOps entities; it operates - directly on the provided Light ID parameter. + ### General Description + + This action turns off a specific Philips HUE light by its unique identifier. It + interacts with a Philips HUE bridge to verify the light's existence and reachability + before sending a command to change its power state to 'off'. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Light ID | string | Yes | The identifier of the light to be turned off. | + + + ### Flow Description + + 1. **Initialization**: The action extracts the required configuration parameters + (Bridge IP, Authorized Username) and the 'Light ID' action parameter. + + 2. **Verification**: It initializes the `PhilipsManager` and performs a search + to verify that the provided 'Light ID' exists on the bridge. + + 3. **Reachability Check**: If the light exists, it checks if the light is currently + reachable from the bridge. + + 4. **Execution**: If the light is reachable, it sends a PUT request to the bridge + to set the light's state to 'off'. + + 5. **Result**: The action returns the result of the operation, indicating success + or failure based on the bridge's response. capabilities: can_create_case_comments: false can_create_insight: false @@ -142,12 +177,21 @@ Turn Off Light: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Changes the state of a physical light bulb to 'off' via the Philips Hue Bridge - API. + Sends a PUT request to the Philips HUE bridge to change the state of the specified + light to 'off'. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs GET requests to verify the light's existence and reachability + (fetches_data=true). It then performs a PUT request to change the state of the + light on the external Philips HUE bridge (can_mutate_external_data=true). It + does not modify internal SOAR data, entities, or case information. categories: enrichment: false + reasoning: >- + The action mutates external data (turns off a light) and does not perform any + enrichment or internal data modification. Therefore, it is not an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -163,6 +207,9 @@ Turn Off Light: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or utilize `target_entities`. It operates based + on a user-provided 'Light ID' parameter. Turn On Light and Color: action_product_categories: add_alert_comment: false @@ -178,6 +225,10 @@ Turn On Light and Color: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action controls a physical IoT device (Philips Hue light). It does not match + any of the standard security-focused categories such as IOC enrichment, ticket + management, or host containment. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -195,50 +246,50 @@ Turn On Light and Color: ai_description: >- ### General Description - Turns on a specific Philips Hue light bulb and applies a selected color and alert - effect. This action is used to provide physical visual indicators (e.g., turning - a light red during a high-severity incident) by interacting with the Philips Hue - Bridge API. + This action controls a Philips Hue light by adjusting its power state, color, + and alert effects via the Philips Hue Bridge API. It allows analysts to trigger + visual indicators on physical hardware, which can be useful for physical security + alerting or status signaling. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Initialization**: The action extracts the Philips Hue Bridge IP and authorized + username from the integration configuration. - | :--- | :--- | :--- | :--- | + 2. **Parameter Retrieval**: It retrieves the `Light ID`, `Color`, and `Alert effect` + from the action parameters. - | Light ID | string | Yes | The unique identifier of the light bulb you want to - control. | + 3. **Validation**: It performs a GET request to the Philips Hue Bridge to verify + that the specified `Light ID` exists. - | Color | ddl | Yes | The color to apply to the light. Options include Red, Orange, - Yellow, Green, Blue, Purple, and Pink. | + 4. **Execution**: If the light exists, it performs a PUT request to the Bridge + API to update the light's state (power, color, and effect). - | Alert effect | ddl | Yes | The visual effect to trigger. 'None' just turns the - light on; 'Flicker-Once' performs a single alert cycle; 'Flicker-Loop' performs - alert cycles for 15 seconds. | + 5. **Result**: The action returns the status of the operation, indicating success + or failure based on the API response. - ### Flow Description + ### Parameters Description - 1. **Initialization**: Extracts the Bridge IP and Username from the integration - configuration, and the Light ID, Color, and Alert effect from the action parameters. + | Parameter | Type | Mandatory | Description | - 2. **Validation**: Checks if the provided Light ID exists on the Philips Hue Bridge. + | :--- | :--- | :--- | :--- | - 3. **Reachability Check**: Verifies if the specific light bulb is currently reachable - by the bridge. + | Light ID | string | Yes | The unique identifier of the Philips Hue light to + control. | - 4. **Execution**: Sends a PUT request to the bridge to turn the light on, set - the hue (based on the chosen color), and apply the selected alert effect. + | Color | ddl | Yes | The color to set the light to (Options: Red, Orange, Yellow, + Green, Blue, Purple, Pink). | - 5. **Reporting**: Returns a success message if the light was successfully updated, - or an error message if the light was unreachable or the ID was invalid. + | Alert effect | ddl | Yes | The visual effect to apply (Options: None, Flicker-Once, + Flicker-Loop). | ### Additional Notes - This action does not run on entities; it requires a specific Light ID to be provided - manually as a parameter. + This action requires a valid Philips Hue Bridge IP and an authorized username + configured in the integration settings to communicate with the device. capabilities: can_create_case_comments: false can_create_insight: false @@ -247,12 +298,20 @@ Turn On Light and Color: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Changes the state of a physical Philips Hue light bulb by turning it on and - modifying its color and alert effect settings via a PUT request to the Hue Bridge. + Updates the state of a Philips Hue light (power, color, effect) via the Philips + Hue Bridge API. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action interacts with an external Philips Hue Bridge API. It performs GET + requests to verify light existence and reachability, and a PUT request to modify + the light's state (color, effect, power). It does not modify internal SOAR data + (entities, insights, etc.). categories: enrichment: false + reasoning: >- + The action mutates external data (changes light state) and does not perform + enrichment on entities or alerts. Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -268,3 +327,6 @@ Turn On Light and Color: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not reference `siemplify.target_entities` or any entity objects. + It uses a provided `Light ID` parameter to identify the target device. diff --git a/content/response_integrations/third_party/community/philips_hue/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/philips_hue/resources/ai/integration_ai_description.yaml index a4b23e02c..495f6e690 100644 --- a/content/response_integrations/third_party/community/philips_hue/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/community/philips_hue/resources/ai/integration_ai_description.yaml @@ -1,12 +1,20 @@ product_categories: asset_inventory: false cloud_security: false - collaboration: true + collaboration: false edr: false email_security: false iam_and_identity_management: false itsm: false network_security: false + reasoning: >- + The philips_hue integration provides actions to control physical IoT lighting + devices (turning lights on/off, changing colors). These actions do not align with + any of the defined security-focused product categories such as SIEM, EDR, Network + Security, Threat Intelligence, Email Security, IAM, Cloud Security, ITSM, Vulnerability + Management, Asset Inventory, or Collaboration. The integration is purely for physical + environment control and does not perform security operations, data enrichment, + or incident response tasks as defined in the provided schema. siem: false threat_intelligence: false vulnerability_management: false diff --git a/content/response_integrations/third_party/community/phish_tank/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/phish_tank/resources/ai/actions_ai_description.yaml index ce6404370..a7a61e2aa 100644 --- a/content/response_integrations/third_party/community/phish_tank/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/phish_tank/resources/ai/actions_ai_description.yaml @@ -13,6 +13,10 @@ Check Url: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves reputation and threat intelligence (suspicious status) + for a URL from PhishTank. This matches the 'Enrich IOC' category. It does not + perform any other actions like blocking, ticketing, or alert management. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -30,51 +34,41 @@ Check Url: ai_description: >- ### General Description - Enriches URL entities by checking their reputation against the PhishTank community - database. This action identifies if a URL is known for phishing activities, retrieves - verification status, and provides direct links to PhishTank detail pages. + Checks if a specific URL is marked as suspicious by the PhishTank Community. This + action queries the PhishTank API for each URL entity in the scope, retrieves threat + intelligence, and updates the entity's status if it is verified as malicious. + It also generates insights for the analyst to review. ### Parameters Description - | Parameter Name | Type | Mandatory | Description | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Service Url | String | Yes | The PhishTank API endpoint URL, configured at the - integration level. | + | Service Url | String | Yes | The API endpoint URL for the PhishTank service. + | ### Flow Description - 1. **Configuration Retrieval:** Fetches the PhishTank service URL from the integration - settings. + 1. Extract the `Service Url` configuration parameter. - 2. **Entity Filtering:** Identifies all `URL` entities within the current action - scope. + 2. Iterate through all target entities, filtering for those of type `URL`. - 3. **Reputation Lookup:** For each URL, sends a POST request to the PhishTank - API to query its status. + 3. For each URL, send a POST request to the PhishTank API to retrieve reputation + data. - 4. **Data Parsing:** Processes the XML response to extract database presence, - verification status, and validity. + 4. Parse the XML response to determine if the URL is in the database and if it + is verified as malicious. - 5. **Insight Generation:** Adds an entity insight to the SOAR case for each URL, - detailing whether it was found and its verification status. + 5. If the URL is found, add an insight to the entity containing details such as + the link, verification status, and validity. - 6. **Entity Update:** If a URL is verified as a phish, the action marks the entity - as suspicious and updates its status in Google SecOps. + 6. If the URL is verified as malicious, mark the entity as suspicious and update + it in the SOAR platform. - 7. **Result Reporting:** Returns a summary of found, suspicious, and failed entities, - along with the raw JSON data for further analysis. - - - ### Additional Notes - - - This action uses the `OriginalIdentifier` of the entity if available, falling - back to the standard identifier for the lookup. - - - A score modifier of 50 is applied internally to entities found in the database. + 7. Add the raw API response as a JSON result to the action output. capabilities: can_create_case_comments: false can_create_insight: true @@ -85,10 +79,21 @@ Check Url: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates the 'is_suspicious' attribute of URL entities if they are verified as - phishing in PhishTank and adds entity insights to the case. + Updates the entity's 'is_suspicious' attribute and adds insights to the entity + within the SOAR platform. + reasoning: >- + The action fetches threat intelligence data from the PhishTank API (fetches_data=true). + It does not modify any external systems (can_mutate_external_data=false). It + performs internal mutations by updating the entity's suspicious status and adding + insights to the entity (can_mutate_internal_data=true, can_update_entities=true, + can_create_insight=true). categories: enrichment: true + reasoning: >- + The action fetches data from an external source (PhishTank) to enrich the entity + context. It does not mutate external systems. It performs allowed internal mutations + (updating entities, adding insights). Therefore, it is classified as an enrichment + action. entity_usage: entity_types: - DestinationURL @@ -105,6 +110,9 @@ Check Url: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and explicitly filters for + entities where `entity.entity_type == EntityTypes.URL` (mapped to DestinationURL). Ping: action_product_categories: add_alert_comment: false @@ -120,6 +128,9 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test ('Ping') and does not perform any of the defined + operational tasks such as enrichment, containment, or ticket management. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -137,37 +148,36 @@ Ping: ai_description: >- ### General Description - The **Ping** action is a diagnostic tool used to verify the connectivity between - the Google SecOps environment and the PhishTank service. It ensures that the integration - is correctly configured and that the PhishTank API is reachable and responding - to requests. + Tests the connectivity between the Google SecOps environment and the PhishTank + service. This action verifies that the integration is correctly configured and + can communicate with the external API. ### Parameters Description - There are no user-configurable parameters for this action. It relies solely on - the integration's global configuration. + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Service Url | String | Yes | The base URL for the PhishTank API. | ### Additional Notes - This action performs a test request using a hardcoded URL (`google.com`) to validate - the API's response format and availability. + This action is a diagnostic tool and does not perform any functional operations + or data retrieval. ### Flow Description - 1. **Configuration Extraction**: The action retrieves the `Service Url` from the - PhishTank integration settings. + 1. Retrieve the `Service Url` from the integration configuration. - 2. **Connectivity Request**: It executes a POST request to the service URL with - a sample payload containing a test URL and a request for a JSON response. + 2. Send a POST request to the provided URL with a test payload (`{"url": "google.com", + "format": "json"}`). - 3. **Status Verification**: The action checks the HTTP response status code. If - the request fails (e.g., 4xx or 5xx error), an exception is raised. + 3. Validate the response status code. - 4. **Result Reporting**: Upon a successful response, the action concludes by reporting - that the service is connected. + 4. Terminate the action with a success message. capabilities: can_create_case_comments: false can_create_insight: false @@ -176,10 +186,18 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity test (Ping) to the configured PhishTank service + URL. It does not fetch contextual data for entities, nor does it mutate any + external or internal systems. It is strictly a diagnostic action. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action, which is explicitly excluded from being an enrichment + action per the guidelines. It does not fetch data or perform any operational + tasks. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -195,3 +213,6 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities; it is a global connectivity + test. diff --git a/content/response_integrations/third_party/community/phish_tank/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/phish_tank/resources/ai/integration_ai_description.yaml index 2e831240c..dbd140091 100644 --- a/content/response_integrations/third_party/community/phish_tank/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/community/phish_tank/resources/ai/integration_ai_description.yaml @@ -3,10 +3,20 @@ product_categories: cloud_security: false collaboration: false edr: false - email_security: false + email_security: true iam_and_identity_management: false itsm: false network_security: false + reasoning: >- + The phish_tank integration is primarily designed to provide threat intelligence + by checking the reputation of URL indicators against the PhishTank community database. + This aligns directly with the Threat Intelligence category, as it is used to enrich + URL entities to determine their malicious status. Additionally, because PhishTank + is a specialized service for identifying phishing attempts, the integration is + highly relevant to Email Security investigations, where analysts need to verify + suspicious links found in emails. It does not perform SIEM, EDR, Network Security + (blocking at the gateway), IAM, Cloud Security, ITSM, Vulnerability Management, + Asset Inventory, or Collaboration functions. siem: false threat_intelligence: true vulnerability_management: false diff --git a/content/response_integrations/third_party/community/pulsedive/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/pulsedive/resources/ai/actions_ai_description.yaml index b30c0700b..ed40dc16c 100644 --- a/content/response_integrations/third_party/community/pulsedive/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/pulsedive/resources/ai/actions_ai_description.yaml @@ -13,6 +13,10 @@ Enrich IP: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves reputation, risk levels, and threat intelligence for an + IP address (IOC). This matches the 'Enrich IOC' category. It does not perform + any containment, ticketing, or alert modification actions. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -27,35 +31,36 @@ Enrich IP: update_email: false update_identity: false update_ticket: false - ai_description: "Enriches IP Address entities using Pulsedive threat intelligence.\ - \ This action retrieves comprehensive data about an IP, including its risk level,\ - \ risk factors, and community comments. It evaluates the risk against a user-defined\ - \ threshold to automatically mark entities as suspicious within Google SecOps.\n\ - \n### Flow Description\n1. **Filter Entities:** Identifies all IP Address entities\ - \ (ADDRESS) within the current context.\n2. **Fetch Intelligence:** For each IP,\ - \ it queries the Pulsedive API to retrieve indicator details, risk scores, and\ - \ optionally, community comments.\n3. **Risk Evaluation:** Compares the retrieved\ - \ Pulsedive risk level (e.g., 'high', 'critical') against the user-provided 'Threshold'\ - \ parameter.\n4. **Internal Enrichment:** \n * Updates the entity's additional\ - \ properties with Pulsedive metadata (prefixed with 'PD').\n * Marks the entity\ - \ as 'suspicious' if the risk meets or exceeds the threshold.\n * Marks the\ - \ entity as 'enriched'.\n5. **Reporting:** \n * Generates an Entity Insight\ - \ containing a formatted HTML report of the risk factors and indicator details.\n\ - \ * If enabled, creates a Data Table on the case wall containing community\ - \ comments.\n6. **Finalize:** Updates the entities in the SecOps platform and\ - \ returns a JSON result summarizing the findings.\n\n### Parameters Description\n\ - | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ - | **Threshold** | DDL | Yes | The minimum risk level (verylow, low, medium, high,\ - \ critical) required for the action to mark an entity as suspicious. |\n| **Retrieve\ - \ Comments** | Boolean | No | If true, the action fetches and displays community\ - \ comments from Pulsedive. Default is true. |\n| **Only Suspicious Entity Insight**\ - \ | Boolean | No | If true, insights will only be created for entities that meet\ - \ the risk threshold. Default is false. |\n| **Max Comments To Return** | String\ - \ | No | Limits the number of comments retrieved and displayed in the data table.\ - \ Default is 50. |\n\n### Additional Notes\n* The action uses a mapping system\ - \ to convert Pulsedive's string-based risk levels into numerical scores for comparison\ - \ against the user-defined threshold.\n* Enrichment data is added to entities\ - \ with the prefix 'PD' to distinguish Pulsedive data from other sources." + ai_description: "### General Description\nThis action enriches IP Address entities\ + \ by retrieving threat intelligence from Pulsedive. It fetches reputation data,\ + \ risk factors, and comments (if requested) for the specified IP addresses. The\ + \ action evaluates the risk level of the IP against a user-defined threshold and\ + \ updates the entity's suspicious status, adds enrichment properties, and generates\ + \ insights within the Google SecOps platform.\n\n### Flow Description\n1. **Parameter\ + \ Extraction**: The action retrieves configuration parameters (API Root, API Key,\ + \ SSL verification) and action-specific parameters (Threshold, Retrieve Comments,\ + \ etc.).\n2. **Entity Filtering**: It filters the target entities to process only\ + \ those of type `ADDRESS`.\n3. **Data Retrieval**: For each valid entity, it queries\ + \ the Pulsedive API to fetch indicator data, including risk levels and comments.\n\ + 4. **Risk Evaluation**: It compares the retrieved risk score against the configured\ + \ `Threshold`. If the risk meets or exceeds the threshold, the entity is marked\ + \ as suspicious.\n5. **Enrichment & Insight Creation**: \n - Updates the entity's\ + \ `additional_properties` with the retrieved threat data.\n - Optionally constructs\ + \ a data table of comments and adds it to the case.\n - Creates an entity insight\ + \ summarizing the risk and threat details.\n6. **SOAR Update**: Updates the enriched\ + \ entities in the SOAR platform and adds a final JSON result containing the processed\ + \ data.\n\n### Parameters Description\n| Parameter | Type | Mandatory | Description\ + \ |\n| :--- | :--- | :--- | :--- |\n| Threshold | ddl | Yes | The risk level threshold\ + \ (verylow, low, medium, high, critical) used to determine if an entity should\ + \ be marked as suspicious. |\n| Retrieve Comments | boolean | No | If enabled,\ + \ the action will retrieve and display comments associated with the entity. |\n\ + | Only Suspicious Entity Insight | boolean | No | If enabled, the action will\ + \ only create an entity insight if the entity is determined to be suspicious based\ + \ on the threshold. |\n| Max Comments To Return | string | No | Specifies the\ + \ maximum number of comments to retrieve for the entity. |\n\n### Additional Notes\n\ + - The action requires a valid Pulsedive API key and connectivity to the Pulsedive\ + \ API endpoint.\n- If no entities of type `ADDRESS` are found, the action will\ + \ not perform any enrichment." capabilities: can_create_case_comments: false can_create_insight: true @@ -66,10 +71,20 @@ Enrich IP: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity suspicious status, adds enrichment properties to the entity objects, - creates entity insights, and adds data tables to the case wall. + The action updates entity properties, adds entity insights, and adds data tables + to the case wall within Google SecOps. + reasoning: >- + The action fetches threat intelligence data from Pulsedive (fetches_data=true). + It does not perform any actions that change the state of external systems (can_mutate_external_data=false). + It performs internal mutations by updating entity properties, adding entity + insights, and adding data tables to the case (can_mutate_internal_data=true). categories: enrichment: true + reasoning: >- + The action is designed to fetch threat intelligence (enrichment) for IP addresses. + It does not mutate external systems and only performs allowed internal mutations + (updating entities, creating insights, adding data tables). Therefore, it qualifies + as an enrichment action. entity_usage: entity_types: - ADDRESS @@ -86,6 +101,9 @@ Enrich IP: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code explicitly filters `siemplify.target_entities` to process only entities + where `entity.entity_type == EntityTypes.ADDRESS`. Enrich URL: action_product_categories: add_alert_comment: false @@ -101,6 +119,10 @@ Enrich URL: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves threat intelligence (reputation, risk level) for a URL + indicator. This aligns with the 'Enrich IOC' category. It does not perform any + other actions like ticketing, blocking, or identity management. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -115,62 +137,36 @@ Enrich URL: update_email: false update_identity: false update_ticket: false - ai_description: >- - ### General Description - - Enriches URL entities using threat intelligence from Pulsedive. This action retrieves - comprehensive indicator data, including risk levels, risk factors, and user comments. - It evaluates the risk of each URL against a user-defined threshold to determine - if the entity should be marked as suspicious within Google SecOps. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Max Comments To Return | String | No | Specifies the maximum number of comments - to retrieve from Pulsedive for each entity. Default is 50. | - - | Threshold | DDL | Yes | Defines the risk level at which an entity is marked - as suspicious. Options include: `verylow`, `low`, `medium`, `high`, and `critical`. - | - - | Retrieve Comments | Boolean | No | If enabled, the action fetches community - comments associated with the URL. Default is `true`. | - - | Only Suspicious Entity Insight | Boolean | No | If enabled, entity insights - will only be created for URLs that meet or exceed the specified risk threshold. - Default is `false`. | - - - ### Additional Notes - - - The action maps Pulsedive risk levels to numerical scores for comparison: `unknown` - (-1), `none` (0), `low` (1), `medium` (2), `high` (3), and `critical` (4). - - - Enrichment data is prefixed with `PD` in the entity's additional properties. - - - ### Flow Description - - 1. **Filter Entities:** Identifies all URL entities within the current context. - - 2. **Fetch Intelligence:** For each URL, queries the Pulsedive API to retrieve - indicator details, risk scores, and comments. - - 3. **Risk Evaluation:** Compares the retrieved risk level against the configured - `Threshold` parameter. - - 4. **Internal Mutation:** If the threshold is met, marks the entity as suspicious - (`is_suspicious = True`). - - 5. **Enrichment:** Updates the entity's additional properties with Pulsedive metadata - and sets the `is_enriched` flag. - - 6. **Reporting:** Adds a data table to the case wall for retrieved comments and - generates an entity insight based on the analysis results and user preferences. + ai_description: "### General Description\nThis action enriches URL entities by querying\ + \ the Pulsedive threat intelligence platform. It retrieves detailed indicator\ + \ information, including risk levels, risk factors, and associated comments. The\ + \ action evaluates the URL's risk against a user-defined threshold to determine\ + \ if it should be marked as suspicious within the SOAR platform. It updates the\ + \ entity's properties, generates insights, and provides a detailed data table\ + \ of comments for analyst review.\n\n### Flow Description\n1. **Initialization**:\ + \ The action extracts configuration parameters (API Root, API Key, SSL verification)\ + \ and action-specific parameters (Threshold, Retrieve Comments, etc.).\n2. **Filtering**:\ + \ It filters the target entities to process only those with the type `URL`.\n\ + 3. **Enrichment**: For each URL, it queries the Pulsedive API to retrieve indicator\ + \ data.\n4. **Risk Evaluation**: It compares the retrieved risk level against\ + \ the configured threshold. If the risk meets or exceeds the threshold, the entity\ + \ is marked as suspicious.\n5. **Data Update**: \n - Updates the entity's `additional_properties`\ + \ with the enrichment data.\n - Adds a data table containing comments to the\ + \ case wall if comments are retrieved.\n - Creates an entity insight summarizing\ + \ the risk and findings.\n6. **Finalization**: Updates the entities in the SOAR\ + \ platform and adds a JSON result containing the full enrichment details.\n\n\ + ### Parameters Description\n| Parameter | Type | Mandatory | Description |\n|\ + \ :--- | :--- | :--- | :--- |\n| Max Comments To Return | string | No | Specifies\ + \ the maximum number of comments to retrieve for the entity. Defaults to 50. |\n\ + | Threshold | ddl | Yes | The risk level threshold (verylow, low, medium, high,\ + \ critical) used to determine if an entity is marked as suspicious. |\n| Retrieve\ + \ Comments | boolean | No | If enabled, the action retrieves comments associated\ + \ with the entity. Defaults to true. |\n| Only Suspicious Entity Insight | boolean\ + \ | No | If enabled, the action only creates an insight if the entity is determined\ + \ to be suspicious. Defaults to false. |\n\n### Additional Notes\n- The action\ + \ requires a valid Pulsedive API key configured in the integration settings.\n\ + - The `Threshold` parameter is mandatory and dictates the sensitivity of the suspicious\ + \ status assignment." capabilities: can_create_case_comments: false can_create_insight: true @@ -181,10 +177,21 @@ Enrich URL: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity suspicious status, populates additional properties with enrichment - data, creates entity insights, and adds data tables to the case wall. + The action updates entity properties, adds entity insights, and adds data tables + to the case wall. + reasoning: >- + The action fetches data from the Pulsedive API (fetches_data=true). It does + not modify external systems (can_mutate_external_data=false). It performs internal + mutations by updating entity properties, adding insights, and adding data tables + to the case (can_mutate_internal_data=true). It updates entities and creates + insights, but does not modify alert data or create case comments. categories: enrichment: true + reasoning: >- + The action is designed to fetch threat intelligence data from an external source + (Pulsedive) to enrich entities. It does not mutate external systems. It performs + allowed internal mutations (updating entities, creating insights). Therefore, + it qualifies as an enrichment action. entity_usage: entity_types: - DestinationURL @@ -201,6 +208,9 @@ Enrich URL: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code explicitly filters `siemplify.target_entities` using `entity.entity_type + == EntityTypes.URL`. Therefore, it only processes URL entities. Get Threat Details: action_product_categories: add_alert_comment: false @@ -216,6 +226,10 @@ Get Threat Details: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves threat intelligence (risk, description, news, etc.) for + a specific threat, which aligns with the 'Enrich IOC' category. It does not + perform any other listed actions. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -230,66 +244,29 @@ Get Threat Details: update_email: false update_identity: false update_ticket: false - ai_description: >- - ### General Description - - The **Get Threat Details** action retrieves comprehensive threat intelligence - from Pulsedive using either a threat name or a specific threat ID. It provides - detailed context including risk levels, categories, wiki summaries, related news, - and user comments. This information helps analysts understand the nature and severity - of a specific threat actor or campaign. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **Threat Name** | String | No | The name of the threat to retrieve information - for (e.g., "Zeus"). | - - | **Threat ID** | String | No | The unique Pulsedive ID for the threat. | - - | **Retrieve Comments** | Boolean | No | If set to `True`, retrieves user comments - associated with the threat. Default is `True`. | - - | **Split Risk** | Boolean | No | If set to `True`, breaks down indicator counts - by risk level. Default is `True`. | - - | **Create Insight** | Boolean | No | If set to `True`, creates a detailed case - insight in Google SecOps. Default is `False`. | - - - ### Additional Notes - - - Either **Threat Name** or **Threat ID** should be provided for the action to - function correctly. - - - The action adds a data table to the case wall containing threat comments if - they are retrieved. - - - ### Flow Description - - 1. **Parameter Extraction:** The action retrieves the API configuration and user-provided - parameters (Threat Name, ID, and display options). - - 2. **Pulsedive Query:** It calls the Pulsedive API to fetch threat data based - on the provided identifier. - - 3. **Data Processing:** The action parses the response, extracting risk summaries, - wiki information, and news. - - 4. **Comment Retrieval:** If enabled, it fetches and formats user comments into - a CSV-style table. - - 5. **Internal Mutation:** - - Adds a data table to the case wall for comments. - - If **Create Insight** is enabled, it generates a formatted insight with - the threat's risk summary and news. - 6. **Output:** Returns the full threat data as a JSON object and completes the - action. + ai_description: "### General Description\nThis action retrieves detailed threat\ + \ intelligence from Pulsedive based on a provided Threat Name or Threat ID. It\ + \ fetches comprehensive data including risk summaries, news, and comments, and\ + \ provides options to visualize this information within the Google SecOps platform\ + \ via data tables and case insights.\n\n### Parameters\n| Parameter | Type | Mandatory\ + \ | Description |\n| :--- | :--- | :--- | :--- |\n| Threat Name | string | No\ + \ | The name of the threat to retrieve. Either this or 'Threat ID' must be provided.\ + \ |\n| Threat ID | string | No | The ID of the threat to retrieve. Either this\ + \ or 'Threat Name' must be provided. |\n| Retrieve Comments | boolean | No | Whether\ + \ to fetch and display comments associated with the threat. Defaults to true.\ + \ |\n| Split Risk | boolean | No | Whether to split indicator counts by risk level.\ + \ Defaults to true. |\n| Create Insight | boolean | No | Whether to create a case\ + \ insight containing the threat details. Defaults to false. |\n\n### Additional\ + \ Notes\nEither 'Threat Name' or 'Threat ID' must be provided for the action to\ + \ execute successfully. The action does not operate on entities; it uses these\ + \ parameters to query the Pulsedive API directly.\n\n### Flow Description\n1.\ + \ **Initialization**: Extracts configuration parameters (API Root, API Key, SSL\ + \ verification) and action parameters.\n2. **Data Retrieval**: Initializes the\ + \ PulsediveManager and queries the Pulsedive API using the provided Threat Name\ + \ or Threat ID.\n3. **Data Processing**: \n - If comments are retrieved, constructs\ + \ a data table and adds it to the case results.\n - If 'Create Insight' is\ + \ enabled, generates a case insight with the threat details.\n4. **Output**: Returns\ + \ the threat data as a JSON result and logs the execution status." capabilities: can_create_case_comments: false can_create_insight: true @@ -300,10 +277,19 @@ Get Threat Details: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Adds a data table for threat comments to the case wall and can create a case - insight with threat details. + Creates a case insight and adds a data table to the case results. + reasoning: >- + The action fetches threat intelligence data from the Pulsedive API (fetches_data=true). + It does not mutate any external systems. It performs internal mutations by creating + a case insight and adding a data table to the case results, which are permitted + internal mutations for enrichment actions. categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches threat intelligence data from an external source (Pulsedive) + and does not mutate external systems. It performs allowed internal mutations + (creating an insight and adding a data table). Thus, it qualifies as an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -319,6 +305,9 @@ Get Threat Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on entities. It uses direct input parameters ('Threat + Name' or 'Threat ID') to query the Pulsedive API. Ping: action_product_categories: add_alert_comment: false @@ -334,6 +323,9 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test and does not perform any of the defined operational + tasks like enrichment, containment, or ticketing. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -348,25 +340,16 @@ Ping: update_email: false update_identity: false update_ticket: false - ai_description: "### General Description\nThe **Ping** action is a diagnostic utility\ - \ designed to verify the connectivity between the Google SecOps platform and the\ - \ Pulsedive API. Its primary purpose is to ensure that the integration's configuration\ - \ parameters\u2014such as the API Root, API Key, and SSL verification settings\u2014\ - are valid and that the Pulsedive service is reachable over the network.\n\n###\ - \ Parameters Description\nThis action does not require any input parameters.\n\ - \n### Additional Notes\nThis action is typically used during the initial setup\ - \ of the Pulsedive integration or when troubleshooting communication failures.\ - \ It does not process any entities or modify any data within the SOAR or Pulsedive.\n\ - \n### Flow Description\n1. **Extract Configuration**: The action retrieves the\ - \ global integration settings, including the `API Root`, `API Key`, and `Verify\ - \ SSL` preference.\n2. **Initialize Manager**: It instantiates the `PulsediveManager`\ - \ using the extracted configuration.\n3. **Connectivity Test**: The manager executes\ - \ a GET request to the Pulsedive search endpoint (`/api/search.php`) to test the\ - \ API's responsiveness.\n4. **Response Validation**: The script validates the\ - \ HTTP response. If the status code indicates success, the action proceeds; otherwise,\ - \ it catches the exception.\n5. **Finalize Execution**: The action returns a success\ - \ message if the connection is established or a detailed error message if the\ - \ connection fails." + ai_description: >- + Tests connectivity to the Pulsedive server. This action verifies that the provided + API credentials and endpoint are valid by performing a test request to the Pulsedive + API. ### Flow 1. Extracts configuration parameters (API Root, API Key, Verify + SSL). 2. Initializes the PulsediveManager with the provided credentials. 3. Executes + a connectivity test against the Pulsedive API. 4. Returns the success or failure + status of the connection. ### Parameters | Parameter | Type | Mandatory | Description + | | --- | --- | --- | --- | | API Root | String | Yes | The base URL for the Pulsedive + API. | | API Key | String | Yes | The API key for authentication. | | Verify SSL + | Boolean | No | Whether to verify SSL certificates. Defaults to True. | capabilities: can_create_case_comments: false can_create_insight: false @@ -375,10 +358,17 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: false + fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity test by making a GET request to the Pulsedive + API. It does not modify external or internal systems, nor does it process entities. + It fetches data in the sense that it performs a network request to verify connectivity. categories: enrichment: false + reasoning: >- + The action is a connectivity test ('Ping'). Per the instructions, Ping actions + are explicitly excluded from being categorized as enrichment actions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -394,6 +384,8 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with entities. It is a global connectivity test. Scan Indicator: action_product_categories: add_alert_comment: false @@ -409,6 +401,10 @@ Scan Indicator: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves reputation, risk scores, and threat intelligence for indicators + from Pulsedive, which aligns with the 'Enrich IOC' category. It does not perform + any containment, ticket management, or alert modification actions. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -424,65 +420,62 @@ Scan Indicator: update_identity: false update_ticket: false ai_description: >- - Performs a security scan on indicators using Pulsedive to retrieve comprehensive - threat intelligence. This action is asynchronous and supports both Passive (metadata - lookup) and Active (direct probing) scan types. It evaluates the risk level of - each entity against a user-defined threshold, marking entities as suspicious if - they meet or exceed the limit. The action enriches entities with Pulsedive-specific - properties, generates detailed HTML insights, and creates data tables for community - comments. + ### General Description + Performs a scan on an indicator (e.g., IP, URL, Hash) using the Pulsedive platform + to retrieve threat intelligence, risk assessments, and associated comments. This + action automates the submission of indicators for analysis, polls for completion, + and enriches the entity within Google SecOps with the gathered intelligence. - ### Flow Description: - 1. **Submission**: The action iterates through all target entities and submits - them to Pulsedive for analysis based on the selected `Scan Type` (Passive or Active). + ### Flow Description + + 1. **Submission**: The action submits the target indicators to Pulsedive for analysis + using either a 'Passive' or 'Active' scan type. - 2. **Polling**: As an asynchronous action, it periodically checks the status of - the scan using the queue ID (QID) until the report is marked as 'done'. + 2. **Polling**: The action periodically checks the status of the scan reports + until they are completed. - 3. **Data Retrieval**: Once the scan is complete, the action fetches the full - report, including risk scores, risk factors, and community comments. + 3. **Retrieval**: Once completed, it fetches the detailed scan data, including + risk scores, risk factors, and comments. - 4. **Risk Evaluation**: The retrieved risk level is compared against the user-provided - `Threshold`. If the risk is equal to or higher than the threshold, the entity's - suspicious status is updated in the SOAR. + 4. **Enrichment**: It updates the entity's `additional_properties` with the retrieved + data, marks the entity as suspicious if it meets the configured risk threshold, + and generates an entity insight. - 5. **Enrichment & Insights**: The action updates the entity's additional properties - with Pulsedive metadata, creates an HTML insight for the analyst, and adds a data - table containing community comments to the case wall. + 5. **Reporting**: It adds a data table containing comments to the case and returns + a JSON result containing the full scan details. - ### Parameters Description: + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Only Suspicious Entity Insight | Boolean | No | If enabled, insights will only - be created for entities that meet or exceed the risk threshold. Default is false. - | + | **Scan Type** | ddl | Yes | Determines the scan method: 'Passive' (no direct + reach-out) or 'Active' (more noisy). | - | Scan Type | DDL | Yes | Choose between 'Passive' (fetch existing data without - direct contact) or 'Active' (perform a live, more intrusive scan). | + | **Threshold** | ddl | Yes | The risk level (verylow, low, medium, high, critical) + at which an entity is marked as suspicious. | - | Max Comments To Return | String | No | The maximum number of community comments - to retrieve for the indicator. Default is 50. | + | **Only Suspicious Entity Insight** | boolean | No | If enabled, creates insights + only for entities identified as suspicious. | - | Threshold | DDL | Yes | The risk level (verylow, low, medium, high, critical) - required to mark an entity as suspicious. | + | **Retrieve Comments** | boolean | No | If enabled, fetches and includes comments + associated with the indicator. | - | Retrieve Comments | Boolean | No | If enabled, community comments from Pulsedive - will be retrieved and displayed in a data table. Default is true. | + | **Max Comments To Return** | string | No | Specifies the maximum number of comments + to retrieve. | - ### Additional Notes: + ### Additional Notes - - The action uses the `OriginalIdentifier` property of the entity if available, - otherwise it uses the standard identifier. + - This action is designed for indicator enrichment and does not perform any external + blocking or containment operations. - - Risk scores are mapped internally to numerical values (0-4) to facilitate threshold - comparison. + - The action supports asynchronous execution, allowing it to wait for scan results + without blocking the entire workflow. capabilities: can_create_case_comments: false can_create_insight: true @@ -493,10 +486,22 @@ Scan Indicator: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity suspicious status, adds enrichment properties to entities, and - creates entity insights and data tables within the SOAR case. + The action updates entity properties, adds entity insights, and adds data tables + to the case. + reasoning: >- + The action fetches threat intelligence data from Pulsedive (fetches_data=true). + It does not perform any external mutations (can_mutate_external_data=false). + It performs internal mutations by updating entity properties, adding insights, + and adding data tables to the case (can_mutate_internal_data=true). It updates + entities and creates insights, but does not modify alert data or create case + comments. categories: enrichment: true + reasoning: >- + The action fetches data from an external source (Pulsedive) to enrich entities. + It does not mutate external systems. It performs allowed internal mutations + (updating entities, creating insights). Therefore, it qualifies as an enrichment + action. entity_usage: entity_types: - ADDRESS @@ -547,3 +552,6 @@ Scan Indicator: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` without applying any type-based + filtering. Therefore, it is considered to run on all supported entity types. diff --git a/content/response_integrations/third_party/community/pulsedive/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/pulsedive/resources/ai/integration_ai_description.yaml index 2e831240c..06be9bae8 100644 --- a/content/response_integrations/third_party/community/pulsedive/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/community/pulsedive/resources/ai/integration_ai_description.yaml @@ -7,6 +7,14 @@ product_categories: iam_and_identity_management: false itsm: false network_security: false + reasoning: >- + The Pulsedive integration is a dedicated Threat Intelligence platform. Its primary + actions, such as 'Enrich IP', 'Enrich URL', 'Get Threat Details', and 'Scan Indicator', + are designed to retrieve reputation, risk scores, and threat intelligence data + for various indicators (IPs, URLs, Hashes). It does not perform log analysis (SIEM), + host containment (EDR), network blocking (Network Security), identity management + (IAM), or ticket management (ITSM). Consequently, it aligns exclusively with the + 'Threat Intelligence' category. siem: false threat_intelligence: true vulnerability_management: false diff --git a/content/response_integrations/third_party/community/sample_integration/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/sample_integration/resources/ai/actions_ai_description.yaml index af057d215..bf899194b 100644 --- a/content/response_integrations/third_party/community/sample_integration/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/sample_integration/resources/ai/actions_ai_description.yaml @@ -13,6 +13,10 @@ Async Action Example: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is an orchestration/workflow action that monitors case tags. It does + not match any of the provided product categories (e.g., it does not enrich IOCs, + update tickets, or contain hosts). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -27,21 +31,29 @@ Async Action Example: update_email: false update_identity: false update_ticket: false - ai_description: >- - This is an asynchronous action that monitors specified cases until they are assigned - a particular tag. It is designed to pause execution flow until the required condition - (a specific tag on a case) is met. Parameters: Case IDs (string, optional): A - comma-separated list of case IDs to monitor. If not provided, the action defaults - to the current case ID. Case Tag To Wait For (string, mandatory): The specific - tag the action is waiting to see on the cases. Flow: 1. Extracts the Case IDs - and Case Tag To Wait For parameters. 2. On the first run, it retrieves the details - for each specified case. 3. It checks if the cases have the required tag. 4. If - cases are missing the tag, it enters a waiting state (IN_PROGRESS) and stores - the state of processed/waiting cases. 5. On subsequent runs, it re-checks the - cases that were previously missing the tag. 6. Once all specified cases have the - required tag, the action completes successfully. Additional Notes: This is an - asynchronous action. It will continue to run until the timeout is reached or all - specified cases have the required tag. + ai_description: "This is an asynchronous action that monitors specific Google SecOps\ + \ cases until they are assigned a designated tag. It is designed to pause execution\ + \ and wait for a specific condition (a case tag) to be met on one or more cases.\n\ + \n### Flow Description\n1. **Parameter Extraction**: The action extracts the `Case\ + \ IDs` (a comma-separated list of cases to monitor) and the `Case Tag To Wait\ + \ For` (the tag to look for). If no `Case IDs` are provided, it defaults to the\ + \ current case ID.\n2. **Case Data Retrieval**: In each iteration, the action\ + \ fetches the details of the specified cases using the `get_case_overview_details`\ + \ function.\n3. **Tag Verification**: It checks if the specified tag exists in\ + \ the tags list of each case.\n4. **Status Management**: \n - If a case has\ + \ the required tag, it is marked as \"done\".\n - If not all cases have the\ + \ tag, the action sets its execution state to `IN_PROGRESS` and stores the progress\ + \ (which cases are done and which are still waiting) in the `additional_data`\ + \ parameter for the next iteration.\n5. **Completion**: Once all specified cases\ + \ have the required tag, the action completes successfully.\n\n### Parameters\n\ + | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ + | `Case IDs` | string | No | A comma-separated list of case IDs to monitor. If\ + \ not provided, the action defaults to the current case ID. |\n| `Case Tag To\ + \ Wait For` | string | Yes | The specific case tag that the action will wait for.\ + \ |\n\n### Additional Notes\nThis action is asynchronous and will continue to\ + \ run in iterations until all specified cases have the required tag or the action\ + \ reaches its timeout limit. It does not perform any external mutations or modifications\ + \ to the cases themselves." capabilities: can_create_case_comments: false can_create_insight: false @@ -52,8 +64,17 @@ Async Action Example: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches case details from the internal SOAR platform to check for + the presence of a specific tag. It does not mutate any external systems, nor + does it modify any internal SOAR data (like case tags or status). It does not + update entities, create insights, or add comments. categories: enrichment: false + reasoning: >- + The action is an orchestration/workflow action designed to wait for a specific + condition. It does not enrich entities or alerts with external data, nor does + it meet the criteria for an enrichment action as defined in the guidelines. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -69,6 +90,9 @@ Async Action Example: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action operates on case IDs provided as parameters or the current case ID. + It does not iterate over `target_entities` or use any entity-specific logic. Enrich Entity Action Example: action_product_categories: add_alert_comment: false @@ -84,6 +108,11 @@ Enrich Entity Action Example: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action does not fetch data from an external source, which is a requirement + for the 'Enrich IOC' or 'Enrich Asset' categories. It only adds static metadata + to the entity within the SOAR platform. Therefore, it does not match any of + the defined product categories. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -101,36 +130,32 @@ Enrich Entity Action Example: ai_description: >- ### General Description - This action demonstrates how to enrich entities within Google SecOps. It processes - entities based on the selected "Entity Type" parameter and adds enrichment data - (timestamp and status) to the entity. This action is a sample implementation and - does not perform actual external API calls. + Enriches entities by adding a static 'enriched' flag and a timestamp to the entity's + data within the SOAR platform. This action allows users to select specific entity + types (IP, Hash, User) or all entities to process. ### Parameters Description | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + | --- | --- | --- | --- | - | Entity Type | ddl | Yes | Defines the category of entities to process. Options: - "All Entities", "IP", "Hash", "User". | + | Entity Type | DDL | Yes | Defines what entities from the scope of the alert + should be processed. Options: All Entities, IP, Hash, User. | ### Flow Description - 1. Extract the "Entity Type" parameter. + 1. Extract the 'Entity Type' parameter. - 2. Validate the parameter against supported entity types. + 2. Validate the parameter. - 3. Iterate through the target entities that match the selected type. + 3. Iterate through the target entities matching the selected type. - 4. For each entity, generate enrichment data (a dictionary with a timestamp). + 4. Generate a static enrichment dictionary. - 5. Update the entity with the enrichment data and add a data table to the action - results. - - 6. Finalize the action with a success message listing the enriched entities. + 5. Update the entity with this data and add a data table. capabilities: can_create_case_comments: false can_create_insight: false @@ -141,45 +166,25 @@ Enrich Entity Action Example: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Updates entity fields with enrichment data. + Updates entity data with enrichment fields and adds a data table to the SOAR + case. + reasoning: >- + The action does not perform any external API calls (fetches_data=false). It + updates entity data internally by adding a static enrichment flag and a data + table to the SOAR case (can_mutate_internal_data=true, can_update_entities=true). + It does not mutate external systems, modify alert data, or create case comments. categories: enrichment: false + reasoning: >- + The action does not fetch data from an external source, which is a requirement + for the 'Enrichment' category. It only adds static metadata to the entity within + the SOAR platform. entity_usage: entity_types: - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress + - CHILDHASH - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false @@ -194,6 +199,11 @@ Enrich Entity Action Example: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over `siemplify.target_entities` and filters them based + on the 'Entity Type' parameter provided by the user. The supported entity types + are mapped from the 'Entity Type' DDL parameter, which includes IP (ADDRESS), + Hash (FILEHASH, CHILDHASH, PARENTHASH), and User (USERUNIQNAME). Ping: action_product_categories: add_alert_comment: false @@ -209,6 +219,9 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test (Ping). It does not perform any of the defined + product category operations (e.g., enrichment, containment, ticketing). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -224,17 +237,39 @@ Ping: update_identity: false update_ticket: false ai_description: >- - ### General Description\nTests connectivity to the API Service. This action verifies - that the integration can successfully communicate with the configured API endpoint - using the provided credentials.\n\n### Flow Description\n1. The action initializes - the API client using the provided configuration parameters (API Root, Password, - Verify SSL).\n2. It performs a connectivity test by sending a request to the API - service.\n3. Based on the response, it returns a success or failure message.\n\n### - Parameters Description\n| Parameter | Type | Mandatory | Description |\n| :--- - | :--- | :--- | :--- |\n| API Root | String | Yes | The base URL of the API service. - |\n| Password Field | String | No | The password for authentication. |\n| Verify - SSL | Boolean | Yes | Whether to verify SSL certificates. |\n\n### Additional - Notes\nThere are no additional notes. + Tests connectivity to the configured API Service. This action verifies that the + integration can successfully communicate with the external service using the provided + authentication parameters. + + + ### Parameters + + | Parameter | Type | Mandatory | Description | + + | --- | --- | --- | --- | + + | API Root | String | Yes | The base URL of the API service to test connectivity + against. | + + | Password Field | String | No | The password or API key used for authentication. + | + + | Verify SSL | Boolean | Yes | Whether to verify the SSL certificate of the API + service. | + + + ### Flow Description + + 1. The action initializes the API client using the provided configuration parameters + (API Root, Password, Verify SSL). + + 2. It establishes an authenticated session with the API service. + + 3. The action calls the `test_connectivity` method on the API client to verify + the connection. + + 4. If the connection is successful, it returns a success message; otherwise, it + returns an error message. capabilities: can_create_case_comments: false can_create_insight: false @@ -243,10 +278,16 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity test (`test_connectivity`) to the API service. + It does not fetch data, mutate external systems, or modify internal SOAR data. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action used for connectivity testing. Per instructions, + Ping actions are not enrichment actions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -262,6 +303,9 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with entities; it performs a global connectivity + test. Simple Action Example: action_product_categories: add_alert_comment: false @@ -277,6 +321,11 @@ Simple Action Example: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves historical exchange rate data based on user-defined parameters. + This matches the 'Search Events' category, which involves returning historical + logs or telemetry data. It does not match other categories like 'Enrich IOC' + or 'Enrich Asset' as it does not provide reputation or asset metadata. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -292,18 +341,66 @@ Simple Action Example: update_identity: false update_ticket: false ai_description: >- - ### General Description: This action fetches currency exchange rates from the - api.vatcomply.com service based on the provided parameters. ### Parameters: | - Parameter | Type | Mandatory | Description | | --- | --- | --- | --- | | Currencies - String | string | No | Comma-separated list of currencies. | | Currencies DDL - | ddl | No | Select a currency from a list. | | Time Frame | ddl | No | Time range - (Today, Last 7 Days, Custom). | | Start Time | string | No | Start date (ISO 8601). - | | End Time | string | No | End date (ISO 8601). | | Return JSON Result | boolean - | Yes | Whether to return the result as JSON. | ### Flow Description: 1. Extract - and validate parameters. 2. Fetch exchange rate data from the external API. 3. - Create data tables and links for the results. 4. Attach the JSON results to the - current case. ### Additional Notes: This action does not work with Google SecOps - entities. + ### General Description + + This action fetches historical exchange rate data from the `api.vatcomply.com` + service based on user-provided currencies and time frames. It processes the requested + data, generates data tables and links for the case, and saves the results as a + JSON attachment to the current case. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Currencies String | string | No | A comma-separated list of currencies to process. + | + + | Currencies DDL | ddl | No | A dropdown selection for a currency. Either this + or 'Currencies String' must be provided. | + + | Time Frame | ddl | No | The time range for the results (Today, Last 7 Days, + Custom). | + + | Start Time | string | No | The start date in ISO 8601 format. Mandatory if 'Time + Frame' is set to 'Custom'. | + + | End Time | string | No | The end date in ISO 8601 format. If not provided when + 'Time Frame' is 'Custom', it defaults to the current time. | + + | Return JSON Result | boolean | Yes | If enabled, the action returns the results + as a JSON object. | + + + ### Additional Notes + + - If 'Time Frame' is set to 'Custom', 'Start Time' is mandatory. The delta between + 'Start Time' and 'End Time' cannot exceed 7 days; if it does, the action automatically + adjusts the 'End Time' to be exactly 7 days after the 'Start Time'. + + - At least one of 'Currencies String' or 'Currencies DDL' must be provided. + + + ### Flow Description + + 1. **Extraction**: Extracts all action parameters from the configuration. + + 2. **Validation**: Validates the currency and time frame parameters, ensuring + required fields are present and constraints (like the 7-day limit) are met. + + 3. **Data Retrieval**: Calls the `api_client.get_rates` method to fetch exchange + rate data from the external API. + + 4. **Processing**: Creates data tables and links based on the retrieved exchange + rates. + + 5. **Attachment**: Saves the JSON results as a file and adds it as an attachment + to the current case. + + 6. **Completion**: Returns a success message summarizing the processed currencies + and the time range. capabilities: can_create_case_comments: false can_create_insight: false @@ -314,9 +411,17 @@ Simple Action Example: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Adds the retrieved exchange rate data as a JSON attachment to the current case. + Adds a JSON file as an attachment to the current case. + reasoning: >- + The action fetches data from an external API (api.vatcomply.com). It does not + mutate external data. It mutates internal data by adding an attachment to the + case. It does not update entities, create insights, or modify alert data. categories: enrichment: false + reasoning: >- + The action fetches data, but it performs an internal mutation (adding an attachment) + that is not in the allowed list for enrichment actions (Add Case Comments, Create + Case Insights, Update Entity fields). Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -332,3 +437,6 @@ Simple Action Example: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not reference `target_entities` or perform any operations on entities. + Therefore, it does not run on any entity types. diff --git a/content/response_integrations/third_party/community/sample_integration/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/sample_integration/resources/ai/connectors_ai_description.yaml index 71aa17aeb..a14c25576 100644 --- a/content/response_integrations/third_party/community/sample_integration/resources/ai/connectors_ai_description.yaml +++ b/content/response_integrations/third_party/community/sample_integration/resources/ai/connectors_ai_description.yaml @@ -3,9 +3,10 @@ ### General Description This connector integrates with the `api.vatcomply.com` service to fetch currency - exchange rates and ingest them as alerts into Google SecOps. It provides flexible - configuration for how rates are processed, allowing users to create individual - alerts per currency or combined alerts, and supports filtering via dynamic lists. + exchange rates. It processes these rates and creates alerts within Google SecOps, + allowing users to monitor financial data or exchange rate fluctuations as security + events. The connector supports flexible configuration for filtering, alert creation, + and proxy settings. ### Parameters Description @@ -25,12 +26,12 @@ | Environment Regex Pattern | String | No | Regex pattern to manipulate the environment field value. | - | PythonProcessTimeout | String | Yes | Timeout limit (in seconds) for the python - process. | + | PythonProcessTimeout | String | Yes | Timeout limit (in seconds) for the script. + | - | API Root | String | Yes | API Root for the integration service. | + | API Root | String | Yes | API Root URL for the service. | - | Password Field | Password | No | API password field (showcase purpose). | + | Password Field | Password | No | API password (for showcase). | | Currencies To Fetch | String | No | Comma-separated list of currencies to fetch. | @@ -38,17 +39,15 @@ | Create Alert Per Exchange Rate | Boolean | No | If enabled, creates a separate alert per exchange rate. | - | Alert Severity | String | No | Severity level (Critical, High, Medium, Low, - Informational). | + | Alert Severity | String | No | Severity level for created alerts. | - | Add Attachment | Boolean | No | If enabled, adds a JSON object attachment to - the alert. | + | Add Attachment | Boolean | No | If enabled, attaches JSON data to the alert. + | - | Max Days Backwards | Integer | Yes | Amount of days to fetch alerts from (Max: - 30). | + | Max Days Backwards | Integer | Yes | Number of days to fetch alerts from. | - | Max Alerts To Fetch | String | Yes | Number of alerts/dates to process per iteration. - | + | Max Alerts To Fetch | String | Yes | Maximum number of alerts to process per + iteration. | | Use dynamic list as blocklist | Boolean | Yes | If enabled, uses the dynamic list as a blocklist. | @@ -67,23 +66,17 @@ ### Flow Description - 1. **Initialization**: The connector initializes the API client using the provided - API root, SSL settings, and authentication parameters. - - 2. **Context Retrieval**: It reads existing alert IDs from the SOAR platform to - ensure only new data is processed. + 1. Initializes the API client using the provided API Root and authentication parameters. - 3. **Data Fetching**: It queries `api.vatcomply.com` for exchange rates for the - configured currencies, starting from the last successful execution time. + 2. Reads existing alert IDs from the SOAR context to prevent duplicate processing. - 4. **Alert Creation**: It maps the retrieved exchange rates into `AlertInfo` objects. - Depending on the configuration, it creates either a single alert per currency - or a combined alert containing all rates. + 3. Fetches exchange rate data from `api.vatcomply.com` for the configured currencies. - 5. **Filtering**: It filters the generated alerts against the SOAR whitelist/blocklist - (using the dynamic list) and checks for overflow conditions. + 4. Transforms the fetched data into `AlertInfo` objects, optionally creating separate + alerts for each currency or a combined alert. - 6. **Ingestion**: Valid alerts are ingested into Google SecOps. + 5. Filters alerts based on the whitelist/blocklist configuration and checks for + overflow. - 7. **State Management**: The connector updates the last success time and saves - the processed alert IDs to the context for future iterations. + 6. Stores the processed alert IDs in the SOAR context and updates the last success + time. diff --git a/content/response_integrations/third_party/community/sample_integration/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/sample_integration/resources/ai/integration_ai_description.yaml index 0801c7556..481f89952 100644 --- a/content/response_integrations/third_party/community/sample_integration/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/community/sample_integration/resources/ai/integration_ai_description.yaml @@ -5,8 +5,16 @@ product_categories: edr: false email_security: false iam_and_identity_management: false - itsm: false + itsm: true network_security: false - siem: false + reasoning: >- + The integration includes a connector that ingests external data (exchange rates) + and creates alerts in Google SecOps, which aligns with the SIEM category's pattern + of data ingestion and alert creation. The integration also includes a job that + manages case lifecycle (closing cases and adding comments), which aligns with + the ITSM category's pattern of documenting investigations and managing ticket/case + states. Other categories are not applicable as the integration does not perform + security-specific functions like EDR, Network Security, or Threat Intelligence. + siem: true threat_intelligence: false vulnerability_management: false diff --git a/content/response_integrations/third_party/community/sample_integration/resources/ai/jobs_ai_description.yaml b/content/response_integrations/third_party/community/sample_integration/resources/ai/jobs_ai_description.yaml index 3ad07d047..f2d4c441d 100644 --- a/content/response_integrations/third_party/community/sample_integration/resources/ai/jobs_ai_description.yaml +++ b/content/response_integrations/third_party/community/sample_integration/resources/ai/jobs_ai_description.yaml @@ -2,10 +2,11 @@ Simple Job Example: ai_description: >- ### General Description - This job automates case management and enrichment by monitoring open cases for - specific tags. It performs two primary functions: closing cases tagged as "Closed" - and enriching cases tagged as "Currency" with current exchange rate data retrieved - from an external API. + This job automates case management tasks in Google SecOps based on specific case + tags. It performs two primary functions: closing cases tagged as "Closed" and + enriching cases tagged as "Currency" by adding the latest exchange rate as a comment. + The job maintains a persistent context to track processed cases and prevent duplicate + comments within the same day. ### Parameters Description @@ -14,27 +15,27 @@ Simple Job Example: | :--- | :--- | :--- | :--- | - | API Root | String | Yes | The base URL for the external API service. | + | API Root | String | Yes | The base URL for the API service. | - | Password Field | Password | No | API password field for authentication purposes. - | + | Password Field | Password | No | An example field for API authentication. | - | Verify SSL | Boolean | Yes | Whether to validate SSL certificates when connecting - to the API. | + | Verify SSL | Boolean | Yes | If enabled, validates the SSL certificate when + connecting to the API. | ### Flow Description 1. Initializes the API client using the provided configuration parameters. - 2. Loads the job context to track processed cases and the current date. + 2. Loads the job context to retrieve the state of previously processed cases and + the current date. - 3. Queries SOAR for open cases tagged with either "Closed" or "Currency". + 3. Queries Google SecOps for open cases tagged with either "Closed" or "Currency". 4. Iterates through the retrieved cases: - * If a case is tagged "Closed", it closes the case in SOAR. - * If a case is tagged "Currency" and has not been commented on today, it fetches - the EUR exchange rate from the external API and adds a comment to the case. - 5. Updates the job context with the IDs of cases that received a comment. - - 6. Saves the updated context to ensure state persistence across job runs. + * If the case is tagged "Closed", it closes the case in Google SecOps. + * If the case is tagged "Currency" and has not been commented on today, it + fetches the current exchange rate from the API and adds it as a comment to the + case. + 5. Updates the job context with the IDs of newly commented cases and saves the + context for future runs. diff --git a/content/response_integrations/third_party/community/send_grid/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/send_grid/resources/ai/actions_ai_description.yaml index 541c9d9de..0d8e04136 100644 --- a/content/response_integrations/third_party/community/send_grid/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/send_grid/resources/ai/actions_ai_description.yaml @@ -13,6 +13,10 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + This action is a connectivity test ('Ping'). It does not perform any of the + listed operational tasks such as enrichment, containment, ticket management, + or alert modification. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -27,26 +31,27 @@ Ping: update_email: false update_identity: false update_ticket: false - ai_description: "### General Description\nThe **Ping** action is a diagnostic tool\ - \ designed to verify the connectivity between Google SecOps and the SendGrid service.\ - \ It validates the provided API Token by checking its permissions against the\ - \ SendGrid API. Specifically, it ensures that the token has the necessary authorization\ - \ to send emails, which is a prerequisite for other SendGrid actions.\n\n### Parameters\ - \ Description\nThere are no input parameters for this action. It relies entirely\ - \ on the integration's global configuration (specifically the **API Token**).\n\ - \n### Additional Notes\n* This action is primarily used during the initial setup\ - \ or troubleshooting of the SendGrid integration to ensure the API key is valid\ - \ and has the correct scopes.\n* The action specifically looks for the `mail.send`\ - \ scope in the API response.\n\n### Flow Description\n1. **Configuration Retrieval**:\ - \ The action retrieves the `API Token` from the SendGrid integration settings.\n\ - 2. **API Request**: It initiates an HTTPS GET request to the SendGrid endpoint\ - \ `/v3/scopes` using the provided token for authentication.\n3. **Response Parsing**:\ - \ The action parses the JSON response from SendGrid to extract the list of authorized\ - \ scopes.\n4. **Permission Validation**: It uses a regular expression to search\ - \ for the `mail.send` permission within the retrieved scopes.\n5. **Result Finalization**:\ - \ \n * If the `mail.send` scope is found, the action returns a success message\ - \ and a `True` result value.\n * If the scope is missing or the connection\ - \ fails, it returns an error message and a `False` result value." + ai_description: >- + General description: This action tests the connectivity to the SendGrid API by + verifying the provided API token's permissions. This ensures that the integration + is correctly configured and authorized to perform operations. + + + Parameters description: There are no parameters for this action. + + + Flow description: + + 1. Retrieve the API token from the SendGrid integration configuration. + + 2. Establish an HTTPS connection to the SendGrid API endpoint (api.sendgrid.com). + + 3. Perform a GET request to the /v3/scopes endpoint to verify the token's permissions. + + 4. Parse the response to check for the mail.send scope. + + 5. Return a success status if the connection is established and the required scope + is present, or an error message otherwise. capabilities: can_create_case_comments: false can_create_insight: false @@ -57,8 +62,16 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to verify connectivity and permissions. It + does not modify external systems, update entities, or create insights. While + it fetches data (scopes), it is a connectivity test and not an enrichment action. categories: enrichment: false + reasoning: >- + The action is named 'Ping'. According to the provided instructions, actions + named 'Ping' must not be categorized as enrichment actions, regardless of whether + they fetch data. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -74,6 +87,9 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not reference target_entities or perform any operations on entities. + It is a standalone connectivity test. Send Email: action_product_categories: add_alert_comment: false @@ -89,6 +105,9 @@ Send Email: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action sends an email using the SendGrid API, which directly matches the + 'Send Email' category. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -103,29 +122,49 @@ Send Email: update_email: false update_identity: false update_ticket: false - ai_description: "### General Description\nThis action sends an email message through\ - \ the SendGrid API. It is primarily used for automated notifications, reporting,\ - \ or communication within a security orchestration workflow. The action allows\ - \ for full customization of the sender, recipient, subject, and HTML content.\n\ - \n### Parameters Description\n| Parameter | Type | Mandatory | Description |\n\ - | :--- | :--- | :--- | :--- |\n| Email From | string | Yes | The email address\ - \ that will appear as the sender. |\n| Email To | string | Yes | The recipient's\ - \ email address. |\n| Subject | string | Yes | The subject line of the email.\ - \ |\n| Content | email_content | Yes | The HTML body content of the email. Supports\ - \ dynamic placeholders and HTML formatting. |\n| Return Message Status | boolean\ - \ | No | If set to `true`, the action will return the SendGrid API response status\ - \ code and recipient details in the execution results. Default is `false`. |\n\ - \n### Additional Notes\nThis action does not process entities from the SecOps\ - \ environment; it relies entirely on the provided input parameters to define the\ - \ email's destination and content.\n\n### Flow Description\n1. **Initialization**:\ - \ The action loads the SendGrid API token from the integration configuration and\ - \ retrieves the email parameters (From, To, Subject, Content).\n2. **Message Construction**:\ - \ A SendGrid Mail object is created using the provided sender, recipient, subject,\ - \ and HTML content.\n3. **API Interaction**: The action initializes the SendGrid\ - \ API client and attempts to send the message.\n4. **Result Handling**: \n \ - \ * If successful, it logs the success.\n * If `Return Message Status` is enabled,\ - \ it captures the API status code and metadata into a JSON result.\n * If the\ - \ API call fails, an error is logged and the action returns a failure status." + ai_description: >- + ### General Description + + Sends an email message using the SendGrid API. This action allows users to dispatch + notifications or reports to specified recipients. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Return Message Status | boolean | No | If set to true, the action saves the + response status code and recipient list as a JSON result. | + + | Subject | string | Yes | The subject line of the email. | + + | Email To | string | Yes | The recipient's email address. | + + | Email From | string | Yes | The sender's email address. | + + | Content | email_content | Yes | The HTML content of the email. | + + + ### Additional Notes + + This action does not require any entities to run. + + + ### Flow Description + + 1. Initializes the SendGrid API client using the configured API token. + + 2. Constructs the email message using the provided sender, recipient, subject, + and content. + + 3. Sends the email via the SendGrid API. + + 4. If 'Return Message Status' is enabled, saves the response status code and recipient + information as a JSON result in the action output. + + 5. Logs the operation status and returns the execution result. capabilities: can_create_case_comments: false can_create_insight: false @@ -133,13 +172,18 @@ Send Email: can_mutate_external_data: true can_mutate_internal_data: false can_update_entities: false - external_data_mutation_explanation: >- - Sends an outbound email message through the SendGrid service to the specified - recipient. + external_data_mutation_explanation: Sends an email via the SendGrid API. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action sends an email via the SendGrid API, which is an external system + mutation. It does not fetch data, update entities, or create insights. categories: enrichment: false + reasoning: >- + The action is not an enrichment action as it does not fetch data from an external + source to enrich entities or alerts. It is an action that performs an external + operation (sending an email). entity_usage: entity_types: [] filters_by_additional_properties: false @@ -155,3 +199,6 @@ Send Email: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use or process any entities. It operates independently of + the entity list. diff --git a/content/response_integrations/third_party/community/send_grid/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/send_grid/resources/ai/integration_ai_description.yaml index a4b23e02c..860df3c72 100644 --- a/content/response_integrations/third_party/community/send_grid/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/community/send_grid/resources/ai/integration_ai_description.yaml @@ -7,6 +7,14 @@ product_categories: iam_and_identity_management: false itsm: false network_security: false + reasoning: >- + The SendGrid integration provides capabilities to send emails via an API. It does + not perform defensive email security operations such as searching or deleting + emails in inboxes, so it does not fit the 'Email Security' category. It also does + not perform SIEM, EDR, Network Security, Threat Intelligence, IAM, Cloud Security, + ITSM, Vulnerability Management, or Asset Inventory functions. However, it is used + to send notifications to stakeholders regarding alerts or critical findings, which + aligns with the 'Collaboration' category's purpose of notifying stakeholders. siem: false threat_intelligence: false vulnerability_management: false diff --git a/content/response_integrations/third_party/community/signal_sciences/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/signal_sciences/resources/ai/actions_ai_description.yaml index d4a948b34..01c44962b 100644 --- a/content/response_integrations/third_party/community/signal_sciences/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/signal_sciences/resources/ai/actions_ai_description.yaml @@ -13,6 +13,9 @@ Add IP to Allow List: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action adds an IP address to an allow list in an external security product + (Signal Sciences). This directly matches the 'Add IOC To Allowlist' category. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -30,11 +33,11 @@ Add IP to Allow List: ai_description: >- ### General Description - Adds IP addresses to the Signal Sciences allow list for a specific site. This - action allows users to provide IP addresses either through a comma-separated parameter - or by automatically processing IP entities present in the current SecOps case. - It validates the IP format and checks for existing entries to avoid duplicates - before performing the update. + This action adds one or more IP addresses to the Allow List for a specific site + within the Signal Sciences platform. It ensures that traffic from these IP addresses + is permitted by updating the site's security configuration. The action supports + both manual input of IP addresses and the processing of IP entities attached to + the case. ### Parameters Description @@ -43,47 +46,50 @@ Add IP to Allow List: | :--- | :--- | :--- | :--- | - | Site Name | String | Yes | The API name of the site as defined in the Signal + | Site Name | string | Yes | The API name of the site as defined in the Signal Sciences dashboard. | - | IP Address | String | No | A comma-separated list of IP addresses to add. If - provided, these are processed in addition to any IP entities found in the case. - | + | IP Address | string | No | A comma-separated list of IP addresses to add to + the Signal Sciences allow list. If not provided, the action will attempt to process + IP entities from the case. | - | Note | String | Yes | The descriptive note or justification associated with - the allowed IP address. This is required by the Signal Sciences API. | + | Note | string | Yes | A descriptive note or justification for adding the IP + address to the allow list. This is required by the Signal Sciences API. | ### Additional Notes - - The action will skip IP addresses that are already present in the site's allow - list. + - The action will attempt to process IP addresses provided in the 'IP Address' + parameter. If no IPs are provided via the parameter, it will fall back to processing + any 'ADDRESS' type entities associated with the current case. - - Both IPv4 and IPv6 addresses are supported and validated before processing. + - The action validates that the provided strings are valid IPv4 or IPv6 addresses + before attempting to add them. - - If no IPs are provided via parameters and no IP entities are found in the case, - the action will terminate with a message. + - If an IP address already exists in the allow list for the specified site, the + action will skip the addition for that IP. ### Flow Description - 1. **Parameter Extraction**: Retrieves the 'Site Name', 'IP Address' list, and - 'Note' from the action configuration. + 1. **Extraction**: The action extracts the 'Site Name', 'IP Address', and 'Note' + parameters. - 2. **Entity Collection**: Identifies target IP addresses from the 'IP Address' - parameter and filters the case's target entities for those of type ADDRESS. + 2. **Collection**: It collects target IP addresses from the 'IP Address' parameter + and any 'ADDRESS' entities found in the case. - 3. **Deduplication and Validation**: Combines all identified IPs, removes duplicates, - and validates that each string is a valid IP address. + 3. **Validation**: Each collected IP is validated to ensure it is a correct IP + format. - 4. **Pre-check**: Fetches the current allow list for the specified site from Signal - Sciences to identify IPs that are already allowed. + 4. **Check Existing**: The action fetches the current allow list for the specified + site to avoid duplicate entries. - 5. **External Mutation**: For each valid IP not already on the list, sends a PUT - request to the Signal Sciences API to add the IP with the provided note. + 5. **Execution**: For each unique, valid IP not already in the allow list, the + action sends a PUT request to the Signal Sciences API to add the IP with the provided + note. - 6. **Finalization**: Aggregates the results, providing a summary of successfully - added IPs and any that failed or were skipped. + 6. **Reporting**: The action constructs a result summary detailing which IPs were + successfully added and which failed. capabilities: can_create_case_comments: false can_create_insight: false @@ -92,12 +98,21 @@ Add IP to Allow List: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Adds specified IP addresses to the Signal Sciences allow list for a specific - site using a PUT request. + Adds the specified IP address to the allow list configuration for a specific + site in the Signal Sciences platform. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a PUT request to the Signal Sciences API to add an IP address + to an allow list, which constitutes an external data mutation. It fetches existing + allow list data to check for duplicates, but does not modify internal SOAR case + data (entities, insights, etc.). categories: enrichment: false + reasoning: >- + The action mutates external data (adds an IP to an allow list), which violates + the 'External State Preservation' rule for enrichment actions. Therefore, it + is not an enrichment action. entity_usage: entity_types: - ADDRESS @@ -114,6 +129,9 @@ Add IP to Allow List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `self.soar_action.target_entities` and filters them using + `entity.entity_type == EntityTypes.ADDRESS`. It does not apply other filters. Add IP to Block List: action_product_categories: add_alert_comment: false @@ -129,6 +147,9 @@ Add IP to Block List: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action adds an IP address to a blocklist in an external security product + (Signal Sciences). This directly matches the 'Add IOC To Blocklist' category. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -144,52 +165,52 @@ Add IP to Block List: update_identity: false update_ticket: false ai_description: >- - ### General Description + The **Add IP to Block List** action enables security analysts to block specific + IP addresses within a designated site in the Signal Sciences platform. This action + helps mitigate threats by preventing malicious traffic from interacting with protected + resources. - Use the **Add IP to Block List** action to add specific IP addresses to the block - list of a designated site in Signal Sciences. This action helps in mitigating - threats by blocking malicious traffic at the WAF level. - - - ### Parameters Description - | Parameter | Type | Mandatory | Description | + ### Flow Description - | :--- | :--- | :--- | :--- | + 1. **Parameter Extraction**: The action extracts the `Site Name`, `IP Address` + (optional), and `Note` (mandatory) from the action configuration. - | Site Name | String | Yes | The API name of the site as defined in the Signal - Sciences dashboard. | + 2. **Target Identification**: It aggregates IP addresses from the `IP Address` + parameter and any `ADDRESS` type entities present in the current case. - | IP Address | String | No | A comma-separated list of IP addresses to add. If - empty, the action uses ADDRESS entities from the case. | + 3. **Pre-check**: It fetches the existing block list for the specified site to + identify if any target IPs are already blocked, preventing redundant API calls. - | Note | String | Yes | The descriptive note or justification for blocking the - IP. | + 4. **Execution**: For each new IP address, it performs a PUT request to the Signal + Sciences API to add the IP to the block list with the provided justification note. + 5. **Result Reporting**: It compiles the results, indicating which IPs were successfully + added and which failed, and updates the action output message accordingly. - ### Flow Description - 1. **Parameter Extraction:** The action retrieves the Site Name, IP Address list, - and Note. + ### Parameters - 2. **IP Collection:** It identifies target IPs from the input parameter and the - case's ADDRESS entities, then deduplicates them. + | Parameter | Type | Mandatory | Description | - 3. **Validation:** Each IP is checked for valid IPv4/IPv6 format. + | :--- | :--- | :--- | :--- | - 4. **Pre-check:** The action fetches the existing block list for the site to avoid - redundant API calls. + | Site Name | string | Yes | The API name of the site as defined in the Signal + Sciences dashboard. | - 5. **Execution:** It adds new IPs to the Signal Sciences block list using the - provided note. + | IP Address | string | No | A comma-separated list of IP addresses to add to + the Signal Sciences block list. If not provided, the action will attempt to use + IP entities from the case. | - 6. **Finalization:** Success and failure statuses are reported for each IP. + | Note | string | Yes | The descriptive note or justification associated with + the blocked IP address. | ### Additional Notes - Either the 'IP Address' parameter must be populated, or the case must contain - ADDRESS entities for the action to have targets to process. + - The action requires either the `IP Address` parameter to be populated or `ADDRESS` + type entities to be present in the case for it to perform any blocking operations. + If neither is provided, the action will terminate without performing any changes. capabilities: can_create_case_comments: false can_create_insight: false @@ -198,12 +219,21 @@ Add IP to Block List: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Adds the specified IP addresses to the Signal Sciences block list for a designated - site. + Adds the specified IP address to the block list of a designated site in the + Signal Sciences platform. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches existing block list data from the Signal Sciences API to + check for duplicates (fetches_data=true). It then performs a PUT request to + add new IPs to the block list (can_mutate_external_data=true). It does not modify + any internal SOAR case data, entities, or insights. categories: enrichment: false + reasoning: >- + The action performs a mutation on an external system (Signal Sciences) to block + an IP. It does not meet the criteria for an enrichment action as it is not read-only + and does not enrich internal SOAR data. entity_usage: entity_types: - ADDRESS @@ -220,6 +250,9 @@ Add IP to Block List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `self.soar_action.target_entities` and filters them based + on `entity.entity_type == EntityTypes.ADDRESS`. List Sites: action_product_categories: add_alert_comment: false @@ -235,6 +268,10 @@ List Sites: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves a list of sites from the Signal Sciences API. It does not + match any of the provided categories (e.g., Enrich IOC, Enrich Asset, Update + Alert, etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -249,31 +286,41 @@ List Sites: update_email: false update_identity: false update_ticket: false - ai_description: "### General Description\nThe **List Sites** action retrieves a\ - \ list of all sites available within the configured corporation in Signal Sciences.\ - \ This action is primarily used for discovery purposes, allowing users to identify\ - \ the specific site names required as inputs for other Signal Sciences actions,\ - \ such as blocking or allowing IP addresses.\n\n### Parameters Description\n|\ - \ Parameter Name | Type | Mandatory | Description |\n| :--- | :--- | :--- | :---\ - \ |\n| Max Sites To Return | String | No | The maximum number of sites to return\ - \ in the results. If set to 0 or left empty, the action will attempt to retrieve\ - \ all available sites. The default value is 50. |\n\n### Flow Description\n1.\ - \ **Parameter Extraction and Validation**: The action extracts the `Max Sites\ - \ To Return` parameter and validates that it is a valid integer. If the parameter\ - \ is missing or empty, it defaults to 0 (returning all sites).\n2. **API Interaction**:\ - \ The action calls the Signal Sciences API to fetch site information. It uses\ - \ internal pagination logic to ensure that the requested number of records (or\ - \ all records) are retrieved correctly from the corporation's account.\n3. **Data\ - \ Transformation**: The raw API response is processed into structured `Site` data\ - \ models. \n4. **Result Generation**: \n * **JSON Results**: The action populates\ - \ the JSON results with the raw data for each site found.\n * **Data Table**:\ - \ A table named \"Signal Sciences Sites\" is created, displaying the API Name,\ - \ Display Name, Creation Date, and Agent Level for each site.\n * **Output\ - \ Message**: A summary message is generated listing the names of all successfully\ - \ fetched sites.\n\n### Additional Notes\n- This action does not operate on specific\ - \ entities (like IPs or Hostnames) and instead fetches global configuration data\ - \ for the corporation.\n- If no sites are found, the action will return a successful\ - \ status with a message indicating that no sites were found." + ai_description: >- + ### General Description + + Use the **List Sites** action to retrieve a list of all sites available within + the corporation in Signal Sciences. This action fetches site information from + the Signal Sciences API and presents it as a table and JSON results. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Max Sites To Return | string | No | The maximum number of sites to return. If + set to 0 or left empty, the action returns all available sites. Defaults to 50. + | + + + ### Flow Description + + 1. Extract the `Max Sites To Return` parameter from the action configuration. + + 2. Call the Signal Sciences API to fetch site information, utilizing pagination + if necessary to retrieve the requested number of sites. + + 3. Format the retrieved site data into a table and JSON results. + + 4. Update the action output with the list of retrieved sites and a success message. + + + ### Additional Notes + + If no sites are found for the given corporation, the action will return a message + indicating that no sites were found. capabilities: can_create_case_comments: false can_create_insight: false @@ -284,8 +331,16 @@ List Sites: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Signal Sciences API to retrieve a list + of sites. It does not modify any external or internal data, nor does it update + entities or create insights. categories: enrichment: false + reasoning: >- + The action fetches data from an external system (Signal Sciences) but does not + enrich specific entities (e.g., IP, User). It is a configuration/utility action, + not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -301,6 +356,9 @@ List Sites: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `target_entities` or use entity-specific identifiers. + It fetches global corporation data. Ping: action_product_categories: add_alert_comment: false @@ -316,6 +374,9 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + This is a connectivity test action. It does not match any of the functional + categories like enrichment, blocking, or ticketing. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -331,56 +392,30 @@ Ping: update_identity: false update_ticket: false ai_description: >- - ### General Description - - The **Ping** action is used to verify the connectivity between Google SecOps and - the Signal Sciences platform. It ensures that the provided credentials (Email, - API Token) and configuration (API Root, Corporation Name) are correct and that - the network allows communication with the Signal Sciences API. + Tests connectivity to the Signal Sciences API. This action verifies that the provided + connection parameters (API Root, Email, API Token, and Corporation Name) are valid + and that the SOAR platform can successfully communicate with the Signal Sciences + service. - ### Parameters Description - - There are no action-specific parameters for this action. It relies entirely on - the global integration configuration parameters: - - - | Parameter | Type | Mandatory | Description | + ### Parameters - | :--- | :--- | :--- | :--- | - - | API Root | String | No | The base URL of the Signal Sciences API. Defaults to - `https://dashboard.signalsciences.net`. | - - | Email | String | Yes | The email address associated with the Signal Sciences - API user. | - - | API Token | String | Yes | The API token for authentication. | - - | Corporation Name | String | Yes | The name of the corporation in Signal Sciences. - | - - | Verify SSL | Boolean | No | Whether to verify the SSL certificate of the API - server. Defaults to `True`. | + There are no parameters for this action. ### Flow Description - 1. **Initialize Client**: The action initializes the Signal Sciences API client - using the integration's configuration parameters. - - 2. **Test Connectivity**: It executes a `GET` request to the `/corps/{corp_name}` - endpoint to verify that the API token and corporation name are valid. + 1. The action initializes the Signal Sciences API client using the configured + integration settings. - 3. **Evaluate Result**: If the request returns a successful status code, the action - reports a successful connection. If an exception occurs (e.g., 401 Unauthorized - or connection timeout), it captures the error and marks the action as failed. + 2. It sends a GET request to the Signal Sciences corporation endpoint to verify + connectivity. + 3. If the request is successful, it returns a success message indicating connectivity + is established. - ### Additional Notes - - This action does not process any entities or modify any data. It is strictly for - diagnostic purposes to ensure the integration is configured correctly. + 4. If the request fails (e.g., due to invalid credentials or network issues), + it logs the error and marks the action as failed. capabilities: can_create_case_comments: false can_create_insight: false @@ -389,10 +424,16 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to test connectivity. It does not mutate external + or internal data, nor does it update entities or create insights. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action. According to the instructions, Ping actions must + not be categorized as enrichment actions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -408,6 +449,8 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. Remove IP from Allow List: action_product_categories: add_alert_comment: false @@ -423,6 +466,9 @@ Remove IP from Allow List: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action removes an IP from an allow list in Signal Sciences, which directly + matches the 'Remove IOC From Allowlist' category. remove_ioc_from_allowlist: true remove_ioc_from_blocklist: false reset_identity_password: false @@ -438,64 +484,51 @@ Remove IP from Allow List: update_identity: false update_ticket: false ai_description: >- - ### General Description - - The **Remove IP from Allow List** action is designed to remove specific IP addresses - from the allow list (whitelist) of a designated site within the Signal Sciences - platform. This action is useful for revoking trusted status from IPs that are - no longer considered safe or were added temporarily. It can process IPs provided - directly as a parameter or identified as entities within the Google SecOps environment. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | + The **Remove IP from Allow List** action removes specified IP addresses from the + allow list of a designated site within the Signal Sciences platform. This action + helps maintain security posture by ensuring that only authorized IPs remain on + the allow list. - | Site Name | string | Yes | The API name of the site as defined in the Signal - Sciences dashboard. This determines which site's allow list will be modified. - | - | IP Address | string | No | A comma-separated list of IP addresses to remove. - If this parameter is provided, the action will process these IPs in addition to - any IP Address entities found in the context. | + ### Flow Description + 1. **Parameter Extraction**: The action extracts the `Site Name` and an optional + comma-separated list of `IP Address` values from the action parameters. - ### Additional Notes + 2. **Entity Collection**: It collects IP addresses from the provided `IP Address` + parameter and identifies any `ADDRESS` entities present in the current SOAR case. - - The action first retrieves the current allow list for the specified site to - find the internal IDs associated with the target IP addresses. + 3. **Data Retrieval**: It fetches the current allow list for the specified site + from Signal Sciences to identify the unique `item_id` associated with each target + IP. - - If an IP address is not found in the allow list, the action treats it as successfully - removed (since the desired state is achieved). + 4. **Removal**: For each identified IP, the action performs a DELETE request to + remove the corresponding entry from the Signal Sciences allow list. - - The action validates that the provided strings are valid IPv4 or IPv6 addresses - before attempting removal. + 5. **Finalization**: The action reports the success or failure of the removal + process for each IP address. - ### Flow Description + ### Parameters Description - 1. **Parameter Extraction:** The action retrieves the `Site Name` and the optional - `IP Address` list from the input parameters. + | Parameter | Type | Mandatory | Description | - 2. **Entity Collection:** It identifies all `ADDRESS` entities within the current - alert context. + | :--- | :--- | :--- | :--- | - 3. **Consolidation:** It combines the IPs from the parameters and the entities - into a single, deduplicated list of target IPs. + | Site Name | string | Yes | The API name of the site as defined in the Signal + Sciences dashboard. | - 4. **Allow List Retrieval:** The action calls the Signal Sciences API to fetch - the existing allow list for the specified site. + | IP Address | string | No | A comma-separated list of IP addresses to remove + from the Signal Sciences allow list. If not provided, the action will process + `ADDRESS` entities from the case. | - 5. **Validation and Matching:** For each target IP, the action validates the format - and searches for a matching entry in the retrieved allow list. - 6. **Removal:** If a match is found, the action sends a DELETE request to Signal - Sciences using the specific item ID to remove the IP from the list. + ### Additional Notes - 7. **Finalization:** The action reports the success or failure of the removal - process for each IP and sets the final execution status. + - The action requires either the `IP Address` parameter to be populated or `ADDRESS` + entities to be present in the case for it to perform any removal operations. If + neither is provided, the action will terminate with a message indicating no IPs + were found. capabilities: can_create_case_comments: false can_create_insight: false @@ -504,12 +537,20 @@ Remove IP from Allow List: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - The action performs a DELETE request to the Signal Sciences API to remove specific - IP entries from the site's allow list. + Removes IP addresses from the Signal Sciences allow list for a specific site. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches the current allow list from the external system to identify + the correct item IDs for removal (fetches_data=true). It then performs a DELETE + request to remove the IP from the allow list, which constitutes an external + data mutation (can_mutate_external_data=true). It does not modify internal SOAR + data, entities, or insights. categories: enrichment: false + reasoning: >- + The action is not an enrichment action because it mutates external data (removes + an IP from an allow list). entity_usage: entity_types: - ADDRESS @@ -526,6 +567,9 @@ Remove IP from Allow List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over `target_entities` and filters for entities where the + type is `ADDRESS`. Remove IP from Block List: action_product_categories: add_alert_comment: false @@ -541,6 +585,10 @@ Remove IP from Block List: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action removes an IP address from the Signal Sciences blocklist, which directly + matches the 'Remove IOC From Blocklist' category defined as restoring connectivity + or execution rights for an indicator by removing it from restricted lists. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: true reset_identity_password: false @@ -555,33 +603,50 @@ Remove IP from Block List: update_email: false update_identity: false update_ticket: false - ai_description: "### General Description\nThe **Remove IP from Block List** action\ - \ is used to remove specific IP addresses from the block list of a designated\ - \ site within Signal Sciences. This action is typically used in response to false\ - \ positives or when a previously blocked IP is deemed safe, restoring its ability\ - \ to interact with the protected site.\n\n### Parameters Description\n| Parameter\ - \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Site Name\ - \ | string | True | The API name of the site as defined in the Signal Sciences\ - \ dashboard. |\n| IP Address | string | False | A comma-separated list of IP addresses\ - \ to remove from the Signal Sciences block list. If provided, these will be processed\ - \ alongside any IP entities found in the scope. |\n\n### Additional Notes\n- The\ - \ action processes both IP addresses provided in the `IP Address` parameter and\ - \ any `ADDRESS` entities present in the current context.\n- If an IP address is\ - \ not found in the block list, the action treats it as a success (as the desired\ - \ state\u2014not being blocked\u2014is already met).\n- The action validates that\ - \ the provided strings are valid IPv4 or IPv6 addresses before attempting removal.\n\ - \n### Flow Description\n1. **Parameter Extraction:** The action retrieves the\ - \ `Site Name` and the optional `IP Address` list from the input parameters.\n\ - 2. **Entity Identification:** It identifies all `ADDRESS` entities in the current\ - \ SOAR context.\n3. **Target Consolidation:** It combines the IPs from the parameters\ - \ and the entities into a single, deduplicated list of target IPs.\n4. **Block\ - \ List Retrieval:** The action fetches the current block list for the specified\ - \ site from Signal Sciences to identify the internal IDs associated with the target\ - \ IPs.\n5. **Removal Execution:** For each target IP, the action searches for\ - \ a matching entry in the retrieved block list. If found, it sends a request to\ - \ Signal Sciences to delete that specific block list item.\n6. **Finalization:**\ - \ The action reports which IPs were successfully removed (or were already absent)\ - \ and which ones failed (e.g., due to invalid format or API errors)." + ai_description: >- + ### General Description + + The **Remove IP from Block List** action removes specific IP addresses from the + block list of a designated site within the Signal Sciences platform. This action + helps restore connectivity or access for IPs that were previously blocked. + + + ### Parameters + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Site Name | string | Yes | The API name of the site as defined in the Signal + Sciences dashboard. | + + | IP Address | string | No | A comma-separated list of IP addresses to remove + from the Signal Sciences block list. | + + + ### Additional Notes + + - The action processes IP addresses provided in the 'IP Address' parameter and + any 'ADDRESS' entities attached to the case. If no IPs are provided via parameters + or entities, the action will terminate. + + + ### Flow Description + + 1. **Parameter Extraction**: Retrieves the 'Site Name' and 'IP Address' parameters. + + 2. **Entity Identification**: Collects IP addresses from the 'IP Address' parameter + and identifies any 'ADDRESS' entities from the current case. + + 3. **Data Retrieval**: Fetches the current blocklist for the specified site from + the Signal Sciences API. + + 4. **Validation & Removal**: Iterates through the target IPs, validates their + format, checks if they exist in the fetched blocklist, and sends a DELETE request + to remove them if found. + + 5. **Reporting**: Logs the success or failure of each removal operation and updates + the action output message with the final status. capabilities: can_create_case_comments: false can_create_insight: false @@ -590,12 +655,21 @@ Remove IP from Block List: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Removes specified IP addresses from the Signal Sciences block list for a specific - site using a DELETE request. + Removes the specified IP address from the block list in the Signal Sciences + dashboard. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches the current blocklist from the external system to identify + the ID of the IP to be removed (fetches_data=true). It then performs a DELETE + request to the Signal Sciences API to remove the IP from the blocklist (can_mutate_external_data=true). + It does not modify internal SOAR data, entities, or case insights. categories: enrichment: false + reasoning: >- + The action performs a mutation on an external system (removing an IP from a + blocklist), which violates the 'External State Preservation' constraint required + for enrichment actions. entity_usage: entity_types: - ADDRESS @@ -612,3 +686,6 @@ Remove IP from Block List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `self.soar_action.target_entities` and filters specifically + for entities of type `ADDRESS` to include them in the list of IPs to be removed. diff --git a/content/response_integrations/third_party/community/signal_sciences/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/signal_sciences/resources/ai/integration_ai_description.yaml index b927e7b41..1e30cec40 100644 --- a/content/response_integrations/third_party/community/signal_sciences/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/community/signal_sciences/resources/ai/integration_ai_description.yaml @@ -7,6 +7,14 @@ product_categories: iam_and_identity_management: false itsm: false network_security: true + reasoning: >- + The Signal Sciences integration is a Web Application Firewall (WAF) management + tool. Its primary capabilities involve managing IP allow and block lists, which + directly aligns with the Network Security category, as it allows the agent to + block or permit malicious IPs at the gateway. It does not perform SIEM log analysis, + EDR host-level investigation, threat intelligence enrichment (it does not provide + reputation scores), or any other functions related to IAM, ITSM, or cloud resource + management. siem: false threat_intelligence: false vulnerability_management: false diff --git a/content/response_integrations/third_party/community/spell_checker/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/spell_checker/resources/ai/actions_ai_description.yaml index 0fc2a8e83..28f07cdd2 100644 --- a/content/response_integrations/third_party/community/spell_checker/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/spell_checker/resources/ai/actions_ai_description.yaml @@ -13,6 +13,9 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity check ('Ping') and does not perform any of the + defined product category operations (enrichment, ticketing, containment, etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -28,31 +31,20 @@ Ping: update_identity: false update_ticket: false ai_description: >- - ### General Description + General description: This action performs a connectivity check to verify that + the Spell Checker integration is properly configured and reachable. It does not + perform any data processing or external system modifications. - The **Ping** action is a diagnostic utility designed to verify the connectivity - and functional status of the **Spell Checker** integration within Google SecOps. - It serves as a basic health check to ensure that the integration is correctly - installed and that the environment can execute its associated scripts. + Parameters description: There are no parameters for this action. - ### Parameters Description - There are no parameters for this action. + Additional notes: This is a standard connectivity check action. - ### Additional Notes - - This action does not perform any actual spell-checking logic or external API calls. - It is strictly used for verifying the integration's presence and operational readiness. - - - ### Flow Description - - 1. **Initialization**: The action initializes the Siemplify SDK context. - - 2. **Status Confirmation**: The action immediately terminates with a success message, - "Spell Checker is connected," confirming that the integration is reachable. + Flow description: 1. The action initializes the `SiemplifyAction` module. 2. It + executes a connectivity check. 3. It returns a success message indicating the + integration is connected. capabilities: can_create_case_comments: false can_create_insight: false @@ -63,8 +55,15 @@ Ping: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action is a simple connectivity check ('Ping'). It does not fetch data, + mutate external systems, or modify internal SOAR data. categories: enrichment: false + reasoning: >- + The action is named 'Ping', which is explicitly excluded from being an enrichment + action per the guidelines. It does not fetch data or perform any enrichment + tasks. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -80,6 +79,9 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. It is a standalone connectivity + check. Spelling Check: action_product_categories: add_alert_comment: false @@ -95,6 +97,10 @@ Spelling Check: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action performs a local spell check on a string input. It does not interact + with external systems, fetch threat intelligence, or modify alerts/entities. + It does not fit any of the defined product categories. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -109,24 +115,18 @@ Spelling Check: update_email: false update_identity: false update_ticket: false - ai_description: >- - ### General Description The **Spelling Check** action identifies misspelled words - within a provided text string and suggests potential corrections based on word - frequency. It is designed to help analysts clean up notes, reports, or extracted - text within a playbook. ### Parameters Description | Parameter | Type | Mandatory - | Description | | :--- | :--- | :--- | :--- | | Input | String | No | The text - content that will be analyzed for spelling errors. | ### Flow Description 1. - **Text Extraction**: The action retrieves the string provided in the `Input` parameter. - 2. **Sanitization**: It cleans the input text using regular expressions to remove - special characters and punctuation, while preserving letters, spaces, and specific - symbols like '@'. 3. **Misspelling Identification**: The cleaned text is split - into individual words, which are then checked against a dictionary (including - a custom allowlist of technical terms like 'microsoft', 'google', 'playbook'). - 4. **Suggestion Generation**: For every word identified as misspelled, the action - generates a list of likely correct candidates. 5. **Reporting**: The results are - compiled into a JSON object and a data table named 'Found spelling mistakes' for - use in subsequent playbook steps. ### Additional Notes This action performs - local processing and does not communicate with external web services. + ai_description: "This action performs a spell check on a provided input string to\ + \ identify misspelled words and suggest corrections. \n\n### Parameters\n| Parameter\ + \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Input |\ + \ string | No | The text that will be checked by the Spell Checker. |\n\n### Flow\n\ + 1. Retrieve the `Input` parameter from the action configuration.\n2. Clean the\ + \ input text using regex to remove special characters and irrelevant symbols.\n\ + 3. Use the `SpellCheckerManager` to identify unknown words (misspellings) in the\ + \ cleaned text.\n4. Generate correction candidates for each identified misspelled\ + \ word.\n5. Return the results as a JSON object and a data table containing the\ + \ original words and their recommended corrections.\n\n### Additional Notes\n\ + This action performs local text processing and does not interact with external\ + \ systems or modify SOAR case data." capabilities: can_create_case_comments: false can_create_insight: false @@ -137,8 +137,17 @@ Spelling Check: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs local text processing using the `pyspellchecker` library. + It does not interact with external APIs, modify external systems, or update + internal SOAR data (entities, insights, or alerts). It simply returns the results + of the spell check as a JSON object and a data table. categories: enrichment: false + reasoning: >- + The action does not fetch data from an external source, nor does it enrich entities + or alerts. It is a utility action for text processing. Therefore, it is not + an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -154,3 +163,6 @@ Spelling Check: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `siemplify.target_entities`. It processes + a raw string input provided via parameters. diff --git a/content/response_integrations/third_party/community/spell_checker/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/spell_checker/resources/ai/integration_ai_description.yaml index 0801c7556..534cfcb2a 100644 --- a/content/response_integrations/third_party/community/spell_checker/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/community/spell_checker/resources/ai/integration_ai_description.yaml @@ -7,6 +7,15 @@ product_categories: iam_and_identity_management: false itsm: false network_security: false + reasoning: >- + The 'spell_checker' integration provides utility functions for text processing + (spell checking) and connectivity verification. It does not interact with security + infrastructure, threat intelligence feeds, identity providers, cloud environments, + or ticketing systems. It does not perform any of the functions defined for the + listed product categories (SIEM, EDR, Network Security, Threat Intelligence, Email + Security, IAM, Cloud Security, ITSM, Vulnerability Management, Asset Inventory, + or Collaboration). Therefore, it does not align with any of the defined security + product categories. siem: false threat_intelligence: false vulnerability_management: false diff --git a/content/response_integrations/third_party/community/superna_zero_trust/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/superna_zero_trust/resources/ai/actions_ai_description.yaml index bf94065e1..ce0dfd90b 100644 --- a/content/response_integrations/third_party/community/superna_zero_trust/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/superna_zero_trust/resources/ai/actions_ai_description.yaml @@ -13,6 +13,10 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action performs a health check (Ping) on an external system. It does not + match any of the defined product categories (Enrichment, Containment, Ticket + management, etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -27,28 +31,41 @@ Ping: update_email: false update_identity: false update_ticket: false - ai_description: "### General Description\nThe **Ping** action is designed to verify\ - \ the connectivity and health of the Superna Eyeglass Zero Trust API. It performs\ - \ a simple health check by sending a GET request to the configured Eyeglass IP\ - \ address. This is primarily used during setup or troubleshooting to ensure that\ - \ the Google SecOps environment can successfully communicate with the Superna\ - \ Zero Trust management interface.\n\n### Parameters Description\nThere are no\ - \ action-specific parameters for this action. It relies entirely on the integration's\ - \ global configuration settings:\n* **api_token**: The API key used for authentication.\n\ - * **eyeglass_ip**: The IP address or hostname of the Superna Eyeglass server.\n\ - * **Verify SSL**: A boolean flag indicating whether to verify the SSL certificate\ - \ of the server.\n\n### Additional Notes\n* This action does not process any entities.\n\ - * As per standard SOAR conventions, 'Ping' actions are used for connectivity testing\ - \ and are not classified as enrichment.\n\n### Flow Description\n1. **Configuration\ - \ Retrieval**: The action extracts the `api_token`, `eyeglass_ip`, and `Verify\ - \ SSL` settings from the integration configuration.\n2. **URL Construction**:\ - \ It constructs the full API endpoint URL using the provided IP and the hardcoded\ - \ path `/sera/v1/healthcheck`.\n3. **API Request**: It executes an authenticated\ - \ HTTP GET request to the health check endpoint with a 30-second timeout.\n4.\ - \ **Response Handling**: \n * If the request is successful (HTTP 200), it logs\ - \ the response and marks the action as completed.\n * If a timeout, connection\ - \ error, or HTTP error occurs, it catches the exception, logs the error details,\ - \ and marks the action as failed." + ai_description: >- + ### General Description + + This action performs a health check on the Superna Zero Trust system by sending + a GET request to the `/sera/v1/healthcheck` endpoint. It verifies connectivity + to the Eyeglass instance. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | `api_token` | String | Yes | The API token used for authentication with the + Superna Zero Trust API. | + + | `eyeglass_ip` | String | Yes | The IP address or hostname of the Eyeglass instance. + | + + | `Verify SSL` | Boolean | No | Determines whether to verify SSL certificates + during the API request. Defaults to `False`. | + + + ### Flow Description + + 1. Extract configuration parameters (`api_token`, `eyeglass_ip`, `Verify SSL`). + + 2. Construct the API URL using the provided IP and the health check route (`/sera/v1/healthcheck`). + + 3. Send a GET request to the constructed URL with the API token in the headers. + + 4. Handle potential exceptions (Timeout, ConnectionError, HTTPError, RequestException). + + 5. Return the execution status and response text using `siemplify.end`. capabilities: can_create_case_comments: false can_create_insight: false @@ -57,10 +74,16 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to an external API to verify connectivity + (health check). It does not modify external or internal data. categories: enrichment: false + reasoning: >- + The action is named 'Ping' and performs a health check. According to the rules, + 'Ping' actions are not enrichment actions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -76,6 +99,9 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not interact with `siemplify.target_entities`. It is a global + action. Superna Snapshot Critical NAS Data: action_product_categories: add_alert_comment: false @@ -91,6 +117,9 @@ Superna Snapshot Critical NAS Data: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action triggers a snapshot via an external API. It does not match any of + the predefined categories (Enrichment, Containment, Ticketing, etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -108,62 +137,44 @@ Superna Snapshot Critical NAS Data: ai_description: >- ### General Description - The **Superna Snapshot Critical NAS Data** action triggers a 'Cyber Snapshot' - for critical NAS (Network Attached Storage) data paths using the Superna Eyeglass - Zero Trust API. This action is designed to interact with the ransomware protection - module of Superna Eyeglass to identify and secure critical data paths, providing - a point-in-time snapshot for recovery or security analysis. + Triggers a snapshot of critical NAS data using the Superna Zero Trust API. This + action initiates a snapshot process on the target NAS system to ensure data integrity + and security. ### Parameters Description - This action does not have any action-specific parameters. It relies entirely on - the **SupernaZeroTrust** integration configuration: - - - | Parameter | Expected Type | Mandatory | Description | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | api_token | String | Yes | The API key used to authenticate with the Superna - Eyeglass server. | - - | eyeglass_ip | String | Yes | The IP address or hostname of the Superna Eyeglass - instance. | + | `api_token` | String | Yes | The API key for authentication with the Superna + Zero Trust API. | - | Verify SSL | Boolean | No | If enabled, the action will verify the SSL certificate - of the Eyeglass server. Defaults to False. | + | `eyeglass_ip` | String | Yes | The IP address of the Eyeglass instance. | + | `Verify SSL` | Boolean | No | Whether to verify SSL certificates (default: False). + | - ### Additional Notes - - This action is executed asynchronously. + ### Flow Description - - It performs a POST request to the `/sera/v2/ransomware/criticalpaths` endpoint, - which typically triggers a state change or a snapshot process in the external - system. + 1. Extracts configuration parameters (`api_token`, `eyeglass_ip`, `Verify SSL`) + from the integration settings. - - This action does not process or require any SecOps entities (IPs, Hosts, etc.) - to run. + 2. Constructs the API request URL and headers. + 3. Sends a POST request to the Superna Zero Trust API endpoint (`/sera/v2/ransomware/criticalpaths`) + to initiate the snapshot process. - ### Flow Description + 4. Handles potential errors (timeout, connection, HTTP errors). - 1. **Configuration Retrieval:** The action extracts the API token, Eyeglass IP, - and SSL verification settings from the integration's global configuration. + 5. Returns the API response as the action result. - 2. **Endpoint Construction:** It constructs the target API URL using the provided - Eyeglass IP and the ransomware critical paths route. - 3. **API Execution:** It sends a POST request to the Superna Eyeglass server, - including the API key in the headers. - - 4. **Response Handling:** The action monitors the request for success, timeouts, - or connection errors. + ### Additional Notes - 5. **Completion:** The raw response text from the Superna API is returned as the - action's result value, and the execution status is set to completed or failed - based on the HTTP response. + The action does not require any entities to run. capabilities: can_create_case_comments: false can_create_insight: false @@ -172,12 +183,18 @@ Superna Snapshot Critical NAS Data: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - The action performs a POST request to the Superna Eyeglass ransomware critical - paths endpoint, which triggers a snapshot or state change for NAS data protection. - fetches_data: true + Triggers a snapshot of critical NAS data on the Superna Zero Trust system. + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the Superna Zero Trust API to trigger + a snapshot of critical NAS data. It does not fetch data for enrichment or modify + internal SOAR data. categories: enrichment: false + reasoning: >- + The action performs a POST request to trigger a snapshot, which is a mutation + of external state, not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -193,6 +210,9 @@ Superna Snapshot Critical NAS Data: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not reference `siemplify.target_entities` or any entity-specific + logic. Superna Zero Trust User Lockout: action_product_categories: add_alert_comment: false @@ -208,6 +228,10 @@ Superna Zero Trust User Lockout: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action performs a lockout of a user account on an external system (Superna + NAS). This aligns with 'Disable Identity' as it revokes access to the NAS storage. + It does not perform enrichment, ticket creation, or host containment. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -225,10 +249,9 @@ Superna Zero Trust User Lockout: ai_description: >- ### General Description - This action locks out a suspected user from all Superna-protected NAS storage. - It interacts with the Superna Eyeglass Zero Trust API to resolve user permissions - and apply a 'deny read' permission to SMB shares, effectively isolating the user - from sensitive data. + This action locks out a specified user from Superna protected NAS storage by interacting + with the Eyeglass Zero Trust API. It applies a deny read permission to SMB shares + for the target user. ### Parameters Description @@ -237,34 +260,28 @@ Superna Zero Trust User Lockout: | :--- | :--- | :--- | :--- | - | UserName | String | Yes | The identifier of the user to be locked out. Expected - format is `domain\username` or `user@domain`. | + | UserName | string | Yes | The user to be locked out of NAS storage in format + domain\username or user@domain name. | ### Flow Description - 1. **Parameter Initialization**: The action retrieves the integration configuration, - including the Eyeglass IP, API token, and SSL verification settings. + 1. Extracts configuration parameters (API token, Eyeglass IP, SSL verification + setting). - 2. **Input Processing**: It extracts the `UserName` from the action parameters - and URL-encodes it to ensure it is safe for use in an API request. + 2. Extracts the `UserName` parameter. - 3. **API Request Construction**: The action builds the specific API endpoint for - user lockout using the provided Eyeglass IP and the encoded username. + 3. Constructs the API endpoint URL by appending the URL-encoded username to the + base path. - 4. **Execution**: A POST request is sent to the Superna Eyeglass server. The action - includes the API key in the headers for authentication. + 4. Sends a POST request to the Superna Eyeglass API to initiate the user lockout. - 5. **Response Handling**: The action captures the response from the server, handling - potential timeouts, connection errors, or HTTP errors, and reports the final status - back to Google SecOps. + 5. Logs the outcome and terminates the action with the appropriate status. ### Additional Notes - This action performs a state change in an external system (Superna Eyeglass) and - does not process entities from the current alert context; it relies solely on - the provided `UserName` parameter. + Requires valid `api_token` and `eyeglass_ip` configured in the integration settings. capabilities: can_create_case_comments: false can_create_insight: false @@ -273,12 +290,21 @@ Superna Zero Trust User Lockout: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Locks out a user from Superna protected NAS storage by applying deny read permissions - to SMB shares via a POST request to the Eyeglass API. + The action sends a POST request to the Superna Eyeglass API to apply a deny + read permission to SMB shares for the specified user, effectively locking them + out of NAS storage. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to an external API to change the state of + a user's access (lockout). It does not fetch data, nor does it modify internal + SecOps data or entities. categories: enrichment: false + reasoning: >- + The action performs a mutation on an external system (locking out a user) and + does not fetch data for enrichment purposes, therefore it is not an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -294,6 +320,10 @@ Superna Zero Trust User Lockout: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities`. It uses a provided + `UserName` parameter to perform the lockout, meaning it does not operate on + SecOps entities. Superna Zero Trust User Un Lock: action_product_categories: add_alert_comment: false @@ -309,6 +339,10 @@ Superna Zero Trust User Un Lock: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action unlocks a user account, which directly restores authentication capabilities + and system access. This matches the 'Enable Identity' category. It does not + perform enrichment, ticket creation, or other listed actions. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -326,49 +360,37 @@ Superna Zero Trust User Un Lock: ai_description: >- ### General Description - Unlocks a user account that was previously locked out from Superna protected NAS - storage. This action is primarily used to restore access for users who were restricted - due to security policies, such as automated ransomware protection triggers. It - communicates with the Superna Eyeglass API to perform the unlock operation. + This action unlocks a user account that was previously locked out from Superna + protected NAS storage using the Superna Eyeglass Zero Trust API. It performs a + POST request to the external system to restore access for the specified user. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | UserName | String | Yes | The identifier of the user to unlock. The expected - format is either `domain\username` or `username@domain`. This value is URL-encoded - before being sent to the API. | + | UserName | string | Yes | The name of the user to unlock, in the format `domain\username` + or `username@domain`. | ### Flow Description - 1. **Initialization**: The action retrieves the necessary configuration parameters, - including the API token, Eyeglass IP address, and SSL verification settings. - - 2. **Parameter Extraction**: It extracts the `UserName` provided by the user or - playbook. + 1. **Configuration Extraction**: Retrieves the API token, Eyeglass IP address, + and SSL verification settings from the integration configuration. - 3. **Data Preparation**: The username is URL-encoded to ensure it is correctly - handled in the API request path. + 2. **Parameter Extraction**: Retrieves the `UserName` parameter provided by the + user. - 4. **API Request**: A POST request is constructed and sent to the Superna Eyeglass - endpoint: `https://{eyeglass_ip}/sera/v2/ransomware/unlock/{user}`. - - 5. **Response Handling**: The action evaluates the API response. If successful, - it completes the execution; otherwise, it handles timeouts, connection errors, - or HTTP errors and reports the failure. - - - ### Additional Notes + 3. **API Request Construction**: Builds the API endpoint URL using the Eyeglass + IP and the user identifier. - - This action requires the `api_token` and `eyeglass_ip` to be correctly configured - in the integration settings. + 4. **Execution**: Sends a POST request to the Superna Eyeglass API to unlock the + user. - - The action does not process entities from the case; it relies solely on the - provided `UserName` parameter. + 5. **Result Handling**: Processes the API response and terminates the action with + a success or failure status. capabilities: can_create_case_comments: false can_create_insight: false @@ -377,12 +399,18 @@ Superna Zero Trust User Un Lock: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Unlocks a user account in the Superna protected NAS storage system by sending - a POST request to the Superna Eyeglass API. + Unlocks a user account on the external Superna Eyeglass system. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to an external API (Superna Eyeglass) to + unlock a user account. It does not fetch data for enrichment, nor does it modify + internal SOAR case data or entities. categories: enrichment: false + reasoning: >- + The action is a mutation action (unlocking a user) and does not perform data + retrieval for enrichment purposes. Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -398,3 +426,6 @@ Superna Zero Trust User Un Lock: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or utilize `siemplify.target_entities`. It + relies solely on the `UserName` input parameter. diff --git a/content/response_integrations/third_party/community/superna_zero_trust/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/superna_zero_trust/resources/ai/integration_ai_description.yaml index 6c27508d3..0dc17be29 100644 --- a/content/response_integrations/third_party/community/superna_zero_trust/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/community/superna_zero_trust/resources/ai/integration_ai_description.yaml @@ -7,6 +7,16 @@ product_categories: iam_and_identity_management: true itsm: false network_security: false + reasoning: >- + The integration provides automation for Superna Zero Trust, focusing on NAS storage + security. The 'Superna Zero Trust User Lockout' action allows for the suspension + of user access to NAS storage by applying deny read permissions to SMB shares, + which directly aligns with the 'IAM & Identity Management' category's goal of + managing identity and suspending accounts. The 'Superna Snapshot Critical NAS + Data' action performs a data protection task (snapshotting), and the 'Ping' action + performs a health check; neither of these actions fits into the provided categories + (SIEM, EDR, Network Security, etc.). Therefore, the integration is classified + under IAM & Identity Management. siem: false threat_intelligence: false vulnerability_management: false diff --git a/content/response_integrations/third_party/community/team_cymru_scout/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/team_cymru_scout/resources/ai/actions_ai_description.yaml index 29577245d..2a2efc05b 100644 --- a/content/response_integrations/third_party/community/team_cymru_scout/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/team_cymru_scout/resources/ai/actions_ai_description.yaml @@ -13,6 +13,10 @@ Account Usage: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves account usage statistics. It does not match any of the + provided categories, which are focused on IOC enrichment, asset management, + ticketing, or containment. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -30,52 +34,57 @@ Account Usage: ai_description: >- ### General Description - The **Account Usage** action retrieves and displays the current API consumption - metrics for the Team Cymru Scout integration. It provides visibility into query - limits and remaining balances for both standard and foundation API services, helping - analysts monitor quota usage and prevent service interruptions. + The Account Usage action retrieves the current account usage metrics for the Team + Cymru Scout API. This action provides visibility into the API's query limits, + used queries, and remaining queries, allowing administrators to monitor their + subscription usage directly from the SOAR platform. - ### Parameters + ### Parameters Description - This action does not require any input parameters. + There are no parameters required for this action. It utilizes the integration + configuration settings (Authentication Type, API Key, Username, Password, Verify + SSL) to authenticate and communicate with the Team Cymru Scout service. ### Flow Description - 1. **Authentication**: The action establishes a connection with the Team Cymru - Scout API using the configured credentials (API Key or Username/Password). + 1. The action initializes the `SiemplifyAction` and retrieves the integration + configuration parameters. - 2. **Data Retrieval**: It sends a GET request to the `/usage` endpoint to fetch - real-time account statistics. + 2. An `ApiManager` instance is created using the retrieved credentials. - 3. **Data Processing**: The response is parsed to extract metrics such as used - queries, remaining queries, and query limits for both the primary and foundation - APIs. + 3. The action calls the `/usage` endpoint of the Team Cymru Scout API. - 4. **Output Generation**: The action populates a JSON result with the raw response - and renders a formatted data table named 'Account Usage' in the Google SecOps - UI for easy review. + 4. If the API call is successful, the raw JSON response is added to the action + results. + 5. The usage data is transformed into a readable table format and rendered in + the action output. - ### Additional Notes - - This is a utility action and does not process or enrich specific entities within - a case. + 6. If an error occurs during the API call, the action logs the error and fails + the execution. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: >- - The action adds a data table named 'Account Usage' to the action results within - the Google SecOps platform. + internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve account usage metrics from an + external API (fetches_data=true). It does not modify any external system state + (can_mutate_external_data=false). It does not update entities, create insights, + or modify alert data within the SOAR platform (can_mutate_internal_data=false). categories: enrichment: false + reasoning: >- + The action fetches account usage metrics for the integration itself, not supplemental + context about specific alerts or entities. Therefore, it does not meet the criteria + for an Enrichment Action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -91,6 +100,9 @@ Account Usage: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with target entities; it performs a global check + on the integration's account usage. Advanced Query: action_product_categories: add_alert_comment: false @@ -103,9 +115,13 @@ Advanced Query: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: false + enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action fetches threat intelligence and summary information for indicators + (Enrich IOC) and performs a search against historical telemetry data (Search + Events). It does not perform any containment, ticket management, or alert modification. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -120,70 +136,29 @@ Advanced Query: update_email: false update_identity: false update_ticket: false - ai_description: >- - ### General Description - - The **Advanced Query** action executes a search using the Team Cymru Scout query - language to retrieve comprehensive summary information from the platform. It allows - analysts to perform complex searches across historical telemetry and threat intelligence - data, returning detailed results including PDNS information, open ports, peer - communications, and digital certificates. - - - ### Parameters Description - - | Parameter | Expected Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Query | String | Yes | A simple or advanced query following the Scout query - language (e.g., `comms.ip="1.1.1.1"`). | - - | Start Date | String | No | The beginning of the date range for results, formatted - as `YYYY-MM-DD` in UTC. Defaults to 29 days prior to the current date. | - - | End Date | String | No | The end of the date range for results, formatted as - `YYYY-MM-DD` in UTC. Defaults to the current date. | - - | Days | String | No | A relative offset in days from the current time. If provided, - this integer value takes priority over the `Start Date` and `End Date`. | - - | Size | String | No | The maximum number of records to return in the search results. - The maximum allowed value is 5000. | - - - ### Additional Notes - - - The `Days` parameter is an integer offset that overrides specific date range - parameters if both are provided. - - - The action enforces a maximum result size of 5000 records to ensure performance. - - - All dates must be provided in the `YYYY-MM-DD` format and are processed in UTC - time. - - - ### Flow Description - - 1. **Parameter Extraction:** The action retrieves the Scout query, date ranges, - relative day offset, and result size from the input parameters. - - 2. **Validation:** It validates the date formats and ensures the start date is - not after the end date. It also checks that the requested size does not exceed - the platform limit. - - 3. **API Execution:** The action sends a GET request to the `/search` endpoint - of the Team Cymru Scout API with the constructed query and filters. - - 4. **Data Processing:** Upon receiving a successful response, the action parses - the JSON data to extract IP summaries, PDNS records, open ports, peer communications, - service counts, fingerprints, and X.509 certificates. - - 5. **Output Generation:** The action generates multiple data tables for each category - of information and attaches the raw JSON response to the action results. - - 6. **Usage Tracking:** It creates an 'Account Usage' table to inform the user - of their remaining query quota. + ai_description: "Performs an advanced search query against the Team Cymru Scout\ + \ platform to retrieve summary information based on the Scout query language.\ + \ This action allows users to query historical telemetry data and retrieve detailed\ + \ threat intelligence summaries.\n\n### Flow Description\n1. **Parameter Extraction**:\ + \ The action extracts the mandatory `Query` string and optional parameters (`Start\ + \ Date`, `End Date`, `Days`, `Size`) from the action configuration.\n2. **Authentication**:\ + \ It authenticates with the Team Cymru Scout API using the configured credentials.\n\ + 3. **Data Retrieval**: It executes the search query against the Team Cymru Scout\ + \ API.\n4. **Data Processing**: The action processes the API response to generate\ + \ multiple data tables, including Summary Information, PDNS, Open Ports, Peers,\ + \ Service Counts, Fingerprints, and Certificates.\n5. **Result Generation**: It\ + \ adds the raw JSON response to the action results and renders the generated data\ + \ tables and an API usage report in the SOAR case.\n\n### Parameters\n| Parameter\ + \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Query |\ + \ string | Yes | A simple or advanced query as described by the Scout query language.\ + \ |\n| Start Date | string | No | The latest date for results (YYYY-MM-DD). Defaults\ + \ to 29 days prior to today. |\n| End Date | string | No | The earliest date for\ + \ results (YYYY-MM-DD). Defaults to today's date. |\n| Days | string | No | Relative\ + \ offset in days from current time. Takes priority over Start/End Date if provided.\ + \ |\n| Size | string | No | Size, in records, of the search results (Max 5000).\ + \ |\n\n### Additional Notes\n- The action does not operate on specific entities;\ + \ it runs based on the provided query string. \n- If `Days` is provided, it takes\ + \ precedence over `Start Date` and `End Date`." capabilities: can_create_case_comments: false can_create_insight: false @@ -194,8 +169,19 @@ Advanced Query: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Team Cymru Scout API to fetch search + results based on a query string. It does not modify any external systems (no + POST/PUT/DELETE). It does not modify internal SOAR case data (like entity attributes + or alert status), but rather adds result tables to the action output, which + is standard for enrichment actions. categories: - enrichment: false + enrichment: true + reasoning: >- + The action is designed to fetch supplemental context (threat intelligence and + historical telemetry) from an external source (Team Cymru Scout) based on a + query. It does not mutate external state and does not perform forbidden internal + mutations. Therefore, it qualifies as an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -211,6 +197,9 @@ Advanced Query: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `target_entities`. It relies entirely on the + `Query` parameter provided by the user to perform its search. Enrich IPs: action_product_categories: add_alert_comment: false @@ -226,6 +215,11 @@ Enrich IPs: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves threat intelligence (reputation, tags) for IP addresses + and updates the entity profile. This directly matches the 'Enrich IOC' category. + It does not perform any other operations like ticket creation, host containment, + or alert modification. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -240,28 +234,36 @@ Enrich IPs: update_email: false update_identity: false update_ticket: false - ai_description: "### General Description\nEnriches IP Address entities using the\ - \ Team Cymru Scout platform. This action retrieves reputation data, tags, and\ - \ ASN information to provide context for network-based indicators. It includes\ - \ a built-in caching mechanism that checks if an entity has been enriched within\ - \ the last 24 hours to optimize API usage and prevent redundant calls.\n\n###\ - \ Parameters Description\nThere are no user-configurable parameters for this action.\ - \ It automatically processes all IP Address entities present in the current context.\n\ - \n### Additional Notes\n- The action applies a 'TCS' prefix to all enriched data\ - \ fields added to the entity's additional properties.\n- Entities are marked as\ - \ 'Suspicious' in Google SecOps if the Team Cymru Scout rating is 'malicious'\ - \ or 'suspicious'.\n\n### Flow Description\n1. **Entity Identification**: The\ - \ action identifies all `ADDRESS` entities within the target scope.\n2. **Cache\ - \ Check**: For each IP, it checks the `TCS_last_enriched` property. If the entity\ - \ was enriched less than 24 hours ago, it skips the API call for that specific\ - \ entity.\n3. **Data Retrieval**: It batches the remaining IP addresses and queries\ - \ the Team Cymru Scout foundation API to retrieve summary information.\n4. **Data\ - \ Processing**: The action parses the API response, extracting the overall rating,\ - \ tags, and ASN details.\n5. **Internal Mutation**: \n - Updates the `is_suspicious`\ - \ flag based on the threat rating.\n - Populates `additional_properties` with\ - \ the enrichment data (prefixed with 'TCS').\n - Sets the `is_enriched` flag\ - \ to true.\n6. **Finalization**: Updates the entities in Google SecOps and provides\ - \ a summary JSON of the retrieved data." + ai_description: >- + Enriches IP Address entities using the Team Cymru Scout platform. This action + retrieves threat intelligence, including reputation ratings and tags, for specified + IP addresses. It evaluates the risk of the IP and updates the entity's status + within the SOAR platform. + + + ### Flow Description + + 1. **Identify Entities**: The action retrieves all IP Address entities from the + current case. + + 2. **Filter**: It checks if the entity has already been enriched in the last 24 + hours using the `TCS_last_enriched` property. If so, it skips the entity. + + 3. **Fetch Data**: It queries the Team Cymru Scout API to retrieve summary information + for the valid IP addresses. + + 4. **Update Entities**: For each IP, it updates the entity's `is_suspicious` status + based on the rating (malicious/suspicious) and adds enrichment data (tags, rating, + last enriched timestamp) to the entity's `additional_properties`. + + 5. **Finalize**: It updates the entities in the SOAR platform and adds the API + result to the action output. + + + ### Parameters + + There are no input parameters for this action. It operates on the `target_entities` + provided in the case context. capabilities: can_create_case_comments: false can_create_insight: false @@ -272,10 +274,19 @@ Enrich IPs: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity fields (additional properties), sets the suspicious status based - on threat ratings, and marks entities as enriched. + Updates entity properties (is_suspicious, is_enriched, and additional_properties) + within the SOAR platform. + reasoning: >- + The action fetches threat intelligence data from the Team Cymru Scout API (fetches_data=true). + It updates entity properties (is_suspicious, is_enriched, and additional_properties) + within the SOAR platform (can_mutate_internal_data=true, can_update_entities=true). + It does not perform any mutations on external systems (can_mutate_external_data=false). categories: enrichment: true + reasoning: >- + The action is designed to fetch contextual data (threat intelligence) for IP + entities and update them within the SOAR platform. It does not mutate external + systems and adheres to the constraints of an enrichment action. entity_usage: entity_types: - ADDRESS @@ -292,6 +303,11 @@ Enrich IPs: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over `siemplify.target_entities` and explicitly filters + for entities where `entity.entity_type == EntityTypes.ADDRESS`. It also checks + the `additional_properties` attribute to determine if an entity has already + been enriched within the last 24 hours. Extract Tags: action_product_categories: add_alert_comment: false @@ -307,6 +323,10 @@ Extract Tags: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves threat intelligence (tags) for an IP address, which aligns + with the 'Enrich IOC' category. It does not perform any other actions like ticketing, + containment, or alert updates. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -324,55 +344,41 @@ Extract Tags: ai_description: >- ### General Description - The **Extract Tags** action retrieves and analyzes tags associated with a specific - IP address and its communicating peers using the Team Cymru Scout threat intelligence - platform. It allows analysts to provide a list of specific tags (e.g., 'malware', - 'phishing') and checks if the target IP or any of its peers are associated with - those tags. This is useful for identifying related infrastructure or confirming - the nature of a suspicious IP based on community-sourced or proprietary tagging. + This action extracts tags from a specified IP address and its associated peers + using the Team Cymru Scout API. It allows analysts to search for specific tags + within the IP's context to identify potential threats or relevant indicators. + The action retrieves detailed IP information, processes the tags, and returns + a list of IPs that match the specified search criteria. - ### Parameters Description + ### Parameters - | Parameter | Description | Type | Mandatory | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | IP Address | The specific IP address for which tags and peer tags will be extracted. - | String | Yes | + | IP Address | string | Yes | The IP address whose tags and peer tags need to + be extracted. | - | Tags to Search | A comma-separated list of tags to look for within the results - (e.g., 'malware, phishing, botnet'). | String | Yes | + | Tags to Search | string | Yes | A comma-separated string of tags to search for + within the tags associated with the IP and its peers. | ### Flow Description - 1. **Parameter Extraction:** The action extracts the target IP address and the - search tags from the input parameters. - - 2. **Validation:** It validates the format of the provided IP address to ensure - it is a valid IPv4 or IPv6 address. - - 3. **API Interaction:** The action calls the Team Cymru Scout 'Get IP Details' - endpoint to fetch metadata, including tags for the target IP and its known communicating - peers. + 1. **Input Validation**: Validates the provided IP address format. - 4. **Data Processing:** It parses the API response to create a mapping of IP addresses - to their respective tags. + 2. **Data Retrieval**: Queries the Team Cymru Scout API to fetch details for the + provided IP address. - 5. **Tag Matching:** The action performs an intersection between the tags found - in the API response and the tags provided in the 'Tags to Search' parameter. + 3. **Processing**: Parses the API response to extract tags for the target IP and + its peers. - 6. **Result Generation:** It identifies which IPs (target or peers) matched the - search criteria, adds the detailed results to the action's JSON output, and renders - an 'Account Usage' table to track API consumption. + 4. **Matching**: Compares the extracted tags against the user-provided 'Tags to + Search' list. - - ### Additional Notes - - This action does not run on SecOps entities automatically; it requires the IP - address to be passed as a manual parameter. It is primarily used for deep-dive - enrichment and correlation of network peers. + 5. **Output**: Returns a JSON result containing the matching IPs and their associated + tags, and renders a data table showing API usage statistics. capabilities: can_create_case_comments: false can_create_insight: false @@ -383,8 +389,17 @@ Extract Tags: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches IP details from an external API (Team Cymru Scout). It does + not mutate external systems or modify internal SOAR data (entities, insights, + etc.). It simply processes the retrieved data and returns the results via the + action result and output message. categories: enrichment: true + reasoning: >- + The action fetches data from an external source (Team Cymru Scout) to provide + context (tags) for an IP address. It does not mutate external or internal data. + It fits the definition of an enrichment action as it gathers supplemental context. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -400,6 +415,9 @@ Extract Tags: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action takes an IP address as a parameter ('IP Address') rather than iterating + over 'siemplify.target_entities'. Therefore, it does not run on entities. Get Communications Info: action_product_categories: add_alert_comment: false @@ -415,6 +433,10 @@ Get Communications Info: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves communications information (reputation/context) for IP + addresses, which aligns with the 'Enrich IOC' category. It does not perform + any other actions like ticketing, blocking, or alert management. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -432,11 +454,10 @@ Get Communications Info: ai_description: >- ### General Description - Retrieves detailed communication information for specified IP addresses from Team - Cymru Scout. This action allows security analysts to investigate network traffic - patterns by identifying peers, protocols, and event counts associated with an - IP. It is particularly useful for understanding the communication profile of a - suspicious indicator, including its top services and autonomous system (AS) associations. + This action retrieves detailed communications information for specified IP addresses + from the Team Cymru Scout service. It allows analysts to query historical data + regarding network peers, services, and other communication patterns associated + with the provided IP addresses. ### Parameters Description @@ -445,72 +466,64 @@ Get Communications Info: | :--- | :--- | :--- | :--- | - | IP Addresses | String | Yes | A comma-separated list of IPv4 or IPv6 addresses - to fetch detailed communication information for. | + | IP Addresses | string | Yes | A comma-separated list of IPv4 or IPv6 addresses + to fetch information for. | - | Limit | String | Yes | The maximum number of valid IP addresses to be allowed - for processing in a single execution (Default: 10). | + | Limit | string | Yes | The maximum number of valid IP addresses to be processed. + | - | Start Date | String | No | The latest date for results, formatted as YYYY-MM-DD - in UTC. If not provided, defaults to 29 days prior to today. | + | Start Date | string | No | The earliest date for results, formatted YYYY-MM-DD + in UTC. Defaults to 29 days prior to today. | - | End Date | String | No | The earliest date for results, formatted as YYYY-MM-DD - in UTC. If not provided, defaults to today's date. | + | End Date | string | No | The latest date for results, formatted YYYY-MM-DD in + UTC. Defaults to today's date. | - | Days | String | No | Relative offset in days (integer) from the current time - in UTC. Note: This parameter takes priority over Start Date and End Date if all - three are provided. | + | Days | string | No | Relative offset in days from the current time in UTC. This + takes priority over Start Date and End Date if provided. | - | Size | String | No | The size, in records, of the search results (Maximum allowed - size is 1000). | + | Size | string | No | The size, in records, of the search results. Maximum allowed + is 1000. | ### Flow Description - 1. **Parameter Extraction**: The action extracts the target IP addresses, processing - limits, and time-based filters (Start Date, End Date, Days, Size) from the input - parameters. - - 2. **Validation**: It validates the format of the provided IP addresses and ensures - that date parameters are logically consistent (e.g., start date is not after the - end date and is within the 90-day historical limit). - - 3. **API Manager Initialization**: Initializes the connection to Team Cymru Scout - using the configured authentication method (API Key or Username/Password). - - 4. **Data Retrieval**: Iterates through the validated IP addresses (up to the - specified limit) and performs GET requests to the Team Cymru Scout API to retrieve - 'comms' (communications) section data. + 1. **Initialization**: The action initializes the `SiemplifyAction` and retrieves + integration configuration (API credentials, SSL verification settings). - 5. **Result Aggregation**: Processes the API responses to aggregate communication - details, including peer IPs, protocols, country codes, and AS names. + 2. **Input Validation**: It extracts and validates the provided IP addresses, + ensuring they are correctly formatted and handling duplicates or invalid entries. + It also validates optional date and size parameters. - 6. **Output Generation**: Generates a 'Peers' data table for the case wall, adds - the raw JSON response to the action results, and creates an 'Account Usage' table - to track API quota consumption. + 3. **Data Retrieval**: It queries the Team Cymru Scout API (`/ip/{ip}/details`) + to fetch communications data for the valid IP addresses. + 4. **Result Processing**: The action processes the API response, generating structured + data tables (e.g., Peers, Account Usage) and adding them to the action result + using `add_data_table`. - ### Additional Notes - - - The action performs strictly read-only operations against the Team Cymru Scout - API. - - - If the 'Days' parameter is provided, it will override any values provided in - 'Start Date' or 'End Date'. + 5. **Completion**: The action logs the status and returns the final result to + the SOAR platform. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: >- - Adds data tables (Peers, Account Usage) and JSON results to the action output - within the Google SecOps case. + internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Team Cymru Scout API to retrieve communications + information for IP addresses. It does not modify any external or internal system + state. It adds data tables to the action result for display purposes, which + is standard for enrichment actions and does not constitute internal data mutation. categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches data from an external source (Team Cymru Scout) and does + not mutate any external or internal state. It adds data tables to the result, + which is permitted for enrichment actions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -526,6 +539,10 @@ Get Communications Info: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action extracts IP addresses directly from the action parameter 'IP Addresses' + rather than iterating over 'siemplify.target_entities'. Therefore, it does not + run on entities. Get Fingerprints Info: action_product_categories: add_alert_comment: false @@ -541,6 +558,11 @@ Get Fingerprints Info: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves detailed fingerprint information for IP addresses, which + provides threat intelligence and context for the indicators. This aligns with + the 'Enrich IOC' category. It does not perform any other actions like ticketing, + blocking, or alert management. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -556,81 +578,68 @@ Get Fingerprints Info: update_identity: false update_ticket: false ai_description: >- - ### General Description - - The **Get Fingerprints Info** action retrieves detailed fingerprinting data for - a list of IP addresses from the Team Cymru Scout platform. This information helps - analysts identify the types of services, protocols, and unique signatures associated - with an IP, providing deep visibility into the nature of the traffic or the host's - identity. + Retrieves detailed fingerprint information for specified IP addresses from Team + Cymru Scout. This action provides contextual intelligence regarding the fingerprints + associated with the provided indicators. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **IP Addresses** | String | Yes | A comma-separated list of IPv4 or IPv6 addresses - to investigate. | - - | **Limit** | String | Yes | The maximum number of valid IP addresses to process - in a single execution. | - - | **Start Date** | String | No | The beginning of the search window (YYYY-MM-DD). - Defaults to 29 days ago. | - - | **End Date** | String | No | The end of the search window (YYYY-MM-DD). Defaults - to today. | - - | **Days** | String | No | An integer representing a relative offset in days from - the current time. If provided, this takes priority over Start/End dates. | + | IP Addresses | String | Yes | Comma-separated list of IPv4 or IPv6 addresses + to fetch information for. | - | **Size** | String | No | The maximum number of fingerprint records to return - per IP (Max: 1000). | + | Limit | String | Yes | The maximum number of valid IP addresses to be processed. + | + | Start Date | String | No | The latest date for results (YYYY-MM-DD). Defaults + to 29 days prior to today. | - ### Flow Description + | End Date | String | No | The earliest date for results (YYYY-MM-DD). Defaults + to today's date. | - 1. **Parameter Extraction:** The action parses the input IP addresses and configuration - settings (Limit, Dates, Size). + | Days | String | No | Relative offset in days from current time. Takes priority + over Start/End Date if provided. | - 2. **Validation:** It validates the format of the IP addresses and ensures the - date ranges or 'Days' offset are within the allowed limits (e.g., Start Date within - 90 days). + | Size | String | No | Size of the search results (max 1000). | - 3. **API Interaction:** For each valid IP (up to the defined Limit), the action - performs a GET request to the Team Cymru Scout `/ip/{ip}/details` endpoint, specifically - requesting the 'fingerprints' section. - 4. **Data Processing:** The retrieved JSON data is parsed to extract fingerprint - signatures, ports, protocols, and observation timestamps. + ### Flow - 5. **Output Generation:** The action populates a "Fingerprints" data table and - an "Account Usage" table in the Google SecOps case and attaches the raw JSON response - for further analysis. + 1. Extracts integration configuration and action parameters. + 2. Validates the provided IP addresses and optional date/size parameters. - ### Additional Notes + 3. Queries the Team Cymru Scout API for fingerprint details for each valid IP. - - If the **Days** parameter is provided, it will override the **Start Date** and - **End Date** parameters. + 4. Processes the API response to generate data tables (Fingerprints, Account Usage). - - The action supports both IPv4 and IPv6 addresses. + 5. Renders the data tables and adds the raw JSON response to the action results. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: >- - The action adds data tables (Fingerprints, Account Usage) and result JSON to - the Google SecOps case. + internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Team Cymru Scout API to retrieve fingerprint + information for provided IP addresses. It does not modify any external systems + or internal SOAR data (entities, alerts, or cases). It only renders data tables + and adds result JSON to the action output. categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches threat intelligence data (fingerprints) for IP addresses + from an external source. It does not mutate any external or internal state, + and it does not perform any forbidden actions like pinging or downloading files. + Therefore, it qualifies as an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -646,6 +655,10 @@ Get Fingerprints Info: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action extracts IP addresses directly from the action parameter 'IP Addresses' + rather than iterating over the 'target_entities' list provided by the SOAR platform. + Therefore, it does not operate on entities. Get IP Details: action_product_categories: add_alert_comment: false @@ -661,6 +674,10 @@ Get IP Details: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves reputation, prevalence, and threat intelligence (PDNS, + open ports, etc.) for IP indicators. This directly matches the 'Enrich IOC' + category. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -678,13 +695,11 @@ Get IP Details: ai_description: >- ### General Description - This action retrieves comprehensive threat intelligence and network telemetry - for a list of provided IP addresses from Team Cymru Scout. It is designed to provide - analysts with deep visibility into an IP's history and behavior, including WHOIS - records, Passive DNS (PDNS) data, open ports, SSL/TLS certificates, and communication - peers. The action processes multiple IPs simultaneously (up to a configurable - limit) and presents the findings in structured data tables for easy analysis within - the SOAR interface. + The 'Get IP Details' action retrieves comprehensive threat intelligence and contextual + information for specified IP addresses using the Team Cymru Scout service. This + action allows analysts to query historical data, including PDNS, open ports, peer + communications, and WHOIS information, to assist in incident investigation and + threat hunting. ### Parameters Description @@ -693,78 +708,62 @@ Get IP Details: | :--- | :--- | :--- | :--- | - | **IP Addresses** | String | Yes | A comma-separated list of IPv4 or IPv6 addresses - to investigate. | + | IP Addresses | String | Yes | A comma-separated list of IPv4 or IPv6 addresses + to fetch information for. | - | **Limit** | String | Yes | The maximum number of valid IP addresses to process - in a single execution (default is 10). | + | Limit | String | Yes | The maximum number of valid IP addresses to process. + | - | **Start Date** | String | No | The start of the search window in YYYY-MM-DD - format (UTC). Defaults to 29 days ago if not provided. | + | Start Date | String | No | The start date for the query in YYYY-MM-DD format. + Defaults to 29 days prior to today. | - | **End Date** | String | No | The end of the search window in YYYY-MM-DD format - (UTC). Defaults to the current date if not provided. | + | End Date | String | No | The end date for the query in YYYY-MM-DD format. Defaults + to today's date. | - | **Days** | String | No | A relative offset in days from the current time. If - provided, this takes priority over Start/End dates. | + | Days | String | No | Relative offset in days from the current time. Takes priority + over Start/End Date if provided. | - | **Size** | String | No | The maximum number of records to return for specific - search results (max 1000). | + | Size | String | No | The number of records to return (max 1000). | ### Flow Description - 1. **Input Validation:** The action parses the comma-separated list of IP addresses, - removes duplicates, and validates the format (IPv4/IPv6). It also validates date - formats and the 'Days'/'Size' integers. - - 2. **API Authentication:** Connects to the Team Cymru Scout API using either an - API Key or Username/Password credentials. - - 3. **Data Retrieval:** For each valid IP address (up to the specified limit), - the action performs a GET request to the `/ip/{ip}/details` endpoint, applying - the date and size filters. - - 4. **Result Aggregation:** The raw JSON response for each IP is collected. The - action also calculates API usage statistics (remaining queries). - - 5. **Table Generation:** The action transforms the complex JSON response into - several human-readable data tables: - * **Summary Information:** High-level overview including Country Code, WHOIS - data, and overall insight ratings. - * **Insights:** Specific threat indicators or behavioral observations. - * **Top PDNS:** Recent Passive DNS resolutions. - * **Top Peers:** Significant network communication partners. - * **Top Open Ports:** Services identified on the host. - * **Top Fingerprints & Certificates:** Cryptographic and service-level identification - data. - 6. **Final Output:** The action returns a success status if at least one IP was - successfully queried, providing the full JSON result and the generated tables - to the case wall. + 1. **Initialization**: The action extracts configuration parameters (API credentials) + and action inputs (IPs, dates, limits). + 2. **Validation**: It validates the provided IP addresses, ensuring they are correctly + formatted and removing duplicates. It also validates date ranges and optional + parameters. - ### Additional Notes + 3. **Data Retrieval**: The action iterates through the valid IP addresses and + performs API calls to the Team Cymru Scout service to fetch detailed information. - - If the number of valid IPs exceeds the **Limit** parameter, the extra IPs are - skipped and a warning is logged. + 4. **Data Processing**: The retrieved data is processed and organized into structured + tables (e.g., Summary, PDNS, Open Ports, Peers, Fingerprints, Certificates). - - The **Days** parameter, if provided, will override any values in **Start Date** - or **End Date**. + 5. **Output**: The action renders the data tables in the SOAR case and adds the + raw JSON response to the action results. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: >- - The action populates the action results with multiple data tables (Summary, - Insights, PDNS, Peers, Ports, Fingerprints, Certificates) and a JSON result - containing the raw intelligence data. + internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Team Cymru Scout API to retrieve IP + intelligence. It does not modify any external systems (no POST/PUT/DELETE). + It does not modify internal SOAR data (no entity updates, no insight creation, + no case comments). It simply renders data tables for the analyst to review. categories: enrichment: true + reasoning: >- + The action is an enrichment action because it fetches contextual data about + indicators (IPs) from an external source and displays it without modifying any + external or internal state. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -780,6 +779,10 @@ Get IP Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action extracts IP addresses directly from the action parameters ('IP Addresses') + rather than iterating over the 'target_entities' list provided by the SOAR platform. + Therefore, it does not run on entities. Get PDNS Info: action_product_categories: add_alert_comment: false @@ -795,6 +798,11 @@ Get PDNS Info: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves PDNS information for IP addresses, which provides threat + intelligence and context for an indicator. This aligns with the 'Enrich IOC' + category. It does not perform any other actions like ticket creation, host containment, + or alert modification. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -810,84 +818,83 @@ Get PDNS Info: update_identity: false update_ticket: false ai_description: >- - ### General Description + Retrieves detailed Passive DNS (PDNS) information for specified IP addresses using + the Team Cymru Scout service. This action allows analysts to query historical + DNS data associated with IP addresses to aid in threat investigation and infrastructure + analysis. - The **Get PDNS Info** action retrieves detailed Passive DNS (PDNS) information - for a specified list of IP addresses from the Team Cymru Scout platform. This - action provides historical context on domain resolutions associated with an IP, - enabling analysts to identify malicious infrastructure, historical activity, and - prevalence. It outputs results as a JSON object and populates data tables within - the case for easy review. + ### Flow Description - ### Parameters Description + 1. **Input Extraction**: The action extracts the provided IP addresses, limit, + and optional date/size parameters from the action configuration. - | Parameter | Type | Mandatory | Description | + 2. **Validation**: It validates the format of the IP addresses and optional date/size + parameters (e.g., ensuring dates are in YYYY-MM-DD format and within allowed ranges). - | :--- | :--- | :--- | :--- | + 3. **API Interaction**: It initializes the API manager and performs a GET request + to the Team Cymru Scout API to fetch PDNS details for the valid IP addresses. - | **IP Addresses** | String | Yes | A comma-separated list of IPv4 or IPv6 addresses - to fetch PDNS information for. | + 4. **Data Processing**: The action processes the API response, extracting relevant + PDNS records. - | **Limit** | String | Yes | The maximum number of valid IP addresses to process - in a single execution. Must be a positive integer. | + 5. **Result Generation**: It generates data tables (PDNS Information, Account + Usage) and adds the raw JSON response to the action results for the analyst to + review. - | **Start Date** | String | No | The latest date for results, formatted as YYYY-MM-DD - in UTC. Defaults to 29 days prior to today if not provided. | + 6. **Completion**: The action concludes by providing a summary message indicating + the success or failure of the operation. - | **End Date** | String | No | The earliest date for results, formatted as YYYY-MM-DD - in UTC. Defaults to the current date if not provided. | - | **Days** | String | No | Relative offset in days (integer) from the current - time. **Note:** This parameter takes priority over Start Date and End Date if - all three are provided. | + ### Parameters - | **Size** | String | No | The number of records to return per search (maximum - 1000). | + | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Flow Description + | IP Addresses | String | Yes | Comma-separated list of IPv4 or IPv6 addresses + to fetch information for. | - 1. **Initialization:** The action extracts the provided IP addresses and configuration - parameters, including limits and time-range filters. + | Limit | String | Yes | The maximum number of valid IP addresses to be allowed. + | - 2. **Validation:** It validates the format of the IP addresses and ensures the - date parameters are logically sound (e.g., Start Date is not after End Date and - is within the 90-day historical limit). + | Start Date | String | No | The earliest date for results, formatted YYYY-MM-DD + in UTC time. | - 3. **API Execution:** For each valid IP address (up to the specified limit), the - action performs a GET request to the Team Cymru Scout `/ip/{ip}/details` endpoint - to retrieve PDNS records. + | End Date | String | No | The latest date for results, formatted YYYY-MM-DD in + UTC time. | - 4. **Data Processing:** The retrieved data is parsed to extract domain names, - event counts, and first/last seen timestamps. + | Days | String | No | Relative offset in days (integer) from current time in + UTC. Takes priority over Start/End Date if provided. | - 5. **Output Generation:** The action adds the raw response to the JSON result, - renders a data table for the PDNS information, and creates an 'Account Usage' - table to track remaining API credits. + | Size | String | No | Size, in records, of the search results (Max 1000). | ### Additional Notes - - The action handles batching and respects the maximum record size of 1000 per - IP. - - - If the `Days` parameter is used, it overrides any values provided in `Start - Date` or `End Date`. + - The action does not modify any external or internal systems; it is strictly + for information retrieval. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: >- - Adds data tables containing PDNS records and API usage statistics to the Google - SecOps case. + internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Team Cymru Scout API to retrieve PDNS + information for provided IP addresses. It does not modify any external systems + (no POST/PUT/DELETE) nor does it modify internal SOAR case data (entities, insights, + or comments). It only renders data tables in the action results. categories: - enrichment: false + enrichment: true + reasoning: >- + The action is designed to fetch contextual threat intelligence (PDNS data) for + IP addresses. It does not mutate external systems, nor does it perform any restricted + internal mutations. It fits the definition of an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -903,6 +910,10 @@ Get PDNS Info: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action extracts IP addresses directly from the action parameters ('IP Addresses') + rather than iterating over the 'target_entities' list provided by the SOAR platform. + Therefore, it does not run on entities. Get Ports Info: action_product_categories: add_alert_comment: false @@ -918,12 +929,17 @@ Get Ports Info: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action fetches threat intelligence (open ports information) for an IP address. + This matches the 'Enrich IOC' category as it provides contextual intelligence + for an indicator. It does not perform any other actions like ticketing, blocking, + or alert management. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false search_asset: false search_email: false - search_events: true + search_events: false send_email: false send_message: false submit_file: false @@ -932,80 +948,54 @@ Get Ports Info: update_email: false update_identity: false update_ticket: false - ai_description: >- - Retrieves detailed open ports information for specified IP addresses from Team - Cymru Scout. This action allows analysts to investigate the network footprint - of an IP by identifying active services, protocols, and historical visibility - of open ports. - - - ### Flow Description - - 1. **Parameter Extraction & Validation**: The action parses the input `IP Addresses` - (comma-separated) and validates them against IPv4/IPv6 formats. It also validates - time-range parameters like `Days`, `Start Date`, and `End Date`. - - 2. **Authentication**: Connects to the Team Cymru Scout API using the configured - authentication method (API Key or Username/Password). - - 3. **Data Retrieval**: For each valid IP address (up to the specified `Limit`), - the action fetches detailed port information from the `open_ports` section of - the API. - - 4. **Data Processing**: The retrieved data is transformed into a structured format, - including service names, port numbers, protocols, and first/last seen timestamps. - - 5. **Output Generation**: The action generates an "Open Ports" data table and - an "Account Usage" table (showing API quota status) within the Google SecOps case. - It also returns the raw JSON response for use in subsequent playbook steps. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | IP Addresses | String | Yes | Comma-separated list of IPv4 or IPv6 addresses - to fetch port information for. | - - | Limit | String | Yes | The maximum number of valid IP addresses to process in - a single execution (Default is 10). | - - | Start Date | String | No | The latest date for results (YYYY-MM-DD). Defaults - to 29 days prior to today if not provided. | - - | End Date | String | No | The earliest date for results (YYYY-MM-DD). Defaults - to today's date. | - - | Days | String | No | Relative offset in days from current time. This takes priority - over Start/End dates if provided. | - - | Size | String | No | The number of records to return per search (Maximum allowed - is 1000). | - - - ### Additional Notes - - - The `Days` parameter is an integer representing a relative offset and will override - specific date filters if both are provided. - - - The action performs internal mutations by adding data tables to the case wall - but does not modify external system states or existing entity attributes. + ai_description: "### General Description\nThe **Get Ports Info** action retrieves\ + \ detailed open ports information for specified IP addresses from the Team Cymru\ + \ Scout service. This action allows analysts to gather threat intelligence regarding\ + \ network services and open ports associated with an IP, which is critical for\ + \ identifying potential attack vectors or unauthorized services.\n\n### Parameters\ + \ Description\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- |\ + \ :--- | :--- |\n| IP Addresses | string | Yes | A comma-separated list of IP\ + \ addresses (IPv4 or IPv6) to fetch information for. |\n| Limit | string | Yes\ + \ | The maximum number of valid IP addresses to process. |\n| Start Date | string\ + \ | No | The latest date for results (YYYY-MM-DD). Defaults to 29 days prior to\ + \ today. |\n| End Date | string | No | The earliest date for results (YYYY-MM-DD).\ + \ Defaults to today's date. |\n| Days | string | No | Relative offset in days\ + \ from current time. Takes priority over Start/End Date if provided. |\n| Size\ + \ | string | No | The size, in records, of the search results (max 1000). |\n\n\ + ### Additional Notes\n- The action validates the provided IP addresses and dates.\ + \ \n- If `Days` is provided, it takes priority over `Start Date` and `End Date`.\n\ + - The action renders multiple data tables in the SOAR case, including Open Ports\ + \ information and Account Usage statistics.\n\n### Flow Description\n1. **Initialization**:\ + \ The action initializes the `SiemplifyAction` and retrieves integration parameters\ + \ (API credentials).\n2. **Validation**: It validates the input IP addresses and\ + \ optional date/size parameters.\n3. **API Interaction**: It connects to the Team\ + \ Cymru Scout API using the `ApiManager` to fetch detailed port information for\ + \ the valid IPs.\n4. **Data Processing**: It processes the API response, handling\ + \ any errors or invalid IPs.\n5. **Output**: It adds the raw JSON response to\ + \ the action result and renders data tables (e.g., Open Ports, Account Usage)\ + \ for the analyst to review." capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: >- - Adds data tables for 'Open Ports' and 'Account Usage' to the Google SecOps case - and populates the action's JSON result with the raw API response. + internal_data_mutation_explanation: null + reasoning: >- + The action fetches data from the Team Cymru Scout API based on user-provided + IP addresses. It does not mutate any external systems (no POST/PUT/DELETE). + It does not mutate internal SOAR data (it does not update entities, create insights, + or add case comments). It only adds result JSON and renders data tables for + reporting purposes. categories: enrichment: false + reasoning: >- + The action fetches data, but it does not run on entities (it uses an input parameter) + and does not update entity, case, or alert data. Therefore, it does not meet + the criteria for an Enrichment Action in the context of SOAR entity enrichment. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1021,6 +1011,9 @@ Get Ports Info: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action extracts IP addresses from the 'IP Addresses' action parameter, not + from the `target_entities` list. Therefore, it does not run on entities. Get Proto Info: action_product_categories: add_alert_comment: false @@ -1036,6 +1029,11 @@ Get Proto Info: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves protocol information for IP addresses, which provides threat + intelligence and context. This aligns with the 'Enrich IOC' category. It does + not perform any other actions like updating tickets, blocking IPs, or modifying + alerts. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1050,36 +1048,69 @@ Get Proto Info: update_email: false update_identity: false update_ticket: false - ai_description: "### General Description\nRetrieves detailed protocol information\ - \ for specified IP addresses from Team Cymru Scout. This action allows analysts\ - \ to investigate network traffic patterns by fetching historical protocol data\ - \ associated with an IP, including event counts and date-based breakdowns. It\ - \ is useful for identifying unusual protocol usage or verifying communication\ - \ patterns during forensic investigations.\n\n### Parameters Description\n| Parameter\ - \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| IP Addresses\ - \ | String | Yes | A comma-separated list of IPv4 or IPv6 addresses to fetch detailed\ - \ protocol information for. |\n| Limit | String | Yes | The maximum number of\ - \ valid IP addresses to process in a single execution. Default is 10. |\n| Start\ - \ Date | String | No | The latest date for results in YYYY-MM-DD format (UTC).\ - \ Defaults to 29 days prior to today if not provided. |\n| End Date | String |\ - \ No | The earliest date for results in YYYY-MM-DD format (UTC). Defaults to today's\ - \ date if not provided. |\n| Days | String | No | Relative offset in days (integer)\ - \ from the current time. If provided, this takes priority over Start Date and\ - \ End Date. |\n| Size | String | No | The number of records to return in the search\ - \ results (maximum 1000). |\n\n### Additional Notes\n- The action performs validation\ - \ on the provided IP addresses and date ranges. \n- If the `Days` parameter is\ - \ provided, it will override any values in `Start Date` or `End Date`.\n- The\ - \ action provides an 'Account Usage' table to help track API quota consumption.\n\ - \n### Flow Description\n1. **Parameter Extraction**: The action extracts the IP\ - \ addresses, limit, and optional date/size filters from the input.\n2. **Validation**:\ - \ It validates the format of the IP addresses and ensures the date range is within\ - \ the supported limits (e.g., start date not older than 90 days, range not exceeding\ - \ 30 days).\n3. **API Interaction**: For each valid IP address (up to the specified\ - \ limit), the action queries the Team Cymru Scout API's `proto_by_ip` section.\n\ - 4. **Data Processing**: The retrieved protocol data is aggregated and formatted\ - \ into a JSON result.\n5. **Output Generation**: The action generates a data table\ - \ named 'Proto By IP' containing the detailed protocol records and an 'Account\ - \ Usage' table showing remaining API queries." + ai_description: >- + ### General Description + + The **Get Proto Info** action retrieves detailed protocol information for specified + IP addresses from the Team Cymru Scout service. This action allows analysts to + query historical protocol data, providing visibility into network communications + associated with specific IP addresses. The results are presented in structured + data tables within the action output, facilitating quick analysis of network behavior. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | IP Addresses | string | Yes | A comma-separated list of IP addresses (IPv4 or + IPv6) to fetch information for. | + + | Limit | string | Yes | The maximum number of valid IP addresses to be processed. + | + + | Start Date | string | No | The latest date for results, formatted YYYY-MM-DD + in UTC. Defaults to 29 days prior to today. | + + | End Date | string | No | The earliest date for results, formatted YYYY-MM-DD + in UTC. Defaults to today's date. | + + | Days | string | No | Relative offset in days from the current time. This takes + priority over Start Date and End Date if provided. | + + | Size | string | No | The number of records to return in the search results (max + 1000). | + + + ### Additional Notes + + - The action validates the provided IP addresses and date formats before making + API calls. + + - If both `Start Date` and `End Date` are provided, they must be within a 30-day + range. + + - The `Days` parameter, if provided, overrides the `Start Date` and `End Date` + parameters. + + + ### Flow Description + + 1. **Initialization**: The action initializes the `SiemplifyAction` and retrieves + integration configuration parameters (API credentials). + + 2. **Validation**: It validates the input IP addresses and optional parameters + (Start Date, End Date, Days, Size) using internal validation logic. + + 3. **API Interaction**: It calls the Team Cymru Scout API to fetch protocol information + for the valid IP addresses. + + 4. **Data Processing**: The API response is processed, and relevant data tables + (e.g., Proto By IP) are generated. + + 5. **Output**: The action renders the data tables in the action result and adds + the raw JSON response to the result object. capabilities: can_create_case_comments: false can_create_insight: false @@ -1090,8 +1121,18 @@ Get Proto Info: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches protocol information from an external API (Team Cymru Scout) + and renders it into data tables. It does not mutate external systems, update + entities, create insights, or modify alert data. It is a read-only enrichment + action. categories: enrichment: true + reasoning: >- + The action fetches contextual data (protocol information) about IP addresses + from an external source and displays it to the user. It does not mutate external + systems or internal SOAR data (entities, insights, etc.). It meets the criteria + for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1107,6 +1148,10 @@ Get Proto Info: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action takes IP addresses as a string input parameter (`IP Addresses`) rather + than operating on `siemplify.target_entities`. Therefore, it does not run on + specific entity types. Get Whois Info: action_product_categories: add_alert_comment: false @@ -1122,6 +1167,10 @@ Get Whois Info: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves Whois information for IP addresses, which provides context + and threat intelligence. This aligns with the 'Enrich IOC' category. It does + not perform any other actions like ticketing, blocking, or alert management. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1137,64 +1186,52 @@ Get Whois Info: update_identity: false update_ticket: false ai_description: >- - ### General Description - - The **Get Whois Info** action retrieves detailed Whois registration data for a - list of IP addresses from the Team Cymru Scout platform. It provides critical - context for security investigations, such as Autonomous System Numbers (ASN), - organization names, network names, and contact information. + Retrieves detailed Whois information for specified IP addresses from the Team + Cymru Scout service. This action provides contextual intelligence regarding the + ownership and network details of the provided indicators. - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | + ### Flow Description - | **IP Addresses** | String | Yes | A comma-separated list of IPv4 or IPv6 addresses - to investigate. | + 1. **Input Extraction**: The action extracts the provided IP addresses, limit, + and optional date/size parameters from the action configuration. - | **Limit** | String | Yes | The maximum number of valid IP addresses to process - in a single execution (default is 10). | + 2. **Validation**: It validates the format of the IP addresses and the provided + date ranges. - | **Start Date** | String | No | The latest date for results in YYYY-MM-DD format - (UTC). Defaults to 29 days ago if not provided. | + 3. **API Interaction**: It performs a GET request to the Team Cymru Scout API + to fetch Whois details for the valid IP addresses. - | **End Date** | String | No | The earliest date for results in YYYY-MM-DD format - (UTC). Defaults to today if not provided. | + 4. **Result Processing**: The raw API response is added to the action's JSON results. - | **Days** | String | No | An integer representing a relative offset in days from - the current time. If provided, this takes priority over Start and End dates. | + 5. **Data Presentation**: The action generates and renders a data table containing + the retrieved Whois information (e.g., ASN, Org Name, Contact IDs) for the analyst + to review. - | **Size** | String | No | The number of records to return per search (maximum - 1000). | + ### Parameters - ### Flow Description - - 1. **Initialization**: The action extracts authentication credentials and input - parameters from the integration environment. + | Parameter | Type | Mandatory | Description | - 2. **Validation**: It validates the format of the provided IP addresses, removes - duplicates, and enforces the processing limit defined by the user. + | :--- | :--- | :--- | :--- | - 3. **Data Retrieval**: For each valid IP address, the action sends a request to - the Team Cymru Scout API to fetch Whois-specific details. + | IP Addresses | string | Yes | The IP address(es) to fetch detailed information + for. Supports IPv4 and IPv6. | - 4. **Data Processing**: The raw API response is parsed to extract key fields like - ASN, BGP information, and organizational contacts. + | Limit | string | Yes | The maximum number of valid IP addresses to be allowed. + | - 5. **Output Generation**: The action populates a data table named 'Whois' with - the findings, attaches the full raw response as JSON, and provides a summary of - the API usage. + | Start Date | string | No | The latest date for results, formatted YYYY-MM-DD + in UTC time. Defaults to 29 days prior to today. | + | End Date | string | No | The earliest date for results, formatted YYYY-MM-DD + in UTC time. Defaults to today's date. | - ### Additional Notes + | Days | string | No | Relative offset in days from current time in UTC. Takes + priority over Start/End Date if provided. | - - This action is read-only and does not modify any data within Team Cymru Scout. - - - If the 'Days' parameter is provided, it will override any values provided in - the 'Start Date' and 'End Date' parameters. + | Size | string | No | Size, in records, of the search results. Maximum allowed + size is 1000. | capabilities: can_create_case_comments: false can_create_insight: false @@ -1205,8 +1242,16 @@ Get Whois Info: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve Whois information for IP addresses. + It does not modify external systems or internal case data (other than adding + result tables, which is standard reporting). categories: enrichment: true + reasoning: >- + The action fetches data (Whois info) and presents it in tables. It does not + mutate external systems or modify internal case data. It fits the definition + of an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1222,6 +1267,10 @@ Get Whois Info: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action takes IP addresses as a string input parameter rather than operating + on `siemplify.target_entities`. Therefore, it does not run on specific entity + types. Get X509 Info: action_product_categories: add_alert_comment: false @@ -1234,15 +1283,19 @@ Get X509 Info: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: false + enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves contextual metadata (X509 certificate information) for + IP addresses, which are indicators of compromise (IOCs). This aligns with the + 'Enrich IOC' category as it provides threat intelligence context for the indicator. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false search_asset: false search_email: false - search_events: true + search_events: false send_email: false send_message: false submit_file: false @@ -1251,50 +1304,81 @@ Get X509 Info: update_email: false update_identity: false update_ticket: false - ai_description: "Retrieves detailed X509 certificate information for specified IP\ - \ addresses from Team Cymru Scout. This action allows analysts to investigate\ - \ the SSL/TLS certificates associated with an IP, providing insights into the\ - \ certificate's validity, issuer, and subject details. It supports both IPv4 and\ - \ IPv6 addresses and allows for historical lookups within a 90-day window.\n\n\ - ### Parameters Description\n\n| Parameter | Type | Mandatory | Description |\n\ - | :--- | :--- | :--- | :--- |\n| IP Addresses | String | Yes | A comma-separated\ - \ list of IPv4 or IPv6 addresses to fetch certificate information for. |\n| Limit\ - \ | String | Yes | The maximum number of valid IP addresses to process in a single\ - \ execution. Default is 10. |\n| Start Date | String | No | The latest date for\ - \ results (YYYY-MM-DD) in UTC. Defaults to 29 days prior to today. |\n| End Date\ - \ | String | No | The earliest date for results (YYYY-MM-DD) in UTC. Defaults\ - \ to the current date. |\n| Days | String | No | A relative offset in days from\ - \ the current time. If provided, this takes priority over Start Date and End Date.\ - \ |\n| Size | String | No | The number of records to retrieve per search. Maximum\ - \ allowed value is 1000. |\n\n### Flow Description\n\n1. **Validation**: The\ - \ action parses the input IP addresses and validates their format (IPv4/IPv6).\ - \ It also validates the date parameters, ensuring the search range does not exceed\ - \ 30 days and the start date is not older than 90 days.\n2. **API Interaction**:\ - \ For each valid IP address (up to the specified limit), the action calls the\ - \ Team Cymru Scout API to retrieve X509 certificate metadata.\n3. **Data Processing**:\ - \ The action extracts certificate details such as the common name, issuer, serial\ - \ number, and validity period.\n4. **Output Generation**: \n * A **Certificates**\ - \ data table is created containing the processed certificate information.\n \ - \ * An **Account Usage** data table is generated to show remaining API query\ - \ quotas.\n * The raw API response is attached as a JSON result for further\ - \ automated processing.\n\n### Additional Notes\n\n* The `Days` parameter is\ - \ the most efficient way to define a relative search window and will override\ - \ specific date inputs.\n* If multiple IPs are provided, the action processes\ - \ them sequentially up to the defined `Limit`." + ai_description: >- + Retrieves detailed X509 certificate information for specified IP addresses from + the Team Cymru Scout service. This action allows analysts to query historical + X509 data associated with IP addresses to support threat investigation and infrastructure + analysis. + + + ### Flow Description + + 1. **Parameter Extraction**: The action extracts the required IP addresses, limit, + and optional date/size parameters from the action configuration. + + 2. **Validation**: It validates the provided IP addresses and optional date/size + parameters to ensure they meet the required formats and constraints. + + 3. **API Interaction**: It queries the Team Cymru Scout API to fetch X509 certificate + details for the valid IP addresses. + + 4. **Data Processing**: The retrieved data is processed and formatted into readable + tables. + + 5. **Result Generation**: The action renders the data tables in the SOAR platform + and adds the raw JSON response to the action results for further analysis. + + + ### Parameters + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | IP Addresses | string | Yes | Comma-separated list of IPv4 or IPv6 addresses + to fetch information for. | + + | Limit | string | Yes | The maximum number of valid IP addresses to be processed. + | + + | Start Date | string | No | The latest date for results (YYYY-MM-DD). Defaults + to 29 days prior to today. | + + | End Date | string | No | The earliest date for results (YYYY-MM-DD). Defaults + to today's date. | + + | Days | string | No | Relative offset in days from current time. Takes priority + over Start/End Date if provided. | + + | Size | string | No | Size of the search results (max 1000). | + + + ### Additional Notes + + This action does not modify any internal SOAR data or external systems. It is + strictly a data retrieval and visualization action. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: >- - The action populates the 'Certificates' and 'Account Usage' data tables and - the action's JSON result within the Google SecOps case. + internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Team Cymru Scout API to retrieve X509 + information. It does not perform any POST/PUT/DELETE operations on external + systems (can_mutate_external_data=false). It does not update entities, create + insights, or modify alert data within the SOAR platform (can_mutate_internal_data=false). + It simply renders data tables for the analyst to view. categories: enrichment: false + reasoning: >- + While the action fetches data, it does not meet the strict criteria for an 'Enrichment + Action' because it does not update entity fields, create insights, or add case + comments. It is purely a data retrieval and display action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1310,6 +1394,10 @@ Get X509 Info: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action takes IP addresses as a direct input parameter from the user and + does not iterate over or process the `target_entities` list from the SOAR case. + Therefore, it does not run on entities. List IP Summary: action_product_categories: add_alert_comment: false @@ -1325,6 +1413,10 @@ List IP Summary: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves threat intelligence and summary information for IP addresses, + which aligns with the 'Enrich IOC' category. It does not perform any other actions + like ticketing, blocking, or alert management. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1340,58 +1432,38 @@ List IP Summary: update_identity: false update_ticket: false ai_description: >- - ### General Description - - The **List IP Summary** action fetches comprehensive threat intelligence and reputation - data for a provided list of IP addresses from the Team Cymru Scout platform. It - is designed to provide quick summary information, including ASN details, country - codes, and overall reputation ratings, for multiple indicators in a single execution. - This action is particularly useful for bulk enrichment of IP addresses during - the initial stages of an investigation. - - - ### Parameters Description + Fetches summary information for a list of IP addresses from Team Cymru Scout. + This action retrieves threat intelligence, including geo-location, ASN, and insights, + and renders the results as data tables within the action output. - | Parameter | Type | Mandatory | Description | Expected Value | Flow Impact | - | :--- | :--- | :--- | :--- | :--- | :--- | - - | **IP Addresses** | String | Yes | The list of IP addresses to be enriched. | - A comma-separated string of IPs (e.g., "1.1.1.1, 2.2.2.2"). | Determines the set - of indicators the action will query. | - - | **Limit** | String | Yes | The maximum number of valid IP addresses to process. - | A positive integer string (e.g., "10"). | Truncates the input list if the number - of valid IPs exceeds this value. | + ### Flow Description + 1. The action extracts the provided list of IP addresses and the processing limit + from the action parameters. - ### Flow Description + 2. It validates the IP addresses to ensure they are in the correct format. - 1. **Parameter Extraction:** The action retrieves the comma-separated list of - IP addresses and the processing limit from the input parameters. + 3. It calls the Team Cymru Scout API to retrieve summary information for the valid + IP addresses. - 2. **Validation and Cleaning:** It validates each IP address, removes duplicates, - and filters out invalid formats. If the number of valid IPs exceeds the specified - limit, the list is truncated. + 4. The action processes the API response, handling any errors or batching requirements. - 3. **API Interaction:** The action sends batched requests to the Team Cymru Scout - "Foundation" API endpoint to retrieve summary data for the valid IPs. + 5. It renders the retrieved data as tables (Summary Information, Insights) in + the action result. - 4. **Data Aggregation:** It processes the API responses, aggregating threat insights, - ASN information, and geographic data for each IP. - 5. **Output Generation:** The action populates the execution results with a JSON - object containing the raw data and generates three data tables: "Summary Information - for IPs", "Insights", and "Account Usage". + ### Parameters Description + | Parameter | Type | Mandatory | Description | - ### Additional Notes + | :--- | :--- | :--- | :--- | - - This action does not automatically process entities from the alert context; - it relies strictly on the manual input provided in the "IP Addresses" parameter. + | IP Addresses | string | Yes | A comma-separated list of IP addresses to be fetched. + | - - API usage statistics are tracked and displayed in the "Account Usage" table - to help monitor query quotas. + | Limit | string | Yes | The maximum number of valid IP addresses to be processed. + | capabilities: can_create_case_comments: false can_create_insight: false @@ -1402,8 +1474,16 @@ List IP Summary: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches IP summary data from the Team Cymru Scout API (fetches_data=true). + It does not perform any mutations on external systems or internal SecOps data + (no entity updates, insights, or comments). categories: enrichment: true + reasoning: >- + The action fetches data from an external source (Team Cymru Scout) and does + not mutate any external or internal systems. It provides contextual information + about IPs, fitting the enrichment category. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1419,6 +1499,9 @@ List IP Summary: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action takes a string of IP addresses as an input parameter. It does not + operate on `siemplify.target_entities`. Ping: action_product_categories: add_alert_comment: false @@ -1434,6 +1517,9 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test and does not perform any of the defined product + category operations such as enrichment, containment, ticketing, or alert management. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1449,40 +1535,27 @@ Ping: update_identity: false update_ticket: false ai_description: >- - ### General Description - Tests the connectivity and configuration of the Team Cymru Scout integration. - This action verifies that the provided credentials (either API Key or Username/Password) - are valid and that the Google SecOps environment can successfully communicate - with the Team Cymru Scout API. + This action performs a GET request to the integration's API usage endpoint to + verify that the provided credentials are valid and that the service is reachable. + It does not perform any data enrichment or modifications to external or internal + systems. - ### Parameters Description + ### Parameters There are no parameters for this action. - ### Additional Notes - - This action is primarily used for troubleshooting and initial setup verification. - It targets the `/usage` endpoint of the Team Cymru Scout API to confirm access. - - ### Flow Description - 1. **Retrieve Configuration:** The action fetches the integration's configuration - parameters, including the authentication type, credentials, and SSL verification - settings. + 1. Retrieves integration configuration parameters (API Key/Credentials). - 2. **Initialize API Manager:** An instance of the `ApiManager` is created using - the retrieved credentials. + 2. Initializes the API Manager with the provided credentials. - 3. **Connectivity Test:** The action calls the `api_usage` method, which performs - a GET request to the `/usage` endpoint. + 3. Executes a connectivity test by calling the API usage endpoint. - 4. **Result Handling:** If the API call returns a successful response (HTTP 200), - the action completes with a success message. If the call fails (e.g., due to invalid - credentials or network issues), the action fails and provides the error details. + 4. Returns a success or failure message based on the API response. capabilities: can_create_case_comments: false can_create_insight: false @@ -1493,8 +1566,15 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Team Cymru Scout API to verify connectivity + and check account usage. It does not modify any external or internal data, nor + does it interact with entities or create insights. categories: enrichment: false + reasoning: >- + The action is named 'Ping' and is used to test connectivity. Per the instructions, + actions named 'Ping' must not be categorized as enrichment actions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1510,3 +1590,5 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. diff --git a/content/response_integrations/third_party/community/team_cymru_scout/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/team_cymru_scout/resources/ai/integration_ai_description.yaml index 2e831240c..bd8327983 100644 --- a/content/response_integrations/third_party/community/team_cymru_scout/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/community/team_cymru_scout/resources/ai/integration_ai_description.yaml @@ -7,6 +7,20 @@ product_categories: iam_and_identity_management: false itsm: false network_security: false - siem: false + reasoning: >- + The Team Cymru Scout integration provides threat intelligence data, including + reputation, tags, historical telemetry, PDNS, WHOIS, and X509 information for + IP addresses and domains. Threat Intelligence: The integration is a primary source + of enrichment for external indicators (IPs, domains), providing reputation, risk + scores, and historical context, which directly matches the Threat Intelligence + category. SIEM: The integration provides access to historical telemetry and netflow + data, enabling analysts to investigate if an IOC has been seen globally and identify + the source of suspicious activity, aligning with the SIEM category. Other Categories: + The integration does not perform EDR (no host/process-level activity), Network + Security (no firewall/WAF log retrieval or blocking), Email Security, IAM, Cloud + Security, ITSM, Vulnerability Management, Asset Inventory, or Collaboration, as + it focuses exclusively on external threat intelligence and historical telemetry + retrieval. + siem: true threat_intelligence: true vulnerability_management: false diff --git a/content/response_integrations/third_party/community/telegram/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/telegram/resources/ai/actions_ai_description.yaml index a7cc133ea..baef2854e 100644 --- a/content/response_integrations/third_party/community/telegram/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/telegram/resources/ai/actions_ai_description.yaml @@ -13,6 +13,10 @@ Get Bot Details: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves bot configuration details from the Telegram API. It does + not match any of the defined categories such as Enrich IOC, Enrich Asset, or + Alert management, as it is a utility action for verifying integration settings. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -27,22 +31,41 @@ Get Bot Details: update_email: false update_identity: false update_ticket: false - ai_description: "### General Description\nRetrieves the details of the Telegram\ - \ bot configured in the integration. This action is primarily used to verify the\ - \ bot's identity and connectivity by fetching its basic information, such as its\ - \ ID, name, and username, directly from the Telegram API.\n\n### Parameters Description\n\ - This action does not require any input parameters.\n\n### Additional Notes\n*\ - \ The action relies on the **API Token** provided in the integration's configuration\ - \ to authenticate with the Telegram Bot API.\n* It uses the Telegram `getMe` endpoint,\ - \ which is a simple method for testing a bot's auth token.\n\n### Flow Description\n\ - 1. **Configuration Extraction:** The action retrieves the `API Token` from the\ - \ Telegram integration settings.\n2. **Manager Initialization:** It initializes\ - \ the `TelegramManager` using the extracted token.\n3. **API Interaction:** The\ - \ action calls the `get_bot_details` method, which sends a GET request to the\ - \ Telegram `getMe` endpoint.\n4. **Result Processing:** \n * If successful,\ - \ the bot's details (JSON) are added to the action's results.\n * If the request\ - \ fails (e.g., invalid token or network error), the action reports a failure with\ - \ the corresponding error message." + ai_description: >- + ### General Description + + This action retrieves the configuration details of the configured Telegram bot. + It is primarily used to verify the connectivity and validity of the Telegram API + token provided in the integration settings. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | API Token | String | Yes | The API token used to authenticate with the Telegram + Bot API. | + + + ### Flow Description + + 1. The action initializes the `TelegramManager` using the provided API token. + + 2. It executes a `GET` request to the Telegram API's `/getMe` endpoint. + + 3. The response, containing the bot's details, is captured and returned as a JSON + result. + + 4. The action concludes by logging the status and returning the result to the + SOAR platform. + + + ### Additional Notes + + This action is a utility operation and does not perform any modifications to external + systems or internal SOAR data. capabilities: can_create_case_comments: false can_create_insight: false @@ -53,8 +76,17 @@ Get Bot Details: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Telegram API to retrieve bot information. + It does not modify external systems, update entities, or create insights. It + is a read-only operation used for configuration verification. categories: enrichment: false + reasoning: >- + While the action fetches data, it does not gather supplemental context about + alerts or entities. It is a utility action for verifying integration connectivity + and configuration. Therefore, it does not meet the criteria for an Enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -70,6 +102,9 @@ Get Bot Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. It is a global utility action + that operates independently of the case or alert entities. Get Chat Details: action_product_categories: add_alert_comment: false @@ -85,6 +120,10 @@ Get Chat Details: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves chat details from Telegram. It does not match any of the + defined categories such as 'Enrich IOC', 'Enrich Asset', 'Create Ticket', or + 'Get Alert Information' (as it retrieves chat info, not alert info). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -99,47 +138,22 @@ Get Chat Details: update_email: false update_identity: false update_ticket: false - ai_description: >- - ### General Description - - Retrieves detailed information about a specific Telegram chat using its unique - identifier or username. This action is useful for gathering metadata about groups, - channels, or private chats, such as the chat title, type, and the invite link - if available. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Chat ID | String | Yes | The unique identifier or username for the target Telegram - chat (e.g., a numeric ID or '@username'). | - - - ### Flow Description - - 1. **Initialization**: The action initializes the Telegram Manager using the API - Token provided in the integration configuration. - - 2. **Parameter Extraction**: It retrieves the 'Chat ID' from the action parameters. - - 3. **API Interaction**: The action calls the Telegram API's `getChat` endpoint - to fetch the details of the specified chat. - - 4. **Data Processing**: It extracts the `invite_link` from the API response to - provide a direct link to the chat. - - 5. **Output**: The action returns the full chat details as a JSON object and adds - the invite link to the action results in the Google SecOps interface. - - - ### Additional Notes - - This action does not operate on entities; it requires a specific Chat ID to be - provided manually or via a playbook property. It is a read-only operation and - does not modify any data within Telegram. + ai_description: "### General Description\nThis action retrieves detailed information\ + \ about a specific Telegram chat using the Telegram Bot API. It is designed to\ + \ fetch metadata, such as the invite link, for a given chat identifier. This action\ + \ is useful for gathering context about communication channels within the Telegram\ + \ platform.\n\n### Parameters Description\n| Parameter | Type | Mandatory | Description\ + \ |\n| :--- | :--- | :--- | :--- |\n| Chat ID | string | Yes | The unique identifier\ + \ or username of the Telegram chat to retrieve details for. |\n\n### Flow Description\n\ + 1. **Initialization**: The action extracts the `API Token` from the integration\ + \ configuration and the `Chat ID` from the action parameters.\n2. **Data Retrieval**:\ + \ It initializes the `TelegramManager` and calls the `get_chat_details` method,\ + \ which performs a GET request to the Telegram API (`/getChat`).\n3. **Result\ + \ Processing**: \n * If successful, it extracts the `invite_link` from the\ + \ response.\n * It adds the invite link to the action results using `add_link`.\n\ + \ * It adds the full JSON response to the action results using `add_result_json`.\n\ + 4. **Completion**: The action concludes by setting the execution status to completed\ + \ or failed based on the API response." capabilities: can_create_case_comments: false can_create_insight: false @@ -150,8 +164,18 @@ Get Chat Details: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Telegram API to retrieve chat details. + It does not modify any external systems (no POST/PUT/DELETE). It does not update + internal SOAR entities, create insights, or modify case data. It only returns + the retrieved data to the action results. categories: enrichment: false + reasoning: >- + While the action fetches data, it does not operate on entities or alerts to + provide supplemental context (enrichment). It is a standalone utility action + for retrieving information from an external service. Therefore, it does not + meet the criteria for an Enrichment Action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -167,6 +191,9 @@ Get Chat Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or utilize `siemplify.target_entities`. It + relies solely on the 'Chat ID' parameter provided by the user. Get Messages: action_product_categories: add_alert_comment: false @@ -182,6 +209,11 @@ Get Messages: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves historical messages from a chat service, which aligns with + the 'Search Events' category as it returns a collection of logs/telemetry data. + It does not perform enrichment on specific IOCs or assets, nor does it perform + any containment or ticket management actions. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -197,51 +229,43 @@ Get Messages: update_identity: false update_ticket: false ai_description: >- - ### General Description + Retrieves messages from a Telegram chat using the Telegram Bot API. This action + allows users to pull historical messages from a chat, optionally filtering by + message type or starting from a specific message ID. - Retrieves messages and updates from a Telegram chat where the bot is a member. - This action interacts with the Telegram Bot API's `getUpdates` endpoint to pull - communication data, which can then be used for further analysis or ingestion within - the SOAR platform. It allows for filtering by message type and starting from a - specific message ID (offset). + ### Flow Description - ### Parameters Description + 1. **Configuration Extraction**: The action retrieves the `API Token` from the + integration configuration. - | Parameter Name | Type | Mandatory | Description | + 2. **Parameter Extraction**: It extracts the `Last Message ID` and `Message Types` + from the action parameters. - | :--- | :--- | :--- | :--- | + 3. **API Interaction**: The action initializes the `TelegramManager` and calls + the Telegram `getUpdates` endpoint using the provided parameters. - | Last Message ID | string | No | The ID of the last message from which the action - will start pulling all subsequent messages. This corresponds to the 'offset' parameter - in the Telegram API. | + 4. **Result Handling**: The retrieved messages are returned as a JSON result to + the SOAR platform. - | Message Types | content | No | A list of the message/update types to retrieve - (e.g., `['message', 'channel_post', 'poll_answer']`). If empty, all types are - retrieved. | + ### Parameters - ### Flow Description - - 1. **Initialization**: The action initializes the Telegram Manager using the provided - API Token from the integration configuration. + | Parameter | Type | Mandatory | Description | - 2. **Parameter Extraction**: It extracts the `Last Message ID` (used as an offset) - and the `Message Types` (allowed updates) from the action parameters. + | :--- | :--- | :--- | :--- | - 3. **API Interaction**: The action calls the Telegram `getUpdates` method via - a GET request to fetch the latest messages based on the provided filters. + | Last Message ID | string | No | The ID of the last message from which to start + pulling messages. | - 4. **Result Processing**: The retrieved messages are returned as a JSON object - and stored in the action's execution results. + | Message Types | content | No | A list of message types to retrieve (e.g., ['channel_post', + 'poll_answer']). | ### Additional Notes - - The bot must be a member of the chat/channel to retrieve its messages. - - - This action does not target specific entities and operates as a general data - retrieval task. + This action does not interact with specific SOAR entities. It performs a read-only + operation against the Telegram API to fetch message history. capabilities: can_create_case_comments: false can_create_insight: false @@ -252,8 +276,16 @@ Get Messages: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Telegram API to retrieve messages. + It does not modify any external system state (no POST/PUT/DELETE) and does not + modify any internal SOAR data (entities, insights, or case comments). categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches data from an external source (Telegram) and does not mutate + any external or internal systems. It meets the criteria for an enrichment action + as defined in the system instructions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -269,6 +301,9 @@ Get Messages: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or utilize any SOAR entities. It operates on + global parameters to fetch messages from a Telegram chat. Ping: action_product_categories: add_alert_comment: false @@ -284,6 +319,10 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test ('Ping') and does not perform any of the defined + product category operations such as enrichment, containment, ticketing, or alert + management. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -301,44 +340,36 @@ Ping: ai_description: >- ### General Description - The **Ping** action is designed to test and verify the connectivity between the - Google SecOps platform and the Telegram API. Its primary purpose is to ensure - that the integration is correctly configured and that the provided Bot API Token - is valid and authorized to communicate with Telegram's servers. + This action tests the connectivity between the Google SecOps SOAR platform and + the Telegram API. It verifies that the provided API Token is valid and that the + SOAR platform can successfully communicate with the Telegram service. - ### Parameters Description - - There are no action-specific parameters for this action. It relies entirely on - the global integration configuration (specifically the 'API Token'). - - - ### Additional Notes + ### Parameters - - This action does not interact with any entities (IPs, Users, etc.). + | Parameter | Type | Mandatory | Description | - - It is a read-only operation that checks the status of the bot account. + | :--- | :--- | :--- | :--- | - - Per standard SOAR practices, Ping actions are used for health checks and are - not classified as enrichment. + | API Token | String | Yes | The Telegram Bot API token used to authenticate requests + to the Telegram service. | ### Flow Description - 1. **Configuration Retrieval**: The action extracts the 'API Token' from the Telegram - integration settings. + 1. The action initializes the `SiemplifyAction` and extracts the `API Token` from + the integration configuration. - 2. **Manager Initialization**: It initializes the Telegram communication manager - with the provided token. + 2. It initializes the `TelegramManager` using the provided token. - 3. **API Request**: The action executes a GET request to the Telegram `/getMe` - endpoint. + 3. The action calls the `test_connectivity` method, which performs a `GET` request + to the Telegram API's `getMe` endpoint. - 4. **Validation**: It checks the response from Telegram to confirm the bot is - active and the token is valid. + 4. If the API returns a successful response (`ok: true`), the action completes + with a success status. - 5. **Final Status**: The action returns a success message if the connection is - established, or a failure message if the API call fails or returns an error. + 5. If the connection fails or the API returns an error, the action completes with + a failure status. capabilities: can_create_case_comments: false can_create_insight: false @@ -349,8 +380,18 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity check by sending a GET request to the Telegram + API. It does not modify external systems, update internal SOAR data, or process + entities. While it performs a network request to verify connectivity, it does + not perform any enrichment or mutation operations. categories: enrichment: false + reasoning: >- + The action is named 'Ping' and serves as a connectivity test. According to the + provided instructions, actions named 'Ping' must not be categorized as enrichment + actions. Furthermore, it does not perform any enrichment, mutation, or entity-related + operations. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -366,6 +407,9 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. It is a standalone connectivity + test. Send Document: action_product_categories: add_alert_comment: false @@ -381,6 +425,10 @@ Send Document: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action sends a document to a Telegram chat. This aligns with the 'Send Message' + category, as it is a communication action used to deliver content to a messaging + platform. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -398,41 +446,45 @@ Send Document: ai_description: >- ### General Description - Sends a document to a specific Telegram chat using a provided URL. This action - allows users to share files (such as PDFs, logs, or images) hosted at a public - or accessible URL directly into a Telegram conversation or channel via a bot. + This action sends a document from a specified URL to a designated Telegram chat. + It utilizes the Telegram Bot API to deliver the file, facilitating automated communication + and document sharing within Telegram channels or private chats directly from the + SOAR platform. - ### Parameters Description + ### Flow Description + 1. **Configuration Extraction**: The action retrieves the Telegram API Token from + the integration configuration. - | Parameter | Type | Mandatory | Description | + 2. **Parameter Extraction**: The action extracts the `Chat ID` and `Document URL` + provided by the user. - | :--- | :--- | :--- | :--- | + 3. **API Interaction**: The action initializes the `TelegramManager` and invokes + the `send_doc` method, which performs an API request to the Telegram `sendDocument` + endpoint. + + 4. **Result Handling**: The action captures the response from the Telegram API, + logs the outcome, and returns the result to the SOAR platform. - | Document URL | String | Yes | The direct URL of the document to be sent to the - Telegram chat. | - | Chat ID | String | Yes | The unique identifier or username of the target Telegram - chat where the document will be sent. | + ### Parameters Description + | Parameter | Type | Mandatory | Description | - ### Flow Description + | :--- | :--- | :--- | :--- | - 1. **Configuration Retrieval**: The action fetches the Telegram Bot API Token - from the integration settings. + | Document URL | string | Yes | The URL of the document to be sent to the chat. + | - 2. **Parameter Extraction**: The target Chat ID and the URL of the document are - retrieved from the action input. + | Chat ID | string | Yes | The unique identifier of the Telegram chat where the + document will be sent. | - 3. **API Interaction**: The action uses the Telegram Manager to call the `sendDocument` - endpoint of the Telegram Bot API. - 4. **Result Processing**: The response from Telegram, containing details of the - sent message, is captured and added to the action's JSON results. + ### Additional Notes - 5. **Completion**: The action concludes by reporting whether the document was - successfully sent. + This action performs an external mutation by sending a document to a Telegram + chat. It does not perform any enrichment or internal data modification. capabilities: can_create_case_comments: false can_create_insight: false @@ -441,12 +493,21 @@ Send Document: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Sends a document to a Telegram chat, which creates a new message/post in the - external Telegram system. - fetches_data: true + Sends a document to a Telegram chat, which updates the chat history in the external + Telegram system. + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action interacts with the Telegram API to send a document to a specific + chat. This constitutes an external mutation (sending a message/document). It + does not fetch data for enrichment purposes, nor does it modify internal SOAR + data, entities, or alerts. categories: enrichment: false + reasoning: >- + The action is not an enrichment action because it does not fetch data to enrich + entities or alerts. It performs an external action (sending a document) and + does not meet the criteria for enrichment. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -462,6 +523,9 @@ Send Document: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use or iterate over entities. It relies solely on user-provided + parameters (Chat ID and Document URL) to perform its function. Send Location: action_product_categories: add_alert_comment: false @@ -477,6 +541,9 @@ Send Location: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action sends a location to a Telegram chat. This aligns with the 'Send Message' + category, which covers sending notifications or content to communication applications. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -492,52 +559,17 @@ Send Location: update_identity: false update_ticket: false ai_description: >- - ### General Description - - Sends a geographic location (latitude and longitude) to a specific Telegram chat - using a bot. This action is useful for sharing physical coordinates or points - of interest directly into a communication channel during incident response or - coordination. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Chat ID | string | Yes | The unique identifier for the target chat or the username - of the target channel (e.g., '123456789'). | - - | Latitude | string | Yes | The latitude coordinate of the location to be sent - (e.g., '30.0123213'). | - - | Longitude | string | Yes | The longitude coordinate of the location to be sent - (e.g., '30.456468'). | - - - ### Additional Notes - - This action does not process or interact with Google SecOps entities. It relies - solely on the provided action parameters to execute the request to the Telegram - Bot API. - - - ### Flow Description - - 1. **Parameter Extraction**: The action retrieves the Telegram API Token from - the integration configuration and the Chat ID, Latitude, and Longitude from the - action parameters. - - 2. **Manager Initialization**: Initializes the Telegram Manager using the provided - API Token. - - 3. **API Interaction**: Calls the Telegram `sendLocation` endpoint with the specified - chat ID and coordinates. - - 4. **Result Processing**: Captures the API response, attaches it as a JSON result - to the action, and reports a success or failure message based on the outcome of - the network request. + General Description: Sends a geographic location (latitude and longitude) to a + specified Telegram chat. This action allows analysts to share location data directly + from the SOAR platform to a Telegram channel or private chat. Flow Description: + 1. Extracts the Telegram API token from the integration configuration. 2. Retrieves + the Chat ID, Latitude, and Longitude from the action parameters. 3. Initializes + the TelegramManager with the API token. 4. Sends the location data to the specified + Telegram chat using the Telegram API. 5. Returns the API response as a JSON result + to the SOAR platform. Parameters Description: Longitude (string, mandatory): The + longitude coordinate of the location. Latitude (string, mandatory): The latitude + coordinate of the location. Chat ID (string, mandatory): The unique identifier + of the Telegram chat where the location will be sent. Additional Notes: None. capabilities: can_create_case_comments: false can_create_insight: false @@ -546,12 +578,19 @@ Send Location: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Sends a location message to a specified Telegram chat, which creates a new message - entry in the external Telegram platform. + Sends a location message to a Telegram chat, which modifies the state of the + chat history in the external Telegram system. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action interacts with the Telegram API to send a location message. This + constitutes an external mutation (adding a message to a chat). It does not fetch + data, nor does it modify internal SOAR entities or case data. categories: enrichment: false + reasoning: >- + The action does not fetch data for enrichment, nor does it modify internal SOAR + data. It is a communication action used to send information to an external platform. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -567,6 +606,9 @@ Send Location: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use or iterate over siemplify.target_entities. It relies + solely on user-provided parameters. Send Message: action_product_categories: add_alert_comment: false @@ -582,6 +624,9 @@ Send Message: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action sends a message to a Telegram chat. This directly aligns with the + 'Send Message' category. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -597,46 +642,44 @@ Send Message: update_identity: false update_ticket: false ai_description: >- - Sends a message to a specific Telegram chat using a configured bot. This action - allows for automated notifications or communications to be dispatched directly - from a playbook to a Telegram user, group, or channel. + ### General Description + + This action sends a message to a specific Telegram chat using a configured bot. + It allows analysts to communicate information directly from the SOAR platform + to a Telegram channel or private chat. ### Flow Description - 1. **Initialization**: The action initializes the Telegram Manager using the provided - Bot API Token from the integration configuration. + 1. The action initializes the `SiemplifyAction` and retrieves the `API Token` + from the integration configuration. - 2. **Parameter Extraction**: It retrieves the target 'Chat ID' and the 'Message' - content from the action parameters. + 2. It extracts the `Chat ID` and `Message` content from the action parameters. - 3. **API Interaction**: The action calls the Telegram Bot API's `sendMessage` - endpoint with the specified chat identifier and message text. + 3. A `TelegramManager` instance is created using the provided API token. - 4. **Result Processing**: The response from Telegram (containing the sent message - details) is captured as a JSON result, and the action completes with a success - or failure status based on the API response. + 4. The action calls the `telegram_bot_sendmessage` method, which sends a request + to the Telegram API to deliver the message to the specified chat. + + 5. The result of the API call is added to the action result, and the action completes + with a success or failure status. ### Parameters Description - | Parameter Name | Type | Mandatory | Description | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Chat ID | String | Yes | The unique identifier for the target chat or the username - of the target channel (e.g., '123456' or '@my_channel'). | + | Chat ID | string | Yes | The unique identifier or username of the chat where + the message should be sent. | - | Message | String | Yes | The text content of the message you want to send to - the specified chat. | + | Message | string | Yes | The content of the message to be sent. | ### Additional Notes - - This action does not operate on SecOps entities; it relies entirely on the provided - parameters. - - - Ensure the Bot has the necessary permissions to post in the target chat or channel. + There are no additional notes. capabilities: can_create_case_comments: false can_create_insight: false @@ -645,12 +688,21 @@ Send Message: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Sends a new message to a Telegram chat, which creates new data/content within - the Telegram platform. + Sends a message to a Telegram chat, changing the state of the chat by adding + a new message. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action interacts with the Telegram API to send a message, which constitutes + an external mutation (sending data to an external system). It does not fetch + contextual data for enrichment, nor does it modify internal SOAR data such as + entities, insights, or alert data. categories: enrichment: false + reasoning: >- + The action performs an external action (sending a message) and does not retrieve + data for enrichment or modify internal SOAR data. Therefore, it does not meet + the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -666,6 +718,9 @@ Send Message: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with or iterate over entities. It uses parameters + provided directly in the action configuration. Send Photo: action_product_categories: add_alert_comment: false @@ -681,6 +736,10 @@ Send Photo: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action sends a photo to a Telegram chat. This aligns with the 'Send Message' + category, as it dispatches content to a communication platform. It does not + match other categories like 'Enrich IOC', 'Create Ticket', etc. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -696,51 +755,37 @@ Send Photo: update_identity: false update_ticket: false ai_description: >- - ### General Description + Sends a photo to a specified Telegram chat. This action allows users to share + visual content directly from a URL to a Telegram chat, facilitating automated + communication and reporting within the Telegram platform. - The **Send Photo** action allows a Google SecOps bot to send an image to a specific - Telegram chat or channel. This is useful for automated notifications that require - visual context, such as screenshots of dashboards, security alerts, or forensic - evidence. The action requires a direct URL to the image and the target Chat ID. + ### Parameters - ### Parameters Description - - | Parameter Name | Type | Mandatory | Description | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Chat ID** | String | Yes | The unique identifier for the target Telegram chat - or channel where the photo will be sent. | + | Photo URL | string | Yes | The HTTP URL of the photo to be sent. It should point + to a valid image file (e.g., png, jpeg, jpg). | - | **Photo URL** | String | Yes | The HTTP/HTTPS URL of the photo to be sent. The - URL must point directly to an image file and should end with a valid extension - (e.g., .png, .jpeg, .jpg). | - - - ### Additional Notes - - - The Telegram Bot must have the necessary permissions to post in the specified - Chat ID. - - - The image must be accessible via the provided URL by the Telegram servers. + | Chat ID | string | Yes | The unique identifier of the chat where the photo will + be sent. | ### Flow Description - 1. **Configuration Retrieval:** The action retrieves the Telegram Bot API Token + 1. The action initializes the `TelegramManager` using the API token retrieved from the integration configuration. - 2. **Parameter Extraction:** It extracts the target `Chat ID` and the `Photo URL` - from the action input. + 2. It extracts the `Chat ID` and `Photo URL` from the provided action parameters. - 3. **API Interaction:** The action initializes the `TelegramManager` and calls - the `send_photo` method, which sends a request to the Telegram Bot API endpoint - `/sendPhoto`. + 3. It invokes the `send_photo` method of the `TelegramManager`, which performs + an API request to the Telegram `sendPhoto` endpoint. - 4. **Result Processing:** If successful, the action returns the metadata of the - sent message as a JSON result. If the request fails (e.g., invalid Chat ID or - inaccessible URL), the action reports a failure state. + 4. The action processes the response from the Telegram API, logs the outcome, + and returns the result JSON to the SOAR platform, indicating whether the photo + was sent successfully. capabilities: can_create_case_comments: false can_create_insight: false @@ -749,12 +794,19 @@ Send Photo: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Sends a photo to a Telegram chat, which creates a new message record in the - external Telegram system. + Sends a photo to a Telegram chat, which creates a new message in the external + system. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action interacts with the Telegram API to send a photo to a specific chat. + This constitutes an external mutation (sending a message). It does not fetch + data for enrichment, nor does it modify internal SOAR data or entities. categories: enrichment: false + reasoning: >- + The action is a messaging/notification action, not an enrichment action. It + does not fetch data for analysis, nor does it update entities or insights. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -770,6 +822,9 @@ Send Photo: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use `target_entities`. It relies solely on user-provided + parameters (`Chat ID` and `Photo URL`). Send Poll: action_product_categories: add_alert_comment: false @@ -785,6 +840,9 @@ Send Poll: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action sends a poll to a Telegram chat. This aligns with the 'Send Message' + category, as it dispatches a message/poll to a communication application. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -800,54 +858,46 @@ Send Poll: update_identity: false update_ticket: false ai_description: >- - Sends a poll with pre-defined answer options to a specific Telegram chat or group. - This action allows users to create interactive polls via a Telegram bot, facilitating - decision-making or data collection directly within the communication platform. - - - ### Flow Description + ### General Description - 1. **Parameter Extraction:** The action retrieves the Telegram API Token from - the integration configuration and the Chat ID, Question, Options, and Anonymity - settings from the action parameters. + This action sends a poll with pre-defined answer options to a specified Telegram + chat. It leverages the Telegram Bot API to create and post the poll, allowing + for interactive communication within a Telegram group or channel. - 2. **Manager Initialization:** Initializes the Telegram Manager to handle communication - with the Telegram Bot API. - 3. **API Interaction:** Calls the Telegram `sendPoll` endpoint with the specified - question and answer options. + ### Parameters Description - 4. **Result Processing:** Captures the API response (the created poll object), - attaches it as a JSON result, and provides a success or failure message to the - SOAR platform. + | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Parameters Description + | Chat ID | string | Yes | The unique identifier of the chat where the bot should + send the poll. Note: Non-anonymous polls cannot be sent to channel chats. | - | Parameter Name | Type | Mandatory | Description | + | Question | string | Yes | The question text to be displayed in the poll. | - | :--- | :--- | :--- | :--- | + | Options | content | Yes | A JSON array of strings representing the answer options + for the poll. | - | Chat ID | String | Yes | The unique identifier for the target chat or the username - of the target channel (e.g., "123456"). Note: Non-anonymous polls cannot be sent - to channel chats. | + | Is Anonymous | boolean | No | Determines if the poll results will be anonymous. + Note: Non-anonymous polls cannot be sent to channel chats. | - | Question | String | Yes | The text of the question you want to send to the chat. - | - | Options | Content (Array) | Yes | A JSON array of strings representing the answer - options (e.g., `["Option 1", "Option 2"]`). | + ### Flow Description - | Is Anonymous | Boolean | No | Determines if the poll responses will be anonymous. - Default is false. Note: Non-anonymous polls cannot be sent to channel chats. | + 1. The action initializes the `TelegramManager` using the configured API token. + 2. It extracts the required parameters (`Chat ID`, `Question`, `Options`, `Is + Anonymous`) from the action settings. - ### Additional Notes + 3. It calls the `ask_question` method, which sends a request to the Telegram API + (`/sendPoll`) to create the poll in the specified chat. - - Ensure the Telegram Bot has the necessary permissions to send messages and polls - in the target chat. + 4. The action captures the response from the Telegram API and adds it to the action + result JSON. - - If sending to a channel, the poll **must** be anonymous. + 5. The action concludes by returning a success status and a message indicating + whether the poll was sent successfully. capabilities: can_create_case_comments: false can_create_insight: false @@ -856,12 +906,21 @@ Send Poll: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Sends a poll to a Telegram chat, which creates a new interactive message/object - within the external Telegram platform. + Sends a poll to a Telegram chat, which modifies the state of the external chat + environment. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action interacts with the Telegram API to send a poll, which constitutes + an external mutation (changing the state of the Telegram chat). It does not + fetch contextual data about alerts or entities, nor does it modify any internal + SOAR data, entities, or case information. categories: enrichment: false + reasoning: >- + The action performs an external mutation (sending a poll) and does not fetch + data for enrichment purposes. Therefore, it does not meet the criteria for an + enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -877,6 +936,9 @@ Send Poll: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with or iterate over SOAR entities. It operates + based on parameters provided in the action configuration. Set Default Chat Permissions: action_product_categories: add_alert_comment: false @@ -892,6 +954,11 @@ Set Default Chat Permissions: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action modifies the configuration of a Telegram chat (permissions). It does + not fit standard IOC/Asset enrichment, ticket/alert management, or host containment + categories. It is a configuration/management action for an external communication + platform. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -909,11 +976,11 @@ Set Default Chat Permissions: ai_description: >- ### General Description - Sets the default chat permissions for all new members in a specified Telegram - chat or group. This action allows administrators to define the baseline capabilities - for new participants, such as their ability to send messages, polls, invite other - users, or modify chat information. It is primarily used for group management and - automated moderation within Telegram communities. + This action updates the default chat permissions for a specified Telegram group + or supergroup. It allows administrators to configure restrictions for new members, + such as the ability to send messages, edit chat information, invite users, pin + messages, or send polls. The action interacts with the Telegram Bot API to apply + these settings. ### Parameters Description @@ -922,53 +989,47 @@ Set Default Chat Permissions: | :--- | :--- | :--- | :--- | - | Chat ID | String | Yes | The unique identifier for the target chat or group - where permissions will be applied. | + | Chat ID | string | Yes | The unique identifier for the Telegram chat (group + or supergroup) to be configured. | - | Can Send Messages | Boolean | No | Determines if new members are allowed to - send text messages, contacts, and locations. Default is true. | - - | Can Edit Info | Boolean | No | Determines if new members can edit the chat title, - photo, and other settings. Note: This cannot be applied in supergroups. Default - is true. | + | Can Send Messages | boolean | No | If true, allows users to send text messages. + Default is true. | - | Can Invite Users | Boolean | No | Determines if new members can invite other - users to the chat. Default is true. | + | Can Edit Info | boolean | No | If true, allows users to edit the chat title, + photo, and other settings. Default is true. Note: Cannot be applied in supergroups. + | - | Can Pin Messages | Boolean | No | Determines if new members are allowed to pin - messages. Note: This cannot be applied in supergroups. Default is true. | + | Can Invite Users | boolean | No | If true, allows users to invite new members + to the chat. Default is true. | - | Can Send Polls | Boolean | No | Determines if new members are allowed to send - polls. Default is true. | + | Can Pin Messages | boolean | No | If true, allows users to pin messages. Default + is true. Note: Cannot be applied in supergroups. | + | Can Send Polls | boolean | No | If true, allows users to send polls. Default + is true. | - ### Additional Notes - * The bot must be an administrator in the target group or supergroup for this - action to function. + ### Flow Description - * The bot must specifically have the `can_restrict_members` administrative permission. + 1. The action extracts the required configuration (API Token) and the action parameters + (Chat ID and permission settings). - * Certain permissions (like 'Can Edit Info' and 'Can Pin Messages') are restricted - by Telegram and cannot be applied to supergroups via this specific method. + 2. It initializes the `TelegramManager` with the provided API Token. + 3. It calls the `set_default_chat_permissions` method, which sends a request to + the Telegram API endpoint `setChatPermissions` with the specified configuration. - ### Flow Description + 4. The action returns a success or failure status, along with the JSON response + from the Telegram API, and terminates the execution. - 1. **Configuration Retrieval:** The action retrieves the Telegram Bot API Token - from the integration settings. - 2. **Parameter Extraction:** It extracts the target Chat ID and the specific permission - flags (Send Messages, Edit Info, Invite Users, Pin Messages, Send Polls) provided - by the user. + ### Additional Notes - 3. **API Interaction:** The action initializes the Telegram Manager and calls - the `setChatPermissions` endpoint on the Telegram API with the specified parameters. + - The bot must be an administrator in the target group or supergroup and must + have the `can_restrict_members` permission for this action to succeed. - 4. **Result Processing:** If the API call is successful, the action returns a - success message and the raw JSON response from Telegram. If the call fails (e.g., - due to insufficient bot permissions or an invalid Chat ID), it returns an error - message and marks the action as failed. + - Some permissions (e.g., Can Edit Info, Can Pin Messages) may have limitations + depending on the chat type (e.g., supergroups). capabilities: can_create_case_comments: false can_create_insight: false @@ -977,12 +1038,20 @@ Set Default Chat Permissions: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the default chat permissions for all new members in a specific Telegram - chat or group via the Telegram Bot API. + Updates the default chat permissions for a Telegram group or supergroup via + the Telegram Bot API. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a state-changing operation on an external system (Telegram) + by updating chat permissions. It does not fetch data for enrichment, nor does + it modify internal Google SecOps data (cases, alerts, or entities). categories: enrichment: false + reasoning: >- + The action is a configuration/management task that modifies external system + state. It does not retrieve data for enrichment purposes, therefore it is not + an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -998,6 +1067,10 @@ Set Default Chat Permissions: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on Google SecOps entities. It uses a 'Chat ID' parameter + provided by the user to identify the target chat, rather than iterating over + `target_entities`. Set User Permissions: action_product_categories: add_alert_comment: false @@ -1013,6 +1086,10 @@ Set User Permissions: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action modifies user permissions (e.g., promoting/demoting members, changing + capabilities) in a Telegram chat. This aligns with the 'Update Identity' category, + which covers modifying account metadata, permissions, or group memberships. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1028,73 +1105,66 @@ Set User Permissions: update_identity: true update_ticket: false ai_description: >- - Adds or revokes user permissions in a Telegram supergroup or a channel. This action - allows a bot (which must be an administrator with appropriate rights) to manage - specific administrative and member privileges for a target user. It can be used - to promote users to admin roles or restrict their capabilities within a chat. - - - ### Flow Description - - 1. **Initialization**: The action initializes the Telegram Manager using the provided - API Token. - - 2. **Parameter Extraction**: It retrieves the target `Chat ID`, `User ID`, and - various boolean permission flags from the action parameters. - - 3. **API Interaction**: The action calls the Telegram `promoteChatMember` API - endpoint, passing the permission flags to update the user's status. + ### General Description - 4. **Result Processing**: It captures the API response, determines if the operation - was successful, and outputs the resulting JSON data. + Updates user permissions within a Telegram supergroup or channel. This action + allows administrators to modify specific capabilities for a user, such as pinning + messages, promoting members, or editing chat information. ### Parameters Description | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + | --- | --- | --- | --- | - | User ID | string | Yes | The unique identifier of the user whose permissions - are being modified. | + | Chat ID | string | Yes | The unique identifier or username of the chat. | - | Chat ID | string | Yes | The unique identifier or username of the target supergroup - or channel. | + | User ID | string | Yes | The unique identifier of the user. | - | Can Pin Messages | boolean | No | If true, the user can pin messages (relevant - for supergroups only). | + | Can Pin Messages | boolean | No | Allows the user to pin messages (relevant + for supergroups). | - | Can Promote Members | boolean | No | If true, the user can add new administrators - or revoke existing ones. | + | Can Promote Members | boolean | No | Allows the user to add or revoke administrators. + | - | Can Restrict Members | boolean | No | If true, the user can restrict, ban, or - unban chat members. | + | Can Restrict Members | boolean | No | Allows the user to restrict, ban, or unban + members. | - | Can Post Messages | boolean | No | If true, the user can post messages (relevant - for channels only). | + | Can Post Messages | boolean | No | Allows the user to post messages (relevant + for channels). | - | Can Edit The Info | boolean | No | If true, the user can edit chat title, photo, + | Can Edit The Info | boolean | No | Allows the user to edit chat title, photo, and other settings. | - | Is Anonymous | boolean | No | If true, the user's presence in the chat is hidden. - | + | Is Anonymous | boolean | No | Hides the user's presence in the chat. | - | Can Invite Users | boolean | No | If true, the user can invite new users to - the chat. | + | Can Invite Users | boolean | No | Allows the user to invite new members. | - | Can Delete Messages | boolean | No | If true, the user can delete messages of - other users. | + | Can Delete Messages | boolean | No | Allows the user to delete messages of other + users. | - | Can Edit Messages | boolean | No | If true, the user can edit messages of other + | Can Edit Messages | boolean | No | Allows the user to edit messages of other users. | ### Additional Notes - - The bot must be an administrator in the target chat for this action to work. + The bot must be an administrator in the chat for this to work and must have the + appropriate admin permissions. + + + ### Flow Description + + 1. Extract configuration parameters (API Token) and action parameters (Chat ID, + User ID, and various permission flags). + + 2. Initialize the `TelegramManager` with the provided API token. + + 3. Invoke the `promoteChatMember` API endpoint to apply the requested permission + changes to the specified user in the target chat. - - The bot must have the specific administrative permissions it is trying to grant - or revoke from others. + 4. Return the API response as a JSON result. capabilities: can_create_case_comments: false can_create_insight: false @@ -1103,12 +1173,20 @@ Set User Permissions: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Modifies user permissions and administrative rights within a Telegram supergroup - or channel using the promoteChatMember API endpoint. - fetches_data: true + Updates user permissions (promote/demote) in a Telegram chat via the `promoteChatMember` + API. + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a state-changing operation (`promoteChatMember`) on the + Telegram API to update user permissions. It does not fetch contextual data for + enrichment, nor does it modify internal SOAR data or entities. categories: enrichment: false + reasoning: >- + The action is a mutation action that changes external system state (Telegram + permissions). It does not fetch data for enrichment purposes, nor does it meet + the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1124,6 +1202,9 @@ Set User Permissions: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on `siemplify.target_entities`. It uses `Chat ID` + and `User ID` provided as action parameters. Wait for poll results: action_product_categories: add_alert_comment: false @@ -1139,6 +1220,11 @@ Wait for poll results: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves poll results from Telegram. It does not match any of the + specific product categories (e.g., Enrich IOC, Enrich Asset, etc.) as it is + a utility action for polling external data, not specifically for enriching IOCs, + assets, or managing alerts/tickets. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1156,68 +1242,55 @@ Wait for poll results: ai_description: >- ### General Description - The **Wait for poll results** action is an asynchronous utility designed to monitor - a specific Telegram poll and retrieve its results. It is typically used in workflows - where a decision or input is required from a user via a Telegram poll. The action - continues to poll the Telegram API until either a specific vote threshold is reached - for any of the poll options or a pre-defined waiting timeframe expires. + This action waits for poll results from a Telegram bot. It polls the Telegram + API for updates, filters for a specific poll ID, and checks if the votes for any + option meet a defined threshold. This action is designed to be run asynchronously, + allowing it to wait for poll results over a specified timeframe. ### Parameters Description | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + | --- | --- | --- | --- | - | **Poll ID** | String | Yes | The unique identifier of the poll to fetch answers - for. | + | Scan back Limit | string | Yes | Top amount of polls' answers to be scanned. + | - | **Answer Votes Threshold** | String | Yes | The number of votes an answer must - receive for the action to stop waiting and return a successful result. | + | Waiting Timeframe | string | Yes | Time in minutes to wait for votes. | - | **Waiting Timeframe** | String | Yes | The maximum amount of time (in minutes) - to wait for votes before the action stops, even if the threshold wasn't met. | + | Answer Votes Threshold | string | Yes | Number of votes required to stop waiting. + | - | **Scan back Limit** | String | Yes | The maximum number of poll answers/updates - to scan in the Telegram history (specifically for polls sent by the bot). | + | Poll ID | string | Yes | The ID of the poll to fetch answers for. | ### Flow Description - 1. **Initialization**: The action retrieves the Telegram API token from the integration - configuration and extracts the user-defined parameters (Poll ID, Threshold, Timeframe, - and Scan Limit). + 1. Initialize parameters (Poll ID, Threshold, Timeframe, Limit). - 2. **State Management**: On the first run, it initializes the start time. On subsequent - runs (asynchronous retries), it retrieves the previous state (start time, timeframe, - and last scanned update ID) from the action's internal `additional_data` parameter. + 2. Check if it's the first run or a subsequent run (using `additional_data` for + state). - 3. **Data Retrieval**: It calls the Telegram `getUpdates` API to fetch recent - activity, specifically looking for poll-related updates. + 3. Fetch updates from Telegram using `TelegramManager`. - 4. **Filtering**: The action filters the retrieved updates to find matches for - the specific **Poll ID** provided in the parameters. + 4. Filter updates for the specific `Poll ID`. - 5. **Threshold Evaluation**: It checks the `voter_count` for each option in the - poll. If any option meets or exceeds the **Answer Votes Threshold**, the action - completes successfully. + 5. Check if any option in the poll meets the `Answer Votes Threshold`. - 6. **Timeout Check**: If the threshold is not met, it calculates the elapsed time. - If the **Waiting Timeframe** has been reached, the action completes, returning - the current state of the poll even if the threshold wasn't met. + 6. If threshold met, complete the action. - 7. **Iteration**: If neither the threshold nor the timeout is met, the action - sets its state to `IN_PROGRESS` and schedules a retry, passing the current state - forward to the next execution cycle. + 7. If threshold not met but timeframe reached, complete the action (with failure/timeout + status). + 8. If threshold not met and timeframe not reached, continue waiting (return `EXECUTION_STATE_INPROGRESS`). - ### Additional Notes - - This action is asynchronous and will run multiple times until a concluding condition - is met. + ### Additional Notes - - The **Scan back Limit** helps optimize performance by limiting how far back - in the update history the bot looks for the specific poll. + This action is designed to be run asynchronously. It maintains state across runs + using the `additional_data` parameter to track the start time and the last processed + update ID. capabilities: can_create_case_comments: false can_create_insight: false @@ -1228,8 +1301,18 @@ Wait for poll results: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches poll updates from the Telegram API (`get_updates`). It does + not modify any external system state (it only reads). It does not modify any + internal Google SecOps data (no insights, comments, or entity updates). It uses + `siemplify.end` to report the final status and `add_result_json` to return the + poll data, which are standard reporting mechanisms. categories: enrichment: true + reasoning: >- + The action fetches data (poll results) from an external source (Telegram) and + does not mutate any external or internal systems. It meets the criteria for + an enrichment action as it is a read-only data retrieval task. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1245,3 +1328,6 @@ Wait for poll results: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `siemplify.target_entities`. It operates on + a specific `Poll ID` provided as a parameter. diff --git a/content/response_integrations/third_party/community/telegram/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/telegram/resources/ai/connectors_ai_description.yaml index 6271ce4bb..555c0a0e4 100644 --- a/content/response_integrations/third_party/community/telegram/resources/ai/connectors_ai_description.yaml +++ b/content/response_integrations/third_party/community/telegram/resources/ai/connectors_ai_description.yaml @@ -1,60 +1,30 @@ Telegram Connector: - ai_description: >- - ### General Description - - - The Telegram Connector ingests messages from Telegram channels, supergroups, and - private chats into Google SecOps as alerts. This integration allows security teams - to monitor Telegram communications for potential threats, data leaks, or malicious - activity. The connector utilizes a Telegram Bot to poll for new updates. For successful - ingestion, the bot must be an administrator in channels or have message access - in groups. Additionally, this connector is incompatible with active Telegram webhooks; - any existing webhooks must be disabled for the polling mechanism to work. - - - ### Parameters Description - - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | API Token | Password | Yes | The unique API Token for your Telegram Bot. | - - | DeviceProductField | String | Yes | The field name used to determine the device - product in the ingested event (Default: device_product). | - - | EventClassId | String | Yes | The field name used to determine the event name - or sub-type (Default: event_name). | - - | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the - Python process running the script (Default: 30). | - - - ### Flow Description - - - 1. **Authentication**: The connector establishes a session with the Telegram Bot - API using the provided API Token. - - 2. **State Management**: It retrieves the `update_id` of the last processed message - from the Google SecOps connector context to ensure only new data is ingested. - - 3. **Data Retrieval**: The connector polls the Telegram `getUpdates` endpoint, - using the saved `update_id` as an offset to fetch all messages sent since the - last execution. - - 4. **Message Processing**: The script iterates through the retrieved updates, - distinguishing between standard messages (private/group) and channel posts. - - 5. **Event Mapping**: Each message is flattened and mapped to a Google SecOps - event structure, capturing the message content, sender details, and timestamps. - - 6. **Alert Creation**: The events are encapsulated into `AlertInfo` objects with - a default priority of Medium (60) and a standardized naming convention. - - 7. **System Ingestion**: The alerts are returned to Google SecOps for case creation - and further analysis. - - 8. **Checkpointing**: Upon successful processing, the connector saves the `update_id` - of the most recent message back to the context storage for the next polling cycle. + ai_description: "### General Description\nThe Telegram Connector enables the ingestion\ + \ of messages from Telegram channels, groups, and private chats into Google SecOps.\ + \ By leveraging the Telegram Bot API, this connector monitors for new messages\ + \ and transforms them into actionable alerts within the SOAR platform. \n\n**Important\ + \ Considerations:**\n* For channel monitoring, the bot must be an administrator.\n\ + * For group monitoring, the bot must have access to messages.\n* This connector\ + \ cannot operate simultaneously with an active Telegram Webhook. If a webhook\ + \ is active, it must be disabled using the Telegram API `setWebhook` method before\ + \ running this connector.\n\n### Parameters Description\n| Parameter | Type |\ + \ Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| API Token | Password\ + \ | Yes | The Telegram Bot API token used to authenticate and communicate with\ + \ the Telegram API. |\n| DeviceProductField | String | Yes | The field name used\ + \ to determine the device product in the ingested event. |\n| EventClassId | String\ + \ | Yes | The field name used to determine the event name (sub-type) in the ingested\ + \ event. |\n| PythonProcessTimeout | String | Yes | The timeout limit (in seconds)\ + \ for the Python process running the connector script. |\n\n### Flow Description\n\ + 1. **Initialization**: The connector initializes the `TelegramManager` using the\ + \ provided API Token.\n2. **State Retrieval**: It retrieves the `last_saved_update_id`\ + \ from the connector context to ensure only new messages are processed.\n3. **Data\ + \ Fetching**: It queries the Telegram API (`getUpdates`) starting from the next\ + \ message ID (`last_saved_update_id + 1`).\n4. **Processing**: \n * Iterates\ + \ through the retrieved updates.\n * Identifies the message type (`message`\ + \ for private/group or `channel_post` for channels).\n * Flattens the message\ + \ data and maps it to a standard event format.\n5. **Alert Creation**: Each processed\ + \ event is converted into a SOAR `AlertInfo` object with defined start/end times\ + \ and priority.\n6. **Persistence**: After processing, the latest `update_id`\ + \ is saved back to the connector context to prevent duplicate processing in future\ + \ runs.\n7. **Output**: The collected alerts are returned to the SOAR platform\ + \ for case creation." diff --git a/content/response_integrations/third_party/community/telegram/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/telegram/resources/ai/integration_ai_description.yaml index 4b35c0d73..ef8cc945b 100644 --- a/content/response_integrations/third_party/community/telegram/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/community/telegram/resources/ai/integration_ai_description.yaml @@ -4,9 +4,19 @@ product_categories: collaboration: true edr: false email_security: false - iam_and_identity_management: true + iam_and_identity_management: false itsm: false network_security: false + reasoning: >- + The Telegram integration is primarily a Collaboration tool, providing multiple + actions to send messages, documents, photos, locations, and polls to Telegram + chats, which facilitates SOC notifications and human-in-the-loop workflows. Additionally, + the integration includes a connector that ingests messages from Telegram channels, + groups, and private chats into the SOAR platform as alerts, which aligns with + the SIEM category's data ingestion capabilities. It does not meet the criteria + for other categories such as EDR, Network Security, or IAM, as it does not perform + host-level security operations, manage firewall/WAF rules, or manage enterprise-level + user identities. siem: true threat_intelligence: false vulnerability_management: false diff --git a/content/response_integrations/third_party/community/vanilla_forums/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/vanilla_forums/resources/ai/actions_ai_description.yaml index 9f218f04c..d994fb5e9 100644 --- a/content/response_integrations/third_party/community/vanilla_forums/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/vanilla_forums/resources/ai/actions_ai_description.yaml @@ -13,6 +13,10 @@ Add User: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action creates a new user in an external system (VanillaForums). It does + not match any of the provided categories (e.g., Enrich IOC, Create Ticket, Update + Identity, etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -25,76 +29,68 @@ Add User: uncontain_host: false update_alert: false update_email: false - update_identity: true + update_identity: false update_ticket: false ai_description: >- ### General Description - Adds a new user to Vanilla Forums with comprehensive profile details including - name, email, role, and password. This action is useful for automated user provisioning - or onboarding processes within a community management workflow. It includes built-in - logic to handle username collisions by appending or replacing characters based - on user-defined separators. + This action adds a new user to the VanillaForums platform. It validates the provided + password complexity, checks for existing users with the same name to avoid duplicates + (optionally appending special characters if needed), and registers the new user + with the specified role and details. ### Parameters Description - | Parameter Name | Type | Mandatory | Description | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | First Name | string | Yes | The first name of the new user. | + | First Name | string | Yes | New user's first name. | - | Last Name | string | Yes | The last name of the new user. | + | Last Name | string | Yes | New user's last name. | - | Email | string | Yes | The email address for the new account. | + | Email | string | Yes | New user's email address. | - | Role ID | string | Yes | The numeric ID of the role to be assigned to the user - (e.g., '8'). | + | Role ID | string | Yes | The ID of the role to assign to the user. | - | Password | password | Yes | The password for the new user. Must be at least - 6 characters long and contain both letters and digits. | + | Password | password | Yes | Password for the new user. Must be at least 6 characters + and include both letters and digits. | - | Override Name Duplicity | boolean | No | If set to 'True', the action will attempt - to create the user even if the username already exists by using alternative identifiers. - Default is 'False'. | + | Override Name Duplicity | boolean | No | If true, allows creating a user even + if another user with the same name exists (by appending special characters). | - | Additional Identifiers | string | No | A comma-separated list of characters - (e.g., '_,~,-') used to replace the space between first and last names if the - primary username is taken. | + | Additional Identifiers | string | No | Characters to use as separators if the + username already exists. | - | Email Confirmed | boolean | No | Whether the user's email address is marked - as confirmed upon creation. Default is 'True'. | + | Photo URL | string | No | URL of the new user's picture. | - | Photo URL | string | No | The URL for the new user's profile picture. | + | Email Confirmed | boolean | No | Whether the email address is confirmed. | ### Additional Notes - - The action performs a validation check on the password complexity before attempting - to communicate with the Vanilla Forums API. - - - If `Override Name Duplicity` is enabled and all provided `Additional Identifiers` - result in existing usernames, the action will fail. + This action requires valid API credentials (API Token and URL) configured for + the VanillaForums integration. The action will fail if the password does not meet + the complexity requirements or if a unique username cannot be generated when name + duplicity is not allowed. ### Flow Description - 1. **Validation**: Validates that the provided password meets the complexity requirements - (minimum 6 characters, includes letters and digits). + 1. Extracts integration configuration and action parameters. - 2. **Username Check**: Checks if a user with the combined 'First Name' and 'Last - Name' already exists in Vanilla Forums. + 2. Validates the password complexity. - 3. **Collision Handling**: If the name exists and `Override Name Duplicity` is - enabled, the action iterates through the `Additional Identifiers` to find a unique - username variation. + 3. Searches for an existing user in VanillaForums using the provided first and + last name. - 4. **User Creation**: Sends a POST request to the Vanilla Forums API to create - the user account with the specified attributes. + 4. If the user exists and name duplicity is allowed, attempts to find a unique + username by appending characters from the 'Additional Identifiers' list. - 5. **Result Processing**: Returns the created user's details, including the assigned - email and password, as a JSON result. + 5. Registers the new user in VanillaForums via a POST request. + + 6. Returns the user details in the result JSON. capabilities: can_create_case_comments: false can_create_insight: false @@ -103,12 +99,18 @@ Add User: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new user account record in the Vanilla Forums database via a POST - request to the /v2/users endpoint. + Creates a new user in the VanillaForums platform. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to search for existing users and a POST request + to create a new user in the VanillaForums platform. It does not modify internal + SOAR data (like entities or insights). categories: enrichment: false + reasoning: >- + The action is not an enrichment action because it mutates external data (creates + a new user) and does not meet the criteria for read-only enrichment. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -124,6 +126,10 @@ Add User: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not iterate over `siemplify.target_entities` or use any entity-specific + identifiers. It operates on user-provided parameters to create a new user in + the VanillaForums platform. Generate Password: action_product_categories: add_alert_comment: false @@ -139,6 +145,10 @@ Generate Password: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action generates a random password string locally. It does not perform any + of the listed product category operations (e.g., enrichment, containment, ticket + management). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -154,43 +164,13 @@ Generate Password: update_identity: false update_ticket: false ai_description: >- - Generates a random password string that adheres to Vanilla Forums' complexity - requirements. The action creates a password consisting of at least one uppercase - letter, one lowercase letter, and a sequence of digits to reach the specified - length. - - - ### Flow Description: - - 1. **Parameter Extraction:** Retrieves the desired password length from the action - parameters. - - 2. **Validation:** Checks if the requested length is at least 6 characters; if - not, the action fails. - - 3. **Password Generation:** Uses a local utility to construct a string with one - uppercase letter, one lowercase letter, and the remaining characters as digits. - - 4. **Output:** Returns the generated password string as the script result. - - - ### Parameters Description: - - | Parameter Name | Expected Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Length | String | No | The total number of characters for the generated password. - Must be at least 6. Defaults to 6 if not specified. | - - - ### Additional Notes: - - * This action does not interact with any external APIs; it performs local string - generation logic. - - * The generated password is provided as the raw result of the action for use in - subsequent playbook steps (e.g., creating a user). + General Description: This action generates a random password string of a specified + length. Flow: 1. Extract the Length parameter from the action configuration. 2. + Validate that the length is at least 6 characters. 3. Generate a random string + containing one uppercase letter, one lowercase letter, and the remaining characters + as digits. 4. Return the generated password as the action result. Parameters: + Length (string, optional, default: 6): The desired length of the password. Must + be at least 6 characters. capabilities: can_create_case_comments: false can_create_insight: false @@ -201,8 +181,14 @@ Generate Password: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a local string generation based on a user-provided length. + It does not interact with any external APIs or modify any internal SOAR data. categories: enrichment: false + reasoning: >- + The action does not fetch data from any external source; it performs a local + calculation. Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -218,6 +204,8 @@ Generate Password: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. Get User Details: action_product_categories: add_alert_comment: false @@ -229,10 +217,15 @@ Get User Details: disable_identity: false download_file: false enable_identity: false - enrich_asset: false + enrich_asset: true enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action fetches detailed user information from the VanillaForums API based + on a provided User ID. This aligns with the 'Enrich Asset' category, as it retrieves + contextual metadata for a user. It does not perform any mutations on external + systems or internal SOAR data, nor does it operate on entities directly. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -250,41 +243,38 @@ Get User Details: ai_description: >- ### General Description - The **Get User Details** action retrieves comprehensive profile information for - a specific user from Vanilla Forums using their unique User ID. This action is - designed to fetch metadata such as usernames, email addresses, roles, and ranks, - providing context for investigations involving forum participants. + This action retrieves detailed user information from the VanillaForums platform + by querying the API with a specific User ID. It is designed to fetch profile data + for a given user, which can then be used for further analysis or reporting within + the SOAR platform. ### Parameters Description - | Parameter | Description | Type | Mandatory | Default Value | + | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | :--- | + | :--- | :--- | :--- | :--- | - | User ID | The unique identifier of the user whose details you want to fetch. - | String | Yes | 0 | + | User ID | string | true | The unique identifier of the user whose details are + to be retrieved. | - ### Flow Description + ### Additional Notes - 1. **Initialization:** The action initializes the Siemplify environment and retrieves - the Vanilla Forums API token and Base URL from the integration configuration. + None. - 2. **Parameter Extraction:** It extracts the `User ID` provided by the user. - 3. **API Interaction:** The action calls the `get_user_details` method in the - `VanillaManager`, which executes a GET request to the `/v2/users/{user_id}` endpoint. + ### Flow Description - 4. **Result Handling:** If successful, the full JSON response from Vanilla Forums - is attached to the action results. If the user is not found or an error occurs, - the action reports a failure. + 1. The action extracts the `User ID` parameter provided by the user. + 2. It initializes the `VanillaManager` using the configured API token and base + URL. - ### Additional Notes + 3. It performs a GET request to the VanillaForums API (`/v2/users/{user_id}`) + to fetch the user's profile information. - - This action does not process SecOps entities; it relies entirely on the manually - provided `User ID` parameter. + 4. The retrieved user details are returned as a JSON object in the action result. capabilities: can_create_case_comments: false can_create_insight: false @@ -295,8 +285,18 @@ Get User Details: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve user details from the VanillaForums + API (fetches_data=true). It does not modify any external systems (can_mutate_external_data=false) + or internal SOAR data (can_mutate_internal_data=false). It does not update entities, + create insights, or modify alert data. categories: enrichment: false + reasoning: >- + The action fetches data from an external source, but it does not operate on + SOAR entities (it uses a raw User ID parameter). Therefore, it does not meet + the criteria for an Enrichment Action, which requires operating on alerts or + entities. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -312,6 +312,10 @@ Get User Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities` or use entity-specific + identifiers. It takes a raw 'User ID' parameter as input. Therefore, it does + not run on any entity types. Get a Leaderboard Analytics: action_product_categories: add_alert_comment: false @@ -327,12 +331,16 @@ Get a Leaderboard Analytics: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action fetches leaderboard analytics from an external system. It does not + match any of the provided categories (e.g., Enrichment, Ticket, Alert, Identity, + etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false search_asset: false search_email: false - search_events: true + search_events: false send_email: false send_message: false submit_file: false @@ -342,49 +350,52 @@ Get a Leaderboard Analytics: update_identity: false update_ticket: false ai_description: >- - Fetches analytics for specific leaderboards from Vanilla Forums within a defined - date range. This action allows analysts to retrieve performance and activity data - (such as top posters or discussion starters) for community management or auditing - purposes. It queries the Vanilla Forums API for each specified leaderboard and - returns the aggregated data as a JSON result. + ### General Description + Fetches analytics for specified leaderboards from VanillaForums within a defined + date range. This action retrieves leaderboard data, such as top posters or discussion + starters, and returns the results as a JSON object for further analysis. - ### Parameters + + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Leaderboards | string | Yes | A comma-separated list of leaderboard identifiers - to query (e.g., 'top-posters, top-discussion-starters'). | + | Leaderboards | string | Yes | Comma-separated list of leaderboards to fetch + (e.g., "top-posters, top-discussion-starters"). | + + | To | string | Yes | End date of the time frame in yyyy-mm-dd format. | - | To | string | Yes | The end date of the analytics timeframe in YYYY-MM-DD format. - | + | Amount Limit | string | Yes | The maximum number of rows to return for each + leaderboard. | - | Amount Limit | string | Yes | The maximum number of rows/records to return for - each individual leaderboard. | + | From | string | Yes | Start date of the time frame in yyyy-mm-dd format. | + + + ### Additional Notes - | From | string | Yes | The start date of the analytics timeframe in YYYY-MM-DD - format. | + This action does not operate on entities and does not modify any internal or external + data. It is a read-only operation that retrieves analytics data from the VanillaForums + API. ### Flow Description - 1. **Initialization**: The action initializes the Vanilla Forums manager using - the provided API Token and Base URL from the integration configuration. + 1. Extract the action parameters: `Leaderboards`, `Amount Limit`, `From`, and + `To`. - 2. **Parameter Parsing**: It extracts the list of leaderboards, the date range - (From/To), and the result limit from the action parameters. + 2. Initialize the `VanillaManager` with the API token and base URL. - 3. **Data Retrieval**: The action iterates through each requested leaderboard - and calls the Vanilla Forums API to fetch the corresponding analytics data for - the specified timeframe. + 3. Split the `Leaderboards` parameter into a list of individual boards. - 4. **Result Aggregation**: The retrieved data for each board is collected into - a structured JSON list. + 4. Iterate through each board and call the `get_leaderboard_analytics` method + to fetch the analytics data. - 5. **Completion**: The action outputs the aggregated JSON results and a summary - message indicating which leaderboards were successfully processed. + 5. Append the results to a JSON list. + + 6. Return the final JSON result using `siemplify.result.add_result_json`. capabilities: can_create_case_comments: false can_create_insight: false @@ -395,8 +406,15 @@ Get a Leaderboard Analytics: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to fetch analytics data (fetches_data=true). + It does not mutate external systems, update entities, create insights, or modify + alert data. categories: enrichment: false + reasoning: >- + The action fetches data but does not operate on entities or alerts, therefore + it does not meet the criteria for an Enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -412,6 +430,9 @@ Get a Leaderboard Analytics: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `siemplify.target_entities`. It processes + parameters provided directly to the action configuration. Ping: action_product_categories: add_alert_comment: false @@ -427,6 +448,9 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test ('Ping'). It does not perform any of the defined + functional outcomes such as enriching IOCs, updating tickets, or blocking hosts. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -442,39 +466,32 @@ Ping: update_identity: false update_ticket: false ai_description: >- - ### General Description - - Verifies the connectivity between Google SecOps and the VanillaForums instance. - This action is used to ensure that the provided API Token and Base URL are valid - and that the network path to the service is open. + Verifies connectivity to the VanillaForums instance. This action ensures that + the SOAR platform can successfully communicate with the VanillaForums API. - ### Parameters Description + ### Parameters There are no parameters for this action. ### Additional Notes - This action relies on the integration's global configuration (API Token and URL) - to perform the connectivity test. + This action is a connectivity test (Ping) and does not perform any functional + operations on entities or alerts. ### Flow Description - 1. **Configuration Retrieval**: The action retrieves the `API Token` and `URL` - from the VanillaForums integration configuration. + 1. Retrieves the API Token and Base URL from the integration configuration. - 2. **Manager Initialization**: It initializes the `VanillaManager` with the retrieved - credentials. + 2. Initializes the `VanillaManager` with the provided credentials. - 3. **Connectivity Test**: The action executes a GET request to the `/v2/categories` - endpoint of the VanillaForums API, requesting a single category to minimize data - transfer. + 3. Attempts to connect to the VanillaForums API by sending a `GET` request to + the `/v2/categories` endpoint. - 4. **Response Validation**: It checks the HTTP response status. If the request - is successful, it confirms connectivity; otherwise, it catches the exception and - reports the failure. + 4. Returns a success status if the connection is established, or a failure status + if an error occurs. capabilities: can_create_case_comments: false can_create_insight: false @@ -485,8 +502,15 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to verify connectivity to the VanillaForums + API. It does not modify external or internal data, nor does it update entities, + create insights, or modify alert data. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action. Per the instructions, 'Actions named Ping must + not be categorized as enrichment actions.' entity_usage: entity_types: [] filters_by_additional_properties: false @@ -502,6 +526,8 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `target_entities`. Search User By Email and Name: action_product_categories: add_alert_comment: false @@ -513,10 +539,15 @@ Search User By Email and Name: disable_identity: false download_file: false enable_identity: false - enrich_asset: false + enrich_asset: true enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action searches for a user in the VanillaForums platform and returns contextual + metadata (existence, details). This matches the 'Enrich Asset' category (returning + contextual metadata for a user) and the 'Search Asset' category (searching for + the asset within the product). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -534,54 +565,39 @@ Search User By Email and Name: ai_description: >- ### General Description - The **Search User By Email and Name** action is designed to verify the existence - of a user within the VanillaForums platform. It performs two independent searches: - one based on a provided email address and another based on a username. This action - is primarily used to validate user accounts or retrieve specific user details - during investigations or administrative workflows. + This action searches for a user within the VanillaForums platform using their + email address and username. It retrieves information from the platform to confirm + the existence of the user and provides their details if found. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **User Email** | String | Yes | The email address of the user to search for. - The search is performed case-insensitively. | + | User Email | string | Yes | The email address of the user to search for. | - | **User Name** | String | Yes | The full name or username of the user to search - for in the platform. | + | User Name | string | Yes | The full name of the user to search for. | ### Flow Description - 1. **Parameter Extraction**: The action retrieves the `User Email` and `User Name` - from the input parameters, applying basic cleaning (stripping whitespace and converting - the email to lowercase). - - 2. **Email Search**: It queries the VanillaForums API's `/v2/users` endpoint. - Since this endpoint returns a list, the action iterates through pages of users - to find an exact match for the provided email. - - 3. **Name Search**: It queries the `/v2/users/by-names` endpoint to check for - the existence of the provided username. - - 4. **Result Consolidation**: The action evaluates if a user was found via either - the email or the name search. If found by email, the full user details are captured. + 1. The action extracts the `User Email` and `User Name` from the provided action + parameters. - 5. **Output**: The action returns a boolean result indicating if any match was - found, along with a JSON object containing the search status for both identifiers - and the user details if available. + 2. It initializes the `VanillaManager` using the configured API token and base + URL. + 3. It performs a search in the VanillaForums API for the user by email address. - ### Additional Notes + 4. It performs a search in the VanillaForums API for the user by username. - - This action does not interact with Google SecOps entities; it relies entirely - on the string values provided in the parameters. + 5. It compiles the findings into a result JSON, indicating whether the user was + found by email, by username, or both, and includes the user details if available. - - The `UserDetails` field in the JSON output is only populated if a match is found - during the email search phase. + 6. The action concludes by returning the result JSON and a status message to the + SOAR platform. capabilities: can_create_case_comments: false can_create_insight: false @@ -592,8 +608,16 @@ Search User By Email and Name: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs GET requests to the VanillaForums API to retrieve user information. + It does not modify any external or internal data, nor does it update entities + or create insights. categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches data from an external system (VanillaForums) to provide context + about a user. It does not mutate any external or internal data. This qualifies + as an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -609,6 +633,10 @@ Search User By Email and Name: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action uses action parameters ('User Email', 'User Name') to perform the + search, rather than iterating over 'target_entities'. Therefore, it does not + run on any specific entity types. Update Badge: action_product_categories: add_alert_comment: false @@ -624,6 +652,11 @@ Update Badge: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action performs a state-changing operation (assigning a badge) on an external + system (VanillaForums). It does not match any of the provided categories (Enrich + IOC, Contain Host, Update Identity, etc.) as it is a specific administrative + task for a forum platform. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -636,47 +669,18 @@ Update Badge: uncontain_host: false update_alert: false update_email: false - update_identity: true + update_identity: false update_ticket: false ai_description: >- - Awards a specific badge to a user within Vanilla Forums using their respective - IDs. This action interacts with the Vanilla Forums API to grant recognition or - status to a community member. - - - ### Flow Description - - 1. **Parameter Extraction:** The action retrieves the `User ID` and `Badge ID` - from the input parameters. - - 2. **Manager Initialization:** It initializes the `VanillaManager` using the integration's - API Token and Base URL. - - 3. **API Interaction:** The action calls the `give_user_badge` method, which sends - a POST request to the Vanilla Forums `/v2/badges/{badge_id}/users` endpoint. - - 4. **Result Processing:** It captures the response from the API, updates the action - status to completed upon success, and attaches the badge details as a JSON result. - - - ### Parameters Description - - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | User ID | String | Yes | The unique identifier of the user who will receive - the badge. | - - | Badge ID | String | Yes | The unique identifier of the badge to be awarded to - the user. | - - - ### Additional Notes - - * This action does not run on SecOps entities; it relies entirely on the provided - ID parameters. + ### General Description: This action assigns a specific badge to a user within + the VanillaForums platform. ### Parameters Description: User ID (string, mandatory): + The ID of the user to be awarded the badge. Badge ID (string, mandatory): The + ID of the badge to be awarded to the user. ### Flow Description: 1. Extracts User + ID and Badge ID from the action parameters. 2. Initializes the VanillaManager + using the integration configuration (API Token, URL). 3. Executes the give_user_badge + method, which sends a POST request to the VanillaForums API to assign the specified + badge to the user. 4. Logs the outcome and adds the resulting JSON response to + the action results. ### Additional Notes: There are no additional notes. capabilities: can_create_case_comments: false can_create_insight: false @@ -685,12 +689,18 @@ Update Badge: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Awards a badge to a user in Vanilla Forums, which changes the user's profile - state in the external system. + Assigns a badge to a user in the VanillaForums platform via a POST request. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to an external API to assign a badge to a + user. It does not fetch contextual data for entities, nor does it modify internal + SOAR data (entities, insights, comments). categories: enrichment: false + reasoning: >- + The action is a mutation action (assigning a badge) and does not fetch data + for enrichment purposes. Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -706,6 +716,9 @@ Update Badge: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use siemplify.target_entities. It relies on user-provided + parameters (User ID and Badge ID) to perform the operation. Update Rank: action_product_categories: add_alert_comment: false @@ -721,6 +734,11 @@ Update Rank: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action updates a user's rank in the VanillaForums platform. This aligns + with the 'Update Identity' category, which involves modifying account metadata, + permissions, or roles. It does not match other categories like 'Enrich IOC' + or 'Contain Host'. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -736,47 +754,36 @@ Update Rank: update_identity: true update_ticket: false ai_description: >- - Updates the rank of a specific user within Vanilla Forums. This action allows - administrators to programmatically change a user's community standing or permission - level by assigning a new Rank ID to a specific User ID. - - - ### Flow Description: + ### General Description - 1. **Parameter Extraction:** The action retrieves the 'Rank ID' and 'User ID' - from the action parameters. + This action updates the rank of a user within the VanillaForums platform. It allows + administrators to modify a user's rank by providing the corresponding Rank ID + and User ID. - 2. **Manager Initialization:** It initializes the VanillaManager using the integration's - API Token and Base URL. - 3. **API Interaction:** The action calls the `change_user_rank` method, which - sends a PUT request to the Vanilla Forums API endpoint `/v2/users/{user_id}/rank` - with the new rank information. + ### Parameters - 4. **Result Handling:** If the request is successful, the action completes with - a success message and provides the raw JSON response from the API. If it fails, - an error message is logged and the action status is set to failed. + | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Parameters Description: + | Rank ID | string | Yes | The ID of the rank to assign to the user. | - | Parameter Name | Type | Mandatory | Description | + | User ID | string | Yes | The ID of the user whose rank is being updated. | - | :--- | :--- | :--- | :--- | - | Rank ID | String | Yes | The unique identifier of the rank you wish to assign - to the user. | - - | User ID | String | Yes | The unique identifier of the user whose rank is being - modified. | + ### Flow Description + 1. The action extracts the `Rank ID` and `User ID` from the provided parameters. - ### Additional Notes: + 2. It initializes the `VanillaManager` using the configured API token and base + URL. - - This action performs a direct mutation on the external Vanilla Forums system. + 3. It calls the `change_user_rank` method, which sends a `PUT` request to the + VanillaForums API to update the user's rank. - - It does not process SecOps entities (like IP or Hostname) but operates on specific - IDs provided as input parameters. + 4. The action concludes by returning the operation result and updating the execution + status. capabilities: can_create_case_comments: false can_create_insight: false @@ -785,12 +792,18 @@ Update Rank: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the rank of a user in the Vanilla Forums platform via a PUT request - to the user's rank endpoint. + Updates the user's rank in the VanillaForums platform via a PUT request. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a `PUT` request to the VanillaForums API to change a user's + rank. This is an external mutation. It does not fetch data for enrichment, nor + does it modify internal SOAR entities or case data. categories: enrichment: false + reasoning: >- + The action is a mutation action (updates external system state) and does not + fetch data for enrichment purposes. Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -806,6 +819,9 @@ Update Rank: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action takes `User ID` as a direct input parameter and does not interact + with the `siemplify.target_entities` list. Therefore, it does not run on entities. Update User Role: action_product_categories: add_alert_comment: false @@ -821,6 +837,9 @@ Update User Role: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action updates the role of a user in an external system (VanillaForums). + This matches the 'Update Identity' category. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -835,40 +854,17 @@ Update User Role: update_email: false update_identity: true update_ticket: false - ai_description: >- - Updates the role of a specific user within Vanilla Forums. This action allows - an analyst to programmatically change a user's permissions by assigning them a - new role ID. It interacts with the Vanilla Forums API via a PATCH request to modify - the user's profile data. - - - ### Flow Description: - - 1. **Parameter Extraction:** The action retrieves the `UserID` and `RoleID` from - the input parameters. - - 2. **API Interaction:** It calls the `give_user_role` method in the VanillaManager, - which sends a PATCH request to the `/v2/users/{userID}` endpoint with the new - `roleID`. - - 3. **Validation:** The action checks the API response to ensure the role was successfully - updated and that the provided Role ID was valid. - - 4. **Result Reporting:** The updated user details are returned as a JSON result, - and the action status is updated to reflect success or failure. - - - ### Parameters Description: - - | Parameter Name | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | UserID | String | True | The unique identifier of the user whose role needs - to be changed. | - - | RoleID | String | True | The unique identifier of the role to be assigned to - the user. | + ai_description: "This action updates the role of a specific user within the VanillaForums\ + \ platform. \n\n### Flow Description\n1. The action extracts the `UserID` and\ + \ `RoleID` from the provided action parameters.\n2. It initializes the `VanillaManager`\ + \ using the integration configuration (API token and base URL).\n3. The action\ + \ calls the `give_user_role` method, which sends a `PATCH` request to the VanillaForums\ + \ API to update the user's role.\n4. The updated user details are returned as\ + \ a JSON result, and the action completes with a success or failure status.\n\n\ + ### Parameters Description\n| Parameter | Type | Mandatory | Description |\n|\ + \ :--- | :--- | :--- | :--- |\n| UserID | string | Yes | The ID of the user whose\ + \ role is to be changed. |\n| RoleID | string | Yes | The ID of the role to be\ + \ assigned to the user. |" capabilities: can_create_case_comments: false can_create_insight: false @@ -877,12 +873,17 @@ Update User Role: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the role assignment for a user in the Vanilla Forums platform using - a PATCH request. - fetches_data: true + Updates the user's role in the VanillaForums platform via a PATCH request. + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a PATCH request to the VanillaForums API to update a user's + role, which is an external mutation. It does not perform any internal SOAR data + mutations (like updating entities or creating insights). categories: enrichment: false + reasoning: >- + The action is a mutation action (updates user role), not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -898,3 +899,6 @@ Update User Role: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use `siemplify.target_entities`. It uses action parameters + `UserID` and `RoleID` directly. diff --git a/content/response_integrations/third_party/community/vanilla_forums/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/vanilla_forums/resources/ai/integration_ai_description.yaml index 6c27508d3..fe999d7be 100644 --- a/content/response_integrations/third_party/community/vanilla_forums/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/community/vanilla_forums/resources/ai/integration_ai_description.yaml @@ -7,6 +7,17 @@ product_categories: iam_and_identity_management: true itsm: false network_security: false + reasoning: >- + The vanilla_forums integration provides administrative actions to manage users + within the VanillaForums platform, including Add User, Update Rank, and Update + User Role. These actions allow for the creation of users and the modification + of user privileges and roles, which aligns with the IAM & Identity Management + category. The integration does not perform SIEM, EDR, Network Security, Threat + Intelligence, Email Security, Cloud Security, ITSM, Vulnerability Management, + Asset Inventory, or Collaboration functions as defined in the provided criteria. + While the integration includes search and retrieval actions, these do not map + to the specific definitions of the other categories (e.g., they are not for IT + assets or IOCs). siem: false threat_intelligence: false vulnerability_management: false diff --git a/content/response_integrations/third_party/community/vectra_qux/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/vectra_qux/resources/ai/actions_ai_description.yaml index 14b37f9f8..482a3a87f 100644 --- a/content/response_integrations/third_party/community/vectra_qux/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/vectra_qux/resources/ai/actions_ai_description.yaml @@ -13,6 +13,10 @@ Add Note: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action adds a note to an external entity in VectraQUX. It does not match + any of the provided categories (e.g., it is not an alert comment, ticket update, + or IOC blocklist action). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -28,53 +32,42 @@ Add Note: update_identity: false update_ticket: false ai_description: >- - Adds a note to a specific entity (Account, Host, or Detection) in the Vectra QUX - platform. This action allows analysts to document findings, provide context, or - record automated observations directly within the Vectra interface from Google - SecOps. + ### General Description + Adds a note to a specific entity (Account, Host, or Detection) within the VectraQUX + platform. This action allows analysts to append contextual information or updates + directly to an entity record in the external system. - ### Parameters Description + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Note | String | Yes | The text content of the note to be added to the entity. - | + | Note | string | Yes | The text content of the note to be added. | - | Entity ID | String | Yes | The unique numerical ID of the entity in Vectra. + | Entity ID | string | Yes | The unique identifier of the entity in VectraQUX. | - | Entity Type | DDL | Yes | The category of the entity. Supported values are: - `Account`, `Host`, and `Detection`. | - - - ### Additional Notes - - - The `Entity ID` must be a valid integer. The action will fail if the ID does not - exist or if the user does not have sufficient permissions in Vectra QUX to add - notes to the specified entity type. + | Entity Type | ddl | Yes | The category of the entity. Options: Account, Host, + Detection. | ### Flow Description + 1. The action extracts configuration parameters (API Root, API Token, Verify SSL) + and action parameters (Note, Entity ID, Entity Type). - 1. **Parameter Extraction:** The action retrieves the API connection settings - (API Root, Token, SSL verification) and the user-provided parameters: Note, Entity - ID, and Entity Type. + 2. The VectraQUX manager is initialized with the provided credentials. - 2. **Validation:** It validates that the `Entity ID` provided is a valid integer. + 3. The Entity ID is validated to ensure it is an integer. - 3. **API Interaction:** It initializes the VectraQUX manager and sends a POST - request to the Vectra API endpoint corresponding to the specified entity type - and ID (e.g., `/api/v2.5/hosts/{id}/notes`). + 4. A POST request is sent to the VectraQUX API endpoint `/{entity_type}s/{entity_id}/notes` + to create the note. - 4. **Result Processing:** It captures the API response, which contains the details - of the newly created note object, and outputs it to the action's data table and - JSON result for analyst review. + 5. The response is processed and added to the action results as a data table and + JSON object. capabilities: can_create_case_comments: false can_create_insight: false @@ -83,12 +76,17 @@ Add Note: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Adds a new note to a specific entity (Account, Host, or Detection) in the Vectra - QUX platform. + Adds a note to the specified entity in the VectraQUX platform. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to add a note to an external system (VectraQUX). + It does not fetch data, nor does it modify internal SecOps data or entities. categories: enrichment: false + reasoning: >- + The action is a mutation action (adding a note to an external system) and does + not fetch data for enrichment purposes. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -104,6 +102,9 @@ Add Note: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities`. It takes `Entity + ID` and `Entity Type` as direct input parameters. Add Outcome: action_product_categories: add_alert_comment: false @@ -119,6 +120,10 @@ Add Outcome: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action creates a new outcome in the Vectra platform. This does not match + any of the provided product categories, such as ticket creation, IOC management, + or alert modification. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -134,43 +139,15 @@ Add Outcome: update_identity: false update_ticket: false ai_description: >- - Adds a new outcome (resolution category) to the Vectra AI platform. Outcomes are - used during the assignment resolution process to categorize detections or entities - (e.g., as a true positive or false positive). This action allows administrators - to dynamically expand the available resolution options within the Vectra environment. - - - ### Flow Description - - 1. **Parameter Extraction**: Retrieves the 'Title' and 'Category' from the action - input. - - 2. **API Interaction**: Sends a POST request to the Vectra API (`/api/v2.5/assignment_outcomes`) - with the provided details. - - 3. **Result Processing**: Captures the newly created outcome's metadata, including - its unique ID and system status. - - 4. **Output Generation**: Populates a data table and JSON result with the outcome - details for the analyst. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Title | String | Yes | The unique name/title for the new outcome. | - - | Category | DDL | Yes | The classification category for the outcome. Supported - values: `malicious_true_positive`, `benign_true_positive`, `false_positive`. | - - - ### Additional Notes - - - This action does not run on entities; it is a management action that modifies - the configuration of the Vectra AI platform. + General description: Adds a new outcome to the Vectra QUX platform. Flow description: + 1. Extracts configuration parameters (API Root, API Token, Verify SSL) and action + parameters (Title, Category). 2. Initializes the VectraQUXManager with the provided + credentials. 3. Executes the add_outcome method, which sends a POST request to + the Vectra API to create the outcome. 4. Adds the resulting outcome details to + the action result as a data table and JSON. Parameters description: Title (string, + mandatory): The unique title of the outcome. Category (ddl, mandatory): The category + of the outcome. Options: malicious_true_positive, benign_true_positive, false_positive. + Additional notes: None. capabilities: can_create_case_comments: false can_create_insight: false @@ -179,12 +156,17 @@ Add Outcome: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new outcome resource (resolution category) in the Vectra AI platform - via a POST request. + Creates a new outcome record in the Vectra QUX platform. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the Vectra API to create a new outcome. + It does not fetch data, nor does it modify internal SOAR entities or alerts. categories: enrichment: false + reasoning: >- + The action performs a POST request to create an outcome in an external system. + It does not fetch data, so it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -200,6 +182,9 @@ Add Outcome: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over target_entities or use entity identifiers. + It operates independently of any specific entity. Add Tags: action_product_categories: add_alert_comment: false @@ -215,6 +200,10 @@ Add Tags: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action updates entity metadata (tags) in the VectraQUX platform. This aligns + with the 'Update Identity' category, as it modifies account metadata. It does + not fit other categories like enrichment, containment, or alert management. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -230,54 +219,53 @@ Add Tags: update_identity: true update_ticket: false ai_description: >- - Adds tags to specific entities (Accounts, Hosts, or Detections) in the Vectra - AI platform. This action allows users to provide a comma-separated list of tags - and a comma-separated list of entity IDs. It first retrieves the existing tags - for each entity to ensure no duplicates are created, then updates the entity with - the combined list of tags. The results, including the status of each update, are - presented in a data table. + Adds tags to specified entities (Account, Host, or Detection) within the VectraQUX + platform. This action retrieves the current tags for the provided entity IDs, + merges them with the new tags, and updates the entity metadata in the external + system. - ### Parameters + ### Flow Description + 1. **Initialization**: Extracts configuration parameters (API Root, API Token, + SSL verification) and action parameters (Tags, Entity IDs, Entity Type). - | Parameter | Type | Mandatory | Description | + 2. **Parsing**: Processes the comma-separated strings for Tags and Entity IDs + into lists, removing duplicates. - | :--- | :--- | :--- | :--- | + 3. **Iteration**: Loops through each provided Entity ID. - | Tags | string | True | List of the Tags which user wants to add to the account, - host or detection. | + 4. **Fetch**: Retrieves the existing tags for the current entity from the VectraQUX + platform. - | Entity IDs | string | True | List of the Entity IDs in which user wants to add - Tags. | + 5. **Update**: Merges the existing tags with the new tags and performs a PATCH + request to update the entity's tags in VectraQUX. - | Entity Type | ddl | True | The type of the entity in which tags will be added. - Supported values: Account, Host, Detection. | + 6. **Reporting**: Logs the success or failure of each update and generates a result + table and JSON output for the SOAR action. - ### Flow Description + ### Parameters Description + | Parameter | Type | Mandatory | Description | - 1. **Parameter Extraction:** Retrieves the API configuration and action parameters, - including the tags to add, the target entity IDs, and the entity type (Account, - Host, or Detection). + | :--- | :--- | :--- | :--- | - 2. **Tag Processing:** Splits the provided tags string into a unique list and - removes whitespace. + | Tags | String | Yes | A comma-separated list of tags to be added to the entities. + | - 3. **Entity Processing:** Splits the provided entity IDs string into a unique - list of validated integers. + | Entity IDs | String | Yes | A comma-separated list of Entity IDs to which the + tags will be added. | - 4. **Tag Retrieval:** For each entity ID, the action fetches the current tags - from Vectra AI via a GET request. + | Entity Type | DDL | Yes | The type of entity (Account, Host, or Detection) to + update. | - 5. **Tag Merging:** Combines the existing tags with the new tags, ensuring uniqueness. - 6. **External Update:** Sends a PATCH request to Vectra AI to update the entity's - tags with the merged list. + ### Additional Notes - 7. **Result Compilation:** Tracks successes and failures for each ID, adding a - summary data table and JSON result to the action output. + This action performs a mutation on the external VectraQUX platform. It does not + modify internal SOAR case data, but it does output results to the action's result + object. capabilities: can_create_case_comments: false can_create_insight: false @@ -286,12 +274,21 @@ Add Tags: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the tags associated with specific entities (Accounts, Hosts, or Detections) - in the Vectra AI platform using a PATCH request. + Updates the tag list for the specified entity (Account, Host, or Detection) + in the VectraQUX platform. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches existing tags from the VectraQUX API (fetches_data=true) + and performs a PATCH request to update the entity's tags (can_mutate_external_data=true). + It does not modify internal SOAR case data (entities, insights, or case comments), + only providing standard result outputs. categories: enrichment: false + reasoning: >- + The action is not an enrichment action because it mutates external data (updates + tags on the VectraQUX platform). Enrichment actions must be read-only regarding + external systems. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -307,6 +304,10 @@ Add Tags: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities`. Instead, it accepts + a list of Entity IDs as an action parameter. Therefore, it does not run on SOAR + entities directly. Assign Entity: action_product_categories: add_alert_comment: false @@ -322,6 +323,10 @@ Assign Entity: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action creates an assignment between an entity and a user in the Vectra + platform. This does not match any of the provided categories (Enrichment, Ticket, + Alert, Blocklist, Identity, Host, Email, etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -339,10 +344,10 @@ Assign Entity: ai_description: >- ### General Description - Assigns a specific entity (either a Host or an Account) to a user within the Vectra - platform. This action is primarily used for workflow management, allowing analysts - to programmatically set ownership or responsibility for specific detected entities - to a particular user ID in Vectra. + This action assigns a specific entity (Host or Account) to a user within the Vectra + QUX platform. It facilitates the management of entity assignments by linking a + target entity to a designated user ID, enabling better tracking and ownership + of security entities. ### Parameters Description @@ -351,39 +356,39 @@ Assign Entity: | :--- | :--- | :--- | :--- | - | Entity ID | string | Yes | The unique numeric identifier of the entity in Vectra - that you want to assign. | + | Entity ID | string | Yes | The unique identifier of the entity (Account or Host) + to be assigned. | - | Entity Type | ddl | Yes | Specifies the type of the entity being assigned. Options - are 'Account' or 'Host'. | + | Entity Type | ddl | Yes | The type of the entity. Must be either 'Account' or + 'Host'. | - | User ID | string | Yes | The unique numeric identifier of the Vectra user to - whom the entity will be assigned. | + | User ID | string | Yes | The unique identifier of the user to whom the entity + will be assigned. | - ### Additional Notes + ### Flow Description - - Both the **Entity ID** and **User ID** must be valid numeric strings, as the - action performs an integer validation check before proceeding. + 1. **Initialization**: The action extracts configuration parameters (API Root, + API Token, SSL verification) and action parameters (Entity ID, Entity Type, User + ID). - - This action creates a new assignment record in Vectra via a POST request. + 2. **Validation**: It validates that both the `Entity ID` and `User ID` are valid + integers. + 3. **Execution**: It initializes the `VectraQUXManager` and sends a POST request + to the Vectra API to create the assignment between the specified entity and the + user. - ### Flow Description + 4. **Result Handling**: Upon success, it adds the assignment details to the action + results as a data table and a JSON object containing the raw assignment data. - 1. **Parameter Extraction**: The action retrieves the API configuration (Root, - Token, SSL) and the action parameters (User ID, Entity ID, Entity Type). - 2. **Validation**: It validates that the provided `Entity ID` and `User ID` are - valid integers. + ### Additional Notes - 3. **API Interaction**: It initializes the VectraQUX manager and calls the `assign_entity` - method, which sends a POST request to the Vectra `/assignments` endpoint with - the user and entity details. + - Both `Entity ID` and `User ID` must be provided as valid integer strings for + the action to succeed. - 4. **Result Processing**: Upon success, it retrieves the assignment details (including - the new Assignment ID) and outputs them into a data table and a raw JSON result - for the SOAR platform. + - This action performs a state change in the external Vectra QUX system. capabilities: can_create_case_comments: false can_create_insight: false @@ -392,12 +397,18 @@ Assign Entity: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new assignment record in the Vectra platform, linking a specific host - or account entity to a user ID. - fetches_data: true + Creates an assignment between an entity and a user in the Vectra QUX system. + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the Vectra API to create an assignment + between an entity and a user. It does not fetch data, update SOAR entities, + or create insights/comments. categories: enrichment: false + reasoning: >- + The action performs a mutation on an external system (Vectra) to create an assignment. + It does not fetch data, so it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -413,6 +424,9 @@ Assign Entity: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action takes 'Entity ID' and 'Entity Type' as input parameters rather than + operating on 'siemplify.target_entities'. Therefore, it does not use SOAR entities. Assign Group: action_product_categories: add_alert_comment: false @@ -428,6 +442,9 @@ Assign Group: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action updates group membership in an external system (Vectra QUX). It does + not match any of the predefined categories (Enrich IOC, Contain Host, etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -440,46 +457,69 @@ Assign Group: uncontain_host: false update_alert: false update_email: false - update_identity: true + update_identity: false update_ticket: false - ai_description: "### General Description\nThe **Assign Group** action allows users\ - \ to add multiple members to a specific group within the Vectra platform. This\ - \ action is designed to manage group memberships by appending new identifiers\ - \ (such as Hosts, Accounts, IPs, or Domains) to an existing group identified by\ - \ its ID. It is particularly useful for organizing entities for policy enforcement\ - \ or investigative tracking.\n\n### Parameters Description\n| Parameter | Type\ - \ | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| **Group ID** |\ - \ String | Yes | The unique numeric identifier of the group in Vectra to which\ - \ members will be assigned. |\n| **Members** | String | Yes | A comma-separated\ - \ list of member identifiers (e.g., IP addresses, hostnames, or account UIDs)\ - \ to be added to the group. |\n\n### Flow Description\n1. **Parameter Extraction:**\ - \ The action retrieves the `Group ID` and the `Members` string from the input\ - \ parameters.\n2. **Validation:** The `Group ID` is validated to ensure it is\ - \ a valid positive integer. The `Members` string is processed into a unique list\ - \ of identifiers.\n3. **API Interaction:** The action calls the Vectra API using\ - \ a `PATCH` request to the group's endpoint. It uses the `membership_action=append`\ - \ parameter to ensure new members are added without removing existing ones.\n\ - 4. **Verification:** After the update, the action compares the requested members\ - \ against the actual membership list returned by the API to determine which members\ - \ were successfully assigned and which were not.\n5. **Output Generation:** \n\ - \ * If no members were assigned, the action returns a failure status.\n \ - \ * If some or all members were assigned, it generates an HTML table displaying\ - \ the updated group details (ID, Name, Type, Description, and Members) and provides\ - \ the full raw JSON response." + ai_description: >- + ### General Description + + This action assigns members to a specific group in the Vectra QUX system. It allows + analysts to manage group memberships by adding a list of members to a target group. + + + ### Flow Description + + 1. Extract configuration parameters (API Root, API Token, Verify SSL). + + 2. Extract action parameters (Group ID, Members). + + 3. Call the Vectra QUX API to append the specified members to the group. + + 4. Process the API response to identify which members were successfully assigned + and which were not. + + 5. Generate an HTML view of the updated group details and add it to the action + results. + + 6. Add the full API response as JSON to the action results. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Group ID | string | Yes | The ID of the specific group to update. | + + | Members | string | Yes | A comma-separated list of members to assign to the + group. | + + + ### Additional Notes + + None. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: true - can_mutate_internal_data: false + can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: >- - Updates the membership list of a group in the Vectra platform by appending new - members via a PATCH request. - fetches_data: true - internal_data_mutation_explanation: null + Updates group membership in the external Vectra QUX system. + fetches_data: false + internal_data_mutation_explanation: >- + Adds an HTML view and result JSON to the action's output. + reasoning: >- + The action performs a PATCH request to update group members in the external + Vectra QUX system (can_mutate_external_data=true). It also adds an HTML view + and result JSON to the SOAR action (can_mutate_internal_data=true). It does + not fetch data for enrichment, update entities, or modify alerts. categories: enrichment: false + reasoning: >- + The action is a mutation action (updating group members) and does not perform + enrichment or data retrieval. Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -495,6 +535,9 @@ Assign Group: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use `target_entities`. It uses action parameters `Group + ID` and `Members` to perform its task. Describe Assignment: action_product_categories: add_alert_comment: false @@ -509,7 +552,11 @@ Describe Assignment: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false - get_alert_information: false + get_alert_information: true + reasoning: >- + The action fetches assignment details from the VectraQUX API. This information + is related to detections and alerts, which aligns with the 'Get Alert Information' + category. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -525,37 +572,44 @@ Describe Assignment: update_identity: false update_ticket: false ai_description: >- - ### General Description - Retrieves detailed information about a specific assignment from the VectraQUX - platform. This action fetches the assignment details based on the provided Assignment - ID and presents the data in both JSON and table formats for analysis. + platform. This action fetches the assignment data using its unique ID, parses + the response, and presents the details in both a JSON format and a structured + data table within the SOAR case. - ### Parameters Description + ### Flow - | Parameter | Type | Mandatory | Description | + 1. Extract configuration parameters (API Root, API Token, Verify SSL). - | :--- | :--- | :--- | :--- | + 2. Extract the mandatory `Assignment ID` parameter. - | Assignment ID | string | Yes | The unique identifier of the assignment to retrieve. - | + 3. Validate the `Assignment ID` as an integer. + 4. Initialize the `VectraQUXManager` to interact with the Vectra API. - ### Flow Description + 5. Perform a GET request to retrieve assignment details. - 1. Extract configuration parameters (API Root, API Token, Verify SSL). + 6. Add the raw JSON response to the action results. - 2. Extract the `Assignment ID` parameter. + 7. Construct and add a data table containing the assignment details to the SOAR + case. - 3. Initialize the `VectraQUXManager` with the provided credentials. - 4. Execute the `describe_assignment` method to fetch data from the VectraQUX API. + ### Parameters - 5. Add the raw JSON response to the action results. + | Parameter | Type | Mandatory | Description | - 6. Construct and add a data table containing the assignment details to the action - results. + | :--- | :--- | :--- | :--- | + + | Assignment ID | string | Yes | The unique identifier of the assignment to retrieve. + | + + + ### Additional Notes + + - The action requires a valid `Assignment ID` to function correctly. If the ID + is invalid or not found, the action will fail and return an error message. capabilities: can_create_case_comments: false can_create_insight: false @@ -566,8 +620,19 @@ Describe Assignment: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the VectraQUX API to fetch assignment details + (fetches_data=true). It does not mutate any external systems (can_mutate_external_data=false). + It does not modify any internal SOAR data (like entities, insights, or case + comments), it only outputs the retrieved information as a result JSON and a + data table (can_mutate_internal_data=false). categories: enrichment: false + reasoning: >- + The action fetches data from an external source but does not meet the strict + criteria for an enrichment action, as it does not enrich entities or alerts + directly, nor does it create insights or add comments. It is a data retrieval + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -583,6 +648,9 @@ Describe Assignment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities`. It takes an `Assignment + ID` as an input parameter to perform its task. Describe Detection: action_product_categories: add_alert_comment: false @@ -598,6 +666,10 @@ Describe Detection: enrich_ioc: false execute_command_on_the_host: false get_alert_information: true + reasoning: >- + The action fetches detailed information about a specific detection from the + VectraQUX platform. This aligns directly with the 'Get Alert Information' category, + as it retrieves context about a security event/detection. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -613,49 +685,42 @@ Describe Detection: update_identity: false update_ticket: false ai_description: >- - ### General Description - - The **Describe Detection** action retrieves detailed information for a specific - detection from the Vectra AI platform using its unique Detection ID. It provides - analysts with granular visibility into a threat, including its type, category, - current state, and the source entity (host or account) involved. - - - ### Parameters Description + Retrieves detailed information for a specific detection from the VectraQUX platform. + This action allows analysts to fetch comprehensive data regarding a detection + by its unique ID, which is then presented as a data table and raw JSON for further + investigation. - | Parameter | Type | Mandatory | Description | + ### Flow Description - | :--- | :--- | :--- | :--- | + 1. **Parameter Extraction**: The action retrieves the required API credentials + (API Root, API Token) and the mandatory `Detection ID` from the action parameters. - | Detection ID | String | Yes | The unique identifier of the detection to be described. - This value must be a valid integer. | + 2. **Manager Initialization**: It initializes the `VectraQUXManager` using the + provided credentials to establish a connection to the VectraQUX API. + 3. **Data Retrieval**: The action calls the `describe_detection` method to fetch + the full details of the specified detection. - ### Additional Notes + 4. **Result Presentation**: The retrieved detection data is formatted into a readable + table and the raw JSON response is added to the action results for the analyst + to review. - - This action does not process entities from the SOAR case; it operates solely - based on the provided `Detection ID` parameter. - - The results are presented both as a formatted data table and as a raw JSON object - for further downstream processing. + ### Parameters Description + | Parameter | Type | Mandatory | Description | - ### Flow Description + | :--- | :--- | :--- | :--- | - 1. **Input Validation**: The action first validates that the `Detection ID` provided - is a valid non-negative integer. + | Detection ID | string | Yes | The unique identifier of the detection to retrieve + from VectraQUX. | - 2. **API Interaction**: It initializes the VectraQUX manager and performs a GET - request to the `/detections/{detection_id}` endpoint. - 3. **Data Parsing**: The raw API response is transformed into a structured Detection - object, which includes cleaning up internal API versioning from URLs. + ### Additional Notes - 4. **Result Generation**: - - A data table titled "Describe Detection" is created containing key fields: - ID, Detection Type, State, Category, Source Entity ID, and Source Entity Name. - - The full raw JSON payload is added to the action results. + This action is a read-only operation and does not modify any data within the VectraQUX + platform or the Google SecOps case. capabilities: can_create_case_comments: false can_create_insight: false @@ -666,8 +731,17 @@ Describe Detection: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve detection details from the VectraQUX + API. It does not perform any write operations (POST/PUT/DELETE) on external + systems, nor does it modify any internal Google SecOps data (entities, insights, + or case comments). It simply outputs the retrieved data to the action result. categories: enrichment: false + reasoning: >- + While the action fetches data, it does not meet the criteria for an Enrichment + Action because it does not update entities, create insights, or add case comments. + It is strictly a data retrieval action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -683,6 +757,9 @@ Describe Detection: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `siemplify.target_entities`. It operates based + on a provided `Detection ID` parameter. Describe Entity: action_product_categories: add_alert_comment: false @@ -698,10 +775,14 @@ Describe Entity: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves detailed metadata about an entity (Account or Host) from + Vectra QUX. This aligns with the 'Enrich Asset' category, as it provides contextual + information about a resource. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false - search_asset: true + search_asset: false search_email: false search_events: false send_email: false @@ -712,27 +793,45 @@ Describe Entity: update_email: false update_identity: false update_ticket: false - ai_description: "Retrieves comprehensive details for a specific entity (Host or\ - \ Account) from Vectra QUX using its unique identifier. This action is used to\ - \ gather deep contextual metadata about an asset, including its state, threat\ - \ scores, severity, and associated detection summaries. The retrieved information\ - \ is presented as both a structured data table and a raw JSON object for further\ - \ analysis.\n\n### Flow Description:\n1. **Parameter Extraction:** The action\ - \ retrieves the API configuration (Root, Token, SSL) and the specific action parameters:\ - \ `Entity ID` and `Entity Type`.\n2. **Validation:** Validates that the provided\ - \ `Entity ID` is a proper integer.\n3. **API Interaction:** Connects to the Vectra\ - \ QUX manager to perform a GET request against the specific entity endpoint (either\ - \ `/hosts/{id}` or `/accounts/{id}`).\n4. **Data Processing:** Parses the API\ - \ response into an internal Entity model.\n5. **Output Generation:** Converts\ - \ the entity data into a flat CSV-style table for the SOAR interface and attaches\ - \ the full raw JSON response to the action results.\n\n### Parameters Description:\n\ - | Parameter Name | Type | Mandatory | Description |\n| :--- | :--- | :--- | :---\ - \ |\n| Entity ID | String | Yes | The unique numerical identifier for the Account\ - \ or Host in Vectra QUX. |\n| Entity Type | DDL | Yes | Specifies the category\ - \ of the entity. Must be either 'Account' or 'Host'. |\n\n### Additional Notes:\n\ - - This action does not run on SOAR entities automatically; it requires a specific\ - \ ID provided as an input parameter. \n- If the entity is not found, the action\ - \ will return a failure status with a descriptive error message." + ai_description: >- + ### General Description + + Retrieves detailed information about a specific entity (Account or Host) from + the Vectra QUX platform. This action fetches entity metadata, including threat + scores, tags, and detection sets, and presents the information in a structured + format. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + |---|---|---|---| + + | Entity ID | string | Yes | Unique identifier for the Account or Host. | + + | Entity Type | ddl | Yes | Type of entity to describe (Account or Host). | + + + ### Additional Notes + + The action requires both `Entity ID` and `Entity Type` to be provided to successfully + query the Vectra QUX API. If the entity is not found, the action will fail. + + + ### Flow Description + + 1. Initialize `SiemplifyAction`. + + 2. Extract configuration parameters (API Root, Token, SSL). + + 3. Extract action parameters (Entity ID, Entity Type). + + 4. Validate Entity ID. + + 5. Call `VectraQUXManager.describe_entity` to fetch data from the Vectra API. + + 6. Add the retrieved entity details to the action result as a data table and JSON. capabilities: can_create_case_comments: false can_create_insight: false @@ -743,8 +842,17 @@ Describe Entity: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve entity details from the Vectra + QUX API. It does not perform any mutations on external systems or internal SOAR + data (entities, insights, comments). It only outputs the retrieved data to the + action results. categories: enrichment: true + reasoning: >- + The action fetches data from an external system (Vectra QUX) and displays it + in the result. It does not mutate external systems or internal SOAR data (entities, + insights, comments). It meets the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -760,6 +868,10 @@ Describe Entity: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action takes `Entity ID` and `Entity Type` as input parameters. It does + not operate on the `target_entities` list provided by the SOAR platform. Therefore, + it does not run on entities in the context of the SOAR entity model. Download PCAP: action_product_categories: add_alert_comment: false @@ -775,6 +887,10 @@ Download PCAP: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action downloads a PCAP file from the Vectra QUX platform. This matches + the 'Download File' category. It does not perform any other actions like enrichment, + ticketing, or containment. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -790,56 +906,38 @@ Download PCAP: update_identity: false update_ticket: false ai_description: >- - ### General Description - - Downloads a PCAP (Packet Capture) file associated with a specific detection ID - from Vectra QUX. This action is used to retrieve network traffic data for forensic - analysis and deep packet inspection related to a security event identified by - Vectra. + Downloads a PCAP file from the Vectra QUX platform for a specific detection ID. + This action retrieves the PCAP file associated with a given detection and attaches + it to the SOAR action result for further analysis. - ### Parameters Description - - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Detection ID | String | Yes | The unique identifier of the detection in Vectra - QUX for which the PCAP file should be retrieved. This value must be a valid integer. - | + ### Flow Description + 1. Extracts configuration parameters (API Root, API Token, Verify SSL) and the + mandatory Detection ID. - ### Additional Notes + 2. Initializes the `VectraQUXManager` to interact with the Vectra API. - - The action validates that the provided `Detection ID` is a valid integer before - attempting the download. + 3. Validates the provided Detection ID as an integer. - - The retrieved file is attached directly to the action result in base64 format, - making it available for download within the Google SecOps platform. + 4. Requests the PCAP file from the Vectra API using the detection ID. - - If the file is not found or the ID is invalid, the action will fail with a descriptive - error message. + 5. Saves the file locally and attaches it to the SOAR action result. - ### Flow Description + ### Parameters Description - 1. **Parameter Extraction**: Retrieves the API configuration (Root, Token, SSL) - and the `Detection ID` from the action input. + | Parameter | Type | Mandatory | Description | - 2. **Validation**: Validates that the `Detection ID` is a valid non-negative integer. + | :--- | :--- | :--- | :--- | - 3. **API Request**: Connects to the Vectra QUX API and sends a GET request to - the PCAP download endpoint for the specified detection. + | Detection ID | string | Yes | The unique identifier of the detection for which + the PCAP file is requested. | - 4. **File Processing**: Receives the binary file content and extracts the filename - from the response headers. - 5. **Attachment**: Encodes the file content to base64 and attaches it to the Siemplify - action result. + ### Additional Notes - 6. **Completion**: Ends the action, providing a success message with the filename - or an error message if the process fails. + There are no additional notes for this action. capabilities: can_create_case_comments: false can_create_insight: false @@ -850,8 +948,16 @@ Download PCAP: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve a PCAP file from the Vectra QUX + API. It does not modify external systems or internal SOAR data (entities, insights, + etc.). It adds an attachment to the action result, which is a standard output + mechanism and not considered a mutation of internal case data. categories: enrichment: false + reasoning: >- + The action downloads a file, which is explicitly excluded from the enrichment + category per the provided instructions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -867,6 +973,10 @@ Download PCAP: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities`. It operates based + on a `Detection ID` parameter provided by the user. Therefore, it does not run + on any specific entity types. List Assignments: action_product_categories: add_alert_comment: false @@ -882,6 +992,10 @@ List Assignments: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves a list of assignments from VectraQUX. It does not match + any of the specific categories like 'Enrich IOC', 'Enrich Asset', 'Update Alert', + etc. It is a general search/list action. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -896,67 +1010,33 @@ List Assignments: update_email: false update_identity: false update_ticket: false - ai_description: >- - Lists all assignments from Vectra QUX based on provided query parameters. This - action allows analysts to filter assignments by associated accounts, hosts, assignees, - resolution status, and creation time. The results are presented in a structured - data table and as a raw JSON object for further processing. - - - ### Flow Description - - 1. **Parameter Extraction:** The action retrieves configuration details (API Root, - Token) and user-provided filters (IDs, resolution status, time range, and limit). - - 2. **Validation:** It validates the 'Limit' parameter to ensure it is a valid - integer and processes comma-separated ID strings into lists. - - 3. **Query Construction:** It maps all filters into a query parameter dictionary - compatible with the Vectra API. - - 4. **Data Retrieval:** It calls the Vectra API to fetch assignments, handling - pagination automatically to respect the specified limit. - - 5. **Output Generation:** If assignments are found, it populates a data table - with key details (IDs, users, outcomes) and attaches the full JSON response to - the action results. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Accounts IDs | String | No | Comma-separated account IDs to filter the assignments. - | - - | Hosts IDs | String | No | Comma-separated host IDs to filter the assignments. - | - - | Assignees IDs | String | No | Comma-separated assignee IDs to filter the assignments. - | - - | Resolution IDs | String | No | Comma-separated outcome/resolution IDs to filter - the assignments. | - - | Resolved | DDL | No | Filter by resolution status. Options: None, True, False. - | - - | Created After | String | No | Filter assignments created after a specific timestamp - (e.g., '2 days', 'yyyy-mm-dd'). | - - | Limit | String | No | The maximum number of assignment records to retrieve. - | - - - ### Additional Notes - - - If no assignments match the criteria, the action completes successfully with - a 'No assignments found' message. - - - The 'Limit' parameter defaults to a system maximum if not specified or set to - 0. + ai_description: "### General Description\nThe **List Assignments** action retrieves\ + \ a list of assignments from the VectraQUX platform based on specified filter\ + \ criteria. This action is useful for auditing or reviewing the status of assignments\ + \ within the VectraQUX environment, allowing analysts to filter by accounts, hosts,\ + \ assignees, resolution status, and creation time.\n\n### Parameters Description\n\ + | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ + | Accounts IDs | string | No | Comma-separated account IDs to filter out accounts.\ + \ |\n| Hosts IDs | string | No | Comma-separated host IDs to filter out accounts.\ + \ |\n| Assignees IDs | string | No | Comma-separated assignment IDs to filter\ + \ out accounts. |\n| Resolution IDs | string | No | Comma-separated outcome IDs\ + \ to filter out accounts. |\n| Resolved | ddl | No | Filter by resolved status\ + \ (True/False). |\n| Created After | string | No | Filter by created after the\ + \ timestamp. Supported formats: 2 minutes, 2 hours, 2 days, 2 weeks, 2 months,\ + \ 2 years, yyyy-mm-dd, yyyy-mm-ddTHH: MM:SSZ. |\n| Limit | string | No | Specify\ + \ the limit for fetching the records. |\n\n### Flow Description\n1. **Initialization**:\ + \ The action initializes the `SiemplifyAction` and extracts configuration parameters\ + \ (API Root, API Token, Verify SSL) and action parameters.\n2. **Validation**:\ + \ It validates the provided parameters, such as the `Limit` and various ID fields,\ + \ ensuring they are in the correct format.\n3. **Manager Setup**: It initializes\ + \ the `VectraQUXManager` with the provided credentials to establish a connection\ + \ to the VectraQUX API.\n4. **Data Retrieval**: It queries the VectraQUX API for\ + \ assignments using the provided filters (Accounts, Hosts, Assignees, Resolution,\ + \ Resolved status, Created After).\n5. **Result Processing**: \n - If assignments\ + \ are found, it constructs a data table titled \"Assignment Details\" and adds\ + \ it to the action results.\n - It adds the raw assignment data as a JSON result.\n\ + 6. **Completion**: The action finishes by logging the status and returning the\ + \ output message." capabilities: can_create_case_comments: false can_create_insight: false @@ -967,8 +1047,19 @@ List Assignments: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve assignment data from the VectraQUX + API. It does not mutate external systems or internal case data. It simply reports + the retrieved data in a table and JSON format, which are standard output mechanisms + and not considered internal mutations. categories: enrichment: false + reasoning: >- + The action fetches data (assignments) from an external system (VectraQUX). It + does not mutate external data. It does not modify internal SOAR data (entities, + insights, comments). Therefore, it is not an enrichment action (which requires + fetching data about entities/alerts to enrich them, or updating entities/insights). + This action is a list/search action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -984,6 +1075,10 @@ List Assignments: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities`. It uses action + parameters to filter the API call, and therefore does not run on any specific + entity types. List Entity Detections: action_product_categories: add_alert_comment: false @@ -995,10 +1090,15 @@ List Entity Detections: disable_identity: false download_file: false enable_identity: false - enrich_asset: true + enrich_asset: false enrich_ioc: false execute_command_on_the_host: false - get_alert_information: false + get_alert_information: true + reasoning: >- + The action fetches a list of detections for a specific entity from VectraQUX. + This matches the 'Search Events' category (returns historical logs/telemetry) + and 'Get Alert Information' (fetches information about the entity's detections + from the 3rd party product). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1013,66 +1113,26 @@ List Entity Detections: update_email: false update_identity: false update_ticket: false - ai_description: >- - Retrieves a list of detections associated with a specific entity (either a Host - or an Account) from the Vectra QUX platform. This action allows analysts to query - historical and active security events related to a specific asset by providing - its unique identifier. It supports filtering by the detection state and limiting - the number of results returned, providing essential context for incident investigation. - - - ### Parameters Description - - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Entity ID | String | Yes | The unique identifier for the Account or Host within - the Vectra platform. | - - | Entity Type | DDL | Yes | Specifies the category of the entity. Options are - 'Account' or 'Host'. | - - | Limit | String | No | The maximum number of detection records to retrieve from - the API. | - - | State | DDL | Yes | Filters detections based on their current status. Options - include 'Active', 'Inactive', or 'Fixed'. | - - - ### Additional Notes - - - - The action constructs a specific query string for the Vectra search API based - on the provided entity type (e.g., `detection.src_host.id` for Hosts or `detection.src_linked_account.id` - for Accounts). - - - Results are returned as a raw JSON object and also formatted into a data table - for immediate visibility in the SOAR case wall. - - - ### Flow Description - - - 1. **Initialization**: The action extracts the API configuration (Root, Token, - SSL) and the user-provided parameters (Entity ID, Type, Limit, State). - - 2. **Validation**: It validates that the 'Entity ID' and 'Limit' inputs are valid - integers to ensure API compatibility. - - 3. **API Request**: It initializes the VectraQUXManager and calls the `list_entity_detections` - method, which targets the `/api/v2.5/search/detections` endpoint. - - 4. **Query Execution**: The manager builds a query string combining the entity - identifier and the requested state (e.g., `detection.src_host.id:123 AND detection.state:"active"`). - - 5. **Pagination**: The action handles API pagination to fetch all relevant records - up to the specified limit. - - 6. **Output**: The retrieved detections are parsed into data models and added - to the action results as both a JSON object and a structured data table containing - IDs, categories, and timestamps. + ai_description: "Lists all detections for a specified entity (Account or Host) from\ + \ the VectraQUX platform. This action retrieves detection data based on the provided\ + \ entity ID, type, and state, and outputs the results as a JSON object and a data\ + \ table.\n\n### Flow Description\n1. **Parameter Extraction**: The action extracts\ + \ configuration parameters (API Root, API Token, Verify SSL) and action parameters\ + \ (Entity ID, Entity Type, Limit, State).\n2. **Validation**: It validates the\ + \ provided parameters, ensuring the Entity ID and Limit are valid integers.\n\ + 3. **API Interaction**: It initializes the `VectraQUXManager` and calls the API\ + \ to retrieve detections for the specified entity, filtering by the provided state.\n\ + 4. **Result Processing**: \n - If detections are found, it adds the JSON representation\ + \ of the detections to the action result and constructs a data table for the action\ + \ output.\n - If no detections are found, it adds the JSON result to the action\ + \ output.\n\n### Parameters Description\n| Parameter | Type | Mandatory | Description\ + \ |\n| :--- | :--- | :--- | :--- |\n| Entity ID | string | Yes | The unique ID\ + \ for the Account or Host. |\n| Entity Type | ddl | Yes | The type of entity.\ + \ Options: Account, Host. |\n| Limit | string | No | The maximum number of records\ + \ to fetch. |\n| State | ddl | Yes | The state to filter detections. Options:\ + \ Active, Inactive, Fixed. |\n\n### Additional Notes\n- The action performs a\ + \ GET request to the VectraQUX API and does not modify any external system state.\ + \ It is a read-only operation regarding external systems." capabilities: can_create_case_comments: false can_create_insight: false @@ -1083,8 +1143,20 @@ List Entity Detections: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches detection data from the VectraQUX API (fetches_data=true). + It does not perform any POST/PUT/DELETE operations on external systems (can_mutate_external_data=false). + It adds result JSON and a data table to the SOAR action output, which is not + considered a mutation of existing internal data (can_mutate_internal_data=false). + It does not update entities, create insights, modify alert data, or create case + comments. categories: enrichment: true + reasoning: >- + The action fetches detection data from an external system (VectraQUX) to provide + context about an entity. It does not mutate external systems and does not modify + existing internal data (it only adds new output). Therefore, it qualifies as + an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1100,6 +1172,11 @@ List Entity Detections: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action takes 'Entity ID' and 'Entity Type' as input parameters. It does + not iterate over the `siemplify.target_entities` list provided by the SOAR platform. + Therefore, it does not run on entities in the context of the SOAR entity object + model. List Groups: action_product_categories: add_alert_comment: false @@ -1115,10 +1192,15 @@ List Groups: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action lists groups from the VectraQUX platform based on user-provided filters. + It does not enrich IOCs or assets, update alerts, create tickets, or perform + containment actions. It is a search/list operation that does not fit into the + provided specific product categories. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false - search_asset: true + search_asset: false search_email: false search_events: false send_email: false @@ -1129,55 +1211,80 @@ List Groups: update_email: false update_identity: false update_ticket: false - ai_description: "### General Description\nLists groups from Vectra QUX based on\ - \ various query parameters. This action allows analysts to search for and retrieve\ - \ metadata about host, account, IP, or domain groups defined within the Vectra\ - \ platform. It supports filtering by group name, type, importance, members (IPs,\ - \ hostnames, etc.), and modification history. The results are presented as a data\ - \ table for quick review and a full JSON object for further automation.\n\n###\ - \ Parameters Description\n| Parameter | Type | Mandatory | Description |\n| :---\ - \ | :--- | :--- | :--- |\n| Host Names | string | No | Comma-separated list of\ - \ host names to filter groups by. |\n| Account Names | string | No | Comma-separated\ - \ list of account names to filter groups by. |\n| Domains | string | No | Comma-separated\ - \ list of domains to filter groups by. |\n| Host Ids | string | No | Comma-separated\ - \ list of host IDs to filter groups by. |\n| Importance | ddl | No | Filter groups\ - \ by importance level (low, medium, high, never_prioritize). |\n| IPs | string\ - \ | No | Comma-separated list of IP addresses to filter groups by. |\n| Last Modified\ - \ Timestamp GTE | string | No | Filter groups modified on or after this timestamp.\ - \ |\n| Last Modified By | string | No | Filter groups modified by a specific username.\ - \ |\n| Name | string | No | Filter by the specific name of the group. |\n| Type\ - \ | ddl | No | Filter by group type (host, account, ip, domain). |\n| Limit |\ - \ string | No | Maximum number of group records to fetch. |\n| Description | string\ - \ | No | Case-insensitive match for the group description. |\n\n### Additional\ - \ Notes\n- If no parameters are provided, the action will attempt to list all\ - \ groups up to the specified limit.\n- The 'Limit' parameter defaults to a system\ - \ maximum if not specified or set to 0.\n\n### Flow Description\n1. **Parameter\ - \ Extraction:** The action retrieves configuration details (API Root, Token) and\ - \ all optional filter parameters from the user input.\n2. **Validation:** Validates\ - \ the 'Limit' parameter to ensure it is a valid integer.\n3. **API Request:**\ - \ Initializes the VectraQUXManager and calls the `get_group_list` method, which\ - \ performs a GET request to the `/api/v2.5/groups` endpoint with the specified\ - \ query parameters.\n4. **Pagination:** If the number of results exceeds the page\ - \ size, the action automatically paginates through the Vectra API to collect the\ - \ requested number of records.\n5. **Output Generation:** \n - If groups are\ - \ found, it constructs a data table named 'List Of Groups' containing the ID,\ - \ Name, Type, and Description of each group.\n - The full raw JSON response\ - \ is attached to the action results.\n - A summary message indicates the number\ - \ of groups successfully retrieved." + ai_description: >- + Lists groups from the VectraQUX platform based on provided filters. This action + allows users to search for groups by various criteria such as host names, account + names, domains, IPs, importance, and type. It retrieves the matching groups from + the VectraQUX API and presents the results in a data table and as a JSON object. + + + ### Parameters + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Host Names | string | No | Comma separated values of host names. | + + | Account Names | string | No | Comma separated values of account names. | + + | Domains | string | No | Comma separated values of domains. | + + | Host Ids | string | No | Comma separated values of host ids. | + + | Importance | ddl | No | Importance of group (low, medium, high, never_prioritize, + None). | + + | IPs | string | No | Comma separated values of ips. | + + | Last Modified Timestamp GTE | string | No | Last modified timestamp (greater + or equal) of group. | + + | Last Modified By | string | No | Username who has modified the group. | + + | Name | string | No | Name of group. | + + | Type | ddl | No | Type of group (host, account, ip, domain, None). | + + | Limit | string | No | Specify limit for fetching records. | + + | Description | string | No | Description of group (case insensitive match). | + + + ### Flow Description + + 1. Extracts configuration parameters (API Root, API Token, Verify SSL). + + 2. Extracts action parameters (filters for the group search). + + 3. Initializes the `VectraQUXManager` to interact with the VectraQUX API. + + 4. Calls the `get_group_list` method to retrieve groups matching the provided + filters. + + 5. If groups are found, adds a data table and a JSON result to the action output. + + 6. Logs the execution status and handles any potential errors. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: >- - Adds a data table 'List Of Groups' to the case wall containing details of the - retrieved groups. + internal_data_mutation_explanation: null + reasoning: >- + The action fetches data from the VectraQUX API using a GET request (`get_group_list`). + It does not mutate any external or internal data, nor does it update entities, + create insights, or modify alert data. categories: enrichment: false + reasoning: >- + The action fetches data from an external system (VectraQUX) but does not gather + supplemental context about alerts or entities in the context of enrichment. + It is a search/list operation, not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1193,6 +1300,10 @@ List Groups: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities` or use entity-specific + identifiers to perform its task. It uses user-provided parameters to filter + the search. List Outcomes: action_product_categories: add_alert_comment: false @@ -1208,6 +1319,11 @@ List Outcomes: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves a list of assignment outcomes from the VectraQUX API. It + does not perform enrichment on entities or alerts, nor does it modify any external + or internal data. It does not fit into the specific categories provided (e.g., + enrichment, containment, ticketing, or alert information). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1223,42 +1339,35 @@ List Outcomes: update_identity: false update_ticket: false ai_description: >- - Lists all assignment outcomes from Vectra QUX. This action retrieves a list of - possible outcomes that can be used when resolving assignments within the Vectra - platform. It provides details such as the outcome ID, title, category, and whether - it is a built-in or user-selectable option. + ### General Description + Lists assignment outcomes from the VectraQUX platform. This action retrieves a + list of configured assignment outcomes, allowing analysts to view available options + for resolving assignments within the VectraQUX system. - ### Flow Description - 1. **Parameter Initialization**: Retrieves the API Root, Token, and SSL verification - settings from the integration configuration, and the 'Limit' parameter from the - action input. + ### Parameters Description - 2. **Validation**: Validates that the 'Limit' parameter is a valid non-negative - integer. If the limit is set to 0, the action will fail. + | Parameter | Type | Mandatory | Description | - 3. **API Interaction**: Connects to the Vectra QUX API and fetches the list of - assignment outcomes, applying pagination if necessary based on the specified limit. + | :--- | :--- | :--- | :--- | - 4. **Output Generation**: Formats the retrieved outcomes into a data table named - 'Outcome Details' and provides the full raw data in JSON format. + | Limit | string | No | Specifies the maximum number of outcomes to return. | - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. Initialize the `VectraQUXManager` using the provided API credentials (`API + Root`, `API Token`, `Verify SSL`). - | :--- | :--- | :--- | :--- | + 2. Validate the `Limit` parameter to ensure it is a valid non-negative integer. - | Limit | string | No | Specifies the maximum number of outcome records to retrieve. - If not provided, the system default limit is used. | + 3. Call the VectraQUX API to retrieve the list of assignment outcomes. + 4. If outcomes are retrieved, construct a CSV table of the outcome details and + add it to the action results. - ### Additional Notes - - - This action does not operate on specific entities and returns a global list - of outcomes available in the Vectra QUX instance. + 5. Add the raw outcome data as a JSON result to the action output. capabilities: can_create_case_comments: false can_create_insight: false @@ -1269,8 +1378,18 @@ List Outcomes: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the VectraQUX API to retrieve a list of + assignment outcomes. It does not modify any external systems, nor does it update + internal SOAR entities, insights, or alert data. It simply presents the retrieved + data in the action results. categories: enrichment: false + reasoning: >- + The action retrieves configuration data (assignment outcomes) from an external + system. It does not gather supplemental context about specific alerts or entities, + nor does it update entity profiles or create insights. Therefore, it does not + meet the criteria for an Enrichment Action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1286,6 +1405,9 @@ List Outcomes: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `siemplify.target_entities` or any specific + entity objects. It performs a global fetch of configuration data. List Users: action_product_categories: add_alert_comment: false @@ -1301,6 +1423,11 @@ List Users: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves a list of users from the VectraQUX platform. It does not + match any of the provided categories (e.g., Enrich IOC, Enrich Asset, Search + Events, etc.) as it is a general list retrieval action rather than an enrichment + or search action targeting specific assets or alerts. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1315,36 +1442,30 @@ List Users: update_email: false update_identity: false update_ticket: false - ai_description: "### General Description\nRetrieves a list of users from Vectra\ - \ QUX based on specified query parameters. This action allows analysts to search\ - \ for and audit user accounts within the Vectra platform by filtering for specific\ - \ roles, authentication profiles, login activity, and account types. It is primarily\ - \ used for administrative oversight and identifying user context during investigations.\n\ - \n### Parameters Description\n| Parameter | Type | Mandatory | Description |\n\ - | :--- | :--- | :--- | :--- |\n| Role | String | No | Filters the results to users\ - \ assigned a specific role in Vectra QUX. |\n| Authentication Profile | String\ - \ | No | Filters users based on their associated authentication profile. |\n|\ - \ Last Login GTE | String | No | Filters for users whose last login timestamp\ - \ is greater than or equal to the provided value. |\n| User Name | String | No\ - \ | Filters for a specific username. |\n| Account Type | String | No | Filters\ - \ users by their account type (e.g., local, LDAP). |\n| Limit | String | No |\ - \ Specifies the maximum number of user records to retrieve. Defaults to the system\ - \ limit if not provided. |\n\n### Flow Description\n1. **Initialization**: The\ - \ action initializes the Vectra QUX manager using the provided API Root and Token.\n\ - 2. **Parameter Validation**: The 'Limit' parameter is validated to ensure it is\ - \ a valid non-negative integer.\n3. **Data Retrieval**: The action performs a\ - \ GET request to the Vectra QUX users endpoint, applying the provided filters\ - \ (Role, Username, etc.) as query parameters.\n4. **Pagination**: If a limit is\ - \ specified, the action handles pagination to retrieve the requested number of\ - \ records.\n5. **Output Generation**: \n - If users are found, it constructs\ - \ a data table named 'List Of Users' containing key details (ID, Username, Role,\ - \ Account Type, Last Login).\n - It also attaches the full raw JSON response\ - \ to the action results.\n6. **Completion**: The action concludes with a success\ - \ message indicating the number of users retrieved or a message stating no users\ - \ were found.\n\n### Additional Notes\n- If no parameters are provided, the action\ - \ will attempt to list all users up to the specified or default limit.\n- The\ - \ 'Last Login GTE' parameter expects a timestamp format compatible with the Vectra\ - \ API." + ai_description: "### General Description\nLists users from the VectraQUX platform\ + \ based on provided query parameters. This action retrieves user information such\ + \ as ID, username, role, account type, and last login timestamp, and presents\ + \ the results in a data table and a JSON output.\n\n### Flow Description\n1. **Configuration\ + \ Extraction**: The action retrieves the API Root, API Token, and SSL verification\ + \ settings from the integration configuration.\n2. **Parameter Extraction**: It\ + \ extracts optional filters including Role, User Name, Account Type, Authentication\ + \ Profile, Last Login GTE, and Limit.\n3. **Validation**: The 'Limit' parameter\ + \ is validated to ensure it is a non-negative integer.\n4. **API Interaction**:\ + \ The action initializes the `VectraQUXManager` and calls the Vectra API to fetch\ + \ the user list based on the provided filters.\n5. **Result Output**: \n -\ + \ If users are found, it constructs a CSV data table of the user details and adds\ + \ it to the action results.\n - It adds the raw user list as a JSON result.\n\ + \ - If no users are found, it provides an appropriate output message.\n\n###\ + \ Parameters Description\n| Parameter | Type | Mandatory | Description |\n| :---\ + \ | :--- | :--- | :--- |\n| Role | string | No | Filter users by their assigned\ + \ role. |\n| Authentication Profile | string | No | Filter users by their authentication\ + \ profile. |\n| Last Login GTE | string | No | Filter users whose login timestamp\ + \ is greater than or equal to this value. |\n| User Name | string | No | Filter\ + \ users by their username. |\n| Account Type | string | No | Filter users by their\ + \ account type. |\n| Limit | string | No | Specify the maximum number of records\ + \ to fetch. |\n\n### Additional Notes\nThere are no mandatory action parameters.\ + \ If no filters are provided, the action will attempt to list users based on the\ + \ default API behavior." capabilities: can_create_case_comments: false can_create_insight: false @@ -1355,8 +1476,16 @@ List Users: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the VectraQUX API to retrieve a list of + users. It does not modify any external systems or internal SOAR data (entities, + insights, etc.). It only outputs the retrieved data to the action results. categories: enrichment: false + reasoning: >- + The action retrieves a list of users from the VectraQUX platform. It does not + enrich specific entities or alerts within the case, nor does it meet the criteria + for an enrichment action as defined (gathering context about alerts/entities). entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1372,6 +1501,9 @@ List Users: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `siemplify.target_entities`. It is a standalone + search/list action that does not operate on specific entities. Mark Detection Fixed: action_product_categories: add_alert_comment: false @@ -1387,6 +1519,11 @@ Mark Detection Fixed: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action updates the status of detections in the external VectraQUX platform. + It does not match any of the provided categories (e.g., it is not an enrichment, + it does not update a SecOps alert, it does not create a ticket, it does not + contain a host). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1402,45 +1539,36 @@ Mark Detection Fixed: update_identity: false update_ticket: false ai_description: >- - ### General Description + Marks specified detections as fixed in the VectraQUX platform. This action updates + the status of detections in the external system based on the provided detection + IDs. - Marks specific detections in Vectra AI as fixed. This action allows analysts to - update the state of one or more detections in the Vectra platform directly from - Google SecOps, facilitating the remediation workflow. + ### Flow Description - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | + 1. Extracts configuration (API Root, Token, SSL verification) and action parameters + (Detection IDs). - | Detection IDs | String | Yes | A comma-separated list of numeric identifiers - for the detections that should be marked as fixed in Vectra. | + 2. Validates the provided Detection IDs. + 3. Sends a PATCH request to the VectraQUX API to update the status of the specified + detections to "fixed". - ### Additional Notes + 4. Adds the API response to the action results. - - This action does not run on entities; it requires explicit IDs provided as a - parameter. - - The action validates that the provided IDs are integers before sending the request. + ### Parameters Description + | Parameter | Type | Mandatory | Description | - ### Flow Description + | :--- | :--- | :--- | :--- | - 1. **Parameter Extraction**: Retrieves the 'Detection IDs' from the action input - and configuration details (API Root, Token) from the integration settings. + | Detection IDs | string | Yes | Comma separated values of IDs. | - 2. **Validation**: Parses the comma-separated string of IDs and validates that - each ID is a valid integer using the `validate_integer` utility. - 3. **API Interaction**: Initializes the `VectraQUXManager` and calls the `mark_detection_as_fixed` - method, which sends a PATCH request to the Vectra AI detections endpoint with - the payload `mark_as_fixed: True`. + ### Additional Notes - 4. **Result Processing**: Adds the raw JSON response from the API to the action - results and completes the execution with a success message. + None. capabilities: can_create_case_comments: false can_create_insight: false @@ -1449,12 +1577,19 @@ Mark Detection Fixed: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the status of specific detections in Vectra AI to 'fixed' by sending - a PATCH request to the detections endpoint. + Updates the status of specified detections to 'fixed' in the VectraQUX platform. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a PATCH request to update the status of detections in an + external system (VectraQUX). It does not fetch data, nor does it modify internal + SOAR data or entities. categories: enrichment: false + reasoning: >- + The action performs a PATCH request to update the status of detections in an + external system (VectraQUX). It does not fetch data, nor does it modify internal + SOAR data or entities. Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1470,6 +1605,10 @@ Mark Detection Fixed: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities` or use entity-specific + identifiers to perform its task. It takes a comma-separated string of Detection + IDs as an input parameter. Mark Entity Fixed: action_product_categories: add_alert_comment: false @@ -1485,6 +1624,11 @@ Mark Entity Fixed: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action marks detections as fixed in the Vectra AI platform. This is an external + state change. None of the provided categories (Enrich IOC, Enrich Asset, Update + Alert, etc.) specifically cover "Mark Detection Fixed" or "Update Detection + Status". Therefore, all categories are false. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1500,24 +1644,46 @@ Mark Entity Fixed: update_identity: false update_ticket: false ai_description: >- - ### General Description\nMarks all detections associated with a specific entity - (Host or Account) as 'fixed' in the Vectra platform. This action is useful for - bulk-remediating or closing out detections once an entity has been investigated - and the issues resolved.\n\n### Parameters Description\n| Parameter | Type | Mandatory - | Description |\n| :--- | :--- | :--- | :--- |\n| Entity ID | String | Yes | The - unique identifier of the entity in Vectra. This value is validated as an integer. - |\n| Entity Type | DDL | Yes | The type of the entity. Can be either 'Account' - or 'Host'. |\n\n### Additional Notes\n- The action first retrieves the entity - details to identify all associated detection IDs before attempting to mark them - as fixed.\n- If no detections are found for the entity, the action completes successfully - with a message indicating no detections were found.\n- The Entity ID must be a - valid integer.\n\n### Flow Description\n1. **Parameter Extraction**: Retrieves - the API configuration and action parameters (Entity ID and Entity Type).\n2. **Validation**: - Validates that the provided Entity ID is a valid integer.\n3. **Entity Lookup**: - Calls the Vectra API to describe the entity and extract the list of associated - detection IDs.\n4. **Remediation**: If detections exist, sends a PATCH request - to Vectra to mark all identified detections as fixed.\n5. **Result Reporting**: - Adds the API response to the action results and provides a summary message. + Marks all detections for a specified entity as fixed in the Vectra AI platform. + This action retrieves the entity's details, identifies associated detections, + and updates their status to "fixed" in the external system. + + + ### Parameters description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Entity ID | string | Yes | Unique ID for the entity. | + + | Entity Type | string | Yes | Type of Entity, can be either Account or Host. + | + + + ### Additional notes + + This action requires `Entity ID` and `Entity Type` to be provided as parameters. + It does not operate on existing SOAR entities but rather uses the provided parameters + to perform the operation. + + + ### Flow description + + 1. Initialize `SiemplifyAction` and extract configuration parameters (API Root, + API Token, Verify SSL). + + 2. Extract action parameters (`Entity ID`, `Entity Type`). + + 3. Initialize `VectraQUXManager` with the provided credentials. + + 4. Retrieve entity details using `describe_entity` to get associated detection + IDs. + + 5. If detections are found, call `mark_detection_as_fixed` to update their status + in the Vectra platform. + + 6. Add the API response to the action result. capabilities: can_create_case_comments: false can_create_insight: false @@ -1526,12 +1692,20 @@ Mark Entity Fixed: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the status of detections associated with the specified entity to 'fixed' - in the Vectra platform via a PATCH request. + Marks detections associated with the entity as fixed in the Vectra AI platform. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches entity data from the Vectra API (`describe_entity`) and then + performs a PATCH request (`mark_detection_as_fixed`) to update the status of + detections in the external system. It does not modify internal SOAR data, update + entities, create insights, or modify alert data. categories: enrichment: false + reasoning: >- + The action mutates external data (marks detections as fixed) and does not meet + the criteria for an enrichment action, which must be read-only regarding external + systems. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1547,6 +1721,10 @@ Mark Entity Fixed: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action takes `Entity ID` and `Entity Type` as input parameters and does + not iterate over `siemplify.target_entities`. Therefore, it does not run on + entities in the SOAR sense. Ping: action_product_categories: add_alert_comment: false @@ -1562,6 +1740,9 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test ('Ping') and does not perform any of the specific + functional outcomes listed (e.g., enrichment, containment, ticketing). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1576,30 +1757,44 @@ Ping: update_email: false update_identity: false update_ticket: false - ai_description: "### General Description\nThe **Ping** action is a utility designed\ - \ to verify the connectivity between the Google SecOps (Chronicle) server and\ - \ the Vectra platform. It ensures that the provided configuration parameters,\ - \ such as the API Root and API Token, are correct and that the network path is\ - \ open.\n\n### Parameters Description\n| Parameter Name | Description | Type |\ - \ Mandatory | Notes |\n| :--- | :--- | :--- | :--- | :--- |\n| API Root | The\ - \ base URL of the Vectra platform API. | String | Yes | Configured at the integration\ - \ level. |\n| API Token | The authentication token used to authorize requests\ - \ to the Vectra API. | String | Yes | Configured at the integration level. |\n\ - | Verify SSL | Specifies whether to verify the SSL certificate of the Vectra server.\ - \ | Boolean | Yes | Default is True. |\n\n### Additional Notes\n- This action\ - \ does not process any entities.\n- It is primarily used for troubleshooting and\ - \ initial setup verification.\n- According to standard classification, Ping actions\ - \ are not considered enrichment actions.\n\n### Flow Description\n1. **Initialization**:\ - \ The action initializes the Siemplify SDK and retrieves the integration configuration\ - \ parameters (API Root, API Token, and Verify SSL).\n2. **Manager Setup**: It\ - \ instantiates the `VectraQUXManager` using the retrieved configuration.\n3. **Connectivity\ - \ Test**: The manager executes the `test_connectivity` method, which performs\ - \ a simple `GET` request to the Vectra hosts endpoint (`/api/v2.5/hosts`).\n4.\ - \ **Result Handling**: \n - If the request is successful, the action returns\ - \ a success message and a boolean result of `True`.\n - If an exception occurs\ - \ (e.g., authentication failure, timeout, or invalid URL), the action catches\ - \ the error, logs the details, and returns a failure message with a boolean result\ - \ of `False`." + ai_description: >- + Tests the connectivity of the Chronicle SOAR server to the Vectra platform. This + action verifies that the integration is correctly configured and can communicate + with the VectraQUX API. + + + ### Flow Description + + 1. The action initializes the integration and extracts the required configuration + parameters: API Root, API Token, and Verify SSL. + + 2. It instantiates the `VectraQUXManager` using the provided credentials. + + 3. The action calls the `test_connectivity` method, which performs a GET request + to the VectraQUX API to verify the connection. + + 4. If the request is successful, the action completes with a success message. + If the request fails, the action reports the failure and the error details. + + + ### Parameters + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | API Root | string | Yes | The base URL for the VectraQUX API. | + + | API Token | string | Yes | The authentication token for the VectraQUX API. | + + | Verify SSL | boolean | Yes | Whether to verify SSL certificates for the connection. + | + + + ### Additional Notes + + This action is a connectivity test and does not perform any data enrichment or + system modifications. capabilities: can_create_case_comments: false can_create_insight: false @@ -1610,8 +1805,15 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to verify connectivity to the VectraQUX API. + It does not mutate external or internal data, nor does it update entities, create + insights, or modify alert data. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action, which is explicitly excluded from being an enrichment + action by the provided instructions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1627,6 +1829,8 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with or process any entities. Remove Assignment: action_product_categories: add_alert_comment: false @@ -1642,6 +1846,10 @@ Remove Assignment: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action removes an assignment from an entity in Vectra, which modifies the + entity's metadata. This aligns with the 'Update Identity' category, which covers + modifications to account metadata. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1654,54 +1862,40 @@ Remove Assignment: uncontain_host: false update_alert: false update_email: false - update_identity: false + update_identity: true update_ticket: false ai_description: >- - ### General Description - - Removes the assignment for a specific entity (Account or Host) in Vectra QUX. - This action is used to clear analyst assignments from entities in the Vectra platform, - allowing them to be returned to an unassigned state or reassigned. It first verifies - the existence of an assignment for the specified entity before attempting the - deletion. + Removes an assignment from a specified entity (Account or Host) in the Vectra + QUX platform. This action retrieves the entity's current assignment details and + then deletes the assignment. ### Parameters - | Parameter | Description | Type | Mandatory | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Entity ID | The unique identifier of the entity in Vectra QUX whose assignment - should be removed. | String | Yes | - - | Entity Type | The category of the entity. Supported values are 'Account' and - 'Host'. | DDL | Yes | + | Entity ID | string | Yes | The unique identifier of the entity (Account or Host) + from which the assignment should be removed. | + | Entity Type | ddl | Yes | The type of the entity. Options: Account, Host. | - ### Flow - 1. **Validation**: Validates that the provided `Entity ID` is a valid integer. - - 2. **Entity Lookup**: Retrieves the current details of the entity from Vectra - QUX using the `Entity ID` and `Entity Type` to check for active assignments. - - 3. **Assignment Identification**: Checks the entity's metadata for an existing - `assignment` object and extracts its `id`. + ### Flow Description - 4. **Removal**: If an assignment is found, the action sends a DELETE request to - the Vectra QUX API to remove the specific assignment. + 1. Extract configuration parameters (API Root, API Token, Verify SSL) and action + parameters (Entity ID, Entity Type). - 5. **Completion**: Returns a success message if the assignment was successfully - deleted. If the entity had no assignment, the action fails with a descriptive - message. + 2. Initialize the `VectraQUXManager` with the provided credentials. + 3. Call `describe_entity` to retrieve the entity's current details and assignment + information. - ### Additional Notes + 4. If an assignment exists, call `remove_assignment` to delete it from the Vectra + platform. - This action performs a state change in the external Vectra QUX system by deleting - an assignment record. It does not modify entities or alerts within the Google - SecOps platform directly. + 5. Return the execution status and a success or failure message. capabilities: can_create_case_comments: false can_create_insight: false @@ -1710,12 +1904,19 @@ Remove Assignment: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Deletes an assignment record in Vectra QUX associated with a specific Host or - Account entity via a DELETE request to the assignments endpoint. + Removes an assignment from an entity in the external Vectra QUX platform. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches entity details (GET request) to identify the assignment ID, + then performs a DELETE request to remove the assignment in the external Vectra + system. It does not modify internal SOAR case data (e.g., insights, entities, + or comments). categories: enrichment: false + reasoning: >- + The action mutates external data (removes an assignment), which violates the + requirement for enrichment actions to be read-only regarding external systems. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1731,6 +1932,10 @@ Remove Assignment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action accepts 'Entity ID' and 'Entity Type' as input parameters rather + than iterating over the SOAR 'target_entities' list. Therefore, it does not + operate on SOAR entities directly. Remove Group: action_product_categories: add_alert_comment: false @@ -1746,6 +1951,11 @@ Remove Group: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action modifies group membership in the VectraQUX system. This aligns with + the definition of `Update Identity` ('Modifies account metadata, such as group + memberships, permissions, or contact information'). It does not fit other categories + like `Enrich IOC` or `Contain Host`. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1761,45 +1971,40 @@ Remove Group: update_identity: true update_ticket: false ai_description: >- - Removes members from a specified group in Vectra QUX. This action allows analysts - to manage group memberships by providing a Group ID and a comma-separated list - of members to be removed. It validates the input, performs the removal via the - Vectra API, and provides a detailed summary of which members were successfully - removed and which were not found or could not be removed. + ### General Description + This action removes specified members from a group within the VectraQUX system. + It validates the provided group ID, fetches the current group members, and then + performs an update to remove the requested members. - ### Parameters + + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Group ID | String | Yes | The unique integer ID of the Vectra group from which - members will be removed. | + | Group ID | string | Yes | The ID of the specific group to modify. | - | Members | String | Yes | A comma-separated list of members to remove. The format - of the members (e.g., IP, Hostname, Account UID) depends on the group's type. - | + | Members | string | Yes | A comma-separated list of members to remove from the + group. | ### Flow Description - 1. **Validation**: Validates that the provided Group ID is a valid positive integer. + 1. Extracts configuration parameters (API Root, API Token, Verify SSL) and action + parameters (Group ID, Members). - 2. **Member Processing**: Parses the comma-separated string of members into a - unique list. + 2. Validates that the `Group ID` is a valid integer. - 3. **Pre-check**: Retrieves the current group members from Vectra QUX to establish - a baseline. + 3. Initializes the `VectraQUXManager` to interact with the VectraQUX API. - 4. **Removal**: Sends a PATCH request to the Vectra QUX API with the `membership_action="remove"` - parameter to update the group. + 4. Fetches the current members of the specified group. - 5. **Verification**: Compares the updated group membership list against the initial - list and the requested members to determine which removals were successful. + 5. Updates the group by removing the specified members. - 6. **Output**: Renders an HTML table showing the updated group properties and - members, and provides the full group object in JSON format. + 6. Renders the updated group details as an HTML view and adds the result as JSON + to the action output. capabilities: can_create_case_comments: false can_create_insight: false @@ -1808,12 +2013,19 @@ Remove Group: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Removes specified members from a group in Vectra QUX using a PATCH request to - the groups endpoint. + Removes specified members from a group in the VectraQUX system. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches data from the VectraQUX API (`get_group_members`) and mutates + external data (`update_group_members` with `membership_action='remove'`). It + does not mutate internal SOAR data (e.g., updating entities, creating insights, + or modifying alert data). categories: enrichment: false + reasoning: >- + The action mutates external data (removes members from a group), therefore it + is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1829,6 +2041,9 @@ Remove Group: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not iterate over `siemplify.target_entities`. It uses parameters + provided in the action settings (`Group ID`, `Members`). Remove Note: action_product_categories: add_alert_comment: false @@ -1844,6 +2059,9 @@ Remove Note: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action removes a note from an external system. This does not match any of + the predefined categories (e.g., Enrich IOC, Update Alert, Contain Host). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1859,52 +2077,17 @@ Remove Note: update_identity: false update_ticket: false ai_description: >- - ### General Description - - Removes a specific note from a designated entity within the Vectra QUX platform. - This action allows analysts to manage and clean up annotations associated with - Accounts, Hosts, or Detections by providing the specific Note ID and the parent - Entity ID. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Entity ID | String | Yes | The unique identifier of the entity (Account, Host, - or Detection) from which the note should be removed. | - - | Note ID | String | Yes | The unique identifier of the specific note to be deleted. - | - - | Entity Type | DDL | Yes | The category of the entity. Supported values: `Account`, - `Host`, `Detection`. | - - - ### Additional Notes - - This action performs a permanent deletion of the note in the external Vectra QUX - system. The action validates that the provided IDs are integers before attempting - the API call. - - - ### Flow Description - - 1. **Parameter Extraction:** The action retrieves the `Entity ID`, `Note ID`, - and `Entity Type` from the input parameters. - - 2. **Validation:** It validates that both the `Entity ID` and `Note ID` are valid - integer values using an internal utility. - - 3. **API Interaction:** The action initializes the VectraQUXManager and sends - a `DELETE` request to the Vectra QUX API endpoint corresponding to the specified - entity type and IDs. - - 4. **Result Handling:** Upon a successful deletion, the action returns a success - message. If the note or entity is not found, or if permissions are insufficient, - it catches the specific exception and reports the failure. + General description: This action removes a note from a specific entity (Account, + Host, or Detection) in the VectraQUX platform. Parameters description: Entity + ID (string, mandatory): The ID of the entity from which the note should be removed. + Note ID (string, mandatory): The ID of the note to be removed. Entity Type (ddl, + mandatory): The type of the entity (Account, Host, or Detection). Additional notes: + The action requires the Entity ID, Note ID, and Entity Type to be provided as + parameters. Flow description: 1. Extracts configuration parameters (API Root, + API Token, SSL verification). 2. Extracts action parameters (Entity ID, Note ID, + Entity Type). 3. Validates that Entity ID and Note ID are integers. 4. Sends a + DELETE request to the VectraQUX API to remove the specified note from the entity. + 5. Returns a success or failure message based on the API response. capabilities: can_create_case_comments: false can_create_insight: false @@ -1913,12 +2096,17 @@ Remove Note: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Deletes a specific note record associated with an entity (Host, Account, or - Detection) in the Vectra QUX platform. + Deletes a note from an entity in the VectraQUX platform. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a DELETE request to the VectraQUX API to remove a note. + It does not fetch data, nor does it modify internal SOAR data. categories: enrichment: false + reasoning: >- + The action is a mutation action (DELETE) on an external system, not an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1934,6 +2122,10 @@ Remove Note: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action uses parameters provided by the user (Entity ID, Entity Type) rather + than iterating over siemplify.target_entities. Thus, it does not run on entities + in the SOAR context. Remove Tags: action_product_categories: add_alert_comment: false @@ -1949,6 +2141,10 @@ Remove Tags: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action updates tags on an external entity. It does not match any of the + predefined categories (e.g., it is not an enrichment, ticket, or containment + action). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1961,15 +2157,15 @@ Remove Tags: uncontain_host: false update_alert: false update_email: false - update_identity: true + update_identity: false update_ticket: false ai_description: >- ### General Description - Removes specific tags from a Vectra entity (Account, Host, or Detection) based - on a provided Entity ID. This action allows analysts to manage metadata within - the Vectra platform by programmatically stripping unwanted or outdated labels - from assets or detections. + Removes specified tags from an entity (Account, Host, or Detection) within the + VectraQUX platform. This action retrieves the current tags for the specified entity, + removes the requested tags from the list, and updates the entity in VectraQUX + with the modified tag set. ### Parameters Description @@ -1978,48 +2174,32 @@ Remove Tags: | :--- | :--- | :--- | :--- | - | Tags | String | Yes | A comma-separated list of tags to be removed from the - specified entity. | - - | Entity ID | String | Yes | The unique identifier of the entity in Vectra from - which tags will be removed. | - - | Entity Type | DDL | Yes | The category of the entity. Supported values are: - `Account`, `Host`, and `Detection`. | - - - ### Additional Notes - - - The action first retrieves the current tags for the entity. If the entity is - not found or none of the specified tags exist on the entity, the action will fail. + | Tags | string | Yes | A comma-separated list of tags to remove from the entity. + | - - The `Entity ID` must be a valid integer. + | Entity ID | string | Yes | The unique identifier of the entity from which tags + should be removed. | - - The action uses a `PATCH` request to update the tag list on the external Vectra - system. + | Entity Type | ddl | Yes | The type of the entity (Account, Host, or Detection). + | ### Flow Description - 1. **Parameter Initialization**: Extracts the API configuration and action parameters - (`Tags`, `Entity ID`, `Entity Type`). + 1. Extracts configuration parameters (API Root, API Token, Verify SSL) and action + parameters (Tags, Entity ID, Entity Type). - 2. **Tag Processing**: Splits the input `Tags` string into a unique list of stripped - tag names. + 2. Validates the Entity ID as an integer. - 3. **Entity Validation**: Validates that the `Entity ID` is a proper integer. + 3. Fetches the existing tags for the specified entity using the VectraQUX API. - 4. **Data Retrieval**: Fetches the current list of tags associated with the entity - from Vectra. + 4. Identifies which of the provided tags exist on the entity. - 5. **Tag Comparison**: Iterates through the requested tags to remove. It identifies - which tags currently exist on the entity and prepares a new list excluding them. + 5. Removes the identified tags from the entity's tag list. - 6. **External Mutation**: Sends a `PATCH` request to Vectra with the updated (reduced) - tag list. + 6. Updates the entity in VectraQUX with the new tag list via a PATCH request. - 7. **Result Reporting**: Outputs a JSON result and a data table summarizing the - update status and the final list of tags remaining on the entity. + 7. Logs the operation status and adds a result table to the action output. capabilities: can_create_case_comments: false can_create_insight: false @@ -2028,12 +2208,20 @@ Remove Tags: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Removes specified tags from an entity (Account, Host, or Detection) in the Vectra - platform by sending a PATCH request with the updated tag list. + Updates the entity's tag list in the VectraQUX platform by removing the specified + tags. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches current tag data from the VectraQUX API (fetches_data=true) + and performs a PATCH request to update the entity's tags on the external platform + (can_mutate_external_data=true). It does not modify internal SOAR case data + or entities directly. categories: enrichment: false + reasoning: >- + The action mutates external data (updates tags on VectraQUX), therefore it does + not meet the criteria for an Enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -2049,6 +2237,11 @@ Remove Tags: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over the `siemplify.target_entities` list. Instead, + it relies on user-provided parameters (`Entity ID` and `Entity Type`) to identify + the target entity. Therefore, it does not run on entities in the context of + the SOAR entity model. Resolve Assignment: action_product_categories: add_alert_comment: false @@ -2064,6 +2257,10 @@ Resolve Assignment: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action resolves an assignment in the Vectra platform. It does not match + any of the defined categories, such as updating an alert within SecOps, creating + a ticket, or modifying IOC blocklists. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -2078,30 +2275,53 @@ Resolve Assignment: update_email: false update_identity: false update_ticket: false - ai_description: "Resolves an assignment in VectraQUX based on a specific assignment\ - \ ID and outcome ID. This action is used to finalize the status of a security\ - \ assignment by providing a resolution outcome (e.g., Benign True Positive, Malicious\ - \ True Positive, or False Positive), optional triage rules, and notes. It performs\ - \ a state change in the VectraQUX platform.\n\n### Flow Description\n1. **Parameter\ - \ Validation**: Validates that the `Assignment ID` and `Outcome ID` are valid\ - \ integers. If `Detection IDs` are provided, they are also validated as integers.\ - \ \n2. **Triage Logic**: If a `Triage As` rule is specified, the action ensures\ - \ that at least one `Detection ID` is also provided, as required by the Vectra\ - \ API logic.\n3. **API Interaction**: Sends a PUT request to the VectraQUX `/assignments/{assignment_id}/resolve`\ - \ endpoint with the resolution details.\n4. **Result Processing**: Retrieves the\ - \ updated assignment object and outputs it as a JSON result and a formatted data\ - \ table in the SOAR case.\n\n### Parameters Description\n| Parameter Name | Type\ - \ | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Outcome ID | String\ - \ | Yes | The ID representing the resolution outcome. Common values: 1 (Benign\ - \ True Positive), 2 (Malicious True Positive), 3 (False Positive). Custom IDs\ - \ are also supported. |\n| Assignment ID | String | Yes | The unique integer identifier\ - \ of the assignment to be resolved. |\n| Note Title | String | No | An optional\ - \ note or title to be attached to the resolution record in VectraQUX. |\n| Triage\ - \ As | String | No | An optional triage rule name to apply during resolution.\ - \ |\n| Detection IDs | String | No | A comma-separated list of integer detection\ - \ IDs to associate with this resolution. |\n\n### Additional Notes\n* **Dependency**:\ - \ If the `Triage As` parameter is used, at least one `Detection ID` must be provided;\ - \ otherwise, the action will fail with a validation error." + ai_description: >- + Resolves an assignment in the Vectra QUX platform. This action updates the status + of a specific assignment by providing an outcome ID and optional metadata such + as notes, triage rules, and associated detection IDs. + + + ### Flow Description + + 1. **Initialization**: Extracts configuration parameters (API Root, API Token, + Verify SSL) and action parameters (Assignment ID, Outcome ID, Note Title, Triage + As, Detection IDs). + + 2. **Validation**: Validates the provided Assignment ID, Outcome ID, Triage As, + and Detection IDs to ensure they meet format requirements. + + 3. **Execution**: Initializes the `VectraQUXManager` and sends a PUT request to + the Vectra API to resolve the specified assignment. + + 4. **Output**: Adds the API response as a JSON result and constructs a data table + containing the resolved assignment details for the analyst. + + + ### Parameters + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Assignment ID | string | Yes | The ID of the assignment to resolve. | + + | Outcome ID | string | Yes | The outcome ID for resolving the assignment (e.g., + 1 for Benign True Positive, 2 for Malicious True Positive, 3 for False Positive). + | + + | Note Title | string | No | A note title to be added for the assignment resolution. + | + + | Triage As | string | No | Triage rule for resolving the assignment. | + + | Detection IDs | string | No | A comma-separated list of Integer detection IDs + associated with the resolution. | + + + ### Additional Notes + + If `Triage As` is provided, at least one `Detection ID` must also be provided + for the action to succeed. capabilities: can_create_case_comments: false can_create_insight: false @@ -2110,12 +2330,19 @@ Resolve Assignment: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the status of an assignment in the VectraQUX platform to 'Resolved' - and applies the specified outcome, notes, and triage metadata. - fetches_data: true + Resolves an assignment in the Vectra QUX platform via a PUT request. + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a PUT request to the Vectra API to resolve an assignment, + which constitutes an external data mutation. It does not fetch data from the + external system, nor does it modify internal SOAR data (entities, insights, + or alert data). categories: enrichment: false + reasoning: >- + The action does not fetch data (it is a resolution/mutation action) and it mutates + external data. Therefore, it does not meet the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -2131,6 +2358,9 @@ Resolve Assignment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on entities. It takes an 'Assignment ID' as a direct + input parameter and does not iterate over or filter the 'target_entities' list. Search Accounts: action_product_categories: add_alert_comment: false @@ -2146,6 +2376,10 @@ Search Accounts: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action searches for accounts within the Vectra platform. This matches the + 'Search Asset' category, as it is searching for assets (accounts) associated + with the product. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -2161,94 +2395,83 @@ Search Accounts: update_identity: false update_ticket: false ai_description: >- - Searches for and retrieves account details from the Vectra QUX platform based - on a wide range of filtering criteria. This action allows analysts to query the - Vectra API to find specific accounts, evaluate their threat and certainty scores, - and review their detection history. - - ### General Description - The action performs a paginated search against the Vectra QUX `/accounts` endpoint. - It supports complex filtering including account state, score thresholds, timestamps, - and tags. The results are returned as a comprehensive JSON object and summarized - in a data table within the Google SecOps case for quick review. - - - ### Parameters Description + The **Search Accounts** action queries the Vectra platform to retrieve a list + of accounts based on specific filter criteria. This action allows analysts to + search for accounts by name, state, threat score, certainty score, privilege level, + and various timestamps. The results are returned as a JSON object and a formatted + data table, providing visibility into account details within the Vectra environment. - | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + ### Flow Description - | Order | ddl | No | Determines if the results should be returned in 'Ascending' - or 'Descending' order. | + 1. **Initialization**: The action initializes the `SiemplifyAction` and extracts + configuration parameters (API Root, API Token, Verify SSL) and action-specific + filters. - | Limit | string | No | The maximum number of account records to retrieve. | + 2. **Validation**: It validates the provided input parameters, such as `Limit`, + `Threat GTE`, `Certainty GTE`, and `Privilege Level`, ensuring they meet the required + formats. - | Order By | ddl | No | The field used to sort the results (e.g., threat score, - certainty score, timestamp, or ID). | + 3. **API Interaction**: It instantiates the `VectraQUXManager` and executes a + search request against the Vectra API using the provided filters. - | Fields | multi_choice | No | A list of specific account attributes to include - in the response (e.g., name, state, tags, privilege_level). | + 4. **Data Processing**: If accounts are found, the action processes the results + by removing API version strings from URLs and extracting mandatory fields for + the data table. - | Name | string | No | Filter accounts by a specific name. | + 5. **Output**: The action adds the raw JSON results to the action output and generates + a data table titled "List Of Accounts" for the analyst to review. - | State | ddl | No | Filter accounts by their current state ('Active' or 'Inactive'). - | - | Threat GTE | string | No | Filter for accounts with a threat score Greater Than - or Equal to this value. | + ### Parameters Description - | Certainty GTE | string | No | Filter for accounts with a certainty score Greater - Than or Equal to this value. | + | Parameter | Type | Mandatory | Description | - | Last Detection Timestamp GTE | string | No | Filter for accounts with a last - detection timestamp Greater Than or Equal to this date. | + | :--- | :--- | :--- | :--- | - | Last Detection Timestamp LTE | string | No | Filter for accounts with a last - detection timestamp Less Than or Equal to this date. | + | Order | ddl | No | Filter accounts by ascending or descending order. | - | Tags | string | No | Filter accounts by specific tags (comma-separated). | + | Limit | string | No | The maximum number of records to fetch. | - | Note Modified Timestamp GTE | string | No | Filter for accounts where notes - were modified after this timestamp. | + | Order By | ddl | No | Field to order results by (e.g., t_score, c_score, last_detection_timestamp, + id). | - | Privilege Level | string | No | Filter accounts by their assigned privilege - level. | + | Fields | multi_choice | No | Comma-separated list of fields to include in the + results. | - | Privilege Category | ddl | No | Filter accounts by privilege category ('Low', - 'Medium', 'High'). | + | Name | string | No | Filter accounts by name. | + | State | ddl | No | Filter accounts by state (Active, Inactive). | - ### Additional Notes + | Threat GTE | string | No | Filter accounts with a threat score greater than + or equal to the provided value. | - - If 'Order' is set to 'Descending' and an 'Order By' field is selected, the action - automatically prefixes the sort field with a minus sign for the API call. + | Certainty GTE | string | No | Filter accounts with a certainty score greater + than or equal to the provided value. | - - The action performs internal validation on integer-based parameters like 'Limit', - 'Threat GTE', and 'Certainty GTE' to ensure they are valid non-negative values. + | Last Detection Timestamp GTE | string | No | Filter accounts with a last detection + timestamp greater than or equal to the provided value. | - - API version strings are automatically stripped from returned URLs to provide - cleaner data links. + | Last Detection Timestamp LTE | string | No | Filter accounts with a last detection + timestamp less than or equal to the provided value. | + | Tags | string | No | Filter accounts by tags (comma-separated). | - ### Flow Description + | Note Modified Timestamp GTE | string | No | Filter accounts with a note modified + timestamp greater than or equal to the provided value. | - 1. **Parameter Extraction:** The action retrieves configuration settings (API - Root, Token) and all user-provided search filters. + | Privilege Level | string | No | Filter accounts by privilege level. | - 2. **Validation:** It validates that numerical inputs (Limit, Scores) are correctly - formatted integers. + | Privilege Category | ddl | No | Filter accounts by privilege category (Low, + Medium, High). | - 3. **API Request:** It constructs a GET request with the specified query parameters - and executes a paginated search via the `VectraQUXManager`. - 4. **Data Processing:** The action iterates through the retrieved account objects, - cleaning up URL fields and extracting mandatory fields for display. + ### Additional Notes - 5. **Output Generation:** It populates a data table named 'List Of Accounts' and - attaches the full raw JSON results to the action output. + This action does not require any specific entity context to run, as it performs + a global search within the Vectra platform based on the provided parameters. capabilities: can_create_case_comments: false can_create_insight: false @@ -2259,8 +2482,18 @@ Search Accounts: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Vectra API to search for accounts based + on user-provided filters. It does not modify any external systems, nor does + it modify internal SOAR case data (entities, insights, etc.). It simply retrieves + and displays data. categories: enrichment: false + reasoning: >- + The action is a search/query action. It does not enrich an existing entity (it + searches for accounts based on criteria), nor does it meet the criteria for + an enrichment action as defined (it does not update entity attributes or create + insights). entity_usage: entity_types: [] filters_by_additional_properties: false @@ -2276,6 +2509,9 @@ Search Accounts: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or filter by `target_entities`. It performs + a search based on user-provided parameters. Search Detections: action_product_categories: add_alert_comment: false @@ -2290,7 +2526,12 @@ Search Detections: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false - get_alert_information: false + get_alert_information: true + reasoning: >- + The action searches for detections in an external system based on provided filters. + This directly aligns with 'Search Events' (retrieving historical logs/telemetry) + and 'Get Alert Information' (fetching information about detections from the + 3rd party product). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -2308,103 +2549,98 @@ Search Detections: ai_description: >- ### General Description - The **Search Detections** action allows users to query and retrieve a list of - detections from the Vectra QUX platform based on a wide array of filtering criteria. - It is primarily used for threat hunting, investigation, and reporting by fetching - detailed metadata about security events, such as detection types, categories, - threat scores, and associated host or IP information. - - - ### Parameters Description - - | Parameter Name | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | + This action searches for detections in the Vectra AI platform based on a variety + of user-defined filters. It allows analysts to query for specific detections, + such as those related to a particular host, source IP, or detection category, + and retrieve detailed information about them. The action outputs the results as + a JSON object and a formatted data table for easy viewing within the Google SecOps + platform. - | Last Timestamp GTE | String | No | Filters detections with a last seen timestamp - greater than or equal to the provided value. | - | Host ID | String | No | Filters detections associated with a specific Vectra - Host ID. | + ### Flow Description - | Tags | String | No | Filters detections by a comma-separated list of tags. | + 1. **Initialization:** The action initializes the `SiemplifyAction` and extracts + configuration parameters (API Root, API Token, Verify SSL) and action parameters + (filters). - | Is Targeting Key Asset | DDL | No | Filters detections based on whether they - target a key asset (True/False). | + 2. **Validation:** It validates the input parameters, such as `Limit`, `Threat + GTE`, `Certainty GTE`, and `Host ID`, ensuring they meet the required formats. - | Note Modified Timestamp GTE | String | No | Filters detections where the associated - note was modified after the given timestamp. | + 3. **Search:** It uses the `VectraQUXManager` to perform a search against the + Vectra AI API (`/api/v2.5/detections`) using the provided filters. - | Order | DDL | No | Specifies the sort order: 'Ascending' or 'Descending'. | + 4. **Processing:** If detections are found, it processes the results by cleaning + up URLs and extracting mandatory fields (e.g., ID, detection type, category, timestamps, + state) and source information (account/host name and IP). - | Limit | String | No | The maximum number of detection records to retrieve. | + 5. **Output:** It adds the full JSON response to the action results and constructs + a data table titled "List Of Detections" for the analyst to review. - | Order By | DDL | No | The field used to sort results (e.g., last_timestamp, - t_score, c_score). | - | Fields | Multi-Choice | No | A list of specific fields to include in the response - (e.g., id, category, src_ip). | + ### Parameters Description - | State | DDL | No | Filters detections by their current state: 'Active', 'Inactive', - or 'Fixed'. | + | Parameter | Type | Mandatory | Description | - | Detection Type | String | No | Filters by the specific type of detection (e.g., - 'Suspicious HTTP Service'). | + | :--- | :--- | :--- | :--- | - | Detection Category | DDL | No | Filters by the broad category (e.g., 'Lateral - Movement', 'Exfiltration'). | + | Last Timestamp GTE | string | No | Filter by last detection timestamp greater + than or equal to the given value. | - | Src IP | String | No | Filters detections originating from a specific source - IP address. | + | Host ID | string | No | Filter by host ID. | - | Threat GTE | String | No | Filters detections with a threat score greater than - or equal to this value. | + | Tags | string | No | Filter by comma-separated tags. | - | Certainty GTE | String | No | Filters detections with a certainty score greater - than or equal to this value. | + | Is Targeting Key Asset | ddl | No | Filter if detections are targeting a key + asset (True/False). | + | Note Modified Timestamp GTE | string | No | Filter based on note modified timestamp. + | - ### Additional Notes + | Order | ddl | No | Order results in Ascending or Descending order. | - - If the **Order** is set to 'Descending' and an **Order By** field is selected, - the action automatically prefixes the field with a minus sign for the API request. + | Limit | string | No | The maximum number of records to fetch. | - - The action cleans up URLs in the returned data by removing API versioning prefixes - (e.g., `/api/v2.5`) to provide cleaner links for analysts. + | Order By | ddl | No | Field to order results by (last_timestamp, created_datetime, + t_score, c_score, id). | + | Fields | multi_choice | No | Select specific fields to include in the output. + | - ### Flow Description + | State | ddl | No | Filter by detection state (Active, Inactive, Fixed). | - 1. **Parameter Extraction**: The action retrieves configuration settings (API - Root, Token) and all user-provided filter parameters. + | Detection Type | string | No | Filter by detection type. | - 2. **Validation**: It validates numeric inputs like 'Limit', 'Threat GTE', and - 'Certainty GTE' to ensure they are valid integers. + | Detection Category | ddl | No | Filter by detection category (Command and Control, + Botnet, etc.). | - 3. **API Request**: The action calls the Vectra QUX API's detections endpoint - using a GET request, applying the constructed query parameters and pagination - logic. + | Src IP | string | No | Filter by source IP address. | - 4. **Data Processing**: If detections are found, the action iterates through the - results to normalize URLs and extract key fields for display. + | Threat GTE | string | No | Filter by threat score greater than or equal to the + given value. | - 5. **Output Generation**: The full raw data is attached as a JSON result, and - a summary table titled 'List Of Detections' is added to the case wall for quick - review. + | Certainty GTE | string | No | Filter by certainty score greater than or equal + to the given value. | capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: >- - The action adds a data table named 'List Of Detections' to the case wall containing - summary information of the retrieved detections. + internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to search for detections in an external system + (Vectra AI). It does not modify any external or internal data, nor does it update + entities, create insights, or modify alert data. It simply retrieves and displays + information. categories: enrichment: false + reasoning: >- + The action is a search/retrieval action. It does not meet the criteria for an + Enrichment Action because it does not update entities, create insights, or add + comments to the case. It is a search/query action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -2420,6 +2656,10 @@ Search Detections: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities`. It relies entirely + on user-provided parameters to perform its search. Therefore, it does not run + on entities. Search Hosts: action_product_categories: add_alert_comment: false @@ -2435,12 +2675,16 @@ Search Hosts: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action searches for hosts (assets) in the Vectra platform and returns the + results. This matches 'Search Asset'. It also returns a collection of data matching + search parameters, which matches 'Search Events' as it returns host telemetry/logs. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false search_asset: true search_email: false - search_events: false + search_events: true send_email: false send_message: false submit_file: false @@ -2452,99 +2696,83 @@ Search Hosts: ai_description: >- ### General Description - Searches for and retrieves host details from Vectra QUX based on a wide variety - of filtering criteria. This action allows security analysts to perform discovery - and asset management by querying the Vectra platform for hosts that match specific - security postures, such as high threat scores, specific tags, or active network - traffic. The results provide comprehensive metadata for each host, including IP - addresses, severity levels, and detection summaries. - - - ### Parameters Description - + This action searches for hosts within the Vectra QUX platform based on a comprehensive + set of filter criteria. It allows analysts to query the Vectra API to retrieve + specific host information, such as threat scores, certainty levels, and activity + status, and presents the results directly within the SOAR action output. - | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | - - | Limit | String | No | The maximum number of host records to return. Defaults - to the system limit if not specified. | + ### Flow Description - | Tags | String | No | Filter hosts based on specific tags assigned in Vectra. - | + 1. **Parameter Extraction**: The action retrieves configuration parameters (API + Root, Token) and user-defined search filters (e.g., Name, State, Threat Level, + Tags, Time ranges). - | Last Source | String | No | Filter hosts based on the last source identifier. - | + 2. **API Interaction**: It initializes the `VectraQUXManager` and executes a search + request against the Vectra API using the provided filters. - | Order | DDL | No | Specifies whether to sort results in 'Ascending' or 'Descending' - order. | + 3. **Data Processing**: The action processes the returned host data, including + cleaning up API version strings from URLs and extracting specific fields for display. - | Fields | Multi-select | No | A list of specific host fields to include in the - response (e.g., id, name, ip, threat). | + 4. **Output Generation**: The results are formatted and added to the action output + as a JSON object and a structured data table for easy review by the analyst. - | Name | String | No | Filter hosts by their display name. | - | State | DDL | No | Filter hosts by their current state: 'Active' or 'Inactive'. - | + ### Parameters Description - | Threat GTE | String | No | Filter for hosts with a threat score greater than - or equal to this value. | + | Parameter | Type | Mandatory | Description | - | Certainty GTE | String | No | Filter for hosts with a certainty score greater - than or equal to this value. | + | :--- | :--- | :--- | :--- | - | Last Detection Timestamp GTE | String | No | Filter for hosts with a last detection - timestamp greater than or equal to this value. | + | Limit | string | No | The maximum number of records to fetch. | - | Last Detection Timestamp LTE | String | No | Filter for hosts with a last detection - timestamp less than or equal to this value. | + | Tags | string | No | Filter hosts based on specific tags. | - | Is Targeting Key Asset | DDL | No | Filter hosts based on whether they are targeting - key assets (True/False). | + | Last Source | string | No | Filter hosts based on the last source. | - | Privilege Level GTE | String | No | Filter for hosts with a privilege level - greater than or equal to this value. | + | Order | ddl | No | Sort order (Ascending or Descending). | - | Privilege Category | DDL | No | Filter by privilege category: 'Low', 'Medium', - or 'High'. | + | Fields | multi_choice | No | Select specific fields to include in the output + (e.g., id, name, ip, threat, certainty). | - | Active Traffic | DDL | No | Filter for hosts that have shown active traffic - within the last two hours (True/False). | + | Name | string | No | Filter hosts by name. | - | Order By | DDL | No | The field used to sort the results (e.g., t_score, c_score, - last_detection_timestamp). | + | State | ddl | No | Filter hosts by state (Active or Inactive). | - | Note Modified Timestamp GTE | String | No | Filter based on when the host's - notes were last modified. | + | Threat GTE | string | No | Filter hosts with a threat score greater than or + equal to the provided value. | + | Certainty GTE | string | No | Filter hosts with a certainty score greater than + or equal to the provided value. | - ### Additional Notes + | Last Detection Timestamp GTE | string | No | Filter hosts with a last detection + timestamp greater than or equal to the provided value. | - - This action is read-only and does not modify any data within Vectra QUX. + | Last Detection Timestamp LTE | string | No | Filter hosts with a last detection + timestamp less than or equal to the provided value. | - - If no hosts match the provided criteria, the action will complete successfully - with a message indicating no results were found. + | Is Targeting Key Asset | ddl | No | Filter hosts that are targeting key assets + (True/False). | - - Timestamps should be provided in a format recognized by the Vectra API (typically - ISO 8601). + | Privilege Level GTE | string | No | Filter hosts with a privilege level greater + than or equal to the provided value. | + | Privilege Category | ddl | No | Filter hosts by privilege category (Low, Medium, + High). | - ### Flow Description + | Active Traffic | ddl | No | Filter hosts with active traffic (True/False). | - 1. **Initialization:** Extracts the API configuration (Root URL, Token) and all - user-provided search filters. + | Order By | ddl | No | Field to order the results by (t_score, c_score, id, last_detection_timestamp). + | - 2. **Validation:** Validates numerical parameters such as 'Limit', 'Threat GTE', - and 'Certainty GTE' to ensure they are valid integers. + | Note Modified Timestamp GTE | string | No | Filter hosts based on note modification + timestamp. | - 3. **API Query:** Constructs a paginated GET request to the Vectra QUX `/hosts` - endpoint, applying the filters as query parameters. - 4. **Data Sanitization:** Processes the retrieved host list to clean up internal - API versioning strings from URLs and detection sets for better readability. + ### Additional Notes - 5. **Output:** Returns the full host details as a JSON object and generates a - summary data table containing key attributes like ID, Name, IP, and Threat Score. + This action does not require any specific entities to be selected in the SOAR + case; it operates independently based on the provided search parameters. capabilities: can_create_case_comments: false can_create_insight: false @@ -2555,8 +2783,18 @@ Search Hosts: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Vectra API to search for hosts based + on user-provided filters. It does not modify any external systems or internal + SOAR data (entities, insights, etc.). It simply returns the search results in + the action output. categories: enrichment: false + reasoning: >- + The action is a search/retrieval action, not an enrichment action. It does not + update entities or create insights. It does not meet the criteria for an enrichment + action as it does not gather supplemental context about existing entities in + the case. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -2572,6 +2810,9 @@ Search Hosts: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on `siemplify.target_entities`. It uses input parameters + to perform a search against the Vectra API. Unmark Detection Fixed: action_product_categories: add_alert_comment: false @@ -2587,6 +2828,11 @@ Unmark Detection Fixed: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action performs a state change (unmarking as fixed) on detections within + an external system (Vectra). It does not match the 'Update Alert' category (which + is specific to the SecOps platform), nor does it match any other provided categories + like ticket management, identity management, or IOC blocklisting. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -2604,48 +2850,46 @@ Unmark Detection Fixed: ai_description: >- ### General Description - Reverts the 'fixed' status of specific detections in Vectra AI. This action allows - analysts to unmark detections that were previously flagged as resolved or fixed, - effectively reopening them for further investigation or monitoring within the - Vectra platform. + This action unmarks specified detections as fixed within the Vectra QUX platform. + It communicates with the Vectra API to update the status of detections, effectively + reverting them from a 'fixed' state to an active or unresolved state based on + the provided detection IDs. ### Parameters Description - | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Detection IDs | String | Yes | A comma-separated list of Vectra detection IDs - (e.g., "123, 456") that should be unmarked as fixed. | + | Detection IDs | string | Yes | A comma-separated list of detection IDs to be + unmarked as fixed. | ### Additional Notes - - The action validates that all provided IDs are valid integers before sending - the request to Vectra AI. + - This action requires valid API credentials (API Root and API Token) configured + in the integration settings. - - If any ID in the list is invalid or does not exist, the action may fail or return - an error message from the Vectra API. + - The action performs a PATCH request to the Vectra API. Ensure the provided IDs + are valid integers. ### Flow Description - 1. **Parameter Extraction**: Retrieves the `Detection IDs` string from the action - parameters. + 1. **Initialization**: The action initializes the `SiemplifyAction` and extracts + configuration parameters (API Root, API Token, Verify SSL) and the action parameter + (`Detection IDs`). - 2. **Validation**: Splits the input string by commas and validates that each individual - ID is a valid integer. + 2. **Validation**: The provided `Detection IDs` string is split and validated + to ensure each ID is a valid integer. - 3. **API Interaction**: Connects to the Vectra AI API and sends a `PATCH` request - to the detections endpoint. + 3. **API Interaction**: The `VectraQUXManager` is instantiated, and the `unmark_detection_as_fixed` + method is called, which sends a PATCH request to the Vectra API (`/api/v2.5/detections`) + with the payload `{"detectionIdList": detection_list_id, "mark_as_fixed": "False"}`. - 4. **Status Update**: The request payload explicitly sets the `mark_as_fixed` - attribute to `False` for the specified list of detection IDs. - - 5. **Result Reporting**: Captures the API response and adds it to the action's - JSON results for the analyst to review. + 4. **Result**: The response from the API is added to the action result JSON, and + the action completes with a success or failure status. capabilities: can_create_case_comments: false can_create_insight: false @@ -2654,12 +2898,21 @@ Unmark Detection Fixed: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the status of specific detections in Vectra AI by unmarking them as - 'fixed' via a PATCH request to the detections endpoint. + Updates the detection status in the external Vectra system by unmarking it as + fixed. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a PATCH request to an external API (Vectra) to update the + state of detections. It does not fetch data (GET), nor does it modify internal + SOAR data (entities, insights, or case comments). categories: enrichment: false + reasoning: >- + The action is a mutation action that changes the state of detections in an external + system. It does not fetch data, nor does it perform any of the allowed internal + mutations (creating insights, updating entities, or adding comments). Therefore, + it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -2675,6 +2928,9 @@ Unmark Detection Fixed: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or process `siemplify.target_entities`. It + takes a string of detection IDs as an input parameter. Update Assignment: action_product_categories: add_alert_comment: false @@ -2690,6 +2946,10 @@ Update Assignment: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action updates the assignment of an entity to a user in the Vectra QUX system. + This modifies the entity's assignment metadata, which aligns with the 'Update + Identity' category. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -2702,84 +2962,63 @@ Update Assignment: uncontain_host: false update_alert: false update_email: false - update_identity: false + update_identity: true update_ticket: false ai_description: >- - Updates the assigned user for a specific entity (Host or Account) in Vectra QUX. - This action is used to change the ownership or responsibility of an entity within - the Vectra platform by modifying its existing assignment. It first retrieves the - entity's current details to identify the active assignment ID and then performs - a PUT request to update the 'assign_to_user_id' field. This is particularly useful - for workflow orchestration where an analyst or automated process needs to reassign - a resource for investigation. - - - ### Parameters Description - - - | Parameter | Type | Mandatory | Description | + Updates the assigned user for a specific entity (Account or Host) in the Vectra + QUX system. This action retrieves the current entity details to identify the existing + assignment and then updates it by assigning the specified User ID. It returns + the update result and adds a data table to the action results. - | :--- | :--- | :--- | :--- | - - | Entity ID | String | Yes | The unique integer identifier of the entity (Host - or Account) in Vectra QUX. | - - | Entity Type | DDL | Yes | The category of the entity to update. Supported values - are 'Account' and 'Host'. | - - | User ID | String | Yes | The unique integer identifier of the Vectra user to - whom the entity should be reassigned. | + ### Flow Description - ### Additional Notes + 1. Validates input parameters (Entity ID, User ID). + 2. Retrieves current entity details from Vectra QUX to identify the existing assignment. - * **Prerequisite:** The target entity must already have an existing assignment - in Vectra QUX. If no assignment is found, the action will fail with an informative - message. + 3. Updates the assignment by assigning the specified User ID to the entity. - * **Validation:** Both 'Entity ID' and 'User ID' must be valid numeric strings - that can be converted to integers. + 4. Returns the update result and adds a data table to the action results. - * **Output:** The action provides a data table named 'Updated Assignment' containing - the new assignment details and the full JSON response from the Vectra API. + ### Parameters Description - ### Flow Description + | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - 1. **Parameter Extraction:** Retrieves the API configuration and the action parameters - (Entity ID, Entity Type, and User ID). + | Entity ID | string | Yes | The ID of the entity to update. | - 2. **Input Validation:** Validates that the provided Entity ID and User ID are - valid non-negative integers. + | Entity Type | ddl | Yes | The type of entity (Account or Host). | - 3. **Entity Lookup:** Calls the Vectra API to describe the specified entity and - check for an existing assignment. + | User ID | string | Yes | The ID of the user to assign. | - 4. **Assignment Identification:** Extracts the 'assignment_id' from the entity's - current assignment metadata. - 5. **External Update:** Executes a PUT request to the Vectra assignments endpoint - to update the assigned user to the new User ID. + ### Additional Notes - 6. **Result Reporting:** Adds the updated assignment details to a data table and - the raw response to the JSON results, then completes the action with a success - message. + - The action requires valid API credentials for the Vectra QUX integration. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: true - can_mutate_internal_data: false + can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: >- - Updates the 'assign_to_user_id' field for an existing assignment in Vectra QUX - via a PUT request to the assignments API endpoint. + Updates the assignment of an entity to a new user in the Vectra QUX system. fetches_data: true - internal_data_mutation_explanation: null + internal_data_mutation_explanation: >- + Adds result JSON and a data table to the SOAR action results. + reasoning: >- + The action fetches entity details (fetches_data=true) and updates the assignment + in the external Vectra QUX system (can_mutate_external_data=true). It also adds + result JSON and a data table to the SOAR action results (can_mutate_internal_data=true). categories: enrichment: false + reasoning: >- + The action mutates external data (updates assignment), so it is not an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -2795,3 +3034,7 @@ Update Assignment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action takes Entity ID and Entity Type as input parameters and does not + iterate over `siemplify.target_entities`, therefore it does not run on entities + in the context of the SOAR entity model. diff --git a/content/response_integrations/third_party/community/vectra_qux/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/vectra_qux/resources/ai/connectors_ai_description.yaml index 1c5eea981..0e96ce877 100644 --- a/content/response_integrations/third_party/community/vectra_qux/resources/ai/connectors_ai_description.yaml +++ b/content/response_integrations/third_party/community/vectra_qux/resources/ai/connectors_ai_description.yaml @@ -1,46 +1,85 @@ Vectra QUX - Entities Connector: - ai_description: "### General Description\nThe Vectra QUX - Entities Connector enables\ - \ the ingestion of security data from the Vectra QUX platform into Google SecOps.\ - \ Unlike standard alert connectors, this integration focuses on **Entities** (Hosts\ - \ or Accounts). It retrieves entities that have active detections and maps each\ - \ entity to a Google SecOps alert, while the individual detections associated\ - \ with that entity are ingested as alert events. This provides a consolidated,\ - \ asset-centric view of malicious activity.\n\n### Parameters Description\n| Parameter\ - \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| API Root\ - \ | String | Yes | The base URL of the Vectra QUX API (e.g., `https://
:`).\ - \ |\n| API Token | Password | Yes | A unique identifier used to authenticate and\ - \ authorize access to the API. |\n| Entity Type | String | Yes | The type of entity\ - \ to fetch. Supported values: `Host`, `Account`. Default is `Host`. |\n| DeviceProductField\ - \ | String | Yes | The field name used to determine the device product. Default:\ - \ `Vectra QUX`. |\n| EventClassId | String | Yes | The field name used to determine\ - \ the event name/sub-type. Default: `detection_type`. |\n| Max Hours Backwards\ - \ | Integer | No | Number of hours before the first connector iteration to retrieve\ - \ data from. Default: `0`. |\n| Threat Score GTE | Integer | No | Filters for\ - \ entities with threat scores greater than or equal to this value. |\n| Certainty\ - \ Score GTE | Integer | No | Filters for entities with certainty scores greater\ - \ than or equal to this value. |\n| Detection Category | String | No | Filters\ - \ results by category (e.g., Command & Control, Lateral Movement, Exfiltration).\ - \ |\n| Detection Type | String | No | Filters results by a specific Vectra detection\ - \ type. |\n| Specific Tag | String | No | Filters results by a specific tag assigned\ - \ in Vectra. |\n| Partial Tag | String | No | Filters results by a partial tag\ - \ match. |\n| Query | String | No | A custom query string used to specify advanced\ - \ conditions for filtering results. |\n| Limit | Integer | No | Maximum number\ - \ of entities to fetch in a single iteration. |\n| Verify SSL | Boolean | No |\ - \ If enabled, the connector will verify the SSL certificate of the API Root. |\n\ - | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the\ - \ python process running the script. |\n\n### Flow Description\n1. **Initialization**:\ - \ The connector authenticates with the Vectra QUX API and retrieves the timestamp\ - \ of the last successful run and a list of previously processed entity IDs to\ - \ avoid duplicates.\n2. **Entity Fetching**: It queries the Vectra `/search/hosts`\ - \ or `/search/accounts` endpoint for entities modified since the last execution,\ - \ applying user-defined filters such as Threat/Certainty scores, tags, and categories.\n\ - 3. **Detection Enrichment**: For every entity identified, the connector performs\ - \ a secondary API call to fetch all associated \"active\" detections for that\ - \ specific asset.\n4. **Data Mapping**: \n * The **Entity** metadata (ID,\ - \ Name, Severity) is mapped to a Google SecOps **Alert**.\n * Each **Detection**\ - \ associated with the entity is transformed into a SecOps **Event**.\n * \ - \ Vectra severity levels (Low, Medium, High, Critical) are mapped to corresponding\ - \ SecOps priority values.\n5. **Case Creation**: The connector packages the mapped\ - \ data into `AlertInfo` objects and ingests them into Google SecOps.\n6. **State\ - \ Persistence**: Upon successful ingestion, the connector updates the last modification\ - \ timestamp and the list of processed IDs to ensure continuity in the next iteration." + ai_description: >- + ### General Description + + The Vectra QUX - Entities Connector integrates Google SecOps (SOAR) with the Vectra + QUX platform. It is designed to periodically retrieve security entities, such + as Hosts or Accounts, and their associated detections. By mapping these entities + to alerts and their detections to events, the connector enables security teams + to monitor, investigate, and respond to threats identified by Vectra directly + within the SOAR platform. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | API Root | String | Yes | The base URL of the Vectra QUX API. | + + | API Token | Password | Yes | Authentication token for the Vectra QUX API. | + + | Certainty Score GTE | Integer | No | Filters entities with a certainty score + greater than or equal to this value. | + + | Detection Category | String | No | Filters results by detection category (e.g., + Command & Control, Botnet Activity). | + + | Detection Type | String | No | Filters results by specific detection type. | + + | DeviceProductField | String | Yes | Field name used to determine the device + product. | + + | Entity Type | String | Yes | The type of entity to fetch (e.g., Host, Account). + | + + | EventClassId | String | Yes | Field name used to determine the event name. | + + | Limit | Integer | No | Maximum number of entities to fetch per iteration. | + + | Max Hours Backwards | Integer | No | Number of hours to look back for initial + data retrieval. | + + | Partial Tag | String | No | Partial tag to filter results. | + + | PythonProcessTimeout | String | Yes | Timeout limit (in seconds) for the script + execution. | + + | Query | String | No | Custom query string for advanced filtering. | + + | Specific Tag | String | No | Specific tag to filter results. | + + | Threat Score GTE | Integer | No | Filters entities with a threat score greater + than or equal to this value. | + + | Verify SSL | Boolean | No | Whether to verify SSL certificates for API requests. + | + + + ### Flow Description + + 1. **Initialization**: The connector initializes the connection to the Vectra + QUX API using the provided API Root and Token. + + 2. **Validation**: Input parameters are validated to ensure correct entity types + and score formats. + + 3. **Data Retrieval**: The connector queries the Vectra QUX API for entities (Hosts + or Accounts) based on the configured filters (e.g., threat score, certainty, tags, + and time range). + + 4. **Deduplication**: It checks against previously processed alert IDs to avoid + creating duplicate cases. + + 5. **Processing**: For each retrieved entity, the connector fetches associated + detections. + + 6. **Mapping**: Each entity is mapped to a SOAR alert, and its detections are + mapped as alert events. + + 7. **Ingestion**: The processed alerts are ingested into Google SecOps as cases + for further investigation. + + 8. **Cleanup**: Timestamps and processed IDs are saved to maintain state for the + next iteration. diff --git a/content/response_integrations/third_party/community/vectra_qux/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/vectra_qux/resources/ai/integration_ai_description.yaml index 971d37ab1..5875b90c3 100644 --- a/content/response_integrations/third_party/community/vectra_qux/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/community/vectra_qux/resources/ai/integration_ai_description.yaml @@ -5,8 +5,21 @@ product_categories: edr: false email_security: false iam_and_identity_management: true - itsm: true - network_security: true + itsm: false + network_security: false + reasoning: >- + The Vectra QUX integration is a threat detection platform that ingests security + entities (Hosts and Accounts) and their associated detections into Chronicle SOAR, + which aligns with the SIEM category for alert and event ingestion. It provides + threat and certainty scores for entities and detections, supporting the Threat + Intelligence category for enrichment. The integration manages 'Accounts' and 'Hosts,' + including assignment and group management, which aligns with the IAM & Identity + Management category. The description explicitly mentions 'hybrid and multi-cloud + enterprises,' and the connector retrieves cloud-relevant entities, supporting + the Cloud Security category. It also functions as an Asset Inventory tool by retrieving + detailed host and account information. It does not perform EDR-specific tasks + (process trees, isolation), Network Security (firewall logs, blocking), Email + Security, ITSM, Vulnerability Management, or Collaboration. siem: true threat_intelligence: true vulnerability_management: false diff --git a/content/response_integrations/third_party/community/vectra_qux/resources/ai/jobs_ai_description.yaml b/content/response_integrations/third_party/community/vectra_qux/resources/ai/jobs_ai_description.yaml index 5187f2db6..cf36ed992 100644 --- a/content/response_integrations/third_party/community/vectra_qux/resources/ai/jobs_ai_description.yaml +++ b/content/response_integrations/third_party/community/vectra_qux/resources/ai/jobs_ai_description.yaml @@ -1,34 +1,52 @@ Vectra QUX - Clear Empty Cases Job: - ai_description: "### General Description\nThe **Vectra QUX - Clear Empty Cases Job**\ - \ is a maintenance utility designed to reduce noise and redundancy within Google\ - \ SecOps. It identifies and closes cases or individual alerts that contain duplicate\ - \ security events already being tracked in other open cases. By analyzing the\ - \ unique detection IDs provided by Vectra QUX, the job ensures that analysts are\ - \ not investigating the same underlying threat across multiple tickets, effectively\ - \ streamlining the incident response workflow.\n\n### Parameters Description\n\ - | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ - | Max Hours Backwards | String | No | The maximum number of hours to look back\ - \ for open cases. Setting this to '0' will cause the job to process all open cases\ - \ regardless of their creation time. Default is '24'. |\n| Environments | String\ - \ | Yes | A comma-separated list of environments to include in the cleanup process.\ - \ Only cases within these environments will be processed. Default is 'Default\ - \ Environment'. |\n| Products | String | Yes | A comma-separated list of product\ - \ names to filter alerts. The job only evaluates alerts where the 'DeviceProduct'\ - \ matches these values. Default is 'Vectra QUX'. |\n\n### Flow Description\n1.\ - \ **Initialization**: The job retrieves the configuration parameters and calculates\ - \ the time range for processing based on the last successful execution and the\ - \ `Max Hours Backwards` setting.\n2. **Case Fetching**: It queries the SOAR platform\ - \ for all cases currently in an \"OPEN\" status that fall within the specified\ - \ time window.\n3. **Filtering and Extraction**: For each retrieved case, the\ - \ job verifies if it belongs to the allowed `Environments` and `Products`. It\ - \ then extracts the unique detection (event) IDs from the alerts associated with\ - \ those cases.\n4. **Duplicate Analysis**: The job builds a map of event IDs\ - \ to identify overlaps between different cases and alerts. It determines if an\ - \ alert's events are entirely contained within other active cases.\n5. **Case\ - \ and Alert Closure**: \n * If an entire case consists of alerts that are\ - \ duplicates of events in other cases, the job closes the case with the root cause:\ - \ \"Similar case already under investigation\".\n * If only specific alerts\ - \ within a case are redundant, those individual alerts are closed with the root\ - \ cause: \"Similar alert already under investigation\".\n6. **Timestamp Update**:\ - \ Finally, the job saves the current execution timestamp to the internal database\ - \ to serve as the starting point for the next scheduled run." + ai_description: >- + ### General Description + + This job automates the maintenance of the Google SecOps (Chronicle) SOAR case + queue by identifying and closing empty or duplicate cases originating from the + Vectra QUX integration. It helps reduce investigation noise by analyzing open + cases, filtering them based on specific environments and product names, and automatically + closing cases that contain redundant or identical alerts. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Max Hours Backwards | String | No | The maximum number of hours to look back + for open cases. Defaults to 24 hours. Set to '0' to process all open cases. | + + | Environments | String | Yes | A comma-separated list of environments to filter + cases by. Defaults to 'Default Environment'. | + + | Products | String | Yes | A comma-separated list of product field names to filter + alerts by. Defaults to 'Vectra QUX'. | + + + ### Flow Description + + 1. Extracts and validates the job configuration parameters (Max Hours Backwards, + Environments, and Products). + + 2. Calculates the start time for the job based on the last successful execution + timestamp to ensure incremental processing. + + 3. Fetches all open cases from the SOAR platform that match the specified time + range. + + 4. Iterates through each open case to retrieve associated entities and their corresponding + detections. + + 5. Filters the retrieved detections to include only those matching the provided + environment and product name criteria. + + 6. Analyzes the filtered cases to identify identical alerts or cases that are + effectively empty. + + 7. Closes redundant cases or removes duplicate alerts from cases as identified + by the analysis logic. + + 8. Updates the job's last success timestamp in the database to track progress + for the next execution. diff --git a/content/response_integrations/third_party/community/vectra_rux/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/vectra_rux/resources/ai/actions_ai_description.yaml index bc40b95a1..a8c870b8f 100644 --- a/content/response_integrations/third_party/community/vectra_rux/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/vectra_rux/resources/ai/actions_ai_description.yaml @@ -13,6 +13,10 @@ Add Note: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action adds a note to an entity in the VectraRUX platform. It does not match + any of the provided categories (e.g., it is not adding a comment to a SOAR alert, + nor is it an enrichment or containment action). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -28,24 +32,11 @@ Add Note: update_identity: false update_ticket: false ai_description: >- - Adds a note to a specific entity (Account, Host, or Detection) within the Vectra - platform. This action allows analysts to document findings or provide context - directly on the Vectra resource from within Google SecOps, ensuring that information - is synchronized between the two platforms. - - - ### Flow Description - - 1. **Parameter Extraction**: Retrieves the note content, target entity ID, and - entity type from the action parameters. - - 2. **Validation**: Validates that the provided Entity ID is a valid integer. - - 3. **API Interaction**: Executes a POST request to the Vectra API's notes endpoint - for the specified entity. + ### General Description - 4. **Result Processing**: Captures the API response (the created note object) - and presents it in a data table and JSON format for the analyst. + Adds a note to a specific entity (Account, Host, or Detection) within the VectraRUX + platform. This action allows analysts to append contextual information or investigation + notes directly to an entity in the external system. ### Parameters Description @@ -54,23 +45,28 @@ Add Note: | :--- | :--- | :--- | :--- | - | Note | String | Yes | The text content of the note to be added to the Vectra - entity. | + | Note | string | Yes | The text content of the note to be added to the entity. + | - | Entity ID | String | Yes | The unique numeric identifier of the entity in Vectra. + | Entity ID | string | Yes | The unique identifier of the entity in VectraRUX. | - | Entity Type | DDL | Yes | The type of entity to which the note will be added. - Options: Account, Host, or Detection. | + | Entity Type | ddl | Yes | The type of the entity. Supported values: Account, + Host, Detection. | + + ### Flow Description - ### Additional Notes + 1. Extracts configuration parameters (API Root, Client ID, Client Secret) and + action parameters (Note, Entity ID, Entity Type). - - The Entity ID must be a numeric value corresponding to an existing resource - in the Vectra environment. + 2. Validates the provided Entity ID. - - This action performs a state change in the external Vectra system by creating - a new note record. + 3. Sends a POST request to the VectraRUX API endpoint (`/entities/{entity_id}/notes`) + to create the note. + + 4. Adds the API response to the action result as a data table and JSON for reporting + purposes. capabilities: can_create_case_comments: false can_create_insight: false @@ -79,12 +75,18 @@ Add Note: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new note record in the Vectra platform associated with a specific - Account, Host, or Detection entity. + Adds a note to an entity (Account, Host, or Detection) in the VectraRUX platform. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the VectraRUX API to add a note to an + entity. It does not fetch data, nor does it modify internal SOAR case data or + entities. It is a mutation action on an external system. categories: enrichment: false + reasoning: >- + The action is a mutation action (adding a note to an external system) and does + not fetch data for enrichment purposes, therefore it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -100,6 +102,10 @@ Add Note: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use `siemplify.target_entities`. It accepts `Entity ID` + and `Entity Type` as manual input parameters from the user, rather than operating + on entities already present in the case. Add Tags: action_product_categories: add_alert_comment: false @@ -115,6 +121,10 @@ Add Tags: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action updates tags on an external system (Vectra RUX). None of the provided + categories (e.g., Enrich IOC, Contain Host, Update Identity) perfectly match + this 'Update Tags' functionality. Therefore, all categories are set to false. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -127,62 +137,56 @@ Add Tags: uncontain_host: false update_alert: false update_email: false - update_identity: true + update_identity: false update_ticket: false ai_description: >- - Adds tags to specific entities in the Vectra RUX platform. This action allows - users to append one or more tags to Accounts, Hosts, or Detections by providing - their unique Vectra IDs. The action first retrieves the existing tags for each - specified entity to ensure that existing data is preserved and only new, unique - tags are added. It then performs a PATCH request to update the entity's tag list - in the external system. + ### General Description + Adds tags to specified entities (Account, Host, or Detection) in the Vectra RUX + platform. This action retrieves existing tags for the provided entity IDs, merges + them with the new tags, and updates the entity's tag list in the external system + via a PATCH request. The action logs the status of each update and provides a + summary table of the results. - ### Parameters Description + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Tags | String | Yes | A comma-separated list of tags to be added to the specified - entities. | + | Tags | string | Yes | Comma-separated list of tags to add to the account, host, + or detection. | - | Entity IDs | String | Yes | A comma-separated list of the unique Vectra identifiers - for the entities to be tagged. | + | Entity IDs | string | Yes | Comma-separated list of the Entity IDs to which + the user wants to add tags. | - | Entity Type | DDL | Yes | The category of the entity being tagged. Options include: - `Account`, `Host`, or `Detection`. | + | Entity Type | ddl | Yes | The type of the entity to which tags will be added + (Options: Account, Host, Detection). | - ### Additional Notes + ### Flow Description - - This action does not process Google SecOps entities automatically; it requires - explicit Vectra IDs as input parameters. + 1. Extracts configuration (API credentials) and action parameters (Tags, Entity + IDs, Entity Type). - - The action ensures that duplicate tags are not created by merging the new tags - with the existing ones retrieved from the API. + 2. Validates and parses the input IDs and tags, removing duplicates. + 3. Iterates through each provided Entity ID. - ### Flow Description + 4. Fetches existing tags for the entity from the Vectra RUX API. - 1. **Parameter Extraction:** The action retrieves the list of tags, entity IDs, - and the entity type from the user input. + 5. Merges the existing tags with the new tags. - 2. **Validation:** It validates that the provided Entity IDs are integers and - cleans the tag strings. + 6. Updates the entity's tags in Vectra RUX via a PATCH request. - 3. **Tag Retrieval:** For each entity ID, the action calls the Vectra API to fetch - the current list of tags. + 7. Logs the status of each update and generates a result table in the SOAR case. - 4. **Merging:** It combines the existing tags with the new tags, removing any - duplicates. - 5. **External Update:** The action sends a PATCH request to Vectra RUX to update - the entity with the new combined tag list. + ### Additional Notes - 6. **Reporting:** It generates a data table and a JSON result summarizing the - success or failure of the tag update for each ID. + The action requires valid API credentials for the Vectra RUX integration to be + configured. capabilities: can_create_case_comments: false can_create_insight: false @@ -191,12 +195,19 @@ Add Tags: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the tag metadata for Accounts, Hosts, or Detections in the Vectra RUX - platform via a PATCH request. + Updates the tag list for the specified entity in the Vectra RUX platform. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches existing tags from the Vectra RUX API (fetches_data=true) + and then performs a PATCH request to update the tags on the external system + (can_mutate_external_data=true). It does not modify internal SOAR case data + or entities directly. categories: enrichment: false + reasoning: >- + The action mutates external data (updates tags), so it is not an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -212,6 +223,9 @@ Add Tags: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities`. It takes `Entity + IDs` as an input parameter. Therefore, it does not run on SOAR entities. Assign Entity: action_product_categories: add_alert_comment: false @@ -227,6 +241,10 @@ Assign Entity: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action assigns an entity to a user in the Vectra RUX platform. This does + not match any of the provided categories (Enrichment, Containment, Ticket management, + etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -239,47 +257,48 @@ Assign Entity: uncontain_host: false update_alert: false update_email: false - update_identity: true + update_identity: false update_ticket: false ai_description: >- - Assigns a Vectra RUX entity (Host or Account) to a specific user. This action - creates an assignment record within the Vectra platform, facilitating ownership - and accountability for investigation or remediation tasks. It validates that the - provided IDs are integers before making the API request and returns the details - of the created assignment. + ### General Description + This action assigns a specific entity (either a Host or an Account) to a designated + user within the Vectra RUX platform. It facilitates the management of entity assignments + by interacting directly with the Vectra RUX API. - ### Parameters + + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Entity ID | string | Yes | The unique identifier of the Host or Account in Vectra - RUX that will be assigned. | + | Entity ID | string | Yes | The unique identifier of the entity (Host or Account) + to be assigned. | - | Entity Type | ddl | Yes | Specifies whether the Entity ID refers to an 'Account' - or a 'Host'. | + | Entity Type | ddl | Yes | The type of the entity. Supported values are 'Account' + or 'Host'. | - | User ID | string | Yes | The unique identifier of the Vectra RUX user to whom - the assignment will be made. | + | User ID | string | Yes | The unique identifier of the user to whom the entity + will be assigned. | ### Flow Description - 1. **Initialization**: Extracts the API configuration and the action parameters - (User ID, Entity ID, and Entity Type). + 1. **Initialization**: The action initializes the `SiemplifyAction` and extracts + configuration parameters (API Root, Client ID, Client Secret) and action parameters + (User ID, Entity ID, Entity Type). - 2. **Validation**: Validates that the `Entity ID` and `User ID` are valid positive - integers. - - 3. **API Interaction**: Initializes the VectraRUXManager and calls the `assign_entity` - method, which sends a POST request to the Vectra RUX assignments endpoint. + 2. **Validation**: The action validates that the provided `Entity ID` and `User + ID` are valid integers. - 4. **Result Processing**: Parses the API response into an Assignment object. + 3. **Execution**: The action initializes the `VectraRUXManager` and calls the + `assign_entity` method, which performs a POST request to the Vectra RUX API to + create the assignment. - 5. **Output**: Adds a data table containing the assignment details and the raw - JSON response to the action results in Google SecOps. + 4. **Result Reporting**: Upon successful assignment, the action adds the assignment + details to the action results as a data table and a JSON object containing the + raw response data. capabilities: can_create_case_comments: false can_create_insight: false @@ -288,12 +307,20 @@ Assign Entity: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new assignment record in Vectra RUX, linking a specific entity (Host - or Account) to a user. - fetches_data: true + Assigns an entity (Host or Account) to a user in the Vectra RUX platform via + a POST request. + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the Vectra RUX API to assign an entity + to a user. It does not fetch data for enrichment, nor does it modify internal + SOAR case data (such as updating entities or adding insights). It only reports + the result of the external mutation. categories: enrichment: false + reasoning: >- + The action is a mutation action (assigning an entity) and does not fetch data + for enrichment purposes. It does not meet the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -309,6 +336,10 @@ Assign Entity: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use `siemplify.target_entities`. It takes `Entity ID` and + `Entity Type` as direct input parameters from the action configuration, rather + than operating on entities already present in the case. Assign Group: action_product_categories: add_alert_comment: false @@ -324,6 +355,9 @@ Assign Group: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action modifies group membership in an external system (VectraRUX). This + aligns with the 'Update Identity' category, which includes modifying group memberships. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -341,9 +375,9 @@ Assign Group: ai_description: >- ### General Description - Adds members to a specific group in Vectra AI. This action allows analysts to - manage group memberships dynamically by appending a list of members (such as hosts, - IPs, or accounts) to an existing group identified by its ID. + Adds members to a specified group in the VectraRUX system. This action allows + users to append a list of members to an existing group by providing the group's + ID and the list of members to be added. ### Parameters Description @@ -352,42 +386,36 @@ Assign Group: | :--- | :--- | :--- | :--- | - | Group ID | String | True | The unique identifier of the group in Vectra AI. - This value must be a positive integer. | + | Group ID | string | Yes | The ID of the group to which members will be added. + | - | Members | String | True | A comma-separated list of members to be added to the - group. The type of member (e.g., hostname, IP, account UID) should correspond - to the group's defined type. | + | Members | string | Yes | A comma-separated list of members to assign to the + group. | - ### Additional Notes + ### Flow Description - - The action uses the 'append' membership action, ensuring that existing group - members are preserved and not overwritten. + 1. Extracts configuration (API Root, Client ID, Client Secret) and action parameters + (Group ID, Members). - - The action provides a detailed HTML view of the group's properties and membership - status after the update. + 2. Validates the `Group ID` as an integer. + 3. Initializes the `VectraRUXManager` with the provided credentials. - ### Flow Description + 4. Calls the API to append the specified members to the group. - 1. **Parameter Extraction**: The action retrieves the `Group ID` and `Members` - list from the input parameters. + 5. Compares the requested members with the updated group members to identify which + were successfully assigned. - 2. **Validation**: It validates that the `Group ID` is a valid integer and processes - the `Members` string into a list of unique, stripped strings. + 6. Generates an HTML view of the group details and adds the raw JSON response + to the action results. - 3. **Authentication**: Connects to the Vectra AI API using the provided credentials - (API Root, Client ID, and Client Secret). - 4. **Group Update**: Sends a PATCH request to the Vectra API to add the new members - to the specified group using the `append` membership action. + ### Additional Notes - 5. **Verification**: Compares the requested members against the updated group - membership returned by the API to identify any members that could not be assigned. + - The action expects the `Group ID` to be a valid integer. - 6. **Output Generation**: Returns the updated group details in JSON format and - renders an HTML table for the case wall showing the group's current state. + - The `Members` parameter should be a comma-separated string of member identifiers. capabilities: can_create_case_comments: false can_create_insight: false @@ -396,12 +424,19 @@ Assign Group: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the membership list of a group in Vectra AI using a PATCH request to - the groups endpoint. + Appends specified members to a group in the VectraRUX system. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a PATCH request to update group members in VectraRUX (can_mutate_external_data=true). + It retrieves the updated group object from the response (fetches_data=true). + It does not modify internal SOAR case data or entities. categories: enrichment: false + reasoning: >- + The action modifies group membership in an external system (VectraRUX), which + constitutes a mutation of external data. Therefore, it cannot be classified + as an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -417,6 +452,9 @@ Assign Group: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not reference `target_entities` or perform any entity-based operations. + It uses input parameters `Group ID` and `Members` to perform the action. Describe Assignment: action_product_categories: add_alert_comment: false @@ -431,7 +469,11 @@ Describe Assignment: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false - get_alert_information: true + get_alert_information: false + reasoning: >- + The action retrieves details for a specific assignment ID. It does not perform + enrichment on IOCs or Assets, nor does it modify alerts, tickets, or identities. + It does not fit the specific definitions of the provided categories. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -446,49 +488,26 @@ Describe Assignment: update_email: false update_identity: false update_ticket: false - ai_description: >- - ### General Description - - Retrieves comprehensive details for a specific assignment within Vectra RUX using - its unique identifier. This action allows analysts to view metadata associated - with an assignment, including the assigned user, the resolver, the outcome, and - associated entity IDs (Host or Account). It is primarily used to audit or verify - the status of tasks within the Vectra platform. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Assignment ID | String | Yes | The unique numerical identifier of the assignment - to retrieve. The value is validated as a non-negative integer before processing. - | - - - ### Flow Description - - 1. **Parameter Initialization**: The action extracts the `Assignment ID` from - the user input and validates that it is a valid integer. - - 2. **Authentication**: The action initializes the `VectraRUXManager`, which handles - OAuth2 token generation and session management. - - 3. **Data Retrieval**: A GET request is sent to the Vectra RUX API endpoint `/api/v3.4/assignments/{assignment_id}`. - - 4. **Data Parsing**: The response is parsed into an `Assignment` data model, which - extracts key fields such as `Assigned User`, `Outcome Title`, and `Entity ID`. - - 5. **Output Generation**: The action returns the full raw JSON response and constructs - a data table named 'Describe Assignment' containing the flattened assignment details. - - - ### Additional Notes - - This action does not process entities from the Google SecOps case; it operates - strictly based on the provided `Assignment ID` parameter. If the ID is not found, - the action will return a failure status. + ai_description: "### General Description\nThis action retrieves detailed information\ + \ about a specific assignment from the VectraRUX platform. It allows analysts\ + \ to fetch metadata, user assignments, and resolution details for a given assignment\ + \ ID, providing visibility into the assignment's status and history within the\ + \ VectraRUX environment.\n\n### Parameters Description\n| Parameter | Type | Mandatory\ + \ | Description |\n| :--- | :--- | :--- | :--- |\n| Assignment ID | string | Yes\ + \ | The unique identifier of the assignment to retrieve. |\n\n### Additional Notes\n\ + - This action requires valid API credentials (API Root, Client ID, Client Secret)\ + \ configured in the integration settings.\n- The action performs a read-only operation\ + \ and does not modify any data in VectraRUX or the SOAR platform.\n\n### Flow\ + \ Description\n1. **Initialization**: The action initializes the `SiemplifyAction`\ + \ and extracts the required configuration parameters (API Root, Client ID, Client\ + \ Secret) and the `Assignment ID` action parameter.\n2. **Validation**: The `Assignment\ + \ ID` is validated to ensure it is a valid integer.\n3. **API Interaction**: The\ + \ `VectraRUXManager` is initialized, and the `describe_assignment` method is called\ + \ to fetch the assignment details from the VectraRUX API.\n4. **Result Processing**:\ + \ \n - The raw JSON response is added to the action results.\n - The assignment\ + \ information is formatted into a CSV-based data table and added to the action\ + \ output.\n5. **Completion**: The action concludes by setting the execution status\ + \ and output message, providing the retrieved details to the analyst." capabilities: can_create_case_comments: false can_create_insight: false @@ -499,8 +518,17 @@ Describe Assignment: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the VectraRUX API to retrieve assignment + details. It does not modify any external systems (no POST/PUT/DELETE), nor does + it modify internal SOAR data (no entity updates or insights). It simply fetches + and displays information. categories: - enrichment: true + enrichment: false + reasoning: >- + The action fetches data from an external source, but it does not gather context + about alerts or entities (it gathers context about an assignment). Therefore, + it does not meet the definition of an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -516,6 +544,9 @@ Describe Assignment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on entities. It takes an `Assignment ID` as a direct + input parameter to fetch details from the VectraRUX API. Describe Detection: action_product_categories: add_alert_comment: false @@ -531,6 +562,10 @@ Describe Detection: enrich_ioc: false execute_command_on_the_host: false get_alert_information: true + reasoning: >- + The action retrieves detailed information about a specific detection from the + Vectra RUX platform. This directly aligns with the 'Get Alert Information' category, + as it fetches information about an alert (detection) from the 3rd party product. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -545,25 +580,45 @@ Describe Detection: update_email: false update_identity: false update_ticket: false - ai_description: "### General Description\nThe **Describe Detection** action retrieves\ - \ comprehensive details for a specific detection from the Vectra RUX platform\ - \ using its unique identifier. It is primarily used for deep-dive investigations\ - \ where an analyst needs to see the full raw data and metadata associated with\ - \ a specific security event identified by Vectra.\n\n### Parameters Description\n\ - | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ - | **Detection ID** | String | Yes | The unique identifier of the detection to\ - \ retrieve. This value is validated as an integer before the request is made.\ - \ |\n\n### Flow Description\n1. **Parameter Initialization**: The action retrieves\ - \ the integration configuration (API Root, Client ID, Client Secret) and the mandatory\ - \ `Detection ID` parameter.\n2. **Validation**: The `Detection ID` is validated\ - \ to ensure it is a valid non-negative integer.\n3. **API Interaction**: The\ - \ action authenticates with Vectra RUX and performs a GET request to the `/detections/{detection_id}`\ - \ endpoint.\n4. **Data Processing**: The raw JSON response is parsed into a `Detection`\ - \ data model, which extracts key fields such as state, category, type, and source\ - \ entity information.\n5. **Output Generation**: \n * A data table titled\ - \ \"Describe Detection\" is added to the case wall, containing a summary of the\ - \ detection.\n * The full raw JSON response is attached to the action results\ - \ for detailed inspection." + ai_description: >- + ### General Description + + The **Describe Detection** action retrieves comprehensive details for a specific + detection from the Vectra RUX platform. This action is designed to provide analysts + with deep-dive information about a detection by querying the Vectra API using + a unique Detection ID. The output is presented in both a structured data table + and a raw JSON format, facilitating easier investigation and decision-making. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Detection ID | string | Yes | The unique identifier of the detection to be retrieved. + This value must be a valid integer. | + + + ### Flow Description + + 1. **Configuration Extraction**: The action retrieves the necessary API credentials + (API Root, Client ID, Client Secret) from the integration configuration. + + 2. **Parameter Extraction**: The action extracts the `Detection ID` provided by + the user. + + 3. **Validation**: The `Detection ID` is validated to ensure it is a valid integer. + + 4. **API Interaction**: The action initializes the `VectraRUXManager` and calls + the `describe_detection` method to fetch the detection details from the Vectra + RUX API. + + 5. **Result Formatting**: The retrieved detection data is formatted into a data + table and a JSON object, which are then added to the action results. + + 6. **Completion**: The action concludes by setting the execution status and providing + a success or error message. capabilities: can_create_case_comments: false can_create_insight: false @@ -574,8 +629,18 @@ Describe Detection: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Vectra RUX API to retrieve detection + details based on a provided ID. It does not perform any write operations (POST/PUT/DELETE) + on external systems, nor does it modify internal SOAR case data (e.g., updating + entities, adding insights, or modifying alert status). It is a read-only enrichment + action. categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches supplemental context (detection details) from an external + source (Vectra RUX) without modifying any external or internal state. This aligns + with the definition of an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -591,6 +656,10 @@ Describe Detection: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities` or use entity-specific + identifiers. It accepts a `Detection ID` as a direct input parameter to fetch + detection details, therefore it does not run on entities. Describe Entity: action_product_categories: add_alert_comment: false @@ -606,10 +675,13 @@ Describe Entity: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves contextual metadata (e.g., state, urgency, tags) for a + resource (Account or Host), which directly matches the 'Enrich Asset' category. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false - search_asset: true + search_asset: false search_email: false search_events: false send_email: false @@ -623,11 +695,10 @@ Describe Entity: ai_description: >- ### General Description - The **Describe Entity** action retrieves comprehensive details for a specific - entity (either a **Host** or an **Account**) from the Vectra RUX platform using - its unique identifier. This action is primarily used for deep-dive investigations - where an analyst needs the full metadata associated with a Vectra-tracked asset, - including its state, severity, urgency scores, and associated detection IDs. + Retrieves detailed information for a specific entity (Account or Host) from the + VectraRUX platform. This action fetches comprehensive metadata, including state, + urgency scores, and detection history, and presents it in the action results as + a data table and raw JSON. ### Parameters Description @@ -636,36 +707,28 @@ Describe Entity: | :--- | :--- | :--- | :--- | - | **Entity ID** | String | Yes | The unique numerical identifier for the entity - in Vectra RUX. | + | Entity ID | string | Yes | The unique identifier of the entity to retrieve. + | - | **Entity Type** | DDL | Yes | The category of the entity. Must be either `Account` - or `Host`. | + | Entity Type | ddl | Yes | The type of entity, either 'Account' or 'Host'. | ### Flow Description - 1. **Parameter Extraction:** The action retrieves the `Entity ID` and `Entity - Type` from the user input. - - 2. **Validation:** It validates that the `Entity ID` is a valid integer. - - 3. **API Request:** It calls the Vectra RUX API to fetch the raw data for the - specified entity using a GET request. - - 4. **Data Processing:** The response is parsed into a structured Entity object. + 1. Extracts configuration parameters (API Root, Client ID, Client Secret) and + action parameters (Entity ID, Entity Type). - 5. **Output Generation:** The action creates a Data Table with key entity attributes - and attaches the full raw API response as a JSON result. + 2. Validates the provided Entity ID as an integer. + 3. Initializes the VectraRUXManager to handle API communication. - ### Additional Notes + 4. Executes a GET request to the VectraRUX API to describe the specified entity. - * This action does not automatically process entities present in the Google SecOps - case; it requires a specific ID as input. + 5. Adds the retrieved entity details to the action result as a data table and + raw JSON. - * If the entity is not found, the action will return a failure status with an - informative error message. + 6. Handles potential errors (e.g., invalid ID, item not found) and logs the execution + status. capabilities: can_create_case_comments: false can_create_insight: false @@ -676,8 +739,16 @@ Describe Entity: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve entity details from the VectraRUX + API. It does not modify any external systems or internal SOAR data (it only + adds result data to the action execution). categories: enrichment: true + reasoning: >- + The action fetches contextual data about an entity from an external source (VectraRUX) + without modifying any external or internal systems. This aligns with the definition + of an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -693,6 +764,10 @@ Describe Entity: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action takes 'Entity ID' and 'Entity Type' as input parameters rather than + iterating over the 'target_entities' list. Therefore, it does not directly operate + on SOAR entities. Download PCAP: action_product_categories: add_alert_comment: false @@ -708,6 +783,10 @@ Download PCAP: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves a specific file (PCAP) from the Vectra RUX platform. This + directly matches the 'Download File' category. It does not perform enrichment, + alert updates, or containment operations. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -723,65 +802,59 @@ Download PCAP: update_identity: false update_ticket: false ai_description: >- - ### General Description - - The **Download PCAP** action retrieves a Packet Capture (PCAP) file associated - with a specific detection ID from the Vectra RUX platform. This action is designed - to facilitate forensic investigations by providing analysts with the raw network - traffic data that triggered a specific security detection. + Downloads a PCAP file associated with a specific detection ID from the Vectra + RUX platform. This action retrieves the forensic PCAP file and attaches it to + the action result for further analysis. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Detection ID | String | Yes | The unique identifier of the Vectra detection - for which the PCAP file should be downloaded. The value must be a valid integer. - | + | Detection ID | string | Yes | The unique identifier of the detection for which + the PCAP file should be downloaded. | ### Flow Description - 1. **Initialization:** The action initializes the Vectra RUX manager using the - provided API credentials and root URL. + 1. **Initialization**: Extracts API configuration (API Root, Client ID, Client + Secret) and the `Detection ID` parameter. - 2. **Validation:** The provided `Detection ID` is validated to ensure it is a - valid integer. + 2. **Manager Setup**: Initializes the `VectraRUXManager` to handle API communication. - 3. **Data Retrieval:** The action makes a GET request to the Vectra RUX API to - download the PCAP file content associated with the detection. + 3. **Validation**: Validates that the provided `Detection ID` is a valid integer. - 4. **File Handling:** The action extracts the filename from the API response headers - and saves the file content. + 4. **Data Retrieval**: Requests the PCAP file content from the Vectra RUX API + using the provided detection ID. - 5. **Attachment:** The downloaded PCAP file is encoded and added as an attachment - to the action result in Google SecOps, making it available for download by the - analyst. + 5. **File Handling**: Saves the retrieved PCAP file locally and attaches the file + content to the SOAR action result. - - ### Additional Notes - - - This action does not process entities from the case; it relies solely on the - `Detection ID` parameter. - - - If the PCAP file is not available for the specified detection, the action will - return a failure status. + 6. **Completion**: Returns the execution status and a summary message indicating + success or failure. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: >- - Adds the downloaded PCAP file as an attachment to the action result within the - Google SecOps platform. + internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve a PCAP file from the Vectra RUX + API. It does not modify any external system state (no POST/PUT/DELETE on external + resources). It does not modify internal SOAR case data, entities, or insights; + it only attaches a file to the action result, which is a standard output mechanism. categories: enrichment: false + reasoning: >- + The action is a specific file retrieval task ('Download PCAP') rather than a + general enrichment action designed to gather context about entities or alerts. + Therefore, it does not meet the criteria for an Enrichment Action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -797,6 +870,10 @@ Download PCAP: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities`. It operates based + on a provided `Detection ID` parameter, meaning it does not run on specific + entity types. List Assignments: action_product_categories: add_alert_comment: false @@ -812,6 +889,10 @@ List Assignments: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves a list of assignments from an external system. It does + not match any of the specific categories like 'Enrich IOC', 'Enrich Asset', + 'Update Alert', or 'Search Events' as it is specific to assignment management. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -826,38 +907,55 @@ List Assignments: update_email: false update_identity: false update_ticket: false - ai_description: "### General Description\nThis action retrieves a list of assignments\ - \ from the Vectra RUX platform based on various filtering criteria. It allows\ - \ analysts to search for assignments associated with specific accounts, hosts,\ - \ assignees, or resolution outcomes. The results are presented as a data table\ - \ for quick review and as a raw JSON object for further automated processing.\n\ - \n### Parameters Description\n| Parameter Name | Type | Mandatory | Description\ - \ |\n| :--- | :--- | :--- | :--- |\n| Accounts IDs | String | No | A comma-separated\ - \ list of account IDs to filter the assignments. |\n| Assignees IDs | String |\ - \ No | A comma-separated list of user IDs (assignees) to filter the assignments.\ - \ |\n| Resolution IDs | String | No | A comma-separated list of outcome/resolution\ - \ IDs to filter the assignments. |\n| Resolved | DDL | No | Filter assignments\ - \ by their resolution status. Options: `None` (no filter), `True` (only resolved),\ - \ `False` (only unresolved). |\n| Created After | String | No | Filter assignments\ - \ created after a specific timestamp. Supports relative formats (e.g., '2 days')\ - \ or absolute ISO 8601 formats. |\n| Limit | String | No | The maximum number\ - \ of assignment records to retrieve. |\n| Hosts IDs | String | No | A comma-separated\ - \ list of host IDs to filter the assignments. |\n\n### Additional Notes\n- If\ - \ no filters are provided, the action will attempt to list assignments based on\ - \ the default limit.\n- The `Limit` parameter is validated to ensure it is a positive\ - \ integer.\n- The action uses pagination to handle large sets of results from\ - \ the Vectra API.\n\n### Flow Description\n1. **Parameter Extraction**: The action\ - \ extracts configuration details (API Root, Credentials) and user-provided filter\ - \ parameters.\n2. **Input Validation**: Comma-separated ID strings are processed\ - \ into lists, and the `Limit` parameter is validated as an integer.\n3. **API\ - \ Request Construction**: A query parameter mapping is built based on the provided\ - \ filters (e.g., `resolved`, `created_after`, `accounts`, `hosts`).\n4. **Data\ - \ Retrieval**: The `VectraRUXManager` executes a paginated GET request to the\ - \ `/assignments` endpoint.\n5. **Result Processing**: The retrieved assignments\ - \ are parsed into internal data models.\n6. **Output Generation**: \n - A data\ - \ table titled \"Assignment Details\" is created containing key fields like Assignment\ - \ ID, Assigned User, and Outcome.\n - The full raw JSON response is attached\ - \ to the action results." + ai_description: >- + ### General Description + + This action retrieves a list of assignments from the VectraRUX platform based + on specified filter criteria. It allows analysts to query assignments by account, + host, assignee, resolution status, and creation time, providing visibility into + current investigation assignments. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Accounts IDs | string | No | Comma-separated account IDs to filter assignments. + | + + | Assignees IDs | string | No | Comma-separated user IDs to filter assignments. + | + + | Resolution IDs | string | No | Comma-separated resolution IDs to filter assignments. + | + + | Resolved | ddl | No | Filter assignments by resolved status (None, True, False). + | + + | Created After | string | No | Filter assignments created after a specific timestamp + (e.g., '2 days', 'yyyy-mm-dd'). | + + | Limit | string | No | The maximum number of records to return. | + + | Hosts IDs | string | No | Comma-separated host IDs to filter assignments. | + + + ### Flow Description + + 1. Initialize the VectraRUX manager using the configured API credentials. + + 2. Parse and validate the provided action parameters (filters). + + 3. Construct the query parameters mapping based on the provided inputs. + + 4. Execute a GET request to the VectraRUX API to fetch the assignment list. + + 5. Format the retrieved assignment data into a data table for the case wall and + a JSON result for further processing. + + 6. Return the final output message indicating the number of assignments retrieved. capabilities: can_create_case_comments: false can_create_insight: false @@ -868,8 +966,16 @@ List Assignments: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve assignment data from the VectraRUX + API. It does not modify any external or internal data, nor does it update entities, + create insights, or modify alert data. categories: enrichment: false + reasoning: >- + The action fetches data from an external system but does not perform enrichment + on specific entities or alerts within the SOAR platform. It is a standalone + search/list action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -885,6 +991,9 @@ List Assignments: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or interact with `siemplify.target_entities`. + It relies solely on user-provided input parameters to query the API. List Detections: action_product_categories: add_alert_comment: false @@ -900,6 +1009,10 @@ List Detections: enrich_ioc: false execute_command_on_the_host: false get_alert_information: true + reasoning: >- + The action retrieves a collection of detections based on search parameters, + which aligns with 'Search Events' and 'Get Alert Information'. It does not perform + enrichment on a specific IOC or asset, nor does it perform any mutation actions. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -915,95 +1028,85 @@ List Detections: update_identity: false update_ticket: false ai_description: >- - Lists detections from the Vectra AI platform based on a wide variety of filtering - criteria. This action allows analysts to query for specific security events (detections) - associated with hosts or accounts, or to perform broader searches across the environment. - It retrieves detailed metadata for each detection, including threat and certainty - scores, timestamps, and detection types. - - ### General Description - This action interacts with the Vectra RUX API to retrieve a list of detections. - It supports extensive filtering, including by entity ID, detection category, threat/certainty - thresholds, and time ranges. The results are presented as a summary data table - in the SOAR interface and as a full JSON object for downstream playbook logic. - + This action retrieves a list of detections from the Vectra RUX platform based + on various filtering criteria. It allows analysts to query detections by category, + threat score, certainty, timestamp, tags, entity type, and entity ID. The action + processes the retrieved detection data, cleans up URLs, and presents the results + in a structured data table and raw JSON format for further analysis. - ### Parameters Description - | Parameter | Type | Mandatory | Description | + ### Flow Description - | :--- | :--- | :--- | :--- | + 1. **Parameter Extraction**: The action extracts configuration parameters (API + Root, Client ID, Client Secret) and action parameters (filters like Detection + Category, Threat GTE, Entity ID, etc.). - | Detection Category | DDL | No | Filters detections by category (e.g., Exfiltration, - Lateral Movement, Reconnaissance). | + 2. **Initialization**: It initializes the `VectraRUXManager` to handle API communication. - | Threat GTE | String | No | Filters detections with a threat score greater than - or equal to the provided value. | + 3. **Data Retrieval**: It calls the Vectra RUX API to fetch detections matching + the provided filters. - | Certainty GTE | String | No | Filters detections with a certainty score greater - than or equal to the provided value. | + 4. **Data Processing**: The action processes the retrieved detections, including + removing API version strings from URLs and extracting relevant fields. - | Last Timestamp GTE | String | No | Filters detections with a last seen timestamp - greater than or equal to the provided value. | + 5. **Output Generation**: It adds the processed detections to the action output + as a data table and a raw JSON result. - | Last Timestamp LTE | String | No | Filters detections with a last seen timestamp - less than or equal to the provided value. | - | Tags | String | No | Comma-separated list of tags to filter detections. | + ### Parameters Description - | Entity Type | DDL | No | The type of entity to filter by (Host or Account). - | + | Parameter | Type | Mandatory | Description | - | Entity ID | String | No | The specific ID of the entity to retrieve detections - for. | + | :--- | :--- | :--- | :--- | - | Is Targeting Key Asset | DDL | No | Filters detections based on whether they - target a key asset (True/False). | + | Detection Category | ddl | No | Filter detections by Detection Category (e.g., + Info, Exfiltration, Lateral Movement). | - | Note Modified Timestamp GTE | String | No | Filters detections where notes were - modified after the specified timestamp. | + | Threat GTE | string | No | Filter detections whose threat score is greater than + or equal to the given value. | - | Limit | String | No | The maximum number of detection records to retrieve. | + | Certainty GTE | string | No | Filter detections whose certainty score is greater + than or equal to the given value. | - | Order | DDL | No | Specifies the sort order (Ascending or Descending). | + | Last Timestamp GTE | string | No | Filter detections based on the start of the + timestamp range. | - | Order By | DDL | No | Specifies the field to sort by (last_timestamp, threat_score, - certainty_score). | + | Last Timestamp LTE | string | No | Filter detections based on the end of the + timestamp range. | - | State | DDL | No | Filters detections by their current state (Active, Inactive, - Fixed). | + | Tags | string | No | Filter detections by comma-separated tags. | - | Detection Type | String | No | Filters by a specific detection type string. + | Entity Type | ddl | No | Filter detections by Entity Type (Host or Account). | + | Entity ID | string | No | Filter detections by the specific ID of the entity. + | - ### Additional Notes + | Is Targeting Key Asset | ddl | No | Filter detections based on whether they + target a key asset. | - - The action automatically handles API versioning by stripping version strings - from returned URLs to ensure compatibility with the platform's UI. + | Note Modified Timestamp GTE | string | No | Filter detections based on the note + modified timestamp. | - - If no detections match the provided filters, the action will complete successfully - with an informative message. + | Limit | string | No | The maximum number of records to fetch. | + | Order | ddl | No | Order records by Ascending or Descending. | - ### Flow Description + | Order By | ddl | No | Field to order records by (last_timestamp, threat_score, + certainty_score). | - 1. **Authentication:** Connects to the Vectra API using the configured Client - ID and Client Secret to obtain an access token. + | State | ddl | No | Filter detections by State (Active, Inactive, Fixed). | - 2. **Parameter Validation:** Validates numeric inputs like 'Limit', 'Threat GTE', - and 'Certainty GTE' to ensure they are valid integers. + | Detection Type | string | No | Filter detections by detection type. | - 3. **API Query:** Constructs a GET request to the `/detections` endpoint, applying - all provided filter parameters. - 4. **Data Processing:** Iterates through the retrieved detections, cleaning up - URL fields and extracting key fields for the summary table. + ### Additional Notes - 5. **Output Generation:** Adds a formatted data table to the case wall and attaches - the full raw JSON response to the action results. + - This action does not require any specific entity to be selected in the SOAR + platform, as it uses the provided `Entity ID` and `Entity Type` parameters to + perform the search. capabilities: can_create_case_comments: false can_create_insight: false @@ -1014,8 +1117,17 @@ List Detections: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Vectra RUX API to retrieve detection + data based on provided filters. It does not modify any external or internal + system state. It adds a data table and raw JSON to the action results, which + is standard for reporting and enrichment actions. categories: enrichment: true + reasoning: >- + The action fetches data from an external source (Vectra RUX) and does not mutate + any external or internal systems. It fits the criteria for an enrichment action + as it provides supplemental context (detections) for investigation. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1031,6 +1143,10 @@ List Detections: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities`. It accepts `Entity + ID` and `Entity Type` as input parameters to perform the search, meaning it + does not run on specific SOAR entities. List Entities: action_product_categories: add_alert_comment: false @@ -1046,6 +1162,11 @@ List Entities: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves a list of assets (hosts or accounts) from the Vectra RUX + platform based on search criteria. This matches the 'Search Asset' category. + It does not enrich specific IOCs or assets, nor does it perform any containment + or ticket management actions. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1060,90 +1181,54 @@ List Entities: update_email: false update_identity: false update_ticket: false - ai_description: >- - ### General Description - - Retrieves a list of entities (Hosts or Accounts) from the Vectra RUX platform - based on user-defined query parameters. This action is useful for broad searches - or audits of assets within the Vectra environment, allowing analysts to filter - by state, tags, urgency scores, and timeframes. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Entity Type | DDL | Yes | Specifies whether to fetch 'Host' or 'Account' entities. - | - - | Order By | DDL | No | Field used to sort the results (e.g., urgency_score, last_detection_timestamp). - | - - | Fields | Multi-choice | No | Specific fields to include in the output. | - - | Name | String | No | Filter results by the entity's name. | - - | State | DDL | No | Filter by the entity's state (Active or Inactive). | - - | Last Detection Timestamp GTE | String | No | Filter for entities with a last - detection timestamp greater than or equal to this value. | - - | Last Detection Timestamp LTE | String | No | Filter for entities with a last - detection timestamp less than or equal to this value. | - - | Tags | String | No | Filter by comma-separated tags. | - - | Note Modified Timestamp GTE | String | No | Filter for entities where notes - were modified after this timestamp. | - - | Prioritized | DDL | No | Filter based on whether the entity is prioritized (True/False). - | - - | Limit | String | No | The maximum number of entities to retrieve. | - - | Order | DDL | No | Sort order (Ascending or Descending). | - - - ### Flow Description - - 1. **Parameter Extraction**: The action retrieves configuration settings and user-provided - filter parameters. - - 2. **Validation**: Validates the 'Limit' parameter to ensure it is a valid integer. - - 3. **API Request**: Calls the Vectra RUX API's list entities endpoint with the - specified filters and pagination logic. - - 4. **Data Processing**: Iterates through the returned entities, cleans up internal - API URLs, and extracts a subset of mandatory fields (ID, Name, Severity, etc.) - for display. - - 5. **Output Generation**: Adds a formatted data table 'List Of Entities' to the - action results and provides the full raw JSON response for further processing. - - - ### Additional Notes - - - The 'Entity Type' parameter is mandatory and determines the scope of the search. - - - If no entities match the criteria, the action completes with a message indicating - no results were found. + ai_description: "Retrieves a list of entities (hosts or accounts) from the Vectra\ + \ RUX platform based on specified filtering criteria. \n\n### Flow Description\n\ + 1. Extracts configuration parameters (API Root, Client ID, Client Secret).\n2.\ + \ Extracts action parameters (Entity Type, Limit, Order By, Fields, Name, State,\ + \ etc.).\n3. Initializes the `VectraRUXManager` and calls the `list_entities`\ + \ method with the provided filters.\n4. Processes the retrieved entities, removing\ + \ API version strings from URLs.\n5. Constructs a CSV table of the entities and\ + \ adds it to the action results.\n6. Adds the full JSON response of the entities\ + \ to the action results.\n\n### Parameters Description\n| Parameter | Type | Mandatory\ + \ | Description |\n| :--- | :--- | :--- | :--- |\n| Entity Type | ddl | Yes |\ + \ The type of entity to retrieve (e.g., \"account\", \"host\"). |\n| Order By\ + \ | ddl | No | Sorts records by fields like `urgency_score`, `last_detection_timestamp`,\ + \ `name`, or `last_modified_timestamp`. Use \"-\" for descending order. |\n| Fields\ + \ | multi_choice_parameter | No | Filter the fields to show in the output. |\n\ + | Name | string | No | Filter based on entity Name. |\n| State | ddl | No | Filter\ + \ based on State (Active, Inactive). |\n| Last Detection Timestamp GTE | string\ + \ | No | Filter based on Last Detection Timestamp GTE. |\n| Last Detection Timestamp\ + \ LTE | string | No | Filter based on Last Detection Timestamp LTE. |\n| Tags\ + \ | string | No | Filter based on Tags (comma-separated values). |\n| Note Modified\ + \ Timestamp GTE | string | No | Filter based on Note Modified Timestamp GTE. |\n\ + | Prioritized | ddl | No | Filter based on if the entity is prioritized or not.\ + \ |\n| Limit | string | No | Fetch this number of Entities. |\n| Order | ddl |\ + \ No | Filter based on ascending or descending order. |\n\n### Additional Notes\n\ + - The action does not modify any external or internal system state; it is a read-only\ + \ operation that reports data." capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: >- - Adds a data table 'List Of Entities' to the action results containing the retrieved - entity details. + internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Vectra RUX API to retrieve a list of + entities based on user-provided filters. It does not modify any external system + state, nor does it update internal SOAR entities, insights, or case comments. + It simply reports the retrieved data in the action results. categories: enrichment: false + reasoning: >- + The action retrieves a list of entities from an external system. It does not + perform enrichment on existing entities (i.e., it does not update entity attributes + or add insights to them), nor does it meet the criteria for an enrichment action + as it does not proactively fetch context for existing entities in the case. + Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1159,6 +1244,11 @@ List Entities: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities` or perform operations + on specific entities already present in the case. It takes input parameters + to query the Vectra RUX API for a list of entities. Therefore, it does not run + on entities. List Entity Detections: action_product_categories: add_alert_comment: false @@ -1170,16 +1260,20 @@ List Entity Detections: disable_identity: false download_file: false enable_identity: false - enrich_asset: false + enrich_asset: true enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves detections associated with a specific entity (Host or Account). + This provides contextual metadata about the entity's security posture, aligning + with the 'Enrich Asset' category. It does not perform any other listed actions. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false search_asset: false search_email: false - search_events: true + search_events: false send_email: false send_message: false submit_file: false @@ -1191,10 +1285,11 @@ List Entity Detections: ai_description: >- ### General Description - Retrieves a list of detections associated with a specific entity (Host or Account) - from the Vectra RUX platform. This action is useful for security analysts to quickly - identify all security events or 'detections' linked to a particular asset or user - account, providing context for investigation and incident response. + This action retrieves a list of detections associated with a specific entity (Host + or Account) from the Vectra RUX platform. It allows analysts to filter detections + by their state (Active, Inactive, or Fixed) and limit the number of results returned. + The action provides visibility into the security events linked to a particular + asset, aiding in investigation and threat hunting. ### Parameters Description @@ -1203,44 +1298,33 @@ List Entity Detections: | :--- | :--- | :--- | :--- | - | Entity ID | string | Yes | The unique numerical identifier of the entity (Host - or Account) in Vectra RUX. | - - | Entity Type | ddl | Yes | Specifies whether the provided ID belongs to an 'Account' - or a 'Host'. | - - | Limit | string | No | The maximum number of detections to retrieve. If not provided, - the system uses a default limit. | - - | State | ddl | Yes | Filters detections by their current state. Options include - 'Active', 'Inactive', or 'Fixed'. | - + | Entity ID | string | Yes | The unique identifier of the entity (Host or Account) + in Vectra RUX. | - ### Additional Notes + | Entity Type | ddl | Yes | The type of the entity. Options: 'Account' or 'Host'. + | - - The action first fetches the entity details to extract the list of associated - detection IDs before querying the detection details. + | Limit | string | No | The maximum number of detections to return. | - - Results are presented both as a raw JSON object and a formatted data table for - easy viewing in the SOAR interface. + | State | ddl | Yes | The state of detections to filter by. Options: 'Active', + 'Inactive', or 'Fixed'. | ### Flow Description - 1. **Parameter Extraction**: The action retrieves the Entity ID, Entity Type, - Limit, and State from the user input. + 1. **Initialization**: Extracts configuration parameters (API Root, Client ID, + Client Secret) and action parameters (Entity ID, Entity Type, Limit, State). - 2. **Validation**: It validates that the Entity ID and Limit are valid integers. + 2. **Validation**: Validates the provided Entity ID and Limit parameters. - 3. **Entity Lookup**: It calls the Vectra RUX API to describe the entity and retrieve - its associated `detection_ids`. + 3. **Entity Retrieval**: Calls the Vectra RUX API to describe the specified entity + and retrieve its associated detection IDs. - 4. **Detection Retrieval**: If detections exist, it queries the detections endpoint - using the retrieved IDs and applies the state filter and limit. + 4. **Detection Fetching**: If detections exist, it queries the Vectra RUX API + to list the detections based on the provided state and limit. - 5. **Output Generation**: The retrieved detection data is processed into a JSON - result and a data table containing key fields like ID, URL, Type, Category, and - Last Timestamp. + 5. **Output**: Returns the retrieved detections as a JSON object and displays + them in a data table within the action results. capabilities: can_create_case_comments: false can_create_insight: false @@ -1251,8 +1335,16 @@ List Entity Detections: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs GET requests to retrieve entity and detection information + from the Vectra RUX API. It does not modify any external or internal system + state. It outputs data to the action result using standard SDK methods. categories: enrichment: true + reasoning: >- + The action fetches contextual data (detections) for an entity. It does not mutate + external systems or modify internal SOAR data (like updating entities or adding + insights). It meets the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1268,6 +1360,10 @@ List Entity Detections: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities`. It takes `Entity + ID` and `Entity Type` as input parameters. Therefore, it does not run on entities + in the context of the SOAR entity model. List Groups: action_product_categories: add_alert_comment: false @@ -1283,6 +1379,10 @@ List Groups: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a listing utility that retrieves group information from the Vectra + RUX platform. It does not match any of the specific operational categories like + enrichment, containment, or ticket management. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1298,77 +1398,59 @@ List Groups: update_identity: false update_ticket: false ai_description: >- - Retrieves a list of groups from Vectra RUX based on specified filtering criteria. - This action allows analysts to search for groups by name, type (account, IP, domain, - host), importance level, and associated identifiers like hostnames or account - names. It is useful for identifying group memberships and organizational structures - within the Vectra platform. + Lists groups from the Vectra RUX platform based on provided filter criteria. This + action allows users to query groups by various attributes such as name, type, + importance, and associated network identifiers (IPs, hostnames, etc.). - ### Flow Description: - - 1. **Parameter Initialization**: The action extracts configuration details (API - Root, Client ID, Client Secret) and user-provided search filters. + ### Flow Description - 2. **Input Processing**: Comma-separated strings for parameters like 'Host Names', - 'Account Names', 'Domains', and 'IPs' are parsed into lists for the API query. + 1. **Parameter Extraction**: The action retrieves configuration parameters (API + credentials) and action-specific filters (e.g., Name, Type, IPs, Limit) from the + integration settings. - 3. **Validation**: The 'Limit' parameter is validated to ensure it is a positive - integer. + 2. **Initialization**: The `VectraRUXManager` is initialized with the provided + API credentials to establish a connection. - 4. **API Query**: The action calls the Vectra RUX API's group listing endpoint, - applying the provided filters and handling pagination to retrieve the requested - number of records. + 3. **Data Retrieval**: The action queries the Vectra RUX API to fetch groups matching + the specified filters. - 5. **Output Generation**: If groups are found, they are presented in a structured - data table and a full JSON result is attached to the action output. + 4. **Result Formatting**: If groups are found, the action formats the retrieved + data into a table and a JSON result, which are then added to the action output. - ### Parameters Description: + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Last Modified Timestamp GTE | String | No | Filters groups modified on or after - this timestamp. | - - | Last Modified By | String | No | Filters groups modified by a specific username. - | - - | Name | String | No | Filters groups by their name. | - - | Type | DDL | No | Filters groups by type: 'account', 'ip', 'domain', or 'host'. - | - - | Limit | String | No | The maximum number of group records to retrieve. | + | Last Modified Timestamp GTE | string | No | Last modified timestamp (greater + or equal) of the group. | - | Account Names | String | No | Comma-separated list of account names to filter - by. | + | Last Modified By | string | No | Username who has modified the group. | - | Domains | String | No | Comma-separated list of domains to filter by. | + | Name | string | No | Name of the group. | - | Host Ids | String | No | Comma-separated list of host IDs to filter by. | + | Type | ddl | No | Type of group (account, ip, domain, host). | - | Host Names | String | No | Comma-separated list of host names to filter by. - | + | Limit | string | No | Specify the limit for fetching records. | - | Importance | DDL | No | Filters groups by importance level (e.g., low, medium, - high). | + | Account Names | string | No | Comma-separated values of account names. | - | IPs | String | No | Comma-separated list of IP addresses to filter by. | + | Domains | string | No | Comma-separated values of domains. | - | Description | String | No | Filters groups by description (case-insensitive - match). | + | Host Ids | string | No | Comma-separated values of host IDs. | + | Host Names | string | No | Comma-separated values of host names. | - ### Additional Notes: + | Importance | ddl | No | Importance of the group (low, medium, high, never_prioritize). + | - - This action does not run on entities automatically; it relies entirely on the - provided input parameters. + | IPs | string | No | Comma-separated values of IPs. | - - If no parameters are provided, the action will attempt to list all groups up - to the default limit. + | Description | string | No | Description of the group (case-insensitive match). + | capabilities: can_create_case_comments: false can_create_insight: false @@ -1379,8 +1461,17 @@ List Groups: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Vectra RUX API to retrieve a list of + groups based on user-provided filters. It does not modify any external systems, + nor does it modify internal case data or entities. It simply reports the retrieved + data in the action results. categories: enrichment: false + reasoning: >- + The action is a utility for listing groups from an external system. It does + not proactively fetch context for specific entities or alerts to enrich them, + nor does it meet the criteria for an enrichment action as defined. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1396,6 +1487,9 @@ List Groups: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on `siemplify.target_entities`. It uses input parameters + to filter the list of groups retrieved from the API. List Outcomes: action_product_categories: add_alert_comment: false @@ -1411,6 +1505,10 @@ List Outcomes: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves a list of assignment outcomes from the Vectra RUX system. + It does not match any of the specific categories like 'Enrich IOC', 'Enrich + Asset', or 'Update Alert'. It is a general data retrieval action. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1425,45 +1523,56 @@ List Outcomes: update_email: false update_identity: false update_ticket: false - ai_description: "### General Description\nRetrieves a list of all available assignment\ - \ outcomes from the Vectra RUX platform. This action provides visibility into\ - \ the possible resolution states (e.g., 'True Positive', 'False Positive') and\ - \ categories that can be applied when resolving assignments or detections. The\ - \ results are presented both as a structured JSON object and a formatted data\ - \ table for easy review by analysts.\n\n### Parameters Description\n| Parameter\ - \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Limit |\ - \ String | No | Specifies the maximum number of outcome records to fetch from\ - \ the API. If left empty, the action will attempt to retrieve all available outcomes\ - \ up to the system's default limit. |\n\n### Flow Description\n1. **Parameter\ - \ Initialization**: The action extracts the API configuration (Root, Client ID,\ - \ Client Secret) and the optional 'Limit' parameter.\n2. **Validation**: The 'Limit'\ - \ parameter is validated to ensure it is a valid non-negative integer.\n3. **API\ - \ Interaction**: The action connects to the Vectra RUX API and requests the list\ - \ of assignment outcomes from the `/assignment_outcomes` endpoint, applying pagination\ - \ if necessary based on the provided limit.\n4. **Data Processing**: The retrieved\ - \ outcomes are parsed into a standardized model containing the Outcome ID, Title,\ - \ Category, and whether it is a built-in or user-selectable outcome.\n5. **Output\ - \ Generation**: \n * A data table titled \"Outcome Details\" is created and\ - \ added to the case.\n * The full raw response is attached as a JSON result.\n\ - \ * A success message indicates the number of outcomes retrieved.\n\n###\ - \ Additional Notes\n- If no outcomes are found, the action will complete successfully\ - \ with a \"No outcomes found\" message.\n- This action is primarily used for administrative\ - \ or investigative context to understand how alerts can be classified during the\ - \ resolution phase." + ai_description: >- + Lists assignment outcomes from the Vectra RUX system. This action retrieves a + list of configured outcomes, allowing analysts to view available options for assignment + resolution within the Vectra RUX platform. + + + ### Parameters + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Limit | string | No | Specifies the maximum number of records to fetch. | + + + ### Flow Description + + 1. Initialize the VectraRUX manager using the provided API credentials (API Root, + Client ID, Client Secret). + + 2. Validate the 'Limit' parameter to ensure it is a valid non-negative integer. + + 3. Call the Vectra RUX API to retrieve the list of assignment outcomes. + + 4. If outcomes are found, construct a data table with the outcome details and + add it to the action results. + + 5. Add the raw list of outcomes as a JSON result to the action output. + + 6. Complete the action execution with a success status. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: >- - Adds a data table named 'Outcome Details' to the action results within Google - SecOps. + internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve a list of assignment outcomes + from the Vectra RUX API. It does not modify any external or internal data, nor + does it update entities, create insights, or modify alert data. categories: enrichment: false + reasoning: >- + The action fetches data (list of outcomes) but does not enrich entities or alerts, + nor does it meet the criteria for an enrichment action (which requires updating + entities, insights, or adding comments). entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1479,6 +1588,9 @@ List Outcomes: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with the `target_entities` list or perform operations + on specific entities. List Users: action_product_categories: add_alert_comment: false @@ -1494,6 +1606,10 @@ List Users: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves a list of users from the VectraRUX platform. It does not + match any of the provided categories (e.g., it is not an enrichment of an IOC/Asset, + nor does it perform any containment or ticket management). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1509,27 +1625,54 @@ List Users: update_identity: false update_ticket: false ai_description: >- - Lists users from the Vectra RUX platform based on query parameters. This action - enables security analysts to search for and retrieve user account information, - including roles, email addresses, and login history. It is primarily used for - identity verification and investigative research within the Vectra environment. - ### Flow Description: 1. **Parameter Extraction:** Retrieves API credentials and - filter criteria (Role, Email, Last Login GTE, Limit) from the action configuration. - 2. **Validation:** Validates the 'Limit' parameter to ensure it is a valid integer. - 3. **API Interaction:** Connects to the Vectra RUX API and requests the user list - using the specified filters. 4. **Pagination:** Handles paginated responses from - the API to collect all relevant user records up to the defined limit. 5. **Data - Processing:** Parses the raw API response into structured User objects. 6. **Output - Generation:** Populates a data table ('List Of Users') in the SOAR case and provides - the full JSON response for downstream tasks. ### Parameters Description: | Parameter - | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | | Role | String - | No | Filters the user list by a specific role (e.g., 'admin', 'readonly'). | - | Email | String | No | Filters the user list by a specific email address. | | - Last Login GTE | String | No | Filters for users whose last login timestamp is - greater than or equal to the provided value. | | Limit | String | No | Specifies - the maximum number of user records to retrieve. | ### Additional Notes: - If no - users match the criteria, the action completes successfully with an informative - message. - The 'Limit' parameter defaults to a system-defined maximum if not provided. + ### General Description + + This action retrieves a list of users from the VectraRUX platform based on optional + filtering criteria. It allows analysts to query users by role, email, or last + login timestamp, providing a structured view of user data within the VectraRUX + environment. + + + ### Flow Description + + 1. **Initialization**: The action extracts configuration parameters (API Root, + Client ID, Client Secret) and action parameters (Role, Email, Last Login GTE, + Limit). + + 2. **Validation**: The 'Limit' parameter is validated to ensure it is a non-negative + integer. + + 3. **API Interaction**: The `VectraRUXManager` is initialized to authenticate + and communicate with the VectraRUX API. + + 4. **Data Retrieval**: The action calls the `get_user_list` method to fetch user + records from the VectraRUX API based on the provided filters. + + 5. **Output**: If users are found, the action constructs a CSV data table and + a JSON result containing the user details. If no users are found, an appropriate + message is returned. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Role | string | No | Filter users by their assigned role. | + + | Email | string | No | Filter users by their email address. | + + | Last Login GTE | string | No | Filter users whose login timestamp is greater + than or equal to the provided value. | + + | Limit | string | No | Specify the maximum number of records to fetch. | + + + ### Additional Notes + + This action does not require any specific entity context to run, as it is a standalone + utility for listing users from the VectraRUX platform. capabilities: can_create_case_comments: false can_create_insight: false @@ -1540,8 +1683,17 @@ List Users: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve user data from the VectraRUX API. + It does not modify any external or internal systems. It outputs the results + as a data table and JSON, which are standard reporting outputs, not internal + mutations. categories: enrichment: false + reasoning: >- + The action fetches data from an external source but does not gather supplemental + context about specific alerts or entities. It is a standalone list action, not + an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1557,6 +1709,9 @@ List Users: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on entities. It is a standalone utility action to + list users. Mark Detection Fixed: action_product_categories: add_alert_comment: false @@ -1572,6 +1727,10 @@ Mark Detection Fixed: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action performs a PATCH request to an external system (Vectra RUX) to update + the status of detections. It does not match any of the provided categories (Enrichment, + Ticket, Blocklist, Containment, etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1587,45 +1746,46 @@ Mark Detection Fixed: update_identity: false update_ticket: false ai_description: >- - Marks specific detections as fixed in the Vectra platform. This action allows - analysts to programmatically update the status of one or more detections by providing - their unique identifiers. It is useful for closing out handled threats directly - from the SOAR workflow. + ### General Description + Marks specific detections as fixed in the Vectra RUX platform. This action updates + the status of one or more detections to 'fixed' by sending a PATCH request to + the Vectra RUX API. - ### Flow Description - 1. **Parameter Extraction**: Retrieves the API configuration (Root, Client ID, - Secret) and the list of Detection IDs from the action input. + ### Parameters Description - 2. **Validation**: Parses the comma-separated string of Detection IDs and validates - that each ID is a valid integer. + | Parameter | Type | Mandatory | Description | - 3. **API Interaction**: Connects to the Vectra API and sends a PATCH request to - the detections endpoint, setting the `mark_as_fixed` flag to `True` for all provided - IDs. + | :--- | :--- | :--- | :--- | - 4. **Result Handling**: Captures the API response and reports the success or failure - of the operation. + | Detection IDs | string | Yes | A comma-separated list of detection IDs to be + marked as fixed. | - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. Extracts the API root and authentication credentials (Client ID, Client Secret) + from the integration configuration. - | :--- | :--- | :--- | :--- | + 2. Extracts the 'Detection IDs' parameter from the action input. + + 3. Initializes the `VectraRUXManager` to handle API communication. + + 4. Parses the comma-separated string of Detection IDs into a list of integers. - | Detection IDs | String | Yes | A comma-separated list of numeric IDs for the - detections that should be marked as fixed. | + 5. Sends a `PATCH` request to the Vectra RUX API endpoint (`/api/v3.4/detections`) + with the list of detection IDs and the `mark_as_fixed` flag set to `True`. + + 6. Adds the API response to the action results using `siemplify.result.add_result_json`. ### Additional Notes - - This action does not run on entities; it requires explicit IDs provided via - the 'Detection IDs' parameter. + - The action requires valid API credentials to authenticate with the Vectra RUX + platform. - - The action uses a PATCH request to modify the state of detections in the external - Vectra system. + - If an invalid detection ID is provided, the action will fail and log an error. capabilities: can_create_case_comments: false can_create_insight: false @@ -1634,12 +1794,20 @@ Mark Detection Fixed: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the 'mark_as_fixed' status of detections to 'True' in the Vectra platform + Updates the status of specified detections to 'fixed' in the Vectra RUX platform via a PATCH request. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a PATCH request to an external system (Vectra RUX) to update + the status of detections (can_mutate_external_data=true). It does not fetch + contextual data (fetches_data=false), nor does it modify internal SOAR case + data (can_mutate_internal_data=false). categories: enrichment: false + reasoning: >- + The action is a mutation action (PATCH request) and does not fetch data for + enrichment purposes, therefore it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1655,6 +1823,10 @@ Mark Detection Fixed: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities` and does not use + entity-specific identifiers to perform its task. It takes `Detection IDs` as + a parameter. Mark Entity Fixed: action_product_categories: add_alert_comment: false @@ -1670,6 +1842,10 @@ Mark Entity Fixed: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action marks detections as fixed in an external system. This does not align + with the provided categories, which are focused on IOCs, tickets, identities, + or host containment. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1685,48 +1861,39 @@ Mark Entity Fixed: update_identity: false update_ticket: false ai_description: >- - Marks all detections associated with a specific entity as 'fixed' in the Vectra - platform. This action identifies all active detections for a given Host or Account - and updates their status to prevent further alerting on those specific instances. - - - ### Flow Description: - - 1. **Parameter Extraction:** Retrieves the 'Entity ID' and 'Entity Type' (Host - or Account) from the action parameters. + ### General Description - 2. **Entity Validation:** Validates that the provided Entity ID is a valid integer. + Marks all detections associated with a specific entity (Host or Account) as fixed + in the VectraRUX system. This action is used to update the status of security + detections in the external Vectra platform based on the provided entity identifier. - 3. **Detection Retrieval:** Calls the Vectra API to describe the entity and retrieve - the list of all associated detection IDs. - 4. **Status Update:** If detections are found, it sends a PATCH request to the - Vectra platform to mark all retrieved detection IDs as fixed. + ### Parameters Description - 5. **Result Reporting:** Returns the API response as a JSON result and provides - a summary message of the operation. + | Parameter | Type | Mandatory | Description | + | --- | --- | --- | --- | - ### Parameters Description: + | Entity ID | string | Yes | The unique identifier of the entity to mark as fixed. + | - | Parameter Name | Type | Mandatory | Description | + | Entity Type | ddl | Yes | The type of the entity. Options: Account, Host. | - | :--- | :--- | :--- | :--- | - | Entity ID | string | Yes | The unique numerical identifier of the entity in - Vectra whose detections should be marked as fixed. | + ### Flow Description - | Entity Type | ddl | Yes | The category of the entity. Must be either 'Account' - or 'Host'. | + 1. Extracts configuration parameters (API Root, Client ID, Client Secret) and + action parameters (Entity ID, Entity Type). + 2. Initializes the `VectraRUXManager` to handle API communication. - ### Additional Notes: + 3. Calls `describe_entity` to retrieve the entity details and its associated detection + IDs. - - This action performs a state change in the external Vectra system by updating - the status of detections. + 4. If detections are found, sends a PATCH request to the VectraRUX API to mark + the identified detections as fixed. - - If no detections are associated with the provided Entity ID, the action will - complete successfully with a message indicating no detections were found. + 5. Adds the API response to the action results. capabilities: can_create_case_comments: false can_create_insight: false @@ -1735,12 +1902,19 @@ Mark Entity Fixed: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the status of detections in the Vectra platform to 'fixed' via a PATCH - request to the /detections endpoint. + Marks detections associated with the specified entity as fixed in the external + VectraRUX system. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches entity details (GET) to retrieve detection IDs and then performs + a PATCH request to update the state of those detections in the external VectraRUX + system. It does not modify internal SOAR case data or entities. categories: enrichment: false + reasoning: >- + The action mutates external data (marking detections as fixed), which violates + the 'Read-Only' constraint required for Enrichment actions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1756,6 +1930,10 @@ Mark Entity Fixed: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action uses parameters ('Entity ID', 'Entity Type') provided by the user + to perform its task. It does not iterate over or process the `siemplify.target_entities` + list. Ping: action_product_categories: add_alert_comment: false @@ -1771,6 +1949,9 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test (Ping) and does not perform any of the defined + functional outcomes like enriching data, blocking IOCs, or managing tickets. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1786,44 +1967,40 @@ Ping: update_identity: false update_ticket: false ai_description: >- - ### General Description - Tests the connectivity of the Chronicle SOAR server to the Vectra platform. This - action verifies that the provided API Root, Client ID, and Client Secret are valid - and that the SOAR server can reach the Vectra API endpoints by attempting to generate - an OAuth2 token. + action validates the API credentials by attempting to authenticate with the Vectra + RUX API. It retrieves an OAuth token to verify that the integration is correctly + configured and that the SOAR server can communicate with the external service. - ### Parameters Description + ### Parameters - | Parameter | Description | Type | Mandatory | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | None | This action does not have any input parameters. | N/A | N/A | + | API Root | string | Yes | The base URL of the Vectra RUX API. | + | Client ID | string | Yes | The Client ID used for authentication. | - ### Flow Description + | Client Secret | string | Yes | The Client Secret used for authentication. | - 1. **Initialization**: The action initializes the Siemplify context and retrieves - the integration's global configuration parameters (API Root, Client ID, and Client - Secret). - 2. **Manager Setup**: It instantiates the `VectraRUXManager` which handles the - session and authentication logic. + ### Flow Description - 3. **Connectivity Test**: The manager attempts to authenticate with the Vectra - platform using the provided credentials. This involves checking for existing tokens - or requesting a new one via the OAuth2 token endpoint. + 1. The action initializes the `VectraRUXManager` using the provided API Root, + Client ID, and Client Secret. - 4. **Result Reporting**: If the authentication is successful, the action returns - a success message. If an error occurs (e.g., network timeout, invalid credentials), - it logs the error and reports a failure. + 2. It attempts to establish a connection by calling `test_connectivity()`. + 3. The manager generates an OAuth token by sending a POST request to the authentication + endpoint. - ### Additional Notes + 4. If the authentication is successful, the action logs a success message and + completes. - There are no additional notes for this action. + 5. If the authentication fails, the action logs the error and marks the execution + as failed. capabilities: can_create_case_comments: false can_create_insight: false @@ -1834,8 +2011,15 @@ Ping: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity test by attempting to authenticate with the + Vectra RUX API. It does not fetch contextual data, mutate external data (other + than standard authentication), or modify internal SOAR data. categories: enrichment: false + reasoning: >- + The action is a connectivity test (Ping). Per the instructions, Ping actions + are not enrichment actions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1851,6 +2035,8 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with entities. Remove Assignment: action_product_categories: add_alert_comment: false @@ -1866,6 +2052,10 @@ Remove Assignment: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action removes an assignment from an entity in Vectra RUX. This is a state + change in the external system. It does not match any of the provided categories + (Enrich IOC, Enrich Asset, Update Alert, etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1878,14 +2068,14 @@ Remove Assignment: uncontain_host: false update_alert: false update_email: false - update_identity: true + update_identity: false update_ticket: false ai_description: >- ### General Description - Removes the assignment associated with a specific entity (either an Account or - a Host) in Vectra RUX. This action is used to clear ownership or responsibility - status for an entity within the Vectra platform by deleting the assignment record. + Removes an assignment from a specified entity (Account or Host) in Vectra RUX. + This action identifies the assignment associated with the provided entity ID and + type, then deletes the assignment record from the external system. ### Parameters Description @@ -1894,38 +2084,29 @@ Remove Assignment: | :--- | :--- | :--- | :--- | - | Entity ID | String | Yes | The unique identifier of the entity in Vectra RUX - from which the assignment should be removed. | - - | Entity Type | DDL | Yes | The type of the entity. Supported values are 'Account' - or 'Host'. | + | Entity ID | string | Yes | The ID of the entity to remove the assignment from. + | + | Entity Type | ddl | Yes | The type of the entity (Account or Host). | - ### Flow Description - 1. **Parameter Extraction:** Retrieves the `Entity ID` and `Entity Type` from - the action parameters. + ### Additional Notes - 2. **Validation:** Validates that the provided `Entity ID` is a valid integer. + None. - 3. **Entity Lookup:** Fetches the current information for the specified entity - from Vectra RUX to verify its state. - 4. **Assignment Check:** Checks if the entity currently has an active assignment - associated with it. + ### Flow Description - 5. **Removal:** If an assignment exists, it extracts the `Assignment ID` and sends - a DELETE request to the Vectra RUX API to remove the assignment. + 1. Extracts configuration (API credentials) and action parameters (Entity ID, + Entity Type). - 6. **Completion:** Returns a success message if the assignment was successfully - deleted, or an error message if the entity did not have an assignment or if the - entity was not found. + 2. Initializes the Vectra RUX manager. + 3. Retrieves the entity information to identify the current assignment. - ### Additional Notes + 4. If an assignment exists, it deletes the assignment using the assignment ID. - This action requires valid API credentials (Client ID and Client Secret) and the - API Root URL for the Vectra RUX instance to be configured in the integration settings. + 5. Returns the operation status. capabilities: can_create_case_comments: false can_create_insight: false @@ -1934,11 +2115,19 @@ Remove Assignment: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Deletes an assignment record in Vectra RUX associated with the specified entity. + Deletes an assignment record from the Vectra RUX system. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches entity information to find an assignment ID and then performs + a DELETE request to remove that assignment from the Vectra RUX system. It does + not modify internal SOAR data or entities. categories: enrichment: false + reasoning: >- + The action performs a deletion on an external system (Vectra RUX), which violates + the 'External State Preservation' rule for enrichment actions. Therefore, it + is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1954,6 +2143,10 @@ Remove Assignment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action uses action parameters (`Entity ID`, `Entity Type`) to identify the + target, rather than iterating over `siemplify.target_entities`. Therefore, it + does not run on entities in the context of the SOAR entity model. Remove Group: action_product_categories: add_alert_comment: false @@ -1969,6 +2162,10 @@ Remove Group: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action modifies group memberships, which aligns with the 'Update Identity' + category definition: 'Modifies account metadata, such as group memberships, + permissions, or contact information.' remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1984,58 +2181,42 @@ Remove Group: update_identity: true update_ticket: false ai_description: >- - Removes specified members from a group in Vectra AI. This action allows for automated - management of Vectra groups by providing a Group ID and a list of members to be - detached. It performs a state change in the Vectra platform and provides a detailed - summary of the operation, including an HTML visualization of the group's updated - state. - + Removes specified members from a group in the Vectra RUX platform. This action + retrieves the current group membership, performs the removal operation, and provides + a summary of the changes. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Group ID | String | True | The unique integer ID of the group in Vectra AI. - | - - | Members | String | True | A comma-separated list of members to remove. The format - of the members (e.g., IP, hostname, UID, or domain) must match the group's type - configuration in Vectra. | - - - ### Additional Notes - - - The **Group ID** must be a valid positive integer. - - - The action will identify which members were successfully removed and which were - not found in the group. + | Group ID | string | Yes | The ID of the specific group from which members should + be removed. | - - The result includes an HTML table showing the updated group properties and its - current member list. + | Members | string | Yes | A comma-separated list of members to remove from the + group. | ### Flow Description - 1. **Parameter Extraction:** Retrieves API credentials and action parameters (Group - ID and Members). + 1. **Initialization**: Extracts configuration parameters (API Root, Client ID, + Client Secret) and action parameters (Group ID, Members). - 2. **Validation:** Validates that the Group ID is a positive integer and processes - the comma-separated Members string into a list. + 2. **Validation**: Validates that the Group ID is a valid integer. - 3. **Pre-check:** Fetches the current group members from Vectra AI to verify the - group's existence and current state. + 3. **Fetch**: Retrieves the current list of members for the specified group using + the Vectra RUX API. - 4. **Mutation:** Executes a PATCH request to the Vectra API endpoint for the specified - group with the `membership_action` set to `remove`. + 4. **Mutation**: Calls the Vectra RUX API to remove the specified members from + the group. - 5. **Analysis:** Compares the requested removals against the updated group state - returned by the API to determine successful and failed removals. + 5. **Verification**: Compares the requested removals against the updated group + membership to determine which members were successfully removed. - 6. **Output Generation:** Renders an HTML table of the updated group details and - returns the full group object as a JSON result. + 6. **Reporting**: Generates an HTML view of the group details and adds the raw + JSON response to the action results. capabilities: can_create_case_comments: false can_create_insight: false @@ -2044,12 +2225,20 @@ Remove Group: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Removes specified members from a group in Vectra AI by sending a PATCH request - to the `/groups/{group_id}` endpoint with the `membership_action=remove` parameter. + Removes specified members from a group in the Vectra RUX platform. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches current group members to verify the state before performing + a removal. It then performs a PATCH request to the Vectra RUX API to remove + members from a group, which constitutes an external data mutation. It does not + modify internal SOAR case data, entities, or alert status. categories: enrichment: false + reasoning: >- + The action performs an external mutation (removing members from a group), which + violates the 'External State Preservation' rule for enrichment actions. Therefore, + it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -2065,6 +2254,9 @@ Remove Group: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or utilize the `target_entities` attribute. + It relies solely on input parameters provided by the user. Remove Note: action_product_categories: add_alert_comment: false @@ -2080,6 +2272,10 @@ Remove Note: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action removes a note from an external system. This does not align with + any of the provided categories such as enrichment, containment, ticketing, or + alert management. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -2095,54 +2291,43 @@ Remove Note: update_identity: false update_ticket: false ai_description: >- - ### General Description - - Removes a specific note from a designated entity within the Vectra RUX platform. - This action allows analysts to manage and clean up notes associated with Accounts, - Hosts, or Detections by providing the unique identifiers for both the entity and - the note. - - - ### Parameters Description - - | Parameter | Description | Type | Mandatory | Expected Value | + Removes a specific note from an entity within the Vectra RUX system. This action + allows analysts to clean up or remove outdated or incorrect notes associated with + accounts, hosts, or detections. - | :--- | :--- | :--- | :--- | :--- | - | Entity ID | The unique identifier of the entity (Account, Host, or Detection) - from which the note should be removed. | String | Yes | A numeric string representing - the Entity ID. | + ### Parameters - | Note ID | The unique identifier of the specific note to be deleted. | String - | Yes | A numeric string representing the Note ID. | + | Parameter | Type | Mandatory | Description | - | Entity Type | The category of the entity from which the note is being removed. - | DDL | Yes | One of: 'Account', 'Host', or 'Detection'. | + | :--- | :--- | :--- | :--- | + | Entity ID | string | Yes | The unique identifier of the entity from which the + note should be removed. | - ### Additional Notes + | Note ID | string | Yes | The unique identifier of the note to be removed. | - This action performs a permanent deletion of the note in the external Vectra RUX - system. The 'Entity ID' and 'Note ID' parameters are validated as integers before - the request is sent. + | Entity Type | ddl | Yes | The type of the entity (e.g., Account, Host, Detection). + | ### Flow Description - 1. **Initialization**: The action initializes the Vectra RUX manager using the - provided API credentials (API Root, Client ID, and Client Secret). + 1. **Initialization**: The action initializes the `SiemplifyAction` and extracts + the necessary configuration parameters (API Root, Client ID, Client Secret) and + action parameters (Entity ID, Note ID, Entity Type). - 2. **Parameter Extraction**: It retrieves the `Entity ID`, `Note ID`, and `Entity - Type` from the action inputs. + 2. **Manager Setup**: It initializes the `VectraRUXManager` to handle API communication. - 3. **Validation**: The `Entity ID` and `Note ID` are validated to ensure they - are valid integer values. + 3. **Validation**: It validates that the provided Entity ID and Note ID are valid + integers. - 4. **Execution**: The action calls the Vectra RUX API using a DELETE request to - the endpoint `api/v3.4/entities/{entity_id}/notes/{note_id}`. + 4. **Execution**: It calls the `remove_note` method of the `VectraRUXManager`, + which performs a DELETE request to the Vectra RUX API to remove the specified + note. - 5. **Completion**: Upon successful deletion, the action returns a confirmation - message and sets the result value to true. + 5. **Completion**: It logs the outcome and returns a success or failure message + to the SOAR platform. capabilities: can_create_case_comments: false can_create_insight: false @@ -2151,12 +2336,19 @@ Remove Note: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Deletes a specific note associated with an entity (Account, Host, or Detection) - in the Vectra RUX platform. + The action deletes a note from the Vectra RUX system via an API call. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a DELETE request to an external API (Vectra RUX) to remove + a note. It does not fetch data (no GET requests for context), does not update + internal SOAR entities, and does not create insights or comments. It is a pure + external mutation action. categories: enrichment: false + reasoning: >- + The action does not fetch data, so it cannot be an enrichment action. It is + a management/mutation action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -2172,6 +2364,11 @@ Remove Note: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action uses input parameters ('Entity ID', 'Entity Type') provided by the + user to identify the target, rather than iterating over the `siemplify.target_entities` + list. Therefore, it does not run on entities in the context of the SOAR entity + model. Remove Tags: action_product_categories: add_alert_comment: false @@ -2187,6 +2384,10 @@ Remove Tags: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action updates tags on an entity in the VectraRUX platform. None of the + provided product categories (e.g., Enrich IOC, Contain Host, Update Alert) specifically + cover the modification of entity tags. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -2202,57 +2403,47 @@ Remove Tags: update_identity: false update_ticket: false ai_description: >- - Removes specific tags from a Vectra entity (Account, Host, or Detection) identified - by its ID. This action first retrieves the current tags associated with the entity, - identifies which of the requested tags are present, and then updates the entity's - tag list on the Vectra platform by removing those tags. It provides a summary - of the operation, including which tags were successfully removed and which were - not found. - - - ### Flow Description - - 1. **Parameter Extraction:** Retrieves the target tags (comma-separated), the - Entity ID, and the Entity Type (Account, Host, or Detection) from the action parameters. + ### General Description - 2. **Data Retrieval:** Calls the Vectra API to fetch the current list of tags - associated with the specified entity ID and type. + Removes specified tags from an entity (Account, Host, or Detection) within the + VectraRUX platform. This action retrieves the current tags for the specified entity, + removes the requested tags from the list, and updates the entity's tag configuration + in the external system. - 3. **Tag Comparison:** Compares the provided tags against the existing tags. It - identifies tags that can be removed and those that do not exist on the entity. - 4. **External Mutation:** If valid tags for removal are found, it constructs a - new tag list (excluding the removed tags) and sends a PATCH request to the Vectra - platform to update the entity. + ### Parameters - 5. **Output Generation:** Adds a JSON result and a data table to the SOAR case - detailing the update status, the entity ID, and the final tag list. + | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Parameters Description + | Tags | string | Yes | A comma-separated list of tags to remove from the entity. + | + | Entity ID | string | Yes | The unique identifier of the entity (Account, Host, + or Detection). | - | Parameter | Type | Mandatory | Description | + | Entity Type | ddl | Yes | The type of the entity. Supported values: Account, + Host, Detection. | - | :--- | :--- | :--- | :--- | - | Tags | string | Yes | A comma-separated list of tags to be removed from the - entity. | + ### Flow Description - | Entity ID | string | Yes | The unique identifier of the entity in Vectra from - which tags will be removed. | + 1. Extracts configuration parameters (API Root, Client ID, Client Secret) and + action parameters (Tags, Entity ID, Entity Type). - | Entity Type | ddl | Yes | The category of the entity. Supported values: Account, - Host, Detection. | + 2. Initializes the VectraRUX manager to handle API communication. + 3. Validates the Entity ID and fetches the current tags for the specified entity + using the `get_entity_tags` method. - ### Additional Notes + 4. Compares the requested tags with the existing tags and removes the matches. - - This action does not process entities from the SOAR entity list; it operates - strictly on the ID provided in the 'Entity ID' parameter. + 5. Updates the entity's tags in the VectraRUX platform using the `update_tags` + method. - - If none of the specified tags exist on the entity, the action will fail with - a 'TagsUpdateFailException'. + 6. Logs the operation status and adds the result to the action output as a JSON + object and a data table. capabilities: can_create_case_comments: false can_create_insight: false @@ -2261,12 +2452,20 @@ Remove Tags: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the entity's metadata in the Vectra platform by removing specified tags - via a PATCH request to the tagging API endpoint. + Updates the tag list for an entity (Account, Host, or Detection) in the external + VectraRUX platform. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches existing tags from the external VectraRUX system (GET request) + and subsequently performs a PATCH request to update the entity's tags. It does + not modify internal SOAR case data or update SOAR entity objects directly. categories: enrichment: false + reasoning: >- + The action performs a mutation on an external system (updating tags), which + violates the requirement for an enrichment action to be read-only regarding + external systems. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -2282,6 +2481,10 @@ Remove Tags: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities`. It accepts `Entity + ID` and `Entity Type` as direct input parameters to identify the target, meaning + it does not operate on the SOAR entity model. Resolve Assignment: action_product_categories: add_alert_comment: false @@ -2297,6 +2500,10 @@ Resolve Assignment: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action resolves an assignment in the Vectra RUX platform. This is an operational + update to an external record, which aligns with the 'Update Ticket' category + as assignments are effectively tickets in this context. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -2314,62 +2521,51 @@ Resolve Assignment: ai_description: >- ### General Description - Resolves a specific assignment in Vectra AI using its unique assignment ID and - a designated outcome ID. This action allows analysts to close out tasks within - the Vectra platform directly from Google SecOps, providing options to add notes, - apply triage rules, and associate specific detections with the resolution. - + Resolves an assignment in the Vectra RUX platform. This action allows analysts + to update the status of an assignment by providing an outcome ID and optional + metadata such as notes, triage rules, and associated detection IDs. - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + ### Flow Description - | Assignment ID | String | Yes | The unique integer ID of the assignment to be - resolved. | + 1. **Initialization**: Extracts configuration parameters (API Root, Client ID, + Client Secret) and action parameters (Assignment ID, Outcome ID, Note Title, Triage + As, Detection IDs). - | Outcome ID | String | Yes | The integer ID representing the resolution outcome - (e.g., 1 for Benign True Positive, 2 for Malicious True Positive, 3 for False - Positive). Custom IDs are also supported. | + 2. **Validation**: Validates the provided Assignment ID, Outcome ID, and Triage + As parameters to ensure they meet the required format and constraints. - | Note Title | String | No | A descriptive note or title to be attached to the - resolution record in Vectra. | + 3. **Execution**: Initializes the `VectraRUXManager` and performs a PUT request + to the Vectra API to resolve the specified assignment. - | Triage As | String | No | A triage rule string to apply to the resolution. Must - be at least 4 characters long and contain no special characters. | + 4. **Output**: Adds the resolution result as a JSON object and a data table to + the action results. - | Detection IDs | String | No | A comma-separated list of integer detection IDs - to be associated with the triage rule. | + ### Parameters Description - ### Additional Notes + | Parameter | Type | Mandatory | Description | - - **Dependency:** If the 'Triage As' parameter is provided, at least one 'Detection - ID' must also be provided for the action to succeed. + | :--- | :--- | :--- | :--- | - - **Validation:** The action performs strict validation on 'Assignment ID' and - 'Outcome ID' to ensure they are valid non-negative integers. + | Assignment ID | string | Yes | The ID of the assignment to resolve. | + | Outcome ID | string | Yes | The outcome ID for resolving the assignment (e.g., + 1 for Benign True Positive, 2 for Malicious True Positive, 3 for False Positive). + | - ### Flow Description + | Note Title | string | No | A note to be added for resolving the assignment. + | - 1. **Parameter Extraction:** The action retrieves the Assignment ID, Outcome ID, - and optional metadata (Note, Triage, Detections) from the input. + | Triage As | string | No | Triage rule for resolving the assignment. | - 2. **Validation Logic:** It validates that IDs are integers and checks that 'Triage - As' meets the character requirements. It also enforces the requirement that 'Detection - IDs' must be present if 'Triage As' is used. + | Detection IDs | string | No | A list of Integer detection IDs separated by commas + or a single detection ID. | - 3. **External API Call:** The action sends a `PUT` request to the Vectra RUX API - endpoint `/assignments/{assignment_id}/resolve` with the resolution payload. - 4. **Data Processing:** Upon a successful API response, the action parses the - updated assignment details. + ### Additional Notes - 5. **Output Generation:** The action produces a JSON result containing the full - API response and creates a data table named 'Resolved Assignment' for the case - wall. + If 'Triage As' is provided, at least one 'Detection ID' must also be provided. capabilities: can_create_case_comments: false can_create_insight: false @@ -2378,12 +2574,19 @@ Resolve Assignment: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the state of an assignment in the Vectra AI platform to 'Resolved' and - applies outcome, triage, and note metadata. - fetches_data: true + Resolves an assignment in the Vectra RUX platform via a PUT request. + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a PUT request to the Vectra API to resolve an assignment. + It does not fetch data for enrichment purposes, nor does it modify internal + SOAR entities or case data. It is a state-changing operation on an external + system. categories: enrichment: false + reasoning: >- + The action is not an enrichment action as it does not fetch data to enrich entities + or alerts. It is a mutation action on an external system. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -2399,6 +2602,9 @@ Resolve Assignment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use `siemplify.target_entities`. It operates on an `Assignment + ID` provided as a parameter. Unmark Detection Fixed: action_product_categories: add_alert_comment: false @@ -2414,6 +2620,10 @@ Unmark Detection Fixed: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action updates the status of detections in an external product (VectraRUX). + It does not match any of the provided categories, such as enrichment, containment, + or ticket management. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -2431,47 +2641,45 @@ Unmark Detection Fixed: ai_description: >- ### General Description - Unmarks specific detections as fixed within the Vectra AI platform. This action - is used to revert the status of detections that were previously marked as resolved - or fixed, allowing them to be re-evaluated or monitored again in the Vectra dashboard. + Unmarks specific detections as fixed in the VectraRUX platform. This action allows + analysts to revert the 'fixed' status of detections, ensuring they remain visible + or active for further investigation. - ### Parameters Description + ### Flow Description - | Parameter | Description | Type | Mandatory | + 1. **Configuration**: The action retrieves the API Root, Client ID, and Client + Secret from the integration configuration. - | :--- | :--- | :--- | :--- | + 2. **Parameter Extraction**: It extracts the comma-separated list of Detection + IDs from the action parameters. - | Detection IDs | A comma-separated list of numeric IDs representing the detections - to be unmarked as fixed. | String | Yes | + 3. **Initialization**: The `VectraRUXManager` is initialized with the provided + credentials to establish a connection to the VectraRUX API. + 4. **Validation**: The provided Detection IDs are validated to ensure they are + integers. - ### Additional Notes + 5. **Execution**: The action sends a `PATCH` request to the VectraRUX API to update + the status of the specified detections, setting `mark_as_fixed` to `False`. - - The action validates that each provided ID is a valid integer before attempting - the API call. + 6. **Result**: The API response is added to the action result as a JSON object. - - This action performs a bulk update on the external Vectra AI system. + ### Parameters Description - ### Flow Description + | Parameter | Type | Mandatory | Description | - 1. **Parameter Extraction**: The action retrieves the `Detection IDs` string from - the input parameters. + | :--- | :--- | :--- | :--- | - 2. **Validation**: It splits the comma-separated string and validates that each - ID is a valid integer using the `validate_integer` utility. + | Detection IDs | string | Yes | A comma-separated list of Detection IDs to be + unmarked as fixed. | - 3. **Authentication**: The action initializes the `VectraRUXManager`, which handles - OAuth2 token generation or retrieval from the local cache. - 4. **External Update**: It calls the `unmark_detection_as_fixed` method, which - sends a `PATCH` request to the Vectra API endpoint with the `mark_as_fixed` payload - set to `False` for the specified IDs. + ### Additional Notes - 5. **Result Processing**: The API response is captured, added to the action's - JSON results, and the execution state is set to completed or failed based on the - success of the request. + This action performs a state change in the external VectraRUX system. Ensure that + the provided Detection IDs are valid and exist within the VectraRUX environment. capabilities: can_create_case_comments: false can_create_insight: false @@ -2480,12 +2688,21 @@ Unmark Detection Fixed: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the 'mark_as_fixed' status of specific detections to 'False' in the - Vectra AI platform via a PATCH request. + Updates the 'fixed' status of detections in the VectraRUX platform by sending + a PATCH request. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a PATCH request to the VectraRUX API to update the status + of specific detections. It does not fetch data for enrichment, nor does it modify + internal SOAR entities, case wall, or insights. It only adds the result of the + API call to the action output. categories: enrichment: false + reasoning: >- + The action is a mutation action (updating detection status) and does not retrieve + data for enrichment. Therefore, it does not meet the criteria for an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -2501,6 +2718,9 @@ Unmark Detection Fixed: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or utilize `siemplify.target_entities`. It + relies entirely on a user-provided parameter for Detection IDs. Update Assignment: action_product_categories: add_alert_comment: false @@ -2516,6 +2736,10 @@ Update Assignment: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action updates an assignment in the VectraRUX system. It does not match + any of the provided categories (e.g., Enrich IOC, Update Alert, Create Ticket, + etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -2531,54 +2755,39 @@ Update Assignment: update_identity: false update_ticket: false ai_description: >- - ### General Description - - Updates the assigned user for a specific assignment associated with a Host or - Account in Vectra AI. This action is used to reassign ownership of a detection - or entity investigation within the Vectra platform by modifying the 'assign_to_user_id' - field of an existing assignment. + Updates the assigned user for a specific assignment in the VectraRUX system. This + action retrieves the assignment ID associated with a given entity and then updates + that assignment to the specified user. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Entity ID | String | Yes | The unique identifier of the Host or Account in Vectra - AI. | + | Entity ID | string | Yes | The ID of the entity (Account or Host) whose assignment + is being updated. | - | Entity Type | DDL | Yes | The type of entity to update. Options are 'Account' - or 'Host'. | + | Entity Type | ddl | Yes | The type of the entity (Account or Host). | - | User ID | String | Yes | The unique identifier of the user to whom the assignment - will be reassigned. | - - - ### Additional Notes - - The action first retrieves the entity's current information to identify the active - `assignment_id`. If the entity does not have an active assignment, the action - will fail with an 'ItemNotFound' error. + | User ID | string | Yes | The ID of the user to assign the assignment to. | ### Flow Description - 1. **Parameter Extraction**: Retrieves the Entity ID, Entity Type, and User ID - from the action inputs. + 1. Extract configuration parameters (API Root, Client ID, Client Secret) and action + parameters (Entity ID, Entity Type, User ID). + + 2. Validate that the provided Entity ID and User ID are valid integers. - 2. **Validation**: Validates that the Entity ID and User ID are provided as valid - integer strings. + 3. Initialize the VectraRUXManager to handle API interactions. - 3. **Fetch Assignment ID**: Calls the Vectra API to retrieve the specific entity's - metadata and extracts the ID of the current assignment. + 4. Fetch the specific entity information to retrieve the associated `assignment_id`. - 4. **Update Assignment**: Sends a PUT request to the Vectra assignments endpoint - to update the assigned user to the provided User ID. + 5. Perform a PUT request to update the assignment with the provided `user_id`. - 5. **Result Processing**: Adds the raw API response to the action results and - creates a data table named 'Updated Assignment' containing the assignment ID, - the new user ID, and the entity details. + 6. Add the response data and a summary table to the action result. capabilities: can_create_case_comments: false can_create_insight: false @@ -2587,12 +2796,18 @@ Update Assignment: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the 'assign_to_user_id' field for an existing assignment object in the - Vectra AI platform via a PUT request. + Updates the assigned user for a specific assignment in the VectraRUX system. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches entity information (GET) and updates an assignment (PUT) + in the external VectraRUX system. It does not modify internal SOAR data (entities, + insights, or case comments). categories: enrichment: false + reasoning: >- + The action mutates external data (updates an assignment), which violates the + 'Read-Only' requirement for enrichment actions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -2608,3 +2823,7 @@ Update Assignment: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action uses parameters 'Entity ID' and 'Entity Type' provided by the user, + rather than iterating over 'siemplify.target_entities'. Therefore, it does not + run on entities in the context of the SOAR entity model. diff --git a/content/response_integrations/third_party/community/vectra_rux/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/vectra_rux/resources/ai/connectors_ai_description.yaml index bd0c4ab68..e41935713 100644 --- a/content/response_integrations/third_party/community/vectra_rux/resources/ai/connectors_ai_description.yaml +++ b/content/response_integrations/third_party/community/vectra_rux/resources/ai/connectors_ai_description.yaml @@ -2,13 +2,12 @@ Vectra RUX - Entities Connector: ai_description: >- ### General Description - The Vectra RUX - Entities Connector integrates with the Vectra RUX platform to - ingest security entities (Hosts or Accounts) and their associated detections into - Google SecOps. It transforms each Vectra entity into a SOAR alert, where individual - detections are represented as events within that alert. This allows for a consolidated - view of all malicious activity related to a specific host or account within a - single case. The connector supports stateful tracking, ensuring that updates to - existing entities are correctly grouped and duplicates are avoided. + The Vectra RUX - Entities Connector is designed to integrate the Vectra RUX platform + with Google SecOps (SOAR). It periodically retrieves security entities (such as + Hosts or Accounts) and their associated detections from Vectra RUX, mapping them + into structured alerts and events within the SOAR platform for further investigation + and response. This connector ensures that security teams can monitor and act upon + high-priority entities identified by Vectra RUX. ### Parameters Description @@ -17,65 +16,54 @@ Vectra RUX - Entities Connector: | :--- | :--- | :--- | :--- | - | API Root | String | Yes | The base URL of the Vectra RUX API (e.g., https://
:). - | + | API Root | String | Yes | The base URL of the Vectra RUX API. | - | Client ID | String | Yes | Unique identifier assigned to the client for API - authentication. | + | Client ID | String | Yes | Unique identifier for API authentication. | - | Client Secret | Password | Yes | Confidential key associated with the Client - ID for secure authorization. | + | Client Secret | Password | Yes | Confidential key for API authentication. | | DeviceProductField | String | Yes | The field name used to determine the device - product (default: Vectra RUX). | + product. | - | Entity Type | String | Yes | The type of entity to retrieve: 'Host' or 'Account'. + | Entity Type | String | Yes | The type of entity to fetch (Account or Host). | - | EventClassId | String | Yes | The field name used to determine the event name/sub-type - (default: detection_type). | + | EventClassId | String | Yes | The field name used to determine the event name + (sub-type). | - | Limit | Integer | No | Maximum number of entities to fetch in a single execution. - | + | Limit | Integer | No | Maximum number of entities to fetch per iteration. | - | Max Hours Backwards | Integer | No | Number of hours to look back for entities - during the first connector iteration. | + | Max Hours Backwards | Integer | No | Time window (in hours) to look back for + new entities. | - | Prioritized | Boolean | No | If enabled, only entities with a priority score - above the configured threshold are fetched. | + | Prioritized | Boolean | No | If enabled, only fetches entities with a priority + score above the threshold. | - | Specific Tag | String | No | A specific tag used to filter the entity results. - | + | PythonProcessTimeout | String | Yes | Timeout limit (in seconds) for the connector + script. | - | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the - python process running the script. | + | Specific Tag | String | No | A specific tag used to filter the retrieved entities. + | ### Flow Description - 1. **Authentication**: The connector authenticates with the Vectra RUX API using - OAuth2 (Client ID and Secret) and manages access/refresh tokens stored in a local - configuration file. + 1. The connector initializes and authenticates with the Vectra RUX API using the + provided credentials. - 2. **Entity Discovery**: It queries the Vectra RUX `/entities` endpoint, filtering - by the configured `Entity Type` (Host or Account), `Specific Tag`, and `Prioritized` - status. + 2. It calculates the start time based on the `Max Hours Backwards` parameter to + determine the data retrieval window. - 3. **Time-based Filtering**: The connector retrieves entities modified since the - last successful execution or within the `Max Hours Backwards` window for the initial - run. + 3. It queries the Vectra RUX API to list entities (Hosts or Accounts) based on + the configured filters (e.g., entity type, priority, tags). - 4. **Detection Retrieval**: For each discovered entity, the connector fetches - all associated active detections from the `/detections` endpoint. + 4. For each retrieved entity, the connector fetches associated active detections. - 5. **Assignment Enrichment**: It retrieves assignment information (assigned user, - resolution status, and outcomes) for the entity and attaches it to the alert metadata. + 5. It maps each entity to a SOAR alert and its associated detections to alert + events, including relevant metadata and assignments. - 6. **Alert Mapping**: The connector maps the Vectra entity to a Google SecOps - alert and its detections to individual events. It generates a `source_grouping_identifier` - based on the Entity ID to ensure that updates to the same entity are grouped into - the same SOAR case. + 6. The connector checks for duplicates and overflow conditions before ingesting + the alerts into the SOAR platform. - 7. **Ingestion and State Management**: The constructed `AlertInfo` objects are - ingested into the system. The connector then saves the last processed timestamp - and entity IDs to prevent duplicate ingestion in future cycles. + 7. Finally, it updates the internal state (timestamps and processed IDs) to ensure + subsequent iterations only fetch new data. diff --git a/content/response_integrations/third_party/community/vectra_rux/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/vectra_rux/resources/ai/integration_ai_description.yaml index c5805635b..59ed8ef6a 100644 --- a/content/response_integrations/third_party/community/vectra_rux/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/community/vectra_rux/resources/ai/integration_ai_description.yaml @@ -2,11 +2,26 @@ product_categories: asset_inventory: true cloud_security: true collaboration: false - edr: false + edr: true email_security: false - iam_and_identity_management: false + iam_and_identity_management: true itsm: true network_security: true + reasoning: >- + The Vectra RUX integration is a cloud-native threat detection platform that ingests + entities and detections, providing visibility into suspicious activity across + cloud, data center, and network environments. It qualifies as a SIEM because its + connector ingests entities and detections for monitoring. It qualifies as EDR + because it manages hosts and retrieves detection details for them. It qualifies + as Network Security because it consolidates network data and detects threats within + the network. It qualifies as Threat Intelligence because it provides threat scores + and certainty scores for detections. It qualifies as IAM & Identity Management + because it manages accounts, group memberships, and user assignments. It qualifies + as Cloud Security because it is a cloud-native threat detection platform. It qualifies + as ITSM because it includes assignment management and resolution actions. It qualifies + as Asset Inventory because it lists and describes assets like hosts and accounts. + It does not qualify for Email Security, Vulnerability Management, or Collaboration + as it lacks specific actions for those domains. siem: true threat_intelligence: true vulnerability_management: false diff --git a/content/response_integrations/third_party/community/vectra_rux/resources/ai/jobs_ai_description.yaml b/content/response_integrations/third_party/community/vectra_rux/resources/ai/jobs_ai_description.yaml index 862e25acd..1f6edcf01 100644 --- a/content/response_integrations/third_party/community/vectra_rux/resources/ai/jobs_ai_description.yaml +++ b/content/response_integrations/third_party/community/vectra_rux/resources/ai/jobs_ai_description.yaml @@ -2,12 +2,10 @@ Vectra RUX - Clear Empty Cases Job: ai_description: >- ### General Description - This job performs maintenance on Google SecOps cases generated by the Vectra RUX - integration. It identifies and closes redundant cases and alerts that contain - duplicate detection data already present in other open investigations. By analyzing - the underlying event IDs within alerts, the job ensures that analysts are not - working on multiple cases for the same underlying security events, effectively - deduplicating the workload and reducing noise. + This job automates the maintenance of the investigation queue by identifying and + closing empty or duplicate cases originating from the Vectra RUX integration. + It helps reduce noise by automatically resolving cases that contain redundant + alerts or are deemed non-malicious based on cross-case analysis. ### Parameters Description @@ -16,40 +14,31 @@ Vectra RUX - Clear Empty Cases Job: | :--- | :--- | :--- | :--- | - | Max Hours Backwards | String | No | The maximum number of hours to look back - for open cases. Default is 24. Set to '0' to process all open cases regardless - of age. | + | Max Hours Backwards | String | No | The time window (in hours) to look back + for open cases. Use '0' to fetch all open cases. Default is 24. | - | Environments | String | Yes | Comma-separated list of environments to include - in the cleanup process (e.g., 'Default Environment'). | + | Environments | String | Yes | A comma-separated list of environments to process. + | - | Products | String | Yes | Comma-separated list of product names to filter alerts - (e.g., 'Vectra RUX'). Only alerts from these products are evaluated for deduplication. + | Products | String | Yes | A comma-separated list of product field names to process. | ### Flow Description - 1. Retrieves configuration parameters for the time range, target environments, - and product names. - - 2. Calculates the starting timestamp for the search based on the 'Max Hours Backwards' - parameter or the timestamp of the last successful run. + 1. Initialize job parameters and retrieve the last successful run timestamp from + the job context. - 3. Queries the SOAR platform for all cases currently in 'OPEN' status that fall - within the calculated time window. + 2. Fetch all open cases from the SOAR platform, optionally filtered by the specified + time window. - 4. Filters the retrieved cases to include only those matching the specified environments - and containing alerts from the target products. + 3. For each case, retrieve associated entities and their corresponding detections. - 5. Extracts and maps unique detection/event IDs from the alerts within the filtered - cases. + 4. Filter the detections based on the provided `Environments` and `Products` parameters. - 6. Identifies redundant alerts where all associated event IDs are already present - in other active alerts or cases. + 5. Analyze the collected alerts to identify identical or duplicate events across + different cases. - 7. Closes redundant cases or individual alerts using a predefined root cause indicating - that a similar case is already under investigation. + 6. Automatically close cases or remove specific alerts identified as duplicates. - 8. Updates the job's internal execution timestamp to mark the successful completion - of the run. + 7. Save the current execution timestamp to the job context for the next run. diff --git a/content/response_integrations/third_party/community/vorlon/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/vorlon/resources/ai/actions_ai_description.yaml index d7ae4d479..a8be4cc66 100644 --- a/content/response_integrations/third_party/community/vorlon/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/vorlon/resources/ai/actions_ai_description.yaml @@ -13,6 +13,9 @@ Get Alerts: enrich_ioc: false execute_command_on_the_host: false get_alert_information: true + reasoning: >- + The action fetches alert information from the Vorlon server based on provided + filters. This matches the 'Get Alert Information' category. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -28,66 +31,52 @@ Get Alerts: update_identity: false update_ticket: false ai_description: >- - ### General Description - - The **Get Alerts** action retrieves a list of alerts from the Vorlon server based - on user-defined filters. It allows analysts to query the external system for specific - alerts using identifiers, service associations, time ranges, and status. The results - are returned as a JSON object for use in playbooks. - - - ### Flow Description - - 1. **Parameter Extraction**: The action retrieves configuration details (API Root, - Client ID, Client Secret) and action parameters including service IDs, alert IDs, - time filters, and status. + Retrieves a list of alerts from the Vorlon server based on specified filtering + criteria. This action allows users to filter alerts by requesting or responding + services, specific alert IDs, time ranges (From/To), alert status, and result + limits. The retrieved alert data is returned as a JSON result for further analysis + within the SOAR platform. - 2. **Manager Initialization**: It initializes the `VorlonManager` which handles - authentication and session management with the Vorlon API. - 3. **Data Retrieval**: The action calls the `get_alerts` method, which constructs - a GET request to the `/rest/v1/alerts` endpoint. It processes time strings into - epoch timestamps and cleans comma-separated strings for the query. - - 4. **Result Output**: The fetched alerts are added to the action's JSON results, - and the action completes with a success message. - - - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Requesting Service | String | No | A comma-separated list of service IDs that - initiated the alerts. | + | Requesting Service | string | No | Requesting service id(s) to include, specified + as a comma separated list of ids. | - | Responding Service | String | No | A comma-separated list of service IDs that - responded to the alerts. | + | Responding Service | string | No | Responding service id(s) to include, specified + as a comma separated list of ids. | - | Alert IDs | String | No | A comma-separated list of specific alert IDs to retrieve. - | + | Alert IDs | string | No | The list of alert ids to retrieve, specified as a + comma separated list of ids. | - | From | String | No | Filter alerts from this time (Format: `YYYY-MM-DDTHH:MM:SS`). + | From | string | No | Filter by start time in the format "YYYY-MM-DDTHH:MM:SS". | - | To | String | No | Filter alerts up to this time (Format: `YYYY-MM-DDTHH:MM:SS`). - | + | To | string | No | Filter by end time in the format "YYYY-MM-DDTHH:MM:SS". | - | Alert Status | DDL | No | Filter by alert status: `open` (default), `dismissed`, - or `resolved`. | + | Alert Status | ddl | No | The list of alert statuses to retrieve (open, dismissed, + resolved). Default is 'open'. | - | Limit | String | No | The maximum number of alerts to return. Default is 100. - | + | Limit | string | No | Filter by limit. Default is '100'. | - ### Additional Notes + ### Flow Description + + 1. The action initializes the VorlonManager using the provided API credentials. + + 2. It extracts the user-provided filter parameters (services, IDs, time range, + status, limit). + + 3. It calls the `get_alerts` method on the VorlonManager, which performs a GET + request to the `/rest/v1/alerts` endpoint. - - The `From` and `To` parameters must strictly follow the `YYYY-MM-DDTHH:MM:SS` - format (e.g., 2023-10-27T10:00:00) to be correctly parsed into epoch timestamps. + 4. The retrieved alert data is added to the action result using `siemplify.result.add_result_json`. - - If no filters are provided, the action defaults to fetching the most recent - 'open' alerts. + 5. The action completes with a success or failure message based on the API response. capabilities: can_create_case_comments: false can_create_insight: false @@ -98,8 +87,15 @@ Get Alerts: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Vorlon API to retrieve alert information. + It does not modify any external systems, nor does it update internal SOAR entities, + insights, or case data. categories: enrichment: false + reasoning: >- + The action retrieves data (alerts) but does not enrich existing entities or + alerts. It is a data retrieval action, not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -115,6 +111,9 @@ Get Alerts: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with or filter by any entities. It operates independently + of the entity model. Get All Services: action_product_categories: add_alert_comment: false @@ -130,6 +129,10 @@ Get All Services: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves a list of services from the Vorlon server. It does not + match any of the specific categories provided (e.g., Enrich IOC, Enrich Asset, + Update Alert, etc.) as it is a general information retrieval action. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -147,40 +150,36 @@ Get All Services: ai_description: >- ### General Description - The **Get All Services** action retrieves a comprehensive list of all detected - and observed services from the Vorlon platform. This action is primarily used - for discovery and inventory purposes, providing visibility into the services monitored - by the Vorlon server. + This action retrieves a comprehensive list of all detected and observed services + from the Vorlon server. It is designed to provide visibility into the service + landscape managed by the Vorlon integration. ### Flow Description - 1. **Authentication**: The action establishes a session with the Vorlon API using - the configured API Root, Client ID, and Client Secret. + 1. The action initializes the `VorlonManager` using the integration's configuration + parameters: `API Root`, `Client ID`, and `Client Secret`. - 2. **API Request**: It performs a GET request to the `/rest/v1/services` endpoint - to retrieve the full list of services. + 2. It performs a GET request to the `/rest/v1/services` endpoint of the Vorlon + API. - 3. **Result Processing**: The action captures the JSON response from the server - and attaches it as a JSON result to the action execution. + 3. The retrieved list of services is returned as a JSON result in the action output. - 4. **Completion**: The action concludes by reporting the success or failure of - the data retrieval process. + 4. If the request fails, the action logs the error and terminates with a failure + status. ### Parameters Description - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | N/A | N/A | N/A | This action does not require any input parameters. | + There are no input parameters for this action. The action relies on the integration's + global configuration settings (API Root, Client ID, Client Secret) to authenticate + and communicate with the Vorlon server. ### Additional Notes - This action does not operate on specific entities (such as IPs or Hostnames) and - instead returns a global list of services from the integrated Vorlon instance. + This action is a read-only operation and does not modify any data in the Vorlon + system or the SOAR platform. capabilities: can_create_case_comments: false can_create_insight: false @@ -191,8 +190,16 @@ Get All Services: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve service data from the Vorlon API. + It does not modify any external systems (no POST/PUT/DELETE), nor does it modify + internal SOAR data (entities, insights, or comments). categories: enrichment: false + reasoning: >- + The action fetches data from an external source but does not enrich specific + entities or alerts. It is a general data retrieval action and does not meet + the criteria for an Enrichment Action as defined. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -208,6 +215,9 @@ Get All Services: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. It fetches global service data + from the Vorlon API. Get Connection Summary: action_product_categories: add_alert_comment: false @@ -223,12 +233,15 @@ Get Connection Summary: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves connection summary data from an external API. It does not + match any of the specific categories like enrichment, ticketing, or containment. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false search_asset: false search_email: false - search_events: true + search_events: false send_email: false send_message: false submit_file: false @@ -240,67 +253,51 @@ Get Connection Summary: ai_description: >- ### General Description - This action retrieves a summary of network connections associated with a specific - service from the Vorlon platform. It allows analysts to fetch aggregated connection - data by providing a Service ID and applying optional filters such as Instance - ID, time range, connection type (observed or detected), and specific secret IDs. - The results are returned as a JSON object for further analysis within the SOAR - platform. + This action retrieves a connection summary for a specified service from the Vorlon + server. It allows users to filter the summary by instance ID, time range, connection + type, and specific secret IDs. ### Parameters Description | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | - - | Service ID | String | Yes | The unique identifier for the service (typically - the service name or app name) for which to retrieve the connection summary. | + | --- | --- | --- | --- | - | Instance ID | String | No | If provided, filters the connection summary by a - specific instance ID of the service. | + | Service ID | string | Yes | The service or app name to get the connections summary + for. | - | From | String | No | If provided, filters the summary by a start time in the - format `YYYY-MM-DDTHH:MM:SS` (e.g., 2023-10-27T10:00:00). | - - | To | String | No | If provided, filters the summary by an end time in the format - `YYYY-MM-DDTHH:MM:SS` (e.g., 2023-10-27T11:00:00). | + | Instance ID | string | No | If provided, filter by the instance ID of the service. + | - | Type | DDL | No | The type of connection to summarize. Options are `observed` - (default) or `detected`. | + | From | string | No | If provided, filter by from time in the format "YYYY-MM-DDTHH:MM:SS". + | - | Secret IDs | String | No | A comma-separated list of secret IDs to filter the - connection summary. | + | To | string | No | If provided, filter by to time in the format "YYYY-MM-DDTHH:MM:SS". + | + | Type | string | No | Type of connection (observed or detected). Default is 'observed'. + | - ### Flow Description + | Secret IDs | string | No | A comma-separated list of secret IDs. | - 1. **Initialization**: The action extracts the Vorlon integration configuration - (API Root, Client ID, Client Secret) and the user-provided action parameters. - 2. **Manager Setup**: A `VorlonManager` instance is initialized to handle communication - with the Vorlon API. + ### Additional Notes - 3. **Time Processing**: If the `From` or `To` parameters are provided, the action - validates the string format and converts them into epoch timestamps required by - the API. + There are no additional notes. - 4. **API Execution**: The action calls the Vorlon API's connection summary endpoint - using the specified Service ID and optional query parameters (secrets, instance, - time range, type). - 5. **Result Handling**: The retrieved connection summary is added to the action's - JSON results. If the fetch is successful, the action completes with a success - message; otherwise, it reports a failure. + ### Flow Description + 1. Initialize the VorlonManager with API credentials (API Root, Client ID, Client + Secret). - ### Additional Notes + 2. Extract the action parameters (Service ID, Instance ID, From, To, Type, Secret + IDs). - - The `Service ID` is a mandatory parameter and must be provided for the action - to run. + 3. Call the Vorlon API to retrieve the connection summary using the provided parameters. - - Time filters must strictly follow the `YYYY-MM-DDTHH:MM:SS` format to avoid - execution errors. + 4. Add the retrieved JSON result to the action output. capabilities: can_create_case_comments: false can_create_insight: false @@ -311,8 +308,16 @@ Get Connection Summary: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve connection summary data from the + Vorlon API. It does not modify any external or internal data, nor does it update + entities or create insights. categories: enrichment: false + reasoning: >- + The action fetches data but does not perform any of the allowed internal mutations + (update entities, create insights, add comments). Therefore, it is not classified + as an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -328,6 +333,8 @@ Get Connection Summary: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with entities. It operates on service-level data. Get Connections: action_product_categories: add_alert_comment: false @@ -343,6 +350,10 @@ Get Connections: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves connection telemetry data from an external service. This + aligns with the 'Search Events' category, which involves returning historical + logs or telemetry data. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -358,67 +369,27 @@ Get Connections: update_identity: false update_ticket: false ai_description: >- - ### General Description - - This action retrieves connection logs for a specific service from the Vorlon server. - It allows analysts to query historical telemetry data regarding how services are - interacting, filtered by time ranges, specific instances, or secret identifiers. - The results are returned as a JSON object for further analysis within the SOAR - platform. - - - ### Parameters Description - - | Parameter | Mandatory | Type | Description | - - | :--- | :--- | :--- | :--- | - - | Service ID | Yes | String | The unique identifier (typically the service or - app name) for which to retrieve connection data. | - - | Instance ID | No | String | Filters the results to a specific instance of the - service. | - - | From | No | String | Filters connections starting from this time. Expected format: - "YYYY-MM-DDTHH:MM:SS" (e.g., 1970-01-01T00:00:00). | - - | To | No | String | Filters connections up to this time. Expected format: "YYYY-MM-DDTHH:MM:SS" - (e.g., 1970-01-01T00:00:00). | - - | Secret IDs | No | String | A comma-separated list of secret IDs to filter the - connection results. | - - | Limit | No | String | The maximum number of connection records to return. Defaults - to 100 if not specified. | - - - ### Flow Description - - 1. **Parameter Extraction**: The action extracts the API configuration (Root URL, - Client ID, Client Secret) and the user-provided action parameters (Service ID, - Instance ID, Time range, Secret IDs, and Limit). - - 2. **Manager Initialization**: It initializes the `VorlonManager` to handle authentication - and API communication. - - 3. **Data Retrieval**: The action calls the `get_connections` method, which performs - a GET request to the Vorlon API endpoint `/rest/v1/connections/{service_id}` with - the specified filters. - - 4. **Result Processing**: The retrieved connection data is attached to the action's - execution context as a JSON result. - - 5. **Completion**: The action terminates with a success message indicating that - connections were successfully fetched, or an error message if the request failed. - - - ### Additional Notes - - - The `From` and `To` parameters must strictly follow the `YYYY-MM-DDTHH:MM:SS` - format to be correctly converted to epoch time by the integration logic. - - - If the API returns an empty response for a valid service ID, the action will - raise an exception. + The 'Get Connections' action retrieves connection telemetry data for a specified + service from the Vorlon server. This action is useful for auditing service interactions, + troubleshooting connectivity, or investigating traffic patterns. The action performs + a GET request to the Vorlon API using the provided service identifier and optional + filters. The resulting connection data is returned as a JSON object to the SOAR + platform for further analysis. ### Parameters | Parameter | Type | Mandatory | + Description | | --- | --- | --- | --- | | Service ID | string | Yes | The service + or application name to retrieve connections for. | | Instance ID | string | No + | Filter by the instance ID of the service. | | From | string | No | Start time + filter in YYYY-MM-DDTHH:MM:SS format. | | To | string | No | End time filter in + YYYY-MM-DDTHH:MM:SS format. | | Secret IDs | string | No | A comma-separated list + of secret IDs to filter by. | | Limit | string | No | The maximum number of results + to return (default is 100). | ### Flow Description 1. The action extracts the + necessary configuration parameters (API Root, Client ID, Client Secret) to authenticate + with the Vorlon server. 2. It extracts the action-specific parameters (Service + ID, Instance ID, From, To, Secret IDs, Limit). 3. The VorlonManager initializes + a session and authenticates using the provided credentials. 4. The action calls + the 'get_connections' method, which performs a GET request to the Vorlon API endpoint. + 5. The retrieved connection data is returned as a JSON result to the SOAR platform. + 6. If the request fails, the action logs the error and terminates with a failed + status. capabilities: can_create_case_comments: false can_create_insight: false @@ -429,8 +400,16 @@ Get Connections: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to an external API (Vorlon) to retrieve connection + data. It does not modify any external systems (no POST/PUT/DELETE), nor does + it modify any internal SOAR data (no entity updates, insights, or case comments). categories: - enrichment: true + enrichment: false + reasoning: >- + The action fetches data from an external source (Vorlon API). However, it does + not operate on entities or alerts, nor does it enrich them. It is a data retrieval + action, not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -446,6 +425,9 @@ Get Connections: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with the SOAR entity model. It operates based on + a 'Service ID' parameter provided by the user, not on target entities. Get Linked Alerts: action_product_categories: add_alert_comment: false @@ -461,6 +443,11 @@ Get Linked Alerts: enrich_ioc: false execute_command_on_the_host: false get_alert_information: true + reasoning: >- + The action retrieves information about linked alerts from an external system + (Vorlon) and returns it in the result JSON. This aligns with the 'Get Alert + Information' category. It does not perform any other actions like blocking, + ticketing, or updating alerts. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -476,52 +463,47 @@ Get Linked Alerts: update_identity: false update_ticket: false ai_description: >- - ### General Description + Fetches linked alerts from the Vorlon server based on a provided Alert ID. This + action retrieves a list of alerts that share the same secret ID and alert group, + providing additional context for the investigation. - Retrieves alerts linked to a specific Alert ID from the Vorlon platform. Linked - alerts are defined as those sharing the same secret ID and alert group. This action - is useful for identifying related security incidents and understanding the scope - of a potential threat by aggregating related telemetry. - - - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. The action extracts configuration parameters (API Root, Client ID, Client Secret) + to authenticate with the Vorlon server. - | :--- | :--- | :--- | :--- | + 2. It extracts action parameters, including the mandatory Alert ID and optional + filters (Alert Status, Page, Limit). - | Alert ID | String | Yes | The unique identifier of the alert for which linked - alerts should be retrieved. | + 3. The action initializes the VorlonManager and calls the API to retrieve linked + alerts. - | Alert Status | DDL | No | Filters the results by alert status. Supported values: - `open`, `dismissed`, `resolved`. | + 4. The retrieved alert data is added to the action's result JSON for the analyst + to review. - | Page | String | No | The page number for paginated results. | - | Limit | String | No | The maximum number of alerts to return. Default is 100. - | + ### Parameters + | Parameter | Type | Mandatory | Description | - ### Flow Description + | :--- | :--- | :--- | :--- | - 1. **Authentication**: Connects to the Vorlon API using the configured API Root, - Client ID, and Client Secret to obtain a bearer token. + | Alert ID | string | Yes | The ID of the alert for which linked alerts should + be returned. | - 2. **Parameter Extraction**: Retrieves the mandatory Alert ID and optional filters - (Status, Page, Limit) from the action input. + | Alert Status | ddl | No | Filter the linked alerts by status (e.g., open, dismissed, + resolved). | - 3. **Data Retrieval**: Executes a GET request to the Vorlon endpoint (`/rest/v1/alerts/linked/{id}`) - to fetch alerts linked to the provided ID. + | Page | string | No | The page number for pagination. | - 4. **Output**: Returns the list of linked alerts as a JSON result for use in subsequent - playbook steps. + | Limit | string | No | The maximum number of results to return. | ### Additional Notes - This action does not operate on SecOps entities; it requires a specific Alert - ID as input. If no linked alerts are found, the action will return a failure status. + This action does not modify any internal or external data; it is strictly a data + retrieval action used to gather information about related alerts. capabilities: can_create_case_comments: false can_create_insight: false @@ -532,8 +514,17 @@ Get Linked Alerts: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Vorlon API to retrieve linked alerts. + It does not mutate any external systems (no POST/PUT/DELETE) and does not modify + any internal SOAR data (no entity updates, insights, or comments). It simply + returns the fetched data in the result JSON. categories: enrichment: false + reasoning: >- + While the action fetches data, it does not perform any internal mutations (such + as updating entities, creating insights, or adding comments) to enrich the case. + It is a data retrieval action rather than an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -549,6 +540,9 @@ Get Linked Alerts: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities`. It operates based + on an input parameter `Alert ID` provided by the user, not on SOAR entities. Get Secrets: action_product_categories: add_alert_comment: false @@ -564,6 +558,11 @@ Get Secrets: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves secret details from an external system. It does not match + any of the defined product categories (e.g., Enrich IOC, Enrich Asset, Update + Alert, etc.) as it is not performing enrichment on entities or alerts, nor is + it modifying any system state. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -581,10 +580,8 @@ Get Secrets: ai_description: >- ### General Description - Retrieves detailed information about secrets from the Vorlon platform. This action - allows users to fetch metadata for specific secrets using their IDs or to retrieve - all secrets associated with a particular service. It is primarily used for gathering - context about credentials or sensitive configurations managed within Vorlon. + This action retrieves secret details from the Vorlon server. It allows users to + query secrets either by providing a specific Service ID or a list of Secret IDs. ### Parameters Description @@ -593,36 +590,31 @@ Get Secrets: | :--- | :--- | :--- | :--- | - | Service ID | String | No | The unique identifier (typically the service name) - for which to retrieve all associated secrets. | + | Service ID | string | No | The ID of the service (typically the service name). + | - | Secret IDs | String | No | A comma-separated list of specific secret identifiers - to retrieve details for. | + | Secret IDs | string | No | A comma-separated list of secret IDs. | ### Additional Notes - **Important:** Either the `Secret IDs` parameter or the `Service ID` parameter - must be provided for the action to execute successfully. If both parameters are - provided, or if neither is provided, the action will fail with an error message. + Either `Service ID` or `Secret IDs` must be provided for the action to execute + successfully. ### Flow Description - 1. **Initialization:** The action initializes the Vorlon manager using the provided - API Root, Client ID, and Client Secret from the integration configuration. + 1. The action extracts the necessary configuration parameters (API Root, Client + ID, Client Secret) to authenticate with the Vorlon server. - 2. **Parameter Extraction:** It retrieves the `Secret IDs` and `Service ID` from - the action input parameters. + 2. It extracts the `Service ID` and `Secret IDs` from the action parameters. - 3. **Validation:** The logic checks that exactly one of the two parameters is - populated. If both or neither are provided, an exception is raised. + 3. It initializes the `VorlonManager` with the provided credentials. - 4. **Data Retrieval:** The action calls the Vorlon API's secrets endpoint (`GET - /rest/v1/secrets`) with the appropriate query parameters (`ids` or `service_id`). + 4. It calls the `get_secrets` method, which sends a GET request to the Vorlon + API to retrieve the requested secret details. - 5. **Output:** The retrieved secret details are added to the action's JSON results - and a success message is returned to the SOAR platform. + 5. The retrieved secret details are returned as a JSON result. capabilities: can_create_case_comments: false can_create_insight: false @@ -633,8 +625,17 @@ Get Secrets: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches secret details from the Vorlon server using a GET request. + It does not mutate any external systems, nor does it modify any internal Google + SecOps data (entities, insights, or comments). It simply returns the retrieved + data as a JSON result. categories: - enrichment: true + enrichment: false + reasoning: >- + The action fetches data but does not perform any enrichment on entities or alerts. + It does not update entities, add insights, or add comments. Therefore, it does + not meet the criteria for an Enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -650,6 +651,10 @@ Get Secrets: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `target_entities`. It retrieves data based + on user-provided parameters (`Service ID` or `Secret IDs`) and does not perform + any filtering on entities. Ping: action_product_categories: add_alert_comment: false @@ -665,6 +670,9 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test ('Ping'). It does not match any of the defined + product categories (Enrichment, Containment, Ticket management, etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -682,46 +690,47 @@ Ping: ai_description: >- ### General Description - The **Ping** action is a diagnostic tool used to verify the connectivity between - the Google SecOps (Chronicle) environment and the **Vorlon** instance. It ensures - that the provided credentials (Client ID and Client Secret) are valid and that - the API Root URL is reachable. This action is typically used during the initial - setup of the integration or for troubleshooting communication issues. + The Ping action verifies connectivity between the Google SecOps SOAR platform + and the Vorlon instance. It ensures that the integration configuration (API Root, + Client ID, and Client Secret) is valid and that the server is reachable. ### Parameters Description + There are no action-specific parameters for this action. However, the action relies + on the following integration configuration parameters: + + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | N/A | N/A | N/A | This action does not have any input parameters. It relies - solely on the integration's configuration settings (API Root, Client ID, and Client - Secret). | + | API Root | String | Yes | The base URL of the Vorlon API. | + | Client ID | String | Yes | The client ID used for authentication. | + + | Client Secret | String | Yes | The client secret used for authentication. | - ### Additional Notes - - This action does not process any entities. + ### Additional Notes - - It performs an authentication handshake followed by a basic GET request to the - services endpoint to confirm end-to-end connectivity. + This action is strictly for connectivity testing and does not perform any data + enrichment or system modifications. ### Flow Description - 1. **Configuration Extraction**: The action retrieves the `API Root`, `Client - ID`, and `Client Secret` from the integration's configuration. + 1. Initialize the `SiemplifyAction` object. - 2. **Manager Initialization**: It initializes the `VorlonManager`, which automatically - attempts to fetch an OAuth2 access token using the provided credentials. + 2. Extract the required integration configuration parameters (API Root, Client + ID, Client Secret). - 3. **Connectivity Test**: The action calls the `test_connectivity` method, which - sends a GET request to the `/rest/v1/services` endpoint of the Vorlon API. + 3. Instantiate the `VorlonManager` with the provided credentials. - 4. **Result Reporting**: If the request is successful, the action completes with - a success message. If any step fails (e.g., authentication error or network timeout), - it catches the exception and reports a failure. + 4. Execute the `test_connectivity` method, which performs a GET request to the + Vorlon services endpoint. + + 5. Return a success or failure message based on the connectivity test result. capabilities: can_create_case_comments: false can_create_insight: false @@ -732,8 +741,17 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to verify connectivity to the Vorlon server. + It does not modify any external or internal data, nor does it interact with + entities. While it performs a network request, it does not fetch contextual + data for alerts or entities. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action, which is explicitly excluded from being an enrichment + action. It does not fetch data to enrich entities, nor does it perform any state + changes. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -749,6 +767,8 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. Update Alert: action_product_categories: add_alert_comment: false @@ -764,6 +784,11 @@ Update Alert: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action updates an alert on the external Vorlon system. The 'Update Alert' + category is defined as changing the status, severity, or assignee of the alert + *within the SecOps platform*, which does not apply here. Therefore, none of + the provided categories match. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -779,60 +804,58 @@ Update Alert: update_identity: false update_ticket: false ai_description: >- - ### General Description + Updates an alert on the Vorlon server. This action takes a JSON-formatted alert + update request as input and sends it to the Vorlon API to modify the alert's status + or details. - The **Update Alert** action allows users to modify the properties of an existing - alert within the Vorlon platform. This action is primarily used to change the - status of an alert (e.g., dismissing it) or to apply updates to linked alerts - by providing a structured JSON payload. + ### Flow - ### Parameters Description + 1. Extracts the required configuration parameters (API Root, Client ID, Client + Secret) and the `Alert Object` parameter. - | Parameter | Type | Mandatory | Description | + 2. Initializes the `VorlonManager` with the provided credentials. - | :--- | :--- | :--- | :--- | + 3. Sends a `PUT` request to the Vorlon API endpoint (`/rest/v1/alerts/update`) + with the provided JSON body. - | Alert Object | String | Yes | A JSON-formatted string containing the update - details. It must include the `alert_id` and the specific fields to be updated, - such as `new_status` or `apply_to_linked_alerts`. | + 4. Returns the response from the server as a JSON result. - ### Flow Description + ### Parameters - 1. **Parameter Extraction:** The action retrieves the API configuration (API Root, - Client ID, Client Secret) and the `Alert Object` input string. - - 2. **JSON Validation:** The action attempts to parse the `Alert Object` string - into a JSON object. If the string is not valid JSON, the action fails. + | Parameter | Type | Mandatory | Description | - 3. **API Interaction:** The action calls the Vorlon Manager's `update_alert` method, - which sends a `PUT` request to the `/rest/v1/alerts/update` endpoint with the - validated JSON payload. + | :--- | :--- | :--- | :--- | - 4. **Result Processing:** The response from the Vorlon server, containing the - updated alert's data, is added to the action's JSON results for use in subsequent - playbook steps. + | Alert Object | string | Yes | The alert update request JSON body. Example: `{"alert_id": + "1234567890", "apply_to_linked_alerts": false, "new_status": "dismissed"}` | ### Additional Notes - - This action does not run on specific SecOps entities; it operates based on the - `alert_id` provided within the `Alert Object` parameter. + - This action performs a mutation on an external system (Vorlon server). capabilities: can_create_case_comments: false can_create_insight: false - can_modify_alert_data: false + can_modify_alert_data: true can_mutate_external_data: true can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the status or properties of an alert on the Vorlon server using a PUT + Updates the alert status or details on the external Vorlon server via a PUT request. - fetches_data: true + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a PUT request to an external API to update an alert's status + or details. It does not fetch data, nor does it modify internal SecOps entities + or cases. categories: enrichment: false + reasoning: >- + The action is not an enrichment action because it does not fetch data; it performs + a mutation (update) on an external system. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -848,3 +871,6 @@ Update Alert: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not iterate over `siemplify.target_entities` or use any entity + objects. It takes a raw JSON string as input. diff --git a/content/response_integrations/third_party/community/vorlon/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/community/vorlon/resources/ai/connectors_ai_description.yaml index 09aec72cd..738bceedb 100644 --- a/content/response_integrations/third_party/community/vorlon/resources/ai/connectors_ai_description.yaml +++ b/content/response_integrations/third_party/community/vorlon/resources/ai/connectors_ai_description.yaml @@ -2,11 +2,10 @@ Vorlon Connector: ai_description: >- ### General Description - The Vorlon Connector integrates Google SecOps with the Vorlon platform to automate - the ingestion of security alerts. It monitors for unauthorized or suspicious service-to-service - connections and secret usage, converting these alerts into structured cases for - investigation within the SOAR platform. This allows security teams to centralize - their monitoring of service interactions and potential secret exposures. + The Vorlon Connector enables the ingestion of security alerts from the Vorlon + platform into Google SecOps. It facilitates automated monitoring by periodically + querying the Vorlon API for new alerts, mapping them to standardized case formats, + and creating incidents within the SOAR environment. ### Parameters Description @@ -15,54 +14,49 @@ Vorlon Connector: | :--- | :--- | :--- | :--- | - | API Root | String | Yes | The base URL of the Vorlon instance (e.g., `https://.vorlon.io`). + | API Root | String | Yes | The base URL for the Vorlon API (e.g., https://.vorlon.io). | - | Client ID | String | Yes | The Client ID used for OAuth2 authentication. | + | Client ID | String | Yes | The Client ID used for authentication. | - | Client Secret | Password | Yes | The Client Secret used for OAuth2 authentication. + | Client Secret | Password | Yes | The Client Secret used for authentication. | | DeviceProductField | String | Yes | The field name used to determine the device - product (Default: Vorlon). | + product. | - | EventClassId | String | Yes | The field name used to determine the event name/sub-type - (Default: type). | + | EventClassId | String | Yes | The field name used to determine the event name + (sub-type). | - | Max Days Backwards | String | No | The number of days to look back for alerts - on the first run (Default: 1). | + | Max Days Backwards | String | No | The number of days to look back when fetching + incidents (default is 1). | - | Max Incidents per Fetch | String | Yes | The maximum number of alerts to retrieve - in a single execution cycle (Default: 10). | + | Max Incidents per Fetch | String | Yes | The maximum number of incidents to + retrieve in a single fetch. | - | Open Alerts Only | Boolean | No | If enabled, only fetches alerts with an "open" - status. If disabled, fetches open, dismissed, and resolved alerts. | + | Open Alerts Only | Boolean | No | If enabled, fetches only alerts with an "open" + status; otherwise, fetches all statuses. | - | PythonProcessTimeout | String | Yes | The timeout limit in seconds for the connector - execution process. | + | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the + Python process. | ### Flow Description 1. **Authentication**: The connector authenticates with the Vorlon API using the - provided Client ID and Client Secret to obtain an OAuth2 bearer token via the - `/rest/v1/token` endpoint. + provided Client ID and Client Secret to obtain an access token. - 2. **Timestamp Management**: It retrieves the last successful execution timestamp - from the SOAR database. If no timestamp exists (e.g., first run), it calculates - a starting point based on the "Max Days Backwards" parameter. + 2. **Initialization**: It retrieves configuration parameters and determines the + time range for fetching alerts based on the last successful execution timestamp + or the `Max Days Backwards` setting. - 3. **Alert Retrieval**: The connector queries the Vorlon `/rest/v1/alerts` endpoint, - applying filters for the last saved timestamp, alert status (based on the "Open - Alerts Only" setting), and the "Max Incidents per Fetch" limit. + 3. **Data Fetching**: It queries the Vorlon `/rest/v1/alerts` endpoint, applying + filters for status (if configured) and time range. - 4. **Data Mapping**: Each retrieved alert is transformed into a SOAR event. The - connector extracts critical metadata including requesting/responding service IDs, - service names, secret types, and severity levels. + 4. **Case Creation**: For each retrieved alert, the connector creates a corresponding + event and maps it into a `CaseInfo` object, including details like start/end times, + severity, and service information. - 5. **Case Creation**: The processed events are encapsulated into `CaseInfo` objects, - mapping Vorlon alert titles and IDs to case names and rule generators. - - 6. **Ingestion and Checkpointing**: The cases are ingested into Google SecOps, - and the timestamp of the most recent alert is saved to ensure the next iteration - only fetches new data. + 5. **Ingestion**: The mapped cases are returned to the SOAR platform for processing, + and the latest timestamp is saved to ensure subsequent fetches start from the + correct point. diff --git a/content/response_integrations/third_party/community/vorlon/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/vorlon/resources/ai/integration_ai_description.yaml index 7bf893de0..0f855e630 100644 --- a/content/response_integrations/third_party/community/vorlon/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/community/vorlon/resources/ai/integration_ai_description.yaml @@ -1,5 +1,5 @@ product_categories: - asset_inventory: true + asset_inventory: false cloud_security: true collaboration: false edr: false @@ -7,6 +7,17 @@ product_categories: iam_and_identity_management: false itsm: false network_security: false + reasoning: >- + The Vorlon integration is primarily focused on the discovery, monitoring, and + risk profiling of third-party applications and data in motion. The connector facilitates + the ingestion of security alerts into the SOAR platform, which aligns with SIEM + capabilities for alert ingestion and visibility into activity. Furthermore, the + focus on third-party application risk and monitoring of cloud-based services aligns + with Cloud Security (specifically SaaS security). It does not perform EDR, Network + Security (blocking/firewall), Threat Intelligence (reputation), Email Security, + IAM, ITSM, Vulnerability Management, or Collaboration functions. It is not classified + as Asset Inventory as it focuses on third-party applications rather than internal + IT-managed devices. siem: true threat_intelligence: false vulnerability_management: false diff --git a/content/response_integrations/third_party/community/webhook/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/webhook/resources/ai/actions_ai_description.yaml index b285388f5..edaa37232 100644 --- a/content/response_integrations/third_party/community/webhook/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/webhook/resources/ai/actions_ai_description.yaml @@ -13,6 +13,10 @@ Create Token: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action creates a new webhook token on an external service. It does not match + any of the predefined categories such as 'Create Ticket', 'Enrich IOC', or 'Contain + Host'. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -27,55 +31,22 @@ Create Token: update_email: false update_identity: false update_ticket: false - ai_description: >- - ### General Description - - Creates a new webhook token on the Webhook service. This action generates a unique - URL that can be used to receive incoming HTTP requests, which is useful for testing - integrations or setting up temporary callback endpoints. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Default Content | string | Yes | The content that will be displayed or returned - in the response body when the generated webhook URL is accessed. | - - | Default Content Type | string | Yes | The MIME type of the content (e.g., `text/html` - or `application/json`) to be returned by the webhook URL. | - - | Timeout | string | No | The number of seconds (max 10) the service should wait - before returning a response to a request sent to the webhook URL. | - - - ### Flow Description - - 1. **Parameter Extraction**: The action retrieves the 'Default Content', 'Default - Content Type', and 'Timeout' values from the input parameters. - - 2. **Manager Initialization**: It initializes the WebhookManager using the base - URL from the integration configuration. - - 3. **Token Creation**: The action calls the `create_token` method, which sends - a POST request to the external service's `/token` endpoint with the specified - payload. - - 4. **URL Generation**: Upon receiving a successful response containing a UUID, - the action constructs the full webhook URL. - - 5. **Output**: The action returns the generated URL and the full JSON response - from the service to the SOAR platform. - - - ### Additional Notes - - - The 'Timeout' parameter is intended for testing timeout behaviors and is capped - at 10 seconds. - - - The generated webhook URL is unique to the created token. + ai_description: "Creates a new webhook token on the configured Webhook service.\ + \ This action allows users to generate a unique webhook URL that, when accessed,\ + \ returns specified content and content type. \n\n### Flow Description\n1. Initialize\ + \ the action and retrieve the base URL from the integration configuration.\n2.\ + \ Extract the required parameters: 'Default Content', 'Default Content Type',\ + \ and the optional 'Timeout'.\n3. Invoke the `WebhookManager` to send a POST request\ + \ to the webhook service to generate a new token with the provided configuration.\n\ + 4. Construct the full webhook URL using the returned UUID and the base URL.\n\ + 5. Add the resulting JSON (containing the token details and URL) to the action\ + \ output and terminate the action.\n\n### Parameters Description\n| Parameter\ + \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Default\ + \ Content | string | Yes | Content to be presented upon the webhook URL click,\ + \ if successful. |\n| Default Content Type | string | Yes | Type of content to\ + \ be presented upon the new webhook URL click (e.g., text/html). |\n| Timeout\ + \ | string | No | Amount of seconds to wait before returning the response (intended\ + \ for testing timeouts). Max is 10. |" capabilities: can_create_case_comments: false can_create_insight: false @@ -84,12 +55,19 @@ Create Token: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new webhook token on the external service, which generates a unique - URL for receiving incoming requests. + Creates a new webhook token on the external webhook service. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to an external service to create a new webhook + token. It does not fetch data from external systems, nor does it modify internal + SOAR entities or case data. It only outputs the result of the creation process. categories: enrichment: false + reasoning: >- + The action creates a resource (webhook token) on an external system. It does + not fetch data for enrichment, nor does it modify internal SOAR data. Therefore, + it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -105,6 +83,8 @@ Create Token: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with or process any entities. Delete Token: action_product_categories: add_alert_comment: false @@ -120,6 +100,10 @@ Delete Token: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action deletes a token on an external service. This does not fit any of + the predefined categories (e.g., IOC management, identity management, ticketing, + or email operations). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -135,43 +119,38 @@ Delete Token: update_identity: false update_ticket: false ai_description: >- - ### General Description + ### General description - Deletes a Webhook token using its unique identifier. This action interacts with - the Webhook service to remove the specified token, effectively disabling the associated - webhook URL and preventing any further requests from being received or processed - through it. + Deletes a specific webhook token from the Webhook service using the provided Token + ID. This action interacts with the external Webhook API to remove the token, rendering + the associated URL inaccessible. - ### Parameters Description + ### Parameters description - | Parameter | Description | Type | Mandatory | + | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + | --- | --- | --- | --- | - | Token ID | The unique identifier of the token to be deleted. | String | Yes + | Token ID | string | Yes | The unique identifier of the webhook token to be deleted. | - ### Flow Description + ### Additional notes - 1. **Parameter Extraction**: The action retrieves the `Token ID` provided by the - user. + None. - 2. **Manager Initialization**: Initializes the Webhook manager using the configured - base URL. - 3. **External Request**: Executes a DELETE request to the external Webhook service - endpoint corresponding to the provided token ID. + ### Flow description - 4. **Result Handling**: Captures the response status from the external service - and updates the action result to indicate whether the deletion was successful. + 1. Extract the `Token ID` parameter from the action configuration. + 2. Initialize the `WebhookManager` with the configured base URL. - ### Additional Notes + 3. Send a DELETE request to the external Webhook service to remove the specified + token. - There are no entities involved in this action; it operates solely based on the - provided `Token ID` parameter. + 4. Return the deletion status and update the action result. capabilities: can_create_case_comments: false can_create_insight: false @@ -180,12 +159,20 @@ Delete Token: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Deletes a specific webhook token from the external service, making the associated + Deletes a webhook token from the external Webhook service, rendering the associated URL inaccessible. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a DELETE request to an external API to remove a token. It + does not fetch data, nor does it modify internal SOAR data (entities, insights, + etc.). categories: enrichment: false + reasoning: >- + The action performs a destructive operation (deletion) on an external system. + It does not fetch data for enrichment, nor does it modify internal SOAR data. + Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -201,6 +188,9 @@ Delete Token: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `siemplify.target_entities`. It operates on + a user-provided `Token ID` parameter. Get Webhook Response: action_product_categories: add_alert_comment: false @@ -216,6 +206,9 @@ Get Webhook Response: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves historical webhook request data based on a token ID. This + aligns with the 'Search Events' category as it returns a collection of logs/telemetry. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -231,64 +224,15 @@ Get Webhook Response: update_identity: false update_ticket: false ai_description: >- - The 'Get Webhook Response' action is designed to retrieve data from requests sent - to a specific webhook URL, formatted as `{Base URL}/{Token ID}`. This action is - asynchronous and can be configured to wait for data based on two distinct conditions: - a fixed timeframe or until the first request is detected. It is primarily used - to capture external callbacks or manual interactions (like a user clicking a link) - and bring that data back into the SOAR platform for analysis. - - - ### Flow Description - - 1. **Parameter Initialization:** The action retrieves the `Token ID`, `Responses - To Retrieve` (All or Latest), `TimeFrame`, and `Pending Condition` from the input - parameters. - - 2. **Condition Handling:** - * **TimeFrame Mode:** The action calculates the start time. If the current - execution is within the specified `TimeFrame` (in minutes), it sets the status - to 'In Progress' and waits. Once the timeframe expires, it performs a single fetch - of the webhook requests. - * **AwaitClick Mode:** The action immediately checks for any requests associated - with the `Token ID`. If at least one request is found, it completes. If no requests - are found, it sets the status to 'In Progress' to check again in the next iteration. - 3. **Data Retrieval:** The action calls the Webhook API to fetch request data. - It automatically filters out requests generated by Slackbots (based on the User-Agent). - - 4. **Result Processing:** Depending on the `Responses To Retrieve` parameter, - it returns either the full list of requests or only the most recent one. The data - is then attached to the action results as a JSON object. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Pending Condition | DDL | Yes | Determines the wait logic. `TimeFrame` waits - for a set duration before fetching; `AwaitClick` waits until at least one request - is received. | - - | TimeFrame | String | Yes | The number of minutes to wait before fetching data - when `Pending Condition` is set to `TimeFrame`. | - - | Responses To Retrieve | DDL | Yes | Determines the scope of data returned. `All` - retrieves all captured requests; `Latest` retrieves only the most recent request. - | - - | Token ID | String | Yes | The unique identifier for the webhook token to monitor. - | - - - ### Additional Notes - - * This action does not process SOAR entities; it operates strictly based on the - provided `Token ID` parameter. - - * The action is asynchronous (`is_async: true`), meaning it will yield execution - and resume until the specified condition is met or a system timeout occurs. + Fetches webhook request data for a specific token ID. The action initializes a + WebhookManager and retrieves requests based on the provided token ID. It supports + two waiting conditions: 'TimeFrame' (waits for a specified duration) and 'AwaitClick' + (polls until a request is found). It filters out Slackbot requests and returns + the data as a JSON result. Parameters: 1. Pending Condition (ddl, mandatory): + Determines the waiting logic (TimeFrame or AwaitClick). 2. TimeFrame (string, + mandatory): Minutes to wait if TimeFrame is selected. 3. Responses To Retrieve + (ddl, mandatory): Whether to retrieve 'All' or 'Latest' requests. 4. Token ID + (string, mandatory): The identifier for the webhook token. capabilities: can_create_case_comments: false can_create_insight: false @@ -299,8 +243,13 @@ Get Webhook Response: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve webhook data. It does not modify + external systems or internal SOAR data. categories: enrichment: false + reasoning: >- + The action does not operate on entities, so it cannot be an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -316,6 +265,9 @@ Get Webhook Response: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use target_entities. It uses a Token ID parameter provided + by the user. Ping: action_product_categories: add_alert_comment: false @@ -331,6 +283,9 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test ('Ping'). It does not perform any of the defined + actions such as enriching IOCs, updating tickets, or containing hosts. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -346,39 +301,33 @@ Ping: update_identity: false update_ticket: false ai_description: >- - ### General Description - - The **Ping** action is a diagnostic utility designed to verify the connectivity - between the Google SecOps platform and the Webhook service. Its primary purpose - is to ensure that the integration configuration (specifically the base URL) is - correct and that the external service is reachable and responding to requests. + Tests connectivity to the Webhook integration by sending a GET request to the + configured base URL. This action verifies that the integration is reachable and + properly configured. - ### Parameters Description - - There are no parameters for this action. + ### Parameters + | Parameter | Type | Mandatory | Description | - ### Additional Notes + | :--- | :--- | :--- | :--- | - This action relies on the 'URL' parameter provided in the integration's global - configuration. It does not interact with any entities or alert data. + | URL | String | Yes | The base URL of the Webhook service to test connectivity + against. | ### Flow Description - 1. **Configuration Retrieval**: The action retrieves the 'URL' setting from the - Webhook integration configuration. + 1. Initialize the `SiemplifyAction` object. - 2. **Manager Initialization**: It initializes the `WebhookManager` with the provided - base URL. + 2. Retrieve the `URL` configuration parameter from the integration settings. - 3. **Connectivity Test**: The action executes the `test_connectivity` method, - which performs an HTTP GET request to the base URL. + 3. Instantiate the `WebhookManager` with the provided base URL. - 4. **Execution Outcome**: If the request is successful (no exceptions raised), - the action returns a success message. If the request fails, it captures the error - and returns a failure state. + 4. Execute the `test_connectivity` method, which performs a GET request to the + base URL to verify the service is reachable. + + 5. Return the connectivity status (success or failure) and an appropriate message. capabilities: can_create_case_comments: false can_create_insight: false @@ -387,10 +336,18 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: false + fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to verify connectivity to the Webhook service. + It does not modify any external systems, update entities, or create insights. + It is a read-only connectivity check. categories: enrichment: false + reasoning: >- + The action is named 'Ping' and performs a connectivity test. According to the + provided instructions, 'Actions named Ping must not be categorized as enrichment + actions.' entity_usage: entity_types: [] filters_by_additional_properties: false @@ -406,3 +363,6 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. It is a global connectivity + test that does not reference the `target_entities` list. diff --git a/content/response_integrations/third_party/community/webhook/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/webhook/resources/ai/integration_ai_description.yaml index a4b23e02c..d9bce6fc6 100644 --- a/content/response_integrations/third_party/community/webhook/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/community/webhook/resources/ai/integration_ai_description.yaml @@ -1,12 +1,21 @@ product_categories: asset_inventory: false cloud_security: false - collaboration: true + collaboration: false edr: false email_security: false iam_and_identity_management: false itsm: false network_security: false + reasoning: >- + The Webhook integration provides utility actions for creating, deleting, and retrieving + data from webhook endpoints. It functions as a generic HTTP request receiver and + testing tool. It does not perform security-specific operations such as threat + intelligence enrichment, host containment, identity management, or ticketing. + It does not interact with internal assets, users, or security logs in a way that + aligns with the definitions of SIEM, EDR, Network Security, or other provided + security categories. Consequently, it does not fit into any of the specified product + categories. siem: false threat_intelligence: false vulnerability_management: false diff --git a/content/response_integrations/third_party/community/whois_xml_api/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/whois_xml_api/resources/ai/actions_ai_description.yaml index c8f651d46..007beb403 100644 --- a/content/response_integrations/third_party/community/whois_xml_api/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/whois_xml_api/resources/ai/actions_ai_description.yaml @@ -13,6 +13,11 @@ Enrich Entities: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves WHOIS registration data for domains and URLs, which provides + contextual threat intelligence. This matches the 'Enrich IOC' category. It does + not perform any other operations such as ticket management, containment, or + alert modification. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -30,40 +35,37 @@ Enrich Entities: ai_description: >- ### General Description - Enriches Hostname and URL entities using the Whois XML API. This action retrieves - detailed registration information, such as registrant name, organization, and - contact details, and maps this data directly to the entity's additional properties - within Google SecOps. This provides analysts with immediate context regarding - the ownership and history of external domains and URLs. + This action enriches Hostname and URL entities by retrieving WHOIS registration + data from the Whois XML API. It enhances the context of these entities within + the SOAR platform by populating their additional properties with registrant details, + aiding in threat investigation and attribution. - ### Parameters Description + ### Parameters - There are no action-specific parameters for this action. It relies on the 'API - Key' provided in the integration configuration. + | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Flow Description + | API Key | String | Yes | The API key required to authenticate with the Whois + XML API service. | - 1. **Configuration Retrieval**: Extracts the Whois XML API Key from the integration's - global configuration. - 2. **Entity Filtering**: Iterates through the target entities in the current context, - selecting only those that are of type `HOSTNAME` (and are not marked as internal) - or `URL`. + ### Flow Description - 3. **External API Query**: For each eligible entity, it performs a GET request - to the Whois XML API service using the entity's identifier as the domain name. + 1. **Initialization**: The action retrieves the API key from the integration configuration. - 4. **Data Extraction**: Parses the JSON response to locate the `WhoisRecord` and - specifically the `registrant` details. + 2. **Entity Filtering**: It iterates through the provided target entities, filtering + for `HOSTNAME` (excluding internal hosts) and `URL` entities. - 5. **Internal Enrichment**: Updates the entity's `additional_properties` with - the retrieved registrant information. + 3. **Data Retrieval**: For each valid entity, it constructs a query and performs + a GET request to the Whois XML API to fetch registration information. - 6. **Finalization**: Reports the successfully enriched entities back to Google - SecOps, updates the entity objects in the platform, and provides a summary message - of the results. + 4. **Entity Update**: If registrant details are found in the API response, the + action updates the entity's `additional_properties` with this data. + + 5. **Finalization**: The action pushes the updated entity information back to + the SOAR platform and returns the count of successfully processed entities. capabilities: can_create_case_comments: false can_create_insight: false @@ -74,10 +76,20 @@ Enrich Entities: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with registrant details retrieved from + Updates entity 'additional_properties' with registrant details retrieved from the Whois XML API. + reasoning: >- + The action performs a GET request to an external API (Whois XML API) to retrieve + data, satisfying the 'fetches_data' requirement. It does not modify any external + systems (can_mutate_external_data=false). It updates entity properties within + the SOAR platform using 'update_entities', which constitutes an internal mutation + (can_mutate_internal_data=true). categories: enrichment: true + reasoning: >- + The action fetches external data (WHOIS information) and updates internal entity + properties without modifying external systems or performing unauthorized internal + mutations. This aligns with the definition of an enrichment action. entity_usage: entity_types: - HOSTNAME @@ -95,6 +107,10 @@ Enrich Entities: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over 'siemplify.target_entities' and explicitly filters for + 'HOSTNAME' (where 'is_internal' is false) and 'URL' (mapped to 'DestinationURL') + entity types. Get Domain Details: action_product_categories: add_alert_comment: false @@ -110,6 +126,10 @@ Get Domain Details: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves domain registration details, which provides context and + threat intelligence for a domain indicator. This aligns with the 'Enrich IOC' + category. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -125,47 +145,36 @@ Get Domain Details: update_identity: false update_ticket: false ai_description: >- - ### General Description + Fetches domain registration and availability details from the Whois XML API. This + action retrieves comprehensive WHOIS data for a specified domain, which can be + used for threat intelligence and domain reputation analysis. - The **Get Domain Details** action retrieves comprehensive WHOIS information for - a specified domain using the WHOIS XML API. It provides details such as registration - dates, registrar information, registrant contact details, and name servers. This - action is primarily used to gather context about a domain during an investigation. + ### Parameters - ### Parameters Description + | Parameter | Type | Mandatory | Description | - | Parameter Name | Type | Mandatory | Description | + | --- | --- | --- | --- | - | :--- | :--- | :--- | :--- | - - | Domain Name | String | Yes | The domain name to retrieve WHOIS details for (e.g., - google.com). | + | Domain Name | string | Yes | The domain to scan. | - | Check availability | Boolean | No | If set to true, the action will also check - the availability of the domain. Defaults to false. | + | Check availability | boolean | No | Whether to check domain availability. | ### Flow Description - 1. **Initialization**: The action retrieves the API Key from the integration configuration. - - 2. **Parameter Extraction**: It extracts the target domain name and the optional - availability check flag from the action parameters. + 1. Extract the API key from the integration configuration. - 3. **Request Construction**: A GET request URL is constructed targeting the WHOIS - XML API endpoint, including the domain name and the availability check preference. + 2. Extract the `Domain Name` and `Check availability` parameters from the action + settings. - 4. **Data Retrieval**: The action sends a request to the external API. + 3. Construct the API request URL with the provided parameters. - 5. **Output**: The resulting JSON data is attached to the action results and made - available for subsequent playbook steps. + 4. Execute a GET request to the Whois XML API. + 5. Add the JSON response to the action result and context details. - ### Additional Notes - - This action does not automatically process entities from the case; it requires - a domain name to be provided as a direct input parameter. + 6. End the action with a success message. capabilities: can_create_case_comments: false can_create_insight: false @@ -176,8 +185,16 @@ Get Domain Details: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to an external API (Whois XML API) to retrieve + domain information. It does not modify any external systems or internal case + data (entities, insights, etc.). categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches data from an external source (Whois XML API) and does not + modify any external or internal systems. It meets the criteria for an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -193,6 +210,9 @@ Get Domain Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities`. It extracts parameters + directly from the action configuration. Ping: action_product_categories: add_alert_comment: false @@ -208,6 +228,10 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity check ('Ping') and does not perform any of the + defined operational tasks such as enriching IOCs, updating tickets, or containing + hosts. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -223,41 +247,43 @@ Ping: update_identity: false update_ticket: false ai_description: >- - ### General Description + This action verifies connectivity to the Whois XML API by performing a test request. + It ensures that the provided API key is valid and that the integration can successfully + communicate with the external service. - The **Ping** action is a diagnostic utility designed to verify the connectivity - between the Google SecOps environment and the Whois XML API service. Its primary - purpose is to ensure that the integration is correctly configured and that the - API credentials provided are valid. + ### Flow Description - ### Parameters Description + 1. **Extract Configuration**: The action retrieves the 'API Key' from the integration + configuration. - There are no input parameters for this action. It relies solely on the integration's - configuration settings (API Key). + 2. **Construct Request**: A test GET request is constructed using the provided + API key and a hardcoded domain ('google.com'). + 3. **Execute Request**: The action sends the GET request to the Whois XML API + endpoint. - ### Additional Notes + 4. **Validate Response**: The response is checked for authentication errors (e.g., + 'ApiKey authenticate failed'). - This action is a standard connectivity check. According to the classification - rules, actions named 'Ping' are not categorized as enrichment actions, even though - they perform a read-only request to an external service. + 5. **Finalize**: If the request is successful, the action ends with a success + status. - ### Flow Description + ### Parameters + + | Parameter | Type | Mandatory | Description | - 1. **Configuration Extraction**: The action retrieves the 'API Key' from the integration's - global configuration. + | :--- | :--- | :--- | :--- | - 2. **Connectivity Test**: It performs an HTTP GET request to the Whois XML API - endpoint, using a test query for 'google.com' to validate the communication path. + | API Key | String | Yes | The API key used to authenticate the request to the + Whois XML API. | - 3. **Credential Validation**: The action inspects the response body for specific - error strings (e.g., 'ApiKey authenticate failed') to determine if the credentials - are valid. - 4. **Status Reporting**: If the request is successful and credentials are valid, - the action concludes with a 'Successful Connection' status. + ### Additional Notes + + This action is a diagnostic tool used to verify connectivity and authentication. + It does not perform any data enrichment or state changes. capabilities: can_create_case_comments: false can_create_insight: false @@ -268,8 +294,15 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to verify connectivity. It does not modify + external systems, update entities, or create insights. It is a diagnostic action. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action designed to verify connectivity. According to + the provided guidelines, Ping actions are explicitly excluded from being categorized + as enrichment actions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -285,3 +318,6 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with target_entities or any entity-specific data. + It performs a static connectivity check. diff --git a/content/response_integrations/third_party/community/whois_xml_api/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/whois_xml_api/resources/ai/integration_ai_description.yaml index 2e831240c..83643e15f 100644 --- a/content/response_integrations/third_party/community/whois_xml_api/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/community/whois_xml_api/resources/ai/integration_ai_description.yaml @@ -7,6 +7,12 @@ product_categories: iam_and_identity_management: false itsm: false network_security: false + reasoning: >- + The integration provides WHOIS data for domains and URLs, which is a core function + of threat intelligence enrichment. It helps analysts understand domain ownership + and reputation, which is a standard first step in investigating external indicators. + It does not perform any SIEM, EDR, Network Security, Email Security, IAM, Cloud + Security, ITSM, Vulnerability Management, Asset Inventory, or Collaboration functions. siem: false threat_intelligence: true vulnerability_management: false diff --git a/content/response_integrations/third_party/community/workflow_tools/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/workflow_tools/resources/ai/actions_ai_description.yaml index 365d16dba..d0c4cd7ba 100644 --- a/content/response_integrations/third_party/community/workflow_tools/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/workflow_tools/resources/ai/actions_ai_description.yaml @@ -13,6 +13,10 @@ Approval Request: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action modifies the state of an alert/case by moving it and assigning it + to a reviewer, which matches 'Update Alert'. It also sends a notification to + Slack, which matches 'Send Message'. It does not perform other listed actions. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -27,33 +31,41 @@ Approval Request: update_email: false update_identity: false update_ticket: false - ai_description: "### General Description\nThe **Approval Request** action is designed\ - \ to facilitate manual intervention within a workflow by pausing execution and\ - \ requiring a reviewer's approval. It manages the assignment of cases to specific\ - \ approval managers and provides the option to isolate a specific alert into its\ - \ own case if it is currently grouped with others. Additionally, it integrates\ - \ with Slack to notify the designated reviewer that a case is awaiting their attention.\n\ - \n### Parameters Description\n| Parameter | Description | Type | Mandatory | \n\ - | :--- | :--- | :--- | :--- |\n| Move Alert If Grouped | If set to `true` and\ - \ the current case contains multiple alerts, the action will move the specific\ - \ alert being processed into a new, separate case before assigning it for approval.\ - \ If `false`, the entire case is assigned as-is. | Boolean | No (Default: true)\ - \ |\n\n### Additional Notes\n- This action requires several integration-level\ - \ configuration parameters to be set, including the Siemplify API Key, API Root,\ - \ Instance Hostname, and a Slack Webhook URL.\n- The 'Approval Manager' and 'Secondary\ - \ Approval Manager' are defined at the integration configuration level, not as\ - \ action parameters.\n- If the alert is moved to a new case, the action returns\ - \ both the original and the new case IDs in the JSON result.\n\n### Flow Description\n\ - 1. **Initialization**: The action retrieves configuration details for the Siemplify\ - \ API and Slack webhook.\n2. **Grouping Check**: It evaluates the `Move Alert\ - \ If Grouped` parameter. If enabled and the case contains more than one alert,\ - \ it triggers a request to the Siemplify API to move the current alert to a new\ - \ case.\n3. **Case Assignment**: The action assigns the relevant case (either\ - \ the original one or the newly created one) to the designated 'Approval Manager'.\n\ - 4. **Notification**: It constructs a message containing a direct link to the case\ - \ and sends it to the configured Slack channel via a webhook.\n5. **Completion**:\ - \ The action finishes with a status of 'Completed', providing the case IDs and\ - \ assignment details in the output." + ai_description: >- + ### General Description + + This action manages workflow approvals by assigning cases to designated reviewers + and optionally moving alerts to new cases if they are grouped. It integrates with + the Google SecOps (Siemplify) API to perform case management tasks and sends notifications + to a configured Slack webhook. + + + ### Parameters + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Move Alert If Grouped | boolean | false | If true, moves the alert to a new + case if it is currently grouped with other alerts. | + + + ### Flow Description + + 1. Extracts configuration parameters including API credentials, Slack webhook, + and approval managers. + + 2. Determines if the alert needs to be moved to a new case based on the `Move + Alert If Grouped` parameter and the number of alerts in the case. + + 3. If moving is required, calls the API to move the alert to a new case. + + 4. Assigns the case (or the new case) to the specified approval manager. + + 5. Sends a notification to the configured Slack webhook. + + 6. Returns a JSON result containing the original case ID, new case ID (if applicable), + and reviewer information. capabilities: can_create_case_comments: false can_create_insight: false @@ -62,14 +74,24 @@ Approval Request: can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: >- - Sends a notification message to an external Slack channel via a webhook to alert - a reviewer. - fetches_data: false + Moves the alert to a new case via an external API call and sends a notification + to Slack. + fetches_data: true internal_data_mutation_explanation: >- - Reassigns the case to a specific user and potentially moves an alert to a new - case, changing the case structure within Google SecOps. + Assigns the case to the approval manager using the internal SOAR API. + reasoning: >- + The action performs external API calls to move alerts and send Slack messages + (can_mutate_external_data=true). It also uses internal SOAR methods to assign + cases (can_mutate_internal_data=true). It fetches user profiles via an API call + (fetches_data=true). It modifies alert/case state by moving alerts and assigning + cases (can_modify_alert_data=true). It does not update entities, create insights, + or create case comments. categories: enrichment: false + reasoning: >- + The action is a workflow management tool that modifies case and alert state. + It does not fit the definition of an enrichment action as it does not retrieve + contextual data for entities to enrich their profiles. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -85,6 +107,10 @@ Approval Request: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action operates on the case and alert level using `siemplify.case.identifier` + and `siemplify.current_alert.identifier`. It does not iterate over `target_entities` + or use entity-specific identifiers. Approval Response: action_product_categories: add_alert_comment: true @@ -100,6 +126,9 @@ Approval Response: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action adds a comment to the alert/case, matching 'Add Alert Comment'. It + also sends a message to Slack, matching 'Send Message'. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -114,33 +143,55 @@ Approval Response: update_email: false update_identity: false update_ticket: false - ai_description: "### General Description\nThe **Approval Response** action allows\ - \ an authorized user (Approval Manager) to respond to a pending approval request\ - \ within a Google SecOps workflow. It validates the identity of the user attempting\ - \ the action against a predefined list of managers or roles. Once validated, it\ - \ records the approval or denial decision, attaches reviewer comments to the case,\ - \ and sends a notification to a Slack channel.\n\n### Parameters Description\n\ - \n| Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :---\ - \ |\n| Action Approved | Boolean | Yes | Determines the outcome of the request.\ - \ If set to `True`, the request is approved; if `False`, it is denied. |\n| Response\ - \ Comments | String | No | Optional notes or justification provided by the reviewer.\ - \ These are added as a comment to the case. |\n\n### Flow Description\n1. **Configuration\ - \ Extraction:** The action retrieves integration settings including API credentials,\ - \ Slack webhook URLs, and the identities of authorized Approval Managers.\n2.\ - \ **User Validation:** It identifies the user who triggered the action (`original_requesting_user`)\ - \ and checks if they match the authorized manager names or belong to the authorized\ - \ SOC roles by querying the Google SecOps API.\n3. **Decision Processing:** \n\ - \ * If the user is authorized and the action is approved, it prepares an approval\ - \ message.\n * If the user is authorized and the action is denied, it prepares\ - \ a denial message.\n * If the user is unauthorized, the action fails and sends\ - \ an error notification to Slack.\n4. **Internal Documentation:** If comments\ - \ were provided, the action adds them to the case wall using the `add_comment`\ - \ method.\n5. **External Notification:** The final decision (including the reviewer's\ - \ name and comments) is posted to the configured Slack webhook.\n\n### Additional\ - \ Notes\n* This action requires the `Workflow Tools` integration to be configured\ - \ with a valid Siemplify API Key and Root to perform user role validation.\n*\ - \ If the `Approval Manager` parameter starts with an `@` symbol, the action treats\ - \ it as a Role check rather than a specific username check." + ai_description: >- + ### General Description + + The Approval Response action allows authorized users to approve or deny a workflow + request within the Google SecOps platform. It verifies the requesting user's authorization + against configured approval managers and, upon success, updates the workflow status, + logs the decision, and optionally adds comments to the case. It also provides + notifications via Slack. + + + ### Flow Description + + 1. **Configuration Extraction**: Retrieves integration settings including API + credentials, Slack webhook URL, and authorized approval managers. + + 2. **Authorization Check**: Validates if the `original_requesting_user` matches + the primary or secondary approval manager (or their roles). + + 3. **Decision Processing**: Based on the `Action Approved` parameter, it sets + the approval status and prepares a corresponding message. + + 4. **Case Commenting**: If `Response Comments` are provided, it appends these + notes to the current case and alert. + + 5. **Notification**: Sends the approval/denial status message to the configured + Slack webhook. + + 6. **Result Reporting**: Finalizes the action with the execution status and result + JSON. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Action Approved | boolean | Yes | Determines if the request is approved (True) + or denied (False). | + + | Response Comments | string | No | Optional notes to be added to the case wall + upon approval or denial. | + + + ### Additional Notes + + This action does not operate on specific entities; it functions at the case and + alert level. Authorization is strictly enforced; if the user is not authorized, + the action will fail. capabilities: can_create_case_comments: true can_create_insight: false @@ -149,14 +200,18 @@ Approval Response: can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: >- - Sends a notification message to an external Slack channel via a webhook to report - the approval or denial of a request. + Sends a notification message to a configured Slack webhook. fetches_data: true - internal_data_mutation_explanation: >- - Adds a comment to the Google SecOps case containing the reviewer's notes and - decision details. + internal_data_mutation_explanation: Adds a comment to the case wall. + reasoning: >- + The action queries the Siemplify API to verify user roles (fetches data). It + sends a message to an external Slack webhook (mutates external data). It adds + a comment to the case wall (mutates internal data/creates case comment). categories: enrichment: false + reasoning: >- + The action is a workflow/operational tool for approvals. It does not fetch context + about entities, so it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -172,6 +227,10 @@ Approval Response: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action operates on the case and alert context directly using `siemplify.case.identifier` + and `siemplify.current_alert.identifier`. It does not iterate over or filter + `target_entities`. Assign Case to Current User: action_product_categories: add_alert_comment: false @@ -187,6 +246,9 @@ Assign Case to Current User: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action updates the assignee of the case, which aligns with the 'Update Alert' + category (as it modifies alert/case metadata within the SecOps platform). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -201,25 +263,21 @@ Assign Case to Current User: update_email: false update_identity: false update_ticket: false - ai_description: "### General Description\nThis action assigns the current case and\ - \ alert to the user who manually triggered the action. It is specifically designed\ - \ to be used at the beginning of a playbook to establish ownership when an analyst\ - \ begins investigating a case. \n\n### Parameters Description\nThere are no input\ - \ parameters for this action.\n\n### Additional Notes\n* This action **must**\ - \ be executed manually by a user. If triggered automatically by the system (e.g.,\ - \ as part of an automated playbook run without manual intervention), the action\ - \ will fail because it cannot assign a case to the 'System' user.\n* The action\ - \ requires the 'Workflow Tools' integration to be configured with a valid Siemplify\ - \ API Key and Root URL to perform the assignment.\n\n### Flow Description\n1.\ - \ **Configuration Extraction:** The action retrieves the API Key, API Root, and\ - \ Instance Hostname from the integration settings.\n2. **Context Retrieval:**\ - \ It identifies the current Case ID, Alert ID, and the username of the person\ - \ who requested the action execution.\n3. **User Validation:** The action checks\ - \ if the requesting user is the 'System' user. If it is, the action raises an\ - \ error, as it requires a human analyst for assignment.\n4. **Assignment:** If\ - \ valid, the action calls the internal API to assign the specific case and alert\ - \ to the requesting user.\n5. **Completion:** The action finishes by returning\ - \ the username of the assigned analyst as the result value." + ai_description: "### General Description\nAssigns the current case to the user who\ + \ triggered the playbook action. This action is designed to be placed at the start\ + \ of a playbook and executed when an analyst begins working on a case.\n\n###\ + \ Parameters Description\n| Parameter | Type | Mandatory | Description |\n| :---\ + \ | :--- | :--- | :--- |\n| Siemplify API Key | String | Yes | The API key used\ + \ to authenticate with the Siemplify API. |\n| Siemplify API Root | String | Yes\ + \ | The base URL for the Siemplify API. |\n| Siemplify Instance Hostname | String\ + \ | Yes | The hostname of the Siemplify instance. |\n\n### Additional Notes\n\ + - This action will fail if the requesting user is the \"System\" user. \n- This\ + \ playbook action must be set to manual execution to work, as it relies on the\ + \ `original_requesting_user` context.\n\n### Flow Description\n1. Extract configuration\ + \ parameters (API Key, API Root, Hostname).\n2. Identify the current case ID,\ + \ alert ID, and the user who triggered the action.\n3. Validate that the requesting\ + \ user is not the \"System\" user.\n4. Use the `WorkflowToolsManager` to assign\ + \ the case to the requesting user via the internal `siemplify.assign_case` method." capabilities: can_create_case_comments: false can_create_insight: false @@ -230,10 +288,16 @@ Assign Case to Current User: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: >- - Assigns the current case and alert to the user who triggered the action within - the Google SecOps platform. + Updates the case assignee to the user who triggered the action. + reasoning: >- + The action modifies the internal state of the case by assigning it to a specific + user. It does not fetch external data or mutate external systems. It uses internal + SOAR methods to perform the assignment. categories: enrichment: false + reasoning: >- + The action is an operational task to assign a case, not an enrichment action. + It does not fetch data from external sources. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -249,6 +313,9 @@ Assign Case to Current User: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not process entities from the `target_entities` list. It operates + on the case and alert identifiers directly. Ping: action_product_categories: add_alert_comment: false @@ -264,6 +331,9 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action performs a connectivity check and sends a test message to Slack. + Sending a message to Slack aligns with the 'Send Message' category. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -279,46 +349,44 @@ Ping: update_identity: false update_ticket: false ai_description: >- - ### General Description + This action performs a connectivity check and configuration validation for the + 'Workflow Tools' integration. It verifies API access by querying user profiles + and tests the Slack integration by sending a test message. - The **Ping** action is a diagnostic tool designed to verify the connectivity and - configuration of the Workflow Tools integration. It performs a two-fold validation: - first, it checks the availability and permissions of the configured Approval Managers - within the Google SecOps (Chronicle) environment; second, it verifies the outbound - communication to Slack by sending a test message via a webhook. + ### Parameters - ### Parameters Description + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | - This action does not take any dynamic input parameters. It relies entirely on - the integration's global configuration settings: + | Siemplify API Key | String | Yes | API key for authentication. | - * **Siemplify API Key/Root**: Used to authenticate and communicate with the internal - SecOps API. + | Siemplify API Root | String | Yes | Base URL for the API. | - * **Slack Webhook URL**: The endpoint used to send the test notification. + | Siemplify Instance Hostname | String | Yes | Hostname of the instance. | - * **Approval Manager / Secondary Approval Manager**: The identities or roles that - the action attempts to verify. + | Slack Webhook URL | String | No | URL for Slack notifications. | + + | Approval Manager | String | Yes | Primary reviewer name or role. | + + | Secondary Approval Manager | String | No | Secondary reviewer name or role. + | ### Flow Description - 1. **Configuration Extraction**: The action retrieves the API keys, hostnames, - and reviewer identities from the integration settings. + 1. Extracts configuration parameters (API credentials, Slack webhook, and reviewer + details). - 2. **Manager Initialization**: Initializes the `WorkflowToolsManager` to handle - API requests. + 2. Initializes the `WorkflowToolsManager`. - 3. **User Verification**: Calls the internal SecOps API (`GetUserProfiles`) to - verify that the primary and secondary Approval Managers exist or that the current - user belongs to the specified roles. + 3. Validates the provided reviewer and secondary reviewer against the SecOps user + profiles via API. - 4. **External Notification**: Sends a test message ("This is a test message. Posted - by Workflow Tools Ping.") to the configured Slack Webhook URL. + 4. Sends a test message to the configured Slack webhook. - 5. **Completion**: If all API calls and the Slack webhook request succeed, the - action returns a success status. + 5. Logs the completion status. capabilities: can_create_case_comments: false can_create_insight: false @@ -326,12 +394,19 @@ Ping: can_mutate_external_data: true can_mutate_internal_data: false can_update_entities: false - external_data_mutation_explanation: >- - Sends a test message to a Slack channel using the configured Webhook URL. + external_data_mutation_explanation: Sends a test message to a Slack webhook. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches user profile data from the API (fetches_data=true) and sends + a test message to a Slack webhook (can_mutate_external_data=true). It does not + modify internal SOAR data or entities. categories: enrichment: false + reasoning: >- + The action is named 'Ping' and performs a connectivity check. According to the + guidelines, actions named 'Ping' must not be categorized as enrichment actions. + It does not perform any data enrichment on entities. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -347,3 +422,7 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `target_entities` or use any entity-specific + identifiers. It operates based on configuration parameters provided in the integration + settings. diff --git a/content/response_integrations/third_party/community/workflow_tools/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/workflow_tools/resources/ai/integration_ai_description.yaml index 6896a3667..5bb8cdd81 100644 --- a/content/response_integrations/third_party/community/workflow_tools/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/community/workflow_tools/resources/ai/integration_ai_description.yaml @@ -7,6 +7,17 @@ product_categories: iam_and_identity_management: false itsm: true network_security: false + reasoning: >- + The 'workflow_tools' integration is designed for case management, workflow orchestration, + and human-in-the-loop processes. It qualifies for 'Collaboration' because it explicitly + implements approval workflows ('Approval Request' and 'Approval Response') and + sends notifications to Slack, which aligns with the requirement for human-in-the-loop + approval and SOC notification. It also qualifies for 'ITSM' because it manages + the investigation lifecycle by assigning cases to users and adding comments to + the case wall, which serves the purpose of documenting investigations and assigning + tasks. It does not perform functions related to SIEM, EDR, Network Security, Threat + Intelligence, Email Security, IAM, Cloud Security, Vulnerability Management, or + Asset Inventory. siem: false threat_intelligence: false vulnerability_management: false diff --git a/content/response_integrations/third_party/community/zoom/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/community/zoom/resources/ai/actions_ai_description.yaml index 9227c9fb7..76f0d43cd 100644 --- a/content/response_integrations/third_party/community/zoom/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/community/zoom/resources/ai/actions_ai_description.yaml @@ -13,6 +13,10 @@ Create Meeting: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action creates a meeting in Zoom. None of the provided categories (Enrichment, + Ticket, Alert, Identity, Containment, Email, File, etc.) match the functionality + of creating a meeting. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -28,62 +32,48 @@ Create Meeting: update_identity: false update_ticket: false ai_description: >- - ### General Description - - Creates a scheduled or instant meeting in Zoom for a specified host. This action - allows for the automated creation of collaboration sessions directly from a playbook, - facilitating rapid incident response coordination. + Creates a scheduled or instant meeting in Zoom. This action interacts with the + Zoom API to provision a new meeting based on the provided configuration parameters. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Meeting Type | Dropdown | Yes | Specifies if the meeting is 'Instant' or 'Scheduled'. - Note that 'Instant' will override 'Scheduled' configurations. | + | Meeting Type | ddl | Yes | The type of the meeting: 'Instant' or 'Scheduled'. + | - | Meeting Start Time | String | Yes | The start time for scheduled meetings. Expected - format is GMT 'yyyy-mm-dd hh:mm:ss'. | + | Meeting Start Time | string | Yes | Meeting start time (required for scheduled + meetings). Format: GMT yyyy-mm-dd hh:mm:ss. | - | Meeting Topic | String | Yes | The title or subject of the meeting. | + | Meeting Topic | string | Yes | The topic of the meeting. | - | Auto Recording Type | Dropdown | Yes | Determines if the meeting should be recorded - automatically. Options are 'local', 'cloud', or 'none'. | + | Auto Recording Type | ddl | Yes | Recording setting: 'local', 'cloud', or 'none'. + | - | Time Zone | String | Yes | The time zone for the meeting in 'Continent/Country' - format (e.g., 'Europe/London'). | + | Time Zone | string | Yes | The time zone in Continent/Country format. | - | Meeting Duration | String | Yes | The length of the meeting in minutes. | + | Meeting Duration | string | Yes | The meeting duration in minutes. | - | Host Email Address | String | Yes | The email address of the Zoom user who will - be the host of the meeting. | + | Host Email Address | string | Yes | The email address of the meeting host. | - ### Additional Notes - - - This action requires either OAuth credentials (Account ID, Client ID, Client - Secret) or a JWT Token to be configured in the Zoom integration settings. + ### Flow - - Upon successful creation, the action provides a direct 'Meeting URL link' in - the SOAR interface for easy access. + 1. The action extracts the required parameters from the configuration. + 2. It initializes the `ZoomManager` with the integration credentials. - ### Flow Description + 3. It calls the `create_meeting` method, which performs a POST request to the + Zoom API. - 1. **Parameter Extraction**: The action retrieves all user-provided parameters - including topic, type, timing, and host email. + 4. If the meeting is created successfully, the action adds the meeting URL as + a link to the result and attaches the full JSON response. - 2. **Authentication**: Initializes the Zoom Manager using the integration's configuration - to authenticate with the Zoom API. - - 3. **API Request**: Sends a POST request to the Zoom API endpoint `/users/{host_email}/meetings` - with a payload containing the meeting configuration. - - 4. **Output Generation**: If the meeting is created, the action extracts the join - URL to create a clickable link in the SOAR and returns the complete meeting metadata - as a JSON result. + 5. If the creation fails, the action sets the execution state to failed and logs + the error. capabilities: can_create_case_comments: false can_create_insight: false @@ -92,11 +82,18 @@ Create Meeting: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new meeting record in the Zoom platform for the specified host email. + Creates a new meeting in the Zoom platform. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the Zoom API to create a meeting, which + constitutes an external data mutation. It does not fetch data from external + systems, nor does it modify internal SOAR data, entities, or alert information. categories: enrichment: false + reasoning: >- + The action creates a meeting in an external system (Zoom). It does not fetch + data for enrichment purposes, so it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -112,6 +109,9 @@ Create Meeting: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use or iterate over entities. It relies solely on parameters + provided in the action configuration. Create User: action_product_categories: add_alert_comment: false @@ -127,6 +127,10 @@ Create User: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action creates a new user in Zoom. None of the provided categories explicitly + cover 'Create User'. 'Update Identity' is for modifying existing accounts, not + creating new ones. Therefore, no category is selected. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -139,15 +143,14 @@ Create User: uncontain_host: false update_alert: false update_email: false - update_identity: true + update_identity: false update_ticket: false ai_description: >- ### General Description - The **Create User** action allows administrators to programmatically create a - new user account within the Zoom platform. It facilitates identity management - by automating the provisioning of users with specific license types and contact - information directly from Google SecOps. + This action creates a new user account within the Zoom platform. It allows administrators + to provision users by specifying their first name, last name, email address, and + license type. ### Parameters Description @@ -156,40 +159,38 @@ Create User: | :--- | :--- | :--- | :--- | - | **First Name** | string | True | The first name of the user to be created. | + | First Name | string | Yes | The first name of the user to be created. | - | **Last Name** | string | True | The last name of the user to be created. | + | Last Name | string | Yes | The last name of the user to be created. | - | **Email** | string | True | The email address associated with the new Zoom account. - This serves as the unique identifier. | + | Email | string | Yes | The email address of the user to be created. | - | **User Type** | ddl | True | The license level for the user. Options include: - 'Basic', 'Licensed', or 'On-prem'. | + | User Type | ddl | Yes | The license type for the user. Options: 'Basic', 'Licensed', + 'On-prem'. | ### Additional Notes - * The action first performs a check to see if a user with the provided email already - exists in Zoom. If the user exists, the action will fail to prevent duplicate - creation. - - * The 'User Type' determines the features and limitations available to the user - within Zoom. + This action performs a check to see if the user already exists before attempting + creation. If the user already exists, the action will fail. The action returns + the details of the created user in the result JSON. ### Flow Description - 1. **Parameter Extraction:** The action retrieves the first name, last name, email, - and user type from the input parameters. + 1. The action extracts the required parameters (First Name, Last Name, Email, + User Type) from the configuration. + + 2. It initializes the ZoomManager using the provided integration credentials. - 2. **Pre-check:** It queries the Zoom API to verify if the email address is already - registered. + 3. It attempts to fetch the user details using the provided email to check if + the user already exists. - 3. **User Creation:** If the email is unique, it sends a POST request to the Zoom - `/users` endpoint with the specified user details. + 4. If the user does not exist, it performs a POST request to the Zoom API to create + the new user with the specified details. - 4. **Result Processing:** Upon successful creation, the action retrieves the new - user's metadata from Zoom and attaches it as a JSON result to the action output. + 5. If the creation is successful, it returns the user details in the action result; + otherwise, it reports a failure. capabilities: can_create_case_comments: false can_create_insight: false @@ -198,12 +199,19 @@ Create User: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new user account in the Zoom platform via a POST request to the /users - endpoint. + Creates a new user account in the Zoom platform. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to check for user existence and a POST request + to create a user in Zoom. It does not modify internal SOAR data or entities, + nor does it update alert data or create insights. categories: enrichment: false + reasoning: >- + The action creates a user in an external system (Zoom). It is not an enrichment + action as it performs a mutation (creation) and does not primarily fetch data + for enrichment purposes (the fetch is a check for existence). entity_usage: entity_types: [] filters_by_additional_properties: false @@ -219,6 +227,9 @@ Create User: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on SOAR entities. It takes input parameters directly + from the action configuration and does not iterate over `target_entities`. Delete User: action_product_categories: add_alert_comment: false @@ -234,6 +245,10 @@ Delete User: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action deletes a user from Zoom, which is an identity management operation. + It removes the user's access and existence in the system, which aligns with + the 'Disable Identity' category. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -246,64 +261,55 @@ Delete User: uncontain_host: false update_alert: false update_email: false - update_identity: true + update_identity: false update_ticket: false ai_description: >- - ### General Description - - Deletes a user permanently from the Zoom platform. This action allows for the - optional transfer of the user's associated data, including future meetings, past - recordings, and future webinars, to a designated recipient email address before - the account is removed. + Deletes a user permanently from Zoom. This action allows for the optional transfer + of the deleted user's meetings, recordings, and webinars to another specified + user. - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | + ### Flow Description - | Deleted User Email | string | Yes | The email address of the Zoom user to be - permanently deleted. | + 1. Extracts the `Deleted User Email` and transfer preferences (meetings, recordings, + webinars) from the action parameters. - | Transfer Email | string | No | The email address of the user who will receive - the transferred data (meetings, recordings, webinars). | + 2. Checks if the user has any meetings, recordings, or webinars to transfer using + the Zoom API. - | Transfer Meeting | boolean | No | If set to true, transfers all future scheduled - meetings to the Transfer Email recipient. | + 3. Performs a `DELETE` request to the Zoom API to remove the user, optionally + transferring their data to the specified `Transfer Email`. - | Transfer Recordings | boolean | No | If set to true, transfers all past cloud - recordings to the Transfer Email recipient. | + 4. Returns the deletion status in the action result. - | Transfer Webinar | boolean | No | If set to true, transfers all future scheduled - webinars to the Transfer Email recipient. | + ### Parameters - ### Additional Notes + | Parameter | Type | Mandatory | Description | - - The action first checks if the user has any recordings, webinars, or meetings - before attempting a transfer. If no data is found for a specific category, the - transfer flag for that category is automatically set to false to prevent API errors. + | :--- | :--- | :--- | :--- | - - This action performs a permanent deletion (disassociation) of the user account. + | `Deleted User Email` | string | Yes | The email address of the user to be permanently + deleted. | + | `Transfer Meeting` | boolean | No | If true, transfers future meetings scheduled + for the deleted user to the `Transfer Email`. | - ### Flow Description + | `Transfer Recordings` | boolean | No | If true, transfers past recordings associated + with the deleted user to the `Transfer Email`. | - 1. **Parameter Extraction:** Retrieves the target user's email and the transfer - configurations from the action parameters. + | `Transfer Webinar` | boolean | No | If true, transfers future webinars scheduled + for the deleted user to the `Transfer Email`. | - 2. **Data Validation:** Queries the Zoom API to check for the existence of recordings, - webinars, and meetings for the target user. + | `Transfer Email` | string | No | The email address of the user to whom the data + will be transferred. Required if any transfer option is set to true. | - 3. **Conditional Flag Adjustment:** Updates the transfer flags based on whether - data actually exists to be transferred. - 4. **User Deletion:** Sends a DELETE request to the Zoom API with the specified - transfer parameters. + ### Additional Notes - 5. **Result Reporting:** Returns a JSON result indicating whether the deletion - was successful or if the user was not found. + If any of the transfer options (`Transfer Meeting`, `Transfer Recordings`, `Transfer + Webinar`) are set to true, the `Transfer Email` parameter should be provided to + specify the recipient of the transferred data. capabilities: can_create_case_comments: false can_create_insight: false @@ -312,12 +318,20 @@ Delete User: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Permanently deletes a user account from the Zoom platform and optionally transfers - their data (meetings, webinars, recordings) to another user. + Deletes the specified user account from Zoom and optionally transfers their + data (meetings, recordings, webinars) to another user. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a DELETE request to the Zoom API to remove a user, which + constitutes an external data mutation. It also fetches data (lists meetings, + recordings, and webinars) to check for transfer eligibility before deletion. + It does not modify internal SOAR data or entities. categories: enrichment: false + reasoning: >- + The action is a destructive mutation (deletion) of an external identity, not + an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -333,6 +347,9 @@ Delete User: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on `target_entities`. It uses the `Deleted User + Email` parameter to identify the user to be deleted. Enrich Entities: action_product_categories: add_alert_comment: false @@ -348,6 +365,10 @@ Enrich Entities: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves user profile information from Zoom and updates the entity + in the SOAR platform. This matches the 'Enrich Asset' category. It does not + match 'Enrich IOC' as it targets users, not indicators of compromise. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -362,28 +383,59 @@ Enrich Entities: update_email: false update_identity: false update_ticket: false - ai_description: "Enriches User entities with account information retrieved from\ - \ Zoom. This action identifies User entities within the current context, queries\ - \ the Zoom API for their specific profile details (such as department, job title,\ - \ account status, and creation time), and maps this data back to the entity's\ - \ additional properties in Google SecOps. \n\n### Flow Description:\n1. **Initialization**:\ - \ The action initializes the Zoom Manager using the integration's configuration\ - \ credentials (OAuth or JWT).\n2. **Entity Filtering**: It iterates through the\ - \ target entities and filters for those of type 'USER'.\n3. **Data Retrieval**:\ - \ For each identified User entity, it performs a GET request to the Zoom API using\ - \ the entity's identifier (email address) to fetch comprehensive user details.\n\ - 4. **Data Processing**: The retrieved JSON data is flattened and prefixed with\ - \ 'Zoom' to ensure clarity and prevent data collisions.\n5. **Internal Update**:\ - \ The action updates the entity's 'additional_properties' with the enriched data\ - \ and marks the entity as 'enriched'.\n6. **Completion**: It updates the entities\ - \ within the SecOps platform and provides a JSON result containing the raw data\ - \ for all successfully enriched users.\n\n### Parameters Description:\n| Parameter\ - \ Name | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| None\ - \ | N/A | No | This action does not have any action-specific parameters; it relies\ - \ on the global integration configuration for authentication. |\n\n### Additional\ - \ Notes:\n* This action is strictly read-only regarding the external Zoom environment.\n\ - * If an error occurs while processing a specific entity, the action logs the error\ - \ and continues to the next entity." + ai_description: >- + ### General Description + + This action enriches User entities by retrieving detailed profile information + from Zoom. It connects to the Zoom API using either JWT or OAuth credentials, + fetches user-specific data, and updates the entity's `additional_properties` within + the SOAR platform to provide analysts with context. + + + ### Parameters + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | JWT Token | String | No | Token used for JWT authentication. Either this or + OAuth credentials must be provided. | + + | Account ID | String | No | Account ID for OAuth authentication. | + + | Client ID | String | No | Client ID for OAuth authentication. | + + | Client Secret | String | No | Client Secret for OAuth authentication. | + + + ### Additional Notes + + Either the `JWT Token` or the set of OAuth parameters (`Account ID`, `Client ID`, + `Client Secret`) must be configured for the action to authenticate successfully + with Zoom. + + + ### Flow Description + + 1. **Initialization**: The action initializes the `ZoomManager` using the provided + configuration parameters. + + 2. **Entity Iteration**: It iterates through all target entities provided in the + SOAR case. + + 3. **Filtering**: It filters the entities to process only those of type `USER`. + + 4. **Data Retrieval**: For each valid user entity, it calls the Zoom API to fetch + user details. + + 5. **Data Processing**: The retrieved user data is flattened and prefixed with + "Zoom" to ensure clarity. + + 6. **Entity Update**: The action updates the entity's `additional_properties` + with the Zoom data and marks the entity as enriched (`is_enriched = True`). + + 7. **Finalization**: It updates the entities in the SOAR platform and adds the + full JSON result to the action output. capabilities: can_create_case_comments: false can_create_insight: false @@ -394,10 +446,19 @@ Enrich Entities: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates the 'additional_properties' and 'is_enriched' fields of the User entities - within Google SecOps. + Updates entity additional_properties and sets the is_enriched flag to true within + the SOAR platform. + reasoning: >- + The action fetches user data from the Zoom API (fetches_data=true). It does + not modify external systems (can_mutate_external_data=false). It updates entity + properties within the SOAR platform (can_mutate_internal_data=true, can_update_entities=true). + It does not create insights, modify alert data, or create case comments. categories: enrichment: true + reasoning: >- + The action fetches data from an external source (Zoom) and updates internal + entity properties without modifying external state. This fits the definition + of an enrichment action. entity_usage: entity_types: - USERUNIQNAME @@ -414,6 +475,9 @@ Enrich Entities: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and explicitly filters for + `EntityTypes.USER`. Get Meeting Recording: action_product_categories: add_alert_comment: false @@ -429,6 +493,11 @@ Get Meeting Recording: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves specific meeting recording details from Zoom. It does not + match any of the specific categories like 'Enrich IOC', 'Create Ticket', or + 'Contain Host'. It is a data retrieval action that does not fit the defined + product categories. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -444,43 +513,42 @@ Get Meeting Recording: update_identity: false update_ticket: false ai_description: >- - ### General Description + Fetches meeting recording details from Zoom using a provided Meeting ID. This + action retrieves the recording information, including the share URL, and adds + it to the action results for the analyst to review. + - The **Get Meeting Recording** action retrieves the details and sharing URL of - a specific Zoom meeting recording stored in the cloud. This action is primarily - used to gather evidence or review recorded communications associated with a security - incident. It fetches comprehensive metadata about the recording, including the - start time, duration, and individual recording files. + ### Flow Description + 1. The action initializes the `ZoomManager` using the configured integration credentials. - ### Parameters Description + 2. It extracts the `Meeting ID` parameter provided by the user. - | Parameter Name | Description | Type | Mandatory | Notes | + 3. It performs a GET request to the Zoom API to retrieve the recording details + for the specified meeting. - | :--- | :--- | :--- | :--- | :--- | + 4. The action extracts the `share_url` from the response. - | Meeting ID | The unique identifier of the Zoom meeting for which the recording - is being requested. | String | Yes | This ID is used to construct the API request - path. | + 5. It adds the recording URL as a clickable link to the action result. + 6. It adds the full JSON response containing the meeting recording details to + the action result. - ### Flow Description - 1. **Parameter Extraction:** The action retrieves the `Meeting ID` provided by - the user. + ### Parameters - 2. **Manager Initialization:** It initializes the `ZoomManager` using the integration's - configuration (OAuth or JWT credentials). + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | - 3. **API Interaction:** The action calls the Zoom API's GET `/meetings/{meeting_id}/recordings` - endpoint to fetch recording data. + | Meeting ID | string | Yes | The ID of the desired meeting recording to fetch. + | - 4. **Data Processing:** It extracts the `share_url` from the API response to provide - a direct link to the recording. - 5. **Result Output:** The action adds the sharing URL as a clickable link in the - SOAR interface and attaches the full JSON response containing all recording details - for downstream use in the playbook. + ### Additional Notes + + This action does not modify any external systems or internal case data. It is + a read-only operation designed to retrieve information. capabilities: can_create_case_comments: false can_create_insight: false @@ -491,8 +559,18 @@ Get Meeting Recording: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Zoom API to retrieve meeting recording + details. It does not modify any external systems or internal case data. It adds + a link and JSON result to the action output, which is standard for action results + and does not constitute internal data mutation (like updating entities or creating + insights). categories: enrichment: false + reasoning: >- + The action fetches data from an external system (Zoom) but does not enrich any + entities or alerts. It does not update entities, create insights, or add case + comments. Therefore, it does not meet the criteria for an Enrichment Action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -508,6 +586,9 @@ Get Meeting Recording: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on entities. It takes a 'Meeting ID' as a direct + input parameter to fetch data from the Zoom API. Ping: action_product_categories: add_alert_comment: false @@ -523,6 +604,10 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test ('Ping') and does not perform any of the defined + functional operations (e.g., enrichment, containment, ticketing). Therefore, + it does not match any of the product categories. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -537,29 +622,46 @@ Ping: update_email: false update_identity: false update_ticket: false - ai_description: "### General Description\nThe **Ping** action is a diagnostic tool\ - \ designed to verify the connectivity between Google SecOps and the Zoom API.\ - \ It ensures that the provided credentials (either JWT or OAuth) are valid and\ - \ that the network path to the Zoom service is open. This action is typically\ - \ used during the initial setup of the integration or for troubleshooting authentication\ - \ issues.\n\n### Parameters Description\nThere are no action-specific parameters\ - \ for this action. It relies entirely on the integration's configuration parameters\ - \ (JWT Token or OAuth credentials).\n\n### Additional Notes\n* The action requires\ - \ at least one valid authentication method to be configured: either a **JWT Token**\ - \ or a combination of **Account ID**, **Client ID**, and **Client Secret** for\ - \ OAuth.\n* The connectivity test is performed by attempting to list active\ - \ users from the Zoom account. If the API returns a successful response, the connection\ - \ is considered established.\n\n### Flow Description\n1. **Initialization**:\ - \ The action initializes the Siemplify environment and logger.\n2. **Configuration\ - \ Retrieval**: It fetches the integration configuration, including authentication\ - \ credentials.\n3. **Manager Setup**: The `ZoomManager` is instantiated using\ - \ the retrieved credentials, handling the authentication logic (OAuth login or\ - \ JWT header setup).\n4. **Connectivity Test**: The action calls the `test_connectivity`\ - \ method, which executes a GET request to the Zoom `/users` endpoint.\n5. **Result\ - \ Handling**: \n * If the request succeeds, the action returns a success\ - \ status with the message \"Connected successfully\".\n * If the request\ - \ fails (e.g., due to invalid credentials or network errors), an exception is\ - \ caught, and the action returns a failure status with the specific error message." + ai_description: >- + ### General Description + + This action tests the connectivity between the SOAR platform and the Zoom API. + It verifies that the provided credentials (either JWT or OAuth) are valid and + that the API is reachable. + + + ### Flow Description + + 1. Initialize the `ZoomManager` using the provided configuration parameters (JWT + or OAuth credentials). + + 2. Call the `test_connectivity()` method, which performs a GET request to the + Zoom API `/users` endpoint. + + 3. If the request is successful, return a success message. + + 4. If the request fails, catch the exception and return a failure message. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | --- | --- | --- | --- | + + | JWT Token | String | No | Used for JWT authentication. | + + | Account ID | String | No | Used for OAuth authentication. | + + | Client ID | String | No | Used for OAuth authentication. | + + | Client Secret | String | No | Used for OAuth authentication. | + + + ### Additional Notes + + Either the `JWT Token` or the combination of `Account ID`, `Client ID`, and `Client + Secret` must be configured for the action to run. capabilities: can_create_case_comments: false can_create_insight: false @@ -570,8 +672,15 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to verify connectivity to the Zoom API. It + does not mutate external data, nor does it modify any internal SecOps data or + entities. categories: enrichment: false + reasoning: >- + The action is a connectivity test ('Ping'). According to the guidelines, Ping + actions are not categorized as enrichment actions, even if they fetch data. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -587,3 +696,6 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not iterate over `siemplify.target_entities` or perform any operations + on entities. It is a global connectivity test. diff --git a/content/response_integrations/third_party/community/zoom/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/community/zoom/resources/ai/integration_ai_description.yaml index 01511d2a6..f5082b734 100644 --- a/content/response_integrations/third_party/community/zoom/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/community/zoom/resources/ai/integration_ai_description.yaml @@ -1,12 +1,21 @@ product_categories: - asset_inventory: true + asset_inventory: false cloud_security: false - collaboration: true + collaboration: false edr: false email_security: false iam_and_identity_management: true itsm: false network_security: false + reasoning: >- + The Zoom integration provides capabilities to manage user accounts, specifically + through the 'Create User' and 'Delete User' actions, and to enrich user entities + with profile information via the 'Enrich Entities' action. These operations directly + align with the 'IAM & Identity Management' category, which covers managing user + identities and retrieving user-related information. The integration does not interact + with logs, endpoints, network infrastructure, cloud infrastructure, or ticketing + systems, and therefore does not qualify for the other categories such as SIEM, + EDR, Network Security, Cloud Security, or ITSM. siem: false threat_intelligence: false vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/anyrun_sandbox/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/anyrun_sandbox/resources/ai/actions_ai_description.yaml index 63d773013..e003edba1 100644 --- a/content/response_integrations/third_party/partner/anyrun_sandbox/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/anyrun_sandbox/resources/ai/actions_ai_description.yaml @@ -10,9 +10,13 @@ File Android Analysis: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: false + enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action submits a file to a sandbox for analysis ('Submit File'), extracts + IOCs from the report ('Enrich IOC'), and adds comments to the case ('Add Alert + Comment'). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -28,95 +32,75 @@ File Android Analysis: update_identity: false update_ticket: false ai_description: >- - ### General Description - - Performs automated malware analysis of file attachments using an Android Virtual - Machine in the ANY.RUN Sandbox. This action allows security analysts to safely - execute suspicious files in a controlled environment to observe behavior, network - activity, and identify malicious indicators. It retrieves a file attachment from - the SecOps case, submits it for analysis with customizable network and privacy - settings, and returns a comprehensive report including IOCs and a final verdict. - + Performs Android file analysis using the ANY.RUN Sandbox. This action submits + a case attachment to the ANY.RUN Android sandbox for automated analysis, retrieves + the analysis report, and extracts indicators of compromise (IOCs). - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. Retrieves the attachment from the case. - | :--- | :--- | :--- | :--- | + 2. Submits the file to the ANY.RUN Android sandbox for analysis with specified + configuration parameters (e.g., timeout, network settings, privacy type). - | Timeout In Seconds | string | No | Select task completion time. Range: 10-660 - seconds. Default is 240. | + 3. Adds a comment to the case with a link to the interactive analysis. - | Change to valid extension | boolean | No | Automatically change file extension - to a valid one if necessary. | + 4. Polls the sandbox for the task status. - | Command line | string | No | Optional command-line arguments for the analyzed - object. | + 5. Retrieves the HTML analysis report and saves it as an attachment to the case + wall. - | System's language | string | No | Operating system's language (e.g., 'en-US' - or 'Brazil'). | + 6. Extracts and summarizes suspicious or malicious IOCs found during analysis + and adds them as a comment to the case. - | User Tags | string | No | Add user tags (max 8 tags, 16 characters each). | - | Analysis Privacy Type | ddl | No | Privacy settings for the task. Supports: - public, bylink, owner, byteam. | + ### Parameters Description - | Network Connect | boolean | No | Enable network connection for the VM. | + | Parameter | Type | Mandatory | Description | - | Network Fakenet | boolean | No | Enable FakeNet feature to simulate network - services. | + | :--- | :--- | :--- | :--- | - | Network Tor | boolean | No | Enable TOR for network traffic. | + | Timeout In Seconds | string | No | Select task completion time. Size range: + 10-660 seconds. Default: 240. | - | Network Geo | string | No | TOR geolocation option (e.g., US, AU). | + | Change to valid extension | boolean | No | Automatically change file extension + to valid. Default: true. | - | Network Mitm | boolean | No | Enable HTTPS MITM Proxy for traffic inspection. - | + | Command line | string | No | Optional command-line arguments for the analyzed + object. | - | Network Residential Proxy | boolean | No | Use a residential proxy for the analysis. + | System's language | string | No | Operation system's language. Default: en-US. | - | Network Residential Proxy Geo | string | No | Residential proxy geolocation - option (e.g., US, AU). | + | User Tags | string | No | Add user tags. Default: secops-alert. | + | Analysis Privacy Type | ddl | No | Privacy settings. Supports: bylink, byteam, + public, owner. Default: bylink. | - ### Flow Description + | Network Connect | boolean | No | Enable network connection. Default: true. | - 1. **Retrieve Attachment:** The action fetches the list of attachments associated - with the current Google SecOps case and selects the first one. + | Network Fakenet | boolean | No | Enable FakeNet feature. Default: false. | - 2. **Submit to Sandbox:** The file is uploaded to the ANY.RUN Sandbox using the - Android VM environment, applying all configured network, privacy, and timeout - parameters. + | Network Tor | boolean | No | Enable TOR using. Default: false. | - 3. **Interactive Link:** A comment is added to the case wall providing a direct - URL to the interactive analysis session in ANY.RUN. + | Network Geo | string | No | TOR geolocation option. Default: fastest. | - 4. **Monitor Status:** The action polls the ANY.RUN API to monitor the progress - of the analysis task. - - 5. **Retrieve Report:** Once analysis is complete, the action downloads the full - HTML report. - - 6. **Internal Mutation (Case Wall):** The HTML report is saved as a new attachment - to the case wall for forensic record-keeping. + | Network Mitm | boolean | No | Enable HTTPS MITM Proxy using. Default: false. + | - 7. **Extract IOCs:** The action retrieves identified Indicators of Compromise - (IOCs) and posts a summary comment to the case if suspicious or malicious indicators - are found. + | Network Residential Proxy | boolean | No | Residential proxy using. Default: + false. | - 8. **Final Verdict:** The action concludes by providing the final analysis verdict - (e.g., Malicious, Suspicious, No threats detected). + | Network Residential Proxy Geo | string | No | Residential proxy geolocation + option. Default: fastest. | ### Additional Notes - - **Prerequisites:** Requires a valid ANY.RUN Sandbox API Key configured in the - integration settings. - - - **Error Handling:** If no attachments are found in the case, the action will - fail with an 'Attachment is not found' message. + This action requires an API key for the ANY.RUN Sandbox to be configured in the + integration settings. It operates on case attachments and does not require specific + entity types to be present in the case. capabilities: can_create_case_comments: true can_create_insight: false @@ -125,15 +109,21 @@ File Android Analysis: can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: >- - Submits a file to the ANY.RUN sandbox to create a new analysis task, which consumes - sandbox resources and creates a new record in the external system. + Submits a file to the ANY.RUN sandbox for analysis, creating a new task. fetches_data: true internal_data_mutation_explanation: >- - Adds comments to the case wall with analysis links and IOC summaries, and saves - the downloaded HTML analysis report as a new attachment in the Google SecOps - case. + Adds the analysis report as an attachment to the case wall and adds comments + to the case. + reasoning: >- + The action submits a file to the ANY.RUN sandbox (external mutation), polls + for status, retrieves the report, and extracts IOCs. It adds comments and attachments + to the case (internal mutation). categories: enrichment: false + reasoning: >- + The action creates a task in an external system (ANY.RUN), which constitutes + a mutation of external data. Therefore, it does not meet the criteria for an + Enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -149,6 +139,10 @@ File Android Analysis: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action operates on case attachments retrieved via `siemplify.get_attachments()`, + not on `target_entities`. Therefore, it does not run on any specific entity + types. File Linux Analysis: action_product_categories: add_alert_comment: true @@ -161,9 +155,13 @@ File Linux Analysis: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: true + enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action submits a file to a sandbox for analysis, which matches the 'Submit + File' category. It also adds comments to the case, matching 'Add Alert Comment'. + It does not perform enrichment, blocking, or other listed operations. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -181,111 +179,112 @@ File Linux Analysis: ai_description: >- ### General Description - The **File Linux Analysis** action submits a file attachment from a Google SecOps - case to the ANY.RUN sandbox for automated and interactive analysis within a Linux - environment (Ubuntu or Debian). It allows security analysts to safely execute - suspicious files in a controlled virtual machine to observe behavior, network - activity, and identify potential threats. + This action performs automated file analysis by submitting case attachments to + the ANY.RUN sandbox. It allows analysts to execute files in a controlled Linux + environment to observe behavior, retrieve threat intelligence, and generate detailed + analysis reports. The action supports various configuration options, including + OS selection, network settings (e.g., Tor, Proxy), and privacy settings. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Initialization**: Extracts the ANY.RUN API key and configuration parameters + (e.g., OS version, network settings). - | :--- | :--- | :--- | :--- | + 2. **Attachment Retrieval**: Fetches the first available attachment from the current + case. - | **Env Os** | DDL | Yes | Specifies the Linux distribution for the analysis environment. - Supports 'ubuntu' and 'debian'. | + 3. **Submission**: Submits the attachment to the ANY.RUN sandbox for analysis + using the specified configuration. - | **StartFolder** | DDL | No | Defines the initial directory where the file will - be placed in the VM (desktop, home, downloads, temp). | + 4. **Monitoring**: Polls the sandbox task status until completion. - | **Run As Root** | Boolean | No | If enabled, the file will be executed with - superuser (root) privileges. | + 5. **Reporting**: Retrieves the HTML analysis report and any identified Indicators + of Compromise (IOCs). - | **Timeout In Seconds** | String | No | Sets the duration for the analysis task. - Range: 10-660 seconds. Default is 240. | + 6. **Internal Update**: Saves the HTML report as an attachment to the case wall + and adds a comment containing the analysis link and a summary of identified IOCs. - | **Change to valid extension** | Boolean | No | If enabled, the sandbox will - automatically correct the file extension to a valid one before execution. | - | **Command line** | String | No | Optional command-line arguments to be passed - to the file during execution. | + ### Parameters Description - | **System's language** | String | No | Sets the operating system's locale or - language (e.g., 'en-US' or 'Brazil'). | + | Parameter | Type | Mandatory | Description | - | **User Tags** | String | No | Custom tags to categorize the task in the ANY.RUN - interface (max 8 tags, 16 chars each). | + | :--- | :--- | :--- | :--- | - | **Analysis Privacy Type** | DDL | No | Controls the visibility of the analysis - task (public, bylink, owner, byteam). | + | Env Os | ddl | Yes | The operating system version for the sandbox (e.g., ubuntu, + debian). | - | **Network Connect** | Boolean | No | Enables or disables network connectivity - for the analysis VM. | + | StartFolder | ddl | No | The folder where the file will be placed (e.g., desktop, + home, downloads, temp). | - | **Network Fakenet** | Boolean | No | Enables the FakeNet feature to simulate - network services and intercept traffic. | + | Run As Root | boolean | No | If true, executes the file with superuser privileges. + | - | **Network Tor** | Boolean | No | Routes the VM's network traffic through the - TOR network. | + | Timeout In Seconds | string | No | The duration to wait for task completion + (10-660 seconds). | - | **Network Geo** | String | No | Specifies the TOR exit node geolocation (e.g., - 'US', 'AU'). | + | Change to valid extension | boolean | No | Automatically renames the file to + a valid extension if necessary. | - | **Network Mitm** | Boolean | No | Enables an HTTPS Man-In-The-Middle proxy for - inspecting encrypted traffic. | + | Command line | string | No | Optional command-line arguments for the file execution. + | - | **Network Residential Proxy** | Boolean | No | Uses a residential proxy for - the VM's network traffic. | + | System's language | string | No | The locale identifier for the sandbox OS (e.g., + en-US). | - | **Network Residential Proxy Geo** | String | No | Specifies the geolocation - for the residential proxy. | + | User Tags | string | No | Tags to associate with the analysis task. | + | Analysis Privacy Type | ddl | No | Privacy settings for the analysis (public, + bylink, owner, byteam). | - ### Flow Description + | Network Connect | boolean | No | Enables network connectivity for the sandbox. + | - 1. **Attachment Retrieval:** The action identifies and retrieves the first available - file attachment from the Google SecOps case. + | Network Fakenet | boolean | No | Enables the FakeNet feature. | - 2. **Task Submission:** The file is uploaded to the ANY.RUN sandbox, and a Linux - analysis task is initiated using the configured OS and network parameters. + | Network Tor | boolean | No | Enables TOR for network traffic. | - 3. **Interactive Link:** The action immediately adds a comment to the case containing - a direct link to the live interactive analysis in ANY.RUN. + | Network Geo | string | No | Geolocation for TOR traffic. | - 4. **Status Polling:** The action monitors the progress of the analysis task until - completion. + | Network Mitm | boolean | No | Enables HTTPS MITM Proxy. | - 5. **Report Retrieval:** Once finished, the action downloads the full HTML analysis - report. + | Network Residential Proxy | boolean | No | Enables residential proxy usage. + | - 6. **Case Enrichment:** The HTML report is saved as a new attachment on the case - wall. Additionally, the action extracts any identified Malicious or Suspicious - Indicators of Compromise (IOCs) and posts them as a summary comment in the case. + | Network Residential Proxy Geo | string | No | Geolocation for residential proxy. + | ### Additional Notes - - This action requires at least one attachment to be present in the case to function. - - - The action uses the ANY.RUN Linux connector specifically for non-Windows file - analysis. + This action operates on case attachments rather than specific entities. It requires + a valid ANY.RUN API key configured in the integration settings. capabilities: can_create_case_comments: true can_create_insight: false can_modify_alert_data: false - can_mutate_external_data: true + can_mutate_external_data: false can_mutate_internal_data: true can_update_entities: false - external_data_mutation_explanation: >- - Submits a file to the ANY.RUN sandbox platform and creates a new analysis task. + external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Adds comments to the case and saves the analysis report as a new attachment - on the case wall. + Adds an HTML analysis report as an attachment to the case wall and appends comments + with analysis results and IOCs. + reasoning: >- + The action submits a file to an external sandbox (ANY.RUN) for analysis, which + is a 'Submit File' operation. It fetches the resulting report and IOCs (fetches_data=true). + It does not mutate external production systems (e.g., blocking/quarantine). + It mutates internal SOAR data by adding attachments to the case wall and adding + comments to the case. categories: enrichment: false + reasoning: >- + The action is primarily a 'Submit File' operation. While it retrieves data, + it creates a task in an external system (ANY.RUN), which violates the 'External + State Preservation' rule for enrichment actions. Therefore, it is not classified + as an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -301,6 +300,9 @@ File Linux Analysis: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action operates on case attachments retrieved via `siemplify.get_attachments()`. + It does not iterate over or filter `target_entities`. File Windows Analysis: action_product_categories: add_alert_comment: true @@ -316,6 +318,9 @@ File Windows Analysis: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action submits a file to a sandbox for analysis, which matches the 'Submit + File' category. It also adds comments to the case, matching 'Add Alert Comment'. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -333,11 +338,13 @@ File Windows Analysis: ai_description: >- ### General Description - Submits a file attachment from a Google SecOps case to the ANY.RUN sandbox for - interactive analysis on a Windows virtual machine. This action allows analysts - to perform deep forensic analysis of suspicious files by executing them in a controlled - environment and retrieving detailed reports, including network activity, process - behavior, and Indicators of Compromise (IOCs). + This action performs a file analysis using the ANY.RUN Windows sandbox. It retrieves + a file attachment from the current case, submits it to the ANY.RUN sandbox for + automated analysis with configurable environment settings, and then processes + the results. The action provides visibility into the file's behavior by adding + a link to the interactive analysis, saving the full HTML report as a case attachment, + and summarizing any suspicious or malicious indicators (IOCs) found during the + analysis as a case comment. ### Parameters Description @@ -346,86 +353,85 @@ File Windows Analysis: | :--- | :--- | :--- | :--- | - | Environment Version | ddl | No | Version of OS. Supports 7, 10, 11. Default - is 10. | + | Environment Version | ddl | No | OS version for the sandbox environment. Supports + 7, 10, 11. | - | Environment Bitness | ddl | No | Bitness of Operation System. Supports 32, 64. - Default is 64. | + | Environment Bitness | ddl | No | OS bitness for the sandbox environment. Supports + 32, 64. | - | Environment Type | ddl | No | Environment preset type. Select **development** - for Windows 10 x64; otherwise, **complete** is required. | + | Environment Type | ddl | No | Environment preset type. Use 'development' for + Windows 10 x64, otherwise 'complete'. | - | File Force Elevation | boolean | No | Forces the file to execute with elevated - privileges (for PE32, PE32+, PE64 files only). | + | File Force Elevation | boolean | No | If true, executes the file with elevated + privileges (for PE files). | - | StartFolder | ddl | No | The folder where the file execution starts (desktop, - home, downloads, temp, appdata, windows, root). | + | StartFolder | ddl | No | The folder where the file will be executed. Supports + desktop, home, downloads, appdata, temp, windows, root. | - | Timeout In Seconds | string | No | Task completion time range: 10-660 seconds. - Default is 240. | + | Timeout In Seconds | string | No | Task completion time. Range: 10-660 seconds. + | - | Change to valid extension | boolean | No | Automatically change file extension - to a valid one. | + | Change to valid extension | boolean | No | If true, automatically changes the + file extension to a valid one. | | Command line | string | No | Optional command-line arguments for the analyzed - object. | + file. | - | System's language | string | No | Operation system's language (e.g., 'en-US' - or 'Brazil'). | + | System's language | string | No | The OS language (e.g., 'en-US'). | - | User Tags | string | No | Custom tags for the task (max 8 tags, max 16 chars - each). | + | User Tags | string | No | User-defined tags for the task. | - | Analysis Privacy Type | ddl | No | Privacy settings: public, bylink, owner, - byteam. Default is bylink. | + | Analysis Privacy Type | ddl | No | Privacy settings for the analysis. Supports: + bylink, byteam, public, owner. | - | Network Connect | boolean | No | Enable network connection for the sandbox. - | + | Network Connect | boolean | No | If true, enables network connectivity during + analysis. | - | Network Fakenet | boolean | No | Enable FakeNet feature. | + | Network Fakenet | boolean | No | If true, enables the FakeNet feature. | - | Network Tor | boolean | No | Enable TOR usage. | + | Network Tor | boolean | No | If true, enables TOR usage. | | Network Geo | string | No | TOR geolocation option (e.g., US, AU). | - | Network Mitm | boolean | No | Enable HTTPS MITM Proxy. | + | Network Mitm | boolean | No | If true, enables HTTPS MITM proxy. | - | Network Residential Proxy | boolean | No | Enable residential proxy usage. | + | Network Residential Proxy | boolean | No | If true, enables residential proxy + usage. | | Network Residential Proxy Geo | string | No | Residential proxy geolocation - option. | + option (e.g., US, AU). | ### Additional Notes - * The action requires at least one attachment to be present in the Google SecOps - case to function. + - The action requires at least one file attachment to be present in the case to + execute successfully. - * It automatically polls the sandbox until the analysis is complete or the timeout - is reached. + - The action interacts with the ANY.RUN API to submit files and retrieve reports. ### Flow Description - 1. **Attachment Retrieval:** Fetches the first available attachment from the Google - SecOps case. + 1. **Configuration Extraction**: Retrieves the API key and proxy settings from + the integration configuration. + + 2. **Attachment Retrieval**: Fetches the file attachment from the current case. - 2. **Sandbox Submission:** Submits the file to the ANY.RUN Windows sandbox using - the configured environment (OS version, bitness) and network settings. + 3. **File Submission**: Submits the file to the ANY.RUN sandbox using the provided + environment and network parameters. - 3. **Interactive Link:** Adds a comment to the case with a direct link to the - interactive analysis task in ANY.RUN. + 4. **Comment Generation**: Adds a case comment containing a link to the interactive + analysis on the ANY.RUN platform. - 4. **Status Polling:** Monitors the task status until the analysis is finished. + 5. **Status Polling**: Polls the sandbox for the analysis task status until completion. - 5. **Report Retrieval:** Downloads the HTML analysis report and saves it as an - attachment to the case wall. + 6. **Report Processing**: Retrieves the HTML analysis report and saves it as a + case wall attachment. - 6. **IOC Extraction:** Retrieves Indicators of Compromise (IOCs) from the report. - If suspicious or malicious indicators are identified, a summary comment is added - to the case. + 7. **IOC Extraction**: Identifies suspicious or malicious IOCs from the report + and appends them to the case as a summary comment. - 7. **Verdict:** Ends the action by providing the final analysis verdict. + 8. **Verdict Return**: Returns the final analysis verdict to the user. capabilities: can_create_case_comments: true can_create_insight: false @@ -434,14 +440,23 @@ File Windows Analysis: can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: >- - Submits a file to the ANY.RUN sandbox, which creates a new analysis task/resource - in the external system. + Submits a file to the ANY.RUN sandbox for analysis, creating a new analysis + task. fetches_data: true internal_data_mutation_explanation: >- - Adds comments to the case and saves the analysis report as an attachment to - the case wall. + Adds analysis reports as attachments to the case wall and appends comments with + analysis links and IOC summaries. + reasoning: >- + The action interacts with the ANY.RUN sandbox to submit a file for analysis + (can_mutate_external_data=true). It fetches the analysis report and IOCs (fetches_data=true). + It modifies the internal case by adding comments and attachments (can_mutate_internal_data=true, + can_create_case_comments=true). It does not update entities or create insights. categories: enrichment: false + reasoning: >- + The action is a 'Submit File' action. It performs an active analysis by submitting + a file to an external sandbox, which creates a task. It is not an enrichment + action because it creates a task in an external system. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -457,6 +472,9 @@ File Windows Analysis: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action operates on case attachments retrieved via `siemplify.get_attachments()`, + not on `target_entities`. Therefore, it does not use any entity types. Ping: action_product_categories: add_alert_comment: false @@ -472,6 +490,10 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test (Ping) and does not perform any functional + operations such as enrichment, containment, or ticket management. Therefore, + it does not match any of the defined product categories. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -486,29 +508,20 @@ Ping: update_email: false update_identity: false update_ticket: false - ai_description: "### General Description\nThe **Ping** action is a diagnostic tool\ - \ designed to verify the connectivity between the Google SecOps environment and\ - \ the ANY.RUN Sandbox service. Its primary purpose is to ensure that the integration\ - \ is correctly configured, the API key is valid, and network paths (including\ - \ optional proxies) are functional.\n\n### Parameters Description\nThere are no\ - \ action-specific parameters for this action. It relies entirely on the global\ - \ integration configuration parameters:\n* **ANYRUN Sandbox API KEY**: The authentication\ - \ token used to access the ANY.RUN API.\n* **Verify SSL**: Boolean flag to enable\ - \ or disable SSL certificate validation.\n* **Enable proxy**: Boolean flag to\ - \ determine if a proxy should be used for the connection.\n* **Proxy host**: The\ - \ hostname or IP of the proxy server (if enabled).\n* **Proxy port**: The port\ - \ of the proxy server (if enabled).\n\n### Flow Description\n1. **Configuration\ - \ Extraction**: The action retrieves the API key, SSL verification settings, and\ - \ proxy configurations from the integration's global settings.\n2. **Proxy Validation\ - \ (Optional)**: If the 'Enable proxy' setting is active, the action first attempts\ - \ to establish a connection through the specified proxy host and port to ensure\ - \ the network path is open.\n3. **Authorization Check**: The action initializes\ - \ a connection to the ANY.RUN Sandbox service and executes an authorization check\ - \ (`check_authorization`) to validate the provided API key.\n4. **Result Reporting**:\ - \ \n * If the connection and authorization are successful, the action completes\ - \ with a success status and an informative message.\n * If a connection error\ - \ or authentication failure occurs, the action catches the exception, logs the\ - \ error, and returns a failed execution state." + ai_description: >- + General description: This action tests the connectivity between the SOAR platform + and the ANYRUN Sandbox service. It validates the provided API key and, if configured, + verifies the proxy connection settings. Parameters description: 1. ANYRUN Sandbox + API KEY (String, Mandatory): The API key used for authentication. 2. Verify SSL + (Boolean, Optional): Whether to verify SSL certificates. 3. Enable proxy (Boolean, + Optional): Whether to use a proxy. 4. Proxy host (String, Optional): The proxy + server hostname. 5. Proxy port (String, Optional): The proxy server port. Additional + notes: The 'Proxy host' and 'Proxy port' parameters are required if 'Enable proxy' + is set to true. Flow description: 1. The action extracts the configuration parameters. + 2. If 'Enable proxy' is enabled, it validates the proxy connection using the provided + host and port. 3. It then validates the API key by calling the ANYRUN Sandbox + authorization endpoint. 4. Finally, it logs the success or failure of the connection + and terminates the action. capabilities: can_create_case_comments: false can_create_insight: false @@ -517,10 +530,18 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity check to the ANYRUN Sandbox service by validating + the API key and optionally checking proxy settings. It does not fetch contextual + data, mutate external systems, or modify internal SOAR data. categories: enrichment: false + reasoning: >- + The action is named 'Ping' and is a connectivity test. According to the provided + rules, actions named 'Ping' must not be categorized as enrichment actions. It + does not fetch data or perform any other enrichment tasks. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -536,6 +557,9 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or interact with any entities. It is a standalone + utility action for testing connectivity. URL Android Analysis: action_product_categories: add_alert_comment: true @@ -548,9 +572,14 @@ URL Android Analysis: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: true + enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action submits a URL to the ANY.RUN sandbox for analysis, which creates + a new task record in the external system. This matches the 'Submit File' category. + It also adds comments to the case with the analysis results, matching 'Add Alert + Comment'. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -568,92 +597,78 @@ URL Android Analysis: ai_description: >- ### General Description - Performs automated URL analysis using an Android Virtual Machine in the ANY.RUN - sandbox. This action allows security analysts to safely investigate suspicious - URLs by detonating them in a controlled mobile environment to observe behavior, - network activity, and potential threats. It retrieves detailed reports, extracts - indicators of compromise (IOCs), and provides a final verdict directly within - the SecOps platform. + Performs URL analysis using an Android VM in the ANY.RUN sandbox. This action + submits a URL for dynamic analysis, monitors the task status, retrieves the analysis + report, and extracts identified IOCs. It provides visibility into potentially + malicious URLs by executing them in a controlled environment. ### Parameters Description - | Parameter | Description | Type | Mandatory | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Url | The destination URL(s) to analyze. Supports comma-separated values for - bulk analysis. | String | Yes | - - | Timeout In Seconds | Select task completion time. Size range: 10-660 seconds. - | String | No | + | Url | string | Yes | The destination URL(s) to analyze. Can be provided as a + direct URL or an entity identifier. | - | Command line | Optional command-line arguments for the analyzed object. | String - | No | + | Timeout In Seconds | string | No | Task completion time (10-660 seconds). Default + is 120. | - | System's language | Operation system's language (e.g., 'en-US' or 'Brazil'). - | String | No | - - | User Tags | Custom tags for the task (max 8 tags, 16 characters each). | String - | No | - - | Analysis Privacy Type | Privacy settings for the task (public, bylink, owner, - byteam). | DDL | No | + | Command line | string | No | Optional command-line arguments for the analyzed + object. | - | Network Connect | Enable network connection in the sandbox VM. | Boolean | No + | System's language | string | No | Operation system's language (e.g., 'en-US'). | - | Network Fakenet | Enable FakeNet feature to simulate network responses. | Boolean - | No | + | User Tags | string | No | User tags for the task. | - | Network Tor | Enable TOR usage for the analysis. | Boolean | No | + | Analysis Privacy Type | ddl | No | Privacy settings (public, bylink, owner, + byteam). Default is 'bylink'. | - | Network Geo | TOR geolocation option (e.g., US, AU). | String | No | + | Network Connect | boolean | No | Enable network connection. Default is 'true'. + | - | Network Mitm | Enable HTTPS MITM Proxy for traffic inspection. | Boolean | No + | Network Fakenet | boolean | No | Enable FakeNet feature. Default is 'false'. | - | Network Residential Proxy | Enable residential proxy usage. | Boolean | No | + | Network Tor | boolean | No | Enable TOR. Default is 'false'. | - | Network Residential Proxy Geo | Residential proxy geolocation option (e.g., - US, AU). | String | No | + | Network Geo | string | No | TOR geolocation option. Default is 'fastest'. | + | Network Mitm | boolean | No | Enable HTTPS MITM Proxy. Default is 'false'. | - ### Additional Notes + | Network Residential Proxy | boolean | No | Enable residential proxy. Default + is 'false'. | - - This action specifically utilizes an Android VM for analysis, making it ideal - for mobile-specific threats. + | Network Residential Proxy Geo | string | No | Residential proxy geolocation + option. Default is 'fastest'. | - - The action supports multiple URLs by splitting the input string by commas. - - It automatically handles report generation and attachment to the case wall. + ### Flow Description + 1. Extracts configuration (API key, SSL settings) and action parameters (URL, + timeout, network settings). - ### Flow Description + 2. Connects to the ANY.RUN sandbox using the provided credentials. - 1. **Initialization**: Extracts the ANY.RUN API key and SSL configuration from - the integration settings. + 3. Submits the URL for analysis. - 2. **Input Parsing**: Retrieves the target URL(s) from the action parameters. + 4. Adds a comment to the case with the link to the interactive analysis. - 3. **Task Creation**: For each URL, it initiates a new Android sandbox analysis - task in ANY.RUN with the specified network and environment configurations. + 5. Monitors the task status until completion. - 4. **Interactive Link**: Adds a comment to the case containing a direct link to - the ANY.RUN interactive analysis session. + 6. Downloads the HTML analysis report and saves it as a case wall attachment. - 5. **Status Monitoring**: Polls the ANY.RUN API to monitor the progress of the - analysis task until completion. + 7. Retrieves identified IOCs and adds them as a comment. - 6. **Report Retrieval**: Downloads the full HTML analysis report and attaches - it to the case wall as a base64-encoded file. + 8. Retrieves the final analysis verdict and adds it as a comment. - 7. **IOC Extraction**: Fetches extracted indicators (IOCs) from the analysis and - adds a summary comment to the case if any suspicious or malicious indicators are - identified. - 8. **Final Verdict**: Retrieves the final analysis verdict and posts a concluding - status comment to the case. + ### Additional Notes + + The action requires an API key for the ANY.RUN sandbox. The 'Url' parameter is + mandatory and can be provided as a direct URL or an entity identifier. capabilities: can_create_case_comments: true can_create_insight: false @@ -662,14 +677,22 @@ URL Android Analysis: can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: >- - Creates a new URL analysis task/job in the ANY.RUN sandbox environment for every - URL provided. + Submits a URL to the ANY.RUN sandbox for analysis, which creates a new task + record in the external system. fetches_data: true internal_data_mutation_explanation: >- - Adds multiple comments to the case (analysis links, IOC summaries, and verdicts) - and saves the HTML analysis report as an attachment to the case wall. + Adds analysis reports as case wall attachments and adds comments to the case + with analysis results and IOCs. + reasoning: >- + The action submits a URL to the ANY.RUN sandbox for analysis (mutating external + data), monitors the task status, retrieves the analysis report, and extracts + identified IOCs (fetches data). It also adds comments to the case and saves + the report as a case wall attachment (mutating internal data). categories: enrichment: false + reasoning: >- + The action creates a task in an external sandbox (mutating external data), so + it cannot be an Enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -685,6 +708,10 @@ URL Android Analysis: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code extracts the 'Url' parameter directly using `extract_action_param`. + It does not iterate over `siemplify.target_entities` or perform any entity-specific + filtering logic. Therefore, it does not run on entities. URL Linux Analysis: action_product_categories: add_alert_comment: true @@ -694,12 +721,17 @@ URL Linux Analysis: create_ticket: false delete_email: false disable_identity: false - download_file: true + download_file: false enable_identity: false enrich_asset: false enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action submits a URL for analysis, which matches the 'Submit File' category + (as it submits an object for analysis). It also returns threat intelligence + (IOCs) for the indicator, matching 'Enrich IOC'. Finally, it adds comments to + the case, matching 'Add Alert Comment'. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -714,120 +746,68 @@ URL Linux Analysis: update_email: false update_identity: false update_ticket: false - ai_description: >- - Performs automated URL analysis using a Linux virtual machine within the ANY.RUN - sandbox environment. This action allows analysts to submit one or more URLs for - dynamic analysis, specifying the operating system (Ubuntu or Debian) and the browser - (Chrome or Firefox). It facilitates deep inspection of web-based threats by providing - interactive analysis links, detailed HTML reports, and a summary of extracted - Indicators of Compromise (IOCs). - - - ### Parameters Description - - - | Parameter | Description | Type | Mandatory | - - | :--- | :--- | :--- | :--- | - - | Url | The destination URL(s) to be analyzed. Supports comma-separated values. - Defaults to the entity identifier. | String | Yes | - - | Machine Os | The Linux distribution to use for the analysis. Options: ubuntu, - debian. | DDL | Yes | - - | Browser | The web browser to use for the analysis. Options: Google Chrome, Mozilla - Firefox. | DDL | Yes | - - | Timeout In Seconds | The duration for the analysis task (range: 10-660 seconds). - Default is 120. | String | No | - - | Command line | Optional command-line arguments for the analyzed object. | String - | No | - - | System's language | The OS locale identifier or country name (e.g., 'en-US'). - | String | No | - - | User Tags | Custom tags for the task (max 8 tags, 16 characters each). | String - | No | - - | Analysis Privacy Type | Privacy level for the analysis: public, bylink, owner, - or byteam. | DDL | No | - - | Network Connect | Enables network connectivity during analysis. | Boolean | - No | - - | Network Fakenet | Enables the FakeNet feature to simulate network services. - | Boolean | No | - - | Network Tor | Enables routing traffic through the TOR network. | Boolean | No - | - - | Network Geo | Specifies the TOR geolocation (e.g., US, AU). | String | No | - - | Network Mitm | Enables HTTPS MITM Proxy for traffic decryption. | Boolean | - No | - - | Network Residential Proxy | Enables the use of a residential proxy. | Boolean - | No | - - | Network Residential Proxy Geo | Specifies the residential proxy geolocation. - | String | No | - - - ### Additional Notes - - - This action initiates a state change in the ANY.RUN platform by creating a new - analysis task. - - - It retrieves and attaches an HTML report directly to the Google SecOps case - wall. - - - Extracted IOCs with suspicious or malicious reputations are summarized in case - comments. - - - ### Flow Description - - 1. **Initialization:** Extracts the API key and SSL configuration from the integration - settings. - - 2. **Submission:** Submits the provided URL(s) to the ANY.RUN API to start a Linux-based - sandbox analysis task with the specified OS and browser configurations. - - 3. **Interaction:** Adds a comment to the case wall containing a direct link to - the interactive ANY.RUN task. - - 4. **Monitoring:** Polls the ANY.RUN service to monitor the task status until - completion. - - 5. **Reporting:** Downloads the full HTML analysis report and saves it as an attachment - to the case wall. - - 6. **IOC Extraction:** Retrieves extracted indicators from the analysis and posts - a summary of any suspicious or malicious IOCs as a case comment. - - 7. **Verdict:** Fetches the final analysis verdict and posts a concluding status - comment to the case. + ai_description: "### General Description\nThis action submits a URL to the ANY.RUN\ + \ sandbox for analysis on a Linux VM. It retrieves the analysis report (HTML)\ + \ and identified indicators of compromise (IOCs), saves the report as an attachment\ + \ to the case wall, and adds comments with the analysis link and a summary of\ + \ identified malicious or suspicious indicators.\n\n### Flow Description\n1. **Configuration\ + \ Extraction**: Extracts the ANY.RUN API key and SSL verification settings from\ + \ the integration configuration.\n2. **Parameter Extraction**: Extracts the target\ + \ URL(s) and analysis options (OS, browser, network settings, etc.) from the action\ + \ parameters.\n3. **Sandbox Submission**: For each URL, initializes the `SandboxConnector`\ + \ and submits the URL for analysis on a Linux VM.\n4. **Reporting**: \n - Adds\ + \ a comment to the case with the link to the interactive ANY.RUN analysis.\n \ + \ - Waits for the task status.\n - Retrieves the analysis report in HTML\ + \ format and saves it as an attachment to the case wall.\n - Retrieves the\ + \ IOC report and adds a summary comment to the case.\n - Adds a final comment\ + \ with the overall analysis verdict.\n\n### Parameters Description\n| Parameter\ + \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Url | string\ + \ | Yes | The destination URL(s) to analyze. Defaults to `[Entity.Identifier]`.\ + \ |\n| Machine Os | ddl | Yes | The operating system version for the sandbox (e.g.,\ + \ ubuntu, debian). |\n| Browser | ddl | Yes | The browser to use for analysis\ + \ (e.g., Google Chrome, Mozilla Firefox). |\n| Timeout In Seconds | string | No\ + \ | The task completion time (10-660 seconds). |\n| Command line | string | No\ + \ | Optional command-line arguments for the analyzed object. |\n| System's language\ + \ | string | No | The OS language (e.g., 'en-US'). |\n| User Tags | string | No\ + \ | User tags for the task. |\n| Analysis Privacy Type | ddl | No | Privacy settings\ + \ for the analysis (public, bylink, owner, byteam). |\n| Network Connect | boolean\ + \ | No | Enable network connection. |\n| Network Fakenet | boolean | No | Enable\ + \ FakeNet feature. |\n| Network Tor | boolean | No | Enable TOR usage. |\n| Network\ + \ Geo | string | No | TOR geolocation option. |\n| Network Mitm | boolean | No\ + \ | Enable HTTPS MITM Proxy. |\n| Network Residential Proxy | boolean | No | Enable\ + \ residential proxy. |\n| Network Residential Proxy Geo | string | No | Residential\ + \ proxy geolocation option. |\n\n### Additional Notes\n- The action processes\ + \ multiple URLs if provided as a comma-separated string.\n- The action relies\ + \ on the `ANYRUN-Sandbox` integration configuration for API credentials and proxy\ + \ settings." capabilities: can_create_case_comments: true can_create_insight: false can_modify_alert_data: false - can_mutate_external_data: true + can_mutate_external_data: false can_mutate_internal_data: true can_update_entities: false - external_data_mutation_explanation: >- - Submits a URL to the ANY.RUN sandbox to initiate a new automated analysis task, - creating a new resource/record in the external system. + external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Adds multiple comments to the case wall regarding task status, IOC summaries, - and verdicts. It also saves the HTML analysis report as an attachment to the - case wall. + The action adds comments and saves HTML reports as attachments to the case wall + within Google SecOps. + reasoning: >- + The action fetches analysis reports and IOC data from the ANY.RUN sandbox (fetches_data=true). + It does not mutate external security controls (can_mutate_external_data=false). + It performs internal mutations by adding comments and saving attachments to + the case wall (can_mutate_internal_data=true, can_create_case_comments=true). + It does not update entities, create insights, or modify alert data. categories: - enrichment: false + enrichment: true + reasoning: >- + The action is an enrichment action because it proactively fetches analysis data + (reports, IOCs) from an external sandbox and adds this context to the case via + comments and attachments. It does not mutate external systems (e.g., blocking) + and only performs allowed internal mutations (adding comments/attachments). entity_usage: - entity_types: [] + entity_types: + - DestinationURL filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -841,6 +821,10 @@ URL Linux Analysis: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action uses the 'Url' parameter, which defaults to '[Entity.Identifier]'. + It processes the URL provided, which corresponds to the 'DestinationURL' entity + type. URL Windows Analysis: action_product_categories: add_alert_comment: true @@ -850,12 +834,16 @@ URL Windows Analysis: create_ticket: false delete_email: false disable_identity: false - download_file: true + download_file: false enable_identity: false enrich_asset: false enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action submits a URL to a sandbox for analysis, which matches the 'Submit + File' category (as it is an analysis submission). It also adds comments to the + case, matching 'Add Alert Comment'. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -873,114 +861,102 @@ URL Windows Analysis: ai_description: >- ### General Description - Submits one or more URLs to the ANY.RUN sandbox for automated analysis within - a Windows virtual machine environment. This action allows security analysts to - observe the behavior of suspicious links in a controlled environment, providing - detailed reports on network activity, process execution, and potential indicators - of compromise (IOCs). + This action performs URL analysis using a Windows VM in the ANY.RUN Sandbox. It + submits a specified URL for interactive analysis, retrieves the resulting report + (HTML) and any identified indicators of compromise (IOCs), and updates the case + with the analysis results, including a link to the interactive report, a summary + of malicious/suspicious IOCs, and the full analysis report as a case wall attachment. - ### Parameters Description - - | Parameter | Description | Type | Mandatory | Default Value | - - | :--- | :--- | :--- | :--- | :--- | + ### Flow Description - | Url | The destination URL(s) to be analyzed. Multiple URLs can be provided as - a comma-separated list. | string | Yes | [Entity.Identifier] | + 1. **Configuration Extraction**: Extracts the ANY.RUN API key, SSL verification + settings, and proxy configuration. - | Browser | The web browser to use for the analysis (e.g., Microsoft Edge, Google - Chrome). | ddl | Yes | Microsoft Edge | + 2. **Parameter Extraction**: Extracts the target URL(s) and analysis options (browser, + timeout, network settings, etc.) from the action parameters. - | Timeout In Seconds | The duration for the sandbox task (range: 10-660 seconds). - | string | No | 120 | + 3. **Analysis Submission**: Iterates through the provided URLs and submits each + to the ANY.RUN Sandbox for analysis using the `SandboxConnector`. - | Command line | Optional command-line arguments to be used during the analysis. - | string | No | "" | + 4. **Case Commenting**: Adds a comment to the case containing a link to the interactive + ANY.RUN analysis task. - | System's language | The operating system locale/language (e.g., 'en-US'). | - string | No | en-US | + 5. **Report Retrieval**: Fetches the analysis report in HTML format and saves + it as a case wall attachment. - | User Tags | Custom tags to associate with the analysis task (max 8 tags, 16 - chars each). | string | No | secops-alert | + 6. **IOC Processing**: Retrieves IOCs from the analysis report and adds a summary + comment to the case if any suspicious or malicious indicators are found. - | Analysis Privacy Type | Privacy level for the task (public, bylink, owner, byteam). - | ddl | No | bylink | + 7. **Verdict Logging**: Retrieves and logs the final analysis verdict to the case. - | Network Connect | Enables or disables network connectivity for the VM. | boolean - | No | true | - | Network Fakenet | Enables the FakeNet feature to simulate network services. - | boolean | No | false | + ### Parameters Description - | Network Tor | Enables the use of the TOR network for the analysis. | boolean - | No | false | + | Parameter | Type | Mandatory | Description | - | Network Geo | Specifies the TOR geolocation (e.g., US, AU). | string | No | - fastest | + | :--- | :--- | :--- | :--- | - | Network Mitm | Enables HTTPS MITM (Man-In-The-Middle) proxying. | boolean | - No | false | + | Url | string | Yes | The destination URL(s) to analyze. | - | Network Residential Proxy | Enables the use of a residential proxy. | boolean - | No | false | + | Browser | ddl | Yes | The browser to use for analysis (e.g., Microsoft Edge, + Google Chrome). | - | Network Residential Proxy Geo | Specifies the residential proxy geolocation. - | string | No | fastest | + | Timeout In Seconds | string | No | Task completion time (10-660 seconds). | + | Command line | string | No | Optional command-line arguments for the analyzed + object. | - ### Flow Description + | System's language | string | No | The operating system's language (e.g., 'en-US'). + | - 1. **Initialization:** Retrieves the ANY.RUN API key and SSL verification settings - from the integration configuration. + | User Tags | string | No | User tags for the task. | - 2. **Input Parsing:** Extracts the URL(s) provided in the action parameters. + | Analysis Privacy Type | ddl | No | Privacy settings (e.g., public, bylink). + | - 3. **Task Creation:** For each URL, it initiates a Windows-based sandbox analysis - task in ANY.RUN using the specified browser and network configurations. + | Network Connect | boolean | No | Enable network connection. | - 4. **Interactive Link:** Immediately posts a comment to the case wall containing - a direct link to the interactive ANY.RUN task. + | Network Fakenet | boolean | No | Enable FakeNet feature. | - 5. **Monitoring:** Polls the ANY.RUN API to monitor the status of the analysis - task until completion. + | Network Tor | boolean | No | Enable TOR usage. | - 6. **Report Retrieval:** Once finished, it downloads the full analysis report - in HTML format. + | Network Geo | string | No | TOR geolocation option. | - 7. **Internal Mutation (Attachment):** Attaches the HTML report to the Google - SecOps case wall for forensic review. + | Network Mitm | boolean | No | Enable HTTPS MITM Proxy. | - 8. **IOC Extraction:** Fetches a list of IOCs identified during the analysis. - If suspicious or malicious indicators are found, it summarizes them in a case - comment. + | Network Residential Proxy | boolean | No | Enable residential proxy. | - 9. **Final Verdict:** Retrieves the final analysis verdict and posts it as a concluding - comment on the case. + | Network Residential Proxy Geo | string | No | Residential proxy geolocation + option. | ### Additional Notes - - This action performs external mutations by creating tasks on the ANY.RUN platform. - - - It performs internal mutations by adding multiple comments and file attachments - to the case wall. + - The action does not iterate over `siemplify.target_entities` directly; it extracts + the URL from the action parameters. If the `Url` parameter is set to `[Entity.Identifier]`, + it will use the entity identifier as the URL. capabilities: can_create_case_comments: true can_create_insight: false can_modify_alert_data: false - can_mutate_external_data: true + can_mutate_external_data: false can_mutate_internal_data: true can_update_entities: false - external_data_mutation_explanation: >- - Creates a new URL analysis task in the ANY.RUN sandbox environment for every - URL provided. + external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Adds multiple comments to the case wall (interactive links, IOC summaries, and - verdicts) and uploads the HTML analysis report as a case attachment. + Adds comments to the case and saves the analysis report as a case wall attachment. + reasoning: >- + The action submits a URL to the ANY.RUN sandbox for analysis, which involves + fetching the analysis report and IOCs. It mutates internal data by adding comments + and attachments to the case. It does not mutate external security controls (e.g., + blocking an IP). categories: enrichment: false + reasoning: >- + The action is a sandbox submission task, not a simple enrichment task. It performs + a complex analysis workflow rather than just fetching reputation data. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -996,3 +972,8 @@ URL Windows Analysis: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action extracts the URL from the action parameters rather than iterating + over `siemplify.target_entities`. Therefore, it does not directly process entities + in the SOAR sense, even though the parameter might be populated by an entity + identifier. diff --git a/content/response_integrations/third_party/partner/anyrun_sandbox/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/anyrun_sandbox/resources/ai/integration_ai_description.yaml index 2e831240c..ad10dd145 100644 --- a/content/response_integrations/third_party/partner/anyrun_sandbox/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/partner/anyrun_sandbox/resources/ai/integration_ai_description.yaml @@ -7,6 +7,15 @@ product_categories: iam_and_identity_management: false itsm: false network_security: false + reasoning: >- + The anyrun_sandbox integration is primarily a Threat Intelligence tool. Its core + functionality involves submitting files and URLs to an external sandbox environment + to perform dynamic analysis. The expected outcome of these actions is the retrieval + of threat intelligence, such as analysis reports, risk scores, and extracted Indicators + of Compromise (IOCs), which helps analysts confirm if an alert is a True Positive. + It does not perform SIEM log searching, EDR host containment, network blocking, + or identity management. Therefore, it aligns strictly with the Threat Intelligence + category. siem: false threat_intelligence: true vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/anyrun_ti_feeds/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/anyrun_ti_feeds/resources/ai/actions_ai_description.yaml index f37d802e8..37ea0526a 100644 --- a/content/response_integrations/third_party/partner/anyrun_ti_feeds/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/anyrun_ti_feeds/resources/ai/actions_ai_description.yaml @@ -13,6 +13,9 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test (Ping) and does not perform any of the defined + product category operations such as enrichment, containment, or ticket management. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -28,58 +31,48 @@ Ping: update_identity: false update_ticket: false ai_description: >- - ### General Description + Tests connectivity to the ANY.RUN TI Feeds service. This action verifies that + the provided API credentials and network configuration (including optional proxy + settings) allow for successful communication with the ANY.RUN API. - Tests the connectivity and authentication between Google SecOps and the ANY.RUN - TI Feeds service. This action ensures that the integration is correctly configured - and can communicate with the external API. It verifies the validity of the API - key and tests network paths, including optional proxy configurations. - - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | | ANYRUN TI Feeds API key | String | Yes | The API key used to authenticate with - the ANY.RUN TI Feeds service. | - - | Verify SSL | Boolean | No | If enabled, the action will verify the SSL certificate - of the ANY.RUN server. | - - | Enable proxy | Boolean | No | If enabled, the action will use the configured - proxy settings to connect. | + the ANY.RUN service. | - | Proxy host | String | No | The host address of the proxy server. This is required - if 'Enable proxy' is set to true. | + | Verify SSL | Boolean | No | Whether to verify SSL certificates during the connection. + | - | Proxy port | String | No | The port of the proxy server. This is required if - 'Enable proxy' is set to true. | + | Enable proxy | Boolean | No | Whether to route the connection through a proxy + server. | + | Proxy host | String | No | The hostname or IP address of the proxy server. Required + if 'Enable proxy' is enabled. | - ### Additional Notes - - This action does not process any entities and is used solely for configuration - validation. Either the direct connection or the proxy connection must be successful - for the action to complete with a success status. + | Proxy port | String | No | The port number of the proxy server. Required if + 'Enable proxy' is enabled. | ### Flow Description - 1. **Extract Configuration**: The action retrieves the API key, SSL verification - preference, and proxy settings from the integration configuration. + 1. The action extracts the required configuration parameters, including the API + key and network settings. + + 2. If 'Enable proxy' is selected, the action validates the proxy configuration + by attempting a connection to the proxy host. - 2. **Proxy Validation (Optional)**: If proxying is enabled, the action attempts - to establish a connection through the specified proxy host and port to verify - the proxy settings. + 3. The action initializes the ANY.RUN FeedsConnector using the provided API key + and SSL verification settings. - 3. **Authentication Check**: The action initializes a connection to the ANY.RUN - TI Feeds service and performs an authorization check to verify that the provided - API key is valid. + 4. It executes a connectivity check (authorization test) against the ANY.RUN service. - 4. **Result Reporting**: The action concludes by logging the success or failure - of the connection attempt and returns the execution state to the SecOps platform. + 5. The action logs the success or failure of the connection and terminates with + the appropriate execution state. capabilities: can_create_case_comments: false can_create_insight: false @@ -90,8 +83,15 @@ Ping: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity check (Ping) to verify API access. It does + not fetch contextual data, mutate external systems, or modify internal SOAR + data. categories: enrichment: false + reasoning: >- + The action is a 'Ping' connectivity test. According to the guidelines, actions + named 'Ping' must not be categorized as enrichment actions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -107,3 +107,6 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities; it is a global connectivity + test. diff --git a/content/response_integrations/third_party/partner/anyrun_ti_feeds/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/anyrun_ti_feeds/resources/ai/integration_ai_description.yaml index 2e831240c..70d7c540b 100644 --- a/content/response_integrations/third_party/partner/anyrun_ti_feeds/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/partner/anyrun_ti_feeds/resources/ai/integration_ai_description.yaml @@ -7,6 +7,15 @@ product_categories: iam_and_identity_management: false itsm: false network_security: false + reasoning: >- + The integration is designed to synchronize threat intelligence indicators (IPs, + URLs, and Domains) from the ANY.RUN sandbox into Google SecOps DataTables. Its + primary purpose is to provide security teams with up-to-date threat data to enhance + detection and investigation capabilities. This aligns directly with the Threat + Intelligence category, which focuses on providing indicators and reputation data + to confirm if an alert is a True Positive. The integration does not perform SIEM + log searching, EDR host analysis, network blocking, or other operational tasks, + so it does not qualify for those categories. siem: false threat_intelligence: true vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/anyrun_ti_feeds/resources/ai/jobs_ai_description.yaml b/content/response_integrations/third_party/partner/anyrun_ti_feeds/resources/ai/jobs_ai_description.yaml index fad0b480d..5f8c528dd 100644 --- a/content/response_integrations/third_party/partner/anyrun_ti_feeds/resources/ai/jobs_ai_description.yaml +++ b/content/response_integrations/third_party/partner/anyrun_ti_feeds/resources/ai/jobs_ai_description.yaml @@ -2,12 +2,10 @@ ANYRUN TI Feeds: ai_description: >- ### General Description - This job synchronizes threat intelligence indicators from ANY.RUN to Google SecOps - DataTables. It automates the retrieval of IP, URL, and Domain indicators via the - TAXII/STIX protocol and stores them in dedicated DataTables (`anyrun_feed_ip`, - `anyrun_feed_url`, `anyrun_feed_domain`). This ensures that security teams have - access to up-to-date ANY.RUN threat intelligence directly within Google SecOps - for detection and enrichment purposes. + The ANY.RUN TI Feeds job synchronizes threat intelligence indicators (IPs, URLs, + and Domains) from the ANY.RUN platform into Google SecOps DataTables. This process + ensures that security teams have access to up-to-date threat data for detection + and investigation purposes. ### Parameters Description @@ -16,50 +14,23 @@ ANYRUN TI Feeds: | :--- | :--- | :--- | :--- | - | Feed Fetch Depth | String | Yes | Specify the number of days back to fetch indicators - from the ANY.RUN feed. Default is 90 days. | - - | ANYRUN TI Feeds API key | String | Yes | The API key used to authenticate with - the ANY.RUN TI Feeds service (configured in integration settings). | - - | Project ID | String | Yes | The Google Cloud Project ID for the SecOps instance - (configured in integration settings). | - - | Project location | String | Yes | The location of the Google Cloud Project (e.g., - 'us', 'europe') (configured in integration settings). | - - | Instance ID | String | Yes | The specific Google SecOps Instance ID (configured - in integration settings). | - - | Google service account | String | Yes | The JSON key for the Google Service - Account used to interact with the SecOps API (configured in integration settings). - | - - | Verify SSL | Boolean | No | Whether to verify SSL certificates for the connection - to ANY.RUN (configured in integration settings). | + | Feed Fetch Depth | String | Yes | Specify feed fetch depth in days. | ### Flow Description - 1. **Initialization**: The job extracts the necessary configuration parameters, - including API keys, Google SecOps instance details, and the fetch depth. + 1. Authenticates with the ANY.RUN API and Google SecOps using provided credentials. - 2. **Connection Setup**: Establishes an authorized session with the Google SecOps - API and a connection to the ANY.RUN TAXII/STIX feed. + 2. Iterates through the configured indicator categories (IP, URL, Domain). - 3. **Indicator Processing**: Iterates through the defined indicator types (IP, - URL, and Domain). + 3. For each category, checks for the existence of the corresponding DataTable + in Google SecOps. - 4. **DataTable Maintenance**: For each indicator type, the job checks if the corresponding - DataTable exists in Google SecOps. If it does, the job deletes the existing table - to perform a clean synchronization. + 4. Deletes the existing DataTable if it exists to ensure a clean state. - 5. **Schema Creation**: Creates a new DataTable with a structured schema including - columns for the indicator value, confidence level, labels, creation date, and - modification date. + 5. Creates a new DataTable with the appropriate schema. - 6. **Data Retrieval**: Fetches indicators from the ANY.RUN feed that have been - modified within the specified `Feed Fetch Depth` period. + 6. Fetches indicators from ANY.RUN's TAXII/STIX feed, filtered by the specified + Feed Fetch Depth. - 7. **Bulk Upload**: Converts the retrieved indicators into the required format - and performs a bulk upload into the newly created Google SecOps DataTables. + 7. Bulk uploads the retrieved indicators into the Google SecOps DataTable. diff --git a/content/response_integrations/third_party/partner/anyrun_ti_lookup/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/anyrun_ti_lookup/resources/ai/actions_ai_description.yaml index 6b7f2f223..bc8f3b7a4 100644 --- a/content/response_integrations/third_party/partner/anyrun_ti_lookup/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/anyrun_ti_lookup/resources/ai/actions_ai_description.yaml @@ -13,6 +13,10 @@ ANYRUN TI Lookup: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves threat intelligence (verdict, summary) for indicators, + matching 'Enrich IOC'. It also adds comments to the case, matching 'Add Alert + Comment'. It does not perform any other listed actions. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -27,36 +31,52 @@ ANYRUN TI Lookup: update_email: false update_identity: false update_ticket: false - ai_description: "### General Description\nPerforms threat intelligence lookups using\ - \ the ANY.RUN TI Lookup service. This action allows analysts to retrieve detailed\ - \ threat reports, reputation scores, and analysis links for various entity types\ - \ including IP addresses, domains, URLs, file hashes, and processes. It can process\ - \ specific entities or execute raw queries to gather intelligence from the ANY.RUN\ - \ platform.\n\n### Parameters Description\n| Parameter | Description | Type |\ - \ Mandatory | Notes |\n| :--- | :--- | :--- | :--- | :--- |\n| Lookup Depth |\ - \ Specifies the number of days from the current date for which you want to lookup\ - \ intelligence data. | String | Yes | Default is 90 days. |\n| Query | A raw query\ - \ string with necessary filters. Supports condition concatenation with AND, OR,\ - \ NOT, and parentheses. | String | No | If provided, the action performs a lookup\ - \ based on this query instead of individual entities. |\n| Identifiers | The target\ - \ case entity identifiers to be looked up. | String | Yes | Usually mapped to\ - \ `[Entity.Identifier]`. |\n| Types | The target case entity types corresponding\ - \ to the identifiers. | String | Yes | Usually mapped to `[Entity.Type]`. |\n\n\ - ### Flow Description\n1. **Initialization**: Extracts the API key, SSL verification\ - \ settings, and lookup depth from the integration configuration and action parameters.\n\ - 2. **Query Execution**: \n * If a **Query** parameter is provided, the action\ - \ executes a raw search against the ANY.RUN TI Lookup API.\n * If no query\ - \ is provided, the action iterates through the provided **Identifiers** and **Types**.\n\ - 3. **Intelligence Retrieval**: For each supported entity (IP, IPSet, Domain, URL,\ - \ Process, FileHash), the action calls the ANY.RUN API to fetch intelligence data.\n\ - 4. **Internal Updates**:\n * Adds a comment to the case containing a direct\ - \ hyperlink to the ANY.RUN analysis page for the entity.\n * Saves the full\ - \ JSON report as an attachment to the case wall for forensic review.\n5. **Result\ - \ Summarization**: Calculates a text-based verdict (Malicious, Suspicious, Unknown)\ - \ based on the threat level returned by ANY.RUN and posts a final summary comment\ - \ to the case wall.\n\n### Additional Notes\n- Supported entity types are: `address`,\ - \ `ipset`, `destinationurl`, `domain`, `process`, and `filehash`.\n- The action\ - \ requires a valid ANY.RUN TI Lookup API Key configured in the integration settings." + ai_description: >- + Performs threat intelligence lookups against the ANY.RUN service for specified + entities or raw queries. This action retrieves intelligence data, such as threat + levels and summaries, and provides visibility into potential threats. + + + ### Flow Description + + 1. **Initialization**: Extracts configuration parameters including 'Lookup Depth', + 'Query', 'Identifiers', and 'Types'. + + 2. **Query Processing**: If a raw 'Query' is provided, the action performs a direct + lookup against the ANY.RUN service. + + 3. **Entity Processing**: If no raw query is provided, the action parses the 'Identifiers' + and 'Types' parameters. It iterates through the provided entities, mapping them + to supported types (IP, Domain, URL, Hash, Process). + + 4. **Data Retrieval**: For each valid entity or query, the action connects to + the ANY.RUN service to fetch intelligence data. + + 5. **Reporting**: The action adds a summary comment to the case and saves the + full JSON report as an attachment to the case wall. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Lookup Depth | string | Yes | Specify the number of days from the current date + for which you want to lookup. | + + | Query | string | No | Raw query with necessary filters. Supports condition concatenation + with AND, OR, NOT and Parentheses (). | + + | Identifiers | string | Yes | The target case entity identifiers. | + + | Types | string | Yes | The target case entity types. | + + + ### Additional Notes + + Either a 'Query' or a combination of 'Identifiers' and 'Types' must be provided + for the action to execute successfully. capabilities: can_create_case_comments: true can_create_insight: false @@ -67,10 +87,21 @@ ANYRUN TI Lookup: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action adds comments to the case and saves detailed JSON reports as attachments - to the case wall. + The action adds comments to the case and saves JSON attachments to the case + wall. + reasoning: >- + The action fetches threat intelligence data from an external service (ANY.RUN) + via GET requests (fetches_data=true). It does not modify external systems (can_mutate_external_data=false). + It performs internal mutations by adding comments to the case and saving attachments + to the case wall (can_mutate_internal_data=true). It does not update entity + fields or create insights (can_update_entities=false, can_create_insight=false). + It adds case comments (can_create_case_comments=true). categories: - enrichment: false + enrichment: true + reasoning: >- + The action is designed to fetch threat intelligence data (enrichment) and does + not modify external systems. It performs allowed internal mutations (adding + comments and attachments). Therefore, it qualifies as an enrichment action. entity_usage: entity_types: - ADDRESS @@ -83,7 +114,7 @@ ANYRUN TI Lookup: filters_by_alert_identifier: false filters_by_case_identifier: false filters_by_creation_time: false - filters_by_entity_type: true + filters_by_entity_type: false filters_by_identifier: false filters_by_is_artifact: false filters_by_is_enriched: false @@ -92,6 +123,11 @@ ANYRUN TI Lookup: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action processes entities provided via the 'Identifiers' and 'Types' parameters. + It maps these to supported types defined in the configuration: ADDRESS, IPSET, + DestinationURL, DOMAIN, PROCESS, and FILEHASH. It does not filter entities by + internal attributes like creation time or modification time. Ping: action_product_categories: add_alert_comment: false @@ -107,6 +143,10 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test (Ping) for the ANY.RUN TI Lookup service. + It does not perform any enrichment, containment, or ticket management. It does + not match any of the defined product categories. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -122,62 +162,24 @@ Ping: update_identity: false update_ticket: false ai_description: >- - ### General Description - - The **Ping** action is a utility designed to verify the connectivity and authentication - status between the Google SecOps environment and the **ANY.RUN TI Lookup** service. - It ensures that the integration is correctly configured and can successfully communicate - with the external API. - - - ### Parameters Description - - This action does not have any instance-specific parameters. It relies on the following - **Integration Configuration** parameters: - - - | Parameter Name | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | ANYRUN TI Lookup API KEY | String | Yes | The API key required to authenticate - requests to ANY.RUN. | - - | Verify SSL | Boolean | No | If enabled, the action will verify the SSL certificate - of the ANY.RUN API. | - - | Enable proxy | Boolean | No | If enabled, the action will route traffic through - the configured proxy. | - - | Proxy host | String | No | The hostname or IP address of the proxy server (required - if proxy is enabled). | - - | Proxy port | String | No | The port number of the proxy server (required if - proxy is enabled). | - - - ### Flow Description - - 1. **Configuration Extraction**: The action retrieves the API key and network - settings (SSL, Proxy) from the integration configuration. - - 2. **Proxy Validation (Optional)**: If proxying is enabled, the action attempts - to establish a connection through the specified proxy host and port using the - `check_proxy` method. - - 3. **Authorization Check**: The action initializes a connection to the ANY.RUN - service and performs an authorization check via the `check_authorization` method - to validate the API key. - - 4. **Result Reporting**: The action logs the outcome (Success or Failure) and - terminates with the appropriate execution state (`COMPLETED` or `FAILED`). - - - ### Additional Notes - - - This action is primarily used for troubleshooting and initial setup verification. - - - It does not process or enrich any entities. + General Description: This action tests the connectivity between the Google SecOps + environment and the ANY.RUN TI Lookup service. It validates the provided API key + and, if configured, the proxy settings to ensure the integration is properly set + up and reachable. Parameters: | Parameter | Type | Mandatory | Description | | + --- | --- | --- | --- | | ANYRUN TI Lookup API KEY | String | Yes | The API key + used to authenticate with the ANY.RUN service. | | Verify SSL | Boolean | No | + Whether to verify SSL certificates during the connection. | | Enable proxy | Boolean + | No | Whether to route the connection through a proxy. | | Proxy host | String + | No | The hostname or IP address of the proxy server. Required if 'Enable proxy' + is true. | | Proxy port | String | No | The port number of the proxy server. Required + if 'Enable proxy' is true. | Additional Notes: Either the proxy configuration + (Proxy host and Proxy port) must be provided if 'Enable proxy' is set to true, + or the action will fail. Flow Description: 1. Initialize the Siemplify action. + 2. Extract the configuration parameters (API key, SSL verification, proxy settings). + 3. If 'Enable proxy' is enabled, validate the proxy host and port, then test connectivity + through the proxy. 4. If 'Enable proxy' is disabled, test connectivity directly + to the ANY.RUN service using the provided API key. 5. Log the success or failure + of the connectivity test and terminate the action. capabilities: can_create_case_comments: false can_create_insight: false @@ -188,8 +190,15 @@ Ping: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity test (Ping) to the ANY.RUN service. It does + not fetch contextual data, mutate external or internal data, or interact with + entities. categories: enrichment: false + reasoning: >- + The action is a Ping action, which is explicitly excluded from being an enrichment + action per the instructions. It does not fetch contextual data. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -205,3 +214,6 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with the target_entities attribute. It is a standalone + connectivity test. diff --git a/content/response_integrations/third_party/partner/anyrun_ti_lookup/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/anyrun_ti_lookup/resources/ai/integration_ai_description.yaml index 2e831240c..a1ce70dd5 100644 --- a/content/response_integrations/third_party/partner/anyrun_ti_lookup/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/partner/anyrun_ti_lookup/resources/ai/integration_ai_description.yaml @@ -7,6 +7,16 @@ product_categories: iam_and_identity_management: false itsm: false network_security: false + reasoning: >- + The anyrun_ti_lookup integration is designed specifically to enrich Indicators + of Compromise (IOCs) such as IP addresses, domains, URLs, and file hashes by querying + the ANY.RUN threat intelligence service. This aligns perfectly with the Threat + Intelligence category, as it provides risk scores, threat context, and verdict + data to help analysts confirm if an alert is a True Positive. The integration + does not perform SIEM log analysis, EDR host-level actions, network security blocking, + email management, IAM operations, cloud security monitoring, ITSM ticket management, + vulnerability scanning, asset inventory lookups, or collaboration/human-in-the-loop + workflows. siem: false threat_intelligence: true vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/censys/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/censys/resources/ai/actions_ai_description.yaml index 34a73b6bf..e28aa6fd1 100644 --- a/content/response_integrations/third_party/partner/censys/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/censys/resources/ai/actions_ai_description.yaml @@ -13,6 +13,9 @@ Enrich Certificates: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves threat intelligence (certificate details) for an indicator + (FILEHASH), which matches the 'Enrich IOC' category. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -30,47 +33,56 @@ Enrich Certificates: ai_description: >- ### General Description - Enriches `FILEHASH` entities with comprehensive SSL/TLS certificate intelligence - using the Censys Platform API. This action treats the entity identifier as a certificate's - SHA-256 fingerprint and retrieves detailed metadata including issuer information, - subject details, validity periods, and self-signed status. The retrieved data - is mapped to the entity's additional properties, providing analysts with immediate - context regarding the certificate's legitimacy and configuration. + This action enriches FILEHASH entities (specifically SSL/TLS certificate fingerprints) + using the Censys Platform API. It retrieves comprehensive certificate intelligence, + including issuer, subject, validity periods, and Subject Alternative Names (SANs), + and updates the entity's profile within the SOAR platform. - ### Parameters Description + ### Flow Description - There are no action-specific parameters for this action. It relies on the integration's - global configuration (API Key and Organization ID) and the entities present in - the current scope. + 1. **Initialization**: The action retrieves integration parameters (API Key, Organization + ID, Verify SSL) and initializes the Censys API manager. + 2. **Entity Extraction**: It identifies all FILEHASH entities in the current scope. - ### Flow Description + 3. **Validation**: It filters the entities to ensure the certificate IDs (SHA-256 + fingerprints) are in the correct 64-character hexadecimal format. - 1. **Entity Extraction:** Identifies all `FILEHASH` entities within the current - SOAR scope. + 4. **API Interaction**: It performs a batch request to the Censys API to fetch + enrichment data for the valid certificate IDs. - 2. **Validation:** Validates that each entity identifier follows the required - format for a certificate fingerprint (exactly 64 hexadecimal characters). + 5. **Data Processing**: For each successfully retrieved certificate, it parses + the response, removes any existing enrichment data, and updates the entity's `additional_properties` + with the new intelligence. - 3. **API Interaction:** Performs a batch POST request to the Censys `/v3/global/asset/certificate` - endpoint using the validated fingerprints. + 6. **Entity Update**: It updates the entities in the SOAR platform and marks them + as enriched. - 4. **Data Processing:** For each matching result, it parses the certificate's - subject DN, issuer DN, common name, validity start/end dates, and signature details. + 7. **Result Reporting**: It returns a summary message and the raw JSON results + of the enrichment. - 5. **Internal Update:** Clears any existing Censys enrichment data on the entity, - updates the entity's additional properties with the new metadata, and marks the - entity as enriched in the SOAR platform. + ### Parameters Description - ### Additional Notes + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | API Key | String | Yes | The API key used to authenticate with the Censys platform. + | - - This action specifically targets `FILEHASH` entities because Censys identifies - certificates by their SHA-256 hash. + | Organization Id | String | Yes | The Organization ID associated with the Censys + account. | - - If an entity identifier is not a valid 64-character hex string, it is skipped - and reported as invalid in the output message. + | Verify SSL | Boolean | Yes | Whether to verify SSL certificates when making + API requests. | + + + ### Additional Notes + + This action specifically targets FILEHASH entities. If no valid FILEHASH entities + are found, the action will terminate without making API calls. capabilities: can_create_case_comments: false can_create_insight: false @@ -81,10 +93,16 @@ Enrich Certificates: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates FILEHASH entity attributes with certificate metadata (issuer, subject, - validity) and sets the enrichment status to true. + Updates entity additional properties and sets the is_enriched flag to true. + reasoning: >- + The action fetches certificate intelligence from Censys and updates the entity's + internal properties within the SOAR platform. It does not modify external systems. categories: enrichment: true + reasoning: >- + The action fetches data from an external source (Censys) and updates internal + entity properties. It does not mutate external systems or perform restricted + internal actions, thus qualifying as an enrichment action. entity_usage: entity_types: - FILEHASH @@ -93,7 +111,7 @@ Enrich Certificates: filters_by_case_identifier: false filters_by_creation_time: false filters_by_entity_type: true - filters_by_identifier: false + filters_by_identifier: true filters_by_is_artifact: false filters_by_is_enriched: false filters_by_is_internal: false @@ -101,6 +119,9 @@ Enrich Certificates: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action specifically targets FILEHASH entities. It filters them by type and + validates the identifier format (SHA-256 fingerprint). Enrich IPs: action_product_categories: add_alert_comment: false @@ -112,10 +133,15 @@ Enrich IPs: disable_identity: false download_file: false enable_identity: false - enrich_asset: false + enrich_asset: true enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves threat intelligence and contextual metadata for IP addresses + from Censys. This aligns with 'Enrich IOC' (reputation/intelligence) and 'Enrich + Asset' (contextual metadata for a resource). It does not perform any other actions + like ticketing, blocking, or alert management. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -131,51 +157,47 @@ Enrich IPs: update_identity: false update_ticket: false ai_description: >- - Enriches IP Address entities using the Censys Platform API. This action retrieves - comprehensive intelligence about internet-facing infrastructure, including active - services, open ports, protocols, SSL/TLS certificates, known vulnerabilities, - and geographic location data. It helps security teams understand the attack surface - exposure of specific IP addresses. - - - ### Flow Description: - - 1. **Parameter Extraction:** Retrieves integration configuration (API Key, Org - ID) and the optional 'At Time' action parameter. + ### General Description - 2. **Entity Identification:** Filters the current context for IP Address (ADDRESS) - entities. + This action enriches IP Address entities using the Censys Platform API. It retrieves + comprehensive intelligence about internet-facing infrastructure, including services, + ports, protocols, certificates, vulnerabilities, and location data. This data + is then mapped to the entity's additional properties to assist security teams + in understanding their attack surface exposure. - 3. **Validation:** Validates the format of the identified IP addresses and the - provided RFC3339 timestamp. - 4. **API Interaction:** Performs a batch request to the Censys `/v3/global/asset/host` - endpoint to fetch host intelligence. + ### Parameters Description - 5. **Data Processing:** Parses the API response using a dedicated data model to - extract relevant enrichment fields. + | Parameter | Type | Mandatory | Description | - 6. **Internal Update:** Clears previous Censys enrichment data, updates the entity's - additional properties with new intelligence, and marks the entity as enriched. + | :--- | :--- | :--- | :--- | + | At Time | string | No | RFC3339 Timestamp to view all requested hosts at a specific + point in time. Ensure that you suffix the date with T00:00:00Z or a specific time. + | - ### Parameters Description: - | Parameter | Type | Mandatory | Description | + ### Flow Description - | :--- | :--- | :--- | :--- | + 1. **Initialization**: The action initializes the Censys API manager using the + configured API Key and Organization ID. - | At Time | String | No | An RFC3339 formatted timestamp (e.g., 2024-01-15T00:00:00Z) - used to retrieve historical host data from a specific point in time. | + 2. **Entity Retrieval**: It retrieves all IP Address entities from the current + case scope. + 3. **Validation**: It filters the retrieved entities to ensure only valid IP addresses + are processed. - ### Additional Notes: + 4. **Data Fetching**: It calls the Censys API to fetch host intelligence for the + valid IP addresses, optionally using the provided 'At Time' parameter for historical + data. - - This action performs batch processing for efficiency but updates each entity - individually within the SOAR platform. + 5. **Enrichment**: For each IP, it parses the API response, removes any existing + Censys enrichment data, and updates the entity's `additional_properties` with + the new intelligence. - - If an IP is not found in the Censys database, the action will report it as 'not - found' in the output message but will continue processing other entities. + 6. **Finalization**: It updates the entities in the SOAR platform and returns + a summary message and JSON results. capabilities: can_create_case_comments: false can_create_insight: false @@ -186,10 +208,18 @@ Enrich IPs: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with Censys host intelligence data (ports, - services, location, etc.) and sets the 'is_enriched' flag to true. + Updates entity additional_properties with enrichment data retrieved from Censys. + reasoning: >- + The action fetches data from the Censys API (fetches_data=true). It updates + entity properties within the SOAR platform (can_update_entities=true, can_mutate_internal_data=true). + It does not perform any actions that change the state of external systems (can_mutate_external_data=false). + It does not create insights, modify alert data, or create case comments. categories: enrichment: true + reasoning: >- + The action fetches data from an external source (Censys) and updates internal + entity data. It does not mutate external systems or perform unauthorized internal + mutations. Therefore, it qualifies as an enrichment action. entity_usage: entity_types: - ADDRESS @@ -206,6 +236,10 @@ Enrich IPs: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code uses the `get_ip_entities` helper function, which iterates over `siemplify.target_entities` + and filters specifically for `EntityTypes.ADDRESS`. No other entity types are + processed. Enrich Web Properties: action_product_categories: add_alert_comment: false @@ -217,10 +251,14 @@ Enrich Web Properties: disable_identity: false download_file: false enable_identity: false - enrich_asset: false + enrich_asset: true enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves contextual metadata (services, certificates, vulnerabilities) + for web properties (IPs/Domains). This matches 'Enrich IOC' and 'Enrich Asset' + expected outcomes. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -238,61 +276,44 @@ Enrich Web Properties: ai_description: >- ### General Description - Enriches IP Address and Domain entities with comprehensive web property intelligence - using the Censys Platform API. This action retrieves detailed data about web-facing - assets, including HTTP/HTTPS service details, SSL/TLS certificates, software technologies, - and security configurations. It allows analysts to investigate specific ports - and even view historical data for a specific point in time. + Enriches web property entities (IPs and Domains) using the Censys Platform API. + This action retrieves detailed intelligence about web-facing assets, including + HTTP/HTTPS services, certificates, technologies, and security configurations. ### Parameters Description - | Parameter | Type | Mandatory | Default | Description | + | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | :--- | + | :--- | :--- | :--- | :--- | - | Port | String | True | 80, 443 | A comma-separated list of port numbers (e.g., - "80, 443, 8080") to investigate for each entity. | + | Port | string | Yes | Comma-separated ports associated with the domain or hostname + (e.g., "80, 443"). | - | At Time | String | False | None | An RFC3339 formatted timestamp (e.g., "2024-01-15T00:00:00Z") - to retrieve historical web property data from a specific point in time. | + | At Time | string | No | RFC3339 Timestamp to view all requested hosts at a specific + point in time. | ### Flow Description - 1. **Parameter Extraction:** The action retrieves the `Port` and `At Time` parameters - and validates their format (e.g., ensuring ports are within the 1-65535 range - and the timestamp is valid RFC3339). + 1. Extract integration parameters (API Key, Organization ID, SSL verification). - 2. **Entity Identification:** It identifies all `ADDRESS` (IP) and `DOMAIN` entities - in the current scope. + 2. Extract action parameters (Ports, optional At Time). - 3. **Identifier Generation:** For every valid entity and every specified port, - it constructs a unique web property identifier in the format `hostname:port`. + 3. Identify valid `ADDRESS` and `DOMAIN` entities from the case. - 4. **API Interaction:** The action sends a POST request to the Censys Platform - API (`/v3/global/asset/webproperty`) with the list of identifiers and the optional - timestamp. + 4. Validate entities and parse the provided ports. - 5. **Data Parsing:** It processes the API response, matching returned resources - back to the original entities and ports. It uses a specialized data model to extract - fields like software vendors, certificate fingerprints, and threat names. + 5. Construct web property IDs (e.g., `hostname:port`). - 6. **Internal Mutation:** For each match, it clears any existing Censys enrichment - data for that specific port on the entity and then updates the entity's `additional_properties` - with the new intelligence. - - 7. **Finalization:** The action marks the entities as enriched, updates them within - Google SecOps, and provides a summary message of the results. + 6. Query the Censys API for enrichment data. + 7. Update entity `additional_properties` with retrieved data (e.g., services, + certificates, vulnerabilities). - ### Additional Notes + 8. Update entities in the SOAR platform. - - This action specifically targets `ADDRESS` and `DOMAIN` entity types. Other - types will be ignored. - - - Enrichment data is prefixed with `Censys_{port}_` to allow for multiple port - enrichments on a single entity without data collisions. + 9. Return JSON results. capabilities: can_create_case_comments: false can_create_insight: false @@ -303,10 +324,18 @@ Enrich Web Properties: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with web property enrichment data (services, - certificates, software) and sets the 'is_enriched' flag to true. + Updates entity `additional_properties` with enrichment data retrieved from Censys. + reasoning: >- + The action fetches data from the Censys API (fetches_data=true). It does not + mutate external systems (can_mutate_external_data=false). It updates entity + properties (can_mutate_internal_data=true, can_update_entities=true). It does + not create insights, modify alert data, or create case comments. categories: enrichment: true + reasoning: >- + The action fetches data from an external source (Censys) to enrich entities. + It does not mutate external systems. It only updates entity properties. This + fits the definition of an enrichment action. entity_usage: entity_types: - ADDRESS @@ -324,6 +353,10 @@ Enrich Web Properties: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action retrieves entities using `get_web_property_entities`, which filters + for `ADDRESS` and `DOMAIN` types. It does not filter by other attributes like + creation time or identifier. Get Host History: action_product_categories: add_alert_comment: false @@ -339,6 +372,10 @@ Get Host History: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves historical event data for a host, which aligns with the + 'Search Events' category. It does not perform enrichment on entities, update + alerts, or mutate external systems. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -354,65 +391,51 @@ Get Host History: update_identity: false update_ticket: false ai_description: >- - ### General Description + Retrieves the historical event data for a specific host (IP address) from the + Censys platform. This action allows users to track infrastructure changes, service + modifications, and scan history over a defined time range. - This action retrieves the historical event timeline for a specific host (IP address) - from Censys. It allows security analysts to track infrastructure changes over - time, identifying when specific services were added, removed, or modified. This - is particularly useful for forensic investigations, tracking threat actor infrastructure - evolution, or auditing asset changes. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + ### Flow Description - | Host ID | String | Yes | The IP address of the host to retrieve history for. - | + 1. Extracts the `Host ID`, `Start Time`, and `End Time` parameters from the action + configuration. - | Start Time | String | Yes | The start time of the host timeline. Must be a valid - RFC3339 string (e.g., 2025-01-01T00:00:00Z). This represents the beginning of - the historical window. | + 2. Validates the `Host ID` as a valid IP address and ensures `Start Time` and + `End Time` are valid RFC3339 timestamps. - | End Time | String | Yes | The end time of the host timeline. Must be a valid - RFC3339 string (e.g., 2025-01-02T00:00:00Z). This represents the end of the historical - window and must be later than the Start Time. | + 3. Initializes the `APIManager` to interact with the Censys API. + 4. Performs a GET request to the Censys `/v3/global/asset/host/{host_id}/timeline` + endpoint, utilizing time-based pagination to retrieve the full history. - ### Additional Notes + 5. Handles potential partial data scenarios if pagination is interrupted, logging + warnings and collecting available data. - - The action implements time-based pagination, fetching up to 1000 records or - 10 pages of data. + 6. Adds the raw JSON response to the action results and constructs a data table + of events for display in the UI. - - If the API returns more than 1000 records, a warning is provided, and the analyst - is directed to the Censys platform for full exploration. - - The action handles partial data collection; if an error occurs during pagination, - it will return the events collected up to that point with a warning. + ### Parameters Description + | Parameter | Type | Mandatory | Description | - ### Flow Description + | :--- | :--- | :--- | :--- | - 1. **Parameter Extraction**: Retrieves the `Host ID`, `Start Time`, and `End Time` - from the action configuration. + | Host ID | string | Yes | The IP address of the host to retrieve history for. + | - 2. **Validation**: Validates that the `Host ID` is a properly formatted IP address - and that both timestamps adhere to the RFC3339 standard. + | Start Time | string | Yes | The start of the timeline (RFC3339 format). Must + be earlier than the End Time. | - 3. **API Initialization**: Sets up the Censys API manager using the provided API - Key and Organization ID. + | End Time | string | Yes | The end of the timeline (RFC3339 format). Must be + earlier than the current time. | - 4. **Data Retrieval**: Executes a paginated GET request to the Censys host timeline - endpoint. It reverses the user-provided chronological times to match the API's - reverse-chronological requirements. - 5. **Data Processing**: Iterates through the retrieved events, parsing resource - details (like service ports, protocols, DNS names, or ASN changes) using the `HostHistoryEventModel`. + ### Additional Notes - 6. **Output Generation**: Populates a data table named "Host History Events" with - the parsed data and attaches the full raw response as a JSON result to the case. + - The action enforces a maximum record threshold and will display a warning if + results are truncated or if further exploration is required on the Censys platform. capabilities: can_create_case_comments: false can_create_insight: false @@ -423,8 +446,17 @@ Get Host History: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Censys API to retrieve host history + data (fetches_data=true). It does not modify any external systems (can_mutate_external_data=false) + or internal Google SecOps data (can_mutate_internal_data=false). It does not + update entities, create insights, or modify alert data. categories: enrichment: false + reasoning: >- + The action retrieves historical event data from Censys. It does not update entities, + create insights, or add case comments. Therefore, it does not meet the criteria + for an Enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -440,6 +472,9 @@ Get Host History: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities` or use entity-specific + identifiers to perform its task. It takes the `Host ID` as a direct input parameter. Get Rescan Status: action_product_categories: add_alert_comment: false @@ -455,6 +490,11 @@ Get Rescan Status: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves the status of a scan from the Censys platform. It does + not match any of the defined categories such as 'Enrich IOC', 'Enrich Asset', + 'Create Ticket', or 'Get Alert Information' as it is specific to scan status + monitoring. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -470,46 +510,34 @@ Get Rescan Status: update_identity: false update_ticket: false ai_description: >- - ### General Description + Retrieves the current status of a scan from Censys using a provided Scan ID. This + action allows users to monitor the progress of previously initiated scans and + determine when results are available. - The **Get Rescan Status** action retrieves the current status of a scan from Censys - using its unique Scan ID. This action is designed to be used asynchronously, allowing - the SOAR platform to monitor the progress of a scan (such as one started by the - 'Initiate Rescan' action) until it reaches a terminal state (Completed or Failed). - - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Scan ID | string | Yes | The unique identifier of the tracked scan. This ID - is typically obtained from the output of a previous rescan initiation action. - | + | Scan ID | string | Yes | The unique identifier of the tracked scan. | ### Flow Description - 1. **Parameter Extraction:** The action extracts the `Scan ID` provided by the - user or a previous playbook step. + 1. Extract the `Scan ID` parameter from the action configuration. - 2. **API Request:** It sends a GET request to the Censys API (`/v3/global/scans/{scan_id}`) - to fetch the current metadata of the scan. + 2. Initialize the `APIManager` with the integration's API key and organization + ID. - 3. **Status Evaluation:** The action checks the `completed` field in the API response: - * If the field is missing, the scan is considered still running, and the action - returns an `IN_PROGRESS` status. - * If the field is `True`, the scan is finished, and the action returns `COMPLETED`. - * If the field is `False`, the scan is marked as `FAILED`. - 4. **Result Reporting:** The full JSON response from Censys is attached to the - action results for further use in the playbook. + 3. Call the Censys API to fetch the status of the scan associated with the provided + `Scan ID`. + 4. Parse the API response to determine the scan's execution state (Completed, + In Progress, or Failed). - ### Additional Notes - - This action is intended for use in playbooks that require waiting for external - scan results before proceeding with enrichment or analysis. + 5. Return the status and result to the SOAR platform. capabilities: can_create_case_comments: false can_create_insight: false @@ -520,8 +548,17 @@ Get Rescan Status: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Censys API to retrieve the status of + a scan. It does not modify any external systems, nor does it update internal + entities or create insights. It simply fetches data and returns it to the SOAR + platform. categories: enrichment: false + reasoning: >- + The action does not fetch context about entities or alerts, nor does it update + entities. It is a status check for a specific scan ID, which does not meet the + criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -537,6 +574,9 @@ Get Rescan Status: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on entities. It takes a 'Scan ID' as a direct input + parameter. Initiate Rescan: action_product_categories: add_alert_comment: false @@ -552,6 +592,9 @@ Initiate Rescan: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action initiates a rescan on the Censys platform. It does not match any + of the provided categories (Enrichment, Containment, Ticket, etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -567,60 +610,50 @@ Initiate Rescan: update_identity: false update_ticket: false ai_description: >- - ### General Description - Initiates a live rescan for a known host service or web origin on the Censys platform. - This action allows analysts to trigger an immediate update of Censys's data for - a specific endpoint (IP or domain) and port. The action returns a unique scan - ID which can be used to track the progress and results of the scan. + This action triggers an on-demand scan of a specific IP/domain and port to validate + infrastructure and track changes. The scan may take several minutes to complete, + and the action returns a scan ID that can be used to monitor the scan's status. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | IOC Type | DDL | Yes | Determines the type of target to scan. Options are 'Service' - (for IP-based targets) or 'Web Origin' (for domain-based targets). | - - | IOC Value | String | Yes | The specific IP address or domain name to be rescanned. - | + | IOC Type | ddl | Yes | The type of IOC to rescan (Service or Web Origin). | - | Port | String | Yes | The port number associated with the service or web origin - (valid range: 1 to 65535). Defaults to 443. | + | IOC Value | string | Yes | The IP address or domain name to initiate a rescan + for. | - | Protocol | String | No | The application-level protocol (e.g., 'http', 'ssh'). - This is **mandatory** if the 'IOC Type' is set to 'Service'. | + | Port | string | Yes | The port associated with the IP or domain (1-65535). | - | Transport Protocol | DDL | No | The transport layer protocol. Options include - 'Unknown', 'TCP', 'UDP', 'ICMP', or 'QUIC'. | - - - ### Additional Notes - - - If 'IOC Type' is set to 'Service', the 'IOC Value' must be a valid IP address - and the 'Protocol' parameter must be provided. + | Protocol | string | No | The service protocol (Required for Service IOC Type). + | - - The scan may take several minutes to complete in the external Censys system. + | Transport Protocol | ddl | No | The transport protocol (Unknown, TCP, UDP, ICMP, + QUIC) (Required for Service IOC Type). | ### Flow Description - 1. **Parameter Extraction:** The action retrieves the target details (Type, Value, - Port, Protocol) from the user input. + 1. The action extracts the configuration parameters (API Key, Organization ID, + Verify SSL) and the action-specific parameters (IOC Type, IOC Value, Port, Protocol, + Transport Protocol). - 2. **Validation:** It validates that the port is within the legal range and ensures - that if a 'Service' scan is requested, an IP address and protocol are provided. + 2. It validates the provided parameters, ensuring the port is within the valid + range and that required fields for the selected IOC Type are present. - 3. **API Request:** The action sends a POST request to the Censys `/v3/global/scans/rescan` - endpoint with the target configuration. + 3. It initializes the Censys API Manager. - 4. **Result Processing:** It captures the `tracked_scan_id` and task information - from the Censys response. + 4. It sends a POST request to the Censys API (`/v3/global/scans/rescan`) to initiate + the rescan. - 5. **Output:** The action returns the scan ID and creation time to the SOAR case - and provides the full JSON response for further automation steps. + 5. It captures the response, which includes a `tracked_scan_id`. + + 6. It adds the full JSON response to the action results and returns a status message + containing the scan ID and creation time if available. capabilities: can_create_case_comments: false can_create_insight: false @@ -629,12 +662,18 @@ Initiate Rescan: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Initiates a live rescan on the Censys platform, which triggers new scanning - activity and updates the state of the target's data within the Censys system. - fetches_data: true + Initiates a live rescan of a host service or web origin on the Censys platform. + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the Censys API to initiate a rescan. It + does not fetch contextual data for enrichment, update entities, or modify internal + case data. It triggers an external process on the Censys platform. categories: enrichment: false + reasoning: >- + The action triggers an external process (rescan) and does not retrieve contextual + data for enrichment. It does not meet the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -650,6 +689,10 @@ Initiate Rescan: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action uses parameters provided in the action configuration (IOC Value, + Port, etc.) rather than iterating over `siemplify.target_entities`. Therefore, + it does not run on entities. Ping: action_product_categories: add_alert_comment: false @@ -665,6 +708,10 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action performs a connectivity test (Ping) to the Censys API. It does not + match any of the provided product categories (e.g., Enrich IOC, Contain Host, + etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -680,56 +727,43 @@ Ping: update_identity: false update_ticket: false ai_description: >- - ### General Description - - The **Ping** action is a utility designed to verify the connectivity and authentication - between the Google SecOps SOAR platform and the Censys API. It ensures that the - integration is correctly configured with a valid API Key and Organization ID, - and that the server can reach the Censys platform over the network. - - - ### Parameters Description - - This action does not require any input parameters. It relies entirely on the global - integration configuration (API Key, Organization ID, and Verify SSL). + Tests connectivity to the Censys platform to verify that the integration can successfully + authenticate and communicate with the Censys API. This action performs a simple + connectivity test and returns the status of the connection. - | Parameter Name | Type | Mandatory | Description | + ### Flow Description - | :--- | :--- | :--- | :--- | + 1. The action extracts the required configuration parameters: API Key, Organization + ID, and Verify SSL. - | N/A | N/A | N/A | No parameters are used for this action. | + 2. It initializes the `APIManager` using these credentials. + 3. It executes a connectivity test by making a GET request to the Censys API. - ### Additional Notes + 4. The action returns a success or failure message based on the API response. - - This action is primarily used for health checks and initial configuration validation. - - It performs a read-only GET request to the Censys account/organization endpoint. + ### Parameters - - Per system rules, Ping actions are not classified as enrichment actions. + | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Flow Description + | API Key | String | Yes | The API key used for authenticating with the Censys + platform. | - 1. **Initialization**: The action starts by initializing the Siemplify context - and logging the execution start. + | Organization Id | String | Yes | The Organization ID associated with the Censys + account. | - 2. **Configuration Retrieval**: It extracts the global integration settings: `API - Key`, `Organization ID`, and `Verify SSL`. + | Verify SSL | Boolean | Yes | Whether to verify SSL certificates when connecting + to the Censys API. | - 3. **API Client Setup**: An instance of the `APIManager` is created using the - retrieved credentials. - 4. **Connectivity Check**: The action calls the `test_connectivity` method, which - executes a GET request to the Censys API endpoint `/v3/accounts/organizations/{organization_id}`. + ### Additional Notes - 5. **Execution Completion**: - - If the API call is successful, the action ends with a "Successfully connected" - message and a `True` result. - - If an error occurs (e.g., 401 Unauthorized or connection timeout), the action - catches the exception, logs the error details, and ends with a failure message - and a `False` result. + This action does not perform any data retrieval or modification beyond verifying + connectivity. capabilities: can_create_case_comments: false can_create_insight: false @@ -740,8 +774,15 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to verify connectivity to the Censys API. + It does not modify any external or internal data, nor does it update entities + or create insights. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action, which is explicitly excluded from being an enrichment + action per the provided instructions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -757,3 +798,5 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with or process any entities. diff --git a/content/response_integrations/third_party/partner/censys/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/censys/resources/ai/integration_ai_description.yaml index ac8e64b44..0c31d8046 100644 --- a/content/response_integrations/third_party/partner/censys/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/partner/censys/resources/ai/integration_ai_description.yaml @@ -7,6 +7,15 @@ product_categories: iam_and_identity_management: false itsm: false network_security: false + reasoning: >- + The Censys integration is primarily a Threat Intelligence and Vulnerability Management + tool. It provides enrichment for external indicators (IPs, Domains, Certificates) + by retrieving comprehensive intelligence such as services, ports, and vulnerabilities, + which directly supports the 'Threat Intelligence' category for confirming True + Positives and the 'Vulnerability Management' category by identifying potential + exposures and vulnerabilities on internet-facing assets. It does not perform SIEM + log ingestion, EDR host containment, network blocking, cloud configuration management, + ITSM ticketing, internal asset inventory management, or collaboration tasks. siem: false threat_intelligence: true vulnerability_management: true diff --git a/content/response_integrations/third_party/partner/clarotyxdome/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/clarotyxdome/resources/ai/actions_ai_description.yaml index 1213b7e18..f99073c3e 100644 --- a/content/response_integrations/third_party/partner/clarotyxdome/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/clarotyxdome/resources/ai/actions_ai_description.yaml @@ -13,6 +13,11 @@ AddVulnerabilities: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves contextual metadata (vulnerabilities) for a device/asset, + which aligns with the 'Enrich Asset' category. It does not perform IOC enrichment + (which typically refers to file hashes or malicious IPs) or any other listed + containment/ticketing actions. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -27,35 +32,50 @@ AddVulnerabilities: update_email: false update_identity: false update_ticket: false - ai_description: "### General Description\nEnriches entities with vulnerability information\ - \ retrieved from Claroty xDome. This action identifies devices within the xDome\ - \ platform using their IP address, MAC address, or a unique identifier (UID) and\ - \ fetches associated vulnerability data, including CVE IDs, risk scores, and remediation\ - \ recommendations. The retrieved data is then appended to the entity's additional\ - \ properties in Google SecOps.\n\n### Parameters Description\n| Parameter | Description\ - \ | Type | Mandatory |\n| :--- | :--- | :--- | :--- |\n| xdomeHost | The base\ - \ URL for the Claroty xDome instance (e.g., https://example.xdome.claroty.com).\ - \ | String | Yes |\n| xdomeApiToken | The API token used for authenticating requests\ - \ to the Claroty xDome API. | String | Yes |\n| Verify SSL | If enabled, the action\ - \ will validate the SSL certificate of the xDome API endpoint. | Boolean | No\ - \ |\n\n### Flow Description\n1. **Configuration Extraction**: Retrieves the xDome\ - \ host, API token, and SSL verification settings from the integration configuration.\n\ - 2. **Entity Iteration**: Processes each target entity provided in the current\ - \ context.\n3. **Device Identification**: \n * Checks if the entity identifier\ - \ is a UID (32-40 character hex string).\n * If not a UID, it attempts to match\ - \ the identifier against IP (v4/v6) or MAC address patterns.\n * Performs a\ - \ search in xDome to find the corresponding device record.\n4. **Vulnerability\ - \ Retrieval**: For each identified device, it queries the xDome API to fetch all\ - \ related vulnerability records, including details like severity, EPSS scores,\ - \ and descriptions.\n5. **Internal Enrichment**: \n * Updates the entity's\ - \ `additional_properties` with the vulnerability list, total count, and a `is_vulnerable`\ - \ flag.\n * Sets the entity's `is_enriched` status to `True`.\n6. **Entity\ - \ Update**: Commits the enriched data back to the Google SecOps platform.\n7.\ - \ **Final Reporting**: Provides a summary message indicating which entities were\ - \ successfully enriched and which failed.\n\n### Additional Notes\n- The action\ - \ uses a timeout of 5 seconds for API requests.\n- It limits the device search\ - \ to the first 5 matches and vulnerability retrieval to the first 100 records\ - \ per device." + ai_description: >- + ### General Description + + This action enriches entities (such as IP addresses, MAC addresses, or device + UIDs) with vulnerability information retrieved from the Claroty xDome platform. + It identifies the corresponding device in xDome and fetches associated vulnerability + data, including CVE IDs, risk scores, and remediation recommendations, updating + the entity's profile within the SOAR platform. + + + ### Parameters + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | xdomeHost | string | Yes | Base URL for the Claroty xDome instance. | + + | xdomeApiToken | string | Yes | API token for authenticating to the Claroty xDome + API. | + + | Verify SSL | string | No | Enable to validate SSL certificates for xDome API + connections. | + + + ### Flow Description + + 1. **Configuration Extraction**: The action retrieves the `xdomeHost`, `xdomeApiToken`, + and `Verify SSL` settings. + + 2. **Entity Iteration**: The action iterates through all provided target entities. + + 3. **Device Identification**: For each entity, it checks if the identifier is + a UID. If not, it attempts to resolve the entity (IP or MAC) to a device UID using + the Claroty xDome API. + + 4. **Vulnerability Retrieval**: Once a device UID is obtained, the action queries + the Claroty xDome API for all vulnerabilities associated with that device. + + 5. **Entity Enrichment**: The retrieved vulnerability data (including counts, + scores, and descriptions) is added to the entity's `additional_properties`. + + 6. **Update**: The action updates the enriched entities in the SOAR platform and + adds the results to the action output. capabilities: can_create_case_comments: false can_create_insight: false @@ -66,53 +86,30 @@ AddVulnerabilities: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with vulnerability data and sets the is_enriched - flag. + Updates entity additional properties with vulnerability data and sets the enriched + status. + reasoning: >- + The action fetches vulnerability data from an external API (Claroty xDome) and + updates the internal SOAR entities with this information. It does not modify + the state of the external Claroty xDome system (no POST/PUT/DELETE that changes + external data). It performs internal mutations by updating entity properties. categories: enrichment: true + reasoning: >- + The action is an enrichment action because it fetches data from an external + source (Claroty xDome) and updates internal entity data without modifying any + external system state. entity_usage: entity_types: - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - HOSTNAME - - IPSET - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false filters_by_creation_time: false filters_by_entity_type: false - filters_by_identifier: true + filters_by_identifier: false filters_by_is_artifact: false filters_by_is_enriched: false filters_by_is_internal: false @@ -120,6 +117,11 @@ AddVulnerabilities: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over all target entities. It attempts to resolve identifiers + (IP, MAC, UID) to devices. It does not filter the input list by type, so it + supports all entity types, though it specifically processes ADDRESS, MacAddress, + and generic identifiers. EnrichAlerts: action_product_categories: add_alert_comment: false @@ -135,6 +137,10 @@ EnrichAlerts: enrich_ioc: false execute_command_on_the_host: false get_alert_information: true + reasoning: >- + The action retrieves alert information from Claroty xDome (`get_alert_information`) + and updates the current alert's metadata and security results within the SOAR + platform (`update_alert`). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -152,45 +158,49 @@ EnrichAlerts: ai_description: >- ### General Description - The **EnrichAlerts** action retrieves comprehensive details for a specific alert - from Claroty xDome and maps that information onto the current Google SecOps alert. - This enrichment process includes populating additional properties with Claroty-specific - metadata and updating the alert's security results with MITRE ATT&CK tactics and - techniques (supporting both ICS and Enterprise frameworks). + This action enriches a Google SecOps alert by retrieving detailed information + from a Claroty xDome alert. It fetches specific alert metadata, including MITRE + ATT&CK tactics and techniques, and updates the current Google SecOps alert's properties + and security results to provide better context for analysts. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Configuration Extraction**: The action retrieves the Claroty xDome API host + and authentication token from the integration configuration. - | :--- | :--- | :--- | :--- | + 2. **Parameter Extraction**: The action extracts the `clarotyAlertId` parameter + provided by the user. - | `clarotyAlertId` | String | Yes | The unique identifier of the alert within - the Claroty xDome platform. | + 3. **Data Retrieval**: The action performs a POST request to the Claroty xDome + API (`/api/v1/alerts/`) to fetch the alert details matching the provided ID. + 4. **Alert Enrichment**: If the alert is found, the action updates the current + Google SecOps alert's `additional_properties` with the retrieved Claroty alert + data. - ### Flow Description + 5. **MITRE Mapping**: The action maps MITRE ATT&CK tactics and techniques (ICS + or Enterprise) from the Claroty alert to the Google SecOps alert's `security_result` + field. - 1. **Authentication**: The action retrieves the Claroty xDome host and API token - from the integration configuration. + 6. **Result Reporting**: The retrieved alert data is added to the action result + JSON, and a status message is returned. - 2. **Data Retrieval**: It sends a POST request to the Claroty API to fetch details - for the alert specified by the `clarotyAlertId` parameter. - 3. **Property Mapping**: If the alert is found, the action iterates through the - Claroty alert fields (such as alert name, type, class, and status) and adds them - to the Google SecOps alert's `additional_properties` with a `Claroty_` prefix. + ### Parameters Description - 4. **MITRE Enrichment**: The action extracts MITRE technique names and IDs (checking - both Enterprise and ICS fields) and updates the `security_result` field of the - alert with the corresponding tactic and technique information. + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | `clarotyAlertId` | string | Yes | The unique alert ID from Claroty xDome to + be retrieved and used for enrichment. | ### Additional Notes - This action specifically targets the alert object itself rather than individual - entities. It is designed to provide context to the analyst by bringing external - alert metadata directly into the SecOps case management interface. + This action does not require any specific entity types to run, as it operates + on the current alert context. capabilities: can_create_case_comments: false can_create_insight: false @@ -201,10 +211,19 @@ EnrichAlerts: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates the current alert's additional properties and security result fields - (MITRE tactics and techniques) with data retrieved from Claroty xDome. + Updates the current alert's `additional_properties` and `security_result` (MITRE + info) within Google SecOps. + reasoning: >- + The action fetches alert data from an external API (Claroty xDome). It then + modifies the current alert's `additional_properties` and `security_result` fields + within the SOAR platform. It does not mutate external data, create insights, + or add case comments. categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches data from an external source (Claroty xDome) and updates + the internal alert's metadata. It does not mutate external systems. This fits + the definition of an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -220,6 +239,9 @@ EnrichAlerts: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action operates on the `siemplify.current_alert` object directly and does + not iterate over or filter `target_entities`. EnrichXDomeAssetInformation: action_product_categories: add_alert_comment: false @@ -235,6 +257,11 @@ EnrichXDomeAssetInformation: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves contextual metadata (device category, manufacturer, risk + score, vulnerabilities) for assets (IPs/MACs). This aligns with the 'Enrich + Asset' category. It does not perform IOC reputation lookups (Enrich IOC), nor + does it perform containment or ticketing operations. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -252,54 +279,53 @@ EnrichXDomeAssetInformation: ai_description: >- ### General Description - Enriches IP Address and MAC Address entities with detailed asset metadata and - vulnerability information retrieved from Claroty xDome. This action helps analysts - understand the context of a device, including its category, manufacturer, risk - score, and known vulnerabilities, by querying the Claroty xDome API. + This action enriches asset information by querying the Claroty xDome platform. + It retrieves detailed device metadata and vulnerability information for entities + identified as IP or MAC addresses. The action updates the entity's profile within + the SOAR platform with the retrieved data, providing analysts with context regarding + the device's category, manufacturer, risk score, and associated vulnerabilities. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Configuration Extraction**: The action retrieves the `xdomeHost` and `xdomeApiToken` + from the integration configuration. - | :--- | :--- | :--- | :--- | + 2. **Entity Filtering**: It iterates through the target entities, processing only + those with the type `ADDRESS` or `MACADDRESS`. - | xdomeHost | playbook_name | Yes | The base URL for the Claroty xDome instance - (e.g., `https://example.xdome.claroty.com`). | + 3. **Device Query**: For each valid entity, it performs a POST request to the + Claroty xDome API (`/api/v1/devices/`) to fetch device details based on the IP + or MAC address. - | xdomeApiToken | playbook_name | Yes | The API token used for authenticating - requests to the Claroty xDome instance. | + 4. **Vulnerability Query**: If a device is found, it performs a second POST request + to the Claroty xDome API (`/api/v1/device_vulnerability_relations/`) to retrieve + associated vulnerabilities using the device's unique identifier (UID). + 5. **Data Enrichment**: The retrieved device and vulnerability data are compacted + and added to the entity's `additional_properties`. - ### Additional Notes + 6. **Entity Update**: The action updates the entities in the SOAR platform and + marks them as enriched. - - The action specifically targets `ADDRESS` (IP) and `MacAddress` entity types. - - It uses regex to distinguish between IPv4, IPv6, and MAC addresses to apply - the correct search filter in the Claroty API. + ### Parameters Description - - If multiple devices are found for a single identifier, only the first result - is used for enrichment. + | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Flow Description + | `xdomeHost` | string | Yes | Base URL for the Claroty xDome instance. | - 1. **Validation**: The action iterates through the target entities and filters - for supported types (`ADDRESS` or `MacAddress`). It further validates the identifier - format using regex. + | `xdomeApiToken` | string | Yes | API token for authenticating to the Claroty + xDome instance. | - 2. **Device Lookup**: For each valid entity, it performs a search in Claroty xDome - to find matching devices based on the IP or MAC address. - 3. **Vulnerability Retrieval**: If a device is found, the action retrieves a list - of associated vulnerabilities using the device's unique identifier (UID). + ### Additional Notes - 4. **Data Processing**: It compiles a set of enrichment fields, including device - category, risk score, and a summary of the top 5 vulnerabilities. + - The action only processes entities of type `ADDRESS` or `MACADDRESS`. - 5. **Entity Update**: The compiled data is added to the entity's `additional_properties` - (prefixed with `Claroty_`), and the entity is marked as enriched within Google - SecOps. + - If no matching device is found in Claroty xDome, the entity is not enriched. capabilities: can_create_case_comments: false can_create_insight: false @@ -310,10 +336,19 @@ EnrichXDomeAssetInformation: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with asset metadata and vulnerability information - retrieved from Claroty xDome. + Updates entity `additional_properties` and sets the `is_enriched` flag to true. + reasoning: >- + The action fetches device and vulnerability data from an external system (Claroty + xDome) via API calls. It updates the entity's `additional_properties` within + the SOAR platform, which constitutes an internal mutation, but does not modify + external system state, create insights, or add case comments. categories: enrichment: true + reasoning: >- + The action fetches data from an external source (Claroty xDome) to enrich entities. + It does not mutate external systems. It modifies internal entity data (which + is an allowed internal mutation for enrichment actions). Therefore, it is classified + as an enrichment action. entity_usage: entity_types: - ADDRESS @@ -323,7 +358,7 @@ EnrichXDomeAssetInformation: filters_by_case_identifier: false filters_by_creation_time: false filters_by_entity_type: true - filters_by_identifier: true + filters_by_identifier: false filters_by_is_artifact: false filters_by_is_enriched: false filters_by_is_internal: false @@ -331,6 +366,10 @@ EnrichXDomeAssetInformation: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and explicitly checks if + the entity type is `EntityTypes.ADDRESS` or `EntityTypes.MACADDRESS`. It processes + these specific types and filters out others. Ping: action_product_categories: add_alert_comment: false @@ -346,6 +385,9 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test (Ping) and does not perform any of the defined + product category operations (e.g., enrichment, containment, ticket management). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -361,50 +403,17 @@ Ping: update_identity: false update_ticket: false ai_description: >- - ### General Description - - Tests the connectivity to the Claroty xDome platform using the provided configuration - parameters. This action ensures that the Google SecOps environment can successfully - authenticate and communicate with the Claroty xDome API by attempting to retrieve - a single alert record. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | xdomeHost | String | Yes | The base URL of the Claroty xDome instance (e.g., - https://api.xdome.claroty.com). | - - | xdomeApiToken | String | Yes | The API token used for Bearer authentication. - | - - | Verify SSL | Boolean | No | If enabled, the action will verify the SSL certificate - of the xDome host. Defaults to False if not specified. | - - - ### Flow Description - - 1. **Parameter Extraction**: The action retrieves the integration's configuration - parameters, including the host URL, API token, and SSL verification preference. - - 2. **API Request**: It constructs a POST request to the `/api/v1/alerts/` endpoint. - The request includes a JSON payload designed to fetch only one alert (`limit: - 1`) to minimize data transfer while verifying access. - - 3. **Validation**: The action checks the response status. If the request is successful - (HTTP 2xx), it confirms connectivity. - - 4. **Error Handling**: If the request fails due to network issues, invalid credentials, - or server errors, the exception is caught, logged, and a failure status is returned. - - - ### Additional Notes - - This action does not have specific action-level parameters; it relies entirely - on the integration's global configuration settings. + General description: This action tests the connectivity between the SOAR platform + and the Claroty xDome API. It verifies that the provided host URL and API token + are valid by attempting to retrieve a sample alert from the system. Parameters: + | Parameter | Type | Mandatory | Description | | --- | --- | --- | --- | | xdomeHost + | String | Yes | The base URL of the Claroty xDome instance. | | xdomeApiToken + | String | Yes | The API token for authentication. | | Verify SSL | Boolean | + No | Whether to verify SSL certificates. | Flow description: 1. Extract the configuration + parameters (Host, API Token, SSL verification) from the integration settings. + 2. Construct the API endpoint URL for the alerts resource. 3. Send a POST request + to the Claroty xDome API to verify the connection. 4. Return a success or failure + message based on the API response. capabilities: can_create_case_comments: false can_create_insight: false @@ -413,10 +422,17 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity test (Ping) by sending a POST request to + the Claroty xDome API. It does not fetch contextual data for entities, nor does + it mutate external or internal data. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action, which is explicitly excluded from being an enrichment + action per the guidelines. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -432,3 +448,5 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. diff --git a/content/response_integrations/third_party/partner/clarotyxdome/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/clarotyxdome/resources/ai/integration_ai_description.yaml index 3276144a2..4ede364fa 100644 --- a/content/response_integrations/third_party/partner/clarotyxdome/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/partner/clarotyxdome/resources/ai/integration_ai_description.yaml @@ -7,6 +7,18 @@ product_categories: iam_and_identity_management: false itsm: false network_security: false + reasoning: >- + The clarotyxdome integration is designed to enrich Google SecOps alerts and entities + with data from the Claroty xDome platform. The actions 'AddVulnerabilities' and + 'EnrichXDomeAssetInformation' specifically retrieve device metadata (such as manufacturer + and category) and vulnerability data (including CVEs and risk scores) for assets + identified by IP or MAC addresses. This functionality directly aligns with the + 'Vulnerability Management' category, as it helps analysts determine if an asset + is susceptible to specific exploits, and the 'Asset Inventory' category, as it + provides critical context about internal assets. The integration does not perform + SIEM log ingestion, EDR process-level analysis, network security blocking, threat + intelligence reputation lookups for IOCs, email security, IAM management, cloud + security, ITSM ticketing, or collaboration tasks. siem: false threat_intelligence: false vulnerability_management: true diff --git a/content/response_integrations/third_party/partner/cyjax_threat_intelligence/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/cyjax_threat_intelligence/resources/ai/actions_ai_description.yaml index d70f2adf9..1f5dddb37 100644 --- a/content/response_integrations/third_party/partner/cyjax_threat_intelligence/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/cyjax_threat_intelligence/resources/ai/actions_ai_description.yaml @@ -13,6 +13,11 @@ Domain monitor: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves domain monitoring data from the Cyjax API based on search + parameters. This matches the 'Search Events' category, as it returns a collection + of telemetry data. It does not match enrichment categories because it does not + operate on specific entities. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -28,68 +33,37 @@ Domain monitor: update_identity: false update_ticket: false ai_description: >- - Retrieves information from the Cyjax Domain Monitor feature, which tracks brands - against newly registered global domains and Certificate Transparency Logs (CTL). - This action allows users to search for specific domain patterns or monitor registrations - within a specific timeframe. The results provide visibility into potentially malicious - or brand-infringing domains. - - - ### Parameters - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Query | String | No | A query string to search for a domain or part of it. | - - | Since | String | No | The start date time in ISO8601 format (e.g., 2026-02-09T15:01:39Z). - | - - | Until | String | No | The end date time in ISO8601 format (e.g., 2026-02-09T15:01:39Z). - | - - - ### Additional Notes - - - The action retrieves a maximum of 1000 records due to API pagination limits. - - - If no results are found, the action completes successfully with an informative - message. - - - Dates must be provided in the YYYY-MM-DDTHH:MM:SSZ format. - - - ### Flow Description - - 1. **Parameter Extraction:** Retrieves the `Query`, `Since`, and `Until` parameters - from the action configuration. - - 2. **Validation:** Validates that the provided dates are in the correct ISO8601 - format and that the `Since` date is not after the `Until` date. - - 3. **API Request:** Initializes the Cyjax API client and performs a paginated - search against the Domain Monitor endpoint. - - 4. **Data Processing:** Parses the raw API response into structured domain monitor - results, limiting the output to the first 1000 records. - - 5. **Output Generation:** Populates a data table named "Domain Monitor Results" - and attaches the full JSON response to the action results. + Retrieves domain monitoring information from Cyjax, tracking brands against newly + registered global domains and certificate transparency logs (CTL). This action + queries the Cyjax API based on provided search parameters (Query, Since, Until) + and returns a structured list of domain monitor results. The results are displayed + in a data table and provided as raw JSON output. Parameters: Query (string, optional): + A query string to search for a domain or part of it. Since (string, optional): + The start date time in ISO8601 format. Until (string, optional): The end date + time in ISO8601 format. Flow: 1. Extracts configuration (API token, SSL verification) + and action parameters (Query, Since, Until). 2. Validates date parameters. 3. + Initializes the Cyjax API client. 4. Queries the Cyjax Domain Monitor endpoint + with pagination support. 5. Processes the retrieved domain data into a structured + format. 6. Adds a data table to the action results and returns the raw JSON output. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: >- - The action adds a data table named "Domain Monitor Results" to the case and - populates the JSON result with the retrieved domain information. + internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Cyjax API to retrieve domain monitoring + data. It does not modify external systems or internal SOAR data (entities, insights, + etc.). It simply displays the results in a table and JSON format. categories: enrichment: false + reasoning: >- + The action does not operate on entities (no target_entities usage), so it cannot + be an enrichment action. It is a standalone search action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -105,6 +79,9 @@ Domain monitor: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not iterate over siemplify.target_entities or use any entity-specific + logic. It is a standalone search action. Enrich IOCs: action_product_categories: add_alert_comment: false @@ -120,6 +97,9 @@ Enrich IOCs: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves reputation and threat intelligence (GeoIP, ASN, Sightings) + for indicators of compromise. This aligns with the 'Enrich IOC' category. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -134,51 +114,27 @@ Enrich IOCs: update_email: false update_identity: false update_ticket: false - ai_description: >- - ### General Description - - Enriches Indicators of Compromise (IOCs) using the Cyjax threat intelligence platform. - This action retrieves comprehensive contextual data for various indicator types, - including sightings from monitored sources, GeoIP location information, and Autonomous - System Number (ASN) details. It is designed to provide analysts with immediate - visibility into the prevalence and origin of a threat actor's infrastructure. - - - ### Parameters Description - - This action does not require any manual input parameters. It automatically processes - all supported entities currently attached to the case. - - - ### Flow Description - - 1. **Entity Retrieval**: The action identifies all target entities associated - with the current Google SecOps case. - - 2. **API Interaction**: For each entity, the action performs a GET request to - the Cyjax API's enrichment endpoint using the entity's identifier. - - 3. **Data Cleaning**: Before applying new data, the action clears any existing - Cyjax-specific enrichment properties (prefixed with `Cyjax_`) from the entity - to ensure data freshness. - - 4. **Entity Enrichment**: The action updates the entity's additional properties - with retrieved intelligence, including `Cyjax_Last_Seen`, `Cyjax_Sightings_Count`, - GeoIP details (Country, City), and ASN organization/number. - - 5. **Internal State Update**: The action marks the entities as enriched and updates - them within the Google SecOps platform. - - 6. **Reporting**: Finally, it generates a detailed CSV data table named "Enriched - IOCs" and attaches the raw JSON results to the case for further analysis. - - - ### Additional Notes - - Supported IOC types include Domain, Email, Hostname, FileHash (MD5, SHA1, SHA256), - IPv4, IPv6, URL, and CVE. If an IOC is not found in the Cyjax database, the action - will report it as 'not found' in the output message without failing the entire - execution. + ai_description: "### General Description\nThe **Enrich IOCs** action retrieves threat\ + \ intelligence data for Indicators of Compromise (IOCs) using the Cyjax API. It\ + \ fetches contextual information such as GeoIP, ASN, and sighting details for\ + \ various entity types (e.g., Domain, Email, Hostname, FileHash, IP, URL, CVE).\ + \ The action updates the entity's profile within the SOAR platform with this enrichment\ + \ data, marks the entity as enriched, and provides a summary table of the results.\n\ + \n### Parameters\n| Parameter | Type | Mandatory | Description |\n| :--- | :---\ + \ | :--- | :--- |\n| API Token | String | Yes | The API token used for authentication\ + \ with the Cyjax service. |\n| Verify SSL | Boolean | No | If enabled, verifies\ + \ the SSL certificate for API requests. Defaults to False. |\n\n### Flow Description\n\ + 1. **Initialization**: The action retrieves the integration configuration (API\ + \ Token, Verify SSL) and initializes the Cyjax API client.\n2. **Entity Retrieval**:\ + \ It retrieves all target entities associated with the current case.\n3. **Enrichment**:\ + \ For each entity, the action performs a GET request to the Cyjax `/indicator-of-compromise/enrichment`\ + \ endpoint.\n4. **Data Processing**: \n - If enrichment data is found, it parses\ + \ the response (GeoIP, ASN, Sightings).\n - It removes any existing Cyjax-specific\ + \ enrichment data from the entity.\n - It updates the entity's `additional_properties`\ + \ with the new enrichment data and sets `is_enriched` to True.\n5. **Update**:\ + \ The action updates the enriched entities in the SOAR platform.\n6. **Reporting**:\ + \ It adds a data table containing the enrichment results to the action output\ + \ and returns a status message." capabilities: can_create_case_comments: false can_create_insight: false @@ -189,46 +145,26 @@ Enrich IOCs: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with Cyjax threat intelligence data and - sets the 'is_enriched' flag to true. + Updates entity `additional_properties` with enrichment data and sets `is_enriched` + to True. + reasoning: >- + The action fetches threat intelligence data from the Cyjax API (GET requests) + and updates the entities within the SOAR platform with the retrieved enrichment + data. It does not mutate external systems, modify alert data, or create insights/comments. categories: enrichment: true + reasoning: >- + The action fetches data from an external source (Cyjax) and updates internal + entity attributes. It does not mutate external systems or perform forbidden + internal mutations. It is a valid enrichment action. entity_usage: entity_types: - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - DOMAIN - - EMAILSUBJECT - - EVENT - FILEHASH - - FILENAME - - GENERICENTITY - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - DestinationURL - - USB - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false @@ -243,6 +179,11 @@ Enrich IOCs: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action retrieves all target entities from the case using `get_entity_objects` + and iterates through them to perform enrichment. It does not apply any filtering + logic based on entity attributes (like type, creation time, etc.) within the + script, so it is considered to run on all supported entity types. List Data Breaches: action_product_categories: add_alert_comment: false @@ -258,6 +199,11 @@ List Data Breaches: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action fetches data breach records from the Cyjax API based on search parameters. + This matches the 'Search Events' category as it retrieves historical telemetry + data. It does not perform enrichment on entities, nor does it mutate external + or internal systems. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -272,33 +218,50 @@ List Data Breaches: update_email: false update_identity: false update_ticket: false - ai_description: "Lists all email addresses and associated data breach records collected\ - \ by Cyjax. This action allows users to search for specific email addresses or\ - \ patterns within the Cyjax data leak database and filter results by a specific\ - \ time range. It retrieves detailed information about each breach, including the\ - \ breach name, source, discovery date, and the types of data classes (e.g., passwords,\ - \ usernames) that were compromised.\n\n### Flow Description\n1. **Parameter Extraction:**\ - \ The action retrieves the `Query`, `Since`, and `Until` parameters from the user\ - \ input.\n2. **Validation:** It validates that the provided dates are in the correct\ - \ ISO8601 format (`YYYY-MM-DDTHH:MM:SSZ`) and ensures the `Since` date is not\ - \ later than the `Until` date.\n3. **API Initialization:** Initializes the Cyjax\ - \ API manager using the configured API token.\n4. **Data Retrieval:** Executes\ - \ a paginated GET request to the Cyjax `/data-leak/credentials` endpoint. It automatically\ - \ handles pagination to fetch up to 1,000 records.\n5. **Output Generation:**\ - \ \n * Converts the raw API response into a structured data table named 'Data\ - \ Breach Results'.\n * Attaches the full raw data as a JSON result for further\ - \ processing in the playbook.\n * Provides a status message indicating the\ - \ number of records found and any pagination limits reached.\n\n### Parameters\ - \ Description\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- |\ - \ :--- | :--- |\n| Query | String | False | A search string used to find an email\ - \ address or a partial match within the breach database. |\n| Since | String |\ - \ False | The start date and time for the search in ISO8601 format (e.g., 2026-02-09T15:01:39Z).\ - \ |\n| Until | String | False | The end date and time for the search in ISO8601\ - \ format (e.g., 2026-02-09T15:01:39Z). |\n\n### Additional Notes\n* **Pagination\ - \ Limit:** The action is hardcoded to retrieve a maximum of 1,000 records to prevent\ - \ performance issues. If the limit is reached, a note is added to the output message.\n\ - * **Date Format:** Both `Since` and `Until` must strictly follow the `YYYY-MM-DDTHH:MM:SSZ`\ - \ format." + ai_description: >- + ### General Description + + This action retrieves a list of data breaches from the Cyjax platform based on + optional search criteria. It allows users to filter results by a query string + and a specific date range, providing visibility into compromised credentials. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | --- | --- | --- | --- | + + | Query | string | No | A query string to search for an email address or part + of it. | + + | Since | string | No | The start date time in ISO8601 format (e.g., 2026-02-09T15:01:39Z). + | + + | Until | string | No | The end date time in ISO8601 format (e.g., 2026-02-09T15:01:39Z). + | + + + ### Additional Notes + + The action automatically handles pagination up to a limit of 1000 records. If + the limit is reached, a note is added to the output message. + + + ### Flow Description + + 1. Extracts configuration parameters (Query, Since, Until). + + 2. Validates the provided date range. + + 3. Initializes the Cyjax API client. + + 4. Queries the Cyjax API for data breaches, handling pagination automatically. + + 5. Processes the retrieved data into a structured format. + + 6. Displays the results in a data table within the case and returns the raw JSON + output. capabilities: can_create_case_comments: false can_create_insight: false @@ -309,8 +272,16 @@ List Data Breaches: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Cyjax API to retrieve data breach records + (fetches_data=true). It does not perform any POST/PUT/DELETE operations (can_mutate_external_data=false). + It does not modify any internal case data, entities, or insights (can_mutate_internal_data=false). categories: enrichment: false + reasoning: >- + The action is not an enrichment action because it does not operate on entities + or alerts to gather supplemental context. It is a standalone search action that + retrieves data breach records. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -326,6 +297,10 @@ List Data Breaches: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or utilize `siemplify.target_entities`. It + performs a standalone search against the Cyjax API based on provided parameters, + therefore it does not operate on any specific entity types. Ping: action_product_categories: add_alert_comment: false @@ -341,6 +316,9 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test ('Ping') and does not perform any of the defined + functional operations such as enrichment, containment, ticketing, or alert management. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -355,27 +333,26 @@ Ping: update_email: false update_identity: false update_ticket: false - ai_description: "### General Description\nThe **Ping** action is a diagnostic tool\ - \ used to verify the connectivity between the Google SecOps SOAR platform and\ - \ the Cyjax Threat Intelligence API. It ensures that the provided API Token is\ - \ valid and that the network configuration (including SSL verification settings)\ - \ allows for successful communication with the Cyjax service.\n\n### Parameters\ - \ Description\nThere are no parameters for this action.\n\n### Additional Notes\n\ - This action uses the integration's global configuration parameters (API Token\ - \ and Verify SSL) to perform the connectivity test. It does not process any entities\ - \ or modify any data within the SOAR or Cyjax platforms.\n\n### Flow Description\n\ - 1. **Initialization**: The action starts by initializing the Siemplify context\ - \ and logging the start of the process.\n2. **Configuration Retrieval**: It extracts\ - \ the `API Token` and `Verify SSL` settings from the integration's configuration.\n\ - 3. **API Manager Setup**: An instance of the `APIManager` is created using the\ - \ retrieved credentials.\n4. **Connectivity Test**: The action calls the `ping`\ - \ method in the manager, which executes a `GET` request to the `/indicator-of-compromise`\ - \ endpoint with a minimal result set (`per-page=1`) to verify the authentication\ - \ and endpoint availability.\n5. **Result Handling**: \n - If the request is\ - \ successful, it logs the success and returns a positive result value (`True`).\n\ - \ - If an exception occurs (e.g., 401 Unauthorized, connection timeout, or\ - \ 500 Server Error), it captures the error, logs the details, and returns a failed\ - \ status with a `False` result value." + ai_description: "### General Description\nThis action tests the connectivity between\ + \ the Google SecOps SOAR platform and the Cyjax API. It validates the provided\ + \ integration configuration (API Token and SSL verification settings) to ensure\ + \ the SOAR platform can successfully communicate with the Cyjax service.\n\n###\ + \ Parameters Description\nThere are no action-specific parameters. The action\ + \ utilizes the integration configuration parameters defined in the Cyjax integration\ + \ settings:\n\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- |\ + \ :--- | :--- |\n| API Token | String | Yes | The authentication token used to\ + \ access the Cyjax API. |\n| Verify SSL | Boolean | No | Whether to verify SSL\ + \ certificates when making API requests. Defaults to False. |\n\n### Flow Description\n\ + 1. **Initialization**: The action initializes the `SiemplifyAction` and retrieves\ + \ the integration configuration (API Token and Verify SSL) using `get_integration_params`.\n\ + 2. **Manager Instantiation**: An `APIManager` instance is created using the retrieved\ + \ credentials.\n3. **Connectivity Test**: The action calls the `ping()` method,\ + \ which performs a GET request to the Cyjax API endpoint (`/indicator-of-compromise`).\n\ + 4. **Result Handling**: \n - If the API returns a successful response, the\ + \ action logs the success and sets the execution result to True.\n - If an\ + \ exception occurs (e.g., unauthorized access, network error), the action logs\ + \ the error and sets the execution result to False.\n5. **Completion**: The action\ + \ terminates, reporting the connectivity status." capabilities: can_create_case_comments: false can_create_insight: false @@ -386,8 +363,15 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Cyjax API to verify connectivity. It + does not modify any external systems, update internal entities, or create insights. + It is a utility action for connectivity testing. categories: enrichment: false + reasoning: >- + The action is a connectivity test ('Ping'). Per the instructions, actions named + 'Ping' must not be categorized as enrichment actions, even if they fetch data. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -403,3 +387,6 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with or process any entities. It is a global connectivity + test. diff --git a/content/response_integrations/third_party/partner/cyjax_threat_intelligence/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/cyjax_threat_intelligence/resources/ai/integration_ai_description.yaml index ac8e64b44..fbb3ade24 100644 --- a/content/response_integrations/third_party/partner/cyjax_threat_intelligence/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/partner/cyjax_threat_intelligence/resources/ai/integration_ai_description.yaml @@ -7,6 +7,15 @@ product_categories: iam_and_identity_management: false itsm: false network_security: false + reasoning: >- + The integration is primarily focused on providing threat intelligence capabilities. + The 'Enrich IOCs' action directly aligns with the 'Threat Intelligence' category + by fetching reputation data, sightings, and contextual information for various + indicators (IPs, Hashes, Domains, URLs). The 'Domain monitor' and 'List Data Breaches' + actions provide additional intelligence gathering capabilities, which further + support this classification. The integration does not perform SIEM log analysis, + EDR host-level investigation, network blocking, identity management, or ITSM ticketing + functions. Therefore, it is classified exclusively under Threat Intelligence. siem: false threat_intelligence: true - vulnerability_management: true + vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/cylusone/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/cylusone/resources/ai/actions_ai_description.yaml index baddb850b..106d020a7 100644 --- a/content/response_integrations/third_party/partner/cylusone/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/cylusone/resources/ai/actions_ai_description.yaml @@ -13,6 +13,12 @@ EnrichAssetInformation: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves contextual metadata (asset information) for an IP address + and updates the entity. This matches the 'Enrich Asset' category. It does not + perform threat intelligence lookups (reputation/prevalence) in the traditional + sense of 'Enrich IOC', though it enriches an IP. 'Enrich Asset' is the most + accurate description. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -30,55 +36,39 @@ EnrichAssetInformation: ai_description: >- ### General Description - Enriches IP Address entities with detailed asset information retrieved from the - Cylus platform. This action is designed to provide security analysts with contextual - metadata about network assets, such as MAC addresses, operating system details, - and custom properties, by querying the Cylus API using the entity's IP address. + This action enriches IP address entities with asset information retrieved from + the CylusOne platform. It queries the CylusOne API to obtain detailed asset metadata + for a given IP address, flattens the retrieved properties, and updates the entity's + additional properties within the SOAR platform. ### Parameters Description - There are no parameters for this action. + There are no action-specific parameters. The action relies on global integration + configuration parameters (Base URL, API Key, and Verify SSL) to establish connectivity + with the CylusOne platform. ### Additional Notes - - The action specifically targets entities of type `ADDRESS` (IP addresses). - - - It performs a validation check to ensure the IP address is in a valid IPv4 format - before making API calls. - - - Enrichment data is prefixed with `Cylus_` to avoid collisions with other data - sources. - - - List-based fields (like MACs or IPs) are truncated to a maximum of 5 items and - formatted as comma-separated strings. + This action is designed to be used for asset enrichment. It does not perform threat + intelligence lookups (e.g., reputation scores) and does not modify any external + systems. ### Flow Description - 1. **Initialization**: The action initializes the Cylus API manager using the - integration's base URL and API key. - - 2. **Entity Filtering**: It iterates through the target entities in the current - context, filtering for those of type `ADDRESS`. - - 3. **Validation**: For each valid entity, it verifies the IPv4 format of the identifier. - - 4. **Data Retrieval**: It performs a GET request to the Cylus `/rest/v1/assets/by-ip` - endpoint using the IP address. + 1. The action iterates through all target entities provided in the case. - 5. **Data Processing**: If an asset is found, the action flattens the JSON response, - cleans property names (converting them to snake_case), and formats list values. + 2. It filters for entities of type `ADDRESS` and validates their format. - 6. **Internal Mutation**: The processed data is added to the entity's `additional_properties` - and the `is_enriched` flag is set to true. + 3. For each valid IP, it queries the CylusOne API to retrieve associated asset + details. - 7. **Update**: The action updates the entities within Google SecOps to persist - the enrichment data. + 4. The retrieved asset data is flattened and formatted into key-value pairs. - 8. **Completion**: It returns a summary message indicating which entities were - successfully enriched and provides the raw data in the JSON result. + 5. The action updates the entity's `additional_properties` with this new information + and marks the entity as enriched. capabilities: can_create_case_comments: false can_create_insight: false @@ -89,10 +79,18 @@ EnrichAssetInformation: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates the entity's additional properties with asset information from Cylus - and sets the 'is_enriched' flag to true. + Updates the entity's additional_properties and sets the is_enriched flag to + true. + reasoning: >- + The action fetches asset data from an external API (CylusOne) and updates the + internal entity properties within the SOAR platform. It does not modify external + systems or create insights/comments. categories: enrichment: true + reasoning: >- + The action fetches data from an external source and updates internal entity + properties without modifying external systems. This meets the criteria for an + enrichment action. entity_usage: entity_types: - ADDRESS @@ -109,6 +107,9 @@ EnrichAssetInformation: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and explicitly checks `entity.entity_type + == EntityTypes.ADDRESS`. Ping: action_product_categories: add_alert_comment: false @@ -124,6 +125,9 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test (Ping) and does not perform any of the defined + product category actions (e.g., enrichment, containment, ticket management). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -138,25 +142,39 @@ Ping: update_email: false update_identity: false update_ticket: false - ai_description: "### General Description\nThe **Ping** action is a diagnostic utility\ - \ designed to verify the connectivity between the Google SecOps platform and the\ - \ **CylusOne** instance. It validates that the integration's configuration parameters,\ - \ such as the Base URL and API Key, are correct and that the network path is open.\n\ - \n### Parameters Description\n| Parameter | Type | Mandatory | Description |\n\ - | :--- | :--- | :--- | :--- |\n| None | N/A | N/A | This action does not require\ - \ any input parameters as it uses the global integration configuration. |\n\n\ - ### Additional Notes\nThis action is strictly for connectivity testing and does\ - \ not interact with any entities in the current case or alert context.\n\n###\ - \ Flow Description\n1. **Parameter Extraction**: The action retrieves the `Base\ - \ URL`, `Cylus API Key`, and `Verify SSL` settings from the integration configuration.\n\ - 2. **API Client Initialization**: It initializes the `ApiManager` with the provided\ - \ credentials and connection settings.\n3. **Connectivity Verification**: The\ - \ action executes a `GET` request to the assets endpoint using a hardcoded test\ - \ IP address (`10.0.0.5`) to verify the API's responsiveness.\n4. **Status Reporting**:\ - \ \n * If the API returns a successful response (200 OK) or a valid 'Not Found'\ - \ (404), the action completes successfully.\n * If the API returns authentication\ - \ errors (401/403) or connection failures, the action reports a failure with the\ - \ specific error message." + ai_description: >- + ### General Description + + Tests the connectivity to the CylusOne platform. This action validates the provided + API credentials and ensures the integration can successfully communicate with + the CylusOne API endpoint. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Base URL | String | Yes | The base URL of the CylusOne API. | + + | Cylus API Key | String | Yes | The API key used for authentication. | + + | Verify SSL | Boolean | No | Whether to verify SSL certificates during API requests. + | + + + ### Flow Description + + 1. The action extracts the integration parameters (Base URL, API Key, Verify SSL) + from the configuration. + + 2. It initializes the `ApiManager` with these parameters. + + 3. It calls the `test_connectivity` method, which sends a GET request to the CylusOne + API to verify the connection. + + 4. The action returns a success or failure status based on the API response. capabilities: can_create_case_comments: false can_create_insight: false @@ -167,8 +185,15 @@ Ping: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity test (Ping) to the CylusOne platform. It + does not fetch contextual data for entities, nor does it mutate any external + or internal systems. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action, which is explicitly excluded from being an enrichment + action per the instructions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -184,3 +209,6 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities; it performs a global connectivity + test. diff --git a/content/response_integrations/third_party/partner/cylusone/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/cylusone/resources/ai/integration_ai_description.yaml index fb8271382..60f8a5eb5 100644 --- a/content/response_integrations/third_party/partner/cylusone/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/partner/cylusone/resources/ai/integration_ai_description.yaml @@ -6,7 +6,16 @@ product_categories: email_security: false iam_and_identity_management: false itsm: false - network_security: true + network_security: false + reasoning: >- + The integration provides an action 'EnrichAssetInformation' which retrieves detailed + asset metadata for IP addresses from the CylusOne Rail OT Cybersecurity platform. + This functionality directly aligns with the Asset Inventory category, which is + defined by the ability to retrieve information about internal assets such as ownership + and business criticality. The integration does not perform threat intelligence + lookups (reputation/prevalence), nor does it provide SIEM-like log searching, + EDR-like host containment, or network security blocking capabilities based on + the provided actions. Therefore, it is classified solely as Asset Inventory. siem: false threat_intelligence: false vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/cyware_intel_exchange/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/cyware_intel_exchange/resources/ai/actions_ai_description.yaml index 67a47bcad..dad6a9f9a 100644 --- a/content/response_integrations/third_party/partner/cyware_intel_exchange/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/cyware_intel_exchange/resources/ai/actions_ai_description.yaml @@ -13,6 +13,9 @@ Add IOCs to Allowed list: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action adds indicators to an allowed list in an external system (Cyware). + This directly matches the 'Add IOC To Allowlist' category. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -28,21 +31,47 @@ Add IOCs to Allowed list: update_identity: false update_ticket: false ai_description: >- - ### General Description: Marks indicators (IOCs) as allowed in Cyware Intel Exchange - (CTIX). This action prevents these indicators from being flagged as threats in - future intelligence processing by adding them to the platform's whitelist. ### - Parameters Description: | Parameter | Type | Mandatory | Description | | :--- - | :--- | :--- | :--- | | IOC Type | DDL | Yes | The STIX-compatible type of the - indicator (e.g., ipv4-addr, domain-name, file). | | Reason | String | Yes | The - justification for allowlisting these indicators. | ### Flow Description: 1. Retrieve - integration configuration and action parameters (IOC Type and Reason). 2. Collect - all entity identifiers from the current SOAR context. 3. Initialize the Cyware - API Manager. 4. Send a POST request to the Cyware allowed_indicators endpoint - with the collected identifiers and parameters. 5. Parse the response to determine - how many indicators were newly created, already existed, or were invalid. 6. Output - the summary message and the full JSON response. ### Additional Notes: The action - processes all entities in the context using the single specified IOC Type. There - are no parameters that are conditionally mandatory. + ### General Description + + This action adds indicators of compromise (IOCs) to the allowed list (whitelist) + within the Cyware Intel Exchange platform. It allows analysts to mark specific + indicators as trusted, preventing future security alerts or false positives for + these items. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | IOC Type | ddl | Yes | The type of indicator (e.g., ipv4-addr, domain-name). + | + + | Reason | string | Yes | The reason for adding the indicators to the allowed + list. | + + + ### Additional Notes + + If no entities are found in the case, the action completes without performing + any API calls. + + + ### Flow Description + + 1. Retrieve integration configuration (Base URL, credentials). + + 2. Extract action parameters (`IOC Type`, `Reason`). + + 3. Retrieve target entities from the case. + + 4. If entities are present, send a request to the Cyware API to add these indicators + to the allowed list. + + 5. Process the API response to identify newly added, existing, or invalid indicators. + + 6. Log the results and update the action result with the API response. capabilities: can_create_case_comments: false can_create_insight: false @@ -51,11 +80,18 @@ Add IOCs to Allowed list: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Adds indicators to the allowed list (whitelist) in the Cyware CTIX platform. + Adds indicators to the allowed list in Cyware Intel Exchange. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to an external system (Cyware) to add indicators + to an allowed list. It does not fetch data, nor does it modify internal SOAR + data (entities, insights, etc.). categories: enrichment: false + reasoning: >- + The action is a mutation action (adding to an allowlist) and does not fetch + data for enrichment. Therefore, it is not an enrichment action. entity_usage: entity_types: - ADDRESS @@ -106,6 +142,11 @@ Add IOCs to Allowed list: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code calls `get_entities(siemplify)`, which retrieves all target entities + from the case. It does not filter by type or other properties in the script + itself (the `IOC Type` parameter is passed to the API, but the script processes + all entities found in the case). Therefore, it supports all entity types. Add Note to IOCs: action_product_categories: add_alert_comment: false @@ -121,6 +162,10 @@ Add Note to IOCs: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action adds a note to an IOC in the Cyware Intel Exchange. This does not + match any of the predefined categories (e.g., it is not an enrichment action, + nor does it modify alerts, tickets, or blocklists). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -138,11 +183,9 @@ Add Note to IOCs: ai_description: >- ### General Description - Adds a note to an existing threat data object (IOC) in Cyware Intel Exchange. - This action allows analysts to append contextual information, analysis results, - or metadata to indicators stored in the CTIX platform. It supports both plain - text and JSON-formatted notes. The action automatically resolves SecOps entities - to their corresponding Cyware internal IDs before attaching the note. + This action adds a note to an existing threat data object (IOC) within the Cyware + Intel Exchange platform. It allows analysts to attach contextual information or + metadata to indicators, facilitating better threat intelligence management. ### Parameters Description @@ -151,46 +194,28 @@ Add Note to IOCs: | :--- | :--- | :--- | :--- | - | Note Type | String | Yes | The category or type of the note (e.g., 'threatdata'). - This helps organize notes within the Cyware platform. | - - | Note | String | Yes | The actual content of the note to be added to the indicator. + | Note Type | string | Yes | The category or type of the note (e.g., 'threatdata'). | - | Is the Note in Json format | Boolean | No | If set to true, the action validates - that the 'Note' parameter contains a valid JSON string before submission. Default - is false. | - + | Note | string | Yes | The content of the note to be added. | - ### Flow Description + | Is the Note in Json format | boolean | No | Set to true if the provided note + content is in JSON format. | - 1. **Initialization**: Retrieves integration configuration (API credentials) and - action parameters (Note, Note Type, JSON flag). - 2. **Entity Identification**: Collects all target entities from the current SecOps - context. - - 3. **Bulk Lookup**: Sends the entity identifiers to the Cyware CTIX bulk lookup - endpoint to retrieve the internal indicator IDs required for the note-adding API. - - 4. **Note Submission**: Iterates through the valid indicators found in Cyware - and sends a POST request to the `/ingestion/notes/` endpoint for each, attaching - the specified note content. - - 5. **Validation**: If the note is marked as JSON, the script parses and re-serializes - it to ensure it is valid JSON before the API call. + ### Flow Description - 6. **Reporting**: Aggregates the responses from Cyware, including the unique IDs - of the created notes, and outputs a summary of successes and failures. + 1. Extract parameters: `Note`, `Note Type`, and `Is the Note in Json format`. + 2. Retrieve target entities from the current case. - ### Additional Notes + 3. Perform a bulk lookup in Cyware Intel Exchange to resolve entity identifiers + to internal object IDs. - * **Entity Matching**: Only entities that already exist as indicators in Cyware - Intel Exchange will be processed; others are skipped. + 4. For each successfully resolved indicator, send a POST request to add the specified + note. - * **JSON Validation**: If 'Is the Note in Json format' is enabled but the input - is not valid JSON, the action will terminate with a failure status. + 5. Return the execution status and details of the operation. capabilities: can_create_case_comments: false can_create_insight: false @@ -199,12 +224,17 @@ Add Note to IOCs: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Adds a new note record to an existing indicator object in the Cyware Intel Exchange - (CTIX) platform via a POST request to the /ingestion/notes/ endpoint. + Adds a note to an indicator in the Cyware Intel Exchange. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches data (lookup_iocs) and mutates external data (add_note_to_indicator). + It does not mutate internal data, update entities, create insights, or modify + alert data. categories: enrichment: false + reasoning: >- + The action mutates external data (adds a note), so it is not an enrichment action. entity_usage: entity_types: - ADDRESS @@ -255,6 +285,9 @@ Add Note to IOCs: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code uses `get_entities(siemplify)` to retrieve all `target_entities` from + the case without filtering by type. Therefore, it supports all entity types. Create Intel in Cyware Intel Exchange: action_product_categories: add_alert_comment: false @@ -270,6 +303,10 @@ Create Intel in Cyware Intel Exchange: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action creates an intelligence record in an external system (Cyware Intel + Exchange). It does not match any of the provided categories (Enrich IOC, Create + Ticket, etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -285,71 +322,76 @@ Create Intel in Cyware Intel Exchange: update_identity: false update_ticket: false ai_description: >- - Creates a new intelligence record in Cyware Intel Exchange for each provided entity. - This action allows analysts to contribute threat intelligence to their Cyware - CTIX instance directly from a case, supporting various indicator types and metadata - such as TLP, confidence scores, and tags. + ### General Description + This action creates a new intelligence record in the Cyware Intel Exchange (CTIX) + platform. It processes target entities from the case, prepares a payload with + specified metadata (such as TLP, confidence, tags, and description), and submits + it to the Cyware API. The action also polls the status of the creation task to + ensure the intelligence record is successfully processed. - ### Flow Description - 1. **Parameter Extraction:** The action retrieves configuration parameters (Base - URL, Credentials) and action parameters (Title, TLP, Confidence, Tags, Expiry, - Description, and IOC Type). + ### Parameters Description - 2. **Input Validation:** It validates that the Title and Description do not exceed - character limits and ensures that numerical values like Confidence and Expiry - are within valid ranges. + | Parameter | Type | Mandatory | Description | - 3. **Intel Submission:** For each target entity in the case, the action constructs - a payload and sends a POST request to the Cyware Quick Intel API to create a STIX-based - intelligence record. + | :--- | :--- | :--- | :--- | - 4. **Status Polling:** After submission, the action retrieves a Task ID and enters - a polling loop, checking the status of the intel creation process at regular intervals - until it reaches a success or failure state. + | Title | string | Yes | The title for the intelligence record (max 100 characters). + Defaults to the alert name. | - 5. **Result Aggregation:** The action collects the API responses for all processed - entities and returns them as a JSON result, providing a summary of successful - and failed submissions. + | TLP | ddl | No | The Traffic Light Protocol (TLP) value for the intel. Options: + RED, CLEAR, AMBER, AMBER_STRICT, NONE, GREEN. Defaults to NONE. | + | Metadata Confidence Score | string | No | A source confidence score for the + intel (0-100). | - ### Parameters Description + | Tags | string | No | Comma-separated tag names to add to the intel. | - | Parameter | Type | Mandatory | Description | + | Deprecates After | string | No | The expiration time of the indicator in days + (max 1000 days). Defaults to 180. | - | :--- | :--- | :--- | :--- | + | Description | string | No | A description for the intel (max 1000 characters). + | - | Title | string | True | The title for the intel record (max 100 characters). - Defaults to the Alert Name. | + | IOC Type | ddl | Yes | The type of indicator (e.g., ipv4-addr, domain-name, + file, etc.). Defaults to ipv4-addr. | - | IOC Type | ddl | True | The STIX-compatible indicator type (e.g., ipv4-addr, - domain-name, file). | - | TLP | ddl | False | The Traffic Light Protocol level (RED, CLEAR, AMBER, AMBER_STRICT, - NONE, GREEN). | + ### Additional Notes - | Metadata Confidence Score | string | False | A source confidence score between - 0 and 100. | + - The action validates that the `Title` does not exceed 100 characters and the + `Description` does not exceed 1000 characters. - | Tags | string | False | Comma-separated list of tags to associate with the intel. - | + - The `Metadata Confidence Score` and `Deprecates After` parameters are validated + as integers. - | Deprecates After | string | False | Expiration time for the indicator in days - (max 1000). Defaults to 180. | + - If no entities are found in the case, the action completes without performing + any operations. - | Description | string | False | A detailed description for the intel record (max - 1000 characters). | + ### Flow Description - ### Additional Notes + 1. **Initialization**: Retrieves integration parameters (Base URL, Access ID, + Secret Key) and target entities from the case. + + 2. **Validation**: Validates input parameters (Title, Description, Confidence + Score, Deprecates After). + + 3. **Processing**: Iterates through each target entity. + + 4. **Payload Preparation**: Constructs the intelligence creation payload, including + metadata (TLP, tags, confidence, description) and the indicator value. - - This action processes all target entities attached to the case using the single - 'IOC Type' selected in the parameters. Ensure that the entities in the scope match - the selected type. + 5. **Creation**: Sends a POST request to the Cyware CTIX API (`/conversion/quick-intel/create-stix/`) + to create the intel. - - The action includes a built-in polling mechanism that waits for Cyware to process - the 'Quick Intel' task before completing. + 6. **Status Polling**: If a task ID is returned, the action polls the status endpoint + (`/conversion/quick-intel/receive-report/`) until the report status is marked + as successful or failed, or until the maximum number of attempts is reached. + + 7. **Result Reporting**: Aggregates the results for all processed indicators and + adds them to the action result. capabilities: can_create_case_comments: false can_create_insight: false @@ -358,12 +400,19 @@ Create Intel in Cyware Intel Exchange: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates new intelligence records (indicators/reports) in the Cyware Intel Exchange - platform via POST requests. + Creates a new intelligence record in Cyware Intel Exchange. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action makes a POST request to create an intelligence record in Cyware Intel + Exchange (can_mutate_external_data=true). It also polls for the status of the + creation task (fetches_data=true). It does not modify internal SOAR data or + update entities. categories: enrichment: false + reasoning: >- + The action creates external data (an intelligence record) rather than retrieving + data, so it cannot be an Enrichment action. entity_usage: entity_types: - ADDRESS @@ -414,6 +463,10 @@ Create Intel in Cyware Intel Exchange: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code uses `get_entities(siemplify)` to retrieve all target entities from + the case and processes them without filtering by type. Therefore, it supports + all entity types. Create Task for IOCs: action_product_categories: add_alert_comment: false @@ -429,6 +482,11 @@ Create Task for IOCs: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action creates a task in an external system (Cyware), which is functionally + equivalent to creating a ticket or record. This aligns with the 'Create Ticket' + category. It does not match other categories like enrichment, containment, or + alert updates. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -444,59 +502,54 @@ Create Task for IOCs: update_identity: false update_ticket: false ai_description: >- - Creates tasks for IOC entities in Cyware Intel Exchange. This action facilitates - workflow management by allowing users to generate tasks with specific descriptions, - priorities, and deadlines associated with threat indicators. It supports assigning - tasks to specific users via email and handles bulk processing of entities. + ### General Description + This action creates a task for a threat data object (IOC) in the Cyware Intel + Exchange platform. It allows users to define task details, assign them to specific + users, and set deadlines. - ### Flow Description - 1. **Parameter Extraction:** Retrieves task details including text, priority, - status, deadline, and an optional assignee email. - - 2. **Deadline Calculation:** Validates the deadline (1-365 days) and calculates - the target epoch timestamp. + ### Parameters Description - 3. **User Resolution:** If an assignee email is provided, the action fetches the - corresponding User ID from Cyware. + | Parameter | Type | Mandatory | Description | - 4. **IOC Lookup:** Performs a bulk lookup to map the identifiers of the target - entities to their internal Cyware indicator IDs. + | :--- | :--- | :--- | :--- | - 5. **Task Creation:** Iterates through the valid indicators and sends a POST request - to Cyware to create a task for each, including the specified metadata. + | Text | string | Yes | The description of the task to be performed (Max 2000 + characters). | + | Priority | ddl | Yes | The priority of the task (high, medium, low). | - ### Parameters Description + | Status | ddl | Yes | The status of the task (not_started, in_progress, completed). + | - | Parameter | Type | Mandatory | Description | + | Deadline | string | Yes | The deadline of the task in days (Max 365 days). | - | :--- | :--- | :--- | :--- | + | Assignee Email ID | string | No | The email ID of a valid user to assign the + task. If not provided, the task is created without an assignee. | - | Text | string | Yes | The description of the task to be performed. Limited to - 2000 characters. | - | Priority | ddl | Yes | The priority level of the task. Options: high, medium, - low. | + ### Flow Description - | Status | ddl | Yes | The initial status of the task. Options: not_started, in_progress, - completed. | + 1. **Initialization**: The action extracts the provided parameters and retrieves + the target entities from the case. - | Deadline | string | Yes | The deadline for the task in days from the current - time. Must be between 1 and 365. | + 2. **Validation**: It validates the `Text` length and the `Deadline` integer value. - | Assignee Email ID | string | No | The email address of a valid Cyware user to - assign the task to. If not provided, the task remains unassigned. | + 3. **Authentication**: It initializes the Cyware API manager using the integration + configuration. + 4. **User Lookup**: If an `Assignee Email ID` is provided, it retrieves the corresponding + user ID from Cyware. - ### Additional Notes + 5. **IOC Lookup**: It performs a bulk lookup to map the provided entity identifiers + to their corresponding indicator IDs in Cyware. - - The action will fail if an 'Assignee Email ID' is provided but the user cannot - be found in Cyware Intel Exchange. + 6. **Task Creation**: For each valid indicator, it creates a task in Cyware with + the specified parameters (text, priority, status, deadline, and optional assignee). - - Only entities that are successfully resolved to existing indicators in Cyware - will have tasks created for them; others will be skipped. + 7. **Result Reporting**: It compiles the results of the task creation process + and returns them as a JSON result, updating the action status accordingly. capabilities: can_create_case_comments: false can_create_insight: false @@ -505,12 +558,20 @@ Create Task for IOCs: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates new task records in the Cyware Intel Exchange platform associated with - specific threat indicators. + Creates new tasks for indicators in the Cyware Intel Exchange platform. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches data (user information and indicator IDs) from the Cyware + Intel Exchange API. It mutates external data by creating new tasks in the Cyware + platform. It does not mutate internal SOAR data (other than returning results) + or modify alert data. categories: enrichment: false + reasoning: >- + The action is not an enrichment action because it performs a mutation on an + external system (creating a task). It does not meet the criteria for an enrichment + action. entity_usage: entity_types: - ADDRESS @@ -561,6 +622,10 @@ Create Task for IOCs: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code retrieves all target entities using `get_entities(siemplify)` and performs + a lookup for these entities in Cyware. It does not filter by specific entity + types, so it supports all available entity types. Get Allowed IOCs: action_product_categories: add_alert_comment: false @@ -576,6 +641,11 @@ Get Allowed IOCs: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves a list of allowed IOCs from the Cyware platform. It does + not match any of the specific categories like 'Enrich IOC' (which requires enriching + a specific indicator), 'Search Events', or 'Get Alert Information'. It is a + general data retrieval action. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -591,67 +661,68 @@ Get Allowed IOCs: update_identity: false update_ticket: false ai_description: >- - Retrieves a list of Indicators of Compromise (IOCs) that are marked as allowed - (whitelisted) within the Cyware Intel Exchange (CTIX) platform. This action allows - analysts to audit or verify the current allowlist based on specific criteria such - as indicator type or creation time. + Retrieves a list of allowed (whitelisted) Indicators of Compromise (IOCs) from + the Cyware Intel Exchange platform. This action allows users to filter the results + by indicator type and creation time. The retrieved data is presented as a data + table in the action results. - ### Flow Description: - - 1. **Parameter Extraction:** The action retrieves the 'IOC Type' and 'Created - From' parameters from the user input. + ### Flow Description - 2. **Validation:** It validates the 'Created From' parameter to ensure it is a - valid epoch timestamp (integer). + 1. The action extracts the configuration parameters (Base URL, Access ID, Secret + Key) and action parameters (IOC Type, Created From). - 3. **API Interaction:** It connects to the Cyware CTIX API and queries the allowed - indicators endpoint, automatically handling pagination to aggregate all matching - results. + 2. It initializes the Cyware API manager. - 4. **Data Processing:** The raw API response is parsed into internal data models. - If results are found, it prepares a summary for a data table. + 3. It performs a GET request to the Cyware Intel Exchange API to fetch the allowed + IOCs, applying any specified filters. - 5. **Output Generation:** It populates a data table named 'Allowed IOCs' in the - Google SecOps case (limited to the first 10 records for visibility) and provides - the full result set in JSON format. + 4. The retrieved IOCs are processed and formatted into a CSV-style data table. + 5. The action adds the data table to the result and returns the full JSON response. - ### Parameters Description: + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | IOC Type | DDL | No | Filters the retrieved indicators by a specific type (e.g., - 'domain-name', 'ipv4-addr'). Defaults to 'All'. | + | IOC Type | ddl | No | Filter the results by a specific indicator type (e.g., + domain-name, ipv4-addr). Select 'All' to retrieve all types. | - | Created From | String | No | An epoch timestamp in seconds. If provided, the - action only retrieves indicators created after this time. | + | Created From | string | No | Filter records based on the creation time in epoch + format (seconds). | - ### Additional Notes: + ### Additional Notes - - This action does not require or process entities from the Google SecOps case; - it performs a global search within the Cyware platform. + - If no filters are provided, the action retrieves all allowed IOCs up to the + default page size limits. - - The data table displayed in the UI is capped at 10 records to maintain performance, - but the full list is available in the JSON result. + - The action outputs a data table named 'Allowed IOCs' containing the ID, Type, + and Value of the retrieved indicators. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: >- - Adds a data table named 'Allowed IOCs' to the Google SecOps case containing - the retrieved indicator details. + internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve data from the Cyware Intel Exchange. + It does not mutate any external systems or internal SOAR data (entities, insights, + etc.). It only outputs the retrieved data as a table in the action results. categories: enrichment: false + reasoning: >- + The action retrieves a list of allowed IOCs from an external system. It does + not enrich specific entities or alerts within the case, nor does it meet the + criteria for an enrichment action as it is a global data retrieval task rather + than context gathering for specific entities. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -667,6 +738,9 @@ Get Allowed IOCs: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with siemplify.target_entities. It performs a global + query against the Cyware API based on provided parameters. Get IOC Details: action_product_categories: add_alert_comment: false @@ -682,6 +756,11 @@ Get IOC Details: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action fetches threat intelligence data (reputation, scores, tags) for indicators + from Cyware Intel Exchange and updates the SOAR entities with this information. + This matches the 'Enrich IOC' category. It does not mutate external systems + or perform other actions like ticket creation or containment. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -697,55 +776,45 @@ Get IOC Details: update_identity: false update_ticket: false ai_description: >- - Retrieves detailed threat intelligence for entities from Cyware Intel Exchange - (CTIX). This action performs a bulk lookup for indicators, fetching metadata such - as analyst scores, confidence scores, TLP levels, and whitelist status. It enriches - the entities within Google SecOps by updating their additional properties and - marking them as enriched, while also providing a summary table of the findings. + This action retrieves threat intelligence details for indicators (IOCs) from the + Cyware Intel Exchange platform. It allows users to optionally include enrichment + data and relations in the response. The action fetches details for the provided + entities, displays them in a data table, and enriches the entities within the + SOAR case by updating their properties with threat intelligence scores and metadata. - ### Flow Description - - 1. **Parameter Initialization**: Extracts action parameters including 'Enrichment - Data', 'Relation Data', and specific 'Fields' to retrieve. - - 2. **Entity Collection**: Gathers all target entities from the current context - to use their identifiers for the lookup. + ### Parameters - 3. **API Request**: Executes a bulk lookup request to the Cyware CTIX API using - the collected entity identifiers. + | Parameter | Type | Mandatory | Description | - 4. **Data Processing**: Parses the API response into structured data models, creating - a CSV-formatted data table for the case wall. + | :--- | :--- | :--- | :--- | - 5. **Entity Enrichment**: Iterates through the results and updates the corresponding - SecOps entities with enrichment attributes (e.g., Cyware_analyst_score, Cyware_tlp) - and sets the 'is_enriched' flag to true. + | Enrichment Data | boolean | false | Whether to include enrichment data in the + results. | + | Relation Data | boolean | false | Whether to include relations in the results. + | - ### Parameters Description + | Fields | string | false | Specific fields to retrieve (e.g., "name,id"). | - | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + ### Flow Description - | Enrichment Data | boolean | No | If set to true, the action will request and - include extended enrichment metadata from CTIX in the results. | + 1. Extracts configuration parameters (Base URL, Access ID, Secret Key, Verify + SSL). - | Relation Data | boolean | No | If set to true, the action will retrieve information - about related threat objects. | + 2. Extracts action parameters (Enrichment Data, Relation Data, Fields). - | Fields | string | No | A comma-separated list of specific fields (e.g., 'name,id,tlp') - to include in the API response. If left empty, default fields are returned. | + 3. Retrieves target entities from the case. + 4. Queries the Cyware Intel Exchange API for IOC details. - ### Additional Notes + 5. Constructs a data table with the retrieved IOC information. - - This action is primarily used for IOC enrichment and does not modify any data - within the Cyware platform. + 6. Updates the SOAR entities with the retrieved enrichment data (e.g., scores, + TLP, tags). - - The action processes all entity types attached to the case without specific - type filtering. + 7. Updates the entities in the SOAR platform. capabilities: can_create_case_comments: false can_create_insight: false @@ -756,10 +825,20 @@ Get IOC Details: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with threat intelligence data (scores, - TLP, whitelist status) and marks them as enriched. + Updates entity attributes with threat intelligence data and marks the entity + as enriched. + reasoning: >- + The action fetches threat intelligence data from an external API (Cyware Intel + Exchange) using a POST request. It does not mutate external systems (no state + change on Cyware). It performs internal mutations by updating entity attributes + (e.g., adding enrichment data) and updating the entities in the SOAR platform. + It does not create insights, modify alert data, or create case comments. categories: enrichment: true + reasoning: >- + The action fetches data (IOC details) and updates entity attributes (enrichment). + It does not mutate external systems. It fits the definition of an enrichment + action. entity_usage: entity_types: - ADDRESS @@ -802,7 +881,7 @@ Get IOC Details: filters_by_case_identifier: false filters_by_creation_time: false filters_by_entity_type: false - filters_by_identifier: false + filters_by_identifier: true filters_by_is_artifact: false filters_by_is_enriched: false filters_by_is_internal: false @@ -810,6 +889,11 @@ Get IOC Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action retrieves all target entities from the case and filters them based + on whether their identifier exists in the results returned from the Cyware API. + Since no explicit type-based filtering is performed in the code, it is considered + to support all entity types. Manage Tags in IOCs: action_product_categories: add_alert_comment: false @@ -825,6 +909,11 @@ Manage Tags in IOCs: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action performs tag management (add/remove) on IOCs in an external system. + It does not match any of the provided specific categories like 'Enrich IOC' + (which is read-only), 'Contain Host', or 'Update Alert'. Therefore, all flags + are false. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -840,58 +929,47 @@ Manage Tags in IOCs: update_identity: false update_ticket: false ai_description: >- - Manages tags for Indicators of Compromise (IOCs) within Cyware Intel Exchange. - This action allows users to either add or remove specific tags from entities identified - in a case. If the 'Add Tag' operation is selected and a specified tag does not - exist in Cyware, the action will automatically create the tag before associating - it with the IOC. The action performs a lookup to resolve entity identifiers to - their corresponding Cyware object IDs before applying the tag changes. - - - ### Flow Description - - 1. **Parameter Initialization**: Retrieves integration configuration (Base URL, - credentials) and action parameters (Tags, Operation Type). - - 2. **Entity Retrieval**: Collects all target entities from the current case context. - - 3. **Tag Resolution**: Fetches the list of all available tags from Cyware Intel - Exchange to map the provided tag names to their internal IDs. - - 4. **IOC Lookup**: Resolves the identifiers of the target entities to their internal - Cyware object IDs. - - 5. **Tag Management (Add)**: If the operation is 'Add Tag', it identifies missing - tags, creates them in Cyware, and then performs a bulk update to add all valid - tag IDs to the identified IOCs. - - 6. **Tag Management (Remove)**: If the operation is 'Remove Tag', it performs - a bulk update to remove the specified tag IDs from the identified IOCs. + ### General Description - 7. **Result Reporting**: Returns a JSON result containing the API response and - provides a summary message of the tags added or removed. + This action manages tags for Indicators of Compromise (IOCs) within the Cyware + Intel Exchange platform. It allows analysts to either add or remove specific tags + from a set of IOCs identified in the SOAR case. If adding tags, the action automatically + creates any tags that do not already exist in the Cyware platform before applying + them to the IOCs. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Tags | String | Yes | A comma-separated list of tag names to be added or removed - (e.g., "test-1", "test-2"). | + | Tags | string | Yes | A comma-separated list of tag names to add or remove (e.g., + "malware, phishing"). | - | Operation Type | DDL | Yes | Determines whether to 'Add Tag' or 'Remove Tag'. - If 'Add Tag' is chosen, missing tags will be created automatically. | + | Operation Type | ddl | Yes | The operation to perform: "Add Tag" or "Remove + Tag". | - ### Additional Notes + ### Flow Description + + 1. **Initialization**: Extracts integration configuration (Base URL, Access ID, + Secret Key) and action parameters. - - This action requires the entities to already exist as indicators in Cyware Intel - Exchange to be successfully tagged. + 2. **Entity Retrieval**: Retrieves all target entities (IOCs) from the current + SOAR case. - - If an entity is not found in Cyware, it will be skipped, and the action will - report the invalid IOCs in the output message. + 3. **Tag Resolution**: Fetches existing tags from Cyware Intel Exchange to map + tag names to their respective IDs. + + 4. **Operation Execution**: + * **If "Add Tag"**: Looks up IOC IDs for the provided entities. If any tags + are missing in Cyware, it creates them. Finally, it performs a bulk update to + add the tags to the identified IOCs. + * **If "Remove Tag"**: Looks up IOC IDs for the provided entities and performs + a bulk update to remove the specified tags from the identified IOCs. + 5. **Result Reporting**: Returns the operation status and details via the script + result JSON. capabilities: can_create_case_comments: false can_create_insight: false @@ -900,13 +978,22 @@ Manage Tags in IOCs: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Adds or removes tags associated with indicators in Cyware Intel Exchange. Additionally, - if the 'Add Tag' operation is used with tag names that do not exist, the action - creates those new tags in the external system. + The action adds or removes tags from IOCs in the Cyware Intel Exchange platform + and may create new tags if they do not exist. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches data (tag lists and IOC lookups) from the Cyware Intel Exchange + API. It performs external mutations by adding, removing, or creating tags in + the Cyware platform. It does not modify internal SOAR case data (e.g., updating + entity fields or adding case comments), nor does it update alert status. categories: enrichment: false + reasoning: >- + The action is not an enrichment action because it performs mutations on an external + system (Cyware Intel Exchange) by adding/removing tags. It does not meet the + criteria for an enrichment action, which must be read-only regarding external + systems. entity_usage: entity_types: - ADDRESS @@ -957,10 +1044,14 @@ Manage Tags in IOCs: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action retrieves all target entities from the case using `get_entities` + and attempts to look them up in Cyware. It does not filter by specific entity + types in the code, so it is considered to support all entity types. Mark IOCs False Positive: action_product_categories: add_alert_comment: false - add_ioc_to_allowlist: false + add_ioc_to_allowlist: true add_ioc_to_blocklist: false contain_host: false create_ticket: false @@ -972,6 +1063,12 @@ Mark IOCs False Positive: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action modifies the status of an indicator in an external threat intelligence + platform (Cyware) to 'false positive'. This aligns with the 'Add IOC To Allowlist' + category, as marking an indicator as a false positive is a standard method to + prevent future alerts on that indicator. It does not perform enrichment, containment, + or ticket creation. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -987,48 +1084,45 @@ Mark IOCs False Positive: update_identity: false update_ticket: false ai_description: >- - Marks multiple Indicator of Compromise (IOC) entities as false positives within - the Cyware Intel Exchange (CTIX) platform. This action facilitates the management - of threat intelligence by allowing analysts to bulk-update the status of indicators - that have been determined to be non-threatening. The process involves an initial - lookup to map entity identifiers to their internal Cyware IDs before applying - the false positive status. - + ### General Description - ### Flow Description: + This action marks specified indicators (IOCs) as false positives within the Cyware + Intel Exchange platform. By identifying indicators that have been incorrectly + flagged, this action helps maintain the accuracy of threat intelligence data. - 1. **Entity Retrieval:** The action identifies all target entities associated - with the current case. - 2. **ID Resolution:** It performs a bulk lookup in Cyware CTIX to retrieve the - internal object IDs for the provided entity identifiers. + ### Flow Description - 3. **Validation:** The action identifies which indicators exist in the CTIX platform; - any indicators not found are logged and skipped. + 1. **Configuration Retrieval**: The action retrieves the necessary integration + parameters (Base URL, Access ID, Secret Key) from the Cyware Intel Exchange integration + configuration. - 4. **Status Update:** A bulk request is sent to the Cyware API to mark the validated - indicator IDs as false positives. + 2. **Entity Retrieval**: The action retrieves all target entities attached to + the current case. - 5. **Result Reporting:** The action returns the API response and provides a summary - message indicating the number of successfully updated indicators. + 3. **IOC Lookup**: The action performs a bulk lookup in the Cyware Intel Exchange + platform to map the entity values to their corresponding internal object IDs. + 4. **Filtering**: The action filters out any indicators that were not found in + the Cyware platform. - ### Parameters Description: + 5. **Mutation**: The action sends a bulk request to Cyware to mark the identified, + valid indicators as false positives. - | Parameter | Type | Mandatory | Description | + 6. **Result Reporting**: The action returns the operation status and result details, + including the number of indicators successfully marked. - | :--- | :--- | :--- | :--- | - | N/A | N/A | N/A | This action does not require any input parameters. | + ### Parameters Description + There are no specific action parameters required for this action. It relies on + the integration configuration and the entities attached to the case. - ### Additional Notes: - - Indicators that do not exist in the Cyware Intel Exchange environment will be - skipped during the execution. + ### Additional Notes - - This action does not modify internal Google SecOps entity attributes or create - insights; it focuses solely on updating the state in the external Cyware platform. + This action performs a mutation on an external system (Cyware Intel Exchange). + It does not modify internal Google SecOps data. capabilities: can_create_case_comments: false can_create_insight: false @@ -1037,13 +1131,20 @@ Mark IOCs False Positive: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the 'is_false_positive' status of indicators in the Cyware Intel Exchange - (CTIX) platform via a bulk POST request to the /ingestion/threat-data/bulk-action/false_positive/ - endpoint. + Marks indicators as false positive in the Cyware Intel Exchange platform. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches data from Cyware Intel Exchange to lookup IOC IDs (fetches_data=true). + It then performs a POST request to mark these indicators as false positives + in the external system (can_mutate_external_data=true). It does not modify internal + SOAR data, update entities, create insights, or modify alert data. categories: enrichment: false + reasoning: >- + The action mutates external data (marks indicators as false positive in Cyware), + which violates the 'External State Preservation' rule for enrichment actions. + Therefore, it is not an enrichment action. entity_usage: entity_types: - ADDRESS @@ -1094,6 +1195,11 @@ Mark IOCs False Positive: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action retrieves all target entities from the case using `get_entities(siemplify)`. + It does not filter by specific entity types in the code, meaning it attempts + to process any entity provided. Therefore, it supports all available entity + types. Ping: action_product_categories: add_alert_comment: false @@ -1109,6 +1215,9 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test ("Ping") and does not perform any of the defined + product category operations (e.g., enrichment, containment, ticketing). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1123,30 +1232,47 @@ Ping: update_email: false update_identity: false update_ticket: false - ai_description: "### General Description\nThe **Ping** action is a diagnostic tool\ - \ used to verify the connectivity between the Google SecOps environment and the\ - \ Cyware Intel Exchange (CTIX) instance. It ensures that the integration's configuration\ - \ parameters\u2014such as the Base URL, Access ID, and Secret Key\u2014are valid\ - \ and that the network path to the Cyware server is open.\n\n### Parameters Description\n\ - There are no action-specific parameters for this action. It relies entirely on\ - \ the global integration configuration settings:\n* **Base URL**: The root URL\ - \ of the Cyware CTIX tenant.\n* **Access ID**: The API Access ID used for authentication.\n\ - * **Secret Key**: The API Secret Key used for signing requests.\n* **Verify\ - \ SSL**: A boolean flag to determine if SSL certificates should be validated.\n\ - \n### Additional Notes\n* This action does not process any entities or modify\ - \ any data within Google SecOps or Cyware.\n* It is primarily used during the\ - \ initial setup of the integration or for troubleshooting communication issues.\n\ - \n### Flow Description\n1. **Parameter Initialization**: The action retrieves\ - \ the global integration configuration (Base URL, Access ID, Secret Key, and SSL\ - \ verification setting).\n2. **API Manager Setup**: An instance of the `APIManager`\ - \ is initialized using the retrieved credentials.\n3. **Connectivity Test**:\ - \ The action calls the `test_connectivity` method, which performs an authenticated\ - \ HTTP GET request to the `/ping/` endpoint of the Cyware API.\n4. **Result Handling**:\ - \ \n * If the server responds successfully (HTTP 200), the action returns\ - \ a success message and sets the result value to `True`.\n * If the request\ - \ fails (e.g., due to invalid credentials, timeout, or network errors), an exception\ - \ is caught, an error message is logged, and the action execution state is set\ - \ to `Failed`." + ai_description: >- + ### General Description + + This action verifies connectivity to the Cyware Intel Exchange server by sending + a ping request. It ensures that the integration is correctly configured and that + the SOAR platform can communicate with the Cyware API. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Base URL | String | Yes | The URL of the Cyware CTIX tenant. | + + | Access ID | String | Yes | The Access ID for API authentication. | + + | Secret Key | String | Yes | The Secret Key for API authentication. | + + | Verify SSL | Boolean | No | Whether to verify the SSL certificate. Defaults + to False. | + + + ### Flow Description + + 1. Extracts integration configuration parameters (Base URL, Access ID, Secret + Key, Verify SSL). + + 2. Initializes the API manager with the provided credentials. + + 3. Sends a GET request to the `/ping/` endpoint of the Cyware server. + + 4. Returns a success message if the connection is established, or an error message + if the connection fails. + + + ### Additional Notes + + This action is a connectivity test and does not perform any data retrieval or + modification. capabilities: can_create_case_comments: false can_create_insight: false @@ -1157,8 +1283,15 @@ Ping: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the `/ping/` endpoint to verify connectivity. + It does not modify external or internal data, nor does it fetch contextual data + about alerts or entities. categories: enrichment: false + reasoning: >- + The action is a connectivity test ("Ping"). Per the instructions, Ping actions + are not enrichment actions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1174,6 +1307,8 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with entities, as it is a connectivity test. Remove IOCs from Allowed list: action_product_categories: add_alert_comment: false @@ -1189,6 +1324,9 @@ Remove IOCs from Allowed list: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action removes indicators from an allowlist in an external system (Cyware + Intel Exchange). This directly matches the 'Remove IOC From Allowlist' category. remove_ioc_from_allowlist: true remove_ioc_from_blocklist: false reset_identity_password: false @@ -1206,43 +1344,49 @@ Remove IOCs from Allowed list: ai_description: >- ### General Description - Removes Indicators of Compromise (IOCs) from the Cyware Intel Exchange allowed - list (un-whitelisting). This action identifies the internal Cyware IDs for the - provided entities and performs a bulk un-whitelist operation to restore standard - monitoring for these indicators. + This action removes specified Indicators of Compromise (IOCs) from the allowlist + within the Cyware Intel Exchange platform. It is designed to manage indicator + status by un-whitelisting entities that were previously allowed. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | None | N/A | N/A | No parameters are required for this action. | + | Base URL | string | Yes | The base URL of the Cyware CTIX tenant. | + | Access ID | string | Yes | The Access ID for API authentication. | - ### Additional Notes + | Secret Key | string | Yes | The Secret Key for API authentication. | - - This action performs a bulk operation on all target entities. + | Verify SSL | boolean | No | Whether to verify the SSL certificate. Defaults + to False. | - - Only indicators that already exist in Cyware Intel Exchange can be removed from - the allowed list. - - Indicators not found in Cyware will be skipped without failing the action. + ### Additional Notes + + This action requires valid API credentials for the Cyware Intel Exchange integration. + It performs a bulk lookup to map entity identifiers to internal Cyware IDs before + attempting the removal. ### Flow Description - 1. **Initialization**: Retrieve integration settings and target entities. + 1. Retrieve integration configuration parameters (Base URL, Access ID, Secret + Key, Verify SSL). + + 2. Identify target entities from the current case. - 2. **ID Resolution**: Perform a bulk lookup in Cyware to find internal IDs for - the entities. + 3. Perform a bulk lookup in Cyware Intel Exchange to map the entity identifiers + to internal indicator IDs. - 3. **Filtering**: Identify valid indicators and skip those not found in the system. + 4. Filter out any indicators that were not found in the system. - 4. **Execution**: Send a POST request to the Cyware bulk un-whitelist endpoint. + 5. Send a request to remove the valid indicators from the allowlist. - 5. **Completion**: Return the API response and set the action status. + 6. Return the operation result and status to the user. capabilities: can_create_case_comments: false can_create_insight: false @@ -1251,49 +1395,27 @@ Remove IOCs from Allowed list: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Removes specified indicators from the allowed list (un-whitelists them) in Cyware - Intel Exchange. + Removes indicators from the allowlist in the Cyware Intel Exchange platform. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches data (bulk lookup of IOCs) and mutates external data (removes + IOCs from the allowlist in Cyware). It does not mutate internal SOAR data (no + entity updates, insights, or case comments are created). categories: enrichment: false + reasoning: >- + The action is a mutation action (removes from allowlist) and does not meet the + criteria for an enrichment action, which must be read-only regarding external + systems. entity_usage: entity_types: - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE + - DESTINATIONDOMAIN - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE + - FILEHASH - DestinationURL - - USB - - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1307,3 +1429,7 @@ Remove IOCs from Allowed list: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action retrieves all target entities from the case and attempts to look + them up in Cyware. It does not filter by specific entity attributes within the + code, so it supports all relevant IOC entity types. diff --git a/content/response_integrations/third_party/partner/cyware_intel_exchange/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/cyware_intel_exchange/resources/ai/integration_ai_description.yaml index 4788aca80..b02f191af 100644 --- a/content/response_integrations/third_party/partner/cyware_intel_exchange/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/partner/cyware_intel_exchange/resources/ai/integration_ai_description.yaml @@ -5,8 +5,21 @@ product_categories: edr: false email_security: false iam_and_identity_management: false - itsm: true + itsm: false network_security: false + reasoning: >- + The cyware_intel_exchange integration is a Threat Intelligence Platform (TIP) + connector. Its primary capability is to enrich security alerts by retrieving threat + intelligence data (reputation, scores, tags) for indicators (IPs, Hashes, Domains) + using the 'Get IOC Details' action, which directly aligns with the Threat Intelligence + category. The integration also provides operational capabilities to manage threat + intelligence within the Cyware platform, such as adding/removing indicators from + allowlists, managing tags, creating intelligence records, and creating tasks for + indicators. It does not perform SIEM log analysis, EDR host containment, network + security blocking, email management, IAM operations, cloud resource management, + vulnerability scanning, asset inventory lookups, or collaboration/notification + tasks. While it creates 'tasks', these are specific to the Cyware platform and + do not constitute an ITSM ticketing workflow. siem: false threat_intelligence: true vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/darktrace/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/darktrace/resources/ai/actions_ai_description.yaml index 2ab907570..d9b584fd6 100644 --- a/content/response_integrations/third_party/partner/darktrace/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/darktrace/resources/ai/actions_ai_description.yaml @@ -13,6 +13,9 @@ Add Comment To Model Breach: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action appends a note to the activity timeline of an alert (model breach) + in the external Darktrace system. This aligns with the 'Add Alert Comment' category. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -28,38 +31,47 @@ Add Comment To Model Breach: update_identity: false update_ticket: false ai_description: >- - Adds a comment to a specific model breach in Darktrace. This action allows analysts - to document findings, provide context, or update the status of a breach directly - within the Darktrace platform from Google SecOps. It requires the unique identifier - of the model breach and the text of the comment to be added. + ### General Description + Adds a comment to a specific model breach in the Darktrace platform. This action + allows analysts to append notes or context directly to an existing model breach, + facilitating better documentation and collaboration within Darktrace. - ### Parameters - | Parameter | Type | Mandatory | Description | + ### Flow Description - | :--- | :--- | :--- | :--- | + 1. **Parameter Extraction**: The action extracts the required configuration parameters + (API Root, API Token, API Private Token, Verify SSL) and the action-specific parameters + (Model Breach ID, Comment). - | Model Breach ID | string | True | Specify the ID of the model breach to which - you want to add a comment. | + 2. **Manager Initialization**: Initializes the `DarktraceManager` with the provided + credentials to establish a connection to the Darktrace API. - | Comment | string | True | Specify the comment text for the model breach. | + 3. **Execution**: Sends a POST request to the Darktrace API endpoint `/modelbreaches/{model_breach_id}/comments` + with the provided comment message. + 4. **Result Handling**: Returns the result of the operation. If the model breach + is not found, it handles the `NotFoundException` and returns a failure status + with an appropriate error message. - ### Flow Description - 1. **Parameter Extraction**: The action retrieves the API configuration (Root, - Token, Private Token) and the action parameters (Model Breach ID and Comment). + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | - 2. **Manager Initialization**: Initializes the Darktrace Manager to handle authentication - and API communication. + | Model Breach ID | string | Yes | The unique identifier of the model breach in + Darktrace to which the comment will be added. | - 3. **API Interaction**: Executes a POST request to the Darktrace `/modelbreaches/{model_breach_id}/comments` - endpoint with the provided comment text. + | Comment | string | Yes | The text content of the comment to be added to the + model breach. | - 4. **Result Handling**: Captures the API response and adds it to the action's - JSON results. If the breach ID is not found, it reports a failure with a specific - error message. + + ### Additional Notes + + This action does not interact with Google SecOps entities directly; it operates + on a specific Model Breach ID provided as an input parameter. capabilities: can_create_case_comments: false can_create_insight: false @@ -68,12 +80,19 @@ Add Comment To Model Breach: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Adds a comment to a specific model breach record within the Darktrace platform - via a POST request. + Adds a comment to a model breach in the Darktrace platform. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to an external API (Darktrace) to add a comment + to a model breach. It does not fetch data, update entities, or modify internal + SOAR data. It does not create case comments within the SOAR platform. categories: enrichment: false + reasoning: >- + The action does not fetch data (not enrichment). It mutates external data (adds + a comment). It does not fit the criteria for enrichment as it does not retrieve + data. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -89,6 +108,9 @@ Add Comment To Model Breach: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `target_entities`. It uses a specific `Model + Breach ID` provided as a parameter. Enrich Entities: action_product_categories: add_alert_comment: false @@ -104,6 +126,10 @@ Enrich Entities: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves reputation, prevalence, and contextual metadata for indicators + (IOCs) and assets (devices/endpoints) from Darktrace. This aligns with both + 'Enrich IOC' and 'Enrich Asset' categories. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -118,30 +144,33 @@ Enrich Entities: update_email: false update_identity: false update_ticket: false - ai_description: "Enriches IP Address, Hostname, MacAddress, and URL entities using\ - \ information from Darktrace. This action retrieves detailed device metadata,\ - \ endpoint information, and optionally historical connection data to provide context\ - \ for security investigations.\n\n### Flow Description\n1. **Parameter Initialization:**\ - \ Extracts API configuration and action parameters, including connection data\ - \ fetching preferences and insight creation settings.\n2. **Entity Filtering:**\ - \ Identifies supported entities (IP, Hostname, MAC, and URL) from the target list.\n\ - 3. **Data Retrieval:** \n * For **IP/MAC** entities: Queries Darktrace for\ - \ specific device details.\n * For **Hostname** entities: Searches for the\ - \ device and retrieves details via MAC or IP.\n * For **URL** entities: Extracts\ - \ the domain and fetches endpoint details.\n4. **Connection Enrichment:** If enabled,\ - \ retrieves historical connection data for the identified internal endpoints based\ - \ on the specified lookback period.\n5. **SOAR Update:** Updates entity enrichment\ - \ fields, populates data tables (Interacted Devices, Connection Data), and creates\ - \ entity insights if configured.\n\n### Parameters Description\n| Parameter |\ - \ Type | Mandatory | Description |\n| --- | --- | --- | --- |\n| Fetch Connection\ - \ Data | Boolean | No | If enabled, the action retrieves additional information\ - \ about connections related to internal endpoints. Default is true. |\n| Max Hours\ - \ Backwards | String | No | Specifies the number of hours to look back when fetching\ - \ connection data. Default is 24. |\n| Create Endpoint Insight | Boolean | No\ - \ | If enabled, creates a SOAR insight containing summary information about the\ - \ Darktrace internal endpoint. Default is true. |\n\n### Additional Notes\n* For\ - \ URL entities, the action automatically extracts the domain part for querying.\n\ - * If 'Max Hours Backwards' is set to less than 1, it defaults to 24 hours." + ai_description: "Enriches entities (IP, Hostname, MacAddress, URL) using information\ + \ from Darktrace. This action retrieves device and endpoint details from Darktrace\ + \ and optionally fetches connection data for internal endpoints. It updates the\ + \ entity's profile with enrichment data, generates insights, and attaches data\ + \ tables to the case for further analysis.\n\n### Flow Description\n1. **Parameter\ + \ Extraction**: The action extracts configuration parameters (API Root, Token,\ + \ SSL verification) and action-specific parameters (Fetch Connection Data, Max\ + \ Hours Backwards, Create Endpoint Insight).\n2. **Entity Filtering**: It iterates\ + \ through the target entities, filtering for supported types: ADDRESS, HOSTNAME,\ + \ MACADDRESS, and URL.\n3. **Data Retrieval**: For each entity, it queries the\ + \ Darktrace API to retrieve device or endpoint details based on the entity type.\n\ + 4. **Optional Connection Data**: If 'Fetch Connection Data' is enabled, it retrieves\ + \ additional connection history for the identified device.\n5. **Enrichment &\ + \ Reporting**: \n - Updates the entity's additional properties with the retrieved\ + \ data.\n - Marks the entity as enriched.\n - Adds a data table containing\ + \ device/endpoint details to the case.\n - Optionally creates an entity insight\ + \ if 'Create Endpoint Insight' is enabled.\n - Adds a data table for connection\ + \ data if retrieved.\n - Updates the entities in the case and returns a JSON\ + \ result summary.\n\n### Parameters\n| Parameter | Type | Mandatory | Description\ + \ |\n| :--- | :--- | :--- | :--- |\n| Fetch Connection Data | boolean | No | If\ + \ enabled, the action fetches connection data related to the internal endpoints\ + \ from Darktrace. |\n| Max Hours Backwards | string | No | Specifies the time\ + \ range (in hours) for fetching connection data. Default is 24. |\n| Create Endpoint\ + \ Insight | boolean | No | If enabled, creates an insight containing information\ + \ about the internal endpoints. |\n\n### Additional Notes\n- The action automatically\ + \ handles domain extraction from URL entities.\n- If no entities are successfully\ + \ enriched, the action returns a failure status." capabilities: can_create_case_comments: false can_create_insight: true @@ -152,10 +181,22 @@ Enrich Entities: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity enrichment attributes and creates entity insights within the - SOAR case. + Updates entity additional properties, adds entity insights, and adds data tables + to the case. + reasoning: >- + The action fetches data from the Darktrace API (fetches_data=true). It does + not perform any write operations to external systems (can_mutate_external_data=false). + It performs internal mutations by updating entity properties, adding insights, + and adding data tables to the case (can_mutate_internal_data=true). It specifically + uses SDK methods to update entities and create insights. categories: enrichment: true + reasoning: >- + The action is designed to fetch contextual information about entities from an + external source (Darktrace) and enrich the entity profile within the SOAR platform. + It does not mutate external systems and only performs allowed internal mutations + (updating entities, creating insights). Therefore, it qualifies as an enrichment + action. entity_usage: entity_types: - ADDRESS @@ -175,6 +216,9 @@ Enrich Entities: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over `siemplify.target_entities` and filters them based + on the `SUPPORTED_ENTITY_TYPES` list (ADDRESS, HOSTNAME, MACADDRESS, URL). Execute Custom Search: action_product_categories: add_alert_comment: false @@ -190,6 +234,10 @@ Execute Custom Search: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action executes a custom search query and returns the results. This directly + matches the 'Search Events' category, which is defined as returning a collection + of historical logs or telemetry data matching specific search parameters. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -205,62 +253,55 @@ Execute Custom Search: update_identity: false update_ticket: false ai_description: >- - Executes a custom search query in Darktrace to retrieve specific event or telemetry - data. This action allows analysts to perform advanced hunting or data retrieval - by providing a raw Darktrace query and defining a specific time window. The results - are returned as a JSON object containing the hits found in the Darktrace environment. + Executes a custom search query against the Darktrace platform to retrieve historical + data or telemetry. This action allows analysts to perform ad-hoc investigations + by querying Darktrace's advanced search API. ### Flow Description - 1. **Parameter Extraction**: The action retrieves the API configuration and user-provided - parameters, including the search query, timeframe, and result limit. + 1. **Parameter Extraction**: The action retrieves the necessary API credentials + (API Root, Token, Private Token) and action parameters (Query, Time Frame, Start/End + Time, Max Results). - 2. **Timeframe Calculation**: It determines the start and end timestamps for the - search. This can be based on predefined relative ranges (e.g., 'Last Hour'), times - relative to the current alert (e.g., '5 Minutes Around Alert Time'), or a specific - custom ISO 8601 range. + 2. **Time Calculation**: It determines the search time range. If a specific time + frame is provided, it calculates the start and end timestamps. If the time frame + is relative to the alert (e.g., '30 Minutes Around Alert Time'), it uses the current + alert's start and end times. - 3. **Request Preparation**: The search query and timeframe parameters are bundled - into a JSON payload, which is then Base64 encoded to meet the requirements of - the Darktrace Advanced Search API. + 3. **Search Execution**: It constructs a base64-encoded query and executes a GET + request to the Darktrace `/advancedsearch/api/search/` endpoint. - 4. **API Execution**: A GET request is sent to the Darktrace `advanced_search` - endpoint using the encoded query. + 4. **Result Output**: The retrieved search results are parsed and added to the + action's result JSON, making them available for the analyst to review. - 5. **Result Processing**: The action parses the API response, converts the hits - into a structured format, and attaches them to the action results in Google SecOps. - - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Query | string | Yes | The specific Darktrace query string to be executed. | + | Query | String | Yes | The search query to execute in Darktrace. | - | Time Frame | ddl | No | Predefined time ranges for the search. Options include - 'Last Hour', 'Last 24 Hours', 'Alert Time Till Now', '30 Minutes Around Alert - Time', etc. Defaults to 'Last Hour'. | + | Time Frame | DDL | No | The time range for the search (e.g., 'Last Hour', 'Last + 24 Hours', 'Custom'). Defaults to 'Last Hour'. | - | Start Time | string | No | The start time for the search in ISO 8601 format. - Mandatory only if 'Time Frame' is set to 'Custom'. | + | Start Time | String | No | The start time in ISO 8601 format. Mandatory if 'Time + Frame' is set to 'Custom'. | - | End Time | string | No | The end time for the search in ISO 8601 format. If - 'Custom' is selected and this is empty, the current time is used. | + | End Time | String | No | The end time in ISO 8601 format. Defaults to current + time if not provided. | - | Max Results To Return | string | No | Limits the number of search results returned. + | Max Results To Return | String | No | The maximum number of results to return. Defaults to 50. | ### Additional Notes - - If 'Custom' is selected for the 'Time Frame', the 'Start Time' parameter must - be provided, otherwise the action will fail. - - - The action uses the alert's internal start and end times when relative alert-based - timeframes are selected. + If 'Custom' is selected for the 'Time Frame' parameter, the 'Start Time' parameter + must be provided. The action utilizes the current alert's context (start/end time) + if the selected time frame is relative to the alert. capabilities: can_create_case_comments: false can_create_insight: false @@ -271,8 +312,18 @@ Execute Custom Search: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Darktrace API to retrieve search results + based on a user-provided query. It does not modify any external systems (no + POST/PUT/DELETE operations that change state). It does not modify internal Google + SecOps data (no entity updates, insights, or case comments). It only outputs + the retrieved data to the action result. categories: - enrichment: false + enrichment: true + reasoning: >- + The action is designed to fetch contextual data (search results) from an external + system (Darktrace). It does not mutate external systems, nor does it modify + internal Google SecOps data. Therefore, it qualifies as an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -288,6 +339,10 @@ Execute Custom Search: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or process `target_entities`. It operates based + on the alert's time context and user-provided query parameters, not on specific + entity objects. List Endpoint Events: action_product_categories: add_alert_comment: false @@ -299,10 +354,15 @@ List Endpoint Events: disable_identity: false download_file: false enable_identity: false - enrich_asset: false - enrich_ioc: false + enrich_asset: true + enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves event logs for specific endpoints (IPs, Hostnames, MACs) + from Darktrace. This provides context about the asset's behavior, matching 'Enrich + Asset' and 'Enrich IOC'. It also returns a collection of historical logs, matching + 'Search Events'. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -318,29 +378,29 @@ List Endpoint Events: update_identity: false update_ticket: false ai_description: >- - Retrieves historical event logs for specific endpoint entities (IP, Hostname, - or MacAddress) from Darktrace. This action allows analysts to query various event - types such as connections, unusual connections, and model breaches within a defined - timeframe. The retrieved data is presented as formatted data tables on the case - wall and as a raw JSON result for further automation. + ### General Description + + Lists endpoint events from Darktrace for specified entities (IP, Hostname, or + MacAddress). This action retrieves historical event data such as connections, + unusual connections, and model breaches to provide context for security investigations. ### Flow Description - 1. **Parameter Validation:** The action validates the provided event types and - ensures the 'Max Events To Return' is a positive integer. It also calculates the - start and end timestamps based on the 'Time Frame' selection. + 1. **Initialization**: Extracts configuration parameters (API root, tokens) and + action parameters (Event Type, Time Frame, etc.). - 2. **Device Identification:** For each supported entity, the action queries Darktrace - to find the corresponding internal Device ID (`did`). + 2. **Filtering**: Identifies and filters target entities from the case that match + supported types (IP, Hostname, MacAddress). - 3. **Event Retrieval:** If a device is found, the action iterates through the - requested event types and fetches the latest events for that specific device within - the timeframe. + 3. **Device Search**: For each valid entity, queries the Darktrace API to locate + the corresponding device. - 4. **Data Presentation:** Successfully retrieved events are converted into CSV-formatted - data tables and attached to the case. A comprehensive JSON object containing all - events is also returned. + 4. **Event Retrieval**: If the device is found, fetches the requested event types + within the specified time frame. + + 5. **Reporting**: Adds the retrieved event data to the action results as data + tables and a JSON result object. ### Parameters Description @@ -349,42 +409,48 @@ List Endpoint Events: | :--- | :--- | :--- | :--- | - | Event Type | String | Yes | A comma-separated list of event types to retrieve - (e.g., connection, unusualconnection, notice, devicehistory, modelbreach). | + | Event Type | string | Yes | Comma-separated list of event types to return (e.g., + connection, unusualconnection, notice). | - | Time Frame | DDL | Yes | The time range for the search (e.g., Last Hour, Last - 24 Hours). If 'Custom' is selected, 'Start Time' must be provided. | + | Time Frame | ddl | Yes | Time range for the search (e.g., Last Hour, Last 6 + Hours, Custom). | - | Start Time | String | No | The start time for the search in ISO 8601 format. - Mandatory only if 'Time Frame' is set to 'Custom'. | + | Start Time | string | No | ISO 8601 start time. Mandatory if "Custom" is selected + for Time Frame. | - | End Time | String | No | The end time for the search in ISO 8601 format. Defaults - to the current time if left empty. | + | End Time | string | No | ISO 8601 end time. Defaults to current time if not + provided. | - | Max Events To Return | String | No | The maximum number of events to return - per event type. Defaults to 50. | + | Max Events To Return | string | No | Maximum number of events to return per + event type. Default is 50. | ### Additional Notes - - Events are returned in the UTC timezone. - - - If 'Custom' is selected for 'Time Frame', the 'Start Time' parameter becomes - effectively mandatory for the action to succeed. + If "Custom" is selected for the "Time Frame" parameter, the "Start Time" parameter + must be provided. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: >- - The action adds data tables to the SOAR case wall containing the retrieved endpoint - events. + internal_data_mutation_explanation: null + reasoning: >- + The action performs GET requests to the Darktrace API to retrieve event data + for specific endpoints. It does not perform any POST/PUT/DELETE operations on + external systems, nor does it modify internal Google SecOps data (e.g., it does + not update entities, create insights, or modify case data). It only outputs + data to the action result. categories: - enrichment: false + enrichment: true + reasoning: >- + The action is designed to fetch supplemental context (events) for entities. + It does not mutate external systems or modify internal Google SecOps data (it + only outputs results). Therefore, it qualifies as an enrichment action. entity_usage: entity_types: - ADDRESS @@ -403,6 +469,10 @@ List Endpoint Events: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and filters them based on + whether their type is in the `SUPPORTED_ENTITY_TYPES` list (ADDRESS, HOSTNAME, + MACADDRESS). List Similar Devices: action_product_categories: add_alert_comment: false @@ -418,6 +488,11 @@ List Similar Devices: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves contextual metadata about devices (similar devices) from + Darktrace, which aligns with 'Enrich Asset'. It also performs a search for the + device within the product to get its ID, which aligns with 'Search Asset'. It + does not modify external systems or alert data. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -432,41 +507,72 @@ List Similar Devices: update_email: false update_identity: false update_ticket: false - ai_description: "Retrieves a list of devices from Darktrace that exhibit similar\ - \ behavioral patterns to the target entities (IP Address, Hostname, or MAC Address).\ - \ This action helps analysts identify related assets or potential lateral movement\ - \ by leveraging Darktrace's similarity analysis. \n\n### Flow Description\n1.\ - \ **Initialization**: Validates configuration parameters (API Root, Tokens) and\ - \ establishes a connection to the Darktrace API.\n2. **Entity Filtering**: Identifies\ - \ supported entities within the case, specifically IP Addresses, Hostnames, and\ - \ MAC Addresses.\n3. **Device Identification**: For each supported entity, the\ - \ action queries Darktrace to find the corresponding internal Device ID (DID).\n\ - 4. **Similarity Query**: Uses the retrieved DID to fetch a list of similar devices,\ - \ respecting the 'Max Devices To Return' limit.\n5. **Data Enrichment**: Populates\ - \ an entity-level data table with details of the similar devices, including their\ - \ IP, MAC, OS, Hostname, and seen timestamps.\n6. **Finalization**: Aggregates\ - \ the results into a JSON object and provides a summary message of successful\ - \ and failed entity processing.\n\n### Parameters Description\n| Parameter | Type\ - \ | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Max Devices To\ - \ Return | Integer | No | Specifies the maximum number of similar devices to retrieve\ - \ for each entity. Default is 50. The value must be greater than 0. |\n\n### Additional\ - \ Notes\n- The action will fail if 'Max Devices To Return' is set to 0 or a negative\ - \ number.\n- If a device cannot be found in Darktrace for a given entity identifier,\ - \ that entity will be marked as failed." + ai_description: >- + ### General Description + + This action retrieves a list of similar devices for a given endpoint (IP, Hostname, + or MAC Address) from the Darktrace platform. It helps security analysts identify + related assets or potential lateral movement by querying Darktrace's device database. + + + ### Flow Description + + 1. **Initialization**: The action extracts necessary API credentials (API Root, + Token, Private Token) and the `Max Devices To Return` parameter. + + 2. **Filtering**: It filters the provided `target_entities` to include only supported + types: `ADDRESS`, `HOSTNAME`, and `MacAddress`. + + 3. **Device Search**: For each valid entity, the action queries Darktrace to find + the corresponding device ID (`did`). + + 4. **Retrieval**: If the device is found, it requests a list of similar devices + from Darktrace, limited by the `Max Devices To Return` parameter. + + 5. **Output**: The action adds a table of similar devices to the entity's context + and includes the full results in the action's JSON output. + + + ### Parameters + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Max Devices To Return | integer | No | Specifies the maximum number of similar + devices to return per entity. Defaults to 50. | + + + ### Additional Notes + + - The action requires valid Darktrace API credentials to be configured in the + integration settings. + + - If no similar devices are found for an entity, the action will report it as + a failure for that specific entity. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: >- - Adds a data table to each processed entity containing details of similar devices - found in Darktrace. + internal_data_mutation_explanation: null + reasoning: >- + The action performs GET requests to the Darktrace API to search for devices + and retrieve similar device information. It does not perform any POST/PUT/DELETE + operations on external systems (no external mutation). It adds result tables + and JSON to the SOAR action output, which is standard for enrichment actions + and does not constitute internal data mutation (modifying existing case data). categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches contextual data (similar devices) from an external system + (Darktrace) to enrich the investigation. It does not mutate external systems, + nor does it modify existing internal SOAR data (like alert status or case fields). + It meets all criteria for an enrichment action. entity_usage: entity_types: - ADDRESS @@ -485,6 +591,10 @@ List Similar Devices: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code explicitly filters `siemplify.target_entities` using `SUPPORTED_ENTITY_TYPES`, + which includes `ADDRESS`, `HOSTNAME`, and `MACADDRESS`. It iterates over these + entities to perform lookups. Ping: action_product_categories: add_alert_comment: false @@ -500,6 +610,9 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test (Ping) and does not perform any of the defined + functional operations like enriching IOCs, updating tickets, or containing hosts. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -515,51 +628,40 @@ Ping: update_identity: false update_ticket: false ai_description: >- - Tests the connectivity between Google SecOps and the Darktrace server using the - provided integration configuration parameters. This action is primarily used to - verify that the API Root, API Token, and API Private Token are correct and that - the network path to the Darktrace instance is open. + Tests connectivity to the Darktrace server using the provided API credentials. + This action performs a GET request to the status endpoint to verify that the integration + is correctly configured and the server is reachable. - ### Flow Description: + ### Flow Description - 1. **Parameter Extraction:** Retrieves the integration's global configuration - parameters, including the API Root, API Token, API Private Token, and SSL verification - settings. + 1. The action extracts the API Root, API Token, API Private Token, and SSL verification + settings from the integration configuration. - 2. **Manager Initialization:** Initializes the Darktrace API manager with the - extracted credentials and settings. + 2. It initializes the `DarktraceManager` with these credentials. - 3. **Connectivity Test:** Executes a GET request to the Darktrace `/status` endpoint - to verify the validity of the credentials and the reachability of the server. + 3. It calls the `test_connectivity` method, which sends a GET request to the Darktrace + `/status` endpoint. - 4. **Result Reporting:** Returns a success message if the server responds correctly, - or an error message detailing the failure if the connection cannot be established. + 4. If the request is successful, the action returns a success message. If the + request fails, it catches the exception and returns a failure message. - ### Parameters Description: + ### Parameters - | Parameter Name | Type | Mandatory | Description | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | API Root | String | Yes | The base URL of the Darktrace API instance. | + | API Root | string | Yes | The base URL for the Darktrace API. | - | API Token | String | Yes | The public API token for authentication. | + | API Token | string | Yes | The API token for authentication. | - | API Private Token | String | Yes | The private API token used for generating - request signatures. | + | API Private Token | string | Yes | The private API token for signature generation. + | - | Verify SSL | Boolean | No | If enabled, the action will verify the SSL certificate - of the Darktrace server. Defaults to True. | - - - ### Additional Notes: - - * This action does not require any input entities and does not modify any data - within Darktrace or Google SecOps. - - * It is intended for troubleshooting and initial setup verification. + | Verify SSL | boolean | No | Whether to verify the SSL certificate of the API + root. | capabilities: can_create_case_comments: false can_create_insight: false @@ -570,8 +672,15 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Darktrace status endpoint to verify + connectivity. It does not mutate external or internal data, nor does it update + entities or create insights. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action, which is explicitly excluded from being an enrichment + action per the instructions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -587,6 +696,8 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. Update Model Breach Status: action_product_categories: add_alert_comment: false @@ -602,6 +713,10 @@ Update Model Breach Status: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action updates the status of a model breach in Darktrace. This aligns with + the 'Update Alert' category as it changes the status of an alert-like object + (model breach). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -617,24 +732,32 @@ Update Model Breach Status: update_identity: false update_ticket: false ai_description: >- - Updates the status of a specific model breach in Darktrace to either 'Acknowledged' - or 'Unacknowledged'. This action allows analysts to manage the lifecycle of Darktrace - detections directly from the SOAR platform. + ### General Description + + Updates the status of a model breach in the Darktrace platform. This action allows + analysts to acknowledge or unacknowledge specific model breaches, ensuring that + the status in Darktrace reflects the current investigation state. ### Flow Description - 1. **Fetch Current Status**: The action first retrieves the current state of the - specified model breach from Darktrace to verify its existence and current acknowledgment - status. + 1. **Initialization**: Extracts configuration parameters (API Root, Token, Private + Token, SSL verification) and action parameters (Status, Model Breach ID). - 2. **Status Comparison**: It compares the requested status with the current status. - If the breach is already in the desired state, the action completes successfully - without making further API calls. + 2. **Validation**: Initializes the `DarktraceManager` to interact with the Darktrace + API. - 3. **Update Execution**: If a change is required, the action sends a POST request - to the Darktrace API to either acknowledge or unacknowledge the breach based on - the input parameter. + 3. **Fetch**: Retrieves the current details of the specified model breach to verify + its existence and current status. + + 4. **Check**: Compares the requested status with the current status. If the breach + is already in the desired state, the action terminates with a success message. + + 5. **Update**: If the status differs, performs a POST request to either acknowledge + or unacknowledge the model breach in Darktrace. + + 6. **Completion**: Returns a success message indicating the status update or an + error message if the operation fails. ### Parameters Description @@ -643,19 +766,17 @@ Update Model Breach Status: | :--- | :--- | :--- | :--- | - | Status | DDL | Yes | The target status to set for the model breach. Options - are 'Acknowledged' or 'Unacknowledged'. | + | Status | ddl | Yes | The status to set for the model breach. Options: 'Acknowledged', + 'Unacknowledged'. | - | Model Breach ID | String | Yes | The unique identifier of the model breach in - Darktrace that needs to be updated. | + | Model Breach ID | string | Yes | The unique identifier of the model breach to + update. | ### Additional Notes - - This action performs a state change in the external Darktrace system. - - - If the provided Model Breach ID is not found in Darktrace, the action will fail - with a 'Not Found' error. + This action performs a state change in the external Darktrace system. It does + not modify any entities or data within the Google SecOps platform. capabilities: can_create_case_comments: false can_create_insight: false @@ -664,12 +785,20 @@ Update Model Breach Status: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the acknowledgment status of a model breach in the Darktrace console - via POST requests to the /acknowledge or /unacknowledge endpoints. + Updates the status of a model breach (Acknowledged/Unacknowledged) in the Darktrace + platform. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches data (GET) to verify the current status of the model breach + and performs a mutation (POST) to update the status in the external Darktrace + system. It does not modify internal SecOps data, entities, or insights. categories: enrichment: false + reasoning: >- + The action performs a mutation on an external system (Darktrace), which violates + the 'External State Preservation' rule for enrichment actions. Therefore, it + is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -685,3 +814,7 @@ Update Model Breach Status: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or process `target_entities`. It relies on + the 'Model Breach ID' parameter provided by the user to identify the target + object in Darktrace. diff --git a/content/response_integrations/third_party/partner/darktrace/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/partner/darktrace/resources/ai/connectors_ai_description.yaml index ddbb01a5e..99cf639f9 100644 --- a/content/response_integrations/third_party/partner/darktrace/resources/ai/connectors_ai_description.yaml +++ b/content/response_integrations/third_party/partner/darktrace/resources/ai/connectors_ai_description.yaml @@ -1,101 +1,171 @@ Darktrace - AI Incident Events Connector: - ai_description: "### General Description\nThe Darktrace - AI Incident Events Connector\ - \ integrates Google SecOps with Darktrace's AI Analyst to ingest high-fidelity\ - \ security incidents. Unlike standard model breaches, AI Analyst incidents provide\ - \ a synthesized view of related events, offering a narrative summary of detected\ - \ threats. This connector allows security teams to automate the ingestion of these\ - \ machine-learning-driven insights, ensuring that complex attack patterns identified\ - \ by Darktrace are immediately available for orchestration and response.\n\n###\ - \ Parameters Description\n| Parameter | Type | Mandatory | Description |\n| :---\ - \ | :--- | :--- | :--- |\n| DeviceProductField | String | Yes | The source field\ - \ name used to retrieve the Product Field name (default: Product Name). |\n| EventClassId\ - \ | String | Yes | The source field name used to retrieve the Event Field name\ - \ (default: data_type). |\n| Environment Field Name | String | No | The field\ - \ name where the environment name is stored for multi-tenant support. |\n| Environment\ - \ Regex Pattern | String | No | A regex pattern to extract or manipulate the environment\ - \ value. |\n| PythonProcessTimeout | Integer | Yes | The timeout limit in seconds\ - \ for the connector execution. |\n| API Root | String | Yes | The API root URL\ - \ of the Darktrace instance (e.g., https://darktrace-instance.com). |\n| API Token\ - \ | String | Yes | The Darktrace API public token. |\n| API Private Token | Password\ - \ | Yes | The Darktrace API private token used for HMAC signature generation.\ - \ |\n| Verify SSL | Boolean | Yes | If enabled, verifies the SSL certificate of\ - \ the Darktrace server. |\n| Lowest AI Incident Score To Fetch | Integer | Yes\ - \ | The minimum AI Analyst score (0-100) required to ingest an incident. |\n|\ - \ Max Hours Backwards | Integer | No | The number of hours to look back for incidents\ - \ during the first run or fallback. |\n| Max AI Incidents To Fetch | Integer |\ - \ No | The maximum number of incidents to process per iteration (Max: 100). |\n\ - | Use dynamic list as a blocklist | Boolean | Yes | If enabled, the SOAR dynamic\ - \ list will act as a blocklist for incident titles. |\n| Proxy Server Address\ - \ | String | No | The address of the proxy server if required. |\n| Proxy Username\ - \ | String | No | The username for proxy authentication. |\n| Proxy Password |\ - \ Password | No | The password for proxy authentication. |\n\n### Flow Description\n\ - 1. **Authentication**: The connector establishes a connection to the Darktrace\ - \ API using a custom HMAC signature generated from the API Token, Private Token,\ - \ and current UTC timestamp.\n2. **Time Management**: It determines the fetch\ - \ window by checking the last successful execution timestamp. If no timestamp\ - \ exists, it uses the `Max Hours Backwards` parameter. It applies a 4-hour split\ - \ interval and a 1-hour padding to ensure data consistency.\n3. **Data Retrieval**:\ - \ The connector queries the `/aianalyst/incidentevents` endpoint, filtering by\ - \ the `Lowest AI Incident Score To Fetch` and the calculated time range.\n4. **Deduplication\ - \ and Filtering**: Fetched incidents are compared against a list of previously\ - \ processed IDs. It then applies a dynamic list filter (whitelist or blacklist)\ - \ against the incident title.\n5. **Data Transformation**: \n * The connector\ - \ flattens complex, nested JSON structures from the AI Analyst (including 'details'\ - \ and 'periods') into flat event dictionaries.\n * It maps the Darktrace\ - \ `aiaScore` to Google SecOps severity levels (e.g., 100 = Critical, 80 = High).\n\ - \ * It assigns the environment based on the configured regex or default settings.\n\ - 6. **Ingestion**: Transformed incidents are packaged as `AlertInfo` objects and\ - \ ingested into Google SecOps as cases.\n7. **State Persistence**: The connector\ - \ saves the IDs of processed incidents and updates the last success timestamp\ - \ to prevent duplicate ingestion in future cycles." + ai_description: >- + ### General Description + + The Darktrace - AI Incident Events Connector is designed to ingest AI-driven incident + events from the Darktrace platform into Google SecOps. It enables security teams + to monitor and respond to high-fidelity AI-detected threats by automatically creating + cases within the SOAR platform. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | DeviceProductField | String | Yes | Source field name to retrieve the Product + Field name. | + + | EventClassId | String | Yes | Source field name to retrieve the Event Field + name. | + + | Environment Field Name | String | No | Field name where the environment name + is stored. | + + | Environment Regex Pattern | String | No | Regex pattern to manipulate the environment + field value. | + + | PythonProcessTimeout | Integer | Yes | Timeout limit for the connector script. + | + + | API Root | String | Yes | API root URL of the Darktrace instance. | + + | API Token | String | Yes | Darktrace API token. | + + | API Private Token | Password | Yes | Darktrace API private token. | + + | Verify SSL | Boolean | Yes | Whether to verify the SSL certificate for the connection. + | + + | Lowest AI Incident Score To Fetch | Integer | Yes | Minimum score threshold + for fetching AI incidents (0-100). | + + | Max Hours Backwards | Integer | No | Hours to look back for the initial fetch + or fallback. | + + | Max AI Incidents To Fetch | Integer | No | Maximum number of incidents to process + per iteration. | + + | Use dynamic list as a blocklist | Boolean | Yes | Whether to use a dynamic list + as a blocklist. | + + | Proxy Server Address | String | No | Proxy server address. | + + | Proxy Username | String | No | Proxy username. | + + | Proxy Password | Password | No | Proxy password. | + + + ### Flow Description + + 1. The connector authenticates with the Darktrace API using the provided API Token + and Private Token. + + 2. It determines the time range for data retrieval based on the last successful + run timestamp or the configured `Max Hours Backwards`. + + 3. It queries the Darktrace `/aianalyst/incidentevents` endpoint for AI incidents, + applying the `Lowest AI Incident Score To Fetch` filter. + + 4. Fetched incidents are filtered against `existing_ids` to prevent duplicates + and checked against the configured whitelist/blacklist. + + 5. Valid incidents are mapped to the Google SecOps `AlertInfo` format, including + environment and severity details. + + 6. The connector creates cases in Google SecOps for each processed incident. + + 7. Finally, it updates the last success timestamp to ensure subsequent runs only + fetch new data. Darktrace - Model Breaches Connector: - ai_description: "### General Description\n\nThe Darktrace - Model Breaches Connector\ - \ integrates Google SecOps with the Darktrace platform to ingest \"Model Breaches\"\ - \ as cases. This connector monitors for anomalous network behaviors detected by\ - \ Darktrace's AI and retrieves detailed connection events associated with each\ - \ breach to provide comprehensive context for security investigations. It supports\ - \ advanced filtering by score, priority, and behavior category to ensure only\ - \ relevant security incidents are ingested.\n\n### Parameters Description\n\n\ - | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ - | API Root | String | Yes | The API root URL of the Darktrace instance (e.g.,\ - \ https://darktrace-instance.com). |\n| API Token | String | Yes | The public\ - \ API token for Darktrace authentication. |\n| API Private Token | Password |\ - \ Yes | The private API token used to generate cryptographic signatures for requests.\ - \ |\n| Verify SSL | Boolean | Yes | If enabled, verifies the SSL certificate of\ - \ the Darktrace server. |\n| DeviceProductField | String | Yes | The source field\ - \ name used to retrieve the Product Name (Default: Product Name). |\n| EventClassId\ - \ | String | Yes | The source field name used to retrieve the Event Field name\ - \ (Default: eventType). |\n| Lowest Model Breach Score To Fetch | Integer | No\ - \ | The minimum score (0-100) required for a model breach to be ingested. |\n\ - | Lowest Priority To Fetch | Integer | No | The minimum priority (1-5) required\ - \ for a model breach to be ingested (1-3: Informational, 4: Suspicious, 5: Critical).\ - \ |\n| Max Hours Backwards | Integer | No | The number of hours to look back for\ - \ breaches during the initial run or as a fallback. |\n| Max Model Breaches To\ - \ Fetch | Integer | No | Maximum number of breaches to process per iteration (Maximum:\ - \ 1000). |\n| Use whitelist as a blacklist | Boolean | Yes | If enabled, the configured\ - \ whitelist will function as a blacklist. |\n| Behaviour Visibility | String |\ - \ No | Comma-separated list of behavior categories to ingest (e.g., Critical,\ - \ Suspicious, Compliance, Informational). |\n| Padding Time | Integer | No | Amount\ - \ of hours used as a padding for the fetch window (Maximum: 100). |\n| Environment\ - \ Field Name | String | No | The field name where the environment name is stored\ - \ for multi-tenant setups. |\n| Environment Regex Pattern | String | No | A regex\ - \ pattern to extract or manipulate the environment name from the environment field.\ - \ |\n| PythonProcessTimeout | Integer | Yes | Timeout limit in seconds for the\ - \ connector execution. |\n\n### Flow Description\n\n1. **Authentication**: The\ - \ connector establishes a connection to the Darktrace API using the provided API\ - \ Root and Tokens, generating a HMAC-SHA1 signature for each request.\n2. **Time\ - \ Management**: It calculates the fetch window based on the last successful execution\ - \ timestamp, applying `Max Hours Backwards` for initial runs and adjusting with\ - \ `Padding Time` if configured.\n3. **Alert Retrieval**: The connector queries\ - \ the `/modelbreaches` endpoint to fetch recent breaches that meet the `Lowest\ - \ Model Breach Score` and `Lowest Priority` thresholds.\n4. **Filtering**: \n\ - \ * **Whitelist/Blacklist**: Filters breaches based on their name using the\ - \ provided list.\n * **Behavior Visibility**: Filters breaches based on their\ - \ category (e.g., Critical, Suspicious) as defined in the `Behaviour Visibility`\ - \ parameter.\n5. **Enrichment**: For each breach, the connector fetches granular\ - \ connection details and event data from the `/details` endpoint to populate the\ - \ case events.\n6. **Case Creation**: The connector maps the Darktrace breach\ - \ data and associated events into the Google SecOps AlertInfo format, applying\ - \ environment and product mapping logic.\n7. **Persistence**: Successfully processed\ - \ breach IDs and the latest timestamp are saved to prevent duplicate ingestion\ - \ in subsequent cycles." + ai_description: >- + ### General Description + + The Darktrace Model Breaches Connector is designed to fetch model breach alerts + and their associated connection events from the Darktrace platform. By integrating + this connector, users can automatically ingest security incidents into Google + SecOps, allowing for centralized monitoring and automated response to anomalous + network behavior. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | API Root | String | Yes | The base URL of the Darktrace API. | + + | API Token | String | Yes | The API token for authentication. | + + | API Private Token | Password | Yes | The private API token for signature generation. + | + + | Verify SSL | Boolean | Yes | Whether to verify the SSL certificate of the Darktrace + server. | + + | Lowest Model Breach Score To Fetch | Integer | No | The minimum score (0-100) + for breaches to be fetched. | + + | Lowest Priority To Fetch | Integer | No | The minimum priority (1-5) for breaches + to be fetched. | + + | Max Hours Backwards | Integer | No | The lookback period in hours for the initial + fetch. | + + | Max Model Breaches To Fetch | Integer | No | The maximum number of breaches + to process per iteration. | + + | Behaviour Visibility | String | No | Filter breaches by behavior category (Critical, + Suspicious, Compliance, Informational). | + + | Use whitelist as a blacklist | Boolean | Yes | If enabled, the whitelist acts + as a blacklist. | + + | PythonProcessTimeout | Integer | Yes | Timeout limit for the connector script. + | + + | DeviceProductField | String | Yes | Field name to retrieve the product name. + | + + | EventClassId | String | Yes | Field name to retrieve the event type. | + + | Environment Field Name | String | No | Field name where the environment name + is stored. | + + | Environment Regex Pattern | String | No | Regex pattern to manipulate the environment + field value. | + + | Proxy Server Address | String | No | Proxy server address. | + + | Proxy Username | String | No | Proxy username. | + + | Proxy Password | Password | No | Proxy password. | + + | Padding Time | Integer | No | Padding time in hours for the last success timestamp. + | + + + ### Flow Description + + 1. The connector initializes the connection to the Darktrace API using the provided + credentials and configuration. + + 2. It calculates the `last_success_timestamp` based on the configured `Max Hours + Backwards` and `Padding Time` to determine the starting point for fetching new + alerts. + + 3. It queries the Darktrace API for model breaches, applying filters for score, + priority, and existing alert IDs to avoid duplicates. + + 4. For each fetched breach, the connector retrieves detailed event information. + + 5. It applies additional filtering based on the `Behaviour Visibility` and whitelist/blacklist + settings. + + 6. The breach data is mapped into the SOAR alert format, including environment + and device information. + + 7. Finally, the connector saves the state (processed IDs and timestamps) and returns + the ingested alerts to the SOAR platform for case creation. diff --git a/content/response_integrations/third_party/partner/darktrace/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/darktrace/resources/ai/integration_ai_description.yaml index ac6c94bb4..f3a52a507 100644 --- a/content/response_integrations/third_party/partner/darktrace/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/partner/darktrace/resources/ai/integration_ai_description.yaml @@ -2,11 +2,23 @@ product_categories: asset_inventory: true cloud_security: false collaboration: false - edr: false + edr: true email_security: false iam_and_identity_management: false itsm: false network_security: true + reasoning: >- + The Darktrace integration provides comprehensive visibility into network and endpoint + activity. The connectors ingest AI-driven incident events and model breaches, + which aligns with SIEM capabilities for centralized monitoring and alert ingestion. + The integration supports EDR and Network Security categories by providing actions + to list endpoint events, retrieve connection data, and search for unusual network + behavior, which are critical for investigating host-based and network-based threats. + Additionally, the integration supports Asset Inventory by allowing analysts to + enrich entity profiles with device details and identify similar devices. It also + provides Threat Intelligence capabilities by enriching entities with contextual + data to confirm alert validity. It does not provide specific actions for Email + Security, IAM, ITSM, Vulnerability Management, or Collaboration. siem: true threat_intelligence: true vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/domain_tools/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/domain_tools/resources/ai/actions_ai_description.yaml index ca0da5e0b..60bbe4434 100644 --- a/content/response_integrations/third_party/partner/domain_tools/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/domain_tools/resources/ai/actions_ai_description.yaml @@ -13,6 +13,10 @@ Get Domain Rdap: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action fetches RDAP data from DomainTools, which provides registration and + ownership context for domains. This matches the 'Enrich IOC' category. It does + not modify external systems or perform containment actions. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -27,32 +31,44 @@ Get Domain Rdap: update_email: false update_identity: false update_ticket: false - ai_description: "### General Description\nEnriches Domain, Hostname, and URL entities\ - \ with parsed RDAP (Registration Data Access Protocol) information from DomainTools.\ - \ This action retrieves detailed registration data, including registrar details,\ - \ contact information, creation/expiration dates, and nameservers. The retrieved\ - \ data is used to enrich the entity's additional properties and generate informative\ - \ data tables within the case.\n\n### Parameters Description\n| Parameter | Expected\ - \ Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Domain |\ - \ string | False | A specific domain to get the parsed RDAP result for. If provided,\ - \ the action will run only on this domain, ignoring other entities in the case\ - \ context. |\n\n### Flow Description\n1. **Initialization**: Extracts configuration\ - \ parameters (Username, API Token, Verify SSL) and the optional 'Domain' action\ - \ parameter.\n2. **Entity Identification**: If a specific 'Domain' parameter is\ - \ provided, it creates a temporary domain entity. Otherwise, it identifies all\ - \ supported entities (URL, Hostname, Domain) within the current case context.\n\ - 3. **Domain Extraction**: For each target entity, it extracts the base domain\ - \ name from the identifier (e.g., extracting from a URL or email).\n4. **Data\ - \ Retrieval**: Queries the DomainTools API using the `get_parsed_domain_rdap`\ - \ method to fetch registration data.\n5. **Internal Mutation**: \n * Flattens\ - \ the RDAP data and adds it to the entity's `additional_properties` with a 'DT'\ - \ prefix.\n * Generates an entity-specific table containing the RDAP details.\n\ - \ * Appends summary data to a global case data table named 'DomainTools Parsed\ - \ Domain RDAP'.\n6. **Completion**: Updates the enriched entities in Google SecOps\ - \ and returns the results as JSON.\n\n### Additional Notes\n* If the 'Domain'\ - \ parameter is used, the action logic bypasses the standard entity iteration and\ - \ focuses solely on the provided string.\n* The action handles cases where no\ - \ RDAP record is found by logging the status and providing a placeholder result." + ai_description: >- + Enriches domain, hostname, or URL entities with RDAP (Registration Data Access + Protocol) information from DomainTools. This action retrieves threat intelligence + and registration details for the specified domain, hostname, or URL, and updates + the entity's properties with the retrieved data. + + + ### Flow + + 1. Extracts configuration parameters (Username, API Token, Verify SSL) from the + integration settings. + + 2. Identifies target entities from the case (DOMAIN, HOSTNAME, URL) or uses the + provided `Domain` parameter if specified. + + 3. Queries the DomainTools API for parsed RDAP data for each target entity. + + 4. Updates the entity's `additional_properties` with the retrieved RDAP data. + + 5. Generates a summary table and JSON results for the case to provide visibility + into the enrichment results. + + + ### Parameters + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Domain | string | false | The domain to get the parsed domain RDAP result. If + not provided, the action runs on all supported entities in the case. | + + + ### Additional Notes + + If the `Domain` parameter is provided, the action will run only for that specific + domain. If it is not provided, the action will iterate over all supported entities + (DOMAIN, HOSTNAME, URL) present in the case. capabilities: can_create_case_comments: false can_create_insight: false @@ -63,10 +79,18 @@ Get Domain Rdap: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with RDAP registration data and adds data - tables to the case results. + The action updates entity properties and adds data tables/JSON results to the + case. + reasoning: >- + The action fetches RDAP data from DomainTools (fetches_data=true). It updates + entity properties (can_update_entities=true) and adds data tables/JSON results + to the case (can_mutate_internal_data=true). It does not modify external systems. categories: enrichment: true + reasoning: >- + The action fetches data from an external source (DomainTools) and updates internal + entities without modifying external systems, which qualifies it as an enrichment + action. entity_usage: entity_types: - DOMAIN @@ -85,6 +109,10 @@ Get Domain Rdap: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and filters them based on + `SUPPORTED_ENTITY_TYPES` (DOMAIN, HOSTNAME, URL). It also supports an optional + `Domain` parameter to run on a specific domain. Get WhoIs History: action_product_categories: add_alert_comment: false @@ -100,6 +128,10 @@ Get WhoIs History: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves Whois history, which provides threat intelligence and context + for domains. This aligns with the 'Enrich IOC' category. It does not perform + any other actions like ticketing, blocking, or identity management. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -114,65 +146,27 @@ Get WhoIs History: update_email: false update_identity: false update_ticket: false - ai_description: >- - ### General Description - - The **Get WhoIs History** action enriches domain-related entities (Domain, Hostname, - and URL) with historical Whois information retrieved from DomainTools. This action - provides visibility into past registration details, registrar changes, and ownership - history, which is essential for identifying domain aging, ownership shifts, or - infrastructure patterns used by adversaries. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Domain | String | No | A specific domain to query. If provided, the action will - focus solely on this value and ignore other entities in the case context. | - - - ### Additional Notes - - - The action supports **DOMAIN**, **HOSTNAME**, and **DestinationURL** entity - types. - - - If the `Domain` parameter is left empty, the action automatically processes - all supported entities within the current case context. - - - Enrichment results are added to the entity's additional properties (prefixed - with `DT`) and presented in both entity-specific tables and a consolidated case-wide - data table. - - - ### Flow Description - - 1. **Initialization**: Retrieves API credentials (Username and API Token) from - the integration configuration and initializes the DomainTools manager. - - 2. **Entity Identification**: Determines the target domains by either using the - provided `Domain` parameter or filtering the case's entities for supported types - (URL, Hostname, Domain). - - 3. **Data Retrieval**: For each identified domain, the action queries the DomainTools - API to fetch its Whois history records. - - 4. **Data Processing**: Parses the retrieved historical data, including registration - dates, registrar names, and registrant information. - - 5. **Internal Enrichment**: - - Updates the entity's **additional_properties** with flattened Whois data. - - Adds a detailed **entity table** containing the history for each specific - domain. - - Creates a global **data table** named "DomainTools Whois History" to summarize - all enriched entities in the case. - 6. **Completion**: Updates the entities in Google SecOps and returns a summary - message of the enrichment results. + ai_description: "### General Description\nThis action enriches domain-related entities\ + \ (URL, Hostname, Domain) with Whois history data retrieved from DomainTools.\ + \ It provides historical registration information, which is valuable for threat\ + \ hunting and investigating the provenance of suspicious domains.\n\n### Parameters\n\ + | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ + | Domain | string | No | The specific domain to retrieve Whois history for. If\ + \ not provided, the action processes all target entities of type URL, Hostname,\ + \ or Domain. |\n\n### Flow Description\n1. **Configuration Extraction**: Retrieves\ + \ integration settings (Username, ApiToken, Verify SSL) from the environment.\n\ + 2. **Entity Identification**: Identifies target entities from the case or the\ + \ optional 'Domain' parameter.\n3. **Data Retrieval**: For each valid entity,\ + \ the action queries the DomainTools API for Whois history.\n4. **Data Processing**:\ + \ \n - Flattens the retrieved Whois history data.\n - Updates the entity's\ + \ `additional_properties` with the enriched data (prefixed with 'DT').\n -\ + \ Generates a CSV table of the history for the entity.\n5. **Result Reporting**:\ + \ \n - Updates the entities in the SOAR platform.\n - Adds a summary data\ + \ table to the action results.\n - Returns a JSON result containing the enriched\ + \ data for each processed entity." capabilities: can_create_case_comments: false - can_create_insight: false + can_create_insight: true can_modify_alert_data: false can_mutate_external_data: false can_mutate_internal_data: true @@ -180,10 +174,18 @@ Get WhoIs History: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with historical Whois data and adds data - tables to the case for visualization. + Updates entity additional properties and adds data tables to the case results. + reasoning: >- + The action fetches Whois history data from an external API (DomainTools). It + does not perform any external mutations (e.g., blocking). It performs internal + mutations by updating entity properties and adding data tables to the SOAR case. categories: enrichment: true + reasoning: >- + The action is designed to fetch supplemental context (Whois history) for entities. + It does not mutate external systems and only performs allowed internal mutations + (updating entities and adding insights/tables). Therefore, it qualifies as an + enrichment action. entity_usage: entity_types: - DOMAIN @@ -202,6 +204,9 @@ Get WhoIs History: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over `siemplify.target_entities` and filters them based + on whether their type is in the supported list (URL, Hostname, Domain). Investigate Domain: action_product_categories: add_alert_comment: false @@ -217,6 +222,10 @@ Investigate Domain: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves threat intelligence (risk scores, threats, evidence) for + domains, which aligns with 'Enrich IOC'. It does not perform asset enrichment + (e.g., user/host metadata), nor does it perform any containment or ticket management. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -234,43 +243,50 @@ Investigate Domain: ai_description: >- ### General Description - Enriches Domain, Hostname, and URL entities using DomainTools Iris Investigate. - This action retrieves comprehensive threat intelligence, including overall risk - scores, proximity risk, threat profiles (malware, phishing, spam), registration - dates, and hosting details. It helps analysts quickly assess the reputation and - history of a domain by providing both summary tables and detailed entity attributes. + Enriches domain, hostname, and URL entities using DomainTools Iris Investigate. + This action retrieves comprehensive threat intelligence, including risk scores, + threat profiles, and hosting information, to assist in the investigation of suspicious + domains. - ### Parameters Description + ### Flow Description - | Parameter | Default Value | Type | Mandatory | Description | + 1. **Configuration Extraction**: Retrieves the DomainTools API credentials (Username, + API Token) and SSL verification settings. - | :--- | :--- | :--- | :--- | :--- | + 2. **Entity Identification**: Identifies target entities (Domain, Hostname, URL) + from the case or uses the provided 'Domain' parameter if specified. - | Domain | "" | string | False | A specific domain to investigate. If provided, - the action will focus on this domain instead of the case entities. | + 3. **Data Retrieval**: Queries the DomainTools Iris Investigate API for threat + intelligence data, processing entities in chunks of up to 100. + 4. **Data Parsing**: Parses the API response into a structured model containing + analytics, identity, registration, and hosting details. - ### Flow Description + 5. **Entity Enrichment**: Updates the entity's `additional_properties` with the + retrieved data and marks the entity as enriched. + + 6. **Result Reporting**: Adds a CSV table of the investigation results to the + entity and a summary table to the action results, then updates the entities in + the SOAR platform. - 1. **Initialization**: Extract integration configuration parameters (Username, - API Token, SSL settings) and identify target entities (URL, Hostname, Domain). - 2. **Target Selection**: If the 'Domain' parameter is provided, it creates a temporary - domain entity for investigation. Otherwise, it extracts domains from all supported - entities in the case. + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | - 3. **API Interaction**: Queries the DomainTools Iris Investigate API for the identified - domains. The action supports batching up to 100 domains per call to optimize performance. + | Domain | string | false | The domain to investigate. If not provided, the action + will attempt to enrich all supported entities (Domain, Hostname, URL) found in + the case. | - 4. **Data Parsing**: Processes the API response into structured data models, extracting - risk scores, identity information, registration dates, and hosting details. - 5. **Internal Updates**: Updates the entities in Google SecOps with the retrieved - intelligence data (prefixed with 'DT') and sets the 'is_enriched' flag to true. + ### Additional Notes - 6. **Output Generation**: Generates entity-specific tables and a comprehensive - summary data table for the case wall, along with JSON results for downstream automation. + If the 'Domain' parameter is provided, the action will prioritize investigating + that specific domain. Otherwise, it will iterate through all valid entities of + type Domain, Hostname, or URL present in the case. capabilities: can_create_case_comments: false can_create_insight: false @@ -281,15 +297,25 @@ Investigate Domain: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with DomainTools intelligence data and - sets the 'is_enriched' flag to true. + Updates entity 'additional_properties' and adds result tables/JSON to the action + output. + reasoning: >- + The action fetches threat intelligence data from the DomainTools API (fetches_data=true). + It does not modify external systems (can_mutate_external_data=false). It updates + internal SOAR entities with enrichment data and adds result tables (can_mutate_internal_data=true, + can_update_entities=true). It does not create insights, modify alerts, or add + case comments. categories: enrichment: true + reasoning: >- + The action fetches data from an external source (DomainTools) and updates internal + entities with that data. It does not mutate external systems. It fits the definition + of an enrichment action. entity_usage: entity_types: - - DOMAIN - - HOSTNAME - DestinationURL + - HOSTNAME + - DOMAIN filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -303,6 +329,10 @@ Investigate Domain: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code filters 'siemplify.target_entities' using 'SUPPORTED_ENTITY_TYPES', + which includes URL, HOSTNAME, and DOMAIN. It checks the entity type attribute + to determine if the entity should be processed. Ping: action_product_categories: add_alert_comment: false @@ -318,6 +348,9 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test ('Ping') and does not perform any of the defined + product category operations such as enrichment, ticketing, or containment. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -333,43 +366,18 @@ Ping: update_identity: false update_ticket: false ai_description: >- - ### General Description - - Tests the connectivity to the DomainTools API using the provided credentials (Username - and API Token). This action ensures that the integration is correctly configured - and that the Google SecOps environment can reach the DomainTools service. It verifies - the validity of the credentials by attempting to retrieve account and license - information from the external service. - - - ### Parameters Description - - | Parameter Name | Description | Type | Mandatory | - - | :--- | :--- | :--- | :--- | - - | N/A | This action does not have any input parameters. | N/A | N/A | - - - ### Additional Notes - - This action relies on the integration's global configuration (Username, API Token, - and Verify SSL) to establish a connection. It performs a call to the DomainTools - `account_information` endpoint during the initialization of the manager class. - - - ### Flow Description - - 1. **Retrieve Configuration**: The action fetches the integration settings, including - the Username, API Token, and SSL verification preference. - - 2. **Initialize Manager**: It instantiates the `DomainToolsManager`. During this - process, the manager automatically calls the DomainTools API's account information - endpoint to verify credentials and retrieve available product licenses. - - 3. **Verify Connection**: If the API responds successfully, the action concludes - with a 'Connection Established' message. If an exception is raised during the - API call or initialization, the connection is considered failed. + Tests connectivity to the DomainTools API. This action validates the provided + credentials by attempting to retrieve account information from the DomainTools + service. It returns a success message if the connection is established or a failure + message if the connection fails. ### Parameters Description | Parameter | Type + | Mandatory | Description | | :--- | :--- | :--- | :--- | | Username | String + | Yes | The DomainTools API username. | | ApiToken | String | Yes | The DomainTools + API key. | | Verify SSL | Boolean | Yes | Whether to verify SSL certificates for + API requests. | ### Additional Notes This action is a connectivity test and does + not process any entities. ### Flow Description 1. Initialize the Siemplify action. + 2. Retrieve configuration parameters (Username, ApiToken, Verify SSL). 3. Initialize + the DomainToolsManager, which triggers an API call to fetch account information. + 4. Return a status message indicating whether the connection was successful. capabilities: can_create_case_comments: false can_create_insight: false @@ -380,8 +388,14 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity test by calling the DomainTools API to fetch + account information. It does not modify any external or internal data. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action, which is explicitly excluded from being an enrichment + action per the instructions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -397,3 +411,6 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not iterate over or utilize the target_entities attribute. It + is a global connectivity test that does not depend on specific entity types. diff --git a/content/response_integrations/third_party/partner/domain_tools/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/domain_tools/resources/ai/integration_ai_description.yaml index 2e831240c..d530ab6c0 100644 --- a/content/response_integrations/third_party/partner/domain_tools/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/partner/domain_tools/resources/ai/integration_ai_description.yaml @@ -7,6 +7,16 @@ product_categories: iam_and_identity_management: false itsm: false network_security: false + reasoning: >- + The DomainTools integration is a dedicated threat intelligence provider. Its primary + actions, such as 'Get Domain Rdap', 'Get WhoIs History', and 'Investigate Domain', + are specifically designed to enrich domain, hostname, and URL entities with risk + scores, registration data, and historical context. This aligns perfectly with + the 'Threat Intelligence' category, which focuses on the enrichment of external + indicators to determine reputation and confirm alerts. The integration does not + perform SIEM log analysis, EDR host containment, network security blocking, email + management, IAM operations, cloud security, ITSM ticketing, vulnerability management, + asset inventory, or collaboration tasks. siem: false threat_intelligence: true vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/doppel_vision/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/doppel_vision/resources/ai/actions_ai_description.yaml index fa9cb6f00..a6877f049 100644 --- a/content/response_integrations/third_party/partner/doppel_vision/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/doppel_vision/resources/ai/actions_ai_description.yaml @@ -13,6 +13,10 @@ Create Abuse Alert: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action creates a new record (abuse alert) in an external system. This aligns + with the 'Create Ticket' category, which involves generating a new record in + an external system. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -30,40 +34,43 @@ Create Abuse Alert: ai_description: >- ### General Description - Creates an abuse alert for a specified entity within the Doppel system. This action - is primarily used to report suspicious entities, such as URLs, to the Doppel abuse - box for investigation. It will fail if the provided entity is invalid or belongs - to a protected list (e.g., well-known domains like google.com). + Creates an abuse alert in the DoppelVision system for a specified entity (e.g., + URL). This action automates the reporting process by sending a request to the + DoppelVision API. ### Parameters Description - | Parameter | Description | Type | Mandatory | Default Value | + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | - | :--- | :--- | :--- | :--- | :--- | + | Entity | string | Yes | The entity (e.g., URL) for which to create the abuse + alert. | - | Entity | The specific entity (e.g., a URL) that should be reported to the Doppel - abuse box. | string | Yes | https://dummyabuseurl.com | + + ### Additional Notes + + This action requires valid API credentials (API Key, User API Key, and Organization + Code) to be configured in the DoppelVision integration settings. The action will + fail if the provided entity is invalid or protected in the DoppelVision system. ### Flow Description - 1. **Parameter Extraction**: The action retrieves the necessary API credentials - (API Key, User API Key, Organization Code) from the integration configuration - and the target entity from the action parameters. + 1. Extracts the required API credentials (API Key, User API Key, Organization + Code) from the integration configuration. + + 2. Extracts the target `Entity` from the action parameters. - 2. **Manager Initialization**: Initializes the `DoppelManager` with the provided - credentials to facilitate communication with the Doppel API. + 3. Initializes the `DoppelManager` with the provided credentials. - 3. **API Interaction**: Executes a POST request to the `/alert/abuse` endpoint - of the Doppel API, passing the entity identifier. + 4. Sends a POST request to the DoppelVision API (`/alert/abuse`) to create an + abuse alert for the specified entity. - 4. **Result Processing**: If the API call is successful, the resulting alert data - is stored in the action's JSON results. If the call fails or the entity is protected/invalid, - an exception is raised and the action is marked as failed. + 5. Stores the API response in the action result JSON. - 5. **Completion**: Logs the execution status and returns the final output message - to the Google SecOps platform. + 6. Completes the action with a success or failure status based on the API response. capabilities: can_create_case_comments: false can_create_insight: false @@ -72,11 +79,18 @@ Create Abuse Alert: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new abuse alert record in the Doppel external system via a POST request. - fetches_data: true + Creates an abuse alert in the external DoppelVision system. + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to create an abuse alert in an external system + (DoppelVision). It does not fetch data for enrichment, nor does it modify internal + SOAR data (entities, insights, comments). categories: enrichment: false + reasoning: >- + The action is a mutation action (creating an alert), not an enrichment action, + as it does not fetch data for context. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -92,6 +106,9 @@ Create Abuse Alert: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action takes a string parameter named 'Entity' from the action configuration. + It does not iterate over or process `siemplify.target_entities`. Create Alert: action_product_categories: add_alert_comment: false @@ -107,6 +124,10 @@ Create Alert: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action creates a new alert record in the external DoppelVision system. This + aligns with the 'Create Ticket' category, which covers generating new records + in external systems. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -121,28 +142,38 @@ Create Alert: update_email: false update_identity: false update_ticket: false - ai_description: "### General Description\nThis action creates a new alert within\ - \ the DoppelVision platform for a specified entity. It is primarily used to programmatically\ - \ trigger Doppel's internal monitoring or investigation workflows for a specific\ - \ indicator (such as a URL). The action communicates with the Doppel API via a\ - \ POST request and returns the details of the created alert.\n\n### Parameters\ - \ Description\n| Parameter | Description | Type | Mandatory | Notes |\n| :---\ - \ | :--- | :--- | :--- | :--- |\n| Entity | The specific entity (e.g., a URL or\ - \ identifier) for which the alert should be created in DoppelVision. | string\ - \ | Yes | Default value is 'https://dummyrul.com'. |\n\n### Flow Description\n\ - 1. **Configuration Extraction**: The action retrieves the API Key, User API Key,\ - \ and Organization Code from the integration configuration.\n2. **Parameter Extraction**:\ - \ The action retrieves the 'Entity' string provided by the user.\n3. **Manager\ - \ Initialization**: A `DoppelManager` instance is initialized with the provided\ - \ credentials.\n4. **API Interaction**: The action calls the `create_alert` method,\ - \ which sends a POST request to the DoppelVision `/alert` endpoint with the entity\ - \ payload.\n5. **Result Processing**: \n * If the API returns a successful\ - \ response, the alert data is stored in the action's JSON results.\n * If the\ - \ API call fails or returns an empty response, an exception is raised.\n6. **Completion**:\ - \ The action concludes by reporting the execution status and an output message\ - \ to the Google SecOps workbench.\n\n### Additional Notes\nThis action does not\ - \ iterate over SecOps entities automatically; it requires the 'Entity' parameter\ - \ to be explicitly passed, typically from a playbook variable or manual input." + ai_description: >- + Creates a new alert in the DoppelVision system for a specified entity. This action + allows users to trigger the creation of an alert record externally by providing + the entity identifier. + + + ### Parameters + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Entity | string | Yes | The entity (e.g., URL, IP) for which to create the alert + in DoppelVision. | + + + ### Flow Description + + 1. **Configuration Extraction**: The action retrieves the necessary API credentials + (API Key, User API Key, and Organization Code) from the integration configuration. + + 2. **Parameter Extraction**: The `Entity` parameter is extracted from the action + input. + + 3. **Manager Initialization**: The `DoppelManager` is initialized with the provided + credentials. + + 4. **Alert Creation**: The action calls the `create_alert` method, which sends + a POST request to the DoppelVision API to create the alert for the specified entity. + + 5. **Result Handling**: The API response is stored in the action result JSON. + If the creation fails, an exception is raised, and the action is marked as failed. capabilities: can_create_case_comments: false can_create_insight: false @@ -151,12 +182,18 @@ Create Alert: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new alert record in the DoppelVision platform via a POST request to - the /alert endpoint. + Creates a new alert in the DoppelVision system. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to create an alert in an external system + (DoppelVision). It does not fetch data for enrichment, nor does it modify internal + SecOps data or entities. categories: enrichment: false + reasoning: >- + The action is a creation/mutation action, not an enrichment action, as it does + not retrieve data for the purpose of enriching existing entities. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -172,6 +209,10 @@ Create Alert: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action takes an 'Entity' parameter as input, but it does not iterate over + or process the 'siemplify.target_entities' list. Therefore, it does not run + on specific entity types. Get Alert: action_product_categories: add_alert_comment: false @@ -187,6 +228,11 @@ Get Alert: enrich_ioc: false execute_command_on_the_host: false get_alert_information: true + reasoning: >- + The action retrieves alert details from the DoppelVision platform via an API + GET request. This directly matches the 'Get Alert Information' category. It + does not perform any other actions such as updating alerts, creating tickets, + or modifying IOCs. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -202,49 +248,45 @@ Get Alert: update_identity: false update_ticket: false ai_description: >- - Retrieves detailed information about a specific alert from the DoppelVision platform. - The action allows users to fetch alert data using either a specific Alert ID or - an entity identifier (such as a URL). It is primarily used to gather context about - existing alerts within the Doppel ecosystem and returns the raw JSON data for - use in subsequent playbook steps. + Retrieves alert details from the DoppelVision platform. This action allows users + to fetch specific alert information by providing either an entity identifier or + a unique Alert ID. The action interacts with the DoppelVision API to retrieve + the alert data and stores the resulting JSON in the action's output for further + analysis. - ### Parameters Description - + ### Parameters - | Parameter | Description | Type | Mandatory | Notes | + | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | :--- | + | :--- | :--- | :--- | :--- | - | Entity | The entity identifier (e.g., a URL) associated with the alert. | String - | No | Either 'Entity' or 'Alert_ID' must be provided, but not both. | + | Entity | string | No | The entity identifier to search for. Either this or 'Alert_ID' + must be provided. | - | Alert_ID | The unique identifier of the alert in the Doppel tenant. | String - | No | Either 'Entity' or 'Alert_ID' must be provided, but not both. | + | Alert_ID | string | No | The unique ID of the alert to fetch. Either this or + 'Entity' must be provided. | ### Additional Notes - - This action does not process entities from the Google SecOps case; it relies - strictly on the provided input parameters. - - - The action will fail if both parameters are provided or if both are omitted. + Either the 'Entity' or 'Alert_ID' parameter must be configured for the action + to run. If both or neither are provided, the action will fail. ### Flow Description - 1. **Parameter Extraction:** The action retrieves the API credentials from the - integration configuration and the 'Entity' or 'Alert_ID' from the action parameters. + 1. Extract configuration parameters (API Key, User API Key, Organization Code) + and action parameters (Entity, Alert_ID). - 2. **Validation:** It checks that exactly one of the two search parameters ('Entity' - or 'Alert_ID') is populated. + 2. Validate that exactly one of 'Entity' or 'Alert_ID' is provided. - 3. **API Request:** It calls the DoppelVision API's GET endpoint for alerts using - the provided identifier. + 3. Call the DoppelVision API to fetch the alert details using the provided identifier. - 4. **Result Processing:** If an alert is found, the full JSON response is added - to the action's results. If no alert is found or the API returns an error, the - action fails. + 4. If the alert is found, store the JSON response in the action result. + + 5. If the alert is not found or an error occurs, the action fails and logs the + error. capabilities: can_create_case_comments: false can_create_insight: false @@ -255,8 +297,17 @@ Get Alert: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve alert information from an external + API (DoppelVision). It does not perform any write operations on external systems + (no mutation) and does not modify any internal Google SecOps case data (no entity + updates, insights, or comments). categories: enrichment: false + reasoning: >- + The action fetches data from an external source, but it does not perform any + of the allowed internal mutations (updating entities, creating insights, or + adding comments) required to be classified as an Enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -272,6 +323,10 @@ Get Alert: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or process Google SecOps entities (e.g., `siemplify.target_entities`). + It accepts an 'Entity' string as an input parameter for the API query, which + is distinct from the SOAR entity object model. Get Alerts: action_product_categories: add_alert_comment: false @@ -287,12 +342,16 @@ Get Alerts: enrich_ioc: false execute_command_on_the_host: false get_alert_information: true + reasoning: >- + The action fetches a list of alerts from the Doppel platform based on user-defined + filters. This aligns with the 'Get Alert Information' category. It does not + perform any other actions like enrichment, containment, or ticket creation. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false search_asset: false search_email: false - search_events: true + search_events: false send_email: false send_message: false submit_file: false @@ -304,11 +363,11 @@ Get Alerts: ai_description: >- ### General Description - This action fetches alerts from the Doppel Vision platform based on specified - filtering criteria. It is designed to retrieve a list of alerts for review or - further processing within Google SecOps. The action interacts with the Doppel - API's `/alerts` endpoint using a GET request, making it a read-only operation - relative to the external system. + The **Get Alerts** action retrieves a list of alerts from the Doppel platform + based on specified filtering criteria. This action allows analysts to query the + Doppel tenant for alerts, supporting various filters such as search keys, product + categories, creation dates, sorting preferences, and queue states. The retrieved + alerts are returned as a JSON object in the action results for further analysis. ### Parameters Description @@ -317,58 +376,49 @@ Get Alerts: | :--- | :--- | :--- | :--- | - | Search Key | string | No | Filters alerts by a specific key, currently supporting - search by URL. | + | Search Key | string | No | A search term to filter alerts by URL or other identifiers. + | - | Product | ddl | No | Filters alerts by product category (e.g., domains, social_media, + | Product | ddl | No | The product category to filter by (e.g., domains, social_media, mobile_apps, ecommerce, crypto, emails, paid_adds). | - | Created Before | string | No | Filters alerts created before a specific timestamp - (ISO 8601 format, e.g., '2024-01-05T13:45:30'). | + | Created Before | string | No | Filter alerts created before this date (format: + 'YYYY-MM-DDTHH:MM:SS'). | - | Created After | string | No | Filters alerts created after a specific timestamp - (ISO 8601 format, e.g., '2024-01-05T13:45:30'). | + | Created After | string | No | Filter alerts created after this date (format: + 'YYYY-MM-DDTHH:MM:SS'). | - | Sort Type | ddl | No | The field to sort the results by. Options include 'date_sourced' - (default) or 'date_last_actioned'. | + | Sort Type | ddl | No | The field to sort the reports by. Defaults to 'date_sourced'. + Options: 'date_sourced', 'date_last_actioned'. | - | Sort Order | ddl | No | The order of sorting. Options are 'asc' or 'desc' (default). - | + | Sort Order | ddl | No | The order to sort the reports by. Defaults to 'desc'. + Options: 'asc', 'desc'. | - | Page | string | No | Page number for pagination; defaults to 0. | + | Page | string | No | Page number for pagination. Defaults to 0. | - | Queue State | ddl | No | Filters alerts by their current queue status (e.g., + | Queue State | ddl | No | Filter alerts by their current queue status (e.g., doppel_review, actioned, needs_confirmation, taken_down, monitoring, archived). | - | Tags | string | No | A comma-separated list of tags to filter the alerts. | - - - ### Additional Notes - - - This action does not require any input entities to run; it fetches data globally - for the configured tenant. - - - All parameters are optional. If no parameters are provided, the action fetches - the most recent alerts based on default API behavior. + | Tags | string | No | A comma-separated list of tags to filter alerts. | ### Flow Description - 1. **Configuration Extraction:** The action retrieves the API Key, User API Key, - and Organization Code from the integration settings. + 1. **Configuration Extraction**: The action retrieves the necessary API credentials + (API Key, User API Key, Organization Code) from the DoppelVision integration configuration. - 2. **Parameter Parsing:** It extracts optional filters such as `Search Key`, `Product`, - `Queue State`, and date ranges from the action input. + 2. **Parameter Parsing**: It extracts the optional action parameters provided + by the user and constructs a `filters` dictionary, removing any empty or null + values. - 3. **Filter Construction:** A filter dictionary is built, removing any null values - and splitting the `Tags` string into a list. + 3. **Data Retrieval**: The action instantiates the `DoppelManager` and calls the + `get_alerts` method, passing the constructed filters to the Doppel API. - 4. **API Interaction:** The `DoppelManager` is initialized and calls the `get_alerts` - method, which performs a GET request to the Doppel API. - - 5. **Result Processing:** The retrieved list of alerts is added to the action's - JSON results. If no alerts are found, the action fails with an informative message. + 4. **Result Handling**: If alerts are successfully retrieved, the action stores + the JSON response in the action result using `siemplify.result.add_result_json` + and logs the total count. If no alerts are found or an error occurs, the action + fails gracefully with an appropriate error message. capabilities: can_create_case_comments: false can_create_insight: false @@ -379,8 +429,17 @@ Get Alerts: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Doppel API to retrieve alert data based + on user-provided filters. It does not modify any external systems (no POST/PUT/DELETE) + and does not modify any internal SOAR data (no entity updates, insights, or + case comments). categories: enrichment: false + reasoning: >- + The action retrieves data from an external system but does not enrich specific + entities or alerts within the case context. It is a data retrieval action, not + an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -396,6 +455,9 @@ Get Alerts: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on `siemplify.target_entities`. It is a global action + that fetches alerts from the Doppel platform based on provided filters. Ping: action_product_categories: add_alert_comment: false @@ -411,6 +473,9 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test ("Ping") and does not perform any of the defined + functional outcomes like enriching IOCs, updating tickets, or containing hosts. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -428,38 +493,45 @@ Ping: ai_description: >- ### General Description - The **Ping** action is used to verify the connectivity between Google SecOps and - the DoppelVision platform. It validates the provided configuration parameters, - such as the API Key, User API Key, and Organization Code, by attempting a basic - API request to the Doppel service to ensure the integration is correctly configured. + Validates connectivity to the DoppelVision API by performing a test request. This + action ensures that the provided credentials are correct and that the integration + can successfully communicate with the DoppelVision service. ### Parameters Description - There are no input parameters for this action. It relies entirely on the integration's - global configuration settings (API Key, User API Key, and Organization Code). + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + | API Key | String | Yes | The primary API key used for authentication with the + DoppelVision service. | - ### Flow Description + | User API Key | String | No | An optional user-specific API key for authentication. + | - 1. **Configuration Extraction**: The action retrieves the API Key, User API Key, - and Organization Code from the integration's shared configuration. + | Organization Code | String | No | An optional code for multi-tenant environment + configurations. | - 2. **Manager Initialization**: An instance of the DoppelManager is created using - the extracted credentials. - 3. **Connectivity Test**: The action executes a connection test by performing - a GET request to the Doppel `/alerts` endpoint. + ### Additional Notes - 4. **Result Reporting**: If the API responds with a success status, the action - ends with a 'Connection successful' message. If the request fails or the credentials - are invalid, it returns a failure message. + This action is intended for configuration validation and does not perform any + operational tasks on entities or alerts. - ### Additional Notes + ### Flow Description + + 1. The action extracts the configuration parameters: `API Key`, `User API Key`, + and `Organization Code`. - This action is strictly for connectivity testing and does not interact with entities - or modify any data within Google SecOps or DoppelVision. + 2. It initializes the `DoppelManager` instance using these credentials. + + 3. It executes the `connection_test` method, which sends a GET request to the + `/alerts` endpoint of the DoppelVision API. + + 4. If the request is successful, it returns a "Connection successful" message; + otherwise, it returns a "Connection failed" message. capabilities: can_create_case_comments: false can_create_insight: false @@ -470,8 +542,14 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to verify connectivity. It does not modify + external systems, update entities, or create insights. It is a diagnostic action. categories: enrichment: false + reasoning: >- + The action is a "Ping" action. According to the instructions, "Actions named + Ping must not be categorized as enrichment actions." entity_usage: entity_types: [] filters_by_additional_properties: false @@ -487,6 +565,9 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `target_entities`. It is a global configuration + validation task. Update Alert: action_product_categories: add_alert_comment: false @@ -502,6 +583,10 @@ Update Alert: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action updates an alert in an external system (DoppelVision). It does not + update an alert within the SecOps platform, nor does it fit any other category + like ticket creation or IOC management. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -519,12 +604,9 @@ Update Alert: ai_description: >- ### General Description - The **Update Alert** action allows users to modify the status and state of an - existing alert within the DoppelVision platform. It specifically targets the `Queue_State` - (e.g., moving an alert to 'actioned' or 'archived') and the `Entity_State` (e.g., - marking a URL as 'active', 'down', or 'parked'). This action is primarily used - to synchronize remediation or review progress from Google SecOps back to the DoppelVision - source system. + Updates an alert's status (queue state and entity state) in the DoppelVision platform. + This action allows users to modify the state of an alert by providing either an + Alert ID or an Entity identifier. ### Parameters Description @@ -533,46 +615,32 @@ Update Alert: | :--- | :--- | :--- | :--- | - | **Alert_ID** | String | No | The unique identifier for the specific alert in - the Doppel tenant. | - - | **Entity** | String | No | The entity (usually a URL) associated with the alert. + | Alert_ID | string | No | Unique identity for each specific alert in Doppel tenant. | - | **Queue_State** | DDL | Yes | The target queue state for the alert. Supported - values: `doppel_review`, `needs_confirmation`, `monitoring`, `taken_down`, `actioned`, - `archived`. | + | Entity | string | No | Entity to be alerted (e.g., URL). | - | **Entity_State** | DDL | Yes | The target state of the entity. Supported values: - `active`, `down`, `parked`. | + | Queue_State | ddl | Yes | Queue state value of the Alerts (doppel_review, needs_confirmation, + monitoring, taken_down, actioned, archived). | + | Entity_State | ddl | Yes | Entity state of Alerts (active, down, parked). | - ### Additional Notes - - **Validation Logic**: The action requires exactly one identifier to be provided. - You must provide **either** the `Alert_ID` or the `Entity` parameter. Providing - both or neither will result in a validation error and action failure. + ### Additional Notes - - This action performs an external state change (PUT request) in the DoppelVision - API. + Either `Alert_ID` or `Entity` must be provided for the action to run. If both + are provided, the action will fail. ### Flow Description - 1. **Parameter Extraction**: The action retrieves the integration configuration - (API Key, User API Key, Organization Code) and the action parameters (`Alert_ID`, - `Entity`, `Queue_State`, `Entity_State`). + 1. Extract parameters (API keys, Alert_ID/Entity, Queue_State, Entity_State). - 2. **Input Validation**: It verifies that either `Alert_ID` or `Entity` is provided, - ensuring they are not both present or both missing. + 2. Validate that either `Alert_ID` or `Entity` is provided, but not both. - 3. **API Interaction**: It calls the DoppelVision API's update endpoint using - a PUT request, passing the selected identifier and the new state values. + 3. Call the DoppelVision API to update the alert using a PUT request. - 4. **Result Processing**: Upon a successful response, the action stores the updated - alert details in the JSON results and completes with a success message. If the - update fails or returns an empty response, the action terminates with a failure - status. + 4. Store the API response in the action result. capabilities: can_create_case_comments: false can_create_insight: false @@ -581,12 +649,19 @@ Update Alert: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the 'queue_state' and 'entity_state' of an alert record within the DoppelVision - platform via a PUT request. - fetches_data: true + Updates the alert's queue state and entity state in the DoppelVision platform + via a PUT request. + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a PUT request to an external API (DoppelVision) to update + an alert's state. It does not fetch data, nor does it modify internal SecOps + data or entities. categories: enrichment: false + reasoning: >- + The action is a mutation action (updating an external alert) and does not fetch + data for enrichment purposes, therefore it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -602,3 +677,6 @@ Update Alert: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities`. It takes `Entity` + as a parameter, which is a string input, not a SecOps entity object. diff --git a/content/response_integrations/third_party/partner/doppel_vision/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/doppel_vision/resources/ai/integration_ai_description.yaml index 4788aca80..31a5d1e68 100644 --- a/content/response_integrations/third_party/partner/doppel_vision/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/partner/doppel_vision/resources/ai/integration_ai_description.yaml @@ -5,8 +5,17 @@ product_categories: edr: false email_security: false iam_and_identity_management: false - itsm: true + itsm: false network_security: false + reasoning: >- + The integration 'doppel_vision' connects the DoppelVision threat intelligence + platform with Google SecOps. Its primary functionality involves retrieving, creating, + and updating threat alerts and abuse reports. This aligns directly with the Threat + Intelligence category, as it provides external threat data and allows for the + management of threat-related records. It does not perform SIEM log analysis, EDR + host-level actions, network security blocking, email inbox management, IAM operations, + cloud resource management, ITSM ticketing, vulnerability scanning, asset inventory + management, or collaboration/notification tasks. siem: false threat_intelligence: true vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/grey_noise/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/grey_noise/resources/ai/actions_ai_description.yaml index 132e6f031..2d96ef290 100644 --- a/content/response_integrations/third_party/partner/grey_noise/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/grey_noise/resources/ai/actions_ai_description.yaml @@ -13,6 +13,10 @@ Execute GNQL Query: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action executes a GNQL query to search GreyNoise threat intelligence data + and returns the results. This matches the 'Search Events' category as it retrieves + a collection of data matching specific search parameters. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -28,53 +32,49 @@ Execute GNQL Query: update_identity: false update_ticket: false ai_description: >- + ### General Description + Executes custom GreyNoise Query Language (GNQL) queries to search GreyNoise threat - intelligence data. This action allows users to perform complex searches across - the GreyNoise dataset, retrieving information about IP addresses, classifications, - and scanning behavior. It supports pagination to handle large result sets and - provides options to simplify the output or exclude raw data for performance. + intelligence data. This action supports automatic pagination to retrieve large + datasets based on the provided query and configuration parameters. - ### Flow Description + ### Parameters Description - 1. **Parameter Extraction:** The action retrieves the GNQL query, maximum results - limit, and output preferences (Quick mode and Exclude Raw). + | Parameter | Type | Mandatory | Description | - 2. **Validation:** Validates that the 'Max Results' parameter is a positive integer. + | :--- | :--- | :--- | :--- | - 3. **API Interaction:** Connects to the GreyNoise API and executes the query. + | GNQL Query | string | Yes | The GreyNoise Query Language query string to execute. + | - 4. **Pagination:** If the result set exceeds the page size, the action automatically - uses scroll tokens to fetch subsequent pages until the 'Max Results' limit is - reached or all data is retrieved. + | Max Results | string | No | Number of results to return per request (max 5000). + Defaults to 1000. | - 5. **Result Aggregation:** Collects all fetched records and returns them as a - JSON object. + | Quick | boolean | No | If true, the response will only include the IP address + and the classification or trust level. Defaults to false. | + | Exclude Raw | boolean | No | Whether to exclude raw scan data from the response. + Defaults to true. | - ### Parameters Description - | Parameter | Type | Mandatory | Description | + ### Flow Description - | :--- | :--- | :--- | :--- | + 1. Extracts action parameters (GNQL Query, Max Results, Quick, Exclude Raw). - | GNQL Query | String | Yes | The GreyNoise Query Language query string to execute - (e.g., 'last_seen:1d'). | + 2. Initializes the `APIManager` with the configured API key. - | Max Results | String | No | The maximum number of records to return. Default - is 1000. | + 3. Executes the GNQL query using the `APIManager`, handling pagination automatically + until the `Max Results` limit is reached or no more data is available. - | Quick | Boolean | No | If set to true, the response will only include the IP - address and the classification or trust level. | + 4. Collects all retrieved data into a list. - | Exclude Raw | Boolean | No | If set to true, raw scan data will be excluded - from the response to reduce payload size. | + 5. Returns the collected data as a JSON result in the action output. ### Additional Notes - - This action does not operate on specific entities within the SecOps case; it - performs a global search based on the provided query string. + None. capabilities: can_create_case_comments: false can_create_insight: false @@ -85,8 +85,16 @@ Execute GNQL Query: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches data from the GreyNoise API by executing a GNQL query. It + does not mutate external or internal data, nor does it update entities, create + insights, or modify alert data. categories: enrichment: false + reasoning: >- + The action executes a query to search GreyNoise data and returns the results. + It does not perform enrichment on specific entities, nor does it modify any + internal or external data. Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -102,6 +110,9 @@ Execute GNQL Query: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. It takes a query string as input + and returns search results from the GreyNoise API. Get CVE Details: action_product_categories: add_alert_comment: false @@ -117,6 +128,11 @@ Get CVE Details: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves threat intelligence (CVSS, EPSS, threat activity) for CVE + indicators and updates the entity profile. This directly matches the 'Enrich + IOC' category. It does not perform any other actions such as ticket creation, + alert updates, or containment. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -131,42 +147,29 @@ Get CVE Details: update_email: false update_identity: false update_ticket: false - ai_description: >- - Enriches CVE entities using GreyNoise intelligence to provide deep context on - vulnerabilities and active exploitation. This action retrieves critical data points - including CVSS scores, EPSS (Exploit Prediction Scoring System) scores, CISA KEV - (Known Exploited Vulnerabilities) status, and real-time threat activity counts. - It helps analysts prioritize vulnerabilities by identifying which ones are being - actively exploited in the wild. - - - ### Parameters Description - - There are no specific action parameters for this action. It automatically processes - all CVE entities present in the current context using the integration's global - API key. - - - ### Flow Description - - 1. **Entity Identification**: The action scans the current case for entities of - type CVE. - - 2. **Format Validation**: Each CVE identifier is validated against the standard - format (CVE-YYYY-NNNN). - - 3. **GreyNoise Lookup**: For each valid CVE, the action queries the GreyNoise - API to retrieve vulnerability details and exploitation intelligence. - - 4. **Data Enrichment**: The retrieved data (CVSS, EPSS, description, etc.) is - mapped to entity attributes prefixed with `GN_`. - - 5. **Insight Generation**: A detailed HTML insight is generated for each CVE, - featuring color-coded severity levels, exploit availability badges, and active - threat IP counts. - - 6. **Internal Update**: The action updates the CVE entities in Google SecOps with - the new enrichment data and attaches the generated insights to the case wall. + ai_description: "### General Description\nThis action enriches CVE (Common Vulnerabilities\ + \ and Exposures) entities by retrieving threat intelligence from the GreyNoise\ + \ API. It fetches critical vulnerability data, including CVSS scores, EPSS scores,\ + \ and active threat activity, to provide analysts with context regarding the exploitability\ + \ and prevalence of the vulnerability. The action updates the entity's properties\ + \ within the SOAR platform and generates a detailed HTML insight for quick reference.\n\ + \n### Flow Description\n1. **Initialization**: The action initializes the GreyNoise\ + \ API manager using the configured API key.\n2. **Entity Retrieval**: It identifies\ + \ all CVE-type entities associated with the current case.\n3. **Validation**:\ + \ For each CVE entity, the action validates the identifier format (CVE-YYYY-NNNN).\n\ + 4. **Data Fetching**: It queries the GreyNoise API to retrieve detailed vulnerability\ + \ information.\n5. **Enrichment**: \n * Updates the entity's `additional_properties`\ + \ with retrieved data (e.g., `GN_CVSS_Score`, `GN_EPSS_Score`, `GN_Exploit_Found`).\n\ + \ * Marks the entity as enriched.\n6. **Insight Generation**: Creates an HTML-formatted\ + \ insight containing the vulnerability assessment and adds it to the entity.\n\ + 7. **Finalization**: Updates the entities in the SOAR platform and adds the raw\ + \ result data to the action output.\n\n### Parameters Description\n| Parameter\ + \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| GN API\ + \ Key | String | Yes | The API key used to authenticate with the GreyNoise service.\ + \ |\n\n### Additional Notes\n* The action requires at least one CVE entity to\ + \ be present in the case to execute successfully.\n* If no data is found for a\ + \ specific CVE in the GreyNoise dataset, the entity will not be enriched, and\ + \ the action will log the event." capabilities: can_create_case_comments: false can_create_insight: true @@ -177,10 +180,19 @@ Get CVE Details: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates CVE entities with enrichment attributes (CVSS, EPSS, threat counts) - and creates detailed HTML insights within the Google SecOps case. + Updates entity properties and adds insights to the entity within the SOAR platform. + reasoning: >- + The action fetches data from the GreyNoise API (fetches_data=true). It does + not perform any external mutations (can_mutate_external_data=false). It performs + internal mutations by updating entity properties and adding insights to the + SOAR platform (can_mutate_internal_data=true, can_update_entities=true, can_create_insight=true). categories: enrichment: true + reasoning: >- + The action is designed to fetch threat intelligence for CVE entities and update + their internal representation (properties and insights). It does not mutate + external systems or perform unauthorized internal modifications. Therefore, + it qualifies as an enrichment action. entity_usage: entity_types: - CVE @@ -197,6 +209,10 @@ Get CVE Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code explicitly filters `siemplify.target_entities` for entities of type + `EntityTypes.CVE`. It does not filter by other attributes like creation time + or modification time. IP Lookup: action_product_categories: add_alert_comment: false @@ -212,6 +228,10 @@ IP Lookup: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves reputation, classification, and threat intelligence for + IP addresses from GreyNoise. This directly matches the 'Enrich IOC' category. + It does not perform any containment, ticketing, or alert modification actions. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -226,32 +246,27 @@ IP Lookup: update_email: false update_identity: false update_ticket: false - ai_description: "Enriches IP Address entities using GreyNoise intelligence to provide\ - \ comprehensive context on internet-wide scanning activity and business service\ - \ associations. The action identifies whether an IP is a known scanner, its classification\ - \ (benign, suspicious, or malicious), associated threat actors, and any related\ - \ CVEs. It automatically adapts its execution logic based on the API key tier\ - \ (Community vs. Enterprise), utilizing batch lookups for Enterprise users to\ - \ optimize performance.\n\n### Flow Description:\n1. **Entity Identification:**\ - \ Filters the target entities to identify all IP Address (ADDRESS) entities within\ - \ the current context.\n2. **Tier Detection:** Checks the provided GreyNoise API\ - \ key to determine if it belongs to the Community or Enterprise tier.\n3. **Data\ - \ Retrieval:** \n * For **Enterprise** keys: Performs a batch lookup for all\ - \ identified IPs simultaneously.\n * For **Community** keys: Performs individual\ - \ lookups for each IP.\n4. **Enrichment & Classification:** Processes the API\ - \ response to extract classification, actor names, tags, and CVE data. It updates\ - \ the entity's suspicious status if the classification is 'suspicious' or 'malicious'.\n\ - 5. **Internal Updates:** Populates the entity's additional properties with GreyNoise\ - \ metadata (prefixed with `GN_`) and marks the entity as enriched.\n6. **Insight\ - \ Generation:** Creates a detailed HTML insight for each successfully processed\ - \ IP, providing a visual summary of the intelligence gathered.\n\n### Parameters\ - \ Description:\n| Parameter | Type | Mandatory | Description |\n| :--- | :---\ - \ | :--- | :--- |\n| GN API Key | String | Yes | The API key used to authenticate\ - \ with GreyNoise services. This is configured at the integration level. |\n\n\ - ### Additional Notes:\n* This action is strictly read-only regarding external\ - \ systems and is classified as an enrichment action.\n* If no IP Address entities\ - \ are found, the action will complete successfully with a message indicating no\ - \ entities were processed." + ai_description: "### General Description\nThis action performs comprehensive IP\ + \ enrichment using the GreyNoise API. It retrieves threat intelligence, including\ + \ classification, actor information, tags, CVEs, and business service intelligence\ + \ for IP Address entities. The action supports both Community and Enterprise API\ + \ tiers, automatically adjusting the lookup method (individual vs. batch) based\ + \ on the API key provided.\n\n### Parameters\n| Parameter | Type | Mandatory |\ + \ Description |\n| :--- | :--- | :--- | :--- |\n| GN API Key | String | Yes |\ + \ The API key used to authenticate with the GreyNoise service. |\n\n### Flow Description\n\ + 1. **Initialization**: The action initializes the `APIManager` using the provided\ + \ API key and determines the API tier (Community or Enterprise).\n2. **Entity\ + \ Identification**: It retrieves all IP Address entities from the current case.\n\ + 3. **Data Retrieval**: \n - If using the **Community tier**, it processes IPs\ + \ individually.\n - If using the **Enterprise tier**, it performs a batch lookup\ + \ for efficiency.\n4. **Enrichment**: For each IP found in the GreyNoise dataset,\ + \ the action:\n - Updates the entity's `additional_properties` with retrieved\ + \ intelligence (e.g., classification, actor, tags).\n - Sets the `is_enriched`\ + \ flag to true.\n - Updates the `is_suspicious` status based on the classification\ + \ (e.g., 'malicious' or 'suspicious').\n - Generates an HTML insight containing\ + \ the detailed intelligence and adds it to the entity.\n5. **Result Reporting**:\ + \ The action updates the entities in the case and attaches the full JSON response\ + \ to the action results." capabilities: can_create_case_comments: false can_create_insight: true @@ -262,10 +277,21 @@ IP Lookup: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity attributes with GreyNoise intelligence (classification, actor, - tags, CVEs) and creates detailed entity insights. + Updates entity properties (is_enriched, is_suspicious, additional_properties) + and adds entity insights within Google SecOps. + reasoning: >- + The action fetches threat intelligence data from the GreyNoise API (fetches_data=true). + It does not perform any actions that change the state of external systems (can_mutate_external_data=false). + It updates internal entity data (is_enriched, is_suspicious, additional_properties) + and creates entity insights (can_mutate_internal_data=true, can_update_entities=true, + can_create_insight=true). categories: enrichment: true + reasoning: >- + The action is designed to fetch supplemental context (threat intelligence) for + IP entities. It does not mutate external systems and only performs allowed internal + mutations (updating entities and creating insights). Therefore, it qualifies + as an enrichment action. entity_usage: entity_types: - ADDRESS @@ -282,6 +308,9 @@ IP Lookup: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action explicitly filters target entities using `get_ip_entities`, which + selects only entities of type `ADDRESS` (EntityTypes.ADDRESS). IP Timeline Lookup: action_product_categories: add_alert_comment: false @@ -297,6 +326,10 @@ IP Timeline Lookup: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves threat intelligence (timeline data) for an IP address, + which matches the 'Enrich IOC' category. It does not perform any other actions + like ticketing, blocking, or alert management. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -312,59 +345,56 @@ IP Timeline Lookup: update_identity: false update_ticket: false ai_description: >- - Retrieves the historical activity timeline for IP Address entities from GreyNoise, - providing visibility into how an IP's behavior and classification have changed - over time. This action allows analysts to visualize trends in scanning activity, - port usage, or tag associations. + ### General Description + This action retrieves the activity timeline for IP addresses from the GreyNoise + platform. It provides visibility into how an IP address's classification or other + fields have changed over a specified period, helping analysts understand the historical + behavior of an indicator. - ### Flow Description: - 1. **Parameter Initialization:** Extracts the 'Days', 'Field', and 'Granularity' - parameters from the action configuration and validates that 'Days' is a positive - integer. + ### Flow Description - 2. **Entity Filtering:** Identifies all IP Address entities within the current - context. + 1. **Parameter Extraction**: The action extracts the `Days`, `Field`, and `Granularity` + parameters from the configuration. - 3. **External Lookup:** For each IP, it queries the GreyNoise Timeline API using - the specified field (e.g., classification, tag_ids) and time range. + 2. **Validation**: It validates that the `Days` parameter is a positive integer. - 4. **Metadata Enrichment:** If the 'Field' is set to 'tag_ids', the action performs - additional lookups to fetch descriptive metadata for each tag identified in the - timeline. + 3. **Entity Retrieval**: It identifies all `ADDRESS` type entities within the + current case. - 5. **Internal Updates:** Enriches the SOAR entities with the retrieved timeline - data and marks them as enriched. + 4. **API Interaction**: For each IP entity, it queries the GreyNoise API to fetch + the activity timeline based on the provided parameters. - 6. **Insight Generation:** Creates a detailed HTML insight for each entity, featuring - a formatted timeline overview and links to the GreyNoise Visualizer. + 5. **Enrichment**: It updates the entity's `additional_properties` with the retrieved + timeline data (e.g., first seen, timeline field). + + 6. **Insight Generation**: It generates an HTML insight containing the timeline + data and attaches it to the entity. + + 7. **Entity Update**: It updates the entities in the case with the new enrichment + data and marks them as enriched. - ### Parameters Description: + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Field | DDL | No | The specific attribute to track over time. Options include: - destination_port, http_path, http_user_agent, source_asn, source_org, source_rdns, - tag_ids, or classification (default). | - - | Granularity | String | No | The time bucket size for the timeline. Supports - hours (e.g., 1h to 24h) or days (e.g., 1d to 90d). Default is '1d'. | + | Field | ddl | No | The field over which to show the activity breakdown (e.g., + classification, destination_port). Default is 'classification'. | - | Days | String | No | The total lookback period in days. Must be a positive integer. - Default is '30'. | + | Granularity | string | No | The granularity of activity date ranges. Can be + in hours (e.g., 'Xh') or days (e.g., 'Xd'). Default is '1d'. | + | Days | string | No | The number of days to show data for. Default is '30'. | - ### Additional Notes: - - This action is primarily used for historical context and trend analysis rather - than real-time reputation checks. + ### Additional Notes - - If 'tag_ids' is selected as the field, the action will automatically fetch tag - names and descriptions to provide more context in the insights. + This action is strictly for enrichment purposes and does not perform any blocking + or external system modifications. capabilities: can_create_case_comments: false can_create_insight: true @@ -375,10 +405,17 @@ IP Timeline Lookup: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with GreyNoise timeline data and creates - entity insights containing activity summaries. + Updates entity properties and adds insights to the entity within the SOAR platform. + reasoning: >- + The action fetches timeline data from the GreyNoise API for IP entities. It + updates the entities with this enrichment data and creates an HTML insight on + the entity. It does not mutate external systems. categories: enrichment: true + reasoning: >- + The action fetches data from an external source (GreyNoise) and updates internal + entities/insights without modifying external systems. This fits the definition + of an enrichment action. entity_usage: entity_types: - ADDRESS @@ -395,6 +432,9 @@ IP Timeline Lookup: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code uses `get_ip_entities` which filters `siemplify.target_entities` for + `EntityTypes.ADDRESS`. Ping: action_product_categories: add_alert_comment: false @@ -410,6 +450,10 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test ('Ping') and does not perform any of the defined + product category operations such as enrichment, ticketing, containment, or alert + modification. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -424,35 +468,24 @@ Ping: update_email: false update_identity: false update_ticket: false - ai_description: >- - Tests the connectivity to the GreyNoise API and validates the provided API key. - This action is primarily used to ensure that the integration is correctly configured - and that the SOAR platform can communicate with GreyNoise services. It checks - the validity of the API key and, for enterprise-tier keys, verifies that the key - has not expired. - - - ### Parameters - - There are no action-specific parameters for this action. It relies on the global - integration configuration (GN API Key). - - - ### Flow Description - - 1. **Initialization**: The action initializes the Siemplify context and retrieves - the GreyNoise API key from the integration's configuration settings. - - 2. **Connectivity Test**: It uses the GreyNoise API Manager to call the `test_connection` - endpoint of the GreyNoise API. - - 3. **Expiration Check**: If the connection is successful and the API key is not - a 'community' tier key, the action parses the expiration date from the response - and compares it against the current date to ensure the key is still valid. - - 4. **Result Handling**: The action captures any exceptions (such as rate limits - or request failures) and returns a success or failure message to the SOAR platform - along with the execution status. + ai_description: "### General Description\nThe Ping action is a diagnostic tool designed\ + \ to verify connectivity between the Google SecOps SOAR platform and the GreyNoise\ + \ API. It validates that the provided API key is authenticated and that the integration\ + \ can successfully communicate with the GreyNoise server. This action is typically\ + \ used to troubleshoot integration issues or confirm that the environment is correctly\ + \ configured before running more complex operations.\n\n### Parameters Description\n\ + | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ + | GN API Key | String | Yes | The API key used to authenticate requests to the\ + \ GreyNoise service. |\n\n### Flow Description\n1. **Initialization**: The action\ + \ initializes the `SiemplifyAction` and retrieves the `GN API Key` from the integration\ + \ configuration.\n2. **Connectivity Test**: It instantiates the `APIManager` and\ + \ invokes the `test_connectivity` method, which performs a request to the GreyNoise\ + \ API to validate the credentials.\n3. **Error Handling**: \n * If a `RateLimitError`\ + \ occurs, the action logs the error and returns a failure status.\n * If a\ + \ `RequestFailure` occurs, the action logs the failure and returns a failure status.\n\ + \ * Any other exceptions are caught, logged, and result in a failure status.\n\ + 4. **Completion**: The action logs the final status and terminates with a success\ + \ or failure message, providing immediate feedback on the connectivity state." capabilities: can_create_case_comments: false can_create_insight: false @@ -461,10 +494,19 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity test (Ping) against the GreyNoise API. It + does not fetch contextual data about entities, nor does it mutate any external + or internal systems. It is a diagnostic action used solely for verifying API + connectivity. categories: enrichment: false + reasoning: >- + The action is a connectivity test ('Ping'). Per the instructions, actions named + 'Ping' must not be categorized as enrichment actions. Furthermore, it does not + fetch data or modify state, failing the criteria for enrichment. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -480,6 +522,9 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. It is a global connectivity + test that does not require entity context. Quick IP Lookup: action_product_categories: add_alert_comment: false @@ -495,6 +540,11 @@ Quick IP Lookup: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves reputation, classification, and threat intelligence for + IP addresses from GreyNoise and updates the entity in the SOAR platform. This + aligns perfectly with the 'Enrich IOC' category. It does not perform any other + actions such as ticketing, blocking, or alert management. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -510,52 +560,46 @@ Quick IP Lookup: update_identity: false update_ticket: false ai_description: >- - Performs a lightweight IP classification lookup using the GreyNoise service to - identify internet scanners and business services. This action is designed for - high-speed enrichment of IP Address entities, providing immediate context on whether - an IP is known for 'noise' (mass scanning) or belongs to a trusted business service. - - - ### Flow Description - - 1. **Entity Extraction:** Identifies all IP Address entities within the current - alert or case context. - - 2. **GreyNoise Query:** Executes a bulk 'quick lookup' request to the GreyNoise - API for all identified IP addresses. - - 3. **Data Processing:** Iterates through the API responses to determine if GreyNoise - has data ('noise') for each IP. + ### General Description - 4. **Entity Enrichment:** For IPs found in the dataset, it updates the entity's - additional properties with trust levels and classifications. - - 5. **Risk Assessment:** Automatically marks entities as suspicious if GreyNoise - classifies them as 'malicious' or 'suspicious'. - - 6. **Insight Generation:** Creates and attaches a formatted HTML insight to each - enriched entity, providing a visual summary of the intelligence. - - 7. **Result Reporting:** Returns a comprehensive JSON object containing the lookup - results for all processed entities. + This action performs a lightweight IP classification lookup using the GreyNoise + API. It retrieves trust levels, internet scanner status, and business service + status for provided IP addresses. The action enriches the IP entities within the + SOAR platform by updating their properties, setting their suspicious status, and + generating visual insights for analysts. ### Parameters Description - | Parameter Name | Type | Mandatory | Description | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | None | N/A | N/A | This action does not require any input parameters beyond - the global integration configuration (API Key). | + | GN API Key | String | Yes | The API key used to authenticate with the GreyNoise + service. | - ### Additional Notes - - * This action specifically targets `ADDRESS` entities. + ### Flow Description - * It uses the GreyNoise 'quick' endpoint, which is optimized for performance and - provides a subset of the full IP context (classification and trust level). + 1. **Initialization**: The action initializes the GreyNoise API manager using + the provided API key. + + 2. **Entity Retrieval**: It identifies and filters all `ADDRESS` type entities + from the current case. + + 3. **Data Lookup**: It sends the list of IP addresses to the GreyNoise API to + perform a quick lookup. + + 4. **Processing**: For each IP address found in the GreyNoise dataset: + * It updates the entity's `additional_properties` with enrichment data (e.g., + classification, trust level). + * It sets the entity's `is_enriched` flag to `True`. + * It evaluates the classification to determine if the entity should be marked + as `is_suspicious`. + * It generates an HTML insight summarizing the IP intelligence and adds it + to the entity. + 5. **Update**: The action updates the enriched entities within the SOAR platform + and returns the results as a JSON object. capabilities: can_create_case_comments: false can_create_insight: true @@ -566,11 +610,20 @@ Quick IP Lookup: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with GreyNoise metadata, sets the entity's - suspicious status based on classification, and adds HTML insights to the entity - context. + Updates entity properties and adds insights to entities within the SOAR platform. + reasoning: >- + The action fetches threat intelligence data from the GreyNoise API (fetches_data=true). + It does not perform any actions that change the state of external systems (can_mutate_external_data=false). + It performs internal mutations by updating entity properties and adding insights + to entities within the SOAR platform (can_mutate_internal_data=true, can_update_entities=true, + can_create_insight=true). categories: enrichment: true + reasoning: >- + The action is an enrichment action because it fetches data from an external + source (GreyNoise) to provide context on IP entities. It does not mutate external + systems. It performs allowed internal mutations (updating entities and creating + insights). entity_usage: entity_types: - ADDRESS @@ -587,3 +640,6 @@ Quick IP Lookup: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action uses the `get_ip_entities` utility, which filters `siemplify.target_entities` + to include only those with `entity_type == EntityTypes.ADDRESS`. diff --git a/content/response_integrations/third_party/partner/grey_noise/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/partner/grey_noise/resources/ai/connectors_ai_description.yaml index b329f6190..fdb39173a 100644 --- a/content/response_integrations/third_party/partner/grey_noise/resources/ai/connectors_ai_description.yaml +++ b/content/response_integrations/third_party/partner/grey_noise/resources/ai/connectors_ai_description.yaml @@ -2,12 +2,11 @@ Generate Alert from GreyNoise GNQL: ai_description: >- ### General Description - This connector retrieves threat intelligence data from GreyNoise using GreyNoise - Query Language (GNQL) and generates security alerts in Google SecOps. It allows - security teams to monitor for specific IP behaviors, classifications (malicious, - suspicious, benign), or actors seen across the internet. Each unique IP matching - the query criteria is ingested as an alert, providing enriched context such as - actor names, associated CVEs, and VPN/TOR status. + This connector integrates with GreyNoise to automatically fetch threat intelligence + data based on GNQL (GreyNoise Query Language) queries. It identifies malicious, + suspicious, benign, or unknown IP addresses and generates corresponding security + alerts within Google SecOps SOAR, enabling proactive threat monitoring and automated + incident response. ### Parameters Description @@ -16,47 +15,42 @@ Generate Alert from GreyNoise GNQL: | :--- | :--- | :--- | :--- | - | GN API Key | Password | Yes | The API key used to authenticate with GreyNoise - services. | - - | Query | String | Yes | The GNQL query to execute (e.g., `last_seen:1d`). If - left empty, it defaults to `last_seen:1d`. | + | GN API Key | Password | Yes | The API key used to authenticate with the GreyNoise + service. | | Max Results | Integer | No | The maximum number of results to fetch in a single - execution. Default is 100. | + execution. | + + | Query | String | Yes | The GNQL query string used to filter the data to be fetched. + | | DeviceProductField | String | Yes | The field name used to determine the device - product in the SOAR. Default is 'GreyNoise'. | + product in the generated alert. | | EventClassId | String | Yes | The field name used to determine the event name (sub-type). | - | PythonProcessTimeout | Integer | Yes | The timeout limit (in seconds) for the - python process running the script. Default is 1200. | + | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the + Python process running the script. | ### Flow Description - 1. **Initialization**: The connector initializes the GreyNoise API client using - the provided API Key and retrieves previously processed event IDs from the local - state to prevent duplicate alerts. + 1. The connector initializes and retrieves configuration parameters, including + the API key and the GNQL query. - 2. **Query Execution**: It executes the configured GNQL query against the GreyNoise - API to find matching IP indicators. + 2. It reads existing event IDs from the system to perform deduplication and prevent + redundant alert creation. - 3. **Pagination & Fetching**: The connector iterates through the results, supporting - pagination via scroll tokens until the `Max Results` limit is reached or all available - data is fetched. + 3. It connects to the GreyNoise API and executes the specified GNQL query to retrieve + relevant IP intelligence data. - 4. **Deduplication**: Each result is checked against the list of already processed - event IDs (a unique combination of IP and timestamp). + 4. For each retrieved event, the connector maps the data to a standard SOAR AlertInfo + object, including severity, timestamps, and environment details. - 5. **Alert Mapping**: Matching IP records are transformed into SOAR Alert objects. - Severity is dynamically assigned based on GreyNoise classification: 'Malicious' - maps to High, 'Suspicious' to Medium, and 'Benign' or 'Unknown' to Low. + 5. It filters out duplicate events and checks for system overflow limits. - 6. **Ingestion**: The connector performs an overflow check and then ingests the - unique alerts into the system. + 6. Valid alerts are ingested into Google SecOps SOAR as new cases. - 7. **State Persistence**: Processed IDs are saved back to the system to ensure - they are skipped in subsequent runs. + 7. Finally, the connector updates the stored event IDs to ensure future runs only + process new data. diff --git a/content/response_integrations/third_party/partner/grey_noise/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/grey_noise/resources/ai/integration_ai_description.yaml index ac8e64b44..74081366b 100644 --- a/content/response_integrations/third_party/partner/grey_noise/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/partner/grey_noise/resources/ai/integration_ai_description.yaml @@ -7,6 +7,19 @@ product_categories: iam_and_identity_management: false itsm: false network_security: false + reasoning: >- + The integration is primarily focused on providing threat intelligence and vulnerability + context. The 'Threat Intelligence' category is applicable because the integration + provides extensive enrichment for IP addresses (reputation, classification, actor + information, and historical timelines) via actions like 'IP Lookup' and 'Quick + IP Lookup'. The 'Vulnerability Management' category is applicable because the + 'Get CVE Details' action retrieves critical vulnerability data, including CVSS + and EPSS scores, which helps analysts assess the exploitability of vulnerabilities. + The integration does not fit the 'SIEM' category because, while it generates alerts + via a connector, it does so based on external threat intelligence data rather + than querying internal logs or assets. It does not perform EDR, Network Security + (blocking), Email Security, IAM, Cloud Security, ITSM, Asset Inventory, or Collaboration + functions. siem: false threat_intelligence: true vulnerability_management: true diff --git a/content/response_integrations/third_party/partner/group_ib_ti/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/group_ib_ti/resources/ai/actions_ai_description.yaml index ebb13ef88..2c862bf76 100644 --- a/content/response_integrations/third_party/partner/group_ib_ti/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/group_ib_ti/resources/ai/actions_ai_description.yaml @@ -13,12 +13,16 @@ Get-Collection-Info-Async: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves threat intelligence collections from an external API. It + does not match any of the provided categories (e.g., it does not enrich specific + IOCs, update alerts, or perform containment). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false search_asset: false search_email: false - search_events: true + search_events: false send_email: false send_message: false submit_file: false @@ -28,62 +32,46 @@ Get-Collection-Info-Async: update_identity: false update_ticket: false ai_description: >- - Retrieves threat intelligence data from specific Group-IB TI collections. This - action is designed to fetch updates from the TI portal, utilizing a sequence-based - tracking system (timestamps) to ensure only new data is ingested in subsequent - runs. It operates independently of SecOps entities, making it suitable for scheduled - playbooks that sync threat intelligence feeds into the platform. - - - ### Parameters Description - - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Enable mapping parser | boolean | No | If enabled, the action will parse the - raw API response using predefined mapping keys for the collection to provide a - structured output. | + Extracts threat intelligence data from the Group-IB TI database. This action retrieves + specific collections of threat data (e.g., APT threats, malware, phishing kits) + based on a sequence update number or a provided start date. It does not operate + on specific entities. - | Collection | ddl | Yes | The specific Group-IB TI collection to download (e.g., - apt/threat, malware/cnc, compromised/account_group). | - | Start date | string | No | The date (YYYY-MM-DD) to begin fetching data from - if no previous checkpoint (timestamp) exists. | + ### Flow Description - | Portion limit | ddl | Yes | The maximum number of data portions to retrieve - from the API in a single execution run. | + 1. Initialize the Group-IB connector and poller. + 2. Determine the starting sequence update number, either by fetching the last + timestamp from storage or using the provided 'Start date'. - ### Additional Notes + 3. Create a data generator to fetch portions of the requested collection from + the Group-IB TI API. - - This action ignores any input entities and uses the input entity only as a start - trigger. + 4. Iterate through the data portions, optionally applying a mapping parser if + enabled. - - It uses internal storage via `fetch_timestamp` to track the last retrieved sequence - number, allowing for incremental updates and preventing duplicate data ingestion. + 5. Aggregate the parsed or raw data into a JSON result and add it to the action + output. - ### Flow Description + ### Parameters - 1. **Initialization**: The action initializes and extracts user-defined parameters - including the target collection, portion limits, and parsing preferences. + | Parameter | Type | Mandatory | Description | - 2. **Checkpoint Retrieval**: It checks for a stored sequence update number (timestamp) - from a previous execution to determine the starting point for the fetch. + | :--- | :--- | :--- | :--- | - 3. **Fallback Logic**: If no previous timestamp is found, it calculates a starting - sequence number based on the provided 'Start date' or defaults to one day ago. + | Enable mapping parser | boolean | No | If enabled, parses the raw data using + predefined mapping keys. Defaults to false. | - 4. **API Connection**: Establishes a connection to the Group-IB TI API and initializes - a data generator for the selected collection. + | Collection | ddl | Yes | The specific Group-IB TI collection to download (e.g., + apt/threat, malware/malware). | - 5. **Data Ingestion**: Fetches data in portions, optionally applying a mapping - parser to transform raw API items into standardized JSON objects. + | Start date | string | No | The date to start downloading collection data from + (format: YYYY-MM-DD). | - 6. **Result Aggregation**: Aggregates all retrieved items into a single JSON result - and completes the task. + | Portion limit | ddl | Yes | Controls the number of data portions returned from + the API. Defaults to 100. | capabilities: can_create_case_comments: false can_create_insight: false @@ -94,8 +82,17 @@ Get-Collection-Info-Async: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches threat intelligence data from the Group-IB TI API (fetches_data=true). + It does not perform any write operations to external systems (can_mutate_external_data=false). + It does not modify internal SOAR data, update entities, create insights, or + add case comments (all mutation flags=false). categories: enrichment: false + reasoning: >- + While the action fetches data, it does not perform enrichment on specific entities + or alerts. It is a data retrieval action for threat intelligence feeds, not + an enrichment action as defined by the criteria. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -111,6 +108,9 @@ Get-Collection-Info-Async: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action explicitly ignores any entities provided in the context, as stated + in the description and confirmed by the code which does not iterate over target_entities. Get-Graph-Info: action_product_categories: add_alert_comment: false @@ -126,6 +126,10 @@ Get-Graph-Info: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves threat intelligence (graph information) for indicators + (IPs and Domains). This directly aligns with the 'Enrich IOC' category. It does + not perform any other operations such as ticketing, blocking, or alert management. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -141,38 +145,34 @@ Get-Graph-Info: update_identity: false update_ticket: false ai_description: >- - ### General Description - - Retrieves WHOIS and relationship graph information for IP and Domain entities - from Group-IB Threat Intelligence. This action helps analysts understand the infrastructure, - ownership details, and potential connections associated with network indicators - by querying the Group-IB TI Graph API. + Retrieves WHOIS and graph information for IP addresses and domains using the Group-IB + Threat Intelligence service. This action provides contextual intelligence to help + analysts understand the relationships and background of specific indicators. - ### Parameters + ### Flow Description - There are no parameters for this action. + 1. **Initialization**: The action initializes the Group-IB connector to establish + a connection with the Threat Intelligence API. + 2. **Entity Gathering**: It retrieves all target entities from the current case. - ### Flow Description + 3. **Validation**: Each entity is validated to ensure it is either an IP address + or a domain. Unsupported entity types are skipped. - 1. **Initialization**: The action initializes the Group-IB TI poller using the - integration's configuration (API login, key, and URL). + 4. **Data Retrieval**: For each valid entity, the action queries the Group-IB + API (`utils/graph/{type}`) to fetch relevant graph information. - 2. **Entity Identification**: It identifies all entities associated with the current - context. + 5. **Result Aggregation**: The retrieved data is aggregated into a JSON object. - 3. **Filtering**: The action filters the entities, processing only those identified - as IP addresses or Domains (using an internal validator). + 6. **Output**: The final JSON result is attached to the action, making it available + for the playbook and the analyst. - 4. **Data Retrieval**: For each valid entity, it sends a request to the Group-IB - TI Graph API endpoint (`utils/graph/{type}`) to fetch WHOIS and connectivity data. - 5. **Result Aggregation**: The API responses are collected and formatted into - a structured JSON result object. + ### Parameters - 6. **Completion**: The aggregated JSON is attached to the action output, and the - action completes with a success status. + There are no specific input parameters for this action; it relies on the integration's + configured API credentials and the entities present in the case. capabilities: can_create_case_comments: false can_create_insight: false @@ -183,8 +183,18 @@ Get-Graph-Info: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to an external API (Group-IB) to retrieve + threat intelligence data. It does not perform any POST/PUT/DELETE operations + on external systems, nor does it modify internal case data (such as updating + entities, creating insights, or adding case comments). It only attaches the + retrieved data to the action result. categories: enrichment: true + reasoning: >- + The action is designed to fetch supplemental context (graph info) for entities. + It does not mutate external systems, nor does it perform any restricted internal + mutations. It meets all criteria for an enrichment action. entity_usage: entity_types: - ADDRESS @@ -202,6 +212,10 @@ Get-Graph-Info: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and filters them using `EntityValidator` + to ensure only 'ip' and 'domain' types are processed. These map to 'ADDRESS' + and 'DOMAIN' entity types in the SecOps platform. Get-TI-Search-Info: action_product_categories: add_alert_comment: false @@ -213,10 +227,15 @@ Get-TI-Search-Info: disable_identity: false download_file: false enable_identity: false - enrich_asset: true + enrich_asset: false enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action queries the Group-IB TI database for indicators (IPs, Hashes, Domains, + etc.) and returns the findings. This is a classic Enrichment IOC action. It + does not perform any other operations like ticket creation, alert updates, or + containment. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -232,61 +251,50 @@ Get-TI-Search-Info: update_identity: false update_ticket: false ai_description: >- - Searches the Group-IB Threat Intelligence (TI) database for comprehensive information - regarding various entity types, including Domains, IP Addresses, File Hashes, - Bank Cards, and Email addresses. This action acts as a global search tool that - identifies which TI collections contain data about the target entities and then - retrieves the specific records from those collections. - + Searches the Group-IB Threat Intelligence database for information related to + entities found in the case. This action identifies the type of each entity (e.g., + IP, Domain, Hash, Email, Credit Card) and queries the Group-IB TI platform to + retrieve relevant threat intelligence, such as associated threat actors, malware, + or malicious activity. The retrieved data is then returned as a JSON result for + further analysis. - ### Parameters Description - - - | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + ### Flow Description - | Enable mapping parser | Boolean | No | Determines whether the action should - parse the retrieved TI data using predefined mapping keys (`true`) or return the - raw data items (`false`). Default is `false`. | + 1. **Initialization**: The action initializes the `SiemplifyAction` and the `GIBConnector` + to interact with the Group-IB TI API. + 2. **Entity Gathering**: It retrieves all entities from the current case. - ### Flow Description + 3. **Entity Validation**: For each entity, it uses an `EntityValidator` to determine + the entity type (e.g., IP, Domain, Hash). + 4. **Data Retrieval**: It performs a global search for each entity in the Group-IB + TI database to identify relevant collections. - 1. **Initialize Connection**: Sets up the Group-IB TI poller using the integration's - API credentials (Login, Key, and URL). + 5. **Data Extraction**: It iterates through the identified collections, queries + the data, and optionally parses it using a mapping parser if enabled. - 2. **Entity Processing**: Iterates through all entities associated with the current - context. + 6. **Result Output**: The aggregated data is added to the action result as a JSON + object. - 3. **Type Validation**: For each entity, it uses a validator to determine if the - identifier corresponds to a supported type (Domain, IP, Hash, Email, or Credit - Card). It also handles URLs by extracting the host domain or IP. - 4. **Discovery**: Executes a global search for each valid entity to discover which - specific TI collections (e.g., `apt/threat`, `malware/cnc`, `compromised/bank_card_group`) - contain relevant information. + ### Parameters - 5. **Data Extraction**: For each discovered collection, it queries the Group-IB - database to retrieve detailed records, applying a limit of 3000 items per collection. + | Parameter | Type | Mandatory | Description | - 6. **Formatting**: If the "Enable mapping parser" parameter is enabled, it transforms - the raw API response into a structured format based on internal mapping configurations. + | :--- | :--- | :--- | :--- | - 7. **Output**: Aggregates all findings into a comprehensive JSON object, organized - by collection name, and returns it as the action's result. + | Enable mapping parser | boolean | No | If set to true, the action parses the + retrieved data using predefined mapping keys. If false, it collects raw dictionary + items. Defaults to false. | ### Additional Notes - - - The action includes built-in rate limiting (1-second sleeps) between API calls - to ensure stability. - - - This action is primarily used for data gathering; it does not automatically - update entity attributes or create insights within the platform. The retrieved - data is intended for use by subsequent playbook steps via the `JsonResult`. + This action does not modify any data within the case or external systems; it is + strictly an enrichment action that retrieves and displays threat intelligence + data. capabilities: can_create_case_comments: false can_create_insight: false @@ -297,8 +305,17 @@ Get-TI-Search-Info: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET-like operation to search the Group-IB TI database + for threat intelligence. It does not modify any external systems (no POST/PUT/DELETE). + It does not modify internal SOAR case data (no entity updates, insights, or + comments). It simply returns the retrieved data as a JSON result. categories: enrichment: true + reasoning: >- + The action is designed to fetch threat intelligence data for indicators (enrichment). + It does not mutate external systems or internal case data. It meets all criteria + for an enrichment action. entity_usage: entity_types: - ADDRESS @@ -341,7 +358,7 @@ Get-TI-Search-Info: filters_by_case_identifier: false filters_by_creation_time: false filters_by_entity_type: false - filters_by_identifier: true + filters_by_identifier: false filters_by_is_artifact: false filters_by_is_enriched: false filters_by_is_internal: false @@ -349,6 +366,11 @@ Get-TI-Search-Info: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over all `target_entities` provided in the case. It uses + an `EntityValidator` to determine the type of each entity and only processes + those it recognizes (IP, Domain, Hash, Email, Card). Since it does not filter + the input list before processing, it is considered to support all entity types. Get-TI-Search-Info-By-Collection: action_product_categories: add_alert_comment: false @@ -364,6 +386,11 @@ Get-TI-Search-Info-By-Collection: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves threat intelligence (reputation, prevalence, metadata) + for indicators like IPs, domains, and hashes. This directly matches the 'Enrich + IOC' category. It does not perform any other actions like ticketing, containment, + or alert updates. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -379,62 +406,59 @@ Get-TI-Search-Info-By-Collection: update_identity: false update_ticket: false ai_description: >- - Searches the Group-IB Threat Intelligence (TI) database for information related - to specific entities within a chosen collection. This action allows analysts to - retrieve deep contextual data on indicators such as IPs, Domains, Hashes, URLs, - Emails, and Credit Cards by querying specialized Group-IB collections (e.g., APT - threats, malware configs, compromised accounts). It supports optional data mapping - to transform raw API responses into a structured format and allows for targeted - searches using specific tags. + ### General Description + This action searches for threat intelligence information in the Group-IB TI database + for entities provided in the case. It allows analysts to query specific collections + (e.g., APT threats, malware, phishing) to retrieve contextual data, indicators, + and metadata associated with the provided entities. - ### Parameters - | Parameter | Type | Mandatory | Description | + ### Flow Description - | :--- | :--- | :--- | :--- | + 1. **Initialization**: The action initializes the Group-IB TI poller using the + provided API credentials and configuration. - | Collection | DDL | Yes | The specific Group-IB TI collection to search within - (e.g., `apt/threat`, `malware/cnc`, `compromised/account_group`). | + 2. **Parameter Extraction**: It extracts the required `Collection` parameter, + the optional `Enable mapping parser` flag, and the optional `Search tag`. - | Enable mapping parser | Boolean | No | If enabled, the action will parse the - raw API response using predefined mapping keys to provide a more structured output. - Default is `false`. | + 3. **Entity Processing**: The action iterates through all target entities in the + case. It uses an `EntityValidator` to identify the type of each entity (e.g., + IP, Domain, Hash, URL, Email, Credit Card). - | Search tag | String | No | Allows for targeted field searches. If provided, - the query is formatted as `tag:entity` (e.g., `domain:google.com`). If empty, - a general search is performed. | + 4. **Query Construction**: For each entity, it constructs a search query. If a + `Search tag` is provided, it prefixes the query (e.g., `domain:example.com`); + otherwise, it uses the entity identifier directly. + 5. **Data Retrieval**: It queries the Group-IB TI API for the selected collection + using the constructed query. - ### Additional Notes + 6. **Result Processing**: The retrieved data is parsed (if the mapping parser + is enabled) and added to the action's result JSON, which is then returned to the + SOAR platform. - - The action automatically detects the entity type (IP, Domain, Hash, etc.) from - the entity identifier to optimize the search query. - - The `Enable mapping parser` parameter is treated as a string comparison in the - logic; ensure the boolean value is passed correctly from the playbook. + ### Parameters Description + | Parameter | Type | Mandatory | Description | - ### Flow Description + | :--- | :--- | :--- | :--- | - 1. **Initialization**: Retrieves the user-defined parameters: `Collection`, `Enable - mapping parser`, and `Search tag`. + | `Collection` | DDL | Yes | The specific threat intelligence collection to query + (e.g., `apt/threat`, `malware/malware`). | - 2. **Entity Processing**: Iterates through the target entities in the case and - uses an internal validator to determine their specific type (e.g., converting - a URL to its underlying domain or IP). + | `Enable mapping parser` | Boolean | No | If set to true, the action uses a mapping + parser to format the output data. Defaults to false. | - 3. **Query Construction**: For each valid entity, constructs a search query. If - a `Search tag` is provided, it prefixes the entity identifier with the tag. + | `Search tag` | String | No | An optional tag to prefix the search query (e.g., + `domain`). If provided, the query format becomes `tag:entity`. | - 4. **API Interaction**: Calls the Group-IB TI API using a poller to search the - specified `Collection` with the constructed query, limited to 3000 results. - 5. **Data Parsing**: Depending on the `Enable mapping parser` setting, either - parses the results into a structured format or retrieves the raw JSON items. + ### Additional Notes - 6. **Output**: Aggregates all findings and attaches them to the action result - as a JSON object. + This action does not modify any external systems or internal case data; it is + strictly an enrichment/search action. It supports a wide variety of entity types, + which are automatically detected and processed. capabilities: can_create_case_comments: false can_create_insight: false @@ -445,21 +469,31 @@ Get-TI-Search-Info-By-Collection: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Group-IB TI API to retrieve threat + intelligence data based on the provided entities. It does not perform any write + operations to external systems (no mutation) and does not modify internal SOAR + case data (no internal mutation). It simply returns the retrieved data as a + result JSON. categories: enrichment: true + reasoning: >- + The action is designed to fetch supplemental context (threat intelligence) about + entities from an external source (Group-IB TI). It does not mutate external + state or internal SOAR data. Therefore, it qualifies as an enrichment action. entity_usage: entity_types: - ADDRESS + - CREDITCARD - DOMAIN - - FILEHASH - DestinationURL + - FILEHASH - USERUNIQNAME - - CREDITCARD filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false filters_by_creation_time: false - filters_by_entity_type: true + filters_by_entity_type: false filters_by_identifier: false filters_by_is_artifact: false filters_by_is_enriched: false @@ -468,6 +502,12 @@ Get-TI-Search-Info-By-Collection: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over `siemplify.target_entities` and uses an `EntityValidator` + to determine the type of each entity. It supports multiple entity types including + IP addresses, domains, file hashes, URLs, emails, and credit cards. It does + not apply specific filters on the entities themselves (like is_internal or is_suspicious) + before processing them. Ping: action_product_categories: add_alert_comment: false @@ -483,6 +523,10 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test (Ping) that retrieves a list of collections. + It does not perform any of the listed operational tasks (enrichment, containment, + ticketing, etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -500,45 +544,30 @@ Ping: ai_description: >- ### General Description - Tests connectivity to the Group-IB Threat Intelligence API and retrieves a list - of available data collections based on the user's subscription. This action is - used to verify that the integration is correctly configured and to identify which - threat intelligence feeds are accessible to the current account. + Tests connectivity to the Group-IB Threat Intelligence API and retrieves available + collections based on the subscription. This action verifies that the integration + is correctly configured and can communicate with the external service. ### Parameters Description - | Parameter | Description | Expected Type | Mandatory | - - | :--- | :--- | :--- | :--- | - - | N/A | This action does not take any input parameters. | N/A | N/A | + There are no parameters for this action. ### Additional Notes - - This action relies solely on the integration's global configuration parameters - (API Login, API Key, and API URL). - - - The output includes a JSON object containing the available collections, which - helps analysts understand the scope of data available for enrichment and automated - connectors. + None. ### Flow Description - 1. **Initialize Connection**: The action retrieves the API Login, API Key, and - API URL from the integration configuration. + 1. Initialize the `SiemplifyAction` and `GIBConnector`. - 2. **Request Collections**: It sends a GET request to the Group-IB `user/granted_collections` - endpoint. + 2. Send a request to the `user/granted_collections` endpoint. - 3. **Process Response**: The action parses the JSON response from the API containing - the list of authorized collections. + 3. Add the resulting JSON (list of collections) to the action result. - 4. **Finalize**: If successful, it returns a 'Connection Established' message - and attaches the list of granted collections to the action results. If the request - fails, it reports the specific error encountered. + 4. End the action with a success or failure status. capabilities: can_create_case_comments: false can_create_insight: false @@ -549,8 +578,15 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to test connectivity and retrieve data (fetches_data=true). + It does not mutate any external or internal systems, nor does it update entities, + create insights, or modify alert data. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action. According to the rules, Ping actions are not + enrichment actions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -566,3 +602,6 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not iterate over `target_entities` or use entity-specific identifiers + to perform its task. It only initializes the connector. diff --git a/content/response_integrations/third_party/partner/group_ib_ti/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/partner/group_ib_ti/resources/ai/connectors_ai_description.yaml index 7a8b8d9c7..cb833e99a 100644 --- a/content/response_integrations/third_party/partner/group_ib_ti/resources/ai/connectors_ai_description.yaml +++ b/content/response_integrations/third_party/partner/group_ib_ti/resources/ai/connectors_ai_description.yaml @@ -2,12 +2,11 @@ TI IoC Hash Connector: ai_description: >- ### General Description - The **TI IoC Hash Connector** integrates Google SecOps with the Group-IB Threat - Intelligence (TI) Portal to ingest file hash Indicators of Compromise (IoCs). - It specifically monitors the `ioc/common` collection for new malicious file hashes, - allowing security teams to stay updated on global file-based threats. The connector - aggregates these indicators into cases within Google SecOps for automated response - and investigation. + The TI IoC Hash Connector integrates Google SecOps with the Group-IB Threat Intelligence + (TI) portal. Its primary purpose is to automatically retrieve Indicators of Compromise + (IoCs), specifically file hashes, from the Group-IB TI platform. By ingesting + these hashes as alerts, the connector enables security teams to proactively monitor + for malicious file activity within their environment. ### Parameters Description @@ -18,71 +17,62 @@ TI IoC Hash Connector: | API key | Password | Yes | API key generated at your Group-IB TI Profile. | - | API login | Email | Yes | Your email address used to enter the Group-IB TI Portal. + | API login | Email | Yes | Email address used to access the Group-IB TI Portal. | - | API URL | String | Yes | Group-IB TI Portal URL (default: `https://tap.group-ib.com/api/v2/`). - | + | API URL | String | Yes | The URL for the Group-IB TI Portal. | - | Case name | String | Yes | The name to display for the created cases in the - SOAR. | + | Case name | String | Yes | The name to display for the created case. | - | Case severity | String | Yes | Severity level for the cases (Informative, Low, - Medium, High, Critical). | + | Case severity | String | Yes | The severity level for the case (Informative, + Low, Medium, High, Critical). | - | Case type | String | Yes | Case type used to trigger specific playbooks or actions. - | + | Case type | String | Yes | The case type to trigger an action. | | DeviceProductField | String | Yes | The field name used to determine the device - product (default: `title`). | + product. | - | EventClassId | String | Yes | The field name used to determine the event name - or sub-type (default: `id`). | + | EventClassId | String | Yes | The field name used to determine the event name. + | | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the - script execution. | + python process. | - | Start date | String | No | Initial date to start downloading data (YYYY-MM-DD). - If not provided, it defaults to one day back. | + | Start date | String | No | Start date for data collection (YYYY-MM-DD). Defaults + to one day back if not provided. | - | Verify SSL | Boolean | Yes | Whether to verify SSL certificates for API requests. - | + | Verify SSL | Boolean | Yes | Whether to verify SSL certificates. | ### Flow Description - 1. **Authentication**: The connector establishes a connection to the Group-IB - TI Portal using the provided API Login and API Key. + 1. The connector initializes a connection to the Group-IB TI API using the provided + credentials and configuration. - 2. **State Retrieval**: It fetches the last processed sequence update number (timestamp) - from the internal storage. If no timestamp is found, it uses the `Start date` - parameter or defaults to 24 hours ago to determine the starting point. + 2. It retrieves the last processed sequence update number from local storage to + ensure incremental data ingestion. - 3. **Data Ingestion**: The connector queries the `ioc/common` collection for new - updates. It uses a generator to fetch data in portions (limit of 50 per batch) - to ensure efficient processing. + 3. If no previous state is found, it uses the configured `Start date` (or defaults + to one day back) to fetch initial data. - 4. **Filtering and Parsing**: It filters the incoming data to extract valid file - hashes and associated metadata (such as the Group-IB object ID). + 4. It queries the `ioc/common` collection from the Group-IB TI portal. - 5. **Alert Aggregation**: Extracted hashes are mapped to SOAR events and aggregated - into a single `AlertInfo` object representing a case. + 5. The retrieved data is parsed to extract file hashes (`file_ioc__hash`). - 6. **Case Creation**: The aggregated alert is ingested into Google SecOps with - the configured severity, name, and type. + 6. For each identified hash, the connector creates an alert in Google SecOps, + mapping the data to the required alert format. - 7. **Checkpointing**: Upon successful processing, the connector saves the latest - sequence update number to the internal storage to ensure the next execution resumes - from the last processed record. + 7. The connector saves the latest sequence update number to storage to maintain + state for subsequent runs. TI IoC IP Connector: ai_description: >- ### General Description - The TI IoC IP Connector integrates Google SecOps with the Group-IB Threat Intelligence - (TI) Portal to ingest IP-based Indicators of Compromise (IoCs). It periodically - monitors the Group-IB `ioc/common` collection to fetch the latest malicious IP - addresses and automatically creates cases within Google SecOps for security analysis - and automated response. + This connector integrates with the Group-IB Threat Intelligence (TI) portal to + retrieve Indicators of Compromise (IoCs), specifically IP addresses. It periodically + polls the `ioc/common` collection, processes the retrieved data, and creates alerts + within Google SecOps (Chronicle SOAR) to facilitate proactive threat detection + and response. ### Parameters Description @@ -91,63 +81,56 @@ TI IoC IP Connector: | :--- | :--- | :--- | :--- | - | API login | Email | Yes | Your email address used to enter the Group-IB TI Portal. - | + | API login | Email | Yes | Your email address used to access the Group-IB TI + Portal. | - | API URL | String | Yes | The base URL for the Group-IB TI Portal API (default: - https://tap.group-ib.com/api/v2/). | + | API URL | String | Yes | The URL for the Group-IB TI Portal. | - | Case name | String | Yes | The name to be displayed for the created cases in - Google SecOps. | + | Case name | String | Yes | The name of the case to display in SOAR. | - | Case severity | String | Yes | The severity level for the created cases (Informative, - Low, Medium, High, Critical). | + | Case severity | String | Yes | The severity level for the created case (e.g., + Informative, Low, Medium, High, Critical). | - | Case type | String | Yes | The case type used to trigger specific playbooks - or actions. | + | Case type | String | Yes | The case type to trigger an action. | | DeviceProductField | String | Yes | The field name used to determine the device - product in the event metadata. | + product. | - | EventClassId | String | Yes | The field name used to determine the event name/sub-type. + | EventClassId | String | Yes | The field name used to determine the event name. | - | PythonProcessTimeout | String | Yes | The timeout limit in seconds for the connector - execution. | + | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the + script execution. | - | Start date | String | No | The starting date (YYYY-MM-DD) to fetch data if no - previous checkpoint exists. Defaults to one day back. | + | Start date | String | No | The start date (YYYY-MM-DD) to download collection + data. Defaults to one day back if not provided. | | API key | Password | Yes | The API key generated from your Group-IB TI Profile. | - | Verify SSL | Boolean | Yes | Whether to verify SSL certificates for API requests. - | + | Verify SSL | Boolean | Yes | Whether to verify SSL certificates for the API + connection. | ### Flow Description - 1. **Authentication**: The connector establishes a connection to the Group-IB - TI Portal using the provided API login and API key. + 1. Initializes the connection to the Group-IB TI portal using the provided credentials + and API URL. + + 2. Retrieves the last processed sequence update number from the SOAR storage to + ensure incremental data fetching. - 2. **Checkpoint Retrieval**: It checks the Google SecOps internal storage for - the last processed sequence update number (timestamp) to ensure data continuity. + 3. If no previous timestamp exists, it uses the configured `Start date` (or defaults + to one day back) to initialize the sequence update. - 3. **Initial Sync**: If no previous checkpoint is found, the connector uses the - configured `Start date` (or defaults to 24 hours ago) to determine the starting - sequence update number from the Group-IB API. + 4. Queries the `ioc/common` collection from the Group-IB TI API. - 4. **Data Ingestion**: The connector queries the `ioc/common` collection for new - threat data using the sequence update number. + 5. Parses the retrieved data, filtering for valid IP addresses. - 5. **Filtering and Parsing**: It parses the retrieved data, specifically filtering - for indicators that contain IP address information within the `network_profile` - section. + 6. Maps the parsed events into the Google SecOps alert format, including metadata + like severity and type. - 6. **Case and Event Creation**: For the identified IoCs, the connector generates - a Google SecOps case containing individual events for each malicious IP address, - applying the configured severity and case type. + 7. Creates and ingests the alerts into the SOAR platform. - 7. **State Persistence**: Upon successful ingestion, the connector saves the latest - sequence update number back to the internal storage to prevent duplicate ingestion - in the next run. + 8. Updates the sequence number in the SOAR storage to track the progress for the + next execution. diff --git a/content/response_integrations/third_party/partner/group_ib_ti/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/group_ib_ti/resources/ai/integration_ai_description.yaml index 2e831240c..60a46966c 100644 --- a/content/response_integrations/third_party/partner/group_ib_ti/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/partner/group_ib_ti/resources/ai/integration_ai_description.yaml @@ -7,6 +7,17 @@ product_categories: iam_and_identity_management: false itsm: false network_security: false - siem: false + reasoning: >- + The integration 'group_ib_ti' is primarily classified as Threat Intelligence because + it provides multiple enrichment actions (e.g., 'Get-Graph-Info', 'Get-TI-Search-Info') + that query the Group-IB database to retrieve reputation, malware family names, + and historical data for indicators like IPs, domains, and hashes. Furthermore, + the integration qualifies as SIEM because it includes connectors ('TI IoC Hash + Connector', 'TI IoC IP Connector') that ingest threat feeds and automatically + create alerts within the Google SecOps platform, enabling proactive monitoring + and detection of malicious activity. It does not perform actions related to EDR + (host containment), Network Security (firewall management), Email Security, IAM, + Cloud Security, ITSM, Vulnerability Management, Asset Inventory, or Collaboration. + siem: true threat_intelligence: true vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/houdin_io/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/houdin_io/resources/ai/actions_ai_description.yaml index bb0cea519..0824f5474 100644 --- a/content/response_integrations/third_party/partner/houdin_io/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/houdin_io/resources/ai/actions_ai_description.yaml @@ -13,6 +13,10 @@ Enrich Entities: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves threat intelligence (reputation, scores, analysis) for + IOCs (IPs, Domains, Hashes, URLs). This matches the 'Enrich IOC' category. It + does not perform containment or other actions. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -28,64 +32,45 @@ Enrich Entities: update_identity: false update_ticket: false ai_description: >- - ### General Description - - Enriches entities by performing scans on Houdin.io to retrieve threat intelligence - and AI-driven analysis. The action supports multiple entity types including Public - IP addresses, URLs, Domains, and File Hashes. It allows users to specify which - scanners (e.g., VirusTotal, URLScan, AbuseIPDB, Triage) should be utilized for - the enrichment process. Results, including threat scores and AI-generated summaries, - are appended to the entities as additional properties, providing analysts with - immediate context within the Google SecOps platform. + Enriches entities by scanning them using the Houdin.io platform. This action processes + specific entity types (Public IP, Domain, File Hash, URL, and Destination URL) + by launching a scan via the Houdin.io API and polling for the results. Once the + analysis is complete, it updates the entity's `additional_properties` with a threat + score, AI analysis summary, and the sources used for the scan. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | scanOn | Multi-choice | No | (Optional) An array of scanners you want Houdin - to use. Supported options include: vt, urlscan, alienvault, abuseipdb, triage, - mesmer, and servicenow. If not provided, Houdin uses its default scanner set. - | - - - ### Additional Notes - - - The action is asynchronous and involves polling the Houdin.io API for results - after the initial scan request. - - - It specifically filters for Public IP addresses (global) and will skip internal/private - IP addresses. - - - Compatible artifact types for scanning include: Public IPv4/IPv6, URL, Domain, - MD5, SHA1, and SHA256 hashes. + | scanOn | multi_choice_parameter | No | An optional array of scanners (e.g., + vt, urlscan, alienvault, abuseipdb, triage, mesmer, servicenow) to be used by + Houdin for the scan. | ### Flow Description - 1. **Filter Entities:** The action iterates through target entities and identifies - compatible types: URL, Domain, FileHash, DestinationURL, or Public IP addresses - (verified via global scope check). + 1. **Initialization**: The action initializes the HoudinManager using the provided + API Key. - 2. **Launch Scans:** For each compatible entity, it initiates a scan request to - the Houdin.io API using the `launch_scan` method, passing the optional scanner - list. + 2. **Filtering**: It iterates through the target entities, filtering for compatible + types: Public IP (via `isIPExternal` check), Domain, File Hash, URL, and Destination + URL. - 3. **Poll Results:** The action polls the Houdin.io API for each generated scan - ID until the analysis is complete or the maximum retry limit is reached. + 3. **Scan Launch**: For each compatible entity, it triggers a scan via the Houdin.io + API (`/scan/launch`). - 4. **Extract Intelligence:** It parses the returned scan results to extract the - 'Mesmer' global threat score, AI analysis summary, and the list of sources used - for the scan. + 4. **Polling**: It polls the Houdin.io API (`/scan/result`) for each scan ID until + results are retrieved. - 5. **Enrich Entities:** The action updates the `additional_properties` of the - successful entities with the retrieved threat intelligence (e.g., `Houdin-io_Threat_Score`, - `Houdin-io_AI_Analysis`). + 5. **Enrichment**: It parses the scan results, specifically extracting the global + score and summary from the 'mesmer' analysis. - 6. **Finalize:** It updates the entities in the case, adds a detailed JSON result - for each entity, and returns a summary message of the processed indicators. + 6. **Update**: It updates the `additional_properties` of the successful entities + with the retrieved threat intelligence and adds the full result JSON to the action + output. capabilities: can_create_case_comments: false can_create_insight: false @@ -96,10 +81,17 @@ Enrich Entities: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with Houdin-io threat scores, AI analysis - summaries, and analysis sources. + Updates the `additional_properties` of the processed entities with threat scores + and analysis summaries. + reasoning: >- + The action fetches threat intelligence data from Houdin.io by launching scans + and polling results. It updates the entity's `additional_properties` with the + retrieved data. It does not modify external systems or alert data. categories: enrichment: true + reasoning: >- + The action fetches data (enrichment) and only performs allowed internal mutations + (updating entities). It does not mutate external systems. entity_usage: entity_types: - ADDRESS @@ -114,11 +106,16 @@ Enrich Entities: filters_by_identifier: false filters_by_is_artifact: false filters_by_is_enriched: false - filters_by_is_internal: true + filters_by_is_internal: false filters_by_is_pivot: false filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and filters by specific types + (`ADDRESS`, `DOMAIN`, `FILEHASH`, `DestinationURL`). It also performs a check + on the identifier of `ADDRESS` entities to ensure they are external, but this + is not a filter on the `is_internal` attribute. Ping: action_product_categories: add_alert_comment: false @@ -134,6 +131,9 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test ('Ping'). It does not match any of the specific + functional categories like Enrich IOC, Contain Host, etc. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -148,30 +148,18 @@ Ping: update_email: false update_identity: false update_ticket: false - ai_description: "### General Description\nThe **Ping** action is a utility designed\ - \ to verify the connectivity between the Google SecOps platform and the Houdin.io\ - \ API. It ensures that the provided API Key is valid and that the network path\ - \ to the API endpoint is open and functional. This action is typically used during\ - \ the initial setup of the integration or for troubleshooting communication issues.\n\ - \n### Parameters Description\n| Parameter Name | Type | Mandatory | Description\ - \ |\n| :--- | :--- | :--- | :--- |\n| None | N/A | N/A | This action does not\ - \ have any input parameters. It relies solely on the integration's configuration\ - \ (API Key and Verify SSL). |\n\n### Additional Notes\n- This action uses a POST\ - \ request to the `/ping` endpoint of the Houdin.io API.\n- It includes a retry\ - \ mechanism that attempts the connection up to two times if a 500 Internal Server\ - \ Error is encountered.\n- The action returns a boolean value (`true` or `false`)\ - \ to indicate the success or failure of the connectivity test.\n\n### Flow Description\n\ - 1. **Initialization**: The action extracts the global integration configuration,\ - \ specifically the **API Key** and the **Verify SSL** setting.\n2. **Manager Setup**:\ - \ It initializes the `HoudinManager` with the extracted credentials.\n3. **Connectivity\ - \ Test**: The action calls the `test_connectivity` method, which sends an authenticated\ - \ POST request to `https://app.houdin.io/api/v1/ping`.\n4. **Response Handling**:\ - \ \n - If the API returns a 200 OK status, the action logs a success message\ - \ and sets the result to `true`.\n - If the API returns a 500 error, it retries\ - \ once.\n - If the API returns any other error status or a connection exception\ - \ occurs, the action catches the error, logs it, and sets the result to `false`.\n\ - 5. **Completion**: The action terminates, providing the connectivity status and\ - \ a descriptive output message." + ai_description: >- + General description: This action tests the connectivity to the Houdin.io API to + ensure the integration is properly configured and the service is reachable. Flow + description: 1. The action extracts the 'API Key' and 'Verify SSL' configuration + parameters. 2. It initializes the HoudinManager with the provided credentials. + 3. It sends a POST request to the Houdin.io ping endpoint. 4. It validates the + response status code. 5. It returns a success or failure status based on the connectivity + result. Parameters description: | Parameter | Type | Mandatory | Description | + | --- | --- | --- | --- | | API Key | String | Yes | The API key used for authentication + with the Houdin.io service. | | Verify SSL | Boolean | No | Whether to verify + SSL certificates for the connection. Defaults to False. | Additional notes: This + action is a connectivity test and does not perform any data enrichment or mutation. capabilities: can_create_case_comments: false can_create_insight: false @@ -182,8 +170,16 @@ Ping: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity test by sending a POST request to the Houdin.io + API. It does not fetch contextual data for entities, nor does it mutate any + external or internal data. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action. According to the instructions, 'Actions named + Ping must not be categorized as enrichment actions.' It also does not fetch + contextual data. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -199,6 +195,9 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not reference siemplify.target_entities or any entity objects. + It is a global connectivity test. Scan Artifact: action_product_categories: add_alert_comment: false @@ -211,9 +210,13 @@ Scan Artifact: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: false + enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action submits an artifact to the Houdin.io platform for analysis (matching + 'Submit File') and retrieves the resulting threat intelligence (matching 'Enrich + IOC'). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -231,11 +234,9 @@ Scan Artifact: ai_description: >- ### General Description - Launches a scan on the Houdin.io platform for a specific artifact and retrieves - the analysis results. This action supports multiple artifact types, including - IP addresses (IPv4/IPv6), URLs, domains, and file hashes (MD5, SHA1, SHA256). - It operates by initiating a scan job and then polling the Houdin API until the - results are available. + The "Scan Artifact" action initiates a security scan on a specified artifact (such + as an IP, URL, Domain, or File Hash) using the Houdin.io platform. It retrieves + the scan results and provides them as the action output. ### Parameters Description @@ -244,38 +245,28 @@ Scan Artifact: | :--- | :--- | :--- | :--- | - | artifact | string | Yes | The specific artifact to be scanned. Supported types: - IPv4, IPv6, URL, Domain, MD5, SHA1, SHA256. | + | artifact | string | Yes | The artifact to scan (e.g., IPv4, IPv6, URL, Domain, + MD5, SHA1, SHA256). | - | scanOn | multi_choice_parameter | No | A list of specific scanners to be utilized - by Houdin (e.g., vt, urlscan, alienvault, abuseipdb, triage, mesmer, servicenow). - | + | scanOn | multi_choice_parameter | No | An optional array of scanners to use + (e.g., vt, urlscan, alienvault, abuseipdb, triage, mesmer, servicenow). | ### Flow Description - 1. **Setup**: The action extracts the API Key from the integration configuration - and initializes the Houdin communication manager. - - 2. **Input Processing**: It retrieves the `artifact` and the optional `scanOn` - list of scanners from the action parameters. + 1. The action extracts the `artifact` and `scanOn` parameters. - 3. **Scan Initiation**: The action sends a POST request to the Houdin API to launch - a new scan for the provided artifact. + 2. It calls the Houdin.io API to launch a scan for the provided artifact. - 4. **Polling**: Because the scan takes time, the action enters a polling phase, - repeatedly checking the status of the scan ID via GET requests until the analysis - is finished. + 3. It polls the Houdin.io API for the scan results until the scan is completed. - 5. **Completion**: Once the scan is complete, the full result set is retrieved - and attached to the action's output as a JSON result. + 4. The final scan result is added to the action output. ### Additional Notes - This action is executed asynchronously. Users should ensure that the script timeout - value in the Google SecOps IDE is set high enough to accommodate the time required - for external scanners to complete their analysis. + This action is asynchronous. The script timeout value in the Google SecOps IDE + should be adjusted if necessary to accommodate the scan duration. capabilities: can_create_case_comments: false can_create_insight: false @@ -284,11 +275,20 @@ Scan Artifact: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Initiates a new scan job and creates a scan record on the Houdin.io platform. + Initiates a scan on the Houdin.io platform via a POST request. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action initiates a scan on an external platform (Houdin.io) via a POST request, + which constitutes an external mutation. It then polls for and retrieves the + scan results (fetches data). It does not modify internal SOAR data (case/alert + data) or update entities. categories: enrichment: false + reasoning: >- + The action performs a POST request to launch a scan, which is an external mutation. + Therefore, it does not meet the 'External State Preservation' requirement for + an Enrichment Action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -304,3 +304,6 @@ Scan Artifact: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action uses the `artifact` parameter provided by the user, not the `target_entities` + list from the SOAR platform. diff --git a/content/response_integrations/third_party/partner/houdin_io/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/houdin_io/resources/ai/integration_ai_description.yaml index 2e831240c..33676e028 100644 --- a/content/response_integrations/third_party/partner/houdin_io/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/partner/houdin_io/resources/ai/integration_ai_description.yaml @@ -7,6 +7,18 @@ product_categories: iam_and_identity_management: false itsm: false network_security: false + reasoning: >- + The houdin_io integration is designed to provide automated AI-driven cyber threat + analysis. Its primary actions, 'Enrich Entities' and 'Scan Artifact', focus on + processing external indicators (IPs, Domains, Hashes, URLs) to retrieve threat + intelligence, including risk scores and analysis summaries. This functionality + aligns perfectly with the 'Threat Intelligence' category, which is defined by + the ability to enrich external indicators to determine their reputation and confirm + if an alert is a True Positive. The integration does not perform functions related + to SIEM log analysis, EDR host containment, network security gateway blocking, + email management, IAM identity control, cloud resource management, ITSM ticketing, + vulnerability scanning, asset inventory management, or collaboration/notification + workflows. siem: false threat_intelligence: true vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/infoblox_nios/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/infoblox_nios/resources/ai/actions_ai_description.yaml index 4e1cfbc4b..81ec52c56 100644 --- a/content/response_integrations/third_party/partner/infoblox_nios/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/infoblox_nios/resources/ai/actions_ai_description.yaml @@ -13,6 +13,9 @@ Create Host Record: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action creates a host record in Infoblox. This does not match any of the + provided categories (e.g., Enrichment, Containment, Ticket creation, etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -28,73 +31,57 @@ Create Host Record: update_identity: false update_ticket: false ai_description: >- - ### General Description + Creates a new host record in Infoblox NIOS. This action allows users to define + a host name, associate IPv4/IPv6 addresses, configure DNS settings, and add metadata + such as comments, aliases, and extended attributes. It performs a POST request + to the Infoblox API to provision the record and returns the created host details. - The **Create Host Record** action adds a new host record to the Infoblox NIOS - system. This action is used for IP Address Management (IPAM) and DNS inventory, - allowing users to define a host with its associated IPv4 and IPv6 addresses. If - configured, the action can also automatically generate corresponding DNS records - such as A, AAAA, and PTR records. + ### Parameters - ### Flow Description + | Parameter | Type | Mandatory | Description | - 1. **Parameter Extraction:** The action retrieves the host name, IP address lists, - DNS view, and optional metadata including comments, aliases, and extended attributes. + | :--- | :--- | :--- | :--- | - 2. **Validation:** It ensures the host name is provided and validates that the - IP address objects and additional parameters are in the correct JSON format. + | Name | string | Yes | The FQDN of the host (e.g., server1.auth.threat.zone). + | - 3. **API Interaction:** It initializes the Infoblox API manager and executes a - POST request to the `/record:host` endpoint to create the record. + | IPv4 Addresses | string | No | JSON array of IPv4 address objects. | - 4. **Output:** Upon successful creation, the action returns the full details of - the new host record as a JSON result and displays a summary table in the SOAR - interface. + | IPv6 Addresses | string | No | JSON array of IPv6 address objects. | + | View | string | No | The DNS view (default: "default"). | - ### Parameters Description + | Comment | string | No | Additional notes about the host record. | - | Parameter | Type | Mandatory | Description | + | Aliases | string | No | Comma-separated list of DNS aliases (CNAMEs). | - | :--- | :--- | :--- | :--- | + | Configure for DNS | boolean | No | Whether to create associated DNS records + (default: true). | - | Name | String | Yes | The FQDN of the host (e.g., server1.example.com). It must - belong to an existing DNS zone. | + | Extended Attributes | string | No | Comma-separated key/value pairs for extended + attributes. | - | IPv4 Addresses | String | No | A JSON array of IPv4 objects (e.g., [{"ipv4addr":"192.168.1.100","mac":"00:11:22:33:44:55","configure_for_dhcp":true}]). - | - - | IPv6 Addresses | String | No | A JSON array of IPv6 objects (e.g., [{"ipv6addr":"2001:db8::1"}]). - | + | Additional Parameters | string | No | Comma-separated key/value pairs for additional + API parameters. | - | View | String | No | The DNS view in which the record resides (default: "default"). - | - | Comment | String | No | Additional information or notes about this host record. - | + ### Flow Description - | Aliases | String | No | Comma-separated list of DNS aliases (CNAMEs) for this - host. | + 1. The action extracts configuration parameters (API root, credentials) and action-specific + inputs. - | Configure for DNS | Boolean | No | When true, creates associated DNS records - (A/AAAA/PTR). Default is true. | + 2. It validates the provided inputs (e.g., required strings, IP address objects, + additional parameters). - | Extended Attributes | String | No | Comma-separated key/value formatted string - for extended attributes (e.g., "Site=New York"). | + 3. It initializes the `APIManager` to communicate with the Infoblox NIOS API. - | Additional Parameters | String | No | JSON object for additional parameters - supported by the Infoblox API. | + 4. It executes a POST request to create the host record with the specified attributes. + 5. Upon success, it adds the created host record details to the action results + as a JSON object and a data table. - ### Additional Notes - - - The **Name** parameter is mandatory despite being marked as optional in the - parameter extraction logic, as it is explicitly validated as a required string - before the API call. - - - The **IPv4 Addresses** and **IPv6 Addresses** parameters must be valid JSON - arrays of objects. + 6. If an error occurs, it logs the exception and fails the action execution. capabilities: can_create_case_comments: false can_create_insight: false @@ -103,12 +90,20 @@ Create Host Record: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new host record and potentially associated DNS records (A, AAAA, PTR) - in the Infoblox NIOS system via a POST request to the /record:host endpoint. + Creates a new host record in the Infoblox NIOS system. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to create a host record in an external Infoblox + system (can_mutate_external_data=true). It does not fetch data from external + systems (fetches_data=false). It does not modify internal SOAR case data, entities, + or alerts (can_mutate_internal_data=false). categories: enrichment: false + reasoning: >- + The action is a creation/mutation action that adds a record to an external system. + It does not fetch data for enrichment purposes, nor does it meet the criteria + for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -124,6 +119,9 @@ Create Host Record: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or process `siemplify.target_entities`. It + operates based on parameters provided in the action configuration. Create RPZ A Rule: action_product_categories: add_alert_comment: false @@ -139,6 +137,10 @@ Create RPZ A Rule: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action creates an RPZ A rule, which is a mechanism for DNS-based blocking + or redirection. This aligns with the 'Add IOC To Blocklist' category as it updates + security controls to prevent interaction with an indicator. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -154,61 +156,55 @@ Create RPZ A Rule: update_identity: false update_ticket: false ai_description: >- - Creates a Response Policy Zone (RPZ) Substitute rule in Infoblox NIOS. This action - allows administrators to map a specific domain name (A record) or an IPv4 address - to a substitute IPv4 address. This is primarily used for DNS redirection, sinkholing, - or blocking access to specific network resources by overriding standard DNS resolution. + ### General Description + Creates an RPZ (Response Policy Zone) A rule in Infoblox NIOS. This action maps + a domain name or an IPv4 address to a substitute IPv4 address, enabling DNS redirection + or blocking capabilities within the Infoblox environment. - ### Flow Description: - 1. **Parameter Extraction:** The action retrieves the object type, rule name, - target RP zone, substitute IPv4 address, and optional comments or additional JSON - parameters. + ### Flow Description - 2. **Validation:** It validates that the rule name and RP zone are provided, and - ensures the substitute IPv4 address is a valid IPv4 format. + 1. **Parameter Extraction**: The action retrieves configuration parameters (API + credentials) and action-specific inputs (Object Type, Name, RP Zone, IPv4 Address, + etc.). - 3. **Record Type Determination:** Based on the 'Object Type' parameter, the action - determines whether to create a standard RPZ A rule (`record:rpz:a`) for domains - or an IP-based RPZ A rule (`record:rpz:a:ipaddress`). + 2. **Validation**: Validates the provided inputs, including the required string + formats and the validity of the IPv4 address. - 4. **API Execution:** It constructs the rule name (appending the zone if not already - present) and sends a POST request to the Infoblox WAPI to create the record. + 3. **API Interaction**: Initializes the Infoblox API manager and sends a POST + request to create the specified RPZ A rule. - 5. **Result Processing:** Upon success, it returns the raw JSON response and creates - a data table in the SOAR case wall summarizing the new rule's details. + 4. **Result Processing**: Adds the API response as a JSON result and constructs + a data table containing the rule details for the action output. - ### Parameters Description: + ### Parameters Description - | Parameter Name | Type | Mandatory | Description | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Object Type** | DDL | Yes | Determines the record category. Options are 'Domain - Name' (standard A record) or 'IP Address' (IP-based rule). | + | Object Type | ddl | Yes | The type of object for which to create the record. + Options: 'IP Address', 'Domain Name'. | - | **Name** | String | Yes | The name/FQDN of the rule to be created. | + | Name | string | Yes | The name of the rule to be created. | - | **RP Zone** | String | Yes | The specific Response Policy Zone where the rule - will be assigned. | + | RP Zone | string | Yes | The Response Policy Zone to assign the rule to. | - | **IPv4 Address** | String | Yes | The substitute IPv4 address that the DNS query - will resolve to. | + | IPv4 Address | string | Yes | The IPv4 address to be used as the substitute + in the rule. | - | **Comment** | String | No | An optional descriptive comment for the rule. | + | Comment | string | No | An optional comment for the rule. | - | **Additional Parameters** | String | No | A JSON object string containing extra - parameters supported by the Infoblox WAPI for RPZ rules. | + | Additional Parameters | string | No | A JSON object containing additional parameters + for creating the response policy zone. | - ### Additional Notes: - - - The action automatically formats the rule name by appending the RP Zone if the - provided name does not already end with it. + ### Additional Notes - - If 'Additional Parameters' is provided, it must be a valid JSON object string. + This action performs a direct mutation on the Infoblox NIOS system. Ensure that + the provided credentials have the necessary permissions to create RPZ rules. capabilities: can_create_case_comments: false can_create_insight: false @@ -217,12 +213,21 @@ Create RPZ A Rule: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new RPZ A rule record in the Infoblox NIOS system via a POST request - to the WAPI. + Creates an RPZ A rule in the Infoblox NIOS system, which modifies DNS resolution + policies. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to create a rule in an external system (Infoblox + NIOS). It does not fetch data (GET) for enrichment purposes, nor does it modify + internal SOAR case data or entities. It only adds result data to the action + output. categories: enrichment: false + reasoning: >- + The action is a mutation action designed to create a rule in an external system. + It does not fetch data to enrich entities, therefore it is not an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -238,6 +243,9 @@ Create RPZ A Rule: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `siemplify.target_entities`. It relies entirely + on user-provided parameters to perform its task. Create RPZ AAAA Rule: action_product_categories: add_alert_comment: false @@ -253,6 +261,10 @@ Create RPZ AAAA Rule: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action creates an RPZ AAAA rule, which is used for DNS redirection or blocking. + This aligns with the 'Add IOC To Blocklist' category as it updates security + controls (DNS) to prevent interaction with specific indicators. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -268,63 +280,49 @@ Create RPZ AAAA Rule: update_identity: false update_ticket: false ai_description: >- - ### General Description - - Creates an RPZ AAAA rule in Infoblox NIOS. This action allows for mapping a domain - name or an IPv6 address to a substitute IPv6 address within a specific Response - Policy Zone (RPZ). This is commonly used for DNS-based redirection or blocking - of malicious traffic. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | + Creates an RPZ (Response Policy Zone) AAAA rule in Infoblox NIOS to map a domain + name or IPv6 address to a substitute IPv6 address for DNS redirection or blocking. + This action allows administrators to configure DNS-based security policies directly + from the SOAR platform. - | :--- | :--- | :--- | :--- | - | Object Type | String | Yes | The type of the object for which to create the - record. Options: 'Domain Name', 'IP Address'. | - - | Name | String | Yes | The name of the rule (e.g., the domain name or IP address - to be redirected). | - - | RP Zone | String | Yes | The name of the Response Policy Zone where the rule - will be created. | + ### Flow Description - | IPv6 Address | String | Yes | The substitute IPv6 address that the target will - be redirected to. | + 1. **Parameter Extraction**: The action retrieves the required parameters: Object + Type, Name, RP Zone, IPv6 Address, and optional parameters like Comment and Additional + Parameters. - | Comment | String | No | An optional comment to associate with the rule. | + 2. **Validation**: It validates the provided inputs, ensuring the Name and RP + Zone are non-empty strings and the IPv6 Address is a valid IPv6 format. - | Additional Parameters | String | No | A JSON string containing any additional - Infoblox WAPI parameters for the record creation. | + 3. **API Interaction**: It initializes the Infoblox API manager and sends a request + to create the RPZ AAAA rule based on the specified object type (Domain Name or + IP Address). + 4. **Result Processing**: Upon success, it adds the created rule details as a + JSON result and a data table to the action output. If the creation fails, it logs + the error and sets the execution state to failed. - ### Additional Notes - - The action performs validation to ensure the provided IPv6 Address is in a valid - format. + ### Parameters - - Depending on the 'Object Type' selected, the action creates either a 'record:rpz:aaaa' - or a 'record:rpz:aaaa:ipaddress' in Infoblox. + | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Flow Description + | Object Type | ddl | Yes | The type of the object for which to create the record + (Domain Name or IP Address). | - 1. **Initialization:** The action extracts the integration configuration and the - user-provided parameters. + | Name | string | Yes | The name of the rule. | - 2. **Validation:** It verifies that the Name, RP Zone, and IPv6 Address are provided - and that the IPv6 address is valid. + | RP Zone | string | Yes | The zone to assign the rule to. | - 3. **API Preparation:** It determines the appropriate Infoblox WAPI endpoint and - record type based on the 'Object Type' parameter. + | IPv6 Address | string | Yes | The IPv6 address of the substitute rule. | - 4. **Execution:** It sends a POST request to the Infoblox NIOS API to create the - new RPZ AAAA rule. + | Comment | string | No | Comment for this rule. | - 5. **Output:** Upon successful creation, it adds the raw API response to the action - results and generates a data table for the analyst. + | Additional Parameters | string | No | JSON object containing additional parameters + to create the response policy zone. | capabilities: can_create_case_comments: false can_create_insight: false @@ -333,12 +331,18 @@ Create RPZ AAAA Rule: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new RPZ AAAA rule in Infoblox NIOS, which modifies the DNS configuration - of the specified Response Policy Zone. + Creates an RPZ AAAA rule in the Infoblox NIOS system. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to create an RPZ rule in Infoblox NIOS. It + does not fetch external data for enrichment, nor does it modify internal SOAR + entities, insights, or case data. It only adds result data to the action output. categories: enrichment: false + reasoning: >- + The action is a mutation action (creating a rule) and does not fetch data for + enrichment purposes. Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -354,6 +358,9 @@ Create RPZ AAAA Rule: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with or filter any entities. It relies entirely + on parameters provided in the action configuration. Create RPZ CNAME Rule: action_product_categories: add_alert_comment: false @@ -369,6 +376,10 @@ Create RPZ CNAME Rule: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action creates a CNAME rule in an RPZ, which is a DNS-based security control + used to block or redirect traffic. This aligns with the 'Add IOC To Blocklist' + category. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -383,37 +394,58 @@ Create RPZ CNAME Rule: update_email: false update_identity: false update_ticket: false - ai_description: "Adds a CNAME rule to an existing Response Policy Zone (RPZ) in\ - \ Infoblox NIOS to override DNS behavior. This action allows administrators to\ - \ define how specific domain names or IP addresses should be handled by the DNS\ - \ firewall, such as blocking them, allowing them to pass through, or substituting\ - \ them with a different domain name.\n\n### Flow Description:\n1. **Parameter\ - \ Extraction:** The action retrieves the rule name, target RP zone, rule type,\ - \ object type, and optional configurations like comments and DNS views.\n2. **Validation:**\ - \ It validates that mandatory fields (Name, RP Zone) are provided and that 'Additional\ - \ Parameters' is a valid JSON object.\n3. **Logic Mapping:** \n * It determines\ - \ the specific Infoblox API endpoint based on the 'Object Type' (Domain Name,\ - \ IP Address, or Client IP Address).\n * It maps the 'Rule Type' to the corresponding\ - \ 'canonical' value required by Infoblox (e.g., '*' for 'Block (No data)', 'rpz-passthru'\ - \ for 'Passthru' on Client IPs).\n4. **API Execution:** A POST request is sent\ - \ to the Infoblox NIOS server to create the rule.\n5. **Result Processing:** Upon\ - \ success, the action returns the raw JSON response and displays the created rule\ - \ details in a structured data table.\n\n### Parameters Description:\n| Parameter\ - \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Name |\ - \ string | Yes | The rule name in FQDN format. |\n| RP Zone | string | Yes | The\ - \ Response Policy Zone to which the rule will be assigned. |\n| Rule Type | ddl\ - \ | Yes | The action to take: 'Passthru', 'Block (No such domain)', 'Substitute\ - \ (Domain name)', or 'Block (No data)'. |\n| Object Type | ddl | Yes | The type\ - \ of object the rule applies to: 'Domain Name', 'IP Address', or 'Client IP Address'.\ - \ |\n| Substitute Name | string | No | The domain name to substitute. Required\ - \ only if 'Rule Type' is set to 'Substitute (Domain name)'. |\n| View | string\ - \ | No | The DNS view where the records are located. Defaults to 'default'. |\n\ - | Comment | string | No | An optional comment or description for the rule. |\n\ - | Additional Parameters | string | No | A JSON object containing any extra parameters\ - \ supported by the Infoblox API for RPZ rules. |\n\n### Additional Notes:\n* The\ - \ 'Substitute (Domain name)' rule type is only applicable when the 'Object Type'\ - \ is 'Domain Name'.\n* If the 'Name' provided does not end with the 'RP Zone'\ - \ name, the action automatically appends the zone name to ensure a valid FQDN." + ai_description: >- + Creates a CNAME rule in an existing Response Policy Zone (RPZ) within Infoblox + NIOS to override DNS behavior. This action allows administrators to define rules + for specific domains or IP addresses to block, pass through, or substitute DNS + responses. + + + ### Flow + + 1. Extracts configuration parameters (API credentials, etc.) and action-specific + inputs. + + 2. Validates the required parameters, including the RP Zone and Rule Name. + + 3. Invokes the Infoblox API to create the specified RPZ CNAME rule. + + 4. Adds the API response to the action result and generates a data table summarizing + the created rule. + + + ### Parameters + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Name | string | Yes | The rule name in FQDN format. | + + | RP Zone | string | Yes | The zone to assign the rule to. | + + | Rule Type | ddl | Yes | The type of the rule to create (e.g., Passthru, Block, + Substitute). | + + | Object Type | ddl | Yes | The type of the object for which to assign the rule + (Domain Name, IP Address, Client IP Address). | + + | Substitute Name | string | No | The substitute name to assign (substitute domain + only). | + + | Comment | string | No | Comment for this rule. | + + | View | string | No | The DNS view in which the records are located. Defaults + to 'default'. | + + | Additional Parameters | string | No | JSON object containing additional parameters + to create the RPZ rule. | + + + ### Additional Notes + + - The action performs a direct mutation on the Infoblox NIOS system. Ensure the + provided credentials have sufficient permissions to modify RPZ configurations. capabilities: can_create_case_comments: false can_create_insight: false @@ -422,12 +454,18 @@ Create RPZ CNAME Rule: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new CNAME record within a Response Policy Zone (RPZ) on the Infoblox - NIOS server, which modifies DNS resolution behavior for the specified targets. + Creates a new CNAME rule in the Infoblox Response Policy Zone. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the Infoblox API to create a new RPZ CNAME + rule. It does not fetch external data for enrichment, nor does it modify internal + SOAR case data (entities, insights, or comments). categories: enrichment: false + reasoning: >- + The action creates external data (a rule) and does not fetch context or perform + enrichment. Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -443,6 +481,9 @@ Create RPZ CNAME Rule: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or process `siemplify.target_entities`. It + relies entirely on parameters provided in the action configuration. Create RPZ MX Rule: action_product_categories: add_alert_comment: false @@ -458,6 +499,9 @@ Create RPZ MX Rule: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action creates a specific DNS record (MX rule) in an RPZ. This is a configuration + task and does not fit the provided categories for blocking, ticketing, or enrichment. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -473,57 +517,52 @@ Create RPZ MX Rule: update_identity: false update_ticket: false ai_description: >- - Adds a mail exchange (MX) override rule to a Response Policy Zone (RPZ) in Infoblox - NIOS. This action allows administrators to define custom mail routing logic within - a specific DNS zone by creating an MX record. It supports standard MX parameters - like preference and mail exchanger host, along with optional comments and advanced - JSON-based parameters for the Infoblox WAPI. + Creates a Mail Exchange (MX) override rule within a Response Policy Zone (RPZ) + on the Infoblox NIOS platform. This action allows administrators to define specific + mail exchange routing rules for DNS response policies. ### Flow Description - 1. **Parameter Extraction:** The action retrieves integration credentials and - action parameters including the rule name, target RP zone, mail exchanger, and - preference. + 1. **Parameter Extraction**: The action retrieves the required configuration (API + root, credentials) and action-specific parameters (RP Zone, Name, Mail Exchanger, + Preference, Comment, and Additional Parameters). - 2. **Validation:** It validates that mandatory fields are non-empty, ensures the - 'Preference' is a valid integer, and checks that 'Additional Parameters' is a - valid JSON object. + 2. **Validation**: It validates that the required fields are present and that + the Preference is a valid integer. - 3. **API Interaction:** It constructs a POST request to the Infoblox NIOS WAPI - (`/record:rpz:mx`) to create the rule. + 3. **API Interaction**: It initiates a POST request to the Infoblox NIOS API to + create the new RPZ MX rule. - 4. **Result Processing:** Upon success, it formats the created rule's data into - a JSON result and a CSV-formatted data table for display in the SOAR interface. + 4. **Result Reporting**: Upon success, it adds the created rule details to the + action result JSON and displays a data table containing the rule information. + If the creation fails, it logs the error and reports the failure. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Name | String | Yes | The name of the rule to be created. | + | Name | string | Yes | Specify the name of the rule. | - | RP Zone | String | Yes | The Response Policy Zone where the rule will be assigned. - | + | RP Zone | string | Yes | The zone to assign the rule to. | - | Mail Exchanger | String | Yes | Specify the mail exchanger host for the rule. - | + | Mail Exchanger | string | Yes | Specify the mail exchanger for the rule. | - | Preference | String | Yes | The preference value for the MX rule (must be a - non-negative integer). | + | Preference | string | Yes | Preference value for the rule. | - | Comment | String | No | An optional descriptive comment for the rule. | + | Comment | string | No | Comment for this rule. | - | Additional Parameters | String | No | A JSON object containing additional parameters - to be passed to the Infoblox API. | + | Additional Parameters | string | No | JSON object containing additional parameters + to create response policy zone. | ### Additional Notes - - The action automatically appends the RP Zone name to the Rule Name if it is - not already present to ensure a fully qualified domain name (FQDN) format. + - The action does not interact with entities. It is a configuration management + action for Infoblox DNS settings. capabilities: can_create_case_comments: false can_create_insight: false @@ -532,12 +571,19 @@ Create RPZ MX Rule: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new Mail Exchange (MX) override rule record within the Infoblox NIOS - Response Policy Zone (RPZ) configuration. + Creates a new Mail Exchange (MX) rule in the specified Response Policy Zone + (RPZ) on the Infoblox NIOS platform. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the Infoblox API to create a new RPZ MX + rule. It does not fetch data, nor does it modify internal SOAR case data (entities, + insights, etc.). categories: enrichment: false + reasoning: >- + The action is a configuration/mutation action that creates a new rule in an + external system. It does not fetch data for enrichment purposes. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -553,6 +599,8 @@ Create RPZ MX Rule: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. Create RPZ NAPTR Rule: action_product_categories: add_alert_comment: false @@ -568,6 +616,10 @@ Create RPZ NAPTR Rule: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action creates a NAPTR rule in Infoblox. This is a configuration change + on an external system. It does not match any of the predefined categories such + as enrichment, ticketing, identity management, or host containment. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -583,67 +635,46 @@ Create RPZ NAPTR Rule: update_identity: false update_ticket: false ai_description: >- - ### General Description - - Adds a NAPTR (Naming Authority Pointer) override rule in a Response Policy Zone - (RPZ) within Infoblox NIOS. This action allows for the control of DNS-based service - discovery by defining how specific domain names should be processed and replaced. - It is useful for redirecting or modifying DNS responses for service discovery - queries within a managed environment. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | + Creates a NAPTR (Naming Authority Pointer) override rule within a specified Response + Policy Zone (RPZ) on an Infoblox NIOS appliance. This action allows administrators + to configure DNS-based service discovery rules by defining the rule name, zone, + order, preference, and replacement values. - | Name | String | Yes | Specify the name of the rule. | - | RP Zone | String | Yes | The zone to assign the rule to. | + ### Flow - | Order | String | Yes | Order parameter in NAPTR record defines the sequence - of rule application when multiple rules exist. | + 1. Extracts configuration parameters (API root, credentials). - | Preference | String | Yes | The preference of the Substitute (NAPTR Record) - Rule record. | + 2. Extracts action parameters (Name, RP Zone, Order, Preference, Replacement, + Comment, Additional Parameters). - | Replacement | String | Yes | Substitute rule object `replacement` field of the - NAPTR record. For non-terminal NAPTR records, this field specifies the next domain - name to look up. | + 3. Validates required fields and integer constraints. - | Comment | String | No | Comment for this rule. | + 4. Sends a POST request to the Infoblox NIOS API to create the NAPTR rule. - | Additional Parameters | String | No | JSON object containing additional parameters - to create response policy zone. | + 5. Adds the result to the action output and generates a data table for the created + rule. - ### Flow Description + ### Parameters - 1. **Extract and Validate Parameters**: The action retrieves the Name, RP Zone, - Order, Preference, Replacement, Comment, and Additional Parameters. It ensures - that mandatory string fields are not empty. + | Parameter | Type | Mandatory | Description | - 2. **Integer Validation**: The 'Order' and 'Preference' values are validated to - ensure they are non-negative integers within the range of 0 to 65535. + | :--- | :--- | :--- | :--- | - 3. **JSON Parsing**: If 'Additional Parameters' are provided, they are parsed - from a JSON string into a dictionary. + | Name | string | Yes | Name of the rule. | - 4. **API Execution**: The action uses the Infoblox API Manager to send a POST - request to the `/record:rpz:naptr` endpoint with the specified rule details. + | RP Zone | string | Yes | The zone to assign the rule to. | - 5. **Result Processing**: Upon success, the action adds the raw JSON response - and a formatted data table to the case and returns a success message. + | Order | string | Yes | Sequence of rule application. | + | Preference | string | Yes | Preference of the NAPTR record. | - ### Additional Notes + | Replacement | string | Yes | Replacement domain name. | - - The 'Order' and 'Preference' parameters are mandatory and must be valid integers - between 0 and 65535. + | Comment | string | No | Comment for the rule. | - - The 'Additional Parameters' field allows for advanced configuration by providing - a JSON object with extra Infoblox WAPI fields. + | Additional Parameters | string | No | JSON object for extra parameters. | capabilities: can_create_case_comments: false can_create_insight: false @@ -652,11 +683,20 @@ Create RPZ NAPTR Rule: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new NAPTR rule record in the Infoblox NIOS Response Policy Zone. + Creates a new NAPTR rule in the specified Response Policy Zone on the Infoblox + NIOS appliance. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the Infoblox API to create a new NAPTR + rule, which constitutes an external data mutation. It does not fetch data, nor + does it modify internal SOAR data (entities, insights, or comments). categories: enrichment: false + reasoning: >- + The action is a creation/mutation action that modifies external system state + (Infoblox) and does not fetch data for enrichment purposes. Therefore, it is + not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -672,11 +712,15 @@ Create RPZ NAPTR Rule: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `siemplify.target_entities`. It processes + input parameters directly from the action configuration to create a rule in + Infoblox. Create RPZ PTR Rule: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false - add_ioc_to_blocklist: false + add_ioc_to_blocklist: true contain_host: false create_ticket: false delete_email: false @@ -687,6 +731,10 @@ Create RPZ PTR Rule: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action creates a DNS-based rule (RPZ PTR) in Infoblox, which is a security + control mechanism used to override DNS responses. This aligns with the 'Add + IOC To Blocklist' category as it updates security controls to manage traffic/resolution. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -701,35 +749,53 @@ Create RPZ PTR Rule: update_email: false update_identity: false update_ticket: false - ai_description: "### General Description\nThe **Create RPZ PTR Rule** action allows\ - \ users to create a reverse DNS (PTR) substitute rule within a specific Response\ - \ Policy Zone (RPZ) in Infoblox NIOS. This action is used to override standard\ - \ reverse DNS lookups for specific IP addresses, which is a common practice for\ - \ implementing security redirections or custom DNS policies.\n\n### Parameters\ - \ Description\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- |\ - \ :--- | :--- |\n| **PTR DName** | String | Yes | The domain name of the RPZ substitute\ - \ rule object of the PTR record. |\n| **RP Zone** | String | Yes | The name of\ - \ the Response Policy Zone where the rule will be assigned. |\n| **Name** | String\ - \ | No | The name of the RPZ Substitute rule object of the PTR record. |\n| **Comment**\ - \ | String | No | A descriptive comment for the rule. |\n| **IPv4 Address** |\ - \ String | No | The IPv4 address of the substitute rule. |\n| **IPv6 Address**\ - \ | String | No | The IPv6 address of the substitute rule. |\n| **Additional Parameters**\ - \ | String | No | A JSON-formatted string containing additional WAPI parameters\ - \ for the rule creation. |\n\n### Additional Notes\n- **Conditional Requirement:**\ - \ At least one of the following parameters must be provided for the action to\ - \ execute successfully: `Name`, `IPv4 Address`, or `IPv6 Address`.\n- **IP Validation:**\ - \ The action performs strict validation on the format of `IPv4 Address` and `IPv6\ - \ Address` if they are provided.\n\n### Flow Description\n1. **Initialization:**\ - \ Retrieves integration configuration (API Root, credentials) and action parameters.\n\ - 2. **Validation:** \n - Ensures mandatory fields `PTR DName` and `RP Zone`\ - \ are non-empty.\n - Validates that at least one identifier (`Name`, `IPv4\ - \ Address`, or `IPv6 Address`) is present.\n - Validates the format of provided\ - \ IP addresses and ensures `Additional Parameters` is a valid JSON object.\n3.\ - \ **API Execution:** Constructs a payload and sends a POST request to the Infoblox\ - \ NIOS WAPI endpoint for `record:rpz:ptr`.\n4. **Output:** \n - On success,\ - \ it captures the created record's details.\n - Generates a data table titled\ - \ \"RPZ PTR Rule\" and attaches the full JSON response to the action results.\n\ - \ - Returns a success message indicating the rule was created." + ai_description: >- + Creates a reverse DNS lookup override (PTR rule) in a Response Policy Zone (RPZ) + within Infoblox NIOS. This action allows administrators to define custom DNS responses + for specific IP addresses, effectively managing DNS-based security policies. + + + ### Flow + + 1. Extracts and validates the required parameters: `PTR DName` and `RP Zone`. + + 2. Validates the provided `IPv4 Address` or `IPv6 Address` formats. + + 3. Ensures at least one of `Name`, `IPv4 Address`, or `IPv6 Address` is provided. + + 4. Sends a request to the Infoblox NIOS API to create the RPZ PTR rule. + + 5. Adds the creation result to the action output as a JSON object and a data table. + + + ### Parameters + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | PTR DName | string | Yes | The domain name of the RPZ substitute rule object + of the PTR record. | + + | RP Zone | string | Yes | The zone to assign the rule to. | + + | Name | string | No | The name of the RPZ Substitute rule object of the PTR record. + | + + | Comment | string | No | Comment for this rule. | + + | IPv4 Address | string | No | The IPv4 address of the substitute rule. | + + | IPv6 Address | string | No | The IPv6 address of the substitute rule. | + + | Additional Parameters | string | No | JSON object containing additional parameters + to create the response policy zone. | + + + ### Additional Notes + + At least one of 'Name', 'IPv4 Address', or 'IPv6 Address' must be provided for + the action to execute successfully. capabilities: can_create_case_comments: false can_create_insight: false @@ -738,12 +804,18 @@ Create RPZ PTR Rule: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new 'record:rpz:ptr' object in the Infoblox NIOS system, modifying - the DNS configuration of the specified Response Policy Zone. + Creates a new RPZ PTR rule in the Infoblox NIOS system. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the Infoblox API to create a new RPZ PTR + rule. It does not fetch data, nor does it modify internal SOAR case data or + entities. categories: enrichment: false + reasoning: >- + The action is a mutation action (creates a rule) and does not fetch data for + enrichment purposes. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -759,6 +831,9 @@ Create RPZ PTR Rule: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use or iterate over `target_entities`. It relies on user-provided + parameters. Create RPZ SRV Rule: action_product_categories: add_alert_comment: false @@ -774,6 +849,11 @@ Create RPZ SRV Rule: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action creates an SRV record in an RPZ. RPZ rules are a standard mechanism + for DNS-based filtering, redirection, and blocking, which aligns with the 'Add + IOC To Blocklist' category as it modifies DNS resolution behavior to influence + network traffic. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -789,68 +869,58 @@ Create RPZ SRV Rule: update_identity: false update_ticket: false ai_description: >- - Adds a Substitute (SRV Record) Rule to a Response Policy Zone (RPZ) in Infoblox - NIOS. This action allows security administrators to override service-based DNS - lookups by creating specific SRV records within a policy zone, which can be used - for redirection or policy enforcement. The action validates that numerical parameters - like Priority, Port, and Weight are within valid ranges before submitting the - request to the Infoblox WAPI. + Creates an SRV record override in a Response Policy Zone (RPZ) within Infoblox + NIOS. This action allows administrators to define service-based DNS lookups by + specifying the rule name, priority, port, weight, and target within a designated + RPZ. - ### Flow Description: + ### Flow Description - 1. **Parameter Extraction:** The action retrieves mandatory parameters including - the Rule Name, Priority, RP Zone, Port, Target, and Weight, along with optional - Comments and Additional Parameters. + 1. **Parameter Extraction**: The action retrieves the required configuration parameters + (Name, Priority, RP Zone, Port, Target, Weight) and optional parameters (Comment, + Additional Parameters) from the action settings. - 2. **Validation:** It validates that the Rule Name, RP Zone, and Target are non-empty - strings. It also ensures that Priority, Port, and Weight are valid non-negative - integers. + 2. **Validation**: It validates that the required strings are provided and that + numerical parameters (Priority, Port, Weight) are valid integers. - 3. **API Interaction:** It initializes the Infoblox API Manager and sends a POST - request to the `record:rpz:srv` endpoint to create the rule in the specified zone. + 3. **API Interaction**: It initializes the Infoblox API manager and sends a POST + request to create the SRV rule in the specified RPZ. - 4. **Result Processing:** If the rule is created successfully, the action returns - the raw JSON response and populates a data table with the rule's details (Reference - ID, Name, Target, Port, Priority, Weight, etc.). + 4. **Result Reporting**: Upon success, it adds the created rule details to the + action result as a JSON object and a data table for visibility. - ### Parameters Description: + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Name | string | True | The name of the SRV rule to create. | + | Name | string | Yes | The name of the rule. | - | Priority | string | True | The priority of the SRV record (must be a non-negative - integer). | + | Priority | string | Yes | The priority of the SRV record rule. | - | RP Zone | string | True | The name of the Response Policy Zone where the record - will reside. | + | RP Zone | string | Yes | The name of the response policy zone in which the record + resides. | - | Port | string | True | The port of the service (must be a non-negative integer). - | - - | Target | string | True | The target host or text associated with the SRV record. - | + | Port | string | Yes | The port of the SRV record rule. | - | Weight | string | True | The weight of the SRV record (must be a non-negative - integer). | + | Target | string | Yes | The target of the SRV record rule. | - | Comment | string | False | An optional descriptive comment for the rule. | + | Weight | string | Yes | The weight of the SRV record rule. | - | Additional Parameters | string | False | A JSON object containing any additional - Infoblox WAPI parameters for the record creation. | + | Comment | string | No | Text associated with the record. | + | Additional Parameters | string | No | JSON object containing additional parameters + to create the response policy zone. | - ### Additional Notes: - - The action automatically appends the RP Zone name to the Rule Name if it is - not already present to ensure the FQDN is correctly formatted for Infoblox. + ### Additional Notes - - Numerical parameters (Priority, Port, Weight) are accepted as strings but must - represent integers between 0 and 65535. + This action performs a write operation on the Infoblox NIOS system. Ensure the + provided credentials have sufficient permissions to create records in the target + RPZ. capabilities: can_create_case_comments: false can_create_insight: false @@ -859,12 +929,18 @@ Create RPZ SRV Rule: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new SRV record override (record:rpz:srv) within a Response Policy - Zone in the Infoblox NIOS system. + Creates a new SRV record override in the Infoblox Response Policy Zone. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the Infoblox API to create a new SRV record + rule. It does not fetch data from external systems, nor does it modify internal + SOAR case data, entities, or insights. categories: enrichment: false + reasoning: >- + The action is a mutation action that creates a new record in an external system. + It does not retrieve data for enrichment purposes. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -880,6 +956,9 @@ Create RPZ SRV Rule: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with or filter any entities. It operates solely + based on the input parameters provided in the action configuration. Create RPZ TXT Rule: action_product_categories: add_alert_comment: false @@ -895,6 +974,11 @@ Create RPZ TXT Rule: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action creates a specific DNS rule (RPZ TXT) in Infoblox. While RPZ is a + security control, this action is a generic rule creation and does not explicitly + map to the provided categories like 'Add IOC To Blocklist' (which implies a + specific blocklist management workflow) or others. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -910,50 +994,53 @@ Create RPZ TXT Rule: update_identity: false update_ticket: false ai_description: >- - Adds a TXT record rule to a Response Policy Zone (RPZ) in Infoblox NIOS. This - action allows users to associate specific text data with a DNS response, which - can be used for policy documentation, SPF records, or other informational purposes - within the DNS security framework. + ### General Description + + This action creates a new Response Policy Zone (RPZ) TXT rule within the Infoblox + NIOS system. It allows users to associate specific text data with a DNS response + by defining a rule within a designated RPZ zone. This is typically used for DNS-based + policy enforcement or information dissemination. - ### Flow Description: + ### Flow Description - 1. **Parameter Extraction:** Retrieves the RP Zone, Rule Name, Text content, and - optional comments or additional parameters from the action input. + 1. **Parameter Extraction**: The action extracts the required configuration parameters: + `RP Zone`, `Name`, `Text`, `Comment`, and `Additional Parameters`. - 2. **Validation:** Ensures mandatory fields (RP Zone, Name, Text) are provided - and that additional parameters are in valid JSON format. + 2. **Validation**: It validates that the mandatory string parameters (`RP Zone`, + `Name`, `Text`) are provided and that `Additional Parameters` is a valid JSON + object. - 3. **API Interaction:** Sends a POST request to the Infoblox NIOS WAPI (`/record:rpz:txt`) - to create the new rule. + 3. **API Interaction**: The action initializes the `APIManager` and sends a POST + request to the Infoblox NIOS API to create the RPZ TXT rule. - 4. **Result Processing:** Captures the API response, updates the action status, - and generates a data table containing the details of the created TXT rule. + 4. **Result Processing**: Upon success, it adds the created rule details as a + JSON result and a data table to the action output. If the operation fails, it + logs the error and sets the execution state to failed. - ### Parameters Description: + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | RP Zone | String | Yes | The specific Response Policy Zone where the rule will - be created. | + | RP Zone | String | Yes | The zone to assign the rule to. | - | Name | String | Yes | The name/owner of the TXT record. | + | Name | String | Yes | The name of the rule. | - | Text | String | Yes | The actual text data to be stored in the TXT record. | + | Text | String | Yes | Text associated with the record. | - | Comment | String | No | An optional descriptive comment for the rule. | + | Comment | String | No | Comment for this rule. | - | Additional Parameters | String | No | A JSON object containing any extra WAPI - parameters supported by Infoblox for this record type. | + | Additional Parameters | String | No | JSON object containing additional parameters + to create response policy zone. | - ### Additional Notes: + ### Additional Notes - * This action does not run on entities; it uses the provided parameters to create - the record directly. + This action does not operate on entities and is strictly a configuration mutation + action for the Infoblox NIOS appliance. capabilities: can_create_case_comments: false can_create_insight: false @@ -962,12 +1049,18 @@ Create RPZ TXT Rule: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new TXT record rule in the specified Response Policy Zone (RPZ) on - the Infoblox NIOS server via a POST request. + Creates a new RPZ TXT rule in the Infoblox NIOS system. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the Infoblox API to create a new RPZ TXT + rule. It does not fetch data from external systems, nor does it modify internal + SOAR case data or entities. categories: enrichment: false + reasoning: >- + The action is a mutation action (creates a rule) and does not fetch data for + enrichment, therefore it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -983,6 +1076,9 @@ Create RPZ TXT Rule: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with or filter any entities; it operates on configuration + parameters provided by the user. Create Response Policy Zone: action_product_categories: add_alert_comment: false @@ -998,6 +1094,10 @@ Create Response Policy Zone: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action creates a Response Policy Zone in Infoblox. This does not match any + of the provided categories (e.g., it is not an IOC blocklist, ticket, or identity + management action). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1013,66 +1113,56 @@ Create Response Policy Zone: update_identity: false update_ticket: false ai_description: >- - Creates a new Response Policy Zone (RPZ) in Infoblox NIOS to define custom DNS - responses. This action allows administrators to set up zones that can override - standard DNS resolution for security or policy enforcement purposes. It supports - configuring the zone's policy (e.g., NXDOMAIN, SUBSTITUTE), severity, and type - (LOCAL, FEED, or FIREEYE). - - - ### Flow Description: - - 1. **Parameter Extraction:** The action retrieves the FQDN, RPZ Policy, Severity, - Type, and other optional parameters like Substitute Name and Comment from the - user input. + Creates a new Response Policy Zone (RPZ) in the Infoblox NIOS system. This action + allows users to define custom DNS response policies by specifying the FQDN, policy + type, severity, and optional parameters like substitute names or comments. It + interacts with the Infoblox API to provision the zone and returns the created + zone details in a data table. - 2. **Validation:** It validates that the FQDN is provided and that 'Additional - Parameters' and 'Fireeye Rule Mapping' (if provided) are valid JSON objects. - 3. **API Interaction:** It uses the Infoblox NIOS API Manager to send a POST request - to the `/zone_rp` endpoint with the specified configuration. - - 4. **Result Processing:** Upon successful creation, the action retrieves the details - of the new RPZ, formats them into a data table, and returns the raw JSON result. - - - ### Parameters Description: + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | FQDN | String | Yes | The fully qualified domain name of the DNS zone to be - created. | + | FQDN | string | Yes | The name of this DNS zone in FQDN format. | - | Substitute Name | String | No | The alternative name of the redirect target - if the policy is set to SUBSTITUTE. | + | Substitute Name | string | No | The alternative name of the redirect target + as a substitute response policy zone. | - | Comment | String | No | A descriptive comment for the zone. | + | Comment | string | No | Comment for the zone. | - | RPZ Policy | DDL | No | The override policy (e.g., GIVEN, NXDOMAIN, PASSTHRU). - Default is GIVEN. | + | RPZ Policy | ddl | No | The override policy of the response policy zone. Options: + DISABLED, GIVEN, NODATA, NXDOMAIN, PASSTHRU, SUBSTITUTE. Default: GIVEN. | - | RPZ Severity | DDL | No | The severity level of the zone (e.g., CRITICAL, MAJOR). - Default is MAJOR. | + | RPZ Severity | ddl | No | The severity of the response policy zone. Options: + CRITICAL, MAJOR, WARNING, INFORMATIONAL. Default: MAJOR. | - | RPZ Type | DDL | No | The type of RPZ (LOCAL, FEED, or FIREEYE). Default is - LOCAL. | + | RPZ Type | ddl | No | The type of the Response Policy Zone. Options: FEED, FIREEYE, + LOCAL. Default: LOCAL. | - | Fireeye Rule Mapping | String | No | A JSON object defining rules to map FireEye - alerts to the zone. | + | Fireeye Rule Mapping | string | No | Rules to map FireEye alerts. | - | Additional Parameters | String | No | A JSON object containing any extra parameters - supported by the Infoblox WAPI for zone creation. | + | Additional Parameters | string | No | JSON object containing additional parameters + to create the response policy zone. | - ### Additional Notes: + ### Flow Description + + 1. **Parameter Extraction**: The action extracts the provided configuration parameters + (FQDN, policy, severity, etc.) from the action settings. - - This action is primarily used for infrastructure management and security policy - setup rather than direct incident enrichment. + 2. **Validation**: It validates the required FQDN string and parses optional JSON + parameters (FireEye mapping and Additional Parameters). - - The 'Additional Parameters' field allows for advanced configuration not explicitly - covered by the standard action parameters. + 3. **API Interaction**: It initializes the Infoblox API manager and sends a POST + request to the Infoblox NIOS API (`/zone_rp`) to create the new Response Policy + Zone. + + 4. **Result Processing**: Upon success, it adds the created zone details to the + action result as a JSON object and a data table. If the creation fails, it logs + the error and sets the execution state to failed. capabilities: can_create_case_comments: false can_create_insight: false @@ -1081,12 +1171,20 @@ Create Response Policy Zone: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new Response Policy Zone (RPZ) resource within the Infoblox NIOS environment - via a POST request. - fetches_data: true + Creates a new Response Policy Zone (RPZ) in the Infoblox NIOS system. + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the Infoblox API to create a new Response + Policy Zone (can_mutate_external_data=true). It does not fetch data from external + systems (fetches_data=false). It does not modify internal SOAR case data, entities, + or alerts (can_mutate_internal_data=false). categories: enrichment: false + reasoning: >- + The action creates a new resource in an external system (Infoblox) and does + not retrieve data or perform enrichment. Therefore, it is not an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1102,6 +1200,9 @@ Create Response Policy Zone: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on entities. It takes configuration parameters directly + from the action settings to perform its task. DHCP Lease Lookup: action_product_categories: add_alert_comment: false @@ -1117,10 +1218,14 @@ DHCP Lease Lookup: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves contextual metadata (DHCP lease info) for a resource (IP/MAC), + which aligns with the 'Enrich Asset' category. It does not perform threat intelligence + lookups (Enrich IOC), nor does it modify alerts, tickets, or external configurations. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false - search_asset: true + search_asset: false search_email: false search_events: false send_email: false @@ -1132,71 +1237,58 @@ DHCP Lease Lookup: update_identity: false update_ticket: false ai_description: >- - Retrieves DHCP lease details for a MAC or IP address from Infoblox NIOS. This - action allows analysts to query the Infoblox DHCP database to find active or historical - lease information associated with specific network identifiers. It supports filtering - by various attributes such as IP address, hardware MAC, hostname, and user identity. - + Retrieves DHCP lease details from Infoblox NIOS based on provided search criteria. + This action allows analysts to query for lease information using various identifiers + such as IP address, MAC address, hostname, or DUID. The action fetches the relevant + lease records from the Infoblox API and presents them in a structured table and + JSON format for further investigation. - ### Flow Description: - 1. **Parameter Initialization:** The action retrieves integration configuration - (API Root, credentials) and action-specific parameters (IP, MAC, Hostname, etc.). - - 2. **Validation:** It validates the format of the provided IP address and ensures - the 'Limit' parameter is a positive integer. + ### Flow Description - 3. **API Interaction:** The action connects to the Infoblox NIOS WAPI and performs - a GET request to the `/lease` endpoint. It uses a pagination mechanism to handle - large result sets up to the user-defined limit. + 1. **Parameter Extraction**: The action extracts search parameters (IP Address, + Hardware, Hostname, IPv6 DUID, Protocol, Fingerprint, Username, and Limit) from + the action configuration. - 4. **Data Processing:** Retrieved lease records are parsed into a structured data - model. + 2. **Validation**: It validates the provided parameters, ensuring the IP address + format is correct and the limit is a valid integer. - 5. **Output Generation:** The action populates the execution results with a raw - JSON array of lease details and creates a data table on the case wall showing - key fields like IP Address, Hardware, Client Hostname, and Binding State. + 3. **API Interaction**: It initializes the Infoblox API manager and performs a + GET request to the Infoblox `/lease` endpoint using the provided filters. + 4. **Result Processing**: The retrieved lease records are processed, converted + into a readable CSV format, and added to the action results as a data table and + raw JSON. - ### Parameters Description: + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | IP Address | string | No | The IPv4 or IPv6 address of the lease to look up. - | - - | Hardware | string | No | The MAC address for IPv4 leases. Supports regex or - exact search. | - - | Hostname | string | No | The hostname sent via DHCP option 12. Supports regex - or exact search. | + | IP Address | string | No | Lease IP address (IPv4 or IPv6). | - | IPv6 DUID | string | No | The IPv6 DUID identifier for IPv6 leases. Supports - regex or exact search. | + | Hardware | string | No | MAC address for IPv4 leases. Regex or exact search + supported. | - | Protocol | ddl | No | Filters results by protocol. Options: Both (default), - IPv4, IPv6. | - - | Fingerprint | string | No | The DHCP client fingerprint; supports case-insensitive - or regex search. | + | Hostname | string | No | Hostname sent via DHCP option 12. Regex/exact search. + | - | Username | string | No | The user associated with the lease request; supports - case-insensitive or regex search. | + | IPv6 DUID | string | No | IPv6 DUID identifier for IPv6 leases. Regex/exact + search. | - | Limit | string | No | Maximum number of objects to be returned (Default is 100). + | Protocol | ddl | No | One of: BOTH, IPV4, IPV6; exact match only. Default: Both. | + | Fingerprint | string | No | DHCP client fingerprint; case-insensitive or regex + search. | - ### Additional Notes: + | Username | string | No | User associated with lease request; case-insensitive/regex + search. | - * This action does not run on SecOps entities automatically; identifiers must - be provided as manual input parameters. - - * If no results are found, the action will complete successfully with an informative - message. + | Limit | string | No | Maximum numbers of objects to be returned. Default: 100. + | capabilities: can_create_case_comments: false can_create_insight: false @@ -1207,8 +1299,16 @@ DHCP Lease Lookup: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Infoblox API to retrieve DHCP lease + information. It does not modify any external systems, nor does it update internal + SOAR entities, insights, or case data. It is a read-only lookup action. categories: enrichment: true + reasoning: >- + The action fetches data from an external source (Infoblox) to provide context + (DHCP lease details). It does not mutate external systems or modify internal + SOAR data, satisfying the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1224,6 +1324,10 @@ DHCP Lease Lookup: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities`. It relies entirely + on user-provided parameters to perform its lookup, therefore it does not run + on specific entity types. Delete RPZ Rule: action_product_categories: add_alert_comment: false @@ -1239,6 +1343,10 @@ Delete RPZ Rule: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action deletes an RPZ rule in Infoblox. RPZ rules are typically used for + DNS-based blocking. Deleting such a rule is equivalent to removing an IOC from + a blocklist. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: true reset_identity_password: false @@ -1254,42 +1362,33 @@ Delete RPZ Rule: update_identity: false update_ticket: false ai_description: >- - Deletes a Response Policy Zone (RPZ) rule from Infoblox NIOS. This action uses - the unique reference ID of a rule to remove it from the specified RPZ, effectively - reversing DNS-based blocking or redirection policies associated with that rule. - It supports all RPZ record types by targeting the specific object reference provided - by the user. + Deletes a specific Response Policy Zone (RPZ) rule from the Infoblox NIOS system + using the provided Reference ID. This action interacts with the Infoblox API to + remove the rule, effectively modifying the external DNS filtering configuration. ### Parameters - | Parameter | Description | Type | Mandatory | Notes | + | Parameter | Type | Mandatory | Description | - | --- | --- | --- | --- | --- | + | :--- | :--- | :--- | :--- | - | Reference ID | The unique WAPI reference ID of the RPZ rule to be deleted (e.g., - `record:rpz:cname/ZG5zLm5ldHdvcmtfcG9saWN5X3pvbmUkLl9kZWZhdWx0LmNvbS5leGFtcGxl:example.com`). - | String | Yes | This ID is typically obtained from search or creation actions. - | + | Reference ID | string | Yes | The unique reference ID of the RPZ rule to be + deleted. | ### Flow Description - 1. **Parameter Extraction:** The action retrieves the `Reference ID` from the - input parameters and the integration configuration (API Root, Username, Password). - - 2. **Validation:** It ensures the `Reference ID` is a non-empty string. + 1. The action extracts the 'Reference ID' parameter provided by the user. - 3. **API Interaction:** The action initializes the `APIManager` and sends a `DELETE` - request to the Infoblox WAPI endpoint corresponding to the provided reference - ID. + 2. It initializes the `APIManager` using the configured Infoblox NIOS integration + credentials. - 4. **Error Handling:** If the reference ID is not found (404), it returns a specific - 'not found' message. Other API errors or connection issues are caught and reported - as failures. + 3. It executes a DELETE request to the Infoblox API using the provided 'Reference + ID' to remove the corresponding RPZ rule. - 5. **Completion:** The action concludes by providing a success message if the - rule was successfully deleted. + 4. The action returns a success message if the deletion is successful, or an error + message if the rule is not found or if the API request fails. capabilities: can_create_case_comments: false can_create_insight: false @@ -1298,12 +1397,18 @@ Delete RPZ Rule: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Deletes a specific RPZ rule (DNS record) from the Infoblox NIOS server, which - modifies the active DNS response policy configuration. + Deletes an RPZ rule from the Infoblox NIOS system. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a DELETE request to the Infoblox API to remove a specific + RPZ rule. It does not fetch data, nor does it modify internal SOAR entities + or case data. categories: enrichment: false + reasoning: >- + The action performs a mutation (deletion) on an external system and does not + retrieve data for enrichment purposes. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1319,6 +1424,9 @@ Delete RPZ Rule: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on entities. It uses a direct input parameter 'Reference + ID' to identify the rule to delete. Delete Response Policy Zone: action_product_categories: add_alert_comment: false @@ -1334,6 +1442,10 @@ Delete Response Policy Zone: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action deletes a Response Policy Zone in Infoblox. This is a configuration + management task and does not align with the provided SOC response categories + such as enrichment, ticket management, or host containment. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1349,48 +1461,32 @@ Delete Response Policy Zone: update_identity: false update_ticket: false ai_description: >- - Deletes an existing Response Policy Zone (RPZ) from Infoblox NIOS using its unique - reference ID. This action is used to clean up or remove DNS security policies - that are no longer required. - - - ### Flow Description: + Deletes a specific Response Policy Zone (RPZ) from the Infoblox NIOS system. This + action is used to remove existing policy zones by their reference ID. - 1. **Parameter Extraction:** The action retrieves the `Reference ID` from the - input parameters. - 2. **Validation:** It validates that the `Reference ID` is a non-empty string. - - 3. **API Initialization:** Initializes the Infoblox API Manager using the integration's - configuration (API Root, Username, Password). - - 4. **Execution:** Sends a `DELETE` request to the Infoblox WAPI endpoint associated - with the provided reference ID. - - 5. **Error Handling:** If the reference ID is not found (404), it returns a specific - 'not found' message. Other API or connection errors are caught and reported as - failures. + ### Parameters + | Parameter | Type | Mandatory | Description | - ### Parameters Description: + | :--- | :--- | :--- | :--- | - | Parameter Name | Description | Type | Mandatory | Notes | + | Reference ID | string | Yes | The unique reference ID of the Response Policy + Zone to be deleted. | - | :--- | :--- | :--- | :--- | :--- | - | Reference ID | The unique WAPI reference ID of the response policy zone to be - deleted (e.g., `zone_rp/ZG5zLnpvbmUkLl9kZWZhdWx0LmNvbS5leGFtcGxlLnJwei:example.rpz/default`). - | String | Yes | This ID is typically obtained from a previous 'Search' or 'Get - Details' action. | + ### Flow Description + 1. The action extracts the `Reference ID` from the provided parameters. - ### Additional Notes: + 2. It initializes the `APIManager` using the integration's configuration (API + root, credentials, and SSL settings). - - This action does not run on entities; it requires a specific Reference ID as - input. + 3. It sends a `DELETE` request to the Infoblox API endpoint corresponding to the + provided `Reference ID`. - - Deleting a Response Policy Zone is a destructive operation and cannot be undone - via this action. + 4. The action handles potential errors, such as `ItemNotFoundException` if the + zone does not exist, or general API errors, and returns a success or failure status. capabilities: can_create_case_comments: false can_create_insight: false @@ -1399,11 +1495,20 @@ Delete Response Policy Zone: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Deletes a Response Policy Zone (RPZ) configuration from the Infoblox NIOS server. + Removes an existing Response Policy Zone from the Infoblox system using the + provided reference ID. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a DELETE request to the Infoblox API to remove a Response + Policy Zone. It does not fetch data, nor does it modify any internal SOAR data + or entities. categories: enrichment: false + reasoning: >- + The action is a management/mutation action that deletes data in an external + system. It does not fetch data and does not meet the criteria for an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1419,6 +1524,9 @@ Delete Response Policy Zone: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with the `target_entities` list. It operates based + on a provided `Reference ID` parameter. Get Response Policy Zone Details: action_product_categories: add_alert_comment: false @@ -1434,6 +1542,10 @@ Get Response Policy Zone Details: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves configuration details for a Response Policy Zone. It does + not match any of the defined categories such as Enrich IOC, Enrich Asset, or + Update Alert, as it is a specific configuration retrieval task for DNS infrastructure. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1449,62 +1561,48 @@ Get Response Policy Zone Details: update_identity: false update_ticket: false ai_description: >- - ### General Description + Retrieves configuration details for a specified Response Policy Zone (RPZ) from + the Infoblox NIOS system. This action allows users to query for RPZ information + based on specific filters such as FQDN, DNS view, or comments. - Retrieves configuration details for Response Policy Zones (RPZ) from Infoblox - NIOS. This action is used to query the Infoblox environment for specific DNS zones - to inspect their security policies, severity settings, and operational status. - It is a read-only action intended for configuration auditing and visibility within - the security operations workflow. + ### Flow Description - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | + 1. The action extracts the provided input parameters: `FQDN`, `View`, `Comment`, + and `Limit`. - | FQDN | string | No | The name of the DNS zone in FQDN format. If provided, filters - results to this specific zone. | + 2. It initializes a connection to the Infoblox NIOS API using the configured credentials. - | View | string | No | The name of the DNS view in which the zone resides (e.g., - "external"). If not provided, the action defaults to the "default" view. | + 3. It performs a GET request to the Infoblox API to retrieve the RPZ details matching + the provided filters. - | Comment | string | No | A comment string used to filter the zones. This allows - for searching zones based on administrative notes. | + 4. If RPZ zones are found, it formats the results into a JSON object and a data + table for display in the action results. - | Limit | string | No | The maximum number of objects to be returned by the query. - Defaults to "100". | + 5. If no zones are found, it returns an appropriate message. - ### Additional Notes + ### Parameters - - This action does not process or require any Google SecOps entities (such as - IP or Hostname) to execute. + | Parameter | Type | Mandatory | Description | - - The data table displayed in the interface is limited to the first 20 records - found for performance reasons, while the full JSON result contains all retrieved - records up to the specified limit. + | :--- | :--- | :--- | :--- | + | FQDN | string | No | The FQDN of the DNS zone to retrieve. | - ### Flow Description + | View | string | No | The name of the DNS view in which the zone resides (default: + "default"). | - 1. **Initialize Manager:** Connects to the Infoblox NIOS API using the provided - credentials and API root configuration. + | Comment | string | No | A comment to filter the zones by. | - 2. **Validate Inputs:** Extracts user-provided parameters and ensures the 'Limit' - parameter is a valid positive integer. + | Limit | string | No | The maximum number of objects to be returned (default: + "100"). | - 3. **Query Infoblox:** Sends a GET request to the `/zone_rp` endpoint. If filters - (FQDN, View, Comment) are provided, they are included as query parameters to narrow - the search. - 4. **Paginate Results:** If the number of results exceeds the internal page size, - the action automatically handles pagination to retrieve all records up to the - user-defined limit. + ### Additional Notes - 5. **Format Output:** Converts the raw API response into a structured JSON result - and a flattened data table for display in the Google SecOps case wall. + This action is a read-only operation and does not modify any data on the Infoblox + appliance or within the Google SecOps platform. capabilities: can_create_case_comments: false can_create_insight: false @@ -1515,8 +1613,17 @@ Get Response Policy Zone Details: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Infoblox API to retrieve configuration + details for Response Policy Zones. It does not modify any external system state + (no POST/PUT/DELETE), nor does it modify internal Google SecOps data (no entity + updates, insights, or case comments). categories: - enrichment: true + enrichment: false + reasoning: >- + The action retrieves configuration data from an external system but does not + perform enrichment on specific entities or alerts within the SOAR platform. + It is a general information retrieval action, not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1532,6 +1639,9 @@ Get Response Policy Zone Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with or filter by any Google SecOps entities. It + operates independently of the target_entities list. IP Lookup: action_product_categories: add_alert_comment: false @@ -1547,10 +1657,14 @@ IP Lookup: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves contextual metadata (IPAM info) for an IP address, which + aligns with 'Enrich Asset' (contextual metadata for a resource) and 'Enrich + IOC' (reputation/prevalence/intelligence for an indicator). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false - search_asset: true + search_asset: false search_email: false search_events: false send_email: false @@ -1562,71 +1676,67 @@ IP Lookup: update_identity: false update_ticket: false ai_description: >- - The **IP Lookup** action retrieves detailed IP Address Management (IPAM) information - from Infoblox NIOS for a specific IP address, a network, or a range of IP addresses. - It allows analysts to query the Infoblox database to identify the status, MAC - address, associated names, and extended attributes of network assets. The action - supports both IPv4 and IPv6 lookups and provides results in both a structured - data table and raw JSON format. + Retrieves IP Address Management (IPAM) information from Infoblox NIOS for a specified + IP address, network, or IP range. This action provides contextual metadata such + as IP status, usage, MAC address, and extended attributes, which helps in identifying + and managing network resources. ### Flow Description - 1. **Parameter Validation**: The action ensures that exactly one search criteria - is provided: either an `IP Address`, a `Network` (CIDR), or an IP range (`From - IP` and `To IP`). It also validates the format of the provided IP/Network strings. + 1. **Parameter Extraction**: The action extracts configuration parameters (API + root, credentials) and action parameters (IP Address, Network, From/To IP, Status, + Extended Attributes, Limit). - 2. **API Connection**: Initializes a connection to the Infoblox NIOS WAPI using - the provided integration credentials. + 2. **Validation**: It validates that at least one of the primary search parameters + (IP Address, Network, or IP Range) is provided and ensures that only one is specified. + It also validates the format of the provided IP addresses, networks, and the limit + integer. - 3. **Data Retrieval**: Executes a GET request to the appropriate Infoblox endpoint - (`ipv4address` or `ipv6address`) with the specified filters (Status, Extended - Attributes) and pagination limits. + 3. **API Interaction**: The action initializes the Infoblox API manager and performs + a lookup request to the Infoblox NIOS server based on the provided criteria. - 4. **Data Processing**: Parses the API response, converting raw data into `IPLookup` - models which include fields like MAC Address, Usage, and Conflict status. + 4. **Data Processing**: The retrieved records are processed into a structured + format, and the raw JSON response is added to the action results. - 5. **Output Generation**: Populates a Google SecOps data table with the first - 20 records and attaches the full result set as a JSON object to the action output. + 5. **Output Generation**: The action generates a data table containing the IPAM + details (Reference ID, IP Address, Status, Types, Network, MAC Address, Names, + Usage, Comment, Is Conflict, Extended Attributes) and displays it in the action + results. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **IP Address** | String | No | The specific IP address to retrieve information - for. Cannot be used with Network or Range parameters. | + | IP Address | string | No | The IP address to retrieve information for. Cannot + be used with Network or IP Range. | - | **Network** | String | No | The network in FQDN/CIDR format (e.g., 192.168.1.0/24). - Cannot be used with IP or Range parameters. | + | Network | string | No | The network in FQDN/CIDR format. Cannot be used with + IP Address or IP Range. | - | **From IP** | String | No | The start of an IP range. Must be used with 'To - IP'. | + | From IP | string | No | The beginning of the IP range. Must be used with To + IP. | - | **To IP** | String | No | The end of an IP range. Must be used with 'From IP'. - | + | To IP | string | No | The end of the IP range. Must be used with From IP. | - | **Status** | DDL | No | Filters results by device status: All, Active, Used, - or Unused. Default is 'All'. | + | Status | ddl | No | The status of the IP device (All, Active, Used, Unused). + Default is 'All'. | - | **Limit** | String | No | Maximum number of objects to return from the API. - Default is 100. | + | Extended Attributes | string | No | Comma-separated key/value formatted filter + for extended attributes (e.g., 'Site=New York'). | - | **Extended Attributes** | String | No | Comma-separated key/value pairs to filter - by Infoblox extended attributes (e.g., 'Site=New York'). | + | Limit | string | No | Maximum number of objects to be returned. Default is '100'. + | ### Additional Notes - * **Mutual Exclusivity**: You must provide exactly one of the following: `IP - Address`, `Network`, or the pair of `From IP` and `To IP`. Providing more than - one set or none at all will result in an execution failure. - - * **Table Limits**: While the action can fetch many records based on the `Limit` - parameter, only the first 20 records are displayed in the UI data table for performance - reasons. + Either the 'IP Address', 'Network', or the 'From IP'/'To IP' pair must be configured + for the action to run. Specifying more than one of these sets will result in an + error. capabilities: can_create_case_comments: false can_create_insight: false @@ -1637,8 +1747,16 @@ IP Lookup: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Infoblox API to retrieve IPAM information. + It does not modify any external systems (no POST/PUT/DELETE). It does not modify + internal SOAR data (entities, insights, or case comments), only adding result + data (JSON and table) to the action output. categories: enrichment: true + reasoning: >- + The action fetches data from an external system (Infoblox) and does not mutate + any external or internal data. It meets the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1654,6 +1772,10 @@ IP Lookup: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities`. It uses `extract_action_param` + to retrieve parameters directly from the action configuration. Therefore, it + does not run on entities. List Host Info: action_product_categories: add_alert_comment: false @@ -1669,6 +1791,11 @@ List Host Info: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves host records (hostname, IP, attributes) from Infoblox, + which provides contextual metadata for a resource, matching the 'Enrich Asset' + category. It also searches for the asset in the product, matching the 'Search + Asset' category. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1684,58 +1811,52 @@ List Host Info: update_identity: false update_ticket: false ai_description: >- - ### General Description - - Retrieves host records from Infoblox NIOS, providing detailed information such - as hostnames, associated IPv4/IPv6 addresses (A/AAAA records), PTR records, DNS - view information, and configured extensible attributes. This action allows for - flexible searching of the IPAM database to identify and enrich asset information - based on specific criteria. + Retrieves host records from Infoblox NIOS, including hostname, associated IPv4/IPv6 + addresses, PTR records, DNS view information, and configured extensible attributes. + This action allows users to query the Infoblox database based on specific host + identifiers or attributes to gather contextual information about network assets. ### Flow Description - 1. **Parameter Extraction**: The action retrieves search criteria from the user, - including hostname, IPv4/IPv6 addresses, and extended attribute filters. + 1. **Parameter Extraction**: The action extracts configuration parameters (API + root, credentials) and action-specific parameters (Name, IPv4 Address, IPv6 Address, + Extended Attributes, Limit). - 2. **Validation**: Validates the format of provided IP addresses and ensures the - limit parameter is a valid integer. + 2. **Validation**: Validates the provided IP addresses and the limit parameter + to ensure they meet the required format and constraints. - 3. **API Request**: Queries the Infoblox WAPI `/record:host` endpoint using the - provided filters and pagination logic to handle large result sets. + 3. **API Interaction**: Connects to the Infoblox NIOS API to search for host records + matching the provided criteria. - 4. **Data Processing**: Parses the raw API response into structured host objects, - extracting key fields like DNS views, aliases, and attributes. + 4. **Result Processing**: If records are found, it formats the data into a CSV-compatible + table and a JSON object, which are then added to the action results for the analyst + to review. - 5. **Output Generation**: Adds the full JSON response to the action results and - creates a formatted data table for the first 20 records found. + ### Parameters - ### Parameters Description - - | Parameter | Description | Expected Type | Mandatory | Default | + | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | :--- | + | :--- | :--- | :--- | :--- | - | IPv4 Address | Filter host records by a specific IPv4 address. | String | No - | N/A | + | Name | String | No | The hostname for the record. | - | Name | Filter host records by hostname. | String | No | N/A | + | IPv4 Address | String | No | IPv4 address information. | - | IPv6 Address | Filter host records by a specific IPv6 address. | String | No - | N/A | + | IPv6 Address | String | No | IPv6 address information. | - | Extended Attributes | Comma-separated key/value pairs for filtering by extensible - attributes (e.g., "Site=New York"). | String | No | N/A | + | Extended Attributes | String | No | Comma-separated key/value formatted filter + for extended attributes, e.g., "Site=New York,OtherProp=MyValue". | - | Limit | The maximum number of host records to return. | String | No | 100 | + | Limit | String | No | Maximum number of objects to be returned. Defaults to + 100. | ### Additional Notes - This action does not automatically process entities from the SecOps case. It relies - entirely on the input parameters provided in the action configuration to perform - the search. + This action is read-only and does not modify any data in Infoblox or the SOAR + platform. It is designed to provide asset context. capabilities: can_create_case_comments: false can_create_insight: false @@ -1746,8 +1867,17 @@ List Host Info: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Infoblox API to retrieve host information. + It does not perform any POST, PUT, or DELETE operations, meaning it does not + mutate external data. It does not modify internal SOAR data (entities, insights, + or case comments), it only adds result data (tables/JSON) to the action output. categories: enrichment: true + reasoning: >- + The action fetches contextual data (host records) from an external system (Infoblox) + to assist in investigations. It does not mutate external systems or modify internal + SOAR data. Therefore, it qualifies as an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1763,6 +1893,10 @@ List Host Info: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or process `siemplify.target_entities`. It + relies entirely on user-provided input parameters (Name, IP addresses) to perform + its query. List Network Info: action_product_categories: add_alert_comment: false @@ -1774,10 +1908,15 @@ List Network Info: disable_identity: false download_file: false enable_identity: false - enrich_asset: false + enrich_asset: true enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves network configuration metadata from Infoblox, which aligns + with the 'Enrich Asset' category (returning contextual metadata for a resource). + It does not search for assets associated with an alert, nor does it search historical + logs/telemetry events. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1793,61 +1932,39 @@ List Network Info: update_identity: false update_ticket: false ai_description: >- - ### General Description + Lists defined IPv4/IPv6 networks and subnets in Infoblox IPAM. This action retrieves + network configuration details based on provided filters and displays them in a + table format. - The **List Network Info** action retrieves a list of defined IPv4 and IPv6 networks - and subnets from the Infoblox NIOS IPAM (IP Address Management) system. It allows - analysts to search for specific network ranges using CIDR notation or filter results - based on custom extended attributes defined within Infoblox. The action is primarily - used for visibility and discovery of network infrastructure directly from the - SOAR platform. + ### Flow - ### Flow Description - - 1. **Parameter Initialization:** The action extracts the `Network` CIDR, `Limit`, - and `Extended Attributes` from the user input. + 1. Extracts action parameters: `Network`, `Extended Attributes`, and `Limit`. - 2. **Validation:** It validates that the `Limit` is a positive integer and ensures - the `Network` parameter (if provided) conforms to valid CIDR formatting. + 2. Validates the `Limit` and `Network` address format. - 3. **API Interaction:** The action connects to the Infoblox WAPI and performs - a GET request to the `/network` endpoint. It applies filters based on the provided - network address and parses the `Extended Attributes` string into the format required - by the Infoblox API. + 3. Queries the Infoblox API to retrieve network information matching the criteria. - 4. **Pagination:** If the result set is large, the action utilizes the Infoblox - paging mechanism to fetch records up to the specified `Limit`. + 4. Adds the raw JSON results to the action output. - 5. **Data Output:** The retrieved network details (such as network address, view, - utilization, and comments) are added to the action's JSON results and displayed - in a structured data table named "Networks". + 5. If networks are found, formats the data into a table and adds it to the action + output. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | - - | Network | String | No | The network address in CIDR notation (e.g., "192.168.1.0/24"). - If provided, the search is restricted to this specific network. | - - | Limit | String | No | The maximum number of network objects to return. Defaults - to 100 if not specified. | - - | Extended Attributes | String | No | A comma-separated list of key/value pairs - (e.g., "Site=New York,Department=IT") used to filter networks based on Infoblox - metadata. | + | --- | --- | --- | --- | + | Network | string | No | The network address in CIDR notation (e.g., "192.168.1.0/24"). + | - ### Additional Notes - - * This action does not run on specific entities; it is a general search utility - that takes string inputs to query the IPAM database. + | Limit | string | No | Maximum number of objects to be returned. Defaults to + 100. | - * The data table in the SOAR interface will display up to 20 records for readability, - while the full result set is available in the JSON output. + | Extended Attributes | string | No | Comma-separated key/value formatted filter + for extended attributes (e.g., "Site=New York"). | capabilities: can_create_case_comments: false can_create_insight: false @@ -1858,8 +1975,16 @@ List Network Info: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Infoblox API to retrieve network information. + It does not modify any external systems or internal SOAR data (entities, insights, + comments). categories: enrichment: false + reasoning: >- + The action does not operate on entities (it does not take entities as input + or update them). Therefore, it does not meet the criteria for an Enrichment + Action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1875,6 +2000,9 @@ List Network Info: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not reference `siemplify.target_entities` and operates independently + of any specific entity. Ping: action_product_categories: add_alert_comment: false @@ -1890,6 +2018,10 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test ('Ping'). It does not fetch IOC data, update + alerts, or perform any of the other listed actions. It is a diagnostic tool + and does not match any of the defined product categories. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1904,25 +2036,36 @@ Ping: update_email: false update_identity: false update_ticket: false - ai_description: "### General Description\nThe **Ping** action is a diagnostic tool\ - \ used to verify the connectivity between the Google SecOps environment and the\ - \ Infoblox NIOS server. It ensures that the provided integration configuration\ - \ parameters (API Root, Username, and Password) are correct and that the Infoblox\ - \ API is reachable.\n\n### Parameters Description\nThere are no action-specific\ - \ parameters for this action. It relies entirely on the integration's global configuration\ - \ settings.\n\n### Additional Notes\n* This action performs a simple `GET` request\ - \ to the Infoblox WAPI schema endpoint (`/?_schema`) to validate the connection.\n\ - * It does not interact with or modify any DNS records, DHCP leases, or network\ - \ configurations.\n\n### Flow Description\n1. **Parameter Extraction:** The action\ - \ retrieves the global integration configuration, including the API Root, Username,\ - \ and Password.\n2. **Manager Initialization:** An instance of the `APIManager`\ - \ is initialized using the extracted credentials.\n3. **Connectivity Test:** The\ - \ action calls the `test_connectivity` method, which executes a `GET` request\ - \ to the Infoblox API schema endpoint.\n4. **Result Handling:** \n * If the\ - \ request is successful, the action returns a success message and sets the result\ - \ value to `True`.\n * If the request fails (e.g., due to network issues or\ - \ invalid credentials), the action catches the exception, logs the error, and\ - \ returns a failure message with the result value set to `False`." + ai_description: >- + ### General Description + + This action tests the connectivity between the Google SecOps platform and the + Infoblox NIOS server. It verifies that the provided credentials and API root are + valid by attempting to retrieve the API schema. + + + ### Parameters Description + + There are no parameters for this action. + + + ### Additional Notes + + This action is intended for diagnostic purposes to ensure the integration is configured + correctly. + + + ### Flow Description + + 1. Extracts the integration configuration parameters (API Root, Username, Password) + from the environment. + + 2. Initializes the `APIManager` with the provided credentials. + + 3. Executes a `GET` request to the Infoblox API schema endpoint (`/?_schema`). + + 4. Returns a success message if the connection is established, or a failure message + if an exception occurs. capabilities: can_create_case_comments: false can_create_insight: false @@ -1933,8 +2076,16 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to verify connectivity to the Infoblox server. + It does not modify any external or internal data, nor does it update entities + or create insights. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action. According to the instructions, 'Actions named + Ping must not be categorized as enrichment actions.' Therefore, it is not an + enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1950,6 +2101,9 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `target_entities` or use any entity-specific + identifiers. It is a global connectivity test. Search RPZ Rule: action_product_categories: add_alert_comment: false @@ -1965,6 +2119,10 @@ Search RPZ Rule: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action searches for RPZ rules in Infoblox. It does not match any of the + provided categories (e.g., it is not an IOC enrichment, asset enrichment, or + alert update). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1980,61 +2138,55 @@ Search RPZ Rule: update_identity: false update_ticket: false ai_description: >- - Searches for specific Response Policy Zone (RPZ) rules within Infoblox NIOS. This - action allows analysts to query the Infoblox WAPI for various RPZ record types - (such as A, AAAA, CNAME, MX, etc.) based on a rule name and specific object types. - It retrieves detailed configuration data for the matching rules, which can be - used to verify existing security policies or prepare for rule modifications. + ### General Description + + This action searches for Response Policy Zone (RPZ) rules within the Infoblox + NIOS platform based on user-defined criteria. It allows users to query specific + object types and filter by rule name, returning the results in both JSON format + and a structured data table for easy analysis. - ### Flow Description: + ### Flow Description - 1. **Parameter Initialization:** The action retrieves the Infoblox API credentials - and the user-provided search criteria, including the object type, rule name, and - desired output fields. + 1. The action initializes the connection to the Infoblox NIOS API using the provided + credentials. - 2. **Validation:** It validates the 'Limit' parameter to ensure it is a positive - integer. + 2. It extracts the action parameters: `Object Type` (mandatory), `Rule Name`, + `Output Fields`, and `Limit`. - 3. **API Query:** The action performs a GET request to the Infoblox WAPI, utilizing - pagination if the number of results exceeds the page size, up to the specified - limit. + 3. It validates the `Limit` parameter to ensure it is a positive integer. - 4. **Data Processing:** The retrieved rule data is processed and formatted. If - specific output fields were requested, they are included alongside default fields - like 'name' and 'view'. + 4. It constructs the API request with the specified filters. - 5. **Output Generation:** The results are attached to the action as a JSON result - and displayed in a structured data table named 'RPZ Rules' within the SOAR interface. + 5. It executes the search query against the Infoblox API. + 6. If results are found, it formats them into a data table and adds the raw JSON + results to the action output. - ### Parameters Description: + + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Object Type** | DDL | Yes | The specific Infoblox RPZ object type to search - for (e.g., `record:rpz:cname`, `record:rpz:a`, `record:rpz:txt`). | - - | **Rule Name** | String | No | The full name of the rule to search for (e.g., - `malicious.domain.com.rpz_zone`). If omitted, the action may return all rules - of the specified type depending on server configuration. | + | Object Type | String | Yes | The Infoblox object type to search (e.g., `record:rpz:cname`). + | - | **Output Fields** | String | No | A comma-separated list of additional fields - to include in the response (e.g., `comment`, `disable`). | + | Rule Name | String | No | The full rule name to search for. | - | **Limit** | String | No | The maximum number of rule objects to return. Defaults - to 100. | + | Output Fields | String | No | Comma-separated fields to include in the returned + object. | + | Limit | String | No | Maximum number of objects to be returned (default: 100). + | - ### Additional Notes: - * This action does not run on entities; it is a standalone search utility based - on the provided parameters. + ### Additional Notes - * The data table displays a maximum of 20 records for readability, while the full - result set is available in the JSON output. + The `Limit` parameter must be a positive integer. If not provided, it defaults + to 100. The `Object Type` parameter is mandatory and must be one of the supported + Infoblox object types. capabilities: can_create_case_comments: false can_create_insight: false @@ -2045,8 +2197,16 @@ Search RPZ Rule: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Infoblox API to search for RPZ rules. + It does not modify any external or internal data. It does not interact with + SOAR entities. categories: - enrichment: true + enrichment: false + reasoning: >- + The action does not operate on SOAR entities (it does not use `target_entities`), + and it does not enrich existing alert or entity data. Therefore, it is not an + enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -2062,11 +2222,14 @@ Search RPZ Rule: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not reference `target_entities` or perform any operations on SOAR + entities. It is a standalone search action. Update RPZ CNAME Rule: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false - add_ioc_to_blocklist: true + add_ioc_to_blocklist: false contain_host: false create_ticket: false delete_email: false @@ -2077,6 +2240,10 @@ Update RPZ CNAME Rule: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action updates an existing RPZ CNAME rule in Infoblox. This is a configuration + change on an external security appliance. It does not match any of the specific + categories like 'Enrich IOC', 'Contain Host', or 'Update Ticket'. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -2093,70 +2260,57 @@ Update RPZ CNAME Rule: update_ticket: false ai_description: >- Updates an existing Response Policy Zone (RPZ) CNAME rule in Infoblox NIOS to - modify DNS response behavior. This action allows analysts to change the policy - of a specific DNS rule, such as switching between blocking, passing through, or - substituting domain names. It interacts with the Infoblox WAPI using a PUT request - to apply changes to the rule identified by its Reference ID. + modify DNS behavior. This action performs a configuration update on the external + Infoblox system based on the provided parameters. - ### Flow Description: + ### Flow - 1. **Parameter Extraction:** The action retrieves the Reference ID, Rule Type, - Name, RP Zone, and other optional parameters from the user input. + 1. Extract action parameters (Reference ID, Rule Type, Name, RP Zone, etc.) from + the configuration. - 2. **Validation:** It validates that mandatory fields (Reference ID, Name, RP - Zone) are provided and that 'Additional Parameters' is a valid JSON object. It - also ensures that a 'Substitute Name' is provided if the 'Substitute (Domain name)' - rule type is selected. + 2. Validate that mandatory parameters (Reference ID, Name, RP Zone) are provided. - 3. **Canonical Mapping:** Based on the selected 'Rule Type', the action determines - the correct 'canonical' value (e.g., '*' for Block No Data, 'rpz-passthru' for - Passthru, or the provided Substitute Name). + 3. Parse any additional parameters provided as a JSON string. - 4. **API Execution:** It calls the Infoblox API via a PUT request to update the - specific rule record. + 4. Call the Infoblox API to update the specified RPZ CNAME rule using a PUT request. - 5. **Output Generation:** Upon success, the action returns the updated rule details - in a JSON format and populates a data table for the analyst. + 5. Add the result JSON and a data table containing the updated rule details to + the action output. - ### Parameters Description: + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Reference ID | String | Yes | The unique reference ID of the existing RPZ rule - to be updated. | - - | Rule Type | DDL | Yes | The desired DNS behavior: Passthru, Block (No such Domain), - Block (No data), or Substitute (Domain name). | + | Reference ID | string | Yes | The reference ID of the existing RPZ rule to update. + | - | Name | String | Yes | The rule name in FQDN format. | + | Rule Type | ddl | Yes | The type of the rule to update (Passthru, Block (No + such Domain), Block (No data), Substitute (Domain name)). | - | RP Zone | String | Yes | The Response Policy Zone to which the rule belongs. - | + | Name | string | Yes | The rule name in a FQDN format. | - | Comment | String | No | An optional comment to associate with the rule. | + | RP Zone | string | Yes | The zone to assign the rule to. | - | Substitute Name | String | No | The domain name to substitute. **Mandatory** - if Rule Type is 'Substitute (Domain name)'. | + | Comment | string | No | Comment for this rule. | - | View | String | No | The DNS view where the record is located. Defaults to 'default'. - | + | Substitute Name | string | No | The substitute name to assign (substitute domain + only). | - | Additional Parameters | String | No | A JSON object containing any extra parameters - supported by the Infoblox WAPI for RPZ rules. | + | View | string | No | The DNS view in which the records are located. Defaults + to 'default'. | + | Additional Parameters | string | No | JSON object containing additional parameters + to update the RPZ rule. | - ### Additional Notes: - - The 'Substitute (Domain name)' rule type is only applicable to standard CNAME - rules and cannot be used if the Reference ID points to an IP Address or Client - IP Address object type. + ### Additional Notes - - If the 'Rule Type' is 'Passthru' and the reference ID indicates a client IP - address, the canonical value is automatically set to 'rpz-passthru'. + This action performs a direct mutation on the Infoblox NIOS system. Ensure the + provided Reference ID corresponds to an existing rule. capabilities: can_create_case_comments: false can_create_insight: false @@ -2165,12 +2319,18 @@ Update RPZ CNAME Rule: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates an existing RPZ CNAME rule in Infoblox NIOS via a PUT request to the - WAPI. - fetches_data: true + Updates an existing RPZ CNAME rule in the Infoblox NIOS system. + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a PUT request to the Infoblox API to update an existing + RPZ CNAME rule. It does not fetch data for enrichment, nor does it modify internal + SOAR case data or entities. categories: enrichment: false + reasoning: >- + The action is a mutation action (updates external configuration) and does not + fetch data for enrichment purposes. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -2186,3 +2346,6 @@ Update RPZ CNAME Rule: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `siemplify.target_entities`. It uses parameters + provided in the action configuration. diff --git a/content/response_integrations/third_party/partner/infoblox_nios/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/infoblox_nios/resources/ai/integration_ai_description.yaml index fb8271382..e4f84e74a 100644 --- a/content/response_integrations/third_party/partner/infoblox_nios/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/partner/infoblox_nios/resources/ai/integration_ai_description.yaml @@ -7,6 +7,17 @@ product_categories: iam_and_identity_management: false itsm: false network_security: true + reasoning: >- + The infoblox_nios integration provides capabilities for managing DNS Firewall + protections (RPZs) and retrieving IPAM/DHCP/Host information. It qualifies for + 'Network Security' because it allows security teams to define RPZ rules that block + or redirect malicious DNS traffic at the gateway level. It also qualifies for + 'Asset Inventory' because it provides actions like 'IP Lookup', 'List Host Info', + and 'DHCP Lease Lookup', which retrieve contextual metadata about network assets + (IP, MAC, Hostname, etc.). It does not qualify for 'Threat Intelligence' because + it does not provide reputation scores or malware family data, nor does it qualify + for other categories like SIEM, EDR, or ITSM as it does not perform log analysis, + process-level inspection, or ticket management. siem: false threat_intelligence: false vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/infoblox_threat_defense_with_ddi/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/infoblox_threat_defense_with_ddi/resources/ai/actions_ai_description.yaml index 3fbfb20cd..9e10aa97f 100644 --- a/content/response_integrations/third_party/partner/infoblox_threat_defense_with_ddi/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/infoblox_threat_defense_with_ddi/resources/ai/actions_ai_description.yaml @@ -13,6 +13,10 @@ Create Custom List: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action creates a custom list in Infoblox. This does not match any of the + specific categories like 'Enrich IOC', 'Contain Host', or 'Create Ticket'. It + is a configuration management action. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -28,78 +32,77 @@ Create Custom List: update_identity: false update_ticket: false ai_description: >- - Creates a new custom list in Infoblox Threat Defense for use in security policies. - This action allows users to define a list of indicators (IP addresses or domains) - along with metadata such as confidence levels, threat levels, and tags. The action - validates the format of the provided indicators before submission and outputs - the details of the created list into a data table on the case wall. + ### General Description + Creates a new custom list within the Infoblox Threat Defense platform. This action + allows users to define a new list by specifying its name, type, and optional attributes + such as description, confidence level, threat level, and tags. The action interacts + with the Infoblox API to provision the list and returns the created list details + in the action results. - ### Parameters + + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Name | string | True | The unique name of the Custom List to be created. | + | Name | string | Yes | The name of the Custom List to create. | - | Type | string | True | The type of Custom List (default is 'custom_list'). | - - | Items | string | False | Comma-separated list of indicators (IPv4, IPv6, or - domains) to include in the list. | - - | Description | string | False | A brief description of the Custom List's purpose. + | Type | string | Yes | The type of Custom List to create (default: 'custom_list'). | - | Confidence Level | ddl | False | The confidence level for the list (High, Medium, - Low). Default is High. | - - | Threat Level | ddl | False | The threat level for the list (High, Medium, Low, - Info). Default is Low. | - - | Tags | string | False | A JSON object string representing tags to categorize - the list (e.g., '{"key": "value"}'). | + | Items | string | No | Comma-separated items to include in the Custom List. | + | Description | string | No | A description for the Custom List. | - ### Additional Notes + | Confidence Level | ddl | No | The confidence level for this list (Options: High, + Medium, Low; default: 'High'). | - - The 'Items' parameter must contain valid IPv4, IPv6, or domain name formats; - otherwise, the action will fail validation. + | Threat Level | ddl | No | The threat level for this list (Options: High, Medium, + Low, Info; default: 'Low'). | - - The 'Tags' parameter must be a valid JSON object string. + | Tags | string | No | Tags to categorize and organize the Custom List. | ### Flow Description - 1. **Parameter Extraction:** The action retrieves the integration configuration - and action parameters provided by the user. + 1. **Parameter Extraction**: The action retrieves the required configuration (API + root, key, SSL verification) and action-specific parameters. + + 2. **Input Validation**: Validates that the 'Name' and 'Type' parameters are provided + and that any provided items are valid indicators. - 2. **Validation:** It validates that mandatory fields are present, checks that - the 'Items' string contains valid network indicators, and ensures 'Tags' is a - valid JSON object. + 3. **Payload Construction**: Builds the JSON payload containing the list details, + including optional fields like description, confidence level, threat level, and + tags. - 3. **API Request:** It constructs a payload and sends a POST request to the Infoblox - API endpoint `/api/atcfw/v1/named_lists` to create the resource. + 4. **API Interaction**: Sends a POST request to the Infoblox API endpoint (`/api/atcfw/v1/named_lists`) + to create the custom list. - 4. **Result Processing:** Upon success, the action parses the API response, adds - the raw JSON to the action results, and generates a data table named 'Custom List - Details' for the case wall. + 5. **Result Reporting**: Adds the API response as a JSON result and generates + a data table summarizing the created custom list details in the action output. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: true - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new custom list resource in the Infoblox Threat Defense platform via - a POST request. - fetches_data: true - internal_data_mutation_explanation: >- - Adds a data table containing the created custom list details to the Google SecOps - case wall. + Creates a new custom list in the Infoblox Threat Defense platform. + fetches_data: false + internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to create a custom list in the external Infoblox + system. It does not fetch data from external sources, nor does it modify internal + SOAR entities, alerts, or case data. It is a configuration management action. categories: enrichment: false + reasoning: >- + The action creates a new resource in an external system (Infoblox) and does + not retrieve data or perform enrichment. Therefore, it is not an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -115,6 +118,9 @@ Create Custom List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on entities; it creates a custom list based on provided + parameters and does not reference `target_entities`. Create Network List: action_product_categories: add_alert_comment: false @@ -130,6 +136,10 @@ Create Network List: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action creates a network list in Infoblox. This does not fit the specific + categories provided (like Create Ticket, Blocklist, etc.). It is a configuration/management + action. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -145,47 +155,49 @@ Create Network List: update_identity: false update_ticket: false ai_description: >- - ### General Description + Creates a new network list in the Infoblox Threat Defense system to define where + security policies should be applied. This action allows users to specify a name, + a list of items (such as IP addresses or CIDRs), and an optional description for + the new network list. - Creates a new network list in Infoblox Threat Defense. Network lists are used - to define specific sets of IP addresses or CIDR blocks where security policies - should be applied. This action allows for the programmatic creation of these containers - to streamline security policy management. + ### Flow Description - ### Parameters Description + 1. The action retrieves the necessary integration configuration (API root, API + key, SSL verification settings). + 2. It extracts the action parameters: Name, Items, and Description. - | Parameter | Description | Type | Mandatory | + 3. It validates that the Name and Items parameters are provided and non-empty. - | :--- | :--- | :--- | :--- | + 4. It converts the comma-separated Items string into a list format. - | Name | The unique name for the network list being created. | String | Yes | + 5. It sends a POST request to the Infoblox API to create the network list with + the provided details. - | Items | A comma-separated list of items (e.g., IPv4 addresses, IPv6 addresses, - or CIDR blocks) to be included in the network list. | String | Yes | + 6. Upon success, it adds the API response as a JSON result and a data table to + the action output. - | Description | A brief explanation or context for the network list. | String - | No | + ### Parameters Description - ### Flow Description + | Parameter | Type | Mandatory | Description | - 1. **Parameter Extraction:** The action retrieves the `Name`, `Items`, and `Description` - from the user input. + | :--- | :--- | :--- | :--- | - 2. **Validation:** It validates that the `Name` and `Items` strings are not empty - and converts the `Items` string into a list format. + | Name | string | Yes | The name of the network list to be created. | - 3. **API Interaction:** The action uses the `APIManager` to send a POST request - to the Infoblox `/api/atcfw/v1/network_lists` endpoint with the provided details. + | Items | string | Yes | A comma-separated list of items (e.g., IP addresses, + CIDRs) to include in the network list. | - 4. **Data Processing:** Upon a successful response, the action parses the returned - data into a `NetworkList` object. + | Description | string | No | An optional description for the network list. | - 5. **Output Generation:** The action populates a data table named "Network List - Details" with the ID, Name, and Description of the new list and provides the full - raw JSON response for further use in playbooks. + + ### Additional Notes + + - The action requires valid API credentials and connectivity to the Infoblox Threat + Defense API. If the creation fails, the action will return an error message and + set the execution state to failed. capabilities: can_create_case_comments: false can_create_insight: false @@ -194,12 +206,19 @@ Create Network List: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new network list resource in the Infoblox Threat Defense platform - via a POST request. + Creates a new network list in the Infoblox Threat Defense system. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to create a network list in an external system + (Infoblox). It does not fetch data, update entities, or create insights. It + uses standard output methods (add_result_json, add_data_table) which do not + constitute internal data mutation. categories: enrichment: false + reasoning: >- + The action creates a new resource in an external system rather than retrieving + data, so it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -215,6 +234,9 @@ Create Network List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on entities. It takes input parameters directly + from the user configuration. Create Security Policy: action_product_categories: add_alert_comment: false @@ -230,6 +252,10 @@ Create Security Policy: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action creates a new security policy in Infoblox. This does not match any + of the provided categories (e.g., Enrich IOC, Create Ticket, Contain Host). + It is a configuration management action. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -247,11 +273,12 @@ Create Security Policy: ai_description: >- ### General Description - Creates a new security policy in Infoblox Threat Defense. This action allows for - the programmatic creation of security policies, enabling automated management - of DNS security rules, network lists, and device group associations. It is useful - for establishing baseline security postures or dynamically creating policies during - incident response. + This action creates a new security policy within the Infoblox Threat Defense system. + It allows users to define policy attributes such as name, description, rules, + associated network lists, DNS Forwarding Proxies (DFPs), roaming device groups, + and various security settings like DNS rebinding protection and safe search. The + action constructs a payload based on the provided parameters and sends a POST + request to the Infoblox API to provision the new policy. ### Parameters Description @@ -260,77 +287,75 @@ Create Security Policy: | :--- | :--- | :--- | :--- | - | Policy Name | String | Yes | The unique name for the new security policy. | + | Policy Name | string | Yes | The name of the security policy to create. | - | Description | String | No | A brief explanation of the policy's purpose. | + | Description | string | No | A description for the security policy. | - | Rules | String | No | A JSON array of rule objects, each containing fields like - action, type, and data. | + | Rules | string | No | A JSON array of objects defining security rules (action, + type, data, policy_name, redirect_name). | - | Network Lists | String | No | Comma-separated IDs of network lists to associate - with this policy. | + | Network Lists | string | No | Comma-separated IDs of network lists to associate + with the policy. | - | DFPS | String | No | Comma-separated IDs of DNS Forwarding Proxies to associate - with this policy. | + | DFPS | string | No | Comma-separated IDs of DNS Forwarding Proxies to associate + with the policy. | - | Roaming Device Groups | String | No | Comma-separated IDs of Roaming Device - Groups to associate with this policy. | + | Roaming Device Groups | string | No | Comma-separated IDs of Roaming Device + Groups to associate with the policy. | - | Block DNS Rebinding | Boolean | No | Specify whether to block DNS rebinding - attacks. Defaults to false. | + | Block DNS Rebinding | boolean | No | Whether to block DNS rebinding attacks + (default: false). | - | Safe Search | Boolean | No | Specify whether to enable safe search filtering. - Defaults to false. | + | Safe Search | boolean | No | Whether to enable safe search filtering (default: + false). | - | Tags | String | No | A JSON object containing tags used to categorize and organize - the Security Policy. | + | Tags | string | No | JSON object containing tags to categorize the policy. | - | Additional Parameters | String | No | A JSON object containing advanced parameters - such as precedence, doh_enabled, or ecs. | + | Additional Parameters | string | No | JSON object for additional settings (e.g., + precedence, access_codes, doh_enabled). | ### Flow Description - 1. **Parameter Extraction:** The action retrieves the integration configuration - (API Root, API Key) and all user-provided action parameters. - - 2. **Validation:** Validates that the 'Policy Name' is non-empty and ensures that - 'Rules', 'Tags', and 'Additional Parameters' are valid JSON strings if provided. - - 3. **Payload Construction:** Constructs a structured JSON payload for the Infoblox - API. It parses comma-separated strings for network lists and device groups into - integer lists and validates that 'Additional Parameters' only contains supported - keys. - - 4. **API Execution:** Sends a POST request to the Infoblox `/api/atcfw/v1/security_policies` - endpoint via the APIManager. - - 5. **Result Processing:** Upon success, the action returns the full API response - as a JSON result and populates a data table named 'Security Policy Details' with - the ID, name, and description of the newly created policy. + 1. **Initialization**: The action extracts integration configuration (API root, + key, SSL verification) and action parameters. + 2. **Validation**: It validates that the mandatory `Policy Name` is provided. - ### Additional Notes + 3. **Payload Construction**: It parses the input parameters, including converting + comma-separated lists to integer lists and parsing JSON strings for rules, tags, + and additional parameters. - - The `Rules` parameter must be formatted as a JSON array of objects. + 4. **API Execution**: It sends a POST request to the Infoblox API to create the + security policy. - - Supported keys for `Additional Parameters` include: `precedence`, `access_codes`, - `doh_enabled`, `doh_fqdn`, `ecs`, `onprem_resolve`, `dfp_services`, `net_address_dfps`, - `user_groups`, and `default_redirect_name`. + 5. **Result Handling**: Upon success, it adds the resulting JSON and a data table + containing the policy details to the SOAR action results. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: true - can_mutate_internal_data: false + can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: >- - Creates a new security policy resource in the Infoblox Threat Defense platform - via a POST request. + Creates a new security policy in the Infoblox Threat Defense system. fetches_data: false - internal_data_mutation_explanation: null + internal_data_mutation_explanation: >- + Adds result JSON and a data table to the SOAR action results. + reasoning: >- + The action performs a POST request to create a security policy in an external + system (Infoblox), which constitutes external data mutation. It does not fetch + data from external systems. It performs internal mutation by adding result JSON + and a data table to the SOAR action results, but it does not update entities, + create insights, modify alert data, or create case comments. categories: enrichment: false + reasoning: >- + The action creates a new security policy in an external system. It does not + fetch data, nor does it perform any of the allowed internal mutations (Case + Comments, Insights, Entity Updates) that would qualify it as an enrichment action. + Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -346,6 +371,10 @@ Create Security Policy: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not reference `target_entities` or any entity-specific logic. + It operates on global configuration parameters to create a security policy in + the external system. DHCP Lease Lookup: action_product_categories: add_alert_comment: false @@ -361,10 +390,14 @@ DHCP Lease Lookup: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves DHCP lease information, which provides contextual metadata + (IP, MAC, Hostname) for network assets. This aligns with the 'Enrich Asset' + category. It does not perform IOC enrichment, containment, or ticket management. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false - search_asset: true + search_asset: false search_email: false search_events: false send_email: false @@ -375,44 +408,53 @@ DHCP Lease Lookup: update_email: false update_identity: false update_ticket: false - ai_description: "### General Description\nRetrieves DHCP lease information from\ - \ Infoblox Threat Defense with DDI based on specified filter criteria. This action\ - \ allows analysts to look up details such as IP addresses, hostnames, MAC addresses,\ - \ and lease states (e.g., used, free) to gain context about network assets and\ - \ their historical or current assignments.\n\n### Parameters Description\n| Parameter\ - \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| DHCP Lease\ - \ Filter | string | No | A logical expression used to filter DHCP leases (e.g.,\ - \ `address == \"192.168.1.10\"` or `hostname == \"workstation-01\"`). |\n| Offset\ - \ | string | No | The starting point for pagination. Defaults to \"0\". |\n| Limit\ - \ | string | No | The maximum number of results to return. Defaults to \"100\"\ - . |\n| Order By | string | No | Comma-separated fields to sort the results (e.g.,\ - \ `address asc`). Supports dot notation for nested fields. |\n\n### Flow Description\n\ - 1. **Parameter Initialization:** The action extracts the integration configuration\ - \ (API Root, API Key) and the user-provided parameters (Filter, Offset, Limit,\ - \ Order By).\n2. **Validation:** The `Offset` and `Limit` parameters are validated\ - \ to ensure they are non-negative integers.\n3. **API Request:** The action calls\ - \ the Infoblox API's DHCP lease endpoint (`/api/ddi/v1/dhcp/lease`) using a GET\ - \ request with the specified filters and pagination settings.\n4. **Data Processing:**\ - \ \n * The raw JSON response is attached to the action results.\n * If records\ - \ are found, the action parses them into a structured format and creates a data\ - \ table named \"DHCP Leases\" (showing up to 20 records) for display in the case\ - \ wall.\n5. **Completion:** The action returns a success message indicating the\ - \ number of records retrieved or a failure message if an error occurs during the\ - \ API call." + ai_description: "### General Description\nThis action retrieves DHCP lease information\ + \ from Infoblox Threat Defense with DDI based on specified filter criteria. It\ + \ allows analysts to query for network lease records, such as IP addresses, hostnames,\ + \ and hardware addresses, to assist in asset identification and network troubleshooting.\n\ + \n### Flow Description\n1. **Initialization**: Extracts configuration parameters\ + \ (API root, API key, SSL verification) and action parameters (DHCP Lease Filter,\ + \ Offset, Limit, Order By).\n2. **Validation**: Validates the `Offset` and `Limit`\ + \ parameters to ensure they are non-negative integers.\n3. **Data Retrieval**:\ + \ Queries the Infoblox API to fetch DHCP lease records matching the provided filter\ + \ criteria.\n4. **Result Processing**: \n - Adds the raw JSON response to the\ + \ action results.\n - If records are found, converts them into a structured\ + \ format and adds a data table titled \"DHCP Leases\" to the action results.\n\ + \ - Sets an output message indicating the number of records retrieved.\n\n\ + ### Parameters Description\n| Parameter | Type | Mandatory | Description |\n|\ + \ :--- | :--- | :--- | :--- |\n| DHCP Lease Filter | string | No | Filter DHCP\ + \ leases by specific criteria (e.g., address == \u201C127.0.0.1\u201D and hostname\ + \ == \u201Cubuntu\u201D). |\n| Offset | string | No | Specify the offset from\ + \ where to start pagination. Default is \"0\". |\n| Limit | string | No | Specify\ + \ the maximum number of results to return. Default is \"100\". |\n| Order By |\ + \ string | No | Comma-separated JSON fields to sort the results. Use asc or desc\ + \ for sort direction. Supports dot notation for nested fields. |\n\n### Additional\ + \ Notes\n- This action is a read-only operation and does not modify any data in\ + \ Infoblox or the SOAR platform.\n- The action result includes both a raw JSON\ + \ object and a formatted table for easier viewing in the SOAR interface." capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: >- - Adds a data table named 'DHCP Leases' to the Google SecOps case containing the - retrieved lease records. + internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Infoblox API to retrieve DHCP lease + information. It does not modify any external systems or internal SOAR data (entities, + insights, or alerts). It only populates the action result with JSON and a data + table. categories: enrichment: false + reasoning: >- + The action fetches data from an external system (Infoblox) but does not meet + the criteria for an enrichment action. Enrichment actions are restricted to + updating entities, creating insights, or adding comments. This action only adds + a result table and JSON to the action result, which does not qualify as an internal + mutation of the case data. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -428,6 +470,9 @@ DHCP Lease Lookup: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or process `siemplify.target_entities`. It + relies entirely on user-provided parameters to perform the lookup. DNS Record Lookup: action_product_categories: add_alert_comment: false @@ -443,6 +488,11 @@ DNS Record Lookup: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action performs a GET request to retrieve DNS records from Infoblox. This + matches the 'Search Events' category as it returns historical logs or telemetry + data. It does not match 'Enrich IOC' as it does not return reputation or threat + intelligence. It does not mutate any external or internal data. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -457,67 +507,24 @@ DNS Record Lookup: update_email: false update_identity: false update_ticket: false - ai_description: >- - ### General Description - - Performs a DNS record query in Infoblox Threat Defense with DDI to retrieve associated - IP addresses or domains based on user-defined filter criteria. This action is - useful for broad searches across the DNS infrastructure, allowing analysts to - find records matching specific types, zones, or tags without needing to target - a specific entity. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | DNS Record Filter | String | No | Filter DNS records by specific criteria using - logical expressions (e.g., `type=="PTR"` and `absolute_zone_name == "Test"`). - | - - | Tag Filter | String | No | Filter DNS records by specific tags using logical - expressions (e.g., `'nios/federation_enabled'==true`). | - - | Offset | String | No | Specify the offset from where to start pagination. Defaults - to "0". | - - | Limit | String | No | Specify the maximum number of results to return. Defaults - to "100". | - - | Order By | String | No | Comma-separated JSON fields to sort the results. Supports - `asc` or `desc` for direction and dot notation for nested fields. | - - - ### Additional Notes - - - This action does not process specific SecOps entities; it is a global lookup - action based on the provided filter parameters. - - - The action limits the number of records displayed in the UI data table to a - predefined maximum (20) to ensure readability, while the full result set is available - in the JSON output. - - - ### Flow Description - - 1. **Parameter Initialization**: The action retrieves the integration configuration - and extracts the user-provided filters, pagination, and sorting parameters. - - 2. **Validation**: The `Offset` and `Limit` parameters are validated to ensure - they are valid, non-negative integers. - - 3. **API Request**: The action calls the Infoblox API manager to perform a GET - request against the DNS record endpoint (`/api/ddi/v1/dns/record`) using the constructed - query parameters. - - 4. **Data Processing**: The raw API response is parsed, and the DNS records are - mapped to the `DNSRecord` data model. - - 5. **Output Generation**: The action populates a data table named "DNS Records" - with the formatted results and attaches the complete raw JSON response to the - action results. + ai_description: "Performs a DNS record query to retrieve associated IPs or domains\ + \ from the Infoblox Threat Defense with DDI platform. This action allows users\ + \ to filter DNS records by specific criteria or tags, and supports pagination\ + \ and sorting of the results. The retrieved records are displayed in a data table\ + \ and added to the action's result JSON.\\n\\n### Flow:\\n1. Extract action parameters\ + \ (DNS Record Filter, Tag Filter, Offset, Limit, Order By).\\n2. Initialize the\ + \ APIManager with integration credentials.\\n3. Execute the `dns_record_lookup`\ + \ API call to fetch DNS records.\\n4. Parse the API response into `DNSRecord`\ + \ data models.\\n5. Add the raw JSON response to the action results.\\n6. Display\ + \ the records in a data table.\\n\\n### Parameters:\\n| Parameter | Type | Mandatory\ + \ | Description |\\n| :--- | :--- | :--- | :--- |\\n| DNS Record Filter | string\ + \ | No | Filter DNS records by specific criteria (e.g., type==\u201DPTR\u201D\ + \ and absolute_zone_name == \u201CTest\u201D). |\\n| Tag Filter | string | No\ + \ | Filter DNS records by specific tags (e.g., 'nios/federation_enabled'==true).\ + \ |\\n| Offset | string | No | Specify the offset from where to start pagination.\ + \ Defaults to \"0\". |\\n| Limit | string | No | Specify the maximum number of\ + \ results to return. Defaults to \"100\". |\\n| Order By | string | No | Comma-separated\ + \ JSON fields to sort the results. |\\n\\n### Additional Notes:\\nNone." capabilities: can_create_case_comments: false can_create_insight: false @@ -528,8 +535,16 @@ DNS Record Lookup: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action makes a GET request to retrieve DNS records (fetches_data=true). + It does not mutate any external or internal data. It does not update entities, + create insights, or modify alert data. categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches DNS records from an external source (Infoblox) without modifying + any external or internal state. It meets the criteria for an enrichment action + as it proactively retrieves data. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -545,6 +560,10 @@ DNS Record Lookup: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities` or use entity-specific + identifiers. It performs a general lookup based on user-provided filters, so + it does not run on any specific entity types. Get Custom List: action_product_categories: add_alert_comment: false @@ -560,6 +579,10 @@ Get Custom List: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves custom list configuration data from Infoblox. It does not + match any of the defined categories, as it is not an enrichment, containment, + or alert management action. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -577,73 +600,61 @@ Get Custom List: ai_description: >- ### General Description - Retrieves the contents and metadata of custom lists from Infoblox Threat Defense. - This action allows users to fetch a specific list by its unique ID or search for - multiple lists using names, types, or tag-based filters. The retrieved data includes - list identifiers, names, descriptions, threat levels, and item counts. Results - are presented in both a structured data table for quick review and a raw JSON - format for downstream automation. + Retrieves the contents of a custom list from the Infoblox Threat Defense platform. + This action allows users to query for specific custom lists by ID, name, or type, + and supports filtering and sorting by tags. The retrieved data is formatted into + a table and JSON output for display within the SOAR platform. - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | + ### Flow Description - | Custom List ID | String | No | The unique identifier of the custom list to retrieve. - If provided, other filters like Name and Tags are ignored. | + 1. **Parameter Extraction**: The action extracts integration configuration (API + root, API key, SSL verification) and action-specific parameters (Custom List ID, + Name, Type, Tag Filter, Tag Sort Filter, Offset, Limit). - | Name | String | No | The name of the custom list to search for. This parameter - is used in conjunction with 'Type'. | + 2. **Validation**: Validates input parameters, ensuring numeric fields like Offset + and Limit are valid integers. - | Type | String | No | The type of the custom list (default: 'custom_list'). Required - when searching by Name. | + 3. **API Interaction**: Calls the Infoblox API to fetch the custom list(s) based + on the provided criteria. - | Tag Filter | String | No | Filter security policies or lists by specific tags - using the format: `'tag_name'='tag_value'`. | + 4. **Data Processing**: Processes the API response, converting the results into + a structured format (CSV) using the `CustomList` data model. - | Tag Sort Filter | String | No | Sort the retrieved custom lists based on specific - tags (e.g., 'Test1'). | + 5. **Output Generation**: Adds the raw JSON response and a formatted data table + to the action results for analyst review. - | Offset | String | No | Specify the starting point for pagination (default: '0'). - | - | Limit | String | No | Specify the maximum number of results to return (default: - '100'). | + ### Parameters Description + | Parameter | Type | Mandatory | Description | - ### Additional Notes + | :--- | :--- | :--- | :--- | - - **Priority Logic**: If 'Custom List ID' is provided, the action fetches that - specific list. If 'Name' and 'Type' are both provided, the action searches for - lists matching those criteria. Otherwise, it uses the 'Tag Filter' and 'Tag Sort - Filter'. + | Custom List ID | string | No | The unique identifier of the custom list to retrieve. + | - - **Table Constraints**: The 'Custom List Details' table displays a maximum of - 20 records, even if the 'Limit' parameter is set higher. The full set of results - is always available in the JSON output. + | Name | string | No | The name of the custom list. | + | Type | string | No | The type of the custom list (default: 'custom_list'). | - ### Flow Description + | Tag Filter | string | No | Filter security policy by specific tags in the format: + ''=''. | - 1. **Parameter Initialization**: Extracts configuration (API Root, API Key) and - action parameters (ID, Name, Filters, Pagination). + | Tag Sort Filter | string | No | Sort Custom List by Tags (e.g., 'Test1'). | - 2. **Input Validation**: Validates that 'Offset', 'Limit', and 'Custom List ID' - (if provided) are valid non-negative integers. + | Offset | string | No | Specify the offset from where to start pagination (default: + '0'). | - 3. **API Request Construction**: Determines the correct Infoblox endpoint based - on the provided parameters, prioritizing specific IDs over general filters. + | Limit | string | No | Specify the maximum number of results to return (default: + '100'). | - 4. **Data Retrieval**: Executes a GET request to the Infoblox Threat Defense API - to fetch the list data. - 5. **Data Modeling**: Maps the raw API response to internal `CustomList` data - models to extract key fields like Threat Level and Item Count. + ### Additional Notes - 6. **Output Generation**: Produces a CSV-formatted data table for the UI and attaches - the complete JSON response to the action result. + If no specific parameters are provided, the action attempts to retrieve a list + of custom lists based on the default pagination settings. The action does not + modify any external or internal system state. capabilities: can_create_case_comments: false can_create_insight: false @@ -654,8 +665,18 @@ Get Custom List: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve custom list data from the Infoblox + API. It does not modify external systems, nor does it update internal SOAR entities, + insights, or alert data. It simply presents the retrieved information in the + action results. categories: enrichment: false + reasoning: >- + The action retrieves configuration data (custom lists) from an external system. + It does not gather supplemental context about alerts or entities, nor does it + update entity profiles or create insights. Therefore, it does not meet the criteria + for an Enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -671,6 +692,9 @@ Get Custom List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `siemplify.target_entities`. It operates on + global configuration parameters and API queries, not on specific SOAR entities. Get Indicator Intel Lookup Result: action_product_categories: add_alert_comment: false @@ -686,6 +710,10 @@ Get Indicator Intel Lookup Result: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves threat intelligence (Dossier lookup results) for an indicator, + which aligns with the 'Enrich IOC' category. It does not perform any other operations + like ticket creation, host containment, or alert modification. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -700,30 +728,43 @@ Get Indicator Intel Lookup Result: update_email: false update_identity: false update_ticket: false - ai_description: "### General Description\nThe **Get Indicator Intel Lookup Result**\ - \ action retrieves the results of a Dossier lookup job previously initiated in\ - \ Infoblox Threat Defense. This action is designed to fetch comprehensive threat\ - \ intelligence for indicators such as IP addresses, URLs, Hostnames, Email addresses,\ - \ and File Hashes using a specific Job ID. It is typically used in automated workflows\ - \ to poll for results after an asynchronous investigation has been started.\n\n\ - ### Parameters Description\n| Parameter | Type | Mandatory | Description |\n|\ - \ :--- | :--- | :--- | :--- |\n| **Job ID** | string | Yes | The unique identifier\ - \ of the Dossier lookup job for which results are being requested. This ID is\ - \ obtained from the 'Initiate Indicator Intel Lookup With Dossier' action. |\n\ - \n### Flow Description\n1. **Parameter Extraction:** The action extracts the `Job\ - \ ID` from the input parameters and validates that it is a non-empty string.\n\ - 2. **API Interaction:** It connects to the Infoblox API and performs a GET request\ - \ to the Dossier results endpoint using the provided Job ID.\n3. **Data Parsing:**\ - \ The action processes the API response, converting the raw data into a structured\ - \ format. It specifically extracts fields like the intelligence source, status,\ - \ and timestamp.\n4. **Result Reporting:** \n * The full JSON response from\ - \ the API is attached to the action results.\n * A data table named \"Dossier\ - \ Lookup Results\" is generated, displaying up to 20 records for quick analyst\ - \ review.\n5. **Finalization:** The action completes with a success message indicating\ - \ the number of dossier results retrieved for the given Job ID.\n\n### Additional\ - \ Notes\nThis action does not interact with SecOps entities directly; it operates\ - \ solely based on the provided `Job ID`. If the Job ID does not exist or the API\ - \ returns an error, the action will fail with a descriptive error message." + ai_description: >- + Retrieves the results of a previously initiated Dossier lookup job from Infoblox + Threat Defense. This action fetches detailed threat intelligence data associated + with a specific Job ID and presents it within the SOAR platform. + + + ### Flow Description + + 1. The action extracts the mandatory `Job ID` parameter provided by the user. + + 2. It initializes the `APIManager` to communicate with the Infoblox Threat Defense + API. + + 3. It performs a GET request to retrieve the lookup results for the specified + `Job ID`. + + 4. If results are found, it processes the data, creates a CSV-formatted table + of the findings, and adds it to the action results. + + 5. It also attaches the raw JSON response to the action results for comprehensive + visibility. + + + ### Parameters + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Job ID | string | Yes | The unique identifier of the Dossier lookup job to retrieve + results for. | + + + ### Additional Notes + + This action is designed to be used after the 'Initiate Indicator Intel Lookup + With Dossier' action, which generates the `Job ID` required here. capabilities: can_create_case_comments: false can_create_insight: false @@ -734,8 +775,19 @@ Get Indicator Intel Lookup Result: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve data from an external system (Infoblox). + It does not modify any external systems (no POST/PUT/DELETE). It does not modify + internal SOAR data (entities, insights, or case comments), but rather appends + result data (tables and JSON) to the action output, which is standard for data + retrieval actions. categories: enrichment: true + reasoning: >- + The action fetches threat intelligence data (Dossier lookup results) from an + external source. It does not mutate external systems, nor does it perform any + internal mutations (like updating entities or creating insights). It strictly + retrieves and displays information, fitting the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -751,6 +803,10 @@ Get Indicator Intel Lookup Result: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or process `siemplify.target_entities`. It + operates based on a provided `Job ID` parameter, which is an external reference, + not a SOAR entity. Get Network List: action_product_categories: add_alert_comment: false @@ -766,6 +822,10 @@ Get Network List: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves network list configuration data from Infoblox. It does + not match any of the defined product categories such as enrichment, ticket management, + or containment. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -783,62 +843,51 @@ Get Network List: ai_description: >- ### General Description - The **Get Network List** action retrieves the contents and metadata of network - lists from Infoblox Threat Defense. It allows users to fetch a specific list by - its unique identifier or search for multiple lists using logical filter expressions. - This action is primarily used for auditing existing network configurations or - verifying the contents of CIDR/IP blocks managed within the Infoblox environment. - + Retrieves network lists from Infoblox Threat Defense. This action fetches configuration + data regarding network lists, allowing analysts to view existing lists, their + descriptions, and associated security policies. - ### Parameters Description - | Parameter | Type | Mandatory | Description | + ### Flow Description - | :--- | :--- | :--- | :--- | + 1. The action extracts integration configuration parameters (API root, API key, + SSL verification) and action-specific parameters (Network List ID, Security Network + Filter, Offset, Limit). - | **Network List ID** | String | No | The unique identifier of the network list - to retrieve. If provided, the action fetches only this specific list and ignores - the filter parameter. | + 2. It validates the provided parameters to ensure they are in the correct format + (e.g., integers for Offset and Limit). - | **Security Network Filter** | String | No | A logical expression string (e.g., - `name == 'net_list1'`) used to filter the returned network lists based on specific - criteria. | + 3. It initiates a GET request to the Infoblox API to retrieve the requested network + list(s). - | **Offset** | String | No | The pagination offset indicating where to start the - results. Default is "0". | + 4. The retrieved data is returned as a JSON result and formatted into a data table + for display in the SOAR platform. - | **Limit** | String | No | The maximum number of results to return in a single - request. Default is "100". | + ### Parameters Description - ### Flow Description + | Parameter | Type | Mandatory | Description | - 1. **Parameter Initialization**: The action extracts the API configuration (Root, - Key, SSL) and the user-provided parameters including the Network List ID, filter, - offset, and limit. + | :--- | :--- | :--- | :--- | - 2. **Validation**: It validates that the `Network List ID` (if provided), `Offset`, - and `Limit` are valid non-negative integers. + | Network List ID | string | No | The unique identifier of the network list to + retrieve. | - 3. **API Request**: It sends a GET request to the Infoblox `/api/atcfw/v1/network_lists` - endpoint. If a specific `Network List ID` is provided, it appends the ID to the - URL to target that specific resource. + | Security Network Filter | string | No | A logical expression string to filter + the network lists (e.g., name == 'net_list1'). | - 4. **Data Processing**: The retrieved JSON data is added to the action's result - JSON. + | Offset | string | No | The pagination offset to start retrieving results from. + Default is '0'. | - 5. **Output Generation**: If results are found, the action creates a data table - in the SOAR case displaying the Network List ID, Name, Description, and Security - Policy ID for up to 20 records. + | Limit | string | No | The maximum number of results to return. Default is '100'. + | ### Additional Notes - - If the **Network List ID** is provided, the **Security Network Filter** is ignored - by the Infoblox API. - - - The action supports pagination through the **Offset** and **Limit** parameters - to handle large sets of network lists. + If a 'Network List ID' is provided, the action will attempt to retrieve that specific + list. Otherwise, it will retrieve a list of network lists based on the provided + filter, offset, and limit. capabilities: can_create_case_comments: false can_create_insight: false @@ -849,8 +898,17 @@ Get Network List: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Infoblox API to retrieve network list + data. It does not modify any external systems (no POST/PUT/DELETE). It does + not modify internal SOAR case data (entities, insights, comments). It simply + outputs the retrieved data to the action result. categories: enrichment: false + reasoning: >- + The action retrieves configuration data (network lists) from an external system. + It does not perform enrichment on entities, nor does it meet the criteria for + an enrichment action as it does not gather context about alerts or entities. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -866,6 +924,9 @@ Get Network List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or process any entities from the SOAR platform. + It operates independently of the entity model. Get SOC Insights Assets: action_product_categories: add_alert_comment: false @@ -880,11 +941,15 @@ Get SOC Insights Assets: enrich_asset: true enrich_ioc: false execute_command_on_the_host: false - get_alert_information: false + get_alert_information: true + reasoning: >- + The action retrieves asset metadata (IP, MAC, OS, User) associated with an insight, + which aligns with 'Enrich Asset'. It also fetches information about the insight + itself, aligning with 'Get Alert Information'. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false - search_asset: true + search_asset: false search_email: false search_events: false send_email: false @@ -895,41 +960,29 @@ Get SOC Insights Assets: update_email: false update_identity: false update_ticket: false - ai_description: "### General Description\nThis action retrieves a detailed list\ - \ of assets associated with a specific Infoblox SOC Insight ID. It allows analysts\ - \ to identify which resources (IP addresses, MAC addresses, hostnames) were involved\ - \ in a particular threat insight. The action supports various filters to narrow\ - \ down the asset list and provides the results in both a structured data table\ - \ and a raw JSON format for downstream processing.\n\n### Parameters Description\n\ - | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ - | Insight ID | String | Yes | The unique identifier of the SOC Insight from which\ - \ to retrieve associated assets. |\n| Asset IP | String | No | Filters the results\ - \ to include only assets matching this specific IP address. |\n| MAC Address |\ - \ String | No | Filters the results to include only assets matching this specific\ - \ MAC address. |\n| OS Version | String | No | Filters the results to include\ - \ only assets running this specific operating system version. |\n| User | String\ - \ | No | Filters the results to include only assets associated with this specific\ - \ username. |\n| Limit | String | No | The maximum number of asset records to\ - \ return. Defaults to 100. |\n| From | String | No | Filters for assets changed\ - \ after this timestamp. Expected format: `YYYY-MM-DDTHH:mm:ss.SSS`. |\n| To |\ - \ String | No | Filters for assets changed before this timestamp. Expected format:\ - \ `YYYY-MM-DDTHH:mm:ss.SSS`. |\n\n### Flow Description\n1. **Parameter Extraction:**\ - \ The action extracts the mandatory `Insight ID` and optional filter parameters\ - \ (IP, MAC, OS, User, Time range, and Limit) from the environment.\n2. **Validation:**\ - \ It validates that the `Insight ID` is provided and that the `Limit` is a valid\ - \ positive integer.\n3. **API Request:** The action calls the Infoblox API via\ - \ the `APIManager` to fetch asset data associated with the specified Insight ID,\ - \ applying all provided filters as query parameters.\n4. **Data Processing:**\ - \ The retrieved asset data is parsed into `SOCInsightAsset` data models.\n5. **Output\ - \ Generation:** \n * The full API response is added as a JSON result.\n \ - \ * A data table named \"Assets\" is created, containing key details like\ - \ Asset IP, MAC Address, Threat Level, OS Version, and User (up to a maximum of\ - \ 20 records for display).\n6. **Completion:** The action concludes with a success\ - \ message indicating the number of assets found.\n\n### Additional Notes\n* \ - \ If no assets are found for the provided Insight ID, the action will complete\ - \ successfully but report that no assets were found.\n* The data table is limited\ - \ to showing the first 20 records to maintain performance and readability within\ - \ the UI, while the full result set is available in the JSON output." + ai_description: "### General Description\nRetrieves a list of associated assets\ + \ for a specific SOC Insight ID from Infoblox Threat Defense. This action allows\ + \ analysts to query asset details such as IP addresses, MAC addresses, OS versions,\ + \ and associated users, providing context for security insights.\n\n### Flow Description\n\ + 1. **Configuration**: The action initializes the connection to the Infoblox API\ + \ using the provided API root, API key, and SSL verification settings.\n2. **Parameter\ + \ Extraction**: It extracts the required `Insight ID` and optional filters (`Asset\ + \ IP`, `MAC Address`, `OS Version`, `User`, `Limit`, `From`, `To`) from the action\ + \ parameters.\n3. **Data Retrieval**: It calls the Infoblox API to fetch asset\ + \ data associated with the specified Insight ID, applying any provided filters.\n\ + 4. **Result Processing**: \n - The raw JSON response is added to the action\ + \ result.\n - If assets are found, the data is formatted into a CSV table and\ + \ added to the action result for display.\n - If no assets are found, an appropriate\ + \ message is returned.\n\n### Parameters Description\n| Parameter | Type | Mandatory\ + \ | Description |\n| :--- | :--- | :--- | :--- |\n| Insight ID | string | Yes\ + \ | The ID of the insight to retrieve assets from. |\n| Asset IP | string | No\ + \ | Filter assets by IP address. |\n| MAC Address | string | No | Filter assets\ + \ by MAC address. |\n| OS Version | string | No | Filter assets by operating system\ + \ version. |\n| User | string | No | Filter assets by associated user. |\n| Limit\ + \ | string | No | Specify the maximum number of results to return (default: 100).\ + \ |\n| From | string | No | Filter by assets changed after this time (YYYY-MM-DDTHH:mm:ss.SSS).\ + \ |\n| To | string | No | Filter by assets changed before this time (YYYY-MM-DDTHH:mm:ss.SSS).\ + \ |" capabilities: can_create_case_comments: false can_create_insight: false @@ -940,8 +993,16 @@ Get SOC Insights Assets: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve asset information from Infoblox + based on an Insight ID. It does not mutate external systems or modify internal + case data (entities, insights, etc.). It only adds result data to the action + execution. categories: enrichment: true + reasoning: >- + The action fetches data from an external source (Infoblox) and does not mutate + any external or internal systems. It meets the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -957,6 +1018,9 @@ Get SOC Insights Assets: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities`. It uses an `Insight + ID` parameter provided by the user. Get SOC Insights Comments: action_product_categories: add_alert_comment: false @@ -972,6 +1036,9 @@ Get SOC Insights Comments: enrich_ioc: false execute_command_on_the_host: false get_alert_information: true + reasoning: >- + The action fetches information about an insight from the Infoblox product. This + aligns with the 'Get Alert Information' category. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -986,32 +1053,49 @@ Get SOC Insights Comments: update_email: false update_identity: false update_ticket: false - ai_description: "### General Description\nRetrieves the list of comments associated\ - \ with a specific SOC Insight in Infoblox Threat Defense. This action allows analysts\ - \ to review the history, manual notes, or automated updates related to a security\ - \ finding directly within the Google SecOps platform. It supports time-based filtering\ - \ to narrow down the results to a specific period.\n\n### Parameters Description\n\ - \n| Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :---\ - \ |\n| Insight ID | String | Yes | The unique identifier of the SOC Insight to\ - \ retrieve comments from. |\n| From | String | No | Filter by comments changed\ - \ after this time. Expected format: `YYYY-MM-DDTHH:mm:ss.SSS`. |\n| To | String\ - \ | No | Filter by comments changed before this time. Expected format: `YYYY-MM-DDTHH:mm:ss.SSS`.\ - \ |\n\n### Flow Description\n1. **Parameter Initialization:** The action extracts\ - \ the integration configuration (API Root, API Key) and the user-provided parameters\ - \ (`Insight ID`, `From`, `To`).\n2. **Validation:** Validates that the mandatory\ - \ `Insight ID` is provided and is a non-empty string.\n3. **API Interaction:**\ - \ Connects to the Infoblox API and sends a GET request to the SOC Insights comments\ - \ endpoint for the specified ID, applying any provided time filters.\n4. **Data\ - \ Processing:** Parses the response. If comments are found, it maps them to the\ - \ `SOCInsightComment` data model.\n5. **Output Generation:** \n - Creates a\ - \ data table named \"SOC Insight Comments\" containing up to 20 of the most recent\ - \ comments.\n - Attaches the full raw JSON response to the action results for\ - \ use in subsequent playbook steps.\n6. **Completion:** Returns a success message\ - \ indicating the number of comments retrieved.\n\n### Additional Notes\n- The\ - \ UI data table is limited to showing the first 20 records for performance, but\ - \ the complete set of retrieved comments is available in the `JsonResult`.\n-\ - \ Ensure that the `From` and `To` timestamps strictly follow the ISO-like format\ - \ `YYYY-MM-DDTHH:mm:ss.SSS` to avoid API errors." + ai_description: >- + Retrieves comments associated with a specific SOC Insight from Infoblox Threat + Defense. This action fetches the comment history for a given insight ID, allowing + analysts to review changes and updates made to the insight. + + + ### Parameters + + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Insight ID | string | Yes | The unique identifier of the SOC insight. | + + | From | string | No | Filter comments changed after this time (YYYY-MM-DDTHH:mm:ss.SSS). + | + + | To | string | No | Filter comments changed before this time (YYYY-MM-DDTHH:mm:ss.SSS). + | + + + ### Additional Notes + + + If no comments are found, the action will output a message indicating that no + comments were found for the provided Insight ID. + + + ### Flow Description + + + 1. Extracts configuration parameters (API root, key, SSL verification). + + 2. Extracts action parameters (Insight ID, From, To). + + 3. Validates the Insight ID. + + 4. Calls the Infoblox API to fetch comments for the specified insight. + + 5. Formats the comments into a data table and adds it to the action result. + + 6. Adds the raw JSON response to the action result. capabilities: can_create_case_comments: false can_create_insight: false @@ -1022,8 +1106,15 @@ Get SOC Insights Comments: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve comments for a specific SOC insight. + It does not modify any external or internal data. It does not update entities + or create insights. categories: - enrichment: true + enrichment: false + reasoning: >- + The action fetches data (comments) but does not enrich entities or alerts (it + operates on insights). Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1039,6 +1130,9 @@ Get SOC Insights Comments: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `target_entities` or use entity-specific identifiers. + It operates on an `Insight ID` provided as a parameter. Get SOC Insights Events: action_product_categories: add_alert_comment: false @@ -1053,7 +1147,12 @@ Get SOC Insights Events: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false - get_alert_information: true + get_alert_information: false + reasoning: >- + The action retrieves a list of events based on an Insight ID and various filters. + This matches the 'Search Events' category, as it returns a collection of historical + logs/telemetry data. It does not match 'Enrich IOC' or 'Enrich Asset' as it + doesn't operate on those entities. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1068,80 +1167,35 @@ Get SOC Insights Events: update_email: false update_identity: false update_ticket: false - ai_description: >- - ### General Description - - Retrieves a list of events associated with a specific SOC Insight from Infoblox - Threat Defense. This action allows analysts to drill down into the specific activities - (such as DNS queries) that triggered a threat insight, providing granular visibility - into the detected threat and its context. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Insight ID | String | Yes | The unique identifier of the SOC insight to retrieve - events for. | - - | Device IP | String | No | Filter the events by a specific device's IP address. - | - - | Query | String | No | Filter events by a specific query string. | - - | Query Type | String | No | Filter events by DNS query type (e.g., TXT, A, MX). - | - - | Source | String | No | Filter events by the threat intelligence source or feed - (e.g., DFP). | - - | Indicator | String | No | Filter events by a specific threat indicator such - as a domain, IP, or hash. | - - | Threat Level | DDL | No | Filter by threat level. Options: All, Info, Low, Medium, - High. Default is 'All'. | - - | Confidence Level | DDL | No | Filter by confidence level. Options: All, Low, - Medium, High. Default is 'All'. | - - | Limit | String | No | Specify the maximum number of results to return. Default - is 100. | - - | From | String | No | Filter by events detected after this time (Format: YYYY-MM-DDTHH:mm:ss.SSS). - | - - | To | String | No | Filter by events detected before this time (Format: YYYY-MM-DDTHH:mm:ss.SSS). - | - - - ### Additional Notes - - - The action generates a data table named "SOC Insight Events" containing key - event details like Confidence Level, Device Name, Device IP, Action, Policy, Threat - Family, and Threat Level. - - - The full API response is attached as a JSON result for comprehensive analysis. - - - ### Flow Description - - 1. **Parameter Extraction:** The action extracts the mandatory `Insight ID` and - various optional filtering parameters (Device IP, Query, Threat Level, etc.) from - the user input. - - 2. **Validation:** It validates that the `Insight ID` is a non-empty string and - that the `Limit` is a valid positive integer. - - 3. **API Interaction:** It initializes the APIManager and calls the `get_soc_insights_events` - method, which performs a GET request to the Infoblox SOC Insights API endpoint. - - 4. **Data Processing:** The action parses the returned events using the `SOCInsightEvent` - data model and prepares a flattened list for the data table. - - 5. **Output Generation:** It adds a data table to the case wall showing up to - 20 records and provides the complete JSON response as a script result. + ai_description: "Retrieves a list of events associated with a specific SOC Insight\ + \ from Infoblox Threat Defense. This action allows analysts to drill down into\ + \ the details of a generated insight by fetching the underlying events, which\ + \ can be filtered by various criteria such as device IP, query type, threat level,\ + \ and confidence level.\n\n### Flow Description\n1. **Configuration**: The action\ + \ initializes the API connection using the provided API root, API key, and SSL\ + \ verification settings.\n2. **Parameter Extraction**: It extracts the mandatory\ + \ `Insight ID` and optional filters (e.g., `Device IP`, `Query`, `Threat Level`,\ + \ `Confidence Level`, `Limit`, `From`, `To`) from the action parameters.\n3. **Data\ + \ Retrieval**: It calls the Infoblox API to fetch the events associated with the\ + \ specified `Insight ID`, applying any provided filters.\n4. **Result Processing**:\ + \ \n - If events are found, it formats the data into a table and adds it to\ + \ the action result.\n - It also adds the full raw JSON response to the action\ + \ result for detailed analysis.\n - If no events are found, it returns a message\ + \ indicating that no events were found for the given ID.\n\n### Parameters Description\n\ + | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ + | Insight ID | string | Yes | The unique identifier of the SOC insight to retrieve\ + \ events from. |\n| Device IP | string | No | Filter events by the IP address\ + \ of the device. |\n| Query | string | No | Filter events by a specific query\ + \ string. |\n| Query Type | string | No | Filter events by DNS query type (e.g.,\ + \ TXT, A, MX). |\n| Source | string | No | Filter events by the threat intelligence\ + \ source or feed. |\n| Indicator | string | No | Filter events by a specific threat\ + \ indicator (e.g., domain, IP, hash). |\n| Threat Level | ddl | No | Filter by\ + \ threat level (All, Info, Low, Medium, High). |\n| Confidence Level | ddl | No\ + \ | Filter by confidence level (All, Low, Medium, High). |\n| Limit | string |\ + \ No | Specify the maximum number of results to return (Default: 100). |\n| From\ + \ | string | No | Filter by events detected after this time (Format: YYYY-MM-DDTHH:mm:ss.SSS).\ + \ |\n| To | string | No | Filter by events detected before this time (Format:\ + \ YYYY-MM-DDTHH:mm:ss.SSS). |" capabilities: can_create_case_comments: false can_create_insight: false @@ -1152,8 +1206,18 @@ Get SOC Insights Events: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve events for a specific SOC insight. + It does not modify any external or internal data. It adds a data table to the + action result, which is not considered an internal mutation (like updating entities + or creating insights). categories: - enrichment: true + enrichment: false + reasoning: >- + The action retrieves events for a specific insight ID. It does not operate on + entities or alerts to enrich them, nor does it meet the strict criteria for + an enrichment action (which typically involves updating entities or creating + insights). It is a data retrieval action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1169,6 +1233,9 @@ Get SOC Insights Events: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use `target_entities`. It takes an `Insight ID` as a parameter + to fetch data. Get SOC Insights Indicators: action_product_categories: add_alert_comment: false @@ -1181,9 +1248,13 @@ Get SOC Insights Indicators: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: true + enrich_ioc: false execute_command_on_the_host: false - get_alert_information: false + get_alert_information: true + reasoning: >- + The action fetches information about a SOC Insight from the Infoblox platform. + This aligns with the 'Get Alert Information' category, as it retrieves details + about a security-relevant object (Insight) from the 3rd party product. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1198,87 +1269,50 @@ Get SOC Insights Indicators: update_email: false update_identity: false update_ticket: false - ai_description: >- - ### General Description - - Retrieves a list of indicators associated with a specific Infoblox SOC Insight. - This action allows analysts to fetch detailed threat intelligence for indicators - linked to an insight, including confidence scores, threat levels, and associated - threat actors. The results are presented in a data table for quick review and - as a full JSON object for further processing. - - - ### Parameters Description - - - | Parameter | Description | Expected Type | Mandatory | - - | :--- | :--- | :--- | :--- | - - | Insight ID | The unique identifier of the SOC insight to retrieve indicators - from. | String | Yes | - - | Confidence | Filter the results by a specific confidence score. | String | No - | - - | Indicator | Filter the results by a specific indicator value (e.g., a domain - or IP). | String | No | - - | Actor | Filter the results by a specific threat actor. | String | No | - - | From | Filter by indicators seen after this time. Expected format: YYYY-MM-DDTHH:mm:ss.SSS. - | String | No | - - | To | Filter by indicators seen before this time. Expected format: YYYY-MM-DDTHH:mm:ss.SSS. - | String | No | - - | Action | Filter by the action taken on the indicator (e.g., blocked, allowed). - | String | No | - - | Limit | Specify the maximum number of results to return. Defaults to 100. | - String | No | - - - ### Additional Notes - - - This action does not run on entities; it uses the 'Insight ID' parameter to - query Infoblox. - - - The action displays up to 20 indicator records in the 'SOC Insight Indicators' - data table, while the full list is available in the JSON result. - - - ### Flow Description - - 1. **Parameter Initialization:** Extracts the mandatory 'Insight ID' and optional - filters (Confidence, Indicator, Actor, Time range, Action, and Limit) from the - action parameters. - - 2. **Validation:** Validates that the 'Insight ID' is provided and that the 'Limit' - is a valid positive integer. - - 3. **API Interaction:** Initializes the Infoblox API Manager and performs a GET - request to the SOC Insights indicators endpoint using the provided filters. - - 4. **Data Processing:** Parses the API response. If indicators are found, it converts - the first 20 records into a flat format suitable for a data table. - - 5. **Output Generation:** Adds the 'SOC Insight Indicators' data table to the - case and provides the complete raw response as a JSON result. + ai_description: "Retrieves a list of indicators associated with a specific SOC Insight\ + \ from Infoblox Threat Defense. This action allows users to filter indicators\ + \ by confidence, indicator value, threat actor, time range, and action taken.\n\ + \n### Flow Description\n1. **Parameter Extraction**: The action extracts the required\ + \ `Insight ID` and optional filters (Confidence, Indicator, Actor, From, To, Action,\ + \ Limit) from the configuration.\n2. **Validation**: Validates that the `Insight\ + \ ID` is provided and the `Limit` is a valid integer.\n3. **API Interaction**:\ + \ Connects to the Infoblox API to fetch the indicators associated with the specified\ + \ `Insight ID` using the provided filters.\n4. **Result Processing**: \n - If\ + \ indicators are found, it formats the data into a table and adds it to the action\ + \ results.\n - The full raw JSON response is added to the action results.\n\ + \ - If no indicators are found, an appropriate message is returned.\n\n### Parameters\n\ + | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ + | Insight ID | string | Yes | The ID of the insight to retrieve indicators from.\ + \ |\n| Confidence | string | No | Filter by confidence score. |\n| Indicator |\ + \ string | No | Filter by specific indicator value. |\n| Actor | string | No |\ + \ Filter by threat actor. |\n| From | string | No | Filter by indicators seen\ + \ after this time (format: YYYY-MM-DDTHH:mm:ss.SSS). |\n| To | string | No | Filter\ + \ by indicators seen before this time (format: YYYY-MM-DDTHH:mm:ss.SSS). |\n|\ + \ Action | string | No | Filter by action taken. |\n| Limit | string | No | Specify\ + \ the maximum number of results to return (default: 100). |\n\n### Additional\ + \ Notes\n- This action is read-only and does not modify any external or internal\ + \ system state." capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: false - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null fetches_data: true - internal_data_mutation_explanation: >- - Adds a data table 'SOC Insight Indicators' to the case containing the retrieved - indicator details. + internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Infoblox API to retrieve indicator + data for a specific SOC Insight. It does not perform any write operations to + external systems, nor does it modify internal case data, entities, or insights. + It simply presents the retrieved data in the action results. categories: enrichment: false + reasoning: >- + The action retrieves data (indicators) but does not operate on or enrich specific + SecOps entities (e.g., IP, FileHash). Therefore, it does not meet the criteria + for an Enrichment Action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1294,6 +1328,9 @@ Get SOC Insights Indicators: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or interact with `siemplify.target_entities`. + It operates based on an `Insight ID` provided as a parameter. Get Security Policies: action_product_categories: add_alert_comment: false @@ -1309,6 +1346,9 @@ Get Security Policies: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves security policies from Infoblox. This does not match any + of the provided categories (Enrich IOC, Enrich Asset, Update Alert, etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1324,58 +1364,57 @@ Get Security Policies: update_identity: false update_ticket: false ai_description: >- - Retrieves all configured security policies and their metadata from Infoblox Threat - Defense. This action allows analysts to audit or review the security posture by - listing policies, optionally filtered by specific criteria or tags. + ### General Description + Retrieves a list of configured security policies and their metadata from the Infoblox + Threat Defense with DDI platform. This action allows users to query policies based + on specific filters, tags, and sorting criteria, providing visibility into the + current security policy configuration. - ### Flow Description: - 1. **Parameter Initialization:** The action extracts integration configuration - and user-provided parameters, including filters for policies and tags, as well - as pagination settings (Offset and Limit). + ### Parameters Description - 2. **Validation:** Validates that the Offset and Limit parameters are non-negative - integers. + | Parameter | Type | Mandatory | Description | - 3. **API Interaction:** Sends a GET request to the Infoblox `/api/atcfw/v1/security_policies` - endpoint with the specified filters and pagination. + | :--- | :--- | :--- | :--- | - 4. **Data Processing:** Parses the API response into structured `SecurityPolicy` - models. + | Security Policy Filter | string | No | A logical expression string to filter + security policies (e.g., name== 'sec_policy_a'). | - 5. **Output Generation:** Populates the action results with the raw JSON response - and creates a data table displaying key policy details (ID, Name, Description, - Default Action). + | Tag Filter | string | No | Filter security policy by specific tags format: ''=''. + | + | Tag Sort Filter | string | No | Sort security policy list by Tags. | - ### Parameters Description: + | Offset | string | No | Specify the offset from where to start pagination. | - | Parameter | Type | Mandatory | Description | + | Limit | string | No | Specify the maximum number of results to return. | - | :--- | :--- | :--- | :--- | - | Security Policy Filter | String | No | A logical expression string to filter - security policies (e.g., `name=='sec_policy_a'`). | + ### Additional Notes - | Tag Filter | String | No | Filter security policy by specific tags using the - format: `''=''`. | + - The action uses pagination parameters (Offset and Limit) to manage the volume + of returned data. - | Tag Sort Filter | String | No | Sort the security policy list based on Tags. - | + - Results are displayed in a data table if any policies are found. - | Offset | String | No | The starting point for pagination (Default: 0). | - | Limit | String | No | The maximum number of results to return (Default: 100). - | + ### Flow Description + + 1. Initialize integration parameters (API root, API key, SSL verification). + + 2. Extract action parameters (filters, sorting, pagination). + 3. Validate pagination parameters (Offset and Limit). - ### Additional Notes: + 4. Call the Infoblox API to retrieve security policies based on the provided filters. - - This action does not operate on specific entities; it retrieves global configuration - data. + 5. Process the API response into a list of `SecurityPolicy` objects. - - The data table displays a maximum of 20 records for readability. + 6. Add the raw JSON response to the action results. + + 7. If policies are found, construct and add a data table to the action results + for display. capabilities: can_create_case_comments: false can_create_insight: false @@ -1386,8 +1425,17 @@ Get Security Policies: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve security policies from the Infoblox + API. It does not modify external data, nor does it modify internal SecOps data + (entities, insights, or comments). It simply displays the retrieved information + in the action results. categories: - enrichment: true + enrichment: false + reasoning: >- + The action retrieves configuration data (security policies) from an external + system. It does not fetch context about specific alerts or entities, nor does + it meet the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1403,6 +1451,9 @@ Get Security Policies: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `target_entities`. It retrieves global security + policies from the Infoblox API. Host Lookup: action_product_categories: add_alert_comment: false @@ -1414,14 +1465,18 @@ Host Lookup: disable_identity: false download_file: false enable_identity: false - enrich_asset: false + enrich_asset: true enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves host information (IPAM data) from Infoblox, which provides + contextual metadata for assets. This matches the 'Enrich Asset' category. It + does not perform IOC enrichment, ticket management, or containment actions. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false - search_asset: true + search_asset: false search_email: false search_events: false send_email: false @@ -1433,52 +1488,28 @@ Host Lookup: update_identity: false update_ticket: false ai_description: >- - Retrieves host information from Infoblox IPAM. This action allows users to search - for host asset records using flexible filters for host attributes and tags. It - supports pagination and custom sorting of results. The retrieved data is presented - in a structured data table and as a raw JSON result for further processing in - the playbook. - - - ### Flow Description - - 1. **Parameter Extraction**: The action retrieves the API connection details and - the user-provided search filters (Host Filter, Tag Filter) and pagination settings - (Offset, Limit, Order By). - - 2. **Validation**: It validates that the Offset and Limit parameters are valid - non-negative integers. - - 3. **API Request**: It calls the Infoblox API (`/api/ddi/v1/ipam/host`) with the - specified filters and sorting parameters. - - 4. **Data Processing**: The action parses the returned host records, converting - them into a flat format suitable for a CSV-style data table. - - 5. **Output Generation**: It adds the full JSON response to the action results - and populates a data table named "Hosts" with the first 20 records found. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Host Filter | String | No | Filter IPAM hosts by specific criteria (e.g., `name=="webserver01"` - or `ip_address=="192.168.1.100"`). | - - | Tag Filter | String | No | Filter IP addresses by specific tags (e.g. `'Tenable_scan'=='true'`). - | - - | Offset | String | No | Specify the offset from where to start pagination. Default - is "0". | - - | Limit | String | No | Specify the maximum number of results to return. Default - is "100". | - - | Order By | String | No | Comma-separated JSON fields to sort the results. Supports - dot notation and `asc`/`desc`. | + General description: This action retrieves host information from the Infoblox + IPAM system based on provided filter criteria. It allows users to query host records + using specific filters, tags, and pagination settings. The action fetches data + from the Infoblox API and presents the results in both a JSON format and a structured + data table for easier analysis. Parameters description: | Parameter | Type | Mandatory + | Description | | --- | --- | --- | --- | | Host Filter | string | No | Filter + IPAM hosts by specific criteria (e.g., name=="webserver01" or ip_address=="192.168.1.100"). + | | Tag Filter | string | No | Filter IP addresses by specific tags (e.g. 'Tenable_scan'=='true'). + | | Offset | string | No | Specify the offset from where to start pagination. + Defaults to "0". | | Limit | string | No | Specify the maximum number of results + to return. Defaults to "100". | | Order By | string | No | Comma-separated JSON + fields to sort the results. Use asc or desc for sort direction. | Additional notes: + The action validates that Offset and Limit are non-negative integers. If no host + records are found, the action returns a message indicating no records were found. + Flow description: 1. The action initializes the Infoblox API manager using the + configured API root, API key, and SSL verification settings. 2. It extracts and + validates the provided action parameters (Host Filter, Tag Filter, Offset, Limit, + Order By). 3. It performs a GET request to the Infoblox IPAM host endpoint (/api/ddi/v1/ipam/host) + with the specified filters and pagination parameters. 4. The raw JSON response + is added to the action results. 5. If host records are returned, the action converts + the data into a flat CSV format and adds it to a data table named 'Hosts'. 6. + A success message is generated indicating the number of records retrieved. capabilities: can_create_case_comments: false can_create_insight: false @@ -1489,8 +1520,17 @@ Host Lookup: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Infoblox API to retrieve host information. + It does not modify any external systems or internal Google SecOps data (such + as entities, insights, or alert data). It only reports the retrieved data back + to the user via result JSON and a data table. categories: - enrichment: false + enrichment: true + reasoning: >- + The action is designed to fetch contextual information (host details) from an + external system (Infoblox) without modifying any external or internal state. + This aligns with the definition of an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1506,6 +1546,9 @@ Host Lookup: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on target entities. It uses input parameters to + query the Infoblox API directly, so the entity_types list is empty. IP Lookup: action_product_categories: add_alert_comment: false @@ -1517,14 +1560,18 @@ IP Lookup: disable_identity: false download_file: false enable_identity: false - enrich_asset: false - enrich_ioc: false + enrich_asset: true + enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves IP address information, including hostnames and hardware + addresses, which provides context for assets and indicators. This matches 'Enrich + IOC' and 'Enrich Asset'. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false - search_asset: true + search_asset: false search_email: false search_events: false send_email: false @@ -1535,64 +1582,31 @@ IP Lookup: update_email: false update_identity: false update_ticket: false - ai_description: >- - ### General Description - - The **IP Lookup** action retrieves detailed IP address information from Infoblox - IPAM. It allows users to search for IP records using various filters such as IP - state, tags, and custom filter expressions. The results include metadata like - hardware addresses, hostnames, and usage status, which are presented in a data - table and as raw JSON for further processing. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **IP Filter** | String | No | A logical expression to filter IP addresses (e.g., - `address=="192.168.1.100"`). | - - | **Address State** | DDL | No | Filters by the state of the IP address. Options: - `Any`, `Free`, `Used`. Default is `Used`. | - - | **Scope** | String | No | Specifies the network scope for the lookup. | - - | **Tag Filter** | String | No | Filters results based on specific tags (e.g., - `'Tenable_scan'=='true'`). | - - | **Offset** | String | No | The starting point for pagination. Default is `0`. - | - - | **Limit** | String | No | The maximum number of records to return. Default is - `100`. | - - | **Order By** | String | No | Comma-separated fields to sort the results (e.g., - `address asc`). | - - - ### Flow Description - - 1. **Parameter Extraction:** The action retrieves user-provided filters and pagination - settings. - - 2. **Validation:** It validates that `Offset` and `Limit` are non-negative integers. - - 3. **API Interaction:** It sends a GET request to the Infoblox `/api/ddi/v1/ipam/address` - endpoint with the specified query parameters. - - 4. **Data Processing:** The response is parsed, and up to 20 records are formatted - into a data table. - - 5. **Output:** The action returns the full JSON response and displays the formatted - table in the SOAR interface. - - - ### Additional Notes - - This action does not automatically process entities from the alert context; it - relies entirely on the provided input parameters. + ai_description: "Retrieves IP address information from Infoblox. This action queries\ + \ the Infoblox DDI API to fetch IP address details based on provided filters such\ + \ as IP address, state, scope, and tags. \n\n### Flow Description\n1. **Parameter\ + \ Extraction**: The action extracts configuration parameters (API root, API key,\ + \ SSL verification) and action-specific parameters (IP Filter, Address State,\ + \ Scope, Tag Filter, Offset, Limit, Order By).\n2. **API Initialization**: An\ + \ `APIManager` instance is initialized with the provided credentials.\n3. **Data\ + \ Retrieval**: The action calls the `ip_lookup` method of the `APIManager`, which\ + \ performs a GET request to the Infoblox IPAM address endpoint.\n4. **Result Processing**:\ + \ The retrieved IP records are processed into `IPLookup` data models.\n5. **Output\ + \ Generation**: The action adds the raw JSON response to the action result and\ + \ generates a data table titled \"IP Lookup Data\" containing the processed IP\ + \ information.\n\n### Parameters Description\n| Parameter | Type | Mandatory |\ + \ Description |\n| :--- | :--- | :--- | :--- |\n| IP Filter | string | No | Filter\ + \ IP addresses by specific criteria (e.g., address==\"192.168.1.100\" or state==\"\ + USED\"). |\n| Address State | ddl | No | Filter by IP address state (e.g., 'Any',\ + \ 'Free', 'Used'). Defaults to 'Used'. |\n| Scope | string | No | Specify the\ + \ scope for IP address lookup. |\n| Tag Filter | string | No | Filter IP addresses\ + \ by specific tags (e.g. 'Tenable_scan'=='true'). |\n| Offset | string | No |\ + \ Specify the offset from where to start pagination. Defaults to \"0\". |\n| Limit\ + \ | string | No | Specify the maximum number of results to return. Defaults to\ + \ \"100\". |\n| Order By | string | No | Comma-separated JSON fields to sort the\ + \ results. Use asc or desc for sort direction. |\n\n### Additional Notes\n- If\ + \ no IP data is found, the action returns a message indicating that no data was\ + \ found.\n- The action supports pagination via the Offset and Limit parameters." capabilities: can_create_case_comments: false can_create_insight: false @@ -1603,8 +1617,16 @@ IP Lookup: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve IP address information from Infoblox. + It does not modify any external or internal systems. It adds a data table to + the action result, which is not considered internal data mutation (like updating + entities or creating insights). categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches data from an external source (Infoblox) and does not mutate + any external or internal systems. It meets the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1620,6 +1642,9 @@ IP Lookup: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `target_entities`. It uses input parameters + to perform a lookup. Indicator Threat Lookup With TIDE: action_product_categories: add_alert_comment: false @@ -1635,6 +1660,10 @@ Indicator Threat Lookup With TIDE: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves threat intelligence (reputation, threat class, etc.) for + an indicator from Infoblox TIDE. This matches the 'Enrich IOC' category. It + does not perform any other actions like blocking, ticketing, or updating alerts. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1649,76 +1678,36 @@ Indicator Threat Lookup With TIDE: update_email: false update_identity: false update_ticket: false - ai_description: >- - ### General Description - - Retrieves threat intelligence for specific indicators (IP, Host, URL, Email, or - Hash) from Infoblox TIDE (Threat Intelligence Data Exchange). This action allows - analysts to query the TIDE database using various filters such as threat class, - target, and top-level domains to identify known malicious activity associated - with an indicator. The results provide context on the threat level, class, and - profile of the detected indicators. - - - ### Parameters Description - - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Indicator Type | ddl | No | Specifies the category of indicator to search for. - Options include All, IP, Host, URL, Email, and Hash. Default is "All". | - - | Indicator Value | string | No | The specific value of the indicator to look - up (e.g., an IP address or domain). | - - | Domain | string | No | A comma-separated list of domains to filter the threat - search. | - - | Top-Level Domain | string | No | A comma-separated list of top-level domains - (TLDs) to filter the search. | - - | Threat Class | string | No | A comma-separated list of threat classes (e.g., - malware, botnet) to filter the results. | - - | Target | string | No | A comma-separated list of targets to filter the search. - | - - | Expiration | string | No | A period of time or ISO8601 date after which data - is no longer considered active. | - - | Limit | string | No | The maximum number of results to return from the API. - Default is 100. | - - - ### Additional Notes - - This action does not automatically iterate over entities in a Google SecOps case. - It relies on the provided "Indicator Value" and other filter parameters to perform - the lookup. If "Indicator Type" is set to "All", the "Indicator Value" is ignored - in the specific type-based query parameters. - - - ### Flow Description - - 1. **Parameter Extraction:** The action retrieves integration configuration (API - Root, Key) and action-specific parameters including the indicator type, value, - and various filters. - - 2. **Validation:** Validates the 'Limit' parameter to ensure it is a positive - integer. - - 3. **API Request:** Initiates a GET request to the Infoblox TIDE threat data endpoint - (`/tide/api/data/threats`) using the constructed query parameters. - - 4. **Data Processing:** Parses the "threat" array from the API response. It maps - the raw data to a structured model, extracting fields like Threat Level, Class, - and Profile. - - 5. **Output Generation:** Adds the full JSON response to the action results and - constructs a data table showing up to the first 20 threat records for analyst - review. + ai_description: "### General Description\nThis action retrieves threat intelligence\ + \ details for a specified indicator (IP, URL, Host, Email, or Hash) using the\ + \ Infoblox Threat Defense (TIDE) service. It allows analysts to query the TIDE\ + \ database based on various criteria such as indicator type, threat class, and\ + \ target, providing valuable context for security investigations.\n\n### Flow\ + \ Description\n1. **Parameter Extraction**: The action extracts input parameters,\ + \ including the indicator type, indicator value, and optional filters (Domain,\ + \ TLD, Threat Class, Target, Expiration, Limit).\n2. **API Interaction**: It initializes\ + \ the `APIManager` and performs a GET request to the Infoblox TIDE API endpoint\ + \ (`/tide/api/data/threats`) with the provided filters.\n3. **Data Processing**:\ + \ The action processes the API response, mapping the threat data to `IndicatorThreatLookupTideResult`\ + \ models.\n4. **Output Generation**: \n - The raw JSON response is added to\ + \ the action results.\n - If threat records are found, a data table titled\ + \ \"TIDE Indicator Threat Lookup Results\" is constructed and displayed, showing\ + \ key details like Indicator, Type, Threat Level, Class, Property, Profile, and\ + \ Detection status.\n\n### Parameters Description\n| Parameter | Type | Mandatory\ + \ | Description |\n| :--- | :--- | :--- | :--- |\n| Indicator Type | ddl | No\ + \ | Specify the type of indicator to search for (Host, IP, URL, Email, Hash, All).\ + \ Defaults to 'All'. |\n| Indicator Value | string | No | Specify the indicator\ + \ value(s) based on the indicator type you want to search for. |\n| Domain | string\ + \ | No | Specify the comma-separated domain(s) to search for. |\n| Top-Level Domain\ + \ | string | No | Specify the comma-separated top-level domain(s) to search for.\ + \ |\n| Threat Class | string | No | Specify the comma-separated threat class(es)\ + \ to search for. |\n| Target | string | No | Specify the comma-separated target(s)\ + \ to search for. |\n| Expiration | string | No | Period of time after which data\ + \ is no longer considered active. |\n| Limit | string | No | Specify the maximum\ + \ number of results to return. Defaults to '1000'. |\n\n### Additional Notes\n\ + - This action is a read-only lookup and does not modify any external systems or\ + \ internal case data. \n- If no threat data is found, the action returns a message\ + \ indicating no data was found." capabilities: can_create_case_comments: false can_create_insight: false @@ -1729,8 +1718,17 @@ Indicator Threat Lookup With TIDE: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Infoblox TIDE API to retrieve threat + intelligence for a specified indicator. It does not modify any external or internal + data. It simply presents the retrieved information in the action results via + data tables and JSON output. categories: enrichment: true + reasoning: >- + The action fetches threat intelligence data from an external source (Infoblox + TIDE) and presents it in the action results. It does not mutate any external + or internal state. This fits the definition of an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1746,6 +1744,9 @@ Indicator Threat Lookup With TIDE: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities`. It uses input + parameters to perform a lookup, meaning it does not run on specific entities. "Initiate Indicator Intel Lookup With Dossier": action_product_categories: add_alert_comment: false @@ -1761,6 +1762,9 @@ Indicator Threat Lookup With TIDE: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves threat intelligence (reputation, etc.) for an indicator + using Infoblox Dossier. This matches the 'Enrich IOC' category. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1778,56 +1782,53 @@ Indicator Threat Lookup With TIDE: ai_description: >- ### General Description - Initiates an indicator investigation using Infoblox Dossier. This action allows - users to perform threat intelligence lookups for various indicator types, including - IP addresses, hostnames, URLs, email addresses, and file hashes. It can operate - in either a synchronous mode (waiting for results) or an asynchronous mode (returning - a Job ID for later retrieval). - + Initiates an indicator investigation using Infoblox Dossier. This action queries + the Infoblox Threat Defense platform to retrieve threat intelligence for a specified + indicator (IP, Host, URL, Email, or Hash). Depending on the configuration, it + either waits for the results to be returned or initiates a job and returns a Job + ID for later retrieval. - ### Parameters Description - | Parameter | Type | Mandatory | Description | + ### Flow Description - | :--- | :--- | :--- | :--- | + 1. **Parameter Extraction**: The action retrieves the `Indicator Type`, `Indicator + Value`, `Source`, and `Wait for Results` parameters from the configuration. - | Indicator Type | DDL | Yes | Specify the type of indicator to search for. Supported - values: Host, IP, URL, Email, Hash. | + 2. **API Interaction**: It calls the Infoblox API (`/tide/api/services/intel/lookup/indicator/{type}`) + to initiate the intel lookup. - | Indicator Value | String | Yes | Specify the indicator value to search for. - | + 3. **Result Processing**: + - If `Wait for Results` is set to `true`, the action processes the returned + data and displays it in a data table. + - If `Wait for Results` is set to `false`, the action returns the `Job ID` + and `Status` in a data table. + 4. **Output**: The raw API response is added to the action results as JSON, and + a summary table is generated for the analyst. - | Source | String | No | Specify comma-separated sources to query within Dossier. - | - | Wait for Results | Boolean | No | If set to true, the action will wait for the - investigation to complete and return the results. If false, it returns a Job ID - immediately. Default is false. | + ### Parameters Description + | Parameter | Type | Mandatory | Description | - ### Flow Description + | :--- | :--- | :--- | :--- | - 1. **Parameter Extraction:** The action retrieves the indicator type, value, sources, - and the wait flag from the input parameters. + | Indicator Type | ddl | Yes | The type of indicator to search for (IP, Host, + URL, Email, Hash). | - 2. **Validation:** It validates that the indicator value is a non-empty string. + | Indicator Value | string | Yes | The actual value of the indicator to investigate. + | - 3. **API Interaction:** It calls the Infoblox Dossier API via a GET request to - initiate the lookup. + | Source | string | No | Comma-separated threat intelligence sources to query. + | - 4. **Result Processing:** - - If **Wait for Results** is true: The action processes the returned dossier - results and populates a data table with details such as Source, Status, and Data. - - If **Wait for Results** is false: The action retrieves the Job ID and status, - populating a data table with these tracking details. - 5. **Output:** The raw API response is attached as a JSON result, and a summary - message is provided to the user. + | Wait for Results | boolean | No | If set to true, the action waits for the lookup + to complete and displays results; otherwise, it returns a Job ID. | ### Additional Notes - This action does not automatically iterate over entities in the SecOps case; it - requires the indicator value to be provided as a direct parameter. + This action does not modify any external or internal systems; it is strictly an + enrichment and information-gathering tool. capabilities: can_create_case_comments: false can_create_insight: false @@ -1838,8 +1839,17 @@ Indicator Threat Lookup With TIDE: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve threat intelligence for an indicator. + It does not modify external systems or internal case data (entities/insights). + It adds a data table to the action result, which is standard output and not + considered internal mutation. categories: enrichment: true + reasoning: >- + The action fetches threat intelligence data for an indicator. It does not mutate + external systems or modify internal case data. It meets the criteria for an + enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1855,6 +1865,9 @@ Indicator Threat Lookup With TIDE: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action takes the indicator value as a parameter and does not iterate over + or process `siemplify.target_entities`. Ping: action_product_categories: add_alert_comment: false @@ -1870,6 +1883,9 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test. It does not perform any of the defined functional + outcomes such as enriching IOCs, updating tickets, or modifying alerts. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1884,28 +1900,42 @@ Ping: update_email: false update_identity: false update_ticket: false - ai_description: "### General Description\nThe **Ping** action is a diagnostic utility\ - \ designed to verify the connectivity between Google SecOps and the Infoblox Threat\ - \ Defense with DDI platform. It ensures that the integration's configuration parameters\u2014\ - specifically the API Root and API Key\u2014are correct and that the network path\ - \ is open. This action is typically used during initial setup or troubleshooting\ - \ to confirm that the SOAR can successfully authenticate and communicate with\ - \ the Infoblox API.\n\n### Parameters Description\nThere are no input parameters\ - \ for this action. It relies entirely on the integration's global configuration\ - \ settings (API Root, API Key, and Verify SSL).\n\n### Flow Description\n1. **Initialization**:\ - \ The action initializes the Siemplify SDK and retrieves the global integration\ - \ configuration (API Root, API Key, and SSL verification settings).\n2. **Manager\ - \ Setup**: An instance of the `APIManager` is created using the retrieved credentials.\n\ - 3. **Connectivity Test**: The action calls the `test_connectivity` method, which\ - \ performs a `GET` request to the Infoblox authentication endpoint (`/api/authn/v1/account`).\n\ - 4. **Result Handling**: \n * If the request is successful (HTTP 200), the action\ - \ returns a success message and sets the result value to `True`.\n * If an\ - \ exception occurs (e.g., authentication failure, timeout, or connection error),\ - \ the action logs the error, returns a failure message, and sets the execution\ - \ state to `FAILED`.\n\n### Additional Notes\n* This action does not process any\ - \ entities or modify any data within Infoblox or Google SecOps.\n* As per standard\ - \ SOAR practices, actions named 'Ping' are excluded from being categorized as\ - \ enrichment actions." + ai_description: >- + ### General Description + + This action tests the connectivity between the Google SecOps SOAR platform and + the Infoblox Threat Defense with DDI server to ensure the integration is configured + correctly. It verifies that the provided API credentials have valid access to + the Infoblox API. + + + ### Flow Description + + 1. The action initializes the `SiemplifyAction` and retrieves the required integration + parameters (API Root, API Key, and Verify SSL). + + 2. It instantiates the `APIManager` using these credentials. + + 3. The action calls the `test_connectivity` method, which performs a GET request + to the Infoblox `/api/authn/v1/account` endpoint. + + 4. If the request is successful, the action returns a success message. If the + request fails, it logs the error and returns a failure status. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | --- | --- | --- | --- | + + | N/A | N/A | N/A | There are no parameters for this action. | + + + ### Additional Notes + + This action is strictly for connectivity testing and does not perform any data + retrieval or modification. capabilities: can_create_case_comments: false can_create_insight: false @@ -1916,8 +1946,15 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Infoblox API to verify connectivity. + It does not modify external or internal data, update entities, or create insights. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action. According to the instructions, 'Actions named + Ping must not be categorized as enrichment actions.' Therefore, it is not an + enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1933,6 +1970,9 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. It performs a global connectivity + check against the Infoblox API. Remove Custom List: action_product_categories: add_alert_comment: false @@ -1948,6 +1988,11 @@ Remove Custom List: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action deletes a custom list in Infoblox. This is a configuration management + action. It does not match any of the specific categories like 'Remove IOC From + Blocklist' (which implies removing an indicator from a list, not deleting the + list itself) or 'Update Alert'. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1963,41 +2008,39 @@ Remove Custom List: update_identity: false update_ticket: false ai_description: >- - ### General Description - - Deletes a specified custom list from the Infoblox Threat Defense system using - its unique identifier. This action is used to manage and clean up threat intelligence - lists or policy-related named lists within the Infoblox environment. + Deletes a specified custom list from the Infoblox Threat Defense system. This + action allows administrators to remove existing custom lists by providing their + unique identifier. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Custom List ID | String | Yes | The unique identifier of the custom list to - be removed. This value must be a positive integer. | - - - ### Additional Notes - - - The action performs a destructive operation (DELETE) on the external system. - - - Ensure the ID is correct, as this operation cannot be undone via the SOAR. + | Custom List ID | string | Yes | The unique identifier of the custom list to + be removed. Must be a positive integer. | ### Flow Description - 1. **Parameter Extraction**: Retrieves the `Custom List ID` from the action parameters. + 1. **Configuration Retrieval**: The action retrieves the necessary integration + configuration (API Root, API Key, Verify SSL) to establish a connection with the + Infoblox Threat Defense system. - 2. **Validation**: Validates that the provided ID is a valid positive integer. + 2. **Parameter Extraction**: The action extracts the `Custom List ID` provided + by the user. - 3. **API Interaction**: Sends a DELETE request to the Infoblox API endpoint for - named lists using the provided ID. + 3. **Validation**: The `Custom List ID` is validated to ensure it is a positive + integer. - 4. **Result Handling**: Returns a success message if the deletion is confirmed - or an error message if the list is not found or the request fails. + 4. **API Execution**: The action initializes the `APIManager` and sends a `DELETE` + request to the Infoblox API endpoint (`/api/atcfw/v1/named_lists/{custom_list_id}`) + to remove the specified custom list. + + 5. **Result Handling**: The action returns a success message if the list is deleted, + or an error message if the operation fails (e.g., invalid ID, API error). capabilities: can_create_case_comments: false can_create_insight: false @@ -2006,11 +2049,19 @@ Remove Custom List: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Deletes a specified custom list from the Infoblox Threat Defense system. + Deletes a custom list from the Infoblox Threat Defense system. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a DELETE request to an external API to remove a custom list + configuration. It does not fetch data, nor does it modify internal SOAR data + (entities, insights, etc.). categories: enrichment: false + reasoning: >- + The action is a destructive mutation (deletion) of an external configuration + object, not an enrichment action. It does not fetch data or perform any of the + allowed internal mutations. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -2026,6 +2077,9 @@ Remove Custom List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on entities. It takes a 'Custom List ID' as a parameter + and performs a management operation on the Infoblox system. Remove Network List: action_product_categories: add_alert_comment: false @@ -2041,6 +2095,10 @@ Remove Network List: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action removes a network list from the Infoblox environment. This is an + administrative configuration change and does not match any of the specific IOC, + asset, or alert management categories provided. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -2056,44 +2114,43 @@ Remove Network List: update_identity: false update_ticket: false ai_description: >- - Removes an existing network list from the Infoblox Threat Defense environment. - This action targets a specific network list by its unique identifier and performs - a permanent deletion in the external system. It is typically used for cleaning - up security configurations or decommissioning specific network groupings. + ### General Description + + Removes a network list from the Infoblox Threat Defense environment. This action + performs a DELETE request to the Infoblox API using the provided Network List + ID. - ### Flow Description: + ### Parameters Description + + | Parameter | Type | Mandatory | Description | - 1. **Parameter Extraction:** The action retrieves the 'Network List ID' from the - input parameters. + | :--- | :--- | :--- | :--- | - 2. **Validation:** It validates that the provided ID is a positive integer. + | Network List ID | string | Yes | The ID of the network list to be removed. | - 3. **API Interaction:** The action initializes the Infoblox API Manager and sends - a DELETE request to the `/api/atcfw/v1/network_lists/{network_list_id}` endpoint. - 4. **Result Handling:** If the deletion is successful, it returns a completion - status. If the list is assigned to a security policy or does not exist, it captures - the error and fails the action. + ### Additional Notes + - The `Network List ID` parameter is validated as a positive integer before the + API call is made. - ### Parameters Description: - | Parameter Name | Expected Type | Mandatory | Description | + ### Flow Description - | :--- | :--- | :--- | :--- | + 1. Extracts integration parameters (API root, API key, SSL verification) from + the configuration. - | Network List ID | String | True | The unique numerical identifier of the network - list to be removed. Must be a positive integer. | + 2. Extracts the `Network List ID` from the action parameters. + 3. Validates that the `Network List ID` is a positive integer. - ### Additional Notes: + 4. Initializes the `APIManager` and calls the `remove_network_list` method. - - This action does not run on entities; it requires a specific ID provided as - a parameter. + 5. Performs a DELETE request to the Infoblox API endpoint `/api/atcfw/v1/network_lists/{network_list_id}`. - - Deletion may fail if the network list is currently associated with an active - security policy. + 6. Returns a success message if the deletion is successful, or an error message + if the operation fails. capabilities: can_create_case_comments: false can_create_insight: false @@ -2102,12 +2159,17 @@ Remove Network List: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Deletes a network list resource from the Infoblox Threat Defense platform using - a DELETE request. + Deletes the specified network list from the Infoblox Threat Defense environment. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a DELETE request to the Infoblox API to remove a network + list. It does not fetch data, nor does it modify internal SOAR data or entities. categories: enrichment: false + reasoning: >- + The action performs a DELETE operation on an external system (Infoblox) and + does not fetch data, therefore it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -2123,6 +2185,9 @@ Remove Network List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on entities. It takes a `Network List ID` as a parameter + to perform an administrative action on the Infoblox platform. Remove Security Policy: action_product_categories: add_alert_comment: false @@ -2138,8 +2203,12 @@ Remove Security Policy: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action deletes a security policy from the Infoblox Threat Defense system. + This is a configuration change and does not match any of the provided categories + (e.g., Enrichment, Containment, Ticket management, etc.). remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: true + remove_ioc_from_blocklist: false reset_identity_password: false search_asset: false search_email: false @@ -2153,38 +2222,44 @@ Remove Security Policy: update_identity: false update_ticket: false ai_description: >- + ### General Description + Deletes a specified security policy from the Infoblox Threat Defense system. This - action is primarily used to remove security restrictions or unblock indicators - by deleting the policy that governs their behavior. It requires a specific Security - Policy ID to identify the target for deletion. + action is used to remove an existing security policy by its unique identifier. ### Parameters Description - - | Parameter | Description | Type | Mandatory | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Security Policy ID | The unique identifier of the security policy to be deleted. - The value must be a positive integer string. | String | Yes | + | Security Policy ID | string | Yes | The unique identifier of the security policy + to be deleted. This must be a valid integer. | ### Flow Description + 1. **Initialization**: The action extracts the integration configuration (API + root, API key, and SSL verification settings). + + 2. **Parameter Extraction**: The action extracts the `Security Policy ID` from + the provided parameters. + + 3. **Validation**: The `Security Policy ID` is validated to ensure it is a non-empty, + positive integer. - 1. **Parameter Extraction**: The action retrieves the `Security Policy ID` from - the input parameters. + 4. **API Interaction**: The action initializes the `APIManager` and sends a `DELETE` + request to the Infoblox Threat Defense API to remove the specified security policy. - 2. **Validation**: It validates that the ID is a non-empty string and represents - a valid positive integer. + 5. **Completion**: The action returns a success message if the policy is removed, + or an error message if the operation fails. - 3. **API Interaction**: The action initializes the Infoblox API Manager and sends - a `DELETE` request to the security policies endpoint using the provided ID. - 4. **Result Handling**: If the deletion is successful, the action completes with - a success message. If the API returns an error (e.g., policy not found), the action - fails and reports the error reason. + ### Additional Notes + + This action performs a destructive operation on the external system (Infoblox + Threat Defense). Ensure the `Security Policy ID` is correct before executing. capabilities: can_create_case_comments: false can_create_insight: false @@ -2193,12 +2268,18 @@ Remove Security Policy: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Deletes a security policy from the Infoblox Threat Defense system via a DELETE - request to the API. + Deletes a security policy from the Infoblox Threat Defense system. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action makes a DELETE request to remove a security policy from the Infoblox + Threat Defense system. It does not fetch data, nor does it modify internal SOAR + data (entities, insights, etc.). categories: enrichment: false + reasoning: >- + The action performs a DELETE operation on an external system (Infoblox) to remove + a security policy. It does not fetch data, so it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -2214,6 +2295,9 @@ Remove Security Policy: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use entities. It operates on a specific `Security Policy + ID` provided as a parameter. Update Custom List: action_product_categories: add_alert_comment: false @@ -2229,6 +2313,11 @@ Update Custom List: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action updates the metadata of a custom list in Infoblox. It does not add + or remove IOCs, nor does it perform any of the other defined actions like ticket + creation, alert updates, or host containment. Therefore, it does not match any + of the provided product categories. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -2243,32 +2332,58 @@ Update Custom List: update_email: false update_identity: false update_ticket: false - ai_description: "Updates the metadata and configuration of an existing custom list\ - \ in Infoblox Threat Defense. This action allows for modifying the list's name,\ - \ description, confidence level, threat level, and tags. It follows a 'fetch-and-patch'\ - \ logic where it first retrieves the current state of the list to ensure that\ - \ any parameters not provided by the user remain unchanged.\n\n### Flow Description:\n\ - 1. **Fetch Existing Data:** The action retrieves the current configuration of\ - \ the custom list using the provided `Custom List ID` to ensure data continuity.\n\ - 2. **Parameter Merging:** It merges the user-provided inputs with the existing\ - \ data. If a parameter is left blank, the current value is retained. \n3. **Nullification\ - \ Logic:** If the keyword `empty` is used for the `Description` or `Tags` parameters,\ - \ those fields are cleared in the external system.\n4. **API Update:** A `PUT`\ - \ request is sent to the Infoblox API with the updated payload.\n5. **Result Processing:**\ - \ The action returns the updated list details as a JSON result and populates a\ - \ data table named 'Custom List Details'.\n\n### Parameters Description:\n| Parameter\ - \ Name | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Custom\ - \ List ID | string | Yes | The unique identifier of the custom list to be updated.\ - \ Must be a positive integer. |\n| Name | string | No | The new name for the custom\ - \ list. |\n| Description | string | No | The new description for the custom list.\ - \ Use the keyword `empty` to remove the existing description. |\n| Confidence\ - \ Level | ddl | No | The confidence level for the custom list. Options: High,\ - \ Medium, Low. |\n| Threat Level | ddl | No | The threat level for the custom\ - \ list. Options: High, Medium, Low, Info. |\n| Tags | string | No | A JSON object\ - \ string representing tags to categorize the list. Use the keyword `empty` to\ - \ remove existing tags. |\n\n### Additional Notes:\n- This action does not modify\ - \ the actual items (indicators) within the list; it only modifies the list's metadata.\ - \ To update items, use the 'Update Custom List Items' action." + ai_description: >- + Updates the metadata of an existing custom list in Infoblox Threat Defense. This + action allows users to modify the name, description, confidence level, threat + level, and tags of a specific custom list while preserving its existing items. + + + ### Flow Description + + 1. **Parameter Extraction**: The action retrieves the provided configuration parameters, + including the mandatory `Custom List ID` and optional metadata fields. + + 2. **Data Retrieval**: It fetches the current details of the specified custom + list from Infoblox to ensure existing data (like the list items) is preserved. + + 3. **Payload Construction**: A new payload is constructed by merging the provided + updates with the existing list data. + + 4. **Update Execution**: The action sends a PUT request to the Infoblox API to + update the custom list metadata. + + 5. **Result Display**: The updated list details are returned and displayed in + a data table within the SecOps platform. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Custom List ID | string | Yes | The unique identifier of the custom list to + update. | + + | Name | string | No | The new name for the custom list. | + + | Description | string | No | The new description for the custom list. Use 'empty' + to remove the description. | + + | Confidence Level | ddl | No | The new confidence level (High, Medium, Low). + | + + | Threat Level | ddl | No | The new threat level (High, Medium, Low, Info). | + + | Tags | string | No | The new tags to categorize the list. Use 'empty' to remove + tags. | + + + ### Additional Notes + + This action only updates the metadata of the custom list. It does not add or remove + items (IOCs) from the list. To modify list items, use the dedicated 'Update Custom + List Items' action. capabilities: can_create_case_comments: false can_create_insight: false @@ -2277,12 +2392,19 @@ Update Custom List: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the metadata (name, description, confidence level, threat level, and - tags) of an existing custom list in Infoblox Threat Defense via a PUT request. + Updates the metadata (name, description, confidence level, threat level, tags) + of a custom list in Infoblox. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches existing custom list data to preserve its current state (items) + and then performs a PUT request to update the list's metadata in the external + Infoblox system. It does not modify internal SecOps data, entities, or alerts. categories: enrichment: false + reasoning: >- + The action mutates external data (updates a custom list configuration), which + violates the 'Read-Only' requirement for enrichment actions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -2298,11 +2420,14 @@ Update Custom List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on entities. It takes a 'Custom List ID' as a parameter + and performs operations on that specific list in the external system. Update Custom List Items: action_product_categories: add_alert_comment: false - add_ioc_to_allowlist: false - add_ioc_to_blocklist: false + add_ioc_to_allowlist: true + add_ioc_to_blocklist: true contain_host: false create_ticket: false delete_email: false @@ -2313,8 +2438,12 @@ Update Custom List Items: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false - remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: false + reasoning: >- + The action updates items in a custom list in Infoblox Threat Defense. This list + can be used for blocklisting or allowlisting indicators, thus matching the 'Add/Remove + IOC To Blocklist/Allowlist' categories. + remove_ioc_from_allowlist: true + remove_ioc_from_blocklist: true reset_identity_password: false search_asset: false search_email: false @@ -2327,61 +2456,27 @@ Update Custom List Items: update_email: false update_identity: false update_ticket: false - ai_description: >- - ### General Description - - The **Update Custom List Items** action allows users to modify the contents of - an existing Custom List within Infoblox Threat Defense. It supports adding or - removing multiple indicators, such as IPv4 addresses, IPv6 addresses, and domain - names, in a single execution. This is primarily a management action used to maintain - lists that are often referenced by security policies for blocking or allowing - traffic. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **Custom List ID** | String | Yes | The unique identifier of the Custom List - to be updated. Although provided as a string, it must represent a positive integer. - | - - | **Action** | DDL | Yes | The operation to perform on the list. Options are `Add` - (to insert new items) or `Remove` (to delete existing items). | - - | **Items** | String | Yes | A comma-separated list of indicators (IPv4, IPv6, - or domains) to be processed. | - - - ### Flow Description - - 1. **Parameter Extraction and Validation:** The action retrieves the Custom List - ID, the desired action (Add/Remove), and the list of items. It validates that - the ID is a positive integer and that the items provided are valid IPv4/IPv6 addresses - or domain names. - - 2. **API Request Construction:** Based on the selected action, the script constructs - a `PATCH` request body containing either `inserted_items_described` or `deleted_items_described`. - - 3. **External Interaction:** The action sends the `PATCH` request to the Infoblox - API endpoint: `/api/atcfw/v1/named_lists/{custom_list_id}/items`. - - 4. **Response Processing:** The action parses the API response to identify how - many items were successfully added, removed, or updated. It then outputs a summary - message and the raw JSON response. - - - ### Additional Notes - - - **Entity Usage:** This action does not process SecOps entities (like IP or Domain - objects in the case). It operates strictly on the strings provided in the **Items** - parameter. - - - **Validation Constraints:** The `Custom List ID` must be greater than zero. - If the `Items` parameter results in an empty list after parsing, the action will - fail. + ai_description: "### General Description\nThis action updates items in an existing\ + \ custom list within the Infoblox Threat Defense platform. It allows analysts\ + \ to dynamically add or remove indicators (such as IP addresses or domains) from\ + \ a specified custom list, facilitating automated management of threat intelligence\ + \ or security policy lists.\n\n### Parameters Description\n| Parameter | Type\ + \ | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Custom List ID\ + \ | string | Yes | The unique identifier of the Custom List to be updated. |\n\ + | Action | ddl | Yes | The operation to perform on the list. Options are 'Add'\ + \ or 'Remove'. |\n| Items | string | Yes | A comma-separated list of indicators\ + \ (IPs, domains) to be added to or removed from the list. |\n\n### Flow Description\n\ + 1. **Initialization**: The action extracts the configuration parameters (API root,\ + \ API key, SSL verification) and the action-specific parameters (Custom List ID,\ + \ Action, Items).\n2. **Validation**: \n - Validates that the `Custom List\ + \ ID` is a positive integer.\n - Converts the `Items` string into a list and\ + \ validates that each item is a properly formatted IPv4, IPv6, or domain name.\n\ + 3. **Execution**: \n - Initializes the `APIManager` to communicate with the\ + \ Infoblox Threat Defense API.\n - Sends a `PATCH` request to the `/api/atcfw/v1/named_lists/{custom_list_id}/items`\ + \ endpoint with the specified action and items.\n4. **Result Handling**: \n \ + \ - Processes the API response to determine which items were successfully added,\ + \ removed, or updated.\n - Generates an output message summarizing the operation\ + \ results.\n - Adds the full API response as a JSON result to the action output." capabilities: can_create_case_comments: false can_create_insight: false @@ -2390,12 +2485,21 @@ Update Custom List Items: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates (adds or removes) indicators within a specific Custom List in the Infoblox - Threat Defense platform using a PATCH request. + The action modifies a custom list in Infoblox Threat Defense by adding or removing + indicators. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a PATCH request to an external API (Infoblox) to modify + a custom list. It does not fetch data for enrichment, nor does it modify internal + SOAR data, entities, or alerts. It is a pure mutation action on an external + system. categories: enrichment: false + reasoning: >- + The action is a mutation action that modifies an external system (Infoblox) + and does not fetch data for enrichment purposes. Therefore, it does not meet + the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -2411,11 +2515,14 @@ Update Custom List Items: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on entities. It takes parameters directly from the + action configuration and does not iterate over or filter any entities. Update Network List: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false - add_ioc_to_blocklist: true + add_ioc_to_blocklist: false contain_host: false create_ticket: false delete_email: false @@ -2426,8 +2533,15 @@ Update Network List: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action updates a network list configuration in Infoblox. While network lists + can be used for security policies, this action is a generic configuration update + and does not strictly match the specific outcomes of 'Add IOC To Blocklist' + or 'Add IOC To Allowlist' as defined, as it does not explicitly manage block/allow + status for specific IOCs in a security control context, but rather updates the + list definition itself. remove_ioc_from_allowlist: false - remove_ioc_from_blocklist: true + remove_ioc_from_blocklist: false reset_identity_password: false search_asset: false search_email: false @@ -2441,60 +2555,60 @@ Update Network List: update_identity: false update_ticket: false ai_description: >- - Updates an existing network list in Infoblox Threat Defense with a new name, items, - or description. This action allows for granular updates to network lists used - for security policies. If optional parameters like Name, Items, or Description - are not provided, the action fetches the current configuration from Infoblox and - preserves the existing values. The action also supports clearing the description - field using a specific keyword. + Updates an existing network list within the Infoblox Threat Defense platform. + This action allows users to modify the name, items (such as IP addresses or CIDRs), + or description of a specific network list identified by its ID. - ### Flow Description: + ### Flow Description - 1. **Parameter Extraction:** The action retrieves the Network List ID (mandatory) - and optional fields (Name, Items, Description) from the user input. + 1. **Initialization**: The action extracts the necessary configuration parameters + (API root, API key, SSL verification) and action-specific inputs. - 2. **Validation:** Validates that the Network List ID is a positive integer. + 2. **Validation**: It validates the `Network List ID` to ensure it is a valid + integer. - 3. **Data Retrieval:** Fetches the current state of the specified network list - from the Infoblox API to ensure that any fields not being updated retain their - current values. + 3. **Data Retrieval**: The action fetches the current details of the specified + network list from Infoblox to ensure existing data is preserved if optional parameters + are not provided. - 4. **Payload Construction:** Merges the new inputs with the existing data. If - the 'Description' parameter is set to 'empty', the field is cleared. + 4. **Payload Construction**: It constructs the update payload by merging the provided + new values with the existing data fetched in the previous step. - 5. **External Update:** Sends a PUT request to the Infoblox API to update the - network list. + 5. **Execution**: It sends a `PUT` request to the Infoblox API to update the network + list configuration. - 6. **Output Generation:** Returns the updated network list details as a JSON object - and populates a data table named 'Network List Details' in the SecOps platform. + 6. **Result Reporting**: The action returns the updated network list details as + a JSON result and a data table, and marks the execution as completed. - ### Parameters Description: + ### Parameters - | Parameter Name | Type | Mandatory | Description | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Network List ID | string | True | The unique identifier of the network list - to be updated. Must be a positive integer. | + | Network List ID | string | Yes | The unique identifier of the network list to + be updated. | - | Name | string | False | The new name for the network list. If omitted, the current - name is kept. | + | Name | string | No | The new name for the network list. | - | Items | string | False | A comma-separated list of items (e.g., IP addresses - or CIDRs) to include in the network list. If omitted, current items are kept. - | + | Items | string | No | A comma-separated list of items (e.g., IP addresses) to + include in the network list. | + + | Description | string | No | A new description for the network list. Use the + keyword `empty` to remove the existing description. | - | Description | string | False | A new description for the network list. Use the - keyword `empty` to remove the existing description. If omitted, the current description - is kept. | + ### Additional Notes - ### Additional Notes: + - This action performs a `PUT` request, which overwrites the specified fields + of the network list. If optional parameters (Name, Items, Description) are not + provided, the action attempts to retain the existing values by fetching the current + state first. - - This action performs a 'Read-Modify-Write' pattern by fetching current data - before updating to prevent accidental data loss of non-specified fields. + - The `Items` parameter expects a comma-separated string, which is parsed into + a list before the API request is made. capabilities: can_create_case_comments: false can_create_insight: false @@ -2503,12 +2617,21 @@ Update Network List: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the configuration (name, items, or description) of an existing network - list in the Infoblox Threat Defense platform via a PUT request. + Updates the configuration (name, items, description) of a network list in the + Infoblox Threat Defense platform. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches current network list data (GET) to perform a merge before + updating (PUT). It mutates external data in Infoblox by updating the network + list configuration. It does not mutate internal SOAR case data, update entities, + or create insights. categories: enrichment: false + reasoning: >- + The action mutates external data (updates a network list) and does not meet + the criteria for an enrichment action, which must be read-only regarding external + systems. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -2524,6 +2647,9 @@ Update Network List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action operates on a specific 'Network List ID' provided as a parameter. + It does not iterate over or process SOAR target entities. Update Security Policy: action_product_categories: add_alert_comment: false @@ -2539,6 +2665,10 @@ Update Security Policy: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action updates a security policy configuration in Infoblox. It does not + match any of the defined categories such as Enrich IOC, Update Alert, Update + Ticket, or Contain Host. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -2556,84 +2686,82 @@ Update Security Policy: ai_description: >- ### General Description - Updates an existing security policy in Infoblox Threat Defense. This action allows - for the modification of policy names, descriptions, network lists, forwarding - policies (DFPS), roaming device groups, security rules, and advanced settings - like safe search or DNS rebinding protection. It ensures data consistency by fetching - the current policy state before applying updates, merging the new parameters with - existing configurations. + Updates an existing security policy configuration within Infoblox Threat Defense. + This action allows administrators to modify various attributes of a security policy, + such as its name, description, associated network lists, forwarding policies, + roaming device groups, security rules, and other advanced parameters. It fetches + the current policy configuration first to ensure that only the specified fields + are updated while preserving existing settings for unspecified parameters. ### Parameters Description - | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Security Policy ID | String | Yes | The unique identifier of the security policy + | Security Policy ID | string | Yes | The unique identifier of the security policy to update. | - | Policy Name | String | No | The updated name for the security policy. | + | Policy Name | string | No | The new name for the security policy. | - | Description | String | No | An updated description for the policy. Use the keyword - `empty` to remove the existing description. | + | Description | string | No | The new description for the security policy. Use + the keyword `empty` to remove the existing description. | - | Network Lists | String | No | Comma-separated IDs of network lists to associate - with this policy. Use the keyword `empty` to remove all network lists. | + | Network Lists | string | No | Comma-separated IDs of network lists to associate + with the policy. Use `empty` to remove existing associations. | - | DFPS | String | No | Comma-separated IDs of Default Forwarding Policies to update. - Use the keyword `empty` to remove all DFPS. | + | DFPS | string | No | Comma-separated Default Forwarding Policies to update. + Use `empty` to remove existing DFPS. | - | Roaming Device Groups | String | No | Comma-separated IDs of Roaming Device - Groups to associate with this policy. Use the keyword `empty` to remove all groups. + | Roaming Device Groups | string | No | Comma-separated IDs of roaming device + groups to associate with the policy. Use `empty` to remove existing associations. | - | Rules | String | No | A JSON list of security rule objects (action, type, data, - etc.). Use the keyword `empty` to remove all rules. | + | Rules | string | No | A JSON array string defining security rules (action, type, + data, policy_name, redirect_name). Use `empty` to remove all rules. | - | Safe Search | DDL | No | Specify whether to enable (`True`) or disable (`False`) - safe search filtering. | + | Safe Search | ddl | No | Enables or disables safe search filtering (True/False). + | - | Block DNS Rebinding | DDL | No | Specify whether to block (`True`) or allow - (`False`) DNS rebinding attacks. | + | Block DNS Rebinding | ddl | No | Enables or disables blocking of DNS rebinding + attacks (True/False). | - | Tags | String | No | A JSON object containing tags to categorize the policy. - | + | Tags | string | No | A JSON object string containing tags to categorize the + policy. | - | Additional Parameters | String | No | A JSON object containing advanced parameters - such as `precedence`, `access_codes`, `doh_enabled`, or `doh_fqdn`. | + | Additional Parameters | string | No | A JSON object string containing additional + parameters (e.g., precedence, access_codes, doh_enabled). | ### Additional Notes - - The action uses a "fetch-then-update" logic: it retrieves the existing policy - data first to ensure that fields not specified in the action parameters are preserved - rather than overwritten with null values. + - This action performs a read-before-write operation: it retrieves the current + policy configuration to merge with the provided updates. - - The keyword `empty` is specifically handled for `Description`, `Network Lists`, - `DFPS`, `Roaming Device Groups`, and `Rules` to allow clearing those configurations. + - Parameters marked as optional will retain their existing values if not provided + in the action input. ### Flow Description - 1. **Parameter Extraction:** The action extracts the mandatory `Security Policy - ID` and all optional update parameters. + 1. **Initialization**: Extracts integration configuration (API root, key, SSL + verification) and action parameters. - 2. **Validation:** Validates that the `Security Policy ID` is a positive integer. + 2. **Validation**: Validates the `Security Policy ID` to ensure it is a valid + integer. - 3. **Data Retrieval:** Fetches the current configuration of the specified security - policy from the Infoblox API. + 3. **Fetch**: Retrieves the existing security policy configuration from Infoblox + using the provided ID. - 4. **Payload Construction:** Merges the provided updates with the existing policy - data. If a parameter is not provided, the existing value is kept. If `empty` is - provided, the field is cleared. + 4. **Payload Construction**: Merges the provided optional parameters with the + existing policy data to create the update payload. - 5. **API Update:** Sends a PUT request to the Infoblox endpoint to update the - security policy with the new payload. + 5. **Update**: Sends a PUT request to the Infoblox API to update the security + policy. - 6. **Output:** Returns the updated policy details as a JSON result and populates - a data table named "Security Policy Details" for the analyst. + 6. **Output**: Adds the API response as JSON and a summary table of the updated + policy details to the action results. capabilities: can_create_case_comments: false can_create_insight: false @@ -2642,13 +2770,19 @@ Update Security Policy: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the configuration of an existing security policy in Infoblox Threat - Defense via a PUT request, potentially changing rules, network associations, - and security settings. + Updates the configuration of an existing security policy in the Infoblox Threat + Defense system. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches existing policy data (fetches_data=true) and performs a PUT + request to update the policy configuration in the external Infoblox system (can_mutate_external_data=true). + It does not modify internal SOAR case data, entities, or alert data. categories: enrichment: false + reasoning: >- + The action is not an enrichment action because it mutates external data (updates + a security policy) and does not primarily fetch context for entities. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -2664,3 +2798,6 @@ Update Security Policy: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action operates on a specific Security Policy ID provided as a parameter + and does not iterate over or process target entities from the SOAR case. diff --git a/content/response_integrations/third_party/partner/infoblox_threat_defense_with_ddi/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/partner/infoblox_threat_defense_with_ddi/resources/ai/connectors_ai_description.yaml index 6f5635a62..a58a09f8b 100644 --- a/content/response_integrations/third_party/partner/infoblox_threat_defense_with_ddi/resources/ai/connectors_ai_description.yaml +++ b/content/response_integrations/third_party/partner/infoblox_threat_defense_with_ddi/resources/ai/connectors_ai_description.yaml @@ -2,11 +2,11 @@ Infoblox - DNS Security Events Connector: ai_description: >- ### General Description - The **Infoblox - DNS Security Events Connector** retrieves DNS security events - from the Infoblox Threat Defense platform and ingests them as alerts into Google - SecOps. This connector allows security teams to monitor and respond to malicious - DNS activity, such as domain lookups associated with malware, phishing, or data - exfiltration, by centralizing Infoblox telemetry within the SOAR environment. + This connector integrates with the Infoblox Threat Defense with DDI platform to + ingest DNS security events into Google SecOps SOAR. It enables security teams + to monitor DNS-related threats, such as malware or unauthorized domain queries, + by fetching events based on configurable filters like threat level, policy, or + network. ### Parameters Description @@ -15,35 +15,34 @@ Infoblox - DNS Security Events Connector: | :--- | :--- | :--- | :--- | - | API Root | String | Yes | The base URL of the Infoblox CSP API (e.g., `https://csp.infoblox.com/`). - | - - | API Key | Password | Yes | A unique identifier used to authenticate and authorize - access to the Infoblox API. | - | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the - python process running the script. | + python process. | - | EventClassId | String | Yes | The field name used to determine the event name/sub-type - (default: `tclass`). | + | EventClassId | String | Yes | The field name used to determine the event name + (sub-type). | | DeviceProductField | String | Yes | The field name used to determine the device - product (default: `Infoblox Threat Defense with DDI`). | + product. | + + | API Key | Password | Yes | A unique identifier used to authenticate and authorize + access to the API. | + + | API Root | String | Yes | The base URL of the API, used as the entry point for + all API requests. | | Feed Name | String | No | Filter by comma-separated threat feed or custom list - names. | + name. | - | Limit | String | No | Specify the maximum number of alerts to create per iteration - (default: `100`). | + | Limit | String | No | Specify the maximum number of alerts to create. | - | Max Hours Backwards | String | No | Number of hours to look back for alerts - during the first connector iteration (default: `24`). | + | Max Hours Backwards | String | No | Number of hours before the first connector + iteration to retrieve alerts from for the first time. | - | Network | String | No | Filter by comma-separated network names, on-premises - hosts, or endpoints. | + | Network | String | No | Filter by comma-separated network name, on-premises + host, endpoint, or DFP name. | - | Policy Action | String | No | Filter by comma-separated actions performed (e.g., - `Log`, `Block`, `Redirect`). | + | Policy Action | String | No | Filter by comma-separated action performed (Log, + Block, Default, Redirect). | | Policy Name | String | No | Filter by comma-separated security policy names. | @@ -51,57 +50,46 @@ Infoblox - DNS Security Events Connector: | Queried name | String | No | Filter by comma-separated queried domain names. | - | Threat Class | String | No | Filter by comma-separated threat categories (e.g., - `Malware`, `MalwareDownload`). | + | Threat Class | String | No | Filter by comma-separated threat category (e.g., + Malware). | - | Threat Family | String | No | Filter by comma-separated threat families (e.g., - `Log4Shell`, `OPENRESOLVER`). | + | Threat Family | String | No | Filter by comma-separated threat family (e.g., + Log4Shell). | | Threat Indicator | String | No | Filter by comma-separated threat indicators - (domains or IPs). | + (domains, IPs). | - | Threat Level | String | No | Filter by threat severity level (`LOW`, `MEDIUM`, - `HIGH`, `CRITICAL`). | + | Threat Level | String | No | Filter by threat severity level (LOW, MEDIUM, HIGH). + | - | Verify SSL | Boolean | No | If enabled, the connector will verify the SSL certificate - of the API endpoint. | + | Verify SSL | Boolean | No | Verify SSL certificate. | ### Flow Description - 1. **Authentication**: The connector establishes a session with the Infoblox Cloud - Services Portal (CSP) using the provided API Key. - - 2. **Time Range Calculation**: It determines the starting timestamp by checking - the last successful execution time. If no previous state exists, it uses the "Max - Hours Backwards" parameter. + 1. Connects to the Infoblox API using the provided API Key and Root URL. - 3. **Data Retrieval**: The connector queries the Infoblox `/api/dnsdata/v2/dns_event` - endpoint, applying all configured filters such as Threat Level, Policy Name, and - Feed Name. + 2. Calculates the time range for fetching events based on the last successful + run or the configured `Max Hours Backwards`. - 4. **Pagination**: It paginates through the API results until the specified "Limit" - is reached or all new events are fetched. + 3. Queries the Infoblox DNS Security Events endpoint, applying optional filters + (e.g., Threat Level, Policy Name, Network). - 5. **Deduplication**: For each event, a unique composite ID is generated based - on the event time, queried name, device, and feed name to ensure no duplicate - alerts are created. + 4. Filters out already processed events using stored IDs to prevent duplicates. - 6. **Alert Mapping**: The raw DNS event data is mapped to the Google SecOps AlertInfo - model. This includes mapping Infoblox severity levels to SOAR priorities and populating - event extensions with the full JSON payload. + 5. Maps each retrieved DNS event to a SOAR `AlertInfo` object, including relevant + extensions and event data. - 7. **Ingestion**: The processed alerts are sent to Google SecOps, and the connector - saves the timestamp of the latest event to ensure the next run starts from where - it left off. + 6. Ingests the mapped alerts into the SOAR platform and updates the last success + timestamp for the next iteration. Infoblox - SOC Insights Connector: ai_description: >- ### General Description - This connector retrieves SOC Insights from the Infoblox Threat Defense with DDI - platform and ingests them as alerts into Google SecOps. It allows security teams - to centralize high-fidelity security insights generated by Infoblox's DNS security - analytics and threat intelligence for automated investigation and response. + This connector retrieves SOC Insights from the Infoblox platform and creates alerts + in Google SecOps SOAR. It enables security teams to monitor and investigate threats + detected by Infoblox Threat Defense with DDI, facilitating automated response + workflows. ### Parameters Description @@ -110,55 +98,44 @@ Infoblox - SOC Insights Connector: | :--- | :--- | :--- | :--- | - | API Root | String | Yes | The base URL of the Infoblox API (e.g., https://csp.infoblox.com/). - | + | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the + python process. | - | API Key | Password | Yes | A unique identifier used to authenticate and authorize - access to the Infoblox API. | + | EventClassId | String | Yes | The field name used to determine the event name + (sub-type). | - | Verify SSL | Boolean | Yes | Enable or disable SSL certificate verification - for API requests. | + | DeviceProductField | String | Yes | The field name used to determine the device + product. | - | Status | String | No | Filter Insights by their current status (e.g., ACTIVE, - CLOSED). | + | API Root | String | Yes | The base URL of the Infoblox API. | - | Threat Type | String | No | Filter Insights by the specific type of threat detected. - | + | API Key | Password | Yes | The API key for authentication. | - | Priority | String | No | Filter Insights by priority level (INFO, LOW, MEDIUM, - HIGH, CRITICAL). | + | Verify SSL | Boolean | Yes | Enable/disable SSL certificate verification. | - | DeviceProductField | String | Yes | The field name used to determine the device - product in the SOAR alert (Default: Infoblox Threat Defense with DDI). | + | Status | String | No | Filter Insights by status (e.g., ACTIVE, CLOSED). | - | EventClassId | String | Yes | The field name used to determine the event name - or sub-type (Default: tclass). | + | Threat Type | String | No | Filter Insights by threat type. | - | PythonProcessTimeout | Integer | Yes | The timeout limit (in seconds) for the - connector execution process. | + | Priority | String | No | Filter Insights by priority (INFO, LOW, MEDIUM, HIGH, + CRITICAL). | ### Flow Description - 1. **Authentication**: The connector establishes a connection to the Infoblox - API using the provided API Key and API Root. + 1. Connects to the Infoblox API using the provided credentials and base URL. + + 2. Validates input filters (Status, Priority) against allowed values. - 2. **Deduplication**: It retrieves the list of previously processed Insight IDs - from the system to ensure only new data is ingested. + 3. Reads existing insight IDs from the local state to ensure deduplication. - 3. **Data Retrieval**: The connector queries the Infoblox `/api/v1/insights` endpoint, - applying filters for Status, Threat Type, and Priority if configured. + 4. Queries the Infoblox API for SOC Insights, applying optional filters. - 4. **Validation**: Input parameters like Status and Priority are validated against - allowed values (e.g., Active/Closed) before the request is made. + 5. Iterates through the retrieved insights, converting each into a standardized + AlertInfo object. - 5. **Alert Transformation**: Each retrieved SOC Insight is mapped to a Google - SecOps AlertInfo object. This includes mapping the threat severity (e.g., CRITICAL - to 100), setting the environment, and populating extensions with the full raw - JSON data. + 6. Checks for case overflow and skips alerts if necessary. - 6. **Safety Checks**: During processing, the connector monitors for script timeouts - and case overflow limits to ensure system stability. + 7. Returns the processed alerts to the SOAR platform for case creation. - 7. **Ingestion**: Validated alerts are returned to the system, and the processed - Insight IDs are saved to prevent future duplication. + 8. Updates the local state with the newly processed insight IDs. diff --git a/content/response_integrations/third_party/partner/infoblox_threat_defense_with_ddi/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/infoblox_threat_defense_with_ddi/resources/ai/integration_ai_description.yaml index ac6c94bb4..5bb36efdf 100644 --- a/content/response_integrations/third_party/partner/infoblox_threat_defense_with_ddi/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/partner/infoblox_threat_defense_with_ddi/resources/ai/integration_ai_description.yaml @@ -7,6 +7,17 @@ product_categories: iam_and_identity_management: false itsm: false network_security: true + reasoning: >- + The Infoblox Threat Defense with DDI integration provides comprehensive network + visibility and security control. It qualifies as a SIEM integration because its + connectors ingest DNS security events and SOC insights, which are used to monitor + and identify suspicious activity. It is a Network Security integration as it allows + for the management of network lists and security policies to control network traffic + and block malicious domains or IPs. It functions as a Threat Intelligence integration + by providing multiple actions to enrich indicators (IPs, domains, etc.) with reputation + and threat data via TIDE and Dossier. Finally, it serves as an Asset Inventory + integration by offering lookup actions (DHCP, Host, IP) to retrieve contextual + metadata for internal assets. siem: true threat_intelligence: true vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/ip_info/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/ip_info/resources/ai/actions_ai_description.yaml index 742d5ca9f..195a97e69 100644 --- a/content/response_integrations/third_party/partner/ip_info/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/ip_info/resources/ai/actions_ai_description.yaml @@ -13,6 +13,11 @@ Get Domain Information: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves reputation and threat intelligence for a domain (IOC), + which aligns with the 'Enrich IOC' category. It does not perform asset-specific + enrichment (e.g., OS, owner), nor does it perform containment, ticketing, or + alert management. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -27,24 +32,52 @@ Get Domain Information: update_email: false update_identity: false update_ticket: false - ai_description: "### General Description\nEnriches Hostname entities by fetching\ - \ detailed domain information from the IPInfo service. This action extracts the\ - \ domain from a hostname, retrieves associated metadata from the IPInfo API, and\ - \ populates the entity's additional properties and case data tables with the results.\n\ - \n### Parameters Description\nThere are no parameters for this action.\n\n###\ - \ Additional Notes\nThis action specifically targets Hostname entities. It uses\ - \ a helper utility to ensure that even if a full URL or complex hostname is provided,\ - \ only the base domain is queried against the IPInfo API.\n\n### Flow Description\n\ - 1. **Initialization**: Connects to the IPInfo API using the configured API Root\ - \ and Token.\n2. **Entity Filtering**: Identifies all Hostname entities within\ - \ the current scope.\n3. **Domain Extraction**: For each Hostname, it extracts\ - \ the base domain name.\n4. **Data Retrieval**: Queries the IPInfo `/domains`\ - \ endpoint for information related to the extracted domain.\n5. **Internal Enrichment**:\ - \ \n * Updates the entity's `additional_properties` with flattened domain\ - \ data.\n * Marks the entity as enriched.\n * Adds a data table to the\ - \ entity in the Google SecOps UI containing the domain details.\n6. **Finalization**:\ - \ Updates all processed entities in the system and returns a summary of the fetched\ - \ information." + ai_description: >- + ### General Description + + This action fetches domain information from the IPInfo service for provided Hostname + entities. It retrieves reputation and metadata for the domain, updates the entity's + profile with this information, and provides a detailed table in the action results. + + + ### Flow Description + + 1. **Initialization**: The action initializes the `IPInfoManager` using the provided + API Root, Token, and SSL verification settings. + + 2. **Filtering**: It filters the `target_entities` to process only those with + the `HOSTNAME` type. + + 3. **Data Retrieval**: For each valid hostname, it queries the IPInfo API to retrieve + domain information. + + 4. **Enrichment**: The retrieved data is flattened and added to the entity's `additional_properties` + with an `IPInfo` prefix. The entity is marked as enriched (`is_enriched = True`). + + 5. **Result Reporting**: An entity table containing the domain information is + added to the action results, and the updated entities are saved back to the SOAR + platform. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | API Root | String | Yes | The base URL for the IPInfo API. | + + | Token | String | Yes | The API token used for authentication with the IPInfo + service. | + + | Verify SSL | Boolean | No | Whether to verify SSL certificates for the API connection. + Defaults to false. | + + + ### Additional Notes + + This action is strictly for enrichment purposes and does not perform any external + mutations or containment actions. capabilities: can_create_case_comments: false can_create_insight: false @@ -55,10 +88,18 @@ Get Domain Information: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with domain information and adds entity - tables to the case. + Updates the entity's 'additional_properties' and 'is_enriched' status within + the SOAR platform. + reasoning: >- + The action fetches domain information from an external API (IPInfo) and updates + the internal entity properties (`additional_properties` and `is_enriched`). + It does not modify external systems, alert status, or create case comments. categories: enrichment: true + reasoning: >- + The action fetches data from an external source (IPInfo) and updates internal + entities. It does not mutate external systems or perform unauthorized internal + mutations. Therefore, it qualifies as an enrichment action. entity_usage: entity_types: - HOSTNAME @@ -75,6 +116,9 @@ Get Domain Information: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code explicitly filters `siemplify.target_entities` to process only entities + where `entity.entity_type == EntityTypes.HOSTNAME`. Get IP Information: action_product_categories: add_alert_comment: false @@ -90,6 +134,10 @@ Get IP Information: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves threat intelligence and metadata for an IP address, which + aligns with the 'Enrich IOC' category. It does not perform any other listed + actions such as ticket creation, containment, or alert modification. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -104,27 +152,49 @@ Get IP Information: update_email: false update_identity: false update_ticket: false - ai_description: "### General Description\nEnriches IP Address entities using the\ - \ IPInfo service. This action retrieves detailed contextual information for IP\ - \ addresses, including geolocation (city, region, country), ASN (Autonomous System\ - \ Number), and organizational details. The retrieved data is used to update the\ - \ entity's profile within Google SecOps, providing analysts with immediate visibility\ - \ into the origin and ownership of the IP.\n\n### Parameters Description\nThere\ - \ are no specific action parameters for this action. It relies on the global integration\ - \ configuration (API Root, Token, and Verify SSL).\n\n### Additional Notes\n*\ - \ This action only processes entities of type **ADDRESS**.\n* It updates the entity's\ - \ `additional_properties` with a prefix of `IPInfo` to avoid field collisions.\n\ - * It marks the entity as `enriched` upon successful data retrieval.\n\n### Flow\ - \ Description\n1. **Entity Filtering**: The action identifies all entities in\ - \ the current context that are of type `ADDRESS`.\n2. **API Interaction**: For\ - \ each identified IP address, the action calls the IPInfo API to fetch its metadata.\n\ - 3. **Data Processing**: The JSON response from IPInfo is flattened and prefixed\ - \ with `IPInfo`.\n4. **Internal Updates**: \n * The flattened data is added\ - \ to the entity's `additional_properties`.\n * A data table containing the\ - \ IP information is attached to the entity.\n * The entity is marked as enriched.\n\ - 5. **Finalization**: The action updates all modified entities in the platform\ - \ and returns a consolidated JSON result containing the raw data for all processed\ - \ IPs." + ai_description: >- + ### General Description + + This action retrieves detailed information for IP address entities using the IPInfo + service. It fetches contextual data such as geolocation, ISP, and other relevant + metadata to assist analysts in investigating potential threats. The action updates + the entity's profile within the SOAR platform with the retrieved information. + + + ### Parameters + + | Parameter | Type | Mandatory | Description | + + | --- | --- | --- | --- | + + | API Root | String | Yes | The base URL for the IPInfo API. | + + | Token | String | Yes | The API token used for authentication with the IPInfo + service. | + + | Verify SSL | Boolean | No | Whether to verify SSL certificates when connecting + to the API. Defaults to false. | + + + ### Flow Description + + 1. Initialize the IPInfo manager using the provided API Root, Token, and SSL verification + settings. + + 2. Filter the target entities to identify those of type 'ADDRESS'. + + 3. For each identified IP address, query the IPInfo API to retrieve associated + information. + + 4. If data is successfully retrieved, update the entity's 'additional_properties' + with the fetched data (prefixed with 'IPInfo') and mark the entity as enriched. + + 5. Add the retrieved information to the action results as a table and a JSON object. + + 6. Update the entities in the SOAR platform with the new properties. + + 7. End the action with a summary message indicating the success or failure of + the operations. capabilities: can_create_case_comments: false can_create_insight: false @@ -135,10 +205,18 @@ Get IP Information: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with enriched IP metadata and adds a data - table to the entity in the case. + Updates entity additional properties and enrichment status within the SOAR platform. + reasoning: >- + The action fetches IP reputation and metadata from an external API (IPInfo) + and updates the entity's internal properties within the SOAR platform. It does + not modify any external systems, making it a read-only operation regarding external + state. categories: enrichment: true + reasoning: >- + The action fetches data from an external source and updates internal entity + attributes without modifying external systems. It meets all criteria for an + enrichment action. entity_usage: entity_types: - ADDRESS @@ -155,6 +233,9 @@ Get IP Information: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and filters specifically + for entities where `entity.entity_type == EntityTypes.ADDRESS`. Ping: action_product_categories: add_alert_comment: false @@ -170,6 +251,11 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test (Ping) used to verify API token validity. + It does not perform any functional operations such as enrichment, containment, + or ticket management, and therefore does not match any of the defined product + categories. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -187,40 +273,32 @@ Ping: ai_description: >- ### General Description - The **Ping** action is designed to verify the connectivity between Google SecOps - and the IPInfo service. It ensures that the provided API token is valid and that - the API root URL is accessible by performing a test request to the external service. + This action verifies the connectivity and validity of the API token for the IPInfo + integration. It performs a test request to the configured API root to ensure the + integration is properly authenticated and reachable. ### Parameters Description - There are no parameters for this action. + There are no input parameters for this action. The action relies on the integration + configuration (API Root, Token, Verify SSL) defined in the integration settings. ### Flow Description - 1. **Configuration Retrieval**: The action retrieves the integration configuration, - including the API Root, Token, and SSL verification settings from the integration - settings. - - 2. **Manager Initialization**: An instance of the `IPInfoManager` is created using - the retrieved configuration. - - 3. **Connectivity Test**: The action calls the `ping` method, which performs a - GET request to the IPInfo API using a hardcoded test IP address (`8.8.8.8`). + 1. Initialize the `SiemplifyAction` object. - 4. **Response Validation**: The response is validated for HTTP errors and specific - error messages in the content to confirm the API token's validity. + 2. Retrieve the integration configuration (API Root, Token, Verify SSL) from the + IPInfo provider settings. - 5. **Result Reporting**: If the request is successful, the action ends with a - 'Connection Established' message and returns `True` as the script result. + 3. Instantiate the `IPInfoManager` with the retrieved configuration. + 4. Execute the `ping()` method, which performs a GET request to the API root using + a test IP address ("8.8.8.8"). - ### Additional Notes + 5. Validate the response to ensure the API token is valid and the service is reachable. - This action is primarily used for troubleshooting and verifying the initial setup - or ongoing health of the IPInfo integration. It does not process any entities - from the current case. + 6. Terminate the action with a success message. capabilities: can_create_case_comments: false can_create_insight: false @@ -231,8 +309,16 @@ Ping: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity test (ping) to verify API token validity. + It does not fetch contextual data on alerts or entities, nor does it modify + any external or internal data. categories: enrichment: false + reasoning: >- + The action is named 'Ping'. According to the provided instructions, actions + named 'Ping' must not be categorized as enrichment actions, regardless of whether + they fetch data. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -248,3 +334,6 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. It performs a global connectivity + test using a hardcoded test IP address. diff --git a/content/response_integrations/third_party/partner/ip_info/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/ip_info/resources/ai/integration_ai_description.yaml index 2e831240c..7debe7f70 100644 --- a/content/response_integrations/third_party/partner/ip_info/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/partner/ip_info/resources/ai/integration_ai_description.yaml @@ -7,6 +7,14 @@ product_categories: iam_and_identity_management: false itsm: false network_security: false + reasoning: >- + The integration provides enrichment for external indicators, specifically IP addresses + and domains, by retrieving geolocation, ISP, and metadata. This aligns directly + with the 'Threat Intelligence' category, which is defined as the first step of + enrichment for external indicators (IP, Hash, URL) to determine reputation and + context. The integration does not perform any SIEM log searching, EDR host-level + actions, network security blocking, ITSM ticket management, or internal asset + inventory management. Therefore, it is strictly classified under Threat Intelligence. siem: false threat_intelligence: true vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/jamf/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/jamf/resources/ai/actions_ai_description.yaml index b6796a830..e02df69c8 100644 --- a/content/response_integrations/third_party/partner/jamf/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/jamf/resources/ai/actions_ai_description.yaml @@ -3,7 +3,7 @@ Assign to Group: add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false - contain_host: true + contain_host: false create_ticket: false delete_email: false disable_identity: false @@ -13,6 +13,9 @@ Assign to Group: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action modifies group membership in Jamf Pro. It does not match any of the + provided categories (Enrichment, Ticket, Alert, Email, Containment, etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -30,63 +33,54 @@ Assign to Group: ai_description: >- ### General Description - Adds computers to a specific computer group in Jamf Pro using various identifiers. - This action is primarily used for containment, policy enforcement, or organizational - tasks by grouping devices together within the Jamf management console. - - - ### Parameters Description - + This action assigns one or more computers to a specific computer group within + Jamf Pro. It allows administrators to manage group memberships by providing computer + identifiers such as IDs, names, or serial numbers. This is useful for grouping + devices for policy application, scoping, or containment workflows. - | Parameter | Description | Type | Mandatory | - | :--- | :--- | :--- | :--- | + ### Flow Description - | Group ID | The unique identifier (ID) of the computer group in Jamf Pro that - you want to modify. | String | Yes | + 1. **Configuration Extraction**: The action retrieves the Jamf Pro API credentials + and configuration from the integration settings. - | Computer IDs | A comma-separated list of Jamf computer IDs to add to the group - (e.g., "123, 456"). | String | No | + 2. **Parameter Extraction**: It extracts the `Group ID` and the lists of computer + identifiers (`Computer IDs`, `Computer Names`, `Computer Serial Numbers`) from + the action parameters. - | Computer Names | A comma-separated list of computer names to add to the group. - Note: Names may not be unique in Jamf. | String | No | + 3. **Validation**: The action validates that at least one computer identifier + is provided. - | Computer Serial Numbers | A comma-separated list of computer serial numbers - to add to the group. | String | No | + 4. **Parsing**: It parses the comma-separated strings into lists of identifiers. + 5. **Execution**: It initializes the `JamfManager` and performs a PUT request + to the Jamf Pro API to add the specified computers to the target group. - ### Additional Notes + 6. **Result Reporting**: The action returns the result of the operation, including + the number of computers processed and the group name, to the SOAR platform. - - **Requirement:** At least one of the following parameters must be provided for - the action to execute: `Computer IDs`, `Computer Names`, or `Computer Serial Numbers`. - - **Reliability:** It is recommended to use `Computer IDs` or `Computer Serial - Numbers` for reliable identification, as computer names are not required to be - unique in Jamf Pro. + ### Parameters Description - - **API Usage:** This action interacts with the Jamf Pro Classic API using XML-formatted - PUT requests. + | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Flow Description + | Group ID | string | Yes | The ID of the computer group to modify. | - 1. **Initialization:** The action initializes the Jamf Pro API manager using the - provided API Root, Client ID, and Client Secret. + | Computer IDs | string | No | Comma-separated list of computer IDs to add. | - 2. **Parameter Validation:** It checks if at least one computer identifier (ID, - Name, or Serial Number) has been provided. If all are empty, the action fails. + | Computer Names | string | No | Comma-separated list of computer names to add. + | - 3. **Data Parsing:** Comma-separated strings for IDs, Names, and Serial Numbers - are parsed into individual lists, stripping whitespace. + | Computer Serial Numbers | string | No | Comma-separated list of computer serial + numbers to add. | - 4. **API Request Construction:** The action constructs an XML payload containing - the `` block with the specified identifiers. - 5. **Execution:** A PUT request is sent to the Jamf Pro Classic API endpoint `/JSSResource/computergroups/id/{id}`. + ### Additional Notes - 6. **Result Processing:** The action parses the XML response from Jamf, extracts - the group name (if available), and returns a JSON summary of the processed computers - and the operation status. + At least one of the following parameters must be provided for the action to execute: + `Computer IDs`, `Computer Names`, or `Computer Serial Numbers`. capabilities: can_create_case_comments: false can_create_insight: false @@ -95,13 +89,18 @@ Assign to Group: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the membership of a computer group in Jamf Pro by adding specified computers. - This can trigger configuration changes, software deployments, or security restrictions - on the target devices based on the group's assigned policies. + Adds computers to a specified computer group in Jamf Pro. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a PUT request to the Jamf Pro API to modify group membership. + It does not fetch data for enrichment, nor does it modify internal SOAR data + (other than returning a result JSON). categories: enrichment: false + reasoning: >- + The action is a management/mutation action, not an enrichment action, as it + does not fetch data for context. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -117,6 +116,9 @@ Assign to Group: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use `target_entities`. It relies on parameters provided + in the action configuration. Get Computer Inventory: action_product_categories: add_alert_comment: false @@ -132,10 +134,14 @@ Get Computer Inventory: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves computer inventory data, which provides contextual metadata + (OS, hardware, user info) for assets. This aligns with the 'Enrich Asset' category. + It does not perform searches for historical logs (Search Events) or modify alerts/tickets. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false - search_asset: true + search_asset: false search_email: false search_events: false send_email: false @@ -150,71 +156,60 @@ Get Computer Inventory: ### General Description Retrieves paginated computer inventory records from Jamf Pro. This action allows - analysts to perform comprehensive searches for managed computers using various - filters such as name, serial number, UDID, username, or email. It supports detailed - data retrieval by allowing the selection of specific inventory sections (e.g., - Hardware, Security, Operating System, Applications) and provides sorting capabilities - to organize the results. + users to query the Jamf Pro API for computer details, supporting pagination, sorting, + filtering, and specific section selection to optimize data retrieval. - ### Parameters Description - - | Parameter | Type | Mandatory | Description | + ### Flow Description - | :--- | :--- | :--- | :--- | + 1. **Initialization**: Extracts integration configuration (API root, credentials) + and action parameters (Page, Page Size, Filter, Filter Value, Section, Sort). - | Page | String | No | The page number to retrieve. Defaults to 0. | + 2. **Validation**: Validates input parameters, ensuring page numbers and sizes + are valid integers. - | Page Size | String | No | The number of records to return per page. Defaults - to 100. | + 3. **Query Construction**: Builds the API query string based on the provided filter + field, filter value, and sorting criteria. It also determines the necessary API + sections to request based on the filter field if not explicitly provided. - | Filter | DDL | Yes | The field to filter the inventory by. Options include `general.name`, - `hardware.serialNumber`, `udid`, `userAndLocation.username`, and `userAndLocation.email`. - | + 4. **Data Retrieval**: Initializes the `JamfManager` and executes the `get_computer_inventory` + method to fetch data from the Jamf Pro API. - | Filter Value | String | Yes | The specific value to search for based on the - selected Filter field. | + 5. **Result Processing**: Processes the API response, calculates pagination information, + and adds the retrieved inventory data to the action result JSON for display in + the SOAR platform. - | Section | Multi-choice | No | Specific inventory sections to include in the - response (e.g., HARDWARE, SECURITY, APPLICATIONS). Selecting specific sections - can optimize data retrieval. Defaults to ALL. | - | Sort | Multi-choice | No | Criteria to sort the results, including field name - and direction (asc/desc). | + ### Parameters Description + | Parameter | Type | Mandatory | Description | - ### Additional Notes + | :--- | :--- | :--- | :--- | - - If a `Filter` is provided but the `Filter Value` is empty (or vice versa), the - action will skip the filtering logic and return results based on pagination and - sorting only. + | Page | string | No | Page number to retrieve (default 0). | - - The action automatically ensures that the section corresponding to the `Filter` - field is included in the API request to ensure the filter can be processed correctly - by Jamf Pro. + | Page Size | string | No | Number of records per page (default 100). | + | Filter | ddl | Yes | Filter criteria field (e.g., general.name, hardware.serialNumber). + | - ### Flow Description + | Filter Value | string | Yes | The value to filter by for the selected Filter + field. | - 1. **Initialization**: Extracts the Jamf Pro API configuration (Root URL, Client - ID, Secret) and the action parameters. + | Section | MULTI_CHOICE_PARAMETER | No | Sections to include in the response + (e.g., GENERAL, HARDWARE, SECURITY). Defaults to ALL. | - 2. **Validation**: Converts and validates pagination parameters (`Page`, `Page - Size`) to ensure they are valid integers. + | Sort | MULTI_CHOICE_PARAMETER | No | Sort criteria (e.g., general.name:asc). + | - 3. **Criteria Processing**: Processes the `Sort` criteria and constructs the `Filter` - string in the Jamf Pro API format (e.g., `field=="value"`). - 4. **Section Selection**: Determines which inventory sections to request. If specific - sections are requested, it ensures the section required for the active filter - is also included. + ### Additional Notes - 5. **API Execution**: Initializes the Jamf Manager and calls the `get_computer_inventory` - endpoint with the processed parameters. + - The action requires both `Filter` and `Filter Value` to be provided to apply + filtering. If only one is provided, the filter is skipped. - 6. **Result Handling**: Captures the inventory data, calculates pagination metadata - (e.g., if more pages are available), and outputs the results as a JSON object - for use in the SOAR platform. + - The action automatically adds required sections based on the filter field if + not explicitly requested. capabilities: can_create_case_comments: false can_create_insight: false @@ -225,8 +220,16 @@ Get Computer Inventory: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Jamf Pro API to retrieve computer inventory + data. It does not mutate any external systems (no POST/PUT/DELETE). It does + not modify any internal SOAR data (entities, insights, or case comments), it + only returns the retrieved data as a result JSON. categories: enrichment: true + reasoning: >- + The action fetches data from an external system (Jamf Pro) and does not mutate + any external or internal systems. It meets the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -242,6 +245,10 @@ Get Computer Inventory: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on specific entities. It retrieves global inventory + data from Jamf Pro based on provided filter parameters, not based on specific + entities in the case. Get Device Group Membership: action_product_categories: add_alert_comment: false @@ -257,6 +264,11 @@ Get Device Group Membership: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves device group membership data from Jamf Pro. It does not + match any of the specific product categories (e.g., Enrich IOC, Enrich Asset, + Update Alert) as it is a general data retrieval action for a group, not a specific + indicator or asset. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -274,10 +286,9 @@ Get Device Group Membership: ai_description: >- ### General Description - The **Get Device Group Membership** action retrieves the list of computers belonging - to a specific computer group in Jamf Pro. It is designed to provide visibility - into the composition of both Static and Smart computer groups, returning details - such as the total member count and basic information for each device in the group. + Retrieves membership information for a specific device group from Jamf Pro. This + action fetches detailed membership data, including all member devices and their + basic information, for both static and smart computer groups. ### Parameters Description @@ -286,32 +297,30 @@ Get Device Group Membership: | :--- | :--- | :--- | :--- | - | Group ID | String | Yes | The unique identifier of the computer group in Jamf - Pro for which membership information is requested. | + | Group ID | string | Yes | The ID of the computer group to retrieve membership + for. | ### Flow Description - 1. **Authentication**: The action authenticates with the Jamf Pro API using the - configured Client ID and Client Secret to obtain a bearer token. + 1. Extracts configuration parameters (API root, credentials) and the `Group ID` + action parameter. + + 2. Initializes the `JamfManager` to authenticate with the Jamf Pro API. - 2. **API Request**: It performs a GET request to the Jamf Classic API endpoint - (`/JSSResource/computergroups/id/{id}`) using the provided Group ID. + 3. Queries the Jamf Pro API to retrieve the membership details for the specified + `Group ID`. - 3. **Data Extraction**: The action parses the response to extract the list of - member computers and calculates the total number of members. + 4. If data is found, it extracts the list of computers and the member count. - 4. **Result Processing**: The retrieved membership data is formatted into a JSON - object and attached to the action results. If no group is found, the action reports - that no membership data was available. + 5. Adds the retrieved membership data to the action result JSON for use in the + playbook. ### Additional Notes - This action does not operate on SecOps entities (like Hostnames or IPs). It is - a standalone lookup action that requires a specific Jamf Group ID to function. - It is classified as an enrichment action because it retrieves data without modifying - the state of Jamf Pro or the SecOps case. + This action is a read-only operation that retrieves data from Jamf Pro. It does + not modify any external systems or internal case data. capabilities: can_create_case_comments: false can_create_insight: false @@ -322,8 +331,16 @@ Get Device Group Membership: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve device group membership data from + Jamf Pro. It does not mutate external systems, update entities, create insights, + or modify case data. It only returns the retrieved data as a JSON result. categories: enrichment: true + reasoning: >- + The action fetches data from an external system (Jamf Pro) and does not mutate + any external or internal data. It meets the criteria for an enrichment action + as it is a read-only data retrieval task. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -339,6 +356,10 @@ Get Device Group Membership: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on `siemplify.target_entities`. It retrieves information + based on a provided `Group ID` parameter, so it does not target any specific + entity types. Get Device Information: action_product_categories: add_alert_comment: false @@ -354,10 +375,13 @@ Get Device Information: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves contextual metadata (hardware, OS, user/location) for a + specific device from Jamf Pro. This matches the 'Enrich Asset' category. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false - search_asset: true + search_asset: false search_email: false search_events: false send_email: false @@ -371,47 +395,36 @@ Get Device Information: ai_description: >- ### General Description - Retrieves detailed information for a specific computer from Jamf Pro using its - unique ID. This action provides comprehensive visibility into the device's hardware - specifications, operating system details, user/location data, and security posture. - It is primarily used for asset enrichment and gathering context during security - investigations. + This action retrieves detailed computer information from Jamf Pro using a specified + Computer ID. It fetches comprehensive device data, including general details, + hardware specifications, operating system information, and user/location data, + providing valuable context for asset management and investigation. - ### Parameters Description + ### Parameters - | Parameter | Description | Type | Mandatory | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Computer ID | The unique identifier of the computer in Jamf Pro to retrieve - information for. | String | Yes | + | Computer ID | string | Yes | The unique identifier of the computer in Jamf Pro + to retrieve information for. | ### Flow Description - 1. **Parameter Extraction:** The action retrieves the `Computer ID` from the user - input. + 1. **Initialization**: The action extracts the required Jamf Pro API configuration + (API Root, Client ID, Client Secret, Verify SSL) and the mandatory `Computer ID` + parameter. - 2. **Authentication:** The `JamfManager` authenticates with the Jamf Pro API using - the provided Client ID and Secret to obtain a temporary access token. + 2. **Manager Setup**: Initializes the `JamfManager` with the provided credentials + to handle API authentication and communication. - 3. **Data Retrieval:** The action calls the Jamf Pro API endpoint `/api/v1/computers-inventory-detail/{id}` - to fetch the full inventory record for the specified device. + 3. **Data Retrieval**: Calls the Jamf Pro API to fetch detailed inventory information + for the specified device ID. - 4. **Data Sanitization:** The manager cleans the returned JSON data to ensure - special characters or malformed strings do not interfere with the SOAR platform's - processing. - - 5. **Result Output:** The detailed device information is added to the action's - JSON results, and the execution status is set to completed. - - - ### Additional Notes - - This action does not automatically iterate over entities in a case. It requires - a specific `Computer ID` as input, which can be obtained from other Jamf search - actions or inventory listings. + 4. **Result Output**: If the device is found, the action returns the device information + as a JSON result. If not found, it logs the event and returns a failure status. capabilities: can_create_case_comments: false can_create_insight: false @@ -422,8 +435,16 @@ Get Device Information: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Jamf Pro API to retrieve device details. + It does not modify any external systems or internal SOAR data (entities, insights, + or case comments). categories: enrichment: true + reasoning: >- + The action fetches device information from an external system (Jamf Pro) without + modifying any external or internal state. This fits the definition of an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -439,6 +460,9 @@ Get Device Information: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action takes 'Computer ID' as a direct input parameter rather than iterating + over `siemplify.target_entities`. Therefore, it does not run on entities. Get Mobile Device Inventory: action_product_categories: add_alert_comment: false @@ -454,6 +478,9 @@ Get Mobile Device Inventory: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves mobile device inventory, which provides contextual metadata + about assets (mobile devices). This matches 'Enrich Asset' and 'Search Asset'. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -469,71 +496,62 @@ Get Mobile Device Inventory: update_identity: false update_ticket: false ai_description: >- - ### General Description - - The **Get Mobile Device Inventory** action retrieves detailed inventory information - for mobile devices managed within Jamf Pro. It utilizes the Jamf Pro v2 API to - fetch data, supporting advanced features such as pagination, multi-field sorting, - and specific data section selection (e.g., Hardware, Security, Applications). - This action is primarily used for asset discovery and gathering contextual metadata - about mobile endpoints during an investigation. + Retrieves mobile device inventory from Jamf Pro with support for pagination, sorting, + and filtering. This action allows analysts to query Jamf Pro for specific mobile + device details based on criteria such as serial number, UDID, username, or email + address. It optimizes data retrieval by allowing the selection of specific data + sections (e.g., Hardware, Security, Applications). - ### Parameters Description - - | Parameter | Type | Mandatory | Description | + ### Flow Description - | :--- | :--- | :--- | :--- | + 1. **Initialization**: The action initializes the Jamf Manager using the provided + API credentials (API Root, Client ID, Client Secret) and SSL verification settings. - | **Page** | String | No | The page number to retrieve for paginated results. - Defaults to 0. | + 2. **Parameter Processing**: It extracts and validates action parameters, including + pagination (Page, Page Size), sorting criteria, and filtering options (Filter + field and value). - | **Page Size** | String | No | The number of records to return per page (Max - 2000). Defaults to 100. | + 3. **Section Determination**: It automatically determines the required data sections + based on the selected filter field to ensure efficient API requests. - | **Filter** | DDL | Yes | The field used to filter the inventory search. Options - include `serialNumber`, `udid`, `username`, and `emailAddress`. | + 4. **Data Retrieval**: It calls the Jamf Pro v2 API to fetch the mobile device + inventory based on the constructed query parameters. - | **Filter Value** | String | Yes | The specific value to search for in the selected - filter field. | + 5. **Result Output**: The retrieved inventory data is returned as a JSON result, + which is then added to the action's output for the analyst to review. - | **Section** | DDL | No | Specifies which data sections to include in the response - (e.g., `HARDWARE`, `SECURITY`, `NETWORK`). Selecting specific sections optimizes - data retrieval. Defaults to `ALL`. | - | **Sort** | Multi-Choice | No | Defines the sorting order of the results using - `field:direction` pairs (e.g., `displayName:asc`). | + ### Parameters + | Parameter | Type | Mandatory | Description | - ### Flow Description + | :--- | :--- | :--- | :--- | - 1. **Parameter Extraction:** The action retrieves configuration details (API Root, - Credentials) and user-provided parameters (Filter, Pagination, Sorting). + | Page | string | No | Page number to retrieve (default: 0). | - 2. **Validation:** It validates that `Page` and `Page Size` are valid integers - and within acceptable ranges. + | Page Size | string | No | Number of records per page (default: 100). | - 3. **Query Construction:** Processes the `Sort` criteria into an API-compatible - string and constructs a filter query string based on the `Filter` and `Filter - Value` parameters. It also automatically ensures that the required data section - for the chosen filter field is included in the request. + | Filter | ddl | Yes | The field to filter by (e.g., serialNumber, udid, username, + emailAddress). | - 4. **API Interaction:** Authenticates with Jamf Pro and sends a GET request to - the `/api/v2/mobile-devices/detail` endpoint with the constructed query parameters. + | Filter Value | string | Yes | The value to match against the selected filter + field. | - 5. **Data Processing:** Cleans the returned JSON data to ensure compatibility - and handles any API errors or empty result sets. + | Section | ddl | No | The data sections to include in the response (e.g., ALL, + GENERAL, HARDWARE). Defaults to ALL. | - 6. **Output:** Returns the inventory data as a JSON result in the SOAR platform. + | Sort | ddl | No | Sort criteria for the results (e.g., displayName:asc). | ### Additional Notes - * This action does not run on SecOps entities; it performs a direct search based - on the provided parameters. + - The action requires valid Jamf Pro API credentials configured in the integration + settings. - * If no devices match the criteria, the action will complete successfully but - indicate that no results were found. + - The 'Filter' and 'Filter Value' parameters are mandatory for performing a targeted + search. If no filter is provided, the action may return a broad list of devices + depending on the API configuration. capabilities: can_create_case_comments: false can_create_insight: false @@ -544,8 +562,16 @@ Get Mobile Device Inventory: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Jamf Pro API to retrieve mobile device + inventory. It does not modify any external or internal systems. It simply returns + the retrieved data as a JSON result. categories: enrichment: true + reasoning: >- + The action fetches data from an external system (Jamf Pro) to provide context + about mobile devices. It does not mutate external or internal data. It fits + the definition of an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -561,6 +587,9 @@ Get Mobile Device Inventory: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on `siemplify.target_entities`. It uses input parameters + to query the Jamf API directly. List Computer Groups: action_product_categories: add_alert_comment: false @@ -572,10 +601,14 @@ List Computer Groups: disable_identity: false download_file: false enable_identity: false - enrich_asset: false + enrich_asset: true enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves computer groups, which provides contextual information + about the asset environment in Jamf Pro. This aligns with the 'Enrich Asset' + category, as it returns contextual metadata for resources. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -591,42 +624,47 @@ List Computer Groups: update_identity: false update_ticket: false ai_description: >- - ### General Description + Retrieves all computer groups (both static and smart) configured in Jamf Pro. + This action connects to the Jamf Pro API, fetches the complete list of computer + groups, and returns the data as a JSON object for further analysis or reporting. - Retrieves all computer groups from Jamf Pro. This action fetches a comprehensive - list of both static and smart computer groups configured in the Jamf Pro environment. - The results are returned as a JSON object, allowing playbooks to dynamically reference - group names or IDs for subsequent management tasks. + ### Flow Description - ### Parameters Description + 1. **Initialization**: The action initializes the `JamfManager` using the provided + API credentials (`Jamf Pro API Root`, `Jamf Pro Client API ID`, `Jamf Pro Client + API Secret`) and SSL verification settings. - | Parameter | Type | Mandatory | Description | + 2. **Data Retrieval**: It calls the Jamf Pro API endpoint `/api/v1/computer-groups` + to retrieve the list of all computer groups. - | :--- | :--- | :--- | :--- | + 3. **Result Processing**: The retrieved list is formatted into a JSON structure + and added to the action results. If no groups are found, an empty list is returned. - | None | N/A | N/A | This action does not have any input parameters. It relies - solely on the integration's configuration for authentication and connectivity. - | + ### Parameters - ### Flow Description + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | - 1. **Authentication**: The action authenticates with the Jamf Pro API using the - provided Client API ID and Secret to obtain an OAuth2 access token. + | Jamf Pro API Root | String | Yes | The base URL for the Jamf Pro API (e.g., + https://yourserver.jamfcloud.com). | - 2. **Data Retrieval**: It sends a GET request to the Jamf Pro `/api/v1/computer-groups` - endpoint to fetch the complete list of computer groups. + | Jamf Pro Client API ID | String | Yes | The client ID used for API authentication. + | + + | Jamf Pro Client API Secret | String | Yes | The client secret used for API authentication. + | - 3. **Result Processing**: The retrieved list is formatted into a JSON object and - returned as the action's result. If no groups are found, an empty list is returned. + | Verify SSL | Boolean | Yes | Whether to verify SSL certificates when connecting + to the Jamf Pro API. Defaults to True. | ### Additional Notes - This action does not target specific entities and operates at the system-wide - level of the Jamf Pro instance. It is primarily used for discovery and utility - purposes within playbooks. + This action is a read-only operation and does not modify any data within Jamf + Pro or the SOAR platform. capabilities: can_create_case_comments: false can_create_insight: false @@ -637,8 +675,16 @@ List Computer Groups: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve computer groups from Jamf Pro. + It does not modify any external or internal data. It simply returns the retrieved + data as a JSON result. categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches data from an external system (Jamf Pro) and does not mutate + any external or internal state. It qualifies as an enrichment action as it gathers + supplemental context about the environment. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -654,6 +700,9 @@ List Computer Groups: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on any specific entities; it retrieves global configuration + data (computer groups) from Jamf Pro. Ping: action_product_categories: add_alert_comment: false @@ -669,6 +718,9 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test and does not perform any of the defined product + category operations such as enrichment, containment, ticketing, or alert modification. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -686,10 +738,9 @@ Ping: ai_description: >- ### General Description - Verifies connectivity to the Jamf Pro and Jamf Protect APIs. This action ensures - that the SOAR platform can successfully authenticate and communicate with the - configured Jamf instances using the provided credentials. It is primarily used - for troubleshooting and initial setup validation. + This action verifies connectivity to the Jamf Pro and Jamf Protect APIs. It is + used to ensure that the integration is correctly configured and that the provided + credentials have the necessary permissions to communicate with the Jamf services. ### Parameters Description @@ -698,51 +749,48 @@ Ping: | :--- | :--- | :--- | :--- | - | Jamf Pro API Root | String | Yes | The base URL of the Jamf Pro server (e.g., - https://yourserver.jamfcloud.com). | + | Jamf Pro API Root | String | Yes | The base URL for the Jamf Pro API. | - | Jamf Pro Client API ID | String | Yes | The Client ID used for Jamf Pro API - authentication. | + | Jamf Pro Client API ID | String | Yes | The Client API ID for Jamf Pro authentication. + | - | Jamf Pro Client API Secret | String | Yes | The Client Secret used for Jamf - Pro API authentication. | + | Jamf Pro Client API Secret | String | Yes | The Client API Secret for Jamf Pro + authentication. | - | Verify SSL | Boolean | No | If enabled, the action will verify the SSL certificate - of the Jamf servers. Defaults to True. | + | Verify SSL | Boolean | No | Whether to verify SSL certificates for API requests. + Defaults to True. | - | Jamf Protect API Root | String | No | The base URL of the Jamf Protect server. - | + | Jamf Protect API Root | String | No | The base URL for the Jamf Protect API. + Required if testing Jamf Protect connectivity. | - | Jamf Protect Client API ID | String | No | The Client ID used for Jamf Protect - API authentication. | + | Jamf Protect Client API ID | String | No | The Client API ID for Jamf Protect + authentication. Required if testing Jamf Protect connectivity. | - | Jamf Protect Client API Secret | String | No | The Client Secret used for Jamf - Protect API authentication. | + | Jamf Protect Client API Secret | String | No | The Client API Secret for Jamf + Protect authentication. Required if testing Jamf Protect connectivity. | ### Additional Notes - - Jamf Pro connectivity is always tested as it is the primary component of the - integration. - - - Jamf Protect connectivity is optional and will only be tested if all three Protect-related - parameters (API Root, Client ID, and Client Secret) are provided. + - If Jamf Protect parameters are provided, the action will attempt to verify connectivity + to both Jamf Pro and Jamf Protect. If only Jamf Pro parameters are provided, it + will only verify Jamf Pro connectivity. ### Flow Description - 1. **Parameter Extraction:** Retrieves Jamf Pro and optional Jamf Protect configuration - parameters from the integration settings. + 1. Extract the required configuration parameters (Jamf Pro API Root, Client ID, + Client Secret, and optional SSL verification setting). + + 2. Initialize the `JamfManager` with the provided credentials. - 2. **Jamf Pro Validation:** Initializes the Jamf Pro manager, requests an OAuth - access token, and calls the version endpoint to verify the connection. + 3. Execute the `test_connectivity` method to verify access to the Jamf Pro API. - 3. **Optional Jamf Protect Validation:** If Jamf Protect credentials are provided, - it initializes the Jamf Protect manager and attempts to retrieve an authentication - token. + 4. If Jamf Protect parameters are provided, initialize the `JamfProtectManager` + and execute its `test_connectivity` method. - 4. **Result Reporting:** Returns a success message if the connection tests pass, - or a failure message with error details if any step fails. + 5. Log the success or failure of the connectivity tests and terminate the action + with the appropriate status. capabilities: can_create_case_comments: false can_create_insight: false @@ -753,8 +801,16 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity test by making GET requests to the Jamf APIs + to verify authentication and server availability. It does not modify any external + or internal data, nor does it update entities or create insights. categories: enrichment: false + reasoning: >- + The action is named 'Ping'. According to the instructions, actions named 'Ping' + must not be categorized as enrichment actions, regardless of whether they fetch + data. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -770,6 +826,9 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities; it is a global connectivity + test. Remote Lock Managed Device: action_product_categories: add_alert_comment: false @@ -785,6 +844,10 @@ Remote Lock Managed Device: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action sends a remote lock command to a managed computer, which isolates + the device and restricts user access. This directly aligns with the 'Contain + Host' category. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -800,53 +863,59 @@ Remote Lock Managed Device: update_identity: false update_ticket: false ai_description: >- - Remotely lock a managed computer using Jamf Pro MDM commands. This action is designed - specifically for computers and allows an analyst to secure a device by locking - its screen. The action requires a 6-digit PIN which will be needed to unlock the - device physically. Optionally, a custom message and phone number can be displayed - on the lock screen to provide instructions or contact information to the user. + ### General Description + + This action remotely locks a managed computer using Jamf Pro MDM commands. It + is intended for security containment scenarios where a device needs to be immediately + secured. The action sends a `DEVICE_LOCK` command to the Jamf Pro API, which locks + the device screen. Optionally, a custom message and a contact phone number can + be displayed on the locked screen to provide instructions to the user. - ### Flow Description: + ### Flow Description - 1. **Parameter Extraction:** The action retrieves the Computer ID, PIN, and optional - display details (Message and Phone Number) from the input parameters. + 1. **Configuration Extraction**: The action retrieves the Jamf Pro API credentials + (API Root, Client ID, Client Secret) and SSL verification settings from the integration + configuration. - 2. **Management ID Retrieval:** It queries the Jamf Pro API to find the `managementId` - associated with the provided Computer ID, which is required for MDM command routing. + 2. **Parameter Extraction**: The action extracts the required `Computer ID` and + `PIN`, along with optional `Message` and `Phone Number` parameters. - 3. **MDM Command Execution:** It sends a `DEVICE_LOCK` command to the Jamf Pro - MDM server, including the mandatory PIN and any optional display text. + 3. **Device Identification**: The action calls the Jamf Pro API to retrieve detailed + device information for the provided `Computer ID` to obtain the required `managementId`. - 4. **Result Reporting:** The action returns the status of the command initiation - and provides a JSON result containing the command details and the API response. + 4. **Command Execution**: The action sends a `DEVICE_LOCK` MDM command to the + Jamf Pro API, including the `managementId`, the required 6-digit PIN, and any + optional display information. + 5. **Result Reporting**: The action logs the command initiation status and adds + the result details to the action output. - ### Parameters Description: + + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Computer ID | String | Yes | The unique ID of the computer in Jamf Pro to be - locked. | + | Computer ID | string | Yes | The unique identifier of the computer in Jamf Pro + to be locked. | - | PIN | String | Yes | A 6-digit numeric code required to unlock the device. Note: - The underlying logic requires this to be exactly 6 digits. | + | PIN | string | Yes | A 6-digit PIN code required to unlock the device. | - | Message | String | No | An optional custom message to display on the locked - screen. | + | Message | string | No | An optional custom message to display on the locked + device screen. | - | Phone Number | String | No | An optional phone number to display on the locked - screen. | + | Phone Number | string | No | An optional phone number to display on the locked + device screen for contact. | - ### Additional Notes: + ### Additional Notes - * This action is intended for computers. For mobile devices (iOS/iPadOS), use - the 'Remote Lock Mobile Device' action. + - This action is specifically designed for computers. For mobile devices, use + the "Remote Lock Mobile Device" action. - * The PIN must be exactly 6 digits; otherwise, the action will fail during validation. + - The PIN parameter is mandatory and must be exactly 6 digits. capabilities: can_create_case_comments: false can_create_insight: false @@ -855,12 +924,22 @@ Remote Lock Managed Device: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Sends a 'DEVICE_LOCK' MDM command to Jamf Pro to remotely lock a managed computer, - changing the physical state of the device to a locked screen. + Sends a DEVICE_LOCK MDM command to the Jamf Pro API to remotely lock the specified + managed computer. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches device information (management ID) from the Jamf Pro API + to perform the lock command (fetches_data=true). It performs a POST request + to the Jamf Pro API to send a device lock command, which changes the state of + the external device (can_mutate_external_data=true). It does not modify internal + SOAR case data, entities, or alerts. categories: enrichment: false + reasoning: >- + The action is a containment action that modifies the state of an external device. + It does not meet the criteria for an enrichment action as it performs a state-changing + operation on an external system. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -876,6 +955,9 @@ Remote Lock Managed Device: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on SOAR entities directly. It takes a 'Computer + ID' as a direct input parameter to identify the target device. Remote Lock Mobile Device: action_product_categories: add_alert_comment: false @@ -891,6 +973,9 @@ Remote Lock Mobile Device: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action performs a remote lock on a mobile device, which is functionally + equivalent to containing a host (isolating it from use). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -906,53 +991,44 @@ Remote Lock Mobile Device: update_identity: false update_ticket: false ai_description: >- - Remotely locks a managed mobile device using Jamf Pro MDM commands. This action - is used to secure a device by locking its screen, preventing unauthorized access. - It allows for an optional custom message and phone number to be displayed on the - lock screen to assist in recovery or provide instructions to the user. - - - ### Flow Description: - - 1. **Parameter Extraction:** Retrieves the Mobile Device ID and optional display - information (Message and Phone Number) from the action parameters. - - 2. **Authentication:** Establishes a session with the Jamf Pro API using provided - client credentials. - - 3. **Device Context Retrieval:** Fetches detailed information for the specified - Mobile Device ID to obtain its unique `managementId` required for MDM commands. - - 4. **Command Execution:** Sends a `DEVICE_LOCK` MDM command to the Jamf Pro server - targeting the specific `managementId` via the MDM commands endpoint. + ### General Description - 5. **Result Processing:** Captures the API response and logs the command initiation - status and details within the SOAR. + Remotely locks a managed mobile device using Jamf Pro MDM commands. This action + is designed to secure a device by sending a lock command, optionally displaying + a custom message and contact phone number on the device screen. - ### Parameters Description: + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Mobile Device ID | String | Yes | The unique identifier of the mobile device - in Jamf Pro. | + | Mobile Device ID | string | Yes | The unique identifier of the mobile device + to be locked. | - | Message | String | No | A custom message to display on the device's lock screen. - | + | Message | string | No | An optional custom message to display on the locked + device screen. | + + | Phone Number | string | No | An optional phone number to display on the locked + device screen for contact purposes. | - | Phone Number | String | No | A contact phone number to display on the device's - lock screen. | + ### Flow Description + + 1. **Initialization**: The action extracts the Jamf Pro API configuration (API + root, client ID, client secret) and the action parameters (Mobile Device ID, Message, + Phone Number). - ### Additional Notes: + 2. **Device Retrieval**: The action calls the Jamf Pro API to retrieve the details + of the specified mobile device to obtain its `managementId`. - * This action requires the device to be currently managed by Jamf Pro and have - a valid MDM profile installed to receive the lock command. + 3. **Command Execution**: The action sends a `DEVICE_LOCK` MDM command to the + Jamf Pro API, including the `managementId`, the optional message, and the optional + phone number. - * The action first performs a lookup to resolve the management ID before issuing - the lock command. + 4. **Result Handling**: The action logs the status of the command initiation and + adds the result to the SOAR action output. capabilities: can_create_case_comments: false can_create_insight: false @@ -961,12 +1037,20 @@ Remote Lock Mobile Device: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Sends a 'DEVICE_LOCK' MDM command to the Jamf Pro API, which triggers a remote - screen lock on the physical or virtual mobile device. + Sends a DEVICE_LOCK MDM command to the Jamf Pro API to remotely lock the specified + mobile device. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches device details (management ID) from the Jamf Pro API to perform + the lock, so it fetches data. It sends a command to Jamf Pro to lock the device, + which is an external mutation. It does not modify internal SOAR data or entities. categories: enrichment: false + reasoning: >- + The action is a containment action (locking a device), not an enrichment action. + It does not retrieve context for analysis but rather performs a state-changing + operation on an external device. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -982,6 +1066,10 @@ Remote Lock Mobile Device: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action uses a parameter 'Mobile Device ID' provided by the user, rather + than iterating over 'siemplify.target_entities'. Therefore, it does not run + on entities. Update Extension Attribute: action_product_categories: add_alert_comment: false @@ -997,6 +1085,11 @@ Update Extension Attribute: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action updates an extension attribute for a computer in Jamf Pro. This is + a metadata update on an asset. It does not match any of the provided categories + (e.g., it is not an alert update, ticket update, identity update, or containment + action). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1012,55 +1105,50 @@ Update Extension Attribute: update_identity: false update_ticket: false ai_description: >- - Updates a specific extension attribute for a computer managed in Jamf Pro. This - action allows administrators to modify custom metadata fields (extension attributes) - for a specific device by providing the computer's ID and the desired attribute - name and values. + Updates a specific extension attribute for a computer in Jamf Pro. This action + allows administrators to modify custom metadata fields for managed devices, supporting + multiple values as a comma-separated list. - ### Flow Description: + ### Flow - 1. **Parameter Extraction:** Retrieves the Jamf Pro API configuration and action - parameters, including the Computer ID, Extension Attribute Name, and the new values. + 1. Extracts configuration (API root, credentials) and action parameters (Computer + ID, Extension Attribute Name, Values). - 2. **Attribute Discovery:** Fetches the complete list of available computer extension - attributes from Jamf Pro to resolve the provided attribute name into its corresponding - internal Definition ID. + 2. Initializes the `JamfManager` to handle API communication. - 3. **Value Parsing:** Processes the provided 'Values' string, splitting it into - a list if multiple comma-separated values are provided. + 3. Fetches the list of all available extension attributes from Jamf Pro to identify + the correct attribute ID by name. - 4. **External Update:** Executes a PATCH request to the Jamf Pro API for the specified - computer, updating the targeted extension attribute with the new values. + 4. Updates the specified computer's extension attribute with the provided values + using a PATCH request. - 5. **Result Processing:** Captures the API response, extracts basic computer details - (Name, Serial, Platform) for the output message, and attaches the full raw response - as a JSON result. + 5. Returns the result of the update operation, including computer details if available. - ### Parameters Description: + ### Parameters - | Parameter Name | Type | Mandatory | Description | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Computer ID | String | Yes | The unique identifier of the computer in Jamf Pro - that needs to be updated. | + | Computer ID | string | Yes | The ID of the computer to update the extension + attribute for. | - | Extension Attribute Name | String | Yes | The display name of the extension - attribute to update (e.g., 'Department', 'Asset Tag'). | + | Extension Attribute Name | string | Yes | The name of the extension attribute + to update. | - | Values | String | Yes | A comma-separated list of values to set for the extension - attribute. Multiple values are supported for attributes that allow them. | + | Values | string | Yes | Comma-separated list of values to set for the extension + attribute (e.g., value1,value2,value3). | - ### Additional Notes: + ### Additional Notes - - The action performs a lookup of all extension attributes first; if the provided - 'Extension Attribute Name' does not exist in Jamf Pro, the action will fail and - list available attributes in the error message. + - The action requires valid Jamf Pro API credentials configured in the integration + settings. - - This action specifically targets the Jamf Pro 'Computers' inventory. + - The 'Values' parameter accepts a comma-separated list of strings, which will + be set for the specified extension attribute. capabilities: can_create_case_comments: false can_create_insight: false @@ -1069,12 +1157,20 @@ Update Extension Attribute: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the values of a specific extension attribute for a computer record within - the Jamf Pro inventory via a PATCH request. + Updates the specified extension attribute for a computer in the Jamf Pro system. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action makes a PATCH request to the Jamf Pro API to update an extension + attribute (can_mutate_external_data=true). It fetches the list of extension + attributes to find the correct ID (fetches_data=true). It does not modify internal + SOAR data or entities. categories: enrichment: false + reasoning: >- + The action performs a mutation on an external system (Jamf Pro) to update an + extension attribute. It does not fetch data for the purpose of enrichment, nor + does it modify internal SOAR data. Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1090,6 +1186,10 @@ Update Extension Attribute: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities` or use entity-specific + identifiers from the SOAR entity model. It relies on a user-provided `Computer + ID` parameter to perform the update. Therefore, it does not run on entities. Update Protect Prevent List: action_product_categories: add_alert_comment: false @@ -1105,6 +1205,9 @@ Update Protect Prevent List: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action updates a prevent list in Jamf Protect, which is functionally equivalent + to adding indicators to a blocklist. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1119,70 +1222,30 @@ Update Protect Prevent List: update_email: false update_identity: false update_ticket: false - ai_description: >- - Updates an existing prevent list in Jamf Protect to block specific indicators - such as file hashes, Team IDs, or Signing IDs. This action retrieves the current - state of a named prevent list, validates that the provided indicators match the - list's required format (e.g., SHA-1/SHA-256 for hashes), and appends the new data - and tags to the existing list. It ensures that the prevent type of an existing - list is not changed, as this is not supported by the Jamf Protect API. - - - ### Parameters - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Prevent List Name | string | Yes | The name of the existing prevent list in - Jamf Protect that you want to update. | - - | Prevent List Description | string | No | An optional updated description for - the prevent list. If left empty, the existing description is preserved. | - - | Prevent Type | ddl | Yes | The category of indicators the list contains. Options - include: File Hash, Signing Information - Team ID, Signing Information - Code - Directory Hash, or Signing Information - Signing ID. This must match the existing - list's type. | - - | Prevent List Data | string | Yes | A comma-separated list of identifiers (e.g., - hashes or IDs) to be added to the prevent list. | - - | Prevent List Tags | string | No | A comma-separated list of tags to be associated - with the prevent list. New tags are merged with existing ones. | - - - ### Additional Notes - - - The action will fail if the specified 'Prevent List Name' does not exist in - Jamf Protect. - - - The 'Prevent Type' cannot be changed for an existing list; the action will raise - an error if the input type differs from the remote list type. - - - At least one tag must exist for the list (either provided in the parameters - or already present on the remote list). - - - ### Flow Description - - 1. **Fetch Existing Lists:** Retrieves all prevent lists from Jamf Protect to - find a match for the provided name. - - 2. **Type Validation:** Verifies that the input 'Prevent Type' matches the type - of the existing list found in Jamf Protect. - - 3. **Data Parsing:** Parses the comma-separated strings for indicators and tags - into clean lists. - - 4. **Format Validation:** Validates the format of the new indicators based on - the 'Prevent Type' (e.g., checking for valid Apple Team ID structure or hash lengths). - - 5. **Merge Data:** Combines and deduplicates the new indicators and tags with - the existing data from the remote list. - - 6. **Update Mutation:** Executes a GraphQL mutation to update the prevent list - in Jamf Protect with the merged data. + ai_description: "Updates an existing prevent list in Jamf Protect by adding new\ + \ indicators (hashes, domains, IPs) and tags. This action allows security teams\ + \ to maintain and expand their blocklists directly from the SOAR platform.\n\n\ + ### Flow Description\n1. **Initialization**: Extracts configuration parameters\ + \ (API credentials) and action parameters.\n2. **Parsing**: Processes the provided\ + \ comma-separated strings for indicators (`Prevent List Data`) and tags (`Prevent\ + \ List Tags`) into lists.\n3. **Retrieval**: Connects to Jamf Protect to retrieve\ + \ the existing prevent lists and identifies the target list by name.\n4. **Validation**:\ + \ Verifies that the `Prevent Type` matches the existing list and validates the\ + \ format of the new indicators based on the selected type.\n5. **Merge**: Merges\ + \ the new indicators and tags with the existing ones, ensuring no duplicates.\n\ + 6. **Update**: Executes a GraphQL mutation to update the prevent list in Jamf\ + \ Protect.\n7. **Result**: Returns the updated prevent list details and sets the\ + \ execution status.\n\n### Parameters\n| Parameter | Type | Mandatory | Description\ + \ |\n| :--- | :--- | :--- | :--- |\n| Prevent List Name | string | Yes | The name\ + \ of the prevent list to update. |\n| Prevent List Description | string | No |\ + \ An optional description for the prevent list. |\n| Prevent Type | ddl | Yes\ + \ | The type of indicators being added (e.g., File Hash, Signing Information).\ + \ |\n| Prevent List Data | string | Yes | A comma-separated list of indicators\ + \ to add to the prevent list. |\n| Prevent List Tags | string | No | A comma-separated\ + \ list of tags to associate with the prevent list. |\n\n### Additional Notes\n\ + - The action requires that the `Prevent Type` matches the existing list type;\ + \ it cannot be changed. \n- At least one indicator value must be provided in `Prevent\ + \ List Data`." capabilities: can_create_case_comments: false can_create_insight: false @@ -1191,12 +1254,20 @@ Update Protect Prevent List: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates an existing prevent list (blocklist) in Jamf Protect by adding new indicators - and tags via a GraphQL mutation. + Updates an existing prevent list in Jamf Protect by adding new indicators and + tags. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches existing prevent lists from Jamf Protect to identify the + target list (fetches_data=true). It then performs a GraphQL mutation to update + the list in Jamf Protect (can_mutate_external_data=true). It does not modify + internal SOAR entities or case data. categories: enrichment: false + reasoning: >- + The action is not an enrichment action because it mutates external data (updates + a prevent list in Jamf Protect). entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1212,6 +1283,9 @@ Update Protect Prevent List: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on entities; it uses parameters provided in the + action configuration. Wipe Managed Device: action_product_categories: add_alert_comment: false @@ -1227,6 +1301,9 @@ Wipe Managed Device: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action performs a remote wipe of a managed device, which is a form of network/device + isolation and containment. This aligns with the 'Contain Host' category. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1242,68 +1319,61 @@ Wipe Managed Device: update_identity: false update_ticket: false ai_description: >- - Remotely erases or wipes a managed computer using the Jamf Pro `ERASE_DEVICE` - MDM command. This action is specifically designed for macOS computers managed - via Jamf Pro. It retrieves the device's management ID and then issues a command - to perform a factory reset or secure wipe based on the provided obliteration behavior. - It also supports 'Return to Service' configurations, allowing the device to automatically - re-enroll or connect to Wi-Fi after the wipe process is complete. + Remotely erases or wipes a managed computer using the Jamf Pro ERASE_DEVICE MDM + command. This action is intended for containment scenarios where a device must + be cleared of data. It retrieves the device's management ID from Jamf Pro before + issuing the wipe command. - ### Flow Description: + ### Parameters - 1. **Parameter Extraction:** Retrieves Jamf Pro connection details and action - parameters including Computer ID, PIN, and obliteration settings. - 2. **Manager Initialization:** Initializes the JamfManager and authenticates with - the Jamf Pro API to obtain a bearer token. + | Parameter | Type | Mandatory | Description | - 3. **Management ID Retrieval:** Calls the Jamf Pro API to fetch detailed inventory - for the specified Computer ID to extract its `managementId`. + | :--- | :--- | :--- | :--- | - 4. **Command Execution:** Sends a POST request to the Jamf Pro MDM commands endpoint - with the `ERASE_DEVICE` command type and specified parameters (PIN, obliteration - behavior, and Return to Service profiles). + | Computer ID | string | Yes | The unique identifier of the computer to erase. + | - 5. **Result Reporting:** Returns a JSON object containing the API response from - Jamf and the details of the command initiated. + | PIN | string | Yes | A 6-digit PIN required for the erase command. | + | Obliteration Behavior | ddl | Yes | Defines how the device is obliterated (Default, + DoNotObliterate, ObliterateWithWarning, Always). | - ### Parameters Description: + | Return to Service | boolean | Yes | Whether to enable the 'Return to Service' + workflow after the erase. | - | Parameter | Type | Mandatory | Description | + | MDM Profile Data | string | No | Base64-encoded MDM profile data, required if + 'Return to Service' is enabled. | - | --- | --- | --- | --- | + | WiFi Profile Data | string | No | Base64-encoded WiFi profile data, required + if 'Return to Service' is enabled. | + + + ### Additional Notes - | Computer ID | string | Yes | The unique identifier of the computer in Jamf Pro - to be wiped. | - | PIN | string | Yes | A 6-digit PIN required for the erase command. Note: While - marked mandatory in configuration, the logic handles empty strings if the device - doesn't require one. | + * If 'Return to Service' is enabled, at least one of 'MDM Profile Data' or 'WiFi + Profile Data' must be provided. - | Obliteration Behavior | ddl | Yes | Determines how the device is wiped. Options: - Default, DoNotObliterate, ObliterateWithWarning, Always. | - | Return to Service | boolean | Yes | If enabled, the device will attempt to return - to a managed state after wiping. | + ### Flow Description - | MDM Profile Data | string | No | Base64-encoded MDM profile data used for Return - to Service. | - | WiFi Profile Data | string | No | Base64-encoded WiFi profile data used for - Return to Service. | + 1. **Configuration Initialization**: Extracts Jamf Pro API credentials and configuration + settings. + 2. **Parameter Extraction**: Retrieves the action parameters (Computer ID, PIN, + etc.). - ### Additional Notes: + 3. **Device Information Retrieval**: Calls the Jamf Pro API to fetch the device's + `managementId` using the provided `Computer ID`. - - **Return to Service Requirements:** If 'Return to Service' is enabled, at least - one of 'MDM Profile Data' or 'WiFi Profile Data' must be provided; otherwise, - the action will fail with a parameter error. + 4. **Command Execution**: Sends an `ERASE_DEVICE` MDM command to the Jamf Pro + API, including the specified obliteration behavior and return-to-service settings. - - **Device Compatibility:** This action uses the Jamf Pro computer inventory endpoints - and is intended for computers. For mobile devices (iOS/iPadOS), use the 'Wipe - Mobile Device' action. + 5. **Result Reporting**: Logs the outcome of the command initiation and adds the + result to the action output. capabilities: can_create_case_comments: false can_create_insight: false @@ -1312,12 +1382,22 @@ Wipe Managed Device: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Initiates an ERASE_DEVICE MDM command in Jamf Pro, which results in the remote - wiping/erasing of the target managed computer. + Initiates an ERASE_DEVICE MDM command on the target computer via the Jamf Pro + API. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches device information (management ID) from Jamf Pro to perform + the operation (fetches_data=true). It then sends a POST request to Jamf Pro + to initiate a device wipe, which is a state-changing operation on the external + system (can_mutate_external_data=true). It does not modify internal SOAR case + data or entities. categories: enrichment: false + reasoning: >- + The action is a containment action designed to wipe a device. It does not meet + the criteria for an enrichment action as it performs a destructive mutation + on an external system. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1333,6 +1413,9 @@ Wipe Managed Device: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or process `siemplify.target_entities`. It + accepts a `Computer ID` as a direct input parameter. Wipe Mobile Device: action_product_categories: add_alert_comment: false @@ -1348,6 +1431,10 @@ Wipe Mobile Device: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action performs a remote wipe of a mobile device, which is a containment + operation. This aligns with the 'Contain Host' category, as it isolates/neutralizes + the device. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1363,67 +1450,59 @@ Wipe Mobile Device: update_identity: false update_ticket: false ai_description: >- - Remotely erase or wipe a managed mobile device using the Jamf Pro ERASE_DEVICE - MDM command. This action is used for containment and data protection by completely - wiping a device's data. It supports advanced options such as preserving data plans - for eSIM devices, disabling proximity setup on reboot, and configuring 'Return - to Service' settings to automate re-enrollment after the wipe. - + Remotely erases or wipes a managed mobile device using the Jamf Pro MDM ERASE_DEVICE + command. This action is designed for containment scenarios where a device needs + to be cleared of data. - ### Flow Description: - 1. **Authentication**: The action authenticates with the Jamf Pro API using the - provided Client ID and Secret to obtain an OAuth access token. + ### Flow Description - 2. **Device Identification**: It retrieves the specific management ID for the - provided Mobile Device ID, which is required to issue MDM commands. + 1. The action initializes the JamfManager using the provided API credentials and + configuration. - 3. **Command Construction**: The action constructs an ERASE_DEVICE MDM command - payload, incorporating parameters for data plan preservation, proximity setup - restrictions, and Return to Service configurations (including MDM/WiFi profiles - and bootstrap tokens). + 2. It extracts the required action parameters, including the Mobile Device ID + and optional settings like data plan preservation, proximity setup, and return-to-service + configurations. - 4. **Execution**: The command is sent to the Jamf Pro MDM server via a POST request. + 3. It sends an ERASE_DEVICE MDM command to the Jamf Pro API for the specified + device. - 5. **Reporting**: The action returns the command status and execution details - as a JSON result. + 4. The action returns the result of the command execution, including status and + command details, to the SOAR platform. - ### Parameters Description: + ### Parameters - | Parameter Name | Type | Mandatory | Description | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Mobile Device ID | String | Yes | The unique identifier of the mobile device - in Jamf Pro to be erased. | + | Mobile Device ID | string | Yes | The unique identifier of the mobile device + to be erased. | - | Preserve Data Plan | Boolean | No | If true, preserves the data plan on devices - with eSIM functionality (iOS 11+). Default is false. | + | Preserve Data Plan | boolean | No | Whether to preserve the data plan on a mobile + device with eSIM functionality. | - | Disallow Proximity Setup | Boolean | No | If true, disables Proximity Setup - on the next reboot and skips the pane in Setup Assistant (iOS 11+). Default is - false. | + | Disallow Proximity Setup | boolean | No | Whether to disable Proximity Setup + on the next reboot. | - | Return to Service | Boolean | Yes | Whether to enable the 'Return to Service' - feature, which allows the device to automatically re-enroll after being erased. - Default is true. | + | Return to Service | boolean | Yes | Whether to enable return to service after + erase. | - | MDM Profile Data | String | No | Base64-encoded MDM profile data required for - Return to Service. | + | MDM Profile Data | string | No | Base64-encoded MDM profile data for return + to service. | - | WiFi Profile Data | String | No | Base64-encoded WiFi profile data required - for Return to Service. | + | WiFi Profile Data | string | No | Base64-encoded WiFi profile data for return + to service. | - | Bootstrap Token | String | No | Base64-encoded bootstrap token for the device, - used for Return to Service. | + | Bootstrap Token | string | No | Base64-encoded bootstrap token for the device. + | - ### Additional Notes: + ### Additional Notes - - The 'Return to Service' feature requires valid MDM and/or WiFi profile data - to function correctly. If enabled without providing profile data, the action may - fail or the device may not re-enroll automatically. + - The 'Return to Service' parameter is mandatory. If enabled, ensure that the + necessary profile data (MDM or WiFi) is provided if required by the device configuration. capabilities: can_create_case_comments: false can_create_insight: false @@ -1432,12 +1511,19 @@ Wipe Mobile Device: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Sends an ERASE_DEVICE MDM command to Jamf Pro, which triggers a remote factory - reset/wipe of the physical or virtual mobile device. - fetches_data: true + Sends an ERASE_DEVICE MDM command to the Jamf Pro API, which triggers a remote + wipe of the specified mobile device. + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a destructive operation (wiping a device) via an external + API (Jamf Pro). It does not fetch data for enrichment, nor does it modify internal + SOAR entities or case data. It is a pure containment/remediation action. categories: enrichment: false + reasoning: >- + The action does not fetch data for enrichment and performs a destructive external + mutation (wiping a device). Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1453,3 +1539,6 @@ Wipe Mobile Device: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action operates on a specific 'Mobile Device ID' provided as an input parameter. + It does not iterate over or process 'siemplify.target_entities'. diff --git a/content/response_integrations/third_party/partner/jamf/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/jamf/resources/ai/integration_ai_description.yaml index fc37bcee9..9eeca3e53 100644 --- a/content/response_integrations/third_party/partner/jamf/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/partner/jamf/resources/ai/integration_ai_description.yaml @@ -6,7 +6,19 @@ product_categories: email_security: false iam_and_identity_management: false itsm: false - network_security: false + network_security: true + reasoning: >- + The Jamf integration provides comprehensive device management and endpoint security + capabilities. It qualifies for 'Asset Inventory' because it includes multiple + actions (e.g., 'Get Computer Inventory', 'Get Mobile Device Inventory', 'Get Device + Information') to retrieve detailed asset metadata. It qualifies for 'EDR' because + it provides endpoint security features, including containment actions like 'Remote + Lock' and 'Wipe' for both computers and mobile devices, which aligns with EDR + containment capabilities. It qualifies for 'Network Security' because the 'Update + Protect Prevent List' action allows for the blocking of malicious indicators (hashes, + domains, IPs), which aligns with the category's goal of blocking malicious traffic/indicators. + It does not fit 'SIEM' (no log searching), 'IAM' (no user account management), + or other categories like 'ITSM' or 'Vulnerability Management'. siem: false threat_intelligence: false vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/netappransomwareresilience/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/netappransomwareresilience/resources/ai/actions_ai_description.yaml index a402d4023..d7a112652 100644 --- a/content/response_integrations/third_party/partner/netappransomwareresilience/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/netappransomwareresilience/resources/ai/actions_ai_description.yaml @@ -12,7 +12,11 @@ Check Job Status: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false - get_alert_information: false + get_alert_information: true + reasoning: >- + The action performs a GET request to retrieve the status of a job from the NetApp + Ransomware Resilience service. This aligns with the 'Get Alert Information' + category as it fetches status information from the 3rd party product. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -28,52 +32,17 @@ Check Job Status: update_identity: false update_ticket: false ai_description: >- - ### General Description - - The **Check Job Status** action is a utility designed to monitor the progress - and outcome of asynchronous operations within the NetApp Ransomware Resilience - Service (RRS). It queries the NetApp BlueXP API to retrieve the current state - of a specific job, enabling playbooks to track long-running tasks such as snapshot - creation or volume management. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Source | String | Yes | The source identifier for the request, typically 'rps-agent'. + Checks the status of an asynchronous job in the NetApp Ransomware Resilience service. + This action queries the RRS API to retrieve the current status of a specific job, + providing visibility into the progress of operations initiated within the service.\n\n### + Flow\n1. Initialize the `ApiManager` to handle authentication and API communication.\n2. + Extract the `Source`, `Agent ID`, and `Job ID` from the action parameters.\n3. + Perform a `GET` request to the RRS API to fetch the job status.\n4. Return the + job status JSON as the action result.\n\n### Parameters\n| Parameter | Type | + Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Source | string | + Yes | Source string (e.g., rps-agent). |\n| Agent ID | string | Yes | Console + Agent ID. |\n| Job ID | string | Yes | Job ID for which status to be fetched. | - - | Agent ID | String | Yes | The unique identifier for the Console Agent associated - with the job. | - - | Job ID | String | Yes | The unique identifier of the asynchronous job whose - status is being queried. | - - - ### Flow Description - - 1. **Parameter Extraction**: The action retrieves the `Source`, `Agent ID`, and - `Job ID` from the user-provided input parameters. - - 2. **API Interaction**: It uses the `ApiManager` to authenticate via OAuth2 and - perform a GET request to the RRS job status endpoint. - - 3. **Data Retrieval**: The action fetches the JSON response containing the job's - current status (e.g., Pending, Running, Completed, Failed) and associated metadata. - - 4. **Result Reporting**: The retrieved job status is attached to the action as - a JSON result, and the action completes with a success status if the API call - is successful. - - - ### Additional Notes - - This action does not process or enrich SOAR entities. It is strictly a utility - for tracking background tasks initiated by other actions in the NetApp Ransomware - Resilience integration. capabilities: can_create_case_comments: false can_create_insight: false @@ -84,8 +53,16 @@ Check Job Status: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to fetch job status information from the NetApp + Ransomware Resilience API. It does not mutate any external or internal data, + nor does it update entities, create insights, or modify alert data. categories: enrichment: false + reasoning: >- + The action fetches job status information from an external service. It does + not enrich entities or alerts, nor does it modify any internal or external state. + Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -101,6 +78,10 @@ Check Job Status: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities` or use any entity-specific + identifiers. It extracts parameters directly from the action configuration. + Therefore, it does not run on any entity types. Enrich IP Address: action_product_categories: add_alert_comment: false @@ -116,6 +97,11 @@ Enrich IP Address: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves threat intelligence data for a provided IP address from + the NetApp Ransomware Resilience Service. This matches the 'Enrich IOC' category. + It does not perform any state-changing operations on external systems or internal + entities. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -130,48 +116,14 @@ Enrich IP Address: update_email: false update_identity: false update_ticket: false - ai_description: >- - ### General Description - - Enriches a specific IP address using the NetApp Ransomware Resilience Service - (RRS). This action retrieves threat intelligence data associated with the provided - IP address to assist in security analysis and incident response. It interacts - with the NetApp BlueXP API to fetch contextual information about the indicator. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | IP Address | String | Yes | The IP address that needs to be enriched with threat - intelligence data. | - - - ### Flow Description - - 1. **Initialization**: The action initializes the `ApiManager`, which handles - OAuth token management and session setup. - - 2. **Parameter Extraction**: The target IP address is extracted from the action's - input parameters. - - 3. **API Interaction**: The action sends a POST request to the NetApp RRS `enrich/ip-address` - endpoint containing the IP address. - - 4. **Result Processing**: The retrieved enrichment data is attached to the action's - JSON results. - - 5. **Completion**: The action concludes by providing a success message and the - enrichment data to the SOAR platform. - - - ### Additional Notes - - This action does not automatically iterate over entities in the SOAR case. It - relies on the `IP Address` parameter provided during execution. If the API call - fails, the action will return a failed status with the corresponding error message. + ai_description: "General description: Enriches an IP address with threat intelligence\ + \ data using the NetApp Ransomware Resilience Service (RRS). \n\n### Parameters\ + \ description\n| Parameter | Type | Mandatory | Description |\n| --- | --- | ---\ + \ | --- |\n| IP Address | string | Yes | The IP address to be enriched. |\n\n\ + ### Flow description\n1. Initialize `ApiManager` with credentials.\n2. Extract\ + \ `IP Address` from action parameters.\n3. Call the RRS API `enrich/ip-address`\ + \ endpoint to retrieve threat intelligence.\n4. Add the retrieved JSON data to\ + \ the action result.\n5. End the action with a success or failure status." capabilities: can_create_case_comments: false can_create_insight: false @@ -182,8 +134,15 @@ Enrich IP Address: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches data from an external API (`enrich_ip`). It does not mutate + external data (it's a GET/POST-for-read operation). It does not mutate internal + data (no `update_entities`, `add_insight`, etc.). categories: enrichment: true + reasoning: >- + The action fetches data from an external service (RRS) and does not mutate any + external or internal systems. It meets the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -199,6 +158,10 @@ Enrich IP Address: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code extracts the IP address directly from the action parameters (`siemplify.extract_action_param("IP + Address")`) rather than iterating over `siemplify.target_entities`. Therefore, + it does not process any specific entity types from the SOAR entity model. Enrich Storage: action_product_categories: add_alert_comment: false @@ -214,6 +177,10 @@ Enrich Storage: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves contextual metadata (volume information) for a storage + resource, which aligns with the 'Enrich Asset' category. It does not perform + IOC enrichment, alert updates, or containment actions. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -229,50 +196,42 @@ Enrich Storage: update_identity: false update_ticket: false ai_description: >- - ### General Description - - The **Enrich Storage** action retrieves detailed volume and storage information - for a specific agent and system from the NetApp Ransomware Resilience Service - (RRS). This action is used to gather contextual metadata about storage assets, - which is essential for assessing the scope and impact of potential ransomware - incidents. + This action retrieves storage volume information from the NetApp Ransomware Resilience + Service (RRS). It is designed to provide contextual data about storage systems + to assist in security investigations. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Initialization**: The action initializes the `ApiManager` using the configured + integration credentials (Client ID, Client Secret, Account ID). - | :--- | :--- | :--- | :--- | + 2. **Parameter Extraction**: It extracts the mandatory `Agent ID` and `System + ID` from the action parameters. - | **Agent ID** | string | Yes | The unique identifier for the Console Agent. | - - | **System ID** | string | Yes | The unique identifier for the Storage System. - | + 3. **Data Retrieval**: The action performs a GET request to the RRS API endpoint + (`enrich/storage`) using the provided IDs to fetch storage enrichment data. + 4. **Output**: The retrieved storage information is added to the action's result + JSON, and the action completes with a success status. - ### Flow Description - 1. **Authentication**: The action initializes the API Manager, which handles OAuth2 - authentication with the NetApp BlueXP platform, ensuring a valid access token - is available. + ### Parameters - 2. **Parameter Extraction**: The action extracts the mandatory `Agent ID` and - `System ID` from the user-provided input. + | Parameter | Type | Mandatory | Description | - 3. **Data Retrieval**: It performs a GET request to the RRS enrichment endpoint - (`enrich/storage`) using the provided identifiers as query parameters. + | :--- | :--- | :--- | :--- | - 4. **Result Processing**: The API response, containing storage metadata, is parsed - and attached to the action's output as a JSON result. + | Agent ID | string | Yes | The Console Agent ID associated with the storage system. + | - 5. **Completion**: The action concludes by providing a success message and the - retrieved data to the SOAR platform. + | System ID | string | Yes | The Storage System ID to be enriched. | ### Additional Notes - This action does not operate on SOAR entities (like IPs or Hostnames) directly; - instead, it requires specific IDs provided as parameters to query the NetApp backend. + This action does not operate on specific SOAR entities (e.g., IP, Hash). It is + a utility action that fetches data based on provided input parameters. capabilities: can_create_case_comments: false can_create_insight: false @@ -283,8 +242,17 @@ Enrich Storage: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to an external API (RRS) to retrieve storage + information. It does not modify any external systems (no POST/PUT/DELETE for + state changes) and does not modify internal SOAR data (entities, insights, or + comments). categories: - enrichment: true + enrichment: false + reasoning: >- + While the action fetches data, it does not operate on entities (e.g., IP, Hostname) + as required by the definition of an Enrichment Action in this context. It is + a standalone data retrieval action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -300,6 +268,9 @@ Enrich Storage: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not reference `siemplify.target_entities` or perform any operations + on SOAR entities. It relies entirely on action parameters provided by the user. Ping: action_product_categories: add_alert_comment: false @@ -315,6 +286,9 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test ("Ping") and does not perform any of the defined + product category operations (e.g., enrichment, containment, ticket management). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -332,38 +306,27 @@ Ping: ai_description: >- ### General Description - The **Ping** action is a diagnostic tool designed to verify the connectivity and - authentication configuration between Google SecOps and the NetApp Ransomware Resilience - Service (RRS). It ensures that the provided credentials (Client ID, Client Secret, - and Account ID) are valid and that the RRS API endpoints are reachable. - - - ### Parameters Description - - This action does not require any input parameters. + Tests connectivity to the NetApp Ransomware Resilience Service (RRS). This action + validates the authentication token against the RRS API to verify that the integration + is properly configured and the server is reachable. ### Flow Description - 1. **Initialization**: The action initializes the `ApiManager`, which retrieves - the integration configuration. + 1. Initialize the `SiemplifyAction` and `ApiManager`. - 2. **Authentication Check**: It triggers the OAuth flow to either retrieve a cached - token from encrypted storage or generate a new one using the provided credentials. + 2. The `ApiManager` checks the validity of the current OAuth token. - 3. **Connectivity Validation**: It calls the `is_token_valid` method to confirm - that a valid session can be established with the NetApp service. + 3. If the token is expired or missing, the `ApiManager` attempts to refresh the + token via the OAuth endpoint. - 4. **Result Reporting**: If the token is valid and the service responds, the action - completes successfully. If an authentication or connection error occurs, it reports - a failure with the specific error message. + 4. The action logs the connection status and returns a success or failure message + to the SOAR platform. - ### Additional Notes + ### Parameters Description - This action is primarily used during the initial setup of the integration or for - troubleshooting communication issues. It does not process any entities or modify - any data. + There are no parameters for this action. capabilities: can_create_case_comments: false can_create_insight: false @@ -374,8 +337,15 @@ Ping: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity test. It does not fetch contextual data about + alerts or entities, nor does it mutate external or internal systems. It only + validates authentication credentials. categories: enrichment: false + reasoning: >- + The action is named "Ping" and performs a connectivity test. Per the instructions, + "Actions named Ping must not be categorized as enrichment actions." entity_usage: entity_types: [] filters_by_additional_properties: false @@ -391,6 +361,8 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. Take Snapshot: action_product_categories: add_alert_comment: false @@ -406,6 +378,10 @@ Take Snapshot: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action triggers a snapshot creation on an external storage system. This + does not fit into the provided categories (Enrichment, Containment, Ticketing, + etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -420,27 +396,39 @@ Take Snapshot: update_email: false update_identity: false update_ticket: false - ai_description: "### General Description\nThis action triggers the creation of a\ - \ volume snapshot via the NetApp Ransomware Resilience Service (RRS). It is designed\ - \ to provide a point-in-time recovery point for storage volumes, enhancing data\ - \ resilience against ransomware attacks. The action communicates with the NetApp\ - \ BlueXP API to initiate the snapshot process for a specific volume identified\ - \ by its ID, system ID, and agent ID.\n\n### Parameters Description\n\n| Parameter\ - \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Volume\ - \ ID | string | Yes | The unique identifier of the storage volume for which the\ - \ snapshot will be created. |\n| Agent ID | string | Yes | The identifier of the\ - \ Console agent responsible for managing the storage system. |\n| System ID |\ - \ string | Yes | The unique identifier of the Storage System where the volume\ - \ is located. |\n\n### Flow Description\n1. **Initialization**: The action initializes\ - \ the SOAR SDK and the NetApp RRS API Manager.\n2. **Parameter Extraction**: It\ - \ retrieves the `Volume ID`, `Agent ID`, and `System ID` from the action input\ - \ parameters.\n3. **API Call**: The action sends a POST request to the NetApp\ - \ RRS `storage/take-snapshot` endpoint using the provided identifiers.\n4. **Response\ - \ Handling**: \n * If the request is successful, it captures the snapshot metadata\ - \ returned by the API.\n * If an error occurs (authentication, connection,\ - \ or API error), it catches the exception and logs the failure.\n5. **Completion**:\ - \ The action outputs the API response as a JSON result and sets the execution\ - \ status to completed or failed based on the outcome." + ai_description: >- + ### General Description + + Triggers a volume snapshot creation via the NetApp Ransomware Resilience Service. + This action initiates a snapshot request on the storage system using the provided + volume, agent, and system identifiers. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Volume ID | string | Yes | The ID of the volume to snapshot. | + + | Agent ID | string | Yes | The console agent ID. | + + | System ID | string | Yes | The storage system ID. | + + + ### Flow Description + + 1. Initialize the `SiemplifyAction` and extract the required parameters: `Volume + ID`, `Agent ID`, and `System ID`. + + 2. Initialize the `ApiManager` to handle authentication and API communication + with the NetApp Ransomware Resilience Service. + + 3. Execute the `take_snapshot` API call (POST request) using the provided parameters. + + 4. Return the result of the snapshot creation as a JSON object and terminate the + action with the appropriate status. capabilities: can_create_case_comments: false can_create_insight: false @@ -449,12 +437,18 @@ Take Snapshot: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new volume snapshot in the NetApp storage system via the Ransomware - Resilience Service API. + Triggers a volume snapshot creation on the NetApp Ransomware Resilience Service. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to an external API to trigger a snapshot + creation. It does not fetch contextual data for enrichment, nor does it modify + internal SOAR data or entities. categories: enrichment: false + reasoning: >- + The action is a mutation action (creating a snapshot) and does not perform enrichment + or data retrieval. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -470,6 +464,9 @@ Take Snapshot: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action uses parameters provided in the action configuration (Volume ID, + Agent ID, System ID) and does not operate on target_entities. Volume Offline: action_product_categories: add_alert_comment: false @@ -485,6 +482,10 @@ Volume Offline: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action takes a volume offline, which is a containment/remediation action. + It does not match enrichment, ticket creation, or alert updates. It is most + similar to 'Contain Host' as it isolates a resource (volume) from the network/system. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -502,52 +503,47 @@ Volume Offline: ai_description: >- ### General Description - The **Volume Offline** action allows analysts to programmatically take a specific - storage volume offline via the NetApp Ransomware Resilience Service (RRS). This - action is primarily used as a containment strategy during active ransomware incidents - to prevent further data encryption or unauthorized access by isolating the affected - storage resource. - + This action takes a storage volume offline using the NetApp Ransomware Resilience + Service (RRS). It is designed to be used as a containment or remediation step + to prevent further data access or potential ransomware spread on a specific storage + volume. - ### Parameters Description - | Parameter | Type | Mandatory | Description | + ### Flow Description - | :--- | :--- | :--- | :--- | + 1. **Parameter Extraction**: The action extracts the `Volume ID`, `Agent ID`, + and `System ID` from the provided action parameters. - | **Volume ID** | String | Yes | The unique identifier of the storage volume that - needs to be taken offline. | + 2. **Authentication**: The `ApiManager` initializes and ensures a valid OAuth + token is available, refreshing it if necessary using the configured credentials. - | **Agent ID** | String | Yes | The identifier for the Console Agent associated - with the storage system. | + 3. **API Execution**: The action sends a POST request to the NetApp RRS API endpoint + (`storage/take-volume-offline`) with the provided identifiers. - | **System ID** | String | Yes | The identifier for the specific storage system - where the volume resides. | + 4. **Result Reporting**: The API response is captured and added to the action's + result JSON, and the action terminates with a success or failure status. - ### Additional Notes + ### Parameters Description - - This action performs a state-changing operation on the external NetApp storage - system. + | Parameter | Type | Mandatory | Description | - - All three parameters are required to uniquely identify the target volume within - the NetApp BlueXP architecture. + | :--- | :--- | :--- | :--- | + | Volume ID | string | Yes | The unique identifier of the storage volume to take + offline. | - ### Flow Description + | Agent ID | string | Yes | The identifier of the console agent managing the storage + system. | - 1. **Parameter Extraction**: The action retrieves the `Volume ID`, `Agent ID`, - and `System ID` from the input parameters. + | System ID | string | Yes | The identifier of the storage system. | - 2. **Authentication**: The integration's API Manager handles OAuth2 authentication - with NetApp BlueXP to obtain a valid bearer token. - 3. **API Execution**: A POST request is dispatched to the RRS `storage/take-volume-offline` - endpoint with the provided identifiers. + ### Additional Notes - 4. **Result Processing**: The action captures the API response, determines the - execution status (Completed or Failed), and attaches the raw JSON response to - the action results in Google SecOps. + This action performs a state-changing operation on an external system. Ensure + that the provided credentials have the necessary permissions to modify storage + volume states. capabilities: can_create_case_comments: false can_create_insight: false @@ -556,12 +552,20 @@ Volume Offline: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Takes a storage volume offline in the NetApp Ransomware Resilience Service, - changing its availability state to prevent access. + Sends a POST request to the NetApp Ransomware Resilience Service to take a specific + storage volume offline. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to an external API to change the state of + a storage volume (take it offline). It does not fetch contextual data for enrichment, + nor does it modify internal SOAR entities or case data. categories: enrichment: false + reasoning: >- + The action is a command/control action (taking a volume offline). It does not + fetch data for enrichment, nor does it perform any of the allowed internal mutations + (insights, comments, entity updates). Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -577,3 +581,6 @@ Volume Offline: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not reference `siemplify.target_entities`. It relies entirely + on parameters provided in the action configuration. diff --git a/content/response_integrations/third_party/partner/netappransomwareresilience/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/netappransomwareresilience/resources/ai/integration_ai_description.yaml index b962d2eb6..c8334cc29 100644 --- a/content/response_integrations/third_party/partner/netappransomwareresilience/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/partner/netappransomwareresilience/resources/ai/integration_ai_description.yaml @@ -7,6 +7,16 @@ product_categories: iam_and_identity_management: false itsm: false network_security: false + reasoning: >- + The integration provides threat intelligence enrichment for IP addresses via the + 'Enrich IP Address' action, which aligns with the Threat Intelligence category. + Additionally, the 'Enrich Storage' action retrieves contextual metadata about + storage volumes, fitting the Asset Inventory category. While the integration includes + remediation actions like 'Volume Offline' and 'Take Snapshot', these are storage-specific + containment and protection actions and do not align with the definitions for EDR + (host-level), Network Security (gateway-level), or other categories. The integration + does not perform SIEM log analysis, email security, IAM management, ITSM ticketing, + vulnerability management, or collaboration tasks. siem: false threat_intelligence: true vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/netenrich_connect/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/netenrich_connect/resources/ai/actions_ai_description.yaml index 5a8082364..7bc4a485a 100644 --- a/content/response_integrations/third_party/partner/netenrich_connect/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/netenrich_connect/resources/ai/actions_ai_description.yaml @@ -13,6 +13,10 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity check (Ping) and does not perform any of the defined + product-specific operations like enriching IOCs, updating tickets, or containing + hosts. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -30,42 +34,47 @@ Ping: ai_description: >- ### General Description - Tests the connectivity between Google SecOps and the Resolution Intelligence Cloud - by sending a request to the configured inbound webhook URL. This action is used - to verify that the integration parameters are correct and the external service - is reachable. + Verifies connectivity to the Resolution Intelligence Cloud API by sending a POST + request to the configured webhook URL. This action is used to ensure the integration + is properly configured and the API endpoint is reachable. ### Parameters Description - There are no action parameters for this action. It relies entirely on the integration's - configuration parameters. + | Parameter | Type | Mandatory | Description | + | --- | --- | --- | --- | - ### Additional Notes + | RI Inbound Webhook URL | String | Yes | The webhook URL for the Resolution Intelligence + Cloud API. | + + | Token | String | Yes | The authentication token to be injected into the webhook + URL. | + + | Verify SSL | Boolean | No | Whether to verify SSL certificates during the request. + Defaults to True. | - * The action utilizes the following configuration parameters: 'RI Inbound Webhook - URL', 'Token', and 'Verify SSL'. - * The action considers a response status code of 200 or 400 as a successful connectivity - test. + ### Additional Notes + + The action requires the `RI Inbound Webhook URL` and `Token` parameters to be + configured for the request to be constructed and sent successfully. ### Flow Description - 1. **Configuration Retrieval**: The action extracts the 'RI Inbound Webhook URL', - 'Token', and 'Verify SSL' settings from the integration configuration. + 1. Extract configuration parameters: `RI Inbound Webhook URL`, `Token`, and `Verify + SSL`. + + 2. Construct the target URL by replacing the `{token}` placeholder in the webhook + URL with the provided token. - 2. **URL Construction**: It constructs the target URL by replacing the `{token}` - placeholder in the webhook URL with the actual token provided in the configuration. + 3. Execute a POST request to the constructed URL. - 3. **Connectivity Test**: It executes a POST request to the constructed URL with - an empty JSON body. + 4. Evaluate the HTTP response status code. - 4. **Result Evaluation**: The action checks the HTTP status code of the response. - If the code is 200 or 400, it concludes that the API is reachable and ends successfully. - If the request fails or returns a different status code, it captures the error - or status code and ends with a failure message. + 5. If the status code is 200 or 400, the action concludes as successful. Otherwise, + it reports a failure. capabilities: can_create_case_comments: false can_create_insight: false @@ -76,8 +85,14 @@ Ping: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity check (ping) via a POST request. It does + not fetch data, mutate external systems, or modify internal SOAR data. categories: enrichment: false + reasoning: >- + The action is named 'Ping'. According to the instructions, 'Actions named Ping + must not be categorized as enrichment actions.' It also does not fetch data. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -93,3 +108,5 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. diff --git a/content/response_integrations/third_party/partner/netenrich_connect/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/netenrich_connect/resources/ai/integration_ai_description.yaml index cb7ae3807..38606e599 100644 --- a/content/response_integrations/third_party/partner/netenrich_connect/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/partner/netenrich_connect/resources/ai/integration_ai_description.yaml @@ -7,6 +7,15 @@ product_categories: iam_and_identity_management: false itsm: true network_security: false - siem: true + reasoning: >- + The netenrich_connect integration is primarily designed to synchronize case data, + comments, attachments, and status updates between the Netenrich Resolution Intelligence + Cloud and Google SecOps (SOAR). Its core functionality revolves around maintaining + consistency in case management and ticket lifecycle across platforms. This aligns + directly with the ITSM category, which focuses on documenting investigations and + managing tasks. The integration does not perform SIEM log analysis, EDR host containment, + threat intelligence enrichment, or other specialized security domain functions + like cloud security or identity management. Therefore, it is classified as ITSM. + siem: false threat_intelligence: false vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/netenrich_connect/resources/ai/jobs_ai_description.yaml b/content/response_integrations/third_party/partner/netenrich_connect/resources/ai/jobs_ai_description.yaml index a784ef89d..8f4c11e40 100644 --- a/content/response_integrations/third_party/partner/netenrich_connect/resources/ai/jobs_ai_description.yaml +++ b/content/response_integrations/third_party/partner/netenrich_connect/resources/ai/jobs_ai_description.yaml @@ -1,63 +1,91 @@ Sync ActOn Updates To Case: - ai_description: "### General Description\nThis job synchronizes ActOn\u2122 data\ - \ from Netenrich's Resolution Intelligence Cloud (RIC) to Google SecOps cases.\ - \ It manages the entire lifecycle of a case by handling initial creation, field\ - \ updates, and comment synchronization. The job ensures that critical information\ - \ such as case priority, status, stage, and assignee are aligned between the two\ - \ systems, while also enriching cases with detailed scoring evidence and entity\ - \ data.\n\n### Parameters Description\n| Parameter | Type | Mandatory | Description\ - \ |\n| :--- | :--- | :--- | :--- |\n| CREATE | String (JSON) | No | A JSON payload\ - \ containing the initial ActOn data used to create a new case in Google SecOps.\ - \ |\n| UPDATE | String (JSON) | No | A JSON payload containing updated ActOn information\ - \ to synchronize with an existing case. |\n| COMMENT | String (JSON) | No | A\ - \ JSON payload containing new comments or attachments to be added to the case\ - \ wall. |\n\n*Note: While the job metadata defines no static parameters, the script\ - \ logic dynamically processes one of the three JSON payloads above depending on\ - \ the trigger event.*\n\n### Flow Description\n1. **Payload Extraction**: The\ - \ job identifies the operation type by checking for `CREATE`, `UPDATE`, or `COMMENT`\ - \ data in the input parameters.\n2. **Case Management**: It either creates a new\ - \ case or retrieves an existing one using the external ticket identifier from\ - \ the Resolution Intelligence Cloud.\n3. **Field Synchronization**: The job updates\ - \ core case attributes including the title, description, priority, and status\ - \ to match the external ActOn state.\n4. **Assignee & Stage Mapping**: It fetches\ - \ and maps SOC roles and case stages from the SOAR API to ensure the case is assigned\ - \ to the correct team and reflects the proper workflow stage.\n5. **Comment &\ - \ Attachment Processing**: New comments are added to the case wall. If attachments\ - \ are present, the job decodes the base64 content and uploads the files directly\ - \ to the case.\n6. **Metadata Enrichment**: It manages a specialized custom entity\ - \ within the case to store complex metadata such as scoring evidence, incident\ - \ categories, and alert counts.\n7. **Entity Delta Sync**: The job compares entities\ - \ in the incoming payload with existing case entities and adds any missing assets\ - \ or indicators.\n8. **External Notification**: Upon successful creation or update,\ - \ the job sends a confirmation back to the Netenrich inbound webhook to maintain\ - \ bi-directional synchronization." + ai_description: >- + ### General Description + + This job synchronizes case information from Resolution Intelligence Cloud (RIC) + to Google SecOps (SOAR). It acts as a bridge to ensure that case details, such + as descriptions, titles, priorities, assignees, and statuses, remain consistent + across both platforms. Additionally, it handles the synchronization of comments, + attachments, and entities, while updating custom entity properties with relevant + scoring evidence and alert data. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | CREATE | JSON String | No | Payload containing data for creating a new case. + | + + | UPDATE | JSON String | No | Payload containing data for updating an existing + case. | + + | COMMENT | JSON String | No | Payload containing data for adding a comment to + a case. | + + + ### Flow Description + + 1. Parses the incoming payload to determine the action type (CREATE, UPDATE, or + COMMENT). + + 2. Retrieves or creates the corresponding case in Google SecOps based on the provided + ticket ID. + + 3. If the action is a COMMENT, it adds the comment and any attachments to the + case and exits. + + 4. For CREATE or UPDATE actions, it synchronizes case metadata including description, + title, priority, assignee, stage, and status. + + 5. Updates custom entity properties with scoring evidence, alert data, and service + information. + + 6. Synchronizes new entities into the case. + + 7. If a new case is created, it posts a confirmation message back to the Resolution + Intelligence Cloud inbound webhook. Sync Case Updates To ActOn: - ai_description: "### General Description\nThis job synchronizes case updates from\ - \ Google SecOps to the Netenrich Resolution Intelligence Cloud (ActOn). It is\ - \ designed to run at frequent intervals (typically every minute) to ensure that\ - \ manual activities, such as comments, attachments, status changes, and assignee\ - \ updates performed within a SecOps case, are reflected in the corresponding ActOn\ - \ ticket. This maintains data parity between the two platforms during incident\ - \ response.\n\n### Parameters Description\n| Parameter | Type | Mandatory | Description\ - \ |\n| :--- | :--- | :--- | :--- |\n| RI Inbound Webhook URL | String | Yes |\ - \ The Netenrich Resolution Intelligence webhook endpoint used to receive case\ - \ updates. |\n| Token | String | Yes | The authentication token required to authorize\ - \ requests to the Netenrich inbound webhook. |\n| Environment | String | Yes |\ - \ The specific Google SecOps environment name used to filter which cases should\ - \ be synchronized. |\n\n### Flow Description\n1. **Check Last Sync**: Retrieves\ - \ the timestamp of the last successful execution from the job's scoped context\ - \ to determine the time window for updates.\n2. **Fetch Updated Cases**: Queries\ - \ Google SecOps for all cases modified since the last synchronization timestamp.\n\ - 3. **Filter by Environment**: Filters the retrieved cases to ensure only those\ - \ belonging to the configured 'Environment' are processed.\n4. **Retrieve Wall\ - \ Activities**: For each updated case, the job fetches the case wall activities\ - \ and filters for manual comments, attachments, and assignee changes (ignoring\ - \ automated system updates).\n5. **Process Attachments**: If new attachments are\ - \ detected, the job retrieves the file data and converts it to a base64-encoded\ - \ string for transmission.\n6. **Map Metadata**: Maps SecOps case attributes\u2014\ - including status (e.g., Closed), stage IDs, tags, and assigned SOC roles\u2014\ - to the Netenrich ActOn data schema.\n7. **Transmit Updates**: Constructs a JSON\ - \ payload containing the updates and posts it to the Netenrich Resolution Intelligence\ - \ inbound webhook.\n8. **Update Context**: Saves the current execution timestamp\ - \ to the job context to serve as the starting point for the next synchronization\ - \ cycle." + ai_description: >- + ### General Description + + This job synchronizes case updates from Google SecOps SOAR to the Netenrich Resolution + Intelligence Cloud (ActOn). It periodically monitors case wall activities, processes + relevant comments and attachments, and pushes these updates to the external platform + via a webhook to ensure data consistency between the two systems. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | RI Inbound Webhook URL | String | Yes | The URL endpoint for the Resolution + Intelligence Cloud inbound webhook. | + + | Token | String | Yes | The authentication token required for the webhook. | + + | Environment | String | Yes | The specific environment name to filter cases for + synchronization. | + + + ### Flow Description + + 1. Retrieves the `last_sync_time` from the job context. + + 2. Queries Google SecOps for cases updated since the last sync interval. + + 3. Filters cases based on the configured environment. + + 4. For each case, fetches wall activities and filters for relevant updates (e.g., + manual comments, assignee changes). + + 5. Transforms case data and activities into the required payload format, including + attachments and tags. + + 6. Sends the payload to the Resolution Intelligence Cloud via the configured webhook. + + 7. Updates the `last_sync_time` in the job context for the next run. diff --git a/content/response_integrations/third_party/partner/orca_security/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/orca_security/resources/ai/actions_ai_description.yaml index 893972e54..f635b7f19 100644 --- a/content/response_integrations/third_party/partner/orca_security/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/orca_security/resources/ai/actions_ai_description.yaml @@ -13,6 +13,9 @@ Add Comment To Alert: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action adds a comment to an alert in the external Orca Security system. + This directly aligns with the 'Add Alert Comment' category. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -23,52 +26,45 @@ Add Comment To Alert: send_message: false submit_file: false uncontain_host: false - update_alert: true + update_alert: false update_email: false update_identity: false update_ticket: false ai_description: >- - ### General Description + Adds a comment to a specific alert in the Orca Security platform. This action + allows analysts to append notes or automated log entries directly to an alert + within the external system. - Adds a comment to a specific alert within the Orca Security platform. This action - allows analysts to document findings, provide updates, or add context to an existing - alert directly from Google SecOps. It interacts with the Orca Security API using - a PUT request to append the specified text to the alert's comment history. - - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Alert ID | string | True | The unique identifier of the alert in Orca Security - to which the comment will be added. | + | Alert ID | string | Yes | The unique identifier of the alert to which the comment + should be added. | - | Comment | string | True | The text content of the comment to be added to the - alert. | + | Comment | string | Yes | The text content of the comment to be added. | ### Flow Description - 1. **Parameter Extraction**: The action retrieves the API configuration (Root, - Key/Token) and the action parameters (Alert ID and Comment). - - 2. **Manager Initialization**: Initializes the `OrcaSecurityManager` to handle - authentication and API communication. + 1. **Configuration Extraction**: The action retrieves the necessary API credentials + (API Root, API Key/Token) and SSL verification settings from the integration configuration. - 3. **API Interaction**: Calls the `add_alert_comment` method, which sends a PUT - request to the Orca Security endpoint `/api/alerts/{alert_id}/comment` with the - comment payload. + 2. **Parameter Extraction**: The action extracts the `Alert ID` and `Comment` + provided by the user. - 4. **Result Processing**: Captures the API response, converts the created comment - data into a JSON result, and provides a success message to the analyst. + 3. **Manager Initialization**: An `OrcaSecurityManager` instance is initialized + with the provided credentials. + 4. **API Interaction**: The action calls the `add_alert_comment` method, which + sends a `PUT` request to the Orca Security API to append the specified comment + to the target alert. - ### Additional Notes - - This action does not interact with Google SecOps entities; it operates directly - on a specific Alert ID provided as an input parameter. + 5. **Result Handling**: The action returns the result of the operation, including + the created comment object, and logs the status of the execution. capabilities: can_create_case_comments: false can_create_insight: false @@ -77,12 +73,18 @@ Add Comment To Alert: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Adds a new comment to a specific alert in the Orca Security platform via a PUT - request. - fetches_data: true + Adds a comment to an alert in the Orca Security platform. + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a PUT request to an external API (Orca Security) to add + a comment to an alert. It does not fetch data, nor does it modify internal SOAR + data or entities. categories: enrichment: false + reasoning: >- + The action mutates external data (adds a comment) and does not fetch data, so + it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -98,6 +100,9 @@ Add Comment To Alert: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on entities. It takes an `Alert ID` as a direct + input parameter and does not reference `siemplify.target_entities`. Get Asset Details: action_product_categories: add_alert_comment: false @@ -113,6 +118,10 @@ Get Asset Details: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves contextual metadata (asset details, vulnerabilities) for + assets, which directly matches the 'Enrich Asset' category. It does not perform + IOC enrichment, alert updates, or other containment actions. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -130,11 +139,29 @@ Get Asset Details: ai_description: >- ### General Description - Retrieves comprehensive details for specific assets from Orca Security. This action - allows analysts to fetch metadata such as asset type, account, category, and state. - Additionally, it can retrieve associated vulnerability information filtered by - a minimum severity level, providing a deeper look into the security posture of - the specified resources. + Retrieves detailed information about assets from Orca Security. This action fetches + asset metadata and, optionally, related vulnerability information based on specified + severity thresholds. It provides visibility into asset risk and configuration, + optionally generating case insights for the enriched assets. + + + ### Flow Description + + 1. **Initialization**: Extracts configuration parameters (API credentials, URL) + and action parameters (Asset IDs, vulnerability settings). + + 2. **Asset Retrieval**: Iterates through the provided list of Asset IDs and queries + the Orca Security API for detailed asset information. + + 3. **Vulnerability Enrichment**: If enabled, fetches vulnerability details for + each asset, filtered by the specified minimum severity and result limit. + + 4. **Insight Generation**: If enabled, creates a case insight for each successfully + enriched asset, containing key asset details and a link to the asset in the Orca + Security UI. + + 5. **Output**: Adds the collected asset and vulnerability data to the action results + as a JSON object and a data table. ### Parameters Description @@ -143,53 +170,27 @@ Get Asset Details: | :--- | :--- | :--- | :--- | - | Asset IDs | String | Yes | A comma-separated list of unique Orca Security asset - identifiers to retrieve details for. | + | Asset IDs | String | Yes | A comma-separated list of asset IDs to retrieve details + for. | | Return Vulnerabilities Information | Boolean | No | If enabled, the action will - also fetch and include vulnerability data related to each asset. | + fetch and include vulnerabilities related to the asset. | - | Lowest Severity For Vulnerabilities | DDL | Yes | The minimum severity threshold - (e.g., Critical, High, Medium, Low, Unknown) used to filter the vulnerabilities - returned. | + | Lowest Severity For Vulnerabilities | String | Yes | The minimum severity level + (e.g., Critical, High, Medium, Low, Unknown) for vulnerabilities to be included. + | | Max Vulnerabilities To Fetch | String | No | The maximum number of vulnerabilities - to retrieve per asset (Default: 50, Max: 100). | + to return per asset (Default: 50, Max: 100). | - | Create Insight | Boolean | No | If enabled, the action will generate a SOAR - case insight for each successfully enriched asset. | + | Create Insight | Boolean | No | If enabled, creates a case insight for every + successfully enriched asset. | ### Additional Notes - - The action requires either an API Key or an API Token to be configured in the - integration settings. - - - The `Max Vulnerabilities To Fetch` parameter must be a positive integer and - cannot exceed the system limit of 100. - - - ### Flow Description - - 1. **Parameter Extraction:** The action retrieves the list of Asset IDs and configuration - settings (API roots, credentials). - - 2. **Validation:** It validates that the `Max Vulnerabilities To Fetch` is a positive - integer within the allowed range (1-100). - - 3. **Manager Initialization:** Initializes the `OrcaSecurityManager` to handle - API communication. - - 4. **Asset Iteration:** For each provided Asset ID: - - **Fetch Asset Details:** Queries the Orca Security API for the asset's metadata. - - **Fetch Vulnerabilities (Optional):** If requested, queries for vulnerabilities - matching the specified severity and limit. - - **Data Aggregation:** Combines asset and vulnerability data into a single - JSON object. - - **Insight Generation (Optional):** Creates a case insight containing a summary - of the asset's state and a link to the Orca UI. - 5. **Output Generation:** Adds the aggregated JSON results and a summary data - table to the SOAR action results. + - The action does not operate on entities directly from the case; it relies on + the 'Asset IDs' parameter provided by the user. capabilities: can_create_case_comments: false can_create_insight: true @@ -200,10 +201,17 @@ Get Asset Details: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Creates case insights and data tables within the SOAR platform to display asset - and vulnerability information. + Creates case insights for enriched assets. + reasoning: >- + The action fetches asset and vulnerability data from the Orca Security API (fetches_data=true). + It does not modify any external systems (can_mutate_external_data=false). It + creates case insights within Google SecOps (can_mutate_internal_data=true, can_create_insight=true). categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches data from an external source (Orca Security) to provide context + (enrichment). It does not mutate external systems. It performs allowed internal + mutations (creating insights). Therefore, it qualifies as an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -219,6 +227,10 @@ Get Asset Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action takes 'Asset IDs' as a string parameter provided by the user. It + does not iterate over or filter the 'target_entities' list provided by the SOAR + platform. Get Compliance Info: action_product_categories: add_alert_comment: false @@ -234,6 +246,11 @@ Get Compliance Info: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves compliance framework information from Orca Security. It + does not match the expected outcomes for IOC enrichment, asset enrichment, alert + management, or any other specific category provided. It is a general information + retrieval action. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -249,56 +266,41 @@ Get Compliance Info: update_identity: false update_ticket: false ai_description: >- - ### General Description - - Retrieves detailed compliance information from Orca Security based on specified - frameworks. This action helps security teams monitor their compliance posture - by fetching scores, pass/fail counts, and status for various security frameworks - (e.g., CIS, NIST, SOC2). + Retrieves compliance framework information from Orca Security. This action allows + users to query specific compliance frameworks or retrieve a list of all available + frameworks, optionally creating a case insight to display the findings within + the SOAR platform. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Framework Names | String | No | A comma-separated list of framework names to - retrieve. If left empty, the action returns information for all selected frameworks - in Orca. | + | Framework Names | string | No | Comma-separated list of framework names to retrieve. + If empty, returns information about all selected frameworks. | - | Create Insight | Boolean | Yes | If set to true, the action generates a case - insight summarizing the compliance status of the retrieved frameworks. | + | Create Insight | boolean | Yes | If enabled, creates a case insight containing + the compliance information. | - | Max Frameworks To Return | Integer | No | The maximum number of frameworks to - include in the results. Default is 50. | + | Max Frameworks To Return | string | No | The maximum number of frameworks to + return. Defaults to 50. | ### Flow Description - 1. **Parameter Extraction:** Retrieves the API configuration and action parameters, - including framework names and result limits. - - 2. **API Request:** Connects to the Orca Security API and queries the compliance - overview endpoint for each specified framework. - - 3. **Data Processing:** Parses the response into structured framework objects - containing scores and test results. - - 4. **Insight Generation:** If enabled, constructs an HTML-formatted insight and - attaches it to the case. + 1. **Initialization**: Extracts configuration parameters (API Root, Key, Token, + SSL) and action parameters. - 5. **Output:** Populates a data table named "Compliance Details" and provides - the raw JSON results for downstream playbook use. + 2. **Data Retrieval**: Initializes the `OrcaSecurityManager` and calls the Orca + Security API to fetch compliance framework details based on the provided filters. + 3. **Insight Generation**: If `Create Insight` is enabled, generates a case insight + containing the retrieved compliance data. - ### Additional Notes - - - If specific framework names are provided but none are found in Orca Security, - the action will fail. - - - This action does not process specific entities from the case; it retrieves organizational-level - compliance data. + 4. **Output**: Adds the compliance details to a data table and returns the results + in JSON format. capabilities: can_create_case_comments: false can_create_insight: true @@ -309,10 +311,18 @@ Get Compliance Info: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action creates a case insight and adds a data table to the case containing - compliance details. + Creates a case insight containing compliance information. + reasoning: >- + The action fetches compliance data from the Orca Security API (fetches_data=true). + It does not perform any operations that change the state of the external system + (can_mutate_external_data=false). It creates a case insight within the SOAR + platform (can_create_insight=true), which constitutes an internal mutation. categories: enrichment: true + reasoning: >- + The action fetches data from an external source (Orca Security) and does not + mutate external systems. It creates a case insight, which is an allowed internal + mutation for enrichment actions. Therefore, it qualifies as an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -328,6 +338,9 @@ Get Compliance Info: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or process any entities from the SOAR platform. + It operates globally based on the provided parameters. Get Vulnerability Details: action_product_categories: add_alert_comment: false @@ -339,10 +352,14 @@ Get Vulnerability Details: disable_identity: false download_file: false enable_identity: false - enrich_asset: false + enrich_asset: true enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves vulnerability details (CVEs) and associated asset information + from Orca Security. This aligns with 'Enrich IOC' (as CVEs are indicators of + vulnerability) and 'Enrich Asset' (as it returns asset metadata). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -360,67 +377,57 @@ Get Vulnerability Details: ai_description: >- ### General Description - The **Get Vulnerability Details** action retrieves comprehensive information about - specific vulnerabilities (CVEs) from Orca Security. It allows analysts to enrich - a list of CVE IDs with data such as descriptions, fix availability, affected assets, - and severity levels. + Retrieves detailed vulnerability information from Orca Security for a specified + list of CVE IDs. This action allows analysts to gather context on vulnerabilities, + including affected assets and severity, and optionally generates case insights + for further investigation. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Parameter Extraction**: The action extracts the provided CVE IDs, output + format preferences, and configuration settings. - | :--- | :--- | :--- | :--- | + 2. **Initialization**: Initializes the Orca Security Manager to establish a connection + with the Orca Security API. - | **CVE IDs** | String | Yes | A comma-separated list of CVE identifiers (e.g., - CVE-2021-44228) to be enriched. | + 3. **Data Retrieval**: Iterates through the provided CVE IDs and queries the Orca + Security API to fetch vulnerability details, including affected assets and severity + scores. - | **Fields To Return** | String | No | A comma-separated list of specific fields - to include in the output. If left empty, all available fields are returned. | + 4. **Insight Generation**: If the 'Create Insight' parameter is enabled, the action + generates a case insight for each enriched vulnerability, summarizing the severity + and affected assets. - | **Output** | DDL | No | Determines the output format. Options are `JSON` (returns - data in the action result) or `CSV` (creates a file and returns the path). | + 5. **Result Formatting**: Formats the retrieved data into the requested output + format (JSON or CSV) and adds it to the action results, including a data table + for easy viewing. - | **Create Insight** | Boolean | No | If enabled (true), the action will generate - a General Insight in the case for every successfully enriched vulnerability. | - | **Max Assets To Return** | String | No | The maximum number of assets associated - with the CVE to retrieve. Default is 50, maximum is 10,000. | + ### Parameters Description + | Parameter | Type | Mandatory | Description | - ### Flow Description + | :--- | :--- | :--- | :--- | - 1. **Parameter Extraction:** The action retrieves the CVE IDs, output preferences, - and insight configuration from the user input. + | CVE IDs | string | Yes | A comma-separated list of CVEs to enrich. | - 2. **Validation:** It validates that the `Max Assets To Return` is a positive - integer within the allowed limit (10,000). + | Fields To Return | string | No | A comma-separated list of specific fields to + return in the output. | - 3. **API Interaction:** For each provided CVE ID, the action queries the Orca - Security API using the `VulnerabilityQueryBuilder` to fetch vulnerability and - asset data. + | Output | ddl | No | The format of the output: 'JSON' or 'CSV'. | - 4. **Data Processing:** - * If `Fields To Return` is specified, the results are filtered to include - only those keys. - * The action flattens the data for CSV/Table compatibility. - 5. **Internal Updates:** - * If `Create Insight` is true, a General Insight is created for the case, - summarizing the CVE's severity, description, and affected assets. - * A data table named "Vulnerability Details" is added to the case containing - the enrichment data. - 6. **Final Output:** The action returns the results in the selected format (JSON - or CSV path) and provides a summary message of successful and failed enrichments. + | Create Insight | boolean | No | If enabled, creates a case insight for every + enriched vulnerability. | + | Max Assets To Return | string | No | The maximum number of assets related to + the CVE to return (Default: 50, Max: 10000). | - ### Additional Notes - * This action does not run on entities; it processes the CVE IDs provided in the - input parameter. + ### Additional Notes - * The action is classified as non-enrichment because it modifies the case by adding - a data table, which falls outside the strict "Read-Only/Insight/Comment/Entity - Update" definition. + - The action does not operate on specific entities from the case; it relies entirely + on the 'CVE IDs' input parameter. capabilities: can_create_case_comments: false can_create_insight: true @@ -431,10 +438,17 @@ Get Vulnerability Details: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Creates case insights for each enriched vulnerability and adds a data table - named 'Vulnerability Details' to the case. + Creates case insights for enriched vulnerabilities. + reasoning: >- + The action fetches vulnerability data from an external API (Orca Security). + It does not mutate external systems. It creates internal case insights based + on the retrieved data, which constitutes an internal mutation. categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches data from an external source (Orca Security) and creates + insights within the SOAR platform. It does not mutate external systems or perform + unauthorized internal mutations. It qualifies as an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -450,6 +464,9 @@ Get Vulnerability Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on `siemplify.target_entities`. It takes CVE IDs + as a direct input parameter. Ping: action_product_categories: add_alert_comment: false @@ -465,6 +482,10 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test ('Ping') and does not perform any of the defined + product category operations such as enrichment, ticketing, containment, or alert + management. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -480,16 +501,12 @@ Ping: update_identity: false update_ticket: false ai_description: >- - ### General Description - - Tests the connectivity to the Orca Security API using the provided configuration - parameters. This action ensures that the API Root, authentication credentials - (API Key or Token), and SSL settings are correctly configured and that the Google - SecOps platform can communicate with the Orca Security environment. - + Tests connectivity to the Orca Security API to ensure the integration is configured + correctly. This action validates the provided credentials and API root by performing + a test request to the Orca Security server. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | @@ -497,39 +514,30 @@ Ping: | API Root | String | Yes | The base URL of the Orca Security API. | - | API Key | String | No | The API key for authentication. Used if API Token is - not provided. | - - | API Token | String | No | The API token for authentication. This is the preferred - authentication method. | - - | Verify SSL | Boolean | No | If enabled, the action will verify the SSL certificate - of the API server. | + | API Key | String | No | The API key for authentication (used if token is not + provided). | + | API Token | String | No | The API token for authentication (preferred method). + | - ### Additional Notes - - * Either the **API Key** or the **API Token** must be configured for the integration - to authenticate successfully. - - * The action performs a small query (fetching one vulnerability) to verify that - the credentials have the necessary permissions. + | Verify SSL | Boolean | No | Whether to validate the SSL certificate of the API + root. | ### Flow Description - 1. **Parameter Extraction**: Retrieves the API Root, API Key, API Token, and SSL - verification settings from the integration configuration. + 1. The action extracts the configuration parameters (API Root, API Key, API Token, + Verify SSL) from the integration settings. - 2. **Manager Initialization**: Initializes the Orca Security API manager with - the extracted credentials. + 2. It initializes the `OrcaSecurityManager` with the provided credentials and + SSL verification setting. - 3. **Connectivity Test**: Executes a `test_connectivity` call, which sends a POST - request to the vulnerability details endpoint with a limit of 1. + 3. The action calls the `test_connectivity` method, which performs a test API + request to the Orca Security server. - 4. **Result Reporting**: If the request is successful, the action completes with - a success message. If an exception occurs (e.g., authentication failure, network - timeout), the action fails and reports the error. + 4. If the request is successful, the action returns a success message. If the + request fails, it catches the exception and returns a failure message with the + error details. capabilities: can_create_case_comments: false can_create_insight: false @@ -540,8 +548,15 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity test by making an API call to the Orca Security + server. It does not modify external or internal data, nor does it update entities, + create insights, or modify alert data. categories: enrichment: false + reasoning: >- + The action is named 'Ping', which is explicitly excluded from being categorized + as an enrichment action per the provided instructions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -557,6 +572,8 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with or process any entities. Scan Assets: action_product_categories: add_alert_comment: false @@ -572,6 +589,9 @@ Scan Assets: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action triggers a scan in Orca Security. This does not match any of the + provided categories (e.g., Enrich IOC, Contain Host, etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -589,11 +609,9 @@ Scan Assets: ai_description: >- ### General Description - The **Scan Assets** action initiates and monitors security scans for a specified - list of asset IDs within the Orca Security platform. This action operates asynchronously, - meaning it triggers the scans and then periodically checks their status until - they are completed or a timeout occurs. It is designed to provide visibility into - the security posture of specific cloud assets on demand. + This action triggers a security scan for specified assets in Orca Security. It + is designed to run asynchronously, allowing the action to initiate scans and poll + for their completion status over multiple runs. ### Parameters Description @@ -602,41 +620,31 @@ Scan Assets: | :--- | :--- | :--- | :--- | - | **Asset IDs** | String | Yes | A comma-separated list of unique identifiers - for the assets you wish to scan. | + | Asset IDs | string | Yes | A comma-separated list of asset IDs for which you + want to initiate a scan. | - ### Flow Description - - 1. **Initialization**: The action extracts the provided Asset IDs from the parameters - and initializes the Orca Security manager using the integration's configuration - (API Root, API Key/Token). + ### Additional Notes - 2. **Scan Initiation**: During the first run, the action iterates through the - provided Asset IDs and sends a request to the Orca Security API to start a new - scan for each asset. It records the resulting scan IDs. + This action is asynchronous. Please adjust the script timeout value in the Siemplify + IDE as needed to accommodate the time required for the scans to complete. - 3. **Status Monitoring**: The action enters an asynchronous state. In subsequent - runs, it checks the status of each pending scan using the scan IDs obtained in - the previous step. - 4. **Data Retrieval**: Once a scan reaches the 'done' status, the action retrieves - the raw scan data from Orca Security. + ### Flow Description - 5. **Completion**: After all scans are finished, the action aggregates the results, - adds the raw scan data to the action's JSON results, and provides a summary message - of successful and failed scans. If the process approaches the global timeout, - it will exit gracefully with a list of pending assets. + 1. The action extracts the `Asset IDs` from the input parameters. + 2. It initializes the `OrcaSecurityManager` to interact with the Orca Security + API. - ### Additional Notes + 3. If it is the first run, the action calls `start_scan` for each provided asset + ID and tracks them as pending. - * This action is **asynchronous**. Users should ensure that the script timeout - in the Google SecOps IDE is configured appropriately to allow enough time for - the scans to complete in the external system. + 4. If it is a subsequent run (asynchronous), the action checks the status of the + pending scans. - * If a scan is already running for a specific asset in Orca Security, the action - will automatically track that existing scan instead of failing. + 5. Once a scan is completed, the action adds the result JSON to the action output + and reports the status of all scanned assets. capabilities: can_create_case_comments: false can_create_insight: false @@ -645,12 +653,20 @@ Scan Assets: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Initiates a security scan for the specified asset IDs in Orca Security via a - POST request to the scan endpoint. + Triggers a security scan in Orca Security, which changes the state of the external + system. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action triggers a scan in an external system (Orca Security) via a POST + request, which constitutes a mutation of external data. It also fetches the + status of these scans via GET requests. It does not modify internal Google SecOps + data, update entities, create insights, or modify alert data. categories: enrichment: false + reasoning: >- + The action triggers a scan in an external system (Orca Security), which is a + mutation of external state. Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -666,6 +682,9 @@ Scan Assets: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on entities. It takes `Asset IDs` as a direct input + parameter and does not reference `siemplify.target_entities`. Update Alert: action_product_categories: add_alert_comment: false @@ -681,6 +700,10 @@ Update Alert: enrich_ioc: false execute_command_on_the_host: false get_alert_information: true + reasoning: >- + The action updates the status, snooze state, or verification status of an alert + in Orca Security, which matches the 'Update Alert' category. It also fetches + the updated alert data, matching 'Get Alert Information'. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -695,73 +718,29 @@ Update Alert: update_email: false update_identity: false update_ticket: false - ai_description: >- - ### General Description - - The **Update Alert** action allows analysts to modify the state of a specific - alert within the Orca Security platform. It supports updating the alert's status - (e.g., Open, In Progress, Close, Dismiss), managing its snooze state (Snooze or - Unsnooze), and initiating the alert verification process. This action is essential - for synchronizing incident response states between Google SecOps and Orca Security. - - - ### Parameters Description - - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **Alert ID** | String | Yes | The unique identifier of the alert in Orca Security - that needs to be updated. | - - | **Verify Alert** | Boolean | No | If enabled, the action will initiate the verification - process for the specified alert. | - - | **Snooze State** | DDL | No | Specifies the snooze state for the alert. Options - include `Snooze` or `Unsnooze`. | - - | **Snooze Days** | String | No | Specifies the duration (in days) for which the - alert should be snoozed. This is required if **Snooze State** is set to `Snooze`. - Defaults to 1 day if not provided. | - - | **Status** | DDL | No | The new status to assign to the alert. Options include - `Open`, `In Progress`, `Close`, and `Dismiss`. | - - - ### Additional Notes - - - At least one of the following parameters must be configured for the action to - execute: **Status**, **Verify Alert**, or **Snooze State**. - - - If **Snooze State** is set to `Unsnooze` and no **Status** is provided, the - action will automatically set the alert status to `Open`. - - - The action performs a final fetch of the alert data after updates to provide - the most current state in the results. - - - ### Flow Description - - 1. **Parameter Extraction:** The action retrieves the Alert ID and the desired - update parameters (Status, Snooze, Verification). - - 2. **Validation:** It ensures that at least one update operation is requested - and that snooze duration is provided if snoozing. - - 3. **Verification Update:** If requested, it calls the Orca Security API to initiate - the alert verification process. - - 4. **Snooze Update:** If a snooze state is specified, it updates the alert's snooze - settings accordingly. - - 5. **Status Update:** If a new status is provided (or implied by an unsnooze action), - it updates the alert's status in Orca Security. - - 6. **Data Retrieval:** The action fetches the latest details for the updated alert. - - 7. **Completion:** The updated alert data is returned as a JSON result, and the - action completes with a success message. + ai_description: "Updates an alert in Orca Security. This action allows users to\ + \ modify the status, snooze state, or verification status of a specific alert\ + \ within the Orca Security platform.\n\n### Flow Description\n1. **Initialization**:\ + \ Extracts configuration parameters (API credentials, SSL verification) and action\ + \ parameters (Alert ID, Verify Alert, Snooze State, Snooze Days, Status).\n2.\ + \ **Validation**: Ensures that at least one update operation (Verify, Snooze,\ + \ or Status change) is requested. If 'Snooze' is selected, it validates that 'Snooze\ + \ Days' is provided.\n3. **Execution**: \n - If 'Verify Alert' is enabled,\ + \ it calls the Orca Security API to verify the alert.\n - If 'Snooze State'\ + \ is set to 'Snooze', it calls the API to snooze the alert for the specified number\ + \ of days.\n - If 'Status' is provided, it updates the alert status in Orca\ + \ Security.\n4. **Data Retrieval**: Fetches the updated alert data from Orca Security.\n\ + 5. **Output**: Returns the updated alert data as a JSON result.\n\n### Parameters\n\ + | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ + | Alert ID | String | Yes | The unique identifier of the alert to be updated.\ + \ |\n| Verify Alert | Boolean | No | If enabled, initiates the verification process\ + \ for the alert. |\n| Snooze State | DDL | No | Specifies the snooze state for\ + \ the alert (Snooze/Unsnooze). |\n| Snooze Days | String | No | Number of days\ + \ to snooze the alert. Mandatory if 'Snooze State' is set to 'Snooze'. Defaults\ + \ to 1 day. |\n| Status | DDL | No | Specifies the new status to set for the alert\ + \ (Open, In Progress, Close, Dismiss). |\n\n### Additional Notes\nAt least one\ + \ of the following parameters must be configured for the action to run: 'Status',\ + \ 'Verify Alert', or 'Snooze State'." capabilities: can_create_case_comments: false can_create_insight: false @@ -770,12 +749,20 @@ Update Alert: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the status, snooze state, or verification status of an alert in Orca - Security via PUT requests. + Updates the alert status, snooze state, or verification status in the Orca Security + platform. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs PUT requests to update the status, snooze state, or verification + status of an alert in Orca Security (external mutation). It also fetches the + updated alert data (fetches data). It does not modify internal SOAR entities, + insights, or case comments. categories: enrichment: false + reasoning: >- + The action mutates external data (updates alert status/snooze), so it is not + an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -791,3 +778,6 @@ Update Alert: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action uses an 'Alert ID' parameter provided by the user to identify the + alert, rather than iterating over 'siemplify.target_entities'. diff --git a/content/response_integrations/third_party/partner/orca_security/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/partner/orca_security/resources/ai/connectors_ai_description.yaml index 90c8f6d87..b34256475 100644 --- a/content/response_integrations/third_party/partner/orca_security/resources/ai/connectors_ai_description.yaml +++ b/content/response_integrations/third_party/partner/orca_security/resources/ai/connectors_ai_description.yaml @@ -2,12 +2,12 @@ Orca Security - Alerts Connector: ai_description: >- ### General Description - The Orca Security Alerts Connector fetches security findings and alerts from the - Orca Security platform and ingests them into Google SecOps as cases. It provides - comprehensive visibility into cloud risks, including vulnerabilities, misconfigurations, - and compromised assets, by querying Orca's serving layer API. The connector supports - advanced filtering by severity, Orca score, and categories to ensure only relevant - security data is ingested. + This connector integrates with Orca Security to ingest security alerts into Google + SecOps. It enables automated monitoring of security findings by fetching alerts + from the Orca Security platform, allowing users to apply granular filters such + as severity, category, alert type, and Orca score to ensure only relevant data + is ingested. The connector supports authentication via API Key or Token and provides + options for proxy configuration and environment mapping. ### Parameters Description @@ -16,70 +16,75 @@ Orca Security - Alerts Connector: | :--- | :--- | :--- | :--- | + | API Root | String | Yes | The base URL of the Orca Security instance. | + + | API Key | Password | No | API Key for authentication. Used if API Token is not + provided. | + + | API Token | Password | No | API Token for authentication. Preferred over API + Key. | + | DeviceProductField | String | Yes | The source field name used to retrieve the Product Field name. | | EventClassId | String | Yes | The source field name used to retrieve the Event Field name. | - | API Root | String | Yes | The API root URL of your Orca Security instance (e.g., - https://.orcasecurity.io). | + | Category Filter | String | No | Comma-separated list of category names to filter + ingested alerts. | - | API Key | Password | No | API Key for authentication. If both Key and Token - are provided, the Token is used. | + | Alert Type Filter | String | No | Specific alert types to ingest (e.g., aws_s3_bucket_accessible_to_unmonitored_account). + | - | API Token | Password | No | API Token for authentication. This is the preferred - authentication method. | + | Lowest Severity To Fetch | String | No | Minimum severity level to fetch (Compromised, + Imminent compromise, Hazardous, Informational). | - | Verify SSL | Boolean | Yes | If enabled, verifies the SSL certificate for the - connection to the Orca Security server. | + | Lowest Orca Score To Fetch | String | No | Minimum Orca score (1-10) to filter + alerts. | - | Category Filter | String | No | A comma-separated list of category names to - include during ingestion (case-sensitive). | + | Max Hours Backwards | Integer | No | Time range in hours to fetch alerts from + during the initial run or after expiration. | - | Alert Type Filter | String | No | Specific alert types to fetch (e.g., aws_s3_bucket_accessible_to_unmonitored_account). - | + | Max Alerts To Fetch | Integer | No | Maximum number of alerts to process per + connector iteration. | - | Lowest Severity To Fetch | String | No | The minimum severity level to ingest - (Compromised, Imminent compromise, Hazardous, Informational). | + | Use dynamic list as a blacklist | Boolean | Yes | If enabled, uses dynamic lists + as a blacklist for alert titles. | - | Lowest Orca Score To Fetch | String | No | The minimum Orca Score (1-10) required - for an alert to be ingested. | + | Verify SSL | Boolean | Yes | Whether to verify the SSL certificate of the Orca + Security server. | - | Max Hours Backwards | Integer | No | The number of hours to look back for alerts - during the initial run or as a fallback. | + | PythonProcessTimeout | Integer | Yes | Timeout limit in seconds for the connector + script execution. | - | Max Alerts To Fetch | Integer | No | The maximum number of alerts to process - in a single connector iteration (default: 100). | + | Environment Field Name | String | No | Field name where the environment name + is stored. | - | Use dynamic list as a blacklist | Boolean | Yes | If enabled, the SOAR dynamic - list will be used to exclude alerts based on their title. | + | Environment Regex Pattern | String | No | Regex pattern to manipulate the environment + field value. | + | Proxy Server Address | String | No | Address of the proxy server. | - ### Flow Description + | Proxy Username | String | No | Username for proxy authentication. | + + | Proxy Password | Password | No | Password for proxy authentication. | - 1. **Authentication**: The connector initializes a session with Orca Security - using either an API Token (Header-based) or an API Key (Cookie-based via a login - request). - 2. **Time Management**: It calculates the fetch window by checking the last successful - execution timestamp or falling back to the 'Max Hours Backwards' setting. + ### Flow Description + + 1. **Authentication**: Connects to the Orca Security API using the provided API + Key or Token and verifies the connection. - 3. **Query Construction**: An alert query is built using the `AlertQueryBuilder`, - incorporating user-defined filters for severity, Orca score, categories, and alert - types. + 2. **Querying**: Fetches alerts from the Orca Security API, applying filters for + severity, score, category, and alert type as configured. - 4. **Data Retrieval**: The connector sends a POST request to the Orca Serving - Layer API to retrieve matching alerts. + 3. **Deduplication**: Filters out alerts that have already been processed by checking + against a local state file of alert IDs. - 5. **Deduplication & Filtering**: It filters out previously ingested alerts using - a local ID cache and applies dynamic list logic (whitelist or blacklist) against - the alert titles. + 4. **Mapping**: Maps the retrieved alert data into the standard Google SecOps + case format, applying environment and product field mappings. - 6. **Case Mapping**: Each valid alert is transformed into a Google SecOps `AlertInfo` - object. The raw alert data is attached as an event, and environment/product fields - are mapped based on configuration. + 5. **Ingestion**: Creates cases in Google SecOps for the filtered, new alerts. - 7. **Ingestion & State Persistence**: The connector ingests the alerts into the - SOAR platform, updates the last run timestamp, and saves the IDs of processed - alerts to prevent duplicates in future cycles. + 6. **State Management**: Updates the last success timestamp and saves the list + of processed alert IDs to ensure subsequent runs only fetch new data. diff --git a/content/response_integrations/third_party/partner/orca_security/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/orca_security/resources/ai/integration_ai_description.yaml index 15ef5e595..aaa40cb7e 100644 --- a/content/response_integrations/third_party/partner/orca_security/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/partner/orca_security/resources/ai/integration_ai_description.yaml @@ -7,6 +7,17 @@ product_categories: iam_and_identity_management: false itsm: false network_security: false - siem: false + reasoning: >- + The Orca Security integration is a cloud-native security platform. It qualifies + as Cloud Security because it provides visibility into cloud configurations, workloads, + and findings across cloud environments (GCP/AWS/Azure). It qualifies as Vulnerability + Management as it retrieves vulnerability details (CVEs) and compliance framework + information. It qualifies as Asset Inventory because it fetches detailed asset + metadata and configuration states. Finally, it qualifies as SIEM because the provided + connector ingests security alerts from the Orca platform into Google SecOps, enabling + centralized monitoring and alert management. It does not perform EDR (process-level + activity), Network Security (blocking at gateway), Email Security, IAM management, + ITSM, or Collaboration functions. + siem: true threat_intelligence: false vulnerability_management: true diff --git a/content/response_integrations/third_party/partner/recorded_future_intelligence/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/recorded_future_intelligence/resources/ai/actions_ai_description.yaml index ad9813198..87736cb06 100644 --- a/content/response_integrations/third_party/partner/recorded_future_intelligence/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/recorded_future_intelligence/resources/ai/actions_ai_description.yaml @@ -13,6 +13,10 @@ Add Analyst Note: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action creates an analyst note in an external system (Recorded Future). + It does not match any of the provided categories, such as enriching IOCs, updating + alerts, or performing containment actions. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -30,56 +34,44 @@ Add Analyst Note: ai_description: >- ### General Description - The **Add Analyst Note** action allows analysts to publish a custom note directly - to the Recorded Future platform. This is useful for documenting findings, sharing - intelligence, or tagging specific indicators within the Recorded Future ecosystem. - The action automatically collects the identifiers of all entities present in the - current Google SecOps case and appends them to the note text, ensuring that the - context of the investigation is preserved in the external record. + This action creates an analyst note within the Recorded Future platform. It aggregates + the identifiers of all entities currently present in the case and appends them + to the provided note text, ensuring that the analyst note is contextually linked + to the relevant entities. This facilitates better documentation and threat intelligence + sharing within the Recorded Future ecosystem. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Note Title** | String | Yes | The title of the analyst note to be created - in Recorded Future. | - - | **Note Text** | String | Yes | The main content or body of the note. The action - will automatically append a list of case entities to this text. | + | Note Title | string | Yes | The title for the analyst note. | - | **Topic** | DDL | No | An optional category for the note, such as 'Malware/Tool - Profile', 'Actor Profile', or 'Indicator'. Defaults to 'None'. | + | Note Text | string | Yes | The main content/body of the analyst note. | - - ### Additional Notes - - - This action does not modify any data within Google SecOps; it only creates a - record in the external Recorded Future system. - - - The resulting `note_id` from Recorded Future is returned as the action's output. + | Topic | ddl | No | The specific topic or category for the note (e.g., Actor + Profile, Malware/Tool Profile). | ### Flow Description - 1. **Parameter Extraction**: The action retrieves the API credentials from the - integration configuration and the note details (Title, Text, Topic) from the action - parameters. + 1. **Parameter Extraction**: The action retrieves the `Note Title`, `Note Text`, + and `Topic` from the action parameters. - 2. **Entity Collection**: It iterates through all entities associated with the - current case and compiles their identifiers into a formatted string. + 2. **Entity Collection**: It iterates through all `target_entities` provided in + the case and collects their identifiers. - 3. **Text Augmentation**: The list of collected entity identifiers is appended - to the user-provided `Note Text` to provide context for the note in Recorded Future. + 3. **Text Preparation**: The collected entity identifiers are appended to the + `Note Text` to provide context. - 4. **External API Call**: The action uses the Recorded Future Manager to send - a request to the Recorded Future API to publish the note with the specified title, - augmented text, and topic. + 4. **API Interaction**: The action initializes the `RecordedFutureManager` and + calls the `get_analyst_notes` method to create the note in the Recorded Future + platform. - 5. **Result Handling**: Upon success, the action returns the unique ID of the - created note (`note_id`) and completes the execution. + 5. **Result**: The action returns the `note_id` of the created note and completes + the execution. capabilities: can_create_case_comments: false can_create_insight: false @@ -88,48 +80,26 @@ Add Analyst Note: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new Analyst Note record in the Recorded Future platform. + Creates a new analyst note in the Recorded Future platform. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the Recorded Future API to create an analyst + note (mutating external data). It does not fetch data for enrichment, nor does + it modify any internal Google SecOps case data, entities, or alert statuses. categories: enrichment: false + reasoning: >- + The action is designed to create data in an external system (Recorded Future) + rather than retrieving or enriching data. It does not meet the criteria for + an enrichment action. entity_usage: entity_types: - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT + - DestinationURL - FILEHASH - - FILENAME - - GENERICENTITY - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -143,6 +113,10 @@ Add Analyst Note: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action processes all entities provided in `siemplify.target_entities` to + extract their identifiers for the note content. It does not apply any filtering + logic based on entity properties. Detonate File: action_product_categories: add_alert_comment: false @@ -158,6 +132,9 @@ Detonate File: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action submits a file to a sandbox for detonation and returns the analysis + report. This directly matches the 'Submit File' category. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -173,62 +150,46 @@ Detonate File: update_identity: false update_ticket: false ai_description: >- - Submits a file to the Recorded Future Sandbox (Triage) for detonation and behavioral - analysis. This action is designed to handle file samples asynchronously, allowing - the sandbox to complete its analysis before retrieving the results. It supports - fetching files from either a local file system or a Google Cloud Platform (GCP) - bucket. Once the analysis is complete, the action retrieves a comprehensive report, - including threat scores, signatures, and network flows, and attaches this information - as a case insight within Google SecOps. - - - ### Flow Description - - 1. **File Retrieval**: The action identifies the file source (GCP Bucket or Local - File System) and retrieves the file content using the provided path. - - 2. **Submission**: The file is uploaded to the Recorded Future Sandbox API along - with optional parameters like a specific analysis profile or an archive password. + ### General Description - 3. **Polling**: As an asynchronous action, it enters an 'In Progress' state, periodically - checking the status of the submission until the sandbox reports that the analysis - is finished. + Submits a file to the Recorded Future Sandbox for detonation and analysis. This + action allows analysts to upload files from either a Google Cloud Storage (GCP) + bucket or the local file system to the Recorded Future Sandbox, enabling automated + malware analysis and threat intelligence gathering. - 4. **Report Generation**: Upon completion, the action fetches the overview report - from the sandbox. - 5. **Enrichment & Insights**: The action processes the report data to create a - detailed HTML insight in the SecOps case, providing visibility into the file's - behavior and risk score. + ### Parameters + | Parameter | Type | Mandatory | Description | - ### Parameters Description + | :--- | :--- | :--- | :--- | + | File Path | string | Yes | The path to the file to be analyzed. | - | Parameter | Type | Mandatory | Description | + | File Source | ddl | Yes | The source of the file. Options: 'GCP Bucket', 'Local + File System'. | - | :--- | :--- | :--- | :--- | + | Profile | string | No | The Sandbox profile to use for analysis. | - | File Path | string | Yes | The specific path or identifier of the file to be - detonated. | + | Password | string | No | Password for the archive sample, if applicable. | - | File Source | ddl | Yes | Defines where to pull the file from. Options are 'GCP - Bucket' (default) or 'Local File System'. | - | Profile | string | No | The specific Recorded Future Sandbox profile to use - for the analysis. | + ### Flow Description - | Password | string | No | The password required to extract the file if it is - a protected archive. | + 1. **Initialization**: Extracts configuration parameters (API URL, API Key) and + action inputs. + 2. **File Retrieval**: Retrieves the file from the specified source (GCP Bucket + or Local File System). - ### Additional Notes + 3. **Submission**: Submits the file to the Recorded Future Sandbox for detonation. - - This action is asynchronous and may require multiple execution cycles depending - on the sandbox analysis time. + 4. **Asynchronous Polling**: Since the action is asynchronous, it polls the sandbox + for the analysis status. - - If the action times out, it will list the pending files that were still being - processed. + 5. **Result Processing**: Once the analysis is complete, it retrieves the sandbox + report, generates case insights containing the analysis details, and returns the + final result. capabilities: can_create_case_comments: false can_create_insight: true @@ -237,16 +198,25 @@ Detonate File: can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: >- - Submits a new file sample to the Recorded Future Sandbox for detonation and - analysis, which creates a new analysis record in the external system. + Submits a file to the Recorded Future Sandbox, which creates a new analysis + job in the external system. fetches_data: true internal_data_mutation_explanation: >- - Creates case insights within Google SecOps to display the results of the sandbox - detonation report. + Creates case insights containing the sandbox analysis results. + reasoning: >- + The action submits a file to an external sandbox (mutating external state by + creating a new analysis job) and fetches the resulting analysis report (fetches + data). It also creates case insights within the SOAR platform (mutating internal + data). categories: enrichment: false + reasoning: >- + While the action retrieves analysis data, it is primarily a 'Submit File' action + that creates a new analysis job in an external system (Recorded Future Sandbox). + Therefore, it does not meet the 'Read-Only' criteria for an Enrichment action. entity_usage: - entity_types: [] + entity_types: + - FILEHASH filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -260,6 +230,8 @@ Detonate File: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action is configured in the simulation data to operate on FILEHASH entities. Detonate URL: action_product_categories: add_alert_comment: false @@ -275,6 +247,11 @@ Detonate URL: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action submits a URL to a sandbox for detonation and retrieves the report. + This aligns with the 'Submit File' category, which covers sandbox submission + of samples, including URLs. It does not perform standard enrichment, alert updates, + or containment. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -290,56 +267,42 @@ Detonate URL: update_identity: false update_ticket: false ai_description: >- - ### General Description - - Submits URL entities to the Recorded Future Sandbox for detonation and behavioral - analysis. This action is designed to provide deep visibility into the nature of - a URL by executing it in a controlled environment and observing its activities, - such as network connections, file modifications, and signature matches. It is - an asynchronous action that handles the submission and then polls the sandbox - until the analysis is complete. - - - ### Parameters Description + Submits a URL to the Recorded Future Sandbox for detonation and analysis. This + action automates the process of sending suspicious URLs to an external sandbox + environment to observe behavior and generate a threat report. - | Parameter | Type | Mandatory | Description | + ### Flow Description - | :--- | :--- | :--- | :--- | + 1. **Extraction**: The action extracts URL entities from the current case. - | Profile | String | No | Specifies the Sandbox profile to be used for the detonation. - If not provided, the default sandbox profile will be used. | + 2. **Submission**: Each URL is submitted to the Recorded Future Sandbox API for + analysis. + 3. **Monitoring**: The action monitors the status of the submission asynchronously. - ### Flow Description + 4. **Retrieval**: Once the analysis is complete, the action retrieves the detailed + detonation report. - 1. **Entity Extraction**: The action identifies all URL entities within the current - case scope. + 5. **Insight Generation**: The action generates a case insight containing the + detonation results, including risk scores, tags, and signature details. - 2. **Submission**: It submits each identified URL to the Recorded Future Sandbox - API using the provided (or default) profile. - 3. **Asynchronous Polling**: Since detonation takes time, the action enters an - 'In Progress' state. It periodically checks the status of the submitted samples. + ### Parameters - 4. **Report Retrieval**: Once the sandbox marks a sample as 'reported', the action - fetches the full overview report, including risk scores and behavioral signatures. + | Parameter | Type | Mandatory | Description | - 5. **Case Enrichment**: The action generates detailed case insights for each URL, - providing a summary of the detonation results (score, scan time, target details, - and IOCs). + | :--- | :--- | :--- | :--- | - 6. **Finalization**: Once all URLs are processed, it outputs the results as a - JSON object and populates a data table in the case wall. + | Profile | string | No | Specifies the Sandbox profile to use for the detonation. + | ### Additional Notes - - **Asynchronous Execution**: This action will remain in an 'In Progress' state - until the sandbox analysis is finished or a timeout occurs. - - - **Timeout Management**: If the analysis takes longer than the configured SOAR - timeout, the action will report a timeout error listing the pending URLs. + This action is asynchronous and will wait for the analysis to complete or until + the action times out. Ensure the action timeout is configured appropriately in + the SOAR platform to accommodate the sandbox analysis duration. capabilities: can_create_case_comments: false can_create_insight: true @@ -348,14 +311,21 @@ Detonate URL: can_mutate_internal_data: true can_update_entities: false external_data_mutation_explanation: >- - Submits a URL to the Recorded Future Sandbox, which creates a new analysis sample - record and initiates a detonation process in the external system. + Submits a URL to the Recorded Future Sandbox for detonation, which creates a + new analysis job in the external system. fetches_data: true internal_data_mutation_explanation: >- - Creates case insights containing the detonation report details and adds a results - data table to the case wall. + Creates case insights within the SOAR platform containing the detonation results. + reasoning: >- + The action submits a URL to an external sandbox (mutating external state by + creating an analysis job) and subsequently fetches the analysis report (fetches + data). It also creates case insights within the SOAR platform (internal mutation). categories: enrichment: false + reasoning: >- + The action is not an enrichment action because it mutates external state by + submitting a URL for detonation (creating an analysis job), which violates the + 'External State Preservation' rule for enrichment actions. entity_usage: entity_types: - DestinationURL @@ -372,6 +342,9 @@ Detonate URL: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and filters for entities + of type `URL` (mapped to `DestinationURL`). Enrich CVE: action_product_categories: add_alert_comment: false @@ -387,6 +360,10 @@ Enrich CVE: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves reputation and threat intelligence for a CVE, which aligns + with the 'Enrich IOC' category. It does not perform any containment, ticketing, + or alert management actions. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -401,77 +378,56 @@ Enrich CVE: update_email: false update_identity: false update_ticket: false - ai_description: >- - Enriches CVE entities using Recorded Future Intelligence. This action retrieves - comprehensive threat intelligence for vulnerabilities, including risk scores, - evidence details, and links to intelligence cards. It evaluates the risk based - on a user-defined threshold to mark entities as suspicious and contributes detection - data back to Recorded Future if Collective Insights is enabled. - - - ### Parameters Description - - - | Parameter | Type | Mandatory | Default | Description | - - | :--- | :--- | :--- | :--- | :--- | - - | Risk Score Threshold | String | True | 25 | Represents the minimum malicious - risk score (0-99) for a CVE to be marked suspicious. Levels: Very Critical (90-99), - Critical (80-89), High (65-79), Medium (25-64), Low (5-24), None (0). | - - | Include Links | Boolean | False | False | If enabled, the action retrieves information - about related links for the CVE. | - - | Enable Collective Insights | Boolean | False | True | If enabled, the action - contributes detection telemetry back to Recorded Future's Collective Insights - platform. | - - - ### Additional Notes - - - Collective Insights are only submitted if the global integration setting is - enabled and the alert reporting vendor is not Recorded Future. - - - The action updates the entity's suspicious status and adds enrichment data to - its additional properties. - - - ### Flow Description - - 1. **Initialization:** Extracts API credentials from the integration configuration - and user parameters (Threshold, Links, Collective Insights) from the action settings. - - 2. **Entity Filtering:** Identifies and processes only CVE entities present in - the current context. - - 3. **Data Retrieval:** Queries the Recorded Future API for each CVE to fetch risk - scores, evidence details, and intelligence card URLs. - - 4. **External Mutation:** If 'Enable Collective Insights' is active, it submits - detection data to Recorded Future. - - 5. **Risk Evaluation:** Compares the retrieved risk score against the 'Risk Score - Threshold'. If exceeded, the entity is marked as suspicious. - - 6. **Internal Updates:** Updates the entity's properties in Google SecOps, creates - detailed case insights, and adds data tables for risk rules and links. + ai_description: "### General Description\nThis action enriches CVE (Common Vulnerabilities\ + \ and Exposures) entities by querying the Recorded Future Intelligence platform.\ + \ It retrieves comprehensive threat intelligence, including risk scores, evidence\ + \ details, and optional links. The action evaluates the CVE's risk against a user-defined\ + \ threshold to determine if it should be marked as suspicious, subsequently updating\ + \ the entity's profile and generating a case insight if the threshold is exceeded.\n\ + \n### Parameters Description\n| Parameter | Type | Mandatory | Description |\n\ + | :--- | :--- | :--- | :--- |\n| Risk Score Threshold | string | Yes | The minimum\ + \ malicious risk score (0-99) for a CVE to be marked as suspicious. |\n| Include\ + \ Links | boolean | No | If enabled, the action retrieves additional links related\ + \ to the CVE. |\n| Enable Collective Insights | boolean | No | If enabled, contributes\ + \ detection data back to Recorded Future. |\n\n### Additional Notes\n- The action\ + \ requires a valid Recorded Future API configuration.\n- Collective Insights submission\ + \ is conditional based on both the action parameter and global configuration settings.\n\ + \n### Flow Description\n1. **Initialization**: Extracts configuration parameters\ + \ (API URL, API Key) and action-specific parameters (Threshold, Include Links,\ + \ Collective Insights).\n2. **Processing**: Iterates through the provided CVE\ + \ entities.\n3. **Enrichment**: Queries the Recorded Future API for each CVE to\ + \ retrieve risk data and intelligence.\n4. **Evaluation**: Compares the retrieved\ + \ risk score against the configured threshold.\n5. **Internal Update**: \n \ + \ - Updates the entity's `additional_properties` with enrichment data.\n -\ + \ Sets the entity's `is_enriched` status to true.\n - If the score exceeds\ + \ the threshold, marks the entity as `is_suspicious` and creates a case insight.\n\ + 6. **Finalization**: Updates the entities in the SecOps platform and returns the\ + \ results." capabilities: can_create_case_comments: false can_create_insight: true can_modify_alert_data: false - can_mutate_external_data: true + can_mutate_external_data: false can_mutate_internal_data: true can_update_entities: true - external_data_mutation_explanation: >- - If 'Enable Collective Insights' is enabled, the action submits detection telemetry - and incident metadata to Recorded Future's Collective Insights platform. + external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity attributes such as suspicious status and additional properties, - and creates case insights containing threat intelligence summaries. + Updates entity attributes (is_enriched, is_suspicious, additional_properties) + and creates case insights. + reasoning: >- + The action fetches threat intelligence data from the Recorded Future API (fetches_data=true). + It does not perform any actions that change the state of external systems (can_mutate_external_data=false). + It performs internal mutations by updating entity attributes (is_enriched, is_suspicious, + additional_properties) and creating case insights (can_mutate_internal_data=true). + It does not modify alert data or create case comments. categories: - enrichment: false + enrichment: true + reasoning: >- + The action is designed to fetch threat intelligence for CVE entities. It does + not mutate external systems. It performs allowed internal mutations (updating + entities and creating insights). Therefore, it meets the criteria for an enrichment + action. entity_usage: entity_types: - CVE @@ -488,6 +444,9 @@ Enrich CVE: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and explicitly filters for + entities where `entity.entity_type` is `EntityTypes.CVE`. Enrich Hash: action_product_categories: add_alert_comment: false @@ -503,6 +462,10 @@ Enrich Hash: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves reputation and threat intelligence for a file hash (IOC) + from Recorded Future. This directly matches the 'Enrich IOC' category. It does + not perform any other actions like ticket creation, containment, or alert modification. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -518,12 +481,13 @@ Enrich Hash: update_identity: false update_ticket: false ai_description: >- - Enriches File Hash entities using Recorded Future Intelligence. This action retrieves - comprehensive threat intelligence, including risk scores, evidence details, and - related entity links. It evaluates the risk based on a user-defined threshold, - updates the entity's suspicious status, and generates detailed case insights and - data tables. Additionally, it can optionally contribute detection telemetry back - to Recorded Future's Collective Insights system. + ### General Description + + This action enriches File Hash entities by querying the Recorded Future intelligence + platform. It retrieves threat intelligence, including risk scores, triggered risk + rules, and associated links. Based on the configured risk threshold, the action + updates the entity's suspicious status and generates a case insight if the hash + is deemed risky. ### Parameters @@ -532,49 +496,62 @@ Enrich Hash: | :--- | :--- | :--- | :--- | - | Risk Score Threshold | String | Yes | Represents the minimum malicious risk - score (0-89) for a Hash to be marked malicious. | + | Risk Score Threshold | string | Yes | The minimum malicious risk score (0-89) + for a Hash to be marked as suspicious. Default is 25. | - | Include Links | Boolean | No | If enabled, the action retrieves information - about related links. | + | Include Links | boolean | No | If enabled, the action retrieves additional links + related to the hash. Default is false. | - | Enable Collective Insights | Boolean | No | If enabled, contributes detection - telemetry back to Recorded Future. | + | Enable Collective Insights | boolean | No | If enabled, contributes detection + data back to Recorded Future. Default is true. | ### Flow Description - 1. **Initialization:** Extracts API configuration (URL, Key, SSL) and action parameters. + 1. **Initialization**: Extracts API configuration (URL, Key, SSL verification) + and action parameters (Threshold, Include Links, Collective Insights). + + 2. **Entity Processing**: Iterates through the `target_entities` provided in the + case, filtering specifically for `FILEHASH` entities. - 2. **Entity Identification:** Filters the case for `FILEHASH` entities. + 3. **Intelligence Retrieval**: Queries the Recorded Future API for each valid + hash to obtain risk scores, evidence details, and optional links. - 3. **Intelligence Retrieval:** Queries Recorded Future for each hash to fetch - risk scores, evidence, and optional links. + 4. **Data Enrichment**: Updates the entity's `additional_properties` with the + retrieved intelligence data and sets the `is_enriched` flag. - 4. **Telemetry Submission:** If 'Enable Collective Insights' is active, submits - detection data to Recorded Future. + 5. **Risk Assessment**: Compares the retrieved risk score against the `Risk Score + Threshold`. If the score exceeds the threshold, the entity is marked as `is_suspicious`. - 5. **Risk Evaluation:** Compares the hash's risk score against the 'Risk Score - Threshold'. + 6. **Insight Generation**: If the hash is marked as suspicious, a case insight + is created containing the risk details and evidence. - 6. **Internal Enrichment:** Updates entity properties, marks entities as suspicious - if they exceed the threshold, and creates case insights with the analysis results. + 7. **Result Reporting**: Adds data tables (Overview, Risk Rules, Links) to the + action results and updates the entities in the SOAR platform. capabilities: can_create_case_comments: false can_create_insight: true can_modify_alert_data: false - can_mutate_external_data: true + can_mutate_external_data: false can_mutate_internal_data: true can_update_entities: true - external_data_mutation_explanation: >- - If 'Enable Collective Insights' is enabled, the action submits detection telemetry - to Recorded Future's Collective Insights platform. + external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity attributes (additional properties, suspicious status, enriched - status) and creates case insights. + Updates entity attributes (is_suspicious, is_enriched, additional_properties) + and creates case insights. + reasoning: >- + The action fetches threat intelligence from the Recorded Future API (fetches_data=true). + It does not perform any actions that change the state of external systems (can_mutate_external_data=false). + It performs internal mutations by updating entity attributes and creating case + insights (can_mutate_internal_data=true, can_update_entities=true, can_create_insight=true). + It does not modify alert data or create case comments. categories: - enrichment: false + enrichment: true + reasoning: >- + The action is an enrichment action because it fetches data from an external + source (Recorded Future), does not mutate external systems, and only performs + allowed internal mutations (updating entities and creating insights). entity_usage: entity_types: - FILEHASH @@ -591,6 +568,10 @@ Enrich Hash: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and filters them using `if + entity.entity_type in entity_types`, where `entity_types` is defined as `[EntityTypes.FILEHASH]`. + No other filters are applied. Enrich Host: action_product_categories: add_alert_comment: false @@ -606,6 +587,10 @@ Enrich Host: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action fetches threat intelligence for Host and Domain entities, which matches + the 'Enrich IOC' category. It does not perform any containment, ticketing, or + other actions. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -621,12 +606,13 @@ Enrich Host: update_identity: false update_ticket: false ai_description: >- - Enriches Hostname and Domain entities using Recorded Future Intelligence. This - action retrieves comprehensive threat intelligence, including risk scores, triggered - risk rules, and related links. It evaluates the risk based on a user-defined threshold, - updates the entity's suspicious status within Google SecOps, and generates detailed - case insights and data tables for analyst review. Additionally, it can optionally - contribute detection telemetry back to Recorded Future's Collective Insights platform. + ### General Description + + This action queries Recorded Future to retrieve threat intelligence for Host and + Domain entities. It enriches the entities with risk scores, risk strings, and + other relevant intelligence data. If the retrieved risk score exceeds the configured + threshold, the action marks the entity as suspicious and generates a case insight + with the detailed risk evidence. ### Parameters @@ -635,64 +621,70 @@ Enrich Host: | :--- | :--- | :--- | :--- | - | Risk Score Threshold | String | Yes | Represents the minimum malicious risk - score (0-99) for a Host to be marked malicious. | + | Risk Score Threshold | string | Yes | Represents the minimum malicious risk + score (0-99) for a Host to be marked as suspicious. | - | Include Links | Boolean | No | If enabled, the action will retrieve information + | Include Links | boolean | No | If enabled, the action retrieves information about related links. | - | Enable Collective Insights | Boolean | No | If enabled, the action contributes - detection telemetry back to Recorded Future. | + | Enable Collective Insights | boolean | No | If enabled, contributes detection + data back to Recorded Future. | - ### Flow Description + ### Additional Notes - 1. **Initialization**: Extracts API configuration and action parameters, including - the risk threshold and link inclusion settings. + - The action filters target entities to process only those of type `HOSTNAME` + or `DOMAIN`. - 2. **Entity Processing**: Filters the target entities to identify Hostnames and - Domains. + - Collective Insights submission is conditional based on global settings, action + parameters, and the reporting vendor of the current alert. - 3. **Intelligence Retrieval**: Queries the Recorded Future API for each identified - entity to fetch risk scores and evidence. - 4. **External Mutation (Optional)**: If 'Enable Collective Insights' is enabled, - the action submits detection data to Recorded Future. + ### Flow Description - 5. **Risk Evaluation**: Compares the retrieved risk score against the 'Risk Score - Threshold'. + 1. Extracts configuration parameters (API URL, API Key, SSL verification, Collective + Insights global setting) and action parameters. - 6. **Internal Enrichment**: Updates the entity's additional properties, sets the - 'is_suspicious' flag if the threshold is met, and populates data tables with the - report summary and risk rules. + 2. Determines if Collective Insights should be enabled based on the action settings + and alert context. - 7. **Insight Generation**: Creates a detailed case insight for entities deemed - risky, providing context on why the entity was flagged. + 3. Initializes the Recorded Future manager. + 4. Iterates through the target entities, filtering for `HOSTNAME` and `DOMAIN` + types. - ### Additional Notes + 5. For each valid entity, fetches threat intelligence from Recorded Future. + + 6. Adds data tables to the action results containing the report, triggered risk + rules, and links (if enabled). - - The action supports both `HOSTNAME` and `DOMAIN` entity types. + 7. If the risk score exceeds the threshold, marks the entity as suspicious and + creates a case insight. - - Collective Insights submission is skipped if the alert's reporting vendor is - 'Recorded Future' to avoid circular reporting. + 8. Updates the entity with enrichment data and marks it as enriched. + + 9. Adds the final JSON result and ends the action. capabilities: can_create_case_comments: false can_create_insight: true can_modify_alert_data: false - can_mutate_external_data: true + can_mutate_external_data: false can_mutate_internal_data: true can_update_entities: true - external_data_mutation_explanation: >- - If the 'Enable Collective Insights' parameter is enabled, the action submits - detection telemetry and incident metadata to Recorded Future's Collective Insights - API. + external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity attributes such as suspicious status, enriched status, and additional - properties. It also creates case insights and adds data tables to the case. + Updates entity properties and creates case insights based on threat intelligence. + reasoning: >- + The action fetches threat intelligence from Recorded Future for Host and Domain + entities. It updates the entities with enrichment data and creates insights + if the risk score exceeds the threshold. It does not mutate external systems. categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches data (enrichment), does not mutate external systems, and + only performs allowed internal mutations (updating entities and creating insights). + It is an enrichment action. entity_usage: entity_types: - HOSTNAME @@ -710,6 +702,9 @@ Enrich Host: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and filters for `HOSTNAME` + and `DOMAIN` types using `entity.entity_type in entity_types`. Enrich IOC: action_product_categories: add_alert_comment: false @@ -725,6 +720,10 @@ Enrich IOC: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves reputation, risk scores, and threat intelligence for indicators + (IOCs) from Recorded Future. This directly matches the 'Enrich IOC' category. + It does not perform containment, ticketing, or alert management actions. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -739,90 +738,65 @@ Enrich IOC: update_email: false update_identity: false update_ticket: false - ai_description: >- - Enriches Indicators of Compromise (IOCs) using Recorded Future Intelligence. This - action retrieves comprehensive threat intelligence for multiple entity types, - including IP addresses, domains, hostnames, file hashes, URLs, and CVEs. It evaluates - the risk score of each entity against a user-defined threshold to determine if - the entity should be marked as suspicious within the platform. Additionally, the - action can contribute detection data back to Recorded Future via the Collective - Insights feature. - - - ### Flow Description: - - 1. **Parameter Extraction:** Retrieves the API configuration (URL, Key, SSL) and - action parameters (Risk Score Threshold, Include Links, Enable Collective Insights). - - 2. **Entity Filtering:** Iterates through the target entities in the case and - filters for supported types: IP Address, Domain, Hostname, File Hash, URL, and - CVE. - - 3. **Intelligence Retrieval:** For each supported entity, it queries Recorded - Future to fetch risk scores, evidence details, and optional related links. - - 4. **Collective Insights Submission:** If enabled, the action submits the detection - context (case title, timestamp, and IOC) to Recorded Future's Collective Insights - API. - - 5. **Risk Evaluation:** Compares the retrieved risk score against the 'Risk Score - Threshold'. If the score exceeds the threshold, the entity is marked as suspicious. - - 6. **Internal Enrichment:** Updates the entity's additional properties with threat - data, adds data tables for risk rules and overview, and creates a detailed Case - Insight containing the intelligence report. - - - ### Parameters Description: - - | Parameter Name | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Risk Score Threshold | string | Yes | The minimum malicious risk score (0-100) - required to mark an entity as suspicious. Default is 25. | - - | Include Links | boolean | No | If enabled, the action retrieves and displays - information about related entity links in a data table. | - - | Enable Collective Insights | boolean | No | If enabled, the action contributes - detection metadata back to Recorded Future. This is only active if the global - integration setting is also enabled and the alert vendor is not Recorded Future. - | - - - ### Additional Notes: - - - The action performs an external mutation when 'Enable Collective Insights' is - active by sending detection data to Recorded Future. - - - Entity suspicious status and enrichment fields are updated only for entities - successfully found in the Recorded Future database. + ai_description: "### General Description\nThe **Enrich IOC** action queries the\ + \ Recorded Future intelligence platform to retrieve threat intelligence for various\ + \ indicators of compromise (IOCs). It evaluates the risk score of each entity\ + \ against a user-defined threshold to determine if the entity should be marked\ + \ as suspicious. The action enriches the entity profile with threat intelligence\ + \ data, updates the entity's status, and generates case insights for high-risk\ + \ findings.\n\n### Parameters\n| Parameter | Type | Mandatory | Description |\n\ + | :--- | :--- | :--- | :--- |\n| **Risk Score Threshold** | string | Yes | The\ + \ minimum malicious risk score required for an entity to be marked as suspicious.\ + \ |\n| **Include Links** | boolean | No | If enabled, the action retrieves and\ + \ includes links to the Recorded Future portal. |\n| **Enable Collective Insights**\ + \ | boolean | No | If enabled, the action contributes detection data back to Recorded\ + \ Future. |\n\n### Flow Description\n1. **Initialization**: The action initializes\ + \ the Recorded Future manager using the provided API credentials and configuration.\n\ + 2. **Entity Processing**: It iterates through the target entities, filtering for\ + \ supported types (HOSTNAME, CVE, FILEHASH, ADDRESS, URL, DOMAIN).\n3. **Enrichment**:\ + \ For each supported entity, it queries the Recorded Future API to fetch threat\ + \ intelligence, including risk scores, evidence details, and location data (for\ + \ IPs).\n4. **Risk Evaluation**: It compares the retrieved risk score against\ + \ the configured **Risk Score Threshold**. If the score exceeds the threshold,\ + \ the entity is marked as suspicious.\n5. **Internal Updates**: \n - Updates\ + \ the entity's `additional_properties` with enrichment data.\n - Sets the entity's\ + \ `is_enriched` and `is_suspicious` flags.\n - Creates a case insight if the\ + \ entity is deemed risky.\n - Adds data tables and links to the action results\ + \ for analyst review.\n6. **Finalization**: Updates the entities in the case and\ + \ returns the final execution status." capabilities: can_create_case_comments: false can_create_insight: true can_modify_alert_data: false - can_mutate_external_data: true + can_mutate_external_data: false can_mutate_internal_data: true can_update_entities: true - external_data_mutation_explanation: >- - If 'Enable Collective Insights' is enabled, the action performs a POST request - to the Recorded Future Collective Insights API to contribute detection metadata - from the current case. + external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity attributes such as 'is_suspicious', 'is_enriched', and 'additional_properties'. - It also creates Case Insights and adds data tables to the action results. + Updates entity attributes (is_suspicious, is_enriched, additional_properties) + and creates case insights. + reasoning: >- + The action fetches threat intelligence data from the Recorded Future API (fetches_data=true). + It does not perform any actions that change the state of external systems (can_mutate_external_data=false). + It performs internal mutations by updating entity attributes (is_suspicious, + is_enriched, additional_properties) and creating case insights (can_mutate_internal_data=true, + can_update_entities=true, can_create_insight=true). It does not modify alert + data or create case comments. categories: - enrichment: false + enrichment: true + reasoning: >- + The action is designed to fetch threat intelligence and enrich entities without + modifying external systems. It performs allowed internal mutations (updating + entities and creating insights). Therefore, it qualifies as an enrichment action. entity_usage: entity_types: - ADDRESS - CVE + - DOMAIN - FILEHASH - HOSTNAME - DestinationURL - - DOMAIN filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -836,6 +810,11 @@ Enrich IOC: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over `siemplify.target_entities` and filters them based + on a predefined list of supported types: HOSTNAME, CVE, FILEHASH, ADDRESS, URL, + and DOMAIN. It does not filter by other attributes like creation time, modification + time, or specific entity properties. Enrich IOCs Bulk: action_product_categories: add_alert_comment: false @@ -851,6 +830,10 @@ Enrich IOCs Bulk: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action fetches threat intelligence (reputation, risk scores) for various + IOCs from Recorded Future. This aligns with the 'Enrich IOC' category. It does + not perform any other actions like updating alerts, tickets, or blocking IOCs. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -865,80 +848,52 @@ Enrich IOCs Bulk: update_email: false update_identity: false update_ticket: false - ai_description: >- - Enriches multiple Indicator of Compromise (IOC) entities in bulk using the Recorded - Future SOAR API. This action retrieves threat intelligence for supported entity - types including IP Addresses, Domains, Hostnames, File Hashes, URLs, and CVEs. - It provides a consolidated JSON result containing the intelligence data for all - processed entities. - - - ### Flow Description - - 1. **Configuration Extraction:** Retrieves API credentials (URL, Key) and SSL - verification settings from the integration configuration. - - 2. **Parameter Processing:** Checks the 'Enable Collective Insights' action parameter - and global settings to determine if detection data should be shared back with - Recorded Future. - - 3. **Entity Filtering:** Identifies all supported entities within the current - case context (IP, Domain, Host, Hash, URL, CVE). - - 4. **Bulk Intelligence Retrieval:** Sends a single bulk request to the Recorded - Future SOAR API to fetch enrichment data for all identified entities. - - 5. **Collective Insights Submission:** If enabled and the alert source is not - Recorded Future, it submits detection metadata to the Recorded Future Collective - Insights API. - - 6. **Result Output:** Formats the retrieved intelligence into a JSON object and - attaches it to the action results. - - - ### Parameters Description - - | Parameter Name | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Enable Collective Insights | boolean | No | If enabled (default: true), the - action will contribute detection information back to Recorded Future's Collective - Insights platform, provided the global setting is also enabled and the alert did - not originate from Recorded Future. | - - - ### Additional Notes - - * This action is optimized for bulk processing and uses the specialized Recorded - Future SOAR API endpoint. - - * Unlike individual enrichment actions, this bulk action primarily returns raw - JSON data and does not automatically update entity attributes or create case insights - within the SOAR UI. + ai_description: "Enriches multiple IOCs in bulk using Recorded Future intelligence.\ + \ This action queries the Recorded Future API to retrieve threat intelligence\ + \ for various entity types, including IP addresses, hostnames, file hashes, URLs,\ + \ domains, and CVEs. \n\n### Flow Description\n1. Extracts configuration parameters\ + \ (API URL, API Key, SSL verification, and global Collective Insights setting)\ + \ and the action-specific parameter 'Enable Collective Insights'.\n2. Determines\ + \ if Collective Insights submission is enabled based on the global setting, action\ + \ parameter, and the alert's reporting vendor.\n3. Initializes the Recorded Future\ + \ manager.\n4. Iterates through the target entities in the case, filtering for\ + \ supported types (HOSTNAME, CVE, FILEHASH, ADDRESS, URL, DOMAIN).\n5. Performs\ + \ a bulk enrichment request to Recorded Future for the identified entities.\n\ + 6. Returns the enrichment results as a JSON result object for the action.\n\n\ + ### Parameters\n| Parameter | Type | Mandatory | Description |\n| :--- | :---\ + \ | :--- | :--- |\n| Enable Collective Insights | boolean | No | If enabled, contribute\ + \ detections back to Recorded Future. Defaults to true. |\n\n### Additional Notes\n\ + This action performs bulk enrichment and does not update the entities directly\ + \ in the case. It returns the results in the action's JSON output." capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false - can_mutate_external_data: true + can_mutate_external_data: false can_mutate_internal_data: false can_update_entities: false - external_data_mutation_explanation: >- - If the 'Enable Collective Insights' parameter is enabled, the action performs - a POST request to the Recorded Future Collective Insights API to submit detection - and incident metadata. + external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a bulk query to the Recorded Future API to fetch threat + intelligence for various IOC types. It does not mutate external systems or modify + internal case data (entities, insights, or comments). It only returns the fetched + data as a JSON result. categories: - enrichment: false + enrichment: true + reasoning: >- + The action is designed to fetch threat intelligence data for IOCs. It does not + mutate external systems, nor does it modify internal case data (entities, insights, + or comments). It meets all criteria for an enrichment action. entity_usage: entity_types: - - ADDRESS + - HOSTNAME - CVE - - DOMAIN - FILEHASH - - HOSTNAME + - ADDRESS - DestinationURL + - DOMAIN filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -952,6 +907,10 @@ Enrich IOCs Bulk: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over `siemplify.target_entities` and filters them based + on whether their `entity_type` is present in the `SUPPORTED_ENTITIES` list (HOSTNAME, + CVE, FILEHASH, ADDRESS, URL, DOMAIN). Enrich IP: action_product_categories: add_alert_comment: false @@ -967,6 +926,10 @@ Enrich IP: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves threat intelligence for IP addresses, which directly matches + the 'Enrich IOC' category. It does not perform any other actions like blocking, + ticketing, or alert management. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -981,82 +944,55 @@ Enrich IP: update_email: false update_identity: false update_ticket: false - ai_description: >- - Enriches IP Address entities using Recorded Future Intelligence to provide comprehensive - threat context. The action retrieves risk scores, evidence details, and geographical - location data for each IP. It evaluates the risk score against a user-defined - threshold to automatically mark entities as suspicious and generate detailed case - insights. Additionally, it can contribute detection data back to Recorded Future's - Collective Insights platform. - - - ### Parameters - - | Parameter | Type | Mandatory | Default | Description | - - | :--- | :--- | :--- | :--- | :--- | - - | Risk Score Threshold | String | Yes | 25 | The minimum malicious risk score - (0-99) required to mark an IP as suspicious. Scores below 5 are 'No Malicious - content', 5-24 are 'Unusual', 25-64 are 'Suspicious', 65-89 are 'Malicious', and - 90-99 are 'Very Malicious'. | - - | Include Links | Boolean | No | False | If enabled, the action retrieves information - about related entity links from Recorded Future. | - - | Enable Collective Insights | Boolean | No | True | If enabled, the action contributes - detection information back to Recorded Future's Collective Insights API. | - - - ### Additional Notes - - - The action updates the entity's 'is_suspicious' and 'is_enriched' flags based - on the results and the provided threshold. - - - Collective Insights submissions are automatically excluded if the alert's reporting - vendor matches the integration's default vendor to avoid redundant reporting. - - - ### Flow Description - - 1. **Parameter Extraction**: Retrieves API configuration (URL, Key, SSL settings) - and action parameters (Threshold, Links, Collective Insights). - - 2. **Entity Filtering**: Identifies and processes only 'ADDRESS' (IP) entities - from the target entities list. - - 3. **Intelligence Retrieval**: For each IP, it queries the Recorded Future API - to fetch risk scores, location data (ASN, Country, City, Org), and evidence details. - - 4. **External Mutation (Optional)**: If 'Enable Collective Insights' is active, - it submits the detection context to Recorded Future. - - 5. **Risk Evaluation**: Compares the retrieved risk score against the 'Risk Score - Threshold'. If the score exceeds the threshold, the entity is marked as suspicious. - - 6. **Internal Data Enrichment**: Updates the entity's additional properties with - enrichment data, adds data tables to the case wall (Overview, Risk Rules, Links), - and creates a detailed Case Insight if the entity is deemed risky. - - 7. **Finalization**: Updates the entities within the SecOps platform and returns - a JSON result of the enrichment data. + ai_description: "### General Description\nEnriches IP Address entities using the\ + \ Recorded Future intelligence platform. This action retrieves comprehensive threat\ + \ intelligence, including risk scores, location data, and associated risk rules,\ + \ to provide context for IP entities within a case. It evaluates the risk score\ + \ against a user-defined threshold to determine if an entity should be marked\ + \ as suspicious.\n\n### Flow Description\n1. **Initialization**: The action extracts\ + \ configuration parameters (API URL, API Key, SSL verification) and action parameters\ + \ (Risk Score Threshold, Include Links, Enable Collective Insights).\n2. **Entity\ + \ Processing**: It iterates through the `target_entities` provided in the case,\ + \ filtering specifically for entities of type `ADDRESS`.\n3. **Data Retrieval**:\ + \ For each valid IP entity, it queries the Recorded Future API to fetch threat\ + \ intelligence data.\n4. **Enrichment**: \n - Updates the entity's `additional_properties`\ + \ with the retrieved intelligence (e.g., risk score, location, organization).\n\ + \ - Sets the entity's `is_enriched` status to true.\n - If the risk score\ + \ exceeds the configured `Risk Score Threshold`, it marks the entity as `is_suspicious`.\n\ + 5. **Insight Generation**: If the entity is marked suspicious, it creates a case\ + \ insight containing detailed risk evidence and location data.\n6. **Result Reporting**:\ + \ Updates the entities in the SOAR platform and adds data tables and links to\ + \ the action results.\n\n### Parameters Description\n| Parameter | Type | Mandatory\ + \ | Description |\n| :--- | :--- | :--- | :--- |\n| Risk Score Threshold | string\ + \ | Yes | The minimum malicious risk score (0-99) for an IP to be marked as suspicious.\ + \ |\n| Include Links | boolean | No | If enabled, the action retrieves additional\ + \ links related to the IP. |\n| Enable Collective Insights | boolean | No | If\ + \ enabled, contributes detection data back to Recorded Future. |\n\n### Additional\ + \ Notes\nThis action is strictly for enrichment and does not modify any external\ + \ systems. It only updates internal entity attributes and creates case insights\ + \ within Google SecOps." capabilities: can_create_case_comments: false can_create_insight: true can_modify_alert_data: false - can_mutate_external_data: true + can_mutate_external_data: false can_mutate_internal_data: true can_update_entities: true - external_data_mutation_explanation: >- - If 'Enable Collective Insights' is enabled, the action submits detection information - (IOC value, type, and incident context) to Recorded Future's Collective Insights - API. + external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity attributes including 'is_suspicious', 'is_enriched', and 'additional_properties'. - It also creates Case Insights and adds multiple data tables to the case. + Updates entity properties and creates case insights within Google SecOps. + reasoning: >- + The action fetches threat intelligence from the Recorded Future API for IP entities. + It does not mutate external systems. It performs internal mutations by updating + entity properties (e.g., risk score, suspicious status) and creating case insights + within Google SecOps. categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches data (enrichment) and only performs allowed internal mutations + (updating entities, creating insights). It does not mutate external systems, + thus meeting the criteria for an enrichment action. entity_usage: entity_types: - ADDRESS @@ -1073,6 +1009,9 @@ Enrich IP: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and filters them by `entity.entity_type` + to process only `ADDRESS` entities. Enrich URL: action_product_categories: add_alert_comment: false @@ -1088,6 +1027,10 @@ Enrich URL: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves threat intelligence for a URL, which is an IOC. This matches + the 'Enrich IOC' category. It does not perform any other actions like blocking, + ticketing, or alert management. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1103,72 +1046,73 @@ Enrich URL: update_identity: false update_ticket: false ai_description: >- - Enriches URL entities using Recorded Future Intelligence to provide comprehensive - threat context. The action retrieves risk scores, evidence details, and optional - related entity links from Recorded Future. It evaluates the URL against a user-defined - risk threshold to determine if it should be marked as suspicious within the case. - Additionally, it can optionally contribute detection data back to Recorded Future - via the Collective Insights feature. + ### General Description + Enriches URL entities using Recorded Future Intelligence. This action queries + the Recorded Future API to retrieve threat intelligence, risk scores, and associated + metadata for a given URL. It evaluates the risk based on a user-defined threshold, + updates the entity's suspicious status, and generates a case insight with the + analysis results. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Initialization**: Extracts configuration parameters (API URL, API Key, SSL + verification) and action parameters (Risk Score Threshold, Include Links, Enable + Collective Insights). - | :--- | :--- | :--- | :--- | + 2. **Entity Processing**: Iterates over the target entities, filtering for URL + entities. - | Risk Score Threshold | string | True | Represents the minimum malicious risk - score (0-99) for a URL to be marked malicious. Scores 65-89 are Malicious, 90-99 - are Very Malicious. | + 3. **Enrichment**: Queries the Recorded Future API for intelligence on each URL. - | Include Links | boolean | False | If enabled, the action retrieves information - about related entity links associated with the URL. | + 4. **Evaluation**: Compares the retrieved risk score against the configured threshold. + If the score exceeds the threshold, the entity is marked as suspicious. - | Enable Collective Insights | boolean | False | If enabled, the action contributes - detection information back to Recorded Future. This is only active if the alert - vendor is not Recorded Future. | + 5. **Internal Update**: Updates the entity's properties with enrichment data, + creates a case insight with the findings, and adds data tables to the action results. - ### Flow Description + ### Parameters Description + | Parameter | Type | Mandatory | Description | - 1. **Initialization**: Extracts configuration parameters (API Key, URL, SSL settings) - and action parameters (Threshold, Links toggle, Collective Insights toggle). + | :--- | :--- | :--- | :--- | - 2. **Entity Filtering**: Identifies URL entities within the current case scope. + | Risk Score Threshold | string | Yes | Represents the minimum malicious risk + score (0-99) for a URL to be marked malicious. | - 3. **Intelligence Retrieval**: For each URL, it queries Recorded Future to fetch - enrichment data, including risk scores and evidence. + | Include Links | boolean | No | If enabled, the action retrieves information + about links associated with the URL. | - 4. **Collective Insights Submission**: If enabled and applicable, it submits - the detection metadata to Recorded Future's Collective Insights API. + | Enable Collective Insights | boolean | No | If enabled, contributes detections + back to Recorded Future. | - 5. **Risk Assessment**: Compares the retrieved risk score against the 'Risk Score - Threshold'. If the score exceeds the threshold, the entity is marked as suspicious. - 6. **Internal Updates**: Updates the entity's additional properties with enrichment - data, adds data tables for risk rules and links, and creates a detailed case insight - for analysts. + ### Additional Notes - 7. **Completion**: Updates the entities in the SecOps platform and returns a - summary of successful, not found, or failed enrichments. + This action is strictly for enrichment and does not modify any external systems. capabilities: can_create_case_comments: false can_create_insight: true can_modify_alert_data: false - can_mutate_external_data: true + can_mutate_external_data: false can_mutate_internal_data: true can_update_entities: true - external_data_mutation_explanation: >- - Submits detection information to Recorded Future's Collective Insights platform - if the 'Enable Collective Insights' parameter is set to true. + external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity attributes (additional properties, suspicious status, enriched - status) and creates case insights based on the retrieved intelligence. + Updates entity properties and creates case insights. + reasoning: >- + The action fetches threat intelligence from Recorded Future for URL entities. + It updates the entity's suspicious status and adds enrichment data to the entity. + It creates case insights with the findings. It does not mutate external systems. categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches data (enrichment), does not mutate external systems, and + only performs allowed internal mutations (updating entities and creating insights). + It is an enrichment action. entity_usage: entity_types: - DestinationURL @@ -1185,6 +1129,9 @@ Enrich URL: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and filters for `EntityTypes.URL` + (mapped to `DestinationURL`). Get Alert Details: action_product_categories: add_alert_comment: false @@ -1200,6 +1147,11 @@ Get Alert Details: enrich_ioc: false execute_command_on_the_host: false get_alert_information: true + reasoning: >- + The action fetches detailed information about a specific alert from the Recorded + Future platform. This directly aligns with the 'Get Alert Information' category. + It does not perform any other operations like enrichment of IOCs/Assets, ticket + creation, or containment. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1215,41 +1167,44 @@ Get Alert Details: update_identity: false update_ticket: false ai_description: >- - Fetches detailed information about a specific Recorded Future alert using its - unique identifier. This action retrieves comprehensive metadata, including associated - documents, related entities, evidence details, and rule information. The retrieved - data is returned as a JSON object and includes a direct link to the alert report - in the Recorded Future portal for further investigation. + ### General Description + The 'Get Alert Details' action retrieves comprehensive information about a specific + alert from the Recorded Future platform. By providing a unique Alert ID, the action + queries the Recorded Future API to fetch details such as documents, related entities, + and evidence. The retrieved information is then returned as a JSON result within + the case, and a direct link to the Recorded Future web report is added to the + action output for easy access by analysts. - ### Parameters + + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Alert ID | String | True | Specify the unique ID of the Recorded Future alert - for which you would like to fetch details. | + | Alert ID | string | Yes | The unique identifier of the alert in Recorded Future + for which details are to be fetched. | ### Flow Description - 1. **Parameter Extraction:** The action retrieves the API credentials (URL, Key) - and the mandatory `Alert ID` from the input parameters. + 1. **Parameter Extraction**: The action extracts the 'Alert ID' provided by the + user. - 2. **Manager Initialization:** It initializes the `RecordedFutureManager` to handle - communication with the Recorded Future API. + 2. **Initialization**: The 'RecordedFutureManager' is initialized using the configured + API URL and API Key. - 3. **Data Retrieval:** The action calls the Recorded Future API to fetch the full - details of the specified alert. + 3. **Data Retrieval**: The action calls the 'get_information_about_alert' method + using the provided Alert ID to fetch the alert data. - 4. **Data Transformation:** The raw API response is processed and transformed - into a structured `AlertDetails` object, extracting key information such as hits, - rules, and organization details. + 4. **Result Output**: The retrieved alert data is added to the action's result + as a JSON object. - 5. **Output Generation:** The action adds the structured alert data as a JSON - result and provides a direct web link to the Recorded Future portal for the specific - alert. + 5. **Link Addition**: A link to the Recorded Future web report for the alert is + added to the action output. + + 6. **Completion**: The action completes and returns the status and output message. capabilities: can_create_case_comments: false can_create_insight: false @@ -1260,8 +1215,17 @@ Get Alert Details: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Recorded Future API to retrieve alert + details based on an ID. It does not perform any POST/PUT/DELETE operations on + external systems, nor does it modify any internal SOAR data such as entities, + insights, or case comments. categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches supplemental context about an alert from an external source + (Recorded Future). It does not mutate external or internal data, satisfying + the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1277,6 +1241,9 @@ Get Alert Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or process 'target_entities'. It operates solely + based on the 'Alert ID' parameter provided by the user. Get Playbook Alert Details: action_product_categories: add_alert_comment: false @@ -1292,6 +1259,9 @@ Get Playbook Alert Details: enrich_ioc: false execute_command_on_the_host: false get_alert_information: true + reasoning: >- + The action fetches detailed information about a specific alert from the Recorded + Future platform. This directly matches the 'Get Alert Information' category. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1306,45 +1276,23 @@ Get Playbook Alert Details: update_email: false update_identity: false update_ticket: false - ai_description: >- - Fetches detailed information about a specific Recorded Future Playbook Alert and - returns the results to the Google SecOps case. This action is designed to provide - analysts with deeper context regarding alerts, such as updated DNS records, new - vulnerability stages, code repository leaks, or identity exposures. It retrieves - the full data model for the specified alert, which can then be used for further - automated analysis or manual review. - - - ### Parameters - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Playbook Alert ID | String | Yes | The unique identifier of the Playbook Alert - for which you want to retrieve details. | - - | Category | String | Yes | The specific category of the Playbook Alert. Supported - values include: `domain_abuse`, `cyber_vulnerability`, `code_repo_leakage`, `third_party_risk`, - `identity_novel_exposures`, and `geopolitics_facility`. | - - - ### Flow Description - - 1. **Parameter Extraction:** The action retrieves the API configuration (URL, - Key, SSL settings) and the user-provided Playbook Alert ID and Category. - - 2. **Manager Initialization:** It initializes the Recorded Future Manager to handle - API communication. - - 3. **Data Retrieval:** The action calls the Recorded Future API to fetch the specific - details of the alert based on the ID and Category provided. - - 4. **Result Processing:** The retrieved alert object is converted to JSON and - added to the action's execution results. - - 5. **Link Generation:** A direct web link to the Recorded Future portal for that - specific alert is added to the action results for easy access by the analyst. + ai_description: "### General Description\nThis action fetches detailed information\ + \ about a specific Recorded Future Playbook Alert. It retrieves comprehensive\ + \ data, including DNS records, vulnerability stages, and other relevant intelligence,\ + \ and returns this information to the Google SecOps case as a JSON result and\ + \ a direct link to the Recorded Future web report.\n\n### Parameters\n| Parameter\ + \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Playbook\ + \ Alert ID | string | Yes | The unique identifier of the playbook alert to fetch.\ + \ |\n| Category | string | Yes | The category of the playbook alert (e.g., domain_abuse,\ + \ cyber_vulnerability, code_repo_leakage, third_party_risk, identity_novel_exposures,\ + \ geopolitics_facility). |\n\n### Flow Description\n1. **Initialization**: The\ + \ action initializes the `RecordedFutureManager` using the configured API URL\ + \ and API Key.\n2. **Data Retrieval**: It calls the Recorded Future API to fetch\ + \ details for the provided `Playbook Alert ID` and `Category`.\n3. **Result Processing**:\ + \ \n - The retrieved alert details are added to the action results as a JSON\ + \ object.\n - A link to the Recorded Future web report is added to the action\ + \ results.\n4. **Completion**: The action completes and returns a success message\ + \ or an error message if the alert is not found or if authentication fails." capabilities: can_create_case_comments: false can_create_insight: false @@ -1355,8 +1303,17 @@ Get Playbook Alert Details: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Recorded Future API to retrieve alert + details. It does not modify any external systems (no POST/PUT/DELETE). It does + not modify internal SOAR data (no entity updates, insights, or case comments). + It simply returns the fetched data as a result JSON and a link. categories: enrichment: true + reasoning: >- + The action fetches data from an external source (Recorded Future) and does not + mutate any external or internal systems. It meets the criteria for an enrichment + action as it gathers supplemental context without violating internal state constraints. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1372,6 +1329,9 @@ Get Playbook Alert Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or reference `siemplify.target_entities`. It + operates based on input parameters provided by the user. Ping: action_product_categories: add_alert_comment: false @@ -1387,6 +1347,9 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test (Ping) and does not perform any of the defined + operational tasks like enrichment, containment, or ticket management. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1401,29 +1364,18 @@ Ping: update_email: false update_identity: false update_ticket: false - ai_description: "### General Description\nThe Ping action is a diagnostic tool used\ - \ to verify the connectivity between Google SecOps and the Recorded Future API.\ - \ It ensures that the provided API URL and API Key are valid and that the network\ - \ configuration allows for successful communication with the service.\n\n### Parameters\ - \ Description\nThere are no action-specific parameters for this action. It relies\ - \ entirely on the integration's global configuration parameters:\n\n| Parameter\ - \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| ApiUrl\ - \ | String | Yes | The base URL for the Recorded Future API. |\n| ApiKey | String\ - \ | Yes | The API key used for authentication with Recorded Future. |\n| Verify\ - \ SSL | Boolean | No | If enabled, the action will verify the SSL certificate\ - \ of the API server. Defaults to False. |\n\n### Additional Notes\nThis action\ - \ performs a test lookup for a known public IP address (8.8.8.8) to confirm that\ - \ the enrichment service is responsive. It does not process any entities from\ - \ the current case or alert.\n\n### Flow Description\n1. **Initialization**: The\ - \ action initializes the Siemplify API and extracts the global configuration parameters\ - \ (API URL, API Key, and SSL verification settings).\n2. **Manager Setup**: It\ - \ instantiates the `RecordedFutureManager` using the provided credentials.\n3.\ - \ **Connectivity Test**: The action calls the `test_connectivity` method, which\ - \ attempts to perform a basic enrichment lookup for the IP address `8.8.8.8`.\n\ - 4. **Result Handling**: \n * If the lookup is successful, the action returns\ - \ a success status with the message \"Connection Established.\"\n * If an exception\ - \ occurs (e.g., network error, invalid API key), the action catches the error,\ - \ logs the details, and returns a failure status with a descriptive error message." + ai_description: "Tests connectivity to the Recorded Future API. This action verifies\ + \ that the integration is correctly configured by attempting to establish a connection\ + \ using the provided API credentials. \n\n### Parameters\n| Parameter | Type |\ + \ Mandatory | Description |\n| --- | --- | --- | --- |\n| ApiUrl | string | Yes\ + \ | The base URL for the Recorded Future API. |\n| ApiKey | string | Yes | The\ + \ API key used for authentication. |\n| Verify SSL | boolean | No | Whether to\ + \ verify SSL certificates when connecting to the API. Defaults to False. |\n\n\ + ### Flow Description\n1. The action initializes the Recorded Future manager using\ + \ the provided API URL, API key, and SSL verification setting.\n2. It attempts\ + \ to call the `test_connectivity` method on the manager to verify the connection.\n\ + 3. If the connection is successful, it logs the success and completes the action.\n\ + 4. If an error occurs, it logs the exception and marks the action as failed." capabilities: can_create_case_comments: false can_create_insight: false @@ -1432,10 +1384,17 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity test to the Recorded Future API. It does + not fetch data about entities, mutate external systems, or modify internal SOAR + data. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action, which is explicitly excluded from being an enrichment + action. It does not fetch data on entities or perform any enrichment tasks. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1451,6 +1410,9 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities; it performs a global connectivity + test. Refresh Playbook Alert: action_product_categories: add_alert_comment: false @@ -1466,6 +1428,9 @@ Refresh Playbook Alert: enrich_ioc: false execute_command_on_the_host: false get_alert_information: true + reasoning: >- + The action fetches alert details from Recorded Future and adds them to the case. + This matches the 'Get Alert Information' category. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1481,14 +1446,12 @@ Refresh Playbook Alert: update_identity: false update_ticket: false ai_description: >- - Refreshes a Recorded Future Playbook Alert within a Google SecOps case by fetching - the latest data from the Recorded Future platform. This action is specifically - designed to work with cases generated by the Recorded Future Playbook Alerts Connector. - It retrieves updated alert details based on a specific Playbook Alert ID and Category, - identifies new entities associated with the alert, and adds them to the current - case. Additionally, it generates enriched event data, including HTML-formatted - content for display in SecOps widgets, and provides a direct link to the Recorded - Future Web Report. + ### General Description + + Updates information in a case created by the Playbook Alerts Connector with new + data from the Recorded Future platform. This action fetches the latest details + for a specific Playbook Alert and adds relevant entities (such as domains, IPs, + or hosts) to the case based on the alert's category. ### Parameters @@ -1497,31 +1460,30 @@ Refresh Playbook Alert: | :--- | :--- | :--- | :--- | - | Playbook Alert ID | string | True | The unique identifier of the playbook alert - in Recorded Future for which you want to fetch updated details. | + | Playbook Alert ID | string | Yes | The ID of the playbook alert for which you + would like to fetch details. | - | Category | string | True | The category of the Playbook Alert. Supported values - include: `domain_abuse`, `cyber_vulnerability`, `code_repo_leakage`, `third_party_risk`, - `identity_novel_exposures`, and `geopolitics_facility`. | + | Category | string | Yes | The Category of the Playbook Alert. Possible values + are domain_abuse, cyber_vulnerability, code_repo_leakage, third_party_risk, identity_novel_exposures, + and geopolitics_facility. | ### Flow Description - 1. **Validation:** The action first verifies that the current Google SecOps alert - originated from the Recorded Future Playbook Alert product. + 1. **Initialization**: Extracts configuration parameters (API URL, API Key, SSL + verification) and action parameters (Playbook Alert ID, Category). - 2. **Data Retrieval:** It calls the Recorded Future API to fetch the most recent - details for the specified Playbook Alert ID and Category. + 2. **Validation**: Verifies that the current alert is a valid Recorded Future + Playbook Alert. - 3. **Entity Discovery:** Based on the alert category, the action parses the response - to identify relevant entities such as IP addresses, domains, hostnames, or CVEs. + 3. **Data Retrieval**: Calls the Recorded Future API to fetch the latest details + for the specified Playbook Alert ID and category. - 4. **Internal Mutation:** Discovered entities are added to the Google SecOps case - using the `add_entity_to_case` method. + 4. **Internal Mutation**: Based on the alert category, adds relevant entities + to the case using `siemplify.add_entity_to_case`. - 5. **Output Generation:** The action constructs a JSON result containing enriched - event data (including HTML chunks for UI widgets) and adds a direct link to the - Recorded Future portal for the specific alert. + 5. **Result Generation**: Adds the alert details as a JSON result and provides + a link to the Recorded Future portal for further investigation. capabilities: can_create_case_comments: false can_create_insight: false @@ -1532,10 +1494,19 @@ Refresh Playbook Alert: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action adds new entities discovered in the refreshed Recorded Future alert - data to the current Google SecOps case. + Adds new entities to the case based on the playbook alert details. + reasoning: >- + The action fetches data from the Recorded Future API (fetches_data=true). It + does not mutate external systems. It performs internal mutation by adding new + entities to the case using `siemplify.add_entity_to_case` (can_mutate_internal_data=true). + It does not update existing entities, create insights, or modify alert data. categories: enrichment: false + reasoning: >- + The action fetches data but performs internal mutations (adding entities to + the case) that are not in the allowed list for enrichment actions (Add Case + Comments, Create Case Insights, Update Entity fields/attributes). Therefore, + it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1551,6 +1522,9 @@ Refresh Playbook Alert: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities`. It uses parameters + to fetch data and then adds entities to the case. Search Hash Malware Intelligence: action_product_categories: add_alert_comment: false @@ -1566,6 +1540,10 @@ Search Hash Malware Intelligence: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action fetches malware intelligence (sandbox reports) for a file hash, which + provides threat intelligence. This matches the 'Enrich IOC' category. It does + not perform any other actions like blocking, ticketing, or alert management. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1581,52 +1559,47 @@ Search Hash Malware Intelligence: update_identity: false update_ticket: false ai_description: >- - Queries Recorded Future to retrieve existing malware intelligence and sandbox - analysis reports for file hash entities. This action specifically targets SHA256 - hashes and searches for reports previously generated within the Recorded Future - Sandbox environment. It allows users to filter results to their own enterprise - submissions and define a specific lookback period. For every hash found, the action - generates a detailed Case Insight containing analysis summaries, risk scores, - detected signatures (including TTPs), and network flow data. + ### General Description + This action queries the Recorded Future API to retrieve malware intelligence reports + for specific file hash entities. It allows users to search for sandbox reports + associated with a hash, optionally filtering by enterprise-specific submissions + and a defined date range. The action provides valuable context for threat hunting + and incident response by surfacing sandbox analysis results directly within the + case. - ### Flow Description: - 1. **Parameter Extraction:** The action retrieves the API configuration and user-provided - parameters, including the enterprise filter and date range. + ### Parameters Description - 2. **Entity Filtering:** It identifies all `FILEHASH` entities within the current - context, specifically validating that they are SHA256 (64 characters). + | Parameter | Type | Mandatory | Description | - 3. **Intelligence Retrieval:** For each valid hash, it queries the Recorded Future - Malware Intelligence API for sandbox reports matching the criteria. + | :--- | :--- | :--- | :--- | - 4. **Insight Generation:** If reports are found, the action parses the technical - details (signatures, network flows, scores) and creates a formatted HTML Case - Insight for the entity. + | My Enterprise | boolean | No | Specify if the sample hash should be searched + in your enterprise submissions only. Defaults to false. | - 5. **Result Output:** The action returns a JSON object containing the raw report - data and updates the action status based on whether reports were successfully - retrieved. + | Start Date | string | No | Specify the starting date to lookback. Accept format + like 2026-01-23 or -1d. Defaults to -30d. | + | End Date | string | No | Specify the ending date to lookback. Accept format + like 2026-01-23 or -1d. None means today. | - ### Parameters Description: - | Parameter Name | Type | Mandatory | Description | + ### Flow Description - | :--- | :--- | :--- | :--- | + 1. The action extracts configuration parameters (API URL, API Key, SSL verification) + and action parameters (My Enterprise, Start Date, End Date). - | My Enterprise | boolean | No | If set to `true`, the search is restricted to - samples submitted by your organization's Recorded Future account. Defaults to - `false`. | + 2. It iterates through the target entities, filtering for those with the type + `FILEHASH` and an identifier length of 64 characters. - | Start Date | string | No | The start date for the report search lookback. Supports - relative formats like `-30d` or absolute dates like `YYYY-MM-DD`. Defaults to - `-30d`. | + 3. For each valid hash, it calls the Recorded Future API to fetch sandbox reports. - | End Date | string | No | The end date for the report search lookback. Supports - relative or absolute formats. If left empty, it defaults to the current date. - | + 4. If reports are found, it generates a detailed HTML insight containing the sandbox + analysis, including scores, tags, file extensions, signatures, and network flows, + and attaches it to the case. + + 5. The action adds the raw JSON results of the API call to the action output. capabilities: can_create_case_comments: false can_create_insight: true @@ -1637,10 +1610,18 @@ Search Hash Malware Intelligence: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - The action creates Case Insights within Google SecOps to display malware intelligence - and sandbox report details for the analyzed file hashes. + Creates case insights with the retrieved malware intelligence report. + reasoning: >- + The action fetches malware intelligence data from Recorded Future (fetches_data=true). + It does not mutate external systems. It creates case insights (can_create_insight=true), + which is an internal mutation allowed for enrichment actions. It does not update + entities or modify alerts. categories: enrichment: true + reasoning: >- + The action fetches data (malware reports) and creates insights. It does not + mutate external systems or perform forbidden internal mutations. It is an enrichment + action. entity_usage: entity_types: - FILEHASH @@ -1649,7 +1630,7 @@ Search Hash Malware Intelligence: filters_by_case_identifier: false filters_by_creation_time: false filters_by_entity_type: true - filters_by_identifier: false + filters_by_identifier: true filters_by_is_artifact: false filters_by_is_enriched: false filters_by_is_internal: false @@ -1657,9 +1638,12 @@ Search Hash Malware Intelligence: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over `siemplify.target_entities` and filters for `FILEHASH` + entities with an identifier length of 64. Update Alert: action_product_categories: - add_alert_comment: true + add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false contain_host: false @@ -1672,6 +1656,10 @@ Update Alert: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action updates an alert in the external Recorded Future platform. It does + not update an alert within the SecOps platform, nor does it create or update + an ITSM ticket. Therefore, it does not match any of the predefined product categories. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1682,59 +1670,53 @@ Update Alert: send_message: false submit_file: false uncontain_host: false - update_alert: true + update_alert: false update_email: false update_identity: false update_ticket: false ai_description: >- - Updates an existing alert in Recorded Future by modifying its status, assignee, - or adding a note. This action allows analysts to synchronize the state of an alert - between Google SecOps and the Recorded Future platform. + Updates an alert in the Recorded Future platform. This action allows users to + modify the status, assignee, or add a note to an existing alert in Recorded Future. - ### Flow Description: + ### Parameters - 1. **Parameter Extraction:** The action retrieves the Recorded Future API credentials - and the specific alert details (ID, Status, Assignee, and Note) from the action - parameters. + | Parameter | Type | Mandatory | Description | - 2. **Validation:** It verifies that at least one of the optional parameters (Assign - To, Note, or Status) is provided to perform an update. + | :--- | :--- | :--- | :--- | - 3. **API Interaction:** The action uses the `RecordedFutureManager` to send a - request to the Recorded Future API, targeting the specified Alert ID with the - new values. + | Alert ID | string | Yes | Specify the ID of the alert that needs to be updated. + | - 4. **Result Processing:** Upon a successful API call, the action returns a JSON - result confirming the update and provides an output message to the SecOps case - wall. + | Assign To | string | No | Specify to whom to assign the alert. You can provide + id, username, user hash, or email. | + | Note | string | No | Specify a note that should be updated on the alert. | - ### Parameters Description: + | Status | ddl | Yes | Specify the new status for the alert (None, New, Pending, + Dismissed, Resolved, Flag for Tuning). | - | Parameter Name | Type | Mandatory | Description | + ### Additional Notes - | :--- | :--- | :--- | :--- | + At least one of the following parameters must be provided for the action to successfully + update the alert: Assign To, Note, or Status. - | Alert ID | String | Yes | The unique identifier of the alert in Recorded Future - that needs to be updated. | - | Assign To | String | No | The identifier (ID, username, hash, or email) of the - user to whom the alert should be assigned. | + ### Flow Description - | Note | String | No | A text note to be added or updated on the alert in Recorded - Future. | + 1. Extract the configuration parameters (API URL, API Key, SSL verification) and + action parameters (Alert ID, Assign To, Note, Status). - | Status | DDL | Yes | The new status to set for the alert. Options include: New, - Pending, Dismissed, Resolved, Flag for Tuning. | + 2. Validate that at least one of the update parameters (Assign To, Note, or Status) + is provided. + 3. Initialize the `RecordedFutureManager` with the provided credentials. - ### Additional Notes: + 4. Call the `update_alert` method on the manager to perform the update in the + Recorded Future platform. - * Although 'Status' is marked as mandatory in the configuration, the underlying - logic requires that at least one of 'Status', 'Assign To', or 'Note' contains - a value for the action to execute successfully. + 5. Add the result JSON to the action output and complete the script. capabilities: can_create_case_comments: false can_create_insight: false @@ -1743,12 +1725,19 @@ Update Alert: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the status, assignee, and notes of an alert within the Recorded Future - platform. + Updates the status, assignee, or note of an alert in the Recorded Future platform. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action updates an alert in the external Recorded Future platform by sending + a request with the provided parameters (status, assignee, note). It does not + fetch data, update internal SecOps entities, or create insights/comments. categories: enrichment: false + reasoning: >- + The action performs a mutation on an external system (Recorded Future) and does + not retrieve data or perform any enrichment tasks. Therefore, it is not an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1764,6 +1753,9 @@ Update Alert: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or process any entities from the SecOps platform. + It operates solely based on the provided action parameters. Update Playbook Alert: action_product_categories: add_alert_comment: false @@ -1779,6 +1771,11 @@ Update Playbook Alert: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action updates a playbook alert in an external system (Recorded Future). + It does not match the 'Update Alert' category, which is strictly defined as + updating alerts within the SecOps platform. It does not match other categories + like 'Create Ticket' or 'Contain Host'. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1789,65 +1786,64 @@ Update Playbook Alert: send_message: false submit_file: false uncontain_host: false - update_alert: true + update_alert: false update_email: false update_identity: false update_ticket: false ai_description: >- - Updates a playbook alert in Recorded Future with new metadata such as status, - priority, assignee, and comments. This action allows analysts to synchronize the - state of an alert between Google SecOps and Recorded Future. - - - ### Flow Description: - - 1. **Parameter Extraction:** The action retrieves the mandatory Playbook Alert - ID and Category, along with optional update parameters (Status, Priority, Assignee, - Log Entry, and Reopen Strategy). - - 2. **Validation:** It verifies that at least one optional update parameter has - been provided; otherwise, the action fails to prevent redundant API calls. - - 3. **External Interaction:** The action uses the Recorded Future Manager to fetch - the current state of the alert and then submits an update request to the Recorded - Future API. + ### General Description - 4. **Result Processing:** The updated alert details are returned as a JSON result, - and a success message is displayed in the action output. + Updates a specific Playbook Alert within the Recorded Future platform. This action + allows analysts to modify the status, priority, assignee, or add a log entry to + an existing playbook alert, facilitating automated alert management and synchronization + between Google SecOps and Recorded Future. - ### Parameters Description: + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Playbook Alert ID | String | Yes | The unique identifier of the playbook alert + | Playbook Alert ID | string | Yes | The unique identifier of the playbook alert to be updated. | - | Playbook Alert Category | String | Yes | The category of the playbook alert - (e.g., domain_abuse, cyber_vulnerability). | + | Playbook Alert Category | string | Yes | The category of the playbook alert. + | - | Assign To | String | No | The user uhash to whom the alert should be assigned - in Recorded Future. | + | Assign To | string | No | The user uhash to assign the alert to. | - | Log Entry | String | No | A comment or note to be added to the alert's activity - log during the update. | + | Log Entry | string | No | A comment or note to be added to the alert. | - | Status | DDL | No | The new status for the alert (New, In Progress, Dismissed, + | Status | ddl | No | The new status for the alert (e.g., New, In Progress, Dismissed, Resolved). | - | Priority | DDL | No | The new priority level for the alert (High, Moderate, + | Priority | ddl | No | The new priority for the alert (e.g., High, Moderate, Informational). | - | Reopen Strategy | DDL | No | Defines the strategy for reopening the alert (Never, + | Reopen Strategy | ddl | No | The strategy for reopening the alert (e.g., Never, Significant Updates). | - ### Additional Notes: + ### Additional Notes + + This action performs a direct update to the external Recorded Future system. It + does not modify any entities or alerts within the Google SecOps platform itself. + + + ### Flow Description + + 1. **Initialization**: The action extracts configuration parameters (API URL, + API Key) and action parameters (Alert ID, Category, etc.). + + 2. **Validation**: It verifies that at least one update parameter (Assign To, + Log Entry, Status, Priority, or Reopen Strategy) is provided. + + 3. **Execution**: It initializes the `RecordedFutureManager` and calls the `update_playbook_alert` + method to send the update request to the Recorded Future API. - At least one of the following parameters must be configured for the action to - run: 'Assign To', 'Log Entry', 'Status', 'Priority', or 'Reopen Strategy'. + 4. **Result**: The action adds the JSON result of the update operation to the + action results and completes the execution. capabilities: can_create_case_comments: false can_create_insight: false @@ -1856,12 +1852,20 @@ Update Playbook Alert: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the status, priority, assignee, log entry, or reopen strategy of a playbook - alert in the Recorded Future platform. - fetches_data: true + Updates the status, priority, assignee, or adds a log entry to a playbook alert + in Recorded Future. + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs an API call to update an external resource (Playbook Alert + in Recorded Future). It does not fetch data, nor does it modify any internal + Google SecOps data, entities, or case comments. categories: enrichment: false + reasoning: >- + The action is a mutation action that updates external data. It does not fetch + data for enrichment purposes, nor does it meet the criteria for an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1877,3 +1881,6 @@ Update Playbook Alert: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on entities. It uses a specific 'Playbook Alert + ID' provided as a parameter to identify the target alert in the external system. diff --git a/content/response_integrations/third_party/partner/recorded_future_intelligence/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/partner/recorded_future_intelligence/resources/ai/connectors_ai_description.yaml index f4b655edf..0a1efa162 100644 --- a/content/response_integrations/third_party/partner/recorded_future_intelligence/resources/ai/connectors_ai_description.yaml +++ b/content/response_integrations/third_party/partner/recorded_future_intelligence/resources/ai/connectors_ai_description.yaml @@ -2,12 +2,11 @@ ai_description: >- ### General Description - This connector integrates with Recorded Future to ingest **Classic Alerts** into - Google SecOps. It allows security teams to monitor and automate the response to - external threat intelligence alerts generated by Recorded Future's intelligence - rules. The connector supports advanced filtering by alert status, rule names (via - allowlist/denylist), and severity, while also ingesting AI-generated insights - to provide analysts with immediate context. + This connector integrates with Recorded Future to fetch "Classic" security alerts + and ingest them into Google SecOps (SOAR) as cases. It enables automated monitoring + of threat intelligence alerts, supporting advanced filtering, deduplication (overflow), + and environment mapping to ensure relevant alerts are prioritized and actionable + within the SOAR platform. ### Parameters Description @@ -16,95 +15,82 @@ | :--- | :--- | :--- | :--- | - | DeviceProductField | String | Yes | The source field name used to retrieve the - Product Field name (default: `device_product`). | + | API URL | String | Yes | API Root of the Recorded Future instance. | - | EventClassId | String | Yes | The source field name used to retrieve the Event - Field name (default: `rule_name`). | + | API Key | Password | Yes | API Key from Recorded Future. | - | Environment Field Name | String | No | The name of the field where the environment - name is stored. | - - | Environment Regex Pattern | String | No | A regex pattern to manipulate the - value found in the Environment Field Name. | - - | PythonProcessTimeout | Integer | Yes | Timeout limit in seconds for the python - process (default: `180`). | + | Severity | String | Yes | Severity assigned to created alerts (Low, Medium, + High, Critical). | - | API URL | String | Yes | API Root of the Recorded Future instance (default: - `https://api.recordedfuture.com`). | + | DeviceProductField | String | Yes | Source field name for the Product Field. + | - | API Key | Password | Yes | Your Recorded Future API Key. | + | EventClassId | String | Yes | Source field name for the Event Field. | - | Fetch Max Hours Backwards | Integer | No | The number of hours back from which - to fetch events if no previous timestamp exists. | + | PythonProcessTimeout | Integer | Yes | Timeout limit for the python process. + | - | Alert Statuses | String | No | Comma-separated list of statuses to fetch (e.g., - `New, Pending, Resolved, Dismissed`). | + | Fetch Max Hours Backwards | Integer | No | Amount of hours to fetch events from. + | - | Max Alerts To Fetch | Integer | No | Maximum number of alerts to process per - iteration (default: `100`). | + | Alert Statuses | String | No | Comma-separated statuses (e.g., New, Pending). + | - | Severity | String | Yes | The severity assigned to created alerts (Low, Medium, - High, Critical). | + | Max Alerts To Fetch | Integer | No | Max alerts per iteration. | - | Use whitelist as a blacklist | Boolean | No | If enabled, the connector's whitelist - will act as a denylist for rule names. | + | Use whitelist as a blacklist | Boolean | No | If enabled, whitelist acts as + a denylist. | - | Enable Overflow | Boolean | No | If enabled, uses deduplication logic to prevent - alert flooding. | + | Enable Overflow | Boolean | No | If enabled, uses Google 'overflow' to deduplicate + alerts. | | Extract all Entities | Boolean | No | If enabled, extracts all entities from - alert events; otherwise, only the primary entity is extracted. | + events. | - | Verify SSL | Boolean | No | If enabled, verifies the SSL certificate of the - Recorded Future server. | + | Verify SSL | Boolean | No | Verify SSL certificate. | - | Proxy Server Address | String | No | The address of the proxy server to use. + | Environment Field Name | String | No | Field name where environment is stored. | - | Proxy Username | String | No | The proxy username for authentication. | + | Environment Regex Pattern | String | No | Regex to manipulate environment field. + | - | Proxy Password | Password | No | The proxy password for authentication. | + | Proxy Server Address | String | No | Proxy server address. | + | Proxy Username | String | No | Proxy username. | - ### Flow Description + | Proxy Password | Password | No | Proxy password. | - 1. **Initialization**: Connects to the Recorded Future API using the provided - API Key and URL, validating SSL and proxy settings if configured. - 2. **Time Range Determination**: Calculates the starting point for the fetch based - on the last successful execution timestamp or the "Fetch Max Hours Backwards" - parameter. + ### Flow Description - 3. **Alert Discovery**: Queries Recorded Future for alert IDs that match the specified - "Alert Statuses" and (optionally) specific rule IDs defined in the whitelist. + 1. Connects to the Recorded Future API using the provided credentials. - 4. **Data Retrieval**: Fetches full alert details in bulk, including metadata, - associated entities, and AI-generated insights (AI Insights). + 2. Reads previously processed alert IDs to ensure deduplication across iterations. - 5. **Filtering**: Applies whitelist/denylist logic against the Recorded Future - `rule_name` to determine which alerts should be processed. + 3. Queries Recorded Future for alerts based on the configured time range, status, + and severity. - 6. **Mapping & Enrichment**: Transforms the raw Recorded Future data into the - Google SecOps AlertInfo model. This includes mapping severity, assigning environments - via regex, and attaching AI insights to the event data. + 4. Filters alerts based on the configured whitelist/blacklist (rule names). - 7. **Deduplication**: Checks if "Enable Overflow" is active to skip alerts that - meet deduplication criteria. + 5. Processes each alert: + * Maps the alert to the Google SecOps `AlertInfo` format. + * Applies environment mapping if configured. + * Checks for alert overflow (deduplication) if enabled. + 6. Ingests processed alerts into Google SecOps as cases. - 8. **Ingestion**: Creates cases in Google SecOps for each processed alert and - updates the internal state with the latest processed alert IDs and timestamps. + 7. Updates the state (timestamps and processed IDs) for subsequent runs. "Recorded Future - Playbook Alerts Connector": ai_description: >- ### General Description - The Recorded Future - Playbook Alerts Connector ingests high-fidelity "Playbook - Alerts" from the Recorded Future Intelligence platform into Google SecOps. This - connector allows security teams to automate the monitoring of specific threat - categories, such as domain abuse, code repository leakages, and third-party risks, - by transforming these intelligence alerts into actionable cases within the SOAR - environment. + The Recorded Future - Playbook Alerts Connector is designed to ingest security + alerts from the Recorded Future platform into Google SecOps. It enables automated + monitoring of various threat intelligence categories, such as domain abuse, cyber + vulnerabilities, and third-party risks, allowing security analysts to respond + to threats efficiently. The connector periodically polls the Recorded Future API, + filters alerts based on user-defined criteria, and creates cases within the SOAR + platform for further investigation. ### Parameters Description @@ -113,136 +99,109 @@ | :--- | :--- | :--- | :--- | - | DeviceProductField | String | Yes | The source field name used to retrieve the - Product Field name (default: device_product). | - - | EventClassId | String | Yes | The source field name used to retrieve the Event - Field name (default: category). | - - | Environment Field Name | String | No | The name of the field where the environment - name is stored. | + | API URL | String | Yes | API Root of the Recorded Future instance. | - | Environment Regex Pattern | String | No | A regex pattern used to extract or - manipulate the environment name from the environment field. | + | API Key | Password | Yes | API Key from Recorded Future. | - | PythonProcessTimeout | Integer | Yes | The maximum time (in seconds) allowed - for the connector script to run. | + | DeviceProductField | String | Yes | Source field name to retrieve the Product + Field name. | - | API URL | String | Yes | The base URL for the Recorded Future API instance. - | + | EventClassId | String | Yes | Source field name to retrieve the Event Field + name. | - | API Key | Password | Yes | The API Key used for authentication with Recorded - Future. | + | PythonProcessTimeout | Integer | Yes | Timeout limit for the python process + running the script. | - | Fetch Max Hours Backwards | Integer | No | The lookback window (in hours) for - fetching alerts during the first run or after a gap. | + | Fetch Max Hours Backwards | Integer | No | Amount of hours from where to fetch + events. | - | Playbook Alert Categories | String | No | Comma-separated list of categories - to fetch (e.g., domain_abuse, cyber_vulnerability). | + | Playbook Alert Categories | String | No | Comma-separated list of alert categories + to fetch. | | Playbook Alert Statuses | String | No | Comma-separated list of alert statuses - to fetch (e.g., New, InProgress). | + to fetch. | | Playbook Alert Priorities | String | No | Comma-separated list of alert priorities - to fetch (e.g., High, Moderate). | + to fetch. | - | Max Alerts To Fetch | Integer | No | The maximum number of alerts to process - in a single connector iteration. | + | Max Alerts To Fetch | Integer | No | Maximum number of alerts to process per + iteration. | - | Severity | String | No | An optional override to set a fixed severity (Low, - Medium, High, Critical) for all ingested alerts. | + | Severity | String | No | Override severity for created alerts (Low, Medium, + High, Critical). | - | Enable Overflow | Boolean | No | If enabled, uses the Google SecOps overflow - mechanism to deduplicate similar alerts. | + | Enable Overflow | Boolean | No | If enabled, uses Google 'overflow' to deduplicate + similar alerts. | - | Verify SSL | Boolean | No | If enabled, verifies the SSL certificate of the + | Verify SSL | Boolean | No | If enabled, verifies the SSL certificate for the Recorded Future server. | - | Proxy Server Address | String | No | The address of the proxy server if one - is required. | + | Environment Field Name | String | No | Field name where the environment name + is stored. | + + | Environment Regex Pattern | String | No | Regex pattern to manipulate the environment + field value. | + + | Proxy Server Address | String | No | Address of the proxy server. | - | Proxy Username | String | No | The username for proxy authentication. | + | Proxy Username | String | No | Username for proxy authentication. | - | Proxy Password | Password | No | The password for proxy authentication. | + | Proxy Password | Password | No | Password for proxy authentication. | ### Flow Description - 1. **Initialization**: The connector establishes a connection to the Recorded - Future API using the provided credentials and configuration. + 1. The connector initializes and connects to the Recorded Future API using the + provided credentials. - 2. **Time Window Calculation**: It determines the starting point for the fetch - by checking the last successful execution timestamp or falling back to the "Fetch - Max Hours Backwards" setting. + 2. It reads existing alert IDs from the system to ensure that only new alerts + are processed, preventing duplicates. - 3. **Data Retrieval**: The connector queries Recorded Future for Playbook Alerts, - applying filters for specific categories, statuses, and priorities defined in - the parameters. + 3. It queries the Recorded Future API for Playbook Alerts, applying filters for + categories, statuses, priorities, and the specified time range. - 4. **Deduplication**: It compares fetched alert IDs against a local cache of previously - processed IDs to ensure no duplicate cases are created. + 4. For each fetched alert, the connector checks for script timeouts and applies + deduplication logic if 'Enable Overflow' is enabled. - 5. **Transformation**: Each unique alert is mapped to the Google SecOps AlertInfo - data model. This includes mapping environment details, calculating severity (or - applying overrides), and formatting the raw intelligence data into events. + 5. Valid alerts are mapped to the Google SecOps case format, including environment + mapping based on configured fields and regex patterns. - 6. **Overflow Check**: If enabled, the connector checks if the alert matches overflow - criteria to prevent system saturation from repetitive alerts. + 6. The processed alerts are ingested into the SOAR platform as new cases. - 7. **Ingestion**: Validated alerts are sent to the Google SecOps platform to be - created as cases. The connector then updates its state by saving the new timestamp - and processed IDs. + 7. Finally, the connector saves the current timestamp and updated list of alert + IDs to ensure subsequent iterations continue from the correct point. "Recorded Future - Playbook Alerts Tracking Connector": - ai_description: "### General Description\nThe **Recorded Future - Playbook Alerts\ - \ Tracking Connector** is designed to monitor and ingest updates for existing\ - \ Playbook Alerts from Recorded Future into Google SecOps. Unlike standard connectors\ - \ that fetch new alerts, this tracking connector specifically identifies modifications\ - \ to existing alerts\u2014such as status changes, priority escalations, or the\ - \ addition of new evidence\u2014and creates new cases in Google SecOps based on\ - \ these triggers. This ensures that significant developments in ongoing Recorded\ - \ Future investigations are captured as actionable events within the SOAR platform.\n\ - \n### Parameters Description\n| Parameter | Type | Mandatory | Description |\n\ - | :--- | :--- | :--- | :--- |\n| DeviceProductField | String | Yes | The source\ - \ field name used to retrieve the Product Field name (default: device_product).\ - \ |\n| EventClassId | String | Yes | The source field name used to retrieve the\ - \ Event Field name (default: category). |\n| Environment Field Name | String |\ - \ No | The field name where the environment name is stored. |\n| Environment Regex\ - \ Pattern | String | No | A regex pattern to manipulate the environment field\ - \ value. |\n| PythonProcessTimeout | Integer | Yes | Timeout limit in seconds\ - \ for the python process. |\n| API URL | String | Yes | The API Root of the Recorded\ - \ Future instance (default: https://api.recordedfuture.com). |\n| API Key | Password\ - \ | Yes | Your Recorded Future API Key. |\n| Search Max Hours Backwards | Integer\ - \ | No | The number of hours to look back for Playbook Alert updates since the\ - \ last run. |\n| Playbook Alert Categories | String | No | Comma-separated list\ - \ of categories to fetch (e.g., domain_abuse, cyber_vulnerability). |\n| Playbook\ - \ Alert Statuses | String | No | Comma-separated list of statuses to fetch (e.g.,\ - \ New, InProgress, Resolved). |\n| Playbook Alert Priorities | String | No | Comma-separated\ - \ list of priorities to fetch (e.g., Informational, Moderate, High). |\n| Playbook\ - \ Alert Reopened | Boolean | No | If true, creates a new case when a Playbook\ - \ Alert is reopened. |\n| Priority Increased | Boolean | No | If true, creates\ - \ a new case when a Playbook Alert's priority is increased. |\n| New Assessment\ - \ Added | Boolean | No | If true, creates a new case when a new assessment is\ - \ added to the alert. |\n| Entity Added | Boolean | No | If true, creates a new\ - \ case when new entities are added to the alert. |\n| Max Alerts To Fetch | Integer\ - \ | No | Maximum number of alerts to process per connector iteration. |\n| Severity\ - \ | String | Yes | The default severity (Low, Medium, High, Critical) assigned\ - \ to created alerts. |\n| Enable Overflow | Boolean | No | If enabled, uses Google\ - \ SecOps overflow logic to deduplicate similar alerts. |\n| Verify SSL | Boolean\ - \ | No | If enabled, verifies the SSL certificate for the Recorded Future server.\ - \ |\n\n### Flow Description\n1. **Initialization**: The connector establishes\ - \ a connection to the Recorded Future API using the provided API Key and URL.\n\ - 2. **Time Range Calculation**: It determines the search window by checking the\ - \ last successful execution time or falling back to the \"Search Max Hours Backwards\"\ - \ parameter.\n3. **Alert Retrieval**: It queries Recorded Future for Playbook\ - \ Alerts that have been updated within the time window, filtered by the configured\ - \ categories, statuses, and priorities.\n4. **Update Analysis**: For each retrieved\ - \ alert, the connector inspects the `panel_log_v2` (audit logs) to identify specific\ - \ changes that occurred within the search timeframe.\n5. **Trigger Evaluation**:\ - \ The connector checks if the identified changes match the enabled tracking triggers:\ - \ Reopened, Priority Increased, New Assessment Added, or Entity Added.\n6. **Case\ - \ Creation**: If a valid update trigger is detected, the connector maps the Playbook\ - \ Alert data into a Google SecOps alert format, applying environment and severity\ - \ settings.\n7. **Deduplication**: If \"Enable Overflow\" is active, the connector\ - \ checks for similar existing alerts to prevent redundant case creation.\n8. **Ingestion**:\ - \ The final alert objects are sent to Google SecOps to be created as new cases\ - \ for analyst review." + ai_description: "### General Description\nThis connector integrates with Recorded\ + \ Future to track and ingest Playbook Alert updates into Google SecOps. It monitors\ + \ for specific changes in alerts\u2014such as status updates, priority increases,\ + \ new assessments, or added entities\u2014and automatically creates or updates\ + \ cases within the SOAR platform based on these events.\n\n### Parameters Description\n\ + | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ + | API URL | String | Yes | API Root of the Recorded Future instance. |\n| API\ + \ Key | Password | Yes | API Key from Recorded Future. |\n| DeviceProductField\ + \ | String | Yes | Source field name for the Product Field name. |\n| EventClassId\ + \ | String | Yes | Source field name for the Event Field name. |\n| PythonProcessTimeout\ + \ | Integer | Yes | Timeout limit for the python process. |\n| Severity | String\ + \ | Yes | Severity assigned to created cases (Low, Medium, High, Critical). |\n\ + | Search Max Hours Backwards | Integer | No | Hours to look back for updates.\ + \ |\n| Playbook Alert Categories | String | No | Comma-separated categories to\ + \ fetch. |\n| Playbook Alert Statuses | String | No | Comma-separated statuses\ + \ to fetch. |\n| Playbook Alert Priorities | String | No | Comma-separated priorities\ + \ to fetch. |\n| Playbook Alert Reopened | Boolean | No | Create case if alert\ + \ is reopened. |\n| Priority Increased | Boolean | No | Create case if priority\ + \ increases. |\n| New Assessment Added | Boolean | No | Create case if new assessment\ + \ is added. |\n| Entity Added | Boolean | No | Create case if entities are added.\ + \ |\n| Max Alerts To Fetch | Integer | No | Max alerts per iteration. |\n| Enable\ + \ Overflow | Boolean | No | Use overflow to deduplicate alerts. |\n| Verify SSL\ + \ | Boolean | No | Verify SSL certificate. |\n| Environment Field Name | String\ + \ | No | Field name for environment. |\n| Environment Regex Pattern | String |\ + \ No | Regex for environment field. |\n| Proxy Server Address | String | No |\ + \ Proxy server address. |\n| Proxy Username | String | No | Proxy username. |\n\ + | Proxy Password | Password | No | Proxy password. |\n\n### Flow Description\n\ + 1. Authenticate with the Recorded Future API using the provided credentials.\n\ + 2. Retrieve Playbook Alerts based on configured filters (categories, statuses,\ + \ priorities) and the specified time window.\n3. Analyze alert logs to detect\ + \ specific changes (reopened, priority increase, new assessment, entity added).\n\ + 4. Filter alerts based on the enabled change criteria.\n5. Map valid alerts to\ + \ SOAR cases, applying environment settings and deduplication if overflow is enabled.\n\ + 6. Ingest the resulting cases into Google SecOps." diff --git a/content/response_integrations/third_party/partner/recorded_future_intelligence/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/recorded_future_intelligence/resources/ai/integration_ai_description.yaml index ac8e64b44..8ef2618c9 100644 --- a/content/response_integrations/third_party/partner/recorded_future_intelligence/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/partner/recorded_future_intelligence/resources/ai/integration_ai_description.yaml @@ -7,6 +7,16 @@ product_categories: iam_and_identity_management: false itsm: false network_security: false - siem: false + reasoning: >- + The integration 'recorded_future_intelligence' provides extensive threat intelligence + enrichment capabilities, including actions to enrich various IOC types (IP, Hash, + URL, CVE, Hostname) and retrieve malware intelligence. This directly aligns with + the Threat Intelligence category. Additionally, the integration includes multiple + connectors (Classic Alerts, Playbook Alerts, Playbook Alerts Tracking) that ingest + security alerts from Recorded Future into Google SecOps, which is a core function + of a SIEM integration. The integration does not provide EDR, Network Security, + Email Security, IAM, Cloud Security, ITSM, Vulnerability Management, Asset Inventory, + or Collaboration capabilities as defined in the provided criteria. + siem: true threat_intelligence: true - vulnerability_management: true + vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/rubrik_security_cloud/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/rubrik_security_cloud/resources/ai/actions_ai_description.yaml index 36a27530c..8fac09302 100644 --- a/content/response_integrations/third_party/partner/rubrik_security_cloud/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/rubrik_security_cloud/resources/ai/actions_ai_description.yaml @@ -13,12 +13,17 @@ Advanced IOC Scan: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action initiates a threat hunt (scan) on the Rubrik Security Cloud platform. + It does not match any of the predefined categories, as it is a specialized security + operation for threat hunting rather than enrichment, containment, or ticket + management. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false search_asset: false search_email: false - search_events: true + search_events: false send_email: false send_message: false submit_file: false @@ -28,107 +33,104 @@ Advanced IOC Scan: update_identity: false update_ticket: false ai_description: >- - Starts a new advanced threat hunt (IOC scan) in Rubrik Security Cloud across specified - objects. This action allows for granular scanning by supporting various indicator - types (Hashes, File Paths, or YARA rules) and filtering criteria such as date - ranges, file sizes, and path inclusions/exclusions. It initiates a bulk threat - hunt process and returns the unique identifiers for the created hunts. + ### General Description + This action initiates an advanced Indicator of Compromise (IOC) scan on specified + Rubrik objects within the Rubrik Security Cloud platform. It allows for highly + configurable threat hunting by supporting various IOC types, date ranges, file + size filters, and path inclusions/exclusions. The action triggers a bulk threat + hunt mutation and returns the results, which are then displayed in the SOAR interface + as a data table. - ### Flow Description - 1. **Parameter Extraction:** Retrieves the target Object IDs, IOC details (either - via individual type/value or a JSON-encoded advanced IOC object), and various - scan filters (dates, file sizes, paths). + ### Parameters Description - 2. **Validation:** Validates that Object IDs are provided, dates are in the correct - ISO format, and integer parameters (like file sizes or snapshot limits) are valid. - It also ensures that the start date precedes the end date. + | Parameter | Type | Mandatory | Description | - 3. **API Initialization:** Authenticates with Rubrik Security Cloud using the - provided Service Account JSON and initializes the GraphQL API manager. + | :--- | :--- | :--- | :--- | - 4. **Scan Initiation:** Executes a GraphQL mutation (`startBulkThreatHunt`) to - trigger the scan on the Rubrik platform. + | Object ID | string | Yes | Comma-separated list of object IDs to scan. | - 5. **Result Processing:** Captures the hunt IDs and statuses from the response, - adds the raw JSON to the action results, and populates a data table in the SOAR - case for the analyst to track the progress. + | IOC Type | ddl | No | Type of IOC to search for (e.g., PATH_OR_FILENAME, HASH, + YARA_RULE). | + | IOC Value | string | No | Specific IOC value to search for. | - ### Parameters Description + | Scan Name | string | No | Custom name for the scan (auto-generated if not provided). + | - | Parameter Name | Type | Mandatory | Description | + | Advanced IOC | string | No | JSON encoded Indicators Of Compromise to scan. + | - | :--- | :--- | :--- | :--- | + | Start Date | string | No | Start date for snapshot range (ISO format). | - | **Object ID** | String | Yes | Comma-separated list of Rubrik object IDs (e.g., - VM FIDs) to perform the scan on. | + | End Date | string | No | End date for snapshot range (ISO format). | - | **IOC Type** | DDL | No | The type of indicator to scan for. Options: `INDICATOR_OF_COMPROMISE_TYPE_PATH_OR_FILENAME`, - `INDICATOR_OF_COMPROMISE_TYPE_HASH`, `INDICATOR_OF_COMPROMISE_TYPE_YARA_RULE`. + | Max Snapshots Per Object | string | No | Maximum snapshots to scan per object. | - | **IOC Value** | String | No | The specific value of the indicator (e.g., a file - hash or path). Required if `IOC Type` is used. | + | Max Matches Per Snapshot | string | No | Maximum matches to return per snapshot. + | - | **Advanced IOC** | String | No | A JSON-encoded string containing multiple IOCs. - Keys should be the IOC type and values should be lists of indicator values. | + | Min File Size | string | No | Minimum file size in bytes to scan. | - | **Scan Name** | String | No | A custom name for the threat hunt. If not provided, - a name is auto-generated using the current timestamp. | + | Max File Size | string | No | Maximum file size in bytes to scan. | - | **Start Date** | String | No | Filter snapshots from this date (Format: `yyyy-mm-dd` - or `yyyy-mm-ddTHH:MM:SSZ`). | + | Paths To Include | string | No | Comma-separated paths to include in scan. | - | **End Date** | String | No | Filter snapshots until this date (Format: `yyyy-mm-dd` - or `yyyy-mm-ddTHH:MM:SSZ`). | + | Paths To Exclude | string | No | Comma-separated paths to exclude from scan. + | - | **Max Snapshots Per Object** | String | No | Maximum number of snapshots to - scan for each target object. | + | Paths To Exempt | string | No | Comma-separated paths to exempt from exclusion. + | - | **Max Matches Per Snapshot** | String | No | The scan for a snapshot terminates - once this number of matches is reached. | - | **Min File Size** | String | No | Minimum file size in bytes to include in the - scan. | + ### Additional Notes + + Either the 'Advanced IOC' parameter must be configured, or the combination of + 'IOC Type' and 'IOC Value' must be provided for the action to run. If neither + is provided, the action will fail. - | **Max File Size** | String | No | Maximum file size in bytes to include in the - scan. | - | **Paths To Include** | String | No | Comma-separated list of file paths to include - in the scan. | + ### Flow Description - | **Paths To Exclude** | String | No | Comma-separated list of file paths to exclude - from the scan. | + 1. **Configuration Initialization**: Retrieves integration parameters (Service + Account JSON, SSL verification) from the SOAR configuration. - | **Paths To Exempt** | String | No | Comma-separated list of paths to exempt - from the exclusion list. | + 2. **Parameter Extraction**: Extracts all action parameters from the user input. + 3. **Validation**: Validates parameters, including object IDs, integers, JSON + structures, and date formats. - ### Additional Notes + 4. **Client Initialization**: Initializes the Rubrik Security Cloud client using + the provided credentials. - * **IOC Configuration:** You must provide either the `Advanced IOC` JSON parameter - OR both the `IOC Type` and `IOC Value` parameters for the action to execute successfully. + 5. **Execution**: Executes the `start_advance_ioc_scan` mutation to trigger the + threat hunt on the Rubrik platform. - * **Date Filtering:** If both `Start Date` and `End Date` are provided, the action - validates that the start date is earlier than the end date. + 6. **Result Processing**: Processes the response, generates a data table with + the hunt details, and adds it to the SOAR action result. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: true - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Initiates a new threat hunt (scan job) in Rubrik Security Cloud, which creates - new hunt records and consumes system resources for the scanning process. - fetches_data: true - internal_data_mutation_explanation: >- - Adds a data table to the Google SecOps case containing the IDs and names of - the initiated threat hunts. + Initiates a threat hunt (scan) on the Rubrik Security Cloud platform. + fetches_data: false + internal_data_mutation_explanation: null + reasoning: >- + The action triggers a threat hunt (mutation) on the Rubrik platform. It does + not fetch contextual data about entities, nor does it modify internal SOAR case + data (entities, insights, or comments). categories: enrichment: false + reasoning: >- + The action performs a mutation (starts a scan) on an external system. It does + not fetch data for enrichment purposes, nor does it modify internal SOAR data. + Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -144,6 +146,9 @@ Advanced IOC Scan: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on `siemplify.target_entities`. It takes `Object + ID` as a parameter to identify the target system for the scan. Get CDM Cluster Connection State: action_product_categories: add_alert_comment: false @@ -159,6 +164,10 @@ Get CDM Cluster Connection State: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves contextual metadata (connection state) for a resource (CDM + cluster). This matches the 'Enrich Asset' category. It does not fetch alert + information, so 'Get Alert Information' is false. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -176,49 +185,36 @@ Get CDM Cluster Connection State: ai_description: >- ### General Description - The **Get CDM Cluster Connection State** action retrieves the current connection - status of a specific Cloud Data Management (CDM) cluster within Rubrik Security - Cloud (RSC). This action is useful for monitoring the health and availability - of backup infrastructure components by checking the connectivity status of all - nodes within a cluster. + Retrieves the connection state of a specific CDM (Cloud Data Management) cluster + from Rubrik Security Cloud. This action provides visibility into the connectivity + status of nodes within the cluster. ### Parameters Description | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | - - | **Cluster ID** | String | Yes | The unique identifier of the CDM cluster for - which the connection state is being requested. | + | --- | --- | --- | --- | + | Cluster ID | string | Yes | The unique identifier of the CDM cluster. | - ### Flow Description - 1. **Parameter Extraction**: The action retrieves the mandatory `Cluster ID` from - the input parameters. + ### Additional Notes - 2. **Authentication**: It initializes the Rubrik API manager using the provided - service account credentials and handles OAuth token management (including automatic - refresh if expired). + There are no additional notes for this action. - 3. **Data Retrieval**: A GraphQL query is sent to Rubrik Security Cloud to fetch - the `connectedState` for all nodes associated with the specified cluster ID. - 4. **Data Processing**: The raw GraphQL response is parsed, and node connection - states are extracted and structured using a dedicated data model. + ### Flow Description - 5. **Result Generation**: The action populates a data table named "CDM Cluster - Connection State" containing the Cluster ID and Connection State for each node. - It also attaches the full JSON response to the action results for further analysis. + 1. Extracts the `Cluster ID` parameter. + 2. Initializes the Rubrik Security Cloud API client. - ### Additional Notes + 3. Queries the Rubrik API for the connection state of the specified cluster. - - This action does not run on entities; it requires a specific Cluster ID as input. + 4. Parses the response to extract node connection details. - - The data table is limited to the first 20 records (nodes) found to ensure performance - and readability. + 5. Adds the retrieved data to the action results as a table and JSON. capabilities: can_create_case_comments: false can_create_insight: false @@ -229,8 +225,16 @@ Get CDM Cluster Connection State: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches data from the Rubrik API (fetches_data=true). It does not + mutate external systems (can_mutate_external_data=false). It does not modify + internal SOAR case data (can_mutate_internal_data=false). categories: enrichment: true + reasoning: >- + The action fetches data from an external source (Rubrik Security Cloud) and + does not mutate any external or internal data. It is a read-only enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -246,6 +250,9 @@ Get CDM Cluster Connection State: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities`. It uses a provided + `Cluster ID` parameter. Get CDM Cluster Location: action_product_categories: add_alert_comment: false @@ -257,14 +264,18 @@ Get CDM Cluster Location: disable_identity: false download_file: false enable_identity: false - enrich_asset: false + enrich_asset: true enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves contextual metadata (geographical location) for a specific + resource (CDM Cluster). This aligns with the 'Enrich Asset' category, which + covers returning contextual metadata for a user or resource. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false - search_asset: true + search_asset: false search_email: false search_events: false send_email: false @@ -276,52 +287,37 @@ Get CDM Cluster Location: update_identity: false update_ticket: false ai_description: >- - ### General Description + Retrieves the geographical location information for a specific Rubrik CDM (Cloud + Data Management) cluster. This action interacts with the Rubrik Security Cloud + API to fetch location details for all nodes within the specified cluster and presents + the data in a structured table format. - The **Get CDM Cluster Location** action retrieves the geographical location (physical - address) of a specific Rubrik CDM (Cloud Data Management) cluster. This action - is used to identify where the physical hardware or cloud instance of a cluster - is located, which is essential for data residency verification, compliance auditing, - and infrastructure management. - - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Cluster ID | String | Yes | The unique identifier of the CDM cluster for which - you want to retrieve the location information. | + | Cluster ID | string | Yes | The unique identifier of the CDM cluster to retrieve + location information for. | ### Flow Description - 1. **Parameter Extraction**: The action extracts the mandatory `Cluster ID` from - the user input. - - 2. **Authentication**: It establishes a secure connection to the Rubrik Security - Cloud using service account credentials and OAuth token management. - - 3. **API Query**: The action executes a GraphQL query (`CDM_CLUSTER_LOCATION_QUERY`) - against the Rubrik API, filtering by the provided `Cluster ID` to retrieve `geoLocation` - data. - - 4. **Data Processing**: It parses the response to extract the physical address - for each node associated with the cluster. - - 5. **Output Generation**: The results are formatted into a data table named "CDM - Cluster Location" and the full raw response is attached as a JSON result for use - in subsequent playbook steps. + 1. The action extracts the `Cluster ID` from the provided parameters. + 2. It initializes the `APIManager` to establish a connection with the Rubrik Security + Cloud API. - ### Additional Notes + 3. It calls the API to retrieve the CDM cluster location data using the provided + `Cluster ID`. - - This action does not operate on SecOps entities (like IPs or Hostnames); it - requires a specific Rubrik Cluster ID as a parameter. + 4. The retrieved data is added to the action results as a JSON object. - - If the provided Cluster ID is invalid or not found, the action will return a - failure status. + 5. The action parses the node location data and generates a data table titled + "CDM Cluster Location" containing the Cluster ID and its location, which is then + added to the action output. capabilities: can_create_case_comments: false can_create_insight: false @@ -332,8 +328,18 @@ Get CDM Cluster Location: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET-like operation to retrieve geographical location data + from the Rubrik Security Cloud API. It does not modify any external system state, + nor does it modify internal Google SecOps data (such as entities, alerts, or + insights). It only outputs the retrieved information to the action results. categories: enrichment: false + reasoning: >- + The action fetches data from an external source, but it does not operate on + Google SecOps entities (it uses a parameter-based ID). Therefore, it does not + meet the criteria for an Enrichment Action, which must be designed to gather + context about alerts or entities. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -349,6 +355,9 @@ Get CDM Cluster Location: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or process `siemplify.target_entities`. It + relies solely on the `Cluster ID` provided as an action parameter. Get Sonar Sensitive Hits: action_product_categories: add_alert_comment: false @@ -360,16 +369,21 @@ Get Sonar Sensitive Hits: disable_identity: false download_file: false enable_identity: false - enrich_asset: false + enrich_asset: true enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves sensitive data hits for a resource (Rubrik object), which + provides contextual metadata about the object's security posture. This matches + the 'Enrich Asset' category. It does not perform any other actions like ticket + creation, alert updates, or IOC management. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false search_asset: false search_email: false - search_events: true + search_events: false send_email: false send_message: false submit_file: false @@ -379,54 +393,43 @@ Get Sonar Sensitive Hits: update_identity: false update_ticket: false ai_description: >- - Retrieves sensitive data classification hits for a specific Rubrik object (such - as a virtual machine, database, or file set) from Rubrik Security Cloud. This - action utilizes Rubrik Sonar, a data classification engine, to identify sensitive - data violations within a specified lookback period. It is useful for identifying - data exposure or compliance risks associated with specific backup objects. - - - ### Flow Description: - - 1. **Parameter Validation:** Validates the mandatory 'Object Name' and the optional - 'Lookback Days' (defaulting to 7 days if not provided). + ### General Description - 2. **Date Calculation:** Determines the target search date by subtracting the - lookback days from the current time. + Retrieves sensitive data hits detected by Rubrik Sonar for a specific object within + a configurable lookback period. Sonar is Rubrik's data classification and sensitive + data discovery engine. - 3. **Object Discovery:** Queries the Rubrik Security Cloud GraphQL API to find - the internal identifiers (snappableFid and snapshotFid) for the object matching - the provided name on the calculated date. - 4. **Data Retrieval:** Executes a detailed GraphQL query to fetch sensitive hit - metrics, including analyzer groups, specific analyzer names, and total hit counts - for the identified object snapshot. + ### Parameters Description - 5. **Output Generation:** Formats the retrieved data into a structured data table - ('Sonar Sensitive Hits') and provides the full raw JSON response for further processing. + | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Parameters Description: + | Object Name | string | Yes | The name of the Rubrik object to check for sensitive + hits. | + | Lookback Days | string | No | Number of days in the past to retrieve scan results + from. Defaults to 7. | - | Parameter Name | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + ### Flow Description - | Object Name | String | True | The exact name of the Rubrik object (e.g., a VM - or Volume Group) to check for sensitive data hits. | + 1. Extracts the `Object Name` and `Lookback Days` parameters from the action configuration. - | Lookback Days | String | False | The number of days in the past to look for - scan results. Defaults to '7'. Must be a non-negative integer. | + 2. Calculates the search date by subtracting the `Lookback Days` from the current + date. + 3. Initializes the Rubrik Security Cloud client using the provided service account + credentials. - ### Additional Notes: + 4. Queries the Rubrik API to find the object and retrieve its sensitive data hits + for the calculated date. - - This action does not run on SecOps entities; it performs a search based on the - provided 'Object Name' string. + 5. Parses the response and formats the sensitive hits data using the `SonarSensitiveHitsDatamodel`. - - If no object is found matching the name or if no snapshots exist for that object - on the target date, the action will fail with an informative error message. + 6. Adds the raw JSON result and a formatted data table containing the sensitive + hits to the action output. capabilities: can_create_case_comments: false can_create_insight: false @@ -437,8 +440,16 @@ Get Sonar Sensitive Hits: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches data from the Rubrik Security Cloud API to retrieve sensitive + data hits for a specified object. It does not mutate any external systems or + internal SOAR data (entities, insights, or comments). categories: - enrichment: false + enrichment: true + reasoning: >- + The action is designed to fetch supplemental context (sensitive data hits) about + a resource. It does not mutate external or internal state, making it a valid + enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -454,6 +465,9 @@ Get Sonar Sensitive Hits: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on entities. It uses an action parameter 'Object + Name' to identify the target resource, rather than iterating over `siemplify.target_entities`. IOC Scan Results: action_product_categories: add_alert_comment: false @@ -468,13 +482,17 @@ IOC Scan Results: enrich_asset: false enrich_ioc: false execute_command_on_the_host: false - get_alert_information: false + get_alert_information: true + reasoning: >- + The action retrieves detailed information about a threat hunt scan, which aligns + with 'Get Alert Information' (fetching details of a specific hunt) and 'Search + Events' (returning historical scan telemetry). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false search_asset: false search_email: false - search_events: false + search_events: true send_email: false send_message: false submit_file: false @@ -484,52 +502,42 @@ IOC Scan Results: update_identity: false update_ticket: false ai_description: >- - ### General Description - - Retrieves the results of an IOC (Indicator of Compromise) scan or threat hunt - from Rubrik Security Cloud. This action is designed to fetch detailed metrics - and status information for a specific hunt identified by its ID. It supports asynchronous - execution, allowing it to monitor the progress of a hunt that is still running. + Retrieves detailed results of a threat hunt (IOC scan) from Rubrik Security Cloud + using a specific Hunt ID. This action fetches scan status, object metrics, and + scan metrics to provide visibility into the threat hunt's progress and findings. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. The action extracts the mandatory `Hunt ID` parameter. - | :--- | :--- | :--- | :--- | + 2. It initializes the Rubrik Security Cloud client using the configured service + account credentials. - | Hunt ID | String | Yes | The unique identifier of the threat hunt or IOC scan - to retrieve results for. | + 3. It executes an API call to retrieve the threat hunt details and metrics associated + with the provided `Hunt ID`. + 4. The retrieved data is parsed and formatted into a data table for display in + the SOAR interface. - ### Flow Description + 5. The action returns the execution status and the formatted results. - 1. **Parameter Extraction**: The action retrieves the `Hunt ID` from the input - parameters and validates that it is a non-empty string. - 2. **Client Initialization**: It initializes the Rubrik Security Cloud API manager - using the provided service account credentials and handles OAuth token management. + ### Parameters - 3. **Data Retrieval**: A GraphQL query is sent to Rubrik to fetch `threatHuntDetailV2` - and `threatHuntObjectMetrics` for the specified ID. + | Parameter | Type | Mandatory | Description | - 4. **Data Processing**: The raw JSON response is processed and formatted into - a structured data model (`IOCScanResultsDatamodel`). + | :--- | :--- | :--- | :--- | - 5. **Output Generation**: - * The full JSON response is added to the action results for further processing. - * A data table named "IOC Scan Results" is created, containing key metrics - such as Hunt Name, Type, Status, IOC Details, Object Metrics, and Scan Metrics. - 6. **Status Handling**: The action checks the current status of the hunt. If the - status is `PENDING` or `IN_PROGRESS`, the action returns an `IN_PROGRESS` state - to allow the SOAR platform to poll for completion. + | Hunt ID | string | Yes | The unique identifier of the threat hunt or IOC scan + to retrieve. | ### Additional Notes - This action is typically used as a follow-up to the "Turbo IOC Scan" or "Advanced - IOC Scan" actions to retrieve the final findings and metrics once the scan has - processed the target snapshots. + This action is designed to be used for monitoring the status and results of previously + initiated threat hunts. It does not perform any modifications to the Rubrik Security + Cloud environment or internal SOAR entities. capabilities: can_create_case_comments: false can_create_insight: false @@ -540,8 +548,17 @@ IOC Scan Results: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET-like operation (via GraphQL POST) to retrieve threat + hunt scan results from Rubrik Security Cloud. It does not modify any external + systems or internal SOAR data (entities, insights, etc.). It simply formats + and returns the retrieved data as a result table. categories: enrichment: true + reasoning: >- + The action fetches supplemental context (threat hunt results) from an external + source without modifying any external or internal state. It meets the criteria + for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -557,6 +574,9 @@ IOC Scan Results: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on entities; it uses a specific 'Hunt ID' parameter + to fetch data. List Events: action_product_categories: add_alert_comment: false @@ -572,6 +592,11 @@ List Events: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves a list of events from the Rubrik Security Cloud API based + on user-defined filters. This matches the 'Search Events' category, which is + defined as returning a collection of historical logs or telemetry data matching + specific search parameters. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -587,88 +612,69 @@ List Events: update_identity: false update_ticket: false ai_description: >- - The 'List Events' action retrieves a filtered list of events and activities from - Rubrik Security Cloud (RSC). It allows analysts to query the RSC audit and activity - logs to identify specific system behaviors, job statuses, or security-related - events. The action supports extensive filtering by activity status, type, severity, - object details, and time ranges. Results are returned as a raw JSON object and - formatted into a data table for easy review within the SOAR case. + ### General Description + This action retrieves a list of events and activities from the Rubrik Security + Cloud. It allows users to filter events based on various criteria such as activity + status, type, severity, object details, cluster IDs, and date ranges. The action + supports sorting and pagination to manage the volume of returned data. - ### Parameters Description + ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Sort By** | DDL | No | Specifies the field to use for sorting the response - (e.g., Last Updated, Severity, Start Time). | - - | **Sort Order** | DDL | No | Specifies the order to sort the data (Ascending - or Descending). | - - | **Limit** | String | No | The maximum number of results to retrieve (Default: - 50, Max: 1000). | - - | **Next Page Token** | String | No | The cursor token used to retrieve the next - set of paginated results. | - - | **Activity Status** | String | No | Comma-separated list of statuses to filter - by (e.g., 'Failure', 'Success', 'Running'). | - - | **Activity Type** | String | No | Comma-separated list of activity types to - filter by (e.g., 'Backup', 'Anomaly', 'Storage'). | + | Activity Status | string | No | Comma-separated list of activity statuses to + filter (e.g., "Failure", "Success"). | - | **Severity** | String | No | Comma-separated list of severity levels (e.g., - 'Critical', 'Warning', 'Info'). | + | Activity Type | string | No | Comma-separated list of activity types to filter + (e.g., "Sync", "Anomaly"). | - | **Object Name** | String | No | Filters events based on the name of the object - involved. | + | Severity | string | No | Comma-separated list of severity levels to filter (e.g., + "Critical", "Warning"). | - | **Object Type** | String | No | Comma-separated list of object types (e.g., - 'VmwareVm', 'WindowsFileset'). | + | Object Name | string | No | Name of the object to filter events for. | - | **Cluster ID** | String | No | Comma-separated list of Rubrik Cluster IDs to - filter the events. | + | Object Type | string | No | Comma-separated list of object types to filter (e.g., + "ShareFileset", "VmwareVm"). | - | **Start Date** | String | No | The start date for the event range (Format: yyyy-mm-dd - or ISO 8601). | + | Cluster ID | string | No | Comma-separated list of cluster IDs to filter. | - | **End Date** | String | No | The end date for the event range (Format: yyyy-mm-dd - or ISO 8601). | + | Start Date | string | No | Start date for event range (ISO format: yyyy-mm-dd, + yyyy-mm-ddTHH:MM:SSZ). | + | End Date | string | No | End date for event range (ISO format: yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ). + | - ### Additional Notes + | Sort By | ddl | No | Field to sort results by. | - - If both **Start Date** and **End Date** are provided, the Start Date must be - chronologically before the End Date. + | Sort Order | ddl | No | Sort order (Asc/Desc). | - - The action uses GraphQL to communicate with Rubrik Security Cloud. + | Limit | string | No | Maximum number of events to retrieve (default: 50, max: + 1000). | - - A maximum of 20 records are displayed in the SOAR data table to maintain performance, - while the full result set is available in the JSON output. + | Next Page Token | string | No | Token for pagination to retrieve the next set + of results. | ### Flow Description - 1. **Parameter Extraction:** The action extracts all filtering, sorting, and pagination - parameters provided by the user. - - 2. **Validation:** It validates that the 'Limit' is a positive integer and that - the provided dates match supported formats (YYYY-MM-DD or ISO). + 1. **Initialization**: The action initializes the Rubrik Security Cloud client + using the provided service account credentials. - 3. **API Initialization:** Initializes the Rubrik APIManager using the provided - Service Account credentials and handles OAuth token generation/refresh. + 2. **Validation**: It validates all input parameters, including date formats and + integer constraints. - 4. **Data Retrieval:** Executes a GraphQL query (`activitySeriesConnection`) against - the Rubrik Security Cloud endpoint with the specified filters. + 3. **Data Retrieval**: It executes a GraphQL query to fetch events from Rubrik + Security Cloud, applying the specified filters, sorting, and pagination. - 5. **Result Processing:** Parses the GraphQL response, extracts the event edges - and pagination info, and converts the data into a structured format. + 4. **Result Processing**: The action parses the API response, extracts event details, + and formats the data. - 6. **Output Generation:** Adds the full response to the action's JSON results - and populates a data table named 'Events' in the SOAR case wall. + 5. **Output**: It adds the raw JSON response to the action results and constructs + a CSV table of the retrieved events for display in the SOAR interface. capabilities: can_create_case_comments: false can_create_insight: false @@ -679,8 +685,17 @@ List Events: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a read-only GraphQL query to fetch event data from Rubrik + Security Cloud. It does not modify external systems or internal SecOps data. + It adds results to the action output (JSON and table), which is standard for + reporting and does not constitute internal data mutation. categories: enrichment: false + reasoning: >- + The action fetches data (events) but does not meet the criteria for an Enrichment + action because it does not enrich entities or alerts, nor does it create insights + or comments. It is a data retrieval/search action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -696,6 +711,9 @@ List Events: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `siemplify.target_entities`. It operates independently + of any specific entity. List Object Snapshots: action_product_categories: add_alert_comment: false @@ -711,6 +729,10 @@ List Object Snapshots: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves a list of snapshots for a specific object. It does not + match any of the defined categories such as IOC enrichment, asset enrichment, + ticket management, or containment actions. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -725,42 +747,68 @@ List Object Snapshots: update_email: false update_identity: false update_ticket: false - ai_description: "### General Description\nRetrieves a list of snapshots for a specific\ - \ object from Rubrik Security Cloud (RSC). This action allows analysts to query\ - \ the backup history of a workload, providing visibility into available recovery\ - \ points. It supports filtering by date range and snapshot type, as well as pagination\ - \ for large result sets.\n\n### Parameters Description\n\n| Parameter | Type |\ - \ Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| **Object ID** |\ - \ String | Yes | The unique identifier (FID) of the object for which snapshots\ - \ are to be searched. |\n| **Limit** | String | No | The maximum number of snapshots\ - \ to retrieve in the response. The value must be between 1 and 1000. Default is\ - \ 50. |\n| **Next Page Token** | String | No | The cursor used to retrieve the\ - \ next set of results if more snapshots are available. |\n| **Sort Order** | DDL\ - \ | No | Specifies the chronological order of the results based on creation time.\ - \ Options: `Asc` (default), `Desc`. |\n| **Start Date** | String | No | Filters\ - \ snapshots created on or after this date. Supported formats: `yyyy-mm-dd`, `yyyy-mm-ddTHH:MM:SSZ`.\ - \ |\n| **End Date** | String | No | Filters snapshots created on or before this\ - \ date. Supported formats: `yyyy-mm-dd`, `yyyy-mm-ddTHH:MM:SSZ`. |\n| **Snapshot\ - \ Type** | String | No | A comma-separated list of snapshot types to filter the\ - \ results (e.g., `OnDemand`). |\n\n### Flow Description\n1. **Initialization**:\ - \ The action extracts the mandatory `Object ID` and optional filter parameters\ - \ from the environment.\n2. **Validation**: It validates that the `Object ID`\ - \ is non-empty, the `Limit` is a valid integer within the allowed range (1-1000),\ - \ and that the provided dates follow the supported ISO formats. It also ensures\ - \ the `Start Date` is before the `End Date`.\n3. **API Interaction**: The action\ - \ authenticates with Rubrik Security Cloud and executes a GraphQL query (`OBJECT_SNAPSHOTS_QUERY`)\ - \ to fetch the snapshot metadata for the specified object.\n4. **Data Processing**:\ - \ The raw GraphQL response is captured. The action then processes the snapshot\ - \ edges to extract key details such as Snapshot ID, Creation Date, Cluster Name,\ - \ and SLA Domain Name.\n5. **Output**: \n - A formatted data table named \"\ - Object Snapshots\" is added to the case wall containing the processed metadata.\n\ - \ - The full raw JSON response is attached to the action results.\n - A\ - \ status message is returned indicating the number of snapshots found and providing\ - \ a pagination token if more results exist.\n\n### Additional Notes\n- If the\ - \ `Next Page Token` is returned in the output message, it can be used in a subsequent\ - \ execution of this action to fetch the next page of snapshots.\n- The data table\ - \ is limited to showing a maximum of 20 records for readability, while the full\ - \ result set is available in the JSON output." + ai_description: >- + Retrieves a list of snapshots for a specific object from Rubrik Security Cloud. + This action allows users to query backup snapshots based on an object ID, with + options to filter by date range, snapshot type, and sort order. The results are + returned as a JSON object and a formatted CSV table. + + + ### Flow Description + + 1. **Parameter Extraction**: The action extracts the required `Object ID` and + optional parameters (`Start Date`, `End Date`, `Snapshot Type`, `Limit`, `Next + Page Token`, `Sort Order`) from the action configuration. + + 2. **Validation**: It validates the provided parameters, ensuring the `Object + ID` is present, dates are in the correct format, and the `Limit` is a valid integer. + + 3. **API Initialization**: The action initializes the Rubrik API client using + the provided service account credentials. + + 4. **Data Retrieval**: It executes a GraphQL query to fetch the snapshots from + Rubrik Security Cloud based on the provided filters. + + 5. **Result Processing**: The action processes the API response, extracts snapshot + details, and handles pagination information. + + 6. **Output Generation**: It adds the raw JSON response to the action results + and generates a CSV table containing snapshot details (Snapshot ID, Creation Date, + Cluster Name, SLA Domain Name) for the analyst to review. + + + ### Parameters + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Object ID | String | Yes | The unique identifier of the object to list snapshots + for. | + + | Start Date | String | No | The start date to get snapshots from (Format: yyyy-mm-dd, + yyyy-mm-ddTHH:MM:SSZ). | + + | End Date | String | No | The end date to get snapshots until (Format: yyyy-mm-dd, + yyyy-mm-ddTHH:MM:SSZ). | + + | Snapshot Type | String | No | Comma-separated list of snapshot types to filter. + | + + | Limit | String | No | Number of results to retrieve (Default: 50, Max: 1000). + | + + | Next Page Token | String | No | The next page cursor to retrieve the next set + of results. | + + | Sort Order | String | No | Specify the order to sort the data in (Asc/Desc). + | + + + ### Additional Notes + + - The action does not modify any data; it is a read-only operation for retrieving + backup information. capabilities: can_create_case_comments: false can_create_insight: false @@ -771,8 +819,16 @@ List Object Snapshots: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a read-only GraphQL query to the Rubrik API to retrieve + snapshot information. It does not modify external systems, nor does it update + internal SOAR entities, insights, or alert data. categories: enrichment: false + reasoning: >- + The action retrieves data (snapshots) from an external system but does not meet + the criteria for an Enrichment Action as it does not enrich entities or alerts + within the SOAR platform. It is a data retrieval/listing action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -788,6 +844,10 @@ List Object Snapshots: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `siemplify.target_entities`. It accepts an + `Object ID` as a direct input parameter, meaning it does not operate on SOAR + entities. List Sonar File Contexts: action_product_categories: add_alert_comment: false @@ -799,16 +859,19 @@ List Sonar File Contexts: disable_identity: false download_file: false enable_identity: false - enrich_asset: false + enrich_asset: true enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves contextual metadata (file contexts, sensitive data findings) + for a resource (the object/snapshot), which aligns with the 'Enrich Asset' category. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false search_asset: false search_email: false - search_events: true + search_events: false send_email: false send_message: false submit_file: false @@ -820,75 +883,67 @@ List Sonar File Contexts: ai_description: >- ### General Description - Retrieves file contexts detected by Rubrik Sonar for a specific object snapshot - from Rubrik Security Cloud. This action allows analysts to identify sensitive - data findings within files, folders, or file shares, providing detailed metadata - such as file size, hit counts, access types, and modification times. It supports - various filtering options including file name, path, and user ID to narrow down - results. - + Retrieves file contexts and sensitive data findings from Rubrik Sonar for a specific + object snapshot. This action allows analysts to investigate file-level details, + including sensitive hits and access patterns, by querying the Rubrik Security + Cloud API. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Parameter Extraction**: The action extracts required parameters (Object ID, + Snapshot ID) and optional filters (File Name, File Path, User ID, etc.) from the + action configuration. - | :--- | :--- | :--- | :--- | + 2. **API Initialization**: Initializes the Rubrik Security Cloud client using + the provided service account credentials. - | Object ID | string | Yes | The unique identifier of the object (Snappable ID) - to retrieve file contexts for. | + 3. **Data Retrieval**: Executes a GraphQL query to fetch file context data from + Rubrik Sonar based on the provided filters and pagination settings. - | Snapshot ID | string | Yes | The unique identifier of the snapshot associated - with the object. | + 4. **Result Processing**: Parses the API response, formats the data into a table, + and adds the raw JSON response to the action results. - | File Name | string | No | Filter results by a specific file, folder, or file - share name. | + 5. **Output**: Returns a status message and displays the retrieved file context + data in the SOAR interface. - | File Path | string | No | Filter results by a standard file path. | - | User ID | string | No | Filter results by a specific user ID. | + ### Parameters Description - | Include Whitelisted Results | ddl | No | Indicates whether to include results - that have been whitelisted. Options: True, False. | + | Parameter | Type | Mandatory | Description | - | Limit | string | No | Maximum number of file contexts to retrieve in the response - (default is 50). | + | :--- | :--- | :--- | :--- | - | Next Page Token | string | No | The cursor token used to retrieve the next set - of paginated results. | + | Object ID | string | Yes | The unique identifier of the object or Snappable + ID. | - | Sort By | ddl | No | Field used to sort the response (e.g., HITS, NAME, LAST_MODIFIED). - | + | Snapshot ID | string | Yes | The Snapshot ID of the object. | - | Sort Order | ddl | No | Specifies the order to sort the data (Asc or Desc). - Default is Desc. | + | File Name | string | No | Specify the name of the file, folder, or file share + object to filter by. | + | File Path | string | No | Specify the standard file path to filter with. | - ### Flow Description + | User ID | string | No | Specify the user ID to filter with. | - 1. **Parameter Validation**: Validates that the mandatory `Object ID` and `Snapshot - ID` are provided and that the `Limit` is a valid integer. + | Include Whitelisted Results | ddl | No | Boolean to include whitelisted results + (True/False). | - 2. **API Initialization**: Initializes the Rubrik Security Cloud API manager using - the provided service account credentials. + | Limit | string | No | Number of results to retrieve (default: 50). | - 3. **Data Retrieval**: Executes a GraphQL query to fetch Sonar file context data - from Rubrik, applying any provided filters such as file name, path, or user ID. + | Next Page Token | string | No | The next page cursor to retrieve the next set + of results. | - 4. **Result Processing**: Parses the API response into a structured data model - and adds the raw JSON result to the action output. + | Sort By | ddl | No | Field to use for sorting the response (e.g., HITS, NAME, + LAST_ACCESS_TIME). | - 5. **Output Generation**: Generates a data table named "Sonar File Contexts" containing - key file metadata and provides a status message summarizing the number of records - retrieved. + | Sort Order | ddl | No | Order to sort the data (Asc/Desc, default: Desc). | ### Additional Notes - - The action hardcodes the timezone to 'UTC' for the query. - - - The data table displayed in the SOAR interface is limited to the first 20 records - for performance and readability. + - Either Object ID or Snapshot ID must be provided as they are mandatory for the + API call to succeed. capabilities: can_create_case_comments: false can_create_insight: false @@ -899,8 +954,16 @@ List Sonar File Contexts: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches data from Rubrik Security Cloud via GraphQL. It does not + mutate external systems or internal SOAR data. It presents the retrieved data + in a table and JSON format, which is standard for enrichment actions. categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches data (file contexts) to provide context about an object/snapshot. + It does not mutate external systems or internal SOAR data. It qualifies as an + enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -916,6 +979,9 @@ List Sonar File Contexts: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on `target_entities`. It uses parameters provided + in the action configuration to identify the object and snapshot. Ping: action_product_categories: add_alert_comment: false @@ -931,6 +997,9 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test ('Ping'). It does not match any of the defined + product categories such as Enrich IOC, Contain Host, or Create Ticket. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -948,10 +1017,10 @@ Ping: ai_description: >- ### General Description - The **Ping** action is designed to verify the connectivity between the Google - SecOps SOAR platform and the Rubrik Security Cloud instance. It ensures that the - provided credentials (Service Account JSON) are valid and that the SOAR server - can successfully communicate with the Rubrik GraphQL API. + This action tests the connectivity between the Google SecOps SOAR server and the + Rubrik Security Cloud instance. It verifies that the integration is correctly + configured and that the SOAR platform can successfully authenticate and communicate + with the Rubrik API. ### Parameters Description @@ -959,28 +1028,18 @@ Ping: There are no parameters for this action. - ### Additional Notes - - This action is primarily used during the initial setup of the integration or for - troubleshooting communication issues. It utilizes OAuth 2.0 for authentication, - managing token generation and storage internally. - - ### Flow Description - 1. **Parameter Extraction**: The action retrieves the `Service Account JSON` and - `Verify SSL` settings from the integration configuration. + 1. Initialize the `SiemplifyAction` module. + + 2. Retrieve integration parameters (Service Account JSON, Verify SSL) from the + integration configuration. - 2. **API Manager Initialization**: It initializes the `APIManager`, which handles - the OAuth token lifecycle (checking for existing tokens in encrypted storage or - generating a new one). + 3. Initialize the `APIManager` to handle authentication and API communication. - 3. **Connectivity Test**: The action executes a simple GraphQL query (`deploymentVersion`) - against the Rubrik Security Cloud endpoint. + 4. Perform a connectivity test by sending a GraphQL query to the Rubrik API. - 4. **Result Reporting**: If the query succeeds, it returns a success message and - a `True` result value. If any step fails (authentication, network error, or API - error), it captures the exception and reports a failure. + 5. Log the result and terminate the action with a success or failure status. capabilities: can_create_case_comments: false can_create_insight: false @@ -991,8 +1050,16 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity test by sending a GraphQL query to the Rubrik + Security Cloud API. It does not modify external or internal data, nor does it + update entities or create insights. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action. Per the provided instructions, 'Actions named + Ping must not be categorized as enrichment actions.' Therefore, it is not an + enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1008,6 +1075,9 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on any entities; it performs a global connectivity + test. Turbo IOC Scan: action_product_categories: add_alert_comment: false @@ -1023,12 +1093,16 @@ Turbo IOC Scan: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action initiates a threat hunt scan in Rubrik Security Cloud. This does + not align with any of the provided categories (e.g., Enrichment, Containment, + Ticket Management). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false search_asset: false search_email: false - search_events: true + search_events: false send_email: false send_message: false submit_file: false @@ -1038,84 +1112,42 @@ Turbo IOC Scan: update_identity: false update_ticket: false ai_description: >- - Starts a new Turbo Threat Hunt scan in Rubrik Security Cloud to search for specific - Indicators of Compromise (IOCs). This action is optimized for speed and allows - for scanning multiple IOCs across specific clusters or the entire infrastructure - within a defined time range and snapshot limit. - - - ### Parameters Description - - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | IOC | String | Yes | A comma-separated list of indicator values (e.g., MD5, - SHA1, or SHA256 hashes) to scan for. | - - | Scan Name | String | No | A custom name for the new turbo threat hunt scan. - If not provided, a name is automatically generated using the format 'Google-SecOps-YYYY-MM-DD-HH:MM:SS'. - | - - | Cluster ID | String | No | A comma-separated list of cluster IDs on which to - perform the scan. If left empty, the scan may target all available clusters. | - - | Start Time | String | No | Filters the snapshots from the provided date. Supported - formats: `yyyy-mm-dd`, `yyyy-mm-ddTHH:MM:SSZ`, or `yyyy-mm-ddTHH:MM:SS.fffZ`. - | - - | End Time | String | No | Filters the snapshots until the provided date. Supported - formats: `yyyy-mm-dd`, `yyyy-mm-ddTHH:MM:SSZ`, or `yyyy-mm-ddTHH:MM:SS.fffZ`. - | - - | Max Snapshots Per Object | String | No | The maximum number of snapshots to - scan per object. Must be a positive integer. | - - - ### Additional Notes - - - If both `Start Time` and `End Time` are provided, the `Start Time` must be chronologically - before the `End Time`. - - - The action returns a unique `Hunt ID` which can be used to track the progress - and results of the scan in subsequent actions. - - - ### Flow Description - - 1. **Parameter Extraction:** The action retrieves the IOC list, scan name, cluster - IDs, time filters, and snapshot limits from the input. - - 2. **Validation:** It validates that the IOC list is not empty, ensures dates - are in the correct format, and checks that the snapshot limit is a valid positive - integer. - - 3. **API Initialization:** Connects to the Rubrik Security Cloud API using the - provided service account credentials. - - 4. **Scan Initiation:** Executes a GraphQL mutation to start the Turbo Threat - Hunt with the specified configuration. - - 5. **Result Processing:** Captures the `huntId` from the API response, adds the - full JSON response to the action results, and creates a data table in the SOAR - case containing the Hunt ID. + ### General Description This action initiates a Turbo IOC (Indicator of Compromise) + scan across Rubrik infrastructure. Turbo scans are optimized for speed and can + scan multiple IOCs across clusters with configurable time ranges and snapshot + limits. ### Parameters Description | Parameter | Type | Mandatory | Description + | | :--- | :--- | :--- | :--- | | IOC | string | Yes | Comma-separated list of + IOCs to scan for. | | Scan Name | string | No | Custom name for the scan (auto-generated + if not provided). | | Cluster ID | string | No | Comma-separated list of cluster + IDs to scan. | | Start Time | string | No | Start time for snapshot range (ISO + format). | | End Time | string | No | End time for snapshot range (ISO format). + | | Max Snapshots Per Object | string | No | Maximum number of snapshots to scan + per object. | ### Additional Notes There are no additional notes. ### Flow Description + 1. Extract the action parameters (IOC, Scan Name, Cluster ID, etc.). 2. Initialize + the Rubrik Security Cloud client using the provided service account credentials. + 3. Execute the start_turbo_ioc_scan mutation via the Rubrik GraphQL API. 4. Retrieve + the hunt_id from the response. 5. Add the raw JSON response and a data table containing + the hunt_id to the SOAR action results. capabilities: can_create_case_comments: false can_create_insight: false can_modify_alert_data: false can_mutate_external_data: true - can_mutate_internal_data: true + can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Initiates a new Turbo Threat Hunt scan process within the Rubrik Security Cloud - environment. - fetches_data: true - internal_data_mutation_explanation: >- - Adds a data table to the Google SecOps case containing the unique identifier - (Hunt ID) of the initiated scan. + Initiates a Turbo IOC scan (threat hunt) in the Rubrik Security Cloud. + fetches_data: false + internal_data_mutation_explanation: null + reasoning: >- + The action performs a mutation on the Rubrik Security Cloud platform by initiating + a threat hunt scan. It does not fetch contextual data about entities or alerts, + nor does it modify internal SOAR data. categories: enrichment: false + reasoning: >- + The action initiates a scan (mutation) rather than retrieving data, so it is + not an Enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1131,3 +1163,6 @@ Turbo IOC Scan: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use target_entities and operates independently of any specific + entity. diff --git a/content/response_integrations/third_party/partner/rubrik_security_cloud/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/rubrik_security_cloud/resources/ai/integration_ai_description.yaml index 4839c93dd..77430f571 100644 --- a/content/response_integrations/third_party/partner/rubrik_security_cloud/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/partner/rubrik_security_cloud/resources/ai/integration_ai_description.yaml @@ -1,12 +1,22 @@ product_categories: - asset_inventory: true - cloud_security: false + asset_inventory: false + cloud_security: true collaboration: false edr: false email_security: false iam_and_identity_management: false itsm: false network_security: false - siem: true + reasoning: >- + The Rubrik Security Cloud integration is designed to manage and secure data protection + environments, which are integral to cloud-native security architectures. The integration + provides actions to retrieve configuration states (CDM Cluster Connection State, + Location) and security findings (Sonar Sensitive Hits, File Contexts), which directly + aligns with the Cloud Security category's objective of returning resource configuration + states and findings. While the integration includes threat hunting capabilities + (IOC Scans), it does not provide reputation services for external indicators, + nor does it function as a general-purpose SIEM or IT asset inventory system. Therefore, + it is classified under Cloud Security. + siem: false threat_intelligence: false vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/silentpush/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/silentpush/resources/ai/actions_ai_description.yaml index ada291b7d..426d93554 100644 --- a/content/response_integrations/third_party/partner/silentpush/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/silentpush/resources/ai/actions_ai_description.yaml @@ -13,6 +13,9 @@ Add Feed: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action creates a new feed in the Silent Push platform. This does not align + with any of the provided categories (Enrich IOC, Contain Host, etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -30,56 +33,50 @@ Add Feed: ai_description: >- ### General Description - The **Add Feed** action allows users to create a new feed within the Silent Push - platform. This is a management action used to define new sources or categories - of threat intelligence data by providing metadata such as name, type, and tags. + This action adds a new feed to the Silent Push platform. It interacts with the + Silent Push API to create a feed based on the provided parameters, such as name, + type, category, vendor, description, and tags. ### Parameters Description - | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Name** | string | Yes | The unique name for the new feed. | + | Name | string | Yes | Name of the feed. | - | **Type** | string | Yes | The classification type of the feed (e.g., 'domain', - 'ip'). | + | Type | string | Yes | Feed Type. | - | **Category** | string | No | The category the feed belongs to. | + | Category | string | No | Feed Category. | - | **Vendor** | string | No | The provider or vendor of the feed data. | + | Vendor | string | No | Vendor. | - | **Feed Description** | string | No | A detailed description of the feed's purpose - or content. | + | Feed Description | string | No | URL for the screenshot. | - | **Tags** | string | No | A comma-separated list of tags to associate with the - feed. | + | Tags | string | No | Tags that should be attached with the feed. | - ### Flow Description + ### Additional Notes - 1. **Parameter Extraction:** The action retrieves the Silent Push server URL and - API key from the integration configuration, along with the feed details from the - action parameters. + This action does not perform any operations on entities. It is a configuration/management + action that interacts with the Silent Push API. - 2. **Manager Initialization:** Initializes the `SilentPushManager` to handle API - communication. - 3. **API Request:** Executes a POST request to the Silent Push `/api/v1/feeds/` - endpoint with the provided feed metadata. + ### Flow Description - 4. **Result Handling:** Processes the API response. If successful, it returns - the feed details; otherwise, it reports a failure. + 1. Extract the integration configuration (Server URL, API Key). + 2. Extract the action parameters (Name, Type, Category, Vendor, Feed Description, + Tags). - ### Additional Notes + 3. Initialize the `SilentPushManager` with the extracted configuration. - - The `Tags` parameter should be provided as a comma-separated string (e.g., 'malware,phishing'). + 4. Call the `add_feed` method, which sends a POST request to the Silent Push API + to create the new feed. - - This action does not interact with or modify SecOps entities directly, although - it may log entity identifiers present in the context for debugging purposes. + 5. Handle the API response, log the outcome, and end the action with the appropriate + status. capabilities: can_create_case_comments: false can_create_insight: false @@ -88,12 +85,17 @@ Add Feed: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Creates a new feed resource on the Silent Push server via a POST request to - the /api/v1/feeds/ endpoint. + Creates a new feed in the Silent Push platform. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the Silent Push API to create a new feed. + It does not fetch data or modify internal SecOps data. categories: enrichment: false + reasoning: >- + The action creates external data (a feed) rather than retrieving data, so it + cannot be an Enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -109,6 +111,9 @@ Add Feed: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` only to print them, but does + not use them to perform the action. Therefore, no entities are used. Add Feed Tags: action_product_categories: add_alert_comment: false @@ -124,6 +129,10 @@ Add Feed Tags: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action updates tags on a feed in the Silent Push platform. This does not + align with any of the provided categories (Enrich IOC, Update Alert, Create + Ticket, etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -141,48 +150,33 @@ Add Feed Tags: ai_description: >- ### General Description - Adds tags to a specific feed in the Silent Push platform. This action allows users - to organize and categorize threat intelligence feeds by appending a list of descriptive - tags to a feed identified by its unique UUID. + Adds tags to a specific feed in the Silent Push platform. This action takes a + Feed UUID and a comma-separated list of tags as input, and performs a POST request + to the Silent Push API to update the tags associated with the specified feed. ### Parameters Description | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | - - | Feed UUID | string | Yes | The unique identifier (UUID) of the feed to which - the tags will be added. | - - | Tags | string | Yes | A comma-separated list of tags to be updated to the feed. - | - - - ### Additional Notes + |---|---|---|---| - - Although the parameters are marked as optional in the configuration, they are - functionally required for the action to execute its logic successfully. + | Feed UUID | string | No | The unique identifier of the feed to update. | - - This action does not interact with or enrich SecOps entities; it is a management - action performed directly on the Silent Push platform. + | Tags | string | No | Comma-separated tags to be updated to the feed. | ### Flow Description - 1. **Configuration Extraction**: Retrieves the Silent Push Server URL and API - Key from the integration settings. + 1. Extract configuration parameters (Server URL, API Key). - 2. **Parameter Extraction**: Retrieves the `Feed UUID` and the `Tags` string from - the action parameters. + 2. Extract action parameters (Feed UUID, Tags). - 3. **API Interaction**: Calls the Silent Push Manager's `add_feed_tags` method, - which sends a POST request to the `/api/v1/feeds/{feed_uuid}/tags/` endpoint with - the provided tags. + 3. Initialize `SilentPushManager`. - 4. **Result Handling**: Checks the API response. If data is returned, the action - completes successfully; otherwise, it logs an error and terminates with a failure - status. + 4. Call `add_feed_tags` with the provided UUID and tags. + + 5. Log the result and end the action. capabilities: can_create_case_comments: false can_create_insight: false @@ -191,12 +185,17 @@ Add Feed Tags: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Adds tags to a specific feed in the Silent Push platform via a POST request - to the feeds API. + Updates the tags associated with a feed in the Silent Push platform. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the Silent Push API to update tags for + a feed. It does not fetch data, nor does it modify internal SOAR data or entities. categories: enrichment: false + reasoning: >- + The action is a mutation action (POST request) that updates external data (feed + tags). It does not retrieve data for enrichment purposes. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -212,11 +211,15 @@ Add Feed Tags: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` only to print their identifiers. + It does not use these entities to perform the API call or filter the action's + logic. Therefore, it does not run on entities. Add Indicators: action_product_categories: add_alert_comment: false add_ioc_to_allowlist: false - add_ioc_to_blocklist: true + add_ioc_to_blocklist: false contain_host: false create_ticket: false delete_email: false @@ -227,6 +230,10 @@ Add Indicators: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action adds indicators to a feed in the Silent Push platform. This does + not match any of the provided categories (e.g., blocklist, allowlist, ticket, + etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -242,55 +249,47 @@ Add Indicators: update_identity: false update_ticket: false ai_description: >- - Adds indicators to a specified feed in the Silent Push platform. This action allows - users to programmatically update threat intelligence feeds by providing a Feed - UUID and a list of indicators (such as domains or IP addresses). The indicators - are provided as a comma-separated string, which the action parses into a list - and submits via a POST request to the Silent Push API. - - - ### Parameters Description + Adds indicators to a specified feed in the Silent Push platform. This action facilitates + the management of threat intelligence feeds by pushing new indicators to a target + feed. - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Feed UUID | string | No | The unique identifier (UUID) of the feed where indicators - will be added. If not provided, a default UUID is used. | + ### Flow Description - | Indicators | string | No | A comma-separated list of indicators (e.g., 'example.com, - 1.2.3.4') to be added to the feed. | + 1. The action extracts the required configuration parameters (Silent Push Server + URL and API Key) and action parameters (Feed UUID, Indicators, and ASN) from the + integration settings. + 2. It initializes the `SilentPushManager` with the provided credentials. - ### Additional Notes + 3. It calls the `add_indicators` method, which performs a POST request to the + Silent Push API to add the provided indicators to the specified feed. + 4. The action logs the outcome of the API request and terminates with the appropriate + execution status. - * **Entity Usage:** Although the script iterates through the target entities in - the scope, it does not use their data to perform the action. The action relies - entirely on the provided 'Indicators' parameter. - * **ASN Parameter:** The code attempts to extract an 'ASN' parameter, but it is - not defined in the action's configuration and is only referenced in error messages. + ### Parameters Description + | Parameter | Type | Mandatory | Description | - ### Flow Description + | :--- | :--- | :--- | :--- | + | Feed UUID | string | No | The unique identifier of the feed to which indicators + will be added. | - 1. **Configuration Extraction:** Retrieves the Silent Push server URL and API - Key from the integration settings. + | Indicators | string | No | A comma-separated list of indicators to be added + to the feed. | - 2. **Parameter Extraction:** Retrieves the 'Feed UUID' and the 'Indicators' string - from the action parameters. + | ASN | string | No | An optional ASN parameter extracted by the script, though + not explicitly used in the primary API call logic. | - 3. **Manager Initialization:** Initializes the Silent Push Manager to handle API - communication. - 4. **API Request:** Sends a POST request to the Silent Push endpoint `/api/v1/feeds/{feed_uuid}/indicators/` - with the list of indicators. + ### Additional Notes - 5. **Result Handling:** Evaluates the API response. If successful, the action - completes; otherwise, it logs an error and fails. + - The action does not perform any operations on the entities present in the case, + despite iterating over them for logging purposes. It is strictly an external mutation + action. capabilities: can_create_case_comments: false can_create_insight: false @@ -299,12 +298,18 @@ Add Indicators: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Adds new indicators to a specified feed within the Silent Push platform via - a POST request. + Adds indicators to a specified feed in the Silent Push platform via a POST request. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to an external API (Silent Push) to add indicators + to a feed. It does not fetch data for enrichment, nor does it modify internal + SOAR data (entities, insights, etc.). categories: enrichment: false + reasoning: >- + The action is a mutation action (adding data to an external system) and does + not retrieve data for enrichment, therefore it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -320,6 +325,10 @@ Add Indicators: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` only to print their identifiers, + but does not use them for any logic or API calls. Therefore, it does not run + on entities. Add Indicators Tags: action_product_categories: add_alert_comment: false @@ -335,6 +344,10 @@ Add Indicators Tags: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action updates tags for an indicator in an external system (Silent Push). + This does not match any of the provided categories (Enrich IOC, Contain Host, + Update Ticket, etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -352,54 +365,45 @@ Add Indicators Tags: ai_description: >- ### General Description - Adds tags to a specific indicator within a Silent Push feed. This action allows - analysts to categorize and organize threat indicators directly on the Silent Push - platform by updating their associated metadata. It is primarily used for threat - intelligence management and feed curation. + This action updates the tags of a specific indicator within a feed on the Silent + Push platform. It allows analysts to manage and categorize indicators by adding + custom tags directly to the Silent Push system. ### Parameters Description - | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Feed UUID | string | Yes | The unique identifier (UUID) of the target feed in - Silent Push. | + | Feed UUID | string | Yes | The unique identifier (UUID) of the feed containing + the indicator. | - | Indicator Name | string | Yes | The name of the indicator (e.g., a domain or - IP address) that will receive the new tags. | + | Indicator Name | string | Yes | The name of the indicator to be tagged. | - | Tags | string | Yes | The specific tags to be added to the indicator. Multiple - tags should be provided as a single string (the format depends on the Silent Push - API requirements, typically comma-separated). | + | Tags | string | Yes | The tags to be added to the indicator. | ### Additional Notes - This action does not process Google SecOps entities. It relies entirely on the - provided parameters to identify the feed and the indicator. The action uses a - `PUT` request to update the external system state. + The action requires a valid Silent Push API key and server URL configured in the + integration settings. All parameters (Feed UUID, Indicator Name, Tags) are mandatory + for the action to execute successfully. ### Flow Description - 1. **Configuration Extraction:** Retrieves the Silent Push Server URL and API - Key from the integration settings. + 1. Extract the integration configuration (Server URL, API Key) from the environment. - 2. **Parameter Extraction:** Collects the `Feed UUID`, `Indicator Name`, and `Tags` - from the action input. + 2. Extract the action parameters (Feed UUID, Indicator Name, Tags). - 3. **API Initialization:** Initializes the `SilentPushManager` with the provided - credentials. + 3. Initialize the `SilentPushManager` with the provided configuration. - 4. **External Mutation:** Executes a `PUT` request to the Silent Push endpoint: - `/api/v1/feeds/{feed_uuid}/indicators/{indicator_name}/update-tags/` with the - provided tags in the payload. + 4. Call the `add_indicators_tags` method via the manager, which performs a `PUT` + request to the Silent Push API to update the tags for the specified indicator. - 5. **Result Handling:** Validates the API response. If successful, it completes - the action; otherwise, it logs an error and fails the execution. + 5. Log the result of the operation and terminate the action with the appropriate + status. capabilities: can_create_case_comments: false can_create_insight: false @@ -408,12 +412,18 @@ Add Indicators Tags: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the tags of a specific indicator within a Silent Push feed using a PUT - request to the Silent Push API. + Updates the tags for a specific indicator within a feed on the Silent Push platform. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a `PUT` request to the Silent Push API to update tags for + an indicator. This is an external mutation. It does not fetch data, nor does + it modify internal SecOps data (entities, insights, etc.). categories: enrichment: false + reasoning: >- + The action is a mutation action (updating tags in an external system) and does + not fetch data for enrichment. Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -429,6 +439,10 @@ Add Indicators Tags: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` only to print their identifiers. + It does not use them to perform the API call or filter the action. Therefore, + it does not run on entities. Density Lookup: action_product_categories: add_alert_comment: false @@ -444,6 +458,11 @@ Density Lookup: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves density information (DNS/IP parameters) for indicators, + which provides threat intelligence and context. This aligns with the 'Enrich + IOC' category. It does not perform any other actions like ticketing, blocking, + or asset management. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -458,32 +477,44 @@ Density Lookup: update_email: false update_identity: false update_ticket: false - ai_description: "### General Description\nThe **Density Lookup** action queries\ - \ the Silent Push platform to retrieve granular density information for various\ - \ DNS and IP parameters. This data helps analysts understand the prevalence and\ - \ associations of specific infrastructure components, such as Name Servers (NS),\ - \ Mail Exchange (MX) servers, IP addresses, and Autonomous System Numbers (ASNs).\ - \ It is primarily used for infrastructure analysis and identifying commonalities\ - \ across different network assets.\n\n### Parameters Description\n\n| Parameter\ - \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| **Qtype**\ - \ | string | Yes | The type of density lookup to perform. Supported types include\ - \ `nssrv`, `mxsrv`, `nshash`, `mxhash`, `ipv4`, `ipv6`, `asn`, and `chv`. |\n\ - | **Query** | string | Yes | The specific value (e.g., a domain name, IP address,\ - \ or server hostname) to query for density information. |\n| **Scope** | string\ - \ | No | Defines the match level or scope for the lookup to filter results. |\n\ - \n### Additional Notes\n- This action requires a valid API Key and Server URL\ - \ configured in the Silent Push integration settings.\n- If the query returns\ - \ no records, the action will result in a failure status with an error message\ - \ indicating that no density records were found.\n\n### Flow Description\n1. **Initialization:**\ - \ The action extracts the integration configuration (Server URL and API Key) and\ - \ the action parameters (`Qtype`, `Query`, and `Scope`).\n2. **API Request:**\ - \ It initializes the `SilentPushManager` and executes a GET request to the Silent\ - \ Push density lookup endpoint using the provided parameters.\n3. **Data Validation:**\ - \ The action parses the response and checks for the presence of records in the\ - \ `response.records` field.\n4. **Execution Outcome:** \n - If records are\ - \ found, the action completes successfully and returns the data in a JSON format.\n\ - \ - If no records are found or an API error occurs, the action fails and logs\ - \ the corresponding error message." + ai_description: >- + The action queries granular DNS/IP parameters (e.g., NS servers, MX servers, IP + addresses, ASNs) for density information using the Silent Push platform. This + action is used to retrieve threat intelligence and contextual data about indicators. + + + ### Flow + + 1. Extracts configuration parameters (`Silent Push Server`, `API Key`) and action + parameters (`Qtype`, `Query`, `Scope`). + + 2. Initializes the `SilentPushManager` with the provided credentials. + + 3. Executes a `GET` request to the Silent Push API endpoint `explore/padns/lookup/density/{qtype}/{query}`. + + 4. Retrieves and processes the density records. + + 5. Logs the results and completes the action. + + + ### Parameters + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Qtype | string | Yes | Query Type (e.g., nssrv, mxsrv, nshash, mxhash, ipv4, + ipv6, asn, chv). | + + | Query | string | Yes | Value to query. | + + | Scope | string | No | Match level. | + + + ### Additional Notes + + The action does not use the target entities provided in the case, even though + it iterates over them in the code. capabilities: can_create_case_comments: false can_create_insight: false @@ -494,8 +525,14 @@ Density Lookup: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Silent Push API to retrieve density + records. It does not modify any external or internal data. categories: enrichment: true + reasoning: >- + The action fetches data from an external source (Silent Push) and does not mutate + any external or internal systems, making it an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -511,6 +548,11 @@ Density Lookup: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` only to print their identifiers, + but it does not use these entities to perform the density lookup. The lookup + is performed using the `Qtype` and `Query` action parameters. Therefore, the + action does not run on entities. Forward Padns Lookup: action_product_categories: add_alert_comment: false @@ -523,15 +565,18 @@ Forward Padns Lookup: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: false + enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action performs a PADNS lookup, which provides threat intelligence and context + about a domain or DNS record. This aligns with the 'Enrich IOC' category. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false search_asset: false search_email: false - search_events: true + search_events: false send_email: false send_message: false submit_file: false @@ -541,14 +586,25 @@ Forward Padns Lookup: update_identity: false update_ticket: false ai_description: >- - ### General Description + Performs a forward Passive DNS (PADNS) lookup using the Silent Push API to retrieve + DNS record information. This action is useful for gathering threat intelligence + and infrastructure context regarding specific DNS records. - This action performs a forward Passive DNS (PADNS) lookup using the Silent Push - API. It allows analysts to retrieve historical DNS records (such as A, AAAA, MX, - NS, etc.) for a specific domain name. The action supports extensive filtering - capabilities, including date ranges (first/last seen), regular expressions, and - network masks, making it a powerful tool for infrastructure analysis and threat - hunting. + + ### Flow Description + + 1. **Configuration Extraction**: The action retrieves the Silent Push server URL + and API key from the integration configuration. + + 2. **Parameter Extraction**: It extracts the required `Qname` (DNS record name) + and optional filtering parameters (e.g., `Qtype`, `Netmask`, `Regex`, `Limit`) + from the action settings. + + 3. **API Request**: The action calls the Silent Push API to perform a forward + PADNS lookup using the provided parameters. + + 4. **Response Handling**: It validates the API response. If records are found, + it returns the data; otherwise, it logs an error and fails the execution. ### Parameters Description @@ -557,82 +613,50 @@ Forward Padns Lookup: | :--- | :--- | :--- | :--- | - | Qname | string | Yes | The DNS record name (domain) to lookup. | + | Qname | string | Yes | The DNS record name to lookup. | - | Qtype | string | No | The DNS record type to query (e.g., 'ns', 'a', 'mx'). - Defaults to 'ns'. | + | Qtype | string | No | DNS record type (e.g., ns, a, mx). Defaults to 'ns'. | - | Netmask | string | No | Filter results by a specific netmask. | + | Netmask | string | No | The netmask to filter the lookup results. | - | subdomain | string | No | Flag to include subdomains in the lookup results. + | Subdomains | string | No | Flag to include subdomains in the lookup results. | - | Regex | string | No | A regular expression to filter the returned DNS records. - | + | Regex | string | No | Regular expression to filter the DNS records. | - | Match | string | No | Specifies the type of match for the query (e.g., 'exact', - 'partial'). | + | Match | string | No | Type of match for the query (e.g., exact, partial). | - | First Seen After | string | No | Filter records first observed after this date - (YYYY-MM-DD). | + | First Seen After | string | No | Filter results to include only records first + seen after this date. | - | First Seen Before | string | No | Filter records first observed before this - date (YYYY-MM-DD). | + | First Seen Before | string | No | Filter results to include only records first + seen before this date. | - | Last Seen After | string | No | Filter records last observed after this date - (YYYY-MM-DD). | + | Last Seen After | string | No | Filter results to include only records last + seen after this date. | - | Last Seen Before | string | No | Filter records last observed before this date - (YYYY-MM-DD). | + | Last Seen Before | string | No | Filter results to include only records last + seen before this date. | - | As Of | string | No | Retrieve DNS records as they appeared at a specific point + | As Of | string | No | Date or time to get the DNS records as of a specific point in time. | - | Sort | string | No | Field by which to sort the results (e.g., 'date', 'score'). + | Sort | string | No | Sort the results by the specified field (e.g., date, score). | - | Output Format | string | No | The desired format for the returned results (e.g., - JSON, XML). | + | Output Format | string | No | The format in which the results should be returned + (e.g., JSON, XML). | | Prefer | string | No | Preference for specific DNS servers or sources. | - | With Metadata | string | No | Boolean flag to include additional metadata in - the records. | + | With Metadata | string | No | Flag to include metadata in the DNS records. | - | Max Wait | string | No | Maximum seconds to wait for the API response (0-25). - | + | Max Wait | string | No | Maximum number of seconds to wait for results before + timing out. | - | Skip | string | No | Number of results to skip for pagination. | + | Skip | string | No | Number of results to skip for pagination purposes. | | Limit | string | No | Maximum number of results to return. | - - - ### Additional Notes - - * **Entity Usage:** Although the script contains logic to iterate over target - entities, it does not currently use them as inputs for the lookup. The action - relies entirely on the `Qname` parameter provided by the user. - - * **Pagination:** Use the `Skip` and `Limit` parameters to manage large result - sets. - - - ### Flow Description - - 1. **Initialization:** The action initializes the Silent Push manager using the - configured Server URL and API Key. - - 2. **Parameter Extraction:** It retrieves the mandatory `Qname` and all optional - filtering/pagination parameters from the action configuration. - - 3. **API Request:** A GET request is dispatched to the Silent Push PADNS lookup - endpoint (`explore/padns/lookup/query/{qtype}/{qname}`) with the specified filters. - - 4. **Error Handling:** The script checks the API response for errors or empty - record sets. If no records are found, the action fails with a descriptive message. - - 5. **Completion:** Upon success, the action returns the retrieved DNS records - and sets the execution state to completed. capabilities: can_create_case_comments: false can_create_insight: false @@ -643,8 +667,15 @@ Forward Padns Lookup: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Silent Push API to retrieve DNS records. + It does not modify external systems or internal SOAR data (entities, insights, + comments). categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches data from an external source (Silent Push) and does not mutate + any external or internal systems. It fits the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -660,6 +691,10 @@ Forward Padns Lookup: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` only to print them, but does + not use them for the lookup logic. The lookup is performed based on the `Qname` + parameter provided in the action settings. Therefore, it does not run on entities. Get ASN Reputation: action_product_categories: add_alert_comment: false @@ -675,6 +710,10 @@ Get ASN Reputation: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves reputation history and threat intelligence for an ASN. + This aligns with the 'Enrich IOC' category. It does not perform any other actions + like ticketing, containment, or alert updates. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -692,55 +731,49 @@ Get ASN Reputation: ai_description: >- ### General Description - Retrieves historical reputation data for a specific Autonomous System Number (ASN) - using the Silent Push platform. This action provides insights into the threat - landscape associated with an ASN, including reputation scores and historical changes. - It is primarily used for threat intelligence and risk assessment of network infrastructure. + This action retrieves historical reputation data for a specific Autonomous System + Number (ASN) from the Silent Push platform. It provides analysts with insights + into the reputation history of an ASN, which can be used to assess the risk associated + with network infrastructure. - ### Parameters Description - - | Parameter | Type | Mandatory | Description | + ### Flow Description - | :--- | :--- | :--- | :--- | + 1. **Configuration Extraction**: The action retrieves the Silent Push server URL + and API key from the integration configuration. - | **ASN** | string | Yes | The Autonomous System Number (ASN) to lookup (e.g., - '12345'). | + 2. **Parameter Extraction**: It extracts the `ASN` (mandatory), `Explain` (optional), + and `Limit` (optional) parameters provided by the user. - | **Explain** | boolean | No | If set to `true`, the action retrieves additional - information explaining how the reputation score was calculated. Defaults to `false`. - | + 3. **Data Retrieval**: The action initializes the `SilentPushManager` and performs + an API request to fetch the ASN reputation history. - | **Limit** | string | No | Specifies the maximum number of historical reputation - records to retrieve. | + 4. **Data Processing**: The raw response is parsed, and the reputation entries + are sorted by date in descending order. + 5. **Result Generation**: The processed data is formatted into a table and added + to the action's result JSON for display in the SecOps platform. - ### Flow Description - 1. **Configuration Extraction:** Retrieves the Silent Push Server URL and API - Key from the integration settings. + ### Parameters Description - 2. **Parameter Retrieval:** Extracts the target `ASN`, the `Explain` flag, and - the `Limit` value from the action inputs. + | Parameter | Type | Mandatory | Description | - 3. **API Interaction:** Calls the Silent Push Manager's `get_asn_reputation` method, - which performs a GET request to the ASN reputation history endpoint. + | :--- | :--- | :--- | :--- | - 4. **Data Processing:** Extracts the reputation data from the raw API response - and sorts the history entries by date in descending order. + | ASN | string | Yes | The Autonomous System Number (ASN) to look up. | - 5. **Table Preparation:** Formats the sorted data into a structured list, including - the ASN, reputation score, AS name, and date. If the `Explain` parameter is enabled, - it also includes the explanation field. + | Explain | boolean | No | If set to true, includes detailed information used + to calculate the reputation score. | - 6. **Result Output:** Adds the processed data to the action's JSON results and - completes the execution with a success message. + | Limit | string | No | The maximum number of reputation history records to retrieve. + | ### Additional Notes - While the action metadata description mentions IPv4, the technical implementation - and parameters specifically target Autonomous System Numbers (ASNs). + This action does not perform any operations on entities present in the case; it + relies solely on the `ASN` parameter provided by the user. capabilities: can_create_case_comments: false can_create_insight: false @@ -751,8 +784,16 @@ Get ASN Reputation: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to an external API (Silent Push) to retrieve + reputation data. It does not modify any external systems, nor does it update + internal SecOps data such as entities, insights, or case comments. categories: enrichment: true + reasoning: >- + The action fetches reputation data from an external source (Silent Push) and + returns it to the user. It does not mutate any external or internal systems. + This fits the definition of an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -768,6 +809,10 @@ Get ASN Reputation: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use entities to perform its logic. It relies on the 'ASN' + parameter provided by the user. The code iterates over 'siemplify.target_entities' + only for logging purposes, which does not constitute processing entities. Get ASN Takedown Reputation: action_product_categories: add_alert_comment: false @@ -783,6 +828,10 @@ Get ASN Takedown Reputation: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves reputation and threat intelligence for an ASN, which is + a form of indicator. This aligns with the 'Enrich IOC' category. It does not + perform any other actions like ticket creation, containment, or alert modification. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -800,47 +849,49 @@ Get ASN Takedown Reputation: ai_description: >- ### General Description - The **Get ASN Takedown Reputation** action retrieves historical takedown reputation - data for a specific Autonomous System Number (ASN) from the Silent Push platform. - This information helps analysts understand the threat profile and historical malicious - activity associated with an ASN. + This action retrieves takedown reputation history for a specific Autonomous System + Number (ASN) from the Silent Push platform. It provides threat intelligence regarding + the ASN's involvement in takedown activities, which can be used to assess the + risk associated with infrastructure. ### Parameters Description - | Parameter | Type | Mandatory | Default | Description | + | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | :--- | + | :--- | :--- | :--- | :--- | - | ASN | string | Yes | 211298 | The Autonomous System Number (ASN) to investigate. - | + | ASN | string | Yes | The Autonomous System Number (ASN) to lookup. | - | Explain | boolean | No | true | If enabled, the response includes the specific - data points used to calculate the reputation score. | + | Explain | boolean | No | If set to true, includes detailed information used + to calculate the reputation score. | - | Limit | string | No | | The maximum number of historical reputation records - to retrieve. | + | Limit | string | No | The maximum number of reputation history records to retrieve. + | ### Flow Description - 1. **Parameter Extraction:** The action retrieves the target ASN and optional - configuration (Explain, Limit) from the user input. + 1. The action extracts the integration configuration (Server URL, API Key) and + the action parameters (ASN, Explain, Limit). + + 2. It initializes the `SilentPushManager` to handle communication with the Silent + Push API. - 2. **API Interaction:** It sends a GET request to the Silent Push `explore/takedownreputation/asn` - endpoint using the provided ASN. + 3. The action calls the `get_asn_takedown_reputation` method, which performs a + GET request to the Silent Push API endpoint. - 3. **Data Processing:** The action parses the `takedown_reputation` history from - the API response. + 4. If reputation data is successfully retrieved, the action adds the result as + a JSON object to the action results. - 4. **Result Output:** The retrieved history is returned as a JSON object for use - in subsequent playbook steps. + 5. If no data is found or an error occurs during the API call, the action logs + the error and terminates with a failed status. ### Additional Notes - - This action does not automatically process entities from the SecOps case; it - requires the ASN to be provided as a direct parameter. + This action does not perform any modifications to the entities or the case. It + is strictly a data retrieval action. capabilities: can_create_case_comments: false can_create_insight: false @@ -851,8 +902,17 @@ Get ASN Takedown Reputation: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to an external API (Silent Push) to retrieve + reputation data. It does not modify any external systems, nor does it update + internal entities, create insights, or modify case data. It simply returns the + retrieved data as a JSON result. categories: - enrichment: true + enrichment: false + reasoning: >- + While the action fetches data (reputation), it does not meet the strict criteria + for an Enrichment Action because it does not update entities, create insights, + or add case comments. It only returns a result JSON. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -868,6 +928,10 @@ Get ASN Takedown Reputation: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` only to print their identifiers + to the logs. It does not use these entities to filter the API request or perform + any logic on them. Therefore, the action does not run on entities. Get ASNs for Domain: action_product_categories: add_alert_comment: false @@ -883,6 +947,10 @@ Get ASNs for Domain: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves threat intelligence (ASNs) for a domain. This matches the + 'Enrich IOC' category as it provides contextual intelligence for an indicator. + It does not perform any other actions like ticketing or containment. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -897,30 +965,33 @@ Get ASNs for Domain: update_email: false update_identity: false update_ticket: false - ai_description: "### General Description\nThe **Get ASNs for Domain** action retrieves\ - \ Autonomous System Numbers (ASNs) associated with a specific domain and its subdomains\ - \ using the Silent Push API. By querying Passive DNS (PADNS) data, the action\ - \ identifies the network infrastructure (ASNs) that have hosted the domain's A\ - \ records over the last 30 days. This provides security analysts with critical\ - \ context regarding the hosting environment of a domain, which is useful for infrastructure\ - \ mapping and identifying potentially malicious network patterns.\n\n### Parameters\ - \ Description\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- |\ - \ :--- | :--- |\n| **Domain** | String | Yes | The domain name to search ASNs\ - \ for (e.g., `silentpush.com`). The action retrieves ASNs associated with A records\ - \ for this domain and its subdomains from the last 30 days. |\n\n### Flow Description\n\ - 1. **Configuration Extraction**: The action retrieves the Silent Push Server URL\ - \ and API Key from the integration's global configuration.\n2. **Parameter Retrieval**:\ - \ The target `Domain` is extracted from the action's input parameters.\n3. **API\ - \ Interaction**: The action initializes the `SilentPushManager` and calls the\ - \ `get_asns_for_domain` method, which performs a GET request to the `explore/padns/lookup/domain/asns/{domain}`\ - \ endpoint.\n4. **Data Processing**: The action parses the API response to extract\ - \ the list of ASN records.\n5. **Result Handling**: \n - If ASN records are\ - \ found, the action completes successfully, returning the list of ASNs in the\ - \ output message and script result.\n - If no records are found, the action\ - \ logs an error and terminates with a failed status.\n\n### Additional Notes\n\ - - This action does not automatically update entities or create insights within\ - \ Google SecOps; it primarily serves to fetch and return raw ASN data for use\ - \ in subsequent playbook steps." + ai_description: >- + ### General Description + + This action retrieves Autonomous System Numbers (ASNs) associated with a specific + domain using the Silent Push platform. It queries the Silent Push API to fetch + the associated ASNs for the provided domain, providing valuable threat intelligence. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Domain | string | Yes | The domain name to search for associated ASNs. | + + + ### Flow Description + + 1. Extracts the `Domain` parameter from the action configuration. + + 2. Initializes the `SilentPushManager` with the provided API credentials. + + 3. Queries the Silent Push API (`explore/padns/lookup/domain/asns/{domain}`) to + fetch associated ASNs. + + 4. Logs the results or errors and terminates the action with the retrieved data. capabilities: can_create_case_comments: false can_create_insight: false @@ -931,45 +1002,18 @@ Get ASNs for Domain: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve ASN data for a domain. It does + not mutate external systems, nor does it update internal SOAR entities or insights. categories: - enrichment: true + enrichment: false + reasoning: >- + The action fetches data but does not update entities, create insights, or add + comments. It does not meet the criteria for an Enrichment Action as defined, + because it does not perform any internal mutations (like updating the entity + profile). entity_usage: - entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -983,6 +1027,10 @@ Get ASNs for Domain: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` only to print their identifiers. + It does not use them to perform the lookup or update them. Therefore, it does + not process entities. Get Data Exports: action_product_categories: add_alert_comment: false @@ -998,6 +1046,9 @@ Get Data Exports: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action downloads a file from a remote host. This matches the 'Download File' + category. It does not perform any other operations. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1013,45 +1064,34 @@ Get Data Exports: update_identity: false update_ticket: false ai_description: >- - Downloads exported feed data from Silent Push. This action retrieves the content - of a specific data export (such as indicator lists in CSV format) from the Silent - Push platform using a provided Feed URL. It is primarily used to ingest threat - intelligence feeds or exported datasets for further processing within the SOAR - platform. - + Downloads data export files from the Silent Push platform. This action retrieves + a file from a specified URL and logs the content. - ### Flow Description - 1. **Configuration Retrieval:** Extracts the Silent Push server URL and API key - from the integration settings. + ### Flow - 2. **Parameter Extraction:** Retrieves the mandatory 'Feed URL' parameter which - specifies the file to be downloaded. + 1. Extracts configuration (Server URL, API Key) and the `Feed URL` parameter. - 3. **API Interaction:** Constructs the full export URL and performs an authenticated - HTTP GET request to the Silent Push export endpoint. + 2. Initializes the `SilentPushManager`. - 4. **Response Handling:** Validates the response status. If successful, it captures - the file content and determines a filename based on the URL string. + 3. Sends a GET request to the specified `Feed URL` to retrieve the export data. - 5. **Output:** Returns the exported data content as the action result. + 4. Logs the status and the content of the downloaded file. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Feed URL | string | Yes | The specific URL suffix or identifier for the feed - data to be exported (e.g., '9b38bd50-ea46-4280-8739-9b71fc3a9291_indicators.csv'). - | + | Feed URL | string | Yes | The URL from which to export the feed data. | ### Additional Notes - - This action is classified as a download action because its primary purpose is - to retrieve raw file content from an external service. + This action is a utility for downloading data and does not perform any operations + on entities or alerts. capabilities: can_create_case_comments: false can_create_insight: false @@ -1062,8 +1102,16 @@ Get Data Exports: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to download a file from an external URL. It + does not modify any external systems, nor does it update any internal SOAR entities + or insights. It only logs the result. categories: enrichment: false + reasoning: >- + The action downloads a file. It does not associate the data with any entity + or alert, nor does it perform any enrichment logic. Therefore, it is not an + enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1079,6 +1127,9 @@ Get Data Exports: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` but only prints their identifiers + to the log. It does not use the entities to perform any logic or filtering. Get Domain Certificates: action_product_categories: add_alert_comment: false @@ -1094,6 +1145,11 @@ Get Domain Certificates: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves SSL certificate information for a domain, which provides + threat intelligence and context about the domain's infrastructure. This aligns + with the 'Enrich IOC' category. It does not perform any other actions like updating + tickets, blocking IOCs, or managing identities. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1108,44 +1164,31 @@ Get Domain Certificates: update_email: false update_identity: false update_ticket: false - ai_description: "### General Description\nThis action retrieves SSL/TLS certificate\ - \ data collected from domain scanning using the Silent Push platform. It allows\ - \ analysts to query specific domains for their certificate history and details,\ - \ providing valuable context for infrastructure analysis and threat hunting. The\ - \ action supports various filters such as date ranges, certificate issuers, and\ - \ regular expressions to narrow down the results.\n\n### Parameters Description\n\ - | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ - | Domain | string | True | The specific domain to query for certificate data.\ - \ |\n| Domain Regex | string | False | A regular expression used to filter the\ - \ domains in the certificate results. |\n| Certificate Issuer | string | False\ - \ | Filters the results to only include certificates issued by a specific authority.\ - \ |\n| Date Min | string | False | Filters for certificates issued on or after\ - \ this date (e.g., YYYY-MM-DD). |\n| Date Max | string | False | Filters for certificates\ - \ issued on or before this date (e.g., YYYY-MM-DD). |\n| Prefer | string | False\ - \ | Determines the API behavior for long-running queries: whether to wait for\ - \ results or return a `job_id` immediately. |\n| Max Wait | string | False | The\ - \ number of seconds (0 to 25) to wait for results before the API returns a `job_id`.\ - \ |\n| With Metadata | string | False | If set to true, the response will include\ - \ a metadata object containing result counts and job identifiers. |\n| Skip |\ - \ string | False | The number of initial results to skip (used for pagination).\ - \ |\n| Limit | string | False | The maximum number of certificate records to return\ - \ in the response. |\n\n### Additional Notes\n- If the query is complex or the\ - \ system requires more time, the action may return a `job_id` and status instead\ - \ of immediate certificate data. In such cases, the `Get Job Status` action should\ - \ be used to retrieve the final results.\n- The action returns data in a structured\ - \ JSON format (`JsonResult`) for use in subsequent playbook logic.\n\n### Flow\ - \ Description\n1. **Configuration Extraction:** The action retrieves the Silent\ - \ Push Server URL and API Key from the integration settings.\n2. **Parameter Parsing:**\ - \ It extracts the target domain and all optional filter parameters (regex, issuer,\ - \ dates, pagination settings) from the action input.\n3. **API Request:** The\ - \ action initializes the `SilentPushManager` and sends a GET request to the `explore/domain/certificates/{domain}`\ - \ endpoint with the specified filters.\n4. **Response Handling:** \n - If the\ - \ API returns a `job_status`, the action completes by providing the job details\ - \ for asynchronous tracking.\n - If the API returns certificate data directly,\ - \ it extracts the list of certificates and any associated metadata.\n5. **Result\ - \ Finalization:** The action outputs the retrieved data and sets the execution\ - \ status to completed. If no certificates are found or an error occurs, it logs\ - \ the issue and fails the action." + ai_description: "### General Description\nThis action retrieves SSL certificate\ + \ details for a specified domain using the Silent Push platform. It allows for\ + \ advanced filtering of certificate data, including regex matching, issuer filtering,\ + \ and date range constraints. The action is designed to provide contextual intelligence\ + \ about a domain's infrastructure by querying historical and current certificate\ + \ records.\n\n### Parameters Description\n| Parameter | Type | Mandatory | Description\ + \ |\n| :--- | :--- | :--- | :--- |\n| Domain | string | Yes | The domain to query\ + \ certificates for. |\n| Domain Regex | string | No | Regular expression to match\ + \ domains. |\n| Certificate Issuer | string | No | Filter by certificate issuer.\ + \ |\n| Date Min | string | No | Filter certificates issued on or after this date.\ + \ |\n| Date Max | string | No | Filter certificates issued on or before this date.\ + \ |\n| Prefer | string | No | Prefer to wait for results for longer running queries\ + \ or to return job_id immediately. |\n| Max Wait | string | No | Number of seconds\ + \ to wait for results before returning a job_id (0-25 seconds). |\n| With Metadata\ + \ | string | No | Includes a metadata object in the response. |\n| Skip | string\ + \ | No | Number of results to skip. |\n| Limit | string | No | Number of results\ + \ to return. |\n\n### Flow Description\n1. **Configuration Extraction**: The action\ + \ retrieves the Silent Push server URL and API key from the integration configuration.\n\ + 2. **Parameter Parsing**: It extracts and validates the provided action parameters,\ + \ including domain, filters, and pagination settings.\n3. **API Request**: The\ + \ action calls the Silent Push API (`/explore/domain/certificates/{domain}`) to\ + \ fetch certificate data.\n4. **Response Handling**: \n - If the API returns\ + \ a job status, the action reports the job details.\n - If certificate data\ + \ is returned, it processes the certificates and metadata.\n5. **Output**: The\ + \ action returns the certificate information and metadata as the script result." capabilities: can_create_case_comments: false can_create_insight: false @@ -1156,8 +1199,17 @@ Get Domain Certificates: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Silent Push API to retrieve certificate + data. It does not modify any external systems (no POST/PUT/DELETE) and does + not modify any internal Google SecOps data (no entity updates, insights, or + comments). categories: enrichment: true + reasoning: >- + The action fetches data from an external source (Silent Push) to provide context + about a domain. It does not mutate external systems or modify internal Google + SecOps data. Therefore, it qualifies as an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1173,6 +1225,11 @@ Get Domain Certificates: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action uses the 'Domain' parameter provided in the action settings to perform + the query. While it iterates over `siemplify.target_entities` for logging purposes, + it does not use these entities to drive the logic or filter the request. Therefore, + it does not run on specific entity types. Get Enrichment Data: action_product_categories: add_alert_comment: false @@ -1188,6 +1245,11 @@ Get Enrichment Data: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action fetches enrichment data for domains or IP addresses from the Silent + Push API. This matches the 'Enrich IOC' expected outcome. It does not mutate + external systems or modify internal case data, so it is not a containment or + update action. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1203,63 +1265,45 @@ Get Enrichment Data: update_identity: false update_ticket: false ai_description: >- - ### General Description + This action retrieves comprehensive enrichment information for a given resource + (domain, IPv4, or IPv6) from the Silent Push platform. It allows users to specify + the resource type and value, and optionally include detailed calculation explanations + or scan data for IPv4 resources. - The **Get Enrichment Data** action retrieves comprehensive threat intelligence - and enrichment information for a specific resource, such as a domain, IPv4 address, - or IPv6 address, from the Silent Push platform. This action provides deep visibility - into the reputation, infrastructure, and metadata associated with an indicator, - supporting analysts in threat analysis and investigation. + ### Parameters - ### Parameters Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Resource** | String | Yes | The type of resource to enrich. Supported values: - `domain`, `ipv4`, `ipv6`. Default is `ipv4`. | + | Resource | string | Yes | Type of resource for which information needs to be + retrieved (e.g., domain, ipv4, ipv6). | - | **Value** | String | Yes | The specific indicator value (e.g., an IP address - or domain name) to be enriched. Default is `142.251.188.102`. | + | Value | string | Yes | Value corresponding to the selected "resource" for which + information needs to be retrieved (e.g., silentpush.com). | - | **Explain** | Boolean | No | If set to `true`, the response will include detailed - explanations of how the data calculations (like risk scores) were derived. Default - is `false`. | + | Explain | boolean | No | Include explanation of data calculations. | - | **Scan Data** | Boolean | No | If set to `true`, the action will include additional - scan data. This is only applicable when the resource type is `ipv4`. Default is - `false`. | + | Scan Data | boolean | No | Include scan data (IPv4 only). | ### Flow Description - 1. **Initialization**: The action initializes the Silent Push manager using the - provided server URL and API key from the integration configuration. - - 2. **Parameter Extraction**: It retrieves the resource type, the indicator value, - and the optional flags for explanations and scan data from the action parameters. - 3. **Validation**: If the resource is an IP address, it validates the format against - the specified type (IPv4 or IPv6) using internal validation logic. + 1. **Initialization**: The action extracts the Silent Push API credentials and + the action parameters (`Resource`, `Value`, `Explain`, `Scan Data`). - 4. **Data Retrieval**: It sends a GET request to the Silent Push enrichment endpoint - (`explore/enrich/{resource}/{value}`) with the specified query parameters. + 2. **Validation**: It validates the `Resource` type against allowed values and + performs IP address validation if the resource is an IPv4 or IPv6 address. - 5. **Output**: The retrieved enrichment data is returned as a JSON object. If - no data is found, the action fails with an error message. - - - ### Additional Notes + 3. **Data Retrieval**: The action queries the Silent Push API to fetch enrichment + data based on the provided resource and value. - - This action is a standalone enrichment tool that operates on a single input - value provided via parameters rather than automatically iterating through all - entities in the current scope. - - - The **Scan Data** parameter is specifically intended for use with the `ipv4` - resource type and may be ignored or return no additional data for other resource - types. + 4. **Result Processing**: If enrichment data is successfully retrieved, it is + added to the action's result JSON. If no data is found or an error occurs, the + action fails with an appropriate error message. capabilities: can_create_case_comments: false can_create_insight: false @@ -1270,8 +1314,17 @@ Get Enrichment Data: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Silent Push API to retrieve enrichment + data. It does not mutate external systems or modify internal SOAR data (entities, + insights, or case comments). It only returns the retrieved data as a result + JSON. categories: enrichment: true + reasoning: >- + The action fetches data from an external source (Silent Push) to provide context + for IOCs. It does not mutate external systems or modify internal SOAR data. + This aligns with the definition of an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1287,6 +1340,11 @@ Get Enrichment Data: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action uses action parameters (`Resource` and `Value`) to perform the lookup. + While it iterates over `siemplify.target_entities` for logging purposes, it + does not use them to perform the enrichment logic. Therefore, no entity types + are processed. Get Future Attack Indicatiors: action_product_categories: add_alert_comment: false @@ -1302,6 +1360,10 @@ Get Future Attack Indicatiors: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves a list of indicators from a feed. It does not enrich a + specific IOC, update an alert, or perform any of the other listed actions. It + is a data retrieval action for threat intelligence feeds. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1319,60 +1381,48 @@ Get Future Attack Indicatiors: ai_description: >- ### General Description - The **Get Future Attack Indicatiors** action retrieves threat intelligence indicators - from the Silent Push platform based on a specific Feed UUID. This action is designed - to gather proactive intelligence about potential future attacks by fetching ranked - indicators associated with a designated threat feed. It is primarily used for - threat hunting and situational awareness by providing a list of indicators that - have been identified as part of emerging threat campaigns. + This action fetches indicators of potential future attacks from the Silent Push + platform using a provided Feed UUID. It retrieves threat intelligence data based + on the specified feed and pagination settings. - ### Parameters Description + ### Flow Description - | Parameter | Type | Mandatory | Description | + 1. **Configuration Extraction**: The action extracts the `Silent Push Server` + URL and `API Key` from the integration configuration. - | :--- | :--- | :--- | :--- | + 2. **Parameter Extraction**: The action extracts the `Feed UUID`, `Page No`, and + `Page Size` from the action parameters. - | **Feed UUID** | String | Yes | The unique identifier for the Silent Push feed - from which to fetch indicators. | + 3. **Manager Initialization**: The `SilentPushManager` is initialized with the + server URL and API key. - | **Page No** | String | No | The specific page number of results to retrieve - from the feed. Defaults to "1". | + 4. **Data Retrieval**: The action calls the `get_future_attack_indicators` method + of the `SilentPushManager` to fetch the threat ranking data. - | **Page Size** | String | No | The number of indicator records to return per - page. Defaults to "10000". | + 5. **Result Output**: The retrieved indicators are returned as a JSON object in + the action results. - ### Flow Description + ### Parameters Description - 1. **Configuration Extraction**: The action retrieves the Silent Push server URL - and API key from the integration's global configuration. + | Parameter | Type | Mandatory | Description | - 2. **Parameter Parsing**: It extracts the `Feed UUID`, `Page No`, and `Page Size` - from the action's input parameters, applying default values for pagination if - they are not provided. + | :--- | :--- | :--- | :--- | - 3. **API Interaction**: The action initializes the `SilentPushManager` and calls - the `get_future_attack_indicators` method, which performs a GET request to the - Silent Push `/api/v2/iocs/threat-ranking/` endpoint using the provided Feed UUID - and pagination criteria. + | Feed UUID | string | Yes | Unique ID for the feed to fetch records for. | - 4. **Data Processing**: The response is parsed to extract the list of indicators. - If the response is empty or no indicators are found, the action logs an error - and terminates with a failure status. + | Page No | string | No | The page number to fetch results from (default: 1). + | - 5. **Result Reporting**: The retrieved indicators are added to the action's JSON - results (`ScriptResult`) for use in subsequent playbook steps. The action then - concludes with a success message containing the indicator data. + | Page Size | string | No | The number of indicators to fetch per page (default: + 10000). | ### Additional Notes - - This action is a global fetch operation and does not target or filter specific - entities within the Google SecOps case. - - - The action name contains a typographical error ("Indicatiors") which is preserved - from the integration metadata. + If no indicators are found for the provided `Feed UUID`, the action will fail + and log an error message. capabilities: can_create_case_comments: false can_create_insight: false @@ -1383,8 +1433,16 @@ Get Future Attack Indicatiors: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to an external API to retrieve threat intelligence + data (future attack indicators). It does not modify any external systems or + internal SOAR data (entities, insights, comments). categories: enrichment: false + reasoning: >- + The action fetches data from an external source but does not operate on specific + entities or alerts to enrich them. It is a data retrieval task, not an enrichment + action as defined by the SOAR framework. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1400,6 +1458,10 @@ Get Future Attack Indicatiors: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use `target_entities` to perform its task. It only iterates + over them for logging purposes, which does not constitute processing or filtering + entities. Get IPV4 Reputation: action_product_categories: add_alert_comment: false @@ -1415,6 +1477,10 @@ Get IPV4 Reputation: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves reputation history for an IPv4 address, which directly + matches the 'Enrich IOC' category. It does not perform any other operations + like updating alerts, tickets, or host containment. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1430,52 +1496,42 @@ Get IPV4 Reputation: update_identity: false update_ticket: false ai_description: >- - ### General Description - - Retrieves historical reputation data for a specific IPv4 address using the Silent - Push platform. This action provides detailed insights into the threat history - and reputation scores associated with a network indicator, allowing analysts to - assess the risk level based on historical behavior. + Retrieves reputation information for an IPv4 address from the Silent Push platform. + This action fetches historical reputation data, including detailed calculation + explanations if requested, and returns the results as a JSON response. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Nameserver | String | Yes | The IPv4 address for which reputation information + | Nameserver | string | Yes | The IPv4 address for which reputation information needs to be retrieved. | - | Explain | Boolean | No | If set to true, the response includes the specific - information and logic used to calculate the reputation score. Defaults to false. - | + | Explain | boolean | No | If set to true, includes detailed information used + to calculate the reputation score. Defaults to false. | - | Limit | String | No | The maximum number of reputation history entries to retrieve - from the service. | + | Limit | string | No | The maximum number of reputation history entries to retrieve. + | ### Flow Description - 1. **Parameter Extraction**: The action extracts the target IPv4 address (Nameserver), - the explanation flag, and the result limit from the user-provided parameters. - - 2. **API Request**: It calls the Silent Push `explore/ipreputation/history/ipv4` - endpoint via the `get_ipv4_reputation` manager method. + 1. The action extracts the integration configuration (Server URL, API Key) and + the action parameters (Nameserver, Explain, Limit). - 3. **Data Validation**: The action verifies if the response contains reputation - history data. If the history is empty, it logs an error and terminates with a - failure status. + 2. It initializes the `SilentPushManager` with the provided credentials. - 4. **Result Output**: The raw API response is attached to the action's JSON results, - making the reputation data available for downstream playbook logic. + 3. It calls the `get_ipv4_reputation` method of the `SilentPushManager` to fetch + the reputation history for the specified IPv4 address. + 4. If the reputation data is successfully retrieved, it is added to the action's + result JSON. - ### Additional Notes - - This action is parameter-driven and does not automatically iterate through or - update entities in the Google SecOps case. It is primarily used to fetch raw intelligence - data for a specific indicator provided in the 'Nameserver' field. + 5. If no data is found or an error occurs during the API call, the action logs + the error and terminates with a failed status. capabilities: can_create_case_comments: false can_create_insight: false @@ -1486,8 +1542,16 @@ Get IPV4 Reputation: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches data from an external API (Silent Push) using a GET request. + It does not mutate any external systems, nor does it modify internal Google + SecOps data (entities, insights, or comments). categories: enrichment: true + reasoning: >- + The action fetches data from an external source (Silent Push) to provide context + (reputation history) for an IPv4 address. It does not mutate external systems + or internal data, fulfilling the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1503,6 +1567,11 @@ Get IPV4 Reputation: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over `siemplify.target_entities` only to print them, but + it does not use them to perform the reputation lookup. The lookup is performed + using the 'Nameserver' parameter provided by the user. Therefore, it does not + run on entities. Get Nameserver Reputation: action_product_categories: add_alert_comment: false @@ -1518,6 +1587,11 @@ Get Nameserver Reputation: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves reputation history for a nameserver, which is a form of + threat intelligence for an indicator. This aligns with the 'Enrich IOC' category. + It does not perform any other operations like ticket creation, host containment, + or alert updates. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1535,10 +1609,11 @@ Get Nameserver Reputation: ai_description: >- ### General Description - Retrieves historical reputation data for a specified nameserver using the Silent - Push API. This action provides reputation scores and can optionally include detailed - information about how the score was calculated. It is primarily used to assess - the risk associated with specific DNS infrastructure. + This action retrieves historical reputation data for a specified nameserver from + the Silent Push platform. It provides insights into the nameserver's reputation + history, which can be used to assess the risk associated with specific DNS infrastructure. + The action supports optional parameters to include detailed calculation explanations + and to limit the number of history entries returned. ### Parameters Description @@ -1547,41 +1622,32 @@ Get Nameserver Reputation: | :--- | :--- | :--- | :--- | - | Nameserver | string | Yes | The name of the nameserver (e.g., a.dns-servers.net.ru) - for which reputation information needs to be retrieved. | + | Nameserver | string | Yes | The nameserver name for which reputation information + needs to be retrieved. | - | Explain | string | No | If set to a truthy value, the action retrieves the specific - information used to calculate the reputation score. | + | Explain | string | No | If provided, includes detailed information used to calculate + the reputation score. | - | Limit | string | No | The maximum number of historical reputation records to - retrieve from the service. | + | Limit | string | No | The maximum number of reputation history entries to retrieve. + | ### Flow Description - 1. **Configuration Extraction**: Retrieves the Silent Push Server URL and API - Key from the integration's global configuration. - - 2. **Parameter Extraction**: Collects the target Nameserver, the Explain flag, - and the Limit value from the action's input parameters. - - 3. **API Interaction**: Initializes the Silent Push Manager and calls the `get_nameserver_reputation` - endpoint to fetch historical data. + 1. **Configuration Extraction**: The action extracts the Silent Push server URL + and API key from the integration configuration. - 4. **Data Transformation**: Iterates through the retrieved reputation history - items and converts integer-based date values (formatted as YYYYMMDD) into standard - ISO format strings for better readability. + 2. **Parameter Extraction**: It retrieves the `Nameserver`, `Explain`, and `Limit` + parameters provided by the user. - 5. **Result Finalization**: If valid reputation data is found, the action completes - successfully. If no data is returned or an error occurs during the API call, the - action terminates with a failure status. + 3. **API Request**: The action initializes the `SilentPushManager` and calls the + `get_nameserver_reputation` method to fetch data from the Silent Push API. + 4. **Data Processing**: It processes the returned reputation data, specifically + parsing date fields into ISO format. - ### Additional Notes - - This action does not automatically update entities or create insights within the - Google SecOps case. It returns the retrieved data as a JSON result for use in - subsequent playbook logic. + 5. **Output**: The action logs the status and reputation data, then terminates + with the result. capabilities: can_create_case_comments: false can_create_insight: false @@ -1592,8 +1658,16 @@ Get Nameserver Reputation: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Silent Push API to retrieve reputation + data for a nameserver. It does not modify any external systems, nor does it + modify any internal Google SecOps data (entities, insights, or case comments). categories: enrichment: true + reasoning: >- + The action is a read-only operation that fetches threat intelligence (reputation + data) from an external source (Silent Push). It does not mutate external or + internal data, satisfying the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1609,6 +1683,11 @@ Get Nameserver Reputation: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action relies on the 'Nameserver' parameter provided in the action settings + to perform its task. Although the code iterates over `siemplify.target_entities` + to print them, it does not use these entities to perform the logic or filter + the request. Therefore, it does not run on entities. Get Subnet Reputation: action_product_categories: add_alert_comment: false @@ -1624,6 +1703,11 @@ Get Subnet Reputation: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves reputation history for a subnet, which is a form of threat + intelligence for an indicator (IOC). This matches the 'Enrich IOC' category. + It does not perform any other actions like updating tickets, blocking IOCs, + or managing identities. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1639,45 +1723,50 @@ Get Subnet Reputation: update_identity: false update_ticket: false ai_description: >- - Retrieves the reputation history for a specific IPv4 subnet using the Silent Push - platform. This action allows analysts to understand the historical threat context - and reputation scores associated with a network range, which is useful for identifying - malicious infrastructure or assessing the risk of network traffic. + ### General Description + This action retrieves the reputation history for a specific IPv4 subnet using + the Silent Push API. It allows analysts to gather historical threat intelligence + regarding a subnet to assess its risk profile. - ### Parameters - | Parameter | Type | Mandatory | Description | + ### Flow Description - | :--- | :--- | :--- | :--- | + 1. **Configuration Extraction**: The action retrieves the Silent Push server URL + and API key from the integration configuration. - | Subnet | string | True | The IPv4 subnet (e.g., 192.168.0.0/16) for which reputation - information needs to be retrieved. | + 2. **Parameter Extraction**: It extracts the `Subnet`, `Explain` (optional), and + `Limit` (optional) parameters provided by the user. - | Explain | string | False | If provided, the API returns detailed information - and the logic used to calculate the reputation score. | + 3. **Data Retrieval**: The action initializes the `SilentPushManager` and performs + a GET request to the Silent Push API to fetch the reputation history for the specified + subnet. - | Limit | string | False | Specifies the maximum number of reputation history - entries to retrieve from the service. | + 4. **Result Handling**: If data is found, it logs the reputation history. If no + data is found or the request fails, it logs an error and terminates the action + with a failed status. - ### Flow Description + ### Parameters Description + + | Parameter | Type | Mandatory | Description | - 1. **Configuration Extraction:** The action retrieves the Silent Push Server URL - and API Key from the integration settings. + | :--- | :--- | :--- | :--- | + + | Subnet | string | Yes | The IPv4 subnet for which reputation information needs + to be retrieved. | - 2. **Parameter Retrieval:** It extracts the target `Subnet`, the `Explain` flag, - and the `Limit` value from the action input. + | Explain | string | No | A flag to show detailed information used to calculate + the reputation score. | - 3. **API Interaction:** The action initializes the `SilentPushManager` and calls - the `get_subnet_reputation` method, which performs a GET request to the Silent - Push `explore/ipreputation/history/subnet` endpoint. + | Limit | string | No | The maximum number of reputation history entries to retrieve. + | - 4. **Data Processing:** It parses the response to extract the `subnet_reputation_history`. - If no history is found, the action reports a failure. - 5. **Completion:** The action returns the reputation history data as a JSON result - and completes the execution with a summary message. + ### Additional Notes + + This action does not perform any mutations on external systems or internal Google + SecOps data. It is a read-only operation designed for enrichment purposes. capabilities: can_create_case_comments: false can_create_insight: false @@ -1688,8 +1777,16 @@ Get Subnet Reputation: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Silent Push API to retrieve reputation + data. It does not modify any external systems, nor does it update any internal + Google SecOps data (entities, insights, or comments). categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches reputation data from an external source (Silent Push) and + does not modify any external or internal state. This aligns with the definition + of an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1705,6 +1802,11 @@ Get Subnet Reputation: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` only to print their identifiers + for logging purposes. The actual logic for fetching reputation relies solely + on the `Subnet` parameter provided in the action settings, not on the entities + themselves. Therefore, the action does not run on entities. Get job status: action_product_categories: add_alert_comment: false @@ -1720,6 +1822,10 @@ Get job status: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves the status of a job from an external service. It does not + match any of the specific categories like 'Enrich IOC', 'Enrich Asset', 'Create + Ticket', etc. It is a utility action for job monitoring. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1737,11 +1843,9 @@ Get job status: ai_description: >- ### General Description - The **Get job status** action retrieves the current status or the final results - of an asynchronous job previously initiated within the Silent Push platform. This - utility is essential for workflows involving long-running processes, such as bulk - domain lookups or complex scans, allowing playbooks to poll for completion and - ingest the resulting data once available. + This action retrieves the status of a running job or the results of a completed + job from the Silent Push platform. It is used to monitor the progress of asynchronous + tasks initiated by other Silent Push actions. ### Parameters Description @@ -1750,49 +1854,37 @@ Get job status: | :--- | :--- | :--- | :--- | - | **Job ID** | string | Yes | The unique identifier of the job to check, typically - returned by other Silent Push actions. | + | Job ID | string | Yes | The unique identifier of the job to retrieve status + for. | - | **Max Wait** | string | No | The number of seconds the action should wait for - the job to complete before returning the current status (valid range: 0-25 seconds). - Defaults to 20 seconds if not specified. | + | Max Wait | string | No | The number of seconds to wait for results (0-25 seconds). + Defaults to 20 if not provided. | - | **Status Only** | boolean | No | If enabled, the action will return only the - job's status metadata, even if the job has already finished and results are available. - | - - | **Force Metadata On** | boolean | No | When enabled, the response will always - include query metadata, regardless of the settings used when the job was originally - created. | - - | **Force Metadata Off** | boolean | No | When enabled, the response will never - include query metadata, regardless of the settings used when the job was originally - created. | - - - ### Additional Notes + | Status Only | boolean | No | If set to true, returns the job status even if + the job is already complete. | - - This action is primarily a utility for job orchestration and does not directly - enrich entities or modify case data within Google SecOps. + | Force Metadata On | boolean | No | If set to true, always returns query metadata, + even if the original request did not include it. | - - The `Max Wait` parameter is capped at 25 seconds by the Silent Push API logic. + | Force Metadata Off | boolean | No | If set to true, never returns query metadata, + even if the original request included it. | ### Flow Description - 1. **Initialization**: Extracts the integration configuration (API Key and Server - URL) and the user-provided action parameters. + 1. **Configuration Extraction**: The action retrieves the Silent Push Server URL + and API Key from the integration configuration. - 2. **Validation**: Converts the `Max Wait` parameter to an integer and ensures - it falls within the default range (defaulting to 20 if empty). + 2. **Parameter Extraction**: The action extracts the `Job ID`, `Max Wait`, `Status + Only`, `Force Metadata On`, and `Force Metadata Off` parameters. - 3. **API Request**: Sends a GET request to the Silent Push `explore/job/{job_id}` - endpoint with the specified query parameters. + 3. **API Request**: The action calls the `get_job_status` method of the `SilentPushManager`, + which performs a GET request to the Silent Push API using the provided `Job ID` + and parameters. - 4. **Response Handling**: Parses the job status and results from the API response. - - 5. **Completion**: Returns the job data as the action output. If no job status - is found for the provided ID, the action fails. + 4. **Result Handling**: The action processes the API response. If the job status + is found, it returns the status information as the output message. If no status + is found or an error occurs, it logs the error and fails the action. capabilities: can_create_case_comments: false can_create_insight: false @@ -1803,45 +1895,20 @@ Get job status: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Silent Push API to retrieve the status + of a job. It does not modify any external systems, nor does it perform any internal + mutations such as updating entities, creating insights, or adding case comments. + It simply fetches and returns data. categories: enrichment: false + reasoning: >- + The action fetches data (job status) but does not meet the criteria for an enrichment + action because it does not perform any of the allowed internal mutations (updating + entities, creating insights, or adding case comments). It is a utility action + for job monitoring. entity_usage: - entity_types: - - ADDRESS - - ALERT - - APPLICATION - - CHILDHASH - - CHILDPROCESS - - CLUSTER - - CONTAINER - - CREDITCARD - - CVE - - CVEID - - DATABASE - - DEPLOYMENT - - DESTINATIONDOMAIN - - DOMAIN - - EMAILSUBJECT - - EVENT - - FILEHASH - - FILENAME - - GENERICENTITY - - HOSTNAME - - IPSET - - MacAddress - - PARENTHASH - - PARENTPROCESS - - PHONENUMBER - - POD - - PROCESS - - SERVICE - - SOURCEDOMAIN - - THREATACTOR - - THREATCAMPAIGN - - THREATSIGNATURE - - DestinationURL - - USB - - USERUNIQNAME + entity_types: [] filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false @@ -1855,6 +1922,10 @@ Get job status: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` only to print their identifiers, + but it does not use them in the API request or any logic. Therefore, it does + not run on entities. List Domain Information: action_product_categories: add_alert_comment: false @@ -1870,6 +1941,10 @@ List Domain Information: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves reputation, risk scores, and WHOIS information for domains, + which aligns with the 'Enrich IOC' category. It does not perform any other actions + like ticket creation, containment, or alert updates. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1884,34 +1959,49 @@ List Domain Information: update_email: false update_identity: false update_ticket: false - ai_description: "### General Description\nThe **List Domain Information** action\ - \ retrieves comprehensive metadata for a list of domains from the Silent Push\ - \ platform. It provides core domain information and can be optionally configured\ - \ to include Silent Push risk scores (with detailed explanations) and live WHOIS\ - \ data. This action is designed for bulk enrichment and threat assessment of domain\ - \ indicators provided as input parameters.\n\n### Parameters Description\n| Parameter\ - \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| **Domains**\ - \ | String | Yes | A comma-separated list of domains to query (e.g., \"example.com,\ - \ test.org\"). The action supports a maximum of 100 domains per request. |\n|\ - \ **Fetch Risk Score** | Boolean | No | If set to `true`, the action retrieves\ - \ the Silent Push risk score and a detailed explanation for each domain. Default\ - \ is `false`. |\n| **Fetch Whois Info** | Boolean | No | If set to `true`, the\ - \ action retrieves live WHOIS information, including registrant details, registration\ - \ dates, and nameservers. Default is `false`. |\n\n### Flow Description\n1. **Initialization**:\ - \ The action extracts the Silent Push server URL and API key from the integration\ - \ configuration.\n2. **Input Processing**: It parses the `Domains` string into\ - \ a list and evaluates the boolean flags for risk scores and WHOIS data.\n3. **Data\ - \ Retrieval**: \n - The action calls the Silent Push API to fetch bulk domain\ - \ information for the provided list.\n - If `Fetch Risk Score` is enabled,\ - \ it retrieves risk assessment data for each domain.\n - If `Fetch Whois Info`\ - \ is enabled, it performs individual WHOIS lookups for each domain.\n4. **Result\ - \ Formatting**: The retrieved data is aggregated into a structured JSON object\ - \ and a Markdown-formatted summary is generated for the Google SecOps interface.\n\ - 5. **Completion**: The action returns the results to the SOAR platform, indicating\ - \ success or failure based on the API response.\n\n### Additional Notes\n- This\ - \ action does not automatically update entities within the Google SecOps case;\ - \ it returns the enrichment data as a script result for use in subsequent playbook\ - \ steps.\n- A maximum of 100 domains can be submitted in a single execution." + ai_description: >- + ### General Description + + This action retrieves detailed domain information from the Silent Push platform. + It allows users to query multiple domains simultaneously and optionally fetch + associated risk scores and WHOIS information. The results are returned in both + Markdown format for readability and JSON format for further processing. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Domains | string | Yes | Comma-separated list of domains to query. | + + | Fetch Risk Score | boolean | No | Whether to fetch risk scores for the domains. + Defaults to false. | + + | Fetch Whois Info | boolean | No | Whether to fetch WHOIS information for the + domains. Defaults to false. | + + + ### Flow Description + + 1. **Configuration Extraction**: The action extracts the necessary integration + configuration, including the Silent Push Server URL and API Key. + + 2. **Parameter Extraction**: It retrieves the `Domains`, `Fetch Risk Score`, and + `Fetch Whois Info` parameters provided by the user. + + 3. **Manager Initialization**: The `SilentPushManager` is initialized with the + extracted configuration. + + 4. **Data Retrieval**: The action calls the `list_domain_information` method of + the `SilentPushManager` to fetch the requested data from the Silent Push API. + + 5. **Response Formatting**: The API response is formatted into a Markdown string + for display and a JSON object for the action result. + + 6. **Result Output**: The JSON response is added to the action result, and the + action completes successfully. capabilities: can_create_case_comments: false can_create_insight: false @@ -1922,8 +2012,15 @@ List Domain Information: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches domain information (risk score, WHOIS) from the Silent Push + API. It does not modify any external or internal systems, nor does it update + entities or create insights. categories: enrichment: true + reasoning: >- + The action fetches data from an external source (Silent Push) and does not mutate + any external or internal state. It qualifies as an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1939,6 +2036,11 @@ List Domain Information: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action processes a comma-separated list of domains provided via the 'Domains' + parameter. Although the script iterates over `siemplify.target_entities` for + logging purposes, it does not perform any operations on these entities. Therefore, + it does not run on entities. List Domain Infratags: action_product_categories: add_alert_comment: false @@ -1954,6 +2056,11 @@ List Domain Infratags: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves infrastructure tags for domains, which provides threat + intelligence and context about the domain's infrastructure. This aligns with + the 'Enrich IOC' category. It does not perform any other actions like ticket + creation, host containment, or alert modification. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -1969,55 +2076,62 @@ List Domain Infratags: update_identity: false update_ticket: false ai_description: >- - Retrieves infrastructure tags (infratags) for multiple domains using the Silent - Push API. This action allows analysts to identify common infrastructure patterns - and cluster domains based on shared attributes, which is useful for threat hunting - and attribution. It supports both live data and historical Passive DNS (PADNS) - data. + ### General Description + This action retrieves infrastructure tags (infratags) for a specified list of + domains from the Silent Push platform. It allows for optional clustering of results + and supports different lookup modes (e.g., live or padns) to provide detailed + infrastructure context for the provided domains. - ### Parameters - | Parameter | Type | Mandatory | Description | + ### Flow Description - | :--- | :--- | :--- | :--- | + 1. **Configuration Extraction**: The action extracts the necessary API credentials + and action parameters (Domain, Cluster, Mode, Match, As Of, Origin UID, Use Get) + from the integration configuration and action settings. - | Domain | string | Yes | A comma-separated list of domains to investigate. | + 2. **API Request**: It initializes the `SilentPushManager` and calls the `list_domain_infratags` + method, which performs a POST request to the Silent Push API to fetch infrastructure + tags for the provided domains. - | Cluster | boolean | No | If set to true, the action will return clustered results - based on shared infrastructure tags. | + 3. **Response Processing**: The action parses the API response. If clustering + is enabled, it formats the tag clusters into a readable structure. - | Mode | string | No | The lookup mode to use: 'live' (default) or 'padns'. | + 4. **Result Output**: The retrieved infratags and optional cluster data are added + to the action's result JSON for use in the SOAR platform. - | Match | string | No | Specifies how to handle self-hosted infrastructure (defaults - to 'self'). | - | As Of | string | No | A timestamp used to filter PADNS data between first and - last seen dates. | + ### Parameters Description - | Use Get | boolean | No | Internal flag for request method (defaults to true). - | + | Parameter | Type | Mandatory | Description | - | Origin UID | string | No | An optional unique identifier for the request origin. + | :--- | :--- | :--- | :--- | + + | Domain | string | Yes | A comma-separated list of domains to retrieve infrastructure + tags for. | + + | Cluster | boolean | No | Whether to cluster the results. Defaults to false. | + | Mode | string | No | Mode for lookup (live/padns). Defaults to "live". | - ### Flow Description + | Match | string | No | Handling of self-hosted infrastructure. Defaults to "self". + | - 1. **Parameter Extraction:** The action retrieves the API key, server URL, and - user-provided parameters, including the list of domains. + | As Of | string | No | Build infratags from padns data where the as_of timestamp + equivalent is between the first_seen and the last_seen timestamp. | - 2. **Data Retrieval:** It sends a POST request to the Silent Push 'explore/bulk/domain/infratags' - endpoint with the specified domains and filtering criteria. + | Origin UID | string | No | Unique identifier for the API user. | - 3. **Response Validation:** The action verifies that the returned data matches - the requested mode. + | Use Get | boolean | No | Flag to indicate if GET should be used (though the + implementation defaults to POST). | - 4. **Result Processing:** If clustering is enabled, it formats the tag clusters - into a readable structure. - 5. **Output Generation:** The retrieved infratags and optional clusters are attached - to the action result as JSON. + ### Additional Notes + + The action relies on the `Domain` parameter to perform the lookup. While it iterates + over `siemplify.target_entities` for logging purposes, it does not use these entities + to filter or drive the API request logic. capabilities: can_create_case_comments: false can_create_insight: false @@ -2028,8 +2142,17 @@ List Domain Infratags: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the Silent Push API to retrieve infrastructure + tags for domains. It does not modify any external systems, nor does it update + internal SOAR entities, create insights, or modify alert data. It is a read-only + data retrieval operation. categories: - enrichment: false + enrichment: true + reasoning: >- + The action is designed to fetch contextual infrastructure data (infratags) for + domains. It does not mutate external systems or modify internal SOAR data (entities, + insights, comments). Therefore, it qualifies as an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -2045,6 +2168,11 @@ List Domain Infratags: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action extracts the domains to query from the 'Domain' action parameter, + not from the `target_entities` list. Although the code iterates over `siemplify.target_entities` + for logging purposes, it does not use them to perform the lookup or filter the + results. Therefore, it does not run on entities. List IP Information: action_product_categories: add_alert_comment: false @@ -2060,6 +2188,10 @@ List IP Information: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves reputation and threat intelligence (ASN data) for IP addresses, + which aligns with the 'Enrich IOC' category. It does not perform any other operations + like ticket creation, host containment, or alert modification. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -2074,27 +2206,39 @@ List IP Information: update_email: false update_identity: false update_ticket: false - ai_description: "Retrieves comprehensive IP information, specifically IP-to-ASN\ - \ (Autonomous System Number) mapping, for multiple IPv4 and IPv6 addresses using\ - \ the Silent Push API. This action allows for bulk lookups by accepting a comma-separated\ - \ list of IP addresses, validating their format, and fetching network ownership\ - \ and routing data.\n\n### Parameters Description\n\n| Parameter | Type | Mandatory\ - \ | Description |\n| :--- | :--- | :--- | :--- |\n| Ips | String | Yes | A comma-separated\ - \ list of IPv4 or IPv6 addresses (e.g., \"142.251.188.102, 2001:4860:4860::8888\"\ - ) to be queried. |\n\n### Flow Description\n\n1. **Initialization:** The action\ - \ retrieves the Silent Push Server URL and API Key from the integration's global\ - \ configuration.\n2. **Input Parsing:** It extracts the `Ips` parameter and splits\ - \ the comma-separated string into a list of individual IP strings.\n3. **Validation:**\ - \ The action iterates through the list, using the `SilentPushManager` to categorize\ - \ each address as either IPv4 or IPv6 based on standard IP formatting.\n4. **Bulk\ - \ Querying:** \n * If IPv4 addresses are present, it performs a bulk POST\ - \ request to the Silent Push `ipv4` lookup endpoint.\n * If IPv6 addresses\ - \ are present, it performs a bulk POST request to the Silent Push `ipv6` lookup\ - \ endpoint.\n5. **Data Aggregation:** The results from both queries (containing\ - \ ASN, CIDR, and registry information) are combined into a single result set.\n\ - 6. **Finalization:** The action returns the aggregated IP information in the\ - \ output message and sets the execution status to completed. If no information\ - \ is found for any of the provided IPs, the action fails." + ai_description: >- + Retrieves comprehensive IP information (such as ASN details) for a provided list + of IPv4 and IPv6 addresses using the Silent Push API. This action validates the + input IPs, categorizes them into IPv4 and IPv6, and queries the Silent Push platform + for ASN information. The gathered data is returned in the action output. + + + ### Parameters + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Ips | string | Yes | Comma-separated list of IP addresses to retrieve information + for. | + + + ### Flow Description + + 1. **Configuration Extraction**: The action retrieves the Silent Push server URL + and API key from the integration configuration. + + 2. **Input Processing**: The `Ips` parameter is extracted and split into a list + of individual IP addresses. + + 3. **Validation**: The action validates each IP address to determine if it is + IPv4 or IPv6 using the `SilentPushManager`. + + 4. **Data Retrieval**: The action queries the Silent Push API (`explore/bulk/ip2asn`) + for the validated IPv4 and IPv6 addresses. + + 5. **Output**: The gathered IP information is formatted and returned as the action + result. capabilities: can_create_case_comments: false can_create_insight: false @@ -2105,8 +2249,17 @@ List IP Information: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET/POST request to an external API to retrieve IP information + (enrichment). It does not modify the state of the external system (no blocking/quarantine), + nor does it modify internal Google SecOps data (no entity updates, insights, + or comments). categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches data from an external source (Silent Push) to provide context + (enrichment). It does not mutate external systems or modify internal data, satisfying + the criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -2122,6 +2275,11 @@ List IP Information: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use the `target_entities` list to perform its logic; it + relies solely on the `Ips` parameter provided in the action settings. The iteration + over `target_entities` in the code is for logging purposes only and does not + influence the action's execution or data processing. Live URL Scan: action_product_categories: add_alert_comment: false @@ -2137,6 +2295,9 @@ Live URL Scan: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves hosting metadata for a URL, which is an indicator of compromise + (IOC). This matches the 'Enrich IOC' category. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -2152,67 +2313,51 @@ Live URL Scan: update_identity: false update_ticket: false ai_description: >- - Scans a specific URL using the Silent Push platform to retrieve detailed hosting - metadata and scan results. This action allows analysts to perform on-demand URL - analysis by specifying various scanning profiles, including the platform, operating - system, browser, and geographic region from which the scan should originate. The - results provide insights into the infrastructure and behavior of the target URL, - which are returned as a structured JSON object for further investigation or automated - decision-making. - - - ### Parameters Description - + ### General Description - | Parameter | Type | Mandatory | Default Value | Description | + This action performs a live scan of a specified URL using the Silent Push platform + to retrieve detailed hosting metadata. It allows analysts to gather intelligence + on a URL by specifying the environment (platform, OS, browser, and region) in + which the scan should be executed. - | :--- | :--- | :--- | :--- | :--- | - | URL | string | True | https://silentpush.com | The specific URL to be scanned - by Silent Push. | + ### Parameters Description - | Platform | string | False | N/A | The device type to simulate during the scan. - Supported values: `Desktop`, `Mobile`, `Crawler`. | + | Parameter | Type | Mandatory | Description | - | Os | string | False | N/A | The operating system to simulate during the scan. - Supported values: `Windows`, `Linux`, `MacOS`, `iOS`, `Android`. | + | :--- | :--- | :--- | :--- | - | Browser | string | False | N/A | The web browser to simulate during the scan. - Supported values: `Firefox`, `Chrome`, `Edge`, `Safari`. | + | URL | string | Yes | The URL to be scanned. | - | Region | string | False | N/A | The geographic region from which the scan should - be initiated. Supported values: `US`, `EU`, `AS`, `TOR`. | + | Platform | string | No | The device platform to perform the scan with (e.g., + Desktop, Mobile, Crawler). | + | Os | string | No | The operating system to perform the scan with (e.g., Windows, + Linux, MacOS, iOS, Android). | - ### Additional Notes + | Browser | string | No | The browser to perform the scan with (e.g., Firefox, + Chrome, Edge, Safari). | - - The action performs strict validation on the `Platform`, `Os`, `Browser`, and - `Region` parameters. If an invalid value is provided, the action will fail before - making the API call. - - - This action does not automatically iterate over entities; it relies on the provided - `URL` parameter. If you wish to scan a URL entity, you must map the entity's identifier - to the `URL` parameter in the playbook. + | Region | string | No | The region from where the scan should be performed (e.g., + US, EU, AS, TOR). | ### Flow Description - 1. **Configuration Extraction:** Retrieves the Silent Push Server URL and API - Key from the integration settings. - - 2. **Parameter Retrieval:** Extracts the target URL and optional scanning profile - parameters (Platform, OS, Browser, Region). + 1. **Configuration Extraction**: The action retrieves the Silent Push server URL + and API key from the integration configuration. - 3. **Validation:** Validates the optional parameters against a list of allowed - values (e.g., ensuring the OS is one of the supported types like Windows or Linux). + 2. **Parameter Extraction**: It extracts the URL and optional environment parameters + (Platform, OS, Browser, Region) provided by the user. - 4. **API Interaction:** Sends a GET request to the Silent Push `scanondemand` - endpoint with the specified URL and profile settings. + 3. **Validation**: The action validates the provided environment parameters against + a predefined list of allowed values. - 5. **Data Processing:** Parses the API response to extract the `scan` metadata. + 4. **API Interaction**: It calls the Silent Push `explore/tools/scanondemand` + endpoint to initiate the live URL scan. - 6. **Output Generation:** Formats the scan results into a JSON object and completes - the action, providing a summary message of the scan outcome. + 5. **Result Processing**: The action formats the scan results and returns them + as a JSON object in the action output. capabilities: can_create_case_comments: false can_create_insight: false @@ -2223,8 +2368,15 @@ Live URL Scan: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Silent Push API to retrieve scan data + for a URL. It does not modify any external or internal systems, nor does it + update entities or create insights. categories: enrichment: true + reasoning: >- + The action fetches data from an external source (Silent Push) and does not mutate + any external or internal state. It fits the definition of an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -2240,6 +2392,10 @@ Live URL Scan: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not use entities to perform the scan; it uses the provided URL + parameter. The code iterates over `target_entities` only for logging purposes, + not for processing. Ping: action_product_categories: add_alert_comment: false @@ -2255,6 +2411,9 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test ('Ping') and does not perform any of the defined + functional operations such as enrichment, ticketing, containment, or alert management. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -2269,28 +2428,41 @@ Ping: update_email: false update_identity: false update_ticket: false - ai_description: "### General Description\nThe **Ping** action is a diagnostic utility\ - \ designed to verify the connectivity and authentication between Google SecOps\ - \ and the Silent Push API. Its primary purpose is to ensure that the integration's\ - \ configuration parameters, specifically the Server URL and API Key, are valid\ - \ and that the Silent Push service is reachable.\n\n### Parameters Description\n\ - This action does not require any input parameters. It relies entirely on the integration's\ - \ global configuration:\n\n| Parameter Name | Expected Type | Mandatory | Description\ - \ |\n| :--- | :--- | :--- | :--- |\n| N/A | N/A | N/A | This action has no specific\ - \ input parameters. |\n\n### Flow Description\n1. **Parameter Extraction**: The\ - \ action retrieves the 'Silent Push Server' URL and 'API Key' from the integration's\ - \ configuration settings.\n2. **Credential Validation**: It checks if both the\ - \ URL and API Key are provided; if either is missing, the action fails immediately.\n\ - 3. **Connection Attempt**: The action initializes the `SilentPushManager` and\ - \ calls the `test_connection` method. This method performs a lightweight `GET`\ - \ request (searching for a single domain) to the Silent Push API to verify the\ - \ credentials.\n4. **Execution Outcome**: \n * If the API responds successfully,\ - \ the action completes with a success message.\n * If an exception occurs (e.g.,\ - \ 401 Unauthorized, 403 Forbidden, or network timeout), the action catches the\ - \ error and returns a failure status with the specific error details.\n\n### Additional\ - \ Notes\n* This action is strictly for connectivity testing and does not interact\ - \ with or modify any entities within the SOAR case.\n* Per standard SOAR conventions,\ - \ Ping actions are not classified as enrichment actions." + ai_description: >- + ### General Description + + This action tests the connectivity to the Silent Push platform to ensure that + the provided API credentials and server URL are valid and functional. It performs + a lightweight API request to verify the connection, providing immediate feedback + on the integration's status. + + + ### Parameters + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Silent Push Server | String | Yes | The base URL of the Silent Push API server. + | + + | API Key | String | Yes | The API key used for authenticating requests to the + Silent Push platform. | + + + ### Flow Description + + 1. **Configuration Extraction**: The action retrieves the `Silent Push Server` + URL and `API Key` from the integration configuration. + + 2. **Initialization**: The `SilentPushManager` is initialized with the provided + credentials. + + 3. **Connectivity Test**: The action calls the `test_connection` method, which + performs a sample API request (e.g., `search_domains`) to validate the connection. + + 4. **Result Reporting**: Based on the response, the action logs the success or + failure of the connection and terminates with the appropriate status message. capabilities: can_create_case_comments: false can_create_insight: false @@ -2301,8 +2473,15 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity test by making a GET request to the Silent + Push API. It does not modify external or internal data, nor does it interact + with entities or alerts. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action, which is explicitly excluded from being categorized + as an enrichment action per the provided instructions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -2318,6 +2497,9 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities; it is a global connectivity + test. Reverse Padns Lookup: action_product_categories: add_alert_comment: false @@ -2330,15 +2512,18 @@ Reverse Padns Lookup: download_file: false enable_identity: false enrich_asset: false - enrich_ioc: false + enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves Passive DNS records, which provides threat intelligence + and context for an indicator. This aligns with the 'Enrich IOC' category. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false search_asset: false search_email: false - search_events: true + search_events: false send_email: false send_message: false submit_file: false @@ -2347,101 +2532,41 @@ Reverse Padns Lookup: update_email: false update_identity: false update_ticket: false - ai_description: >- - ### General Description - - The **Reverse Padns Lookup** action performs a reverse Passive DNS (pDNS) query - using the Silent Push platform. It allows security analysts to identify DNS records - (such as NS or MX records) that point to a specific domain or record name. This - capability is essential for infrastructure mapping, identifying shared infrastructure - between malicious actors, and uncovering related assets during an investigation. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | **Qname** | String | Yes | The DNS record name to lookup (e.g., a nameserver - like `ns1.example.com` or a mail server). | - - | **Qtype** | String | No | The DNS record type to filter the results by (e.g., - `ns`, `mx`). Defaults to `ns`. | - - | **Netmask** | String | No | A network mask to filter the lookup results. | - - | **subdomain** | String | No | A flag to include subdomains in the lookup results. - | - - | **Regex** | String | No | A regular expression used to filter the returned DNS - records. | - - | **Match** | String | No | The type of match for the query (e.g., `exact`, `partial`). - | - - | **First Seen After** | String | No | Filter results to include only records - first observed after this date. | - - | **First Seen Before** | String | No | Filter results to include only records - first observed before this date. | - - | **Last Seen After** | String | No | Filter results to include only records last - observed after this date. | - - | **Last Seen Before** | String | No | Filter results to include only records - last observed before this date. | - - | **As Of** | String | No | Retrieve DNS records as they appeared at a specific - point in time. | - - | **Sort** | String | No | Sort the results by a specified field (e.g., `date`, - `score`). | - - | **Output Format** | String | No | The format in which results should be returned - (e.g., `JSON`, `XML`). | - - | **Prefer** | String | No | Preference for specific DNS servers or sources. | - - | **With Metadata** | String | No | Flag to include additional metadata in the - DNS records. | - - | **Max Wait** | String | No | Maximum number of seconds to wait for results before - timing out. | - - | **Skip** | String | No | Number of results to skip for pagination purposes. - | - - | **Limit** | String | No | Maximum number of results to return. | - - - ### Flow Description - - 1. **Initialization**: The action initializes the Silent Push manager using the - provided Server URL and API Key from the integration configuration. - - 2. **Parameter Extraction**: It extracts the mandatory `Qname` and all optional - filtering/pagination parameters from the action input. - - 3. **API Request**: The action sends a GET request to the Silent Push `explore/padns/lookup/answer` - endpoint, passing the `Qtype`, `Qname`, and all provided filters. - - 4. **Response Validation**: It checks the API response for errors. If the API - returns an error or no records are found, the action logs the failure and terminates. - - 5. **Output**: If records are found, they are formatted into an output message - and the action completes successfully. - - - ### Additional Notes - - - This is a **Global Action** and does not automatically iterate over entities - in the SecOps case. It relies entirely on the `Qname` parameter provided in the - input. - - - There is a minor discrepancy between the YAML parameter name (`subdomain`) and - the Python script's extraction logic (`Subdomains`); ensure the parameter is correctly - mapped in the environment. + ai_description: "### General Description\nThis action performs a reverse Passive\ + \ DNS (PADNS) lookup using the Silent Push platform. It retrieves historical DNS\ + \ record associations for a given query name (`Qname`) and record type (`Qtype`),\ + \ allowing analysts to identify infrastructure linked to specific domains or IP\ + \ addresses. This provides valuable threat intelligence and context for investigations.\n\ + \n### Flow Description\n1. **Configuration Extraction**: The action retrieves\ + \ the Silent Push API key and server URL from the integration configuration.\n\ + 2. **Parameter Extraction**: It extracts the required `Qname` and `Qtype`, along\ + \ with optional filtering parameters (e.g., `Netmask`, `Regex`, `Date` filters,\ + \ `Limit`).\n3. **API Request**: The action sends a GET request to the Silent\ + \ Push `explore/padns/lookup/answer` endpoint with the specified parameters.\n\ + 4. **Response Handling**: \n - If records are found, the action returns the\ + \ data and marks the execution as completed.\n - If no records are found or\ + \ an API error occurs, the action logs the failure and terminates.\n\n### Parameters\ + \ Description\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- |\ + \ :--- | :--- |\n| Qtype | string | No | DNS record type (e.g., 'ns', 'a', 'mx').\ + \ Defaults to 'ns'. |\n| Qname | string | Yes | The DNS record name to lookup.\ + \ |\n| Netmask | string | No | The netmask to filter the lookup results. |\n|\ + \ Subdomains | string | No | Flag to include subdomains in the lookup results.\ + \ |\n| Regex | string | No | Regular expression to filter the DNS records. |\n\ + | Match | string | No | Type of match for the query (e.g., exact, partial). |\n\ + | First Seen After | string | No | Filter results to include only records first\ + \ seen after this date. |\n| First Seen Before | string | No | Filter results\ + \ to include only records first seen before this date. |\n| Last Seen After |\ + \ string | No | Filter results to include only records last seen after this date.\ + \ |\n| Last Seen Before | string | No | Filter results to include only records\ + \ last seen before this date. |\n| As Of | string | No | Date or time to get the\ + \ DNS records as of a specific point in time. |\n| Sort | string | No | Sort the\ + \ results by the specified field (e.g., date, score). |\n| Output Format | string\ + \ | No | The format in which the results should be returned (e.g., JSON, XML).\ + \ |\n| Prefer | string | No | Preference for specific DNS servers or sources.\ + \ |\n| With Metadata | string | No | Flag to include metadata in the DNS records.\ + \ |\n| Max Wait | string | No | Maximum number of seconds to wait for results\ + \ before timing out. |\n| Skip | string | No | Number of results to skip for pagination\ + \ purposes. |\n| Limit | string | No | Maximum number of results to return. |" capabilities: can_create_case_comments: false can_create_insight: false @@ -2452,8 +2577,16 @@ Reverse Padns Lookup: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Silent Push API to retrieve Passive + DNS data. It does not modify any external systems, nor does it update internal + SOAR data (entities, insights, or comments). categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches contextual threat intelligence (Passive DNS records) from + an external source without modifying any external or internal systems. It meets + all criteria for an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -2469,6 +2602,11 @@ Reverse Padns Lookup: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not utilize entities to perform its lookup; it relies entirely + on the 'Qname' parameter provided in the action configuration. The loop over + 'target_entities' in the code is used only for logging purposes and does not + influence the API request logic. Run Threat check: action_product_categories: add_alert_comment: false @@ -2484,6 +2622,11 @@ Run Threat check: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves threat intelligence (reputation/threat check) for a given + indicator (IP or domain) from the Silent Push platform. This matches the 'Enrich + IOC' category. It does not perform any containment, ticket creation, or alert + modification. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -2498,57 +2641,29 @@ Run Threat check: update_email: false update_identity: false update_ticket: false - ai_description: >- - Runs a threat check against the Silent Push Threat Check API to retrieve reputation - and threat intelligence for a specific indicator. This action is parameter-driven - and queries the Silent Push database for a provided value (IP or domain) against - a specified data source. It returns the raw threat check results to the action - output. - - - ### Parameters Description - - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | Data | string | Yes | The name of the data source to query (e.g., 'iofa'). | - - | Query | string | Yes | The specific value to check for threats (e.g., an IP - address or domain name). | - - | Type | string | Yes | The type of the value being queried (e.g., 'ip', 'domain'). - | - - | User Identifier | string | Yes | A unique identifier for the user making the - request, used for tracking and auditing. | - - - ### Additional Notes - - - This action does not automatically process entities from the Google SecOps case; - it relies entirely on the values provided in the action parameters. - - - The action performs a GET request to the Silent Push Threat Check API endpoint. - - - ### Flow Description - - 1. **Configuration Extraction:** Retrieves the Silent Push server URL and API - key from the integration settings. - - 2. **Parameter Retrieval:** Extracts the 'Data', 'Query', 'Type', and 'User Identifier' - from the action input. - - 3. **API Interaction:** Initializes the Silent Push Manager and executes a threat - check query via a GET request to the external API. - - 4. **Result Processing:** Evaluates the API response. If data is found, it formats - the output message; otherwise, it logs an error and fails the action. - - 5. **Completion:** Ends the action execution, returning the threat check results - as the final output message. + ai_description: "The 'Run Threat check' action retrieves threat intelligence for\ + \ a specified indicator (such as an IP address or domain) from the Silent Push\ + \ platform. This action is designed to provide context on potential threats by\ + \ querying the Silent Push API with user-provided parameters.\n\n### Flow Description\n\ + 1. **Configuration Extraction**: The action retrieves the Silent Push server URL\ + \ and API key from the integration configuration.\n2. **Parameter Extraction**:\ + \ It extracts the required input parameters: `Data`, `Type`, `User Identifier`,\ + \ and `Query`.\n3. **Threat Check Execution**: The action initializes the `SilentPushManager`\ + \ and calls the `run_threat_check` method, which performs a GET request to the\ + \ Silent Push API to fetch threat information.\n4. **Result Handling**: \n -\ + \ If the API returns data, the action logs the result and completes successfully.\n\ + \ - If the API fails or returns no data, the action logs an error and terminates\ + \ with a failed status.\n5. **Logging**: The action logs the status, result value,\ + \ and output message for audit purposes.\n\n### Parameters Description\n| Parameter\ + \ | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| Data |\ + \ string | Yes | The name of the data source to query (e.g., 'iofa'). |\n| Query\ + \ | string | Yes | The value to check for threats (e.g., an IP address or domain).\ + \ |\n| Type | string | Yes | The type of the value being queried (e.g., 'ip',\ + \ 'domain'). |\n| User Identifier | string | Yes | A unique identifier for the\ + \ user making the request. |\n\n### Additional Notes\nThis action does not perform\ + \ any operations on entities within the Google SecOps platform, despite iterating\ + \ over them for logging purposes. It relies entirely on the provided action parameters\ + \ to execute the threat check." capabilities: can_create_case_comments: false can_create_insight: false @@ -2559,8 +2674,16 @@ Run Threat check: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches threat intelligence data from the Silent Push API using the + `run_threat_check` method. It does not perform any external or internal mutations, + nor does it update entities, create insights, or modify alert data. categories: - enrichment: false + enrichment: true + reasoning: >- + The action fetches threat intelligence data from the Silent Push API. It does + not mutate any external or internal data. It meets the criteria for an enrichment + action as it proactively fetches data and preserves system states. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -2576,6 +2699,11 @@ Run Threat check: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` only to log their identifiers, + but does not perform any filtering or operations on the entities themselves. + The action relies on provided action parameters for its execution rather than + entity data. Screenshot URL: action_product_categories: add_alert_comment: false @@ -2591,6 +2719,11 @@ Screenshot URL: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action generates a screenshot of a URL and returns the URL of the screenshot. + It does not perform any of the defined actions such as enriching IOCs, updating + alerts, or containing hosts. Therefore, it does not match any of the product + categories. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -2608,47 +2741,36 @@ Screenshot URL: ai_description: >- ### General Description - Generates a visual screenshot of a specified URL using the Silent Push platform. - This action is primarily used for visual verification of potentially malicious - websites or for documenting the state of a web resource during an investigation. - It retrieves a URL pointing to the captured image and verifies that the image - is accessible. + Generates a screenshot of a specified URL using the Silent Push API. This action + retrieves a visual representation of the target URL, validates the screenshot's + accessibility, and returns the screenshot URL as a result. ### Parameters Description - | Parameter | Type | Mandatory | Default Value | Description | - - | :--- | :--- | :--- | :--- | :--- | + | Parameter | Type | Mandatory | Description | - | URL | string | True | https://www.virustotal.com/gui/domain/tbibank-bg.com | - The specific URL for which a screenshot should be generated. | + | :--- | :--- | :--- | :--- | + | URL | string | Yes | The URL for the screenshot. | - ### Flow Description - 1. **Configuration Extraction**: Retrieves the Silent Push Server URL and API - Key from the integration settings. + ### Additional Notes - 2. **Parameter Retrieval**: Extracts the target URL from the action parameters. + None. - 3. **API Request**: Calls the Silent Push `scanondemand` endpoint to initiate - a screenshot capture for the provided URL. - 4. **Response Validation**: Checks the API response for errors and ensures a `screenshot_url` - is returned. + ### Flow Description - 5. **Image Verification**: Performs a secondary HTTP GET request to the returned - screenshot URL to verify that the image was successfully generated and is reachable. + 1. Extract configuration (Server URL, API Key) and the `URL` parameter. - 6. **Result Reporting**: Outputs the original URL and the resulting screenshot - URL as a JSON result for use in subsequent playbook steps. + 2. Call the Silent Push API to generate the screenshot. + 3. Validate the API response and ensure the screenshot URL is present. - ### Additional Notes + 4. Download the image to verify it is accessible. - This action does not automatically attach the image to the case wall or update - entity attributes; it provides the URL of the screenshot as a result output. + 5. Return the screenshot URL in the action result JSON. capabilities: can_create_case_comments: false can_create_insight: false @@ -2659,8 +2781,16 @@ Screenshot URL: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches data from the Silent Push API (fetches_data=true). It does + not mutate external data (no POST/PUT/DELETE). It does not mutate internal data + (no updates to entities, insights, or comments). categories: enrichment: false + reasoning: >- + The action fetches data (a screenshot URL) but does not update entities, create + insights, or add comments. It does not meet the criteria for an Enrichment Action + as defined. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -2676,6 +2806,10 @@ Screenshot URL: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` but only to print them. It + does not use them to perform the action, relying instead on the `URL` parameter. + Therefore, it does not run on entities. Search Scan Data: action_product_categories: add_alert_comment: false @@ -2691,6 +2825,11 @@ Search Scan Data: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action searches scan data repositories using SPQL queries. This aligns with + the 'Search Events' category, which involves returning historical logs or telemetry + data matching specific search parameters. It does not match enrichment, ticket + management, or containment categories. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -2706,55 +2845,50 @@ Search Scan Data: update_identity: false update_ticket: false ai_description: >- - Searches Silent Push scan data repositories using SPQL (Silent Push Query Language) - queries. This action allows analysts to perform complex searches across raw scan - data to identify infrastructure patterns, historical changes, or specific attributes - associated with malicious activity. The action returns raw scan data records based - on the provided query and filtering parameters. + Searches Silent Push scan data repositories using SPQL queries. This action retrieves + raw scan data based on a provided query string and optional filtering parameters. - ### Parameters Description + ### Flow Description + 1. **Configuration Extraction**: The action retrieves the Silent Push server URL + and API key from the integration configuration. - | Parameter | Type | Mandatory | Description | + 2. **Parameter Extraction**: It extracts the SPQL query, fields, limit, skip, + and metadata settings from the action parameters. - | :--- | :--- | :--- | :--- | + 3. **Data Retrieval**: It calls the Silent Push API to perform a search on scan + data repositories using the provided query and filters. - | Query | string | True | The SPQL query string used to search the scan data (e.g., - 'tld=cool'). | + 4. **Result Processing**: The action processes the API response. If scan data + is found, it logs the records and completes the action. If no data is found or + an error occurs, it logs the failure and terminates. - | Fields | string | False | A comma-separated list of specific fields to return - in the response. | - | sort | string | False | Criteria used to sort the results. | + ### Parameters Description - | Skip | string | False | The number of records to skip in the response (useful - for pagination). | + | Parameter | Type | Mandatory | Description | - | Limit | string | False | The maximum number of results to return. | + | :--- | :--- | :--- | :--- | - | With Metadata | boolean | False | Whether to include metadata in the response. - Defaults to true. | + | Query | string | Yes | The SPQL query string used to search the scan data. | + | Fields | string | No | Specific fields to return in the response. | - ### Flow Description + | sort | string | No | Sorting criteria for the returned results. | + | Skip | string | No | The number of records to skip in the response. | - 1. **Configuration Extraction:** Retrieves the Silent Push Server URL and API - Key from the integration settings. + | Limit | string | No | The maximum number of results to return. | - 2. **Parameter Parsing:** Extracts the SPQL query and optional filtering parameters - (Fields, Limit, Skip, Sort, Metadata) from the action input. + | With Metadata | boolean | No | Whether to include metadata in the response. + Defaults to true. | - 3. **API Interaction:** Initializes the Silent Push Manager and executes a POST - request to the `explore/scandata/search/raw` endpoint. - 4. **Data Processing:** Parses the JSON response to extract the `scandata_raw` - records. + ### Additional Notes - 5. **Result Handling:** If records are found, it returns them as a JSON result - and completes the action. If no records are found or an error occurs, the action - is marked as failed. + This action does not perform any operations on entities, despite iterating over + them for logging purposes. It is strictly a search and retrieval action. capabilities: can_create_case_comments: false can_create_insight: false @@ -2765,8 +2899,17 @@ Search Scan Data: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the Silent Push API to search for scan + data. It retrieves data (fetches_data=true) but does not modify any external + systems (can_mutate_external_data=false) or internal SecOps data (can_mutate_internal_data=false). + It does not update entities, create insights, or modify alert data. categories: enrichment: false + reasoning: >- + While the action fetches data, it is not an enrichment action because it does + not gather context about specific entities or alerts. It is a general search + operation against an external repository. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -2782,6 +2925,10 @@ Search Scan Data: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` only to print their identifiers + for logging purposes. It does not use these entities to filter the search or + perform any logic, therefore it does not run on entities. search domains: action_product_categories: add_alert_comment: false @@ -2797,6 +2944,11 @@ search domains: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action searches for domains based on criteria and returns a list of records. + This aligns with the 'Search Events' category, which involves returning historical + logs or telemetry data matching specific search parameters. It does not enrich + a specific IOC, update alerts, or perform containment. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -2812,30 +2964,15 @@ search domains: update_identity: false update_ticket: false ai_description: >- - Searches for domains within the Silent Push platform using a variety of optional - filters such as domain names, regex patterns, name servers, and ASN details. This - action is primarily used for threat hunting and gathering a list of domains that - match specific infrastructure or registration characteristics. It retrieves a - list of records containing domain metadata from the Silent Push 'explore' API. - - - ### Flow Description: - - 1. **Parameter Extraction:** Retrieves the Silent Push server URL, API key, and - all search filters provided by the user (e.g., Domain, Regex, ASN, Registrar). - - 2. **Manager Initialization:** Initializes the `SilentPushManager` to handle API - communication using the provided credentials. - - 3. **API Request:** Sends a GET request to the `explore/domain/search` endpoint - with the specified query parameters and filters. + ### General Description - 4. **Result Processing:** Parses the JSON response to extract domain records. - If records are found, they are returned as a JSON result; otherwise, a 'no domains - found' message is generated. + The `search_domains` action allows analysts to query the Silent Push platform + for domains based on a wide range of filtering criteria. This action is useful + for threat hunting and intelligence gathering, enabling users to identify domains + associated with specific infrastructure, registrars, or risk profiles. - ### Parameters Description: + ### Parameters Description | Parameter | Type | Mandatory | Description | @@ -2844,8 +2981,7 @@ search domains: | Domain | string | No | Name or wildcard pattern of domain names to search for. | - | Domain Regex | string | No | A valid RE2 regex pattern to match domains. Overrides - the 'Domain' argument. | + | Domain Regex | string | No | A valid RE2 regex pattern to match domains. | | Name Server | string | No | Name server name or wildcard pattern of the name server used by domains. | @@ -2865,27 +3001,41 @@ search domains: | | Certificate Issuer | string | No | Filter domains that had SSL certificates - issued by the specified certificate issuer. Wildcards supported. | + issued by the specified certificate issuer. | | Whois Date After | string | No | Filter domains with a WHOIS creation date after this date (YYYY-MM-DD). | - | Skip | string | No | Number of results to skip in the search query for pagination. - | + | Skip | string | No | Number of results to skip in the search query. | + + | Limit | string | No | Number of results to return. | + + | Start Date | string | No | Start date for domain search (YYYY-MM-DD). | + + | End Date | string | No | End date for domain search (YYYY-MM-DD). | + + | Risk Score Min | string | No | Minimum risk score filter. | + + | Risk Score Max | string | No | Maximum risk score filter. | - | Limit | string | No | Number of results to return. Defaults to the SilentPush - API's behavior. | + ### Flow Description + + 1. **Configuration Extraction**: The action retrieves the Silent Push server URL + and API key from the integration configuration. - ### Additional Notes: + 2. **Parameter Extraction**: It extracts all provided search filters from the + action parameters. + + 3. **Initialization**: The `SilentPushManager` is initialized with the retrieved + credentials. - - The action logic also supports 'Start Date', 'End Date', and 'Risk Score' range - parameters if they are passed through the integration, though they may not be - visible in all UI configurations. + 4. **Execution**: The action calls the `search_domains` method of the manager, + passing all filters to the Silent Push API. - - This action does not automatically update entities or create insights in the - SecOps case; it returns the raw search results for use in subsequent playbook - steps. + 5. **Result Processing**: The action processes the API response. If records are + found, they are returned in the output message; otherwise, a 'No domains found' + message is returned. capabilities: can_create_case_comments: false can_create_insight: false @@ -2896,8 +3046,17 @@ search domains: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Silent Push API to search for domains + based on provided parameters. It does not modify any external systems, nor does + it update internal SOAR entities or case data. It is a read-only search operation. categories: enrichment: false + reasoning: >- + The action is a search/query tool that retrieves data from an external API. + It does not meet the criteria for an Enrichment Action because it does not operate + on specific entities to enrich them; rather, it performs a broad search based + on user-provided parameters. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -2913,3 +3072,7 @@ search domains: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` only to print their identifiers + to the logs. It does not use these entities to filter the search or perform + any logic on them. Therefore, it does not run on entities. diff --git a/content/response_integrations/third_party/partner/silentpush/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/silentpush/resources/ai/integration_ai_description.yaml index 2e831240c..c1551fbb3 100644 --- a/content/response_integrations/third_party/partner/silentpush/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/partner/silentpush/resources/ai/integration_ai_description.yaml @@ -7,6 +7,16 @@ product_categories: iam_and_identity_management: false itsm: false network_security: false + reasoning: >- + The Silent Push integration is a threat intelligence platform that provides proactive + threat detection and enrichment capabilities. Its primary functions include retrieving + reputation data, DNS records, ASN information, and infrastructure tags for indicators + such as IPs, domains, and ASNs. These capabilities directly align with the 'Threat + Intelligence' category, as the integration is used to enrich indicators and provide + context for security investigations. It does not perform SIEM log analysis, EDR + host-level actions, network security blocking at the gateway, or other operational + tasks like ITSM ticketing or IAM management. Therefore, it is classified solely + under Threat Intelligence. siem: false threat_intelligence: true vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/silverfort/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/silverfort/resources/ai/actions_ai_description.yaml index dac323302..c988d0218 100644 --- a/content/response_integrations/third_party/partner/silverfort/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/silverfort/resources/ai/actions_ai_description.yaml @@ -13,6 +13,10 @@ Change Policy State: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action modifies the state of an authentication policy in Silverfort. None + of the provided categories (e.g., Update Identity, Update Alert, Contain Host) + specifically cover 'Update Policy'. Therefore, all flags are set to false. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -30,10 +34,10 @@ Change Policy State: ai_description: >- ### General Description - Enables or disables an authentication policy in Silverfort. This action provides - a quick way to toggle a policy's active state without modifying its underlying - configuration, allowing for rapid response to security requirements or maintenance - needs. + This action enables or disables an authentication policy within the Silverfort + platform. It allows analysts to quickly toggle a policy's active state without + modifying its underlying configuration, facilitating rapid response to security + events or policy adjustments. ### Parameters Description @@ -45,30 +49,23 @@ Change Policy State: | Policy ID | string | Yes | The unique identifier of the policy to enable or disable. | - | Enable Policy | boolean | Yes | Set to `true` to enable the policy, or `false` - to disable it. | - - - ### Additional Notes - - This action requires the 'Policies App User ID' and 'Policies App User Secret' - to be configured in the Silverfort integration settings to authenticate with the - Policies API. + | Enable Policy | boolean | Yes | Set to true to enable the policy, or false to + disable it. | ### Flow Description - 1. **Parameter Extraction**: The action retrieves the `Policy ID` and the desired - `Enable Policy` state from the input parameters. + 1. The action extracts the `Policy ID` and `Enable Policy` parameters from the + action configuration. - 2. **Client Initialization**: It initializes the Silverfort Policy API client - using the integration's authentication credentials. + 2. It initializes the Silverfort Policy API client using the provided integration + credentials. - 3. **API Interaction**: The action sends a POST request to the Silverfort `/v1/public/changePolicyState` - endpoint with the specified policy ID and state. + 3. It sends a POST request to the Silverfort API endpoint `/v1/public/changePolicyState` + with the specified `policy_id` and `state`. - 4. **Result Reporting**: The action returns a success message and provides the - updated policy state in the JSON results. + 4. Upon a successful API response, it returns a success message indicating the + policy has been enabled or disabled. capabilities: can_create_case_comments: false can_create_insight: false @@ -77,12 +74,19 @@ Change Policy State: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the 'enabled' status of a specific authentication policy within the + Changes the active state (enabled/disabled) of an authentication policy in the Silverfort platform. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the Silverfort API to change the state + of a policy. It does not fetch data, nor does it modify internal SOAR data or + entities. categories: enrichment: false + reasoning: >- + The action performs a state change on an external system (Silverfort) and does + not fetch data for enrichment. Therefore, it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -98,6 +102,9 @@ Change Policy State: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with SOAR entities. It operates based on parameters + provided in the action configuration. Get Entity Risk: action_product_categories: add_alert_comment: false @@ -113,6 +120,11 @@ Get Entity Risk: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves risk scores, severity, and risk factors for a user or resource. + This matches the 'Enrich Asset' category, which involves returning contextual + metadata for a user or resource. It does not match 'Enrich IOC' as it targets + users/resources rather than indicators of compromise. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -130,51 +142,42 @@ Get Entity Risk: ai_description: >- ### General Description - Retrieves risk information for a specific user or resource from Silverfort. This - action fetches the current risk score, severity level, and specific risk factors - associated with the entity to provide security context for investigations. It - is a read-only action that does not modify the state of the entity in Silverfort. + This action retrieves risk information for a user or resource from Silverfort. + It fetches the current risk score, severity, and risk factors associated with + the specified entity, providing valuable context for security investigations. - ### Parameters Description - + ### Parameters - | Parameter | Description | Type | Mandatory | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | User Principal Name | The user principal name (e.g., user@domain.com) of the - user to check. | String | No | + | User Principal Name | string | No | The user principal name (e.g., user@domain.com). + Either this or 'Resource Name' must be provided. | - | Resource Name | The name of the resource (for non-user entities) to check. | - String | No | + | Resource Name | string | No | The resource name for non-user entities. Either + this or 'User Principal Name' must be provided. | ### Additional Notes - Either the **User Principal Name** or the **Resource Name** must be provided for - the action to run successfully. If both are missing, the action will raise a validation - error. + Either 'User Principal Name' or 'Resource Name' must be configured for the action + to run successfully. If both are missing, the action will fail. ### Flow Description 1. **Parameter Extraction**: The action extracts the 'User Principal Name' and - 'Resource Name' from the input parameters. + 'Resource Name' from the action configuration. - 2. **Validation**: It verifies that at least one of the identifier parameters - is populated. + 2. **Validation**: It validates that at least one of the parameters is provided. - 3. **API Client Initialization**: It initializes the Silverfort Risk API client - using the integration's authentication credentials (API Root and External API - Key). + 3. **API Interaction**: It initializes the Silverfort Risk API client and performs + a GET request to retrieve the risk data for the specified entity. - 4. **Data Retrieval**: The action performs a GET request to the Silverfort Risk - API to fetch risk details for the specified entity. - - 5. **Result Processing**: The retrieved risk data (score, severity, factors, and - last update time) is processed and returned as a JSON result for use in subsequent - playbook steps. + 4. **Result Processing**: The retrieved risk information is set as the JSON result + for the action. capabilities: can_create_case_comments: false can_create_insight: false @@ -185,8 +188,17 @@ Get Entity Risk: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the Silverfort API to retrieve risk information + for a user or resource. It does not perform any write operations on external + systems, nor does it modify any internal SOAR data (such as updating entities + or creating insights). categories: enrichment: true + reasoning: >- + The action fetches contextual risk data for entities (users/resources) without + modifying any external or internal systems. This fits the definition of an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -202,6 +214,9 @@ Get Entity Risk: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over the `target_entities` list. It accepts parameters + directly from the action configuration to identify the user or resource. Get Policy: action_product_categories: add_alert_comment: false @@ -217,6 +232,10 @@ Get Policy: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves policy configuration from Silverfort. It does not match + any of the specific categories like enrichment, containment, or ticket management. + It is a read-only information retrieval action. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -234,12 +253,10 @@ Get Policy: ai_description: >- ### General Description - The **Get Policy** action retrieves detailed configuration information for a specific - authentication policy from Silverfort using its unique Policy ID. This action - is essential for security analysts to understand the logic, scope, and enforcement - settings of a policy, including the users, groups, source devices, and destination - resources it affects, as well as the specific security actions (e.g., MFA, Block, - Allow) it triggers. + Retrieves detailed configuration information for a specific authentication policy + from Silverfort using its unique Policy ID. This action allows analysts to inspect + policy settings, including users, groups, sources, destinations, and action settings, + directly from the Silverfort platform. ### Parameters Description @@ -248,33 +265,22 @@ Get Policy: | :--- | :--- | :--- | :--- | - | Policy ID | String | Yes | The unique identifier of the Silverfort policy to - be retrieved. | + | Policy ID | string | Yes | The unique identifier of the policy to retrieve. + | ### Flow Description - 1. **Parameter Extraction:** The action extracts the `Policy ID` from the input - parameters. - - 2. **Authentication:** The action initializes a connection to the Silverfort Policies - API using the configured credentials and generates a JWT token for secure communication. - - 3. **API Request:** It sends a GET request to the Silverfort `/v2/public/policies/{policy_id}` - endpoint to fetch the policy's full configuration. - - 4. **Data Processing:** The retrieved policy data is parsed and converted into - a structured JSON format. - - 5. **Output Generation:** The action populates the JSON results with the policy - details and provides a success message indicating the policy name and ID. + 1. The action extracts the `Policy ID` parameter provided by the user. + 2. It initializes the Silverfort Policy API client using the configured integration + credentials. - ### Additional Notes - - - This action does not modify any data within Silverfort; it is a read-only operation. + 3. It performs a GET request to the Silverfort API endpoint (`/v2/public/policies/{policy_id}`) + to fetch the policy details. - - If the provided Policy ID does not exist, the action will return an error message. + 4. The retrieved policy configuration is returned as a JSON result, and a success + message is generated. capabilities: can_create_case_comments: false can_create_insight: false @@ -285,8 +291,16 @@ Get Policy: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve policy details from the Silverfort + API. It does not modify any external systems or internal SOAR data (entities, + insights, etc.). categories: enrichment: false + reasoning: >- + The action retrieves policy configuration data. It does not enrich entities + or alerts, nor does it modify any state. Therefore, it is not an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -302,6 +316,9 @@ Get Policy: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on entities. It takes a `Policy ID` as a direct + input parameter to fetch policy configuration. Get Service Account: action_product_categories: add_alert_comment: false @@ -317,6 +334,10 @@ Get Service Account: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves detailed attributes for a service account, which is a resource. + This matches the 'Enrich Asset' category. It does not perform any mutations + or alert updates. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -332,25 +353,38 @@ Get Service Account: update_identity: false update_ticket: false ai_description: >- - ### General Description\nRetrieves detailed information for a specific Silverfort - service account using its unique identifier (GUID). This action fetches comprehensive - metadata including risk scores, predictability metrics, protection status, and - authentication behavior, enabling analysts to perform deep-dive investigations - into service account activities.\n\n### Parameters Description\n| Parameter | - Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n| **Service Account - GUID** | String | Yes | The unique identifier (GUID) of the service account in - Silverfort to be retrieved. |\n\n### Additional Notes\n- This action does not - automatically iterate over entities; it requires a specific GUID provided as a - parameter.\n- The returned data includes attributes such as `upn`, `dn`, `risk`, - `predictability`, and flags for `highly_privileged` or `suspected_brute_force` - behavior.\n\n### Flow Description\n1. **Parameter Extraction**: The action extracts - the mandatory `Service Account GUID` from the input parameters.\n2. **Client Initialization**: - It initializes the Silverfort Service Account API client using the configured - integration credentials.\n3. **Data Retrieval**: The action sends a GET request - to the Silverfort API endpoint `/v1/public/serviceAccounts/{guid}`.\n4. **Result - Processing**: Upon a successful response, the service account data is parsed into - a structured JSON result, and a success message is generated containing the account's - display name and GUID. + Retrieves detailed information about a specific service account from Silverfort + by its GUID. The action extracts the GUID from the input parameters, queries the + Silverfort API, and returns the account's attributes, including risk, predictability, + and protection status. + + + ### Flow Description + + 1. The action extracts the `Service Account GUID` parameter provided by the user. + + 2. It initializes the `ServiceAccountApiClient` to communicate with the Silverfort + API. + + 3. It performs a GET request to the Silverfort API using the provided GUID to + retrieve the service account details. + + 4. The retrieved service account data is returned as a JSON result. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Service Account GUID | string | Yes | The unique identifier of the service account + to retrieve. | + + + ### Additional Notes + + There are no additional notes for this action. capabilities: can_create_case_comments: false can_create_insight: false @@ -361,8 +395,16 @@ Get Service Account: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to retrieve service account details from the + Silverfort API. It does not mutate any external or internal data, nor does it + update entities or create insights. categories: enrichment: false + reasoning: >- + The action fetches data from an external system but does not operate on or update + any SOAR entities or alerts. Therefore, it does not meet the criteria for an + Enrichment Action, which requires gathering context about alerts or entities. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -378,6 +420,10 @@ Get Service Account: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code does not iterate over `siemplify.target_entities` or use entity-specific + identifiers from the SOAR entity model. It retrieves a service account GUID + via a parameter, so it does not run on entities. List Policies: action_product_categories: add_alert_comment: false @@ -393,6 +439,9 @@ List Policies: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action lists policies from Silverfort. It does not match any of the defined + product categories. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -408,25 +457,35 @@ List Policies: update_identity: false update_ticket: false ai_description: >- - ### General Description Lists all authentication policies from Silverfort. This - action allows users to retrieve a comprehensive list of configured policies, including - their status, authentication types, and scope. It supports optional field filtering - to limit the returned data to specific attributes of interest. ### Parameters - Description | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- - | :--- | | Fields | String | No | A comma-separated list of fields to include - in the response. Available fields include: enabled, policyName, authType, protocols, - policyType, allUsersAndGroups, usersAndGroups, allDevices, sources, allDestinations, - destinations, action, MFAPrompt, all, bridgeType. If left empty, all available - fields are returned. | ### Additional Notes - If invalid fields are provided in - the Fields parameter, they will be ignored, and a warning will be logged. - This - action does not operate on specific entities and returns global policy information. - ### Flow Description 1. Extract Parameters: The action retrieves the Fields parameter - from the input. 2. Field Parsing: If fields are specified, the string is split - into a list and validated against the supported Silverfort policy fields. 3. API - Request: The action calls the Silverfort Policies API (/v2/public/policies/index) - using a POST request containing the requested fields. 4. Result Processing: The - retrieved policy list is converted to JSON format and stored in the action's results. - 5. Output: A success message is generated indicating the number of policies retrieved. + Lists all authentication policies from Silverfort with optional field filtering. + This action retrieves a list of policies and their configurations from the Silverfort + API. + + + ### Flow + + 1. Extract the optional 'Fields' parameter from the action configuration. + + 2. Validate the provided fields against the allowed list of policy fields. + + 3. Call the Silverfort API to retrieve the list of policies. + + 4. Return the retrieved policies as a JSON result. + + + ### Parameters + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | Fields | string | No | Comma-separated list of fields to include in the response. + If not specified, all fields are returned. | + + + ### Additional Notes + + - The action does not require any entities to run. capabilities: can_create_case_comments: false can_create_insight: false @@ -437,8 +496,14 @@ List Policies: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action fetches a list of policies from the Silverfort API. It does not mutate + any external or internal data, nor does it update entities or create insights. categories: enrichment: false + reasoning: >- + The action fetches data but does not enrich alerts or entities, so it is not + an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -454,6 +519,8 @@ List Policies: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on any entities. List Service Accounts: action_product_categories: add_alert_comment: false @@ -465,14 +532,19 @@ List Service Accounts: disable_identity: false download_file: false enable_identity: false - enrich_asset: false + enrich_asset: true enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves a list of service accounts and their attributes from Silverfort. + This provides contextual metadata about these resources, which aligns with the + 'Enrich Asset' category. It does not perform any mutations or specific alert + updates. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false - search_asset: true + search_asset: false search_email: false search_events: false send_email: false @@ -484,62 +556,48 @@ List Service Accounts: update_identity: false update_ticket: false ai_description: >- - ### General Description - - Lists service accounts from Silverfort with support for pagination and specific - field selection. This action allows analysts to retrieve a comprehensive list - of service accounts and their associated metadata, such as risk scores, protection - status, and authentication patterns, which is essential for identity-based auditing - and threat hunting. + Lists service accounts from the Silverfort system with optional pagination and + field filtering. This action retrieves a list of service accounts and their associated + attributes, such as GUID, display name, risk level, and ownership information. - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | + ### Flow Description - | Page Size | String | No | The number of results to retrieve per page (range: - 1-100). Defaults to "50". | + 1. **Parameter Extraction**: The action extracts the `Page Size`, `Page Number`, + and `Fields` parameters from the configuration. - | Page Number | String | No | The specific page number to retrieve. Defaults to - "1". | + 2. **Field Validation**: If specific fields are requested, the action validates + them against a predefined list of valid service account fields. Invalid fields + are ignored, and a warning is logged. - | Fields | String | No | A comma-separated list of specific attributes to include - in the response (e.g., `guid, risk, upn`). If left empty, all available fields - are returned. | + 3. **API Interaction**: The action initializes the `ServiceAccountApiClient` and + makes a POST request to the Silverfort `/v1/public/serviceAccounts/index` endpoint + to retrieve the service accounts. + 4. **Result Processing**: The retrieved service account data is parsed and returned + as a JSON result, and an output message is generated indicating the number of + accounts retrieved. - ### Additional Notes - - Supported fields for the `Fields` parameter include: `guid`, `display_name`, - `sources_count`, `destinations_count`, `number_of_authentications`, `risk`, `predictability`, - `protected`, `upn`, `dn`, `spn`, `comment`, `owner`, `type`, `domain`, `category`, - `creation_date`, `highly_privileged`, `interactive_login`, `broadly_used`, `suspected_brute_force`, - and `repetitive_behavior`. + ### Parameters Description - - If invalid fields are provided in the `Fields` parameter, the action will log - a warning and ignore the invalid entries while processing the valid ones. + | Parameter | Type | Mandatory | Description | + | :--- | :--- | :--- | :--- | - ### Flow Description + | Page Size | string | No | Number of results per page (1-100). Defaults to 50. + | - 1. **Parameter Extraction:** The action extracts the `Page Size`, `Page Number`, - and `Fields` parameters from the input configuration. + | Page Number | string | No | Page number to retrieve. Defaults to 1. | - 2. **Field Validation:** If the `Fields` parameter is provided, the action splits - the string and validates each field against the supported Silverfort service account - attribute list. + | Fields | string | No | Comma-separated list of fields to include in the response. + If not specified, all fields are returned. | - 3. **API Interaction:** The action authenticates with the Silverfort Service Accounts - API and sends a POST request to the `/serviceAccounts/index` endpoint with the - specified pagination and field filters. - 4. **Data Processing:** The action receives the list of service accounts and converts - the results into a structured JSON format. + ### Additional Notes - 5. **Output Generation:** The action provides a success message indicating the - number of accounts retrieved and populates the JSON results for use in playbooks. + This action is a read-only operation that fetches data from the Silverfort API. + It does not modify any external system state or internal SOAR case data. capabilities: can_create_case_comments: false can_create_insight: false @@ -550,8 +608,19 @@ List Service Accounts: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the Silverfort API to list service accounts. + It fetches data (fetches_data=true) but does not modify any external system + state (can_mutate_external_data=false). It does not update entities, create + insights, or modify case data (all other flags=false). categories: enrichment: false + reasoning: >- + The action retrieves a list of service accounts from an external system. While + it fetches data, it does not perform enrichment on specific entities (it lists + all accounts), and it does not meet the criteria for an Enrichment Action as + defined (it does not operate on target entities). Therefore, it is not classified + as an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -567,6 +636,9 @@ List Service Accounts: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `target_entities` or use entity-specific identifiers. + It is a standalone action that lists service accounts from the Silverfort system. Ping: action_product_categories: add_alert_comment: false @@ -582,6 +654,9 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test (Ping) and does not perform any of the defined + product category operations like enrichment, ticketing, or containment. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -597,45 +672,40 @@ Ping: update_identity: false update_ticket: false ai_description: >- - ### General Description + Tests connectivity to the Silverfort API. This action validates the configuration + of the External API Key and tests connectivity for each configured API (Risk, + Service Accounts, Policies) by attempting to connect to their respective endpoints. + It returns a success or failure message based on the connectivity results. - Tests connectivity to the Silverfort API. This action validates the 'External - API Key' and verifies connectivity for each configured API module (Risk, Service - Accounts, and Policies) using their respective App User IDs and Secrets provided - in the integration configuration. + ### Parameters - ### Parameters Description + | Parameter | Type | Mandatory | Description | - There are no action-specific parameters for this action. It relies entirely on - the integration's global configuration settings (API Root, External API Key, and - module-specific credentials). + | :--- | :--- | :--- | :--- | + | is_success | boolean | No | The script result name indicating if the ping was + successful. | - ### Additional Notes - - The action requires at least one set of API credentials (Risk, Service Accounts, - or Policies) to be configured in the integration settings to run. + ### Flow Description - - It performs lightweight requests (e.g., listing rules or checking a test entity) - to verify that authentication tokens can be generated and accepted by the Silverfort - endpoints. + 1. The action retrieves the integration parameters (API Root, API Key, and credentials + for Risk, Service Accounts, and Policies). + 2. It identifies which API types have credentials configured. - ### Flow Description + 3. For each configured API type, it initializes the corresponding client and calls + the `test_connectivity` method. - 1. **Configuration Retrieval**: The action fetches the integration parameters, - including the API Root and all provided credentials. + 4. It collects the results (success or failure) for each API. - 2. **API Identification**: It determines which Silverfort API modules (Risk, Service - Accounts, Policies) have credentials configured. + 5. If no APIs are configured, it raises an error. - 3. **Connectivity Testing**: For each identified module, it initializes a specific - client and executes a `test_connectivity` method which performs a low-impact API - call. + 6. If all connectivity tests fail, it raises an error. - 4. **Result Aggregation**: It collects the status of each test and returns a summary - message indicating which APIs connected successfully and which failed. + 7. If some or all tests succeed, it updates the output message with the status + of each API and completes. capabilities: can_create_case_comments: false can_create_insight: false @@ -644,10 +714,17 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity test (Ping) against the Silverfort API endpoints. + It does not fetch contextual data about alerts or entities, nor does it mutate + any external or internal data. It is a diagnostic action. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action, which is explicitly excluded from being an enrichment + action per the instructions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -663,6 +740,8 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not process any entities; it is a global connectivity test. Update Entity Risk: action_product_categories: add_alert_comment: false @@ -678,6 +757,9 @@ Update Entity Risk: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action updates the risk level of a user in Silverfort. This modifies account + metadata, which aligns with the 'Update Identity' category. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -695,12 +777,10 @@ Update Entity Risk: ai_description: >- ### General Description - Updates the risk information for a specific user identity within the Silverfort - platform. This action allows security analysts to manually adjust or programmatically - set risk levels (e.g., activity risk, malware risk) for a user based on external - intelligence or observed behavior. By updating the risk score and providing a - duration for its validity, analysts can influence Silverfort's authentication - policies and adaptive response logic. + This action updates the risk information for a specific user within the Silverfort + platform. By providing a user principal name and specifying the risk type, severity, + and duration, analysts can proactively adjust the risk profile of an identity + in Silverfort based on external threat intelligence or security events. ### Parameters Description @@ -709,46 +789,38 @@ Update Entity Risk: | :--- | :--- | :--- | :--- | - | User Principal Name | string | Yes | The unique identifier (UPN) of the user - to update (e.g., user@domain.com). | + | User Principal Name | string | Yes | The user principal name (e.g., user@domain.com) + to update risk for. | - | Risk Type | ddl | Yes | The specific category of risk to update. Options include: - `activity_risk`, `malware_risk`, `data_breach_risk`, or `custom_risk`. | + | Risk Type | ddl | Yes | The type of risk to update (activity_risk, malware_risk, + data_breach_risk, custom_risk). | - | Severity | ddl | Yes | The severity level assigned to the risk. Options include: - `low`, `medium`, `high`, or `critical`. | - - | Valid For Hours | string | Yes | A positive integer representing how long (in - hours) this risk indicator should remain active before expiring. | - - | Description | string | Yes | A text description providing context or justification - for the risk update. | + | Severity | ddl | Yes | The severity level of the risk (low, medium, high, critical). + | + | Valid For Hours | string | Yes | How long (in hours) the risk indicator should + be valid. | - ### Additional Notes - - This action performs a state change in the Silverfort console. It requires the - 'Risk API' credentials (App User ID and Secret) to be configured in the integration - settings. The action validates that 'Valid For Hours' is a positive integer and - that the provided Risk Type and Severity match Silverfort's supported values. + | Description | string | Yes | Description of the risk indicator. | ### Flow Description - 1. **Parameter Extraction:** The action retrieves the User Principal Name, Risk - Type, Severity, Duration, and Description from the input parameters. + 1. **Extraction**: The action extracts the provided parameters (User Principal + Name, Risk Type, Severity, Valid For Hours, Description) from the SOAR action + configuration. - 2. **Validation:** It verifies that the Risk Type and Severity are valid according - to predefined enums and ensures the duration is a positive integer. + 2. **Validation**: The action validates that the Risk Type and Severity are within + the allowed values and that the 'Valid For Hours' is a positive integer. - 3. **API Client Initialization:** It initializes the Silverfort Risk API client - using the configured credentials and JWT authentication. + 3. **API Interaction**: The action initializes the Silverfort Risk API client + and constructs a `RiskUpdate` object. - 4. **Request Execution:** It constructs a `RiskUpdate` object and sends a POST - request to the `/v1/public/updateEntityRisk` endpoint. + 4. **Execution**: The action performs a POST request to the Silverfort API (`/v1/public/updateEntityRisk`) + to apply the risk update for the specified user. - 5. **Result Processing:** Upon success, it returns a JSON object containing the - updated risk details and confirms the update in the output message. + 5. **Completion**: The action returns a success message indicating the risk update + was applied. capabilities: can_create_case_comments: false can_create_insight: false @@ -757,12 +829,18 @@ Update Entity Risk: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the risk level, severity, and description for a user identity in the - Silverfort platform via a POST request to the Risk API. + Updates the risk level for a user entity in the Silverfort platform. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the Silverfort API to update the risk + level of a user. It does not fetch data or modify internal SOAR data (entities, + insights, or comments). categories: enrichment: false + reasoning: >- + The action is a mutation action (updates external risk data) and does not fetch + data, so it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -778,6 +856,10 @@ Update Entity Risk: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action uses a string parameter 'User Principal Name' provided by the user + input, not the `siemplify.target_entities` list. Therefore, it does not run + on entities. Update Policy: action_product_categories: add_alert_comment: false @@ -793,6 +875,10 @@ Update Policy: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action updates an authentication policy in Silverfort. It does not match + any of the provided categories (e.g., Enrich IOC, Update Alert, Update Ticket, + etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -805,76 +891,64 @@ Update Policy: uncontain_host: false update_alert: false update_email: false - update_identity: true + update_identity: false update_ticket: false ai_description: >- ### General Description - Updates an authentication policy in Silverfort. This action allows for modifying - the policy's enabled state and managing the lists of users, groups, sources, and - destinations associated with the policy. It is primarily used to dynamically adjust - security controls based on incident response needs, such as enabling a policy - or adding specific users to a restricted group. + Updates an authentication policy in Silverfort. This action allows administrators + to modify the enabled state of a policy and dynamically update the lists of users, + groups, sources, and destinations associated with that policy. - ### Parameters Description - - | Parameter | Description | Type | Mandatory | + ### Flow Description - | :--- | :--- | :--- | :--- | + 1. **Parameter Extraction**: The action extracts the `Policy ID` (mandatory) and + optional parameters such as `Enabled` state, and JSON-formatted strings for adding/removing + users, groups, sources, and destinations. - | Policy ID | The unique identifier of the policy to update. | string | Yes | + 2. **Parsing**: The action parses the provided JSON strings into structured objects + (identifiers and destinations) required by the Silverfort API. - | Enabled | Determines whether the policy should be enabled (true) or disabled - (false). | boolean | No | + 3. **API Interaction**: The action initializes the Silverfort Policy API client + and sends a PATCH request to update the specified policy with the provided changes. - | Add Users and Groups | JSON array of users/groups to add to the policy. Format: - `[{"identifierType": "upn", "identifier": "user@domain.com", "displayName": "User - Name", "domain": "domain.com"}]` | string | No | + 4. **Result**: The action returns a success message indicating the policy has + been updated. - | Remove Users and Groups | JSON array of users/groups to remove from the policy. - Format: `[{"identifierType": "upn", "identifier": "user@domain.com", "displayName": - "User Name", "domain": "domain.com"}]` | string | No | - | Add Sources | JSON array of sources to add to the policy. Format: `[{"identifierType": - "ip", "identifier": "10.0.0.1", "displayName": "Server"}]` | string | No | + ### Parameters Description - | Remove Sources | JSON array of sources to remove from the policy. Format: `[{"identifierType": - "ip", "identifier": "10.0.0.1", "displayName": "Server"}]` | string | No | + | Parameter | Type | Mandatory | Description | - | Add Destinations | JSON array of destinations to add to the policy. Format: - `[{"identifierType": "hostname", "identifier": "server.domain.com", "displayName": - "Server", "domain": "domain.com", "services": ["rdp"]}]` | string | No | + | :--- | :--- | :--- | :--- | - | Remove Destinations | JSON array of destinations to remove from the policy. - Format: `[{"identifierType": "hostname", "identifier": "server.domain.com", "displayName": - "Server", "domain": "domain.com", "services": ["rdp"]}]` | string | No | + | Policy ID | string | Yes | The unique identifier of the policy to update. | + | Enabled | boolean | No | Enable or disable the policy. | - ### Additional Notes + | Add Users and Groups | string | No | JSON array of users/groups to add to the + policy. | - - The action expects JSON-formatted strings for the 'Add/Remove' parameters. If - the JSON is malformed, the action will fail with a validation error. + | Remove Users and Groups | string | No | JSON array of users/groups to remove + from the policy. | - - At least one update parameter (Enabled, Add/Remove lists) should be provided - alongside the Policy ID for the action to have an effect. + | Add Sources | string | No | JSON array of sources to add to the policy. | + | Remove Sources | string | No | JSON array of sources to remove from the policy. + | - ### Flow Description + | Add Destinations | string | No | JSON array of destinations to add to the policy. + | - 1. **Parameter Extraction**: The action retrieves the Policy ID and all optional - update parameters from the input. + | Remove Destinations | string | No | JSON array of destinations to remove from + the policy. | - 2. **JSON Parsing**: It parses the JSON strings for users, groups, sources, and - destinations into internal data models. - 3. **API Interaction**: It initializes the Silverfort Policy API client and sends - a PATCH request to the `/v2/public/policies/{policy_id}` endpoint with the specified - changes. + ### Additional Notes - 4. **Result Processing**: Upon a successful API response, it constructs a JSON - result indicating the policy was updated and returns a success message to the - SOAR. + This action performs a direct mutation on the Silverfort platform. Ensure the + `Policy ID` is correct before execution. capabilities: can_create_case_comments: false can_create_insight: false @@ -883,13 +957,19 @@ Update Policy: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Modifies the configuration of an authentication policy in Silverfort, including - its enabled state and the associated users, groups, sources, and destinations - via a PATCH request. + Updates an authentication policy in Silverfort by modifying its enabled state + and updating the lists of users, groups, sources, and destinations. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a PATCH request to the Silverfort API to update an existing + policy. It does not fetch data for enrichment, nor does it modify any internal + SOAR case data or entities. categories: enrichment: false + reasoning: >- + The action is a configuration update (mutation) and does not fetch data for + enrichment purposes. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -905,6 +985,9 @@ Update Policy: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action operates on a specific Policy ID provided as a parameter and does + not iterate over or process SOAR entities. Update SA Policy: action_product_categories: add_alert_comment: false @@ -920,6 +1003,10 @@ Update SA Policy: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action updates the policy configuration for a service account in Silverfort. + This aligns with the 'Update Identity' category, as it modifies account protection + settings. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -937,10 +1024,10 @@ Update SA Policy: ai_description: >- ### General Description - Updates the protection policy for a specific service account in Silverfort. This - action allows security teams to programmatically adjust the security posture of - service accounts by enabling or disabling policies, toggling blocking mode, configuring - SIEM integration, and managing allowlists for sources, destinations, and protocols. + Updates the protection policy for a specific service account within the Silverfort + platform. This action allows administrators to modify security configurations, + including enabling/disabling the policy, toggling blocking, configuring SIEM logging, + setting risk level thresholds, and managing allowed sources and destinations. ### Parameters Description @@ -949,66 +1036,56 @@ Update SA Policy: | :--- | :--- | :--- | :--- | - | Service Account GUID | String | Yes | The unique identifier (GUID) of the service - account whose policy is being updated. | + | Service Account GUID | string | Yes | The unique identifier (GUID) of the service + account to update. | - | Enabled | Boolean | No | Toggle to enable or disable the policy. | + | Enabled | boolean | No | Enable or disable the policy. | - | Block | Boolean | No | Toggle to enable or disable blocking for policy violations. - | + | Block | boolean | No | Enable or disable blocking for policy violations. | - | Send to SIEM | Boolean | No | Toggle to enable or disable sending policy violation - logs to the SIEM. | + | Send to SIEM | boolean | No | Enable or disable SIEM logging. | - | Risk Level | DDL | No | The risk level threshold for the policy. Supported values: - `low`, `medium`, `high`. | - - | Allow All Sources | Boolean | No | If set to true, the policy will ignore the - specific allowed sources list and allow all sources. | - - | Allow All Destinations | Boolean | No | If set to true, the policy will ignore - the specific allowed destinations list and allow all destinations. | - - | Protocols | String | No | A comma-separated list of protocols to allow (e.g., - `Kerberos`, `ldap`, `ntlm`). | + | Risk Level | ddl | No | Risk level threshold for the policy (low, medium, high). + | - | Add Allowed Sources | String | No | A JSON array of source objects to add to - the allowlist. Format: `[{"key": "10.0.0.1", "key_type": "ip"}]`. | + | Allow All Sources | boolean | No | If true, ignores specific allowed sources + list. | - | Remove Allowed Sources | String | No | A JSON array of source objects to remove - from the allowlist. Format: `[{"key": "10.0.0.1", "key_type": "ip"}]`. | + | Allow All Destinations | boolean | No | If true, ignores specific allowed destinations + list. | - | Add Allowed Destinations | String | No | A JSON array of destination objects - to add to the allowlist. Format: `[{"key": "10.0.0.1", "key_type": "ip"}]`. | + | Protocols | string | No | Comma-separated list of protocols to allow (Kerberos, + ldap, ntlm). | - | Remove Allowed Destinations | String | No | A JSON array of destination objects - to remove from the allowlist. Format: `[{"key": "10.0.0.1", "key_type": "ip"}]`. - | + | Add Allowed Sources | string | No | JSON array of sources to add to the allowlist. + Format: [{"key": "10.0.0.1", "key_type": "ip"}] | + | Remove Allowed Sources | string | No | JSON array of sources to remove from + the allowlist. Format: [{"key": "10.0.0.1", "key_type": "ip"}] | - ### Additional Notes + | Add Allowed Destinations | string | No | JSON array of destinations to add to + the allowlist. Format: [{"key": "10.0.0.1", "key_type": "ip"}] | - The `Add/Remove Allowed Sources/Destinations` parameters require a specific JSON - structure. Each object in the array must contain a `key` (the identifier, such - as an IP or hostname) and a `key_type` (the type of identifier). + | Remove Allowed Destinations | string | No | JSON array of destinations to remove + from the allowlist. Format: [{"key": "10.0.0.1", "key_type": "ip"}] | ### Flow Description - 1. **Parameter Extraction:** The action retrieves the mandatory Service Account - GUID and all optional policy configuration parameters from the input. + 1. **Parameter Extraction**: The action extracts all provided parameters from + the SOAR action configuration. - 2. **Validation:** It validates that the provided `Risk Level` and `Protocols` - match the supported enums in the Silverfort system. + 2. **Validation**: It validates the provided 'Risk Level' and 'Protocols' against + allowed values. - 3. **Endpoint Parsing:** It parses the JSON strings provided for adding or removing - allowed sources and destinations into structured data models. + 3. **Parsing**: It parses the JSON strings provided for allowed sources and destinations + into structured objects. - 4. **API Interaction:** It sends a POST request to the Silverfort Service Accounts - API endpoint to apply the specified policy updates for the given GUID. + 4. **API Interaction**: It initializes the Silverfort Service Account client and + sends a POST request to the Silverfort API to update the policy for the specified + service account GUID. - 5. **Result Handling:** The action returns a success status and the GUID of the - updated service account. + 5. **Result**: It returns a success message indicating the policy update status. capabilities: can_create_case_comments: false can_create_insight: false @@ -1017,12 +1094,19 @@ Update SA Policy: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the protection policy configuration for a specific service account in - Silverfort, including blocking status, logging, and allowlists. + Updates the protection policy for a service account in Silverfort, including + settings like blocking, SIEM logging, risk levels, and allowed sources/destinations. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to update a service account policy in the + external Silverfort system. It does not fetch data for enrichment, nor does + it modify any internal SOAR entities or case data. categories: enrichment: false + reasoning: >- + The action is a mutation action that updates external policy configurations. + It does not fetch data for enrichment purposes. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -1038,3 +1122,6 @@ Update SA Policy: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action operates on a Service Account GUID provided as a parameter and does + not iterate over or filter SOAR target entities. diff --git a/content/response_integrations/third_party/partner/silverfort/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/silverfort/resources/ai/integration_ai_description.yaml index 0b062e038..0b993c80c 100644 --- a/content/response_integrations/third_party/partner/silverfort/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/partner/silverfort/resources/ai/integration_ai_description.yaml @@ -7,6 +7,18 @@ product_categories: iam_and_identity_management: true itsm: false network_security: false + reasoning: >- + The Silverfort integration is an identity security platform that provides capabilities + to manage and monitor identity-related security. It includes actions to retrieve + and update risk levels for users and service accounts (e.g., 'Get Entity Risk', + 'Update Entity Risk', 'Update SA Policy'), which directly aligns with the 'IAM + & Identity Management' category. Furthermore, the integration provides visibility + into service accounts by retrieving their detailed attributes and configurations + (e.g., 'Get Service Account', 'List Service Accounts'), which qualifies it for + the 'Asset Inventory' category as these service accounts are critical internal + assets. The integration does not perform log analysis (SIEM), host-level process + inspection (EDR), network traffic blocking (Network Security), or external indicator + reputation checks (Threat Intelligence). siem: false threat_intelligence: false vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/spycloud/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/spycloud/resources/ai/actions_ai_description.yaml index 26e99dda7..f0c70cba2 100644 --- a/content/response_integrations/third_party/partner/spycloud/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/spycloud/resources/ai/actions_ai_description.yaml @@ -13,6 +13,10 @@ List Catalogs: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves a list of catalogs from SpyCloud. It does not match any + of the specific operational categories like enrichment, containment, or ticket + management. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -30,67 +34,60 @@ List Catalogs: ai_description: >- ### General Description - This action retrieves a list of available data catalogs from SpyCloud based on - specified timeframes and filtering criteria. It is primarily used to identify - which breach catalogs are available for further investigation or entity enrichment - within a specific period. + This action retrieves a list of available breach catalogs from the SpyCloud platform. + It allows users to filter catalogs based on specific criteria and time frames, + providing visibility into available breach data sources. - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + | --- | --- | --- | --- | - | Filter Logic | DDL | No | Determines how the 'Filter Value' is applied. Options - are 'Equal' (exact match on title) or 'Contains' (substring match across all fields). - Default is 'Equal'. | + | Filter Logic | ddl | No | Specifies the filter logic to apply (Equal or Contains). + | - | Filter Value | String | No | The string to search for. If 'Equal' is selected, - it matches the catalog title. If 'Contains' is selected, it searches all response - fields. | + | Filter Value | string | No | The value to use for filtering. "Equal" matches + the title, while "Contains" searches all values. | - | Time Frame | DDL | Yes | The period to search for catalogs. Options: 'Last Week', - 'Last Month', 'Last Year', or 'Custom'. | + | Time Frame | ddl | Yes | The time range for the search (Last Week, Last Month, + Last Year, or Custom). | - | Start Time | String | No | Mandatory if 'Time Frame' is set to 'Custom'. Specifies - the beginning of the search range in ISO 8601 format. | + | Start Time | string | No | The start time for the search in ISO 8601 format. + Mandatory if "Custom" is selected for Time Frame. | - | End Time | String | No | Specifies the end of the search range in ISO 8601 format. - If 'Custom' is selected and this is empty, the current time is used. | + | End Time | string | No | The end time for the search in ISO 8601 format. Defaults + to current time if not provided when "Custom" is selected. | - | Max Catalogs To Return | String | No | Limits the number of catalog records - returned. Default is 50. | + | Max Catalogs To Return | string | No | The maximum number of catalogs to return. + Default is 50. | ### Additional Notes - - If 'Custom' is selected for 'Time Frame', the 'Start Time' parameter must be - provided, otherwise the action will fail. + - If "Custom" is selected for the "Time Frame" parameter, the "Start Time" parameter + must be provided. - - The action supports pagination and will automatically fetch all results from - the SpyCloud API before applying local filters and limits. + - The action performs local filtering if "Equal" logic is selected. ### Flow Description - 1. **Initialization**: The action initializes the SpyCloud manager using the provided - API credentials and configuration. + 1. Extract configuration parameters (API Root, API Key, Verify SSL) and action + parameters. - 2. **Timeframe Calculation**: It parses the 'Time Frame' and optional 'Start/End - Time' parameters to determine the search window. + 2. Calculate the start and end timestamps based on the selected "Time Frame" and + provided start/end time strings. - 3. **Data Retrieval**: It performs a paginated GET request to the SpyCloud `/enterprise-v1/breach/catalog` - endpoint. + 3. Initialize the SpyCloudManager and query the SpyCloud API for catalogs using + the calculated time range and filter value. - 4. **Filtering**: If a 'Filter Value' is provided, the action filters the retrieved - list based on the 'Filter Logic' (Equal or Contains). + 4. Apply local filtering to the results if "Equal" logic is specified. - 5. **Limiting**: The result set is truncated based on the 'Max Catalogs To Return' - parameter. + 5. Truncate the results list to the specified "Max Catalogs To Return" limit. - 6. **Output**: The final list of catalogs is added to the action results as a - JSON object and displayed in a data table named 'Available Catalogs'. + 6. Output the results as a JSON object and a formatted data table for the user. capabilities: can_create_case_comments: false can_create_insight: false @@ -101,8 +98,17 @@ List Catalogs: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to the SpyCloud API to fetch catalog data. + It does not modify any external systems, nor does it modify internal SOAR case + data, entities, or alerts. It simply outputs the retrieved data to the action + results. categories: enrichment: false + reasoning: >- + The action fetches data from an external source (SpyCloud) but does not enrich + specific entities or alerts within the SOAR platform. It is a utility action + for listing available catalogs, not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -118,6 +124,9 @@ List Catalogs: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with or iterate over any entities in the SOAR case. + It operates independently of the entity model. List Entity Breaches: action_product_categories: add_alert_comment: false @@ -133,6 +142,10 @@ List Entity Breaches: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves breach data, which provides threat intelligence (Enrich + IOC) and contextual metadata for users and domains (Enrich Asset). It does not + perform any containment or ticket management actions. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -148,65 +161,56 @@ List Entity Breaches: update_identity: false update_ticket: false ai_description: >- - Retrieves breach information from SpyCloud for specific entities including IP - Addresses, Usernames, Email Addresses, and Domains. This action checks if the - provided entities have been involved in known data breaches within a specified - timeframe and enriches the entities with the findings. + Retrieves breach information for entities (IPs, Users/Emails, Domains) from SpyCloud. + This action enriches entities with threat intelligence regarding known breaches, + helping analysts identify compromised assets. + + ### Flow Description - ### Flow Description: + 1. **Configuration & Parameter Extraction**: The action retrieves API credentials + and action-specific parameters (Time Frame, Catalog Filter, etc.). - 1. **Initialization**: The action initializes the SpyCloud manager using the provided - API credentials and configuration. + 2. **Entity Filtering**: It filters the provided target entities to include only + supported types: IP Address, User/Email, and URL (Domain). - 2. **Timeframe Calculation**: It determines the search window based on the 'Time - Frame' parameter. If 'Custom' is selected, it validates and uses the 'Start Time' - and 'End Time' parameters. + 3. **Breach Querying**: For each valid entity, it determines the appropriate breach + type (IPs, Emails, Usernames, or Domains) and queries the SpyCloud API for breach + records within the specified time frame. - 3. **Catalog Resolution**: If a 'Catalog Filter' is provided, the action fetches - available catalogs from SpyCloud to find the corresponding ID for targeted searching. + 4. **Enrichment**: If breaches are found, the action updates the entity's `additional_properties` + with the breach data and marks the entity as enriched. - 4. **Entity Processing**: The action iterates through supported entities (IP, - User, URL): - * It determines the appropriate breach type (ips, emails, usernames, or domains). - * It extracts the relevant identifier (e.g., stripping the domain from a URL). - * It queries the SpyCloud API for breach records associated with that identifier - and catalog. - 5. **Enrichment and Results**: For entities with found breaches, it updates the - entity's additional properties with enrichment data, marks the entity as enriched, - and compiles the raw breach data into a JSON result for the SOAR platform. + 5. **Result Reporting**: The action updates the entities in the SOAR platform + and returns the breach details as a JSON result. - ### Parameters Description: + ### Parameters - | Parameter Name | Type | Mandatory | Description | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Catalog Filter | string | No | Specify the name of the category/catalog in which - you want to search for breaches. | + | Catalog Filter | String | No | Specify the name of the category in which you + want to search for breaches. | - | Time Frame | ddl | Yes | Predefined time range for the search (Last Week, Last - Month, Last Year, or Custom). | + | Time Frame | DDL | Yes | Specify a time frame for the search (Last Week, Last + Month, Last Year, Custom). | - | Start Time | string | No | Mandatory if 'Time Frame' is set to 'Custom'. Format: - ISO 8601. | + | Start Time | String | No | Start time for the search. Mandatory if "Custom" + is selected for "Time Frame". Format: ISO 8601. | - | End Time | string | No | Optional end time for 'Custom' searches. Defaults to - current time if not provided. Format: ISO 8601. | + | End Time | String | No | End time for the search. Format: ISO 8601. If not provided + for "Custom", defaults to current time. | - | Max Breaches To Return | string | No | The maximum number of breach records - to retrieve per entity. Default is 1, maximum is 1000. | + | Max Breaches To Return | String | No | Specify how many breaches to return per + entity. Default: 1. Maximum: 1000. | - ### Additional Notes: - - * **Entity Mapping**: Username entities are automatically checked against an email - regex; if they match, they are treated as 'emails' breach types, otherwise as - 'usernames'. + ### Additional Notes - * **URL Handling**: For URL entities, the action automatically extracts the domain - part to perform the search. + - If "Custom" is selected for the "Time Frame" parameter, the "Start Time" parameter + must be provided. capabilities: can_create_case_comments: false can_create_insight: false @@ -217,10 +221,18 @@ List Entity Breaches: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with breach information and sets the 'is_enriched' - flag to true for entities where breaches were found. + The action updates entity properties (additional_properties) and marks entities + as enriched within the SOAR platform. + reasoning: >- + The action fetches breach data from an external API (SpyCloud) and updates the + entity's additional properties within the SOAR platform. It does not mutate + external systems or modify alert data/case comments. categories: enrichment: true + reasoning: >- + The action is an enrichment action. It fetches data from an external source + (SpyCloud) and updates internal entity data without mutating external systems + or performing unauthorized internal mutations. entity_usage: entity_types: - ADDRESS @@ -239,6 +251,9 @@ List Entity Breaches: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code filters `siemplify.target_entities` using `SUPPORTED_ENTITY_TYPES`, + which includes ADDRESS, USER, and URL (mapped to DestinationURL). Ping: action_product_categories: add_alert_comment: false @@ -254,6 +269,10 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test ('Ping'). It does not perform any of the defined + actions like enriching IOCs, updating tickets, or blocking hosts. Therefore, + it does not match any of the provided product categories. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -268,26 +287,44 @@ Ping: update_email: false update_identity: false update_ticket: false - ai_description: "### General Description\nThe **Ping** action is a diagnostic tool\ - \ designed to verify the connectivity between Google SecOps and the SpyCloud service.\ - \ It ensures that the provided API credentials and network configurations (such\ - \ as the API Root and SSL settings) are valid and that the SpyCloud API is reachable.\n\ - \n### Parameters Description\n| Parameter Name | Expected Type | Mandatory | Description\ - \ |\n| :--- | :--- | :--- | :--- |\n| **API Root** | String | Yes | The base URL\ - \ for the SpyCloud API instance. |\n| **API Key** | String | Yes | The API key\ - \ used for authentication with SpyCloud. |\n| **Verify SSL** | Boolean | Yes |\ - \ If enabled, the action will verify the SSL certificate of the SpyCloud server.\ - \ |\n\n### Flow Description\n1. **Parameter Extraction:** The action retrieves\ - \ the `API Root`, `API Key`, and `Verify SSL` settings from the integration configuration.\n\ - 2. **Manager Initialization:** It initializes the `SpyCloudManager` with the extracted\ - \ credentials.\n3. **Connectivity Test:** The manager executes a `GET` request\ - \ to a specific SpyCloud endpoint (`/enterprise-v1/breach/catalog/1`) to test\ - \ the connection.\n4. **Result Handling:** \n * If the request is successful,\ - \ the action completes with a success message.\n * If an error occurs (e.g.,\ - \ authentication failure, network timeout), the action fails and provides the\ - \ error details.\n\n### Additional Notes\n* This action does not process or require\ - \ any entities.\n* It is strictly used for configuration validation and does not\ - \ perform any data enrichment or mutation." + ai_description: >- + Tests connectivity to the SpyCloud API to ensure the integration is configured + correctly. This action validates the connection parameters by sending a request + to the SpyCloud server. + + + ### Flow Description + + 1. The action extracts the required configuration parameters: API Root, API Key, + and Verify SSL. + + 2. It initializes the SpyCloudManager with these parameters. + + 3. It executes a connectivity test by sending a GET request to the SpyCloud ping + endpoint. + + 4. If the request is successful, it returns a success message; otherwise, it returns + a failure message with the error details. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | --- | --- | --- | --- | + + | API Root | String | Yes | The base URL for the SpyCloud API. | + + | API Key | String | Yes | The authentication key for the SpyCloud API. | + + | Verify SSL | Boolean | Yes | Whether to verify the SSL certificate for the connection. + | + + + ### Additional Notes + + This action is a connectivity test and does not perform any data enrichment or + system modifications. capabilities: can_create_case_comments: false can_create_insight: false @@ -296,10 +333,18 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity test by sending a GET request to the SpyCloud + API. It does not fetch contextual data about alerts or entities, nor does it + modify any external or internal data. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action. Per the instructions, 'Actions named Ping must + not be categorized as enrichment actions.' It does not perform any enrichment + or data retrieval for entities. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -315,3 +360,5 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. diff --git a/content/response_integrations/third_party/partner/spycloud/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/spycloud/resources/ai/integration_ai_description.yaml index 2e831240c..7c3fb6eec 100644 --- a/content/response_integrations/third_party/partner/spycloud/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/partner/spycloud/resources/ai/integration_ai_description.yaml @@ -4,9 +4,19 @@ product_categories: collaboration: false edr: false email_security: false - iam_and_identity_management: false + iam_and_identity_management: true itsm: false network_security: false + reasoning: >- + The SpyCloud integration is primarily categorized as Threat Intelligence because + its core functionality involves enriching entities (IPs, Domains, Usernames/Emails) + with breach data to determine if they have been compromised, which serves as a + critical step in verifying the reputation of indicators. It is also categorized + as IAM & Identity Management because the integration specifically targets account + takeover prevention and the remediation of exposed passwords, allowing security + teams to identify and address compromised user identities. It does not perform + SIEM log analysis, EDR host containment, network security blocking, or ITSM ticket + management. siem: false threat_intelligence: true vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/stairwell/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/stairwell/resources/ai/actions_ai_description.yaml index 794fad4a7..a33c8d6fe 100644 --- a/content/response_integrations/third_party/partner/stairwell/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/stairwell/resources/ai/actions_ai_description.yaml @@ -13,6 +13,10 @@ Enrich Hash: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves threat intelligence (reputation, prevalence, etc.) for + a file hash, which matches the 'Enrich IOC' category. It does not perform any + other actions like ticketing, blocking, or host containment. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -27,34 +31,29 @@ Enrich Hash: update_email: false update_identity: false update_ticket: false - ai_description: "Enriches File Hash entities using threat intelligence data from\ - \ Stairwell. This action retrieves comprehensive metadata about a file, including\ - \ its size, entropy, various hash formats (MD5, SHA1, SHA256, Imphash, TLSH),\ - \ and maliciousness verdicts. It evaluates the risk level based on Stairwell's\ - \ 'Maleval' malicious probability and specific 'MALICIOUS' verdicts. The action\ - \ updates the entity's attributes, marks it as suspicious if applicable, and generates\ - \ detailed insights and data tables for analyst review.\n\n### Parameters Description\n\ - \n| Parameter Name | Type | Mandatory | Description |\n| :--- | :--- | :--- |\ - \ :--- |\n| API Root | String | Yes | The base URL of the Stairwell API instance.\ - \ |\n| API Key | String | Yes | The API key used for authentication with Stairwell.\ - \ |\n| Organization ID | String | No | The specific Stairwell Organization ID\ - \ to context the request. |\n| User ID | String | No | The specific Stairwell\ - \ User ID to context the request. |\n\n### Flow Description\n\n1. **Initialization**:\ - \ Extracts the Stairwell API configuration (Root, Key, Org ID, User ID) and identifies\ - \ all File Hash entities in the current context.\n2. **Data Retrieval**: For\ - \ each File Hash entity, the action queries the Stairwell Enrichment API to fetch\ - \ the object event report.\n3. **Data Parsing**: The raw JSON response is parsed\ - \ into a structured File data model, extracting metadata like file magic, mime\ - \ type, and sightings.\n4. **Enrichment & Risk Assessment**: \n * Updates\ - \ the entity's additional properties with the retrieved metadata.\n * Determines\ - \ if the file is suspicious by checking for a 'MALICIOUS' verdict or a high 'Maleval'\ - \ malicious probability.\n5. **Internal Updates**: \n * If suspicious, creates\ - \ an Entity Insight containing the malicious probability, detection labels, and\ - \ first-seen date.\n * Adds a detailed CSV-formatted data table to the case\ - \ wall for each enriched hash.\n * Updates the entities within Google SecOps\ - \ to reflect the new enrichment data and suspicious status.\n6. **Completion**:\ - \ Returns a summary message of successfully enriched hashes and provides the full\ - \ raw data in JSON format." + ai_description: "### General Description\nEnriches file hash entities using the\ + \ Stairwell platform. This action retrieves comprehensive threat intelligence,\ + \ including file metadata, prevalence, and malicious probability scores, to assist\ + \ analysts in evaluating the risk associated with specific file hashes.\n\n###\ + \ Flow Description\n1. **Initialization**: Extracts configuration parameters (API\ + \ Root, API Key, Organization ID, and User ID) required for authentication and\ + \ API communication.\n2. **Filtering**: Identifies and filters target entities\ + \ within the case to process only those of type `FILEHASH`.\n3. **Enrichment**:\ + \ For each valid file hash, the action queries the Stairwell API to retrieve detailed\ + \ file intelligence.\n4. **Data Processing**: \n - Updates the entity's `additional_properties`\ + \ with the retrieved enrichment data.\n - Sets the `is_enriched` flag to true.\n\ + \ - Evaluates the file's suspicious status based on the retrieved verdict and\ + \ malicious probability.\n5. **Reporting**: \n - If the file is deemed suspicious,\ + \ it generates an entity insight.\n - Adds a data table containing the enrichment\ + \ results to the case.\n - Updates the entities within the SOAR platform.\n\ + \n### Parameters Description\n| Parameter | Type | Mandatory | Description |\n\ + | :--- | :--- | :--- | :--- |\n| API Root | String | Yes | The base URL for the\ + \ Stairwell API. |\n| API Key | String | Yes | The API key used for authentication\ + \ with the Stairwell service. |\n| Organization ID | String | No | The Organization\ + \ ID to include in the API request headers. |\n| User ID | String | No | The User\ + \ ID to include in the API request headers. |\n\n### Additional Notes\n- This\ + \ action is strictly for enrichment and does not perform any modifications on\ + \ external systems. \n- It only processes entities of type `FILEHASH`." capabilities: can_create_case_comments: false can_create_insight: true @@ -65,10 +64,18 @@ Enrich Hash: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity enrichment fields, sets the 'is_suspicious' flag, creates entity - insights, and adds data tables to the case wall. + Updates entity properties, sets suspicious status, adds entity insights, and + adds data tables to the case. + reasoning: >- + The action fetches threat intelligence data from the Stairwell API (GET). It + updates internal entity properties, sets the suspicious flag, and creates insights + within the SOAR platform. It does not modify external systems. categories: enrichment: true + reasoning: >- + The action fetches data (Enrichment) and does not mutate external systems. It + performs allowed internal mutations (updating entities, creating insights). + It is not a Ping or download action. entity_usage: entity_types: - FILEHASH @@ -85,6 +92,8 @@ Enrich Hash: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code filters `siemplify.target_entities` specifically for `FILEHASH` entities. Enrich Hostname: action_product_categories: add_alert_comment: false @@ -96,10 +105,14 @@ Enrich Hostname: disable_identity: false download_file: false enable_identity: false - enrich_asset: false - enrich_ioc: true + enrich_asset: true + enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves contextual metadata for a hostname (asset) from Stairwell. + This matches the 'Enrich Asset' category. It does not perform IOC enrichment + (IP/Hash), nor does it perform containment or ticketing actions. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -114,67 +127,28 @@ Enrich Hostname: update_email: false update_identity: false update_ticket: false - ai_description: >- - ### General Description - - The **Enrich Hostname** action retrieves comprehensive threat intelligence and - reputation data for Hostname entities from the Stairwell platform. It provides - analysts with visibility into host verdicts, community opinions, and DNS records - (A, AAAA, MX) to assist in incident investigation and triage. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | API Root | String | Yes | The base URL of the Stairwell API instance. | - - | API Key | String | Yes | The API key used for authentication with Stairwell. - | - - | Organization ID | String | No | Optional identifier for the specific Stairwell - organization context. | - - | User ID | String | No | Optional identifier for the specific Stairwell user - context. | - - - ### Flow Description - - 1. **Initialization:** The action extracts configuration parameters (API Root, - API Key, Org ID, User ID) and initializes the Stairwell API manager. - - 2. **Entity Filtering:** It identifies all `HOSTNAME` entities within the current - alert context. - - 3. **Data Retrieval:** For each hostname, it queries the Stairwell enrichment - API to fetch the host's detailed report, including opinions and DNS records. - - 4. **Entity Enrichment:** - * Updates the entity's additional properties with the retrieved data (prefixed - with 'SW'). - * Marks the entity as enriched in the SOAR platform. - * Evaluates the host's verdict; if the verdict is "MALICIOUS", the entity - is marked as suspicious. - 5. **Insight Generation:** If a host is deemed suspicious, a formatted HTML insight - is added to the entity for quick analyst review. - - 6. **Reporting:** - * Constructs a data table for each host containing DNS records and community - opinions. - * Appends raw JSON results to the action output for downstream processing. - 7. **Finalization:** Updates the entities in the SOAR platform and provides a - summary message of successful and failed enrichments. - - - ### Additional Notes - - - This action is strictly read-only regarding the Stairwell platform and does - not modify any external data. - - - It specifically targets `HOSTNAME` entities and will skip other entity types. + ai_description: "### General Description\nThis action enriches Hostname entities\ + \ by retrieving threat intelligence and contextual data from the Stairwell platform.\ + \ It helps analysts understand the reputation and associated records of a host\ + \ within their environment.\n\n### Flow Description\n1. **Configuration Extraction**:\ + \ The action retrieves the API Root, API Key, Organization ID, and User ID from\ + \ the integration configuration.\n2. **Entity Filtering**: It iterates through\ + \ the target entities in the case, filtering specifically for those with the type\ + \ `HOSTNAME`.\n3. **Data Retrieval**: For each valid hostname, it queries the\ + \ Stairwell API to fetch host-specific reports.\n4. **Enrichment**: \n - Updates\ + \ the entity's `additional_properties` with the retrieved data.\n - Marks the\ + \ entity as enriched.\n - Evaluates the host's suspicious status based on the\ + \ Stairwell verdict.\n5. **Reporting**: \n - If the host is deemed suspicious,\ + \ it creates a case insight.\n - Adds a data table to the case results containing\ + \ the detailed host report.\n - Updates the entities within the SecOps platform.\n\ + \n### Parameters Description\n| Parameter | Type | Mandatory | Description |\n\ + | :--- | :--- | :--- | :--- |\n| API Root | String | Yes | The base URL for the\ + \ Stairwell API. |\n| API Key | String | Yes | The API key used for authentication\ + \ with Stairwell. |\n| Organization ID | String | No | The Organization ID to\ + \ include in API headers. |\n| User ID | String | No | The User ID to include\ + \ in API headers. |\n\n### Additional Notes\n- The action requires at least one\ + \ Hostname entity to be present in the case to perform any operations.\n- If the\ + \ execution deadline is reached, the action will terminate gracefully." capabilities: can_create_case_comments: false can_create_insight: true @@ -185,10 +159,19 @@ Enrich Hostname: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity attributes with enrichment data, sets suspicious status, and - creates entity insights and data tables within the case. + Updates entity properties, adds insights, and adds data tables to the case. + reasoning: >- + The action fetches host data from the Stairwell API (fetches_data=true). It + does not modify external systems (can_mutate_external_data=false). It performs + internal mutations by updating entity properties, adding insights, and adding + data tables to the case (can_mutate_internal_data=true). categories: enrichment: true + reasoning: >- + The action fetches data from an external source (Stairwell) to enrich entities. + It does not mutate external systems. It performs allowed internal mutations + (updating entities, creating insights). Therefore, it is classified as an enrichment + action. entity_usage: entity_types: - HOSTNAME @@ -205,6 +188,9 @@ Enrich Hostname: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and filters specifically + for `EntityTypes.HOSTNAME`. Enrich IP: action_product_categories: add_alert_comment: false @@ -220,6 +206,10 @@ Enrich IP: enrich_ioc: true execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves threat intelligence (reputation, verdict) for an IP address + from Stairwell. This matches the 'Enrich IOC' category. It does not perform + any other actions like blocking, ticketing, or alert management. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -234,67 +224,28 @@ Enrich IP: update_email: false update_identity: false update_ticket: false - ai_description: >- - ### General Description - - Enriches IP Address entities with threat intelligence data from Stairwell. This - action retrieves detailed reports including verdicts, opinions, and comments for - each IP address found in the case context. It helps analysts quickly identify - malicious infrastructure by providing contextual metadata and automated risk assessments. - - - ### Parameters Description - - | Parameter | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | API Root | String | Yes | The base URL of the Stairwell API. | - - | API Key | String | Yes | The API key used for authentication with Stairwell. - | - - | Organization ID | String | No | The specific Organization ID to include in the - request headers for multi-tenant environments. | - - | User ID | String | No | The specific User ID to include in the request headers - if required by the API configuration. | - - - ### Flow Description - - 1. **Initialization**: Extracts API credentials and configuration parameters from - the integration settings. - - 2. **Entity Identification**: Filters the target entities to identify all `ADDRESS` - (IP) types. - - 3. **Data Retrieval**: For each identified IP, the action queries the Stairwell - API to fetch the latest enrichment report. - - 4. **Enrichment**: Updates the entity's additional properties with the retrieved - data and marks the entity as enriched. - - 5. **Risk Assessment**: Evaluates the verdict from Stairwell; if the verdict is - 'MALICIOUS', the entity is marked as suspicious in Google SecOps. - - 6. **Insight Generation**: Creates an HTML-formatted entity insight for suspicious - IPs, highlighting the malicious verdict. - - 7. **Result Reporting**: Generates a data table for each IP containing the report - summary and attaches the full raw JSON response to the action results. - - 8. **Finalization**: Updates all successfully processed entities within the platform - and returns a summary message. - - - ### Additional Notes - - - This action is classified as an enrichment type and does not modify any data - in the external Stairwell system. - - - If an IP is not found in Stairwell, the action will log an error for that specific - entity but continue processing others. + ai_description: "### General Description\nEnriches IP Address entities using the\ + \ Stairwell API. This action retrieves threat intelligence, including verdicts\ + \ and opinions, for specified IP addresses. It updates the entity's profile with\ + \ this information, marks the entity as enriched, and flags it as suspicious if\ + \ the verdict is malicious. Additionally, it generates insights and data tables\ + \ for the case wall to assist analysts in their investigation.\n\n### Parameters\ + \ Description\n| Parameter | Type | Mandatory | Description |\n| :--- | :--- |\ + \ :--- | :--- |\n| API Root | String | Yes | The base URL for the Stairwell API.\ + \ |\n| API Key | String | Yes | The API key used for authentication with the Stairwell\ + \ service. |\n| Organization ID | String | No | The Organization ID to include\ + \ in the API request headers. |\n| User ID | String | No | The User ID to include\ + \ in the API request headers. |\n\n### Flow Description\n1. **Initialization**:\ + \ Extracts configuration parameters (API Root, API Key, Organization ID, User\ + \ ID).\n2. **Filtering**: Filters the target entities to process only those of\ + \ type `ADDRESS`.\n3. **Enrichment**: For each IP address, queries the Stairwell\ + \ API to retrieve threat intelligence data.\n4. **Internal Update**: \n - Updates\ + \ the entity's `additional_properties` with the retrieved data.\n - Sets the\ + \ entity's `is_enriched` flag to true.\n - Evaluates the verdict to set the\ + \ `is_suspicious` flag.\n - If the entity is suspicious, creates an entity\ + \ insight.\n - Adds a data table to the action results containing the enrichment\ + \ details.\n5. **Finalization**: Updates the entities in the SOAR platform and\ + \ returns the final status and output message." capabilities: can_create_case_comments: false can_create_insight: true @@ -305,10 +256,19 @@ Enrich IP: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity attributes with enrichment data, sets suspicious status, and - creates entity insights based on Stairwell intelligence. + Updates entity additional properties, marks entities as enriched/suspicious, + adds entity insights, and adds data tables to the case. + reasoning: >- + The action fetches IP reputation data from the Stairwell API (fetches_data=true). + It does not modify external systems (can_mutate_external_data=false). It updates + internal SOAR entities with enrichment data and creates insights for suspicious + entities (can_mutate_internal_data=true, can_update_entities=true, can_create_insight=true). categories: enrichment: true + reasoning: >- + The action fetches data from an external source (Stairwell) to enrich entities. + It does not mutate external systems. It performs allowed internal mutations + (updating entities, creating insights). Therefore, it is an enrichment action. entity_usage: entity_types: - ADDRESS @@ -325,6 +285,10 @@ Enrich IP: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and filters using `entity.entity_type + == EntityTypes.ADDRESS`. This means it targets ADDRESS entities, filtering by + entity_type. Ping: action_product_categories: add_alert_comment: false @@ -340,6 +304,9 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test (Ping) and does not perform any of the defined + product category operations like enrichment, containment, or ticket management. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -357,57 +324,41 @@ Ping: ai_description: >- ### General Description - The **Ping** action is designed to verify the connectivity between Google SecOps - and the Stairwell API. It ensures that the provided credentials (API Key, Organization - ID, etc.) and the API Root URL are correct and that the service is reachable. - This is typically used as a health check during the initial setup or troubleshooting - of the Stairwell integration. + This action tests the connectivity between the Google SecOps SOAR platform and + the Stairwell API. It verifies that the provided API credentials and configuration + settings are valid by attempting to reach a test endpoint. ### Parameters Description - | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | API Root | String | Yes | The base URL of the Stairwell API instance. | - - | API Key | String | Yes | The API key used for authentication with Stairwell. - | - - | Organization ID | String | No | The specific Organization ID associated with - the Stairwell account. | - - | User ID | String | No | The specific User ID associated with the Stairwell account. - | - + | API Root | String | Yes | The base URL of the Stairwell API. | - ### Additional Notes + | API Key | String | Yes | The API key used for authentication with the Stairwell + service. | - - This action does not process any entities from the SecOps case. It uses a hardcoded - dummy hostname (`www.google.com`) to perform a test lookup against the Stairwell - enrichment endpoint. + | Organization ID | String | No | The Organization ID to include in the API request + headers. | - - If the action fails, it usually indicates an issue with the network configuration, - invalid API keys, or an incorrect API Root URL. + | User ID | String | No | The User ID to include in the API request headers. | ### Flow Description - 1. **Parameter Initialization**: The action retrieves the integration configuration - parameters, including the API Root, API Key, and optional IDs. + 1. The action initializes the `StairwellManager` using the provided configuration + parameters (API Root, API Key, Organization ID, User ID). - 2. **Manager Setup**: It initializes the `StairwellManager` with the provided - configuration. + 2. It executes a connectivity test by calling `manager.test_connectivity()`, which + performs a GET request to a dummy endpoint on the Stairwell API. - 3. **Connectivity Test**: The action calls the `test_connectivity` method, which - attempts to fetch enrichment data for a dummy hostname (`www.google.com`) via - a GET request to the Stairwell API. + 3. If the request is successful, the action completes with a success status and + an output message indicating that the connection was established. - 4. **Result Handling**: If the API responds successfully, the action returns a - success status and a "Connection Established" message. If an exception occurs - (e.g., HTTP error, timeout), it catches the error and reports a failure. + 4. If an error occurs (e.g., invalid credentials, network issues), the action + catches the exception, logs the error, and fails the execution. capabilities: can_create_case_comments: false can_create_insight: false @@ -418,8 +369,15 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GET request to verify connectivity to the Stairwell API. + It does not modify any external or internal data, nor does it update entities, + create insights, or modify alert data. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action, which is explicitly excluded from being an enrichment + action per the provided instructions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -435,3 +393,6 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not process any entities from the SOAR platform; it uses a hardcoded + dummy hostname to test connectivity. diff --git a/content/response_integrations/third_party/partner/stairwell/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/stairwell/resources/ai/integration_ai_description.yaml index 2e831240c..160009014 100644 --- a/content/response_integrations/third_party/partner/stairwell/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/partner/stairwell/resources/ai/integration_ai_description.yaml @@ -7,6 +7,17 @@ product_categories: iam_and_identity_management: false itsm: false network_security: false + reasoning: "The Stairwell integration is primarily designed to provide threat intelligence\ + \ and malware analysis. Its core actions\u2014Enrich Hash, Enrich IP, and Enrich\ + \ Hostname\u2014are dedicated to enriching indicators of compromise (IOCs) and\ + \ hostnames with reputation data, verdicts, and malicious probability scores.\ + \ This aligns directly with the 'Threat Intelligence' category, which is used\ + \ for the first step of enrichment for external indicators to determine their\ + \ reputation. The integration does not perform SIEM log searching, EDR host containment,\ + \ network blocking, or ITSM ticketing. While it enriches hostnames, it provides\ + \ threat intelligence and malware analysis rather than asset inventory data (such\ + \ as owner, department, or business criticality), so it does not qualify for the\ + \ 'Asset Inventory' category." siem: false threat_intelligence: true vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/thinkst_canary/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/thinkst_canary/resources/ai/actions_ai_description.yaml index 8aadaf4c4..3e0aa9725 100644 --- a/content/response_integrations/third_party/partner/thinkst_canary/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/thinkst_canary/resources/ai/actions_ai_description.yaml @@ -13,6 +13,12 @@ Acknowledge Console Alert: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action acknowledges an incident on the external Canary Console. It does + not modify the alert status within the SecOps platform (which is the requirement + for 'Update Alert'), nor does it perform any of the other listed actions (e.g., + ticket creation, IOC management, host containment). Therefore, it does not match + any of the defined product categories. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -30,43 +36,48 @@ Acknowledge Console Alert: ai_description: >- ### General Description - The **Acknowledge Console Alert** action is designed to mark a specific incident - as acknowledged on the Thinkst Canary Console. This action is primarily used to - synchronize alert statuses between Google SecOps and the Canary platform, ensuring - that once an analyst has addressed an alert in the SOAR, the corresponding event - is updated in the source system to prevent duplicate effort. + The Acknowledge Console Alert action is used to mark an incident as acknowledged + on the Thinkst Canary Console. This action helps synchronize the state of an incident + between the Canary Console and the SOAR platform, ensuring that acknowledged alerts + are tracked appropriately in the external system. - ### Parameters Description + ### Flow Description - | Parameter Name | Type | Mandatory | Description | + 1. **Configuration Extraction**: The action retrieves the required `API Key`, + `Console Hash`, and `Verify SSL` settings from the integration configuration. - | :--- | :--- | :--- | :--- | + 2. **Validation**: It verifies that the `API Key` and `Console Hash` are not set + to their default values. If they are, the action fails. - | N/A | N/A | N/A | This action does not have any input parameters. | + 3. **Incident Identification**: The action accesses the `current_alert` object + in the SOAR platform to retrieve the `AlertId` from the `security_events` property. + 4. **Acknowledgment**: It sends a POST request to the Canary Console API (`/incident/acknowledge`) + using the retrieved `AlertId` to acknowledge the incident. - ### Additional Notes - This action relies on metadata (specifically the `AlertId`) that must be present - in the `additional_properties` of the security events associated with the alert. - This metadata is typically populated by the Thinkst Canary connector during the - ingestion process. If the `AlertId` is missing, the action will fail. + ### Parameters Description + | Parameter | Type | Mandatory | Description | - ### Flow Description + | :--- | :--- | :--- | :--- | + + | API Key | String | Yes | The API key used to authenticate with the Canary Console. + | + + | Console Hash | String | Yes | The unique hash/domain identifier for the Canary + Console. | - 1. **Configuration Retrieval:** The action retrieves the integration's global - settings, including the API Key and Console Hash. + | Verify SSL | Boolean | No | Determines whether to verify SSL certificates when + making API requests. | - 2. **Metadata Extraction:** It accesses the `security_events` of the current alert - in Google SecOps and extracts the `AlertId` from the first event's `additional_properties`. - 3. **External API Call:** It executes a POST request to the Thinkst Canary API - endpoint `/incident/acknowledge` using the extracted `AlertId` as the identifier. + ### Additional Notes - 4. **Execution Finalization:** The action concludes by reporting whether the acknowledgment - was successful based on the response from the Canary Console. + - This action requires that the alert was originally ingested by the Thinkst Canary + Connector, as it relies on the `AlertId` being present in the `additional_properties` + of the alert's security events. capabilities: can_create_case_comments: false can_create_insight: false @@ -75,13 +86,21 @@ Acknowledge Console Alert: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Acknowledges an incident on the Thinkst Canary Console, changing its status - from unacknowledged to acknowledged via a POST request to the /incident/acknowledge - endpoint. + The action sends a POST request to the Canary Console API to acknowledge an + incident, changing its status in the external system. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to an external API (Canary Console) to acknowledge + an incident. It does not fetch data for enrichment, nor does it modify any internal + SOAR data (entities, insights, or case comments). categories: enrichment: false + reasoning: >- + The action is a state-changing operation (acknowledgment) on an external system. + It does not fetch data for enrichment, nor does it perform any of the allowed + internal mutations (comments, insights, entity updates). Therefore, it is not + an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -97,6 +116,9 @@ Acknowledge Console Alert: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action operates on the `current_alert` object to retrieve the `AlertId` + from its security events. It does not iterate over or filter `target_entities`. Ping: action_product_categories: add_alert_comment: false @@ -112,6 +134,10 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity check (Ping) to verify API credentials and console + accessibility. It does not perform any of the listed functional operations such + as enriching IOCs, updating tickets, or modifying alert data. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -127,48 +153,46 @@ Ping: update_identity: false update_ticket: false ai_description: >- - Verifies connectivity to the Thinkst Canary Console by testing the provided API - Key and Console Hash against the `/ping` endpoint. This action is primarily used - to ensure that the integration is correctly configured and can communicate with - the external service. + Verifies connectivity to the Thinkst Canary Console by validating the provided + API credentials and console hash. This action ensures that the integration is + correctly configured and can communicate with the external service. ### Flow Description - 1. **Parameter Extraction:** Retrieves the 'API Key', 'Console Hash', and 'Verify - SSL' settings from the integration configuration. + 1. **Configuration Extraction**: The action retrieves the 'API Key', 'Console + Hash', and 'Verify SSL' settings from the integration configuration. - 2. **Validation:** Checks if the API Key and Console Hash have been changed from - their default placeholder values. + 2. **Validation**: It checks if the 'API Key' and 'Console Hash' are provided + and not set to their default placeholder values. If missing, the action fails. - 3. **Connectivity Test:** Initializes the Thinkst Manager and sends a GET request - to the `/ping` endpoint of the Canary Console. + 3. **Connectivity Check**: It initializes the `ThinkstActionManager` and sends + a GET request to the `/ping` endpoint of the Canary Console API. - 4. **Result Handling:** Evaluates the response from the console. If the response - indicates success, the action completes successfully; otherwise, it reports a - failure. + 4. **Result**: Based on the API response, it determines if the connection was + successful and terminates the action with the appropriate status and message. - ### Parameters Description + ### Parameters - | Parameter Name | Type | Mandatory | Description | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | API Key | String | Yes (Config) | The authentication token used to access the - Thinkst Canary API. | + | API Key | String | Yes | The API key used to authenticate with the Canary Console. + | - | Console Hash | String | Yes (Config) | The unique identifier/subdomain for your - Canary Console (e.g., the 'mycompany' part of 'mycompany.canary.tools'). | + | Console Hash | String | Yes | The unique domain hash for the Canary Console + (e.g., 'example' in 'example.canary.tools'). | - | Verify SSL | Boolean | No (Config) | Determines whether to verify the SSL certificate - of the Canary Console. | + | Verify SSL | Boolean | No | Whether to verify SSL certificates when connecting + to the console. | ### Additional Notes - * This action does not process any entities and is used solely for configuration - validation. + This action is strictly for connectivity verification and does not perform any + data enrichment or system mutations. capabilities: can_create_case_comments: false can_create_insight: false @@ -177,10 +201,18 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a simple connectivity check (ping) against the Thinkst Canary + Console API. It does not fetch contextual data for entities, nor does it mutate + any external or internal system state. It is a utility action for configuration + validation. categories: enrichment: false + reasoning: >- + The action is named 'Ping' and performs a connectivity check. Per the provided + instructions, actions named 'Ping' must not be categorized as enrichment actions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -196,3 +228,6 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. It operates solely based on + configuration parameters provided in the integration settings. diff --git a/content/response_integrations/third_party/partner/thinkst_canary/resources/ai/connectors_ai_description.yaml b/content/response_integrations/third_party/partner/thinkst_canary/resources/ai/connectors_ai_description.yaml index 85f46e291..1104789ff 100644 --- a/content/response_integrations/third_party/partner/thinkst_canary/resources/ai/connectors_ai_description.yaml +++ b/content/response_integrations/third_party/partner/thinkst_canary/resources/ai/connectors_ai_description.yaml @@ -1,37 +1,60 @@ Thinkst - Alert Connector: - ai_description: "### General Description\nThis connector integrates with the Thinkst\ - \ Canary Console to ingest security incidents into Google SecOps. It monitors\ - \ for activity triggered by Canarytokens, Honeypots, and operational events (such\ - \ as console or flock setting changes). By converting Canary incidents into structured\ - \ alerts, it provides security teams with immediate visibility into decoy-based\ - \ detections and potential unauthorized access within their environment.\n\n###\ - \ Parameters Description\n| Parameter | Type | Mandatory | Description |\n| :---\ - \ | :--- | :--- | :--- |\n| API Key | Password | Yes | The API key used to authenticate\ - \ with the Canary Console API. |\n| Console Hash | String | Yes | The unique hash\ - \ of your Canary Console (the subdomain part before .canary.tools). |\n| Verify\ - \ SSL | Boolean | No | If enabled, the connector verifies the SSL certificate\ - \ of the Canary Console. Default is True. |\n| Ignore Informative | Boolean |\ - \ No | If enabled, incidents classified as 'Informative' (e.g., disconnections\ - \ or setting changes) will not create cases. |\n| PythonProcessTimeout | String\ - \ | Yes | The timeout limit in seconds for the python process running the connector\ - \ script. |\n| DeviceProductField | String | Yes | The field name used to determine\ - \ the device product (default: device_product). |\n| EventClassId | String | Yes\ - \ | The field name used to determine the event sub-type (default: SourceType).\ - \ |\n\n### Flow Description\n1. **Authentication**: The connector establishes\ - \ a secure connection to the Thinkst Canary Console using the provided API Key\ - \ and Console Hash.\n2. **State Management**: It checks the connector's internal\ - \ context for the last processed incident ID and timestamp. If no state is found,\ - \ it defaults to fetching incidents from the last 24 hours.\n3. **Data Retrieval**:\ - \ The connector queries the `/incidents/unacknowledged` endpoint. It handles pagination\ - \ using cursors to ensure all pending incidents are retrieved.\n4. **Filtering**:\ - \ If the 'Ignore Informative' parameter is set to true, the connector filters\ - \ out incidents with an informative priority level (e.g., logtype 1004, 23001).\n\ - 5. **Mapping & Transformation**: \n * Converts Canary incident fields into\ - \ SOAR-compatible formats.\n * Assigns priorities (Informative, Low, Medium,\ - \ High, Critical) based on the incident's logtype.\n * Categorizes events\ - \ into Source Types: 'Canarytoken', 'Operational', or 'Honeypot'.\n * Generates\ - \ descriptive alert names and includes direct links to the Canary Console portal.\n\ - 6. **Ingestion**: The processed incidents are packaged as `AlertInfo` objects\ - \ and ingested into Google SecOps as cases.\n7. **Checkpointing**: After successful\ - \ ingestion, the connector updates its context with the latest incident ID and\ - \ timestamp to prevent duplicate processing in the next iteration." + ai_description: >- + ### General Description + + The Thinkst Alert Connector integrates with the Thinkst Canary Console to retrieve + security incidents. It periodically polls the Canary API for new, unacknowledged + incidents, transforms them into standardized SOAR alerts, and ingests them into + Google SecOps. This allows security teams to monitor and respond to honeypot triggers + and other Canary-detected events directly within the SOAR platform. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | API Key | Password | Yes | The API key for your Thinkst Canary console. | + + | Console Hash | String | Yes | The unique hash for your console (the part before + .canary.tools). | + + | Verify SSL | Boolean | No | Whether to verify SSL certificates when connecting + to the console. | + + | Ignore Informative | Boolean | No | If enabled, prevents the creation of cases + for informative incidents. | + + | PythonProcessTimeout | String | Yes | The timeout limit (in seconds) for the + Python process. | + + | DeviceProductField | String | Yes | The field name used to determine the device + product. | + + | EventClassId | String | Yes | The field name used to determine the event name + (sub-type). | + + + ### Flow Description + + 1. **Initialization**: The connector initializes using the provided API Key and + Console Hash to establish a secure connection to the Thinkst Canary API. + + 2. **Data Fetching**: It queries the `/incidents/unacknowledged` endpoint, handling + pagination to retrieve all new incidents since the last successful run (tracked + via context properties). + + 3. **Filtering**: If the "Ignore Informative" option is enabled, the connector + filters out incidents classified as informative (e.g., system configuration changes). + + 4. **Transformation**: Each incident is mapped to a SOAR `AlertInfo` object. This + includes normalizing timestamps, mapping incident types to priorities, and flattening + event data into a format compatible with Google SecOps. + + 5. **Ingestion**: The processed alerts are returned to the SOAR platform for case + creation. + + 6. **State Management**: Upon successful ingestion, the connector updates its + context with the latest incident ID and timestamp to ensure subsequent runs only + fetch new data. diff --git a/content/response_integrations/third_party/partner/thinkst_canary/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/thinkst_canary/resources/ai/integration_ai_description.yaml index 466738966..ae4ac1137 100644 --- a/content/response_integrations/third_party/partner/thinkst_canary/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/partner/thinkst_canary/resources/ai/integration_ai_description.yaml @@ -6,7 +6,16 @@ product_categories: email_security: false iam_and_identity_management: false itsm: false - network_security: false - siem: true + network_security: true + reasoning: >- + The Thinkst Canary integration is a deception technology platform that monitors + for unauthorized access to honeypots. The primary function of the connector is + to ingest security alerts (honeypot triggers) into the SOAR platform. These alerts + are typically network-based, such as unauthorized port scans or access attempts, + which aligns with the Network Security category. The integration does not perform + log aggregation (SIEM), host-level process analysis (EDR), or other functions + like IAM, ITSM, or vulnerability management. Therefore, it is categorized under + Network Security. + siem: false threat_intelligence: false vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/torq/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/torq/resources/ai/actions_ai_description.yaml index ce5ac0646..272a5bad8 100644 --- a/content/response_integrations/third_party/partner/torq/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/torq/resources/ai/actions_ai_description.yaml @@ -13,6 +13,10 @@ Create a Case: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action triggers a workflow in Torq to create a case. This aligns with the + 'Create Ticket' category, as it generates a new record/case in an external system. + It does not perform enrichment, containment, or other listed actions. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -28,61 +32,55 @@ Create a Case: update_identity: false update_ticket: false ai_description: >- - Invokes a Torq workflow via a Webhook to create a case or incident. This action - transmits the current alert payload, including entity details and metadata, to - Torq. If API credentials or a Bearer token are configured, the action will poll - the Torq Public API to retrieve the final execution status and output of the triggered - workflow. + Creates a case in Torq by triggering a workflow via a webhook. This action sends + the current alert payload, including entity information, to a configured Torq + webhook URL. It supports optional deduplication and correlation keys to manage + case creation and grouping. If configured, the action polls the Torq Public API + to retrieve the final execution output of the workflow. - ### Parameters - - - | Parameter | Type | Mandatory | Description | + ### Flow Description - | :--- | :--- | :--- | :--- | + 1. Reads integration configuration (URL, Secret, etc.) and action parameters. - | Deduplication Key | string | No | An optional idempotency key used by Torq to - prevent duplicate case creation. | + 2. Collects alert context, including case ID, alert details, and associated entities. - | Correlation Key | string | No | An optional key used for grouping related cases - or incidents within Torq. | + 3. Constructs a JSON payload containing the alert data and optional keys. - | Poll Max Seconds | string | No | The maximum duration (in seconds) to poll the - Torq API for the workflow's final result. Default is 60. | + 4. Sends a POST request to the Torq Webhook URL. - | Poll Interval Seconds | string | No | The interval (in seconds) between consecutive - polling requests to the Torq API. Default is 3. | + 5. Optionally polls the Torq Public API for the execution status and output if + configured. + 6. Adds the execution result to the Google SecOps action result pane. - ### Additional Notes + ### Parameters Description - * The action requires a 'Torq URL' and 'Webhook Secret' to be configured in the - integration settings. + | Parameter | Type | Mandatory | Description | - * To enable polling for the final execution result, 'Client ID' and 'Client Secret' - (or a 'Bearer Token override') must also be provided in the integration configuration. + | :--- | :--- | :--- | :--- | + | Deduplication Key | string | No | Optional idempotency key for case creation. + | - ### Flow Description + | Correlation Key | string | No | Optional correlation key for grouping cases/incidents. + | + | Poll Max Seconds | string | No | Maximum seconds to poll the execution (default: + 60). | - 1. **Data Collection**: The action gathers context from the current Google SecOps - case and alert, including entity identifiers, severity, and additional properties. + | Poll Interval Seconds | string | No | Seconds between poll requests (default: + 3). | - 2. **Webhook Invocation**: It sends a POST request containing the alert data to - the specified Torq Webhook URL, authenticated via the 'secret' header. - 3. **Execution Tracking**: Upon a successful webhook trigger, the action extracts - the execution ID from the response body or headers. + ### Additional Notes - 4. **Polling (Optional)**: If API credentials are available, the action enters - a polling loop, querying the Torq Public API for the workflow's completion status - (e.g., SUCCESS, FAILED). + - The action requires a valid Torq URL and Webhook Secret to be configured in + the integration instance settings. - 5. **Result Reporting**: The final execution output and status are captured and - returned as a JSON result within the SecOps platform. + - The action uses asynchronous polling to retrieve the final execution output + from Torq. capabilities: can_create_case_comments: false can_create_insight: false @@ -91,12 +89,19 @@ Create a Case: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Triggers a Torq workflow by sending a POST request to a webhook URL, which can - result in the creation of a case or incident within the Torq platform. + Triggers a workflow in Torq to create a case, which may result in external system + state changes. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action makes a POST request to trigger a workflow (can_mutate_external_data=true) + and polls the Torq Public API for execution status (fetches_data=true). It does + not update internal entities or modify alert data. categories: enrichment: false + reasoning: >- + The action creates external data (a case in Torq) rather than retrieving data + for enrichment, so it cannot be an Enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -112,6 +117,10 @@ Create a Case: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `alert.entities` to serialize them into the payload sent + to Torq. It does not filter or perform operations on `siemplify.target_entities`. + Therefore, it does not 'run on' entities in the context of the SOAR action framework. Ping: action_product_categories: add_alert_comment: false @@ -127,6 +136,10 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action triggers a workflow in Torq and polls for the result. It does not + match any of the predefined categories such as enrichment, containment, or ticket + management. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -142,53 +155,47 @@ Ping: update_identity: false update_ticket: false ai_description: >- - Sends a ping request to a Torq workflow via a Webhook and optionally polls the - Torq Public API for the execution result. This action is primarily used to verify - connectivity or trigger a simple automated workflow in Torq from Google SecOps. + Sends a ping to a Torq workflow via Webhook and optionally polls the Torq Public + API for the execution result. This action allows users to trigger automated workflows + in Torq and monitor their completion status directly from Google SecOps. ### Flow Description - 1. **Configuration Retrieval:** The action fetches integration settings including - the Webhook URL, Secret, and API credentials (Client ID/Secret). + 1. **Configuration Initialization**: The action reads the integration configuration + (URL, secret, region, etc.) from the server. - 2. **Payload Construction:** It builds a JSON payload containing the source ('Google - SecOps'), the action name ('ping'), and minimal case context (Case ID, Case Name, - and Environment). + 2. **Payload Construction**: It constructs a JSON payload containing the source, + action label, and minimal context (case ID and name). - 3. **Webhook Trigger:** It sends a POST request to the Torq Webhook URL using - the 'secret' header for authentication. + 3. **Webhook Trigger**: It sends a POST request to the configured Torq webhook + URL to initiate the workflow. - 4. **Execution Polling:** If the Webhook response contains an execution ID, the - action enters a polling loop. It queries the Torq Public API at the specified - interval until the workflow reaches a terminal state (e.g., SUCCESS, FAILED) or - the maximum polling time is reached. + 4. **Polling**: If an execution ID is returned, the action polls the Torq Public + API for the execution status until it reaches a terminal state or the maximum + polling time is exceeded. - 5. **Result Processing:** The final execution status and any output data from - the Torq workflow are captured and returned as a JSON result. + 5. **Result Output**: The final execution result, including status and output, + is added to the action result. ### Parameters Description - | Parameter Name | Type | Mandatory | Description | + | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | Poll Max Seconds | string | No | The maximum number of seconds to poll the Torq - API for the workflow execution result. Defaults to 60. | + | Poll Max Seconds | string | false | Maximum seconds to poll the execution. Defaults + to "60". | - | Poll Interval Seconds | string | No | The number of seconds to wait between - each poll request to the Torq API. Defaults to 3. | + | Poll Interval Seconds | string | false | Seconds between poll requests. Defaults + to "3". | ### Additional Notes - * This action requires a valid Webhook URL and Secret configured in the Torq integration - settings. - - * If API credentials (Client ID and Client Secret) are provided, the action will - attempt to poll for the execution result; otherwise, it will only perform the - initial Webhook trigger. + This action does not operate on specific entities and does not require any entity + selection to run. capabilities: can_create_case_comments: false can_create_insight: false @@ -197,12 +204,18 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Triggers a Torq workflow via a Webhook POST request, which initiates an automated - process in the external Torq platform. + Triggers a workflow execution in Torq via a webhook POST request. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action triggers an external workflow via a POST request (can_mutate_external_data=true) + and polls the Torq Public API for the execution result (fetches_data=true). + It does not modify internal SecOps data, update entities, or create insights. categories: enrichment: false + reasoning: >- + The action triggers an external workflow and is not designed to fetch contextual + data for entities or alerts, therefore it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -218,6 +231,9 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over or interact with `siemplify.target_entities`. + It operates independently of any entity context. Run a Workflow: action_product_categories: add_alert_comment: false @@ -233,6 +249,10 @@ Run a Workflow: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action triggers a workflow in Torq. This is a generic automation trigger + and does not match any of the specific product categories provided (e.g., Enrichment, + Containment, Ticket Management). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -250,12 +270,9 @@ Run a Workflow: ai_description: >- ### General Description - The **Run a Workflow** action allows users to trigger a generic workflow in **Torq** - by sending a POST request to a pre-configured webhook. This action is highly flexible, - allowing users to pass custom JSON input and optionally include the full context - of the current Google SecOps alert. If Torq API credentials (Client ID and Secret) - are configured, the action will also poll the Torq Public API to retrieve the - final execution status and any output data generated by the workflow. + Triggers a workflow in Torq by sending a JSON payload to a configured webhook. + This action allows for custom automation by passing arbitrary JSON data and optionally + including the current alert's context. ### Parameters Description @@ -264,49 +281,36 @@ Run a Workflow: | :--- | :--- | :--- | :--- | - | **Workflow Input** | String (JSON) | Yes | A JSON object containing the data - to be passed into the Torq workflow. Must be a valid JSON string. | + | Workflow Input | string | Yes | JSON object to pass into the Torq workflow. + | - | **Include Alert Payload** | Boolean | No | If set to `True`, the action will - include the current alert's metadata (identifier, name, severity, etc.) and a - list of associated entities in the request payload under the `alert` key. | + | Include Alert Payload | boolean | No | If true, include the current alert payload + under 'alert'. | - | **Poll Max Seconds** | String | No | The maximum amount of time (in seconds) - the action should wait for the workflow to complete. Default is 60 seconds. | + | Poll Max Seconds | string | No | Maximum seconds to poll the execution. | - | **Poll Interval Seconds** | String | No | The frequency (in seconds) at which - the action checks the Torq API for the workflow's status. Default is 3 seconds. - | + | Poll Interval Seconds | string | No | Seconds between poll requests. | - ### Flow Description - - 1. **Configuration Retrieval**: The action fetches integration settings (Webhook - URL, Secret, Region) and action parameters. + ### Additional Notes - 2. **Payload Construction**: It builds a JSON payload including the `Workflow - Input`. If `Include Alert Payload` is enabled, it serializes the current alert - and its entities into the payload. + The action performs a POST request to trigger the workflow and then polls the + Torq Public API for the result. Ensure the Torq webhook URL and secret are correctly + configured in the integration settings. - 3. **Webhook Invocation**: The action sends an authenticated POST request to the - Torq webhook URL. - 4. **Execution Polling (Optional)**: If the webhook response contains an execution - ID and API credentials are available, the action enters a polling loop. It queries - the Torq Public API until the workflow reaches a terminal state (e.g., SUCCESS, - FAILED) or the timeout is reached. + ### Flow Description - 5. **Result Processing**: The final execution status, headers, and output data - are captured and attached to the action's result in Google SecOps. + 1. Reads integration configuration (URL, secret, etc.) and action parameters. + 2. Constructs a payload containing the provided `Workflow Input` and optionally + the current alert's context. - ### Additional Notes + 3. Sends a POST request to the Torq webhook URL. - - To enable polling for workflow results, the integration must be configured with - a **Client ID** and **Client Secret**. + 4. Polls the Torq Public API for the execution status until completion or timeout. - - The action uses a "best-effort" approach to collect alert data, ensuring that - even if some fields are missing, the workflow trigger still proceeds. + 5. Returns the execution result in the action output. capabilities: can_create_case_comments: false can_create_insight: false @@ -315,12 +319,18 @@ Run a Workflow: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Triggers the execution of a workflow in the Torq platform via a webhook POST - request. + Triggers a workflow execution in the Torq platform via a webhook POST request. fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action makes a POST request to trigger a workflow (can_mutate_external_data=true) + and polls the Torq Public API for execution status (fetches_data=true). It does + not modify internal data or entities. categories: enrichment: false + reasoning: >- + The action triggers an external workflow (mutation) and polls for status. It + does not fit the 'read-only' enrichment criteria. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -336,3 +346,7 @@ Run a Workflow: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `target_entities` or filter by entity type. + It optionally includes alert entities in the payload if 'Include Alert Payload' + is enabled, but it does not perform operations on these entities. diff --git a/content/response_integrations/third_party/partner/torq/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/torq/resources/ai/integration_ai_description.yaml index 6896a3667..ac206fcc0 100644 --- a/content/response_integrations/third_party/partner/torq/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/partner/torq/resources/ai/integration_ai_description.yaml @@ -7,6 +7,14 @@ product_categories: iam_and_identity_management: false itsm: true network_security: false + reasoning: >- + The Torq integration provides capabilities to create cases and run workflows within + the Torq platform. Creating cases aligns with the ITSM category, as it facilitates + documenting investigations and tracking tasks. Running workflows is a core orchestration + capability that often involves collaboration, such as triggering automated responses + or human-in-the-loop processes, which fits the Collaboration category. The integration + does not perform functions related to SIEM, EDR, Network Security, Threat Intelligence, + Email Security, IAM, Cloud Security, Vulnerability Management, or Asset Inventory. siem: false threat_intelligence: false vulnerability_management: false diff --git a/content/response_integrations/third_party/partner/wiz/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/wiz/resources/ai/actions_ai_description.yaml index a68507597..e0d29d21a 100644 --- a/content/response_integrations/third_party/partner/wiz/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/wiz/resources/ai/actions_ai_description.yaml @@ -1,6 +1,6 @@ Add Comment To Issue: action_product_categories: - add_alert_comment: true + add_alert_comment: false add_ioc_to_allowlist: false add_ioc_to_blocklist: false contain_host: false @@ -13,6 +13,10 @@ Add Comment To Issue: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action adds a comment to an external issue in Wiz. It does not match any + of the provided categories (e.g., it is not an alert comment, ticket update, + or IOC modification). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -26,52 +30,35 @@ Add Comment To Issue: update_alert: false update_email: false update_identity: false - update_ticket: true + update_ticket: false ai_description: >- - ### General Description + Adds a comment to a specified issue in Wiz. This action allows users to append + notes or updates to an existing issue within the Wiz platform by providing the + issue's unique identifier and the comment text. - The **Add Comment To Issue** action allows users to append a text comment or note - to a specific security issue within the Wiz platform. This action is primarily - used to document investigation progress, provide updates, or synchronize analyst - notes between Google SecOps and Wiz. - - ### Parameters Description + ### Parameters | Parameter | Type | Mandatory | Description | | :--- | :--- | :--- | :--- | - | **Issue ID** | String | Yes | The unique identifier of the issue in Wiz to which - the comment will be added. | + | Issue ID | string | Yes | The unique identifier of the issue in Wiz. | - | **Comment** | String | Yes | The text content of the comment to be added to - the issue. | + | Comment | string | Yes | The text of the comment to add to the issue. | ### Flow Description - 1. **Parameter Extraction**: The action retrieves the `Issue ID` and the `Comment` - text from the user-provided parameters. - - 2. **API Client Initialization**: It initializes the Wiz API client using the - integration's configuration (API Root, Client ID, and Client Secret). + 1. The action extracts the `Issue ID` and `Comment` parameters from the input. - 3. **Mutation Execution**: The action constructs a GraphQL mutation (`createIssueNote`) - and sends a POST request to the Wiz `/graphql` endpoint to create the comment - thread. + 2. It initializes the Wiz API client using the provided configuration. - 4. **Result Processing**: Upon a successful response, the action parses the returned - JSON to extract the details of the newly created comment (ID, timestamp, and text) - and provides a success message. + 3. It constructs a GraphQL mutation to add a note to the specified issue. + 4. It sends the mutation to the Wiz API via a POST request. - ### Additional Notes - - - This action performs a state-changing mutation in the external Wiz system. - - - If the specified `Issue ID` is invalid or not found, the action will raise an - `IssueNotFoundError`. + 5. It returns the result of the operation. capabilities: can_create_case_comments: false can_create_insight: false @@ -80,12 +67,19 @@ Add Comment To Issue: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Adds a new comment (note) to a specific issue in the Wiz platform using a GraphQL - mutation. - fetches_data: true + Adds a comment to an existing issue in the Wiz platform. + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a mutation (adding a comment) on an external system (Wiz) + via a GraphQL POST request. It does not fetch contextual data, nor does it modify + internal SecOps data, entities, or alerts. categories: enrichment: false + reasoning: >- + The action is a mutation action (adding a comment to an external issue) and + does not retrieve data or perform enrichment, therefore it is not an enrichment + action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -101,6 +95,9 @@ Add Comment To Issue: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with SecOps entities. It operates on a specific + Issue ID provided as a parameter. Get Issue Details: action_product_categories: add_alert_comment: false @@ -116,6 +113,10 @@ Get Issue Details: enrich_ioc: false execute_command_on_the_host: false get_alert_information: true + reasoning: >- + The action fetches detailed information about a specific issue from the Wiz + platform. This aligns with the 'Get Alert Information' category, which covers + fetching details of alerts or issues from 3rd party products. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -133,11 +134,9 @@ Get Issue Details: ai_description: >- ### General Description - The **Get Issue Details** action retrieves comprehensive metadata for a specific - issue identified by its unique ID in the Wiz platform. This action is designed - to provide deep context about a finding, including its current status, severity, - affected cloud resources, and associated projects, which can be used for automated - decision-making or reporting within a playbook. + The Get Issue Details action retrieves comprehensive information about a specific + issue from the Wiz platform. This action is useful for gathering context on security + findings, vulnerabilities, or misconfigurations identified by Wiz. ### Parameters Description @@ -146,33 +145,29 @@ Get Issue Details: | :--- | :--- | :--- | :--- | - | Issue ID | String | Yes | The unique identifier of the Wiz issue to retrieve. + | Issue ID | string | Yes | The unique identifier of the Wiz issue to retrieve. | ### Flow Description - 1. **Parameter Extraction**: The action retrieves the `Issue ID` provided by the - user. + 1. The action extracts the `Issue ID` parameter provided by the user. - 2. **API Initialization**: It initializes the Wiz API client using the integration's - configuration (API Root, Client ID, Client Secret). + 2. It initializes the Wiz API client using the configured integration credentials. - 3. **Data Retrieval**: A GraphQL query is constructed and sent to the Wiz `/graphql` - endpoint to fetch specific fields including `status`, `severity`, `description`, - `entitySnapshot` (cloud platform, region, etc.), and `projects`. + 3. It constructs a GraphQL query to request specific fields (e.g., status, severity, + description, entity snapshot) for the specified issue. - 4. **Result Processing**: The retrieved data is parsed into a structured format - and returned as a JSON result for use in subsequent playbook steps. + 4. The action executes the GraphQL query against the Wiz API. + 5. The retrieved issue details are returned as a JSON result, providing the analyst + with the necessary context. - ### Additional Notes - - This action is a read-only operation and does not modify any data in the Wiz - platform. + ### Additional Notes - - If the provided `Issue ID` is invalid or does not exist, the action will raise - an `IssueNotFoundError`. + This action does not modify any data in Wiz or the SOAR platform; it is a read-only + operation. capabilities: can_create_case_comments: false can_create_insight: false @@ -183,8 +178,16 @@ Get Issue Details: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a GraphQL query to retrieve issue details from the Wiz API. + It does not modify external systems or internal SOAR data, nor does it update + entities or create insights. categories: enrichment: false + reasoning: >- + The action fetches data from an external source (Wiz) but does not operate on + SOAR entities (it uses a manual ID parameter). Therefore, it does not meet the + criteria for an Enrichment action, which requires operating on entities. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -200,6 +203,9 @@ Get Issue Details: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not reference `target_entities` or use the entity object model. + It accepts a raw string parameter `Issue ID` to perform its lookup. Ignore Issue: action_product_categories: add_alert_comment: false @@ -215,6 +221,10 @@ Ignore Issue: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action updates the status of an issue in the external Wiz platform. It does + not fit the specific definitions of 'Update Alert' (which is for SecOps platform + alerts) or 'Update Ticket' (which is for ITSM). Therefore, no category is selected. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -232,58 +242,45 @@ Ignore Issue: ai_description: >- ### General Description - The **Ignore Issue** action allows security analysts to dismiss or ignore specific - security issues within the Wiz platform. This action is primarily intended for - managing Graph Control or Cloud Configuration issues that are identified as false - positives or exceptions. By executing this action, the status of the specified - issue in Wiz is updated to 'REJECTED', and the provided resolution reason and - mandatory context note are attached to the record for auditability. + Use the Ignore Issue action to ignore a specified issue in Wiz. This action updates + the status of the issue to 'REJECTED' in the Wiz platform, effectively ignoring + it based on the provided resolution reason and note. ### Parameters Description | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + | --- | --- | --- | --- | - | Issue ID | String | Yes | The unique identifier of the issue in Wiz that needs - to be ignored. | + | Issue ID | string | Yes | The unique identifier of the issue in Wiz. | - | Resolution Reason | DDL | No | The reason for ignoring the issue. Supported - values include: 'False Positive', 'Exception', and 'Won't Fix'. If not provided, - it defaults to 'False Positive'. | + | Resolution Reason | ddl | No | The reason for the resolution of the issue. Options: + False Positive, Exception, Won't Fix. | - | Resolution Note | String | Yes | A mandatory note providing additional context - or justification for why the issue is being ignored. | + | Resolution Note | string | Yes | A note that gives additional context for the + issue resolution. | - ### Flow Description + ### Additional Notes - 1. **Parameter Extraction:** The action retrieves the `Issue ID`, `Resolution - Reason`, and `Resolution Note` from the user input. + This action only works on Graph Control or Cloud Configuration issues. - 2. **Validation:** It validates the `Resolution Reason` against the allowed values - defined in the integration constants. - 3. **API Client Initialization:** The action initializes an authenticated Wiz - API client using the integration's global configuration (API Root, Client ID, - and Client Secret). + ### Flow Description - 4. **External Mutation:** The action constructs and sends a GraphQL mutation to - the Wiz API to update the issue's status to 'REJECTED' and apply the specified - resolution metadata. + 1. Extract the required parameters (Issue ID, Resolution Reason, Resolution Note) + from the action configuration. - 5. **Result Processing:** The action captures the updated issue details from the - API response, populates the JSON results, and returns a success message to the - SOAR platform. + 2. Validate the provided parameters, ensuring the Resolution Reason is one of + the allowed values. + 3. Initialize the Wiz API client using the integration configuration. - ### Additional Notes + 4. Call the `ignore_issue` method on the API client, which sends a GraphQL mutation + to update the issue status to 'REJECTED' in Wiz. - - This action only supports Graph Control or Cloud Configuration issues in Wiz. - - - While the 'Resolution Reason' is optional in the UI, the underlying logic ensures - a default value is applied if the field is left empty. + 5. Return the result of the operation. capabilities: can_create_case_comments: false can_create_insight: false @@ -292,12 +289,18 @@ Ignore Issue: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the status of a specified issue in Wiz to 'REJECTED' and sets the resolution + Updates the status of an issue in Wiz to 'REJECTED' with a specified resolution reason and note. - fetches_data: true + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a mutation on the external Wiz platform by updating an issue's + status. It does not fetch data, nor does it modify internal SecOps data or entities. categories: enrichment: false + reasoning: >- + The action is a mutation (updating an issue status) and does not fetch data, + therefore it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -313,6 +316,9 @@ Ignore Issue: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with `target_entities`. It operates on a specific + Issue ID provided as a parameter. Ping: action_product_categories: add_alert_comment: false @@ -328,6 +334,9 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test (Ping). It does not perform any of the listed + operational tasks (enrichment, containment, ticket management, etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -343,41 +352,42 @@ Ping: update_identity: false update_ticket: false ai_description: >- - ### General Description + Tests connectivity to the Wiz API. This action verifies that the provided credentials + and API root are valid by executing a test GraphQL query against the Wiz server. - The **Ping** action is a diagnostic tool used to verify the connectivity between - Google SecOps and the Wiz platform. It ensures that the provided integration parameters - (API Root, Client ID, and Client Secret) are correct and that the network path - to the Wiz API is open. + ### Flow Description - ### Parameters Description + 1. Initializes the API client using the provided configuration parameters (API + Root, Client ID, Client Secret). - There are no parameters for this action. + 2. Authenticates with the Wiz API using OAuth2 client credentials. + 3. Sends a test GraphQL query (`issues(first: 1)`) to the Wiz API to verify connectivity. - ### Flow Description + 4. Returns a success message if the connection is established, or raises an error + if the connection fails. + + + ### Parameters Description - 1. **Authentication**: The action first attempts to authenticate with the Wiz - OAuth service using the configured Client ID and Client Secret to obtain a bearer - token. + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | API Root | String | Yes | The base URL for the Wiz API. | - 2. **API Request**: Once authenticated, it executes a minimal GraphQL query (`query - { issues(first: 1) { nodes { id } } }`) against the Wiz API endpoint. + | Client ID | String | Yes | The client ID for authentication. | - 3. **Validation**: The action validates the HTTP response status and the GraphQL - response body. If the request is successful and no errors are returned, the connection - is confirmed. + | Client Secret | String | Yes | The client secret for authentication. | - 4. **Outcome**: If successful, a success message is returned; otherwise, an error - message detailing the failure (e.g., invalid credentials or connection timeout) - is provided. + | Verify SSL | Boolean | No | Whether to verify SSL certificates. | ### Additional Notes - This action is strictly for connectivity testing and does not process any entities - or modify any data within Wiz or Google SecOps. + This action is a connectivity test and does not perform any data retrieval or + mutation beyond verifying the authentication and API reachability. capabilities: can_create_case_comments: false can_create_insight: false @@ -388,8 +398,15 @@ Ping: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: null + reasoning: >- + The action performs a connectivity test by sending a GraphQL query to the Wiz + API. It does not modify external or internal data, nor does it update entities + or create insights. categories: enrichment: false + reasoning: >- + The action is a 'Ping' action. Per the instructions, 'Actions named Ping must + not be categorized as enrichment actions.' entity_usage: entity_types: [] filters_by_additional_properties: false @@ -405,6 +422,8 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on entities; it is a global connectivity test. Reopen Issue: action_product_categories: add_alert_comment: false @@ -420,6 +439,10 @@ Reopen Issue: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action updates the status of an issue in the external Wiz platform. While + Wiz is a security platform, it functions as an issue tracking system, making + 'Update Ticket' the most appropriate category for this state-changing operation. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -437,48 +460,34 @@ Reopen Issue: ai_description: >- ### General Description - The **Reopen Issue** action allows analysts to change the status of a specific - issue in Wiz back to 'OPEN'. This is typically used when a previously resolved - or ignored issue is found to be still active or requires further investigation. - The action communicates with the Wiz GraphQL API to perform a mutation on the - issue's state. + The **Reopen Issue** action updates the status of a specified issue in the Wiz + platform to 'OPEN'. This action is used to reactivate issues that were previously + resolved or ignored, allowing for further investigation or remediation. ### Parameters Description - | Parameter Name | Description | Type | Mandatory | Notes | + | Parameter | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | :--- | + | :--- | :--- | :--- | :--- | - | Issue ID | The unique identifier of the issue in Wiz to be reopened. | String - | True | This ID is required to target the specific finding in the Wiz platform. + | Issue ID | string | Yes | The unique identifier of the issue in Wiz to be reopened. | ### Flow Description - 1. **Parameter Extraction**: The action retrieves the `Issue ID` from the input - parameters. - - 2. **API Initialization**: It initializes the Wiz API client using the provided - integration credentials (API Root, Client ID, Client Secret). + 1. **Parameter Extraction**: The action extracts the `Issue ID` from the provided + input parameters. - 3. **Mutation Construction**: The action builds a GraphQL mutation payload specifically - designed to update the `status` field of the issue to `OPEN`. + 2. **API Client Initialization**: The action initializes the Wiz API client using + the configured credentials. - 4. **Execution**: The mutation is sent to the Wiz `/graphql` endpoint. + 3. **Mutation Execution**: The action sends a GraphQL mutation to the Wiz API + to update the status of the specified issue to 'OPEN'. - 5. **Result Processing**: Upon success, the action retrieves the updated issue - object from the response and provides it as a JSON result, confirming the status - change in the output message. - - - ### Additional Notes - - - This action performs a state change in the external Wiz environment. - - - If the provided `Issue ID` does not exist, the action will return an error indicating - the issue was not found. + 4. **Result Handling**: The action returns the updated issue details and provides + a success message confirming the issue has been reopened. capabilities: can_create_case_comments: false can_create_insight: false @@ -487,11 +496,19 @@ Reopen Issue: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the status of a specific issue in the Wiz platform to 'OPEN'. - fetches_data: true + Updates the status of an issue in the Wiz platform to 'OPEN'. + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a mutation (GraphQL update) on an external system (Wiz) + to change the status of an issue. It does not fetch data for enrichment purposes, + nor does it modify internal SecOps data or entities. categories: enrichment: false + reasoning: >- + The action is a mutation (state change) on an external system and does not perform + any data retrieval for enrichment or analysis. Therefore, it does not qualify + as an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -507,6 +524,10 @@ Reopen Issue: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not operate on SecOps entities (e.g., IP, Host). It takes an + 'Issue ID' as a direct input parameter to perform the operation on the external + Wiz platform. Resolve Issue: action_product_categories: add_alert_comment: false @@ -522,6 +543,10 @@ Resolve Issue: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action performs a mutation to resolve an issue in the Wiz platform. It does + not match any of the provided categories (e.g., it is not an enrichment, ticket + creation, or alert update within SecOps). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -535,53 +560,50 @@ Resolve Issue: update_alert: false update_email: false update_identity: false - update_ticket: true + update_ticket: false ai_description: >- - Resolves a specified issue in Wiz. This action is specifically designed to work - with Threat Detection issues by updating their status to 'RESOLVED' in the Wiz - platform. It allows analysts to provide a resolution reason and an optional note - to document the closure of the finding. + ### General Description + The Resolve Issue action updates the status of a specified issue in the Wiz platform + to 'RESOLVED'. This action is used to manage threat detection issues by providing + a resolution reason and an optional note, allowing analysts to track and close + out security findings directly from the SOAR platform. - ### Flow Description - 1. **Parameter Extraction:** The action retrieves the mandatory `Issue ID` and - optional `Resolution Reason` and `Resolution Note` from the input parameters. + ### Parameters Description - 2. **Validation:** It validates that the provided `Resolution Reason` matches - one of the predefined allowed values in Wiz. + | Parameter | Type | Mandatory | Description | - 3. **API Interaction:** The action constructs a GraphQL mutation to update the - issue's status to 'RESOLVED' and includes the resolution metadata. + | --- | --- | --- | --- | - 4. **Result Processing:** Upon a successful API call, the action returns the updated - issue object as a JSON result and provides a success message. + | Issue ID | string | Yes | The unique identifier of the issue in Wiz. | + | Resolution Reason | ddl | No | The reason for the resolution of the issue. Defaults + to 'Not Malicious Threat'. | - ### Parameters Description + | Resolution Note | string | No | A note that gives additional context about the + resolution. | - | Parameter Name | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + ### Additional Notes - | Issue ID | string | Yes | The unique identifier of the issue in Wiz that needs - to be resolved. | + This action is a mutation action and does not fetch data. It requires an `Issue + ID` to identify the target issue in Wiz. The `Resolution Reason` must be one of + the predefined values: 'Malicious Threat', 'Not Malicious Threat', 'Security Test + Threat', 'Planned Action Threat', or 'Inconclusive Threat'. - | Resolution Reason | ddl | No | The reason for the resolution. Expected values - include: 'Malicious Threat', 'Not Malicious Threat', 'Security Test Threat', 'Planned - Action Threat', or 'Inconclusive Threat'. Defaults to 'Not Malicious Threat'. - | - | Resolution Note | string | No | An optional note providing additional context - or details regarding the resolution of the issue. | + ### Flow Description + 1. Extract the `Issue ID`, `Resolution Reason`, and `Resolution Note` from the + action parameters. - ### Additional Notes + 2. Initialize the Wiz API client using the provided integration configuration. - - This action only supports resolving issues categorized as 'Threat Detection' - in Wiz. + 3. Execute a GraphQL mutation to update the issue status to 'RESOLVED' in Wiz, + including the provided reason and note. - - If the specified `Issue ID` is not found, the action will return an error. + 4. Return the result of the mutation and output a success message. capabilities: can_create_case_comments: false can_create_insight: false @@ -590,12 +612,17 @@ Resolve Issue: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Updates the status of a specific issue in Wiz to 'RESOLVED' and attaches a resolution - reason and note. - fetches_data: true + Updates the status of an issue in Wiz to 'RESOLVED' via a GraphQL mutation. + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a GraphQL mutation to resolve an issue in Wiz. It does not + fetch data, nor does it modify internal SOAR data or entities. categories: enrichment: false + reasoning: >- + The action is a mutation action that updates the state of an issue in an external + system (Wiz). It does not fetch data, so it is not an enrichment action. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -611,3 +638,6 @@ Resolve Issue: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not iterate over `target_entities`. It uses an `Issue ID` provided + as a parameter to resolve an issue in Wiz. diff --git a/content/response_integrations/third_party/partner/wiz/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/wiz/resources/ai/integration_ai_description.yaml index 15ef5e595..baa2a2a9b 100644 --- a/content/response_integrations/third_party/partner/wiz/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/partner/wiz/resources/ai/integration_ai_description.yaml @@ -7,6 +7,17 @@ product_categories: iam_and_identity_management: false itsm: false network_security: false + reasoning: >- + The Wiz integration is a Cloud Security platform (CNAPP) that provides visibility + into cloud environments. It qualifies for the 'Cloud Security' category as it + manages cloud-native resources, findings, and configurations. It qualifies for + 'Vulnerability Management' because it identifies and tracks vulnerabilities and + misconfigurations across cloud assets. It qualifies for 'Asset Inventory' as it + provides detailed information about cloud assets, including ownership and criticality. + It does not qualify for 'ITSM' as the 'Issues' managed are security findings rather + than general IT tickets, nor does it fit 'SIEM', 'EDR', 'Network Security', 'Threat + Intelligence', 'Email Security', 'IAM', or 'Collaboration' categories based on + the provided actions. siem: false threat_intelligence: false vulnerability_management: true diff --git a/content/response_integrations/third_party/partner/xm_cyber/resources/ai/actions_ai_description.yaml b/content/response_integrations/third_party/partner/xm_cyber/resources/ai/actions_ai_description.yaml index 28c698835..13e5d5a91 100644 --- a/content/response_integrations/third_party/partner/xm_cyber/resources/ai/actions_ai_description.yaml +++ b/content/response_integrations/third_party/partner/xm_cyber/resources/ai/actions_ai_description.yaml @@ -13,6 +13,10 @@ Calculate Risk Score: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action performs internal calculations to generate a risk score. It does + not match any of the defined product categories (e.g., it does not enrich IOCs/assets + with external data, update alerts, or perform containment). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -27,40 +31,66 @@ Calculate Risk Score: update_email: false update_identity: false update_ticket: false - ai_description: "Calculates a comprehensive risk score for alerts by processing\ - \ XM Cyber metadata attached to events and entities. This action allows security\ - \ teams to define weights for specific risk factors\u2014such as the absence of\ - \ MFA, administrative privileges, or critical asset status\u2014to generate a\ - \ normalized risk score (0-100). The resulting JSON object can be used in subsequent\ - \ playbook steps for conditional branching and alert prioritization.\n\n### Flow\ - \ Description\n1. **Parameter Extraction**: Retrieves user-defined weights for\ - \ various risk components (e.g., AD Risk, MFA status) from the action parameters.\n\ - 2. **Event Processing**: Iterates through the alert's security events to identify\ - \ XM Cyber labels and calculates individual risk scores for each asset or user\ - \ mentioned in the events.\n3. **Entity Processing**: Scans target entities (Users\ - \ and Hostnames) for enriched XM Cyber metadata and calculates risk scores based\ - \ on their specific attributes.\n4. **Aggregation**: Consolidates all individual\ - \ scores by selecting the maximum values for risk, impact, and probability components.\n\ - 5. **Label Consolidation**: Aggregates all unique labels found across events and\ - \ entities into a single comma-separated string.\n6. **Output Generation**: Returns\ - \ a structured JSON object containing the final calculated risk score and supporting\ - \ metadata for use in the playbook environment.\n\n### Parameters Description\n\ - | Parameter | Type | Mandatory | Description |\n| :--- | :--- | :--- | :--- |\n\ - | AD Risk to Domain | DDL | Yes | Selects the weight for Active Directory risk\ - \ to domain values in the calculation. |\n| AD Risky Principals | DDL | Yes |\ - \ Selects the weight for AD risky principals in the calculation. |\n| AD Admins\ - \ And DCs | DDL | Yes | Selects the weight for AD administrators and Domain Controllers.\ - \ |\n| User without MFA | DDL | Yes | Selects the weight for users identified\ - \ as not having Multi-Factor Authentication. |\n| Is Critical Asset | DDL | Yes\ - \ | Selects the weight for entities marked as critical assets. |\n| Predefined\ - \ Admin | DDL | Yes | Selects the weight for predefined administrative accounts.\ - \ |\n| Highly Privileged | DDL | Yes | Selects the weight for highly privileged\ - \ accounts or assets. |\n| Compromise Risk Score | DDL | Yes | Selects the multiplier\ - \ level for the compromise risk score component. |\n| Choke Point Score | DDL\ - \ | Yes | Selects the multiplier level for the choke point score component. |\n\ - \n### Additional Notes\n- This action does not perform external API calls; it\ - \ relies on data already present in the alert (e.g., from previous enrichment\ - \ steps).\n- The final risk score is capped at 100." + ai_description: >- + ### General Description + + The 'Calculate Risk Score' action computes a risk score for entities and alerts + based on a set of configurable parameters and existing event or entity properties. + It aggregates risk factors such as critical asset status, administrative privileges, + and MFA usage to provide a normalized risk score, which can be used by playbooks + for alert prioritization and filtering. + + + ### Flow Description + + 1. **Parameter Collection**: The action extracts configuration parameters (e.g., + risk weights for AD roles, MFA status, and critical assets) from the action settings. + + 2. **Data Retrieval**: It accesses the current alert's security events and target + entities (specifically USER and HOSTNAME types). + + 3. **Risk Calculation**: For each event and entity, it calculates a risk score + using predefined mappings and the provided configuration parameters. + + 4. **Aggregation**: It aggregates the calculated scores and properties into a + structured JSON object. + + 5. **Result Output**: The final JSON object is added to the action results for + use by subsequent playbook steps. + + + ### Parameters Description + + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | + + | AD Risk to Domain | ddl | Yes | Select the AD Risk to Domain values to be used + in the XMCyber Risk Score Calculations. | + + | AD Risky Principals | ddl | Yes | Select the AD Risky Principals values to be + used in the XMCyber Risk Score Calculations. | + + | AD Admins And DCs | ddl | Yes | Select the AD Admins And DCs values to be used + in the XMCyber Risk Score Calculations. | + + | User without MFA | ddl | Yes | Select the User without MFA values to be used + in the XMCyber Risk Score Calculations. | + + | Is Critical Asset | ddl | Yes | Select the Is Critical Asset values to be used + in the XMCyber Risk Score Calculations. | + + | Predefined Admin | ddl | Yes | Select the Predefined Admin values to be used + in the XMCyber Risk Score Calculations. | + + | Highly Privileged | ddl | Yes | Select the Highly Privileged values to be used + in the XMCyber Risk Score Calculations. | + + | Compromise Risk Score | ddl | Yes | Select Compromise Risk Score value to be + used for the XMCyber Risk Score Calculations. | + + | Choke Point Score | ddl | Yes | Select Choke Point Score value to be used for + the XMCyber Risk Score Calculations. | capabilities: can_create_case_comments: false can_create_insight: false @@ -71,8 +101,18 @@ Calculate Risk Score: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs internal calculations on existing alert and entity data + retrieved from the SOAR platform. It does not make external API calls (fetches_data=false), + does not modify external systems (can_mutate_external_data=false), and does + not modify internal SOAR data (can_mutate_internal_data=false). It simply generates + a result JSON object. categories: enrichment: false + reasoning: >- + The action does not fetch data from an external source, which is a requirement + for enrichment actions. It is a utility action for calculating risk scores based + on internal data. entity_usage: entity_types: - HOSTNAME @@ -90,6 +130,10 @@ Calculate Risk Score: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over `siemplify.target_entities` and filters them based + on `SUPPORTED_ENTITY_TYPES` (USER and HOSTNAME). It also accesses `entity.additional_properties` + to perform the risk calculation. Enrich Entities: action_product_categories: add_alert_comment: false @@ -105,6 +149,11 @@ Enrich Entities: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action retrieves contextual metadata (labels, risk scores, etc.) for assets + and users from XM Cyber and updates the entity profile in SecOps. This matches + the 'Enrich Asset' category. It does not match 'Enrich IOC' as it targets assets/users, + not indicators like IPs or Hashes. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -120,43 +169,39 @@ Enrich Entities: update_identity: false update_ticket: false ai_description: >- - Enriches Hostname and User entities using data from the XM Cyber platform. This - action retrieves detailed metadata, including risk scores, labels, and administrative - status, to provide better context for security analysts within Google SecOps. - - - ### Flow Description - - 1. **Entity Identification**: Identifies all `HOSTNAME` and `USER` entities within - the current alert scope. - - 2. **Filtering**: Filters out entities that have already been enriched within - the last 24 hours (based on the `XMC_last_enriched` property) or are already present - in the security event data to avoid redundant API calls. + ### General Description - 3. **Data Retrieval**: Queries the XM Cyber API for enrichment data associated - with the remaining entities. + This action enriches `HOSTNAME` and `USER` entities by retrieving contextual metadata + from the XM Cyber platform. It enhances the entity profile within Google SecOps + by adding relevant security attributes, such as risk scores and labels, which + helps analysts better understand the threat landscape associated with specific + assets and users. - 4. **Entity Update**: Maps the retrieved XM Cyber attributes (e.g., Choke Point - Score, Critical Asset status, AD Risk) to the entity's additional properties with - an `XMC_` prefix and marks the entity as enriched. + ### Parameters - ### Parameters Description + There are no explicit parameters defined for this action. It utilizes integration-level + configuration settings (Base URL, API Key, Authentication Type) to establish a + connection with the XM Cyber platform. - | Parameter Name | Type | Mandatory | Description | - | :--- | :--- | :--- | :--- | + ### Flow Description - | None | N/A | N/A | This action does not require any input parameters. | + 1. **Initialization**: The action retrieves integration parameters and initializes + the API manager. + 2. **Filtering**: It filters the target entities from the alert, keeping only + `HOSTNAME` and `USER` types. It further refines this list by excluding entities + that have already been enriched within the last 24 hours. - ### Additional Notes + 3. **Enrichment**: The action queries the XM Cyber API to fetch enrichment data + for the remaining entities. - - The action relies on the `XMC_last_enriched` property to manage enrichment frequency - and optimize performance. + 4. **Update**: It processes the API response, updates the `additional_properties` + of the entities with the retrieved data, and marks them as enriched. - - Only entities of type `HOSTNAME` and `USER` are supported for enrichment. + 5. **Finalization**: The action updates the entities in the Google SecOps platform + and provides a summary of the processed entities. capabilities: can_create_case_comments: false can_create_insight: false @@ -167,10 +212,18 @@ Enrich Entities: external_data_mutation_explanation: null fetches_data: true internal_data_mutation_explanation: >- - Updates entity additional properties with enrichment data from XM Cyber and - sets the 'is_enriched' flag to true. + Updates entity additional properties and enrichment status within Google SecOps. + reasoning: >- + The action fetches data from an external API (XM Cyber) to enrich entities. + It updates the entity's `additional_properties` and `is_enriched` status within + the SecOps platform using `siemplify.update_entities`. It does not mutate external + data or create insights/comments. categories: enrichment: true + reasoning: >- + The action fetches data (enrichment) and updates internal entity properties. + It does not mutate external systems, create insights, or add comments. It fits + the definition of an Enrichment Action. entity_usage: entity_types: - HOSTNAME @@ -180,14 +233,18 @@ Enrich Entities: filters_by_case_identifier: false filters_by_creation_time: false filters_by_entity_type: true - filters_by_identifier: true + filters_by_identifier: false filters_by_is_artifact: false - filters_by_is_enriched: false + filters_by_is_enriched: true filters_by_is_internal: false filters_by_is_pivot: false filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code filters `siemplify.target_entities` by `SUPPORTED_ENTITY_TYPES` (`USER`, + `HOSTNAME`). It also checks `additional_properties` for existing enrichment + data and updates the entity's `is_enriched` status. Get Event Data JSON: action_product_categories: add_alert_comment: false @@ -203,6 +260,11 @@ Get Event Data JSON: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a utility that formats existing data into a JSON result. It does + not fetch new information from an external product, nor does it perform any + enrichment, containment, or ticketing operations. It does not match any of the + defined product categories. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -218,54 +280,30 @@ Get Event Data JSON: update_identity: false update_ticket: false ai_description: >- - ### General Description - - This action extracts and aggregates XM Cyber enrichment data from security events - and entities associated with the current Google SecOps alert. It is designed to - provide a consolidated JSON object containing threat intelligence and asset context - (such as risk scores and attack techniques) that has been previously attached - to the alert context. This is primarily a utility action used to format and retrieve - data for downstream playbook logic or reporting. + This action aggregates entity details (users and hostnames) from the current alert's + security events and existing enriched entities. It formats this information into + a structured JSON object, including direct links to the XM Cyber entity overview + page. ### Flow Description - 1. **Data Retrieval**: The action fetches all security events from the current - alert and the list of target entities in the scope. - - 2. **Event Processing**: It iterates through security events, looking for specific - XM Cyber identifiers (Asset Product Object ID or User Product Object ID) within - the event's additional properties. + 1. Retrieve security events and target entities from the current alert. - 3. **Entity Processing**: It filters target entities to include only Hostnames - and Users. It then checks for the presence of XM Cyber enrichment markers in their - metadata. + 2. Extract entity IDs and XM Cyber-specific attributes from event properties. - 4. **Data Extraction**: For each identified XM Cyber entity, it extracts a predefined - set of parameters, including Choke Point Scores, Compromise Risk Scores, Critical - Asset status, and associated attack techniques. + 3. Filter target entities based on supported types (USER, HOSTNAME) and XM Cyber + identifiers. - 5. **URL Generation**: It constructs a direct deep link to the entity's overview - page within the XM Cyber web console using the configured Base URL. + 4. Compile the extracted data into a mapping of entity IDs to their properties, + appending a URL to the XM Cyber instance for each. - 6. **Output**: The aggregated data is returned as a single JSON object mapping - entity identifiers to their respective XM Cyber attributes. + 5. Output the final JSON object to the action results. - ### Parameters Description + ### Parameters - | Parameter Name | Type | Mandatory | Description | - - | :--- | :--- | :--- | :--- | - - | None | N/A | N/A | This action does not require any input parameters. | - - - ### Additional Notes - - * This action does not perform live API calls to XM Cyber to fetch new data; it - relies on data already present in the alert's security events or entity additional - properties (typically populated by a previous enrichment action or connector). + There are no input parameters for this action. capabilities: can_create_case_comments: false can_create_insight: false @@ -276,12 +314,21 @@ Get Event Data JSON: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action processes existing data from the alert and entities to format a JSON + result. It does not perform any external API calls (fetches_data=false), does + not mutate external systems, and does not modify internal case data (entities, + insights, or comments). categories: enrichment: false + reasoning: >- + The action does not fetch data from an external source (it processes existing + alert/entity data) and does not perform any mutations. Therefore, it does not + meet the criteria for an Enrichment action. entity_usage: entity_types: - - HOSTNAME - USERUNIQNAME + - HOSTNAME filters_by_additional_properties: true filters_by_alert_identifier: false filters_by_case_identifier: false @@ -295,6 +342,10 @@ Get Event Data JSON: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action iterates over `siemplify.target_entities` and filters them based + on their `entity_type` (USERUNIQNAME, HOSTNAME) and the presence of specific + XM Cyber identifiers in their `additional_properties`. Ping: action_product_categories: add_alert_comment: false @@ -310,6 +361,9 @@ Ping: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action is a connectivity test (Ping) and does not perform any of the listed + operational tasks (enrichment, containment, ticket management, etc.). remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -325,40 +379,17 @@ Ping: update_identity: false update_ticket: false ai_description: >- - ### General Description - - Tests the connectivity and authentication credentials for the XM Cyber integration. - This action ensures that the Google SecOps platform can successfully communicate - with the XM Cyber instance using the provided Base URL and API Key or Access Token. - - - ### Parameters Description - - There are no parameters for this action. - - - ### Flow Description - - 1. **Retrieve Configuration:** Fetches the integration's global configuration - parameters, including the authentication type (Access Token Based or API Key), - Base URL, and API Key. - - 2. **Initialize API Manager:** Sets up the communication session. If OAuth is - selected, it initializes the token management flow. If API Key is selected, it - prepares the request headers. - - 3. **Validate Connection:** Performs a test request to the XM Cyber authentication - endpoint (`/api/auth/`) to verify that the credentials are valid and the server - is reachable. - - 4. **Report Status:** Returns a success message if the connection is established - or a failure message with error details if the connection fails. - - - ### Additional Notes - - This action is primarily used for troubleshooting and verifying the initial setup - of the XM Cyber integration. + Tests the connectivity and configuration of the XM Cyber integration. This action + verifies that the provided credentials and base URL are valid by attempting to + authenticate with the XM Cyber API. Flow: 1. Extracts integration parameters (Base + URL, API Key, Auth Type) from the configuration. 2. Initializes the ApiManager + with the provided credentials. 3. Performs a connectivity test by sending a request + to the XM Cyber API (specifically the /api/auth/ endpoint). 4. Returns a success + or failure status based on the API response. Parameters: Access Token Based Authentication + (Boolean, Mandatory): Determines whether to use OAuth or API Key authentication. + Base URL (String, Mandatory): The base URL of the XM Cyber instance. API Key (String, + Mandatory): The API key used for authentication. Additional Notes: This action + is a connectivity test and does not perform any data enrichment or system modifications. capabilities: can_create_case_comments: false can_create_insight: false @@ -367,10 +398,17 @@ Ping: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: null - fetches_data: true + fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a simple connectivity check (Ping) to verify that the provided + credentials and URL are valid. It does not fetch data, mutate external systems, + or modify internal SOAR data. categories: enrichment: false + reasoning: >- + The action is named Ping and is used for connectivity testing. Per the instructions, + Ping actions must not be categorized as enrichment actions. entity_usage: entity_types: [] filters_by_additional_properties: false @@ -386,6 +424,8 @@ Ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The action does not interact with any entities. Push Breach Point Data: action_product_categories: add_alert_comment: false @@ -401,6 +441,13 @@ Push Breach Point Data: enrich_ioc: false execute_command_on_the_host: false get_alert_information: false + reasoning: >- + The action pushes breach point labels to entities in the XM Cyber platform based + on criteria. It does not fetch data, nor does it perform standard containment + or ticketing actions. It modifies metadata in an external system, but does not + fit the specific definitions of the provided categories (e.g., it's not updating + an identity's password or permissions, nor is it a standard ticket update). + Therefore, all categories are false. remove_ioc_from_allowlist: false remove_ioc_from_blocklist: false reset_identity_password: false @@ -413,52 +460,55 @@ Push Breach Point Data: uncontain_host: false update_alert: false update_email: false - update_identity: true + update_identity: false update_ticket: false ai_description: >- - ### General Description + Pushes breach point labels to entities in XM Cyber based on defined criteria. + This action allows analysts to identify specific entities (users or assets) that + meet certain criteria and apply a custom label to them within the XM Cyber platform. - This action pushes a specific attribute (label) to entities in the XM Cyber platform. - It allows users to define criteria based on entity or event properties. If an - entity matches the criteria, the specified attribute is applied to that entity - in XM Cyber. This is typically used to mark 'Breach Points' or other security-relevant - classifications discovered during investigation. + ### Flow - ### Parameters Description + 1. Authenticate with the XM Cyber platform using the configured credentials. - | Parameter | Type | Mandatory | Description | + 2. Extract action parameters: `Attribute Name`, `Parameter`, `Operator`, and `Value`. - | :--- | :--- | :--- | :--- | + 3. Validate the provided input parameters. - | Attribute Name | string | Yes | The name of the attribute/label to be pushed - to XM Cyber (e.g., 'Google_SecOps_BP'). | + 4. Iterate through the current alert's security events and target entities. - | Parameter | ddl | Yes | The entity or event property to evaluate (e.g., 'Compromised - Risk Score', 'Is Critical Asset', 'All'). | + 5. Filter entities based on the provided criteria (e.g., checking if a specific + property matches a value). - | Operator | ddl | Yes | The comparison operator used to match the value (e.g., - 'Equals', 'Greater than', 'Contains'). | + 6. Push the breach point label to the matching entities in XM Cyber via an API + request. - | Value | string | Yes | The value to compare against the selected parameter. - | + ### Parameters - ### Flow Description + | Parameter | Type | Mandatory | Description | + + | :--- | :--- | :--- | :--- | - 1. **Authentication**: Connects to XM Cyber using either API Key or OAuth credentials. + | Attribute Name | string | Yes | The name of the attribute/label to be pushed + to entities in XM Cyber. | + + | Parameter | ddl | Yes | The entity property to check against the criteria. | - 2. **Parameter Extraction**: Retrieves the attribute name, criteria parameter, - operator, and target value. + | Operator | ddl | Yes | The operator used for matching the values (e.g., Equals, + Contains). | - 3. **Entity Identification**: Scans both the target entities (Users and Hostnames) - and the security events associated with the alert. + | Value | string | Yes | The custom value to compare against the entity parameter + value. | - 4. **Criteria Evaluation**: For each entity, it checks if the specified property - (from `additional_properties`) matches the user-defined criteria. - 5. **Data Submission**: For all matching entities, it sends a POST request to - the XM Cyber API to apply the label with a value of `true`. + ### Additional Notes + + - The action supports filtering entities based on `USER` and `HOSTNAME` types. + + - If the `Parameter` is set to 'All', the criteria check is bypassed, and data + is pushed for all supported entities. capabilities: can_create_case_comments: false can_create_insight: false @@ -467,22 +517,28 @@ Push Breach Point Data: can_mutate_internal_data: false can_update_entities: false external_data_mutation_explanation: >- - Applies labels/attributes to entities in the XM Cyber inventory via a POST request - to the /api/entityInventory/applyImportedLabelsOnEntities endpoint. + Pushes breach point labels to entities in the XM Cyber platform. fetches_data: false internal_data_mutation_explanation: null + reasoning: >- + The action performs a POST request to the XM Cyber API to push breach point + labels to entities. It does not fetch data from the external system for enrichment, + nor does it modify internal SOAR case data (entities, insights, etc.). categories: enrichment: false + reasoning: >- + The action is a mutation action that pushes data to an external system, not + an enrichment action that retrieves data. entity_usage: entity_types: - HOSTNAME - USERUNIQNAME - filters_by_additional_properties: true + filters_by_additional_properties: false filters_by_alert_identifier: false filters_by_case_identifier: false filters_by_creation_time: false filters_by_entity_type: true - filters_by_identifier: true + filters_by_identifier: false filters_by_is_artifact: false filters_by_is_enriched: false filters_by_is_internal: false @@ -490,3 +546,7 @@ Push Breach Point Data: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: >- + The code iterates over `siemplify.target_entities` and filters by `SUPPORTED_ENTITY_TYPES` + which includes `USER` and `HOSTNAME`. This means it targets `USERUNIQNAME` and + `HOSTNAME` entities, filtering by entity_type. diff --git a/content/response_integrations/third_party/partner/xm_cyber/resources/ai/integration_ai_description.yaml b/content/response_integrations/third_party/partner/xm_cyber/resources/ai/integration_ai_description.yaml index f1d4ad08f..08e3c9acd 100644 --- a/content/response_integrations/third_party/partner/xm_cyber/resources/ai/integration_ai_description.yaml +++ b/content/response_integrations/third_party/partner/xm_cyber/resources/ai/integration_ai_description.yaml @@ -4,9 +4,18 @@ product_categories: collaboration: false edr: false email_security: false - iam_and_identity_management: true + iam_and_identity_management: false itsm: false network_security: false + reasoning: >- + The XM Cyber integration provides capabilities to enrich HOSTNAME and USER entities + with risk scores, criticality, and breach point data from the XM Cyber Continuous + Exposure Management platform. This aligns with Asset Inventory as it provides + critical context (risk, criticality) about internal assets. It also aligns with + Vulnerability Management because XM Cyber's core function is to identify attack + paths, breach points, and exposure, which is a critical component of modern vulnerability + management and risk-based prioritization. It does not perform SIEM log ingestion, + EDR host containment, network blocking, or IAM management. siem: false - threat_intelligence: true + threat_intelligence: false vulnerability_management: true From b64b1ad3f24c2376e1a00486d9e0ae71dd5c3f6a Mon Sep 17 00:00:00 2001 From: talshapir Date: Sun, 12 Apr 2026 18:11:40 +0300 Subject: [PATCH 25/26] update mp to filter reasoning key out and adjust tests and deconstruct to new fields --- .../restructure/integrations/deconstruct.py | 12 ++++---- .../integrations/action/metadata.py | 8 ++--- .../integrations/integration_meta/metadata.py | 4 +-- .../resources/ai/actions_ai_description.yaml | 30 +++++++++++++++++++ .../ai/integration_ai_description.yaml | 1 + .../resources/ai/actions_ai_description.yaml | 30 +++++++++++++++++++ .../ai/integration_ai_description.yaml | 1 + .../resources/ai/actions_ai_description.yaml | 30 +++++++++++++++++++ .../ai/integration_ai_description.yaml | 1 + .../test_describe_integration.py | 1 + 10 files changed, 105 insertions(+), 13 deletions(-) diff --git a/packages/mp/src/mp/build_project/restructure/integrations/deconstruct.py b/packages/mp/src/mp/build_project/restructure/integrations/deconstruct.py index e0125f5d2..297f86d72 100644 --- a/packages/mp/src/mp/build_project/restructure/integrations/deconstruct.py +++ b/packages/mp/src/mp/build_project/restructure/integrations/deconstruct.py @@ -187,16 +187,14 @@ def _create_ai_description_file(self, resources_dir: Path) -> None: ai_file: Path = ai_dir / file_name mp.core.file_utils.write_yaml_to_file(content, ai_file) - categories_dict: dict[str, bool] = { - category: ( - PRODUCT_CATEGORY_TO_DEF_PRODUCT_CATEGORY[category] - in self.integration.metadata.product_categories - ) - for category in PRODUCT_CATEGORY_TO_DEF_PRODUCT_CATEGORY + categories_dict: dict[str, bool | str] = { + category: value in self.integration.metadata.product_categories + for category, value in PRODUCT_CATEGORY_TO_DEF_PRODUCT_CATEGORY.items() } + categories_dict["reasoning"] = "" ai_meta = IntegrationAiMetadata( - product_categories=IntegrationProductCategories(**categories_dict) + product_categories=IntegrationProductCategories.model_validate(categories_dict) ) ai_file: Path = ai_dir / mp.core.constants.INTEGRATIONS_AI_DESCRIPTION_FILE diff --git a/packages/mp/src/mp/core/data_models/integrations/action/metadata.py b/packages/mp/src/mp/core/data_models/integrations/action/metadata.py index 1f38130f6..f4a10dcc6 100644 --- a/packages/mp/src/mp/core/data_models/integrations/action/metadata.py +++ b/packages/mp/src/mp/core/data_models/integrations/action/metadata.py @@ -416,8 +416,8 @@ def _get_ai_fields(action_name: str, integration_path: Path) -> AiFields: ai_categories=( [ AI_CATEGORY_TO_DEF_AI_CATEGORY[category] - for category, is_true in ai_meta.categories.model_dump().items() - if is_true + for category, val in ai_meta.categories.model_dump().items() + if category != "reasoning" and val is True ] if ai_meta.categories else [] @@ -426,8 +426,8 @@ def _get_ai_fields(action_name: str, integration_path: Path) -> AiFields: action_product_categories=( [ PRODUCT_CATEGORY_TO_DEF_PRODUCT_CATEGORY[category] - for category, is_true in ai_meta.action_product_categories.model_dump().items() - if is_true + for category, val in ai_meta.action_product_categories.model_dump().items() + if category != "reasoning" and val is True ] if ai_meta.action_product_categories else [] diff --git a/packages/mp/src/mp/core/data_models/integrations/integration_meta/metadata.py b/packages/mp/src/mp/core/data_models/integrations/integration_meta/metadata.py index f930bd066..c1afb8100 100644 --- a/packages/mp/src/mp/core/data_models/integrations/integration_meta/metadata.py +++ b/packages/mp/src/mp/core/data_models/integrations/integration_meta/metadata.py @@ -437,8 +437,8 @@ def _get_ai_fields(integration_path: Path) -> AiFields: return AiFields( product_categories=[ PRODUCT_CATEGORY_TO_DEF_PRODUCT_CATEGORY[category] - for category, is_true in ai_meta.product_categories.model_dump().items() - if is_true + for category, val in ai_meta.product_categories.model_dump().items() + if category != "reasoning" and val is True ], ) diff --git a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/resources/ai/actions_ai_description.yaml b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/resources/ai/actions_ai_description.yaml index c19d27b9c..f61de5141 100644 --- a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/resources/ai/actions_ai_description.yaml +++ b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/resources/ai/actions_ai_description.yaml @@ -10,8 +10,10 @@ ping: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: Some reason categories: enrichment: false + reasoning: Some reason entity_usage: entity_types: [ ] filters_by_additional_properties: false @@ -27,5 +29,33 @@ ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: Some reason action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: Some reason + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/resources/ai/integration_ai_description.yaml b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/resources/ai/integration_ai_description.yaml index a67fd6077..5a6a3c0de 100644 --- a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/resources/ai/integration_ai_description.yaml +++ b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/google/mock_integration/resources/ai/integration_ai_description.yaml @@ -7,6 +7,7 @@ product_categories: iam_and_identity_management: false itsm: false network_security: true + reasoning: Some reason siem: true threat_intelligence: false vulnerability_management: false diff --git a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/resources/ai/actions_ai_description.yaml b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/resources/ai/actions_ai_description.yaml index c19d27b9c..f61de5141 100644 --- a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/resources/ai/actions_ai_description.yaml +++ b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/resources/ai/actions_ai_description.yaml @@ -10,8 +10,10 @@ ping: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: Some reason categories: enrichment: false + reasoning: Some reason entity_usage: entity_types: [ ] filters_by_additional_properties: false @@ -27,5 +29,33 @@ ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: Some reason action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: Some reason + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/resources/ai/integration_ai_description.yaml b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/resources/ai/integration_ai_description.yaml index a67fd6077..5a6a3c0de 100644 --- a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/resources/ai/integration_ai_description.yaml +++ b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/mock_built_integration/mock_integration/resources/ai/integration_ai_description.yaml @@ -7,6 +7,7 @@ product_categories: iam_and_identity_management: false itsm: false network_security: true + reasoning: Some reason siem: true threat_intelligence: false vulnerability_management: false diff --git a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/third_party/mock_integration/resources/ai/actions_ai_description.yaml b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/third_party/mock_integration/resources/ai/actions_ai_description.yaml index c19d27b9c..f61de5141 100644 --- a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/third_party/mock_integration/resources/ai/actions_ai_description.yaml +++ b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/third_party/mock_integration/resources/ai/actions_ai_description.yaml @@ -10,8 +10,10 @@ ping: external_data_mutation_explanation: null fetches_data: false internal_data_mutation_explanation: null + reasoning: Some reason categories: enrichment: false + reasoning: Some reason entity_usage: entity_types: [ ] filters_by_additional_properties: false @@ -27,5 +29,33 @@ ping: filters_by_is_suspicious: false filters_by_is_vulnerable: false filters_by_modification_time: false + reasoning: Some reason action_product_categories: + add_alert_comment: false + add_ioc_to_allowlist: false + add_ioc_to_blocklist: false + contain_host: false + create_ticket: false + delete_email: false + disable_identity: false + download_file: false + enable_identity: false + enrich_asset: false enrich_ioc: true + execute_command_on_the_host: false + get_alert_information: false + reasoning: Some reason + remove_ioc_from_allowlist: false + remove_ioc_from_blocklist: false + reset_identity_password: false + search_asset: false + search_email: false + search_events: false + send_email: false + send_message: false + submit_file: false + uncontain_host: false + update_alert: false + update_email: false + update_identity: false + update_ticket: false diff --git a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/third_party/mock_integration/resources/ai/integration_ai_description.yaml b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/third_party/mock_integration/resources/ai/integration_ai_description.yaml index a67fd6077..5a6a3c0de 100644 --- a/packages/mp/tests/test_mp/mock_content_hub/response_integrations/third_party/mock_integration/resources/ai/integration_ai_description.yaml +++ b/packages/mp/tests/test_mp/mock_content_hub/response_integrations/third_party/mock_integration/resources/ai/integration_ai_description.yaml @@ -7,6 +7,7 @@ product_categories: iam_and_identity_management: false itsm: false network_security: true + reasoning: Some reason siem: true threat_intelligence: false vulnerability_management: false diff --git a/packages/mp/tests/test_mp/test_describe/test_describe_integration.py b/packages/mp/tests/test_mp/test_describe/test_describe_integration.py index 14a9c32b5..32f3713ec 100644 --- a/packages/mp/tests/test_mp/test_describe/test_describe_integration.py +++ b/packages/mp/tests/test_mp/test_describe/test_describe_integration.py @@ -61,6 +61,7 @@ def test_describe_integration_command(tmp_path: Path, non_built_integration: Pat vulnerability_management=False, asset_inventory=False, collaboration=False, + reasoning="Some reason", ) ) ] From b997b0a98d8358fb8fbb5b714634d304b1c55a3b Mon Sep 17 00:00:00 2001 From: talshapir Date: Tue, 14 Apr 2026 10:40:46 +0300 Subject: [PATCH 26/26] update deps --- packages/mp/pyproject.toml | 2 +- packages/mp/uv.lock | 79 +++++++++++++++++++------------------- 2 files changed, 41 insertions(+), 40 deletions(-) diff --git a/packages/mp/pyproject.toml b/packages/mp/pyproject.toml index 77ed8876b..2a8d260fd 100644 --- a/packages/mp/pyproject.toml +++ b/packages/mp/pyproject.toml @@ -46,7 +46,7 @@ dependencies = [ "platformdirs>=4.5.0", "ty>=0.0.29", "ruamel-yaml == 0.17.40", - "google-genai>=1.72.0", + "google-genai>=1.73.0", "tenacity>=9.1.2", "anyio>=4.12.1", "toon-format", diff --git a/packages/mp/uv.lock b/packages/mp/uv.lock index d1aded3e2..ea706e031 100644 --- a/packages/mp/uv.lock +++ b/packages/mp/uv.lock @@ -245,7 +245,7 @@ requests = [ [[package]] name = "google-genai" -version = "1.72.0" +version = "1.73.0" source = { registry = "https://pypi.org/simple" } dependencies = [ { name = "anyio" }, @@ -259,9 +259,9 @@ dependencies = [ { name = "typing-extensions" }, { name = "websockets" }, ] -sdist = { url = "https://files.pythonhosted.org/packages/3c/20/2aff5ea3cd7459f85101d119c136d9ca4369fcda3dcf0cfee89b305611a4/google_genai-1.72.0.tar.gz", hash = "sha256:abe7d3aecfafb464b904e3a09c81b626fb425e160e123e71a5125a7021cea7b2", size = 522844, upload-time = "2026-04-09T21:35:46.283Z" } +sdist = { url = "https://files.pythonhosted.org/packages/99/5f/b293b1a78a547b0dd061642a3f6087f0a52c1b723eafa58f94ccdc3e0d2a/google_genai-1.73.0.tar.gz", hash = "sha256:569395b2c225e12bcd8758b8affe1af480e0a1b1c71d652d38c705677057e05f", size = 530812, upload-time = "2026-04-13T20:40:02.642Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/9f/3d/9f70246114cdf56a2615a40428ced08bc844f5a26247fe812b2f0dd4eaca/google_genai-1.72.0-py3-none-any.whl", hash = "sha256:ea861e4c6946e3185c24b40d95503e088fc230a73a71fec0ef78164b369a8489", size = 764230, upload-time = "2026-04-09T21:35:44.587Z" }, + { url = "https://files.pythonhosted.org/packages/5a/73/fb36ced456688c9b95a8ab49a1f408f5b3e69a589788f3eb25016002dd7a/google_genai-1.73.0-py3-none-any.whl", hash = "sha256:dfb0214b834bf977e3841de512cfb651d2fe76309f85064b80c2bc11da99d76b", size = 786072, upload-time = "2026-04-13T20:40:00.365Z" }, ] [[package]] @@ -303,14 +303,14 @@ wheels = [ [[package]] name = "hypothesis" -version = "6.151.12" +version = "6.151.14" source = { registry = "https://pypi.org/simple" } dependencies = [ { name = "sortedcontainers" }, ] -sdist = { url = "https://files.pythonhosted.org/packages/ce/ab/67ca321d1ab96fd3828b12142f1c258e2d4a668a025d06cd50ab3409787f/hypothesis-6.151.12.tar.gz", hash = "sha256:be485f503979af4c3dfa19e3fc2b967d0458e7f8c4e28128d7e215e0a55102e0", size = 463900, upload-time = "2026-04-08T19:40:06.205Z" } +sdist = { url = "https://files.pythonhosted.org/packages/83/77/3227982784ff12a74fc5b28823f3487f457640e6cc653afe16d090891334/hypothesis-6.151.14.tar.gz", hash = "sha256:14fffdfdb50e816cf114f9946aebbf533d7e0920c07ddc1531889f0a22ffaa20", size = 464375, upload-time = "2026-04-13T21:50:11.188Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/0e/5a/6cecf134b631050a1f8605096adbe812483b60790d951470989d39b56860/hypothesis-6.151.12-py3-none-any.whl", hash = "sha256:37d4f3a768365c30571b11dfd7a6857a12173d933010b2c4ab65619f1b5952c5", size = 529656, upload-time = "2026-04-08T19:40:03.126Z" }, + { url = "https://files.pythonhosted.org/packages/b7/60/1d19db13777148efb57c27a8ceea48afb80cba9ce6da85b57ccbe0e8f44f/hypothesis-6.151.14-py3-none-any.whl", hash = "sha256:0c27a1e1092752d8c424b7f1caeb6ecfbed9af87914f510b59c1be69945e85a5", size = 530046, upload-time = "2026-04-13T21:50:08.282Z" }, ] [[package]] @@ -444,7 +444,7 @@ requires-dist = [ { name = "anyio", specifier = ">=4.12.1" }, { name = "deepdiff", specifier = ">=8.6.1" }, { name = "defusedxml", specifier = ">=0.7.1" }, - { name = "google-genai", specifier = ">=1.72.0" }, + { name = "google-genai", specifier = ">=1.73.0" }, { name = "jinja2", specifier = ">=3.1.6" }, { name = "libcst", specifier = ">=1.8.2" }, { name = "packaging", specifier = ">=26.0" }, @@ -576,7 +576,7 @@ wheels = [ [[package]] name = "pydantic" -version = "2.12.5" +version = "2.13.0" source = { registry = "https://pypi.org/simple" } dependencies = [ { name = "annotated-types" }, @@ -584,46 +584,47 @@ dependencies = [ { name = "typing-extensions" }, { name = "typing-inspection" }, ] -sdist = { url = "https://files.pythonhosted.org/packages/69/44/36f1a6e523abc58ae5f928898e4aca2e0ea509b5aa6f6f392a5d882be928/pydantic-2.12.5.tar.gz", hash = "sha256:4d351024c75c0f085a9febbb665ce8c0c6ec5d30e903bdb6394b7ede26aebb49", size = 821591, upload-time = "2025-11-26T15:11:46.471Z" } +sdist = { url = "https://files.pythonhosted.org/packages/84/6b/69fd5c7194b21ebde0f8637e2a4ddc766ada29d472bfa6a5ca533d79549a/pydantic-2.13.0.tar.gz", hash = "sha256:b89b575b6e670ebf6e7448c01b41b244f471edd276cd0b6fe02e7e7aca320070", size = 843468, upload-time = "2026-04-13T10:51:35.571Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/5a/87/b70ad306ebb6f9b585f114d0ac2137d792b48be34d732d60e597c2f8465a/pydantic-2.12.5-py3-none-any.whl", hash = "sha256:e561593fccf61e8a20fc46dfc2dfe075b8be7d0188df33f221ad1f0139180f9d", size = 463580, upload-time = "2025-11-26T15:11:44.605Z" }, + { url = "https://files.pythonhosted.org/packages/01/d7/c3a52c61f5b7be648e919005820fbac33028c6149994cd64453f49951c17/pydantic-2.13.0-py3-none-any.whl", hash = "sha256:ab0078b90da5f3e2fd2e71e3d9b457ddcb35d0350854fbda93b451e28d56baaf", size = 471872, upload-time = "2026-04-13T10:51:33.343Z" }, ] [[package]] name = "pydantic-core" -version = "2.41.5" +version = "2.46.0" source = { registry = "https://pypi.org/simple" } dependencies = [ { name = "typing-extensions" }, ] -sdist = { url = "https://files.pythonhosted.org/packages/71/70/23b021c950c2addd24ec408e9ab05d59b035b39d97cdc1130e1bce647bb6/pydantic_core-2.41.5.tar.gz", hash = "sha256:08daa51ea16ad373ffd5e7606252cc32f07bc72b28284b6bc9c6df804816476e", size = 460952, upload-time = "2025-11-04T13:43:49.098Z" } -wheels = [ - { url = "https://files.pythonhosted.org/packages/e8/72/74a989dd9f2084b3d9530b0915fdda64ac48831c30dbf7c72a41a5232db8/pydantic_core-2.41.5-cp311-cp311-macosx_10_12_x86_64.whl", hash = "sha256:a3a52f6156e73e7ccb0f8cced536adccb7042be67cb45f9562e12b319c119da6", size = 2105873, upload-time = "2025-11-04T13:39:31.373Z" }, - { url = "https://files.pythonhosted.org/packages/12/44/37e403fd9455708b3b942949e1d7febc02167662bf1a7da5b78ee1ea2842/pydantic_core-2.41.5-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:7f3bf998340c6d4b0c9a2f02d6a400e51f123b59565d74dc60d252ce888c260b", size = 1899826, upload-time = "2025-11-04T13:39:32.897Z" }, - { url = "https://files.pythonhosted.org/packages/33/7f/1d5cab3ccf44c1935a359d51a8a2a9e1a654b744b5e7f80d41b88d501eec/pydantic_core-2.41.5-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:378bec5c66998815d224c9ca994f1e14c0c21cb95d2f52b6021cc0b2a58f2a5a", size = 1917869, upload-time = "2025-11-04T13:39:34.469Z" }, - { url = "https://files.pythonhosted.org/packages/6e/6a/30d94a9674a7fe4f4744052ed6c5e083424510be1e93da5bc47569d11810/pydantic_core-2.41.5-cp311-cp311-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:e7b576130c69225432866fe2f4a469a85a54ade141d96fd396dffcf607b558f8", size = 2063890, upload-time = "2025-11-04T13:39:36.053Z" }, - { url = "https://files.pythonhosted.org/packages/50/be/76e5d46203fcb2750e542f32e6c371ffa9b8ad17364cf94bb0818dbfb50c/pydantic_core-2.41.5-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:6cb58b9c66f7e4179a2d5e0f849c48eff5c1fca560994d6eb6543abf955a149e", size = 2229740, upload-time = "2025-11-04T13:39:37.753Z" }, - { url = "https://files.pythonhosted.org/packages/d3/ee/fed784df0144793489f87db310a6bbf8118d7b630ed07aa180d6067e653a/pydantic_core-2.41.5-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:88942d3a3dff3afc8288c21e565e476fc278902ae4d6d134f1eeda118cc830b1", size = 2350021, upload-time = "2025-11-04T13:39:40.94Z" }, - { url = "https://files.pythonhosted.org/packages/c8/be/8fed28dd0a180dca19e72c233cbf58efa36df055e5b9d90d64fd1740b828/pydantic_core-2.41.5-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:f31d95a179f8d64d90f6831d71fa93290893a33148d890ba15de25642c5d075b", size = 2066378, upload-time = "2025-11-04T13:39:42.523Z" }, - { url = "https://files.pythonhosted.org/packages/b0/3b/698cf8ae1d536a010e05121b4958b1257f0b5522085e335360e53a6b1c8b/pydantic_core-2.41.5-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:c1df3d34aced70add6f867a8cf413e299177e0c22660cc767218373d0779487b", size = 2175761, upload-time = "2025-11-04T13:39:44.553Z" }, - { url = "https://files.pythonhosted.org/packages/b8/ba/15d537423939553116dea94ce02f9c31be0fa9d0b806d427e0308ec17145/pydantic_core-2.41.5-cp311-cp311-musllinux_1_1_aarch64.whl", hash = "sha256:4009935984bd36bd2c774e13f9a09563ce8de4abaa7226f5108262fa3e637284", size = 2146303, upload-time = "2025-11-04T13:39:46.238Z" }, - { url = "https://files.pythonhosted.org/packages/58/7f/0de669bf37d206723795f9c90c82966726a2ab06c336deba4735b55af431/pydantic_core-2.41.5-cp311-cp311-musllinux_1_1_armv7l.whl", hash = "sha256:34a64bc3441dc1213096a20fe27e8e128bd3ff89921706e83c0b1ac971276594", size = 2340355, upload-time = "2025-11-04T13:39:48.002Z" }, - { url = "https://files.pythonhosted.org/packages/e5/de/e7482c435b83d7e3c3ee5ee4451f6e8973cff0eb6007d2872ce6383f6398/pydantic_core-2.41.5-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:c9e19dd6e28fdcaa5a1de679aec4141f691023916427ef9bae8584f9c2fb3b0e", size = 2319875, upload-time = "2025-11-04T13:39:49.705Z" }, - { url = "https://files.pythonhosted.org/packages/fe/e6/8c9e81bb6dd7560e33b9053351c29f30c8194b72f2d6932888581f503482/pydantic_core-2.41.5-cp311-cp311-win32.whl", hash = "sha256:2c010c6ded393148374c0f6f0bf89d206bf3217f201faa0635dcd56bd1520f6b", size = 1987549, upload-time = "2025-11-04T13:39:51.842Z" }, - { url = "https://files.pythonhosted.org/packages/11/66/f14d1d978ea94d1bc21fc98fcf570f9542fe55bfcc40269d4e1a21c19bf7/pydantic_core-2.41.5-cp311-cp311-win_amd64.whl", hash = "sha256:76ee27c6e9c7f16f47db7a94157112a2f3a00e958bc626e2f4ee8bec5c328fbe", size = 2011305, upload-time = "2025-11-04T13:39:53.485Z" }, - { url = "https://files.pythonhosted.org/packages/56/d8/0e271434e8efd03186c5386671328154ee349ff0354d83c74f5caaf096ed/pydantic_core-2.41.5-cp311-cp311-win_arm64.whl", hash = "sha256:4bc36bbc0b7584de96561184ad7f012478987882ebf9f9c389b23f432ea3d90f", size = 1972902, upload-time = "2025-11-04T13:39:56.488Z" }, - { url = "https://files.pythonhosted.org/packages/11/72/90fda5ee3b97e51c494938a4a44c3a35a9c96c19bba12372fb9c634d6f57/pydantic_core-2.41.5-graalpy311-graalpy242_311_native-macosx_10_12_x86_64.whl", hash = "sha256:b96d5f26b05d03cc60f11a7761a5ded1741da411e7fe0909e27a5e6a0cb7b034", size = 2115441, upload-time = "2025-11-04T13:42:39.557Z" }, - { url = "https://files.pythonhosted.org/packages/1f/53/8942f884fa33f50794f119012dc6a1a02ac43a56407adaac20463df8e98f/pydantic_core-2.41.5-graalpy311-graalpy242_311_native-macosx_11_0_arm64.whl", hash = "sha256:634e8609e89ceecea15e2d61bc9ac3718caaaa71963717bf3c8f38bfde64242c", size = 1930291, upload-time = "2025-11-04T13:42:42.169Z" }, - { url = "https://files.pythonhosted.org/packages/79/c8/ecb9ed9cd942bce09fc888ee960b52654fbdbede4ba6c2d6e0d3b1d8b49c/pydantic_core-2.41.5-graalpy311-graalpy242_311_native-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:93e8740d7503eb008aa2df04d3b9735f845d43ae845e6dcd2be0b55a2da43cd2", size = 1948632, upload-time = "2025-11-04T13:42:44.564Z" }, - { url = "https://files.pythonhosted.org/packages/2e/1b/687711069de7efa6af934e74f601e2a4307365e8fdc404703afc453eab26/pydantic_core-2.41.5-graalpy311-graalpy242_311_native-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:f15489ba13d61f670dcc96772e733aad1a6f9c429cc27574c6cdaed82d0146ad", size = 2138905, upload-time = "2025-11-04T13:42:47.156Z" }, - { url = "https://files.pythonhosted.org/packages/5f/9b/1b3f0e9f9305839d7e84912f9e8bfbd191ed1b1ef48083609f0dabde978c/pydantic_core-2.41.5-pp311-pypy311_pp73-macosx_10_12_x86_64.whl", hash = "sha256:b2379fa7ed44ddecb5bfe4e48577d752db9fc10be00a6b7446e9663ba143de26", size = 2101980, upload-time = "2025-11-04T13:43:25.97Z" }, - { url = "https://files.pythonhosted.org/packages/a4/ed/d71fefcb4263df0da6a85b5d8a7508360f2f2e9b3bf5814be9c8bccdccc1/pydantic_core-2.41.5-pp311-pypy311_pp73-macosx_11_0_arm64.whl", hash = "sha256:266fb4cbf5e3cbd0b53669a6d1b039c45e3ce651fd5442eff4d07c2cc8d66808", size = 1923865, upload-time = "2025-11-04T13:43:28.763Z" }, - { url = "https://files.pythonhosted.org/packages/ce/3a/626b38db460d675f873e4444b4bb030453bbe7b4ba55df821d026a0493c4/pydantic_core-2.41.5-pp311-pypy311_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:58133647260ea01e4d0500089a8c4f07bd7aa6ce109682b1426394988d8aaacc", size = 2134256, upload-time = "2025-11-04T13:43:31.71Z" }, - { url = "https://files.pythonhosted.org/packages/83/d9/8412d7f06f616bbc053d30cb4e5f76786af3221462ad5eee1f202021eb4e/pydantic_core-2.41.5-pp311-pypy311_pp73-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:287dad91cfb551c363dc62899a80e9e14da1f0e2b6ebde82c806612ca2a13ef1", size = 2174762, upload-time = "2025-11-04T13:43:34.744Z" }, - { url = "https://files.pythonhosted.org/packages/55/4c/162d906b8e3ba3a99354e20faa1b49a85206c47de97a639510a0e673f5da/pydantic_core-2.41.5-pp311-pypy311_pp73-musllinux_1_1_aarch64.whl", hash = "sha256:03b77d184b9eb40240ae9fd676ca364ce1085f203e1b1256f8ab9984dca80a84", size = 2143141, upload-time = "2025-11-04T13:43:37.701Z" }, - { url = "https://files.pythonhosted.org/packages/1f/f2/f11dd73284122713f5f89fc940f370d035fa8e1e078d446b3313955157fe/pydantic_core-2.41.5-pp311-pypy311_pp73-musllinux_1_1_armv7l.whl", hash = "sha256:a668ce24de96165bb239160b3d854943128f4334822900534f2fe947930e5770", size = 2330317, upload-time = "2025-11-04T13:43:40.406Z" }, - { url = "https://files.pythonhosted.org/packages/88/9d/b06ca6acfe4abb296110fb1273a4d848a0bfb2ff65f3ee92127b3244e16b/pydantic_core-2.41.5-pp311-pypy311_pp73-musllinux_1_1_x86_64.whl", hash = "sha256:f14f8f046c14563f8eb3f45f499cc658ab8d10072961e07225e507adb700e93f", size = 2316992, upload-time = "2025-11-04T13:43:43.602Z" }, - { url = "https://files.pythonhosted.org/packages/36/c7/cfc8e811f061c841d7990b0201912c3556bfeb99cdcb7ed24adc8d6f8704/pydantic_core-2.41.5-pp311-pypy311_pp73-win_amd64.whl", hash = "sha256:56121965f7a4dc965bff783d70b907ddf3d57f6eba29b6d2e5dabfaf07799c51", size = 2145302, upload-time = "2025-11-04T13:43:46.64Z" }, +sdist = { url = "https://files.pythonhosted.org/packages/6f/0a/9414cddf82eda3976b14048cc0fa8f5b5d1aecb0b22e1dcd2dbfe0e139b1/pydantic_core-2.46.0.tar.gz", hash = "sha256:82d2498c96be47b47e903e1378d1d0f770097ec56ea953322f39936a7cf34977", size = 471441, upload-time = "2026-04-13T09:06:33.813Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/ce/43/9bc38d43a6a48794209e4eb6d61e9c68395f69b7949f66842854b0cd1344/pydantic_core-2.46.0-cp311-cp311-macosx_10_12_x86_64.whl", hash = "sha256:0027da787ae711f7fbd5a76cb0bb8df526acba6c10c1e44581de1b838db10b7b", size = 2121004, upload-time = "2026-04-13T09:05:17.531Z" }, + { url = "https://files.pythonhosted.org/packages/8c/1d/f43342b7107939b305b5e4efeef7d54e267a5ef51515570a5c1d77726efb/pydantic_core-2.46.0-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:63e288fc18d7eaeef5f16c73e65c4fd0ad95b25e7e21d8a5da144977b35eb997", size = 1947505, upload-time = "2026-04-13T09:04:48.975Z" }, + { url = "https://files.pythonhosted.org/packages/4a/cd/ccf48cbbcaf0d99ba65969459ebfbf7037600b2cfdcca3062084dd83a008/pydantic_core-2.46.0-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:080a3bdc6807089a1fe1fbc076519cea287f1a964725731d80b49d8ecffaa217", size = 1973301, upload-time = "2026-04-13T09:05:42.149Z" }, + { url = "https://files.pythonhosted.org/packages/c2/ff/a7bb1e7a762fb1f40ad5ef4e6a92c012864a017b7b1fdfb71cf91faa8b73/pydantic_core-2.46.0-cp311-cp311-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:c065f1c3e54c3e79d909927a8cb48ccbc17b68733552161eba3e0628c38e5d19", size = 2042208, upload-time = "2026-04-13T09:05:32.591Z" }, + { url = "https://files.pythonhosted.org/packages/ea/64/d3f11c6f6ace71526f3b03646df95eaab3f21edd13e00daae3f20f4e5a09/pydantic_core-2.46.0-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:7e2db58ab46cfe602d4255381cce515585998c3b6699d5b1f909f519bc44a5aa", size = 2229046, upload-time = "2026-04-13T09:04:18.59Z" }, + { url = "https://files.pythonhosted.org/packages/d0/64/93db9a63cce71630c58b376d63de498aa93cb341c72cd5f189b5c08f5c28/pydantic_core-2.46.0-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:c660974890ec1e4c65cff93f5670a5f451039f65463e9f9c03ad49746b49fc78", size = 2292138, upload-time = "2026-04-13T09:04:13.816Z" }, + { url = "https://files.pythonhosted.org/packages/e9/96/936fccce22f1f2ae8b2b694de651c2c929847be5f701c927a0bb3b1eb679/pydantic_core-2.46.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:d3be91482a8db77377c902cca87697388a4fb68addeb3e943ac74f425201a099", size = 2093333, upload-time = "2026-04-13T09:05:15.729Z" }, + { url = "https://files.pythonhosted.org/packages/75/76/c325e7fda69d589e26e772272044fe704c7e525c47d0d32a74f8345ac657/pydantic_core-2.46.0-cp311-cp311-manylinux_2_31_riscv64.whl", hash = "sha256:1c72de82115233112d70d07f26a48cf6996eb86f7e143423ec1a182148455a9d", size = 2138802, upload-time = "2026-04-13T09:03:51.142Z" }, + { url = "https://files.pythonhosted.org/packages/c0/6f/ccaa2ff7d53a017b66841e2d38edd1f38d19ae1a2d0c5efee17f2d432229/pydantic_core-2.46.0-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:7904e58768cd79304b992868d7710bfc85dc6c7ed6163f0f68dbc1dcd72dc231", size = 2181358, upload-time = "2026-04-13T09:04:30.737Z" }, + { url = "https://files.pythonhosted.org/packages/6c/71/0c4b6303e92d63edcb81f5301695cdf70bb351775b4733eea65acdac8384/pydantic_core-2.46.0-cp311-cp311-musllinux_1_1_aarch64.whl", hash = "sha256:1af8d88718005f57bb4768f92f4ff16bf31a747d39dfc919b22211b84e72c053", size = 2183985, upload-time = "2026-04-13T09:04:06.792Z" }, + { url = "https://files.pythonhosted.org/packages/71/eb/f6bf255de38a4393aaa10bff224e882b630576bc26ebfb401e42bb965092/pydantic_core-2.46.0-cp311-cp311-musllinux_1_1_armv7l.whl", hash = "sha256:a5b891301b02770a5852253f4b97f8bd192e5710067bc129e20d43db5403ede2", size = 2328559, upload-time = "2026-04-13T09:06:14.143Z" }, + { url = "https://files.pythonhosted.org/packages/f2/71/93895a1545f50823a24b21d7761c2bd1b1afea7a6ddc019787caec237361/pydantic_core-2.46.0-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:48b671fe59031fd9754c7384ac05b3ed47a0cccb7d4db0ec56121f0e6a541b90", size = 2367466, upload-time = "2026-04-13T09:05:59.613Z" }, + { url = "https://files.pythonhosted.org/packages/78/39/62331b3e71f41fb13d486621e2aec49900ba56567fb3a0ae5999fded0005/pydantic_core-2.46.0-cp311-cp311-win32.whl", hash = "sha256:0a52b7262b6cc67033823e9549a41bb77580ac299dc964baae4e9c182b2e335c", size = 1981367, upload-time = "2026-04-13T09:07:37.563Z" }, + { url = "https://files.pythonhosted.org/packages/9f/51/caac70958420e2d6115962f550676df59647c11f96a44c2fcb61662fcd16/pydantic_core-2.46.0-cp311-cp311-win_amd64.whl", hash = "sha256:4103fea1beeef6b3a9fed8515f27d4fa30c929a1973655adf8f454dc49ee0662", size = 2065942, upload-time = "2026-04-13T09:06:37.873Z" }, + { url = "https://files.pythonhosted.org/packages/b2/cf/576b2a4eb5500a1a5da485613b1ea8bc0d7279b27e0426801574b284ae65/pydantic_core-2.46.0-cp311-cp311-win_arm64.whl", hash = "sha256:3137cd88938adb8e567c5e938e486adc7e518ffc96b4ae1ec268e6a4275704d7", size = 2052532, upload-time = "2026-04-13T09:06:03.697Z" }, + { url = "https://files.pythonhosted.org/packages/2d/f1/6731c2d6caf03efe822101edb4783eb3f212f34b7b005a34f039f67e76e1/pydantic_core-2.46.0-graalpy311-graalpy242_311_native-macosx_10_12_x86_64.whl", hash = "sha256:ce2e38e27de73ff6a0312a9e3304c398577c418d90bbde97f0ba1ee3ab7ac39f", size = 2121259, upload-time = "2026-04-13T09:07:34.845Z" }, + { url = "https://files.pythonhosted.org/packages/72/fd/ac34d4c92e739e37a040be9e7ea84d116afec5f983a7db856c27135fba77/pydantic_core-2.46.0-graalpy311-graalpy242_311_native-macosx_11_0_arm64.whl", hash = "sha256:f0d34ba062396de0be7421e6e69c9a6821bf6dc73a0ab9959a48a5a6a1e24754", size = 1945798, upload-time = "2026-04-13T09:04:24.729Z" }, + { url = "https://files.pythonhosted.org/packages/b6/a4/f413a522c4047c46b109be6805a3095d35e5a4882fd5b4fdc0909693dfc0/pydantic_core-2.46.0-graalpy311-graalpy242_311_native-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:c4c0a12147b4026dd68789fb9f22f1a8769e457f9562783c181880848bbd6412", size = 1986062, upload-time = "2026-04-13T09:05:57.177Z" }, + { url = "https://files.pythonhosted.org/packages/91/2e/9760025ea8b0f49903c0ceebdfc2d8ef839da872426f2b03cae9de036a7c/pydantic_core-2.46.0-graalpy311-graalpy242_311_native-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:a99896d9db56df901ab4a63cd6a36348a569cff8e05f049db35f4016a817a3d9", size = 2145344, upload-time = "2026-04-13T09:03:56.924Z" }, + { url = "https://files.pythonhosted.org/packages/09/ed/fbd8127e4a19c4fdbb2f4983cf72c7b3534086df640c813c5c0ec4218177/pydantic_core-2.46.0-pp311-pypy311_pp73-macosx_10_12_x86_64.whl", hash = "sha256:be3e04979ba4d68183f247202c7f4f483f35df57690b3f875c06340a1579b47c", size = 2119951, upload-time = "2026-04-13T09:04:35.923Z" }, + { url = "https://files.pythonhosted.org/packages/ec/77/df8711ebb45910412f90d75198430fa1120f5618336b71fa00303601c5a4/pydantic_core-2.46.0-pp311-pypy311_pp73-macosx_11_0_arm64.whl", hash = "sha256:b1eae8d7d9b8c2a90b34d3d9014804dca534f7f40180197062634499412ea14e", size = 1953812, upload-time = "2026-04-13T09:05:40.293Z" }, + { url = "https://files.pythonhosted.org/packages/12/fe/14b35df69112bd812d6818a395eeab22eeaa2befc6f85bc54ed648430186/pydantic_core-2.46.0-pp311-pypy311_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:3a95a2773680dd4b6b999d4eccdd1b577fd71c31739fb4849f6ada47eabb9c56", size = 2139585, upload-time = "2026-04-13T09:06:46.94Z" }, + { url = "https://files.pythonhosted.org/packages/1f/f0/4fea4c14ebbdeb87e5f6edd2620735fcbd384865f06707fe229c021ce041/pydantic_core-2.46.0-pp311-pypy311_pp73-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:25988c3159bb097e06abfdf7b21b1fcaf90f187c74ca6c7bb842c1f72ce74fa8", size = 2179154, upload-time = "2026-04-13T09:04:15.639Z" }, + { url = "https://files.pythonhosted.org/packages/5c/36/6329aa79ba32b73560e6e453164fb29702b115fd3b2b650e796e1dc27862/pydantic_core-2.46.0-pp311-pypy311_pp73-musllinux_1_1_aarch64.whl", hash = "sha256:747d89bd691854c719a3381ba46b6124ef916ae85364c79e11db9c84995d8d03", size = 2182917, upload-time = "2026-04-13T09:07:24.483Z" }, + { url = "https://files.pythonhosted.org/packages/92/61/edbf7aea71052d410347846a2ea43394f74651bf6822b8fad8703ca00575/pydantic_core-2.46.0-pp311-pypy311_pp73-musllinux_1_1_armv7l.whl", hash = "sha256:909a7327b83ca93b372f7d48df0ebc7a975a5191eb0b6e024f503f4902c24124", size = 2327716, upload-time = "2026-04-13T09:06:31.681Z" }, + { url = "https://files.pythonhosted.org/packages/a4/11/aa5089b941e85294b1d5d526840b18f0d4464f842d43d8999ce50ef881c1/pydantic_core-2.46.0-pp311-pypy311_pp73-musllinux_1_1_x86_64.whl", hash = "sha256:2f7e6a3752378a69fadf3f5ee8bc5fa082f623703eec0f4e854b12c548322de0", size = 2365925, upload-time = "2026-04-13T09:05:38.338Z" }, + { url = "https://files.pythonhosted.org/packages/0c/75/e187b0ea247f71f2009d156df88b7d8449c52a38810c9a1bd55dd4871206/pydantic_core-2.46.0-pp311-pypy311_pp73-win_amd64.whl", hash = "sha256:ef47ee0a3ac4c2bb25a083b3acafb171f65be4a0ac1e84edef79dd0016e25eaa", size = 2193856, upload-time = "2026-04-13T09:05:03.114Z" }, ] [[package]]